Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Transcription

1 1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010

2 2 / 14 Talk Outline 1 State of Lattice-Based Cryptography 2 Main Result: Public-Key Encryption based on GapSVP 3 Future Work

3 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: b 2 L = n (Z b i ) i=1 λ b 1

4 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: b 2 L = n (Z b i ) i=1 λ b 1 Shortest Vector Problem (γ-gapsvp) Given B, decide: λ 1 or λ > γ?

5 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: L = n (Z b i ) λ i=1 b 1 b 2 Shortest Vector Problem (γ-gapsvp) Given B, decide: λ 1 or λ > γ?

6 3 / 14 Shortest Vector Problem(s) A lattice L R n having basis B = {b 1,..., b n } is: L = n (Z b i ) i=1 λ b 2 b 1 γ λ Shortest Vector Problem (γ-gapsvp) Given B, decide: λ 1 or λ > γ? Unique SVP (γ-usvp) Given B with γ-unique shortest vector, find it.

7 Worst-Case Complexity GapSVP γ = 2 (log n) 1 ɛ n n 2 n NP-hard [Ajt98,...,HR07] conp [GG98,AR05] (some) crypto [Ajt96,..., MR04,Reg05] P [LLL82,Sch87] 4 / 14

8 Worst-Case Complexity GapSVP γ = 2 (log n) 1 ɛ n n 2 n NP-hard [Ajt98,...,HR07] conp [GG98,AR05] (some) crypto [Ajt96,..., MR04,Reg05] P [LLL82,Sch87] For γ = poly(n), best algorithm is 2 n time & space [AKS01] 4 / 14

9 Worst-Case Complexity GapSVP γ = 2 (log n) 1 ɛ n n 2 n NP-hard [Ajt98,...,HR07] conp [GG98,AR05] (some) crypto [Ajt96,..., MR04,Reg05] P [LLL82,Sch87] For γ = poly(n), best algorithm is 2 n time & space [AKS01] usvp γ =?? NP-hard 4 n coam [Cai98] n 1.5 crypto [AD97/07,Reg03] 4 / 14

10 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt OWF [Ajt96,... ] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10]

11 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt OWF [Ajt96,... ] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] GapSVP etc. hard

12 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt CRYPTOMANIA OWF [Ajt96,... ] PKE [AD97,Reg03,Reg05] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] CCA [PW08] ID-based [GPV08] GapSVP etc. hard

13 5 / 14 Taxonomy of Lattice-Based Crypto minicrypt CRYPTOMANIA OWF [Ajt96,... ] PKE [AD97,Reg03,Reg05] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] CCA [PW08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09,GHV10], KDM [ACPS09], HIBE [CHKP10], Deniable [OP10],... ) GapSVP etc. hard

14 Taxonomy of Lattice-Based Crypto minicrypt CRYPTOMANIA OWF [Ajt96,... ] PKE [AD97,Reg03,Reg05] ID schemes [MV03,Lyu08] Sigs [LM08,GPV08, CHKP10] CCA [PW08] ID-based [GPV08] (Obl. tran. [PVW08], leakage [AGV09], homom [G09,GHV10], KDM [ACPS09], HIBE [CHKP10], Deniable [OP10],... ) GapSVP etc. hard usvp hard GapSVP etc. quantum-hard 5 / 14

15 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2

16 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 a 1, s mod q a 2, b 2 a 2, s mod q.

17 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 = a 1, s + x 1 mod q a 2, b 2 = a 2, s + x 2 mod q. Uniform a i Z n q, Gaussian errors x i α q n

18 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 = a 1, s + x 1 mod q a 2, b 2 = a 2, s + x 2 mod q. Uniform a i Z n q, Gaussian errors x i Decision: distinguish from uniform (a i, b i ) α q n

19 6 / 14 Learning With Errors Generalizes learning parity with noise : dim n, modulus q 2 Search: find s Z n q given noisy random inner products a 1, b 1 = a 1, s + x 1 mod q a 2, b 2 = a 2, s + x 2 mod q. Uniform a i Z n q, Gaussian errors x i Decision: distinguish from uniform (a i, b i ) α q n State of the Art (n/α)-gapsvp etc. search-lwe decision-lwe crypto quantum [Reg05] prime q = poly(n) [BFKL94,R05] [R05,PW08,GPV08, PVW08,AGV09,ACPS09,... ]

20 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness

21 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors

22 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n

23 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n New ζ-to-(n/α) -GapSVP: q ζ [ = poly(n) ]

24 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n New ζ-to-(n/α) -GapSVP: q ζ [ = poly(n) ] 2 LWE search decision for large q [ poly(n) ] GapSVP-hardness of prior LWE-based crypto [Reg05,... ]

25 7 / 14 Our Results First public-key encryption based on classical GapSVP hardness 1 Classical reduction: GapSVP Learning With Errors Standard (n/α)-gapsvp: large LWE modulus q 2 n New ζ-to-(n/α) -GapSVP: q ζ [ = poly(n) ] 2 LWE search decision for large q [ poly(n) ] GapSVP-hardness of prior LWE-based crypto [Reg05,... ] 3 New LWE-based chosen ciphertext-secure encryption Simpler construction, milder assumption than prior CCA [PW08]

26 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 L BDD classical LWE

27 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 quantum L BDD L BDD classical classical LWE LWE

28 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 quantum quantum L BDD L BDD classical classical LWE LWE

29 8 / 14 [Regev05] Hardness of LWE BDD on L: d λ/2 quantum quantum L BDD L BDD classical LWE classical LWE GapSVP SIVP

30 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L

31 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L A better answer: to make use of BDD/LWE oracle 1 Choose some x L 2 Perturb to y x 3 Invoke oracle on y x y y BDD (LWE)

32 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L A better answer: to make use of BDD/LWE oracle 1 Choose some x L 2 Perturb to y x 3 Invoke oracle on y 4 Returns x we already knew that! x y y BDD (LWE) x

33 9 / 14 Why Quantum? Obvious answer: iterative step BDD on L quantum FT L A better answer: to make use of BDD/LWE oracle 1 Choose some x L 2 Perturb to y x 3 Invoke oracle on y 4 Returns x we already knew that! Quantum can uncompute x x y y BDD (LWE) x

34 10 / 14 Our Approach New way of solving GapSVP in a reduction

35 10 / 14 Our Approach The Usual New way of solving GapSVP in a reduction x y y BDD (LWE) x

36 10 / 14 Our Approach New way of solving GapSVP in a reduction The Usual IMAGINE x y x y y BDD (LWE) x y BDD (LWE)??

37 10 / 14 Our Approach New way of solving GapSVP in a reduction The Usual x y y BDD (LWE) IMAGINE x y y BDD (LWE) Illegal BDD instance Incorrect (& unknown!) LWE distribution x??

38 10 / 14 Our Approach New way of solving GapSVP in a reduction The Usual x y y BDD (LWE) x IMAGINE x y y BDD (LWE)?? Illegal BDD instance Incorrect (& unknown!) LWE distribution SO WHAT! When λ d, oracle cannot guess x Distinguishes large λ from small

39 10 / 14 Our Approach The Usual x y y BDD (LWE) x New way of solving GapSVP in a reduction IMAGINE x y y BDD (LWE)?? Illegal BDD instance Incorrect (& unknown!) LWE distribution SO WHAT! When λ d, oracle cannot guess x Distinguishes large λ from small View as [GoldGold98] AM proof between reduction and oracle

40 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!)

41 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L.

42 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. (LLL-reduced basis is 2 n -good.)

43 11 / 14 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. One shot (non-iterative) reduction (LLL-reduced basis is 2 n -good.)

44 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. (LLL-reduced basis is 2 n -good.) One shot (non-iterative) reduction 2 LWE search / decision equivalence? (Normally requires prime q = poly(n)... ) 11 / 14

45 Technical Obstacles 1 What about in BDD LWE reduction? (No quantum allowed!) Use [GPV08] sampling algorithm with best available basis for L. ζ-good basis LWE modulus q ζ. (LLL-reduced basis is 2 n -good.) One shot (non-iterative) reduction 2 LWE search / decision equivalence? (Normally requires prime q = poly(n)... ) Option 1: crypto directly based on search-lwe Option 2: search = decision for smooth q and Gaussian error 11 / 14

46 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform.

47 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n).

48 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi

49 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi If yes, maps A s,α to itself. If not, maps A s,α to uniform?

50 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi If yes, maps A s,α to itself. If not, maps A s,α to uniform! Gaussians of width αq (q/q i ) separated by (q/q i ) uniform by smoothing bounds [MicReg04]

51 12 / 14 Reducing Search to Decision Suppose D distinguishes (a Z n q, b a, s ) A s,α from uniform. Let q = q 1 q t [ poly(n) ] for distinct (1/α) q i poly(n). Find s: Chinese remaindering & smoothing To test if s 1 = 0 mod q i : (a, b) (a + r e 1, b) for r (q/q i ) Z qi If yes, maps A s,α to itself. If not, maps A s,α to uniform! Gaussians of width αq (q/q i ) separated by (q/q i ) uniform by smoothing bounds [MicReg04] (NB: for general error dists, hybrid argument over q i s fails.)

52 13 / 14 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle

53 13 / 14 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08].

54 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08]. Define g A (s, x) = A t s + x. Can generate A with trapdoor for g 1 A [GGH97,Ajt99,AP09] 13 / 14

55 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08]. Define g A (s, x) = A t s + x. Can generate A with trapdoor for g 1 A [GGH97,Ajt99,AP09] Distinguish g A1 (s, x 1 ),..., g Ak (s, x k ) [same s!] solve LWE So g A1,..., g Ak pseudorandom under correlated inputs [RS09] 13 / 14

56 Chosen-Ciphertext Security Intuitive Definition [RS91,DDN91,NY95] Encryption conceals message, even given decryption oracle Elementary Construction Follows witness-recovering decryption approach [PW08]. Define g A (s, x) = A t s + x. Can generate A with trapdoor for g 1 A [GGH97,Ajt99,AP09] Distinguish g A1 (s, x 1 ),..., g Ak (s, x k ) [same s!] solve LWE So g A1,..., g Ak pseudorandom under correlated inputs [RS09] Correlation-secure injective TDF CCA-secure encryption But care needed to make g A chosen-output secure. 13 / 14

57 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03]

58 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03] Unifies two styles of cryptosystems [AD97,Reg03] and [Reg05,... ] under (almost) same assumption.

59 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03] Unifies two styles of cryptosystems [AD97,Reg03] and [Reg05,... ] under (almost) same assumption. 2 Open: classical, iterative reduction from lattices to LWE I d expect it to work for GapSVP, SIVP, etc. with q = poly(n)

60 14 / 14 Epilogue 1 Building off of our approach, [LyuMic09] showed (γ n)-gapsvp γ-usvp crypto [AjtDwo97,Reg03] Unifies two styles of cryptosystems [AD97,Reg03] and [Reg05,... ] under (almost) same assumption. 2 Open: classical, iterative reduction from lattices to LWE I d expect it to work for GapSVP, SIVP, etc. with q = poly(n) 3 Open: complexity of new ζ-to-γ -GapSVP problem? NP-hard for nontrivial ζ? Better algorithms?