HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Size: px

Start display at page:

Download "HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51"

Robert Higgins
6 years ago
Views:

15-26, 2016 Abderrahmane Nitaj (LMNO, Caen)

1 HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

2 Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 2 / 51

3 Introduction Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 3 / 51

Introduction Cryptography in daily life 1 Cell phone conversations 2 Emails 3 Shopping

communications 8 Medical records 9 Cloud storage (Dropbox, Microsoft One Drive, Google

4 Introduction Cryptography in daily life 1 Cell phone conversations 2 s 3 Shopping online 4 Online banking 5 Aircraft Communications 6 Satellite communications 7 Government communications 8 Medical records 9 Cloud storage (Dropbox, Microsoft One Drive, Google Drive,...) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 4 / 51

5 Introduction RSA RSA Invented in 1978 by Rivest, Shamir and Adleman. Hard Problem : IFP Integer Factorization Problem: Let N = pq be the product of two large prime numbers p and q. The integer factorization problem is to find p and q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51

6 Introduction RSA RSA Invented in 1978 by Rivest, Shamir and Adleman. Hard Problem : IFP Integer Factorization Problem: Let N = pq be the product of two large prime numbers p and q. The integer factorization problem is to find p and q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51

7 Introduction RSA RSA Invented in 1978 by Rivest, Shamir and Adleman. Hard Problem : IFP Integer Factorization Problem: Let N = pq be the product of two large prime numbers p and q. The integer factorization problem is to find p and q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51

8 Introduction Diffie-Hellman and El Gamal Diffie-Hellman: invented in 1976 by W. Diffie and M. Hellman. El Gamal: invented in 1985 by T. El Gamal. Hard Problem: DLP Discrete Logarithm Problem: Let g and b be two positive integers and p be prime number. Find x such that g x b (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 6 / 51

9 Introduction Diffie-Hellman and El Gamal Diffie-Hellman: invented in 1976 by W. Diffie and M. Hellman. El Gamal: invented in 1985 by T. El Gamal. Hard Problem: DLP Discrete Logarithm Problem: Let g and b be two positive integers and p be prime number. Find x such that g x b (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 6 / 51

10 Introduction ECC ECC ECC (Elliptic Curve Cryptography), invented in 1985 (independently) by Koblitz and Miller. Hard Problem: ECLDP Elliptic Curve Discrete Logarithm Problem : Let P and Q be tow points on an elliptic curve E. Find n such that np = Q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 7 / 51

Hard Problem: ECLDP Elliptic Curve Discrete Logarithm Problem : Let P and Q be tow

11 Introduction ECC ECC ECC (Elliptic Curve Cryptography), invented in 1985 (independently) by Koblitz and Miller. Hard Problem: ECLDP Elliptic Curve Discrete Logarithm Problem : Let P and Q be tow points on an elliptic curve E. Find n such that np = Q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 7 / 51

12 Homomorphic encryption Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 8 / 51

13 Homomorphic encryption Desirable cryptographic properties For the cloud Store encrypted data on the cloud. Allow the cloud to process on the encrypted data Perform computations or search on data without decrypting it. Decrypt the result to get the same answer as performing an analogous operation on the original data. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 9 / 51

14 Homomorphic encryption Desirable cryptographic properties Example Store the s on the cloud. Encrypt an inquiry and perform it on the cloud without decrypting it. Decrypt the result to get the same answer as performing an analogous operation on the original data. The simplified scheme Encrypt a data x as Enc(x) and store it on the cloud. Encrypt a function f as Enc(f) and send it to the cloud. Ask the cloud to perform Enc(f)[Enc(x)]=Enc(f(x)). Download Enc(f(x)) and decrypt it to get f(x). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY10 / 51

15 Homomorphic encryption Desirable cryptographic properties Example Store the s on the cloud. Encrypt an inquiry and perform it on the cloud without decrypting it. Decrypt the result to get the same answer as performing an analogous operation on the original data. The simplified scheme Encrypt a data x as Enc(x) and store it on the cloud. Encrypt a function f as Enc(f) and send it to the cloud. Ask the cloud to perform Enc(f)[Enc(x)]=Enc(f(x)). Download Enc(f(x)) and decrypt it to get f(x). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY10 / 51

Homomorphic encryption Homomorphic systems The concept of homomorphic encryption It allows certain types of operations to be carried out on the encrypted data without the need to decrypt them.

16 Homomorphic encryption Homomorphic systems The concept of homomorphic encryption It allows certain types of operations to be carried out on the encrypted data without the need to decrypt them. Proposed by Rivest, Adleman, and Dertouzos in Many schemes are partially homomorphic. In 2009, Gentry presented the first fully homomorphic encryption scheme: totally impracticable. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY11 / 51

17 Homomorphic encryption Homomorphic systems Homomorphism If (G 1, ) and (G 2, ) are two groups, then a function f : G 1 G 2 is a group homomorphism if f(x y) = f(x) f(y) for all x, y G 1 Examples: f(x) = e x, f(x) = log(x),... Partially homomorphic encryption Additively homomorphic: Enc(x)+Enc(y)= Enc(x + y). Multiplicatively: Enc(x) Enc(y)= Enc(x y). Fully homomorphic encryption (FHE) Fully homomorphic encryption allows to do arbitrary computations on encrypted data without decrypting it. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY12 / 51

18 Homomorphic encryption The RSA example RSA addition: not homomorphic Private m 1 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) m 2 c 2 m e 2 (mod N) (m e 1 + me 2 )d RSA(N,d) m 1 + m 2 c 1 + c 2 m e 1 + me 2 (mod N) RSA multiplication: homomorphic Private m 1 m 2 ((m 1 m 2 ) e ) d m 1 m 2 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) c 2 m e 2 (mod N) RSA(N,d) c 1 c 2 (m 1 m 2 ) e (mod N) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY13 / 51

19 Homomorphic encryption The RSA example RSA addition: not homomorphic Private m 1 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) m 2 c 2 m e 2 (mod N) (m e 1 + me 2 )d RSA(N,d) m 1 + m 2 c 1 + c 2 m e 1 + me 2 (mod N) RSA multiplication: homomorphic Private m 1 m 2 ((m 1 m 2 ) e ) d m 1 m 2 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) c 2 m e 2 (mod N) RSA(N,d) c 1 c 2 (m 1 m 2 ) e (mod N) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY13 / 51

20 Homomorphic encryption Partial homomorphic systems RSA: multiplicatively homomorphic Given c 1 m e 1 (mod N), c 2 m e 2 (mod N). Then c 1 c 2 m e 1 m e 2 (m 1 m 2 ) e (mod N). ElGamal: multiplicatively homomorphic Given c 1 = ( g a 1, g a ) 1b 1 m 1 (mod p), c2 = ( g a 2, g a ) 2b 2 m 2 (mod p). Then ) c 1 c 2 = (g a 1+a 2, g a 1b 1 +a 2 b 2 m 1 m 2 (mod p). Paillier: additively homomorphic Given c 1 = g m 1 r N 1 (mod N 2 ), c 2 = g m 2 r N 2 (mod N 2 ). Then c 1 c 2 = g m 1+m 2 (rs) N (mod N 2 ). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY14 / 51

21 Homomorphic encryption DGHV: Somewhat Homomorphic Encryption DGHV: 2010 Invented by van Dijk, Gentry, Halevi, and Vaikuntanathan. The first fully homomorphic encryption over the integers. Choose a secret large prime key p. Choose a large integer q. Choose a small integer r < p 2. Encrypt m {0, 1} as c = qp + 2r + m. Decrypt c using (c mod p) mod 2 = m. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY15 / 51

22 Homomorphic encryption Homomorphic properties of DGHV c 1 = q 1 p + 2r 1 + m 1, c 2 = q 2 p + 2r 2 + m 2 Addition c 1 + c 2 = (q 1 + q 2 )p + 2(r 1 + r 2 ) + m 1 + m 2. Hence Enc(m 1 + m 2 )=Enc(m 1 )+Enc(m 2 ). Multiplication c 1 c 2 = (c 2 q 1 + c 1 q 2 q 1 q 2 p)p + 2(2r 1 r 2 + r 1 m 2 + r 2 m 1 ) + m 1 m 2. Hence Enc(m 1 m 2 )=Enc(m 1 ) Enc(m 2 ). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY16 / 51

23 LWE Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY17 / 51

24 LWE Learning With Errors LWE Invented by O. Regev in Security based on the GapSVP problem. Provable Security. Definition The GapSVP problem: Let L be a lattice with a basis B. Let λ 1 (L) be the length of the shortest nonzero vector of L. Let γ > 0 and r > 0. Decide whether λ 1 (L) < r or λ 1 (L) > γr. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY18 / 51

25 LWE Learning With Errors Example Easy: solve the system x x 2 = x Harder: solve the system } 223 {{ 45 } A x 1 x 2 x 3 }{{} S AS + E = P : LWE equation over Z. }{{} + + e 1 e 2 e 3 }{{} E }{{} = = } 2485 {{ } P Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY19 / 51

26 LWE Learning With Errors Example Hard: solve the system x (mod 503) x 2 = 158 (mod 503) x (mod 503) Much harder: solve the system x x 2 }{{} x 3 + }{{}}{{} A S e 1 e 2 e 3 }{{} E AS + E = P : LWE equation over Z 503. }{{} = = 144 (mod 503) 229 (mod 503) 503 } (mod 503) {{} P Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY20 / 51

27 LWE Learning With Errors LWE Key Generation Algorithm 1 : LWE Key Generation Require: Integers n, m, l, q. Ensure: A private key S and a public key (A, P ). 1: Choose S Z n l q at random. 2: Choose A Z m n q at random. 3: Choose E Z m l q according to χ(e) = e π E 2 /r 2 for some r > 0. 4: Compute P = AS + E (mod q). Hence P Z m l q. 5: The private key is S. 6: The public key is (A, P ). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY21 / 51

28 LWE Learning With Errors LWE: Encryption Algorithm 2 : LWE Encryption Require: Integers n, m, l, t, r, q, a public key (A, P ) and a plaintext M Z l 1 t. Ensure: A ciphertext (u, c). 1: Choose a [ r, r] m 1 at random. 2: Compute u = A T a (mod q) Z ] n 1 3: Compute c = P T a + [ Mq t 4: The ciphertext is (u, c). q. (mod q) Z l 1 q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY22 / 51

29 LWE Learning With Errors LWE: Decryption Algorithm 3 : LWE Decryption Require: Integers n, m, l, t, r, q, a private key S and a ciphertext (u, c). Ensure: A plaintext M. ] 1: Compute v = c S T u and M =. [ tv q Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY23 / 51

30 LWE Learning With Errors Correctness of decryption We have Hence v = c S T u [ ] Mq = (AS + E) T a S T A T a + t [ ] Mq = E T a +. t [ ] [ tv te T a = + t q q q [ Mq t ]]. With suitable parameters, the term tet a q is negligible and t q ] Consequently = M. [ tv q [ ] Mq t = M. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY24 / 51

31 LWE LWE Hard Problem Equations The public equation P = AS + E (mod q). ] The public ciphertext c = P T a + (mod q). [ Mq t Can be reduced to the approximate-svp and GapSVP. q-ary lattices Let A Z n l q for some integers q, n, l. The q-ary lattice: { Λ q (A) = y Z l : y A T s (mod q) for some s Z n}. The orthogonal q-ary lattice: { } Λ q (A) = y Z l : Ay 0 (mod q). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY25 / 51

32 NTRU Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY26 / 51

33 NTRU NTRU NTRU Invented by Hoffstein, Pipher et Silverman in Security based on the Shortest Vector Problem (SVP). Various versions between 1996 and Definition The Shortest Vector Problem (SVP): Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY27 / 51

34 NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = i+j k (mod N) f i g j. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51

35 NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = i+j k (mod N) f i g j. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51

36 NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = i+j k (mod N) f i g j. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51

37 NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Convolution f = (f 0, f 1,, f N 1 ), g = (g 0, g 1,, g N 1 ). }{{} f g = h = (h 0, h 1,, h N 1 ) 1 X X k X N 1 f 0 g 0 f 0 g 1 f 0 g k f 0 g N 1 + f 1 g N 1 f 1 g 0 f 1 g k 1 f 1 g N 2 + f 2 g N 2 f 2 g N 1 f 2 g k 2 f 2 g N f N 2 g 2 f N 2 g 3 f N 2 g k+2 f N 2 g 1 + f N 1 g 1 f N 1 g 2 f N 1 g k+1 f N 1 g 0 h = h 0 h 1 h k h N 1 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY29 / 51

38 NTRU NTRU Parameters N = a prime number (e.g. N = 167, 251, 347, 503). q = a large modulus (e.g. q = 128, 256). p = a small modulus (e.g. p = 3). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY30 / 51

39 NTRU NTRU Algorithms Key Generation: Randomly choose two private polynomials f and g. Compute the inverse of f modulo q: f f q = 1 (mod q). Compute the inverse of f modulo p: f f p = 1 (mod p). Compute the public key h = f q g (mod q). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY31 / 51

40 NTRU NTRU Algorithms Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51

41 NTRU NTRU Algorithms Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51

42 NTRU NTRU Algorithms Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51

43 NTRU NTRU Correctness of decryption We have a f e (mod q) a f (p r h + m) (mod q) a f r (p g f q ) + f m (mod q) a p r g f f q + f m (mod q) a p r g + f m (mod q). If p r g + f m [ q 2, 2] q, then m a f p mod p. MAPLE p. 24 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY33 / 51

44 NTRU NTRU Example Key generation Public parameters N = 13, p = 3, q = 8. Private keys f = X 12 + X 11 + X 10 + X 9 + X 8 + X 7 + 1, g = X 12 + X 5 X 4 + X 3 X 2 + X 1. f f p 1 (mod p) with f p = 2X 12 +2X 11 +2X 10 +2X 9 +2X 8 +2X 7 +2X 5 +2X 4 +2X 3 +2X 2 +2X. f f q 1 (mod q) with f q = X 12 +X 11 +X 10 +X 9 +X 8 +X 7 +2X 6 +X 5 +X 4 +X 3 +X 2 +X +2. The public key is h g f q (mod q) = 2X X X 9 + 2X 7 + 3X 5 + 2X 3 + 2X. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY34 / 51

45 NTRU NTRU Example Encryption Message m = X 10 + X 8 + X 7 + X 4 + X Random error r = X 12 + X 11 + X 8 + X The ciphertext e = p r h + m (mod q) 5X 12 +2X 11 +3X 10 +2X 9 +5X 8 +3X 7 +2X 6 +5X 5 +6X 4 +4X 3 +2X. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY35 / 51

46 NTRU NTRU Example Decryption a f e (mod q) 6X X X X 9 + 3X 8 + 4X 7 +6X 6 + 6X 5 + 4X 4 + 7X 3 + X 2 + 6X + 3. m f p a (mod p) X 10 + X 8 + X 7 + X 4 + X 3 + 1, Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY36 / 51

47 Lattices Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY37 / 51

48 Lattices Introduction to lattices Definition Let n and d be two positive integers. Let b 1, b d R n be d linearly independent vectors. The lattice L generated by (b 1, b d ) is the set L = { d d } Zb i = x i b i x i Z. i=1 i=1 The vectors b 1, b d are called a vector basis of L. The lattice rank is n and the lattice dimension is d. If n = d then L is called a full rank lattice. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY38 / 51

49 Lattices Introduction to lattices Example: Lattice with dimension 2 [ ] [ ] b 1 =, b 0 2 =, L = { v, v = x 1 1 b 1 + x 2 b 2, (x 1, x 2 ) Z 2}. b 2 Figure: The lattice with the basis (b 1, b 2 ) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY39 / 51 b 1

50 Lattices Introduction to lattices Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY40 / 51

51 Lattices Introduction to lattices How to find v? v? b 1 b 2 Figure: A lattice with a bad basis (b 1, b 2 ) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY41 / 51

52 Lattices Introduction to lattices How to find v? u 2 v? u 1 Figure: The same lattice with a good basis (u 1, u 2 ) b 1 b 2 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY42 / 51

53 Lattices Short vectors Definition (The Shortest Vector Problem (SVP)) Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY43 / 51

54 Lattices Short vectors The shortest vector b 2 b 1 λ 1 Figure: The shortest vectors Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY44 / 51

55 Lattices Closest Vectors Definition (The Closest Vector Problem (CVP)) Given a basis matrix B for L and a vector v L, compute a vector v 0 L such that v v 0 is minimal. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY45 / 51

56 Lattices Closest Vectors The closest vector v b 2 v 0 b 1 Figure: The closest vector to v is v 0 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY46 / 51

57 Bibliography Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY47 / 51

58 Bibliography Bibliography 1 P.W. Shor: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Computing 26, pp (1997). 2 O. Regev: On lattices, learning with errors, random linear codes, and cryptography, STOC 2005, ACM (2005) p J. Hoffstein: J. Pipher, and J. H. Silverman, NTRU: A Ring Based Public Key Cryptosystem in Algorithmic Number Theory. Lecture Notes in Computer Science 1423, Springer-Verlag, pp , Pittet Shillong: 2013, November 18-29, Fourier analysis of groups in combinatorics, CIMPA-UNESCO-MESR-MINECO-INDIA research school: North Eastern Hill University, Shillong. 5 A. Nitaj: Quantum and Post Quantum Cryptography. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY48 / 51

59 Conclusion Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY49 / 51

Conclusion Conclusion Lattice based cryptography Can be used to build

Can be used to build fully homomorphic encryption, Digital signatures,

Many hard problems (SVP, CVP,...). Fast implementation.

60 Conclusion Conclusion Lattice based cryptography Can be used to build cryptographic schemes (GGH, NTRU, LWE,...). Can be used to build fully homomorphic encryption, Digital signatures, identity based encryption IBE, hash functions. Many hard problems (SVP, CVP,...). Fast implementation. Resistance to quantum computers and NSA. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY50 / 51

61 Conclusion Merci Thank you Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY51 / 51

Post-Quantum Cryptography

Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike