Part 2 LWE-based cryptography

Transcription

1 Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, Funding acknowledgements:

2 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 2 Post-quantum crypto Classical crypto with no known exponential quantum speedup Hash-based Code-based Multivariate Latticebased Isogenies Merkle signatures Sphincs McEliece Niederreiter multivariate quadratic NTRU learning with errors ring-lwe supersingular elliptic curve isogenies

3 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 3 Quantum-safe crypto Classical post-quantum crypto Quantum crypto Quantum key distribution Hash-based Merkle signatures Sphincs Code-based McEliece Niederreiter Multivariate multivariate quadratic Latticebased NTRU learning with errors ring-lwe Isogenies supersingular elliptic curve isogenies Quantum random number generators Quantum channels Quantum blind computation

4 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 4 Today's agenda 1. Quantum computing and its impact on cryptography (Mosca) 2. LWE-based cryptography (Stebila) 3. Isogeny-based cryptography (Jao) 4. Additional topics Security models for post-quantum cryptography (Jao) Applications (Stebila) Topics excluded: Code-based cryptography Hash-based signatures Multivariate cryptography

5 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 5 Learning with errors problems

6 Linear system problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 6 Solving systems of linear equations Z secret Z = Z

7 Linear system problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 7 Solving systems of linear equations Z secret Z = Z

8 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 8 Learning with errors problem random secret small noise Z Z Z Z =

9 Search LWE problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 9 Learning with errors problem random secret small noise Z Z Z Z =

10 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 10 Search LWE problem Let n, m, and q be positive integers. Let s and e be distributions over Z. Let s $ n $ s. Let a i U(Z n $ q ), e i e, and set b i ha i, si + e i mod q, for i =1,...,m. The search LWE problem for (n, m, q, s, e) is to find s given (a i,b i ) m i=1. In particular, for algorithm A, define the advantage Adv lwe n,m,q, s, e (A) =Pr s $ n s ; a i $ U(Z n q ); e i $ b i ha i, s i i + e mod q : A((a i,b i ) m i=1) =s). e;

11 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 11 Decision learning with errors problem random secret small noise looks random Z Z Z Z = Decision LWE problem: given blue, distinguish green from random

12 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 12 Decision LWE problem Let n and q be positive integers. Let s and e be distributions over Z. Let s $ n s. Define the following two oracles: O e,s: a $ U(Z n q ), e $ e;return(a, ha, si + e mod q). U: a $ U(Z n q ), u $ U(Z q ); return (a,u). The decision LWE problem for (n, q, s, e) is to distinguish O,s from U. In particular, for algorithm A, define the advantage Adv dlwe n,q, s, e (A) = Pr(s $ Z n q : A O e,s () = 1) Pr(A U () = 1).

13 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 13 Choice of error distribution Usually a discrete Gaussian distribution of width s = q < 1 for error rate Define the Gaussian function s (x) =exp( kxk 2 /s 2 ) The continuous Gaussian distribution has probability density function Z f(x) = s (x)/ s (z)dz = s (x)/s n R n

14 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 14 Short secrets The secret distribution s was originally taken to be the uniform distribution Short secrets: use s = e There's a tight reduction showing that LWE with short secrets is hard if LWE with uniform secrets is hard

15 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 15 Toy example versus real-world example Z Z bits = 11 KiB

16 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 16 Ring learning with errors problem random Z Each row is the cyclic shift of the row above

17 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 17 Ring learning with errors problem random Z Each row is the cyclic shift of the row above with a special wrapping rule: x wraps to x mod 13.

18 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 18 Ring learning with errors problem random Z Each row is the cyclic shift of the row above with a special wrapping rule: x wraps to x mod 13. So I only need to tell you the first row.

19 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 19 Ring learning with errors problem 4 + 1x + 11x x 3 Z 13 [x]/hx 4 +1i random x + 11x x 3 0 1x + 1x 2 + 1x 3 secret small noise = x + 10x 2 + 7x 3

20 Search ring-lwe problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 20 Ring learning with errors problem 4 + 1x + 11x x 3 Z 13 [x]/hx 4 +1i random secret + small noise = x + 10x 2 + 7x 3

21 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 21 Search ring-lwe problem Let R = Z[X]/hX n +1i, wheren is a power of 2. Let q be an integer, and define R q = R/qR, i.e.,r q = Z q [X]/hX n +1i. Let s and e be distributions over R q. Let s $ s. Let a $ U(R q ), e $ e, and set b as + e. The search ring-lwe problem for (n, q, s, e) is to find s given (a, b). In particular, for algorithm A define the advantage Adv rlwe n,q, s, e (A) =Pr s $ s; a $ U(R q ); e $ e; b as + e : A(a, b) =s.

22 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 22 Decision ring-lwe problem Let n and q be positive integers. Let s and e be distributions over R q. Let s $ s. Define the following two oracles: O e,s: a $ U(R q ), e $ e;return(a, as + e). U: a, u $ U(R q ); return (a, u). The decision ring-lwe problem for (n, q, s, e) is to distinguish O e,s from U. In particular, for algorithm A, define the advantage Adv drlwe n,q, s, e (A) = Pr(s $ R q : A O e,s () = 1) Pr(A U () = 1).

23 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 23 Problems Computational LWE problem Decision LWE problem with or without short secrets Computational ring-lwe problem Decision ring-lwe problem

24 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 24 Search-decision equivalence Easy fact: If the search LWE problem is easy, then the decision LWE problem is easy. Fact: If the decision LWE problem is easy, then the search LWE problem is easy. Requires nq calls to decision oracle Intuition: test the each value for the first component of the secret, then move on to the next one, and so on.

25 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 25 NTRU problem For an invertible s 2 R q and a distribution on R, define N s, to be the distribution that outputs e/s 2 R q where e $. The NTRU learning problem is: given independent samples a i 2 R q where every sample is distributed according to either: (1) N s, for some randomly chosen s 2 R q (fixed for all samples), or (2) the uniform distribution, distinguish which is the case.

26 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 26 "Lattice-based"

27 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 27 Hardness of decision LWE "lattice-based" worst-case gap shortest vector problem (GapSVP) poly-time [Regev05, BLPRS13] decision LWE

28 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 28 Lattices Let B = {b 1, b n } Z n n q be a set of linearly independent basis vectors for Z n q. Define the corresponding lattice ( n ) X L = L(B) = z i b i : z i 2 Z. (In other words, a lattice is a set of integer linear combinations.) i=1 Define the minimum distance of a lattice as 1(L) = min kvk. v2l\{0}

29 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 29 Shortest vector problem The shortest vector problem (SVP) is: given a basis B for some lattice L = L(B), find a shortest non-zero vector, i.e., find v 2 L such that kvk = 1 (L). The decision approximate shortest vector problem (GapSVP ) is: given a basis B for some lattice L = L(B) whereeither 1(L) apple 1 or 1(L) >, determine which is the case.

30 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 30 Regev's iterative reduction Theorem. [Reg05] For any modulus q apple 2 poly(n) and any discretized Gaussian error distribution of parameter q 2 p n where 0 < < 1, solving the decision LWE problem for (n, q, U, ) with at most m = poly(n) samples is at least as hard as quantumly solving GapSVP and SIVP on arbitrary n- dimensional lattices for some = Õ(n/ ). The polynomial-time reduction is extremely non-tight: approximately O(n 13 ). [Regev; STOC 2005]

31 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 31 Solving the (approximate) shortest vector problem The complexity of GapSVP depends heavily on how and n relate, and get harder for smaller. Algorithm Time Approx. factor LLL algorithm poly(n) (n log log n/ log n) 2 various 2 (n log n) poly(n) various 2 (n) time and space poly(n) Sch87 2 (n/k) 2 k p NP \ co-np n NP-hard n o(1) In cryptography, we tend to use n.

32 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 32 Picking parameters Estimate parameters based on runtime of lattice reduction algorithms. Based on reductions: Calculate required runtime for GapSVP or SVP based on tightness gaps and constraints in each reduction Pick parameters based on best known GapSVP or SVP solvers or known lower bounds Based on cryptanalysis: Ignore tightness in reductions. Pick parameters based on best known LWE solvers relying on lattice solvers.

33 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 33 Ring-LWE LWE Cyclic structure Z Þ Save communication, more efficient computation 4 KiB representation Z bits = 11 KiB

34 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 34 Why consider (slower, bigger) LWE? Generic vs. ideal lattices Ring-LWE matrices have additional structure Relies on hardness of a problem in ideal lattices LWE matrices have no additional structure Relies on hardness of a problem in generic lattices Currently, best algorithms for ideal lattice problems are essentially the same as for generic lattices Small constant factor improvement in some cases Very recent quantum polynomial time algorithm for Ideal-SVP ( but not immediately applicable to ring- LWE NTRU also relies on a problem in a type of ideal lattices If we want to eliminate this additional structure, can we still get an efficient protocol?

35 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 35 Public key encryption from LWE

36 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 36 Regev's public key encryption scheme Let n, m, q, be LWE parameters. KeyGen(): s $ Z n q. A $ Z m n q. e $ (Z m q ). b As + e. Return pk (A, b), sk s. Enc(pk, x 2 {0, 1}): s 0 $ {0, 1} m. b 0 s 0 A. v 0 hs 0, bi. c x encode(v 0 ). Return (b 0,c). Dec(sk, (b 0,c)): v hb 0, si. Returndecode(v). [Regev; STOC 2005]

37 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 37 Encode/decode encode(x 2 {0, 1}) j q x 2k ( decode(x 2 Z q ) 0, if x 2 [ 1, otherwise q 4, q 4 ) [Regev; STOC 2005]

38 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 38 Lindner Peikert public key encryption Let n, q, be LWE parameters. KeyGen(): s $ (Z n ). A $ Z n n q. e $ (Z n ). b As + e. Return pk (A, b) and sk s. Enc(pk, x 2 {0, 1}): s 0 $ (Z n ). e 0 $ (Z n ). b 0 s 0 A + e 0. e 00 $ ṽ 0 hs 0, bi + e 00. c encode(x)+ṽ 0.Returnctxt ( b 0,c). (Z). Dec(sk, ( b 0,c)): v h b 0, si. Returndecode(c v). [Lindner, Peikert; CT-RSA 2011]

39 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 39 Correctness Sender and receiver approximately compute the same shared secret s 0 As ṽ 0 = hs 0, bi + e 00 = s 0 (As + e)+e 00 = s 0 As + hs 0, ei + e 00 s 0 As v = h b 0, si =(s 0 A + e 0 )s = s 0 As + he 0, si s 0 As

40 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 40 Difference between Regev and Lindner Peikert Regev: Bob s public key is s 0 A where s 0 $ {0, 1} m Encryption mask is hs 0, bi Lindner Peikert: Bob s public key is s 0 A + e 0 where s 0 $ e Encryption mask is hs 0, bi + e 00 In Regev, Bob s public key is a subset sum instance. In Lindner Peikert, Bob s public key and encryption mask is just another LWE instance.

41 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 41 IND-CPA security of Lindner Peikert Indistinguishable against chosen plaintext attacks Theorem. If the decision LWE problem is hard, then Lindner Peikert is IND- CPA-secure. Let n, q, be LWE parameters. Let A be an algorithm. Then there exist algorithms B 1, B 2 such that Adv ind-cpa LP[n,q, ](A) apple Advdlwe n,q, (A B 1 )+Adv dlwe n,q, (A B 2 ) [Lindner, Peikert; CT-RSA 2011]

42 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 42 IND-CPA security of Lindner Peikert Game 0: Decision-LWE Game 1: Rewrite Game 2: 1: A $ U(Z n n q ) 2: s, e $ (Z n q ) 3: b As + e 4: s 0, e 0 $ (Z n q ) 5: b0 s 0 A + e 0 6: e 00 $ (Z q ) 7: ṽ 0 s 0 b + e 00 8: c 0 encode(0) + ṽ 0 9: c 1 encode(1) + ṽ 0 10: b $ U({0, 1}) 11: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0, e 0 $ (Z n q ) 4: b0 s 0 A + e 0 5: e 00 $ (Z q ) 6: ṽ 0 s 0 b + e 00 7: c 0 encode(0) + ṽ 0 8: c 1 encode(1) + ṽ 0 9: b $ U({0, 1}) 10: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0 $ 4: [e 0 ke 00 ] 5: (Z n q ) $ (Z n+1 q ) [ b 0 kṽ 0 ] s 0 [Ak b]+[e 0 ke 00 ] 6: c 0 encode(0) + ṽ 0 7: c 1 encode(1) + ṽ 0 8: b $ U({0, 1}) 9: return (A, b, b 0,c b ) [Lindner, Peikert; CT-RSA 2011]

43 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 43 IND-CPA security of Lindner Peikert Game 2: Decision-LWE Game 3: Rewrite Game 4: 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0 $ 4: [e 0 ke 00 ] 5: (Z n q ) $ (Z n+1 q ) [ b 0 kṽ 0 ] s 0 [Ak b]+[e 0 ke 00 ] 6: c 0 encode(0) + ṽ 0 7: c 1 encode(1) + ṽ 0 8: b $ U({0, 1}) 9: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: [ b 0 kṽ 0 ] $ U(Z n+1 q ) 4: c 0 encode(0) + ṽ 0 5: c 1 encode(1) + ṽ 0 6: b $ U({0, 1}) 7: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: [ b 0 kṽ 0 ] $ U(Z n+1 q ) 4: b $ U({0, 1}) 5: return (A, b, b 0, ṽ 0 ) Independent of hidden bit [Lindner, Peikert; CT-RSA 2011]

44 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 44 Public key validation No public key validation possible in IND-CPA KEMs/PKEs from LWE/ring- LWE Key reuse in LWE/ring-LWE leads to real attacks following from searchdecision equivalence Comment in [Peikert, PQCrypto 2014] Attack described in [Fluhrer, Eprint 2016] Need to ensure usage is okay with just IND-CPA Or construct IND-CCA KEM/PKE using Fujisaki Okamoto transform or quantum-resistant variant [Targhi Unruh, TCC 2016] [Hofheinz et al., Eprint 2017]

45 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 45 Direct key agreement

46 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 46 LWE and ring-lwe public key encryption and key exchange Regev STOC 2005 Public key encryption from LWE Lyubashevsky, Peikert, Regev Eurocrypt 2010 Public key encryption from ring-lwe Lindner, Peikert eprint 2010, CT-RSA 2011 Public key encryption from LWE and ring-lwe Approximate key exchange from LWE Ding, Xie, Lin eprint 2012 Key exchange from LWE and ring-lwe with single-bit reconciliation Peikert PQCrypto 2014 Key encapsulation mechanism based on ring-lwe and variant single-bit reconciliation Bos, Costello, Naehrig, Stebila IEEE S&P 2015 Implementation of Peikert's ring-lwe key exchange, testing in TLS 1.2

47 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 47 Basic LWE key agreement (unauthenticated) Based on Lindner Peikert LWE public key encryption scheme Alice public: big A in Z q n x m Bob secret: random small s, e in Z q m b = As + e secret: random small s', e' in Z q n b' = s'a + e' shared secret: b's = s'as + e's s'as shared secret: s'b s'as These are only approximately equal need rounding

48 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 48 Rounding Each coefficient of the polynomial is an integer modulo q Treat each coefficient independently Techniques by Ding [Din12] and Peikert [Pei14] [Ding; eprint 2012] [Peikert; PQCrypto 2014]

49 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 49 Basic rounding Round either to 0 or q/2 Treat q/2 as 1 q/4 This works most of the time: prob. failure q/2 round to 1 round to 0 0 Not good enough: we need exact key agreement. 3q/4

50 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 50 Rounding (Peikert) Bob says which of two regions the value is in: or q/4 q/4 If q/2 0 q/2 0 3q/4 q/4 3q/4 If q/2 0 3q/4 [Peikert; PQCrypto 2014]

51 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 51 Rounding (Peikert) If alice bob q/8, then this always works. q/4 bob alice alice If q/2 0 alice 3q/4 Security not affected: revealing or leaks no information [Peikert; PQCrypto 2014]

52 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 52 Exact LWE key agreement (unauthenticated) Alice public: big A in Z q n x m Bob secret: random small s, e in Z q m b = As + e secret: random small s', e' in Z q n b' = s'a + e', or shared secret: round(b's) shared secret: round(s'b)

53 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 53 Exact ring-lwe key agreement (unauthenticated) Alice public: big a in R q = Z q [x]/(x n +1) Bob secret: random small s, e in R q b = a s + e secret: random small s, e in R q b = a s + e, or shared secret: round(s b ) shared secret: round(b s )

54 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 54 Exact LWE key agreement "Frodo" Uses two matrix forms of LWE: Public key is n x n matrix Shared secret is m x n matrix A generated pseudorandomly Secure if decision learning with errors problem is hard (and Gen is a random oracle). [Bos et al.; ACM CCS 2016]

55 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 55 Rounding Error distribution We extract 4 bits from each of the 64 matrix entries in the shared secret More granular form of Peikert s 400 rounding var. = Parameter sizes, rounding, and error distribution all found via search scripts. Close to discrete Gaussian in terms of Rényi divergence ( ) Only requires 12 bits of randomness to sample

56 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 56 Parameters Recommended All known variants of the sieving algorithm require a list of vectors to be created of this size Paranoid 144-bit classical security, 130-bit quantum security, 103-bit plausible lower bound n = 752, m = 8, q = 2 15 χ = approximation to rounded Gaussian with 11 elements Failure: Total communication: 22.6 KiB 177-bit classical security, 161-bit quantum security, 128-bit plausible lower bound n = 864, m = 8, q = 2 15 χ = approximation to rounded Gaussian with 13 elements Failure: Total communication: 25.9 KiB

57 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 57 Exact ring-lwe key agreement "BCNS15" [Bos, Costello, Naehrig, Stebila; IEEE S&P 2015]

58 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 58 Parameters 160-bit classical security, 80-bit quantum security n = 1024 q = χ = discrete Gaussian with parameter sigma = 8/sqrt(2π) Failure: Total communication: 8.1 KiB

59 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 59 Implementation aspect 1: Polynomial arithmetic Polynomial multiplication in R q = Z q [x]/(x ) done with Nussbaumer s FFT: If 2 m = rk, then R[X] hx 2m +1i = R[Z] hz r +1i [X] hx k Zi Rather than working modulo degree-1024 polynomial with coefficients in Z q, work modulo: degree-256 polynomial whose coefficients are themselves polynomials modulo a degree-4 polynomial, or degree-32 polynomials whose coefficients are polynomials modulo degree-8 polynomials whose coefficients are polynomials or

60 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 60 Implementation aspect 2: Sampling discrete Gaussians D Z, (x) = 1 S e x for x 2 Z, 3.2,S =8 Security proofs require small elements sampled within statistical distance of the true discrete Gaussian We use inversion sampling: precompute table of cumulative probabilities For us: 52 elements, size = bits Sampling each coefficient requires six 192-bit integer comparisons and there are 1024 coefficients for constant time

61 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 61 Sampling is expensive [Bos, Costello, Naehrig, Stebila; IEEE S&P 2015]

62 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 62 NewHope Alkim, Ducas, Pöppelman, Schwabe. USENIX Security 2016 New parameters Different error distribution Improved performance Pseudorandomly generated parameters Further performance improvements by others [GS16,LN16,AOPPS17, ]

63 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 63 Implementations Our implementations Ring-LWE BCNS15 LWE Frodo Pure C implementations Constant time Compare with others RSA 3072-bit (OpenSSL 1.0.1f) ECDH nistp256 (OpenSSL) Use assembly code Ring-LWE NewHope NTRU EES743EP1 SIDH (Isogenies) (MSR) Pure C implementations

64 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 64 Post-quantum key exchange performance Speed Communication RSA 3072-bit Fast 4 ms Small 0.3 KiB ECDH nistp256 Very fast 0.7 ms Very small 0.03 KiB Code-based Very fast 0.5 ms Very large 360 KiB NTRU Very fast ms Medium 1 KiB Ring-LWE Very fast ms Medium 2 4 KiB LWE Fast 1.4 ms Large 11 KiB SIDH Med. slow ms Small 0.5 KiB See [Bos, Costello, Ducas, Mironov, Naehrig, Nikolaenko, Raghunathan, Stebila, ACM CCS 2016] for details/methodology

65 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 65 Other applications of LWE

66 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 66 Fully homomorphic encryption from LWE KeyGen(): s $ (Z n q ) Enc(sk, µ 2 Z 2 ): Pick c 2 Z n q satisfies e µ mod 2. such that hs, ci = e mod q where e 2 Z Dec(sk, c): Compute hs, ci 2Z q, represent this as e 2 Z \ [ Return µ 0 e mod 2. q 2, q 2 ). [Brakerski, Vaikuntanathan; FOCS 2011]

67 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 67 Fully homomorphic encryption from LWE c 1 + c 2 encrypts µ 1 + µ 2 : hs, c 1 + c 2 i = hs, c 1 i + hs, c 2 i = e 1 + e 2 mod q Decryption will work as long as the error e 1 + e 2 remains below q/2. [Brakerski, Vaikuntanathan; FOCS 2011]

68 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 68 Fully homomorphic encryption from LWE Let c 1 c 2 =(c 1,i c 2,j ) i,j 2 Z n2 q be the tensor product (or Kronecker product). c 1 c 2 is the encryption of µ 1 µ 2 under secret key s s: hs s, c 1 c 2 i = hs, c 1 i hs, c 2 i = e 1 e 2 mod q Decryption will work as long as the error e 1 e 2 remains below q/2. [Brakerski, Vaikuntanathan; FOCS 2011]

69 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 69 Fully homomorphic encryption from LWE Error conditions mean that the number of additions and multiplications is limited. Multiplication increases the dimension (exponentially), so the number of multiplications is again limited. There are techniques to resolve both of these issues. Key switching allows converting the dimension of a ciphertext. Modulus switching and bootstrapping are used to deal with the error rate.

70 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 70 Digital signatures [Lyubashevsky 2011] KeyGen(): S $ { d,..., 0,...,d} m k, A $ Z n m q, T AS. Secret key: S; publickey:(a, T). Sign(S,µ): y $ m ; c H(Ay,µ); z Sc + y. With prob. p(z) output (z, c), else restart Sign. "Rejection sampling" Vfy((A, T),µ,(z, c)): Accept i kzk apple p m and c = H(Az Tc,µ) [Lyubashevsky; Eurocrypt 2012]

71 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 71 Post-quantum signature sizes Public key Signature RSA 3072-bit Small 0.3 KiB Small 0.3 KiB ECDSA nistp256 Very small 0.03 KiB Very small 0.03 KiB Hash-based (stateful) Small 0.9 KiB Medium 3.6 KiB Hash-based (stateless) Small 1 KiB Large 32 KiB Lattice-based (ignoring tightness) Lattice-based (respecting tightness) Medium KiB Medium 3 9 KiB Very large 1330 KiB Small 1.2 KiB SIDH Small KiB Very large KiB See [Bindel, Herath, McKague, Stebila PQCrypto 2017] for details

72 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 72 Summary

73 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 73 Summary LWE and ring-lwe problems Search, decision, short secrets Reduction from GapSVP to LWE Public key encryption from LWE Regev Lindner Peikert Key exchange from LWE / ring-lwe Other applications of LWE

74 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 74 More reading Post-Quantum Cryptography by Bernstein, Buchmann, Dahmen A Decade of Lattice Cryptography by Chris Peikert