HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Similar documents
Post-Quantum Cryptography

Applications of Lattice Reduction in Cryptography

Post Quantum Cryptography

Lattice-Based Cryptography

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

Gurgen Khachatrian Martun Karapetyan

Open problems in lattice-based cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

MaTRU: A New NTRU-Based Cryptosystem

A new attack on RSA with a composed decryption exponent

Weaknesses in Ring-LWE

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

A New Attack on RSA with Two or Three Decryption Exponents

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

MATH 158 FINAL EXAM 20 DECEMBER 2016

An Overview of Homomorphic Encryption

Ideal Lattices and NTRU

Fully Homomorphic Encryption

Post-quantum key exchange for the Internet based on lattices

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

FULLY HOMOMORPHIC ENCRYPTION

New attacks on RSA with Moduli N = p r q

Slides by Kent Seamons and Tim van der Horst Last Updated: Oct 1, 2013

Background: Lattices and the Learning-with-Errors problem

Classical hardness of the Learning with Errors problem

arxiv: v3 [cs.it] 14 Nov 2012

9 Knapsack Cryptography

Chapter 4 Asymmetric Cryptography

Asymmetric Cryptography

A New Generalization of the KMOV Cryptosystem

Asymmetric Encryption

Lattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid

Quantum-resistant cryptography

Public Key Algorithms

RSA. Ramki Thurimella

Partially homomorphic encryption schemes over finite fields

Methods of Public-Key Cryptography. Émilie Wheeler

Lattice Reduction of Modular, Convolution, and NTRU Lattices

Lecture V : Public Key Cryptography

The Elliptic Curve in https

Cryptography IV: Asymmetric Ciphers

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Notes for Lecture 15

Recent Advances in Identity-based Encryption Pairing-free Constructions

Computing with Encrypted Data Lecture 26

Classical hardness of Learning with Errors

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Random Small Hamming Weight Products with Applications to Cryptography

On error distributions in ring-based LWE

Threshold Cryptography

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Introduction to Modern Cryptography. Benny Chor

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

New Cryptosystem Using The CRT And The Jordan Normal Form

Aitken and Neville Inverse Interpolation Methods over Finite Fields

A new security notion for asymmetric encryption Draft #8

CPSC 467b: Cryptography and Computer Security

Lecture 1: Introduction to Public key cryptography

A new security notion for asymmetric encryption Draft #12

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

NTRU Cryptosystem and Its Analysis

Implementation of Automatic Invertible Matrix Mechanism in NTRU Matrix Formulation Algorithm

Other Public-Key Cryptosystems

Introduction to Cryptography. Lecture 8

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Public-Key Cryptosystems CHAPTER 4

High-speed cryptography, part 3: more cryptosystems. Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven

CIS 551 / TCOM 401 Computer and Network Security

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CPSC 467: Cryptography and Computer Security

Lower bounds of shortest vector lengths in random knapsack lattices and random NTRU lattices

Shai Halevi IBM August 2013

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

A new security notion for asymmetric encryption Draft #10

Cryptology. Scribe: Fabrice Mouhartem M2IF

LECTURE 5: APPLICATIONS TO CRYPTOGRAPHY AND COMPUTATIONS

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

CPSC 467b: Cryptography and Computer Security

CRYPTOGRAPHY AND NUMBER THEORY

Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.

Mathematics of Cryptography

Homomorphic Encryption. Liam Morris

Notes for Lecture 16

Fully Key-Homomorphic Encryption and its Applications

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Implementing Ring-LWE cryptosystems

Lattice Based Crypto: Answering Questions You Don't Understand

Ti Secured communications

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

5199/IOC5063 Theory of Cryptology, 2014 Fall

Mathematics of Public Key Cryptography

An Introduction to Probabilistic Encryption

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

University of Tokyo: Advanced Algorithms Summer Lecture 6 27 May. Let s keep in mind definitions from the previous lecture:

Polynomial Interpolation in the Elliptic Curve Cryptosystem

Introduction to Elliptic Curve Cryptography

Transcription:

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 2 / 51

Introduction Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 3 / 51

Introduction Cryptography in daily life 1 Cell phone conversations 2 Emails 3 Shopping online 4 Online banking 5 Aircraft Communications 6 Satellite communications 7 Government communications 8 Medical records 9 Cloud storage (Dropbox, Microsoft One Drive, Google Drive,...) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 4 / 51

Introduction RSA RSA Invented in 1978 by Rivest, Shamir and Adleman. Hard Problem : IFP Integer Factorization Problem: Let N = pq be the product of two large prime numbers p and q. The integer factorization problem is to find p and q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51

Introduction RSA RSA Invented in 1978 by Rivest, Shamir and Adleman. Hard Problem : IFP Integer Factorization Problem: Let N = pq be the product of two large prime numbers p and q. The integer factorization problem is to find p and q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51

Introduction RSA RSA Invented in 1978 by Rivest, Shamir and Adleman. Hard Problem : IFP Integer Factorization Problem: Let N = pq be the product of two large prime numbers p and q. The integer factorization problem is to find p and q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 5 / 51

Introduction Diffie-Hellman and El Gamal Diffie-Hellman: invented in 1976 by W. Diffie and M. Hellman. El Gamal: invented in 1985 by T. El Gamal. Hard Problem: DLP Discrete Logarithm Problem: Let g and b be two positive integers and p be prime number. Find x such that g x b (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 6 / 51

Introduction Diffie-Hellman and El Gamal Diffie-Hellman: invented in 1976 by W. Diffie and M. Hellman. El Gamal: invented in 1985 by T. El Gamal. Hard Problem: DLP Discrete Logarithm Problem: Let g and b be two positive integers and p be prime number. Find x such that g x b (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 6 / 51

Introduction ECC ECC ECC (Elliptic Curve Cryptography), invented in 1985 (independently) by Koblitz and Miller. Hard Problem: ECLDP Elliptic Curve Discrete Logarithm Problem : Let P and Q be tow points on an elliptic curve E. Find n such that np = Q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 7 / 51

Introduction ECC ECC ECC (Elliptic Curve Cryptography), invented in 1985 (independently) by Koblitz and Miller. Hard Problem: ECLDP Elliptic Curve Discrete Logarithm Problem : Let P and Q be tow points on an elliptic curve E. Find n such that np = Q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 7 / 51

Homomorphic encryption Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 8 / 51

Homomorphic encryption Desirable cryptographic properties For the cloud Store encrypted data on the cloud. Allow the cloud to process on the encrypted data Perform computations or search on data without decrypting it. Decrypt the result to get the same answer as performing an analogous operation on the original data. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 9 / 51

Homomorphic encryption Desirable cryptographic properties Example Store the emails on the cloud. Encrypt an inquiry and perform it on the cloud without decrypting it. Decrypt the result to get the same answer as performing an analogous operation on the original data. The simplified scheme Encrypt a data x as Enc(x) and store it on the cloud. Encrypt a function f as Enc(f) and send it to the cloud. Ask the cloud to perform Enc(f)[Enc(x)]=Enc(f(x)). Download Enc(f(x)) and decrypt it to get f(x). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY10 / 51

Homomorphic encryption Desirable cryptographic properties Example Store the emails on the cloud. Encrypt an inquiry and perform it on the cloud without decrypting it. Decrypt the result to get the same answer as performing an analogous operation on the original data. The simplified scheme Encrypt a data x as Enc(x) and store it on the cloud. Encrypt a function f as Enc(f) and send it to the cloud. Ask the cloud to perform Enc(f)[Enc(x)]=Enc(f(x)). Download Enc(f(x)) and decrypt it to get f(x). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY10 / 51

Homomorphic encryption Homomorphic systems The concept of homomorphic encryption It allows certain types of operations to be carried out on the encrypted data without the need to decrypt them. Proposed by Rivest, Adleman, and Dertouzos in 1978. Many schemes are partially homomorphic. In 2009, Gentry presented the first fully homomorphic encryption scheme: totally impracticable. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY11 / 51

Homomorphic encryption Homomorphic systems Homomorphism If (G 1, ) and (G 2, ) are two groups, then a function f : G 1 G 2 is a group homomorphism if f(x y) = f(x) f(y) for all x, y G 1 Examples: f(x) = e x, f(x) = log(x),... Partially homomorphic encryption Additively homomorphic: Enc(x)+Enc(y)= Enc(x + y). Multiplicatively: Enc(x) Enc(y)= Enc(x y). Fully homomorphic encryption (FHE) Fully homomorphic encryption allows to do arbitrary computations on encrypted data without decrypting it. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY12 / 51

Homomorphic encryption The RSA example RSA addition: not homomorphic Private m 1 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) m 2 c 2 m e 2 (mod N) (m e 1 + me 2 )d RSA(N,d) m 1 + m 2 c 1 + c 2 m e 1 + me 2 (mod N) RSA multiplication: homomorphic Private m 1 m 2 ((m 1 m 2 ) e ) d m 1 m 2 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) c 2 m e 2 (mod N) RSA(N,d) c 1 c 2 (m 1 m 2 ) e (mod N) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY13 / 51

Homomorphic encryption The RSA example RSA addition: not homomorphic Private m 1 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) m 2 c 2 m e 2 (mod N) (m e 1 + me 2 )d RSA(N,d) m 1 + m 2 c 1 + c 2 m e 1 + me 2 (mod N) RSA multiplication: homomorphic Private m 1 m 2 ((m 1 m 2 ) e ) d m 1 m 2 RSA(N,e) The cloud c 1 m e 1 RSA(N,e) (mod N) c 2 m e 2 (mod N) RSA(N,d) c 1 c 2 (m 1 m 2 ) e (mod N) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY13 / 51

Homomorphic encryption Partial homomorphic systems RSA: multiplicatively homomorphic Given c 1 m e 1 (mod N), c 2 m e 2 (mod N). Then c 1 c 2 m e 1 m e 2 (m 1 m 2 ) e (mod N). ElGamal: multiplicatively homomorphic Given c 1 = ( g a 1, g a ) 1b 1 m 1 (mod p), c2 = ( g a 2, g a ) 2b 2 m 2 (mod p). Then ) c 1 c 2 = (g a 1+a 2, g a 1b 1 +a 2 b 2 m 1 m 2 (mod p). Paillier: additively homomorphic Given c 1 = g m 1 r N 1 (mod N 2 ), c 2 = g m 2 r N 2 (mod N 2 ). Then c 1 c 2 = g m 1+m 2 (rs) N (mod N 2 ). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY14 / 51

Homomorphic encryption DGHV: Somewhat Homomorphic Encryption DGHV: 2010 Invented by van Dijk, Gentry, Halevi, and Vaikuntanathan. The first fully homomorphic encryption over the integers. Choose a secret large prime key p. Choose a large integer q. Choose a small integer r < p 2. Encrypt m {0, 1} as c = qp + 2r + m. Decrypt c using (c mod p) mod 2 = m. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY15 / 51

Homomorphic encryption Homomorphic properties of DGHV c 1 = q 1 p + 2r 1 + m 1, c 2 = q 2 p + 2r 2 + m 2 Addition c 1 + c 2 = (q 1 + q 2 )p + 2(r 1 + r 2 ) + m 1 + m 2. Hence Enc(m 1 + m 2 )=Enc(m 1 )+Enc(m 2 ). Multiplication c 1 c 2 = (c 2 q 1 + c 1 q 2 q 1 q 2 p)p + 2(2r 1 r 2 + r 1 m 2 + r 2 m 1 ) + m 1 m 2. Hence Enc(m 1 m 2 )=Enc(m 1 ) Enc(m 2 ). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY16 / 51

LWE Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY17 / 51

LWE Learning With Errors LWE Invented by O. Regev in 2005. Security based on the GapSVP problem. Provable Security. Definition The GapSVP problem: Let L be a lattice with a basis B. Let λ 1 (L) be the length of the shortest nonzero vector of L. Let γ > 0 and r > 0. Decide whether λ 1 (L) < r or λ 1 (L) > γr. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY18 / 51

LWE Learning With Errors Example Easy: solve the system 17 42 127 x 1 3265 24 3 71 x 2 = 246 7 23 45 x 3 1202 Harder: solve the system 117 422 127 214 23 71 17 } 223 {{ 45 } A x 1 x 2 x 3 }{{} S AS + E = P : LWE equation over Z. }{{} + + e 1 e 2 e 3 }{{} E }{{} = = 4718 4177 } 2485 {{ } P Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY19 / 51

LWE Learning With Errors Example Hard: solve the system 17 42 127 x 1 116 (mod 503) 24 3 71 x 2 = 158 (mod 503) 7 23 45 x 3 271 (mod 503) Much harder: solve the system 117 422 127 x 1 214 23 71 x 2 }{{} + 17 223 45 x 3 + }{{}}{{} A S e 1 e 2 e 3 }{{} E AS + E = P : LWE equation over Z 503. }{{} = = 144 (mod 503) 229 (mod 503) 503 } (mod 503) {{} P Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY20 / 51

LWE Learning With Errors LWE Key Generation Algorithm 1 : LWE Key Generation Require: Integers n, m, l, q. Ensure: A private key S and a public key (A, P ). 1: Choose S Z n l q at random. 2: Choose A Z m n q at random. 3: Choose E Z m l q according to χ(e) = e π E 2 /r 2 for some r > 0. 4: Compute P = AS + E (mod q). Hence P Z m l q. 5: The private key is S. 6: The public key is (A, P ). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY21 / 51

LWE Learning With Errors LWE: Encryption Algorithm 2 : LWE Encryption Require: Integers n, m, l, t, r, q, a public key (A, P ) and a plaintext M Z l 1 t. Ensure: A ciphertext (u, c). 1: Choose a [ r, r] m 1 at random. 2: Compute u = A T a (mod q) Z ] n 1 3: Compute c = P T a + [ Mq t 4: The ciphertext is (u, c). q. (mod q) Z l 1 q. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY22 / 51

LWE Learning With Errors LWE: Decryption Algorithm 3 : LWE Decryption Require: Integers n, m, l, t, r, q, a private key S and a ciphertext (u, c). Ensure: A plaintext M. ] 1: Compute v = c S T u and M =. [ tv q Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY23 / 51

LWE Learning With Errors Correctness of decryption We have Hence v = c S T u [ ] Mq = (AS + E) T a S T A T a + t [ ] Mq = E T a +. t [ ] [ tv te T a = + t q q q [ Mq t ]]. With suitable parameters, the term tet a q is negligible and t q ] Consequently = M. [ tv q [ ] Mq t = M. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY24 / 51

LWE LWE Hard Problem Equations The public equation P = AS + E (mod q). ] The public ciphertext c = P T a + (mod q). [ Mq t Can be reduced to the approximate-svp and GapSVP. q-ary lattices Let A Z n l q for some integers q, n, l. The q-ary lattice: { Λ q (A) = y Z l : y A T s (mod q) for some s Z n}. The orthogonal q-ary lattice: { } Λ q (A) = y Z l : Ay 0 (mod q). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY25 / 51

NTRU Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY26 / 51

NTRU NTRU NTRU Invented by Hoffstein, Pipher et Silverman in 1996. Security based on the Shortest Vector Problem (SVP). Various versions between 1996 and 2001. Definition The Shortest Vector Problem (SVP): Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY27 / 51

NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = i+j k (mod N) f i g j. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51

NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = i+j k (mod N) f i g j. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51

NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Polynomials f = N 1 i=0 f ix i, g = N 1 i=0 g ix i, Sum f + g = (f 0 + g 0, f 1 + g 1,, f N 1 + g N 1 ). Product f g = h = (h 0, h 1,, h N 1 ) with h k = i+j k (mod N) f i g j. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY28 / 51

NTRU NTRU: Ring of Convolution Π = Z[X]/(X N 1) Convolution f = (f 0, f 1,, f N 1 ), g = (g 0, g 1,, g N 1 ). }{{} f g = h = (h 0, h 1,, h N 1 ) 1 X X k X N 1 f 0 g 0 f 0 g 1 f 0 g k f 0 g N 1 + f 1 g N 1 f 1 g 0 f 1 g k 1 f 1 g N 2 + f 2 g N 2 f 2 g N 1 f 2 g k 2 f 2 g N 3..... + f N 2 g 2 f N 2 g 3 f N 2 g k+2 f N 2 g 1 + f N 1 g 1 f N 1 g 2 f N 1 g k+1 f N 1 g 0 h = h 0 h 1 h k h N 1 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY29 / 51

NTRU NTRU Parameters N = a prime number (e.g. N = 167, 251, 347, 503). q = a large modulus (e.g. q = 128, 256). p = a small modulus (e.g. p = 3). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY30 / 51

NTRU NTRU Algorithms Key Generation: Randomly choose two private polynomials f and g. Compute the inverse of f modulo q: f f q = 1 (mod q). Compute the inverse of f modulo p: f f p = 1 (mod p). Compute the public key h = f q g (mod q). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY31 / 51

NTRU NTRU Algorithms Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51

NTRU NTRU Algorithms Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51

NTRU NTRU Algorithms Encryption: m is a plaintext in the form of a polynomial mod q. Randomly choose a private polynomial r. Compute the encrypted message e = m + pr h (mod q). Decryption: Compute a = f e = f (m + pr h) = f m + pr g (mod q). Compute a f p = (f m + pr g) f p = m (mod p). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY32 / 51

NTRU NTRU Correctness of decryption We have a f e (mod q) a f (p r h + m) (mod q) a f r (p g f q ) + f m (mod q) a p r g f f q + f m (mod q) a p r g + f m (mod q). If p r g + f m [ q 2, 2] q, then m a f p mod p. MAPLE p. 24 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY33 / 51

NTRU NTRU Example Key generation Public parameters N = 13, p = 3, q = 8. Private keys f = X 12 + X 11 + X 10 + X 9 + X 8 + X 7 + 1, g = X 12 + X 5 X 4 + X 3 X 2 + X 1. f f p 1 (mod p) with f p = 2X 12 +2X 11 +2X 10 +2X 9 +2X 8 +2X 7 +2X 5 +2X 4 +2X 3 +2X 2 +2X. f f q 1 (mod q) with f q = X 12 +X 11 +X 10 +X 9 +X 8 +X 7 +2X 6 +X 5 +X 4 +X 3 +X 2 +X +2. The public key is h g f q (mod q) = 2X 12 + 2X 11 + 2X 9 + 2X 7 + 3X 5 + 2X 3 + 2X. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY34 / 51

NTRU NTRU Example Encryption Message m = X 10 + X 8 + X 7 + X 4 + X 3 + 1. Random error r = X 12 + X 11 + X 8 + X 7 + 1. The ciphertext e = p r h + m (mod q) 5X 12 +2X 11 +3X 10 +2X 9 +5X 8 +3X 7 +2X 6 +5X 5 +6X 4 +4X 3 +2X. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY35 / 51

NTRU NTRU Example Decryption a f e (mod q) 6X 12 + 3X 11 + 6X 10 + 2X 9 + 3X 8 + 4X 7 +6X 6 + 6X 5 + 4X 4 + 7X 3 + X 2 + 6X + 3. m f p a (mod p) X 10 + X 8 + X 7 + X 4 + X 3 + 1, Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY36 / 51

Lattices Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY37 / 51

Lattices Introduction to lattices Definition Let n and d be two positive integers. Let b 1, b d R n be d linearly independent vectors. The lattice L generated by (b 1, b d ) is the set L = { d d } Zb i = x i b i x i Z. i=1 i=1 The vectors b 1, b d are called a vector basis of L. The lattice rank is n and the lattice dimension is d. If n = d then L is called a full rank lattice. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY38 / 51

Lattices Introduction to lattices Example: Lattice with dimension 2 [ ] [ ] 1 0.5 b 1 =, b 0 2 =, L = { v, v = x 1 1 b 1 + x 2 b 2, (x 1, x 2 ) Z 2}. b 2 Figure: The lattice with the basis (b 1, b 2 ) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY39 / 51 b 1

Lattices Introduction to lattices Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY40 / 51

Lattices Introduction to lattices How to find v? v? b 1 b 2 Figure: A lattice with a bad basis (b 1, b 2 ) Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY41 / 51

Lattices Introduction to lattices How to find v? u 2 v? u 1 Figure: The same lattice with a good basis (u 1, u 2 ) b 1 b 2 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY42 / 51

Lattices Short vectors Definition (The Shortest Vector Problem (SVP)) Given a basis matrix B for L, compute a non-zero vector v L such that v is minimal, that is v = λ 1 (L). Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY43 / 51

Lattices Short vectors The shortest vector b 2 b 1 λ 1 Figure: The shortest vectors Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY44 / 51

Lattices Closest Vectors Definition (The Closest Vector Problem (CVP)) Given a basis matrix B for L and a vector v L, compute a vector v 0 L such that v v 0 is minimal. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY45 / 51

Lattices Closest Vectors The closest vector v b 2 v 0 b 1 Figure: The closest vector to v is v 0 Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY46 / 51

Bibliography Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY47 / 51

Bibliography Bibliography 1 P.W. Shor: Polynomial-time algorithms for prime factorization and discrete logarithms on a quantum computer, SIAM J. Computing 26, pp. 1484 1509 (1997). 2 O. Regev: On lattices, learning with errors, random linear codes, and cryptography, STOC 2005, ACM (2005) p. 84 93. 3 J. Hoffstein: J. Pipher, and J. H. Silverman, NTRU: A Ring Based Public Key Cryptosystem in Algorithmic Number Theory. Lecture Notes in Computer Science 1423, Springer-Verlag, pp. 267 288, 1998. 4 Pittet Shillong: 2013, November 18-29, Fourier analysis of groups in combinatorics, CIMPA-UNESCO-MESR-MINECO-INDIA research school: North Eastern Hill University, Shillong. https://hal.archives-ouvertes.fr/cimpa/cel-00963668v1 5 A. Nitaj: Quantum and Post Quantum Cryptography. http://www.math.unicaen.fr/~nitaj/postquant.pdf Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY48 / 51

Conclusion Contents 1 Introduction 2 Homomorphic encryption 3 LWE 4 NTRU 5 Lattices 6 Bibliography 7 Conclusion Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY49 / 51

Conclusion Conclusion Lattice based cryptography Can be used to build cryptographic schemes (GGH, NTRU, LWE,...). Can be used to build fully homomorphic encryption, Digital signatures, identity based encryption IBE, hash functions. Many hard problems (SVP, CVP,...). Fast implementation. Resistance to quantum computers and NSA. Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY50 / 51

Conclusion Merci Thank you Abderrahmane Nitaj (LMNO, Caen) HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY51 / 51

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback