Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt PDF Free Download

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24

Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations: BLISS, NewHope, Frodo, HElib, Λ λ,... 4 Along the Way: open questions, research directions 2 / 24

Foundations 3 / 24

Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b ) N = p q = (Images courtesy xkcd.org) 4 / 24

Lattice-Based Cryptography = (Images courtesy xkcd.org) 4 / 24

Lattice-Based Cryptography = Why? Efficient: linear, embarrassingly parallel operations (Images courtesy xkcd.org) 4 / 24

Lattice-Based Cryptography = Why? Efficient: linear, embarrassingly parallel operations Resists quantum attacks (so far) (Images courtesy xkcd.org) 4 / 24

Lattice-Based Cryptography = Why? Efficient: linear, embarrassingly parallel operations Resists quantum attacks (so far) Security from mild worst-case assumptions (Images courtesy xkcd.org) 4 / 24

Lattice-Based Cryptography = Why? Efficient: linear, embarrassingly parallel operations Resists quantum attacks (so far) Security from mild worst-case assumptions Solutions to holy grail problems in crypto: FHE and related (Images courtesy xkcd.org) 4 / 24

What s a Lattice? A periodic grid in Z m. (Formally: full-rank additive subgroup.) O 5 / 24

What s a Lattice? A periodic grid in Z m. (Formally: full-rank additive subgroup.) Basis B = {b 1,..., b m } : L = m (Z b i ) i=1 b 2 b 1 O 5 / 24

What s a Lattice? A periodic grid in Z m. (Formally: full-rank additive subgroup.) Basis B = {b 1,..., b m } : L = m (Z b i ) i=1 b 1 O b 2 5 / 24

What s a Lattice? A periodic grid in Z m. (Formally: full-rank additive subgroup.) Basis B = {b 1,..., b m } : L = m (Z b i ) i=1 b 1 (Other representations too... ) O b 2 5 / 24

What s a Lattice? A periodic grid in Z m. (Formally: full-rank additive subgroup.) Basis B = {b 1,..., b m } : L = m (Z b i ) i=1 b 1 (Other representations too... ) O b 2 Hard Lattice Problems Find/detect short nonzero lattice vectors: (Gap)SVP γ, SIVP γ For γ = poly(m), solving appears to require 2 Ω(m) time (and space). 5 / 24

A Hard Problem: Short Integer Solution [Ajtai 96] Z n q = n-dimensional integer vectors modulo q 6 / 24

A Hard Problem: Short Integer Solution [Ajtai 96] Z n q = n-dimensional integer vectors modulo q a 1 a 2 a m Z n q 6 / 24

A Hard Problem: Short Integer Solution [Ajtai 96] Z n q = n-dimensional integer vectors modulo q Goal: find nontrivial z 1,..., z m {0, ±1} such that: z 1 a 1 + z 2 a 2 + + z m a m = 0 Z n q 6 / 24

A Hard Problem: Short Integer Solution [Ajtai 96] Z n q = n-dimensional integer vectors modulo q Goal: find nontrivial z {0, ±1} m such that: A z = 0 Zn q } {{ } m 6 / 24

A Hard Problem: Short Integer Solution [Ajtai 96] Z n q = n-dimensional integer vectors modulo q Goal: find nontrivial z {0, ±1} m such that: A z = 0 Zn q } {{ } m Collision-Resistant Hash Function Set m > n log 2 q. Define shrinking f A : {0, 1} m Z n q f A (x) = Ax 6 / 24

Cool! (But what does this have to do with lattices?) 7 / 24

Cool! (But what does this have to do with lattices?) A Z n m q defines a q-ary lattice: L (A) = {z Z m : Az = 0} O 7 / 24

Cool! (But what does this have to do with lattices?) (0, q) A Z n m q defines a q-ary lattice: L (A) = {z Z m : Az = 0} O (q, 0) 7 / 24

Cool! (But what does this have to do with lattices?) (0, q) A Z n m q defines a q-ary lattice: L (A) = {z Z m : Az = 0} Short solutions z lie in O (q, 0) 7 / 24

Cool! (But what does this have to do with lattices?) (0, q) A Z n m q defines a q-ary lattice: L (A) = {z Z m : Az = 0} Short solutions z lie in O (q, 0) Worst-Case to Average-Case Reduction [Ajtai 96,... ] Finding short ( z β q) nonzero z L (A) (for uniformly random A Z n m q ) solving GapSVP β n, SIVP β n on any n-dim lattice 7 / 24

Application: Digital Signatures [GentryPeikertVaikuntanathan 08] Generate uniform vk = A with secret trapdoor sk = T. 8 / 24

Application: Digital Signatures [GentryPeikertVaikuntanathan 08] Generate uniform vk = A with secret trapdoor sk = T. Sign(T, µ): use T to sample a short z Z m s.t. Az = H(µ) Z n q. 8 / 24

Application: Digital Signatures [GentryPeikertVaikuntanathan 08] Generate uniform vk = A with secret trapdoor sk = T. Sign(T, µ): use T to sample a short z Z m s.t. Az = H(µ) Z n q. Draw z from a distribution that reveals nothing about secret key: Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. 8 / 24

Another Hard Problem: Learning With Errors [Regev 05] Parameters: dimension n, modulus q = poly(n), error distribution 9 / 24

Another Hard Problem: Learning With Errors [Regev 05] Parameters: dimension n, modulus q = poly(n), error distribution Search: find secret s Z n q given many noisy inner products A, ( b t ) = s t A + e t n error q, rate α Decision: distinguish (A, b) from uniform (A, b) LWE is Hard (n/α)-approx worst case lattice problems search-lwe decision-lwe crypto (quantum [R 05]) [BFKL 93,R 05,... ] 9 / 24

LWE is Versatile What kinds of crypto can we do with LWE? 10 / 24

LWE is Versatile What kinds of crypto can we do with LWE? Key Exchange, Public Key Encryption Oblivious Transfer Actively Secure Encryption (w/o random oracles) Block Ciphers, PRFs 10 / 24

LWE is Versatile What kinds of crypto can we do with LWE? Key Exchange, Public Key Encryption Oblivious Transfer Actively Secure Encryption (w/o random oracles) Block Ciphers, PRFs Identity-Based Encryption (w/ RO) Hierarchical ID-Based Encryption (w/o RO) 10 / 24

Key Exchange from LWE [Regev 05,LP 11] r Z n (error) A Z n n q s Z n (error) 11 / 24

Key Exchange from LWE [Regev 05,LP 11] r Z n (error) A Z n n q s Z n (error) u t r t A Z n q 11 / 24

Key Exchange from LWE [Regev 05,LP 11] r Z n (error) A Z n n q s Z n (error) u t r t A Z n q v A s Z n q 11 / 24

Key Exchange from LWE [Regev 05,LP 11] r Z n (error) A Z n n q s Z n (error) u t r t A Z n q r t v r t As v A s Z n q k u t s r t As 11 / 24

Key Exchange from LWE [Regev 05,LP 11] r Z n (error) A Z n n q s Z n (error) u t r t A Z n q r t v r t As v A s Z n q k u t s r t As (A, u, v, k) 11 / 24

Key Exchange from LWE [Regev 05,LP 11] r Z n (error) A Z n n q s Z n (error) u t r t A Z n q r t v r t As v A s Z n q k u t s r t As (A, u, v, k) by decision-lwe 11 / 24

Efficiency from Rings 12 / 24

SIS/LWE are (Sort Of) Efficient. ( ai ) s + e i. = b i Z q Getting one pseudorandom scalar b i Z q requires an n-dim mod-q inner product 13 / 24

SIS/LWE are (Sort Of) Efficient. ( ai ) s + e i. = b i Z q Getting one pseudorandom scalar b i Z q requires an n-dim mod-q inner product Can amortize each a i over many secrets s j, but still Õ(n) work per scalar output. Cryptosystems have rather large keys:.. pk = A, b Ω(n).. } {{ } n 13 / 24

Wishful Thinking.... a i. s +. e i =. b i Zn q.... Get n pseudorandom scalars from just one (cheap) product operation? Replace Z n n q -chunks by Z n q. 14 / 24

Wishful Thinking.... a i. s +. e i =. b i Zn q.... Get n pseudorandom scalars from just one (cheap) product operation? Replace Z n n q -chunks by Z n q. Question How to define the product so that (a i, b i ) is pseudorandom? Careful! With small error, coordinate-wise multiplication is insecure! Answer = multiplication in a polynomial ring: e.g., Z q [X]/(X n + 1). Fast and practical with FFT: n log n operations mod q. 14 / 24

LWE Over Rings, Over Simplified Let R = Z[X]/(X n + 1) for n a power of two, and R q = R/qR 15 / 24

LWE Over Rings, Over Simplified Let R = Z[X]/(X n + 1) for n a power of two, and R q = R/qR Elements of Rq are deg < n polynomials with mod-q coefficients Operations in Rq are very efficient using FFT-like algorithms Search: find secret ring element s(x) R q, given: a 1 R q, b 1 = s a 1 + e 1 R q a 2 R q, b 2 = s a 2 + e 2 R q a 3 R q, b 3 = s a 3 + e 3 R q (e i R are small ). 15 / 24

Hardness of Ring-LWE [LyubashevskyPeikertRegev 10] Two main theorems (reductions): worst-case approx-svp on ideal lattices in R (quantum, any R = O K ) search R-LWE (classical, any cyclotomic R) decision R-LWE 1 If you can find s given (a i, b i ), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm). 2 If you can distinguish (a i, b i ) from (a i, b i ), then you can find s. 16 / 24

Hardness of Ring-LWE [LyubashevskyPeikertRegev 10] Two main theorems (reductions): worst-case approx-svp on ideal lattices in R (quantum, any R = O K ) search R-LWE (classical, any cyclotomic R) decision R-LWE Then: 1 If you can find s given (a i, b i ), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm). 2 If you can distinguish (a i, b i ) from (a i, b i ), then you can find s. decision R-LWE lots of crypto 16 / 24

Hardness of Ring-LWE [LyubashevskyPeikertRegev 10] Two main theorems (reductions): worst-case approx-svp on ideal lattices in R (quantum, any R = O K ) search R-LWE (classical, any cyclotomic R) decision R-LWE Then: 1 If you can find s given (a i, b i ), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm). 2 If you can distinguish (a i, b i ) from (a i, b i ), then you can find s. decision R-LWE lots of crypto If you can break the crypto, then you can distinguish (ai, b i ) from (a i, b i )... 16 / 24

Ideal Lattices Say R = Z[X]/(X n + 1) for power-of-two n. (Or R = O K.) An ideal I R is closed under + and, and under with R. 17 / 24

Ideal Lattices Say R = Z[X]/(X n + 1) for power-of-two n. (Or R = O K.) An ideal I R is closed under + and, and under with R. To get ideal lattices, embed R and its ideals into R n. How? 17 / 24

Ideal Lattices Say R = Z[X]/(X n + 1) for power-of-two n. (Or R = O K.) An ideal I R is closed under + and, and under with R. To get ideal lattices, embed R and its ideals into C n. How? 1 Obvious answer: coefficient embedding a 0 + a 1 X + + a n 1 X n 1 R (a 0,..., a n 1 ) Z n + is coordinate-wise, but analyzing is cumbersome. 2 Minkowski: canonical embedding. Let ω = exp(πi/n) C, so roots of X n + 1 are ω 1, ω 3,..., ω 2n 1. Embed: a(x) R (a(ω 1 ), a(ω 3 ),..., a(ω 2n 1 )) C n 17 / 24

Ideal Lattices Say R = Z[X]/(X n + 1) for power-of-two n. (Or R = O K.) An ideal I R is closed under + and, and under with R. To get ideal lattices, embed R and its ideals into R n. How? 1 Obvious answer: coefficient embedding a 0 + a 1 X + + a n 1 X n 1 R (a 0,..., a n 1 ) Z n + is coordinate-wise, but analyzing is cumbersome. 2 Minkowski: canonical embedding. Let ω = exp(πi/n) C, so roots of X n + 1 are ω 1, ω 3,..., ω 2n 1. Embed: a(x) R (a(ω 1 ), a(ω 3 ),..., a(ω 2n 1 )) C n Both + and are coordinate-wise. Error distribution is Gaussian in canonical embedding. 17 / 24

Ideal Lattices Say R = Z[X]/(X 2 + 1). Embeddings map X ±i. σ(x) = (i, i) σ(1) = (1, 1)

Ideal Lattices Say R = Z[X]/(X 2 + 1). Embeddings map X ±i. I = X 2, 3X + 1 is an ideal in R. σ(x) = (i, i) σ(1) = (1, 1) σ(x 2) σ( 3X + 1) 18 / 24

Ideal Lattices Say R = Z[X]/(X 2 + 1). Embeddings map X ±i. I = X 2, 3X + 1 is an ideal in R. σ(x) = (i, i) σ(1) = (1, 1) σ(x 2) σ( 3X + 1) (Approximate) Shortest Vector Problem Given (an arbitrary basis of) an arbitrary ideal I R, find a nearly shortest nonzero a I. 18 / 24

Complexity of Ideal Lattices 1 We know approx-r-svp R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-r-svp? 19 / 24

Complexity of Ideal Lattices 1 We know approx-r-svp R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-r-svp? R-LWE samples (a i, b i ) don t readily translate to ideals in R. 2 How hard/easy is poly(n)-r-svp? (In cyclotomics etc.) Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known. But 2 O( n log n) -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR 16,BS 16,K 16,CDW 16] 19 / 24

Implementations 20 / 24

Key Exchange NewHope [ADPS 15]: Ring-LWE key exchange a la [LPR 10,P 14], with many optimizations and conjectured 200-bit quantum security. 21 / 24

Key Exchange NewHope [ADPS 15]: Ring-LWE key exchange a la [LPR 10,P 14], with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers. Frodo [BCDMNNRS 16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured 128-bit quantum security. 21 / 24

Digital Signatures Most implementations follow design from [Lyubashevsky 09/ 12,... ]. 22 / 24

Digital Signatures Most implementations follow design from [Lyubashevsky 09/ 12,... ]. BLISS [DDLL 13]: optimized implementation in this framework. 22 / 24

Digital Signatures Most implementations follow design from [Lyubashevsky 09/ 12,... ]. BLISS [DDLL 13]: optimized implementation in this framework. Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS 5.6 7.0 8.0 33 (Conjectured 128 bits of security, openssl implementations.) 22 / 24

Other Implementations HElib [HaleviShoup]: an assembly language for fully homomorphic encryption (FHE). 23 / 24

Other Implementations HElib [HaleviShoup]: an assembly language for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records 23 / 24

Other Implementations HElib [HaleviShoup]: an assembly language for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records Λ λ (L O L) [CrockettPeikert 16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems. 23 / 24

Conclusions Lattices are a very attractive foundation for post-quantum crypto, both basic and advanced. 24 / 24

Conclusions Lattices are a very attractive foundation for post-quantum crypto, both basic and advanced. Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing. 24 / 24

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016