Lattice-based cryptography

advertisement
Lattice-Based Cryptography:
From Practice to Theory to Practice
Vadim Lyubashevsky
INRIA / CNRS / ENS Paris
(September 12, 2011)
La Cryptographie Reposant sur les Réseaux:
de la Pratique à la Théorie à la Pratique
Vadim Lyubashevsky
INRIA / CNRS / ENS Paris
(Septembre 12, 2011)
Lattice-Based Encryption
Schemes
1. NTRU [Hoffstein, Pipher, Silverman ‘98]
2. LWE-Based [Regev ‘05]
3. Ring-LWE Based [L, Peikert, Regev ’10]
4. “NTRU-like” with a proof of security
[Stehle, Steinfeld ‘11]
Cryptosystèmes Reposant sur les
Réseaux
1. NTRU [Hoffstein, Pipher, Silverman ‘98]
2. Reposant sur LWE [Regev ‘05]
3. Reposant sur Anneau-LWE [L, Peikert,
Regev ’10]
4. “NTRU” avec une preuve de la sécurité
[Stehle, Steinfeld ‘11]
Subset Sum Problem
Subset-Sum Based [L, Palacio, Segev ‘10]
LWE-Based [Regev ‘05]
Ring-LWE Based [L, Peikert, Regev ’10]
“NTRU-like” with a proof of security
[Stehle, Steinfeld ‘11]
NTRU [Hoffstein, Pipher, Silverman ‘98]
Part 0.
The Subset Sum Problem
Subset Sum Problem
ai , T in ZM
ai are chosen randomly
T is a sum of a random subset of the ai
a1
a2
a3
…
an
T
Find a subset of ai's that sums to T (mod M)
Subset Sum Problem
ai , T in Z49
ai are chosen randomly
T is a sum of a random subset of the ai
15
31
24
3
14
15 + 31 + 14 = 11 (mod 49)
11
How Hard is Subset Sum?
ai , T in ZM
a1
a2
a3 …
an
T
Find a subset of ai's that sums to T (mod M)
Hardness Depends on:
 Size of n and M
 Relationship between n and M
Complexity of Solving Subset Sum
M
2log²(n)
poly(n)
2n
2n log(n)
2Ω(n)
2n²
poly(n)
run-time
“generalized birthday attacks”
[FlaPrz05,Lyu06,Sha08]
“lattice reduction attacks”
[LagOdl85,Fri86]
Subset Sum Crypto

Why?

Simple operations

Exponential hardness

Seems very different from number
theoretic assumptions

Seems to resist quantum attacks
Subset Sum is “Pseudorandom”
[Impagliazzo-Naor 1989]:
For random a1,...,an in ZM and random x1,...,xn in {0,1}
distinguishing the distribution
(a1,...,an, a1x1+...+anxn mod M)
from the uniform distribution U(ZMn+1) is as hard as
finding x1,...,xn
Part 1.
Cryptosystem Based on
Subset Sum
[L, Palacio, Segev 2010]
Public Key Encryption
Allows for secure communication between parties who have previously
never met
Public Key Encryption
public key: p
secret key: s
Encrypt, Decrypt
Decrypt(s,Encrypt(p,M))=M
c=Encrypt(p,M)
M=Decrypt(s,c)
Public Key Encryption
What does “secure” mean?
Intuitive answer: The adversary should not be able to
read the message.
c=Encrypt(p,M)
Public Key Encryption
What does “secure” mean?
Intuitive answer: The adversary should not be able to
read the message.
But what about other information about the message?
c=Encrypt(p,M), c=Encrypt(p,M)
E.g. If adversary can figure out that the same
message was sent twice, is the scheme “secure”?
Public Key Encryption
What does “secure” mean?
Semantic Security:
For every 2 messages M, M', it's impossible to distinguish
Encrypt(p,M) from Encrypt(p,M') in polynomial time
The Encrypt algorithm must be randomized!
Subset Sum Cryptosystem


Semantically secure based on Subset Sum
for M ≈ nn
Main tools
Subset sum is pseudo-random
Addition in (Zq)n is “kind of like” addition in ZM
where M=qn

The proof is very simple
Facts About Addition
Want to add 4679+3907+8465+1343 mod 104
2
4
3
8
1
8
1
6
9
4
3
3
2
7
0
6
4
9
9
7
5
3
4
4
3
8
1
6
6
9
4
3
2
7
0
6
4
7
9
7
5
3
4
Adding n numbers (written in base q) modulo qm → carries < n
If q>>n, then Adding with carries ≈ Adding without carries
(i.e. in ZM)
(i.e. in (Zq)n )
So...
1 1 0 1
=
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
8 1 1 9
NOT Pseudorandom!
1 1 0 1
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
+ 2 1 1 0
= 0 2 2 9
Pseudorandom based on
Subset Sum!
Column Subset Sum Addition
Is Also Pseudorandom
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
1
1
0
1
+
1
0
1
9
=
1
8
0
0
“Hybrid” Subset Sum Addition Is
Also Pseudorandom
1 0 0 1
+
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
0
9
8
0
1 1 1 0 0
= 6 3 2 2 0
pseudorandom
Encryption Scheme (for 1 bit)
A
s +
= t
r
{0,1}n
Zqn x n
{0,1}n
Public Key
A
t
+
=
u
v
Encryption Scheme
A
s +
= t
r
A
t
+
=
u
v
Is pseudo-random based on the
hardness of the subset sum problem
Encryption Scheme
A
s +
r
= t
A
t
+
=
u
v
v =
r
A
=
s +
r
+
A
s
+
Encryption Scheme
A
s +
r
= t
A
t
+
=
u
v
u
s
=
r
=
r
A
+
s
+
A
s
≈
v
Encryption Scheme
A
s +
= t
r
A
t
+
=
u
v
Encryption of 0
v -
u
s
=
Encryption Scheme
A
s +
r
= t
A
t
+
Encryption of 1
v’ -
u
s
=
q/2
+
=
u
v
+
0
q/2
=
u v’
Part 2.
Cryptosystem Based on
Learning With Errors
and
Worst-Case Lattice Problems
[Regev 2005]
Encryption Scheme
(what we needed)
A
s +
= t
r
A
t
+
“small”
Pseudorandom
=
u
v
Picking the “Carries”
In Subset Sum: carries were deterministic
What if … we pick the “carries” at random
from some distribution?
So...
2 3 0 1 4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
1 1 0 1
4
3
8
1
6
9
4
6
7
0
6
4
9
7
5
3
+ 1 3 2 1
+ 2 1 1 0
= 7 2 0 3
= 0 2 2 9
Pseudorandom based on
LWE and worst-case
lattice problems [Reg ‘05]
Pseudorandom based on
Subset Sum!
(with a lemma from [ACPS ‘09])
Learning With Errors (LWE) Problem
a1
a2
...
s
+
e
=
b
am
Given ai and <ai,s>+ ei find s. (ei and s are “small”)
(Once there are enough ai , the s is uniquely determined)
Theorem [Regev '05] : There is a polynomial-time quantum reduction from
solving certain lattice problems in the worst-case to solving LWE.
Decision LWE Problem
a1
a2
...
am
World 1
a1
a2
s
+ e
= b
...
am
World 2
b
uniformly
random in Zpm
Lemma[Reg ’05]: Search-LWE < Decision-LWE
LWE vs. Subset Sum
The Subset Sum assumption has
deterministic “noise”
The LWE assumption is more “versatile”
a1
a2
n2
...
LWE Problem
Subset Sum Problem
s
s
+ e
= b
n2
a1 a2 … an
am
n
n
+
= b
LWE / Subset Sum Encryption
A
s +
= t
r
A
t
+
=
u
v
n-bit Encryption
Have
Want
Public Key Size
Õ(n) / Õ(n2)
O(n)
Secret Key Size
Õ(n) / Õ (n2)
O(n)
Ciphertext Expansion Õ(n) / Õ (1)
O(1)
Encryption Time
Õ(n3) / Õ (n2)
O(n)
Decryption Time
Õ(n2)
O(n)
Part 3.
Cryptosystem Based on
Learning With Errors over Rings
and
Worst-Case Ideal Lattice Problems
[L, Peikert, Regev 2010]
Source of Inefficiency of LWE
2
8
7
3
*
1
+
2
=
0
1
Getting just one extra random-looking
number requires n random numbers
and a small error element.
2
1
Wishful thinking: get n random numbers and produce
n pseudo-random numbers in “one shot”
2
1
8
0
7
3
*
2
1
+
=
Use Polynomials
f(x) is a polynomial xn + an-1xn-1 + … + a1x + a0
R = Zp[x]/(f(x)) is a polynomial ring with
•
Addition mod p
•
Polynomial multiplication mod p and f(x)
Each element of R consists of n elements in Zp
In R:
•
small+small = small
•
small*small = small (depending on f(x) )
Polynomial Interpretation of the
LWE-based cryptosystem
a s +
= t
r a +
= u
r t +
= v
Public Key
v - u s
= r t +
-
r
a s +
+
- r a +
+
-
s =
r
r a +
s
s
Security
a s +
= t
Pseudorandom??
r a +
= u
r t +
= v
Learning With Errors over Rings
a1
s
e1
b1
a2
e2
b2
a3
e3
b3
…
am
+
…
em
=
…
bm
Theorem [LPR ‘10]: Finding s is as hard as solving lattice problems
in all ideals of the ring Z[x]/(f(x))
Decision
Learning With Errors over Rings
World 1
a1
s
World 2
b1
a1
b1
a2
b2
a2
b2
a3
b3
a3
b3
…
…
…
bm
am
bm
…
am
+
=
Theorem [LPR ‘10]: In cyclotomic rings, Search-RLWE < Decision-RLWE
Use Polynomials in Zp[x]/(f(x))
a s +
= t
r a +
= u
r t +
= v
n-bit Encryption
From LWE / SS
From Ring-LWE
Public Key Size
Õ(n) / Õ(n2)
Õ(n)
Secret Key Size
Õ(n) / Õ (n2)
Õ(n)
Ciphertext Expansion Õ(n) / Õ (1)
Õ(1)
Encryption Time
Õ(n3) / Õ (n2)
Õ(n)
Decryption Time
Õ(n2)
Õ(n)
Part 4.
1-Element Cryptosystem Based on
Learning With Errors over Rings
and
Worst-Case Ideal Lattice Problems
[Stehle, Steinfeld 2011]
Number of Ring Elements
a s +
= t
Encryption of m:
r a +
= u
r t +
= v
u
,
v +
p
2
m
Can you have a ciphertext with just 1 ring element?
Stehle, Steinfeld Cryptosystem
f
g
“small” coefficients
= a
mod p
Uniformly random
u =2 a r +
g + g m
u g mod 2 = g m
g
mod p
Pseudorandom based on Ring-LWE
u g = 2 f r +
u g mod 2
+ m
=
m
Part 5.
NTRU Cryptosystem
[Hoffstein, Pipher, Silverman 1998]
NTRU Cryptosystem
f
f
g
g - Very small
= a
mod p
“looks” random
u =2 a r +
+ m
mod p
If a is random, then
pseudorandom based on Ring-LWE
u g = 2 f r +
g + g m
Since f, g are smaller, p can be smaller as well
(Textbook) NTRU
Cryptosystem / Trap-Door Function
f
f
g
g - Very small
= a
mod p
u = 2a r + m
u g = 2 f r + g m
u g mod 2 = g m
u g mod 2
g
=
m
mod p
Thanks, eh!
Download