Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011) La Cryptographie Reposant sur les Réseaux: de la Pratique à la Théorie à la Pratique Vadim Lyubashevsky INRIA / CNRS / ENS Paris (Septembre 12, 2011) Lattice-Based Encryption Schemes 1. NTRU [Hoffstein, Pipher, Silverman ‘98] 2. LWE-Based [Regev ‘05] 3. Ring-LWE Based [L, Peikert, Regev ’10] 4. “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11] Cryptosystèmes Reposant sur les Réseaux 1. NTRU [Hoffstein, Pipher, Silverman ‘98] 2. Reposant sur LWE [Regev ‘05] 3. Reposant sur Anneau-LWE [L, Peikert, Regev ’10] 4. “NTRU” avec une preuve de la sécurité [Stehle, Steinfeld ‘11] Subset Sum Problem Subset-Sum Based [L, Palacio, Segev ‘10] LWE-Based [Regev ‘05] Ring-LWE Based [L, Peikert, Regev ’10] “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11] NTRU [Hoffstein, Pipher, Silverman ‘98] Part 0. The Subset Sum Problem Subset Sum Problem ai , T in ZM ai are chosen randomly T is a sum of a random subset of the ai a1 a2 a3 … an T Find a subset of ai's that sums to T (mod M) Subset Sum Problem ai , T in Z49 ai are chosen randomly T is a sum of a random subset of the ai 15 31 24 3 14 15 + 31 + 14 = 11 (mod 49) 11 How Hard is Subset Sum? ai , T in ZM a1 a2 a3 … an T Find a subset of ai's that sums to T (mod M) Hardness Depends on: Size of n and M Relationship between n and M Complexity of Solving Subset Sum M 2log²(n) poly(n) 2n 2n log(n) 2Ω(n) 2n² poly(n) run-time “generalized birthday attacks” [FlaPrz05,Lyu06,Sha08] “lattice reduction attacks” [LagOdl85,Fri86] Subset Sum Crypto Why? Simple operations Exponential hardness Seems very different from number theoretic assumptions Seems to resist quantum attacks Subset Sum is “Pseudorandom” [Impagliazzo-Naor 1989]: For random a1,...,an in ZM and random x1,...,xn in {0,1} distinguishing the distribution (a1,...,an, a1x1+...+anxn mod M) from the uniform distribution U(ZMn+1) is as hard as finding x1,...,xn Part 1. Cryptosystem Based on Subset Sum [L, Palacio, Segev 2010] Public Key Encryption Allows for secure communication between parties who have previously never met Public Key Encryption public key: p secret key: s Encrypt, Decrypt Decrypt(s,Encrypt(p,M))=M c=Encrypt(p,M) M=Decrypt(s,c) Public Key Encryption What does “secure” mean? Intuitive answer: The adversary should not be able to read the message. c=Encrypt(p,M) Public Key Encryption What does “secure” mean? Intuitive answer: The adversary should not be able to read the message. But what about other information about the message? c=Encrypt(p,M), c=Encrypt(p,M) E.g. If adversary can figure out that the same message was sent twice, is the scheme “secure”? Public Key Encryption What does “secure” mean? Semantic Security: For every 2 messages M, M', it's impossible to distinguish Encrypt(p,M) from Encrypt(p,M') in polynomial time The Encrypt algorithm must be randomized! Subset Sum Cryptosystem Semantically secure based on Subset Sum for M ≈ nn Main tools Subset sum is pseudo-random Addition in (Zq)n is “kind of like” addition in ZM where M=qn The proof is very simple Facts About Addition Want to add 4679+3907+8465+1343 mod 104 2 4 3 8 1 8 1 6 9 4 3 3 2 7 0 6 4 9 9 7 5 3 4 4 3 8 1 6 6 9 4 3 2 7 0 6 4 7 9 7 5 3 4 Adding n numbers (written in base q) modulo qm → carries < n If q>>n, then Adding with carries ≈ Adding without carries (i.e. in ZM) (i.e. in (Zq)n ) So... 1 1 0 1 = 4 3 8 1 6 9 4 6 7 0 6 4 9 7 5 3 8 1 1 9 NOT Pseudorandom! 1 1 0 1 4 3 8 1 6 9 4 6 7 0 6 4 9 7 5 3 + 2 1 1 0 = 0 2 2 9 Pseudorandom based on Subset Sum! Column Subset Sum Addition Is Also Pseudorandom 4 3 8 1 6 9 4 6 7 0 6 4 9 7 5 3 1 1 0 1 + 1 0 1 9 = 1 8 0 0 “Hybrid” Subset Sum Addition Is Also Pseudorandom 1 0 0 1 + 4 3 8 1 6 9 4 6 7 0 6 4 9 7 5 3 0 9 8 0 1 1 1 0 0 = 6 3 2 2 0 pseudorandom Encryption Scheme (for 1 bit) A s + = t r {0,1}n Zqn x n {0,1}n Public Key A t + = u v Encryption Scheme A s + = t r A t + = u v Is pseudo-random based on the hardness of the subset sum problem Encryption Scheme A s + r = t A t + = u v v = r A = s + r + A s + Encryption Scheme A s + r = t A t + = u v u s = r = r A + s + A s ≈ v Encryption Scheme A s + = t r A t + = u v Encryption of 0 v - u s = Encryption Scheme A s + r = t A t + Encryption of 1 v’ - u s = q/2 + = u v + 0 q/2 = u v’ Part 2. Cryptosystem Based on Learning With Errors and Worst-Case Lattice Problems [Regev 2005] Encryption Scheme (what we needed) A s + = t r A t + “small” Pseudorandom = u v Picking the “Carries” In Subset Sum: carries were deterministic What if … we pick the “carries” at random from some distribution? So... 2 3 0 1 4 3 8 1 6 9 4 6 7 0 6 4 9 7 5 3 1 1 0 1 4 3 8 1 6 9 4 6 7 0 6 4 9 7 5 3 + 1 3 2 1 + 2 1 1 0 = 7 2 0 3 = 0 2 2 9 Pseudorandom based on LWE and worst-case lattice problems [Reg ‘05] Pseudorandom based on Subset Sum! (with a lemma from [ACPS ‘09]) Learning With Errors (LWE) Problem a1 a2 ... s + e = b am Given ai and <ai,s>+ ei find s. (ei and s are “small”) (Once there are enough ai , the s is uniquely determined) Theorem [Regev '05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE. Decision LWE Problem a1 a2 ... am World 1 a1 a2 s + e = b ... am World 2 b uniformly random in Zpm Lemma[Reg ’05]: Search-LWE < Decision-LWE LWE vs. Subset Sum The Subset Sum assumption has deterministic “noise” The LWE assumption is more “versatile” a1 a2 n2 ... LWE Problem Subset Sum Problem s s + e = b n2 a1 a2 … an am n n + = b LWE / Subset Sum Encryption A s + = t r A t + = u v n-bit Encryption Have Want Public Key Size Õ(n) / Õ(n2) O(n) Secret Key Size Õ(n) / Õ (n2) O(n) Ciphertext Expansion Õ(n) / Õ (1) O(1) Encryption Time Õ(n3) / Õ (n2) O(n) Decryption Time Õ(n2) O(n) Part 3. Cryptosystem Based on Learning With Errors over Rings and Worst-Case Ideal Lattice Problems [L, Peikert, Regev 2010] Source of Inefficiency of LWE 2 8 7 3 * 1 + 2 = 0 1 Getting just one extra random-looking number requires n random numbers and a small error element. 2 1 Wishful thinking: get n random numbers and produce n pseudo-random numbers in “one shot” 2 1 8 0 7 3 * 2 1 + = Use Polynomials f(x) is a polynomial xn + an-1xn-1 + … + a1x + a0 R = Zp[x]/(f(x)) is a polynomial ring with • Addition mod p • Polynomial multiplication mod p and f(x) Each element of R consists of n elements in Zp In R: • small+small = small • small*small = small (depending on f(x) ) Polynomial Interpretation of the LWE-based cryptosystem a s + = t r a + = u r t + = v Public Key v - u s = r t + - r a s + + - r a + + - s = r r a + s s Security a s + = t Pseudorandom?? r a + = u r t + = v Learning With Errors over Rings a1 s e1 b1 a2 e2 b2 a3 e3 b3 … am + … em = … bm Theorem [LPR ‘10]: Finding s is as hard as solving lattice problems in all ideals of the ring Z[x]/(f(x)) Decision Learning With Errors over Rings World 1 a1 s World 2 b1 a1 b1 a2 b2 a2 b2 a3 b3 a3 b3 … … … bm am bm … am + = Theorem [LPR ‘10]: In cyclotomic rings, Search-RLWE < Decision-RLWE Use Polynomials in Zp[x]/(f(x)) a s + = t r a + = u r t + = v n-bit Encryption From LWE / SS From Ring-LWE Public Key Size Õ(n) / Õ(n2) Õ(n) Secret Key Size Õ(n) / Õ (n2) Õ(n) Ciphertext Expansion Õ(n) / Õ (1) Õ(1) Encryption Time Õ(n3) / Õ (n2) Õ(n) Decryption Time Õ(n2) Õ(n) Part 4. 1-Element Cryptosystem Based on Learning With Errors over Rings and Worst-Case Ideal Lattice Problems [Stehle, Steinfeld 2011] Number of Ring Elements a s + = t Encryption of m: r a + = u r t + = v u , v + p 2 m Can you have a ciphertext with just 1 ring element? Stehle, Steinfeld Cryptosystem f g “small” coefficients = a mod p Uniformly random u =2 a r + g + g m u g mod 2 = g m g mod p Pseudorandom based on Ring-LWE u g = 2 f r + u g mod 2 + m = m Part 5. NTRU Cryptosystem [Hoffstein, Pipher, Silverman 1998] NTRU Cryptosystem f f g g - Very small = a mod p “looks” random u =2 a r + + m mod p If a is random, then pseudorandom based on Ring-LWE u g = 2 f r + g + g m Since f, g are smaller, p can be smaller as well (Textbook) NTRU Cryptosystem / Trap-Door Function f f g g - Very small = a mod p u = 2a r + m u g = 2 f r + g m u g mod 2 = g m u g mod 2 g = m mod p Thanks, eh!