a very brief introduction to lattice-based...

A Very Brief Introduction to Lattice-BasedCryptography

Erkay Savas

Department of Computer Science and EngineeringSabancı University

November 15, 2018

Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography

Outline

LatticesRing Learning with Errors (Ring-LWE) problemA Public Key Cryptosystem based on Ring-LWEFully Homomorphic Encryption


Lattices & Hard Lattice Problems

A full rank lattice Λ, which is a discrete additive subgroup ofthe n-dimensional real space Rn, is the integer spanΛ = L(B) = {Bz|z ∈ Zn} of a basis B = (b1, . . . , bn).The minimum distance λ1(Λ) of a lattice Λ is the length(usually in the Euclidean `2 norm) of its shortest nonzerovector; namely λ1(Λ) = min06=~x∈Λ||x||Shortest Vector Problem (SVP) Given a lattice basis B forΛ, find the shortest nonzero vector in Λ.Closest Vector Problem (CVP) Given a lattice basis B and apoint in real space v (not necessarily on the lattice), find theclosest lattice point


q-ary Lattices

Given an arbitrary matrix of A ∈ Zn×m, q-ary lattices aredefined as

Λq(A) = {y ∈ Zm : y = AT s (mod q) for some s ∈ Zn}Λ⊥q (A) = {y ∈ Zm : Ay = 0 (mod q)}


Ring-LWE

Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.

– R is the set of polynomials of degree less than n with integercoefficients.

Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1

Rq denotes the ring R reduced modulo q;

– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x

n−1

ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}


Ring-LWE

Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.

– R is the set of polynomials of degree less than n with integercoefficients.

Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1

Rq denotes the ring R reduced modulo q;– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x

n−1

ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}


Error Distribution: DR,σ

The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.

– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)

Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0

For a normal distribution with µ = 0 and σ, erf(

aσ√

2

)is the

probability that a sample lies in (−a, a) for positive a.





Let B0 be a bound on normal distribution with µ = 0 and σ

We can use error function erf to compute B0


aσ√

2

)is the






Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0


aσ√

2

)is the



Hard Problems

Two hard problems can be given:

– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σand set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.

– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:

(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ

Ring-LWE Problems are still hard even if s← DR,σ


Hard Problems

Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ

and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.





Hard Problems




(i) b is chosen uniformly at random (b←Rq)

(ii) b← a · s+ e where a, s←Rq and e← DR,σ



Hard Problems







Hardness of Ring-LWE Assumptions

Depends on the ring dimension n, the size of q and σwe use the LWE estimator accessible viahttps://bitbucket.org/malb/lwe-estimator/overview

Table: σ = 4.578 (δ is the root Hermite factor)

n k λ δclassical quantum

512 24 84.1 79.1 1.0065461024 27 149.3 138.3 1.0039411024 31 126.2 117.4 1.0045711024 32 121.6 113.1 1.0047271024 33 117.2 109.2 1.0048861024 34 113.1 105.4 1.0050451024 35 109.0 101.7 1.0052041024 36 105.5 98.5 1.0056301024 37 102.5 95.9 1.0055141024 38 99.1 92.7 1.0056781024 39 96.1 90.1 1.005837


https://bitbucket.org/malb/lwe-estimator/overview

A PKC based on Ring-LWE - Key Generation

We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.

i) s, e← DR,σii) a← Rq

iii) b← as+ pe (mod q)

– public key: pk ← (a, b)– secret key: sk ← s



We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)

Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.






We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.

{p, q,R, σ}: public domain parameters.







i) s, e← DR,σii) a← Rqiii) b← as+ pe (mod q)





i) s, e← DR,σ

ii) a← Rqiii) b← as+ pe (mod q)






– public key: pk ← (a, b)

– secret key: sk ← s


A PKC based on R-LWE - Encryption

Let µ ∈ Rp be an arbitrary message

i) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µ

iii) c1 ← ae0 + pe2

– Ciphertext: (c0, c1)



Let µ ∈ Rp be an arbitrary message

i) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2




Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σ

ii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2




Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µ

iii) c1 ← ae0 + pe2




Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2



A PKC based on R-LWE - Decryption

µ← (c0 − c1s (mod q)) (mod p)Decryption is a vector product 〈(c0, c1), (1,−s )〉 where

– secret key: (1,−s )– ciphertext: (c0, c1)



µ← (c0 − c1s (mod q)) (mod p)

Decryption is a vector product 〈(c0, c1), (1,−s )〉 where





– secret key: (1,−s )

– ciphertext: (c0, c1)


Correctness of the decryption operation

µ = (c0 − c1s (mod q)) (mod p)= ((be0 − pe1 + µ)− (ase0 − pe2s) (mod q)) (mod p)= (p(ee0 + e1 − e2s) + µ (mod q)) (mod p)= (p · “small” + µ (mod q)) (mod p)

(p · “small” + µ (mod q)) (mod p) will return µ only ifp · “small” + µ < p · “small” + p <

q

2 .


Correctness Constraint

For correct decryption, we should have

p(ee0 + e1 − e2s) + p <q

2 ,

where s, e, e0, e1, e2 are sampled from the same distribution.Also they are all in R = Z[x]/Φ(x)




p(ee0 + e1 − e2s) + p <q

2 ,

where s, e, e0, e1, e2 are sampled from the same distribution.

Also they are all in R = Z[x]/Φ(x)




p(ee0 + e1 − e2s) + p <q

2 ,

where s, e, e0, e1, e2 are sampled from the same distribution.Also they are all in R = Z[x]/Φ(x)



p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0



p(ee0 + e1 − e2s+ 1) < q

2

Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0



p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)

What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0



p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?

Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0



p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.

‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0



p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0


Correctness Constraint - Example

R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R

– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0

Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2

0

An upper bound for a coefficient is then nB20 (a bit loose

upper bound)



R = Z[x]/Φ8(x) (m = 8, n = 4)

Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R



0


upper bound)



R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1

c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R



0


upper bound)






0


upper bound)





Every coefficient in ci is the sum of four (n = 4) productterms.

An upper bound for a product term is B20


upper bound)






0


upper bound)


Correctness Constraint - Cont.

Let η = ee0 + e1 − e2s

An upper bound for η is, then, nB20 +B0 + nB2

0

pη+µ < p(nB20 +B0+nB2

0 +1) < q

2 ⇒ q > 2p(2nB20 +B0+1)

Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)


Fully Homomorphic Encryption

µ ∈ Rpc = E(µ, pk)c ∈ R2

q

Additive Homomorphism:

D(E(µ, pk) + E(µ, pk), sk) = µ+ µ

Multiplicative Homomorphism:

D(E(µ, pk) · E(µ, pk), sk) = µ · µ



µ ∈ Rp

c = E(µ, pk)c ∈ R2

q


D(E(µ, pk) + E(µ, pk), sk) = µ+ µ


D(E(µ, pk) · E(µ, pk), sk) = µ · µ



µ ∈ Rpc = E(µ, pk)

c ∈ R2q


D(E(µ, pk) + E(µ, pk), sk) = µ+ µ


D(E(µ, pk) · E(µ, pk), sk) = µ · µ



µ ∈ Rpc = E(µ, pk)c ∈ R2

q


D(E(µ, pk) + E(µ, pk), sk) = µ+ µ


D(E(µ, pk) · E(µ, pk), sk) = µ · µ


Additive Homomorphism

Our Ring-LWE-based PKC system is additively homomorphic

– Consider two ciphertexts c and c, which encrypts µ and µ,respectively,

c = (c0, c1)c = (c0, c1)

– Consider also the decryption operation

〈(c0, c1), (1,−s)〉 = (c0 − sc1 = µ+ pη (mod q)) (mod p)




Our Ring-LWE-based PKC system is additively homomorphic– Consider two ciphertexts c and c, which encrypts µ and µ,

respectively,

c = (c0, c1)c = (c0, c1)







respectively,c = (c0, c1)

c = (c0, c1)– Consider also the decryption operation






respectively,c = (c0, c1)c = (c0, c1)






Our Ring-LWE-based PKC system is additively homomorphic

– Now, apply addition to ciphertexts c+ c and decrypt

〈c+ c, (1,−s)〉 = (c0 + c0 − sc1 − sc1 (mod q)) (mod p)= (c0 − sc1 + c0 − sc1 (mod q)) (mod p)= (µ+ pη + µ+ pη (mod q)) (mod p)= (µ+ µ+ p(η + η) (mod q)) (mod p)

– So long as p(η + η) + (µ+ µ) < q

2 , modulo q reduction doesnot happen ⇒ CORRECT decryption

– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly



Our Ring-LWE-based PKC system is additively homomorphic– Now, apply addition to ciphertexts c+ c and decrypt











– An upper bound for both pη and pη is 2pB

– Then, an upper bound for p(η + η) is the 4pB– The noise increases linearly







– An upper bound for both pη and pη is 2pB– Then, an upper bound for p(η + η) is the 4pB

– The noise increases linearly


Homomorphic addition of l ciphertexts

µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)

⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))

An upper bound for p(η(1) + . . .+ η(l)) is then 2lpBEventually, the error term will exceed q

2 depending on l and p.

This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)



µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)

⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))

An upper bound for p(η(1) + . . .+ η(l)) is then 2lpB

Eventually, the error term will exceed q





µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)

⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))






µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)

⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))



This means that we can perform only a limited number ofhomomorphic additions of ciphertexts, whereby this number isdetermined mainly by p and q.

This is what is known as SOMEWHAT HOMOMORPHICENCRYPTION system (SWHE or SHE)



µ(1), . . . , µ(l) → c(1), . . . , c(l)⟨c(1) + . . .+ c(l), (1,−s)

⟩= µ(1) + . . .+ µ(l) + p(η(1) + . . .+ η(l))





Multiplicative Homomorphism

Our Ring-LWE-based PKC supports homomorphicmultiplication of ciphertexts

– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.Define tensor product of c and c as

c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)




– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.

Define tensor product of c and c as

c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)




– Suppose two ciphertexts c = (c0, c1) and c = (c0, c1)encrypting µ and µ, respectively.Define tensor product of c and c as

c⊗ c = (c0c0, c0c1, c1c0, c1c1) = (d0, d1, d2, d3)


Multiplicative Homomorphism - Decryption forMutiplication of Ciphertexts

Now, we have four-dimensional ciphertext, which will decryptwith respect to the “secret key” vector(1,−s)⊗ (1,−s) = (1,−s,−s, s2) since

⟨c⊗ c, (1,−s,−s, s2)

⟩= (d0 − d1s− d2s+ d3s

2 (mod q)) (mod p)= c0c0 − c0c1s− c1c0s+ c1c1s

2

= (c0 − c1s)(c0 − c1s)(modq)= (µ+ pη)(µ+ pη)(modq)= (µµ+ p(µη + µη + pηη) (mod q)) (mod p)= (µµ+ pηf (mod q)) (mod p)

Therefore, c⊗ c is an encryption of µµ under the secret key(1,−s,−s, s2)


Multiplicative Homomorphism - Decryption forMutiplication of Ciphertexts

Now, we have four-dimensional ciphertext, which will decryptwith respect to the “secret key” vector(1,−s)⊗ (1,−s) = (1,−s,−s, s2) since⟨c⊗ c, (1,−s,−s, s2)

⟩= (d0 − d1s− d2s+ d3s

2 (mod q)) (mod p)= c0c0 − c0c1s− c1c0s+ c1c1s

2

= (c0 − c1s)(c0 − c1s)(modq)= (µ+ pη)(µ+ pη)(modq)= (µµ+ p(µη + µη + pηη) (mod q)) (mod p)= (µµ+ pηf (mod q)) (mod p)

Therefore, c⊗ c is an encryption of µµ under the secret key(1,−s,−s, s2)


Noise Increases Quadratically

⟨c⊗ c, (1,−s,−s, s2)

⟩= (µµ+ pηf (mod q)) (mod p)

ηf = µη + µη + pηη

For correct decryption µµ+ pηf <q

2µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2

µµ+ pηf < p2 + p2(2B +B2) < q

2q > 2p2(B2 + 2B + 1)Noise increases quadratically.



⟨c⊗ c, (1,−s,−s, s2)




2

µ, µ < p, µµ < p2 and η, η < B.ηf < pB + pB + pB2

µµ+ pηf < p2 + p2(2B +B2) < q




⟨c⊗ c, (1,−s,−s, s2)




2µ, µ < p, µµ < p2 and η, η < B.

ηf < pB + pB + pB2

µµ+ pηf < p2 + p2(2B +B2) < q




⟨c⊗ c, (1,−s,−s, s2)





µµ+ pηf < p2 + p2(2B +B2) < q




⟨c⊗ c, (1,−s,−s, s2)





µµ+ pηf < p2 + p2(2B +B2) < q

2

q > 2p2(B2 + 2B + 1)Noise increases quadratically.



⟨c⊗ c, (1,−s,−s, s2)





µµ+ pηf < p2 + p2(2B +B2) < q

2q > 2p2(B2 + 2B + 1)

Noise increases quadratically.



⟨c⊗ c, (1,−s,−s, s2)





µµ+ pηf < p2 + p2(2B +B2) < q



Questions??

[email protected]


a very brief introduction to lattice-based...

Documents