fundamentals of lattice-based cryptographytoday’s cryptography (e.g., rsa, di e-hellman) i...
TRANSCRIPT
![Page 1: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/1.jpg)
Fundamentals ofLattice-Based Cryptography
Chris PeikertUniversity of Michigan
2nd Crypto Innovation SchoolShanghai, China
13 December 2019
1 / 23
![Page 2: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/2.jpg)
Talk Outline
1 Lattices and hard problems
2 The SIS and LWE problems; basic applications
3 Using rings for efficiency
2 / 23
![Page 3: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/3.jpg)
Today’s Cryptography (e.g., RSA, Diffie-Hellman)
I Conjectured-hard problems: factor N = P ·Q, compute discrete logs
I Shor’s quantum algorithm:
N =
21305750140972822779
67336009072353225107
58864221620325802176
55802658737520126407
22059995071405557278
967027854563351343547
P =
16062216870909044065
12585584569433331615
827658775597032991663
Q =
13264514053200565459
67263583507984286802
756201383768089567669
g, y = gX ∈ G X
3 / 23
![Page 4: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/4.jpg)
Today’s Cryptography (e.g., RSA, Diffie-Hellman)
I Conjectured-hard problems: factor N = P ·Q, compute discrete logs
I Shor’s quantum algorithm:
N =
21305750140972822779
67336009072353225107
58864221620325802176
55802658737520126407
22059995071405557278
967027854563351343547
P =
16062216870909044065
12585584569433331615
827658775597032991663
Q =
13264514053200565459
67263583507984286802
756201383768089567669
g, y = gX ∈ G X
3 / 23
![Page 5: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/5.jpg)
Today’s Cryptography (e.g., RSA, Diffie-Hellman)
I Conjectured-hard problems: factor N = P ·Q, compute discrete logs
I Shor’s quantum algorithm:
N =
21305750140972822779
67336009072353225107
58864221620325802176
55802658737520126407
22059995071405557278
967027854563351343547
P =
16062216870909044065
12585584569433331615
827658775597032991663
Q =
13264514053200565459
67263583507984286802
756201383768089567669
g, y = gX ∈ G X
3 / 23
![Page 6: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/6.jpg)
Lattice-Based Cryptography
N=p · q
y =gx mod p
me mod N
e(ga, gb)
=⇒
Advantages
I Appears resistant to quantum attacks
I Simple description and implementation
I Efficient: linear, highly parallelizable
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org)
4 / 23
![Page 7: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/7.jpg)
Lattice-Based Cryptography
N=p · q
y =gx mod p
me mod N
e(ga, gb)
=⇒
Advantages
I Appears resistant to quantum attacks
I Simple description and implementation
I Efficient: linear, highly parallelizable
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 4 / 23
![Page 8: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/8.jpg)
Lattice-Based Cryptography
N=p · q
y =gx mod p
me mod N
e(ga, gb)
=⇒
Advantages
I Appears resistant to quantum attacks
I Simple description and implementation
I Efficient: linear, highly parallelizable
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 4 / 23
![Page 9: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/9.jpg)
Lattice-Based Cryptography
N=p · q
y =gx mod p
me mod N
e(ga, gb)
=⇒
Advantages
I Appears resistant to quantum attacks
I Simple description and implementation
I Efficient: linear, highly parallelizable
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 4 / 23
![Page 10: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/10.jpg)
Lattice-Based Cryptography
N=p · q
y =gx mod p
me mod N
e(ga, gb)
=⇒
Advantages
I Appears resistant to quantum attacks
I Simple description and implementation
I Efficient: linear, highly parallelizable
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 4 / 23
![Page 11: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/11.jpg)
Lattice-Based Cryptography
N=p · q
y =gx mod p
me mod N
e(ga, gb)
=⇒
Advantages
I Appears resistant to quantum attacks
I Simple description and implementation
I Efficient: linear, highly parallelizable
I Security from worst-case assumptions [Ajtai96,. . . ]
(Images courtesy xkcd.org) 4 / 23
![Page 12: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/12.jpg)
Part 1:
Lattices andHard Problems
5 / 23
![Page 13: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/13.jpg)
LatticesI An (integer) lattice is a subgroup L ⊆ Zm. (Looks like a periodic “grid.”)
I Has a basis B = b1, . . . ,bk oflinearly independent vectors:
L =
k∑i=1
(Z · bi)
Today, k = m always: “full rank.”
(Other representations as well. . . )
O
Conjectured Hard Problems
I Find ‘relatively short’ (nonzero) lattice vector(s): SVPγ , SIVPγ
I Estimate geometric quantities of the lattice: minimum distance λ1,successive minima λi, covering radius µ, . . .
6 / 23
![Page 14: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/14.jpg)
LatticesI An (integer) lattice is a subgroup L ⊆ Zm. (Looks like a periodic “grid.”)
I Has a basis B = b1, . . . ,bk oflinearly independent vectors:
L =
k∑i=1
(Z · bi)
Today, k = m always: “full rank.”
(Other representations as well. . . )
O
b1
b2
Conjectured Hard Problems
I Find ‘relatively short’ (nonzero) lattice vector(s): SVPγ , SIVPγ
I Estimate geometric quantities of the lattice: minimum distance λ1,successive minima λi, covering radius µ, . . .
6 / 23
![Page 15: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/15.jpg)
LatticesI An (integer) lattice is a subgroup L ⊆ Zm. (Looks like a periodic “grid.”)
I Has a basis B = b1, . . . ,bk oflinearly independent vectors:
L =
k∑i=1
(Z · bi)
Today, k = m always: “full rank.”
(Other representations as well. . . )
O
b1
b2
Conjectured Hard Problems
I Find ‘relatively short’ (nonzero) lattice vector(s): SVPγ , SIVPγ
I Estimate geometric quantities of the lattice: minimum distance λ1,successive minima λi, covering radius µ, . . .
6 / 23
![Page 16: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/16.jpg)
LatticesI An (integer) lattice is a subgroup L ⊆ Zm. (Looks like a periodic “grid.”)
I Has a basis B = b1, . . . ,bk oflinearly independent vectors:
L =
k∑i=1
(Z · bi)
Today, k = m always: “full rank.”
(Other representations as well. . . )
O
b1
b2
Conjectured Hard Problems
I Find ‘relatively short’ (nonzero) lattice vector(s): SVPγ , SIVPγ
I Estimate geometric quantities of the lattice: minimum distance λ1,successive minima λi, covering radius µ, . . .
6 / 23
![Page 17: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/17.jpg)
LatticesI An (integer) lattice is a subgroup L ⊆ Zm. (Looks like a periodic “grid.”)
I Has a basis B = b1, . . . ,bk oflinearly independent vectors:
L =
k∑i=1
(Z · bi)
Today, k = m always: “full rank.”
(Other representations as well. . . )
O
b1
b2
v
Conjectured Hard Problems
I Find ‘relatively short’ (nonzero) lattice vector(s): SVPγ , SIVPγ
I Estimate geometric quantities of the lattice: minimum distance λ1,successive minima λi, covering radius µ, . . .
6 / 23
![Page 18: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/18.jpg)
LatticesI An (integer) lattice is a subgroup L ⊆ Zm. (Looks like a periodic “grid.”)
I Has a basis B = b1, . . . ,bk oflinearly independent vectors:
L =
k∑i=1
(Z · bi)
Today, k = m always: “full rank.”
(Other representations as well. . . )
O
b1
b2
vλ1
Conjectured Hard Problems
I Find ‘relatively short’ (nonzero) lattice vector(s): SVPγ , SIVPγ
I Estimate geometric quantities of the lattice: minimum distance λ1,successive minima λi, covering radius µ, . . .
6 / 23
![Page 19: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/19.jpg)
Complexity (for the Worst Case)
GapSVPγI Given (a basis of) an m-dim lattice L and some d > 0, distinguish
λ1(L) ≤ d FROM λ1(L) > γ(m) · d
I Becomes easier for larger γ(m):
γ = 2(logm)1−ε
NP-hard∗
[Ajt98,. . . ]
√m
∈ coNP[GG98,AR05]
& m
crypto[Ajt96,. . . ]
2∼m
∈ P[LLL82,Sch87]
I For γ = poly(m), fastest algorithm: 2m time & space [AKS01,MV10,. . . ]
I Similar status for other problems like SIVPγ , . . .
7 / 23
![Page 20: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/20.jpg)
Complexity (for the Worst Case)
GapSVPγI Given (a basis of) an m-dim lattice L and some d > 0, distinguish
λ1(L) ≤ d FROM λ1(L) > γ(m) · d
I Becomes easier for larger γ(m):
γ = 2(logm)1−ε
NP-hard∗
[Ajt98,. . . ]
√m
∈ coNP[GG98,AR05]
& m
crypto[Ajt96,. . . ]
2∼m
∈ P[LLL82,Sch87]
I For γ = poly(m), fastest algorithm: 2m time & space [AKS01,MV10,. . . ]
I Similar status for other problems like SIVPγ , . . .
7 / 23
![Page 21: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/21.jpg)
Complexity (for the Worst Case)
GapSVPγI Given (a basis of) an m-dim lattice L and some d > 0, distinguish
λ1(L) ≤ d FROM λ1(L) > γ(m) · d
I Becomes easier for larger γ(m):
γ = 2(logm)1−ε
NP-hard∗
[Ajt98,. . . ]
√m
∈ coNP[GG98,AR05]
& m
crypto[Ajt96,. . . ]
2∼m
∈ P[LLL82,Sch87]
I For γ = poly(m), fastest algorithm: 2m time & space [AKS01,MV10,. . . ]
I Similar status for other problems like SIVPγ , . . .
7 / 23
![Page 22: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/22.jpg)
Complexity (for the Worst Case)
GapSVPγI Given (a basis of) an m-dim lattice L and some d > 0, distinguish
λ1(L) ≤ d FROM λ1(L) > γ(m) · d
I Becomes easier for larger γ(m):
γ = 2(logm)1−ε
NP-hard∗
[Ajt98,. . . ]
√m
∈ coNP[GG98,AR05]
& m
crypto[Ajt96,. . . ]
2∼m
∈ P[LLL82,Sch87]
I For γ = poly(m), fastest algorithm: 2m time & space [AKS01,MV10,. . . ]
I Similar status for other problems like SIVPγ , . . .
7 / 23
![Page 23: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/23.jpg)
Complexity (for the Worst Case)
GapSVPγI Given (a basis of) an m-dim lattice L and some d > 0, distinguish
λ1(L) ≤ d FROM λ1(L) > γ(m) · d
I Becomes easier for larger γ(m):
γ = 2(logm)1−ε
NP-hard∗
[Ajt98,. . . ]
√m
∈ coNP[GG98,AR05]
& m
crypto[Ajt96,. . . ]
2∼m
∈ P[LLL82,Sch87]
I For γ = poly(m), fastest algorithm: 2m time & space [AKS01,MV10,. . . ]
I Similar status for other problems like SIVPγ , . . .
7 / 23
![Page 24: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/24.jpg)
Part 2:
SIS/LWE andBasic Applications
8 / 23
![Page 25: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/25.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find ‘short’ nonzero z s.t.
Collision-Resistant Hash Function
I Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.
9 / 23
![Page 26: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/26.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find ‘short’ nonzero z s.t.
z1 ·
|a1|
+ z2 ·
|a2|
+
· · ·
+ zm ·
|am|
=
|0|
∈ Znq
Collision-Resistant Hash Function
I Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.
9 / 23
![Page 27: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/27.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find nontrivial z1, . . . , zm ∈ 0,±1 s.t.
z1 ·
|a1|
+ z2 ·
|a2|
+ · · · + zm ·
|am|
=
|0|
∈ Znq
Collision-Resistant Hash Function
I Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.
9 / 23
![Page 28: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/28.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find ‘short’ nonzero z s.t.
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Collision-Resistant Hash Function
I Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.
9 / 23
![Page 29: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/29.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find ‘short’ nonzero z s.t.
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Collision-Resistant Hash FunctionI Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.
9 / 23
![Page 30: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/30.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find ‘short’ nonzero z s.t.
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Collision-Resistant Hash FunctionI Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.
9 / 23
![Page 31: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/31.jpg)
A Hard Problem: Short Integer Solution [Ajtai’96]
I Fix a dimension n and modulus q (e.g., q ≈ n2).
Let Znq = n-dimensional integer vectors modulo q.
I SIS: given many uniform ai, find ‘short’ nonzero z s.t.
· · · · A · · · ·
︸ ︷︷ ︸
m
z
= 0 ∈ Znq
Collision-Resistant Hash FunctionI Define fA : 0, 1m → Znq for any m > n lg q as
fA(x) = Ax.
I Collision x,x′ ∈ 0, 1m where Ax = Ax′ . . .
. . . yields a short (nonzero) solution z = x− x′ ∈ 0,±1m.9 / 23
![Page 32: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/32.jpg)
Cool! (but what does this have to do with lattices?)
I Matrix A = (a1, . . . ,am) ∈ Zn×mq :
L⊥(A) = z ∈ Zm : Az = 0
I ‘Short’ solutions z lie inO
Worst-Case/Average-Case Connection [Ajtai96,. . . ]
Finding ‘short’ (‖z‖ ≤ β q) nonzero z ∈ L⊥(A)(for uniformly random A ∈ Zn×mq )
⇓solving GapSVPβ
√n and SIVPβ
√n on any n-dim lattice
10 / 23
![Page 33: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/33.jpg)
Cool!
(but what does this have to do with lattices?)
I Matrix A = (a1, . . . ,am) ∈ Zn×mq :
L⊥(A) = z ∈ Zm : Az = 0
I ‘Short’ solutions z lie in
O
Worst-Case/Average-Case Connection [Ajtai96,. . . ]
Finding ‘short’ (‖z‖ ≤ β q) nonzero z ∈ L⊥(A)(for uniformly random A ∈ Zn×mq )
⇓solving GapSVPβ
√n and SIVPβ
√n on any n-dim lattice
10 / 23
![Page 34: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/34.jpg)
Cool!
(but what does this have to do with lattices?)
I Matrix A = (a1, . . . ,am) ∈ Zn×mq :
L⊥(A) = z ∈ Zm : Az = 0
I ‘Short’ solutions z lie in
O
(0, q)
(q, 0)
Worst-Case/Average-Case Connection [Ajtai96,. . . ]
Finding ‘short’ (‖z‖ ≤ β q) nonzero z ∈ L⊥(A)(for uniformly random A ∈ Zn×mq )
⇓solving GapSVPβ
√n and SIVPβ
√n on any n-dim lattice
10 / 23
![Page 35: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/35.jpg)
Cool!
(but what does this have to do with lattices?)
I Matrix A = (a1, . . . ,am) ∈ Zn×mq :
L⊥(A) = z ∈ Zm : Az = 0
I ‘Short’ solutions z lie inO
(0, q)
(q, 0)
Worst-Case/Average-Case Connection [Ajtai96,. . . ]
Finding ‘short’ (‖z‖ ≤ β q) nonzero z ∈ L⊥(A)(for uniformly random A ∈ Zn×mq )
⇓solving GapSVPβ
√n and SIVPβ
√n on any n-dim lattice
10 / 23
![Page 36: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/36.jpg)
Cool!
(but what does this have to do with lattices?)
I Matrix A = (a1, . . . ,am) ∈ Zn×mq :
L⊥(A) = z ∈ Zm : Az = 0
I ‘Short’ solutions z lie inO
(0, q)
(q, 0)
Worst-Case/Average-Case Connection [Ajtai96,. . . ]
Finding ‘short’ (‖z‖ ≤ β q) nonzero z ∈ L⊥(A)(for uniformly random A ∈ Zn×mq )
⇓solving GapSVPβ
√n and SIVPβ
√n on any n-dim lattice
10 / 23
![Page 37: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/37.jpg)
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with ‘trapdoor’ sk = T. [Ajtai’99,. . . ,MP’12]
I Sign(T, µ): use T to sample a short x ∈ Zm s.t. Ax = H(µ) ∈ Znq .
Draw x from a (Gaussian) distribution, which reveals nothingabout T:
I Verify(A, µ,x): check that Ax = H(µ) and x is sufficiently short.
I Security: forging a signature for a new message µ∗ requires finding ashort x∗ s.t. Ax∗ = H(µ∗). This is SIS!
11 / 23
![Page 38: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/38.jpg)
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with ‘trapdoor’ sk = T. [Ajtai’99,. . . ,MP’12]
I Sign(T, µ): use T to sample a short x ∈ Zm s.t. Ax = H(µ) ∈ Znq .
Draw x from a (Gaussian) distribution, which reveals nothingabout T:
I Verify(A, µ,x): check that Ax = H(µ) and x is sufficiently short.
I Security: forging a signature for a new message µ∗ requires finding ashort x∗ s.t. Ax∗ = H(µ∗). This is SIS!
11 / 23
![Page 39: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/39.jpg)
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with ‘trapdoor’ sk = T. [Ajtai’99,. . . ,MP’12]
I Sign(T, µ): use T to sample a short x ∈ Zm s.t. Ax = H(µ) ∈ Znq .
Draw x from a (Gaussian) distribution, which reveals nothingabout T:
I Verify(A, µ,x): check that Ax = H(µ) and x is sufficiently short.
I Security: forging a signature for a new message µ∗ requires finding ashort x∗ s.t. Ax∗ = H(µ∗). This is SIS!
11 / 23
![Page 40: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/40.jpg)
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with ‘trapdoor’ sk = T. [Ajtai’99,. . . ,MP’12]
I Sign(T, µ): use T to sample a short x ∈ Zm s.t. Ax = H(µ) ∈ Znq .
Draw x from a (Gaussian) distribution, which reveals nothingabout T:
I Verify(A, µ,x): check that Ax = H(µ) and x is sufficiently short.
I Security: forging a signature for a new message µ∗ requires finding ashort x∗ s.t. Ax∗ = H(µ∗). This is SIS!
11 / 23
![Page 41: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/41.jpg)
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with ‘trapdoor’ sk = T. [Ajtai’99,. . . ,MP’12]
I Sign(T, µ): use T to sample a short x ∈ Zm s.t. Ax = H(µ) ∈ Znq .
Draw x from a (Gaussian) distribution, which reveals nothingabout T:
I Verify(A, µ,x): check that Ax = H(µ) and x is sufficiently short.
I Security: forging a signature for a new message µ∗ requires finding ashort x∗ s.t. Ax∗ = H(µ∗). This is SIS!
11 / 23
![Page 42: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/42.jpg)
Gaussian Sampling over a (Shifted) Lattice
I Sample x s.t. Ax = u given any ‘short’ basis T: max‖ti‖ ≤ std dev
F Output distribution leaks no information about secret basis T!
I “Nearest-plane” algorithm with randomized rounding [Klein’00,GPV’08]
coset L⊥u (A)t1
t2
O
I Proof idea: DL⊥u (plane) depends (essentially) only on dist(O, plane);not affected by shift within plane. So rounding with that probabilityproduces that distribution.
12 / 23
![Page 43: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/43.jpg)
Gaussian Sampling over a (Shifted) Lattice
I Sample x s.t. Ax = u given any ‘short’ basis T: max‖ti‖ ≤ std dev
F Output distribution leaks no information about secret basis T!
I “Nearest-plane” algorithm with randomized rounding [Klein’00,GPV’08]
coset L⊥u (A)t1
t2
O
I Proof idea: DL⊥u (plane) depends (essentially) only on dist(O, plane);not affected by shift within plane. So rounding with that probabilityproduces that distribution.
12 / 23
![Page 44: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/44.jpg)
Gaussian Sampling over a (Shifted) Lattice
I Sample x s.t. Ax = u given any ‘short’ basis T: max‖ti‖ ≤ std dev
F Output distribution leaks no information about secret basis T!
I “Nearest-plane” algorithm with randomized rounding [Klein’00,GPV’08]
coset L⊥u (A)t1
t2
O
I Proof idea: DL⊥u (plane) depends (essentially) only on dist(O, plane);not affected by shift within plane. So rounding with that probabilityproduces that distribution.
12 / 23
![Page 45: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/45.jpg)
Gaussian Sampling over a (Shifted) Lattice
I Sample x s.t. Ax = u given any ‘short’ basis T: max‖ti‖ ≤ std dev
F Output distribution leaks no information about secret basis T!
I “Nearest-plane” algorithm with randomized rounding [Klein’00,GPV’08]
coset L⊥u (A)t1
t2
O
I Proof idea: DL⊥u (plane) depends (essentially) only on dist(O, plane);not affected by shift within plane. So rounding with that probabilityproduces that distribution.
12 / 23
![Page 46: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/46.jpg)
Gaussian Sampling over a (Shifted) Lattice
I Sample x s.t. Ax = u given any ‘short’ basis T: max‖ti‖ ≤ std dev
F Output distribution leaks no information about secret basis T!
I “Nearest-plane” algorithm with randomized rounding [Klein’00,GPV’08]
coset L⊥u (A)t1
t2
O
x
I Proof idea: DL⊥u (plane) depends (essentially) only on dist(O, plane);not affected by shift within plane. So rounding with that probabilityproduces that distribution.
12 / 23
![Page 47: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/47.jpg)
Gaussian Sampling over a (Shifted) Lattice
I Sample x s.t. Ax = u given any ‘short’ basis T: max‖ti‖ ≤ std dev
F Output distribution leaks no information about secret basis T!
I “Nearest-plane” algorithm with randomized rounding [Klein’00,GPV’08]
coset L⊥u (A)t1
t2
O
x
I Proof idea: DL⊥u (plane) depends (essentially) only on dist(O, plane);not affected by shift within plane. So rounding with that probabilityproduces that distribution.
12 / 23
![Page 48: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/48.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 49: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/49.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’
a1 ← Znq , b1 ≈ 〈s , a1〉 mod q
a2 ← Znq , b2 ≈ 〈s , a2〉 mod q
...
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 50: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/50.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’
a1 ← Znq , b1 = 〈s , a1〉+ e1 ∈ Zqa2 ← Znq , b2 = 〈s , a2〉+ e2 ∈ Zq
... √n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 51: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/51.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’· · · A · · ·
,(· · · bt · · ·
)≈ stA
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 52: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/52.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’· · · A · · ·
,(· · · bt · · ·
)≈ stA
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 53: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/53.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’· · · A · · ·
,(· · · bt · · ·
)≈ stA
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 54: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/54.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’· · · A · · ·
,(· · · bt · · ·
)≈ stA
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]
13 / 23
![Page 55: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/55.jpg)
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution χ
I Search: find secret s ∈ Znq given many ‘noisy inner products’· · · A · · ·
,(· · · bt · · ·
)≈ stA
√n ≤ std dev q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst caseGapSVP, SIVP
≤
(quantum [R’05])
search-LWE ≤
[BFKL’93,R’05,. . . ]
decision-LWE ≤ crypto
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS’17]13 / 23
![Page 56: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/56.jpg)
LWE is VersatileWhat kinds of crypto can we construct from LWE?
4 Key Exchange/Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 (Constrained) PRFs
44 Identity-Based Encryption (w/ RO)
44 Hierarchical ID-Based Encryption (w/o RO)
44 NIZK for NP (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based/Predicate Encryption for arbitrary policies
and much, much more. . .
14 / 23
![Page 57: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/57.jpg)
LWE is VersatileWhat kinds of crypto can we construct from LWE?
4 Key Exchange/Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 (Constrained) PRFs
44 Identity-Based Encryption (w/ RO)
44 Hierarchical ID-Based Encryption (w/o RO)
44 NIZK for NP (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based/Predicate Encryption for arbitrary policies
and much, much more. . .
14 / 23
![Page 58: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/58.jpg)
LWE is VersatileWhat kinds of crypto can we construct from LWE?
4 Key Exchange/Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 (Constrained) PRFs
44 Identity-Based Encryption (w/ RO)
44 Hierarchical ID-Based Encryption (w/o RO)
44 NIZK for NP (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based/Predicate Encryption for arbitrary policies
and much, much more. . .
14 / 23
![Page 59: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/59.jpg)
LWE is VersatileWhat kinds of crypto can we construct from LWE?
4 Key Exchange/Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 (Constrained) PRFs
44 Identity-Based Encryption (w/ RO)
44 Hierarchical ID-Based Encryption (w/o RO)
44 NIZK for NP (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based/Predicate Encryption for arbitrary policies
and much, much more. . .
14 / 23
![Page 60: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/60.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq
s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
15 / 23
![Page 61: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/61.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq
s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
15 / 23
![Page 62: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/62.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
15 / 23
![Page 63: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/63.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
15 / 23
![Page 64: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/64.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
15 / 23
![Page 65: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/65.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)
by LWE
15 / 23
![Page 66: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/66.jpg)
Public-Key Cryptosystem from LWE [Regev’05,GPV’08]
short x A← Zn×mq s← Znq
u = Ax(public key, uniform when m > n log q)
bt = stA + et
(ciphertext ‘preamble’)
b′ − bt x ≈bit · q2
b′ = st u + e′ + bit · q2(‘payload’)
(A,u), (b, b′)by LWE
15 / 23
![Page 67: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/67.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!
16 / 23
![Page 68: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/68.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!
16 / 23
![Page 69: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/69.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!
16 / 23
![Page 70: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/70.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
?? ??
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!
16 / 23
![Page 71: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/71.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
?? ??
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!
16 / 23
![Page 72: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/72.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
?? ??
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!
16 / 23
![Page 73: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/73.jpg)
Identity-Based EncryptionI Proposed by [Shamir’84]: could this exist?
mpk (msk)
?? ??
Enc(mpk, “Alice”, msg)
skAlice skBobbi
skCarol
1 [BonehFranklin’01,. . . ]: first IBE, based on pairings
2 [Cocks’01,BGH’07]: based on quadratic residuosity mod N = pq
3 [GPV’08]: based on lattices!16 / 23
![Page 74: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/74.jpg)
IBE from LWE
mpk = Amsk = trapdoor T
u = H(“Alice”)
(‘identity’ public key)
b = stA + et
(ciphertext preamble)
b′ − bt x ≈ bit · q2b′ = st u + e′ + bit · q2
(‘payload’)
Gaussian x s.t. Ax = u
17 / 23
![Page 75: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/75.jpg)
Part 3:
Rings forBetter Efficiency
18 / 23
![Page 76: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/76.jpg)
SIS/LWE are (Sort Of) Efficient
(· · · ai · · ·
)...s...
+ ei = bi ∈ Zq
I Getting one pseudorandomscalar bi ∈ Zq requires an n-diminner product (mod q)
I Can amortize each ai over manysecrets sj , but still O(n) workper scalar output.
I Cryptosystems have rather large keys:
pk =
...At
...
︸ ︷︷ ︸
n
,
...b...
Ω(n)
I Inherently ≥ n2 time to encrypt & decrypt a message.
19 / 23
![Page 77: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/77.jpg)
SIS/LWE are (Sort Of) Efficient
(· · · ai · · ·
)...s...
+ ei = bi ∈ Zq
I Getting one pseudorandomscalar bi ∈ Zq requires an n-diminner product (mod q)
I Can amortize each ai over manysecrets sj , but still O(n) workper scalar output.
I Cryptosystems have rather large keys:
pk =
...At
...
︸ ︷︷ ︸
n
,
...b...
Ω(n)
I Inherently ≥ n2 time to encrypt & decrypt a message.
19 / 23
![Page 78: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/78.jpg)
SIS/LWE are (Sort Of) Efficient
(· · · ai · · ·
)...s...
+ ei = bi ∈ Zq
I Getting one pseudorandomscalar bi ∈ Zq requires an n-diminner product (mod q)
I Can amortize each ai over manysecrets sj , but still O(n) workper scalar output.
I Cryptosystems have rather large keys:
pk =
...At
...
︸ ︷︷ ︸
n
,
...b...
Ω(n)
I Inherently ≥ n2 time to encrypt & decrypt a message.
19 / 23
![Page 79: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/79.jpg)
SIS/LWE are (Sort Of) Efficient
(· · · ai · · ·
)...s...
+ ei = bi ∈ Zq
I Getting one pseudorandomscalar bi ∈ Zq requires an n-diminner product (mod q)
I Can amortize each ai over manysecrets sj , but still O(n) workper scalar output.
I Cryptosystems have rather large keys:
pk =
...At
...
︸ ︷︷ ︸
n
,
...b...
Ω(n)
I Inherently ≥ n2 time to encrypt & decrypt a message.
19 / 23
![Page 80: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/80.jpg)
Wishful Thinking. . ....ai...
?
...s...
+
...ei...
=
...bi...
∈ Znq
I Get n pseudorandom scalarsfrom just one (cheap)product operation?
I Replace n× n blocks byn-dimensional vectors.
QuestionI How to define the product ‘?’ so that (ai,bi) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
AnswerI ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(Xn + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
20 / 23
![Page 81: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/81.jpg)
Wishful Thinking. . ....ai...
?
...s...
+
...ei...
=
...bi...
∈ Znq
I Get n pseudorandom scalarsfrom just one (cheap)product operation?
I Replace n× n blocks byn-dimensional vectors.
QuestionI How to define the product ‘?’ so that (ai,bi) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
AnswerI ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(Xn + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
20 / 23
![Page 82: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/82.jpg)
Wishful Thinking. . ....ai...
?
...s...
+
...ei...
=
...bi...
∈ Znq
I Get n pseudorandom scalarsfrom just one (cheap)product operation?
I Replace n× n blocks byn-dimensional vectors.
QuestionI How to define the product ‘?’ so that (ai,bi) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
AnswerI ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(Xn + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
20 / 23
![Page 83: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/83.jpg)
Wishful Thinking. . ....ai...
?
...s...
+
...ei...
=
...bi...
∈ Znq
I Get n pseudorandom scalarsfrom just one (cheap)product operation?
I Replace n× n blocks byn-dimensional vectors.
QuestionI How to define the product ‘?’ so that (ai,bi) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
AnswerI ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(Xn + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
20 / 23
![Page 84: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/84.jpg)
Wishful Thinking. . ....ai...
?
...s...
+
...ei...
=
...bi...
∈ Znq
I Get n pseudorandom scalarsfrom just one (cheap)product operation?
I Replace n× n blocks byn-dimensional vectors.
QuestionI How to define the product ‘?’ so that (ai,bi) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
AnswerI ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(Xn + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
20 / 23
![Page 85: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/85.jpg)
LWE Over Rings, Over Simplified
I Let R = Z[X]/(Xn + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s ∈ Rq, given:
a1 ← Rq , b1 = s · a1 + e1 ∈ Rqa2 ← Rq , b2 = s · a2 + e2 ∈ Rqa3 ← Rq , b3 = s · a3 + e3 ∈ Rq
...
(ei ∈ R are ‘small’)
I Decision: distinguish (ai , bi) from uniform (ai , bi) ∈ Rq ×Rq
21 / 23
![Page 86: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/86.jpg)
LWE Over Rings, Over Simplified
I Let R = Z[X]/(Xn + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s ∈ Rq, given:
a1 ← Rq , b1 = s · a1 + e1 ∈ Rqa2 ← Rq , b2 = s · a2 + e2 ∈ Rqa3 ← Rq , b3 = s · a3 + e3 ∈ Rq
...
(ei ∈ R are ‘small’)
I Decision: distinguish (ai , bi) from uniform (ai , bi) ∈ Rq ×Rq
21 / 23
![Page 87: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/87.jpg)
LWE Over Rings, Over Simplified
I Let R = Z[X]/(Xn + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s ∈ Rq, given:
a1 ← Rq , b1 = s · a1 + e1 ∈ Rqa2 ← Rq , b2 = s · a2 + e2 ∈ Rqa3 ← Rq , b3 = s · a3 + e3 ∈ Rq
...
(ei ∈ R are ‘small’)
I Decision: distinguish (ai , bi) from uniform (ai , bi) ∈ Rq ×Rq
21 / 23
![Page 88: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/88.jpg)
LWE Over Rings, Over Simplified
I Let R = Z[X]/(Xn + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s ∈ Rq, given:
a1 ← Rq , b1 = s · a1 + e1 ∈ Rqa2 ← Rq , b2 = s · a2 + e2 ∈ Rqa3 ← Rq , b3 = s · a3 + e3 ∈ Rq
...
(ei ∈ R are ‘small’)
I Decision: distinguish (ai , bi) from uniform (ai , bi) ∈ Rq ×Rq
21 / 23
![Page 89: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/89.jpg)
Hardness of Ring-LWE
Initial Reductions [LyubashevskyPeikertRegev’10]
worst-case approx-SVPon ideal lattices in R
≤
(quantum,any R = OK)
search R-LWE ≤
(classical,any cyclotomic R)
decision R-LWE
Newer Reduction [PeikertRegevStephens-Davidowitz’17]
worst-case approx-SVPon ideal lattices in R
≤
(quantum,any R = OK)
decision R-LWE
Constructions
decision R-LWE ≤ much crypto
22 / 23
![Page 90: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/90.jpg)
Hardness of Ring-LWE
Initial Reductions [LyubashevskyPeikertRegev’10]
worst-case approx-SVPon ideal lattices in R
≤
(quantum,any R = OK)
search R-LWE ≤
(classical,any cyclotomic R)
decision R-LWE
Newer Reduction [PeikertRegevStephens-Davidowitz’17]
worst-case approx-SVPon ideal lattices in R
≤
(quantum,any R = OK)
decision R-LWE
Constructions
decision R-LWE ≤ much crypto
22 / 23
![Page 91: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/91.jpg)
Hardness of Ring-LWE
Initial Reductions [LyubashevskyPeikertRegev’10]
worst-case approx-SVPon ideal lattices in R
≤
(quantum,any R = OK)
search R-LWE ≤
(classical,any cyclotomic R)
decision R-LWE
Newer Reduction [PeikertRegevStephens-Davidowitz’17]
worst-case approx-SVPon ideal lattices in R
≤
(quantum,any R = OK)
decision R-LWE
Constructions
decision R-LWE ≤ much crypto
22 / 23
![Page 92: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/92.jpg)
Final Thoughts
I Lattices are a very attractive foundation for post-quantum crypto, forboth ‘basic’ and ‘advanced’ objects.
See remaining talks for much more.
I Cryptanalysis/concrete security estimates are subtle and ongoing, butmaturing.
See Phong Nguyen’s talks tomorrow for coverage of this topic.
Thanks!
23 / 23
![Page 93: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/93.jpg)
Final Thoughts
I Lattices are a very attractive foundation for post-quantum crypto, forboth ‘basic’ and ‘advanced’ objects.
See remaining talks for much more.
I Cryptanalysis/concrete security estimates are subtle and ongoing, butmaturing.
See Phong Nguyen’s talks tomorrow for coverage of this topic.
Thanks!
23 / 23
![Page 94: Fundamentals of Lattice-Based CryptographyToday’s Cryptography (e.g., RSA, Di e-Hellman) I Conjectured-hard problems: factor N= PQ, compute discrete logs I Shor’s quantum algorithm:](https://reader036.vdocuments.us/reader036/viewer/2022062509/610405ef507c2c38c57d7543/html5/thumbnails/94.jpg)
Final Thoughts
I Lattices are a very attractive foundation for post-quantum crypto, forboth ‘basic’ and ‘advanced’ objects.
See remaining talks for much more.
I Cryptanalysis/concrete security estimates are subtle and ongoing, butmaturing.
See Phong Nguyen’s talks tomorrow for coverage of this topic.
Thanks!
23 / 23