lattice cryptography: introduction and open problemsasilverb/conference2015/... · lattice...
TRANSCRIPT
![Page 1: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/1.jpg)
Lattice Cryptography: Introduction and Open Problems
Daniele Micciancio
Department of Computer Science and EngineeringUniversity of California, San Diego
August 2015
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 1 / 32
![Page 2: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/2.jpg)
Point Lattices
The simplest example of lattice is Zn = (x1, . . . , xn) : xi ∈ Z
Other lattices are obtained by applying a linear transformation
B : x = (x1, . . . , xn) 7→ Bx = x1 · b1 + · · ·+ xn · bn
B b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 2 / 32
![Page 3: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/3.jpg)
Point Lattices
The simplest example of lattice is Zn = (x1, . . . , xn) : xi ∈ ZOther lattices are obtained by applying a linear transformation
B : x = (x1, . . . , xn) 7→ Bx = x1 · b1 + · · ·+ xn · bn
(1, 0)
(0, 1)
B b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 2 / 32
![Page 4: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/4.jpg)
Lattice Cryptography
1982 1996 todaycryptanalysis crypto design
Lenstra, Lenstra, Lovasz (1982) : The “LLL” paper“Factoring Polynomials with Rational Coefficients”
Algorithmic breakthroughEfficient approximate solution of lattice problemsExponential approximation factor, but very good in practiceKiller App: Cryptanalysis
Ajtai (1996) : “Generating Hard Instances of Lattice Problems”
Marks the beginning of the modern use of lattices in the design ofcryptographic functions
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 3 / 32
![Page 5: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/5.jpg)
Lattice Cryptography
1982 1996 todaycryptanalysis crypto design
Lenstra, Lenstra, Lovasz (1982) : The “LLL” paper“Factoring Polynomials with Rational Coefficients”
Algorithmic breakthroughEfficient approximate solution of lattice problemsExponential approximation factor, but very good in practiceKiller App: Cryptanalysis
Ajtai (1996) : “Generating Hard Instances of Lattice Problems”
Marks the beginning of the modern use of lattices in the design ofcryptographic functions
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 3 / 32
![Page 6: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/6.jpg)
Ajtai’s paper (quotes)
“cryptography . . . generation of a specific instance of a problem in NPwhich is thought to be difficult”.
“NP-hard problems”“very famous question (e.g., prime factorization).”
“Unfortunately ‘difficult to solve’ means . . . in the worst case”
“no guidance about how to create [a hard instance]”
“possible solution”1 “find a set of randomly generated problems”, and2 “show that if there is an algorithm which [works] with a positive
probability, then there is also an algorithm which solves the famousproblem in the worst case.”
“In this paper we give such a class of random problems.”
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 4 / 32
![Page 7: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/7.jpg)
Example: Discrete Logrithm (DLOG)
p: a prime
Z∗p: multiplicative group
g ∈ Z∗p: generator of (prime order sub-)group G = g i : i ∈ Z ⊆ Z∗pInput: h = g i mod p
DLOG Problem
Given p, g , h, recover i (modulo q = o(g))
Random Self Reducibility
If you can solve DLOG for random g and h (with some probability), thenyou can solve it for any g , h in the worst-case.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 5 / 32
![Page 8: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/8.jpg)
Example: Discrete Logrithm (DLOG)
p: a prime
Z∗p: multiplicative group
g ∈ Z∗p: generator of (prime order sub-)group G = g i : i ∈ Z ⊆ Z∗pInput: h = g i mod p
DLOG Problem
Given p, g , h, recover i (modulo q = o(g))
Random Self Reducibility
If you can solve DLOG for random g and h (with some probability), thenyou can solve it for any g , h in the worst-case.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 5 / 32
![Page 9: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/9.jpg)
DLOG: Random Self Reducibility (RSR)
1 Given arbitrary g , h
2 Compute g ′ = ga and h′ = hab for random a, b ∈ Z∗q.
3 Notice:
g ′, h′ ∈ G are (almost) uniformly randomh′ = hab = g iab = (g ′)ib
4 Find j = DLOG (g ′, h′) = ib
5 Output j/b (mod q).
Conclusion
We know how to choose g , h ∈ G .But, how do we choose G?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32
![Page 10: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/10.jpg)
DLOG: Random Self Reducibility (RSR)
1 Given arbitrary g , h
2 Compute g ′ = ga and h′ = hab for random a, b ∈ Z∗q.
3 Notice:
g ′, h′ ∈ G are (almost) uniformly randomh′ = hab = g iab = (g ′)ib
4 Find j = DLOG (g ′, h′) = ib
5 Output j/b (mod q).
Conclusion
We know how to choose g , h ∈ G .But, how do we choose G?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32
![Page 11: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/11.jpg)
DLOG: Random Self Reducibility (RSR)
1 Given arbitrary g , h
2 Compute g ′ = ga and h′ = hab for random a, b ∈ Z∗q.
3 Notice:
g ′, h′ ∈ G are (almost) uniformly randomh′ = hab = g iab = (g ′)ib
4 Find j = DLOG (g ′, h′) = ib
5 Output j/b (mod q).
Conclusion
We know how to choose g , h ∈ G .But, how do we choose G?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32
![Page 12: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/12.jpg)
DLOG: Random Self Reducibility (RSR)
1 Given arbitrary g , h
2 Compute g ′ = ga and h′ = hab for random a, b ∈ Z∗q.
3 Notice:
g ′, h′ ∈ G are (almost) uniformly randomh′ = hab = g iab = (g ′)ib
4 Find j = DLOG (g ′, h′) = ib
5 Output j/b (mod q).
Conclusion
We know how to choose g , h ∈ G .But, how do we choose G?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32
![Page 13: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/13.jpg)
DLOG: Random Self Reducibility (RSR)
1 Given arbitrary g , h
2 Compute g ′ = ga and h′ = hab for random a, b ∈ Z∗q.
3 Notice:
g ′, h′ ∈ G are (almost) uniformly randomh′ = hab = g iab = (g ′)ib
4 Find j = DLOG (g ′, h′) = ib
5 Output j/b (mod q).
Conclusion
We know how to choose g , h ∈ G .But, how do we choose G?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32
![Page 14: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/14.jpg)
DLOG: Random Self Reducibility (RSR)
1 Given arbitrary g , h
2 Compute g ′ = ga and h′ = hab for random a, b ∈ Z∗q.
3 Notice:
g ′, h′ ∈ G are (almost) uniformly randomh′ = hab = g iab = (g ′)ib
4 Find j = DLOG (g ′, h′) = ib
5 Output j/b (mod q).
Conclusion
We know how to choose g , h ∈ G .But, how do we choose G?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 6 / 32
![Page 15: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/15.jpg)
DLOG vs Lattices (1)
Lattice Assumption
The complexity of solving lattice problems in n-dimensional lattices growssuperpolynomially (or exponentially) in n.
Similarly, one may conjecture that the complexity of DLOG growssuperpolynomially in n = log p or n = log |G |.This is not the same:
For any n, there are (exponentially) many primes p.Typically, p is chosen at random among all n-bit primesAssumption is still average-case: DLOG is hard for random p.
We do not know how to reduce DLOG (Z∗p) to DLOG (Z∗q).RSR provides no guidance on how to choose p.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32
![Page 16: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/16.jpg)
DLOG vs Lattices (1)
Lattice Assumption
The complexity of solving lattice problems in n-dimensional lattices growssuperpolynomially (or exponentially) in n.
Similarly, one may conjecture that the complexity of DLOG growssuperpolynomially in n = log p or n = log |G |.
This is not the same:
For any n, there are (exponentially) many primes p.Typically, p is chosen at random among all n-bit primesAssumption is still average-case: DLOG is hard for random p.
We do not know how to reduce DLOG (Z∗p) to DLOG (Z∗q).RSR provides no guidance on how to choose p.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32
![Page 17: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/17.jpg)
DLOG vs Lattices (1)
Lattice Assumption
The complexity of solving lattice problems in n-dimensional lattices growssuperpolynomially (or exponentially) in n.
Similarly, one may conjecture that the complexity of DLOG growssuperpolynomially in n = log p or n = log |G |.This is not the same:
For any n, there are (exponentially) many primes p.Typically, p is chosen at random among all n-bit primesAssumption is still average-case: DLOG is hard for random p.
We do not know how to reduce DLOG (Z∗p) to DLOG (Z∗q).RSR provides no guidance on how to choose p.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32
![Page 18: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/18.jpg)
DLOG vs Lattices (1)
Lattice Assumption
The complexity of solving lattice problems in n-dimensional lattices growssuperpolynomially (or exponentially) in n.
Similarly, one may conjecture that the complexity of DLOG growssuperpolynomially in n = log p or n = log |G |.This is not the same:
For any n, there are (exponentially) many primes p.Typically, p is chosen at random among all n-bit primesAssumption is still average-case: DLOG is hard for random p.
We do not know how to reduce DLOG (Z∗p) to DLOG (Z∗q).RSR provides no guidance on how to choose p.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 7 / 32
![Page 19: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/19.jpg)
DLOG vs Lattices (2)
Alternative assumption
DLOG(pn) is hard when pn is the smallest prime > 2n.
Equivalent to worst-case family of problems (indexed by n)
Ad-hoc: problem definition seems rather arbitrary
There is more:
Lattice problems in dimension n reduce to lattice problems indimension m > n:
B =⇒ B OO ∞
No such reduction for DLOG:
DLOG (pn)?
=⇒ DLOG (pn+1)
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 8 / 32
![Page 20: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/20.jpg)
DLOG vs Lattices (2)
Alternative assumption
DLOG(pn) is hard when pn is the smallest prime > 2n.
Equivalent to worst-case family of problems (indexed by n)
Ad-hoc: problem definition seems rather arbitrary
There is more:
Lattice problems in dimension n reduce to lattice problems indimension m > n:
B =⇒ B OO ∞
No such reduction for DLOG:
DLOG (pn)?
=⇒ DLOG (pn+1)
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 8 / 32
![Page 21: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/21.jpg)
DLOG vs Lattices (3)
Other (natural) representations:
G = (Z∗p, ·) ≡ (Zp−1,+)
but “DLOG” in (Zp−1,+) is easy.
Other (still natural) groups:
G = Z∗pq
Question
Assume one of DLOG (Zp) and DLOG (Zp·q) is polynomial time solvable,and one is not. Which group family would you choose?
Chinese Reminder Theorem (CRT): Zpq ≈ Zp × Zq
DLOG (Z∗p) =⇒ DLOG (Z∗pq).
Reduction in the other direction requires factoring.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32
![Page 22: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/22.jpg)
DLOG vs Lattices (3)
Other (natural) representations:
G = (Z∗p, ·) ≡ (Zp−1,+)
but “DLOG” in (Zp−1,+) is easy.
Other (still natural) groups:
G = Z∗pq
Question
Assume one of DLOG (Zp) and DLOG (Zp·q) is polynomial time solvable,and one is not. Which group family would you choose?
Chinese Reminder Theorem (CRT): Zpq ≈ Zp × Zq
DLOG (Z∗p) =⇒ DLOG (Z∗pq).
Reduction in the other direction requires factoring.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32
![Page 23: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/23.jpg)
DLOG vs Lattices (3)
Other (natural) representations:
G = (Z∗p, ·) ≡ (Zp−1,+)
but “DLOG” in (Zp−1,+) is easy.
Other (still natural) groups:
G = Z∗pq
Question
Assume one of DLOG (Zp) and DLOG (Zp·q) is polynomial time solvable,and one is not. Which group family would you choose?
Chinese Reminder Theorem (CRT): Zpq ≈ Zp × Zq
DLOG (Z∗p) =⇒ DLOG (Z∗pq).
Reduction in the other direction requires factoring.Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 9 / 32
![Page 24: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/24.jpg)
Ajtai’s one-way function (SIS)
Parameters: m, n, q ∈ ZKey: A ∈ Zn×m
q
Input: x ∈ 0, 1m
Output: fA(x) = Ax mod q
m
xT
×
n A
f
Ax
Theorem (A’96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in theworst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [A’96], Hashing [GGH’97], Commit [KTX’08], IDschemes [L’08], Signatures [LM’08,GPV’08,. . . ,DDLL’13] . . .
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 10 / 32
![Page 25: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/25.jpg)
Ajtai’s one-way function (SIS)
Parameters: m, n, q ∈ ZKey: A ∈ Zn×m
q
Input: x ∈ 0, 1m
Output: fA(x) = Ax mod q
m
xT
×
n Af
Ax
Theorem (A’96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in theworst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [A’96], Hashing [GGH’97], Commit [KTX’08], IDschemes [L’08], Signatures [LM’08,GPV’08,. . . ,DDLL’13] . . .
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 10 / 32
![Page 26: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/26.jpg)
Ajtai’s one-way function (SIS)
Parameters: m, n, q ∈ ZKey: A ∈ Zn×m
q
Input: x ∈ 0, 1m
Output: fA(x) = Ax mod q
m
xT
×
n Af
Ax
Theorem (A’96)
For m > n lg q, if lattice problems (SIVP) are hard to approximate in theworst-case, then fA(x) = Ax mod q is a one-way function.
Applications: OWF [A’96], Hashing [GGH’97], Commit [KTX’08], IDschemes [L’08], Signatures [LM’08,GPV’08,. . . ,DDLL’13] . . .
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 10 / 32
![Page 27: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/27.jpg)
Relation to lattices
The kernel set Λ⊥(A) is a lattice
Λ⊥(A) = z ∈ Zm : Az = 0 (mod q)
Collisions Ax = Ay (mod q) can be represented by a single vectorz = x− y ∈ −1, 0, 1 such that
A
z =
A
x−
A
y
= 0 mod q
Collisions are lattice vectors z ∈ Λ⊥(A) with small norm‖z‖∞ = maxi |zi | = 1.
... there is a much deeper and interesting relation between breakingfA and lattice problems.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 11 / 32
![Page 28: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/28.jpg)
Relation to lattices
The kernel set Λ⊥(A) is a lattice
Λ⊥(A) = z ∈ Zm : Az = 0 (mod q)
Collisions Ax = Ay (mod q) can be represented by a single vectorz = x− y ∈ −1, 0, 1 such that
Az = Ax− Ay = 0 mod q
Collisions are lattice vectors z ∈ Λ⊥(A) with small norm‖z‖∞ = maxi |zi | = 1.
... there is a much deeper and interesting relation between breakingfA and lattice problems.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 11 / 32
![Page 29: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/29.jpg)
Relation to lattices
The kernel set Λ⊥(A) is a lattice
Λ⊥(A) = z ∈ Zm : Az = 0 (mod q)
Collisions Ax = Ay (mod q) can be represented by a single vectorz = x− y ∈ −1, 0, 1 such that
Az = Ax− Ay = 0 mod q
Collisions are lattice vectors z ∈ Λ⊥(A) with small norm‖z‖∞ = maxi |zi | = 1.
... there is a much deeper and interesting relation between breakingfA and lattice problems.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 11 / 32
![Page 30: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/30.jpg)
Relation to lattices
The kernel set Λ⊥(A) is a lattice
Λ⊥(A) = z ∈ Zm : Az = 0 (mod q)
Collisions Ax = Ay (mod q) can be represented by a single vectorz = x− y ∈ −1, 0, 1 such that
Az = Ax− Ay = 0 mod q
Collisions are lattice vectors z ∈ Λ⊥(A) with small norm‖z‖∞ = maxi |zi | = 1.
... there is a much deeper and interesting relation between breakingfA and lattice problems.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 11 / 32
![Page 31: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/31.jpg)
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x ∈ Zk) oflength (at most) ‖Bx‖ ≤ λ1
b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 12 / 32
![Page 32: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/32.jpg)
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x ∈ Zk) oflength (at most) ‖Bx‖ ≤ λ1
b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 12 / 32
![Page 33: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/33.jpg)
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x ∈ Zk) oflength (at most) ‖Bx‖ ≤ λ1
b1
b2
λ1
Bx = 5b1 − 2b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 12 / 32
![Page 34: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/34.jpg)
Shortest Vector Problem
Definition (Shortest Vector Problem, SVPγ)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with x ∈ Zk) oflength (at most) ‖Bx‖ ≤ γλ1
2λ1
b1
b2
λ1
Bx = 5b1 − 2b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 12 / 32
![Page 35: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/35.jpg)
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance ‖Bx− t‖ ≤ µ from the target
t
b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 13 / 32
![Page 36: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/36.jpg)
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance ‖Bx− t‖ ≤ µ from the target
t
b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 13 / 32
![Page 37: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/37.jpg)
Closest Vector Problem
Definition (Closest Vector Problem, CVP)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance ‖Bx− t‖ ≤ µ from the target
tµ
b1
b2
Bx
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 13 / 32
![Page 38: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/38.jpg)
Closest Vector Problem
Definition (Closest Vector Problem, CVPγ)
Given a lattice L(B) and a target point t, find a lattice vector Bx withindistance ‖Bx− t‖ ≤ γµ from the target
tµ 2µ
b1
b2
Bx
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 13 / 32
![Page 39: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/39.jpg)
Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVP)
Given a lattice L(B), find n linearly independent lattice vectorsBx1, . . . ,Bxn of length (at most) maxi ‖Bxi‖ ≤ λn
b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 14 / 32
![Page 40: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/40.jpg)
Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVP)
Given a lattice L(B), find n linearly independent lattice vectorsBx1, . . . ,Bxn of length (at most) maxi ‖Bxi‖ ≤ λn
b1
b2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 14 / 32
![Page 41: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/41.jpg)
Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVP)
Given a lattice L(B), find n linearly independent lattice vectorsBx1, . . . ,Bxn of length (at most) maxi ‖Bxi‖ ≤ λn
b1
b2
Bx1
λ2
Bx2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 14 / 32
![Page 42: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/42.jpg)
Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVPγ)
Given a lattice L(B), find n linearly independent lattice vectorsBx1, . . . ,Bxn of length (at most) maxi ‖Bxi‖ ≤ γλn
2λ2
b1
b2
Bx1
λ2
Bx2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 14 / 32
![Page 43: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/43.jpg)
Minimum Distance and Successive Minima
Minimum distance
λ1 = minx,y∈L,x6=y
‖x− y‖
= minx∈L,x6=0
‖x‖
Successive minima (i = 1, . . . , n)
λi = minr : dim span(B(r) ∩ L) ≥ i
Examples
Zn: λ1 = λ2 = . . . = λn = 1Always: λ1 ≤ λ2 ≤ . . . ≤ λn
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 15 / 32
![Page 44: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/44.jpg)
Minimum Distance and Successive Minima
Minimum distance
λ1 = minx,y∈L,x6=y
‖x− y‖
= minx∈L,x6=0
‖x‖
Successive minima (i = 1, . . . , n)
λi = minr : dim span(B(r) ∩ L) ≥ i
Examples
Zn: λ1 = λ2 = . . . = λn = 1Always: λ1 ≤ λ2 ≤ . . . ≤ λn
λ1
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 15 / 32
![Page 45: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/45.jpg)
Minimum Distance and Successive Minima
Minimum distance
λ1 = minx,y∈L,x6=y
‖x− y‖
= minx∈L,x6=0
‖x‖
Successive minima (i = 1, . . . , n)
λi = minr : dim span(B(r) ∩ L) ≥ i
Examples
Zn: λ1 = λ2 = . . . = λn = 1Always: λ1 ≤ λ2 ≤ . . . ≤ λn
λ1
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 15 / 32
![Page 46: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/46.jpg)
Minimum Distance and Successive Minima
Minimum distance
λ1 = minx,y∈L,x6=y
‖x− y‖
= minx∈L,x6=0
‖x‖
Successive minima (i = 1, . . . , n)
λi = minr : dim span(B(r) ∩ L) ≥ i
Examples
Zn: λ1 = λ2 = . . . = λn = 1Always: λ1 ≤ λ2 ≤ . . . ≤ λn
λ1λ2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 15 / 32
![Page 47: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/47.jpg)
Minimum Distance and Successive Minima
Minimum distance
λ1 = minx,y∈L,x6=y
‖x− y‖
= minx∈L,x6=0
‖x‖
Successive minima (i = 1, . . . , n)
λi = minr : dim span(B(r) ∩ L) ≥ i
Examples
Zn: λ1 = λ2 = . . . = λn = 1Always: λ1 ≤ λ2 ≤ . . . ≤ λn
λ1λ2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 15 / 32
![Page 48: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/48.jpg)
Blurring a lattice
Consider a lattice Λ, and
add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 49: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/49.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.
Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 50: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/50.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.
Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 51: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/51.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.
Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 52: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/52.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.
Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 53: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/53.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 54: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/54.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 55: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/55.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 56: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/56.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed?
[MR]
‖r‖ ≤
(log n) ·
√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 57: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/57.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed? [MR]
‖r‖ ≤ (log n) ·√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 58: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/58.jpg)
Blurring a lattice
Consider a lattice Λ, and add noise to eachlattice point until the entire space is covered.Increase the noise until the space is uniformlycovered.
How much noise is needed? [MR]
‖r‖ ≤ (log n) ·√n · λn/2
Each point in a ∈ Rn can be writtena = v+ r where v ∈ L and ‖r‖ ≈
√nλn.
a ∈ Rn/Λ is uniformly distributed.
Think of Rn ≈ 1qΛ [GPV’07]
vr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
avr
a
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 16 / 32
![Page 59: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/59.jpg)
Average-case hardness (sketch)
Generate random points ai = vi + ri ∈ 1qΛ, where
vi ∈ Λ is a random lattice pointri is a random error vector of length ‖ri‖ ≈
√nλn
A = [a1, . . . , am] ≈ 1qΛm ≡ Zn×m
q
Assume we can find a short lattice vector z ∈ Zm
∑(vi + ri )zi =
∑aizi =
Az = 0
Rearranging the terms yields a lattice vector∑vizi = −
∑rizi
of length at most ‖∑
rizi‖ ≈√m ·max ‖ri‖ ≈ n · λn
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 17 / 32
![Page 60: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/60.jpg)
Average-case hardness (sketch)
Generate random points ai = vi + ri ∈ 1qΛ, where
vi ∈ Λ is a random lattice pointri is a random error vector of length ‖ri‖ ≈
√nλn
A = [a1, . . . , am] ≈ 1qΛm ≡ Zn×m
q
Assume we can find a short lattice vector z ∈ Zm∑(vi + ri )zi =
∑aizi = Az = 0
Rearranging the terms yields a lattice vector∑vizi = −
∑rizi
of length at most ‖∑
rizi‖ ≈√m ·max ‖ri‖ ≈ n · λn
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 17 / 32
![Page 61: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/61.jpg)
Average-case hardness (sketch)
Generate random points ai = vi + ri ∈ 1qΛ, where
vi ∈ Λ is a random lattice pointri is a random error vector of length ‖ri‖ ≈
√nλn
A = [a1, . . . , am] ≈ 1qΛm ≡ Zn×m
q
Assume we can find a short lattice vector z ∈ Zm∑(vi + ri )zi =
∑aizi = Az = 0
Rearranging the terms yields a lattice vector∑vizi = −
∑rizi
of length at most ‖∑
rizi‖ ≈√m ·max ‖ri‖ ≈ n · λn
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 17 / 32
![Page 62: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/62.jpg)
Shortcomings of Ajtai’s function
Expressivity:
Ajtai’s proof requires m > n log q
The function fA : 0, 1m → Znq is not injective
Enough for one-way functions, collision resistant hashing, some digitalsiguatures, commitments, identification, etc.
. . . but (public key) encryption seem to require stronger assumptions.
1996: Ajtai-Dwork cryptosystem, based on the “unique” ShortestVector Problem.
Efficiency:
The matrix/key A ∈ Zn×mq requires Ω(n2) storage (and computation)
1996: NTRU Cryptosystem, efficient, but not supported by securityproof from worst-case lattice problems.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 18 / 32
![Page 63: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/63.jpg)
Learning with errors (LWE)
A ∈ Zm×nq , s ∈ Zn
q, e ∈ Em.
gA(s
; e
) = As
+ e
mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Regev’05)
The function gA(s, e) is hard toinvert on the average, assumingSIVP is hard to approximate in theworst-case even for quantumcomputers.
n
sT
×
m A
+ e
gb
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 19 / 32
![Page 64: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/64.jpg)
Learning with errors (LWE)
A ∈ Zm×nq , s ∈ Zn
q, e ∈ Em.
gA(s; e) = As + e mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Regev’05)
The function gA(s, e) is hard toinvert on the average, assumingSIVP is hard to approximate in theworst-case even for quantumcomputers.
n
sT
×
m A + eg
b
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 19 / 32
![Page 65: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/65.jpg)
Learning with errors (LWE)
A ∈ Zm×nq , s ∈ Zn
q, e ∈ Em.
gA(s; e) = As + e mod q
Learning with Errors: Given Aand gA(s, e), recover s.
Theorem (Regev’05)
The function gA(s, e) is hard toinvert on the average, assumingSIVP is hard to approximate in theworst-case even for quantumcomputers.
n
sT
×
m A + eg
b
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 19 / 32
![Page 66: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/66.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ β
Output: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
x
fL
xb1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 67: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/67.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
x
fL
xb1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 68: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/68.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
fL
b1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 69: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/69.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
fL
b1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 70: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/70.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
fL
b1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 71: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/71.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
fL
b1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 72: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/72.jpg)
SIS/LWE as CVP
Candidate OWF
Key: a hard lattice LInput: x, ‖x‖ ≤ βOutput: fL(x) = x mod L
β < λ1/2: fL is injective
β > λ1/2: fL is not injective
β ≥ µ: fL is surjective
β µ: fL(x) is almost uniform
Question
Are these functions cryptographicallyhard to invert?
fL
b1
b2
0
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 20 / 32
![Page 73: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/73.jpg)
Special Versions of CVP
Definition (Closest Vector Problem (CVP))
Given (L, t, d), with µ(t,L) ≤ d , find a lattice point within distance dfrom t.
If d is arbitrary, then one can find the closest lattice vector by binarysearch on d .
Bounded Distance Decoding (BDD): If d < λ1(L)/2, then there is atmost one solution. Solution is the closest lattice vector.
Absolute Distance Decoding (ADD): If d ≥ ρ(L), then there is alwaysat least one solution. Solution may not be closest lattice vector.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 21 / 32
![Page 74: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/74.jpg)
Computational problems on random lattices
Ajtai’s class of random lattices an their duals:
A ∈ Zn×m
Λ⊥q (A) = x ∈ Zm : Ax = 0 mod qΛq(A) = ATZn + qZm
Inverting Ajtai’s function Ax = b
Solution x always exist, but it is hard to find
Average case version of ADD on random Λ⊥q (A)
Solving LWE sA + x = b
For small enough x, solution is unique
Average case version of BDD on random dual lattice Λq(A).
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 22 / 32
![Page 75: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/75.jpg)
ADD reduces to SIVP
ADD input: L and arbitrary t
Compute short vectors V = SIVP(L)
Use V to find a lattice vector within distance∑i12‖vi‖ ≤ (n/2)λn ≤ nρ from t
Px
t
v1
v2
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 23 / 32
![Page 76: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/76.jpg)
BDD reduces to SIVP
BDD input: t close to L
Compute V = SIVP(L∗)For each vi ∈ L∗, find the layerLi = x | x · vi = ci closest to t
Output L1 ∩ L2 ∩ · · · ∩ Ln
Output is correct as long as
µ(t,L) ≤ λ12n≤ 1
2λ∗n≤ 1
2‖vi‖
0 t
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 24 / 32
![Page 77: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/77.jpg)
BDD reduces to SIVP
BDD input: t close to LCompute V = SIVP(L∗)
For each vi ∈ L∗, find the layerLi = x | x · vi = ci closest to t
Output L1 ∩ L2 ∩ · · · ∩ Ln
Output is correct as long as
µ(t,L) ≤ λ12n≤ 1
2λ∗n≤ 1
2‖vi‖
0 t
vi
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 24 / 32
![Page 78: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/78.jpg)
BDD reduces to SIVP
BDD input: t close to LCompute V = SIVP(L∗)For each vi ∈ L∗, find the layerLi = x | x · vi = ci closest to t
Output L1 ∩ L2 ∩ · · · ∩ Ln
Output is correct as long as
µ(t,L) ≤ λ12n≤ 1
2λ∗n≤ 1
2‖vi‖
0 t
vi
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 24 / 32
![Page 79: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/79.jpg)
BDD reduces to SIVP
BDD input: t close to LCompute V = SIVP(L∗)For each vi ∈ L∗, find the layerLi = x | x · vi = ci closest to t
Output L1 ∩ L2 ∩ · · · ∩ Ln
Output is correct as long as
µ(t,L) ≤ λ12n≤ 1
2λ∗n≤ 1
2‖vi‖
0 t
vi
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 24 / 32
![Page 80: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/80.jpg)
BDD reduces to SIVP
BDD input: t close to LCompute V = SIVP(L∗)For each vi ∈ L∗, find the layerLi = x | x · vi = ci closest to t
Output L1 ∩ L2 ∩ · · · ∩ Ln
Output is correct as long as
µ(t,L) ≤ λ12n≤ 1
2λ∗n≤ 1
2‖vi‖
0 t
vi
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 24 / 32
![Page 81: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/81.jpg)
Special Versions of SVP and SIVP
GapSVP: compute (or approximate) the value λ1 without necessarilyfinding a short vector
GapSIVP: compute (or approximate) the value λn without necessarilyfinding short linearly independent vectors
Transference Theorem λ1 ≈ 1/λ∗n: GapSVP can be (approximately)solved by solving GapSIVP in the dual lattice, and vice versa
Problems
Exercise: Computing λ1 (or λn) exactly is as hard as SVP (or SIVP)
Open Problem: Reduce approximate SVP (or SIVP) to approximateGapSVP (or GapSIVP)
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 25 / 32
![Page 82: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/82.jpg)
Relations among lattice problems
SIVP ≈ ADD [MG’01]
SVP ≤ CVP [GMSS’99]
SIVP ≤ CVP [M’08]
BDD . SIVP
CVP . SVP [L’87]
GapSVP ≈ GapSIVP[LLS’91,B’93]
GapSVP . BDD [LM’09]
GapSVP GapSIVP BDD
SIVP ADD
SVP CVP
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 26 / 32
![Page 83: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/83.jpg)
Relations among lattice problems
SIVP ≈ ADD [MG’01]
SVP ≤ CVP [GMSS’99]
SIVP ≤ CVP [M’08]
BDD . SIVP
CVP . SVP [L’87]
GapSVP ≈ GapSIVP[LLS’91,B’93]
GapSVP . BDD [LM’09]
GapSVP GapSIVP BDD
SIVP ADD
SVP CVP
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 26 / 32
![Page 84: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/84.jpg)
Open Problems
Does the ability to approximate λ1 helps in solving SVP?
Does the ability to approximate λn helps in solving SIVP?
Is there a reduction from CVP/SVP to SIVP?
Yes, for the exact version of the problems [M. 08]Open for approximation version
Is there a classical (nonquantum) reduction from SIVP/ADD toGapSVP/BDD?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 27 / 32
![Page 85: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/85.jpg)
Efficient Lattice Cryptography from Structured Lattices
Idea
Use structured matrix
A = [A(1) | . . . | A(m/n)]
where A(i) ∈ Zn×nq is circulant
A(i) =
a(i)1 a
(i)n · · · a
(i)2
a(i)2 a
(i)1 · · · a
(i)3
......
. . ....
a(i)n a
(i)n−1 · · · a
(i)1
“Generalized Compact Knapsacks and Efficient One-Way Functions”(Micciancio, FOCS 2002)
Efficient version of Ajtai’s connection:
O(n log n) space and time complexityProvable security: guidance on how to choose random instances.
Theorem
“CyclicSIS” is hard to invert on average, assuming the worst-case hardnessof lattice problems over “cyclic” lattices.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 28 / 32
![Page 86: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/86.jpg)
Ideal Lattices and Algebraic number theory
Isomorphism: Acyc ↔ Z[X ]/(X n − 1)
Cyclic SIS:
fa1,...,ak (u1, . . . ,uk) =∑i
ai (X ) · ui (X ) (mod X n − 1)
where ai , ui ∈ R = Z[X ]/(X n − 1).
More generally, use R = Z[X ]/p(X ) for some monic polynomialp(X ) ∈ Z[X ]
If p(X ) is irreducible, then finding collisions to fa for random a is ashard as solving lattice problems in the worst case in ideal lattices
Can set R to the ring of integers of K = Q[X ]/p(X ).
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 29 / 32
![Page 87: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/87.jpg)
How to choose p(X )/R?
RingSIS (Lyubashevsky, PhD Thesis, UCSD 2008)
define fa(u) =∑
i ai (X ) · ui (X )
Notice: no reduction modulo p(X )!
If fa(u) = fa(u′) in Z[X ], then fa(u) = fa(u′) (mod p(X )).
Conclusion: breaking f is at least as hard as solving lattices problemsin ideal lattices for any p(X ).
RingLWE:
Most applications require not only hardness of inverting fa, but alsopseudorandomness of output fa(u)
[Lyubashevsky,Peikert,Regev’10]: For cyclotomic p(X ), hardness ofinverting fa implies pseudorandomness of fa(u).
[Lauter’15] constructs polynomial rings where inverting fa isconceivably hard, but fa(u) is easily distinguished from random.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 30 / 32
![Page 88: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/88.jpg)
How to choose p(X )/R?
RingSIS (Lyubashevsky, PhD Thesis, UCSD 2008)
define fa(u) =∑
i ai (X ) · ui (X )
Notice: no reduction modulo p(X )!
If fa(u) = fa(u′) in Z[X ], then fa(u) = fa(u′) (mod p(X )).
Conclusion: breaking f is at least as hard as solving lattices problemsin ideal lattices for any p(X ).
RingLWE:
Most applications require not only hardness of inverting fa, but alsopseudorandomness of output fa(u)
[Lyubashevsky,Peikert,Regev’10]: For cyclotomic p(X ), hardness ofinverting fa implies pseudorandomness of fa(u).
[Lauter’15] constructs polynomial rings where inverting fa isconceivably hard, but fa(u) is easily distinguished from random.
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 30 / 32
![Page 89: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/89.jpg)
Classical Hardness of LWE
[P’09, BLPRS’13] There is a classical reduction from GapSVP toLWE when q = 2O(n), or LWE dimension d = O(n2)
Open Problems
Is there a more efficient reduction from GapSVP to LWE?
Is there a classical reduction from SIVP to LWE?
Is there a reduction from SVP/SIVP to LWE on ideal lattices?
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 31 / 32
![Page 90: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/90.jpg)
More Open Problems – Tonight 7:30pm
Bring your own open problems to share!
Send email [email protected]
with estimated time for scheduling.
. . . or, just talk to me over lunch or coffee break.
Thank you!
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 32 / 32
![Page 91: Lattice Cryptography: Introduction and Open Problemsasilverb/Conference2015/... · Lattice Cryptography 1982 1996 today cryptanalysis crypto design Lenstra, Lenstra, Lovasz (1982)](https://reader035.vdocuments.us/reader035/viewer/2022062602/5ee13edaad6a402d666c31b6/html5/thumbnails/91.jpg)
More Open Problems – Tonight 7:30pm
Bring your own open problems to share!
Send email [email protected]
with estimated time for scheduling.
. . . or, just talk to me over lunch or coffee break.
Thank you!
Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August 2015 32 / 32