overview of quantum cryptanalysis of lattice systems · overview of quantum cryptanalysis of...
TRANSCRIPT
Overview of Quantum Cryptanalysis of Lattice Systems
Elena Kirshanova
I. Kant Baltic Federal University
based on joint works with G.Herold, T. Laarhoven
Quantum Cryptanalysis of Post-Quantum CryptographyThe Simons Institute for the Theory of Computing
March 1, 2020
Outline
• The Shortest Vector Problem
• Classical & Quantum Sieve
• Other algorithms
SVP
0
b1
b2
v
Minimum
λ1(L) = minv∈L\0 ‖v‖
Determinant
det(L) = |det(bi)i|
Minkowski bound
λ1(L) ≤√n(det(L)) 1n
The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:
‖vshortest‖ = λ1(L)
SVP
0
b1
b2
v
Minimum
λ1(L) = minv∈L\0 ‖v‖
Determinant
det(L) = |det(bi)i|
Minkowski bound
λ1(L) ≤√n(det(L)) 1n
The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:
‖vshortest‖ = λ1(L)
SVP
0
b1
b2
v
Minimum
λ1(L) = minv∈L\0 ‖v‖
Determinant
det(L) = |det(bi)i|
Minkowski bound
λ1(L) ≤√n(det(L)) 1n
The Shortest Vector Problem (SVP) asks to find vshortest ∈ L:
‖vshortest‖ = λ1(L)
Asymptotics for SVP Algorithms
• Enumeration
Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)
Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)
• Sieving
(Heuristic)
Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n
Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n
Asymptotics for SVP Algorithms
• Enumeration
Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)
Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)
• Sieving
(Heuristic)
Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n
Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n
Asymptotics for SVP Algorithms
• Enumeration
Classical: Time = 2((1/2e)+o(1))n log n Mem. = poly(n)
Quantum: Time = 2((1/4e)+o(1))n log n Mem. = poly(n)
• Sieving (Heuristic)
Classical: Time = 2(0.292+o(1))n Mem. = 2(0.2075+o(1))n
Quantum: Time = 2(0.265+o(1))n Mem. = 2(0.265+o(1))n
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Basic 2-Sieve (Nguyen-Vidick sieve)
Main idea: Sample many Gaussian lattice vectors so that theirsums give short(er) vectors
L L=
L′x1 ± x2
||x1 ± x2||is small
L′=
...poly(n)
0
Main Routine in Sieving: 2-List problem on the unit sphere
Given 2-lists L1, L2 ⊂ Sn−1 of iid. elements
L1 L2 ⊂
find all (x1, x2) ∈ L1 × L2 :||x1 ± x2|| ≤ 1
0
Q1: How large is L?Q2: How fast can we find all (x1, x2)?
Main Routine in Sieving: 2-List problem on the unit sphere
Given 2-lists L1, L2 ⊂ Sn−1 of iid. elements
L1 L2 ⊂
find all (x1, x2) ∈ L1 × L2 :||x1 ± x2|| ≤ 1
0
Q1: How large is L?Q2: How fast can we find all (x1, x2)?
Distribution of Gram matrices
Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :
Ci.j = 〈xi , xj〉
• C determines the 2-norm of the sum:
||∑
xi||2 = k + 2∑i<j
〈xi , xj〉
• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function
µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k
A proof is in [HK’17] and relies on the Wishart distribution
Distribution of Gram matrices
Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :
Ci.j = 〈xi , xj〉
• C determines the 2-norm of the sum:
||∑
xi||2 = k + 2∑i<j
〈xi , xj〉
• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function
µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k
A proof is in [HK’17] and relies on the Wishart distribution
Distribution of Gram matrices
Let C ∈ Rk×k be the Gram matrix of x1, . . . , xk ∈ Sn−1 :
Ci.j = 〈xi , xj〉
• C determines the 2-norm of the sum:
||∑
xi||2 = k + 2∑i<j
〈xi , xj〉
• The Gram matrix C(x1, . . . , xk) follows a distribution withdensity function
µC = O(det(C)12(n−k))dC1,2 . . . dCk−1,k
A proof is in [HK’17] and relies on the Wishart distribution
Q1: How large is L?
µC ≈ det(C)n2 = det
(1 〈x1 , x2〉
〈x1 , x2〉 1
)n2
det
(1 1/21/2 1
)= 3
4=⇒ |L| =
(43
)n/2+o(n)= 2(0.2075+o(1))n
0
1
x1
1 x2
1
π/3
Q2: How fast can we find all (x1, x2)?
Brute force complexity: |L|2 = 2(0.415+o(1))n
To achieve T = 20.292+o(1) use Near Neighbor search(aka Locality-Sensitive techniques)
Locality-sensitive filtering [MO15, BGJ15, BDGL16]
u1
u2
u3
u4
u5
u6
u7
u8
u9
α
choose ui ∈ Sn−1
Locality-sensitive filtering [MO15, BGJ15, BDGL16]
u1
u2
u3
u4
u5
u6
u7
u8
u9
x1
x2
x3
x4
x5x6
x7
x8
x9
x10
x11
α
choose ui ∈ Sn−1
∀xi ∈ L, find all uj :
〈xi , uj〉 < α
Locality-sensitive filtering [MO15, BGJ15, BDGL16]
u1
u2
u3
u4
u5
u6
u7
u8
u9
x1
x2
x3
x4
x5x6
x7
x8
x9
x10
x11
q
β
choose ui ∈ Sn−1
∀xi ∈ L, find all uj :
〈xi , uj〉 < α
∀qi ∈ L, find all uj :
〈qi , uj〉 < β
Analysis I
1. How to find relevant centers fast?
[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis I
1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis I
1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis I
1. How to find relevant centers fast?[MO15, BDGL16]: choose u from a product code.
u ∈ C1 × C2 × . . .× Ct =: U,
Ci - spherical codes of length o(n).
To obtain all close centers to x = [x1|x2| . . . |xt], decodexi wrt. Ci.
2. For each x ∈ L : finding all relevant ui ∈ U :
TUpdate = |U | · Prui∈Sn−1
[〈ui , x〉 < α] = |U | · (1− α2)n/2.
3. For each x ∈ L : query all relevant ui ∈ U :
TQuery = |U | · Prui∈Sn−1
[〈ui , x〉 < β] = |U | · (1− β2)n/2.
Analysis IIHow large is U?
u1
u2
u3
u4
u5
u6
u7
u8
u9
x3
x4
Analysis II
How large is U?
|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2
1. 〈u , x3〉 = α
2. 〈u , x4〉 = β
P = Pru∈Sn−1
[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]
=
(det
(1 α βα 1 cβ c 1
))n/2(det( 1 cc 1 ))
n/2.
For α = β = c = 1/2, P−1 =(32
)n/2= 20.292n
Analysis II
How large is U?
|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2
1. 〈u , x3〉 = α
2. 〈u , x4〉 = β
P = Pru∈Sn−1
[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]
=
(det
(1 α βα 1 cβ c 1
))n/2(det( 1 cc 1 ))
n/2.
For α = β = c = 1/2, P−1 =(32
)n/2= 20.292n
Analysis II
How large is U?
|U | is determined by P = 1/|U | that conditioned on〈x3 , x4〉 = 1/2
1. 〈u , x3〉 = α
2. 〈u , x4〉 = β
P = Pru∈Sn−1
[〈u , x3〉 = α, 〈u , x4〉 = β | 〈x3 , x4〉 = 1/2]
=
(det
(1 α βα 1 cβ c 1
))n/2(det( 1 cc 1 ))
n/2.
For α = β = c = 1/2, P−1 =(32
)n/2= 20.292n
Quantum LSF [Laa’15]
Main idea: apply Grover search inside each bucket
Classical:
1. TUpdate = |U | · (1− α2)n/2
2. TQuery = |U | · (1− β2)n/2
3. Set α : |L| · (1− α2)n/2 = 1
Quantum:
1. TUpdate = |U | · (1−α2)n/2
2. TQQuery = |U |·(1−β
2)n/2+Grover Search inside eachrelevant center
TQQuery =|U | · (1− β
2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2
TQQuery = TQ
Update for α =√34 and |U | = (139 )
n/2 = 20.265·n
Quantum LSF [Laa’15]
Main idea: apply Grover search inside each bucket
Classical:
1. TUpdate = |U | · (1− α2)n/2
2. TQuery = |U | · (1− β2)n/2
3. Set α : |L| · (1− α2)n/2 = 1
Quantum:
1. TUpdate = |U | · (1−α2)n/2
2. TQQuery = |U |·(1−β
2)n/2+Grover Search inside eachrelevant center
TQQuery =|U | · (1− β
2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2
TQQuery = TQ
Update for α =√34 and |U | = (139 )
n/2 = 20.265·n
Quantum LSF [Laa’15]
Main idea: apply Grover search inside each bucket
Classical:
1. TUpdate = |U | · (1− α2)n/2
2. TQuery = |U | · (1− β2)n/2
3. Set α : |L| · (1− α2)n/2 = 1
Quantum:
1. TUpdate = |U | · (1−α2)n/2
2. TQQuery = |U |·(1−β
2)n/2+Grover Search inside eachrelevant center
TQQuery =|U | · (1− β
2)n/2+√| # relevant centers | · |Bucket size| · |# solutions| =|U | · (1− β2)n/2+√|U | · (1− β2)n/2 · |L| · (1− α2)n/2 · |L| · (1− c2)n/2
TQQuery = TQ
Update for α =√34 and |U | = (139 )
n/2 = 20.265·n
Other Ways to Attack SVP/LWE/SIS?
1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size
TEnum = 2((1/2e)+o(1))n logn
Quantum: back-tracking technique [ANS18]
TQEnum = 2((1/4e)+o(1))n logn
2. Low-mem. Sparse/binary secret LWE: Grover search:
TGrover = 212|Search space|
3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.
Thank you!
Other Ways to Attack SVP/LWE/SIS?
1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size
TEnum = 2((1/2e)+o(1))n logn
Quantum: back-tracking technique [ANS18]
TQEnum = 2((1/4e)+o(1))n logn
2. Low-mem. Sparse/binary secret LWE: Grover search:
TGrover = 212|Search space|
3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.
Thank you!
Other Ways to Attack SVP/LWE/SIS?
1. Low-memory SVP: EnumerationClassical : depth-first traversal of a tree of size
TEnum = 2((1/2e)+o(1))n logn
Quantum: back-tracking technique [ANS18]
TQEnum = 2((1/4e)+o(1))n logn
2. Low-mem. Sparse/binary secret LWE: Grover search:
TGrover = 212|Search space|
3. Sparse/binary secret LWE: BKW: quantum speed-up fordistinguishing phase.
Thank you!
References I
• [ANS18] Y. Aono, P. Q. Nguyen, Y. Shen. Quantum LatticeEnumeration and Tweaking Discrete Pruning
• [BDGL16] A. Becker, L. Ducas, N. Gama, T. Laarhoven. New directionsin nearest neighbor searching with applications to lattice sieving.
• [Laa15] T. Laarhoven. Search problems in cryptography. PhD thesis
• [MO15] A. May, I.Ozerov. On Computing Nearest Neighbors withApplications to Decoding of Binary Linear Codes