1 New Lattice Based Cryptographic Constructions Oded Regev

1

New Lattice Based New Lattice Based Cryptographic ConstructionsCryptographic Constructions

Oded RegevOded Regev

2

• Basis: v1,…,vn vectors in Rn

• The lattice is a1v1+…+anvn for all integer a1,…,an.

• What is the shortest vector u ?

LatticesLattices

v1 v2

0

2v1v1+v2 2v2

2v2-v1

2v2-2v1

3

Lattices – not so easyLattices – not so easy

0

v1

v2

3v1-4v2

4

• Promise: the shortest vector u is shorter by a factor of f(n)

• Algorithm for 2n-unique SVP [LLL82,Schnorr87]

• Believed to be hard for any nc

f(n)-unique-SVP (shortest f(n)-unique-SVP (shortest vector problem)vector problem)

1 f(n)

1 2n

believed hard easy

nc

5

• Geometric objects with rich structure• Early work by Gauss 1801, Hermite 1850,

Minkowski 1896• More recent developments:

– LLL Algorithm - approximates the shortest vector in a lattice [LenstraLenstraLovàsz82]•Factoring rational polynomials•Solving integer programs in a fixed

dimension•Breaking knapsack cryptosystems

– Ajtai’s average case connection [Ajtai96] •Lattice based cryptosystems

HistoryHistory

6

• From which distribution is the following sequence taken?

478, 21, 431, 897, 150, 701, 929, 232

QuestionQuestion

1

1 1000

1000

Uniform?

Or wavy?

Pro

bPro

b

7

The d,γ-wavy DistributionThe d,γ-wavy Distribution

0 R-1

Pro

b

=γ

• Periodization of the normal distribution• R=2^(2n2)• Number of periods is d (usually integer)• Ratio of period to standard dev. is γ• distd : {0,…,R-1} [0,½] is the normalized

distance from the nearest peak

d=7

8

• For all γ=γ(n), a reduction from γn1/2-unique Shortest Vector Problem

to distinguishing between the uniform distribution and the d,γ-wavy

distributions with an integer d<2^(n2)

Main TheoremMain Theorem

9


to distinguishing between the uniform

distribution and the d,γ-wavydistributions for a non-negligible fraction of values d in

[2^(n2),2•2^(n^2)]

Average-case TheoremAverage-case Theorem

10

1. Public key encryption scheme2. Collision resistant hash function3. A problem in quantum computation

Applications of Main Applications of Main TheoremTheorem

11

CryptographyCryptography• ‘Standard’ cryptography:

•Usually based on factoring, discrete log, principal ideal problem

•Average case assumption•Mostly broken by quantum computers

• Lattice based cryptography [Ajtai96,…]:•Based on lattice problems•Worst case assumption•Still not broken by quantum computers

12

Application 1Application 1Public Key Encryption (PKE)Public Key Encryption (PKE)

• Consists of private key, public key, encryption and decryption

• The Ajtai-Dwork cryptosystem [AjtaiDwork96,GoldreichGoldwasserHalevi97]

•Previously, the only lattice based PKE with worst case assumption

•Based on n7-unique Shortest Vector Problem

13

Application 1Application 1Public Key Encryption (PKE)Public Key Encryption (PKE)

• We construct a new lattice based PKE from the average-case theorem:•Very simple description•Improves Ajtai-Dwork to n1.5-unique

Shortest Vector Problem•Uses integer numbers, very efficient

14

Application 2Application 2Collision Resistant Hash Collision Resistant Hash

FunctionFunction• A function f:{0,1}r{0,1}s with r>s such

that it is hard to find collisions, i.e.,xy s.t. f(x)=f(y)

• Many previous constructions [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, Cai99, Micciancio02, Micciancio02]

• Our construction is•The first which is not based on Ajtai’s

iterative step•Somewhat stronger (based on n1.5-

uSVP)

15

Application 3 Application 3 Quantum ComputationQuantum Computation

• Quantum computers can break cryptography based on factoring [Shor96]

• Based on the HSP on Abelian groups

• What about lattice based cryptography?

16

• Lattice based cryptography can be broken using the HSP on Dihedral groups [R’02]

• Our main theorem explains the failure of previous attempts to solve the HSP on Dihedral groups [EttingerHoyer’00]

Application 3 Application 3 Quantum ComputationQuantum Computation

17


to distinguishing between the uniform distribution and the d,γ-wavy

distributions with an integer d<2^(n2)


18

Proof of theProof of the


19

Proof OutlineProof Outline

n1.5-Unique-SVP

n-dim distributions

Main theorem

decision problem

promise problem

20

Reduction to:Reduction to:Decision ProblemDecision Problem

• Given a n1.5-unique lattice, and a prime p>n1.5

• Assume the shortest vector is:u = a1v1+a2v2+…+anvn

• Decide whether a1 is divisible by p

21

The ReductionThe Reduction• Idea: decrease the coefficients of the

shortest vector

• If we find out that p|a1 then we can replace the basis with pv1,v2,…,vn .

• u is still in the new lattice:u = (a1/p)•pv1 + a2v2 + … + anvn

• The same can be done whenever p|ai for some i

22

The ReductionThe Reduction• But what if p ai for all i ?

• Consider the basis v1,v2-v1,v3,…,vn

• The shortest vector isu = (a1+a2)v1 + a2(v2-v1) + a3v3 + … + anvn

• The first coefficient is a1+a2

• Similarly, we can set it to a1-bp/2ca2 ,…, a1-a2 , a1 , a1+a2 , … , a1+bp/2ca2

• One of them is divisible by p, so we choose it and continue

|

23


n1.5-Unique-SVP

n-dim distributions

Main theorem

decision problem

promise problem

24

Reduction from:Reduction from:Decision ProblemDecision Problem

• Given a n1.5-unique lattice, and a prime p>n1.5

• Assume the shortest vector is:u = a1v1+a2v2+…+anvn

• Decide whether a1 is divisible by p

25

Reduction to:Reduction to:Promise ProblemPromise Problem

• Given a lattice, distinguish between:Case 1. Shortest vector is of length 1/n and all

non-parallel vectors are of length more than n

Case 2. Shortest vector is of length more than n

26

The reductionThe reduction

• Input: a basis (v1,…,vn) of a n1.5 unique lattice

• Scale the lattice so that the shortest vector is of length 1/n

• Replace v1 by pv1. Let M be the resulting lattice

• If p | a1 then M has shortest vector 1/n and all non-parallel vectors more than n

• If p a1 then M has shortest vector more than n

|

27

The input lattice LThe input lattice L

0

n

1/nL

u2u

-u

28

The lattice MThe lattice M

0n

1/n

• The lattice M is spanned by pv1,v2,…,vn:

• If p|a1, then u = (a1/p)•pv1 + a2v2 +…+ anvn 2M :

M

u

29

The lattice MThe lattice M

0n

• The lattice M is spanned by pv1,v2,…,vn:

• If p a1, then u M:

M

| 2

pu

-pu

30


n1.5-Unique-SVP

n-dim distributions

Main theorem

decision problem

promise problem

31

Reduction from:Reduction from:Promise ProblemPromise Problem

• Given a lattice, distinguish between:Case 1. Shortest vector is of length 1/n and all

non-parallel vectors are of length more than n

Case 2. Shortest vector is of length more than n

32

n-dimensional n-dimensional distributionsdistributions

?

Wavy Uniform

• Distinguish between the distributions:

33

• Given a lattice L, the dual lattice is L* = { x | 8y2L, <x,y>2Z }

Dual LatticeDual Lattice

0

1/5

L L*

0

5

34

LL** - the dual of L - the dual of L

0

L

0

n1/n

n

L*

0

n

Case 1

Case 2

35

• Choose a point randomly from L*

• Perturb it by a Gaussian of radius n

ReductionReduction

36

Creating the DistributionCreating the DistributionL*

0

n

L*+ perturb

Case 1

Case 2

37

• Theorem: (using [Banaszczyk’93])The distribution obtained above depends only on the points in L of distance n from the origin(up to an exponentially small error)

• Therefore, Case 1: Determined by multiples of u

wavy on hyperplanes orthogonal to u

Case 2: Determined by the origin uniform

Analyzing the DistributionAnalyzing the Distribution

38

• For a set A in Rn, define:

• Poisson Summation Formula implies:

• Banaszczyk’s theorem:For any lattice L,

Proof of TheoremProof of Theorem

Ax

xeA2

)(

Lx

yxin xeLdLyy })({)()(, ,2*

)(2)( )(n

nn BnLBnL

39

• In Case 2, the distribution obtained is very close to uniform:

• Because:

Proof of Theorem (cont.)Proof of Theorem (cont.)

Lx

yxin xeLdLyy })({)()(, ,2*

)(})({1)(}0{

,2 LdxeLdLx

yxi

}0{}0{

,2 })({})({LxLx

yxi xxe

)(})0{( nBnLL )()( 2)(2 n

nn BnL

40


n1.5-Unique-SVP

n-dim distributions

Main theorem

decision problem

promise problem

41

n-dimensional n-dimensional distributionsdistributions

?

Wavy Uniform

• Distinguish between the distributions• Given by an oracle that returns points

inside a cube of side length 2n

42

• Distinguish between the distributions:


0

0 R-1

R-1

Uniform:

Wavy:

43

Reducing to 1-dimensionReducing to 1-dimension• First attempt: sample and project to a line

44

Reducing to 1-dimensionReducing to 1-dimension• But then we lose the wavy structure!• We should project only from points very

close to the line

45

The solutionThe solution

• Use the periodicity of the distribution• Project on a ‘dense line’ :

46


47


• We choose the line that connects the origin to e1+Ke2+K2e3…+Kn-1en

where K is large enough

• The distance between hyperplanes is n• The sides are of length 2n

• Therefore, we choose K=2O(n) • Hence, d<O(Kn)=2^(O(n2))

48

DoneDone

n1.5-Unique-SVP

n-dim distributions

Main theorem

decision problem

promise problem

49

From Worst-Case to From Worst-Case to Average-CaseAverage-Case

50

• Main theorem presents a problem that is hard in the worst-case: distinguish between uniform and d,γ-wavy distributions for all integers d<2^(n2)

• For cryptographic applications, we would like to have a problem that is hard on the average: distinguish between uniform and d,γ-wavy distributions for a non-negligible fraction of d in [2^(n2), 2•2^(n2)]

Worst-case vs. Average-Worst-case vs. Average-casecase

51

• The following procedure transforms d,γ-wavy into 2d,γ-wavy for all integer d:– Sample a from the distribution– Return either a/2 or (a+R)/2 with probability ½

• In general, for any real 1,we can compress d,γ-wavy into d,γ-wavy

• Notice that compressing preserves the uniform distribution

• We show a reduction from worst-case to average-case

CompressingCompressing

52

• Assume there exists a distinguisher between uniform and d,γ-wavy distribution for some non-negligible fraction of d in [2^(n2), 2•2^(n2)]

• Given either a uniform or a d,γ-wavy distribution for some integer d<2^(n2) repeat the following:– Choose in {1,…,2¢2^(n2)} according to a certain

distribution– Compress the distribution by – Check the distinguisher’s acceptance probability

• If for some the acceptance probability differs from that of uniform sequences, return ‘wavy’; otherwise, return ‘uniform’

ReductionReduction

53

…1

d

2^(n2)…

2¢2^(n2)

• Distribution is uniform:– After compression it is still uniform– Hence, the distinguisher’s acceptance

probability equals that of uniform sequences for all

• Distribution is d,γ-wavy:– After compression it is in the good range with

some probability– Hence, for some , the distinguisher’s

acceptance probability differs from that of uniform sequences

ReductionReduction

54

Application 1Application 1

Public Key Encryption Public Key Encryption SchemeScheme

55

• Let m=2log2R=4n2

• Private key:– A real number y chosen uniformly in

[2^(n2),2¢2^(n2)] such that y is close to an integer (1/100m)

• Public key: – Choose integers A={a1,…,am} from the y,γ-

wavy distribution with γ=n1+ε

• Lemma: Public keys are indistinguishable from uniform sequences (based on n1.5+ε

unique-SVP)

PKE – Description PKE – Description

56

• Private key: y

• Public key: A={a1,…,am}

• Encryption:– Bit 0: a number chosen uniformly in {0,…,R-

1}– Bit 1: the sum of a random subset of A mod R

• Decryption of w:– If disty(w)<1/50 then 1 otherwise 0

PKE – Description (cont.)PKE – Description (cont.)

57

• Encryption of the bit 0:– With probability 96%, disty(Sai)>1/50

– These errors can be avoided

• Encryption of the bit 1:– For a subset S, with high probability,

disty(Sai)<1/100

– Using Sai < m¢R,

disty(Sai mod R)<1/50

PKE – CorrectnessPKE – Correctness

58

• Lemma: If {a1,…,am} is a uniform sequence then both encryptions of 0 and of 1 are uniform

• Hence, distinguishing between encryptions of 0 and 1 implies distinguishing between public keys and uniform sequences!

PKE - SecurityPKE - Security

public key {a1,…,am}

uniform {a1,…,am}

Enc(0)~Enc(1)

Enc(0) ? Enc(1)

59

• Lemma: Public keys are indistinguishable from uniform sequences (based on n1.5+ε

unique-SVP)• Proof: Follows from the average-case

theorem (since we choose y from a set of size 1/(50m) of all [2^(n2),2¢2^(n2)])

PKE – SecurityPKE – Security

60


Collision Resistant Hash Collision Resistant Hash FunctionFunction

61


• Choose a1,…,am uniformly in {0,…,R-1} where m=2log2R=4n2. Then:

b1,…,bm{0,1}, f(b1,…,bm)=Σbiai mod R

• We will see a simpler proof based on n2.5+ε-uSVP

62


• Assume there exists a collision finding algorithm C

• I.e., with non-negligible probability, given a1,…,am chosen uniformly, C finds c1,…,cm{-1, 0,1} (not all zero) such that

Σaici = 0 (mod R)

63


• We show how to distinguish between the uniform and the d,γ-wavy with γ=n2+ε using C

• Choose z uniformly from {0,…,R-1}

• With probability 0.9, distd(z) > 1/20

• Repeat the following enough times:

• Choose a1,…,am from the unknown distribution

• Call C with a1,…,ak-1,(ak+z mod R),ak+1,…,am where k is chosen uniformly from {1,…,m}

• If ck is always zero or C keeps failing, say ‘wavy’ otherwise ‘uniform’

64

CorrectnessCorrectness• Distribution is uniform:

• a1,…,ak-1,(ak+z mod R),ak+1,…,am has the same distribution as a uniform sequence

• Therefore, C answers with non-negligible probability and ck0 with probability at least 1/m

• Distribution is d,γ-wavy:

• W.h.p., i{1,…,m}, distd(ai) < 1/(100n2)

• For all c1,…,cm{-1,0,1}, distd(Σciai) < 1/25 (since m=4n2)

• Therefore, if z has distd(z) > 1/20 then it can never be included in the sum, i.e., ck=0

65


Quantum Computation –Quantum Computation –The Dihedral HSPThe Dihedral HSP

66

Hidden Subgroup ProblemHidden Subgroup Problem

• Given a function that is constant and distinct on cosets of HG, find H

• Solved for Abelian groups• Also for certain non-Abelian groups

[RöttelerBeth’98,HallgrenRussellTashma’00,GrigniSchulmanVaziraniVazirani’01…]

• Still open for many groups. In particular:– Symmetric group

– Dihedral group (ZNZ2)

67

Solving Dihedral HSPSolving Dihedral HSP

• Two approaches:

• Ettinger and Høyer ’00– Reduction to “Period finding from

samples”• R ’02, Kuperberg ‘03

– Reduction to average case subset sum

68

Solving Dihedral HSPSolving Dihedral HSP

• Idea of Ettinger and Høyer:– Reduce to “Hidden Translation on ZN”:

Given an oracle that outputs states of the form |xi+|x+di where x is arbitrary and d is fixed, find d

– Take the Fourier transform

– Measure

jeeN

j

NjdiNjxi |)1(1

0

)/(2)/(2

69

Period Finding from Period Finding from SamplesSamples

• Find the period of the following (cos2) distribution by sampling:

• [EH] showed that there is enough information in a polynomial number of samples

• Open question in [EH]: is there an efficient solution to this problem?

0 R-1

70

• Lemma: A distinguisher between cos2 and the uniform distribution implies a distinguisher between the wavy and uniform distribution

ReductionReduction

71

Guess the period and add noiseGuess the period and add noise

72

• Corollary: finding the period of the cos2 distribution is hard

• Proof: Since all cos2 distributions look like uniform, they all look the same

ReductionReduction

73

• Main theorem• Average case form• Applications

– Strong public key encryption scheme– Collision resistant hash function– Solution to an open question in quantum

computation

• Other applications?

ConclusionConclusion

Documents

1 New Lattice Based Cryptographic Constructions Oded Regev