Fundamentals of Lattice-Based Cryptography
Chris Peikert, University of Michigan
2nd Crypto Innovation School, Shanghai, China
13 December 2019
1 / 23
Talk Outline
1 Lattices and hard problems
2 The SIS and LWE problems; basic applications
3 Using rings for efficiency
2 / 23
Today's Cryptography (e.g., RSA, Diffie-Hellman)
▶ Conjectured-hard problems: factor N = P · Q, compute discrete logs
▶ Shor's quantum algorithm: given N, outputs P and Q; given g and y = g^X ∈ G, outputs X. For example:
N = 2130575014097282277967336009072353225107588642216203258021765580265873752012640722059995071405557278967027854563351343547
P = 1606221687090904406512585584569433331615827658775597032991663
Q = 1326451405320056545967263583507984286802756201383768089567669
3 / 23
Lattice-Based Cryptography
[Figure (images courtesy xkcd.org): number-theoretic primitives N = p · q, y = g^x mod p, m^e mod N, e(g^a, g^b) =⇒ lattices]
Advantages
▶ Appears resistant to quantum attacks
▶ Simple description and implementation
▶ Efficient: linear, highly parallelizable
▶ Security from worst-case assumptions [Ajtai96, . . . ]
4 / 23
Part 1: Lattices and Hard Problems
5 / 23
Lattices
▶ An (integer) lattice is a subgroup L ⊆ Z^m. (Looks like a periodic "grid.")
▶ Has a basis B = {b_1, . . . , b_k} of linearly independent vectors:
L = Σ_{i=1}^{k} (Z · b_i)
Today, k = m always: "full rank."
(Other representations as well. . . )
[Figure: a 2-dimensional lattice with origin O, basis vectors b_1, b_2, and a shortest nonzero vector v of length λ_1.]
Conjectured Hard Problems
▶ Find 'relatively short' (nonzero) lattice vector(s): SVP_γ, SIVP_γ
▶ Estimate geometric quantities of the lattice: minimum distance λ_1, successive minima λ_i, covering radius µ, . . .
6 / 23
Complexity (for the Worst Case)
GapSVP_γ
▶ Given (a basis of) an m-dim lattice L and some d > 0, distinguish
λ_1(L) ≤ d FROM λ_1(L) > γ(m) · d
▶ Becomes easier for larger γ(m):
  γ = 2^{(log m)^{1−ε}}: NP-hard* [Ajt98, . . . ]
  γ = √m: ∈ coNP [GG98, AR05]
  γ ≳ m: crypto [Ajt96, . . . ]
  γ = 2^{~m}: ∈ P [LLL82, Sch87]
▶ For γ = poly(m), fastest algorithm: 2^m time & space [AKS01, MV10, . . . ]
▶ Similar status for other problems like SIVP_γ, . . .
7 / 23
Part 2: SIS/LWE and Basic Applications
8 / 23
A Hard Problem: Short Integer Solution [Ajtai'96]
▶ Fix a dimension n and modulus q (e.g., q ≈ n^2).
Let Z_q^n = n-dimensional integer vectors modulo q.
▶ SIS: given many uniform a_i ∈ Z_q^n, find 'short' nonzero z = (z_1, . . . , z_m) (e.g., nontrivial z_i ∈ {0, ±1}) s.t.
z_1 · a_1 + z_2 · a_2 + · · · + z_m · a_m = 0 ∈ Z_q^n,
i.e., A z = 0 ∈ Z_q^n, where A = (a_1 | · · · | a_m) has m columns.
Collision-Resistant Hash Function
▶ Define f_A : {0, 1}^m → Z_q^n for any m > n lg q as f_A(x) = A x.
▶ Collision x, x′ ∈ {0, 1}^m where A x = A x′ . . .
. . . yields a short (nonzero) solution z = x − x′ ∈ {0, ±1}^m.
9 / 23
Cool! (but what does this have to do with lattices?)
▶ Matrix A = (a_1, . . . , a_m) ∈ Z_q^{n×m}:
L^⊥(A) = {z ∈ Z^m : A z = 0}
▶ 'Short' solutions z lie in the lattice L^⊥(A).
[Figure: the lattice L^⊥(A) in 2 dimensions, with origin O and the lattice points (q, 0) and (0, q).]
Worst-Case/Average-Case Connection [Ajtai96, . . . ]
Finding 'short' (‖z‖ ≤ β ≪ q) nonzero z ∈ L^⊥(A) (for uniformly random A ∈ Z_q^{n×m})
⇓
solving GapSVP_{β√n} and SIVP_{β√n} on any n-dim lattice
10 / 23
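Added example (not from the slides): a toy version of the SIS hash f_A and the collision-to-short-vector argument of slides 9 and 10, with constructed parameters (n = 2, q = 7, m = 8) small enough that a collision can be found by exhaustive search; the resulting z = x − x′ is checked to lie in L^⊥(A). Function names are the example's own.

```python
import itertools
import random


def f_A(A, x, q):
    """f_A(x) = A x mod q; A is n x m (list of rows), x has m entries."""
    return tuple(sum(a * xi for a, xi in zip(row, x)) % q for row in A)


def in_perp_lattice(A, z, q):
    """Membership in L^perp(A) = {z in Z^m : A z = 0 mod q}."""
    return all(c == 0 for c in f_A(A, z, q))


def find_collision(A, q, m):
    """Exhaustive search for x != x' in {0,1}^m with f_A(x) = f_A(x').
    A collision must exist because 2^m > q^n (m > n lg q); finding one is
    feasible only at these toy sizes, which is exactly the point: at real
    sizes this search is the SIS problem."""
    seen = {}
    for x in itertools.product((0, 1), repeat=m):
        h = f_A(A, x, q)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None


def collision_to_sis(A, q, m):
    """Turn a collision into a short nonzero SIS solution z = x - x'."""
    x, x2 = find_collision(A, q, m)
    z = tuple(a - b for a, b in zip(x, x2))        # entries in {0, +1, -1}
    assert any(z) and in_perp_lattice(A, z, q)
    return z


def demo(seed=1, n=2, q=7, m=8):
    """Constructed instance: n = 2, q = 7, m = 8 > n lg q ~ 5.6."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(m)] for _ in range(n)]   # uniform A
    return A, collision_to_sis(A, q, m)
```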
Application: Digital Signatures [GentryPeikertVaikuntanathan'08]
▶ Generate uniform vk = A with 'trapdoor' sk = T. [Ajtai'99, . . . , MP'12]
▶ Sign(T, µ): use T to sample a short x ∈ Z^m s.t. A x = H(µ) ∈ Z_q^n.
Draw x from a (Gaussian) distribution, which reveals nothing about T.
▶ Verify(A, µ, x): check that A x = H(µ) and x is sufficiently short.
▶ Security: forging a signature for a new message µ* requires finding a short x* s.t. A x* = H(µ*). This is SIS!
11 / 23
Gaussian Sampling over a (Shifted) Lattice
▶ Sample x s.t. A x = u given any 'short' basis T: max ‖t_i‖ ≤ std dev
  ★ Output distribution leaks no information about secret basis T!
▶ "Nearest-plane" algorithm with randomized rounding [Klein'00, GPV'08]
[Figure: the coset L^⊥_u(A) drawn as parallel planes relative to the basis vectors t_1, t_2 and the origin O; the sampled point x.]
▶ Proof idea: D_{L^⊥_u}(plane) depends (essentially) only on dist(O, plane); not affected by shift within plane. So rounding with that probability produces that distribution.
12 / 23
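Added example (not the lecturer's code) of the randomized-rounding nearest-plane sampler behind the signing step of slide 11 and this slide, run on a constructed toy lattice L^⊥(A) for A = (1 4 6) mod 17 with a hand-chosen short basis T; the function names and the parameters s and tau are the example's own.

```python
import math
import random


def gram_schmidt(T):
    """Gram-Schmidt vectors t~_1..t~_k of the basis rows T (as floats)."""
    Ts = []
    for t in T:
        v = [float(c) for c in t]
        for u in Ts:
            mu = sum(a * b for a, b in zip(t, u)) / sum(b * b for b in u)
            v = [a - mu * b for a, b in zip(v, u)]
        Ts.append(v)
    return Ts


def sample_z(center, sigma, rng, tau=6):
    """Discrete Gaussian over Z with parameter sigma centred at `center`
    (density proportional to exp(-pi (z - center)^2 / sigma^2)), by rejection
    sampling on the window |z - center| <= tau * sigma."""
    lo, hi = math.floor(center - tau * sigma), math.ceil(center + tau * sigma)
    while True:
        z = rng.randint(lo, hi)
        if rng.random() < math.exp(-math.pi * (z - center) ** 2 / sigma ** 2):
            return z


def klein_sample(T, target, s, rng):
    """Nearest-plane with randomized rounding [Klein'00, GPV'08].
    Walks the basis from t_k down to t_1; at step i the real coefficient c_i
    of the current target along t~_i is not rounded (as Babai would) but
    replaced by an integer z_i drawn from a discrete Gaussian centred at c_i
    with parameter s / ||t~_i||, so the chosen plane depends only on its
    distance from the target.  Returns v = sum z_i t_i in L(T), distributed
    close to D_{L, s, target} when s >= max ||t~_i|| * omega(sqrt(log k))."""
    Ts = gram_schmidt(T)
    k = len(T)
    t = [float(c) for c in target]
    z = [0] * k
    for i in reversed(range(k)):
        norm2 = sum(b * b for b in Ts[i])
        c = sum(a * b for a, b in zip(t, Ts[i])) / norm2
        z[i] = sample_z(c, s / math.sqrt(norm2), rng)
        t = [a - z[i] * b for a, b in zip(t, T[i])]   # move into the chosen plane
    return [sum(z[i] * T[i][j] for i in range(k)) for j in range(len(target))]


def coset_sample(T, t0, s, rng):
    """Sample from the coset t0 + L(T): with L = L^perp(A) and A t0 = u this
    is the GPV preimage x with A x = u.  x = t0 - v for v ~ D_{L, s, t0}, so x
    is a discrete Gaussian on the coset, independent of which basis T was used."""
    v = klein_sample(T, t0, s, rng)
    return [a - b for a, b in zip(t0, v)]


# Constructed toy instance: n = 1, m = 3, q = 17, A = (1 4 6).  The rows of T
# are a (short) basis of L^perp(A) = {z in Z^3 : z1 + 4 z2 + 6 z3 = 0 mod 17}
# (their determinant is 17, the index of L^perp(A) in Z^3).
Q = 17
A_ROW = (1, 4, 6)
T = [(2, 1, -1), (-4, 1, 0), (1, 4, 0)]


def syndrome(x):
    """A x mod q for the toy A."""
    return sum(a * xi for a, xi in zip(A_ROW, x)) % Q


def demo(seed=7, u=3, s=4.0):
    """Preimage sampling: a short x with A x = u, drawn via the secret basis T."""
    t0 = (u, 0, 0)                     # any solution of A t0 = u
    assert syndrome(t0) == u
    return coset_sample(T, t0, s, random.Random(seed))
```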
Another Hard Problem: Learning With Errors [Regev'05]
▶ Parameters: dimension n, modulus q = poly(n), error distribution χ
▶ Search: find secret s ∈ Z_q^n given many 'noisy inner products'
a_1 ← Z_q^n, b_1 = ⟨s, a_1⟩ + e_1 ∈ Z_q
a_2 ← Z_q^n, b_2 = ⟨s, a_2⟩ + e_2 ∈ Z_q
...
(error std dev: √n ≤ std dev ≪ q; 'rate' α)
In matrix form: (A, b^t ≈ s^t A).
▶ Decision: distinguish (A, b) from uniform (A, b)
LWE is Hard
(n/α)-approx worst-case GapSVP, SIVP ≤ search-LWE ≤ decision-LWE ≤ crypto
(first reduction: quantum [R'05]; second: [BFKL'93, R'05, . . . ])
▶ Also fully classical reductions, for worse params [Peikert'09, BLPRS'13]
▶ Also a direct worst-case ≤ decision-LWE (quantum) reduction [PRS'17]
13 / 23
LWE is Versatile
What kinds of crypto can we construct from LWE?
✓ Key Exchange/Public Key Encryption
✓ Oblivious Transfer
✓ Actively Secure Encryption (w/o random oracles)
✓ (Constrained) PRFs
✓✓ Identity-Based Encryption (w/ RO)
✓✓ Hierarchical ID-Based Encryption (w/o RO)
✓✓ NIZK for NP (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based/Predicate Encryption for arbitrary policies
and much, much more. . .
14 / 23
Public-Key Cryptosystem from LWE [Regev'05, GPV'08]
Key generation: A ← Z_q^{n×m}, short x ∈ Z^m; public key u = A x (uniform when m > n log q), secret key x.
Encryption of a bit: s ← Z_q^n,
b^t = s^t A + e^t   (ciphertext 'preamble'),
b′ = s^t u + e′ + bit · q/2   ('payload').
Decryption: b′ − b^t x ≈ bit · q/2.
Security: (A, u), (b, b′) are pseudorandom by LWE.
15 / 23
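The bit-encryption scheme on this slide written out as an added example (not the lecturer's code), using the LWE samples of slide 13; the toy parameters n = 8, q = 4093, m = 100 and the ±1 error distribution are constructed for the demo and are far too small for security.

```python
import random

N, Q, M = 8, 4093, 100        # m = 100 > n log2 q ~ 8 * 12 (toy, insecure sizes)


def small_error(rng):
    """Stand-in for the error distribution chi: +-1 or 0."""
    return rng.choice((-1, 0, 1))


def keygen(rng):
    """pk = (A, u = A x) with A uniform and x short; sk = x."""
    A = [[rng.randrange(Q) for _ in range(M)] for _ in range(N)]   # A <- Z_q^{n x m}
    x = [rng.randrange(2) for _ in range(M)]                        # short x in {0,1}^m
    u = [sum(a * xi for a, xi in zip(row, x)) % Q for row in A]     # u = A x mod q
    return (A, u), x


def encrypt(pk, bit, rng):
    """Ciphertext (b, b'): b^t = s^t A + e^t (preamble), b' = s^t u + e' + bit*q/2."""
    A, u = pk
    s = [rng.randrange(Q) for _ in range(N)]                        # s <- Z_q^n
    b = [(sum(s[i] * A[i][j] for i in range(N)) + small_error(rng)) % Q
         for j in range(M)]
    b2 = (sum(si * ui for si, ui in zip(s, u)) + small_error(rng)
          + bit * (Q // 2)) % Q
    return b, b2


def decrypt(sk, ct):
    """b' - b^t x = e' - e^t x + bit*q/2: the noise |e' - e^t x| <= m + 1 is far
    below q/4, so the bit is read off from the size of the centred value."""
    x = sk
    b, b2 = ct
    v = (b2 - sum(bj * xj for bj, xj in zip(b, x))) % Q
    v = v - Q if v > Q // 2 else v          # centre into (-q/2, q/2]
    return 1 if abs(v) > Q // 4 else 0


def roundtrip(seed=3, bits=(0, 1, 1, 0, 1, 0, 0, 1)):
    """Encrypt and decrypt each bit with fresh randomness; returns the decryptions."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return [decrypt(sk, encrypt(pk, b, rng)) for b in bits]
```

Slide 17's IBE uses the same ciphertext with u = H(identity) and a Gaussian x found with the trapdoor instead of a random binary x.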
Identity-Based Encryption
▶ Proposed by [Shamir'84]: could this exist?
[Figure: an authority holding mpk (and msk) issues sk_Alice, sk_Bob, sk_Carol; anyone can compute Enc(mpk, "Alice", msg).]
1 [BonehFranklin'01, . . . ]: first IBE, based on pairings
2 [Cocks'01, BGH'07]: based on quadratic residuosity mod N = pq
3 [GPV'08]: based on lattices!
16 / 23
IBE from LWE
mpk = A, msk = trapdoor T
u = H("Alice")   ('identity' public key)
sk_Alice = Gaussian x s.t. A x = u (sampled using the trapdoor T)
Ciphertext: b^t = s^t A + e^t (preamble), b′ = s^t u + e′ + bit · q/2 ('payload')
Decryption: b′ − b^t x ≈ bit · q/2
17 / 23
Part 3: Rings for Better Efficiency
18 / 23
SIS/LWE are (Sort Of) Efficient
a_i^t s + e_i = b_i ∈ Z_q
▶ Getting one pseudorandom scalar b_i ∈ Z_q requires an n-dim inner product (mod q)
▶ Can amortize each a_i over many secrets s_j, but still O(n) work per scalar output.
▶ Cryptosystems have rather large keys: pk = (A^t, b), where A^t has n columns and Ω(n) rows.
▶ Inherently ≥ n^2 time to encrypt & decrypt a message.
19 / 23
Wishful Thinking. . .
a_i ? s + e_i = b_i ∈ Z_q^n
▶ Get n pseudorandom scalars from just one (cheap) product operation?
▶ Replace n × n blocks by n-dimensional vectors.
Question
▶ How to define the product '?' so that (a_i, b_i) is pseudorandom?
▶ Careful! With small error, coordinate-wise multiplication is insecure!
Answer
▶ '?' = multiplication in a polynomial ring: e.g., Z_q[X]/(X^n + 1).
Fast and practical with FFT: n log n operations mod q.
▶ Same ring structures used in NTRU cryptosystem [HPS'98], compact one-way / CR hash functions [Mic'02, PR'06, LM'06, . . . ]
20 / 23
LWE Over Rings, Over Simplified
• Let R = Z[X]/(X^n + 1) for n a power of two, and R_q = R/qR
  ◦ Elements of R_q are deg < n polynomials with mod-q coefficients
  ◦ Operations in R_q are very efficient using FFT-like algorithms
• Search: find secret ring element s ∈ R_q, given:
    a_1 ← R_q , b_1 = s · a_1 + e_1 ∈ R_q
    a_2 ← R_q , b_2 = s · a_2 + e_2 ∈ R_q
    a_3 ← R_q , b_3 = s · a_3 + e_3 ∈ R_q
    ...
  (e_i ∈ R are ‘small’)
• Decision: distinguish (a_i, b_i) from uniform (a_i, b_i) ∈ R_q × R_q
21 / 23
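The ring product ‘?’ of the previous slide and the Ring-LWE samples defined on this one, as an added example that is not part of the talk: toy Python arithmetic in R_q = Z_q[X]/(X^n + 1) with constructed parameters n = 8, q = 257 and error bound 2 (chosen for readability, not security), plus a check of why the slide warns that a coordinate-wise ‘?’ is insecure while the ring product is not broken the same way.

```python
# Added example (not from the slides): toy Ring-LWE over R_q = Z_q[X]/(X^n + 1).
import random

N, Q, BOUND = 8, 257, 2   # constructed toy values: n (power of two), q, error bound

def ring_mul(a, b, q=Q):
    """Product in Z_q[X]/(X^n + 1): schoolbook O(n^2) negacyclic convolution.
    Real implementations use an NTT/FFT for the n log n cost the slide cites."""
    n, res = len(a), [0] * len(a)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                res[i + j] = (res[i + j] + ai * bj) % q
            else:                          # X^(i+j) = X^(i+j-n) * X^n = -X^(i+j-n)
                res[i + j - n] = (res[i + j - n] - ai * bj) % q
    return res

def centered(x, q=Q):
    """Representative of x mod q in [-q/2, q/2)."""
    x %= q
    return x - q if x >= (q + 1) // 2 else x

def rlwe_sample(s, coordwise=False, q=Q, bound=BOUND):
    """(a, b = s ? a + e): a uniform in R_q, e 'small'. '?' is the ring product,
    or the insecure coordinate-wise product when coordwise=True."""
    a = [random.randrange(q) for _ in s]
    e = [random.randint(-bound, bound) for _ in s]
    prod = [si * ai for si, ai in zip(s, a)] if coordwise else ring_mul(s, a, q)
    return a, [(p + ei) % q for p, ei in zip(prod, e)]

def error_with_secret(s, a, b, q=Q):
    """The holder of s recovers the small e = b - s*a; without s, b looks uniform."""
    return [centered(bi - pi, q) for bi, pi in zip(b, ring_mul(s, a, q))]

def coordwise_break(samples, q=Q, bound=BOUND):
    """Why the slide says coordinate-wise '?' is insecure: coordinate j of b
    depends only on s[j], so each s[j] is a 1-dimensional LWE instance solved
    by trying all q values (n*q*m work instead of q^n). Against the ring
    product every coefficient of b depends on all of s, and with enough
    samples no single-coordinate guess fits, so the list returned is not s."""
    n, s = len(samples[0][0]), []
    for j in range(n):
        for g in range(q):
            if all(abs(centered(b[j] - g * a[j], q)) <= bound for a, b in samples):
                s.append(g)
                break
    return s
```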
Hardness of Ring-LWE
Initial Reductions [LyubashevskyPeikertRegev’10]
    worst-case approx-SVP on ideal lattices in R
      ≤ (quantum, any R = O_K)
    search R-LWE
      ≤ (classical, any cyclotomic R)
    decision R-LWE
Newer Reduction [PeikertRegevStephens-Davidowitz’17]
    worst-case approx-SVP on ideal lattices in R
      ≤ (quantum, any R = O_K)
    decision R-LWE
Constructions
    decision R-LWE ≤ much crypto
22 / 23
Final Thoughts
• Lattices are a very attractive foundation for post-quantum crypto, for both ‘basic’ and ‘advanced’ objects.
  See remaining talks for much more.
• Cryptanalysis/concrete security estimates are subtle and ongoing, but maturing.
  See Phong Nguyen’s talks tomorrow for coverage of this topic.
Thanks!
23 / 23