Foundations of Lattice Cryptography
Daniele Micciancio
Department of Computer Science and Engineering, University of California, San Diego
August 12-16, 2013 (UCI)
Daniele Micciancio Foundations of Lattice Cryptography
This Talk
Introduction to Lattice Cryptography for Math/non-CS
Assume familiarity with math (number theory, lattices, . . . )
Focus on computational issues, relevant to cryptography/computer science
High level view. If you want to know more ask questions!
Cryptography ⊆ Math ∩ Computer Science
Same old lattices
Many interesting questions, both from math and cryptography
Here: what questions are relevant/important to cryptography?
Will use familiar examples from number theory for illustration
Lattices and Bases
A lattice is the set of all integer linear combinations of (linearly independent) basis vectors $B = \{b_1, \ldots, b_n\} \subset \mathbb{R}^n$:
$$L = \sum_{i=1}^n b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\}$$
The same lattice has many bases:
$$L = \sum_{i=1}^n c_i \cdot \mathbb{Z}$$
Definition (Lattice)
A discrete additive subgroup of $\mathbb{R}^n$
[Figure: two different bases $b_1, b_2$ and $c_1, c_2$ generating the same lattice]
Cryptography
Goal (informal): Build functions f : A→ B that are hard to break
Question 1: What does it mean to break a function?
Average-case vs Worst-case complexity
Pseudorandomness
. . . for now, assume "break" = "invert"
Question 2: How do we argue about f being hard to break?
Attacks/Cryptanalysis: study the best known algorithms to invert a function
Security proofs: show that inverting the function allows one to solve the underlying mathematical problem
Familiar Example: Factoring based cryptography
Definition (Factoring problem)
Given composite N ∈ N, find P,Q > 1 such that N = P · Q
Cryptographic functions:
$\mathrm{Square}(x) = x^2 \bmod N$ (Rabin)
$\mathrm{Cube}(x) = x^3 \bmod N$ (low exponent RSA)
[Figure: $x \to \mathrm{Cube} \to x^3$; the reverse direction is marked "???"]
Definition (loRSA inversion problem)
Given $N \in \mathbb{N}$, and $y \in \mathbb{Z}_N^*$, find $x$ such that $\mathrm{Cube}(x) = y$.
Relation between Inversion and Factoring problems
Square, Cube are easy to invert if the factorization $N = P \cdot Q$ is known:
Invert modulo $P$ and $Q$ separately
Combine the results using the Chinese Remainder Theorem
[Figure: Factor $N \Rightarrow$ Invert $x^2$, Invert $x^3$; the converse direction Invert $\Rightarrow$ Factor $N$ is marked "???"]
If you can invert $x^2$, then you can factor $N$:
Choose random $x \in \mathbb{Z}_N^*$, and compute $x' = \sqrt{x^2}$
If $x' \neq \pm x$, then $\gcd(x - x', N) \in \{P, Q\}$ gives the factorization
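Both directions of the slide as an added toy script (not from the lecture): the CRT-based square root when the factors are known, and the reduction that turns any square-root algorithm into a factoring algorithm. The primes 1019 and 1031 are constructed sample values, chosen to be 3 mod 4 so that a root modulo each prime is a single exponentiation.

```python
import random
from math import gcd

def crt(rp, p, rq, q):
    """Combine residues rp (mod p) and rq (mod q) into one residue mod p*q."""
    return (rp + p * ((rq - rp) * pow(p, -1, q) % q)) % (p * q)

def sqrt_mod_prime(a, p):
    """Square root of a quadratic residue a modulo a prime p = 3 (mod 4)."""
    assert p % 4 == 3
    return pow(a, (p + 1) // 4, p)

def make_sqrt_oracle(p, q):
    """Easy direction: with N = p*q factored, invert Square(x) = x^2 mod N by
    taking a root modulo each prime and recombining with the CRT. The closure
    plays the role of the hypothetical 'algorithm that inverts x^2'."""
    def oracle(a):
        return crt(sqrt_mod_prime(a, p), p, sqrt_mod_prime(a, q), q)
    return oracle

def factor_with_sqrt_oracle(N, oracle, seed=7, max_trials=1000):
    """Hard direction (the reduction on the slide): pick random x, ask the
    oracle for a root x' of x^2, and when x' != +-x read a factor off
    gcd(x - x', N). Returns (factor, trials). Each trial succeeds w.p. 1/2,
    since x is independent of which of the four roots the oracle returns."""
    rng = random.Random(seed)  # seeded so the toy run is reproducible
    for trial in range(1, max_trials + 1):
        x = rng.randrange(1, N)
        if gcd(x, N) != 1:          # x itself already reveals a factor
            return gcd(x, N), trial
        x2 = oracle(x * x % N)
        if x2 not in (x, N - x):
            return gcd(x - x2, N), trial
    raise RuntimeError("oracle never returned a root different from +-x")

if __name__ == "__main__":
    p, q = 1019, 1031                 # constructed sample primes
    N = p * q
    factor, trials = factor_with_sqrt_oracle(N, make_sqrt_oracle(p, q))
    print(f"N = {N}: found factor {factor} after {trials} trial(s)")
```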
Lattice cryptography
Two “kinds” of cryptographic functions
Functions for which lattice algorithms are the best known, or most natural attack. (E.g., NTRU, Gentry FHE, . . . )
[Diagram: Lattice Problem $\Rightarrow$ Invert $f$; the direction Invert $f \Rightarrow$ Lattice Problem is marked "???"]
Functions that are at least as hard to break as some standard lattice problem. (E.g., Ajtai, Regev, . . . )
[Diagram: Lattice Problem $\Rightarrow$ Invert $f \Rightarrow$ Lattice Problem]
What does f look like?
What Lattice Problem shall we use?
f may look quite different from Lattice Problem!
Minimum Distance and Successive Minima
Minimum distance
$$\lambda_1 = \min_{x, y \in L,\ x \neq y} \|x - y\| = \min_{x \in L,\ x \neq 0} \|x\|$$
Successive minima ($i = 1, \ldots, n$)
$$\lambda_i = \min\{r : \dim \mathrm{span}(B(r) \cap L) \ge i\}$$
Examples
$\mathbb{Z}^n$: $\lambda_1 = \lambda_2 = \ldots = \lambda_n = 1$
Always: $\lambda_1 \le \lambda_2 \le \ldots \le \lambda_n$
[Figure: a two-dimensional lattice with $\lambda_1$ and $\lambda_2$ marked]
Distance Function and Covering Radius
Distance function
$$\mu(t, L) = \min_{x \in L} \|t - x\|$$
Covering radius
$$\mu(L) = \max_{t \in \mathrm{span}(L)} \mu(t, L)$$
Spheres of radius $\mu(L)$ centered around all lattice points cover the whole space
[Figure: a target $t$ at distance $\mu$ from the lattice, and spheres of radius $\mu(L)$ around the lattice points]
Relations among lattice parameters
Theorem
$$\lambda_1(L) \le \lambda_2(L) \le \ldots \le \lambda_n(L) \le 2\mu(L) \le \sqrt{n}\,\lambda_n(L)$$
Theorem (Banaszczyk)
$$1 \le 2\lambda_1(L) \cdot \rho(L^*) \le n.$$
$$1 \le \lambda_i(L) \cdot \lambda_{n-i+1}(L^*) \le n.$$
Remarks:
1. $\mu \approx \lambda_n$ (up to $\sqrt{n}$ factors)
2. For some lattices $\lambda_1 \ll \lambda_2 \ll \ldots \ll \lambda_n$
3. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $2\mu = \sqrt{n}\,\lambda_n$
4. For some lattices $\lambda_1 = \lambda_2 = \ldots = \lambda_n$ and $\mu \le 2\lambda_n$
Problem
Give an explicit construction of a lattice satisfying (4)
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP$_\gamma$)
Given a lattice $L(B)$, find a (nonzero) lattice vector $Bx$ (with $x \in \mathbb{Z}^k$) of length (at most) $\|Bx\| \le \gamma\lambda_1$
[Figure: basis $b_1, b_2$; circles of radius $\lambda_1$ and $2\lambda_1$; the short lattice vector $Bx = 5b_1 - 2b_2$]
Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVPγ)
Given a lattice $L(B)$, find $n$ linearly independent lattice vectors $Bx_1, \ldots, Bx_n$ of length (at most) $\max_i \|Bx_i\| \le \gamma\lambda_n$
[Figure: basis $b_1, b_2$; circles of radius $\lambda_2$ and $2\lambda_2$; the independent lattice vectors $Bx_1, Bx_2$]
Closest Vector Problem
Definition (Closest Vector Problem, CVPγ)
Given a lattice $L(B)$ and a target point $t$, find a lattice vector $Bx$ within distance $\|Bx - t\| \le \gamma\mu$ from the target
[Figure: target $t$; circles of radius $\mu$ and $2\mu$ around it; basis $b_1, b_2$; the close lattice vector $Bx$]
Special Versions of SVP, SIVP and CVP
GapSVP: compute (or approximate) the value $\lambda_1$ without necessarily finding a short vector
GapSIVP: compute (or approximate) the value $\lambda_n$ without necessarily finding short linearly independent vectors
Bounded Distance Decoding (BDD): Solve CVP when $\mu(t, L) < \lambda_1(L)/(2\gamma)$.
Absolute Distance Decoding (ADD): Find a lattice point $Bx$ such that $\|Bx - t\| \le \gamma \cdot \mu(L)$.
Relations among (general) lattice problems
SIVP ≈ ADD [MG'01]
SVP ≤ CVP [GMSS'99]
SIVP ≤ CVP [M'08]
BDD ≲ SIVP
CVP ≲ SVP [L'86]
GapSVP ≈ GapSIVP [LLS'90, B'93]
GapSVP ≲ BDD [LM'09]
[Diagram: reduction graph among GapSVP, GapSIVP, BDD, SIVP, ADD, SVP and CVP, with the problems underlying public key cryptography and private key cryptography marked]
Question
Can we say the same about lattices with symmetries?
See [PR'07] for SVP ≤ CVP.
Worst-case vs. Average-case Hardness
Definition (Factoring problem)
Given composite N ∈ N, find P,Q > 1 such that N = P · Q
Algorithm A solves the factoring problem if for any composite $N$, it outputs $P, Q > 1$ such that $N = PQ$.
Factoring is hard = No efficient algorithm solves Factoring
Same as: for every efficient algorithm A there exists a composite $N$ such that $A(N)$ does not output $P, Q$
This is worst-case hardness: the hardest to factor $N$ is indeed hard to factor
Not enough for cryptography!
It doesn't matter if some key is hard to break
You want assurance that your (randomly chosen) key is hard to break with high probability
Average-case hardness: most $N$ are hard to factor
Difficulties with average-case complexity
Average-case complexity depends on input distribution
Let $N$ be a uniformly random integer in $\{1, \ldots, 2^n\}$
Easy on average: $N = 2 \cdot \frac{N}{2}$ with probability 50%!
Let $N$ be uniformly random in $\{N \in \{1, \ldots, 2^n\} : N = P \cdot Q\}$
Still easy: there are $O(2^n / n)$ products with $P = 2$, and only $O(2^n / n^2)$ products with $P \approx Q$.
Let $N = P \cdot Q$ where $P, Q \in \{1, \ldots, 2^{n/2}\}$ are chosen uniformly at random
Ok, maybe now we got it right. This is believed to be hard on average.
Belief is based on many decades (or centuries) of hard work!
Question
How do we know a distribution is right for cryptography?
Average-case hardness: inversion problem
Definition (loRSA inversion problem)
Given N ∈ N, and y = Cube(x), recover x
Assume N = P · Q is a hard distribution for N
Question: how shall we choose x?
Answer: choose x ∈ Z∗N uniformly at random
Why? This is provably the hardest distribution!
Assume we can invert Cube on the average (say, w/ prob. 1%)
Say we want to invert $y = \mathrm{Cube}(x)$ (in the worst case)
Compute $y' = y \cdot \mathrm{Cube}(r)$ for randomly chosen $r \in \mathbb{Z}_N^*$
Notice: $x' = x \cdot r \in \mathbb{Z}_N^*$ is uniformly random and $\mathrm{Cube}(x') = y'$
Recover $x' = x \cdot r$ (with probability 1%)
Compute $x = x'/r$
Repeat 100 times to boost success probability
Cryptographic functions
Definition (Ajtai’s function)
$f_A(x) = Ax \bmod q$ where $A \in \mathbb{Z}_q^{n \times m}$ and $x \in \{0, 1\}^m$
Example ($q = 10$):
$x \in \{0, 1\}^m$: 0 1 1 0 1 0 0
$A \in \mathbb{Z}_q^{n \times m}$:
1 4 5 9 3 0 2
4 2 8 6 2 4 3
7 5 5 4 7 8 0
2 7 0 1 4 6 9
$y = Ax \in \mathbb{Z}_q^n$: 2 2 7 1
Cryptanalysis (Inversion)
Given A and y, find x ∈ {0, 1}m such that Ax = y
Ajtai’s function and lattice problems
Cryptanalysis (Inversion)
Given $A$ and $y$, find a small solution $x \in \{0, 1\}^m$ to the inhomogeneous linear system $Ax = y \pmod q$
Inverting Ajtai's function can be formulated as a lattice problem.
Easy problem: find an (arbitrary) integer solution $t$ to the system of linear equations $At = y \pmod q$
All solutions to $Ax = y$ are of the form $t + L$ where
$$L = \{x \in \mathbb{Z}^m : Ax = 0 \pmod q\}$$
Cryptanalysis problem: find a small vector in $t + L$
Equivalently: find a lattice vector $v \in L$ close to $t$
Inverting Ajtai's function is an average case instance of the Closest Vector Problem where the lattice is chosen according to $L$, for $A \in \mathbb{Z}_q^{m \times n}$, and $x$ is a random "short" vector.
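The worked instance from the previous slide ($q = 10$, the $4 \times 7$ matrix $A$, $x = 0110100$) as an added script that is not part of the lecture: it evaluates $f_A$, inverts it by brute force over $\{0,1\}^m$ (feasible only at this toy size), and checks that every preimage lies in one coset $t + L$ of the kernel lattice $L = \{x : Ax = 0 \pmod q\}$, which is the lattice formulation above.

```python
from itertools import product

# Toy instance from the slide: q = 10, n = 4, m = 7.
Q = 10
A = [[1, 4, 5, 9, 3, 0, 2],
     [4, 2, 8, 6, 2, 4, 3],
     [7, 5, 5, 4, 7, 8, 0],
     [2, 7, 0, 1, 4, 6, 9]]
X = [0, 1, 1, 0, 1, 0, 0]

def mat_vec(A, x):
    """Integer product A x (no reduction mod q)."""
    return [sum(a * b for a, b in zip(row, x)) for row in A]

def ajtai(A, x, q):
    """Ajtai's function f_A(x) = A x mod q."""
    return [s % q for s in mat_vec(A, x)]

def in_kernel_lattice(A, v, q):
    """Membership in L = {v in Z^m : A v = 0 (mod q)}, the lattice behind f_A."""
    return all(s % q == 0 for s in mat_vec(A, v))

def preimages(A, y, q):
    """Brute-force inversion over {0,1}^m: 2^m candidates, so toy sizes only.
    At real parameters this is exactly the hard 'small solution' search."""
    m = len(A[0])
    return [list(x) for x in product((0, 1), repeat=m) if ajtai(A, x, q) == y]

def coset_check(A, y, q):
    """All solutions of A x = y (mod q) form the coset t + L: the difference of
    any two preimages must be a vector of the kernel lattice."""
    sols = preimages(A, y, q)
    if not sols:
        return False
    t = sols[0]
    return all(in_kernel_lattice(A, [a - b for a, b in zip(s, t)], q) for s in sols)

if __name__ == "__main__":
    y = ajtai(A, X, Q)
    print("y = A x mod q =", y)               # the slide shows 2 2 7 1
    print("binary preimages of y:", preimages(A, y, Q))
    print("preimages lie in one coset t + L:", coset_check(A, y, Q))
```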
Breaking a function
What does it mean to “break” f : A→ B?
Recovery Problem: Given f and f (x), recover x
with nonnegligible probability when f , x are chosen at random
Inversion Problem: Given f and y ∈ B, find x s.t. f (x) = y
with nonnegligible probability when f , x are chosen at random
Decision Problem: Given f and y ∈ B, determine if y ∈ f (A)
Given random $f$ and $y \in B$, determine if $y$ was chosen as $y = f(x)$ (for random $x$), or uniformly from $y \in B$.
Definition (Pseudorandomness)
f (x) looks like a uniformly random element of f (A).
Pseudorandomness
The output of $f : A \to B$ is pseudorandom if $f(A)$ looks like $B$.
Interesting property when $|A| \ll |B|$.
Very important in cryptography:
Typically $f(x)$ is used as an input or key to some other cryptographic function
If $f(x)$ does not look random, it cannot be used as a key
Example: if $f(x)$ is used as a one-time pad, then correlations in $f(x)$ reveal correlations in the message.
Pseudorandomness can be very tricky:
Example: $\mathrm{square}(x) = x^2 \pmod N$
Decision problem: determine if $y$ is a quadratic residue
Are random quadratic residues hard to recognize?
Is testing quadratic residuosity as hard as factoring?
Lattice Based Cryptography
Ajtai: fA(x) = Ax (mod q), where A ∈ Zn×mq and x ∈ {0, 1}m
are chosen uniformly at random.
Regev: Similar, but for parameters that make fA injective
Lattice Problem: GapSVP, approximate $\lambda_1$ within a factor $O(n)$ in the worst-case
[Diagram: GapSVP $\Rightarrow$ Invert random $f$ $\Rightarrow$ $f(x) \approx \mathbb{Z}_q^n$ ?]
This is the right way to use lattices!
Lattices with symmetries
Why use lattices with symmetries?
$f_A(x) = Ax$ can be computed much faster when $A$ is a structured matrix, both in theory and practice
E.g., SWIFFT function [LMPR'08] performance comparable to block ciphers
Mathematically attractive (algebraic number theory, etc.)
Cryptanalysis:
Are structured $A$'s easier to break?
Is $f_A(x)$ still pseudorandom?
Security proof:
$f_A$ still hard to invert, assuming worst-case hardness of SVP on algebraic lattices [M'02]
One-way and pseudorandom even in the injective setting [LPR'10, LPR'13]
Limitations of proof based security analysis
Proof of security shows that
uniform A ∈ Zn×mq is the right distribution for cryptography,
fA(x) = Ax (mod q) is the right way to use A.
However it does not provide a good indication of the concrete hardness of breaking $f_A$.
Conclusion
Security proof provides strong qualitative results pointing to the right distribution to be used in lattice cryptography
Concrete security is better assessed by cryptanalysis / lattice algorithms
Lattice Algorithms
Best known attack against lattice cryptography
Most accurate method to assess current security level of lattice cryptography
Many other applications:
Algebraic Number Theory
Factoring polynomials
Coding theory
Integer Programming
. . .
The LLL Algorithm [LLL’82]
Landmark result in theoretical computer science
Elegant theoretical analysis showing it approximates SVP within a $\gamma = 2^{O(n)}$ factor
Works much better in practice when run on "random" lattices
Still, as dimension grows, experiments confirm the $\gamma = 2^{O(n)}$ approximation
Questions
1. Can we do better than LLL?
2. Can lattice algorithms take advantage of lattice symmetries?
Beyond LLL: Exact Algorithms
Lattice algorithms for the exact solution of SVP, CVP, etc.
Algorithm          Time             Space   Prob.   Problem
Enum. [K'87]       $2^{O(n \log n)}$   poly    no      SVP, CVP, SIVP
Sieve [AKS'01]     $2^{O(n)}$          exp     yes     SVP
Voronoi [MV'10]    $2^{O(n)}$          exp     no      SVP, CVP, SIVP
All work for arbitrary lattices
Use very different techniques/ideas
Can these methods take advantage of lattice symmetries?
Can they solve BDD faster than SVP/CVP?
Beyond LLL: Polynomial time approximation
Generalize LLL using exact algorithms for SVP in small dimensional sublattices
Block Korkine Zolotarev (BKZ) [Schnorr'87]
Rankin/Mordell inequality [GHKN'06, GN'08, DM'13]
Polynomial time approximation
LLL+Enumeration: $\gamma = 2^{O(n (\log\log n)^2 / \log n)}$
LLL+Sieving: $\gamma = 2^{O(n \log\log n / \log n)}$ (randomized)
LLL+Voronoi: $\gamma = 2^{O(n \log\log n / \log n)}$
Smooth trade-off between running time and approximation:
$$\gamma \approx 2^{O(n \log\log T / \log T)}$$
References
[MG] Micciancio, Goldwasser (Springer 2001)
[GMSS] Goldreich, Micciancio, Safra, Seifert (Inf. Proc. Letters, 1999)
[M] Micciancio (SODA 2008) (FOCS 2002/Comp. Compl. 2007)
[L] Lovász (SIAM 1986)
[LLS] Lagarias, Lenstra, Schnorr (Combinatorica 1990)
[B] Banaszczyk (Math. Ann. 1993)
[LM] Lyubashevsky, Micciancio (Crypto 2009)
[PR] Peikert, Rosen (STOC 2007)
[LPR] Lyubashevsky, Peikert, Regev (Eurocrypt 2010, 2013)
[LMPR] Lyubashevsky, Micciancio, Peikert, Rosen (FSE 2008)
[LLL] Lenstra, Lenstra, Lovász (Math. Ann. 1982)
[K] Kannan (STOC 1983)
[AKS] Ajtai, Kumar, Sivakumar (STOC 2001)
[MV] Micciancio, Voulgaris (STOC 2010, SIAM J. Comp. 2013)
[GHKN] Gama, Howgrave-Graham, Koy, Nguyen (Crypto 2006)
[GN] Gama, Nguyen (STOC 2008)
[DM] Dadush, Micciancio (SODA 2013)
Blurring a lattice
Consider an arbitrary lattice, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered.
How much noise is needed? [MR]
$$\|r\| \le (\log n) \cdot \sqrt{n} \cdot \lambda_n / 2$$
Each point $a \in \mathbb{R}^n$ can be written $a = v + r$ where $v \in L$ and $\|r\| \approx \sqrt{n}\,\lambda_n$.
$a \in \mathbb{R}^n$ is uniformly distributed.
[Figure: lattice points $v$, noise vectors $r$, and the resulting points $a = v + r$ filling the space]
Security of Ajtai’s function (sketch)
Generate random points $a_i = v_i + r_i$, where
$v_i$ is a random lattice point
$r_i$ is a random error vector of length $\|r_i\| \approx \sqrt{n}\,\lambda_n$
$A = [a_1, \ldots, a_m]$ is distributed almost uniformly at random in $\mathbb{R}^{n \times m}$, $q = n^{O(1)}$, $m = O(n \log q) = O(n \log n)$, so
if we can break Ajtai's function $f_A$, then we can find a vector $z \in \{-1, 0, 1\}^m$ such that
$$\sum (v_i + r_i) z_i = \sum a_i z_i = 0$$
Rearranging the terms yields a lattice vector
$$\sum v_i z_i = -\sum r_i z_i$$
of length at most
$$\Big\|\sum r_i z_i\Big\| \approx \sqrt{m} \cdot \max \|r_i\| \approx n \cdot \lambda_n$$