Lattice-based (Post Quantum) Cryptography

Σχετικά έγγραφα
EE512: Error Control Coding

ST5224: Advanced Statistical Theory II

Block Ciphers Modes. Ramki Thurimella

Homework 3 Solutions

2 Composition. Invertible Mappings

Statistical Inference I Locally most powerful tests

Μηχανική Μάθηση Hypothesis Testing

Other Test Constructions: Likelihood Ratio & Bayes Tests

Section 8.3 Trigonometric Equations

Abstract Storage Devices

Πανεπιστήμιο Πειραιώς Τμήμα Πληροφορικής Πρόγραμμα Μεταπτυχιακών Σπουδών «Πληροφορική»

CHAPTER 25 SOLVING EQUATIONS BY ITERATIVE METHODS

The Simply Typed Lambda Calculus

Jesse Maassen and Mark Lundstrom Purdue University November 25, 2013

ANSWERSHEET (TOPIC = DIFFERENTIAL CALCULUS) COLLECTION #2. h 0 h h 0 h h 0 ( ) g k = g 0 + g 1 + g g 2009 =?

Econ 2110: Fall 2008 Suggested Solutions to Problem Set 8 questions or comments to Dan Fetter 1

HOMEWORK 4 = G. In order to plot the stress versus the stretch we define a normalized stretch:

6.1. Dirac Equation. Hamiltonian. Dirac Eq.

derivation of the Laplacian from rectangular to spherical coordinates

Phys460.nb Solution for the t-dependent Schrodinger s equation How did we find the solution? (not required)

The challenges of non-stable predicates

Matrices and Determinants

ΚΥΠΡΙΑΚΗ ΕΤΑΙΡΕΙΑ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ 19/5/2007

Approximation of distance between locations on earth given by latitude and longitude

Problem Set 3: Solutions

Models for Probabilistic Programs with an Adversary

Every set of first-order formulas is equivalent to an independent set

Solutions to Exercise Sheet 5

New bounds for spherical two-distance sets and equiangular lines

Srednicki Chapter 55

3.4 SUM AND DIFFERENCE FORMULAS. NOTE: cos(α+β) cos α + cos β cos(α-β) cos α -cos β

ΕΙΣΑΓΩΓΗ ΣΤΗ ΣΤΑΤΙΣΤΙΚΗ ΑΝΑΛΥΣΗ

Access Control Encryption Enforcing Information Flow with Cryptography

Numerical Analysis FMN011

Ordinal Arithmetic: Addition, Multiplication, Exponentiation and Limit

Partial Differential Equations in Biology The boundary element method. March 26, 2013

Lecture 15 - Root System Axiomatics

Bayesian statistics. DS GA 1002 Probability and Statistics for Data Science.

Lecture 2: Dirac notation and a review of linear algebra Read Sakurai chapter 1, Baym chatper 3

C.S. 430 Assignment 6, Sample Solutions

Congruence Classes of Invertible Matrices of Order 3 over F 2

Areas and Lengths in Polar Coordinates

Example Sheet 3 Solutions

TMA4115 Matematikk 3

Practice Exam 2. Conceptual Questions. 1. State a Basic identity and then verify it. (a) Identity: Solution: One identity is csc(θ) = 1

Exercises to Statistics of Material Fatigue No. 5

Section 7.6 Double and Half Angle Formulas

4.6 Autoregressive Moving Average Model ARMA(1,1)

Areas and Lengths in Polar Coordinates

Elements of Information Theory

k A = [k, k]( )[a 1, a 2 ] = [ka 1,ka 2 ] 4For the division of two intervals of confidence in R +

Reminders: linear functions

Physical DB Design. B-Trees Index files can become quite large for large main files Indices on index files are possible.

Finite Field Problems: Solutions

Math 6 SL Probability Distributions Practice Test Mark Scheme

Αλγόριθμοι και πολυπλοκότητα NP-Completeness (2)

CRASH COURSE IN PRECALCULUS

ω ω ω ω ω ω+2 ω ω+2 + ω ω ω ω+2 + ω ω+1 ω ω+2 2 ω ω ω ω ω ω ω ω+1 ω ω2 ω ω2 + ω ω ω2 + ω ω ω ω2 + ω ω+1 ω ω2 + ω ω+1 + ω ω ω ω2 + ω

Απόκριση σε Μοναδιαία Ωστική Δύναμη (Unit Impulse) Απόκριση σε Δυνάμεις Αυθαίρετα Μεταβαλλόμενες με το Χρόνο. Απόστολος Σ.

w o = R 1 p. (1) R = p =. = 1

Chapter 6: Systems of Linear Differential. be continuous functions on the interval

9.09. # 1. Area inside the oval limaçon r = cos θ. To graph, start with θ = 0 so r = 6. Compute dr

SCHOOL OF MATHEMATICAL SCIENCES G11LMA Linear Mathematics Examination Solutions

Space-Time Symmetries

LESSON 14 (ΜΑΘΗΜΑ ΔΕΚΑΤΕΣΣΕΡΑ) REF : 202/057/34-ADV. 18 February 2014

Instruction Execution Times

Lecture 2. Soundness and completeness of propositional logic

Homework 8 Model Solution Section

5.4 The Poisson Distribution.

Lecture 34 Bootstrap confidence intervals

Math221: HW# 1 solutions

SOLUTIONS TO MATH38181 EXTREME VALUES AND FINANCIAL RISK EXAM

6.003: Signals and Systems. Modulation

ΚΥΠΡΙΑΚΗ ΕΤΑΙΡΕΙΑ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ 6/5/2006

ΓΕΩΜΕΣΡΙΚΗ ΣΕΚΜΗΡΙΩΗ ΣΟΤ ΙΕΡΟΤ ΝΑΟΤ ΣΟΤ ΣΙΜΙΟΤ ΣΑΤΡΟΤ ΣΟ ΠΕΛΕΝΔΡΙ ΣΗ ΚΤΠΡΟΤ ΜΕ ΕΦΑΡΜΟΓΗ ΑΤΣΟΜΑΣΟΠΟΙΗΜΕΝΟΤ ΤΣΗΜΑΣΟ ΨΗΦΙΑΚΗ ΦΩΣΟΓΡΑΜΜΕΣΡΙΑ

Estimation for ARMA Processes with Stable Noise. Matt Calder & Richard A. Davis Colorado State University

Overview. Transition Semantics. Configurations and the transition relation. Executions and computation

Γιπλυμαηική Δπγαζία. «Ανθπυποκενηπικόρ ζσεδιαζμόρ γέθςπαρ πλοίος» Φοςζιάνηρ Αθανάζιορ. Δπιβλέπυν Καθηγηηήρ: Νηθφιανο Π. Βεληίθνο

Notes on the Open Economy

ΚΥΠΡΙΑΚΗ ΕΤΑΙΡΕΙΑ ΠΛΗΡΟΦΟΡΙΚΗΣ CYPRUS COMPUTER SOCIETY ΠΑΓΚΥΠΡΙΟΣ ΜΑΘΗΤΙΚΟΣ ΔΙΑΓΩΝΙΣΜΟΣ ΠΛΗΡΟΦΟΡΙΚΗΣ 24/3/2007

Strain gauge and rosettes

Fourier Series. MATH 211, Calculus II. J. Robert Buchanan. Spring Department of Mathematics

Assalamu `alaikum wr. wb.

ΤΕΧΝΟΛΟΓΙΚΟ ΠΑΝΕΠΙΣΤΗΜΙΟ ΚΥΠΡΟΥ ΤΜΗΜΑ ΝΟΣΗΛΕΥΤΙΚΗΣ

Local Approximation with Kernels

Concrete Mathematics Exercises from 30 September 2016

Αλγόριθμοι και πολυπλοκότητα NP-Completeness

Exercises 10. Find a fundamental matrix of the given system of equations. Also find the fundamental matrix Φ(t) satisfying Φ(0) = I. 1.

Advanced Subsidiary Unit 1: Understanding and Written Response

( ) 2 and compare to M.

Πώς μπορεί κανείς να έχει έναν διερμηνέα κατά την επίσκεψή του στον Οικογενειακό του Γιατρό στο Ίσλινγκτον Getting an interpreter when you visit your

SOLUTIONS TO MATH38181 EXTREME VALUES AND FINANCIAL RISK EXAM

(C) 2010 Pearson Education, Inc. All rights reserved.

Second Order Partial Differential Equations

Right Rear Door. Let's now finish the door hinge saga with the right rear door

A Note on Intuitionistic Fuzzy. Equivalence Relation

ΠΤΥΧΙΑΚΗ ΕΡΓΑΣΙΑ ΒΑΛΕΝΤΙΝΑ ΠΑΠΑΔΟΠΟΥΛΟΥ Α.Μ.: 09/061. Υπεύθυνος Καθηγητής: Σάββας Μακρίδης

Fractional Colorings and Zykov Products of graphs

Example of the Baum-Welch Algorithm

Transcript:

Lattice-based (Post Quantum) Cryptography Divesh Aggarwal Center of Quantum Technologies, Singapore February 8, 28 Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 1 / 30

Lattices A lattice is a set of points L = {a 1 v 1 + + a nv n a i integers}. for some linearly independent vectors v 1,..., v n R n. We call v 1,..., v n a basis of L, and n the dimension of the lattice. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 2 / 30

Basis is Not Unique Good Basis: v 1, v 2 Bad Basis: v 1, v 2 Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 3 / 30

Hard Problems SVP: Given a lattice, find the shortest non-zero vector (of length λ 1 ). Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 4 / 30

Hard Problems SVP: Given a lattice, find the shortest non-zero vector (of length λ 1 ). ApproxSVP γ : Given a lattice basis, find a vector of length γ λ 1. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 4 / 30

Hard Problems SVP: Given a lattice, find the shortest non-zero vector (of length λ 1 ). ApproxSVP γ : Given a lattice basis, find a vector of length γ λ 1. GapSVP γ : Given a basis and d, decide whether λ 1 d or λ 1 > γ d. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 4 / 30

Hard Problems SVP: Given a lattice, find the shortest non-zero vector (of length λ 1 ). ApproxSVP γ : Given a lattice basis, find a vector of length γ λ 1. GapSVP γ : Given a basis and d, decide whether λ 1 d or λ 1 > γ d. There are also other hard problems like CVP, SIVP Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 4 / 30

GapSVP γ - Algorithms and Complexity γ 2 (log n)1 ɛ n n O(1) (1 + ɛ) n NP Hard Problem co-np Cryptography P [Ajt98,..., HR07] [GG98, AR05] [Ajtai96,...] [LLL82, Sch87] Fastest known algorithms for γ = r n/r run in 2 O(r) poly(n) time, i.e., For γ = poly(n), the running time is exponential in n. In particular, fastest known algorithm for γ close to 1 runs in time 2 n+o(n) [ADRS15,AS18] Under the Gap exponential time hypothesis, no algorithm can solve GapSVP γ for a constant γ 1 in time better than 2 cn for some constant c [AS17]. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 5 / 30

Lattices and Cryptography The first applications included attacking knapsack-based cryptosystems [LagOdl85] and variants of RSA [Has85,Cop]. Lattices began to be used to create cryptography starting with a breakthrough work of Ajtai[Ajt96]. Cryptography based on lattices has many advantages compared with traditional cryptography like RSA: It has strong, mathematically proven, security. It is believed to be resistant to quantum computers. In some cases, it is much faster. It can do more, e.g., fully homomorphic encryption, which is one of the most important cryptographic primitives. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 6 / 30

Lattice-based Crypto Public-key Encryption [Reg05,KTX07,PKW08] CCA-Secure PKE [PW08,Pei09]. Identity-based Encryption [GPV08] Oblivious Transfer [PVW08] Circular Secure Encryption [ACPS09] Hierarchical Identity-based Encryption [Gen09,CHKP09,ABB09]. Fully Homomorphic Encryption [Gen09,BV11,Bra12]. And more... Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 7 / 30

Talk Outline GGH Public Key Encryption Scheme LWE Problem and Applications Efficiency from Rings Recent Implementations. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 8 / 30

GGH Public Key Encryption Scheme Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 9 / 30

Public key encryption Suppose Alice wants to send a message m privately to Bob over a public channel. Key Generation: Bob generates a pair (pk, sk). Encryption: Alice sends c = Enc(pk, m) to Bob. Decryption: Bob obtains the message m = Dec(sk, m). Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 10 / 30

Public key encryption Suppose Alice wants to send a message m privately to Bob over a public channel. Key Generation: Bob generates a pair (pk, sk). Encryption: Alice sends c = Enc(pk, m) to Bob. Decryption: Bob obtains the message m = Dec(sk, m). Security: An eavesdropper shouldn t learn anything about the message given the public-key and the ciphertext. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 10 / 30

Digital Signatures Suppose you wish to digitally sign the message m. Key Generation: The algorithm generates a pair (pk, sk). Sign: A tag for the message is computed using the signing algorithm t = Sign(sk, m). Verify: The signature can be verified using the public key Verify(pk, t, m ) {True, False}. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 11 / 30

Digital Signatures Suppose you wish to digitally sign the message m. Key Generation: The algorithm generates a pair (pk, sk). Sign: A tag for the message is computed using the signing algorithm t = Sign(sk, m). Verify: The signature can be verified using the public key Verify(pk, t, m ) {True, False}. Security: An eavesdropper shouldn t be able to forge a signature given a valid signature and the public key. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 11 / 30

Reducing a vector modulo a basis u mod B = u B B 1 t. 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 00 11 0 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 1 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 01 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 0 0 1 1 0 1 0 0 0 1 1 1 0 1 If u = α 1 u 1 + + α n u n, then u mod B = (α 1 α 1 ) u 1 + + (α n α n ) u n. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 12 / 30

Bad Basis 0 1 01 01 01 u mod B is likely a long vector. Note that u u mod B is a lattice vector close to u. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 13 / 30

Good Basis 0 1 0 1 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 00 11 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 0 1 0 1 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 01 0 1 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 0 1 0 0 1 1 0 0 1 1 u mod B is a short vector. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 14 / 30

Good Basis 0 1 0 1 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 00 11 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 0 1 0 1 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 01 0 1 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 0 1 0 0 1 1 0 0 1 1 u mod B is a short vector. Note that u u mod B is a lattice vector close to u. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 14 / 30

The encryption scheme Map the message m to a vector close to the origin. Encryption: c = m mod B pk (public basis) Processed plaintext 0100 00000 11111 0000000 1111111 0000000 1111111 0000000 1111111 0000000 1111111 0000 111110 01 01 01 Ciphertext 0000000000000000 11111111111111110 1 Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 15 / 30

The encryption scheme Map the message m to a vector close to the origin. Encryption: c = m mod B pk (public basis) Decryption: m = c mod B sk (secret basis) 00 0 1 11 00 0 1 11 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 00 Processed 11 00000 11111 00000 11111 plaintext 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 00000 1111100 000000 111111 000000 111111 01 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 01 Ciphertext 00000000000000000000000000000000000000000 11111111111111111111111111111111111111111 0 0 0000000 1111111 00000000 11111111 1 0000000 1111111 1 Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 15 / 30

More on the GGH Scheme There is a dual digital signature scheme based on the same principle. Map the message m to a random vector in space. Signature: t = m m mod B sk (secret(good) basis) resulting in a lattice vector close to m. Verification: Use the public (bad) basis to check whether t is a lattice vector and that t m is short. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 16 / 30

More on the GGH Scheme There is a dual digital signature scheme based on the same principle. Map the message m to a random vector in space. Signature: t = m m mod B sk (secret(good) basis) resulting in a lattice vector close to m. Verification: Use the public (bad) basis to check whether t is a lattice vector and that t m is short. Nguyen in 1999 pointed out a flaw in the GGH scheme. He showed that every ciphertext reveals information about the plaintext. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 16 / 30

More on the GGH Scheme There is a dual digital signature scheme based on the same principle. Map the message m to a random vector in space. Signature: t = m m mod B sk (secret(good) basis) resulting in a lattice vector close to m. Verification: Use the public (bad) basis to check whether t is a lattice vector and that t m is short. Nguyen in 1999 pointed out a flaw in the GGH scheme. He showed that every ciphertext reveals information about the plaintext. The principle of GGH, however, has been used in several follow-up schemes. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 16 / 30

More on the GGH Scheme There is a dual digital signature scheme based on the same principle. Map the message m to a random vector in space. Signature: t = m m mod B sk (secret(good) basis) resulting in a lattice vector close to m. Verification: Use the public (bad) basis to check whether t is a lattice vector and that t m is short. Nguyen in 1999 pointed out a flaw in the GGH scheme. He showed that every ciphertext reveals information about the plaintext. The principle of GGH, however, has been used in several follow-up schemes. In fact, the first fully homomorphic encryption scheme candidate by Gentry [2009] was based on the same principle. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 16 / 30

Talk Outline GGH Public Key Encryption Scheme LWE Problem and Applications Efficiency from Rings Recent Implementations. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 17 / 30

LWE Problem and Applications Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 18 / 30

Learning with Errors Problem [Regev05] Parameters: Dimension n, modulus q = poly(n), error distribution Search: Find uniformly random secret s Z n q given A 11 A 12 A 13... A 1n A = A 21 A 22 A 23... A 2n........................... and b = A s + e, A m1 A m2 A m3... A mn where A Z m n q is chosen uniformly at random and e Z m q is some short noise distribution. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 19 / 30

Learning with Errors Problem [Regev05] Parameters: Dimension n, modulus q = poly(n), error distribution Search: Find uniformly random secret s Z n q given A 11 A 12 A 13... A 1n A = A 21 A 22 A 23... A 2n........................... and b = A s + e, A m1 A m2 A m3... A mn where A Z m n q is chosen uniformly at random and e Z m q is some short noise distribution. Decision: Distinguish (A, b) from (A, u) where u is uniform in Z m q. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 19 / 30

Learning with Errors Problem [Regev05] Parameters: Dimension n, modulus q = poly(n), error distribution Search: Find uniformly random secret s Z n q given A 11 A 12 A 13... A 1n A = A 21 A 22 A 23... A 2n........................... and b = A s + e, A m1 A m2 A m3... A mn where A Z m n q is chosen uniformly at random and e Z m q is some short noise distribution. Decision: Distinguish (A, b) from (A, u) where u is uniform in Z m q. Worst case to Average Case: Break Crypto = Decision LWE = Search LWE = GapSVP poly(n) Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 19 / 30

A PKE scheme from decision LWE hardness Suppose Alice wants to send a bit µ {0, 1} privately to Bob over a public channel. Key Generation: Bob chooses q, m, n and A Z m n q, s Z n q are chosen uniformly at random and e Z m q is chosen from the LWE noise distribution. Then pk = A, b = A s + e, sk = s. Encryption: Alice chooses uniform r {0, 1} m and sends c = (r A, r b + µ q 2 ). Decryption: Bob on receiving the ciphertext (C 1, c 2 ) checks whether c 2 C 1 s is closer to 0 or q and hence deciphers the 2 message bit µ. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 20 / 30

A PKE scheme from decision LWE hardness Suppose Alice wants to send a bit µ {0, 1} privately to Bob over a public channel. Key Generation: Bob chooses q, m, n and A Z m n q, s Z n q are chosen uniformly at random and e Z m q is chosen from the LWE noise distribution. Then pk = A, b = A s + e, sk = s. Encryption: Alice chooses uniform r {0, 1} m and sends c = (r A, r b + µ q 2 ). Decryption: Bob on receiving the ciphertext (C 1, c 2 ) checks whether c 2 C 1 s is closer to 0 or q and hence deciphers the 2 message bit µ. Security is almost immediate from the Decision LWE Hardness assumption. The ciphertext looks random given the public key. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 20 / 30

Talk Outline GGH Public Key Encryption Scheme LWE Problem and Applications Efficiency from Rings Recent Implementations. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 21 / 30

Efficiency from Rings. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 22 / 30

How efficient is LWE? Getting one pseudorandom b i Z q requires an n-dimensional inner product modulo q. Cryptosystems have larger keys of size larger than n 2 log q. Wishful thinking: (a 1, a 2,..., a n) (s 1, s 2,..., s n) + (e 1, e 2,..., e n) = (b 1, b 2,..., b n). Get n pseudorandom elements in Z q from one inner product. Replace every n 2 length key by a key of length n. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 23 / 30

How efficient is LWE? Getting one pseudorandom b i Z q requires an n-dimensional inner product modulo q. Cryptosystems have larger keys of size larger than n 2 log q. Wishful thinking: (a 1, a 2,..., a n) (s 1, s 2,..., s n) + (e 1, e 2,..., e n) = (b 1, b 2,..., b n). Get n pseudorandom elements in Z q from one inner product. Replace every n 2 length key by a key of length n. Question: How to define the operation? Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 23 / 30

How efficient is LWE? Getting one pseudorandom b i Z q requires an n-dimensional inner product modulo q. Cryptosystems have larger keys of size larger than n 2 log q. Wishful thinking: (a 1, a 2,..., a n) (s 1, s 2,..., s n) + (e 1, e 2,..., e n) = (b 1, b 2,..., b n). Get n pseudorandom elements in Z q from one inner product. Replace every n 2 length key by a key of length n. Question: How to define the operation? With small error, co-ordinate wise multiplication is insecure. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 23 / 30

LWE over Rings Let R = Z[X]/(X n + 1), and R q = R/qR. Operations in R q are very efficient using algorithms similar to FFT. Search: Find secret s R q given a 1 R q, b 1 = a 1 s + e 1 a 2 R q, b 2 = a 2 s + e 2 Decision: Distinguish (a i, b i ) from (a i, u i ) where u i is uniform in R q. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 24 / 30

LWE over Rings Let R = Z[X]/(X n + 1), and R q = R/qR. Operations in R q are very efficient using algorithms similar to FFT. Search: Find secret s R q given a 1 R q, b 1 = a 1 s + e 1 a 2 R q, b 2 = a 2 s + e 2 Decision: Distinguish (a i, b i ) from (a i, u i ) where u i is uniform in R q. Worst case to Average Case [LPR10, PRS17] Decision R-LWE = Search R-LWE = ApproxSVP poly(n) on ideal lattices Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 24 / 30

Complexity of SVP on Ideal Lattices We know that if we can solve R-LWE, then we can also solve SVP on ideal lattices. The other direction is unknown. There has been some recent progress[cdpr16, BS16, K16, CDW16] giving an efficient quantum algorithm for 2 O( n log n) approximation of SVP on Ideal Lattices. This does not say anything about the hardness of Ring-LWE. There is more algebraic structure in Ring-LWE that can possibly lead to quantum attacks, but so far there has been little success. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 25 / 30

Complexity of SVP on Ideal Lattices We know that if we can solve R-LWE, then we can also solve SVP on ideal lattices. The other direction is unknown. There has been some recent progress[cdpr16, BS16, K16, CDW16] giving an efficient quantum algorithm for 2 O( n log n) approximation of SVP on Ideal Lattices. This does not say anything about the hardness of Ring-LWE. There is more algebraic structure in Ring-LWE that can possibly lead to quantum attacks, but so far there has been little success. Ring-LWE based crypto is more efficient, but perhaps less secure. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 25 / 30

Talk Outline GGH Public Key Encryption Scheme LWE Problem and Applications Efficiency from Rings Recent Implementations. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 26 / 30

Recent Implementations. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 27 / 30

Key Exchange [BCNS15] Ring-LWE based key exchange. NewHope [ADPS 15]: Optimized Ring-LWE key exchange with λ = 200 bit quantum security. Comparable to or even faster than current ECDH with 128-bit classical security. Google has experimentally deployed NewHope + ECDH. Frodo [BCDMNNRS 16]: Plain-LWE key exchange with some optimizations. Conjectures 128-bit quantum security. About 10 times slower than NewHope, but almost as fast as ECDH (and much faster than RSA). NTRU EES743EP1 [WEJ13]. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 28 / 30

Other Implementations BLISS: [DDLL 13] An efficient digital signature scheme based on [Lyu09,Lyu12] DILITHIUM: [DLLSSS17] Another efficient digital signature based on [GLP12] that eliminates some of the vulnerabilities of BLISS. HELib: [HaleviShoup] Implementation of Fully Homomorphic Encryption. Λ λ: [CroPei 16] A high level framework aimed at advanced lattice cryptosystems. Lots of ongoing work including many proposals of new post-quantum crypto schemes submitted to NIST. Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 29 / 30

Questions? Divesh Aggarwal (CQT) Lattice-based Cryptography February 8, 28 30 / 30

2025 © DocPlayer.gr Πολιτική Απορρήτου | Όροι Χρήσης | Σχόλια