Lattice Cryptography: Introduction and Open Problems

Size: px

Start display at page:

Download "Lattice Cryptography: Introduction and Open Problems"

Virgil Strickland
6 years ago
Views:

1 Lattice Cryptography: Introduction and Open Problems Daniele Micciancio Department of Computer Science and Engineering University of California, San Diego August 2015 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

2 Point Lattices The simplest example of lattice is Z n = {(x 1,..., x n ): x i Z} Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

3 Point Lattices The simplest example of lattice is Z n = {(x 1,..., x n ): x i Z} Other lattices are obtained by applying a linear transformation B: x = (x 1,..., x n ) Bx = x 1 b x n b n (0, 1) b 2 (1, 0) B b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

4 Lattice Cryptography cryptanalysis crypto design today Lenstra, Lenstra, Lovasz (1982) : The LLL paper Factoring Polynomials with Rational Coefficients Algorithmic breakthrough Efficient approximate solution of lattice problems Exponential approximation factor, but very good in practice Killer App: Cryptanalysis Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

5 Lattice Cryptography cryptanalysis crypto design today Lenstra, Lenstra, Lovasz (1982) : The LLL paper Factoring Polynomials with Rational Coefficients Algorithmic breakthrough Efficient approximate solution of lattice problems Exponential approximation factor, but very good in practice Killer App: Cryptanalysis Ajtai (1996) : Generating Hard Instances of Lattice Problems Marks the beginning of the modern use of lattices in the design of cryptographic functions Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

6 Ajtai s paper (quotes) cryptography... generation of a specific instance of a problem in NP which is thought to be difficult. NP-hard problems very famous question (e.g., prime factorization). Unfortunately difficult to solve means... in the worst case no guidance about how to create [a hard instance] possible solution 1 find a set of randomly generated problems, and 2 show that if there is an algorithm which [works] with a positive probability, then there is also an algorithm which solves the famous problem in the worst case. In this paper we give such a class of random problems. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

7 Example: Discrete Logrithm (DLOG) p: a prime Z p: multiplicative group g Z p: generator of (prime order sub-)group G = {g i : i Z} Z p Input: h = g i mod p DLOG Problem Given p, g, h, recover i (modulo q = o(g)) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

8 Example: Discrete Logrithm (DLOG) p: a prime Z p: multiplicative group g Z p: generator of (prime order sub-)group G = {g i : i Z} Z p Input: h = g i mod p DLOG Problem Given p, g, h, recover i (modulo q = o(g)) Random Self Reducibility If you can solve DLOG for random g and h (with some probability), then you can solve it for any g, h in the worst-case. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

9 DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g, h Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

10 DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g, h 2 Compute g = g a and h = h ab for random a, b Z q. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

11 DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g, h 2 Compute g = g a and h = h ab for random a, b Z q. 3 Notice: g, h G are (almost) uniformly random h = h ab = g iab = (g ) ib Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

12 DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g, h 2 Compute g = g a and h = h ab for random a, b Z q. 3 Notice: g, h G are (almost) uniformly random h = h ab = g iab = (g ) ib 4 Find j = DLOG(g, h ) = ib Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

13 DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g, h 2 Compute g = g a and h = h ab for random a, b Z q. 3 Notice: g, h G are (almost) uniformly random h = h ab = g iab = (g ) ib 4 Find j = DLOG(g, h ) = ib 5 Output j/b (mod q). Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

14 DLOG: Random Self Reducibility (RSR) 1 Given arbitrary g, h 2 Compute g = g a and h = h ab for random a, b Z q. 3 Notice: g, h G are (almost) uniformly random h = h ab = g iab = (g ) ib 4 Find j = DLOG(g, h ) = ib 5 Output j/b (mod q). Conclusion We know how to choose g, h G. But, how do we choose G? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

15 DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n-dimensional lattices grows superpolynomially (or exponentially) in n. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

16 DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n-dimensional lattices grows superpolynomially (or exponentially) in n. Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log G. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

17 DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n-dimensional lattices grows superpolynomially (or exponentially) in n. Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log G. This is not the same: For any n, there are (exponentially) many primes p. Typically, p is chosen at random among all n-bit primes Assumption is still average-case: DLOG is hard for random p. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

18 DLOG vs Lattices (1) Lattice Assumption The complexity of solving lattice problems in n-dimensional lattices grows superpolynomially (or exponentially) in n. Similarly, one may conjecture that the complexity of DLOG grows superpolynomially in n = log p or n = log G. This is not the same: For any n, there are (exponentially) many primes p. Typically, p is chosen at random among all n-bit primes Assumption is still average-case: DLOG is hard for random p. We do not know how to reduce DLOG(Z p) to DLOG(Z q). RSR provides no guidance on how to choose p. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

19 DLOG vs Lattices (2) Alternative assumption DLOG(p n ) is hard when p n is the smallest prime > 2 n. Equivalent to worst-case family of problems (indexed by n) Ad-hoc: problem definition seems rather arbitrary Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

20 DLOG vs Lattices (2) Alternative assumption DLOG(p n ) is hard when p n is the smallest prime > 2 n. Equivalent to worst-case family of problems (indexed by n) Ad-hoc: problem definition seems rather arbitrary There is more: Lattice problems in dimension n reduce to lattice problems in dimension m > n: B = B O O No such reduction for DLOG: DLOG(p n )? = DLOG(p n+1 ) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

21 DLOG vs Lattices (3) Other (natural) representations: but DLOG in (Z p 1, +) is easy. Other (still natural) groups: G = (Z p, ) (Z p 1, +) G = Z pq Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

22 DLOG vs Lattices (3) Other (natural) representations: but DLOG in (Z p 1, +) is easy. Other (still natural) groups: G = (Z p, ) (Z p 1, +) G = Z pq Question Assume one of DLOG(Z p ) and DLOG(Z p q ) is polynomial time solvable, and one is not. Which group family would you choose? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

23 DLOG vs Lattices (3) Other (natural) representations: but DLOG in (Z p 1, +) is easy. Other (still natural) groups: G = (Z p, ) (Z p 1, +) G = Z pq Question Assume one of DLOG(Z p ) and DLOG(Z p q ) is polynomial time solvable, and one is not. Which group family would you choose? Chinese Reminder Theorem (CRT): Z pq Z p Z q DLOG(Z p) = DLOG(Z pq). Reduction in the other direction requires factoring. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

24 Ajtai s one-way function (SIS) Parameters: m, n, q Z Key: A Z n m q Input: x {0, 1} m m x T n A Ax Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

25 Ajtai s one-way function (SIS) m Parameters: m, n, q Z x T Key: A Z n m q Input: x {0, 1} m Output: f A (x) = Ax mod q n A f Ax Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

26 Ajtai s one-way function (SIS) m Parameters: m, n, q Z x T Key: A Z n m q Input: x {0, 1} m Output: f A (x) = Ax mod q n A f Ax Theorem (A 96) For m > n lg q, if lattice problems (SIVP) are hard to approximate in the worst-case, then f A (x) = Ax mod q is a one-way function. Applications: OWF [A 96], Hashing [GGH 97], Commit [KTX 08], ID schemes [L 08], Signatures [LM 08,GPV 08,...,DDLL 13]... Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

27 Relation to lattices The kernel set Λ (A) is a lattice Λ (A) = {z Z m : Az = 0 (mod q)} Collisions Ax = Ay (mod q) can be represented by a single vector z = x y { 1, 0, 1} such that z = x y Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

28 Relation to lattices The kernel set Λ (A) is a lattice Λ (A) = {z Z m : Az = 0 (mod q)} Collisions Ax = Ay (mod q) can be represented by a single vector z = x y { 1, 0, 1} such that Az = Ax Ay = 0 mod q Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

29 Relation to lattices The kernel set Λ (A) is a lattice Λ (A) = {z Z m : Az = 0 (mod q)} Collisions Ax = Ay (mod q) can be represented by a single vector z = x y { 1, 0, 1} such that Az = Ax Ay = 0 mod q Collisions are lattice vectors z Λ (A) with small norm z = max i z i = 1. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

30 Relation to lattices The kernel set Λ (A) is a lattice Λ (A) = {z Z m : Az = 0 (mod q)} Collisions Ax = Ay (mod q) can be represented by a single vector z = x y { 1, 0, 1} such that Az = Ax Ay = 0 mod q Collisions are lattice vectors z Λ (A) with small norm z = max i z i = there is a much deeper and interesting relation between breaking f A and lattice problems. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

31 Shortest Vector Problem Definition (Shortest Vector Problem, SVP) Given a lattice L(B), find a (nonzero) lattice vector Bx (with x Z k ) of length (at most) Bx λ 1 b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

32 Shortest Vector Problem Definition (Shortest Vector Problem, SVP) Given a lattice L(B), find a (nonzero) lattice vector Bx (with x Z k ) of length (at most) Bx λ 1 b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

33 Shortest Vector Problem Definition (Shortest Vector Problem, SVP) Given a lattice L(B), find a (nonzero) lattice vector Bx (with x Z k ) of length (at most) Bx λ 1 Bx = 5b 1 2b 2 λ 1 b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

34 Shortest Vector Problem Definition (Shortest Vector Problem, SVP γ ) Given a lattice L(B), find a (nonzero) lattice vector Bx (with x Z k ) of length (at most) Bx γλ 1 Bx = 5b 1 2b 2 2λ 1 λ 1 b1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

35 Closest Vector Problem Definition (Closest Vector Problem, CVP) Given a lattice L(B) and a target point t, find a lattice vector Bx within distance Bx t µ from the target t b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

36 Closest Vector Problem Definition (Closest Vector Problem, CVP) Given a lattice L(B) and a target point t, find a lattice vector Bx within distance Bx t µ from the target t b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

37 Closest Vector Problem Definition (Closest Vector Problem, CVP) Given a lattice L(B) and a target point t, find a lattice vector Bx within distance Bx t µ from the target Bx µ t b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

38 Closest Vector Problem Definition (Closest Vector Problem, CVP γ ) Given a lattice L(B) and a target point t, find a lattice vector Bx within distance Bx t γµ from the target Bx t µ 2µ b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

39 Shortest Independent Vectors Problem Definition (Shortest Independent Vectors Problem, SIVP) Given a lattice L(B), find n linearly independent lattice vectors Bx 1,..., Bx n of length (at most) max i Bx i λ n b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

40 Shortest Independent Vectors Problem Definition (Shortest Independent Vectors Problem, SIVP) Given a lattice L(B), find n linearly independent lattice vectors Bx 1,..., Bx n of length (at most) max i Bx i λ n b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

41 Shortest Independent Vectors Problem Definition (Shortest Independent Vectors Problem, SIVP) Given a lattice L(B), find n linearly independent lattice vectors Bx 1,..., Bx n of length (at most) max i Bx i λ n Bx 2 Bx 1 λ 2 b 1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

42 Shortest Independent Vectors Problem Definition (Shortest Independent Vectors Problem, SIVP γ ) Given a lattice L(B), find n linearly independent lattice vectors Bx 1,..., Bx n of length (at most) max i Bx i γλ n Bx 2 Bx 1 2λ 2 λ 2 b1 b 2 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

43 Minimum Distance and Successive Minima Minimum distance λ 1 = min x y x,y L,x y = min x L,x 0 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

44 Minimum Distance and Successive Minima Minimum distance λ 1 = min x y x,y L,x y = min x L,x 0 λ 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

45 Minimum Distance and Successive Minima Minimum distance λ 1 = min x y x,y L,x y = min x L,x 0 Successive minima (i = 1,..., n) λ 1 λ i = min{r : dim span(b(r) L) i} Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

46 Minimum Distance and Successive Minima Minimum distance λ 1 = min x y x,y L,x y = min x L,x 0 Successive minima (i = 1,..., n) λ i = min{r : dim span(b(r) L) i} λ 2 λ 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

47 Minimum Distance and Successive Minima Minimum distance λ 1 = min x y x,y L,x y = min x L,x 0 Successive minima (i = 1,..., n) λ i = min{r : dim span(b(r) L) i} Examples Z n : λ 1 = λ 2 =... = λ n = 1 Always: λ 1 λ 2... λ n λ 2 λ 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

48 Blurring a lattice Consider a lattice Λ, and Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

49 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

50 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

51 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

52 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. How much noise is needed? r n λn /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

53 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered. How much noise is needed? r n λn /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

54 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered. How much noise is needed? r n λn /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

55 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered. How much noise is needed? r n λn /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

56 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered. How much noise is needed? r n λn /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

57 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered. How much noise is needed? [MR] r (log n) n λ n /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. a R n /Λ is uniformly distributed. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

58 Blurring a lattice Consider a lattice Λ, and add noise to each lattice point until the entire space is covered. Increase the noise until the space is uniformly covered. How much noise is needed? [MR] r (log n) n λ n /2 v r a Each point in a R n can be written a = v + r where v L and r nλ n. a R n /Λ is uniformly distributed. Think of R n 1 q Λ [GPV 07] Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

59 Average-case hardness (sketch) Generate random points a i = v i + r i 1 q Λ, where v i Λ is a random lattice point r i is a random error vector of length r i nλ n A = [a 1,..., a m ] 1 q Λm Z n m q Assume we can find a short lattice vector z Z m Az = 0 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

60 Average-case hardness (sketch) Generate random points a i = v i + r i 1 q Λ, where v i Λ is a random lattice point r i is a random error vector of length r i nλ n A = [a 1,..., a m ] 1 q Λm Z n m q Assume we can find a short lattice vector z Z m (vi + r i )z i = a i z i = Az = 0 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

61 Average-case hardness (sketch) Generate random points a i = v i + r i 1 q Λ, where v i Λ is a random lattice point r i is a random error vector of length r i nλ n A = [a 1,..., a m ] 1 q Λm Z n m q Assume we can find a short lattice vector z Z m (vi + r i )z i = a i z i = Az = 0 Rearranging the terms yields a lattice vector vi z i = r i z i of length at most r i z i m max r i n λ n Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

62 Shortcomings of Ajtai s function Expressivity: Ajtai s proof requires m > n log q The function f A : {0, 1} m Z n q is not injective Enough for one-way functions, collision resistant hashing, some digital siguatures, commitments, identification, etc.... but (public key) encryption seem to require stronger assumptions. 1996: Ajtai-Dwork cryptosystem, based on the unique Shortest Vector Problem. Efficiency: The matrix/key A Zq n m requires Ω(n 2 ) storage (and computation) 1996: NTRU Cryptosystem, efficient, but not supported by security proof from worst-case lattice problems. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

63 Learning with errors (LWE) A Z m n q, s Z n q, e E m. g A (s ) = As mod q n s T m A g b Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

64 Learning with errors (LWE) A Z m n q, s Z n q, e E m. g A (s; e) = As + e mod q Learning with Errors: Given A and g A (s, e), recover s. n s T m A + e g b Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

65 Learning with errors (LWE) A Z m n q, s Z n q, e E m. g A (s; e) = As + e mod q n Learning with Errors: Given A and g A (s, e), recover s. s T Theorem (Regev 05) The function g A (s, e) is hard to invert on the average, assuming SIVP is hard to approximate in the worst-case even for quantum computers. m A + e g b Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

66 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β x Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

67 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β Output: f L (x) = x mod L x f L 0 b 2 x b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

68 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β Output: f L (x) = x mod L β < λ 1 /2: f L is injective f L b 2 0 b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

69 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β Output: f L (x) = x mod L β < λ 1 /2: f L is injective β > λ 1 /2: f L is not injective f L b 2 0 b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

70 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β Output: f L (x) = x mod L β < λ 1 /2: f L is injective β > λ 1 /2: f L is not injective β µ: f L is surjective f L b 2 0 b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

71 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β Output: f L (x) = x mod L β < λ 1 /2: f L is injective β > λ 1 /2: f L is not injective β µ: f L is surjective β µ: f L (x) is almost uniform f L b 2 0 b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

72 SIS/LWE as CVP Candidate OWF Key: a hard lattice L Input: x, x β Output: f L (x) = x mod L β < λ 1 /2: f L is injective β > λ 1 /2: f L is not injective β µ: f L is surjective β µ: f L (x) is almost uniform f L Question Are these functions cryptographically hard to invert? 0 b 2 b 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

73 Special Versions of CVP Definition (Closest Vector Problem (CVP)) Given (L, t, d), with µ(t, L) d, find a lattice point within distance d from t. If d is arbitrary, then one can find the closest lattice vector by binary search on d. Bounded Distance Decoding (BDD): If d < λ 1 (L)/2, then there is at most one solution. Solution is the closest lattice vector. Absolute Distance Decoding (ADD): If d ρ(l), then there is always at least one solution. Solution may not be closest lattice vector. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

74 Computational problems on random lattices Ajtai s class of random lattices an their duals: A Z n m Λ q (A) = {x Z m : Ax = 0 mod q} Λ q (A) = A T Z n + qz m Inverting Ajtai s function Ax = b Solution x always exist, but it is hard to find Average case version of ADD on random Λ q (A) Solving LWE sa + x = b For small enough x, solution is unique Average case version of BDD on random dual lattice Λ q (A). Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

75 ADD reduces to SIVP ADD input: L and arbitrary t Compute short vectors V = SIVP(L) Use V to find a lattice vector within distance 1 i 2 v i (n/2)λ n nρ from t v 2 x P t v 1 Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

76 BDD reduces to SIVP BDD input: t close to L 0 t Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

77 BDD reduces to SIVP BDD input: t close to L Compute V = SIVP(L ) v i 0 t Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

78 BDD reduces to SIVP BDD input: t close to L Compute V = SIVP(L ) For each v i L, find the layer L i = {x x v i = c i } closest to t v i 0 t Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

79 BDD reduces to SIVP BDD input: t close to L Compute V = SIVP(L ) For each v i L, find the layer L i = {x x v i = c i } closest to t v i Output L 1 L 2 L n 0 t Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

80 BDD reduces to SIVP BDD input: t close to L Compute V = SIVP(L ) For each v i L, find the layer L i = {x x v i = c i } closest to t v i Output L 1 L 2 L n Output is correct as long as 0 t µ(t, L) λ 1 2n 1 2λ n 1 2 v i Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

81 Special Versions of SVP and SIVP GapSVP: compute (or approximate) the value λ 1 without necessarily finding a short vector GapSIVP: compute (or approximate) the value λ n without necessarily finding short linearly independent vectors Transference Theorem λ 1 1/λ n: GapSVP can be (approximately) solved by solving GapSIVP in the dual lattice, and vice versa Problems Exercise: Computing λ 1 (or λ n ) exactly is as hard as SVP (or SIVP) Open Problem: Reduce approximate SVP (or SIVP) to approximate GapSVP (or GapSIVP) Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

82 Relations among lattice problems SIVP ADD [MG 01] SVP CVP [GMSS 99] SIVP CVP [M 08] BDD SIVP CVP SVP [L 87] GapSVP GapSIVP [LLS 91,B 93] GapSVP BDD [LM 09] GapSVP GapSIVP BDD SIVP ADD SVP CVP Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

83 Relations among lattice problems SIVP ADD [MG 01] SVP CVP [GMSS 99] SIVP CVP [M 08] BDD SIVP CVP SVP [L 87] GapSVP GapSIVP [LLS 91,B 93] GapSVP BDD [LM 09] GapSVP GapSIVP BDD SIVP ADD SVP CVP Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

84 Open Problems Does the ability to approximate λ 1 helps in solving SVP? Does the ability to approximate λ n helps in solving SIVP? Is there a reduction from CVP/SVP to SIVP? Yes, for the exact version of the problems [M. 08] Open for approximation version Is there a classical (nonquantum) reduction from SIVP/ADD to GapSVP/BDD? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

85 Efficient Lattice Cryptography from Structured Lattices Idea Use structured matrix A = [A (1)... A (m/n) ] where A (i) Z n n q is circulant A (i) = a (i) 1 a n (i) a (i) 2 a (i) 2 a (i) 1 a (i) 3. a (i) n..... a (i) n 1 a (i) 1 Generalized Compact Knapsacks and Efficient One-Way Functions (Micciancio, FOCS 2002) Efficient version of Ajtai s connection: O(n log n) space and time complexity Provable security: guidance on how to choose random instances. Theorem CyclicSIS is hard to invert on average, assuming the worst-case hardness of lattice problems over cyclic lattices. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

86 Ideal Lattices and Algebraic number theory Isomorphism: A cyc Z[X ]/(X n 1) Cyclic SIS: f a1,...,a k (u 1,..., u k ) = i a i (X ) u i (X ) (mod X n 1) where a i, u i R = Z[X ]/(X n 1). More generally, use R = Z[X ]/p(x ) for some monic polynomial p(x ) Z[X ] If p(x ) is irreducible, then finding collisions to f a for random a is as hard as solving lattice problems in the worst case in ideal lattices Can set R to the ring of integers of K = Q[X ]/p(x ). Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

87 How to choose p(x )/R? RingSIS (Lyubashevsky, PhD Thesis, UCSD 2008) define f a (u) = i a i(x ) u i (X ) Notice: no reduction modulo p(x )! If f a (u) = f a (u ) in Z[X ], then f a (u) = f a (u ) (mod p(x )). Conclusion: breaking f is at least as hard as solving lattices problems in ideal lattices for any p(x ). Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

88 How to choose p(x )/R? RingSIS (Lyubashevsky, PhD Thesis, UCSD 2008) define f a (u) = i a i(x ) u i (X ) Notice: no reduction modulo p(x )! If f a (u) = f a (u ) in Z[X ], then f a (u) = f a (u ) (mod p(x )). Conclusion: breaking f is at least as hard as solving lattices problems in ideal lattices for any p(x ). RingLWE: Most applications require not only hardness of inverting f a, but also pseudorandomness of output f a (u) [Lyubashevsky,Peikert,Regev 10]: For cyclotomic p(x ), hardness of inverting f a implies pseudorandomness of f a (u). [Lauter 15] constructs polynomial rings where inverting f a is conceivably hard, but f a (u) is easily distinguished from random. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

89 Classical Hardness of LWE [P 09, BLPRS 13] There is a classical reduction from GapSVP to LWE when q = 2 O(n), or LWE dimension d = O(n 2 ) Open Problems Is there a more efficient reduction from GapSVP to LWE? Is there a classical reduction from SIVP to LWE? Is there a reduction from SVP/SIVP to LWE on ideal lattices? Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

90 More Open Problems Tonight 7:30pm Bring your own open problems to share! Send to with estimated time for scheduling.... or, just talk to me over lunch or coffee break. Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

91 More Open Problems Tonight 7:30pm Bring your own open problems to share! Send to with estimated time for scheduling.... or, just talk to me over lunch or coffee break. Thank you! Daniele Micciancio (UCSD) Lattice Cryptography: Introduction and Open Problems August / 32

Lattice Problems. Daniele Micciancio UC San Diego. TCC 2007 Special Event: Assumptions for cryptography

Lattice Problems. Daniele Micciancio UC San Diego. TCC 2007 Special Event: Assumptions for cryptography Lattice Problems Daniele Micciancio UC San Diego TCC 2007 Special Event: Assumptions for cryptography Outline Lattice Problems Introduction to Lattices, SVP, SIVP, etc. Cryptographic assumptions Average-case