Lattice-Based Cryptography

Size: px

Start display at page:

Download "Lattice-Based Cryptography"

Kathlyn Flynn
5 years ago
Views:

1 Lattice-Based Cryptography Huijing Gong 9/24/2018 Slides courtesy of Dana Dachman-Soled, Valeria Nikolaenko, Chris Peikert, and Oded Regev

2 Traditional Crypto Assumptions Recall

3 Traditional Crypto Assumptions Discrete Log: Given gg xx mmoodd pp, find xx. (Decisional) Diffie-Hellman Assumptions (gg xx, gg yy, gg xxyy ), (gg xx, gg yy,gg zz ) More: Factoring

4 Are They Secure? Algorithmic Advances: OO(nn Factoring: Best algorithm time 2 3) to factor nn-bit number. OO(nn Discrete log: Best algorithm 2 3) for groups Ζ pp, where pp isnn-bit. 1 1 Quantum Computers: Shor s algorithm solves both factoring and discrete log in quantum polynomial time ( OO(nn 2 )).

5 Are They Secure? For those partners and vendors that have not yet made the transition to Suite B algorithms (ECC), we recommend not making a significant expenditure to do so at this point but instead to prepare for the upcoming quantum resistant algorithm transition... Unfortunately, the growth of elliptic curve use has bumped up against the fact of continued progress in the research on quantum computing, necessitating a re-evaluation of our cryptographic strategy. NSA Statement, August 2015

6 Post-Quantum Approach Believed to be hard for quantum computers. Versatile: Can essentially construct all cryptosystems out of these assumptions. Candidates: Lattice-based Crypto, Hash-based Crypto, codebased, etc.

7 What s a Lattice? A periodic grid in Ζ mm (Formally: full-rank additive subgroup.) O

8 What s a Lattice? A periodic grid in Ζ mm (Formally: full-rank additive subgroup.) Basis BB = {bb 1,, bb m } Lattice = mm jj=1 Ζ bb jj b 2 b 1 O

9 What s a Lattice? A periodic grid in Ζ mm (Formally: full-rank additive subgroup.) Basis BB = {bb 1,, bb m } Lattice = mm jj=1 Ζ bb j b 1 (Other representations too... ) O b 2

10 Hard Lattice Problem: Learning With Errors (LWE) [Regev 05] There is a secret vector s in Ζ nn pp (we'll use Z 4 17 as a running example) An oracle (who knows s) generates a vector a in Ζ nn pp and small noise element e in Z The oracle outputs (a,b=<a,s>+e mod 17) This procedure is repeated with the same s and fresh a and e Our task is to find s

11 Learning With Errors (LWE) Problem There is a secret vector s in Ζ nn pp (we'll use Z 4 17 as a running example) An oracle (who knows s) generates a vector a in Ζ nn pp and small noise element e in Ζ. The oracle outputs (a,b=<a,s>+e mod 17) This procedure is repeated with the same s and fresh a and e Our task is to find s

12 Learning With Errors (LWE) Problem There is a secret vector s in Ζ nn pp (we'll use Z 4 17 as a running example) An oracle (who knows s) generates a vector a in Ζ nn pp and small noise element e in Ζ. The oracle outputs (aa, bb = aa, ss + ee mmmmmm pp) * = This procedure is repeated with the same s and fresh a and e Our task is to find s

13 Learning With Errors (LWE) Problem There is a secret vector s in Ζ nn pp (we'll use Z 4 17 as a running example) An oracle (who knows s) generates a vector a in Ζ nn pp and small noise element e in Ζ. The oracle outputs (aa, bb = aa, ss + ee mmmmmm pp) * = This procedure is repeated with the same ss and fresh aa and ee Our task is to find ss

14 Learning With Errors (LWE) Problem There is a secret vector s in Ζ nn pp (we'll use Z 4 17 as a running example) An oracle (who knows s) generates a vector a in Ζ nn pp and small noise element e in Ζ. The oracle outputs (aa, bb = aa, ss + ee mmmmmm pp) * = This procedure is repeated with the same ss and fresh aa and ee Our task is to find ss

15 Learning With Errors (LWE) Problem a 1 a 2... s + e = b LWE Instance AA, bb = AA ss + ee mmmmmm pp a m Once there are enough a i, the s is uniquely determined Theorem [Regev '05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE.

16 Decisional LWE Problem a 1 a 2... World 1 s + e = b a 1 a 2..., b a m a m a 1 a 2... World 2, b uniformly in Ζ pp mm Decision LWE Oracle a m I am in World 1 (or 2)

17 LWE is Versatile What kinds of crypto can we do with LWE? Key Exchange, Public Key Encryption ObliviousTransfer Actively Secure Encryption (w/o oracles) Block Ciphers, Pseudo Functions Identity-Based Encryption (w/ RO) Hierarchical ID-Based Encryption (w/o RO) Fully HomomorphicEncryption Attribute-Based Encryption for arbitrary policies and much, much more..

18 Recall Diffie-Hellman key exchange Parameters gg, p Client Server Nonsecret value in blue and secret value in red. 1. Client and Server agree on the algorithm parameters g and p 2. Client and Server generate their own private keys, named yy and xx, respectively 3. Server computes gg xx and sends it to Client. 4. Client computes gg yy and sends it to Server. 5. Client computers (gg xx ) yy and uses it as its secret. 6. Server computers (gg yy ) xx and uses it as its secret.

19 Recall Diffie-Hellman key exchange Parameters gg, p Client Server Nonsecret value in blue and secret value in red. 1. Client and Server agree on the algorithm parameters g and p yy xx 2. Client and Server generate their own private keys, named yy and xx, respectively 3. Server computes gg xx and sends it to Client. 4. Client computes gg yy and sends it to Server. 5. Client computers (gg xx ) yy and uses it as its secret. 6. Server computers (gg yy ) xx and uses it as its secret.

20 Recall Diffie-Hellman key exchange Parameters gg, p Client Server Nonsecret value in blue and secret value in red. 1. Client and Server agree on the algorithm parameters g and p yy g xx xx 2. Client and Server generate their own private keys, named yy and xx, respectively g yy 3. Server computes gg xx and sends it to Client. 4. Client computes gg yy and sends it to Server. 5. Client computers (gg xx ) yy and uses it as its secret. 6. Server computers (gg yy ) xx and uses it as its secret.

21 Recall Diffie-Hellman key exchange Parameters gg, p Client Server Nonsecret value in blue and secret value in red. 1. Client and Server agree on the algorithm parameters g and p yy g x xx 2. Client and Server generate their own private keys, named yy and xx, respectively g y 3. Server computes gg xx and sends it to Client. gg xxyy gg xxyy 4. Client computes gg yy and sends it to Server. 5. Client computers (gg xx ) yy and uses it as its secret. 6. Server computers (gg yy ) xx and uses it as its secret.

22 Slides modified from Recall Diffie-Hellman key exchange yy Parameters gg, p Client Server gg xxyy g x g y gg xxyy xx Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like Nonsecret value in blue and secret value in red. 1. Client and Server agree on the algorithm parameters g and p 2. Client and Server generate their own private keys, named yy and xx, respectively 3. Server computes gg xx and sends it to Client. 4. Client computes gg yy and sends it to Server. 5. Client computers (gg xx ) yy and uses it as its secret. 6. Server computers (gg yy ) xx and uses it as its secret.

23 DH Key Exchange Translatesto LWE Diffie-Hellman key exchange LWE key exchange [DXL12] yy Parameters gg, p Client Server g x xx Client small yy, eee Parameter A Ax+e Server small xx, eee g y ya+e gg xxyy gg xxyy Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like Compute y(ax + e) yax [Pei14] C. Peikert. Lattice cryptography for the Internet. In Post-Quantum Cryptography. Springer, 2014 [DXL12] Ding, J., Xie, X., Lin, X. A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Compute (ya + e )x yax Attacker sees A, Ax+e, ya+e, but cannot sees yy, eee, xx, ee.. In the view of attacker KeyCon(yAx) looks like

24 DH Key Exchange Translatesto LWE Diffie-Hellman key exchange LWE key exchange [DXL12] Parameters gg, p Client Server Client Parameter A Server yy g x xx g y gg xxyy gg xxyy Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like

25 DH Key Exchange Translatesto LWE Diffie-Hellman key exchange LWE key exchange [DXL12] yy Parameters gg, p Client Server g x g y xx Client small vectors yy, eee Parameter A Server small vectors xx, ee gg xxyy gg xxyy Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like

26 DH Key Exchange Translatesto LWE Diffie-Hellman key exchange LWE key exchange [DXL12] yy Parameters gg, p Client Server g x g y xx Client small vectors yy, eee Parameter A Ax+e ya+e Server small vectors xx, ee gg xxyy gg xxyy Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like

27 DH Key Exchange Translatesto LWE Diffie-Hellman key exchange LWE key exchange [DXL12] yy Parameters gg, p Client Server g x g y xx Client small vectors yy, eee Parameter A Ax+e ya+e Server small vectors xx, ee gg xxyy gg xxyy Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like Compute y(ax + e) yax Compute (ya + e )x yax

28 DH Key Exchange Translatesto LWE Diffie-Hellman key exchange LWE key exchange [DXL12] yy Parameters gg, p Client Server g x g y xx Client small vectors yy, eee Parameter A Ax+e ya+e Server small vector xx, ee gg xxyy gg xxyy Attacker sees gg, gg xx, gg yy, but cannot sees xx, yy, gg xxxx. In the view of attacker gg xxxx looks like Compute y(ax + e) yax Compute (ya + e )x yax Attacker sees A, Ax+e, ya+e, but cannot sees yy, eee, xx, ee.. In the view of attacker KeyCon(yAx) looks like

29 Key Exchange Implementation NewHope [ADPS 15]: Ring-LWE key exchange a la [LPR 10,P 14], with many optimizations and conjectured 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (nonquantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers. Frodo [BCDMNNRS 16]: Plain-LWE key exchange, with many tricks and optimizations. Conjectured 128-bit quantum security. About 10x slower than NewHope, but only 2x slower than ECDH

30 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp Dual Attack: If we can find a short vector ww such that ww AA mmoooo pp = 0, OR Then compute inner product ww, bb AA, bb = rrrrrrrrrrrr

31 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr ww bb ww bb

32 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr ww bb = ww(aa ss + ee) ww bb

33 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr ww bb = ww(aa ss + ee) = (wwaa) ss + ww ee ww bb

34 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr ww bb = ww(aa ss + ee) = (wwaa) ss + ww ee = ww ee = small small ww bb

35 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr ww bb = ww(aa ss + ee) = (wwaa) ss + ww ee = ww ee = small small ww bb = rraaaaaaaaaa

36 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr ww bb = ww(aa ss + ee) = (wwaa) ss + ww ee = ww ee = small small ww bb = rraaaaaaaaaa

37 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as AA, bb = AA ss + ee mmmmmm pp AA, bb = rrrrrrrrrrrr If we can find a short vector ww such that ww AA mmoooo pp = 0, Then compute inner product ww, bb Wait That sounds very easy to attack, why LWE is hard? OR

38 Next Mission Now you are a cryptanalyst Our goal: Given a pair (AA, bb), want to know whether it is generated as HARD AA, bb = AA ss + ee mmmmmm pp OR AA, bb = rrrrrrrrrrrr If we can find a short vector ww such that ww AA mmoooo pp = 0, Then compute inner product ww, bb Wait That sounds very easy to attack, why LWE is hard?

39 For more check Short Integer Solution Problem!

Intro to Public Key Cryptography Diffie & Hellman Key Exchange

Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary Introduction Stream & Block Ciphers Block Ciphers Modes (ECB,CBC,OFB) Advanced Encryption Standard (AES) Message Authentication