Lecture 22 - Knapsack/Lattice - Trustworthy Data Engineering

COM S 453X – Spring 2017
Privacy Preserving Algorithms and Data Security
Lecture 22: Lattice-Based Cryptography and FHE
Prof. EWD Rozier
FHE
• Craig Gentry (PhD Stanford, now at IBM Watson)
• Presented first (and second!) FHE system.
• Supports additive and multiplicative operations on ciphertexts.
• Supports circuit construction for arbitrary computation.
Mathematical Background
• Start with a lattice as a discrete subgroup
• Further reduce our starting lattice to integer lattices, i.e.
• We will be working with something known as a basis of a lattice. A basis of L is an ordered set:
Bases
• A basis is an ordered set:
• Such that:
What is a Lattice?
A lattice is a regular array of points in space.
We can connect the dots to form parallelograms.
The lattice may be described by giving
basis vectors that span a parallelogram.
What is the Closest Vector Problem?
Suppose that you know a basis for the lattice L.
Suppose that someone gives you a point P.
Challenge: Find the lattice point Q that is closest to P.
This is the Closest Vector Problem.
Why Is That A Hard Problem?
I can sense everyone thinking –
“What’s so hard about the Closest Vector Problem?
Just draw the picture and pick out the closest point!”
For lattices in the plane, you’re right, it’s very easy.
It’s not even very hard in dimension 3, or 4, or 5.
However, the Closest Vector Problem is very hard in
high dimension, say in dimension 500.
Why Use Lattices for Cryptography?
Lattice problems offer the possibility of faster encryption
and decryption algorithms.
Let n be the number of bits in the underlying problem:
• n = # of bits in an RSA modulus pq
• n = # of bits in a prime p for ECC in E(Fp)
• n = (dimension of a lattice L) x (# of bits in a coordinate)
Using various “tricks,” encryption/decryption takes:
O(n^2 log n) steps for RSA and ECC.
O(n log n) steps for lattice-based cryptosystems.
It also seems prudent to have practical cryptosystems
available based on many different hard problems, rather
than relying exclusively on one or two problems.
Some History of Lattice-Based Crypto
Ajtai and Dwork (1995) described a lattice-based public key
cryptosystem having average case-worst case equivalence. This was
a theoretical cryptographic milestone, but the AD cryptosystem is not
practical.
Inspired by the work of Ajtai and Dwork, Goldreich, Goldwasser,
and Halevi (1996) proposed a more practical lattice-based
cryptosystem.
The GGH cryptosystem is fast, but it requires megabyte-size public
keys to be secure.
At the same time, working independently, Hoffstein (with
Pipher and JS) developed a ring-based cryptosystem called
NTRU that only requires RSA-sized keys.
It was later discovered that NTRU could be described in terms of a
special class of lattices and is closely related to the GGH system.
Bases
The Knapsack Problem
• Start with a list of positive integers.
• Given a target t determine if there are values
• Such that
Knapsack Problem
• In a knapsack problem or rucksack problem, we are given a set of n items, where each item i is specified by a size s_i and a value v_i. We are also given a size bound S, the size of our knapsack.

Item #   1   2   3
Size     1   3   5
Value    8   6   5
Knapsack Problem
Sample Problem

Item   Value   Size
A      7       3
B      9       4
C      5       2
D      12      6
E      14      7
F      6       3
G      12      5
Knapsack Crypto
• Building crypto around knapsack:
• Map this to a crypto problem.
Knapsack Crypto
• How does Bob decrypt?
Some knapsack problems are easy
• Superincreasing knapsack:
• Finding x becomes easy:
• Which allows us to reduce the dimensions:
How is this for Bob’s Decryption Problem?
Knapsack Crypto
• What if Bob’s superincreasing set is private and hidden?
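Added example (not from the lecture slides): a toy Python sketch of the idea on the preceding slides, where a superincreasing knapsack is easy to solve and Bob keeps his superincreasing set private while publishing a disguised version. The disguise used here, multiplying by a secret value modulo a secret modulus (the Merkle-Hellman construction), is an assumption, since the slides' own formulas did not survive extraction; all function names and parameters are constructed for illustration.

```python
from math import gcd

def is_superincreasing(seq):
    """True if every term exceeds the sum of all earlier terms."""
    total = 0
    for r in seq:
        if r <= total:
            return False
        total += r
    return True

def solve_superincreasing(seq, target):
    """Greedy subset-sum: scan from the largest term down.
    Returns the 0/1 selection vector x, or None if no subset sums to target."""
    x = [0] * len(seq)
    for i in range(len(seq) - 1, -1, -1):
        if seq[i] <= target:
            x[i] = 1
            target -= seq[i]
    return x if target == 0 else None

def make_public_key(private_seq, modulus, multiplier):
    """Hide the easy knapsack: m_i = multiplier * r_i mod modulus."""
    if not is_superincreasing(private_seq):
        raise ValueError("private sequence must be superincreasing")
    if modulus <= sum(private_seq) or gcd(multiplier, modulus) != 1:
        raise ValueError("need modulus > sum(r) and gcd(multiplier, modulus) == 1")
    return [(multiplier * r) % modulus for r in private_seq]

def encrypt(public_seq, bits):
    """Ciphertext is the subset sum of the public weights chosen by the bits."""
    return sum(m for m, b in zip(public_seq, bits) if b)

def decrypt(private_seq, modulus, multiplier, ciphertext):
    """Undo the multiplier, then solve the easy superincreasing instance."""
    easy_target = (pow(multiplier, -1, modulus) * ciphertext) % modulus
    return solve_superincreasing(private_seq, easy_target)

# Constructed toy parameters (far too small for any real use).
R = [3, 11, 24, 50, 115]      # Bob's private superincreasing sequence
B, A = 250, 113               # private modulus and multiplier
M = make_public_key(R, B, A)  # public weights: no longer superincreasing
```

With these values the public weights are not superincreasing, so the greedy scan that works on Bob's private sequence does not apply to them directly.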
Knapsack Crypto