COM S 453X – Spring 2017
Privacy Preserving Algorithms and Data Security
Lecture 22: Lattice-Based Cryptography and FHE
Prof. EWD Rozier

Bases

Lattice Cryptography
Lattice
• Provably secure
• Security is based on a worst-case problem
• Hardness of lattice problems
• No known quantum solution
• Simple computation
RSA/ECC
• Not always provable
• Average-case problem
• Discrete log, factoring
• Known quantum algorithms
• Requires mod, expo, etc.

Provable security
• With ECC we don’t know a curve is good, we can only know it is bad. With RSA picking a good N is a hard problem.
• With a lattice we don’t have this restriction as it is based on a worst-case problem.

What is a lattice?
• Given a set of linearly independent vectors
• We generate a lattice on the basis of:
• I.e., discrete additive subgroup.

Bases

Equivalent Bases
• When do two bases generate the same lattice?
• Given vectors v_i, v_j
• Permute:
• Negate:
• Add integer multiples:

Equivalent Bases
• We can multiply B from the right by any unimodular matrix (i.e. integer matrix with determinant +/- 1)
• Two bases are equivalent iff

Using Parallelepiped

Lattice Problems
• Given a basis B and a vector v, it is easy to decide if v is in L(B).
• How?
• Given two bases B_1, B_2, it is easy to decide if they generate the same lattice, L(B_1) = L(B_2).
• Algebraic problems are easy, geometric problems are hard!
• Given an arbitrary basis, can you find the combination of the basis vectors that gives the shortest vector?
• SVP: Given B, find a vector in L(B) of length
• Gap SVP: Given a lattice decide if (length of the shortest non-zero vector) is:
  • Less than 1
  • More than

Gamma SVP
• Gamma is an approximation parameter; as gamma gets small, the problem gets harder.
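The two checks the Lattice Problems slides above call easy, membership of v in L(B) and whether L(B_1) = L(B_2), worked as an added example that is not part of the lecture. It assumes square full-rank bases with the basis vectors as columns (so a unimodular U multiplies B from the right, as on the Equivalent Bases slide); the function names and sample matrices are constructed for illustration.

```python
from fractions import Fraction

def solve(B, rhs):
    """Solve B X = rhs exactly over the rationals (Gauss-Jordan elimination)."""
    n = len(B)
    M = [[Fraction(x) for x in B[i]] + [Fraction(x) for x in rhs[i]]
         for i in range(n)]
    for c in range(n):
        p = next((r for r in range(c, n) if M[r][c] != 0), None)
        if p is None:
            raise ValueError("basis vectors are not linearly independent")
        M[c], M[p] = M[p], M[c]
        M[c] = [x / M[c][c] for x in M[c]]          # scale pivot row to 1
        for r in range(n):
            if r != c and M[r][c] != 0:
                f = M[r][c]
                M[r] = [a - f * b for a, b in zip(M[r], M[c])]
    return [row[n:] for row in M]

def is_integral(X):
    return all(x.denominator == 1 for row in X for x in row)

def in_lattice(B, v):
    """v is in L(B) iff the coefficient vector x with B x = v is all integers."""
    return is_integral(solve(B, [[c] for c in v]))

def same_lattice(B1, B2):
    """L(B1) = L(B2) iff U = B1^-1 B2 and its inverse B2^-1 B1 are both
    integer matrices, which is exactly the condition that U is unimodular."""
    return is_integral(solve(B1, B2)) and is_integral(solve(B2, B1))

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)]
            for row in A]

# Constructed sample data: columns of GOOD are the basis vectors (2,0), (1,3).
GOOD = [[2, 1], [0, 3]]
U = [[1, 4], [1, 5]]            # integer matrix, determinant 1 (unimodular)
BAD = matmul(GOOD, U)           # longer, more skewed basis of the same lattice
OTHER = [[2, 0], [0, 3]]        # same determinant as GOOD, different lattice

if __name__ == "__main__":
    print("BAD basis:", BAD)
    print("(4,-6) in L(GOOD):", in_lattice(GOOD, [4, -6]))
    print("(1,0)  in L(GOOD):", in_lattice(GOOD, [1, 0]))
    print("L(GOOD) == L(BAD):", same_lattice(GOOD, BAD))
    print("L(GOOD) == L(OTHER):", same_lattice(GOOD, OTHER))
```

Both checks are plain linear algebra, which is the contrast the slides draw with the geometric problems (SVP, CVP) that follow.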
Lattice Problems
• Shortest Independent Vectors Problem (SIVP)
• Given some B, find n linearly independent vectors in L(B) of length
• Closest Vector Problem
• CVP: Given B and a point v, find a lattice point that is at most farther than the closest point.
• If you can solve CVP, you can solve SVP. These problems are equivalent (Goldreich, Micciancio, Safra, Seifert 99)

Lattice
• Bounded Distance Decoding (BDD): find the closest lattice point, given that v is already “pretty close”.

Why are these problems good for crypto?

One-way functions
• Typically based on GapSVP.

Lattice Crypto
• Public-key: A really “bad” basis
• Private-key: highly orthogonal short basis

Lattice Crypto
• Signing – Hash to a point in space, produce the nearest hyperplane.
• Send a lattice point that is close

Encryption with Lattices
• Given a message, compute:
• Where m are integers, and b’ are lattice points, which makes v a lattice point. The ciphertext then becomes:
• We can decrypt using:

Learning with errors
• Decision problem
• Given a ring on integers and:

Basic LWE Scheme
• Make a zero as a random subset sum…
• Add to the polynomial.

FHE Trade off
Dimension   Keygen   PK Size   ReCrypt
2048        40s      70MB      31s
8192        8m       285MB     3m
32768       2h       2.3GB     30m