Lattice-Based Cryptography
Chris Peikert
University of Michigan
QCrypt 2016
1 / 24
Agenda
1
Foundations: lattice problems, SIS/LWE and their applications
2
Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices
3
Practical Implementations: BLISS, NewHope, Frodo, HElib, Λ◦λ, . . .
4
Along the Way: open questions, research directions
2 / 24
Foundations
3 / 24
Lattice-Based Cryptography
mod
g
y=
x
p
N
N
m mod
e
=
p·
=⇒
q
e(g a , g b )
(Images courtesy xkcd.org)
4 / 24
Lattice-Based Cryptography
=⇒
(Images courtesy xkcd.org)
4 / 24
Lattice-Based Cryptography
=⇒
Why?
I Efficient: linear, embarrassingly parallel operations
(Images courtesy xkcd.org)
4 / 24
Lattice-Based Cryptography
=⇒
Why?
I Efficient: linear, embarrassingly parallel operations
I Resists quantum attacks (so far)
(Images courtesy xkcd.org)
4 / 24
Lattice-Based Cryptography
=⇒
Why?
I Efficient: linear, embarrassingly parallel operations
I Resists quantum attacks (so far)
I Security from mild worst-case assumptions
(Images courtesy xkcd.org)
4 / 24
Lattice-Based Cryptography
=⇒
Why?
I Efficient: linear, embarrassingly parallel operations
I Resists quantum attacks (so far)
I Security from mild worst-case assumptions
I Solutions to ‘holy grail’ problems in crypto: FHE and related
(Images courtesy xkcd.org)
4 / 24
What’s a Lattice?
I A periodic ‘grid’ in Zm . (Formally: full-rank additive subgroup.)
O
5 / 24
What’s a Lattice?
I A periodic ‘grid’ in Zm . (Formally: full-rank additive subgroup.)
I Basis B = {b1 , . . . , bm } :
L
=
m
X
(Z · bi )
b2
i=1
b1
O
5 / 24
What’s a Lattice?
I A periodic ‘grid’ in Zm . (Formally: full-rank additive subgroup.)
I Basis B = {b1 , . . . , bm } :
L
=
m
X
(Z · bi )
b1
i=1
O
b2
5 / 24
What’s a Lattice?
I A periodic ‘grid’ in Zm . (Formally: full-rank additive subgroup.)
I Basis B = {b1 , . . . , bm } :
L
=
m
X
(Z · bi )
b1
i=1
(Other representations too . . . )
O
b2
5 / 24
What’s a Lattice?
I A periodic ‘grid’ in Zm . (Formally: full-rank additive subgroup.)
I Basis B = {b1 , . . . , bm } :
L
=
m
X
(Z · bi )
b1
i=1
(Other representations too . . . )
O
b2
Hard Lattice Problems
I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ , SIVPγ
I For γ = poly(m), solving appears to require 2Ω(m) time (and space).
5 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
6 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
 
|
a1 
|
 
|
a2 
|

···

|
am 
|
∈ Znq
6 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
I Goal: find nontrivial z1 , . . . , zm ∈ {0, ±1} such that:
 
 
   
|
|
|
|







z1 · a 1
+ z2 · a 2
+ · · · + zm · am = 0 ∈ Znq
|
|
|
|
6 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
I Goal: find nontrivial z ∈ {0, ±1}m such that:
 


 

· · · · A · · · · 
z = 0 ∈ Znq
 
|
{z
}
m
6 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
I Goal: find nontrivial z ∈ {0, ±1}m such that:
 


 

· · · · A · · · · 
z = 0 ∈ Znq
 
|
{z
}
m
Collision-Resistant Hash Function
I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1}m → Znq
fA (x) = Ax
6 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
I Goal: find nontrivial z ∈ {0, ±1}m such that:
 


 

· · · · A · · · · 
z = 0 ∈ Znq
 
|
{z
}
m
Collision-Resistant Hash Function
I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1}m → Znq
fA (x) = Ax
I Collision x, x0 ∈ {0, 1}m where Ax = Ax0 . . .
6 / 24
A Hard Problem: Short Integer Solution
[Ajtai’96]
I Znq = n-dimensional integer vectors modulo q
I Goal: find nontrivial z ∈ {0, ±1}m such that:
 


 

· · · · A · · · · 
z = 0 ∈ Znq
 
|
{z
}
m
Collision-Resistant Hash Function
I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1}m → Znq
fA (x) = Ax
I Collision x, x0 ∈ {0, 1}m where Ax = Ax0 . . .
. . . yields solution z = x − x0 ∈ {0, ±1}m .
6 / 24
Cool!
(But what does this have to do with lattices?)
7 / 24
Cool!
(But what does this have to do with lattices?)
I A ∈ Zn×m
defines a ‘q-ary’ lattice:
q
L⊥ (A) = {z ∈ Zm : Az = 0}
O
7 / 24
Cool!
(But what does this have to do with lattices?)
(0, q)
I A ∈ Zn×m
defines a ‘q-ary’ lattice:
q
L⊥ (A) = {z ∈ Zm : Az = 0}
(q, 0)
O
7 / 24
Cool!
(But what does this have to do with lattices?)
(0, q)
I A ∈ Zn×m
defines a ‘q-ary’ lattice:
q
L⊥ (A) = {z ∈ Zm : Az = 0}
(q, 0)
I ‘Short’ solutions z lie in
O
7 / 24
Cool!
(But what does this have to do with lattices?)
(0, q)
I A ∈ Zn×m
defines a ‘q-ary’ lattice:
q
L⊥ (A) = {z ∈ Zm : Az = 0}
(q, 0)
I ‘Short’ solutions z lie in
Worst-Case to Average-Case Reduction
O
[Ajtai’96,. . . ]
Finding ‘short’ (kzk ≤ β q) nonzero z ∈ L⊥ (A)
(for uniformly random A ∈ Zn×m
)
q
⇓
solving GapSVPβ √n , SIVPβ √n on any n-dim lattice
7 / 24
Application: Digital Signatures
[GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T.
8 / 24
Application: Digital Signatures
[GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T.
I Sign(T, µ): use T to sample a short z ∈ Zm s.t. Az = H(µ) ∈ Znq .
8 / 24
Application: Digital Signatures
[GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T.
I Sign(T, µ): use T to sample a short z ∈ Zm s.t. Az = H(µ) ∈ Znq .
Draw z from a distribution that reveals nothing about secret key:
8 / 24
Application: Digital Signatures
[GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T.
I Sign(T, µ): use T to sample a short z ∈ Zm s.t. Az = H(µ) ∈ Znq .
Draw z from a distribution that reveals nothing about secret key:
I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short.
8 / 24
Application: Digital Signatures
[GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T.
I Sign(T, µ): use T to sample a short z ∈ Zm s.t. Az = H(µ) ∈ Znq .
Draw z from a distribution that reveals nothing about secret key:
I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short.
I Security: forging a signature for a new message µ∗ requires finding
short z∗ s.t. Az∗ = H(µ∗ ). This is SIS: hard!
8 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
9 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
I Search: find secret s ∈ Znq given many ‘noisy inner products’
a1 ← Znq
,
b1 ≈ hs , a1 i mod q
a2 ← Znq
,
..
.
b2 ≈ hs , a2 i mod q
9 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
I Search: find secret s ∈ Znq given many ‘noisy inner products’
a1 ← Znq
,
b1 = hs , a1 i + e1 ∈ Zq
a2 ← Znq
,
..
.
b2 = hs , a2 i + e2 ∈ Zq
√
n ≤ error q, ‘rate’ α
9 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
I Search: find secret s ∈ Znq given many ‘noisy inner products’


· · · A · · · 
,
· · · bt · · · = st A + et
√
n ≤ error q, ‘rate’ α
9 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
I Search: find secret s ∈ Znq given many ‘noisy inner products’


· · · A · · · 
,
· · · bt · · · = st A + et
√
n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
9 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
I Search: find secret s ∈ Znq given many ‘noisy inner products’


· · · A · · · 
,
· · · bt · · · = st A + et
√
n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst case
≤ search-LWE ≤ decision-LWE ≤ crypto
lattice problems
(quantum [R’05])
[BFKL’93,R’05,. . . ]
9 / 24
Another Hard Problem: Learning With Errors
[Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
I Search: find secret s ∈ Znq given many ‘noisy inner products’


· · · A · · · 
,
· · · bt · · · = st A + et
√
n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
LWE is Hard
(n/α)-approx worst case
≤ search-LWE ≤ decision-LWE ≤ crypto
lattice problems
(quantum [R’05])
[BFKL’93,R’05,. . . ]
I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
9 / 24
LWE is Versatile
What kinds of crypto can we do with LWE?
10 / 24
LWE is Versatile
What kinds of crypto can we do with LWE?
4 Key Exchange, Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 Block Ciphers, PRFs
10 / 24
LWE is Versatile
What kinds of crypto can we do with LWE?
4 Key Exchange, Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 Block Ciphers, PRFs
44 Identity-Based Encryption (w/ RO)
44 Hierarchical ID-Based Encryption (w/o RO)
10 / 24
LWE is Versatile
What kinds of crypto can we do with LWE?
4 Key Exchange, Public Key Encryption
4 Oblivious Transfer
4 Actively Secure Encryption (w/o random oracles)
4 Block Ciphers, PRFs
44 Identity-Based Encryption (w/ RO)
44 Hierarchical ID-Based Encryption (w/o RO)
!!! Fully Homomorphic Encryption
!!! Attribute-Based Encryption for arbitrary policies
and much, much more. . .
10 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
11 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
ut ≈ rt · A ∈ Znq
11 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
ut ≈ rt · A ∈ Znq
v ≈ A · s ∈ Znq
11 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
ut ≈ rt · A ∈ Znq
v ≈ A · s ∈ Znq
rt · v ≈ rt As
k ≈ ut · s ≈ rt As
11 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
ut ≈ rt · A ∈ Znq
v ≈ A · s ∈ Znq
rt · v ≈ rt As
k ≈ ut · s ≈ rt As
(A, u, v, k)
11 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
ut ≈ rt · A ∈ Znq
v ≈ A · s ∈ Znq
rt · v ≈ rt As
k ≈ ut · s ≈ rt As
(A, u, v, k)
by decision-LWE
11 / 24
Key Exchange from LWE
[Regev’05,LP’11]
r ← Zn (error)
A ← Zn×n
q
s ← Zn (error)
ut ≈ rt · A ∈ Znq
v ≈ A · s ∈ Znq
rt · v ≈ rt As
k ≈ ut · s ≈ rt As
(A, u, v, k)
by decision-LWE
11 / 24
Efficiency from Rings
12 / 24
SIS/LWE are (Sort Of) Efficient
 
..
.

· · · ai · · · 
s + ei = bi ∈ Zq
..
.
I Getting one pseudorandom
scalar bi ∈ Zq requires an n-dim
mod-q inner product
13 / 24
SIS/LWE are (Sort Of) Efficient
 
..
.

· · · ai · · · 
s + ei = bi ∈ Zq
..
.
I Getting one pseudorandom
scalar bi ∈ Zq requires an n-dim
mod-q inner product
I Can amortize each ai over many
secrets sj , but still Õ(n) work
per scalar output.
13 / 24
SIS/LWE are (Sort Of) Efficient
 
..
.

· · · ai · · · 
s + ei = bi ∈ Zq
..
.
I Getting one pseudorandom
scalar bi ∈ Zq requires an n-dim
mod-q inner product
I Can amortize each ai over many
secrets sj , but still Õ(n) work
per scalar output.
I Cryptosystems have rather large keys:


..
 . 

pk = 
 A  ,
..
.
| {z }
 
.. 

 . 
b Ω(n)
 
.. 
. 
n
13 / 24
SIS/LWE are (Sort Of) Efficient
 
..
.

· · · ai · · · 
s + ei = bi ∈ Zq
..
.
I Getting one pseudorandom
scalar bi ∈ Zq requires an n-dim
mod-q inner product
I Can amortize each ai over many
secrets sj , but still Õ(n) work
per scalar output.
I Cryptosystems have rather large keys:


..
 . 

pk = 
 A  ,
..
.
| {z }
 
.. 

 . 
b Ω(n)
 
.. 
. 
n
I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.
13 / 24
Wishful Thinking. . .
     
 
..
..
..
..
 .  .  . 
.
ai ?s+ei  = bi  ∈ Znq
     
 
..
..
..
..
.
.
.
.
I Get n pseudorandom scalars
from just one (cheap)
product operation?
I Replace Zn×n
-chunks by Znq .
q
14 / 24
Wishful Thinking. . .
     
 
..
..
..
..
 .  .  . 
.
ai ?s+ei  = bi  ∈ Znq
     
 
..
..
..
..
.
.
.
.
I Get n pseudorandom scalars
from just one (cheap)
product operation?
I Replace Zn×n
-chunks by Znq .
q
Question
I How to define the product ‘?’ so that (ai , bi ) is pseudorandom?
14 / 24
Wishful Thinking. . .
     
 
..
..
..
..
 .  .  . 
.
ai ?s+ei  = bi  ∈ Znq
     
 
..
..
..
..
.
.
.
.
I Get n pseudorandom scalars
from just one (cheap)
product operation?
I Replace Zn×n
-chunks by Znq .
q
Question
I How to define the product ‘?’ so that (ai , bi ) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
14 / 24
Wishful Thinking. . .
     
 
..
..
..
..
 .  .  . 
.
ai ?s+ei  = bi  ∈ Znq
     
 
..
..
..
..
.
.
.
.
I Get n pseudorandom scalars
from just one (cheap)
product operation?
I Replace Zn×n
-chunks by Znq .
q
Question
I How to define the product ‘?’ so that (ai , bi ) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
Answer
I ‘?’ = multiplication in a polynomial ring: e.g., Zq [X]/(X n + 1).
Fast and practical with FFT: n log n operations mod q.
14 / 24
Wishful Thinking. . .
     
 
..
..
..
..
 .  .  . 
.
ai ?s+ei  = bi  ∈ Znq
     
 
..
..
..
..
.
.
.
.
I Get n pseudorandom scalars
from just one (cheap)
product operation?
I Replace Zn×n
-chunks by Znq .
q
Question
I How to define the product ‘?’ so that (ai , bi ) is pseudorandom?
I Careful! With small error, coordinate-wise multiplication is insecure!
Answer
I ‘?’ = multiplication in a polynomial ring: e.g., Zq [X]/(X n + 1).
Fast and practical with FFT: n log n operations mod q.
I Same ring structures used in NTRU cryptosystem [HPS’98],
compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
14 / 24
LWE Over Rings, Over Simplified
I Let R = Z[X]/(X n + 1) for n a power of two, and Rq = R/qR
15 / 24
LWE Over Rings, Over Simplified
I Let R = Z[X]/(X n + 1) for n a power of two, and Rq = R/qR
F
Elements of Rq are deg < n polynomials with mod-q coefficients
F
Operations in Rq are very efficient using FFT-like algorithms
15 / 24
LWE Over Rings, Over Simplified
I Let R = Z[X]/(X n + 1) for n a power of two, and Rq = R/qR
F
Elements of Rq are deg < n polynomials with mod-q coefficients
F
Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq , given:
a1 ← Rq
,
b1 = s · a1 + e1 ∈ Rq
a2 ← Rq
,
b2 = s · a2 + e2 ∈ Rq
a3 ← Rq
,
..
.
b3 = s · a3 + e3 ∈ Rq
(ei ∈ R are ‘small’)
15 / 24
LWE Over Rings, Over Simplified
I Let R = Z[X]/(X n + 1) for n a power of two, and Rq = R/qR
F
Elements of Rq are deg < n polynomials with mod-q coefficients
F
Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq , given:
a1 ← Rq
,
b1 = s · a1 + e1 ∈ Rq
a2 ← Rq
,
b2 = s · a2 + e2 ∈ Rq
a3 ← Rq
,
..
.
b3 = s · a3 + e3 ∈ Rq
(ei ∈ R are ‘small’)
I Decision: distinguish (ai , bi ) from uniform (ai , bi ) ∈ Rq × Rq
(with noticeable advantage)
15 / 24
Hardness of Ring-LWE
[LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP
on ideal lattices in R
≤ search R-LWE ≤ decision R-LWE
(quantum,
any R = OK )
(classical,
any cyclotomic R)
16 / 24
Hardness of Ring-LWE
[LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP
on ideal lattices in R
≤ search R-LWE ≤ decision R-LWE
(quantum,
any R = OK )
1
(classical,
any cyclotomic R)
If you can find s given (ai , bi ), then you can find approximately
shortest vectors in any ideal lattice in R (using a quantum algorithm).
16 / 24
Hardness of Ring-LWE
[LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP
on ideal lattices in R
≤ search R-LWE ≤ decision R-LWE
(quantum,
any R = OK )
(classical,
any cyclotomic R)
1
If you can find s given (ai , bi ), then you can find approximately
shortest vectors in any ideal lattice in R (using a quantum algorithm).
2
If you can distinguish (ai , bi ) from (ai , bi ), then you can find s.
16 / 24
Hardness of Ring-LWE
[LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP
on ideal lattices in R
≤ search R-LWE ≤ decision R-LWE
(quantum,
any R = OK )
(classical,
any cyclotomic R)
1
If you can find s given (ai , bi ), then you can find approximately
shortest vectors in any ideal lattice in R (using a quantum algorithm).
2
If you can distinguish (ai , bi ) from (ai , bi ), then you can find s.
I Then:
decision R-LWE ≤ lots of crypto
16 / 24
Hardness of Ring-LWE
[LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP
on ideal lattices in R
≤ search R-LWE ≤ decision R-LWE
(quantum,
any R = OK )
(classical,
any cyclotomic R)
1
If you can find s given (ai , bi ), then you can find approximately
shortest vectors in any ideal lattice in R (using a quantum algorithm).
2
If you can distinguish (ai , bi ) from (ai , bi ), then you can find s.
I Then:
decision R-LWE ≤ lots of crypto
F
If you can break the crypto, then you can distinguish (ai , bi ) from
(ai , bi ). . .
16 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
17 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
To get ideal lattices, embed R and its ideals into Rn . How?
17 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
To get ideal lattices, embed R and its ideals into Rn . How?
1 Obvious answer: ‘coefficient embedding’
a0 + a1 X + · · · + an−1 X n−1 ∈ R
7→
(a0 , . . . , an−1 ) ∈ Zn
17 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
To get ideal lattices, embed R and its ideals into Rn . How?
1 Obvious answer: ‘coefficient embedding’
a0 + a1 X + · · · + an−1 X n−1 ∈ R
7→
(a0 , . . . , an−1 ) ∈ Zn
+ is coordinate-wise, but analyzing · is cumbersome.
17 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
To get ideal lattices, embed R and its ideals into Cn . How?
1 Obvious answer: ‘coefficient embedding’
a0 + a1 X + · · · + an−1 X n−1 ∈ R
7→
(a0 , . . . , an−1 ) ∈ Zn
+ is coordinate-wise, but analyzing · is cumbersome.
2
Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots
of X n + 1 are ω 1 , ω 3 , . . . , ω 2n−1 . Embed:
a(X) ∈ R
7→
(a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn
17 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
To get ideal lattices, embed R and its ideals into Cn . How?
1 Obvious answer: ‘coefficient embedding’
a0 + a1 X + · · · + an−1 X n−1 ∈ R
7→
(a0 , . . . , an−1 ) ∈ Zn
+ is coordinate-wise, but analyzing · is cumbersome.
2
Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots
of X n + 1 are ω 1 , ω 3 , . . . , ω 2n−1 . Embed:
a(X) ∈ R
7→
(a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn
Both + and · are coordinate-wise.
17 / 24
Ideal Lattices
I Say R = Z[X]/(X n + 1) for power-of-two n.
(Or R = OK .)
I An ideal I ⊆ R is closed under + and −, and under · with R.
To get ideal lattices, embed R and its ideals into Rn . How?
1 Obvious answer: ‘coefficient embedding’
a0 + a1 X + · · · + an−1 X n−1 ∈ R
7→
(a0 , . . . , an−1 ) ∈ Zn
+ is coordinate-wise, but analyzing · is cumbersome.
2
Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots
of X n + 1 are ω 1 , ω 3 , . . . , ω 2n−1 . Embed:
a(X) ∈ R
7→
(a(ω 1 ) , a(ω 3 ) , . . . , a(ω 2n−1 )) ∈ Cn
Both + and · are coordinate-wise.
Error distribution is Gaussian in canonical embedding.
17 / 24
Ideal Lattices
I Say R = Z[X]/(X 2 + 1). Embeddings map X 7→ ±i.
σ(X) = (i, −i)
σ(1) = (1, 1)
Ideal Lattices
I Say R = Z[X]/(X 2 + 1). Embeddings map X 7→ ±i.
I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i)
σ(1) = (1, 1)
σ(X − 2)
σ(−3X + 1)
18 / 24
Ideal Lattices
I Say R = Z[X]/(X 2 + 1). Embeddings map X 7→ ±i.
I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i)
σ(1) = (1, 1)
σ(X − 2)
σ(−3X + 1)
(Approximate) Shortest Vector Problem
I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R,
find a nearly shortest nonzero a ∈ I.
18 / 24
Complexity of Ideal Lattices
1
We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
19 / 24
Complexity of Ideal Lattices
1
We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai , bi ) don’t readily translate to ideals in R.
19 / 24
Complexity of Ideal Lattices
1
We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai , bi ) don’t readily translate to ideals in R.
2
How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
19 / 24
Complexity of Ideal Lattices
1
We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai , bi ) don’t readily translate to ideals in R.
2
How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
F
Despite much ring structure (e.g., subfields, Galois), no significant
improvement versus general n-dim lattices is known.
19 / 24
Complexity of Ideal Lattices
1
We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai , bi ) don’t readily translate to ideals in R.
2
How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
F
Despite much ring structure (e.g., subfields, Galois), no significant
improvement versus general n-dim lattices is known.
F
But 2O( n log n) -SVP is quantum poly-time solvable in prime-power
cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
√
19 / 24
Complexity of Ideal Lattices
1
We know approx-R-SVP ≤ R-LWE (quantumly). Other direction?
Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai , bi ) don’t readily translate to ideals in R.
2
How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
F
Despite much ring structure (e.g., subfields, Galois), no significant
improvement versus general n-dim lattices is known.
F
But 2O( n log n) -SVP is quantum poly-time solvable in prime-power
cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
F
There is a 2Ω(
circumvented?
√
√
n/ log n)
barrier for the main technique. Can it be
19 / 24
Implementations
20 / 24
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14],
with many optimizations and conjectured ≥ 200-bit quantum security.
21 / 24
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14],
with many optimizations and conjectured ≥ 200-bit quantum security.
Comparable to or even faster than state-of-the-art ECDH w/ 128-bit
(non-quantum) security.
21 / 24
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14],
with many optimizations and conjectured ≥ 200-bit quantum security.
Comparable to or even faster than state-of-the-art ECDH w/ 128-bit
(non-quantum) security.
Google has experimentally deployed NewHope+ECDH in Chrome
canary and its own web servers.
21 / 24
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14],
with many optimizations and conjectured ≥ 200-bit quantum security.
Comparable to or even faster than state-of-the-art ECDH w/ 128-bit
(non-quantum) security.
Google has experimentally deployed NewHope+ECDH in Chrome
canary and its own web servers.
I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange,
with many tricks and optimizations. Conjectured ≥ 128-bit quantum
security.
21 / 24
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14],
with many optimizations and conjectured ≥ 200-bit quantum security.
Comparable to or even faster than state-of-the-art ECDH w/ 128-bit
(non-quantum) security.
Google has experimentally deployed NewHope+ECDH in Chrome
canary and its own web servers.
I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange,
with many tricks and optimizations. Conjectured ≥ 128-bit quantum
security.
About 10x slower than NewHope, but only ≈2x slower than ECDH.
21 / 24
Digital Signatures
I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].
22 / 24
Digital Signatures
I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].
I BLISS [DDLL’13]: optimized implementation in this framework.
22 / 24
Digital Signatures
I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].
I BLISS [DDLL’13]: optimized implementation in this framework.
I Compelling efficiency:
System
Sig (Kb)
PK (Kb)
KSign/sec
KVer/sec
RSA-4096
ECDSA-256
BLISS
4.0
0.5
5.6
4.0
0.25
7.0
0.1
9.5
8.0
7.5
2.5
33
(Conjectured ≥ 128 bits of security, openssl implementations.)
22 / 24
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic
encryption (FHE).
23 / 24
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic
encryption (FHE).
Implements many advanced FHE features, holds most speed records
23 / 24
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic
encryption (FHE).
Implements many advanced FHE features, holds most speed records
I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level
framework aimed at advanced lattice cryptosystems.
23 / 24
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic
encryption (FHE).
Implements many advanced FHE features, holds most speed records
I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level
framework aimed at advanced lattice cryptosystems.
Focuses on modularity, safety, and consistency with best theory.
23 / 24
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto,
both ‘basic’ and ‘advanced.’
24 / 24
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto,
both ‘basic’ and ‘advanced.’
I Cryptanalysis/security estimates for concrete parameters is subtle and
ongoing, but maturing.
24 / 24
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto,
both ‘basic’ and ‘advanced.’
I Cryptanalysis/security estimates for concrete parameters is subtle and
ongoing, but maturing.
I A big success story for rigorous theory and practical engineering alike!
24 / 24
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto,
both ‘basic’ and ‘advanced.’
I Cryptanalysis/security estimates for concrete parameters is subtle and
ongoing, but maturing.
I A big success story for rigorous theory and practical engineering alike!
Thanks!
24 / 24