Foundations of Lattice Cryptography
Daniele Micciancio
Department of Computer Science and Engineering
University of California, San Diego
August 12-16, 2013, (UCI)
This Talk
Introduction to Lattice Cryptography for Math/non-CS
Assume familiarity with math (number theory, lattices, . . . )
Focus on computational issues, relevant to
cryptography/computer science
High level view. If you want to know more ask questions!
Cryptography ⊆ Math ∩ Computer Science
Same old lattices
Many interesting questions, both from math and cryptography
Here: what questions are relevant/important to cryptography?
Will use familiar examples from number theory for illustration
Lattices and Bases
A lattice is the set of all integer linear combinations of (linearly
independent) basis vectors B = {b_1, . . . , b_n} ⊂ R^n:
$L = \sum_{i=1}^{n} b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\}$
The same lattice has many bases: $L = \sum_{i=1}^{n} c_i \cdot \mathbb{Z}$
[Figure: the same two-dimensional lattice drawn with basis b_1, b_2 and with basis c_1, c_2]
Definition (Lattice)
A discrete additive subgroup of R^n
Cryptography
Goal (informal): Build functions f : A → B that are hard to break
Question 1: What does it mean to break a function?
Average-case vs Worst-case complexity
Pseudorandomness
. . . for now, assume “break” = “invert”
Question 2: How do we argue about f being hard to break?
Attacks/Cryptanalysis: study the best known algorithms to
invert a function
Security proofs: show that inverting the function allows one to
solve the underlying mathematical problem
Familiar Example: Factoring based cryptography
Definition (Factoring problem)
Given composite N ∈ N, find P, Q > 1 such that N = P · Q
Cryptographic functions:
Square(x) = x^2 mod N (Rabin)
Cube(x) = x^3 mod N (low exponent RSA)
[Figure: x ↦ Cube ↦ x^3, with the inverse direction marked "???"]
Definition (loRSA inversion problem)
Given N ∈ N, and y ∈ Z_N^*, find x such that Cube(x) = y.
Relation between Inversion and Factoring problems
Square, Cube are easy to invert if factorization N = P · Q is
known
Invert modulo P and Q separately
Combine the results using the Chinese Remainder Theorem
[Figure: "Invert x^2" ⇔ "Factor N"; "Factor N" ⇒ "Invert x^3", with the reverse direction marked "???"]
If you can invert x^2, then you can factor N:
Choose random x ∈ Z_N^*, and compute x' = √(x^2)
If x' ≠ ±x, then gcd(x − x', N) ∈ {P, Q} gives the
factorization
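The reduction on this slide, worked through as an added example (not part of the original slides): the square-root oracle is simulated with the factorization (roots mod P and mod Q combined by CRT), and the toy primes P, Q are constructed assumptions.

```python
import math
import random

# Constructed toy modulus (not from the slides): P, Q = 3 (mod 4), so a square
# root modulo each prime is the single exponentiation y^((p+1)/4).
P, Q = 10007, 10067
N = P * Q


def square(x):
    """Rabin's function: Square(x) = x^2 mod N."""
    return x * x % N


def sqrt_with_factors(y):
    """Invert Square when the factorization is known: take a root modulo P and
    modulo Q separately, then combine with the Chinese Remainder Theorem.
    The returned root is canonical (independent of which root the caller
    started from), which is exactly what the reduction below exploits."""
    sp = pow(y, (P + 1) // 4, P)
    sq = pow(y, (Q + 1) // 4, Q)
    return (sp * Q * pow(Q, -1, P) + sq * P * pow(P, -1, Q)) % N


def factor_with_sqrt_oracle(oracle, rng=random, tries=100):
    """Reduction from the slide: choose random x, ask the oracle for a root x'
    of x^2; with probability 1/2 we get x' != +-x, and then gcd(x - x', N)
    is a nontrivial factor. Returns None only if every try fails (2^-100)."""
    for _ in range(tries):
        x = rng.randrange(2, N)
        g = math.gcd(x, N)
        if g != 1:                      # x not in Z_N^*: already a factor
            return g
        x2 = oracle(square(x))
        if x2 != x and x2 != N - x:
            return math.gcd(x - x2, N)  # proper factor, since x^2 = x'^2 mod N
    return None


if __name__ == "__main__":
    g = factor_with_sqrt_oracle(sqrt_with_factors)
    print("N =", N, "=", g, "*", N // g)
```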
Lattice cryptography
Two “kinds” of cryptographic functions
Functions for which lattice algorithms are the best known, or
most natural attack. (E.g., NTRU, Gentry FHE, . . . )
[Figure: Lattice Problem ⇒ Invert f, with the reverse direction marked "???"]
Functions that are at least as hard to break as some standard
lattice problem. (E.g., Ajtai, Regev, . . . )
[Figure: Lattice Problem ⇔ Invert f]
What does f look like?
What Lattice Problem shall we use?
f may look quite different from Lattice Problem!
Minimum Distance and Successive Minima
Minimum distance
$\lambda_1 = \min_{x, y \in L,\, x \neq y} \|x - y\| = \min_{x \in L,\, x \neq 0} \|x\|$
[Figure: λ_1 and λ_2 of a two-dimensional lattice]
Successive minima (i = 1, . . . , n)
$\lambda_i = \min\{r : \dim \mathrm{span}(B(r) \cap L) \geq i\}$
Examples
Z^n: λ_1 = λ_2 = . . . = λ_n = 1
Always: λ_1 ≤ λ_2 ≤ . . . ≤ λ_n
Distance Function and Covering Radius
Distance function
$\mu(t, L) = \min_{x \in L} \|t - x\|$
Covering radius
$\mu(L) = \max_{t \in \mathrm{span}(L)} \mu(t, L)$
[Figure: a target t at distance μ(t, L) from the lattice, and spheres of radius μ(L) around the lattice points]
Spheres of radius μ(L) centered
around all lattice points cover the
whole space
Relations among lattice parameters
Theorem
$\lambda_1(L) \leq \lambda_2(L) \leq \ldots \leq \lambda_n(L) \leq 2\mu(L) \leq \sqrt{n}\,\lambda_n(L)$
Theorem (Banaszczyk)
$1 \leq 2\lambda_1(L) \cdot \rho(L^*) \leq n.$
$1 \leq \lambda_i(L) \cdot \lambda_{n-i+1}(L^*) \leq n.$
Remarks:
1 μ ≈ λ_n (up to √n factors)
2 For some lattices λ_1 ≪ λ_2 ≪ . . . ≪ λ_n
3 For some lattices λ_1 = λ_2 = . . . = λ_n and 2μ = √n λ_n
4 For some lattices λ_1 = λ_2 = . . . = λ_n and μ ≤ 2λ_n
Problem
Give an explicit construction of a lattice satisfying (4)
Shortest Vector Problem
Definition (Shortest Vector Problem, SVP_γ)
Given a lattice L(B), find a (nonzero) lattice vector Bx (with
x ∈ Z^k) of length (at most) ‖Bx‖ ≤ γλ_1
[Figure: basis b_1, b_2, circles of radius λ_1 and 2λ_1, and the lattice vector Bx = 5b_1 − 2b_2]
Shortest Independent Vectors Problem
Definition (Shortest Independent Vectors Problem, SIVP_γ)
Given a lattice L(B), find n linearly independent lattice vectors
Bx_1, . . . , Bx_n of length (at most) max_i ‖Bx_i‖ ≤ γλ_n
[Figure: basis b_1, b_2, circles of radius λ_2 and 2λ_2, and the independent lattice vectors Bx_1, Bx_2]
Closest Vector Problem
Definition (Closest Vector Problem, CVP_γ)
Given a lattice L(B) and a target point t, find a lattice vector Bx
within distance ‖Bx − t‖ ≤ γμ from the target
[Figure: basis b_1, b_2, the target t, the lattice vector Bx, and circles of radius μ and 2μ around t]
Special Versions of SVP, SIVP and CVP
GapSVP: compute (or approximate) the value λ1 without
necessarily finding a short vector
GapSIVP: compute (or approximate) the value λn without
necessarily finding short linearly independent vectors
Bounded Distance Decoding (BDD): Solve CVP when
µ(t, L) < λ1 (L)/(2γ),
Absolute Distance Decoding (ADD): Find lattice point Bx
such that ‖Bx − t‖ ≤ γ · μ(L).
Relations among (general) lattice problems
SIVP ≈ ADD [MG’01]
SVP ≤ CVP [GMSS’99]
SIVP ≤ CVP [M’08]
CVP ≲ SVP [L’86]
GapSVP ≈ GapSIVP [LLS’90,B’93]
GapSVP ≲ BDD [LM’09]
BDD ≲ SIVP
[Figure: diagram of these reductions among GapSVP, GapSIVP, BDD, SIVP, ADD, CVP and SVP, with regions labelled Public Key Cryptography and Private Key Cryptography]
Question
Can we say the same about lattices with symmetries?
See [PR’07] for SVP ≤ CVP.
Worst-case vs. Average-case Hardness
Definition (Factoring problem)
Given composite N ∈ N, find P, Q > 1 such that N = P · Q
Algorithm A solves the factoring problem if for any composite
N, it outputs P, Q > 1 such that N = PQ.
Factoring is hard = No efficient algorithm solves Factoring
Same as: for every efficient algorithm A there exists composite
N such that A(N) does not output P, Q
This is worst-case hardness: the hardest to factor N is indeed
hard to factor
Not enough for cryptography!
It doesn’t matter if some key is hard to break
You want assurance that your (randomly chosen) key is hard
to break with high probability
Average-case hardness: most N are hard to factor
Difficulties with average-case complexity
Average-case complexity depends on input distribution
Let N be a uniformly random integer in {1, . . . , 2^n}
Easy on average: N = 2 · (N/2) with probability 50%!
Let N be uniformly random in {N ∈ {1, . . . , 2^n} : N = P · Q}
Still easy: there are O(2^n/n) products with P = 2, and only
O(2^n/n^2) products with P ≈ Q.
Let N = P · Q where P, Q ∈ {1, . . . , 2^{n/2}} are chosen
uniformly at random
Ok, maybe now we got it right. This is believed to be hard on
average.
Belief is based on many decades (or centuries) of hard work!
Question
How do we know a distribution is right for cryptography?
Average-case hardness: inversion problem
Definition (loRSA inversion problem)
Given N ∈ N, and y = Cube(x), recover x
Assume N = P · Q is a hard distribution for N
Question: how shall we choose x?
Answer: choose x ∈ Z_N^* uniformly at random
Why? This is provably the hardest distribution!
Assume we can invert Cube on the average (say, w/ prob. 1%)
Say we want to invert y = Cube(x) (in the worst case)
Compute y' = y · Cube(r) for randomly chosen r ∈ Z_N^*
Notice: x' = x · r ∈ Z_N^* is uniformly random and Cube(x') = y'
Recover x' = x · r (with probability 1%)
Compute x = x'/r
Repeat 100 times to boost success probability
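The re-randomization argument above, carried out as an added example (not from the slides): an attacker that inverts Cube on only about 1% of the inputs is turned into one that inverts any y. The toy primes P, Q, the "divisible by 100" rule of the simulated attacker and the trapdoor it uses internally are constructed assumptions.

```python
import math
import random

# Constructed toy modulus (not from the slides), with gcd(3, (P-1)(Q-1)) = 1
# so that Cube is a permutation of Z_N^* and has a well-defined inverse.
P, Q = 10007, 10067
N = P * Q
D = pow(3, -1, (P - 1) * (Q - 1))   # trapdoor exponent: Cube(x)^D = x mod N


def cube(x):
    """Low-exponent RSA: Cube(x) = x^3 mod N."""
    return pow(x, 3, N)


def weak_inverter(y):
    """Stand-in for an average-case attacker that inverts Cube on roughly 1%
    of the inputs (constructed rule: whenever y is divisible by 100) and
    answers None otherwise. It uses the trapdoor only to simulate success."""
    if y % 100 != 0:
        return None
    return pow(y, D, N)


def invert_any(y, inverter, rng=random, tries=5000):
    """Random self-reduction from the slide: y' = y * Cube(r) for random r is
    uniformly distributed in Z_N^*, so the attacker succeeds on it with its
    average-case probability; its answer x' = x * r is then divided by r."""
    for _ in range(tries):          # ~100 tries expected at a 1% success rate
        r = rng.randrange(1, N)
        if math.gcd(r, N) != 1:
            continue
        x2 = inverter(y * cube(r) % N)
        if x2 is not None:
            return x2 * pow(r, -1, N) % N
    return None


if __name__ == "__main__":
    x = 4242
    print(weak_inverter(cube(x)), invert_any(cube(x), weak_inverter))
```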
Cryptographic functions
Definition (Ajtai’s function)
f_A(x) = Ax mod q, where A ∈ Z_q^{n×m} and x ∈ {0, 1}^m
Example (n = 4, m = 7, q = 10):
x = (0, 1, 1, 0, 1, 0, 0) ∈ {0, 1}^m
A ∈ Z_q^{n×m}:
1 4 5 9 3 0 2
4 2 8 6 2 4 3
7 5 5 4 7 8 0
2 7 0 1 4 6 9
y = Ax = (2, 2, 7, 1) ∈ Z_q^n
Cryptanalysis (Inversion)
Given A and y, find x ∈ {0, 1}^m such that Ax = y
Ajtai’s function and lattice problems
Cryptanalysis (Inversion)
Given A and y, find small solution x ∈ {0, 1}^m to inhomogeneous
linear system Ax = y (mod q)
Inverting Ajtai’s function can be formulated as a lattice problem.
Easy problem: find (arbitrary) integer solution t to system of
linear equations At = y (mod q)
All solutions to Ax = y are of the form t + L where
L = {x ∈ Z^m : Ax = 0 (mod q)}
Cryptanalysis problem: find a small vector in t + L
Equivalently: find a lattice vector v ∈ L close to t
Inverting Ajtai’s function is an average case instance of the Closest
Vector Problem where the lattice is chosen according to L, for
A ∈ Z_q^{n×m}, and x is a random “short” vector.
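The slide's own instance (A, x, q = 10), as an added example not from the original slides: it evaluates f_A, inverts it by exhaustive search over {0,1}^7, and looks for short vectors of the kernel lattice L, which is what makes x + v another integer solution of the same system. The matrix and vectors are the slide's; the search bound is an assumption.

```python
import itertools

Q = 10
# The matrix A, input x and output y from the slide (n = 4, m = 7, q = 10).
A = [
    [1, 4, 5, 9, 3, 0, 2],
    [4, 2, 8, 6, 2, 4, 3],
    [7, 5, 5, 4, 7, 8, 0],
    [2, 7, 0, 1, 4, 6, 9],
]
X = (0, 1, 1, 0, 1, 0, 0)
Y = (2, 2, 7, 1)

def mat_vec(a, v, q=Q):
    """A v mod q for any integer vector v."""
    return tuple(sum(ai * vi for ai, vi in zip(row, v)) % q for row in a)

def ajtai(a, x, q=Q):
    """f_A(x) = A x mod q, defined on 0/1 vectors."""
    assert all(xi in (0, 1) for xi in x)
    return mat_vec(a, x, q)

def in_kernel_lattice(a, v, q=Q):
    """Membership test for L = {v in Z^m : A v = 0 (mod q)}."""
    return not any(mat_vec(a, v, q))

def invert_by_search(a, y, q=Q):
    """All 0/1 preimages of y, by exhaustive search (only feasible for tiny m).
    Each one is a short vector of the coset t + L for any integer solution t."""
    m = len(a[0])
    return [x for x in itertools.product((0, 1), repeat=m) if mat_vec(a, x, q) == y]

def shortest_kernel_vector(a, q=Q, bound=2):
    """Shortest nonzero v with entries in [-bound, bound] and A v = 0 (mod q).
    Brute force with an assumed bound; for real n, m this is the hard lattice step."""
    best = None
    for v in itertools.product(range(-bound, bound + 1), repeat=len(a[0])):
        if any(v) and in_kernel_lattice(a, v, q):
            if best is None or sum(c * c for c in v) < sum(c * c for c in best):
                best = v
    return best

if __name__ == "__main__":
    print(ajtai(A, X), invert_by_search(A, Y), shortest_kernel_vector(A))
```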
Breaking a function
What does it mean to “break” f : A → B?
Recovery Problem: Given f and f (x), recover x
with nonnegligible probability when f , x are chosen at random
Inversion Problem: Given f and y ∈ B, find x s.t. f (x) = y
with nonnegligible probability when f , x are chosen at random
Decision Problem: Given f and y ∈ B, determine if y ∈ f (A)
Given random f and y ∈ B, determine if y was chosen as
y = f (x) (for random x), or uniformly from B.
Definition (Pseudorandomness)
f (x) looks like a uniformly random element of f (A).
Pseudorandomness
The output of f : A → B is pseudorandom if f (A) looks like B.
Interesting property when |A| ≪ |B|.
Very important in cryptography:
Typically f (x) is used as an input or key to some other
cryptographic function
If f (x) does not look random, it cannot be used as a key
Example: if f (x) is used as a one-time pad, then correlations
in f (x) reveal correlations in the message.
Pseudorandomness can be very tricky:
Example: square(x) = x^2 (mod N)
Decision problem: determine if y is a quadratic residue
Are random quadratic residues hard to recognize?
Is testing quadratic residuosity as hard as factoring?
Lattice Based Cryptography
Ajtai: f_A(x) = Ax (mod q), where A ∈ Z_q^{n×m} and x ∈ {0, 1}^m
are chosen uniformly at random.
Regev: Similar, but for parameters that make f_A injective
Lattice Problem: GapSVP approximate λ_1 within a factor
Õ(n) in the worst-case
[Figure: GapSVP ⇒ Invert random f ⇒ f(x) ≈ Z_q^n ?]
This is the right way to use lattices!
Lattices with symmetries
Why use lattices with symmetries?
fA (x) = Ax can be computed much faster when A is a
structured matrix, both in theory and practice
E.g., SWIFFT function [LMPR’08] performance comparable
to block ciphers
Mathematically attractive (algebraic number theory, etc.)
Cryptanalysis:
Are structured A’s easier to break?
Is fA (x) still pseudorandom?
Security proof:
fA still hard to invert, assuming worst-case hardness of SVP
on algebraic lattices [M’02]
One-way and pseudorandom even in the injective setting
[LPR’10,LPR’13]
Limitations of proof based security analysis
Proof of security shows that
uniform A ∈ Zqn×m is the right distribution for cryptography,
fA (x) = Ax (mod q) is the right way to use A.
However it does not provide a good indication of concrete
hardness of breaking fA .
Conclusion
Security proof provides strong qualitative results pointing to
the right distribution to be used in lattice cryptography
Concrete security is better assessed by cryptanalysis / lattice
algorithms
Lattice Algorithms
Best known attack against lattice cryptography
Most accurate method to assess current security level of
lattice cryptography
Many other applications:
Algebraic Number Theory
Factoring polynomials
Coding theory
Integer Programming
...
The LLL Algorithm [LLL’82]
Landmark result in theoretical computer science
Elegant theoretical analysis showing it approximates SVP
within γ = 2^{O(n)} factor
Works much better in practice when run on “random” lattices
Still, as dimension grows, experiments confirm γ = 2^{O(n)}
approximation
Questions
1 Can we do better than LLL?
2 Can lattice algorithms take advantage of lattice symmetries?
Beyond LLL: Exact Algorithms
Lattice algorithms for the exact solution of SVP, CVP, etc.
Algorithm         Time              Space   Prob.   Problem
Enum. [K’87]      2^{O(n log n)}    poly    no      SVP, CVP, SIVP
Sieve [AKS’01]    2^{O(n)}          exp     yes     SVP
Voronoi [MV’10]   2^{O(n)}          exp     no      SVP, CVP, SIVP
All work for arbitrary lattices
Use very different techniques/ideas
Can these methods take advantage of lattice symmetries?
Can they solve BDD faster than SVP/CVP?
Beyond LLL: Polynomial time approximation
Generalize LLL using exact algorithms for SVP in small
dimensional sublattices
Block Korkine Zolotarev (BKZ) [Schnorr’87]
Rankin/Mordell inequality [GHKN’06,GN’08,DM’13]
Polynomial time approximation
LLL+Enumeration: γ = 2^{O(n (log log n)^2 / log n)}
LLL+Sieving: γ = 2^{O(n log log n / log n)} (randomized)
LLL+Voronoi: γ = 2^{O(n log log n / log n)}
Smooth trade-off between running time and approximation:
γ ≈ 2^{O(n log log T / log T)}
References
[MG] Micciancio, Goldwasser (Springer 2001)
[GMSS] Goldreich, Micciancio, Safra, Seifert (Inf. Proc. Letters, 1999)
[M] Micciancio (SODA 2008) (FOCS 2002/Comp. Compl. 2007)
[L] Lovasz (SIAM 1986)
[LLS] Lagarias, Lenstra, Schnorr (Combinatorica 1990)
[B] Banaszczyk (Math. Ann. 1993)
[LM] Lyubashevsky, Micciancio (Crypto 2009)
[PR] Peikert, Rosen (STOC 2007)
[LPR] Lyubashevsky, Peikert, Regev (Eurocrypt 2010, 2013)
[LMPR] Lyubashevsky, Micciancio, Peikert, Rosen (FSE 2008)
[LLL] Lenstra, Lenstra, Lovasz (Math. Ann. 1982)
[K] Kannan (STOC 1983)
[AKS] Ajtai, Kumar, Sivakumar (STOC 2001)
[MV] Micciancio, Voulgaris (STOC 2010, SIAM J. Comp. 2013)
[GHKN] Gama, Howgrave-Graham, Koy, Nguyen (Crypto 2006)
[GN] Gama, Nguyen (STOC 2008)
[DM] Dadush, Micciancio (SODA 2013)
Blurring a lattice
Consider an arbitrary lattice, and add
noise to each lattice point until the entire space is covered. Increase the noise
until the space is uniformly covered.
How much noise is needed? [MR]
$\|r\| \leq (\log n) \cdot \sqrt{n} \cdot \lambda_n / 2$
[Figure: a lattice point v, an error vector r, and the blurred point a = v + r]
Each point a ∈ R^n can be
written a = v + r where v ∈ L and
$\|r\| \approx \sqrt{n}\,\lambda_n$.
a ∈ R^n is uniformly distributed.
Security of Ajtai’s function (sketch)
Generate random points a_i = v_i + r_i, where
v_i is a random lattice point
r_i is a random error vector of length $\|r_i\| \approx \sqrt{n}\,\lambda_n$
A = [a_1, . . . , a_m] is distributed almost uniformly at random in
R^{n×m}, q = n^{O(1)}, m = O(n log q) = O(n log n), so
if we can break Ajtai’s function f_A, then
we can find a vector z ∈ {−1, 0, 1}^m such that
$\sum_i a_i z_i = \sum_i (v_i + r_i) z_i = 0$
Rearranging the terms yields a lattice vector
$\sum_i v_i z_i = -\sum_i r_i z_i$
of length at most $\|\sum_i r_i z_i\| \approx \sqrt{m} \cdot \max_i \|r_i\| \approx n \cdot \lambda_n$