Due to the imminent threat of quantum computers, which may break all currently deployed cryptographic schemes in the near future, research in the field of cryptography has increasingly shifted to "post-quantum" cryptographic primitives, which attempt to offer security even in the age of large-scale quantum computers. Lattice-based solutions are leading candidates among post-quantum cryptosystems, due to their efficiency, versatility, and simplicity. These slides explain the basic ideas behind lattice-based cryptography, using visuals whenever possible for ease of understanding.
28. Lattices
Lattice problems
Easy lattice problems:
• Given a good basis, finding a bad basis
• Given a good basis, finding short lattice vectors
• Given a good basis, finding close lattice vectors
• Given any basis, verifying membership of the lattice
29. Lattices
Lattice problems
Easy lattice problems:
• Given a good basis, finding a bad basis
• Given a good basis, finding short lattice vectors
• Given a good basis, finding close lattice vectors
• Given any basis, verifying membership of the lattice
Hard lattice problems:
• Given a bad basis, finding a good basis
• Given a bad basis, finding short lattice vectors
• Given a bad basis, finding close lattice vectors
45. r1
r2
b1
b2
O
s
c
Lattice-based signatures
Attacking the scheme [NR06]
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
46. O
s
c
Lattice-based signatures
Obtain a signature
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
47. e
O
s
c
Lattice-based signatures
Compute the error vector
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
48. O
Lattice-based signatures
Store the error vector
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
49. O
s
c
Lattice-based signatures
Obtain a signature
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
50. e
O
s
c
Lattice-based signatures
Compute the error vector
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
51. O
Lattice-based signatures
Store the error vector
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
52. O
s
c
Lattice-based signatures
Obtain a signature
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
53. e
O
s
c
Lattice-based signatures
Compute the error vector
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
54. O
Lattice-based signatures
Store the error vector
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
55. O
Lattice-based signatures
Obtain many error vectors
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
56. O
Lattice-based signatures
Obtain many error vectors
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
57. O
Lattice-based signatures
Obtain many error vectors
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
58. O
Lattice-based signatures
Obtain many error vectors
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
59. r1
r2
O
Lattice-based signatures
Recover the private key
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
60. r1
r2
O
Lattice-based signatures
Recover the private key
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
61. r1
r2
b1
b2
O
s
c
Lattice-based signatures
Overview
Private key:
R = {r1,...,rn}
Public key:
B = {b1,...,bn}
Signing m:
c = H(m)
s = R R−1
c
Verifying s:
s ∈ L
s − H(m) small
Obtain error vectors:
s = Sign(m)
c = H(m)
e = c − s
Leaks R = {r1,...,rd}:
e ∈ D(R)
Can recover R via
gradient descent
84. Lattice algorithms
Lattice enumeration vs. lattice sieving
Lattice enumeration
• Brute-force all combinations of the basis vectors [FP85]
• Each coordinate 2O(n)
options =⇒ 2O(n2
)
time complexity
• Balance preprocessing time with search time: 2O(nlogn)
time [Kan83]
• Requires almost no memory
85. Lattice algorithms
Lattice enumeration vs. lattice sieving
Lattice enumeration
• Brute-force all combinations of the basis vectors [FP85]
• Each coordinate 2O(n)
options =⇒ 2O(n2
)
time complexity
• Balance preprocessing time with search time: 2O(nlogn)
time [Kan83]
• Requires almost no memory
Lattice sieving
• Combine vectors in a huge list to find shorter vectors [AKS01]
• Generally requires 2O(n)
time and 2O(n)
space
• Current best asymptotics: 20.292n+o(n)
time and space [BDGL16]
87. Lattice algorithms
Concrete estimates
Most common hardness estimates:
• Cost of finding nice basis (n) ≥ Cost of sieving/enumeration (β)
• Ignore space complexity, ignore o(β) in time complexity
• Classical sieving: 20.292β
time [BDGL16]
• Quantum sieving: 20.265β
time [Laa16]
89. Summary
Lattice-based cryptography
• Main principle: hard to find good bases from bad bases
Private key: Good lattice basis
Public key: Bad lattice basis
• Signatures: Decode with good basis to nearby lattice point
Lattice-based cryptanalysis
• Two flavors, trading time for memory
Enumeration: Low memory, slower in high dimensions
Sieving: High memory, faster in practice
• Security estimates: solving SVP/CVP takes ≥ 20.292n
time