Recommended
More Related Content
What's hot
What's hot (20)
Similar to An introduction to lattice-based cryptography
Similar to An introduction to lattice-based cryptography (20)
Recently uploaded
Recently uploaded (20)
An introduction to lattice-based cryptography
- 1. An introduction to lattice-based cryptography Thijs Laarhoven mail@thijs.com http://www.thijs.com/ (Slides from July 2019)
- 4. Lattices What is a lattice?
- 5. O Lattices What is a lattice?
- 6. b1 b2 O Lattices What is a lattice?
- 7. b1 b2 O Lattices What is a lattice?
- 8. r1 r2 O Lattices Basis for the same lattice
- 9. v1 v2 O Lattices Basis for a sublattice
- 10. v1 v2 O Lattices Basis for a sublattice
- 11. v1 v2 O Lattices Basis for a sublattice
- 13. b1 b2 s -s O Lattices Shortest Vector Problem (SVP)
- 18. r1 r2 O Lattices Finding closest vectors (good basis)
- 19. r1 r2 O Lattices Finding closest vectors (good basis)
- 20. r1 r2 O t Lattices Finding closest vectors (good basis)
- 21. r1 r2 O t Lattices Finding closest vectors (good basis)
- 22. r1 r2 O t v Lattices Finding closest vectors (good basis)
- 23. b1 b2 O Lattices Finding closest vectors (bad basis)
- 24. b1 b2 O Lattices Finding closest vectors (bad basis)
- 25. b1 b2 O t Lattices Finding closest vectors (bad basis)
- 26. b1 b2 O t Lattices Finding closest vectors (bad basis)
- 27. b1 b2 O t v Lattices Finding closest vectors (bad basis)
- 28. Lattices Lattice problems Easy lattice problems: • Given a good basis, finding a bad basis • Given a good basis, finding short lattice vectors • Given a good basis, finding close lattice vectors • Given any basis, verifying membership of the lattice
- 29. Lattices Lattice problems Easy lattice problems: • Given a good basis, finding a bad basis • Given a good basis, finding short lattice vectors • Given a good basis, finding close lattice vectors • Given any basis, verifying membership of the lattice Hard lattice problems: • Given a bad basis, finding a good basis • Given a bad basis, finding short lattice vectors • Given a bad basis, finding close lattice vectors
- 31. Lattice-based signatures Overview [GGH97] Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 32. O Lattice-based signatures Private key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 33. r1 r2 O Lattice-based signatures Private key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 34. r1 r2 O Lattice-based signatures Private key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 35. r1 r2 O Lattice-based signatures Public key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 36. r1 r2 b1 b2 O Lattice-based signatures Public key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 37. b1 b2 r1 r2 O Lattice-based signatures Signing a message Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 38. b1 b2 r1 r2 O c Lattice-based signatures Signing a message Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 39. b1 b2 r1 r2 O c Lattice-based signatures Signing a message Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 40. b1 b2 r1 r2 O c Lattice-based signatures Signing a message Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 41. b1 b2 r1 r2 O s c Lattice-based signatures Signing a message Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 42. r1 r2 b1 b2 O s c Lattice-based signatures Verifying a signature Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 43. r1 r2 b1 b2 O s c Lattice-based signatures Verifying a signature Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 44. r1 r2 b1 b2 O s c Lattice-based signatures Overview Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small
- 45. r1 r2 b1 b2 O s c Lattice-based signatures Attacking the scheme [NR06] Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 46. O s c Lattice-based signatures Obtain a signature Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 47. e O s c Lattice-based signatures Compute the error vector Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 48. O Lattice-based signatures Store the error vector Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 49. O s c Lattice-based signatures Obtain a signature Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 50. e O s c Lattice-based signatures Compute the error vector Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 51. O Lattice-based signatures Store the error vector Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 52. O s c Lattice-based signatures Obtain a signature Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 53. e O s c Lattice-based signatures Compute the error vector Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 54. O Lattice-based signatures Store the error vector Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 55. O Lattice-based signatures Obtain many error vectors Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 56. O Lattice-based signatures Obtain many error vectors Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 57. O Lattice-based signatures Obtain many error vectors Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 58. O Lattice-based signatures Obtain many error vectors Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 59. r1 r2 O Lattice-based signatures Recover the private key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 60. r1 r2 O Lattice-based signatures Recover the private key Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 61. r1 r2 b1 b2 O s c Lattice-based signatures Overview Private key: R = {r1,...,rn} Public key: B = {b1,...,bn} Signing m: c = H(m) s = R R−1 c Verifying s: s ∈ L s − H(m) small Obtain error vectors: s = Sign(m) c = H(m) e = c − s Leaks R = {r1,...,rd}: e ∈ D(R) Can recover R via gradient descent
- 64. b1 b2 O Lattice algorithms Determine possible coefficients of b2
- 65. b1 b2 O Lattice algorithms Determine possible coefficients of b2
- 66. b1 b2 O Lattice algorithms Determine possible coefficients of b2
- 67. b1 b2 O Lattice algorithms Determine possible coefficients of b2
- 68. b1 * b2 * O Lattice algorithms Determine possible coefficients of b2
- 69. b1 * b2 * O Lattice algorithms Determine possible coefficients of b2
- 70. b1 * b2 * O Lattice algorithms Find short vectors for each coefficient of b2
- 71. O Lattice algorithms Find short vectors for each coefficient of b2
- 72. O Lattice algorithms Find short vectors for each coefficient of b2
- 73. v1 -v1 O Lattice algorithms Find short vectors for each coefficient of b2
- 74. v1 -v1 O Lattice algorithms Find short vectors for each coefficient of b2
- 75. v1 -v1 v2 v3 O Lattice algorithms Find short vectors for each coefficient of b2
- 76. v1 -v1 v2 v3 O Lattice algorithms Find short vectors for each coefficient of b2
- 77. v1 -v1 v2 v3 v4 v5 O Lattice algorithms Find short vectors for each coefficient of b2
- 78. v1 -v1 v2 v3 v4 v5 O Lattice algorithms Find short vectors for each coefficient of b2
- 79. v1 -v1 v2 v3 v4 v5 v6O Lattice algorithms Find short vectors for each coefficient of b2
- 80. v1 -v1 v2 v3 v4 v5 v6O Lattice algorithms Find short vectors for each coefficient of b2
- 81. v1 -v1 v2 v3 v4 v5 v6-v2 -v3 -v4 -v5-v6 O Lattice algorithms Find short vectors for each coefficient of b2
- 82. v1 -v1 v2 v3 v4 v5 v6-v2 -v3 -v4 -v5-v6 O Lattice algorithms Find a shortest vector among all found vectors
- 83. v1 -v1 s v3 v4 v5 v6-s -v3 -v4 -v5-v6 O Lattice algorithms Find a shortest vector among all found vectors
- 84. Lattice algorithms Lattice enumeration vs. lattice sieving Lattice enumeration • Brute-force all combinations of the basis vectors [FP85] • Each coordinate 2O(n) options =⇒ 2O(n2 ) time complexity • Balance preprocessing time with search time: 2O(nlogn) time [Kan83] • Requires almost no memory
- 85. Lattice algorithms Lattice enumeration vs. lattice sieving Lattice enumeration • Brute-force all combinations of the basis vectors [FP85] • Each coordinate 2O(n) options =⇒ 2O(n2 ) time complexity • Balance preprocessing time with search time: 2O(nlogn) time [Kan83] • Requires almost no memory Lattice sieving • Combine vectors in a huge list to find shorter vectors [AKS01] • Generally requires 2O(n) time and 2O(n) space • Current best asymptotics: 20.292n+o(n) time and space [BDGL16]
- 86. Lattice algorithms Practice [SVP] ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ■ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼ ▼▼▼ ▼ ▼▼ ★ ★★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ★ ♢ ♢ ♢ ♢ ♢♢ ♢♢♢ ♢ ♢♢ ♢ ♢ ♢ ♢♢ ♢ ♢ ■ Enumeration (continuous pruning) ▼ Enumeration (discrete pruning) ★ Sieving (old) ♢ Sieving (new) 80 100 120 140 160 100 104 106 108 1010 → Lattice dimension →Singlecoretimings(seconds) 1 hour 1 day 1 year 1 century
- 87. Lattice algorithms Concrete estimates Most common hardness estimates: • Cost of finding nice basis (n) ≥ Cost of sieving/enumeration (β) • Ignore space complexity, ignore o(β) in time complexity • Classical sieving: 20.292β time [BDGL16] • Quantum sieving: 20.265β time [Laa16]
- 89. Summary Lattice-based cryptography • Main principle: hard to find good bases from bad bases Private key: Good lattice basis Public key: Bad lattice basis • Signatures: Decode with good basis to nearby lattice point Lattice-based cryptanalysis • Two flavors, trading time for memory Enumeration: Low memory, slower in high dimensions Sieving: High memory, faster in practice • Security estimates: solving SVP/CVP takes ≥ 20.292n time
- 90. References (clickable) Lattice-based cryptography • General: [MG02], [MR09], [Mic16], [Pei16], [NIST] • Signatures: [GGH97], [NR06], [DN12] • NTRU: [HPS98], [HHPW10], [SS11], [BCLV17] • LWE: [Reg05], [Reg10], [BCD+16] • Ring-LWE: [SSTX09], [LPR10], [LPR13] • (Ring-)LWR: [BPR13], [AKPW13], [AKRV17], [BBF+17] Lattice-based cryptanalysis • General: [MG02], [MR09], [HPS11], [Mic16], [ACD+18], [SVP] • Enumeration: [FP85], [Kan83], [GNR10], [AN17], [ANS18] • Sieving: [AKS01], [LMP15], [BDGL16], [Laa16], [Duc18], [ADH+19] • Basis reduction: [LLL82], [SE94], [CN11]