Presentation on lattice-based cryptography, given as part of the Post-Quantum Cryptography course of the PPGCC at UFSC.
ODP version: http://coenc.td.utfpr.edu.br/~giron/presentations/aula_lattice.odp
3. Lattice-Based Cryptography
References & Materials
Books:
Bernstein, Daniel J., Buchmann, Johannes and Dahmen, Erik. Post-Quantum Cryptography. Springer-Verlag Berlin Heidelberg, 2009. (pp 147-187).
Buchmann, J. Post Quantum Cryptography. 2010. (pp 22-37).
Von zur Gathen, Joachim. CryptoSchool. Springer, 2015. (pp 575-651).
Papers:
Hoffstein, Jeffrey, Jill Pipher, and Joseph H. Silverman. "NTRU: A ring-based public key cryptosystem." International Algorithmic Number Theory Symposium. Springer, Berlin, Heidelberg, 1998.
Coppersmith, Don, and Adi Shamir. "Lattice attacks on NTRU." International Conference on the Theory and Applications of Cryptographic Techniques. Springer, Berlin, Heidelberg, 1997.
Bernstein, Daniel J., et al. "NTRU Prime: reducing attack surface at low cost." International Conference on Selected Areas in Cryptography. Springer, Cham, 2017.
Puodzius, Cassius de Oliveira, and Paulo SLM Barreto. "Implementação do Criptossistema Pós-Quântico NTRU conforme a Norma IEEE 1363.1." X Simpósio Brasileiro em Segurança da Informação e de Sistemas Computacionais.
Wang, Qingxuan, Chi Cheng, and Ling Zuo. "Analysis and Improvement of a NTRU-Based Handover Authentication Scheme." IEEE Communications Letters (2019).
Xie, Shaofen, et al. "Similarity Test for Privacy-Preserving Medical Data Sharing Based on NTRU Encryption." 2019 IEEE 9th International Conference on Electronics Information and Emergency Communication (ICEIEC). IEEE, 2019.
Summer School on Post-Quantum Cryptography 2017 - https://2017.pqcrypto.org/school/schedule.html
4. Lattice-Based Cryptography
Introduction
What is a lattice?
Thijs Laarhoven:
Vector space (n dimensions)
Has basis vectors (e.g. b1 and b2)
L is generated by all of the integer linear combinations of the basis vectors (e.g. 5*b1 − 2*b2 is a point in the lattice).
Bernstein: ”A lattice is a set of points in n-dimensional space with a periodic structure”
Von zur Gathen:
6. Lattice-Based Cryptography
Introduction
Definitions
Matrix notation for a lattice
(1) If U is a unimodular matrix, the bases B and BU generate the same lattice:
(2) Determinant of a lattice:
(3) Linearly independent vectors:
the linear combination $a_1 v_1 + a_2 v_2 + \dots + a_n v_n = 0$ holds only when all of the $a_i$ are equal to zero.
(4) Norm (Euclidean norm):
$x = (x_1, x_2, \dots, x_n) \in \mathbb{R}^n$, $\star$: inner product
8. Lattice-Based Cryptography
Introduction
Lattice Basis Reduction
“Find a nicer basis of the same lattice”
Ex: r1, r2 generate the same lattice
Reduction Algorithms:
Gauss Algorithm (or Lagrange Algorithm)
LLL reduction [LLL82]
Blockwise generalization of Gauss reduction
BKZ reduction [Sch87, SE94]
Blockwise generalization of Korkin-Zolotarev reduction
The goal is to solve SVP in projected sub-lattices of dimension k
22. Lattice-Based Cryptography
Introduction – LWE
Learning With Errors
Also called “the hidden vector” problem
The starting point for the construction of various other cryptographic primitives
First security proof by Regev in 2009 (under CPA)
Parameters: $n$, $m$, $q$ prime, $s \in \mathbb{Z}_q^n$, $e \in \mathbb{Z}_q^m$
Input: $(G, A)$ with $G \in \mathbb{Z}_q^{m \times n}$ and $A \in \mathbb{Z}_q^m$, where either $A = Gs + e$ or not.
The goal is to distinguish between these two cases.
23. Lattice-Based Cryptography
Introduction – LWE
(Toy Example)
https://www.youtube.com/watch?v=MBdKvBA5vrw
Encryption model: $A = Gs + e \pmod q$, with $q = 97$
$s = 5$ (secret), $e = 12$
$G = [5, 8, 12, 16, 2, 6, 11, 3, 7, 10]$
$A = [37, 52, 27, 92, 22, 42, 67, 27, 47, 62]$
$pk = (A, G)$
Encrypting a bit ($M = 1$):
Sampling: $u = \sum(G\ \text{samples})$, $v = \sum(A\ \text{samples}) - \left(\frac{q}{2}\right) \cdot M$, ciphertext $C = (u, v)$
$u = \sum([8, 12, 16, 10, 6]) = 52$
$v = \sum([52, 27, 92, 62, 42]) - \left(\frac{97}{2}\right) \cdot 1 = 275 - 48.5 = 226.5$
$C = (52, 226.5)$
Decryption ($s = 5$): $Dec = v - s u \pmod q$; $M = 1$ if $Dec > \frac{q}{2}$, $M = 0$ otherwise
$Dec = 226.5 - 5 \cdot 52 \pmod{97} = -33.5 \pmod{97} = 63.5 > \frac{97}{2}$, so $M = 1$
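The toy scheme above, as an added Python example that is not from the slides or the linked video: it reproduces the slide's numbers (using the A exactly as printed) and then runs a freshly constructed instance with small random errors to check that the slide's decision rule holds. Function names and the error range 1..4 are my own choices.

```python
from random import Random

Q = 97  # the slide's prime modulus

def keygen(s, G, errors):
    # public key (A, G) with A_i = G_i*s + e_i (mod q); the secret s is the private key
    return [(g * s + e) % Q for g, e in zip(G, errors)], G

def encrypt(pk, bit, idx):
    # add up a chosen subset of samples; v carries the bit scaled by q/2, as on the slide
    A, G = pk
    u = sum(G[i] for i in idx)
    v = sum(A[i] for i in idx) - (Q / 2) * bit
    return u, v

def decrypt(s, c):
    # dec = v - s*u (mod q) = sum(e_i over the subset) - (q/2)*bit, so dec > q/2 means bit = 1
    u, v = c
    dec = (v - s * u) % Q
    return dec, 1 if dec > Q / 2 else 0

def slide_values():
    # the slide's G and A (as printed) and its subset {8, 12, 16, 10, 6} = indices 1, 2, 3, 9, 5
    G = [5, 8, 12, 16, 2, 6, 11, 3, 7, 10]
    A = [37, 52, 27, 92, 22, 42, 67, 27, 47, 62]
    c = encrypt((A, G), 1, [1, 2, 3, 9, 5])
    return c, decrypt(5, c)

def random_roundtrip(seed, n=10, trials=50):
    # a constructed instance: errors in 1..4 and subsets of 3..5 samples keep
    # 3 <= sum(e_i) <= 20, well below q/2, so the slide's decision rule never fails
    rng = Random(seed)
    s = rng.randint(1, Q - 1)
    G = [rng.randint(1, Q - 1) for _ in range(n)]
    pk = keygen(s, G, [rng.randint(1, 4) for _ in range(n)])
    for _ in range(trials):
        bit = rng.randint(0, 1)
        idx = rng.sample(range(n), rng.randint(3, 5))
        if decrypt(s, encrypt(pk, bit, idx))[1] != bit:
            return False
    return True
```

slide_values() returns the slide's C = (52, 226.5) and Dec = 63.5. Note that keygen(5, G, [12]*10) gives 12·5 + 12 = 72 at index 2 rather than the printed 27; the slide's subsequent arithmetic uses 27.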
24. Lattice-Based Cryptography
Introduction – LWE
Worst-case connection
Quantum reduction from $\mathrm{SVP}_\gamma$ to LWE (Regev, O. 2009)
The hardness of LWE (and hence the security of a cryptosystem built on it) is based on the worst-case quantum hardness of $\mathrm{SVP}_\gamma$
Connection to Coding Theory
“Learning parity with noise problem”
Also believed to be hard
25. Lattice-Based Cryptography
Introduction – Applicability of Lattices
Cryptanalysis
“For many types of new systems, one has to consider carefully potential attacks using this methodology”
Security Reductions
“If a system like the Diffie-Hellman key exchange or RSA encryption is secure, it is not clear that … a prime factor in an RSA modulus are also secure. Lattice technology provides proofs that this is indeed the case.”
Cryptography
“Since 1996, the method has been used to devise cryptosystems that have ... a desirable property that no previous system had: breaking an ‘average instance’ is as difficult as breaking a ‘hardest instance’.”
Discovered in a breakthrough paper by Ajtai
Ex: GGH, NTRU, NTRU Prime, NewHope…
Ajtai, M. Generating hard instances of lattice problems. In Complexity of computations and proofs, volume 13 of Quad. Mat., pages 1–32. Dept. Math., Seconda Univ. Napoli, Caserta (2004). Preliminary version in STOC 1996.
27. Lattice-Based Cryptography
GGH Cryptosystem
GGH
Oded Goldreich, Shafi Goldwasser and Shai Halevi
Provides
Encryption scheme
Signature scheme
Trapdoor mechanism
Difference in the ability to find lattice points close to arbitrary vectors using different bases of the same lattice
Good vs. bad basis
“Non-reduced” basis B used to compute the function
Reduced basis R used for the inversion
Goldreich, Oded, Shafi Goldwasser, and Shai Halevi. "Public-key cryptosystems from lattice reduction problems." Annual International Cryptology Conference. Springer, Berlin, Heidelberg, 1997.
31. Lattice-Based Cryptography
GGH Cryptosystem
GGH Parameters
Dimension of the lattice: n
Distribution of the private basis
Choosing a random lattice
Choosing an “almost rectangular” lattice
HNF of the reduced basis
Generating the public basis
Mixing steps
Bernstein lecture:
GGH would need a very high dimension, and it would be impractical
32. Lattice-Based Cryptography
GGH Cryptosystem
Remarks: GGH Encryption
Map the message to a lattice point
Integer combinations of the public basis
Add a (random) “small error vector”
Decryption
Using the private (reduced) basis
Look for a lattice point which is close to the ciphertext
“We remark that our encryption algorithm is similar in its algorithmic nature to a scheme based on algebraic coding that was suggested by McEliece”
33. Lattice-Based Cryptography
GGH Cryptosystem
Remarks: GGH Signature
M (message) as an n-dimensional vector over the reals.
A signature of such a vector:
a lattice point which is close to it
Verifying
Checking that the signature is indeed a lattice point and that M is close to the signature
Problem
If M’ is close to M’’ then they will have the same signature
Recommendation: hash first
35. Lattice-Based Cryptography
NTRU
NTRU – A Ring-based Public Key Cryptosystem
Introduced by Hoffstein–Pipher–Silverman in 1998.
Ring-based
“N-th degree TRUncated polynomial ring”
Security related to lattice problems
Encryption with a mixing system based on polynomial algebra and reduction modulo p and q
Security also relies on the fact that it is very difficult to find short vectors in most lattices
US Patent No. 6,081,597
NTRUEncrypt (open-source)
NTRUSign
Parameters: $p$, $q$, $N$ with $\gcd(p, q) = 1$ and $q > p$; sets $L_f$, $L_g$, $L_\phi$, $L_m$
Assumptions: $R = \mathbb{Z}[X]/(X^N - 1)$
37. Lattice-Based Cryptography
NTRU
Key Creation
$f$, $g$ polynomials with $f \in L_f$, $g \in L_g$
$f$ must have inverses $F_q$, $F_p$:
$f \ast F_q \equiv 1 \pmod q$
$f \ast F_p \equiv 1 \pmod p$
$h \equiv F_q \ast g \pmod q$
Public key: $h$
Private key: $f$ (also store $F_p$)
Example (Link)
Parameters: $N = 11$, $q = 32$, $p = 3$
Suppose Bob chooses:
$g = -1 + X^2 + X^3 + X^5 - X^8 - X^{10}$
$f = -1 + X + X^2 - X^4 + X^6 + X^9 - X^{10}$
Computing $F_p$, $F_q$:
$F_p = 1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + 2X^9$
$F_q = 5 + 9X + 6X^2 + 16X^3 + 4X^4 + 15X^5 + 16X^6 + 22X^7 + 20X^8 + 18X^9 + 30X^{10}$
Computing $h$: $h = 3 F_q \ast g \pmod{32}$
$h = 8 + 25X + 22X^2 + 20X^3 + 12X^4 + 24X^5 + 15X^6 + 19X^7 + 12X^8 + 19X^9 + 16X^{10}$
38. Lattice-Based Cryptography
NTRU
Encryption
Select: $\phi \in L_\phi$, $m \in L_m$
Encrypt: $e \equiv p\phi \ast h + m \pmod q$
Decryption
First decrypt: $a \equiv f \ast e \pmod q$
Recovering $m$ with $F_p$: $m = F_p \ast a \pmod p$
Example (Link)
Alice chooses $m$, $\phi$:
$m = -1 + X^3 - X^4 - X^8 + X^9 + X^{10}$
$\phi = -1 + X^2 + X^3 + X^4 - X^5 + X^7$
Alice encrypts it with Bob's public key $h$ (in this example the factor $p$ is already folded into $h = 3 F_q \ast g$, so $e \equiv \phi \ast h + m \pmod q$):
$e = (-1 + X^2 + X^3 + X^4 - X^5 + X^7) \ast h + (-1 + X^3 - X^4 - X^8 + X^9 + X^{10}) \pmod{32}$
$e = 14 + 11X + 26X^2 + 24X^3 + 14X^4 + 16X^5 + 30X^6 + 7X^7 + 25X^8 + 6X^9 + 19X^{10} \pmod{32}$
Bob decrypts it: $a = f \ast e \pmod{32}$
$a = 3 - 7X - 10X^2 - 11X^3 + 10X^4 + 7X^5 + 6X^6 + 7X^7 + 5X^8 - 3X^9 - 7X^{10} \pmod{32}$
Bob reduces $a \pmod p$ and recovers $m$ with $F_p$:
$m = -1 + X^3 - X^4 - X^8 + X^9 + X^{10} \pmod 3$
39. Lattice-Based Cryptography
NTRU – Why does it work?
Decryption starts with:
$a \equiv f \ast e \pmod q \equiv f \ast (p\phi \ast h + m) \pmod q = f \ast (p\phi \ast (F_q \ast g) + m) \pmod q = (p\phi \ast g + f \ast m) \pmod q$
Using appropriate parameters, all of the coefficients of $p\phi \ast g + f \ast m$ lie between $-\frac{q}{2}$ and $\frac{q}{2}$, so the polynomial also does not change when reduced modulo $q$.
Therefore, $a = p\phi \ast g + f \ast m$ in $\mathbb{Z}[X]/(X^N - 1)$.
Reducing $a$ to mod $p$: $a = (p\phi \ast g + f \ast m) \pmod p = f \ast m \pmod p$
Multiplying it with $F_p$: $f \ast m \ast F_p = m \pmod p$
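The NTRU key creation, encryption and decryption above, as an added Python example that is not from the slides or from any NTRU implementation. It follows the worked example's convention $h = p \cdot F_q \ast g$ (so $e = \phi \ast h + m$), derives $F_p$ and $F_q$ itself (square-and-multiply in the finite ring for the primes, Newton lifting for $q = 32$; the function names and that method are my own choices), and checks the "why it works" identity $a = p\phi \ast g + f \ast m$ by round-tripping $m$.

```python
# Added example: the NTRU toy instance from the slides (N=11, q=32, p=3) run end to end.
# Polynomials are coefficient lists (index = degree) in Z[X]/(X^N - 1).
N, P, Q = 11, 3, 32
ONE = [1] + [0] * (N - 1)

def conv(a, b, mod):
    # cyclic convolution a*b mod (X^N - 1), coefficients reduced mod `mod`
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] = (c[(i + j) % N] + ai * bj) % mod
    return c

def centre(a, mod):
    # lift coefficients from [0, mod) to the centred range (-mod/2, mod/2]
    return [x - mod if x > mod // 2 else x for x in a]

def inverse_mod_prime(f, prime, unit_order):
    # f^-1 = f^(unit_order-1) by square-and-multiply, since every unit satisfies
    # f^unit_order = 1. For N = 11, Z_p[X]/(X^11-1) splits as F_3 x F_243 x F_243
    # (unit_order 242) and as F_2 x F_1024 (unit_order 1023).
    result, base, e = ONE, [x % prime for x in f], unit_order - 1
    while e:
        if e & 1:
            result = conv(result, base, prime)
        base, e = conv(base, base, prime), e >> 1
    assert conv(f, result, prime) == ONE, "f has no inverse mod %d" % prime
    return result

def inverse_mod_q(f):
    # Newton lift of the inverse mod 2 up to mod Q = 2^5: F <- F * (2 - f*F)
    F = inverse_mod_prime(f, 2, 1023)
    while conv(f, F, Q) != ONE:
        t = conv(f, F, Q)
        F = conv(F, [2 - t[0]] + [-x for x in t[1:]], Q)
    return F

def keygen(f, g):
    # public key h = p * Fq * g (mod q), as in the worked example; private key (f, Fp)
    Fp, Fq = inverse_mod_prime(f, P, 242), inverse_mod_q(f)
    return [(P * x) % Q for x in conv(Fq, g, Q)], (f, Fp)

def encrypt(h, m, r):
    # e = r*h + m (mod q); r is the blinding polynomial (phi on the slides)
    return [(x + y) % Q for x, y in zip(conv(r, h, Q), m)]

def decrypt(sk, e):
    # a = f*e centred mod q (this equals p*r*g + f*m exactly), then m = Fp*a (mod p)
    a = centre(conv(sk[0], e, Q), Q)
    return centre(conv(sk[1], a, P), P)

F_BOB = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]    # f = -1 + X + X^2 - X^4 + X^6 + X^9 - X^10
G_BOB = [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]    # g = -1 + X^2 + X^3 + X^5 - X^8 - X^10
M_ALICE = [-1, 0, 0, 1, -1, 0, 0, 0, -1, 1, 1]  # m = -1 + X^3 - X^4 - X^8 + X^9 + X^10
R_ALICE = [-1, 0, 1, 1, 1, -1, 0, 1, 0, 0, 0]   # phi = -1 + X^2 + X^3 + X^4 - X^5 + X^7
```

Run on the slides' polynomials, keygen reproduces $F_q$ and $h$ exactly as listed, but the $F_p$ it derives carries an extra $X^8$ term ($1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + X^8 + 2X^9$), which is the polynomial that actually satisfies $f \ast F_p \equiv 1 \pmod 3$; decrypt(sk, encrypt(h, M_ALICE, R_ALICE)) returns M_ALICE.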
42. Lattice-Based Cryptography
NTRUSign
NTRU Digital Signature
PASS: “Polynomial Authentication and Signature Scheme” (1999)
Based on GGH
Updated version: pqNTRUSign (2014)
Based on the Learning with Truncation (LWT) problem
Submitted to NIST
For a given L and document m, its signature is a vector v:
v = hash(m|L) mod p
https://www.onboardsecurity.com/nist-post-quantum-crypto-submission
43. Lattice-Based Cryptography
NTRUSign
Signing
Input: hash function, m (message), (pf, g) from the private key and h (the public key)
Steps:
1. (sp, tp) ← Hash(m | h) mod p
2. Vector r from sampling on a given distribution;
3. Compute s0 = pr + sp, so that s0 ≡ sp (mod p), and compute t0 = s0 h. (s0, t0) is a lattice vector.
4. Compute a = (tp − t0) g^-1 mod p.
5. Compute (s1, t1) = a(pf, g)
6. The above steps are repeated with rejection sampling.
Output: the signature (s, t) with (s, t) = (s0, t0) + (s1, t1)
https://2017.pqcrypto.org/conference/slides/recent-results/zhang.pdf
44. Lattice-Based Cryptography
NTRUSign
Verify:
1. Check if (s, t) = hash(m | h) mod p.
2. Check if the norm of (s, t) is within some bound.
3. Check if t = s h
Remarks on the submission
pqNTRUSign is an efficient instantiation of a modular lattice signature over the NTRU lattice.
Public key security is based on NTRU security
The forgery security is based on LWT over the NTRU lattice
The transcript security is provided by rejection sampling