LATTICE-BASED CRYPTOGRAPHY
Alexandre Augusto Giron
Lattice-Based Cryptography 2
Outline
1 Introduction
Definitions
Lattice Problems
Lattice Basis Reduction
Learning With Errors (LWE)
Applicability of Lattices
2 GGH Cryptosystem
3 NTRU Cryptosystem
4 Conclusions
References & Materials
Books:
Bernstein, Daniel J., Buchmann, Johannes and Dahmen, Erik. Post-Quantum
Cryptography. Springer-Verlag Berlin Heidelberg, 2009. (pp 147-187).
Buchmann, J. Post Quantum Cryptography. 2010. (pp 22-37).
Von zur Gathen, Joachim. CryptoSchool. Springer, 2015. (pp 575-651)
Papers:
Hoffstein, Jeffrey, Jill Pipher, and Joseph H. Silverman. "NTRU: A ring-based
public key cryptosystem." International Algorithmic Number Theory Symposium.
Springer, Berlin, Heidelberg, 1998.
Coppersmith, Don, and Adi Shamir. "Lattice attacks on NTRU." International
Conference on the Theory and Applications of Cryptographic Techniques. Springer,
Berlin, Heidelberg, 1997.
Bernstein, Daniel J., et al. "NTRU Prime: reducing attack surface at low cost."
International Conference on Selected Areas in Cryptography. Springer, Cham, 2017.
Puodzius, Cassius de Oliveira, and Paulo SLM Barreto. "Implementação do
Criptossistema Pós-Quântico NTRU conforme a Norma IEEE 1363.1." X Simpósio
Brasileiro em Segurança da Informação e de Sistemas Computacionais.
Wang, Qingxuan, Chi Cheng, and Ling Zuo. "Analysis and Improvement of a NTRU-Based
Handover Authentication Scheme." IEEE Communications Letters (2019).
Xie, Shaofen, et al. "Similarity Test for Privacy-Preserving Medical Data Sharing
Based on NTRU Encryption." 2019 IEEE 9th International Conference on Electronics
Information and Emergency Communication (ICEIEC). IEEE, 2019.
Summer School on Post-Quantum Cryptography 2017 - https://2017.pqcrypto.org/school/schedule.html
Introduction
What is a lattice?
Thijs Laarhoven:
Vector space (n dimensions)
Has basis vectors (e.g. b1 and b2)
L is generated by all of the integer linear combinations of the basis vectors
(e.g. 5·b1 – 2·b2 → a point in the lattice).
Bernstein: "A lattice is a set of points in n-dimensional space with a periodic structure"
Von zur Gathen:
Introduction
Example
Point p = 3·(12, 2) – 2·(13, 4)
= (36, 6) – (26, 8)
= (10, −2)
Introduction
Definitions
Matrix notation for a lattice
(1) If U is a unimodular matrix, the bases B and BU generate the same lattice.
(2) Determinant of a lattice.
(3) Linearly independent vectors: the linear combination
a1v1 + a2v2 + … + anvn = 0 holds only when all the ai are equal to zero.
(4) Norm (Euclidean norm) of x = (x1, x2, …, xn) ∈ ℝⁿ; ⋆ denotes the inner product.
Introduction
Lattice Problems
Shortest (nonzero) Vector Problem (SVP)
Closest Vector Problem (CVP): related to a target point t
Approximations
Ex: SVPγ: find a vector whose norm is at most γ times that of the shortest nonzero vector.
Introduction
Lattice Basis Reduction
"Find a nicer basis of the same lattice"
Ex: r1, r2 generate the same lattice
Reduction Algorithms:
Gauss Algorithm (or Lagrange Algorithm)
LLL reduction [LLL82]
Blockwise generalization of Gauss reduction
BKZ reduction [Sch87, SE94]
Blockwise generalization of Korkin-Zolotarev reduction
Goal is to solve the SVP in projected sub-lattices of dimension k
Introduction
Gauss Reduction
Works in two dimensions
Normalize: uses the Gram-Schmidt orthogonalization (GSO), computed with the GS process.
Swap: switches the two vectors, (b1, b2) → (b2, b1).
Introduction
GS Process
where
Introduction – Summer School Exercise
Preparation: we need ‖b1‖ ⩽ ‖b2‖
‖b1‖ = √(144·144 + 0·0) = 144
‖b2‖ = √(89·89 + 1·1) = √7922 ≈ 89.01
Therefore swap(b1, b2):
b1 = (89, 1)
b2 = (144, 0)
Introduction – Summer School Exercise
Iteration 1: b1 = (89, 1), b2 = (144, 0)
μ2,1 = ⟨b2, b̃1⟩ / ‖b̃1‖²
|μ2,1| = (144·89 + 0·1) / (√(89² + 1²))²
|μ2,1| = 12816 / 7922 ≈ 1.617 > 1/2
Normalize (μ2,1 is rounded to the nearest integer, written ⌊μ2,1⌉):
b2 := b2 − ⌊μ2,1⌉ b1
b2 := (144, 0) − ⌊1.617⌉ (89, 1)
b2 := (144, 0) − (178, 2)
b2 := (−34, −2)
Check whether ‖b2‖ < ‖b1‖:
‖b1‖ ≈ 89.01
‖b2‖ = √((−34)² + (−2)²) = √1160 ≈ 34.05
Then swap(b1, b2):
b1 = (−34, −2)
b2 = (89, 1)
Introduction – Summer School Exercise
Iteration 2: b1 = (−34, −2), b2 = (89, 1)
μ2,1 = ⟨b2, b̃1⟩ / ‖b̃1‖²
μ2,1 = (89·(−34) + 1·(−2)) / (√((−34)² + (−2)²))²
|μ2,1| = |−3028 / 1160| ≈ 2.61 > 1/2
Normalize:
b2 := b2 − ⌊μ2,1⌉ b1
b2 := (89, 1) − ⌊−2.61⌉ (−34, −2)
b2 := (89, 1) − (102, 6)
b2 := (−13, −5)
Check whether ‖b2‖ < ‖b1‖:
‖b1‖ ≈ 34.05
‖b2‖ = √((−13)² + (−5)²) = √194 ≈ 13.92
Then swap(b1, b2):
b1 = (−13, −5)
b2 = (−34, −2)
Introduction – Summer School Exercise
Iteration 3: b1 = (−13, −5), b2 = (−34, −2)
μ2,1 = ⟨b2, b̃1⟩ / ‖b̃1‖²
|μ2,1| = ((−34)·(−13) + (−2)·(−5)) / (√((−13)² + (−5)²))²
|μ2,1| = 452 / 194 ≈ 2.33 > 1/2
Normalize:
b2 := b2 − ⌊μ2,1⌉ b1
b2 := (−34, −2) − ⌊2.33⌉ (−13, −5)
b2 := (−34, −2) − (−26, −10)
b2 := (−8, 8)
Check whether ‖b2‖ < ‖b1‖:
‖b1‖ ≈ 13.92
‖b2‖ = √((−8)² + 8²) = √128 ≈ 11.31
Then swap(b1, b2):
b1 = (−8, 8)
b2 = (−13, −5)
Introduction – Summer School Exercise
Iteration 4: b1 = (−8, 8), b2 = (−13, −5)
μ2,1 = ⟨b2, b̃1⟩ / ‖b̃1‖²
|μ2,1| = ((−13)·(−8) + (−5)·8) / (√((−8)² + 8²))²
|μ2,1| = 64 / 128 = 1/2 → END
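The reduction just worked through, as an added example (my own code, not from the slides or the summer-school material): an exact-arithmetic Gauss/Lagrange reduction that replays the four iterations on the exercise's basis (144, 0), (89, 1) and ends at (−8, 8), (−13, −5). The function and variable names are mine; the determinant check at the end is a sanity test that the reduced basis still spans the same lattice.

```python
"""Gauss (Lagrange) reduction of a 2-dimensional lattice basis.

Added example, my own code (not from the slides or the summer-school
material). It replays the exercise above: make sure ||b1|| <= ||b2||, then
repeat { mu = <b2,b1>/||b1||^2; if |mu| <= 1/2 stop; b2 := b2 - round(mu)*b1;
swap if b2 became shorter, else stop }. Integers and Fractions keep every
step exact, so the printed mu values are the ones of the exercise.
"""
from fractions import Fraction
from typing import List, Tuple

Vec = Tuple[int, int]
Step = Tuple[Fraction, Vec, Vec]          # (mu_{2,1}, b1, b2) at the top of an iteration


def dot(u: Vec, v: Vec) -> int:
    return u[0] * v[0] + u[1] * v[1]


def norm_sq(u: Vec) -> int:
    return dot(u, u)


def nearest_int(x: Fraction) -> int:
    """Round to the nearest integer (ties away from zero). A Fraction always has
    a positive denominator, so floor((2n + d) / 2d) = floor(n/d + 1/2)."""
    n, d = x.numerator, x.denominator
    if n >= 0:
        return (2 * n + d) // (2 * d)
    return -((2 * (-n) + d) // (2 * d))


def gauss_reduce(b1: Vec, b2: Vec) -> Tuple[Tuple[Vec, Vec], List[Step]]:
    """Return the reduced basis and the trace of (mu, b1, b2) per iteration."""
    if norm_sq(b1) > norm_sq(b2):         # Preparation: we need ||b1|| <= ||b2||
        b1, b2 = b2, b1
    trace: List[Step] = []
    while True:
        # mu_{2,1} = <b2, b~1> / ||b~1||^2; in two dimensions b~1 = b1.
        mu = Fraction(dot(b2, b1), norm_sq(b1))
        trace.append((mu, b1, b2))
        if abs(mu) <= Fraction(1, 2):     # nothing left to subtract: END
            return (b1, b2), trace
        k = nearest_int(mu)               # Normalize: b2 := b2 - round(mu) * b1
        b2 = (b2[0] - k * b1[0], b2[1] - k * b1[1])
        if norm_sq(b2) < norm_sq(b1):     # Swap when the new b2 is the shorter vector
            b1, b2 = b2, b1
        else:                             # otherwise the basis is already reduced
            return (b1, b2), trace


def lattice_det(b1: Vec, b2: Vec) -> int:
    """|det| of the basis matrix; reduction only multiplies by unimodular
    matrices, so this value must not change (here it stays 144)."""
    return abs(b1[0] * b2[1] - b1[1] * b2[0])


if __name__ == "__main__":
    start = ((144, 0), (89, 1))           # the exercise's input basis
    (r1, r2), steps = gauss_reduce(*start)
    for i, (mu, v1, v2) in enumerate(steps, 1):
        print(f"iteration {i}: b1={v1} b2={v2} |mu| = {abs(mu)} ~ {float(abs(mu)):.3f}")
    print("reduced basis:", r1, r2, "| det:", lattice_det(r1, r2))
```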
Introduction – LWE
Learning With Errors
Also called "the hidden vector" problem
The starting point for the construction of various other cryptographic primitives
First security proof by Regev in 2009 (under CPA)
Parameters: n, m, q prime, s ∈ ℤ_q^n, e ∈ ℤ_q^m
Input: (G, A) with G ∈ ℤ_q^(m×n) and A ∈ ℤ_q^m
Either A = Gs + e, or A is chosen uniformly at random; the goal is to distinguish between these two cases.
Introduction – LWE
(Toy Example)
https://www.youtube.com/watch?v=MBdKvBA5vrw
Encryption model: A = Gs + e (mod q)
q = 97, secret s = 5, e = 12
G = [5, 8, 12, 16, 2, 6, 11, 3, 7, 10]
A = Gs + e (mod q) = [37, 52, 27, 92, 22, 42, 67, 27, 47, 62]
pk = (A, G)
Encrypting a bit (M = 1), sampling: ciphertext C = (u, v) with
u = Σ(G samples)
v = Σ(A samples) − (q/2)·M
u = Σ([8, 12, 16, 10, 6]) = 52
v = Σ([52, 27, 92, 62, 42]) − (97/2)·1 = 275 − 48.5 = 226.5
C = (52, 226.5)
Decryption: Dec = v − s·u (mod q); M = 1 if Dec > q/2, M = 0 otherwise
Dec = 226.5 − 5·52 (mod 97) = −33.5 (mod 97) = 63.5 > 97/2 → M = 1
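The toy scheme above written out as an added example (my own code, not from the slides or the linked video), with the slide's q, s, e and G. Recomputing A = G·s + e (mod q) from those values gives 72 rather than 27 in the third position, and with the five samples used above the summed error is 5·12 = 60, above q/2 = 48.5, so that ciphertext does not decrypt; the block therefore also checks the small-error condition, using a smaller per-sample error vector that I constructed (E_SMALL is an assumption, not from the slide).

```python
"""Toy LWE bit encryption from the slide: A = G*s + e (mod q) with a scalar secret.

Added example, my own code (not from the slides or the linked video). Q, S, G
and the constant error 12 are the slide's values; A is recomputed from them.
E_SMALL is a per-sample error vector I constructed to show decryption working
when the summed error stays below q/2; it is not from the slide.
"""
from fractions import Fraction
from typing import List, Sequence, Tuple

Q = 97
S = 5                                      # secret
G = [5, 8, 12, 16, 2, 6, 11, 3, 7, 10]     # public samples (slide)
E_SLIDE = [12] * len(G)                    # the slide's constant error e = 12
E_SMALL = [1, 2, 1, 3, 2, 1, 2, 3, 1, 2]   # constructed small errors (assumption)
SAMPLES = [1, 2, 3, 9, 5]                  # indices of the G values 8, 12, 16, 10, 6 used above


def keygen(g: Sequence[int], s: int, errs: Sequence[int], q: int) -> List[int]:
    """A_i = G_i * s + e_i (mod q); the public key is (A, G)."""
    return [(gi * s + ei) % q for gi, ei in zip(g, errs)]


def encrypt(g: Sequence[int], a: Sequence[int], bit: int,
            idx: Sequence[int], q: int) -> Tuple[int, Fraction]:
    """C = (u, v): u = sum of chosen G samples, v = sum of chosen A samples - (q/2)*M.
    Fractions keep q/2 exact (the slide's 226.5)."""
    u = sum(g[i] for i in idx)
    v = Fraction(sum(a[i] for i in idx)) - Fraction(q, 2) * bit
    return u, v


def decrypt(s: int, u: int, v, q: int) -> int:
    """Dec = v - s*u (mod q); M = 1 if Dec > q/2, else 0."""
    dec = (v - s * u) % q
    return 1 if dec > Fraction(q, 2) else 0


def error_budget_ok(errs: Sequence[int], idx: Sequence[int], q: int) -> bool:
    """Correctness condition: Dec = sum(e) for M = 0 and sum(e) + q/2 (mod q) for M = 1,
    so the decision rule is only right while sum(e) over the chosen samples < q/2."""
    return sum(errs[i] for i in idx) < Fraction(q, 2)


def roundtrip(errs: Sequence[int], bit: int, idx: Sequence[int] = SAMPLES) -> Tuple[int, bool]:
    """Encrypt `bit` under a key built with `errs`, decrypt it again, and report
    whether the error budget held. Returns (decrypted bit, budget_ok)."""
    a = keygen(G, S, errs, Q)
    u, v = encrypt(G, a, bit, idx, Q)
    return decrypt(S, u, v, Q), error_budget_ok(errs, idx, Q)


if __name__ == "__main__":
    print("A recomputed from the slide's parameters:", keygen(G, S, E_SLIDE, Q))
    for errs, label in ((E_SLIDE, "e = 12 everywhere"), (E_SMALL, "small errors")):
        for bit in (0, 1):
            got, ok = roundtrip(errs, bit)
            print(f"{label}: M = {bit} decrypts to {got}; error budget ok: {ok}")
```

Feeding the printed ciphertext directly, decrypt(5, 52, 226.5, 97) reproduces the step Dec = 63.5 > q/2 → M = 1 shown above.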
Introduction – LWE
Worst-case connection
Quantum reduction from SVPγ to LWE (Regev, O. 2009)
The hardness of LWE (and hence the security of a cryptosystem built on it) is based on the worst-case quantum hardness of SVPγ
Connection to Coding Theory
"Learning parity with noise problem"
Also believed to be hard
Introduction – Applicability of Lattices
Cryptanalysis
“For many types of new systems, one has to consider carefully potential attacks
using this methodology”
Security Reductions
“If a system like the Diffie-Hellman key exchange or RSA encryption is secure, it is
not clear that … a prime factor in an RSA modulus are also secure. Lattice
technology provides proofs that this is indeed the case.”
Cryptography
"Since 1996, the method has been used to devise cryptosystems that have ... a desirable property that no previous system had: breaking an 'average instance' is as difficult as breaking a 'hardest instance'."
Discovered in a breakthrough paper by Ajtai
Ex: GGH, NTRU, NTRUPrime, NewHope…
Ajtai, M. Generating hard instances of lattice problems. In Complexity of
computations and proofs, volume 13 of Quad. Mat., pages 1–32. Dept. Math.,
Seconda Univ. Napoli, Caserta (2004). Preliminary version in STOC 1996.
GGH Cryptosystem
GGH
Oded Goldreich, Shafi Goldwasser and Shai Halevi
Provides
Encryption scheme
Signature scheme
Trapdoor mechanism
Difference in the ability to find close lattice points to arbitrary vectors on different bases of the same lattice
Good vs. bad basis
"Non-reduced" basis B to compute the function
Reduced basis R used for the inversion
Goldreich, Oded, Shafi Goldwasser, and Shai Halevi.
"Public-key cryptosystems from lattice reduction
problems." Annual International Cryptology
Conference. Springer, Berlin, Heidelberg, 1997.
GGH Cryptosystem
(illustrated in 2 dimensions)
GGH Cryptosystem
Decryption with bad basis: incorrect!
GGH Cryptosystem
GGH Signature
Hermite Normal Form
GGH Parameters
Dimension of the lattice: n
Distribution of private basis
Choosing a random lattice
Choosing an “almost rectangular” lattice
HNF of the reduced basis
Generating public basis
Mixing steps
Bernstein lecture:
GGH would need very high dimension and it would be impractical
GGH Cryptosystem
Remarks: GGH Encryption
Map the message as a lattice point
Integer combinations of the public basis
Add a (randomly) “small error vector”
Decryption
Using a private (reduced) basis
Look for a lattice point which is close to the ciphertext
“We remark that our encryption algorithm is similar in its algorithmic nature to a scheme
based on algebraic coding that was suggested by McEliece”
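A two-dimensional version of the good-basis/bad-basis trapdoor described above, as an added example (my own code, not the GGH paper's construction). It assumes the lattice from the reduction exercise earlier, with the reduced basis (−8, 8), (−13, −5) as the private key and the skewed basis (144, 0), (89, 1) as the public key; the message vector X and the error vector R_ERR are constructed for the demonstration.

```python
"""GGH-style encryption in two dimensions: decrypting with a good (reduced)
basis versus a bad (public) basis.

Added example, my own code; it is not the GGH paper's construction (no HNF,
no parameter choices) but the geometric idea the slides describe. The
lattice is the one from the reduction exercise: R = {(-8, 8), (-13, -5)}
(private, reduced) and B = {(144, 0), (89, 1)} (public, skewed) generate
the same lattice. X (message) and R_ERR (error) are constructed inputs.
"""
from fractions import Fraction
from typing import Tuple

Vec = Tuple[int, int]
Basis = Tuple[Vec, Vec]                   # two column vectors

PRIVATE: Basis = ((-8, 8), (-13, -5))    # reduced ("good") basis, kept secret
PUBLIC: Basis = ((144, 0), (89, 1))      # skewed ("bad") basis, published
X: Vec = (2, 3)                          # constructed message (integer coordinates)
R_ERR: Vec = (2, -1)                     # constructed small error vector


def det(b: Basis) -> int:
    (a, c), (bb, d) = b
    return a * d - bb * c


def combine(b: Basis, coeff: Vec) -> Vec:
    """Integer combination coeff[0]*b1 + coeff[1]*b2: a lattice point."""
    b1, b2 = b
    return (coeff[0] * b1[0] + coeff[1] * b2[0],
            coeff[0] * b1[1] + coeff[1] * b2[1])


def coordinates(b: Basis, v: Vec) -> Tuple[Fraction, Fraction]:
    """Exact real coordinates y with y1*b1 + y2*b2 = v (Cramer's rule)."""
    (a, c), (bb, d) = b
    dt = det(b)
    return Fraction(v[0] * d - bb * v[1], dt), Fraction(a * v[1] - c * v[0], dt)


def round_half_up(x: Fraction) -> int:
    return (2 * x.numerator + x.denominator) // (2 * x.denominator)


def closest_point_babai(b: Basis, target: Vec) -> Vec:
    """Babai round-off: write target in basis b, round each coordinate, map back.
    This finds the closest lattice point only when b is nearly orthogonal."""
    y1, y2 = coordinates(b, target)
    return combine(b, (round_half_up(y1), round_half_up(y2)))


def same_lattice(b1: Basis, b2: Basis) -> bool:
    """b2 = b1 * U with U unimodular, i.e. U = b1^-1 * b2 is integral with det +-1."""
    cols = [coordinates(b1, v) for v in b2]
    if any(c.denominator != 1 for col in cols for c in col):
        return False
    u: Basis = ((int(cols[0][0]), int(cols[0][1])), (int(cols[1][0]), int(cols[1][1])))
    return abs(det(u)) == 1


def encrypt(pub: Basis, msg: Vec, err: Vec) -> Vec:
    """Map the message to a lattice point (public-basis combination), add a small error."""
    p = combine(pub, msg)
    return (p[0] + err[0], p[1] + err[1])


def decrypt(priv: Basis, pub: Basis, c: Vec) -> Vec:
    """Find the close lattice point with the private basis, then read the
    message back as its integer coordinates in the public basis."""
    y1, y2 = coordinates(pub, closest_point_babai(priv, c))
    return int(y1), int(y2)


if __name__ == "__main__":
    c = encrypt(PUBLIC, X, R_ERR)
    print("same lattice:", same_lattice(PRIVATE, PUBLIC))
    print("ciphertext:", c)
    print("decrypt with private basis:", decrypt(PRIVATE, PUBLIC, c))
    print("Babai with public basis:", closest_point_babai(PUBLIC, c),
          "but the message point is", combine(PUBLIC, X))
```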
GGH Cryptosystem
Remarks: GGH Signature
M (message) as an n-dimensional vector over the reals.
A signature of such vector
Lattice point which is close to it
Verifying
Checking that a signature is indeed a lattice point and M is close to the
signature
Problem
If M’ is close to M’’ then they will have the same signature
Recommendation: Hash first
NTRU Cryptosystem
NTRU
NTRU – A Ring-based Public Key Cryptosystem
Introduced by Hoffstein–Pipher–Silverman in 1998.
Ring-based: "N-th degree TRUncated polynomial ring"
Security related to lattice problems
Encryption with a mixing system based on polynomial algebra and reduction modulo p and q
Security also relies on the fact that it is very difficult to find short vectors for most lattices
US Patent No 6,081,597
NTRUEncrypt (open-source)
NTRUSign
Parameters: p, q, N with gcd(p, q) = 1 and q > p; sample spaces Lf, Lg, Lφ, Lm
Assumptions: R = ℤ[X]/(X^N − 1)
NTRU
Preliminaries
An element F ∈ R will be written as a polynomial (or a vector):
The multiplication in R:
NTRU
Key Creation
f, g polynomials with f ∈ Lf, g ∈ Lg
f must have inverses (Fq, Fp):
f ∗ Fq ≡ 1 (mod q)
f ∗ Fp ≡ 1 (mod p)
h ≡ Fq ∗ g (mod q)
Public key: h
Private key: f (also store Fp)
Example (Link)
Parameters: N = 11, q = 32, p = 3
Suppose Bob chooses:
g = −1 + X² + X³ + X⁵ − X⁸ − X¹⁰
f = −1 + X + X² − X⁴ + X⁶ + X⁹ − X¹⁰
Computing Fp, Fq:
Fp = 1 + 2X + 2X³ + 2X⁴ + X⁵ + 2X⁷ + 2X⁹
Fq = 5 + 9X + 6X² + 16X³ + 4X⁴ + 15X⁵ + 16X⁶ + 22X⁷ + 20X⁸ + 18X⁹ + 30X¹⁰
Computing h: 3Fq ∗ g (mod 32)
h = 8 + 25X + 22X² + 20X³ + 12X⁴ + 24X⁵ + 15X⁶ + 19X⁷ + 12X⁸ + 19X⁹ + 16X¹⁰
NTRU
Encryption
Select: φ ∈ Lφ, m ∈ Lm
Encrypt: e ≡ p φ ∗ h + m (mod q)
Decryption
First decrypt: a ≡ f ∗ e (mod q)
Recovering m with Fp: m = Fp ∗ a (mod p)
Example (Link)
Alice chooses m, φ:
m = −1 + X³ − X⁴ − X⁸ + X⁹ + X¹⁰
φ = −1 + X² + X³ + X⁴ − X⁵ + X⁷
Alice encrypts it with Bob's public key h: e ≡ φ ∗ h + m (mod q)
e = (−1 + X² + X³ + X⁴ − X⁵ + X⁷) ∗ h + (−1 + X³ − X⁴ − X⁸ + X⁹ + X¹⁰) (mod 32)
e = (14 + 11X + 26X² + 24X³ + 14X⁴ + 16X⁵ + 30X⁶ + 7X⁷ + 25X⁸ + 6X⁹ + 19X¹⁰) (mod 32)
Bob decrypts it:
a = f ∗ e (mod 32)
a = (3 − 7X − 10X² − 11X³ + 10X⁴ + 7X⁵ + 6X⁶ + 7X⁷ + 5X⁸ − 3X⁹ − 7X¹⁰) (mod 32)
Bob reduces (mod p), recovering with Fp:
m = −1 + X³ − X⁴ − X⁸ + X⁹ + X¹⁰ (mod 3)
NTRU – Why it works?
Decryption starts with:
a ≡ f ∗ e (mod q)
  ≡ f ∗ (p φ ∗ h + m) (mod q)
  = f ∗ (p φ ∗ (Fq ∗ g) + m) (mod q)
  = (p φ ∗ g + f ∗ m) (mod q)
Using appropriate parameters, all of its coefficients are between −(q/2) and (q/2), so a = (p φ ∗ g + f ∗ m) in ℤ[X]/(X^N − 1) also does not change when reduced modulo q.
Therefore, reducing a to mod p:
a = (p φ ∗ g + f ∗ m) (mod p) = f ∗ m (mod p)
Multiplying it with Fp:
(f ∗ m (mod p)) ∗ Fp = m (mod p)
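The key creation, encryption and decryption steps above, together with the correctness argument, as an added example (my own code, not the NTRU reference implementation): a cyclic-convolution ring with the slide's N = 11, q = 32, p = 3, f, g, Fq, h, m and φ. Two assumptions are mine: Fp is given with an X⁸ term that the extracted slide text lacks (the block verifies f ∗ Fp ≡ 1 (mod p), so it can be checked rather than trusted), and e is recomputed from φ, h and m rather than copied from the printed coefficients.

```python
"""NTRU in R = Z[X]/(X^N - 1): key checks, encryption, decryption.

Added example (my own code, not the NTRU reference implementation or the
slides' code). A polynomial is a list of N coefficients, index i <-> X^i.
Parameters and polynomials follow the slide (N = 11, q = 32, p = 3), except
that Fp carries an X^8 term missing from the extracted slide text; check_keys()
verifies f * Fp = 1 (mod p) and f * Fq = 1 (mod q). The ciphertext is
recomputed from phi, h and m, not copied from the printed coefficients.
"""
from typing import List

N, Q, P = 11, 32, 3

f = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]       # -1 + X + X^2 - X^4 + X^6 + X^9 - X^10
g = [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]       # -1 + X^2 + X^3 + X^5 - X^8 - X^10
Fp = [1, 2, 0, 2, 2, 1, 0, 2, 1, 2, 0]         # 1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + X^8 + 2X^9
Fq = [5, 9, 6, 16, 4, 15, 16, 22, 20, 18, 30]
h = [8, 25, 22, 20, 12, 24, 15, 19, 12, 19, 16]   # h = p * Fq * g (mod q), as on the slide
m = [-1, 0, 0, 1, -1, 0, 0, 0, -1, 1, 1]       # -1 + X^3 - X^4 - X^8 + X^9 + X^10
phi = [-1, 0, 1, 1, 1, -1, 0, 1, 0, 0, 0]      # -1 + X^2 + X^3 + X^4 - X^5 + X^7


def mul(a: List[int], b: List[int]) -> List[int]:
    """Star multiplication in R: cyclic convolution, X^N wraps to X^0."""
    c = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                c[(i + j) % N] += ai * bj
    return c


def add(a: List[int], b: List[int]) -> List[int]:
    return [x + y for x, y in zip(a, b)]


def centre(a: List[int], mod: int) -> List[int]:
    """Reduce each coefficient into (-mod/2, mod/2]. With 'appropriate parameters'
    the true a = p*phi*g + f*m already lies in this range, so reducing mod q and
    centring gives it back exactly; that is the step the correctness argument uses."""
    out = []
    for x in a:
        r = x % mod
        out.append(r - mod if r > mod // 2 else r)
    return out


def is_one(a: List[int], mod: int) -> bool:
    return [x % mod for x in a] == [1] + [0] * (N - 1)


def check_keys() -> bool:
    """f * Fq = 1 (mod q), f * Fp = 1 (mod p), and h = p * Fq * g (mod q)."""
    h_calc = [(P * x) % Q for x in mul(Fq, g)]
    return is_one(mul(f, Fq), Q) and is_one(mul(f, Fp), P) and h_calc == h


def encrypt(msg: List[int], blind: List[int], pub: List[int]) -> List[int]:
    """e = phi * h + m (mod q); the factor p is already folded into h."""
    return [x % Q for x in add(mul(blind, pub), msg)]


def decrypt(e: List[int]) -> List[int]:
    """a = f * e (mod q), centred, then m = Fp * a (mod p), centred."""
    a = centre(mul(f, e), Q)                 # = p*phi*g + f*m exactly
    return centre(mul(Fp, centre(a, P)), P)  # Fp * (f*m mod p) = m (mod p)


if __name__ == "__main__":
    print("keys consistent:", check_keys())
    e = encrypt(m, phi, h)
    print("e =", e)
    print("decrypt(e) == m:", decrypt(e) == m)
```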
NTRU – Parameter selection
Sample spaces
Lm = { m ∈ R : coefficients between −½(p−1) and ½(p−1) }
Lf = L(df, df−1), Lg = L(dg, dg), Lφ = L(d, d)
where the form L(d1, d2) has d1 coefficients equal to 1 and d2 coefficients equal to −1
NTRU Experiments
NTRUEncrypt
Open source
https://github.com/NTRUOpenSourceProject/NTRUEncrypt
[Charts: Encryption and Decryption timings (in nanoseconds); Key Gen. timings (in nanoseconds); Public key, Private key and Ciphertext size (in bytes). Parameter sets: EES401ep2 (112 bits), EES449ep1 (128 bits), EES677ep1 (192 bits), EES887ep1 (192 bits), EES1087ep2 (256 bits), EES1171ep1 (256 bits).]
NTRUSign
NTRU Digital Signature
PASS: "Polynomial Authentication and Signature Scheme" (1999)
Based on GGH
Updated version: pqNTRUSign (2014)
Based on the Learning with Truncation (LWT) problem
Submitted to NIST
For a given L and document m, its signature is a vector v: v = hash(m|L) mod p
https://www.onboardsecurity.com/nist-post-quantum-crypto-submission
NTRUSign
Signing
Input: hash function, m (message), (pf, g) from the private key and h (the public key)
Steps:
1. (sp, tp) ← Hash(m | h) mod p
2. Vector r from sampling on a given distribution;
3. Compute s0 = pr + sp, so that s0 ≡ sp (mod p), and compute t0 = s0·h. (s0, t0) is a lattice vector.
4. Compute a = (tp – t0)·g⁻¹ mod p.
5. Compute (s1, t1) = a·(pf, g)
6. The above steps are repeated with rejection sampling.
Output: (s, t), the signature, with (s, t) = (s0, t0) + (s1, t1)
https://2017.pqcrypto.org/conference/slides/recent-results/zhang.pdf
NTRUSign
Verify:
1. Check if (s, t) = hash(m|h) mod p.
2. Check if the norm of (s, t) is within some bound.
3. Check if t = s·h
Remarks on the submission
pqNTRUSign is an efficient instantiation of a modular lattice signature over the NTRU lattice.
Public key security is based on the NTRU security
The forgery security is based on LWT over the NTRU lattice
The transcript security is provided by rejection sampling
Conclusions
Is replacing RSA with NTRUEncrypt the best
solution moving forward?
“We don’t think a single encryption solution is the best idea,
regardless of the algorithm” (Dr. William Whyte)
Conclusions
Trends
Dustin Moody (NIST). The 2nd Round of the NIST PQC Standardization Process. Aug. 2019.
https://csrc.nist.gov/Presentations/2019/the-2nd-round-of-the-nist-pqc-standardization-proc
Learning With Errors (LWE)
Learning With Rounding (LWR)
Thank you for your attention

TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdfTataKelola dan KamSiber Kecerdasan Buatan v022.pdf
TataKelola dan KamSiber Kecerdasan Buatan v022.pdf
 
Pharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdfPharmacognosy Flower 3. Compositae 2023.pdf
Pharmacognosy Flower 3. Compositae 2023.pdf
 
9953330565 Low Rate Call Girls In Rohini Delhi NCR
9953330565 Low Rate Call Girls In Rohini  Delhi NCR9953330565 Low Rate Call Girls In Rohini  Delhi NCR
9953330565 Low Rate Call Girls In Rohini Delhi NCR
 
Full Stack Web Development Course for Beginners
Full Stack Web Development Course  for BeginnersFull Stack Web Development Course  for Beginners
Full Stack Web Development Course for Beginners
 
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptxPOINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
POINT- BIOCHEMISTRY SEM 2 ENZYMES UNIT 5.pptx
 
Final demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptxFinal demo Grade 9 for demo Plan dessert.pptx
Final demo Grade 9 for demo Plan dessert.pptx
 
Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17Computed Fields and api Depends in the Odoo 17
Computed Fields and api Depends in the Odoo 17
 
Earth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice greatEarth Day Presentation wow hello nice great
Earth Day Presentation wow hello nice great
 
Capitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptxCapitol Tech U Doctoral Presentation - April 2024.pptx
Capitol Tech U Doctoral Presentation - April 2024.pptx
 
Introduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptxIntroduction to AI in Higher Education_draft.pptx
Introduction to AI in Higher Education_draft.pptx
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
18-04-UA_REPORT_MEDIALITERAСY_INDEX-DM_23-1-final-eng.pdf
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Solving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptxSolving Puzzles Benefits Everyone (English).pptx
Solving Puzzles Benefits Everyone (English).pptx
 
ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)ESSENTIAL of (CS/IT/IS) class 06 (database)
ESSENTIAL of (CS/IT/IS) class 06 (database)
 
Alper Gobel In Media Res Media Component
Alper Gobel In Media Res Media ComponentAlper Gobel In Media Res Media Component
Alper Gobel In Media Res Media Component
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdfEnzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
Enzyme, Pharmaceutical Aids, Miscellaneous Last Part of Chapter no 5th.pdf
 
Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPTECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
ECONOMIC CONTEXT - LONG FORM TV DRAMA - PPT
 

Introduction - Lattice-based Cryptography

  • 4. Introduction: What is a lattice?
Thijs Laarhoven: a vector space (n dimensions) with basis vectors (e.g. b1 and b2); the lattice L is generated by all integer linear combinations of the basis vectors (e.g. 5·b1 − 2·b2 is a point in the lattice).
Bernstein: "A lattice is a set of points in n-dimensional space with a periodic structure."
Von zur Gathen:

  • 5. Introduction: Example
Point p = 3·(12,2) − 2·(13,4) = (36,6) − (26,8) = (10,−2). (p is marked on the slide's lattice plot.)

  • 6. Introduction: Definitions
Matrix notation for a lattice (1).
If U is a unimodular matrix, the bases B and BU generate the same lattice (2).
Determinant of a lattice (3).
Linearly independent vectors (4): the linear combination a1·v1 + a2·v2 + … + an·vn = 0 holds only when all ai are equal to zero.
Norm (Euclidean norm) of x = (x1, x2, …, xn) ∈ ℝ^n, where ⋆ denotes the inner product.

  • 7. Introduction: Lattice Problems
Shortest (nonzero) Vector Problem (SVP).
Closest Vector Problem (CVP): related to a target point t.
Approximations, e.g. SVPγ: find a vector whose norm is at most γ times that of the shortest nonzero vector.

  • 8. Introduction: Lattice Basis Reduction
"Find a nicer basis of the same lattice." Example: r1, r2 generate the same lattice.
Reduction algorithms:
Gauss algorithm (or Lagrange algorithm).
LLL reduction [LLL82]: blockwise generalization of Gauss reduction.
BKZ reduction [Sch87, SE94]: blockwise generalization of Korkin-Zolotarev reduction; the goal is to find the SVP in projected sub-lattices of dimension k.

  • 9. Introduction: Gauss Reduction
Works in two dimensions.
Normalize: uses the Gram-Schmidt orthogonalization (GSO), computed with the Gram-Schmidt process.
Swap: switches the two vectors, (b1, b2) → (b2, b1).
  • 11. Introduction – Summer School Exercise
Preparation: the algorithm requires ‖b1‖ ≤ ‖b2‖. For the input basis b1 = (144,0), b2 = (89,1):
$\|b_1\| = \sqrt{144\cdot 144 + 0\cdot 0} = 144$, $\|b_2\| = \sqrt{89\cdot 89 + 1\cdot 1} = \sqrt{7922} \approx 89.01$.
So: swap(b1, b2), giving b1 = (89,1), b2 = (144,0).

  • 12. Introduction – Summer School Exercise
Iteration 1: b1 = (89,1), b2 = (144,0).
$|\mu_{2,1}| = \left|\frac{\langle b_2, \tilde b_1\rangle}{\|\tilde b_1\|^2}\right| = \frac{144\cdot 89 + 0\cdot 1}{\left(\sqrt{89^2 + 1}\right)^2} = \frac{12816}{7922} \approx 1.617 > \frac{1}{2}$
(here $\tilde b_1 = b_1$, the first Gram-Schmidt vector).

  • 13. Introduction – Summer School Exercise
Iteration 1, Normalize (⌊μ⌉ denotes rounding μ to the nearest integer; the slides' ⌈·⌉ and ⌊·⌋ both stand for that same rounding):
$b_2 := b_2 - \lfloor \mu_{2,1}\rceil\, b_1 = (144,0) - 2\,(89,1) = (144,0) - (178,2) = (-34,-2)$

  • 14. Introduction – Summer School Exercise
Iteration 1, check: if ‖b2‖ < ‖b1‖ then swap. With b1 = (89,1), b2 = (−34,−2):
$\|b_1\| \approx 89.01$, $\|b_2\| = \sqrt{(-34)^2 + (-2)^2} = \sqrt{1160} \approx 34.05$.
Then swap(b1, b2): b1 = (−34,−2), b2 = (89,1).

  • 15. Introduction – Summer School Exercise
Iteration 2: b1 = (−34,−2), b2 = (89,1).
$\mu_{2,1} = \frac{\langle b_2, \tilde b_1\rangle}{\|\tilde b_1\|^2} = \frac{89\cdot(-34) + 1\cdot(-2)}{\left(\sqrt{(-34)^2 + (-2)^2}\right)^2} = \frac{-3028}{1160} \approx -2.61$, so $|\mu_{2,1}| \approx 2.61 > \frac{1}{2}$.

  • 16. Introduction – Summer School Exercise
Iteration 2, Normalize:
$b_2 := b_2 - \lfloor \mu_{2,1}\rceil\, b_1 = (89,1) - (-3)\,(-34,-2) = (89,1) - (102,6) = (-13,-5)$

  • 17. Introduction – Summer School Exercise
Iteration 2, check: b1 = (−34,−2), b2 = (−13,−5).
$\|b_1\| \approx 34.05$, $\|b_2\| = \sqrt{(-13)^2 + (-5)^2} = \sqrt{194} \approx 13.92$; ‖b2‖ < ‖b1‖, so swap(b1, b2): b1 = (−13,−5), b2 = (−34,−2).

  • 18. Introduction – Summer School Exercise
Iteration 3: b1 = (−13,−5), b2 = (−34,−2).
$|\mu_{2,1}| = \left|\frac{\langle b_2, \tilde b_1\rangle}{\|\tilde b_1\|^2}\right| = \frac{(-34)(-13) + (-2)(-5)}{\left(\sqrt{(-13)^2 + (-5)^2}\right)^2} = \frac{452}{194} \approx 2.33 > \frac{1}{2}$

  • 19. Introduction – Summer School Exercise
Iteration 3, Normalize:
$b_2 := b_2 - \lfloor \mu_{2,1}\rceil\, b_1 = (-34,-2) - 2\,(-13,-5) = (-34,-2) - (-26,-10) = (-8,8)$

  • 20. Introduction – Summer School Exercise
Iteration 3, check: b1 = (−13,−5), b2 = (−8,8).
$\|b_1\| \approx 13.92$, $\|b_2\| = \sqrt{(-8)^2 + 8^2} = \sqrt{128} \approx 11.31$; ‖b2‖ < ‖b1‖, so swap(b1, b2): b1 = (−8,8), b2 = (−13,−5).

  • 21. Introduction – Summer School Exercise
Iteration 4: b1 = (−8,8), b2 = (−13,−5).
$|\mu_{2,1}| = \frac{(-13)(-8) + (-5)\cdot 8}{\left(\sqrt{(-8)^2 + 8^2}\right)^2} = \frac{64}{128} = \frac{1}{2}$
END: |μ2,1| ≤ 1/2, so the basis is reduced.
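The exercise above, run by a small Gauss reduction routine in Python. This is an added example, not code from the slides or the Summer School materials; the basis (144,0), (89,1) is the exercise's own, while the `det` check (a unimodular change of basis leaves the lattice determinant unchanged, as stated on slide 6) is an addition of this note. Exact rationals are used for μ so that the tie |μ| = 1/2 in the last iteration is detected without floating-point rounding.

```python
"""Gauss (Lagrange) reduction of a two-dimensional integer lattice basis.
Added example; not code from the slides. Follows the exercise's three steps:
compute mu, normalize b2 := b2 - round(mu) * b1, swap when b2 got shorter."""
from fractions import Fraction
from math import floor


def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]


def norm2(a):
    """Squared Euclidean norm; comparing squares avoids square roots."""
    return dot(a, a)


def det(b1, b2):
    """Lattice determinant (up to sign): unchanged by unimodular basis changes."""
    return b1[0] * b2[1] - b1[1] * b2[0]


def gauss_reduce(b1, b2, trace=None):
    """Return a reduced basis (b1, b2) of the same lattice with |b1| <= |b2| and
    |mu_{2,1}| <= 1/2, where mu_{2,1} = <b2, b1> / |b1|^2 is the Gram-Schmidt
    coefficient (in two dimensions the first Gram-Schmidt vector is b1 itself).
    When `trace` is a list, every (b1, b2, mu) visited is appended to it."""
    b1, b2 = tuple(b1), tuple(b2)
    if norm2(b1) > norm2(b2):            # preparation: ensure |b1| <= |b2|
        b1, b2 = b2, b1
    while True:
        mu = Fraction(dot(b2, b1), norm2(b1))   # exact rational, no float rounding
        if trace is not None:
            trace.append((b1, b2, mu))
        if abs(mu) <= Fraction(1, 2):
            return b1, b2                # END condition of the exercise
        k = floor(mu + Fraction(1, 2))   # nearest integer to mu
        b2 = (b2[0] - k * b1[0], b2[1] - k * b1[1])   # normalize step
        if norm2(b2) < norm2(b1):        # swap step
            b1, b2 = b2, b1


if __name__ == "__main__":
    steps = []
    r1, r2 = gauss_reduce((144, 0), (89, 1), steps)
    for b1, b2, mu in steps:
        print(f"b1={b1}  b2={b2}  mu={float(mu):.3f}")
    print("reduced basis:", r1, r2, " det:", det(r1, r2))
```

Running it prints the same sequence of bases as slides 12 to 21 and ends with b1 = (−8, 8), b2 = (−13, −5); the determinant 144 of the input basis is preserved, which is the quick sanity check that the reduced vectors still span the original lattice.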
  • 22. Introduction – LWE (Learning With Errors)
Also called the "hidden vector" problem. The starting point for the construction of various other cryptographic primitives. First security proof by Regev in 2009 (under CPA).
Parameters: n, m, q prime; s ∈ ℤ_q^n, e ∈ ℤ_q^m; G ∈ ℤ_q^{m×n}, A ∈ ℤ_q^m.
Input: (G, A), where either A = Gs + e or A is a uniformly random vector. The goal is to distinguish between these two cases.

  • 23. Introduction – LWE (Toy Example), https://www.youtube.com/watch?v=MBdKvBA5vrw
Encryption model: A = Gs + e (mod q), with q = 97, secret s = 5, error e = 12.
G = [5, 8, 12, 16, 2, 6, 11, 3, 7, 10]
A = [37, 52, 27, 92, 22, 42, 67, 27, 47, 62]
Public key pk = (A, G).
Encrypting a bit (M = 1): sample a subset of the entries, u = Σ(G samples), v = Σ(A samples) − (q/2)·M; ciphertext C = (u, v).
u = Σ([8, 12, 16, 10, 6]) = 52
v = Σ([52, 27, 92, 62, 42]) − (97/2)·1 = 275 − 48.5 = 226.5
C = (52, 226.5)
Decryption with s = 5: Dec = v − s·u (mod q); M = 1 if Dec > q/2, M = 0 otherwise.
Dec = 226.5 − 5·52 (mod 97) = −33.5 (mod 97) = 63.5 > 97/2, so M = 1.
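The toy scheme of the slide in Python, with the scalar secret (n = 1) the video uses. This is an added example, not code from the slides or the linked video: q, G, s and the five sampled positions are the slide's values, while the two error vectors are constructed here, one small and one with every sample carrying error 12, to show the correctness condition the slide's Dec rule depends on (the accumulated error must stay below q/2, otherwise the bit lands in the wrong half of ℤ_q).

```python
"""Toy LWE bit encryption (scalar secret, n = 1) as sketched on the slide.
Added example; not code from the slides or the video. q, G, s and SUBSET are the
slide's values; SMALL_E and BIG_E are constructed error vectors."""

Q = 97
G = [5, 8, 12, 16, 2, 6, 11, 3, 7, 10]   # public samples G_i (slide)
S = 5                                     # secret scalar s (slide)
SUBSET = [1, 2, 3, 9, 5]                  # positions summed on the slide: G = 8, 12, 16, 10, 6

SMALL_E = [1, 2, 0, 3, 1, 2, 1, 0, 2, 1]  # constructed: sums to 8 over SUBSET
BIG_E = [12] * 10                         # constructed: error 12 on every sample


def keygen(G, s, e, q):
    """Public key (G, A) with A_i = G_i * s + e_i (mod q); the secret is s."""
    return [(g * s + err) % q for g, err in zip(G, e)]


def encrypt(bit, G, A, subset, q):
    """Ciphertext (u, v): u = sum of chosen G_i, v = sum of chosen A_i - (q/2)*bit.
    q/2 is rounded down so that everything stays an integer."""
    u = sum(G[i] for i in subset) % q
    v = (sum(A[i] for i in subset) - (q // 2) * bit) % q
    return u, v


def decrypt(u, v, s, q):
    """Dec = v - s*u (mod q) = sum(e_i) - (q/2)*bit (mod q);
    the slide's rule reads the bit as 1 when Dec lies in the upper half of Z_q."""
    dec = (v - s * u) % q
    return 1 if dec > q / 2 else 0


def error_budget_ok(e, subset, q):
    """Decryption is correct for both bit values only while the accumulated
    error over the chosen samples stays below q/2."""
    return sum(e[i] for i in subset) < q // 2


def roundtrip(bit, e, subset=SUBSET):
    """Key generation, encryption and decryption of one bit with error vector e."""
    A = keygen(G, S, e, Q)
    u, v = encrypt(bit, G, A, subset, Q)
    return decrypt(u, v, S, Q)


if __name__ == "__main__":
    for label, e in (("small errors", SMALL_E), ("error 12 per sample", BIG_E)):
        print(f"{label}: budget ok = {error_budget_ok(e, SUBSET, Q)}, "
              f"decrypt(1) = {roundtrip(1, e)}, decrypt(0) = {roundtrip(0, e)}")
```

With the small error vector both bits survive the round trip (Dec = 57 for M = 1, Dec = 8 for M = 0). With error 12 on every sample the five chosen errors sum to 60 > 48, so Dec = 12 for M = 1 and Dec = 60 for M = 0: both bits are read wrongly. In a real LWE instance the error is drawn from a narrow distribution for exactly this reason, and q must leave room for the summed noise.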
  • 24. Introduction – LWE: worst-case connection
Quantum reduction from SVPγ to LWE (Regev, O. 2009): the hardness of LWE (and hence the security of a cryptosystem built on it) is based on the worst-case quantum hardness of SVPγ.
Connection to coding theory: the "learning parity with noise" problem, also believed to be hard.

  • 25. Introduction – Applicability of Lattices
Cryptanalysis: "For many types of new systems, one has to consider carefully potential attacks using this methodology."
Security reductions: "If a system like the Diffie-Hellman key exchange or RSA encryption is secure, it is not clear that … a prime factor in an RSA modulus are also secure. Lattice technology provides proofs that this is indeed the case."
Cryptography: "Since 1996, the method has been used to devise cryptosystems that have ... a desirable property that no previous system had: breaking an 'average instance' is as difficult as breaking a 'hardest instance'." Discovered in a breakthrough paper by Ajtai. Examples: GGH, NTRU, NTRU Prime, NewHope, …
Ajtai, M. Generating hard instances of lattice problems. In Complexity of computations and proofs, volume 13 of Quad. Mat., pages 1–32. Dept. Math., Seconda Univ. Napoli, Caserta (2004). Preliminary version in STOC 1996.
  • 27. GGH Cryptosystem
GGH: Oded Goldreich, Shafi Goldwasser and Shai Halevi. Provides an encryption scheme and a signature scheme.
Trapdoor mechanism: the difference in the ability to find lattice points close to arbitrary vectors using different bases of the same lattice (good vs. bad basis). A "non-reduced" basis B is used to compute the function; a reduced basis R is used for the inversion.
Goldreich, Oded, Shafi Goldwasser, and Shai Halevi. "Public-key cryptosystems from lattice reduction problems." Annual International Cryptology Conference. Springer, Berlin, Heidelberg, 1997.

  • 28. GGH Cryptosystem (illustrated in 2 dimensions; figure)

  • 29. GGH Cryptosystem: decryption with the bad basis is incorrect! (figure)

  • 30. GGH Cryptosystem: GGH Signature; Hermite Normal Form (figure)

  • 31. GGH Cryptosystem: GGH Parameters
Dimension of the lattice: n.
Distribution of the private basis: choosing a random lattice, or choosing an "almost rectangular" lattice.
Generating the public basis: HNF of the reduced basis, or mixing steps.
Bernstein's lecture: GGH would need a very high dimension, and it would be impractical.

  • 32. GGH Cryptosystem: Remarks on GGH Encryption
Encryption: map the message to a lattice point (an integer combination of the public basis) and add a (random) "small error vector".
Decryption: using the private (reduced) basis, look for the lattice point closest to the ciphertext.
"We remark that our encryption algorithm is similar in its algorithmic nature to a scheme based on algebraic coding that was suggested by McEliece."

  • 33. GGH Cryptosystem: Remarks on GGH Signature
The message M is an n-dimensional vector over the reals; its signature is a lattice point close to it.
Verifying: check that the signature is indeed a lattice point and that M is close to the signature.
Problem: if M' is close to M'', they will have the same signature. Recommendation: hash first.
  • 35. NTRU – A Ring-based Public Key Cryptosystem
Introduced by Hoffstein, Pipher and Silverman in 1998. Ring-based: "N-th degree TRUncated polynomial ring". Security related to lattice problems: encryption uses a mixing system based on polynomial algebra and reduction modulo p and q, and relies on the fact that it is very difficult to find short vectors for most lattices. US Patent No. 6,081,597. NTRUEncrypt (open source), NTRUSign.
Parameters: p, q, N with gcd(p, q) = 1 and q > p; sample spaces Lf, Lg, Lφ, Lm.
Assumptions: R = ℤ[X]/(X^N − 1).

  • 36. NTRU Preliminaries
An element F ∈ R is written as a polynomial (or as the vector of its coefficients). The multiplication F ∗ G in R is polynomial multiplication reduced modulo X^N − 1, i.e. the cyclic convolution of the two coefficient vectors.

  • 37. NTRU Key Creation
f ∈ Lf, g ∈ Lg polynomials; f must have inverses Fq and Fp:
f ∗ Fq ≡ 1 (mod q), f ∗ Fp ≡ 1 (mod p), h ≡ Fq ∗ g (mod q).
Public key: h. Private key: f (also store Fp).
Example (link). Parameters: N = 11, q = 32, p = 3. Suppose Bob chooses:
g = −1 + X^2 + X^3 + X^5 − X^8 − X^10
f = −1 + X + X^2 − X^4 + X^6 + X^9 − X^10
Computing Fp, Fq:
Fp = 1 + 2X + 2X^3 + 2X^4 + X^5 + 2X^7 + 2X^9
Fq = 5 + 9X + 6X^2 + 16X^3 + 4X^4 + 15X^5 + 16X^6 + 22X^7 + 20X^8 + 18X^9 + 30X^10
Computing h = 3·Fq ∗ g (mod 32) (the factor p = 3 is folded into h here, so encryption below uses e = φ ∗ h + m):
h = 8 + 25X + 22X^2 + 20X^3 + 12X^4 + 24X^5 + 15X^6 + 19X^7 + 12X^8 + 19X^9 + 16X^10

  • 38. NTRU Encryption and Decryption
Encryption: select φ ∈ Lφ and m ∈ Lm; compute e ≡ pφ ∗ h + m (mod q).
Decryption: first compute a ≡ f ∗ e (mod q), then recover m = Fp ∗ a (mod p).
Example (link). Alice chooses m, φ:
m = −1 + X^3 − X^4 − X^8 + X^9 + X^10
φ = −1 + X^2 + X^3 + X^4 − X^5 + X^7
Alice encrypts with Bob's public key h (which already carries the factor p): e ≡ φ ∗ h + m (mod q)
e = (−1 + X^2 + X^3 + X^4 − X^5 + X^7) ∗ h + (−1 + X^3 − X^4 − X^8 + X^9 + X^10) (mod 32)
e = 14 + 11X + 26X^2 + 24X^3 + 14X^4 + 16X^5 + 30X^6 + 7X^7 + 25X^8 + 6X^9 + 19X^10 (mod 32)
Bob decrypts it: a = f ∗ e (mod 32)
a = 3 − 7X − 10X^2 − 11X^3 + 10X^4 + 7X^5 + 6X^6 + 7X^7 + 5X^8 − 3X^9 − 7X^10 (mod 32)
Bob reduces a (mod p) and recovers m with Fp:
m = −1 + X^3 − X^4 − X^8 + X^9 + X^10 (mod 3)

  • 39. NTRU – Why does it work?
Decryption starts with
a ≡ f ∗ e (mod q) ≡ f ∗ (pφ ∗ h + m) (mod q) = f ∗ (pφ ∗ (Fq ∗ g) + m) (mod q) = (pφ ∗ g + f ∗ m) (mod q).
Using appropriate parameters, all coefficients of pφ ∗ g + f ∗ m in ℤ[X]/(X^N − 1) lie between −q/2 and q/2, so the polynomial does not change when reduced modulo q. Therefore a = pφ ∗ g + f ∗ m exactly.
Reducing a modulo p: a ≡ f ∗ m (mod p).
Multiplying it by Fp: Fp ∗ f ∗ m ≡ m (mod p).
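Slides 36 to 39 in working code. This is an added example, not the slides' code and not NTRUEncrypt: it implements the ring R = ℤ[X]/(X^N − 1) as coefficient lists, computes F_p by Gaussian elimination over ℤ_p, F_q by Newton lifting of the inverse modulo 2 (since q = 32 = 2^5), the public key h = p·F_q ∗ g, the encryption e = φ ∗ h + m and the two-step decryption of slide 39. f, g, m and φ are the polynomials printed on slides 37 and 38; F_p, F_q and h are recomputed rather than copied, so the block doubles as a check of slide 37 (the recomputed F_p carries an X^8 term that the slide's F_p lacks, and it is the recomputed one that satisfies f ∗ F_p ≡ 1 (mod 3); F_q and h come out exactly as printed).

```python
"""NTRU over R = Z[X]/(X^N - 1) with the slides' toy parameters N = 11, q = 32, p = 3.
Added example; not code from the slides or from NTRUEncrypt.
A polynomial is a list of N coefficients (index i holds the coefficient of X^i).
f, g, m and phi are copied from slides 37-38; F_p, F_q and h are recomputed."""

N, P, Q = 11, 3, 32

f   = [-1, 1, 1, 0, -1, 0, 1, 0, 0, 1, -1]   # -1 + X + X^2 - X^4 + X^6 + X^9 - X^10
g   = [-1, 0, 1, 1, 0, 1, 0, 0, -1, 0, -1]   # -1 + X^2 + X^3 + X^5 - X^8 - X^10
m   = [-1, 0, 0, 1, -1, 0, 0, 0, -1, 1, 1]   # -1 + X^3 - X^4 - X^8 + X^9 + X^10
phi = [-1, 0, 1, 1, 1, -1, 0, 1, 0, 0, 0]    # -1 + X^2 + X^3 + X^4 - X^5 + X^7


def mul(a, b, mod):
    """a * b in Z_mod[X]/(X^N - 1): cyclic convolution of the coefficient vectors."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[(i + j) % N] += ai * bj
    return [x % mod for x in out]


def center(a, mod):
    """Lift residues mod `mod` to the centered range [-mod/2, mod/2)."""
    return [((x + mod // 2) % mod) - mod // 2 for x in a]


def inverse_mod_prime(f, p):
    """Inverse of f in Z_p[X]/(X^N - 1) for prime p: solve the circulant system
    M v = (1, 0, ..., 0) with M[k][j] = f[(k - j) mod N] by Gaussian elimination.
    Returns None when f is not invertible mod p."""
    rows = [[f[(k - j) % N] % p for j in range(N)] + [int(k == 0)] for k in range(N)]
    for col in range(N):
        piv = next((r for r in range(col, N) if rows[r][col]), None)
        if piv is None:
            return None
        rows[col], rows[piv] = rows[piv], rows[col]
        inv = pow(rows[col][col], p - 2, p)            # pivot inverse (Fermat)
        rows[col] = [(x * inv) % p for x in rows[col]]
        for r in range(N):
            if r != col and rows[r][col]:
                fac = rows[r][col]
                rows[r] = [(x - fac * y) % p for x, y in zip(rows[r], rows[col])]
    return [rows[k][N] for k in range(N)]


def inverse_mod_prime_power(f, p, k):
    """Inverse of f mod p^k: Newton-lift the inverse mod p via v <- v * (2 - f*v),
    which doubles the precision (p -> p^2 -> p^4 ...) on every step."""
    v = inverse_mod_prime(f, p)
    if v is None:
        return None
    mod = p
    while mod < p ** k:
        mod = min(mod * mod, p ** k)
        corr = [(-x) % mod for x in mul(f, v, mod)]
        corr[0] = (corr[0] + 2) % mod                    # corr = 2 - f*v
        v = mul(v, corr, mod)
    return v


def keygen(f, g):
    """Private key (f, F_p); public key h = p * F_q * g (mod q), as on slide 37."""
    fp = inverse_mod_prime(f, P)
    fq = inverse_mod_prime_power(f, 2, Q.bit_length() - 1)   # q = 2^5
    if fp is None or fq is None:
        raise ValueError("f must be invertible mod p and mod q")
    h = mul([(P * x) % Q for x in fq], g, Q)
    return h, fp, fq


def encrypt(m, phi, h):
    """e = phi * h + m (mod q); the factor p is already inside h."""
    return [(x + y) % Q for x, y in zip(mul(phi, h, Q), m)]


def decrypt(e, f, fp):
    """a = f * e (mod q), centered so that it equals p*phi*g + f*m over Z;
    then F_p * a (mod p) = m, centered back to {-1, 0, 1}."""
    a = center(mul(f, e, Q), Q)
    return center(mul(fp, a, P), P)


if __name__ == "__main__":
    h, fp, fq = keygen(f, g)
    e = encrypt(m, phi, h)
    print("F_p =", fp)
    print("F_q =", fq)
    print("h   =", h)
    print("e   =", e)
    print("decrypt(e) == m:", decrypt(e, f, fp) == m)
```

The centering step in `decrypt` is where the "appropriate parameters" remark of slide 39 bites: if any coefficient of pφ ∗ g + f ∗ m fell outside [−q/2, q/2) the lift from ℤ_q back to ℤ would be wrong and the message would not decrypt, which is why practical parameter sets bound the number of nonzero coefficients in Lf, Lg and Lφ. The Gaussian-elimination inverse is adequate for N = 11; real implementations use the almost-inverse algorithm, and constant-time code avoids data-dependent branches like the pivot search here.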
  • 40. NTRU – Parameter Selection
Sample spaces:
Lm = { m ∈ R : coefficients between −(p − 1)/2 and (p − 1)/2 }
Lf = L(df, df − 1), Lg = L(dg, dg), Lφ = L(d, d),
where L(d1, d2) is the set of polynomials with d1 coefficients equal to 1 and d2 coefficients equal to −1.

  • 41. NTRU Experiments
NTRUEncrypt (open source): https://github.com/NTRUOpenSourceProject/NTRUEncrypt
(Charts) Timings in nanoseconds for Encryption and Decryption (0 to 300000 ns scale) and for Key Gen. (0 to 3500000 ns scale), and sizes in bytes (0 to 2000) of the public key, private key and ciphertext, for the parameter sets EES401ep2 (112 bits), EES449ep1 (128 bits), EES677ep1 (192 bits), EES887ep1 (192 bits), EES1087ep2 (256 bits) and EES1171ep1 (256 bits).
  • 42. NTRUSign: NTRU Digital Signature
PASS: "Polynomial Authentication and Signature Scheme" (1999). Based on GGH.
Updated version: pqNTRUSign (2014), based on the Learning with Truncation (LWT) problem; submitted to NIST.
For a given L and document m, its signature is a vector v with v = hash(m|L) mod p.
https://www.onboardsecurity.com/nist-post-quantum-crypto-submission

  • 43. NTRUSign: Signing
Input: a hash function, the message m, (pf, g) from the private key, and the public key h.
Steps:
1. (sp, tp) ← Hash(m | h) mod p.
2. Sample a vector r from a given distribution.
3. Compute s0 = p·r + sp, so that s0 ≡ sp (mod p), and compute t0 = s0·h; (s0, t0) is a lattice vector.
4. Compute a = (tp − t0)·g^(−1) mod p.
5. Compute (s1, t1) = a·(pf, g).
6. The above steps are repeated with rejection sampling.
Output: the signature (s, t) = (s0, t0) + (s1, t1).
https://2017.pqcrypto.org/conference/slides/recent-results/zhang.pdf

  • 44. NTRUSign: Verify
1. Check that (s, t) ≡ hash(m|h) mod p.
2. Check that the norm of (s, t) is within some bound.
3. Check that t = s·h.
Remarks on the submission: pqNTRUSign is an efficient instantiation of a modular lattice signature over the NTRU lattice. Public key security is based on NTRU security; forgery security is based on LWT over the NTRU lattice; transcript security is provided by rejection sampling.
  • 45. Conclusions
Is replacing RSA with NTRUEncrypt the best solution moving forward? "We don't think a single encryption solution is the best idea, regardless of the algorithm." (Dr. William Whyte)

  • 46. Conclusions: Trends
Dustin Moody (NIST). The 2nd Round of the NIST PQC Standardization Process. Aug. 2019. https://csrc.nist.gov/Presentations/2019/the-2nd-round-of-the-nist-pqc-standardization-proc
Learning With Errors (LWE); Learning With Rounding (LWR).