Professional Documents
Culture Documents
𝐿 ∩ 𝑤 ∈ ℝ𝑛 : 𝑣 − 𝑤 = 𝑣 . (discrete)
𝑣 = min 𝑢
𝑢∈𝐿− 0
Hardness:
CVP≥SVP (sketch)
• Given a lattice 𝐿 generated by a independent set 𝑏1 , … , 𝑏𝑛 .
• Write the shortest nonzero lattice point 𝑣 = 𝑎𝑖 𝑏𝑖 .
(Note that 𝑎𝑖 ∈ ℤ can not be all even.)
• For each 𝑖, feed the CVP oracle with 𝐿′𝑖 , 𝑏𝑖 where lattice 𝐿′𝑖 is
generated by {𝑏1 , … , 𝑏𝑖−1 , 2𝑏𝑖 , 𝑏𝑖+1 , 𝑏𝑛 }
• And the output is 𝑣𝑖
(Why?)
Linear Equations
• There is a secret vector 𝒔 = 𝑠1 , 𝑠2 , 𝑠3 , 𝑠4 𝑇 4
∈ ℤ13
• Given
1𝑠1 + 2𝑠2 + 5𝑠3 + 2𝑠4 = 9 𝑚𝑜𝑑 13
12𝑠1 + 1𝑠2 + 1𝑠3 + 6𝑠4 = 7 𝑚𝑜𝑑 13
6𝑠1 + 10𝑠2 + 3𝑠3 + 6𝑠4 = 1 𝑚𝑜𝑑 13
10𝑠1 + 4𝑠2 + 12𝑠3 + 8𝑠4 = 0 𝑚𝑜𝑑 13 .
• Solve for 𝒔
The Learning with Errors Problem (Search)
• There is a secret vector 𝒔 = 𝑠1 , 𝑠2 , 𝑠3 , 𝑠4 𝑇 4
∈ ℤ13
• Given
5𝑠1 + 5𝑠2 + −3 𝑠3 + 7𝑠4 ≈ 6 𝑚𝑜𝑑 13
−1𝑠1 + 1𝑠2 + 2𝑠3 + −5 𝑠4 ≈ −4 𝑚𝑜𝑑 13
−3 𝑠1 + 3𝑠2 + 7𝑠3 + 4𝑠4 ≈ 2 𝑚𝑜𝑑 13
5𝑠1 + 4𝑠2 + −1 𝑠3 + 2𝑠4 ≈ −5 𝑚𝑜𝑑 13
−4 𝑠1 + 6𝑠2 + 3𝑠3 + −2 𝑠4 ≈ 5 𝑚𝑜𝑑 13
−2 𝑠1 + 3𝑠2 + 1𝑠3 + 6𝑠4 ≈ −3 𝑚𝑜𝑑 13 .
• There is an odds of ½ for each equation that is added by 1.
• Solve for 𝒔
LWE distribution
• (Definition)
• (Definition)
Adversary Challenger
𝐴, 𝒃
• (Definition)
𝐴, 𝒃
$
𝒔 ← ℤ𝒏𝒒
Output: {“LWE”, ”uniform at random”}
Generate :
𝑝𝑜𝑙𝑦 𝑛 LWE samples 𝐴, 𝒃
either from 𝒜𝒔,𝑛,𝑞,𝜒 or
uniformly at random over
ℤ𝑚×𝑛
𝑞 × ℤ𝑚
𝑞
For example
• Dimension 𝑛 = 4
• Modulus 𝑞 = 13
• Error distribution 𝜒. (±1 ← 𝜒 with prob ¼, 0 ← 𝜒 with ½ )
Given
0 6 0 −2 5 1
−6 6 0 −2 4 7
−5 6 6 3 −3 , 4
4 3 −2 1 1 9
−5−3−5−4−1 0
Q: LWE distribution or uniform distribution?
Remark.
• The distribution 𝜒 is called the “error distribution”. 𝜒 is
typically chosen to be a discrete Gaussian (normal) distribution
with small standard deviation.
• The hardness varies with the S.D. of 𝜒
“≥”
• Given 𝑝𝑜𝑙𝑦(𝑛) samples a LWE distribution 𝒜𝒔,𝑛,𝑞,𝜒 for some unknown 𝒔 ∈ ℤ𝑛𝑞 .
Claim we can solve it with a DLWE oracle.
If the modulus 𝑞 is 𝑝𝑜𝑙𝑦 𝑛 -bounded,
then DLWE=SLWE problem
“≥”
• Given 𝑝𝑜𝑙𝑦(𝑛) samples 𝒂𝒊 , 𝑏𝑖 from a LWE distribution 𝒜𝒔,𝑛,𝑞,𝜒 for some
unknown 𝒔 = 𝑠1 , … , 𝑠𝑛 𝑇
∈ ℤ𝑛𝑞 . Claim we can solve for 𝑠1 with a DLWE oracle.
1. Choose guessing 𝑘 ∈ ℤ𝑞 .
2. Define a transformation 𝜙𝑘 : ℤ𝑛𝑞 × ℤ𝑞 → ℤ𝑛𝑞 × ℤ𝑞 by
𝒂 + 𝑟 ′ , 𝑏 + 𝑘 ∙ 𝑟 ← 𝜙𝑘 𝒂, 𝑏 ,
where 𝑟 ∈ ℤ𝑞 is generated uniformly at random and 𝑟 ′ = 𝑟, 0, … , 0 𝑇
∈ ℤ𝑛𝑞 .
<Uniformly random>:
⇒?
If the modulus 𝑞 is 𝑝𝑜𝑙𝑦 𝑛 -bounded,
then DLWE=SLWE problem
“≥”
• Define a transformation 𝜙𝑘 : ℤ𝑛𝑞 × ℤ𝑞 → ℤ𝑛𝑞 × ℤ𝑞 by
𝒂 + 𝑟 ′ , 𝑏 + 𝑘 ∙ 𝑟 ← 𝜙𝑘 𝒂, 𝑏 ,
where 𝑟 ∈ ℤ𝑞 is generated uniformly at random and 𝑟 ′ = 𝑟, 0, … , 0 𝑇
∈ ℤ𝑛𝑞 .
<LWE samples>: 𝒂𝒊 , 𝑏𝑖 = 𝒂𝒊 , 𝒂𝒊 , 𝒔 + 𝑒𝑖
𝒂𝒊 + 𝑟 ′ , 𝑏𝑖 + 𝑘 ∙ 𝑟 = 𝒂𝒊 + 𝒓′ , 𝒂𝒊 + 𝒓′ , 𝑠 + 𝑒𝑖 + 𝑟 ∙ 𝑘 − 𝑠1
If 𝑘 = 𝑠1 , ⇒?
If 𝑘 ≠ 𝑠1 , ⇒?
Short Secret DLWE Problem:
Dimension 𝑛
Modulus 𝑞
Error distribution 𝜒
Adversary Challenger
𝐴, 𝒃
$
• Given LWE instances (𝐴 ∈ ℤ𝑛×𝑛
𝑞 , 𝒃 = 𝐴𝑇 𝑠 + 𝒆𝒔 ) where 𝐴 ← ℤ𝑛×𝑛
𝑞 ,
$
unknown 𝑠 ← ℤ𝑛𝑞 and 𝑒𝑠 generated from 𝜒. (DLWE problem setting)
• Say 𝐴 is invertible.
• Consider a transformation 𝜙: ℤ𝑛𝑞 × ℤ𝑞 → ℤ𝑛𝑞 × ℤ𝑞
𝜙 𝒂′ , 𝑏′ = −𝐴−1 𝒂′ , 𝑏′ + −𝐴−1 𝒂′ , 𝑏
• Given a LWE instance (𝒂′ ∈ ℤ𝑛𝑞 , 𝑏′ = 𝒂′ , 𝑠 + 𝑒 ′ )
• Compute:𝜙 𝒂′ , 𝑏′
= −𝐴−1 𝒂′ , −𝐴−1 𝒂′ , 𝑒𝑠 + 𝑒′
⇒?
A Taste of
Passive Security Proof with DLWE problem
$
𝐴 ← ℤ𝑛×𝑛
𝑞
𝒔𝒂 ← 𝜒 ; 𝒆𝒂 ← 𝜒 𝑛
𝑛
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 ∈ ℤ𝑛𝑞
𝐴, 𝒃 ∈ ℤ𝑛×𝑛
𝑞 × ℤ𝑛𝑞
𝒃′ , 𝑐 ∈ ℤ𝑛𝑞 × ℤ𝑞
𝑚 ∈ 0,1
𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
Decrypt:
𝑞 𝑒𝐵 ′ ← 𝜒
𝑐 − 𝒃′ 𝒔𝒂 = 𝑒𝑏′ − 𝒆𝑻𝑩 𝑠𝑎 ≈ 𝑚 ∙ 𝑚𝑜𝑑 𝑞
2 𝒃′ = 𝒔𝑻𝑩 𝐴 + 𝒆𝑻𝑩 ∈ ℤ𝑛𝑞
𝑞
𝑐= 𝒔𝑻𝑩 𝒃 + 𝑒𝐵′ +𝑚∙
2
Game0 (original protocol)
$
𝐴 ← ℤ𝑛×𝑛
𝑞
𝒔𝒂 ← 𝜒 𝑛 ; 𝒆𝒂 ← 𝜒 𝑛
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 ∈ ℤ𝑛𝑞
𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
𝑚 ∈ 0,1
𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
Decrypt:
𝑒𝐵 ′ ← 𝜒
𝑐 − 𝒃′ 𝒔𝒂 = 𝑒𝐵′ − 𝒆𝑻𝑩 𝑠𝑎
𝑞 𝒃′ = 𝒔𝑻𝑩 𝐴 + 𝒆𝑻𝑩 ∈ ℤ𝑛𝑞
≈ 𝑚 ∙ 2 𝑚𝑜𝑑 𝑞 𝑞
𝑐= 𝒔𝑻𝑩 𝒃 + 𝑒𝐵′ +𝑚∙
2
Game1
$
𝐴 ← ℤ𝑛×𝑛
𝑞
$
𝒃 ← ℤ𝑛𝑞
𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
𝑚 ∈ 0,1
𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
𝑒𝐵 ′ ← 𝜒
𝒃′ = 𝒔𝑻𝑩 𝐴 + 𝒆𝑻𝑩 ∈ ℤ𝑛𝑞
𝑞
𝑐= 𝒔𝑻𝑩 𝒃 + 𝑒𝐵′ +𝑚∙
2
Game2
$
𝐴 ← ℤ𝑛×𝑛
𝑞
$
𝒃 ← ℤ𝑛𝑞
𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
𝑚 ∈ 0,1
𝒔𝑩 ← 𝜒 𝑛
𝑒𝐵 ′ ← 𝜒
$
𝒃′ ← ℤ𝑛𝑞 𝑞
𝑻 ′
𝑐 = 𝒔𝑩 𝒃 + 𝑒𝐵 + 𝑚 ∙
2
Game3
$
𝐴 ← ℤ𝑛×𝑛
𝑞
$
𝒃 ← ℤ𝑛𝑞
𝐴, 𝒃
𝐴, 𝒃
𝒃′ , 𝑐
𝒃′ , 𝑐
𝑚
$
𝑚 ← 0,1
$
𝒃′ ← ℤ𝑛𝑞
$
𝑐 ← ℤ𝑞
Public Key Cryptosystems
Based on the LWE Problem
or Related Problems
Contents
• Review
• Diffie-Hellman Like Key Exchange
• Peikert’s Method
• RLWE in Brief
• NewHope
Review Lattice-based
cryptography
Multivariate
cryptography
Shor
Post-Quantum
Algorithm
Cryptography Code-based
etc. cryptography
Break
(quantum)
Hash-based
Integer cryptography
Factoring
Problem
Supersingular
Diffie-Hellman elliptic curve
Problem isogeny
(over ℤ𝑞 or elliptic curves)
cryptography
Review Lattice-based CVP
cryptography SVP
Multivariate
cryptography LWE
Post-Quantum
Cryptography Code-based
cryptography
Hash-based
cryptography
Supersingular
elliptic curve
isogeny
cryptography
Lattices in
Cryptography
𝑣 = min 𝑢
𝑢∈𝐿− 0
Hardness
• Oded Regev shows that 𝐿𝑊𝐸 ≥ 𝑎𝑝𝑝𝑟𝑜𝑥−𝑆(𝐼)𝑉𝑃 &
𝑎𝑝𝑝𝑟𝑜𝑥−GapSVP with a quantum reduction. There is also a
classical one in a bit more wider condition provided by Chris
Peikert.
• Specifically, with 𝑑𝑖𝑚𝑒𝑛𝑠𝑖𝑜𝑛 𝑛, modulus 𝑞 = 𝑝𝑜𝑙𝑦 𝑛 , and error
distribution (discrete normal/Gaussian distribution) 𝜒 of
standard deviation 𝛼𝑞,
𝐿𝑊𝐸𝑛,𝑞,𝜒 ≥ ( 𝑛/ 𝛼)−𝑆(𝐼)𝑉𝑃.
Diffie-Hellman Like Structure [DXL12]
$
𝐴 ← ℤ𝑛×𝑛
𝑞
𝒔𝒂 ← 𝜒 ; 𝒆𝒂 ← 𝜒 𝑛
𝑛 𝒔𝑩 , 𝒆𝑩 ← 𝜒 𝑛
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 ∈ ℤ𝑛𝑞 𝒃′ = 𝐴𝑇 𝒔𝑩 + 𝒆𝑩 ∈ ℤ𝑛𝑞
𝐴, 𝒃 ∈ ℤ𝑛×𝑛
𝑞 × ℤ𝑛𝑞
𝒃′ ∈ ℤ𝑞
𝒔𝑻𝒂 𝒃′ = 𝒔𝑻𝒂 𝐴𝑇 𝒔𝑩 + 𝒔𝑻𝒂 𝒆𝑩 = 48 𝑚𝑜𝑑 𝑞 𝒔𝑻𝑩 𝒃 = 𝒔𝑻𝑩 𝐴𝒔𝒂 + 𝒔𝑻𝑩 𝒆𝒂 = −47 𝑚𝑜𝑑 𝑞
Peikert’s Key Exchange (Sketch)
Chris Peikert
Error Tolerance: 𝑠𝑎 𝑒𝑏 − 𝑠𝑏 𝑒𝑎 ∞ ≤𝑞 8
43
2 42 −31
𝐴 = 45 −26 21
Example:
14 −5 −23 Peikert’s Method
−1 1 0 3
𝒔𝒂 = 2 ; 𝒆𝒂 = 0 𝒔𝑩 = 1 ; 𝒆𝑩 = −1
−2 −3 0 1
40 −8
𝒃 = 𝐴𝒔𝒂 + 𝒆𝒂 = −24 𝒃′ = 𝐴𝑇 𝒔𝑩 + 𝒆𝑩 = −7
−37 19
• Hardness Guarantee? ⋮
(−𝒄𝒏−𝟐 , −𝒄𝒏−𝟏 , … , 𝒄𝒏−𝟑 )
Hardness of Ring LWE
• Ring-LWE>approx-SIVP over ideal lattices.
• Suspicion:
1. Gap-SVP is not hard on ideal lattices.
2. SVP/SIVP is an NP-hard problem.
SIVP over ideal lattices???
•
Ring-LWE (RLWE)
• LWE is over ℤ𝑚×𝑛
𝑞 .
• Ring-LWE is over a ring 𝑅.
• Consider an ideal lattice on it.
• Typically, 𝑅 = ℤ 𝑥 𝑥 𝑛 + 1 where 𝑛 is power-of-2.
$
• For 𝑠 ← 𝜒, the RLWE distribution 𝐴𝑠,𝒳,𝑞,𝑛 over 𝑅𝑞 × 𝑅𝑞
$
which is sampled by choosing 𝑎 ∈ 𝑅𝑞 uniformly at random and 𝑒 ← 𝒳,
and output 𝑎, 𝑏 = 𝑎 ∙ 𝑠 + 𝑒 𝑚𝑜𝑑 𝑞
• Given poly(n) samples from 𝐴𝑠,𝒳,𝑞,𝑛 or uniformly random in 𝑅𝑞 × 𝑅𝑞 ,
determine where the samples from.
50
Diffie-Hellman Like Structure (Ring LWE form)
𝑅 = ℤ 𝑥 < 𝑥𝑛 + 1 >
𝑅𝑞 = 𝑅/𝑞𝑅
𝒳 ∶ an error distribution over 𝑅
(𝐴, 𝑢𝑎 = 𝐴𝑠𝑎 + 𝑒𝑎 )
$ $
𝐴 ← 𝑅𝑞 𝑠𝑏 , 𝑒𝑏 ← 𝜒
$
𝑠𝑎 , 𝑒𝑎 ← 𝜒 𝑢𝑏 = 𝐴𝑠𝑏 + 𝑒𝑏 𝑢𝑏 = 𝐴𝑠𝑏 + 𝑒𝑏
𝑢𝑎 = 𝐴𝑠𝑎 + 𝑒𝑎
𝑣𝑎 = 𝑠𝑎 𝑢𝑏 𝑣𝑏 = 𝑠𝑏 𝑢𝑎
𝑣𝑎 − 𝑣𝑏 = 𝑠𝑎 𝑒𝑏 − 𝑠𝑏 𝑒𝑎
= 𝑠𝑎 𝐴𝑠𝑏 + 𝑠𝑎 𝑒𝑏 = 𝑠𝑏 𝐴𝑠𝑎 + 𝑠𝑏 𝑒𝑎
If 𝒳 is 𝛽-bounded, then
𝑣𝑎 − 𝑣𝑏 ∞ = 𝑠𝑎 𝑒𝑏 − 𝑠𝑏 𝑒𝑎 ∞ ≤ 2𝑛𝛽2
with overwhelming probability
51
• The following is a “sketch” of the reconciliation mechanism.
Reconciliation in New Hope – Intuition1 (2 in 1 out)
Bob
Alice
Grey : k=1
White: k=0
Example
Alice Bob
Reconciliation in New Hope - Security
“0”?
“1”?
Drawback
• Whole “difference vector” is too heavy
Reconciliation in New Hope – Intuition2 (quantization)
Example
1 1 1 1
• 𝐷4 ⊆ ℤ4 𝑏𝑒 𝑎 𝑓𝑢𝑙𝑙 𝑙𝑎𝑡𝑡𝑖𝑐𝑒 𝑤𝑖𝑡ℎ 𝑏𝑎𝑠𝑖𝑠 𝑢1 , 𝑢2 , 𝑢3 , 𝑔 = , , ,
2 2 2 2
,
4
𝑤ℎ𝑒𝑟𝑒 𝑢𝑖 𝑖=1 𝑖𝑠 𝑡ℎ𝑒 𝑠𝑡𝑎𝑛𝑑𝑎𝑟𝑑 𝑏𝑎𝑠𝑖𝑠 𝑓𝑜𝑟 ℤ4
• 𝑪𝑽𝑷𝑫𝟒 ∶ 𝑎𝑛 𝐶𝑉𝑃 𝑎𝑙𝑔𝑜𝑟𝑖𝑡ℎ𝑚 𝑓𝑟𝑜𝑚 ℝ4 𝑡𝑜 𝐷4
$
• 𝑯𝒆𝒍𝒑𝑹𝒆𝒄 𝒙; 𝒃 ← 𝟎, 𝟏 ∶ 𝑎𝑛 𝑎𝑙𝑔. 𝑒𝑛𝑐𝑜𝑑𝑖𝑛𝑔 𝑡ℎ𝑒 𝑙𝑜𝑐𝑎𝑡𝑖𝑜𝑛 𝑖𝑛𝑓𝑜𝑟𝑚𝑎𝑡𝑖𝑜𝑛
• 𝑹𝒆𝒄 𝒙, 𝒓 ∶ 𝑟𝑒𝑐𝑜𝑛𝑐𝑖𝑙𝑖𝑎𝑡𝑖𝑜𝑛 𝑤𝑖𝑡ℎ 𝑡ℎ𝑒 𝑖𝑛𝑓𝑜𝑟𝑚𝑎𝑡𝑖𝑜𝑛 𝑟
Note: Including b, there are some technique in 𝐻𝑒𝑙𝑝𝑅𝑒𝑐 to remove the bias.
New Hope
• More precisely,
𝐹𝑟𝑒𝑠ℎ 𝒂
• In security of level 128, the previous schemes are built with n at most 512
• q=1 mod 2n: ensures the 𝑛𝑡ℎ root of unity 𝜔 & its square root 𝛾 exist in ℤ𝑞 ,
auxiliary elements in the algorithm.
Speed/cost:
• 𝑞 = 1 𝑚𝑜𝑑 2𝑛 & 𝑞 < 214 (NTT)
• 𝜓16 (cost down)
• Improved Rec/HelpRec (decreasing the modulus q)
Security/failure:
• Fresh 𝒂 (Against the all-for-the-price-of-one attacks)
• Improved Rec/HelpRec
• 𝑛 = 1024 (be wary)
Reference
• Google Security Blog:
https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html
• CECPQ1results:
https://www.imperialviolet.org/2016/11/28/cecpq1.html
• V. Lyubashevsky, C. Peikert, and O. Regev. On ideal lattices and learning with errors over rings.
• E. Alkim, Léo Ducas, Thomas Pöppelmann, Peter Schwabe . Post-quantum key exchange - a new
hope.
• Chris Peikert. Lattice cryptography for the internet. In International Workshop on Post-
Quantum Cryptography, pages 197–219. Springer, 2014.
• Jintai Ding. A simple provably secure key exchange scheme based on the learning with
errors problem. Cryptology ePrint Archive, Report 2012/688, 2012.
https://eprint.iacr.org/2012/688/20121210:115748.
• Jintai Ding, Xiang Xie, and Xiaodong Lin. A simple provably secure key exchange scheme
based on the learning with errors problem. Cryptology ePrint Archive, Report 2012/688
(29 Jul 2014 revised), 2012. http://eprint.iacr.org/2012/688.
• Oded Regev. The learning with errors problem. Invited survey in CCC, page 15, 2010.
Reference
• Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and composable
oblivious transfer. In Annual International Cryptology Conference, pages 554–571. Springer, 2008.
• Chris Peikert and Brent Waters. Lossy trapdoor functions and their applications. SIAM Journal on
Computing, 40(6):1803–1844, 2011.
• Chris Peikert. Public-key cryptosystems from the worst-case shortest vector problem. In
Proceedings of the forty-first annual ACM symposium on Theory of computing, pages
333–342. ACM, 2009.
• Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (leveled) fully homomorphic
encryption without bootstrapping. ACM Transactions on Computation Theory (TOCT),
6(3):13, 2014.
• Chris Peikert, Vinod Vaikuntanathan, and Brent Waters. A framework for efficient and
composable oblivious transfer. In Annual International Cryptology Conference, pages 554–
571. Springer, 2008.