New Lattice Based Cryptographic Constructions

1
New Lattice Based Cryptographic Constructions
Oded Regev
2
Lattices

• Basis v1,,vn vectors in Rn
• The lattice is a1v1anvn for all integer
  a1,,an.
• What is the shortest vector u ?

v1v2
2v2
2v1
2v2-v1
v1
v2
2v2-2v1
0
3
Lattices not so easy
v1
v2
0
4
f(n)-unique-SVP (shortest vector problem)

• Promise the shortest vector u is shorter by a
  factor of f(n)
• Algorithm for 2n-unique SVP LLL82,Schnorr87
• Believed to be hard for any nc

2n
nc
1
believed hard
easy
5
History

• Geometric objects with rich structure
• Early work by Gauss 1801, Hermite 1850, Minkowski
  1896
• More recent developments
• LLL Algorithm - approximates the shortest vector
  in a lattice LenstraLenstraLovàsz82
• Factoring rational polynomials
• Solving integer programs in a fixed dimension
• Breaking knapsack cryptosystems
• Ajtais average case connection Ajtai96
• Lattice based cryptosystems

6
Question

• From which distribution is the following sequence
  taken?
• 478, 21, 431, 897, 150, 701, 929, 232

Uniform?
Prob
1
1000
Prob
Or wavy?
1
1000
7
The d,?-wavy Distribution

• Periodization of the normal distribution
• R2(2n2)
• Number of periods is d (usually integer)
• Ratio of period to standard dev. is ?
• distd 0,,R-1 ? 0,½ is the normalized
  distance from the nearest peak

?
d7
Prob
0
R-1
8
Main Theorem

• For all ??(n), a reduction from
• ?n1/2-unique Shortest Vector Problem
• to
• distinguishing between the uniform
  distribution and the d,?-wavy distributions
  with an integer dlt2(n2)

9
Average-case Theorem

• For all ??(n), a reduction from
• ?n1/2-unique Shortest Vector Problem
• to
• distinguishing between the uniform
  distribution and the d,?-wavy
• distributions for a non-negligible
• fraction of values d in 2(n2),22(n2)

10
Applications of Main Theorem

1. Public key encryption scheme
2. Collision resistant hash function
3. A problem in quantum computation

11
Cryptography

• Standard cryptography
• Usually based on factoring, discrete log,
  principal ideal problem
• Average case assumption
• Mostly broken by quantum computers
• Lattice based cryptography Ajtai96,
• Based on lattice problems
• Worst case assumption
• Still not broken by quantum computers

12
Application 1Public Key Encryption (PKE)

• Consists of private key, public key, encryption
  and decryption
• The Ajtai-Dwork cryptosystem AjtaiDwork96,Goldrei
  chGoldwasserHalevi97
• Previously, the only lattice based PKE with worst
  case assumption
• Based on n7-unique Shortest Vector Problem

13
Application 1Public Key Encryption (PKE)

• We construct a new lattice based PKE from the
  average-case theorem
• Very simple description
• Improves Ajtai-Dwork to n1.5-unique Shortest
  Vector Problem
• Uses integer numbers, very efficient

14
Application 2Collision Resistant Hash Function

• A function f0,1r?0,1s with rgts such that it
  is hard to find collisions, i.e.,
• x?y s.t. f(x)f(y)
• Many previous constructions Ajtai96,
  GoldreichGoldwasserHalevi96, CaiNerurkar97,
  Cai99, Micciancio02, Micciancio02
• Our construction is
• The first which is not based on Ajtais iterative
  step
• Somewhat stronger (based on n1.5-uSVP)

15
Application 3 Quantum Computation

• Quantum computers can break cryptography based on
  factoring Shor96
• Based on the HSP on Abelian groups
• What about lattice based cryptography?

16
Application 3 Quantum Computation

• Lattice based cryptography can be broken using
  the HSP on Dihedral groups R02
• Our main theorem explains the failure of previous
  attempts to solve the HSP on Dihedral groups
  EttingerHoyer00

17
Main Theorem

• For all ??(n), a reduction from
• ?n1/2-unique Shortest Vector Problem
• to
• distinguishing between the uniform
  distribution and the d,?-wavy distributions
  with an integer dlt2(n2)

18
Proof of theMain Theorem
19
Proof Outline
n1.5-Unique-SVP
decision problem
promise problem
n-dim distributions
Main theorem
20
Reduction toDecision Problem

• Given a n1.5-unique lattice, and a prime pgtn1.5
• Assume the shortest vector is
• u a1v1a2v2anvn
• Decide whether a1 is divisible by p

21
The Reduction

• Idea decrease the coefficients of the shortest
  vector
• If we find out that pa1 then we can replace the
  basis with pv1,v2,,vn .
• u is still in the new lattice
• u (a1/p)pv1 a2v2 anvn
• The same can be done whenever pai for some i

22
The Reduction

• But what if p ai for all i ?
• Consider the basis v1,v2-v1,v3,,vn
• The shortest vector is
• u (a1a2)v1 a2(v2-v1) a3v3 anvn
• The first coefficient is a1a2
• Similarly, we can set it to
• a1-bp/2ca2 ,, a1-a2 , a1 , a1a2 , ,
  a1bp/2ca2
• One of them is divisible by p, so we choose it
  and continue

23
Proof Outline
n1.5-Unique-SVP
?
decision problem
promise problem
n-dim distributions
Main theorem
24
Reduction fromDecision Problem

• Given a n1.5-unique lattice, and a prime pgtn1.5
• Assume the shortest vector is
• u a1v1a2v2anvn
• Decide whether a1 is divisible by p

25
Reduction toPromise Problem

• Given a lattice, distinguish between
• Case 1. Shortest vector is of length 1/n and all
  non-parallel vectors are of length more than ?n
• Case 2. Shortest vector is of length more than ?n

26
The reduction

• Input a basis (v1,,vn) of a n1.5 unique lattice
• Scale the lattice so that the shortest vector is
  of length 1/n
• Replace v1 by pv1. Let M be the resulting lattice
• If p a1 then M has shortest vector 1/n and all
  non-parallel vectors more than ?n
• If p a1 then M has shortest vector more than ?n

27
The input lattice L
L
1/n
?n
-u
0
u
2u
28
The lattice M

• The lattice M is spanned by pv1,v2,,vn
• If pa1, then u (a1/p)pv1 a2v2 anvn 2M

M
?n
1/n
0
u
29
The lattice M

• The lattice M is spanned by pv1,v2,,vn
• If p a1, then u M

M
?n
-pu
0
pu
30
Proof Outline
n1.5-Unique-SVP
?
decision problem
?
promise problem
n-dim distributions
Main theorem
31
Reduction fromPromise Problem

• Given a lattice, distinguish between
• Case 1. Shortest vector is of length 1/n and all
  non-parallel vectors are of length more than ?n
• Case 2. Shortest vector is of length more than ?n

32
n-dimensional distributions

• Distinguish between the distributions

?
Uniform
Wavy
33
Dual Lattice

• Given a lattice L, the dual lattice is
• L x 8y2L, ltx,ygt2Z

1/5
L
L
5
0
0
34
L - the dual of L
L
?n
Case 1
1/n
0
?n
Case 2
35
Reduction

• Choose a point randomly from L
• Perturb it by a Gaussian of radius ?n

36
Creating the Distribution
L
L perturb
0
Case 1
n
Case 2
37
Analyzing the Distribution

• Theorem (using Banaszczyk93)
• The distribution obtained above depends only on
  the points in L of distance ?n from the origin
• (up to an exponentially small error)
• Therefore,
• Case 1 Determined by multiples of u ?
• wavy on hyperplanes orthogonal to u
• Case 2 Determined by the origin ?
• uniform

38
Proof of Theorem

• For a set A in Rn, define
• Poisson Summation Formula implies
• Banaszczyks theorem
• For any lattice L,

39
Proof of Theorem (cont.)

• In Case 2, the distribution obtained is very
  close to uniform
• Because

40
Proof Outline
n1.5-Unique-SVP
?
decision problem
?
promise problem
?
n-dim distributions
Main theorem
41
n-dimensional distributions

• Distinguish between the distributions
• Given by an oracle that returns points inside a
  cube of side length 2n

?
Wavy
Uniform
42
Main Theorem

• Distinguish between the distributions

Uniform
0
R-1
Wavy
0
R-1
43
Reducing to 1-dimension

• First attempt sample and project to a line

44
Reducing to 1-dimension

• But then we lose the wavy structure!
• We should project only from points very close to
  the line

45
The solution

• Use the periodicity of the distribution
• Project on a dense line

46
The solution
47
The solution

• We choose the line that connects the origin to
  e1Ke2K2e3Kn-1en where K is large enough
• The distance between hyperplanes is n
• The sides are of length 2n
• Therefore, we choose K2O(n)
• Hence, dltO(Kn)2(O(n2))

48
Done
n1.5-Unique-SVP
?
decision problem
?
promise problem
?
n-dim distributions
?
Main theorem
49
From Worst-Case to Average-Case
50
Worst-case vs. Average-case

• Main theorem presents a problem that is hard in
  the worst-case distinguish between uniform and
  d,?-wavy distributions for all integers dlt2(n2)
• For cryptographic applications, we would like to
  have a problem that is hard on the average
  distinguish between uniform and d,?-wavy
  distributions for a non-negligible fraction of d
  in 2(n2), 22(n2)

51
Compressing

• The following procedure transforms d,?-wavy into
  2d,?-wavy for all integer d
• Sample a from the distribution
• Return either a/2 or (aR)/2 with probability ½
• In general, for any real a?1, we can compress
  d,?-wavy into ad,?-wavy
• Notice that compressing preserves the uniform
  distribution
• We show a reduction from worst-case to
  average-case

52
Reduction

• Assume there exists a distinguisher between
  uniform and d,?-wavy distribution for some
  non-negligible fraction of d in 2(n2),
  22(n2)
• Given either a uniform or a d,?-wavy distribution
  for some integer dlt2(n2) repeat the following
• Choose a in 1,,22(n2) according to a certain
  distribution
• Compress the distribution by a
• Check the distinguishers acceptance probability
• If for some a the acceptance probability differs
  from that of uniform sequences, return wavy
  otherwise, return uniform

53
Reduction

• Distribution is uniform
• After compression it is still uniform
• Hence, the distinguishers acceptance probability
  equals that of uniform sequences for all a
• Distribution is d,?-wavy
• After compression it is in the good range with
  some probability
• Hence, for some a, the distinguishers
  acceptance probability differs from that of
  uniform sequences

2(n2)
22(n2)
1


d
54
Application 1Public Key Encryption Scheme
55
PKE Description

• Let m2log2R4n2
• Private key
• A real number y chosen uniformly in
  2(n2),22(n2) such that y is close to an
  integer (?1/100m)
• Public key
• Choose integers Aa1,,am from the y,?-wavy
  distribution with ?n1e
• Lemma Public keys are indistinguishable from
  uniform sequences (based on n1.5e unique-SVP)

56
PKE Description (cont.)

• Private key y
• Public key Aa1,,am
• Encryption
• Bit 0 a number chosen uniformly in 0,,R-1
• Bit 1 the sum of a random subset of A mod R
• Decryption of w
• If disty(w)lt1/50 then 1 otherwise 0

57
PKE Correctness

• Encryption of the bit 0
• With probability 96, disty(?Sai)gt1/50
• These errors can be avoided
• Encryption of the bit 1
• For a subset S, with high probability,
• disty(?Sai)lt1/100
• Using ?Sai lt mR,
• disty(?Sai mod R)lt1/50

58
PKE - Security

• Lemma If a1,,am is a uniform sequence then
  both encryptions of 0 and of 1 are uniform
• Hence, distinguishing between encryptions of 0
  and 1 implies distinguishing between public keys
  and uniform sequences!

Enc(0) ? Enc(1)
public key a1,,am
Enc(0) Enc(1)
uniform a1,,am
59
PKE Security

• Lemma Public keys are indistinguishable from
  uniform sequences (based on n1.5e unique-SVP)
• Proof Follows from the average-case theorem
  (since we choose y from a set of size 1/(50m) of
  all 2(n2),22(n2))

60
Application 2Collision Resistant Hash Function
61
Collision Resistant Hash Function

• Choose a1,,am uniformly in 0,,R-1 where
  m2log2R4n2. Then
• ?b1,,bm?0,1, f(b1,,bm)Sbiai mod R
• We will see a simpler proof based on n2.5e-uSVP

62
Collision Resistant Hash Function

• Assume there exists a collision finding algorithm
  C
• I.e., with non-negligible probability, given
  a1,,am chosen uniformly, C finds c1,,cm?-1,
  0,1 (not all zero) such that
• Saici 0 (mod R)

63
Collision Resistant Hash Function

• We show how to distinguish between the uniform
  and the d,?-wavy with ?n2e using C
• Choose z uniformly from 0,,R-1
• With probability 0.9, distd(z) gt 1/20
• Repeat the following enough times
• Choose a1,,am from the unknown distribution
• Call C with a1,,ak-1,(akz mod R),ak1,,am
  where k is chosen uniformly from 1,,m
• If ck is always zero or C keeps failing, say
  wavy otherwise uniform

64
Correctness

• Distribution is uniform
• a1,,ak-1,(akz mod R),ak1,,am has the same
  distribution as a uniform sequence
• Therefore, C answers with non-negligible
  probability and ck?0 with probability at least
  1/m
• Distribution is d,?-wavy
• W.h.p., ?i?1,,m, distd(ai) lt 1/(100n2)
• For all c1,,cm?-1,0,1, distd(Sciai) lt 1/25
  (since m4n2)
• Therefore, if z has distd(z) gt 1/20 then it can
  never be included in the sum, i.e., ck0

65
Application 3Quantum Computation The Dihedral
HSP
66
Hidden Subgroup Problem

• Given a function that is constant and distinct on
  cosets of H?G, find H
• Solved for Abelian groups
• Also for certain non-Abelian groups
  RöttelerBeth98,HallgrenRussellTashma00,GrigniSc
  hulmanVaziraniVazirani01
• Still open for many groups. In particular
• Symmetric group
• Dihedral group (ZN?Z2)

67
Solving Dihedral HSP

• Two approaches
• Ettinger and Høyer 00
• Reduction to Period finding from samples
• R 02, Kuperberg 03
• Reduction to average case subset sum

68
Solving Dihedral HSP

• Idea of Ettinger and Høyer
• Reduce to Hidden Translation on ZN
• Given an oracle that outputs states of
• the form xixdi where x is arbitrary
• and d is fixed, find d
• Take the Fourier transform
• Measure

69
Period Finding from Samples

• Find the period of the following (cos2)
  distribution by sampling
• EH showed that there is enough information in a
  polynomial number of samples
• Open question in EH is there an efficient
  solution to this problem?

R-1
0
70
Reduction

• Lemma A distinguisher between cos2 and the
  uniform distribution implies a distinguisher
  between the wavy and uniform distribution

71
Guess the period and add noise
72
Reduction

• Corollary finding the period of the cos2
  distribution is hard
• Proof Since all cos2 distributions look like
  uniform, they all look the same

73
Conclusion

• Main theorem
• Average case form
• Applications
• Strong public key encryption scheme
• Collision resistant hash function
• Solution to an open question in quantum
  computation
• Other applications?