How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions

Chris Peikert SRI

Work with Craig Gentry and Vinod Vaikuntanathan

1 / 14 Digital Signatures

2 / 14 Digital Signatures

(public)

(secret)

2 / 14 Digital Signatures

(public)

“I love you” 

(secret)

2 / 14 Digital Signatures

(public)

(secret) “It’s over” 

2 / 14 I Candidates: [RSA78,Rabin79,Paillier99]  “General assumption”  Applications: digital signatures, OT, NIZK, . . .

I All rely on hardness of factoring  Complex: 2048-bit exponentiation  Lack of diversity  Broken by quantum algorithms [Shor]

Dom Dom

Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1

3 / 14 I Candidates: [RSA78,Rabin79,Paillier99]  “General assumption”  Applications: digital signatures, OT, NIZK, . . .

I All rely on hardness of factoring  Complex: 2048-bit exponentiation  Lack of diversity  Broken by quantum algorithms [Shor]

Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1

f x y Dom Dom

3 / 14 I Candidates: [RSA78,Rabin79,Paillier99]  “General assumption”  Applications: digital signatures, OT, NIZK, . . .

I All rely on hardness of factoring  Complex: 2048-bit exponentiation  Lack of diversity  Broken by quantum algorithms [Shor]

Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1

x y Dom Dom

3 / 14 I Candidates: [RSA78,Rabin79,Paillier99]  “General assumption”  Applications: digital signatures, OT, NIZK, . . .

I All rely on hardness of factoring  Complex: 2048-bit exponentiation  Lack of diversity  Broken by quantum algorithms [Shor]

Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1

x y Dom Dom f −1

3 / 14 I All rely on hardness of factoring  Complex: 2048-bit exponentiation  Lack of diversity  Broken by quantum algorithms [Shor]

Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1

x y Dom Dom f −1

I Candidates: [RSA78,Rabin79,Paillier99]  “General assumption”  Applications: digital signatures, OT, NIZK, . . .

3 / 14 Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1

x y Dom Dom f −1

I Candidates: [RSA78,Rabin79,Paillier99]  “General assumption”  Applications: digital signatures, OT, NIZK, . . .

I All rely on hardness of factoring  Complex: 2048-bit exponentiation  Lack of diversity  Broken by quantum algorithms [Shor]

3 / 14 What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev]

2 Public- [AjtaiDwork,Regev]

3 Recent developments [LyubMicc,PeikWat,. . . ]

What’s Missing I Everything else! Practical signatures, protocols, “advanced” crypto, . . .

Lattice-Based What’s To Like I Simple & efficient: linear ops, small integers I Resist subexp & quantum attacks (so far) I Security from worst-case hardness [Ajtai,. . . ]

4 / 14 What’s Missing I Everything else! Practical signatures, protocols, “advanced” crypto, . . .

Lattice-Based Cryptography What’s To Like I Simple & efficient: linear ops, small integers I Resist subexp & quantum attacks (so far) I Security from worst-case hardness [Ajtai,. . . ]

What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev]

2 Public-key encryption [AjtaiDwork,Regev]

3 Recent developments [LyubMicc,PeikWat,. . . ]

4 / 14 Lattice-Based Cryptography What’s To Like I Simple & efficient: linear ops, small integers I Resist subexp & quantum attacks (so far) I Security from worst-case hardness [Ajtai,. . . ]

What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev]

2 Public-key encryption [AjtaiDwork,Regev]

3 Recent developments [LyubMicc,PeikWat,. . . ]

What’s Missing I Everything else! Practical signatures, protocols, “advanced” crypto, . . .

4 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

x y D R

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

5 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x f y D R

5 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x f y D R

5 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x y f −1 D R

5 / 14 • “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x y f −1 D R

• Generate (x, y) in two equivalent ways: f f −1 D x y x y R

5 / 14 2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x y f −1 D R

• Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

5 / 14 3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x y f −1 D R

• Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

5 / 14 New Algorithmic Tool I “Oblivious decoder” on lattices

Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x y f −1 D R

• Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

5 / 14 Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions

x y f −1 D R

• Generate (x, y) in two equivalent ways: f f −1 D x y x y R

• “As good as” trapdoor permutations in many applications

2 “Hash and sign” signatures: FDH etc.

3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...

New Algorithmic Tool I “Oblivious decoder” on lattices

5 / 14 Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.

Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.

Lattices

n A lattice L ⊂ R having basis B = {b1,..., bn} is:

n X b2 L = (Z · bi)

i=1 O b1

6 / 14 Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.

Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.

Lattices

n A lattice L ⊂ R having basis B = {b1,..., bn} is:

n X L = (Z · bi) b1 i=1 O

b2

6 / 14 Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.

Lattices

n A lattice L ⊂ R having basis B = {b1,..., bn} is:

n X L = (Z · bi) b1 i=1 O

b2

Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.

6 / 14 Lattices

n A lattice L ⊂ R having basis B = {b1,..., bn} is:

β n X t L = (Z · bi) b1 i=1 O

b2

Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.

Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.

6 / 14 I Decoding hard on average, too

Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:

ADD SVP n β as hard as β· random lattice every lattice

Bottom Line

I On random lattices, SVPγ and ADDβ seem exponentially hard

Complexity of Lattice Problems

SVPγ in the Worst Case

γ = O(1) poly(n) 2n

NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]

7 / 14 I Decoding hard on average, too

Bottom Line

I On random lattices, SVPγ and ADDβ seem exponentially hard

Complexity of Lattice Problems

SVPγ in the Worst Case

γ = O(1) poly(n) 2n

NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]

Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:

SVP SVPγ·n γ as hard as random lattice every lattice

7 / 14 Bottom Line

I On random lattices, SVPγ and ADDβ seem exponentially hard

Complexity of Lattice Problems

SVPγ in the Worst Case

γ = O(1) poly(n) 2n

NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]

Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:

ADD SVP n β as hard as β· random lattice every lattice

I Decoding hard on average, too

7 / 14 Complexity of Lattice Problems

SVPγ in the Worst Case

γ = O(1) poly(n) 2n

NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]

Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:

ADD SVP n β as hard as β· random lattice every lattice

I Decoding hard on average, too

Bottom Line

I On random lattices, SVPγ and ADDβ seem exponentially hard

7 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

I Sign with “nearest-plane” algorithm [Babai]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S

s2

s1 b1

b2

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

s2

s1

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]

GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness

8 / 14 GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]

Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness 2 Secret key leakage • Total break after several signatures [NguyenRegev]

8 / 14 n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]

Gaussians and Lattices

9 / 14 n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]

Gaussians and Lattices

9 / 14 n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]

Gaussians and Lattices

9 / 14 Gaussians and Lattices

n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]

9 / 14 I Input v ∈ L, error e I Uniform output t

I Conditional distribution is “discrete Gaussian” DL,t

Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]

Our Trapdoor Function

I “Hard” public basis B, s2 short secret basis S

[Ajtai99,AP08] b s1 1

b2

10 / 14 I Uniform output t

I Conditional distribution is “discrete Gaussian” DL,t

Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]

Our Trapdoor Function

I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e

10 / 14 I Uniform output t

I Conditional distribution is “discrete Gaussian” DL,t

Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]

Our Trapdoor Function

I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e

10 / 14 I Conditional distribution is “discrete Gaussian” DL,t

Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]

Our Trapdoor Function

I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e t I Uniform output t

10 / 14 I Conditional distribution is “discrete Gaussian” DL,t

Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]

Our Trapdoor Function

I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e t I Uniform output t

10 / 14 Our Trapdoor Function

I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e t I Uniform output t

I Conditional distribution is “discrete Gaussian” DL,t

Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]

10 / 14 I Randomized nearest-plane [Babai,Klein]

[Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

I Randomized nearest-plane [Babai,Klein]

s2

t s1

11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

I Randomized nearest-plane [Babai,Klein]

s2

t s1

11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

I Randomized nearest-plane [Babai,Klein]

s2

t s1

11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

I Randomized nearest-plane [Babai,Klein]

s2

t s1

11 / 14 ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

I Randomized nearest-plane [Babai,Klein]

s2

t s1

[Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant

11 / 14 Inverting: Gaussian Sampler / Decoder

I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!

I Randomized nearest-plane [Babai,Klein]

s2

t s1

[Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly

11 / 14 • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p ·

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]:

12 / 14 • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk

12 / 14 • With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

12 / 14 I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . .

12 / 14 I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings

12 / 14 Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

12 / 14 msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

12 / 14 n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

12 / 14 −1 √ skID random ∈ f (y) random y

Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN

12 / 14 Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .

• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)

Lattice-based QR-based [Cocks,BGH]

mpk random lattice random N = p · q

msk trapdoor basis trapdoor p, q

n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y

12 / 14 w

I For v ∈ L∗: hv, pki = hv, ski mod 1 I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement I Security: decoding w, a.k.a. “” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]

Cryptosystem with Master Trapdoor Primal L Dual L∗

sk

pk

13 / 14 w

I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]

Cryptosystem with Master Trapdoor Primal L Dual L∗

v

sk

pk

I For v ∈ L∗: hv, pki = hv, ski mod 1

13 / 14 I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]

Cryptosystem with Master Trapdoor Primal L Dual L∗

v

sk w

pk

I For v ∈ L∗: hv, pki = hv, ski mod 1 I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement

13 / 14 Cryptosystem with Master Trapdoor Primal L Dual L∗

v

sk w

pk

I For v ∈ L∗: hv, pki = hv, ski mod 1 I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]

13 / 14 2 Practical “plain model” signatures ?

3 Relate factoring to lattice problems ?

4 “Essence” of quantum-immune crypto ?

Thanks!

(Artwork courtesy of xkcd.org)

Open Problems

1 Tighter sampling for random lattices ?

14 / 14 3 Relate factoring to lattice problems ?

4 “Essence” of quantum-immune crypto ?

Thanks!

(Artwork courtesy of xkcd.org)

Open Problems

1 Tighter sampling for random lattices ?

2 Practical “plain model” signatures ?

14 / 14 4 “Essence” of quantum-immune crypto ?

Thanks!

(Artwork courtesy of xkcd.org)

Open Problems

1 Tighter sampling for random lattices ?

2 Practical “plain model” signatures ?

3 Relate factoring to lattice problems ?

14 / 14 Thanks!

(Artwork courtesy of xkcd.org)

Open Problems

1 Tighter sampling for random lattices ?

2 Practical “plain model” signatures ?

3 Relate factoring to lattice problems ?

4 “Essence” of quantum-immune crypto ?

14 / 14 Open Problems

1 Tighter sampling for random lattices ?

2 Practical “plain model” signatures ?

3 Relate factoring to lattice problems ?

4 “Essence” of quantum-immune crypto ?

Thanks!

(Artwork courtesy of xkcd.org)

14 / 14