How to Use a Short Basis: Trapdoors for Hard Lattices and New Cryptographic Constructions
Chris Peikert SRI
Work with Craig Gentry and Vinod Vaikuntanathan
1 / 14 Digital Signatures
2 / 14 Digital Signatures
(public)
(secret)
2 / 14 Digital Signatures
(public)
“I love you”
(secret)
2 / 14 Digital Signatures
(public)
(secret) “It’s over”
2 / 14 I Candidates: [RSA78,Rabin79,Paillier99] “General assumption” Applications: digital signatures, OT, NIZK, . . .
I All rely on hardness of factoring Complex: 2048-bit exponentiation Lack of diversity Broken by quantum algorithms [Shor]
Dom Dom
Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1
3 / 14 I Candidates: [RSA78,Rabin79,Paillier99] “General assumption” Applications: digital signatures, OT, NIZK, . . .
I All rely on hardness of factoring Complex: 2048-bit exponentiation Lack of diversity Broken by quantum algorithms [Shor]
Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1
f x y Dom Dom
3 / 14 I Candidates: [RSA78,Rabin79,Paillier99] “General assumption” Applications: digital signatures, OT, NIZK, . . .
I All rely on hardness of factoring Complex: 2048-bit exponentiation Lack of diversity Broken by quantum algorithms [Shor]
Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1
x y Dom Dom
3 / 14 I Candidates: [RSA78,Rabin79,Paillier99] “General assumption” Applications: digital signatures, OT, NIZK, . . .
I All rely on hardness of factoring Complex: 2048-bit exponentiation Lack of diversity Broken by quantum algorithms [Shor]
Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1
x y Dom Dom f −1
3 / 14 I All rely on hardness of factoring Complex: 2048-bit exponentiation Lack of diversity Broken by quantum algorithms [Shor]
Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1
x y Dom Dom f −1
I Candidates: [RSA78,Rabin79,Paillier99] “General assumption” Applications: digital signatures, OT, NIZK, . . .
3 / 14 Trapdoor Permutations [DiffieHellman76] I Public function f , secret “trapdoor” f −1
x y Dom Dom f −1
I Candidates: [RSA78,Rabin79,Paillier99] “General assumption” Applications: digital signatures, OT, NIZK, . . .
I All rely on hardness of factoring Complex: 2048-bit exponentiation Lack of diversity Broken by quantum algorithms [Shor]
3 / 14 What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev]
2 Public-key encryption [AjtaiDwork,Regev]
3 Recent developments [LyubMicc,PeikWat,. . . ]
What’s Missing I Everything else! Practical signatures, protocols, “advanced” crypto, . . .
Lattice-Based Cryptography What’s To Like I Simple & efficient: linear ops, small integers I Resist subexp & quantum attacks (so far) I Security from worst-case hardness [Ajtai,. . . ]
4 / 14 What’s Missing I Everything else! Practical signatures, protocols, “advanced” crypto, . . .
Lattice-Based Cryptography What’s To Like I Simple & efficient: linear ops, small integers I Resist subexp & quantum attacks (so far) I Security from worst-case hardness [Ajtai,. . . ]
What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev]
2 Public-key encryption [AjtaiDwork,Regev]
3 Recent developments [LyubMicc,PeikWat,. . . ]
4 / 14 Lattice-Based Cryptography What’s To Like I Simple & efficient: linear ops, small integers I Resist subexp & quantum attacks (so far) I Security from worst-case hardness [Ajtai,. . . ]
What’s Known 1 One-way & collision-resistant functions [Ajtai,. . . ,MicciancioRegev]
2 Public-key encryption [AjtaiDwork,Regev]
3 Recent developments [LyubMicc,PeikWat,. . . ]
What’s Missing I Everything else! Practical signatures, protocols, “advanced” crypto, . . .
4 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
x y D R
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
5 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x f y D R
5 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x f y D R
5 / 14 • Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x y f −1 D R
5 / 14 • “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x y f −1 D R
• Generate (x, y) in two equivalent ways: f f −1 D x y x y R
5 / 14 2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x y f −1 D R
• Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
5 / 14 3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x y f −1 D R
• Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
5 / 14 New Algorithmic Tool I “Oblivious decoder” on lattices
Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x y f −1 D R
• Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
5 / 14 Results: New Lattice-Based Crypto 1 Preimage sampleable trapdoor functions
x y f −1 D R
• Generate (x, y) in two equivalent ways: f f −1 D x y x y R
• “As good as” trapdoor permutations in many applications
2 “Hash and sign” signatures: FDH etc.
3 Identity-based encryption, OT [PVW], NCE [CDMW], NISZK [PV],...
New Algorithmic Tool I “Oblivious decoder” on lattices
5 / 14 Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.
Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.
Lattices
n A lattice L ⊂ R having basis B = {b1,..., bn} is:
n X b2 L = (Z · bi)
i=1 O b1
6 / 14 Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.
Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.
Lattices
n A lattice L ⊂ R having basis B = {b1,..., bn} is:
n X L = (Z · bi) b1 i=1 O
b2
6 / 14 Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.
Lattices
n A lattice L ⊂ R having basis B = {b1,..., bn} is:
n X L = (Z · bi) b1 i=1 O
b2
Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.
6 / 14 Lattices
n A lattice L ⊂ R having basis B = {b1,..., bn} is:
β n X t L = (Z · bi) b1 i=1 O
b2
Shortest Vector Problem (SVPγ) I Given B, find (nonzero) v ∈ L within γ factor of shortest.
Absolute Distance Decoding (ADDβ) n I Given B and target t ∈ R , find some v ∈ L within distance β.
6 / 14 I Decoding hard on average, too
Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:
ADD SVP n β as hard as β· random lattice every lattice
Bottom Line
I On random lattices, SVPγ and ADDβ seem exponentially hard
Complexity of Lattice Problems
SVPγ in the Worst Case
γ = O(1) poly(n) 2n
NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]
7 / 14 I Decoding hard on average, too
Bottom Line
I On random lattices, SVPγ and ADDβ seem exponentially hard
Complexity of Lattice Problems
SVPγ in the Worst Case
γ = O(1) poly(n) 2n
NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]
Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:
SVP SVPγ·n γ as hard as random lattice every lattice
7 / 14 Bottom Line
I On random lattices, SVPγ and ADDβ seem exponentially hard
Complexity of Lattice Problems
SVPγ in the Worst Case
γ = O(1) poly(n) 2n
NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]
Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:
ADD SVP n β as hard as β· random lattice every lattice
I Decoding hard on average, too
7 / 14 Complexity of Lattice Problems
SVPγ in the Worst Case
γ = O(1) poly(n) 2n
NP-hard 2n time poly(n) time [Ajt,Mic,Kho] [AKS] [LLL,Sch]
Average-Case I [Ajtai96,. . . ,MicciancioRegev04]:
ADD SVP n β as hard as β· random lattice every lattice
I Decoding hard on average, too
Bottom Line
I On random lattices, SVPγ and ADDβ seem exponentially hard
7 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
I Sign with “nearest-plane” algorithm [Babai]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S
s2
s1 b1
b2
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
s2
s1
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
8 / 14 2 Secret key leakage • Total break after several signatures [NguyenRegev]
GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness
8 / 14 GGH Signatures [GoldreichGoldwasserHalevi96] I “Hard” (public) verification basis B, short (secret) signing basis S I Sign with “nearest-plane” algorithm [Babai]
Issues 1 Generating short & hard bases together • Ad-hoc, no worst-case hardness 2 Secret key leakage • Total break after several signatures [NguyenRegev]
8 / 14 n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]
Gaussians and Lattices
9 / 14 n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]
Gaussians and Lattices
9 / 14 n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]
Gaussians and Lattices
9 / 14 Gaussians and Lattices
n “Uniform” in R when std dev ≥ shortest basis [Regev,MicciancioRegev]
9 / 14 I Input v ∈ L, error e I Uniform output t
I Conditional distribution is “discrete Gaussian” DL,t
Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]
Our Trapdoor Function
I “Hard” public basis B, s2 short secret basis S
[Ajtai99,AP08] b s1 1
b2
10 / 14 I Uniform output t
I Conditional distribution is “discrete Gaussian” DL,t
Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]
Our Trapdoor Function
I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e
10 / 14 I Uniform output t
I Conditional distribution is “discrete Gaussian” DL,t
Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]
Our Trapdoor Function
I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e
10 / 14 I Conditional distribution is “discrete Gaussian” DL,t
Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]
Our Trapdoor Function
I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e t I Uniform output t
10 / 14 I Conditional distribution is “discrete Gaussian” DL,t
Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]
Our Trapdoor Function
I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e t I Uniform output t
10 / 14 Our Trapdoor Function
I “Hard” public basis B, short secret basis S [Ajtai99,AP08] I Input v ∈ L, error e t I Uniform output t
I Conditional distribution is “discrete Gaussian” DL,t
Analysis tool in [Ban,AR,Reg,MR,Pei,. . . ]
10 / 14 I Randomized nearest-plane [Babai,Klein]
[Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
I Randomized nearest-plane [Babai,Klein]
s2
t s1
11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
I Randomized nearest-plane [Babai,Klein]
s2
t s1
11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
I Randomized nearest-plane [Babai,Klein]
s2
t s1
11 / 14 [Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
I Randomized nearest-plane [Babai,Klein]
s2
t s1
11 / 14 ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
I Randomized nearest-plane [Babai,Klein]
s2
t s1
[Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant
11 / 14 Inverting: Gaussian Sampler / Decoder
I Given basis S, samples DL,t for any std dev ≥ maxksik • Leaks nothing about S!
I Randomized nearest-plane [Babai,Klein]
s2
t s1
[Klein]: std dev ≤ min ks˜ik ⇒ solves CVP variant ∗ [This work]: std dev ≥ maxks˜ik ⇒ samples DL,t exactly
11 / 14 • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]:
12 / 14 • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk
12 / 14 • With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
12 / 14 I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . .
12 / 14 I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings
12 / 14 Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
12 / 14 msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
12 / 14 n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
12 / 14 −1 √ skID random ∈ f (y) random y
Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN
12 / 14 Identity-Based Encryption I Proposed by [Shamir84]: • Master keys mpk, msk • With mpk: encrypt to ID “Alice” or “Bob” or . . .
• With msk: extract skAlice or skBob or . . . I [BonehFranklin01]: bilinear pairings I [Cocks01]: quadratic residuosity (mod N = pq)
Lattice-based QR-based [Cocks,BGH]
mpk random lattice random N = p · q
msk trapdoor basis trapdoor p, q
n Hash(ID) uniform y ∈ R uniform y ∈ QRN −1 √ skID random ∈ f (y) random y
12 / 14 w
I For v ∈ L∗: hv, pki = hv, ski mod 1 I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]
Cryptosystem with Master Trapdoor Primal L Dual L∗
sk
pk
13 / 14 w
I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]
Cryptosystem with Master Trapdoor Primal L Dual L∗
v
sk
pk
I For v ∈ L∗: hv, pki = hv, ski mod 1
13 / 14 I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]
Cryptosystem with Master Trapdoor Primal L Dual L∗
v
sk w
pk
I For v ∈ L∗: hv, pki = hv, ski mod 1 I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement
13 / 14 Cryptosystem with Master Trapdoor Primal L Dual L∗
v
sk w
pk
I For v ∈ L∗: hv, pki = hv, ski mod 1 I For w ≈ v: hv, pki ≈ hw, ski mod 1 “quasi”-agreement I Security: decoding w, a.k.a. “learning with errors” • Quantum worst-case connection [Regev] • Now: classical worst-case hardness [P]
13 / 14 2 Practical “plain model” signatures ?
3 Relate factoring to lattice problems ?
4 “Essence” of quantum-immune crypto ?
Thanks!
(Artwork courtesy of xkcd.org)
Open Problems
1 Tighter sampling for random lattices ?
14 / 14 3 Relate factoring to lattice problems ?
4 “Essence” of quantum-immune crypto ?
Thanks!
(Artwork courtesy of xkcd.org)
Open Problems
1 Tighter sampling for random lattices ?
2 Practical “plain model” signatures ?
14 / 14 4 “Essence” of quantum-immune crypto ?
Thanks!
(Artwork courtesy of xkcd.org)
Open Problems
1 Tighter sampling for random lattices ?
2 Practical “plain model” signatures ?
3 Relate factoring to lattice problems ?
14 / 14 Thanks!
(Artwork courtesy of xkcd.org)
Open Problems
1 Tighter sampling for random lattices ?
2 Practical “plain model” signatures ?
3 Relate factoring to lattice problems ?
4 “Essence” of quantum-immune crypto ?
14 / 14 Open Problems
1 Tighter sampling for random lattices ?
2 Practical “plain model” signatures ?
3 Relate factoring to lattice problems ?
4 “Essence” of quantum-immune crypto ?
Thanks!
(Artwork courtesy of xkcd.org)
14 / 14