Lattice-Based Cryptography
Chris Peikert University of Michigan
QCrypt 2016
1 / 24 Agenda
1 Foundations: lattice problems, SIS/LWE and their applications
2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices
3 Practical Implementations: BLISS, NewHope, Frodo, HElib, Λ◦λ,...
4 Along the Way: open questions, research directions
2 / 24 Foundations
3 / 24 I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related
Why? I Efficient: linear, embarrassingly parallel operations
Lattice-Based Cryptography
p x mod = g y N = =⇒ N p · me mod q e(ga, gb)
(Images courtesy xkcd.org) 4 / 24 I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related
p x mod = g y N = N p · me mod q e(ga, gb)
Why? I Efficient: linear, embarrassingly parallel operations
Lattice-Based Cryptography
=⇒
(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)
I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related
Lattice-Based Cryptography
=⇒
Why? I Efficient: linear, embarrassingly parallel operations
(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)
I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related
Lattice-Based Cryptography
=⇒
Why? I Efficient: linear, embarrassingly parallel operations I Resists quantum attacks (so far)
(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)
I Solutions to ‘holy grail’ problems in crypto: FHE and related
Lattice-Based Cryptography
=⇒
Why? I Efficient: linear, embarrassingly parallel operations I Resists quantum attacks (so far) I Security from mild worst-case assumptions
(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)
Lattice-Based Cryptography
=⇒
Why? I Efficient: linear, embarrassingly parallel operations I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related
(Images courtesy xkcd.org) 4 / 24 (Other representations too . . . )
I Basis B = {b1,..., bm} :
m X L = (Z · bi) i=1
Hard Lattice Problems
I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).
What’s a Lattice?
m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)
O
5 / 24 (Other representations too . . . )
Hard Lattice Problems
I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).
What’s a Lattice?
m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)
I Basis B = {b1,..., bm} :
m X L = (Z · bi) b2 i=1 b1
O
5 / 24 (Other representations too . . . )
Hard Lattice Problems
I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).
What’s a Lattice?
m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)
I Basis B = {b1,..., bm} :
m X L = (Z · bi) b1 i=1
b O 2
5 / 24 Hard Lattice Problems
I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).
What’s a Lattice?
m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)
I Basis B = {b1,..., bm} :
m X L = (Z · bi) b1 i=1
b2 (Other representations too . . . ) O
5 / 24 What’s a Lattice?
m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)
I Basis B = {b1,..., bm} :
m X L = (Z · bi) b1 i=1
b2 (Other representations too . . . ) O
Hard Lattice Problems
I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).
5 / 24 m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.
Collision-Resistant Hash Function
m I Goal: find nontrivial z ∈ {0, ±1} such that:
A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q
6 / 24 m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.
Collision-Resistant Hash Function
m I Goal: find nontrivial z ∈ {0, ±1} such that:
| z1 · + z2 · + + zm · = 0 |
A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q
| | | n a1 a2 ··· am ∈ Zq | | |
6 / 24 m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.
Collision-Resistant Hash Function
A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q I Goal: find nontrivial z1, . . . , zm ∈ {0, ±1} such that:
| | | | n z1 · a1 + z2 · a2 + ··· + zm · am = 0 ∈ Zq | | | |
6 / 24 . . . yields solution z = x − x0 ∈ {0, ±1}m.
m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...
Collision-Resistant Hash Function
A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:
n ···· A ···· z = 0 ∈ Zq
| {zm }
6 / 24 . . . yields solution z = x − x0 ∈ {0, ±1}m.
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...
A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:
n ···· A ···· z = 0 ∈ Zq
| {zm } Collision-Resistant Hash Function m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
6 / 24 . . . yields solution z = x − x0 ∈ {0, ±1}m.
A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:
n ···· A ···· z = 0 ∈ Zq
| {zm } Collision-Resistant Hash Function m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...
6 / 24 A Hard Problem: Short Integer Solution [Ajtai’96]
n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:
n ···· A ···· z = 0 ∈ Zq
| {zm } Collision-Resistant Hash Function m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq
fA(x) = Ax
m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.
6 / 24 Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice
n×m I A ∈ Zq defines a ‘q-ary’ lattice:
⊥ m L (A) = {z ∈ Z : Az = 0}
O I ‘Short’ solutions z lie in
Cool! (But what does this have to do with lattices?)
7 / 24 I ‘Short’ solutions z lie in
Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice
Cool! (But what does this have to do with lattices?)
n×m I A ∈ Zq defines a ‘q-ary’ lattice:
⊥ m L (A) = {z ∈ Z : Az = 0}
O
7 / 24 I ‘Short’ solutions z lie in
Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice
Cool! (But what does this have to do with lattices?) (0, q)
n×m I A ∈ Zq defines a ‘q-ary’ lattice:
⊥ m L (A) = {z ∈ Z : Az = 0}
(q, 0) O
7 / 24 Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice
Cool! (But what does this have to do with lattices?) (0, q)
n×m I A ∈ Zq defines a ‘q-ary’ lattice:
⊥ m L (A) = {z ∈ Z : Az = 0}
(q, 0) O I ‘Short’ solutions z lie in
7 / 24 Cool! (But what does this have to do with lattices?) (0, q)
n×m I A ∈ Zq defines a ‘q-ary’ lattice:
⊥ m L (A) = {z ∈ Z : Az = 0}
(q, 0) O I ‘Short’ solutions z lie in
Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice
7 / 24 Draw z from a distribution that reveals nothing about secret key:
I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!
m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq .
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T.
8 / 24 I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!
Draw z from a distribution that reveals nothing about secret key:
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq .
8 / 24 I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq . Draw z from a distribution that reveals nothing about secret key:
8 / 24 I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!
Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq . Draw z from a distribution that reveals nothing about secret key:
I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short.
8 / 24 Application: Digital Signatures [GentryPeikertVaikuntanathan’08]
I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq . Draw z from a distribution that reveals nothing about secret key:
I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!
8 / 24 √ n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
n I Search: find secret s ∈ Zq given many ‘noisy inner products’
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution
9 / 24 I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
√ n ≤ error q, ‘rate’ α
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’
n a1 ← Zq ,b 1 ≈ hs , a1i mod q n a2 ← Zq ,b 2 ≈ hs , a2i mod q . .
9 / 24 I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’
n a1 ← Zq ,b 1 = hs , a1i + e1 ∈ Zq n a2 ← Zq ,b 2 = hs , a2i + e2 ∈ Zq . . √ n ≤ error q, ‘rate’ α
9 / 24 I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ]
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’ t t t ··· A ··· , ··· b ··· = s A + e
√ n ≤ error q, ‘rate’ α
9 / 24 I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ]
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’ t t t ··· A ··· , ··· b ··· = s A + e
√ n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b)
9 / 24 I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]
Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’ t t t ··· A ··· , ··· b ··· = s A + e
√ n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ]
9 / 24 Another Hard Problem: Learning With Errors [Regev’05]
I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’ t t t ··· A ··· , ··· b ··· = s A + e
√ n ≤ error q, ‘rate’ α
I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13] 9 / 24 Key Exchange, Public Key Encryption Oblivious Transfer Actively Secure Encryption (w/o random oracles) Block Ciphers, PRFs
Identity-Based Encryption (w/ RO) Hierarchical ID-Based Encryption (w/o RO)
!!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies
and much, much more. . .
LWE is Versatile What kinds of crypto can we do with LWE?
10 / 24 Identity-Based Encryption (w/ RO) Hierarchical ID-Based Encryption (w/o RO)
!!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies
and much, much more. . .
LWE is Versatile What kinds of crypto can we do with LWE?
Key Exchange, Public Key Encryption Oblivious Transfer Actively Secure Encryption (w/o random oracles) Block Ciphers, PRFs
10 / 24 !!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies
and much, much more. . .
LWE is Versatile What kinds of crypto can we do with LWE?
Key Exchange, Public Key Encryption Oblivious Transfer Actively Secure Encryption (w/o random oracles) Block Ciphers, PRFs
Identity-Based Encryption (w/ RO) Hierarchical ID-Based Encryption (w/o RO)
10 / 24 LWE is Versatile What kinds of crypto can we do with LWE?
Key Exchange, Public Key Encryption Oblivious Transfer Actively Secure Encryption (w/o random oracles) Block Ciphers, PRFs
Identity-Based Encryption (w/ RO) Hierarchical ID-Based Encryption (w/o RO)
!!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies
and much, much more. . .
10 / 24 by decision-LWE
t t n u ≈ r · A ∈ Zq
n v ≈ A · s ∈ Zq
(A, u, v,k )
Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
11 / 24 by decision-LWE
n v ≈ A · s ∈ Zq
(A, u, v,k )
Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
t t n u ≈ r · A ∈ Zq
11 / 24 by decision-LWE
(A, u, v,k )
Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
t t n u ≈ r · A ∈ Zq
n v ≈ A · s ∈ Zq
11 / 24 by decision-LWE
(A, u, v,k )
Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
t t n u ≈ r · A ∈ Zq
n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs
11 / 24 by decision-LWE
Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
t t n u ≈ r · A ∈ Zq
n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs
(A, u, v,k )
11 / 24 Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
t t n u ≈ r · A ∈ Zq
n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs
(A, u, v,k ) by decision-LWE
11 / 24 Key Exchange from LWE [Regev’05,LP’11]
n n×n n r ← Z (error) A ← Zq s ← Z (error)
t t n u ≈ r · A ∈ Zq
n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs
(A, u, v,k ) by decision-LWE
11 / 24 Efficiency from Rings
12 / 24 I Can amortize each ai over many secrets sj, but still O˜(n) work per scalar output. I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn } I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.
SIS/LWE are (Sort Of) Efficient
I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product ··· ai ··· s + ei = bi ∈ Zq . .
13 / 24 I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn } I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.
SIS/LWE are (Sort Of) Efficient
I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product ··· ai ··· s + ei = bi ∈ Zq I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output.
13 / 24 I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.
SIS/LWE are (Sort Of) Efficient
I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product ··· ai ··· s + ei = bi ∈ Zq I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output. I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn }
13 / 24 SIS/LWE are (Sort Of) Efficient
I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product ··· ai ··· s + ei = bi ∈ Zq I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output. I Cryptosystems have rather large keys: . . . . pk = A , b Ω(n) . . . .
| {zn } I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.
13 / 24 I Careful! With small error, coordinate-wise multiplication is insecure!
I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom?
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
Wishful Thinking. . . I Get n pseudorandom scalars . . . . . . . . from just one (cheap) n product operation? ai?s+ei = bi ∈ Zq . . . . n×n n . . . . I Replace Zq -chunks by Zq .
14 / 24 I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
I Careful! With small error, coordinate-wise multiplication is insecure!
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
Wishful Thinking. . . I Get n pseudorandom scalars . . . . . . . . from just one (cheap) n product operation? ai?s+ei = bi ∈ Zq . . . . n×n n . . . . I Replace Zq -chunks by Zq .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom?
14 / 24 I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
Wishful Thinking. . . I Get n pseudorandom scalars . . . . . . . . from just one (cheap) n product operation? ai?s+ei = bi ∈ Zq . . . . n×n n . . . . I Replace Zq -chunks by Zq .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!
14 / 24 I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]
Wishful Thinking. . . I Get n pseudorandom scalars . . . . . . . . from just one (cheap) n product operation? ai?s+ei = bi ∈ Zq . . . . n×n n . . . . I Replace Zq -chunks by Zq .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.
14 / 24 Wishful Thinking. . . I Get n pseudorandom scalars . . . . . . . . from just one (cheap) n product operation? ai?s+ei = bi ∈ Zq . . . . n×n n . . . . I Replace Zq -chunks by Zq .
Question
I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!
Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q. I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ] 14 / 24 I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq
a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .
I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
LWE Over Rings, Over Simplified
n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
15 / 24 I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq
a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .
I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
LWE Over Rings, Over Simplified
n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
15 / 24 I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
LWE Over Rings, Over Simplified
n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq
a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .
15 / 24 LWE Over Rings, Over Simplified
n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR
F Elements of Rq are deg < n polynomials with mod-q coefficients
F Operations in Rq are very efficient using FFT-like algorithms
I Search: find secret ring element s(X) ∈ Rq, given:
a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq
a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .
I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)
15 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
16 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
16 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
I Then:
decision R-LWE ≤ lots of crypto
Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s.
16 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
16 / 24 Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]
I Two main theorems (reductions):
worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)
1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).
2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:
decision R-LWE ≤ lots of crypto
F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...
16 / 24 1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.
n To get ideal lattices, embed R and its ideals into R . How?
Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.
17 / 24 + is coordinate-wise, but analyzing · is cumbersome.
2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.
1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z
Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How?
17 / 24 2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.
+ is coordinate-wise, but analyzing · is cumbersome.
Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How? 1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z
17 / 24 Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.
2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C
Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How? 1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
17 / 24 Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.
Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into C . How? 1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C
17 / 24 Error distribution is Gaussian in canonical embedding.
Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into C . How? 1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise.
17 / 24 Ideal Lattices
n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How? 1 Obvious answer: ‘coefficient embedding’
n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.
2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:
1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.
17 / 24 I I = hX − 2, −3X + 1i is an ideal in R.
σ(X − 2) σ(−3X + 1)
(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I.
Ideal Lattices
2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i.
σ(X) = (i, −i) σ(1) = (1, 1)
18 / 24 (Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I.
Ideal Lattices
2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i) σ(1) = (1, 1)
σ(X − 2) σ(−3X + 1)
18 / 24 Ideal Lattices
2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.
σ(X) = (i, −i) σ(1) = (1, 1)
σ(X − 2) σ(−3X + 1)
(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I. 18 / 24 F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.
√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?
2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
R-LWE samples (ai,b i) don’t readily translate to ideals in R.
Complexity of Ideal Lattices
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?
19 / 24 F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.
√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?
2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
Complexity of Ideal Lattices
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai,b i) don’t readily translate to ideals in R.
19 / 24 F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.
√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?
Complexity of Ideal Lattices
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai,b i) don’t readily translate to ideals in R.
2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
19 / 24 √ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?
Complexity of Ideal Lattices
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai,b i) don’t readily translate to ideals in R.
2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.
19 / 24 √ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?
Complexity of Ideal Lattices
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai,b i) don’t readily translate to ideals in R.
2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.
√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
19 / 24 Complexity of Ideal Lattices
1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?
R-LWE samples (ai,b i) don’t readily translate to ideals in R.
2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)
F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.
√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]
√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?
19 / 24 Implementations
20 / 24 I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security. About 10x slower than NewHope, but only ≈2x slower than ECDH.
Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security.
21 / 24 I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security. About 10x slower than NewHope, but only ≈2x slower than ECDH.
Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security.
21 / 24 About 10x slower than NewHope, but only ≈2x slower than ECDH.
I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security.
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.
21 / 24 About 10x slower than NewHope, but only ≈2x slower than ECDH.
Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.
I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security.
21 / 24 Key Exchange
I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.
I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security. About 10x slower than NewHope, but only ≈2x slower than ECDH.
21 / 24 I BLISS [DDLL’13]: optimized implementation in this framework.
I Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS5 .6 7.0 8.0 33 (Conjectured ≥ 128 bits of security, openssl implementations.)
Digital Signatures
I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].
22 / 24 I Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS5 .6 7.0 8.0 33 (Conjectured ≥ 128 bits of security, openssl implementations.)
Digital Signatures
I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].
I BLISS [DDLL’13]: optimized implementation in this framework.
22 / 24 Digital Signatures
I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].
I BLISS [DDLL’13]: optimized implementation in this framework.
I Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS5 .6 7.0 8.0 33 (Conjectured ≥ 128 bits of security, openssl implementations.)
22 / 24 I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems. Focuses on modularity, safety, and consistency with best theory.
Implements many advanced FHE features, holds most speed records
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE).
23 / 24 Focuses on modularity, safety, and consistency with best theory.
I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems.
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records
23 / 24 Focuses on modularity, safety, and consistency with best theory.
Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records
I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems.
23 / 24 Other Implementations
I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records
I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems. Focuses on modularity, safety, and consistency with best theory.
23 / 24 I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.
I A big success story for rigorous theory and practical engineering alike!
Thanks!
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’
24 / 24 I A big success story for rigorous theory and practical engineering alike!
Thanks!
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’
I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.
24 / 24 Thanks!
Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’
I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.
I A big success story for rigorous theory and practical engineering alike!
24 / 24 Conclusions
I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’
I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.
I A big success story for rigorous theory and practical engineering alike!
Thanks!
24 / 24