Lattice-Based Cryptography

Chris Peikert University of Michigan

QCrypt 2016

1 / 24 Agenda

1 Foundations: lattice problems, SIS/LWE and their applications

2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices

3 Practical Implementations: BLISS, NewHope, Frodo, HElib, Λ◦λ,...

4 Along the Way: open questions, research directions

2 / 24 Foundations

3 / 24 I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related

Why? I Efficient: linear, embarrassingly parallel operations

Lattice-Based Cryptography

p x mod = g y N = =⇒ N p · me mod q e(ga, gb)

(Images courtesy xkcd.org) 4 / 24 I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related

p x mod = g y N = N p · me mod q e(ga, gb)

Why? I Efficient: linear, embarrassingly parallel operations

Lattice-Based Cryptography

=⇒

(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)

I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related

Lattice-Based Cryptography

=⇒

Why? I Efficient: linear, embarrassingly parallel operations

(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)

I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related

Lattice-Based Cryptography

=⇒

Why? I Efficient: linear, embarrassingly parallel operations I Resists quantum attacks (so far)

(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)

I Solutions to ‘holy grail’ problems in crypto: FHE and related

Lattice-Based Cryptography

=⇒

Why? I Efficient: linear, embarrassingly parallel operations I Resists quantum attacks (so far) I Security from mild worst-case assumptions

(Images courtesy xkcd.org) 4 / 24 p x mod = g y N = N p · me mod q e(ga, gb)

Lattice-Based Cryptography

=⇒

Why? I Efficient: linear, embarrassingly parallel operations I Resists quantum attacks (so far) I Security from mild worst-case assumptions I Solutions to ‘holy grail’ problems in crypto: FHE and related

(Images courtesy xkcd.org) 4 / 24 (Other representations too . . . )

I Basis B = {b1,..., bm} :

m X L = (Z · bi) i=1

Hard Lattice Problems

I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).

What’s a Lattice?

m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)

O

5 / 24 (Other representations too . . . )

Hard Lattice Problems

I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).

What’s a Lattice?

m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)

I Basis B = {b1,..., bm} :

m X L = (Z · bi) b2 i=1 b1

O

5 / 24 (Other representations too . . . )

Hard Lattice Problems

I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).

What’s a Lattice?

m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)

I Basis B = {b1,..., bm} :

m X L = (Z · bi) b1 i=1

b O 2

5 / 24 Hard Lattice Problems

I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).

What’s a Lattice?

m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)

I Basis B = {b1,..., bm} :

m X L = (Z · bi) b1 i=1

b2 (Other representations too . . . ) O

5 / 24 What’s a Lattice?

m I A periodic ‘grid’ in Z . (Formally: full-rank additive subgroup.)

I Basis B = {b1,..., bm} :

m X L = (Z · bi) b1 i=1

b2 (Other representations too . . . ) O

Hard Lattice Problems

I Find/detect ‘short’ nonzero lattice vectors: (Gap)SVPγ, SIVPγ I For γ = poly(m), solving appears to require 2Ω(m) time (and space).

5 / 24 m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.

Collision-Resistant Hash Function

m I Goal: find nontrivial z ∈ {0, ±1} such that:

A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q

6 / 24 m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.

Collision-Resistant Hash Function

m I Goal: find nontrivial z ∈ {0, ±1} such that:

| z1 · + z2 · + + zm · = 0 |

A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q

 |   |   |  n a1 a2 ··· am ∈ Zq | | |

6 / 24 m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.

Collision-Resistant Hash Function

A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q I Goal: find nontrivial z1, . . . , zm ∈ {0, ±1} such that:

 |   |   |  | n z1 · a1 + z2 · a2 + ··· + zm · am = 0 ∈ Zq | | | |

6 / 24 . . . yields solution z = x − x0 ∈ {0, ±1}m.

m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...

Collision-Resistant Hash Function

A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:

        n ···· A ···· z = 0 ∈ Zq  

| {zm }

6 / 24 . . . yields solution z = x − x0 ∈ {0, ±1}m.

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...

A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:

        n ···· A ···· z = 0 ∈ Zq  

| {zm } Collision-Resistant Hash Function m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

6 / 24 . . . yields solution z = x − x0 ∈ {0, ±1}m.

A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:

        n ···· A ···· z = 0 ∈ Zq  

| {zm } Collision-Resistant Hash Function m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...

6 / 24 A Hard Problem: Short Integer Solution [Ajtai’96]

n I Zq = n-dimensional integer vectors modulo q m I Goal: find nontrivial z ∈ {0, ±1} such that:

        n ···· A ···· z = 0 ∈ Zq  

| {zm } Collision-Resistant Hash Function m n I Set m > n log2 q. Define ‘shrinking’ fA : {0, 1} → Zq

fA(x) = Ax

m I Collision x, x0 ∈ {0, 1} where Ax = Ax0 ...... yields solution z = x − x0 ∈ {0, ±1}m.

6 / 24 Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β  q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice

n×m I A ∈ Zq defines a ‘q-ary’ lattice:

⊥ m L (A) = {z ∈ Z : Az = 0}

O I ‘Short’ solutions z lie in

Cool! (But what does this have to do with lattices?)

7 / 24 I ‘Short’ solutions z lie in

Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β  q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice

Cool! (But what does this have to do with lattices?)

n×m I A ∈ Zq defines a ‘q-ary’ lattice:

⊥ m L (A) = {z ∈ Z : Az = 0}

O

7 / 24 I ‘Short’ solutions z lie in

Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β  q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice

Cool! (But what does this have to do with lattices?) (0, q)

n×m I A ∈ Zq defines a ‘q-ary’ lattice:

⊥ m L (A) = {z ∈ Z : Az = 0}

(q, 0) O

7 / 24 Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β  q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice

Cool! (But what does this have to do with lattices?) (0, q)

n×m I A ∈ Zq defines a ‘q-ary’ lattice:

⊥ m L (A) = {z ∈ Z : Az = 0}

(q, 0) O I ‘Short’ solutions z lie in

7 / 24 Cool! (But what does this have to do with lattices?) (0, q)

n×m I A ∈ Zq defines a ‘q-ary’ lattice:

⊥ m L (A) = {z ∈ Z : Az = 0}

(q, 0) O I ‘Short’ solutions z lie in

Worst-Case to Average-Case Reduction [Ajtai’96,. . . ] Finding ‘short’ (kzk ≤ β  q) nonzero z ∈ L⊥(A) n×m (for uniformly random A ∈ Zq ) ⇓ √ √ solving GapSVPβ n, SIVPβ n on any n-dim lattice

7 / 24 Draw z from a distribution that reveals nothing about secret key:

I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!

m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq .

Application: Digital Signatures [GentryPeikertVaikuntanathan’08]

I Generate uniform vk = A with secret ‘trapdoor’ sk = T.

8 / 24 I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!

Draw z from a distribution that reveals nothing about secret key:

Application: Digital Signatures [GentryPeikertVaikuntanathan’08]

I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq .

8 / 24 I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!

Application: Digital Signatures [GentryPeikertVaikuntanathan’08]

I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq . Draw z from a distribution that reveals nothing about secret key:

8 / 24 I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!

Application: Digital Signatures [GentryPeikertVaikuntanathan’08]

I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq . Draw z from a distribution that reveals nothing about secret key:

I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short.

8 / 24 Application: Digital Signatures [GentryPeikertVaikuntanathan’08]

I Generate uniform vk = A with secret ‘trapdoor’ sk = T. m n I Sign(T, µ): use T to samplea short z ∈ Z s.t. Az = H(µ) ∈ Zq . Draw z from a distribution that reveals nothing about secret key:

I Verify(A, µ, z): check that Az = H(µ) and z is sufficiently short. I Security: forging a signature for a new message µ∗ requires finding short z∗ s.t. Az∗ = H(µ∗). This is SIS: hard!

8 / 24 √ n ≤ error  q, ‘rate’ α

I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]

n I Search: find secret s ∈ Zq given many ‘noisy inner products’

Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution

9 / 24 I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]

√ n ≤ error  q, ‘rate’ α

Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’

n a1 ← Zq ,b 1 ≈ hs , a1i mod q n a2 ← Zq ,b 2 ≈ hs , a2i mod q . .

9 / 24 I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]

Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’

n a1 ← Zq ,b 1 = hs , a1i + e1 ∈ Zq n a2 ← Zq ,b 2 = hs , a2i + e2 ∈ Zq . . √ n ≤ error  q, ‘rate’ α

9 / 24 I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]

I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ]

Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’   t
t t ··· A ··· , ··· b ··· = s A + e

√ n ≤ error  q, ‘rate’ α

9 / 24 I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]

LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ]

Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’   t
t t ··· A ··· , ··· b ··· = s A + e

√ n ≤ error  q, ‘rate’ α

I Decision: distinguish (A , b) from uniform (A , b)

9 / 24 I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13]

Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’   t
t t ··· A ··· , ··· b ··· = s A + e

√ n ≤ error  q, ‘rate’ α

I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ]

9 / 24 Another Hard Problem: Learning With Errors [Regev’05]

I Parameters: dimension n, modulus q = poly(n), error distribution n I Search: find secret s ∈ Zq given many ‘noisy inner products’   t
t t ··· A ··· , ··· b ··· = s A + e

√ n ≤ error  q, ‘rate’ α

I Decision: distinguish (A , b) from uniform (A , b) LWE is Hard (n/α)-approx worst case ≤ search-LWE ≤ decision-LWE ≤ crypto lattice problems (quantum [R’05]) [BFKL’93,R’05,. . . ] I Also fully classical reductions, for worse params [Peikert’09,BLPRS’13] 9 / 24  Key Exchange, Public Key Encryption  Oblivious Transfer  Actively Secure Encryption (w/o random oracles)  Block Ciphers, PRFs

 Identity-Based Encryption (w/ RO)  Hierarchical ID-Based Encryption (w/o RO)

!!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies

and much, much more. . .

LWE is Versatile What kinds of crypto can we do with LWE?

10 / 24  Identity-Based Encryption (w/ RO)  Hierarchical ID-Based Encryption (w/o RO)

!!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies

and much, much more. . .

LWE is Versatile What kinds of crypto can we do with LWE?

 Key Exchange, Public Key Encryption  Oblivious Transfer  Actively Secure Encryption (w/o random oracles)  Block Ciphers, PRFs

10 / 24 !!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies

and much, much more. . .

LWE is Versatile What kinds of crypto can we do with LWE?

 Key Exchange, Public Key Encryption  Oblivious Transfer  Actively Secure Encryption (w/o random oracles)  Block Ciphers, PRFs

 Identity-Based Encryption (w/ RO)  Hierarchical ID-Based Encryption (w/o RO)

10 / 24 LWE is Versatile What kinds of crypto can we do with LWE?

 Key Exchange, Public Key Encryption  Oblivious Transfer  Actively Secure Encryption (w/o random oracles)  Block Ciphers, PRFs

 Identity-Based Encryption (w/ RO)  Hierarchical ID-Based Encryption (w/o RO)

!!! Fully Homomorphic Encryption !!! Attribute-Based Encryption for arbitrary policies

and much, much more. . .

10 / 24 by decision-LWE

t t n u ≈ r · A ∈ Zq

n v ≈ A · s ∈ Zq

(A, u, v,k )

Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

11 / 24 by decision-LWE

n v ≈ A · s ∈ Zq

(A, u, v,k )

Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

t t n u ≈ r · A ∈ Zq

11 / 24 by decision-LWE

(A, u, v,k )

Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

t t n u ≈ r · A ∈ Zq

n v ≈ A · s ∈ Zq

11 / 24 by decision-LWE

(A, u, v,k )

Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

t t n u ≈ r · A ∈ Zq

n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs

11 / 24 by decision-LWE

Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

t t n u ≈ r · A ∈ Zq

n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs

(A, u, v,k )

11 / 24 Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

t t n u ≈ r · A ∈ Zq

n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs

(A, u, v,k ) by decision-LWE

11 / 24 Key Exchange from LWE [Regev’05,LP’11]

n n×n n r ← Z (error) A ← Zq s ← Z (error)

t t n u ≈ r · A ∈ Zq

n v ≈ A · s ∈ Zq rt · v ≈ rtAs k ≈ ut · s ≈ rtAs

(A, u, v,k ) by decision-LWE

11 / 24 Efficiency from Rings

12 / 24 I Can amortize each ai over many secrets sj, but still O˜(n) work per scalar output. I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn } I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.

SIS/LWE are (Sort Of) Efficient

I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product
  ··· ai ··· s + ei = bi ∈ Zq . .

13 / 24 I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn } I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.

SIS/LWE are (Sort Of) Efficient

I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product
  ··· ai ··· s + ei = bi ∈ Zq   I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output.

13 / 24 I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.

SIS/LWE are (Sort Of) Efficient

I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product
  ··· ai ··· s + ei = bi ∈ Zq   I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output. I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn }

13 / 24 SIS/LWE are (Sort Of) Efficient

I Getting one pseudorandom scalar bi ∈ Zq requires an n-dim . . mod-q inner product
  ··· ai ··· s + ei = bi ∈ Zq   I Can amortize each ai over many . . secrets sj, but still O˜(n) work per scalar output. I Cryptosystems have rather large keys:     . . . .      pk =  A  , b Ω(n)  .   .  . . 

| {zn } I Inherently ≥ n2 time to encrypt & decrypt an n-bit message.

13 / 24 I Careful! With small error, coordinate-wise multiplication is insecure!

I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

Question

I How to define the product ‘?’ so that (ai, bi) is pseudorandom?

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

Wishful Thinking. . . I Get n pseudorandom scalars  .  .  .   .  . . . . from just one (cheap)         n product operation? ai?s+ei = bi ∈ Zq  .  .  .   .  n×n n . . . . I Replace Zq -chunks by Zq .

14 / 24 I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

I Careful! With small error, coordinate-wise multiplication is insecure!

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

Wishful Thinking. . . I Get n pseudorandom scalars  .  .  .   .  . . . . from just one (cheap)         n product operation? ai?s+ei = bi ∈ Zq  .  .  .   .  n×n n . . . . I Replace Zq -chunks by Zq .

Question

I How to define the product ‘?’ so that (ai, bi) is pseudorandom?

14 / 24 I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

Wishful Thinking. . . I Get n pseudorandom scalars  .  .  .   .  . . . . from just one (cheap)         n product operation? ai?s+ei = bi ∈ Zq  .  .  .   .  n×n n . . . . I Replace Zq -chunks by Zq .

Question

I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!

14 / 24 I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ]

Wishful Thinking. . . I Get n pseudorandom scalars  .  .  .   .  . . . . from just one (cheap)         n product operation? ai?s+ei = bi ∈ Zq  .  .  .   .  n×n n . . . . I Replace Zq -chunks by Zq .

Question

I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q.

14 / 24 Wishful Thinking. . . I Get n pseudorandom scalars  .  .  .   .  . . . . from just one (cheap)         n product operation? ai?s+ei = bi ∈ Zq  .  .  .   .  n×n n . . . . I Replace Zq -chunks by Zq .

Question

I How to define the product ‘?’ so that (ai, bi) is pseudorandom? I Careful! With small error, coordinate-wise multiplication is insecure!

Answer n I ‘?’ = multiplication in a polynomial ring: e.g., Zq[X]/(X + 1). Fast and practical with FFT: n log n operations mod q. I Same ring structures used in NTRU cryptosystem [HPS’98], compact one-way / CR hash functions [Mic’02,PR’06,LM’06,. . . ] 14 / 24 I Search: find secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq

a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .

I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

F Elements of Rq are deg < n polynomials with mod-q coefficients

F Operations in Rq are very efficient using FFT-like algorithms

LWE Over Rings, Over Simplified

n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

15 / 24 I Search: find secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq

a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .

I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

LWE Over Rings, Over Simplified

n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coefficients

F Operations in Rq are very efficient using FFT-like algorithms

15 / 24 I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

LWE Over Rings, Over Simplified

n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coefficients

F Operations in Rq are very efficient using FFT-like algorithms

I Search: find secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq

a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .

15 / 24 LWE Over Rings, Over Simplified

n I Let R = Z[X]/(X + 1) for n a power of two, and Rq = R/qR

F Elements of Rq are deg < n polynomials with mod-q coefficients

F Operations in Rq are very efficient using FFT-like algorithms

I Search: find secret ring element s(X) ∈ Rq, given:

a1 ← Rq ,b 1 = s · a1 + e1 ∈ Rq

a2 ← Rq ,b 2 = s · a2 + e2 ∈ Rq (ei ∈ R are ‘small’) a3 ← Rq ,b 3 = s · a3 + e3 ∈ Rq . .

I Decision: distinguish (ai ,b i) from uniform (ai ,b i) ∈ Rq × Rq (with noticeable advantage)

15 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:

decision R-LWE ≤ lots of crypto

Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]

I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

16 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:

decision R-LWE ≤ lots of crypto

Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]

I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

16 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

I Then:

decision R-LWE ≤ lots of crypto

Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]

I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s.

16 / 24 F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]

I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:

decision R-LWE ≤ lots of crypto

16 / 24 Hardness of Ring-LWE [LyubashevskyPeikertRegev’10]

I Two main theorems (reductions):

worst-case approx-SVP ≤ search R-LWE ≤ decision R-LWE on ideal lattices in R (quantum, (classical, any R = OK ) any cyclotomic R)

1 If you can find s given (ai ,b i), then you can find approximately shortest vectors in any ideal lattice in R (using a quantum algorithm).

2 If you can distinguish (ai ,b i) from (ai ,b i), then you can find s. I Then:

decision R-LWE ≤ lots of crypto

F If you can break the crypto, then you can distinguish (ai ,b i) from (ai ,b i)...

16 / 24 1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.

n To get ideal lattices, embed R and its ideals into R . How?

Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R.

17 / 24 + is coordinate-wise, but analyzing · is cumbersome.

2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.

1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z

Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How?

17 / 24 2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.

+ is coordinate-wise, but analyzing · is cumbersome.

Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How? 1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z

17 / 24 Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.

2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C

Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How? 1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

17 / 24 Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.

Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into C . How? 1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C

17 / 24 Error distribution is Gaussian in canonical embedding.

Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into C . How? 1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise.

17 / 24 Ideal Lattices

n I Say R = Z[X]/(X + 1) for power-of-two n. (Or R = OK .) I An ideal I ⊆ R is closed under + and −, and under · with R. n To get ideal lattices, embed R and its ideals into R . How? 1 Obvious answer: ‘coefficient embedding’

n−1 n a0 + a1X + ··· + an−1X ∈ R 7→ (a0, . . . , an−1) ∈ Z + is coordinate-wise, but analyzing · is cumbersome.

2 Minkowski: ‘canonical embedding.’ Let ω = exp(πi/n) ∈ C, so roots of Xn + 1 are ω1, ω3, . . . , ω2n−1. Embed:

1 3 2n−1 n a(X) ∈ R 7→ (a(ω ) , a(ω ) , . . . , a(ω )) ∈ C Both + and · are coordinate-wise. Error distribution is Gaussian in canonical embedding.

17 / 24 I I = hX − 2, −3X + 1i is an ideal in R.

σ(X − 2) σ(−3X + 1)

(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I.

Ideal Lattices

2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i.

σ(X) = (i, −i) σ(1) = (1, 1)

18 / 24 (Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I.

Ideal Lattices

2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.

σ(X) = (i, −i) σ(1) = (1, 1)

σ(X − 2) σ(−3X + 1)

18 / 24 Ideal Lattices

2 I Say R = Z[X]/(X + 1). Embeddings map X 7→ ±i. I I = hX − 2, −3X + 1i is an ideal in R.

σ(X) = (i, −i) σ(1) = (1, 1)

σ(X − 2) σ(−3X + 1)

(Approximate) Shortest Vector Problem I Given (an arbitrary basis of) an arbitrary ideal I ⊆ R, find a nearly shortest nonzero a ∈ I. 18 / 24 F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.

√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]

√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?

2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)

R-LWE samples (ai,b i) don’t readily translate to ideals in R.

Complexity of Ideal Lattices

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

19 / 24 F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.

√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]

√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?

2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)

Complexity of Ideal Lattices

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

R-LWE samples (ai,b i) don’t readily translate to ideals in R.

19 / 24 F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.

√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]

√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?

Complexity of Ideal Lattices

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

R-LWE samples (ai,b i) don’t readily translate to ideals in R.

2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)

19 / 24 √ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]

√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?

Complexity of Ideal Lattices

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

R-LWE samples (ai,b i) don’t readily translate to ideals in R.

2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)

F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.

19 / 24 √ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?

Complexity of Ideal Lattices

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

R-LWE samples (ai,b i) don’t readily translate to ideals in R.

2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)

F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.

√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]

19 / 24 Complexity of Ideal Lattices

1 We know approx-R-SVP ≤ R-LWE (quantumly). Other direction? Can we solve R-LWE using an oracle for approx-R-SVP?

R-LWE samples (ai,b i) don’t readily translate to ideals in R.

2 How hard/easy is poly(n)-R-SVP? (In cyclotomics etc.)

F Despite much ring structure (e.g., subfields, Galois), no significant improvement versus general n-dim lattices is known.

√ O( n log n) F But 2 -SVP is quantum poly-time solvable in prime-power cyclotomics, and maybe other rings [CDPR’16,BS’16,K’16,CDW’16]

√ Ω( n/ log n) F There is a 2 barrier for the main technique. Can it be circumvented?

19 / 24 Implementations

20 / 24 I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security. About 10x slower than NewHope, but only ≈2x slower than ECDH.

Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.

Key Exchange

I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security.

21 / 24 I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security. About 10x slower than NewHope, but only ≈2x slower than ECDH.

Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.

Key Exchange

I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security.

21 / 24 About 10x slower than NewHope, but only ≈2x slower than ECDH.

I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security.

Key Exchange

I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.

21 / 24 About 10x slower than NewHope, but only ≈2x slower than ECDH.

Key Exchange

I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.

I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security.

21 / 24 Key Exchange

I NewHope [ADPS’15]: Ring-LWE key exchange a la [LPR’10,P’14], with many optimizations and conjectured ≥ 200-bit quantum security. Comparable to or even faster than state-of-the-art ECDH w/ 128-bit (non-quantum) security. Google has experimentally deployed NewHope+ECDH in Chrome canary and its own web servers.

I Frodo [BCDMNNRS’16]: removes the ring! Plain-LWE key exchange, with many tricks and optimizations. Conjectured ≥ 128-bit quantum security. About 10x slower than NewHope, but only ≈2x slower than ECDH.

21 / 24 I BLISS [DDLL’13]: optimized implementation in this framework.

I Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS5 .6 7.0 8.0 33 (Conjectured ≥ 128 bits of security, openssl implementations.)

Digital Signatures

I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].

22 / 24 I Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS5 .6 7.0 8.0 33 (Conjectured ≥ 128 bits of security, openssl implementations.)

Digital Signatures

I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].

I BLISS [DDLL’13]: optimized implementation in this framework.

22 / 24 Digital Signatures

I Most implementations follow design from [Lyubashevsky’09/’12,. . . ].

I BLISS [DDLL’13]: optimized implementation in this framework.

I Compelling efficiency: System Sig (Kb) PK (Kb) KSign/sec KVer/sec RSA-4096 4.0 4.0 0.1 7.5 ECDSA-256 0.5 0.25 9.5 2.5 BLISS5 .6 7.0 8.0 33 (Conjectured ≥ 128 bits of security, openssl implementations.)

22 / 24 I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems. Focuses on modularity, safety, and consistency with best theory.

Implements many advanced FHE features, holds most speed records

Other Implementations

I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE).

23 / 24 Focuses on modularity, safety, and consistency with best theory.

I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems.

Other Implementations

I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records

23 / 24 Focuses on modularity, safety, and consistency with best theory.

Other Implementations

I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records

I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems.

23 / 24 Other Implementations

I HElib [HaleviShoup]: an ‘assembly language’ for fully homomorphic encryption (FHE). Implements many advanced FHE features, holds most speed records

I Λ◦λ (L O L) [CrockettPeikert’16]: a general-purpose, high-level framework aimed at advanced lattice cryptosystems. Focuses on modularity, safety, and consistency with best theory.

23 / 24 I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.

I A big success story for rigorous theory and practical engineering alike!

Thanks!

Conclusions

I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’

24 / 24 I A big success story for rigorous theory and practical engineering alike!

Thanks!

Conclusions

I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’

I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.

24 / 24 Thanks!

Conclusions

I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’

I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.

I A big success story for rigorous theory and practical engineering alike!

24 / 24 Conclusions

I Lattices are a very attractive foundation for ‘post-quantum’ crypto, both ‘basic’ and ‘advanced.’

I Cryptanalysis/security estimates for concrete parameters is subtle and ongoing, but maturing.

I A big success story for rigorous theory and practical engineering alike!

Thanks!

24 / 24