Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Choosing security parameters – Using lattices with special properties Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Choosing security parameters – Using lattices with special properties Point Lattices ● Set of all integer linear combinations of n basis vectors B = [b1,...,bn] ⊂ R ● n n L(B)={Bx: x Z } ⊂ span(B)={Bx: x R } b1+3b2 B b1 b2 Successive Minima ● For every n-dimensional lattice L, and i=1,...,n, the ith successive minimum (L) is li the smallest radius r such that Ball(0,r) contains i linearly independent lattice vectors l1 l2 Lattice problems ● Shortest Vector Problems (SVP) – Given a lattice L, find the nonzero lattice vector v closest to the origin (||v||£ g l1(L)) ● Shortest Independent Vect. Prob. (SIVP) – Given a lattice L, find n lin. independent vectors v1,...,vn of length maxi ||vi|| £ g ln(L) ● Approximation factor g(n) usually a function of the lattice dimension n. Lattice Reduction Algorithms O(n) ● [LLL] solves SVP and SIVP for g = 2 g g – Still useful in many algorithmic applications ● [Sch,NS] Improve polynomial running time of LLL ● [Sch,AKS] Improve g = 2O(n log(n) / log log (n)) ● This talk – Assume no efficient algorithm solves lattice problems substantially better than LLL – Application: design cry ptographic functions Complexity of SVP, SIVP, CVP 100 2n g = O(1) n n n NP coAM / coNP P / RP hard ● NNPP-hard [vEB, Ajt, ABSS, Mic, BS, K] ● ccooAAMM,, ccooNNPP [GG, AR, GMR] ● PP, RRPP [LLL, Sch, AKS] ● Conjecture: SVP, SIVP are hard for g=nO(1) – not NNPP-hard, but still hard (e.g., not in PP) Cryptography by examples (1) Public Key Encryption ● Alice wants to send m to Bob, privately – Bob generates (pk,sk), and publishes pk – Alice retrieves pk, and send E(pk,m) to Bob – Bob uses sk to retrieve m = D(sk,E(pk,m)) m m Adversary Alice: ... Bob: pk Oded: ... Alice E(pk,m) Bob Cryptography by examples (1) Public Key Encryption ● Alice wants to send m to Bob, privately – Bob generates (pk,sk), and publishes pk ● Security: – Computing m from pk & E(pk,m) is hard with high probability, when pk is randomly chosen ??? m m Adversary Alice: ... Bob: pk Oded: ... Alice E(pk,m) Bob Cryptography by examples (2) Collision Resistant Hashing ● H(pk,m): No sk! Only pk. {0,1}N H(pk,.) – H(pk, {0,1}N) = {0,1}n, N>>n {0,1}n ● Security: – finding collisions H(pk,m) = H(pk,m') is hard when pk is chosen at random Adversary H(pk,m')=h? Alice To Bob: m m m' Bob pk, H(pk,m)=h “Provable security” approach to Cryptography ● Start from a hard computational problem – e.g., factoring large prime product N=pq ● Define a cryptographic function that is somehow related to the hard problem – e.g., modular squaring f(x) = x2 mod N ● Reduce solving the hard problem to breaking the cryptographic function – If you were able to compute square roots mod N, then you could efficiently factor N Worst-case vs. Average-case ● Worst-case complexity – A problem can be solved in time T(n) if there is an algorithm with running time T(n) that solves all problems instances of size n – Used in algorithms and complexity: P,NP,etc. ● Average-case complexity – There is an algorithm that solves a large fraction of the instances of size n – Used in cryptography: assume there is no such algorithm Provable security from average case hardness ● Example: (Rabin) modular squaring – 2 fN(x) = x mod N, where N=pq, ... – Inverting fN is as hard as factoring N ● fN is cryptographically hard to invert, provided most N are hard to factor All N's All fN's hard N's hard fN's Provable security from worst case hardness ● Any fixed L is mapped to random fN ● fN is cryptographically hard to invert if lattice problem L is hard in the worst case hard L easy fN's hard f 's All L's N Outline ● Introduction – Lattices and algorithms – Complexity and Cryptography ● Lattice based cryptography – Lattice based hash functions – Other cryptographic primitives ● Conclusion / Open Problems – Using lattices with special properties – Choosing security parameters The Subset-sum Problem Subset-sum function f (x ,...,x ) = Σ a x a1 a2 A 1 m i i a 3 ai: ring elements a4 xi: 0/1 a5 a6 a7 b=a2+a4+a5+a6+a8 a9 a8 a 10 weights Subset Sum Problem: Given weights A = (a1,...,am) and target b, find coefficients x1,...,xm such that fA(x1,...,xm ) = b. Subset-sum Hash function ● Key: A = [a1,...am] where ai is in group G ● Input: x=(x1,...,xm) where xi=0/1 ● Output fA(x) = Ax = S aixi ● Collisions: – 0/1 vectors x, y such that Ax = Ay – Equiv.: -1/0/1 vector z =(x-y) such that Az=0 ● Parameters: – n n m > log2 |G|, e.g., G = Z /(pZ ), m =2n log(p) Lattice based cryptography Lattice problem construction Cryptographic Worst-case hard function f(x) Approximation Attack algorithm security proof ● Proof of security: – Assume can break random function f (x) A – Use attack(A) to solve SIVP on any lattice B ● Main problem – A need to depend on B – A should be uniformly random, given B Lattice based Hash function (oversimplified version) ● Construction: – Subset-sum over R – n Key: random points a1,...,am in R – Function: fA(x1,...,xm) = Si aixi , (xi in {0,1}) – m n fA : {0,1} --> R ● Technical problem – n Range R is infinite, so fA never compresses – n n We will address this using ZM instead of R Intuition LATTICE random Rn noise Every point in Rn can be written as the sum a = v + r of a lattice point v and small error vector r Security proof ● Proof of security: – Generate random key as ai=vi+ri (i=1,...n) – Find a collision fA(x1,...,xm)=fA(y1,...,ym) – Notice: Si ai zi = 0, where zi = xi - yi ● Substituting ai=vi+ri and rearranging: Si vi zi = - Si ri zi Lattice short vector vector Technical details ● Issues with oversimplified construction – Cannot pick uniformly random lattice point v i – Range of the function Rn is infinite ● Solution – Work “modulo L(B)” – Use fine grid Zn/q instead of Rn ● Final result – f (x) = Ax mod q, where A is in Z mxn A q Adding noise to “all” lattice points ● Reducing a point modulo a lattice x Adding noise to “all” lattice points ● Reducing a point modulo a lattice x Adding noise to “all” lattice points ● Reducing a point modulo a lattice x Error vector modulo the lattice ● Same as adding noise to all lattice points x (x mod B) ● How much noise is needed to get almost uniform distribution modulo B? Smoothing parameter [MR] O(s n1/2) ● 2 Gaussian rs(x) = exp(-p ||x/s|| ) ● Smoothing parameter – (L(B)) = smallest s s.t. r1/s(L(B)* \ {0}) ≤ . ● Properties: – -n For s = (L(B)), distribution (s rs mod B) is within e/2 distance from uniform over P(B) – (L(B)) < log(n) ln(L(B)) Remark: Worst to Average case connection ● m The set L = {z in Z | fA(z)=0} is a lattice ● Collisions: z=x-y in L of norm ||z||max = 1 ● Security proof: Exact (Lmax) SVP Approximate SIVP reduction Random lattice Arbitrary lattice dimension = m >> n dimension = n Worst-case Average-case complexity assumption cryptanalysis More Crypto from Lattices ● One-way hash functions – [Ajt], [CN], [Mic], [MR] ● Public key encryption – [AD, Reg] public key encryption based on hardness of uSVP ● More efficient constructions – [Mic], [PR], [LM] hash functions with almost linear complexity based on hardness of cyclic lattices Public Key Encryption ● Public key encryption [AD, Reg] – Requires planting a trapdoor for decryption – Can be done by using lattices where l1<< l2 ● Unique SVP (uSVP) – Solve SVP on special class of lattices such that l1<< l2 – Still worst-case assumption, but over smaller class of lattices ● [Rev] PKC from quantum hardness of SVP Key Size of subset-sum function x1 x2 s t i * b Σ a a a ) x a 1 2 m n * i i ( O * * xm m=O(n) Key size = O(n2) {0,1} Compact knapsacks x1 s it * Σ b x a a am i i 1 n * 2 * xm m = O(1) n Key size = O(n) D, |D|= 2 Ring choice and security ● Traditional compact knapsacks – n 2n ai in ZN, xi in {0,...,M}, e.g. M=2 and N=2 – ILP with few vars: insecure! ● Quotient ring of polynomials: – ai in Zp[X] / q(X), e.g. – d n xi in {0,...,p } ● [Mic] If q(X) = Xn–1, as hard to invert as solving SIVP on any cyclic lattice L, i.e. – L closed under [1,2,3,4 ,5] ----> [2,3,4,5,1] More general: Ideal lattices ● q(X): monic polynomial in Z[X] of deg. n – R = Z[X] / q(X) is isomorphic to Zn – h: 5X2+3X-1 ----> [5,3,-1] ● Ideal lattices – q(X) arbitrary monic polynomial – h(S) where S is an ideal of Z[X]/q(X) – If q(X) = Xn – 1, same as h(S) cyclic ● [PR,LM] Hash functions based on cyclic and ideal lattices with q(X) irreducible Ideal lattices and small conjugates ● Two ways to map polynomials to vectors – Coefficients vector – Conjugates vector (Eval.