Indian Institute of Technology Kanpur CS682A Quantum Computing Course Project Report Lattice Based Cryptography Advisor: Author: Prof. Rajat Mittal Nikhil Vanjani (14429) IIT Kanpur November 15, 2017 Lattice Based Cryptography Nikhil Vanjani (14429) Contents 1 Abstract 2 2 Background 2 2.1 Cryptography........................................2 2.2 Post Quantum Cryptography...............................3 3 Lattices in Computer Science3 3.1 Introduction.........................................3 3.2 LLL Algorithm.......................................7 3.3 Dual Lattices........................................8 3.4 Fourier Transform...................................... 10 4 On Lattices, Learning With Errors, Random Linear Codes, and Cryptography 10 4.1 Preliminaries........................................ 10 4.2 Some Results that will be useful in proving Main Theorem............... 12 4.3 Main Theorem....................................... 13 4.4 Public Key Cryptosystem................................. 17 1 Lattice Based Cryptography Nikhil Vanjani (14429) 1 Abstract There are three main contributions of Regev's paper[1] studied in this project - first being the reduction from worst-case lattice problems to the Learning With Errors (LWE) problem introduced by Regev. Second being explaining the necessity of this reduction being quantum and its implication in showing relation between two worst-case lattice problems - Bounded Distance Decoding (a variant of CVP) and Discrete Gaussian Sampling (DGS) problem. Third being the proposal of a first of its kind classical cryptosystem whose hardness is based on quantum hardness assumptions. 2 Background 2.1 Cryptography Cryptography is the study of techniques used for secure communication in presence of third party adversaries. The central problems that cryptography tries to solve are - • Confidentiality : If Alice wants to communicate something confidential to Bob, any third party adversary Eve who can tap the communication should not be able to understand what is being communicated. • Integrity : If Bob is receiving some message from Alice, he needs to be sure that the message hasn't been tampered with while being transmitted to him. • Authentication : If Alice is communicating something to Bob, Bob needs to be sure that it is indeed Alice who is sending the message and not someone else. • Non-repudiation : If Alice communicates something to Bob, at a later point she should not be able to deny authority of what she communicated. Modern day cryptographic protocols are based on mathematical theory. When we say that some stan- dard protocol is secure, we mean that the protocol is based on computational hardness assumptions, meaning that breaching security of the protocol would be equivalent to solving the computationally hard problem it is based on. This is considered to be not possible as by definition, the hard problems are the ones which can't be solved efficiently in polynomial time. Today's most popular public key algorithms are based on the problems - Integer Factorization Problem[2], Discrete Logarithm Problem[3], Elliptic Curve Discrete Logarithm Problem[4]. Peter Shor, in 1994 formulated Shor's algorithm[5] which can solve all these three problems in poly- nomial time on a quantum computer. In 2001, IBM demonstrated an implementation of Shor's Algorithm to factor 15. An intutive question which follows after Shor's algorithm is could Quantum Computers solve NP-complete problems ? Lance Fortnow[6] explains that this is unlikely to happen and the majority of researchers believes likewise for now. 2 Lattice Based Cryptography Nikhil Vanjani (14429) Unlike public key cryptography, secret key cryptography is considered to be secure against quan- tum computers. Though Grover's Algorithm[7] reduces the run time quatratically, it can be tackled by doubling the key size[8]. 2.2 Post Quantum Cryptography After Shor's breakthrough algorithm, people have started exploring and building algorithms which would be resistant to attacks by quantum computers. Such algorithms come under the purview of Post Quantum Cryptography (PQC). Note Often post quantum cryptography and quantum cryptography are confused to be same, but they are not. Quantum Cryptography explores using quantum mechanical properties to achieve con- fidentiality, integrity, authentication and non-repudibility. More recently, advances in PQC have been made majorly by the following 3 approaches: • Lattice Based Cryptography : This approach is based on Lattice-based constructions. Ajtai[9], in 1996 introduced the first lattice based cryptographic protocol, based on the lattice problem - Short Integer Solutions. More recently, works revolve around Regev's[1] lattice based public key encryption key based on Learning With Errors problem. • Code Based Cryptography : This apporach is based on Error Correction Codes. The most popular algorithm based on this apporach is McEliece's Algorithm which is based on random Goppa codes. • Hash Based Cryptography : Hash based digital signatures were introduced by Merkle in 1970s through Merkle Signature Scheme[10]. Research in this approach revived when people came to that this was resistant to attacks by quantum computers. Note Proofs of Lemmas/Theorems/Claims marked with # in subsequent sections are provided in the appendix 3 Lattices in Computer Science 3.1 Introduction In this subsection, we define lattices, thier span, fundamental parallelopipid and its properties, de- terminant of a lattice. Then, we proceeded to defining Successive Minima and finding some upper bounds on them, namely Blichfeld's Theorem and Minkowski's theorems. Lastly, popular computa- tional problems in lattices - Shortest Vector Problem and Closest Vector Problem are defined along with their approximation variants. m Definition 3.1.1 (Lattice) Given n linearly independent vectors b1; b2; :::; bn 2 R , the lattice generated by them is defined as 3 Lattice Based Cryptography Nikhil Vanjani (14429) n L(B) = L(b1; b2; :::; bn) = fΣxibijxi 2 Zg = fBxjx 2 Z g We refer to b1; b2; :::; bn as a basis of the lattice Figure 1: A lattice in R2[11] Definition 3.1.2 (Span) The span of a lattice L(B) is the linear space spanned by its vectors, span(L(B)) = span(B) = fByjy 2 Rng Definition 3.1.3 (Fundamental Parallelopipid) For any lattice basis B we define n P (B) = fBxjx 2 R ; 8i : 0 ≤ xi < 1g Figure 2: A lattice in R2[11] # Lemma 3.1.4 Let Λ be a lattice of rank n and let b1; b2; :::; bn 2 Λ be n independent lattice vectors. Then b1; b2; :::; bn form a basis of Λ if and only if P (b1; b2; :::; bn) \ Λ = f0g mxn Lemma 3.1.5 Two bases B1;B2 2 R are equivalent iff B2 = B1U for some unimodular matrix U. Definition 3.1.6 (Determinant) For a rank n lattice Λ, its determinant denoted by det(Λ) is defined as the n-dimensional volume of P(B). Mathematically, det(Λ) := pdet(BT B). When Λ is full rank, det(Λ) := jdet(B)j Definition 3.1.7 (Successive Minima) Let Λ be a lattice of rank n. For i 2 f1; 2; :::ng we define the ith successive minimum as λi(Λ) = inffrjdim(span(Λ \ B(0; r))) ≥ ig where B(0; r) = fx 2 Rmj jjxjj ≤ rg is the closed ball of radius r around 0. 4 Lattice Based Cryptography Nikhil Vanjani (14429) Figure 3: Some lattice bases[11] Figure 4: Successive Minimas: λ1(Λ) = 1; λ2(Λ) = 2:3[11] Blichfeld's Theorem : For any full rank lattice Λ ⊆ Rn and set S ⊆ Rn with vol(S) > det(Λ), there exist two non-equal points z1; z2 2 S such that z1 − z2 2 Λ Figure 5: Blichfeld's Theorem[11] 5 Lattice Based Cryptography Nikhil Vanjani (14429) Minkowski's Convex Body Theorem : Let Λ be a full rank lattice of rank n. Then for any centrally symmetric convex set S, if vol(S) > 2ndet(Λ) then S contains a non-zero lattice point. ^ 1 ^ Figure 6: Intuitive proof of Minkowski's Convex Body Theorem : S = 2 S; S satisfies Blichfeld's Theorem; Lastly, z1 − z2 2 S because S is centrally symmetric[11] Minkowski's First Theorem : For any full-rank lattice Λ of rank n, p 1=n λ1(Λ) ≤ n(det(Λ)) Proof p2r n • Claim: The volume of an n-dimensional ball of radius r is vol(B(0; r)) ≥ ( n ) • By definition, the open ball B(0; λ1(Λ)) contains no nonzero lattice points. By Minkowski's Convex Body Theorem and Claim 1, 2λ (Λ) p1 n n ( n ) ≤ vol(B(0; λ1(Λ))) ≤ 2 det(Λ) and we obtain the bound on λ1(Λ) by rearranging. Minkowski's Second Theorem : For any full-rank lattice Λ of rank n, n p Q 1=n 1=n ( λi(Λ)) ≤ n(det(Λ)) i=1 Computational Problems : Minkowski'sp first theorem implies that any lattice Λ of rank n contains a nonzero vector of length at most n(det(Λ))1=n. Its proof, however, is non-constructive: it does not give us an algorithm to find such a lattice vector. In fact there is no known efficient algorithm that finds such short vectors. The computational problems presented below are conjectured to be hard problems. Shortest Vector Problem (SVP) We are given a lattice and we are supposed to find the shortest nonzero lattice point mxn • Search SV P : Given a lattice basis B 2 Z find v 2 L(B) such that jjvjj = λ1(L(B)). mxn • Optimization SV P : Given a lattice basis B 2 Z , find λ1(L(B)). • Decisional SV P : Given a lattice basis B 2 Zmxn and a rational r 2 Q, determine whether λ1(L(B)) ≤ r or not. 6 Lattice Based Cryptography Nikhil Vanjani (14429) Approximation variants of SVP: Here, instead of finding the shortest vector, we are interested in an approximation of it. The factor of approximation is given by some parameter γ ≥ 1 mxn • Search SV Pγ: Given a lattice basis B 2 Z find v 2 L(B) such that v 6= 0 and jjvjj ≤ γλ1(L(B)).
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages19 Page
-
File Size-