Lattice-Based Cryptography

Chris Peikert, University of Michigan. QCrypt 2016. (Slide 1 / 24)

Agenda (Slide 2 / 24)

  1 Foundations: lattice problems, SIS/LWE and their applications
  2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices
  3 Practical Implementations: BLISS, NewHope, Frodo, HElib, Λ◦λ, ...
  4 Along the Way: open questions, research directions

Foundations (Slide 3 / 24)

Lattice-Based Cryptography (Slide 4 / 24)

[Figure: the classical number-theoretic problems $N = p \cdot q$, $y = g^x \bmod p$, $m^e \bmod N$ and $e(g^a, g^b)$ are shown crossed out, with an arrow ($\Rightarrow$) pointing to lattices. Images courtesy xkcd.org.]

Why?
  • Efficient: linear, embarrassingly parallel operations
  • Resists quantum attacks (so far)
  • Security from mild worst-case assumptions
  • Solutions to `holy grail' problems in crypto: FHE and related

What's a Lattice? (Slide 5 / 24)
  • A periodic `grid' in $\mathbb{Z}^m$. (Formally: full-rank additive subgroup.)
  • Basis $B = \{b_1, \ldots, b_m\}$:
      $$L = \sum_{i=1}^{m} (\mathbb{Z} \cdot b_i)$$
    (Other representations too ...)

[Figure: a two-dimensional lattice with basis vectors $b_1$, $b_2$ drawn from the origin $O$.]

Hard Lattice Problems
  • Find/detect `short' nonzero lattice vectors: $(\mathrm{Gap})\mathrm{SVP}_\gamma$, $\mathrm{SIVP}_\gamma$
  • For $\gamma = \mathrm{poly}(m)$, solving appears to require $2^{\Omega(m)}$ time (and space).

A Hard Problem: Short Integer Solution [Ajtai'96] (Slide 6 / 24)
  • $\mathbb{Z}_q^n$ = $n$-dimensional integer vectors modulo $q$
  • Goal: find nontrivial $z_1, \ldots, z_m \in \{0, \pm 1\}$ such that:
      $$z_1 \cdot a_1 + z_2 \cdot a_2 + \cdots + z_m \cdot a_m = 0 \in \mathbb{Z}_q^n,$$
    where $a_1, a_2, \ldots, a_m \in \mathbb{Z}_q^n$ are column vectors. In matrix form, with $A = [a_1 \mid \cdots \mid a_m] \in \mathbb{Z}_q^{n \times m}$: find nontrivial $z \in \{0, \pm 1\}^m$ such that $A z = 0 \in \mathbb{Z}_q^n$.

Collision-Resistant Hash Function
  • Set $m > n \log_2 q$. Define `shrinking' $f_A : \{0,1\}^m \to \mathbb{Z}_q^n$, $f_A(x) = A x$.
  • Collision $x, x' \in \{0,1\}^m$ where $A x = A x'$ ... yields solution $z = x - x' \in \{0, \pm 1\}^m$.

Worst-Case to Average-Case Reduction [Ajtai'96, ...] (Slide 7 / 24)

  Finding `short' ($\|z\| \le \beta \ll q$) nonzero $z \in L^\perp(A)$ (for uniformly random $A \in \mathbb{Z}_q^{n \times m}$)
  $\Downarrow$
  solving $\mathrm{GapSVP}_{\beta \sqrt{n}}$, $\mathrm{SIVP}_{\beta \sqrt{n}}$ on any $n$-dim lattice

Cool! (But what does this have to do with lattices?)
  • $A \in \mathbb{Z}_q^{n \times m}$ defines a `q-ary' lattice:
      $$L^\perp(A) = \{ z \in \mathbb{Z}^m : A z = 0 \}$$
  • `Short' solutions $z$ lie in [figure: the lattice $L^\perp(A)$ drawn with origin $O$ and the points $(q, 0)$ and $(0, q)$ marked]
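The SIS hash $f_A(x) = A x \bmod q$ and the collision-to-short-solution step from slides 6 and 7, as an added worked example at toy parameters (this is not code from the talk; the function names, the fixed seed and the parameters $n = 2$, $q = 5$, $m = 5$ are this example's own choices). At these sizes $2^m > q^n$, so the pigeonhole argument guarantees a collision, and the resulting $z = x - x'$ is checked to be a nonzero $\{0, \pm 1\}$ vector in $L^\perp(A)$.

```python
# Added example, not from the slides: the SIS-based hash f_A and the
# collision -> short-solution correspondence, at constructed toy parameters.
import math
import random
from itertools import product

def sis_hash(A, x, q):
    """f_A(x) = A x mod q for an n x m matrix A over Z_q and a length-m vector x."""
    return tuple(sum(a_ij * x_j for a_ij, x_j in zip(row, x)) % q for row in A)

def random_matrix(n, m, q, seed):
    """Constructed 'uniformly random' A in Z_q^{n x m}; fixed seed for reproducibility."""
    rng = random.Random(seed)
    return [[rng.randrange(q) for _ in range(m)] for _ in range(n)]

def is_shrinking(n, m, q):
    """f_A maps 2^m inputs onto q^n outputs; it shrinks exactly when m > n log2 q."""
    return m > n * math.log2(q)

def find_collision(A, q):
    """Brute-force a collision x != x' in {0,1}^m with f_A(x) = f_A(x').
    Feasible only at toy sizes; the slides' point is that at real parameters
    this is as hard as worst-case lattice problems."""
    m = len(A[0])
    seen = {}
    for x in product((0, 1), repeat=m):
        h = sis_hash(A, x, q)
        if h in seen:
            return seen[h], x
        seen[h] = x
    return None

def collision_to_sis(x, x2):
    """z = x - x' has entries in {0, +1, -1} because x, x' are 0/1 vectors."""
    return tuple(a - b for a, b in zip(x, x2))

def is_sis_solution(A, z, q):
    """Valid SIS solution: nonzero, entries in {0, +-1}, and A z = 0 in Z_q^n,
    i.e. z is a short nonzero vector of the q-ary lattice L^perp(A)."""
    return (any(z)
            and all(c in (-1, 0, 1) for c in z)
            and all(v == 0 for v in sis_hash(A, z, q)))
```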
