Cryptography with Lattices

Keita Xagawa (07D37042)
Supervisor: Keisuke Tanaka
Department of Mathematical and Computing Sciences
Tokyo Institute of Technology
February 15, 2010

Contents

1 Introduction ... 1
  1.1 Backgrounds ... 1
  1.2 Preliminaries ... 2
    1.2.1 Basic notions and notation ... 2
    1.2.2 Probabilities and Distributions ... 3
  1.3 Organization ... 3

2 Lattices ... 5
  2.1 Lattices ... 5
    2.1.1 Lattice Constants ... 6
  2.2 Lattice Problems ... 9
  2.3 Hardness of Lattice Problems ... 13
  2.4 Average-Case/Worst-Case Reductions ... 14
    2.4.1 Linear Codes and q-Ary Lattices ... 14
    2.4.2 From the Small Integer Solution Problem ... 15
    2.4.3 From the Learning With Errors ... 18

3 Cyclic and Ideal Lattices ... 27
  3.1 Preliminaries ... 27
  3.2 Cyclic and Ideal Lattices ... 29
  3.3 Problems ... 30
  3.4 Average-Case/Worst-Case Reductions ... 31
    3.4.1 From Small Integer Solution Problems ... 31
    3.4.2 From Learning With Errors ... 32

4 Hash Functions ... 35
  4.1 Definitions ... 35
    4.1.1 Model of Hash Schemes ... 35
    4.1.2 Security Notions ... 36
  4.2 Probabilistic Notions on Hash Functions and the Leftover Hash Lemma ... 36
  4.3 Lattice-based hash functions ... 38
    4.3.1 Regularity ... 39
  4.4 Ideal-Lattice-Based Hash Functions ... 40
    4.4.1 Computational Tricks ... 41
    4.4.2 Micciancio's Regularity Lemma ... 44

5 Commitment ... 47
  5.1 Definitions ... 47
    5.1.1 Model of Non-Interactive Commitment Schemes ... 48
    5.1.2 Security Notions ... 48
    5.1.3 Special Property ... 49
  5.2 Example: The Halevi–Micali Commitment Scheme ... 50
  5.3 A Lattice-based String Commitment Scheme ... 51
    5.3.1 Extending the Domain ... 52
  5.4 An Ideal-Lattice-Based String Commitment Scheme ... 53

6 Identification ... 55
  6.1 Introduction ... 55
    6.1.1 Main Ideas ... 56
  6.2 Definitions ... 57
    6.2.1 Protocols ... 57
    6.2.2 Model of Identification Schemes ... 59
    6.2.3 Security Notions ... 60
  6.3 The Micciancio–Vadhan Protocol ... 61
  6.4 The Variants of the Micciancio–Vadhan Schemes ... 62
    6.4.1 Concrete Schemes ... 64
  6.5 Lyubashevsky's Scheme – 1 ... 65
    6.5.1 Description ... 67
  6.6 Review of Stern's ID Scheme ... 67
  6.7 The Kawachi–Tanaka–Xagawa Identification Scheme ... 69
    6.7.1 Description ... 69
    6.7.2 Security Proofs ... 70
    6.7.3 The Cyclic/Ideal Version ... 75
  6.8 The Lyubashevsky ID Scheme – 2 ... 76
    6.8.1 Description ... 76
  6.9 Summary ... 77

7 Identity-based Identification ... 79
  7.1 Definitions ... 79
    7.1.1 Model of Identity-Based Identification Schemes ... 79
    7.1.2 Security Notions ... 80
  7.2 Identity-based Identification Schemes ... 81

8 Ring Identification ... 83
  8.1 Introduction ... 83
  8.2 Definitions ... 84
    8.2.1 Model of Ring Identification Schemes ... 84
    8.2.2 Security Notions ... 85
  8.3 The Kawachi–Tanaka–Xagawa Ring Identification Schemes ... 87
    8.3.1 Description ... 88
    8.3.2 Security Proof ... 89
    8.3.3 The Cyclic/Ideal version ... 90

9 Interlude: Zero-Knowledge Protocols on NTRU ... 93
  9.1 Introduction ... 93
  9.2 Brief Sketch of NTRU ... 96
  9.3 Interpretation of NTRU as Lattice-based Encryption ... 97
  9.4 The Xagawa–Tanaka Protocol ... 97
    9.4.1 Relations of Stern's Protocol and its Variant ... 97
    9.4.2 The Xagawa–Tanaka Protocol ... 98
    9.4.3 Description ... 98
    9.4.4 Relations for NTRU ... 101
  9.5 Identification Schemes ... 103
    9.5.1 Description ... 104
    9.5.2 Security Proofs ... 105
    9.5.3 Parameters and Communication Costs ... 106
  9.6 Comparisons ... 107
  9.7 Concluding Remarks ... 109

10 Trapdoors for Lattices ... 111
  10.1 Introduction ... 111
  10.2 Definition of Preimage Sampleable Functions ... 112
    10.2.1 Model of Preimage Sampleable Functions ... 112
    10.2.2 Security Notions ... 113
  10.3 The Ajtai and Alwen–Peikert Constructions ... 114
    10.3.1 Main Strategy ... 114
    10.3.2 The First Construction ... 115
    10.3.3 The Second Construction ... 117
    10.3.4 The Third Construction ... 118
  10.4 The Sampling Algorithm ... 119
    10.4.1 The Acceptance–Rejection Method ... 120
    10.4.2 Sampling over a One-Dimensional Lattice ... 121
    10.4.3 Sampling over Arbitrary Lattice ... 122
  10.5 Lattice-Based Collision-Resistant Preimage Sampleable Function ... 124
  10.6 Ideal-Lattice Version of the Alwen–Peikert Construction ... 125
    10.6.1 The Stehlé–Steinfeld–Tanaka–Xagawa Construction ... 125
    10.6.2 An Analog of the Alwen–Peikert Construction 1 ... 128
    10.6.3 An Analog of the Alwen–Peikert Construction 2 ... 129
    10.6.4 Discussions ... 130
  10.7 Ideal-Lattice-Based Collision-Resistant Preimage Sampleable Functions ... 130
  10.8 On "Bonsai" Notions ... 133
    10.8.1 Undirected Growth ... 133
    10.8.2 Controlled Growth ... 133
    10.8.3 Extending Control ... 133
    10.8.4 Randomizing Control ... 134
  10.9 On "Miniature Bonsai" Notions ... 134
    10.9.1 Undirected Growth ... 134
    10.9.2 Controlled Growth ... 134
    10.9.3 Extending Control ... 134
    10.9.4 Randomizing Control ... 135
  10.10 An Application: Trapdoor Hash Functions ... 135
    10.10.1 Definitions ... 136
    10.10.2 Constructions ... 137

11 Signature ... 141
  11.1 Definitions ... 141
    11.1.1 Model of Signature Schemes ... 141
    11.1.2 Security Notions ... 142
  11.2 General Conversions to Secure Signature Schemes ... 144
    11.2.1 From One-Way Function Family to Strong One-Time Signature Schemes ... 144
    11.2.2 From One-time Signature Scheme ... 146
    11.2.3 From One-Way Trapdoor Permutations ... 146
    11.2.4 From Collision-Resistant Preimage Sampleable Functions ... 147
    11.2.5 From Identification Schemes: The Fiat–Shamir Conversion ... 148
    11.2.6 From Trapdoor Hash Schemes and Weakly Secure Signature Schemes ... 151
    11.2.7 From Identity-based Encryption ... 151
  11.3 The Gentry–Peikert–Vaikuntanathan Signature ... 152
    11.3.1 Description ... 152
  11.4 The Stehlé–Steinfeld–Tanaka–Xagawa Signature ... 153
    11.4.1 Description ... 153
    11.4.2 Security Proofs ... 153
  11.5 The Lyubashevsky–Micciancio One-Time Signature ... 154
    11.5.1 Description ... 154
  11.6 The Lyubashevsky Signature ... 154
    11.6.1 Descriptions ... 155
  11.7 The Signature from "Bonsai" ... 155
    11.7.1 Description ... 155

12 Encryption ... 157
  12.1 Introduction ... 157
  12.2 Definitions ... 159
    12.2.1 Model of Public-Key Encryption Schemes ... 159
    12.2.2 Security Notions ... 160
  12.3 The McEliece Encryption Scheme ... 161
  12.4 The Ajtai–Dwork Encryption Scheme ... 161
    12.4.1 Description ... 162
    12.4.2 Security ... 163
    12.4.3 Attacks ... 163
  12.5 The Goldreich–Goldwasser–Halevi Encryption Scheme ... 163
    12.5.1 Description ... 164
    12.5.2 Attacks ... 165
    12.5.3 Micciancio's Variant ... 165
    12.5.4 The Variant by Paeng, Jung, and Ha ... 166
  12.6 NTRU ... 166
    12.6.1 Description ... 167
    12.6.2 Attacks ... 168
  12.7 The Regev03 Encryption Scheme ... 169
    12.7.1 Description ... 169
    12.7.2 Security and Attacks ... 169
  12.8 The Regev05 Encryption Scheme ... 169
    12.8.1 Description ... 170
    12.8.2 Security Proof ... 171
    12.8.3 Attacks ... 172
    12.8.4 Extensions ... 173
  12.9 The Gentry–Peikert–Vaikuntanathan "Dual" encryption scheme ... 173
    12.9.1 Description ... 173
    12.9.2 Security Proof ... 174
    12.9.3 Attacks ...

Details

  • File Type
    pdf
  • Upload Time
    -
  • Content Languages
    English
  • Upload User
    Anonymous/Not logged-in
  • File Pages
    244 Page
  • File Size
    -