Lattice-Based Cryptography: From Practice to Theory to Practice
Vadim Lyubashevsky, INRIA / CNRS / ENS Paris (September 12, 2011)
Lattice-Based Encryption Schemes
1. NTRU [Hoffstein, Pipher, Silverman '98]
2. LWE-Based [Regev '05]
3. Ring-LWE Based [L, Peikert, Regev '10]
4. "NTRU-like" with a proof of security [Stehle, Steinfeld '11]
Roadmap of the talk (diagram slide), starting from the Subset Sum Problem:
Subset-Sum Based [L, Palacio, Segev '10]; LWE-Based [Regev '05]; Ring-LWE Based [L, Peikert, Regev '10]; "NTRU-like" with a proof of security [Stehle, Steinfeld '11]; NTRU [Hoffstein, Pipher, Silverman '98]
Part 0. The Subset Sum Problem
Subset Sum Problem
a_i, T in Z_M. The a_i are chosen randomly; T is the sum of a random subset of the a_i.
a_1 a_2 a_3 ... a_n | T
Find a subset of the a_i's that sums to T (mod M).

Subset Sum Problem (example)
a_i, T in Z_49. The a_i are chosen randomly; T is the sum of a random subset of the a_i.
a_i = 15, 31, 24, 3, 14 and T = 11, since 15 + 31 + 14 = 60 = 11 (mod 49).

How Hard is Subset Sum?
a_i, T in Z_M; a_1 a_2 a_3 ... a_n | T. Find a subset of the a_i's that sums to T (mod M).
Hardness depends on: the size of n and M, and the relationship between n and M.

Complexity of Solving Subset Sum (run-time as a function of M, for n numbers)
M = 2^(log^2(n)): poly(n) run-time, via "generalized birthday attacks" [Fla-Prz 05, Lyu 06, Sha 08]
M around 2^n up to 2^(n log(n)): 2^(Omega(n)) run-time
M = 2^(n^2): poly(n) run-time, via "lattice reduction attacks" [Lag-Odl 85, Fri 86]

Subset Sum Crypto: Why?
- Simple operations
- Exponential hardness
- Seems very different from number theoretic assumptions
- Seems to resist quantum attacks

Subset Sum is "Pseudorandom" [Impagliazzo-Naor 1989]: For random a_1, ..., a_n in Z_M and random x_1, ..., x_n in {0, 1}, distinguishing the distribution (a_1, ..., a_n, a_1 x_1 + ... + a_n x_n mod M) from the uniform distribution U(Z_M^(n+1)) is as hard as finding x_1, ..., x_n.
Part 1. Cryptosystem Based on Subset Sum [L, Palacio, Segev 2010]
Public Key Encryption
Allows for secure communication between parties who have never previously met.

Public Key Encryption
Public key: p. Secret key: s. c = Encrypt(p, M), M = Decrypt(s, c), i.e. Decrypt(s, Encrypt(p, M)) = M.

Public Key Encryption: What does "secure" mean?
Intuitive answer: the adversary who sees c = Encrypt(p, M) should not be able to read the message.

Public Key Encryption: What does "secure" mean?
Intuitive answer: the adversary should not be able to read the message. But what about other information about the message? E.g. if the adversary sees c = Encrypt(p, M) twice and can figure out that the same message was sent twice, is the scheme "secure"?

Public Key Encryption: What does "secure" mean?
Semantic Security: for every 2 messages M, M', it is impossible to distinguish Encrypt(p, M) from Encrypt(p, M') in polynomial time. The Encrypt algorithm must be randomized!

Subset Sum Cryptosystem
Semantically secure based on Subset Sum for M ≈ n^n. Main tools: subset sum is pseudo-random, and addition in (Z_q)^n is "kind of like" addition in Z_M where M = q^n. The proof is very simple.
Facts About Addition
Want to add 4679 + 3907 + 8465 + 1343 mod 10^4. Written in base 10, the column sums are: thousands 4 + 3 + 8 + 1 = 16, hundreds 6 + 9 + 4 + 3 = 22, tens 7 + 0 + 6 + 4 = 17, ones 9 + 7 + 5 + 3 = 24. Adding with carries (i.e. in Z_M, M = 10^4) gives 8394; adding without carries (each column mod 10, i.e. in (Z_10)^4) gives 6274.
Adding n numbers (written in base q) modulo q^m → every carry is < n. If q >> n, then adding with carries (in Z_M) ≈ adding without carries (in (Z_q)^n).

So...
Take the 4 x 4 digit matrix A whose columns are the numbers 4679, 3907, 8465, 1643 (rows: 4 3 8 1 / 6 9 4 6 / 7 0 6 4 / 9 7 5 3) and x = (1, 1, 0, 1).
A x mod 10 without carries = (8, 1, 1, 9): NOT pseudorandom!
A x with carries = (8, 1, 1, 9) + (2, 1, 1, 0) = (0, 2, 2, 9), i.e. 4679 + 3907 + 1643 mod 10^4: pseudorandom based on Subset Sum!

Column Subset Sum Addition Is Also Pseudorandom
The same holds in the other direction, x^T A with carries (the rows of A read as base-10 numbers); the slide works it on the same 4 x 4 matrix.

"Hybrid" Subset Sum Addition Is Also Pseudorandom
Applying subset-sum addition with carries on both sides of A at once (a binary vector on the left and one on the right) is also pseudorandom; the slide again works it on the 4 x 4 example.
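The two kinds of addition above, as an added example that is not part of the slides: the columns of a digit matrix A are read as base-q numbers and summed "with carries" (in Z_M, M = q^n) and "without carries" (coordinate-wise in (Z_q)^n); the carry vector is their difference, and it is always smaller than n. The matrix and the selection vector x are constructed to match the "So..." slide (columns 4679, 3907, 8465, 1643), and the function names are assumptions of this example.

```python
# Added illustration (not from the slides): subset-sum addition of the columns
# of a digit matrix "with carries" (in Z_M, M = q^n) versus "without carries"
# (in (Z_q)^n). The carry vector is the difference and every entry is < n.

def num_from_digits(digits, q):
    """Read a list of base-q digits, most significant first, as an integer."""
    value = 0
    for d in digits:
        value = value * q + d
    return value


def digits_from_num(value, q, n):
    """Write value mod q^n as n base-q digits, most significant first."""
    value %= q ** n
    digits = []
    for _ in range(n):
        digits.append(value % q)
        value //= q
    return digits[::-1]


def subset_sum_columns(A, x, q):
    """Sum the columns of A selected by the 0/1 vector x.

    Returns (with_carries, without_carries, carries): the base-q digits of
    the true sum mod q^n, the coordinate-wise sum mod q, and their difference
    mod q, which is exactly the carry that entered each column.
    """
    n = len(A)
    cols = [[A[i][j] for i in range(n)] for j in range(n)]
    total = sum(num_from_digits(c, q) for c, xj in zip(cols, x) if xj)
    with_carries = digits_from_num(total, q, n)
    without = [sum(A[i][j] * x[j] for j in range(n)) % q for i in range(n)]
    carries = [(w - v) % q for w, v in zip(with_carries, without)]
    return with_carries, without, carries


def subset_sum_rows(A, x, q):
    """The 'column subset sum' of the slides: the same operation transposed,
    i.e. x^T A with carries, the rows of A read as base-q numbers."""
    n = len(A)
    At = [[A[j][i] for j in range(n)] for i in range(n)]
    return subset_sum_columns(At, x, q)


# Constructed to match the slide: the four columns are the numbers
# 4679, 3907, 8465 and 1643 in base 10, top digit most significant.
A = [[4, 3, 8, 1],
     [6, 9, 4, 6],
     [7, 0, 6, 4],
     [9, 7, 5, 3]]
x = [1, 1, 0, 1]      # select the 1st, 2nd and 4th columns

if __name__ == "__main__":
    wc, nc, carry = subset_sum_columns(A, x, 10)
    print("with carries (Z_10000):   ", wc)   # 4679 + 3907 + 1643 = 10229 -> 0229
    print("without carries ((Z_10)^4):", nc)
    print("carry vector:", carry, "(every entry <", len(A), ")")
```

Running it reproduces the slide: (0, 2, 2, 9) with carries, (8, 1, 1, 9) without, and the carry vector (2, 1, 1, 0). The carries are small precisely because at most n digits (plus one incoming carry below n) are added per column, which is the fact the LPS scheme below relies on.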
Encryption Scheme (for 1 bit)
A in Z_q^(n x n), s in {0, 1}^n. Public key: A and t = A s + carries (the carries of the subset-sum addition). Encryption: pick r in {0, 1}^n; u = r^T A + carries, v = r^T t + carries.

Encryption Scheme
(A, t = A s + carries, u = r^T A + carries, v = r^T t + carries) is pseudo-random based on the hardness of the subset sum problem.

Encryption Scheme
v = r^T t + carries = r^T (A s + carries) + carries = r^T A s + r^T carries + carries.

Encryption Scheme
u s = (r^T A + carries) s = r^T A s + carries s ≈ v, since all the carry terms are small.

Encryption Scheme
Encryption of 0: v - u s = (small).

Encryption Scheme
Encryption of 1: send (u, v') with v' = v + q/2, so that v' - u s = q/2 + (small).
Part 2. Cryptosystem Based on Learning With Errors and Worst-Case Lattice Problems [Regev 2005]
Encryption Scheme (what we needed)
t = A s + "small", u = r^T A + "small", v = r^T t + "small", with the whole tuple pseudorandom.

Picking the "Carries"
In Subset Sum the carries were deterministic. What if ... we pick the "carries" at random from some distribution?

So...
On the same 4 x 4 digit matrix: A s + (random small vector) is pseudorandom based on LWE and worst-case lattice problems [Reg '05]; A x + (carries) is pseudorandom based on Subset Sum! (with a lemma from [ACPS '09])
Learning With Errors (LWE) Problem
Given a_1, ..., a_m and b_i = <a_i, s> + e_i (in matrix form b = A s + e), find s. (The e_i and s are "small".) Once there are enough a_i, s is uniquely determined.
Theorem [Regev '05]: There is a polynomial-time quantum reduction from solving certain lattice problems in the worst case to solving LWE.

Decision LWE Problem
World 1: b = A s + e for a_1, ..., a_m. World 2: b is uniformly random in Z_p^m.
Lemma [Reg '05]: Search-LWE ≤ Decision-LWE (a distinguisher for the two worlds yields a solver for s).

LWE vs. Subset Sum
The Subset Sum assumption has deterministic "noise" (LWE Problem: A s + e = b; Subset Sum Problem: a_1 ... a_n times x = b, with the carries as the noise). The LWE assumption is more "versatile".

LWE / Subset Sum Encryption
t = A s + small, u = r^T A + small, v = r^T t + small. Cost of n-bit encryption, "have" (LWE / SS) versus "want":
Public Key Size: have Õ(n) / Õ(n^2), want O(n)
Secret Key Size: have Õ(n) / Õ(n^2), want O(n)
Ciphertext Expansion: have Õ(n) / Õ(1), want O(1)
Encryption Time: have Õ(n^3) / Õ(n^2), want O(n)
Decryption Time: have Õ(n^2), want O(n)
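The one-bit LWE scheme of this part, as an added example that is not part of the slides: the deterministic carries are replaced by errors drawn at random from {-1, 0, 1}, and decryption works because v - u s = r^T e + e_2 - e_1^T s stays well below q/4. The parameters (n = 8, q = 257), the error distribution and the function names are constructed for this illustration and are far too small for any security.

```python
# Added illustration (not from the slides): the one-bit LWE cryptosystem of
# Part 2 with the "carries" sampled at random. Names follow the slides:
# A, s, t (public key), r, u, v (ciphertext). Toy parameters, no security.
import random

N, Q = 8, 257                 # dimension and modulus (constructed, toy-sized)
rng = random.Random(2005)     # fixed seed so the demo is reproducible


def small_vec(n=N):
    """A 'small' vector: the random carries, drawn from {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def binary_vec(n=N):
    """The encryption randomness r in {0, 1}^n, as on the slides."""
    return [rng.randrange(2) for _ in range(n)]


def mat_vec(A, x, q=Q):
    """A x mod q for a list-of-rows matrix A."""
    return [sum(a * b for a, b in zip(row, x)) % q for row in A]


def vec_mat(x, A, q=Q):
    """x^T A mod q."""
    return [sum(x[i] * A[i][j] for i in range(len(A))) % q
            for j in range(len(A[0]))]


def keygen():
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    s, e = small_vec(), small_vec()
    t = [(a + b) % Q for a, b in zip(mat_vec(A, s), e)]      # t = A s + e
    return (A, t), s


def encrypt(pk, bit):
    A, t = pk
    r, e1, e2 = binary_vec(), small_vec(), rng.choice((-1, 0, 1))
    u = [(a + b) % Q for a, b in zip(vec_mat(r, A), e1)]     # u = r^T A + e1
    v = (sum(ri * ti for ri, ti in zip(r, t)) + e2
         + bit * (Q // 2)) % Q                                # v = r^T t + e2 + bit*q/2
    return u, v


def decrypt(s, ct):
    u, v = ct
    d = (v - sum(ui * si for ui, si in zip(u, s))) % Q        # v - u s = r^T e + e2 - e1^T s (+ q/2)
    d = d - Q if d > Q // 2 else d                            # centre in (-q/2, q/2]
    return int(abs(d) > Q // 4)


def noise_bound(n=N):
    """Largest possible |r^T e + e2 - e1^T s| with r binary and e, e1, e2, s
    in {-1, 0, 1}: decryption is correct whenever this is below q/4."""
    return n + 1 + n


if __name__ == "__main__":
    pk, s = keygen()
    for bit in (0, 1):
        print(bit, "->", decrypt(s, encrypt(pk, bit)))
    print("noise bound", noise_bound(), "< q/4 =", Q // 4)
```

Note what the public key costs: each entry of t (one pseudorandom number) consumed a whole row of A (n random numbers) plus one error, which is exactly the inefficiency the next part removes by moving to polynomial rings.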
Part 3. Cryptosystem Based on Learning With Errors over Rings and Worst-Case Ideal Lattice Problems [L, Peikert, Regev 2010]
Source of Inefficiency of LWE
Getting just one extra random-looking number (one entry of A s + e) requires n random numbers (a row of A) and a small error element. Wishful thinking: get n random numbers and produce n pseudo-random numbers in "one shot".

Use Polynomials
f(x) = x^n + a_{n-1} x^{n-1} + ... + a_1 x + a_0 is a polynomial. R = Z_p[x]/(f(x)) is a polynomial ring with addition mod p, and polynomial multiplication mod p and f(x). Each element of R consists of n elements of Z_p. In R: small + small = small, and small * small = small (depending on f(x)).

Polynomial Interpretation of the LWE-based cryptosystem
Public key: a and t = a s + e. Encryption: u = r a + e_1, v = r t + e_2 (the error terms are drawn as symbols on the slide). Decryption: v - u s = r t + e_2 - (r a + e_1) s = r (a s + e) + e_2 - r a s - e_1 s = r e + e_2 - e_1 s, which is small.

Security
Is (a, t = a s + e, u = r a + e_1, v = r t + e_2) pseudorandom?

Learning With Errors over Rings
Given a_1, ..., a_m and b_i = a_i s + e_i in the ring, find s.
Theorem [LPR '10]: Finding s is as hard as solving lattice problems in all ideals of the ring Z[x]/(f(x)).

Decision Learning With Errors over Rings
World 1: b_i = a_i s + e_i. World 2: the b_i are uniformly random.
Theorem [LPR '10]: In cyclotomic rings, Search-RLWE ≤ Decision-RLWE.

Use Polynomials in Z_p[x]/(f(x))
t = a s + e, u = r a + e_1, v = r t + e_2. Cost of n-bit encryption, from LWE / SS versus from Ring-LWE:
Public Key Size: Õ(n) / Õ(n^2), now Õ(n)
Secret Key Size: Õ(n) / Õ(n^2), now Õ(n)
Ciphertext Expansion: Õ(n) / Õ(1), now Õ(1)
Encryption Time: Õ(n^3) / Õ(n^2), now Õ(n)
Decryption Time: Õ(n^2), now Õ(n)
Part 4. 1-Element Cryptosystem Based on Learning With Errors over Rings and Worst-Case Ideal Lattice Problems [Stehle, Steinfeld 2011]
Number of Ring Elements
t = a s + e. Encryption of m: u = r a + e_1, v = r t + e_2 + (p/2) m. The ciphertext (u, v) consists of 2 ring elements. Can you have a ciphertext with just 1 ring element?

Stehle, Steinfeld Cryptosystem
f, g with "small" coefficients; a = f/g mod p is uniformly random. Encryption: u = 2 a r + 2 e + m, with e a small error (drawn as a symbol on the slide); pseudorandom based on Ring-LWE. Decryption: u g = 2 f r + 2 e g + g m, so u g mod 2 = g m mod 2, and dividing by g mod 2 gives m.
Part 5. NTRU Cryptosystem [Hoffstein, Pipher, Silverman 1998]
NTRU Cryptosystem
f, g very small; a = f/g mod p "looks" random. u = 2 a r + 2 e + m mod p (e a small error, drawn as a symbol on the slide). If a were random, this would be pseudorandom based on Ring-LWE. u g = 2 f r + 2 e g + g m. Since f, g are smaller, p can be smaller as well.

(Textbook) NTRU Cryptosystem / Trap-Door Function
f, g very small; a = f/g mod p. u = 2 a r + m. u g = 2 f r + g m, so u g mod 2 = g m mod 2, and (u g mod 2) / g = m.
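Both the two-element Ring-LWE scheme of Parts 3 and 4 and the one-element NTRU-style scheme of Parts 4 and 5, as one added example that is not part of the slides: they share the ring R = Z_p[x]/(x^n + 1) and a small polynomial-inversion routine (Gauss-Jordan on the multiplication matrix of g, both mod p and mod 2) that computes a = f/g. The ring choice x^n + 1, the parameters n = 8 and p = 257, the {-1, 0, 1} error distribution and all function names are assumptions of this example; the parameters are far too small for any security, and the decryption bounds in the comments are computed for these toy sizes.

```python
# Added illustration (not from the slides): a toy Ring-LWE cryptosystem
# (ciphertext = two ring elements) and a toy NTRU-style cryptosystem
# (ciphertext = one ring element) over R = Z_p[x]/(x^n + 1), n = 8, p = 257.
# Names follow the slides: a, s, t, r, u, v, e (Ring-LWE); f, g, a, r, u (NTRU).
import random

N, P = 8, 257               # ring dimension and modulus (constructed, toy-sized)
rng = random.Random(2011)   # fixed seed so the demo is reproducible


def ring_mul(x, y, n=N, p=P):
    """Multiply coefficient lists in Z_p[x]/(x^n + 1) (negacyclic convolution)."""
    res = [0] * n
    for i, xi in enumerate(x):
        for j, yj in enumerate(y):
            if i + j < n:
                res[i + j] += xi * yj
            else:                      # x^n = -1 wraps the high terms negatively
                res[i + j - n] -= xi * yj
    return [c % p for c in res]


def ring_add(x, y, p=P):
    return [(xi + yi) % p for xi, yi in zip(x, y)]


def ring_sub(x, y, p=P):
    return [(xi - yi) % p for xi, yi in zip(x, y)]


def centered(c, p=P):
    """Representative of c mod p in (-p/2, p/2]."""
    c %= p
    return c - p if c > p // 2 else c


def small(n=N):
    """A 'small' ring element: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(n)]


def uniform(n=N, p=P):
    return [rng.randrange(p) for _ in range(n)]


def ring_inverse(g, n=N, p=P):
    """Inverse of g in Z_p[x]/(x^n + 1), p prime, by Gauss-Jordan elimination on
    the matrix whose column j is x^j * g; returns None if g is not invertible."""
    cols = [ring_mul([int(i == j) for i in range(n)], g, n, p) for j in range(n)]
    aug = [[cols[j][i] for j in range(n)] + [int(i == 0)] for i in range(n)]
    for c in range(n):
        piv = next((r for r in range(c, n) if aug[r][c]), None)
        if piv is None:
            return None
        aug[c], aug[piv] = aug[piv], aug[c]
        inv = pow(aug[c][c], -1, p)
        aug[c] = [(v * inv) % p for v in aug[c]]
        for r in range(n):
            if r != c and aug[r][c]:
                factor = aug[r][c]
                aug[r] = [(v - factor * w) % p for v, w in zip(aug[r], aug[c])]
    return [aug[i][n] for i in range(n)]        # the v with g * v = 1


# ---- Parts 3/4: Ring-LWE scheme, ciphertext (u, v) = two ring elements
def rlwe_keygen():
    a, s, e = uniform(), small(), small()
    t = ring_add(ring_mul(a, s), e)                 # t = a s + e; public key (a, t)
    return (a, t), s


def rlwe_encrypt(pk, m):
    a, t = pk
    r, e1, e2 = small(), small(), small()
    u = ring_add(ring_mul(r, a), e1)                # u = r a + e1
    v = ring_add(ring_add(ring_mul(r, t), e2),
                 [(P // 2) * mi % P for mi in m])   # v = r t + e2 + floor(p/2) m
    return u, v


def rlwe_decrypt(s, ct):
    u, v = ct
    d = ring_sub(v, ring_mul(u, s))   # r e + e2 - e1 s + floor(p/2) m; noise <= 17 < p/4
    return [int(abs(centered(c)) > P // 4) for c in d]


# ---- Part 5: NTRU-style scheme, ciphertext u = one ring element
def ntru_keygen():
    while True:
        f, g = small(), small()
        g_inv_p, g_inv_2 = ring_inverse(g, N, P), ring_inverse(g, N, 2)
        if g_inv_p is not None and g_inv_2 is not None:   # need g invertible mod p and mod 2
            return ring_mul(f, g_inv_p), (f, g, g_inv_2)  # a = f/g mod p


def ntru_encrypt(a, m):
    r, e = small(), small()
    two_ar = [2 * c % P for c in ring_mul(a, r)]
    return ring_add(ring_add(two_ar, [2 * c % P for c in e]), m)   # u = 2 a r + 2 e + m


def ntru_decrypt(sk, u):
    f, g, g_inv_2 = sk
    # u g = 2 f r + 2 e g + g m has coefficients of size <= 40 < p/2, so reducing
    # mod p then centering recovers the integer polynomial; its parity is g m mod 2.
    w = [centered(c) % 2 for c in ring_mul(u, g)]
    return ring_mul(w, g_inv_2, N, 2)               # (u g mod 2) / g mod 2 = m
```

Usage: `pk, s = rlwe_keygen(); rlwe_decrypt(s, rlwe_encrypt(pk, m))` and `a, sk = ntru_keygen(); ntru_decrypt(sk, ntru_encrypt(a, m))` both return the bit vector `m`. The NTRU decryption is where the "small f, g" requirement bites: if the coefficients of 2 f r + 2 e g + g m could exceed p/2, the reduction mod p would destroy the parity information, which is why the slides note that smaller f, g allow a smaller p.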
Thanks, eh!