a very brief introduction to lattice-based...

A Very Brief Introduction to Lattice-BasedCryptography

Erkay Savas

Department of Computer Science and EngineeringSabancı University

November 15, 2018

Erkay Savas A Very Brief Introduction to Lattice-Based Cryptography

Outline

LatticesRing Learning with Errors (Ring-LWE) problemA Public Key Cryptosystem based on Ring-LWEFully Homomorphic Encryption

Lattices & Hard Lattice Problems

A full rank lattice Λ, which is a discrete additive subgroup ofthe n-dimensional real space Rn, is the integer spanΛ = L(B) = {Bz|z ∈ Zn} of a basis B = (b1, . . . , bn).The minimum distance λ1(Λ) of a lattice Λ is the length(usually in the Euclidean `2 norm) of its shortest nonzerovector; namely λ1(Λ) = min06=~x∈Λ||x||Shortest Vector Problem (SVP) Given a lattice basis B forΛ, find the shortest nonzero vector in Λ.Closest Vector Problem (CVP) Given a lattice basis B and apoint in real space v (not necessarily on the lattice), find theclosest lattice point

q-ary Lattices

Given an arbitrary matrix of A ∈ Zn×m, q-ary lattices aredefined as

Λq(A) = {y ∈ Zm : y = AT s (mod q) for some s ∈ Zn}Λ⊥q (A) = {y ∈ Zm : Ay = 0 (mod q)}

Ring-LWE

Consider the ring of polynomials R = Z[x]/Φ(x), where Φ(x)is cyclotomic polynomial of degree n, where n is a power of 2.

– R is the set of polynomials of degree less than n with integercoefficients.

Addition: standard polynomial additionMultiplication: standard polynomial multiplication andreduction modulo Φ(x) = xn + 1

Rq denotes the ring R reduced modulo q;

– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x

ai ∈ [−q/2, q/2] for i = 0, 1, . . . , n− 1Example: q = 7, F7 = {−3,−2,−1, 0, 1, 2, 3}

Ring-LWE

Rq denotes the ring R reduced modulo q;– i.e., Rq = Zq[x]/Φ(x)a ∈ Rq is a polynomial a = a0 + a1x+ . . .+ an−1x

Error Distribution: DR,σ

The operation e← DR,σ outputs a polynomial in R, whosecoefficients are sampled from a normal distribution with 0mean and standard deviation σ.

– In other words, it outputs a polynomial with “small”coefficients if σ is small (e.g. σ = 3.5)

Let B0 be a bound on normal distribution with µ = 0 and σWe can use error function erf to compute B0

For a normal distribution with µ = 0 and σ, erf(

aσ√

)is the

probability that a sample lies in (−a, a) for positive a.

aσ√

)is the

aσ√

)is the

Let B0 be a bound on normal distribution with µ = 0 and σ

We can use error function erf to compute B0

aσ√

)is the

aσ√

)is the

aσ√

)is the

Hard Problems

Two hard problems can be given:

– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σand set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.

– Ring LWE Decision Problem: Given (a, b) where a, b ∈ Rq,determine which of the following two cases holds:

(i) b is chosen uniformly at random (b←Rq)(ii) b← a · s+ e where a, s←Rq and e← DR,σ

Ring-LWE Problems are still hard even if s← DR,σ

Hard Problems

Two hard problems can be given:

– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σand set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.

Hard Problems

Two hard problems can be given:– Ring-LWE Search Problem: Pick a, s← Rq and e← DR,σ

and set b← as+ e (mod q). The search problem is, given thepair (a, b), to output the value s.

Hard Problems

(i) b is chosen uniformly at random (b←Rq)

(ii) b← a · s+ e where a, s←Rq and e← DR,σ

Hard Problems

Hardness of Ring-LWE Assumptions

Depends on the ring dimension n, the size of q and σwe use the LWE estimator accessible viahttps://bitbucket.org/malb/lwe-estimator/overview

Table: σ = 4.578 (δ is the root Hermite factor)

n k λ δclassical quantum

512 24 84.1 79.1 1.0065461024 27 149.3 138.3 1.0039411024 31 126.2 117.4 1.0045711024 32 121.6 113.1 1.0047271024 33 117.2 109.2 1.0048861024 34 113.1 105.4 1.0050451024 35 109.0 101.7 1.0052041024 36 105.5 98.5 1.0056301024 37 102.5 95.9 1.0055141024 38 99.1 92.7 1.0056781024 39 96.1 90.1 1.005837

A PKC based on Ring-LWE - Key Generation

We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.

i) s, e← DR,σii) a← Rq

iii) b← as+ pe (mod q)

– public key: pk ← (a, b)– secret key: sk ← s

We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)

Security depends on the ring dimension n, q and σ.{p, q,R, σ}: public domain parameters.

We pick two prime integers p and q such that p << q, a ringR, and a normal distribution with standard deviation σ.(e.g., p = 2)Security depends on the ring dimension n, q and σ.

{p, q,R, σ}: public domain parameters.

i) s, e← DR,σii) a← Rqiii) b← as+ pe (mod q)

i) s, e← DR,σ

ii) a← Rqiii) b← as+ pe (mod q)

– public key: pk ← (a, b)

– secret key: sk ← s

A PKC based on R-LWE - Encryption

Let µ ∈ Rp be an arbitrary message

i) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µ

iii) c1 ← ae0 + pe2

– Ciphertext: (c0, c1)

Let µ ∈ Rp be an arbitrary message

i) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2

Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σ

ii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2

Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µ

iii) c1 ← ae0 + pe2

Let µ ∈ Rp be an arbitrary messagei) e0, e1, e2 ← DR,σii) c0 ← be0 + pe1 + µiii) c1 ← ae0 + pe2

A PKC based on R-LWE - Decryption

µ← (c0 − c1s (mod q)) (mod p)Decryption is a vector product 〈(c0, c1), (1,−s )〉 where

– secret key: (1,−s )– ciphertext: (c0, c1)

µ← (c0 − c1s (mod q)) (mod p)

Decryption is a vector product 〈(c0, c1), (1,−s )〉 where

– secret key: (1,−s )

– ciphertext: (c0, c1)

Correctness of the decryption operation

µ = (c0 − c1s (mod q)) (mod p)= ((be0 − pe1 + µ)− (ase0 − pe2s) (mod q)) (mod p)= (p(ee0 + e1 − e2s) + µ (mod q)) (mod p)= (p · “small” + µ (mod q)) (mod p)

(p · “small” + µ (mod q)) (mod p) will return µ only ifp · “small” + µ < p · “small” + p <

Correctness Constraint

For correct decryption, we should have

p(ee0 + e1 − e2s) + p <q

where s, e, e0, e1, e2 are sampled from the same distribution.Also they are all in R = Z[x]/Φ(x)

p(ee0 + e1 − e2s) + p <q

where s, e, e0, e1, e2 are sampled from the same distribution.

Also they are all in R = Z[x]/Φ(x)

p(ee0 + e1 − e2s) + p <q

where s, e, e0, e1, e2 are sampled from the same distribution.Also they are all in R = Z[x]/Φ(x)

p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0

p(ee0 + e1 − e2s+ 1) < q

Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0

p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)

What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0

p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?

Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0

p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.

‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0

p(ee0 + e1 − e2s+ 1) < q

2Let B0 be an upper bound for coefficients of e, e0, e1, e2 and swhere e, e0, e1, e2, s ∈ R = Z[x]/Φ(x)What is the upper bound for the coefficients of ee0 and e2s?Infinity norm of a polynomial ‖e‖∞ is the maximum of itscoefficients.‖e‖∞, ‖e0‖∞, ‖e1‖∞, ‖e2‖∞, ‖s‖∞ ≤ B0

Correctness Constraint - Example

R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R

– c0 = a0b0 − a1b3 − a2b2 − a3b1– c1 = a0b1 + a1b0 − a2b3 − a3b2– c2 = a0b2 + a1b1 + a2b0 − a3b3– c3 = a0b3 + a1b2 + a2b1 + a3b0

Every coefficient in ci is the sum of four (n = 4) productterms.An upper bound for a product term is B2

An upper bound for a coefficient is then nB20 (a bit loose

upper bound)

R = Z[x]/Φ8(x) (m = 8, n = 4)

Φ8(x) = x4 + 1c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R

upper bound)

R = Z[x]/Φ8(x) (m = 8, n = 4)Φ8(x) = x4 + 1

c(x) = a(x)b(x) where a(x), b(x), c(x) ∈ R

upper bound)

Every coefficient in ci is the sum of four (n = 4) productterms.

An upper bound for a product term is B20

upper bound)

Correctness Constraint - Cont.

Let η = ee0 + e1 − e2s

An upper bound for η is, then, nB20 +B0 + nB2

pη+µ < p(nB20 +B0+nB2

0 +1) < q

2 ⇒ q > 2p(2nB20 +B0+1)

Let B = (2nB20 +B0) bound for η then q > 2p(B + 1)

0 +1) < q

2 ⇒ q > 2p(2nB20 +B0+1)

0 +1) < q

2 ⇒ q > 2p(2nB20 +B0+1)

0 +1) < q

2 ⇒ q > 2p(2nB20 +B0+1)

0 +1) < q

2 ⇒ q > 2p(2nB20 +B0+1)

Fully Homomorphic Encryption

µ ∈ Rpc = E(µ, pk)c ∈ R2

Additive Homomorphism: