MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - - PowerPoint PPT Presentation

MIT 6.875 & Berkeley CS276

Lecture 20 Foundations of Cryptography

TODAY: Lattice-based Cryptography

Why Lattice-based Crypto?

• Quantum-Resistant

(so far)

• Worst-case hardness
• Exponentially Hard
• Simple and Efficient

(unique feature of lattice-based crypto)

• Enabler of Surprising Capabilities

(computing on encrypted data) (so far)

Solving Linear Equations

5𝑡! + 11𝑡" = 2 2𝑡! + 𝑡" = 6 7𝑡! + 𝑡" = 26 where all equations are over ℤ, the integers

Solving Linear Equations

More generally, 𝑜 variables and 𝑛 ≫ 𝑜 equations. and A A s Given: GOAL: Find s.

Solving Linear Equations

GOAL: Find s.

EASY! For example, by Gaussian Elimination

and A A s Given:

Solving Linear Equations

GOAL: Find s. How to make it hard: That is, work modulo some 𝑟. (1121 𝑛𝑝𝑒 100 = 21)

Still EASY! Gaussian Elimination mod 𝑟

and A A s Given: Chop the head?

Solving Linear Equations

GOAL: Find s. How to make it hard: Chop the tail? Add a small error to each equation.

Still EASY! Linear regression.

and A A s Given:

+

e

Solving Linear Equations

GOAL: Find s. How to make it hard: Chop the head and the tail? Add a small error to each equation and work mod 𝑟.

Turns out to be very HARD!

and A A s Given:

+

e

Solving Noisy Modular Linear Equations

GOAL: Find s. A is chosen at random from ℤ#

$×&, s from ℤ# &

and e from 𝜓$. and A A s Given:

+

e Parameters: dimensions 𝒐 and 𝑛, modulus 𝒓, error distribution 𝜓 = uniform in some interval [−𝑪, … , 𝑪].

Learning with Errors (LWE)

Learning with Errors (LWE)

u Decoding Random Linear Codes

(over Fq with L1 errors)

u Learning Noisy Linear Functions u Worst-case hard Lattice Problems

[Regev’05, Peikert’09]

Attack 1: Linearization

Given 𝑩, 𝑩𝒕 + 𝒇, find 𝒕. Idea (a) Each noisy linear equation is an exact polynomial eqn. Consider 𝑐 = 𝒃, 𝒕 + 𝑓 = ∑𝒋(𝟐

𝒐

𝑏+𝑡+ + 𝑓. Imagine for now that the error bound 𝐶 = 1. So, 𝑓 ∈ −1,0,1 . In other words, b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ ∈ −1,0,1 . So, here is a noiseless polynomial equation on 𝑡+: (b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ − 1) (b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+)(b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ + 1) = 0

Attack 1: Linearization

Given 𝑩, 𝑩𝒕 + 𝒇, find 𝒕. BUT: Solving (even degree 2) polynomial equations is NP-hard. (b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ − 1) (b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+)(b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ + 1) = 0

Attack 1: Linearization

(b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ − 1) (b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+)(b − ∑𝒋(𝟐

𝒐

𝑏+𝑡+ + 1) = 0 Idea (b) Easy to solve given sufficiently many equations. (using a technique called “linearization”)

* 𝑏!"#𝑡!𝑡"𝑡# + * 𝑏!"𝑡!𝑡" + * 𝑏!𝑡! + 𝑐 − 1 𝑐(𝑐 + 1) = 0

Treat each “monomial”, e.g. s,s-s. as an independent variable, e.g. t,-.. Now, you have a noiseless linear equation in t,-.!!!

Attack 1: Linearization

* 𝑏!"#𝑢!"# + * 𝑏!"𝑢!" + * 𝑏!𝑢! + 𝑐 − 1 𝑐(𝑐 + 1) = 0

Solution space (with some eqns): The real solution 𝑢+/0 = 𝑡+𝑡

/𝑡 0 etc.

Attack 1: Linearization

* 𝑏!"#𝑢!"# + * 𝑏!"𝑢!" + * 𝑏!𝑢! + 𝑐 − 1 𝑐(𝑐 + 1) = 0

Solution space (with more eqns): The real solution 𝑢+/0 = 𝑡+𝑡

/𝑡 0 etc.

Attack 1: Linearization

* 𝑏!"#𝑢!"# + * 𝑏!"𝑢!" + * 𝑏!𝑢! + 𝑐 − 1 𝑐(𝑐 + 1) = 0

Solution space (with even more eqns): The real solution 𝑢+/0 = 𝑡+𝑡

/𝑡 0 etc.

Attack 1: Linearization

* 𝑏!"#𝑢!"# + * 𝑏!"𝑢!" + * 𝑏!𝑢! + 𝑐 − 1 𝑐(𝑐 + 1) = 0

Solution space (keep going): The real solution 𝑢+/0 = 𝑡+𝑡

/𝑡 0 etc.

Attack 1: Linearization

* 𝑏!"#𝑢!"# + * 𝑏!"𝑢!" + * 𝑏!𝑢! + 𝑐 − 1 𝑐(𝑐 + 1) = 0

When #eqns = #vars ≈ 𝑃(𝑜1) the only surviving solution to the linear system is the real solution.

Attack 1: Linearization

Given 𝑩, 𝑩𝒕 + 𝒇, find 𝒕. Can solve/break as long as 𝒏 ≫ 𝒐𝟑𝑪4𝟐 We will set 𝐶 = 𝑜5(!), in other words polynomial in 𝑜 so as to blunt this attack.

a1

O

a2

Attack 2: Lattice Decoding

a1*s1+a2*s2 a1*s1+a2*s2+e

in polynomial time when 𝒓/𝑪 > 𝟑𝒐

The famed Lenstra-Lenstra-Lovasz algorithm decodes

Setting Parameters

Put together, we are safe with: 𝑜 = security parameter (≈ 1 − 10K) 𝑛 = arbitrary poly in 𝑜 𝐶 = small poly in 𝑜, say 𝑜 𝑟 = poly in 𝑜, larger than 𝐶, and could be as large as sub-exponential, say 2&!.## even from quantum computers, AFAWK!

Decisional LWE

Theorem: “Decisional LWE is as hard as LWE”. Can you distinguish between: , A A s + e and , A b

OWF and PRG

gA(s,e) = As+e

• gA is a one-way function (assuming LWE)
• gA is a pseudo-random generator (decisional LWE)
• gA is also a trapdoor function…
• also a homomorphic commitment…

𝒇 ∈ 𝑎!

": random “small” error vector)

(A ∈ 𝑎!

"#$

s ∈ 𝑎!

" random “small” secret vector

Basic (Secret-key) Encryption

• Secret key sk = Uniformly random vector s Î 𝑎%

&

• Encryption Encs(𝜈): // 𝜈 Î {0,1}

– Sample uniformly random a Î 𝑎%

&, “small” noise e Î 𝑎

– The ciphertext c = (a, b = áa, sñ + e +𝜈 𝑟/2 )

n = security parameter, q = “small” modulus [Regev05]

• Decryption Decsk(c): Output Roundq/2(b − áa, sñ mod q)

// correctness as long as |e| < q/4

Basic (Secret-key) Encryption

[Regev05]

We already saw that this scheme is additively homomorphic.

𝒅 = (a, b = áa, sñ + e + 𝜈 𝑟/2 ) 𝒅′ = (a′ , b′ = áa′, sñ + e′ + 𝜈 ′ 𝑟/2 ) 𝒅 + 𝒅′ = (a+a′ , b+ b′)

+ In words: 𝑑 + 𝑑′ is an encryption of 𝜈 + 𝜈 ′ (mod 2)

Encs(m) Encs(m’)

𝒅 + 𝒅′ = (a+a′ , b+ b′ = á a +a′, sñ + (e+e′) + (𝜈 + 𝜈 ′) 𝑟/2 )

Basic (Secret-key) Encryption

[Regev05]

We will see how to make this scheme into a fully homomorphic scheme (in the next lec) Setting 𝑟 = 𝑜9:; & and 𝐶 = 𝑜 (for example) lets us support any polynomial number of additions. For now, note that the error increases when you add two ciphertexts. That is, |𝑓<== ≈ |𝑓! + 𝑓" ≤ 2𝐶. You can also negate the encrypted bit easily.

Public-key Encryption

• Secret key sk = Uniformly random vector s Î 𝑎%

& [Regev05]

• Public key pk: for 𝑗 𝑔𝑠𝑝𝑛 1 𝑢𝑝 𝑛 = 𝑞𝑝𝑚𝑧(𝑜) TBD

𝒅𝒋 = (𝒃𝒋, 𝒃𝒋, 𝒕 + 𝑓!)

Public-key Encryption

• Secret key sk = Uniformly random vector s Î 𝑎%

& [Regev05]

• Public key pk: for 𝑗 𝑔𝑠𝑝𝑛 1 𝑢𝑝 𝑛 = 𝑞𝑝𝑚𝑧(𝑜)

(𝑩, 𝒄 = 𝑩𝒕 + 𝒇)

• Encrypting a message bit 𝜈: pick a random vector 𝒔 ∈ {0,1}(

(𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 )

, A A s + e

• Decryption: compute

𝒔𝒄 + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 and round to nearest multiple of q/2.

Correctness

• Encrypting a message bit 𝜈: pick a random vector 𝒔 ∈ {0,1}(

(𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 )

• Decryption:

𝒔𝒄 + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 = 𝒔(𝑩𝒕 + 𝒇) + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 Decryption works as long as |𝒔𝒇| < 𝒓/𝟓 or in other words, if the LWE error bound B < 𝒓/𝟓𝒏 ≈ q/poly(n).

Security

Theorem: under decisional LWE, the scheme is IND-

• secure. In fact, even more: a ciphertext together with

the public key is pseudorandom. We show this by a hybrid argument. Let’s stare at a public key, ciphertext pair.

𝒒𝒍 = 𝑩, 𝒄 = 𝑩𝒕 + 𝒇 , 𝒅 = 𝑭𝒐𝒅 𝒒𝒍, 𝜈 = 𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 )

Call this distribution Hybrid 0.

Security

Theorem: under decisional LWE, the scheme is IND-

• secure. In fact, even more: a ciphertext together with

the public key is pseudorandom. Hybrid 1. Change the public key to random (from LWE).

^ 𝒒𝒍 = 𝑩, 𝒄 , _ 𝒅 = 𝑭𝒐𝒅 ^ 𝒒𝒍, 𝜈 = 𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 )

Hybrids 0 and 1 are comp. indist. by decisional LWE.

Detour: Leftover Hash Lemma

[Impagliazzo-Levin-Luby’90]

We want to understand how 𝒔𝑩, 𝒔𝒄 = 𝒔 𝑩 𝒄] is distributed when 𝐵, 𝑐 is random (and public). But 𝒔 is NOT truly random! It has small entries. 𝑩 𝒄 If 𝒔 is truly random, so is 𝒔 𝑩 𝒄]. 𝒔 Nevertheless, 𝒔 has entropy. Leftover hash lemma tells us that matrix multiplication turns (sufficient) entropy into true randomness. We need 𝑛 ≫ 𝑜 + 1 log 𝑟. ≈

𝒅

𝒃′ 𝑐′

Security

Theorem: under decisional LWE, the scheme is IND-

• secure. In fact, even more: a ciphertext together with

the public key is pseudorandom. Hybrid 1. Change the public key to random (from LWE).

^ 𝒒𝒍 = 𝑩, 𝒄 , _ 𝒅 = 𝑭𝒐𝒅 ^ 𝒒𝒍, 𝜈 = 𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 )

Hybrids 0 and 1 are comp. indist. by decisional LWE.

Security

Theorem: under decisional LWE, the scheme is IND-

• secure. In fact, even more: a ciphertext together with

the public key is pseudorandom. Hybrid 2. Change 𝒔𝑩, 𝒔𝒄 into random.

^ 𝒒𝒍 = 𝑩, 𝒄 , _ 𝒅 = 𝑭𝒐𝒅 ^ 𝒒𝒍, 𝜈 = 𝒃′, 𝑐′ + 𝜈 𝑟/2 )

Hybrids 1 and 2 are stat. indist. by leftover hash lemma.

Security

Theorem: under decisional LWE, the scheme is IND-

• secure. In fact, even more: a ciphertext together with

the public key is pseudorandom. Hybrid 2. Change 𝒔𝑩, 𝒔𝒄 into random.

^ 𝒒𝒍 = 𝑩, 𝒄 , _ 𝒅 = 𝑭𝒐𝒅 ^ 𝒒𝒍, 𝜈 = 𝒃′, 𝑐′ + 𝜈 𝑟/2 )

Now, we have the message 𝜈 encrypted with a one-time pad which perfectly hides 𝜈.

Public-key Encryption

• Secret key sk = Uniformly random vector s Î 𝑎%

& [Regev05]

• Public key pk: for 𝑗 𝑔𝑠𝑝𝑛 1 𝑢𝑝 𝑛 = 2 𝑜 + 1 log 𝑟

(𝑩, 𝒄 = 𝑩𝒕 + 𝒇)

• Encrypting a message bit 𝜈: pick a random vector 𝒔 ∈ {0,1}(

(𝒔𝑩, 𝒔𝒄 + 𝜈 𝑟/2 )

• Decryption: compute

𝒔𝒄 + 𝜈 𝑟/2 − 𝒔𝑩 𝐭 and round to nearest multiple of q/2.

Next Lecture: Fully Homomorphic Encryption