Lattice Based Cryptography - GGH Cryptosystem

Lattice Based Cryptography GGH Cryptosystem Tarun Raj - 110050050 Rama Krishna Banoth - 110050054 Abhilash Gupta - 110050058 Vinod Reddy - 110050060 Varun Janga - 110050076

Transcript of Lattice Based Cryptography - GGH Cryptosystem

Page 1: Lattice Based Cryptography - GGH Cryptosystem

Lattice Based Cryptography

GGH Cryptosystem

Tarun Raj - 110050050

Rama Krishna Banoth - 110050054

Abhilash Gupta - 110050058

Vinod Reddy - 110050060

Varun Janga - 110050076

Page 2: Lattice Based Cryptography - GGH Cryptosystem

Quick recap of Linear Algebra and Vector Spaces

❖ A vector space V is a subset of ℝⁿ with the property that α₁v₁ + α₂v₂ + … + αₘvₘ ∈ V for given v₁, v₂, …, vₘ ∈ V and all α₁, α₂, …, αₘ ∈ ℝ, where m ≤ n.

❖ Let v = (x₁, …, xₘ) ∈ V ⊂ ℝᵐ; then the Euclidean norm of v is defined as

||v|| = √(x₁² + … + xₘ²).

Page 3: Lattice Based Cryptography - GGH Cryptosystem

What is a Lattice?

❖ A basis for L is any set of independent vectors that generates L.

❖ The dimension of L is the number of vectors in a basis for L.

Page 4: Lattice Based Cryptography - GGH Cryptosystem

Properties of Lattices

❖ An integer lattice is a lattice all of whose vectors have integer coordinates.

❖ Any two bases for a lattice L are related by a matrix having integer entries and determinant equal to ±1.

Page 5: Lattice Based Cryptography - GGH Cryptosystem

Hadamard Ratio

0 < H(B) ≤ 1; the closer the value is to 1, the more orthogonal the vectors in the basis. We use the Hadamard ratio to differentiate between a good basis and a bad basis.

Page 6: Lattice Based Cryptography - GGH Cryptosystem

Good Basis Vs Bad Basis

❖ A good basis is one with nearly orthogonal vectors, i.e., a Hadamard ratio close to 1.

❖ A bad basis is one with a Hadamard ratio close to 0.

Page 7: Lattice Based Cryptography - GGH Cryptosystem

Hard problems on lattices

Page 8: Lattice Based Cryptography - GGH Cryptosystem

Hard problems on lattices

Page 9: Lattice Based Cryptography - GGH Cryptosystem

Hard problems on lattices

Note:

❖ No polynomial-time algorithm is known for approximating the CVP in ℝⁿ to within a polynomial factor of n.

❖ Best known polynomial time algorithms were based on LLL.

❖ Babai proved that CVP in ℝⁿ can be approximated to a factor of 2^(n/2)

Page 10: Lattice Based Cryptography - GGH Cryptosystem

Babai’s Algorithm

Page 11: Lattice Based Cryptography - GGH Cryptosystem

Cryptosystems based on hard Lattice Problems

Some of the initial ones are:

➔ Ajtai-Dwork Cryptosystem.

➔ GGH Cryptosystem by Goldreich, Goldwasser, Halevi.

➔ NTRU cryptosystem by Hoffstein, Pipher and Silverman.

Page 12: Lattice Based Cryptography - GGH Cryptosystem

GGH Cryptosystem

● Based on the problem of finding the lattice point closest to a given vector (CVP).

● Security Parameter - n = dimension of the lattice

● Threshold Parameter - σ = bound on error vector

● Private Key - Good basis of the lattice.

● Public Key - Bad basis of the same lattice.

Page 13: Lattice Based Cryptography - GGH Cryptosystem

GGH - Cryptosystem

Page 14: Lattice Based Cryptography - GGH Cryptosystem

Private Key (R) Generation

❖ Choosing a random lattice

➢ R’, an n×n matrix, is chosen with its elements taken uniformly at random, i.e. R’ is drawn from {-l, …, l}^(n×n) for some integer bound l.

➢ l had no effect on the basis, so a small value is chosen (±4).

❖ Choosing an almost rectangular lattice

➢ Start with k·I and add the “noise” generated above.

❖ R = R’ + kI

Experimentally, we get the best parameters when k ~ l√n.

Page 15: Lattice Based Cryptography - GGH Cryptosystem

Public Key (B) Generation

❖ R is multiplied by a few random unimodular matrices.

❖ B = R·T1·T2…

❖ Each Ti = Li·Ui, where

➢ Li and Ui are lower and upper triangular matrices.

➢ Each diagonal element of Li and Ui is ±1.

➢ The other non-zero elements can be chosen at random; for the experiments they were chosen from {-1, 0, 1}.

❖ Multiplying R by at least 4 transformations is required to prevent an attack using the LLL lattice reduction algorithm.
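The Python sketch below is an added example, not code from the slides or from the GGH authors. It builds a constructed 3-dimensional key with the R = R’ + kI recipe, compares the Hadamard ratios of the private and public bases, and shows Babai rounding recovering the message with R but not with B. Assumptions: rows are basis vectors (matching the c = mB + e form used on the later slides), so the unimodular matrix multiplies R on the left; only one transformation T1 is applied where the slides call for at least four; all names and numeric values are made up for the example.

```python
from fractions import Fraction
from math import prod, sqrt

def det_and_inverse(M):
    """Exact Gauss-Jordan over the rationals; returns (det M, inverse of M)."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)]
         for i, row in enumerate(M)]
    det = Fraction(1)
    for col in range(n):
        piv = next(r for r in range(col, n) if A[r][col] != 0)
        if piv != col:                       # row swap flips the sign of det
            A[col], A[piv], det = A[piv], A[col], -det
        p = A[col][col]
        det *= p
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return det, [row[n:] for row in A]

def vec_mat(v, M):                           # row vector times matrix
    return [sum(a * b for a, b in zip(v, col)) for col in zip(*M)]

def hadamard_ratio(M):
    """(|det M| / product of row norms)^(1/n); 1 means fully orthogonal."""
    norms = prod(sqrt(sum(x * x for x in row)) for row in M)
    return (abs(det_and_inverse(M)[0]) / norms) ** (1 / len(M))

def decrypt(basis, B, c):
    """Babai rounding of c in `basis`, then coordinates of that point in B."""
    coeffs = [round(x) for x in vec_mat(c, det_and_inverse(basis)[1])]
    v = vec_mat(coeffs, basis)               # candidate closest lattice point
    return [int(x) for x in vec_mat(v, det_and_inverse(B)[1])]

# Constructed toy key, n = 3, l = 4, sigma = 2 (illustrative values only).
R_NOISE = [[0, 1, -1], [-1, 0, 2], [1, -2, 0]]     # R', entries in {-4..4}
K = 7                                               # k ~ l*sqrt(n)
R = [[x + K * (i == j) for j, x in enumerate(r)] for i, r in enumerate(R_NOISE)]
L1 = [[1, 0, 0], [1, 1, 0], [-1, 1, 1]]            # lower triangular, diag 1
U1 = [[1, 1, -1], [0, 1, 1], [0, 0, 1]]            # upper triangular, diag 1
T1 = [vec_mat(row, U1) for row in L1]              # unimodular T1 = L1.U1
B = [vec_mat(row, R) for row in T1]                # public (bad) basis
m, e = [3, -5, 2], [2, -2, 2]                      # message, error in {±2}^3
c = [x + y for x, y in zip(vec_mat(m, B), e)]      # ciphertext c = mB + e

if __name__ == "__main__":
    print("H(R), H(B):", hadamard_ratio(R), hadamard_ratio(B))
    print("with R:", decrypt(R, B, c), " with B only:", decrypt(B, B, c))
```

Rounding in the private basis lands on the lattice point mB because every coordinate of e·R⁻¹ stays below ½; in the public basis the same error is amplified past ½ and rounding returns a different lattice point.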

Page 16: Lattice Based Cryptography - GGH Cryptosystem

Cryptanalysis - GGH Cryptosystem

Following are the attacks on the GGH cryptosystem:

❖ From the original paper by GGH

➢ The Round-off Attack

➢ The Nearest-plane Attack

➢ The Embedding Attack

❖ From Phong Nguyen, which led to the failure of this system

➢ Based on Leaking Remainders

Page 17: Lattice Based Cryptography - GGH Cryptosystem

Embedding Attack

● Embed the n basis vectors and the point c (for which we want to find the closest lattice point) in an (n+1)-dimensional lattice.

● After embedding, lattice reduction algorithms are used to find the shortest non-zero vector in L(B’).

● This heuristic works up to dimensions 110-120.

Page 18: Lattice Based Cryptography - GGH Cryptosystem

Nguyen’s Attack

● Let (n, σ) be as already defined and B be the public basis.

● Assume message m ∈ ℤⁿ is encrypted into ciphertext c ∈ ℤⁿ with B.

● There is an error vector e ∈ {±σ}ⁿ such that

c = mB + e

Page 19: Lattice Based Cryptography - GGH Cryptosystem

Nguyen’s Attack

Leaking Remainders:

c = mB + e

Consider s = (σ, …, σ) ∈ ℤⁿ; then we have

e + s ≡ 0 (mod 2σ)

⇒ c + s ≡ mB (mod 2σ)

If we can solve the above equation, we get m modulo 2σ, denoted by m_{2σ}.

Page 20: Lattice Based Cryptography - GGH Cryptosystem

Nguyen’s Attack

Simplifying the CVP:

Once we get m_{2σ}, observe that m - m_{2σ} = 2σm’ for some m’ ∈ ℤⁿ.

c = mB + e

⇒ c - m_{2σ}B = (m - m_{2σ})B + e

⇒ c - m_{2σ}B = 2σm’B + e

⇒

Page 21: Lattice Based Cryptography - GGH Cryptosystem

Nguyen’s Attack

In the above equation, the LHS is known. So the new problem reads as a Closest Vector Problem (CVP) for which the error vector is e/2σ ∈ {±½}ⁿ. Observe that this is a simpler CVP whose error vector has entries ±½, so traditional methods like embedding are more likely to work now that the error vector is smaller.
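The leaking-remainders step and the reduction to a smaller CVP, carried through on numbers, as an added Python example that is not part of the original slides. The basis B, σ = 2, message and error are constructed values, the function names are hypothetical, and the congruence is solved by exhaustive search, which is only workable at this toy dimension.

```python
from fractions import Fraction
from itertools import product

def vec_mat(v, M):                       # row vector times matrix
    return [sum(a * b for a, b in zip(v, col)) for col in zip(*M)]

def leak_remainders(B, c, sigma):
    """Every m mod 2σ with c + s ≡ mB (mod 2σ), where s = (σ, ..., σ).
    More than one candidate comes back if B is not invertible mod 2σ."""
    N = 2 * sigma
    target = [(x + sigma) % N for x in c]
    return [list(m) for m in product(range(N), repeat=len(c))
            if [x % N for x in vec_mat(m, B)] == target]

def reduced_target(B, c, m_mod, sigma):
    """(c - m_2σ·B) / 2σ, the target of the smaller CVP m'B + e/2σ."""
    return [Fraction(x - y, 2 * sigma) for x, y in zip(c, vec_mat(m_mod, B))]

def residual(B, target, m_prime):
    """Offset of the reduced target from the lattice point m'B."""
    return [t - y for t, y in zip(target, vec_mat(m_prime, B))]

# Constructed instance: public basis B (rows), sigma, and c = mB + e.
B = [[5, 10, -6], [5, 15, 3], [-4, -7, 22]]
SIGMA = 2
m, e = [3, -5, 2], [2, -2, 2]            # secret side, used only for checking
c = [x + y for x, y in zip(vec_mat(m, B), e)]

candidates = leak_remainders(B, c, SIGMA)     # needs only B, c and sigma
m_mod = candidates[0]
t = reduced_target(B, c, m_mod, SIGMA)
# m' = (m - m_2σ) / 2σ, computed from the secret m to verify the claim
m_prime = [(a - b) // (2 * SIGMA) for a, b in zip(m, m_mod)]

if __name__ == "__main__":
    print("m mod 2σ candidates:", candidates)
    print("reduced target:", [str(x) for x in t])
    print("reduced error:", [str(x) for x in residual(B, t, m_prime)])
```

The ciphertext alone fixes m modulo 2σ, and the remaining unknown m’ sits at distance ±½ per coordinate from the reduced target instead of ±σ.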

Page 22: Lattice Based Cryptography - GGH Cryptosystem

Advantages of Lattice Cryptography

❖ Shor’s algorithm (which runs on a quantum computer) can break public-key cryptographic systems that rely on the integer factorization problem or the discrete logarithm problem.

❖ Lattice-based cryptography provides one of the best alternatives for post-quantum cryptographic systems.

❖ Most lattice-based cryptographic constructions are believed to be secure against attacks using either conventional or quantum computers.

Page 23: Lattice Based Cryptography - GGH Cryptosystem

Disadvantages of Lattice Cryptography

❖ NTRU based schemes are practical and efficient to implement but lack proof of security

❖ Theoretical schemes like matrix based learning with errors offer strong security proof but use impractically large key sizes for general use

❖ Since current publicly known experimental quantum computing is nowhere near powerful enough to attack real cryptographic systems, lattice-based schemes are not used much in practice

Page 24: Lattice Based Cryptography - GGH Cryptosystem

Recent Developments

❖ Research has been done on trying to merge NTRU family algorithms and LWE (Learning with Errors) schemes

❖ This class of algorithms is called Learning with Errors designs over rings, which offer very efficient computation, moderate key sizes and strong proof of security

Page 25: Lattice Based Cryptography - GGH Cryptosystem

References

❖ An Introduction to Mathematical Cryptography by Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman

❖ Public-key cryptosystems from lattice reduction problems by Oded Goldreich, Shafi Goldwasser, Shai Halevi

❖ Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto ’97 by Phong Nguyen

❖ http://www.math.uni-bonn.de/~saxena/courses/WS2010-ref5.pdf

❖ http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf

❖ https://www.sav.sk/journals/uploads/0114115305BCKSS.pdf

Page 26: Lattice Based Cryptography - GGH Cryptosystem

Thank You

Page 27: Lattice Based Cryptography - GGH Cryptosystem

Example: