Lattice Based Cryptography
GGH Cryptosystem
Tarun Raj - 110050050
Rama Krishna Banoth - 110050054
Abhilash Gupta - 110050058
Vinod Reddy - 110050060
Varun Janga - 110050076
Quick recap of Linear Algebra and Vector Spaces
❖ A vector space V is a subset of R^n with the property that α1*v1 + α2*v2 + ... + αm*vm ∈ V for all v1, v2, ..., vm ∈ V and all α1, α2, ..., αm ∈ R, where m <= n.
❖ Let v = (x1, ..., xm) ∈ V ⊂ R^m; then the Euclidean norm of v is defined as
||v|| = √(x1^2 + ... + xm^2).
What is a Lattice?
❖ A basis for L is any set of independent vectors that generates L.
❖ The dimension of L is the no. of vectors in a basis for L.
Properties of Lattices
❖ An integer lattice is a lattice all of whose vectors have integer coordinates.
❖ Any two bases for a lattice L are related by a matrix having integer coordinates and determinant equal to ±1.
Hadamard Ratio
0 < H(B) ≤ 1; the closer the value is to 1, the more orthogonal the vectors in the basis.
We use the Hadamard ratio to differentiate between a good basis and a bad basis.
Good Basis Vs Bad Basis
❖ A good basis is one with nearly orthogonal vectors, i.e., a Hadamard ratio close to 1.
❖ A bad basis is one with a Hadamard ratio close to 0.
Hard problems on lattices
Note:
❖ No polynomial-time algorithm is known for approximating the CVP in R^n to within a polynomial factor of n.
❖ Best known polynomial time algorithms were based on LLL.
❖ Babai proved that CVP in R^n can be approximated to a factor of 2^(n/2).
Babai’s Algorithm
Cryptosystems based on hard Lattice Problems
Some of the initial ones are:
➔ Ajtai-Dwork Cryptosystem.
➔ GGH Cryptosystem by Goldreich, Goldwasser, Halevi.
➔ NTRU cryptosystem by Hoffstein, Pipher and Silverman.
GGH Cryptosystem
● Based on the problem of finding the lattice point closest to a given vector (CVP).
● Security Parameter - n = dimension of the lattice
● Threshold Parameter - σ = bound on error vector
● Private Key - Good basis of the lattice.
● Public Key - Bad basis of the same lattice.
Private Key (R) Generation
❖ Choosing a random lattice
➢ R', an n×n matrix, is chosen uniformly at random from {-l,...,l}^(n×n) for some integer bound l.
➢ l had no effect on the basis, so a small value is chosen (±4).
❖ Choosing an almost rectangular lattice
➢ Start with k·I and add the "noise" generated above.
❖ R = R' + kI
Experimentally, we get the best parameters when k ~ l√n.
Public Key (B) Generation
❖ R is multiplied by a few random unimodular matrices.
❖ B = R.T1.T2…
❖ Each Ti = Li.Ui, where
➢ Li & Ui are lower & upper triangular matrices.
➢ Each diagonal element is ±1 in Li & Ui.
➢ Other non-zero elements can be chosen at random; for experiments they chose from {-1,0,1}.
❖ Multiplying R by at least 4 transformations is required to prevent an attack using the LLL lattice reduction algorithm.
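The key generation steps above, together with the Hadamard ratio used to tell the two bases apart, as an added Python example (not code from the original slides). It assumes the standard formula H(B) = (|det B| / ∏||b_i||)^(1/n) with basis vectors as columns, rounds k to the nearest integer, and uses hypothetical function names and a toy dimension n = 6.

```python
import math, random

def det(M):
    # Laplace expansion: exact on integers, fine for the small n used here
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([r[:j] + r[j + 1:] for r in M[1:]])
               for j in range(len(M)))

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def hadamard(M):
    # H = (|det M| / product of ||b_i||)^(1/n); basis vectors b_i are the columns
    norms = math.prod(math.sqrt(sum(x * x for x in col)) for col in zip(*M))
    return (abs(det(M)) / norms) ** (1 / len(M))

def private_basis(n, l, rng):
    # R = R' + kI, R' uniform in {-l..l}^(n x n), k ~ l*sqrt(n) (rounded: assumption)
    k = round(l * math.sqrt(n))
    return [[rng.randint(-l, l) + (k if i == j else 0) for j in range(n)]
            for i in range(n)]

def triangular(n, rng, lower):
    # +-1 on the diagonal, {-1,0,1} on one side of it, 0 on the other
    return [[rng.choice((-1, 1)) if i == j
             else rng.choice((-1, 0, 1)) if (j < i) == lower else 0
             for j in range(n)] for i in range(n)]

def unimodular(n, rng):
    return matmul(triangular(n, rng, True), triangular(n, rng, False))  # T = L*U

def keygen(n=6, l=4, mixes=4, seed=1):
    rng = random.Random(seed)            # fixed seed so the demo is repeatable
    R = private_basis(n, l, rng)
    B = R
    for _ in range(mixes):               # B = R*T1*T2*...
        B = matmul(B, unimodular(n, rng))
    return R, B

if __name__ == "__main__":
    R, B = keygen()
    print("det R =", det(R), " det B =", det(B))
    print("H(R) = %.3f  H(B) = %.3f" % (hadamard(R), hadamard(B)))
```

Both bases have the same |det| because every Ti has determinant ±1, so the drop in Hadamard ratio from R to B comes entirely from the longer, less orthogonal columns of B.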
Cryptanalysis - GGH Cryptosystem
The following are the attacks on the GGH cryptosystem:
❖ From the original paper by GGH
➢ The Round-off Attack
➢ The Nearest-plane Attack
➢ The Embedding Attack
❖ From Phong Nguyen, which led to the failure of this system
➢ Based on Leaking Remainders
Embedding Attack
● Embed the n basis vectors and the point c (for which we want to find the closest lattice point) in an (n+1)-dimensional lattice.
● After embedding, lattice reduction algorithms are used to find the shortest non-zero vector in L(B’).
● This heuristic works up to dimensions 110-120.
Nguyen’s Attack
● Let (n, σ) be as already defined & B be the public basis.
● Assume a message m ∈ ℤ^n is encrypted into a ciphertext c ∈ ℤ^n with B.
● There is an error vector e ∈ {±σ}^n such that
c = mB + e
Leaking Remainders:
c = mB + e
Consider s = (σ,...,σ) ∈ ℤ^n; then we have
e + s ≡ 0 (mod 2σ)
⇒ c + s ≡ mB (mod 2σ)
If we can solve the above equation, we get m modulo 2σ, denoted by m_2σ.
Simplifying the CVP:
Once we get m_2σ, observe that m - m_2σ = 2σm’ for some m’ ∈ ℤ^n.
c = mB + e
⇒ c - m_2σ B = (m - m_2σ)B + e
⇒ c - m_2σ B = 2σm’B + e
⇒
In the above equation, the LHS is known. So the new problem reads as a Closest Vector Problem (CVP) for which the error vector is e/2σ ∈ {±½}^n.
Observe that this is a simpler CVP whose error vectors have entries ±½, so traditional methods like embedding are more likely to work now that the error vector is smaller.
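The leaking-remainder step and the reduced CVP, worked on a constructed 3-dimensional instance as an added Python example (not code from the original slides or from Nguyen's paper). The matrix B, message m, error e and all function names are assumptions chosen for illustration; B is picked so that det(B) is coprime to 2σ and the congruence has a unique solution.

```python
from fractions import Fraction

def det(M):
    # Laplace expansion: exact on integers, fine for toy dimensions
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([r[:j] + r[j + 1:] for r in M[1:]])
               for j in range(len(M)))

def inverse_mod(B, N):
    # B^-1 mod N from the adjugate; pow() raises ValueError unless gcd(det B, N) = 1
    n, d = len(B), pow(det(B) % N, -1, N)
    def minor(i, j):
        return [r[:j] + r[j + 1:] for k, r in enumerate(B) if k != i]
    return [[(-1) ** (i + j) * det(minor(j, i)) * d % N for j in range(n)]
            for i in range(n)]

def vecmat(v, M):
    # row vector times matrix
    return [sum(x * row[j] for x, row in zip(v, M)) for j in range(len(M[0]))]

def encrypt(m, B, e):
    return [x + y for x, y in zip(vecmat(m, B), e)]   # c = mB + e

def leak(c, B, sigma):
    # c + s = mB (mod 2*sigma) with s = (sigma,...,sigma): solve for m mod 2*sigma
    N = 2 * sigma
    rhs = [(x + sigma) % N for x in c]
    return [x % N for x in vecmat(rhs, inverse_mod(B, N))]

def reduced_target(c, B, sigma, m_mod):
    # (c - m_mod*B) / (2*sigma) = m'B + e/(2*sigma): a CVP with error entries +-1/2
    return [Fraction(x - y, 2 * sigma) for x, y in zip(c, vecmat(m_mod, B))]

# Constructed toy instance (n = 3, sigma = 3); det(B) = 37 is coprime to 2*sigma
B = [[5, 2, 3], [4, 5, 6], [2, 8, 11]]
m, e, sigma = [17, -4, 9], [3, -3, 3], 3

if __name__ == "__main__":
    c = encrypt(m, B, e)
    m_mod = leak(c, B, sigma)
    print("ciphertext c      :", c)
    print("leaked m mod 2*sig:", m_mod, "(true:", [x % (2 * sigma) for x in m], ")")
    print("reduced CVP target:", [str(t) for t in reduced_target(c, B, sigma, m_mod)])
```

The leak uses only the public basis and the ciphertext; it works because every entry of e is exactly ±σ, so e + s vanishes modulo 2σ.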
Advantages of Lattice Cryptography
❖ Shor’s algorithm (which runs on a quantum computer) can break public-key cryptographic systems that rely on the integer factorization problem or the discrete logarithm problem.
❖ Lattice based cryptography provides one of the best alternatives for post-quantum cryptographic systems.
❖ Most lattice based cryptographic constructions are believed to be secure against attacks using either conventional or quantum computers.
Disadvantages of Lattice Cryptography
❖ NTRU based schemes are practical and efficient to implement but lack proof of security
❖ Theoretical schemes like matrix based learning with errors offer strong security proof but use impractically large key sizes for general use
❖ Since current publicly known experimental quantum computing is nowhere near powerful enough to attack real cryptographic systems, lattice based schemes are not used much in practice
Recent Developments
❖ Research has been done on trying to merge NTRU family algorithms and LWE (Learning with Errors) schemes
❖ This class of algorithms is called Learning with Errors designs over rings, which offer very efficient computation, moderate key sizes and strong proof of security
References
❖ An Introduction to Mathematical Cryptography by Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman
❖ Public-key cryptosystems from lattice reduction problems by Oded Goldreich, Shafi Goldwasser, Shai Halevi
❖ Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from Crypto ’97 by Phong Nguyen
❖ http://www.math.uni-bonn.de/~saxena/courses/WS2010-ref5.pdf
❖ http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf
❖ https://www.sav.sk/journals/uploads/0114115305BCKSS.pdf
Thank You
Example: