Lattice-based cryptography

Last updated

Lattice-based cryptography is the generic term for constructions of cryptographic primitives that involve lattices, either in the construction itself or in the security proof. Lattice-based constructions support important standards of post-quantum cryptography. [1] Unlike more widely used and known public-key schemes such as the RSA, Diffie-Hellman or elliptic-curve cryptosystems — which could, theoretically, be defeated using Shor's algorithm on a quantum computer — some lattice-based constructions appear to be resistant to attack by both classical and quantum computers. Furthermore, many lattice-based constructions are considered to be secure under the assumption that certain well-studied computational lattice problems cannot be solved efficiently.

Contents

History

In 1996, Miklós Ajtai introduced the first lattice-based cryptographic construction whose security could be based on the hardness of well-studied lattice problems, [2] and Cynthia Dwork showed that a certain average-case lattice problem, known as short integer solutions (SIS), is at least as hard to solve as a worst-case lattice problem. [3] She then showed a cryptographic hash function whose security is equivalent to the computational hardness of SIS.

In 1998, Jeffrey Hoffstein, Jill Pipher, and Joseph H. Silverman introduced a lattice-based public-key encryption scheme, known as NTRU. [4] However, their scheme is not known to be at least as hard as solving a worst-case lattice problem.

The first lattice-based public-key encryption scheme whose security was proven under worst-case hardness assumptions was introduced by Oded Regev in 2005, [5] together with the learning with errors problem (LWE). Since then, much follow-up work has focused on improving Regev's security proof [6] [7] and improving the efficiency of the original scheme. [8] [9] [10] [11] Much more work has been devoted to constructing additional cryptographic primitives based on LWE and related problems. For example, in 2009, Craig Gentry introduced the first fully homomorphic encryption scheme, which was based on a lattice problem. [12]

Mathematical background

In linear algebra, a lattice is the set of all integer linear combinations of vectors from a basis of . In other words, For example, is a lattice, generated by the standard basis for . Crucially, the basis for a lattice is not unique. For example, the vectors , , and form an alternative basis for .

The most important lattice-based computational problem is the shortest vector problem (SVP or sometimes GapSVP), which asks us to approximate the minimal Euclidean length of a non-zero lattice vector. This problem is thought to be hard to solve efficiently, even with approximation factors that are polynomial in , and even with a quantum computer. Many (though not all) lattice-based cryptographic constructions are known to be secure if SVP is in fact hard in this regime.

Selected lattice-based schemes

This section presents selected lattice-based schemes, grouped by primitive.

Encryption

Selected schemes for the purpose of encryption:

Homomorphic encryption

Selected schemes for the purpose of homomorphic encryption:

Hash functions

Selected lattice-based cryptographic schemes for the purpose of hashing:

Key exchange

Selected schemes for the purpose of key exchange, also called key establishment, key encapsulation and key encapsulation mechanism (KEM):

Signing

This section lists a selection of lattice-based schemes for the purpose of digital signatures.

CRYSTALS-Dilithium

CRYSTALS-Dilithium or simply Dilithium [26] [27] is built upon module-LWE and module-SIS. Dilithium was selected by the NIST as the basis for a digital signature standard. [1] According to a message from Ray Perlner, writing on behalf of the NIST PQC team, the NIST module-LWE signing standard is to be based on version 3.1 of the Dilithium specification. NIST's changes on Dilithium 3.1 intend to support additional randomness in signing (hedged signing) and other improvements. [32]

Dilithium was one of the two digital signature schemes initially chosen by the NIST in their post-quantum cryptography process, the other one being SPHINCS⁺, which is not based on lattices but on hashes.

In August 2023, NIST published FIPS 204 (Initial Public Draft), and started calling Dilithium as Module-Lattice-Based Digital Signature Algorithm (ML-DSA). [33]

As of October 2023, ML-DSA was being implemented as a part of Libgcrypt, according to Falco Strenzke. [34]

Security

Lattice-based cryptographic constructions hold a great promise for public-key post-quantum cryptography. [35] Indeed, the main alternative forms of public-key cryptography are schemes based on the hardness of factoring and related problems and schemes based on the hardness of the discrete logarithm and related problems. However, both factoring and the discrete logarithm are known to be solvable in polynomial time on a quantum computer. [36] Furthermore, algorithms for factorization tend to yield algorithms for discrete logarithm, and conversely. This further motivates the study of constructions based on alternative assumptions, such as the hardness of lattice problems.

Many lattice-based cryptographic schemes are known to be secure assuming the worst-case hardness of certain lattice problems. [2] [5] [6] I.e., if there exists an algorithm that can efficiently break the cryptographic scheme with non-negligible probability, then there exists an efficient algorithm that solves a certain lattice problem on any input. However, for the practical lattice-based constructions (such as schemes based on NTRU and even schemes based on LWE with efficient parameters), meaningful reduction-based guarantees of security are not known.

Assessments of the security levels provided by reduction arguments from hard problems - based on recommended parameter sizes, standard estimates of the computational complexity of the hard problems, and detailed examination of the steps in the reductions - are called concrete security and sometimes practice-oriented provable security. [37] Authors who have investigated concrete security for lattice-based cryptosystems have found that the provable security results for such systems do not provide any meaningful concrete security for practical values of the parameters. [38] [39]

Functionality

For many cryptographic primitives, the only known constructions are based on lattices or closely related objects. These primitives include fully homomorphic encryption, [12] indistinguishability obfuscation, [40] cryptographic multilinear maps, and functional encryption. [40]

See also

Related Research Articles

Elliptic-curve cryptography (ECC) is an approach to public-key cryptography based on the algebraic structure of elliptic curves over finite fields. ECC allows smaller keys compared to non-EC cryptography to provide equivalent security.

Articles related to cryptography include:

NTRU is an open-source public-key cryptosystem that uses lattice-based cryptography to encrypt and decrypt data. It consists of two algorithms: NTRUEncrypt, which is used for encryption, and NTRUSign, which is used for digital signatures. Unlike other popular public-key cryptosystems, it is resistant to attacks using Shor's algorithm. NTRUEncrypt was patented, but it was placed in the public domain in 2017. NTRUSign is patented, but it can be used by software under the GPL.

In cryptography, the McEliece cryptosystem is an asymmetric encryption algorithm developed in 1978 by Robert McEliece. It was the first such scheme to use randomization in the encryption process. The algorithm has never gained much acceptance in the cryptographic community, but is a candidate for "post-quantum cryptography", as it is immune to attacks using Shor's algorithm and – more generally – measuring coset states using Fourier sampling.

NTRUSign, also known as the NTRU Signature Algorithm, is an NTRU public-key cryptography digital signature algorithm based on the GGH signature scheme. The original version of NTRUSign was Polynomial Authentication and Signature Scheme (PASS), and was published at CrypTEC'99. The improved version of PASS was named as NTRUSign, and was presented at the rump session of Asiacrypt 2001 and published in peer-reviewed form at the RSA Conference 2003. The 2003 publication included parameter recommendations for 80-bit security. A subsequent 2005 publication revised the parameter recommendations for 80-bit security, presented parameters that gave claimed security levels of 112, 128, 160, 192 and 256 bits, and described an algorithm to derive parameter sets at any desired security level. NTRU Cryptosystems, Inc. have applied for a patent on the algorithm.

The Goldreich-Goldwasser-Halevi (GGH) signature scheme is a digital signature scheme proposed in 1995 and published in 1997, based on solving the closest vector problem (CVP) in a lattice. The signer demonstrates knowledge of a good basis for the lattice by using it to solve CVP on a point representing the message; the verifier uses a bad basis for the same lattice to verify that the signature under consideration is actually a lattice point and is sufficiently close to the message point.

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted.

In computational complexity theory, a computational hardness assumption is the hypothesis that a particular problem cannot be solved efficiently. It is not known how to prove (unconditional) hardness for essentially any useful problem. Instead, computer scientists rely on reductions to formally relate the hardness of a new or complicated problem to a computational hardness assumption about a problem that is better-understood.

<span class="mw-page-title-main">Cryptography</span> Practice and study of secure communication techniques

Cryptography, or cryptology, is the practice and study of techniques for secure communication in the presence of adversarial behavior. More generally, cryptography is about constructing and analyzing protocols that prevent third parties or the public from reading private messages. Modern cryptography exists at the intersection of the disciplines of mathematics, computer science, information security, electrical engineering, digital signal processing, physics, and others. Core concepts related to information security are also central to cryptography. Practical applications of cryptography include electronic commerce, chip-based payment cards, digital currencies, computer passwords, and military communications.

The following outline is provided as an overview of and topical guide to cryptography:

In cryptography, learning with errors (LWE) is a mathematical problem that is widely used to create secure encryption algorithms. It is based on the idea of representing secret information as a set of equations with errors. In other words, LWE is a way to hide the value of a secret by introducing noise to it. In more technical terms, it refers to the computational problem of inferring a linear -ary function over a finite ring from given samples some of which may be erroneous. The LWE problem is conjectured to be hard to solve, and thus to be useful in cryptography.

Post-quantum cryptography (PQC), sometimes referred to as quantum-proof, quantum-safe or quantum-resistant, is the development of cryptographic algorithms that are thought to be secure against a cryptanalytic attack by a quantum computer. The problem with popular algorithms currently used in the market is that their security relies on one of three hard mathematical problems: the integer factorization problem, the discrete logarithm problem or the elliptic-curve discrete logarithm problem. All of these problems could be easily solved on a sufficiently powerful quantum computer running Shor's algorithm or even faster and less demanding alternatives.

In discrete mathematics, ideal lattices are a special class of lattices and a generalization of cyclic lattices. Ideal lattices naturally occur in many parts of number theory, but also in other areas. In particular, they have a significant place in cryptography. Micciancio defined a generalization of cyclic lattices as ideal lattices. They can be used in cryptosystems to decrease by a square root the number of parameters necessary to describe a lattice, making them more efficient. Ideal lattices are a new concept, but similar lattice classes have been used for a long time. For example, cyclic lattices, a special case of ideal lattices, are used in NTRUEncrypt and NTRUSign.

Digital signatures are a means to protect digital information from intentional modification and to authenticate the source of digital information. Public key cryptography provides a rich set of different cryptographic algorithms the create digital signatures. However, the primary public key signatures currently in use will become completely insecure if scientists are ever able to build a moderately sized quantum computer. Post quantum cryptography is a class of cryptographic algorithms designed to be resistant to attack by a quantum cryptography. Several post quantum digital signature algorithms based on hard problems in lattices are being created replace the commonly used RSA and elliptic curve signatures. A subset of these lattice based scheme are based on a problem known as Ring learning with errors. Ring learning with errors based digital signatures are among the post quantum signatures with the smallest public key and signature sizes

In post-quantum cryptography, ring learning with errors (RLWE) is a computational problem which serves as the foundation of new cryptographic algorithms, such as NewHope, designed to protect against cryptanalysis by quantum computers and also to provide the basis for homomorphic encryption. Public-key cryptography relies on construction of mathematical problems that are believed to be hard to solve if no further information is available, but are easy to solve if some information used in the problem construction is known. Some problems of this sort that are currently used in cryptography are at risk of attack if sufficiently large quantum computers can ever be built, so resistant problems are sought. Homomorphic encryption is a form of encryption that allows computation on ciphertext, such as arithmetic on numeric values stored in an encrypted database.

In cryptography, a public key exchange algorithm is a cryptographic algorithm which allows two parties to create and share a secret key, which they can use to encrypt messages between themselves. The ring learning with errors key exchange (RLWE-KEX) is one of a new class of public key exchange algorithms that are designed to be secure against an adversary that possesses a quantum computer. This is important because some public key algorithms in use today will be easily broken by a quantum computer if such computers are implemented. RLWE-KEX is one of a set of post-quantum cryptographic algorithms which are based on the difficulty of solving certain mathematical problems involving lattices. Unlike older lattice based cryptographic algorithms, the RLWE-KEX is provably reducible to a known hard problem in lattices.

Post-Quantum Cryptography Standardization is a program and competition by NIST to update their standards to include post-quantum cryptography. It was announced at PQCrypto 2016. 23 signature schemes and 59 encryption/KEM schemes were submitted by the initial submission deadline at the end of 2017 of which 69 total were deemed complete and proper and participated in the first round. Seven of these, of which 3 are signature schemes, have advanced to the third round, which was announced on July 22, 2020.

Oded Regev is an Israeli-American theoretical computer scientist and mathematician. He is a professor of computer science at the Courant institute at New York University. He is best known for his work in lattice-based cryptography, and in particular for introducing the learning with errors problem.

In post-quantum cryptography, NewHope is a key-agreement protocol by Erdem Alkim, Léo Ducas, Thomas Pöppelmann, and Peter Schwabe that is designed to resist quantum computer attacks.

Kyber is a key encapsulation mechanism (KEM) designed to be resistant to cryptanalytic attacks with future powerful quantum computers. It is used to establish a shared secret between two communicating parties without an (IND-CCA2) attacker in the transmission system being able to decrypt it. This asymmetric cryptosystem uses a variant of the learning with errors lattice problem as its basic trapdoor function. It won the NIST competition for the first post-quantum cryptography (PQ) standard. NIST calls its draft standard Module-Lattice-Based Key-Encapsulation Mechanism (ML-KEM).

References

  1. 1 2 3 4 5 6 7 CSRC, National Institute of Standards and Technology. Post-Quantum Cryptography. 2019. Available from the Internet on <https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/>, accessed in November 2nd, 2022.
  2. 1 2 Ajtai, Miklós (1996). "Generating Hard Instances of Lattice Problems". Proceedings of the Twenty-Eighth Annual ACM Symposium on Theory of Computing. pp. 99–108. CiteSeerX   10.1.1.40.2489 . doi:10.1145/237814.237838. ISBN   978-0-89791-785-8. S2CID   6864824.
  3. Public-Key Cryptosystem with Worst-Case/Average-Case Equivalence.
  4. Hoffstein, Jeffrey; Pipher, Jill; Silverman, Joseph H. (1998). "NTRU: A ring-based public key cryptosystem". Algorithmic Number Theory. Lecture Notes in Computer Science. Vol. 1423. pp. 267–288. CiteSeerX   10.1.1.25.8422 . doi:10.1007/bfb0054868. ISBN   978-3-540-64657-0.
  5. 1 2 Regev, Oded (2005-01-01). "On lattices, learning with errors, random linear codes, and cryptography". Proceedings of the thirty-seventh annual ACM symposium on Theory of computing – STOC '05. ACM. pp. 84–93. CiteSeerX   10.1.1.110.4776 . doi:10.1145/1060590.1060603. ISBN   978-1581139600. S2CID   53223958.
  6. 1 2 Peikert, Chris (2009-01-01). "Public-key cryptosystems from the worst-case shortest vector problem". Proceedings of the 41st annual ACM symposium on Symposium on theory of computing – STOC '09. ACM. pp. 333–342. CiteSeerX   10.1.1.168.270 . doi:10.1145/1536414.1536461. ISBN   9781605585062. S2CID   1864880.
  7. Brakerski, Zvika; Langlois, Adeline; Peikert, Chris; Regev, Oded; Stehlé, Damien (2013-01-01). "Classical hardness of learning with errors". Proceedings of the 45th annual ACM symposium on Symposium on theory of computing – STOC '13. ACM. pp. 575–584. arXiv: 1306.0281 . doi:10.1145/2488608.2488680. ISBN   9781450320290. S2CID   6005009.
  8. Lyubashevsky, Vadim; Peikert, Chris; Regev, Oded (2010-05-30). "On Ideal Lattices and Learning with Errors over Rings". Advances in Cryptology – EUROCRYPT 2010. Lecture Notes in Computer Science. Vol. 6110. pp. 1–23. CiteSeerX   10.1.1.352.8218 . doi:10.1007/978-3-642-13190-5_1. ISBN   978-3-642-13189-9.
  9. 1 2 Peikert, Chris (2014-07-16). "Lattice cryptography for the Internet" (PDF). IACR . Retrieved 2017-01-11.
  10. Alkim, Erdem; Ducas, Léo; Pöppelmann, Thomas; Schwabe, Peter (2015-01-01). "Post-quantum key exchange – a new hope". Cryptology ePrint Archive.
  11. Bos, Joppe; Costello, Craig; Ducas, Léo; Mironov, Ilya; Naehrig, Michael; Nikolaenko, Valeria; Raghunathan, Ananth; Stebila, Douglas (2016-01-01). "Frodo: Take off the ring! Practical, Quantum-Secure Key Exchange from LWE". Cryptology ePrint Archive.
  12. 1 2 3 Gentry, Craig (2009-01-01). A Fully Homomorphic Encryption Scheme (Thesis). Stanford, CA, USA: Stanford University.
  13. NGUYEN, Phon. Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from crypto ’97. In Crypto ’99: Proceedings of the 19th Annual International Cryptology Conference on Advances in Cryptology, pages 288–304, London, UK, 1999. Springer-Verlag.
  14. Brakerski, Zvika; Vaikuntanathan, Vinod (2011). "Efficient Fully Homomorphic Encryption from (Standard) LWE". Cryptology ePrint Archive.
  15. Brakerski, Zvika; Vaikuntanathan, Vinod (2013). "Lattice-Based FHE as Secure as PKE". Cryptology ePrint Archive.
  16. "LASH: A Lattice Based Hash Function". Archived from the original on October 16, 2008. Retrieved 2008-07-31.
  17. Contini, Scott; Matusiewicz, Krystian; Pieprzyk, Josef; Steinfeld, Ron; Guo, Jian; Ling, San; Wang, Huaxiong (2008). "Cryptanalysis of LASH" (PDF). Fast Software Encryption. Lecture Notes in Computer Science. Vol. 5086. pp. 207–223. doi:10.1007/978-3-540-71039-4_13. ISBN   978-3-540-71038-7. S2CID   6207514.
  18. AVANZI, R. et al. CRYSTALS-KYBER Algorithm Specifications And Supporting Documentation. CRYSTALS Team, 2021. Available from the Internet on <https: //www.pq-crystals.org/>, accessed on November 4th, 2022.
  19. Raimondo, Gina M., and Locascio, Laurie E., FIPS 203 (Draft) Federal Information Processing Standards Publication – Module-Lattice-based Key-Encapsulation Mechanism Standard. August 24, 2023. Information Technology Laboratory, National Institute of Standards and Technology. Gaithersburg, MD, United States of America. DOI 10.6028/NIST.FIPS.203.ipd. Available from the Internet on <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.203.ipd.pdf>, accessed in October 30th, 2023.
  20. FrodoKEM team. FrodoKEM. 2022. Available from the Internet on <https://frodokem.org/>, accessed on November 2nd, 2022.
  21. ALKIM, E. et al. FrodoKEM learning with errors key encapsulation algorithm specifications and supporting documentation. 2020. Available from the Internet on <https://frodokem.org/files/FrodoKEM-specification-20200930.pdf>, accessed in November 1st, 2022
  22. Bernstein, Daniel J. FrodoKEM documentation claims that "the FrodoKEM parameter sets comfortably match their target security levels with a large margin". Warning: That's not true. Send 2^40 ciphertexts to a frodokem640 public key; one of them will be decrypted by a large-scale attack feasible today. 2022. Available from the Internet on <https://twitter.com/hashbreaker/status/1587184970258255872>, accessed in November 2nd, 2022.
  23. SCHWABE, Peter et al. NewHope's Web site. 2022. Available from the Internet on <https://newhopecrypto.org/>, accessed in December 6th, 2022.
  24. Bernstein, Daniel J. et al., NTRU Prime: round 3. 2020. Available from the Internet on <https://ntruprime.cr.yp.to/>, accessed in November 8th, 2022.
  25. D'ANVERS, Jan-Pieter, KARMAKAR, Angshuman, ROY, Sujoy Sinha, and VERCAUTEREN, Frederik. Saber: Module-LWR based key exchange, CPA-secure encryption and CCA-secure KEM. 2018. Available from Internet on <https://eprint.iacr.org/2018/230>, accessed in November 5th, 2022.
  26. 1 2 BAI, S. et al. CRYSTALS-Dilithium Algorithm Specifications and Supporting Documentation (Version 3.1). CRYSTALS Team, 2021. Available from the Internet on <https://www.pq-crystals.org/>, accessed in November 2nd, 2021.
  27. 1 2 SEILER, Gregor et al. pq-crystals/dilithium (Dilithium at GitHub), 2022. Available from the Internet on <https://github.com/pq-crystals/dilithium>, accessed in December 29th, 2022.
  28. FOUQUE, Pierre-Alain et al. Falcon: Fast-Fourier Lattice-based Compact Signatures over NTRU. 2020. Available from the Internet on <https://falcon-sign.info/>, accessed in November 8th, 2020.
  29. Güneysu, Tim; Lyubashevsky, Vadim; Pöppelmann, Thomas (2012). "Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems" (PDF). Cryptographic Hardware and Embedded Systems – CHES 2012. Lecture Notes in Computer Science. Vol. 7428. IACR. pp. 530–547. doi:10.1007/978-3-642-33027-8_31. ISBN   978-3-642-33026-1 . Retrieved 2017-01-11.
  30. ESPITAU, Thomas et al. MITAKA: A Simpler, Parallelizable, Maskable Variant of Falcon. 2021.
  31. ALKIM, E. et al. The Lattice-Based Digital Signature Scheme qTESLA. IACR, 2019. Cryptology ePrint Archive, Report 2019/085. Available from Internet on <https://eprint.iacr.org/2019/085>, accessed in NOVEMBER 1st, 2022.
  32. Perlner, Ray A.. Planned changes to the Dilithium spec. April 20th, 2023. Google Groups. Available from the Internet on <https://groups.google.com/a/list.nist.gov/g/pqc-forum/c/3pBJsYjfRw4/m/GjJ2icQkAQAJ>, accessed in June 14th, 2023.
  33. Raimondo, Gina M., and Locascio, Laurie E., FIPS 204 (Draft) Federal Information Processing Standards Publication – Module-Lattice-Based Digital Signature Standard. August 24, 2023. Information Technology Laboratory, National Institute of Standards and Technology. Gaithersburg, MD, United States of America. DOI 10.6028/NIST.FIPS.204.ipd. Available from the Internet on <https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.204.ipd.pdf>, accessed in September 2nd, 2023.
  34. Gcrypt-devel mailing list. Dilithium Implementation in Libgcrypt. October 24th, 2023. Available from the Internet on <https://lists.gnupg.org/pipermail/gcrypt-devel/2023-October/005572.html>, accessed on October 24th, 2023.
  35. Micciancio, Daniele; Regev, Oded (2008-07-22). "Lattice-based cryptography" (PDF). Nyu.edu. Retrieved 2017-01-11.
  36. Shor, Peter W. (1997-10-01). "Polynomial-Time Algorithms for Prime Factorization and Discrete Logarithms on a Quantum Computer". SIAM Journal on Computing. 26 (5): 1484–1509. arXiv: quant-ph/9508027 . doi:10.1137/S0097539795293172. ISSN   0097-5397. S2CID   2337707.
  37. Bellare, Mihir (1998), Practice-Oriented Provable-Security, Lecture Notes in Computer Science, vol. 1396, Springer-Verlag, pp. 221–231, doi:10.1007/BFb0030423
  38. Koblitz, Neal; Samajder, Subhabrata; Sarkar, Palash; Singha, Subhadip (2022). "Concrete analysis of approximate ideal-SIVP to decision ring-LWE reduction". Advances in the Mathematics of Communications. doi: 10.3934/amc.2022082 .
  39. Gärtner, Joel (2023), Concrete Security from Worst-Case to Average-Case Lattice Reductions, Lecture Notes in Computer Science, vol. 14064, Springer-Verlag, pp. 344–369, ISBN   978-3-031-37678-8
  40. 1 2 Garg, Sanjam; Gentry, Craig; Halevi, Shai; Raykova, Mariana; Sahai, Amit; Waters, Brent (2013-01-01). "Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits". Cryptology ePrint Archive. CiteSeerX   10.1.1.400.6501 .

Bibliography

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.