Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS /...
-
Upload
sharon-cain -
Category
Documents
-
view
260 -
download
0
Transcript of Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS /...
![Page 1: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/1.jpg)
Lattice-Based Cryptography: From Practice to Theory to
Practice
Vadim LyubashevskyINRIA / CNRS / ENS Paris
(September 12, 2011)
![Page 2: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/2.jpg)
La Cryptographie Reposant sur les Réseaux:
de la Pratique à la Théorie à la Pratique
Vadim LyubashevskyINRIA / CNRS / ENS Paris
(Septembre 12, 2011)
![Page 3: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/3.jpg)
Lattice-Based Encryption Schemes
1. NTRU [Hoffstein, Pipher, Silverman ‘98]
2. LWE-Based [Regev ‘05]
3. Ring-LWE Based [L, Peikert, Regev ’10]
4. “NTRU-like” with a proof of security [Stehle, Steinfeld ‘11]
![Page 4: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/4.jpg)
Cryptosystèmes Reposant sur les Réseaux
1. NTRU [Hoffstein, Pipher, Silverman ‘98]
2. Reposant sur LWE [Regev ‘05]
3. Reposant sur Anneau-LWE [L, Peikert, Regev ’10]
4. “NTRU” avec une preuve de la sécurité [Stehle, Steinfeld ‘11]
![Page 5: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/5.jpg)
Subset Sum Problem
Subset-Sum Based [L, Palacio, Segev ‘10]
LWE-Based [Regev ‘05]
Ring-LWE Based [L, Peikert, Regev ’10]
“NTRU-like” with a proof of security [Stehle, Steinfeld ‘11]
NTRU [Hoffstein, Pipher, Silverman ‘98]
![Page 6: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/6.jpg)
Part 0.
The Subset Sum Problem
![Page 7: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/7.jpg)
ai , T in ZM
ai are chosen randomly
T is a sum of a random subset of the ai
a1 a2 a3 … an T
Find a subset of ai's that sums to T (mod
M)
Subset Sum Problem
![Page 8: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/8.jpg)
ai , T in Z49
ai are chosen randomly
T is a sum of a random subset of the ai
15 31 24 3 14 11
15 + 31 + 14 = 11 (mod 49)
Subset Sum Problem
![Page 9: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/9.jpg)
How Hard is Subset Sum?
ai , T in ZM
a1 a2 a3 … an T
Find a subset of ai's that sums to T (mod M)
Hardness Depends on: Size of n and M Relationship between n and M
![Page 10: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/10.jpg)
Complexity of Solving Subset Sum
M
run-time
2log²(n) 2n 2n log(n) 2n²
poly(n)
2Ω(n) poly(n)
“generalized birthday attacks”
[FlaPrz05,Lyu06,Sha08]
“lattice reduction attacks” [LagOdl85,Fri86]
![Page 11: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/11.jpg)
Subset Sum Crypto
Why?
Simple operations
Exponential hardness
Seems very different from number theoretic assumptions
Seems to resist quantum attacks
![Page 12: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/12.jpg)
Subset Sum is “Pseudorandom”
[Impagliazzo-Naor 1989]:
For random a1,...,an in ZM and random x1,...,xn in
0,1
distinguishing the distribution
(a1,...,an, a1x1+...+anxn mod M)
from the uniform distribution U(ZMn+1) is as hard
as finding x1,...,xn
![Page 13: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/13.jpg)
Part 1.
Cryptosystem Based on
Subset Sum
[L, Palacio, Segev 2010]
![Page 14: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/14.jpg)
Public Key Encryption
Allows for secure communication between parties who have previously never met
![Page 15: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/15.jpg)
Public Key Encryption
public key: psecret key: sEncrypt, DecryptDecrypt(s,Encrypt(p,M))=M
c=Encrypt(p,M)
M=Decrypt(s,c)
![Page 16: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/16.jpg)
Public Key Encryption
c=Encrypt(p,M)
What does “secure” mean?
Intuitive answer: The adversary should not be able to read the message.
![Page 17: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/17.jpg)
Public Key Encryption
c=Encrypt(p,M), c=Encrypt(p,M)
What does “secure” mean?
Intuitive answer: The adversary should not be able to read the message.
But what about other information about the message?
E.g. If adversary can figure out that the same message was sent twice, is the scheme “secure”?
![Page 18: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/18.jpg)
Public Key Encryption
What does “secure” mean?Semantic Security:
For every 2 messages M, M', it's impossible to distinguish
Encrypt(p,M) from Encrypt(p,M') in polynomial time
The Encrypt algorithm must be randomized!
![Page 19: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/19.jpg)
Subset Sum Cryptosystem
Semantically secure based on Subset Sum for M ≈ nn
Main tools
Subset sum is pseudo-random
Addition in (Zq)n
is “kind of like” addition in
ZM where M=qn
The proof is very simple
![Page 20: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/20.jpg)
Facts About AdditionWant to add 4679+3907+8465+1343 mod
104
4 6 7 93 9 0 78 4 6 51 3 4 34
2
9
1
3
2
8Adding n numbers (written in base q) modulo qm → carries < nIf q>>n, then Adding with carries ≈ Adding without
carries (i.e. in ZM) (i.e. in (Zq)
n )
4 6 7 93 9 0 78 4 6 51 3 4 3
4726
![Page 21: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/21.jpg)
So...
4 6 7 93 9 0 78 4 6 51 6 4 3
1 1 0 1
8 1 1 9
4 6 7 93 9 0 78 4 6 51 6 4 3
1 1 0 1
+2 1 1 00 2 2 9
=
=
NOT Pseudorandom!
Pseudorandom based on Subset Sum!
![Page 22: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/22.jpg)
Column Subset Sum Addition Is Also Pseudorandom
4 6 7 93 9 0 78 4 6 51 6 4 3
1101
1110
0980
+ =
![Page 23: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/23.jpg)
“Hybrid” Subset Sum Addition Is Also Pseudorandom
4 6 7 9 03 9 0 7 98 4 6 5 81 6 4 3 0
1 0 0 1
+ 1 1 1 0 0
6 3 2 2 0=
pseudorandom
![Page 24: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/24.jpg)
Encryption Scheme (for 1 bit)
A s t=+ A tr
+
u v=
Public Key
0,1n
0,1n
Zqn x n
![Page 25: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/25.jpg)
Encryption Scheme
A s t=+ A tr
+
u v=
Is pseudo-random based on the hardness of the subset sum problem
![Page 26: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/26.jpg)
Encryption Scheme
A s t=+ A tr
+
u v=
v
A s +r +
A sr
A sr +
A s
=
=
![Page 27: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/27.jpg)
Encryption Scheme
A s t=+ A tr
+
u v=
us A
rs
= +
Ar
s+= ≈ v
![Page 28: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/28.jpg)
us
v - =
Encryption Scheme
A s t=+ A tr
+
u v=
Encryption of 0
![Page 29: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/29.jpg)
us
- =
Encryption Scheme
A s t=+ A tr
+
u v=
Encryption of 1+
0
u=+q/2
q/2
v’
v’
![Page 30: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/30.jpg)
Part 2.
Cryptosystem Based on
Learning With Errors and
Worst-Case Lattice Problems
[Regev 2005]
![Page 31: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/31.jpg)
Encryption Scheme(what we needed)
A s t=+ A tr
+
u v=
Pseudorandom
“small”
![Page 32: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/32.jpg)
Picking the “Carries”
In Subset Sum: carries were deterministic
What if … we pick the “carries” at random from some distribution?
![Page 33: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/33.jpg)
So...4 6 7 93 9 0 78 4 6 51 6 4 3
1 1 0 1
+2 1 1 00 2 2 9
=
Pseudorandom based on Subset Sum!
4 6 7 93 9 0 78 4 6 51 6 4 3
2 3 0 1
+1 3 2 17 2 0 3
=
Pseudorandom based on LWE and worst-case lattice problems [Reg ‘05](with a lemma from [ACPS ‘09])
![Page 34: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/34.jpg)
Given ai and <ai,s>+ ei find s. (ei and s are “small”)
(Once there are enough ai , the s is uniquely determined)
Theorem [Regev '05] : There is a polynomial-time quantum reduction from solving certain lattice problems in the worst-case to solving LWE.
Learning With Errors (LWE) Problem
. . .
a1
a2
am
s
+ e = b
![Page 35: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/35.jpg)
Decision LWE Problem
. . .
a1a2 s
+ e = b
World 1
. . .
a2
a1
am
b
uniformly random in Zp
m
World 2
Lemma[Reg ’05]: Search-LWE < Decision-LWE
am
![Page 36: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/36.jpg)
LWE vs. Subset Sum
The Subset Sum assumption has deterministic “noise”
The LWE assumption is more “versatile”
. . .
a1a2
am
s
+ e = b
LWE Problem
n2
n
s
+ = b
Subset Sum Problem
n2
n
a2a1 an…
EASY !!
![Page 37: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/37.jpg)
LWE / Subset Sum Encryption
A s t=+ A tr
+
u v=
n-bit Encryption Have Want
Public Key Size Õ(n) / Õ(n2) O(n)
Secret Key Size Õ(n) / Õ (n2) O(n)
Ciphertext Expansion
Õ(n) / Õ (1) O(1)
Encryption Time Õ(n3) / Õ (n2) O(n)
Decryption Time Õ(n2) O(n)
![Page 38: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/38.jpg)
Part 3.
Cryptosystem Based on
Learning With Errors over Rings and
Worst-Case Ideal Lattice Problems
[L, Peikert, Regev 2010]
![Page 39: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/39.jpg)
Source of Inefficiency of LWE1
0
2
1
3782 2*
+ =
1 Getting just one extra random-looking number requires n random numbers and a small error element.
Wishful thinking: get n random numbers and produce n pseudo-random numbers in “one shot”
2
8
7
3
*
+ =
1
0
2
1
![Page 40: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/40.jpg)
Use Polynomials
f(x) is a polynomial xn + an-1xn-1 + … + a1x + a0
R = Zp[x]/(f(x)) is a polynomial ring with
• Addition mod p
• Polynomial multiplication mod p and f(x)
Each element of R consists of n elements in Zp
In R:
• small+small = small
• small*small = small (depending on f(x) )
![Page 41: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/41.jpg)
Polynomial Interpretation of the LWE-based cryptosystem
a s t r a u
r t v
v u s
+ +
+
= =
=
- r t + r a + s
r a s + + r a + s
r + s
= -
-
- =
Public Key
![Page 42: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/42.jpg)
Security
a s t r a u
r t v
+ +
+
= =
=
Pseudorandom??
![Page 43: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/43.jpg)
Learning With Errors over Rings
a
1a
2a
3
…
a
m
s b
1b2
b3
…
b
m
+ =
e
1e2
e3
…
e
m
Theorem [LPR ‘10]: Finding s is as hard as solving lattice problems in all ideals of the ring Z[x]/(f(x))
![Page 44: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/44.jpg)
Decision Learning With Errors over Rings
a
1a
2a
3
…
a
m
s b
1b2
b3
…
b
m
+ =
a
1a
2a
3
…
a
m
b
1b2
b3
…
b
m
Theorem [LPR ‘10]: In cyclotomic rings, Search-RLWE < Decision-RLWE
World 1 World 2
![Page 45: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/45.jpg)
Use Polynomials in Zp[x]/(f(x))
a s t r a u
r t v
+ +
+
= =
=
n-bit Encryption From LWE / SS From Ring-LWE
Public Key Size Õ(n) / Õ(n2) Õ(n)
Secret Key Size Õ(n) / Õ (n2) Õ(n)
Ciphertext Expansion
Õ(n) / Õ (1) Õ(1)
Encryption Time Õ(n3) / Õ (n2) Õ(n)
Decryption Time Õ(n2) Õ(n)
![Page 46: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/46.jpg)
Part 4.
1-Element Cryptosystem Based on
Learning With Errors over Rings and
Worst-Case Ideal Lattice Problems
[Stehle, Steinfeld 2011]
![Page 47: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/47.jpg)
Number of Ring Elements
a s t r a u
r t v
+ +
+
= =
=
u v + mp
2,
Can you have a ciphertext with just 1 ring element?
Encryption of m:
![Page 48: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/48.jpg)
Stehle, Steinfeld Cryptosystem
f
ga a r + +mu 2=
u g r + + m2 f g g=
u g mod 2 = mg
u g mod 2=
gm
=
Uniformly random Pseudorandom based on Ring-
LWE
mod p
mod p
“small” coefficients
![Page 49: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/49.jpg)
Part 5.
NTRU Cryptosystem
[Hoffstein, Pipher, Silverman 1998]
![Page 50: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/50.jpg)
NTRU Cryptosystem
f
ga a r + +mu 2==
“looks” random If a is random, then pseudorandom based on Ring-LWE
f g - Very small
u g r + + m2 f g g=
mod p
mod p
Since f, g are smaller, p can be smaller as well
![Page 51: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/51.jpg)
(Textbook) NTRU Cryptosystem / Trap-Door
Function
f
ga=
f g - Very small
u g r + m2 f g=
mod p
a r +mu 2= mod p
u g mod 2 = mg
u g mod 2=
gm
![Page 52: Lattice-Based Cryptography: From Practice to Theory to Practice Vadim Lyubashevsky INRIA / CNRS / ENS Paris (September 12, 2011)](https://reader035.fdocuments.fr/reader035/viewer/2022081417/56649eca5503460f94bd7aaf/html5/thumbnails/52.jpg)
Thanks, eh!