2. Quick recap of Linear Algebra and Vector Spaces
❖ A vector space V is a subset of $\mathbb{R}^n$ with the
property that $\alpha_1 v_1 + \alpha_2 v_2 + \dots + \alpha_m v_m \in V$
for a given $v_1, v_2, \dots, v_m \in V$ and all
$\alpha_1, \alpha_2, \dots, \alpha_m \in \mathbb{R}$, where $m \le n$.
❖ Let $v = (x_1, \dots, x_m) \in V \subset \mathbb{R}^m$; then the Euclidean
norm of v is defined as
$\|v\| = \sqrt{x_1^2 + \dots + x_m^2}$.
3. What is a Lattice?
❖ A basis for L is any set of independent vectors that
generates L.
❖ The dimension of L is the number of vectors in a basis for L.
4. Properties of Lattices
❖ An Integer lattice is a lattice all of whose vectors have
integer coordinates.
❖ Any two bases for a lattice L are related by a matrix having
integer coordinates and determinant equal to ±1.
5. Hadamard Ratio
0 < H(B) ≤ 1; the closer the value tends to 1, the more orthogonal the
vectors in the basis.
We use Hadamard ratio to differentiate between a good basis and a
bad basis.
6. Good Basis Vs Bad Basis
❖ A good basis is one which has nearly orthogonal vectors, i.e. a
Hadamard ratio close to 1.
❖ A bad basis is one having a Hadamard ratio close to 0.
9. Hard problems on lattices
Note:
❖ No polynomial-time algorithm is known for
approximating the CVP in $\mathbb{R}^n$ to within a polynomial
factor of n.
❖ Best known polynomial time algorithms were based on
LLL.
❖ Babai proved that CVP in $\mathbb{R}^n$ can be approximated to a
factor of $2^{n/2}$.
11. Cryptosystems based on hard Lattice Problems
Some of the initial ones are:
➔ Ajtai-Dwork Cryptosystem.
➔ GGH Cryptosystem by Goldreich, Goldwasser, Halevi.
➔ NTRU cryptosystem by Hoffstein, Pipher and Silverman.
12. GGH Cryptosystem
● Based on the problem of finding the lattice point
closest to a given vector (CVP).
● Security Parameter - n = dimension of the
lattice
● Threshold Parameter - σ = bound on error
vector
● Private Key - Good basis of lattice.
● Public Key - Bad basis of the same lattice
14. Private Key(R) Generation
❖ Choosing a random lattice
➢ R’, an n×n matrix, is chosen uniformly at random
from $\{-l, \dots, l\}^{n \times n}$ for some
integer bound l.
➢ l had no effect on the basis, so a small value is chosen (±4).
❖ Choosing an almost rectangular lattice
➢ Start with kI and add the “noise” generated above.
❖ R = R’ + kI
Experimentally, we get the best parameters when k ≈ l√n.
15. Public Key(B) Generation
❖ R is multiplied by a few random unimodular matrices.
❖ $B = R \cdot T_1 \cdot T_2 \cdots$
❖ Each $T_i = L_i \cdot U_i$, where
➢ $L_i$ and $U_i$ are lower and upper triangular matrices.
➢ Each diagonal element of $L_i$ and $U_i$ is ±1.
➢ The other non-zero elements can be chosen at random;
for experiments they chose from {-1,0,1}.
❖ Multiplying R by at least 4 transformations is required to
prevent an attack using the LLL lattice reduction algorithm.
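The two key-generation slides above, as an added example (not code from the slides or from the GGH authors): it builds R = R’ + kI, mixes it with unimodular matrices T_i = L_i·U_i, and compares the Hadamard ratios of the private and public bases. It follows the slide's B = R·T convention, so basis vectors are the columns; the function names, the seed and the toy dimension n = 8 are assumptions, and the ratio uses the standard definition (|det| / product of vector norms)^(1/n).

```python
import math, random
from fractions import Fraction

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def abs_det(M):
    """|det M|, exact, by Gaussian elimination over the rationals."""
    M = [[Fraction(x) for x in row] for row in M]
    d = Fraction(1)
    for i in range(len(M)):
        p = next((r for r in range(i, len(M)) if M[r][i] != 0), None)
        if p is None: return Fraction(0)      # singular: not a basis
        M[i], M[p] = M[p], M[i]
        d *= M[i][i]
        for r in range(i + 1, len(M)):
            f = M[r][i] / M[i][i]
            M[r] = [x - f * y for x, y in zip(M[r], M[i])]
    return abs(d)

def hadamard_ratio(M):
    """(|det M| / product of column norms)^(1/n); columns are the basis vectors."""
    norms = math.prod(math.sqrt(sum(x * x for x in col)) for col in zip(*M))
    return (float(abs_det(M)) / norms) ** (1 / len(M))

def triangular(n, lower, rng):
    """Triangular matrix: +-1 on the diagonal, {-1,0,1} on the kept side."""
    return [[rng.choice((-1, 1)) if i == j
             else rng.choice((-1, 0, 1)) if (j < i) == lower else 0
             for j in range(n)] for i in range(n)]

def private_basis(n, l, rng):
    """R = R' + kI with R' uniform in {-l..l} and k ~ l*sqrt(n)."""
    k = round(l * math.sqrt(n))
    return [[rng.randint(-l, l) + (k if i == j else 0) for j in range(n)]
            for i in range(n)]

def public_basis(R, rounds, rng):
    """B = R.T1.T2...; each Ti = Li.Ui is unimodular (det +-1)."""
    B, n = R, len(R)
    for _ in range(rounds):
        B = matmul(B, matmul(triangular(n, True, rng), triangular(n, False, rng)))
    return B

if __name__ == "__main__":
    rng = random.Random(2024)                 # demo only; real keys need a CSPRNG
    R = private_basis(8, 4, rng)
    B = public_basis(R, 4, rng)
    print(f"H(R) = {hadamard_ratio(R):.3f}   H(B) = {hadamard_ratio(B):.3f}")
```

Because every T_i has determinant ±1, |det B| equals |det R|, so the drop in the Hadamard ratio comes entirely from the longer, less orthogonal columns of B.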
16. Cryptanalysis - GGH Cryptosystem
Following are the attacks on GGH cryptosystem
❖ From the original paper by GGH
➢ The Round-off Attack
➢ The Nearest-plane Attack
➢ The embedding Attack
❖ From Phong Nguyen which led to the failure
of this system
➢ Based on Leaking Remainders
17. Embedding Attack
● Embed n basis-vectors and the point c (for
which we want to find the closest lattice point)
in an (n+1) dimensional lattice.
● After embedding, lattice
reduction algorithms are used to
find the shortest non-zero vector in L(B’).
● This heuristic works up to dimensions 110-120.
18. Nguyen’s Attack
● Let (n, σ) be as already defined and let B be the public
basis.
● Assume message $m \in \mathbb{Z}^n$ is encrypted into
ciphertext $c \in \mathbb{Z}^n$ with B.
● There is an error vector $e \in \{\pm\sigma\}^n$ such that
c = mB + e
19. Nguyen’s Attack
Leaking Remainders:
c = mB + e
Consider $s = (\sigma, \dots, \sigma) \in \mathbb{Z}^n$, then we have
$e + s \equiv 0 \pmod{2\sigma}$
⇒ $c + s \equiv mB \pmod{2\sigma}$
If we can solve the above equation, we get m
modulo 2σ, denoted by $m_{2\sigma}$.
20. Nguyen’s Attack
Simplifying the CVP:
Once we get $m_{2\sigma}$, observe that $m - m_{2\sigma} = 2\sigma m'$
for some $m' \in \mathbb{Z}^n$.
c = mB + e
⇒ $c - m_{2\sigma}B = (m - m_{2\sigma})B + e$
⇒ $c - m_{2\sigma}B = 2\sigma m'B + e$
⇒
21. Nguyen’s Attack
In the above equation, the LHS is known. So, the
new problem reads as a Closest Vector Problem
(CVP) for which the error vector is $e/2\sigma \in \{\pm\tfrac{1}{2}\}^n$.
Observe that this is a simpler CVP for which error
vectors have entries ±½, so traditional
methods like embedding are more likely to
work now that the error vector is smaller.
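The leaking-remainder step and the simplified CVP from the Nguyen's Attack slides, carried through on a toy instance as an added example (not code from the slides or from Nguyen's paper). It shows why an error vector restricted to {±σ}^n gives away m mod 2σ from public data alone; the 3×3 basis, message and error are constructed, the function names are hypothetical, and it assumes det(B) is invertible modulo 2σ (the slide's "if we can solve the above equation").

```python
from fractions import Fraction

def det(M):
    """Exact integer determinant by cofactor expansion (fine for small n)."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([r[:j] + r[j + 1:] for r in M[1:]])
               for j in range(len(M)))

def inverse_mod(B, N):
    """B^-1 mod N via the adjugate; ValueError if det(B) is not a unit mod N."""
    n = len(B)
    d_inv = pow(det(B) % N, -1, N)
    minor = lambda i, j: [r[:j] + r[j + 1:] for k, r in enumerate(B) if k != i]
    return [[(-1) ** (i + j) * det(minor(j, i)) * d_inv % N for j in range(n)]
            for i in range(n)]

def vec_mat(v, M):
    return [sum(x * row[j] for x, row in zip(v, M)) for j in range(len(M[0]))]

def encrypt(m, B, e):
    """c = mB + e with every entry of e equal to +sigma or -sigma."""
    return [x + y for x, y in zip(vec_mat(m, B), e)]

def leak_remainder(c, B, sigma):
    """m mod 2*sigma from public data only: (c + s) = mB (mod 2*sigma)."""
    N = 2 * sigma
    rhs = [(ci + sigma) % N for ci in c]
    return [x % N for x in vec_mat(rhs, inverse_mod(B, N))]

def reduced_target(c, B, sigma, m_mod):
    """(c - m_mod.B) / (2*sigma) = m'B + e/(2*sigma): the error is now +-1/2."""
    shifted = [ci - x for ci, x in zip(c, vec_mat(m_mod, B))]
    return [Fraction(x, 2 * sigma) for x in shifted]

# Constructed sample: toy 3x3 public basis with det 179 (a unit mod 6), sigma = 3.
B = [[7, 1, 0], [0, 5, 1], [4, 0, 5]]
SIGMA = 3

if __name__ == "__main__":
    c = encrypt([13, -8, 21], B, [3, -3, 3])   # constructed message and error
    m_mod = leak_remainder(c, B, SIGMA)
    print(m_mod, reduced_target(c, B, SIGMA, m_mod))
```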
22. Advantages of Lattice Cryptography
❖ Shor’s algorithm (which runs on a quantum
computer) can break public-key cryptographic
systems which rely on the integer factorization problem or
the discrete logarithm problem
❖ Lattice based cryptography provides one of the best
alternatives for post-quantum cryptographic systems
❖ Most of lattice based cryptographic constructions are
believed to be secure against attacks using either
conventional or quantum computers
23. Disadvantages of Lattice Cryptography
❖ NTRU based schemes are practical and efficient to
implement but lack proof of security
❖ Theoretical schemes like matrix based learning with
errors offer strong security proof but use impractically
large key sizes for general use
❖ Since current publicly known experimental quantum
computing is nowhere near powerful enough to attack real
cryptographic systems, lattice-based schemes are not
used much in practice
24. Recent Developments
❖ Research has been done on trying to merge NTRU
family algorithms and LWE (Learning with error)
schemes
❖ This class of algorithms is called learning with errors
designs over rings, which offer very efficient
computation, moderate key sizes and strong proof of
security
25. References
❖ An Introduction to Mathematical Cryptography by Jeffrey Hoffstein,
Jill Pipher, Joseph H. Silverman
❖ Public-key cryptosystems from lattice reduction problems by Oded
Goldreich, Shafi Goldwasser, Shai Halevi
❖ Cryptanalysis of the Goldreich-Goldwasser-Halevi Cryptosystem from
Crypto ’97 by Phong Nguyen
❖ http://www.math.uni-bonn.de/~saxena/courses/WS2010-ref5.pdf
❖ http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf
❖ https://www.sav.sk/journals/uploads/0114115305BCKSS.pdf