Post-Quantum Cryptography Notes

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Designing cryptosystems that can run on today's classical computers and are secure against quantum attacks.

What's the rush in developing post-quantum cryptosystems?

Big QCs probably won't exist at a commercial level for several years, however :
- Harvesting Attacks: SNDL (Store Now Decrypt Later), Attackers all over the world are currently following this attacks strategy where they are storing today's cipher texts and public keys and are in hopes of performing a brute force attack, once QCs are a common thing, and are commercially available.
- Rewriting Past Timestamps (fork history and rewrite transactions that happened in the past thereby, making blockchains mutable)
- Deploying new cryptography at scale takess about 10 years.

Lattices

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Why Lattices?

Linear and highly parallelizable by the computer.
Resists quantum attacks (till now)
Security from mild worst-case hardness assumptions (this means that these cryptosystems exhibit random-instances of hardness, based on the fact that there exists hard instances).
Solutions to some amazing cryptosystems till date like Fully Homomorphic Encryption.

What is a Lattice?

A periodic grid in
$Z_{m}$ . (Formally: a full-rank additive group.)

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

This diagram represents a 2-dimenstional lattice for the viewer's simplicity.

It consists of a basis, a basis is a set of

m

linearly independent vectors, which generates a lattice via all integer-based linear combinations.

Basis
$B = {b_{1}, b_{2}, . . ., b_{m}}$ : such that

$L = \sum_{i = 1}^{m} (Z . b_{i})$

So before we start doing linear combinations, we can picturise the vectors so be arranged like this:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Basis are not unique, there are different vectors forming a differemt basis, thereby constructing the same lattice, for example, differing from the previous set of vectors, if you look at this, it surprisingly builds the same lattice!

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Some Hard Lattice Problems

Find/detect short nonzero lattice vectors: (Gap)SVP
$γ$ (Shortest Vector Problem), SIVP
$γ$ (Shortest Independent Vector Problem).
For
$γ = p o l y (m)$ , appears to require
$2^{Ω (m)}$ time and space, even by the QC.

Note that

γ

here is the approximation factor, so in real life, probably one doesn't need to exactly find the shortest vector, and can simply compute a vector in the factors of

γ

The approximation factor can also be dependent on the dimension we are dealing with, hence,

γ = p o l y (m)

means where

γ

is a polynomial in the dimension (degree for newbies)

m

Lastly, as the approximation factor

γ

grows, the problem becomes easier. As the nature of what an expected solution is grows largely.

Why Shor's algorithm doesn't work here?

Shor's algorithm specializes in finding group structures explicitly, which means, suppose a problem talks about a mathematically defined lattice, using Shor one can construct that lattice explicity, but not perform geometric computations within that lattice, especially in

p o l y

time.

Here, the SVP

γ

is a geometric problem within that lattice, hence, it is extremely hard to find out the specific geometric pattern in terms of the SVP

γ

Hence, we can say that lattice problems typically fall into the complexity class, where everything depends on the degree of

γ

Usually, if the

γ

is a constant, it usually falls into NP-Complete, however for a

γ

bigger than the square root of the dimension, the complexity class is usually somewhere in

N P \cap C o - N P

Some Harder Problems : Foundations & Digital Signatures

A Hard Problem: Short Integer Solution `[Ajtai`96]`

$Z_{q}^{n}$ =
$n$ dimensional integer vectors modulo
$q$ .
GOAL: find a non-trivial
$z_{1}, z_{2}, . . ., z_{m}$
$\in$
${0, \pm 1}$ such that:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

In simpler terms, goal is to find a non-trivial "short"
$z \in Z^{m}, | | z | | \leq β ≪ q$ such that:

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Here,

| | z | |

denotes the Euclidean Norm of

z

Converting this into a Collision-Resistant Hash Function

Set
$m > n l o g_{2} q$ . Define "compressing"
$f_{A} : {0, 1}^{m} \to Z_{q}^{n}$ . Hence the function is simply defined as:

f_{A} (x) = A . x

Collision: let
$x, x^{'} \in {0, 1}^{m}$ where
$A x = A x^{'}$ , then
$A (x - x^{'}) = 0$ , this yields us a short solution
$z = x - x^{'} \in {0, 1}^{m}$ .

Hence the Euclidean norm of this

| | z | |

is atmost

\sqrt{m}

Correlation of the Short Integer Solution with Lattices

$A \in Z_{q}^{n \times m}$ defines a '
$q - a r y$ ' lattice:

L (A) := {z \in Z^{m} : A z = 0} \supseteq q Z^{m}

Here '

q - a r y

' means

q \times a n y i n t e g e r

will be inside the lattice. And hence, the short solutions

z

lie in the enclosed circle inside the lattice. Refer to the diagram below, this enclosed circle indeed behaves as the Shortest Vector.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Hence, the short solutions lie in this enclosed circle.

Worst to Average Case Reduction [Ajtai'96…]

Finding "short" (

| | z | | \leq β ≪ q

) nonzero

z \in L (A)

(for uniformly random

A \in Z_{q}^{n \times m}

), then it implies that GapSVP

β \sqrt{n}

is also solvable on any n-d lattice. –-(1)

This statement in Lattice Cryptography is known as a randomized cousin reduction problem.

Here

β

again acts as an approximation factor for the shortest vector, which means that the more we relax

β

we will be facing worse-approximation problems in the worst-case to average-case scenario.

Hence, for an instance here if

β

is a polynomial, then

β \sqrt{n}

is also a polynomial, and then the problem would indeed be considered as a hard problem.

How is the
$β$ value even deduced?

Honestly, it's reverse-engineered, hit experimenting, it's regarded as the smallest value that we can get away with.

If the domain for 'short'

z \in Z^{m}

, then the value of

β

at the worst-case is

\sqrt{m}

Now we can simply plug in the value of

β

into eq –-(1) and deduce the worst-case time complexity.

How is the self-reduction problem stated here different from the self-reduction problem stated in Discrete Log?

In discrete log, self-reduction can be defined in the following way.

If a problem's discrete log can be computed in
$p o l y t i m e ()$ under the group
$g$ . Then the discrete log of a similar problem can also be solvable in
$p o l y t i m e ()$ under the same group
$g$ .

In lattice problems, however, these things work differently, first of all because in the cousin-reduction statement, the 2 problems may or may not be in the same group

g

If the groups were definitely same like the ones' in discrete log, then the QC would likely have an easy time, figuring out all the factors of a certain number in that group, in about

p o l y t i m e ()

Applications of this Lattice Theory in Digital Signatures.

Application: [GentryPeikertVaikuntanathan'08]

Generate uniform
$v k = A$ such that with a secret trapdoor
$s k = T$ .

As we discussed before, in a digital signature, we just need to generate a public key and a private key, here, the following are a basically a uniformly random matrix

A

and

T

respectively.

Hence, just to reiterate,

T

will be my secret signing key and

A

will be viewing key that I give out to the public.

Sign(
$T, μ$ ) and use
$T$ to sample a short
$z \in Z^{m}$ s.t.
$A z = H (μ) \in Z_{q}^{n}$ .

So to boil it down we first use as a hash function H to map the hidden message

μ

to a vector in

Z_{q}^{n}

Then we use the secret key to sample a short solution

z

In simpler context, we draw

z

such that it reveals nothing about the secret key or basically the trapdoor, here that is

T

For visualising the distribution, and the algorithm is supposed to sample random

z

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Verify (
$A, μ, z$ ), checking that
$A z = H (μ)$ and
$z$ is sufficiently short.

The verifier redoes the computation of

H (μ)

and checks it's equality with

A z

. In real life we deduce the value of

H (μ)

using a random oracle, ideally, it's a encrypted by a collision-resistant hash function, usually sha-2 or sha-3.

Security Breach: forging a signature for a new message
$μ *$ requires finding short
$z$ st
$A z * = H (μ *)$ . This is indeed computationally hard to find.

There is still indeed a chance of a security vulnerability, that is, when Alice signs the message multiple times.

In that case, for the same

H (μ)

, multiple

m a t h b b z

values are getting leaked.

Hence, for every sign try, there's a new

z

, that gets generated, so we can write down the equations like:

A z = H (μ) - (1)

and

A z^{'} = H (μ) - (2)

therefore, rearranging we get:

A (z^{'} - z) = 0 - (3)

This is a really harmful step here, as this signifies giving away short vectors in the A lattice.

One of the ways to mitigate this problem is to add a salt to the hash-function, so that every time we sign we are essentially hashing a different number.

Today's lattice-based digital signatures: Falcon [FHK + '17], Dilithium [DKL + '17]

Refinements for the components of the framework:

Generating a "hard" lattice/trapdoor pair:

The key question is that is it hard to decode within the threshold distance on lattices produced.

Gaussian lattice sampling

Falcon uses these to get the smallest vk+sig size, also with very fast verification.

Dilithium uses a technique called "Fiat Shamir with Aborts", a very simple signing algorithm.

However, Dilithium assumes that SIS is quantumly hard for solution norm

≲ q

l_{\infty}

norm, apart from just the eucludian norm.

The other security concern is that Dilithium does have a security proof where the Hash function is verified that it is truly random (Random Oracle).

Public Key-Encryption using Lattices

Learning With Errors [Regev'05]

Parameters: dimension
$n$ , modulus
$q$ , error distribution
Goal: find the secret vector
$s$ which is chosen at random such that
$s \in Z_{q}^{n}$ , given many noisy inner products.

a_{1} \leftarrow Z_{q}^{n}, b_{1} \approx < s, a_{1} > m o d q

a_{2} \leftarrow Z_{q}^{n}, b_{2} \approx < s, a_{2} > m o d q

....

We can see that the secret

s

remains the same in the inner products, but we use the

\approx

symbol to indicate the noisy-ness.

Therefore, if we want to further refine the equation, then a good representation shall look like:

a_{1} \leftarrow Z_{q}^{n}, b_{1} = < s, a_{1} > + e_{1} \in Z_{q}

a_{2} \leftarrow Z_{q}^{n}, b_{2} = < s, a_{2} > + e_{2} \in Z_{q}

....

Where,

e_{1}

and

e_{2}

are picked up from a Gaussian distribution of errors.

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

here,

\sqrt{n}

is the standard deviation of the error, and

q

as we know is the prime modulus.

also, the rate, also called the error rate is denoted as:

r a t e (α) = \frac{\sqrt{n}}{q}

The

A

matrix states uniformly random

a_{i}

vectors that are horizontally stacked sideways to each other. Hence,

s^{t} A

is the linear combination of the

A

with

b^{t}

provided there's an extent of error

e_{i}

among the inner products of these matrices.

Decision: to distinguish between (A, b) from uniformly independent (A, b) with no errors in their inner products.

Hardness of LWE

(

\frac{n}{α}

)-approx worst case lattice problems

\leq

search-LWE

\leq

decision-LWE

\leq

crypto

If we have an algorithm that can solve a search-LWE problem, then one can convert this algorithm into an algorithm that solves worst case lattice problems that has (

\frac{n}{α}

) approximation factors.

α

again is the error rate here, which is the fraction of the cycle covered by the error here. However, (

\frac{n}{α}

) states that the approximation factor that we have here kind of grows inversely with

α

Hence, when the error rate narrows, the approximation factor worsens, thereby the problem becomes more relaxed. Smaller error rate gives us a weaker guarantee for the worst case lattice problem.

Moreover, being unable to solve Decision-LWE with quantum also implies being unable to solve Search-LWE with quantum. Thus, coming to the last piece of the puzzle, that is most Post-Quantum Cryptosystems are built based on the fact that decision-LWEs are hard to solve by a quantum computer.

A Learning with errors problem can be called a
dual to a Short Integer Solutions problem. We use the word dual because they share the same strong mathematical foundation.

Let

L (A) = {z^{t} \equiv s^{t} A m o d q}

Given

A

and

b \approx s A

, find

s

Here is a diagrammatic representation

Image Not Showing Possible Reasons

The image was uploaded to a note which you don't have access to
The note which the image was originally uploaded to has been deleted

Learn More →

Here we can see that

b

is not exactly where we want it to be, but it's close enough in the neighbourhood, within the approximation factor

γ

, in terms of SIS.

However, in terms of LWE, we call this a Bounded-Distance Decoding (BDD

$_{α}$ ), where the given target is '

α

-far' from a lattice point. Our task is to find that point.

The difference between LWE and BDD is that in LWE the inputs are generated from a Gaussian Distribution of points. Whereas in BDD, the lattice, the inputs as well as the targets could be anything and anywhere. Hence BDD is more like a worst-case scenario for LWE.

Regev's Theorem

Statement: If we have an algorithm that solves BDD

_{α}

on an arbitrary lattice

L

, then have a quantum procedure then there exists an algorithm that samples '

(1 / α)

-short' points from a dual lattice

L^{*}

. The length of that Gaussian is inversely related to the relative distance of

α

Further into Dilithium

Some interesting features:

Recommended Paramters, Public key size 1.5 KB, signature size 2.7 KB (recommended parameters).
Design of Dilithium is based on Fiat Shamir with Aborts technique.
Uses singature compression algorithms, to send signatures that are 50% smaller.
Latest specs of Dilithium consists of compression of the public key, thereby making it 60% smaller.
Hardness of the underlying problem is neither based on Learning with Errors nor Short Integer Solutions problem, it's based on something that keeps interpolating between the 2, hence it's called Module LWE.

Principal design patterns of TrueID-Q, based on Dilithium

Easy to implement securely as it does not involve any Gaussian sampling.
Total size of public key + signature is relatively small. Although among the other NIST PQC algorithms, Falcon is smaller.
Parameters on Dilithium are chosen very conservatively, so that future developments can take place easily.
Using Module-LWE/SIS allows us to work over the same small ring for all security levels, arithmetics need to be optimized only once and for all.

Choosing such a Ring

Strategy: Choosing the smallest ring dimension n such that it gives the main advantages of Ring LWE.

Dimensions: 256 is sufficiently large enough to get a large set of small norm challenges.

Fully splitting prime q allows for NTT-based mutliplications.

R = Z_{2^{23} + 2^{13} + 1} [X] / (X^{2} 56 + 1)

Main Algorithm

Key Generation

A \leftarrow R^{5 \times 4} S_{1} \leftarrow S_{5}^{4}, S_{2} \leftarrow S_{5}^{5} t = A s_{1} + s_{2} p k (A, t), s k = (A, t, s_{1}, s_{2})

Verification

c^{'} = H (H i g h (A z - c t), M) I f | | z | |_{\infty} > γ - β a n d c^{'} = c, a c c e p t

Signing

y \leftarrow S_{γ}^{4} w = A y c = H (H i g h (w), M) \in B_{60} z = y + c s_{1} I f | | z | |_{\infty} > γ - β o r | | L o w (w - c s_{2} | |_{\infty} > γ - β, r e s t a r t s i g = (z, c)

Post-Quantum Cryptography Notes

Designing cryptosystems that can run on today's classical computers and are secure against quantum attacks.

What's the rush in developing post-quantum cryptosystems?

Lattices

Why Lattices?

What is a Lattice?

Some Hard Lattice Problems

Why Shor's algorithm doesn't work here?

Some Harder Problems : Foundations & Digital Signatures

A Hard Problem: Short Integer Solution [Ajtai96]`

Converting this into a Collision-Resistant Hash Function

Correlation of the Short Integer Solution with Lattices

Worst to Average Case Reduction [Ajtai'96…]

How is the β value even deduced?

How is the self-reduction problem stated here different from the self-reduction problem stated in Discrete Log?

Applications of this Lattice Theory in Digital Signatures.

Application: [GentryPeikertVaikuntanathan'08]

Today's lattice-based digital signatures: Falcon [FHK + '17], Dilithium [DKL + '17]

Public Key-Encryption using Lattices

Learning With Errors [Regev'05]

Hardness of LWE

Regev's Theorem

Further into Dilithium

Some interesting features:

Principal design patterns of TrueID-Q, based on Dilithium

Choosing such a Ring

Main Algorithm

Key Generation

Verification

Signing

Read more

PeerDAS POC To-do list

A Path-based approach of Nimbus-Eth1 for Kaustinen

EPF Update 12 and 13

EPF Update 10&11 - In Math we Trust

A Hard Problem: Short Integer Solution `[Ajtai`96]`

How is the
$β$ value even deduced?