Okay, so as I was just saying to Bjorn today, finally, I think we got all the electronics working. To start with, okay, so: welcome to lecture number five, Lattices and Lattice-Based Crypto. Today we're going to talk about digital signatures that use lattices, and as you'll see, at some point I'm actually going to leave some of it for you to read about in the exercises, because I decided to concentrate on one aspect of digital signatures that only applies to signatures, not to encryption schemes, and it's kind of an interesting problem that took a long time for people to figure out how to solve.

So, just to remind you from Wednesday what a digital signature scheme is: it consists of two algorithms, a signing algorithm and a verification algorithm. The signing algorithm takes as input Alice's private signing key and the document she wants to sign. Normally it's actually a hash of the document, but I'll ignore that. And the output is Alice's signature on that document. Then Bob, when he wants to check that Alice's signature is valid, uses the verification function. Its input is Alice's public key, which everyone knows, the signature that came out of the signing algorithm, and the document, of course, the one that you want to check. And the output is simply a yes or no: yes, the signature is valid;
no, the signature is not valid. And the crucial property is that if you take a public key, a private key and a document, and the public key actually is associated to that private key, then the verification says that the signature is correct, is valid, if and only if the signature came from signing the document with Alice's private key.

I already discussed digital signatures using integer factorization, the RSA version, and using discrete logs, which was that slightly complicated but interesting system. So today I want to discuss signatures that are based on the closest vector problem, really, and the prototypical scheme is, as with the encryption scheme, sort of the straightforward GGH digital signature. And when I talked about digital signatures, I think I briefly mentioned this, or not. Oh, actually, I think I didn't mention it. But let's go over it anyway. This is how GGH would work.

The private key, Alice's private key, is a good basis for her lattice. As I said, you can produce a basis that's good enough just by taking the coordinates of each of the n vectors to be random numbers in some range, and you'll pretty certainly get a non-trivial lattice, and that basis will be reasonably good. And then she takes some big linear combinations, integer linear combinations, of her good basis to create a bad basis, and she publishes that. That's her public key.

And what's her document? Well, the document she signs is a vector. Well, I said "not in L"; what I really mean is it's just a random vector in space somewhere. Okay, and Alice is going to try to solve CVP, or at least approximately solve it. Okay, is her document really a vector like that? Suppose she's signing a PDF file. No, a PDF file doesn't look like a vector in n-dimensional space. She runs the file through a hash function whose output is, is, is sort of random-ish looking vectors. Okay, so this is the thing about using hashes. Okay, so how does Alice sign this document?
Well, she has the good basis, and remember Babai's algorithm, which essentially is... well, it's up here again, so I'll remind you about it. But she uses her good basis, and Babai's algorithm does pretty well at finding a nearby lattice point to the target vector. What she does is she takes the target vector and writes it as a linear combination of her good basis, just using real, or probably rational numbers or real numbers, whatever. So this is just a linear algebra problem. It's inverting a matrix, or not even that hard; it's doing Gaussian elimination to solve a system of linear equations. So D is exactly equal to this linear combination, but the deltas are not integers. So she rounds each of them to the nearest integer. That's Babai's algorithm, and the s that she gets will be a lattice point, clearly. It's an integer linear combination of the basis vectors, and it will be fairly close to D. The more orthogonal her basis, the closer it'll be, but it'll be pretty good.

And her signature is this vector s. She needs to tell Bob and the whole world this vector s without revealing her good basis, and she does that by expressing s using the bad basis. Again, that's just a linear algebra problem, undergraduate linear algebra. You're solving a system of linear equations; it's pretty quick. And her signature is then the n-tuple of coefficients here. Remember, the w's are already in the public domain; those are Alice's public key. So Bob just needs the s_i's, which are numbers, to reconstruct s. I'll mention that the signatures here actually aren't that big; they're just n numbers. It's the public key that's large, because the public key is the w vectors, so you need n vectors each with n coordinates. So in terms of signature size GGH actually isn't that bad, but the public keys are pretty big. And how does Bob check?
Well, he uses the s_i's and the public w's to reconstruct s, and then he checks that s is sufficiently close to D. Now, so the words "sufficiently close" are not rigorous mathematical terms, but what that really means depends on the parameters, you know: what n is, how big the coordinates of the basis vectors that you chose originally were, and stuff like that. But you can do an analysis, and it's a little delicate, because what you need to do is do an analysis that says: using Babai's algorithm with the good basis, the s and the D should be this close, but even using something like L³, Eve cannot find a vector in the lattice close enough to this to satisfy this closeness condition. Okay, so "sufficiently close": the bounds need to be set fairly delicately, and I'm completely sloughing over that. That's the practical implementation, and it's important, and if we had another week I could run you through it, but we don't.

Okay, what are some security issues? Anytime you create a public key system or a digital signature system, you want to go through and check how Eve is going to attack this, because remember what I said: cryptanalysts use every trick in the book that they can, and there's some standard things that they try first. The first is what's usually called a combinatorial attack, which means, well, Alice chose a public key, right? Let's just check all possible... I mean, Alice chose a private key.
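The signing and verification procedure described above, worked through as an added toy example in Python. This is not code from the lecture: the dimension, the coordinate ranges, the hash-to-vector mapping, the way the bad basis is produced and the acceptance bound are all constructed here for illustration and are far too small to be secure. The acceptance bound is the one Babai's rounding guarantees for the good basis, (1/2)·Σ|v_i|, bounded above using the coordinate range, so an honest signature always verifies.

```python
import hashlib
import random
from fractions import Fraction

# Toy parameters, constructed for this example (real GGH used n in the hundreds).
N = 4                 # lattice dimension
GOOD_COORD = 50       # good-basis coordinates are drawn from [-GOOD_COORD, GOOD_COORD]
HASH_COORD = 10**6    # hashed documents land in [-HASH_COORD, HASH_COORD]^N
# Babai's rounding with basis v_1..v_n guarantees |s - d| <= (1/2) * sum|v_i|, and each
# |v_i| <= GOOD_COORD*sqrt(N), so this public squared bound always accepts honest signatures.
DIST_BOUND_SQ = (N * GOOD_COORD) ** 2 * N / 4


def hash_to_vector(doc):
    """Map a document to the integer target vector d (the 'random-ish vector' of the lecture)."""
    digest = hashlib.shake_256(doc).digest(8 * N)
    return [int.from_bytes(digest[8 * i:8 * i + 8], "big") % (2 * HASH_COORD + 1) - HASH_COORD
            for i in range(N)]


def solve_coefficients(basis, target):
    """Exact rationals c with sum(c[i] * basis[i]) == target, by Gauss-Jordan elimination."""
    n = len(basis)
    # Column j of the matrix is basis vector j; the last column is the right-hand side.
    rows = [[Fraction(basis[j][i]) for j in range(n)] + [Fraction(target[i])] for i in range(n)]
    for col in range(n):
        pivot = next((r for r in range(col, n) if rows[r][col] != 0), None)
        if pivot is None:
            raise ValueError("basis vectors are linearly dependent")
        rows[col], rows[pivot] = rows[pivot], rows[col]
        inv = 1 / rows[col][col]
        rows[col] = [x * inv for x in rows[col]]
        for r in range(n):
            if r != col and rows[r][col] != 0:
                f = rows[r][col]
                rows[r] = [a - f * b for a, b in zip(rows[r], rows[col])]
    return [rows[i][n] for i in range(n)]


def combine(coeffs, basis):
    """Return sum(coeffs[i] * basis[i]), coordinate by coordinate."""
    return [sum(c * v[k] for c, v in zip(coeffs, basis)) for k in range(N)]


def dist_sq(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))


def random_good_basis(rng):
    """Private key: N vectors with small random coordinates; retry if they are dependent."""
    while True:
        basis = [[rng.randint(-GOOD_COORD, GOOD_COORD) for _ in range(N)] for _ in range(N)]
        try:
            solve_coefficients(basis, [0] * N)
            return basis
        except ValueError:
            continue


def scramble_basis(good, rng, rounds=30):
    """Public key: the same lattice, but a bad basis, obtained by repeatedly adding an
    integer multiple of one basis vector to another (a unimodular change of basis)."""
    bad = [row[:] for row in good]
    for _ in range(rounds):
        i, j = rng.sample(range(N), 2)
        k = rng.choice([-3, -2, -1, 1, 2, 3])
        bad[i] = [a + k * b for a, b in zip(bad[i], bad[j])]
    return bad


def keygen(seed=1):
    rng = random.Random(seed)
    good = random_good_basis(rng)
    return good, scramble_basis(good, rng)


def babai_round(basis, target):
    """Babai's rounding: write target in the basis, round each coefficient, recombine."""
    rounded = [round(c) for c in solve_coefficients(basis, target)]
    return combine(rounded, basis)


def sign(good_basis, bad_basis, doc):
    """Signature = coefficients of the Babai point s with respect to the PUBLIC basis."""
    s = babai_round(good_basis, hash_to_vector(doc))
    coeffs = solve_coefficients(bad_basis, s)  # integers, since s is in the lattice
    assert all(c.denominator == 1 for c in coeffs)
    return [int(c) for c in coeffs]


def verify(bad_basis, doc, sig):
    """Rebuild s from the public basis; accept iff it is within the public bound of hash(doc)."""
    d = hash_to_vector(doc)
    return dist_sq(combine(sig, bad_basis), d) <= DIST_BOUND_SQ


if __name__ == "__main__":
    good, bad = keygen()
    doc = b"constructed sample document"
    sig = sign(good, bad, doc)
    d = hash_to_vector(doc)
    print("signature:", sig)
    print("verifies:", verify(bad, doc, sig))
    print("tampered document verifies:", verify(bad, b"tampered", sig))
    print("signer's |s-d|^2:", dist_sq(combine(sig, bad), d), "bound:", DIST_BOUND_SQ)
    # Eve, holding only the bad basis, typically rounds to a point nowhere near d.
    print("Eve's |s-d|^2 with the public basis:", dist_sq(babai_round(bad, d), d))
```

The signature is just N integers while the public key is N×N integers, which is the size asymmetry the lecture points out; the last print shows why the bound has to be set with care, since the verifier cannot tell a good-basis rounding from any other lattice point that happens to land inside the bound.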
Let's just check all possible private keys. So there better be enough different private keys that I can't do that, if there are too many to loop through. And it turns out that for many systems, if you're trying to find a needle in a haystack, where the haystack has K elements in it and only one of them is the winning needle, it turns out that usually, rather than checking first this piece, then this element and this element and this element, you can use sort of algebraic techniques, and it's enough to find a collision, and that sort of cuts the runtime by a square root. So anytime you do cryptography and someone can break the system by running through the elements of a set with K elements, you should assume it won't take them more than about square root of K time to do that. There's usually a way to do that, which, again, Jeff Hoffstein, Jill Pipher and I didn't realize when we were novices with this, and the initial parameters we suggested were not strong enough because of this. Okay. But people may have seen this sort of phenomenon with the birthday paradox, right?
The probability that one of you has my birthday is one in 365, roughly. But if we take 20, or if we take 25 people, the odds are very good that two of them will have the same birthday, even though I can't predict ahead of time what the birthday would be. It's the same kind of thing, a square root thing.

All right, lattice security. Since we're talking about a lattice system here, or for RSA, factorization security: you have to take the fastest known algorithm for solving the underlying hard problem, and we spent some time discussing that. For lattices currently it's LLL using blocks, and there are other tricks that do some speed-ups; they're not huge amounts, but maybe an order of magnitude or two speed-up. And usually what you want to do is figure out the minimum you need for the security you want and then build in a buffer, because there's always a little ambiguity, or maybe someone will be real clever, or next year someone will build a computer that's twice as fast; that's almost certainly, in two years now, almost certainly true. So this should really be labeled "how hard is the underlying hard problem".

Practicality. Well, this has nothing to do with security, but after you make the system secure you then need to check how practical it is, and something like GGH might be practical. It depends on your application: as long as you're okay with big key sizes, but small signatures are what you want, not super small but reasonably small, it might be okay. If you want the smallest possible signatures, currently what you'd use is elliptic curve discrete log systems, but only use those if you are willing to take the risk of a quantum computer being built.

Okay, so, slightly older thing: how many people have ever read Mad magazine? "What, me worry?" Yeah, okay. So here's another thing to worry about. This is only something that happens with digital signatures, I think; in any case, it doesn't happen with encryption schemes. Think about what Alice is doing. Alice is doing...
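Returning to the birthday-paradox remark a few paragraphs above: here is an added Python example, not from the lecture, that computes the exact collision probability for a room of n people, the usual exponential approximation, and the number of draws needed for even odds. The last function is what makes the "square root of K" behaviour concrete: the even-odds point grows like √(2 ln 2 · K), roughly 1.18√K, whatever K is.

```python
from math import exp, sqrt


def collision_probability(n, k=365):
    """Exact probability that among n uniform draws from k values at least two coincide."""
    p_all_distinct = 1.0
    for i in range(n):
        p_all_distinct *= (k - i) / k   # i-th draw avoids the i values already seen
    return 1.0 - p_all_distinct


def approx_collision_probability(n, k):
    """The usual approximation 1 - exp(-n(n-1)/(2k)); it makes the sqrt(k) scale visible."""
    return 1.0 - exp(-n * (n - 1) / (2.0 * k))


def draws_for_even_odds(k):
    """Smallest n at which a collision is at least as likely as not.

    Grows like sqrt(2 ln 2 * k) ~ 1.18 sqrt(k): this is the square-root saving the
    lecture describes for a search over a set of K elements."""
    n, p_all_distinct = 0, 1.0
    while p_all_distinct > 0.5:
        p_all_distinct *= (k - n) / k
        n += 1
    return n


if __name__ == "__main__":
    for people in (20, 23, 25):
        print(f"{people} people: exact {collision_probability(people):.3f}, "
              f"approx {approx_collision_probability(people, 365):.3f}")
    for k in (365, 10**6, 10**12):
        n = draws_for_even_odds(k)
        print(f"K={k}: even odds after {n} draws, about {n / sqrt(k):.2f} * sqrt(K)")
```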
She's taking a document and she's signing it, and she's sending you the signature to check.