On the Lattice Isomorphism Problem, Quadratic Forms, Remarkable Lattices, and Cryptography

A natural and recurring idea in the knapsack/lattice cryptography literature is to start from a lattice with remarkable decoding capability as your private key, and hide it somehow to make a public key. This is also how the code-based encryption scheme of McEliece (1978) proceeds. This idea has never worked out very well for lattices: ad-hoc approaches have been proposed, but they have been subject to ad-hoc attacks, using tricks beyond lattice reduction algorithms. On the other hand, the framework offered by the Short Integer Solution (SIS) and Learning With Errors (LWE) problems, while convenient and well founded, remains frustrating from a coding perspective: the underlying decoding algorithms are rather trivial, with poor decoding performance.

In this work, we provide generic realizations of this natural idea (independently of the chosen remarkable lattice) by basing cryptography on the lattice isomorphism problem (LIP). More specifically, we provide:

- a worst-case to average-case reduction for search-LIP and distinguish-LIP within an isomorphism class, by extending techniques of Haviv and Regev (SODA 2014);
- a zero-knowledge proof of knowledge (ZKPoK) of an isomorphism, which implies an identification scheme based on search-LIP;
- a key encapsulation mechanism (KEM) and a hash-then-sign signature scheme, both based on distinguish-LIP.

The purpose of this approach is for remarkable lattices to improve the security and performance of lattice-based cryptography. For example, decoding within a poly-logarithmic factor of Minkowski's bound in a remarkable lattice would lead to a KEM resisting lattice attacks down to a poly-logarithmic approximation factor, provided that the dual lattice is also close to Minkowski's bound. Recent works have indeed reached such decoders for certain lattices (Chor-Rivest, Barnes-Sloan), but these do not perfectly fit our need as their duals have poor minimal distance.
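As an added illustration (not code from the paper), the quadratic-form view of LIP and the shape of the sigma protocol behind a ZKPoK of an isomorphism, in Python: two positive definite forms Q0, Q1 are equivalent when Q1 = U^T Q0 U for a unimodular U, and the prover convinces the verifier that it knows such a U. The unimodular sampling by random elementary operations and the absence of a canonical form are simplifications assumed here, so the block shows the completeness and unimodularity checks, not the paper's zero-knowledge argument.

```python
import random

# Added toy example, not the paper's construction: the paper hides U with
# Gaussian-sampled bases and canonical forms; here V is a product of random
# elementary operations and no canonical form is applied.

def transpose(A):
    return [list(col) for col in zip(*A)]

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def conj(Q, U):
    """Return U^T Q U: the form Q expressed in the basis U."""
    return matmul(matmul(transpose(U), Q), U)

def det(M):
    """Laplace expansion; fine for the small dimensions used here."""
    if len(M) == 1:
        return M[0][0]
    return sum((-1) ** j * M[0][j] * det([r[:j] + r[j + 1:] for r in M[1:]])
               for j in range(len(M)))

def random_unimodular(n, rng, steps=12):
    """Product of elementary row operations (row i += +-row j), so det is +-1."""
    U = [[int(i == j) for j in range(n)] for i in range(n)]
    for _ in range(steps):
        i, j = rng.sample(range(n), 2)
        k = rng.choice([-1, 1])
        U[i] = [a + k * b for a, b in zip(U[i], U[j])]
    return U

def keygen(n, rng):
    """Private U; public equivalent forms (Q0, Q1) with Q1 = U^T Q0 U."""
    B = random_unimodular(n, rng)
    Q0 = matmul(transpose(B), B)          # Gram matrix, positive definite
    U = random_unimodular(n, rng)
    return U, Q0, conj(Q0, U)

def prove_commit(U, Q1, n, rng):
    """Sample W and set V = U W, so that V^T Q0 V = W^T Q1 W = Q'."""
    W = random_unimodular(n, rng)
    return conj(Q1, W), (matmul(U, W), W)  # commitment Q', (V, W)

def prove_respond(state, challenge):
    return state[challenge]                # reveal V for c = 0, W for c = 1

def verify(Q0, Q1, commitment, challenge, response):
    base = Q0 if challenge == 0 else Q1
    return det(response) in (1, -1) and conj(base, response) == commitment

def run_protocol(n=3, rounds=16, seed=1):
    rng = random.Random(seed)
    U, Q0, Q1 = keygen(n, rng)
    for _ in range(rounds):
        com, state = prove_commit(U, Q1, n, rng)
        c = rng.randrange(2)
        if not verify(Q0, Q1, com, c, prove_respond(state, c)):
            return False
    return True
```

Each round convinces with probability 1/2 against a prover without U, which is why many rounds are needed; the unimodularity check in `verify` is what keeps a non-invertible response from passing.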

[1] Daniele Micciancio et al. Worst-case to average-case reductions based on Gaussian measures, 2004, 45th Annual IEEE Symposium on Foundations of Computer Science.

[2] C. P. Schnorr et al. A Hierarchy of Polynomial Time Lattice Basis Reduction Algorithms, 1987, Theor. Comput. Sci.

[3] Kenneth J. Giuliani. Factoring Polynomials with Rational Coefficients, 1998.

[4] Wilhelm Plesken et al. Computing Isometries of Lattices, 1997, J. Symb. Comput.

[5] Hugo Krawczyk et al. Leftover Hash Lemma, Revisited, 2011, IACR Cryptol. ePrint Arch.

[6] M. Pohst. Constructing Integral Lattices With Prescribed Minimum, 2010.

[7] Oded Regev et al. On lattices, learning with errors, random linear codes, and cryptography, 2005, STOC '05.

[8] Oded Regev et al. On the Lattice Isomorphism Problem, 2013, SODA.

[9] W. Fischer et al. Sphere Packings, Lattices and Groups, 1990.

[10] Oleksandra Lapiha et al. Comparing Lattice Families for Bounded Distance Decoding near Minkowski's Bound, 2021, IACR Cryptol. ePrint Arch.

[11] Giacomo Micheli et al. LESS is More: Code-Based Signatures Without Syndromes, 2020, IACR Cryptol. ePrint Arch.

[12] Damien Stehlé et al. Classical hardness of learning with errors, 2013, STOC '13.

[13] Michael Szydlo et al. Hypercubic Lattice Reduction and Analysis of GGH and NTRU Signatures, 2003, EUROCRYPT.

[14] Andrew Odlyzko et al. The Rise and Fall of Knapsack Cryptosystems, 1998.

[15] Chaoping Xing et al. On the Bounded Distance Decoding Problem for Lattices Constructed and Their Cryptographic Applications, 2020, IEEE Transactions on Information Theory.

[16] Daniel Dadush et al. Solving the Shortest Vector Problem in 2^n Time Using Discrete Gaussian Sampling: Extended Abstract, 2014, STOC.

[17] Chris Peikert et al. An Efficient and Parallel Gaussian Sampler for Lattices, 2010, CRYPTO.

[18] Adi Shamir et al. A polynomial time algorithm for breaking the basic Merkle-Hellman cryptosystem, 1984, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[19] Léo Ducas et al. Polynomial time bounded distance decoding near Minkowski's bound in discrete logarithm lattices, 2018, IACR Cryptol. ePrint Arch.

[20] Hendrik W. Lenstra et al. Revisiting the Gentry-Szydlo Algorithm, 2014, CRYPTO.

[21] Philip N. Klein et al. Finding the closest lattice vector when it's unusually close, 2000, SODA '00.

[22] Craig Gentry et al. Trapdoors for hard lattices and new cryptographic constructions, 2008, IACR Cryptol. ePrint Arch.

[23] Phong Q. Nguyen et al. Sieve algorithms for the shortest vector problem are practical, 2008, J. Math. Cryptol.

[24] Chris Charnes et al. A lattice-based McEliece scheme for encryption and signature, 2001, Electron. Notes Discret. Math.

[25] Keisuke Tanaka et al. Quantum Public-Key Cryptosystems, 2000, CRYPTO.

[26] Martin R. Albrecht et al. Lattice Attacks on NTRU and LWE: A History of Refinements, 2021, IACR Cryptol. ePrint Arch.

[27] Anja Becker et al. New directions in nearest neighbor searching with applications to lattice sieving, 2016, IACR Cryptol. ePrint Arch.

[28] Ronald L. Rivest et al. A Knapsack Type Public Key Cryptosystem Based On Arithmetic in Finite Fields, 1984, CRYPTO.

[29] Oded Regev et al. Hardness of the covering radius problem on lattices, 2006, 21st Annual IEEE Conference on Computational Complexity (CCC'06).

[30] Hendrik W. Lenstra. On the Chor-Rivest knapsack cryptosystem, 2004, Journal of Cryptology.

[31] Serge Vlăduț. Lattices with exponentially large kissing numbers, 2018, Moscow Journal of Combinatorics and Number Theory.

[32] Brent Waters et al. Lossy trapdoor functions and their applications, 2008, SIAM J. Comput.

[33] Martin E. Hellman et al. Hiding information and signatures in trapdoor knapsacks, 1978, IEEE Trans. Inf. Theory.

[34] Leonid A. Levin et al. A Pseudorandom Generator from any One-way Function, 1999, SIAM J. Comput.

[35] Robert J. McEliece et al. A public key cryptosystem based on algebraic coding theory, 1978.

[36] Jean-Pierre Serre. A Course in Arithmetic, 1973.

[37] Mathieu Dutour Sikirić et al. A canonical form for positive definite matrices, 2020, Open Book Series.

[38] Tamar Lichter Blanks et al. Generating cryptographically-strong random lattice bases and recognizing rotations of Z^n, 2021, IACR Cryptol. ePrint Arch.

[39] Chris Peikert et al. Efficient Collision-Resistant Hashing from Worst-Case Assumptions on Cyclic Lattices, 2006, TCC.

[40] Shafi Goldwasser et al. Complexity of lattice problems - a cryptographic perspective, 2002, The Kluwer international series in engineering and computer science.

[41] Chris Peikert et al. Lattice (List) Decoding Near Minkowski's Inequality, 2020, IEEE Transactions on Information Theory.

[42] A. Schürmann et al. Computational geometry of positive definite quadratic forms: polyhedral reduction theories, algorithms, and applications, 2008.

[43] László Babai et al. Graph isomorphism in quasipolynomial time [extended abstract], 2015, STOC.

[44] Silvio Micali et al. Proofs that yield nothing but their validity or all languages in NP have zero-knowledge proof systems, 1991, JACM.

[45] I. Damgård et al. The protocols., 1989, The New Zealand nursing journal. Kai tiaki.

[46] Daniele Micciancio et al. Efficient bounded distance decoders for Barnes-Wall lattices, 2008, 2008 IEEE International Symposium on Information Theory.

[47] Craig Gentry et al. Cryptanalysis of the Revised NTRU Signature Scheme, 2002, EUROCRYPT.