
Lattices: algorithms and cryptography

Final Report Summary - LATTAC (Lattices: algorithms and cryptography)

Contemporary cryptography, whose security relies on the factorisation and discrete logarithm problems, is ill-prepared for the future: it will collapse with the rise of quantum computers, its costly algorithms require growing resources, and it is too cumbersome for the fast-developing trend of externalising computations to the cloud. Lattice-based cryptography (LBC) addresses these concerns: it is believed to resist would-be quantum computers, its cost scales better with security, and it enables computations on encrypted data. LBC could supersede contemporary cryptography within a decade. The goal of the LattAC ERC project was to enable this technology switch.

LattAC considered the computational aspects of lattices from various angles, with cryptography as the driving motive, and with a strong focus on lattice algorithms. Indeed, assessing the limits of lattice algorithms and attempting to find novel algorithmic approaches are crucial towards establishing the security of lattice-based cryptography.
The project contained three main components: the conception of LBC protocols, the study of the intractability assumptions underlying LBC, and the design, analysis and implementation of lattice algorithms.

Concerning the *LBC expressiveness*, a breakthrough of the project was the first cryptanalysis of a multi-linear map, impacting many works building upon it. This was followed by results from other teams breaking many other multi-linear maps. Today, the main surviving application seems to be indistinguishability obfuscation, which itself has many applications, but whose security foundations are questionable.
On a more positive note, among several constructions, we proposed a functional encryption scheme for inner products, which has been used for broadcast encryption and recent proposals of obfuscators, among others.

We have significantly simplified the landscape of *hardness assumptions* used in LBC. We showed that the Approximate GCD problem and the more classical LWE problem reduce to one another, we exhibited a serious weakness in the (overstretched) NTRU hardness assumptions, and we studied the hardness of variants of LWE over number fields. We also showed the computational equivalence between LWE and a variant of the dihedral coset problem, a well-known problem in quantum complexity theory.

We made progress on various *lattice algorithms*. We proposed the asymptotically fastest LLL-type lattice reduction algorithm, which makes it possible to efficiently compute a lattice basis of decent quality. We designed a (heuristic) algorithm for computing a shortest non-zero vector in a lattice, which is exponential-time like the best known algorithms, but requires less memory. On the implementation side, we contributed to a massive overhaul of the fplll lattice reduction library, which now contains the fastest available implementations of most lattice reduction algorithms. The latter two contributions were important ingredients that allowed us to outperform prior records for solving the shortest lattice vector problem, by several orders of magnitude.

The progress made on the hardness foundations of LBC and on lattice algorithms provides more confidence in the lattice-based submissions to the NIST standardization process for post-quantum cryptography. Among these submissions, LattAC participated in the design of the KYBER encryption scheme and the DILITHIUM digital signature.