Periodic Reporting for period 2 - PARQ (Lattices in a Parallel and Quantum World)
Berichtszeitraum: 2022-01-01 bis 2023-06-30
Today’s digital world creates many security and privacy issues. But cryptography, a pillar of cybersecurity, is facing two major challenges.
The first challenge is the threat of quantum computers, fueled by massive investment worldwide, in both the public and private sector.
In 1994, Shor showed that a quantum computer can break the most prevalent forms of public-key cryptography,
namely those relying on the hardness of integer factoring or discrete logarithm:
this type of public-key cryptography is massively deployed,
it is for instance used by e-commerce, passports, downloads of software (such as installation of apps in mobile phones)
and bitcoins.
The second challenge is new requirements, such as in big data, IoT, or crypto-currencies. Because classical cryptographic primitives no longer suffice for these settings, novel cryptographic schemes and functionalities have been developed,
such as encryption schemes allowing to compute on encrypted data. But these benefits come at the cost of security uncertainty: most of these schemes require more risky hardness assumptions and make it more difficult to select parameters with confidence.
Lattices are mathematical objects which have emerged as a key technique to respond to these two challenges:
three of the four NIST post-quantum cryptography standards (selected recently in July 2022) are based on lattices, including the two main standards Kyber and Dilithium;
and all the proposals for fully-homomorphic encryption standardization rely on the hardness of lattice problems.
Furthermore, due to performance reasons, one often relies on special forms of lattices arising from algebraic number theory:
this creates additional security risks, because these special properties may make the underlying problems easier.
In fact, there are results showing that some special lattices are easier to attack than the general case.
This proposal aims at answering the main security questions surrounding lattice-based cryptography.
Are lattice problems really hard, even against quantum computers and massively-parallel computing platforms?
What are the best parallel and quantum algorithms for lattice problems? Can we estimate their cost?
How should we select parameters for lattice-based cryptography?
Several security estimates have been proposed in the past for lattice-based cryptography,
especially during the NIST standardization of post-quantum cryptography,
but the accuracy and the methodology of such estimates is debatable.
The first challenge is the threat of quantum computers, fueled by massive investment worldwide, in both the public and private sector.
In 1994, Shor showed that a quantum computer can break the most prevalent forms of public-key cryptography,
namely those relying on the hardness of integer factoring or discrete logarithm:
this type of public-key cryptography is massively deployed,
it is for instance used by e-commerce, passports, downloads of software (such as installation of apps in mobile phones)
and bitcoins.
The second challenge is new requirements, such as in big data, IoT, or crypto-currencies. Because classical cryptographic primitives no longer suffice for these settings, novel cryptographic schemes and functionalities have been developed,
such as encryption schemes allowing to compute on encrypted data. But these benefits come at the cost of security uncertainty: most of these schemes require more risky hardness assumptions and make it more difficult to select parameters with confidence.
Lattices are mathematical objects which have emerged as a key technique to respond to these two challenges:
three of the four NIST post-quantum cryptography standards (selected recently in July 2022) are based on lattices, including the two main standards Kyber and Dilithium;
and all the proposals for fully-homomorphic encryption standardization rely on the hardness of lattice problems.
Furthermore, due to performance reasons, one often relies on special forms of lattices arising from algebraic number theory:
this creates additional security risks, because these special properties may make the underlying problems easier.
In fact, there are results showing that some special lattices are easier to attack than the general case.
This proposal aims at answering the main security questions surrounding lattice-based cryptography.
Are lattice problems really hard, even against quantum computers and massively-parallel computing platforms?
What are the best parallel and quantum algorithms for lattice problems? Can we estimate their cost?
How should we select parameters for lattice-based cryptography?
Several security estimates have been proposed in the past for lattice-based cryptography,
especially during the NIST standardization of post-quantum cryptography,
but the accuracy and the methodology of such estimates is debatable.
The project improved the best approximation algorithms known for the shortest vector problem in lattices.
It also found the first dynamic analysis of the original BKZ blockwise reduction algorithm, and adapted it to the case of slide reduction,
which allows to guarantee the quality of the current lattice basis during execution.
This BKZ algorithm is widely used in cryptanalysis.
The project revisited the so-called hybrid attack against the NTRU cryptosystem,
one of the third-round finalist to the NIST competition for post-quantum cryptography standardization:
it gave improvements and fixed the main issues in previous analyses.
The project is currently reanalyzing current security estimates of NIST lattice-based standards for post-quantum cryptography.
It also found the first dynamic analysis of the original BKZ blockwise reduction algorithm, and adapted it to the case of slide reduction,
which allows to guarantee the quality of the current lattice basis during execution.
This BKZ algorithm is widely used in cryptanalysis.
The project revisited the so-called hybrid attack against the NTRU cryptosystem,
one of the third-round finalist to the NIST competition for post-quantum cryptography standardization:
it gave improvements and fixed the main issues in previous analyses.
The project is currently reanalyzing current security estimates of NIST lattice-based standards for post-quantum cryptography.
We expect to obtain new security estimates for lattice-based cryptography.
We are also developing new algorithms and implementations for lattice problems.
We are also developing new algorithms and implementations for lattice problems.