TECHNIQUES OF LATTICE BASED CRYPTOGRAPHY STUDIED ON A PERVASIVE COMPUTING ENVIRONMENT

The creation of smart spaces and the scaling down of devices to achieve miniaturization in pervasive computing environments has raised the question of how secure such devices are. Security is a unique challenge in such environments: a solution must provide scalability, access control, heterogeneity and trust. Most of the cryptographic solutions widely in use rely on the hardness of factorization and other number-theoretic problems. With the increase in cryptanalytic attacks these schemes will soon become insecure. We need an alternative security mechanism that is at least as hard as the existing number-theoretic approaches. In this work we discuss the aspects of lattice-based cryptography as a new dimension for providing security, whose strength lies in the hardness of lattice problems. We discuss a cryptosystem whose security relies on a high lattice dimension.


1.1. Related Work
A power-efficient authentication protocol for RFID tags was designed on top of the LWE cryptosystem, consisting of only one round of LWE encryption [14]. NTRU encryption has been implemented on several hand-held devices [15] [16]. The LLL algorithm is widely used for public-key cryptanalysis, and IBE schemes are used for security against chosen-ciphertext attacks [17].

2.1. Scalability
Scalability becomes a very important requirement when more than one operating domain is involved. A person may want to sit at home and communicate with his office and his kid's school; as the number of operating domains increases, a security solution should remain feasible across all of them. Achieving scalability can be challenging due to the lack of a central authority in some environments, such as wireless sensor networks [1] [2].

2.2. Access Control
Though there are several methods to protect information from malicious attacks, a good access control model is essential, one which can protect all the services and devices used in pervasive computing [12].

2.3. Trust
With the advent of new network paradigms, traditional security authentication mechanisms are inadequate to meet the security challenges imposed by pervasive computing environments. A trust model for such environments must be robust, flexible and reputation based.

2.4. Heterogeneity
Though a number of middleware solutions have been proposed for data and service management, many coordination problems remain due to the wide heterogeneity of network resources involved in a pervasive computing environment. As a result, a secured single middleware solution is very much needed.

2.5. Entity Authentication
Service providers are looking for a sound authentication mechanism for comfortable and convenient information exchange in a pervasive environment, so that all authorized users enjoy access to data in a secured way.

2.6. Context Awareness
Due to the large amount of information coming from the various devices involved in pervasive computing, extracting and providing user services based on their needs efficiently and accurately is a daunting task. A sound mathematical abstraction is needed for this. Situation lattices for context awareness have been widely discussed as a way to study the semantics in pervasive computing, due to their ability to manage the semantics of sensor data.

2.7. Mobile Code Security
Since most of the devices used for pervasive computing have different configurations and interfaces, there is a need to implement mobile code that can be used by different smart devices. The security of such mobile code is very much desirable.

3.1. Lattices
A lattice is generated by a set of linearly independent vectors: their linear combinations form the lattice points. The difference between a lattice and a "normal" vector space is the fact that the vectors are multiplied with integer factors instead of real factors. The vectors form a so-called basis of the lattice. This basis can be written in the form of a matrix. The vectors are usually written in column notation, which is the most common way in papers. The vectors define so-called parallelepipeds; in the two-dimensional case these are parallelograms. The volume of this parallelepiped is equal to the absolute value of the determinant of the basis matrix.

3.1.1. Lattice Problems
An important characteristic of lattices is the fact that different bases can produce the same lattice. The determinants of all these bases have the same value (up to sign). Regarding lattices, vectors of minimum length are of interest. The problem of finding these vectors is called the Shortest Vector Problem (SVP) and relates to the search for "successive minima". The first minimum is the shortest vector. All other vectors are linearly independent of this one and of each other; they are also as short as possible. An upper bound for the shortest vector is determined by the Hermite constant. The shortest vector is also of interest for the packing density of a lattice. Here circles are constructed around each lattice point, as large as possible without overlapping each other (both the Hermite circle and the packing circles can be enabled in the settings). It can easily be observed that after reduction the vectors are very nearly orthogonal to each other; ideally they even have an angle of 90°. Another interesting problem is the Closest Vector Problem (CVP). Here an arbitrary point is specified, and we search for the lattice point which is closest to this arbitrary point.

3.1.2. Lattice Reduction
There are two important methods that implement the search for shortest vectors. One is the Gaussian algorithm for dimension 2; the other is the LLL algorithm, named after Arjen Lenstra, Hendrik Lenstra and László Lovász, for an arbitrary lattice dimension. The Gaussian algorithm works similarly to the Euclidean algorithm for finding the greatest common divisor (gcd) of two integers. By combining and subtracting the two vectors, the basis improves after each iteration with a shorter vector. The LLL algorithm works similarly to the Gauss algorithm, but for higher dimensions it produces only an approximation to the shortest vector. An important part of the algorithm is the Gram-Schmidt orthogonalization.
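The two-dimensional Gaussian reduction described above, together with the determinant and orthogonality defect from section 3.1, as an added example that is not part of the original paper. The "bad" basis is constructed: it is the reduced basis (3,1), (-1,4) multiplied by a unimodular matrix, so both bases span the same lattice.

```python
from fractions import Fraction
from math import sqrt

def dot(a, b):
    return a[0] * b[0] + a[1] * b[1]

def det(u, v):
    """Determinant of the basis matrix [u v]; its absolute value is the area of the parallelogram."""
    return u[0] * v[1] - u[1] * v[0]

def orthogonality_defect(u, v):
    """|u|*|v| / |det|: equals 1 exactly when u and v are orthogonal, grows as the basis elongates."""
    return sqrt(dot(u, u) * dot(v, v)) / abs(det(u, v))

def gauss_reduce(u, v):
    """Lagrange/Gauss reduction of a 2-D integer basis. Like Euclid's gcd: repeatedly subtract
    the nearest-integer multiple of the shorter vector from the longer one, then swap.
    Returns (u, v) with u a shortest lattice vector and v a shortest vector independent of it."""
    u, v = list(u), list(v)
    if dot(u, u) > dot(v, v):
        u, v = v, u
    while True:
        mu = round(Fraction(dot(u, v), dot(u, u)))   # exact nearest integer, no float error
        v = [v[0] - mu * u[0], v[1] - mu * u[1]]
        if dot(v, v) >= dot(u, u):                  # no further progress: the basis is reduced
            return u, v
        u, v = v, u

if __name__ == "__main__":
    # Constructed "bad" basis: (3,1), (-1,4) transformed by the unimodular matrix [[5,7],[2,3]]
    bad = ([13, 13], [18, 19])
    good = gauss_reduce(*bad)
    print("det before/after:", det(*bad), det(*good))                  # 13 13: same lattice
    print("defect before/after:", orthogonality_defect(*bad), orthogonality_defect(*good))
    print("reduced basis:", good)                                       # ([3, 1], [-1, 4])
```

The orthogonality defect drops from about 37 to about 1.003 while the determinant stays 13, which is exactly the property that makes a reduced basis usable for the rounding step in GGH decryption.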

3.1.3. Cryptanalysis
After the publication of the LLL algorithm in 1982, many possible applications were found for it, cryptanalysis being one of them. The Merkle-Hellman knapsack cryptosystem, designed in 1978 and named after its two inventors Ralph C. Merkle and Martin E. Hellman, could impressively be broken with the help of lattices. This cryptosystem is based on the knapsack problem, for which a general solution is difficult to find. But it could be demonstrated that the problem of decrypting a ciphertext can be reformulated as a search for a shortest vector. The well-known asymmetric encryption scheme RSA (named after its inventors Ronald L. Rivest, Adi Shamir and Leonard Adleman) was developed at about the same time as the Merkle-Hellman cryptosystem. It is based on the problem of the prime factorization of big integers. Using lattices, Don Coppersmith was able to show that certain messages, for which a part of the plaintext is known, can be deciphered. The messages in this case are so-called "stereotypical messages", for example "Your new PIN is: ****". The first part of the message, which is always the same, must be known to the attacker. A prerequisite for this attack is that the public exponent e is very small. Another attack scenario that uses lattices involves a partially known private key. In contrast to the Merkle-Hellman cryptosystem, RSA has not been broken and can as yet be considered safe, provided some constraints on the parameters are respected.

3.1.4. Lattice Based Cryptosystems
Cryptosystems that are based on lattices exploit the hardness of certain lattice problems, in particular the Shortest Vector Problem (SVP) and the Closest Vector Problem (CVP). As in the case of RSA, these cryptosystems are asymmetric public-key cryptosystems. The foundations for lattice-based cryptography were laid by Miklós Ajtai in 1986, when he demonstrated how lattices could be used for cryptography.
In cooperation with Cynthia Dwork, Ajtai published the Ajtai-Dwork cryptosystem a short time later, in 1997. Its security is based on the hardness of SVP. In the same year, Oded Goldreich, Shafi Goldwasser and Shai Halevi published the GGH cryptosystem. Improvements by Daniele Micciancio made the system practicable.
The latest lattice-based cryptosystem is Learning With Errors (LWE), which was published by Oded Regev in 2005. It too is based on hard lattice problems like SVP. Compared to established public-key cryptosystems like RSA, lattice-based cryptosystems have to handle larger key sizes and also larger ciphertexts. On the other hand, they have the advantage of being faster and, in contrast to RSA, they are not (yet) vulnerable to quantum computing attacks.

4. GGH CRYPTOSYSTEM
The GGH cryptosystem is based on the hypothesis that it is very easy to construct, from a basis B and a small error vector e, a vector which lies in the vector space V and is close to a lattice point of the lattice L. On the other hand, it is very hard to reconstruct the original lattice point lying close to that vector if only the vector is known. If one could find a very small basis, the search for the original lattice point would be much easier. This problem corresponds to the Shortest Basis Problem (SBP), where a basis is small if the basis vectors are pairwise nearly orthogonal, thus having a very small orthogonality defect.
Two n x n basis matrices are required, one for encryption and one for decryption. The same full-dimensional lattice over Z^n is generated by both matrices. The basis matrix B serves as the public key. By multiplication with a unimodular matrix, B can be transformed into the private key R. The security of the system relies on a high lattice dimension n and on a parameter sigma (introduced below). From these parameters and the lattice dimension, the error vector e is determined in turn.
The key generation process starts with the definition of the private key R. It should be ensured that the vectors of the matrix are as orthogonal as possible. To this end, a matrix R' is chosen whose entries are drawn uniformly at random from the set {-l,...,l}. R' is then added to the product of the value k and the identity matrix I. Thus the resulting private basis is R := R' + kI, where k is a natural number.
The public key B arises from the multiplication of R with a random unimodular transformation matrix U: B := R * U.
For encrypting a message m in Z^n, the public key B is multiplied with the plaintext vector, resulting in a new lattice point. The error vector e is added to make the reconstruction of this lattice point difficult. e is a vector consisting of random values selected with equal probability from the set {-Sigma, Sigma}. We assume the value Sigma = 1 in this paper.
The resulting ciphertext is c = Bm + e.
For decrypting a message, the original lattice point has to be reconstructed. In the year 1986, László Babai came up with an algorithm that produces an approximate closest lattice point for a given point of the vector space [3].
For this purpose, the point is regarded as a linear combination of the lattice basis vectors. The coefficients obtained from this linear combination are then rounded to the nearest integer, so that the result is a vector of the lattice. This method only works if the basis vectors are nearly orthogonal. The given target point lies inside a parallelepiped which is spanned by the basis vectors. With Babai's rounding method, the closest vertex of this parallelepiped is given as the solution. If the basis vectors are less orthogonal, the rounding error increases, as the parallelepiped becomes more and more elongated and its vertices move away from the true closest lattice point [4] (which shows a basis with less orthogonal vectors, and thus one unsuitable for Babai's method).
If the basis is not reduced, the result of the rounding may be no better than a randomly generated vector, and no new information is gained with this method. However, the owner of the private key can apply Babai's method, as the private key fulfils the requirements on the orthogonality of the basis.
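The key generation, encryption and Babai-rounding decryption of section 4 in a small toy instance, as an added example that is not the paper's or the GGH authors' code. It follows the paper's construction R := R' + kI, B := R * U, c = Bm + e with Sigma = 1; the parameter choice n = 4, l = 1, k = 10 is an assumption made here so that every entry of R^-1 e stays below 1/2 and private-key decryption is guaranteed to succeed.

```python
from fractions import Fraction
import random
def mat_vec(M, v):
    return [sum(M[i][j] * v[j] for j in range(len(v))) for i in range(len(M))]

def mat_mul(A, B):
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) for j in range(len(B[0]))] for i in range(len(A))]

def inverse(M):
    """Gauss-Jordan inverse over exact rationals: rounding decisions are never spoiled by floats."""
    n = len(M)
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(n)] for i, row in enumerate(M)]
    for c in range(n):
        p = next(r for r in range(c, n) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [x / piv for x in A[c]]
        for r in range(n):
            if r != c and A[r][c] != 0:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[n:] for row in A]

def babai(basis, target):
    # Babai rounding: coordinates of target w.r.t. the basis (columns), rounded to nearest integers
    return [round(x) for x in mat_vec(inverse(basis), target)]

def random_unimodular(n, rounds=30):
    U = [[int(i == j) for j in range(n)] for i in range(n)]
    for _ in range(rounds):  # row_i += +-row_j keeps det(U) = 1, so R and R*U span the same lattice
        i, j = random.sample(range(n), 2)
        s = random.choice([-1, 1])
        U[i] = [a + s * b for a, b in zip(U[i], U[j])]
    return U

def keygen(n, l, k):
    """Private basis R = R' + kI with R' uniform in {-l,...,l}; public basis B = R*U."""
    R = [[random.randint(-l, l) + k * int(i == j) for j in range(n)] for i in range(n)]
    U = random_unimodular(n)
    return R, U, mat_mul(R, U)

def encrypt(B, m, sigma=1):
    e = [random.choice([-sigma, sigma]) for _ in m]  # error vector drawn from {-sigma, sigma}
    return [x + y for x, y in zip(mat_vec(B, m), e)]  # c = B*m + e

def decrypt(R, U, c):
    # round(R^-1 c) = U*m + round(R^-1 e) = U*m as long as every entry of R^-1 e is below 1/2,
    # which holds for all e in {-1,1}^n when n*l/k <= 1/2 (assumed here: n=4, l=1, k=10)
    return [int(x) for x in mat_vec(inverse(U), babai(R, c))]
```

With `R, U, B = keygen(4, 1, 10)` and `c = encrypt(B, m)`, `decrypt(R, U, c)` returns m, whereas `babai(B, c)` applied to the public basis alone usually returns a wrong coefficient vector, illustrating why the reduced private basis is what makes rounding work.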

4.1. GGH Security
The security of GGH is based on the hardness of the Closest Vector Problem. GGH can also be used to generate electronic signatures. After both cryptosystems, Ajtai-Dwork and GGH, had been successfully attacked and broken, the cryptosystem NTRU (Number Theory Research Unit) was presented by Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman in 1998. It can encrypt (NTRUEncrypt) as well as create electronic signatures (NTRUSign).
The security and strength of NTRU depend on the hardness of SVP. The advantages of NTRU are its fast encryption and decryption speed and the fact that, unlike in the case of RSA, no quantum algorithm for attacking it in polynomial time is as yet known.

5. LWE CRYPTOSYSTEM
Learning With Errors (LWE) is a problem that was introduced by Oded Regev in the year 2005 [5]. Its definition is as follows: Let m, n and q be integers and X a (normal) random distribution over Zq. Given is the pair (A, b), with a random matrix A over Zq^(m x n) and a vector b = As + e, where s is a random vector over Zq^n and e is an error vector over Zq^m whose elements are selected according to the distribution X. The LWE problem is then to determine the vector s.
In other words, from a set of 'approximate' linear equations, find the vector s in Zq^n (consider the example given below). If no error vector e were used, Gaussian elimination could be used to solve the linear equations. However, the approximation makes this problem much more difficult.
The equations are correct apart from a small error value, for example 1, which was added. In this example the vector is s = [5 7 11].
The error distribution is a normal distribution that is rounded to the nearest integer and taken modulo q. The standard deviation is sigma = alpha * q, with alpha > 0. An example of such a distribution is shown in the figure below [7], with q = 113 and alpha = 0.05.
The private key is s; the public key is b = As + e, where A is random and e is produced according to the distribution X. For encryption, a random vector r in {0,1}^m is generated. It is used to select a subset of the rows of A, as not the entire matrix A is used for the encryption process. In the next step, u = r^T * A is calculated. The ciphertext is then generated from the equation c = r^T * b + Bit * [q / 2] (where [q / 2] denotes the floor function). The encryption is executed bitwise: the value [q / 2] is either added or not, depending on the value of the plaintext bit. The sender then sends the pair (u, c) to the owner of the private key. The receiver computes c - u*s and determines whether it is closer to 0 or to [q / 2]; this reveals the plaintext bit: it was 0 if the value is closer to 0, otherwise the plaintext bit was 1. The LWE cryptosystem was designed as a single-bit encryption. This means that when encrypting a plaintext vector, each bit has to be encrypted separately. Tore Kasper Frederiksen in 2010 [6] presented a multi-bit variant of the scheme.
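The single-bit LWE scheme of section 5 (public key b = As + e, u = r^T A, c = r^T b + bit * floor(q/2), decryption by checking whether c - u*s is closer to 0 or to q/2), as an added example that is not code from the paper or from Regev. It uses the parameters quoted in the text, q = 113 and alpha = 0.05; the dimensions n = 3 and m = 8 and the optional injectable r are assumptions made here for the demo.

```python
import random

def sample_error(q, alpha):
    """Error term as in the text: normal sample with std sigma = alpha*q, rounded to the nearest integer, mod q."""
    return round(random.gauss(0, alpha * q)) % q

def make_public_key(A, s, e, q):
    """Public key (A, b) with b = A*s + e (mod q); A is m x n over Z_q."""
    b = [(sum(a * x for a, x in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return A, b

def keygen(n, m, q, alpha):
    A = [[random.randrange(q) for _ in range(n)] for _ in range(m)]
    s = [random.randrange(q) for _ in range(n)]            # private key
    e = [sample_error(q, alpha) for _ in range(m)]
    return s, make_public_key(A, s, e, q)

def encrypt(pk, bit, q, r=None):
    """Single-bit encryption: r in {0,1}^m selects rows of A; u = r^T A, c = r^T b + bit*floor(q/2)."""
    A, b = pk
    if r is None:
        r = [random.randrange(2) for _ in b]
    u = [sum(r[i] * A[i][j] for i in range(len(A))) % q for j in range(len(A[0]))]
    c = (sum(ri * bi for ri, bi in zip(r, b)) + bit * (q // 2)) % q
    return u, c

def decrypt(s, ct, q):
    """c - <u, s> = r^T e + bit*floor(q/2) (mod q): the bit is 0 if that is closer to 0 than to q/2."""
    u, c = ct
    d = (c - sum(ui * si for ui, si in zip(u, s))) % q
    return 0 if min(d, q - d) < abs(d - q // 2) else 1

def encrypt_bits(pk, bits, q):
    return [encrypt(pk, bit, q) for bit in bits]           # one (u, c) pair per plaintext bit

def decrypt_bits(s, cts, q):
    return [decrypt(s, ct, q) for ct in cts]

if __name__ == "__main__":
    q, alpha = 113, 0.05                                   # parameters quoted in the text: sigma = 5.65
    s, pk = keygen(n=3, m=8, q=q, alpha=alpha)
    cts = encrypt_bits(pk, [1, 0, 1, 1, 0], q)
    print(decrypt_bits(s, cts, q))                         # [1, 0, 1, 1, 0] unless |r^T e| exceeds q/4
```

Decryption fails exactly when the accumulated error r^T e reaches q/4, which is why the error distribution and the number of rows m have to be balanced against q.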

6.1. Cryptanalysis
A lot of work in recent years [18] [19] has shown that, due to the tangible hardness of lattice problems, lattice-based cryptography has started to gain prominence in all modern research areas. More work is still needed in order to guarantee its widespread usage.

6.2. Building Robust Cryptosystems
The cryptosystems presented above have a good worst-case security proof. These cryptosystems can be further improved and made much more efficient in order to arrive at a standard model that can be widely accepted and applied.

6.3. Efficient Signature Scheme Generation
The use of ideal lattices can result in an efficient signature scheme that is provably secure, compared to the existing signature schemes and attacks. Such an ideal-lattice-based signature scheme can be very beneficial for embedded systems.

6.4. Quantum Algorithms and Lattices
At present there are no quantum algorithms that are capable of solving hard lattice problems and perform better than the available non-quantum algorithms.

7. CONCLUSION
In this paper we have discussed the various techniques of lattice-based cryptography that can be useful in a pervasive computing environment. We have also discussed the security issues involved in a pervasive computing environment. The use of lattices for generating an efficient cryptosystem has been discussed along with the security issues and examples. In this way, lattice-based cryptography can be promising for tackling the security issues in pervasive computing environments.

8. ACKNOWLEDGMENTS
We extend our thanks to Prof. Dr. D. H. Rao for his discussions, time and ideas given during the course of our work.