Middle-Product Learning With Errors

Size: px

Start display at page:

Download "Middle-Product Learning With Errors"

Douglas McKenzie
5 years ago
Views:

1 Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

2 Preview We define an LWE variant which: is at least as hard as exponentially many PLWE instances allows efficient public key encryption Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

3 Intro Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

4 Lattice based cryptography OWF Signatures PKE FHE SIS LWE IBE [Ajt96] [Reg05] ApproxSVP Advantage: all known algorithms are exponential in dimension n Major drawbacks: large keys and slow computations Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

5 How to fix this? Put some extra algebraic structure on the objects! PSIS f PLWE f [LM06],[PR07] [SSTX09],[LPR10] ApproxSVP f Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

6 ApproxSVP could be easy for some f s [BS15]: quantum poly. time algorithm to find a generator of a principal ideal in any number field The case of cyclotomics of prime power index: [CDPR16]: quantum poly. time algorithm to find a short generator of a principal ideal for 2 O( n) approx. factor [CDW17]: quantum poly. time algorithm to solve ApproxSVP for all ideals for 2 O( n) approx. factor The case of multiquadratics: [BBdVLvV17]: quasipoly. time algorithm to find a short generator of a principal ideal Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

7 ApproxSVP Time arbitrary lattices ideal lattices in cyclotomic fields of prime power index 2 n 2 n poly(n) 2 n 2 n Approx. factor Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

8 What should be done? use non-cyclotomic polynomials: [BCLvV16], [PRSD17] use problems which are provably at least as hard as PSIS f or PLWE f for a wide class of polynomials f : [Lyu16] Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

9 [Lyu16]: PSIS over Z q [x] PSIS f k,β Given a 1,..., a k Z q [x]/f, find a nontrivial sol. for i a iz i = 0 mod f such that z i β. PSIS <n k,d,β Given a 1,..., a k Z <n q [x], find a nontrivial sol. for i a iz i = 0 such that z i β and deg z i < d. PSIS f k,β reduces to PSIS <n k,β,d for any polynomial f s.t. d deg(f ) n. Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

10 Our contribution: the LWE case Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

11 The LWE case we introduce MP-LWE, by making use of the middle product of polynomials we give a reduction from (decision) PLWE f to (decision) MP-LWE for a wide class of polynomials f Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

12 Middle Product of two polynomials Let R be a ring, a R <n [x] and b R <2n 1 [x] two polynomials. Their product is: c c n 2 x n 2 +c n 1 x n 1 +c n x n + +c 2n 2 x 2n 2 +c 2n 1 x 2n c 3n 3 x 3n 3 R <3n 2 [x] Their middle product is: a n b := c n 1 + c n x c 2n 2 x n 1 R <n [x] Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

13 Matrix interpretation of the middle product a 0 a 1... a n a 0... a n 2 a n a 0... a n 2 a n 1 b 2n 2 b 2n b 0 = c 2n 2 c 2n 3.. c n 1 * all the results generalize to any d middle coefficients Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

14 PLWE and MP-LWE distributions D α q : Gaussian on R <n [x] with standard deviation α q. P f q,α(s) for a polynomial f of degree n and s Z q [x]/f sample a U(Z q [x]/f ) and e D α q return (a, b = a s + e) Z q [x]/f R q [x]/f MP n q,α(s) for s Z <2n 1 q [x] sample a U(Z <n q [x]) and e D α q return (a, b = a n s + e) Z <n q [x] R <n q [x] * We use the notation R q := R/qZ Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

15 PLWE and MP-LWE problems (decision) PLWE f q,α With non-negligible probability over s U(Z q [x]/f ), distinguish between P f q,α(s) and U(Z q [x]/f R q [x]/f ) (decision) MP-LWE n q,α With non-negligible probability over s U(Z <2n 1 q ), distinguish between MP n q,α(s) and U(Z <n q [x] R <n q [x]) Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

16 Hardness of MP-LWE Let n, S > 0, q 2, and α (0, 1). PLWE f q,α reduces to MP-LWE n q,α n S for any monic f Z[x] s.t. deg(f ) = n gcd(f 0, q) = 1 EF(f ) := max { g mod f g : g Z <2n 1 [x] \ {0} } < S Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

17 Proof idea = Rot f (b) Rot f (a) Rot f (s) + Rot f (e) Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

18 Proof idea = Rot f (b) Rot f (a) Rot f (s) + Rot f (e) Take first column M f b = Rot f (a) M f s + M f e Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

19 Proof idea = Rot f (b) Rot f (a) Rot f (s) + Rot f (e) Take first column M f b = Rot f (a) M f s + M f e Decompose Rot f (a) b = Toep(a) Rot f (1) M f s + M f e Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

20 Proof idea = Rot f (b) Rot f (a) Rot f (s) + Rot f (e) Take first column M f b = Rot f (a) M f s + M f e Decompose Rot f (a) b = Toep(a) Rot f (1) M f s + M f e Rename b = Toep(a) s + e Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

21 Application of MP-LWE Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

22 Public-Key Encryption from MP-LWE Let q be an odd integer. KeyGen(1 λ ) : sk := s U(Z <2n 1 q [x]) for i t = O(log q) a i U(Z <n q [x]) e i D αq n b i = a i n s + 2 e i pk := (a i, b i ) i Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

23 Public-Key Encryption from MP-LWE Let µ {0, 1} <n/2 [x] be a message. Encrypt(µ) : for i t, sample r i U({0, 1} <n/2+1 [x]) return c = (c 1, c 2 ) with: c 1 = r i a i, c 2 = µ + r i n/2 b i. Decrypt(c) : return the message µ = (c 2 c 1 n/2 s mod q) mod 2. Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

24 Correctness For all polynomials of compatible degrees: r n/2 (a n s) = (r a) n/2 s c 2 c 1 s = µ + r i b i ( r i a i ) s = µ + ( ri (a i n s + 2 e i ) (r i a i ) s ) = µ + 2 r i e i * If µ + 2 r i e i < q/2, then we can recover µ. Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

25 Security replace the public key with a truly uniform one (that s fine, thanks to the MP-LWE assumption) use the generalized Leftover Hash Lemma to prove that (a i, b i ) i, ri a i, ri n/2 b i and (a i, b i ) i, ri a i, u are statistically close. Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

26 Open Problems build other cryptographic primitives using MP-LWE better understand the link between PLWE and Ring-LWE give an algebraic interpretation of the middle product Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

27 Thank you. Miruna Roşca Middle-Product Learning With Errors 23/08/ / 24

Middle-Product Learning With Errors

Middle-Product Learning With Errors Miruna Roşca 1,2, Amin Sakzad 3, Damien Stehlé 1, and Ron Steinfeld 3 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), France 2 Bitdefender, Romania