SIS-based Signatures

Similar documents
How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Lecture 6: Lattice Trapdoor Constructions

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Cryptology. Scribe: Fabrice Mouhartem M2IF

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Ideal Lattices and NTRU

Homomorphic Signatures for Polynomial Functions

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Transitive Signatures Based on Non-adaptive Standard Signatures

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Attribute-based Encryption & Delegation of Computation

1 Number Theory Basics

Sampling Lattice Trapdoors

Efficient Identity-Based Encryption Without Random Oracles

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

Constructing secure MACs Message authentication in action. Table of contents

Foundations of Cryptography

Gentry s SWHE Scheme

Short and Stateless Signatures from the RSA Assumption

Classical hardness of Learning with Errors

6.892 Computing on Encrypted Data October 28, Lecture 7

Secure Hash-and-Sign Signatures Without the Random Oracle

Uninstantiability of Full-Domain Hash

Lattice-based Multi-signature with Linear Homomorphism

Lecture 18: Message Authentication Codes & Digital Signa

PSS Is Secure against Random Fault Attacks

John Hancock enters the 21th century Digital signature schemes. Table of contents

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Efficient Identity-based Encryption Without Random Oracles

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Classical hardness of the Learning with Errors problem

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures

6.892 Computing on Encrypted Data September 16, Lecture 2

A survey on quantum-secure cryptographic systems

Anonymous Signatures Made Easy

Katz, Lindell Introduction to Modern Cryptrography

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Schnorr Signature. Schnorr Signature. October 31, 2012

A Group Signature Scheme from Lattice Assumptions

Efficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption

Public Key Cryptography

Short Signatures from Diffie-Hellman, Revisited: Sublinear Public Key, CMA Security, and Tighter Reduction

Digital Signatures. Adam O Neill based on

Asymptotically Efficient Lattice-Based Digital Signatures

Tightly-Secure Signatures From Lossy Identification Schemes

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

Asymptotically Efficient Lattice-Based Digital Signatures

A Full Homomorphic Message Authenticator with Improved Efficiency

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

10 Concrete candidates for public key crypto

Block Ciphers/Pseudorandom Permutations

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Short Signatures Without Random Oracles

Lattice Cryptography

Threshold RSA for Dynamic and Ad-Hoc Groups

Lecture Notes on Secret Sharing

Introduction to Cryptography

Homomorphic Signatures for Polynomial Functions

Classical hardness of Learning with Errors

An improved compression technique for signatures based on learning with errors

Post-quantum verifiable random functions from ring signatures

Parameter selection in Ring-LWE-based cryptography

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Practice Exam Winter 2018, CS 485/585 Crypto March 14, 2018

Some security bounds for the DGHV scheme

II. Digital signatures

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lossy Trapdoor Functions and Their Applications

Open problems in lattice-based cryptography

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Digital signature schemes

Design Validations for Discrete Logarithm Based Signature Schemes

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

Notes for Lecture 16

Provably Secure Partially Blind Signatures

Lattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris

Gentry s Fully Homomorphic Encryption Scheme

Digital Signatures. p1.

Short Signature Scheme From Bilinear Pairings

CS Topics in Cryptography January 28, Lecture 5

Comparing With RSA. 1 ucl Crypto Group

Upper Bound on λ 1. Science, Guangzhou University, Guangzhou, China 2 Zhengzhou University of Light Industry, Zhengzhou, China

ECS 189A Final Cryptography Spring 2011

Chosen-Ciphertext Security from Subset Sum

A Digital Signature Scheme based on CVP

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Realizing Hash-and-Sign Signatures under Standard Assumptions

Code-based public-key encryption resistant to key leakage

Practice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017

Lattice Mixing and Vanishing Trapdoors

Background: Lattices and the Learning-with-Errors problem

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

COS598D Lecture 3 Pseudorandom generators from one-way functions

CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD

Transcription:

Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n log, the Gaussian parameter. SIS-based Signatures Scribe: Fernando Krell For a matrix A Z n m and vector u Z n denote L (A) = { x Z m A x = 0 mod } L u (A) = { x Zm A x = u mod } Micciancio and Peikert 2012 [MP12] describe the following useful procedures (A, t) TrapSamp(r, m,, s) such that: A is nearly uniform in Z n m. Given A and t, it is easy to solve SIS in L (A). Even more, we have a procedure y PreImageSamp(A, t, s, u) such that y is close to discrete Gaussian in lattice L u with small parameter s m. Namely y D L u (A),s. Note that D L u (A),s = D Z n,s Ax = u mod. That is, sampling from discrete Gaussian over the lattice L u (A), is the same as sampling from Gaussian in Zn conditioned on that the sampled points x satisfy Ax = u mod. Definition 1 (Signature Scheme). A signature scheme is a tuple of three polynomial time algorithms KeyGen, Sign, and Verify such that (pk, sk) KeyGen(1 n ) σ Sign(m, sk). Accept/Reject Verify(σ, m, pk). For all (pk, sk) KeyGen(1 n ), and for every message m and for every possible σ Sign(m, sk), it holds that Pr[Verify(σ, m, pk)] = 1 1

Definition 2 ([GMR86]). A signature scheme S = (KeyGen, Sign, Verify) is strong existentially unforgeable under adaptive chosen message attack is for every feasible attacker F that is given a public key pk, corresponding to secret key sk, and oracle access to Sign(, sk), and outputs pair (m, σ ) Pr[Verify(σ, m, pk) (m, σ ) (m i, σ i ) i] = negl(n) Where m i denotes the i-th message ueried to the oracle Sign(, sk), and σ i its answer. The GPV signature scheme presented next is secure in the sense of the above definition, in the Random Oracle Model (ROM), under the assumed hardness of SIS problem. The Random Oracle Model. Schemes in this model have access to a function H : Σ Z n. In the security analysis, we pretend that this function is a truly random function, that is, H assigns to every message a uniformly random vector y = H(m) Z n. The GPV Signature Scheme [GPV08] Let H : Σ Z n be a hash function. The GPV signature scheme using H consists of the following algorithms: KeyGen(1 n ): Run TrapSamp(n, m,, s) to get pair (A, t). Output (pk = A, sk = (A, t)). Sign(m, sk = (A, t)): Compute y = H(m), and output short vector u PreImageSamp(A, t, s, y Verify( u, m, pk = A): Compute y = H(m). u < 6n log. Output Accept if and only if A u = y and Remark 1. We need to make sure that we always output the same signature for the same message. Otherwise, the scheme can be broken. We can do this by keeping a table of all signatures computed so far, or by using a pseudorandom function, computing the random coins for the PreImageSamp procedure as PRF(m). Correctness Since the vector u was computed using PreImageSamp algorithm, it is distributed close to D L y,s, thus A u = y. Moreover, using s = 2 n log > η 2 n(l (A)) with high probability 1, so it s expected size is 2s m = 4 2n log < 6n log, and Pr[ u > 6n log ] < 2 n. Remark 2. Recall from lecture 5 that the smoothing parameter η α of a lattice L is the smallest Gaussian parameter s such that ρ 1/s (L \ {0}) α. Where ρ s ( x) = e π( x / s )2 is the Gaussian probability density function with parameter s (centered at 0). If α is not too large then η α 1 λ 1 (L ) λ n(l). Also, a vector x sampled from this distribution has length s k with high probability, where k is the dimension of the lattice. 1 We prove this later 2

Security We prove security by showing that if a forger F, running in time T, has success probability ε relative to a random function H, then there is a solver S that uses F to solve the SIS problem with probability ε in time T. Solver A Z n m pk m 1 σ 1. m i σ i F m i H(m i ) u L (A) (m, σ ) The solver S: gets as input matrix A. To run the forger F, S need to provide a public key, oracle response to hash function and oracle response to signatures ueries. Set A as the public key. For each random oracle uery H(m i ), sample x i D Z n,s. set y i = A x i mod, reply with H(m i ) = y i. Record tuple (m i, x i, y i ) for future ueries. For each signature uery Sign(m i ). get H(m i ) executing the procedure above. Finds tuple (m i, x i, y i ) and outputs x i as the signature. At the end of the interaction F outputs a forgery (m, u ). S now execute one more random oracle uery on m to get x and returns x u as the SIS solution. To prove that S solves SIS with probability ε, we need to show two things: 1. The answers that F gets from S are distributed close to the same distribution as when F interacts with the scheme. Proof. In the scheme H(m) = y m R Z n x D L y,s. In contrast, the solver chooses first x from D Z m,s and compute y as Ax mod. Conditioned in y, we can see this as sampling x from D L y,s If s > η 2 n(l (A)), then x reduced modulo basic cell of L (A) is nearly uniform. In problem set 4, problem 2, we prove that this implies that A x = y is nearly uniform in Z n. Thus, the distribution of y is teh same as in the scheme. At the same time, the distribution of x conditioned on y are also the same in the scheme and in the solver since D L y (A),s is the same as D Z m,s conditioned on the outcome satisfying A x = y. 3

2. If (m, u ) is a valid forgery, then S outputs a solution to SIS (with high probability). Proof. By the proof above F outputs a valid forgery with probability ε when interacting with S. This implies that for y = H(m ), it holds that y = A u = Ax, hence A( x u ) = 0 mod, and thus ( x u ) L (A). Also, u < 6n log because u is a valid forgery. Now, x < 6n log because x was sampled from a Gaussian distribution with parameter s. Therefore, x y < 12n log. We need to prove that x u. Two cases to analyze: If F asked for a signature of m, then it received x, thus u x, since u is a valid new forgery. If F did not asked for a signature on m then F can only know about x what s implied by y. So from F point of view, the min-entropy of x is H (D L y (A) ). If s > η 2 n(l y (A)), then x has min entropy n bits. Hence, Pr[ x = u ] < 2 n. We end the security proof by showing that s is lager than the smoothness parameter with parameter α = 2 n. Claim 1. s > η 2 n(l (A)). Proof. Denote L(A) = { u Z n v Z n such that u = va}. Observe that this lattice is almost dual of L (A). In fact, (L (A)) = L(A)/. We show that with high probability over A R Z n m, λ 1 (L(A)) > 4. Where λ 1 denotes the successive minima in infinity norm. Fix any short non-zero vector u Z n such that u < 4. What is the probability that u L(A)? Pr[ u L(A)] = Pr [ v A A Zn such that va = u mod ] v Z n \{ 0} m n Pr[ va = u mod ] A There are ( m 2) possible vectors u 0 with u 4 Hence (coordinates between -/4 and /4). Pr[ u 0 u 4 u L(A)] ( 2 ) m n m n 2 m 2 n Where last ineuality holds since m 2n log. This implies that λ 1 (L (A) ) = λ 1(L(A)) > 1 4. Thus, 4

η 2 n(l (A)) 1 log(2n(1 + 2 n )) λ 1 ((L (A)) ) π log n + n + 2 4 π 4 log n + n < s [GMR86] S. Goldwasser, S. Micali, R. Rivest. A Digital Signature Scheme Secure Against Adaptive Chosen-Message Attacks. In SIAM Journal of Computing, 1988. Trapdoors for hard lattices and new crypto- [GPV08] C. Gentry, C. Peikert, V. Vaikuntanathan. graphic constructions. In STOC, 2008. [MP12] D. Micciancio, C. Peikert. Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller. In Advances in Cryptology - EUROCRYPT 2012. 5

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback