Part 2 LWE-based cryptography

Similar documents
Practical, Quantum-Secure Key Exchange from LWE

Post-quantum key exchange based on Lattices

Post-quantum key exchange for the Internet based on lattices

From NewHope to Kyber. Peter Schwabe April 7, 2017

Classical hardness of the Learning with Errors problem

Classical hardness of Learning with Errors

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Classical hardness of Learning with Errors

Background: Lattices and the Learning-with-Errors problem

Lattice Based Crypto: Answering Questions You Don't Understand

Leakage of Signal function with reused keys in RLWE key exchange

Hardness and advantages of Module-SIS and Module-LWE

FrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

Report on Learning with Errors over Rings-based HILA5 and its CCA Security

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Post-Quantum Cryptography

Lattice-Based Cryptography

Open problems in lattice-based cryptography

Improved Parameters for the Ring-TESLA Digital Signature Scheme

Parameter selection in Ring-LWE-based cryptography


Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

Notes for Lecture 16

Solving LWE with BKW

Weaknesses in Ring-LWE

CRYPTANALYSIS OF COMPACT-LWE

Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR

Cryptology. Scribe: Fabrice Mouhartem M2IF

Post-Quantum Cryptography & Privacy. Andreas Hülsing

NewHope for ARM Cortex-M

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Quantum-resistant cryptography

6.892 Computing on Encrypted Data September 16, Lecture 2

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Shai Halevi IBM August 2013

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

A simple lattice based PKE scheme

Practical Analysis of Key Recovery Attack against Search-LWE Problem

FULLY HOMOMORPHIC ENCRYPTION

ASYMMETRIC ENCRYPTION

Lossy Trapdoor Functions and Their Applications

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Lattice Cryptography

Implementing Ring-LWE cryptosystems

Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)

On error distributions in ring-based LWE

A Framework to Select Parameters for Lattice-Based Cryptography

Jintai Ding*, Saraswathy RV. Lin Li, Jiqiang Liu

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Introduction to Quantum Safe Cryptography. ENISA September 2018

Lattice Cryptography

Recent Advances in Identity-based Encryption Pairing-free Constructions

The quantum threat to cryptography

Some security bounds for the DGHV scheme

Fault Attacks Against Lattice-Based Signatures

Chosen-Ciphertext Security from Subset Sum

6.892 Computing on Encrypted Data October 28, Lecture 7

Markku-Juhani O. Saarinen

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Introduction to Cybersecurity Cryptography (Part 4)

An intro to lattices and learning with errors

Multikey Homomorphic Encryption from NTRU

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Report Fully Homomorphic Encryption

Introduction to Cybersecurity Cryptography (Part 4)

Ideal Lattices and NTRU

Fully Homomorphic Encryption and Bootstrapping

Short generators without quantum computers: the case of multiquadratics

Practical CCA2-Secure and Masked Ring-LWE Implementation

Post-quantum security models for authenticated encryption

Practical Fully Homomorphic Encryption without Noise Reduction

Public Key Cryptography

CS Topics in Cryptography January 28, Lecture 5

Revisiting Lattice Attacks on overstretched NTRU parameters

How to validate the secret of a Ring Learning with Errors (RLWE) key

Picnic Post-Quantum Signatures from Zero Knowledge Proofs

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Proving Hardness of LWE

An improved compression technique for signatures based on learning with errors

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Key Recovery for LWE in Polynomial Time

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Multi-key fully homomorphic encryption report

An introduction to supersingular isogeny-based cryptography

MATH 158 FINAL EXAM 20 DECEMBER 2016

A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors

UNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.

A Generic Attack on Lattice-based Schemes using Decryption Errors

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Supersingular Isogeny Key Encapsulation

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Ring-SIS and Ideal Lattices

Ring-LWE: Applications to cryptography and their efficient realization

1 Public-key encryption

Transcription:

Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements:

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 2 Post-quantum crypto Classical crypto with no known exponential quantum speedup Hash-based Code-based Multivariate Latticebased Isogenies Merkle signatures Sphincs McEliece Niederreiter multivariate quadratic NTRU learning with errors ring-lwe supersingular elliptic curve isogenies

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 3 Quantum-safe crypto Classical post-quantum crypto Quantum crypto Quantum key distribution Hash-based Merkle signatures Sphincs Code-based McEliece Niederreiter Multivariate multivariate quadratic Latticebased NTRU learning with errors ring-lwe Isogenies supersingular elliptic curve isogenies Quantum random number generators Quantum channels Quantum blind computation

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 4 Today's agenda 1. Quantum computing and its impact on cryptography (Mosca) 2. LWE-based cryptography (Stebila) 3. Isogeny-based cryptography (Jao) 4. Additional topics Security models for post-quantum cryptography (Jao) Applications (Stebila) Topics excluded: Code-based cryptography Hash-based signatures Multivariate cryptography

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 5 Learning with errors problems

Linear system problem: given blue, find red SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 6 Solving systems of linear equations Z 7 4 13 4 1 11 10 5 5 9 5 3 9 0 10 1 3 3 2 12 7 3 4 6 5 11 4 3 3 5 0 secret Z 4 1 13 = Z 7 1 13 4 8 1 10 4 12 9

Linear system problem: given blue, find red SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 7 Solving systems of linear equations Z 7 4 13 4 1 11 10 5 5 9 5 3 9 0 10 1 3 3 2 12 7 3 4 6 5 11 4 3 3 5 0 secret Z 4 1 13 6 9 = 11 11 Z 7 1 13 4 8 1 10 4 12 9

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 8 Learning with errors problem random secret small noise Z 7 4 13 Z 4 1 13 Z 7 1 13 Z 7 1 13 4 1 11 10 5 5 9 5 3 9 0 10 1 3 3 2 12 7 3 4 6 5 11 4 3 3 5 0 6 0 9 11-1 + = 1 11 1 1 0-1 4 7 2 11 5 12 8

Search LWE problem: given blue, find red SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 9 Learning with errors problem random secret small noise Z 7 4 13 Z 4 1 13 Z 7 1 13 Z 7 1 13 4 1 11 10 5 5 9 5 3 9 0 10 1 3 3 2 12 7 3 4 6 5 11 4 3 3 5 0 + = 4 7 2 11 5 12 8

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 10 Search LWE problem Let n, m, and q be positive integers. Let s and e be distributions over Z. Let s $ n $ s. Let a i U(Z n $ q ), e i e, and set b i ha i, si + e i mod q, for i =1,...,m. The search LWE problem for (n, m, q, s, e) is to find s given (a i,b i ) m i=1. In particular, for algorithm A, define the advantage Adv lwe n,m,q, s, e (A) =Pr s $ n s ; a i $ U(Z n q ); e i $ b i ha i, s i i + e mod q : A((a i,b i ) m i=1) =s). e;

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 11 Decision learning with errors problem random secret small noise looks random Z 7 4 13 Z 4 1 13 Z 7 1 13 Z 7 1 13 4 1 11 10 5 5 9 5 3 9 0 10 1 3 3 2 12 7 3 4 6 5 11 4 3 3 5 0 + = 4 7 2 11 5 12 8 Decision LWE problem: given blue, distinguish green from random

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 12 Decision LWE problem Let n and q be positive integers. Let s and e be distributions over Z. Let s $ n s. Define the following two oracles: O e,s: a $ U(Z n q ), e $ e;return(a, ha, si + e mod q). U: a $ U(Z n q ), u $ U(Z q ); return (a,u). The decision LWE problem for (n, q, s, e) is to distinguish O,s from U. In particular, for algorithm A, define the advantage Adv dlwe n,q, s, e (A) = Pr(s $ Z n q : A O e,s () = 1) Pr(A U () = 1).

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 13 Choice of error distribution Usually a discrete Gaussian distribution of width s = q < 1 for error rate Define the Gaussian function s (x) =exp( kxk 2 /s 2 ) The continuous Gaussian distribution has probability density function Z f(x) = s (x)/ s (z)dz = s (x)/s n R n

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 14 Short secrets The secret distribution s was originally taken to be the uniform distribution Short secrets: use s = e There's a tight reduction showing that LWE with short secrets is hard if LWE with uniform secrets is hard

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 15 Toy example versus real-world example Z 7 4 13 4 1 11 10 5 5 9 5 3 9 0 10 1 3 3 2 12 7 3 4 6 5 11 4 3 3 5 0 752 2738 3842 3345 2979 2896 595 3607 377 1575 2760 Z 752 8 2 15 8 752 8 15 bits = 11 KiB

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 16 Ring learning with errors problem random Z 7 4 13 4 1 11 10 10 4 1 11 11 10 4 1 1 11 10 4 4 1 11 10 10 4 1 11 11 10 4 1 Each row is the cyclic shift of the row above

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 17 Ring learning with errors problem random Z 7 4 13 4 1 11 10 3 4 1 11 2 3 4 1 12 2 3 4 9 12 2 3 10 9 12 2 11 10 9 12 Each row is the cyclic shift of the row above with a special wrapping rule: x wraps to x mod 13.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 18 Ring learning with errors problem random Z 7 4 13 4 1 11 10 Each row is the cyclic shift of the row above with a special wrapping rule: x wraps to x mod 13. So I only need to tell you the first row.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 19 Ring learning with errors problem 4 + 1x + 11x 2 + 10x 3 Z 13 [x]/hx 4 +1i random + 6 + 9x + 11x 2 + 11x 3 0 1x + 1x 2 + 1x 3 secret small noise = 10 + 5x + 10x 2 + 7x 3

Search ring-lwe problem: given blue, find red SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 20 Ring learning with errors problem 4 + 1x + 11x 2 + 10x 3 Z 13 [x]/hx 4 +1i random secret + small noise = 10 + 5x + 10x 2 + 7x 3

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 21 Search ring-lwe problem Let R = Z[X]/hX n +1i, wheren is a power of 2. Let q be an integer, and define R q = R/qR, i.e.,r q = Z q [X]/hX n +1i. Let s and e be distributions over R q. Let s $ s. Let a $ U(R q ), e $ e, and set b as + e. The search ring-lwe problem for (n, q, s, e) is to find s given (a, b). In particular, for algorithm A define the advantage Adv rlwe n,q, s, e (A) =Pr s $ s; a $ U(R q ); e $ e; b as + e : A(a, b) =s.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 22 Decision ring-lwe problem Let n and q be positive integers. Let s and e be distributions over R q. Let s $ s. Define the following two oracles: O e,s: a $ U(R q ), e $ e;return(a, as + e). U: a, u $ U(R q ); return (a, u). The decision ring-lwe problem for (n, q, s, e) is to distinguish O e,s from U. In particular, for algorithm A, define the advantage Adv drlwe n,q, s, e (A) = Pr(s $ R q : A O e,s () = 1) Pr(A U () = 1).

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 23 Problems Computational LWE problem Decision LWE problem with or without short secrets Computational ring-lwe problem Decision ring-lwe problem

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 24 Search-decision equivalence Easy fact: If the search LWE problem is easy, then the decision LWE problem is easy. Fact: If the decision LWE problem is easy, then the search LWE problem is easy. Requires nq calls to decision oracle Intuition: test the each value for the first component of the secret, then move on to the next one, and so on.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 25 NTRU problem For an invertible s 2 R q and a distribution on R, define N s, to be the distribution that outputs e/s 2 R q where e $. The NTRU learning problem is: given independent samples a i 2 R q where every sample is distributed according to either: (1) N s, for some randomly chosen s 2 R q (fixed for all samples), or (2) the uniform distribution, distinguish which is the case.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 26 "Lattice-based"

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 27 Hardness of decision LWE "lattice-based" worst-case gap shortest vector problem (GapSVP) poly-time [Regev05, BLPRS13] decision LWE

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 28 Lattices Let B = {b 1, b n } Z n n q be a set of linearly independent basis vectors for Z n q. Define the corresponding lattice ( n ) X L = L(B) = z i b i : z i 2 Z. (In other words, a lattice is a set of integer linear combinations.) i=1 Define the minimum distance of a lattice as 1(L) = min kvk. v2l\{0}

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 29 Shortest vector problem The shortest vector problem (SVP) is: given a basis B for some lattice L = L(B), find a shortest non-zero vector, i.e., find v 2 L such that kvk = 1 (L). The decision approximate shortest vector problem (GapSVP ) is: given a basis B for some lattice L = L(B) whereeither 1(L) apple 1 or 1(L) >, determine which is the case.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 30 Regev's iterative reduction Theorem. [Reg05] For any modulus q apple 2 poly(n) and any discretized Gaussian error distribution of parameter q 2 p n where 0 < < 1, solving the decision LWE problem for (n, q, U, ) with at most m = poly(n) samples is at least as hard as quantumly solving GapSVP and SIVP on arbitrary n- dimensional lattices for some = Õ(n/ ). The polynomial-time reduction is extremely non-tight: approximately O(n 13 ). [Regev; STOC 2005]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 31 Solving the (approximate) shortest vector problem The complexity of GapSVP depends heavily on how and n relate, and get harder for smaller. Algorithm Time Approx. factor LLL algorithm poly(n) (n log log n/ log n) 2 various 2 (n log n) poly(n) various 2 (n) time and space poly(n) Sch87 2 (n/k) 2 k p NP \ co-np n NP-hard n o(1) In cryptography, we tend to use n.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 32 Picking parameters Estimate parameters based on runtime of lattice reduction algorithms. Based on reductions: Calculate required runtime for GapSVP or SVP based on tightness gaps and constraints in each reduction Pick parameters based on best known GapSVP or SVP solvers or known lower bounds Based on cryptanalysis: Ignore tightness in reductions. Pick parameters based on best known LWE solvers relying on lattice solvers.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 33 Ring-LWE LWE Cyclic structure Z 7 4 13 4 1 11 10 Þ Save communication, more efficient computation 4 KiB representation 752 2738 3842 3345 2979 2896 595 3607 377 1575 2760 Z 752 8 2 15 8 752 8 15 bits = 11 KiB

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 34 Why consider (slower, bigger) LWE? Generic vs. ideal lattices Ring-LWE matrices have additional structure Relies on hardness of a problem in ideal lattices LWE matrices have no additional structure Relies on hardness of a problem in generic lattices Currently, best algorithms for ideal lattice problems are essentially the same as for generic lattices Small constant factor improvement in some cases Very recent quantum polynomial time algorithm for Ideal-SVP (http://eprint.iacr.org/2016/885) but not immediately applicable to ring- LWE NTRU also relies on a problem in a type of ideal lattices If we want to eliminate this additional structure, can we still get an efficient protocol?

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 35 Public key encryption from LWE

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 36 Regev's public key encryption scheme Let n, m, q, be LWE parameters. KeyGen(): s $ Z n q. A $ Z m n q. e $ (Z m q ). b As + e. Return pk (A, b), sk s. Enc(pk, x 2 {0, 1}): s 0 $ {0, 1} m. b 0 s 0 A. v 0 hs 0, bi. c x encode(v 0 ). Return (b 0,c). Dec(sk, (b 0,c)): v hb 0, si. Returndecode(v). [Regev; STOC 2005]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 37 Encode/decode encode(x 2 {0, 1}) j q x 2k ( decode(x 2 Z q ) 0, if x 2 [ 1, otherwise q 4, q 4 ) [Regev; STOC 2005]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 38 Lindner Peikert public key encryption Let n, q, be LWE parameters. KeyGen(): s $ (Z n ). A $ Z n n q. e $ (Z n ). b As + e. Return pk (A, b) and sk s. Enc(pk, x 2 {0, 1}): s 0 $ (Z n ). e 0 $ (Z n ). b 0 s 0 A + e 0. e 00 $ ṽ 0 hs 0, bi + e 00. c encode(x)+ṽ 0.Returnctxt ( b 0,c). (Z). Dec(sk, ( b 0,c)): v h b 0, si. Returndecode(c v). [Lindner, Peikert; CT-RSA 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 39 Correctness Sender and receiver approximately compute the same shared secret s 0 As ṽ 0 = hs 0, bi + e 00 = s 0 (As + e)+e 00 = s 0 As + hs 0, ei + e 00 s 0 As v = h b 0, si =(s 0 A + e 0 )s = s 0 As + he 0, si s 0 As

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 40 Difference between Regev and Lindner Peikert Regev: Bob s public key is s 0 A where s 0 $ {0, 1} m Encryption mask is hs 0, bi Lindner Peikert: Bob s public key is s 0 A + e 0 where s 0 $ e Encryption mask is hs 0, bi + e 00 In Regev, Bob s public key is a subset sum instance. In Lindner Peikert, Bob s public key and encryption mask is just another LWE instance.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 41 IND-CPA security of Lindner Peikert Indistinguishable against chosen plaintext attacks Theorem. If the decision LWE problem is hard, then Lindner Peikert is IND- CPA-secure. Let n, q, be LWE parameters. Let A be an algorithm. Then there exist algorithms B 1, B 2 such that Adv ind-cpa LP[n,q, ](A) apple Advdlwe n,q, (A B 1 )+Adv dlwe n,q, (A B 2 ) [Lindner, Peikert; CT-RSA 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 42 IND-CPA security of Lindner Peikert Game 0: Decision-LWE Game 1: Rewrite Game 2: 1: A $ U(Z n n q ) 2: s, e $ (Z n q ) 3: b As + e 4: s 0, e 0 $ (Z n q ) 5: b0 s 0 A + e 0 6: e 00 $ (Z q ) 7: ṽ 0 s 0 b + e 00 8: c 0 encode(0) + ṽ 0 9: c 1 encode(1) + ṽ 0 10: b $ U({0, 1}) 11: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0, e 0 $ (Z n q ) 4: b0 s 0 A + e 0 5: e 00 $ (Z q ) 6: ṽ 0 s 0 b + e 00 7: c 0 encode(0) + ṽ 0 8: c 1 encode(1) + ṽ 0 9: b $ U({0, 1}) 10: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0 $ 4: [e 0 ke 00 ] 5: (Z n q ) $ (Z n+1 q ) [ b 0 kṽ 0 ] s 0 [Ak b]+[e 0 ke 00 ] 6: c 0 encode(0) + ṽ 0 7: c 1 encode(1) + ṽ 0 8: b $ U({0, 1}) 9: return (A, b, b 0,c b ) [Lindner, Peikert; CT-RSA 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 43 IND-CPA security of Lindner Peikert Game 2: Decision-LWE Game 3: Rewrite Game 4: 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0 $ 4: [e 0 ke 00 ] 5: (Z n q ) $ (Z n+1 q ) [ b 0 kṽ 0 ] s 0 [Ak b]+[e 0 ke 00 ] 6: c 0 encode(0) + ṽ 0 7: c 1 encode(1) + ṽ 0 8: b $ U({0, 1}) 9: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: [ b 0 kṽ 0 ] $ U(Z n+1 q ) 4: c 0 encode(0) + ṽ 0 5: c 1 encode(1) + ṽ 0 6: b $ U({0, 1}) 7: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: [ b 0 kṽ 0 ] $ U(Z n+1 q ) 4: b $ U({0, 1}) 5: return (A, b, b 0, ṽ 0 ) Independent of hidden bit [Lindner, Peikert; CT-RSA 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 44 Public key validation No public key validation possible in IND-CPA KEMs/PKEs from LWE/ring- LWE Key reuse in LWE/ring-LWE leads to real attacks following from searchdecision equivalence Comment in [Peikert, PQCrypto 2014] Attack described in [Fluhrer, Eprint 2016] Need to ensure usage is okay with just IND-CPA Or construct IND-CCA KEM/PKE using Fujisaki Okamoto transform or quantum-resistant variant [Targhi Unruh, TCC 2016] [Hofheinz et al., Eprint 2017]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 45 Direct key agreement

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 46 LWE and ring-lwe public key encryption and key exchange Regev STOC 2005 Public key encryption from LWE Lyubashevsky, Peikert, Regev Eurocrypt 2010 Public key encryption from ring-lwe Lindner, Peikert eprint 2010, CT-RSA 2011 Public key encryption from LWE and ring-lwe Approximate key exchange from LWE Ding, Xie, Lin eprint 2012 Key exchange from LWE and ring-lwe with single-bit reconciliation Peikert PQCrypto 2014 Key encapsulation mechanism based on ring-lwe and variant single-bit reconciliation Bos, Costello, Naehrig, Stebila IEEE S&P 2015 Implementation of Peikert's ring-lwe key exchange, testing in TLS 1.2

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 47 Basic LWE key agreement (unauthenticated) Based on Lindner Peikert LWE public key encryption scheme Alice public: big A in Z q n x m Bob secret: random small s, e in Z q m b = As + e secret: random small s', e' in Z q n b' = s'a + e' shared secret: b's = s'as + e's s'as shared secret: s'b s'as These are only approximately equal need rounding

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 48 Rounding Each coefficient of the polynomial is an integer modulo q Treat each coefficient independently Techniques by Ding [Din12] and Peikert [Pei14] [Ding; eprint 2012] [Peikert; PQCrypto 2014]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 49 Basic rounding Round either to 0 or q/2 Treat q/2 as 1 q/4 This works most of the time: prob. failure 2-10. q/2 round to 1 round to 0 0 Not good enough: we need exact key agreement. 3q/4

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 50 Rounding (Peikert) Bob says which of two regions the value is in: or q/4 q/4 If q/2 0 q/2 0 3q/4 q/4 3q/4 If q/2 0 3q/4 [Peikert; PQCrypto 2014]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 51 Rounding (Peikert) If alice bob q/8, then this always works. q/4 bob alice alice If q/2 0 alice 3q/4 Security not affected: revealing or leaks no information [Peikert; PQCrypto 2014]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 52 Exact LWE key agreement (unauthenticated) Alice public: big A in Z q n x m Bob secret: random small s, e in Z q m b = As + e secret: random small s', e' in Z q n b' = s'a + e', or shared secret: round(b's) shared secret: round(s'b)

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 53 Exact ring-lwe key agreement (unauthenticated) Alice public: big a in R q = Z q [x]/(x n +1) Bob secret: random small s, e in R q b = a s + e secret: random small s, e in R q b = a s + e, or shared secret: round(s b ) shared secret: round(b s )

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 54 Exact LWE key agreement "Frodo" Uses two matrix forms of LWE: Public key is n x n matrix Shared secret is m x n matrix A generated pseudorandomly Secure if decision learning with errors problem is hard (and Gen is a random oracle). [Bos et al.; ACM CCS 2016]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 55 Rounding Error distribution We extract 4 bits from each of the 64 matrix entries in the shared secret. 1400 1200 1000 More granular form of Peikert s 400 rounding. 200 1 15 800 600 0 104 406 919 1206 var. = 1.75 919 406 104 15 1-5 -4-3 -2-1 0 1 2 3 4 5 Parameter sizes, rounding, and error distribution all found via search scripts. Close to discrete Gaussian in terms of Rényi divergence (1.000301) Only requires 12 bits of randomness to sample

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 56 Parameters Recommended All known variants of the sieving algorithm require a list of vectors to be created of this size Paranoid 144-bit classical security, 130-bit quantum security, 103-bit plausible lower bound n = 752, m = 8, q = 2 15 χ = approximation to rounded Gaussian with 11 elements Failure: 2-38.9 Total communication: 22.6 KiB 177-bit classical security, 161-bit quantum security, 128-bit plausible lower bound n = 864, m = 8, q = 2 15 χ = approximation to rounded Gaussian with 13 elements Failure: 2-33.8 Total communication: 25.9 KiB

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 57 Exact ring-lwe key agreement "BCNS15" [Bos, Costello, Naehrig, Stebila; IEEE S&P 2015]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 58 Parameters 160-bit classical security, 80-bit quantum security n = 1024 q = 2 32 1 χ = discrete Gaussian with parameter sigma = 8/sqrt(2π) Failure: 2-12800 Total communication: 8.1 KiB

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 59 Implementation aspect 1: Polynomial arithmetic Polynomial multiplication in R q = Z q [x]/(x 1024 +1) done with Nussbaumer s FFT: If 2 m = rk, then R[X] hx 2m +1i = R[Z] hz r +1i [X] hx k Zi Rather than working modulo degree-1024 polynomial with coefficients in Z q, work modulo: degree-256 polynomial whose coefficients are themselves polynomials modulo a degree-4 polynomial, or degree-32 polynomials whose coefficients are polynomials modulo degree-8 polynomials whose coefficients are polynomials or

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 60 Implementation aspect 2: Sampling discrete Gaussians D Z, (x) = 1 S e x 2 2 2 for x 2 Z, 3.2,S =8 Security proofs require small elements sampled within statistical distance 2-128 of the true discrete Gaussian We use inversion sampling: precompute table of cumulative probabilities For us: 52 elements, size = 10000 bits Sampling each coefficient requires six 192-bit integer comparisons and there are 1024 coefficients 51 1024 for constant time

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 61 Sampling is expensive [Bos, Costello, Naehrig, Stebila; IEEE S&P 2015]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 62 NewHope Alkim, Ducas, Pöppelman, Schwabe. USENIX Security 2016 New parameters Different error distribution Improved performance Pseudorandomly generated parameters Further performance improvements by others [GS16,LN16,AOPPS17, ] https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 63 Implementations Our implementations Ring-LWE BCNS15 LWE Frodo Pure C implementations Constant time Compare with others RSA 3072-bit (OpenSSL 1.0.1f) ECDH nistp256 (OpenSSL) Use assembly code Ring-LWE NewHope NTRU EES743EP1 SIDH (Isogenies) (MSR) Pure C implementations

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 64 Post-quantum key exchange performance Speed Communication RSA 3072-bit Fast 4 ms Small 0.3 KiB ECDH nistp256 Very fast 0.7 ms Very small 0.03 KiB Code-based Very fast 0.5 ms Very large 360 KiB NTRU Very fast 0.3 1.2 ms Medium 1 KiB Ring-LWE Very fast 0.2 1.5 ms Medium 2 4 KiB LWE Fast 1.4 ms Large 11 KiB SIDH Med. slow 15 400 ms Small 0.5 KiB See [Bos, Costello, Ducas, Mironov, Naehrig, Nikolaenko, Raghunathan, Stebila, ACM CCS 2016] for details/methodology

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 65 Other applications of LWE

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 66 Fully homomorphic encryption from LWE KeyGen(): s $ (Z n q ) Enc(sk, µ 2 Z 2 ): Pick c 2 Z n q satisfies e µ mod 2. such that hs, ci = e mod q where e 2 Z Dec(sk, c): Compute hs, ci 2Z q, represent this as e 2 Z \ [ Return µ 0 e mod 2. q 2, q 2 ). [Brakerski, Vaikuntanathan; FOCS 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 67 Fully homomorphic encryption from LWE c 1 + c 2 encrypts µ 1 + µ 2 : hs, c 1 + c 2 i = hs, c 1 i + hs, c 2 i = e 1 + e 2 mod q Decryption will work as long as the error e 1 + e 2 remains below q/2. [Brakerski, Vaikuntanathan; FOCS 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 68 Fully homomorphic encryption from LWE Let c 1 c 2 =(c 1,i c 2,j ) i,j 2 Z n2 q be the tensor product (or Kronecker product). c 1 c 2 is the encryption of µ 1 µ 2 under secret key s s: hs s, c 1 c 2 i = hs, c 1 i hs, c 2 i = e 1 e 2 mod q Decryption will work as long as the error e 1 e 2 remains below q/2. [Brakerski, Vaikuntanathan; FOCS 2011]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 69 Fully homomorphic encryption from LWE Error conditions mean that the number of additions and multiplications is limited. Multiplication increases the dimension (exponentially), so the number of multiplications is again limited. There are techniques to resolve both of these issues. Key switching allows converting the dimension of a ciphertext. Modulus switching and bootstrapping are used to deal with the error rate.

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 70 Digital signatures [Lyubashevsky 2011] KeyGen(): S $ { d,..., 0,...,d} m k, A $ Z n m q, T AS. Secret key: S; publickey:(a, T). Sign(S,µ): y $ m ; c H(Ay,µ); z Sc + y. With prob. p(z) output (z, c), else restart Sign. "Rejection sampling" Vfy((A, T),µ,(z, c)): Accept i kzk apple p m and c = H(Az Tc,µ) [Lyubashevsky; Eurocrypt 2012]

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 71 Post-quantum signature sizes Public key Signature RSA 3072-bit Small 0.3 KiB Small 0.3 KiB ECDSA nistp256 Very small 0.03 KiB Very small 0.03 KiB Hash-based (stateful) Small 0.9 KiB Medium 3.6 KiB Hash-based (stateless) Small 1 KiB Large 32 KiB Lattice-based (ignoring tightness) Lattice-based (respecting tightness) Medium 1.5 8 KiB Medium 3 9 KiB Very large 1330 KiB Small 1.2 KiB SIDH Small 0.3 0.75 KiB Very large 120 138 KiB See [Bindel, Herath, McKague, Stebila PQCrypto 2017] for details

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 72 Summary

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 73 Summary LWE and ring-lwe problems Search, decision, short secrets Reduction from GapSVP to LWE Public key encryption from LWE Regev Lindner Peikert Key exchange from LWE / ring-lwe Other applications of LWE

SAC Summer School 2017-08-14 Post-Quantum Cryptography Part 2 LWE-based cryptography 74 More reading Post-Quantum Cryptography by Bernstein, Buchmann, Dahmen A Decade of Lattice Cryptography by Chris Peikert https://web.eecs.umich.edu/~cpeikert/pubs/lattice-survey.pdf

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback