Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 1/ 23
Introduction Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module SIS and LWE Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 2/ 23
Lattice-based cryptography Worst-case to average-case reduction Learning With Errors dimension n, modulo q Lattice b 1 solve GapSVP/SIVP m Given A, A s + e find s and/or SIS n A Uniform in Z m n q s Uniform in Z n q e is a small error m n LWE-based Encryption Security proof Construction SIS-based Signature LWE and SIS-based advanced construction Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 3/ 23
Lattice-based cryptography From basic to very advanced primitives Public key encryption and Signature scheme (practical), [Regev 05, Gentry, Peikert and Vaikuntanathan 08, Lyubashevsky 12...]; Identity/Attribute-based encryption, [GPV 08 Gorbunov, Vaikuntanathan and Wee 13...]; Fully homomorphic encryption, [Gentry 09, BV 11,...]. Advantages (Asymptotically) efficient; Security proofs from the hardness of lattice problems; Likely to resist attacks from quantum computers. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 4/ 23
NIST competition From 2017 to 2024, NIST competition to find standard on post-quantum cryptography Total: 69 accepted submissions (round 1) Signature (5 lattice-based), Public key encryption / Key exchange mechanism (21 lattice-based) Other candidates: 17 code-based PKE/KEM, 7 multivariate signatures, 3 hash-based signatures, 7 from other assumptions (isogenies, PQ RSA...) and 4 attacked + 5 withdrawn. lattice-based constructions seem to be serious candidates (Assumptions: NTRU, SIS/LWE/LWR, Ring/Module-SIS/LWE/LWR, MP-LWE) Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 5/ 23
Foundamental problems to build cryptography Parameters: dimension n, m n, moduli q. For A U(Z m n q ): SIS β LWE α x m A = 0 mod q A, A s + e n s U(Z n q ), e a small error αq. Goal: Given A U(Z m n q ), Goal: Given ( A, A s + e ), find x s.t. 0 < x β. find s. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 6/ 23
Foundamental problems to build cryptography Parameters: dimension n, m n, moduli q. For A U(Z m n q ): SIS β LWE α x m A = 0 mod q A, A s + e n s U(Z n q ), e a small error αq. Find a small vector in Λ q ( A ) Solve BDD in Λ q ( A ) = { x Z m x T A = 0 mod q} = {y Z m : y = A s mod q for some s Z n } Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 6/ 23
Hardness results Worst-case to average-case reductions from lattice problems Hardness of the SIS problem [Ajtai 96, MR 04, GPV 08,...] Hardness of the LWE problem [Regev 05, Peikert 09, BLPRS 13...] Also in [BLPRS 13] Shrinking modulus / Expanding dimension: A reduction from LWE n q to LWE nk k q. Expanding modulus / Shrinking dimension: A reduction from LWE n q to LWE n/k q k. The hardness of LWE n q is a function of n log q. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 7/ 23
Lattice-based signature scheme Trapdoor for SIS TrapGen (A, T A ) such that T A allows to find short x( s) x A = 0 mod q With T A, we can solve SIS. Computing T A given A is hard, Constructing A and T A is easy. T A is a short basis of Λ q (A) = {x Z m x T A = 0 mod q} In a public key scheme: public key: A secret key: TA Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 8/ 23
Lattice-based signature scheme Signature scheme Key generation: pk = A, (Ai) i sk = TA To sign a message M: use TA to solve SIS: find small x such that x T A M = 0 mod q. To verify a signature x given M: check x T A M = 0 mod q and x small where: [ ] A A M = A 0 + i M in [Boyen 10] for example, ia i Knowing a trapdoor for A knowing a trapdoor for A M, Several known constructions [Boyen 10, CHKP 10..] Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 9/ 23
From SIS/LWE to structured variants Problem: constructions based on SIS/LWE enjoy a nice guaranty of security but are too costly in practice. replace Z n by a Ring, for example R = Z[x]/ x n + 1 (n = 2 k ). Ring variants since 2006: Rot(a 1 ) A Rot(a m ) Structured A Z m n n q represented by m n elements, Product with matrix/vector more efficient, Hardness of Ring-SIS, [Lyubashevsky and Micciancio 06] and [Peikert and Rosen 06] Hardness of Ring-LWE [Lyubashevsky, Peikert and Regev 10]. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 10/ 23
Ring-SIS based signature scheme [BFRS 18] Underlying to [ABB10] KeyGen(λ) (vk,sk) For M: choose uniform a Rq m 2 sk= T R (m 2) 2 gaussian pk= a = ( a T a T T ) T a M = ( a T H(M)g a T T ) T Discrete Gaussian short elements in R MP12 Trapdoors: a looks uniform, T trapdoor (allows to solve Ring-SIS) Sign(a, T, M) x Using T, find small x R m q with x T a M = 0, g gadget vector H : {0, 1} n R q Verify(a, x, M) {0, 1} Accept iff x T a M = 0 mod qr and x small. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 11/ 23
Implementing such a scheme Lot of conditions on parameters: hardness of Ring-SIS, correctness... How to be efficient? Preimage sampling [MP 12, GM 18], Fast multiplication of ring elements in R q = Z q / x n + 1 For example: use the NFLlib library [Aguilar et al. 16] Two important conditions: n = 2 k and q = 1 mod 2n x n + 1 splits completely into linear factors 3 main constraints on q = q i described to use the NTT Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 12/ 23
Example of parameters Table: Parameters set for the signature scheme n log q σ R-LWE σ δ R-SIS λ 512 30 4.2 2 64 1.011380 2 74 60 1024 24 5.8 2 378 1.008012 2 156 140 1024 30 6.3 2 246 1.007348 2 184 170 Gap in security because of the constraints on the parameter. Module variants tradeoff between security and efficiency Hardness of Module SIS and LWE [LS15,AD17] Dilithium & Kyber - Crystals NIST submissions [Avanzi et al.] Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 13/ 23
Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module variants Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 14/ 23
Module variants m Rot(a 1 ) Rot(a 1,1) Rot(a 1,d) A n Rot(a mr ) m r = m/n blocks of size n Rot(a mm,1) m m d blocks of size n d = n/d Rot(a mm,d) a i Z n q (a i, a i, s + e i ) s Z n q, e i Z R = Z[x]/ x n + 1 R = Z[x]/ x nd + 1 a i R q a i (R q ) d (a i, a i s + e i ) (a i, a i, s + e i ) s R q, e i R s (R q ) d, e i R Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 15/ 23
Module SIS and LWE For example in: R = Z[x]/ x n + 1 and R q = R/qR. Module-SIS q,m,β Given a 1,..., a m R d q independent and uniform, find z 1,..., z m R such that m i=1 a i z i = 0 mod q and 0 < z β. Let α > 0 and s (R q ) d, the distribution A (M) s,ν α is: a (R q ) d uniform, e sampled from D α, ) Outputs: (a, 1q a, s + e. Module-LWE q,να let s (R q ) d uniform, distinguish between an arbitrary number of samples from A (M) s,d α, or the same number from U((R q ) d T R ). A (M) s,d α c U((R q ) d T R ). Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 16/ 23
From Ring-SIS/LWE to Module-SIS/LWE SIS Ring-SIS-instance: a 1,..., a m R q, For 2 i d, 1 j m: sample a i,j, a j = (a j, a 2,j,..., a d,j ), Module-SIS: gives small z such that j a j z j = 0 j a j z j = 0 LWE Ring-LWE instance: (a, b = a s + e), Sample a 2,..., a d and s 2,..., s d, New sample: (a = (a, a 2,..., a d ), b + d i=2 a i s i ). s = (s, s1,..., s d ) (R q) d, then b + d i=2 ai si = a, s + e Module-LWE instance Module-SIS/LWE n,d,q at least as hard as Ring-SIS/LWE n,q Module-SIS/LWE n,d,q at least as hard as Ideal-SIVP n Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 17/ 23
Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module variants Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 18/ 23
Ideal and Module SIVP Shortest Independent Vector problem (SIVP γ ) Input: a basis B of a lattice, Output: find n = dim(l(b)) linearly independent s i such that max i s i γ λ n (L(B)). Ideal-SIVP problem restricted to ideal lattices. Module-SIVP problem restricted to module lattices. Let K be a number field, R its ring of integers, Let σ be an embedding from K to R n, σ(i) is an ideal lattice where I is an ideal of R, Let (σ,..., σ) be an embedding from K d to R n d d, σ(m) is a module lattice where M K d is a module of R. M can be represented by a pseudo basis: M = k I k b k, where (I k ) non zero ideals of R, (b k ) linearly indep. vectors of R d. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 19/ 23
Hardness Results Langlois Stehlé 2015 Reduction from Module-SIVP to Module-SIS. Quantum reduction from Module-SIVP to Module-LWE. Reduction from search to decision Module-LWE. Parameters: Module-SIVP SIVP LWE Ideal-SIVP Module-LWE Ring-LWE [LS 15] [Regev 05] [LPR 10] d, n d d = n et n d = 1 γ n d. d/α γ n/α d = 1 et n d = n γ n/α arbitrary q q prime q prime q d/α q n/α q = 1 mod 2n q 1/α Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 20/ 23
Hardness Results Langlois Stehlé 2015 Reduction from Module-SIVP to Module-SIS. Quantum reduction from Module-SIVP to Module-LWE. Reduction from search to decision Module-LWE. Converse reductions For R = Z[x]/ x n + 1 with n = 2 k, Reduction from Module-SIS to Module-SIVP, Reduction from Module-LWE to Module-SIVP. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 21/ 23
Hardness Results Albrecht Deo 2017 R is a power-of-two cyclotomic ring: the same for both problems, Reduction from Module-LWE to Module-LWE in rank d with modulus q, in rank d/k with modulus q k. If k = d Reduction from (search) Module-LWE with rank d and modulus q to (search) Ring-LWE with modulus q d. with error rate expansion: from α to α n 2 d. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 22/ 23
Hardness results Consequences [LS15] + [AD17] Module-SIVP γ Module-LWE d,q,α Ring-LWE qd,α α = α n 2 d, 3/2 n5/2 d γ = O( α ) Interpretation [BLPRS 13]: Ring-LWE in dimension n with exponential modulus is hard under hardness of general lattices problems. [LS15] + [AD17]: Ring-LWE in dimension n with exponential modulus is hard under hardness of module lattices problems. Cryptanalysis observation: Ring-LWE becomes harder when q increases. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 23/ 23
Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module variants Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 24/ 23
Open problems Conclusion Module problems hard and interesting to build cryptographic constructions, serious NIST submissions: Dilithium (signature - MSIS/MLWE): n = 256, m, d = 3, 4. Kyber (KEM - MLWE) Saber / 3-bears (KEM - MLWR) Open problems Hardness of Module Learning With Rounding Problem used in several NIST submission, A better understanding of Ring-LWE / Module-LWE A better understanding of SIVP on module lattices Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 25/ 23