Hardness and advantages of Module-SIS and Module-LWE

Similar documents
Classical hardness of Learning with Errors

Classical hardness of Learning with Errors

Classical hardness of the Learning with Errors problem

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio

Weaknesses in Ring-LWE

Background: Lattices and the Learning-with-Errors problem

A Framework to Select Parameters for Lattice-Based Cryptography

Middle-Product Learning With Errors

Open problems in lattice-based cryptography

Dimension-Preserving Reductions Between Lattice Problems

On error distributions in ring-based LWE

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Solving LWE with BKW

CRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018

Implementing Ring-LWE cryptosystems

Part 2 LWE-based cryptography

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

On Ideal Lattices and Learning with Errors Over Rings

Post-quantum key exchange for the Internet based on lattices

Lattice Based Crypto: Answering Questions You Don't Understand

Weak Instances of PLWE

Parameter selection in Ring-LWE-based cryptography

Revisiting Lattice Attacks on overstretched NTRU parameters

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Improved Parameters for the Ring-TESLA Digital Signature Scheme

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Cryptology. Scribe: Fabrice Mouhartem M2IF

On Ideal Lattices and Learning with Errors Over Rings

Lattice-Based Cryptography

Post-Quantum Cryptography

GGHLite: More Efficient Multilinear Maps from Ideal Lattices

Lattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.

Improved Zero-knowledge Protocol for the ISIS Problem, and Applications

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Notes for Lecture 16

CRYPTANALYSIS OF COMPACT-LWE

Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech

Leakage of Signal function with reused keys in RLWE key exchange

Short Stickelberger Class Relations and application to Ideal-SVP

Proving Hardness of LWE

Post-Quantum Cryptography & Privacy. Andreas Hülsing

Multikey Homomorphic Encryption from NTRU

Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions

SIS-based Signatures

Making NTRU as Secure as Worst-Case Problems over Ideal Lattices

Lattice Cryptography

Lattice Cryptography

FULLY HOMOMORPHIC ENCRYPTION

An improved compression technique for signatures based on learning with errors

On the Ring-LWE and Polynomial-LWE problems

Lossy Trapdoor Functions and Their Applications

Middle-Product Learning With Errors

Markku-Juhani O. Saarinen

Practical Lattice-Based Digital Signature Schemes

Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR

On the Leakage Resilience of Ideal-Lattice Based Public Key Encryption

Asymptotically Efficient Lattice-Based Digital Signatures

From NewHope to Kyber. Peter Schwabe April 7, 2017

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

Fast Lattice-Based Encryption: Stretching SPRING

CS Topics in Cryptography January 28, Lecture 5

CRPSF and NTRU Signatures over cyclotomic fields

Lecture 6: Lattice Trapdoor Constructions

LARA A Design Concept for Lattice-based Encryption

Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures

FrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation

Post-quantum key exchange based on Lattices

Density of Ideal Lattices

Ideal Lattices and NTRU

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

A Decade of Lattice Cryptography

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

6.892 Computing on Encrypted Data September 16, Lecture 2

Classical Hardness of Learning with Errors

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Key Recovery for LWE in Polynomial Time

A Toolkit for Ring-LWE Cryptography

Large Modulus Ring-LWE Module-LWE

Lattice Signatures Without Trapdoors

An Algebraic Approach to NTRU (q = 2 n ) via Witt Vectors and Overdetermined Systems of Nonlinear Equations

Implementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Lattice Signatures Without Trapdoors

Ring-LWE security in the case of FHE

On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem

Noise Distributions in Homomorphic Ring-LWE

Shai Halevi IBM August 2013

Ring-SIS and Ideal Lattices

Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors

Recent Advances in Identity-based Encryption Pairing-free Constructions

Short generators without quantum computers: the case of multiquadratics

A simple lattice based PKE scheme

Transcription:

Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 1/ 23

Introduction Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module SIS and LWE Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 2/ 23

Lattice-based cryptography Worst-case to average-case reduction Learning With Errors dimension n, modulo q Lattice b 1 solve GapSVP/SIVP m Given A, A s + e find s and/or SIS n A Uniform in Z m n q s Uniform in Z n q e is a small error m n LWE-based Encryption Security proof Construction SIS-based Signature LWE and SIS-based advanced construction Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 3/ 23

Lattice-based cryptography From basic to very advanced primitives Public key encryption and Signature scheme (practical), [Regev 05, Gentry, Peikert and Vaikuntanathan 08, Lyubashevsky 12...]; Identity/Attribute-based encryption, [GPV 08 Gorbunov, Vaikuntanathan and Wee 13...]; Fully homomorphic encryption, [Gentry 09, BV 11,...]. Advantages (Asymptotically) efficient; Security proofs from the hardness of lattice problems; Likely to resist attacks from quantum computers. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 4/ 23

NIST competition From 2017 to 2024, NIST competition to find standard on post-quantum cryptography Total: 69 accepted submissions (round 1) Signature (5 lattice-based), Public key encryption / Key exchange mechanism (21 lattice-based) Other candidates: 17 code-based PKE/KEM, 7 multivariate signatures, 3 hash-based signatures, 7 from other assumptions (isogenies, PQ RSA...) and 4 attacked + 5 withdrawn. lattice-based constructions seem to be serious candidates (Assumptions: NTRU, SIS/LWE/LWR, Ring/Module-SIS/LWE/LWR, MP-LWE) Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 5/ 23

Foundamental problems to build cryptography Parameters: dimension n, m n, moduli q. For A U(Z m n q ): SIS β LWE α x m A = 0 mod q A, A s + e n s U(Z n q ), e a small error αq. Goal: Given A U(Z m n q ), Goal: Given ( A, A s + e ), find x s.t. 0 < x β. find s. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 6/ 23

Foundamental problems to build cryptography Parameters: dimension n, m n, moduli q. For A U(Z m n q ): SIS β LWE α x m A = 0 mod q A, A s + e n s U(Z n q ), e a small error αq. Find a small vector in Λ q ( A ) Solve BDD in Λ q ( A ) = { x Z m x T A = 0 mod q} = {y Z m : y = A s mod q for some s Z n } Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 6/ 23

Hardness results Worst-case to average-case reductions from lattice problems Hardness of the SIS problem [Ajtai 96, MR 04, GPV 08,...] Hardness of the LWE problem [Regev 05, Peikert 09, BLPRS 13...] Also in [BLPRS 13] Shrinking modulus / Expanding dimension: A reduction from LWE n q to LWE nk k q. Expanding modulus / Shrinking dimension: A reduction from LWE n q to LWE n/k q k. The hardness of LWE n q is a function of n log q. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 7/ 23

Lattice-based signature scheme Trapdoor for SIS TrapGen (A, T A ) such that T A allows to find short x( s) x A = 0 mod q With T A, we can solve SIS. Computing T A given A is hard, Constructing A and T A is easy. T A is a short basis of Λ q (A) = {x Z m x T A = 0 mod q} In a public key scheme: public key: A secret key: TA Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 8/ 23

Lattice-based signature scheme Signature scheme Key generation: pk = A, (Ai) i sk = TA To sign a message M: use TA to solve SIS: find small x such that x T A M = 0 mod q. To verify a signature x given M: check x T A M = 0 mod q and x small where: [ ] A A M = A 0 + i M in [Boyen 10] for example, ia i Knowing a trapdoor for A knowing a trapdoor for A M, Several known constructions [Boyen 10, CHKP 10..] Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 9/ 23

From SIS/LWE to structured variants Problem: constructions based on SIS/LWE enjoy a nice guaranty of security but are too costly in practice. replace Z n by a Ring, for example R = Z[x]/ x n + 1 (n = 2 k ). Ring variants since 2006: Rot(a 1 ) A Rot(a m ) Structured A Z m n n q represented by m n elements, Product with matrix/vector more efficient, Hardness of Ring-SIS, [Lyubashevsky and Micciancio 06] and [Peikert and Rosen 06] Hardness of Ring-LWE [Lyubashevsky, Peikert and Regev 10]. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 10/ 23

Ring-SIS based signature scheme [BFRS 18] Underlying to [ABB10] KeyGen(λ) (vk,sk) For M: choose uniform a Rq m 2 sk= T R (m 2) 2 gaussian pk= a = ( a T a T T ) T a M = ( a T H(M)g a T T ) T Discrete Gaussian short elements in R MP12 Trapdoors: a looks uniform, T trapdoor (allows to solve Ring-SIS) Sign(a, T, M) x Using T, find small x R m q with x T a M = 0, g gadget vector H : {0, 1} n R q Verify(a, x, M) {0, 1} Accept iff x T a M = 0 mod qr and x small. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 11/ 23

Implementing such a scheme Lot of conditions on parameters: hardness of Ring-SIS, correctness... How to be efficient? Preimage sampling [MP 12, GM 18], Fast multiplication of ring elements in R q = Z q / x n + 1 For example: use the NFLlib library [Aguilar et al. 16] Two important conditions: n = 2 k and q = 1 mod 2n x n + 1 splits completely into linear factors 3 main constraints on q = q i described to use the NTT Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 12/ 23

Example of parameters Table: Parameters set for the signature scheme n log q σ R-LWE σ δ R-SIS λ 512 30 4.2 2 64 1.011380 2 74 60 1024 24 5.8 2 378 1.008012 2 156 140 1024 30 6.3 2 246 1.007348 2 184 170 Gap in security because of the constraints on the parameter. Module variants tradeoff between security and efficiency Hardness of Module SIS and LWE [LS15,AD17] Dilithium & Kyber - Crystals NIST submissions [Avanzi et al.] Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 13/ 23

Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module variants Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 14/ 23

Module variants m Rot(a 1 ) Rot(a 1,1) Rot(a 1,d) A n Rot(a mr ) m r = m/n blocks of size n Rot(a mm,1) m m d blocks of size n d = n/d Rot(a mm,d) a i Z n q (a i, a i, s + e i ) s Z n q, e i Z R = Z[x]/ x n + 1 R = Z[x]/ x nd + 1 a i R q a i (R q ) d (a i, a i s + e i ) (a i, a i, s + e i ) s R q, e i R s (R q ) d, e i R Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 15/ 23

Module SIS and LWE For example in: R = Z[x]/ x n + 1 and R q = R/qR. Module-SIS q,m,β Given a 1,..., a m R d q independent and uniform, find z 1,..., z m R such that m i=1 a i z i = 0 mod q and 0 < z β. Let α > 0 and s (R q ) d, the distribution A (M) s,ν α is: a (R q ) d uniform, e sampled from D α, ) Outputs: (a, 1q a, s + e. Module-LWE q,να let s (R q ) d uniform, distinguish between an arbitrary number of samples from A (M) s,d α, or the same number from U((R q ) d T R ). A (M) s,d α c U((R q ) d T R ). Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 16/ 23

From Ring-SIS/LWE to Module-SIS/LWE SIS Ring-SIS-instance: a 1,..., a m R q, For 2 i d, 1 j m: sample a i,j, a j = (a j, a 2,j,..., a d,j ), Module-SIS: gives small z such that j a j z j = 0 j a j z j = 0 LWE Ring-LWE instance: (a, b = a s + e), Sample a 2,..., a d and s 2,..., s d, New sample: (a = (a, a 2,..., a d ), b + d i=2 a i s i ). s = (s, s1,..., s d ) (R q) d, then b + d i=2 ai si = a, s + e Module-LWE instance Module-SIS/LWE n,d,q at least as hard as Ring-SIS/LWE n,q Module-SIS/LWE n,d,q at least as hard as Ideal-SIVP n Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 17/ 23

Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module variants Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 18/ 23

Ideal and Module SIVP Shortest Independent Vector problem (SIVP γ ) Input: a basis B of a lattice, Output: find n = dim(l(b)) linearly independent s i such that max i s i γ λ n (L(B)). Ideal-SIVP problem restricted to ideal lattices. Module-SIVP problem restricted to module lattices. Let K be a number field, R its ring of integers, Let σ be an embedding from K to R n, σ(i) is an ideal lattice where I is an ideal of R, Let (σ,..., σ) be an embedding from K d to R n d d, σ(m) is a module lattice where M K d is a module of R. M can be represented by a pseudo basis: M = k I k b k, where (I k ) non zero ideals of R, (b k ) linearly indep. vectors of R d. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 19/ 23

Hardness Results Langlois Stehlé 2015 Reduction from Module-SIVP to Module-SIS. Quantum reduction from Module-SIVP to Module-LWE. Reduction from search to decision Module-LWE. Parameters: Module-SIVP SIVP LWE Ideal-SIVP Module-LWE Ring-LWE [LS 15] [Regev 05] [LPR 10] d, n d d = n et n d = 1 γ n d. d/α γ n/α d = 1 et n d = n γ n/α arbitrary q q prime q prime q d/α q n/α q = 1 mod 2n q 1/α Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 20/ 23

Hardness Results Langlois Stehlé 2015 Reduction from Module-SIVP to Module-SIS. Quantum reduction from Module-SIVP to Module-LWE. Reduction from search to decision Module-LWE. Converse reductions For R = Z[x]/ x n + 1 with n = 2 k, Reduction from Module-SIS to Module-SIVP, Reduction from Module-LWE to Module-SIVP. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 21/ 23

Hardness Results Albrecht Deo 2017 R is a power-of-two cyclotomic ring: the same for both problems, Reduction from Module-LWE to Module-LWE in rank d with modulus q, in rank d/k with modulus q k. If k = d Reduction from (search) Module-LWE with rank d and modulus q to (search) Ring-LWE with modulus q d. with error rate expansion: from α to α n 2 d. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 22/ 23

Hardness results Consequences [LS15] + [AD17] Module-SIVP γ Module-LWE d,q,α Ring-LWE qd,α α = α n 2 d, 3/2 n5/2 d γ = O( α ) Interpretation [BLPRS 13]: Ring-LWE in dimension n with exponential modulus is hard under hardness of general lattices problems. [LS15] + [AD17]: Ring-LWE in dimension n with exponential modulus is hard under hardness of module lattices problems. Cryptanalysis observation: Ring-LWE becomes harder when q increases. Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 23/ 23

Lattice-based cryptography: why using module lattices? Definition of Module SIS and LWE Hardness results on Module variants Conclusion and open problems Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 24/ 23

Open problems Conclusion Module problems hard and interesting to build cryptographic constructions, serious NIST submissions: Dilithium (signature - MSIS/MLWE): n = 256, m, d = 3, 4. Kyber (KEM - MLWE) Saber / 3-bears (KEM - MLWR) Open problems Hardness of Module Learning With Rounding Problem used in several NIST submission, A better understanding of Ring-LWE / Module-LWE A better understanding of SIVP on module lattices Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018 25/ 23

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback