Sampling Lattice Trapdoors

Similar documents
Notes for Lecture 16

SIS-based Signatures

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

Optimal Security Reductions for Unique Signatures: Bypassing Impossibilities with A Counterexample

1 Number Theory Basics

An Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both

FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Lattice-based DAPS and Generalizations

Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller

Lossy Trapdoor Functions and Their Applications

Cryptology. Scribe: Fabrice Mouhartem M2IF

Foundations of Cryptography

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Homomorphic Signatures for Polynomial Functions

Post-quantum security models for authenticated encryption

Katz, Lindell Introduction to Modern Cryptrography

Linearly Homomorphic Signatures over Binary Fields and New Tools for Lattice-Based Signatures

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

II. Digital signatures

Transitive Signatures Based on Non-adaptive Standard Signatures

Tightly-Secure Signatures From Lossy Identification Schemes

John Hancock enters the 21th century Digital signature schemes. Table of contents

Lossy Trapdoor Functions and Their Applications

Lattice-based Multi-signature with Linear Homomorphism

An update on Hash-based Signatures. Andreas Hülsing

Digital Signatures. p1.

10 Concrete candidates for public key crypto

The Random Oracle Paradigm. Mike Reiter. Random oracle is a formalism to model such uses of hash functions that abound in practical cryptography

6.892 Computing on Encrypted Data October 28, Lecture 7

Advanced Cryptography 03/06/2007. Lecture 8

Authentication. Chapter Message Authentication

Functional Encryption for Inner Product Predicates from Learning with Errors

How to Use Linear Homomorphic Signature in Network Coding

Lecture Notes on Secret Sharing

Introduction to Elliptic Curve Cryptography

Attribute-based Encryption & Delegation of Computation

Block Ciphers/Pseudorandom Permutations

Lecture 16: Public Key Encryption:II

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

Computing on Authenticated Data for Adjustable Predicates

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

Lattice Cryptography

XMSS A Practical Forward Secure Signature Scheme based on Minimal Security Assumptions

Secure Signatures and Chosen Ciphertext Security in a Post-Quantum World

Lecture 10 - MAC s continued, hash & MAC

Short Signatures Without Random Oracles

Lecture 6: Lattice Trapdoor Constructions

Lattice Cryptography

Cryptographic Hardness Assumptions

Digital Signatures. Adam O Neill based on

1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:

Relaxed Lattice-Based Signatures with Short Zero-Knowledge Proofs

Lattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris

CS 355: TOPICS IN CRYPTOGRAPHY

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Adaptively Secure Fully Homomorphic Signatures Based on Lattices

Schnorr Signature. Schnorr Signature. October 31, 2012

G /G Advanced Cryptography November 11, Lecture 10. defined Adaptive Soundness and Adaptive Zero Knowledge

Notes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.

Asymptotically Efficient Lattice-Based Digital Signatures

Masking the GLP Lattice-Based Signature Scheme at Any Order

Outline. Provable Security in the Computational Model. III Signatures. Public-Key Encryption. Outline. David Pointcheval.

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Lecture 11: Key Agreement

Lattice Signatures Without Trapdoors

Codes and Cryptography. Jorge L. Villar. MAMME, Fall 2015 PART XII

A survey on quantum-secure cryptographic systems

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Predicate Encryption for Multi-Dimensional Range Queries from Lattices

Lecture 1: Introduction to Public key cryptography

6.892 Computing on Encrypted Data September 16, Lecture 2

Lecture 22: RSA Encryption. RSA Encryption

Malleable Signatures: Complex Unary Transformations and Delegatable Anonymous Credentials

On the Security Notions for Homomorphic Signatures

Constructing secure MACs Message authentication in action. Table of contents

Enforcing honesty of certification authorities: Tagged one-time signature schemes

Digital signature schemes

from Standard Lattice Assumptions

Digital Signatures from Strong RSA without Prime Genera7on. David Cash Rafael Dowsley Eike Kiltz

Circular chosen-ciphertext security with compact ciphertexts

Middle-Product Learning With Errors

An improved compression technique for signatures based on learning with errors

Hash-based signatures & Hash-and-sign without collision-resistance

Q B (pk, sk) Gen x u M pk y Map pk (x) return [B(pk, y)? = x]. (m, s) A O h

Uninstantiability of Full-Domain Hash

Short Unique Signatures from RSA with a Tight Security Reduction (in the Random Oracle Model)

Lecture 18: Message Authentication Codes & Digital Signa

Lecture V : Public Key Cryptography

Signatures with Flexible Public Key: A Unified Approach to Privacy-Preserving Signatures (Full Version)

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Anonymous Signatures Made Easy

Lectures 2+3: Provable Security

Background: Lattices and the Learning-with-Errors problem

Mitigating Multi-Target-Attacks in Hash-based Signatures. Andreas Hülsing joint work with Joost Rijneveld, Fang Song

b = 10 a, is the logarithm of b to the base 10. Changing the base to e we obtain natural logarithms, so a = ln b means that b = e a.

Lattice Signatures Without Trapdoors

If you wish to cite this paper, please use the following reference:

Available online at J. Math. Comput. Sci. 6 (2016), No. 3, ISSN:

Transcription:

Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a matrix A and that it was sufficient for solving LWE and ISIS with matrix A The difficulty is in sampling uniform A along with a trapdoor Today we will look at a particular matrix for which we can easily describe a trapdoor With this matrix in hand, it will suffice to sample a different type of trapdoor a task that will be simpler Finally, we will demonstrate a simple digital signature scheme based on the above 1 2 types of trapdoors 11 Type 1 This is the notion of a trapdoor that we saw last class Definition 11 (L (A)) For a matrix A Z n m, we denote by L the dual lattice of A composed of all vectors in the kernal of A (arithmetic done mod ): L (A) {x Z m : Ax = 0 mod } A trapdoor T for A is a short basis for the lattice L (A) Definition 12 ( Type 1 Trapdoor) For matrices A Z n m and T Z m m, T is a trapdoor for A if: 1 AT 0 n m mod 2 T is full rank over Z 3 Each column t i of T = [t 1 t 2 t m is short Last class, we saw that, given such a trapdoor T for A, one could efficiently solve LWE and ISIS 1

12 The Gadget Matrix A special matrix that will be important for us later is the gadget matrix G, whose trapdoor is very easily understood Definition 13 (Gadget Matrix G) Let g = [1 2 4 2 log 1 n n log The gadget matrix G Z is G g I n : g 0 0 0 g 0 G = 0 0 g The vector g can be thought of a binary recomposition 1 operator, taking the binary representation (as a column vector) binary(x) Z n log of an integer x Z, and mapping it to g T binary(x) = x Likewise, for integers x 1,, x n Z, G is the operator mapping b Z n2 log to Gb: binary(x 1 ) x 1 b = Gb = binary(x n ) One possible trapdoor T g for g is: 2 0 0 0 1 2 0 0 0 1 2 0 binary() T g 0 0 0 2 0 0 0 1 log 1 where binary() Z is the binary expansion of It is easy to verify that gt g = 0 and that each column has short length (all are either 5 or O( log )) Let k = log 1 and b = binary() Then det(t g ) = k ( 1) i 1 b[i 2 i 1 ( 1) k i = ( 1) k 1 i=1 and therefore T g is full rank over Z (though not full-rank over Z ) Finally, we define the gadget matrix T G fo the matrix G: T g 0 0 0 T g 0 T G T g I n = 0 0 T g x n k b[i 2 i 1 = ( 1) k 1 0 Just as with T g, T G is full-rank over Z, has short entries, and is in the null space of G Last class, we saw that a (type 1) trapdoor for A suffices to solve LWE and ISIS Because of the structure of G, solving these problems with respect to G is particularly efficient 1 The inverse of binary decomposition i=1 2

13 Type 2 Our goal is to sample a uniform matrix A along with some auxiliary information that makes solving LWE (recovering s T given s T A + e) with matrix A tractable The trapdoor T G for G enabling us to solve LWE instances with matrix G efficiently Therefore it suffices to have auxiliary information about A that allows us to transform LWE samples for A to LWE samples for G with the same secret This information will be a type 2 trapdoor for A Definition 14 ( Type 2 Trapdoor) For matrices A Z n m and R Z for A if: 1 AR = G 2 Each column r i of R = [r 1 r 2 r m is short m n log, R is a trapdoor Remark We could similarly define a type 2 trapdoor with respect to any full rank matrix G for which we knew a trapdoor, and the reductions below would suffice The reason for preferring this particular gadget matrix G is that its structure makes solving LWE and ISIS conceptually simple and concretely efficient Solving LWE and ISIS Given an LWE sample s T A + e T and a (type 2) trapdoor R for A: (s T A + e T )R = s T G + (e T R) This is an LWE sample for G with error e = e T R Similarly, given an ISIS challenge (A, v), we can find a short e such that Ae = v by solving the corresponding problem with respect to G, and multiplying the solution by R Ae = A(Re ) = Ge = v Since G is the binary recomposition matrix, a solution to the above is e = [binary(v 1 ) binary(v n ) T This e is composed only of 0s and 1s and thus e < n 2 Sampling Trapdoors Though we ve seen that sampling matrices A and associated type 2 trapdoors R suffices for solving lattice problems, how do we sample such matrices? 1 Sample uniformly A 0 Z n m 0 2 2 Sample random R 0 Z m 0 n log() probability with each entry R i,j Bernoulli( 1 2 ) is 0 or 1 with eual 2 We shall see below that m 0 = n log + 2n suffices 3

3 A [ A 0 A 0 R 0 + G R [ R0 I It is easy to verify that AR = G, and that the columns r i of R are short with high probability (in particular, ) We now demonstrate that A sampled as above is statistically-close to uniform To prove this, we use the Leftover Hash Lemma Each column of R 0 has m 0 := n log + 2n bits of entropy This implies that for each column r i, (A 0, A 0 r i ) 2 n (A 0, u) where u Z n is sampled uniformly Combining for all the columns, we get that [A 0 A 0 R 0 + G is statistically-close to [A 0 U, a completely uniform n m-matrix 3 Application to Digital Signatures Now we ll see an application of lattice trapdoors in building a simple signature scheme Observe that we can already build a signature from lattices assuming that there is a lattice-based one-way function a la Ajtai [?, using generic constructions of digital signatures from OWFs [? In contrast, we will see a relatively simple and efficient scheme based on [? Previously, there were a number of flawed proposals We consider a weak form of security, where the adversary is reuired to forge a signature on a specific challenge message msg and the adversary receives signatures on random messages rather than messages of his choice Definition 31 (Digital Signatures) A digital signature scheme for messages in M is a tuple of algorithms (Keygen, Sign, Verify) satisfying the following properties: Syntax: Keygen(1 n ) sk, vk is a randomized algorithm taking a security parameter λ N in unary, and outputting a signing key sk and a verification key vk Sign(sk, msg) sig is a randomized algorithm taking a signing key sk and a message msg M as inputs, and outputting a signature sig Verify(vk, sig, msg) {0, 1} is a deterministic algorithm taking a verification key vk, a signature sig, and a message msg, and outputting b {0, 1} Correctness: A digital signature is correct if validly generated signatures verify Namely, for all λ N, for all sk, vk Keygen(1 n ), and for all msg M: Verify(vk, Sign(sk, msg), msg) = 1 Security: 3 A digital signature scheme is secure if for large enough n N, all probabilistic polynomialtime algorithms A have negligible probability of winning in the following game: sk, vk Keygen(1 n ) msg M state 0 A(vk, msg ); // The challenge message 4

While done A(state i, sig i ) state i+1 A(state i, sig i ) msg i+1 M sig i+1 Sign(sk, msg i+1 ) sig A(state final ) A wins if ( Verify(vk, sig, msg ) = 1 ) 31 A First Attempt Suppose we have an algorithm A, R TrapSamp(n, m, ) that samples matrices A Z n m m n log with an associated (type 2) trapdoor R Z Let M = Z m along Keygen(1 n ) : Sample A, R TrapSamp(n,??,??) Output sk = R and vk = A Sign(sk, msg) : Solve Ae = y for y := msg, and a short e Z m Output sig = e Verify(vk, sig, msg): Output 1 if ( Ae = msg ) ( e poly(n) ) Otherwise, output 0 Forging a signature on msg reuires finding a short solution to Ae = b for a random value b = msg Given no (msg i, sig i ) pairs, this is infeasible by the difficulty of ISIS But what about when given many pairs, all with respect to the same signing key A? Suppose we use the solver for ISIS from Section 13 with the trapdoors from Section 2 Then the adversary receives many signatures of the form sig = Re = [ R0 e = [ R0 e e, where e is I the binary decomposition of msg With sufficiently many samples, the adversary could efficiently solve for R 0 the system of euations (sig 1 sig m ) = R 0 E where E = (e 1 e m) can be easily constructed by the adversary Given enough signatures, the adversary can reconstruct the trapdoor R, let alone forge signatures 32 A better Solve step We will fix the above scheme by reuiring that solve step hereafter named Solve(A, R, y) in the Sign algorithm satisfies some additional property After defining what a good solver is, we demonstrate that it suffices to prove existential unforgeability under chosen-message attack Next lecture, we will look at such a good Solve algorithm, based on discrete Guassian sampling We will call Solve good if its outputs statistically hide the trapdoor R in the following strong sense Definition 32 (Good Solve) Let Solve(A, R, y) be an algorithm that outputs short solutions to Ae = y Solve is good if for some σ > 0, for every short trapdoor R: ( ) ( ) A Z n m, e D Z m,σ, y := Ae s A Z n m, Solve(A, R, y), y Z m where s denotes statistical closeness 2 n 4 and D Z m,σ denotes the discrete Guassian distribution on Z m with standard deviation σ 4 Computational, rather than statistical, indistinguishability would suffice 5

That is, the output distribution of e Solve(A, R, y) is statistically close to sampling e from discrete Guassian conditioned on Ae = y We now reduce solving SIS to violating the security of the signature scheme in Section 31 instantiated with a good Solve algorithm Reducing SIS to forging: Given an SIS challenge A Z n m, our goal is to find a short e Z m such that Ae 0 n mod Run the adversary A for the signature scheme, but generate messagesignature pairs by sampling sig := e D Z m,σ from a discrete Guassian and setting msg := y = Ae Additionally, choose e D Z m,σ and set the challenge message msg = Ae By the goodness of Solve, this distribution on messages and signatures is statistically indistinguishable from the real distribution (random messages and signatures generated by Solve(A, R, y)) Any A that forges when given samples from the latter must also forge when given samples from the former Thus, with noticeable probability, A will output a signature sig = e such that Ae = Ae and e is short With high probability e e Therefore, e e 0 is a solution to SIS for matrix A 6

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback