
Digital Signatures Based on the Hardness of Ideal Lattice Problems in all Rings

Vadim Lyubashevsky, IBM Research -- Zurich


Presentation Transcript


  1. Digital Signatures Based on the Hardness of Ideal Lattice Problems in all Rings. Vadim Lyubashevsky, IBM Research -- Zurich

  2. Lattice Cryptography
     • Worst-Case: SIVP, BDD
     • Arrow labels (worst-case to average-case): quantum [Reg '05]; [Ajt '96]
     • Average-Case: Learning With Errors Problem (LWE), Small Integer Solution Problem (SIS)
     • Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
     • Cryptomania: Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …

  3. Why are SIS and LWE hard?
     • Solving SIS ⇒ Solving SIVP in all lattices
     • Solving LWE ⇒ Solving BDD in all lattices
     Gives us confidence in the design of SIS / LWE (setting parameters is a completely different matter)

  4. Source of Inefficiency
     [Figure: an n × m matrix A with rows (4 11 6 8 10 7 6 14), (7 7 1 2 13 0 3 0), (2 9 12 5 1 2 5 9), (1 3 14 9 7 1 11 1), multiplied by a column vector.]
     • Requires O(nm) storage
     • Computing the function takes O(nm) time

  5. Switching to Polynomials
     [Figure: the n × m matrix A with rows (4 -1 -2 -7 10 -7 -1 -13), (7 4 -1 -2 13 10 -7 -1), (2 7 4 -1 1 13 10 -7), (1 2 7 4 7 1 13 10), multiplied by a column vector.]
     • Now A only requires O(m) storage
     • Product can be computed faster as well

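  6. Polynomial Multiplication = Matrix-Vector Multiplication
     $a \cdot b = (a_0 + a_1 x + a_2 x^2 + a_3 x^3) \cdot b = a_0 \cdot b + a_1 \cdot bx + a_2 \cdot bx^2 + a_3 \cdot bx^3$
     • Multiplication over $\mathbb{Z}[x]$: the matrix with columns $b$, $bx$, $bx^2$, $bx^3$ (shifted copies of $b$ padded with 0s) times the vector $(a_0, a_1, a_2, a_3)$
     • Multiplication over $\mathbb{Z}[x]/(f(x))$: the matrix with columns $b$, $bx \bmod f$, $bx^2 \bmod f$, $bx^3 \bmod f$ times the vector $(a_0, a_1, a_2, a_3)$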

  7. Switching to Polynomials
     $(4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2)$ in $\mathbb{Z}_p[x]/(x^n + 1)$

  8. Ring-SIS
     Given $k$ random polynomials $a_1, \dots, a_k$ in $\mathbb{Z}_p[x]/(x^n + 1)$, find “small” polynomials $z_1, \dots, z_k$ such that $a_1 z_1 + \dots + a_k z_k = 0$

  9. General f-SIS
     Given $k$ random polynomials $a_1, \dots, a_k$ in $\mathbb{Z}_p[x]/(f(x))$, find “small” polynomials $z_1, \dots, z_k$ such that $a_1 z_1 + \dots + a_k z_k = 0$
     Thm: [LM '06, PR '07] Solving f-SIS implies finding short vectors in any ideal of $\mathbb{Z}[x]/(f(x))$

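  10. Same Source of Inefficiency in LWE Constructions
      [Figure: (matrix) · (vector) + (vector) = (vector), where the m × n matrix has rows (4 11 6 8), (7 7 1 2), (2 9 12 5), (1 3 14 9), (10 7 6 14), (13 0 3 0), (1 2 5 9), (7 1 11 1).]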

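  11. Convert to Polynomial Multiplication
      [Figure: (matrix) · (vector) + (vector) = (vector), where the m × n matrix has rows (4 -1 -2 -7), (7 4 -1 -2), (2 7 4 -1), (1 2 7 4), (10 -7 -1 -13), (13 10 -7 -1), (1 13 10 -7), (7 1 13 10).]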

  12. (Decision) Ring-LWE in $\mathbb{Z}[x]/(f(x))$
      Ring-LWE
      • Given: $(a_1, a_1 s + e_1), (a_2, a_2 s + e_2), \dots, (a_k, a_k s + e_k)$
      • Find: $s$
      • $s$ is random in $R$; the $e_i$ are “small” (distribution symmetric around 0)
      Decision Ring-LWE
      • Given: $(a_1, b_1), (a_2, b_2), \dots, (a_k, b_k)$
      • Question: Does there exist an $s$ and “small” $e_1, \dots, e_k$ such that $b_i = a_i s + e_i$, or are all $b_i$ uniformly random in $R$?
      Thm: [LPR '10] Solving f-LWE implies a quantum algorithm for finding short vectors in any ideal of $\mathbb{Z}[x]/(f(x))$

  13. Lattice Cryptography over Polynomial Rings
      • Worst-Case: SVP over $\mathbb{Z}[x]/f(x)$
      • Arrow label (worst-case to average-case): quantum
      • Average-Case: LWE over $\mathbb{Z}[x]/f(x)$, SIS over $\mathbb{Z}[x]/f(x)$
      • Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
      • Cryptomania: Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …

  14. Are all rings “equally hard”?
      • For $f = x^n + 1$, [CDW '16]: polynomial-time quantum algorithm for sub-exponential approximations to SVP (the complexity of ring-LWE is still unchanged; just the underlying assumption is affected)
      • Is $f = x^n + 1$ resulting in an easier ring, or just a ring for which an attack is easier to find?
      • More preferable state of affairs: schemes based on the hardness of lattice problems in every ring

  15. Result of this Paper
      • Worst-Case: SVP over $\mathbb{Z}[x]/f(x)$ for any $f(x)$; SVP over $f(x)$
      • Arrow label (worst-case to average-case): quantum
      • Average-Case: LWE over $f(x)$; SIS over $\mathbb{Z}[x]$
      • Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
      • Cryptomania: Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …

  16. An Amazing Open Problem
      • Worst-Case: SVP over $\mathbb{Z}[x]/f(x)$ for any $f(x)$ (shown twice)
      • Arrow label (worst-case to average-case): quantum?
      • Average-Case: Some Problem; SIS over $\mathbb{Z}[x]$
      • Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
      • Cryptomania: Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …
      • More efficient than LWE-based

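  17. $\mathbb{Z}^{<n}[x]$-SIS$_d$
      Def: $\mathbb{Z}^{<n}[x]$ = all polynomials in $\mathbb{Z}[x]$ with degree less than $n$
      Given $k$ random polynomials $a_1, \dots, a_k$ in $\mathbb{Z}_p^{<n}[x]$, find “small” polynomials $z_1, \dots, z_k$ in $\mathbb{Z}_p^{<d}[x]$ such that $a_1 z_1 + \dots + a_k z_k = 0$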

  18. $f$-SIS < $\mathbb{Z}^{<n}[x]$-SIS$_d$ when $d \le \deg(f) \le n$
      • Given instance $a_1, \dots, a_k$ of $f$-SIS, where $\deg(f) = m$.
      • Pick random $r_1, \dots, r_k$ in $\mathbb{Z}_p^{<n-m+1}[x]$
      • Set $b_i = a_i + r_i \cdot f$ ($b_i$ are uniformly random in $\mathbb{Z}_p^{<n}[x]$)
      • Give $(b_1, \dots, b_k)$ to the $\mathbb{Z}_p^{<n}[x]$-SIS$_d$ solver
      • If solution is $(z_1, \dots, z_k)$ such that $b_1 z_1 + \dots + b_k z_k = 0$, then $a_1 z_1 + \dots + a_k z_k = 0 \bmod f$
      • Since $\deg(z_i) < d \le \deg(f)$, $z_i \ne 0 \bmod f$
      Main observation: f-SIS input has nothing to do with $f$ (just the degree of $f$)

  19. f-SIS with $f = x^n + 1$
      [Figure: (matrix) · (column vector) = 0, where the matrix has rows (4 -1 -2 -7 10 -7 -1 -13 7 -6 -5 -1), (7 4 -1 -2 13 10 -7 -1 1 7 -6 -5), (2 7 4 -1 1 13 10 -7 5 1 7 -6), (1 2 7 4 7 1 13 10 6 5 1 7).]

  20. $\mathbb{Z}[x]$-SIS
      [Figure: (matrix) · (column vector) = 0, where the matrix has rows (4 0 0 0 10 0 0 0 7 0 0 0), (7 4 0 0 13 10 0 0 1 7 0 0), (2 7 4 0 1 13 10 0 5 1 7 0), (1 2 7 4 7 1 13 10 6 5 1 7), (0 1 2 7 0 7 1 13 0 6 5 1), (0 0 1 2 0 0 7 1 0 0 6 5), (0 0 0 1 0 0 0 7 0 0 0 6).]

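  21. Signature Scheme
      • Secret Key: $s_1, \dots, s_k$ in $\mathbb{Z}^{<d}[x]$ with small coefficients
      • Public Key: random $a_1, \dots, a_k$ in $\mathbb{Z}_p^{<n}[x]$, $a_1 s_1 + \dots + a_k s_k = t$ in $\mathbb{Z}_p^{<n+d-1}[x]$
      Sign($\mu$)
      • Pick $y_1, \dots, y_k$ in $\mathbb{Z}^{<n}[x]$ according to $D_\sigma$
      • Compute $c = H(a_1 y_1 + \dots + a_k y_k, \mu)$ in $\mathbb{Z}^{<n-d+1}[x]$
      • Set $z_i = y_i + c s_i$
      • Do rejection sampling (maybe restart)
      • Output $(z_1, \dots, z_k, c)$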

  22. Verification and Security
      Verify($z_1, \dots, z_k, c, \mu$)
      • Check that $z_i$ have small norms and $c = H(a_1 z_1 + \dots + a_k z_k - tc, \mu)$
      Security proof: As in “Okamoto”-style digital signatures
      • Given $a_1, \dots, a_k$, create a valid $t = a_1 s_1 + \dots + a_k s_k$
      • With high probability, there exist $s_i'$ where $t = a_1 s_1' + \dots + a_k s_k'$
      • Use the $s_i$ to sign. From adversary's signature extract short $w_i$, $b$ such that
        $a_1 w_1 + \dots + a_k w_k = tb = (a_1 s_1 + \dots + a_k s_k) b$
        $a_1 (w_1 - b s_1) + \dots + a_k (w_k - b s_k) = 0$
      • With non-negligible probability the coefficients of the $\mathbb{Z}[x]$-SIS solution are non-zero

  23. Parameters
      Why so much less efficient?
      • Based on Ring-SIS and Ring-LWE
      • There is a unique secret key for every public key
      • Need $(a_1, \dots, a_k, t = a_1 s_1 + \dots + a_k s_k)$ to look random

  24. Solve This Problem!!!
      • Worst-Case: SVP over $\mathbb{Z}[x]/f(x)$ for any $f(x)$ (shown twice)
      • Arrow label (worst-case to average-case): quantum?
      • Average-Case: Some Problem; SIS over $\mathbb{Z}[x]$
      • Minicrypt: One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
      • Cryptomania: Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …
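Slides 5 to 7 as a worked example (added here, not part of the presentation): the structured matrix of slide 5 is rebuilt from the two polynomials of slide 7 with n = 4, and the matrix-vector product is cross-checked against direct multiplication in Z[x]/(x^n + 1). The function names and the optional modulus p are assumptions of this sketch; the slides give no value for p.

```python
def negacyclic_matrix(a):
    """n x n matrix whose column j holds the coefficients of a * x^j mod (x^n + 1)."""
    cols, col = [], list(a)
    for _ in a:
        cols.append(col)
        col = [-col[-1]] + col[:-1]   # multiply by x: shift up, x^n wraps to -1
    return [list(row) for row in zip(*cols)]

def block_matrix(polys):
    """A = [A_1 | ... | A_k]: an n x m matrix that is stored as k polynomials (m = k*n)."""
    blocks = [negacyclic_matrix(a) for a in polys]
    return [sum((blk[i] for blk in blocks), []) for i in range(len(polys[0]))]

def mat_vec(A, z, p=None):
    """Matrix-vector product over the integers, reduced mod p when p is given."""
    out = [sum(x * y for x, y in zip(row, z)) for row in A]
    return [c % p for c in out] if p else out

def ring_mul(a, b):
    """Schoolbook product in Z[x]/(x^n + 1); used only as a cross-check."""
    n = len(a)
    out = [0] * n
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[(i + j) % n] += x * y if i + j < n else -x * y
    return out

# Slide 7: a_1 = 4+7x+2x^2+x^3, a_2 = 10+13x+x^2+7x^3, z_1 = 1+x^3, z_2 = x+x^2
A_POLYS = [[4, 7, 2, 1], [10, 13, 1, 7]]
Z_POLYS = [[1, 0, 0, 1], [0, 1, 1, 0]]

def slide7_value(p=None):
    """Evaluate a_1 z_1 + a_2 z_2 as A * z (p is an assumed, optional modulus)."""
    z = [c for zi in Z_POLYS for c in zi]
    return mat_vec(block_matrix(A_POLYS), z, p)

if __name__ == "__main__":
    for row in block_matrix(A_POLYS):
        print(row)
    print(slide7_value())
```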
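The reduction on slide 18, run end to end on a toy instance (an added example, not code from the presentation). Assumptions of this sketch: f is monic, each r_i is drawn with n - deg(f) coefficients so that b_i has exactly n coefficients, and the "solver" is a brute-force pigeonhole search that only works at toy sizes (here p = 5, n = 4, d = 2, k = 6).

```python
import itertools
import random

def pmul(a, b, p):  # product in Z_p[x]; coefficient lists, lowest degree first
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] = (out[i + j] + x * y) % p
    return out

def combine(polys, zs, p):
    """a_1 z_1 + ... + a_k z_k in Z_p[x], with no reduction polynomial."""
    return [sum(col) % p for col in zip(*(pmul(a, z, p) for a, z in zip(polys, zs)))]

def pmod(a, f, p):
    """Remainder of a modulo the monic polynomial f over Z_p."""
    a, m = list(a), len(f) - 1
    for i in range(len(a) - 1, m - 1, -1):
        c = a[i]
        for j in range(m + 1):
            a[i - m + j] = (a[i - m + j] - c * f[j]) % p
    return a[:m]

def lift(a_list, f, n, p, rng):
    """Slide 18: b_i = a_i + r_i * f for random r_i, giving b_i with n coefficients."""
    m = len(f) - 1
    rs = [[rng.randrange(p) for _ in range(n - m)] for _ in a_list]
    return [[(x + y) % p for x, y in zip(a + [0] * (n - m), pmul(r, f, p))]
            for a, r in zip(a_list, rs)]

def toy_solver(b_list, d, p):
    """Stand-in SIS_d solver over Z_p[x]: pigeonhole collision over 0/1 coefficients."""
    seen = {}
    for flat in itertools.product((0, 1), repeat=len(b_list) * d):
        zs = [list(flat[i:i + d]) for i in range(0, len(flat), d)]
        key = tuple(combine(b_list, zs, p))
        if key in seen:  # equal images: the difference is a nonzero z in {-1, 0, 1}
            return [[x - y for x, y in zip(z, w)] for z, w in zip(zs, seen[key])]
        seen[key] = zs

def reduce_and_solve(a_list, f, n, d, p, rng):
    """Solve f-SIS via the lifted instance; returns (z, sum a_i z_i mod f)."""
    zs = toy_solver(lift(a_list, f, n, p, rng), d, p)
    return zs, pmod(combine(a_list, zs, p), f, p)

if __name__ == "__main__":  # constructed toy instance: f = x^3 + x + 2 over Z_5
    rng = random.Random(18)
    a_list = [[rng.randrange(5) for _ in range(3)] for _ in range(6)]
    print(reduce_and_solve(a_list, [2, 1, 0, 1], 4, 2, 5, rng))
```

The solver never sees f: it receives only the lifted b_i, yet its answer reduces to zero modulo f on the original a_i.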
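A toy implementation of the Sign and Verify steps on slides 21 and 22, added here as an illustration and not code from the presentation. The parameter values, the SHA-256-based H, and the use of uniform y_i with a box-norm rejection test in place of the distribution D_σ are assumptions of this sketch; the sizes are far too small to be secure.

```python
import hashlib
import random

P, N, D, K, B = 8380417, 16, 4, 3, 1 << 12  # toy parameters (assumed, not from the slides)
BETA = D  # every coefficient of c*s_i is a sum of at most D terms in {-1, 0, 1}

def pmul(a, b):
    """Integer product of coefficient lists (lowest degree first), no modulus polynomial."""
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def combine(As, zs):
    """a_1 z_1 + ... + a_k z_k with coefficients reduced mod P."""
    return [sum(col) % P for col in zip(*(pmul(a, z) for a, z in zip(As, zs)))]

def H(w, msg):
    """Hash to a challenge c with N-D+1 coefficients in {-1, 0, 1}."""
    digest = hashlib.sha256(repr(w).encode() + msg).digest()
    return [digest[i] % 3 - 1 for i in range(N - D + 1)]

def keygen(rng):
    As = [[rng.randrange(P) for _ in range(N)] for _ in range(K)]
    s = [[rng.randint(-1, 1) for _ in range(D)] for _ in range(K)]
    return (As, combine(As, s)), s  # public key (a_1..a_k, t), secret key s_1..s_k

def sign(pk, s, msg, rng):
    As, _ = pk
    while True:  # restart whenever the rejection test fails
        y = [[rng.randint(-B, B) for _ in range(N)] for _ in range(K)]
        c = H(combine(As, y), msg)
        z = [[u + v for u, v in zip(yv, pmul(c, sv))] for yv, sv in zip(y, s)]
        if all(abs(x) <= B - BETA for zv in z for x in zv):
            return z, c  # accepted z is uniform in the box, independent of s

def verify(pk, msg, sig):
    (As, t), (z, c) = pk, sig
    if len(z) != K or any(len(zv) != N or max(map(abs, zv)) > B - BETA for zv in z):
        return False
    w = [(u - v) % P for u, v in zip(combine(As, z), pmul(t, c))]
    return c == H(w, msg)

if __name__ == "__main__":
    rng = random.SystemRandom()
    pk, sk = keygen(rng)
    print(verify(pk, b"msg", sign(pk, sk, b"msg", rng)))
```

Verification works because a_1 z_1 + … + a_k z_k − tc equals a_1 y_1 + … + a_k y_k in Z_p[x], so the verifier recomputes the same hash input without learning y_i or s_i.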
