Digital Signatures Based on the Hardness of Ideal Lattice Problems in all Rings
Vadim Lyubashevsky, IBM Research -- Zurich
Lattice Cryptography
Worst-case problems: SIVP, BDD
Average-case problems: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
SIVP → SIS [Ajt ‘96]
BDD → LWE [Reg ‘05] (quantum reduction)
From SIS (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
From LWE (Cryptomania): Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …
Why are SIS and LWE hard?
• Solving SIS ⇒ Solving SIVP in all lattices
• Solving LWE ⇒ Solving BDD in all lattices
Gives us confidence in the design of SIS / LWE (setting parameters is a completely different matter)
Source of Inefficiency
A random n × m matrix A over Z_p (the slide's picture has n = 4 rows and m = 8 columns) times a small vector z, with A·z = 0:
    4 11  6  8 10  7  6 14
    7  7  1  2 13  0  3  0
    2  9 12  5  1  2  5  9
    1  3 14  9  7  1 11  1
Requires O(nm) storage. Computing the function takes O(nm) time.
Switching to Polynomials
Replace A by two negacyclic 4 × 4 blocks, determined by the polynomials a = 4+7x+2x^2+x^3 and b = 10+13x+x^2+7x^3 (column i of a block is the polynomial times x^i mod x^4+1):
    4 -1 -2  -7 10 -7 -1 -13
    7  4 -1  -2 13 10 -7  -1
    2  7  4  -1  1 13 10  -7
    1  2  7   4  7  1 13  10
times z = (1, 0, 0, 1, 0, 1, 1, 0), with A·z = 0 as before.
Now A only requires O(m) storage. The product can be computed faster as well.
Polynomial Multiplication = Matrix-Vector Multiplication
a·b = (a_0 + a_1x + a_2x^2 + a_3x^3)·b = a_0·b + a_1·bx + a_2·bx^2 + a_3·bx^3
Multiplication over Z[x]: the matrix whose columns are b, bx, bx^2, bx^3, times the vector (a_0, a_1, a_2, a_3)
Multiplication over Z[x]/(f(x)): the matrix whose columns are b, bx mod f, bx^2 mod f, bx^3 mod f, times the vector (a_0, a_1, a_2, a_3)
Switching to Polynomials
(4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^n+1)
Ring-SIS
Given k random polynomials a_1, …, a_k in Z_p[x]/(x^n+1), find “small” polynomials z_1, …, z_k such that a_1z_1 + … + a_kz_k = 0
General f-SIS
Given k random polynomials a_1, …, a_k in Z_p[x]/(f(x)), find “small” polynomials z_1, …, z_k such that a_1z_1 + … + a_kz_k = 0
Thm [LM ‘06, PR ‘07]: Solving f-SIS implies finding short vectors in any ideal of Z[x]/(f(x))
Same Source of Inefficiency in LWE Constructions
A·s + e = b with a random m × n matrix A (m = 8, n = 4 on the slide), secret s and small error e:
    4 11  6  8
    7  7  1  2
    2  9 12  5
    1  3 14  9
   10  7  6 14
   13  0  3  0
    1  2  5  9
    7  1 11  1
Convert to Polynomial Multiplication
The same A·s + e = b with A replaced by two stacked negacyclic blocks, for a = 4+7x+2x^2+x^3 and b = 10+13x+x^2+7x^3 in Z_p[x]/(x^4+1):
    4 -1 -2  -7
    7  4 -1  -2
    2  7  4  -1
    1  2  7   4
   10 -7 -1 -13
   13 10 -7  -1
    1 13 10  -7
    7  1 13  10
(Decision) Ring-LWE in Z[x]/(f(x))
Ring-LWE
• Given: a_1, a_1s+e_1; a_2, a_2s+e_2; …; a_k, a_ks+e_k
• Find: s
• s is random in R; the e_i are “small” (distribution symmetric around 0)
Decision Ring-LWE
• Given: (a_1, b_1), (a_2, b_2), …, (a_k, b_k)
• Question: Does there exist an s and “small” e_1, …, e_k such that b_i = a_is + e_i, or are all b_i uniformly random in R?
Thm [LPR ‘10]: Solving f-LWE implies a quantum algorithm for finding short vectors in any ideal of Z[x]/(f(x))
Lattice Cryptography over Polynomial Rings
Worst-case problem: SVP over Z[x]/f(x)
Average-case problems: SIS over Z[x]/f(x), LWE over Z[x]/f(x) (quantum reduction)
From SIS over Z[x]/f(x) (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
From LWE over Z[x]/f(x) (Cryptomania): Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …
Are all rings “equally hard”?
For f = x^n+1, [CDW ‘16] give a polynomial-time quantum algorithm for sub-exponential approximations to SVP (the complexity of Ring-LWE is still unchanged; just the underlying assumption is affected)
Does f = x^n+1 result in an easier ring, or is it just a ring for which an attack is easier to find?
More preferable state of affairs: schemes based on the hardness of lattice problems in every ring
Result of this Paper
Worst-case SVP over Z[x]/f(x) for any f(x) → average-case SIS over Z[x]
From SIS over Z[x] (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
The LWE column as before: worst-case SVP over f(x) → (quantum) → average-case LWE over f(x) → (Cryptomania) Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …
An Amazing Open Problem
Worst-case SVP over Z[x]/f(x) for any f(x) → average-case SIS over Z[x] → (Minicrypt) One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Worst-case SVP over Z[x]/f(x) for any f(x) → (quantum?) → some average-case problem → (Cryptomania) Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, … – more efficient than LWE-based
Z^{<n}[x]-SIS_d
Def: Z^{<n}[x] = all polynomials in Z[x] with degree less than n
Given k random polynomials a_1, …, a_k in Z_p^{<n}[x], find “small” polynomials z_1, …, z_k in Z_p^{<d}[x] such that a_1z_1 + … + a_kz_k = 0
f-SIS ≤ Z^{<n}[x]-SIS_d when d ≤ deg(f) ≤ n
Given an instance a_1, …, a_k of f-SIS, where deg(f) = m:
Pick random r_1, …, r_k in Z_p^{<n-m+1}[x]
Set b_i = a_i + r_i·f (the b_i are uniformly random in Z_p^{<n}[x])
Give (b_1, …, b_k) to the Z_p^{<n}[x]-SIS_d solver
If the solution is (z_1, …, z_k) such that b_1z_1 + … + b_kz_k = 0, then a_1z_1 + … + a_kz_k = 0 mod f
Since deg(z_i) < d ≤ deg(f), z_i ≠ 0 mod f
Main observation: the f-SIS input has nothing to do with f (just the degree of f)
f-SIS with f = x^n+1
Three negacyclic 4 × 4 blocks, for a = 4+7x+2x^2+x^3, b = 10+13x+x^2+7x^3 and c = 7+x+5x^2+6x^3 in Z_p[x]/(x^4+1), times a small 0/1 vector z = (z_1, z_2, z_3), equals 0:
    4 -1 -2  -7 10 -7 -1 -13  7 -6 -5 -1
    7  4 -1  -2 13 10 -7  -1  1  7 -6 -5
    2  7  4  -1  1 13 10  -7  5  1  7 -6
    1  2  7   4  7  1 13  10  6  5  1  7
Z[x]-SIS
The same three polynomials without reduction mod f: each block is the 7 × 4 matrix of multiplication by a, b, c over Z[x] (column i is the polynomial times x^i), times the same small vector z, equals 0:
    4  0  0  0 10  0  0  0  7  0  0  0
    7  4  0  0 13 10  0  0  1  7  0  0
    2  7  4  0  1 13 10  0  5  1  7  0
    1  2  7  4  7  1 13 10  6  5  1  7
    0  1  2  7  0  7  1 13  0  6  5  1
    0  0  1  2  0  0  7  1  0  0  6  5
    0  0  0  1  0  0  0  7  0  0  0  6
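As an added example (not from the talk), the matrix view of the "Polynomial Multiplication = Matrix-Vector Multiplication" slide and of the two SIS pictures above, in code: rot_matrix builds the matrix whose columns are b·x^i mod f for any monic f, which yields the negacyclic blocks for f = x^4+1 and the tall Toeplitz blocks of the Z[x]-SIS slide, and sis_value evaluates a_1z_1 + … + a_kz_k with or without reduction mod f. It also shows the observation of the reduction slide: the same coefficient input a gives a different matrix for every f, so the input itself does not depend on f. The slide's polynomials a, b, z_1 = 1+x^3, z_2 = x+x^2 are embedded as constants; the names F4, A, B, Z1, Z2 and all function names are this example's own.

```python
# Polynomials are integer coefficient lists, lowest degree first.

def poly_mul(a, b):
    """Schoolbook product in Z[x]."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def poly_mod(a, f):
    """Reduce a modulo a monic f; x^4 + 1 is written [1, 0, 0, 0, 1]."""
    assert f[-1] == 1, "f must be monic"
    n = len(f) - 1
    a = list(a) + [0] * max(0, n - len(a))
    for i in range(len(a) - 1, n - 1, -1):      # eliminate x^i for every i >= deg f
        c = a[i]
        if c:
            for j in range(n + 1):
                a[i - n + j] -= c * f[j]
    return a[:n]

def rot_matrix(b, ncols, f=None):
    """Matrix whose column i is b * x^i, reduced mod f when f is given, so that
    (matrix) x (coefficient vector of z) is the coefficient vector of b * z."""
    cols = []
    for i in range(ncols):
        col = [0] * i + list(b)                  # b * x^i over Z[x]
        cols.append(poly_mod(col, f) if f else col)
    nrows = max(len(c) for c in cols)
    return [[c[r] if r < len(c) else 0 for c in cols] for r in range(nrows)]

def matvec(m, v):
    return [sum(x * y for x, y in zip(row, v)) for row in m]

def sis_value(polys, zs, f=None):
    """a_1 z_1 + ... + a_k z_k in Z[x]/(f) if f is given, otherwise in Z[x]."""
    acc = []
    for a, z in zip(polys, zs):
        prod = poly_mod(poly_mul(a, z), f) if f else poly_mul(a, z)
        acc += [0] * (len(prod) - len(acc))
        for i, c in enumerate(prod):
            acc[i] += c
    return acc

# Values read off the slides (f = x^4 + 1, a, b, z_1 = 1 + x^3, z_2 = x + x^2).
F4 = [1, 0, 0, 0, 1]
A, B = [4, 7, 2, 1], [10, 13, 1, 7]
Z1, Z2 = [1, 0, 0, 1], [0, 1, 1, 0]
```

rot_matrix(A, 4, F4) reproduces the first block of the f = x^4+1 slide and rot_matrix(A, 4) the first block of the Z[x]-SIS slide; with the slide's small z the sum is not 0 for any sensible p, so the pictures are layout illustrations rather than a real SIS solution.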
Signature Scheme
Secret Key: s_1, …, s_k in Z^{<d}[x] with small coefficients
Public Key: random a_1, …, a_k in Z_p^{<n}[x], and t = a_1s_1 + … + a_ks_k in Z_p^{<n+d-1}[x]
Sign(μ):
• Pick y_1, …, y_k in Z^{<n}[x] according to D_σ
• Compute c = H(a_1y_1 + … + a_ky_k, μ) in Z^{<n-d+1}[x]
• Set z_i = y_i + c·s_i
• Do rejection sampling (maybe restart)
• Output (z_1, …, z_k, c)
Verification and Security
Verify(z_1, …, z_k, c, μ): check that the z_i have small norms and that c = H(a_1z_1 + … + a_kz_k - t·c, μ)
Security proof (as in “Okamoto”-style digital signatures):
• Given a_1, …, a_k, create a valid t = a_1s_1 + … + a_ks_k
• With high probability there exist s_i' such that t = a_1s_1' + … + a_ks_k'
• Use the s_i to sign
• From the adversary’s signature extract short w_i, b such that a_1w_1 + … + a_kw_k = t·b = (a_1s_1 + … + a_ks_k)·b
• Then a_1(w_1 - bs_1) + … + a_k(w_k - bs_k) = 0
• With non-negligible probability the coefficients of the Z[x]-SIS solution are non-zero
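An added toy implementation of the scheme on the two slides above (not the paper's code or parameters): key generation, Sign with rejection sampling, and Verify, over Z_P^{<N}[x] with no reduction modulo any f. The parameter values, the SHA-256-based H, and the use of uniform y_i with a box rejection in place of the discrete Gaussian D_σ are this example's own assumptions.

```python
import hashlib
import random

# Constructed toy parameters (the talk gives none; far too small to be secure).
P, N, D, K = 8380417, 8, 3, 2   # modulus, degree bounds n and d, number k of a_i
B = 1 << 10                      # y_i coefficients drawn uniformly from [-B, B]
BETA = D                         # bound on |coeff| of c*s_i when c, s_i have {-1,0,1} coeffs

def poly_mul(a, b):              # schoolbook product in Z[x], lowest degree first
    return [sum(a[i] * b[k - i] for i in range(len(a)) if 0 <= k - i < len(b))
            for k in range(len(a) + len(b) - 1)]

def lin_comb(polys, zs):         # a_1 z_1 + ... + a_k z_k over Z[x], coefficients mod P
    acc = [0] * (len(polys[0]) + len(zs[0]) - 1)
    for a, z in zip(polys, zs):
        for i, c in enumerate(poly_mul(a, z)):
            acc[i] += c
    return [c % P for c in acc]

def hash_c(w, mu):               # H(w, mu): SHA-256 expanded to a {-1,0,1} polynomial in Z^{<N-D+1}[x]
    h = hashlib.sha256(repr(w).encode() + b"|" + mu).digest()
    return [h[i] % 3 - 1 for i in range(N - D + 1)]

def small(z):                    # the norm check used by rejection sampling and by Verify
    return all(abs(v) <= B - BETA for zi in z for v in zi)

def keygen(seed):
    rng = random.Random(seed)
    s = [[rng.randint(-1, 1) for _ in range(D)] for _ in range(K)]   # small s_i in Z^{<D}[x]
    a = [[rng.randrange(P) for _ in range(N)] for _ in range(K)]      # random a_i in Z_P^{<N}[x]
    return s, (a, lin_comb(a, s))                                     # pk = (a_i, t), t in Z_P^{<N+D-1}[x]

def sign(sk, pk, mu, seed):
    rng = random.Random(seed)
    a, _ = pk
    while True:                  # rejection sampling: restart until every z_i is small
        y = [[rng.randint(-B, B) for _ in range(N)] for _ in range(K)]
        c = hash_c(lin_comb(a, y), mu)
        z = [[yi + ci for yi, ci in zip(y[i], poly_mul(c, sk[i]))] for i in range(K)]
        if small(z):             # accepted z is uniform in a box that does not depend on sk
            return z, c

def verify(pk, mu, sig):
    a, t = pk
    z, c = sig
    if not small(z):
        return False
    w = lin_comb(a, z)                                # a_1 z_1 + ... + a_k z_k mod P
    tc = poly_mul(t, c)                               # t*c, also of length 2N-1
    return hash_c([(x - y) % P for x, y in zip(w, tc)], mu) == c   # equals H(sum a_i y_i, mu)
```

Verification works because a_1z_1 + … + a_kz_k - t·c = a_1y_1 + … + a_ky_k, since t·c = c·(a_1s_1 + … + a_ks_k); the sizes here only exercise that algebra.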
Parameters
Why so much less efficient? Compared with schemes based on Ring-SIS and Ring-LWE:
• There is a unique secret key for every public key
• Need (a_1, …, a_k, t = a_1s_1 + … + a_ks_k) to look random
Solve This Problem!!!
Worst-case SVP over Z[x]/f(x) for any f(x) → average-case SIS over Z[x] → (Minicrypt) One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Worst-case SVP over Z[x]/f(x) for any f(x) → (quantum?) → some average-case problem → (Cryptomania) Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …