Presentation is loading. Please wait.

Presentation is loading. Please wait.

Lattice Signature Schemes

Similar presentations


Presentation on theme: "Lattice Signature Schemes"— Presentation transcript:

1 Lattice Signature Schemes
Vadim Lyubashevsky INRIA / ENS Paris

2 digital signature schemes

3 Digital Signatures (sk,pk) KeyGen Sign(sk,mi) = si
Verify(pk,mi,si) = YES / NO Correctness: Verify(pk, mi, Sign(sk,mi)) = YES Security: Unforgeability Adversary gets pk Adversary asks for signatures of m1, m2, … Adversary outputs (m,s) where m ≠ mi and wins if Verify(pk,m,s) = YES

4 Signature Schemes Hash-and-Sign Fiat-Shamir transformation
Requires a trap-door function Fiat-Shamir transformation Conversion from an identification scheme No trap-door function needed

5 fiat-shamir Signature Schemes

6 Signature Scheme (Main Idea)
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) Verify(z,c) Check that z is “small” and c = H(Az – Tc mod q, μ)

7 Main Security Intuition
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) Verify(z,c) Check that z is “small” and c = H(Az – Tc mod q, μ) Signature is independent of the secret key

8 Signature Scheme Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) make y uniformly random mod q? then z is too big and forging is easy 

9 Signature Scheme Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) make y small? then z will not be independent of S 

10 Rejection Sampling Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) if z meets certain criteria, else repeat make y small

11 Rejection Sampling g(x) Have access to samples from g(x) Want f(x)

12 Rejection Sampling g(x) Have access to samples from g(x) Want f(x)
f(x)/M Sample from g(x), accept x with probability f(x)/Mg(x) ≤ 1 Pr[x] = g(x)∙(f(x)/Mg(x)) = f(x)/M Something is output with probability 1/M

13 Rejection Sampling Impossible to tell whether g(x) or h(x) was the original distribution Have access to samples from g(x) Want f(x) g(x) f(x)/M h(x) Sample from g(x), accept x with probability f(x)/Mg(x) ≤ 1 or … Sample from h(x), accept x with probability f(x)/Mh(x) ≤ 1 Pr[x] = g(x)∙(f(x)/Mg(x)) = f(x)/M = h(x)∙(f(x)/Mh(x)) Something is output with probability 1/M

14 Rejection Sampling Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y
Output(z,c) w.p. … f(y+Sc) f(y)

15 Normal Distribution 1-dimensional Normal distribution:
ρσ(x) = 1/(√2πσ)e-x2/2σ2 It is: Centered at 0 Standard deviation: σ

16 Examples

17 Shifted Normal Distribution
1-dimensional shifted Normal distribution: ρσ,v(x) = 1/(√2πσ)e-(x-v)2/2σ2 It is: Centered at v Standard deviation: σ

18 n-Dimensional Normal Distribution
n-dimensional shifted Normal distribution: ρσ,v(x) = 1/(√2πσ)ne-||x-v||2/2σ2 It is: Centered at v Standard deviation: σ

19 2-Dimensional Example

20 n-Dimensional Normal Distribution
n-dimensional shifted Normal distribution: ρσ,v(x) = 1/(√2πσ)ne-||x-v||2/2σ2 It is: Centered at v Standard deviation: σ Discrete Normal: for x in Zn, Dσ,v (x)= ρσ,v(x) / ρσ,v(Zn)

21 Rejection Sampling v=max ||Sc|| Pick a random y
Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) w.p. Dσ,0 (z) / (MDσ,Sc (z)) -v v v=max ||Sc|| for σ = 12v, Dσ,0 (z) / (MDσ,Sc (z)) ≈ e/M

22 Security Reduction A A,AS Pick random S μi (zi,ci)=Sign(μi) (zi,ci) …
Simulator Adversary A A,AS Pick random S μi (zi,ci)=Sign(μi) (zi,ci) A(z-z’)+T(c’-c)=0 μ, (z,c) A(z-z’+Sc’-Sc)=0 μ, (z’,c’) If this is not 0, then SIS is solved. Important for adversary to not know S.

23 Interlude: The SIS problem

24 A The SIS Problem = 0 (mod q) s Given a random A in Zqn x m,
Find a “small” s such that As = 0 mod q A s = 0 (mod q) n m

25 The LWE Problem A s e b mod q m + = n ||e|| is small find s

26 Valid LWE Distribution
Decision LWE Valid LWE Distribution Uniformly Random A s e b A b + =

27 Solve SIS to Solve LWE v A = 0 mod q

28 Solve SIS to Solve LWE v b

29 Solve SIS to Solve LWE v A s e +

30 Solve SIS to Solve LWE Compute v∙b mod q. If b=As+e, then v∙b = v∙e is small. If b is uniform, then v∙b mod q is uniform. v b

31 back to signatures…

32 Improving the Rejection Sampling
Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) w.p. Dσ,0 (z) / (MDσ,Sc (z)) Rejection Sampling from [Lyu12]

33 Bimodal Gaussians [DDLL ‘13]
Pick a random y Compute c=H(Ay mod q,μ) Pick a random b in {-1,1} z=bSc+y Output(z,c) w.p. Dσ,0 (z) / M(½Dσ,Sc (z) + ½Dσ,-Sc (z)) for σ = max ||Sc|| / √2 Dσ,0 (z) / M(½Dσ,Sc (z) + ½Dσ,-Sc (z)) ≈ e / M Verify(z,c) Check that z is “small” and c = H(Az – Tc mod q, μ) Az – Tc = A(bSc+y) - Tc = bTc - Tc + Ay Want: Tc = - Tc

34 Optimizations Base problem on the hardness of the NTRU problem
Compress the signature  not all of z needs to be output if H only acts on the high order bits A few other small tricks

35 Performance of the Bimodal LattIce Signature Scheme

36 Hash-and-Sign Signature Schemes

37 Constructing the Trapdoor
+ A’ A’ R G Random matrix with small coefficients Random matrix Special matrix that is easy to invert

38 Easily-Invertible Matrix
Want: Matrix G such that: For any b in Zqn , you can find a 0/1 vector s such that Gs=b mod q … q/2 G =

39 Inverting with a Trapdoor
A = [A’ | A’R+G] Want to find a small s such that As=b s = (s1,s2) b = As = A’s1+(A’R+G)s2 = A’(s1+Rs2) + Gs2 b = Gs2 s1 = - Rs2 set to 0 Revealing R! (probably bad…)

40 Inverting with a Trapdoor
A = [A’ | A’R+G] Want to find a small s such that As=b s = (s1,s2) b = As = A’s1+(A’R+G)s2 = A’(s1+Rs2) + Gs2 b - A’y = Gs2 s1 = y - Rs2 Maybe y hides R? small y

41 Signature Scheme Secret (Signing) Key: R Public (Verification) Key: A = [A’ | A’R+G] Random Oracle H: {0,1}*  Zqn Sign(m): Find short s such that As = H(m,u) Verify (s,u,m) Check that s is short, and As=H(m,u)

42 Security Proof Sketch A sign mi = = H(mi,ui ) pick from D
program the random oracle sign mi

43 Security Proof Sketch A give me H(mi,uj) = = H(mi,uj ) pick from D
program the random oracle give me H(mi,uj)

44 Security Proof Sketch A A To forge on m, the Adversary needs H(m,u)
= = I will forge the signature of m To forge on m, the Adversary needs H(m,u) So m is one of the mj he asked for H(mi,uj) Thus we know an sj such that Asj=H(mi,uj)

45 if it’s non-zero, then we have a solution to SIS
Security Proof Sketch A = - short and hopefully non-zero if it’s non-zero, then we have a solution to SIS

46 Properties Needed A b = s
Can sample the distribution D of s without knowing the trapdoor. The following produce the same distribution of (s,b) (a) Choose s ~ D. Set b=As (b) Choose random b. Use the trapdoor to find an s such that As=b. 3. For a random b, there is more than one likely possible output s such that b=As.

47 Inverting with a Trapdoor
A = [A’ | A’R+G] Want to find a small s such that As=b s = (s1,s2) H(m,u) = As = A’s1+(A’R+G)s2 = A’(s1+Rs2) + Gs2 H(m,u) - A’y = Gs2 s1 = y - Rs2 Maybe y hides R? small y

48 Rejection Sampling H(m,u) - A’y = Gs2 s1 = y - Rs2 Choose y to be a Gaussian. If y has a lot of entropy, the distribution of s2 is uniform and does not depend on the exact value of y. s1 = y-Rs2 is now a shifted Gaussian. Use rejection sampling as before (this requires a proof).

49 Another Approach for Sampling
Suppose we have a matrix A and a trapdoor R such that AR=G. Here is another way to generate an s such that As=b Sample some vector p Sample a z such that Gz = b - Ap Output s = p + Rz ( so As=Ap+Gz=b)

50 Correcting the Distribution
Sample some vector p Sample a z such that Gz = b - Ap Output s = p + Rz ( so As=Ap+Gz=b) How to make the distribution of s independent of R? Tailor the distribution of p to R

51 p Rz + = s

52 identity-Based encryption

53 “Dual” Cryptosystem A A s t r t = + + = u v Public Key Secret Key
m = Public Key Secret Key (short) u v

54 “Dual” Cryptosystem A A s t r t = + + = - = + v u s u v m
m = - = + v u s m u v represent 0 by m=0 represent 1 by m=(q-1)/2

55 “Dual” Cryptosystem Security
= + + Pseudorandom m = Random u v

56 Identity-Based Encryption
Key Authority Master Public Key Master Secret Key Secret Key = s Public Key = Bob

57 Identity-Based Encryption
Key Authority Master Public Key Master Secret Key Secret Key = sBob Public Key = Bob Encrypt(Chris,msg) Secret Key = sChris Public Key = Chris Secret Key = sDave Public Key = Dave

58 Security for IBE Key Authority Master Public Key Master Secret Key
Secret Key = sBob Public Key = Bob Encrypt(Chris,msg) Secret Key = sChris Public Key = Chris CPA-Security: For all mi Encrypt(Chris,mi) are computationally indistinguishable from each other Secret Key = sDave Public Key = Dave

59 IBE Based on LWE A b = s Master Public Key: A Master Secret Key: R
Identity = “Bob” b = H(Bob) Use the sampling algorithm to find a short s such that As = b mod q Use “Dual” LWE encryption to Encrypt to Bob

60 Security Proof Sketch A A t u v
Show that breaking IBE implies breaking the “Dual” cryptosystem public key master public key A t A = = H(Bob) ciphertext pick from D u v program the random oracle Bob

61 Security Proof Sketch A A t u v
Show that breaking IBE implies breaking the “Dual” cryptosystem public key master public key A t A = = H(Bob) ciphertext u v program the random oracle Bob

62 Security Proof Sketch A A t t u v u v
Show that breaking IBE implies breaking the “Dual” cryptosystem public key master public key A t A t = H(Dave) ciphertext u v u v Decryption I will break an encryption to Dave

63 Signatures without random oracles

64 Signatures without Random Oracles
Public Key: [ A | AR ], b Messages will be square invertible matrices M To sign M, find a short s such that [ A | AR+MG ]s = b A(s1+Rs2)+MGs2 = b Gs2 = M-1(b - A(s1+Rs2)) s1 = s1+Rs2 - Rs2

65 Proof of “Selective” Security
In a selectively secure scheme, the adversary declares the message he will forge on before seeing the public key.

66 Proof of “Selective” Security
Given A, b, want to find a short r such that Ar=b. Adversary gives message M’ on which he will forge We want to construct a public key [A | B] so that a signature of M’ will be an s that [ A | B + M’G]s = b will let us find the short r Pick a trap-door R and let B = AR - M’G Then if the adversary can forge, we will get [A|AR]s =b So A(s1+Rs2)=b, and so s1+Rs2 is the r we need.

67 Proof of “Selective” Security
Adversary designed to work on public key [A | AR] We give it public key [A | AR - M’G] Will it still succeed in forging? Yes, if [A | AR] is uniformly random, then [A | AR] has the same distribution as [A | AR - M’G] Adversary may ask us to sign other messages M. How do we do it?

68 Proof of “Selective” Security
To sign M, we need to find an s such that [A | AR - M’G + MG]s = b A(s1+Rs2) + (M-M’)Gs2 = b Gs2 = (M-M’)-1(b - A(s1+Rs2)) s1=s1+Rs2 - Rs2 Need M-M’ to always be invertible. Such a set of size qn is easy to construct. Hint: consider a field F of order qn. Every difference of polynomials in the field is invertible. How do you map this to matrices?


Download ppt "Lattice Signature Schemes"

Similar presentations


Ads by Google