1. Lattice Signature Schemes
Vadim Lyubashevsky
INRIA / ENS Paris

2. digital signature schemes

3. Digital Signatures (sk,pk) KeyGen Sign(sk,mi) = si
Verify(pk,mi,si) = YES / NO
Correctness: Verify(pk, mi, Sign(sk,mi)) = YES
Security: Unforgeability
Adversary gets pk
Adversary asks for signatures of m1, m2, …
Adversary outputs (m,s) where m ≠ mi and wins if Verify(pk,m,s) = YES

4. Signature Schemes Hash-and-Sign Fiat-Shamir transformation
Requires a trap-door function
Fiat-Shamir transformation
Conversion from an identification scheme
No trap-door function needed

5. fiat-shamir Signature Schemes

6. Signature Scheme (Main Idea)
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c)
Verify(z,c)
Check that z is “small”
and
c = H(Az – Tc mod q, μ)

7. Main Security Intuition
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c)
Verify(z,c)
Check that z is “small”
and
c = H(Az – Tc mod q, μ)
Signature is independent of the secret key

8. Signature Scheme
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c)
make y uniformly random mod q?
then z is too big and forging is easy 

9. Signature Scheme
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c)
make y small?
then z will not be independent of S 

10. Rejection Sampling
Secret Key: S Public Key: A, T=AS mod q Sign(μ) Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y Output(z,c) if z meets certain criteria, else repeat
make y small

11. Rejection Sampling g(x) Have access to samples from g(x) Want f(x)

12. Rejection Sampling g(x) Have access to samples from g(x) Want f(x)
f(x)/M
Sample from g(x), accept x with probability f(x)/Mg(x) ≤ 1
Pr[x] = g(x)∙(f(x)/Mg(x)) = f(x)/M
Something is output with probability 1/M

13. Rejection Sampling
Impossible to tell whether g(x) or h(x) was the original distribution
Have access to samples from g(x)
Want f(x)
g(x)
f(x)/M
h(x)
Sample from g(x), accept x with probability f(x)/Mg(x) ≤ 1
or … Sample from h(x), accept x with probability f(x)/Mh(x) ≤ 1
Pr[x] = g(x)∙(f(x)/Mg(x)) = f(x)/M = h(x)∙(f(x)/Mh(x))
Something is output with probability 1/M

14. Rejection Sampling Pick a random y Compute c=H(Ay mod q,μ) z=Sc+y
Output(z,c) w.p. …
f(y+Sc)
f(y)

15. Normal Distribution 1-dimensional Normal distribution:
ρσ(x) = 1/(√2πσ)e-x2/2σ2
It is:
Centered at 0
Standard deviation: σ

16. Examples

17. Shifted Normal Distribution
1-dimensional shifted Normal distribution:
ρσ,v(x) = 1/(√2πσ)e-(x-v)2/2σ2
It is:
Centered at v
Standard deviation: σ

18. n-Dimensional Normal Distribution
n-dimensional shifted Normal distribution:
ρσ,v(x) = 1/(√2πσ)ne-||x-v||2/2σ2
It is:
Centered at v
Standard deviation: σ

19. 2-Dimensional Example

20. n-Dimensional Normal Distribution
n-dimensional shifted Normal distribution:
ρσ,v(x) = 1/(√2πσ)ne-||x-v||2/2σ2
It is:
Centered at v
Standard deviation: σ
Discrete Normal: for x in Zn,
Dσ,v (x)= ρσ,v(x) / ρσ,v(Zn)

21. Rejection Sampling v=max ||Sc|| Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) w.p. Dσ,0 (z) / (MDσ,Sc (z)) -v v
v=max ||Sc||
for σ = 12v,
Dσ,0 (z) / (MDσ,Sc (z)) ≈ e/M

22. Security Reduction A A,AS Pick random S μi (zi,ci)=Sign(μi) (zi,ci) …
Simulator
Adversary A
A,AS
Pick random S μi
(zi,ci)=Sign(μi)
(zi,ci) …
A(z-z’)+T(c’-c)=0
μ, (z,c)
A(z-z’+Sc’-Sc)=0
μ, (z’,c’)
If this is not 0, then SIS is solved.
Important for adversary to not know S.

23. Interlude: The SIS problem

24. A The SIS Problem = 0 (mod q) s Given a random A in Zqn x m,
Find a “small” s such that As = 0 mod q A s
= 0 (mod q) n m

25. The LWE Problem A s e b
mod q m + = n
||e|| is small
find s

26. Valid LWE Distribution
Decision LWE
Valid LWE Distribution
Uniformly Random A s e b A b + =

27. Solve SIS to Solve LWE v A
= 0 mod q

28. Solve SIS to Solve LWE v b

29. Solve SIS to Solve LWE v A s e +

30. Solve SIS to Solve LWE
Compute v∙b mod q. If b=As+e, then v∙b = v∙e is small.
If b is uniform, then v∙b mod q is uniform. v b

31. back to signatures…

32. Improving the Rejection Sampling
Pick a random y
Compute c=H(Ay mod q,μ)
z=Sc+y
Output(z,c) w.p. Dσ,0 (z) / (MDσ,Sc (z))
Rejection Sampling from [Lyu12]

33. Bimodal Gaussians [DDLL ‘13]
Pick a random y
Compute c=H(Ay mod q,μ)
Pick a random b in {-1,1}
z=bSc+y
Output(z,c) w.p. Dσ,0 (z) / M(½Dσ,Sc (z) + ½Dσ,-Sc (z))
for σ = max ||Sc|| / √2
Dσ,0 (z) / M(½Dσ,Sc (z) + ½Dσ,-Sc (z)) ≈ e / M
Verify(z,c)
Check that z is “small”
and
c = H(Az – Tc mod q, μ)
Az – Tc = A(bSc+y) - Tc = bTc - Tc + Ay
Want: Tc = - Tc

34. Optimizations Base problem on the hardness of the NTRU problem
Compress the signature  not all of z needs to be output if H only acts on the high order bits
A few other small tricks

35. Performance of the Bimodal LattIce Signature Scheme

36. Hash-and-Sign Signature Schemes

37. Constructing the Trapdoor+ A’ A’ R G
Random matrix with small coefficients
Random matrix
Special matrix that is easy to invert

38. Easily-Invertible Matrix
Want: Matrix G such that: For any b in Zqn , you can find a 0/1 vector s such that Gs=b mod q
… q/2
G =

39. Inverting with a Trapdoor
A = [A’ | A’R+G] Want to find a small s such that As=b s = (s1,s2) b = As = A’s1+(A’R+G)s2 = A’(s1+Rs2) + Gs2 b = Gs2 s1 = - Rs2
set to 0
Revealing R!
(probably bad…)

40. Inverting with a Trapdoor
A = [A’ | A’R+G] Want to find a small s such that As=b s = (s1,s2) b = As = A’s1+(A’R+G)s2 = A’(s1+Rs2) + Gs2 b - A’y = Gs2 s1 = y - Rs2
Maybe y hides R?
small y

41. Signature Scheme
Secret (Signing) Key: R Public (Verification) Key: A = [A’ | A’R+G] Random Oracle H: {0,1}*  Zqn Sign(m): Find short s such that As = H(m,u) Verify (s,u,m) Check that s is short, and As=H(m,u)

42. Security Proof Sketch A sign mi = = H(mi,ui ) pick from D
program the random oracle
sign mi

43. Security Proof Sketch A give me H(mi,uj) = = H(mi,uj ) pick from D
program the random oracle
give me H(mi,uj)

44. Security Proof Sketch A A To forge on m, the Adversary needs H(m,u)= =
I will forge the signature of m
To forge on m, the Adversary needs H(m,u)
So m is one of the mj he asked for H(mi,uj)
Thus we know an sj such that Asj=H(mi,uj)

45. if it’s non-zero, then we have a solution to SIS
Security Proof Sketch A = -
short and hopefully non-zero
if it’s non-zero, then we have a solution to SIS

46. Properties Needed A b = s
Can sample the distribution D of s without knowing the trapdoor.
The following produce the same distribution of (s,b)
(a) Choose s ~ D. Set b=As
(b) Choose random b. Use the trapdoor to find an s such that As=b.
3. For a random b, there is more than one likely possible output s such that b=As.

47. Inverting with a Trapdoor
A = [A’ | A’R+G] Want to find a small s such that As=b s = (s1,s2) H(m,u) = As = A’s1+(A’R+G)s2 = A’(s1+Rs2) + Gs2 H(m,u) - A’y = Gs2 s1 = y - Rs2
Maybe y hides R?
small y

48. Rejection Sampling
H(m,u) - A’y = Gs2 s1 = y - Rs2 Choose y to be a Gaussian. If y has a lot of entropy, the distribution of s2 is uniform and does not depend on the exact value of y. s1 = y-Rs2 is now a shifted Gaussian. Use rejection sampling as before (this requires a proof).

49. Another Approach for Sampling
Suppose we have a matrix A and a trapdoor R such that AR=G. Here is another way to generate an s such that As=b Sample some vector p Sample a z such that Gz = b - Ap Output s = p + Rz ( so As=Ap+Gz=b)

50. Correcting the Distribution
Sample some vector p Sample a z such that Gz = b - Ap Output s = p + Rz ( so As=Ap+Gz=b) How to make the distribution of s independent of R? Tailor the distribution of p to R

51. p Rz + = s

52. identity-Based encryption

53. “Dual” Cryptosystem A A s t r t = + + = u v Public Key Secret Keym =
Public Key
Secret Key
(short) u v

54. “Dual” Cryptosystem A A s t r t = + + = - = + v u s u v mm = - = + v u s m u v
represent 0 by m=0
represent 1 by m=(q-1)/2

55. “Dual” Cryptosystem Security= + +
Pseudorandom m =
Random u v

56. Identity-Based Encryption
Key Authority
Master Public Key
Master Secret Key
Secret Key = s
Public Key = Bob

57. Identity-Based Encryption
Key Authority
Master Public Key
Master Secret Key
Secret Key = sBob
Public Key = Bob
Encrypt(Chris,msg)
Secret Key = sChris
Public Key = Chris
Secret Key = sDave
Public Key = Dave

58. Security for IBE Key Authority Master Public Key Master Secret Key
Secret Key = sBob
Public Key = Bob
Encrypt(Chris,msg)
Secret Key = sChris
Public Key = Chris
CPA-Security: For all mi Encrypt(Chris,mi) are computationally indistinguishable from each other
Secret Key = sDave
Public Key = Dave

59. IBE Based on LWE A b = s Master Public Key: A Master Secret Key: R
Identity = “Bob”
b = H(Bob)
Use the sampling algorithm to find a short s such that As = b mod q
Use “Dual” LWE encryption to Encrypt to Bob

60. Security Proof Sketch A A t u v
Show that breaking IBE implies breaking the “Dual” cryptosystem
public key
master public key A t A =
= H(Bob)
ciphertext
pick from D u v
program the random oracle
Bob

61. Security Proof Sketch A A t u v
Show that breaking IBE implies breaking the “Dual” cryptosystem
public key
master public key A t A =
= H(Bob)
ciphertext u v
program the random oracle
Bob

62. Security Proof Sketch A A t t u v u v
Show that breaking IBE implies breaking the “Dual” cryptosystem
public key
master public key A t A t
= H(Dave)
ciphertext u v u v
Decryption
I will break an encryption to Dave

63. Signatures without random oracles

64. Signatures without Random Oracles
Public Key: [ A | AR ], b Messages will be square invertible matrices M To sign M, find a short s such that [ A | AR+MG ]s = b A(s1+Rs2)+MGs2 = b Gs2 = M-1(b - A(s1+Rs2)) s1 = s1+Rs2 - Rs2

65. Proof of “Selective” Security
In a selectively secure scheme, the adversary declares the message he will forge on before seeing the public key.

66. Proof of “Selective” Security
Given A, b, want to find a short r such that Ar=b. Adversary gives message M’ on which he will forge We want to construct a public key [A | B] so that a signature of M’ will be an s that [ A | B + M’G]s = b will let us find the short r Pick a trap-door R and let B = AR - M’G Then if the adversary can forge, we will get [A|AR]s =b So A(s1+Rs2)=b, and so s1+Rs2 is the r we need.

67. Proof of “Selective” Security
Adversary designed to work on public key [A | AR] We give it public key [A | AR - M’G] Will it still succeed in forging? Yes, if [A | AR] is uniformly random, then [A | AR] has the same distribution as [A | AR - M’G] Adversary may ask us to sign other messages M. How do we do it?

68. Proof of “Selective” Security
To sign M, we need to find an s such that [A | AR - M’G + MG]s = b A(s1+Rs2) + (M-M’)Gs2 = b Gs2 = (M-M’)-1(b - A(s1+Rs2)) s1=s1+Rs2 - Rs2 Need M-M’ to always be invertible. Such a set of size qn is easy to construct. Hint: consider a field F of order qn. Every difference of polynomials in the field is invertible. How do you map this to matrices?