Vadim Lyubashevsky IBM Research -- Zurich


1 Digital Signatures Based on the Hardness of Ideal Lattice Problems in all Rings
Vadim Lyubashevsky, IBM Research -- Zurich

2 Lattice Cryptography
Worst-Case: SIVP, BDD
Average-Case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
SIVP → SIS [Ajt '96]; BDD → LWE [Reg '05] (quantum)
SIS → One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)
LWE → Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption (Cryptomania)

3 Why are SIS and LWE hard?
Solving SIS ⇒ Solving SIVP in all lattices
Solving LWE ⇒ Solving BDD in all lattices
Gives us confidence in the design of SIS / LWE (setting parameters is a completely different matter)

4 Source of Inefficiency
[Figure: the function written as a matrix-vector product, an n × m matrix A of random entries mod p multiplied by a short vector of length m]
Requires O(nm) storage
Computing the function takes O(nm) time

5 Switching to Polynomials
[Figure: the same product with A built from polynomial blocks; each block is the structured matrix of one polynomial (its first column shifted down, with the sign flipped on wrap-around), so A is determined by the polynomial coefficients]
Now A only requires O(m) storage
Product can be computed faster as well

6 Polynomial Multiplication = Matrix-Vector Multiplication
a·b = (a_0 + a_1 x + a_2 x^2 + a_3 x^3) · b = a_0 · b + a_1 · (b x) + a_2 · (b x^2) + a_3 · (b x^3)
Multiplication over Z[x]: the matrix has columns b, b x, b x^2, b x^3 and is multiplied by the vector (a_0, a_1, a_2, a_3)
Multiplication over Z[x]/(f(x)): the matrix has columns b, b x mod f, b x^2 mod f, b x^3 mod f and is multiplied by the same vector (a_0, a_1, a_2, a_3)

7 Switching to Polynomials
(4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Z_p[x]/(x^n + 1)

8 Ring-SIS
Given k random polynomials a_1, …, a_k in Z_p[x]/(x^n + 1), find "small" polynomials z_1, …, z_k such that a_1 z_1 + … + a_k z_k = 0

9 General f-SIS
Given k random polynomials a_1, …, a_k in Z_p[x]/(f(x)), find "small" polynomials z_1, …, z_k such that a_1 z_1 + … + a_k z_k = 0
Thm: [LM '06, PR '07] Solving f-SIS implies finding short vectors in any ideal of Z[x]/(f(x))

10 Same Source of Inefficiency in LWE Constructions
[Figure: LWE written as A·s + e = b with an unstructured n × m matrix A of random entries mod p]

11 Convert to Polynomial Multiplication
[Figure: the same equation A·s + e = b with A made of the structured polynomial blocks from slide 5]

12 (Decision) Ring-LWE in Z[x]/(f(x))
Ring-LWE (search): Given a_1, a_1 s + e_1; a_2, a_2 s + e_2; …; a_k, a_k s + e_k, find s. Here s is random in R and the e_i are "small" (distribution symmetric around 0).
Decision Ring-LWE: Given (a_1, b_1), (a_2, b_2), …, (a_k, b_k). Question: does there exist an s and "small" e_1, …, e_k such that b_i = a_i s + e_i, or are all b_i uniformly random in R?
Thm: [LPR '10] Solving f-LWE implies a quantum algorithm for finding short vectors in any ideal of Z[x]/(f(x))

13 Lattice Cryptography over Polynomial Rings
Worst-Case: SVP over Z[x]/f(x)
Average-Case: SIS over Z[x]/f(x) (reduction from SVP over Z[x]/f(x)); LWE over Z[x]/f(x) (quantum reduction from SVP over Z[x]/f(x))
SIS over Z[x]/f(x) → One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)
LWE over Z[x]/f(x) → Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption (Cryptomania)

14 Are all rings "equally hard"?
For f = x^n + 1, [CDW '16] gives a polynomial-time quantum algorithm for sub-exponential approximations to SVP (the complexity of Ring-LWE is still unchanged – just the underlying assumption is affected)
Does f = x^n + 1 result in an easier ring, or is it just a ring for which an attack is easier to find?
More preferable state of affairs: schemes based on the hardness of lattice problems in every ring

15 Result of this Paper
Worst-Case: SVP over Z[x]/f(x) for any f(x)
Average-Case: SIS over Z[x] (reduction from SVP over Z[x]/f(x) for any f(x)); LWE over Z[x]/f(x) (quantum reduction, as before)
SIS over Z[x] → One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)
LWE over Z[x]/f(x) → Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption (Cryptomania)

16 An Amazing Open Problem
Worst-Case: SVP over Z[x]/f(x) for any f(x)
Average-Case: SIS over Z[x] (reduction from SVP over Z[x]/f(x) for any f(x)); "Some Problem" (reduction from SVP over Z[x]/f(x) for any f(x), quantum?)
SIS over Z[x] → One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)
Some Problem → Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption (Cryptomania), more efficient than LWE-based

17 Z^{<n}[x]-SIS_d
Def: Z^{<n}[x] = all polynomials in Z[x] with degree less than n
Given k random polynomials a_1, …, a_k in Z_p^{<n}[x], find "small" polynomials z_1, …, z_k in Z_p^{<d}[x] such that a_1 z_1 + … + a_k z_k = 0

18 f-SIS < Z^{<n}[x]-SIS_d when d ≤ deg(f) ≤ n
Given an instance a_1, …, a_k of f-SIS, where deg(f) = m:
Pick random r_1, …, r_k in Z_p^{<n-m+1}[x]
Set b_i = a_i + r_i · f (the b_i are uniformly random in Z_p^{<n}[x])
Give (b_1, …, b_k) to the Z_p^{<n}[x]-SIS_d solver
If the solution is (z_1, …, z_k) such that b_1 z_1 + … + b_k z_k = 0, then a_1 z_1 + … + a_k z_k = 0 mod f
Since deg(z_i) < d ≤ deg(f), z_i ≠ 0 mod f
Main observation: the f-SIS input has nothing to do with f (just the degree of f)

19 f-SIS with f = x^n + 1
[Figure: a_1 z_1 + … + a_k z_k = 0 written as a matrix-vector product in which each a_i becomes a block with sign-flipped wrap-around, i.e. multiplication reduced modulo f = x^n + 1]

20 Z[x]-SIS
[Figure: the same product with no reduction at all; each a_i becomes a tall Toeplitz block without wrap-around, the degree of a_i z_i grows to at most n + d - 2, and a_1 z_1 + … + a_k z_k = 0 is required in Z[x] itself]

21 Signature Scheme
Secret Key: s_1, …, s_k in Z^{<d}[x] with small coefficients
Public Key: random a_1, …, a_k in Z_p^{<n}[x] and t = a_1 s_1 + … + a_k s_k in Z_p^{<n+d-1}[x]
Sign(μ):
Pick y_1, …, y_k in Z^{<n}[x] according to D_σ
Compute c = H(a_1 y_1 + … + a_k y_k, μ) in Z^{<n-d+1}[x]
Set z_i = y_i + c s_i
Do rejection sampling (maybe restart)
Output (z_1, …, z_k, c)

22 Verification and Security
Verify(z_1, …, z_k, c, μ): check that the z_i have small norms and c = H(a_1 z_1 + … + a_k z_k - t c, μ)
Security proof: as in "Okamoto"-style digital signatures
Given a_1, …, a_k, create a valid t = a_1 s_1 + … + a_k s_k
With high probability, there exist s_i' where t = a_1 s_1' + … + a_k s_k'
Use the s_i to sign
From the adversary's signature extract short w_i, b such that a_1 w_1 + … + a_k w_k = t b = (a_1 s_1 + … + a_k s_k) b
a_1 (w_1 - b s_1) + … + a_k (w_k - b s_k) = 0
With non-negligible probability the coefficients of the Z[x]-SIS solution are non-zero
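As an added worked example (not code from the talk or from the paper it presents), the following Python puts slides 18 and 21-22 into one runnable toy: the lift from f-SIS to Z_p^{<n}[x]-SIS_d, with a pigeonhole search standing in for the Z_p^{<n}[x]-SIS_d solver, and the sign/verify procedure over Z[x] with rejection sampling. Everything not on the slides is an assumption of this example: polynomials are coefficient lists; the y_i are drawn uniformly from [-B, B] and a signature is accepted only when every coefficient of z_i lies in [-(B-β), B-β], the uniform-rejection variant used here in place of D_σ; H is a SHA-256-derived ternary polynomial; r_i is chosen of degree below n - deg f so that b_i stays inside Z_p^{<n}[x]; and all parameter values (p, n, d, k, B) are tiny constructed ones, not secure choices.

```python
# Added example (not from the talk): toy Z[x]-SIS signature and the f-SIS -> Z_p^{<n}[x]-SIS_d lift.
import hashlib
import itertools
import random

# Polynomials are coefficient lists, lowest degree first; p=None means arithmetic in Z[x].
def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def add(a, b, p=None):
    out = [(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(max(len(a), len(b)))]
    return trim([v % p for v in out] if p is not None else out)

def mul(a, b, p=None):
    out = [0] * max(len(a) + len(b) - 1, 0)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return trim([v % p for v in out] if p is not None else out)

def lin(a_list, z_list, p=None):   # a_1*z_1 + ... + a_k*z_k
    out = []
    for a, z in zip(a_list, z_list):
        out = add(out, mul(a, z, p), p)
    return out

def mod(a, f, p):   # remainder modulo monic f over Z_p; only the f-SIS side ever reduces modulo f
    a, m = trim([v % p for v in a]), len(f) - 1
    while len(a) > m:
        c, s = a[-1], len(a) - 1 - m
        for i, fc in enumerate(f):
            a[s + i] = (a[s + i] - c * fc) % p
        a = trim(a)
    return a

# ---- slide 18: f-SIS < Z_p^{<n}[x]-SIS_d ----
def lift_instance(a_list, f, n, p, rng):
    """b_i = a_i + r_i*f; deg r_i < n - deg f keeps b_i inside Z_p^{<n}[x] (assumed degree choice)"""
    m = len(f) - 1
    return [add(a, mul([rng.randrange(p) for _ in range(n - m)], f, p), p) for a in a_list]

def find_small_solution(b_list, d, p):
    """toy stand-in for the SIS_d solver: two {0,1} inputs with the same image give a {-1,0,1}
    solution by pigeonhole, guaranteed whenever 2^(k*d) > p^(n+d-1)"""
    k, seen = len(b_list), {}
    for bits in itertools.product((0, 1), repeat=k * d):
        zs = [list(bits[i * d:(i + 1) * d]) for i in range(k)]
        key = tuple(lin(b_list, zs, p))
        if key in seen:
            return [[x - y for x, y in zip(z, w)] for z, w in zip(zs, seen[key])]
        seen[key] = zs
    return None

def is_f_sis_solution(a_list, f, z_list, p, d):
    small = all(len(z) <= d and all(abs(v) <= 1 for v in z) for z in z_list)
    nonzero = any(trim([v % p for v in z]) for z in z_list)   # deg z_i < d <= deg f, so z_i != 0 mod f
    return small and nonzero and mod(lin(a_list, z_list, p), f, p) == []

def demo_reduction(seed=1, n=3, d=2, k=4, p=3, f=(1, 0, 1)):   # f = 1 + x^2, so d <= deg f <= n
    rng = random.Random(seed)
    a_list = [[rng.randrange(p) for _ in range(len(f) - 1)] for _ in range(k)]   # a_i in Z_p[x]/(f)
    z_list = find_small_solution(lift_instance(a_list, list(f), n, p, rng), d, p)
    return z_list is not None and is_f_sis_solution(a_list, list(f), z_list, p, d)

# ---- slides 21-22: signature over Z[x]; uniform y_i plus a rejection bound stand in for D_sigma ----
B = 256   # y_i coefficients are uniform in [-B, B] (constructed toy choice)

def hash_to_c(w, msg, n, d):   # H(w, mu) -> ternary c in Z^{<n-d+1}[x], SHA-256 based (constructed)
    h = hashlib.sha256(repr((w, msg)).encode()).digest()
    return trim([h[i] % 3 - 1 for i in range(n - d + 1)])

def keygen(n, d, k, p, rng):
    a_list = [[rng.randrange(p) for _ in range(n)] for _ in range(k)]        # public a_i in Z_p^{<n}[x]
    s_list = [[rng.choice((-1, 0, 1)) for _ in range(d)] for _ in range(k)]  # secret s_i in Z^{<d}[x]
    return (a_list, lin(a_list, s_list, p)), s_list                          # t = a_1 s_1 + ... + a_k s_k

def sign(pk, sk, msg, n, d, p, rng, max_tries=1000):
    beta = min(n - d + 1, d)   # largest |coefficient| that c*s_i can have for ternary c and s_i
    for _ in range(max_tries):
        y_list = [[rng.randint(-B, B) for _ in range(n)] for _ in sk]
        c = hash_to_c(lin(pk[0], y_list, p), msg, n, d)
        z_list = [add(y, mul(c, s)) for y, s in zip(y_list, sk)]   # z_i = y_i + c*s_i, computed in Z[x]
        if all(abs(v) <= B - beta for z in z_list for v in z):     # rejection sampling, else restart
            return z_list, c
    raise RuntimeError("rejection sampling did not terminate")

def verify(pk, msg, sig, n, d, p):
    (a_list, t), (z_list, c), bound = pk, sig, B - min(n - d + 1, d)
    small = all(len(z) <= n for z in z_list) and all(abs(v) <= bound for z in z_list for v in z)
    w = add(lin(a_list, z_list, p), [-v for v in mul(t, c)], p)   # a_1 z_1 + ... + a_k z_k - t*c mod p
    return small and c == hash_to_c(w, msg, n, d)

def demo_signature(seed=1, n=16, d=3, k=4, p=8191):
    rng = random.Random(seed)
    pk, sk = keygen(n, d, k, p, rng)
    sig = sign(pk, sk, b"release 1.2", n, d, p, rng)
    return verify(pk, b"release 1.2", sig, n, d, p), verify(pk, b"release 1.3", sig, n, d, p)
```

demo_reduction() lifts a random f-SIS instance with f = 1 + x^2 over Z_3 to a Z_3^{<3}[x]-SIS_2 instance, finds a ternary solution of the lifted instance and confirms that it is a nonzero solution of the original instance modulo f, exactly the chain of implications on slide 18. demo_signature() returns (True, False): the signature verifies for the message that was signed and fails for any other message. The rejection step accepts a candidate only when every coefficient of z_i lies in [-(B-β), B-β]; since |c s_i| never exceeds β coefficient-wise, the accepted z_i are uniformly distributed on that box regardless of s_i, which is what keeps the signature from leaking the secret key, the same purpose rejection sampling serves for D_σ on the slide.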

23 Current ring-based signatures
Parameters        Current ring-based signatures   Z[x]-SIS Signature
Public key size   1 – 2 KB                        9 KB
Secret key size   1 KB                            10 KB
Signature size    –                               27 KB
Why so much less efficient?
Current schemes are based on Ring-SIS and Ring-LWE
There is a unique secret key for every public key
Need (a_1, …, a_k, t = a_1 s_1 + … + a_k s_k) to look random

24 Solve This Problem!!!
Worst-Case: SVP over Z[x]/f(x) for any f(x)
Average-Case: SIS over Z[x] (reduction from SVP over Z[x]/f(x) for any f(x)); "Some Problem" (reduction from SVP over Z[x]/f(x) for any f(x), quantum?)
SIS over Z[x] → One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes (Minicrypt)
Some Problem → Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption (Cryptomania)

