Applications of Middle-Product Learning with Errors (MP-LWE), Ron Steinfeld (PowerPoint PPT Presentation)



SLIDE 1

Applications of Middle-Product Learning with Errors (MP-LWE)

Ron Steinfeld

Monash University
ron.steinfeld@monash.edu

CIS 2019 Winter School

Based on joint work [RSSS17], [SSZ17], [B+19] (work in progress, in submission) with subsets of: Shi Bai, Dipayan Das, Ryo Hiromasa, Miruna Rosca, Amin Sakzad, Damien Stehlé, Raymond K. Zhao, Zhenfei Zhang.

Ron Steinfeld (Monash University), App. of MP-LWE, 28/03/2018, 1 / 43

SLIDE 2

Outline of the talk

1- Recap: MP-LWE and risk-performance balance goal
2- Application: Pub. Key Encryption from MP-LWE
   • Primal Regev IND-CPA PKE [RSSS17]
   • Dual Regev IND-CPA PKE [LVV19]
3- Application: Digital Signatures from MP-LWE
   • PSIS∅-based construction [L16]
   • MP-LWE-based construction [R18, B+19]
4- Summary and Problems

MP-LWE-based construction [LVV19]

SLIDE 3

Risk-Performance balance and MP-LWE: Recap

• Rosca et al [RSSS17]: first positive answer for encryption: Middle-Product LWE (MP-LWE), a poly. variant of the LWE problem as secure as the hardest PLWE^f for a big family F of f's
• Basic Idea: work in a polynomial ring Z[x] with a modified 'middle-product' ring mult.
• Designed a public-key encryption scheme
• Optimized NIST PQC encryption submission: Titanium [RSZ17]
• Security-Risk-vs.-Perf. Balance: Lower security risk guarantee than PLWE^f schemes, better performance than LWE schemes
• Designed improved digital signature schemes [B+18]

SLIDE 4

Application: Public-Key Encryption from MP-LWE

SLIDE 5

Titanium-CPA: Primal Regev PKE from MP-LWE – Construction [RSSS17,BSZ19]

Algorithm 1: Titanium-CPA.KeyGen
Input: 1^λ. Output: pk and sk.

1: function KeyGen(1^λ)
2:   Let s ←$ U(Z_q^{<n+d+k−1}[x]).
3:   Let (a_1, ..., a_t) ←$ U(Z_q^{<n}[x])^t.
4:   Let (e_1, ..., e_t) ←$ χ_e ∈ (Z_q^{<d+k}[x])^t.
5:   for i ≤ t do
6:     Let b_i = a_i ⊙_{d+k} s + e_i ∈ Z_q^{<d+k}[x].
7:   end for
8:   Let pk = ((a_1, ..., a_t), (b_1, ..., b_t)) and sk = s.
9: end function

SLIDE 6

Titanium-CPA: Primal Regev PKE from MP-LWE – Construction [RSSS17,BSZ19]

Algorithm 2: Titanium-CPA.Encrypt
Input: pk = ((a_1, ..., a_t), (b_1, ..., b_t)) and m ∈ Z_p^{<d}[x]. Output: ct = (c′_1, c′_2).

1: function Encrypt(pk, m)
2:   Let (r_1, ..., r_t) ←$ χ_r ∈ (Z_q^{<k+1}[x])^t.
3:   Let c′_1 = Σ_{i=1}^{t} r_i · a_i.
4:   Let c′_2 = Σ_{i=1}^{t} r_i ⊙_d b_i + ⌊q/p⌋ · m ∈ Z_q^{<d}[x].
5: end function

SLIDE 7

Titanium-CPA Decryption Algorithm [RSSS17,BSZ19]

Algorithm 3: Titanium-CPA.Decrypt
Input: sk = s and ct = (c′_1, c′_2). Output: m′.

1: function Decrypt(sk, ct)
2:   Let c′ = c′_2 − c′_1 ⊙_d s ∈ Z_q^{<d}[x].
3:   Let m′ = Round(⌊q/p⌋, c′) ∈ Z_p^{<d}[x].
4: end function

SLIDE 11

Correctness of Titanium-CPA

Looking at decryption Algorithm:

c′ = c′_2 − c′_1 ⊙_d s
   = Σ_{i=1}^{t} r_i ⊙_d b_i + ⌊q/p⌋ · m − (Σ_{i=1}^{t} r_i · a_i) ⊙_d s
   = Σ_{i=1}^{t} r_i ⊙_d (a_i ⊙_{d+k} s + e_i) + ⌊q/p⌋ · m − Σ_{i=1}^{t} (r_i · a_i) ⊙_d s
   = ⌊q/p⌋ · m + Σ_{i=1}^{t} r_i ⊙_d e_i ∈ Z_q^{<d}[x] ≈ ⌊q/p⌋ · m,

using 'associative' property of middle-product: r_i ⊙_d (a_i ⊙_{d+k} s) = (r_i · a_i) ⊙_d s.
Compute tight upper bound on decryption error prob. p_e (Hoeffding).
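As an added example (not code from the talk or from the Titanium submission), the following pure-Python toy models Algorithms 1 to 3 and checks the associativity identity the derivation above relies on. The parameters n, d, k, t, q, p and the small-coefficient distributions standing in for χ_e and χ_r are constructed for the demo and carry no security; everything is schoolbook arithmetic and not constant-time.

```python
import random

# Toy parameters, constructed for this demo only (far too small to be secure).
N, D, K, T, Q, P = 16, 4, 3, 3, 12289, 2

def mid_product(a, b, d, q):
    """a (.)_d b: the d middle coefficients (degrees len(a)-1 .. len(a)+d-2)
    of a*b. Every use in Titanium has len(b) == len(a) + d - 1."""
    assert len(b) == len(a) + d - 1, "dimensions incompatible with (.)_d"
    k = len(a) - 1
    return [sum(a[i] * b[k + m - i] for i in range(len(a))) % q for m in range(d)]

def poly_mul(a, b, q):
    """Ordinary (schoolbook) product; coefficient index = degree."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out

def poly_add(a, b, q):
    return [(x + y) % q for x, y in zip(a, b)]

def centered(v, q):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= q
    return v - q if v > q // 2 else v

def keygen(rng):
    """Algorithm 1: s uniform in Z_q^{<n+d+k-1}[x], a_i uniform in Z_q^{<n}[x],
    small e_i in Z_q^{<d+k}[x] (toy stand-in for chi_e), b_i = a_i (.)_{d+k} s + e_i."""
    s = [rng.randrange(Q) for _ in range(N + D + K - 1)]
    a = [[rng.randrange(Q) for _ in range(N)] for _ in range(T)]
    e = [[rng.randint(-2, 2) % Q for _ in range(D + K)] for _ in range(T)]
    b = [poly_add(mid_product(a[i], s, D + K, Q), e[i], Q) for i in range(T)]
    return (a, b), s

def encrypt(pk, m, rng):
    """Algorithm 2: small r_i in Z^{<k+1}[x] (toy chi_r: coefficients in {-1,0,1});
    c1 = sum_i r_i * a_i (ordinary product), c2 = sum_i r_i (.)_d b_i + floor(q/p)*m."""
    a, b = pk
    r = [[rng.randint(-1, 1) % Q for _ in range(K + 1)] for _ in range(T)]
    c1 = [0] * (N + K)
    c2 = [(Q // P) * mi % Q for mi in m]
    for i in range(T):
        c1 = poly_add(c1, poly_mul(r[i], a[i], Q), Q)
        c2 = poly_add(c2, mid_product(r[i], b[i], D, Q), Q)
    return c1, c2

def decrypt(sk, ct):
    """Algorithm 3: c' = c2 - c1 (.)_d s = floor(q/p)*m + sum_i r_i (.)_d e_i; Round
    recovers m while every noise coefficient stays below q/(2p) in absolute value."""
    c1, c2 = ct
    cprime = [(x - y) % Q for x, y in zip(c2, mid_product(c1, sk, D, Q))]
    return [round(centered(v, Q) / (Q // P)) % P for v in cprime]

def associativity_holds(seed):
    """The identity behind the correctness argument, r (.)_d (a (.)_{d+k} s) ==
    (r * a) (.)_d s, checked on random polynomials of the scheme's dimensions."""
    rng = random.Random(seed)
    r = [rng.randrange(Q) for _ in range(K + 1)]
    a = [rng.randrange(Q) for _ in range(N)]
    s = [rng.randrange(Q) for _ in range(N + D + K - 1)]
    lhs = mid_product(r, mid_product(a, s, D + K, Q), D, Q)
    rhs = mid_product(poly_mul(r, a, Q), s, D, Q)
    return lhs == rhs

def roundtrip(seed):
    """KeyGen, Encrypt and Decrypt one random d-coefficient message; True iff m' == m."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    m = [rng.randrange(P) for _ in range(D)]
    return decrypt(sk, encrypt(pk, m, rng)) == m
```

With these toy values each noise coefficient is at most t·(k+1)·2 = 24, far below q/(2p), so every roundtrip decrypts; shrinking q or widening the error range shows where Round starts to fail.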

SLIDE 12

Security of Titanium-CPA: Primal Regev PKE from MP-LWE

Recall Titanium-CPA ciphertext form c_1 = Σ_{1≤i≤t} r_i · a_i and c_2 = Σ_{1≤i≤t} r_i ⊙_d b_i + m · ⌊q/2⌋, using random r_i's with 'small' coefficients, each with entropy b_LHL.

Security Proof idea: Replace key gen. (a_i ←$ U(Z_q^{<n}[x]), b_i = a_i ⊙_{d+k} s + e_i) with uniform pairs (a_i ←$ U(Z_q^{<n}[x]), b_i ←$ U(Z_q^{<d+k}[x])).
• MP-LWE^n_{q,α,χ,d′=d+k} hardness implies attacker's view stays comp. indistinguishable.

Now Σ_{1≤i≤t} r_i ⊙_d b_i is stat. indistinguishable from uniform on Z_q^{<d}[x] (given pub key and c_1) → stat. masks message m in c_2.
• Implied by Generalized Leftover Hash Lemma (LHL) if q prime and min-entropy of r_i's sufficiently exceeds max-entropy of ciphertext space.
• c_1 = 'auxiliary information' on r_i's, not uniform (no security impact).

SLIDE 13

Security of Titanium-CPA: Generalised LHL

Recall: we use the generalized Leftover Hash Lemma (GLHL) to prove that ((a_i, b_i)_i, c_1 = Σ_i r_i · a_i, c_2 = Σ_i r_i ⊙_d b_i) is statistically close to ((a_i, b_i)_i, Σ_i r_i · a_i, U(Z_q^{<d}[x])).

• The GLHL lemma requires that the function f_b(r) → Σ_i r_i ⊙_d b_i is a universal hash family.
• Need to show that Pr_b[f_b(r) = 0] = q^{−d} for any non-zero r. Follows from f_b(r) = Σ_i Toep(r_i) · b_i and the fact that one of the Toep(r_i)'s has a non-zero diagonal.
• (r_1, ..., r_t) have sufficient min-entropy conditioned on c_1:

  t ≥ (2 · (log(∆_LHL^{−1}) − 1) + (n + d + k) · log q) / ((k + 1) · b_LHL).

SLIDE 14

Security of Titanium-CPA: Limitation of MP-LWE – no exp. close standard LHL

Q: Why not use standard LHL, as in LWE-based Primal Regev scheme? Can we show c_1 = Σ_{i≤t} r_i · a_i is also statistically exp. close to uniform (conditioned on a_i's)?

A: MP-LWE LHL Limitation: For small t, c_1 = Σ_{i≤t} r_i · a_i is noticeably far from uniform conditioned on a_i's, so there is no exp. close standard LHL!

• Observation 1: The map a_i ∈ Z_q^{<n}[x] → r_i · a_i ∈ Z_q^{n+k−1} is expanding ⇒ f_a(r) = Σ_{i≤t} r_i · a_i is not a universal hash family.
• Observation 2: The constant coefficient c_1[0] = Σ_{i≤t} r_i[0] · a_i[0] depends only on the t constant coeffs a_1[0], ..., a_t[0].
  ⇒ with prob. 1/q^t over a_i's, c_1[0] = 0 with prob. 1, conditioned on the a_i's.
  ⇒ for small t, a non-negligible bias 1/q^t on distribution of c_1[0] conditioned on a_i's.

SLIDE 15

Titanium-CPA: Primal Regev based on MP-LWE - Parameter Considerations

• pub key length is linear in number of MP-LWE samples t in the pub. key
• Asymptotically, can use t = O(log λ), q = λ^{O(1)}, d, n = O(λ) ⇒ enc/dec/kg time = O(λ) for security parameter λ ⇒ length of pk, ct = O(λ)
• In practice, the following are efficiency bottlenecks:
  • t ≈ 10 cannot be too small due to statistical LHL condition (compared to t = 1 for PLWE^f schemes)
  • q also relatively large (compared with PLWE^f schemes) to reduce decryption error probability.
• Q: Why not use computational LHL, as in PLWE^f schemes, to reduce t?
• A: Limitation: In MP-LWE-based Primal Regev, we have no computational LHL! Need hardness of recovering 'small' r_i's from c_1 = Σ_i a_i · r_i. This is the insecure variant of the I-MP-PSIS problem (vs. secure PLWE^f in ring setting) for small t!

SLIDE 16

Optimized Implementation Aspects

Fast Middle Product Algorithm and Optimisations:

1 MP-NTT: NTT-based algorithm for c = a ⊙_d b
  • Generalized/Optimized version of MP alg. in [HQZ04]
  • Faster than NTT-based multiplication and then middle-truncation
  • Uses NTTs in dimension D = dim(b) rather than dim(b) + dim(d).
2 Main computation: c = Trunc(NTT_D^{−1}(NTT_D(Rev(a)) ∘ NTT_D(b))),
3 Optimisations:
  • Exploits input zero-padding of a to dim(b) to speed up NTT(a)
  • Exploits output truncation to speed up NTT^{−1}
  • Fast mod q reduction (Barrett and Montgomery)
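Added example (not the talk's or Titanium's code) of the MP-NTT idea: one cyclic convolution in dimension D = dim(b), padded up to a power of two, with a zero-padded and the output truncated to the d middle coefficients. Because every middle product in the scheme has dim(b) = dim(a) + d − 1, the wanted coefficients never wrap around mod x^D − 1, so this version skips the Rev(·) step of the [HQZ04] formulation; the toy NTT-friendly primes, dimensions and the schoolbook reference check are assumptions of the example.

```python
import random

def root_of_unity(dim, q):
    """A primitive dim-th root of unity mod q (dim a power of two dividing q-1):
    g^((q-1)/dim) is primitive iff its dim/2-th power equals -1."""
    assert dim >= 2 and (q - 1) % dim == 0, "q is not NTT-friendly for this dim"
    for g in range(2, q):
        w = pow(g, (q - 1) // dim, q)
        if pow(w, dim // 2, q) == q - 1:
            return w
    raise ValueError("no primitive root found")

def ntt(vec, w, q):
    """Recursive radix-2 NTT: evaluates vec (length a power of two) at 1, w, w^2, ..."""
    n = len(vec)
    if n == 1:
        return vec[:]
    even = ntt(vec[0::2], w * w % q, q)
    odd = ntt(vec[1::2], w * w % q, q)
    out, wk = [0] * n, 1
    for i in range(n // 2):
        t = wk * odd[i] % q
        out[i], out[i + n // 2] = (even[i] + t) % q, (even[i] - t) % q
        wk = wk * w % q
    return out

def intt(vec, w, q):
    """Inverse NTT: evaluate at the inverse powers and divide by the length."""
    n_inv = pow(len(vec), -1, q)
    return [x * n_inv % q for x in ntt(vec, pow(w, -1, q), q)]

def mid_product_ntt(a, b, d, q):
    """a (.)_d b via ONE cyclic convolution of dimension D = dim(b) (rounded up to a
    power of two) instead of a full product in dimension dim(a)+dim(b)-1.
    With len(b) = len(a)+d-1 the wanted coefficients len(a)-1 .. len(a)+d-2 of a*b
    involve only b indices 0 .. len(b)-1, so no wrap-around modulo x^D - 1 occurs."""
    assert len(b) == len(a) + d - 1
    dim = 1
    while dim < len(b):
        dim *= 2
    w = root_of_unity(dim, q)
    fa = ntt(a + [0] * (dim - len(a)), w, q)   # zero-padding of a to dim(b)
    fb = ntt(b + [0] * (dim - len(b)), w, q)
    conv = intt([x * y % q for x, y in zip(fa, fb)], w, q)
    k = len(a) - 1
    return conv[k:k + d]                       # output truncation

def mid_product_ref(a, b, d, q):
    """Schoolbook reference for the same middle product."""
    k = len(a) - 1
    return [sum(a[i] * b[k + m - i] for i in range(len(a))) % q for m in range(d)]

def agrees(seed, len_a, d, q=12289):
    """Compare the NTT and schoolbook middle products on random inputs."""
    rng = random.Random(seed)
    a = [rng.randrange(q) for _ in range(len_a)]
    b = [rng.randrange(q) for _ in range(len_a + d - 1)]
    return mid_product_ntt(a, b, d, q) == mid_product_ref(a, b, d, q)
```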

SLIDE 17

Optimized Implementation Aspects

Fast Middle Product Algorithm and Optimisations, Application to Titanium:
• 3 NTT dims needed: d_1 ≥ d + k, d_2 ≥ n + k, d_3 ≥ n + d + k − 1
• Choice of NTT dims: small multiples of 256
• Core optimised NTT module = radix-2 algorithm in dim. 256 (similar choice in Kyber)
• Choice of parameters k, n: close to multiples of 256 (min. pad)
• Choice of q: 'NTT-friendly' prime wrt d_1, d_2, d_3.

Precomputation Optimisations:
• Precompute pub-key NTT in keygen (save NTT from enc/CCA dec)
• Sample secret key directly in NTT domain (save NTT)

Constant-time implementation:

SLIDE 18

Optimized Implementation Aspects

Choice of Error distributions:

1 Secret key: Uniform distrib. coeffs over Z_q
  • sample directly in the NTT domain from seed_sk (save NTT)
2 Enc randomness: Uniform distrib. over [−2^b, 2^b]
  • Shape: max. min-entropy (LHL) for given variance (dec. error probability)
  • Size of b: optimize to reduce pk+ciph size given the LHL security constraint and the word-size q constraint for efficient modular arithmetic
  • Power of 2: efficient sampling
3 'Binomial Difference' distribution for errors
  • std. dev. of error coeff. = √2, fast constant-time sampling
  • ≈ Gaussian shape as in worst-case hardness proofs

Decryption error probability p_e:

1 A moderate goal p_e = 2^{−30} for Titanium-CPA, and
2 Set to a cryptographically negligible value for Titanium-CCA (provably avoid decryption failure attacks)

SLIDE 19

Titanium-CPA Parameters

Table: Determined Titanium-CPA core parameters.

Parameter   Toy64    Lite96   Std128   Med160   Hi192    Super256
n           684      800      1024     1280     1536     2048
k           255      479      511      511      767      1023
d           256      256      256      256      256      256
t           10       8        9        9        7        7
q           240641   84481    86017    301057   737281   1198081
p           2        2        2        2        2        2
cmp         10       9        9        11       12       13

SLIDE 20

Titanium-CCA Parameters

Table: Determined Titanium-CCA core parameters.

Parameter   Toy64    Lite96   Std128   Med160   Hi192    Super256
n           684      800      1024     1280     1536     2048
k           255      479      511      511      767      1023
d           256      256      256      256      256      256
t           10       9        10       10       8        8
q           471041   115201   118273   430081   783361   1198081
p           2        2        2        2        2        2
cmp         11       9        9        11       12       13

SLIDE 21

Performance comparison with some other proposals

• Prelim. Comparison with some NIST Level 1 proposals:
  • Large time gain over FrodoKEM without AES-NI instructions
  • Does not take into account larger PLWE^f security margin for Titanium

Scheme               Hard Problem    F Size    Size (Bytes)    Time (Cycles)
Kyber-512            Module PLWE^f   1         |pk| = 736      K: 141872
                                               |sk| = 1632     E: 205468
                                               |ct| = 800      D: 246040
Titanium-CCA-Std128  MP-LWE          ≥ 3^256   |pk| = 16352    K: 1806119
                                               |sk| = 16384    E: 1446751
                                               |ct| = 3552     D: 1671578
FrodoKEM-640-cSHAKE  LWE             n/a       |pk| = 9616     K: 8297000
                                               |sk| = 19872    E: 9082000
                                               |ct| = 9736     D: 9077000

SLIDE 22

Dual Regev PKE from MP-LWE – Construction idea [LVV19]

Dual Regev scheme [GPV08]: swaps key generation and encryption operations.

Dual Regev PKE based on MP-LWE ([LVV19], simplified):

Keygen: (a_1, ..., a_t) ←$ U(Z_q^{<n}[x])^t, r_i ← χ_r ∈ Z_q^{<k+1}[x] for i ∈ [t], u = Σ_i r_i · a_i ∈ Z_q^{<n+k}[x]. Return pk = (a_1, ..., a_t, u) and sk = (r_1, ..., r_t).

Encrypt(m, pk): b_i = a_i ⊙_{d+k} s + e_i for i ∈ [t], where s ← U(Z_q^{<n+d+k−1}[x]), e_i ← χ_e, and c = u ⊙_d s + ⌊q/p⌋ · m ∈ Z_q^{<d}[x]. Return ct = (c, b_1, ..., b_t).

Decrypt(ct, sk): c′ = c − Σ_i r_i ⊙_d b_i ∈ Z_q^{<d}[x]. Return m′ = Round(⌊q/p⌋, c′) ∈ Z_p^{<d}[x].

SLIDE 23

Dual Regev PKE from MP-LWE – Security idea [LVV19]

Two main ingredients in security analysis [LVV19]:

• Weak Leftover Hash Lemma: Shows c_1 = Σ_{i≤t} r_i · a_i is within statistical distance ∆ = O(q/2^{bt/2}) of uniform, where b << log q is coord. min-entropy of χ_r.
  • Similar to non-uniformity bias lower bound 1/q^t: not exponentially small in λ when t = O(log λ) small and q = poly(λ).
  • Limitation: For t = O(log λ) small, and q = poly(λ), only suffices to show 'weak' security: rule out attacks with advantage > 1/λ^{O(λ)}.
  ⇒ can replace u in pk by uniformly random polynomial in Z_q^{<n+k}[x].
• Hardness of 'parameterised degree' MP-LWE variant: u has different degree to a_i's.

SLIDE 24

Application: Digital Signatures from MP-LWE

SLIDE 25

Overview

• a digital signature scheme based on PSIS∅ [Lyu16]
• a digital signature scheme based on small secret MP-LWE [B+19]

SLIDE 26

Introduction

SLIDE 29

Digital signature DS = (Gen, Sign, Ver)

(m, σ = Sign_sk(m)) → Ver_pk(m, σ) ∈ {0, 1}
(signer holds sk)      (verifier holds pk)

Correctness: Ver_pk(m, Sign_sk(m)) = 1 w.h.p.
Security: DS is secure if no adversary, having access to many signatures, is able to produce a signature for a new message.

SLIDE 30

Digital signature based on PSIS∅ [Lyu16]

SLIDE 31

Identification scheme ID = (IGen, P, V)

Security: ID is secure if no adversary having access to multiple transcripts (W,c,Z) is able to fool the verifier.

SLIDE 32

An example: Schnorr

sk = x ← Z_q
vk consists of a group G = ⟨g⟩ of order q and y := g^x

SLIDE 33

Fiat-Shamir: from identification schemes to signatures

• to sign a message M, the signer computes c = H(W ‖ M) and Sign_sk(M) = (W, Z)
• to verify a signature (W, Z) of M, the verifier computes c = H(W ‖ M) and V(pk, W, c, Z)

SLIDE 36

Security of Fiat-Shamir: Classical Rewinding Approach

Fiat-Shamir '86

ID has some "good properties" ⇒ DS is secure in the random oracle model (ROM)

"good properties":
• Special Soundness: Given two accepting transcripts (W, c, Z), (W, c′, Z′) with c ≠ c′ for the same commitment W, there is an efficient extractor algorithm that computes the solution to a hard computational problem.
• the transcripts are publicly simulatable

security in ROM: classical adversary, classical access to H, classical access to signing oracle

SLIDE 37

PSIS∅ based identification scheme [Lyu16]

IGen:
  a_1, ..., a_k ←$ Z_q^{<n}[x]
  s_1, ..., s_k ←$ Z_{≤s}^{<d_1}[x]
  t = Σ_{i≤k} s_i · a_i
  pk = (a_1, ..., a_k, t), sk = (s_1, ..., s_k)
  Output (pk, sk)

P1(sk):
  y_1, ..., y_k ← D^{n+d−1}_{Z,σ} ∈ Z^{<n+d−1}[x]
  w = Σ_{i≤k} y_i · a_i
  Output W = w, St = (w, y_1, ..., y_k)

P2(sk, W = w, c, St = (w, y_1, ..., y_k)):
  z_i = s_i · c + y_i for i ∈ [k]
  if ‖z_i‖_∞ > A′ for some i ∈ [k] then (z_1, ..., z_k) = ⊥
  Output Z = (z_1, ..., z_k)

V(pk, W = w, c, Z = (z_1, ..., z_k)):
  If w = Σ_{i≤k} a_i · z_i − t · c and ‖z_i‖_∞ ≤ A′ for i ∈ [k], accept, else reject

SLIDE 38

PSIS∅-based id scheme [Lyu16] - Parameter Considerations

Special Soundness proof idea: From two accepting transcripts (W, c, Z) ≠ (W, c′, Z′) with the same commitment, we have

  Σ_{i≤k} (z_i − z′_i) · a_i = t · (c − c′)

⇒ get a solution to the I-PSIS∅ problem. Using the hardness reduction for I-PSIS∅ with sufficiently 'large' secret coordinates (s >> q^{1/k}), get a solution to PSIS∅.

In practice, the following are efficiency bottlenecks:
• k ≈ 6 cannot be too small due to the 'large' secret condition, to keep q small.
• 'Large' secret coordinates ⇒ long signatures.
Q: Why not use short secret coords, to reduce sig. length?
A: Limitation: Insecure I-PSIS∅ with short secret s << q^{1/k}!

SLIDE 39

Digital signature based on MP-LWE [Hir18,B+19]

Based on work in submission [B+19]: Miruna Rosca, Shi Bai, Dipayan Das, Ryo Hiromasa, Amin Sakzad, Damien Stehlé, Ron Steinfeld, Zhenfei Zhang. ‘MPSign: A Signature from Small-Secret Middle-Product Learning with Errors’.

SLIDE 42

Security of Fiat-Shamir: Lossy pk Approach

[KLS18]

ID has some "good properties" ⇒ DS is tightly secure in the quantum random oracle model (QROM)

"good properties":
• pk is indistinguishable from uniform
• relative to a uniform pk, no adversary can impersonate the prover
• the transcripts are publicly simulatable
• W has high entropy

security in QROM: quantum adversary, quantum access to H, classical access to signing oracle

SLIDE 43

Our MP-LWE based identification scheme

IGen:
  a ←$ Z_q^{<n}[x]
  s ←$ D_{Z^{n+d+k−1}, α′q}
  e ←$ D_{Z^{d+k}, α″q}
  b = a ⊙_{d+k} s + e
  pk = (a, b), sk = (s, e)
  Output (pk, sk)

P1(sk):
  y_1 ←$ Z^{<n+d−1}_{≤a′}[x]
  y_2 ←$ Z^{<d}_{≤a″}[x]
  w = a ⊙_d y_1 + y_2
  Output W = w, St = (w, y_1, y_2)

P2(sk, W = w, c, St = (w, y_1, y_2)):
  z_1 = c ⊙_{n+d−1} s + y_1
  z_2 = c ⊙_d e + y_2
  if ‖z_1‖_∞ > A′ or ‖z_2‖_∞ > A″ then (z_1, z_2) = ⊥
  Output Z = (z_1, z_2)

V(pk, W = w, c, Z = (z_1, z_2)):
  If w = a ⊙_d z_1 + z_2 − c ⊙_d b, ‖z_1‖_∞ ≤ A′ and ‖z_2‖_∞ ≤ A″, accept, else reject

SLIDE 44

Our digital signature MPSign

• obtained by applying the Fiat-Shamir transform to the above identification scheme
• we fix the wrong security analysis from [Hir18]
  • they assume a ⊙_n y is uniform for fixed y and uniform a
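As an added example (not the MPSign code from the project's repository), a toy Python version of the identification scheme above with the Fiat-Shamir challenge c = H(W ‖ M) folded in: IGen, the prover's P1/P2 with rejection of z_1, z_2 outside the bounds A′, A″, and V. The toy dimensions, bounded uniform secrets in place of the discrete Gaussians, and the hash-seeded challenge sampler are assumptions of the demo and give no security.

```python
import hashlib
import random

# Toy parameters, constructed for this demo only (no security): dimensions n, d, k,
# challenge weight kappa, modulus q, masking range a' = MASK and bound A' = MASK - 6
# (6 bounds |c (.) s| and |c (.) e| for kappa = 3 and secret coefficients in [-2, 2]).
N, D, K, KAPPA, Q = 8, 4, 7, 3, 12289
MASK, BOUND = 512, 506

def mid_product(a, b, d, q):
    """a (.)_d b: coefficients len(a)-1 .. len(a)+d-2 of a*b (len(b) = len(a)+d-1)."""
    assert len(b) == len(a) + d - 1
    k = len(a) - 1
    return [sum(a[i] * b[k + m - i] for i in range(len(a))) % q for m in range(d)]

def centered(v, q):
    v %= q
    return v - q if v > q // 2 else v

def igen(rng):
    """a uniform in Z_q^{<n}[x]; s, e small (toy stand-in for the discrete Gaussians);
    b = a (.)_{d+k} s + e; pk = (a, b), sk = (s, e)."""
    a = [rng.randrange(Q) for _ in range(N)]
    s = [rng.randint(-2, 2) for _ in range(N + D + K - 1)]
    e = [rng.randint(-2, 2) for _ in range(D + K)]
    b = [(x + y) % Q for x, y in zip(mid_product(a, s, D + K, Q), e)]
    return (a, b), (s, e)

def challenge(w, msg):
    """Fiat-Shamir: c = H(W || M) mapped into DH = {c in {0,+-1}^{<k+1}[x] : ||c||_1 = kappa}
    (hash-seeded sampler, an assumption of this toy)."""
    h = hashlib.sha256(repr(w).encode() + b"|" + msg).digest()
    hrng = random.Random(int.from_bytes(h, "big"))
    c = [0] * (K + 1)
    for pos in hrng.sample(range(K + 1), KAPPA):
        c[pos] = hrng.choice((1, -1))
    return c

def sign(sk, pk, msg, rng):
    """P1 + P2 with rejection: retry until neither z1 nor z2 exceeds the bound, so the
    distribution of (z1, z2) does not depend on s, e."""
    a, _ = pk
    s, e = sk
    while True:
        y1 = [rng.randint(-MASK, MASK) for _ in range(N + D - 1)]
        y2 = [rng.randint(-MASK, MASK) for _ in range(D)]
        w = [(x + y) % Q for x, y in zip(mid_product(a, y1, D, Q), y2)]
        c = challenge(w, msg)
        z1 = [centered(x + y, Q) for x, y in zip(mid_product(c, s, N + D - 1, Q), y1)]
        z2 = [centered(x + y, Q) for x, y in zip(mid_product(c, e, D, Q), y2)]
        if max(map(abs, z1)) <= BOUND and max(map(abs, z2)) <= BOUND:
            return w, (z1, z2)

def verify(pk, msg, sig):
    """Accept iff z1, z2 are within the bounds and w == a (.)_d z1 + z2 - c (.)_d b
    for the recomputed c = H(W || M)."""
    a, b = pk
    w, (z1, z2) = sig
    if max(map(abs, z1)) > BOUND or max(map(abs, z2)) > BOUND:
        return False
    c = challenge(w, msg)
    az1, cb = mid_product(a, z1, D, Q), mid_product(c, b, D, Q)
    return w == [(x + y - z) % Q for x, y, z in zip(az1, z2, cb)]

def demo(seed, msg=b"constructed message"):
    """Sign and verify; then check that altering one coefficient of z2 is rejected."""
    rng = random.Random(seed)
    pk, sk = igen(rng)
    w, (z1, z2) = sign(sk, pk, msg, rng)
    forged = (w, (z1, [z2[0] + 1] + z2[1:]))
    return verify(pk, msg, (w, (z1, z2))), verify(pk, msg, forged)
```

The verification equation holds because a ⊙_d (c ⊙_{n+d−1} s) and c ⊙_d (a ⊙_{d+k} s) both equal (a · c) ⊙_d s, the same associativity used for Titanium-CPA.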

SLIDE 45

Concrete parameters for MPSign

                    λ = 143      λ = 89
n                   3800         2500
d                   1910         1300
k                   512          512
q                   ≈ 2^91       ≈ 2^87
δ                   1.004126     1.005
public key size     26.9 KB      19.5 KB
secret key size     1.1 KB       0.8 KB
signature size      20.1 KB      12.8 KB

• chosen according to the best known attacks
• code: https://github.com/pqc-ntrust/middle-product-LWE-signature.

SLIDE 46

MP-LWE-based id scheme [B+19] - Security Proof idea

Challenge space: DH := {c ∈ {0, 1, −1}^{<k+1}[x] with ‖c‖_1 = κ}

Lossy key proof idea: pk indistinguishable from uniform by hardness of small secret variant of MP-LWE.

Hardness of forging a signature for a lossy (uniform) key b boils down to bounding

  P := Pr(∃ z_1 ∈ Z^{<n+d−1}_{≤A′}[x], z_2 ∈ Z^{<d}_{≤A″}[x] : a ⊙_d z_1 + z_2 − c ⊙_d b = w),

where w is chosen by the attacker (dependent on the uniform b and a) and then a random challenge c ∈ DH is chosen.

SLIDE 47

MP-LWE-based id scheme [B+19] - Security Proof idea

We bound P as a sum of two probabilities:

• P_1: prob. that (a, b) are in the set S for which there exists ≤ 1 challenge c which can be answered correctly with some 'small' z_1, z_2, and that c hits that unique challenge. ⇒ P_1 ≤ 1/|DH|.
• P_2: prob. that (a, b) are not in the set S, i.e. there is a pair of distinct challenges c ≠ c′ that can be answered correctly with small (z_1, z_2), (z′_1, z′_2), resp.
  ⇒ P_2 ≤ Pr(∃ e_c ∈ (DH − DH) \ {0}, e_1 ∈ Z^{<n+d−1}_{≤2A′}, e_2 ∈ Z^{<d}_{≤2A″} : a ⊙_d e_1 + e_2 − e_c ⊙_d b = 0).
  ⇒ Fixing 'small' values for e_c ≠ 0 and e_1, e_2, the above holds with prob. 1/q^d over the choice of b, since Toep(e_c) has full rank d.
  ⇒ we take a union bound over all small e_c, e_1, e_2 to get: P_2 ≤ (4A′ + 1)^{n+d−1} · (4A″ + 1)^d · |DH|^2 · q^{−d}. We choose q big enough to make P_2 ≤ 2^{−λ} negligible.

SLIDE 48

MP-LWE-based id scheme [B+19] - Parameter Considerations

In practice, the following are efficiency bottlenecks:
• q ≈ 2^90 must be very large due to the lossiness condition.
• 'Large' q ⇒ long pub. key.
Q: Why use lossiness and not use shorter q, to reduce sig. length?
A: Limitation: Insecure I-MP-PSIS∅ with A′, A″ >> q^{1/2}!

SLIDE 49

MPSign vs [Lyu16]

                    MPSign      [Lyu16]
public key size     19.5 KB     9.6 KB
secret key size     0.8 KB      8.8 KB
signature size      12.8 KB     27 KB

• our security proof is tight, while [Lyu16] is not
• we give an efficient key recovery attack on [Lyu16] when sk has very small coefficients ⇒ cannot decrease too much the size of the secret key/sig. in [Lyu16]

SLIDE 50

Summary and Some Problems

MP-LWE and PSIS∅ Applications:
• Can be used to construct public key encryption and signature schemes. (Even IBE/trapdoor functions, but with limited security guarantees.)
• lower risk than fixed-ring RLWE/RSIS: as hard as hardest RLWE^f / PSIS^f for exponentially large family of f's; higher scheme efficiency than LWE/SIS schemes
• Also have some unpleasant properties, limiting efficiency and security of existing constructions: non-symmetric 'hardness-norm' dependence, lack of computational LHL, lack of good statistical LHL.

SLIDE 51

Summary and Some Problems

A few problems:
• Improve the efficiency of existing crypto. primitives based on MP-LWE?
• Construct more powerful risk-performance balance crypto. primitives based on MP-LWE with strong security guarantees.
• More efficient MP-LWE-based public-key encryption not relying on Leftover Hash Lemma?

SLIDE 52

Thank you.
