
Applications of Middle-Product Learning with Errors (MP-LWE) Ron - PowerPoint PPT Presentation



1. Applications of Middle-Product Learning with Errors (MP-LWE)
Ron Steinfeld, Monash University, ron.steinfeld@monash.edu
CIS 2019 Winter School
Based on joint work [RSSS17], [SSZ17], [B+19] (work in progress, in submission) with subsets of: Shi Bai, Dipayan Das, Ryo Hiromasa, Miruna Rosca, Amin Sakzad, Damien Stehlé, Raymond K. Zhao, Zhenfei Zhang.
Ron Steinfeld (Monash University), App. of MP-LWE, 28/03/2018, 1 / 43

2. Outline of the talk
1- Recap: MP-LWE and the risk-performance balance goal
2- Application: Public-Key Encryption from MP-LWE
   - Primal Regev IND-CPA PKE [RSSS17]
   - Dual Regev IND-CPA PKE [LVV19]
3- Application: Digital Signatures from MP-LWE
   - PSIS∅-based construction [L16]
   - MP-LWE-based construction [R18, B+19]
   - MP-LWE-based construction [LVV19]
4- Summary and Problems

3. Risk-Performance balance and MP-LWE: Recap
- Rosca et al. [RSSS17] gave the first positive answer for encryption: Middle-Product LWE (MP-LWE), a polynomial variant of the LWE problem that is as secure as the hardest $\mathrm{PLWE}^f$ over a big family $F$ of $f$'s.
- Basic idea: work in the polynomial ring $\mathbb{Z}[x]$ with a modified 'middle-product' ring multiplication.
- Designed a public-key encryption scheme; optimized NIST PQC encryption submission: Titanium [SSZ17].
- Security-risk-vs.-performance balance: lower (guaranteed) security risk than $\mathrm{PLWE}^f$ schemes, better performance than LWE schemes.
- Designed improved digital signature schemes [B+18].

4. Application: Public-Key Encryption from MP-LWE

5. Titanium-CPA: Primal Regev PKE from MP-LWE – Construction [RSSS17, BSZ19]
Algorithm 1: Titanium-CPA.KeyGen
Input: $1^\lambda$. Output: pk and sk.
1: function KeyGen($1^\lambda$)
2:   Let $s \leftarrow U(\mathbb{Z}_q^{<n+d+k-1}[x])$.
3:   Let $(a_1, \ldots, a_t) \leftarrow U(\mathbb{Z}_q^{<n}[x])^t$.
4:   Let $(e_1, \ldots, e_t) \leftarrow \chi_e \in (\mathbb{Z}_q^{<d+k}[x])^t$.
5:   for $i \le t$ do
6:     Let $b_i = a_i \odot_{d+k} s + e_i \in \mathbb{Z}_q^{<d+k}[x]$.
7:   end for
8:   Let pk $= ((a_1, \ldots, a_t), (b_1, \ldots, b_t))$ and sk $= s$.
9: end function

6. Titanium-CPA: Primal Regev PKE from MP-LWE – Construction [RSSS17, BSZ19]
Algorithm 2: Titanium-CPA.Encrypt
Input: pk $= ((a_1, \ldots, a_t), (b_1, \ldots, b_t))$ and $m \in \mathbb{Z}_p^{<d}[x]$. Output: ct $= (c'_1, c'_2)$.
1: function Encrypt(pk, m)
2:   Let $(r_1, \ldots, r_t) \leftarrow \chi_r \in (\mathbb{Z}_q^{<k+1}[x])^t$.
3:   Let $c'_1 = \sum_{i=1}^{t} r_i \cdot a_i$.
4:   Let $c'_2 = \sum_{i=1}^{t} r_i \odot_d b_i + \lfloor q/p \rfloor \cdot m \in \mathbb{Z}_q^{<d}[x]$.
5: end function

7. Titanium-CPA Decryption Algorithm [RSSS17, BSZ19]
Algorithm 3: Titanium-CPA.Decrypt
Input: sk $= s$ and ct $= (c'_1, c'_2)$. Output: $m'$.
1: function Decrypt(sk, ct)
2:   Let $c' = c'_2 - c'_1 \odot_d s \in \mathbb{Z}_q^{<d}[x]$.
3:   Let $m' = \mathrm{Round}(\lfloor q/p \rfloor, c') \in \mathbb{Z}_p^{<d}[x]$.
4: end function

8. Correctness of Titanium-CPA
Looking at the decryption algorithm:
$$
\begin{aligned}
c' &= c'_2 - c'_1 \odot_d s \\
   &= \Big( \sum_{i=1}^{t} r_i \odot_d b_i + \lfloor q/p \rfloor \cdot m \Big) - \Big( \sum_{i=1}^{t} r_i \cdot a_i \Big) \odot_d s \\
   &= \sum_{i=1}^{t} r_i \odot_d (a_i \odot_{d+k} s + e_i) + \lfloor q/p \rfloor \cdot m - \sum_{i=1}^{t} (r_i \cdot a_i) \odot_d s \\
   &= \lfloor q/p \rfloor \cdot m + \sum_{i=1}^{t} r_i \odot_d e_i \in \mathbb{Z}_q^{<d}[x] \approx \lfloor q/p \rfloor \cdot m,
\end{aligned}
$$
using the 'associative' property of the middle product: $r_i \odot_d (a_i \odot_{d+k} s) = (r_i \cdot a_i) \odot_d s$.
Compute a tight upper bound on the decryption error probability $p_e$ (Hoeffding).

12. Security of Titanium-CPA: Primal Regev PKE from MP-LWE
Recall the Titanium-CPA ciphertext form
$$
c_1 = \sum_{1 \le i \le t} r_i \cdot a_i \quad\text{and}\quad c_2 = \sum_{1 \le i \le t} r_i \odot_d b_i + \lfloor q/p \rfloor \cdot m,
$$
using random $r_i$'s with 'small' coefficients, each with entropy $b_{\mathrm{LHL}}$.
Security proof idea:
- Replace key generation ($a_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $b_i = a_i \odot_{d+k} s + e_i$) with uniformly random pairs ($a_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$, $b_i \leftarrow U(\mathbb{Z}_q^{<d+k}[x])$).
- $\mathrm{MP\text{-}LWE}^{n}_{q,\alpha,\chi,d'=d+k}$ hardness implies the attacker's view stays computationally indistinguishable.
- Now $\sum_{1 \le i \le t} r_i \odot_d b_i$ is statistically indistinguishable from uniform on $\mathbb{Z}_q^{<d}[x]$ (given the public key and $c_1$) → it statistically masks the message $m$ in $c_2$.
- Implied by the Generalized Leftover Hash Lemma (LHL) if $q$ is prime and the min-entropy of the $r_i$'s sufficiently exceeds the max-entropy of the ciphertext space.
- $c_1$ is 'auxiliary information' on the $r_i$'s; it is not uniform (no security impact).

13. Security of Titanium-CPA: Generalised LHL
Recall: we use the generalized Leftover Hash Lemma (GLHL) to prove that
$$
\Big( (a_i, b_i)_i,\; c_1 = \sum_i r_i \cdot a_i,\; c_2 = \sum_i r_i \odot_d b_i \Big)
$$
is statistically close to
$$
\Big( (a_i, b_i)_i,\; \sum_i r_i \cdot a_i,\; U(\mathbb{Z}_q^{<d}[x]) \Big).
$$
The GLHL requires:
- The function family $f_b : r \mapsto \sum_i r_i \odot_d b_i$ is a universal hash family. Need to show that $\Pr_b[f_b(r) = 0] = q^{-d}$ for any non-zero $r$. Follows from $f_b(r) = \sum_i \mathrm{Toep}(r_i) \cdot b_i$ and the fact that one of the $\mathrm{Toep}(r_i)$'s has a non-zero diagonal.
- $(r_1, \ldots, r_t)$ have sufficient min-entropy conditioned on $c_1$:
$$
t \;\ge\; \frac{2\,\big(\log(\Delta_{\mathrm{LHL}}^{-1}) - 1\big) + (n + d + k) \cdot \log q}{(k+1) \cdot b_{\mathrm{LHL}}}.
$$

14. Security of Titanium-CPA: Limitation of MP-LWE – no exp. close standard LHL
Q: Why not use the standard LHL, as in the LWE-based Primal Regev scheme? Can we show that $c_1 = \sum_{i \le t} r_i \cdot a_i$ is also statistically exp. close to uniform (conditioned on the $a_i$'s)?
A: MP-LWE LHL limitation: for small $t$, $c_1 = \sum_{i \le t} r_i \cdot a_i$ is noticeably far from uniform conditioned on the $a_i$'s – no exp. close standard LHL!
- Observation 1: The map $a_i \in \mathbb{Z}_q^{<n}[x] \mapsto r_i \cdot a_i \in \mathbb{Z}_q^{<n+k}[x]$ is expanding ⇒ $f_a(r) = \sum_{i \le t} r_i \cdot a_i$ is not a universal hash family.
- Observation 2: The constant coefficient $c_1[0] = \sum_{i \le t} r_i[0] \cdot a_i[0]$ depends only on the $t$ constant coefficients $a_1[0], \ldots, a_t[0]$. ⇒ With probability $1/q^t$ over the $a_i$'s, $c_1[0] = 0$ with probability 1 conditioned on the $a_i$'s. ⇒ For small $t$, a non-negligible bias $1/q^t$ on the distribution of $c_1[0]$ conditioned on the $a_i$'s.

15. Titanium-CPA: Primal Regev based on MP-LWE – Parameter Considerations
- Public key length is linear in the number $t$ of MP-LWE samples in the public key.
- Asymptotically, can use $t = O(\log \lambda)$, $q = \lambda^{O(1)}$, $d, n = \tilde{O}(\lambda)$ ⇒ enc/dec/kg time $= \tilde{O}(\lambda)$ for security parameter $\lambda$ ⇒ length of pk, ct $= \tilde{O}(\lambda)$.
- In practice, the following are efficiency bottlenecks:
  - $t \approx 10$ cannot be made smaller due to the statistical LHL condition (compared to $t = 1$ for $\mathrm{PLWE}^f$ schemes).
  - $q$ is also relatively large (compared with $\mathrm{PLWE}^f$ schemes) to reduce the decryption error probability.
- Q: Why not use a computational LHL, as in $\mathrm{PLWE}^f$ schemes, to reduce $t$?
- A: Limitation: in MP-LWE-based Primal Regev we have no computational LHL! We would need hardness of recovering the 'small' $r_i$'s from $c_1 = \sum_i a_i \cdot r_i$. This is the insecure variant of the I-MP-PSIS problem (vs. secure $\mathrm{PLWE}^f$ in the ring setting) for small $t$!

16. Optimized Implementation Aspects
Fast middle-product algorithm and optimisations:
1. MP-NTT: NTT-based algorithm for $c = a \odot_d b$
   - Generalized/optimized version of the MP algorithm in [HQZ04]
   - Faster than NTT-based multiplication followed by middle truncation
   - Uses NTTs in dimension $D = \dim(b)$ rather than $\dim(a) + \dim(b)$
2. Main computation:
$$
c = \mathrm{Trunc}_D\Big( \mathrm{NTT}_D^{-1}\big( \mathrm{NTT}_D(\mathrm{Rev}(a)) \circ \mathrm{NTT}_D(b) \big) \Big),
$$
3. Optimisations:
   - Exploits input zero-padding of $a$ to $\dim(b)$ to speed up $\mathrm{NTT}(a)$
   - Exploits output truncation to speed up $\mathrm{NTT}^{-1}$
   - Fast mod $q$ reduction (Barrett and Montgomery)
