A Framework for Cryptographic Problems from Linear Algebra (COSIC, slide presentation)



SLIDE 1

A Framework for Cryptographic Problems from Linear Algebra

Carl Bootland, Wouter Castryck, Alan Szepieniec and Frederik Vercauteren

Dept. of Electrical Engineering, COSIC, KU Leuven

A Framework for Cryptographic Problems from Linear Algebra NutMiC, Paris, June 25, 2019 1/28

SLIDE 2

Post-Quantum Cryptography Standardization Process

Aim: “to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.”


SLIDE 3

Post-Quantum Cryptography Standardization Process

Round 1 submission categorization:

                     Signature   KEM/Encryption   Total
  Lattice based          5             21           26
  Code based             2             17           19
  Multivariate           7              2            9
  Hash based             3              -            3
  Other                  2              5            7

Round 2 candidates (announced January 30, 2019):

                     Signature   KEM/Encryption   Total
  Lattice based          3              8           11
  Code based             -              7            7
  Multivariate           4              -            4
  Hash based             1              -            1
  Other                  1              2            3



SLIDE 6

Learning with errors (LWE)

Problem: Solve a system of random 'noisy' linear equations

$$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & \ddots & \vdots \\ a_{m,1} & a_{m,2} & \cdots & a_{m,n} \end{pmatrix} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix} \bmod q$$

◮ $e_i$ small 'errors'
◮ uniformly random $a_{i,j}$

Leads to schemes with large key sizes


SLIDE 7

Ring-LWE (informally)

Problem: Solve a system of structured 'noisy' linear equations

$$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} A_1 \\ \vdots \\ A_{m/n} \end{pmatrix} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix} \bmod q$$

◮ $A_i$ independent structured $n \times n$ matrices
   ◮ e.g. anti-circulant


SLIDE 8

Module-LWE (informally)

Problem: Solve a system of structured 'noisy' linear equations

$$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} A_{1,1} & \cdots & A_{1,r} \\ \vdots & \ddots & \vdots \\ A_{mr/n,1} & \cdots & A_{mr/n,r} \end{pmatrix} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_m \end{pmatrix} \bmod q$$

◮ $A_{i,j}$ independent structured $n/r \times n/r$ matrices
◮ $r$ is the rank of the module


SLIDE 9

The Ring in Ring-LWE

◮ Identify the vector space $\mathbb{Z}_q^n$ with the ring $R_q := \mathbb{Z}_q[x]/(f(x))$, $f(x)$ monic of degree $n$:

$$(s_1, s_2, \ldots, s_n)^T \leftrightarrow s(x) = s_1 + s_2 x + \cdots + s_n x^{n-1}$$

◮ $A_i$ are the matrices of multiplication by $a_i(x) \in R_q$
◮ Anti-circulant matrices $\Longrightarrow f(x) = x^n + 1$
◮ We don't need $q$ to be prime



SLIDE 11

Ring-LWE (More formally)

Ring-LWE search problem:
◮ $f(x)$ irreducible
◮ Samples $(a_i(x), b_i(x)) \in R_q \times R_q$ with $b_i(x) = a_i(x)s(x) + e_i(x)$
   ◮ uniformly random $a_i(x)$
   ◮ uniformly random $s(x)$
   ◮ $e_i(x) \leftarrow \chi$ (distribution of small elements)
◮ recover $s(x)$
◮ Called Poly-LWE when $s(x) \leftarrow R_q$


SLIDE 12

Interesting Submissions to the NIST Competition

Three submissions use problems which look very much like LWE but use large integer arithmetic:
◮ Mersenne-756839
◮ Ramstake
◮ Three Bears

Mersenne-756839 and Ramstake:
◮ Mersenne Low Hamming Combination (MLHC)

Three Bears:
◮ module version of Integer-RLWE



SLIDE 14

The Mersenne Low Hamming Combination Search Problem

◮ $p = 2^n - 1$ a Mersenne prime
◮ $\mathbb{Z}_p \leftrightarrow \{\text{bit strings of length } n\} \setminus \{11\ldots1\}$

Problem:
◮ Samples $(a_i, b_i) \in \mathbb{Z}_p \times \mathbb{Z}_p$ with $b_i = a_i s + e_i$
   ◮ $a_i$ uniformly random
   ◮ $s, e_i$ of Hamming weight $h \ll n$
◮ determine $s$

Integer-RLWE: $p = 2^n - 1 \;\to\; p = q^n + 1$


SLIDE 15

Unifying the MLHC and Poly-LWE problems

Similar problems, different rings

Small elements
◮ Poly-LWE
   ◮ $e(x) = e_1 + e_2 x + \cdots + e_n x^{n-1}$
   ◮ $(e_1, \ldots, e_n)$ a short vector (e.g. from a spherical Gaussian)
◮ MLHC
   ◮ $e = e_1 + e_2 \cdot 2 + \cdots + e_n \cdot 2^{n-1}$
   ◮ $(e_1, \ldots, e_n)$ a short vector (Hamming weight $h$)
◮ Important point: the coefficient vector is short
◮ Difference in expansion:
   ◮ Poly-LWE: use explicit base $x$
   ◮ MLHC: use implicit base $2$



SLIDE 17

Unifying the MLHC and Poly-LWE problems

Since $p = 2^n - 1$, rewrite $\mathbb{Z}_p$ as $\mathbb{Z}[x]/(x^n - 1,\; x - 2)$ and $R_q$ as $\mathbb{Z}[x]/(f(x),\; q)$.

View $\mathbb{Z}_p$ as $R_q$ with
◮ $f(x) = x^n - 1$
◮ $q$ replaced by $x - 2$


SLIDE 18

Three Bears

Use a Solinas prime $p = 2^{3120} - 2^{1560} - 1$, hence $\mathbb{Z}_p \cong \mathbb{Z}[x]/(x^{312} - x^{156} - 1,\; x - 2^{10})$.

View $\mathbb{Z}_p$ as $R_q$ with
◮ $f(x) = x^{312} - x^{156} - 1$
◮ $q$ replaced by $x - 2^{10}$


SLIDE 19

Three Bears

Use a Solinas prime $p = f(b)$, hence $\mathbb{Z}_p \cong \mathbb{Z}[x]/(f(x),\; x - b)$.

View $\mathbb{Z}_p$ as $R_q$ with
◮ $f(x)$ of low degree with small coefficients
◮ $q$ replaced by $x - b$


SLIDE 20

Generalising the ring

The second modulus
◮ Standard LWE-type problems: integer $q$
◮ Large integer arithmetic schemes: linear $x - b$
◮ General problem: arbitrary $g(x)$

$$R_g := \mathbb{Z}[x]/(f(x),\; g(x))$$

◮ $g(x)$ coprime to $f(x) \Longrightarrow R_g$ finite
◮ Small elements defined in $R = \mathbb{Z}[x]/(f(x))$
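As an added example (not from the slides or any of the named schemes), the identification $\mathbb{Z}_p \cong \mathbb{Z}[x]/(f(x), x - b)$ of the preceding slides in Python: a noisy sample computed in $R = \mathbb{Z}[x]/(f(x))$ and then mapped by $x \mapsto b$ agrees with the same sample computed directly modulo $p = f(b)$, for the Mersenne ring ($f = x^n - 1$, $b = 2$) and the Three Bears ring ($f = x^{312} - x^{156} - 1$, $b = 2^{10}$). All function names are mine; the sparse secrets and the small digit vectors are constructed inputs.

```python
import random

def poly_reduce(c, f):
    """Reduce c modulo monic f (coefficient lists, lowest degree first)."""
    c, n = list(c), len(f) - 1
    for i in range(len(c) - 1, n - 1, -1):       # clear coefficients of degree >= n
        t, c[i] = c[i], 0
        for j in range(n):                        # subtract t * x^(i-n) * f(x)
            c[i - n + j] -= t * f[j]
    return (c + [0] * n)[:n]

def poly_add(a, b):
    m = max(len(a), len(b))
    return [(a[i] if i < len(a) else 0) + (b[i] if i < len(b) else 0) for i in range(m)]

def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            out[i + j] += x * y
    return out

def modulus_from(f, b):
    """p = f(b): the Mersenne prime 2^n - 1 for f = x^n - 1, b = 2; the Three Bears
    Solinas prime 2^3120 - 2^1560 - 1 for f = x^312 - x^156 - 1, b = 2^10."""
    return sum(ci * b ** i for i, ci in enumerate(f))

def evaluate(c, b, p):
    """The ring map Z[x]/(f(x)) -> Z_p, x -> b; well defined because f(b) = p = 0 mod p."""
    return sum(ci * pow(b, i, p) for i, ci in enumerate(c)) % p

def sparse_poly(n, h, seed):
    """A 'small' MLHC element: n coefficients in {0,1}, exactly h of them equal to 1."""
    c = [0] * n
    for i in random.Random(seed).sample(range(n), h):
        c[i] = 1
    return c

def sample_both_ways(f, b, s, e, seed):
    """One noisy sample b_i = a_i*s + e_i, computed in R = Z[x]/(f(x)) and then mapped
    to Z_p, versus computed directly in Z_p with p = f(b). Returns (agree, b_i)."""
    p, n = modulus_from(f, b), len(f) - 1
    rng = random.Random(seed)
    a = [rng.randrange(b) for _ in range(n)]      # uniform base-b digit vector
    in_ring = poly_reduce(poly_add(poly_mul(a, s), e), f)
    via_ring = evaluate(in_ring, b, p)
    via_int = (evaluate(a, b, p) * evaluate(s, b, p) + evaluate(e, b, p)) % p
    return via_ring == via_int, via_int

def mersenne_f(n):
    return [-1] + [0] * (n - 1) + [1]             # x^n - 1

def three_bears_f():
    return [-1] + [0] * 155 + [-1] + [0] * 155 + [1]   # x^312 - x^156 - 1
```

Because the second route never reduces modulo $f$, agreement of the two routes also shows the map is well defined on the quotient, and for the Mersenne case a weight-$h$ polynomial maps to an integer of Hamming weight $h$.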


SLIDE 21

A condition of convenience

We want the ring $R_g$ to be easy to work with:
◮ Restrict the possible $g$ so that $(f(x), g(x)) = (a, r(x))$
   ◮ $a$ an integer
   ◮ $r(x)$ monic
◮ Unique representative in $R_g$:
   ◮ $\alpha_0 + \alpha_1 x + \cdots + \alpha_{\deg(r)-1} x^{\deg(r)-1}$
   ◮ $\alpha_i \in \{0, 1, \ldots, a - 1\}$
◮ Not too restrictive
   ◮ $6/\pi^2 \approx 60.8\%$ of randomly chosen pairs $f, g$
   ◮ $r$ linear with overwhelming probability


SLIDE 22

Other problems (Informally)

Generalise from $R_q$ to $R_g$ in other problems

NTRU:
◮ Given $h \in R_q$ with $h = u/v \bmod q$
   ◮ $u, v$ small
◮ find small $u', v'$ such that $h = u'/v' \bmod q$


SLIDE 23

Other problems (Informally)

Generalise from $R_q$ to $R_g$ in other problems

Ring-SIS:
◮ Given $a_1, \ldots, a_m \in R_q$
   ◮ $a_i$ uniformly random
   ◮ $m \quad n \log q$
◮ find small $z_1, \ldots, z_m$, not all zero, such that

$$\sum_{i=1}^{m} a_i z_i = 0$$


SLIDE 24

Why is this interesting? Security?

Lattice attacks on LWE-based primitives:
◮ strong lattice basis reduction
   ◮ e.g. BKZ 2.0
   ◮ most practical attacks
   ◮ works on integer lattices
   ◮ finds short(est) vectors
   ◮ recovers secret information
◮ Work in $R_g$, but smallness is defined only in $R = \mathbb{Z}[x]/(f(x))$
   ◮ dimension depends on $\deg(f)$
   ◮ include the generators $x^i g(x) \bmod f(x)$



SLIDE 26

Example Lattice: The Primal Attack on Poly-LWE

Lattice basis (rows):

$$\begin{pmatrix}
\text{---}\,b_1\,\text{---} & \cdots & \text{---}\,b_\ell\,\text{---} & w \\
\text{---}\,a_1\,\text{---} & \cdots & \text{---}\,a_\ell\,\text{---} & \\
\vdots & & \vdots & \\
\text{---}\,x^{n-1}a_1 \bmod f\,\text{---} & \cdots & \text{---}\,x^{n-1}a_\ell \bmod f\,\text{---} & \\
qI_n & & & \\
& \ddots & & \\
& & qI_n &
\end{pmatrix}$$

Short target vector:

$$(\,\text{---}\,e_1\,\text{---} \;\mid\; \cdots \;\mid\; \text{---}\,e_\ell\,\text{---} \;\mid\; w\,)$$


SLIDE 27

Example Lattice: What about for the ring Rg?

Lattice basis (rows), with the $qI_n$ blocks replaced by the generators $x^i g \bmod f$:

$$\begin{pmatrix}
\text{---}\,b_1\,\text{---} & \cdots & \text{---}\,b_\ell\,\text{---} & w \\
\text{---}\,a_1\,\text{---} & \cdots & \text{---}\,a_\ell\,\text{---} & \\
\vdots & & \vdots & \\
\text{---}\,x^{n-1}a_1 \bmod f\,\text{---} & \cdots & \text{---}\,x^{n-1}a_\ell \bmod f\,\text{---} & \\
\text{---}\,g \bmod f\,\text{---} & & & \\
\vdots & & & \\
\text{---}\,x^{n-1}g \bmod f\,\text{---} & & & \\
& \ddots & & \\
& & \text{---}\,g \bmod f\,\text{---} & \\
& & \vdots & \\
& & \text{---}\,x^{n-1}g \bmod f\,\text{---} &
\end{pmatrix}$$



SLIDE 29

Example Lattice: What about for the Mersenne prime ring?

Lattice basis (rows), with $f = x^n - 1$, $g = x - 2$ and $x \mapsto 2$:

$$\begin{pmatrix}
\text{---}\,b_1\,\text{---} & \cdots & \text{---}\,b_\ell\,\text{---} & w \\
\text{---}\,a_1\,\text{---} & \cdots & \text{---}\,a_\ell\,\text{---} & \\
\vdots & & \vdots & \\
\text{---}\,2^{n-1}a_1 \bmod p\,\text{---} & \cdots & \text{---}\,2^{n-1}a_\ell \bmod p\,\text{---} & \\
B & & & \\
& \ddots & & \\
& & B &
\end{pmatrix},
\qquad
B = \begin{pmatrix} -2 & 1 & 0 & \cdots \\ & \ddots & \ddots & \\ 1 & 0 & \cdots & -2 \end{pmatrix}$$

The lattice contains the short vector

$$(\,-2\;\;1\;\;0\;\cdots\;0 \;\mid\; \;\mid\; \;\mid\; \,)$$

which is intrinsic to the lattice and independent of the secret.


SLIDE 30

A Combinatorial Attack

◮ The short vector we want has low Hamming weight
◮ Idea:
   ◮ partition $\{0, \ldots, n-1\}$ into consecutive active and inactive blocks
   ◮ hope all 1s fall into active blocks

[Figure: a sparse integer and a successful partitioning into active and inactive blocks]

◮ Perform simple lattice reduction: recovers the secret if the partition is correct
◮ Unlikely to guess a correct partition
◮ Attack is exponential in the Hamming weight $h$



SLIDE 32

Example Lattice: The Mersenne prime ring

Lattice basis (rows) after restricting to the active blocks:

$$\begin{pmatrix}
\text{---}\,b'_1\,\text{---} & \cdots & \text{---}\,b'_\ell\,\text{---} & w' \\
\text{---}\,a'_1\,\text{---} & \cdots & \text{---}\,a'_\ell\,\text{---} & \\
\vdots & & \vdots & \\
\text{---}\,2^{n-1}a'_1 \bmod p\,\text{---} & \cdots & \text{---}\,2^{n-1}a'_\ell \bmod p\,\text{---} & \\
B_\lambda & & & \\
& \ddots & & \\
& & B_\mu &
\end{pmatrix}$$

with

$$B_\lambda = \begin{pmatrix} -2^{\lambda_1} & 1 & 0 & \cdots \\ & \ddots & \ddots & \\ 1 & 0 & \cdots & -2^{\lambda_k} \end{pmatrix}, \quad \ldots, \quad B_\mu = \begin{pmatrix} -2^{\mu_1} & 1 & 0 & \cdots \\ & \ddots & \ddots & \\ 1 & 0 & \cdots & -2^{\mu_j} \end{pmatrix}$$

Short target vector:

$$(\,\text{---}\,e'_1\,\text{---} \;\mid\; \cdots \;\mid\; \text{---}\,e'_\ell\,\text{---} \;\mid\; w'\,)$$


SLIDE 33

The attacks: Why they work?

Standard LWE family:
◮ $q$ a large integer in comparison to the coefficients of small elements
◮ No small intrinsic vectors
   ◮ strong lattice reduction works

Large integer arithmetic LWE family:
◮ $x - 2$ has small coefficients
◮ small elements are very sparse (lots of zeros)
   ◮ Guessing attacks work
   ◮ avoids the small intrinsic vectors


SLIDE 34

The middle ground

◮ Two extremes
   ◮ large integer $q$
   ◮ polynomial with small coefficients, like $x - 2$
◮ Large middle ground for $g$
   ◮ which attack is the most efficient?
   ◮ do other attacks apply?
◮ Interesting research question
   ◮ determine the regions where each attack is most efficient
   ◮ find new attacks?



SLIDE 36

A recipe for constructing (potentially) hard problems

1. Select the parent ring $R = \mathbb{Z}[x]/(f(x))$ by choosing $f$.
2. Select the error distribution on $R$.
3. Select the ciphertext modulus $g(x)$, subject to constraints.
4. Select the rank $m$ of the module.
5. Select the hard problem family: Ideal-LWE, Ideal-NTRU or Ideal-SIS.



SLIDE 45

Problems using Ideal-LWE

m = 1

  deg(g) \ deg(f)       deg(f) = 1             deg(f) > 1
  0 (integer q)         1-dimensional LWE      RLWE
  1                     *                      I-RLWE, MLHC
  ...                   *                      ?

m > 1

  deg(g) \ deg(f)       deg(f) = 1             deg(f) > 1
  0 (integer q)         LWE, LPN, matrix LWE   M-LWE
  1                     *                      I-MLWE (Three Bears)
  ...                   *                      ?


SLIDE 46

Problems using Ideal-NTRU

m = 1

  deg(g) \ deg(f)       deg(f) = 1             deg(f) > 1
  0 (integer q)         ?                      NTRU, NTRU Prime
  1                     *                      MLHR
  ...                   *                      ?

m > 1

  deg(g) \ deg(f)       deg(f) = 1             deg(f) > 1
  0 (integer q)         matrix NTRU            MaTRU
  1                     *                      ?
  ...                   *                      ?


SLIDE 47

Problems using Ideal-SIS

m = 1

  deg(g) \ deg(f)       deg(f) = 1             deg(f) > 1
  0 (integer q)         modular SSP            Ring-SIS
  1                     *                      ?
  ...                   *                      ?

m > 1

  deg(g) \ deg(f)       deg(f) = 1             deg(f) > 1
  0 (integer q)         SIS                    M-SIS
  1                     *                      ?
  ...                   *                      ?


SLIDE 48

Thank you! Questions?
