
Hardness and advantages of Module-SIS and Module-LWE (Adeline Roux-Langlois) - PowerPoint PPT Presentation



  1. Hardness and advantages of Module-SIS and Module-LWE
  Adeline Roux-Langlois, EMSEC: Univ Rennes, CNRS, IRISA
  April 24, 2018

  2. Introduction
  ◮ Lattice-based cryptography: why use module lattices?
  ◮ Definition of Module-SIS and Module-LWE
  ◮ Hardness results on Module-SIS and Module-LWE
  ◮ Conclusion and open problems

  3. Lattice-based cryptography
  [Figure: a lattice with a basis vector b_1; worst-case to average-case reduction → solve GapSVP/SIVP]
  Learning With Errors: dimension n, modulo q. Given (A, A s + e), find s, where A ← Uniform in Z_q^{m×n} with m ≥ n, s ← Uniform in Z_q^n, and e is a small error.
  Security proof: lattice problems → LWE and/or SIS → construction. LWE-based encryption, SIS-based signature, LWE- and SIS-based advanced constructions.

  4. Lattice-based cryptography
  From basic to very advanced primitives
  ◮ Public key encryption and signature schemes (practical) [Regev 05, Gentry, Peikert and Vaikuntanathan 08, Lyubashevsky 12, ...];
  ◮ Identity/Attribute-based encryption [GPV 08, Gorbunov, Vaikuntanathan and Wee 13, ...];
  ◮ Fully homomorphic encryption [Gentry 09, BV 11, ...].
  Advantages
  ◮ (Asymptotically) efficient;
  ◮ Security proofs from the hardness of lattice problems;
  ◮ Likely to resist attacks from quantum computers.

  5. NIST competition
  From 2017 to 2024, NIST competition to find a standard for post-quantum cryptography.
  Total: 69 accepted submissions (round 1)
  ◮ Signature (5 lattice-based),
  ◮ Public key encryption / Key exchange mechanism (21 lattice-based).
  Other candidates: 17 code-based PKE/KEM, 7 multivariate signatures, 3 hash-based signatures, 7 from "other" assumptions (isogenies, PQ RSA, ...) and 4 attacked + 5 withdrawn.
  ⇒ Lattice-based constructions seem to be serious candidates (assumptions: NTRU, SIS/LWE/LWR, Ring/Module-SIS/LWE/LWR, MP-LWE).

  6. Fundamental problems to build cryptography
  Parameters: dimension n, m ≥ n, modulus q. For A ← U(Z_q^{m×n}):
  ◮ SIS_β. Goal: given A ← U(Z_q^{m×n}), find x ∈ Z^m such that x^T A = 0 mod q and 0 < ‖x‖ ≤ β.
  ◮ LWE_α. Let s ← U(Z_q^n) and e a small error ≈ αq. Goal: given (A, A s + e), find s.

  7. Fundamental problems to build cryptography
  Parameters: dimension n, m ≥ n, modulus q. For A ← U(Z_q^{m×n}):
  ◮ SIS_β: find x such that x^T A = 0 mod q and 0 < ‖x‖ ≤ β, i.e. find a small vector in Λ_q^⊥(A) = { x ∈ Z^m | x^T A = 0 mod q }.
  ◮ LWE_α: with s ← U(Z_q^n) and e a small error ≈ αq, recover s from A s + e, i.e. solve BDD in Λ_q(A) = { y ∈ Z^m : y = A s mod q for some s ∈ Z^n }.

  8. Hardness results
  Worst-case to average-case reductions from lattice problems
  ◮ Hardness of the SIS problem [Ajtai 96, MR 04, GPV 08, ...]
  ◮ Hardness of the LWE problem [Regev 05, Peikert 09, BLPRS 13, ...]
  Also in [BLPRS 13]
  ◮ Shrinking modulus / Expanding dimension: a reduction from LWE_{n, q^k} to LWE_{nk, q}.
  ◮ Expanding modulus / Shrinking dimension: a reduction from LWE_{n, q} to LWE_{n/k, q^k}.
  ⇒ The hardness of LWE_{n,q} is a function of n log q.

  9. Lattice-based signature scheme
  Trapdoor for SIS
  ◮ TrapGen → (A, T_A) such that T_A allows to find short x('s) with x^T A = 0 mod q.
  ◮ Computing T_A given A is hard; constructing A and T_A together is easy; with T_A, we can solve SIS.
  ◮ T_A is a short basis of Λ_q^⊥(A) = { x ∈ Z^m | x^T A = 0 mod q }.
  ◮ In a public key scheme: public key A, secret key T_A.

  10. Lattice-based signature scheme
  Signature scheme
  ◮ Key generation: pk = A, (A_i)_i; sk = T_A.
  ◮ To sign a message M: use T_A to solve SIS, i.e. find small x such that x^T A_M = 0 mod q,
    where A_M = [ A | A_0 + Σ_i M_i A_i ] in [Boyen 10] for example.
  ◮ To verify a signature x given M: check x^T A_M = 0 mod q and x small.
  ◮ Knowing a trapdoor for A ⇒ knowing a trapdoor for A_M.
  ◮ Several known constructions [Boyen 10, CHKP 10, ...].

  11. From SIS/LWE to structured variants
  ◮ Problem: constructions based on SIS/LWE enjoy a nice security guarantee but are too costly in practice.
  → Replace Z^n by a ring, for example R = Z[x]/⟨x^n + 1⟩ (n = 2^k).
  ◮ Ring variants since 2006: [Figure: A = (Rot(a_1); ...; Rot(a_m))]
  ◮ Structured A ∈ Z_q^{m·n × n} represented by m·n elements,
  ◮ Product with matrix/vector more efficient,
  ◮ Hardness of Ring-SIS [Lyubashevsky and Micciancio 06] and [Peikert and Rosen 06],
  ◮ Hardness of Ring-LWE [Lyubashevsky, Peikert and Regev 10].

  12. Ring-SIS based signature scheme [BFRS 18]
  Based on [ABB10]. Discrete Gaussian ⇒ short elements in R. H : {0,1}^n → R_q.
  ◮ KeyGen(λ) → (vk, sk)
    ◮ choose uniform a' ∈ R_q^{m−2},
    ◮ sk = T ∈ R^{(m−2)×2} Gaussian,
    ◮ pk = a = ( a'^T | −a'^T T )^T.
    MP12 trapdoors: a looks uniform, T is a trapdoor (allows to solve Ring-SIS).
    For M: a_M = ( a'^T | H(M) g − a'^T T )^T, with g the gadget vector.
  ◮ Sign(a, T, M) → x: using T, find small x ∈ R_q^m with x^T a_M = 0.
  ◮ Verify(a, x, M) → {0, 1}: accept iff x^T a_M = 0 mod qR and ‖x‖ small.

  13. Implementing such a scheme
  Many conditions on parameters: hardness of Ring-SIS, correctness, ... How to be efficient?
  ◮ Preimage sampling [MP 12, GM 18],
  ◮ Fast multiplication of ring elements in R_q = Z_q[x]/⟨x^n + 1⟩. For example: use the NFLlib library [Aguilar et al. 16].
  ◮ Two important conditions to use the NTT: n = 2^k and q = 1 mod 2n, so that x^n + 1 splits completely into linear factors ⇒ 3 main constraints on q = Π q_i.
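The two NTT conditions above, worked through in code. This is an added example, not code from the talk or from NFLlib: the toy parameters n = 8, q = 17 (so 2n = 16 divides q − 1) are constructed for readability, and the function names are chosen here.

```python
# Added example (not from the slides): why multiplication in R_q = Z_q[x]/<x^n + 1>
# via the NTT needs n = 2^k and q = 1 mod 2n. Toy parameters: n = 8, q = 17.

def find_psi(n, q):
    """Return a primitive 2n-th root of unity mod q (psi^n = -1), or None.

    Such a psi exists in Z_q exactly when 2n divides q - 1, which is the
    q = 1 mod 2n constraint; without it x^n + 1 does not split into linear factors."""
    if (q - 1) % (2 * n) != 0:
        return None
    for cand in range(2, q):
        if pow(cand, n, q) == q - 1:      # cand^n = -1  =>  cand has order exactly 2n
            return cand
    return None

def splits_completely(n, q, psi):
    """x^n + 1 vanishes at the n distinct odd powers psi^(2i+1): n linear factors."""
    roots = {pow(psi, 2 * i + 1, q) for i in range(n)}
    return len(roots) == n and all((pow(r, n, q) + 1) % q == 0 for r in roots)

def ntt(a, psi, q):
    """Negacyclic NTT: evaluate a(x) at the roots psi^(2i+1) of x^n + 1."""
    n = len(a)
    return [sum(a[j] * pow(psi, (2 * i + 1) * j, q) for j in range(n)) % q for i in range(n)]

def intt(ahat, psi, q):
    """Inverse: a_j = n^-1 * sum_i ahat_i * psi^-(2i+1)j (interpolation)."""
    n = len(ahat)
    ninv, psi_inv = pow(n, -1, q), pow(psi, -1, q)
    return [ninv * sum(ahat[i] * pow(psi_inv, (2 * i + 1) * j, q) for i in range(n)) % q
            for j in range(n)]

def mul_ntt(a, b, psi, q):
    """Product in R_q: transform, multiply coefficient-wise, transform back."""
    return intt([x * y % q for x, y in zip(ntt(a, psi, q), ntt(b, psi, q))], psi, q)

def mul_schoolbook(a, b, q):
    """Reference product in R_q, reducing x^n = -1 term by term (O(n^2))."""
    n = len(a)
    c = [0] * n
    for i in range(n):
        for j in range(n):
            k, sign = (i + j) % n, (1 if i + j < n else -1)
            c[k] = (c[k] + sign * a[i] * b[j]) % q
    return c

if __name__ == "__main__":
    psi = find_psi(8, 17)                     # 3: 3^8 = -1 mod 17
    a, b = [1, 2, 3, 4, 5, 6, 7, 8], [1, 1, 0, 0, 0, 0, 0, 0]
    print(splits_completely(8, 17, psi), mul_ntt(a, b, psi, 17) == mul_schoolbook(a, b, 17))
```

With q = 13 instead, find_psi returns None because 16 does not divide 12, which is exactly the case the parameter constraint rules out.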

  14. Example of parameters
  Table: Parameter sets for the signature scheme

  | n    | log q | σ   | δ        | R-LWE hardness | R-SIS hardness | λ   |
  |------|-------|-----|----------|----------------|----------------|-----|
  | 512  | 30    | 4.2 | 1.011380 | 2^64           | 2^74           | 60  |
  | 1024 | 24    | 5.8 | 1.008012 | 2^378          | 2^156          | 140 |
  | 1024 | 30    | 6.3 | 1.007348 | 2^246          | 2^184          | 170 |

  → Gap in security because of the constraints on the parameters.
  Module variants ⇒ tradeoff between security and efficiency
  ◮ Hardness of Module-SIS and Module-LWE [LS15, AD17]
  ◮ Dilithium & Kyber - CRYSTALS NIST submissions [Avanzi et al.]

  15. Outline
  ◮ Lattice-based cryptography: why use module lattices?
  ◮ Definition of Module-SIS and Module-LWE
  ◮ Hardness results on Module variants
  ◮ Conclusion and open problems

  16. Module variants
  [Figure: the matrix A in the three settings, from unstructured to fully structured]
  ◮ LWE: A ∈ Z_q^{m×n} unstructured; a_i ∈ Z_q^n; samples (a_i, ⟨a_i, s⟩ + e_i) with s ∈ Z_q^n, e_i ∈ Z.
  ◮ Module: A made of m_r × d blocks Rot(a_{i,j}) of size n/d, with R = Z[x]/⟨x^{n/d} + 1⟩; a_i ∈ (R_q)^d; samples (a_i, ⟨a_i, s⟩ + e_i) with s ∈ (R_q)^d, e_i ∈ R.
  ◮ Ring: A made of m_r = m/n blocks Rot(a_i) of size n, with R = Z[x]/⟨x^n + 1⟩; a_i ∈ R_q; samples (a_i, a_i · s + e_i) with s ∈ R_q, e_i ∈ R.

  17. Module-SIS and Module-LWE
  For example in R = Z[x]/⟨x^n + 1⟩ and R_q = R/qR.
  ◮ Module-SIS_{q,m,β}: given a_1, ..., a_m ∈ R_q^d independent and uniform, find z_1, ..., z_m ∈ R such that Σ_{i=1}^m a_i · z_i = 0 mod q and 0 < ‖z‖ ≤ β.
  ◮ Let α > 0 and s ∈ (R_q)^d. The distribution A^{(M)}_{s,ν_α} is: a ∈ (R_q)^d uniform, e sampled from D_α; output (a, (1/q)⟨a, s⟩ + e).
  ◮ Module-LWE_{q,ν_α}: let s ∈ (R_q)^d uniform; distinguish between an arbitrary number of samples from A^{(M)}_{s,D_α} and the same number of samples from U((R_q)^d × T_R).
  A^{(M)}_{s,D_α} ≈_c U((R_q)^d × T_R).

  18. From Ring-SIS/LWE to Module-SIS/LWE
  SIS
  ◮ Ring-SIS instance: a_1, ..., a_m ∈ R_q,
  ◮ For 2 ≤ i ≤ d, 1 ≤ j ≤ m: sample a_{i,j} and set a_j = (a_j, a_{2,j}, ..., a_{d,j}) ∈ R_q^d,
  ◮ Module-SIS gives small z such that Σ_j a_j · z_j = 0 (in R_q^d) ⇒ Σ_j a_j · z_j = 0 (first coordinate, in R_q).
  LWE
  ◮ Ring-LWE instance: (a, b = a · s + e),
  ◮ Sample a_2, ..., a_d and s_2, ..., s_d,
  ◮ New sample: (a = (a, a_2, ..., a_d), b + Σ_{i=2}^d a_i · s_i),
  ◮ With s = (s, s_2, ..., s_d) ∈ (R_q)^d, b + Σ_{i=2}^d a_i · s_i = ⟨a, s⟩ + e ⇒ Module-LWE instance.
  Module-SIS/LWE_{n,d,q} is at least as hard as Ring-SIS/LWE_{n,q} ⇒ Module-SIS/LWE_{n,d,q} is at least as hard as Ideal-SIVP_n.
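The LWE direction of this slide written out in code, as an added example that is not part of the presentation: a toy ring with n = 4, q = 257 and rank d = 3, a seeded generator standing in for the uniform and small distributions, and the function names are all constructed here.

```python
import random

# Added example, not code from the talk. Toy ring R_q = Z_q[x]/<x^N + 1> with
# N = 4, Q = 257 and module rank D = 3; real parameters are far larger.
N, Q, D = 4, 257, 3

def mul(a, b):
    """Product of two polynomials in R_q, reducing with x^N = -1."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k = i + j
            c[k % N] = (c[k % N] + (ai * bj if k < N else -ai * bj)) % Q
    return c

def add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def inner(avec, svec):
    """<a, s> = sum_i a_i * s_i for vectors of ring elements."""
    acc = [0] * N
    for ai, si in zip(avec, svec):
        acc = add(acc, mul(ai, si))
    return acc

def uniform_poly(rng):
    return [rng.randrange(Q) for _ in range(N)]

def small_poly(rng):
    """Coefficients in {-1, 0, 1}: stands in for the small error/secret distribution."""
    return [rng.randrange(-1, 2) % Q for _ in range(N)]

def ring_to_module_lwe(a, b, rng):
    """From one Ring-LWE sample (a, b = a*s + e) build a rank-D Module-LWE sample by
    choosing a_2..a_D uniform and s_2..s_D small. The reduction only needs a_vec and
    b_mod; s_2..s_D are returned so the constructed demo can verify the result."""
    extra_a = [uniform_poly(rng) for _ in range(D - 1)]
    extra_s = [small_poly(rng) for _ in range(D - 1)]
    a_vec = [a] + extra_a
    b_mod = add(b, inner(extra_a, extra_s))          # b + sum_{i>=2} a_i * s_i
    return a_vec, b_mod, extra_s

def is_module_lwe_sample(a_vec, b_mod, s_vec, e):
    """Check b_mod = <a_vec, s_vec> + e, the Module-LWE relation for secret s_vec."""
    return b_mod == add(inner(a_vec, s_vec), e)

def demo(seed=1):
    rng = random.Random(seed)
    s, e, a = uniform_poly(rng), small_poly(rng), uniform_poly(rng)   # constructed instance
    b = add(mul(a, s), e)                                              # Ring-LWE sample
    a_vec, b_mod, extra_s = ring_to_module_lwe(a, b, rng)
    return is_module_lwe_sample(a_vec, b_mod, [s] + extra_s, e)       # True

if __name__ == "__main__":
    print(demo())
```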
