How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE (slide deck)

SLIDE 1

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE

Rikke Bendlin, Sara Krehbiel, Chris Peikert

Georgia Institute of Technology

June 26, 2013

ACNS 2013, Banff, Alberta, Canada 1/11

SLIDE 3

Threshold Cryptography

Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties.

Digital signature scheme:

◮ KeyGen → sk to a privileged party, publish vk
◮ Sign(µ, sk) → σ
◮ Verify(µ, σ, vk) → accept or reject

Properties:

⋆ Correctness: Verify accepts (µ, σ) from Sign.
⋆ Unforgeability: infeasible to sign µ without sk.

SLIDE 6

Threshold Cryptography

Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties.

Threshold signatures:

◮ KeyGen → sk_i to each party i, publish vk
◮ Sign(µ, sk_i from ≥ h honest parties) → σ
◮ Verify(µ, σ, vk) → accept or reject

Properties:

⋆ Correctness: Verify accepts (µ, σ) from Sign.
⋆ Unforgeability: infeasible to sign µ with ≤ t shares of sk.
⋆ Threshold efficiency:
  • Verify runtime and vk size independent of ℓ
  • Efficient and minimally interactive Sign (not general MPC!)

s_i is i’s share of secret s (e.g. [Shamir’79])
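
The Shamir sharing the slide cites, written out as an added example (not code from the paper or its authors) over a toy prime q = 97 with ℓ parties, threshold t and h = t + 1. It shows the three facts the threshold setting rests on: any h shares reconstruct the secret, any t shares can be explained by every candidate secret in Z_q (so they carry no information about it), and shares are linear, so a party can add and scale its own shares locally and broadcast the result, which is what keeps the online signing phase light. The modulus, secrets and party counts are constructed values.

```python
"""Shamir secret sharing over Z_q, as cited on the slide for the key shares sk_i.
Added illustration, not the paper's code: a dealer splits a secret into ell
shares so that any h = t + 1 of them reconstruct it, while any t shares are
consistent with every secret in Z_q (t shares plus any candidate point (0, s0)
fix exactly one degree-t polynomial). Shares are linear, so parties can
combine them locally without interaction."""
import itertools
import random

Q = 97  # toy prime modulus (constructed); real schemes use a much larger q

def share(secret, t, ell, rng):
    """Shares (i, f(i)), i = 1..ell, of a random degree-t polynomial f with f(0) = secret."""
    coeffs = [secret % Q] + [rng.randrange(Q) for _ in range(t)]
    return [(i, sum(c * pow(i, j, Q) for j, c in enumerate(coeffs)) % Q)
            for i in range(1, ell + 1)]

def evaluate(points, x):
    """Lagrange: value at x of the unique polynomial of degree < len(points) through points."""
    total = 0
    for i, yi in points:
        num = den = 1
        for j, _ in points:
            if j != i:
                num = num * (x - j) % Q
                den = den * (i - j) % Q
        total = (total + yi * num * pow(den, Q - 2, Q)) % Q
    return total

def reconstruct(shares):
    """Any t + 1 shares determine f, so f(0) is the secret."""
    return evaluate(shares, 0)

def explain(shares_t, s0, ell):
    """Given only t shares, a complete sharing of ANY candidate s0 that agrees with
    them exists; this is why t shares reveal nothing about the real secret."""
    return [(i, evaluate(shares_t + [(0, s0)], i)) for i in range(1, ell + 1)]

def local_combine(shares_a, shares_b, c):
    """Party i computes a_i + c*b_i on its own shares, giving shares of a + c*b."""
    return [(i, (ai + c * bi) % Q) for (i, ai), (_, bi) in zip(shares_a, shares_b)]

def demo(seed=2013, t=2, ell=5):
    """ell parties, at most t corrupted, h = t + 1 honest parties suffice."""
    rng = random.Random(seed)
    a, b, c = 42, 17, 5                               # constructed secrets and public scalar
    sa, sb = share(a, t, ell, rng), share(b, t, ell, rng)
    combined = local_combine(sa, sb, c)               # no interaction between parties
    return {
        # every h-subset of parties recovers the secret
        "any_h_recover": all(reconstruct(list(s)) == a
                             for s in itertools.combinations(sa, t + 1)),
        # any t shares are consistent with every secret in Z_q
        "every_secret_consistent": all(
            explain(sa[:t], s0, ell)[:t] == sa[:t]
            and reconstruct(explain(sa[:t], s0, ell)[:t + 1]) == s0
            for s0 in range(Q)),
        # h shares of the locally combined values reconstruct a + c*b
        "linear": reconstruct(combined[:t + 1]) == (a + c * b) % Q,
    }

if __name__ == "__main__":
    print(demo())
```

The `explain` function is the simulator from the information-theoretic argument: whatever t shares a coalition holds, the same shares arise from a valid sharing of every other secret, so the coalition's view is independent of sk.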

SLIDE 9

Threshold Versions of Classical Cryptoschemes

◮ Variants of ElGamal
◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98
◮ Shoup ’00 version of RSA
◮ All broken by the quantum algorithm of Shor ’97.
◮ Lattices for the post-quantum world...

(Image courtesy wikipedia.org)

SLIDE 13

The GPV Schemes [GentryPeikertVaikuntanathan’08]

GPV Signatures:

◮ KeyGen(1^n):
  ⋆ sk = R, vk = uniform A ∈ Z_q^{n×m} with trapdoor R.
◮ Sign(sk, µ):
  ⋆ Sample x ∈ Z_q^m with Ax = H(µ) ∈ Z_q^n.
◮ Verify(vk, µ, x):
  ⋆ Accept iff x is short and Ax = H(µ).

IBE using sampling for key extraction [GPV’08]
HIBE using trapdoor delegation [CHKP’10]
ABE, group signatures, . . . [AFV’11, GKV’10]

(Image courtesy cryptoexperts.com/tlepoint)

SLIDE 15

Threshold Lattice-Based Schemes

Challenges:
◮ Complex early KeyGen algorithms [Ajtai’99, AlwenPeikert’09]
◮ GPV sampling involves adaptive iterations

Prior work:
◮ Encryption [BD’10, MSs’11, XXZ’11]
◮ Signatures [CLRS’10, FGM’10]

SLIDE 16

Contribution

Threshold Protocols: trapdoor generation, discrete Gaussian sampling, and trapdoor delegation ⇒ lattice-based threshold signatures and (H)IBE

Properties:

◮ Information-theoretic security
◮ Optimal thresholds
◮ Efficiency/security parameters independent of the number of parties
◮ Inefficiency/interactivity limited to the offline phase
  ⋆ Offline phase: computation at keygen time
  ⋆ Online phase: computation once the syndrome is known

SLIDE 20

New Lattice Trapdoors [MicciancioPeikert’12]

◮ Trapdoor can be a short basis [GGH’97, GPV’08]
◮ Improved efficiency with trapdoor based on public gadget G [MP’12]

Definition
Short R is a trapdoor for A if AR = G.

◮ Key Generation:
  ⋆ Sample uniform Ā and random short R̄.
  ⋆ Output A = [Ā | G − ĀR̄] and R = [R̄ ; I] (R̄ stacked on the identity).
◮ Given u, how to sample short Gaussian x with Ax = u using R?

SLIDE 25

The Convolution Approach for Sampling [P’10, MP’12]

Given A, R, and u, sample short Gaussian x with Ax = u.

◮ Easy to sample short z with Gz = A(Rz) = u; but Rz is skewed.
◮ Convolution lemma [P’10]: covariance and syndrome are additive ⇒ add p from a different skewed Gaussian.

Standalone sampling algorithm:

◮ Offline: Sample p, store with w = Ap.
◮ Online: Given u, sample z with Gz = u − w. Output x = p + Rz.

SLIDE 30

Sampling in a Threshold Setting

Given A, R, and u, sample short Gaussian x with Ax = u.

Offline:
◮ Threshold sample shares of p and store with public w = Ap.
◮ Threshold sample and store shares of syndrome correction data.

Online (party i):
◮ Retrieve p_i and w.
◮ Assemble Rz_i for Gaussian z with Gz = u − w.
◮ Broadcast x_i = p_i + Rz_i and reconstruct x.

◮ Public w = Ap seems necessary.

Lemma
Ap is negl(n)-far from uniform, so we can simulate it without knowing p.

SLIDE 36

Syndrome Correction

Given v ∈ Z_q^n, get Rz_i for Gaussian z with Gz = v.

g^t := (1, 2, . . . , 2^{k−1}) ∈ Z_q^k (let q = poly(n), k = ⌈lg q⌉)

G := diag(g^t, g^t, . . . , g^t) ∈ Z_q^{n×nk} (block diagonal, n copies of g^t)

◮ Easy to sample z ∈ Z_q^k with g^t z = v ∈ Z_q: only q syndromes.
◮ Concatenating n samples ⇒ z ∈ Z_q^{nk} with Gz = v ∈ Z_q^n.
◮ R_i, z_i → Rz_i is interactive, so multiply the nq partial samples offline.
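
The pieces on slides 13, 20, 25, 30 and 36 fit together into one short program, given here as an added illustration and not as code from the paper or its authors. It keeps the algebra exactly (AR = G, Gz = v from one short preimage per coordinate, Ax = Ap + ARz = w + Gz = u) but makes several simplifications that are the example's own: discrete Gaussian sampling is replaced by a uniform choice from a precomputed table of {−1, 0, 1} preimages (one table entry per syndrome, the "only q syndromes" point), the perturbation p is a random {−1, 0, 1} vector, the threshold phase uses additive shares over Z_q from a trusted dealer in place of Shamir shares and the paper's threshold protocols, H(µ) is a few bytes of SHA-256 reduced mod q, and the parameters n = 3, q = 127 are toy values. The result demonstrates the structure only and is not a secure signature scheme.

```python
"""Toy walk through the MP'12 gadget trapdoor (A R = G), gadget syndrome
correction (G z = v from n per-coordinate samples), the offline/online sampler
(x = p + R z with A x = u), GPV-style sign/verify and a threshold online phase.
Added illustration, not the paper's code: Gaussian sampling is replaced by a
table of {-1,0,1} preimages, p is a {-1,0,1} vector, and shares are additive
over Z_q from a trusted dealer. Structure only; NOT a secure scheme."""
import hashlib
import itertools
import random

N, Q = 3, 127                      # toy dimension n and modulus q (constructed)
K = (Q - 1).bit_length()           # k = ceil(lg q) = 7, so g^t = (1, 2, ..., 64)
G_VEC = [1 << j for j in range(K)]
M = N + N * K                      # m = n + nk columns of A
BOUND = 1 + N * K                  # |x_j| <= |p_j| + |(R z)_j| for the toy distributions

def matvec(mat, vec, mod=None):
    out = [sum(a * b for a, b in zip(row, vec)) for row in mat]
    return [o % mod for o in out] if mod else out

def matmul(a, b, mod=None):
    out = [[sum(x * y for x, y in zip(row, col)) for col in zip(*b)] for row in a]
    return [[o % mod for o in row] for row in out] if mod else out

def gadget_matrix():
    """G ∈ Z_q^{n x nk}: row i holds g^t in block i and zeros elsewhere."""
    return [[0] * (i * K) + G_VEC + [0] * ((N - 1 - i) * K) for i in range(N)]

def keygen(rng):
    """Slide 20: uniform Ā, short R̄, A = [Ā | G - Ā R̄], R = [R̄; I]; then A R = G."""
    A_bar = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    R_bar = [[rng.choice((-1, 0, 1)) for _ in range(N * K)] for _ in range(N)]
    AR_bar, G = matmul(A_bar, R_bar), gadget_matrix()
    A = [A_bar[i] + [(g - a) % Q for g, a in zip(G[i], AR_bar[i])] for i in range(N)]
    ident = [[int(i == j) for j in range(N * K)] for i in range(N * K)]
    return A, R_bar + ident

def is_trapdoor(A, R):
    """Definition on slide 20: short R is a trapdoor for A iff A R = G (mod q)."""
    return matmul(A, R, Q) == gadget_matrix()

# Slide 36: one coordinate has only q possible syndromes, so precompute, for each
# v in Z_q, every short z in {-1,0,1}^k with g^t z = v (mod q).
PREIMAGES = {v: [] for v in range(Q)}
for z in itertools.product((-1, 0, 1), repeat=K):
    PREIMAGES[sum(g * c for g, c in zip(G_VEC, z)) % Q].append(list(z))

def gadget_sample(v, rng):
    """Short z in Z^{nk} with G z = v (mod q): concatenate one sample per coordinate."""
    return [c for vi in v for c in rng.choice(PREIMAGES[vi % Q])]

def hash_to_zq(msg):
    """Toy H(µ) in Z_q^n from SHA-256 (constructed; not a proper hash-to-Z_q)."""
    return [b % Q for b in hashlib.sha256(msg).digest()[:N]]

def sample_preimage(A, R, u, p, rng):
    """Slide 25: w = A p is stored offline; online sample z with G z = u - w and
    output x = p + R z, so that A x = A p + A R z = w + G z = u."""
    w = matvec(A, p, Q)
    z = gadget_sample([(ui - wi) % Q for ui, wi in zip(u, w)], rng)
    return [pi + ri for pi, ri in zip(p, matvec(R, z))]

def sign(A, R, msg, rng):
    p = [rng.choice((-1, 0, 1)) for _ in range(M)]      # toy perturbation
    return sample_preimage(A, R, hash_to_zq(msg), p, rng)

def verify(A, msg, x):
    """Slide 13: accept iff x is short and A x = H(µ)."""
    return all(abs(xi) <= BOUND for xi in x) and matvec(A, x, Q) == hash_to_zq(msg)

def share(vec, parties, rng):
    """Additive sharing over Z_q by a trusted dealer (toy; the paper uses Shamir)."""
    shares = [[rng.randrange(Q) for _ in vec] for _ in range(parties - 1)]
    shares.append([(v - sum(s[j] for s in shares)) % Q for j, v in enumerate(vec)])
    return shares

def threshold_sign(A, R, msg, parties, rng):
    """Slide 30: parties hold shares p_i of p and public w = A p; online, party i
    adds its share of R z and broadcasts x_i; the broadcasts sum to x."""
    p = [rng.choice((-1, 0, 1)) for _ in range(M)]
    p_shares, w = share(p, parties, rng), matvec(A, p, Q)    # offline
    u = hash_to_zq(msg)
    Rz = matvec(R, gadget_sample([(ui - wi) % Q for ui, wi in zip(u, w)], rng))
    rz_shares = share(Rz, parties, rng)     # dealer stands in for the precomputed R z_i
    broadcasts = [[(a + b) % Q for a, b in zip(pi, ri)] for pi, ri in zip(p_shares, rz_shares)]
    total = [sum(col) % Q for col in zip(*broadcasts)]
    # x is short, so its centred representative mod q is x itself
    return [((v + Q // 2) % Q) - Q // 2 for v in total]

def demo(seed=2013, parties=4):
    """Key generation, one standalone and one threshold signature on a constructed message."""
    rng = random.Random(seed)
    A, R = keygen(rng)
    msg = b"constructed message"
    x, xt = sign(A, R, msg, rng), threshold_sign(A, R, msg, parties, rng)
    return {"A": A, "x": x, "trapdoor": is_trapdoor(A, R),
            "verifies": verify(A, msg, x), "threshold_verifies": verify(A, msg, xt)}

if __name__ == "__main__":
    print({k: v for k, v in demo().items() if k not in ("A", "x")})
```

Running the file reports whether AR = G holds and whether the standalone and threshold signatures verify. The centred reduction at the end of `threshold_sign` recovers x exactly only because x is short relative to q, which is also why the broadcast shares can live in Z_q; with a real discrete Gaussian the same bound would come from the Gaussian tail rather than from the {−1, 0, 1} ranges used here.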

SLIDE 39

Final Notes

◮ Protocols for precomputation need shares of Gaussian-distributed integers
  ⋆ We show distributed integer sampling with MPC
  ⋆ An efficient protocol remains an open problem
◮ Learning-with-errors (LWE) inversion:
  ⋆ Basis of some CCA-secure cryptoschemes (e.g. [P’09, MP’12])
  ⋆ Possible from discrete Gaussian sampling [CHKP’10, MP’12], but a direct protocol could be more efficient
◮ Thanks!
