Lattice-based signatures: Extra lecture for the Digital Signatures course (PowerPoint PPT presentation)

SLIDE 1

Lattice-based signatures

Extra lecture for the “Digital Signatures” course 2020, Dennis Hofheinz, ETH Zürich

SLIDE 2

Quantum computers

  • Grover’s algorithm: speeds up unstructured search (N → O(√N) queries)
  • Bigger problem for cryptography: Shor’s algorithm
  • Runs in polynomial time on a (universal) quantum computer
  • Solves a problem (period finding) that in turn solves DLog and Factoring/RSA
  • Breaks most of the signature schemes we have seen

– Which ones (that we have seen) are not broken?

  • Current status of quantum computers unclear
  • If we manage to build them → panic!
  • Massive company involvement, not quite there yet
  • Should look at post-quantum cryptography!
SLIDE 3

Post-quantum cryptography

  • Assume a quantum computer is here…
  • … use things based on symmetric crypto (e.g., hash functions)

– Not always possible (PKE, IBE, …) or efficient (signatures)

  • … use lattice-based constructions

– Very versatile, many nice algebraic properties

  • … use coding-based constructions

– Useful problem: decode noisy codewords
– Code-based PKE and signatures exist, but less versatile

  • … use other platforms (isogenies, nonlinear multivariate equation systems)

– Not as well-understood as lattices or codes

  • Let’s look at lattices!
SLIDE 4

Lattices

  • A lattice, formally: L = { ∑ c_i u_i | c_i ∊ Z } for linearly independent (real) vectors u_i (a basis of L)
  • For our purposes: lattices with u_i ∊ Z^n (or u_i ∊ Z_q^n) suitable
  • Hard problems (closely related to NP-hardness):

– SVP: Find shortest (nonzero) vector in L
– CVP: Given y, find vector in L closest to y
– Even decisional variants of SVP, CVP hard

SLIDE 5

Learning with errors

  • Closely related, but handier: Learning With Errors (LWE)
  • Consider an oracle LWE_s, for fixed but uniform s ∊ Z_q^n
  • Each time it is activated, LWE_s picks…

– … a uniform a ∊ Z_q^n,
– … a short noise scalar e ∊ Z_q,
– … and then outputs a and ⟨a,s⟩+e = ∑ a_i s_i + e ∊ Z_q

  • Search-LWE: given (polynomially many) calls to LWE_s, find s
  • Decision-LWE: distinguish LWE_s from an oracle that outputs uniformly random pairs (a, b) ∊ Z_q^n × Z_q
  • Most interesting case: q polynomially small (q = poly(n))
  • Then: GapSVP hard ⇒ Search-LWE hard ⇔ Decision-LWE hard
  • Depending on the size of the noise: LWE easy / hard / NP-hard / impossible

Hard (but not NP-hard) region useful for cryptography

SLIDE 6

Encryption from LWE

  • Simple PKE scheme from LWE:
  • Observation: LWE ⇒ ( A, As+e ) ≈ ( A, r )

(A ∊ Z_q^{m×n}, s ∊ Z_q^n, r ∊ Z_q^m all uniform, e ∊ Z_q^m short, ≈ means computationally indistinguishable, m ≫ n)

  • Graphically: given A, the vector As+e is indistinguishable from a uniform r
  • Key observation: As+e “almost” behaves like As for short z:

zᵗ(As+e) = zᵗAs + zᵗe = zᵗAs + “small”

[Figure: matrix-vector picture of A·s + e ≈ r and of zᵗ(A·s + e) = zᵗA·s + small]

SLIDE 7

Encryption from LWE

  • Simple PKE scheme from LWE:
  • Simple (and insecure) public-key encryption scheme:

– pk = ( A, As )   (A ∊ Z_q^{m×n}, s ∊ Z_q^n)
– sk = s
– Enc(pk,M) = ( zᵗA, zᵗAs+M )   (z ∊ Z_q^m, M ∊ Z_q)
– Dec(sk,(C1,C2)) = C2 – C1s

  • Decryption, graphically: C2 – C1s = (zᵗAs + M) – (zᵗA)s = M
  • Problem: completely insecure (A is public and m ≫ n, so s can be found from As by solving a linear system over Z_q)

[Figure: zᵗ(A·s) + M − (zᵗA)·s]

SLIDE 8

Encryption from LWE

  • Simple PKE scheme from LWE:
  • Idea: add noise, use LWE (→ linear algebra with noise hard)

– pk = ( A, As+e )   (A ∊ Z_q^{m×n}, s ∊ Z_q^n, e ∊ Z_q^m short)
– sk = s
– Enc(pk,M) = ( zᵗA, zᵗ(As+e)+M )   (z ∊ Z_q^m short, M ∊ Z_q)
– Dec(sk,(C1,C2)) = C2 – C1s

  • New problem: decryption only retrieves M + zᵗe
  • Solution: encrypt only M=0 or M=⌊q/2⌋ (so really encrypt only one bit) and round: output 0 if M + zᵗe is closer to 0 than to ⌊q/2⌋, else 1; correct as long as |zᵗe| < q/4
  • Claim: this is IND-CPA-secure under the LWE assumption

Step 1: substitute As+e in the public key with uniformly random r (indistinguishable by decision-LWE)

Step 2: observe that now r extracts entropy from z

  • Formally: (zᵗA, r, zᵗr) statistically close to (zᵗA, r, rand) (leftover hash lemma; this is where m ≫ n is needed)
  • Hence, encryption becomes “lossy”

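The scheme of slides 5 to 8 carried through as an added example (this is not code from the slides): lwe_sample is the oracle LWE_s, keygen assembles pk = (A, As+e) from m oracle calls, encrypt uses a binary vector as the short z, decrypt_raw returns the leftover M + zᵗe, and decrypt rounds it away. The parameters (n = 8, m = 32, q = 3329, η = 2) and all function names are my choices for illustration; n is far too small for any security, but m·η < q/4 makes the one-bit decryption correct in every case.

```python
import random

# Toy parameters (constructed for this example, NOT secure: n is far too small).
# q is Kyber's modulus; m*eta < q/4 guarantees that the one-bit decryption below is correct.
n, m, q, eta = 8, 32, 3329, 2


def lwe_sample(rng, s):
    """One call to LWE_s: uniform a in Z_q^n, short e in [-eta, eta], output (a, <a,s> + e)."""
    a = [rng.randrange(q) for _ in range(n)]
    e = rng.randint(-eta, eta)
    return a, (sum(ai * si for ai, si in zip(a, s)) + e) % q


def keygen(seed):
    """pk = (A, As+e) assembled from m oracle calls (the a's are the rows of A), sk = s."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    samples = [lwe_sample(rng, s) for _ in range(m)]
    return ([a for a, _ in samples], [b for _, b in samples]), s


def encrypt(pk, bit, seed):
    """Enc(pk, M) = (z^t A, z^t (As+e) + M) with short z in {0,1}^m and M = bit * floor(q/2)."""
    A, b = pk
    rng = random.Random(seed)
    z = [rng.randint(0, 1) for _ in range(m)]
    c1 = [sum(z[i] * A[i][j] for i in range(m)) % q for j in range(n)]
    c2 = (sum(zi * bi for zi, bi in zip(z, b)) + bit * (q // 2)) % q
    return c1, c2


def decrypt_raw(sk, ct):
    """C2 - C1*s = M + z^t e (mod q): the noise term z^t e survives decryption."""
    c1, c2 = ct
    return (c2 - sum(ci * si for ci, si in zip(c1, sk))) % q


def decrypt(sk, ct):
    """Round M + z^t e to the nearer of 0 and floor(q/2); correct whenever |z^t e| < q/4."""
    v = decrypt_raw(sk, ct)
    return 1 if q // 4 < v <= 3 * q // 4 else 0


def noise_budget_ok(rows=m, noise=eta, modulus=q):
    """Worst case |z^t e| <= m*eta (z binary, |e_i| <= eta) must stay below q/4."""
    return rows * noise < modulus // 4


if __name__ == "__main__":
    pk, sk = keygen(seed=1)
    for bit in (0, 1):
        ct = encrypt(pk, bit, seed=42)
        print(bit, "->", decrypt_raw(sk, ct), "->", decrypt(sk, ct))
```

Raising m or η until m·η ≥ q/4 (noise_budget_ok returns False) makes decrypt start returning wrong bits: this decryption-failure constraint is the "parameters" point the last slide leaves out. Real schemes draw e from a centered distribution and bound the failure probability instead of the worst case, which buys much larger m for the same q.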
SLIDE 9

What about signatures?

  • Strangeness: while generically, signatures are easier…
  • Existence of signatures is equivalent to existence of OWFs
  • This is not known about PKE!
  • In fact, there are oracle separations between PKE and OWFs
  • … practical signatures are harder than practical PKE
  • We have efficient PKE schemes from DDH, Factoring, LWE, …
  • … but for signature schemes, this appears much harder

… we can resort to the random oracle model (RSA-FDH, BLS, Schnorr) …

… and/or stronger assumptions (GHR, Cramer-Shoup signatures) …

… and/or pairings (BLS, Waters, Boneh-Boyen signatures) …

… but it seems we need to pay a price

  • Unfortunately, lattices/LWE are no exception

SLIDE 10

We need more tools!

  • Additional tool: lattice trapdoors
  • Consider the functions (for given A ∊ Z_q^{m×n} with m ≫ n, and short z, e)

f_A(z) = zᵗA    g_A(s,e) = As+e

  • Note 1: f_A highly non-injective, g_A injective
  • Note 2: both f_A and g_A are one-way functions (assuming LWE)

– Clear for g_A
– LWE hard ⇒ can’t find a short nonzero z with f_A(z) = 0 (“SIS problem”) ⇒ f_A one-way

  • Now: can compute (almost-)uniform A along with a trapdoor T_A

– T_A is a “short basis” for the lattice L_A^⊥ = { z | zᵗA = 0 } associated with A
– T_A consists of m linearly independent short z with f_A(z) = 0
– In case of f_A, the trapdoor allows to sample short z with f_A(z) = y

SLIDE 11

Signatures from LWE in ROM

  • Simple LWE-based signatures in ROM
  • Consider the functions (for given A ∊ Z_q^{m×n} with m ≫ n, and short z, e)

f_A(z) = zᵗA    g_A(s,e) = As+e

  • Consider the following signature scheme:

– pk = A
– sk = T_A
– σ_M = short z with f_A(z) = H(M) (with H(M) interpreted as an element of Z_q^n)
– Verification: check that z is short and that zᵗA = H(M)

  • Signing uses trapdoor T_A to invert f_A, verification evaluates f_A
  • … looks a lot like RSA-FDH and BLS…
  • … and indeed, the proof works in the same way (→ no tight security!)

SLIDE 12

Tool: trapdoor delegation

  • We can do more with LWE
  • Consider the functions (for given A ∊ Z_q^{m×n} with m ≫ n, and short z, e)

f_A(z) = zᵗA    g_A(s,e) = As+e

  • Previously: both f_A and g_A have (the same) trapdoor T_A

– This T_A consists of a short basis, i.e., short vectors z with zᵗA = 0

  • Now: trapdoors can be delegated:

T_A, B → T_[A;B]   (a trapdoor for the stacked matrix [A;B])

  • Note: T_[A;B] consists of short z = [z1;z2] with z1ᵗA + z2ᵗB = 0
  • Idea to generate such z: choose z2 short, generate z1 using T_A (invert f_A on −z2ᵗB)
  • Generalizes to more matrices (need one trapdoor)

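A toy version of the hash-and-sign scheme of slide 11 together with the delegation step of slide 12, added here as an example (not code from the slides). The trapdoor is a short matrix R in the Micciancio–Peikert "gadget" style, A = [Ā; G − RᵗĀ], rather than the short basis T_A of slide 10; both give the capability used here, inverting f_A on any target with a short preimage, and R is what the code calls sk. The parameters (n = 4, q = 257, hence m = 40), the SHA-256 stand-in for the random oracle H and all names are my assumptions for illustration; nothing is secure at these sizes. forge_without_norm_check shows why verify must check ‖z‖ and not only zᵗA = H(M), and the solve_mod_q it uses is also exactly the linear algebra that recovers s from the noiseless public key (A, As) of slide 7.

```python
import hashlib
import random

# Toy parameters (constructed for this example, NOT secure: n and q are tiny).
n, q = 4, 257            # A is an m x n matrix over Z_q; q is prime, so Z_q is a field
k = q.bit_length()       # 9 bits write any element of Z_q in binary
w = n * k                # number of gadget rows
mbar = n                 # rows of the uniform block Abar
m = mbar + w             # total rows of A
beta = w                 # verifier's bound on the max-norm of z (what invert() produces)


def f_A(z, A):
    """f_A(z) = z^t A mod q for integer z of length len(A); result lives in Z_q^n."""
    return [sum(zi * row[j] for zi, row in zip(z, A)) % q for j in range(n)]


def gadget_rows():
    """Gadget G (w x n): row (i, j) is 2^j * e_i, so x^t G = sum_{i,j} x_{i,j} 2^j e_i."""
    return [[(1 << j) if c == i else 0 for c in range(n)] for i in range(n) for j in range(k)]


def gadget_invert(u):
    """Short x in {0,1}^w with x^t G = u: the binary digits of each coordinate of u."""
    return [(u[i] >> j) & 1 for i in range(n) for j in range(k)]


def keygen(seed):
    """pk = A = [Abar ; G - R^t Abar], sk = short R in {-1,0,1}^(mbar x w), the trapdoor.
    (For real parameters A is statistically close to uniform; here it is only a toy.)"""
    rng = random.Random(seed)
    Abar = [[rng.randrange(q) for _ in range(n)] for _ in range(mbar)]
    R = [[rng.choice((-1, 0, 1)) for _ in range(w)] for _ in range(mbar)]
    RtAbar = [[sum(R[i][r] * Abar[i][c] for i in range(mbar)) % q for c in range(n)]
              for r in range(w)]
    A = Abar + [[(g - t) % q for g, t in zip(grow, trow)]
                for grow, trow in zip(gadget_rows(), RtAbar)]
    return A, R


def invert(R, u):
    """Trapdoor inversion: z = [R x ; x] with x = gadget_invert(u) gives
    z^t A = x^t R^t Abar + x^t (G - R^t Abar) = x^t G = u, and |z|_inf <= w since x is binary."""
    x = gadget_invert(u)
    return [sum(R[i][r] * x[r] for r in range(w)) for i in range(mbar)] + x


def hash_to_target(msg):
    """H(M) interpreted as an element of Z_q^n (SHA-256 stands in for the random oracle)."""
    d = hashlib.sha256(msg).digest()
    return [int.from_bytes(d[2 * i:2 * i + 2], "big") % q for i in range(n)]


def sign(R, msg):
    return invert(R, hash_to_target(msg))


def verify(A, msg, z):
    """Accept iff z is SHORT and f_A(z) = H(M); dropping the norm check is fatal (see below)."""
    return (len(z) == m and max(abs(v) for v in z) <= beta
            and f_A(z, A) == hash_to_target(msg))


def solve_mod_q(rows, b):
    """Gaussian elimination over the field Z_q: return s with rows * s = b, or None.
    The same routine recovers s from a noiseless public key (A, As) (slide 7)."""
    cols = len(rows[0])
    Mx = [[v % q for v in r] + [bv % q] for r, bv in zip(rows, b)]
    for c in range(cols):
        piv = next((r for r in range(c, len(Mx)) if Mx[r][c]), None)
        if piv is None:
            return None                      # rank deficient: no unique solution
        Mx[c], Mx[piv] = Mx[piv], Mx[c]
        inv = pow(Mx[c][c], -1, q)
        Mx[c] = [(v * inv) % q for v in Mx[c]]
        for r in range(len(Mx)):
            if r != c and Mx[r][c]:
                f = Mx[r][c]
                Mx[r] = [(v - f * p) % q for v, p in zip(Mx[r], Mx[c])]
    if any(Mx[r][cols] for r in range(cols, len(Mx))):
        return None                          # inconsistent (e.g. a noisy right-hand side)
    return [Mx[r][cols] for r in range(cols)]


def forge_without_norm_check(A, msg):
    """Without the shortness requirement forging is plain linear algebra: solve
    z^t A = H(M) with z supported on n rows of A. The result is a LONG z, which verify rejects."""
    u = hash_to_target(msg)
    for start in range(m - n + 1):
        block_t = [[A[start + r][c] for r in range(n)] for c in range(n)]  # transpose of n rows
        z0 = solve_mod_q(block_t, u)
        if z0 is not None:
            return [0] * start + z0 + [0] * (m - n - start)
    return None


def delegate(R, B, seed):
    """From T_A alone, a short z = [z1 ; z2] with z1^t A + z2^t B = 0 (one vector of the
    delegated trapdoor for [A;B]): choose z2 short, then invert f_A on -z2^t B."""
    rng = random.Random(seed)
    z2 = [rng.choice((-1, 0, 1)) for _ in B]
    return invert(R, [(-v) % q for v in f_A(z2, B)]) + z2
```

Two caveats a practitioner should take from the toy. First, verify rejects the forged z only because of the norm check; the equation zᵗA = H(M) on its own is satisfiable by anyone with Gaussian elimination, so "short" is the entire security requirement. Second, invert is deterministic and its output [R·x; x] is linear in the trapdoor: x is literally the lower half of every signature and the upper half is R·x, so a handful of signatures reveal R. This is exactly the leakage that broke GGH/NTRUSign, and the reason the GPV scheme samples z from a discrete Gaussian whose distribution is independent of which trapdoor was used.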
SLIDE 13

Signatures w/o ROs

  • Delegation allows to get rid of ROs
  • Signature scheme:

– pk = ( A0, (A_{i,b})_{i ∊ {1,…,k}, b ∊ {0,1}} )
– sk = T_{A0}
– Helpful notation: A(M) = [A0; A_{1,M1}; …; A_{k,Mk}] for M = (M1, …, Mk) ∊ {0,1}^k
– σ_M = T_{A(M)}

  • Signatures in the scheme are generated by delegating using T_{A0}
  • Reduction will not know T_{A0}, but a subset of the T_{A_{i,b}}

– Reduction can generate σ_M iff T_{A_{i,b}} for one involved A_{i,b} is known

SLIDE 14

Signatures w/o ROs

  • Delegation allows to get rid of ROs
  • Signature scheme:

– pk = ( A0, (A_{i,b})_{i ∊ {1,…,k}, b ∊ {0,1}} )
– sk = T_{A0}
– σ_M = T_{A(M)}

  • Scheme less efficient than the generic OWF-based approach, but:

– Better, more compact delegation (and definition of A(M)) possible
– Also: can have only part of the trapdoor in the signature (and not the full T_{A(M)})

  • Scheme can be extended to an IBE scheme:

– Signature pk → IBE master public key mpk
– Signed message M → IBE identity id
– Signature σ_M = T_{A(M)} → IBE secret key usk_id for identity id (= M)
– Idea: using this infrastructure, use A(M) as pk for a PKE instance for id

SLIDE 15

Wrapping up

  • Lattices currently most popular post-quantum tool
  • Hard problems (even connected to NP-hardness)
  • Highly useful hard problem: LWE
  • Can get OWFs (→ signatures), CRHFs, PKE, IBE, FHE*, …
  • What we did not cover today:

– Fully homomorphic encryption/commitments
– Better delegation methods
– Cryptanalysis/attacks on lattice problems
– Parameters (matrix sizes, noise levels, …)