Practical Implementation of Ring-SIS/LWE based Signature and IBE - PowerPoint PPT Presentation

Practical Implementation of Ring-SIS/LWE based Signature and IBE Pauline Bert, Pierre-Alain Fouque, Adeline Roux-Langlois, and Mohamed Sabt PQCrypto 2018, April 11 Univ Rennes, CNRS, IRISA 1

Identity Based Encryption Private Key Generator E x ( mpk , msk ) ← Setup ( 1 λ ) t r a c t ( i d Bob sk id Bob ) C ← Encrypt ( mpk , id Bob , M ) Alice Bob id Bob = ‘bob@bob.fr’ M ← Decrypt ( mpk , sk id Bob , C ) Advantages • We no longer need certificates, PKI... • We can add extra information to the identity. Some Post-Quantum IBEs 2008 First lattice based IBE, by Gentry, Peikert, and Vaikuntanathan (ROM) 2010 First lattice based IBE in the standard model by Cash, Hofheinz, Kiltz, and Peikert following by work of Agrawal, Boneh, and Boyen, 2017 First code based IBE, by Gaborit, Hauteville, Phan and Tillich (ROM). 2

Identity Based Encryption Private Key Generator E x ( mpk , msk ) ← Setup ( 1 λ ) t r a c t ( i d Bob sk id Bob ) C ← Encrypt ( mpk , id Bob , M ) Alice Bob id Bob = ‘bob@bob.fr’ M ← Decrypt ( mpk , sk id Bob , C ) Contributions • We propose an IBE scheme by mixing the Ring version of the IBE scheme à la ABB with the efficient trapdoor of Micciancio and Peikert, • We also take a look at the underlying signature scheme, • We implement these schemes in plain C++. → Both scheme have efficiency comparable to the DLP 1 IBE, and the Falcon − NIST submission, with different assumptions (Ring-LWE/SIS vs NTRU). 1 Ducas, Lyubashevsky, and Prest (2014). “Efficient Identity-Based Encryption over NTRU Lattices”. In: ASIACRYPT . 2

Outline Hard Lattice Problems and Standard Model IBE framework Ring Identity Based Encryption Scheme Underlying Signature Scheme Conclusion 3

Hard Lattice Problems and Standard Model IBE framework

LWE 2 /SIS 3 problems Learning With Errors Short Integer Solution Given Given an uniformly random matrix � � s e ֓ U ( Z n × m , A ← ) , find a non trivial A A + q short vector x ∈ Z m such that where � x � ≤ β and: ֓ U ( Z n × m • A ← ) , q • s ∈ Z n q , x = u mod q . A • e ← ֓ D Z m , α q . − → LWE/SIS are hard: The search problem is to find s . The decision problem is to distinguish Regev/Ajtai gave reductions from � A , s T A + e T � worst-case problems on lattices to from � A , b T � � � Z n × m × Z m the average-case LWE/SIS ← ֓ U . q q problems. 2 Regev (2005). “On lattices, learning with errors, random linear codes, and cryptography”. In: STOC . 3 Ajtai (1996). “Generating Hard Instances of Lattice Problems”. In: STOC . 4

Full trapdoor for LWE and SIS A full trapdoor for the LWE and SIS problems is a short basis T A of the lattice q ( A ) = { x ∈ Z m such that Ax = 0 Λ ⊥ mod q } . • Given A , it’s hard to find such basis, • we can generate A together with T A , thanks to algorithm TrapGen ( n , m , q ) , • we can use T A to solve the SIS problem, • for the matrix A , • for a matrix of the form ( A | A ′ ) ∈ Z n × ( m + m ′ ) , q i.e find a short non zero x ∈ Z m + m ′ such that ( A | A ′ ) x = u mod q . 5

Public Key Encryption of Dual-Regev 4 ֓ U ( Z n × m In this scheme, users can share a public matrix A ← ) . q Alice Bob pk = ( A , u = Ax ) sk = x ← ֓ D Z m , ζ 0 = s T A + e T c T ֓ U ( Z n s ← q ) , e ← ֓ D Z m , τ c 1 − c T c 1 = s T u + e ′ + M . ⌊ q / 2 ⌋ 0 x = e ′ − e T x M ∈ { 0 , 1 } , e ′ ← + M . ⌊ q / 2 ⌋ ֓ D Z , τ � �� � small − → IND-CPA secure based on the hardness of LWE. 4 Gentry, Peikert, and Vaikuntanathan (2008). “Trapdoors for hard lattices and new cryptographic constructions”. In: STOC . 6

Standard Model Framework 5 PKG x Bob such that ֓ U ( Z n u ← q ) ( A , T A ) ← TrapGen ( n , m , q ) A Bob x Bob = u mod q mpk = ( A , u , · · · ) and msk = T A x Bob Alice Bob sk = x Bob ֓ U ( Z n c T 0 = s T A Bob + e T s ← q ) , e ← ֓ D Z m + m ′ , τ pk = ( A Bob , u ) c 1 − c T c 1 = s T u + e ′ + M . ⌊ q / 2 ⌋ 0 x Bob = M ∈ { 0 , 1 } , e ′ − e T x Bob + M . ⌊ q / 2 ⌋ e ′ ← ֓ D Z , τ � �� � A Bob = ( A | F ( id Bob )) ∈ Z n × ( m + m ′ ) small q where F depends on the construction 5 Cash et al. (2010). “Bonsai Trees, or How to Delegate a Lattice Basis”. In: EUROCRYPT ; Agrawal, Boneh, and Boyen (2010). “Efficient Lattice (H)IBE in the Standard Model”. In: EUROCRYPT . 7

Ring Identity Based Encryption Scheme

From random lattice to ideal lattice Consider the rings R = Z [ x ] / ( x n + 1 ) or R q = R / qR , with n a power of 2. If we have s , a ∈ R q , s = s 0 + s 1 x + · · · + s n − 1 x n − 1 ,   a 0 a 1 · · · a n − 1  − a n − 1 · · ·  a 0 a n − 2 � �   s · a = · · · s 0 s 1 s n − 1   ...     − a 1 − a 2 · · · a 0 − → Smaller storage, faster operations. � � Ring-LWE: Given a ∈ R m / n A , s T A + e T LWE: Given mod q , and q � � find s ∈ Z n q . s · a 1 + e 1 , · · · , s · a m / n + e m / n , find SIS: Given A , find a short vector s ∈ R q . x ∈ Z m such that Ax = u mod q . Ring-SIS: Given a ∈ R m / n , find q x ∈ R m / n such that a T x = u mod q . 8

Ring Gadget Trapdoor of [MP12] The trapdoor construction consists in an almost uniformly random vector of polynomials a = ( a 1 , · · · , a m ) ∈ R m q , � a ′ T � � T � h g − a ′ T T � a = . where: • a ′ ← ֓ U ( R m − k ) , q • g = ( 1 , 2 , 4 , · · · , 2 k − 1 ) ∈ R k q with k = ⌈ log 2 q ⌉ is the ‘gadget vector’, • h ∈ R q is an invertible polynomial, called the tag, • T ← ֓ D R ( m − k ) × k , σ is the trapdoor composed of Gaussian polynomials. FRD map [ABB10] A function H : { 0 , 1 } n → R q is an encoding with Full-Rank Differences if: • for all id , H ( id ) is invertible, • for all id � = id ′ , H ( id ) − H ( id ′ ) ∈ R q is invertible. 9

Contribution: Ring IBE construction PKG ֓ U ( R q ) , a ′ ← ֓ U ( R m − k u ← ) q x Bob such that T ← ֓ D R ( m − k ) × k , σ , a T Bob x Bob = u mod q a = ( a ′ T | − a ′ T T ) T x Bob mpk = ( a , u ) and msk = T Alice Bob s ← ֓ U ( R q ) , c T 0 = a Bob s + ( e T 0 | e T 1 ) T sk = x Bob e 0 ← ֓ D R m − k , τ , pk = ( a Bob , u ) e 1 ← ֓ D R k , γ c 1 − c T 0 x Bob = c 1 = u · s + e ′ + M . ⌊ q / 2 ⌋ e ′ − ( e T M ∈ R 2 , e ′ ← 0 | e T 1 ) T x Bob ֓ D R , τ + M . ⌊ q / 2 ⌋ � �� � a Bob = a + ( 0 | H ( id Bob ) g ) T small a ′ T � � � T � H ( id Bob ) g − a ′ T T � = 10

Implementation Choices • Plain C++ implementation using the NFLlib library 6 , • Preimage sampling à la MP12, recently improved by Micciancio and Genise 7 , • By setting m − k = 2, and a ′ = ( 1 , a ) we get a = ( 1 , a | h · g 1 − ( a · t 2 , 1 + t 1 , 1 ), · · · , h · g k − ( a · t 2 , k + t 1 , k )) − → Hardness of Ring-LWE with Gaussian secret of parameter σ , 6 Aguilar Melchor et al. (2016). “NFLlib: NTT-Based Fast Lattice Library”. In: CT-RSA . 7 Genise and Micciancio (2018). “Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus”. In: EUROCRYT . 11

Parameter Choices We need to ensure: • the hardness of two Ring-LWE instances, of parameter q , n and: • Gaussian parameter σ , corresponding to the public key, • Gaussian parameter τ , corresponding to the encryption part, • the correctness of the scheme: � e ′ − ( e T 0 | e T 1 ) T x � < q / 4 , − → Estimation of the hardness of these LWE instances using the LWE estimator of Albrecht et al. 8 . − → Example, for λ = 80, we get log 2 q = 51, n = 1024, and σ , τ ≈ 5. 8 Albrecht, Player, and Scott (2015). “On the concrete hardness of Learning with Errors”. In: J. Mathematical Cryptology . 12

Experimental Results (IBE) Setup Extract Encrypt Decrypt Scheme ( λ , n ) (ms) (ms) (KB/s) (KB/s) BF-128 9 ( 128 , − ) – 0 . 55 4 . 10 6 . 19 DLP-14 10 ( 80 , 512 ) 4034 3 . 8 587 1405 This paper 11 ( 80 , 1024 ) 1 . 67 4 . 02 230 1042 9 Fouotsa (2013). “Calcul des couplages et arithmétique des courbes elliptiques pour la cryptographie”. PhD thesis. 10 McCarthy, Smyth, and O’Sullivan (2017). “A Practical Implementation of Identity-Based Encryption Over NTRU Lattices”. In: IMACC . 11 Timings obtained on a Intel i7-5600 2.6 GHz CPU. 13

Underlying Signature Scheme

Underlying Signature KeyGen ( 1 λ ) → ( vk , sk ) 1. Choose random a ′ ← ֓ U ( R m − k ) , q 2. Sample T ← ֓ D R ( m − k ) × k , σ , 3. Compute a = ( a ′ T | − a ′ T T ) T , 4. Output mpk = a ∈ R m q and msk = T ∈ R ( m − k ) × k . We can compute a M as a M = a T + ( 0 | H ( M ) g ) T = ( a ′ T | H ( M ) g − a ′ T T ) T . Sign ( vk = a , sk = T , M ) → ν 1. Sample x ← Extract (( a , 0 ), T , M ) , satisfying a T M x = 0 ∈ R q , 2. Output ν = x ∈ R m q . Verify ( vk = a , ν = x , M ) → { accept , reject } M x = 0 mod q and � x � ≤ t ζ √ mn . 1. Accept iff a T 14