 
Round5 with ring lifting
CWG, September 14, 2018
Sauvik Bhattacharya, Scott Fluhrer, Oscar Garcia-Morchon, Mike Hamburg, Thijs Laarhoven, Ronald Rietman, Markku-Juhani O. Saarinen, Ludo Tolhuizen, Zhenfei Zhang
Introducing Round5
NIST Post-Quantum Cryptography Standardization project.
NIST asked to merge proposals.
We looked for merge combinations with low bandwidth/communication requirements.
Round5 combines Round2 and HILA5.
Round2: (R)LWR-based KEM and PKE with sparse ternary secrets
Round2: KEM and PKE based on (Ring) Learning with Rounding.
No explicit noise generation required, hence fewer calls to the random generator.
Smaller alphabet sizes for public key and ciphertext.
Prime cyclotomic polynomial $\varphi_{n+1}(x) = 1 + x + \dots + x^n$ with $n+1$ prime, and $\varphi_{n+1}(x)$ irreducible modulo two.
Sparse ternary secrets.
Round2 description
Alice: $a \xleftarrow{\$} \mathbb{Z}_q[x]/\varphi(x)$, $s \xleftarrow{\$} S$; $b = \langle \lfloor \tfrac{p}{q} \langle as \rangle_\varphi \rceil \rangle_p$.
Alice sends $(a, b)$ to Bob.
Bob: $r \xleftarrow{\$} S$; $u = \langle \lfloor \tfrac{p}{q} \langle ar \rangle_\varphi \rceil \rangle_p$; $v = \langle \tfrac{t}{2} m + S_\mu(\lfloor \tfrac{t}{p} \langle br \rangle_\varphi \rceil) \rangle_t$.
Bob sends $(u, v)$ to Alice.
Alice: $w = \langle \tfrac{q}{t} v - \tfrac{q}{p} S_\mu(\langle us \rangle_\varphi) \rangle_q$; $\hat m = \langle \lfloor \tfrac{2}{q} w + \tfrac{1}{2} \rfloor \rangle_2$.
$S$ is a subset of all balanced ternary polynomials of Hamming weight $h$; $\varphi(x) = 1 + x + \dots + x^n$; $S_\mu(f)$: the $\mu$ highest-order coefficients of $f$.
HILA5: RLWE-based KEM with error correction
HILA5: KEM based on Ring Learning with Errors.
Failure probability reduction by the error correcting code Xe5, resulting in smaller public keys and ciphertexts.
Decoding Xe5 avoids table lookups and conditional branches altogether and is therefore resistant to timing attacks.
Correction of up to five errors by majority voting. For each information bit $m_i$, there are disjoint sets $S_{i,1}, \dots, S_{i,10}$ of parity bit indices such that $m_i = \sum_{j \in S_{i,k}} p_j$ for $1 \le k \le 10$.
Information bit $i$ is flipped iff six or more of these sums equal one.
Round5 = Round2 + HILA5
Alice: $a \xleftarrow{\$} \mathbb{Z}_q[x]/\varphi(x)$, $s \xleftarrow{\$} S$; $b = \langle \lfloor \tfrac{p}{q} \langle as \rangle_\varphi \rceil \rangle_p$.
Alice sends $(a, b)$ to Bob.
Bob: $r \xleftarrow{\$} S$; $u = \langle \lfloor \tfrac{p}{q} \langle ar \rangle_\varphi \rceil \rangle_p$; $c = \mathrm{Encode}(m)$; $v = \langle \tfrac{t}{2} c + S_\mu(\lfloor \tfrac{t}{p} \langle br \rangle_\varphi \rceil) \rangle_t$.
Bob sends $(u, v)$ to Alice.
Alice: $w = \langle \tfrac{q}{t} v - \tfrac{q}{p} S_\mu(\langle us \rangle_\varphi) \rangle_q$; $\hat c = \langle \lfloor \tfrac{2}{q} w + \tfrac{1}{2} \rfloor \rangle_2$; $\hat m = \mathrm{Decode}(\hat c)$.
$S$ is a subset of all balanced ternary polynomials of Hamming weight $h$; $\varphi(x) = 1 + x + \dots + x^n$; $S_\mu(f)$: the $\mu$ highest-order coefficients of $f$.
Benefit of error correction
Round5 combines the LWR-based approach of Round2 and the error correcting code of HILA5.
Smaller public keys and ciphertexts.
However, this assumes independence of errors...
Simulation results: error values for prime cyclotomic ring
[Plot: $\log_2(\mathrm{Prob}(\text{error value} \ge x))$ against $x$ (0 to 9), with curves for the bit error probability and the conditional bit error probability; vertical axis from 0 down to $-25$.]
Issue with prime cyclotomic ring: correlated errors
One of the terms in the error in reconstruction is $\langle \langle se \rangle_\varphi \rangle_q$.
$\langle se \rangle_\varphi = \sum_{k=0}^{n-1} [c_k(s, e) - c_n(s, e)]\, x^k$, where $c_j(s, e) = \sum_i s_i\, e_{\langle j - i \rangle_{n+1}}$.
Hence, if $c_n(s, e)$ is large, then many coefficients of $\langle se \rangle_\varphi$ may be large.
Round5 with ring lifting
Alice: $a \xleftarrow{\$} \mathbb{Z}_q[x]/\varphi(x)$, $s \xleftarrow{\$} S$; $b = \langle \lfloor \tfrac{p}{q} \langle as \rangle_\varphi \rceil \rangle_p$.
Alice sends $(a, b)$ to Bob.
Bob: $r \xleftarrow{\$} S$; $u = \langle \lfloor \tfrac{p}{q} \langle ar \rangle_\varphi \rceil \rangle_p$; $c = \mathrm{Encode}(m)$; $v = \langle \tfrac{t}{2} c + S_\mu(\lfloor \tfrac{t}{p} \langle br \rangle_N \rceil) \rangle_t$.
Bob sends $(u, v)$ to Alice.
Alice: $w = \langle \tfrac{q}{t} v - \tfrac{q}{p} S_\mu(\langle us \rangle_N) \rangle_q$; $\hat c = \langle \lfloor \tfrac{2}{q} w + \tfrac{1}{2} \rfloor \rangle_2$; $\hat m = \mathrm{Decode}(\hat c)$.
$S$ is a subset of all balanced ternary polynomials of Hamming weight $h$; $\varphi(x) = 1 + x + \dots + x^n$; $S_\mu(f)$: the $\mu$ highest-order coefficients of $f$.
$N(x) = (x - 1)\varphi(x) = x^{n+1} - 1$.
Why this works (1)
$\tfrac{q}{p} b = \langle as \rangle_\varphi + e + q\lambda$ with $|e| \le \tfrac{q}{2p}$.
$\tfrac{q}{p} br = \langle as \rangle_\varphi r + er = (as + \lambda_1 \varphi) r + er + q\lambda_2$.
As $r(x) = (x - 1)\rho(x) + r(1)$ for some $\rho \in \mathbb{Z}[x]$, and $r(1) = 0$ because $r$ is balanced ternary: $\langle \langle \varphi r \rangle_N \rangle_q = 0$.
$\tfrac{q}{p} br \equiv asr + er \pmod{N, q}$.
$\tfrac{q}{p} us \equiv asr + e's \pmod{N, q}$.
$\tfrac{q}{p}(br - us) \equiv er - e's \pmod{N, q}$.
Why this works (2)
$\tfrac{p}{t} \lfloor \tfrac{t}{p} \langle br \rangle_N \rceil = \langle br \rangle_N + e'' \pmod{N, p}$.
$\tfrac{q}{t} v = \tfrac{q}{2} m + S_\mu(\tfrac{q}{p} \langle br \rangle_N + \tfrac{q}{p} e'') \pmod{N, q}$.
$w = \tfrac{q}{2} m + S_\mu(er - e's + \tfrac{q}{p} e'') \pmod{N, q}$.
So if $\langle er - e's \rangle_N + \tfrac{q}{p} e''$ is small (modulo $q$), then $w \approx \tfrac{q}{2} m$.
We got rid of the correlation between coefficients of $\langle er - e's \rangle_\varphi$ caused by a large common term.
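As an added worked example (not code from these slides or from the Round5 submission), the following Python toy runs the ring-lifted exchange of the previous slides with small constructed parameters and no FEC (Encode = identity), and checks that Alice recovers Bob's bits; the parameter values, function names and the 2018 seed are illustrative choices, not Round5 parameter sets.

```python
import random

# Constructed toy parameters (illustration only, not a Round5 parameter set).
# n + 1 = 17 is prime, so phi(x) = 1 + x + ... + x^n is the prime cyclotomic
# polynomial and N(x) = (x - 1) phi(x) = x^(n+1) - 1 is the lifted (cyclic) ring.
N_DEG, Q, P, T, H, MU = 16, 2**12, 2**9, 2**5, 6, 8

def mul_mod_N(f, g, n, mod):
    """Product in Z_mod[x]/(x^(n+1) - 1): c_j = sum_i f_i * g_{<j-i>_{n+1}} (n+1 coefficients each)."""
    c = [0] * (n + 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            c[(i + j) % (n + 1)] += fi * gj
    return [x % mod for x in c]

def reduce_mod_phi(c, mod):
    """<f>_phi from <f>_N: the top coefficient c_n is subtracted from every c_k, k < n (the shared term)."""
    return [(ck - c[-1]) % mod for ck in c[:-1]]

def lwr_round(f, from_mod, to_mod):
    """Coefficient-wise <floor((to/from) * x + 1/2)>_to: LWR rounding, no explicit noise sampling."""
    return [((x * to_mod + from_mod // 2) // from_mod) % to_mod for x in f]

def balanced_ternary(n, h):
    """Secret with h/2 coefficients +1 and h/2 coefficients -1 (degree < n), hence r(1) = 0."""
    s = [0] * (n + 1)   # n+1 slots so it can be used directly in the N ring; slot n stays 0
    for k, i in enumerate(random.sample(range(n), h)):
        s[i] = 1 if k < h // 2 else -1
    return s

def lifted_exchange(c, n=N_DEG, q=Q, p=P, t=T, h=H, mu=MU):
    """Run the exchange on bits c (length mu, Encode = identity); return Alice's decoded bits c_hat."""
    a = [random.randrange(q) for _ in range(n)] + [0]   # a in Z_q[x]/phi(x), padded into the N ring
    s, r = balanced_ternary(n, h), balanced_ternary(n, h)
    b = lwr_round(reduce_mod_phi(mul_mod_N(a, s, n, q), q), q, p)   # Alice: <round_p(<as>_phi)>_p
    u = lwr_round(reduce_mod_phi(mul_mod_N(a, r, n, q), q), q, p)   # Bob:   <round_p(<ar>_phi)>_p
    # Bob: v = <t/2 * c + S_mu(round_t(<br>_N))>_t, reduced modulo N rather than phi
    br_top = lwr_round(mul_mod_N(b + [0], r, n, p), p, t)[-mu:]
    v = [((t // 2) * ci + x) % t for ci, x in zip(c, br_top)]
    # Alice: w = <q/t * v - q/p * S_mu(<us>_N)>_q ; c_hat = <floor(2/q * w + 1/2)>_2
    us_top = mul_mod_N(u + [0], s, n, p)[-mu:]
    w = [((q // t) * vi - (q // p) * x) % q for vi, x in zip(v, us_top)]
    return [((2 * wi + q // 2) // q) % 2 for wi in w]

if __name__ == "__main__":
    random.seed(2018)
    bits = [random.randrange(2) for _ in range(MU)]
    print("recovered correctly:", lifted_exchange(bits) == bits)
```

With these toy values the reconstruction error $er - e's + \tfrac{q}{p} e''$ is bounded by $4h + 4h + 64 = 112 < q/4$, so decoding never fails; realistic parameters trade that margin for size, which is where the failure rates on the later slides come from.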
Simulation results: error values in cyclic ring
[Plot: $\log_2(\mathrm{Prob}(\text{error value} \ge x))$ against $x$ (0 to 9), with curves for the bit error probability and the conditional bit error probability; vertical axis from 0 down to $-30$.]
Simulation results: error values for both rings
[Plot: $\log_2(\mathrm{Prob}(\text{error value} \ge x))$ against $x$ (0 to 9), with curves for the cyclotomic bit error probability and the NTRU (cyclic) bit error probability; vertical axis from 0 down to $-30$.]
Benefits of ring lifting

Parameters (CCA NIST3)   No FEC, cyclotomic   No FEC, ring lifting   Xef FEC, ring lifting
d, n, h                  852, 852, 212        820, 820, 254          756, 756, 242
q, p, t                  2^12, 2^9, 2^5       2^12, 2^9, 2^3         2^12, 2^8, 2^3
B, n̄, m̄, f              1, 1, 1, 0           1, 1, 1, 0             1, 1, 1, 5
μ                        192                  192                    192 + 231
Bandwidth                2087 B               1967 B                 1720 B
Public key               984 B                948 B                  781 B
Ciphertext               1103 B               1019 B                 939 B
PQ security              2^181                2^176                  2^181
Classical security       2^193                2^192                  2^193
Failure rate             2^-146               2^-162                 2^-255
$S_\mu$ stops the "evaluate at $x = 1$" attack
The "evaluate at $x = 1$" attack is a distinguishing attack.
Consider the RLWE sample $(b, v = \langle \langle br \rangle_N + e'' + \tfrac{q}{2} m \rangle_q)$ with $\langle r(1) \rangle_q = 0$.
As $(x - 1) \mid N(x)$, $v(1) \equiv e''(1) + \tfrac{q}{2} m(1) \pmod q$, so $\langle v(1) \rangle_q$ is not uniformly distributed.
If $\mu < n$, not all coefficients of $\langle br \rangle_N$ are available, so the evaluate-at-$x = 1$ attack does not apply.
CPA-security proof for Round2 (1)
CPA: chosen plaintext attack.
The adversary chooses two plaintexts, $m_0$ and $m_1$, after having seen $a$ and $b$: $(m_0, m_1) = A_1(a, b)$.
Adversary randomly chooses $k \in \{0, 1\}$ and encrypts $m_k$.
Algorithm $A_2$ runs on input $(a, b, m_0, m_1, u, v)$ with output 0 or 1.
The output of the game equals 1 if $A_2(a, b, m_0, m_1, u, v) = k$ and zero otherwise.
The advantage of $(A_1, A_2)$ equals $|\mathrm{Prob}[\text{game output} = 1] - \tfrac{1}{2}|$, where the probability is over the randomness in $(a, b, u, v)$.
CPA-security proof for Round2 (2)
Sequence of CPA games: gradual replacement of variables, ending with all variables being uniform.
Two consecutive games can be used to construct a distinguisher between samples of the random variables in which these games differ.
The advantage of the constructed distinguisher equals the absolute value of the difference of the probabilities that the respective games output a 1.
The advantage of the original CPA game is at most the sum of the advantages of the distinguishers for the replaced variables.
If the original CPA game has a large advantage, at least one of the distinguishers has a large advantage.
Adapting the reduction for Round5 with ring lifting
The reduction proof from Round2 does not work for Round5 with ring lifting in the step where the distribution of
$\binom{u}{v'} = \binom{\lfloor \tfrac{z}{q} \langle ar \rangle_\varphi \rceil}{S_\mu(\lfloor \tfrac{z}{q} \langle br \rangle_N \rceil)}$
is replaced by a uniform distribution.
With Round2, $v'$ also involves rounding modulo $\varphi$, so $\binom{u}{v'}$ has two R-LWR samples from the same ring.
With Round5 with ring lifting, $\binom{u}{v'}$ has two R-LWR samples involving $r$ from different rings.
Related result for lifted RLWE [1, Lemma 11]
Let $n + 1$ be prime, and let $q$ be relatively prime to $n + 1$. Assume that it is hard to distinguish samples $(a_i, b_i = a_i s + e_i) \in (\mathbb{Z}_q[x]/\Phi_{n+1}(x))^2$ from uniform. Then the samples $(L_q(a_i), L_q((1 - x) b_i)) \in S_{n+1,q}^2$ are also hard to distinguish from uniform.
Here $S_{n+1,q} = \{ \sum_{i=0}^{n} a_i x^i \mid \sum_{i=0}^{n} a_i \equiv 0 \pmod q \}$, and $L_q(a(x)) = a(x) - (n + 1)^{-1} \cdot a(1)\, \Phi_{n+1}(x)$.
[1] G. Bonnoron, L. Ducas and M. Fillinger, "Large FHE gates from Tensored Homomorphic Accumulator", IACR ePrint Report 2017/996.
Applicability to Round5
In the proof in [1], the error polynomial $e_i$ is lifted to $L_q((x - 1) e_i(x)) = (x - 1) e_i(x)$. Hence, even if the coefficients of each $e_i$ are drawn independently, this is no longer true for the coefficients after lifting.
Different even coefficients of $(x - 1) f(x)$ do not contain a common coefficient from $f$. Hence, if $\mu < n/2$, we can let $S_\mu$ select $\mu$ even coefficients of a polynomial, and the dependence has been removed.
Can we generalize this RLWE result to RLWR?