SLIDE 1
Round5 with ring lifting
CWG, September 14, 2018
Sauvik Bhattacharya, Scott Fluhrer, Oscar Garcia-Morchon, Mike Hamburg, Thijs Laarhoven, Ronald Rietman, Markku-Juhani O. Saarinen, Ludo Tolhuizen, Zhenfei Zhang
1 / 1
SLIDE 2
Outline
SLIDE 3
Introducing Round5
- NIST Post-Quantum Cryptography Standardization project
- NIST asked to merge proposals
- We looked for merge combinations with low bandwidth/communication requirements
- Round5 combines Round2 and HILA5
SLIDE 4
Round2: (R)LWR-based KEM and PKE with sparse ternary secrets
- Round2: KEM and PKE based on (Ring) Learning with Rounding
- No explicit noise generation required, fewer calls to the randomness source
- Smaller alphabet sizes for public key and ciphertext
- Prime cyclotomic polynomial $\phi_{n+1}(x) = 1 + x + \dots + x^n$ with $n$ prime, and $\phi_{n+1}(x)$ irreducible modulo two
- Sparse ternary secrets
SLIDE 5
Round2 description
Alice: $a \xleftarrow{\$} \mathbb{Z}_q[x]/\phi(x)$, $s \xleftarrow{\$} S$; $b = \lfloor \tfrac{p}{q}\langle as\rangle_\phi \rceil_p$
Alice → Bob: $(a, b)$
Bob: $r \xleftarrow{\$} S$; $u = \lfloor \tfrac{p}{q}\langle ar\rangle_\phi \rceil_p$; $v = \langle \tfrac{t}{2}\, m + S_\mu(\lfloor \tfrac{t}{p}\langle br\rangle_\phi \rceil) \rangle_t$
Bob → Alice: $(u, v)$
Alice: $w = \langle \tfrac{q}{t}\, v - \tfrac{q}{p}\, S_\mu(\langle us\rangle_\phi) \rangle_q$; $\hat m = \lfloor \tfrac{2}{q}\, w + \tfrac{1}{2} \rfloor_2$
$S$ is a subset of all balanced ternary polynomials of Hamming weight $h$; $\phi(x) = 1 + x + \dots + x^n$; $S_\mu(f)$: the $\mu$ highest-order coefficients of $f$.
SLIDE 6
HILA5: RLWE-based KEM with error correction
- HILA5: KEM based on Ring Learning with Errors
- Failure probability reduction by the error correcting code Xe5, resulting in smaller public keys and ciphertexts
- Decoding Xe5 avoids table lookups and conditional branches altogether and is therefore resistant to timing attacks.
- Five-error correction by majority voting. For each information bit $m_i$ there are disjoint sets $S_i^1, \dots, S_i^{10}$ of parity bit indices such that $m_i = \sum_{j \in S_i^k} p_j$ for $1 \le k \le 10$. Information bit $i$ is flipped iff six or more sums equal one.
SLIDE 7
Round5 = Round2 + HILA5
Alice: $a \xleftarrow{\$} \mathbb{Z}_q[x]/\phi(x)$, $s \xleftarrow{\$} S$; $b = \lfloor \tfrac{p}{q}\langle as\rangle_\phi \rceil_p$
Alice → Bob: $(a, b)$
Bob: $r \xleftarrow{\$} S$; $u = \lfloor \tfrac{p}{q}\langle ar\rangle_\phi \rceil_p$; $c = \mathrm{Encode}(m)$; $v = \langle \tfrac{t}{2}\, c + S_\mu(\lfloor \tfrac{t}{p}\langle br\rangle_\phi \rceil) \rangle_t$
Bob → Alice: $(u, v)$
Alice: $w = \langle \tfrac{q}{t}\, v - \tfrac{q}{p}\, S_\mu(\langle us\rangle_\phi) \rangle_q$; $\hat c = \lfloor \tfrac{2}{q}\, w + \tfrac{1}{2} \rfloor_2$; $\hat m = \mathrm{Decode}(\hat c)$
$S$ is a subset of all balanced ternary polynomials of Hamming weight $h$; $\phi(x) = 1 + x + \dots + x^n$; $S_\mu(f)$: the $\mu$ highest-order coefficients of $f$.
SLIDE 8
Benefit of error-correction
Round5 combines the LWR-based approach of Round2 and the error correcting code of HILA5. Smaller public keys and ciphertexts. However, this assumes independence of errors...
SLIDE 9
SLIDE 10
Simulation results: error values for prime cyclotomic ring
[Figure: $\log_2(\Pr(\text{error value} \ge x))$ plotted for $x = 1, \dots, 9$ (vertical axis from $-25$ to $-5$); two curves: bit error prob. and conditional bit error prob.]
SLIDE 11
Issue with prime cyclotomic ring: correlated errors
One of the terms in the error in reconstruction is $\langle se\rangle_{\phi, q}$.
$$\langle se\rangle_\phi = \sum_{k=0}^{n-1} [c_k(s, e) - c_n(s, e)]\, x^k, \qquad \text{where } c_j(s, e) = \sum_i s_i\, e_{\langle j - i\rangle_{n+1}}.$$
Hence, if $c_n(s, e)$ is large, then many coefficients of $\langle se\rangle_\phi$ may be large.
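The identity on this slide, as an added example that is not part of the deck: the Python script below (constructed here, with toy sizes n = 16, h = 8 and |e| ≤ 4 chosen for illustration, not the deck's parameters) checks the closed form ⟨se⟩_φ = Σ (c_k − c_n) x^k against plain long division by φ, and then measures on random s, e how subtracting the common term c_n correlates the coefficients of ⟨se⟩_φ, compared with the coefficients of ⟨se⟩_N in the lifted ring x^{n+1} − 1. All function names are the example's own.

```python
import random

# Constructed toy sizes: n = 16, so n + 1 = 17 is prime as in the prime cyclotomic ring.
N_DEG = 16
H = 8        # weight of the balanced ternary secret s
E_MAX = 4    # |e| bound, the size q/(2p) = 2^12 / 2^10 of a rounding error (assumption)


def cyclic_mul(f, g, m):
    """c_j = sum_i f_i g_{<j-i>_m}: the product in Z[x]/(x^m - 1)."""
    res = [0] * m
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            res[(i + j) % m] += fi * gj
    return res


def reduce_mod_phi(c):
    """Slide 11 identity: for f = sum_{k<=n} c_k x^k, <f>_phi = sum_{k<n} (c_k - c_n) x^k."""
    return [ck - c[N_DEG] for ck in c[:N_DEG]]


def reduce_mod_phi_longdiv(f):
    """Independent check of the identity: plain long division by phi = 1 + x + ... + x^n."""
    f = list(f)
    for d in range(len(f) - 1, N_DEG - 1, -1):
        coef = f[d]
        if coef:
            for k in range(N_DEG + 1):      # subtract coef * x^(d-n) * phi(x)
                f[d - N_DEG + k] -= coef
    return f[:N_DEG]


def schoolbook(f, g):
    """Ordinary polynomial product over Z, no reduction."""
    res = [0] * (len(f) + len(g) - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            res[i + j] += fi * gj
    return res


def balanced_ternary(rng):
    """Degree < n, H nonzero coefficients, half +1 and half -1."""
    poly = [0] * N_DEG
    for k, i in enumerate(rng.sample(range(N_DEG), H)):
        poly[i] = 1 if k < H // 2 else -1
    return poly


def identity_holds(trials=50, seed=0):
    """True if the closed form agrees with long division for random s, e."""
    rng = random.Random(seed)
    for _ in range(trials):
        s = balanced_ternary(rng)
        e = [rng.randint(-E_MAX, E_MAX) for _ in range(N_DEG)]
        if reduce_mod_phi(cyclic_mul(s, e, N_DEG + 1)) != reduce_mod_phi_longdiv(schoolbook(s, e)):
            return False
    return True


def correlation_stats(trials=5000, seed=1, big=15):
    """Returns (cov_phi, cov_N, mean_abs_N, mean_abs_phi_given_big_cn):
    sample covariance of coefficients 0 and 1 of <se> in Z[x]/phi and in Z[x]/(x^{n+1} - 1),
    the mean |coefficient| in the lifted ring, and the mean |coefficient| of <se>_phi
    over the trials where |c_n| >= big."""
    rng = random.Random(seed)
    pairs_phi, pairs_N, abs_N, abs_phi_big = [], [], [], []
    for _ in range(trials):
        s = balanced_ternary(rng)
        e = [rng.randint(-E_MAX, E_MAX) for _ in range(N_DEG)]
        c = cyclic_mul(s, e, N_DEG + 1)         # <se>_N
        f = reduce_mod_phi(c)                   # <se>_phi, coefficient k is c_k - c_n
        pairs_N.append((c[0], c[1]))
        pairs_phi.append((f[0], f[1]))
        abs_N.extend(abs(v) for v in c[:N_DEG])
        if abs(c[N_DEG]) >= big:
            abs_phi_big.extend(abs(v) for v in f)

    def cov(pairs):
        mx = sum(x for x, _ in pairs) / len(pairs)
        my = sum(y for _, y in pairs) / len(pairs)
        return sum((x - mx) * (y - my) for x, y in pairs) / len(pairs)

    return (cov(pairs_phi), cov(pairs_N),
            sum(abs_N) / len(abs_N), sum(abs_phi_big) / max(1, len(abs_phi_big)))
```

The covariance of two coefficients of ⟨se⟩_φ comes out close to Var(c_n), while in the lifted ring it is close to zero; and restricted to the trials with a large |c_n|, the coefficients of ⟨se⟩_φ are on average several times larger than an unconditioned coefficient, which is the effect the slide describes.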
SLIDE 12
Round5 with ring lifting
Alice: $a \xleftarrow{\$} \mathbb{Z}_q[x]/\phi(x)$, $s \xleftarrow{\$} S$; $b = \lfloor \tfrac{p}{q}\langle as\rangle_\phi \rceil_p$
Alice → Bob: $(a, b)$
Bob: $r \xleftarrow{\$} S$; $u = \lfloor \tfrac{p}{q}\langle ar\rangle_\phi \rceil_p$; $c = \mathrm{Encode}(m)$; $v = \langle \tfrac{t}{2}\, c + S_\mu(\lfloor \tfrac{t}{p}\langle br\rangle_N \rceil) \rangle_t$
Bob → Alice: $(u, v)$
Alice: $w = \langle \tfrac{q}{t}\, v - \tfrac{q}{p}\, S_\mu(\langle us\rangle_N) \rangle_q$; $\hat c = \lfloor \tfrac{2}{q}\, w + \tfrac{1}{2} \rfloor_2$; $\hat m = \mathrm{Decode}(\hat c)$
$S$ is a subset of all balanced ternary polynomials of Hamming weight $h$; $\phi(x) = 1 + x + \dots + x^n$; $S_\mu(f)$: the $\mu$ highest-order coefficients of $f$; $N(x) = (x - 1)\phi(x) = x^{n+1} - 1$.
SLIDE 13
Why this works (1)
$\tfrac{q}{p}\, b = \langle as\rangle_\phi + e + q\lambda$ with $|e| \le \tfrac{q}{2p}$.
$\tfrac{q}{p}\, br = \langle as\rangle_\phi\, r + er = (as + \lambda_1 \phi)\, r + er + q\lambda_2$.
As $r(x) = (x - 1)\rho(x) + r(1)$ for some $\rho \in \mathbb{Z}[x]$, and $r(1) = 0$ for balanced ternary $r$: $\langle \phi r\rangle_{N, q} = 0$.
$\tfrac{q}{p}\, br \equiv asr + er \pmod{N, q}$
$\tfrac{q}{p}\, us \equiv asr + e's \pmod{N, q}$
$\tfrac{q}{p}\,(br - us) \equiv er - e's \pmod{N, q}$
SLIDE 14
Why this works (2)
$\tfrac{p}{t} \lfloor \tfrac{t}{p}\langle br\rangle_N \rceil = \langle br\rangle_N + e'' \pmod{N, p}$
$\tfrac{q}{t}\, v = \tfrac{q}{2}\, m + S_\mu(\tfrac{q}{p}\langle br\rangle_N + \tfrac{q}{p}\, e'') \pmod{N, q}$
$w = \tfrac{q}{2}\, m + S_\mu(er - e's + \tfrac{q}{p}\, e'') \pmod{N, q}$.
So if $\langle er - e's\rangle_N + \tfrac{q}{p}\, e''$ is small (modulo $q$), then $w \approx \tfrac{q}{2}\, m$.
We got rid of the correlation between coefficients of $\langle er - e's\rangle_\phi$ caused by a large common term.
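An added toy implementation of the ring-lifted scheme of slide 12, together with a check of the identities of slides 13 and 14; this is example code written for this page, not the Round5 reference implementation. It assumes toy parameters n = 16 (n + 1 = 17 prime), q = 2^12, p = 2^9, t = 2^5, h = 8 and µ = 12, takes Encode and Decode to be the identity (the no-FEC variant, f = 0, of slide 17), and all function names are the example's own.

```python
import random

# Toy parameters constructed for this illustration (not Round5's real sizes):
# n = 16, so that n + 1 = 17 is prime as the prime cyclotomic ring requires.
N_DEG = 16
Q, P, T = 2 ** 12, 2 ** 9, 2 ** 5
H = 8      # weight of the balanced ternary secrets: 4 ones and 4 minus-ones, so r(1) = s(1) = 0
MU = 12    # S_mu keeps the mu highest-order coefficients; mu < n (slide 18)


def cyclic_mul(f, g, m):
    """Product in Z[x]/(x^m - 1) for inputs of length <= m."""
    res = [0] * m
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            res[(i + j) % m] += fi * gj
    return res


def mul_N(f, g):
    """<fg>_N for N(x) = x^{n+1} - 1, as a length n+1 list."""
    return cyclic_mul(f, g, N_DEG + 1)


def mul_phi(f, g):
    """<fg>_phi for phi = 1 + x + ... + x^n: x^n = -(1 + ... + x^{n-1}) mod phi,
    so coefficient k of the cyclic product becomes c_k - c_n (slide 11)."""
    c = mul_N(f, g)
    return [ck - c[N_DEG] for ck in c[:N_DEG]]


def round_scale(f, num, den, mod):
    """Coefficient-wise ⌊(num/den)·x⌉ reduced modulo `mod` (rounding half up)."""
    return [((num * x + den // 2) // den) % mod for x in f]


def centered(x, mod):
    """Representative of x modulo `mod` in (-mod/2, mod/2]."""
    x %= mod
    return x - mod if x > mod // 2 else x


def s_mu(f):
    """S_mu(f): the mu highest-order coefficients of a length n+1 representative."""
    return f[-MU:]


def balanced_ternary(rng):
    """Element of S: degree < n, H nonzero coefficients, half +1 and half -1."""
    poly = [0] * N_DEG
    for k, i in enumerate(rng.sample(range(N_DEG), H)):
        poly[i] = 1 if k < H // 2 else -1
    return poly


def keygen(rng):
    a = [rng.randrange(Q) for _ in range(N_DEG)]
    s = balanced_ternary(rng)
    b = round_scale(mul_phi(a, s), P, Q, P)         # b = ⌊(p/q)<as>_phi⌉_p
    return (a, b), s


def encrypt(pk, c, rng):
    """c = Encode(m); Encode is taken to be the identity here (no XEf code), an assumption."""
    a, b = pk
    r = balanced_ternary(rng)
    u = round_scale(mul_phi(a, r), P, Q, P)         # u = ⌊(p/q)<ar>_phi⌉_p
    br_N = [x % P for x in mul_N(b, r)]             # <br>_N: this product lives in the lifted ring
    top = s_mu(round_scale(br_N, T, P, T))          # S_mu(⌊(t/p)<br>_N⌉)
    v = [((T // 2) * ci + x) % T for ci, x in zip(c, top)]
    return (u, v), r                                 # r is returned only for the identity check


def decrypt(sk, ct):
    u, v = ct
    us_N = [x % Q for x in mul_N(u, sk)]            # <us>_N
    w = [((Q // T) * vi - (Q // P) * x) % Q for vi, x in zip(v, s_mu(us_N))]
    c_hat = [((2 * wi + Q // 2) // Q) % 2 for wi in w]   # ⌊(2/q)w + 1/2⌋_2
    return c_hat, w


def noise_term(pk, sk, r):
    """S_mu(<er - e's>_N + (q/p)e'') of slide 14, rebuilt from the three rounding errors."""
    a, b = pk
    e = [centered((Q // P) * bi - x, Q) for bi, x in zip(b, mul_phi(a, sk))]  # (q/p)b = <as>_phi + e
    u = round_scale(mul_phi(a, r), P, Q, P)
    e1 = [centered((Q // P) * ui - x, Q) for ui, x in zip(u, mul_phi(a, r))]  # (q/p)u = <ar>_phi + e'
    br_N = [x % P for x in mul_N(b, r)]
    e2 = [centered((P // T) * y - x, P)                    # (p/t)⌊(t/p)<br>_N⌉ = <br>_N + e'' (mod p)
          for y, x in zip(round_scale(br_N, T, P, T), br_N)]
    er, e1s = mul_N(e, r), mul_N(e1, sk)
    return s_mu([x - y + (Q // P) * z for x, y, z in zip(er, e1s, e2)])


def run_trial(seed):
    """(decryption recovers c, w == (q/2)c + noise mod q as on slide 14) for one seeded run."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    c = [rng.randrange(2) for _ in range(MU)]
    ct, r = encrypt(pk, c, rng)
    c_hat, w = decrypt(sk, ct)
    noise = noise_term(pk, sk, r)
    identity = all((wi - (Q // 2) * ci - ni) % Q == 0 for wi, ci, ni in zip(w, c, noise))
    return c_hat == c, identity
```

run_trial recomputes the rounding errors e, e' and e'' from the transcript and checks coefficient by coefficient that w ≡ (q/2)c + S_µ(⟨er − e's⟩_N + (q/p)e'') (mod q). With these toy sizes the noise is bounded by 2·h·q/(2p) + q/(2t) = 128 < q/4, so every trial also decrypts correctly. Both b·r and u·s are multiplied in the lifted ring Z[x]/(x^{n+1} − 1), which is exactly where the slide-13 argument needs r(1) = s(1) = 0 for the φ-multiples to vanish.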
SLIDE 15
Simulation results: error values in cyclic ring
[Figure: $\log_2(\Pr(\text{error value} \ge x))$ plotted for $x = 1, \dots, 9$ (vertical axis from $-30$ to $-5$); two curves: bit error prob. and conditional bit error prob.]
SLIDE 16
Simulation results: error values for both rings
[Figure: $\log_2(\Pr(\text{error value} \ge x))$ plotted for $x = 1, \dots, 9$ (vertical axis from $-30$ to $-5$); two curves: cycl. bit error prob. and NTRU bit error prob.]
SLIDE 17
Benefits of ring lifting
Parameters (CCA NIST3)   No FEC, cyclotomic   No FEC, ring lifting   Xef FEC, ring lifting
d, n, h                  852, 852, 212        820, 820, 254          756, 756, 242
q, p, t                  2^12, 2^9, 2^5       2^12, 2^9, 2^3         2^12, 2^8, 2^3
B, n̄, m̄, f              1, 1, 1, 0           1, 1, 1, 0             1, 1, 1, 5
µ                        192                  192                    192 + 231
Bandwidth                2087 B               1967 B                 1720 B
Public key               984 B                948 B                  781 B
Ciphertext               1103 B               1019 B                 939 B
PQ Security              2^181                2^176                  2^181
Classical                2^193                2^192                  2^193
Failure rate             2^-146               2^-162                 2^-255
SLIDE 18
$S_\mu$ stops the "evaluate at x = 1" attack
- "Evaluate at x = 1 attack" is a distinguishing attack.
- Consider the RLWE sample $(b, v = \langle br\rangle_N + e'' + \tfrac{q}{2}\, m)_q$ with $\langle r(1)\rangle_q = 0$.
- As $(x - 1) \mid N(x)$: $v(1) \equiv e''(1) + \tfrac{q}{2}\, m(1) \pmod q$, so $\langle v(1)\rangle_q$ is not uniformly distributed.
- If $\mu < n$, not all coefficients of $\langle br\rangle_N$ are available, so the evaluate at x = 1 attack does not apply.
SLIDE 19
CPA-Security proof for Round2 (1)
CPA: Chosen plaintext attack.
- Adversary chooses two plaintexts, $m_0$ and $m_1$, after having seen $a$ and $b$: $(m_0, m_1) = A_1(a, b)$.
- Adversary randomly chooses $k \in \{0, 1\}$ and encrypts $m_k$.
- Algorithm $A_2$ runs on input $(a, b, m_0, m_1, u, v)$ with output 0 or 1.
- Output of game equals 1 if $A_2(a, b, m_0, m_1, u, v) = k$ and zero otherwise.
- The advantage of $(A_1, A_2)$ equals $\left|\Pr[\text{game output} = 1] - \tfrac{1}{2}\right|$, where the probability is over the randomness in $(a, b, u, v)$.
SLIDE 20
CPA-Security proof for Round2 (2)
- Sequence of CPA games. Gradual replacement of variables, ending with all variables being uniform.
- Two consecutive games can be used to construct a distinguisher between samples of the random variables in which these games differ.
- Advantage of the constructed distinguisher equals the absolute value of the difference of the probabilities that the respective games output a 1.
- The advantage of the original CPA game is at most the sum of the advantages of the distinguishers for the replaced variables.
- If the original CPA game has a large advantage, at least one of the distinguishers has a large advantage.
SLIDE 21
Adapting the reduction for Round5 with ring lifting
The reduction proof from Round2 does not work for Round5 with ring lifting in the step where the distribution of
$$\begin{pmatrix} u \\ v' \end{pmatrix} = \begin{pmatrix} \lfloor \tfrac{z}{q}\langle ar\rangle_\phi \rceil \\ S_\mu(\lfloor \tfrac{z}{q}\langle br\rangle_N \rceil) \end{pmatrix}$$
is replaced by a uniform distribution.
With Round2, $v'$ also involves rounding modulo $\phi$, so $\binom{u}{v'}$ has two R-LWR samples from the same ring. With Round5 with ring lifting, $\binom{u}{v'}$ has two R-LWR samples involving $r$ from different rings.
SLIDE 22
Related result for lifted RLWE [1, Lemma 11]
Let $n + 1$ be prime, and let $q$ be relatively prime to $n + 1$. Assume that it is hard to distinguish samples $(a_i, b_i = a_i s + e_i) \in (\mathbb{Z}_q[x]/\Phi_{n+1}(x))^2$ from uniform. Then the samples $(L_q(a_i), L_q((1 - x) b_i)) \in S_{n+1, q}^2$ are also hard to distinguish from uniform. Here
$$S_{n+1, q} = \Big\{ \sum_{i=0}^{n} a_i x^i \;\Big|\; \sum_{i=0}^{n} a_i \equiv 0 \pmod q \Big\}, \qquad L_q(a(x)) = a(x) - (n + 1)^{-1} \cdot a(1)\, \Phi_{n+1}(x).$$
[1] G. Bonnoron, L. Ducas and M. Fillinger, "Large FHE gates from Tensored Homomorphic Accumulator", IACR Cryptology ePrint Archive, Report 2017-996.
SLIDE 23
Applicability to Round5
In the proof in [1], the error polynomial $e_i$ is lifted to $L_q((x - 1) e_i(x)) = (x - 1) e_i(x)$. Hence, even if the coefficients of each $e_i$ are drawn independently, this is no longer true for the coefficients after lifting. Different even coefficients of $(x - 1) f(x)$ do not contain a common coefficient from $f$. Hence, if $\mu < n/2$, we can let $S_\mu$ select $\mu$ even coefficients of a polynomial, and the dependence has been removed. Can we generalize this RLWE result to RLWR?
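The map $L_q$ of the lemma on the previous slide and the independence observation above, as an added example (not code from [1] or from the Round5 submission): it assumes n + 1 = 17 and q = 2^12 so that gcd(n + 1, q) = 1, implements $L_q$, checks that its outputs lie in $S_{n+1,q}$ and that $L_q$ leaves $(1 - x) b$ unchanged, and records which coefficients of $f$ feed each coefficient of $(x - 1) f$. Function names are the example's own.

```python
# Constructed toy: n + 1 = 17 is prime and q = 2^12 is relatively prime to 17,
# the two conditions of [1, Lemma 11] (these sizes are this example's assumptions).
N1 = 17              # n + 1
Q = 2 ** 12


def eval_at_one(a):
    """a(1) = sum of the coefficients."""
    return sum(a)


def L_q(a):
    """L_q(a) = a - (n+1)^{-1} · a(1) · Φ_{n+1}(x) mod q, with Φ_{n+1} = 1 + x + ... + x^n
    (slide 22); a is a length n+1 coefficient list."""
    inv = pow(N1, -1, Q)                     # (n+1)^{-1} mod q exists because gcd(n+1, q) = 1
    shift = (inv * eval_at_one(a)) % Q       # subtracting shift·Φ lowers a(1) by (n+1)·shift ≡ a(1)
    return [(ai - shift) % Q for ai in a]


def in_S(a):
    """Membership in S_{n+1,q}: degree <= n and a(1) ≡ 0 (mod q)."""
    return len(a) == N1 and eval_at_one(a) % Q == 0


def one_minus_x_times(b):
    """<(1 - x)·b>_N for N = x^{n+1} - 1: coefficient k is b_k - b_{k-1 mod n+1}.
    b is an element of Z_q[x]/Φ_{n+1} given by its n coefficients and is padded to n+1."""
    b = list(b) + [0] * (N1 - len(b))
    return [(b[k] - b[k - 1]) % Q for k in range(N1)]   # for k = 0, index -1 wraps to n


def lifted_sample(a, b):
    """(L_q(a), L_q((1 - x) b)) as in the lemma, from an RLWE-style pair (a, b)."""
    return L_q(a), L_q(one_minus_x_times(b))


def support(k):
    """Indices of f that feed coefficient k of (x - 1)·f(x) = sum_k (f_{k-1} - f_k) x^k (slide 23)."""
    return {k - 1, k} if k >= 1 else {0}


def even_coefficients_independent(n=N1 - 1):
    """Distinct even coefficients of (x - 1) f share no coefficient of f,
    whereas adjacent coefficients always share one."""
    evens = range(0, n + 1, 2)
    disjoint = all(support(i).isdisjoint(support(j)) for i in evens for j in evens if i != j)
    adjacent_overlap = all(support(k) & support(k + 1) for k in range(n))
    return disjoint and adjacent_overlap
```

Because $(1 - x) b$ already evaluates to 0 at $x = 1$ (its coefficients telescope), $L_q$ leaves it unchanged, which is why the lemma's lifted error stays $(x - 1) e_i$. support() shows that coefficients $k$ and $k + 2$ of $(x - 1) f$ draw on the disjoint pairs $\{f_{k-1}, f_k\}$ and $\{f_{k+1}, f_{k+2}\}$, whereas neighbouring coefficients share $f_k$; selecting only even coefficients in $S_\mu$ therefore picks independent sums.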
SLIDE 24
Direction to make the proof work for R-LWR
From a discussion with Léo Ducas, we gathered the following possible way forward.
- Compute $b = \lfloor \tfrac{p}{q}\langle as\rangle_N \rfloor$.
- Transmit $\langle \tilde b\rangle_p$, where $\tilde b$ is the closest vector to $b$ in the root lattice $\{(x_0, \dots, x_n) \in \mathbb{Z}^{n+1} \mid \sum_{i=0}^{n} x_i = 0\}$.
- If $a(1) = 0$ or $s(1) = 0$, the noise introduced by transforming $b$ to $\tilde b$ has a root at zero.
- $\tilde b$ can be found in time $O(n \log n)$, see McKilliam, Clarkson, Quinn, "An algorithm to compute the nearest point in the lattice $A_n^*$", arxiv.org, Report 0801.1364, 2008.
SLIDE 25