Wave: A new family of trapdoor preimage sampleable functions

SLIDE 1

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich Introduction Hardness of Syndrome Decoding for Large Weight Our Trapdoor and its Associated Decoder Reaching Uniform Signatures Security Proof Conclusion

Wave: A new family of trapdoor preimage sampleable functions

Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich

Information Security Group, Royal Holloway, University of London, UK

September 18, 2019 London-ish Lattice Meeting

SLIDE 2

Results

  • The first code-based “hash-and-sign” that follows the GPV strategy (Trapdoor Preimage Sampleable functions);
  • Security reduction to two problems (NP-complete) of coding theory:
      • Generic decoding of a linear code;
      • Distinguish between random codes and generalized (U, U + V)-codes.
  • Key size ≈ 3MB, signature size ≈ 13Kb, signing time ≈ 0.1s (non-optimized);
  • Nice feature: uniform signatures through an efficient rejection sampling, one rejection every ≈ 100 signatures.

SLIDE 3

1 Introduction
2 Hardness of Syndrome Decoding for Large Weight
3 Our Trapdoor and its Associated Decoder
4 Reaching Uniform Signatures
5 Security Proof
6 Conclusion

SLIDE 4

Digital signature scheme

Alice: m → [Unsecure channel] → m′ :Bob

Alice wants to assure Bob that:

  • m has not been corrupted (m = m′).
  • m comes from Alice.

→ Idea: add a signature to m

SLIDE 5

Digital signature scheme

Alice first makes the following operations:

  • Generation of (pk, sk).
  • Send pk to everyone.

Alice: (m, σ) → [Unsecure channel] → (m′, σ′) :Bob

  • Sgn: (m, sk) ↦ σ
  • Vrfy: ((m′, σ′), pk) ↦ b ∈ {0, 1}

SLIDE 6

Full Domain Hash Signature

  • Let $f$ be a trapdoor one-way function: $x \mapsto f(x)$ is easy; $f(x) \mapsto x$ is hard, but easy with the trapdoor.
  • To sign $m$ one computes $y = H(m)$ (hash) and $\sigma \in f^{-1}(y)$.
    → It is required to invert $f$ on all vectors (full domain).
  • Verification: $f(\sigma) = H(m)$?

SLIDE 7

... with Bijective Trapdoors OW?

  • Let $f$ be a bijective trapdoor one-way function
  • To sign $m$, compute $\sigma = f^{-1}(H(m))$ ($H$ hash function)

$H(m)$ is uniform (ROM) ⇒ $\sigma$ is uniform too! (no leakage)

Signature schemes DSA, RSA meet this nice feature.

Hard condition to meet in code/lattice-based cryptography...

SLIDE 9

Gentry-Peikert-Vaikuntanathan (GPV) Approach

It is based on trapdoor one-way preimage sampleable functions! A family of trapdoor one-way functions $(f_a)_a$ and a distribution $D$ such that

  • $f_a(x)$ is uniformly distributed when $x \xleftarrow{\$} D$,
  • the algorithm computing $x \leftarrow f_a^{-1}(y)$ with the trapdoor is distributed according to $D$.

$D$ = uniform over words of fixed Hamming weight in our case; Gaussian for lattices.

SLIDE 10

Trapdoor One-way of Wave

Our one-way function will be ($|\cdot|$ denotes the Hamming weight)

$$f_H : \{e \in \mathbb{F}_q^n : |e| = w\} \longrightarrow \mathbb{F}_q^{n-k}, \qquad e \longmapsto He^{\intercal}$$

Inverting $f_H$ amounts to solving the following problem:

Problem (Syndrome Decoding with fixed weight). Given $H \in \mathbb{F}_q^{(n-k)\times n}$, $s \in \mathbb{F}_q^{n-k}$, and an integer $w$, find $e \in \mathbb{F}_q^n$ such that $He^{\intercal} = s^{\intercal}$ and $|e| = w$.

→ Generic problem upon which all code-based cryptography relies
→ Putting a trapdoor on $f_H$ consists in putting a structure on $H$!

Public key: $H_{pk}$
Signature of $H(m)$: $e$ of weight $w$ with $H_{pk}e^{\intercal} = H(m)$.

SLIDE 11

Codes: Basic Definition

A code $C$ is a subspace of $\mathbb{F}_q^n$.

When $C$ is of dimension $k$ it is defined by a parity-check matrix $H \in \mathbb{F}_q^{(n-k)\times n}$ of full rank as:

$$C = \{c \in \mathbb{F}_q^n : Hc^{\intercal} = 0\}$$

SLIDE 12

The Trapdoor(I)

$H_{pk}$: parity-check matrix of a permuted generalized $(U, U+V)$ code:

  • A permutation $P$,
  • Two codes $U$ and $V$ of length $n/2$,
  • Four vectors $a, b, c, d$ in $\mathbb{F}_q^{n/2}$ such that $a_i d_i - b_i c_i \neq 0$ and $a_i c_i \neq 0$.

$$(a \odot U + b \odot V,\ c \odot U + d \odot V)P = \{(a \odot u + b \odot v,\ c \odot u + d \odot v)P : u \in U, v \in V\}$$

with $x \odot y = (x_1 y_1, x_2 y_2, \cdots, x_{n/2} y_{n/2})$.

SLIDE 14

The Trapdoor(II)

Examples of generalized $(U, U+V)$-codes:

  • $(U, U+V) = \{(u, u+v) : u \in U, v \in V\}$;
  • $(U+V, U-V) = \{(u+v, u-v) : u \in U, v \in V\}$;
  • ...
  • More generally, for all $u = (u_1, \cdots, u_{n/2}) \in U$ and $v = (v_1, \cdots, v_{n/2}) \in V$:

$$\bigl(\underbrace{u_1,\ u_2 + v_2,\ \cdots,\ u_{n/2} + v_{n/2}}_{n/2\ \text{symbols}}\ ;\ \underbrace{u_1 + v_1,\ u_2 - v_2,\ \cdots,\ v_{n/2} - u_{n/2}}_{n/2\ \text{symbols}}\bigr)$$

Proposition. Deciding whether a code is a permuted generalized $(U, U+V)$-code or not is NP-complete.

SLIDE 15

Security Reduction

We reduce the security to two problems:

  • Distinguishing between a permuted generalized $(U, U+V)$ code and a random code;
  • Hardness of finding $e$ of weight $w$ s.t. $He^{\intercal} = s^{\intercal}$ (Syndrome Decoding).

(both are NP-complete)

SLIDE 19

Hardness of Decoding

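[Figure: weight axis $w$ (up to $n$) with regions labelled hard, easy, hard; marks $w^-_{\text{easy}}$, $w^+_{\text{easy}}$, $w^-_{UV}$, $w^+_{UV}$; annotations "easy with (U, U + V) trapdoor", "no leakage with (U, U + V) trapdoor" and "Far far away..."]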

SLIDE 22

Prange Step

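Given: $H$ random of size $(n-k) \times n$, rank $n-k$, and $s \in \mathbb{F}_q^{n-k}$;
Find: $e \in \mathbb{F}_q^n$ such that $He^{\intercal} = s^{\intercal}$.

Choose $n-k$ columns and split $H$ and $e$ as: $H = \begin{pmatrix} A & B \end{pmatrix}$ and $e = (e', e'')$, where $B \in \mathbb{F}_q^{(n-k)\times(n-k)}$ is non-singular and $e'' \in \mathbb{F}_q^{n-k}$.

$$He^{\intercal} = s^{\intercal} \iff Ae'^{\intercal} + Be''^{\intercal} = s^{\intercal}$$

$$e''^{\intercal} = B^{-1}\left(s^{\intercal} - Ae'^{\intercal}\right)$$

  • $e' \in \mathbb{F}_q^{k}$ free to choose,
  • $e'' \in \mathbb{F}_q^{n-k}$ uniformly distributed as $s$ is uniform.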

SLIDE 25

Prange Step

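Given: $H$ random of size $(n-k) \times n$, rank $n-k$, and $s \in \mathbb{F}_q^{n-k}$;
Find: $e \in \mathbb{F}_q^n$ such that $He^{\intercal} = s^{\intercal}$.

$e = (e', e'')$: $e'$ = $k$ bits (to choose), $e''$ = $n-k$ bits (function of $e'$)

  • $e''$ follows a uniform law over $\mathbb{F}_q^{n-k}$, therefore $\forall \varepsilon > 0, \exists \alpha > 0$:

$$E(|e''|) = \frac{q-1}{q}(n-k) \ ; \qquad P\left(\left|\,|e''| - \frac{q-1}{q}(n-k)\right| \geq \varepsilon n\right) = e^{-\alpha n}$$

  • We get an error $e = (e', e'')$ such that for some $\beta > 0$:

$$E(|e|) = E(|e'|) + \frac{q-1}{q}(n-k) \ ; \qquad P\left(|e| \geq (1+\varepsilon)\left(E(|e'|) + \frac{q-1}{q}(n-k)\right)\right) = e^{-\beta n}$$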

SLIDE 26

Prange Algorithm

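To reach an error of weight $w$: repeat the Prange Step until getting an error of weight $w$.

$e = (e', e'')$: $e'$ = $k$ bits (to choose), $e''$ = $n-k$ bits (function of $e'$)

  • $e''$ follows a uniform law over $\mathbb{F}_q^{n-k}$
  • Choice over $e'$.

Figure: Complexity (number of calls) to reach some weight $w$

[Figure: weight axis $w$ (up to $n$); regions labelled exponential, polynomial, exponential, with the polynomial region between the marks $\frac{q-1}{q}(n-k)$ and $k + \frac{q-1}{q}(n-k)$]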

SLIDE 27

Exponent of the Prange Algorithm for q = 2

Complexity: $2^{\alpha n}$ where $\alpha$ is a function of $w/n$.

Figure: Exponent vs Relative Weight

$R = \dfrac{\text{dimension of the code}}{\text{length of the code}}$

SLIDE 28

Exponent of the Prange Algorithm for q = 3

Complexity: $2^{\alpha n}$ where $\alpha$ is a function of $w/n$.

Figure: Exponent vs Relative Weight

$R = \dfrac{\text{dimension of the code}}{\text{length of the code}}$

SLIDE 29

Generic Decoding Algorithms

Coding theory has never come up with a polynomial algorithm outside the range $\left[\frac{q-1}{q}(n-k),\ k + \frac{q-1}{q}(n-k)\right]$.

Modern algorithms have decreased the exponent of Prange in the exponential areas of complexity, but have not changed the range of polynomial complexity!

→ Where is the worst case?

SLIDE 31

Worst Case for Generic Decoding Algorithm

When $w = \Theta(n)$, complexity is given by: $2^{c \cdot n(1+o(1))}$ where $c$ depends on $k$, $w$ and $q$.

Key size: $n \times R \times (1-R)$ where $c \times n = 128$ and $R = k/n$.

→ Goal: $\min_{k,w,q}\{n \times R \times (1-R) : n = 128/c\}$

  • Usually: $q = 2$ and $w$ equal to the Gilbert-Varshamov bound (small weight),
  • Recent work [BCDL19]: choose $q = 3$ and large weight.

SLIDE 32

Minimum input sizes (in kbits) for a time complexity of $2^{128}$

Algorithm             q = 2    q = 3 and w/n > 1/2
Prange                275      44
Dumer/Wagner          295      83
BJMM/Our algorithm    374      99

SLIDE 37

Our trapdoor

Our trapdoor consists in generalized $(U, U+V)$-codes. Example:

  • $(U, U+V) = \{(u, u+v) : u \in U, v \in V\}$;
  • $(U+V, U-V) = \{(u+v, u-v) : u \in U, v \in V\}$;
  • More generally, for all $u = (u_1, \cdots, u_{n/2}) \in U$ and $v = (v_1, \cdots, v_{n/2}) \in V$:

$$\bigl(\underbrace{u_1,\ u_2 + v_2,\ \cdots,\ u_{n/2} + v_{n/2}}_{n/2\ \text{bits}}\ ;\ \underbrace{u_1 + v_1,\ u_2 - v_2,\ \cdots,\ v_{n/2} - u_{n/2}}_{n/2\ \text{bits}}\bigr)$$

We will restrict in this talk our study to the case of: $(U, U+V)$-codes; $q = 3$ with $\mathbb{F}_3 = \{-1, 0, 1\}$.

SLIDE 38

(U, U + V )-decoder (I)

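$U$ (resp. $V$) random code of dimension $k_U$ (resp. $k_V$) defined by $H_U$ (resp. $H_V$).

→ The $(U, U+V)$-code is defined by:

$$H = \begin{pmatrix} H_U & 0 \\ -H_V & H_V \end{pmatrix}$$

  • Let $e = (e_U, e_U + e_V)$ ; $s = (s_U, s_V)$

$$He^{\intercal} = s^{\intercal} \iff \begin{cases} H_U e_U^{\intercal} = s_U^{\intercal} \\ H_V e_V^{\intercal} = s_V^{\intercal} \end{cases}$$

→ No gain when decoding independently with the Prange algorithm...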

SLIDE 39

(U, U + V )-decoder (II)

We look for $e = (e_U, e_U + e_V)$ such that: $H_U e_U^{\intercal} = s_U^{\intercal}$ ; $H_V e_V^{\intercal} = s_V^{\intercal}$

→ We use the Prange algorithm!

Polar code strategy:
(i) firstly to decode in $V$ to get $e_V$;
(ii) then to decode in $U$ to get $e_U$ using the knowledge of $e_V$.

We have the freedom to choose:

  • $k_V$ (dimension of $V$) symbols of $e_V$;
  • $k_U$ (dimension of $U$) symbols of $e_U$.

SLIDE 40

(U, U + V )-decoder (III)

We get a final error $e = (e_U, e_U + e_V) \in \mathbb{F}_3^n$ of shape:

[Figure: block layout of $e_V$ and of $e$, with blocks labelled $e'_U$, $e''_U$, $e'_U$, $e''_U + e''_V$ and $e''_V$]

To reach an error of minimum weight:

  • Put as many 0’s as possible in $e'_U(i)$ (they are doubled in $e$).

To reach an error of maximum weight:

  • Choose $k_U$ symbols $e_U(i)$ such that: $e_U(i) \neq 0$ and $e_U(i) + e_V(i) \neq 0$
    → Possible as $q = 3$, and does not depend on $e_V(i)$!
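
The Prange step and the (U, U + V)-decoder from the slides above, as an added Python example (not code from the talk or from the Wave authors). The toy sizes, the systematic form [R | I] of the sample matrices and all function names are assumptions; $\mathbb{F}_3$ is represented as {0, 1, 2} instead of {−1, 0, 1}, and only the maximum-weight choice for $e_U$ is shown.

```python
import random

Q = 3  # the talk restricts to F_3; elements are represented here as 0, 1, 2


def solve_mod_q(B, rhs, q=Q):
    """Solve B x = rhs over F_q by Gauss-Jordan; None when B is singular."""
    m = len(B)
    M = [[v % q for v in row] + [r % q] for row, r in zip(B, rhs)]
    for col in range(m):
        piv = next((r for r in range(col, m) if M[r][col]), None)
        if piv is None:
            return None
        M[col], M[piv] = M[piv], M[col]
        inv = pow(M[col][col], -1, q)
        M[col] = [(v * inv) % q for v in M[col]]
        for r in range(m):
            if r != col and M[r][col]:
                f = M[r][col]
                M[r] = [(a - f * b) % q for a, b in zip(M[r], M[col])]
    return [row[m] for row in M]


def prange_step(H, s, free, q=Q):
    """One Prange step. `free` maps the k chosen positions to their values (e');
    the other n-k positions (e'') are solved from B e''^T = s^T - A e'^T."""
    r, n = len(H), len(H[0])
    rest = [j for j in range(n) if j not in free]
    rhs = [(s[i] - sum(H[i][j] * v for j, v in free.items())) % q for i in range(r)]
    sol = solve_mod_q([[H[i][j] for j in rest] for i in range(r)], rhs, q)
    if sol is None:
        return None  # B singular for this split: the caller picks another one
    e = [0] * n
    for j, v in free.items():
        e[j] = v % q
    for j, v in zip(rest, sol):
        e[j] = v
    return e


def syndrome(H, e, q=Q):
    return [sum(h * x for h, x in zip(row, e)) % q for row in H]


def weight(e):
    return sum(1 for x in e if x)


def uv_parity_check(HU, HV):
    """H = [[HU, 0], [-HV, HV]] for the (U, U + V)-code."""
    half = len(HU[0])
    return ([row + [0] * half for row in HU]
            + [[(-v) % Q for v in row] + row for row in HV])


def uv_decode_max_weight(HU, HV, sU, sV, rng):
    """(i) Prange in V, then (ii) Prange in U knowing e_V, aiming at large weight."""
    half = len(HU[0])
    kU, kV = half - len(HU), half - len(HV)
    while True:
        eV = prange_step(HV, sV, {j: rng.randrange(Q) for j in rng.sample(range(half), kV)})
        if eV is None:
            continue
        # On kU positions force e_U(i) != 0 and e_U(i) + e_V(i) != 0.
        # Over F_3 a valid value exists whatever e_V(i) is.
        freeU = {j: rng.choice([x for x in (1, 2) if (x + eV[j]) % Q])
                 for j in rng.sample(range(half), kU)}
        eU = prange_step(HU, sU, freeU)
        if eU is not None:
            return eU + [(a + b) % Q for a, b in zip(eU, eV)]


def random_full_rank(r, n, rng):
    """Constructed sample input: [R | I_r] is a full-rank r x n matrix."""
    return [[rng.randrange(Q) for _ in range(n - r)] + [int(i == j) for j in range(r)]
            for i in range(r)]


def demo(seed=1, half=8, kU=5, kV=3):
    rng = random.Random(seed)
    HU = random_full_rank(half - kU, half, rng)
    HV = random_full_rank(half - kV, half, rng)
    sU = [rng.randrange(Q) for _ in HU]
    sV = [rng.randrange(Q) for _ in HV]
    e = uv_decode_max_weight(HU, HV, sU, sV, rng)
    return uv_parity_check(HU, HV), sU + sV, e, kU


if __name__ == "__main__":
    H, s, e, kU = demo()
    print("e =", e, "weight =", weight(e), "syndrome ok =", syndrome(H, e) == s)
```

The kU forced positions are non-zero in both halves of e, so the returned weight is at least 2·kU without any repetition of the Prange step.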

SLIDE 41

Relative Distances of Signature

SLIDE 43

Achieving the Uniform Distribution(I)

Let $e^{\text{sgn}} \triangleq (e_U, e_U + e_V)$ (resp. $e^{\text{unif}} \triangleq (e_1, e_2)$) be a signature (resp. be a uniform word of weight $w$).

We would like: $e^{\text{sgn}} \sim e^{\text{unif}}$

We remark: $e_U \sim e_1$ and $e_V \sim e_2 - e_1$

But here, $e_V = \text{Prange}(H_V, s_V)$

In a first approximation we would like: $E(|e_V|) = E(|e_2 - e_1|)$

→ How to adjust $E(|e_V|)$ with the Prange algorithm?

SLIDE 44

Achieving the Uniform Distribution(II)

  • We look for $E(|e_V|) = E(|e_2 - e_1|)$ where $e^{\text{unif}} \triangleq (e_1, e_2)$

$e_V = (e'_V, e''_V)$: $e'_V$ = $k_V$ bits, $e''_V$ = $n/2 - k_V$ bits

  • $e''_V$ follows a uniform law over $\mathbb{F}_3^{n/2 - k_V}$: $E(|e''_V|) = \frac{2}{3}(n/2 - k_V)$
  • $e'_V$ such that: $E(|e'_V|) = (1-\alpha)k_V$ with a fixed $\alpha$.

→ Choose $k_V$ such that: $(1-\alpha)k_V + \frac{2}{3}(n/2 - k_V) = E(|e_2 - e_1|)$

SLIDE 45

Prange vs Uniform Distribution for V

$$P(\text{accept}) = \min_j \frac{P(|e_V| = j)}{P(|e_2 - e_1| = j)}$$

SLIDE 47

Achieving the Uniform Distribution(III)

$e_V = (e'_V, e''_V)$: $e'_V$ = $k_V$ bits, $e''_V$ = $n/2 - k_V$ bits

  • $e''_V$ follows a uniform law: its variance is fixed
  • Choose $e'_V$ such that: $E(|e'_V|) = (1-\alpha)k_V$ and high variance!

SLIDE 48

Prange vs Uniform Distribution for V

Now we can sometimes reject some outputs of the Prange algorithm!

SLIDE 50

Achieving the Uniform Distribution(IV)

By making a rejection sampling on $|e_V|$: “accept $|e_V| = i$” with probability:

$$\frac{1}{M}\,\frac{P(|e_2 - e_1| = i)}{P(|e_V| = i)} \quad\text{with}\quad M \triangleq \max_j \frac{P(|e_2 - e_1| = j)}{P(|e_V| = j)}$$

→ This ensures $|e_V| \sim |e_1 - e_2|$    (1)

Distribution of the Prange algorithm is only a function of the weight:

$$P\bigl(\text{Prange}(\cdot) = e \;\big|\; |\text{Prange}(\cdot)| = |e|\bigr) = \frac{1}{\#\{x : |x| = |e|\}}$$

→ Combined with (1) it gives: $e_V \sim e_2 - e_1$
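
The rejection sampling on $|e_V|$ worked through with exact fractions, as an added Python example (not code from the talk or from the Wave authors). The toy parameters n/2 = 3, w = 5, k_V = 1 and the law chosen for $|e'_V|$ are constructed, and the function names are assumptions; it checks that the accepted weights follow the law of $|e_2 - e_1|$ and that a draw is accepted with probability 1/M.

```python
from fractions import Fraction
from itertools import product
from math import comb


def weight_law_uniform(m, q=3):
    """Law of |x| for x uniform over F_q^m, i.e. Binomial(m, (q-1)/q)."""
    p = Fraction(q - 1, q)
    return {i: comb(m, i) * p**i * (1 - p)**(m - i) for i in range(m + 1)}


def convolve(a, b):
    """Law of the sum of two independent weights."""
    out = {}
    for i, pa in a.items():
        for j, pb in b.items():
            out[i + j] = out.get(i + j, 0) + pa * pb
    return out


def target_law(half, w, q=3):
    """Law of |e2 - e1| for (e1, e2) uniform among the words of F_q^(2*half)
    of weight w, by exhaustive enumeration (toy sizes only)."""
    counts, total = {}, 0
    for e in product(range(q), repeat=2 * half):
        if sum(1 for x in e if x) != w:
            continue
        d = sum(1 for a, b in zip(e[:half], e[half:]) if (b - a) % q)
        counts[d] = counts.get(d, 0) + 1
        total += 1
    return {i: Fraction(c, total) for i, c in counts.items()}


def rejection_table(proposal, target):
    """accept(i) = (1/M) * target(i) / proposal(i), with
    M = max_j target(j) / proposal(j)."""
    missing = [i for i, t in target.items() if t and not proposal.get(i)]
    if missing:
        # The decoder never outputs these weights, so no rejection rule can fix it.
        raise ValueError(f"proposal has no mass on weights {missing}")
    M = max(target[j] / proposal[j] for j in target if target[j])
    accept = {i: target.get(i, Fraction(0)) / (M * p)
              for i, p in proposal.items() if p}
    return accept, M


def accepted_law(proposal, accept):
    """Law of the weight after rejection, and the overall acceptance probability."""
    mass = {i: proposal[i] * a for i, a in accept.items()}
    total = sum(mass.values())
    return {i: m / total for i, m in mass.items() if m}, total


def toy_example():
    half, w, kV = 3, 5, 1
    # Constructed law of |e'_V| on the kV symbols chosen by the signer.
    e_prime = {0: Fraction(1, 4), 1: Fraction(3, 4)}
    # |e_V| = |e'_V| + |e''_V| with e''_V uniform over F_3^(half - kV).
    proposal = convolve(e_prime, weight_law_uniform(half - kV))
    target = target_law(half, w)
    accept, M = rejection_table(proposal, target)
    accepted, p_accept = accepted_law(proposal, accept)
    return target, accepted, p_accept, M


if __name__ == "__main__":
    target, accepted, p_accept, M = toy_example()
    print("target  :", target)
    print("accepted:", accepted)
    print("P(accept) =", p_accept, " M =", M)
```

Matching the weight law is enough because, as the slide states, the Prange output is uniform among words of a given weight.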

SLIDE 51

Achieving the Uniform Distribution(V)

To end, rejection sampling on $|e_U|$ which gives:

Distribution of signatures = Uniform over words of weight $w$

→ Impossible attack with the knowledge of signatures!

With our parameters: P(a reject) ≈ 0.01

SLIDE 52

Relative Distance with No Leakage

SLIDE 54

Security Model: a Strong One

Any adversary can have access to:

  • $q_{\text{sign}}$ signatures (m, σ) of its choice;
  • $q_{\text{hash}}$ hash results H(m).

→ His goal: produce one signature he did not request!

SLIDE 55

The Decoding Problem

Problem (DOOM − Decoding One Out of Many)
Instance: $H$ ; $s_1, \cdots, s_N$ ; $w$
Output: $(e, i)$ with $|e| = w$ such that $He^{\intercal} = s_i^{\intercal}$

Computational success in time $t$ of breaking DOOM:

$$\text{Succ}^{N}_{\text{DOOM}}(t) = \max_{|A| \leq t} \left\{ \text{Succ}^{N}_{\text{DOOM}}(A) \right\}$$

where $\text{Succ}^{N}_{\text{DOOM}}(A)$ is the probability for $A$ to break DOOM.

SLIDE 56

Security Reduction

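  • $\rho(D_0, D_1)$: statistical distance between $D_0$ and $D_1$;
  • $\rho_c(D_0, D_1)(t) = \max_{|A| \leq t} \{P(A(D_0) = 0) - P(A(D_1) = 0)\}$

Theorem (Security Reduction). When $H$ is a random function, we have for all time $t$:

$$\text{Security}_{\text{Wave}}(t, q_{\text{hash}}, q_{\text{sign}}) \leq 2\,\text{Succ}^{q_{\text{hash}}}_{\text{DOOM}}(t_c) + \rho_c(\text{Random Code}, \text{Permuted Gen. } (U, U+V)\text{-code})(t_c) + q_{\text{sign}}\,\rho(\text{Signature}, \text{Uniform}_w) + \frac{1}{2} q_{\text{hash}} \bullet \rho(H_{pk} e_w^{\intercal}, s^{\intercal}_{\text{unif}})$$

where $t_c = t + O(q_{\text{hash}} \cdot n^2)$.

  • $\rho(H_{pk} e_w^{\intercal}, s^{\intercal}_{\text{unif}})$ = negligible() (left-over hash lemma)
  • $\rho(\text{Signature}, \text{Uniform}_w) = 0$ (rejection sampling)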

SLIDE 59

Conclusion

  • The first code-based “hash-and-sign” based on NP-complete problems that strictly follows the GPV strategy;

Ongoing Work:

  • We generalized decoding algorithms in $\mathbb{F}_3$ for high weights;
  • Best algorithms to distinguish $(U, U+V)$-codes and random codes: decoding algorithms;
  • Hope to remove the rejection sampling
    → Many degrees of freedom in the Prange algorithm!

Thank You!
