Improvement and Efficient Implementation of a Lattice-based Signature scheme

Size: px

Start display at page:

Download "Improvement and Efficient Implementation of a Lattice-based Signature scheme"

Sara Eaton
5 years ago
Views:

1 Improvement and Efficient Implementation of a Lattice-based Signature scheme, Johannes Buchmann Technische Universität Darmstadt TU Darmstadt August 2013 Lattice-based Signatures1

2 Outline Introduction to Lattice-based Crypto Lattice-based Hash Function Lattice-based Signature Scheme Contributions Experimental Resaults Lattice-based Signatures2

3 Introduction A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R n : L = n b i Z = {Bx : x Z n } R n i=1 A lattice has infinitely many bases: L = n c i Z i=1 Definition (Lattices) A discrete additive subgroup of R n Lattice-based Signatures3

4 Introduction A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R n : L = n b i Z = {Bx : x Z n } R n i=1 A lattice has infinitely many bases: L = n c i Z i=1 Definition (Lattices) A discrete additive subgroup of R n Lattice-based Signatures3

5 Introduction A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = {b 1,..., b n } R n : L = n b i Z = {Bx : x Z n } R n i=1 A lattice has infinitely many bases: L = n c i Z i=1 Definition (Lattices) A discrete additive subgroup of R n Lattice-based Signatures3

6 Introduction The shortest vector v in a lattice: lattice point with minimum distance λ 1 = v to the origin λ 1 (L) = min x x 0, x L More generally, λ k denotes the smallest radius of a ball containing k linearly independent vectors Lattice-based Signatures4

7 Introduction The shortest vector v in a lattice: lattice point with minimum distance λ 1 = v to the origin λ 1 (L) = min x x 0, x L More generally, λ k denotes the smallest radius of a ball containing k linearly independent vectors Lattice-based Signatures4

8 Computational Problems Definition (Shortest Vector Problem) Given a basis B = {b 1,..., b n }, find the shortest nonzero vector v in the lattice L(B), i.e. v = λ 1 Lattice-based Signatures5

9 Computational Problems Definition (Shortest Vector Problem) Given a basis B = {b 1,..., b n }, find the shortest nonzero vector v in the lattice L(B), i.e. v = λ 1 Lattice-based Signatures5

10 Computational Problems Definition (Shortest Vector Problem) Given a basis B = {b 1,..., b n }, find the shortest nonzero vector v in the lattice L(B), i.e. v = λ 1 Lattice-based Signatures5

11 Hash function Lattice-based hash function [Ajtai96]: f A (x) = A x mod q Input parameters: q Z (e.g ) Choose A Z n m q uniformly at random, n (e.g. n=256) is main security parameter m > n log 2 q x is from a bounded domain, e.g. x {0, 1} n Lattice-based Signatures6

12 Hash function Lattice-based hash function [Ajtai96]: f A (x) = A x mod q Input parameters: q Z (e.g ) Choose A Z n m q uniformly at random, n (e.g. n=256) is main security parameter m > n log 2 q x is from a bounded domain, e.g. x {0, 1} n Lattice-based Signatures6

13 Hash function Lattice-based hash function [Ajtai96]: f A (x) = A x mod q Input parameters: q Z (e.g ) Choose A Z n m q uniformly at random, n (e.g. n=256) is main security parameter m > n log 2 q x is from a bounded domain, e.g. x {0, 1} n Lattice-based Signatures6

14 Hash function Lattice-based hash function [Ajtai96]: f A (x) = A x mod q Input parameters: q Z (e.g ) Choose A Z n m q uniformly at random, n (e.g. n=256) is main security parameter m > n log 2 q x is from a bounded domain, e.g. x {0, 1} n Lattice-based Signatures6

15 Hash Function f A (x) = A x mod q: is a compression function maps m bits to n log 2 q bits inversion and finding collisions as hard as worst-case lattice problems Lattice-based Signatures7

16 Hash Function Hardness of finding collisions Finding collisions in the average case, where A is chosen at random, is hard, provided approximating SIVP is hard in the worst-case Lattice-based Signatures8

17 From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A Zq n m and trapdoor R, RO H( ), PSTF: f A (x) = A x mod q Signing of message m: signature σ = f 1 A (H(m)) using trapdoor R. Verification: σ bound and f A (σ) = H(m) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Lattice-based Signatures9

18 From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A Zq n m and trapdoor R, RO H( ), PSTF: f A (x) = A x mod q Signing of message m: signature σ = f 1 A (H(m)) using trapdoor R. Verification: σ bound and f A (σ) = H(m) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Lattice-based Signatures9

19 From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A Zq n m and trapdoor R, RO H( ), PSTF: f A (x) = A x mod q Signing of message m: signature σ = f 1 A (H(m)) using trapdoor R. Verification: σ bound and f A (σ) = H(m) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Lattice-based Signatures9

20 From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A Zq n m and trapdoor R, RO H( ), PSTF: f A (x) = A x mod q Signing of message m: signature σ = f 1 A (H(m)) using trapdoor R. Verification: σ bound and f A (σ) = H(m) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Lattice-based Signatures9

21 From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A Zq n m and trapdoor R, RO H( ), PSTF: f A (x) = A x mod q Signing of message m: signature σ = f 1 A (H(m)) using trapdoor R. Verification: σ bound and f A (σ) = H(m) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Lattice-based Signatures9

22 From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A Zq n m and trapdoor R, RO H( ), PSTF: f A (x) = A x mod q Signing of message m: signature σ = f 1 A (H(m)) using trapdoor R. Verification: σ bound and f A (σ) = H(m) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Lattice-based Signatures9

23 From Hash Hunctions to a Signature Scheme Main challenge: How to generate random Matrix A, enabling the signer to sign messages? Solution: Use the trapdoor R to generate a random matrix A. Lattice-based Signatures10

24 From Hash Functions to a Signature Scheme Construction of A according to Micciancio an Peikert [MP12]: Parameters: A = [ Ā G ĀR ] Ā Z n n q is uniformly dist. R Z n nk is the secret/trapdoor (small entries) A is pseudorandom (comp. instantiation) Lattice-based Signatures11

25 From Hash Functions to a Signature Scheme Implementation issues: q = 2 k more suitable for practice entries of R are sampled from a discrete Gaussian k 1 0 G = k 1 Lattice-based Signatures12

26 From Hash Functions to a Signature Scheme Implementation issues: q = 2 k more suitable for practice entries of R are sampled from a discrete Gaussian k 1 0 G = k 1 Lattice-based Signatures12

27 From Hash Functions to a Signature Scheme Implementation issues: q = 2 k more suitable for practice entries of R are sampled from a discrete Gaussian k 1 0 G = k 1 Lattice-based Signatures12

28 From Hash Functions to a Signature Scheme How to compute signature f 1 u 2 (u), u =. Zn q: u n Sample x Z nk according to the discrete Gaussian distribution s.th. G x = u mod q [ ] R Then signature σ = x is a preimage of u I Proof: A σ = [ Ā G ĀR ] u 1 [ ] R x = I ĀR x + (G ĀR) x = G x = u Lattice-based Signatures13

29 From Hash Functions to a Signature Scheme How to compute signature f 1 u 2 (u), u =. Zn q: u n Sample x Z nk according to the discrete Gaussian distribution s.th. G x = u mod q [ ] R Then signature σ = x is a preimage of u I Proof: A σ = [ Ā G ĀR ] u 1 [ ] R x = I ĀR x + (G ĀR) x = G x = u Lattice-based Signatures13

30 From Hash Functions to a Signature Scheme How to compute signature f 1 u 2 (u), u =. Zn q: u n Sample x Z nk according to the discrete Gaussian distribution s.th. G x = u mod q [ ] R Then signature σ = x is a preimage of u I Proof: A σ = [ Ā G ĀR ] u 1 [ ] R x = I ĀR x + (G ĀR) x = G x = u Lattice-based Signatures13

31 From Hash Hunctions to a Signature Scheme Problem: Distribution of σ is skewed Leaks information about the trapdoor Need for spherically distributed signatures Lattice-based Signatures14

32 Signature Scheme Solution: Add perturbations p to correct distribution of signature Sample perturbations p with covariance matrix [ ] C = s 2 I r 2 RR R and perturbation matrix C R I Compute perturbed syndrome v = H(m) Ap = u Ap Sample x such that Gx = v [ ] R Signatures: σ = x + p I Distribution of signatures independent from secret key Lattice-based Signatures15

33 Contributions Implementation and Improvements: Construction of the ring variant for more efficiency and practicality Space improvement of perturbation matrix used to sample preimages Runtime improvement of Keygen and Signing due to improved perturbation matrix (sparse) and ring variant Implementation of the signature scheme (ring and matrix variant) Lattice-based Signatures16

34 Contributions Implementation and Improvements: Construction of the ring variant for more efficiency and practicality Space improvement of perturbation matrix used to sample preimages Runtime improvement of Keygen and Signing due to improved perturbation matrix (sparse) and ring variant Implementation of the signature scheme (ring and matrix variant) Lattice-based Signatures16

35 Contributions Implementation and Improvements: Construction of the ring variant for more efficiency and practicality Space improvement of perturbation matrix used to sample preimages Runtime improvement of Keygen and Signing due to improved perturbation matrix (sparse) and ring variant Implementation of the signature scheme (ring and matrix variant) Lattice-based Signatures16

36 Contributions Implementation and Improvements: Construction of the ring variant for more efficiency and practicality Space improvement of perturbation matrix used to sample preimages Runtime improvement of Keygen and Signing due to improved perturbation matrix (sparse) and ring variant Implementation of the signature scheme (ring and matrix variant) Lattice-based Signatures16

37 Contributions Ring variant: Consider the Ring R q = Z q [X ]/x n + 1 for n = 2 d and q = 2 k Choose a polynomial a uniformly at random from R q Draw k Ring-LWE-samples ar i + e i Furthermore, consider the primitive vector of polynomials g = [1,..., 2 k 1 ] The public key is A = [1, a, g 1 (ar 1 + e 1 ),..., g k (ar k + e k )] Lattice-based Signatures17

38 Contributions A = [1, a, g 1 (ar 1 + e 1 ),..., g k (ar k + e k )] A primitive matrix of polynomials G is explicitly not required [a, ar 1 + e 1,..., ar k + e k ] is pseudorandom Sampling preimages slightly differs from the matrix variant Lattice-based Signatures18

39 Contributions How to sample x R k 1 q such that g x = k 1 Consider matrix expansion of g : i=0 G = [I n 2I n... 2 k 1 I n ] There exists permutation matrix P s.th. G = G P = G from matrix variant k i x i = u R q k 1 P Lattice-based Signatures19

40 Contributions How to sample x R k 1 q We have Thus, sample x s.th. G x = u such that g x = u R q x 1 G... = u x k 1 x = P x is a preimage for G since G x = G PP x = Gx = u If x spherically distributed, then so x. Lattice-based Signatures20

41 Contributions How to sign a message m: Sample perturbation polynomials p = [p 1,..., p k+2 ] Compute perturbed syndrome v = H(m) A p Sample x R k s.th. g x = v Signature is σ = p + [ex, rx, r 1 x 1,..., r k x k ] Signature is spherically distributed Lattice-based Signatures21

42 Experimental results Running times for ring (polynomials) and matrix version Lattice-based Signatures22

43 Experimental results Sizes for ring (polynomials) and matrix version Lattice-based Signatures23

44 Thanks for your attention! Lattice-based Signatures24

Introduction to the Lattice Crypto Day

MAYA Introduction to the Lattice Crypto Day Phong Nguyễn http://www.di.ens.fr/~pnguyen May 2010 Summary History of Lattice-based Crypto Background on Lattices Lattice-based Crypto vs. Classical PKC Program