A Framework for Cryptographic Problems from Linear Algebra
Carl Bootland, Wouter Castryck, Alan Szepieniec and Frederik Vercauteren
Dept. of Electrical Engineering, COSIC, KU Leuven
NutMiC, Paris, June 25, 2019
Post-Quantum Cryptography Standardization Process
Aim: “to solicit, evaluate, and standardize one or more quantum-resistant public-key cryptographic algorithms.”
Post-Quantum Cryptography Standardization Process

Round 1 submission categorization
                 Signature   KEM/Encryption   Total
Lattice Based        5            21           26
Code Based           2            17           19
Multi-variate        7             2            9
Hash based           3             0            3
Other                2             5            7

Round 2 candidates (announced January 30, 2019)
                 Signature   KEM/Encryption   Total
Lattice Based        3             8           11
Code Based           0             7            7
Multi-variate        4             0            4
Hash based           1             0            1
Other                1             2            3
Learning with errors (LWE)
Problem: Solve a system of random ‘noisy’ linear equations

$$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_i \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} a_{1,1} & a_{1,2} & \cdots & a_{1,n} \\ a_{2,1} & a_{2,2} & \cdots & a_{2,n} \\ \vdots & \vdots & & \vdots \\ a_{i,1} & a_{i,2} & \cdots & a_{i,n} \\ \vdots & \vdots & & \vdots \\ a_{m,1} & a_{m,2} & \cdots & a_{m,n} \end{pmatrix} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_i \\ \vdots \\ e_m \end{pmatrix} \bmod q$$

◮ $e_i$ small ‘errors’
◮ uniformly random $a_{i,j}$
Leads to schemes with large key sizes
Ring-LWE (informally)
Problem: Solve a system of structured ‘noisy’ linear equations

$$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_i \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} A_1 \\ \vdots \\ A_{m/n} \end{pmatrix} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_i \\ \vdots \\ e_m \end{pmatrix} \bmod q$$

◮ $A_i$ independent structured $n \times n$ matrices
◮ e.g. anti-circulant
Module-LWE (informally)
Problem: Solve a system of structured ‘noisy’ linear equations

$$\begin{pmatrix} b_1 \\ b_2 \\ \vdots \\ b_i \\ \vdots \\ b_m \end{pmatrix} = \begin{pmatrix} A_{1,1} & \cdots & A_{1,r} \\ \vdots & & \vdots \\ A_{mr/n,1} & \cdots & A_{mr/n,r} \end{pmatrix} \begin{pmatrix} s_1 \\ s_2 \\ \vdots \\ s_n \end{pmatrix} + \begin{pmatrix} e_1 \\ e_2 \\ \vdots \\ e_i \\ \vdots \\ e_m \end{pmatrix} \bmod q$$

◮ $A_{i,j}$ independent structured $n/r \times n/r$ matrices
◮ $r$ is the rank of the module
The Ring in Ring-LWE
◮ Identify the vector space $\mathbb{Z}_q^n$ with the ring $R_q := \mathbb{Z}_q[x]/(f(x))$
  ◮ $f(x)$ monic of degree $n$
  ◮ $(s_1, s_2, \ldots, s_n)^T \leftrightarrow s(x) = s_1 + s_2 x + \cdots + s_n x^{n-1}$
◮ $A_i$ are matrices of multiplication by $a_i(x) \in R_q$
◮ Anti-circulant matrices $\Longleftrightarrow f(x) = x^n + 1$
◮ We don’t need $q$ to be prime
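The correspondence on this slide, “$A_i$ is the matrix of multiplication by $a_i(x)$, anti-circulant exactly when $f(x) = x^n + 1$”, made concrete in an added Python example (not code from the slides or from any submission). It builds the multiplication matrix of $a(x)$ in $\mathbb{Z}_q[x]/(x^n + 1)$, checks that each row is the previous row rotated with the wrapped entry negated, and checks that a Ring-LWE sample $b = a s + e$ computed with polynomials equals the LWE matrix form $b = A s + e \bmod q$. The parameters and the bounded-uniform error sampler are constructed for illustration; real schemes draw $e$ from their own distribution $\chi$.

```python
import secrets

def poly_mul_negacyclic(a, s, n, q):
    """a(x) * s(x) in Z_q[x]/(x^n + 1): schoolbook product with x^n replaced by -1."""
    res = [0] * n
    for i, ai in enumerate(a):
        for j, sj in enumerate(s):
            k = i + j
            if k < n:
                res[k] = (res[k] + ai * sj) % q
            else:
                res[k - n] = (res[k - n] - ai * sj) % q   # x^(k) = -x^(k-n)
    return res

def mult_matrix(a, n, q):
    """The n x n matrix A of the Z_q-linear map s -> a*s on coefficient vectors.
    Column j is the coefficient vector of a(x) * x^j, so (A s)_i is the x^i coefficient of a*s."""
    cols = []
    for j in range(n):
        x_j = [0] * n
        x_j[j] = 1
        cols.append(poly_mul_negacyclic(a, x_j, n, q))
    return [[cols[j][i] for j in range(n)] for i in range(n)]

def is_anticirculant(A, q):
    """Row i is row i-1 rotated one step right, with the wrapped-around entry negated mod q."""
    n = len(A)
    return all(A[i] == [(-A[i - 1][-1]) % q] + A[i - 1][:-1] for i in range(1, n))

def matvec(A, s, q):
    return [sum(A[i][j] * s[j] for j in range(len(s))) % q for i in range(len(A))]

def ring_lwe_sample(s, n, q, bound):
    """One Ring-LWE sample (a, b) with b = a*s + e mod (x^n + 1, q).
    Constructed sampler: uniform a, e with coefficients uniform in [-bound, bound]."""
    a = [secrets.randbelow(q) for _ in range(n)]
    e = [secrets.randbelow(2 * bound + 1) - bound for _ in range(n)]
    b = [(c + d) % q for c, d in zip(poly_mul_negacyclic(a, s, n, q), e)]
    return a, b, e

def matrix_form_matches(a, s, e, b, n, q):
    """Polynomial form b = a*s + e agrees with the matrix form b = A s + e mod q, A anti-circulant."""
    A = mult_matrix(a, n, q)
    lhs = [(c + d) % q for c, d in zip(matvec(A, s, q), e)]
    return lhs == b and is_anticirculant(A, q)

if __name__ == "__main__":
    n, q = 8, 257                                      # toy parameters, constructed
    s = [secrets.randbelow(3) - 1 for _ in range(n)]   # small secret with coefficients in {-1, 0, 1}
    a, b, e = ring_lwe_sample(s, n, q, bound=2)
    print("anti-circulant and consistent with the matrix form:", matrix_form_matches(a, s, e, b, n, q))
```

With $n = 4$, $q = 17$ and $a(x) = 1 + 2x + 3x^2 + 4x^3$, the first row of $A$ is $(1, -4, -3, -2) \bmod 17$: the wrapped coefficients appear negated, which is the anti-circulant structure the slide refers to.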
Ring-LWE (more formally)
Ring-LWE search problem:
◮ $f(x)$ irreducible
◮ Samples $(a_i(x), b_i(x)) \in R_q \times R_q$ with $b_i(x) = a_i(x) s(x) + e_i(x)$
  ◮ uniformly random $a_i(x)$
  ◮ uniformly random $s(x)$
  ◮ $e_i(x) \leftarrow \chi$ (distribution of small elements)
◮ recover $s(x)$
◮ Called Poly-LWE when $s(x) \leftarrow R_q$
Interesting Submissions to the NIST Competition
Three submissions use problems which look very much like LWE but use large integer arithmetic:
◮ Mersenne-756839
◮ Ramstake
◮ Three Bears
Mersenne-756839 and Ramstake:
◮ Mersenne Low Hamming Combination (MLHC)
Three Bears:
◮ module version of Integer-RLWE
The Mersenne Low Hamming Combination Search Problem
◮ $p = 2^n - 1$ a Mersenne prime
  $\mathbb{Z}_p \leftrightarrow \{\text{bit strings of length } n\} \setminus \{11\ldots1\}$
Problem:
◮ Samples $(a_i, b_i) \in \mathbb{Z}_p \times \mathbb{Z}_p$ with $b_i = a_i s + e_i$
  ◮ $a_i$ uniformly random
  ◮ $s, e_i$ of Hamming weight $h \ll n$
◮ determine $s$
Integer-RLWE: $p = 2^n - 1 \;\rightarrow\; p = q^n + 1$
Unifying the MLHC and Poly-LWE problems
Similar problems, different rings
Small elements
◮ Poly-LWE
  ◮ $e(x) = e_1 + e_2 x + \cdots + e_n x^{n-1}$
  ◮ $(e_1, \ldots, e_n)$ a short vector (e.g. from a spherical Gaussian)
◮ MLHC
  ◮ $e = e_1 + e_2 \cdot 2 + \cdots + e_n 2^{n-1}$
  ◮ $(e_1, \ldots, e_n)$ a short vector (Hamming weight $h$)
◮ Important point: the coefficient vector is short
◮ Difference in expansion:
  ◮ Poly-LWE: use the explicit base $x$
  ◮ MLHC: use the implicit base 2
Unifying the MLHC and Poly-LWE problems
Since $p = 2^n - 1$, rewrite $\mathbb{Z}_p$ as $\mathbb{Z}[x]/(x^n - 1, x - 2)$ and $R_q$ as $\mathbb{Z}[x]/(f(x), q)$.
View $\mathbb{Z}_p$ as $R_q$ with
◮ $f(x) = x^n - 1$
◮ $q$ replaced by $x - 2$
Three Bears
Use a Solinas prime $p = 2^{3120} - 2^{1560} - 1$, hence
$$\mathbb{Z}_p \cong \mathbb{Z}[x]/(x^{312} - x^{156} - 1,\; x - 2^{10})$$
View $\mathbb{Z}_p$ as $R_q$ with
◮ $f(x) = x^{312} - x^{156} - 1$
◮ $q$ replaced by $x - 2^{10}$
Three Bears
Use a Solinas prime $p = f(b)$, hence
$$\mathbb{Z}_p \cong \mathbb{Z}[x]/(f(x),\; x - b)$$
View $\mathbb{Z}_p$ as $R_q$ with
◮ $f(x)$ of low degree with small coefficients
◮ $q$ replaced by $x - b$
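The isomorphism $\mathbb{Z}[x]/(f(x), x - b) \cong \mathbb{Z}_p$ with $p = f(b)$, used on the two preceding slides for the Mersenne ring ($f = x^n - 1$, $b = 2$) and for Three Bears ($f = x^{312} - x^{156} - 1$, $b = 2^{10}$), checked in an added Python example (not code from the slides or from either submission). An integer is written in base $b$ to get its coefficient vector (the “implicit base” of the MLHC slide), two such vectors are multiplied in $\mathbb{Z}[x]/(f(x))$ with no carries, and only then is the result reduced modulo $x - b$ by evaluating at $x = b$; it must agree with the integer product modulo $p$. The example covers arbitrary monic $f$ and base $b$, which is the general form of the slide. The Mersenne instance uses $n = 31$ so that $p = 2^{31} - 1$ is prime; the sample operands are constructed.

```python
def eval_int(poly, b):
    """poly(b) as an exact integer; coefficient lists are low degree first (Horner's rule)."""
    acc = 0
    for c in reversed(poly):
        acc = acc * b + c
    return acc

def poly_mul_mod_f(a, s, f):
    """a(x) * s(x) in Z[x]/(f(x)) for monic f. Coefficients are not reduced modulo anything."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        if ai:
            for j, sj in enumerate(s):
                prod[i + j] += ai * sj
    # eliminate x^k for k >= n using x^n = -(f_0 + f_1 x + ... + f_{n-1} x^{n-1})
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for t in range(n):
                prod[k - n + t] -= c * f[t]
    return prod[:n]

def to_digits(value, b, n):
    """Base-b expansion of 0 <= value < b^n, low digit first: the 'implicit base b' coefficient vector."""
    digits = []
    for _ in range(n):
        value, d = divmod(value, b)
        digits.append(d)
    if value:
        raise ValueError("value does not fit in n base-b digits")
    return digits

def product_via_ring(f, b, a_int, s_int):
    """a*s mod p, p = f(b), computed two ways: through Z[x]/(f(x)) followed by reduction modulo
    x - b (evaluation at b), and directly on integers. Returns the pair (ring route, direct)."""
    n = len(f) - 1
    p = eval_int(f, b)
    a_poly = to_digits(a_int % p, b, n)
    s_poly = to_digits(s_int % p, b, n)
    prod_poly = poly_mul_mod_f(a_poly, s_poly, f)   # coefficients may exceed b - 1: no carries yet
    return eval_int(prod_poly, b) % p, (a_int * s_int) % p

def hamming_weight(value):
    return bin(value).count("1")

# Constructed instances of the two rings on the slides.
F_MERSENNE = [-1] + [0] * 30 + [1]                 # x^31 - 1 with b = 2: p = 2^31 - 1, a Mersenne prime
F_SOLINAS = [0] * 313
F_SOLINAS[0], F_SOLINAS[156], F_SOLINAS[312] = -1, -1, 1   # x^312 - x^156 - 1 with b = 2^10 (Three Bears)

if __name__ == "__main__":
    s = (1 << 0) | (1 << 5) | (1 << 20)             # a low-Hamming-weight element: weight 3
    print("Hamming weight of s:", hamming_weight(s), "=", sum(to_digits(s, 2, 31)))
    print("Mersenne ring agrees:", product_via_ring(F_MERSENNE, 2, 123456789, s))
    print("Solinas ring agrees:", product_via_ring(F_SOLINAS, 2 ** 10, 3 ** 700, 2 ** 1000 + 5))
```

The Hamming weight of an integer equals the sum of its binary digit vector, which is the slide’s point that “small” in MLHC is a statement about the coefficient vector in the implicit base 2; the carries that integer arithmetic performs are exactly the reduction modulo $x - b$.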
Generalising the ring
The second modulus
◮ Standard LWE-type problems: integer $q$
◮ Large integer arithmetic schemes: linear $x - b$
◮ General problem: arbitrary $g(x)$
$$R_g := \mathbb{Z}[x]/(f(x), g(x))$$
◮ $g(x)$ coprime to $f(x) \Longrightarrow R_g$ finite
◮ Small elements defined in $R = \mathbb{Z}[x]/(f(x))$
A condition of convenience
We want the ring $R_g$ to be easy to work with:
◮ Restrict possible $g$ so that $(f(x), g(x)) = (a, r(x))$
  ◮ $a$ an integer
  ◮ $r(x)$ monic
◮ Unique representative in $\left\{\alpha_0 + \alpha_1 x + \cdots + \alpha_{\deg(r)-1} x^{\deg(r)-1} \;\middle|\; \alpha_i \in \{0, 1, \ldots, a-1\}\right\}$
◮ Not too restrictive
  ◮ $6/\pi^2 \approx 60.8\%$ of randomly chosen pairs $f, g$
  ◮ $r$ linear with overwhelming probability
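The condition $(f(x), g(x)) = (a, r(x))$ can be decided mechanically, and an added Python example (not the authors’ code) does so for the ring $R_g = \mathbb{Z}[x]/(f(x), g(x))$ of the previous slide. The image of the ideal $(f, g)$ in $\mathbb{Z}[x]/(f) \cong \mathbb{Z}^n$ is the lattice spanned by the coefficient vectors of $x^i g(x) \bmod f(x)$; since the ideal is closed under multiplication by $x$, its lower-triangular Hermite normal form has the shape $(a, r)$ exactly when the diagonal reads $(a, \ldots, a, 1, \ldots, 1)$ with $\deg(r)$ copies of $a$, and the row carrying the first pivot $1$ is then $r$ itself, with its lower coefficients already reduced into $\{0, \ldots, a-1\}$ (the unique representatives of the slide). The product of the pivots is $|R_g|$. Assumptions: $f$ is monic and $g$ is coprime to $f$, so the lattice has full rank; the test instances are constructed small cases.

```python
def reduce_mod_f(poly, f):
    """Reduce poly modulo monic f; returns exactly n = deg f coefficients, low degree first."""
    n = len(f) - 1
    p = list(poly) + [0] * max(0, n - len(poly))
    for k in range(len(p) - 1, n - 1, -1):
        c = p[k]
        if c:
            p[k] = 0
            for t in range(n):
                p[k - n + t] -= c * f[t]
    return p[:n]

def ideal_generators(f, g):
    """Z-generators of the image of (f, g) in Z[x]/(f) = Z^n: the vectors x^i * g mod f for i < n."""
    n = len(f) - 1
    gens, cur = [], reduce_mod_f(g, f)
    for _ in range(n):
        gens.append(cur)
        cur = reduce_mod_f([0] + cur, f)    # multiply by x, then reduce
    return gens

def hnf_lower(vectors):
    """Lower-triangular Hermite normal form of the full-rank lattice spanned by `vectors`.
    Row i has a positive pivot at column i, zeros to its right, and entries to its left reduced
    into [0, pivot_j). Plain Euclid on rows, adequate for the small dimensions used here."""
    n = len(vectors[0])
    pending = [list(v) for v in vectors]
    rows = [None] * n
    for col in range(n - 1, -1, -1):
        while True:                          # Euclid on column `col` until one row carries the gcd
            nz = [r for r in pending if r[col] != 0]
            if len(nz) <= 1:
                break
            nz.sort(key=lambda r: abs(r[col]))
            small = nz[0]
            for r in nz[1:]:
                qq = r[col] // small[col]
                for k in range(n):
                    r[k] -= qq * small[k]
        nz = [r for r in pending if r[col] != 0]
        if not nz:
            raise ValueError("generators do not span a full-rank lattice (is g coprime to f?)")
        pending.remove(nz[0])
        rows[col] = [-x for x in nz[0]] if nz[0][col] < 0 else nz[0]
    for i in range(n):                       # reduce off-diagonal entries modulo the pivots
        for j in range(i - 1, -1, -1):
            qq = rows[i][j] // rows[j][j]
            if qq:
                rows[i] = [x - qq * y for x, y in zip(rows[i], rows[j])]
    return rows

def convenient_form(f, g):
    """(a, r) with (f, g) = (a, r(x)), a > 0 an integer and r monic, or None if the ideal is not of
    that shape. deg(r) = n means (f, g) = (a, f), the usual Z_a[x]/(f(x))."""
    n = len(f) - 1
    H = hnf_lower(ideal_generators(f, g))
    diag = [H[i][i] for i in range(n)]
    a, d = diag[0], 0
    while d < n and diag[d] == a:
        d += 1
    if any(v != 1 for v in diag[d:]):
        return None
    r = list(f) if d == n else H[d][:d + 1]
    return a, r

def ring_size(f, g):
    """|Z[x]/(f, g)|: the index of the ideal lattice, i.e. the product of the HNF pivots."""
    H = hnf_lower(ideal_generators(f, g))
    size = 1
    for i in range(len(H)):
        size *= H[i][i]
    return size

if __name__ == "__main__":
    # constructed instances
    print(convenient_form([1, 0, 1], [-2, 1]))      # (5, [3, 1]): Z[x]/(x^2+1, x-2) = Z_5 with x = -3 = 2
    print(convenient_form([1, 0, 1], [2, 2]))       # None: (x^2+1, 2x+2) is not of the form (a, r)
    print(convenient_form([1, 0, 1], [7]))          # (7, [1, 0, 1]): the usual Z_7[x]/(x^2+1)
    print(convenient_form([-1, 0, 0, 1], [-2, 1]))  # (7, [5, 1]): the Mersenne case x^3-1, b=2, p=7
```

In the linear case $r = x + c$ the ring is $\mathbb{Z}_a$ with $x \mapsto -c$; for $g = x - b$ this recovers $a = f(b)$ and $x \mapsto b$, the identification used for the Mersenne and Solinas rings.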