  1. From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform: Application to the BLISS Signature
Pauline Bert and Adeline Roux-Langlois
Journées C2 2018, Univ Rennes, CNRS, IRISA

  2. Contribution
• Fiat-Shamir black-box transformation [1] from identification schemes to signature schemes: Identification Scheme → Digital Signature.
We propose a transformation that takes into account:
1. the rejection sampling technique used mainly in lattice-based schemes,
2. both the lossy and the non-lossy case.
Identification Scheme using RS → Digital Signature
• Application of our black-box transformation to the BLISS lattice-based signature.
[1] Amos Fiat and Adi Shamir (1986). “How to Prove Yourself: Practical Solutions to Identification and Signature Problems”. In: CRYPTO.

  3. Context: Fiat-Shamir Transforms
• Minimal security [2]: imp-pa secure Identification Scheme → uf-cma secure Digital Signature.
• Introduction of the lossy case [3]: los-imp-pa secure Lossy Identification Scheme → uf-cma secure Digital Signature, with a tight reduction.
[2] Michel Abdalla et al. (2002). “From Identification to Signatures via the Fiat-Shamir Transform: Minimizing Assumptions for Security and Forward-Security”. In: EUROCRYPT.
[3] Michel Abdalla et al. (2012). “Tightly-Secure Signatures from Lossy Identification Schemes”. In: EUROCRYPT.

  4. Context: Lattice-Based Signatures
Lattice-based cryptography:
• 1996: Ajtai described the SIS problem → signatures, hash functions...
• 2005: Regev described the LWE problem → PKE, FHE...
→ Post-quantum NIST "competition":
• aims to standardize signatures, KEMs and PKE,
• using post-quantum assumptions such as codes, lattices, isogenies, multivariate (MQ)...
Lattice-based signatures:
• Hash-and-Sign: GGH, NTRUSign, GPV, Falcon...
• Fiat-Shamir: Lyubashevsky [4], BLISS, qTESLA, Dilithium...
→ qTESLA and Dilithium are proved using black-box transformations.
[4] Vadim Lyubashevsky (2008). “Lattice-Based Identification Schemes Secure Under Active Attacks”. In: Public Key Cryptography.

  5. Context: Rejection Sampling
Technique to sample from an arbitrary probability distribution $f$ given access to another one, $g_v$.
→ If $M \cdot g_v(x) \ge f(x)$ for every $x$ and some constant $M$, then the two following procedures output the same distribution:
(a) $x \leftarrow f$; return $x$ with probability $1/M$.
(b) $x \leftarrow g_v$; return $x$ with probability $\dfrac{f(x)}{M \cdot g_v(x)}$.
Pros: a sample from $g_v$ is made independent of $v$ → $v$ can depend on a secret.
Cons: to get one sample, the procedure is repeated on average $M$ times → not constant time.
→ From a bimodal Gaussian to a unimodal centered Gaussian.
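Worked derivation, added here and not part of the slides, for the bimodal-to-centered Gaussian instance named on this slide. Take $f = D^m_\sigma$ and $g_v = \tfrac12 D^m_{v,\sigma} + \tfrac12 D^m_{-v,\sigma}$ over $\mathbb{Z}^m$, with $D^m_{v,\sigma}(x) = \rho_\sigma(x - v)/\rho_\sigma(\mathbb{Z}^m)$ and $\rho_\sigma(x) = \exp(-\|x\|^2/2\sigma^2)$; for an integer shift $v$ the normalisation constant is the same for every centre. Expanding the square,

$$\rho_\sigma(x \mp v) = \rho_\sigma(x)\,\exp\!\left(-\frac{\|v\|^2}{2\sigma^2}\right)\exp\!\left(\pm\frac{\langle x, v\rangle}{\sigma^2}\right),$$

so

$$\frac{g_v(x)}{f(x)} = \exp\!\left(-\frac{\|v\|^2}{2\sigma^2}\right)\cosh\!\left(\frac{\langle x, v\rangle}{\sigma^2}\right) \;\ge\; \exp\!\left(-\frac{\|v\|^2}{2\sigma^2}\right).$$

Hence $M = \exp(\|v\|^2/2\sigma^2)$ satisfies $M \cdot g_v(x) \ge f(x)$ for every $x$, with equality at $x = 0$, and the acceptance probability of procedure (b) is

$$\frac{f(x)}{M \cdot g_v(x)} = \frac{1}{\cosh(\langle x, v\rangle/\sigma^2)} \;\le\; 1.$$

When the shift $v$ depends on a secret and a challenge, $M$ must be chosen for the largest $\|v\|$ that can occur, and the expected number of repetitions is exactly that $M$.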


  7. From Identification using Rejection Sampling to Signatures via the Fiat-Shamir Transform

  8. Classical Identification Scheme
Prover P holds (pk, sk); verifier V holds pk.
P → V: Cmt
V → P: Ch, with $\mathrm{Ch} \xleftarrow{\$} C$
P → V: Rsp (computed by P from sk, Cmt and Ch)
V: $\mathrm{Dec} \leftarrow V(\mathrm{pk}, \mathrm{Cmt}\,\|\,\mathrm{Ch}\,\|\,\mathrm{Rsp})$

  9. Identification Scheme using Rejection Sampling
Prover P holds (pk, sk); verifier V holds pk.
P → V: Cmt
V → P: Ch, with $\mathrm{Ch} \xleftarrow{\$} C$
P: $\mathrm{Rsp} \xleftarrow{\$} g_v$; with probability $\dfrac{f(\mathrm{Rsp})}{M \cdot g_v(\mathrm{Rsp})}$ output Rsp, otherwise output $\mathrm{Rsp} \leftarrow \bot$
P → V: Rsp
V: $\mathrm{Dec} \leftarrow V(\mathrm{pk}, \mathrm{Cmt}\,\|\,\mathrm{Ch}\,\|\,\mathrm{Rsp})$

  10. Properties
Non-Lossy and Lossy:
• Correctness Error: the probability that $\mathrm{Rsp} = \bot$ is small.
• Simulatability (naHVZK): we can construct an algorithm Sim that outputs transcripts $\mathrm{Cmt}\,\|\,\mathrm{Ch}\,\|\,\mathrm{Rsp}$ statistically close to the original ones without having access to the secret key.
Lossy only:
• Key-Indistinguishability: a lossy key generation algorithm $\mathrm{LossyKeyGen}(1^k) \to \mathrm{pk}$ outputs a lossy public key pk computationally indistinguishable from an honestly generated one.

  11. Security
Non-Lossy: sim-imp-pa. Passive impersonation where the adversary has access to the public key of the scheme and to the simulator Sim.
Lossy: los-imp-pa. Passive impersonation where the adversary has access to a lossy public key of the scheme and to the simulator Sim.
$\mathrm{Exp}^{\text{imp-pa}}_{\mathrm{ID},I}(k)$:
  $(\mathrm{pk}, \mathrm{sk}) \xleftarrow{\$} \mathrm{KeyGen}(1^k)$   or   $\mathrm{pk} \xleftarrow{\$} \mathrm{LossyKeyGen}(1^k)$
  $(\mathrm{st}, \mathrm{Cmt}) \xleftarrow{\$} I^{\mathrm{Sim}}(\mathrm{pk})$
  $\mathrm{Ch} \xleftarrow{\$} C$
  $\mathrm{Rsp} \xleftarrow{\$} I(\mathrm{st}, \mathrm{Ch})$
  $\mathrm{Dec} \leftarrow V(\mathrm{pk}, \mathrm{Cmt}\,\|\,\mathrm{Ch}\,\|\,\mathrm{Rsp})$
  return Dec

  12. Fiat-Shamir Transform
Identification Scheme using RS: KeyGen; P, V, C; $g_v$, $f$.
Digital Signature: KeyGen; Sign, Verify; $H : \{0,1\}^* \to C$.
Sign(sk, m):
  repeat
    $\mathrm{Cmt} \leftarrow P(\mathrm{sk})$
    $\mathrm{Ch} \leftarrow H(\mathrm{Cmt}, m)$
    $\mathrm{Rsp} \xleftarrow{\$} g_v$; keep it with probability $\dfrac{f(\mathrm{Rsp})}{M \cdot g_v(\mathrm{Rsp})}$, otherwise $\mathrm{Rsp} \leftarrow \bot$
  until $\mathrm{Rsp} \ne \bot$
  return $\sigma = (\mathrm{Cmt}, \mathrm{Rsp})$
Verify(pk, m, σ):
  parse σ as (Cmt, Rsp)
  $\mathrm{Ch} \leftarrow H(\mathrm{Cmt}, m)$
  return $V(\mathrm{pk}, \mathrm{Cmt}\,\|\,\mathrm{Ch}\,\|\,\mathrm{Rsp})$

  13. Contribution
Identification Scheme using RS with Simulatability and Correctness Error → sim-imp-pa secure → (non-tight) → Digital Signature, uf-cma secure.
Lossy Identification Scheme using RS with Simulatability, Correctness Error and Key-Indistinguishability → los-imp-pa secure → (tight) → Digital Signature, uf-cma secure.

  14. Application to the BLISS Signature

  15. Application to the BLISS signature [6]
• Originally the BLISS signature was proved directly in the ROM.
• Its security is based on the SIS [5] problem.
Short Integer Solution: given a uniformly random matrix $A \leftarrow U(\mathbb{Z}_q^{n \times m})$, find a non-trivial short vector $x \in \mathbb{Z}^m$ such that $\|x\| \le \beta$ and $Ax = u \bmod q$.
• We can apply our first (non-tight) reduction to BLISS as an example.
[5] Miklós Ajtai (1996). “Generating Hard Instances of Lattice Problems (Extended Abstract)”. In: STOC.
[6] Léo Ducas et al. (2013). “Lattice Signatures and Bimodal Gaussians”. In: CRYPTO (1).

  16. BLISS (1)
Settings
• Public key: $A \in \mathbb{Z}_{2q}^{n \times m}$
• Secret key: short $S \in \mathbb{Z}_{2q}^{m \times n}$ such that $AS = q I_n \bmod 2q$
• Challenge space: $C = \{c \in \{0,1\}^n : \|c\|_1 \le \kappa\}$
• Probability distributions: $M \cdot g_{Sc} = M \cdot \left(\tfrac12 D^m_{Sc,\sigma} + \tfrac12 D^m_{-Sc,\sigma}\right)$ and $f = D^m_\sigma$
Protocol, with pk = A and sk = S:
P: $y \leftarrow D^m_\sigma$, $u \leftarrow Ay \bmod 2q$; P → V: u
V: $c \xleftarrow{\$} C$; V → P: c
P: $b \xleftarrow{\$} \{0,1\}$, $z \leftarrow (-1)^b Sc + y$; output z with probability $\dfrac{f(z)}{M \cdot g_{Sc}(z)}$, otherwise $z \leftarrow \bot$; P → V: z
V: output 1 iff $\|z\| \le \eta\sigma\sqrt{m}$ and $Az + qc = u \bmod 2q$

  17. BLISS (2)
By applying our first (non-tight) reduction we get
$$\mathrm{Adv}^{\text{uf-cma}}_{\mathrm{BLISS},F} \le \sqrt{q_H \cdot \mathrm{Adv}^{\mathrm{SIS}}} + \cdots$$
where $q_H$ is the number of hash queries.

  18. Conclusion
Non-Lossy Identification Scheme using RS → (non-tight) → Digital Signature
Lossy Identification Scheme using RS → (tight) → Digital Signature
Pros: all mentions of random oracles are delegated to the black-box transformation; it is enough to prove only the required properties of the identification scheme.
Cons: loses a factor of roughly $\sqrt{q_H}$ compared to the original BLISS proof.
→ To get a lossy identification scheme and a tight signature, use the LWE problem instead of the SIS problem (e.g. the qTESLA and Dilithium NIST candidates).
Thank you!
