Lattice-based signatures: extra lecture for the Digital Signatures course (PowerPoint presentation)


  1. Lattice-based signatures
  Extra lecture for the “Digital Signatures” course 2020
  Dennis Hofheinz, ETH Zürich

  2. Quantum computers
  ● Grover’s algorithm: speed up searches (N → O(√N))
  ● Bigger problem for cryptography: Shor’s algorithm
    – Runs in polynomial time on a (universal) quantum computer
    – Solves a problem that in turn solves DLog and Factoring/RSA
    – Breaks most of the signature schemes we have seen
      – Which ones (that we have seen) are not broken?
  ● Current status of quantum computers unclear
    – If we manage to build them → panic!
    – Massive company involvement, not quite there yet
  ● Should look at post-quantum cryptography!

  3. Post-quantum cryptography
  ● Assume a quantum computer is here…
    – … use things based on symmetric crypto (e.g., hash functions)
      – Not always possible (PKE, IBE, …) or efficient (signatures)
    – … use lattice-based constructions
      – Very versatile, many nice algebraic properties
    – … use coding-based constructions
      – Useful problem: decode noisy codewords
      – Code-based PKE and signatures exist, but less versatile
    – … use other platforms (isogenies, nonlinear multivariate equation systems)
      – Not as well-understood as lattices or codes
  ● Let’s look at lattices!

  4. Lattices
  ● A lattice: (figure of a lattice, not reproduced)
    – Formally: L = { ∑ c_i u_i | c_i ∊ Z } for (real) vectors u_i
    – For our purposes: lattices with u_i ∊ Z^n (or u_i ∊ Z_q^n) suitable
  ● Hard problems (closely related to NP-hardness):
    – SVP: Find shortest (nonzero) vector in L
    – CVP: Given y, find vector in L closest to y
    – Even decisional variants of SVP, CVP hard

  5. Learning with errors
  ● Closely related, but handier: Learning With Errors
    – Consider an oracle LWE_s, for fixed but uniform s ∊ Z_q^n
    – Each time when activated, LWE_s picks…
      – … a uniform a ∊ Z_q^n,
      – … a short noise scalar e ∊ Z_q,
      – … and then outputs a and <a, s> + e = ∑ a_i s_i + e ∊ Z_q
    – Search-LWE: given (poly-often) access to LWE_s, find s
    – Decision-LWE: distinguish LWE_s from randomness oracle
  ● Most interesting case: q polynomially small
    – Then: GapSVP hard ⇒ Search-LWE hard ⇔ Decision-LWE hard
    – Dep. on size of noise: LWE easy/hard/NP-hard/impossible
      – Hard (but not NP-hard) region useful for cryptography

  6. Encryption from LWE
  ● Simple PKE scheme from LWE:
    – Observation: LWE ⇒ (A, As + e) ≈ (A, r)
      (A ∊ Z_q^(m×n), s ∊ Z_q^n, r ∊ Z_q^m all uniform, e ∊ Z_q^m short, ≈ means comp. ind., m ≫ n)
    – Graphically: (figure: A·s + e ≈ r, drawn as matrices, with s given)
    – Key observation: As + e “almost” behaves like As for short z:
        z^t (As + e) = z^t A s + z^t e = z^t A s + “small”

  7. Encryption from LWE
  ● Simple PKE scheme from LWE:
    – Simple (and insecure) public-key encryption scheme:
      – pk = (A, As)   (A ∊ Z_q^(m×n), s ∊ Z_q^n)
      – sk = s
      – Enc(pk, M) = (z^t A, z^t As + M)   (z ∊ Z_q^m, M ∊ Z_q)
      – Dec(sk, (C_1, C_2)) = C_2 – C_1 s
    – Decryption, graphically: (figure: z^t (As) + M – z^t A s = M, drawn as matrices)
    – Problem: completely insecure (can find s from As)

  8. Encryption from LWE
  ● Simple PKE scheme from LWE:
    – Idea: add noise, use LWE (→ linear algebra with noise hard)
      – pk = (A, As + e)   (A ∊ Z_q^(m×n), s ∊ Z_q^n, e ∊ Z_q^m short)
      – sk = s
      – Enc(pk, M) = (z^t A, z^t (As + e) + M)   (z ∊ Z_q^m short, M ∊ Z_q)
      – Dec(sk, (C_1, C_2)) = C_2 – C_1 s
    – New problem: decryption only retrieves M + z^t e
    – Solution: encrypt only M = 0 or M = [q/2] (so really encrypt only one bit)
  ● Claim: this is IND-CPA-secure under the LWE assumption
    – Step 1: substitute As + e in public key with uniformly random r
    – Step 2: observe that now r extracts entropy from z
      – Formally: (z^t A, r, z^t r) statistically close to (z^t A, r, rand)
      – Hence, encryption becomes “lossy”
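As an added worked example (not code from the lecture), the one-bit noisy scheme of this slide, built on the LWE_s samples of slide 5 and the "z^t(As + e) = z^t A s + small" observation of slide 6, in Python: keygen emits m LWE samples as (A, As + e), encryption forms (z^t A, z^t(As + e) + M), and decryption recovers M + z^t e and rounds. The parameters Q, N, M_ROWS and BOUND are constructed toy values with no security, chosen only so that the worst-case noise m·BOUND² stays below q/4 and decryption never fails.

```python
import random

# Added toy implementation of the one-bit LWE scheme from the slides (not the lecture's code).
# Parameters are constructed for illustration only and are far too small to be secure.
Q = 3329        # modulus q
N = 8           # secret dimension n
M_ROWS = 32     # number of LWE samples m (m >> n)
BOUND = 2       # "short" entries of e and z: uniform in [-BOUND, BOUND]


def keygen(rng):
    """pk = (A, As + e), sk = s, with A in Z_q^{m x n}, s in Z_q^n, e in Z_q^m short."""
    A = [[rng.randrange(Q) for _ in range(N)] for _ in range(M_ROWS)]
    s = [rng.randrange(Q) for _ in range(N)]
    # each entry of b is one LWE_s oracle output <a, s> + e (slide 5)
    b = [(sum(a * x for a, x in zip(row, s)) + rng.randint(-BOUND, BOUND)) % Q for row in A]
    return (A, b), s


def encrypt(pk, bit, rng):
    """Enc(pk, M) = (z^t A, z^t (As + e) + M) with M = 0 or floor(q/2) and z short."""
    A, b = pk
    z = [rng.randint(-BOUND, BOUND) for _ in range(M_ROWS)]
    c1 = [sum(z[i] * A[i][j] for i in range(M_ROWS)) % Q for j in range(N)]  # z^t A
    c2 = (sum(zi * bi for zi, bi in zip(z, b)) + bit * (Q // 2)) % Q         # z^t(As+e) + M
    return c1, c2


def decrypt(sk, ct):
    """Dec(sk, (C1, C2)) = C2 - C1 s, which equals M + z^t e; round the noise away."""
    c1, c2 = ct
    v = (c2 - sum(c * x for c, x in zip(c1, sk))) % Q
    if v > Q // 2:          # centred representative in (-q/2, q/2]
        v -= Q
    # |z^t e| is small, so v lies near 0 for M = 0 and near +-q/2 for M = floor(q/2)
    return 1 if abs(v) > Q // 4 else 0


def worst_case_noise():
    """Bound on |z^t e|: m products of two entries of size <= BOUND.
    Decryption is always correct as long as this stays below q/4."""
    return M_ROWS * BOUND * BOUND


def roundtrip(seed):
    """Fresh key, then Enc/Dec of both bits; returns (Dec(Enc(0)), Dec(Enc(1)))."""
    rng = random.Random(seed)
    pk, sk = keygen(rng)
    return tuple(decrypt(sk, encrypt(pk, bit, rng)) for bit in (0, 1))
```

With these toy parameters the residual z^t e is at most 128 while q/4 = 832, which is exactly the margin the rounding in decrypt relies on; shrinking q or growing m or BOUND past that margin is how the "decryption only retrieves M + z^t e" problem shows up as wrong bits.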

  9. What about signatures?
  ● Strangeness: while generically, signatures easier…
    – Existence of signatures equivalent to existence of OWFs
    – This is not known about PKE!
    – In fact, there are oracle separations between PKE and OWFs
  ● … practical signatures harder than practical PKE
    – We have efficient PKE schemes from DDH, Factoring, LWE, …
    – … but for signature schemes, this appears much harder
      – … we can resort to the random oracle model (RSA-FDH, BLS, Schnorr) …
      – … and/or stronger assumptions (GHR, Cramer-Shoup signatures) …
      – … and/or pairings (BLS, Waters, Boneh-Boyen signatures) …
      – … but it seems we need to pay a price
  ● Unfortunately, lattices/LWE no exception

  10. We need more tools!
  ● Additional tool: lattice trapdoors
    – Consider the functions (for given A ∊ Z_q^(m×n) for m ≫ n, and short z, e)
        f_A(z) = z^t A        g_A(s, e) = As + e
    – Note 1: f_A highly non-injective, g_A injective
    – Note 2: both f_A and g_A are one-way functions (assuming LWE)
      – Clear for g_A
      – LWE hard ⇒ can’t invert f_A on 0 (“SIS problem”) ⇒ f_A one-way
    – Now: can compute (almost-)uniform A along with trapdoor T_A
      – T_A is “short basis” for lattice L_A^⊥ = { z | z^t A = 0 } associated with A
      – T_A consists of m linearly independent short z with f_A(z) = 0
      – In case of f_A, trapdoor allows to sample short z with f_A(z) = y

  11. Signatures from LWE in ROM
  ● Simple LWE-based signatures in ROM
    – Consider the functions (for given A ∊ Z_q^(m×n) for m ≫ n, and short z, e)
        f_A(z) = z^t A        g_A(s, e) = As + e
    – Consider the following signature scheme:
        pk = A
        sk = T_A
        σ_M = short z with f_A(z) = H(M)   (with H(M) interpreted as element from Z_q^n)
    – Signing uses trapdoor T_A to invert f_A, verification evaluates f_A
    – … looks a lot like RSA-FDH and BLS…
    – … and indeed, proof works in the same way (→ no tight security!)

  12. Tool: trapdoor delegation
  ● We can do more with LWE
    – Consider the functions (for given A ∊ Z_q^(m×n) for m ≫ n, and short z, e)
        f_A(z) = z^t A        g_A(s, e) = As + e
    – Previously: both f_A and g_A have (the same) trapdoor T_A
      – This T_A consists of a short basis, i.e., short vectors z with z^t A = 0
    – Now: trapdoors can be delegated (writing [A; B] for A stacked on top of B):
        T_A, B → T_[A; B]
      – Note: T_[A; B] consists of short z = [z_1; z_2] with z_1^t A + z_2^t B = 0
      – Idea to generate such z: choose z_2 short, generate z_1 using T_A
    – Generalizes to more matrices (need one trapdoor)

  13. Signatures w/o ROs
  ● Delegation allows to get rid of ROs
    – Signature scheme:
        pk = (A_0, (A_{i,b})_{i ∊ {1,…,k}, b ∊ {0,1}})
        sk = T_{A_0}
        Helpful notation: A(M) = [A_0; A_{1,M_1}; …; A_{k,M_k}] for M = (M_1, …, M_k)
        σ_M = T_{A(M)}
    – Signatures in scheme generated by delegating using T_{A_0}
    – Reduction will not know T_{A_0}, but a subset of the T_{A_{i,b}}
      – Reduction can generate σ_M iff T_{A_{i,b}} for one involved A_{i,b} known

  14. Signatures w/o ROs
  ● Delegation allows to get rid of ROs
    – Signature scheme:
        pk = (A_0, (A_{i,b})_{i ∊ {1,…,k}, b ∊ {0,1}})
        sk = T_{A_0}
        σ_M = T_{A(M)}
    – Scheme less efficient than generic OWF-based approach, but:
      – Better, more compact delegation (and definition of A(M)) possible
      – Also: can have only part of trapdoor in signature (and not full T_{A(M)})
    – Scheme can be extended to IBE scheme:
      – Signature pk → IBE master public key mpk
      – Signed message M → IBE identity id
      – Signature σ_M = T_{A(M)} → IBE secret key usk_id for identity id (= M)
      – Idea: using this infrastructure, use A(M) as pk for PKE instance for id

  15. Wrapping up
  ● Lattices currently most popular post-quantum tool
    – Hard problems (even connected to NP-hardness)
    – Highly useful hard problem: LWE
    – Can get OWFs (→ signatures), CRHFs, PKE, IBE, FHE*, …
  ● What we did not cover today
    – Fully homomorphic encryption/commitments
    – Better delegation methods
    – Cryptanalysis/attacks on lattice problems
    – Parameters (matrix sizes, noise levels, …)
