
Middle-Product Learning with Errors (MP-LWE) and its Hardness (slide deck)



  1. Middle-Product Learning with Errors (MP-LWE) and its Hardness
     Ron Steinfeld, Monash University, ron.steinfeld@monash.edu
     CIS 2019 Winter School
     Based on joint work [RSSS17], [SSZ17], [B+19] (work in progress, in submission) with subsets of: Shi Bai, Dipayan Das, Ryo Hiromasa, Miruna Rosca, Amin Sakzad, Damien Stehle, Raymond K. Zhao, Zhenfei Zhang.
     Ron Steinfeld (Monash University) MP-LWE and its hardness 28/03/2018 1 / 42

  2. Outline of the talk
     1- Introduction: risk-performance balance approach to lattice cryptography
     2- Security foundations:
        - Polynomial-SIS over Z_q[x] (PSIS_∅) problem
          - Definition of the problem [L16]
          - Hardness reduction from the hardest PSIS_f over a family of f's [L16]
          - Known attacks
          - Variant: inhomogeneous P-SIS (I-PSIS_∅) and its hardness with large secrets [L16] and insecurity with small secrets [B+19]
        - Middle-Product LWE (MP-LWE) problem
          - Definition of the problem [RSSS17]
          - Hardness reduction [RSSS17] and variants [SSZ17, SSZ19, LVV19, PP19]
          - Known attacks [SSZ17, SSZ19]
          - Variant: MP-LWE with small secrets and its hardness [B+19]
          - Variant: MP-LWE with large errors and its insecurity [B+19]
     3- Summary and open problems

  3. Intro

  4. Motivation for the research field
     Lattice-based cryptography is a cutting-edge cryptographic 'technology'. It has several interesting properties:
     - High computational efficiency
     - Novel and powerful cryptographic functionalities/applications
     - Strong provable security guarantees
     - Believed 'post-quantum' security

  5-7. Lattices background: Approx-SVP
     Lattice: $L \equiv \{ \sum_{i \le n} x_i b_i : x_i \in \mathbb{Z} \}$, for some linearly independent $b_i$'s.
     Minimum: $\lambda(L) = \min(\|b\| : b \in L \setminus \{0\})$.
     $\gamma$-SVP: find $b \in L$ with $0 < \|b\| \le \gamma \cdot \lambda(L)$.
     No known sub-exponential algorithm for $\gamma = \mathrm{poly}(n)$, not even quantumly. Seems harder than integer factoring and discrete log.
     But... the hardness can depend on the choice of lattice $L$!

  8. Low Security Risk Crypto: LWE Approach
     Problem (Search Learning-with-Errors, Search-LWE_{q,m,n,α}): given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$ and $y = A \cdot s + e \bmod q \in \mathbb{Z}_q^m$ (with $e$ 'small'), find $s$.
     Advantage: low security risk. No lattice structure; quantum reduction from worst-case arbitrary lattices in dimension n [R05].
     Drawback: low performance. Large (≥ n × n) matrices, slow computation.
     Example cryptosystem: Frodo [BCD+16] / Frodo-KEM [ABD+17]

  9. High Performance Crypto: PLWE_f Approach
     Q: How to fix performance? A: Add extra algebraic structure!
     Problem (Search Polynomial Learning-with-Errors, Search-PLWE^f_{q,m,n,α}): let $R_q = \mathbb{Z}_q[x]/(f(x))$ (e.g. $f(x) = x^n + 1$). Given $A \leftarrow U(R_q^{m \times 1})$ and $y = A \cdot s + e \bmod R_q$ (with $e$ 'small'), find $s$.
     Advantage: high performance. Succinct matrix, fast polynomial arithmetic (FFT).
     Drawback: high security risk. Relies on PLWE_f for one fixed f (the reduction from ApproxSVP_f is restricted to structured 'f-ideal' lattices).
     Example cryptosystem: New Hope [ADPS16]

  10. ApproxSVP_f could be easy for some f's
      Problem ApproxSVP_f: ApproxSVP restricted to ideals in $\mathbb{Z}[x]/(f(x))$.
      [BS15]: quantum polynomial-time algorithm to find a generator of a principal ideal in any number field.
      Weak f's for ApproxSVP_f:
      - Cyclotomics of prime-power index:
        [CDPR16]: quantum polynomial-time algorithm to find a short generator of a principal ideal, for approximation factor $2^{O(\sqrt{n})}$
        [CDW17]: quantum polynomial-time algorithm to solve ApproxSVP for all ideals, for approximation factor $2^{O(\sqrt{n})}$
      - Multiquadratics:
        [BBdVLvV17]: quasi-polynomial-time algorithm to find a short generator of a principal ideal

  11. [Figure: running time versus approximation factor for ApproxSVP, comparing arbitrary lattices with ideal lattices in cyclotomic fields of prime-power index. Horizontal axis: approximation factor, marked poly(n), $2^{\sqrt{n}}$, $2^{n}$; vertical axis: time, marked $2^{\sqrt{n}}$, $2^{n}$.]

  12. How to balance security risk and performance?
      Two prior approaches:
      - Non-cyclotomic f: use PLWE_f with a non-cyclotomic polynomial f [BCLvV16], [PRSD17] (example cryptosystem: NTRUPrime)
      - Module PLWE_f: replace $s \in \mathbb{Z}_q[x]/(f(x))$ with $s \in (\mathbb{Z}_q[x]/(f(x)))^k$ for small k [BGV11, LSS15, BDK+17] (example cryptosystem: Kyber)
      Remaining 'all eggs in one basket' risk: which f gives a hard problem?
      Q: Is there an approach balancing the 'one f' risk and performance?

  13. How to balance security risk and performance?
      Lyubashevsky [Lyu16] gave the first positive answer, for digital signatures:
      - PSIS_∅: a SIS variant as secure as the hardest PSIS_f over a wide class F of f's. Designed a signature scheme based on PSIS_∅.
      - Basic idea: work in the polynomial ring $\mathbb{Z}[x]$, i.e. multiplication with no mod f!
      - Low security risk: hedge the risk across a huge class F, e.g. $F = \{ x^m + f_L x^L + f_{L-1} x^{L-1} + \cdots + f_1 x + f_0 : f_i \in \{-1, 0, 1\} \}$. The size of F is exponential in L!
      - High performance: the polynomial ring $\mathbb{Z}[x]$ can still support fast arithmetic.
      But PSIS_∅ [Lyu16] cannot be used for encryption, and more efficient lattice signature techniques also require an LWE variant.

  14. Risk-Performance balance Crypto: MP-LWE Approach
      Rosca et al. [RSSS17] gave the first positive answer for encryption:
      - Middle-Product LWE (MP-LWE): a polynomial variant of the LWE problem as secure as the hardest PLWE_f over a big family F of f's.
      - Basic idea: work in the polynomial ring $\mathbb{Z}[x]$ with a modified 'middle-product' ring multiplication.
      - Designed a public-key encryption scheme; optimized NIST PQC encryption submission: Titanium [RSZ17].
      - Security-risk-vs-performance balance: lower security risk guarantee than PLWE_f schemes, better performance than LWE schemes.
      - Designed improved digital signature schemes [B+18].

  15. Security Foundations: Poly-SIS_∅ (PSIS_∅) Problem

  16. Review: PSIS_f, PSIS over $\mathbb{Z}_q[x]/(f(x))$
      Recall the definition of (Ring) Polynomial SIS in a polynomial ring $\mathbb{Z}_q[x]/(f)$ with a modulus polynomial f of degree n (usually $f = x^n + 1$).
      Polynomial-based definition, PSIS^f_{q,n,k,β}: given $a_1, \ldots, a_k \leftarrow \mathbb{Z}_q[x]/(f)$, find non-zero polynomials $(z_1, \ldots, z_k)$ with $\deg z_i < n$ such that
      $$\sum_{i \le k} z_i \cdot a_i = 0 \bmod f \quad\text{and}\quad \|z_i\|_\infty \le \beta \ \text{ for } i \in [k].$$

  17. Review: PSIS_f matrix interpretation
      A polynomial $a(x) = a[0] + a[1]\cdot x + \cdots + a[n-1]\cdot x^{n-1}$ with $a[i] \in \mathbb{Z}$ is represented by its coefficient vector $a^T = [a[0], a[1], \ldots, a[n-1]]$.
      For two polynomials $a(x), z(x) \in \mathbb{Z}_q[x]$ of degree $< n$, if $c(x) = z(x) \cdot a(x) \bmod f(x)$ then
      $$c(x) = \sum_{i < n} z[i] \cdot \big( x^i \cdot a(x) \bmod f(x) \big), \quad\text{so}\quad c^T = z^T \cdot \mathrm{Rot}_f(a),$$
      where $\mathrm{Rot}_f(a)$ denotes the matrix whose $i$-th row is the coefficient vector of $x^i \cdot a(x) \bmod f(x)$.
      E.g. for $f(x) = x^n + 1$, since $x^n \bmod (x^n + 1) = -1$, we have
      $$[c[0], \ldots, c[n-1]] = [z[0], \ldots, z[n-1]] \cdot \begin{bmatrix} a[0] & a[1] & a[2] & \cdots & a[n-1] \\ -a[n-1] & a[0] & a[1] & \cdots & a[n-2] \\ -a[n-2] & -a[n-1] & a[0] & \cdots & a[n-3] \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ -a[1] & -a[2] & -a[3] & \cdots & a[0] \end{bmatrix}.$$
      For this f the matrix is negacyclic: all n rows are determined by the n coefficients of a, which is the 'succinct matrix' behind the PLWE_f performance advantage of slide 9.

  18. PSIS_∅: PSIS over $\mathbb{Z}_q[x]$
      Q: Can we define a variant of PSIS that is as hard as PSIS_f for many f's, rather than just one f?
      Observation [L16]: if $\sum_i z_i(x) \cdot a_i(x) = 0$ in $\mathbb{Z}_q[x]$ (i.e. with no mod f), then $\sum_i z_i(x) \cdot a_i(x) = 0 \bmod f(x)$ for any f. This led Lyubashevsky [L16] to define PSIS_∅.
      PSIS^∅_{q,n,k,d,β}: given $a_1, \ldots, a_k \leftarrow \mathbb{Z}_q^{<n}[x]$, find a non-trivial solution of
      $$\sum_{i \le k} z_i \cdot a_i = 0 \quad\text{with}\quad \|z_i\|_\infty \le \beta \ \text{ and } \ \deg z_i < d \ \text{ for } i \in [k].$$
      Notation: $\mathbb{Z}_q^{<n}[x]$ is the set of polynomials over $\mathbb{Z}_q$ of degree $< n$.
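The following Python script is an added worked example written for this page; it is not code from the talk or its authors. It makes slides 9, 17 and 18 concrete on one small instance: it builds Rot_f(a) for an arbitrary monic f, checks $c^T = z^T \cdot \mathrm{Rot}_f(a)$ against direct multiplication mod f, writes a PLWE_f sample $a \cdot s + e$ as an LWE sample with the structured matrix $\mathrm{Rot}_f(a)^T$, and verifies the [L16] observation that an exact PSIS_∅ solution over $\mathbb{Z}_q[x]$ is a PSIS_f solution for every member of a small instance of the family F from slide 13. The parameters (n = 4, q = 17), the planted PSIS_∅ instance (whose $a_i$ are therefore not uniform, unlike a real instance) and all function names are choices made here, not values from the slides.

```python
# Added worked example for the PSIS_f / PSIS_empty / PLWE_f slides above.
# Not code from the talk or its authors; n=4, q=17 and the planted instance
# are illustrative choices made here.  Polynomials are coefficient lists,
# lowest degree first, with coefficients reduced into [0, q).
from itertools import product

def poly_mul(a, b, q):
    """Product in Z_q[x] with no modulus polynomial (the PSIS_empty setting)."""
    c = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[i + j] = (c[i + j] + ai * bj) % q
    return c

def poly_mod(c, f, q):
    """Reduce c by a monic f in Z_q[x]; returns exactly deg(f) coefficients."""
    n = len(f) - 1
    assert f[n] == 1, "f must be monic"
    c = [x % q for x in c] + [0] * max(0, n - len(c))
    for i in range(len(c) - 1, n - 1, -1):      # clear leading terms top-down
        coef = c[i]
        if coef:
            for j in range(n + 1):              # c -= coef * x^(i-n) * f
                c[i - n + j] = (c[i - n + j] - coef * f[j]) % q
    return c[:n]

def mul_mod_f(z, a, f, q):
    """c(x) = z(x) * a(x) mod f(x), computed directly."""
    return poly_mod(poly_mul(z, a, q), f, q)

def rot(a, f, q):
    """Rot_f(a): n x n matrix whose i-th row is the coefficient vector of x^i * a(x) mod f(x)."""
    n = len(f) - 1
    return [poly_mod(poly_mul([0] * i + [1], a, q), f, q) for i in range(n)]

def vec_mat(z, M, q):
    """Row vector times matrix: z^T * M mod q."""
    return [sum(z[i] * M[i][j] for i in range(len(z))) % q for j in range(len(M[0]))]

def plwe_sample(a, s, e, f, q):
    """One PLWE_f sample b = a*s + e in R_q = Z_q[x]/(f(x))."""
    return [(x + y) % q for x, y in zip(mul_mod_f(a, s, f, q), e)]

def plwe_sample_as_lwe(a, s, e, f, q):
    """The same sample as LWE with the structured matrix A = Rot_f(a)^T, i.e. b^T = s^T Rot_f(a) + e^T."""
    return [(x + y) % q for x, y in zip(vec_mat(s, rot(a, f, q), q), e)]

def is_psis_empty_solution(a_list, z_list, q):
    """PSIS_empty relation: sum_i z_i * a_i = 0 in Z_q[x], with no reduction mod f."""
    total = []
    for a, z in zip(a_list, z_list):
        prod = poly_mul(z, a, q)
        total += [0] * (len(prod) - len(total))
        for i, x in enumerate(prod):
            total[i] = (total[i] + x) % q
    return all(x == 0 for x in total)

def is_psis_f_solution(a_list, z_list, f, q):
    """PSIS_f relation: sum_i (z_i * a_i mod f) = 0 in Z_q[x]/(f(x))."""
    acc = [0] * (len(f) - 1)
    for a, z in zip(a_list, z_list):
        acc = [(x + y) % q for x, y in zip(acc, mul_mod_f(z, a, f, q))]
    return all(x == 0 for x in acc)

def family_F(m, L):
    """The family F = { x^m + f_L x^L + ... + f_1 x + f_0 : f_i in {-1,0,1} } of slide 13 (3^(L+1) members)."""
    return [list(coeffs) + [0] * (m - L - 1) + [1] for coeffs in product((-1, 0, 1), repeat=L + 1)]

Q, N, D = 17, 4, 3
F_NEGACYCLIC = [1, 0, 0, 0, 1]                  # f(x) = x^4 + 1

# Constructed PSIS_empty instance with a planted small solution (not uniform a_i):
# a_1 = z_2 * h and a_2 = -z_1 * h, so z_1*a_1 + z_2*a_2 = 0 exactly in Z_q[x].
H = [5, 7]                                       # h = 5 + 7x
Z1, Z2 = [1, 0, 1], [1, 1]                       # 1 + x^2 and 1 + x: ||z_i||_inf = 1, deg z_i < D
A1 = poly_mul(Z2, H, Q)                          # [5, 12, 7]
A2 = [(-x) % Q for x in poly_mul(Z1, H, Q)]      # [12, 10, 12, 10]

if __name__ == "__main__":
    a, z, e = [1, 2, 3, 4], [1, 0, 0, 1], [1, Q - 1, 0, 1]
    print("Rot_f(a), f = x^4 + 1:", rot(a, F_NEGACYCLIC, Q))
    print("z*a mod f directly:", mul_mod_f(z, a, F_NEGACYCLIC, Q),
          "via Rot_f:", vec_mat(z, rot(a, F_NEGACYCLIC, Q), Q))
    print("PLWE sample:", plwe_sample(a, z, e, F_NEGACYCLIC, Q),
          "as LWE:", plwe_sample_as_lwe(a, z, e, F_NEGACYCLIC, Q))
    print("exact PSIS_empty solution:", is_psis_empty_solution([A1, A2], [Z1, Z2], Q))
    print("PSIS_f solution for all", len(family_F(N, 2)), "f in F:",
          all(is_psis_f_solution([A1, A2], [Z1, Z2], f, Q) for f in family_F(N, 2)))
```

The second row of `rot(a, F_NEGACYCLIC, Q)` comes out as `[-a[3], a[0], a[1], a[2]]` mod q, matching the negacyclic matrix on slide 17, and `plwe_sample` and `plwe_sample_as_lwe` agree, which is the sense in which a PLWE_f sample is an LWE sample with a structured `A`. Replacing `[Z1, Z2]` by `[Z1, Z1]` breaks the exact relation over $\mathbb{Z}_q[x]$, and for this instance it also fails mod $x^4 + 1$; the implication only runs from PSIS_∅ to PSIS_f, never the other way, which is exactly why PSIS_∅ hedges across the whole family.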
