mpsign a signature from small secret middle product
play

MPSign: A Signature from Small-Secret Middle-Product Learning with - PowerPoint PPT Presentation

Dec 08, 2022 •161 likes •820 views

MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das Ryo Hiromasa Miruna Rosca Amin Sakzad Damien Stehl Ron Steinfeld Zhenfei Zhang Miruna Rosca MPSign PKC 2020 1 / 22 What is this talk about?

  1. MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das Ryo Hiromasa Miruna Rosca Amin Sakzad Damien Stehlé Ron Steinfeld Zhenfei Zhang Miruna Rosca MPSign PKC 2020 1 / 22

  2. What is this talk about? A digital signature scheme whose security in the QROM relies on the hardness of solving ApproxSVP f for many polynomials f . Main ingredient: A reduction from small secret PLWE f to small secret MP-LWE which works for many f ’s. Miruna Rosca MPSign PKC 2020 2 / 22

  3. Overview 1. Background 2. Hardness of MP-LWE with small secrets 3. MPSign: our digital signature based on small secret MP-LWE Miruna Rosca MPSign PKC 2020 3 / 22

  4. Background Miruna Rosca MPSign PKC 2020 4 / 22

  5. Digital signature DS = ( Gen , Sign , Ver ) pk sk Miruna Rosca MPSign PKC 2020 5 / 22

  6. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Miruna Rosca MPSign PKC 2020 5 / 22

  7. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Ver pk ( m, σ ) ∈ { 0 , 1 } Miruna Rosca MPSign PKC 2020 5 / 22

  8. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Ver pk ( m, σ ) ∈ { 0 , 1 } Correctness : Ver pk ( m, Sign sk ( m )) = 1 w.h.p. Miruna Rosca MPSign PKC 2020 5 / 22

  9. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Ver pk ( m, σ ) ∈ { 0 , 1 } Correctness : Ver pk ( m, Sign sk ( m )) = 1 w.h.p. ufCMA Security : DS is secure if no adversary, having access to many signatures, is able to produce a signature for a new message. Miruna Rosca MPSign PKC 2020 5 / 22

  10. How to build lattice-based crypto? PSIS f PLWE f [LM06],[PR07] [SSTX09],[LPR10] ApproxSVP f Miruna Rosca MPSign PKC 2020 6 / 22

  11. How to build lattice-based crypto? PSIS f PLWE f [LM06],[PR07] [SSTX09],[LPR10] ApproxSVP f [CDPR16], [BBV+17], [CDW17], etc. ApproxSVP f is easier than ApproxSVP for some f ’s in some parameter regimes and setups. Miruna Rosca MPSign PKC 2020 6 / 22

  12. [Lyu16]: A problem at least as hard as many PSIS f PSIS over Z q [ x ] . . . . . . PSIS f 1 PSIS f 2 PSIS f m Miruna Rosca MPSign PKC 2020 7 / 22

  13. [Lyu16]: A problem at least as hard as many PSIS f PSIS over Z q [ x ] . . . . . . PSIS f 1 PSIS f 2 PSIS f m Application : digital signature scheme Miruna Rosca MPSign PKC 2020 7 / 22

  14. [RSSS17]: A problem at least as hard as many PLWE f MP - LWE . . . . . . PLWE f 1 PLWE f 2 PLWE f m Miruna Rosca MPSign PKC 2020 8 / 22

  15. [RSSS17]: A problem at least as hard as many PLWE f MP - LWE . . . . . . PLWE f 1 PLWE f 2 PLWE f m Applications of MP-LWE public key encryption: [RSSS17], [SSZ18], [BBD+19] identity based encryption: [LVV19] Miruna Rosca MPSign PKC 2020 8 / 22

  16. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 Miruna Rosca MPSign PKC 2020 9 / 22

  17. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) Miruna Rosca MPSign PKC 2020 9 / 22

  18. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 Distinguish between P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n Miruna Rosca MPSign PKC 2020 9 / 22

  19. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 Distinguish between P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  20. The PLWE f and MP-LWE problems f poly. of degree n PLWE f MP-LWE n,d q,χ 1 ,χ 2 q,χ 1 ,χ 2 Distinguish between P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  21. The PLWE f and MP-LWE problems f poly. of degree n PLWE f MP-LWE n,d q,χ 1 ,χ 2 q,χ 1 ,χ 2 Distinguish between MP n,d P f q,χ 1 ( s ) for s ∈ Z <n + d − 1 q,χ 1 ( s ) for s ∈ Z q [ x ] /f [ x ] q ֓ U ( Z <n a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 a ← q [ x ]) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) return ( a, b = a ⊙ d s + e ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  22. The PLWE f and MP-LWE problems f poly. of degree n PLWE f MP-LWE n,d q,χ 1 ,χ 2 q,χ 1 ,χ 2 Distinguish between Distinguish between MP n,d P f q,χ 1 ( s ) for s ∈ Z <n + d − 1 q,χ 1 ( s ) for s ∈ Z q [ x ] /f [ x ] q ֓ U ( Z <n a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 a ← q [ x ]) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) return ( a, b = a ⊙ d s + e ) and and U ( Z q [ x ] /f × R q [ x ] /f ) <n U ( Z <n q [ x ] × R <d q [ x ]) with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  23. Hardness of MP-LWE with small secrets Miruna Rosca MPSign PKC 2020 10 / 22

  24. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , U [RSSS17] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  25. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , D ? MP-LWE n,d q, D , U [RSSS17] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  26. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , D ? MP-LWE n,d PLWE f q, D , U q, D , D [RSSS17] [ACPS09] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  27. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , D This work MP-LWE n,d PLWE f q, D , U q, D , D [RSSS17] [ACPS09] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  28. From PLWE f to MP-LWE for many f ’s * f ∈ Z [ x ] of degree n , d ≤ n * D R ,σ : Gaussian on R with standard deviation σ * D Z ,σ : Gaussian on Z with standard deviation σ MP-LWE n,d PLWE f [RSSS17] q,χ 1 ,χ 2 q,χ 1 ,χ 2 χ 1 D R d ,α ′ q D R n ,αq U ( Z n + d − 1 U ( Z n χ 2 ) q ) q MP-LWE n,d PLWE f This work q,χ 1 ,χ 2 q,χ 1 ,χ 2 χ 1 D Z d ,α ′′ q D Z n ,αq χ 2 D Z n + d − 1 ,α ′ q D Z n ,αq Miruna Rosca MPSign PKC 2020 12 / 22

  29. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Miruna Rosca MPSign PKC 2020 13 / 22

  30. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Take first column M f b = Rot f ( a ) M f s + M f e × Miruna Rosca MPSign PKC 2020 13 / 22

  31. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Take first column M f b = Rot f ( a ) M f s + M f e × Decompose Rot f ( a ) b ′ = Rot f (1) M f s M f e Toep ( a ) + × Miruna Rosca MPSign PKC 2020 13 / 22

  32. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Take first column M f b = Rot f ( a ) M f s + M f e × Decompose Rot f ( a ) b ′ = Rot f (1) M f s M f e Toep ( a ) + × Rename b ′ = s ′ e ′ Toep ( a ) + × Miruna Rosca MPSign PKC 2020 13 / 22

  33. From small secret PLWE f to small secret MP-LWE M f e + e Miruna Rosca MPSign PKC 2020 14 / 22

  34. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ Miruna Rosca MPSign PKC 2020 14 / 22

  35. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ We need a lower bound on the smallest singular value of M f . Miruna Rosca MPSign PKC 2020 14 / 22

  36. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ We need a lower bound on the smallest singular value of M f .  0 0  ∗ ∗ ∗ ∗ 0 0 0 ∗ ∗ ∗   • more restrictive family of f ’s   0 0 0 0 ∗ ∗   M f =   0 0 0 0 0  ∗     0 0 0 0 0  ∗   0 0 0 0 0 ∗ Miruna Rosca MPSign PKC 2020 14 / 22

  37. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ We need a lower bound on the smallest singular value of M f .  0 0  ∗ ∗ ∗ ∗ 0 0 0 ∗ ∗ ∗   • more restrictive family of f ’s   0 0 0 0 ∗ ∗   M f =   • larger noise amplification 0 0 0 0 0  ∗     0 0 0 0 0  ∗   0 0 0 0 0 ∗ Miruna Rosca MPSign PKC 2020 14 / 22

Recommend

The Secret of Success In Iraq: Its All About The People SAME Mid-Atlantic/ Middle East

The Secret of Success In Iraq: Its All About The People SAME Mid-Atlantic/ Middle East

The Secret of Success In Iraq: Its All About The People SAME Mid-Atlantic/ Middle East Regional Conference October 11, 2007 Cultural Challenges In Iraq &amp; Beyond DoD &amp; Industry Will Continue To Work Globally &amp; Face

615 views • 38 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
The Secret to Managing Shared Secrets ActiveState State Tool Webinar The Secret to

The Secret to Managing Shared Secrets ActiveState State Tool Webinar The Secret to

The Secret to Managing Shared Secrets ActiveState State Tool Webinar The Secret to Managing Shared Secrets Welcome Pete Garcin Dana Crane Senior Product Manager Product Marketing ActiveState (@rawktron) Manager, ActiveState The

814 views • 35 slides
INTRODUCTION: A DIFFERENT KIND OF SERMON. 1 The Secret Shame of Middle Class Americans

INTRODUCTION: A DIFFERENT KIND OF SERMON. 1 The Secret Shame of Middle Class Americans

INTRODUCTION: A DIFFERENT KIND OF SERMON. 1 The Secret Shame of Middle Class Americans FED: 47% &lt; $400 2 Sermon on Contentment Slides.key - May 9, 2016 1. YOU CANT TAKE IT WITH YOU the world and its desire are passing away,

420 views • 16 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
LESER Product Range, Developments &amp; Specialties of Middle East Rupendra Singh, LESER Middle

LESER Product Range, Developments &amp; Specialties of Middle East Rupendra Singh, LESER Middle

Tamilnadu Engineers Forum Kuwait 5th Technological Innovations Conference &amp; Exhibition 2 November 2014 LESER Product Range, Developments &amp; Specialties of Middle East Rupendra Singh, LESER Middle East Objectives of todays presentation

404 views • 39 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret

VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret

NEW YORK LONDON SHANGHAI VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret Sport WE ARE MISSION VISION VALUES 8.1% GROWTH BY 2022 3BN DOMESTIC VALUE STATS WE OFFER LINGERIE PANTIES

340 views • 30 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin R. Albrecht Information Security Group, Royal Holloway, University of London Learning with Errors or 1 Oded Regev. On lattices, learning with

586 views • 26 slides
PPR control and eradication challenges in the Middle East Middle East characteristics Large

PPR control and eradication challenges in the Middle East Middle East characteristics Large

Ghazi Yehia Xavier Pacholek OIE Regional Representation for the Middle East PPR control and eradication challenges in the Middle East Middle East characteristics Large small ruminants (SR) population 10% world sheep herd o 105 million

420 views • 16 slides
Edge Working Group and Activities The Vision thing - Product goals and objects. The Secret Sauce:

Edge Working Group and Activities The Vision thing - Product goals and objects. The Secret Sauce:

Edge Working Group and Activities The Vision thing - Product goals and objects. The Secret Sauce: Tools and Automation Pain Points and the Ask Confidential and proprietary materials for authorized Verizon personnel and outside agencies only.

557 views • 20 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not

A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not

Mailchimp Scale: A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not much of a secret. 2 Focus on the small business Empowering the Underdog 3 We give marketers production-ready

940 views • 82 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp.

Secret Sharing See: Shamir, How to Share a Secret , CACM, Vol. 22, No. 11, November 1979, pp. 612613 Eli Biham - May 3, 2005 c 497 Secret Sharing (17) How to Keep a Secret Key Securely Information can be secured by encryption under a

597 views • 23 slides
Operation Signature Protecting the vulnerable from Fraud Sarah Cohen Crime Prevention Advisor

Operation Signature Protecting the vulnerable from Fraud Sarah Cohen Crime Prevention Advisor

Operation Signature Protecting the vulnerable from Fraud Sarah Cohen Crime Prevention Advisor How it all began Tom Beckett from West Sussex sent over 100,000 to Scammers Scam the Secret Crime Click on this link to play a short

324 views • 14 slides
Laboratories for Small Brewers Kevin Mutch Peripatetic Brewer 11 April 19 Topics Product

Laboratories for Small Brewers Kevin Mutch Peripatetic Brewer 11 April 19 Topics Product

Laboratories for Small Brewers Kevin Mutch Peripatetic Brewer 11 April 19 Topics Product consistency Sample Plan Product Specification Product testing In-process Post-process Equipment Required Methodologies Product Consistency

605 views • 44 slides
1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Mirosaw Kutyowski 1 and 1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun Shao 2 Definitions of 1-out-of-2 signature 1 Institute of Mathematics and Computer Science Our

489 views • 34 slides
businesses EBRD know how Advice for Small Businesses Where we are Main product Ice-cream

businesses EBRD know how Advice for Small Businesses Where we are Main product Ice-cream

Advice for Small Businesses Advice for small businesses EBRD know how Advice for Small Businesses Where we are Main product Ice-cream Number of employees 120 Turnover 991500 Key priority Manufactu 26 26 cou count ntries es

452 views • 14 slides
set to take off at the secret is out! The Secret is out! This years Emmys gift bags will be the

set to take off at the secret is out! The Secret is out! This years Emmys gift bags will be the

set to take off at the secret is out! The Secret is out! This years Emmys gift bags will be the international launchpad of a new Australian owned moisturizer specifically formulated for airline passengers and cabin crew. Aviation

493 views • 3 slides
Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last

Advanced Tools from Modern Cryptography Lecture 3 Secret-Sharing (ctd.) Secret-Sharing Last time (n,t) secret-sharing (n,n) via additive secret-sharing Shamir secret-sharing for general (n,t) Shamir secret-sharing is a linear

611 views • 14 slides

More recommend