SPRING Fast Pseudorandom Functions from Rounded Ring Products G. - PowerPoint PPT Presentation

1 / 16 SPRING FSE 2014 Tweaks SPRING Implementation SPRING Fast Pseudorandom Functions from Rounded Ring Products G. Leurent () . . . . . . . . . . . . . . . Abhishek Banerjee 1 Hai Brenner 2 Gaëtan Leurent 3 Chris Peikert 1 Alon Rosen 2 1 Georgia Institute of Technology 2 IDC Herzliya 3 UCL  Inria FSE 2014

2 / 16 SPRING FSE 2014 Tweaks SPRING Implementation Motivation G. Leurent () Bridging the gap Public key Secret key . . . . . . . . . . . . . . . ▶ Strong algebraic ▶ Security from structure cryptanalysis ▶ Security reduction ▶ Fast ▶ Slow . . . ▶ Can we have an efficient design with strong algebraic structure? ▶ Security reduction from a wellunderstood problem? ▶ Extra features? ▶ Previous examples: SWIFFT, FSB, Lapin, HB family

2 / 16 SPRING FSE 2014 Tweaks SPRING Implementation Motivation G. Leurent () Bridging the gap Public key Secret key . . . . . . . . . . . . . . . ▶ Strong algebraic ▶ Security from structure cryptanalysis ▶ Security reduction ▶ Fast ▶ Slow . . . ▶ Can we have an efficient design with strong algebraic structure? ▶ Security reduction from a wellunderstood problem? ▶ Extra features? ▶ Previous examples: SWIFFT, FSB, Lapin, HB family

3 / 16 ⎛ 􏾠 ⎟ ⎟ ⎝ ⎜ ⎜ ⎠ SPRING G. Leurent () Subset Product with Rounding over a ring SPRING construction Implementation SPRING Tweaks FSE 2014 ⎞ . . . . . . . . . . . . . . . k x j F a ,⃗ s ( x 1 , … , x k ) ∶= S a ⋅ s j j = 1 ▶ Latticebased PRF [BPR, Eurocrypt ’12] ▶ Polynomial ring R p = ℤ p [ X ]/( X n + 1 ) ▶ Key: a , ( s i ) k i = 1 ∈ R p ▶ Rounding function S ▶ e.g. MSB of each polynomial coefficient

4 / 16 SPRING FSE 2014 Tweaks SPRING Implementation SPRING security G. Leurent () . . . . . . . . . . . . . . . ▶ Based on the RL W E assumption ▶ Secret polynomial s ∈ R p , R p = ℤ p [ X ]/( X n + 1 ) ▶ Distinguish ( a i , a i ⋅ s + e i ) from uniform ▶ Reduction to worstcase ideal lattice problems ▶ Deterministic version: RL W R assumption ▶ Secret polynomial s ∈ R p ▶ Distinguish ( a i , ⌊ a i ⋅ s ⌉) from uniform ▶ Rounding removes information, like adding noise ▶ Two SPRING outputs gives something similar to an LWR sample x j s ( x 1 , … , x k ) ∶= S 􏿶 a ⋅ ∏ k ▶ F a ,⃗ j = 1 s j 􏿹 ▶ Secret polynomials s , t ▶ Output (⌊ t ⌉, ⌊ t ⋅ s ⌉)

4 / 16 SPRING FSE 2014 Tweaks SPRING Implementation SPRING security G. Leurent () . . . . . . . . . . . . . . . ▶ Based on the RL W E assumption ▶ Secret polynomial s ∈ R p , R p = ℤ p [ X ]/( X n + 1 ) ▶ Distinguish ( a i , a i ⋅ s + e i ) from uniform ▶ Reduction to worstcase ideal lattice problems ▶ Deterministic version: RL W R assumption ▶ Secret polynomial s ∈ R p ▶ Distinguish ( a i , ⌊ a i ⋅ s ⌉) from uniform ▶ Rounding removes information, like adding noise ▶ Two SPRING outputs gives something similar to an LWR sample x j s ( x 1 , … , x k ) ∶= S 􏿶 a ⋅ ∏ k ▶ F a ,⃗ j = 1 s j 􏿹 ▶ Secret polynomials s , t ▶ Output (⌊ t ⌉, ⌊ t ⋅ s ⌉)

5 / 16 SPRING FSE 2014 Tweaks SPRING Implementation From provable security to efficiency G. Leurent () . . . . . . . . . . . . . . . ▶ Security reduction require huge parameters ▶ What happens when we use small parameters? ▶ Security reduction not applicable as such ▶ Guideline towards reasonable constructions (mode of operation?) ▶ Bias can appear (was negligible with large parameters) ▶ Concrete security evaluation needed

6 / 16 SPRING FSE 2014 Tweaks SPRING Implementation Choice of ring SPRING G. Leurent () . . . . . . . . . . . . . . . x j s ( x 1 , … , x k ) ∶= S 􏿶 a ⋅ ∏ k over R p = ℤ p [ X ]/( X n + 1 ) F a ,⃗ j = 1 s j 􏿹 ▶ Select parameters with fast polynomial product 1 Polynomial product very efficient using FFT algorithm 2 Arithmetic mod 2 i + 1 is efficient in software ▶ Problem was studied for SWIFFT ▶ Use p = 257, n = 128

7 / 16 SPRING FSE 2014 Tweaks SPRING Implementation G. Leurent () . . . . . . . . . . . . . . . Product in the ring R 257 Fast polynomial product h = f ⋅ g 1 Evaluate f and g : f i = f ( x i ) , g i = g ( x i ) (256 points) 2 Multiply values coefficientswise 3 Interpolate h s.t. h ( x i ) = f i × g i (degree 256) ▶ Let 𝜕 be a 256th root of unity, x i = 𝜕 i , 𝜕 = 41 Use FFT for evaluation/interpolation in n log ( n ) ▶ We want f ⋅ g mod x 128 + 1 ▶ x 128 + 1 = ∏( x − 𝜕 2 i + 1 ) ▶ Chinese Remainder: compute h mod x − 𝜕 2 i + 1 i.e. h (𝜕 2 i + 1 ) ▶ Evaluating f (𝜕 2 i + 1 ) ▶ 𝜚 ∶ ∑ b i ⋅ x i ↦ ∑( b i ⋅ 𝜕 i ) ⋅ x i ▶ 𝜚( f )(𝜕 2 i ) = f (𝜕 2 i + 1 ) ▶ FFT 128 (𝜚( f ⋅ g )) = FFT 128 (𝜚( f )) × FFT 128 (𝜚( g )) (coeff.wise × )

7 / 16 SPRING FSE 2014 Tweaks SPRING Implementation G. Leurent () . . . . . . . . . . . . . . . Product in the ring R 257 Fast polynomial product h = f ⋅ g 1 Evaluate f and g : f i = f ( x i ) , g i = g ( x i ) (256 points) 2 Multiply values coefficientswise 3 Interpolate h s.t. h ( x i ) = f i × g i (degree 256) ▶ Let 𝜕 be a 256th root of unity, x i = 𝜕 i , 𝜕 = 41 Use FFT for evaluation/interpolation in n log ( n ) ▶ We want f ⋅ g mod x 128 + 1 ▶ x 128 + 1 = ∏( x − 𝜕 2 i + 1 ) ▶ Chinese Remainder: compute h mod x − 𝜕 2 i + 1 i.e. h (𝜕 2 i + 1 ) ▶ Evaluating f (𝜕 2 i + 1 ) ▶ 𝜚 ∶ ∑ b i ⋅ x i ↦ ∑( b i ⋅ 𝜕 i ) ⋅ x i ▶ 𝜚( f )(𝜕 2 i ) = f (𝜕 2 i + 1 ) ▶ FFT 128 (𝜚( f ⋅ g )) = FFT 128 (𝜚( f )) × FFT 128 (𝜚( g )) (coeff.wise × )

7 / 16 SPRING FSE 2014 Tweaks SPRING Implementation G. Leurent () . . . . . . . . . . . . . . . Product in the ring R 257 Fast polynomial product h = f ⋅ g 1 Evaluate f and g : f i = f ( x i ) , g i = g ( x i ) (256 points) 2 Multiply values coefficientswise 3 Interpolate h s.t. h ( x i ) = f i × g i (degree 256) ▶ Let 𝜕 be a 256th root of unity, x i = 𝜕 i , 𝜕 = 41 Use FFT for evaluation/interpolation in n log ( n ) ▶ We want f ⋅ g mod x 128 + 1 ▶ x 128 + 1 = ∏( x − 𝜕 2 i + 1 ) ▶ Chinese Remainder: compute h mod x − 𝜕 2 i + 1 i.e. h (𝜕 2 i + 1 ) ▶ Evaluating f (𝜕 2 i + 1 ) ▶ 𝜚 ∶ ∑ b i ⋅ x i ↦ ∑( b i ⋅ 𝜕 i ) ⋅ x i ▶ 𝜚( f )(𝜕 2 i ) = f (𝜕 2 i + 1 ) ▶ FFT 128 (𝜚( f ⋅ g )) = FFT 128 (𝜚( f )) × FFT 128 (𝜚( g )) (coeff.wise × )

7 / 16 SPRING FSE 2014 Tweaks SPRING Implementation G. Leurent () . . . . . . . . . . . . . . . Product in the ring R 257 Fast polynomial product h = f ⋅ g mod x 128 + 1 1 Evaluate f and g : f i = f ( x i ) , g i = g ( x i ) (128 points) 2 Multiply values coefficientswise 3 Interpolate h s.t. h ( x i ) = f i × g i (degree 128) ▶ Let 𝜕 be a 256th root of unity, x i = 𝜕 2 i + 1 , 𝜕 = 41 Use FFT for evaluation/interpolation in n log ( n ) ▶ We want f ⋅ g mod x 128 + 1 ▶ x 128 + 1 = ∏( x − 𝜕 2 i + 1 ) ▶ Chinese Remainder: compute h mod x − 𝜕 2 i + 1 i.e. h (𝜕 2 i + 1 ) ▶ Evaluating f (𝜕 2 i + 1 ) ▶ 𝜚 ∶ ∑ b i ⋅ x i ↦ ∑( b i ⋅ 𝜕 i ) ⋅ x i ▶ 𝜚( f )(𝜕 2 i ) = f (𝜕 2 i + 1 ) ▶ FFT 128 (𝜚( f ⋅ g )) = FFT 128 (𝜚( f )) × FFT 128 (𝜚( g )) (coeff.wise × )

8 / 16 SPRING FSE 2014 Tweaks SPRING Implementation Implementation tricks SPRING PRF G. Leurent () . . . . . . . . . . . . . . . x j s ( x 1 , … , x k ) ∶= S 􏿶 a ⋅ ∏ k F a ,⃗ j = 1 s j 􏿹 ▶ Use FFT for the subset product ▶ ∏ x j = 1 s j = 𝜚 − 1 􏿶 FFT − 1 􏿶⨉ x j = 1 FFT (𝜚( s j ))􏿹􏿹 ▶ Store ̃ s j ∶= FFT (𝜚( s j )) (equivalent key) ▶ ∏ x j = 1 s j = 𝜚 − 1 􏿶 FFT − 1 􏿶⨉ x j = 1 ̃ s j 􏿹􏿹 (coefficientswise product) ▶ Use counter mode for a stream cipher ▶ Single addition instead of subsetsum

8 / 16 SPRING FSE 2014 Tweaks SPRING Implementation Implementation tricks SPRING PRF G. Leurent () . . . . . . . . . . . . . . . x j s ( x 1 , … , x k ) ∶= S 􏿶 a ⋅ ∏ k F a ,⃗ j = 1 s j 􏿹 ▶ Use FFT for the subset product ▶ ∏ x j = 1 s j = 𝜚 − 1 􏿶 FFT − 1 􏿶⨉ x j = 1 FFT (𝜚( s j ))􏿹􏿹 ▶ Store 􏾨 s ij ∶= log 􏿵􏾫 s ij 􏿸 , ̃ s j ∶= FFT (𝜚( s j )) (equivalent key) ▶ ∏ x j = 1 s j = 𝜚 − 1 􏿶 FFT − 1 􏿶 exp 􏿶∑ x j = 1 􏾨 s j 􏿹􏿹􏿹 (coefficientswise product) ▶ Use counter mode for a stream cipher ▶ Single addition instead of subsetsum

8 / 16 SPRING FSE 2014 Tweaks SPRING Implementation Implementation tricks SPRING PRF G. Leurent () . . . . . . . . . . . . . . . x j s ( x 1 , … , x k ) ∶= S 􏿶 a ⋅ ∏ k F a ,⃗ j = 1 s j 􏿹 ▶ Use FFT for the subset product ▶ ∏ x j = 1 s j = 𝜚 − 1 􏿶 FFT − 1 􏿶⨉ x j = 1 FFT (𝜚( s j ))􏿹􏿹 ▶ Store 􏾨 s ij ∶= log 􏿵􏾫 s ij 􏿸 , ̃ s j ∶= FFT (𝜚( s j )) (equivalent key) ▶ ∏ x j = 1 s j = 𝜚 − 1 􏿶 FFT − 1 􏿶 exp 􏿶∑ x j = 1 􏾨 s j 􏿹􏿹􏿹 (coefficientswise product) ▶ Use counter mode for a stream cipher ▶ Single addition instead of subsetsum