Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for Large Weight Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich Our Trapdoor and its Associated Decoder Information Security Group, Royal Holloway, University of London, UK Reaching Uniform Signatures September 18, 2019 Security Proof London-ish Lattice Meeting Conclusion 1 / 48
Wave: A new family of trapdoor Results preimage sampleable functions Thomas Debris-Alazard, • The first code-based “hash-and-sign” that follows the GPV Nicolas Sendrier and Jean-Pierre strategy (Trapdoor Preimage Sampleable functions) ; Tillich Introduction • Security reduction to two problems (NP-complete) of coding Hardness of Syndrome theory: Decoding for Large Weight • Generic decoding of a linear code; Our Trapdoor and its • Distinguish between random codes and generalized Associated ( U , U + V )-codes. Decoder Reaching Uniform Signatures • Key Size ≈ 3MB, signature size ≈ 13Kb, signing time ≈ 0 . 1s Security Proof (non-optimized); Conclusion • Nice feature: uniform signatures through an efficient rejection sampling, one rejection every ≈ 100 signatures. 2 / 48
Wave: A new family of trapdoor preimage sampleable functions 1 Introduction Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich 2 Hardness of Syndrome Decoding for Large Weight Introduction Hardness of Syndrome 3 Our Trapdoor and its Associated Decoder Decoding for Large Weight Our Trapdoor and its 4 Reaching Uniform Signatures Associated Decoder Reaching Uniform Signatures 5 Security Proof Security Proof Conclusion 6 Conclusion 3 / 48
Wave: A new family of trapdoor Digital signature scheme preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich Unsecure channel Introduction Hardness of Syndrome Decoding for Large Weight m ′ : Bob Alice: m Our Trapdoor and its Associated Alice wants to ensure Bob that: Decoder Reaching • m has not been corrupted ( m = m ′ ). Uniform Signatures • m comes from Alice Security Proof Conclusion → Idea: add a signature to m 4 / 48
Wave: A new family of trapdoor Digital signature scheme preimage sampleable functions Thomas Debris-Alazard, Alice first makes the following operations: Nicolas Sendrier and Jean-Pierre • Generation of ( pk , sk ). Tillich • Send pk to everyone . Introduction Hardness of Syndrome Decoding for Unsecure channel Large Weight Our Trapdoor and its Associated ( m ′ , σ ′ ): Bob Decoder Alice: ( m , σ ) Reaching Uniform (( m ′ , σ ′ ) , pk ) σ ( m , sk ) b ∈ { 0 , 1 } Signatures Security Proof Conclusion Sgn Vrfy 5 / 48
Wave: A new family of trapdoor Full Domain Hash Signature preimage sampleable functions Thomas Debris-Alazard, • f be a trapdoor one-way function Nicolas Sendrier and Jean-Pierre Tillich Easy Introduction Hardness of Syndrome Decoding for x f ( x ) Large Weight Our Trapdoor and its Associated Decoder Hard Reaching Uniform Easy with trap. Signatures Security Proof Conclusion • To sign m one computes y = H ( m ) (hash) and σ ∈ f − 1 ( y ). → It is required to invert f on all vectors (full domain). • Verification f ( σ ) = H ( m )? 6 / 48
Wave: A new family of trapdoor ... with Bijective Trapdoors preimage sampleable functions OW? Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich • Let f be a bijective trapdoor one-way function Introduction Hardness of Syndrome • To sign m , compute σ = f − 1 ( H ( m )) ( H hash function) Decoding for Large Weight Our Trapdoor H ( m ) is uniform (ROM) ⇒ σ is uniform too! and its Associated Decoder (no leakage) Reaching Uniform Signatures Security Proof Conclusion Signature schemes DSA, RSA meet this nice feature Hard condition to meet in code/lattice-based cryptography... 7 / 48
Wave: A new family of trapdoor Gentry-Peikert-Vaikuntanathan preimage sampleable functions (GPV) Approach Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich Introduction Hardness of Syndrome Decoding for Large Weight It is based on trapdoor one-way preimage sampleable function! Our Trapdoor and its Associated A family of trapdoor one way-functions ( f a ) a and a distribution D Decoder such that Reaching Uniform Signatures $ • f a ( x ) is uniformly distributed when x ← D , Security Proof Conclusion • algorithm computing x ← f − 1 ( y ) with the trapdoor is a distributed according to D 8 / 48
Wave: A new family of trapdoor Gentry-Peikert-Vaikuntanathan preimage sampleable functions (GPV) Approach Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich Introduction Hardness of Syndrome Decoding for Large Weight It is based on trapdoor one-way preimage sampleable function! Our Trapdoor and its Associated A family of trapdoor one way-functions ( f a ) a and a distribution D Decoder such that Reaching Uniform Signatures $ • f a ( x ) is uniformly distributed when x ← D , Security Proof Conclusion • algorithm computing x ← f − 1 ( y ) with the trapdoor is a distributed according to D � uniform over words of fixed Hamming weight in our case D = gaussian for lattices 8 / 48
Wave: A new family of trapdoor Trapdoor One-way of Wave preimage sampleable functions Our one-way will be ( | · | Hamming weight) Thomas Debris-Alazard, { e ∈ F n F n − k Nicolas Sendrier f H : q : | e | = w } − → q and Jean-Pierre Tillich He ⊺ e �− → Introduction Inverting f H amounts to solve the following problem: Hardness of Syndrome Decoding for Large Weight Problem (Syndrome Decoding with fixed weight) Our Trapdoor and its Associated Given H ∈ F ( n − k ) × n , s ∈ F n − k , and an integer w, find e ∈ F n q such Decoder q q that He ⊺ = s ⊺ and | e | = w. Reaching Uniform Signatures Security Proof → Generic problem upon which all code-based cryptography relies Conclusion → Putting a trapdoor on f H consists in putting a structure on H ! Public-Key: H pk Signature of H ( m ): e of weight w with H pk e ⊺ = H ( m ). 9 / 48
Wave: A new family of trapdoor Codes: Basic Definition preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich Introduction Hardness of A code C is a subspace of F n Syndrome q Decoding for Large Weight When C is of dimension k it is defined by a parity-check matrix Our Trapdoor H ∈ F ( n − k ) × n and its of full-rank as: Associated q Decoder q : Hc ⊺ = 0 } Reaching △ = { c ∈ F n C Uniform Signatures Security Proof Conclusion 10 / 48
Wave: A new family of trapdoor The Trapdoor(I) preimage sampleable functions Thomas H pk parity-check matrix of a permuted generalized ( U , U + V ) code: Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich • A permutation P , Introduction • Two codes U and V of length n / 2, Hardness of Syndrome Decoding for • Four vectors a , b , c , d over F n / 2 such that Large Weight q Our Trapdoor and its a i d i − b i c i � = 0 and a i c i � = 0 Associated Decoder Reaching Uniform Signatures △ ( a ⊙ U + b ⊙ V , c ⊙ U + d ⊙ V ) P = { ( a ⊙ u + b ⊙ v , c ⊙ u + d ⊙ v ) P Security Proof : u ∈ U , v ∈ V } Conclusion with △ x ⊙ y =( x 1 y 1 , x 2 y 2 , · · · , x n / 2 y n / 2 ) 11 / 48
Wave: A new family of trapdoor The Trapdoor(II) preimage sampleable functions Example of generalized ( U , U + V )-code: Thomas Debris-Alazard, △ Nicolas Sendrier • ( U , U + V ) = { ( u , u + v ) : u ∈ U , v ∈ V } ; and Jean-Pierre Tillich △ • ( U + V , U − V ) = { ( u + v , u − v ) : u ∈ U , v ∈ V } ; Introduction • ... Hardness of Syndrome Decoding for • More generally, for all u = ( u 1 , · · · , u n / 2 ) ∈ U and Large Weight v = ( v 1 , · · · , v n / 2 ) ∈ V : Our Trapdoor and its Associated + n / 2 symbols Decoder Reaching , u n / 2 + v n / 2 , v n / 2 − u n / 2 � u 1 , u 2 + v 2 , · · · ; u 1 + v 1 , u 2 − v 2 , · · · � Uniform Signatures Security Proof n / 2 Conclusion 12 / 48
Wave: A new family of trapdoor The Trapdoor(II) preimage sampleable functions Example of generalized ( U , U + V )-code: Thomas Debris-Alazard, △ Nicolas Sendrier • ( U , U + V ) = { ( u , u + v ) : u ∈ U , v ∈ V } ; and Jean-Pierre Tillich △ • ( U + V , U − V ) = { ( u + v , u − v ) : u ∈ U , v ∈ V } ; Introduction • ... Hardness of Syndrome Decoding for • More generally, for all u = ( u 1 , · · · , u n / 2 ) ∈ U and Large Weight v = ( v 1 , · · · , v n / 2 ) ∈ V : Our Trapdoor and its Associated + n / 2 symbols Decoder Reaching , u n / 2 + v n / 2 , v n / 2 − u n / 2 � u 1 , u 2 + v 2 , · · · ; u 1 + v 1 , u 2 − v 2 , · · · � Uniform Signatures Security Proof n / 2 Conclusion Proposition Decide if a code is a permuted generalized ( U , U + V ) -code or not is NP-complete. 12 / 48
Recommend
More recommend
