Middle-Product Learning with Errors (MP-LWE) and its Hardness Ron - - PowerPoint PPT Presentation


Middle-Product Learning with Errors (MP-LWE) and its Hardness

Ron Steinfeld

Monash University, ron.steinfeld@monash.edu
CIS 2019 Winter School

Based on joint work [RSSS17], [SSZ17], [B+19] (work in progress, in submission) with subsets of: Shi Bai, Dipayan Das, Ryo Hiromasa, Miruna Rosca, Amin Sakzad, Damien Stehlé, Raymond K. Zhao, Zhenfei Zhang.

Ron Steinfeld (Monash University) MP-LWE and its hardness 28/03/2018 1 / 42


Outline of the talk

1- Introduction: Risk-Performance balance approach to Lattice Cryptography

2- Security Foundations:

   Polynomial-SIS over Zq[x] (PSIS∅) Problem
     - Definition of the problem [L16]
     - Hardness reduction from the hardest PSISf for a family of f's [L16]
     - Known attacks
     - Variant: Inhomogeneous P-SIS (I-PSIS∅) and its hardness with large secrets [L16] and insecurity with small secrets [B+19]

   Middle-Product LWE (MP-LWE) Problem
     - Definition of the problem [RSSS17]
     - Hardness reduction [RSSS17] and variants [SSZ17, SSZ19, LVV19, PP19]
     - Known attacks [SSZ17, SSZ19]
     - Variant: MP-LWE with small secrets and its hardness [B+19]
     - Variant: MP-LWE with large errors and its insecurity [B+19]

3- Summary and Open Problems


Intro


Motivation for the Research field

Lattice-Based Cryptography is a cutting-edge cryptographic 'technology'. It has several interesting properties:
  - High computational efficiency
  - Novel and powerful cryptographic functionalities/applications
  - Strong provable security guarantees
  - Believed 'post-quantum' security


Lattices Background: Approx-SVP

Lattice $\equiv \{\sum_{i \le n} x_i b_i : x_i \in \mathbb{Z}\}$, for some linearly independent $b_i$'s.

Minimum: $\lambda(L) = \min(\|b\| : b \in L \setminus \{0\})$.

γ-SVP

Find $b \in L$ with $0 < \|b\| \le \gamma \cdot \lambda(L)$.

No known sub-exponential algorithm for γ = poly(n). Not even quantumly. Seems harder than Int-Fac and DLog. But... hardness can depend on the choice of lattice L!


Low Security Risk Crypto: LWE Approach

Problem (Search Learning-with-Errors, Search-LWE$_{q,m,n,\alpha}$)

Given $A \leftarrow U(\mathbb{Z}_q^{m \times n})$ and $y = A \cdot s + e \bmod q$ (with $e$ 'small'), find $s$.

Advantage: Low Security Risk – no lattice structure, quantum reduction from worst-case arbitrary lattices in dim. n [R05]
Drawback: Low Performance – large ≥ n × n matrices, slow computation
Example cryptosystem: Frodo [BCD+16] / Frodo-KEM [ABD+17]


High Performance Crypto: PLWEf Approach

Q: How to fix performance? A: Add extra algebraic structure!

Problem (Search Polynomial Learning-with-Errors, Search-PLWE$^f_{q,m,n,\alpha}$)

Let $R_q = \mathbb{Z}_q[x]/(f(x))$ (e.g. $f(x) = x^n + 1$). Given $A \leftarrow U(R_q^{m \times 1})$ and $y = A \cdot s + e \bmod R_q$ (with $e$ 'small'), find $s$.

Advantage: High Performance – succinct matrix, fast polynomial arithmetic (FFT)
Drawback: High Security Risk – relies on PLWEf for a fixed f ... (reduction from ApproxSVPf: restricted to structured ('f-ideal') lattices)
Example cryptosystem: New Hope [ADPS16]


ApproxSVPf could be easy for some f ’s

ApproxSVPf Problem: ApproxSVP restricted to ideals in Z[x]/f(x).

[BS15]: quantum poly. time algorithm to find a generator of a principal ideal in any number field.

Weak f's for ApproxSVPf:
  The case of cyclotomics of prime power index:
    - [CDPR16]: quantum poly. time algorithm to find a short generator of a principal ideal for $2^{O(\sqrt{n})}$ approx. factor
    - [CDW17]: quantum poly. time algorithm to solve ApproxSVP for all ideals for $2^{O(\sqrt{n})}$ approx. factor
  The case of multiquadratics:
    - [BBdVLvV17]: quasi-poly. time algorithm to find a short generator of a principal ideal


ApproxSVP

[Figure: time versus approximation factor for ApproxSVP. Axes: approximation factor (from $2^n$ through $2^{\sqrt{n}}$ down to poly(n)) and time (from poly(n) through $2^{\sqrt{n}}$ up to $2^n$); one curve for arbitrary lattices and one for ideal lattices in cyclotomic fields of prime power index.]


How to balance security risk and performance?

Two prior approaches:
  - Non-cyclotomic f: use PLWEf with a non-cyclotomic polynomial f [BCLvV16], [PRSD17] (example cryptosystem: NTRUPrime)
  - Module PLWEf: replace $s \in \mathbb{Z}_q[x]/(f(x))$ with $s \in (\mathbb{Z}_q[x]/(f(x)))^k$ for small k [BGV11, LSS15, BDK+17] (example cryptosystem: Kyber)

Remaining 'all eggs in one basket' risk: which f gives a hard problem?

Q: Is there an approach balancing the 'one f' risk and performance?


How to balance security risk and performance?

Lyubashevsky [Lyu16] – first positive answer for digital signatures:
  - PSIS∅: SIS variant as secure as the hardest PSISf for a wide class F of f's.
  - Designed a signature scheme based on PSIS∅.

Basic Idea: work in the polynomial ring Z[x] – multiplication with no mod f!

Low security risk: hedge the risk across a huge class F, e.g.
$F = \{x^m + f_L x^L + f_{L-1} x^{L-1} + \cdots + f_1 x + f_0 : f_i \in \{-1, 0, 1\}\}$.
The size of F is exponential in L!

High Performance: the polynomial ring Z[x] can still support fast arithmetic!

But PSIS∅ [Lyu16] cannot be used for encryption, and more efficient lattice signature techniques also require an LWE variant.


Risk-Performance balance Crypto: MPLWE Approach

Rosca et al. [RSSS17] – first positive answer for encryption:
  - Middle-Product LWE (MP-LWE): polynomial variant of the LWE problem, as secure as the hardest PLWEf for a big family F of f's

Basic Idea: work in the polynomial ring Z[x] with a modified 'middle-product' ring multiplication.

  - Designed a public-key encryption scheme
  - Optimized NIST PQC encryption submission: Titanium [RSZ17]
  - Security-risk-vs.-performance balance: lower security risk guarantee than PLWEf schemes, better performance than LWE schemes
  - Designed improved digital signature schemes [B+18]


Security Foundations: Poly-SIS∅ (PSIS∅) Problem


Review: PSISf : PSIS over Zq[x]/f (x)

Recall the definition of (Ring) Polynomial SIS in a polynomial ring $\mathbb{Z}_q[x]/f$ with a modulus polynomial $f$ of degree $n$ (usually $f = x^n + 1$). Polynomial-based definition:

PSIS$^f_{q,n,k,\beta}$

Given $a_1, \ldots, a_k \leftarrow \mathbb{Z}_q[x]/f$, find non-zero polynomials $(z_1, \ldots, z_k)$ with $\deg z_i < n$ such that $\sum_{i \le k} z_i \cdot a_i = 0 \bmod f$ and $\|z_i\|_\infty \le \beta$ for $i \in [k]$.


Review: PSISf matrix interpretation

A polynomial $a(x) = a[0] + a[1] \cdot x + \cdots + a[n-1] \cdot x^{n-1}$ with $a[i] \in \mathbb{Z}$ is represented by its coefficient vector $a^T = [a[0], a[1], \ldots, a[n-1]]$. For two polynomials $a(x), z(x) \in \mathbb{Z}_q[x]$ of degree $< n$, if $c(x) = z(x) \cdot a(x) \bmod f(x)$ then $c(x) = \sum_{i < n} z[i] \cdot (x^i \cdot a(x) \bmod f(x))$, so

$c^T = z^T \cdot \mathrm{Rot}_f(a)$, where $\mathrm{Rot}_f(a)$ denotes the matrix whose $i$'th row is the coefficient vector of $x^i \cdot a(x) \bmod f(x)$. E.g. for $f(x) = x^n + 1$, since $x^n \bmod (x^n + 1) = -1$, we have

$$[c[0], \ldots, c[n-1]] = [z[0], \ldots, z[n-1]] \cdot \begin{pmatrix} a[0] & a[1] & a[2] & \cdots & a[n-1] \\ -a[n-1] & a[0] & a[1] & \cdots & a[n-2] \\ -a[n-2] & -a[n-1] & a[0] & \cdots & a[n-3] \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ -a[1] & -a[2] & -a[3] & \cdots & a[0] \end{pmatrix}.$$

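As an added example (not code from the slides or from the authors), the following Python builds the negacyclic matrix $\mathrm{Rot}_f(a)$ for $f(x) = x^n + 1$ exactly as displayed above, and checks that the row vector $z^T \cdot \mathrm{Rot}_f(a)$ agrees with the polynomial product $z(x) \cdot a(x) \bmod (x^n + 1, q)$. The modulus $q = 17$, $n = 4$ and the polynomials $a$, $z$ are constructed sample values.

```python
# Added example: Rot_f(a) for f(x) = x^n + 1 over Z_q, and the check
#   z^T . Rot_f(a)  ==  coefficients of z(x) * a(x) mod (x^n + 1, q).
# Polynomials are coefficient lists, index i = coefficient of x^i.

def poly_mul(a, b):
    """Schoolbook product of two integer-coefficient polynomials."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def reduce_negacyclic(c, n, q):
    """Reduce c(x) modulo x^n + 1 and q: since x^n = -1, x^(n+i) folds to -x^i."""
    out = [0] * n
    for i, ci in enumerate(c):
        sign = -1 if (i // n) % 2 else 1       # x^i = (-1)^(i div n) * x^(i mod n)
        out[i % n] = (out[i % n] + sign * ci) % q
    return out

def rot_negacyclic(a, q):
    """Rot_f(a) for f = x^n + 1: row i holds the coefficients of x^i * a(x) mod f.
    Each row is the previous one shifted right, with the last coefficient
    wrapped to the front and negated (that is the -a[.] left triangle)."""
    rows = []
    row = list(a)
    for _ in range(len(a)):
        rows.append([x % q for x in row])
        row = [-row[-1]] + row[:-1]
    return rows

def vec_mat(z, M, q):
    """Row vector z^T times matrix M over Z_q."""
    return [sum(z[i] * M[i][j] for i in range(len(z))) % q for j in range(len(M[0]))]

def check_rot(a, z, q):
    """Return (c via polynomial arithmetic, c via the matrix); both must agree."""
    n = len(a)
    c_poly = reduce_negacyclic(poly_mul(z, a), n, q)
    c_mat = vec_mat(z, rot_negacyclic(a, q), q)
    return c_poly, c_mat

if __name__ == "__main__":
    q = 17
    a = [3, 5, 7, 11]      # constructed a(x), degree < n = 4
    z = [1, -1, 0, 2]      # constructed small z(x)
    for row in rot_negacyclic(a, q):
        print(row)
    print(check_rot(a, z, q))
```

The second row of the printed matrix is $[-a[3], a[0], a[1], a[2]] \bmod 17$, i.e. the wrapped coefficient appears negated at the front, which is the only difference between this matrix and the plain Toeplitz matrix of the next slides.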

PSIS∅: PSIS over Zq[x]

Q: Can we define a variant of PSIS that is as hard as PSISf for many f's, rather than just one f?

Observation [L16]: If $\sum_i z_i(x) \cdot a_i(x) = 0$ in $\mathbb{Z}_q[x]$ (i.e. no mod f), then $\sum_i z_i(x) \cdot a_i(x) = 0 \bmod f(x)$ for any $f$.

This led Lyubashevsky [L16] to define PSIS∅.

PSIS∅$_{q,n,k,d,\beta}$

Given $a_1, \ldots, a_k \leftarrow \mathbb{Z}_q^{<n}[x]$, find a nontrivial solution to $\sum_{i \le k} z_i \cdot a_i = 0$ with $\|z_i\|_\infty \le \beta$ and $\deg z_i < d$ for $i \in [k]$.

Notation: $\mathbb{Z}_q^{<n}[x]$ is the set of polynomials over $\mathbb{Z}_q$ of degree $< n$.


PSIS∅: Toeplitz matrix interpretation

For two polynomials $a(x) \in \mathbb{Z}_q^{<n}[x]$ and $z(x) \in \mathbb{Z}_q^{<d}[x]$, if $c(x) = z(x) \cdot a(x) \in \mathbb{Z}_q^{<d+n-1}[x]$ then $c(x) = \sum_{i < d} z[i] \cdot (x^i \cdot a(x))$, so

$c^T = z^T \cdot \mathrm{Toep}_{d,n}(a)$, where $\mathrm{Toep}_{d,n}(a)$ is the $d \times (n + d - 1)$ matrix whose $i$-th row contains the coefficients of the polynomial $x^{i-1} \cdot a$, i.e. (blank entries are zero):

$$c^T = z^T \cdot \begin{pmatrix} a[0] & a[1] & \cdots & a[n-1] & & & \\ & a[0] & a[1] & \cdots & a[n-1] & & \\ & & \ddots & \ddots & & \ddots & \\ & & & a[0] & a[1] & \cdots & a[n-1] \end{pmatrix}.$$

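As an added example (not code from the slides or from the authors), the following Python builds $\mathrm{Toep}_{d,n}(a)$ as defined on this slide, checks that $z^T \cdot \mathrm{Toep}_{d,n}(a)$ is the plain product $z(x) \cdot a(x)$ in $\mathbb{Z}_q[x]$ with no reduction modulo $f$, and then verifies the observation of [L16] from the previous slide: a relation $\sum_i z_i \cdot a_i = 0$ in $\mathbb{Z}_q[x]$ remains a relation modulo every monic $f$. The modulus $q = 13$, the polynomials and the list of test moduli $f$ are constructed sample values; the zero relation $(z_1, z_2) = (a_2, -a_1)$ is used only because it is an easy way to construct one (its coefficients are as large as the $a_i$, so it is not a small-norm solution in the PSIS∅ sense).

```python
# Added example: Toep_{d,n}(a), the PSIS∅ relation via polynomials and via
# matrices, and the "zero in Z_q[x] implies zero mod every f" observation.
# Polynomials are coefficient lists, index i = coefficient of x^i.

def poly_mul(a, b):
    """Schoolbook product over the integers."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def poly_mod(c, f, q):
    """c(x) mod a monic f(x) over Z_q (f low-to-high, f[-1] == 1); returns deg f coefficients."""
    r = [x % q for x in c]
    m = len(f) - 1
    for i in range(len(r) - 1, m - 1, -1):      # eliminate x^i for i >= deg f, top down
        coef = r[i]
        if coef:
            for j in range(m + 1):
                r[i - m + j] = (r[i - m + j] - coef * f[j]) % q
    r += [0] * (m - len(r))
    return r[:m]

def toep(a, d, q):
    """Toep_{d,n}(a): d x (n+d-1) matrix; row i holds the coefficients of x^i * a(x)."""
    n = len(a)
    return [[a[j - i] % q if 0 <= j - i < n else 0 for j in range(n + d - 1)]
            for i in range(d)]

def vec_mat(z, M, q):
    """Row vector z^T times matrix M over Z_q."""
    return [sum(z[i] * M[i][j] for i in range(len(z))) % q for j in range(len(M[0]))]

def psis_relation(a_list, z_list, q):
    """sum_i z_i * a_i in Z_q[x], computed once with polynomials and once with
    Toeplitz matrices; the two coefficient vectors must agree."""
    n, d = len(a_list[0]), len(z_list[0])
    via_poly = [0] * (n + d - 1)
    via_mat = [0] * (n + d - 1)
    for a, z in zip(a_list, z_list):
        for idx, v in enumerate(poly_mul(z, a)):
            via_poly[idx] = (via_poly[idx] + v) % q
        for idx, v in enumerate(vec_mat(z, toep(a, d, q), q)):
            via_mat[idx] = (via_mat[idx] + v) % q
    return via_poly, via_mat

def is_zero_mod_every_f(a_list, z_list, fs, q):
    """True iff sum_i z_i * a_i reduces to 0 modulo each monic f in fs."""
    rel, _ = psis_relation(a_list, z_list, q)
    return all(not any(poly_mod(rel, f, q)) for f in fs)

if __name__ == "__main__":
    q = 13
    a1, a2 = [1, 2, 0], [3, 0, 1]                  # constructed a_i, n = 3
    z1, z2 = a2, [-x for x in a1]                  # constructed zero relation, d = 3
    fs = [[1, 0, 0, 1], [1, 1, 0, 1], [1, 0, 1]]   # x^3+1, x^3+x+1, x^2+1 (constructed)
    print(psis_relation([a1, a2], [z1, z2], q))
    print(is_zero_mod_every_f([a1, a2], [z1, z2], fs, q))
    print(is_zero_mod_every_f([a1], [[1, 1, 0]], fs, q))   # a non-relation, for contrast
```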

PSIS∅: Hardness reduction

Theorem (Hardness of PSIS∅ [L16])

PSIS$^f_{q,n,k,\beta}$ reduces to PSIS∅$_{q,n,k,d,\beta}$ for any monic $f \in \mathbb{Z}[x]$ in family $F$ s.t. $d \le \deg f \le n$.

Proof idea: Let $m := \deg f$. Given a PSISf instance $(a_1, \ldots, a_k)$, $a_i \in \mathbb{Z}_q^{<m}[x]$.

If $m = n$, run the PSIS∅ algorithm on $(a_1, \ldots, a_k)$ to get $z_1, \ldots, z_k$. Then $\sum_i z_i \cdot a_i = 0 \Rightarrow \sum_i z_i \cdot a_i = 0 \bmod f$, and $z \neq 0$ with $\deg z < d \le m \Rightarrow z \neq 0 \bmod f$.

If $m < n$, randomly lift $a_i$ to $a'_i = a_i + r_i \cdot f$, where $r_i \leftarrow \mathbb{Z}_q^{<n-m}[x]$, and run the PSIS∅ algorithm on $(a'_1, \ldots, a'_k)$.
  - $a'_i \bmod f = a_i$, so $\sum_i z_i \cdot a'_i = 0 \Rightarrow \sum_i z_i \cdot a_i = 0 \bmod f$, as above.
  - $a'_i$ is uniformly random in $\mathbb{Z}_q^{<n}[x]$: the top $n - m$ coefficients are random due to $r_i$, the bottom $m$ due to $a_i$.


PSIS∅: Known Attacks

Known attack on PSIS∅: the known attack on SIS, optimised to take advantage of the zero triangles in the Toeplitz blocks.

Fact 1. For $1 \le d' \le d$, PSIS∅$_{q,n,k,d,\beta}$ reduces to PSIS∅$_{q,n,k,d',\beta}$. (Proof: remove from the matrix the last $d - d'$ rows of each Toeplitz block.)

Fact 2. For $1 \le d' \le d$, PSIS∅$_{q,n,k,d',\beta}$ is an instance of SIS$_{q,\,n+d'-1,\,m = k \cdot d',\,\beta}$.

Optimise the choice of $d'$.


PSIS∅: Known Attacks

Optimised lattice attack – lattice reduction with root Hermite factor δ:

PSIS∅$_{q,n,k}$ lattice: $L(m) := \{(z_1, \ldots, z_k) \in (\mathbb{Z}_q^{<m/k}[x])^k : \sum_i z_i \cdot a_i = 0 \bmod q\}$, with $\det(L(m)) = q^{n + m/k - 1}$.

Norm of the attack's output SIS vector: $\ell(m) = \delta^m \cdot q^{(n + m/k - 1)/m} \approx q^{1/k} \cdot \delta^m \cdot q^{n/m}$.

Optimal attack SIS solution norm: $\ell(m^*) \approx q^{1/k} \cdot 2^{2\sqrt{n \log q \log \delta}}$, attained at $m^* \approx \sqrt{n \log q / \log \delta}$.

Conclusions: there is an extra $\approx q^{1/k}$ factor in $\ell(m^*)$ compared to SIS$_{q,n}$.
  ⇒ PSIS∅ attack cost > SIS$_{q,n}$ attack cost for $k$ small,
  ⇒ PSIS∅ attack cost ≈ SIS$_{q,n}$ attack cost for $k \gg \log q$.

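As an added example (not code from the slides or from the authors), the following Python evaluates the attack-output norm $\ell(m) = q^{1/k} \cdot \delta^m \cdot q^{n/m}$ from this slide over the sub-dimension $m$, finds the minimising $m$ by exhaustive search, and compares it with the closed forms $m^* = \sqrt{n \log q / \log \delta}$ and $\ell(m^*) = q^{1/k} \cdot 2^{2\sqrt{n \log q \log \delta}}$. It also isolates the $q^{1/k}$ gap to plain SIS$_{q,n}$ as a number of bits. The parameter values ($n = 256$, $q = 2^{13}$, $\delta = 1.005$, $k = 4$) are constructed for illustration and are not Titanium parameters.

```python
# Added example: the PSIS∅ attack cost model of the slide, in log2.
import math

def log2_norm(n, k, q, delta, m):
    """log2 of l(m) = q^{1/k} * delta^m * q^{n/m} for sub-dimension m."""
    return math.log2(q) / k + m * math.log2(delta) + n * math.log2(q) / m

def best_m(n, k, q, delta):
    """Integer m minimising log2 l(m), by exhaustive search over 1..10n.
    Returns (m, log2 l(m))."""
    m = min(range(1, 10 * n + 1), key=lambda t: log2_norm(n, k, q, delta, t))
    return m, log2_norm(n, k, q, delta, m)

def closed_form(n, k, q, delta):
    """The slide's closed forms: m* = sqrt(n log q / log delta) and
    log2 l(m*) = (log2 q)/k + 2 sqrt(n log2 q log2 delta)."""
    lq, ld = math.log2(q), math.log2(delta)
    m_star = math.sqrt(n * lq / ld)
    return m_star, lq / k + 2 * math.sqrt(n * lq * ld)

def closed_form_matches(n, k, q, delta, tol_m=1.0, tol_bits=1e-3):
    """True iff the search optimum agrees with the closed form (up to integer rounding of m)."""
    m, bits = best_m(n, k, q, delta)
    m_star, bits_star = closed_form(n, k, q, delta)
    return abs(m - m_star) <= tol_m and abs(bits - bits_star) <= tol_bits

def gap_bits_vs_sis(k, q):
    """Extra (log2 q)/k bits in l(m*) relative to SIS_{q,n}; vanishes as k >> log q."""
    return math.log2(q) / k

if __name__ == "__main__":
    n, k, q, delta = 256, 4, 2 ** 13, 1.005       # constructed parameters
    print("search:     m=%d  log2 l=%.3f" % best_m(n, k, q, delta))
    print("closed form: m=%.1f log2 l=%.3f" % closed_form(n, k, q, delta))
    for kk in (1, 4, 13, 100):
        print("k=%3d  gap to SIS_{q,n}: %.3f bits" % (kk, gap_bits_vs_sis(kk, q)))
```

The printed gap shrinks from 13 bits at $k = 1$ to about a tenth of a bit at $k = 100$, which is the "≈ SIS$_{q,n}$ attack cost for $k \gg \log q$" conclusion stated above.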

Variant: Inhomogeneous PSIS∅ – I-PSIS∅

In applications to signatures (next talk), we need an inhomogeneous variant of PSIS∅.

I-PSIS∅$_{q,n,k,d_1,d_2,s,c,\beta}$ [L16]

Assume $s \le \beta$. Given $a_1, \ldots, a_k \leftarrow \mathbb{Z}_q^{<n}[x]$ and $t = \sum_{i \le k} s_i \cdot a_i$ with $s_i \leftarrow U((-s, s)^{<d_1}[x])$, find $(z_1, \ldots, z_k)$ with $z_i \in \mathbb{Z}_q^{<d_2}[x]$, $\|z_i\|_\infty \le \beta$ for $i \in [k]$, and $c \in \mathbb{Z}_q^{<d_2 - d_1 + 1}[x]$ with $0 < \|c\|_1 \le c$, such that $\sum_{i \le k} z_i \cdot a_i = t \cdot c$.


Variant: I-PSIS∅ – Hardness with ‘Large’ secrets

For sufficiently 'large' secret coordinates, I-PSIS∅ is as hard as PSIS∅. Sufficiently 'large' ⇒ I-PSIS∅ has multiple solutions.

Theorem (Hardness of I-PSIS∅ with 'large' secrets [L16])

If (for security parameter λ) $d_1 < d_2 \le n$, $sc < q/4$ and the secret is 'large': $s > 2^{\frac{\lambda}{k d_1} - 1} \cdot q^{\frac{1}{k}(n/d_1 + 1)}$, then PSIS∅$_{q,n,k,d_2,\beta + sc}$ reduces to I-PSIS∅$_{q,n,k,d_1,d_2,s,c,\beta}$.

Main proof idea: Given a PSIS∅ instance $(a_1, \ldots, a_k)$, sample $s_i \leftarrow (-s, s)^{<d_1}[x]$, compute $t = \sum_{i \le k} s_i \cdot a_i$, run the I-PSIS∅ algorithm on $(a_1, \ldots, a_k, t)$, get $(z_1, \ldots, z_k, c)$, and return $z'_i = z_i - s_i \cdot c$ for $i \in [k]$.

$\sum_i z_i \cdot a_i = t \cdot c = \sum_i (s_i \cdot c) \cdot a_i \Rightarrow \sum_i z'_i \cdot a_i = 0$.

'Large' secret ⇒ $t$ has $\ge 2$ preimages w.r.t. $(s'_1, \ldots, s'_k) \mapsto \sum_{i \le k} s'_i \cdot a_i$ whp, and conditioned on $t$, $(s_1, \ldots, s_k)$ is equally probable to be either ⇒ $z'_i \neq 0$ for at least one $i$ (cond. prob. $\ge 1/2$).


Variant: I-PSIS∅ – Insecurity with ‘Small’ secrets

For sufficiently 'small' secret coordinates, I-PSIS∅ is easy, for $k = O(1)$. Sufficiently 'small' ⇒ I-PSIS∅ has a unique solution.

Lemma (Insecurity of I-PSIS∅ with 'small' secrets, small k [B+19])

If $q$ is prime, $d = d_1 = d_2 \le n$, $s = \beta$, $c = 1$ and the secret is 'small': $s \le \frac{(1 - \varepsilon) \cdot q^{1/k} - 1}{4}$, then, with prob. $\ge 1 - \varepsilon$ over the choice of $(a_1, \ldots, a_k)$, the solution to I-PSIS∅$_{q,n,k,d,d,s,1,s}$ is unique and there is an algorithm that returns it in time $O((2\beta + 1)^k \cdot \mathrm{poly}(k, d, \log q))$.


Variant: I-PSIS∅ – Insecurity with ‘Small’ secrets

For sufficiently 'small' secret coordinates, I-PSIS∅ is easy, for $k$ small.

Main idea: exploit the zero triangles in the Toeplitz matrices for the $a_i$'s. Reduce the problem to a sequence of $k$-dimensional knapsack problems – efficiently solvable if $k$ is small:
  - The $x^0$ coefficient $t[0]$ of $t = \sum_{i \le k} s_i(x) \cdot a_i(x)$ depends only on the $x^0$ coefficients $s_1[0], \ldots, s_k[0]$ of $s_1, \ldots, s_k$ resp.: $t[0] = \sum_{i \le k} s_i[0] \cdot a_i[0]$.
  - Find the unique solution $(s_1[0], \ldots, s_k[0])$ to the above $k$-dim. knapsack problem (unique with prob. $\ge \varepsilon$ if $(4\beta + 1)^k < (1 - \varepsilon) q$).
  - Similarly, for $r \ge 1$, $t[r]$ depends only on $s_1[r], \ldots, s_k[r]$ and the $< r$ coefficients of the $s_i$'s ⇒ solve a $k$-dim. knapsack for the $x^r$ coefficients of the $s_i$'s for each $r = 1, \ldots, d$.


Security Foundations: Middle-Product LWE (MP-LWE) Problem


Middle Product LWE: Intuition

Q: What should be the LWE counterpart of PSIS∅?
A: Use the same duality lattice transformation that gets LWE from SIS:
  - SIS lattice: $L_q^\perp(A) = \{v : v \cdot A = 0 \bmod q\}$
  - LWE lattice: $L_q(A) = \{y = A \cdot s + q \cdot \mathbb{Z}^m\}$ – multiply the same SIS matrix $A$ on the right!

Recall: for PSIS∅, $A$ is a block Toeplitz matrix for $(a_1, \ldots, a_k)$: $L_{\mathrm{PSIS}^\emptyset}(A) := \{(v_1, \ldots, v_k) : \sum_{i \le k} v_i \cdot \mathrm{Toep}(a_i) = 0 \bmod q\}$.

⇒ Define its LWE dual lattice (the MP-LWE lattice) using the above transformation: $L_{\mathrm{MP\text{-}LWE}} := \{(y_1, \ldots, y_k) : y_i = \mathrm{Toep}(a_i) \cdot s + q \cdot \mathbb{Z}^m \text{ for } i \in [k]\}$.

⇒ This leads to the middle-product operation on polynomials!


Middle Product of two polynomials

Let $R$ be a ring, and let $a \in R^{<n}[x]$ and $b \in R^{<n+d-1}[x]$ be two polynomials. Their product is

$$c_0 + \cdots + c_{n-2} x^{n-2} + c_{n-1} x^{n-1} + c_n x^n + \cdots + c_{n+d-2} x^{n+d-2} + c_{n+d-1} x^{n+d-1} + \cdots + c_{2n+d-3} x^{2n+d-3} \in R^{<2n+d-2}[x].$$

Their middle product is the $d$ central coefficients:

$$a \odot_d b := c_{n-1} + c_n \cdot x + \cdots + c_{n+d-2} \cdot x^{d-1} \in R^{<d}[x].$$


Matrix interpretation of the middle product

Fact. For two polynomials $a(x) \in \mathbb{Z}_q^{<n}[x]$ and $b(x) \in \mathbb{Z}_q^{<n+d-1}[x]$, $c(x) = a(x) \odot_d b(x) \in \mathbb{Z}_q^{<d}[x]$ ⇒ $\bar{c} = \mathrm{Toep}_{d,n}(a) \cdot \bar{b}$, where $\bar{b}$ (resp. $\bar{c}$) denotes the coefficient vector of $b$ (resp. $c$) in reverse order, i.e. (blank entries are zero):

$$\begin{pmatrix} c[n+d-2] \\ c[n+d-3] \\ \vdots \\ c[n-1] \end{pmatrix} = \begin{pmatrix} a[0] & a[1] & \cdots & a[n-1] & & & \\ & a[0] & a[1] & \cdots & a[n-1] & & \\ & & \ddots & \ddots & & \ddots & \\ & & & a[0] & a[1] & \cdots & a[n-1] \end{pmatrix} \cdot \begin{pmatrix} b[n+d-2] \\ b[n+d-3] \\ \vdots \\ \vdots \\ b[0] \end{pmatrix}.$$


PLWE and MP-LWE problems

$\chi_s$ := probability distribution of the secret $s$ coordinates; $\chi_e$ := probability distribution of the error $e_i$ coordinates. Typically $\chi_s$ is uniform over the whole underlying ring, while $\chi_e$ is concentrated on small coordinate values, e.g. Gaussian coordinates $D_{\alpha q}$ for a small parameter $\alpha q \ll q$. Recall: $f$ is a modulus polynomial of degree $n$.

Decision PLWE$^f_{q,n,k,\chi_s,\chi_e}$ Problem

Let $s \leftarrow \chi_s$ in $\mathbb{Z}_q[x]/f$, $a_i \leftarrow U(\mathbb{Z}_q[x]/f)$ and $e_i \leftarrow \chi_e$ in $\mathbb{Z}_q[x]/f$ 'small'. Distinguish between $(a_i, b_i = a_i \cdot s + e_i)_i$ and $(a_i, b_i \leftarrow U(\mathbb{Z}_q[x]/f))_i$.

Decision MP-LWE$_{q,n,k,\alpha,\chi_s,\chi_e,d}$ Problem

Let $s \leftarrow \chi_s$ in $\mathbb{Z}_q^{<n+d-1}[x]$, $a_i \leftarrow U(\mathbb{Z}_q^{<n}[x])$ and $e_i \leftarrow \chi_e$ 'small'. Distinguish between $(a_i, b_i = a_i \odot_d s + e_i)_i$ and $(a_i, b_i \leftarrow U(\mathbb{Z}_q^{<d}[x]))_i$.

Search variant of the above problems: find $s$.

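As an added example (not code from the slides or from the authors), the following Python implements the middle product $a \odot_d b$ of the "Middle Product of two polynomials" slide, checks it against the matrix form $\bar{c} = \mathrm{Toep}_{d,n}(a) \cdot \bar{b}$ of the "Matrix interpretation" slide, and generates MP-LWE samples $(a_i, b_i = a_i \odot_d s + e_i)$ as in the decision problem just defined. The error distribution here is uniform in $[-B, B]$ as a stand-in for the narrow Gaussian $\chi_e$ of the slide (an assumption made for simplicity), and $q = 97$, $n = 8$, $d = 4$, $k = 5$, $B = 2$ and the seed are constructed values.

```python
# Added example: middle product, its Toeplitz matrix form, and MP-LWE samples.
# Polynomials are coefficient lists, index i = coefficient of x^i.
import random

def poly_mul(a, b):
    """Schoolbook product over the integers."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out

def middle_product(a, b, d, q):
    """a ⊙_d b: the coefficients of x^{n-1} .. x^{n+d-2} of a*b, where n = len(a)
    and b has exactly n+d-1 coefficients (b in R^{<n+d-1}[x])."""
    n = len(a)
    assert len(b) == n + d - 1, "b must have n+d-1 coefficients"
    c = poly_mul(a, b)
    return [v % q for v in c[n - 1:n + d - 1]]

def toep(a, d, q):
    """Toep_{d,n}(a): d x (n+d-1); row i holds the coefficients of x^i * a(x)."""
    n = len(a)
    return [[a[j - i] % q if 0 <= j - i < n else 0 for j in range(n + d - 1)]
            for i in range(d)]

def middle_product_via_matrix(a, b, d, q):
    """Toep_{d,n}(a) . reverse(b) yields reverse(a ⊙_d b); undo the reversal."""
    M = toep(a, d, q)
    b_rev = b[::-1]
    c_rev = [sum(M[i][j] * b_rev[j] for j in range(len(b_rev))) % q for i in range(d)]
    return c_rev[::-1]

def mplwe_samples(n, d, k, q, s, err_bound, rng):
    """k samples (a_i, b_i = a_i ⊙_d s + e_i) for a secret s in Z_q^{<n+d-1}[x].
    Errors are uniform in [-err_bound, err_bound] (assumption: a stand-in for chi_e)."""
    samples = []
    for _ in range(k):
        a = [rng.randrange(q) for _ in range(n)]
        e = [rng.randint(-err_bound, err_bound) for _ in range(d)]
        b = [(x + y) % q for x, y in zip(middle_product(a, s, d, q), e)]
        samples.append((a, b))
    return samples

def residual_is_small(samples, s, d, q, err_bound):
    """With the right secret, b_i - a_i ⊙_d s is the small error e_i in every sample;
    with a wrong secret the residual is (almost surely) spread over all of Z_q."""
    for a, b in samples:
        for x, y in zip(b, middle_product(a, s, d, q)):
            r = (x - y) % q
            if min(r, q - r) > err_bound:
                return False
    return True

def demo_instance(n=8, d=4, k=5, q=97, err_bound=2, seed=1):
    """Deterministic constructed instance: returns (secret s, samples)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n + d - 1)]
    return s, mplwe_samples(n, d, k, q, s, err_bound, rng)

if __name__ == "__main__":
    a, b = [1, 2, 3], [1, 0, 1, 2, 5]             # constructed, n = 3, d = 3
    print(middle_product(a, b, 3, 97), middle_product_via_matrix(a, b, 3, 97))
    s, smp = demo_instance()
    print("right secret residual small:", residual_is_small(smp, s, 4, 97, 2))
    print("zero secret residual small:", residual_is_small(smp, [0] * len(s), 4, 97, 2))
```

Note that the secret has $n + d - 1$ coefficients while each $a_i$ has only $n$: this is the "secret in dimension $n + d$" that the later attack slide refers to.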

Hardness of MP-LWE

Let $n \ge 1$, $q \ge 2$, $\alpha \in (0, 1)$, and $\chi$ balanced.

Theorem (Hardness of MP-LWE$_{q,n,k,d,\chi_s,\chi_e}$ [RSSS17 + SSZ17])

PLWE$^f_{q,m,k,\chi_s,\chi_e}$ reduces to MP-LWE$_{q,n,k,d,\chi'_s,\chi'_e}$, where $\chi'_s = \chi_s = U(\mathbb{Z}_q)$ (uniform secret) and $\chi'_e = \chi_e$ (same small distribution), for any monic $f \in \mathbb{Z}[x]$ in family $F$ s.t.
  - $f(x) = x^m + \sum_{i \le \ell(m)} f_i x^i$,
  - $d \le m \le n$,
  - $\ell(m) = \min(m/2 + 1, m + 1 - d)$,
  - $f_0 \in \{-1, 1\}$.

Note: the above variant [SSZ19] is tight in terms of error amplification; the constraints on $f$ can be relaxed for a looser reduction [RSSS17, LVV19, PP19].


MP-LWE Hardness Theorem: Variants – Wider Family F

$f \in \mathbb{Z}[x]$ of degree $m$; $D_\sigma$: Gaussian on $\mathbb{R}$ with standard deviation $\sigma$; $D_{\mathbb{Z},\sigma}$: Gaussian on $\mathbb{Z}$ with standard deviation $\sigma$.

Variant 1: Wider Family F [RSSS17, refined in LVV19, PP19]

  [RSSS17/LVV19]       MP-LWE_{q,n,k,d,χ'e,χ's}     PLWE^f_{q,m,k,χs,χe}
  χ'e / χe             D_{α'q}                       D_{αq}
  χ's / χs             U(Zq)                         U(Zq)

Drawback: looser reduction: 'error amplification' – $\alpha' > \alpha$. E.g. $\alpha'/\alpha = \mathrm{poly}(n)$ for $m \le (1 - \varepsilon) \cdot n$ with $\varepsilon \in (0, 1)$ and $\|f\|_1 = O(\mathrm{poly}(n))$.


MP-LWE Hardness Theorem: Variants – Small Secret

$f \in \mathbb{Z}[x]$ of degree $m$; $D_\sigma$: Gaussian on $\mathbb{R}$ with standard deviation $\sigma$; $D_{\mathbb{Z},\sigma}$: Gaussian on $\mathbb{Z}$ with standard deviation $\sigma$.

Variant 2: 'Small' Secret [B+19]

  [B+19]               MP-LWE_{q,n,k,χ'e,χ's}       PLWE^f_{q,m,k,χs,χe}
  χ'e / χe             D_{Z^d,α''q}                  D_{Z^m,αq}
  χ's / χs             D_{Z^{n+d-1},α'q}             D_{Z^m,αq}

Drawback: looser reduction: 'error/secret amplification' – $\alpha', \alpha'' > \alpha$.


MP-LWE Hardness Theorem: Variants – Generalization

Generalization [PP19]: defines a general algebraic number theory framework for LWE: LWE over number field lattices.
  - MP-LWE is shown to fit into this framework.
  - Generalizes the reductions in [RSSS17/SSZ19] to start from a family of number field lattices.
  - Widens the family F (somewhat relaxed constraints on f).


MP-LWE Hardness Theorem: Variants – Rounded errors

LWR Variant [BBDLWZ19]: defines a rounded-error variant of MP-LWE: MP Learning with Rounding (MP-LWR).
  - Reduces from MP-LWE.
  - Currently restricted to the search variant of MP-LWR.
  - Handles different error distributions via a Rényi divergence analysis [B+15].


Proof idea: Relation between the middle product and the mod f product

Recall: $\mathrm{Rot}_f(a)$ has the coefficients of $a(x) \cdot x^i \bmod f(x)$ on its $i$'th row; $\mathrm{Toep}_{d,n}(a)$ has the coefficients of $a(x) \cdot x^i$ on its $i$'th row.

$a(x) \cdot x^i \bmod f = \left(\sum_{j < n} a[j] \cdot x^{j+i}\right) \bmod f = \sum_{j < n} a[j] \cdot (x^{j+i} \bmod f)$,

so, extending $\mathrm{Rot}_f(1)$ to $n + d - 1$ rows (it has $x^j \bmod f$ on its $j$'th row), we get

$$\mathrm{Rot}^{d,n}_f(a) = \mathrm{Toep}_{d,n}(a) \cdot \mathrm{Rot}^{n+d-1,n}_f(1).$$

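As an added example (not code from the slides or from the authors), the following Python checks the relation $\mathrm{Rot}^{d,n}_f(a) = \mathrm{Toep}_{d,n}(a) \cdot \mathrm{Rot}^{n+d-1,n}_f(1)$ numerically for a constructed monic $f$ of degree $n$ over $\mathbb{Z}_q$. Here $\mathrm{Rot}^{r,n}_f(g)$ is the $r \times n$ matrix whose row $i$ holds the coefficients of $x^i \cdot g(x) \bmod f$, built by repeatedly multiplying by $x$ and folding the overflowing $x^n$ term back with $x^n \equiv -(f_0 + \cdots + f_{n-1} x^{n-1})$; $q = 17$, $a$, $d = 3$ and the two moduli $f$ are constructed values.

```python
# Added example: Rot_f^{d,n}(a) == Toep_{d,n}(a) . Rot_f^{n+d-1,n}(1) over Z_q.
# Polynomials are coefficient lists, index i = coefficient of x^i;
# f is given low-to-high and must be monic (f[-1] == 1).

def rot(g, f, rows, q):
    """Rot_f^{rows,n}(g) for deg g < n = deg f. Row i+1 is row i multiplied by x:
    shift up one degree, then fold the x^n overflow back via
    x^n = -(f[0] + f[1] x + ... + f[n-1] x^{n-1})."""
    n = len(f) - 1
    row = (list(g) + [0] * n)[:n]
    out = []
    for _ in range(rows):
        out.append([x % q for x in row])
        top = row[-1]                       # coefficient that overflows to x^n
        shifted = [0] + row[:-1]
        row = [(shifted[j] - top * f[j]) % q for j in range(n)]
    return out

def toep(a, d, q):
    """Toep_{d,n}(a): d x (n+d-1); row i holds the coefficients of x^i * a(x)."""
    n = len(a)
    return [[a[j - i] % q if 0 <= j - i < n else 0 for j in range(n + d - 1)]
            for i in range(d)]

def mat_mul(A, B, q):
    """Matrix product over Z_q."""
    return [[sum(A[i][t] * B[t][j] for t in range(len(B))) % q
             for j in range(len(B[0]))] for i in range(len(A))]

def relation_holds(a, f, d, q):
    """True iff Rot_f^{d,n}(a) equals Toep_{d,n}(a) . Rot_f^{n+d-1,n}(1)."""
    n = len(a)
    assert len(f) == n + 1 and f[-1] == 1, "f must be monic of degree n = len(a)"
    lhs = rot(a, f, d, q)
    rhs = mat_mul(toep(a, d, q), rot([1], f, n + d - 1, q), q)
    return lhs == rhs

if __name__ == "__main__":
    q, d = 17, 3
    a = [3, 1, 4, 1]                                   # constructed a(x), n = 4
    for f in ([1, 0, 0, 0, 1], [2, 1, 0, 0, 1]):       # x^4 + 1 and x^4 + x + 2
        print(f, relation_holds(a, f, d, q))
```

The point of the check is that the left side depends on $f$ only through the fixed matrix $\mathrm{Rot}^{n+d-1,n}_f(1)$ on the right, while $\mathrm{Toep}_{d,n}(a)$ is $f$-independent; that is what lets one MP-LWE instance serve every $f$ in the family.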

Proof idea: apply the relation

$\mathrm{Rot}_f(b) = \mathrm{Rot}_f(a) \times \mathrm{Rot}_f(s) + \mathrm{Rot}_f(e)$

Take the first column: $M_f b = \mathrm{Rot}_f(a) \times M_f s + M_f e$

Decompose $\mathrm{Rot}_f(a)$: $b' = \mathrm{Toep}(a) \times \mathrm{Rot}_f(1)\, M_f s + M_f e$

Rename: $b' = \mathrm{Toep}(a) \times s' + e'$


Example: Polynomial Family F1 = F(n, m′, d′) of f for Titanium security foundation

$f(x) = x^m + \sum_{i \le \ell(m)} f_i x^i$,

Family degree range: $m_{\min} \le m \le m_{\max} = n$
Degree of the largest non-leading monomial: $\ell(m_{\min}) = \mathrm{gap}_2 = m_{\min} - d'$

Parameters of F1 for Titanium-CCA:

  Parameter                    Toy64   Lite96   Std128   Med160   Hi192   Super256
  m_min = m'                     654      770      896     1230    1486       1998
  m_max = n                      684      800     1024     1280    1536       2048
  ℓ(m') = gap2                   142       35      128      462     462        718
  lower bound on log3(|F1|)      172       65      256      512     512        768
  power-of-two inclusion


Known attacks: Is MP-LWE harder than PLWEf ?

The hardness result shows that MP-LWE$_{q,n,k,d,\chi_s,\chi_e}$ is at least as hard as PLWE$^f_{q,n,k,\chi_s,\chi_e}$. Is it actually harder for a small number $k$ of MP-LWE samples?

Similar situation to PSIS∅: the best known attack on MP-LWE$_{q,n,k,d,\chi_s,\chi_e}$ has higher complexity than the best attack on LWE$_{q,n}$: the generic LWE attack on MP-LWE$_{q,n,k,d,\chi_s,\chi_e}$ uses a secret in dimension $n + d$, versus $\le n$ for PLWE$^f_{q,\alpha,\chi}$.

Similar to PSIS∅, the attack can be improved by exploiting the zero triangles in the Toeplitz matrix:

Fact 1. For $1 \le d' \le d$, MP-LWE$_{q,n,k,d,\chi_s,\chi_e}$ reduces to MP-LWE$_{q,n,k,d',\chi_s,\chi_e}$. (Proof: remove from the matrix the last $d - d'$ rows of each Toeplitz block.)

Fact 2. For $1 \le d' \le d$, MP-LWE$_{q,n,k,d',\chi_s,\chi_e}$ is an instance of LWE$_{q,\,n+d'-1,\,m = k \cdot d',\,\beta}$.

Optimise the choice of $d'$.

Conclusion: similar to PSIS∅, this leaves a hardness gap of $q^{1/k}$ in the approx.-SVP factor to the best known attack on LWE$_{q,n}$.


Variant: Inhomogeneous MP-PSIS∅ – I-MP-PSIS∅

In applications to signatures (next talk), we need to analyse a middle-product variant of inhomogeneous PSIS∅. It can also be viewed as a 'uniform target value' variant of MP-LWE with multiple ($k - 1$) secrets.
  - 'Large' secret/error ⇒ multiple non-unique solutions.
  - 'Small' secret/error ⇒ no solution with probability close to 1.

I-MP-PSIS∅$_{q,n,k,d,\beta}$ [B+19]

Given $a_1, \ldots, a_k \leftarrow \mathbb{Z}_q^{<n}[x]$ and $t \leftarrow \mathbb{Z}_q^{<d}[x]$, find $(z_1, \ldots, z_k)$ with $z_i \in \mathbb{Z}_q^{<n+d-1}[x]$ for $i \in [k-1]$ and $z_k \in \mathbb{Z}_q^{<d}[x]$, such that $\sum_{i \le k-1} z_i \odot_d a_i + z_k = t$.


Variant: I-MPPSIS∅ – Insecurity with ‘large’ secrets

For sufficiently 'large' secret coordinates, I-MP-PSIS∅ is easy, for $k$ small. 'Large' ⇒ $(2\beta + 1)^k > q$.

Main idea: a dual variant of the attack on small-secret PSIS. Exploit the zero triangles in the Toeplitz matrices for the $a_i$'s, and reduce the problem to a sequence of $k$-dimensional knapsack problems – efficiently solvable if $k$ is small!


Summary and Some Problems

MP-LWE and PSIS∅: new variants of LWE/SIS with an intermediate risk-performance balance:
  - lower risk than fixed-ring RLWE/RSIS: as hard as the hardest RLWEf/PSISf for an exponentially large family of f's;
  - higher potential scheme efficiency than LWE/SIS.

Non-symmetric 'hardness-norm' dependence:
  - PSIS∅: 'large' secret ⇒ hard, 'small' secret ⇒ easy.
  - MP-LWE: 'large' secret (I-MP-PSIS) ⇒ easy, 'small' secret ⇒ hard.

A few problems:
  - Variants of MP-LWE and PSIS∅ with similar efficiency/security guarantees but a symmetric 'hardness-norm' dependence?
  - Concrete hardness of MP-LWE and PSIS∅ for a small number of samples?
  - Is MP-LWE hard to break even if PLWEf is insecure for all f?


Thank you.
