MPSign: A Signature from Small-Secret Middle-Product Learning with - - PowerPoint PPT Presentation



SLIDE 1

MPSign: A Signature from Small-Secret Middle-Product Learning with Errors

Shi Bai, Dipayan Das, Ryo Hiromasa, Miruna Rosca, Amin Sakzad, Damien Stehlé, Ron Steinfeld, Zhenfei Zhang

Miruna Rosca MPSign PKC 2020 1 / 22

SLIDE 2

What is this talk about?

A digital signature scheme whose security in the QROM relies on the hardness of solving ApproxSVP_f for many polynomials f.

Main ingredient: a reduction from small secret PLWE_f to small secret MP-LWE which works for many f's.

SLIDE 3

Overview

  1. Background
  2. Hardness of MP-LWE with small secrets
  3. MPSign: our digital signature based on small secret MP-LWE

SLIDE 4

Background

SLIDE 5

Digital signature DS = (Gen, Sign, Ver)

[figure: the signer holds sk, the verifier holds pk; the signer sends (m, σ = Sign_sk(m)) and the verifier computes Ver_pk(m, σ) ∈ {0, 1}]

Correctness: Ver_pk(m, Sign_sk(m)) = 1 w.h.p.

ufCMA Security: DS is secure if no adversary, having access to many signatures, is able to produce a signature for a new message.

SLIDE 10

How to build lattice-based crypto?

[figure: worst-case to average-case reductions; ApproxSVP_f reduces to PSIS_f ([LM06], [PR07]) and to PLWE_f ([SSTX09], [LPR10])]

[CDPR16], [BBV+17], [CDW17], etc.: ApproxSVP_f is easier than ApproxSVP for some f's in some parameter regimes and setups.

SLIDE 12

[Lyu16]: A problem at least as hard as many PSIS_f

[figure: PSIS_{f_1}, PSIS_{f_2}, ..., PSIS_{f_m} all reduce to PSIS over Z_q[x]]

Application: digital signature scheme

SLIDE 14

[RSSS17]: A problem at least as hard as many PLWE_f

[figure: PLWE_{f_1}, PLWE_{f_2}, ..., PLWE_{f_m} all reduce to MP-LWE]

Applications of MP-LWE

  • public key encryption: [RSSS17], [SSZ18], [BBD+19]
  • identity based encryption: [LVV19]

SLIDE 16

The PLWE^f and MP-LWE problems

Notation: f is a polynomial of degree n; x ←$ X denotes sampling x from the distribution X; Z_q^{<n}[x] is the set of polynomials over Z_q of degree < n; for a ∈ Z_q^{<n}[x] and s ∈ Z_q^{<n+d−1}[x], the middle product a ⊙_d s is the polynomial formed by the d middle coefficients of a · s (those of x^{n−1}, ..., x^{n+d−2}).

PLWE^f_{q,χ1,χ2}

  Distribution P^f_{q,χ1}(s) for s ∈ Z_q[x]/f:
    a ←$ U(Z_q[x]/f) and e ←$ χ1; return (a, b = a · s + e mod f).

  Distinguish between P^f_{q,χ1}(s) and U(Z_q[x]/f × R_q[x]/f) with non-negl. probability over the choice of s ←$ χ2.

MP-LWE^{n,d}_{q,χ1,χ2}

  Distribution MP^{n,d}_{q,χ1}(s) for s ∈ Z_q^{<n+d−1}[x]:
    a ←$ U(Z_q^{<n}[x]) and e ←$ χ1; return (a, b = a ⊙_d s + e).

  Distinguish between MP^{n,d}_{q,χ1}(s) and U(Z_q^{<n}[x] × R_q^{<d}[x]) with non-negl. probability over the choice of s ←$ χ2.

SLIDE 23

Hardness of MP-LWE with small secrets

SLIDE 24

Towards the hardness of MP-LWE with small secret

  * D: distribution which produces small elements w.h.p.
  * U: uniform distribution
  * in MP-LWE^{n,d}_{q,χ1,χ2} and PLWE^f_{q,χ1,χ2}, χ1 is the error distribution and χ2 the secret distribution

[figure: reductions between the four problems, built up over the slide; an arrow X → Y means Y is at least as hard as X]

  PLWE^f_{q,D,U} → MP-LWE^{n,d}_{q,D,U}   [RSSS17]
  PLWE^f_{q,D,U} → PLWE^f_{q,D,D}         [ACPS09]
  PLWE^f_{q,D,D} → MP-LWE^{n,d}_{q,D,D}   This work

SLIDE 28

From PLWE^f to MP-LWE for many f's

  * f ∈ Z[x] of degree n, d ≤ n
  * D_{R,σ}: Gaussian on R with standard deviation σ
  * D_{Z,σ}: Gaussian on Z with standard deviation σ

[RSSS17]        MP-LWE^{n,d}_{q,χ1,χ2}    PLWE^f_{q,χ1,χ2}
  χ1 (error)    D_{R^d,α′q}               D_{R^n,αq}
  χ2 (secret)   U(Z_q^{n+d−1})            U(Z_q^n)

This work       MP-LWE^{n,d}_{q,χ1,χ2}    PLWE^f_{q,χ1,χ2}
  χ1 (error)    D_{Z^d,α″q}               D_{Z^n,αq}
  χ2 (secret)   D_{Z^{n+d−1},α′q}         D_{Z^n,αq}

SLIDE 29

Recall [RSSS17]

  Rot_f(b) = Rot_f(a) × Rot_f(s) + Rot_f(e)
  Take first column:     M_f b = Rot_f(a) × M_f s + M_f e
  Decompose Rot_f(a):    b′ = Toep(a) × Rot_f(1) M_f s + M_f e
  Rename:                b′ = Toep(a) × s′ + e′

SLIDE 33

From small secret PLWE^f to small secret MP-LWE

The error term becomes M_f e + e, and D_{Z,α} + D_{Z,β} ≈ D_{Z,γ}.

We need a lower bound on the smallest singular value of M_f.

  • more restrictive family of f's
  • larger noise amplification
  • α is related to the family

[figure: the matrix M_f, drawn with its entries marked ∗]

SLIDE 39

Digital signature based on MP-LWE

SLIDE 40

Identification scheme ID = (IGen, P, V)

[figure: the prover P holds sk, the verifier V holds vk]

  P → V:  commitment W
  V → P:  challenge c ←$ ChallengeSet
  P → V:  response Z
  V:      output V(W, c, Z) ∈ {0, 1}

Security: ID is secure if no adversary having access to multiple transcripts (W, c, Z) is able to fool the verifier.

SLIDE 47

Our identification scheme based on MP-LWE

Keys: P holds (s, e), V holds (a, b = a ⊙ s + e).

  P → V:  y1, y2 small; W = a ⊙ y1 + y2
  V → P:  c ←$ ChallengeSet
  P → V:  z1 = c ⊙ s + y1, z2 = c ⊙ e + y2 (reject z1, z2?); Z = (z1, z2)
  V:      check if: W = a ⊙ z1 + z2 − c ⊙ b and z1, z2 small

SLIDE 52

MPSign: from ID to DS using Fiat-Shamir

Keys: sk = (s, e), pk = (a, b = a ⊙ s + e); m is the message to sign.

Sign_sk(m):
  y1, y2 small
  W = a ⊙ y1 + y2
  c = H(W||m)
  z1 = c ⊙ s + y1, z2 = c ⊙ e + y2 (reject z1, z2?)
  output (m, (z1, z2, c))

Ver_pk(m, (z1, z2, c)):
  W = a ⊙ z1 + z2 − c ⊙ b
  check if: c = H(W||m) and z1, z2 small

SLIDE 60

Correctness and Security of MPSign

  • correctness uses the associativity property of the middle product
  • we fix the wrong security analysis from [Hir18]
    • they incorrectly assume a ⊙_n y is uniform for fixed y and uniform a

[KLS18]: ID has some "good properties" ⇒ DS is tightly secure in QROM
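A toy Python rendering of the middle product from the problem definitions and of the MPSign flow from the preceding slides (keys, commitment W, Fiat-Shamir challenge, the "reject z1, z2?" step and the verification equation), together with a check of the associativity identity that the correctness argument relies on. This is an added illustration, not the authors' Sage implementation; the parameter values, the degree conventions for s, e, y1, y2, the ternary challenge set, SHA-256 as the hash H and the [-Y, Y] rejection bound are all assumptions made for the toy.

```python
import hashlib, random

# Toy parameters (constructed, not the paper's): deg a < N, deg W = deg z2 < D, c has K+1 ternary coefficients, y's from [-Y, Y]
Q, N, D, K, Y = 12289, 16, 8, 15, 1000
BOUND = Y - (K + 1)  # |(c ⊙ s)_i| <= K+1 for ternary c and s, so accept iff every |z_i| <= BOUND

def mp(a, b, d):
    """Middle product a ⊙_d b: coefficients k..k+d-1 of a*b, where len(a)+len(b)-1 = d+2k."""
    k, rem = divmod(len(a) + len(b) - 1 - d, 2)
    assert rem == 0, "operand lengths must satisfy len(a) + len(b) - 1 = d + 2k"
    prod = [0] * (len(a) + len(b) - 1)
    for i, x in enumerate(a):
        for j, y in enumerate(b):
            prod[i + j] += x * y
    return [v % Q for v in prod[k:k + d]]

def add(u, v): return [(x + y) % Q for x, y in zip(u, v)]
def sub(u, v): return [(x - y) % Q for x, y in zip(u, v)]
def centered(x): return (x + Q // 2) % Q - Q // 2  # representative of x mod Q in [-Q/2, Q/2)
def small(length, bound=1): return [random.randint(-bound, bound) for _ in range(length)]

def challenge(W, m):
    """c = H(W || m) as K+1 ternary coefficients; SHA-256 stands in for the random oracle."""
    h = hashlib.sha256(repr(W).encode() + m).digest()
    return [h[i] % 3 - 1 for i in range(K + 1)]

def keygen():
    a = [random.randrange(Q) for _ in range(N)]
    s, e = small(N + D + K - 1), small(D + K)
    return (s, e), (a, add(mp(a, s, D + K), e))  # sk = (s, e), pk = (a, b = a ⊙ s + e)

def sign(sk, pk, m):
    (s, e), (a, _) = sk, pk
    while True:  # Fiat-Shamir with aborts: retry until z1, z2 are small
        y1, y2 = small(N + D - 1, Y), small(D, Y)
        W = add(mp(a, y1, D), y2)
        c = challenge(W, m)
        z1, z2 = add(mp(c, s, N + D - 1), y1), add(mp(c, e, D), y2)
        if all(abs(centered(x)) <= BOUND for x in z1 + z2):  # "reject z1, z2?"
            return z1, z2, c

def verify(pk, m, sig):
    (a, b), (z1, z2, c) = pk, sig
    if any(abs(centered(x)) > BOUND for x in z1 + z2):  # z1, z2 small?
        return False
    W = sub(add(mp(a, z1, D), z2), mp(c, b, D))  # W = a ⊙ z1 + z2 - c ⊙ b
    return c == challenge(W, m)  # c = H(W || m)?

def associativity_holds(a, c, s):
    return mp(c, mp(a, s, D + K), D) == mp(a, mp(c, s, N + D - 1), D)  # c ⊙ (a ⊙ s) == a ⊙ (c ⊙ s)
```

The verifier recovers W because a ⊙ (c ⊙ s) and c ⊙ (a ⊙ s) agree, which is exactly the associativity property the correctness bullet refers to; a signature replayed on a different message fails the c = H(W || m) check.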

SLIDE 62

Concrete parameters for MPSign

                      λ_Q = 143    λ_Q = 89
degree of a           3800         2500
degree of z2          1910         1300
degree of c           512          512
q                     ≈ 2^91       ≈ 2^87
public key size       26.9 KB      19.5 KB
secret key size       1.1 KB       0.8 KB
signature size        20.1 KB      12.8 KB

  • chosen according to the best known attacks, using the coreSVP hardness methodology

SLIDE 63

MPSign vs [Lyu16]

λ = 89                MPSign     [Lyu16]
public key size       19.5 KB    9.6 KB
secret key size       0.8 KB     8.8 KB
signature size        12.8 KB    27 KB

  • our security proof is tight, while [Lyu16]'s is not
  • we give an efficient key recovery attack on [Lyu16] when sk has very small coefficients ⇒ the secret key size in [Lyu16] cannot be decreased too much to improve it

SLIDE 65

Summary

  • we proved hardness of MP-LWE with short secrets
  • we built a digital signature scheme whose security in the QROM is based on it
  • we provide concrete parameters for our scheme
  • we provide a proof-of-concept implementation in Sage: https://github.com/pqc-ntrust/middle-product-LWE-signature