Digital Signatures Based on the Hardness of Ideal Lattice Problems in all Rings
Vadim Lyubashevsky, IBM Research -- Zurich

Lattice Cryptography
Worst-case: SIVP, BDD
  → [Ajt '96] (SIVP → SIS), [Reg '05] (BDD → LWE, quantum reduction) →
Average-case: Small Integer Solution Problem (SIS), Learning With Errors Problem (LWE)
From SIS (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
From LWE (Cryptomania): Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …

Why are SIS and LWE hard?
Solving SIS ⇒ Solving SIVP in all lattices
Solving LWE ⇒ Solving BDD in all lattices
This gives us confidence in the design of SIS / LWE (setting parameters is a completely different matter)

Source of Inefficiency
[figure: a random n×m matrix A with entries mod p, multiplied by a "small" m-dimensional vector]
Requires O(nm) storage
Computing the function takes O(nm) time

Switching to Polynomials
[figure: the same n×m matrix, now built from n×n blocks; each block is the negacyclic matrix of one polynomial, e.g. a_1 = 4+7x+2x^2+x^3 gives columns (4,7,2,1), (-1,4,7,2), (-2,-1,4,7), (-7,-2,-1,4) and a_2 = 10+13x+x^2+7x^3 gives columns (10,13,1,7), (-7,10,13,1), (-1,-7,10,13), (-13,-1,-7,10); column i of a block is a·x^i mod (x^n+1)]
Now A only requires O(m) storage
The product can be computed faster as well

Polynomial Multiplication = Matrix-Vector Multiplication
a·b = (a_0 + a_1 x + a_2 x^2 + a_3 x^3)·b = a_0·b + a_1·(bx) + a_2·(bx^2) + a_3·(bx^3)
Multiplication over Z[x]: the matrix has columns b, bx, bx^2, bx^3 and is multiplied by the vector (a_0, a_1, a_2, a_3)
Multiplication over Z[x]/(f(x)): the matrix has columns b, bx mod f, bx^2 mod f, bx^3 mod f and is multiplied by the same vector (a_0, a_1, a_2, a_3)

Switching to Polynomials
(4 + 7x + 2x^2 + x^3)(1 + x^3) + (10 + 13x + x^2 + 7x^3)(x + x^2) in Z_p[x]/(x^n+1)
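The matrix-vector view of the last three slides, as an added example (this is not code from the talk). It builds the multiplication-by-a matrix whose column i is a·x^i mod f, for f = x^n+1 (the negacyclic blocks in the figure) and for an arbitrary monic f, and recomputes the slide's sum (4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2). The modulus p = 17 is an assumption; the slides leave p unspecified.

```python
# Added example: polynomial multiplication in Z_p[x]/(f(x)) as a matrix-vector product.
# Polynomials are coefficient lists, lowest degree first; f is monic of degree n.

def poly_mulmod(a, b, f, p):
    """a*b reduced mod f and mod p, for deg(a), deg(b) < n = deg(f)."""
    n = len(f) - 1
    prod = [0] * (2 * n - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            prod[i + j] += ai * bj
    # For monic f: x^n = -(f_0 + f_1 x + ... + f_{n-1} x^{n-1}); eliminate high powers top-down.
    for k in range(2 * n - 2, n - 1, -1):
        c = prod[k]
        if c:
            prod[k] = 0
            for t in range(n):
                prod[k - n + t] -= c * f[t]
    return [c % p for c in prod[:n]]


def mult_matrix(a, f, p):
    """n x n matrix of multiplication by a in Z_p[x]/(f): column i is a*x^i mod f.
    For f = x^n + 1 this is the negacyclic matrix drawn on the slide."""
    n = len(f) - 1
    cols = []
    for i in range(n):
        xi = [0] * n
        xi[i] = 1
        cols.append(poly_mulmod(a, xi, f, p))
    return [[cols[j][i] for j in range(n)] for i in range(n)]  # rows of the matrix


def matvec(M, v, p):
    return [sum(r[j] * v[j] for j in range(len(v))) % p for r in M]


def centered(x, p):
    """Representative in (-p/2, p/2], which is how the slide prints the entries."""
    x %= p
    return x - p if x > p // 2 else x


def slide_example(p=17):
    """(4+7x+2x^2+x^3)(1+x^3) + (10+13x+x^2+7x^3)(x+x^2) in Z_p[x]/(x^4+1),
    computed once as [M_a1 | M_a2] * (b1 || b2) and once directly; p is an assumption."""
    f = [1, 0, 0, 0, 1]                         # x^4 + 1
    a1, a2 = [4, 7, 2, 1], [10, 13, 1, 7]
    b1, b2 = [1, 0, 0, 1], [0, 1, 1, 0]         # 1 + x^3 and x + x^2
    A = [r1 + r2 for r1, r2 in zip(mult_matrix(a1, f, p), mult_matrix(a2, f, p))]  # n x 2n
    via_matrix = matvec(A, b1 + b2, p)
    via_poly = [(u + v) % p for u, v in zip(poly_mulmod(a1, b1, f, p), poly_mulmod(a2, b2, f, p))]
    assert via_matrix == via_poly
    return via_matrix


if __name__ == "__main__":
    M = mult_matrix([4, 7, 2, 1], [1, 0, 0, 0, 1], 17)
    for row in M:
        print([centered(x, 17) for x in row])    # the negacyclic block from the slide
    print(slide_example())
```

The matrix route only needs the n coefficients of each a_i (the O(m) storage of the slide), and `poly_mulmod` shows where the speed-up comes from: the reduction mod f is a fixed linear map, so for f = x^n+1 it is just a sign flip and wrap-around.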

Ring-SIS
Given k random polynomials a_1, …, a_k in Z_p[x]/(x^n+1), find "small" polynomials z_1, …, z_k such that a_1 z_1 + … + a_k z_k = 0

General f-SIS
Given k random polynomials a_1, …, a_k in Z_p[x]/(f(x)), find "small" polynomials z_1, …, z_k such that a_1 z_1 + … + a_k z_k = 0
Thm [LM '06, PR '07]: Solving f-SIS implies finding short vectors in any ideal of Z[x]/(f(x))

Same Source of Inefficiency in LWE Constructions
[figure: a random n×m matrix A with entries mod p times the secret, plus a small error vector, equals the LWE sample b; again O(nm) storage and time]

Convert to Polynomial Multiplication
[figure: the same LWE equation with A replaced by negacyclic blocks of a_1 = 4+7x+2x^2+x^3 and a_2 = 10+13x+x^2+7x^3, i.e. b_i = a_i s + e_i in Z_p[x]/(x^n+1)]

Ring-LWE in Z[x]/(f(x))
Given: a_1, a_1 s + e_1; a_2, a_2 s + e_2; …; a_k, a_k s + e_k
Find: s
(s is random in R; the e_i are "small", with a distribution symmetric around 0)

(Decision) Ring-LWE in Z[x]/(f(x))
Given: (a_1, b_1), (a_2, b_2), …, (a_k, b_k)
Question: does there exist an s and "small" e_1, …, e_k such that b_i = a_i s + e_i, or are all b_i uniformly random in R?

Thm [LPR '10]: Solving f-LWE implies a quantum algorithm for finding short vectors in any ideal of Z[x]/(f(x))

Lattice Cryptography over Polynomial Rings
Worst-case: SVP over Z[x]/f(x)
  → (the LWE arrow is a quantum reduction) →
Average-case: SIS over Z[x]/f(x), LWE over Z[x]/f(x)
From SIS (Minicrypt): One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
From LWE (Cryptomania): Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …

Are all rings "equally hard"?
For f = x^n+1, [CDW '16] gives a polynomial-time quantum algorithm for sub-exponential approximations to SVP in ideals of Z[x]/(x^n+1) (the complexity of Ring-LWE itself is unchanged; only the underlying worst-case assumption is affected)
Is f = x^n+1 an easier ring, or just a ring for which an attack is easier to find?
A more preferable state of affairs: schemes based on the hardness of lattice problems in every ring

Result of this Paper
Worst-case: SVP over Z[x]/f(x) for any f(x)  →  Average-case: SIS over Z[x]  →  (Minicrypt) One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Worst-case: SVP over Z[x]/f(x)  → (quantum) →  Average-case: LWE over Z[x]/f(x)  →  (Cryptomania) Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …

An Amazing Open Problem
Worst-case: SVP over Z[x]/f(x) for any f(x)  →  Average-case: SIS over Z[x]  →  (Minicrypt) One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Worst-case: SVP over Z[x]/f(x) for any f(x)  → (quantum?) →  Average-case: Some Problem  →  (Cryptomania) Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, … (more efficient than LWE-based)

Z^{<n}[x]-SIS_d
Def: Z^{<n}[x] = all polynomials in Z[x] with degree less than n
Given k random polynomials a_1, …, a_k in Z_p^{<n}[x], find "small" polynomials z_1, …, z_k in Z_p^{<d}[x] such that a_1 z_1 + … + a_k z_k = 0

f-SIS ≤ Z^{<n}[x]-SIS_d when d ≤ deg(f) ≤ n
Given an instance a_1, …, a_k of f-SIS, where deg(f) = m:
Pick random r_1, …, r_k in Z_p^{<n-m}[x] (so that deg(r_i · f) < n)
Set b_i = a_i + r_i · f (the b_i are uniformly random in Z_p^{<n}[x])
Give (b_1, …, b_k) to the Z_p^{<n}[x]-SIS_d solver
If the solution is (z_1, …, z_k) with b_1 z_1 + … + b_k z_k = 0, then a_1 z_1 + … + a_k z_k = 0 mod f
Since deg(z_i) < d ≤ deg(f), a non-zero z_i is also non-zero mod f
Main observation: the f-SIS input has nothing to do with f (only with the degree of f)
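The reduction above, run end to end as an added example (not code from the talk): an f-SIS instance is lifted to a Z_p^{<n}[x]-SIS_d instance by adding random multiples of f, the lifted instance is handed to a solver that never sees f, and the solver's answer is checked against the original f-SIS instance. The solver is a toy exhaustive search over z_i with coefficients in {-1,0,1}, and the parameters n = 3, d = 2, k = 5, p = 5, f = x^2+1 are assumptions chosen so that the search finishes instantly.

```python
# Added example: f-SIS <= Z_p^{<n}[x]-SIS_d.  Polynomials are coefficient lists, lowest degree first.
import itertools
import random


def poly_mul(a, b):
    """Product in Z[x]."""
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def poly_sum(polys):
    n = max(len(q) for q in polys)
    return [sum(q[i] for q in polys if i < len(q)) for i in range(n)]


def poly_mod(a, f):
    """Remainder of a modulo a monic f over Z, returned as deg(f) coefficients."""
    m = len(f) - 1
    r = list(a) + [0] * max(0, m - len(a))
    for k in range(len(r) - 1, m - 1, -1):
        c = r[k]
        if c:
            for t in range(m + 1):
                r[k - m + t] -= c * f[t]
    return r[:m]


def lift_instance(a_list, f, n, p, rng):
    """The reduction's only step: b_i = a_i + r_i * f with r_i uniform in Z_p^{<n-m}[x].
    Every polynomial of degree < n is a_i + r_i*f for exactly one such pair (f monic),
    so the b_i are uniform in Z_p^{<n}[x] and carry no information about f."""
    m = len(f) - 1
    b_list = []
    for a in a_list:
        r = [rng.randrange(p) for _ in range(n - m)]
        b_list.append([c % p for c in poly_sum([a, poly_mul(r, f)])])
    return b_list


def brute_force_sis(b_list, n, d, p):
    """Toy Z_p^{<n}[x]-SIS_d solver (assumption: 'small' means coefficients in {-1,0,1}).
    It receives only (b_i, n, d, p); f is never passed to it."""
    k = len(b_list)
    for flat in itertools.product((-1, 0, 1), repeat=k * d):
        if not any(flat):
            continue                                   # the all-zero z is not a solution
        z_list = [list(flat[i * d:(i + 1) * d]) for i in range(k)]
        total = poly_sum([poly_mul(b, z) for b, z in zip(b_list, z_list)])
        if all(c % p == 0 for c in total):
            return z_list
    return None


def is_fsis_solution(a_list, z_list, f, p):
    """sum a_i z_i = 0 in Z_p[x]/(f) with some z_i != 0 (deg z_i < deg f, so z_i != 0 mod f)."""
    total = poly_mod(poly_sum([poly_mul(a, z) for a, z in zip(a_list, z_list)]), f)
    return all(c % p == 0 for c in total) and any(any(z) for z in z_list)


def demo(seed=7, n=3, d=2, k=5, p=5):
    """Constructed f-SIS instance -> lifted instance -> solution -> check (all values assumed)."""
    rng = random.Random(seed)
    f = [1, 0, 1]                                      # x^2 + 1, so m = 2 and d <= m <= n
    a_list = [[rng.randrange(p) for _ in range(len(f) - 1)] for _ in range(k)]
    b_list = lift_instance(a_list, f, n, p, rng)
    z_list = brute_force_sis(b_list, n, d, p)          # solves the f-free problem
    return {"a": a_list, "b": b_list, "f": f, "p": p, "z": z_list}


if __name__ == "__main__":
    res = demo()
    print("z =", res["z"], "solves f-SIS:", is_fsis_solution(res["a"], res["z"], res["f"], res["p"]))
```

Why the check always passes: sum b_i z_i = sum a_i z_i + f · sum r_i z_i, so a zero of the lifted instance in Z_p[x] is a zero of the original one in Z_p[x]/(f), and the degree bound d ≤ deg(f) stops the solver from returning a multiple of f that vanishes mod f.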

f-SIS with f = x^n+1
[figure: the a_i written as n×n negacyclic blocks (for a_1 = 4+7x+2x^2+x^3 and a_2 = 10+13x+x^2+7x^3 the blocks of the earlier slides), multiplied by a short 0/1 vector; this is Ring-SIS in matrix form]

Z[x]-SIS
[figure: the same a_i written as (2n-1)×n Toeplitz blocks, i.e. the columns a_i, a_i x, a_i x^2, … with no reduction mod f, multiplied by the same short vector]

Signature Scheme
Secret key: s_1, …, s_k in Z^{<d}[x] with small coefficients
Public key: random a_1, …, a_k in Z_p^{<n}[x], and t = a_1 s_1 + … + a_k s_k in Z_p^{<n+d-1}[x]
Sign(μ):
Pick y_1, …, y_k in Z^{<n}[x] according to D_σ
Compute c = H(a_1 y_1 + … + a_k y_k, μ) in Z^{<n-d+1}[x]
Set z_i = y_i + c s_i
Do rejection sampling (maybe restart)
Output (z_1, …, z_k, c)

Verification and Security
Verify(z_1, …, z_k, c, μ): check that the z_i have small norms and that c = H(a_1 z_1 + … + a_k z_k - t c, μ)
Security proof (as in "Okamoto"-style digital signatures):
Given a_1, …, a_k, create a valid t = a_1 s_1 + … + a_k s_k
With high probability there exist other s_i' with t = a_1 s_1' + … + a_k s_k'
Use the s_i to sign
From the adversary's signature extract short w_i, b such that a_1 w_1 + … + a_k w_k = t b = (a_1 s_1 + … + a_k s_k) b, i.e. a_1 (w_1 - b s_1) + … + a_k (w_k - b s_k) = 0
With non-negligible probability this Z[x]-SIS solution (w_1 - b s_1, …, w_k - b s_k) is non-zero
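The signing and verification procedure of the two slides above, as an added example (not code from the talk or the paper). It keeps the slide's structure: secrets s_i of degree < d, public a_i of degree < n, t = sum a_i s_i, y_i of degree < n, c = H(sum a_i y_i, μ) of degree < n-d+1, z_i = y_i + c s_i, and verification of c = H(sum a_i z_i - t c, μ) together with a norm check on the z_i. Two substitutions are assumptions for the sake of a short example: the y_i are drawn uniformly from [-B, B] and rejected by an infinity-norm bound instead of the discrete Gaussian D_σ, and H outputs coefficients in {-1,0,1} via SHAKE-256. The parameters N, D, K, P, B are toy values with no security.

```python
# Added example: the Z[x]-SIS signature scheme of the slides with uniform (rather than
# Gaussian) masking and infinity-norm rejection.  Polynomials are coefficient lists,
# lowest degree first.  All parameters are assumptions and are far too small to be secure.
import hashlib
import secrets

N, D, K, P = 16, 4, 2, 7681   # deg a_i < N, deg s_i < D, K polynomials, modulus P
B = 1000                      # y_i coefficients are uniform in [-B, B]
BETA = D                      # |c*s_i|_inf <= min(D, N-D+1) = D for c, s_i in {-1,0,1}


def poly_mul(a, b):
    out = [0] * (len(a) + len(b) - 1)
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] += ai * bj
    return out


def poly_sum(polys):
    n = max(len(q) for q in polys)
    return [sum(q[i] for q in polys if i < len(q)) for i in range(n)]


def mod_p(a):
    return [c % P for c in a]


def H(w, mu):
    """c = H(w, mu) in Z^{<N-D+1}[x] with coefficients in {-1,0,1} (assumed hash design)."""
    enc = ",".join(map(str, w)).encode() + b"|" + mu
    digest = hashlib.shake_256(enc).digest(N - D + 1)
    return [(byte % 3) - 1 for byte in digest]


def keygen():
    s = [[secrets.randbelow(3) - 1 for _ in range(D)] for _ in range(K)]    # small, deg < D
    a = [[secrets.randbelow(P) for _ in range(N)] for _ in range(K)]       # uniform, deg < N
    t = mod_p(poly_sum([poly_mul(a[i], s[i]) for i in range(K)]))         # deg < N+D-1
    return (a, t), s


def sign(pk, sk, mu):
    a, t = pk
    while True:
        y = [[secrets.randbelow(2 * B + 1) - B for _ in range(N)] for _ in range(K)]
        w = mod_p(poly_sum([poly_mul(a[i], y[i]) for i in range(K)]))
        c = H(w, mu)
        z = [poly_sum([y[i], poly_mul(c, sk[i])]) for i in range(K)]      # deg z_i < N
        # Rejection sampling: keep z only if every coefficient lies in [-(B-BETA), B-BETA].
        # Then z is uniform on that box whatever sk is, so signatures leak nothing about sk.
        if all(abs(coef) <= B - BETA for zi in z for coef in zi):
            return z, c


def verify(pk, mu, sig):
    a, t = pk
    z, c = sig
    if len(z) != K or any(len(zi) != N for zi in z) or len(c) != N - D + 1:
        return False
    if any(abs(coef) > B - BETA for zi in z for coef in zi):            # "z_i have small norms"
        return False
    tc = poly_mul(t, c)
    w = mod_p(poly_sum([poly_mul(a[i], z[i]) for i in range(K)] + [[-x for x in tc]]))
    return c == H(w, mu)                                                 # sum a_i z_i - t c == sum a_i y_i


if __name__ == "__main__":
    pk, sk = keygen()
    sig = sign(pk, sk, b"attack at dawn")
    print("valid:", verify(pk, b"attack at dawn", sig), "forged message:", verify(pk, b"attack at noon", sig))
```

Degrees line up exactly as on the slide: c s_i has degree < (N-D+1)+D-1 = N, so z_i stays in Z^{<N}[x], and both sum a_i z_i and t c have degree < 2N-1, which is why the verifier's subtraction recovers sum a_i y_i. The rejection step is what makes the security proof's extraction meaningful: a verifier only ever sees z_i inside the fixed box, never the s_i-dependent values outside it.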

Parameters
                   Current ring-based signatures   Z[x]-SIS signature
Public key size    1 - 2 KB                        9 KB
Secret key size    1 KB                            10 KB
Signature size                                     27 KB
Why is the Z[x]-SIS scheme so much less efficient? The current schemes are based on Ring-SIS and Ring-LWE: there is a unique secret key for every public key, and (a_1, …, a_k, t = a_1 s_1 + … + a_k s_k) needs to look random; the Z[x]-SIS proof instead needs many secret keys per public key

Solve This Problem!!!
Worst-case: SVP over Z[x]/f(x) for any f(x)  →  Average-case: SIS over Z[x]  →  (Minicrypt) One-Way Functions, Collision-Resistant Hash Functions, Digital Signatures, Identification Schemes
Worst-case: SVP over Z[x]/f(x) for any f(x)  → (quantum?) →  Average-case: Some Problem  →  (Cryptomania) Public Key Encryption, More Efficient Digital Signatures, Identity-Based Encryption, Fully-Homomorphic Encryption, …