Lattice-based Signatures

Lattice based signatures
Zhenfei Zhang
zzhang@onboardsecurity.com
April 27, 2018
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 1 / 29

Our company
Previously known as NTRU Cryptosystem Inc., . . .
. . . then Security Innovation, . . .
Three focus area:
Lattice based cryptographic research;
V2X security;
Editor of IEEE 1609.2 WAVE standard
Trusted Computing and TPMs;
Chair for TCG software stack working group and Virtualized Platform
working group

Why lattice

Why lattice
Lattice leads to the knowledge of everything!

Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)

Why lattice
the real reason
1994, Shor’s algorithm, break RSA and ECC with quantum
computers;
2015, NSA announcement: prepare for the quantum apocalypse;
2017, NIST call for competition/standardization;
2030(?), predicted general purpose quantum computers;
bonus points
Good understanding of underlying hard problem;
Fast, parallelable, hardware friendly;
Numerous applications: FHE, ABE, MMap, obfuscation, . . .

Why lattice
the real reason
2030(?), predicted general purpose quantum computers;
Data vaulting attack
A.k.a., harvest-then-decrypt attack
Data need to be secret for, say, 30 years;
Quantum computer arrives in, say, 15 years;
Perhaps the most practical attack in cryptography!

Figure source: https://nsa.gov1.info/utah-data-center/

Figure source: https://csrc.nist.gov/projects/post-quantum-
cryptography/post-quantum-cryptography-standardization

Source: https://csrc.nist.gov/Presentations/2018/PQ-Crypto-A-New-
Proposed-Framework

This talk

Figure source: Wendy Cordero’s High School Math Site

Lattice
Deﬁnition of a Lattice
All the integral combinations of d ≤ n linearly independent vectors
over R
L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z}
d dimension.
B = (b1, . . . , bd ) is a basis.
An example
B =
5 1
2
√
3
3
5
√
2 1
d = 2 ≤ n = 3
In this talk, full rank integer Basis: B ∈ Zn,n.

Example
A lattice L
B =
8 5
5 16
All lattice crypto talks start with an image of a dim-2 lattice

Example
A lattice L
UB =
1 0
−1 1
8 5
5 16
=
8 5
−3 11
An inﬁnity of basis

Example
A lattice L
UB =
1 0
1 1
8 5
5 16
=
8 5
13 21

Example
A lattice L
UB =
3 1
2 1
8 5
5 16
=
29 31
21 26

Example
The Shortest Vector and The First Minima
v = 8 5 , with λ1 = 82 + 52 = 9.434
The Shortest Vector

Example
The Determinant
det L = det (BBT ) = 103
The Fundamental Parallelepiped

NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime;
Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2

NTRU lattice
NTRU ring
Ring multiplications: h(x) = f (x) · g(x)
Compute h (x) = f (x) × g(x) over Z[x]
Reduce h (x) mod (xN − 1) mod q

NTRU lattice
NTRU ring
Ring multiplications: h(x) = f (x) · g(x), alternatively
h0, . . . , hN−1 = f0, . . . , fN−1 ×







g0 g1 g2 . . . gN−1
gN−1 g0 g1 . . . gN−2
gN−2 gN−1 g0 . . . gN−3
...
...
...
...
...
g1 g2 g3 . . . g0







mod q

NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a uniformly random ring element;
Computational: given h, ﬁnd f and g.

NTRU lattice
NTRU assumption
NTRU lattice
qIN 0
H IN
..=














q 0 . . . 0 0 0 . . . 0
0 q . . . 0 0 0 . . . 0
...
...
...
...
...
...
...
...
0 0 . . . q 0 0 . . . 0
h0 h1 . . . hN−1 1 0 . . . 0
hN−1 h0 . . . hN−2 0 1 . . . 0
...
...
...
...
...
...
...
...
h1 h2 . . . h0 0 0 . . . 1















NTRU lattice
NTRU assumption
NTRU lattice L =
qIN 0
H IN
g, f (and its cyclic rotations) are unique shortest vectors in L;
Decisional problem: decide if L has unique shortest vectors;
Computational problem: ﬁnd those vectors.
Both are hard for random lattices.

NTRU lattice
The real NTRU assumption
NTRU lattice behaves the same as random lattices.
NTRU lattice L =
qIN 0
H IN
g, f (and its cyclic rotations) are unique shortest vectors in L;
Decisional problem: decide if L has unique shortest vectors;
Computational problem: ﬁnd those vectors.
Both are hard for random lattices.

NTRU lattice vs random lattice
256 0
172 1
256 0
17 1
(g, f ) = (1, 3) v = (17, 1)

Lattice signatures
GGHSign hash-then-sign generic lattice
NTRUSign hash-then-sign NTRU lattice
Fiat Shamir with abort FS, Rejection sampling generic lattice
GPV hash-then-sign generic lattice
BLISS FS, Rejection sampling NTRU lattice
Dilithium FS, Rejection sampling generic lattice
Falcon hash-then-sign NTRU lattice
pqNTRUSign HTS, Rejection sampling NTRU lattice

GGHSign
Signing key: a good basis B
Verification key a bad basis H
Sign
Hash message to a vector v
Use B to find the closest vector c (Babai’s algorithm)
Verification
Check Dist(v − c) is small
NTRUSign
Good basis: (g,f)
Bad basis: h

Transcript security
Breaks GGHSign, NTRUSign;
Each signature is a vector close
to the lattice (info leakage);
Recover enough of distance
vectors (blue dots) gives away a
good basis of the lattice;
Seal the leakage with rejection
sampling.

GPV sampler: a randomized Babai function
The idea
A trapdoored lattice L, i.e.
L⊥
A := {v : Av = 0 mod q}, Lh := {(u, v) : uh = v mod q}
A trapdoor S, or (g, f ), and a smooth parameter ηε(L)
A target lattice point v
Outputs another vector s, s.t.
s is uniform over L
dist(s, v) Gaussian over Zn
Bottle neck: trapdoor generation
Bonsai Tree, Gadget matrix, . . .
Falcon = GPV + NTRUSign + more ticks

Falcon
Public key security: recover f and g from h;
Forgery: as hard as ﬁnding a preimage for GPV without secret key
Transcript security: output is already Gaussian
independent from secret basis; no need for rejection sampling.

Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T, a message m, find a vector v
v ∈ L
v ≡ hash(m) mod p
Can be instantiated via any trapdoored lattice
SIS, R-SIS, R-LWE, etc
pqNTRUSign is an efficient instantiation using NTRU lattice
Efficient trapdoor f , g.

pqNTRUSign
Sign (f , g, h = g/f , p = 3, R, m)
Hash message into a “mod p” vector vp, up = hash(m|h)
Repeat with rejection sampling:
Sample v0 from certain distribution; compute v1 = p × v0 + vp
Find a random lattice vector v1, u1 = v1 · I, h
“v-side” meets the congruent condition.
Micro-adjust “u-side” using trapdoor f and g
Compute a = (u1 − up) · g−1
mod p
Compute v2, u2 = a · p × f , g
Compute v, u = v1, u1 + v2, u2
Output v as signature
Remark
v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp

pqNTRUSign
Verify (h, p = 3, R, m, v)
Hash message into a “mod p” vector vp, up = hash(m|h)
Reconstruct the lattice vector v, u = v · I, h
Check vp, up = hash(m|h)

pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approx.-SVP in an intersected lattice;
Transcript security - achieved via rejection sampling.

Rejection Sampling
Consider b ..= v0 + a · f
“large” v0 drawn from uniform or Gaussian;
“small” a drawn from sparse trinary/binary;
sparse trinary/binary f is the secret.
RS on b
b follows certain publicly known distribution independent from f ;
for two secret keys f1, f2 and a signature b, one is not able to tell
which key signs b - witness indistinguishability.

Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , q
2 ]N
Accept b when b is in [−q
2 + B, q
2 − B]N
Before rejection
0.0005
0.0006
0.0007
0.0008
0.0009
0.001
0.0011
-600 -400 -200 0 200 400 600
"notuniforminq"
1/1031.0

Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , q
2 ]N
Accept b when b is in [−q
2 + B, q
2 − B]N
After rejection
0
0.0002
0.0004
0.0006
0.0008
0.001
0.0012
-600 -400 -200 0 200 400 600
"uniforminq"
1/1021.0

Rejection Sampling
Rejection sampling on Gaussian
Sample v0 from discrete Gaussian χN
σ
Accept b when b is Gaussian
Before/after rejection

Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Google Image & www.hsjushi.com

Lattice-based Signatures

Related slideshows

More Related Content

Lattice-based Signatures