Content deleted Content added
m →Background: Task 16: replaced (2×) / removed (0×) deprecated |dead-url= and |deadurl= with |url-status=; |
Link suggestions feature: 3 links added. |
||
| (18 intermediate revisions by 12 users not shown) | |||
Line 1:
[[Digital signature]]s are a means to protect [[Digital data|digital information]] from intentional modification and to authenticate the source of digital information.
== Background ==
Developments in [[quantum computing]] over the past decade and the optimistic prospects for real quantum computers within 20 years have begun to threaten the basic cryptography that secures the internet.<ref>{{Cite web|title = Quantum computing breakthrough claim from IBM|url = http://www.cio.co.uk/news/r-and-d/quantum-computing-breakthrough-claim-from-ibm-3609914/|
One of the most widely used public key algorithm used to create [[digital signatures]] is known as [[RSA (cryptosystem)|RSA]]. Its security is based on the classical difficulty of factoring the product of two large and unknown primes into the constituent primes. The [[integer factorization problem]] is believed to be intractable on any conventional computer if the primes are chosen at random and are sufficiently large. However, to factor the product of two n-bit primes, a quantum computer with roughly 6n bits of logical
Even though we do not know when a quantum computer to break RSA and other digital signature algorithms will exist, there has been active research over the past decade to create cryptographic algorithms which remain secure even when an attacker has the resources of a quantum computer at their disposal.<ref name=":2" /><ref name=":4">{{Cite web|title = Introduction|url = http://pqcrypto.org/|website = pqcrypto.org|
The creators of the Ring
The first RLWE based signature was developed by Lyubashevsky in his paper "Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures"<ref name=":5">{{Cite book|publisher = Springer Berlin Heidelberg|date = 2009-01-01|isbn = 978-3-642-10365-0|pages = 598–616|series = Lecture Notes in Computer Science|first = Vadim|last = Lyubashevsky|editor-first = Mitsuru|editor-last = Matsui|doi = 10.1007/978-3-642-10366-7_35|title = Advances in Cryptology – ASIACRYPT 2009|volume = 5912|chapter = Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures}}</ref> and refined in "Lattice Signatures Without Trapdoors" in 2011.<ref name=":1">{{Cite journal|title = Lattice Signatures Without Trapdoors|url = http://eprint.iacr.org/2011/537|date = 2011|first = Vadim|last = Lyubashevsky| journal=Cryptology ePrint Archive }}</ref> A number of refinements and variants have followed. This article highlights the fundamental [[mathematical structure]] of RLWE signatures and follows the original Lyubashevsky work and the work of Guneysu, Lyubashevsky and Popplemann ([https://web.archive.org/web/20140518004537/http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf GLP]).<ref name=":0" /> This presentation is based on a 2017 update to the GLP scheme called GLYPH.<ref name=":3">{{Cite web|url=https://eprint.iacr.org/2017/766.pdf|title=GLYPH: A New Instantiation of the GLP Digital Signature Scheme|last=Chopra|first=Arjun|date=2017|website=International Association of Cryptographic Research eprint Archive|archive-url=https://web.archive.org/web/20170828012937/https://eprint.iacr.org/2017/766.pdf|archive-date=
A RLWE-SIG works in the quotient [[ring of polynomials]] modulo a degree n polynomial Φ(x) with coefficients in the [[finite field]] Z<sub>q</sub> for an odd prime q ( i.e. the ring Z<sub>q</sub>[x]/Φ(x) ).<ref name=":1" /> Multiplication and addition of polynomials will work in the usual fashion with results of a multiplication reduced mod Φ(x).
<math>a(x) = a_0 + a_1x + a_{2}x^2 + \ldots + a_{n-3}x^{n-3} + a_{n-2}x^{n-2} + a_{n-1}x^{n-1}</math>
The field Z<sub>q</sub> has its representative elements in the set { -(q-1)/2, ...-1, 0, 1, ... (q-1)/2 }. When n is a power of 2, the polynomial Φ(x) will be the [[cyclotomic polynomial]] x<sup>n</sup> + 1. Other choices of n are possible but the corresponding cyclotomic polynomials are more complicated or their security not as well studied.
=== Generating "small" polynomials. ===
Line 30:
A key feature of RLWE signature algorithms is the use of a technique known as [[rejection sampling]].<ref name=":1" /><ref name=":5" /> In this technique, if the [[infinity norm]] of a signature polynomial exceeds a fixed bound, '''β,''' that polynomial will be discarded and the signing process will begin again. This process will be repeated until the infinity norm of the signature polynomial is less than or equal to the bound. Rejection sampling ensures that the output signature is not exploitably correlated with the signer's secret key values.
In the example which follows, the bound, '''β,''' will be (b - k), where b is the range of the uniform sampling described above and k will be the number of non-zero coefficients allowed in
=== Other parameters ===
Line 38:
== Public key generation ==
An entity wishing to sign messages generates its public key through the following steps:
# Generate two small polynomials s(x) and e(x) with coefficients chosen uniformly from the set {-b,...-1, 0, 1, ..., b}
# Compute t(x) = a(x)·s(x) + e(x)
# Distribute t(x) as the entity's public key
The polynomials s(x) and e(x) serve as the private key and t(x) is the corresponding public key. The security of this signature scheme is based on the following problem. Given a polynomial t(x) find small polynomials f<sub>1</sub>(x) and f<sub>2</sub>(x) such that: a(x)·f<sub>1</sub>(x) + f<sub>2</sub>(x) = t(x)
If this problem is difficult to solve, then the signature scheme will be difficult to forge. [See the Wikipedia article on [[Ring Learning with Errors]] or
== Signature generation ==
Following GLYPH,<ref name=":3" /> to sign a message m expressed as a bit string, the signing entity does the following:
# Generate two small polynomials y<sub>1</sub>(x) and y<sub>2</sub>(x) with coefficients from the set {-b, ..., 0, ...., b}
# Compute w(x) = a(x)·y<sub>1</sub>(x) + y<sub>2</sub>(x)
# Map w(x) into a bit string ω
# Compute c(x) = POLYHASH(ω | m) (This is a polynomial with k non-zero coefficients. The "|" denotes concatenation of strings)
# Compute z<sub>1</sub>(x) = s(x)·c(x) + y<sub>1</sub>(x)
# Compute z<sub>2</sub>(x) = e(x)·c(x) + y<sub>2</sub>(x)
# Until the infinity norms of z<sub>1</sub>(x) and z<sub>2</sub>(x) ≤ '''β = ('''B - k) go to step 1.
# The signature is the triple of polynomials c(x), z<sub>1</sub>(x) and z<sub>2</sub>(x)
# Transmit the message along with c(x), z<sub>1</sub>(x) and z<sub>2</sub>(x) to the verifier.
Line 81:
* Work by Bai and Galbraith on short signatures documented [https://eprint.iacr.org/2013/838 here].<ref>{{Cite web|title = Cryptology ePrint Archive: Report 2013/838|url = https://eprint.iacr.org/2013/838|website = eprint.iacr.org|access-date = 2016-01-17}}</ref>
* Work by Akleylek, Bindel, Buchmann, Kramer and Marson on security proofs for the signature with fewer security assumptions and documented [https://eprint.iacr.org/2015/755 here].<ref>{{Cite web|title = Cryptology ePrint Archive: Report 2015/755|url = https://eprint.iacr.org/2015/755|website = eprint.iacr.org|access-date = 2016-01-17}}</ref>
Another approach to signatures based on lattices over Rings is a variant of the patented NTRU family of lattice based cryptography. The primary example of this approach is a signature known as the Bimodal Lattice Signature Scheme (BLISS). It was developed by Ducas, Durmas, Lepoint and Lyubashevsky and documented in their paper "Lattice Signatures and Bimodal Gaussians."<ref>{{Cite web|title = Cryptology ePrint Archive: Report 2013/383|url = https://eprint.iacr.org/2013/383|website = eprint.iacr.org|access-date = 2016-01-17}}</ref> See [[BLISS signature scheme]]
Line 93 ⟶ 87:
{{Reflist}}
==External links==
{{ Cryptography navbox | public-key }}
[[Category:Post-quantum cryptography]]
[[Category:Lattice-based cryptography]]
| |||