Ring learning with errors signature: Difference between revisions

The creators of the Ring based Learning with Errors (RLWE) basis for cryptography believe that an important feature of these algorithms based on Ring-Learning with Errors is their provable reduction to known hard problems.<ref>{{Cite journal|title = On ideal lattices and learning with errors over rings|url = http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.297.6108|publisher = Springer|journal = In Proc. of EUROCRYPT, volume 6110 of LNCS|date = 2010|pages = 1–23|first = Vadim|last = Lyubashevsky|first2 = Chris|last2 = Peikert|first3 = Oded|last3 = Regev}}</ref><ref>{{Cite web|title = What does GCHQ's "cautionary tale" mean for lattice cryptography?|url = http://www.cc.gatech.edu/~cpeikert/soliloquy.html|website = www.cc.gatech.edu|accessdate = 2015-07-05}}</ref> The signature described below has a provable reduction to the [[Shortest vector problem|Shortest Vector Problem]] in an [[Ideal lattice cryptography|ideal lattice]].<ref name=":0">{{Cite book|title=Cryptographic Hardware and Embedded Systems – CHES 2012|last=Güneysu|first=Tim|last2=Lyubashevsky|first2=Vadim|last3=Pöppelmann|first3=Thomas|date=2012|publisher=Springer Berlin Heidelberg|year=|isbn=978-3-642-33026-1|editor-last=Prouff|editor-first=Emmanuel|series=Lecture Notes in Computer Science|volume=7428|___location=|pages=530–547|chapter=Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems|doi=10.1007/978-3-642-33027-8_31|editor-last2=Schaumont|editor-first2=Patrick}}</ref> This means that if an attack can be found on the Ring-LWE cryptosystem then a whole class of presumed hard computational problems will have a solution.<ref>{{Cite journal|title = The shortest vector in a lattice is hard to approximate to within some constant|url = http://citeseer.ist.psu.edu/viewdoc/summary?doi=10.1.1.109.7305|journal = in Proc. 39th Symposium on Foundations of Computer Science|date = 1998|pages = 92–98|first = Daniele|last = Micciancio}}</ref>

The first RLWE based signature was developed by Lyubashevsky in his paper "Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures"<ref name=":5">{{Cite book|title = Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures|url = http://link.springer.com/chapter/10.1007/978-3-642-10366-7_35|publisher = Springer Berlin Heidelberg|date = 2009-01-01|isbn = 978-3-642-10365-0|pages = 598–616|series = Lecture Notes in Computer Science|first = Vadim|last = Lyubashevsky|editor-first = Mitsuru|editor-last = Matsui}}</ref> and refined in "Lattice Signatures Without Trapdoors" in 2011.<ref name=":1">{{Cite journal|title = Lattice Signatures Without Trapdoors|url = http://eprint.iacr.org/2011/537|date = 2011|first = Vadim|last = Lyubashevsky}}</ref> A number of refinements and variants have followed. This article highlights the fundamental mathematical structure of RLWE signatures and follows the original Lyubashevsky work and the work of Guneysu, Lyubashevsky and Popplemann ([http://www.di.ens.fr/~lyubash/papers/signaturechess.pdf GLP]).<ref name=":0" /> This presentation is based on a 2017 update to the GLP scheme called GLYPH.<ref name=":3">{{Cite web|url=https://eprint.iacr.org/2017/766.pdf|title=GLYPH: A New Instantiation of the GLP Digital Signature Scheme|last=Chopra|first=Arjun|date=2017|website=International Association of Cryptographic Research eprint Archive|archive-url=https://eprint.iacr.org|archive-url=|archive-date=26 August 2017|dead-url=|access-date=26 August 2017}}</ref>

A RLWE-SIG signature uses polynomials which are considered "small" with respect to a measure called the "[[infinity norm]]". The [[infinity norm]] for a polynomial is simply the largest absolute value of the coefficients of the polynomial when those coefficients are viewed as integers in Z rather than Z_q .<ref name=":0" /> The signature algorithm will create random polynomials which are small with respect to a particular infinity norm bound. This is easily done by randomly generating all of the [[Coefficient|coefficients of the polynomial]] (a₀, ..., a_n-1) in a manner which is guaranteed or very likely to be less than or equal to this bound. In the literature on Ring Learning with Errors, there are two common ways to do this:<ref name=":1" />

In the RLWE-SIG ofsignature Gunesyu, Lyubashevsky, and PopplemannGLYPH used as an example below, coefficients for the "small" polynomials will use the [[Uniform distribution (discrete)|uniform sampling]] method and the value b will be much smaller than the value q.<ref name=":0" />

Most RLWE-SIG signature algorithms also require the ability to [[Cryptographic hash function|cryptographically hash]] arbitrary bit strings into small polynomials according to some distribution. The example below uses a hash function, POLYHASH(ω), which accepts a bit string, ω, as input and outputs a polynomial with n coefficients such that exactly k of these coefficients arehave eitherabsolute -1value orgreater 1than zero and theless remainingthen coefficientsan areinteger 0.bound b The(see [http://wwwabove).di.ens.fr/~lyubash/papers/signaturechess.pdf GLP] paper provides details on one way this can be easily done.<ref name=":0">{{Cite book|url = http://link.springer.com/chapter/10.1007/978-3-642-33027-8_31|publisher = Springer Berlin Heidelberg|date = 2012|isbn = 978-3-642-33026-1|pages = 530–547|series = Lecture Notes in Computer Science|first = Tim|last = Güneysu|first2 = Vadim|last2 = Lyubashevsky|first3 = Thomas|last3 = Pöppelmann|editor-first = Emmanuel|editor-last = Prouff|editor-first2 = Patrick|editor-last2 = Schaumont|doi = 10.1007/978-3-642-33027-8_31|chapter = Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems|title = Cryptographic Hardware and Embedded Systems – CHES 2012|volume = 7428}}</ref> Other more efficient techniques exist.

A key feature of RLWE-SIG signature algorithms is the use of a technique known as [[rejection sampling]].<ref name=":1" /><ref name=":5" /> In this technique, if the [[infinity norm]] of a signature polynomial exceeds a fixed bound, '''β,''' that polynomial will be discarded and the signing process will begin again. This process will be repeated until the infinity norm of the signature polynomial is less than or equal to the bound. Rejection sampling ensures that the output signature is not exploitably correlated with the signer's secret key values.

Following GLPGLYPH and as noted above, the maximum degree of the polynomials will be n-1 and therefore have n coefficients.<ref name=":0" /> Typical values for n are 512, and 1024.<ref name=":0" /> The coefficients of these polynomials will be from the field F_q where q is an odd prime congruent to 1 mod 4. For n =5121024, theGLYPH authors of GLP setsets q to= be59393, ab=16383 22and bit prime andk the correspondingnumber bof valuenon-zero tocoefficients bein 2¹⁴.the output Forof n=1024,Polyhash GLP sets qequal to be a 23-bit prime and b to be 2¹⁵16.<ref name=":03" /> The number of non-zero coefficients k produced by the hash function is equal to 32 for both cases.<ref name=":0" /> The security of the signature scheme is closely tied to the relative sizes of n, q, b, and k. Details on setting these parameters can be found in references 5 and 6 below.<ref name=":1" /><ref name=":0" /><ref name=":3" />

As noted above, the polynomial Φ(x) which defines the ring of polynomials used will be xⁿ + 1. Finally, a(x) will be a randomly chosen and fixed polynomial with coefficients from the set { -(q-1)/2 to (q-1)/2 }. The polynomial a(x) should be chosen in a "[[Nothing up my sleeve number|Nothing Up My Sleeve]]" manner such as [[One-way function|one-way hashing]] the output of a true noise random number generator (TRNG) or using the digital expansion of well known mathematical constans such as pi or e. All signers and verifiers of signatures will know n, q, b, k, Φ(x), a(x) and '''β''' = b-k.

# Generate two small polynomials s₀(x) and s₁e(x) with coefficients chosen uniformly from the set {-b,...-1, 0, 1, ..., b}

# Compute t(x) = a(x)·s₀(x) + s₁e(x)

The polynomials s₀(x) and s₁e(x) serve as the private key and t(x) is the corresponding public key. The security of this signature scheme is based on the following problem. Given a polynomial t(x) find small polynomials f₁(x) and f₂(x) such that: a(x)·f₁(x) + f₂(x) = t(x)

Following GLPGLYPH,<ref name=":03" /> to sign a message m expressed as a bit string, the signing entity does the following:

# Generate two small polynomials y₀₁(x) and y₁₂(x) with coefficients from the set {-b, ..., 0, ...., b}

# Compute w(x) = a(x)·y₀₁(x) + y₁₂(x)

# Compute z₀₁(x) = s₀(x)·c(x) + y₀₁(x)

# Compute z₁(x) = s₁e(x)·c(x) + y₁₂(x)

# Until the infinity norms of z₀₁(x) and z₁₂(x) ≤ '''β = ('''B - k) go to step 1. (This is the rejection sampling step noted above)

# The signature is the triple of polynomials c(x), z₀₁(x) and z₁₂(x)

# Transmit the message along with c(x), z₀₁(x) and z₁₂(x) to the verifier.

Following GLPGLYPH,<ref name=":03" /> to verify a message m expressed as a bit string, the verifying entity must possess the signer's public key (t(x)), the signature (c(x), z₀(x), z₁(x)), and the message m. The verifier does the following:

# Verify that the infinity norms of z₀₁(x) and z₁₂(x) ≤ '''β''' , if not reject the signature.

# Compute w'(x) = a(x)·z₀₁(x) + z₁₂(x) - t(x)c(x)

# Compute c'(x) = HASHPOLYHASH(ω' | m)

a(x)·z₀₁(x) + z₁₂(x) - t(x)c(x) = a(x)·[s₀(x)·c(x) + y₀₁(x)] + z₁₂(x) - [a(x)·s₀(x) + s₁e(x)]c(x)

{{=}} a(x)·y₀₁(x) + z₁₂(x) - s₁e(x)·c(x)

{{=}} a(x)y₀₁(x) + s₁e(x)·c(x) + y₁₂(x) - s₁e(x)·c(x)

{{=}} a(x)y₀₁(x) + y₁₂(x) = w(x) (as defined above)