Provably weak instances of Ring-LWE revisited

Size: px

Start display at page:

Download "Provably weak instances of Ring-LWE revisited"

Justin Boyd
5 years ago
Views:

1 Provably weak instances of Ring-LWE revisited Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 1/1

2 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

3 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, claim to have indeed found vulnerable instances. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

4 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, claim to have indeed found vulnerable instances. Vulnerable meaning: leak partial information about the secret with non-negligible probability. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

5 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, claim to have indeed found vulnerable instances. Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, they did not set up Ring-LWE as described in [LPR]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

6 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, claim to have indeed found vulnerable instances. Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, they did not set up Ring-LWE as described in [LPR]. Their instantiation generates many noise-free equations EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

7 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, claim to have indeed found vulnerable instances. Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, they did not set up Ring-LWE as described in [LPR]. Their instantiation generates many noise-free equations allowing to recover the entire secret with near certainty. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

8 Abstract We revisit the paper Provably weak instances of Ring-LWE by Y. Elias, K. Lauter, E. Ozman, K. Stange, CRYPTO 2015 in which the authors investigate if evaluation-at-1-attacks apply to Ring-LWE, claim to have indeed found vulnerable instances. Vulnerable meaning: leak partial information about the secret with non-negligible probability. However, they did not set up Ring-LWE as described in [LPR]. Their instantiation generates many noise-free equations allowing to recover the entire secret with near certainty. Currently no threat to Ring-LWE. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 2/1

9 1. Learning With Errors (LWE) The LWE problem (O. Regev, 05): solve a linear system b 0 a 10 a a 1,n 1 s 0 b 1. a 20 a a 2,n s 1. b m 1 a m0 a m1... a m,n 1 s n 1 over a finite field F p for a secret (s 0, s 1,..., s n 1 ) F n p where EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/1

10 1. Learning With Errors (LWE) The LWE problem (O. Regev, 05): solve a linear system b 0 a 10 a a 1,n 1 s 0 b 1. a 20 a a 2,n s 1. b m 1 a m0 a m1... a m,n 1 s n 1 over a finite field F p for a secret (s 0, s 1,..., s n 1 ) F n p where each equation is perturbed by a small error, i.e. b i = a i0 s 0 + a i1 s a i,n 1 s n 1 + e i, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/1

11 1. Learning With Errors (LWE) The LWE problem (O. Regev, 05): solve a linear system b 0 a 10 a a 1,n 1 s 0 b 1. a 20 a a 2,n s 1. b m 1 a m0 a m1... a m,n 1 s n 1 over a finite field F p for a secret (s 0, s 1,..., s n 1 ) F n p where each equation is perturbed by a small error, i.e. b i = a i0 s 0 + a i1 s a i,n 1 s n 1 + e i, the a ij F p are chosen uniformly randomly, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/1

12 1. Learning With Errors (LWE) The LWE problem (O. Regev, 05): solve a linear system b 0 a 10 a a 1,n 1 s 0 b 1. a 20 a a 2,n s 1. b m 1 a m0 a m1... a m,n 1 s n 1 over a finite field F p for a secret (s 0, s 1,..., s n 1 ) F n p where each equation is perturbed by a small error, i.e. b i = a i0 s 0 + a i1 s a i,n 1 s n 1 + e i, the a ij F p are chosen uniformly randomly, an adversary can ask for new equations (m > n). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/1

13 1. Learning With Errors (LWE) The LWE problem (O. Regev, 05): solve a linear system b 0 a 10 a a 1,n 1 s 0 e 0 b 1. = a 20 a a 2,n s 1. + e 1. b m 1 a m0 a m1... a m,n 1 s n 1 e n 1 over a finite field F p for a secret (s 0, s 1,..., s n 1 ) F n p where each equation is perturbed by a small error, i.e. b i = a i0 s 0 + a i1 s a i,n 1 s n 1 + e i, the a ij F p are chosen uniformly randomly, an adversary can ask for new equations (m > n). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 3/1

14 1. Learning With Errors (LWE) Features: hardness reduction from classical lattice problems, versatile building block for cryptography, enabling exciting applications (FHE, PQ crypto,... ) EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 4/1

15 1. Learning With Errors (LWE) Features: hardness reduction from classical lattice problems, versatile building block for cryptography, enabling exciting applications (FHE, PQ crypto,... ) Drawback: key size. To hide the secret one needs an entire linear system: b 0 a 10 a a 1,n 1 s 0 b 1. a 20 a a 2,n s 1.. b m 1 a m0 a m1... a m,n 1 s n 1 m log p mn log p n log p EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 4/1

16 2. Ring-based LWE Solution: Identify key space F n p with Z[x] (p, f (x)) for some monic deg n polynomial f (x) Z[x], by viewing (s 0, s 1,..., s n 1 ) as s 0 + s 1 x + s 2 x s n 1 x n 1. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 5/1

17 2. Ring-based LWE Solution: Identify key space F n p with Z[x] (p, f (x)) for some monic deg n polynomial f (x) Z[x], by viewing (s 0, s 1,..., s n 1 ) as s 0 + s 1 x + s 2 x s n 1 x n 1. Use samples of the form b 0 s 0 b 1. A s 1 a. b n 1 s n 1 with A a the matrix of multiplication by some random a(x) = a 0 + a 1 x + + a n 1 x n 1. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 5/1

18 2. Ring-based LWE Solution: Identify key space F n p with Z[x] (p, f (x)) for some monic deg n polynomial f (x) Z[x], by viewing (s 0, s 1,..., s n 1 ) as s 0 + s 1 x + s 2 x s n 1 x n 1. Use samples of the form b 0 s 0 b 1. A s 1 a. b n 1 s n 1 with A a the matrix of multiplication by some random a(x) = a 0 + a 1 x + + a n 1 x n 1. Store a(x) rather than A a : saves factor n. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 5/1

19 2. Ring-based LWE Example: if f (x) = x n 1, then A a is the circulant matrix a 0 a n 1... a 2 a 1 a 1 a 0... a 3 a 2 a 2 a 1... a 4 a a n 1 a n 2... a 1 a 0 of which it suffices to store the first column. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 6/1

20 2. Ring-based LWE Example: if f (x) = x n 1, then A a is the circulant matrix a 0 a n 1... a 2 a 1 a 1 a 0... a 3 a 2 a 2 a 1... a 4 a a n 1 a n 2... a 1 a 0 of which it suffices to store the first column. Bad example, because of... EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 6/1

21 3. Evaluation-at-1 attack Potential threat: Suppose f (1) 0 mod p, then Z[x] (p, f (x)) F p : r(x) r(1) = r 0 + r r n 1, is a well-defined ring homomorphism. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/1

22 3. Evaluation-at-1 attack Potential threat: Suppose f (1) 0 mod p, then Z[x] (p, f (x)) F p : r(x) r(1) = r 0 + r r n 1, is a well-defined ring homomorphism. Our ring-based LWE samples b(x) = a(x) s(x) + e(x) evaluate to b(1) = a(1) s(1) + e(1). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/1

23 3. Evaluation-at-1 attack Potential threat: Suppose f (1) 0 mod p, then Z[x] (p, f (x)) F p : r(x) r(1) = r 0 + r r n 1, is a well-defined ring homomorphism. Our ring-based LWE samples b(x) = a(x) s(x) + e(x) evaluate to b(1) = a(1) s(1) + e(1). For each guess for s(1) F p, analyze distribution of e(1). EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/1

24 3. Evaluation-at-1 attack Potential threat: Suppose f (1) 0 mod p, then Z[x] (p, f (x)) F p : r(x) r(1) = r 0 + r r n 1, is a well-defined ring homomorphism. Our ring-based LWE samples b(x) = a(x) s(x) + e(x) evaluate to b(1) = a(1) s(1) + e(1). For each guess for s(1) F p, analyze distribution of e(1). Non-uniformity might reveal s(1), and maybe more... EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/1

25 3. Evaluation-at-1 attack Potential threat: Suppose f (1) 0 mod p, then Z[x] (p, f (x)) F p : r(x) r(1) = r 0 + r r n 1, is a well-defined ring homomorphism. Our ring-based LWE samples b(x) = a(x) s(x) + e(x) evaluate to b(1) = a(1) s(1) + e(1). For each guess for s(1) F p, analyze distribution of e(1). Non-uniformity might reveal s(1), and maybe more... Safety measure: restrict to irreducible f (x) Z[x]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 7/1

26 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 with the e i sampled independently from N(0, σ) for some fixed small σ = σ(n). e n 1 EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/1

27 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 with the e i sampled independently from N(0, σ) for some fixed small σ = σ(n). This is not Ring-LWE! e n 1 EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/1

28 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 with the e i sampled independently from N(0, σ) for some fixed small σ = σ(n). e n 1 This is not Ring-LWE! Not backed up by hardness statement. Evaluation-at-1 known to work in special cases [ELS]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/1

b n 1 s n 1 with the e i sampled independently from N(0, σ) for some fixed small σ = σ(n).

29 4. Ring-LWE Direct ring-based analogue of LWE-sample would read b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 with the e i sampled independently from N(0, σ) for some fixed small σ = σ(n). e n 1 This is not Ring-LWE! Not backed up by hardness statement. Evaluation-at-1 known to work in special cases [ELS]. Sometimes called Poly-LWE. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 8/1

30 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 e n 1 EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/1

31 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. where b n 1 s n 1 B is the canonical embedding matrix, A f (x) compensates for the fact that one actually picks secrets from the dual. e n 1 EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/1

32 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. where b n 1 s n 1 B is the canonical embedding matrix, A f (x) compensates for the fact that one actually picks secrets from the dual. Hardness reduction from ideal lattice problems. e n 1 EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/1

33 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. where b n 1 s n 1 B is the canonical embedding matrix, A f (x) compensates for the fact that one actually picks secrets from the dual. Hardness reduction from ideal lattice problems. Note: e n 1 factor A f (x) B 1 might skew the error distribution, EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/1

34 4. Ring-LWE So what is Ring-LWE according to [LPR]? Samples look like b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. where b n 1 s n 1 B is the canonical embedding matrix, A f (x) compensates for the fact that one actually picks secrets from the dual. Hardness reduction from ideal lattice problems. Note: e n 1 factor A f (x) B 1 might skew the error distribution, but also scales it! EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 9/1

35 4. Ring-LWE... but also scales it! b 0 b 1. = A a b n 1 Indeed, one has det A f (x) = with s 0 s 1. s n 1 + A f (x) B 1 e 0 e 1. e n 1 = disc f (x), could be huge EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 10/1

36 4. Ring-LWE... but also scales it! b 0 b 1. = A a b n 1 Indeed, one has det A f (x) = with s 0 s 1. s n 1 + A f (x) B 1 e 0 e 1. e n 1 = disc f (x), could be huge det B 1 = 1/. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 10/1

37 4. Ring-LWE... but also scales it! b 0 b 1. = A a b n 1 Indeed, one has det A f (x) = with s 0 s 1. s n 1 + A f (x) B 1 e 0 e 1. e n 1 = disc f (x), could be huge det B 1 = 1/. So on average, each e i is scaled up by 1/n but remember: skewness. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 10/1

38 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 e n 1. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 11/1

39 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 e n 1. Recall: det B 1 = 1/, so the errors get squeezed. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 11/1

40 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b 0 s 0 e 0 b 1. = A s 1 a. + A f (x) B 1 e 1. b n 1 s n 1 e n 1. Recall: det B 1 = 1/, so the errors get squeezed. To compensate, they scale up the errors by a factor 1/n. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 11/1

41 5. Provably weak instances of Ring-LWE revisited [ELOS] constructed families of polynomials f (x) that are vulnerable to an evaluation-at-1 attack. For convenience they picked non-dual secrets: b 0 s 0 e 0 b 1. = A s 1 a. + 1/n B 1 e 1. b n 1 s n 1 e n 1. Recall: det B 1 = 1/, so the errors get squeezed. To compensate, they scale up the errors by a factor 1/n. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 11/1

42 5. Provably weak instances of Ring-LWE revisited Issue: b 0 b 1. b n 1 = A a s 0 s 1. s n 1 + 1/n B 1 e 0 e 1. e n 1. The factor 1/n compensates for B 1 only on average. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 12/1

43 5. Provably weak instances of Ring-LWE revisited Issue: b 0 b 1. b n 1 = A a s 0 s 1. s n 1 + 1/n B 1 e 0 e 1. e n 1. The factor 1/n compensates for B 1 only on average. In some coordinates B 1 could scale down much more. Compensation factor is insufficient merely rounding yields exact equations in the secret! EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 12/1

44 5. Provably weak instances of Ring-LWE revisited All instances from [ELOS] suffer from this skewness. Example: f (x) = x , p = note: f (1) 0 mod p Standard deviations even form a geometric series! Error distribution in each coordinate (experimental): 3σ 1,200 1, σ µ coordinate index EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 13/1

45 5. Provably weak instances of Ring-LWE revisited All instances from [ELOS] suffer from this skewness. Example: f (x) = x , p = note: f (1) 0 mod p Standard deviations even form a geometric series! Error distribution in each coordinate (experimental): 3σ 6 4 σ 1 2 µ coordinate index EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 13/1

46 5. Provably weak instances of Ring-LWE revisited Evaluation-at-1 allowed [ELOS] to recover s(1), using about 20 samples with a success rate of 20%. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 14/1

47 5. Provably weak instances of Ring-LWE revisited Evaluation-at-1 allowed [ELOS] to recover s(1), using about 20 samples with a success rate of 20%. But after rounding, the last n/7 equations become exact, so 7 or 8 samples suffice to recover s(x) exactly. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 14/1

48 5. Provably weak instances of Ring-LWE revisited Evaluation-at-1 allowed [ELOS] to recover s(1), using about 20 samples with a success rate of 20%. But after rounding, the last n/7 equations become exact, so 7 or 8 samples suffice to recover s(x) exactly. Similar remarks apply to the other instances from [ELOS]. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 14/1

49 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/1

50 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: Currently, evaluation-at-1 is not a threat to Ring-LWE. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/1

51 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: Currently, evaluation-at-1 is not a threat to Ring-LWE. Both B 1 and A f (x) B 1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/1

52 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: Currently, evaluation-at-1 is not a threat to Ring-LWE. Both B 1 and A f (x) B 1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. To compensate for A f (x) a factor 1/n makes more sense. Does scaling this way lead to a provably hard problem? EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/1

53 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: Currently, evaluation-at-1 is not a threat to Ring-LWE. Both B 1 and A f (x) B 1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. To compensate for A f (x) a factor 1/n makes more sense. Does scaling this way lead to a provably hard problem? If one does scale the [ELOS] examples sufficiently, then the error coordinates of low index become uniform. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/1

54 5. Provably weak instances of Ring-LWE revisited Concluding thoughts/remarks: Currently, evaluation-at-1 is not a threat to Ring-LWE. Both B 1 and A f (x) B 1 can be very skew, so mostly a matter of insufficient scaling, rather than dual vs. non-dual. To compensate for A f (x) a factor 1/n makes more sense. Does scaling this way lead to a provably hard problem? If one does scale the [ELOS] examples sufficiently, then the error coordinates of low index become uniform. The cyclotomic case seems naturally protected against geometric growth. EUROCRYPT, May 9, 2016 Provably weak instances of Ring-LWE revisited 15/1

Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014

7 Public Key Cryptography Great Ideas in Theoretical Computer Science Saarland University, Summer 2014 Cryptography studies techniques for secure communication in the presence of third parties. A typical