Polly Cracker, Revisited - WordPress.com · 27.06.2012 · Polly Cracker, Revisited Martin...
Transcript of Polly Cracker, Revisited - WordPress.com · 27.06.2012 · Polly Cracker, Revisited Martin...
Polly Cracker, Revisited
Martin Albrecht1 Pooya Farshim2 Jean-Charles Faugere1
Gottfried Herold3 Ludovic Perret1
1 POLSYS Project - INRIA, UPMC, Univ Paris 062 Information Security Group, Royal Holloway, University of London
3 Ruhr Universitat Bochum
Bristol, 27.July 2012
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Homomorphic Encryption
I Homomorphic encryption is a cryptographic primitive which allowsto perform arbitrary computation over encrypted data.
I Given a function f and a ciphertext c encrypting a plaintext m, it ispossible to transform c to a new ciphertext c ′ which encrypts f (m).
We can evaluate multivariate (Boolean) polynomials over ciphertexts.
Craig Gentry.Fully homomorphic encryption using ideal lattices.In STOC 09: Proceedings of the 41st annual ACM symposium onTheory of computing, pages 169–178, 2009.
An abstract scheme
Let I ⊂ P be some ideal in some ring and denote by Encode() afunction with inverse Decode() that maps bit-strings to elements in thequotient ring P/I.
If
Decode(Encode(m0) Encode(m1)) = m0 m1 for ∈ +, ·,
we can encrypt a message m as
c = f + Encode(m) for f randomly chosen in I.
Decryption is equivalent computing remainders modulo I in P.
Homomorphic features follow from the definition of an ideal.
“Instantiations” of this scheme I
I P = ZI I = 〈p〉 where p is an odd integer
I Encode(·) is not injective
Marten van Dijk, Craig Gentry, Shai Halevi, and VinodVaikuntanathan.Fully homomorphic encryption over the integers.In Advances in Cryptology – EUROCRYPT 2010, volume 6110 ofLecture Notes in Computer Science, pages 24–43, 2010.
Approximate GCD
Given qip + ri where ri p, compute p.
“Instantiations” of this scheme II
I P = Fq[x1, . . . , xn]
I I = 〈x1 − s1, . . . , xn − sn〉I Encode(·) is not injective
Zvika Brakerski and Vinod Vaikuntanathan.Efficient fully homomorphic encryption from (standard) LWE.FOCS 2011, 2011.
LWE
Given∑
j aijxj −∑
j aijsj + ei compute s1, . . . , sn.
“Instantiations” of this scheme III
I P = Fq[x1, . . . , xn]
I I ≈ 〈x1 − s1, . . . , xn − sn〉I Encode(·) is injective: PoSSo
Neal Koblitz, Alfred J. Menezes, Yi-Hong Wu, and Robert J.Zuccherato.Algebraic aspects of cryptography.Springer Verlag, Berlin, Heidelberg, New York, 1998.
PoSSo/GB
Given∑
hi fi for fi ∈ I compute the Grobner basis of 〈f1, . . . , fm〉.
These schemes are known as Polly Cracker.
Our contribution
We show that all these schemes can be seen as special instances ofproblem, which we call Grobner basis with noise (GBN).
Put differently, in response to
Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, and R. F. Ree.
Why you cannot even hope to use Grobner bases in Public KeyCryptography: An open letter to a scientist who failed and achallenge to those who have not yet failed.Journal of Symbolic Computations, 18(6):497–501, 1994.
. . . we say: yes we can! . . . if we add noise
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Notation & Definitions I
I P = F[x1, . . . , xn] with some degree-compatible order on monomials.
I P≤b elements in P of degree at most b.
I LM(f ) is the leading monomial appearing in f ∈ P.
I LC(f ) is the coefficient corresponding to LM(f ) in f .
I LT(f ) is LC(f )LM(f ).
I d is the degree of Grobner bases in this talk.
I b is the degree of random ideal elements in this talk.
Notation & Definitions II
An example in F[x , y , z ] with term ordering deglex:
f = 3yz + 2x + 1
I LM(f ) = yz ,
I LC(f ) = 3 and
I LT(f ) = 3yz .
Notation & Definitions III
Definition (Generated Ideal)
Let f1, . . . , fm be polynomials in P. Define the set
〈f1, . . . , fm〉 :=
m∑i=1
hi fi : h1, . . . , hm ∈ P
.
This set I is an ideal called the ideal generated by f1, . . . , fm.
Notation & Definitions IV
Definition (Grobner Basis)
Let I be an ideal of F[x1, . . . , xn] and fix a monomial ordering. A finitesubset
G = g1, . . . , gm ⊂ I
is said to be a Grobner basis of I if for any f ∈ I there exists gi ∈ Gwith
LM(gi ) | LM(f ).
I If all fi linear, then Grobner bases coincide with row echelon forms.
I If all fi ∈ F[x ] then Grobner bases coincide with GCDs.
Notation & Definitions V
For each ideal I and monomial ordering there is a unique reducedGrobner basis which can be computed in polynomial time from anyGrobner basis.
if you know the Grobner basis you “understand” the ideal.
Grobner bases allow to compute remainders modulo I:
f mod I = f mod G .
Generating Grobner bases for Crypto I
Definition (S-Polynomial)
The S-polynomial of f and g is defined as
S(f , g) =LCM(LM(f ),LM(g))
LT(f )· f − LCM(LM(f ),LM(g))
LT(g)· g .
Theorem
A basis G = g1, . . . , gs for an ideal I is a Grobner basis if and only ifall S(gi , gj) reduce to zero by polynomial division.
Generating Grobner bases for Crypto II
beginfor 0 ≤ i < n do
if i > n − `− 1 thengi ← xdi ;
elsegi ← xi ;
for mj ∈ M<LM(gi ) docij ←$ Fq;gi ← gi + cijmj ;
return g0, . . . , gn−1;
Theorem
Let f , g ∈ F[x0, . . . , xn−1] witha = LM(f ) and b = LM(g) and
LCM(a, b) = a · b.
ThenS(f , g) −→
f ,g0.
Sampling Elements in I
beginf ←$ P≤b;f ← f − f mod G ;return f ;
Algorithm 1: Sample()
This sampling is uniform for elements f ∈ I with deg(f ) ≤ b becauseP = I ⊕ P/I.
Classical Computational Problems I
GB Given access to m samples from I recover G .
IM Given access to m samples from I and a challenge f ∈ P,decide if f mod G = 0.
Hardness I
Lemma (IM <=> GB)
If we have an oracle which solves the IM problem with overwhelmingprobability, we can construct an algorithm which solves the GB problemand vice versa.
Proof for first direction.
Let gi ∈ G arbitrary and let mi = LM(gi )
Pick a random ri ∈ P/I and ask for ideal membership of gi = mi + ri . Iftrue, then mi + ri ∈ 〈G 〉 with leading monomial mi . Add it to a list G .
Repeat this process for all leading monomials m and all tails ri .
The list G is a list of elements ∈ 〈G 〉 with LM(G ) ⊇ LM(G ) whichimplies G is a Grobner basis.
Hardness II
Assuming that f1, . . . , fm is a random system, the complexity of currentlybest known algorithms (i.e. with F5) to solve the GB problem is given by
O((
n + D
D
)ω)= O
((nD)ω
)where 2 ≤ ω < 3 is the linear algebra constant, and D is given by theindex of the first non-positive coefficient of:
∑k≥0
ckzk =
(1− zb)m
(1− z)n.
Thus Grobner bases are exponential in n, if D is polynomial in n.
Hardness III
Definition (GB/IM Assumption)
Let P be such that n(λ) = Ω(λ). Assume b − d > 0, b > 1, and thatm(λ) = c · n(λ) for a constant c ≥ 1. Then the advantage of any pptalgorithm in solving the GB/IM problem is negligible as function of λ.
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Symmetric PollyCracker I
GenP,GBGen(·),d,b(1λ):
beginP ←$ Pλ;G ←$ GBGen(1
λ,P, d , `);SK← (G ,P, b);PK← (P, b);return (SK,PK);
end
Enc(m, SK):
beginf ←$ P≤b;f ′ ← f mod G ;f ← f − f ′;c← m+ f ;return c;
endDec(c,SK):
beginm← c mod G ;return m;
end
Eval(c0, . . . , ct−1,C ,PK):
beginapply the Add and Multgates of C over P;
return the result;end
Figure: The noise-free symmetric Polly Cracker scheme SPCP,GBGen(·),d,b.
Security
The m(·)-time IND-CPA security is defined by requiring that theadvantage of any ppt A
Advind-bcpam(·),SKE,A(λ) := 2 · Pr[IND-BCPAAm(·),SKE(λ)⇒ T
]− 1
is negligible in λ. The difference with the usual CPA security is that theadversary can query the encryption oracle at most m(λ) times.
Theorem
For any A against the m-time IND-BCPA security of SPC there exists aB against the IM problem such that
Advind-bcpam,SPC,A(λ) = 2 · AdvimP,GBGen(·),d,b,m,B(λ).
Conversely, fory any A against the IM problem there exists a B againstthe m-time IND-BCPA security of SPC such that
AdvimP,GBGen(·),d,b,m,A(λ) = Advind-bcpam,SPC,B(λ).
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Conversions in the Literature
I There are a few techniques in the literature, which convert anIND-CPA symmetric additive homomorphic scheme to an IND-CPApublic-key additive homomorphic scheme.
I One such conversion is to publish N encryptions of zero f1, . . . , fNand to encrypt as
c =∑s∈S
fs + m
where S is a small subset of 1, . . . ,N.
While PollyCracker is additive homomorphic and secure up to somebound, none of the proposed conversions give a secure scheme.
Impossibility Result I
Theorem (Dickenstein, Fitchas, Giusti, and Sessa)
Let I = 〈f1, . . . , fm〉 be an ideal in P = F[x1, . . . , xn], h be such thatdeg(h) ≤ D, and
h − (h mod I) =m∑i=1
hi fi ,
where hi ∈ P and deg(hi fi ) ≤ D.
Let G be the output of some Grobner basis computation algorithm up todegree D (i.e., all computations with degree greater than D are ignoredand dropped).
Then h mod I can be computed by polynomial reduction of h via G.
Impossibility Result II
Theorem
Let I = 〈f1, . . . , fm〉 be an ideal in P = F[x1, . . . , xn]. If there is a pptalgorithm A which samples elements from I uniformly given only(f1, . . . , fm) ∈ I, then there exists a ppt algorithm B which computes aGrobner basis for I.
Proof.
1. We can compute the normal forms of any f produced by A inpolynomial time since we know f1, . . . , fm.
2. If f is arbitrary in the ideal I, we know that normals forms areequivalent to Grobner basis computations.
Thus, we have a polynomial time algorithm for computing Grobnerbases.
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Foreword
We will now focus on linear Grobner bases for the rest of this talk
I here things thing is nice and easy;
I we can get multiplicative homomorphicity; and
I we have a close relation to LWE.
To see what issues arise for d > 1, read [1, 2] or ask during the Q&A.
Gottfried HeroldPolly Cracker, revisited, revisitedPKC 2012, Springer Verlag 2012
with P. Farshim, J.-C. Faugere, G. Herold and L. PerretPolly Cracker, revisitedfull version, in preparation
Discrete Gaussian
Definition (Discrete Gaussian Distribution)
Let α > 0 be a real number and q ∈ N. The discrete Gaussiandistribution χα,q, is a Gaussian distribution rounded to the nearestinteger and reduced modulo q with mean zero and standard deviation αq.
Sampling Noisy Elements in I
beginf ←$ P≤b;f ← f − (f mod G );e ←$ χ;return f + e;
Algorithm 2: Sample()
Noisy Variants of Classical Computational Problems I
GBN Given access to m noisy samples from I recover G .
IMN Given access to m noisy samples from I and a challengef ∈ P, recover if f mod G ≈ 0.
Our Ideal Membership with Noise (IMN) is essentially Gentry’s IdealCoset problem for noisy polynomials.
Lemma (IMN Hard ⇔ GBN Hard)
For any ppt adversary A against the IMN problem for d = 1 andq = poly(n), there exists a ppt adversary B against the GBN problemsuch that
AdvimnP,GBGen(·),d,`,b,χ,A(λ) ≤ AdvgbnP,GBGen(·),d,`,b,χ,B(λ).
. . . and vice versa.
Proof Sketch.
The proof proceeds as in the GB ⇔ IM case except that we can amplifyour confidence in the output.
Security I
Lemma (LWE Hard ⇒ GBN Hard for d = 1, b = 1)
Let q be a prime number. Then for any ppt adversary A against theGBN problem with b = d = 1, there exists a ppt adversary B against theLWE problem such that
AdvgbnP,GBGen(·),1,1,χ,A(λ) = Advlwen,q,χ,B(λ).
Proof.
Whenever A calls its Sample oracle, B queries its own Sample oracle toobtain (a, b) where a = (a0, . . . , an−1). It returns
∑aixi − b to A. When
A calls its Finalize on G , since d = 1, we may assume that G is of theform [x0 − s0, . . . , xn−1 − sn−1] with si ∈ Fq. Algorithm B terminates bycalling its Finalize oracle on s = (s0, . . . , sn−1).
Security II
Lemma (GBN Hard for 2b ⇒ GBN Hard for b)
For any ppt adversary A against the GBN problem at degree b with noiseχα,q, there exists a ppt adversary B against the GBN problem at degree2b with noise χ√2Nα2q,q such that
AdvgbnP,GBGen(·),d,b,χα,q,A(λ) = AdvgbnP,GBGen(·),d,2b,χ√2Nα2q,q,B
(λ)
for N =(n+bb
).
Proof.
Multiply samples fi , fj to get fi,j = fi · fj . To ensure sufficient randomness,sum up 2N such products.
Security III
Approximate GCD:
I The GBN problem for n = 1 is the approx. GCD problem over Fq[x ].
I This problem has not yet received much attention, and hence it isunclear under which parameters it is hard.
I However, the notion of a Grobner basis can been extended toZ[x0, . . . , xn−1].
I This implies a version of the GBN problem over Z.
I This can be seen as a direct generalisation of the approximate GCDproblem in Z.
Security IV
GBN over F2:
I For d = 1 and q = 2 we can reduce Max-3SAT instances to GBNinstances by translating each clause individually to a Booleanpolynomial.
I The Grobner basis returned by an arbitrary algorithm A solving GBNusing a bounded number of samples will provide a solution to theMax-3SAT problem.
I Vice versa, we may convert a GBN problem for d = 1 to a Max-SATproblem (more precisely Partial Max-Sat) by running an ANF toCNF conversion algorithm.
Security V
Best known attack (for d = 1):
I We reduce GBN to a larger LWE instance.
I Denote by N =(n+bb
)the number of monomials up to degree b.
I Let M : P → FNq be a function which maps polynomials in P to
vectors in FNq by assigning the i-th component of the image vector
the coefficient of the i-th monomial ∈ M≤b.
I Reply to each Sample query by the LWE oracle by calling the GBNSample oracle to retrieve f , compute v =M(f ) and return (a, b)with a = (vN−1, . . . , v1) and b = −v0.
I When the LWE oracle queries its Finalize with s query the GBNFinalize with [x0 − s0, . . . , xn−1 − sn−1].
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Polly Cracker with Noise
I GBN/IMN allow to construct a noisy version of our symmetric PollyCracker scheme: SPCN .
I SPCN is IND-CPA under the GBN assumption.
I Using any symmetric-to-asymmetric conversion from literature thisleads to a public-key Polly Cracker scheme.
I This scheme is somewhat homomorphic and can support a fixed butarbitrary number of multiplications.
I This also implies that Regev’s public-key scheme based on LWE ismultiplicative homomorphic under some choice of parameters.
c0 · c1 = (m0 + 2e1 +∑
h0igi ) · (m1 + 2e1 +∑
h1igi )
= m0m1 + 2e0e1 + 2e +∑
higi
Outline
Introduction
An Old (?) Computational Problem: Grobner Bases
Symmetric Polly Cracker
Symmetric to Asymmetric Conversion
The New Computational Problem: Grobner Bases with Noise
An Application: Homomorphic Encryption
Appendix
Abstract Nonsense?
Generalising and unifying known things is fun, but is it useful? That is,do results from one instantiation carry over to another?
Arora&Ge’s algorithm for LWE
1. Compute hi = fi ·∏|r |
j=1 ((fi + j) · (fi − j)) for samples fi .
2. Compute the Grobner basis of 〈h0, . . . , hm−1〉.
Chen&Nguyen’s algorithm for AGCD
1. Compute h1 = f ·∏|r |
j=1 ((f + j) · (f − j)) mod h0 for noisy sample fand clean sample h0.
2. Compute the Grobner basis of 〈h0, h1〉.
Ring-LWE I
Compute a−1i · (ai · s + ei ) ≈ s where all computations are modxn + 1.
Given that this new approach allows one to cast both LWE andapproximate GCD in the same framework, can one also capturering-LWE.
– Bristol Cryptography Blog
To compute a−1i in P = Fq[x ]/〈xn + 1〉 we run the extended GCDalgorithm which returns (g , v ,w) for inputs a, b such that
g = v · a + w · a.
Hence, for our inputs it will compute
1 = v · ai + w · (xn + 1) and thus v ≡ a−1i mod xn + 1.
Ring-LWE II
In the language of Grobner bases the extended GCD equivalent is oftencalled “lifting”.
Given an ideal I = (f1, ..., fr ) and some g ∈ I, find s1, . . . , sr such thatg = s1f1 + · · ·+ sr fr .
I The problem is easy given a Grobner basis g1, . . . , gr (in our casexn + 1), since every element h ∈ 〈g1, . . . , gr 〉 can be written ash =
∑hi · gi where LM(higi ) ≤ LM(h).
I In general, it is hard because the degree of the output may be large.
In any case, instead of solving solving GBN, we are now lifting with GBN,i.e., we keep track of our computation.
Ring-LWE III
Example:
sage : P.<x , y , z> = Polynomia lR ing (GF(127) , o r d e r=’ d eg l e x ’ )sage : I = I d e a l (P . random element ( ) f o r i n range ( 4 ) )sage : s = I . gens ( )sage : I . g r o e b n e r b a s i s ( )[ x − 24 , y − 20 , z − 17 ]sage : b = P . random element ( )sage : b −= b . r educe ( I )sage : b i n ITruesage : a = b . l i f t ( s )sage : sum( a [ i ]∗ s [ i ] f o r i i n range ( s ) )16∗ x∗ z + 50∗ yˆ2 + 53∗ z ˆ2 − 57∗ x + 36sage : b16∗ x∗ z + 50∗ yˆ2 + 53∗ z ˆ2 − 57∗ x + 36
Given tuples (a, b) find s.
Thank you for your attention
Questions?