
Public Key Cryptography Based on Partial Knowledge of Finite Fourier Transforms

Joseph H. Silverman

Brown University
Joint work with J. Hoffstein and J. Pipher (Brown University) and J. Schanck and W. Whyte (Security Innovations)

Colloquium, Microsoft Research, Redmond, WA

July 2013

Introduction 1

Introduction

The shortest and closest vector problems (SVP, CVP) are interesting hard lattice problems.

There is a long history of cryptographic constructions based on problems that are equivalent to SVP and/or CVP in certain classes of lattices. For example:

1982 Merkle–Hellman: knapsack-based PKC
1997 Ajtai–Dwork: average case/worst case equivalence
1997 Goldwasser–Goldreich–Halevi: direct CVP-based PKC (very large key sizes)
1998 Hoffstein–Pipher–Silverman: NTRU via SVP and CVP in cyclic modular lattices (with practical key and ciphertext sizes)

And to the extent that I understand them, “learning with errors” (LWE) problems are (mostly?) reducible to SVP/CVP problems in certain lattices.

Introduction 2

Outline

In 1999 a digital signature scheme called PASS was introduced by Hoffstein, Lieman, and Silverman. PASS is based on partial evaluation of Finite Fourier Transforms (FFT), which may be reduced to SVP/CVP in certain modular lattices. Unfortunately, PASS was vulnerable to transcript attacks.

In this talk I will describe a new PKC based on the partial-FFT problem, and a new variant of PASS that uses rejection sampling to eliminate transcript attacks.

OUTLINE
• Finite Fourier transforms and convolution products
• PASSEncrypt — A public key cryptosystem based on partial-FFT information
• PASSSign — A digital signature scheme based on partial-FFT information
• Partial FFT problems and lattice problems

Finite Fourier Transforms 3

Notation

We fix two public parameters:

N a prime number (say between 500 and 2000).

q a prime number satisfying q ≡ 1 (mod N).

We write $\mathbb F_q = \mathbb Z/q\mathbb Z$

for the finite field with q elements. The assumption on q and N means that we can find a primitive N'th root of unity w in $\mathbb F_q$. In other words,

$w \in \mathbb F_q$ satisfies $w \ne 1$ and $w^N = 1$.

We work with N-dimensional vectors in $\mathbb F_q$,

$$\mathbf a = (a_0, \dots, a_{N-1}) \in \mathbb F_q^N.$$

Finite Fourier Transforms 4

Finite Fourier Transforms

The Finite Fourier Transform (FFT) of a vector $\mathbf a \in \mathbb F_q^N$ is the vector

$$\mathcal F(\mathbf a) = \hat{\mathbf a} = (\hat a_0, \dots, \hat a_{N-1})$$

whose k'th coefficient is given by the formula

$$\hat a_k = a_0 + a_1 w^k + a_2 w^{2k} + \cdots + a_{N-1} w^{(N-1)k}.$$

$\mathcal F : \mathbb F_q^N \to \mathbb F_q^N$ is a function mapping vectors to vectors.

The map $\mathcal F$ is a bijection. Its inverse is

$$\mathcal F^{-1}(\mathbf b)_k = \frac{1}{N}\bigl(b_0 + b_1 w^{-k} + \cdots + b_{N-1} w^{-(N-1)k}\bigr).$$

Thus $\mathcal F$ is very far from being a one-way function.

Finite Fourier Transforms 5

Partial Knowledge of FFT

We partition the set of indices into two disjoint sets

$$\{0, 1, \dots, N-1\} = S \cup T,$$

say with

$$s = \#S \approx N/2 \quad\text{and}\quad t = \#T \approx N/2,$$

and we define Partial FFTs

$$\mathcal F_S(\mathbf a) = (\hat a_i)_{i \in S} \quad\text{and}\quad \mathcal F_T(\mathbf a) = (\hat a_i)_{i \in T}.$$

The map $\mathcal F_S : \mathbb F_q^N \to \mathbb F_q^s$ does not have an easily computable inverse, but unfortunately that's because it doesn't have an inverse at all! It's not even close to being injective.

So we restrict the domain of $\mathcal F_S$ to a subset where it is (probably) injective.

Finite Fourier Transforms 6

Partial FFTs and Short Vectors

Let

$$\mathcal T_N = \{-1, 0, 1\}^N = \{\text{dimension } N \text{ ternary vectors}\}.$$

We call elements of $\mathcal T_N$ short vectors. The map

$$\mathcal F_S : \mathcal T_N \longrightarrow \mathbb F_q^s$$

is almost certainly injective, but it is difficult to recover the ternary vector $\mathbf a \in \mathcal T_N$ from knowledge of only $\mathcal F_S(\mathbf a)$. It is this hard problem that we exploit to create a public key cryptosystem and a digital signature scheme.

The Short Vector Recovery from Partial Finite Fourier Transform Problem (SVR-PFFT) is the problem of determining a ternary vector $\mathbf a \in \mathcal T_N$ from its partial-FFT $\mathcal F_S(\mathbf a)$.

At the end I will explain how SVR-PFFT is naturally equivalent to a closest vector lattice problem.

Finite Fourier Transforms 7

An Obvious Ring Structure on $\mathbb F_q^N$

We add vectors in the usual way:

$$\mathbf a + \mathbf b = (a_0 + b_0, \dots, a_{N-1} + b_{N-1}).$$

We can also multiply vectors in the obvious way, coordinate-by-coordinate:

$$\mathbf a \odot \mathbf b = (a_0 b_0, \dots, a_{N-1} b_{N-1}).$$

The operations $+$ and $\odot$ make $\mathbb F_q^N$ into a ring, so for example,

$$(\mathbf a \odot \mathbf b) \odot \mathbf c = \mathbf a \odot (\mathbf b \odot \mathbf c) \quad \text{(Associative Law)},$$

$$\mathbf a \odot (\mathbf b + \mathbf c) = \mathbf a \odot \mathbf b + \mathbf a \odot \mathbf c \quad \text{(Distributive Law)},$$

and so on.

Finite Fourier Transforms 8

Convolution Products

There is another kind of multiplication called convolution product whose definition is more complicated:

$$\mathbf c = \mathbf a \star \mathbf b \quad\text{with}\quad c_k = \sum_{i + j \equiv k \ (\mathrm{mod}\ N)} a_i b_j.$$

Surprisingly, $+$ and $\star$ also make $\mathbb F_q^N$ into a ring, so $\star$ is associative, and $\star$ distributes over $+$.

Further, the FFT is a ring homomorphism between these two rings. In other words,

$$\mathcal F(\mathbf a + \mathbf b) = \mathcal F(\mathbf a) + \mathcal F(\mathbf b),$$

$$\mathcal F(\mathbf a \star \mathbf b) = \mathcal F(\mathbf a) \odot \mathcal F(\mathbf b).$$

Thus $\mathcal F$ changes convolution product $\star$ into coordinate product $\odot$.

PASSEncrypt 9

PASSEncrypt — A Partial-FFT PKC

System Parameters: N, q, and a small prime p (e.g., p = 2).

Key Creation:

$f \in \mathcal T_N$ (private key) is a small vector.

$\mathcal F_T(f) \in \mathbb F_q^t$ (public key) is the T-partial-FFT of f.

Encryption:

$m \in \mathcal T_N$ (padded plaintext) is a small vector.

$r \in \mathcal T_N$ (nonce) is a small vector.

The ciphertext $(e, e', e'')$ is three partial-FFTs:

$$e = \mathcal F_S(r), \qquad e' = \mathcal F_S(m), \qquad e'' = p\,\mathcal F_T(r) \odot \mathcal F_T(f) + \mathcal F_T(m).$$

PASSEncrypt 10

PASSEncrypt (continued)

Decryption:

1. Use f to compute $\mathcal F_S(f)$.

2. Use $e = \mathcal F_S(r)$ and $e' = \mathcal F_S(m)$ to compute

$$p\,e \odot \mathcal F_S(f) + e' = p\,\mathcal F_S(r) \odot \mathcal F_S(f) + \mathcal F_S(m).$$

3. Use this and $e''$ to recover the full FFT

$$p\,\mathcal F(r) \odot \mathcal F(f) + \mathcal F(m) = \mathcal F(p\,r \star f + m).$$

4. Apply $\mathcal F^{-1}$ to compute

$$p\,r \star f + m \in \mathbb F_q^N.$$

5. Since r, f, and m are small vectors, choosing coordinates between 0 and q − 1, we recover exactly the vector

$$p\,r \star f + m \in \mathbb Z^N.$$

6. Reduce modulo p to recover the plaintext m.

PASSEncrypt 11

PASSEncrypt Summary

Public knowledge consists of:
• T-partial-FFT of the private key f.
• S-partial-FFT of the (padded) plaintext m.
• S-partial-FFT of the nonce r.
• T-partial-FFT of the quantity $p\,r \star f + m$.

Using f, one can compute the full FFT $\mathcal F(p\,r \star f + m)$.

The inverse FFT gives $p\,r \star f + m$ in $\mathbb F_q^N$.

Smallness of r, f, and m gives $p\,r \star f + m$ exactly.

Reduction mod p gives m.

The hard problem is to recover any one of the small vectors f, m, r from their partial-FFTs.
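The FFT and its inverse, the convolution product, the homomorphism $\mathcal F(\mathbf a \star \mathbf b) = \mathcal F(\mathbf a) \odot \mathcal F(\mathbf b)$, and the PASSEncrypt key creation, encryption and decryption steps above, worked through in one added Python example (my code, not the authors'). It assumes toy parameters (N = 7, q = 43, p = 2, S = {0,2,4,6}, T = {1,3,5}), a plaintext in {0,1}^N so that reduction mod p returns it unchanged, and lifts to the centred range (−q/2, q/2] rather than [0, q−1] so that negative coordinates of p r⋆f + m survive the lift.

```python
# Added example (not the talk's code): toy PASSEncrypt with a naive O(N^2) FFT over F_q.
# Constructed parameters: N = 7, q = 43 (q = 1 mod N), p = 2; the talk uses N around 500-2000.
N, q, p = 7, 43, 2
w = next(x for x in range(2, q) if pow(x, N, q) == 1)      # w != 1 and w^N = 1 (N prime)
S, T = [0, 2, 4, 6], [1, 3, 5]                               # constructed split of {0,...,N-1}

def fft(a):
    """F(a)_k = a_0 + a_1 w^k + ... + a_{N-1} w^{(N-1)k} mod q."""
    return [sum(a[j] * pow(w, j * k, q) for j in range(N)) % q for k in range(N)]

def ifft(b):
    """F^{-1}(b)_k = (1/N)(b_0 + b_1 w^{-k} + ... + b_{N-1} w^{-(N-1)k}) mod q."""
    return [pow(N, -1, q) * sum(b[j] * pow(w, -j * k, q) for j in range(N)) % q
            for k in range(N)]

def conv(a, b):
    """Convolution product c_k = sum_{i+j = k (mod N)} a_i b_j, computed over the integers."""
    c = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            c[(i + j) % N] += ai * bj
    return c

def homomorphism_holds(a, b):  # F(a * b) == F(a) (.) F(b): convolution becomes coordinate product
    return fft(conv(a, b)) == [(x * y) % q for x, y in zip(fft(a), fft(b))]

def partial(a, idx):  # partial FFT F_S or F_T: the coordinates of F(a) indexed by idx
    return [fft(a)[i] for i in idx]

def encrypt(m, r, pk):
    """m in {0,1}^N (so m mod p == m), nonce r in T_N, pk = F_T(f); returns (e, e', e'')."""
    e, e1 = partial(r, S), partial(m, S)
    e2 = [(p * rt * ft + mt) % q for rt, ft, mt in zip(partial(r, T), pk, partial(m, T))]
    return e, e1, e2

def decrypt(ct, f):
    e, e1, e2 = ct
    fS, full = partial(f, S), [0] * N
    for i, k in enumerate(S):                     # S-coordinates: p F_S(r)(.)F_S(f) + F_S(m)
        full[k] = (p * e[i] * fS[i] + e1[i]) % q
    for i, k in enumerate(T):                     # T-coordinates come straight from e''
        full[k] = e2[i]
    x = ifft(full)                                # = p r*f + m as an element of F_q^N
    x = [v - q if v > q // 2 else v for v in x]   # lift to (-q/2, q/2]; exact because every coordinate is small
    return [v % p for v in x]                     # reduce mod p to get m back

f = [1, 0, -1, 1, 0, 0, -1]                       # constructed private key in T_N
pk = partial(f, T)                                # public key F_T(f)
msg, nonce = [1, 0, 1, 1, 0, 0, 1], [0, 1, -1, 0, 1, 0, -1]
assert decrypt(encrypt(msg, nonce, pk), f) == msg
```

With these parameters |p r⋆f + m| is at most 2·7 + 1 = 15 < q/2 in every coordinate, which is why the centred lift is exact.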

PASSSign 12

Some Additional Notation

Before describing the digital signature scheme PASSSign based on partial-FFT, we need one more piece of notation.

The infinity norm of a vector $\mathbf a \in \mathbb F_q^N$ is the quantity

$$\|\mathbf a\| = \max\{|a_0|, \dots, |a_{N-1}|\},$$

where we choose $-\tfrac12 q < a_i \le \tfrac12 q$. We also let

$$\mathcal T_N(b) = \{\mathbf a \in \mathcal T_N : \text{at most } b \text{ nonzero coordinates}\}.$$

We note that if $f \in \mathcal T_N$ and $c \in \mathcal T_N(b)$, then

$$\|f \star c\| \le b.$$

PASSSign 13

PASSSign: Preliminary Version

System Parameters: N, $q \equiv 1 \pmod N$, $w^N = 1$ in $\mathbb F_q$, $S \cup T = \{0, \dots, N-1\}$, norm bound k, commitment bound b.

Key Creation:

$f \in \mathcal T_N$ (private key) is a small vector.

$\mathcal F_T(f) \in \mathbb F_q^t$ (public key) is the T-partial-FFT of f.

Signing:

$m \in \mathcal T^*$ (document) is a small vector.

$r \in \mathbb F_q^N$ (nonce) is a vector with $\|r\| \le k$.

$c \in \mathcal T_N(b)$ (commitment) equals $\mathrm{Hash}(\mathcal F_T(r), m)$.

$z \in \mathbb F_q^N$ equals $f \star c + r$.

The signature is the triple

$$(z, c, m).$$

PASSSign 14

PASSSign: Preliminary Version (continued)

Verification:

1. If $\|z\| > b + k$ or $c \notin \mathcal T_N(b)$, return Invalid.

2. Compute

$$c' = \mathrm{Hash}\bigl(\mathcal F_T(z) - \mathcal F_T(f) \odot \mathcal F_T(c),\ m\bigr).$$

3. If $c' \ne c$, return Invalid.

4. Return Valid.

Why It Works:

$$c' = \mathrm{Hash}\bigl(\mathcal F_T(z) - \mathcal F_T(f) \odot \mathcal F_T(c),\ m\bigr) = \mathrm{Hash}\bigl(\mathcal F_T(z - f \star c),\ m\bigr) = \mathrm{Hash}\bigl(\mathcal F_T(r),\ m\bigr) = c. \ \checkmark$$

PASSSign 15

Why Is It Hard To Forge?

What does a forger need to do?

1. She starts with an arbitrary vector $r \in \mathbb F_q^t$.

2. Next she sets

$$c = \mathrm{Hash}(r, m).$$

3. Finally she selects a vector $z \in \mathbb F_q^N$ whose partial-FFT satisfies

$$\mathcal F_T(z) = \mathcal F_T(r) + \mathcal F_T(f) \odot \mathcal F_T(c).$$

4. So far, this is easy. But in order for $(z, c, m)$ to be a valid signature, it is necessary that z have fairly small coefficients. And finding a smallish z with specified partial FFT is a hard problem.

PASSSign 16

Transcript Attacks

If each signature reveals a tiny, but nonzero, amount of information about the private key, then a DSS may be vulnerable to a transcript attack in which a long list of signatures is used to break the system.

The original PASSSign scheme had this weakness, as does NTRUSign. Various methods had been proposed that reduced (but never eliminated) the rate at which information leaks.

A few years ago Lyubashevsky described how to use rejection sampling to eliminate transcript leakage in certain lattice-based DSS.

We have adapted these ideas to make PASSSign immune to transcript attacks.

PASSSign 17

A Transcript Attack on Proto-PASSSign

Transcript attacks on proto-PASSSign use vector reversals

$$\bar{\mathbf a} = \overline{(a_0, a_1, \dots, a_{N-1})} = (a_0, a_{N-1}, \dots, a_1).$$

Let $(z_1, c_1, m_1), (z_2, c_2, m_2), \dots$ be a list of signatures. Then one can show that

$$\text{Average of } z_i \star c_i \text{ converges to } \kappa\, f \star f,$$

where $\kappa \ne 0$ is an easily computable constant. So a PASSSign transcript can be used to compute $f \star f$, from which one can recover f.

PASSSign 18

Rejection Sampling

The idea of rejection sampling is:

When signing, if $\|z\| > k - b$, reject the signature and sign again using a new nonce r.

For appropriate choices of k and b, it may take 5 to 10 attempts to find a non-rejected signature.

With rejection sampling, one can show (under reasonable assumptions) that the signatures are uniformly distributed among all pairs of vectors

$$\{(z, c) : \|z\| \le k - b \text{ and } c \in \mathcal T_N(b)\}.$$

Hence a transcript reveals no information about the private key f.
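PASSSign signing with the rejection step above and the matching verification, as an added Python example (my code, not the authors'). It assumes toy parameters (N = 7, q = 43, T = {1,3,5}, k = 10, b = 2), a constructed SHA-256-based Hash that maps $(\mathcal F_T(r), m)$ into $\mathcal T_N(b)$, and a verifier that checks the same bound $\|z\| \le k - b$ that the signer enforces.

```python
# Added example (not the talk's code): toy PASSSign with rejection sampling.
# Constructed parameters: N = 7, q = 43, T = {1,3,5}, norm bound k = 10, commitment bound b = 2.
import hashlib, random
N, q, k, b = 7, 43, 10, 2
T = [1, 3, 5]
w = next(x for x in range(2, q) if pow(x, N, q) == 1)      # primitive N-th root of unity mod q
def partial_T(a):  # F_T(a): the T-coordinates of the finite Fourier transform of a
    return [sum(a[j] * pow(w, j * t, q) for j in range(N)) % q for t in T]

def conv(a, c):
    """Convolution product over the integers: out_k = sum_{i+j = k (mod N)} a_i c_j."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, cj in enumerate(c):
            out[(i + j) % N] += ai * cj
    return out

def norm(a): return max(abs(v) for v in a)                  # infinity norm of an integer vector

def hash_commit(ft, m):
    """Hash(F_T(r), m) -> c in T_N(b): at most b nonzero +-1 entries (constructed hash-to-ternary)."""
    h = hashlib.sha256(repr((ft, m)).encode()).digest()
    c = [0] * N
    for i in range(b):                    # a repeated position just leaves fewer nonzeros
        c[h[2 * i] % N] = 1 if h[2 * i + 1] % 2 else -1
    return c

def sign(f, m, rng):
    """Return (z, c, m, attempts); rejection sampling keeps only ||z|| <= k - b."""
    attempts = 0
    while True:
        attempts += 1
        r = [rng.randint(-k, k) for _ in range(N)]            # nonce with ||r|| <= k
        c = hash_commit(partial_T(r), m)
        z = [x + y for x, y in zip(conv(f, c), r)]            # z = f * c + r, ||f * c|| <= b
        if norm(z) <= k - b:                                  # otherwise z would leak about f * c
            return z, c, m, attempts

def verify(pk, sig):
    """pk = F_T(f). Recompute F_T(r) = F_T(z) - F_T(f)(.)F_T(c) and re-derive the commitment."""
    z, c, m = sig[:3]
    if norm(z) > k - b or sum(map(abs, c)) > b or any(v not in (-1, 0, 1) for v in c):
        return False
    ft_r = [(fz - fp * fc) % q for fz, fp, fc in zip(partial_T(z), pk, partial_T(c))]
    return hash_commit(ft_r, m) == c

f = [1, 0, -1, 1, 0, 0, -1]                                   # constructed private key in T_N
pk = partial_T(f)                                             # public key F_T(f)
sig = sign(f, b"constructed document", random.Random(2013))
assert verify(pk, sig) and not verify(pk, ([k] * N, sig[1], sig[2]))
```

Because the accepted window $[-(k-b), k-b]$ always fits inside $[-k, k]$ whatever $f \star c$ is, the acceptance probability per attempt is the same for every key, which is the property that stops the transcript from leaking.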

Partial FFT and Lattice Problems 19

Lattices Associated to Partial-FFTs

For simplicity, we will suppose that $T = \{0, 1, \dots, t-1\}$. For a given public key $\mathcal F_T(f)$, consider the lattice $L_f$ spanned by the rows of the $N + 1 + t$ dimensional matrix

$$
\begin{pmatrix}
1 & 0 & \cdots & 0 & 0 & 1 & 1 & \cdots & 1 \\
0 & 1 & \cdots & 0 & 0 & 1 & w & \cdots & w^{t-1} \\
\vdots & & \ddots & \vdots & \vdots & \vdots & & \ddots & \vdots \\
0 & 0 & \cdots & 1 & 0 & 1 & w^{N-1} & \cdots & w^{(t-1)(N-1)} \\
0 & 0 & \cdots & 0 & 1 & \hat f_0 & \hat f_1 & \cdots & \hat f_{t-1} \\
0 & 0 & \cdots & 0 & 0 & q & 0 & \cdots & 0 \\
0 & 0 & \cdots & 0 & 0 & 0 & q & \cdots & 0 \\
\vdots & & \ddots & \vdots & \vdots & \vdots & & \ddots & \vdots \\
0 & 0 & \cdots & 0 & 0 & 0 & 0 & \cdots & q
\end{pmatrix}
$$

The lattice $L_f$ contains the short target vector

$$\tau_f = [\,f \mid 1 \mid 0\,].$$

Partial FFT and Lattice Problems 20

Lattice Reduction Solution of SVR-PFFT

One can reduce the lattice dimension (without reducing the discriminant) by noting that $\tau_f$ lies in

$$L'_f = L_f \cap (\mathbb R^{N+1} \times 0).$$

Recovering $\tau_f$ is a standard shortest vector problem whose difficulty may be estimated experimentally using (say) LLL-BKZ or other lattice reduction algorithms.

If we take $\#S = \#T \approx \tfrac12 N$, then recovering f and m are equally difficult, and our lattice problem has

$$\dim(L'_f) \approx N \quad\text{and}\quad \operatorname{Disc}(L'_f) \approx q^{N/2},$$

so

$$\frac{\text{length of target } \tau_f}{\text{Gaussian expected value}} \approx \sqrt{\frac{\pi e}{2q}} \approx \frac{2}{\sqrt q}.$$

In Conclusion 21

Directions and Questions

• The FFT is a ring homomorphism, and inversion of the partial-FFT of small vectors is a hard problem. So SVR-PFFT seems like a natural candidate for (leveled) homomorphic encryption.

• There is a hybrid PASS–NTRU encryption scheme that has some interesting operating characteristics in terms of tradeoffs between the difficulty of key recovery and plaintext recovery via lattice reduction.

• Both PASSEncrypt and PASSSign are “quantum resistant” in the sense that there are no known quantum algorithms to efficiently solve their underlying hard (lattice) problems.

I want to thank you for your attention, and Kristen Lauter and her group for inviting me to speak.
