Lecture Notes in Computer Science 10770

Michel Abdalla, Ricardo Dahab (Eds.)

Public-Key Cryptography – PKC 2018
21st IACR International Conference on Practice and Theory of Public-Key Cryptography
Rio de Janeiro, Brazil, March 25–29, 2018
Proceedings, Part II

Lecture Notes in Computer Science (commenced publication in 1973). Founding and former series editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen.

Editorial Board: David Hutchison, Lancaster University, Lancaster, UK; Takeo Kanade, Carnegie Mellon University, Pittsburgh, PA, USA; Josef Kittler, University of Surrey, Guildford, UK; Jon M. Kleinberg, Cornell University, Ithaca, NY, USA; Friedemann Mattern, ETH Zurich, Zurich, Switzerland; John C. Mitchell, Stanford University, Stanford, CA, USA; Moni Naor, Weizmann Institute of Science, Rehovot, Israel; C. Pandu Rangan, Indian Institute of Technology, Madras, India; Bernhard Steffen, TU Dortmund University, Dortmund, Germany; Demetri Terzopoulos, University of California, Los Angeles, CA, USA; Doug Tygar, University of California, Berkeley, CA, USA; Gerhard Weikum, Max Planck Institute for Informatics, Saarbrücken, Germany.

More information about this series at http://www.springer.com/series/7410

Editors: Michel Abdalla, CNRS and École Normale Supérieure, Paris, France. Ricardo Dahab, University of Campinas, Campinas, SP, Brazil.

ISSN 0302-9743; ISSN 1611-3349 (electronic). Lecture Notes in Computer Science. ISBN 978-3-319-76580-8; ISBN 978-3-319-76581-5 (eBook). https://doi.org/10.1007/978-3-319-76581-5. Library of Congress Control Number: 2018934351. LNCS Sublibrary: SL4 – Security and Cryptology.

© International Association for Cryptologic Research 2018. This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, express or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. Printed on acid-free paper. This Springer imprint is published by the registered company Springer International Publishing AG, part of Springer Nature. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Preface

The 21st IACR International Conference on Practice and Theory of Public-Key Cryptography (PKC 2018) was held March 25–29, 2018, in Rio de Janeiro, Brazil. The conference is sponsored by the International Association for Cryptologic Research (IACR) and focuses on all technical aspects of public-key cryptography. These proceedings consist of two volumes including 49 papers that were selected by the Program Committee from 186 submissions. Each submission was assigned to at least three reviewers, while submissions co-authored by Program Committee members received at least four reviews. Following the initial reviewing phase, the submissions were discussed over a period of five weeks. During this discussion phase, the Program Committee used quite intensively a recent feature of the review system, which allows Program Committee members to anonymously ask questions to the authors.

The reviewing and selection process was a challenging task and I am deeply grateful to the Program Committee members and external reviewers for their hard and thorough work. Many thanks also to Shai Halevi for his assistance with the Web submission and review software and for his constant availability. The conference program also included invited talks by Elette Boyle (IDC Herzliya, Israel) and Hugo Krawczyk (IBM Research, USA). I would like to thank both of them as well as all the other speakers for their contributions to the program. Finally, I would like to thank Ricardo Dahab, the general chair, for organizing a great conference and all the conference attendees for making this a truly intellectually stimulating event through their active participation.

March 2018, Michel Abdalla

PKC 2018, 21st International Conference on Practice and Theory of Public-Key Cryptography, Rio de Janeiro, Brazil, March 25–29, 2018. Sponsored by the International Association for Cryptologic Research.

General Chair: Ricardo Dahab, University of Campinas, Brazil
Program Chair: Michel Abdalla, CNRS and École Normale Supérieure, France

Program Committee
Shweta Agrawal, Indian Institute of Technology, Madras, India
Prabhanjan Ananth, UCLA and MIT, USA
Diego Aranha, University of Campinas, Brazil
Mihir Bellare, University of California, San Diego, USA
Chris Brzuska, Hamburg University of Technology, Germany
Dario Catalano, Università di Catania, Italy
Jie Chen, East China Normal University, China
Yilei Chen, Boston University, USA
Céline Chevalier, Université Panthéon-Assas Paris 2, France
Kai-Min Chung, Academia Sinica, Taiwan
Dana Dachman-Soled, University of Maryland, USA
Bernardo David, Tokyo Institute of Technology, Japan
Léo Ducas, CWI Amsterdam, The Netherlands
Nico Döttling, FAU Erlangen-Nürnberg, Germany
Pierre-Alain Fouque, Rennes University, France
Sergey Gorbunov, University of Waterloo, Canada
Aurore Guillevic, Inria, France
Carmit Hazay, Bar-Ilan University, Israel
Julia Hesse, Karlsruhe Institute of Technology, Germany
Zahra Jafargholi, Aarhus University, Denmark
Tibor Jager, Paderborn University, Germany
Bhavana Kanukurthi, Indian Institute of Science, India
Markulf Kohlweiss, Microsoft Research and University of Edinburgh, UK
Adeline Langlois, CNRS and Rennes University, France
Payman Mohassel, Visa Research, USA
Ryo Nishimaki, NTT Secure Platform Labs, Japan
Alain Passelègue, UCLA, USA
Arpita Patra, Indian Institute of Science, India
Antigoni Polychroniadou, Cornell University, USA
Carla Ràfols Salvador, Universitat Pompeu Fabra, Spain
Alessandra Scafuro, North Carolina State University, USA
Christian Schaffner, University of Amsterdam & QuSoft, The Netherlands
Gil Segev, Hebrew University, Israel
Jae Hong Seo, Myongji University, South Korea
Qiang Tang, New Jersey Institute of Technology, USA
Mehdi Tibouchi, NTT Secure Platform Laboratories, Japan
Bogdan Warinschi, University of Bristol, UK
Mor Weiss, Northeastern University, USA

Additional Reviewers
Masayuki Abe, Shashank Agrawal, Erdem Alkım, Nuttapong Attrapadung, Saikrishna Badrinarayanan, Shi Bai, Christian Badertscher, Hridam Basu, Balthazar Bauer, Carsten Baum, Pascal Bemmann, Fabrice Benhamouda, David Bernhard, Pauline Bert, Olivier Blazy, Guillaume Bonnoron, Niek Bouman, Florian Bourse, Jacqueline Brendel, Ran Canetti, Guilhem Castagnos, Suvradip Chakraborty, Nishanth Chandran, Sanjit Chatterjee, Binyi Chen, Long Chen, Rongmao Chen, Yu Chen, Nai-Hui Chia, Arka Rai Choudhuri, Ashish Choudhury, Peter Chvojka, Michele Ciampi, Ran Cohen, Sandro Coretti, Craig Costello, Geoffroy Couteau, Jan Czajkowski, Anders Dalskov, Luca De Feo, Jean Paul Degabriele, David Derler, Apoorvaa Deshpande, Mario Di Raimondo, Luis J. Dominguez Perez, Rafael Dowsley, Yfke Dulek, Lisa Eckey, Andrew Ellis, Lucas Enloe, Naomi Ephraim, Thomas Espitau, Leo Fan, Xiong Fan, Antonio Faonio, Prastudy Fauzi, Armando Faz-Hernández, Rex Fernando, Houda Ferradi, Claus Fieker, Dario Fiore, Marc Fischlin, Benjamin Fuller, Philippe Gaborit, Nicolas Gama, Chaya Ganesh, Romain Gay, Kai Gellert, Ran Gelles, Nicholas Genise, Paul Germouty, Essam Ghadafi, Satrajit Ghosh, Irene Giacomelli, Huijing Gong, Junqing Gong, Alonso González, Conrado Porto Lopes Gouvêa, Rishab Goyal, Paul Grubbs, Siyao Guo, Divya Gupta, Kyoohyung Han, Javier Herranz, Justin Holmgren, Kristina Hostakova, Zhengan Huang, Andreas Huelsing, Robin Hui, Shih-Han Hung, Aaron Hutchinson, Ilia Iliashenko, Sorina Ionica, Malika Izabachène, Michael Jacobson, Joseph Jaeger, Aayush Jain, Christian Janson, Stacey Jeffery, Saqib Kakvi, Shuichi Katsumata, Natasha Kharchenko, Sam Kim, Taechan Kim, Elena Kirshanova, Fuyuki Kitagawa, Susumu Kiyoshima, Konrad Kohbrok, Lisa Kohl, Ilan Komargodski, Stephan Krenn, Ashutosh Kumar, Rafael Kurek, Eyal Kushilevitz, Russell Lai, Kim Laine, Mario Larangeira, Changmin Lee, Hyung Tae Lee, Kwangsu Lee, Moon Sung Lee, Nikos Leonardos, Iraklis Leontiadis, Qinyi Li, Benoît Libert, Weikai Lin, Feng-Hao Liu, Shengli Liu, Tianren Liu, Alex Lombardi, Vadim Lyubashevsky, Fermi Ma, Gilles Macario-Rat, Varun Madathil, Bernardo Magri, Monosij Maitra, Christian Majenz, Hemanta K. Maji
Giulio Malavolta, Mary Maller, Mark Manulis, Giorgia Azzurra Marson, Takahiro Matsuda, Sogol Mazaheri, Thierry Mefenza, Peihan Miao, Ian Miers, Ameer Mohammed, Paz Morillo, Fabrice Mouhartem, Pratyay Mukherjee, Pierrick Méaux, Gregory Neven, Khoa Nguyen, David Niehues, Luca Nizzardo, Sai Lakshmi Bhavana Obbattu, Cristina Onete, Michele Orrù, Emmanuela Orsini, Jheyne N. Ortiz, Daniel Escudero Ospina, Maris Ozols, Jiaxin Pan, Tapas Pandit, Dimitris Papadopoulos, Filip Pawlega, Thomas Peters, Duong Hieu Phan, Cécile Pierrot, Zaira Pindado, Oxana Poburinnaya, Chen Qian, Elizabeth Quaglia, Liz Quaglia, Ananth Raghunathan, Srinivasan Raghuraman, Somindu C. Ramanna, Divya Ravi, Guénaël Renault, Peter Rindal, Miruna Rosca, Lior Rotem, Kai Samelin, Pratik Sarkar, Sajin Sasy, John Schanck, Peter Scholl, Dominique Schröder, Adam Sealfon, Sruthi Sekar, Nicolas Sendrier, Barak Shani, Abhishek Shetty, Javier Silva, Mark Simkin, Luisa Siniscalchi, Daniel Slamanig, Ben Smith, Fang Song, Eduardo Soria-Vazquez, Akshayaram Srinivasan, Ron Steinfeld, Mario Strefler, Christoph Striecks, Atsushi Takayasu, Benjamin Hong Meng Tan, Emmanuel Thomé, Sri Aravinda Thyagarajan, Ni Trieu, Rotem Tsabary, Jorge L. Villar, Dhinakaran Vinayagamurthy, Satyanarayana Vusirikala, Riad S. Wahby, Kun-Peng Wang, Mingyuan Wang, Xiao Wang, Yuyu Wang, Yohei Watanabe, Weiqiang Wen, Benjamin Wesolowski, David Wu, Keita Xagawa


Rounded Gaussians (Andreas Hülsing, Tanja Lange, Kit Smeets), Appendix, p. 745

The statements in the lemmas proven here differ slightly from those in [16] but serve analogous purposes. First we look at the inner product of a rounded Gaussian variable with any vector in $\mathbb{R}^m$.

Lemma A.1. For any fixed vector $u \in \mathbb{R}^m$ and any $\sigma, r > 0$, we have
$$\Pr\left[\,|\langle z + y, u\rangle| > r;\ z \leftarrow R^m_\sigma\,\right] \le 2e^{-r^2/(2\|u\|^2\sigma^2)},$$
where $y \in [-\tfrac12, \tfrac12]^m$ minimizes $\exp\!\left(\tfrac{1}{\sigma^2}\langle z + y, u\rangle\right)$.

Proof. Let $u \in \mathbb{R}^m$ be fixed and let $y \in [-\tfrac12, \tfrac12]^m$ be such that $\exp\!\left(\tfrac{1}{\sigma^2}\langle z + y, u\rangle\right)$ is minimized. For any $t > 0$ we have for the expectation of $\exp\!\left(\tfrac{t}{\sigma^2}\langle z+y,u\rangle\right)$, taken over all $z$ sampled from $R^m_\sigma$:
$$\begin{aligned}
\mathbb{E}\left[\exp\!\left(\tfrac{t}{\sigma^2}\langle z+y,u\rangle\right)\right]
&= \sum_{z\in\mathbb{Z}^m} \Pr[z]\,\exp\!\left(\tfrac{1}{\sigma^2}\langle z+y,tu\rangle\right)\\
&= \sum_{z\in\mathbb{Z}^m} \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \int_{A_z} \exp\!\left(-\tfrac{\|x\|^2}{2\sigma^2}\right)dx\ \exp\!\left(\tfrac{1}{\sigma^2}\langle z+y,tu\rangle\right)\\
&\le \sum_{z\in\mathbb{Z}^m} \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \int_{A_z} \exp\!\left(-\tfrac{\|x\|^2}{2\sigma^2}\right)\exp\!\left(\tfrac{1}{\sigma^2}\langle x,tu\rangle\right)dx\\
&= \sum_{z\in\mathbb{Z}^m} \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \int_{A_z} \exp\!\left(-\tfrac{\|x-tu\|^2}{2\sigma^2}\right)dx\ \exp\!\left(\tfrac{t^2\|u\|^2}{2\sigma^2}\right)\\
&= \exp\!\left(\tfrac{t^2\|u\|^2}{2\sigma^2}\right)\sum_{z\in\mathbb{Z}^m} R^m_{tu,\sigma}(z) = \exp\!\left(\tfrac{t^2\|u\|^2}{2\sigma^2}\right),
\end{aligned}$$
where the inequality uses the choice of $y$ (for every $x \in A_z$ we have $\langle z+y,tu\rangle \le \langle x,tu\rangle$), the following equality completes the square ($-\|x\|^2 + 2\langle x,tu\rangle = -\|x-tu\|^2 + t^2\|u\|^2$), and the last equality follows from $\sum_{z\in\mathbb{Z}^m} R^m_{tu,\sigma}(z) = 1$, because it is the sum over the entire range of the probability mass function of the rounded Gaussian centred at $tu$.

We proceed to prove the claim of the lemma by applying Markov's inequality first and then the above result. For any $t > 0$ we have
$$\Pr[\langle z+y,u\rangle > r] = \Pr\left[\exp\!\left(\tfrac{t}{\sigma^2}\langle z+y,u\rangle\right) > \exp\!\left(\tfrac{tr}{\sigma^2}\right)\right] \le \frac{\mathbb{E}\left[\exp\!\left(\tfrac{t}{\sigma^2}\langle z+y,u\rangle\right)\right]}{\exp(tr/\sigma^2)} \le \exp\!\left(\frac{t^2\|u\|^2 - 2tr}{2\sigma^2}\right).$$
The function on the right assumes its minimum at $t = r/\|u\|^2$, so we get $\Pr[\langle z+y,u\rangle > r] \le \exp\!\left(-r^2/(2\|u\|^2\sigma^2)\right)$. Because the distribution is symmetric around the origin we also know $\Pr[\langle z+y,u\rangle < -r] \le \exp\!\left(-r^2/(2\|u\|^2\sigma^2)\right)$. By applying the union bound to the two inequalities, we get the probability for $|\langle z+y,u\rangle| > r$, which results in the claim of the lemma. $\square$

Lemma A.2. Under the conditions of Lemma A.1 we have:
1. For any $k\sigma > \tfrac14(\sigma+1)$ and $\sigma \ge 1$: $\Pr\left[|z| > k\sigma;\ z \leftarrow R^1_\sigma\right] \le 2e^{-(k-\frac12)^2/2}$.
2. For any $z \in \mathbb{Z}^m$ and $\sigma \ge \sqrt{2/\pi}$: $R^m_\sigma(z) \le 2^{-m}$.
3. For any $k > 1$: $\Pr\left[\|z\| > k\sigma\sqrt m;\ z \leftarrow R^m_\sigma\right] < 2k^m e^{\frac m2(1-k^2)}$.

Proof. Item 1 follows from Lemma A.1 by substituting $m = 1$, $r = k\sigma - \tfrac12$ and $u = 1$. This gives $|z+y| = |z| - \tfrac12 > r = k\sigma - \tfrac12$, in other words $|z| > k\sigma$. Then we have for the upper bound of the probability
$$\exp\!\left(-\frac{r^2}{2\|u\|^2\sigma^2}\right) = \exp\!\left(-\frac{(k\sigma-\frac12)^2}{2\sigma^2}\right) \le \exp\!\left(-\frac{(k-\frac12)^2\sigma^2}{2\sigma^2}\right) = \exp\!\left(-\frac{(k-\frac12)^2}{2}\right),$$
where we use $-(k\sigma-\tfrac12)^2 \le -(k-\tfrac12)^2\sigma^2$ for $\sigma \ge 1$ in the inequality. Note that for $0.44 < k < 1.89$ Item 1 actually provides a better bound.

To prove Item 2, we write
$$R^m_\sigma(z) = \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \int_{A_z} e^{-\|x\|^2/(2\sigma^2)}dx \le \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \cdot \max_{x\in A_z} e^{-\|x\|^2/(2\sigma^2)} \cdot \mathrm{vol}(A_z) \le \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m,$$
where the first inequality follows from the fact that the integral of a continuous function over a bounded area is bounded from above by the maximum of the function on the area times the volume of the area. The second inequality follows from the fact that the volume of the area $A_z$ is equal to 1 and $e^{-\|x\|^2/(2\sigma^2)} \le 1$ for all $x \in A_z$, for all $z \in \mathbb{Z}^m$. Thus if $\sigma \ge \sqrt{2/\pi}$, we have $R^m_\sigma(z) \le 2^{-m}$.

For Item 3, we write
$$\Pr\left[\|z\| > k\sigma\sqrt m;\ z\leftarrow R^m_\sigma\right] = \sum_{\substack{z\in\mathbb{Z}^m\\ \|z\|>k\sigma\sqrt m}} \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \int_{A_z} e^{-\|x\|^2/(2\sigma^2)}dx \le \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \sum_{\substack{z\in\mathbb{Z}^m\\ \|z\|>k\sigma\sqrt m}} \max_{x\in A_z} e^{-\|x\|^2/(2\sigma^2)}\cdot\mathrm{vol}(A_z) = \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \sum_{\substack{z\in\mathbb{Z}^m\\ \|z\|>k\sigma\sqrt m}} e^{-\|z+y\|^2/(2\sigma^2)}, \qquad (2)$$
where $y \in [-\tfrac12,\tfrac12]^m$ is chosen such that the maximum is attained, i.e. for each $z_i$ we pick $y_i$, $i = 1,\dots,m$, as
$$y_i = \begin{cases} -\tfrac12 & \text{if } z_i > 0,\\ 0 & \text{if } z_i = 0,\\ \tfrac12 & \text{if } z_i < 0.\end{cases} \qquad (3)$$
We use the second part of a lemma by Banaszczyk [2, Lemma 1.5], saying that for each $c \ge 1/\sqrt{2\pi}$, lattice $L$ of dimension $m$ and $u \in \mathbb{R}^m$, we have
$$\sum_{z\in L,\ \|z\|>c\sqrt m} e^{-\pi\|z+u\|^2} < 2\left(c\sqrt{2\pi e}\,e^{-\pi c^2}\right)^m \sum_{z\in L} e^{-\pi\|z\|^2},$$
and put $u = y$. If we scale the lattice $L$ by a factor of $1/s$ for some constant $s$, we have for all $s$
$$\sum_{z\in L,\ \|z\|>cs\sqrt m} e^{-\pi\|z+y\|^2/s^2} < 2\left(c\sqrt{2\pi e}\,e^{-\pi c^2}\right)^m \sum_{z\in L} e^{-\pi\|z\|^2/s^2}.$$
Setting $L = \mathbb{Z}^m$ and $s = \sqrt{2\pi}\sigma$, we obtain
$$\sum_{z\in\mathbb{Z}^m,\ \|z\|>c\sqrt{2\pi}\sigma\sqrt m} e^{-\|z+y\|^2/(2\sigma^2)} < 2\left(c\sqrt{2\pi e}\,e^{-\pi c^2}\right)^m \sum_{z\in\mathbb{Z}^m} e^{-\|z\|^2/(2\sigma^2)}.$$
Finally, by setting $c = k/\sqrt{2\pi}$ (so that $c\sqrt{2\pi e}\,e^{-\pi c^2} = k\,e^{(1-k^2)/2}$) and applying this to Eq. (2), we get
$$\Pr\left[\|z\| > k\sigma\sqrt m;\ z\leftarrow R^m_\sigma\right] < 2k^m e^{\frac m2(1-k^2)} \left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \sum_{z\in\mathbb{Z}^m} e^{-\|z\|^2/(2\sigma^2)}.$$
The remaining factor $\left(\tfrac{1}{\sqrt{2\pi}\sigma}\right)^m \sum_{z\in\mathbb{Z}^m} \exp(-\|z\|^2/(2\sigma^2))$ is the Gaussian density summed over the integer lattice; by Poisson summation it equals $\left(1 + 2\sum_{j\ge1} e^{-2\pi^2\sigma^2j^2}\right)^m$, i.e. it is 1 up to a factor $1 + O(m\,e^{-2\pi^2\sigma^2})$, which is indistinguishable from 1 for the $\sigma \ge 1$ considered here. Thus we have
$$\Pr\left[\|z\| > k\sigma\sqrt m;\ z\leftarrow R^m_\sigma\right] < 2k^m e^{\frac m2(1-k^2)}. \qquad\square$$

The following is the proof of Lemma 3.1 from Sect. 3.

Proof. By definition we have
$$\frac{R^m_\sigma(z)}{R^m_{v,\sigma}(z)} = \frac{\int_{A_z}\rho^m_\sigma(x)\,dx}{\int_{A_z}\rho^m_{v,\sigma}(x)\,dx} = \frac{\int_{A_z}\exp(-\|x\|^2/(2\sigma^2))\,dx}{\int_{A_z}\exp(-\|x-v\|^2/(2\sigma^2))\,dx} \le \frac{\max_{x\in A_z} e^{-\|x\|^2/(2\sigma^2)}\cdot\mathrm{vol}(A_z)}{\min_{x\in A_z} e^{-\|x-v\|^2/(2\sigma^2)}\cdot\mathrm{vol}(A_z)} = \frac{\exp(-\|z+y_1\|^2/(2\sigma^2))}{\exp(-\|z-v+y_2\|^2/(2\sigma^2))},$$
where the inequality follows from the fact that the integral of a continuous function over a bounded area is bounded from above by its maximum on the area times the volume of the area, and from below by its minimum on the area times the volume; $y_1 \in [-\tfrac12,\tfrac12]^m$ is chosen such that the maximum is achieved for $z+y_1$, and $y_2 \in [-\tfrac12,\tfrac12]^m$ is chosen such that the minimum is achieved for $z-v+y_2$. In other words, $y_1$ is defined as in Eq. (3), and for $y_2 \in [-\tfrac12,\tfrac12]^m$ we have for each $z_i - v_i$, $i = 1,\dots,m$:
$$y_{2,i} = \begin{cases} -\tfrac12 & \text{if } z_i < v_i,\\ \tfrac12 & \text{if } z_i \ge v_i.\end{cases} \qquad (4)$$
This results in the following formula:
$$\frac{e^{-\|z+y_1\|^2/(2\sigma^2)}}{e^{-\|z-v+y_2\|^2/(2\sigma^2)}} = \exp\!\left(\frac{\|y_2\|^2 - \|y_1\|^2 + 2\langle z, y_2-y_1\rangle - 2\langle z+y_2, v\rangle + \|v\|^2}{2\sigma^2}\right).$$
We want to combine $\|y_2\|^2 - \|y_1\|^2 + 2\langle z,y_2-y_1\rangle$ with the inner product $\langle z+y_2,v\rangle$ into an inner product of the form $\langle z+y, v+a\rangle$ for some $a$, where $y \in [-\tfrac12,\tfrac12]^m$ minimizes $\langle z+y,v+a\rangle$, such that we can apply Lemma A.1 with $u = v+a$. We can write
$$\|y_2\|^2 - \|y_1\|^2 + 2\langle z,y_2-y_1\rangle = \sum_{i=1}^m \left(y_{2,i}^2 - y_{1,i}^2 + 2z_i(y_{2,i}-y_{1,i})\right).$$
Using the definitions of $y_{1,i}$ and $y_{2,i}$, for $i = 1,\dots,m$ we get the following expression:
$$y_{2,i}^2 - y_{1,i}^2 + 2z_i(y_{2,i}-y_{1,i}) = \begin{cases} -2z_i & \text{if } z_i < v_i \wedge z_i < 0,\\ \tfrac14 & \text{if } z_i = 0,\\ 2z_i & \text{if } z_i \ge v_i \wedge z_i > 0,\\ 0 & \text{otherwise.}\end{cases} \qquad (5)$$
To create an upper bound of the form $-2\langle z+y,a\rangle$, where $y \in [-\tfrac12,\tfrac12]^m$ minimizes $\langle z+y,a\rangle$, we need to determine an expression for $a$, i.e. we determine $a_i$ such that it fits Eq. (5). For the coordinates $i = 1,\dots,m$ we have
$$-2a_iz_i - 2a_iy_i = \begin{cases} -2a_iz_i + a_i & \text{if } z_i < 0,\\ -a_i & \text{if } z_i = 0,\\ -2a_iz_i - a_i & \text{if } z_i > 0,\end{cases} \qquad\Rightarrow\qquad a_i = \begin{cases} -\dfrac{2z_i}{1-2z_i} & \text{if } z_i < 0,\\[4pt] -\dfrac14 & \text{if } z_i = 0,\\[4pt] -\dfrac{2z_i}{2z_i+1} & \text{if } z_i > 0.\end{cases}$$
Now we can write $\sum_{i=1}^m \left(y_{2,i}^2 - y_{1,i}^2 + 2z_i(y_{2,i}-y_{1,i})\right) \le -2\langle z+y,a\rangle$, where $a$ is chosen as above such that $|a_i| \le 1$ for $i = 1,\dots,m$ and $y$ minimizes $\langle z+y,a\rangle$. Given $y_2$ and $y$, we can write $y_2 = y + b$, where we pick $b_i \in \{-1,0,1\}$ for $i = 1,\dots,m$ such that the equation holds. Then we can write $\langle z+y_2,v\rangle = \langle z+y,v\rangle + \langle b,v\rangle$. We have
$$|2\langle b,v\rangle| = \left|\sum_{i=1}^m 2b_iv_i\right| \le 2\|v\|^2,$$
because $b_i \in \{-1,0,1\}$, dependent on the values of $z_i$ and $v_i$, and $v$ is an integer vector (so $|v_i| \le v_i^2$). Combining these bounds and applying them to the previous result gives us
$$\exp\!\left(\frac{\|y_2\|^2-\|y_1\|^2+2\langle z,y_2-y_1\rangle - 2\langle z+y_2,v\rangle + \|v\|^2}{2\sigma^2}\right) \le \exp\!\left(\frac{-2\langle z+y,a\rangle - 2\langle z+y,v\rangle - 2\langle b,v\rangle + \|v\|^2}{2\sigma^2}\right) \le \exp\!\left(\frac{-2\langle z+y,v+a\rangle + 3\|v\|^2}{2\sigma^2}\right).$$
Lemma A.1, applied with $u = v+a$ and $r = \sigma\sqrt{2\log m}\,\|v+a\|$, tells us that $|\langle z+y,v+a\rangle| \le \sigma\sqrt{2\log m}\,\|v+a\|$ with probability at least $1 - 2e^{-\log m}$, provided $y$ minimizes $\langle z+y,v+a\rangle$ and $v+a \in \mathbb{R}^m$. Since both conditions hold, we have
$$\exp\!\left(\frac{-2\langle z+y,v+a\rangle + 3\|v\|^2}{2\sigma^2}\right) \le \exp\!\left(\frac{2\sigma\sqrt{2\log m}\,\|v+a\| + 3\|v\|^2}{2\sigma^2}\right) = \exp\!\left(\frac{\sqrt{2\log m}\,\|v+a\|}{\sigma} + \frac{3\|v\|^2}{2\sigma^2}\right) < \exp\!\left(\frac{\sqrt2\,\|v+a\|}{\|v\|} + \frac{3}{2\log m}\right) = O(1),$$
where the second inequality uses $\sigma = \omega(\|v\|\sqrt{\log m})$ and the final equality uses $a$ being small. $\square$

A.1 Comparison of Proofs for Rounded Gaussians vs. Discrete Gaussians

As we have mentioned at the beginning of this section, the theorems and proofs follow the line of the theorems and proofs of Lyubashevsky [16] closely. Here we give a quick overview of the changes made in the lemmas and theorems, beyond replacing the discrete Gaussian with the rounded Gaussian. We do not state in detail where the proofs differ, since we require different techniques to end up with similar results.

In Lemma A.1 we use $\langle z+y,u\rangle$ with $y \in [-\tfrac12,\tfrac12]^m$ minimizing $\exp\!\left(\tfrac{1}{\sigma^2}\langle z+y,u\rangle\right)$ instead of the $\langle z,u\rangle$ that is used in [16, Lemma 4.3]. In Lemma A.2 we require for Item 1 that $k\sigma > \tfrac14(\sigma+1)$ and $\sigma \ge 1$ instead of the $k > 0$ from [16, Lemma 4.4]. Next to that, we get that the probability is $< 2\exp(-(k-\tfrac12)^2/2)$ instead of $< 2\exp(-k^2/2)$. For Item 2 we have $\sigma \ge \sqrt{2/\pi}$ instead of $\sigma \ge 3/\sqrt{2\pi}$. For Item 3 we have $2k^m e^{\frac m2(1-k^2)}$ instead of $k^m e^{\frac m2(1-k^2)}$. Theorem 3.1 follows through directly based on the previous lemmas.

B Rényi Divergence

An adversary wins if within $q_s$ signing queries he can distinguish the perfect scheme from an implementation thereof, or if he breaks the scheme with the perfect implementation. We will upper bound the success probability of any such adversary depending on the precision used in the computation. First we analyze the statistical distance (SD) and then Rényi divergences (RD) of order 1 and $\infty$ (Definition 5.1). Based on [1] we expect a lower precision requirement from the RD analysis. We use the definition of Rényi divergence as given in [1] and copy the relevant properties of RD from there; see [25] for a proof of the following lemmas, and note that the definitions agree up to taking logarithms. For completeness we include the statistical distance.

Definition B.1. The statistical distance $\Delta(P;Q)$ between two discrete probability functions $P$ and $Q$ is defined by
$$\Delta(P;Q) = \frac12 \sum_{x\in V} |P(x) - Q(x)|,$$
where $V = \mathrm{Supp}(P) \cup \mathrm{Supp}(Q)$ denotes the union of the support of $P$ and the support of $Q$.

Definition B.2. For any two discrete probability distributions $P$ and $Q$ such that $\mathrm{Supp}(P) \subseteq \mathrm{Supp}(Q)$, the Rényi divergence of order 1 is defined by
$$RD_1(P\,\|\,Q) = \exp\!\left(\sum_{x\in\mathrm{Supp}(P)} P(x)\log\frac{P(x)}{Q(x)}\right).$$

For RD the measures are related multiplicatively.
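Before the multiplicativity and probability-preservation properties of RD are stated, here is the one-dimensional rounded Gaussian $R_\sigma$ of Appendix A in code: its exact probability mass function via the error function, a Box–Muller sampler with the tail cut $|z| \le \tau\sigma$, the bounds of Lemma A.2 (Items 1 and 2 for $m = 1$), and the statistical distance of Definition B.1 between the sampler's empirical distribution and the exact one. This is an added example by the editor, not code from the paper or from the BLISS implementation; the values of $\sigma$, $\tau$, the sample count and the seed are illustrative choices made here, and the sampler is a readable reference version, not the constant-time one the paper is about.

```python
"""Rounded Gaussian R_sigma in dimension 1: exact pmf, Box-Muller sampler with
tail cut, the bounds of Lemma A.2 (Items 1 and 2), and the statistical distance
of Definition B.1.  Added example; sigma/tau/n/seed below are illustrative values
chosen by the editor, not parameters from the paper."""
import math
import random
from collections import Counter


def rounded_gaussian_pmf(sigma: float, z: int) -> float:
    """R_sigma(z) = Pr[x in A_z] for x ~ N(0, sigma^2), A_z = [z - 1/2, z + 1/2)."""
    s = sigma * math.sqrt(2.0)
    return 0.5 * (math.erf((z + 0.5) / s) - math.erf((z - 0.5) / s))


def sample_rounded_gaussian(sigma: float, tau: float, rng: random.Random) -> int:
    """Box-Muller: x ~ N(0, sigma^2), rounded to the nearest integer.
    Samples beyond the tail cut |z| > tau*sigma are rejected (a negligible
    event by Lemma A.2, Item 1).  Reference code only: the float math and the
    rejection loop are not constant time."""
    while True:
        u1, u2 = rng.random(), rng.random()          # u1 in [0,1): use 1-u1 so log(0) cannot occur
        x = sigma * math.sqrt(-2.0 * math.log(1.0 - u1)) * math.cos(2.0 * math.pi * u2)
        z = math.floor(x + 0.5)                      # nearest integer
        if abs(z) <= tau * sigma:
            return z


def tail_probability(sigma: float, k: float) -> float:
    """Exact Pr[|z| > k*sigma; z <- R_sigma]: the mass outside [-floor(k sigma), floor(k sigma)]."""
    b = math.floor(k * sigma)
    return 1.0 - sum(rounded_gaussian_pmf(sigma, z) for z in range(-b, b + 1))


def lemma_a2_item1_bound(k: float) -> float:
    """Upper bound 2 exp(-(k - 1/2)^2 / 2) of Lemma A.2, Item 1 (for sigma >= 1)."""
    return 2.0 * math.exp(-((k - 0.5) ** 2) / 2.0)


def lemma_a2_item2_holds(sigma: float) -> bool:
    """Item 2 in dimension 1: R_sigma(z) <= 1/2 for all z when sigma >= sqrt(2/pi).
    The pmf is maximal at z = 0, so checking z = 0 suffices."""
    return rounded_gaussian_pmf(sigma, 0) <= 0.5


def statistical_distance(p: dict, q: dict) -> float:
    """Delta(P; Q) = 1/2 * sum_x |P(x) - Q(x)| over the union of supports (Definition B.1)."""
    return 0.5 * sum(abs(p.get(x, 0.0) - q.get(x, 0.0)) for x in set(p) | set(q))


def empirical_vs_exact_distance(sigma: float, tau: float, n: int, seed: int) -> float:
    """Statistical distance between the empirical distribution of n sampler outputs
    and the exact pmf restricted to the tail-cut support [-tau sigma, tau sigma]."""
    rng = random.Random(seed)
    counts = Counter(sample_rounded_gaussian(sigma, tau, rng) for _ in range(n))
    empirical = {z: c / n for z, c in counts.items()}
    b = math.floor(tau * sigma)
    exact = {z: rounded_gaussian_pmf(sigma, z) for z in range(-b, b + 1)}
    return statistical_distance(empirical, exact)


if __name__ == "__main__":
    sigma, k = 2.0, 3.0
    print("Pr[|z| > 3 sigma] =", tail_probability(sigma, k), "<=", lemma_a2_item1_bound(k))
    print("Item 2 at sigma = sqrt(2/pi):", lemma_a2_item2_holds(math.sqrt(2.0 / math.pi)))
    print("Delta(empirical, exact) =", empirical_vs_exact_distance(sigma, tau=6.0, n=20000, seed=1))
```

The pmf is computed from the Gaussian CDF rather than by numerical integration, so it can be evaluated for every $z$ in the tail-cut range and summed exactly; this is what makes the statistical-distance check deterministic enough to use as a regression test for a sampler implementation.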
understanding of the precision needed for our sampler in BLISS After this we analyze two different kinds of RD, since we expect that the required floating point precision will be smaller, because the bounds are tighter for other samplers At the end of this section, we compare all of these bounds on the precision SD-based analysis We follow [1] in assuming that any forging adversary A with success probability ≤ δ on the scheme implemented with the perfect mq rounded Gaussian sampling has a success probability ≤ δ + Δ(R σ s ; Rσmqs ) against the scheme implemented with the truncated rounded Gaussian sampling, with Rσmqs , i.e the success probability on the truncated scheme is upper bounded by the success probability on the perfect scheme δ and the extra informq mation we gain by comparing the distributions R σ s and Rσmqs For a target success probability we have to choose δ ≤ /2 for the success probability on the perfect scheme and we want to determine the lower bound on p such that mq Δ(R σ s ; Rσmqs ) ≤ /2 By the union bound this means that we require Δ(R σ ; Rσ ) ≤ /(mqs ) We only look at values between the tail bounds, i.e z ∈ [−τ σ, τ σ], since any element Rounded Gaussians 751 lying outside of the tail bounds is rejected and thus not in the support of Rσ Next to that, we assume that er , el ≤ 2−p τ σ, which is the worst case setting Δ(R σ (z); Rσ1 (z)) τσ = ≤ ≤ 1√ 2πσ z=−τ σ τσ z=−τ σ 2 z+ 12 +er √ e−x /(2σ ) dx z− 12 −el 2πσ 2 z− 12 √ e−x /(2σ ) dx z− 12 −|el | 2πσ −1 z=−τ σ +|el | + |er | + ≤ 2−p τ σ 1√ 2πσ τσ + z=1 ≤ 2−p τ σ √ 2πσ −(z− 12 ) 2σ |el | exp τσ exp −(z− 12 ) 2σ τσ exp z=1 −(z+ 12 +|er |) 2σ + |er | exp z=−τ σ −(z− 12 −2−p τ σ ) exp 2σ 1+ 2 z+ 12 +|er | √ e−x /(2σ ) dx z+ 12 2πσ + −(z− 12 −|el |) 2σ |el | exp z=1 −1 2 z+ 12 √ e−x /(2σ ) dx z− 12 2πσ − −(z+ 12 ) 2σ + |er | exp 2 −(z+ 12 +2−p τ σ ) 2σ + exp + exp −(z− 12 −2−p τ σ ) 2σ −(z+ 12 ) 2σ +2 2 + exp −(z+ 12 ) 2σ 2 , where we use in the second to last inequality the assumption that |el |, 
|er | ≤ 2−p τ σ and in the last inequality we note that for z < we have 2 (z− ) (|z|+ ) exp − 2σ22 = exp − 2σ22 , which matches the term in the sum for z > Similarly we have exp − (z+ 12 +2−p τ σ) = exp − 2σ 2 (|z|− 12 −2−p τ σ) 2σ This means that we can group both sums under one sum running from to τ σ, which we need to multiply by to compensate for having both distributions in one sum Note that this result looks like a rounded Gaussian centered around 12 and a rounded Gaussian centered around 12 +2−p τ σ, except that all values for z ≤ are missing Due to the symmetric property of the rounded Gaussian distribution, we know that both rounded Gaussians sum up to ≤ 12 This gives us: 2−p τ σ √ 2πσ 2 τσ 1+ exp z=1 ≤ 2−p τ σ √ 2πσ −(z− 12 −2−p τ σ ) 2σ + + 2 + exp = 2−p τ σ √ 2πσ −(z+ 12 ) 2σ +1 + ≤ ( /2)/(mqs ) Note that < < and thus We require 2−p τ σ √2πσ that log < This means that a smaller requires a higher level of floating point precision This is what we expect; if we want an adversary A to be less likely to be successful, we need to be more precise in our computations If we use the common setting = 2−λ , we get the precision requirement √ √ (6) 2πσ + + λ − log 2πσ + p ≥ log mqs 752 Andreas Hă ulsing, Tanja Lange, Kit Smeets RD1 -based analysis According to [1], if a = we have for an arbitrary event A ⊆ Supp(Q) that Q(A) ≥ P (A) − ln RD1 (P || Q)/2, which is the probability preservation property (Lemma B.2) for a = This means that we have δ ≥ − ln RD1 (R σmqs || Rσmqs ) /2 We follow [1] in bounding the righthand side by /2 By the multiplicative property of the RD over the mqs indemq pendent samples needed for signing qs times, we get RD1 R σ s || Rσmqs ≤ mqs RD1 R σ || Rσ1 Recall that for the ln function we have ln(x) ≤ x − for x > Note that we are working with positive numbers, since probabilities lie between zero and one If we only look at the elements between −τ σ and τ σ, we know that they have a probability > Now we compute the 1-dimensional case ln RD1 R σ 
|| Rσ1 R 1σ (z) (z) Rσ = z∈Supp(R ≤ z∈Supp(R 1) σ 1) σ R σ (z) ln √ 2πσ √ ≤ 2πσ σ) ⎛z∈Supp(R ·⎝ z− z− −|el | R σ (z) z∈Supp(R 1σ⎛ ) z+ 12 +er z− 12 −el x dx ⎝ exp − 2σ z+ 12 +er z− 12 −el x dx exp − 2σ 2 x exp − 2σ dx+ z+ z− ≤ exp 2 z+ +|er | z+ x2 − 2σ dx R 1σ (z) (z) Rσ −1 ⎞ z+ +er x2 exp − 2σ dx z− −el z+ 2 exp − x dx 2σ z− − 1⎠ ⎞ x exp − 2σ dx ⎠ (7) We now want to bound this equation We first look at a bound in the case z > for the following part of the equation: ⎛ z+ +er z− −el 2 x dx ⎝ exp − 2σ ≤ (1 + el + er ) exp · |el | exp z− z− −|el | 2 exp − x 2σ z+ z− 2 −(z− −el ) exp 2σ 2 −(z− −|el |) ≤ (1 + er + el ) |el | exp 2σ dx+ exp z+ +|er | z+ 2 − x dx 2σ exp − x 2σ ⎞ dx ⎠ (z+ )2 2σ + |er | exp 2 −(z+ 2) 2σ −(z+ −2(1+|el |)) +2(1+|el |)2 2σ + |er | exp −(z− −el ) 2σ If we can find an equivalent bound like this for z < and for z = 0, we can use the above formula to bound Eq (7) For z < 0, we have the following equation that gives an upper bound: Rounded Gaussians ⎛ z+ +er z− −el exp x2 − 2σ dx ⎝ ≤ (1 + el + er ) exp exp − x 2σ −(z− 2) ≤ (1 + er + el ) |el | exp exp − x 2σ ⎞ dx ⎠ −(z+ +|er |) + |er | exp 2σ ≤ (1 + er + el ) |el | exp exp z+ +|er | z+ 2 − x dx 2σ (z− )2 2σ exp 2σ dx+ z+ z− 2 −(z+ +er ) · |el | exp +|er | exp z− z− −|el | 753 −(z+ +er ) 2σ 2 −(z− +2(1+|er |)) +2(1+|er |)2 + |er | exp 2σ 2σ 2 −(|z|− −er ) 2σ 2 −(|z|+ −2(1+|er |)) +2(1+|er |)2 2σ This means that we have the same result for z > and z < 0, except that the el ’s change into er ’s and vice versa Since el , er ≤ 2−p τ σ, we end up with the following result for z < and z > 0: ⎛ ⎞ 1 z+ 12 +er z− 12 −el exp x2 − 2σ dx ⎝ z− z− −|el | 2 x exp − 2σ dx+ z+ +|er | z+ x2 − 2σ dx −( ≤ + 2−p+1 τ σ 2−p τ σ exp ⎠ ) + exp x exp − 2σ dx z+ exp z− 2 |z|− −2−p τ σ 2σ 2 −(|z|+ 12 −2(1+2−p τ σ )) +2(1+2−p τ σ ) 2σ Now that we have found a bound for z < and z > 0, we also need to find a bound for z = If z = 0, we have ⎛ ⎞ 1 z+ 12 +er z− 12 −el x dx ⎝ exp − 2σ z− z− −|el | 2 x exp − 2σ dx+ z+ z− exp z+ +|er 
| z+ x2 − 2σ dx x exp − 2σ dx ⎠ ≤ (1 + el + er ) exp 8σ1 |el | exp − 8σ1 + |er | exp − 8σ1 = (1 + el + er ) (|el | + |er |) ≤ + 2−p+1 τ σ 2−p+1 τ σ, where we use el , er < 2−p τ σ in the second inequality Combining the result for z = with the results for z < and z > gives us: ln RD1 R σ || Rσ1 ≤ + 2−p+1 τ σ 2−p+1 τ σ + z∈Supp(R + exp ),z>0 σ √ 2πσ + 2−p+1 τ σ 2−p+1 τ σ exp −(|z|+ 12 −2(1+2−p τ σ )) +2(1+2−p τ σ ) 2σ = + 2−p+1 τ σ 2−p+1 τ σ + + exp 2 −(|z|− 12 −2−p τ σ ) 2σ ∞ √ 2πσ exp z=0 2 −(z+ 12 −2(1+2−p τ σ )) +2(1+2−p τ σ ) 2σ ≤ + 2−p+1 τ σ 2−p+1 τ σ + exp 4σ , −(z− 12 2p ) 2 754 Andreas Hă ulsing, Tanja Lange, Kit Smeets ∞ where we use in the last inequality that z=0 √ 2πσ −(z− 12 −2−p τ σ ) 2σ exp ≤ 1, −p as this sums over parts of a Gaussian centered at −1/2 − τ σ Similarly, ∞ −(z+ 12 −2(1+2−p τ σ )) √ exp ≤ and < (1 + 2−p τ σ) < 32 , since < 2 2σ 2πσ z=0 −p τ σ < 12 We note that we could use the stronger bound τ σ < 2−p/2+1 here, which implies that we can use a smaller number in the exp function However, the goal is to get rid of p with this equation and for this the current estimate is sufficient This means that we can use the equation above to compute the floating mq point precision needed in the RD1 setting First we look at ln RD1 (R σ s || Rσmqs )/2, before we determine the precision p: mq ln RD1 (R σ s || Rσmqs )/2 ≤ mqs ln RD1 (R σ || Rσ1 )/2 s + 2−p+1 τ σ 2−p+1 τ σ + exp 4σ9 ≤ mq = mqs 2−p+1 τ σ + 2 − + exp 4σ If we now bound this expression by /4 and determine p, we know that this p also holds in the setting ln RD1 (R σmqs || Rσmqs )/2 ≤ /2 This results in: mqs 2−p+1 τ σ + ⇔ 2−p+1 τ σ + ⇔ 2−p+1 ≤ 2 ≤ +mq s − 14 + exp 4σ9 2 +mqs (1+exp( 4σ92 )) ≤ 4mqs (1+exp( 4σ92 )) (1+exp( 4σ92 ))− mqs (1+exp( 4σ92 )) 2τ σ mqs (1+exp( 4σ92 )) This means that we have as the floating point precision requirement ⎛ p ≥ log ⎝ τσ mqs + exp + mqs + exp 4σ − ⎞ 4σ mqs + exp ⎠ + (8) 4σ RD∞ -based analysis For a = +∞, we follow [1] such that we have that any forging 
adversary $\mathcal{A}$ having a given success probability on the scheme implemented with imperfect rounded Gaussian sampling has a success probability $\delta$ on the scheme implemented with the perfect rounded Gaussian that is at least that probability divided by $\mathrm{RD}_\infty(\bar R_\sigma^{mq_s} \,\|\, R_\sigma^{mq_s})$, because of the multiplicative property of the RD, as given in Lemma B.1. If $\mathrm{RD}_\infty(\bar R_\sigma^{mq_s} \,\|\, R_\sigma^{mq_s}) \le O(1)$, then $\delta$ is $\Omega$ of that success probability.

We need $mq_s$ samples to create $q_s$ signatures. By the multiplicative property of the RD, we have $\mathrm{RD}_\infty(\bar R_\sigma^{mq_s} \,\|\, R_\sigma^{mq_s}) \le \mathrm{RD}_\infty(\bar R_\sigma \,\|\, R_\sigma)^{mq_s}$. We target $\delta$ at least that success probability divided by $\exp(1)$. We first compute $\bar R_\sigma(z)/R_\sigma(z)$, from which the maximum will automatically follow:

$$
\frac{\bar R_\sigma(z)}{R_\sigma(z)}
= \frac{\int_{z-\frac12-e_l}^{z+\frac12+e_r} \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-x^2/(2\sigma^2)}\,dx}
       {\int_{z-\frac12}^{z+\frac12} \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-x^2/(2\sigma^2)}\,dx}
\le 1 + \frac{\int_{z-\frac12-|e_l|}^{z-\frac12} e^{-x^2/(2\sigma^2)}\,dx + \int_{z+\frac12}^{z+\frac12+|e_r|} e^{-x^2/(2\sigma^2)}\,dx}
              {\int_{z-\frac12}^{z+\frac12} e^{-x^2/(2\sigma^2)}\,dx}.
\tag{9}
$$

Rounded Gaussians 755

Now we need to find a lower bound for the integral in the denominator. We start by looking into the case $z > 0$. We have the following bounds:

$$
\int_{z-\frac12}^{z+\frac12} e^{-x^2/(2\sigma^2)}\,dx
\ge \int_{z-\frac12}^{z-\frac12+\frac1z} e^{-x^2/(2\sigma^2)}\,dx
\ge \frac1z \exp\!\Big(\frac{-(z-\frac12+\frac1z)^2}{2\sigma^2}\Big)
= \frac1z \exp\!\Big(\frac{-(z-\frac12)^2}{2\sigma^2}\Big)\exp\!\Big(\frac{-\big(\frac2z(z-\frac12)+\frac1{z^2}\big)}{2\sigma^2}\Big)
\ge \frac1z \exp\!\Big(\frac{-(z-\frac12)^2}{2\sigma^2}\Big)\exp\!\Big(\frac{-1}{\sigma^2}\Big),
\tag{10}
$$

where we use that $\frac2z(z-\frac12)+\frac1{z^2} \le 2$ for $z \ge 1$ and $z \in \mathbb{Z}$. We bound the integrals in the numerator the same way as in the $\mathrm{RD}_1$ analysis and combine this with the lower bound from Eq. (9):

$$
1 + \frac{\int_{z-\frac12-|e_l|}^{z-\frac12} e^{-x^2/(2\sigma^2)}\,dx + \int_{z+\frac12}^{z+\frac12+|e_r|} e^{-x^2/(2\sigma^2)}\,dx}{\int_{z-\frac12}^{z+\frac12} e^{-x^2/(2\sigma^2)}\,dx}
\le 1 + \frac{|e_l|\exp\!\big(\frac{-(z-\frac12-|e_l|)^2}{2\sigma^2}\big) + |e_r|\exp\!\big(\frac{-(z+\frac12)^2}{2\sigma^2}\big)}
              {\frac1z \exp\!\big(\frac{-(z-\frac12)^2}{2\sigma^2}\big)\exp\!\big(\frac{-1}{\sigma^2}\big)}
$$
$$
= 1 + z\exp\!\Big(\frac1{\sigma^2}\Big)\Big(|e_l|\exp\!\Big(\frac{|e_l|(2z-1-|e_l|)}{2\sigma^2}\Big) + |e_r|\exp\!\Big(\frac{-z}{\sigma^2}\Big)\Big)
\le 1 + z\exp\!\Big(\frac1{\sigma^2}\Big)\Big(|e_l|\exp\!\Big(\frac{|e_l|\,z}{\sigma^2}\Big) + |e_r|\Big)
$$
$$
\le 1 + 2^{-p}(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac{2^{-p}(\tau\sigma)^2}{\sigma^2}\Big)+1\Big),
$$

where we use in the last inequality that $|e_l|, |e_r| \le 2^{-p}\tau\sigma$ and that $|z| \le \tau\sigma$. We note that $2^{-p+1} \le (\tau\sigma)^{-2}$, which gives us

$$
1 + 2^{-p}(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac{2^{-p}(\tau\sigma)^2}{\sigma^2}\Big)+1\Big)
\le 1 + 2^{-p}(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)
\le \exp\!\Big(2^{-p}(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)\Big).
$$

We have found an upper bound for $\bar R_\sigma^{mq_s}/R_\sigma^{mq_s}$ if $z > 0$. We need to check if this bound works for any value of $z \in \mathbb{Z}$. First we look into the case $z < 0$. We want to find a similar bound as in Eq. (10). We have

$$
\int_{z-\frac12}^{z+\frac12} e^{-x^2/(2\sigma^2)}\,dx
\ge \int_{z+\frac12+\frac1z}^{z+\frac12} e^{-x^2/(2\sigma^2)}\,dx
\ge \frac1{|z|}\exp\!\Big(\frac{-(z+\frac12+\frac1z)^2}{2\sigma^2}\Big)
= \frac1{|z|}\exp\!\Big(\frac{-(|z|-\frac12+\frac1{|z|})^2}{2\sigma^2}\Big)
$$
$$
= \frac1{|z|}\exp\!\Big(\frac{-(|z|-\frac12)^2}{2\sigma^2}\Big)\exp\!\Big(\frac{-\big(\frac{2}{|z|}(|z|-\frac12)+\frac1{|z|^2}\big)}{2\sigma^2}\Big)
\ge \frac1{|z|}\exp\!\Big(\frac{-(|z|-\frac12)^2}{2\sigma^2}\Big)\exp\!\Big(\frac{-1}{\sigma^2}\Big),
\tag{11}
$$

which is the same expression as we had for $z > 0$. We note that the only difference between $z < 0$ and $z > 0$ is the $e_l$ and the $e_r$, which we have already seen in the case of $\mathrm{RD}_1$. Since we use $|e_l|, |e_r| \le 2^{-p}\tau\sigma$, we can use the bound found for $z > 0$ also in the case $z < 0$. Now we check if this maximum also works for $z = 0$:

$$
\frac{\int_{-\frac12-e_l}^{\frac12+e_r} \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-x^2/(2\sigma^2)}\,dx}
     {\int_{-\frac12}^{\frac12} \frac{1}{\sqrt{2\pi\sigma^2}}\, e^{-x^2/(2\sigma^2)}\,dx}
\le 1 + |e_r| + |e_l| \le 1 + \tfrac12 \cdot 2^{-p} + \tfrac12 \cdot 2^{-p} = 1 + 2^{-p},
$$

756 Andreas Hülsing, Tanja Lange, Kit Smeets

as we have seen in the computations for $\mathrm{RD}_1$. Since this is less than the maximum, we can use the upper bound $\exp\big(2^{-p}(\tau\sigma)^2\exp(\frac1{\sigma^2})(\exp(\frac1{2\sigma^2})+1)\big)$ to determine the floating point precision $p$ needed.

We have $\mathrm{RD}_\infty(\bar R_\sigma^{mq_s} \,\|\, R_\sigma^{mq_s}) \le \mathrm{RD}_\infty(\bar R_\sigma \,\|\, R_\sigma)^{mq_s}$ and want to find an expression for $p$ from this. This results in the following equations:

$$
\mathrm{RD}_\infty(\bar R_\sigma^{mq_s} \,\|\, R_\sigma^{mq_s})
\le \mathrm{RD}_\infty(\bar R_\sigma \,\|\, R_\sigma)^{mq_s}
\le \exp\!\Big(2^{-p}(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)\Big)^{mq_s}.
$$

We set the floating point precision $p$ such that

$$
\exp\!\Big(mq_s\, 2^{-p}(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)\Big) \le \exp(1).
$$

This yields a precision argument

$$
p \ge \log\!\Big(mq_s(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)\Big).
\tag{12}
$$

Recall that we assumed that $\tau\sigma \;\; 2^{-p/2}$, i.e. $p > \log(\tau\sigma)$. We need to check if this is true for the result we got. We see that indeed we get

$$
p \ge \log\!\Big(mq_s(\tau\sigma)^2\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)\Big)
= \log\big((\tau\sigma)^2\big) + \log\!\Big(mq_s\exp\!\Big(\frac1{\sigma^2}\Big)\Big(\exp\!\Big(\frac1{2\sigma^2}\Big)+1\Big)\Big)
> \log(\tau\sigma),
$$

since all the logarithms give a positive result. Note that, as in the analysis of the discrete Gaussian in [1], Eq. (12) does not explicitly depend on the adversary's success probability. However, the dependency on it is hidden in the security parameter $\lambda$, which is still dependent on it. Equation (12) eliminates that term from the floating point precision $p$, which was needed for the SD-based and the $\mathrm{RD}_1$-based analyses. However, $m$, $q_s$ and the success probability are dependent on $\lambda$, i.e. the resulting floating point precision $p$ is not independent of the success probability, since it is not independent of $\lambda$. We summarize the results in Table B.1.

Table B.1. Comparison of the precision $p$ to handle adversaries with success probability at least the given bound, making at most $q_s$ signing queries to BLISS signature generation with Box-Muller transformation.

  Analysis                  Lower bound on the precision $p$
  SD (Eq. (6))              p ≥ log mqs τ σ √ 2πσ + + λ − log √ 2πσ +
  RD_1 (Eq. (8))            p ≥ log ( τσ + mqs mqs 1+exp 1+exp 4σ − exp 4σ mqs 1+exp τ 2σ 4σ ) + 2
  RD_∞ (Eq. (12))           $p \ge \log\big(mq_s(\tau\sigma)^2 \exp(\frac{1}{\sigma^2})(\exp(\frac{1}{2\sigma^2})+1)\big)$

Before we can numerically compute this $p$, we need to know the value of $m$ and against how many signing queries $q_s$ we want to be protected. Note that the precision plays different roles per sampler and implementation. In our sampling approach, each computation step has the potential to decrease the precision, but all considerations are worst-case considerations. The CDT sampler that we considered for comparison has a stored table of fixed precision. To compare the precision bounds as described in Table B.1 to the precision bounds found in [1] for BLISS-I we use the same values for the variables, that is, we use an adversarial success probability of $2^{-128}$, dimension $m = 1024$, $q_s = 2^{64}$ sign queries, $\sigma = 215$ and tail bound $\tau = \sqrt{2 \cdot 128 \cdot \log(2)} = 13.32087377852$. The results can be found in Table B.2.

Table B.2. Comparison of the precision $p$ needed for BLISS-I implemented with rounded Gaussians and implemented with discrete Gaussians.

  Analysis    Example $p$ for rounded Gaussians    Example $p$ for discrete Gaussians
  SD          p ≥ 215                              p ≥ 207
  RD_1        p ≥ 346                              p ≥ 168
  RD_∞        p ≥ 98                               p ≥ 79

Here we can see that rounded Gaussians need more precision than discrete Gaussians, but rounded Gaussians come with the advantage that they can easily be implemented in constant time and without table lookups, which makes it suitable to use rounded Gaussians in practice for BLISS. Furthermore, the estimates are less tight because of the approximation of integrals and errors by their worst case
value. Note that the values in Table B.2 tell us the resulting precision needed. If we want to know the implementation's precision, i.e. the precision before the implementation makes any changes, we need to compute how much precision is lost by the implementation. For our implementation of BLISS-I we have computed the loss of precision in Sect. 5.2.
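As an added worked example (not code from the paper), the following Python evaluates the $\mathrm{RD}_\infty$ precision bound of Eq. (12) for the BLISS-I parameters quoted above and cross-checks it against the $\exp(1)$ target it was derived from. It assumes the paper's $\log$ is base 2 (precision in bits), and the function names are my own.

```python
import math

# Parameters quoted in the text for the BLISS-I comparison (Table B.2):
# security parameter 128, dimension m = 1024, q_s = 2^64 signing queries,
# sigma = 215 and tail bound tau = sqrt(2 * 128 * log 2).
LAMBDA = 128
M = 1024
QS = 2 ** 64
SIGMA = 215.0
TAU = math.sqrt(2 * LAMBDA * math.log(2))


def rd_inf_exponent(p, m, qs, sigma, tau):
    """Exponent of the bound exp(.) on RD_inf(R'_sigma^{m q_s} || R_sigma^{m q_s}):
    m q_s 2^-p (tau sigma)^2 exp(1/sigma^2) (exp(1/(2 sigma^2)) + 1).
    The bound is <= exp(1) exactly when this exponent is <= 1."""
    ts2 = (tau * sigma) ** 2
    return (m * qs * 2.0 ** (-p) * ts2 * math.exp(1.0 / sigma ** 2)
            * (math.exp(1.0 / (2.0 * sigma ** 2)) + 1.0))


def precision_eq12(m, qs, sigma, tau):
    """Eq. (12): p >= log2(m q_s (tau sigma)^2 exp(1/sigma^2)(exp(1/(2 sigma^2)) + 1)),
    evaluated term by term in the log domain (m q_s = 2^74) and rounded up to bits."""
    ts2 = (tau * sigma) ** 2
    log2_bound = (math.log2(m) + math.log2(qs) + math.log2(ts2)
                  + (1.0 / sigma ** 2) / math.log(2)            # log2 exp(1/sigma^2)
                  + math.log2(math.exp(1.0 / (2.0 * sigma ** 2)) + 1.0))
    return math.ceil(log2_bound)


def smallest_precision(m, qs, sigma, tau, p_max=1024):
    """Brute-force cross-check of Eq. (12): smallest p whose exponent is <= 1."""
    for p in range(1, p_max):
        if rd_inf_exponent(p, m, qs, sigma, tau) <= 1.0:
            return p
    raise ValueError("no precision below p_max meets the exp(1) target")


def side_condition_holds(p, sigma, tau):
    """The simplification exp(2^-p (tau sigma)^2 / sigma^2) <= exp(1/(2 sigma^2))
    used in the z > 0 bound needs 2^(-p+1) <= (tau sigma)^-2."""
    return 2.0 ** (-p + 1) <= (tau * sigma) ** -2


if __name__ == "__main__":
    p = precision_eq12(M, QS, SIGMA, TAU)
    print(f"tau = {TAU:.11f}, Eq. (12) gives p >= {p}")   # p >= 98 as in Table B.2
    print("brute-force minimum p:", smallest_precision(M, QS, SIGMA, TAU))
    print("side condition at that p:", side_condition_holds(p, SIGMA, TAU))
```

Dropping one bit (p = 97) already pushes the exponent above 1, so the 98 of Table B.2 is tight for these parameters.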