polly cracker, revisited - wordpress.com · 27.06.2012  · polly cracker, revisited martin...

Polly Cracker, Revisited

Martin Albrecht1 Pooya Farshim2 Jean-Charles Faugere1

Gottfried Herold3 Ludovic Perret1

1 POLSYS Project - INRIA, UPMC, Univ Paris 062 Information Security Group, Royal Holloway, University of London

3 Ruhr Universitat Bochum

Bristol, 27.July 2012

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Homomorphic Encryption

I Homomorphic encryption is a cryptographic primitive which allowsto perform arbitrary computation over encrypted data.

I Given a function f and a ciphertext c encrypting a plaintext m, it ispossible to transform c to a new ciphertext c ′ which encrypts f (m).

We can evaluate multivariate (Boolean) polynomials over ciphertexts.

Craig Gentry.Fully homomorphic encryption using ideal lattices.In STOC 09: Proceedings of the 41st annual ACM symposium onTheory of computing, pages 169–178, 2009.

An abstract scheme

Let I ⊂ P be some ideal in some ring and denote by Encode() afunction with inverse Decode() that maps bit-strings to elements in thequotient ring P/I.

If

Decode(Encode(m0) Encode(m1)) = m0 m1 for ∈ +, ·,

we can encrypt a message m as

c = f + Encode(m) for f randomly chosen in I.

Decryption is equivalent computing remainders modulo I in P.

Homomorphic features follow from the definition of an ideal.

“Instantiations” of this scheme I

I P = ZI I = 〈p〉 where p is an odd integer

I Encode(·) is not injective

Marten van Dijk, Craig Gentry, Shai Halevi, and VinodVaikuntanathan.Fully homomorphic encryption over the integers.In Advances in Cryptology – EUROCRYPT 2010, volume 6110 ofLecture Notes in Computer Science, pages 24–43, 2010.

Approximate GCD

Given qip + ri where ri p, compute p.

“Instantiations” of this scheme II

I P = Fq[x1, . . . , xn]

I I = 〈x1 − s1, . . . , xn − sn〉I Encode(·) is not injective

Zvika Brakerski and Vinod Vaikuntanathan.Efficient fully homomorphic encryption from (standard) LWE.FOCS 2011, 2011.

LWE

Given∑

j aijxj −∑

j aijsj + ei compute s1, . . . , sn.

“Instantiations” of this scheme III

I P = Fq[x1, . . . , xn]

I I ≈ 〈x1 − s1, . . . , xn − sn〉I Encode(·) is injective: PoSSo

Neal Koblitz, Alfred J. Menezes, Yi-Hong Wu, and Robert J.Zuccherato.Algebraic aspects of cryptography.Springer Verlag, Berlin, Heidelberg, New York, 1998.

PoSSo/GB

Given∑

hi fi for fi ∈ I compute the Grobner basis of 〈f1, . . . , fm〉.

These schemes are known as Polly Cracker.

Our contribution

We show that all these schemes can be seen as special instances ofproblem, which we call Grobner basis with noise (GBN).

Put differently, in response to

Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, and R. F. Ree.

Why you cannot even hope to use Grobner bases in Public KeyCryptography: An open letter to a scientist who failed and achallenge to those who have not yet failed.Journal of Symbolic Computations, 18(6):497–501, 1994.

. . . we say: yes we can! . . . if we add noise

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Notation & Definitions I

I P = F[x1, . . . , xn] with some degree-compatible order on monomials.

I P≤b elements in P of degree at most b.

I LM(f ) is the leading monomial appearing in f ∈ P.

I LC(f ) is the coefficient corresponding to LM(f ) in f .

I LT(f ) is LC(f )LM(f ).

I d is the degree of Grobner bases in this talk.

I b is the degree of random ideal elements in this talk.

Notation & Definitions II

An example in F[x , y , z ] with term ordering deglex:

f = 3yz + 2x + 1

I LM(f ) = yz ,

I LC(f ) = 3 and

I LT(f ) = 3yz .

Notation & Definitions III

Definition (Generated Ideal)

Let f1, . . . , fm be polynomials in P. Define the set

〈f1, . . . , fm〉 :=

m∑i=1

hi fi : h1, . . . , hm ∈ P

.

This set I is an ideal called the ideal generated by f1, . . . , fm.

Notation & Definitions IV

Definition (Grobner Basis)

Let I be an ideal of F[x1, . . . , xn] and fix a monomial ordering. A finitesubset

G = g1, . . . , gm ⊂ I

is said to be a Grobner basis of I if for any f ∈ I there exists gi ∈ Gwith

LM(gi ) | LM(f ).

I If all fi linear, then Grobner bases coincide with row echelon forms.

I If all fi ∈ F[x ] then Grobner bases coincide with GCDs.

Notation & Definitions V

For each ideal I and monomial ordering there is a unique reducedGrobner basis which can be computed in polynomial time from anyGrobner basis.

if you know the Grobner basis you “understand” the ideal.

Grobner bases allow to compute remainders modulo I:

f mod I = f mod G .

Generating Grobner bases for Crypto I

Definition (S-Polynomial)

The S-polynomial of f and g is defined as

S(f , g) =LCM(LM(f ),LM(g))

LT(f )· f − LCM(LM(f ),LM(g))

LT(g)· g .

Theorem

A basis G = g1, . . . , gs for an ideal I is a Grobner basis if and only ifall S(gi , gj) reduce to zero by polynomial division.

Generating Grobner bases for Crypto II

beginfor 0 ≤ i < n do

if i > n − `− 1 thengi ← xdi ;

elsegi ← xi ;

for mj ∈ M<LM(gi ) docij ←$ Fq;gi ← gi + cijmj ;

return g0, . . . , gn−1;

Theorem

Let f , g ∈ F[x0, . . . , xn−1] witha = LM(f ) and b = LM(g) and

LCM(a, b) = a · b.

ThenS(f , g) −→

f ,g0.

Sampling Elements in I

beginf ←$ P≤b;f ← f − f mod G ;return f ;

Algorithm 1: Sample()

This sampling is uniform for elements f ∈ I with deg(f ) ≤ b becauseP = I ⊕ P/I.

Classical Computational Problems I

GB Given access to m samples from I recover G .

IM Given access to m samples from I and a challenge f ∈ P,decide if f mod G = 0.

Hardness I

Lemma (IM <=> GB)

If we have an oracle which solves the IM problem with overwhelmingprobability, we can construct an algorithm which solves the GB problemand vice versa.

Proof for first direction.

Let gi ∈ G arbitrary and let mi = LM(gi )

Pick a random ri ∈ P/I and ask for ideal membership of gi = mi + ri . Iftrue, then mi + ri ∈ 〈G 〉 with leading monomial mi . Add it to a list G .

Repeat this process for all leading monomials m and all tails ri .

The list G is a list of elements ∈ 〈G 〉 with LM(G ) ⊇ LM(G ) whichimplies G is a Grobner basis.

Hardness II

Assuming that f1, . . . , fm is a random system, the complexity of currentlybest known algorithms (i.e. with F5) to solve the GB problem is given by

O((

n + D

D

)ω)= O

((nD)ω

)where 2 ≤ ω < 3 is the linear algebra constant, and D is given by theindex of the first non-positive coefficient of:

∑k≥0

ckzk =

(1− zb)m

(1− z)n.

Thus Grobner bases are exponential in n, if D is polynomial in n.

Hardness III

Definition (GB/IM Assumption)

Let P be such that n(λ) = Ω(λ). Assume b − d > 0, b > 1, and thatm(λ) = c · n(λ) for a constant c ≥ 1. Then the advantage of any pptalgorithm in solving the GB/IM problem is negligible as function of λ.

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Symmetric PollyCracker I

GenP,GBGen(·),d,b(1λ):

beginP ←$ Pλ;G ←$ GBGen(1

λ,P, d , `);SK← (G ,P, b);PK← (P, b);return (SK,PK);

end

Enc(m, SK):

beginf ←$ P≤b;f ′ ← f mod G ;f ← f − f ′;c← m+ f ;return c;

endDec(c,SK):

beginm← c mod G ;return m;

end

Eval(c0, . . . , ct−1,C ,PK):

beginapply the Add and Multgates of C over P;

return the result;end

Figure: The noise-free symmetric Polly Cracker scheme SPCP,GBGen(·),d,b.

Security

The m(·)-time IND-CPA security is defined by requiring that theadvantage of any ppt A

Advind-bcpam(·),SKE,A(λ) := 2 · Pr[IND-BCPAAm(·),SKE(λ)⇒ T

]− 1

is negligible in λ. The difference with the usual CPA security is that theadversary can query the encryption oracle at most m(λ) times.

Theorem

For any A against the m-time IND-BCPA security of SPC there exists aB against the IM problem such that

Advind-bcpam,SPC,A(λ) = 2 · AdvimP,GBGen(·),d,b,m,B(λ).

Conversely, fory any A against the IM problem there exists a B againstthe m-time IND-BCPA security of SPC such that

AdvimP,GBGen(·),d,b,m,A(λ) = Advind-bcpam,SPC,B(λ).

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Conversions in the Literature

I There are a few techniques in the literature, which convert anIND-CPA symmetric additive homomorphic scheme to an IND-CPApublic-key additive homomorphic scheme.

I One such conversion is to publish N encryptions of zero f1, . . . , fNand to encrypt as

c =∑s∈S

fs + m

where S is a small subset of 1, . . . ,N.

While PollyCracker is additive homomorphic and secure up to somebound, none of the proposed conversions give a secure scheme.

Impossibility Result I

Theorem (Dickenstein, Fitchas, Giusti, and Sessa)

Let I = 〈f1, . . . , fm〉 be an ideal in P = F[x1, . . . , xn], h be such thatdeg(h) ≤ D, and

h − (h mod I) =m∑i=1

hi fi ,

where hi ∈ P and deg(hi fi ) ≤ D.

Let G be the output of some Grobner basis computation algorithm up todegree D (i.e., all computations with degree greater than D are ignoredand dropped).

Then h mod I can be computed by polynomial reduction of h via G.

Impossibility Result II

Theorem

Let I = 〈f1, . . . , fm〉 be an ideal in P = F[x1, . . . , xn]. If there is a pptalgorithm A which samples elements from I uniformly given only(f1, . . . , fm) ∈ I, then there exists a ppt algorithm B which computes aGrobner basis for I.

Proof.

1. We can compute the normal forms of any f produced by A inpolynomial time since we know f1, . . . , fm.

2. If f is arbitrary in the ideal I, we know that normals forms areequivalent to Grobner basis computations.

Thus, we have a polynomial time algorithm for computing Grobnerbases.

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Foreword

We will now focus on linear Grobner bases for the rest of this talk

I here things thing is nice and easy;

I we can get multiplicative homomorphicity; and

I we have a close relation to LWE.

To see what issues arise for d > 1, read [1, 2] or ask during the Q&A.

Gottfried HeroldPolly Cracker, revisited, revisitedPKC 2012, Springer Verlag 2012

with P. Farshim, J.-C. Faugere, G. Herold and L. PerretPolly Cracker, revisitedfull version, in preparation

Discrete Gaussian

Definition (Discrete Gaussian Distribution)

Let α > 0 be a real number and q ∈ N. The discrete Gaussiandistribution χα,q, is a Gaussian distribution rounded to the nearestinteger and reduced modulo q with mean zero and standard deviation αq.

Sampling Noisy Elements in I

beginf ←$ P≤b;f ← f − (f mod G );e ←$ χ;return f + e;

Algorithm 2: Sample()

Noisy Variants of Classical Computational Problems I

GBN Given access to m noisy samples from I recover G .

IMN Given access to m noisy samples from I and a challengef ∈ P, recover if f mod G ≈ 0.

Our Ideal Membership with Noise (IMN) is essentially Gentry’s IdealCoset problem for noisy polynomials.

Lemma (IMN Hard ⇔ GBN Hard)

For any ppt adversary A against the IMN problem for d = 1 andq = poly(n), there exists a ppt adversary B against the GBN problemsuch that

AdvimnP,GBGen(·),d,`,b,χ,A(λ) ≤ AdvgbnP,GBGen(·),d,`,b,χ,B(λ).

. . . and vice versa.

Proof Sketch.

The proof proceeds as in the GB ⇔ IM case except that we can amplifyour confidence in the output.

Security I

Lemma (LWE Hard ⇒ GBN Hard for d = 1, b = 1)

Let q be a prime number. Then for any ppt adversary A against theGBN problem with b = d = 1, there exists a ppt adversary B against theLWE problem such that

AdvgbnP,GBGen(·),1,1,χ,A(λ) = Advlwen,q,χ,B(λ).

Proof.

Whenever A calls its Sample oracle, B queries its own Sample oracle toobtain (a, b) where a = (a0, . . . , an−1). It returns

∑aixi − b to A. When

A calls its Finalize on G , since d = 1, we may assume that G is of theform [x0 − s0, . . . , xn−1 − sn−1] with si ∈ Fq. Algorithm B terminates bycalling its Finalize oracle on s = (s0, . . . , sn−1).

Security II

Lemma (GBN Hard for 2b ⇒ GBN Hard for b)

For any ppt adversary A against the GBN problem at degree b with noiseχα,q, there exists a ppt adversary B against the GBN problem at degree2b with noise χ√2Nα2q,q such that

AdvgbnP,GBGen(·),d,b,χα,q,A(λ) = AdvgbnP,GBGen(·),d,2b,χ√2Nα2q,q,B

(λ)

for N =(n+bb

).

Proof.

Multiply samples fi , fj to get fi,j = fi · fj . To ensure sufficient randomness,sum up 2N such products.

Security III

Approximate GCD:

I The GBN problem for n = 1 is the approx. GCD problem over Fq[x ].

I This problem has not yet received much attention, and hence it isunclear under which parameters it is hard.

I However, the notion of a Grobner basis can been extended toZ[x0, . . . , xn−1].

I This implies a version of the GBN problem over Z.

I This can be seen as a direct generalisation of the approximate GCDproblem in Z.

Security IV

GBN over F2:

I For d = 1 and q = 2 we can reduce Max-3SAT instances to GBNinstances by translating each clause individually to a Booleanpolynomial.

I The Grobner basis returned by an arbitrary algorithm A solving GBNusing a bounded number of samples will provide a solution to theMax-3SAT problem.

I Vice versa, we may convert a GBN problem for d = 1 to a Max-SATproblem (more precisely Partial Max-Sat) by running an ANF toCNF conversion algorithm.

Security V

Best known attack (for d = 1):

I We reduce GBN to a larger LWE instance.

I Denote by N =(n+bb

)the number of monomials up to degree b.

I Let M : P → FNq be a function which maps polynomials in P to

vectors in FNq by assigning the i-th component of the image vector

the coefficient of the i-th monomial ∈ M≤b.

I Reply to each Sample query by the LWE oracle by calling the GBNSample oracle to retrieve f , compute v =M(f ) and return (a, b)with a = (vN−1, . . . , v1) and b = −v0.

I When the LWE oracle queries its Finalize with s query the GBNFinalize with [x0 − s0, . . . , xn−1 − sn−1].

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Polly Cracker with Noise

I GBN/IMN allow to construct a noisy version of our symmetric PollyCracker scheme: SPCN .

I SPCN is IND-CPA under the GBN assumption.

I Using any symmetric-to-asymmetric conversion from literature thisleads to a public-key Polly Cracker scheme.

I This scheme is somewhat homomorphic and can support a fixed butarbitrary number of multiplications.

I This also implies that Regev’s public-key scheme based on LWE ismultiplicative homomorphic under some choice of parameters.

c0 · c1 = (m0 + 2e1 +∑

h0igi ) · (m1 + 2e1 +∑

h1igi )

= m0m1 + 2e0e1 + 2e +∑

higi

Outline

Introduction

An Old (?) Computational Problem: Grobner Bases

Symmetric Polly Cracker

Symmetric to Asymmetric Conversion

The New Computational Problem: Grobner Bases with Noise

An Application: Homomorphic Encryption

Appendix

Abstract Nonsense?

Generalising and unifying known things is fun, but is it useful? That is,do results from one instantiation carry over to another?

Arora&Ge’s algorithm for LWE

1. Compute hi = fi ·∏|r |

j=1 ((fi + j) · (fi − j)) for samples fi .

2. Compute the Grobner basis of 〈h0, . . . , hm−1〉.

Chen&Nguyen’s algorithm for AGCD

1. Compute h1 = f ·∏|r |

j=1 ((f + j) · (f − j)) mod h0 for noisy sample fand clean sample h0.

2. Compute the Grobner basis of 〈h0, h1〉.

Ring-LWE I

Compute a−1i · (ai · s + ei ) ≈ s where all computations are modxn + 1.

Given that this new approach allows one to cast both LWE andapproximate GCD in the same framework, can one also capturering-LWE.

– Bristol Cryptography Blog

To compute a−1i in P = Fq[x ]/〈xn + 1〉 we run the extended GCDalgorithm which returns (g , v ,w) for inputs a, b such that

g = v · a + w · a.

Hence, for our inputs it will compute

1 = v · ai + w · (xn + 1) and thus v ≡ a−1i mod xn + 1.

Ring-LWE II

In the language of Grobner bases the extended GCD equivalent is oftencalled “lifting”.

Given an ideal I = (f1, ..., fr ) and some g ∈ I, find s1, . . . , sr such thatg = s1f1 + · · ·+ sr fr .

I The problem is easy given a Grobner basis g1, . . . , gr (in our casexn + 1), since every element h ∈ 〈g1, . . . , gr 〉 can be written ash =

∑hi · gi where LM(higi ) ≤ LM(h).

I In general, it is hard because the degree of the output may be large.

In any case, instead of solving solving GBN, we are now lifting with GBN,i.e., we keep track of our computation.

Ring-LWE III

Example:

sage : P.<x , y , z> = Polynomia lR ing (GF(127) , o r d e r=’ d eg l e x ’ )sage : I = I d e a l (P . random element ( ) f o r i n range ( 4 ) )sage : s = I . gens ( )sage : I . g r o e b n e r b a s i s ( )[ x − 24 , y − 20 , z − 17 ]sage : b = P . random element ( )sage : b −= b . r educe ( I )sage : b i n ITruesage : a = b . l i f t ( s )sage : sum( a [ i ]∗ s [ i ] f o r i i n range ( s ) )16∗ x∗ z + 50∗ yˆ2 + 53∗ z ˆ2 − 57∗ x + 36sage : b16∗ x∗ z + 50∗ yˆ2 + 53∗ z ˆ2 − 57∗ x + 36

Given tuples (a, b) find s.

Thank you for your attention

Questions?