Advances in Cryptology – ASIACRYPT 2019: 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part I [1st ed. 2019] 978-3-030-34577-8, 978-3-030-34578-5

The three-volume set of LNCS 11921,11922, and 11923 constitutes the refereed proceedings of the 25th International Confe

470 100 16MB

English Pages XV, 711 [711] Year 2019

Report DMCA / Copyright

DOWNLOAD FILE

Polecaj historie

Advances in Cryptology – ASIACRYPT 2019: 25th International Conference on the Theory and Application of Cryptology and Information Security, Kobe, Japan, December 8–12, 2019, Proceedings, Part I [1st ed. 2019]
 978-3-030-34577-8, 978-3-030-34578-5

Table of contents :
Front Matter ....Pages i-xv
Front Matter ....Pages 1-1
Streamlined Blockchains: A Simple and Elegant Approach (A Tutorial and Survey) (Elaine Shi)....Pages 3-17
Front Matter ....Pages 19-19
Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes (Thomas Debris-Alazard, Nicolas Sendrier, Jean-Pierre Tillich)....Pages 21-51
Front Matter ....Pages 53-53
Middle-Product Learning with Rounding Problem and Its Applications (Shi Bai, Katharina Boudgoust, Dipayan Das, Adeline Roux-Langlois, Weiqiang Wen, Zhenfei Zhang)....Pages 55-81
A Novel CCA Attack Using Decryption Errors Against LAC (Qian Guo, Thomas Johansson, Jing Yang)....Pages 82-111
Towards Attribute-Based Encryption for RAMs from LWE: Sub-linear Decryption, and More (Prabhanjan Ananth, Xiong Fan, Elaine Shi)....Pages 112-141
Front Matter ....Pages 143-143
4-Round Luby-Rackoff Construction is a qPRP (Akinori Hosoyamada, Tetsu Iwata)....Pages 145-174
Indifferentiability of Truncated Random Permutations (Wonseok Choi, Byeonghak Lee, Jooyoung Lee)....Pages 175-195
Anomalies and Vector Space Search: Tools for S-Box Analysis (Xavier Bonnetain, Léo Perrin, Shizhu Tian)....Pages 196-223
Front Matter ....Pages 225-225
CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations (Ward Beullens, Thorsten Kleinjung, Frederik Vercauteren)....Pages 227-247
Verifiable Delay Functions from Supersingular Isogenies and Pairings (Luca De Feo, Simon Masson, Christophe Petit, Antonio Sanso)....Pages 248-277
Strongly Secure Authenticated Key Exchange from Supersingular Isogenies (Xiu Xu, Haiyang Xue, Kunpeng Wang, Man Ho Au, Song Tian)....Pages 278-308
Front Matter ....Pages 309-309
Dual-Mode NIZKs from Obfuscation (Dennis Hofheinz, Bogdan Ursu)....Pages 311-341
Output Compression, MPC, and iO for Turing Machines (Saikrishna Badrinarayanan, Rex Fernando, Venkata Koppula, Amit Sahai, Brent Waters)....Pages 342-370
Collusion Resistant Watermarking Schemes for Cryptographic Functionalities (Rupeng Yang, Man Ho Au, Junzuo Lai, Qiuliang Xu, Zuoxia Yu)....Pages 371-398
Front Matter ....Pages 399-399
Valiant’s Universal Circuits Revisited: An Overall Improvement and a Lower Bound (Shuoyao Zhao, Yu Yu, Jiang Zhang, Hanlin Liu)....Pages 401-425
The Broadcast Message Complexity of Secure Multiparty Computation (Sanjam Garg, Aarushi Goel, Abhishek Jain)....Pages 426-455
Beyond Honest Majority: The Round Complexity of Fair and Robust Multi-party Computation (Arpita Patra, Divya Ravi)....Pages 456-487
Card-Based Cryptography Meets Formal Verification (Alexander Koch, Michael Schrempp, Michael Kirsten)....Pages 488-517
Front Matter ....Pages 519-519
Quantum Algorithms for the Approximate k-List Problem and Their Application to Lattice Sieving (Elena Kirshanova, Erik Mårtensson, Eamonn W. Postlethwaite, Subhayan Roy Moulik)....Pages 521-551
Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm (Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, André Schrottenloher)....Pages 552-583
Quantum Random Oracle Model with Auxiliary Input (Minki Hhan, Keita Xagawa, Takashi Yamakawa)....Pages 584-614
QFactory: Classically-Instructed Remote Secret Qubits Preparation (Alexandru Cojocaru, Léo Colisson, Elham Kashefi, Petros Wallden)....Pages 615-645
Front Matter ....Pages 647-647
Quisquis: A New Design for Anonymous Cryptocurrencies (Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, Claudio Orlandi)....Pages 649-678
Divisible E-Cash from Constrained Pseudo-Random Functions (Florian Bourse, David Pointcheval, Olivier Sanders)....Pages 679-708
Back Matter ....Pages 709-711

Citation preview

LNCS 11921

Steven D. Galbraith Shiho Moriai (Eds.)

Advances in Cryptology – ASIACRYPT 2019 25th International Conference on the Theory and Application of Cryptology and Information Security Kobe, Japan, December 8–12, 2019 Proceedings, Part I

Lecture Notes in Computer Science Founding Editors Gerhard Goos Karlsruhe Institute of Technology, Karlsruhe, Germany Juris Hartmanis Cornell University, Ithaca, NY, USA

Editorial Board Members Elisa Bertino Purdue University, West Lafayette, IN, USA Wen Gao Peking University, Beijing, China Bernhard Steffen TU Dortmund University, Dortmund, Germany Gerhard Woeginger RWTH Aachen, Aachen, Germany Moti Yung Columbia University, New York, NY, USA

11921

More information about this series at http://www.springer.com/series/7410

Steven D. Galbraith Shiho Moriai (Eds.) •

Advances in Cryptology – ASIACRYPT 2019 25th International Conference on the Theory and Application of Cryptology and Information Security Kobe, Japan, December 8–12, 2019 Proceedings, Part I

123

Editors Steven D. Galbraith University of Auckland Auckland, New Zealand

Shiho Moriai Security Fundamentals Lab NICT Tokyo, Japan

ISSN 0302-9743 ISSN 1611-3349 (electronic) Lecture Notes in Computer Science ISBN 978-3-030-34577-8 ISBN 978-3-030-34578-5 (eBook) https://doi.org/10.1007/978-3-030-34578-5 LNCS Sublibrary: SL4 – Security and Cryptology © International Association for Cryptologic Research 2019 This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed. The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use. The publisher, the authors and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations. This Springer imprint is published by the registered company Springer Nature Switzerland AG The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland

Preface

ASIACRYPT 2019, the 25th Annual International Conference on Theory and Application of Cryptology and Information Security, was held in Kobe, Japan, during December 8–12, 2019. The conference focused on all technical aspects of cryptology, and was sponsored by the International Association for Cryptologic Research (IACR). We received a total of 307 submissions from all over the world. This was a significantly higher number of submissions than recent Asiacrypt conferences, which necessitated a larger Program Committee (PC) than we had originally planned. We thank the seven additional PC members who accepted our invitation at extremely short notice. They are Gorjan Alagic, Giorgia Azzurra Marson, Zhenzhen Bao, Olivier Blazy, Romain Gay, Takanori Isobe, and Daniel Masny. The PC selected 71 papers for publication in the proceedings of the conference. The two program chairs were supported by a PC consisting of 55 leading experts in aspects of cryptology. Each submission was reviewed by at least three Program Committee members (or their sub-reviewers) and five PC members were assigned to submissions co-authored by PC members. The strong conflict of interest rules imposed by the IACR ensure that papers are not handled by PC members with a close working relationship with authors. There were approximately 380 external reviewers, whose input was critical to the selection of papers. The review process was conducted using double-blind peer review. The conference operated a two-round review system with a rebuttal phase. After the reviews and first-round discussions the PC selected 193 submissions to proceed to the second round. The authors of those 193 papers were then invited to provide a short rebuttal in response to the referee reports. The second round involved extensive discussions by the PC members. Indeed, the total number of text items in the online discussion (including reviews, rebuttals, questions to authors, and PC member comments) exceeded 3,000. The three volumes of the conference proceedings contain the revised versions of the 71 papers that were selected, together with 1 invited paper. The final revised versions of papers were not reviewed again and the authors are responsible for their contents. The program of Asiacrypt 2019 featured excellent invited talks by Krzysztof Pietrzak and Elaine Shi. The conference also featured a rump session which contained short presentations on the latest research results of the field. The PC selected the work “Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes” by Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich for the Best Paper Award of Asiacrypt 2019. Two more papers were solicited to submit a full version to the Journal of Cryptology. They are “An LLL Algorithm for Module Lattices” by Changmin Lee, Alice Pellet-Mary, Damien Stehlé, and Alexandre Wallet, and “Numerical Method for Comparison on Homomorphically Encrypted Numbers” by Jung Hee Cheon, Dongwoo Kim, Duhyeong Kim, Hun Hee Lee, and Keewoo Lee.

vi

Preface

The Program Chairs are delighted to recognize the outstanding work by Mark Zhandry and Shweta Agrawal, by awarding them jointly the Best PC Member Award. Many people have contributed to the success of Asiacrypt 2019. We would like to thank the authors for submitting their research results to the conference. We are very grateful to the PC members and external reviewers for contributing their knowledge and expertise, and for the tremendous amount of work that was done with reading papers and contributing to the discussions. We are greatly indebted to Mitsuru Matsui, the general chair, for his efforts and overall organization. We thank Mehdi Tibouchi for expertly organizing and chairing the rump session. We are extremely grateful to Lukas Zobernig for checking all the latex files and for assembling the files for submission to Springer. Finally we thank Shai Halevi and the IACR for setting up and maintaining the Web Submission and Review software, used by IACR conferences for the paper submission and review process. We also thank Alfred Hofmann, Anna Kramer, Ingrid Haas, Anja Sebold, Xavier Mathew, and their colleagues at Springer for handling the publication of these conference proceedings. December 2019

Steven Galbraith Shiho Moriai

ASIACRYPT 2019 The 25th Annual International Conference on Theory and Application of Cryptology and Information Security Sponsored by the International Association for Cryptologic Research (IACR) Kobe, Japan, December 8–12, 2019

General Chair Mitsuru Matsui

Mitsubishi Electric Corporation, Japan

Program Co-chairs Steven Galbraith Shiho Moriai

University of Auckland, New Zealand NICT, Japan

Program Committee Shweta Agrawal Gorjan Alagic Shi Bai Zhenzhen Bao Paulo S. L. M. Barreto Lejla Batina Sonia Belaïd Olivier Blazy Colin Boyd Xavier Boyen Nishanth Chandran Melissa Chase Yilei Chen Chen-Mou Cheng Nils Fleischhacker Jun Furukawa David Galindo Romain Gay Jian Guo Seokhie Hong Andreas Hülsing Takanori Isobe David Jao

IIT Madras, India University of Maryland, USA Florida Atlantic University, USA Nanyang Technological University, Singapore UW Tacoma, USA Radboud University, The Netherlands CryptoExperts, France University of Limoges, France NTNU, Norway Queensland University of Technology, Australia Microsoft Research, India Microsoft Research, USA Visa Research, USA Osaka University, Japan Ruhr-University Bochum, Germany NEC Israel Research Center, Israel University of Birmingham and Fetch AI, UK UC Berkeley, USA Nanyang Technological University, Singapore Korea University, South Korea Eindhoven University of Technology, The Netherlands University of Hyogo, Japan University of Waterloo and evolutionQ, Inc., Canada

viii

ASIACRYPT 2019

Jérémy Jean Elena Kirshanova Virginie Lallemand Jooyoung Lee Helger Lipmaa Feng-Hao Liu Atul Luykx Hemanta K. Maji Giorgia Azzurra Marson Daniel Masny Takahiro Matsuda Brice Minaud David Naccache Kartik Nayak Khoa Nguyen Svetla Nikova Carles Padró Jiaxin Pan Arpita Patra Thomas Peters Duong Hieu Phan Raphael C.-W. Phan Carla Ràfols Ling Ren Yu Sasaki Junji Shikata Ron Steinfeld Qiang Tang Mehdi Tibouchi Hoeteck Wee Mark Zhandry Fangguo Zhang

ANSSI, France ENS Lyon, France CNRS, France KAIST, South Korea Simula UiB, Norway Florida Atlantic University, USA Swirlds Inc., USA Purdue, USA NEC Laboratories Europe, Germany Visa Research, USA AIST, Japan Inria and ENS, France ENS, France Duke University and VMware Research, USA Nanyang Technological University, Singapore KU Leuven, Belgium UPC, Spain NTNU, Norway, and KIT, Germany Indian Institute of Science, India UCL, Belgium University of Limoges, France Monash University, Malaysia Universitat Pompeu Fabra, Spain VMware Research and University of Illinois, Urbana-Champaign, USA NTT laboratories, Japan Yokohama National University, Japan Monash University, Australia New Jersey Institute of Technology, USA NTT Laboratories, Japan CNRS and ENS, France Princeton University, USA Sun Yat-sen University, China

Local Organizing Committee General Chair Mitsuru Matsui

Mitsubishi Electric Corporation, Japan

Honorary Advisor Tsutomu Matsumoto

Yokohama National University, Japan

ASIACRYPT 2019

External Reviewers Masayuki Abe Parhat Abla Victor Arribas Abril Divesh Aggarwal Martin Albrecht Bar Alon Prabhanjan Ananth Elena Andreeva Yoshinori Aono Daniel Apon Toshinori Araki Seiko Arita Tomer Ashur Nuttapong Attrapadung Man Ho Allen Au Benedikt Auerbach Saikrishna Badrinarayanan Vivek Bagaria Josep Balasch Gustavo Banegas Laasya Bangalore Subhadeep Banik Achiya Bar-On Manuel Barbosa James Bartusek Carsten Baum Arthur Beckers Rouzbeh Behnia Francesco Berti Alexandre Berzati Ward Beullens Shivam Bhasin Nina Bindel Nicolas Bordes Jannis Bossert Katharina Boudgoust Christina Boura Florian Bourse Zvika Brakerski Anne Broadbent Olivier Bronchain Leon Groot Bruinderink

Megha Byali Eleonora Cagli Ignacio Cascudo Pyrros Chaidos Avik Chakraborti Donghoon Chang Hao Chen Jie Chen Long Chen Ming-Shing Chen Qian Chen Jung Hee Cheon Céline Chevalier Ilaria Chillotti Wonhee Cho Wonseok Choi Wutichai Chongchitmate Jérémy Chotard Arka Rai Choudhuri Sherman Chow Michele Ciampi Michael Clear Thomas De Cnudde Benoît Cogliati Sandro Coretti-Drayton Edouard Cuvelier Jan Czajkowski Dana Dachman-Soled Joan Daemen Nilanjan Datta Gareth T. Davies Patrick Derbez Apporva Deshpande Siemen Dhooghe Christoph Dobraunig Rafael Dowsley Yfke Dulek Avijit Dutta Sébastien Duval Keita Emura Thomas Espitau Xiong Fan Antonio Faonio

Oriol Farràs Sebastian Faust Prastudy Fauzi Hanwen Feng Samuele Ferracin Dario Fiore Georg Fuchsbauer Thomas Fuhr Eiichiro Fujisaki Philippe Gaborit Tatiana Galibus Chaya Ganesh Daniel Gardham Luke Garratt Pierrick Gaudry Nicholas Genise Esha Ghosh Satrajit Ghosh Kristian Gjøsteen Aarushi Goel Huijing Gong Junqing Gong Alonso González Dahmun Goudarzi Rishabh Goyal Jiaxin Guan Aurore Guillevic Chun Guo Kaiwen Guo Qian Guo Mohammad Hajiabadi Carmit Hazay Jingnan He Brett Hemenway Nadia Heninger Javier Herranz Shoichi Hirose Harunaga Hiwatari Viet Tung Hoang Justin Holmgren Akinori Hosoyamada Kexin Hu Senyang Huang

ix

x

ASIACRYPT 2019

Yan Huang Phi Hun Aaron Hutchinson Chloé Hébant Kathrin Hövelmanns Ilia Iliashenko Mitsugu Iwamoto Tetsu Iwata Zahra Jafargholi Christian Janson Ashwin Jha Dingding Jia Sunghyun Jin Charanjit S. Jutla Mustafa Kairallah Saqib A. Kakvi Marc Kaplan Emrah Karagoz Ghassan Karame Shuichi Katsumata Craig Kenney Mojtaba Khalili Dakshita Khurana Duhyeong Kim Hyoseung Kim Sam Kim Seongkwang Kim Taechan Kim Agnes Kiss Fuyuki Kitagawa Michael Kloob François Koeune Lisa Kohl Stefan Kölbl Yashvanth Kondi Toomas Krips Veronika Kuchta Nishant Kumar Noboru Kunihiro Po-Chun Kuo Kaoru Kurosawa Ben Kuykendall Albert Kwon Qiqi Lai Baptiste Lambin Roman Langrehr

Jason LeGrow ByeongHak Lee Changmin Lee Keewoo Lee Kwangsu Lee Youngkyung Lee Dominik Leichtle Christopher Leonardi Tancrède Lepoint Gaëtan Leurent Itamar Levi Baiyu Li Yanan Li Zhe Li Xiao Liang Benoît Libert Fuchun Lin Rachel Lin Wei-Kai Lin Eik List Fukang Liu Guozhen Liu Meicheng Liu Qipeng Liu Shengli Liu Zhen Liu Alex Lombardi Julian Loss Jiqiang Lu Xianhui Lu Yuan Lu Lin Lyu Fermi Ma Gilles Macario-Rat Urmila Mahadev Monosij Maitra Christian Majenz Nikolaos Makriyannis Giulio Malavolta Sogol Mazaheri Bart Mennink Peihan Miao Shaun Miller Kazuhiko Minematsu Takaaki Mizuki Amir Moradi

Kirill Morozov Fabrice Mouhartem Pratyay Mukherjee Pierrick Méaux Yusuke Naito Mridul Nandi Peter Naty María Naya-Plasencia Anca Niculescu Ventzi Nikov Takashi Nishide Ryo Nishimaki Anca Nitulescu Ariel Nof Sai Lakshmi Bhavana Obbattu Kazuma Ohara Emmanuela Orsini Elena Pagnin Wenlun Pan Omer Paneth Bo Pang Lorenz Panny Jacques Patarin Sikhar Patranabis Alice Pellet-Mary Chun-Yo Peng Geovandro Pereira Olivier Pereira Léo Perrin Naty Peter Cécile Pierrot Jeroen Pijnenburg Federico Pintore Bertram Poettering David Pointcheval Yuriy Polyakov Eamonn Postlethwaite Emmanuel Prouff Pille Pullonen Daniel Puzzuoli Chen Qian Tian Qiu Willy Quach Håvard Raddum Ananth Raghunathan

ASIACRYPT 2019

Somindu Ramanna Kim Ramchen Shahram Rasoolzadeh Mayank Rathee Divya Ravi Joost Renes Angela Robinson Thomas Roche Miruna Rosca Mélissa Rossi Mike Rosulek Yann Rotella Arnab Roy Luis Ruiz-Lopez Ajith Suresh Markku-Juhani O. Saarinen Yusuke Sakai Kazuo Sakiyama Amin Sakzad Louis Salvail Simona Samardjiska Pratik Sarkar Christian Schaffner John Schanck Berry Schoenmakers Peter Scholl André Schrottenloher Jacob Schuldt Sven Schäge Sruthi Sekar Srinath Setty Yannick Seurin Barak Shani Yaobin Shen Sina Shiehian Kazumasa Shinagawa Janno Siim Javier Silva Mark Simkin

Boris Skoric Maciej Skórski Yongsoo Song Pratik Soni Claudio Soriente Florian Speelman Akshayaram Srinivasan François-Xavier Standaert Douglas Stebila Damien Stehlé Patrick Struck Valentin Suder Bing Sun Shifeng Sun Siwei Sun Jaechul Sung Daisuke Suzuki Katsuyuki Takashima Benjamin Hong Meng Tan Stefano Tessaro Adrian Thillard Yan Bo Ti Jean-Pierre Tillich Radu Ţiţiu Yosuke Todo Junichi Tomida Viet Cuong Trinh Rotem Tsabary Hikaru Tsuchida Yi Tu Nirvan Tyagi Bogdan Ursu Damien Vergnaud Jorge Luis Villar Srinivas Vivek Christine van Vredendaal Satyanarayana Vusirikala Sameer Wagh Hendrik Waldner

Alexandre Wallet Michael Walter Han Wang Haoyang Wang Junwei Wang Mingyuan Wang Ping Wang Yuyu Wang Zhedong Wang Yohei Watanabe Gaven Watson Weiqiang Wen Yunhua Wen Benjamin Wesolowski Keita Xagawa Zejun Xiang Hanshen Xiao Shota Yamada Takashi Yamakawa Kyosuke Yamashita Avishay Yanai Guomin Yang Kan Yasuda Masaya Yasuda Aaram Yun Alexandros Zacharakis Michal Zajac Bin Zhang Cong Zhang En Zhang Huang Zhang Xiao Zhang Zheng Zhang Chang-An Zhao Raymond K. Zhao Yongjun Zhao Yuanyuan Zhou Jiamin Zhu Yihong Zhu Lukas Zobernig

xi

Contents – Part I

Invited Talk Streamlined Blockchains: A Simple and Elegant Approach (A Tutorial and Survey) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Elaine Shi

3

Best Paper Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Thomas Debris-Alazard, Nicolas Sendrier, and Jean-Pierre Tillich

21

Lattices (1) Middle-Product Learning with Rounding Problem and Its Applications . . . . . Shi Bai, Katharina Boudgoust, Dipayan Das, Adeline Roux-Langlois, Weiqiang Wen, and Zhenfei Zhang

55

A Novel CCA Attack Using Decryption Errors Against LAC . . . . . . . . . . . . Qian Guo, Thomas Johansson, and Jing Yang

82

Towards Attribute-Based Encryption for RAMs from LWE: Sub-linear Decryption, and More . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Prabhanjan Ananth, Xiong Fan, and Elaine Shi

112

Symmetric Cryptography 4-Round Luby-Rackoff Construction is a qPRP . . . . . . . . . . . . . . . . . . . . . Akinori Hosoyamada and Tetsu Iwata

145

Indifferentiability of Truncated Random Permutations . . . . . . . . . . . . . . . . . Wonseok Choi, Byeonghak Lee, and Jooyoung Lee

175

Anomalies and Vector Space Search: Tools for S-Box Analysis . . . . . . . . . . Xavier Bonnetain, Léo Perrin, and Shizhu Tian

196

Isogenies (1) CSI-FiSh: Efficient Isogeny Based Signatures Through Class Group Computations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Ward Beullens, Thorsten Kleinjung, and Frederik Vercauteren

227

xiv

Contents – Part I

Verifiable Delay Functions from Supersingular Isogenies and Pairings . . . . . . Luca De Feo, Simon Masson, Christophe Petit, and Antonio Sanso Strongly Secure Authenticated Key Exchange from Supersingular Isogenies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Xiu Xu, Haiyang Xue, Kunpeng Wang, Man Ho Au, and Song Tian

248

278

Obfuscation Dual-Mode NIZKs from Obfuscation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . Dennis Hofheinz and Bogdan Ursu

311

Output Compression, MPC, and iO for Turing Machines . . . . . . . . . . . . . . . Saikrishna Badrinarayanan, Rex Fernando, Venkata Koppula, Amit Sahai, and Brent Waters

342

Collusion Resistant Watermarking Schemes for Cryptographic Functionalities . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Rupeng Yang, Man Ho Au, Junzuo Lai, Qiuliang Xu, and Zuoxia Yu

371

Multiparty Computation (1) Valiant’s Universal Circuits Revisited: An Overall Improvement and a Lower Bound. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Shuoyao Zhao, Yu Yu, Jiang Zhang, and Hanlin Liu The Broadcast Message Complexity of Secure Multiparty Computation . . . . . Sanjam Garg, Aarushi Goel, and Abhishek Jain Beyond Honest Majority: The Round Complexity of Fair and Robust Multi-party Computation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Arpita Patra and Divya Ravi Card-Based Cryptography Meets Formal Verification . . . . . . . . . . . . . . . . . Alexander Koch, Michael Schrempp, and Michael Kirsten

401 426

456 488

Quantum Quantum Algorithms for the Approximate k-List Problem and Their Application to Lattice Sieving . . . . . . . . . . . . . . . . . . . . . . . . . . Elena Kirshanova, Erik Mårtensson, Eamonn W. Postlethwaite, and Subhayan Roy Moulik Quantum Attacks Without Superposition Queries: The Offline Simon’s Algorithm. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . Xavier Bonnetain, Akinori Hosoyamada, María Naya-Plasencia, Yu Sasaki, and André Schrottenloher

521

552

Contents – Part I

xv

Quantum Random Oracle Model with Auxiliary Input . . . . . . . . . . . . . . . . . Minki Hhan, Keita Xagawa, and Takashi Yamakawa

584

QFactory: Classically-Instructed Remote Secret Qubits Preparation . . . . . . . . Alexandru Cojocaru, Léo Colisson, Elham Kashefi, and Petros Wallden

615

E-cash and Blockchain Quisquis: A New Design for Anonymous Cryptocurrencies . . . . . . . . . . . . . Prastudy Fauzi, Sarah Meiklejohn, Rebekah Mercer, and Claudio Orlandi

649

Divisible E-Cash from Constrained Pseudo-Random Functions . . . . . . . . . . . Florian Bourse, David Pointcheval, and Olivier Sanders

679

Author Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

709

Invited Talk

Streamlined Blockchains: A Simple and Elegant Approach (A Tutorial and Survey) Elaine Shi(B) Cornell University, Ithaca, USA [email protected]

Abstract. A blockchain protocol (also called state machine replication) allows a set of nodes to agree on an ever-growing, linearly ordered log of transactions. The classical consensus literature suggests two approaches for constructing a blockchain protocol: (1) through composition of single-shot consensus instances often called Byzantine Agreement; and (2) through direct construction of a blockchain where there is no clear-cut boundary between single-shot consensus instances. While conceptually simple, the former approach precludes cross-instance optimizations in a practical implementation. This perhaps explains why the latter approach has gained more traction in practice: specifically, well-known protocols such as Paxos and PBFT all follow the direct-construction approach. In this tutorial, we present a new paradigm called “streamlined blockchains” for directly constructing blockchain protocols. This paradigm enables a new family of protocols that are extremely simple and natural: every epoch, a proposer proposes a block extending from a notarized parent chain, and nodes vote if the proposal’s parent chain is not too old. Whenever a block gains enough votes, it becomes notarized. Whenever a node observes a notarized chain with several blocks of consecutive epochs at the end, then the entire chain chopping off a few blocks at the end is final. By varying the parameters highlighted in blue, we illustrate two variants for the partially synchronous and synchronous settings respectively. We present very simple proofs of consistency and liveness. We hope that this tutorial provides a compelling argument why this new family of protocols should be used in lieu of classical candidates (e.g., PBFT, Paxos, and their variants), both in practical implementation and for pedagogical purposes.

1

Introduction

In a blockchain protocol, a set of nodes seek to reach agreement on an evergrowing, linearly ordered log. It is helpful to think of this log as an ordered chain of blocks where each block may contain application-specific payload as well as metadata pertaining to the consensus protocol, and hence the name blockchain. In this tutorial, we consider how to construct a blockchain protocol in a “permissioned” setting, assuming the existence of a public-key infrastructure c International Association for Cryptologic Research 2019  S. D. Galbraith and S. Moriai (Eds.): ASIACRYPT 2019, LNCS 11921, pp. 3–17, 2019. https://doi.org/10.1007/978-3-030-34578-5_1

4

E. Shi

and that the public key of every consensus node is common knowledge. This is the also the classical setting under which consensus has been studied for more than three decades. Classically, this problem was often called “State Machine Replication” [12,13,15] or “Byzantine Fault Tolerance” [3,9]. In this work, we also refer to it as “consensus” for short. Such permissioned blockchains can serve as the cornerstone not only for a private, consortium blockchain, but also for building open-access “proof-of-stake” systems. In a proof-of-stake setting, a set of nodes (called a committee) are elected based on their stake in the system to vote in the consensus protocol. The election is typically repeated over time, using the blockchain protocol itself to agree on the next committee (and assuming the existence of an initial committee that is common knowledge). The goal of this tutorial is to illustrate a new paradigm called “streamlined blockchains” that enables extremely simple and natural blockchain constructions. This new paradigm emerged as a result of the community’s joint push at building better consensus protocols in the past few years, motivated by largescale cryptocurrency applications. Elements of this idea were developed and improved in a sequence of works, including Casper-FFT [16], Dfinity [8], Hotstuff [1], Pili [5] and Pala [4], but understanding of this line of work still appears somewhat “scattered”. In this tutorial, we hope to describe the simplest possible embodiments of this idea, with concise and clean proofs that are suitable for pedagogy. We hope that this tutorial helps to illustrate the most compelling advantage of this new paradigm, i.e., its conceptual simplicity, making the resulting protocols desirable for practical implementation. We also contrast this new paradigm with classical blockchain constructions represented by Paxos [9], PBFT [3], and their variants. We hope that this will shed light on how the community’s push in the past few years has enabled a leap: we now have practical blockchain constructions that are significantly simpler and fundamentally better than classical approaches. 1.1

Problem Statement

Slightly informally, we would like to construct a blockchain protocol satisfying two properties for all but a negligible fraction of executions: • Consistency: if two blockchains chain and chain are ever considered final by two honest nodes, it must be that chain  chain or chain  chain where  means “is a prefix of or equal to”. • Liveness: if an honest node receives a transaction, the transaction will appear in every honest node’s finalized blockchain in a bounded amount of time. In a cryptocurrency application, all transactions contained in a final chain are considered confirmed and the merchant may ship the product. If all nodes are honest and always correctly follow the prescribed protocol, then designing a blockchain protocol is trivial. We consider a setting where a subset of the nodes can be corrupt; corrupt nodes are controlled by a single adversary and they can

Streamlined Blockchains: A Simple and Elegant Approach

5

deviate from the protocol arbitrarily—such a fault model is commonly referred to as Byzantine Faults in the classical distributed consensus literature. In general, we can construct a blockchain protocol in two ways: (1) through composition of single-shot consensus instances; and (2) direct construction of a blockchain protocol where there is no clearly defined boundary between consensus instances. From a historical perspective, the study of distributed consensus in fact originated from the study of one-shot consensus protocols, often called Byzantine Agreement [10]. While composing single-shot instances is a conceptually clean approach towards building a blockchain, cross-instance performance optimizations are often challenging. This is arguably why later approaches such as Paxos and PBFT and their variants—also coinciding with most deployed systems—adopt the direct-construction approach. In this tutorial we will also focus on the direct-construction approach. 1.2

Classical Blockchain Protocols: A Bi-modal Approach

Most approaches in the classical consensus literature adopt a bi-model approach. We illustrate the idea assuming that fewer than n/3 nodes are corrupt where n denotes the total number of nodes1 . 1.2.1 Normal Mode: A Natural Voting Protocol The normal mode is simple and natural and works by super-majority voting. We shall explain the idea semi-formally, since this is the nice part of the protocol we would like to preserve in our new paradigm. Recall that every block is part of a blockchain and henceforth its index within the blockchain is called its position. We assume that every block encodes its own position. Imagine that a designated proposer proposes blocks, and nodes vote on the proposed blocks by signing the block’s hash. Whenever a block gains votes from at least 2n/3 distinct nodes, it becomes final. If in a blockchain every block is final, then the chain is considered final too. An important invariant is that an honest node never votes for two distinct blocks at the same position (even if the proposer is corrupt and proposes multiple blocks at the same position). This enforces consistency at every position, i.e., at each position, there cannot be two different blocks both gaining at least 2n/3 votes. The proof of consistency is extremely simple: suppose that two different blocks at the same position both gain at least 2n/3 votes. It must be that a set of at least 2n/3 distinct nodes denoted S1 have voted for one, and a set of at least 2n/3 distinct nodes denoted S2 have voted for the other. Obviously |S1 ∩ S2 | ≥ 2n/3 + 2n/3 − n = n/3. Since fewer than n/3 nodes are corrupt, it must be that an honest node lives in the intersection S1 ∩ S2 and has voted for 1

Our exposition in spirit illustrates the ideas behind most classical blockchain constructions although our exposition is not necessarily faithful to any particular protocol. In fact, we give a simplified exposition of the technical ideas to maximally aid understanding.

6

E. Shi

both blocks at the same position—but this is ruled out by the aforementioned invariant. Such a normal-mode protocol is extremely simple and natural, and it gives consistency as long as fewer than n/3 nodes are corrupt; and moreover, consistency does not rely on the proposer being honest. However, if the proposer is corrupt, e.g., if it stops making proposals or makes different proposals to different nodes, then liveness can be stalled and the blockchain can stop growing. We note also that here, consistency is guaranteed without having to make any network timing assumptions such as synchrony assumptions. 1.2.2 Recovery Mode: Ensuring Liveness Given the aforementioned normal-mode protocol, the only remaining problem is how to achieve liveness when the proposer is corrupt. We informally explain how classical protocols deal with this problem without going into details, since this is the complicated part of classical approaches that we would ideally like to get rid of. Most classical protocols such as Paxos, PBFT and their variants solve this problem by falling back to a recovery mode (often called “view change”) whenever liveness is stalled. Typically the view change implements a mechanism to rotate to the next proposer such that progress can be resumed. Thus a view can be regarded as a phase of the protocol in which a specific node acts as the proposer. Without going into details, and perhaps unsurprisingly, from a technical standpoint the view change protocol must be a full-fledged consensus protocol offering both consistency and liveness (c.f. the normal mode guarantees only consistency assuming fewer than n/3 corrupt). At an intuitive level, this perhaps explains why in most classical consensus approaches, the view change is often much more complicated to understand and subtle to implement correctly than the normal mode. In fact, the need for such a recovery mode often imposes more requirements on the normal mode too—and this is why most actual instantiations of this bi-modal idea such as Paxos and PBFT introduce more iterations of voting in the normal mode (unlike our earlier description that has only one iteration of voting). Very roughly, the additional iterations of voting in the normal mode give amplified properties that the recovery mode can make use of. 1.3

Streamlined Blockchains: A New Paradigm

Classical approaches are somewhat undesirable because most of the time we expect that the protocol should operate in the normal mode (since faults should not happen very often); however, the conceptual complications and the heavylifting in implementation stem from the complicated recovery path. Ideally, we would like to achieve the following holy grail: Can we have a blockchain protocol that is (almost) as simple as the normal mode?

Streamlined Blockchains: A Simple and Elegant Approach

7

Amazingly, it turns out that this is in fact possible! All the protocols we describe in this tutorial, for different settings, can be obtained by making small tweaks to the aforementioned normal-path voting protocol. Through these tweaks we now offer not just consistency but also liveness and thus there is no need for a separate recovery mode! Specifically, the entire protocol always follows a unified propose-vote paradigm as described below: • Every epoch, a proposer proposes a block extending from a parent chain. Every block encodes its own epoch. • Nodes vote on the proposed block if they have seen the parent chain’s notarization and if the parent chain is not too old (where “old” means that the block contains a small epoch number, and we will specify the concrete parameter in the later sections). • Whenever a block gains sufficiently many votes, it becomes notarized. • Notarized does not mean final. Finality is determined as follows: if all blocks in a blockchain are notarized and the chain ends at several blocks of consecutive epochs, then the entire chain chopping off the trailing few blocks are considered final. We show how to use this simple paradigm to obtain protocols under various network assumptions, by modifying the parameters highlighted in blue, and by slightly varying a couple other details such as how epochs are determined for different settings. So What Became of the View Change? As mentioned earlier, in classical approaches the view change was necessary to attain liveness under a corrupt proposer. So technically, how can we achieve both consistency and liveness without the view change? In the streamlined blockchain paradigm described in this tutorial, basically every epoch embeds a proposer-rotation opportunity, and thus an implicit view change mechanism is already inherently baked in the protocol everywhere. This is arguably the coolest feature of this new paradigm: we show that the traditionally complicated view change can be embedded into an extremely simple paradigm by small tweaks to the normal-path voting protocol. For this reason, another advantage of our streamlined blockchain protocols is that they readily support two distinct proposer-rotation policies: the democracyfavoring policy where one wishes to rotate proposer every block; and the classical stability-favoring policy (adopted by classical approaches such as Paxos and PBFT) where we stick to the same proposer until it starts to misbehave. In new cryptocurrency applications, the democracy-favoring policy may be more desired due to better decentralization; however, a stability-favoring policy is likely more friendly towards performance optimizations. Throughout this paper, we use the democracy-favoring policy for exposition. Some recent works [4,5] have shown how minor tweaks to the protocol can support a stability-favoring policy2 . 2

Author’s note: even if the syntactical changes to the protocol are minor, it is important that they be done correctly since some additional subtleties arise in the liveness proof for a stability-favoring policy. See the recent works [4, 5] for more explanation.

8

2

E. Shi

A Blockchain Tolerating chain [−1].e. For a blockchain chain, chain[−1].e is also said to be the blockchain chain’s epoch number.

Streamlined Blockchains: A Simple and Elegant Approach

2.2

9

Protocol

Now, imagine that the protocol proceeds in epochs numbered 1, 2, . . .. Each epoch is 2Δ rounds, i.e., the maximum round-trip delay during a period of synchrony. In each epoch e ∈ {1, 2, . . . , }, we use a hash function H ∗ (i.e., a random oracle) to select a random node (H ∗ (e) mod n) to be the designated proposer—note that here we are using a democracy-favoring proposer-rotation policy as an example. The protocol proceeds as follows where we assume that a node always signs every message it wants to send, and that every valid message must be tagged with the purported sender; further, nodes discard messages with invalid signatures. The notation “ ” denotes a wildcard field. Notarization: A valid vote for chain from node i is a valid signature from node i on H(chain) where H is a global hash function chosen at random from a collision-resistant hash family upfront. A collection of at least 2n/3 votes from distinct nodes on some chain is said to be a notarization for chain. For each epoch e = 1, 2, . . .: • Propose: At the beginning of the epoch, node (H ∗ (e) mod n) proposes a new block B := (e, TXs, h−1 ) extending the freshest notarized chain in its view denoted chain. Here TXs denotes a set of outstanding transactions to confirm and h−1 = H(chain). The proposal, containing chain||B and a notarization for chain, is signed and multicast to everyone—here chain is referred to as the parent chain of B. • Vote: Every node performs the following: when the first valid proposal of the form chain||(e, , ) is received from node (H ∗ (e) mod n) with a valid notarization on chain, vote on the proposal iff chain is at least as fresh as the freshest notarized chain the node has observed at the beginning of the previous epoch or if the current epoch e = 1. To vote on chain||B, simply multicast a signature on the value H(chain||B) to everyone. Finalization: At any time, if a notarized chain has been observed ending at three consecutive epochs, then chain[: −2] is considered final. Remark 2 (Block and chain as aliases of each other). Suppose that there are no hash collisions, then due to the structure of the blockchain where every block must refer to its parent’s hash, in fact a block chain[] and the chain chain[: ] can be used interchangeably, since the block chain[] uniquely defines the entire prefix chain[: ]. Therefore, henceforth whenever convenient, we use “a vote or a notarization for chain[]” and “a vote or notarization for chain[: ]” interchangeably. Remark 3 (Practical considerations). The above protocol is described in a way that maximizes conceptual simplicity. In practice, a couple of obvious optimizations can be made. First, the hash H can be computed incrementally by hashing the parent block’s hash and the current block’s contents. Second, the proposer

10

E. Shi

need not include the entire parent chain in the proposal, it suffices to include the hash h−1 = H(chain). When a proposal is received, if the recipient has not received a parent chain consistent with h−1 , it buffers this proposal until it has received a consistent parent chain. 2.3

Consistency Proof

We now present a very simple consistency proof. Recall that the adversary controls strictly fewer than n/3 nodes. Throughout, we assume that the signature and hash schemes are ideal, i.e., the adversary cannot forge honest nodes’ signatures or find hash collisions. Technically we are removing from our consideration the negligible fraction of bad executions in which an honest node’s signature is forged or hash collisions are found—all the lemmas and theorems below hold for all but the negligible fraction of such bad executions. We say that some string is in honest view iff some honest node observes it at some point during the execution. The following simply lemma is in fact already proven in Sect. 1, but we restate it for completeness. A simple fact is the following: if there is a notarization for chain in honest view, there must be a notarization chain[: −1] in honest view since if not, no honest node would have voted for chain and chain cannot gain notarization in honest view. Applying this argument inductively, if there is a notarization of chain in honest view then there must be a notarization of every prefix of chain in honest view. Lemma 2.1 (Uniqueness per epoch). There cannot be two different blocks of epoch e both notarized in honest view. Proof. Suppose that two different blocks B1 and B2 of epoch e both gained notarization in honest view. Let S1 be the set of at least 2n/3 nodes who have signed B1 and let S2 be the set of at least 2n/3 nodes who have signed B2 . It must be that |S1 ∩ S2 | ≥ 2n/3 + 2n/3 − n = n/3. This means that at least one honest node is in S1 ∩ S2 , and this honest node must have signed both B1 and B2 in epoch e. By our protocol definition, every honest node signs only one epoch-e block in each epoch e. Thus we have reached a contradiction.   Theorem 2.2 (Consistency). Suppose that chain and chain are notarized chains in honest view both ending at three consecutive epochs, it must be that chain[: −2]  chain [: −2] or chain [: −2]  chain[: −2]. Proof. Suppose that chain ends with three blocks of epochs e − 2, e − 1, and e, and chain ends with three blocks of epochs e − 2, e − 1, and e . Without loss of generality, assume that e ≥ e. For the sake of reaching a contradiction, suppose that chain[: −2] and chain [: −2] are not prefixes of each other. Due to Lemma 2.1, chain cannot have a block at epochs e − 2, e − 1, or e; since otherwise chain [: −2] must contain the prefix chain[: −2] which ends at a block of epoch e − 2. Therefore, there is some block in chain with an epoch number greater than e. Let e > e be the smallest epoch number greater than e in chain ,

Streamlined Blockchains: A Simple and Elegant Approach

11

and let chain [] be the block in chain with epoch number e . It must be that chain [ − 1] has epoch smaller than e − 2. Since (every prefix of) chain gained notarization in honest view, it must be that at least 2n/3 distinct nodes have signed the block chain[−1] of epoch e − 1, meaning that more than n/3 honest nodes have signed this block. Moreover, honest nodes can only sign this block in epoch e − 1. This means that more than n/3 honest nodes have observed a notarization for chain[: −2] of epoch e − 2 in epoch e − 1, i.e., before the beginning of epoch e—let S denote this set of more than n/3 honest nodes. The set S therefore will not vote for chain [] in epoch e > e which extends from a parent chain of epoch less than e − 2; and thus   chain [] cannot have gained notarization in honest view. 2.4

Liveness Proof

Message Delivery Assumption During Periods of Synchrony. As mentioned earlier, a period of synchrony is a period with good network conditions such that all messages sent by honest nodes are delivered to the recipients within at most Δ rounds. Without loss of generality, we shall assume that every honest node always echos (i.e., multicasts) every fresh message as soon as it is observed. Thus, during a period of synchrony, the following holds: If an honest node has observed a message m n round t, then all honest nodes must have observed m by the beginning of round t + Δ if not earlier. Liveness Proof. Suppose a period of synchrony eventually takes place. We now prove liveness during such a period of synchrony. Specifically, we prove that during a period of synchrony, honest nodes’ finalized blockchains will grow whenever there are 3 consecutive epochs with honest proposers (note that under random proposer election, this takes O(1) number of epochs in expectation). To see this, it suffices to show that every honest node will vote on the proposal of an honest proposer—since an honest proposer makes a proposal at the beginning of the epoch e, as long as every honest node votes on it, the honest votes will have been received by all honest nodes by the beginning of epoch e+1; and thus epoch (e + 1)’s proposer, if honest, will propose to extend a notarized chain ending at epoch e + 1. We now prove this. If an honest node i rejects a proposal from an honest proposer j, it must be that the proposed block extends from a parent chain that is less fresh than the freshest notarized chain (denoted chain∗ ) observed at the beginning of the previous epoch. However, if i has observed chain∗ at the beginning of the previous epoch, then due to the message delivery assumption during a period of synchrony, by the beginning of this epoch, node j must have observed it and thus j cannot have proposed to extend from a less fresh parent chain.

12

E. Shi

Remark 4. Alternatively, we can modify the proposer rotation policy for the same node to serve as a proposer for three consecutive epochs. In this case, progress will be made whenever an honest proposer makes proposals for 3 consecutive epochs.

3

A Synchronous Blockchain Tolerating Minority Corruptions

In the previous section, we presented a streamlined blockchain protocol whose consistency guarantee holds with arbitrary network delays, but whose liveness guarantee may hold only during periods of synchrony—such protocols are said to be secure in a “partially synchronous” network [6]. Due to a well-known lower bound by Dwork et al. [6], no partially synchronous protocol can tolerate n/3 or more corruptions, and therefore the protocol in the previous section is in fact optimal in resilience. In this section we illustrate another streamlined blockchain protocol that tolerates up to minority corruptions. To achieve this, however, we must make a synchrony assumption even for the consistency proof. Recall that earlier in Sect. 2.4 we made the following synchrony assumption for proving liveness: If an honest node has observed a message m in round t, then all honest nodes must have observed m by the beginning of round t + Δ if not earlier. In this section, we shall make this assumption for proving both consistency and liveness. Remark 5. The consensus problem would be trivial if all honest nodes must observe every message m in the same round. In fact, in the synchronous setting, the crux of the consensus problem is essentially to overcome the Δ difference in the timing at which honest nodes observe the same message m. 3.1

Protocol

The protocol is almost identical as the one in Sect. 2 except for two modifications: (1) the parameters for forming a notarization and for finalizations are chosen differently; and (2) the finalization rule makes an additional check for conflicting proposals. The protocol is described below and the difference from the earlier protocol in Sect. 2 is highlighted in blue.

Streamlined Blockchains: A Simple and Elegant Approach

13

Notarization: A valid vote for chain from node i is a valid signature from node i on H(chain) where H is a hash function chosen at random from a collisionresistant hash family. A collection of at least n/2 votes from distinct nodes on some chain is said to be a notarization for chain. For each epoch e = 1, 2, . . .: • Propose: At the beginning of the epoch, node (H ∗ (e) mod n) proposes a new block B := (e, TXs, h−1 ) extending the freshest notarized chain in its view denoted chain. Here TXs denotes a set of outstanding transactions to confirm and h−1 = H(chain). The proposal, containing chain||B and a notarization for chain, is signed and multicast to everyone—here chain is referred to as the parent chain of B. • Vote: Every node performs the following: when the first valid proposal of the form chain||(e, , ) is received from node (H ∗ (e) mod n) with a valid notarization on chain, vote on the proposal iff chain is at least as fresh as the freshest notarized chain the node has observed at the beginning of the previous epoch or if the current epoch e = 1. To vote on chain||B, simply multicast a signature on the value H(chain||B) to everyone. Finalization: At any time, if a notarized chain has been observed ending at 6 blocks with consecutive epoch numbers, and moreover for each these 6 epoch numbers, no conflicting proposal (from an eligible proposer) for a different block has been seen, then the prefix chain[: −5] is final.

3.2

Consistency Proof

In comparison with Sect. 2.3, under minority corruption, the “uniqueness per epoch” lemma (Lemma 2.1) no longer holds. Consistency now crucially relies on the new finalization rule which additionally checks for conflicting proposals. We thus present a different but nonetheless simple consistency proof. Henceforth we use the notation chain e to denote the block at epoch e in chain, and we use chain : e to denote the prefix of chain up to and including the block of epoch e. Lemma 3.1 (No contiguous skipping). Suppose that a notarized chain with two consecutive epoch numbers e and e+ 1 appear in honest view. Then, no notarized chain in honest view whose ending epoch at least e can skip all of the epochs e, e + 1, e + 2, e + 3 (i.e., one of these epochs must be contained in the notarized chain). Proof. Let chain be the notarized chain in honest view with two consecutive epochs e and e + 1. It must be that at least one honest node i has voted for chain : e + 1 during epoch e + 1, and thus i has observed a notarization for chain : e in epoch e + 1. Therefore all honest nodes must have observed a notarization for chain : e in epoch e + 2, i.e., by the beginning of epoch e + 3.

14

E. Shi

Thus in any epoch e > e + 3 no honest node will vote to extend a parent chain whose epoch is smaller than e. Suppose chain is a notarized chain in honest view whose ending epoch is at least e + 4 and moreover chain does not contain the epochs e, e + 1, e + 2, e + 3. Let e be the smallest epoch in chain that is greater than e + 3. It must be that at least one honest node voted on chain : e during epoch e but this is   impossible because chain : e ’s parent has epoch smaller than e. Theorem 3.2 (Consistency). Suppose that an honest node i triggered the finalization rule on chain and an honest node j triggered the finalization rule on chain , then it must be that either chain[: −5]  chain [: −5] or chain [: −5]  chain[: −5]. Note that i and j can be the same or different node in the above theorem. Proof. Suppose that chain ends at 6 consecutive epochs e − 5, e − 4, . . . , e and chain ends at 6 consecutive epochs e −5, e −4, . . . , e . Without loss of generality, assume that e ≥ e. Since chain contains two consecutive epochs e−5 and e−4, due to Lemma 3.1, chain cannot skip all of epochs e − 5, e − 4, e − 3, e − 2. Therefore there must be a block in chain at epoch e ∈ {e − 5, e − 4, e − 3, e − 2}. Thus, at least one e in epoch e, and this honest node must honest node must have voted for chain  e from an eligible proposer in epoch e. This have observed a proposal for chain  e from means that all honest nodes must have observed a proposal for chain  an eligible proposer by the beginning of e + 2 ≤ e. Notice that a notarization for chain cannot appear in honest view before epoch e since honest nodes will only vote for chain in epoch e. Thus the finalization rule for chain must be triggered after epoch e starts, but by this time all honest nodes have observed a proposal for chain : e . Therefore it must be that chain : e = chain : e since otherwise the finalization rule cannot trigger on chain due to seeing a conflicting proposal for e.   3.3

Liveness Proof

We can show that honest nodes’ finalized chains must grow whenever there are 6 consecutive epochs all with honest proposers. The proof follows almost identically as in Sect. 2.4, where we can prove that an honest proposer’s proposal never gets rejected by honest recipients. The liveness claim therefore follows by observing that an honest proposer does not propose two blocks of the same epoch.

4

Additional Improvements and References

Optimistic Responsiveness. The protocols described earlier are preconfigured with an anticipated delay parameter Δ, and a new block can only be confirmed per Θ(Δ) rounds (also called an epoch earlier). In practice, if and whenever

Streamlined Blockchains: A Simple and Elegant Approach

15

the actual network delay δ is much smaller than Δ, it would be desirable to confirm transactions as fast as the network makes progress, i.e., the confirmation time should be dependent only on the actual delay δ and not on the a-priori upper bound Δ. Protocols that achieve this property are said to be optimistically responsive [14]. In Pala [4] and Pili [5], the authors show that with very minor tweaks to protocols described in this tutorial, one can achieve optimistic responsiveness in the partial synchronous and synchronous settings respectively. Later versions of the Hotstuff [1] paper and subsequently Sync Hotstuff [2] also achieved optimistic responsiveness. Synchronous and Yet Partition Tolerant. The synchronous, honestmajority protocol described in Sect. 3 makes a strong network synchrony assumption for its consistency proof. Specifically, every honest node’s messages must be delivered within Δ delay. In other words, if an honest node ever temporarily drops offline and violates the Δ bound, it is treated as corrupt by the model and the consensus protocol is no longer required to provide consistency and liveness guarantees for this node. In practice, typically no one can deliver 100% uptime—since blockchains are long running, every node may become offline at some point, and thus at the end time, the classical synchronous model will treat everyone as corrupt! This means that protocols proven secure in the classical synchronous model do not necessarily offer strong enough robustness for practical deployment. A symptom of this is that almost all known synchronous consensus protocols appear under-specified and unimplementable: typically these protocols do not fully specify what a node should do if it receives messages out of sync, e.g., after coming back online after a short outage (and it is dangerous to leave this decision entirely to an ordinary implementer). Recently, Guo, Pass, and Shi [7] propose a new model that allows one to capture a notion of “best-possible partition tolerance” while making mild network timing assumptions. Specifically, in their model, a secure consensus protocol must provide both consistency and liveness to all honest nodes, even those who might have suffered from temporary outages but have come back online, as long as at any point of time, there exists a set of honest and online nodes that are majority in size. Moreover, this honest and online set may even churn rapidly over time. Given Guo et al.’s model, a recent work called Pili showed how to achieve this notion of best-possible partition tolerance through very minor tweaks to the protocol described in Sect. 3 (and at the same time offering optimistic responsiveness too). Reference Implementation. We refer the reader to an open-source implementation of Pala (https://github.com/thundercore/pala). This implementation adopted a doubly-streamlined, and optimistically responsive variant of the protocol described in Sect. 2. We briefly explain the “doubly-streamlined” idea: in the protocol in Sect. 2, a node must have received the parent chain’s notarization to vote on the next block—this can lead to pipeline stalls in settings with

16

E. Shi

long delay and large bandwidth. Double streamlining is a generalization of the protocol in Sect. 2 such that nodes can propose and vote on a block as long as its k-th ancestor’s notarization has been received; however, for finalization, one has to chop off roughly k blocks too. Acknowledgments. We gratefully acknowledge Kartik Nayak, Ling Ren, Robbert van Renesse, and Steven Galbraith for helpful feedback on improving the writeup. The author would like to thank T-H. Hubert Chan and Rafael Pass for inspiring discussions.

A

Notations

Variable

Meaning

chain chain[: ] chain[: −] Δ

Blockchain Prefix of chain upto and including the -th block Prefix of chain after removing the trailing  blocks maximum network delay between honest nodes (during a period of synchrony) Epoch number, i.e., a collection of 2Δ rounds Number of nodes Parent hash encoded in a block Application-specific payload in a block, e.g., a set of transactions to confirm Collision-resistant hash function for hashing blockchains A random oracle for proposer election

e n h−1 TXs H H∗

References 1. Abraham, I., Gueta, G., Malkhi, D.: Hot-stuff the linear, optimal-resilience, onemessage BFT devil. CoRR, abs/1803.05069 (2018) 2. Abraham, I., Malkhi, D., Nayak, K., Ren, L., Yin, M.: Sync HotStuff: simple and practical synchronous state machine replication. Cryptology ePrint Archive, Report 2019/270 (2019). https://eprint.iacr.org/2019/270 3. Castro, M., Liskov, B.: Practical Byzantine fault tolerance. In: OSDI (1999) 4. Hubert Chan, T.-H., Pass, R., Shi, E.: Pala: a simple partially synchronous blockchain. Manuscript (2018). https://eprint.iacr.org/2018/981 5. Hubert Chan, T.-H., Pass, R., Shi, E.: Pili: a simple, fast, and robust family of blockchain protocols. Cryptology ePrint Archive, Report 2018/980 (2018). https:// eprint.iacr.org/2018/980 6. Dwork, C., Lynch, N., Stockmeyer, L.: Consensus in the presence of partial synchrony. J. ACM 35, 288–323 (1988) 7. Guo, Y., Pass, R., Shi, E.: Synchronous, with a chance of partition tolerance. Cryptology ePrint Archive (2018)

Streamlined Blockchains: A Simple and Elegant Approach

17

8. Hanke, T., Movahedi, M., Williams, D.: Dfinity technology overview series: consensus system. https://dfinity.org/tech 9. Lamport, L.: The part-time parliament. ACM Trans. Comput. Syst. 16(2), 133–169 (1998) 10. Lamport, L., Shostak, R., Pease, M.: The Byzantine generals problem. ACM Trans. Program. Lang. Syst. 4(3), 382–401 (1982) 11. Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008) 12. Pass, R., Shi, E.: Hybrid consensus: efficient consensus in the permissionless model. In: DISC (2017) 13. Pass, R., Shi, E.: Rethinking large-scale consensus. In: CSF (2017) 14. Pass, R., Shi, E.: Thunderella: blockchains with optimistic instant confirmation. In: Nielsen, J.B., Rijmen, V. (eds.) EUROCRYPT 2018. LNCS, vol. 10821, pp. 3–33. Springer, Cham (2018). https://doi.org/10.1007/978-3-319-78375-8 1 15. Schneider, F.B.: Implementing fault-tolerant services using the state machine approach: a tutorial. ACM Comput. Surv. 22(4), 299–319 (1990) 16. Griffith, V., Buterin, V.: Casper the friendly finality gadget. https://arxiv.org/ abs/1710.09437

Best Paper

Wave: A New Family of Trapdoor One-Way Preimage Sampleable Functions Based on Codes Thomas Debris-Alazard1,2(B) , Nicolas Sendrier2 , and Jean-Pierre Tillich2 1

Sorbonne Universit´e, Coll`ege Doctoral, 75005 Paris, France 2 Inria, Paris, France {thomas.debris,nicolas.sendrier,jean-pierre.tillich}@inria.fr

Abstract. We present here a new family of trapdoor one-way functions that are Preimage Sampleable on Average (PSA) based on codes, the Wave-PSA family. The trapdoor function is one-way under two computational assumptions: the hardness of generic decoding for high weights and the indistinguishability of generalized (U, U + V )-codes. Our proof follows the GPV strategy [28]. By including rejection sampling, we ensure the proper distribution for the trapdoor inverse output. The domain sampling property of our family is ensured by using and proving a variant of the left-over hash lemma. We instantiate the new Wave-PSA family with ternary generalized (U, U + V )-codes to design a “hash-and-sign” signature scheme which achieves existential unforgeability under adaptive chosen message attacks (EUF-CMA) in the random oracle model.

1

Introduction

Code-Based Signature Schemes. It is a long standing open problem to build an efficient and secure digital signature scheme based on the hardness of decoding a linear code which could compete with widespread schemes like DSA or RSA. Those signature schemes are well known to be broken by quantum computers and code-based schemes could indeed provide a valid quantum resistant replacement. A first answer to this question was given by the CFS scheme proposed in [15]. such that the solution e It consisted in finding parity-check matrices H ∈ Fr×n 2 of smallest weight of the equation 

eH = s.

(1)

could be found for a non-negligible proportion of all s in Fr2 . This task was achieved by using high rate Goppa codes. This signature scheme has however two drawbacks: (i) for high rates Goppa codes the indistinguishability assumption used in its security proof has been invalidated in [22], (ii) security scales only This work was supported by the ANR CBCRYPT project, grant ANR-17-CE39-0007 of the French Agence Nationale de la Recherche. c International Association for Cryptologic Research 2019  S. D. Galbraith and S. Moriai (Eds.): ASIACRYPT 2019, LNCS 11921, pp. 21–51, 2019. https://doi.org/10.1007/978-3-030-34578-5_2

22

T. Debris-Alazard et al.

weakly superpolynomially in the keysize for polynomial time signature generation. A crude extrapolation of parallel CFS [23] and its implementations [10,35] yields for 128 bits of classical security a public key size of several gigabytes and a signature time of several seconds. Those figures even grow to terabytes and hours for quantum-safe security levels, making the scheme unpractical. This scheme was followed by other proposals using other code families such as for instance [4,29,36]. All of them were broken, see for instance [40,42]. Other signature schemes based on codes were also given in the literature such as for instance the KKS scheme [33,34], its variants [7,27] or the RaCoSS proposal [25] to the NIST. But they can be considered at best to be one-time signature schemes and great care has to be taken to choose the parameters of these schemes in the light of the attacks given in [13,31,41]. Finally, another possibility is to use the Fiat-Shamir heuristic. For instance by turning the Stern zero-knowledge authentication scheme [46] into a signature scheme but this leads to rather large signature lengths (hundred(s) of kilobits). There has been some recent progress in this area for another metric, namely the rank metric. A hash and sign signature scheme was proposed, RankSign [26], that enjoys remarkably small key sizes, but it got broken too in [20]. On the other hand, following the Schnorr-Lyubashevsky [37] approach, a new scheme was recently proposed, namely Durandal [2]. This scheme enjoys small key sizes and managed to meet the challenge of adapting the Lyubashevsky [37] approach for code-based cryptography. However, there is a lack of genericity in its security reduction to a rather convoluted problem, namely PSSI+ (see [2, §4.1]). One-Way Preimage Sampleable Trapdoor Functions. There is a very powerful tool for building a hash-and-sign signature scheme. It is based on the notion of one-way trapdoor preimage sampleable function [28, §5.3]. Roughly speaking, this is a family of trapdoor one-way functions (fa )a such that with overwhelming probability over the choice of fa (i) the distribution of the images fa (e) is very close to the uniform distribution over its range (ii) the distribution of the output of the trapdoor algorithm inverting fa samples from all possible preimages in an appropriate way. This trapdoor inversion algorithm should sample its outputs e for any x in the domain of fa such that the distribution of e is indistinguishable in a statistical sense from the input distribution of fa conditioned by fa (e) = x. This notion and its lattice-based instantiation was used in [28] to give a full-domain hash (FDH) signature scheme with a tight security reduction based on lattice assumptions, namely that the Short Integer Solution (SIS) problem is hard on average. Furthermore, this approach also allowed to build the first identity based encryption scheme that could be resistant to a quantum computer. We will refer to this approach for obtaining a FDH scheme as the GPV strategy. This strategy has also been adopted in Falcon [24], a lattice based signature submission to the NIST call for post-quantum cryptographic primitives that was recently selected as a second round candidate. This preimage sampleable primitive is notoriously difficult to obtain when the functions fa are not trapdoor permutations but many-to-one functions. This is

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

23

typically the case when one wishes quantum resistant primitives based on lattice based assumptions. The reason is the following. The hard problem on which this primitive relies is the SIS problem where we want to find for a matrix A in Zn×m q (with m ≥ n) and an element s ∈ Znq a short enough (for the Euclidean norm) solution e ∈ Zm q to the equation 

eA = s mod q.

(2) 

A defines a preimage sampleable function as fA (e) = eA and the input to fA is chosen according to a (discrete) Gaussian distribution of some variance σ 2 . Obtaining a nearly uniform distribution for the fA (e)’s over its range requires to choose σ 2 so large so that there are actually exponentially many solutions to (2). It is a highly non-trivial task to build in this case a trapdoor inversion algorithm that samples appropriately among all possible preimages, i.e. oblivious to the trapdoor. The situation is actually exactly the same if we want to use another candidate problem for building this preimage sampleable primitive for being resistant to a quantum computer, namely the decoding problem in code-based cryptography. Here we rely on the difficulty of finding a solution e of Hamming weight exactly w with coordinates in a finite field Fq for the equation 

eH = s.

(3)

where H is a given matrix and s (usually called a syndrome) a given vector with entries in Fq . The weight w has to be chosen large enough so that this equation has always exponentially many solutions (in n the length of e). As in the lattice based setting, it is non-trivial to build trapdoor candidates with a trapdoor inversion algorithm for fH (defined as fH (e) = eH ) that is oblivious to the trapdoor. Our Contribution: A Code-Based PSA Family and a FDH Scheme. Our main contribution is to give here a code-based one way trapdoor function that meets the preimage sampleable property in a slighty relaxed way: it meets this property on average. We call such a function Preimage Sampleable on Average, PSA in short. This property on average turns out to be enough for giving a security proof for the signature scheme built from it. Our family relies here on the difficulty of solving (3). We derive from it a FDH signature scheme which is shown to be existentially unforgeable under a chosen-message attack (EUF-CMA) with a tight reduction to solving two code-based problems: one is a distinguishing problem related to the trapdoor used in our scheme, the other one is a multiple targets version of the decoding problem (3), the so called “Decoding One Out of Many” problem (DOOM in short) [44]. In [28] a signature scheme based on preimage sampleable functions is given that is shown to be strongly existentially unforgeable under a chosen-message attack if in addition the preimage sampleable functions are also collision resistant. With our choice of w and Fq , our preimage sampleable functions are not collision resistant. However, as observed in [28], collision resistance allows a tight security reduction

24

T. Debris-Alazard et al.

but is not necessary: a security proof could also be given when the function is “only” preimage sampleable. Here we will show that it is even enough to have such a property on average. Moreover, in contrast with the lattice setting where the size of the alphabet q grows with n, our alphabet size will be constant in our proposal, it is fixed to q = 3. Our Trapdoor: Generalized (U,U+V)-Codes. In [28] the trapdoor consists in a short basis of the lattice considered in the construction. Our trapdoor will be of a different nature, it consists in choosing parity-check matrices of generalized (U, U + V )-codes. In our construction, U and V are chosen as random codes. The number of such generalized (U, U + V )-codes of dimension k and length n is of the same order as the number of linear codes with the same parameters, 2 namely q Θ(n ) when k = Θ (n). A generalized (U, U + V ) code C of length n over Fq is built from two codes U and V of length n/2 and 4 vectors a, b, c and d in n/2 Fq as the following “mixture” of U and V : C = {(a  u + b  v, c  u + d  v) : u ∈ U, v ∈ V } where xy stands for the component-wise product, also called the Hadamard or  Schur product. It is defined as: xy =(x1 y1 , · · · , xn/2 yn/2 ). Standard (U, U +V )codes correspond to a = c = d = 1n/2 and b = 0n/2 , the all-one and the all-zero vectors respectively. The point of introducing such codes is that they have a natural decoding algorithm DU V solving the decoding problem (3) that is based on a generic decoding algorithm Dgen for linear codes. Dgen will be here a very simple decoder, namely a variation of the Prange decoder [43] that is able to easily produce for a solution of (3) for any w in the range any parity-check matrix H ∈ Fr×n q r r, n − . Note that this algorithm works in polynomial time and that the  q−1 q q complexity of the best known algorithms is exponential in n for weights w of the ρ form w = ωn where ω is a constant that lies outside the interval [ q−1 q ρ, 1− q ] with 

ρ = nr . DU V works by combining the decoding of V with Dgen with the decoding of U by Dgen . The nice feature is that DU V is more powerful than Dgen applied directly on the generalized (U, U + V )-code: the weight of the error produced by r DU V in polynomial time can be made to lie outside the interval  q−1 q r, n − q . This is in essence the trapdoor of our signature scheme. A tweak in this decoder consisting in performing only a small amount of rejection sampling (with our choice of parameters one rejection every 10 or 12 signatures, see the full paper [18]) allows to obtain solutions that are uniformly distributed over the words of weight w. This is the key for obtaining a PSA family and a signature scheme from it. Finally, a variation of the proof technique of [28] allows to give a tight security proof of our signature scheme that relies only on the hardness of two problems, namely Decoding Problem: Solving at least one instance of the decoding problem (1) r out of multiple instances for a certain w that is outside the range  q−1 q r, n− q 

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

25

Distinguishing Problem: Deciding whether a linear code is a permuted generalized (U, U + V ) code or not. Hardness of the Decoding Problem. All code-based cryptography relies upon that problem. Here we are in a case where there are multiple solutions of (3) and the adversary may produce any number of instances of (3) with the same matrix H and various syndromes s and is interested in solving only one of them. This relates to the, so called, Decoding One Out of Many (DOOM) problem. This problem was first considered in [32]. It was shown there how to adapt the known algorithms for decoding a linear code in order to solve this modified problem. This modification was later analyzed in [44]. The parameters of the known algorithms for solving (3) can be easily adapted to this scenario where we have to decode simultaneously multiple instances which all have multiple solutions. Hardness of the Distinguishing Problem. This problem might seem at first sight to be ad-hoc. However, even in the very restricted case of (U, U + V )codes, deciding whether a code is a permuted (U, U + V )-code or not is an NPcomplete problem. Therefore the Distinguishing Problem is also NP-complete for generalized (U, U +V )-codes. This theorem is proven in the case of binary (U, U + V )-codes in [17, §7.1, Thm 3] and the proof carries over to an arbitrary finite field Fq . However as observed in [17, p. 3], these NP-completeness reductions hold in the particular case where the dimensions kU and kV of the code U and V satisfy kU < kV . If we stick to the binary case, i.e. q = 2, then in order that our (U, U + V ) decoder works outside the integer interval  2r , n − 2r  it is necessary that kU > kV . Unfortunately in this case there is an efficient probabilistic algorithm solving the distinguishing problem that is based on the fact that in this case the hull of the permuted (U, U + V )-code is typically of large dimension, namely kU − kV (see [16, §1 p. 1–2]). This problem can not be settled in the binary case by considering generalized (U, U + V )-codes instead of just plain (U, U + V )-codes, since it is only for the restricted class of (U, U + V )codes that the decoder considered in [16] is able to work properly outside the critical interval  2r , n− 2r . This explains why the ancestor Surf [16] of the scheme proposed here that relies on binary (U, U + V )-codes can not work. This situation changes drastically when we move to larger finite fields. In order to have a decoding algorithm DU V that has an advantage over the generic decoder Dgen we do not need to have a = c = d = 1n/2 and b = 0n/2 (i.e. (U, U + V )-codes) we just need that ac and ad−bc are vectors with only non-zero components. This freedom of choice for the a, b, c and d thwarts completely the attacks based on hull considerations and changes completely the nature of the distinguishing problem. In this case, it seems that the best approach for solving the distinguishing problem is based on the following observation. The generalized (U, U + V )-code has codewords of weight slightly smaller than the minimum distance of a random code of the same length and dimension. It is very tempting to conjecture that the best algorithms for solving the Distinguishing Problem

26

T. Debris-Alazard et al.

come from detecting such codewords. This approach can be easily thwarted by choosing the parameters of the scheme in such a way that the best algorithms for solving this task are of prohibitive complexity. Notice that the best algorithms that we have for detecting such codewords are in essence precisely the generic algorithms for solving the Decoding Problem. In some sense, it seems that we might rely on the very same problem, namely solving the Decoding Problem, even if our proof technique does not show this. Large Weights Decoding and q = 3. In terms of simplicity of the decoding procedure used in the signing process, it seems that defining our codes over the finite field F3 is particularly attractive. In such a case, the biggest advantage of DU V over Dgen is obtained for large weights rather than for small weights (there is an explanation for this asset in Sect. 4.3). This is a bit unusual in code-based cryptography to rely on the difficulty of finding solutions of large weight to the decoding problem. However, it also opens the issue of whether or not it would be advantageous to have (non-binary) code-based primitives rely on the hardness of solving the decoding problem for large weights rather than for small weights. Of course these two problems are equivalent in the binary case, i.e. q = 2, but this is not the case for larger alphabets anymore and still everything seems to point to the direction that large weights problem is by no means easier than its small weight counterpart. All in all, this gives the first practical signature scheme based on ternary codes which comes with a security proof and which scales well with the parameters: it can be shown that if one wants a security level of 2λ , then the signature size is of order O(λ), the public key size is of order O(λ2 ), and the computational effort is of order O(λ3 ) for generating a signature and O(λ2 ) for verifying it. It should be noted that contrarily to the current thread of research in code-based or lattice-based cryptography which consists in relying on structured codes or lattices based on ring structures in order to decrease the key-sizes we did not follow this approach here. This allows for instance to rely on the NP-complete Decoding Problem which is generally believed to be hard on average rather that on decoding in quasi-cyclic codes for instance whose status is still unclear with a constant number of circulant blocks. Despite the fact that we did not use the standard approach for reducing the key sizes relying on quasi-cyclic codes for instance, we obtain acceptable key sizes (about 3.2 megabytes for 128 bits of security) which compare very favorably to unstructured lattice-based signature schemes such as TESLA for instance [1]. This is due in part to the tightness of our security reduction.

2

Notation 

General Notation. The notation x = y defines x to be equal to y. We denote by Fq the finite field with q elements and by Sw,n , or Sw when n is clear from the context, the subset of Fnq of words of weight w. For a and b integers with

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

27

a ≤ b, we denote by a, b the set of integers {a, a + 1, . . . , b}. Furthermore, h3 

will denote the function: h3 (x) = −x log3 (x) − (1 − x) log3 (1 − x) defined on [0, 1]. Vector and Matrix Notation. Vectors will be written with bold letters (such as e) and uppercase bold letters are used to denote matrices (such as H). Vectors are in row notation. Let x and y be two vectors, we will write (x, y) to denote their concatenation. We also denote by xI the vector whose coordinates are those of x = (xi )1≤i≤n which are indexed by I, i.e. xI = (xi )i∈I . We will denote by HI the matrix whose columns are those of H which are indexed by I. We may denote by x(i) the i-th entry of a vector x, or by A(i, j) the entry in row i and column j of a matrix A. We define the support of x = (xi )1≤i≤n 

as Supp(x) ={i ∈ {1, · · · , n} such that xi = 0}. The Hamming weight of x is denoted by |x|. By some abuse of notation, we will use the same notation to denote the size of a finite set: |S| stands for the size of the finite set S. For a vector a ∈ Fnq , we denote by Diag(a) the n × n diagonal matrix A with its entries given by a, i.e. A(i, i) = ai for all i ∈ 1, n and A(i, j) = 0 for i = j. Probabilistic Notation. Let S be a finite set, then x ← S means that x is assigned to be a random element chosen uniformly at random in S. For two random variables X, Y , X ∼ Y means that X and Y are identically distributed. We will also use the same notation for a random variable and a distribution D, where X ∼ D means that X is distributed according to D. We denote the uniform distribution on Sw by Uw . The statistical distance between two discrete probability distribu  tions over a same space E is defined as: ρ(D0 , D1 ) = 12 x∈E |D0 (x) − D1 (x)|. Recall that a function f (n) is said to be negligible, and we denote this by f ∈ negl(n), if for all polynomials p(n), |f (n)| < p(n)−1 for sufficiently large n. Coding Theory. For any matrix M we denote by M the vector space spanned by its rows. A q-ary linear code C of length n and dimension k is a subspace of Fnq of dimension k. A parity-check matrix H over Fq of size r × n is such that   C = H ⊥ = x ∈ Fnq : xH = 0 . When H is of full rank we have r = n − k. The code rate, usually denoted by R, is defined as the ratio k/n. An information set of a code C of length n is a set of k coordinate indices I ⊂ 1, n such that its complement indexes n − k independent columns on any parity-check matrix. (n−k)×n , H ∈ Fq , and any information set I of C = H ⊥ , for For any s ∈ Fn−k q all x ∈ Fnq there exists a unique e ∈ Fnq such that eH = s and xI = eI .

3 3.1

The Wave-family of Trapdoor One-Way Preimage Sampleable Functions One-Way Preimage Sampleable Code-Based Functions

In this work we will use the FDH paradigm [9,14] using as one-way the syndrome function: fH : e ∈ Sw −→ eH ∈ Fn−k q

28

T. Debris-Alazard et al.

−1 The corresponding FDH signature uses a trapdoor to choose σ ∈ fw,H (h) where h is the digest of the message to be signed. Here, the signature domain is Sw and its range is the set of syndromes Fn−k according to H, an (n − k) × n parity q check matrix of some q-ary linear [n, k] code. The weight w is chosen such that the one-way function fw,H is surjective but not bijective. Building a secure FDH signature in this situation can be achieved by imposing additional properties [28] to the one-way function (we will speak of the GPV strategy). This is mostly captured by the notion of Preimage Sampleable Functions, see [28, Definition 5.3.1]. We express below this notion in our code-based context with a slightly relaxed definition dropping the collision resistance condition and only assuming that the preimage sampleable property holds on average and not for any possible element in the function range. This will be sufficient for proving the security of our code-based FDH scheme.

Definition 1 ( Trapdoor One-way Preimage Sampleable on Average Code-based Functions). It is a pair of probabilistic polynomial-time algorithms (Trapdoor, InvAlg) together with a triple of functions (n(λ), k(λ), w(λ)) growing polynomially with the security parameter λ and giving the length and dimension of the codes and the weights we consider for the syndrome decoding problem, such that – Trapdoor when given λ, outputs (H, T ) where H is an (n − k) × n matrix over Fq and T the trapdoor corresponding to H. – InvAlg is a probabilistic algorithm which takes as input T and an element and outputs an e ∈ Sw,n such that eH = s. s ∈ Fn−k q The following properties have to hold for all but a negligible fraction of H output by Trapdoor. 1. Domain Sampling with uniform output: 

ρ(eH , s) ∈ negl(λ), where e ← Sw,n and s ← Fn−k . q 2. Preimage Sampling on Average (PSA) with trapdoor: . ρ (InvAlg(s, T ), e) ∈ negl(λ), where e ← Sw,n and s ← Fn−k q 3. One wayness without trapdoor: for any probabilistic poly-time algorithm A (n−k)×n and s ∈ Fn−k , the outputting an element e ∈ Sw,n when given H ∈ Fq q  probability that eH = s is negligible, where the probability is taken over the choice of H, the target value s chosen uniformly at random, and A’s random coins. Remark 1. 1. The preimage property as defined in [28] would translate in our we should have setting in the following way. For any s ∈ Fn−k q    ρ (InvAlg(s, T ), es ) ∈ negl(λ), where es ← e ∈ Sw,n : eH = s .

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

As observed by an anonymous reviewer, we have ρ (InvAlg(s, T ), e) =

=









s

−1 e∈fH (s)

  1   |Sw | −

s e∈f −1 (s) H



 s

=

1



q n−k



  1  |Sw | −

1 −1 q n−k |fH (s)|

−1 e∈fH (s)

+

1 P(InvAlg(s, T ) q n−k

1 −1 q n−k |fH (s)|

  = e)

  − qn−k P(InvAlg(s, T ) = e) 1

    1    |f −1 (s)|  −1  H − − P(InvAlg(s, T ) = e) − s  |Sw |  |fH (s)| 

1 ρ (InvAlg(s, T ), es ) q n−k

29

1

q n−k

   



− ρ(eH , s).

s∈Fn−k q

Therefore with the domain sampling property and our definition of the preimage sampling property the average of the ρ (InvAlg(s, T ), es )’s is negligible too, whereas [28] requires that all terms ρ (InvAlg(s, T ), es ) are negligible. Note that our property that holds for the average implies that this property holds for all but a negligible fraction of s’s. Indeed, if we have  1 ρ (InvAlg(s, T ), es ) = ε, n−k q n−k s∈Fq

√ # {s : ρ (InvAlg(s, T ), es ) ≥ ε} √ ≤ ε. q n−k As noted by the anonymous reviewer, this relaxed property is enough to apply the GPV proof technique. 2. It turns out that this relaxed definition of preimage sampleable function is enough to prove the security of the associated signature scheme using a salt as given in the next paragraph. This relaxed definition is of independent interest, since it can be easier to find trapdoor one-way functions meeting this property than the more stringent definition given in [28]. then

Given a one-way preimage sampleable code-based function (Trapdoor, InvAlg) we easily define a code-based FDH signature scheme as follows. We generate the public/secret key as (pk, sk) = (H, T ) ← Trapdoor(λ). We also select a and a salt r of size λ0 . The cryptographic hash function Hash : {0, 1}∗ → Fn−k q sk pk algorithms Sgn and Vrfy are defined as follows Sgnsk (m): r ← {0, 1}λ0 s ← Hash(m, r) e ← InvAlg(s, T ) return(e, r)

Vrfypk (m, (e , r)): s ← Hash(m, r) if e H = s and |e | = w return 1 else return 0

A tight security reduction in the random oracle model is given in [28] for the associated signature schemes. It requires collision resistance. Our construction uses a ternary alphabet q = 3 together with large values of w and collision resistance is not met. Still, we achieve a tight security proof [18, §7] by considering a reduction to the multiple target decoding problem.

30

3.2

T. Debris-Alazard et al.

The Wave Family of PSA Functions

The trapdoor family of codes which gives an advantage for inverting fw,H is built upon the following transformation: n/2

Definition 2. Let a, b, c and d be vectors of Fq . We define ϕa,b,c,d : (x, y) ∈ Fn/2 × Fn/2 → (a  x + b  y, c  x + d  y) ∈ Fn/2 × Fn/2 q q q q We will say that ϕa,b,c,d is UV-normalized if ∀i ∈ 1, n/2,

ai di − bi ci = 1, ai ci = 0. n/2

For any two subspaces U and V of Fq , we extend the notation 

ϕa,b,c,d (U, V ) = {ϕa,b,c,d (u, v) : u ∈ U, v ∈ V } Proposition 1 (Normalized Generalized (U, U + V )-code). Let n be an even integer and let ϕ = ϕa,b,c,d be a UV-normalized mapping. The mapping ϕ is bijective with ϕ−1 (x, y) = (d  x − b  y, −c  x + a  y). n/2 For any two subspaces U and V of Fq of parity check matrices HU and HV , the vector space ϕ(U, V ) is called a normalized generalized (U, U + V )-code. It has dimension dim U + dim V and admits the following parity check matrix   HU D −HU B  H(ϕ, HU , HV ) = −HV C HV A 







where A = Diag(a), B = Diag(b), C = Diag(c) and D = Diag(d). In the sequel, a UV-normalized mapping ϕ implicitly defines a quadruple of vectors (a, b, c, d) such that ϕ = ϕa,b,c,d . We will use this implicit notation and drop the subscript whenever no ambiguity may arise. Remark 2. – This construction can be viewed as taking two codes of length n/2 and making a code of length n by “mixing” together a codeword u in U and a codeword v in V as the vector formed by the set of ai ui + bi vi ’s and ci ui + di vi ’s. – The condition ai ci = 0 is here to ensure that coordinates of U appear in all the coordinates of the normalized generalized (U, U + V ) codeword. This is essential for having a decoding algorithm for the generalized (U, U + V )-code that has an advantage over standard information set decoding algorithms for linear codes. The trapdoor of our scheme builds upon this advantage. It can really be viewed as the “interesting” generalization of the standard (U, U +V ) construction. – We have fixed ai di − bi ci = 1 for every i to simplify some of the expressions in what follows. It is readily seen that any generalized (U, U + V )-code that can be obtained in the more general case ai di − bi ci = 0 can also be obtained in the restricted case ai di − bi ci = 1 by choosing U and V appropriately.

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

31

Defining Trapdoor and InvAlg. From the security parameter λ, we derive the system parameters n, k, w and split k = kU + kV (see [18, §5.4] for more details). The secret key is a tuple sk = (ϕ, HU , HV , S, P) where ϕ is a UV-normalized (n/2−kU )×n/2 (n/2−kV )×n/2 (n−k)×(n−k) mapping, HU ∈ Fq , HV ∈ Fq , S ∈ Fq is nonn×n is a permutation matrix. Each element singular with k = kU +kV , and P ∈ Fq of sk is chosen randomly and uniformly in its domain. From (ϕ, HU , HV ) we derive the parity check matrix Hsk = H(ϕ, HU , HV ) as in Proposition 1. The public key is Hpk = SHsk P. Next, we need to produce an algorithm Dϕ,HU ,HV which inverts fw,Hsk . The parameter w is such that this can be achieved using the underlying (U, U + V ) structure while the generic problem remains hard. In Sect. 5 we will show how to use rejection sampling to devise Dϕ,HU ,HV such that its output is uniformly distributed over Sw when . This enables us to instantiate algorithm s is uniformly distributed over Fn−k q InvAlg. To summarize:  sk ← (ϕ, HU , HV , S, P)  InvAlg(sk, s)

  pk ← Hpk e ← Dϕ,HU ,HV (s S−1 )   (pk, sk) ← Trapdoor(λ) return eP As in [28], putting this together with a domain sampling condition –which we prove in Sect. 6 from a variation of the left-over hash lemma– allows us to define a family of trapdoor preimage sampleable functions, later referred to as the Wave-PSA family.

4

Inverting the Syndrome Function

This section is devoted to the inversion of fw,H which amounts to solve: (n−k)×n

Problem 1 (Syndrome Decoding with fixed weight). Given H ∈ Fq , and an integer w, find e ∈ Fnq such that eH = s and |e| = w. Fn−k q

, s∈

− + − + We consider three nested intervals weasy , weasy  ⊂ wUV , wUV  ⊂ w− , w+  for n−k w such that for s randomly chosen in Fq : −1 (s) is likely/very likely to exist if w ∈ w− , w+  (Gilbert-Varshamov – fw,H bound) −1 − + (s) is easy to find if w ∈ weasy , weasy  for all H (Prange algorithm) – e ∈ fw,H −1 − + – e ∈ fw,H (s) is easy to find if w ∈ wUV , wUV  and H is the parity check matrix of a generalized (U, U + V )-code. This is the key for exploiting the underlying (U, U + V ) structure as a trapdoor for inverting fw,H .

4.1

Surjective Domain of the Syndrome Function

The issue is here for which value of w we may expect that fw,H is surjective. This clearly implies that |Sw | ≥ q n−k . In other words we have:

32

T. Debris-Alazard et al.

− Fact 1. If fw,H is surjective, then , w+   where w− < w+ are the  n w ∈ w (q − 1)w ≥ q n−k . extremum of the set w ∈ 0, n | w 



For a fixed rate R = k/n, let us define ω − = lim w− /n and ω + = lim w+ /n. n→+∞

n→+∞

Note that the quantity ω − is known as the asymptotic Gilbert-Varshamov distance. A straightforward computation of the expected number of errors e of weight w such that eH = s when H is random shows that we expect an exponential number of solutions when w/n lies in (ω − , ω + ). However, coding theory has never come up with an efficient algorithm for finding a solution to this problem in the whole range (ω − , ω + ). 4.2

Easy Domain of the Syndrome Function

The subrange of (ω − , ω + ) for which we know how to solve efficiently Problem 1 − + , ωeasy ] where is given by the condition w/n ∈ [ωeasy 

− ωeasy =

R q−1  q−1 + (1 − R) and ωeasy + , = q q q

(4)

where R is the code rate k/n. This is achieved by a slightly generalized version of the Prange decoder [43]. Prange algorithm is able to complement any word whose coordinates are fixed on an information set into a word of prescribed syndrome. In practice, it outputs in polynomial time using linear algebra, a word e of prescribed syndrome and of the form (e , e ) up to a permutation. The word e ∈ Fkq has its support on an information set and can be chosen. is random, thus of average weight q−1 The word e ∈ Fn−k q q (n − k). By properly choosing |e | the algorithm average output relative weight can thus take any q−1 n−k n−k − + value between q−1 q n = ωeasy and k + q n = ωeasy . This procedure, that we call PrangeOne·, is formalized in Algorithm 1. (n−k)×n

and s Proposition 2. When H is chosen uniformly at random in Fq , for the output e of PrangeOne(H, s) we have uniformly at random in Fn−k q |e| = S + T where S and T are independent random variables, S ∈ 0, n − k, T ∈ 0, k, S is the Hamming weight of a vector that is uniformly distributed k and P(T = t) = D(t). Let D = t=0 tD(t), we have: over Fn−k q P (|e| = w) =

w  t=0

n−k

w−t

(q − 1)w−t

q n−k

D(t), E(|e|) = D +

q−1 q (n

− − k) = D + nωeasy

− + From this proposition, we deduce that any weight w in ωeasy n, ωeasy n can be reached by this Prange decoder with a probabilistic polynomial time algorithm − n and which is sufficiently that uses a distribution D such that D = w − ωeasy concentrated around its expectation. It will be helpful in what follows to be able to choose a probability distribution D as this gives a rather large degree of freedom in the distribution of |e| that will come very handy to simulate an

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

33

Algorithm 1. PrangeOne(H, s) — One iteration of the Prange decoder Parameters: q, n, k, D a distribution over 0, k (n−k)×n

Require: H ∈ Fq , s ∈ Fn−k q  Ensure: eH = s 1: t ← D 2: I ← InfoSet(H)  InfoSet(H) returns an information set of H⊥ 3: x ← {x ∈ Fn | |x | = t} I q 4: e ← PrangeStep(H, s, I, x) 5: return e function PrangeStep(H, s, I, x) — Prange vector completion (n−k)×n

Require: H ∈ Fq , s ∈ Fn−k , I an information set of H⊥ , x ∈ Fn q q  Ensure: eH = s and eI = xI P ← any n × n permutation matrix sending I on the last k coordinates (n−k)×(n−k)  A ∈ Fq ; e ∈ Fkq (A |  B) ← HP ; (∗ | e ) ← xP         A−1 , e P e ← s − e B return e

output distribution that is uniform over the words of weight w in the generalized (U, U + V )-decoder that we will consider in what follows. − + , weasy . Inverting the syndrome function Enlarging the Easy Domain weasy fw,H is the basic problem upon which all code-based cryptography relies. This 

− problem has been studied for a long time for relative weights ω = w n in (0, ωeasy ) and despite many efforts the best algorithms [6,8,11,19,21,38,39,45] for solving this problem are all exponential in n for such fixed relative weights. In other words, after more than fifty years of research, none of those algorithms came up − ). Furthermore, with a polynomial complexity for relative weights ω in (0, ωeasy by adapting all the previous algorithms beyond this point we observe for them the same behaviour: they are all polynomial in the range of relative weights − + + , ωeasy ] and become exponential once again when ω is in (ωeasy , 1). All [ωeasy these results point towards the fact that inverting fw,H in polynomial time on a larger range is fundamentally a hard problem.

4.3

Solution with Trapdoor

Let us recall that our trapdoor to invert fw,H is given by the family of normalized generalized (U, U + V )-codes (Proposition 1 in Sect. 3.2). As we will see, this family comes with a simple procedure which enables to invert fw,H with errors − + − + , wUV  ⊂ w− , w+  but with weasy , weasy  of weight which belongs to wUV − + wUV , wUV . We summarize this situation in Fig. 1. We wish to point out here, to avoid any misunderstanding that the procedure we give here is not the one we use at the end to instantiate Wave, but is merely here to give the underlying idea of the trapdoor. Rejection sampling will be needed as explained in the following section to avoid any information leakage on the trapdoor coming from the outputs of the algorithm given here.

34

T. Debris-Alazard et al. easy with (U,U+V) trapdoor hard 0

hard

easy − − wUV weasy

+ + weasy wUV

n

w

Fig. 1. Hardness of (U, U + V ) Decoding

It turns out that in the case of a normalized generalized (U, U + V )-code, a simple tweak of the Prange decoder will be able to reach relative weights w/n − + , ωeasy ]. It exploits the fundamental leverage of outside the “easy” region [ωeasy the Prange decoder : it consists in choosing the error e satisfying eH = s as we want in k positions when the code that we decode is random and of dimension k. When we want an error of low weight, we put zeroes on those positions, whereas if we want an error of large weight, we put non-zero values. This idea leads to even smaller or larger weights in the case of a normalized generalized (U, U + V )code. To explain this point, recall that we want to solve the following decoding problem in this case. Problem 2 (decoding problem for normalized generalized (U, U +V )-codes). Given a normalized generalized (U, U + V ) code (ϕ, HU , HV ) (see Proposition 1) of (n−k)×n parity-check matrix H = H(ϕ, HU , HV ) ∈ Fq , and a syndrome s ∈ Fn−k , q  n find e ∈ Fq of weight w such that eH = s. The following notation will be very useful to explain how we solve this problem. n/2

Notation 1. For a vector e in Fnq , we denote by eU and eV the vectors in Fq such that (eU , eV ) = ϕ−1 (e).

The decoding algorithm will recover eV and then eU . From eU and eV we recover e since e = ϕ(eU , eV ). The point of introducing such an eU and a eV is that Proposition 3. Solving the decoding Problem 2 is equivalent to find an e ∈ Fnq of weight w satisfying 



eU HU = sU and eV HV = sV n/2−kU

where s = (sU , sV ) with sU ∈ Fq

n/2−kV

and sV ∈ Fq

(5) .

Remark 3. We have put U and V as superscripts in sU and sV to avoid any confusion with the notation we have just introduced for eU and eV . Proof. Let us observe that e = ϕ(eU , eV ) = (a  eU + b  eV , c  eU + d  eV ) = (eU A+eV B, eU C+eV D) with A = Diag(a), B = Diag(b), C = Diag(c), D = Diag(d). By using this, eH = s translates into eU AD HU + eV BD HU − eU CB HU − eV DB HU = sU −eU AC HV − eV BC HV + eU CA HV + eV DA HV = sV

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

35

which amounts to eU (AD − BC)HU = sU and eV (AD − BC)HV = sV , since A, B, C, D are diagonal matrices, they are therefore symmetric and commute   with each other. We finish the proof by observing that AD − BC = In/2 . Performing the two decoding in (5) independently with the Prange algorithm gains nothing. However if we first solve in V with the Prange algorithm, and then seek a solution in U which properly depends on eV we increase the range of weights accessible in polynomial time for e. It then turns out that the range − + , ωUV ] of relative weights w/n for which the (U, U + V )-decoder works in [ωUV − + , ωeasy ]. This will provide an advantage to polynomial time is larger than [ωeasy the trapdoor owner. Tweaking the Prange Decoder for Reaching Large Weights. When q = 2, small and large weights play a symmetrical role. This is not the case anymore for q ≥ 3. In what follows we will suppose that q ≥ 3. In order to find a solution e of large weight to the decoding problem eH = s, we use Proposition 3 and first find an  arbitrary solution eV to eV HV = sV . The idea, now for performing the second  decoding eU HU = sU , is to take advantage of eV to find a solution eU that maximizes the weight of e = ϕ(eU , eV ). On any information set of the U code, we can fix arbitrarily eU . Such a set is of size kU and on those positions i we can always choose eU (i) such that this induces simultaneously two positions in e that are non-zero. These are ei and ei+n/2 . We just have to choose eU (i) so that we have simultaneously ai eU (i) + bi eV (i) = 0 and ci eU (i) + di eV (i) = 0. This is always possible since q ≥ 3 and it gives an expected weight of e:   2kU q−1 q−1 (n/2 − kU ) = n+ (6) E(|e|) = 2 kU + q q q 2k The best choice for kU is to take kU = k up to the point where q−1 q n + q = n, that is k = n/2 and for larger values of k we choose kU = n/2 and kV = k − kU .

Why Is the Trapdoor More Powerful for Large Weights than for Small Weights? This strategy can be clearly adapted for small weights. However, it is less powerful in this case. Indeed, to minimize the final error weight we would like to choose eU (i) in kU positions such that ai eU (i) + bi eV (i) = 0 and ci eU (i) + di eV (i) = 0. Here as ai di − bi ci = 1 and ai ci = 0 in the family of codes we consider, this is possible if and only if eV (i) = 0. Therefore, contrarily to the case where we want to reach errors of large weight, the area of positions where we can gain twice is constrained to be of size n/2 − |eV |. The minimal weight for eV we can reach in polynomial time with the Prange decoder is given by q−1 q (n/2 − kV ). In this way the set of positions where we can double the number of 0 will be of size q−1 n n/2 − q−1 q (n/2 − kV ) = 2q + q kV . It can be verified that this strategy would give the following expected weight for the final error we get: E(|e|) =

q−1 q−1 q−1 n 2(q − 1)2 n−2 kU if kU ≤ + kV and (n − k) else. q q 2q q (2q − 1)q

36

5

T. Debris-Alazard et al.

Preimage Sampling with Trapdoor: Achieving a Uniformly Distributed Output

We restrict our study to q = 3 but it can be generalized to larger q. To be a trapdoor one-way preimage sampleable function, we have to enforce that the outputs of our algorithm, which inverts our trapdoor function, are very close to be uniformly distributed over Sw . The procedure described in the previous section using directly the Prange decoder, does not meet this property. As we will prove, by changing it slightly, we will achieve this task by still keeping the property to output errors of weight w for which it is hard to solve the decoding problem for this weight. However, the parameters will have to be chosen carefully and the area of weights w for which we can output errors in polynomial time decreases. Figure 2 gives a rough picture of what will happen. A calculation available in [18] shows that leakage immunity can be efficiently achieved by + . At this moment, we do not know how to rejection sampling for w > weasy − . achieve this efficiently for w < weasy easy with (U,U+V) trapdoor − weasy

hard 0

easy

+ weasy

− wUV

hard

+ wUV

n

w

no leakage with (U, U + V ) trapdoor

Fig. 2. Hardness of (U, U + V ) Decoding with no leakage of signature

5.1

Rejection Sampling to Reach Uniformly Distributed Output

We will tweak slightly the generalized (U, U + V )-decoder from the previous section by performing in particular rejection sampling on eU and eV in order to obtain an error e satisfying eH = s that is uniformly distributed over the . Solving the words of weight w when the syndrome s is randomly chosen in Fn−k 3 decoding problem 2 of the generalized (U, U +V )-code will be done by solving (5) through an algorithm whose skeleton is given in Algorithm 2. DecodeV(HV , sV )  returns a vector satisfying eV HV = sV , whereas DecodeU(HU , ϕ, sU , eV )  returns a vector satisfying eU HU = sU and such that |ϕ(eU , eV )| = w. Here n/2−kU n/2−kV s = (sU , sV ) with sU ∈ F3 and sV ∈ F3 . What we want to achieve by rejection sampling is that the distribution of e output by this algorithm is the same as the distribution of eunif that denotes a vector that is chosen uniformly at random among the words of weight w in Fn3 . This will be achieved by ensuring that: 1. the eV fed into DecodeU(·) at Step 5 has the same distribution as eunif V , 2. the distribution of eU surviving to Condition 2 at Step 7 conditioned on the conditioned on eunif value of eV is the same as the distribution of eunif U V .

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

37

Algorithm 2. DecodeUV(HV , HU , ϕ, s) 1: 2: 3: 4: 5: 6: 7: 8:

repeat eV ← DecodeV(HV , sV ) until Condition 1 is met repeat eU ← DecodeU(HU , ϕ, sU , eV ) e ← ϕ(eU , eV ) until Condition 2 is met return e

 We assume that |ϕ(eU , eV )| = w here.

There is a property of the decoders DecodeV(·) and DecodeU(·) derived from Prange decoders that we will consider that will be very helpful here. Definition 3. DecodeV(·) is said to be weightwise uniform if the output eV of DecodeV(HV , sV ) is such that P(eV ) is a function of the integer |eV | when sV n/2−kV is chosen uniformly at random in F3 . DecodeU(·) is m1 -uniform if the U outputput eU of DecodeU(HU , ϕ, s , eV ) is such that the conditional probability P(eU |eV ) is a function of the pair of integers (|eV |, m1 (ϕ(eU , eV )) where    m1 (x) =  1 ≤ i ≤ n/2 : |(xi , xi+n/2 )| = 1  . unif unif It is readily observed that P(eunif V ) and P(eU |eV ) are also only functions of unif unif unif |eV | and (|eV |, m1 (e )) respectively. From this it is readily seen that we obtain the right distributions for eV and eU conditioned on eV by just ensuring that the distribution of |eV | follows the same distribution as |eunif V | and that the distribution of m1 (e) conditioned on |eV | is the same as the distribution of m1 (eunif ) conditioned on |eunif V |. This is shown by the following lemma.

Lemma 1. Let e be the output of Algorithm 2 when sV and sU are uniformly n/2−kV n/2−kU distributed in F3 and F3 respectively. Assume that DecodeU(·) is m1 -uniform whereas DecodeV(·) is weightwise uniform. If for any possible y unif ) = z | |eunif and z, |eV | ∼ |eunif V | and P(m1 (e) = z | |eV | = y) = P(m1 (e V | = unif y), then e ∼ e . The probabilities are taken here over the choice of sU and sV and over the internal coins of DecodeU(·) and DecodeV(·). Proof. We have for any x in Sw P(e = x) = P(eU = xU | eV = xV )P(eV = xV ) = P(DecodeU(HU , ϕ, sU , eV ) = xU | eV = xV ) P(DecodeV(HV , sV ) = xV ) P(m1 (e) = z | |eV | = y) P(|eV | = y)  =P = n(y, z) n(y) n/2

(7)

where n(y) is the number of vectors of F3 of weight y and n(y, z) is the number of vectors e in Fn3 such that eV = xV and such that m1 (e) = z (this last number

38

T. Debris-Alazard et al.

only depends on xV through its weight y). Equation (7) is here a consequence of the weightwise uniformity of DecodeV(·) on one hand and the m1 -uniformity of DecodeU(·) on the other hand. We conclude by noticing that P =

unif P(m1 (eunif ) = z | |eunif V | = y) P(|eV | = y) n(y, z) n(y)

(8)

= P(eunif = xU | eunif = xV )P(eunif = xV ) = P(eunif = x) U V V Equation (8) follows from the assumptions on the distribution of |eV | and of the   conditional distribution of m1 (e) for a given weight |eV |. This shows that in order to reach a uniformly distribution for e over Sw it is enough to perform a rejection sampling based on the weight |eV | for DecodeV(·) and based on the pair (|eV |, m1 (e)) for DecodeU(·). In other words, our decoding algorithm with rejection sampling will use a rejection vector rV indexed by the weights of eV for DecodeV(·) and a two-dimensional rejection vector rU indexed by (|eV |, m1 (e)) for DecodeU(·). This is described in Algorithm 3. Algorithm 3. DecodeUV(HV , HU , ϕ, s) 1: 2: 3: 4: 5: 6: 7: 8:

repeat eV ← DecodeV(HV , sV ) until rand([0, 1]) ≤ rV (|eV |) repeat eU ← DecodeU(HU , ϕ, sU , eV ) e ← ϕ(eU , eV ) until rand([0, 1]) ≤ rU (|eV |, m1 (e)) return e

Standard results on rejection sampling yield the following proposition: Proposition 4. For any i, t ∈ 0, n/2 and s ∈ 0, t, let

  q1 (i) = P (|eV | = i) ; q1unif (i) = P |eunif V |=i

(9)

  q2 (s, t) = P (m1 (e) = s | |eV | = t) ; q2unif (s, t) = P m1 (eunif ) = s | |eunif V |=t (10) unif (i) 1 q2unif (s, t)  1 q1  and rU (s, t) = rs with rV (i) = rs MV q1 (i) MU (t) q2 (s, t) 

q1unif (i) 0≤i≤n/2 q1 (i)

MVrs = max

and



q2unif (s, t) 0≤s≤t q2 (s, t)

MUrs (t) = max

Then if DecodeV(·) is weightwise uniform and DecodeU(·) is m1 -uniform, the output e of Algorithm 3 satisfies e ∼ eunif .

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

5.2

39

Application to the Prange Decoder

To instantiate rejection sampling, we have to provide here (i) how DecodeV(·) and DecodeU(·) are instantiated and (ii) how q1unif , q2unif , q1 and q2 are computed. Let us begin by the following proposition which gives q1unif and q2unif . Proposition 5. Let n be an even integer, w ≤ n, i, t ≤ n/2 and s ≤ t be integers. We have, q1unif (i)

n/2

= n i w/2 w 2

i  p=0 w+p≡0 mod 2

t n/2−t

q2unif (s, t)

   i n/2 − i 23p/2 p (w + p)/2 − i

3s

22 =  t n/2−t 3p if w + s ≡ 0 2 p w+p −t 2 s

p

(11)

w+s 2 −t

mod 2

and

0 else

(12)

2

Algorithm 4 . DecodeV(HV , sV ) the Decoder outputting an eV such that eV HV = sV . 1: J , I ← FreeSet(HV ) 2:  ← DV

n/2 3: xV ← x ∈ F3 | |xJ | = , Supp(x) ⊆ I 4: eV ← PrangeStep(HV , sV , I, xV ) 5: return eV function FreeSet(H)

 (xV )I \J is random

(n−k)×n

Require: H ∈ F3 Ensure: I an information set of H⊥ and J ⊂ I of size k − d 1: repeat 2: J ← 1, n of size k − d 3: until rank HJ = n − k 4: repeat 5: J  ← 1, n\J of size d 6: I ← J J 7: until I is an information set of H⊥ 8: return J , I

Algorithms DecodeV(·), DecodeU(·) are described in Algorithms 4 and 5. These two algorithms both use the Prange decoder in the same way as we did with the procedure described in Sect. 4.3 to reach large weights, except that here t ’s. These distributions we introduced some internal distributions DV and the DU are here to tweak the weight distributions of DecodeV(·) and DecodeU(·) in order to reduce the rejection rate. We have:

40

T. Debris-Alazard et al.

Algorithm 5. DecodeU(HU , ϕ, sU , eV ) the U-Decoder outputting an eU such that eU HU = sU and |ϕ(eU , eV )| = w. 1: t ← |eV | t 2: k=0 ← DU



  3: k0 ← kU − k=0  kU = kU − d 4: repeat 5: J , I ← FreeSetW(HU , eV , k=0 ) n/2 6: xU ← {x ∈ F3 | ∀j ∈ J , x(j) ∈ / {− abii eV (i), − dcii eV (i)} and Supp(x) ⊆ I} U 7: eU ← PrangeStep(HU , s , I, xU ) 8: until |ϕ(eU , eV )| = w 9: return eU function FreeSetW(H, x, k=0 ) (n−k)×n

Require: H ∈ Fq , x ∈ Fn q and k=0 ∈ 0, k. Ensure: J and I an information set of H⊥ such that |{i ∈ J : xi = 0}| = k=0 and J ⊂ I of size k − d. 1: repeat 2: J1 ← Supp(x) of size k=0 3: J2 ← 1, n\Supp(x) of size k − d − k=0 . 4: J ← J1 J2 5: until rank HJ = n − k 6: repeat 7: J  ← 1, n\J of size d 8: I ← J J 9: until I is an information set of H⊥ 10: return J , I

Proposition 6. Let n be an even integer, w ≤ n, i, t, kU ≤ n/2 and s ≤ t be 



 = kU − d. Let XV (resp. XUt ) integers. Let d be an integer, kV = kV − d and kU t ). We have, be a random variable distributed according to DV (resp. DU

q1 (i) =

i  t=0

⎧ ⎪  ⎪ ⎪ ⎨ q2 (s, t) =

⎪ ⎪ ⎪ ⎩

n/2−k

V 2i−t i−t P(XV  3n/2−kV

t−k=0 n/2−t−k0

= t)

(13)

3s

22 t  t−k=0 n/2−t−k0 3p P(XU = k =0 ) if w − s even. 2 2 w+p k=0 ∈K p −t−k s

p

w+s 2 −t−k0

2

0

0

(14)

else 

  with K = {k =0 | t + kU − n/2 ≤ k =0 ≤ t} and k0 = kU − k =0

A parameter d is introduced in Proposition 6 and in Algorithms 4 and 5. When d is large enough ρ(e, eunif ) will be typically very small as shown by

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

41

Theorem 1. Let e be the output of Algorithm 3 based on Algorithms 4,5 where and eunif be a uniformly the entry s is chosen uniformly at random in Fn−k 3 distributed error of weight w. We have   PHU ,HV ρ(e, eunif ) > 3−d/2 ≤ 3−d/2 . A much stronger result showing that ρ(e, eunif ) is typically smaller than n2 3−d will be given in the full paper [18]. It will be helpful to consider now the following definition. Definition 4 (Bad and Good Subsets). Let d ≤ k ≤ n be integers and (n−k)×n H ∈ F3 . A subset E ⊆ 1, n of size k − d is defined as a good set for H if HE is of full rank where E denotes the complementary of E. Otherwise, E is defined as a bad set for H. The proof of this theorem relies on introducing a variant of the decoder based on variants of the U and V decoders VarDecodeV(·) and VarDecodeU(·) of algorithms DecodeV(·) and DecodeU(·) respectively that work as DecodeV(·) and DecodeU(·) when J is a good set and depart from it when J is a bad set. In the later case, the Prange decoder is not used anymore and an error is output that simulates what the Prange decoder would do with the exception that there is no guarantee that the error eV that is output by VarDecodeV(·) satisfies eV HV = sV or that the eU that is output by VarDecodeU(·) satisfies eU HU = sU . The eV and eU that are output are chosen on the positions of J as DecodeV() and DecodeU() as would have done it, but the rest of the positions are chosen uniformly at random in F3 . It is clear that in this case Fact 2. VarDecodeV(·) is weightwise uniform and VarDecodeU(·) is m1 -uniform. The point of considering VarDecodeV(·) and VarDecodeU(·) is that they are very good approximations of DecodeV(·) and DecodeU(·) that meet the uniformity conditions that ensure by using Lemma 1 that the output of Algorithm 3 using VarDecodeV(·) and VarDecodeU(·) instead of DecodeV(·) and DecodeU(·) produces an error e that is uniformly distributed over the words of weight w. The outputs of VarDecodeV(·) and VarDecodeU(·) only differ from the output of DecodeV(·) and DecodeU(·) when a bad set J is encountered. These considerations can be used to prove the following proposition. Proposition 7. Algorithm 3 based on VarDecodeV(·) and VarDecodeU(·) produces uniformly distributed errors eunif of weight w. Let e be the output of Algorithm 3 with the use of DecodeV(·) and DecodeU(·). Let J unif be uniformly distributed over the subsets of 1, n/2 of size kV − d whereas J HV is be uniformly distributed over the same subsets that are good for HV . Let Ixunif V , uniformly distributed over the subsets of 1, n/2 of size kU − d such that their

42

T. Debris-Alazard et al.

intersection with xV is of size whereas IxHVU, is the uniform distribution over the same subsets that are good for HU . We have:



ρ e; eunif ≤ ρ J HV ; J unif   

P (k =0 = | eV = xV ) P eunif ρ IxHVU, ; Ixunif = xV + V V , xV ,

Proof. The first statement about the output of Algorithm 3 is a direct consequence of Fact 2 and Lemma 1. The proof of the rest of the proposition relies on the following proposition [30, Proposition 8.10]: Proposition 8. Let X,Y be two random variables over a common set A. For any randomized function f with domain A using internal coins independent from X and Y , we have: ρ (f (X); f (Y )) ≤ ρ (X; Y ) . n/2

Let us define for xV ∈ F3

n/2

and xU ∈ F3 , 

p(xV ) = P (eV = xV )

 q(xV ) = P eunif = xV V 

p(xU |xV ) = P (eU = xU | eV = xV )

 q(xU |xV ) = P eunif = xU | eunif = xV U V We have,



unif ρ e; eunif = ρ eU , eV ; eunif U , eV  |p(xV )p(xU |xV ) − q(xV )q(xU |xV )| = xV ,xU

=



|(p(xV ) − q(xV ))p(xU |xV ) + (p(xU |xV ) − q(xU |xV ))q(xV )|

xV ,xU





|(p(xV ) − q(xV ))p(xU |xV )| + |(p(xU |xV ) − q(xU |xV )q(xV )|

xV ,xU

=



|(p(xV ) − q(xV ))| +

xV



|p(xU |xV ) − q(xU |xV )| q(xV )

(15)

xV ,xU

 where in the last line we used that xU |p(xU |xV )| = 1 for any xV . Thanks to Proposition 8: 

(16) |p(xV ) − q(xV )| ≤ ρ J HV ; J unif xV

as the internal distribution DV of DecodeV(·) is independent of J HV and J unif . Let us upper-bound the second term of the inequality. The distribution of k =0 is only function of the weight of the vector given as input to DecodeU(·) or VarDecodeU(·). Therefore,

(17) = xV P (k =0 = | eV = xV ) = P k =0 = | eunif V

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

43



From (17), using the notation p(xU |xV , ) = P(eU = xU | k =0 = , eV = xV ) 

and q(xU |xV , ) = P(eunif = xU | k =0 = , eunif = xV ), we obtain U V  p(xU |xV ) − q(xU |xV ) = (p(xU |xV , ) − q(xU |xV , )) P (k =0 = | eV = xV ) 

(18) The internal coins of DecodeU(·) and VarDecodeU(·) are independent of IxHVU, and Ixunif and by using Proposition 8 we have for any xV and : V , 

  |p(xU |xV , ) − q(xU |xV , )| ≤ ρ IxHVU, ; Ixunif V ,

(19)

xU

Combining Equations (15), (16), (18) and(19) concludes    the proof.

H HU unif unif V and ρ IxV , ; IxV , are upperbounded by The expectations of ρ J ; J Lemma 2. We have

#{subsets of 1, n/2 of size k − d bad for H} ρ J HV ; J unif = (20) n/2



ρ IxHVU, ; Ixunif V ,



k−d

Nx, = |x| n/2−|x|

 −d



 3 E ρ J HV ; J unif ≤

2

(21)

k−d−

   3−d ≤ |x| n/2−|x| , E ρ IxHVU, ; Ixunif V , 2  k−d−

(22) (23)

where Nx, is the number of subsets of 1, n/2 of size k − d such that their intersection with Supp(x) is of size and that are bad for H. Proof. (20) and (21) follow from the fact that the statistical distance between the uniform distribution over 1, s and the uniform distribution over 1, t (with t ≥ n/2

s) is equal to t−s t . Let us index from 1 to k−d the subsets of size k−d of 1, n/2 and let Xi be the indicator of the event “the subset of index i is bad”. We have n/2 (k−d ) Xi . For integers d < m we have (see [18, Lemma 6]) P(rank M < N = i=1 (m−d)×m 1 m − d) ≤ 2·3 . This implies d when M is chosen uniformly at random in F3  n/2

   (k−d) P(Xi =1) 1 N P(Xi = 1) ≤ 2·3 = E ρ J HV ; J unif = ≤ d and E n/2 n/2 i=1 (k−d ) (k−d ) 1 . This proves (22). (23) follows from similar arguments.   2·3d

44

T. Debris-Alazard et al.

Proof (of Theorem 1). By using Markov’s inequality we have, by Proposition 7 and Lemma 2     P ρ(e, eunif ) > 3−d/2 ≤ 3d/2 E ρ(e, eunif ) 

  HU unif  d/2 ρ IxV , ; IxV , P (k =0 = | eV = xV ) ≤ 3 E ρ J HV ; J unif +

P eunif = xV V





xV ,

≤ 3d/2

⎧ ⎨ 3−d ⎩ 2

+



⎫ ⎬

−d

3 |x| n/2−|x| ≤ 3−d/2 . ⎭ k−d− xV , 2   

6

Achieving Uniform Domain Sampling

Hpk denotes the public parity-check matrix of a normalized generalized (U, U + V )-code as described in Sect. 3.2. The random structure of Hpk makes the syndromes associated to Hpk indistinguishable in a very strong sense from random syndromes as the following proposition shows. This achieves the Domain Sampling property of Definition 1. The following definition will be useful. Definition 5 (number of V blocks of type I). In a normalized generalized (U, U + V ) code of length n associated to (a, b, c, d), the number of V blocks of 

type I, which we denote by nI , is defined as: nI = |{1 ≤ i ≤ n/2 : bi di = 0}| . H Proposition 9. Let Dw be the distribution of eH when e is drawn uniformly . We have at random among Sw and let U be the uniform distribution over Fn−k 3

  1√ H EHpk ρ(Dw pk , U) ≤ ε 2

n 2 −kV

n



j 

with,

2 n 3 j 2  p=0:p≡w (mod 2) 3n−k ε = w n + n 2 2 w 2w+j w j=0 ⎛ nI n−nI 2 ⎞ nI  n j w−j ⎠. + 3 2 −kU ⎝ n 2 j j=0 w 2

j p

n 2 −j w+p 2 −j

2



2

3p 2

This bound decays exponentially in n in a certain regime of parameters: 









nI Proposition 10. Let RU = 2knU , RV = 2knV , R = nk , ω = w n , ν = n , then under the same assumptions as in Proposition 9, we have as n tends to infinity   H EHpk ρ(Dw pk , U) ≤ 2(α+o(1))n

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

45



where α = 12 min ((1 − R) log2 (3) − ω − h2 (ω), α1 , α2 ) and 

α1 =

  1 1 h2 (x) 3 (1 − RV ) log2 3 − ω − 2h2 (ω) + + x h2 (y) + y − 2 2 2 (x,y)∈R 2   ω − x(1 − y) +(1 − x)h2 1−x min



R = {(x, y) ∈ [0, 1) × [0, 1] : 0 ≤ ω − x(1 − y) ≤ 1 − x} x 1  (1 − RU ) log2 3 − 2h2 (ω) + νh2 min α2 = ν max(0,ω+ν−1)≤x≤min(ν,ω) 2   ω−x +2(1 − ν)h2 − x. 1−ν Remark 4. For the set of parameters suggested in [18], we have ε ≈ 2−354 and α ≈ −0.02135. Note that the upper-bound of Proposition 9 is by no means   2 I nI (njI )(n−n n w−j ) −k U sharp, this comes from the 3 2 term which is a very 2 j=0 (wn ) 2j crude upper-bound which is given here to avoid more complicated terms. It is straightforward to come up with a much sharper bound by improving this part of the upper-bound. The proof of this proposition relies among other things on a variation of the left-over hash lemma [5] that is adapted to our case: here the hash function to which we apply the left-over hash lemma is defined as H(e) = eHpk . H does not form a universal family of hash functions (essentially because the distribution of (n−k)×n the Hpk ’s is not the uniform distribution over F3 ). Lemma 3. Consider a finite family H = (hi )i∈I of functions from a finite set E to a finite set F . Denote by ε the bias of the collision probability, i.e. the quantity such that 1 (1 + ε) Ph,e,e (h(e) = h(e )) = |F | where h is drawn uniformly at random in H, e and e are drawn uniformly at random in E. Let U be the uniform distribution over F and D(h) be the distribution of the outputs h(e) when e is chosen uniformly at random in E. We have 1√ ε. Eh {ρ(D(h), U)} ≤ 2 To use this lemma we observe that Lemma 4. Assume that x and y are random vectors of Sw that are drawn uniformly atrandom in thisset. We have 1 (1 + ε) with ε given in Proposition 9. PHpk ,x,y xHpk = yHpk ≤ 3n−k

46

T. Debris-Alazard et al.

Proof. By Proposition 3, the probability we want to compute for is given by P ((xU − yU )HU = 0 and (xV − yV )HV = 0) where the probability is taken over HU , HV , x, y. To compute this, we use a standard result [18, Lemma 6] that gives

1  P yH = s = r , (24) 3 when y is a non-zero vector of Fn3 , s an arbitrary element in Fr3 and when H is . We distinguish between the events: chosen uniformly at random in Fr×n 3 

E2 ={xU = yU and xV = yV }



E4 ={xU = yU and xV = yV }

E1 ={xU = yU and xV = yV }; E3 ={xU = yU and xV = yV };

 

Under these events we get thanks to (24) and k = kU + kV :  

PHsk ,x,y xHsk = yHsk =

4 



  PHsk xHsk = yHsk |Ei Px,y (Ei )

i=1

Px,y (E1 ) Px,y (E2 ) Px,y (E3 ) + n/2−k + + Px,y (E4 ) U 3n−k 3n/2−kV 3   1 ≤ n−k 1 + 3n/2−kU P (E1 ) + 3n/2−kV P (E2 ) + 3n−k P(E4 ) , 3 =

where we used for the last inequality the trivial upper-bound P (E3 ) ≤ 1. Let us now upper-bound (or compute) the probabilities of the events E1 , E2 and E4 . For E4 , recall that from the definition of normalized generalized (U, U + V )-codes Px,y (E4 ) = P(x = y) = 2w1 n . For E2 we observe that P (E2 ) ≤ P (xV = yV ). To (w ) upper-bound this probability, we first observe that for any error e ∈ Sj,n/2 P(xV = e) = P (xV = e | |xV | = j) P(|xV | = j) =

1 q1 (j)

2j n/2 j

where q1unif (j) denotes P(|eunif V | = j) and is computed in Proposition 5. From this we deduce that P(xV = yV ) =

n/2 



Px (xV = e) = 2

j=0 e∈Fn/2 :|e|=j 3

which gives: P (E2 ) ≤

n/2 unif  q1 (j)2 . j n/2 j=0 2 j

n/2 

1 q1unif (j)2

j n/2 j=0 2 j

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

47

The upper-bound on E1 is obtained in a similar way by using first that P(E1 ) ≤ P(xU = yU ) and then the following bound P(xU = yU ) ≤

 nI   nI j=0

j

2−j

 n−nI 2 w−j n

w

proven in [18, §C.2].

7

.  

Concluding Remarks and Further Work

We have presented Wave the first code-based “hash-and-sign” signature scheme which follows the GPV strategy [28]. It allows to reduce the security of our scheme to only two assumptions from coding theory. Both of those assumptions relate closely to hard decoding problems. In the full paper [18], we provide a precise quantification of the security of the scheme and provide parameters for it. Note that the GPV strategy provides a very high level of security, but because of the multiple constraints it imposes, very few schemes managed to comply to it. For instance, only one such scheme based on hard lattice problems [24] was proposed to the recent NIST standardization effort. The main purpose of our work was to propose this new scheme and assess its security. Still, it has a few issues and extensions that are of interest. The Far Away Decoding Problem. The message security of Wave relates to the hardness of finding a codeword far from a given word. A recent work [12] adapts the best ISD techniques for low weight [8,38] and goes even further with a higher order generalized birthday algorithm [47]. Interestingly enough, in the non-binary case, this work gives a worst case exponent for the far away codeword that is significantly larger than the close codeword worst case exponent. This suggest that one could design code-based primitives with better parameters by considering the far away codeword problem rather than the usual close codeword problem. Distinguishability. Deciding whether a matrix is a parity check matrix of a generalized (U, U + V )-code is also a new problem. As shown in [17] it is hard in the worst case since the problem is NP-complete. In the binary case, (U, U +V ) codes have a large hull dimension for some set of parameters which are precisely those used in [17]. In the ternary case the normalized generalized (U, U + V )-codes do not suffer from this flaw. The freedom of the choice on vectors a, b, c and d is very likely to make the distinguishing problem much harder for generalized (U, U + V )-codes than for plain (U, U + V )-codes. Coming up with non-metric based distinguishers in the generalized case seems a tantalizing problem here. On the Tightness of the Security Reduction. It could be argued that one of the reasons of why we have a tight security-reduction comes from the fact that we reduce to the multiple instances version of the decoding problem, namely DOOM, instead of the decoding problem itself. This is true to some extent,

48

T. Debris-Alazard et al.

however this problem is as natural as the decoding problem itself. It has already been studied in some depth [44] and the decoding techniques for linear codes have a natural extension to DOOM as noticed in [44]. We also note that with our approach, where a message has many possible signatures, we avoid the tightness impossibility results given in [3] for instance. Rejection Sampling. Rejection sampling in our algorithm is relatively unobtrusive: a rejection every few signatures with a crude tuning of the decoder. We believe that it can be further improved. Our decoding has two steps. Each step is parametrized by a weight distribution which conditions the output weight distribution. We believe that we can tune those distributions to reduce the probability of rejection to an arbitrarily small value and thus to avoid the rejection phase. Improving Parameters. In order to predict accurately enough the output distribution of the signature algorithm, we had to restrict the decoders by excluding d positions from the information sets. Our result almost certainly applies when d = 0. By either proving it or stating it as a conjecture we may reduce the block size by more than 10%. Instantiation. The scheme is instantiated in [18, §5,§8]. For 128 bits of security, a signature takes 13 kilobits and a public key 3 megabytes. The rejection rate is under 10%. An implementation is also available at http://wave.inria.fr. Acknowledgements. We wish to thank the anonymous reviewers. In particular, our warmest gratitude goes to the last of them whose work went much beyond what can be found in a standard review. This includes the link clarifying our definition of “preimage sampleable on average” with the GPV definition [28] given in Sect. 3.1, a reorganization of the paper focusing on the main theoretical contribution, and simplifications and/or clarifications that all helped a great deal to improve this paper. We are also indebted to Andr´e Chailloux, L´eo Ducas and Thomas Prest for their early interest, insightful suggestions, and unwavering support.

References 1. Alkim, E., et al.: Revisiting TESLA in the quantum random oracle model. In: Lange, T., Takagi, T. (eds.) PQCrypto 2017. LNCS, vol. 10346, pp. 143–162. Springer, Cham (2017). https://doi.org/10.1007/978-3-319-59879-6 9 2. Aragon, N., Blazy, O., Gaborit, P., Hauteville, A., Z´emor, G.: Durandal: a rank metric based signature scheme. IACR Cryptology ePrint Archive (2018), Report 2018/1192, December 2018 3. Bader, C., Jager, T., Li, Y., Sch¨ age, S.: On the impossibility of tight cryptographic reductions. In: Fischlin, M., Coron, J.-S. (eds.) EUROCRYPT 2016. LNCS, vol. 9666, pp. 273–304. Springer, Heidelberg (2016). https://doi.org/10.1007/978-3662-49896-5 10 4. Baldi, M., Bianchi, M., Chiaraluce, F., Rosenthal, J., Schipani, D.: Using LDGM codes and sparse syndromes to achieve digital signatures. In: Gaborit, P. (ed.) PQCrypto 2013. LNCS, vol. 7932, pp. 1–15. Springer, Heidelberg (2013). https:// doi.org/10.1007/978-3-642-38616-9 1

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

49

5. Barak, B., et al.: Leftover hash lemma, revisited. In: Rogaway, P. (ed.) CRYPTO 2011. LNCS, vol. 6841, pp. 1–20. Springer, Heidelberg (2011). https://doi.org/10. 1007/978-3-642-22792-9 1 6. Barg, A.: Complexity issues in coding theory. Electronic Colloquium on Computational Complexity, October 1997. https://eccc.weizmann.ac.il/eccc-reports/1997/ TR97-046/Paper.pdf 7. Barreto, P.S., Misoczki, R., Simplicio, M.A.J.: One-time signature scheme from syndrome decoding over generic error-correcting codes. J. Syst. Softw. 84(2), 198– 204 (2011) 8. Becker, A., Joux, A., May, A., Meurer, A.: Decoding random binary linear codes in 2n/20 : How 1 + 1 = 0 improves information set decoding. In: Pointcheval, D., Johansson, T. (eds.) EUROCRYPT 2012. LNCS, vol. 7237, pp. 520–536. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-29011-4 31 9. Bellare, M., Rogaway, P.: The exact security of digital signatures-how to sign with RSA and Rabin. In: Maurer, U. (ed.) EUROCRYPT 1996. LNCS, vol. 1070, pp. 399–416. Springer, Heidelberg (1996). https://doi.org/10.1007/3-540-68339-9 34 10. Bernstein, D.J., Chou, T., Schwabe, P.: McBits: fast constant-time code-based cryptography. In: Bertoni, G., Coron, J.-S. (eds.) CHES 2013. LNCS, vol. 8086, pp. 250–272. Springer, Heidelberg (2013). https://doi.org/10.1007/978-3-642-403491 15 11. Both, L., May, A.: Decoding linear codes with high error rate and its impact for LPN security. In: Lange, T., Steinwandt, R. (eds.) PQCrypto 2018. LNCS, vol. 10786, pp. 25–46. Springer, Cham (2018). https://doi.org/10.1007/978-3-31979063-3 2 12. Bricout, R., Chailloux, A., Debris-Alazard, T., Lequesne, M.: Ternary syndrome decoding with large weights. preprint, arXiv:1903.07464, February 2019. To appear in the proceedings of SAC 2019 13. Cayrel, P.-L., Otmani, A., Vergnaud, D.: On Kabatianskii-Krouk-Smeets signatures. In: Carlet, C., Sunar, B. (eds.) WAIFI 2007. LNCS, vol. 4547, pp. 237–251. Springer, Heidelberg (2007). https://doi.org/10.1007/978-3-540-73074-3 18 14. Coron, J.-S.: Optimal security proofs for PSS and other signature schemes. In: Knudsen, L.R. (ed.) EUROCRYPT 2002. LNCS, vol. 2332, pp. 272–287. Springer, Heidelberg (2002). https://doi.org/10.1007/3-540-46035-7 18 15. Courtois, N.T., Finiasz, M., Sendrier, N.: How to achieve a McEliece-based digital signature scheme. In: Boyd, C. (ed.) ASIACRYPT 2001. LNCS, vol. 2248, pp. 157–174. Springer, Heidelberg (2001). https://doi.org/10.1007/3-540-45682-1 10 16. Debris-Alazard, T., Sendrier, N., Tillich, J.P.: A new signature scheme based on (U |U + V ) codes. preprint, arXiv:1706.08065v1, June 2017 17. Debris-Alazard, T., Sendrier, N., Tillich, J.P.: The problem with the surf scheme. preprint, arXiv:1706.08065, November 2017 18. Debris-Alazard, T., Sendrier, N., Tillich, J.P.: Wave: A new family of trapdoor oneway preimage sampleable functions based on codes. Cryptology ePrint Archive, Report 2018/996, May 2019. Full version of the current paper. All statement and section numbers quoted in this paper refer specifically to the May 2019 version 19. Debris-Alazard, T., Tillich, J.P.: Statistical decoding. preprint, arXiv:1701.07416, January 2017 20. Debris-Alazard, T., Tillich, J.-P.: Two attacks on rank metric code-based schemes: ranksign and an IBE scheme. In: Peyrin, T., Galbraith, S. (eds.) ASIACRYPT 2018. LNCS, vol. 11272, pp. 62–92. Springer, Cham (2018). https://doi.org/10. 1007/978-3-030-03326-2 3

50

T. Debris-Alazard et al.

21. Dumer, I.: On minimum distance decoding of linear codes. In: Proceedings of 5th Joint Soviet-Swedish International Workshop Information Theory, pp. 50–52. Moscow (1991) 22. Faug`ere, J.C., Gauthier, V., Otmani, A., Perret, L., Tillich, J.P.: A distinguisher for high rate McEliece cryptosystems. In: Proceedings of IEEE Information Theory Workshop- ITW 2011, pp. 282–286. Paraty, Brasil, October 2011 23. Finiasz, M.: Parallel-CFS- strengthening the CFS McEliece-based signature scheme. In: Biryukov, A., Gong, G., Stinson, D.R. (eds.) SAC 2010. LNCS, vol. 6544, pp. 159–170. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3642-19574-7 11 24. Fouque, P.A., et al.: Falcon: fast-fourier lattice-based compact signatures over NTRU 25. Fukushima, K., Roy, P.S., Xu, R., Kiyomoto, S., Morozov, K., Takagi, T.: RaCoSS (random code-based signature scheme). first round submission to the NIST postquantum cryptography call, November 2017 26. Gaborit, P., Ruatta, O., Schrek, J., Z´emor, G.: New results for rank-based cryptography. In: Pointcheval, D., Vergnaud, D. (eds.) AFRICACRYPT 2014. LNCS, vol. 8469, pp. 1–12. Springer, Cham (2014). https://doi.org/10.1007/978-3-319-0673461 27. Gaborit, P., Schrek, J.: Efficient code-based one-time signature from automorphism groups with syndrome compatibility. In: Proceedings IEEE International Symposium Information Theory - ISIT 2012, pp. 1982–1986. Cambridge, MA, USA, July 2012 28. Gentry, C., Peikert, C., Vaikuntanathan, V.: Trapdoors for hard lattices and new cryptographic constructions. In: Proceedings of the Fortieth Annual ACM Symposium on Theory of Computing, pp. 197–206. ACM (2008) 29. Gligoroski, D., Samardjiska, S., Jacobsen, H., Bezzateev, S.: McEliece in the world of Escher. IACR Cryptology ePrint Archive, Report 2014/360 (2014) 30. Goldwasser, S., Micciancio, D.: Complexity of lattice problems: a cryptographic perspective. In: Kluwer International Series in Engineering and Computer Science, vol. 671. Kluwer Academic Publishers, Dordrecht, March 2002 31. Huelsing, A., Bernstein, D.J., Panny, L., Lange, T.: Official NIST comments made for RaCoSS, official NIST comments made for RaCoSS (2018) 32. Johansson, T., J¨ onsson, F.: On the complexity of some cryptographic problems based on the general decoding problem. IEEE Trans. Inform. Theory 48(10), 2669– 2678 (2002) 33. Kabatianskii, G., Krouk, E., Semenov, S.: Error Correcting Coding and Security for Data Networks: Analysis of the Superchannel Concept. Wiley, Hoboken (2005) 34. Kabatianskii, G., Krouk, E., Smeets, B.: A digital signature scheme based on random error-correcting codes. In: Darnell, M. (ed.) Cryptography and Coding 1997. LNCS, vol. 1355, pp. 161–167. Springer, Heidelberg (1997). https://doi.org/10. 1007/BFb0024461 35. Landais, G., Sendrier, N.: Implementing CFS. In: Galbraith, S., Nandi, M. (eds.) INDOCRYPT 2012. LNCS, vol. 7668, pp. 474–488. Springer, Heidelberg (2012). https://doi.org/10.1007/978-3-642-34931-7 27 36. Lee, W., Kim, Y.S., Lee, Y.W., No, J.S.: Post quantum signature scheme based on modified Reed-Muller code pqsigRM. first round submission to the NIST postquantum cryptography call, November 2017 37. Lyubashevsky, V.: Fiat-shamir with aborts: applications to lattice and factoringbased signatures. In: Matsui, M. (ed.) ASIACRYPT 2009. LNCS, vol. 5912, pp.

Wave: A New Family of Trapdoor One-Way PSF Based on Codes

38.

39.

40.

41.

42.

43. 44.

45.

46.

47.

51

598–616. Springer, Heidelberg (2009). https://doi.org/10.1007/978-3-642-103667 35 ˜ 0.054n ). May, A., Meurer, A., Thomae, E.: Decoding random linear codes in O(2 In: Lee, D.H., Wang, X. (eds.) ASIACRYPT 2011. LNCS, vol. 7073, pp. 107–124. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25385-0 6 May, A., Ozerov, I.: On computing nearest neighbors with applications to decoding of binary linear codes. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 203–228. Springer, Heidelberg (2015). https://doi.org/10. 1007/978-3-662-46800-5 9 Moody, D., Perlner, R.: Vulnerabilities of McEliece in the world of Escher. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 104–117. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8 8 Otmani, A., Tillich, J.-P.: An efficient attack on all concrete KKS proposals. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 98–116. Springer, Heidelberg (2011). https://doi.org/10.1007/978-3-642-25405-5 7 Phesso, A., Tillich, J.-P.: An efficient attack on a code-based signature scheme. In: Takagi, T. (ed.) PQCrypto 2016. LNCS, vol. 9606, pp. 86–103. Springer, Cham (2016). https://doi.org/10.1007/978-3-319-29360-8 7 Prange, E.: The use of information sets in decoding cyclic codes. IRE Trans. Inf. Theory 8(5), 5–9 (1962) Sendrier, N.: Decoding one out of many. In: Yang, B.-Y. (ed.) PQCrypto 2011. LNCS, vol. 7071, pp. 51–67. Springer, Heidelberg (2011). https://doi.org/10.1007/ 978-3-642-25405-5 4 Stern, J.: A method for finding codewords of small weight. In: Cohen, G., Wolfmann, J. (eds.) Coding Theory 1988. LNCS, vol. 388, pp. 106–113. Springer, Heidelberg (1989). https://doi.org/10.1007/BFb0019850 Stern, J.: A new identification scheme based on syndrome decoding. In: Stinson, D.R. (ed.) CRYPTO 1993. LNCS, vol. 773, pp. 13–21. Springer, Heidelberg (1994). https://doi.org/10.1007/3-540-48329-2 2 Wagner, D.: A generalized birthday problem. In: Yung, M. (ed.) CRYPTO 2002. LNCS, vol. 2442, pp. 288–304. Springer, Heidelberg (2002). https://doi.org/10. 1007/3-540-45708-9 19

Lattices (1)

Middle-Product Learning with Rounding Problem and Its Applications Shi Bai1(B) , Katharina Boudgoust2(B) , Dipayan Das3(B) , Adeline Roux-Langlois2(B) , Weiqiang Wen2(B) , and Zhenfei Zhang4(B) 1

3

Department of Mathematical Sciences, Florida Atlantic University, Boca Raton, USA [email protected] 2 Univ Rennes, CNRS, IRISA, Rennes, France Department of Mathematics, National Institute of Technology, Durgapur, India 4 Algorand, Boston, USA

Abstract. At CRYPTO 2017, Roşca et al. introduce a new variant of the Learning With Errors (LWE) problem, called the Middle-Product LWE (MP-LWE). The hardness of this new assumption is based on the hardness of the Polynomial LWE (P-LWE) problem parameterized by a set of polynomials, making it more secure against the possible weakness of a single defining polynomial. As a cryptographic application, they also provide an encryption scheme based on the MP-LWE problem. In this paper, we propose a deterministic variant of their encryption scheme, which does not need Gaussian sampling and is thus simpler than the original one. Still, it has the same quasi-optimal asymptotic key and ciphertext sizes. The main ingredient for this purpose is the Learning With Rounding (LWR) problem which has already been used to derandomize LWE type encryption. The hardness of our scheme is based on a new assumption called Middle-Product Computational Learning With Rounding, an adaption of the computational LWR problem over rings, introduced by Chen et al. at ASIACRYPT 2018. We prove that this new assumption is as hard as the decisional version of MP-LWE and thus benefits from worst-case to average-case hardness guarantees.

Keywords: LWE

1

· LWR · Middle-Product · Public key encryption

Introduction

Lattice-based cryptosystems attracted considerable research interest in recent years due to their versatility, assumed quantum-resilience and efficiency. The Learning With Errors problem, introduced by Regev [Reg05] in his pioneering work, serves as a fundamental computational problem in lattice-based cryptography. Informally, the LWE problem asks for the solution of a system of noisy linear modular equations: Given positive integers n and q, an LWE sample consists of (a, b = a, s + e mod q) for a fixed vector s ∈ Zn , where a is sampled c International Association for Cryptologic Research 2019  S. D. Galbraith and S. Moriai (Eds.): ASIACRYPT 2019, LNCS 11921, pp. 55–81, 2019. https://doi.org/10.1007/978-3-030-34578-5_3

56

S. Bai et al.

from the uniform distribution over Znq and e is sampled from a probability distribution χ over R. The LWE problem exists in two versions: The search version asks to recover the secret s given arbitrarily many LWE samples; The decision version asks to distinguish between LWE samples and samples drawn from the uniform distribution over Znq × R. As an very attractive property for cryptography, LWE enjoys worst-case to average-case reductions [Reg05,Reg09,Pei09,BLP+13] from well-studied problems such as finding a set of short independent vectors (SIVP) or the decisional variant of finding short vectors (GapSVP) in Euclidean lattices. A standard conjecture is to assume that there is no polynomial-time algorithm that solves these problems (and their mildly approximated versions), even on quantum computers. Thus, any solver of the average-case problems can be transformed into a solver for any instance of the worst-case problem, which is presumed to be difficult. The protocols relying on the hardness of LWE are inherently inefficient due to the size of the public keys which usually contain m elements of Znq , where m is the number of samples which is usually larger than n log(n). To improve the efficiency, structured variants of LWE have been proposed [SSTX09,LPR10,LS15]. One promising variant is the Polynomial Learning With Errors (P-LWE) problem, introduced by Stehlé et al. [SSTX09]. Given a monic irreducible polynomial f ∈ Z[x] and an integer q ≥ 2, a P-LWE sample is given by (a, b = a·s+e mod q) for a fixed polynomial s ∈ Zq [x]/f , where a is sampled from the uniform distribution over Zq [x]/f and e is sampled from a probability distribution χ over R[x]/f . The P-LWE problem also admits worst-case to average-case connections from well-studied lattice problems. Whereas the hardness reductions for LWE start from the lattice problem in the class of general Euclidean lattices, the class has to be restricted to ideal lattices in the case of P-LWE. These ideal lattices correspond to the ideals in the polynomial ring Z[x]/f . Lyubashevsky et al. [LPR10] propose another promising variant, namely the Ring Learning With Errors (R-LWE) problem, where polynomial rings are replaced by the ring of integers of some number fields. In the case of cyclotomic fields, the P-LWE and R-LWE problems coincide up to some parameter losses. As a recent result, Roşca et al. [RSW18] show that P-LWE and R-LWE are equivalent for a larger class of polynomials. In addition, they also investigate other relations between these structured variants. Hedging Against Possible Weak Instances. Gaining in efficiency on the positive side comes with a potential decrease in the security level guarantees on the negative side. There are concrete examples of polynomials f on which the P-LWE becomes computationally easy: for instance when f has a linear factor over Z [CIV16]. Note that this case is excluded by restricting to irreducible polynomials. A review on the known weak instances of P-LWE and R-LWE is given by Peikert [Pei16]. To the best of our knowledge, it is still not fully understood how to choose a good polynomial for instantiating P-LWE. Motivated by the question of how to choose a good polynomial, Lyubashevsky introduces the so-called R