Open Access Published by De Gruyter June 14, 2020

# A signature scheme from the finite field isomorphism problem

• Jeffrey Hoffstein , Joseph H. Silverman , William Whyte and Zhenfei Zhang

## Abstract

In a recent paper the authors and their collaborators proposed a new hard problem, called the finite field isomorphism problem, and they used it to construct a fully homomorphic encryption scheme. In this paper, we investigate how one might build a digital signature scheme from this new problem. Intuitively, the hidden field isomorphism allows us to convert short vectors in the underlying lattice of one field into generic looking vectors in an isomorphic field.

## 1 Introduction

In [3], the authors and their collaborators presented a new hard problem, the Finite Field Isomorphism Problem. We briefly recall the problem here. Let q be a prime, let 𝔽q be the finite field with q elements, and let f(x) ∈ 𝔽q[x] and F(y) ∈ 𝔽q[y] be irreducible monic polynomials of degree n. Then

X:=Fq[x]/(f(x))andY:=Fq[y]/(F(y))(1)

are isomorphic fields with qn elements. As usual, we identify elements of 𝕏 and 𝕐 with vectors having integer coordinates between 12qand12q, and we use this identification measure the size of field elements. It is then an experimental observation that, except for trivial cases, the isomorphism 𝕏 → 𝕐 does not respect the Archimedian property of size. Indeed, when f and F are distinct monic irreducible polynomials, it is observed that polynomials within a sphere of small radius in 𝕏 appear to be essentially uniformly distributed in 𝕐, with respect to both the L and the L2 norms.

## Definition 1

Finite Field Isomorphism Problems (FFI): Let k ≥ 1 be an integer, let 𝕏 and 𝕐 be as in(1), letϕbe an isomorphismϕ : 𝕏 𝕐, let 1 ≤ β12qbe a parameter, and let 𝕏[β] denote the set ofa(x) ∈ 𝕏 withL-norm bounded bya∥ ≤ β. Choosea1(x), …, ak(x) uniformly and randomly from 𝕏[β], and letAi = ϕ(ai) for 1 ≤ ikbe the corresponding images in 𝕐.

The Computational FFI problem (CFFI): Given 𝕐 and the list of polynomialsA1(y), …, Ak(y), recoverf(x) and/or one or more ofa1(x), …, ak(x).

The Decisional FFI problem (DFFI): Letϵ > 0. Letb1(x) be randomly chosen in 𝕏[β], letB1(y) = ϕ(b1), and letB2(y) be randomly chosen in 𝕐. Given the data 𝕐, A1(y), …, Ak(y), and given the pair {B1(y), B2(y)} in a random order, identify, with probability greater than 1/2 + ϵ, which element of the pair was constructed usingϕ.

## Remark 1

Under reasonable independence assumptions and for reasonable parameters, the CFFI has a unique solution. Thus for randomly chosen F(y) and A1(y), …, Ak(y), it is an exercise to estimate the probability that there exists an f(x) ∈ 𝕏[β] and a1(x), …, ak(x) ∈ 𝕏[β] and an isomorphism 𝕏 → 𝕐 sending ai to Ai for all 1 ≤ ik. This probability is roughly n−1((2β + 1)k+1/qk)n.

In [3], the authors gave a detailed construction of how to build an isomorphism 𝕏 → 𝕐, described a preliminary analysis of the hardness of the FFI problems, and constructed a new fully homomorphic encryption scheme from the decisional version of the FFI problem. In this paper we explain how to build a signature scheme from the computational version of the FFI problem via the following framework, where we refer the reader to Section 3.3 for the definitions of the lattices Lh and LH.

1. Generate a signature s, which is a a short vector within or close to a lattice Lh related to the hidden field 𝕏.

2. Publish its image S ∈ 𝕐, and demonstrate the validity of the signature by showing a relationship between S and a lattice LH related to the public field 𝕐.

Since we have assumed that the map 𝕏 → 𝕐 behaves like a random mapping, there is a negligible probability that the public lattice LH will have any exceptionally short vectors. Therefore, we can build trapdoors using short vectors in Lh without the necessity of concealing the trapdoor from the attacker. This allows us to use very efficient methods to generate s. As an example, we will show how this can be done using NTRU lattices

Verification is still possible due to the homomorphic property of the map 𝕏 → 𝕐, but various lattice attacks on the public key, e.g., searching for the trapdoor from the lattice, are blunted or eliminated due to the non-linear nature of the isomorphism 𝕏 → 𝕐.

In this paper, we instantiate the above idea using the pqNTRUSign signature scheme [8, 9, 10], a candidate in the NIST PQC competition [17]. We name this new scheme pqFFSign.

We briefly recall that an NTRU lattice L is a built using a ring of the form 𝕏: = ℤ[X]/f(X)ℤ[X], where f(X) = XN ± 1 or some similar polynomial with small coefficients [9]. More precisely, one creates a sublattice of 𝕏 × 𝕏 by choosing small secret polynomials and taking solutions to a congruence modulo a public integer q. The private key is the short lattice vectors coming from the small polynomials, and the public key is a basis consisting of long vectors. The secret short vectors, as usual, can be used to solve approximate closest vector problems, and a signature in the pqNTRUSign scheme consists of a solution to an appr-CVP, where an additional congruence modulo a small prime p is used to tie the document to the signature. Details are given in the cited references, but the important point is that the NTRU ring and the NTRU lattice are public values, and the NTRU lattice contains one or more very short vectors, a property that could potentially be exploited by lattice reduction algorithms.

The key idea in the present paper is that we do not allow the attacker to see the lattice 𝕏, which contains one or more vectors that are considerably shorter than predicted by the Gaussian heuristic. Instead, we use the isomorphism 𝕏 → 𝕐 to transfer the entire problem to a lattice that does not have any especially short vectors. In this way, some previously described attacks against the private key of NTRU lattices, such as the hybrid attack [11], become impossible, since the very short vectors that exist in an NTRU lattice are mapped to random-looking vectors in the image lattice. However, even for pqFFSign, forgery attack via transcript analysis is still possible, so we rely as usual on rejection sampling [4, 13] to seal the information leakage in transcripts. Due to space constraints, we omit a full description and analysis of rejection sampling here, but it is easy to adapt the material already described in the original pqNTRUSign paper.

### Lattice-based signatures and rejection sampling

Signature schemes based on hard lattice problems have a history of almost 20 years. Early lattice-based signature schemes, such as GGHSign [6] and NTRUSign [7], leaked private key information via transcripts of message/signature pairs. An attacker could create a signing key from a long enough transcript using methods for “learning a parallelepiped” [5, 16].

In [13], Lyubashevsky proposed a rejection sampling method to thwart transcript leakage attacks. Using his technique, signatures are produced according to a fixed public distribution, typically either a Gaussian or a uniform distribution. A transcript reveals only this public distribution, and contains no information about the particular signing key that is used to generate the signatures. This technique has become the de facto method for avoiding transcript leakage in lattice-based signature schemes; cf. as [4, 8, 10, 14]. However, to ensure that the output signature follows a given distribution, a large number of randomly generated candidate signatures may need to be rejected before a suitable signature is accepted. This may significantly slow down the signing procedure.

## 2 Preliminaries

### 2.1 Notation

Let f(x) ∈ 𝔽q[x] and F(y) ∈ 𝔽q[y] be monic irreducible polynomials of degree n. We use f and F to construct two copies of 𝔽qn, which we denote by

X:=Fq[x]/(f(x))andY:=Fq[y]/(F(y)),

and we let ϕ : 𝕏 → 𝕐 be an isomorphism of fields. In general, polynomials denoted by lower case letters will be polynomials in 𝕏, and their isomorphic images in 𝕐 will be denoted with the corresponding capital letters. A vector form of a polynomial is the vector consisting of all coefficients of the given polynomial. We will often identify polynomials and vectors when there is no ambiguity.

Consider a polynomial a(x) = a0 + a1x + … + an−1xn−1 ∈ 𝕏. We will informally say that a(x) is short if for all i, the congruence class ai mod q reduced into the interval (−q/2, q/2] is small relative to q. An important class of such polynomials are those satisfying ai ∈ {−1, 0, 1}; these are called trinary polynomials. We denote by

a=max0in1|ai|anda2=(a02++an12)1/2

the L-norm and the L2-norm of a, respectively, where it is understood that the coefficients of a are normalized to lie in the interval (−q/2, q/2]. N.B. In our notation, the unsubscripted absolute value ∥ ⋅ ∥ is the L-norm, not the usual Euclidean L2-norm.

We now list some additional notation that is used in the rest of this paper:

• [Secret] a(x), b(x) ∈ 𝕏 short irreducible monic polynomials of degree n.

• [Secret] h(x) ≡ b(x)⋅(pa(x))−1 (mod f(x)) ∈ 𝕏.

• [Public] H(y) ∈ 𝕐 is the image in 𝕐 of h(x) ∈ 𝕏.

• [Secret] U is an n-by-n invertible matrix with small entries, e.g., in {−1, 0, 1}.

### 2.2 Two Uniformity Heuristics

We start with a heuristic which says that polynomials in 𝔽q[x] with small coefficients are as likely to be irreducible as random polynomials.

### Heuristic 1

Letqbe odd, and let 1 ≤ β12q. Then there are approximately1n(⌊2β + 1⌋)ndistinct irreducible monic polynomialsaover 𝔽q[x] satisfyinga∥ ≤ β.

Heuristic 1 is based on the very reasonable assumption that monic irreducible polynomials are uniformly distributed over 𝔽q[x] with respect to the L-norm, together with the well known prime number theorem for function fields, which states that the number of distinct irreducible monic polynomials of degree n in 𝔽q[x] is on the order of qn/n; see [12, Chapter 7, Section 2, Corollary 2]. Similarly, classical primality tests for integers such as Miller–Rabin [15, 18] are easily adapted to the function field setting. It is thus easy to check, at least with very high probability, whether a given polynomial is irreducible, and the probability of success is roughly 1/n.

We invoke Heuristic 1 primarily to ensure that the signer will be able to find a pqFFSign private key. It also could help with combinatorial security in the sense that it says that the space of pqFFSign private keys is too large to search. However, since there does not appear to be an algorithm that directly lists the irreducible polynomials in the set of bounded coefficient polynomials, the actual combinatorial security comes from the size of the full set of bounded coefficient polynomials.

We will also mention the following additional uniformity heuristic on inverses, which might help in future security analyses of pqFFSign. However, we note that this heuristic is not related to the hardness of the finite field isomorphism problem.

### Heuristic 2

Let q ≥ 2, and let U ∈ GLn(𝔽q) be an invertible matrix with small entries, for example entries randomly chosen from {−1, 0, 1}. Then the entries of U−1are approximately uniformly distributed in 𝔽q.

This is similar to various well-established assumptions. Uniformity of products of the form U11U2, with U1 and U2 small-entry circulant matrices, was used in analyzing the security of NTRUEncrypt [9]. If we instead choose the coefficients of U1 and U2 from a discrete Gaussian distribution for certain parameters, then it is proven in [19] that U11U2 is almost uniformly distributed in GLn(𝔽q).

We note that Heuristic 2 says that when our secret basis c1(x), …, cn(x) for 𝕏 is written as linear combinations of the (almost) standard basis x, x2, …, xn, the coefficients of those linear combinations look reasonably random in 𝔽q.

## 3 The pqFF-Sign Signature Scheme

For this section, we fix the following parameters:

• n, the degree of the polynomials f(x) and F(Y).

• q, a (moderate) size prime.

• β, a size parameter satisfying 1 ≤ β12q, used to specify the size of the coefficients of a “small” polynomial.

• p, a (very small) prime different from q.

• B, a closeness parameter, used to determine if a claimed signature is a good enough solution to a CVP to be a valid signature.

### 3.1 An Algorithm to Find an Isomorphism

We recall how to find suitable polynomials f(x) and F(y) and an explicit isomorphism

ϕ:Fq[x]/(f(x))Fq[y]/(F(y))

as described in more detail in [3]. Recall that we need to find four polynomials f, F, ϕ, ψ satisfying:

• f(x) ∈ 𝔽q[x] is irreducible monic of degree n with ∥f(x)∥ ≤ β.

• F(y) ∈ 𝔽q[y] is irreducible monic of degree n with random coefficients.

• ϕ(y) ∈ 𝔽q[y] and ψ(x) ∈ 𝔽q[x] have degree less than n.

• F(y) | f(ϕ(y)).

• ϕ(ψ(x)) ≡ x (mod f(x).

The key idea here is that x will be identified with ϕ(y) and y will be identified with ψ(x), and the conditions on ϕ and ψ say that this identification gives an explicit isomorphisms. The algorithm for finding these quantities is sketched in Algorithm 1.

### Remark 2

For a given f and F, there are exactly n choices for ϕ, namely the n roots of f in 𝕐. (The general theory of finite fields ensures that f splits completely in 𝕐 ≅ 𝔽qn.) Alternatively, given one value of ϕ(y), the complete set of possibilities for ϕ(y) are {ϕ(y)qi mod F(y) : 0 ≤ i < n}. These are exactly the Gal(𝕐/𝔽q)-conjugates of ϕ, where Gal(𝕐/𝔽q) ≅ Gal(𝔽qn/𝔽q) is cyclic of order n, generated by the q-power Frobenius map.

### Algorithm 1

Finite Field Isomorphism Generation (See [3] for details.)

 1: Sample f(x) uniformly from the set of monic degree n polynomials a(x) ∈ 𝔽q[x] satisfying ∥a∥ ≤ β until finding an f that is irreducible. 2: Sample F(y) uniformly from the set of monic degree n polynomials in 𝔽q[y] until finding an F that is irreducible. (Alternatively, use an F provided by a trusted source.) 3: Find a root of f(y) in the finite field 𝕐 := 𝔽q[y]/(F(y)) ≅ 𝔽qn, and lift this root to a polynomial ϕ(y) ∈ 𝔽q[y] of degree less than n. 4: Construct the unique polynomial ψ(x) ∈ 𝔽q[x] of degree less than n satisfying ψ(ϕ(y)) ≡ y(mod F(y). 5: returnf(x), F(y), ϕ(y) and ψ(x).

### 3.2 The Detailed Scheme

The pqFFSign signature scheme uses three algorithms: KEYGEN, SIGNING and VERIFY. In addition it also requires a Hash function

Hash:{documents}×{public keys}12p,12p2n

that maps a document and a public key into a 2n-dimensional vector with small coefficients. We assume as usual that Hash is a cryptographically secure hash function in which each bit of the given document and each bit of the given public key affects every bit of the output.

#### Key generation

The key generation algorithm

KEYGEN(λ)pk,sk

takes as the input a bit-security parameter λ, i.e., the goal is a scheme whose running time is O(2λ). It outputs a public key pk and a secret key sk as follows:

1. Generate a parameter set Ξ = {n, p, q, β, B} as a function of λ, where in particular p is a small integer, co-prime to q, satisfying pn/2 ≥ 2λ. (This ensures that a collision search on a set of size pn is infeasible for the desired bit-security.)

2. Generate a finite field isomorphism {f, F, ϕ, ψ} as described in Section 3.1.

3. Generate polynomials a(x) and b(x) in 𝔽q[x] with coefficients bounded by β.

4. Compute h(x) ≡ (pa(x))−1b(x)(mod f(x)) ∈ 𝕏.[1]

5. Compute H(y) := h(ϕ(y)) ∈ 𝕐, the image of h(x) in 𝕐.

6. Choose an invertible n-by-n matrix U ∈ GLn(𝔽q) with small coefficients, e.g., with coefficients bounded by β.

7. Define c1(x), c2(x), ⋯, cn(x) ∈ 𝕏 by the relation

Uc1(x)c2(x)cn(x)xx2xn(modq,f(x)).(2)

(See Remark 5 for the significance of the relation (2).)

8. Compute the images C1(y), …, Cn(y) ∈ 𝕐 of c1(x), …, cn(x).

9. Output the following signing key sk and verification key pk:

pk:={Ξ,F(y),H(y),C1(y),,Cn(y)},sk:={Ξ,f(x),ϕ(y),ψ(x),U,a(x),b(x),c1(x),,cn(x)}.

#### Signing

The signing algorithm

SIGN(μ,sk)σ

takes a message μ and a secret key sk as the input, and outputs a signature σ as follows:

1. Hash the message and the public key to form a pair of n-dimensional mod p vectors,

Hash(μ,pk)=(δ¯,ϵ¯):=(δ¯1,,δ¯n,ϵ¯1,,ϵ¯n).
2. Generate (δ, ϵ) satisfying:

δδ¯(modp),δ12qB,ϵϵ¯(modp),ϵ12qB,

and with the property that the polynomials

s(x):=i=1nδici(x)andt(x):=i=1nϵici(x),(3)

satisfy the relation

s(x)h(x)t(x)(modq,f(x))

in the field 𝕏. An algorithm to compute a valid pair (δ, ϵ) is given in Section 3.3.

3. Output: The signature is the pair σ := (δ, ϵ).

#### Verification

The verification algorithm

VERIFY(μ,σ,pk)ACCEPT/REJECT

takes a message μ, a signature σ, and a public key pk as the input. It first uses the message and the public key to compute

(δ¯,ϵ¯):=Hash(μ,pk).

It then checks the validity of the following conditions:

δδ¯(modp),δ12qB,(4)
ϵϵ¯(modp),ϵ12qB.(5)
i=1nδiCi(y)H(y)=i=1nϵiCi(y)inY.(6)

(See Remark 3 for the purpose of these conditions.) Output: ACCEPT if (4), (5), and 6 are true, REJECT otherwise.

#### Remark 3

The mod p conditions in (4) and (5) for δ and ϵ serve to link the signature to the document and to the public key. The equality (6) and the norm conditions in (4) and (5) give a relation in 𝕐 that reflects a relation among short vectors in 𝕏.

#### Remark 4

A comparison shows that the primary difference between pqNTRUSign and pqFFSign is that in the former, signatures are created by using polynomials in the ring ℤ[x]/(f(x)) whose coefficients are small relative to the standard basis 1, x, …, xn−1, while in the latter we use polynomials with small coefficients relative to the basis c1(x), …, cn(x). The advantage of this approach is that the verifier only sees a relation involving C1(y), …, Cn(y) in 𝕐.

#### Remark 5

The polynomials c1(x), c2(x), …, cn(x) form an 𝔽q-basis for 𝕏, and C1(y), C2(y), …, Cn(y) form an 𝔽q-basis for 𝕐. Each Cj(y) is the image of the corresponding cj(x) under the isomorphism that sends xϕ(y). This same isomorphism preserves the coefficients of linear combinations of the cj(x), that is,

αjcj(x)αjCj(y).

The key property on which pqFFSign is based is the relation (2) and the fact that the coefficients of U are small, from which it follows that each of the monomials x, x2, …, xn is a linear combination of the cj(x) with small coefficients. From this it follows that any polynomial in x with small coefficients can in turn be written as a polynomial in cj(x) with small coefficients. Note that Heuristic 2 says that the converse will not be true, i.e., it says that the coefficients of the cj(x) will be uniformly distributed mod q.

### 3.3 Algorithm To Find (δ, ϵ)

We note that the choice of the security parameter B provides a balance between combinatorial security (large B is good) and the difficulty of generating a valid signature using the private key (small B is good).

### Definition 2

For any polynomialh(x) ∈ 𝕏 = 𝔽q[x]/(f(x)), we define the associated NTRU lattice to be the 2n-dimensional lattice

Lh:=(u(x),v(x))Z[x]2:deg(u)n1,deg(v)n1,v(x)u(x)h(x)(modq,f(x)).

Similarly forLH. We note that (pa(x), b(x)) is a short vector inLh, but its image inLHis unlikely to be short.

1. For j = 1, …, n, choose δj(0) at random such that |δj(0)| < 12qB and δj(0)δj (mod p) and set

s0(x)=j=1nδj(0)cj(x).
2. Define t0(x) by

t0(x)s0(x)h(x)(modq,f(x))

and write

t0(x)i=0n1tixi(modq,f(x)).

Note that by construction we have (s0(x), t0(x)) ∈ Lh.

3. Rewrite t0(x) as a linear combination of the basis c1(x), …, cn(x) of 𝕏, say

t0(x)=j=1nηjcj(x)for someη1,,ηnwith12q<ηj12q.

If all of the ηj lie in the interval (−12q + B, 12qB], proceed to Step (iv); otherwise go back to Step (i) and choose new values for the δj(0). (For appropriate choices of parameters, the probability of success at this step is reasonably high; see [8] for details. As described in [8], this step may be used to implement rejection sampling, which provides security against transcript attacks.)

4. Construct (u(x), v(x)) ∈ Lh such that

u(x)=j=1nδj(u)cj(x)andv(x)=j=1nδj(v)cj(x),

with |δj(u)|,|δj(v)|<B for all j, with δj(u) ≡ 0 (mod p), and δj(v) + ηjϵj (mod p) for all j. The procedure for this step is sufficiently complicated that we give the details in Section 3.1.1.

5. Set s(x) = s0(x) + u(x) and t(x) = t0(x) + v(x). Write s(x) and t(x) as linear combination of the basis polynomials c1(x), …, cn(x) as in (3), and read off the coefficients of those linear combinations to create the vectors δ and ϵ that form the signature.

#### 3.3.1 Details of Step 4

To construct the desired (u(x), v(x)), we construct an appropriate r(x) which is short, and set

u(x)=pr(x)a(x)andv(x)=r(x)b(x).

We want to find an r(x) that satisfies

r(x)b(x)=j=1nδj(v)cj(x)with the|δj(v)|<B andδj(v)+ηjϵ¯j(modp),

and also satisfies

pr(x)a(x)=j=1nδj(u)cj(x)with the |δj(u)|<B andδj(u)0(modp).

Suppose first that we have any r(x) that is sufficiently short. Since a(x) is short, we see that r(x) a(x) is also short, and we may write

r(x)a(x)=i=1ndixiXwith smalldi.

Then the δj(u)s in the formula

pr(x)a(x)=j=1nδj(u)cj(x)

are given by

(δ1(u),,δn(u))=p(d1,,dn)U.

As long as all of the di and all of the entries of U are sufficiently small, we will have |δj(u)| < B and δj(u) ≡ 0 (mod p) for all j. Thus for whatever sufficiently short r(x) we choose, the δj(u) ≡ 0 (mod p) condition will hold.

We turn now to finding a short r(x) that satisfies

r(x)b(x)=j=1nδj(v)cj(x)with|δj(v)|<B andδj(v)ϵ¯jηj(modp).

To accomplish this, write b(x)=i=0n1bixi, set

(b0,0,b0,1,,b0,n1)=(b0,b1,,bn1),

and for 1 ≤ i < n, define (bi,0, bi,1, …, bi,n−1) by

xib(x)bi,0+bi,1x++bi,n1xn1(modf(x)).

Let 𝓑 denote the matrix whose i, j entry is bi,j and consider the product 𝓑U. The entries of 𝓑U are small because the bi,j and the entries of U are small. For any

r(x)=i=0n1rixii=1nrixi(modf(x))

we have

r(x)b(x)=(r1,r2,,rn)BUc1(x)c2(x)cn(x).

To solve for r(x), first define

(r¯1,r¯2,,r¯n)(δ¯1(v),δ¯2(v),,δ¯n(v))(BU)1(modp)

and lift each r¯j to rj ∈ (−p/2, p/2]. Then define δj(v) by

(δ1(v),,δn(v))=(r1,,rn)BU.

This accomplishes the goal

r(x)b(x)=j=1nδj(v)cj(x)withδj(v)δ¯j(v)(modp).

## 4 Security Considerations

We highlight some of best known attacks. Due to page limitations, we leave other (less effective) known attacks in the appendix.

### 4.1 The Size of B

The key point is to choose B in such a way that the final signature lies inside an appropriate subset of the (−12q, 12q] box. Recall that

(δ1(v),,δn(v))=(r1,,rn)BU.

The coefficients ri lie in the interval (−p/2, p/2]. Let K be chosen to be the maximum of the absolute values of the entries of 𝓑U. Then each |δj(v)| will be bounded above by a constant multiple of pKn. The same almost applies to |δj(u)|, but because of the multiple of p it will be larger by a factor of p unless some scaling is done to compensate for this, for example, by choosing the original δj(0) from an interval smaller than (−q/2, q/2]. So B must be on the order of pKn. The size of K will be optimal when U and 𝓑 are as sparse as possible.

### 4.2 Recovering the Isomorphism/Solving CFFI Problem

The attacker is given polynomials C1(y), …, Cn(y) ∈ 𝕐 that are the images of unknown short polynomials c1(x), …, cn(x) ∈ 𝕏 via an unknown isomorphism 𝕏 → 𝕐. For the general CFFI problem, if the attacker knows at least 2n elements of 𝕐 that are images of short elements of 𝕏, then she can set up a mixed lattice/combinatorial attack to recover the short elements of 𝕏 and the isomorphism 𝕏 → 𝕐. See Section B in the appendix for details.

This attack requires 2n elements, but the public key for pqFFSign provides the attacker with only n images of short elements of 𝕏, not 2n. So the attack would seem to fail at this point. However, the fact that f(x) is small means that products of small elements of 𝕏 remain reasonably small. Indeed, that is a key fact being exploited by pqFFSign. So for 1 ≤ in, the attacker can create additional elements by taking products such as Cn+i(y) := C1(y)Ci(y)mod F(y) in 𝕐, and these new elements of 𝕐 will be images of somewhat small elements of 𝕏. This may allow the attack described in Section B to proceed, with the caveat that the target vectors will now be considerably larger than in the basic version of the CFFI problem. On the other hand, since the coordinates of the target vectors will now consist of n very small numbers and n moderately small numbers, the targets are unbalanced. So a full analysis of the underlying lattice problem requires balancing the lattice to account for this imbalance in the targets' coordinates.

### 4.3 Recovering the Unique Shortest Vector

There are two main security concerns that determine parameters in pqNTRUSign. One is the problem of recovering the private key from the public NTRU key, and the other is the problem of forgery. Of these, the one that has the biggest impact on parameter size is the public key to private key problem. This is because, to make rejection sampling efficient, the q needs to be chosen large compared to n. This makes the lattice problem somewhat easier and forces an increase in the size of n. The forgery problem requires smaller parameters to achieve the same security levels.

In this context there appear at first to be two NTRU-type problems: Recovering a(x), b(x) from h(x), and recovering the corresponding polynomials A(y), B(y) from H(y). However, the polynomial h(x) is private and is only revealed if the underlying isomorphism is discovered, in which case the scheme is considered broken. So this lattice problem does not apply to pqFFSign.

On the other hand, the polynomial H(y) is public, but the corresponding problem of recovering A(y), B(y) from H(y) is not a lattice problem because A(y) and B(y) are polynomials with coefficients that are essentially random mod q, so they are not short. This is a consequence of the fundamental observation that the isomorphism between the two copies of 𝔽qn does not respect the archimedian properties of the polynomials’ coefficients. Further, since A(y) and B(y) are not short, recovery of them does not appear to be helpful to the attacker.

There is a lattice attack to recover the matrix U from the Cj(y), and this would suffice to break the scheme, but the dimension of the lattice required to solve this problem is at least n2. We describe this attack in Section C. For all of these reasons, it thus appears that it suffices to set parameters to avoid forgery attacks, and this should allow for smaller signatures and better operating characteristics. In particular, by choosing the small prime p as close as possible to q, we can make the Gaussian defect of a solution very close to one, which thus makes lattice reduction attacks very difficult even in relatively small dimensions.

## 5 Conclusion and Future Work

In this work we present a signature scheme (partially) based on the Computational Finite Field Isomorphism Problem (CFFI). Future research directions include:

### The hardness of the finite field isomorphism problem

In this paper, we have indicated several ways in which one might try to solve the CFFI problem. However, the quantitative difficulty of the CFFI problem is presently unclear.

### Average-case/worse-case hardness

There exists an easy instance of the CFFI problem, namely when f(x) = F(y). It would be of interest to prove that random (or even, all) instances of the CFFI problem with f(x) ≠ F(y) are equally difficult.

### Transcript security and rejection sampling

A sufficiently long raw pqNTRUSign transcript allows an attacker to reconstruct a short lattice basis due to the way in which signatures are generated. The use of rejection sampling eliminates this attack by leading to transcripts that are independent of the underlying lattice. (See [8] for details.) Similarly, raw pqFFSign reveals a transcript of short vectors (δ, ϵ) that may contain information about f or (a, b) or U. We expect that rejection sampling can be used to produce key-independent transcripts. Formulating and proving such a result should not be hard, but remains to be done.

### Security reduction between pqFFSign and CFFI

It is clear that the security of pqFFSign, the signature scheme that we have proposed in this paper, relies on the difficulty of CFFI. The converse is not clear. It would be quite interesting to give a security reduction showing, say, that breaking pqFFSign plus an algorithm solving some sort of standard hard CVP lattice problem is equivalent to solving the CFFI problem.

### Analyze the balanced lattice attack

As discussed in Section 4.2, the lattice attack (Section B) on the pure CFFI problem needs to be balanced before being applied to pqFFSign. Doing this will yield constraints on the various parameters required to achieve a desired level of security. Further, even if the lattice attack succeeds completely, there is still what appears to be a difficult combinatorial problem to solve. This combinatorial problem deserves further study.

## Acknowledgement

Hoffstein and Silverman’s research partially supported by NSF #1561709

## References

[1] Wieb Bosma, John Cannon and Catherine Playoust, The Magma algebra system. I. The user language., J. Symbolic Comput. 24 (1997), 235–265.10.1006/jsco.1996.0125Search in Google Scholar

[2] Yuanmi Chen and Phong Q. Nguyen, BKZ 2.0: Better Lattice Security Estimates, in: ASIACRYPT, pp. 1–20, 2011.10.1007/978-3-642-25385-0_1Search in Google Scholar

[3] Yarkin Doröz, Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, Berk Sunar, William Whyte and Zhenfei Zhang, Fully Homomorphic Encryption from the Finite Field Isomorphism Problem, PKC 2018 (2018).10.1007/978-3-319-76578-5_5Search in Google Scholar

[4] Léo Ducas, Alain Durmus, Tancrède Lepoint and Vadim Lyubashevsky, Lattice Signatures and Bimodal Gaussians, CRYPTO 2013 (Ran Canetti and Juan A. Garay, eds.), LNCS 8042, Springer, 2013, pp. 40–56.10.1007/978-3-642-40041-4_3Search in Google Scholar

[5] Léo Ducas and Phong Q. Nguyen, Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures, in: Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2-6, 2012. Proceedings, pp. 433–450, 2012.10.1007/978-3-642-34961-4_27Search in Google Scholar

[6] Oded Goldreich, Shafi Goldwasser and Shai Halevi, Public-Key Cryptosystems from Lattice Reduction Problems, in: CRYPTO, pp. 112–131, 1997.10.1007/BFb0052231Search in Google Scholar

[7] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte, NTRUSIGN: Digital Signatures Using the NTRU Lattice, in: Topics in Cryptology - CT-RSA 2003, The Cryptographers' Track at the RSA Conference 2003, San Francisco, CA, USA, April 13-17, 2003, Proceedings, pp. 122–140, 2003.10.1007/3-540-36563-X_9Search in Google Scholar

[8] Jeffrey Hoffstein, Jill Pipher, John M. Schanck, Joseph H. Silverman and William Whyte, Transcript Secure Signatures Based on Modular Lattices, in: Post-Quantum Cryptography - 6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, October 1-3, 2014. Proceedings, pp. 142–159, 2014.10.1007/978-3-319-11659-4_9Search in Google Scholar

[9] Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman, NTRU: A Ring-Based Public Key Cryptosystem, in: ANTS, pp. 267–288, 1998.10.1007/BFb0054868Search in Google Scholar

[10] Jeffrey Hoffstein, Jill Pipher, William Whyte and Zhenfei Zhang, A signature scheme from Learning with Truncation, Cryptology ePrint Archive, Report 2017/995, 2017, http://eprint.iacr.org/2017/995.Search in Google Scholar

[11] Nick Howgrave-Graham, A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU, in: CRYPTO, pp. 150–169, 2007.10.1007/978-3-540-74143-5_9Search in Google Scholar

[12] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, Springer-Verlag, 1990.10.1007/978-1-4757-2103-4Search in Google Scholar

[13] Vadim Lyubashevsky, Fiat-shamir with aborts: Applications to lattice and factoring-based signatures, ASIACRYPT 2009, Springer, 2009, pp. 598–616.10.1007/978-3-642-10366-7_35Search in Google Scholar

[14] Vadim Lyubashevsky, Lattice Signatures without Trapdoors, EUROCRYPT2012 (David Pointcheval and Thomas Johansson, eds.), LNCS 7237, Springer, 2012, pp. 738–755.10.1007/978-3-642-29011-4_43Search in Google Scholar

[15] Gary L. Miller, Riemann's hypothesis and tests for primality, Journal of Computer and System Sciences13 (1976), 300 – 317.10.1016/S0022-0000(76)80043-8Search in Google Scholar

[16] Phong Q. Nguyen and Oded Regev, Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures, J. Cryptology22 (2009), 139–160.10.1007/s00145-008-9031-0Search in Google Scholar

[17] NIST, Post-Quantum Cryptography - Round 1 Submissions, https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions.Search in Google Scholar

[18] Michael O Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory12 (1980), 128 – 138.10.1016/0022-314X(80)90084-0Search in Google Scholar

[19] Damien Stehlé and Ron Steinfeld, Making NTRU as Secure as Worst-Case Problems over Ideal Lattices, in: Advances in Cryptology - EUROCRYPT2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, pp. 27–47, 2011.10.1007/978-3-642-20465-4_4Search in Google Scholar

## A Security Against Forgery

Recall that a signature is a pair of vectors δ = (δ1, …, δn), and ϵ = (ε1, …, εn), where (δ, ϵ) mod p = (δ, ϵ). Hence (δ, ϵ) is a vector in a translated lattice

(δ,ϵ)L1:=pZ2n+(δ¯,ϵ¯).

Next, using the formulas

S(y)=i=1nδiCi(y),T(y)=i=1nϵiCi(y),S(y)H(y)=T(y),

we have

δC(y)H(y)=ϵC(y).

That is, (δ, ϵ) is also in the lattice

(δ,ϵ)L2:=RowSpanqIn0CHC1In.

We observe that any vector in the intersection L1L2 is a potential signature. We have

det(L1)=p2n,det(L1)=qn,det(L1L2)=p2nqn,

where the last equality uses the assumption that gcd(p, q) = 1. Hence the Gaussian heuristic for the shortest nonzero vector in L1L2 is

GH(L1L2)=2dim(L1L2)πedet(L1L2)1dim=p2qNπe.

Further, we se that the L2 norm of the target vector is bounded by

(δ,ϵ)22Nq.

This yields the root Hermite factor

γ(L1L2)=2Nqp2qN/πe1/2n=2πeq/p1/2n.

Hence a lattice attack will be infeasible if we choose parameters to ensure that

2πeq/p1/2n<γexp,

where γexp is chosen to be the experimental Hermite factor expected to be achievable via lattice reduction algorithms. For example, using the LLL-BKZ 2.0 algorithms, a Hermite factor γ = 1.005 seems to be secure; see [2].

## B A Combined Lattice-Combinatorial Attack on the CFFI Problem

We consider the CFFI problem under the assumption that k ≥ 2n, so the attacker is given polynomials A1(y), …, Ak(y) ∈ 𝕐 that are the images of polynomials a1(x), …, ak(x) ∈ 𝕏 having small coefficients. We identify a polynomial C(y) = C0 + ⋯ + Cn−1yn−1 ∈ 𝕐 with the row vector C := (C0, …, Cn−1) ∈ Fqn, and similarly for elements of 𝕏. Then the (unknown) isomorphism ψ:𝕐 → 𝕏 is given by an n × n matrix Ψ, i.e., Ψ is the matrix of ψ relative to the bases {1, …, yn−1} of 𝕐 and {1, …, xn−1} of 𝕏. Note that with this notation, we have ψ(C(y)) = CΨ.

We form four n × n matrices

M:=A1An,N:=An+1A2n,m:=a1an,n:=an+1a2n.

In other words, the rows of 𝔐 are the vectors A1, …, An, and similarly for the other matrices. Then by assumption we have the matrix formulas

MΨ=mandNΨ=n,and thusNM1m=n,

where all computations are done in 𝔽q. Note that although the matrix Ψ has unknown random coefficients, the matrices 𝔐 and 𝔫 have unknown small coefficients, and the matrices 𝔐 and 𝔑 are known. So this last formula will allow us to describe a known lattice with unknown short target vectors.

For each 1 ≤ tn, let

vt:=coordinates are thetthcolumn ofmand whose secondncoordinates are thetthcolumn ofn.Z2n,

where we have, as usual, lifted numbers from 𝔽q to an interval centered at 0. Then the relation 𝔑𝔐−1𝔐 = 𝔫 tells us that

vtL:=Column SpanI0NM1qI.

We may thus use lattice reduction methods to search for the n short vectors 𝔳1, …, 𝔳n in the known lattice 𝔏.

The lattice $𝔏$ satisfies

dimL=2nandDetL=qn,

so the Gaussian expected norm of the smallest vector in 𝔏 is

GH(L)=dimL/πe(DetL)1/dimL=2nqπe.

On the other hand, if we assume that the coefficients of a1, …, a2n are random integers in the interval from −β to β, as in the statement of CFFI, then the expected length of each target vector 𝔳t is roughly τ := 2n/3β. Hence the root Hermite ratio is

γ(L):=GH(L)τ1/dimL1β3qπe1/2n.

We remark that currently a Hermite ratio smaller than 1.005 appears to achieve reasonable security; cf. [2].

There are two additional issues. First, it is not clear that the set

S:={vt:1tn}

of target vectors consists of the n shortest linearly independent vectors in 𝔏. Thus even a complete lattice reduction that finds an “optimal basis” for 𝔏 may only return some small linear combinations of the elements of 𝓢. The attacker would then have to unsort these small linear combinations to find the set 𝓢.

Second, even if the attacker finds the exact set of short vector 𝓢, there is a combinatorial problem to solve, since the set 𝓢 comes with no preferred order. But the coordinates of 𝔳t are the coefficients of xt in a1, …, a2n, so recovery of a1, …, a2n and reconstruction of Ψ works only if the set of short vectors 𝓢 is put in the correct order. There are n! ways to reorder 𝓢, so if n is large, a full search, or even a collision search, is infeasible. It remains an open problem to find a faster method to correctly order the elements of 𝓢.

## C Attack to Recover U

During key generation we construct a set of polynomials c1(x), …, cn(x) by choosing an n × n sparse matrix U and setting

c1(x)c2(x)cn(x)U1xx2xn(modq).

Then for example we have

i=1nu1,ici(x)=x,i=1nu2,ici(x)=x2,i=1nu3,ici(x)=x3,

so using the fact that xx2 = x3, we find that

i=1nu1,ici(x)j=1nu2,jcj(x)k=1nu3,kck(x)(modf(x),q).

This in turn gives a formula in 𝕐,

i=1nu1,iCi(y)j=1nu2,jCj(y)k=1nu3,kCk(y)(modF(y),q).

Multiplying this out gives

i=1nu1,iu2,iviCi(y)2+i=1n1j=i+1n(u1,iu2,j+u1,ju2,i)wijCi(y)Cj(y)k=1nu3,kCk(y)(modF(y),q).

Reducing the various Ci(y)Cj(y) products modulo F(y) yields a system of n linear equations over 𝔽q in the variables

{vi:1in}{wij:1i<jn}{u3,k:1kn}.

To ease notation, we write N = 12n(n + 3) for the number of variables, we write t = (vi, wij, u3,k) for the vector consisting of these variables, and we let M be the N × n matrix giving the system of linear equations over 𝔽q. Then we obtain a matrix formula

tINM0qIn=t0.

This gives a lattice problem of dimension N + n and determinant qn with target vector t.[2]

The size of the target t depends on the distribution of the entries in U. For simplicity, suppose that the entries of U are chosen uniformly and independently from {−1, 0, 1}. Then each wij satisfies

Prob(wij=±2)=281,Prob(wij=±1)=2081,Prob(wij=0)=3781.

So even ignoring the vi and u3,k coordinates of t, we find that the expected value of t22 is at least

n(n1)22814+20811+37810=1481(n2n),

so we expect ∥t∥ to be roughly n14/9. On the other hand, the Gaussian expected length of the shortest non-zero vector in the lattice is roughly

n2/πe(qn)1/n20.1nq1/n.

Thus even for quite large values of q, the target vector is likely to be considerably larger than many other (useless) short vectors in the lattice. For example, if n = 100, then the target only becomes a likely shortest vector if q > 10111.

## D A Non-Linear Attack

It is possible to use multiplication and reduction modulo F(y) in 𝕐 to set up an attack in which one has to find small solutions to certain non-linear equations. Such problems appear to be completely infeasible, which we illustrate with a toy example with n = 3.

The attacker knows the polynomials

c(y)=c0+c1y+c2y2,c(y)=c0+c1y+c2y2,h(y)=y2+h0y+h1.

To make life easier, we take h(y) = y3 + y + 1. The attacker tries to find the small polynomials

m(x)=m0+m1x+m2x2andm(x)=m0+m1x+m2x2

by eliminating the polynomial ϕ(y) = ϕ0 + ϕ1y + ϕ2y2 from the congruences

c0+c1y+c2y2m0+m1(ϕ0+ϕ1y+ϕ2y2)+m2(ϕ0+ϕ1y+ϕ2y2)2(mody3+y+1),c0+c1y+c2y2m0+m1(ϕ0+ϕ1y+ϕ2y2)+m2(ϕ0+ϕ1y+ϕ2y2)2(mody3+y+1).

Expanding and reducing modulo y3 + y + 1, we find that

c0+c1y+c2y2=(m2ϕ02+m1ϕ02m2ϕ2ϕ1+m0)+(2m2ϕ1ϕ02m2ϕ2ϕ1+m1ϕ1m2ϕ22)y+(2m2ϕ2ϕ0+m2ϕ12m2ϕ22+m1ϕ2)y2,

and similarly for c″. So we get 6 equations

m2ϕ02+m1ϕ02m2ϕ2ϕ1+m0=c02m2ϕ1ϕ02m2ϕ2ϕ1+m1ϕ1m2ϕ22=c12m2ϕ2ϕ0+m2ϕ12m2ϕ22+m1ϕ2=c2m2ϕ02+m1ϕ02m2ϕ2ϕ1+m0=c02m2ϕ1ϕ02m2ϕ2ϕ1+m1ϕ1m2ϕ22=c12m2ϕ2ϕ0+m2ϕ12m2ϕ22+m1ϕ2=c2

in the 9 variables m0,m1,m2,m0,m1,m2,ϕ0,ϕ1,ϕ2. These equations are linear in the small variables mi and mi, but are non-linear in the large variables ϕi that need to be eliminated. Eliminating the large variables, we are left with three highly non-linear polynomials in the six unknowns mi,mi. In other words, we need to find points with small coordinates on a 3-dimensional variety sitting in 6-dimensional space.

To investigate further, we computed an explicit example. We worked over 𝔽11 and took (c0,c1,c2,c0,c1,c2) = (1, 2, 3, 4, 5, 6). We used the Grobner-basis routine in Magma [1] to eliminate ϕ0, ϕ1, ϕ2 from the 6 equations. The resulting equations for the 6 variables mi,mi covered more then two pages of small type and had no discernable structure.