A signature scheme from the finite field isomorphism problem

Jeffrey Hoffstein; Joseph H. Silverman; William Whyte; Zhenfei Zhang

doi:10.1515/jmc-2015-0050

Open Access Published by De Gruyter June 14, 2020

A signature scheme from the finite field isomorphism problem

Jeffrey Hoffstein , Joseph H. Silverman , William Whyte and Zhenfei Zhang

From the journal Journal of Mathematical Cryptology

https://doi.org/10.1515/jmc-2015-0050

Abstract

In a recent paper the authors and their collaborators proposed a new hard problem, called the finite field isomorphism problem, and they used it to construct a fully homomorphic encryption scheme. In this paper, we investigate how one might build a digital signature scheme from this new problem. Intuitively, the hidden field isomorphism allows us to convert short vectors in the underlying lattice of one field into generic looking vectors in an isomorphic field.

Keywords: finite field isomorphism problem; lattice-based signature

1 Introduction

In [3], the authors and their collaborators presented a new hard problem, the Finite Field Isomorphism Problem. We briefly recall the problem here. Let q be a prime, let 𝔽_q be the finite field with q elements, and let f(x) ∈ 𝔽_q[x] and F(y) ∈ 𝔽_q[y] be irreducible monic polynomials of degree n. Then

X:=Fq[x]/(f(x))andY:=Fq[y]/(F(y))(1)

are isomorphic fields with qⁿ elements. As usual, we identify elements of 𝕏 and 𝕐 with vectors having integer coordinates between −12q and 12q, and we use this identification measure the size of field elements. It is then an experimental observation that, except for trivial cases, the isomorphism 𝕏 → 𝕐 does not respect the Archimedian property of size. Indeed, when f and F are distinct monic irreducible polynomials, it is observed that polynomials within a sphere of small radius in 𝕏 appear to be essentially uniformly distributed in 𝕐, with respect to both the L^∞ and the L² norms.

Definition 1

Finite Field Isomorphism Problems (FFI): Let k ≥ 1 be an integer, let 𝕏 and 𝕐 be as in(1), letϕbe an isomorphismϕ : 𝕏 →∼ 𝕐, let 1 ≤ β ≤ 12qbe a parameter, and let 𝕏[β] denote the set ofa(x) ∈ 𝕏 withL^∞-norm bounded by ∥a∥ ≤ β. Choosea₁(x), …, a_k(x) uniformly and randomly from 𝕏[β], and letA_i = ϕ(a_i) for 1 ≤ i ≤ kbe the corresponding images in 𝕐.

The Computational FFI problem (CFFI): Given 𝕐 and the list of polynomialsA₁(y), …, A_k(y), recoverf(x) and/or one or more ofa₁(x), …, a_k(x).

The Decisional FFI problem (DFFI): Letϵ > 0. Letb₁(x) be randomly chosen in 𝕏[β], letB₁(y) = ϕ(b₁), and letB₂(y) be randomly chosen in 𝕐. Given the data 𝕐, A₁(y), …, A_k(y), and given the pair {B₁(y), B₂(y)} in a random order, identify, with probability greater than 1/2 + ϵ, which element of the pair was constructed usingϕ.

Remark 1

Under reasonable independence assumptions and for reasonable parameters, the CFFI has a unique solution. Thus for randomly chosen F(y) and A₁(y), …, A_k(y), it is an exercise to estimate the probability that there exists an f(x) ∈ 𝕏[β] and a₁(x), …, a_k(x) ∈ 𝕏[β] and an isomorphism 𝕏 → 𝕐 sending a_i to A_i for all 1 ≤ i ≤ k. This probability is roughly n⁻¹((2β + 1)^k+1/q^k)ⁿ.

In [3], the authors gave a detailed construction of how to build an isomorphism 𝕏 → 𝕐, described a preliminary analysis of the hardness of the FFI problems, and constructed a new fully homomorphic encryption scheme from the decisional version of the FFI problem. In this paper we explain how to build a signature scheme from the computational version of the FFI problem via the following framework, where we refer the reader to Section 3.3 for the definitions of the lattices L_h and L_H.

Generate a signature s, which is a a short vector within or close to a lattice L_h related to the hidden field 𝕏.
Publish its image S ∈ 𝕐, and demonstrate the validity of the signature by showing a relationship between S and a lattice L_H related to the public field 𝕐.

Since we have assumed that the map 𝕏 → 𝕐 behaves like a random mapping, there is a negligible probability that the public lattice L_H will have any exceptionally short vectors. Therefore, we can build trapdoors using short vectors in L_h without the necessity of concealing the trapdoor from the attacker. This allows us to use very efficient methods to generate s. As an example, we will show how this can be done using NTRU lattices

Verification is still possible due to the homomorphic property of the map 𝕏 → 𝕐, but various lattice attacks on the public key, e.g., searching for the trapdoor from the lattice, are blunted or eliminated due to the non-linear nature of the isomorphism 𝕏 → 𝕐.

In this paper, we instantiate the above idea using the pqNTRUSign signature scheme [8, 9, 10], a candidate in the NIST PQC competition [17]. We name this new scheme pqFFSign.

We briefly recall that an NTRU lattice L is a built using a ring of the form 𝕏: = ℤ[X]/f(X)ℤ[X], where f(X) = X^N ± 1 or some similar polynomial with small coefficients [9]. More precisely, one creates a sublattice of 𝕏 × 𝕏 by choosing small secret polynomials and taking solutions to a congruence modulo a public integer q. The private key is the short lattice vectors coming from the small polynomials, and the public key is a basis consisting of long vectors. The secret short vectors, as usual, can be used to solve approximate closest vector problems, and a signature in the pqNTRUSign scheme consists of a solution to an appr-CVP, where an additional congruence modulo a small prime p is used to tie the document to the signature. Details are given in the cited references, but the important point is that the NTRU ring and the NTRU lattice are public values, and the NTRU lattice contains one or more very short vectors, a property that could potentially be exploited by lattice reduction algorithms.

The key idea in the present paper is that we do not allow the attacker to see the lattice 𝕏, which contains one or more vectors that are considerably shorter than predicted by the Gaussian heuristic. Instead, we use the isomorphism 𝕏 → 𝕐 to transfer the entire problem to a lattice that does not have any especially short vectors. In this way, some previously described attacks against the private key of NTRU lattices, such as the hybrid attack [11], become impossible, since the very short vectors that exist in an NTRU lattice are mapped to random-looking vectors in the image lattice. However, even for pqFFSign, forgery attack via transcript analysis is still possible, so we rely as usual on rejection sampling [4, 13] to seal the information leakage in transcripts. Due to space constraints, we omit a full description and analysis of rejection sampling here, but it is easy to adapt the material already described in the original pqNTRUSign paper.

Lattice-based signatures and rejection sampling

Signature schemes based on hard lattice problems have a history of almost 20 years. Early lattice-based signature schemes, such as GGHSign [6] and NTRUSign [7], leaked private key information via transcripts of message/signature pairs. An attacker could create a signing key from a long enough transcript using methods for “learning a parallelepiped” [5, 16].

In [13], Lyubashevsky proposed a rejection sampling method to thwart transcript leakage attacks. Using his technique, signatures are produced according to a fixed public distribution, typically either a Gaussian or a uniform distribution. A transcript reveals only this public distribution, and contains no information about the particular signing key that is used to generate the signatures. This technique has become the de facto method for avoiding transcript leakage in lattice-based signature schemes; cf. as [4, 8, 10, 14]. However, to ensure that the output signature follows a given distribution, a large number of randomly generated candidate signatures may need to be rejected before a suitable signature is accepted. This may significantly slow down the signing procedure.

2 Preliminaries

2.1 Notation

Let f(x) ∈ 𝔽_q[x] and F(y) ∈ 𝔽_q[y] be monic irreducible polynomials of degree n. We use f and F to construct two copies of 𝔽_qⁿ, which we denote by

X:=Fq[x]/(f(x))andY:=Fq[y]/(F(y)),

and we let ϕ : 𝕏 → 𝕐 be an isomorphism of fields. In general, polynomials denoted by lower case letters will be polynomials in 𝕏, and their isomorphic images in 𝕐 will be denoted with the corresponding capital letters. A vector form of a polynomial is the vector consisting of all coefficients of the given polynomial. We will often identify polynomials and vectors when there is no ambiguity.

Consider a polynomial a(x) = a₀ + a₁x + … + a_n−1xⁿ⁻¹ ∈ 𝕏. We will informally say that a(x) is short if for all i, the congruence class a_i mod q reduced into the interval (−q/2, q/2] is small relative to q. An important class of such polynomials are those satisfying a_i ∈ {−1, 0, 1}; these are called trinary polynomials. We denote by

∥a∥=max0≤i≤n−1|ai|and∥a∥2=(a02+⋯+an−12)1/2

the L^∞-norm and the L²-norm of a, respectively, where it is understood that the coefficients of a are normalized to lie in the interval (−q/2, q/2]. N.B. In our notation, the unsubscripted absolute value ∥ ⋅ ∥ is the L^∞-norm, not the usual Euclidean L²-norm.

We now list some additional notation that is used in the rest of this paper:

[Secret] a(x), b(x) ∈ 𝕏 short irreducible monic polynomials of degree n.
[Secret] h(x) ≡ b(x)⋅(pa(x))⁻¹ (mod f(x)) ∈ 𝕏.
[Public] H(y) ∈ 𝕐 is the image in 𝕐 of h(x) ∈ 𝕏.
[Secret] U is an n-by-n invertible matrix with small entries, e.g., in {−1, 0, 1}.

2.2 Two Uniformity Heuristics

We start with a heuristic which says that polynomials in 𝔽_q[x] with small coefficients are as likely to be irreducible as random polynomials.

Heuristic 1

Letqbe odd, and let 1 ≤ β ≤ 12q. Then there are approximately1n(⌊2β + 1⌋)ⁿdistinct irreducible monic polynomialsaover 𝔽_q[x] satisfying ∥a∥ ≤ β.

Heuristic 1 is based on the very reasonable assumption that monic irreducible polynomials are uniformly distributed over 𝔽_q[x] with respect to the L^∞-norm, together with the well known prime number theorem for function fields, which states that the number of distinct irreducible monic polynomials of degree n in 𝔽_q[x] is on the order of qⁿ/n; see [12, Chapter 7, Section 2, Corollary 2]. Similarly, classical primality tests for integers such as Miller–Rabin [15, 18] are easily adapted to the function field setting. It is thus easy to check, at least with very high probability, whether a given polynomial is irreducible, and the probability of success is roughly 1/n.

We invoke Heuristic 1 primarily to ensure that the signer will be able to find a pqFFSign private key. It also could help with combinatorial security in the sense that it says that the space of pqFFSign private keys is too large to search. However, since there does not appear to be an algorithm that directly lists the irreducible polynomials in the set of bounded coefficient polynomials, the actual combinatorial security comes from the size of the full set of bounded coefficient polynomials.

We will also mention the following additional uniformity heuristic on inverses, which might help in future security analyses of pqFFSign. However, we note that this heuristic is not related to the hardness of the finite field isomorphism problem.

Heuristic 2

Let q ≥ 2, and let U ∈ GL_n(𝔽_q) be an invertible matrix with small entries, for example entries randomly chosen from {−1, 0, 1}. Then the entries of U⁻¹are approximately uniformly distributed in 𝔽_q.

This is similar to various well-established assumptions. Uniformity of products of the form U1−1U₂, with U₁ and U₂ small-entry circulant matrices, was used in analyzing the security of NTRUEncrypt [9]. If we instead choose the coefficients of U₁ and U₂ from a discrete Gaussian distribution for certain parameters, then it is proven in [19] that U1−1U₂ is almost uniformly distributed in GL_n(𝔽_q).

We note that Heuristic 2 says that when our secret basis c₁(x), …, c_n(x) for 𝕏 is written as linear combinations of the (almost) standard basis x, x², …, xⁿ, the coefficients of those linear combinations look reasonably random in 𝔽_q.

3 The pqFF-Sign Signature Scheme

For this section, we fix the following parameters:

n, the degree of the polynomials f(x) and F(Y).
q, a (moderate) size prime.
β, a size parameter satisfying 1 ≤ β ≤ 12q, used to specify the size of the coefficients of a “small” polynomial.
p, a (very small) prime different from q.
B, a closeness parameter, used to determine if a claimed signature is a good enough solution to a CVP to be a valid signature.

3.1 An Algorithm to Find an Isomorphism

We recall how to find suitable polynomials f(x) and F(y) and an explicit isomorphism

ϕ:Fq[x]/(f(x)) →∼ Fq[y]/(F(y))

as described in more detail in [3]. Recall that we need to find four polynomials f, F, ϕ, ψ satisfying:

f(x) ∈ 𝔽_q[x] is irreducible monic of degree n with ∥f(x)∥ ≤ β.
F(y) ∈ 𝔽_q[y] is irreducible monic of degree n with random coefficients.
ϕ(y) ∈ 𝔽_q[y] and ψ(x) ∈ 𝔽_q[x] have degree less than n.
F(y) | f(ϕ(y)).
ϕ(ψ(x)) ≡ x (mod f(x).

The key idea here is that x will be identified with ϕ(y) and y will be identified with ψ(x), and the conditions on ϕ and ψ say that this identification gives an explicit isomorphisms. The algorithm for finding these quantities is sketched in Algorithm 1.

Remark 2

For a given f and F, there are exactly n choices for ϕ, namely the n roots of f in 𝕐. (The general theory of finite fields ensures that f splits completely in 𝕐 ≅ 𝔽_qⁿ.) Alternatively, given one value of ϕ(y), the complete set of possibilities for ϕ(y) are {ϕ(y)^qⁱ mod F(y) : 0 ≤ i < n}. These are exactly the Gal(𝕐/𝔽_q)-conjugates of ϕ, where Gal(𝕐/𝔽_q) ≅ Gal(𝔽_qⁿ/𝔽_q) is cyclic of order n, generated by the q-power Frobenius map.

Algorithm 1

Finite Field Isomorphism Generation (See [3] for details.)

1:	Sample f(x) uniformly from the set of monic degree n polynomials a(x) ∈ 𝔽_q[x] satisfying ∥a∥ ≤ β until finding an f that is irreducible.
2:	Sample F(y) uniformly from the set of monic degree n polynomials in 𝔽_q[y] until finding an F that is irreducible. (Alternatively, use an F provided by a trusted source.)
3:	Find a root of f(y) in the finite field 𝕐 := 𝔽_q[y]/(F(y)) ≅ 𝔽_qⁿ, and lift this root to a polynomial ϕ(y) ∈ 𝔽_q[y] of degree less than n.
4:	Construct the unique polynomial ψ(x) ∈ 𝔽_q[x] of degree less than n satisfying ψ(ϕ(y)) ≡ y(mod F(y).
5:	returnf(x), F(y), ϕ(y) and ψ(x).

3.2 The Detailed Scheme

The pqFFSign signature scheme uses three algorithms: KEYGEN, SIGNING and VERIFY. In addition it also requires a Hash function

Hash:{documents}×{public keys}⟶−12p,12p2n

that maps a document and a public key into a 2n-dimensional vector with small coefficients. We assume as usual that Hash is a cryptographically secure hash function in which each bit of the given document and each bit of the given public key affects every bit of the output.

Key generation

The key generation algorithm

KEYGEN(λ)→pk,sk

takes as the input a bit-security parameter λ, i.e., the goal is a scheme whose running time is O(2^λ). It outputs a public key pk and a secret key sk as follows:

Generate a parameter set Ξ = {n, p, q, β, B} as a function of λ, where in particular p is a small integer, co-prime to q, satisfying p^n/2 ≥ 2^λ. (This ensures that a collision search on a set of size pⁿ is infeasible for the desired bit-security.)
Generate a finite field isomorphism {f, F, ϕ, ψ} as described in Section 3.1.
Generate polynomials a(x) and b(x) in 𝔽_q[x] with coefficients bounded by β.
Compute h(x) ≡ (pa(x))⁻¹b(x)(mod f(x)) ∈ 𝕏.^[1]
Compute H(y) := h(ϕ(y)) ∈ 𝕐, the image of h(x) in 𝕐.
Choose an invertible n-by-n matrix U ∈ GL_n(𝔽_q) with small coefficients, e.g., with coefficients bounded by β.
Define c₁(x), c₂(x), ⋯, c_n(x) ∈ 𝕏 by the relation
Uc1(x)c2(x)⋮cn(x)≡xx2⋮xn(modq,f(x)).(2)
(See Remark 5 for the significance of the relation (2).)
Compute the images C₁(y), …, C_n(y) ∈ 𝕐 of c₁(x), …, c_n(x).
Output the following signing key sk and verification key pk:
pk:={Ξ,F(y),H(y),C1(y),…,Cn(y)},sk:={Ξ,f(x),ϕ(y),ψ(x),U,a(x),b(x),c1(x),…,cn(x)}.

Signing

The signing algorithm

SIGN(μ,sk)→σ

takes a message μ and a secret key sk as the input, and outputs a signature σ as follows:

Hash the message and the public key to form a pair of n-dimensional mod p vectors,
Hash⁡(μ,pk)=(δ¯,ϵ¯):=(δ¯1,…,δ¯n,ϵ¯1,…,ϵ¯n).
Generate (δ, ϵ) satisfying:
δ≡δ¯(modp),∥δ∥≤12q−B,ϵ≡ϵ¯(modp),∥ϵ∥≤12q−B,
and with the property that the polynomials
s(x):=∑i=1nδici(x)andt(x):=∑i=1nϵici(x),(3)
satisfy the relation
s(x)h(x)≡t(x)(modq,f(x))
in the field 𝕏. An algorithm to compute a valid pair (δ, ϵ) is given in Section 3.3.
Output: The signature is the pair σ := (δ, ϵ).

Verification

The verification algorithm

VERIFY(μ,σ,pk)→ACCEPT/REJECT

takes a message μ, a signature σ, and a public key pk as the input. It first uses the message and the public key to compute

(δ¯,ϵ¯):=Hash⁡(μ,pk).

It then checks the validity of the following conditions:

δ≡δ¯(modp),∥δ∥≤12q−B,(4)

ϵ≡ϵ¯(modp),∥ϵ∥≤12q−B.(5)

∑i=1nδiCi(y)H(y)=∑i=1nϵiCi(y)in Y.(6)

(See Remark 3 for the purpose of these conditions.) Output: ACCEPT if (4), (5), and 6 are true, REJECT otherwise.

Remark 3

The mod p conditions in (4) and (5) for δ and ϵ serve to link the signature to the document and to the public key. The equality (6) and the norm conditions in (4) and (5) give a relation in 𝕐 that reflects a relation among short vectors in 𝕏.

Remark 4

A comparison shows that the primary difference between pqNTRUSign and pqFFSign is that in the former, signatures are created by using polynomials in the ring ℤ[x]/(f(x)) whose coefficients are small relative to the standard basis 1, x, …, xⁿ⁻¹, while in the latter we use polynomials with small coefficients relative to the basis c₁(x), …, c_n(x). The advantage of this approach is that the verifier only sees a relation involving C₁(y), …, C_n(y) in 𝕐.

Remark 5

The polynomials c₁(x), c₂(x), …, c_n(x) form an 𝔽_q-basis for 𝕏, and C₁(y), C₂(y), …, C_n(y) form an 𝔽_q-basis for 𝕐. Each C_j(y) is the image of the corresponding c_j(x) under the isomorphism that sends x ↦ ϕ(y). This same isomorphism preserves the coefficients of linear combinations of the c_j(x), that is,

∑αjcj(x)↦∑αjCj(y).

The key property on which pqFFSign is based is the relation (2) and the fact that the coefficients of U are small, from which it follows that each of the monomials x, x², …, xⁿ is a linear combination of the c_j(x) with small coefficients. From this it follows that any polynomial in x with small coefficients can in turn be written as a polynomial in c_j(x) with small coefficients. Note that Heuristic 2 says that the converse will not be true, i.e., it says that the coefficients of the c_j(x) will be uniformly distributed mod q.

3.3 Algorithm To Find (δ, ϵ)

We note that the choice of the security parameter B provides a balance between combinatorial security (large B is good) and the difficulty of generating a valid signature using the private key (small B is good).

Definition 2

For any polynomialh(x) ∈ 𝕏 = 𝔽_q[x]/(f(x)), we define the associated NTRU lattice to be the 2n-dimensional lattice

Lh:=(u(x),v(x))∈Z[x]2:deg⁡(u)≤n−1,deg⁡(v)≤n−1,v(x)≡u(x)h(x)(mod q,f(x)).

Similarly forL_H. We note that (pa(x), b(x)) is a short vector inL_h, but its image inL_His unlikely to be short.

For j = 1, …, n, choose δj(0) at random such that |δj(0)| < 12q − B and δj(0) ≡ δ_j (mod p) and set
s0(x)=∑j=1nδj(0)cj(x).
Define t₀(x) by
t0(x)≡s0(x)h(x)(modq,f(x))
and write
t0(x)≡∑i=0n−1tixi(modq,f(x)).
Note that by construction we have (s₀(x), t₀(x)) ∈ L_h.
Rewrite t₀(x) as a linear combination of the basis c₁(x), …, c_n(x) of 𝕏, say
t0(x)=∑j=1nηjcj(x)for some η1,…,ηn with −12q<ηj≤12q.
If all of the η_j lie in the interval (−12q + B, 12q − B], proceed to Step (iv); otherwise go back to Step (i) and choose new values for the δj(0). (For appropriate choices of parameters, the probability of success at this step is reasonably high; see [8] for details. As described in [8], this step may be used to implement rejection sampling, which provides security against transcript attacks.)
Construct (u(x), v(x)) ∈ L_h such that
u(x)=∑j=1nδj(u)cj(x)andv(x)=∑j=1nδj(v)cj(x),
with |δj(u)|,|δj(v)|<B for all j, with δj(u) ≡ 0 (mod p), and δj(v) + η_j ≡ ϵ_j (mod p) for all j. The procedure for this step is sufficiently complicated that we give the details in Section 3.1.1.
Set s(x) = s₀(x) + u(x) and t(x) = t₀(x) + v(x). Write s(x) and t(x) as linear combination of the basis polynomials c₁(x), …, c_n(x) as in (3), and read off the coefficients of those linear combinations to create the vectors δ and ϵ that form the signature.

3.3.1 Details of Step 4

To construct the desired (u(x), v(x)), we construct an appropriate r(x) which is short, and set

u(x)=pr(x)a(x)andv(x)=r(x)b(x).

We want to find an r(x) that satisfies

r(x)b(x)=∑j=1nδj(v)cj(x)with the |δj(v)|<B and δj(v)+ηj≡ϵ¯j(modp),

and also satisfies

pr(x)a(x)=∑j=1nδj(u)cj(x)with the |δj(u)|<B and δj(u)≡0(modp).

Suppose first that we have any r(x) that is sufficiently short. Since a(x) is short, we see that r(x) a(x) is also short, and we may write

r(x)a(x)=∑i=1ndixi∈Xwith small di.

Then the δj(u)s in the formula

pr(x)a(x)=∑j=1nδj(u)cj(x)

are given by

(δ1(u),…,δn(u))=p(d1,…,dn)U.

As long as all of the d_i and all of the entries of U are sufficiently small, we will have |δj(u)| < B and δj(u) ≡ 0 (mod p) for all j. Thus for whatever sufficiently short r(x) we choose, the δj(u) ≡ 0 (mod p) condition will hold.

We turn now to finding a short r(x) that satisfies

r(x)b(x)=∑j=1nδj(v)cj(x)with |δj(v)|<B and δj(v)≡ϵ¯j−ηj(modp).

To accomplish this, write b(x)=∑i=0n−1bixi, set

(b0,0,b0,1,…,b0,n−1)=(b0,b1,…,bn−1),

and for 1 ≤ i < n, define (b_i,0, b_i,1, …, b_i,n−1) by

xib(x)≡bi,0+bi,1x+⋯+bi,n−1xn−1(modf(x)).

Let 𝓑 denote the matrix whose i, j entry is b_i,j and consider the product 𝓑U. The entries of 𝓑U are small because the b_i,j and the entries of U are small. For any

r(x)=∑i=0n−1rixi≡∑i=1nri′xi(modf(x))

we have

r(x)b(x)=(r1′,r2′,…,rn′)BUc1(x)c2(x)⋮cn(x).

To solve for r(x), first define

(r¯1′,r¯2′,…,r¯n′)≡(δ¯1(v),δ¯2(v),…,δ¯n(v))(BU)−1(modp)

and lift each r¯j′ to rj′ ∈ (−p/2, p/2]. Then define δj(v) by

(δ1(v),…,δn(v))=(r1′,…,rn′)BU.

This accomplishes the goal

r(x)b(x)=∑j=1nδj(v)cj(x)withδj(v)≡δ¯j(v)(modp).

4 Security Considerations

We highlight some of best known attacks. Due to page limitations, we leave other (less effective) known attacks in the appendix.

4.1 The Size of B

The key point is to choose B in such a way that the final signature lies inside an appropriate subset of the (−12q, 12q] box. Recall that

(δ1(v),…,δn(v))=(r1′,…,rn′)BU.

The coefficients ri′ lie in the interval (−p/2, p/2]. Let K be chosen to be the maximum of the absolute values of the entries of 𝓑U. Then each |δj(v)| will be bounded above by a constant multiple of pKn. The same almost applies to |δj(u)|, but because of the multiple of p it will be larger by a factor of p unless some scaling is done to compensate for this, for example, by choosing the original δj(0) from an interval smaller than (−q/2, q/2]. So B must be on the order of pKn. The size of K will be optimal when U and 𝓑 are as sparse as possible.

4.2 Recovering the Isomorphism/Solving CFFI Problem

The attacker is given polynomials C₁(y), …, C_n(y) ∈ 𝕐 that are the images of unknown short polynomials c₁(x), …, c_n(x) ∈ 𝕏 via an unknown isomorphism 𝕏 → 𝕐. For the general CFFI problem, if the attacker knows at least 2n elements of 𝕐 that are images of short elements of 𝕏, then she can set up a mixed lattice/combinatorial attack to recover the short elements of 𝕏 and the isomorphism 𝕏 → 𝕐. See Section B in the appendix for details.

This attack requires 2n elements, but the public key for pqFFSign provides the attacker with only n images of short elements of 𝕏, not 2n. So the attack would seem to fail at this point. However, the fact that f(x) is small means that products of small elements of 𝕏 remain reasonably small. Indeed, that is a key fact being exploited by pqFFSign. So for 1 ≤ i ≤ n, the attacker can create additional elements by taking products such as C_n+i(y) := C₁(y)C_i(y)mod F(y) in 𝕐, and these new elements of 𝕐 will be images of somewhat small elements of 𝕏. This may allow the attack described in Section B to proceed, with the caveat that the target vectors will now be considerably larger than in the basic version of the CFFI problem. On the other hand, since the coordinates of the target vectors will now consist of n very small numbers and n moderately small numbers, the targets are unbalanced. So a full analysis of the underlying lattice problem requires balancing the lattice to account for this imbalance in the targets' coordinates.

4.3 Recovering the Unique Shortest Vector

There are two main security concerns that determine parameters in pqNTRUSign. One is the problem of recovering the private key from the public NTRU key, and the other is the problem of forgery. Of these, the one that has the biggest impact on parameter size is the public key to private key problem. This is because, to make rejection sampling efficient, the q needs to be chosen large compared to n. This makes the lattice problem somewhat easier and forces an increase in the size of n. The forgery problem requires smaller parameters to achieve the same security levels.

In this context there appear at first to be two NTRU-type problems: Recovering a(x), b(x) from h(x), and recovering the corresponding polynomials A(y), B(y) from H(y). However, the polynomial h(x) is private and is only revealed if the underlying isomorphism is discovered, in which case the scheme is considered broken. So this lattice problem does not apply to pqFFSign.

On the other hand, the polynomial H(y) is public, but the corresponding problem of recovering A(y), B(y) from H(y) is not a lattice problem because A(y) and B(y) are polynomials with coefficients that are essentially random mod q, so they are not short. This is a consequence of the fundamental observation that the isomorphism between the two copies of 𝔽_qⁿ does not respect the archimedian properties of the polynomials’ coefficients. Further, since A(y) and B(y) are not short, recovery of them does not appear to be helpful to the attacker.

There is a lattice attack to recover the matrix U from the C_j(y), and this would suffice to break the scheme, but the dimension of the lattice required to solve this problem is at least n². We describe this attack in Section C. For all of these reasons, it thus appears that it suffices to set parameters to avoid forgery attacks, and this should allow for smaller signatures and better operating characteristics. In particular, by choosing the small prime p as close as possible to q, we can make the Gaussian defect of a solution very close to one, which thus makes lattice reduction attacks very difficult even in relatively small dimensions.

5 Conclusion and Future Work

In this work we present a signature scheme (partially) based on the Computational Finite Field Isomorphism Problem (CFFI). Future research directions include:

The hardness of the finite field isomorphism problem

In this paper, we have indicated several ways in which one might try to solve the CFFI problem. However, the quantitative difficulty of the CFFI problem is presently unclear.

Average-case/worse-case hardness

There exists an easy instance of the CFFI problem, namely when f(x) = F(y). It would be of interest to prove that random (or even, all) instances of the CFFI problem with f(x) ≠ F(y) are equally difficult.

Transcript security and rejection sampling

A sufficiently long raw pqNTRUSign transcript allows an attacker to reconstruct a short lattice basis due to the way in which signatures are generated. The use of rejection sampling eliminates this attack by leading to transcripts that are independent of the underlying lattice. (See [8] for details.) Similarly, raw pqFFSign reveals a transcript of short vectors (δ, ϵ) that may contain information about f or (a, b) or U. We expect that rejection sampling can be used to produce key-independent transcripts. Formulating and proving such a result should not be hard, but remains to be done.

Security reduction between pqFFSign and CFFI

It is clear that the security of pqFFSign, the signature scheme that we have proposed in this paper, relies on the difficulty of CFFI. The converse is not clear. It would be quite interesting to give a security reduction showing, say, that breaking pqFFSign plus an algorithm solving some sort of standard hard CVP lattice problem is equivalent to solving the CFFI problem.

Analyze the balanced lattice attack

As discussed in Section 4.2, the lattice attack (Section B) on the pure CFFI problem needs to be balanced before being applied to pqFFSign. Doing this will yield constraints on the various parameters required to achieve a desired level of security. Further, even if the lattice attack succeeds completely, there is still what appears to be a difficult combinatorial problem to solve. This combinatorial problem deserves further study.

Acknowledgement

Hoffstein and Silverman’s research partially supported by NSF #1561709

References

[1] Wieb Bosma, John Cannon and Catherine Playoust, The Magma algebra system. I. The user language., J. Symbolic Comput. 24 (1997), 235–265.10.1006/jsco.1996.0125Search in Google Scholar

[2] Yuanmi Chen and Phong Q. Nguyen, BKZ 2.0: Better Lattice Security Estimates, in: ASIACRYPT, pp. 1–20, 2011.10.1007/978-3-642-25385-0_1Search in Google Scholar

[3] Yarkin Doröz, Jeffrey Hoffstein, Jill Pipher, Joseph H. Silverman, Berk Sunar, William Whyte and Zhenfei Zhang, Fully Homomorphic Encryption from the Finite Field Isomorphism Problem, PKC 2018 (2018).10.1007/978-3-319-76578-5_5Search in Google Scholar

[4] Léo Ducas, Alain Durmus, Tancrède Lepoint and Vadim Lyubashevsky, Lattice Signatures and Bimodal Gaussians, CRYPTO 2013 (Ran Canetti and Juan A. Garay, eds.), LNCS 8042, Springer, 2013, pp. 40–56.10.1007/978-3-642-40041-4_3Search in Google Scholar

[5] Léo Ducas and Phong Q. Nguyen, Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures, in: Advances in Cryptology - ASIACRYPT 2012 - 18th International Conference on the Theory and Application of Cryptology and Information Security, Beijing, China, December 2-6, 2012. Proceedings, pp. 433–450, 2012.10.1007/978-3-642-34961-4_27Search in Google Scholar

[6] Oded Goldreich, Shafi Goldwasser and Shai Halevi, Public-Key Cryptosystems from Lattice Reduction Problems, in: CRYPTO, pp. 112–131, 1997.10.1007/BFb0052231Search in Google Scholar

[7] Jeffrey Hoffstein, Nick Howgrave-Graham, Jill Pipher, Joseph H. Silverman and William Whyte, NTRUSIGN: Digital Signatures Using the NTRU Lattice, in: Topics in Cryptology - CT-RSA 2003, The Cryptographers' Track at the RSA Conference 2003, San Francisco, CA, USA, April 13-17, 2003, Proceedings, pp. 122–140, 2003.10.1007/3-540-36563-X_9Search in Google Scholar

[8] Jeffrey Hoffstein, Jill Pipher, John M. Schanck, Joseph H. Silverman and William Whyte, Transcript Secure Signatures Based on Modular Lattices, in: Post-Quantum Cryptography - 6th International Workshop, PQCrypto 2014, Waterloo, ON, Canada, October 1-3, 2014. Proceedings, pp. 142–159, 2014.10.1007/978-3-319-11659-4_9Search in Google Scholar

[9] Jeffrey Hoffstein, Jill Pipher and Joseph H. Silverman, NTRU: A Ring-Based Public Key Cryptosystem, in: ANTS, pp. 267–288, 1998.10.1007/BFb0054868Search in Google Scholar

[10] Jeffrey Hoffstein, Jill Pipher, William Whyte and Zhenfei Zhang, A signature scheme from Learning with Truncation, Cryptology ePrint Archive, Report 2017/995, 2017, http://eprint.iacr.org/2017/995.Search in Google Scholar

[11] Nick Howgrave-Graham, A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU, in: CRYPTO, pp. 150–169, 2007.10.1007/978-3-540-74143-5_9Search in Google Scholar

[12] K. Ireland and M. Rosen, A Classical Introduction to Modern Number Theory, Springer-Verlag, 1990.10.1007/978-1-4757-2103-4Search in Google Scholar

[13] Vadim Lyubashevsky, Fiat-shamir with aborts: Applications to lattice and factoring-based signatures, ASIACRYPT 2009, Springer, 2009, pp. 598–616.10.1007/978-3-642-10366-7_35Search in Google Scholar

[14] Vadim Lyubashevsky, Lattice Signatures without Trapdoors, EUROCRYPT2012 (David Pointcheval and Thomas Johansson, eds.), LNCS 7237, Springer, 2012, pp. 738–755.10.1007/978-3-642-29011-4_43Search in Google Scholar

[15] Gary L. Miller, Riemann's hypothesis and tests for primality, Journal of Computer and System Sciences13 (1976), 300 – 317.10.1016/S0022-0000(76)80043-8Search in Google Scholar

[16] Phong Q. Nguyen and Oded Regev, Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures, J. Cryptology22 (2009), 139–160.10.1007/s00145-008-9031-0Search in Google Scholar

[17] NIST, Post-Quantum Cryptography - Round 1 Submissions, https://csrc.nist.gov/Projects/Post-Quantum-Cryptography/Round-1-Submissions.Search in Google Scholar

[18] Michael O Rabin, Probabilistic algorithm for testing primality, Journal of Number Theory12 (1980), 128 – 138.10.1016/0022-314X(80)90084-0Search in Google Scholar

[19] Damien Stehlé and Ron Steinfeld, Making NTRU as Secure as Worst-Case Problems over Ideal Lattices, in: Advances in Cryptology - EUROCRYPT2011 - 30th Annual International Conference on the Theory and Applications of Cryptographic Techniques, Tallinn, Estonia, May 15-19, 2011. Proceedings, pp. 27–47, 2011.10.1007/978-3-642-20465-4_4Search in Google Scholar

A Security Against Forgery

Recall that a signature is a pair of vectors δ = (δ₁, …, δ_n), and ϵ = (ε₁, …, ε_n), where (δ, ϵ) mod p = (δ, ϵ). Hence (δ, ϵ) is a vector in a translated lattice

(δ,ϵ)∈L1:=pZ2n+(δ¯,ϵ¯).

Next, using the formulas

S(y)=∑i=1nδiCi(y),T(y)=∑i=1nϵiCi(y),S(y)H(y)=T(y),

we have

δC(y)H(y)=ϵC(y).

That is, (δ, ϵ) is also in the lattice

(δ,ϵ)∈L2:=RowSpanqIn0CHC−1In.

We observe that any vector in the intersection L₁ ∩ L₂ is a potential signature. We have

det(L1)=p2n,det(L1)=qn,det(L1∩L2)=p2nqn,

where the last equality uses the assumption that gcd(p, q) = 1. Hence the Gaussian heuristic for the shortest nonzero vector in L₁ ∩ L₂ is

GH⁡(L1∩L2)=2dim⁡(L1∩L2)πedet(L1∩L2)1dim=p2qNπe.

Further, we se that the L² norm of the target vector is bounded by

∥(δ,ϵ)∥2≤2Nq.

This yields the root Hermite factor

γ(L1∩L2)=2Nqp2qN/πe1/2n=2πeq/p1/2n.

Hence a lattice attack will be infeasible if we choose parameters to ensure that

2πeq/p1/2n<γexp,

where γ_exp is chosen to be the experimental Hermite factor expected to be achievable via lattice reduction algorithms. For example, using the LLL-BKZ 2.0 algorithms, a Hermite factor γ = 1.005 seems to be secure; see [2].

B A Combined Lattice-Combinatorial Attack on the CFFI Problem

We consider the CFFI problem under the assumption that k ≥ 2n, so the attacker is given polynomials A₁(y), …, A_k(y) ∈ 𝕐 that are the images of polynomials a₁(x), …, a_k(x) ∈ 𝕏 having small coefficients. We identify a polynomial C(y) = C₀ + ⋯ + C_n−1yⁿ⁻¹ ∈ 𝕐 with the row vector C := (C₀, …, C_n−1) ∈ Fqn, and similarly for elements of 𝕏. Then the (unknown) isomorphism ψ:𝕐 → 𝕏 is given by an n × n matrix Ψ, i.e., Ψ is the matrix of ψ relative to the bases {1, …, yⁿ⁻¹} of 𝕐 and {1, …, xⁿ⁻¹} of 𝕏. Note that with this notation, we have ψ(C(y)) = CΨ.

We form four n × n matrices

M:=A1⋮An,N:=An+1⋮A2n,m:=a1⋮an,n:=an+1⋮a2n.

In other words, the rows of 𝔐 are the vectors A₁, …, A_n, and similarly for the other matrices. Then by assumption we have the matrix formulas

MΨ=mandNΨ=n,and thusNM−1m=n,

where all computations are done in 𝔽_q. Note that although the matrix Ψ has unknown random coefficients, the matrices 𝔐 and 𝔫 have unknown small coefficients, and the matrices 𝔐 and 𝔑 are known. So this last formula will allow us to describe a known lattice with unknown short target vectors.

For each 1 ≤ t ≤ n, let

vt:=coordinates are the tth−column of mand whose secondn coordinates are the tth−column of n.∈Z2n,

where we have, as usual, lifted numbers from 𝔽_q to an interval centered at 0. Then the relation 𝔑𝔐⁻¹𝔐 = 𝔫 tells us that

vt∈L:=Column SpanI0NM−1qI.

We may thus use lattice reduction methods to search for the n short vectors 𝔳₁, …, 𝔳_n in the known lattice 𝔏.

The lattice $𝔏$ satisfies

dimL=2nandDetL=qn,

so the Gaussian expected norm of the smallest vector in 𝔏 is

GH⁡(L)=dimL/πe(DetL)1/dimL=2nqπe.

On the other hand, if we assume that the coefficients of a₁, …, a_2n are random integers in the interval from −β to β, as in the statement of CFFI, then the expected length of each target vector 𝔳_t is roughly τ := 2n/3β. Hence the root Hermite ratio is

γ(L):=GH⁡(L)τ1/dimL≈1β3qπe1/2n.

We remark that currently a Hermite ratio smaller than 1.005 appears to achieve reasonable security; cf. [2].

There are two additional issues. First, it is not clear that the set

S:={vt:1≤t≤n}

of target vectors consists of the n shortest linearly independent vectors in 𝔏. Thus even a complete lattice reduction that finds an “optimal basis” for 𝔏 may only return some small linear combinations of the elements of 𝓢. The attacker would then have to unsort these small linear combinations to find the set 𝓢.

Second, even if the attacker finds the exact set of short vector 𝓢, there is a combinatorial problem to solve, since the set 𝓢 comes with no preferred order. But the coordinates of 𝔳_t are the coefficients of x^t in a₁, …, a_2n, so recovery of a₁, …, a_2n and reconstruction of Ψ works only if the set of short vectors 𝓢 is put in the correct order. There are n! ways to reorder 𝓢, so if n is large, a full search, or even a collision search, is infeasible. It remains an open problem to find a faster method to correctly order the elements of 𝓢.

C Attack to Recover U

During key generation we construct a set of polynomials c₁(x), …, c_n(x) by choosing an n × n sparse matrix U and setting

c1(x)c2(x)⋮cn(x)≡U−1xx2⋮xn(modq).

Then for example we have

∑i=1nu1,ici(x)=x,∑i=1nu2,ici(x)=x2,∑i=1nu3,ici(x)=x3,

so using the fact that x ⋅ x² = x³, we find that

∑i=1nu1,ici(x)∑j=1nu2,jcj(x)≡∑k=1nu3,kck(x)(modf(x),q).

This in turn gives a formula in 𝕐,

∑i=1nu1,iCi(y)∑j=1nu2,jCj(y)≡∑k=1nu3,kCk(y)(modF(y),q).

Multiplying this out gives

∑i=1nu1,iu2,i⏟viCi(y)2+∑i=1n−1∑j=i+1n(u1,iu2,j+u1,ju2,i)⏟wijCi(y)Cj(y)≡∑k=1nu3,kCk(y)(modF(y),q).

Reducing the various C_i(y)C_j(y) products modulo F(y) yields a system of n linear equations over 𝔽_q in the variables

{vi:1≤i≤n}∪{wij:1≤i<j≤n}∪{u3,k:1≤k≤n}.

To ease notation, we write N = 12n(n + 3) for the number of variables, we write t = (v_i, w_ij, u_3,k) for the vector consisting of these variables, and we let M be the N × n matrix giving the system of linear equations over 𝔽_q. Then we obtain a matrix formula

t∗INM0qIn=t0.

This gives a lattice problem of dimension N + n and determinant qⁿ with target vector t.^[2]

The size of the target t depends on the distribution of the entries in U. For simplicity, suppose that the entries of U are chosen uniformly and independently from {−1, 0, 1}. Then each w_ij satisfies

Prob⁡(wij=±2)=281,Prob⁡(wij=±1)=2081,Prob⁡(wij=0)=3781.

So even ignoring the v_i and u_3,k coordinates of t, we find that the expected value of ∥t∥22 is at least

n(n−1)2281⋅4+2081⋅1+3781⋅0=1481(n2−n),

so we expect ∥t∥ to be roughly n14/9. On the other hand, the Gaussian expected length of the shortest non-zero vector in the lattice is roughly

n2/πe⋅(qn)1/n2≈0.1⋅n⋅q1/n.

Thus even for quite large values of q, the target vector is likely to be considerably larger than many other (useless) short vectors in the lattice. For example, if n = 100, then the target only becomes a likely shortest vector if q > 10¹¹¹.

D A Non-Linear Attack

It is possible to use multiplication and reduction modulo F(y) in 𝕐 to set up an attack in which one has to find small solutions to certain non-linear equations. Such problems appear to be completely infeasible, which we illustrate with a toy example with n = 3.

The attacker knows the polynomials

c′(y)=c0′+c1′y+c2′y2,c″(y)=c0″+c1″y+c2″y2,h(y)=y2+h0y+h1.

To make life easier, we take h(y) = y³ + y + 1. The attacker tries to find the small polynomials

m′(x)=m0′+m1′x+m2′x2 andm″(x)=m0″+m1″x+m2″x2

by eliminating the polynomial ϕ(y) = ϕ₀ + ϕ₁y + ϕ₂y² from the congruences

c0′+c1′y+c2′y2≡m0′+m1′(ϕ0+ϕ1y+ϕ2y2)+m2′(ϕ0+ϕ1y+ϕ2y2)2(mody3+y+1),c0″+c1″y+c2″y2≡m0″+m1″(ϕ0+ϕ1y+ϕ2y2)+m2″(ϕ0+ϕ1y+ϕ2y2)2(mody3+y+1).

Expanding and reducing modulo y³ + y + 1, we find that

c0′+c1′y+c2′y2=(m2′ϕ02+m1′ϕ0−2m2′ϕ2ϕ1+m0′)+(2m2′ϕ1ϕ0−2m2′ϕ2ϕ1+m1′ϕ1−m2′ϕ22)y+(2m2′ϕ2ϕ0+m2′ϕ12−m2′ϕ22+m1′ϕ2)y2,

and similarly for c″. So we get 6 equations

m2′ϕ02+m1′ϕ0−2m2′ϕ2ϕ1+m0′=c0′2m2′ϕ1ϕ0−2m2′ϕ2ϕ1+m1′ϕ1−m2′ϕ22=c1′2m2′ϕ2ϕ0+m2′ϕ12−m2′ϕ22+m1′ϕ2=c2′m2″ϕ02+m1″ϕ0−2m2″ϕ2ϕ1+m0″=c0″2m2″ϕ1ϕ0−2m2″ϕ2ϕ1+m1″ϕ1−m2″ϕ22=c1″2m2″ϕ2ϕ0+m2″ϕ12−m2″ϕ22+m1″ϕ2=c2″

in the 9 variables m0′,m1′,m2′,m0″,m1″,m2″,ϕ0,ϕ1,ϕ2. These equations are linear in the small variables mi′ and mi″, but are non-linear in the large variables ϕ_i that need to be eliminated. Eliminating the large variables, we are left with three highly non-linear polynomials in the six unknowns mi′,mi″. In other words, we need to find points with small coordinates on a 3-dimensional variety sitting in 6-dimensional space.

To investigate further, we computed an explicit example. We worked over 𝔽₁₁ and took (c0′,c1′,c2′,c0″,c1″,c2″) = (1, 2, 3, 4, 5, 6). We used the Grobner-basis routine in Magma [1] to eliminate ϕ₀, ϕ₁, ϕ₂ from the 6 equations. The resulting equations for the 6 variables mi′,mi″ covered more then two pages of small type and had no discernable structure.

Received: 2020-02-07

Accepted: 2020-02-05

Published Online: 2020-06-14

This work is licensed under the Creative Commons Attribution 4.0 International License.

A signature scheme from the finite field isomorphism problem

Abstract

1 Introduction

Definition 1

Remark 1

Lattice-based signatures and rejection sampling

2 Preliminaries

2.1 Notation

2.2 Two Uniformity Heuristics

Heuristic 1

Heuristic 2

3 The pqFF-Sign Signature Scheme

3.1 An Algorithm to Find an Isomorphism

Remark 2

Algorithm 1

3.2 The Detailed Scheme

Key generation

Signing

Verification

Remark 3

Remark 4

Remark 5

3.3 Algorithm To Find (δ, ϵ)

Definition 2

3.3.1 Details of Step 4

4 Security Considerations

4.1 The Size of B

4.2 Recovering the Isomorphism/Solving CFFI Problem

4.3 Recovering the Unique Shortest Vector

5 Conclusion and Future Work

The hardness of the finite field isomorphism problem

Average-case/worse-case hardness

Transcript security and rejection sampling

Security reduction between pqFFSign and CFFI

Analyze the balanced lattice attack

Acknowledgement

References

A Security Against Forgery

B A Combined Lattice-Combinatorial Attack on the CFFI Problem

C Attack to Recover U

D A Non-Linear Attack

Journal and Issue

Articles in the same Issue