PollyCracker Revisited
Martin Albrecht (1), Pooya Farshim (2), Ludovic Perret (1), Jean-Charles Faugère (1)
(1) SALSA Project - INRIA, UPMC, Univ Paris 06
(2) Information Security Group, Royal Holloway, University of London
25 May 2011

Outline
Motivation
Gröbner Basics
Gröbner Basis and Ideal Membership Problems
Symmetric PollyCracker
Symmetric to Asymmetric Conversion
Noisy Variants

Homomorphic Encryption I
- From an algebraic perspective, homomorphic encryption can be seen as the ability to evaluate multivariate (Boolean) polynomials over ciphertexts.
- Hence, an instantiation of homomorphic encryption over the ring of multivariate polynomials itself is perhaps the most natural.

Homomorphic Encryption II
- Let I ⊂ P = F[x_0, ..., x_{n−1}] be some ideal and denote by Encode() an injective function, with inverse Decode(), that maps bits to elements in the quotient ring P/I.
- Assume that Decode(Encode(m_0) ◦ Encode(m_1)) = m_0 ◦ m_1 for ◦ ∈ {+, ·}.
- We can encrypt a message m as c = f + Encode(m) for f ∈ I.
- Decryption is performed by computing remainders modulo I.

Homomorphic Encryption III
- This construction is somewhat homomorphic:
$c_0 + c_1 = f_0 + \mathrm{Encode}(m_0) + f_1 + \mathrm{Encode}(m_1) = f + \mathrm{Encode}(m_0) + \mathrm{Encode}(m_1)$ for some $f \in I$.
$c_0 \cdot c_1 = (f_0 + \mathrm{Encode}(m_0)) \cdot (f_1 + \mathrm{Encode}(m_1)) = f_0 \cdot f_1 + f_0 \cdot \mathrm{Encode}(m_1) + f_1 \cdot \mathrm{Encode}(m_0) + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1) = f + \mathrm{Encode}(m_0) \cdot \mathrm{Encode}(m_1)$ for some $f \in I$.
- This construction is Polly Cracker.

Homomorphic Encryption IV
- However, our confidence in Polly Cracker-style schemes has been shaken, as almost all such proposals are broken.
- It is a long-standing open research challenge to propose a secure Polly Cracker-style encryption scheme,
- ...even better if we can make it somewhat homomorphic.
Boo Barkee, Deh Cac Can, Julia Ecks, Theo Moriarty, and R. F. Ree. Why you cannot even hope to use Gröbner bases in Public Key Cryptography: An open letter to a scientist who failed and a challenge to those who have not yet failed. Journal of Symbolic Computation, 18(6):497–501, 1994.

Notation I
- P = F[x_0, ..., x_{n−1}] with some ordering on monomials.
- P_{≤b}: the elements of P of degree at most b.
- LM(f) is the leading monomial appearing in f ∈ P.
- LC(f) is the coefficient corresponding to LM(f) in f.
- LT(f) is LC(f)·LM(f).

Notation II
An example in F[x, y, z] with term ordering deglex:
f = 3yz + 2x + 1
- LM(f) = yz,
- LC(f) = 3 and
- LT(f) = 3yz.

Notation III
Definition (Generated Ideal)
Let f_0, ..., f_{m−1} be polynomials in P. Define the set
$\langle f_0, \ldots, f_{m-1} \rangle := \left\{ \sum_{i=0}^{m-1} h_i f_i : h_0, \ldots, h_{m-1} \in P \right\}.$
This set I is an ideal, called the ideal generated by f_0, ..., f_{m−1}.

Notation IV
Definition (Gröbner Basis)
Let I be an ideal of F[x_0, ..., x_{n−1}] and fix a monomial ordering. A finite subset
G = {g_0, ..., g_{m−1}} ⊂ I
is said to be a Gröbner basis of I if for any f ∈ I there exists g_i ∈ G with
LM(g_i) | LM(f).
For each ideal I and monomial ordering there is a unique reduced Gröbner basis, which can be computed in polynomial time from any Gröbner basis.
Gröbner bases allow us to compute remainders modulo I: r = f mod I = f mod G.

Characterisation of Gröbner bases I
Definition (S-Polynomial)
The S-polynomial of f and g is defined as
$S(f,g) = \frac{x^{\gamma}}{\mathrm{LT}(f)} \cdot f - \frac{x^{\gamma}}{\mathrm{LT}(g)} \cdot g,$
where $x^{\gamma} = \mathrm{LCM}(\mathrm{LM}(f), \mathrm{LM}(g))$.

Characterisation of Gröbner bases II
Definition (t-Representation)
Fix a monomial order and let F = {f_0, ..., f_{m−1}} ⊂ P be an unordered set of polynomials and let t be a monomial. Given a polynomial f ∈ P, we say that f has a t-representation if f can be written in the form
$f = h_0 f_0 + \cdots + h_{m-1} f_{m-1},$
such that whenever $h_i f_i \neq 0$, we have $h_i f_i \le t$.
Furthermore, we write $f \xrightarrow{F} 0$ if and only if f has an LM(f)-representation with respect to F.

Characterisation of Gröbner bases III
Theorem
A basis G = {g_0, ..., g_{s−1}} for an ideal I is a Gröbner basis if and only if
$S(g_i, g_j) \xrightarrow{G} 0$ for all $i \neq j$.

Generating Gröbner bases
Algorithm 1: GBGen_dense(1^λ, P, d)
begin
  for 0 ≤ i < n do
    for 0 ≤ j < |M_{< x_i^d}| do
      c_ij ←$ F_q;
    g_i ← x_i^d + Σ_j c_ij m_j;
  return (g_0, ..., g_{n−1});
end
Here m_j ranges over M_{< x_i^d}, the monomials smaller than x_i^d in the fixed ordering, so LM(g_i) = x_i^d.
Theorem
Let f, g ∈ F[x_0, ..., x_{n−1}] with a = LM(f) and b = LM(g) and LCM(a, b) = a · b. Then
$S(f,g) \xrightarrow{\{f,g\}} 0.$
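An added example (not from the slides) that implements the notation above in plain Python: the deglex order, the division algorithm for f mod G, S-polynomials, Buchberger's criterion from the previous slide, and GBGen_dense. It checks that a basis of the GBGen_dense shape passes the criterion, which is what the coprime-leading-monomial theorem predicts since the x_i^d are pairwise coprime. Polynomials are dicts from exponent tuples to coefficients mod q; q, n and d are constructed toy values.

```python
import itertools, random
Q, N, D = 7, 3, 2   # constructed: field size q, number of variables n, degree d

def key(mono):                      # deglex: total degree first, then lex
    return (sum(mono), mono)
def clean(f):                       # drop zero coefficients, reduce mod q
    return {m: c % Q for m, c in f.items() if c % Q}
def add(f, g):
    return clean({m: f.get(m, 0) + g.get(m, 0) for m in set(f) | set(g)})
def mul(f, g):
    h = {}
    for (a, ca), (b, cb) in itertools.product(f.items(), g.items()):
        m = tuple(i + j for i, j in zip(a, b))
        h[m] = h.get(m, 0) + ca * cb
    return clean(h)
def lm(f):                          # LM(f): deglex-largest monomial of a nonzero f
    return max(f, key=key)

def normal_form(f, G):
    """f mod G via the multivariate division algorithm (remainder only)."""
    f, r = dict(f), {}
    while f:
        m = lm(f)
        for g in G:
            lg = lm(g)
            if all(i >= j for i, j in zip(m, lg)):          # LM(g) divides m
                q = tuple(i - j for i, j in zip(m, lg))
                f = add(f, mul({q: -f[m] * pow(g[lg], -1, Q)}, g))
                break
        else:                                               # no LM(g) divides m
            r[m] = f.pop(m)
    return r
def spoly(f, g):
    """S(f,g) = x^gamma/LT(f) * f - x^gamma/LT(g) * g with x^gamma = LCM(LM(f), LM(g))."""
    lf, lg = lm(f), lm(g)
    gamma = tuple(max(i, j) for i, j in zip(lf, lg))
    tf = {tuple(i - j for i, j in zip(gamma, lf)): pow(f[lf], -1, Q)}
    tg = {tuple(i - j for i, j in zip(gamma, lg)): -pow(g[lg], -1, Q)}
    return add(mul(tf, f), mul(tg, g))

def is_groebner(G):
    """Buchberger's criterion: every S(g_i, g_j) reduces to 0 modulo G."""
    return all(not normal_form(spoly(f, g), G) for f, g in itertools.combinations(G, 2))

def gbgen_dense(seed):
    """GBGen_dense: g_i = x_i^d + sum_j c_ij m_j over the monomials m_j < x_i^d."""
    rng, G = random.Random(seed), []
    for i in range(N):
        lead = tuple(D if k == i else 0 for k in range(N))
        g = {lead: 1}
        for m in itertools.product(range(D + 1), repeat=N):
            if sum(m) <= D and key(m) < key(lead):
                g[m] = rng.randrange(Q)
        G.append(clean(g))
    return G
```

Because the output of gbgen_dense is a Gröbner basis, normal_form is the unique remainder: adding any multiple of a basis element to f leaves it unchanged.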

Formalising the Problems I
proc. Initialize(1^λ, P, d):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  return (1^λ, P);
end
proc. Sample():
begin
  f ←$ P_{≤b};
  f ← f − (f mod G);
  return f;
end
proc. Finalize(G′):
begin
  return (G = G′);
end
Figure 1: Game GB_{P,GBGen(·),d,b,m}. An adversary is valid if it calls the Sample oracle at most m(λ) times.

Formalising the Problems II
Definition (Gröbner Basis (GB) Problem)
The advantage of a ppt algorithm A in solving the Gröbner basis problem with respect to basis generation algorithm GBGen(·) is defined by
$\mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := \Pr\left[\mathrm{GB}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow T\right],$
where game GB_{P,GBGen(·),d,b,m(·)} is shown in Figure 1.

Formalising the Problems III
proc. Initialize(1^λ, P, d):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  return (1^λ, P);
end
proc. Sample():
begin
  f ←$ P_{≤b};
  f ← f − (f mod G);
  return f;
end
proc. Challenge():
begin
  f ←$ P_{≤b};
  return f;
end
proc. Finalize(r′):
begin
  return (r′ = f mod G);
end
Figure 2: Game IR_{P,GBGen(·),d,b,m}. An adversary is valid if it calls the Sample oracle at most m(λ) times.

Formalising the Problems IV
Definition (Ideal Remainder (IR) Problem)
The advantage of a ppt algorithm A in solving the ideal remainder problem is defined by
$\mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := \Pr\left[\mathrm{IR}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow T\right] - 1/C(\lambda),$
where game IR_{P,GBGen(·),d,b,m(·)} is shown in Figure 2.

Formalising the Problems V
proc. Initialize(1^λ, P, d):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  c ←$ {0, 1};
  return (1^λ, P);
end
proc. Sample():
begin
  f ←$ P_{≤b};
  f ← f − (f mod G);
  return f;
end
proc. Challenge():
begin
  f ←$ P_{≤b};
  if c = 1 then
    f ← f − (f mod G);
  return f;
end
proc. Finalize(c′):
begin
  return (c = c′);
end
Figure 3: Game IM_{P,GBGen(·),d,b,m}. An adversary is valid if it calls the Sample oracle at most m(λ) times.

Formalising the Problems VI
Definition (Ideal Membership (IM) Problem)
The advantage of a ppt algorithm A in solving the ideal membership problem is defined by
$\mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot),A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IM}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,m(\cdot)}(\lambda) \Rightarrow T\right] - 1,$
where game IM_{P,GBGen(·),d,b,m(·)} is shown in Figure 3.
Note
We can view the IM problem as the decisional version of the IR problem.

Hardness I
Lemma (IR ⇔ GB)
For any ppt adversary A against the IR problem, there exists a ppt adversary B against the GB problem such that
$\frac{\mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda)}{\mathrm{poly}(\lambda)} \le \mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda).$
Conversely, for any ppt adversary B against the GB problem, there exists a ppt adversary A against the IR problem such that
$\mathrm{Adv}^{\mathrm{gb}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda) = \mathrm{Adv}^{\mathrm{ir}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda).$

Hardness II
Proof for first direction.
Consider an arbitrary element g_i in the Gröbner basis G. We can write g_i as m_i + g̃_i for some g̃_i < g_i and m_i = LM(g_i).
Now, assume the normal form of m_i is r_i and suppose that r_i < m_i. This implies that $m_i = \sum_{j=0}^{n-1} h_j g_j + r_i$ for some h_j ∈ P. Hence, we have m_i − r_i ∈ ⟨G⟩: an element ∈ ⟨G⟩ with leading monomial m_i.
Repeat this process for all monomials up to and including degree d and accumulate the results m_i − r_i in a list G̃.
The list G̃ is a list of elements ∈ ⟨G⟩ with LM(G̃) ⊇ LM(G), which implies G̃ is a Gröbner basis.
We cannot amplify our confidence since we only have a limited number of samples.

Hardness III
IR ⇔ IM
When the search space of remainders is poly(λ), the IM and IR problems are equivalent, since the attacker can exhaustively search for the remainder using the IM oracle.
Thus, we have a decision-to-search reduction for some parameters.

Hardness IV
Assuming that f_0, ..., f_{m−1} is a random system, the complexity of the currently best known algorithms (i.e. F5) to solve the GB problem is given by
$O\left(\binom{n+D}{D}^{\omega}\right) = O\left(\left(n^{D}\right)^{\omega}\right),$
where 2 ≤ ω < 3 is the linear algebra constant, and D is given by the index of the first non-positive coefficient of
$\sum_{k \ge 0} c_k z^k = \frac{(1 - z^b)^m}{(1 - z)^n}.$
Thus Gröbner bases are exponential in n if D is polynomial in n.

Hardness V
Corollary
Let c ≥ 0. Then for m(λ) = c · n(λ) or m(λ) = c · n(λ)^b polynomials of degree b in some ideal I, the Gröbner basis of I can be computed in exponential or polynomial time in n(λ), respectively.
Definition (GB/IR/IM Assumption)
Let P be such that n(λ) = Ω(λ). Assume b − d > 0, b > 1, and that m(λ) = c · n(λ) for a constant c ≥ 1. Then the advantage of any ppt algorithm in solving the GB/IR/IM problem is negligible as a function of λ.

Symmetric PollyCracker I
Algo. Gen_{P,GBGen(·),d,b}(1^λ):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  SK ← (G, P, b);
  PK ← (P, b);
  return (SK, PK);
end
Algo. Enc(m, SK):
begin
  f ←$ P_{≤b};
  f ← f − (f mod G);
  c ← m + f;
  return c;
end
Algo. Dec(c, SK):
begin
  m ← c mod G;
  return m;
end
Algo. Eval(c_0, ..., c_{t−1}, C, PK):
begin
  apply the Add and Mult gates of C over P;
  return the result;
end
Figure 4: The noise-free symmetric Polly Cracker scheme SPC_{P,GBGen(·),d,b}.
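An added worked example (not the authors' toy implementation) of the scheme in Figure 4 and of the Encode/Decode construction from the Homomorphic Encryption slides, for the special case d = 1: then GBGen returns G = {x_i − s_i}, the quotient P/I is F_q with Encode the identity, and f mod G is the constant f(s), so Dec is evaluation at the secret point s. Polynomials are dicts from exponent tuples to coefficients mod q; n, q, b and the messages are constructed toy values.

```python
import itertools, random

def clean(f, q):                    # drop zero coefficients, reduce mod q
    return {m: c % q for m, c in f.items() if c % q}
def add(f, g, q):
    return clean({m: f.get(m, 0) + g.get(m, 0) for m in set(f) | set(g)}, q)
def mul(f, g, q):
    h = {}
    for (a, ca), (b, cb) in itertools.product(f.items(), g.items()):
        m = tuple(i + j for i, j in zip(a, b))
        h[m] = h.get(m, 0) + ca * cb
    return clean(h, q)

def evaluate(f, s, q):
    """f mod G for G = {x_i - s_i} is the constant f(s) (assumption: d = 1)."""
    total = 0
    for mono, c in f.items():
        for e, v in zip(mono, s):
            c = c * pow(v, e, q) % q
        total += c
    return total % q

def gen(n, q, b, rng):
    """Gen: SK = (G, P, b) with G = {x_i - s_i} given by the secret point s; PK = (P, b)."""
    s = tuple(rng.randrange(q) for _ in range(n))
    return {"s": s, "n": n, "q": q, "b": b}, {"n": n, "q": q, "b": b}

def enc(m, sk, rng):
    """Enc: f <-$ P_{<=b}; f <- f - (f mod G); c <- m + f."""
    n, q, b = sk["n"], sk["q"], sk["b"]
    monos = [x for x in itertools.product(range(b + 1), repeat=n) if sum(x) <= b]
    f = clean({x: rng.randrange(q) for x in monos}, q)
    f = add(f, {(0,) * n: -evaluate(f, sk["s"], q)}, q)   # f is now an element of <G>
    return add(f, {(0,) * n: m}, q)
def dec(c, sk):
    """Dec: m <- c mod G, i.e. evaluate c at the secret point."""
    return evaluate(c, sk["s"], sk["q"])

def eval_circuit(cts, gates, pk):
    """Eval: apply ('add'|'mul', i, j) gates over P; gate k's output is wire len(cts) + k."""
    wires = list(cts)
    for op, i, j in gates:
        wires.append((add if op == "add" else mul)(wires[i], wires[j], pk["q"]))
    return wires[-1]

def demo(seed):
    """Encrypt 5 and 9 (n=4, q=17, b=2) and decrypt c0+c1, c0*c1 and (c0+c1)*c0."""
    rng = random.Random(seed)
    sk, pk = gen(4, 17, 2, rng)
    c0, c1 = enc(5, sk, rng), enc(9, sk, rng)
    c_sum = eval_circuit([c0, c1], [("add", 0, 1)], pk)
    c_prod = eval_circuit([c0, c1], [("mul", 0, 1)], pk)
    c_circ = eval_circuit([c0, c1], [("add", 0, 1), ("mul", 2, 0)], pk)
    return {"sum": dec(c_sum, sk), "prod": dec(c_prod, sk), "circuit": dec(c_circ, sk),
            "prod_degree": max(sum(mono) for mono in c_prod)}
```

Each multiplication doubles the ciphertext degree (here from b = 2 to 4), which is the growth the degree-bounded games and the 2b ⇒ b reduction later in the deck are about.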

Security I
The m(·)-time IND-CPA security of a (homomorphic) symmetric-key encryption scheme is defined in the usual way by requiring that the advantage of any probabilistic polynomial-time adversary A
$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m(\cdot),\mathrm{SKE},A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IND\text{-}BCPA}^{A}_{m(\cdot),\mathrm{SKE}}(\lambda) \Rightarrow T\right] - 1$
is negligible as a function of the security parameter λ. The difference from the usual CPA security is that the adversary can query the encryption oracle at most m(λ) times.

Security II
Theorem
Let A be a ppt adversary against the m-time IND-BCPA security of the scheme described in Figure 4. Then there exists a ppt adversary B against the IM problem such that for all λ ∈ N we have
$\mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m,\mathrm{SPC},A}(\lambda) = 2 \cdot \mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m,B}(\lambda).$
Conversely, let A be a ppt adversary against the IM problem. Then there exists a ppt adversary B against the m-time IND-BCPA security of the scheme described in Figure 4 such that for all λ ∈ N we have
$\mathrm{Adv}^{\mathrm{im}}_{P,\mathrm{GBGen}(\cdot),d,b,m,A}(\lambda) = \mathrm{Adv}^{\mathrm{ind\text{-}bcpa}}_{m,\mathrm{SPC},B}(\lambda).$

Conversions in the Literature
- There are a few techniques in the literature which convert an IND-CPA symmetric additively homomorphic scheme to an IND-CPA public-key additively homomorphic scheme.
- One such conversion is to publish N encryptions of zero f_0, ..., f_{N−1} and to encrypt as
$c = \sum_{s \in S} f_s + m,$
where S is a subset of {0, ..., N − 1}.
While PollyCracker is additively homomorphic and secure up to some bound, none of the proposed conversions give a secure scheme.

Impossibility Result I
Theorem (Dickenstein, Fitchas, Giusti, and Sessa)
Let I = ⟨f_0, ..., f_{m−1}⟩ be an ideal in P = F[x_0, ..., x_{n−1}], h be such that deg(h) ≤ D, and
$h - (h \bmod I) = \sum_{i=0}^{m-1} h_i f_i,$
where h_i ∈ P and deg(h_i f_i) ≤ D.
Let G be the output of some Gröbner basis computation algorithm up to degree D (i.e. all computations with degree greater than D are ignored and dropped). Then h mod I can be computed by polynomial reduction of h via G.

Impossibility Result II
Theorem
Let I = ⟨f_0, ..., f_{m−1}⟩ be an ideal in P = F[x_0, ..., x_{n−1}]. If there is a ppt algorithm A which samples elements from I uniformly given only (f_0, ..., f_{m−1}) ∈ I, then there exists a ppt algorithm B which computes a Gröbner basis for I.
Proof.
We can compute the normal forms of any f produced by A in polynomial time since we know f_0, ..., f_{m−1}. If f is arbitrary in the ideal I, we know that normal forms are equivalent to Gröbner basis computations. Thus, we have a polynomial time algorithm for computing Gröbner bases.

Discrete Gaussian
A noise distribution χ will parametrise various games below. The discrete Gaussian distribution is of particular interest to us.
Definition (Discrete Gaussian Distribution)
Let α > 0 be a real number and q ∈ N. The discrete Gaussian distribution χ_{α,q} is a Gaussian distribution rounded to the nearest integer and reduced modulo q, with mean zero and standard deviation αq.

Gröbner Bases with Noise I
proc. Initialize(1^λ, P, d):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  return (1^λ, P);
end
proc. Sample():
begin
  f ←$ P_{≤b};
  e ←$ χ;
  f ← f − (f mod G) + e;
  return f;
end
proc. Finalize(G′):
begin
  G̃ ← reduced GB of G;
  G̃′ ← reduced GB of G′;
  return (G̃ = G̃′);
end
Figure 5: Game GBN_{P,GBGen(·),d,b,χ}.

Gröbner Bases with Noise II
Definition (Gröbner Basis with Noise (GBN) Problem)
The Gröbner Basis with Noise Problem is defined through game GBN_{P,GBGen(·),d,b,χ} as shown in Figure 5. The advantage of a ppt algorithm A in solving the GBN problem is
$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := \Pr\left[\mathrm{GBN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}(\lambda) \Rightarrow T\right].$
Note that we do not impose a restriction on the number of samples any more.

Ideal Remainders with Noise I
proc. Initialize(1^λ, P, d):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  return (1^λ, P);
end
proc. Sample():
begin
  f ←$ P_{≤b};
  e ←$ χ;
  f ← f − (f mod G) + e;
  return f;
end
proc. Challenge():
begin
  f ←$ P_{≤b};
  return f;
end
proc. Finalize(r′):
begin
  return (r′ = f mod G);
end
Figure 6: Game IRN_{P,GBGen(·),d,b,χ}.

Ideal Remainders with Noise II
Definition (Ideal Remainder with Noise (IRN) Problem)
The Ideal Remainder with Noise Problem is defined through game IRN_{P,GBGen(·),d,b,χ} as shown in Figure 6. The advantage of a ppt algorithm A in solving the IRN problem is
$\mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := \Pr\left[\mathrm{IRN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}(\lambda) \Rightarrow T\right] - 1/C(\lambda).$
Lemma (IRN Hard ⇔ GBN Hard)
For any ppt adversary A against the IRN problem, there exists a ppt adversary B against the GBN problem such that
$\mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,B}(\lambda).$
...and vice versa.

Ideal Membership with Noise (Ideal Coset) I
proc. Initialize(1^λ, P, d):
begin
  P ←$ P_λ;
  G ←$ GBGen(1^λ, P, d);
  c ←$ {0, 1};
  return (1^λ, P);
end
proc. Sample():
begin
  f ←$ P_{≤b};
  e ←$ χ;
  f ← f − (f mod G) + e;
  return f;
end
proc. Challenge():
begin
  f, e ←$ P_{≤b}, χ;
  if c = 0 then
    f ← f − (f mod G) + e;
  return f;
end
proc. Finalize(c′):
begin
  return (c′ = c);
end
Figure 7: Game IMN_{P,GBGen(·),d,b,χ}.

Ideal Membership with Noise (Ideal Coset) II
Definition (Ideal Membership with Noise (IMN) Problem)
The Ideal Membership with Noise (IMN) Problem is defined as a game, denoted IMN_{P,GBGen(·),d,b,χ}, shown in Figure 7. The advantage of a ppt algorithm A in solving the ideal membership with noise problem is defined by
$\mathrm{Adv}^{\mathrm{imn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) := 2 \cdot \Pr\left[\mathrm{IMN}^{A}_{P,\mathrm{GBGen}(\cdot),d,b,\chi}(\lambda) \Rightarrow T\right] - 1.$
Lemma (IMN Hard ⇔ IRN Hard)
For any ppt adversary A against the IMN problem, there exists a ppt adversary B against the IRN problem such that
$\mathrm{Adv}^{\mathrm{imn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,A}(\lambda) \le \mathrm{Adv}^{\mathrm{irn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi,B}(\lambda),$
if $q(\lambda)^{\dim_{\mathbb{F}_q}(P(\lambda)/\mathrm{GBGen}(\cdot))}$ is polynomial in λ.
...and vice versa.

Security I
Lemma (LWE Hard ⇒ GBN Hard for d = 1, b = 1)
Let q be a prime number. Then for any ppt adversary A against the GBN problem with b = d = 1, there exists a ppt adversary B against the LWE problem such that
$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),1,1,\chi,A}(\lambda) = \mathrm{Adv}^{\mathrm{lwe}}_{n,q,\chi,B}(\lambda).$
Proof.
Whenever A calls its Sample oracle, B queries its own Sample oracle to obtain (a, b) where a = (a_0, ..., a_{n−1}). It returns $\sum_i a_i x_i - b$ to A. When A calls its Finalize on G, since d = 1, we may assume that G is of the form [x_0 − s_0, ..., x_{n−1} − s_{n−1}] with s_i ∈ F_q. Algorithm B terminates by calling its Finalize oracle on s = (s_0, ..., s_{n−1}).
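An added example (not the authors' code) of the sample translation in this proof for d = b = 1, using a constructed LWE oracle (uniform a, small integer noise e, secret s; all parameters toy values): each LWE sample (a, b) with b = ⟨a, s⟩ + e becomes the polynomial Σ a_i x_i − b, whose remainder modulo G = {x_i − s_i} is the constant −e, so it is exactly a GBN Sample() output with noise −e; the last function reads s back off a basis of that form, as B does in its Finalize step.

```python
import random

def lwe_sample(s, q, rng, bound=2):
    """Constructed LWE oracle: uniform a in F_q^n, small e, b = <a, s> + e mod q."""
    a = [rng.randrange(q) for _ in s]
    e = rng.randint(-bound, bound)
    return a, (sum(x * y for x, y in zip(a, s)) + e) % q, e

def lwe_to_gbn(a, b, q):
    """B's translation of (a, b): the polynomial sum_i a_i x_i - b as {exponent tuple: coeff}."""
    n = len(a)
    f = {tuple(int(k == i) for k in range(n)): ai % q for i, ai in enumerate(a) if ai % q}
    f[(0,) * n] = (-b) % q
    return f

def remainder_linear_gb(f, s, q):
    """For linear f, f mod {x_i - s_i} is the constant f(s) = sum a_i s_i + a_0."""
    return sum(c * (s[mono.index(1)] if sum(mono) else 1) for mono, c in f.items()) % q

def secret_from_basis(G, q):
    """B's last step: read s_i off the basis element x_i - s_i (up to a scalar) returned by A."""
    n, s = len(G), [None] * len(G)
    for g in G:
        i = next(mono.index(1) for mono in g if sum(mono) == 1)
        lc = g[tuple(int(k == i) for k in range(n))]
        s[i] = (-g.get((0,) * n, 0) * pow(lc, -1, q)) % q
    return s

def simulate(n, q, seed, samples=5):
    """Run the reduction against a constructed secret; returns (remainders all equal -e, s recovered)."""
    rng = random.Random(seed)
    s = [rng.randrange(q) for _ in range(n)]
    ok = True
    for _ in range(samples):
        a, b, e = lwe_sample(s, q, rng)
        ok = ok and remainder_linear_gb(lwe_to_gbn(a, b, q), s, q) == (-e) % q
    G = [{tuple(int(k == i) for k in range(n)): 1, (0,) * n: (-si) % q} for i, si in enumerate(s)]
    return ok, secret_from_basis(G, q) == s
```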

Security II
Lemma (GBN Hard for 2b ⇒ GBN Hard for b)
For any ppt adversary A against the GBN problem at degree b with noise χ_{α,q}, there exists a ppt adversary B against the GBN problem at degree 2b with noise χ_{√N·α²q, q} such that
$\mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,b,\chi_{\alpha,q},A}(\lambda) = \mathrm{Adv}^{\mathrm{gbn}}_{P,\mathrm{GBGen}(\cdot),d,2b,\chi_{\sqrt{N}\alpha^{2}q,q},B}(\lambda)$
for $N = \binom{n+b}{b}$.
Proof.
Multiply samples f_i, f_j to get f_{i,j} = f_i · f_j. To ensure sufficient randomness, sum up N such products.

Security III
Approximate GCD:
- The GBN problem for n = 1 is the approximate GCD problem over F_q[x].
- This problem has not yet received much attention, and hence it is unclear under which parameters it is hard.
- However, the notion of a Gröbner basis can be extended to Z[x_0, ..., x_{n−1}].
- This implies a version of the GBN problem over Z.
- This can be seen as a direct generalisation of the approximate GCD problem in Z.

Security IV
GBN over F_2:
- For d = 1 and q = 2 we can reduce Max-3SAT instances to GBN instances by translating each clause individually to a Boolean polynomial.
- The Gröbner basis returned by an arbitrary algorithm A solving GBN using a bounded number of samples will provide a solution to the Max-3SAT problem.
- Vice versa, we may convert a GBN problem for d = 1 to a Max-SAT problem (more precisely Partial Max-SAT) by running an ANF to CNF conversion algorithm.

Security V
Best known attack (for d = 1):
- We reduce GBN to a larger LWE instance.
- Denote by $N = \binom{n+b}{b}$ the number of monomials up to degree b.
- Let M : P → F_q^N be a function which maps polynomials in P to vectors in F_q^N by assigning to the i-th component of the image vector the coefficient of the i-th monomial ∈ M_{≤b}.
- Reply to each Sample query by the LWE oracle by calling the GBN Sample oracle to retrieve f, compute v = M(f) and return (a, b) with a = (v_{N−1}, ..., v_1) and b = −v_0.
- When the LWE oracle queries its Finalize with s, query the GBN Finalize with [x_0 − s_0, ..., x_{n−1} − s_{n−1}].

Polly Cracker with Noise
- GBN/IRN/IMN allow us to construct a noisy version of our symmetric Polly Cracker scheme: SPCN.
- SPCN is IND-CPA under the GBN assumption.
- Using any symmetric-to-asymmetric conversion from the literature, this leads to a public-key Polly Cracker scheme.
- This scheme is somewhat homomorphic and can support a fixed but arbitrary number of multiplications.
- This also implies that Regev's public-key scheme based on LWE is multiplicatively homomorphic under some choice of parameters.
Remark
We implemented a toy version of this scheme.