Practical CCA2-Secure and Masked Ring-LWE Implementation
|
|
- Shon Briggs
- 5 years ago
- Views:
Transcription
1 Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon Technologies AG, 4 DFKI CHES
2 Motiviation 2
3 Ring-LWE NIST post-quantum standardization project Various NIST submissions are based on Ring-LWE including NewHope LIMA (Kyber) 3
4 Ring-LWE NIST post-quantum standardization project Various NIST submissions are based on Ring-LWE including NewHope LIMA (Kyber) Previous work A masked ring-lwe implementation. O. Reparaz, S. Sinha Roy, F. Vercauteren, I. Verbauwhede. CHES 2015 Additively homomorphic ring-lwe masking. O. Reparaz, S. Sinha Roy, R. de Clercq, F. Vercauteren, I. Verbauwhede. PQCrypto
5 CCA2-Security Plain Ring-LWE encryption is only secure against chosenplaintext attackers (CPA) Many use cases require security against chosen-ciphertext attackers (CCA) Generic Fujisaki-Okamoto transform Assumes negligible decryption error Tweak by Targhi and Unruh for post-quantum security [TU16] Expensive re-encryption in decryption [TU16] E. E. Targhi and D. Unruh. Post-quantum security of the Fujisaki-Okamoto and OAEP transforms. TCC
6 CCA2-Security CCA2-secure Decryption 6
7 CCA2-Security CCA2-secure Decryption 7
8 CCA2-Security CCA2-secure Decryption 8
9 CCA2-Security CCA2-secure Decryption 9
10 Contribution 10
11 Embedded Implementation Our contribution: CCA2-secure first-order masked Ring-LWE implementation 11
12 Embedded Implementation Our contribution: CCA2-secure first-order masked Ring-LWE implementation Target platform ARM Cortex-M4 Constrained computing capabilities/memory 12
13 Embedded Implementation Our contribution: CCA2-secure first-order masked Ring-LWE implementation Target platform ARM Cortex-M4 Constrained computing capabilities/memory Secret-independent execution time as countermeasure against timing attacks Masking as countermeasure against Differential Power Analysis Boolean vs. arithmetic 13
14 Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE PRNG/Hash Ring-LWE CPA Encryption a x + c 1 BS BS BS NTT p x + + c 2 Polynomial multiplication m encode Binomial sampler (BS) Ring-LWE CPA Decryption c 1 x + decode m Encoding/Decoding r 1 c 2 14
15 Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE PRNG/Hash [BDPVA10] Ring-LWE CPA Encryption a x + c 1 BS BS BS NTT straight-forward p x + + c 2 Polynomial multiplication m encode Binomial sampler (BS) Ring-LWE CPA Decryption c 1 x + decode m Encoding/Decoding r 1 c 2 [BDPVA10] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Building power analysis resistant implementations of Keccak. Second SHA-3 candidate conference,
16 Masking Ring-LWE Components to be masked in CCA2-secure Ring-LWE PRNG/Hash [BDPVA10] Ring-LWE CPA Encryption a x + c 1 BS BS BS NTT straight-forward p x + + c 2 Polynomial multiplication m encode Binomial Sampler (BS) Ring-LWE CPA Decryption c 1 x + decode m Encoding/Decoding r 1 c 2 [BDPVA10] Guido Bertoni, Joan Daemen, Michaël Peeters, and Gilles Van Assche. Building power analysis resistant implementations of Keccak. Second SHA-3 candidate conference,
17 Encoding 17
18 Masked encoding Encoding transforms a bit string into a polynomial Without masking: coeff = bit q 2 18
19 Masked encoding Encoding transforms a bit string into a polynomial Without masking: coeff = bit q 2 With bit bit = bit: coeff = bit q 2 coeff = bit q 2 19
20 Masked encoding Encoding transforms a bit string into a polynomial Without masking: coeff = bit q 2 With bit bit = bit: coeff = bit q 2 coeff = bit q 2 q is a odd q 2 + q 2 q Problem: Result is off by one if bit = 1 and bit = 1 20
21 Masked encoding Solution: Add bit bit to the result Compute bit bit by splitting into subshares bit 1 + bit 2 (bit (1) + bit 2 ) = bit (1) bit 1 + bit 1 bit 2 + bit (2) bit 1 + bit (2) bit 2 Use fresh randomness to securely sum the cross-products 21
22 Decoding 22
23 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 23
24 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 24
25 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 25
26 Masked decoding Input: Coefficient [0, q 1] Output: Decoded bit Idea: Shift distribution of coefficients Apply arithmetic-to- Boolean conversion Extract sign bit 26
27 Binomial Sampler 27
28 Masked sampler Input: Boolean shares; Output: Arithmetic shares Count Hamming weight as σ 7 i=0 (bit i bit i ) 7 = σ i=0 bit i + bit i 2bit (i)bit (i) Compute bit (i) bit (i) by splitting into subshares 28
29 Results 29
30 Side-Channel Evaluation T-test evaluation of the decoding (example) Blue: first-order evaluation Dashed red: second-order evaluation 30
31 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 31
32 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 32
33 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 33
34 Cortex-M4 Performance Dimension n = 1024 Modulus q = Standard deviation ς = 2 34
35 Conclusion First masking of a Ring-LWE-based scheme that covers CCA2-security with first-order proof New masked encoder & decoder New masked sampler Future work: Higher-order masking 35
36 Thank You For Your Attention!
Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto
Eciently Masking Binomial Sampling at Arbitrary Orders for Lattice-Based Crypto Tobias Schneider 1, Clara Paglialonga 2, Tobias Oder 3, and Tim Güneysu 3,4 1 ICTEAM/ELEN/Crypto Group, Université Catholique
More informationA Lattice-based AKE on ARM Cortex-M4
A Lattice-based AKE on ARM Cortex-M4 Julian Speith 1, Tobias Oder 1, Marcel Kneib 2, and Tim Güneysu 1,3 1 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany {julian.speith,tobias.oder,tim.gueneysu}@rub.de
More informationMarkku-Juhani O. Saarinen
Shorter Messages and Faster Post-Quantum Encryption with Round5 on Cortex M Markku-Juhani O. Saarinen S. Bhattacharya 1 O. Garcia-Morchon 1 R. Rietman 1 L. Tolhuizen 1 Z. Zhang 2 (1)
More informationCompact Ring LWE Cryptoprocessor
1 Compact Ring LWE Cryptoprocessor CHES 2014 Sujoy Sinha Roy 1, Frederik Vercauteren 1, Nele Mentens 1, Donald Donglong Chen 2 and Ingrid Verbauwhede 1 1 ESAT/COSIC and iminds, KU Leuven 2 Electronic Engineering,
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationPost-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms
Post-Quantum Security of the Fujisaki-Okamoto (FO) and OAEP Transforms Made by: Ehsan Ebrahimi Theory of Cryptography Conference, Beijing, China Oct. 31 - Nov. 3, 2016 Joint work with Dominique Unruh Motivation:
More informationNewHope for ARM Cortex-M
for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationImplementing RLWE-based Schemes Using an RSA Co-Processor
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1, Christian Hanser 2, Andrea Hoeller 2, Thomas Pöppelmann 3, Fernando Virdia 1, Andreas Wallner 2 1 Information Security Group,
More informationInside Keccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013
Inside Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Keccak & SHA-3 Day Université Libre de Bruxelles March 27, 2013 1 / 49 Outline
More informationSaber on ARM. CCA-secure module lattice-based key encapsulation on ARM
Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar, Jose Maria Bermudo Mera, Sujoy Sinha Roy and Ingrid Verbauwhede imec-cosic, KU Leuven Kasteelpark Arenberg 10,
More informationPart I: Introduction to Post Quantum Cryptography Taipei. Tim Güneysu Ruhr-Universität Bochum & DFKI
Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Güneysu Ruhr-Universität Bochum & DFKI 04.10.2017 Overview Goals Provide a high-level introduction to Post-Quantum Cryptography
More informationRing-LWE: Applications to cryptography and their efficient realization
Ring-LWE: Applications to cryptography and their efficient realization Sujoy Sinha Roy, Angshuman Karmakar, and Ingrid Verbauwhede ESAT/COSIC and iminds, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationAnalysis of cryptographic hash functions
Analysis of cryptographic hash functions Christina Boura SECRET Project-Team, INRIA Paris-Rocquencourt Gemalto, France Ph.D. Defense December 7, 2012 1 / 43 Symmetric key cryptography Alice and Bob share
More informationHash Functions. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 34
Hash Functions Ali El Kaafarani Mathematical Institute Oxford University 1 of 34 Outline 1 Definition and Notions of Security 2 The Merkle-damgård Transform 3 MAC using Hash Functions 4 Cryptanalysis:
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationTitanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality
Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality Ron Steinfeld, Amin Sakzad, Raymond K. Zhao Monash University ron.steinfeld@monash.edu Ron Steinfeld
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
More informationAlgebraic properties of SHA-3 and notable cryptanalysis results
Algebraic properties of SHA-3 and notable cryptanalysis results Christina Boura University of Versailles, France ICMC 2015, January 9, 2014 1 / 51 Cryptographic Hash Functions H : {0,1} {0,1} n m H h =
More informationBlock Ciphers and Side Channel Protection
Block Ciphers and Side Channel Protection Gregor Leander ECRYPT-CSA@CHANIA-2017 Main Idea Side-Channel Resistance Without protection having a strong cipher is useless Therefore: Masking necessary Usual
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationCryptographic Hash Functions Part II
Cryptographic Hash Functions Part II Cryptography 1 Andreas Hülsing, TU/e Some slides by Sebastiaan de Hoogh, TU/e Hash function design Create fixed input size building block Use building block to build
More informationarxiv: v2 [cs.cr] 14 Feb 2018
Code-based Key Encapsulation from McEliece s Cryptosystem Edoardo Persichetti arxiv:1706.06306v2 [cs.cr] 14 Feb 2018 Florida Atlantic University Abstract. In this paper we show that it is possible to extend
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationSide-channel analysis in code-based cryptography
1 Side-channel analysis in code-based cryptography Tania RICHMOND IMATH Laboratory University of Toulon SoSySec Seminar Rennes, April 5, 2017 Outline McEliece cryptosystem Timing Attack Power consumption
More informationPart 2 LWE-based cryptography
Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14
More informationFrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation
FrodoKEM Learning With Errors Key Encapsulation Algorithm Specifications And Supporting Documentation Erdem Alkim Joppe W. Bos Léo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationEnhancing the Signal to Noise Ratio
Enhancing the Signal to Noise Ratio in Differential Cryptanalysis, using Algebra Martin Albrecht, Carlos Cid, Thomas Dullien, Jean-Charles Faugère and Ludovic Perret ESC 2010, Remich, 10.01.2010 Outline
More informationFast Lattice-Based Encryption: Stretching SPRING
Fast Lattice-Based Encryption: Stretching SPRING Charles Bouillaguet 1 Claire Delaplace 1,2 Pierre-Alain Fouque 2 Paul Kirchner 3 1 CFHP team, CRIStAL, Université de Lille, France 2 EMSEC team, IRISA,
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationAnalysis of Error-Correcting Codes for Lattice-Based Key Exchange
Analysis of Error-Correcting Codes for Lattice-Based Key Exchange Tim Fritzmann 1, Thomas Pöppelmann 2, and Johanna Sepulveda 1 1 Technische Universität München, Germany {tim.fritzmann,johanna.sepulveda}@tum.de
More informationCode-based Cryptography
a Hands-On Introduction Daniel Loebenberger Ηράκλειο, September 27, 2018 Post-Quantum Cryptography Various flavours: Lattice-based cryptography Hash-based cryptography Code-based
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationNumber "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes
Number "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes Prasanna Ravi 1, Shivam Bhasin 1, and Anupam Chattopadhyay 2 1 Temasek Laboratories, Nanyang Technological
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationCryptanalysis of 1-Round KECCAK
Cryptanalysis of 1-Round KECCAK Rajendra Kumar 1,Mahesh Sreekumar Rajasree 1 and Hoda AlKhzaimi 2 1 Center for Cybersecurity, Indian Institute of Technology Kanpur, India rjndr@iitk.ac.in, mahesr@iitk.ac.in
More informationLeakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi
Leakage Assessment Methodology - a clear roadmap for side-channel evaluations - Tobias Schneider and Amir Moradi Wednesday, September 16 th, 015 Motivation Security Evaluation Motivation Security Evaluation
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationMiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity
MiMC: Efficient Encryption and Cryptographic Hashing with Minimal Multiplicative Complexity. Arnab Roy 1 (joint work with Martin Albrecht 2, Lorenzo Grassi 3, Christian Rechberger 1,3 and Tyge Tiessen
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2009-2010 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: September 29th 2009 1 / 60 Last Time (I) Security
More informationCBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions
CBEAM: Ecient Authenticated Encryption from Feebly One-Way φ Functions Author: Markku-Juhani O. Saarinen Presented by: Jean-Philippe Aumasson CT-RSA '14, San Francisco, USA 26 February 2014 1 / 19 Sponge
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationInnovations in permutation-based crypto
Innovations in permutation-based crypto Joan Daemen 1,2 based on joint work with Guido Bertoni 3, Seth Hoert, Michaël Peeters 1, Gilles Van Assche 1 and Ronny Van Keer 1 Cryptacus Training School, Azores,
More informationCryptanalysis of EnRUPT
Cryptanalysis of EnRUPT Dmitry Khovratovich and Ivica Nikolić University of Luxembourg Abstract. In this paper we present a preimage attack on EnRUPT- 512. We exploit the fact that the internal state is
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationNew techniques for trail bounds and application to differential trails in Keccak
New techniques for trail bounds and application to differential trails in Keccak Silvia Mella 1,2 Joan Daemen 1,3 Gilles Van Assche 1 1 STMicroelectronics 2 University of Milan 3 Radboud University Fast
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1, and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105 78153 Le Chesnay
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationImproved Zero-sum Distinguisher for Full Round Keccak-f Permutation
Improved Zero-sum Distinguisher for Full Round Keccak-f Permutation Ming Duan 12 and Xuejia Lai 1 1 Department of Computer Science and Engineering, Shanghai Jiao Tong University, China. 2 Basic Courses
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationOn the Security of NOEKEON against Side Channel Cube Attacks
On the Security of NOEKEON against Side Channel Cube Attacks Shekh Faisal Abdul-Latip 1,2, Mohammad Reza Reyhanitabar 1, Willy Susilo 1, and Jennifer Seberry 1 1 Center for Computer and Information Security
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationCode-based cryptography
Code-based graphy Laboratoire Hubert Curien, UMR CNRS 5516, Bâtiment F 18 rue du professeur Benoît Lauras 42000 Saint-Etienne France pierre.louis.cayrel@univ-st-etienne.fr June 4th 2013 Pierre-Louis CAYREL
More informationJintai Ding*, Saraswathy RV. Lin Li, Jiqiang Liu
Comparison analysis and efficient implementation of reconciliation-based RLWE key exchange protocol Xinwei Gao Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationLessons Learned from High-Speed Implementa6on and Benchmarking of Two Post-Quantum Public-Key Cryptosystems
Lessons Learned from High-Speed Implementa6on and Benchmarking of Two Post-Quantum Public-Key Cryptosystems Malik Umar Sharif, Ahmed Ferozpuri, and Kris Gaj George Mason University USA Partially supported
More informationErrors, Eavesdroppers, and Enormous Matrices
Errors, Eavesdroppers, and Enormous Matrices Jessalyn Bolkema September 1, 2016 University of Nebraska - Lincoln Keep it secret, keep it safe Public Key Cryptography The idea: We want a one-way lock so,
More informationA Sound Method for Switching between Boolean and Arithmetic Masking
A Sound Method for Switching between Boolean and Arithmetic Masking Louis Goubin CP8 Crypto Lab, SchlumbergerSema 36-38 rue de la Princesse, BP45 78430 Louveciennes Cedex, France Louis.Goubin@louveciennes.tt.slb.com
More informationHigh-Precision Arithmetic in Homomorphic Encryption
High-Precision Arithmetic in Homomorphic Encryption Hao Chen 1, Kim Laine 2, Rachel Player 3, and Yuhou Xia 4 1 Microsoft Research, USA haoche@microsoft.com 2 Microsoft Research, USA kim.laine@microsoft.com
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationNotes for Lecture 9. 1 Combining Encryption and Authentication
U.C. Berkeley CS276: Cryptography Handout N9 Luca Trevisan February 17, 2009 Notes for Lecture 9 Notes scribed by Joel Weinberger, posted March 1, 2009 Summary Last time, we showed that combining a CPA-secure
More informationOn Keccak and SHA-3. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1. Icebreak 2013 Reykjavik, Iceland June 8, 2013
On Keccak and SHA-3 Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors Icebreak 2013 Reykjavik, Iceland June 8, 2013 1 / 61 Outline 1 Origins
More informationHybrid Key Encapsulation Mechanisms and Authenticated Key Exchange
Hybrid Key Encapsulation Mechanisms and Authenticated Key Exchange Nina Bindel 1 Jacqueline Brendel 1 Marc Fischlin 1 Brian Goncalves 2 Douglas Stebila 3 1 Technische Universität Darmstadt, Darmstadt,
More informationEnhanced Lattice-Based Signatures on Reconfigurable Hardware
Enhanced Lattice-Based Signatures on Reconfigurable Hardware Thomas Pöppelmann 1 Léo Ducas 2 Tim Güneysu 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany 2 University of California,
More informationHigher-order differential properties of Keccak and Luffa
Higher-order differential properties of Keccak and Luffa Christina Boura 1,2, Anne Canteaut 1 and Christophe De Cannière 3 1 SECRET Project-Team - INRIA Paris-Rocquencourt - B.P. 105-78153 Le Chesnay Cedex
More informationKeccak sponge function family main document
Keccak sponge function family main document Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 http://keccak.noekeon.org/ Version 1.1 January 9, 2009 1 STMicroelectronics 2 NXP Semiconductors
More informationChanging of the Guards: a simple and efficient method for achieving uniformity in threshold sharing
Changing of the Guards: a simple and efficient method for achieving uniformity in threshold sharing Joan Daemen 1,2 1 Radboud University 2 STMicroelectronics Abstract. Since they were first proposed as
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationA Public-key Encryption Scheme Based on Non-linear Indeterminate Equations (Giophantus)
A Public-key Encryption Scheme Based on Non-linear Indeterminate Equations (Giophantus) Koichiro Akiyama 1, Yasuhiro Goto 2, Shinya Okumura 3, Tsuyoshi Takagi 4, Koji Nuida 5, Goichiro Hanaoka 5, Hideo
More informationKeccak. Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1
Keccak Guido Bertoni 1 Joan Daemen 1 Michaël Peeters 2 Gilles Van Assche 1 1 STMicroelectronics 2 NXP Semiconductors 17th Workshop on Elliptic Curve Cryptography Leuven, Belgium, September 17th, 2013 1
More informationPseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions
Pseudorandom Knapsacks and the Sample Complexity of LWE Search-to- Decision Reductions Crypto 2011 Daniele Micciancio Petros Mol August 17, 2011 1 Learning With Errors (LWE) secret public: integers n,
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationTitanium: Proposal for a NIST Post-Quantum Public-key Encryption and KEM Standard
Titanium: Proposal for a NIST Post-Quantum Public-key Encryption and KEM Standard Ron Steinfeld and Amin Sakzad and Raymond Kuo Zhao Faculty of Information Technology Monash University, Australia December
More informationLOTUS : Algorithm Specifications and Supporting Documentation
LOTUS : Algorithm Specifications and Supporting Documentation Le Trieu Phong 1, Takuya Hayashi 1,, Yoshinori Aono 1, Shiho Moriai 1 1 National Institute of Information and Communications Technology (NICT),
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationLecture 11: Non-Interactive Zero-Knowledge II. 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian problem
CS 276 Cryptography Oct 8, 2014 Lecture 11: Non-Interactive Zero-Knowledge II Instructor: Sanjam Garg Scribe: Rafael Dutra 1 Non-Interactive Zero-Knowledge in the Hidden-Bits Model for the Graph Hamiltonian
More informationModels and analysis of security protocols 1st Semester Symmetric Encryption Lecture 5
Models and analysis of security protocols 1st Semester 2010-2011 Symmetric Encryption Lecture 5 Pascal Lafourcade Université Joseph Fourier, Verimag Master: October 11th 2010 1 / 61 Last Time (I) Security
More informationHILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction
HILA5 Pindakaas: On the CCA security of lattice-based encryption with error correction Daniel J. Bernstein 1 Leon Groot Bruinderink 2 Tanja Lange 2 Lorenz Panny 2 1 University of Illinois at Chicago 2
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationCollision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials
Collision Attacks on Up to 5 Rounds of SHA-3 Using Generalized Internal Differentials Itai Dinur 1, Orr Dunkelman 1,2 and Adi Shamir 1 1 The Weizmann Institute, Israel 2 University of Haifa, Israel Keccak
More informationA Generic Attack on Lattice-based Schemes using Decryption Errors
A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke Qian Guo 1,2, Thomas Johansson 2, and Alexander Nilsson 2 1 Dept. of Informatics, University of Bergen,
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationPerfectly-Crafted Swiss Army Knives in Theory
Perfectly-Crafted Swiss Army Knives in Theory Workshop Hash Functions in Cryptology * supported by Emmy Noether Program German Research Foundation (DFG) Hash Functions as a Universal Tool collision resistance
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationComparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
International Conference on Manufacturing Science and Engineering (ICMSE 2015) Comparison of some mask protections of DES against power analysis Kai Cao1,a, Dawu Gu1,b, Zheng Guo1,2,c and Junrong Liu1,2,d
More informationhttps://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationAnalysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes
Analysis of Random Oracle Instantiation Scenarios for OAEP and other Practical Schemes Alexandra Boldyreva 1 and Marc Fischlin 2 1 College of Computing, Georgia Institute of Technology, 801 Atlantic Drive,
More information