Post-quantum key exchange for the Internet based on lattices
|
|
- Jonah Willis
- 5 years ago
- Views:
Transcription
1 Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016
2 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem. IEEE S&P 2015, pp J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan, D. Stebila Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE. ACM-CCS pp
3 Part 1: Motivation Part 2: Lattice basics Part 3: PQ key exchange based on (R)LWE
4 Diffie-Hellman key exchange q = g a (mod q) = g = a = ; \ \ \ \ \ \ \ \ \ g ab = = g b (mod q) b = ; \ \ \ \ \ \ \ \ \ \
5 ECDH key exchange p = p = E/F p : y 2 = x 3 3x + b #E = P = ( , ) [a]p = ( , ) [b]p = ( , ) a = [ab]p = ( , ) b =
6 Quantum computers Cryptopocalypse Quantum computers break elliptic curves, finite fields, factoring, everything currently used for PKC Aug 2015: NSA announces plans to transition to quantum-resistant algorithms 17 Dec 2016: NIST finalizes calls for quantum-secure submissions. Deadline: Nov 30,
7 Cryptopocalypse now? x = how long information needs to be secure y = how long it takes to deploy PQ crypto z = how far away is a quantum computer if x + y > z, we re screwed!
8 Real-world (e.g., Internet/TLS) cryptography in one slide (oversimplified) public-key/asymmetric crypto public-key/asymmetric crypto symmetrically encrypted traffic Client symmetrically encrypted traffic Server Public-key cryptography used to (1) establish a shared secret key (e.g., Diffie-Hellman key exchange) (2) authenticate one another (e.g., digital signatures) Symmetric key cryptography uses shared secret to encrypt/authenticate the subsequent traffic (e.g., block ciphers, AES/DES, stream ciphers, MACs) Hash functions used throughout (e.g., SHA s, Keccak)
9 Post-quantum key exchange Quantum-hard problem(s) for key exchange??? This talk: lattice problems
10 Part 1: Motivation Part 2: Lattice basics Part 3: PQ key exchange based on (R)LWE
11 Lattices Basis b 1,, b n R n 2b 1 b 1 + b 2 2b 2 Lattice L = {a 1 b a n b n a i Z} b 1 b 2 2b 2 b 1 2b 2 2b 1
12 Lattices v 1 Basis b 1,, b n R n Lattice L = {a 1 b a n b n a i Z} v 2 Bases not unique L = σ a i v i e.g., b 1 = 2, 1, b 2 = 10,6 v 1 = 4, 3, v 2 = 2,4
13 Lattices v 1 Basis b 1,, b n R n Lattice L = {a 1 b a n b n a i Z} v 2 Bases not unique L = σ a i v i e.g., b 1 = 2, 1, b 2 = 10,6 v 1 = 4, 3, v 2 = 2,4 Invariant det L = det(b i ) = det(v i = b i v i det = ±1
14 Hard Lattice Problem #1: Shortest Vector Problem (SVP γ ) v 1 v 2 s SVP: Given lattice L = v 1, v 2, find short vector s γ λ L (γ = 1 means shortest vector)
15 Hard Lattice Problem #1: Shortest Vector Problem (SVP γ ) v 1 v 2 s SVP γ is NP-hard for γ = O 1 SVP γ is P for γ = 2 Ω n
16 Hard Lattice Problem #2: Closest Vector Problem (CVP d ) v 1 v 2 CVP d : Given lattice L = {v 1, v 2 } and target vector v L within distance d, find the closest lattice point
17 SVP in dimension 10 b 1 = b 10 = L = {b 1, b 10 } ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) ( ) Z 10 Shortest vector λ L = ( ) λ L = b 1 14b 2 + 2b b 5 2b 6 9b b 8 + 3b 10
18 Why are they hard? Gaussian elimination? Least-squares? What about Gram-Schmidt to reduce basis? b i b i μ ij b j 1 j i 1 μ ij = b i,b j b j 2 SVP γ NP-hard for γ = O(1): at least as hard as the hardest problems in NP (if P NP, then no polynomial time alg.)
19 e.g., GGH 97 signatures ( NTRUsign) Idea: CVP is hard, but easy with good basis secret key: b 1 b 2 message: signature: v 1 public key: v 1 v 2 v 2 b 1 b 2
20 Security reductions GGH 97 ( right idea, but) did not come with a security proof If you can solve CVP, you can obviously forge messages, but this scheme was completely broken without solving CVP We want Thm: e.g., if you can forge signatures, you can solve CVP Ajtai 96: worst-to-average-case reduction unlocks lattice-based crypto if you can break an average case, you can break the worst case
21 Part 1: Motivation Part 2: Lattice basics Part 3: PQ key exchange based on (R)LWE
22 Regev 05 Introduces the Learning with Errors (LWE) problem Uses it to construct LWE encryption Shows that breaking LWE implies (quantum) solving hard lattice problems (GapSVP β and SIVP) see his 2012 talk
23 The learning with errors (LWE) problem random secret small Z q m n Z q n 1 Z q m 1 Z q m 1 + = Search LWE problem: given blue, find red
24 The learning with errors (LWE) problem random secret small Z q m n Z q n 1 Z q m 1 Z q m 1? + = Decision LWE problem: given blue, does red exist?
25 The learning with errors (LWE) problem 4 random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red
26 The learning with errors (LWE) problem 4 random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red
27 Toy example versus real-world example 4 Z Z = bits = 245 kb!!
28 The learning with errors (LWE) problem 4 random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red
29 The ring learning with errors (R-LWE) problem random secret small ind. from random Z Z Z Z = 11 Lyubashevsky-Peikert-Regev 10: add ring structure
30 The ring learning with errors (R-LWE) problem random secret small ind. from random Z Z Z Z =
31 The ring learning with errors (R-LWE) problem random small secret small ind. from random Z Z Z Z =
32 The ring learning with errors (R-LWE) problem random secret small ind. from random Z Z Z Z = LWE problem: given blue, find red
33 The ring learning with errors (R-LWE) problem Z Z 13 x / x x + 11x x 3 = x (4 + 1x + 11x x 3 ) = x 2 (4 + 1x + 11x x 3 ) = x 3 (4 + 1x + 11x x 3 ) Ideal lattice: lattice modulo ideal
34 The ring learning with errors (R-LWE) problem 4 + 1x + 11x x x 1x 2 + 1x 3 0 1x + 1x 2 + 1x x + 10x 2 + 7x 3 Z 13 x x R-LWE problem: given blue, find red
35 + The ring learning with errors (R-LWE) problem (the 128-bit secure version) x x + 9x x x 0x x x 1023 Z x x R-LWE problem: given blue, find (small!) red
36 R-LWE-DH: key agreement in R q = Z q x / x n + 1 secret: small e, s R q public: big a R q secret: small e, s R q a s + e a s + e s a s + e s a s s a s + e s a s
37 Approximate agreement mod q q/4 the usual ROUND function q 2 3q/4 0 ROUND x x x x x x 1023 = = = = This will work most of the time (fails 1/2 10 ), but we need exact agreement i.e., what happens if one of the coefficients is in the danger zone(s)
38 Making approximate agreement exact in Z q q/4 q 2 0 if 3q/4 or else
39 R-LWE-DH: exact key agreement secret: small e, s R q public: big a R q secret: small e, s R q a s + e a s + e and, n 0,1 n RECONCILE s a s + e,, n = ROUND s a s + e both parties now share k 0,1 n
40 [BCNS 15]: our implementation Implemented ring-lwe key exchange based on Peikert 14 Proof of security: if decision R-LWE is hard, then exact-ddh in our scheme is hard Constant-time software integrated into TLS (OpenSSL) Communication size: 8KiB roundtrip Runtime: ms per party (TLS handshake x slower than ECDH/ECDSA)
41 Early bird may get the worm but the second mouse gets the cheese! [ADPS 16]: much better implementation, error distribution, security analysis, pseudorandom parameters, etc etc Much faster than ours, even faster than classical (ECDH) PQ just means bigger keys (no slowdown)
42 Frodo: take off the ring! Z q x / x n + 1 Z q n some highlights from Galbraith s 2016 PQcrypto keynote final slide: We need to understand Ring-LWE Final comment: PQcrypto should be about greater security, not greater efficiency
43 seed Z PRF Frodo: recommended parameters bits of randomness, Renyi div to discrete Gaussian of variance 1.75 q = 2 15 = seed PRF 130-bit quantum 144-bit classical 103-bit plausible 752 A x + e c c Z q (& seed) rec x + e A 8 Z q Z 2 64 c x = 8 K 8 K s indistinguishable from random if decision-lwe is hard! 8 K 8 = x c 43
44 Standalone performance of PQ primitives
45 TLS connection throughput (#connections/second) 1600 bigger (top) is better NewHope 1.36x Frodo 0.78x Frodo 0.87x NewHope ECDHE BCNS Frodo 600 NTRU B 1 KiB 10 KiB 100 KiB Payload size x86_64, 2.6 GHz Intel Xeon E5 (Sandy Bridge) server Google n1-standard-4, client -32 note somewhat incomparable security levels
46 References [GGH97] O. Goldreich, S. Goldwasser, S. Halevi. Public-key cryptosystems from lattice reduction problems. CRYPTO 1997: [Regev05] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005: [LPR10] V. Lyubashevsky, C. Peikert, O. Regev. On ideal lattices and learning with errors over rings. EUROCRYPT 2010: [Peikert14] C. Peikert. Lattice Cryptography for the Internet. PQCrypto 2014: [BCNS15] J. Bos, C. Costello, M. Naehrig, D. Stebila. Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. IEEE S&P 2015: [ADPS16] E. Alkim, L. Ducas, T. Poppelmann, P. Schwabe. Post-quantum key exchange a new hope. USENIX 2016: [BCD+16] J. Bos, C. Costello, L. Ducas, I. Mironov, M. Naehrig, V. Nikolaenko, A. Raghunathan. Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE. ACM CCS 2016:
47 Questions?
Practical, Quantum-Secure Key Exchange from LWE
Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael
More informationPost-quantum key exchange based on Lattices
Post-quantum key exchange based on Lattices Joppe W. Bos Romanian Cryptology Days Conference Cybersecurity in a Post-quantum World September 20, 2017, Bucharest 1. NXP Semiconductors Operations in > 35
More informationPart 2 LWE-based cryptography
Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, 2017 https://www.douglas.stebila.ca/research/presentations Funding acknowledgements: SAC Summer School 2017-08-14
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationNewHope for ARM Cortex-M
for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationA gentle introduction to isogeny-based cryptography
A gentle introduction to isogeny-based cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Motivation Part 2: Preliminaries Part 3: Brief SIDH sketch
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationJintai Ding*, Saraswathy RV. Lin Li, Jiqiang Liu
Comparison analysis and efficient implementation of reconciliation-based RLWE key exchange protocol Xinwei Gao Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong
More informationLeakage of Signal function with reused keys in RLWE key exchange
Leakage of Signal function with reused keys in RLWE key exchange Jintai Ding 1, Saed Alsayigh 1, Saraswathy RV 1, Scott Fluhrer 2, and Xiaodong Lin 3 1 University of Cincinnati 2 Cisco Systems 3 Rutgers
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationA gentle introduction to elliptic curve cryptography
A gentle introduction to elliptic curve cryptography Craig Costello Tutorial at SPACE 2016 December 15, 2016 CRRao AIMSCS, Hyderabad, India Part 1: Diffie-Hellman key exchange Part 2: Elliptic Curves Part
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationPost-quantum verifiable random functions from ring signatures
Post-quantum verifiable random functions from ring signatures Endre Abraham December 22, 2018 Abstract One of the greatest challenges on exchanging seemingly random nonces or data either on a trusted or
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationPost-Quantum Cryptography from Lattices
Post-Quantum Cryptography from Lattices Léo Ducas 1 CWI, Amsterdam, The Netherlands CWI Scientific Meeting, November 2016. 1 Funded by a PPP Grant, between NXP and CWI. Cryptography Cryptography in everyday
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationRing-LWE: Applications to cryptography and their efficient realization
Ring-LWE: Applications to cryptography and their efficient realization Sujoy Sinha Roy, Angshuman Karmakar, and Ingrid Verbauwhede ESAT/COSIC and iminds, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationFrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation
FrodoKEM Learning With Errors Key Encapsulation Algorithm Specifications And Supporting Documentation Erdem Alkim Joppe W. Bos Léo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationhttps://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols nichols@math.umass.edu University of Massachusetts Oct. 14, 2015 Cryptography basics Cryptography is the study of secure communications. Here are
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationInformation Security
SE 4472 / ECE 9064 Information Security Week 12: Random Number Generators and Picking Appropriate Key Lengths Fall 2015 Prof. Aleksander Essex Random Number Generation Where do keys come from? So far we
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationSelecting Elliptic Curves for Cryptography Real World Issues
Selecting Elliptic Curves for Cryptography Real World Issues Michael Naehrig Cryptography Research Group Microsoft Research UW Number Theory Seminar Seattle, 28 April 2015 Elliptic Curve Cryptography 1985:
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More informationElliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography
Elliptic curve cryptography in a post-quantum world: the mathematics of isogeny-based cryptography Andrew Sutherland MIT Undergraduate Mathematics Association November 29, 2018 Creating a shared secret
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationWhat are we talking about when we talk about post-quantum cryptography?
PQC Asia Forum Seoul, 2016 What are we talking about when we talk about post-quantum cryptography? Fang Song Portland State University PQC Asia Forum Seoul, 2016 A personal view on postquantum cryptography
More informationNumber "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes
Number "Not" Used Once - Key Recovery Fault Attacks on LWE Based Lattice Cryptographic Schemes Prasanna Ravi 1, Shivam Bhasin 1, and Anupam Chattopadhyay 2 1 Temasek Laboratories, Nanyang Technological
More informationAnalysis of Error-Correcting Codes for Lattice-Based Key Exchange
Analysis of Error-Correcting Codes for Lattice-Based Key Exchange Tim Fritzmann 1, Thomas Pöppelmann 2, and Johanna Sepulveda 1 1 Technische Universität München, Germany {tim.fritzmann,johanna.sepulveda}@tum.de
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationPOST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW?
POST-QUANTUM CRYPTOGRAPHY HOW WILL WE ENCRYPT TOMORROW? Hanno Böck https://hboeck.de 1 INTRODUCTION Hanno Böck, freelance journalist and hacker. Writing for Golem.de and others. Fuzzing Project, funded
More informationNotes for Lecture 15
COS 533: Advanced Cryptography Lecture 15 (November 8, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Kevin Liu Notes for Lecture 15 1 Lattices A lattice looks something like the following.
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationHow to validate the secret of a Ring Learning with Errors (RLWE) key
How to validate the secret of a Ring Learning with Errors (RLWE) key Jintai Ding 1, Saraswathy RV 1, Saed Alsayigh 1, and Crystal Clough 1 University of Cincinnati Abstract. We use the signal function
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationMessage Authentication Codes (MACs)
Message Authentication Codes (MACs) Tung Chou Technische Universiteit Eindhoven, The Netherlands October 8, 2015 1 / 22 About Me 2 / 22 About Me Tung Chou (Tony) 2 / 22 About Me Tung Chou (Tony) Ph.D.
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationQuantum-secure symmetric-key cryptography based on Hidden Shifts
Quantum-secure symmetric-key cryptography based on Hidden Shifts Gorjan Alagic QMATH, Department of Mathematical Sciences University of Copenhagen Alexander Russell Department of Computer Science & Engineering
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky 1 and Daniele Micciancio 2 1 School of Computer Science, Tel Aviv University Tel Aviv 69978, Israel.
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationCryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL reduction Shinya Okumura Institute of Systems, Information Technologies and Nanotechnologies This is a joint work
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationQuantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security
Quantum-Safe Crypto Why & How? JP Aumasson, Kudelski Security Flight plan What s a quantum computer? How broken are your public keys? AES vs. quantum search Hidden quantum powers Defeating quantum computing
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationShort Stickelberger Class Relations and application to Ideal-SVP
Short Stickelberger Class Relations and application to Ideal-SVP Ronald Cramer Léo Ducas Benjamin Wesolowski Leiden University, The Netherlands CWI, Amsterdam, The Netherlands EPFL, Lausanne, Switzerland
More informationCRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2015, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationRing-SIS and Ideal Lattices
Ring-SIS and Ideal Lattices Noah Stephens-Davidowitz (for Vinod Vaikuntanathan s class) 1 Recalling h A, and its inefficiency As we have seen, the SIS problem yields a very simple collision-resistant hash
More informationSPHINCS: practical stateless hash-based signatures
SPHINCS: practical stateless hash-based signatures D. J. Bernstein, D. Hopwood, A. Hülsing, T. Lange, R. Niederhagen, L. Papachristodoulou, P. Schwabe, and Z. Wilcox O'Hearn Digital Signatures are Important!
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationA simple lattice based PKE scheme
DOI 10.1186/s40064-016-3300-4 RESEARCH Open Access A simple lattice based PKE scheme Limin Zhou 1*, Zhengming Hu 1 and Fengju Lv 2 *Correspondence: zhoulimin.s@163.com 1 Information Security Center, Beijing
More informationCRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2
CRYPTOGRAPHIC PROTOCOLS 2014, LECTURE 2 assumptions and reductions Helger Lipmaa University of Tartu, Estonia MOTIVATION Assume Alice designs a protocol How to make sure it is secure? Approach 1: proof
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More informationKey Recovery for LWE in Polynomial Time
Key Recovery for LWE in Polynomial Time Kim Laine 1 and Kristin Lauter 2 1 Microsoft Research, USA kimlaine@microsoftcom 2 Microsoft Research, USA klauter@microsoftcom Abstract We discuss a higher dimensional
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationHigh-speed key encapsulation from NTRU
High-speed key encapsulation from NTRU Andreas Hülsing 1, Joost Rijneveld 2, John Schanck 3,4, Peter Schwabe 2 1 Eindhoven University of Technology, The Netherlands 2 Radboud University, Nijmegen, The
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More information