Enhanced Lattice-Based Signatures on Reconfigurable Hardware
|
|
- Jessica Park
- 6 years ago
- Views:
Transcription
1 Enhanced Lattice-Based Signatures on Reconfigurable Hardware Thomas Pöppelmann 1 Léo Ducas 2 Tim Güneysu 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum, Germany 2 University of California, San-Diego, USA September 2014, CHES Workshop 1 / 23
2 Enhanced Lattice-Based Signatures on Reconfigurable Hardware 1 Introduction 2 Algorithmic contributions 3 Implementation and Performances 4 Conclusion 2 / 23
3 Lattice Based Cryptography Many theoretical advantages over ECC/RSA: Strong theoretical guarentee of hardness Resist known quantum algorithms Very versatile: PKE, Signatures, IBE, FHE... Asymptotically efficient O(n 2 ) or even O(n log n). In practice? Simple and very fast PKE (NTRU-Encrypt, LWE Encryption). Efficient signatures have been more problematic. 3 / 23
4 BLISS: An optimized Signature Scheme Signature without Trapdoors (Fiat-Shamir transform). [Lyu09] Fiat-Shamir with aborts ( 50Kbits) [Lyu12] Abort Rate improved using Gaussians ( 12Kbits) DDLL13] Abort Rate improved using Bimodal Gaussians ( 5Kbits) BLISS vs. ECDSA vs. RSA on Software Scheme. Security Sign Size Sign./s Ver./s BLISS-I 128 bits 5.5kbits 8k 33k RSA bits 2kbits 0.8k 27k RSA bits 4kbits 0.1k 7.5k ECDSA bits 512 bits 9.5k 2.5k BLISS [DDLL13] compared to OpenSSL implem. of RSA and ECDSA on x / 23
5 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id 5 / 23
6 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short w = Ay Z n 5 / 23
7 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short w = Ay Z n c Sample c Z k, short 5 / 23
8 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short z = y ± Sc Abort with proba. DZ,σ m (z)/m Dm Z,σ (z ± Sc) w = Ay Z n c z Sample c Z k, short Rejection probability is such that z D m Z,σ is independent from S. 5 / 23
9 Fiat-Shamir with aborts [Lyu09, Lyu12, DDLL13] sk : S Z m k 2q, short pk : A Z n m 2q, random T = AS = q Id Sample y D m Z,σ, short z = y ± Sc Abort with proba. DZ,σ m (z)/m Dm Z,σ (z ± Sc) Check w = Ay Z n c z Sample c Z k, short that z is short, and Az = Tc + w mod q Rejection probability is such that z D m Z,σ is independent from S. 5 / 23
10 Hardware Implementation of BLISS The two costly steps are: 6 / 23
11 Hardware Implementation of BLISS The two costly steps are: Polynomial multiplications Ay in Z q [X ]/(Φ 2n (X )) Already addressed in [PG13] and [RVM + 14] (next talk) 6 / 23
12 Hardware Implementation of BLISS The two costly steps are: Polynomial multiplications Ay in Z q [X ]/(Φ 2n (X )) Already addressed in [PG13] and [RVM + 14] (next talk) Discrete Gaussian Sampling y DZ,σ m for large σ Needs high precision sampling (learning attacks) Long Floating Points Arith. [GPV08] Slow algorithms [DDLL13] Large tables/trees [DG14] 6 / 23
13 Hardware Implementation of BLISS The two costly steps are: Polynomial multiplications Ay in Z q [X ]/(Φ 2n (X )) Already addressed in [PG13] and [RVM + 14] (next talk) Discrete Gaussian Sampling y DZ,σ m for large σ Needs high precision sampling (learning attacks) Long Floating Points Arith. [GPV08] Slow algorithms [DDLL13] Large tables/trees [DG14] Most of our contributions deal with hardware implementation of Discrete Gaussian Sampling. 6 / 23
14 Algorithmic contributions to Gaussian samping We focus on the fastest method to sample Discrete Gaussian using Cumulative Distribution Tables (CDT). Operation: Binary search accelerated by guide tables Problem: Naïve implementation would require 42KB 7 / 23
15 Algorithmic contributions to Gaussian samping We focus on the fastest method to sample Discrete Gaussian using Cumulative Distribution Tables (CDT). Operation: Binary search accelerated by guide tables Problem: Naïve implementation would require 42KB We introduce two new techniques: Gaussian sampling by convolution Kullback-Leibler-divergence based security argument Our algorithm requires a table of 2.1KB, and is almost as fast 7 / 23
16 1 Introduction 2 Algorithmic contributions 3 Implementation and Performances 4 Conclusion 8 / 23
17 (Discrete) Gaussians convolutions A convolution of gaussians is a gaussian. 9 / 23
18 (Discrete) Gaussians convolutions And what about discrete Gaussians? 9 / 23
19 (Discrete) Gaussians convolutions Well, depending on the parameter... 9 / 23
20 (Discrete) Gaussians convolutions It may seem quite Gaussian. 9 / 23
21 Peikert s Convolution Theorem Lemma (Adapted from [Pei10]) Let x 1 D Z,σ1, x 2 D Z,σ2 and set σ3 2 = σ1 2 + σ2 2, and σ 2 = σ1 2 + σ2 2. If σ 1 ω( log n) and σ 3 k ω( log n), then: x 1 + kx 2 D Z,σ. Application to BLISS-I: We can sample two variables x 1, x 2 of deviation σ = 19.5 to obtain x = x x 2, of deviation σ = 215. Impact: Size of table is reduced from 42KB to 4.5KB. Running time is less than doubled (binary search is faster for σ ). 10 / 23
22 Kullback-Leibler divergence Definition (Kullback-Leibler Divergence) Let P and Q be distribution over S. The KL divergence, of Q from P is defined as: D KL (P Q) = ( ) P(i) ln P(i). Q(i) i S KL-divergence allows the same arguments as Statistical Distance: Fact (Addivity and Datta Processing inequality) D KL (P 0 P 1 Q 0 Q 1 ) = D KL (P 0 Q 0 ) + D KL (P 1 Q 1 ) for any function f : D KL (f (P) f (Q)) D KL (P Q) 11 / 23
23 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler : 0 1 n A 0 : B 0 Secure 12 / 23
24 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler Approx. Sampler : 0 1 B 1 2 +ɛ : 0 1 n n A A : B 0 Secure Broken : B / 23
25 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler Approx. Sampler : 0 1 B 1 2 +ɛ : 0 1 n n A A : B 0 Secure Broken : B 1 3 Statistical distance argument (B 1, B 1 +ɛ) = Θ(ɛ), (B 0, B 1 ) = Θ(1) n Θ(1/ɛ) 12 / 23
26 Kullback-Leibler vs. Statistical distance: Example B 1 2 Exact Sampler Approx. Sampler : 0 1 B 1 2 +ɛ : 0 1 n n A A : B 0 Secure Broken : B 1 3 KL-Divergence argument D KL (B 1 B 1 +ɛ) = Θ(ɛ2 ), D KL (B 0 B 1 ) = Θ(1) n Θ(1/ɛ 2 ) 12 / 23
27 Kullback-Leibler vs. Statistical distance: Rule of Thumb Averaged absolute error (P, Q) = 1 2 D KL Averaged squared relative error i P(i) Q(i) D KL (P Q) 2 P(i) Q(i) i P(i) 2 P(i). Limits of KL-divergence D KL is not symmetric Can be worse than (e.g. Tailcutting) Improvements only for reduction to Search Problems 13 / 23
28 Truncating Cumulative Distribution Table Full CDT / 23
29 Truncating Cumulative Distribution Table Truncating left-most zeros / 23
30 Truncating Cumulative Distribution Table Truncating right-most bits using KL-divergence / 23
31 1 Introduction 2 Algorithmic contributions 3 Implementation and Performances 4 Conclusion 15 / 23
32 FPGA Implementation of BLISS-I : CDT Sampler Trivium Trivium Trivium Uniform LIFO Ring Buffer 128x8 BinSearch i j Comparator max min Reverse Table:tR Address Exponents Table:tE Startt Table:tS Table:tT 1-1 RAM:tB 0:tttttttttt0 1:tttttttttt0 ''' 1992:tt :t198 x 1. x x Ring-buffer to store random numbers generated by Trivium instantiation Binary-search component operates on block RAM B Biggest challenge: Critical path of binary search 16 / 23
33 FPGA Implementation of BLISS-I : Signing PolyMul message Compute2U secret-key Rv R) temp( NTT R( RG ALU Decoder Gaussian FIFO sampler KBernoulli-or-CDT[ BRAM2U BRAM2Y/ BRAM2Y( Hash Ram2U Ram2M Keccak2f[(Fvv] ExtractPos Ram2Pos SparseMul Core2S/2( Core2S(2( Ram2S/ Ram2S( MAC MAC Core2S/2/ Core2S(2/ Ram2S/ Ram2S( MAC MAC Compression Z/ Compress Z( Rejection- Sampling Norm B expk xy f[ Scalar Trivium Z/ Z( reject c Number theoretic transform (NTT) multiplier (ay 1 ) Keccak-1600 hash function Fast sparse multiplier (z 1 = s 1 c + y 1, z 2 = s 2 c + y 2 ) 17 / 23
34 FPGA Implementation of BLISS-I : Results Algorithm LUT FF BRAM DSP OPs/s BLISS-1[Sign] 7,491 7, k signs/s BLISS-1[Ver] 5,275 4, ,4k verifs/s CDT-Sampler 928 1, ,4 M samp./s Bernoulli Sampler 1,178 1, ,4 M samp./s Results are given for a 1024-bit message on Spartan6-LX25-3 High-speed signing and verification DT sampler is twice as fast as Bernoulli sampler for similar resource consumption 18 / 23
35 FPGA Implementation of BLISS-I : Comparision Algorithm LUT FF BRAM DSP OPs/s BLISS-1[Sign] 7,491 7, ,958 signs/sec BLISS-1[Ver] 5,275 4, ,438 signs/sec GLP-1[Sign/Ver] 6,088 6, ,627/7,438 RSA-2048 [Sign] 4190 slices Curve ECDSA , /110 [Sign/Ver] LUT/FF pairs Implementation faster that RSA and prime curve ECC/ECDSA Faster, shorter and more secure than GLP lattice-signature Reasonable area consumption 19 / 23
36 Conclusion Lattice-based Crypto is ready. BLISS compares to standardized signature schemes, in both Software and Hardware New geometric analysis will make it even faster [D14, To appear, see Rump Session] Time has come for standardization of lattice-based cryptography. Provide alternative/fallbacks to ECC/RSA Mostly unpatended Motivate more work: Comprehensive Cryptanalysis, Improved Algorithms, Lightweight Implementation, Side Channel Attacks, / 23
37 Open Access, Open-Sources Full and updated paper: Software implementation: Hardware implementation: Thanks! 21 / 23
38 Léo Ducas, Alain Durmus, Tancrède Lepoint, and Vadim Lyubashevsky. Lattice signatures and bimodal gaussians. In Ran Canetti and Juan A. Garay, editors, CRYPTO 2013, Part I, volume 8042 of LNCS, pages 40 56, Santa Barbara, CA, USA, August 18 22, Springer, Berlin, Germany. Nagarjun C. Dwarakanath and Steven D. Galbraith. Sampling from discrete Gaussians for lattice-based cryptography on a constrained device. Applicable Algebra in Engineering, Communication and Computing, pages 1 22, Craig Gentry, Chris Peikert, and Vinod Vaikuntanathan. Trapdoors for hard lattices and new cryptographic constructions. In Richard E. Ladner and Cynthia Dwork, editors, 40th ACM STOC, pages , Victoria, British Columbia, Canada, May 17 20, ACM Press. Vadim Lyubashevsky. Fiat-Shamir with aborts: Applications to lattice and factoring-based signatures. In Mitsuru Matsui, editor, ASIACRYPT 2009, volume 5912 of LNCS, pages , Tokyo, Japan, December 6 10, Springer, Berlin, Germany. 22 / 23
39 Vadim Lyubashevsky. Lattice signatures without trapdoors. In David Pointcheval and Thomas Johansson, editors, EUROCRYPT 2012, volume 7237 of LNCS, pages , Cambridge, UK, April 15 19, Springer, Berlin, Germany. Chris Peikert. An efficient and parallel gaussian sampler for lattices. In Tal Rabin, editor, CRYPTO 2010, volume 6223 of LNCS, pages 80 97, Santa Barbara, CA, USA, August 15 19, Springer, Berlin, Germany. Thomas Pöppelmann and Tim Güneysu. Towards practical lattice-based public-key encryption on reconfigurable hardware. In Tanja Lange, Kristin Lauter, and Petr Lisonek, editors, SAC 2013, volume 8282 of LNCS, pages 68 85, Burnaby, BC, Canada, August 14 16, Springer, Berlin, Germany. Sujoy Sinha Roy, Frederik Vercauteren, Nele Mentens, Donald Donglong Chen, and Ingrid Verbauwhede. Compact Ring-LWE based cryptoprocessor. In CHES 14, / 23
Compact Ring LWE Cryptoprocessor
1 Compact Ring LWE Cryptoprocessor CHES 2014 Sujoy Sinha Roy 1, Frederik Vercauteren 1, Nele Mentens 1, Donald Donglong Chen 2 and Ingrid Verbauwhede 1 1 ESAT/COSIC and iminds, KU Leuven 2 Electronic Engineering,
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationMasking the GLP Lattice-Based Signature Scheme at any Order
Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin
More informationRing-LWE: Applications to cryptography and their efficient realization
Ring-LWE: Applications to cryptography and their efficient realization Sujoy Sinha Roy, Angshuman Karmakar, and Ingrid Verbauwhede ESAT/COSIC and iminds, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More informationSimple Lattice Trapdoor Sampling from a Broad Class of Distributions
Simple Lattice Trapdoor Sampling from a Broad Class of Distributions Vadim Lyubashevsky 1 and Daniel Wichs 2 1 Inria/ENS, Paris 2 Northeastern University Abstract. At the center of many lattice-based constructions
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland, New Zealand. S.Bai@auckland.ac.nz S.Galbraith@math.auckland.ac.nz
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationA Lattice-based AKE on ARM Cortex-M4
A Lattice-based AKE on ARM Cortex-M4 Julian Speith 1, Tobias Oder 1, Marcel Kneib 2, and Tim Güneysu 1,3 1 Horst Görtz Institute for IT Security, Ruhr-Universität Bochum, Germany {julian.speith,tobias.oder,tim.gueneysu}@rub.de
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationCompact and Side Channel Resistant Discrete Gaussian Sampling
1 Compact and Side Channel Resistant Discrete Gaussian Sampling Sujoy Sinha Roy, Oscar Reparaz, Frederik Vercauteren, and Ingrid Verbauwhede Abstract Discrete Gaussian sampling is an integral part of many
More informationSAMPLING FROM DISCRETE GAUSSIANS FOR LATTICE-BASED CRYPTOGRAPHY ON A CONSTRAINED DEVICE
SAMPLING FROM DISCRETE GAUSSIANS FOR LATTICE-BASED CRYPTOGRAPHY ON A CONSTRAINED DEVICE NAGARJUN C. DWARAKANATH AND STEVEN D. GALBRAITH ABSTRACT. Modern lattice-based public-key cryptosystems require sampling
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationPractical Lattice-Based Digital Signature Schemes
Practical Lattice-Based Digital Signature Schemes Howe, J., Poppelmann, T., O'Neill, M., O'Sullivan, E., & Guneysu, T. (2015). Practical Lattice-Based Digital Signature Schemes. ACM Transactions on Embedded
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Sonia Belaïd Joint Work with Gilles Barthe, Thomas Espitau, Pierre-Alain Fouque, Benjamin Grégoire, Mélissa Rossi, and Mehdi Tibouchi 1 / 31
More informationThe Rényi Divergence and Security Proofs
The Rényi Divergence and Security Proofs Thomas Prest Introduction 1 Introduction 2 Theory 1 The Rényi Divergence 2 Three useful lemmas 3 Framework for proving stuff 3 Practice 1 Application 1: Security
More informationLP Solutions of Vectorial Integer Subset Sums Cryptanalysis of Galbraith s Binary Matrix LWE
LP Solutions of Vectorial Integer Subset Sums Cryptanalysis of Galbraith s Binary Matrix LWE Gottfried Herold and Alexander May Horst Görtz Institute for IT-Security Ruhr-University Bochum, Germany Faculty
More informationDiscrete Ziggurat: A Time-Memory Trade-Off for Sampling from a Gaussian Distribution over the Integers
Discrete Ziggurat: A Time-Memory Trade-Off for Sampling from a Gaussian Distribution over the Integers Johannes Buchmann, Daniel Cabarcas, Florian Göpfert (B), Andreas Hülsing, and Patrick Weiden Technische
More informationNewHope for ARM Cortex-M
for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationDiscrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers
Discrete Ziggurat: A Time-Memory Trade-off for Sampling from a Gaussian Distribution over the Integers Johannes Buchmann, Daniel Cabarcas, Florian Göpfert, Andreas Hülsing, and Patrick Weiden Technische
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationPractical CCA2-Secure and Masked Ring-LWE Implementation
Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationImplementing RLWE-based Schemes Using an RSA Co-Processor
Implementing RLWE-based Schemes Using an RSA Co-Processor Martin R. Albrecht 1, Christian Hanser 2, Andrea Hoeller 2, Thomas Pöppelmann 3, Fernando Virdia 1, Andreas Wallner 2 1 Information Security Group,
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationPractical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems
Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems Tim Güneysu 1, Vadim Lyubashevsy 2, and Thomas Pöppelmann 1 1 Horst Görtz Institute for IT-Security, Ruhr-University Bochum,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationLattice Signature Schemes. Vadim Lyubashevsky INRIA / ENS Paris
Lattice Signature Schemes Vadim Lyubashevsky INRIA / ENS Paris LATTICE PROBLEMS The Knapsack Problem A = t mod q A is random in Z q n x m s is a random small vector in Z q m t=as mod q s Given (A,t), find
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationImproved Short Lattice Signatures in the Standard Model
Improved Short Lattice Signatures in the Standard Model Léo Ducas and Daniele Micciancio University of California, San Diego {lducas,daniele}@eng.ucsd.edu Abstract We present a signature scheme provably
More informationImprovement and Efficient Implementation of a Lattice-Based Signature Scheme
Improvement and Efficient Implementation of a Lattice-Based Signature Scheme Rachid El Bansarkhani (B) and Johannes Buchmann Fachbereich Informatik Kryptographie und Computeralgebra, Technische Universität
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationCRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme
CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme Léo Ducas 1, Eike Kiltz 2, Tancrède Lepoint 3, Vadim Lyubashevsky 4, Peter Schwabe 5, Gregor Seiler 6 and Damien Stehlé 7 1 CWI, Netherlands
More informationA signature scheme from the finite field isomorphism problem
A signature scheme from the finite field isomorphism problem Jeffrey Hoffstein 1, Joseph H. Silverman 1, William Whyte 2, and Zhenfei Zhang 2 1 Brown University, Providence, USA {jhoff,jhs}@math.brown.edu
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationPart I: Introduction to Post Quantum Cryptography Taipei. Tim Güneysu Ruhr-Universität Bochum & DFKI
Part I: Introduction to Post Quantum Cryptography Tutorial@CHES 2017 - Taipei Tim Güneysu Ruhr-Universität Bochum & DFKI 04.10.2017 Overview Goals Provide a high-level introduction to Post-Quantum Cryptography
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe 1, Sonia Belaïd 2, Thomas Espitau 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Mélissa Rossi 6,7, and Mehdi Tibouchi 8 1 IMDEA
More informationFACCT: FAst, Compact, and Constant-Time Discrete Gaussian Sampler over Integers
FACCT: FAst, Compact, and Constant-Time Discrete Gaussian Sampler over Integers Raymond K. Zhao, Ron Steinfeld and Amin Sakzad Faculty of Information Technology, Monash University, {raymond.zhao,ron.steinfeld,amin.sakzad}@monash.edu
More informationLow-Cost and Area-Efficient FPGA Implementations of Lattice-Based Cryptography
Low-Cost and Area-Efficient FPGA Implementations of Lattice-Based Cryptography Aydin Aysu, Cameron Patterson and Patrick Schaumont Electrical and Computer Engineering Department Virginia Tech Blacksburg,
More informationDouble-Moduli Gaussian Encryption/Decryption with Primary Residues and Secret Controls
Int. J. Communications, Network and System Sciences, 011, 4, 475-481 doi:10.436/ijcns.011.47058 Published Online July 011 (http://www.scirp.org/journal/ijcns) Double-Moduli Gaussian Encryption/Decryption
More informationMasking the GLP Lattice-Based Signature Scheme at Any Order
Masking the GLP Lattice-Based Signature Scheme at Any Order Gilles Barthe 1, Sonia Belaïd 2, Thomas Espitau 3, Pierre-Alain Fouque 4, Benjamin Grégoire 5, Mélissa Rossi 6,7, and Mehdi Tibouchi 8 1 IMDEA
More informationEfficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography
Efficient Finite Field Multiplication for Isogeny Based Post Quantum Cryptography Angshuman Karmakar 1 Sujoy Sinha Roy 1 Frederik Vercauteren 1,2 Ingrid Verbauwhede 1 1 COSIC, ESAT KU Leuven and iminds
More informationSide Channel Analysis and Protection for McEliece Implementations
Side Channel Analysis and Protection for McEliece Implementations Thomas Eisenbarth Joint work with Cong Chen, Ingo von Maurich and Rainer Steinwandt 9/27/2016 NATO Workshop- Tel Aviv University Overview
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationRevisiting TESLA in the quantum random oracle model
Revisiting TESLA in the quantum random oracle model Erdem Alkim 1, Nina Bindel 2, Johannes Buchmann 2, Özgür Dagdelen 3, Edward Eaton 4,5, Gus Gutoski 4, Juliane Krämer 2, and Filip Pawlega 4,5 1 Ege University,
More informationFrom 5-pass MQ-based identification to MQ-based signatures
From 5-pass MQ-based identification to MQ-based signatures Ming-Shing Chen 1,2, Andreas Hülsing 3, Joost Rijneveld 4, Simona Samardjiska 5, Peter Schwabe 4 National Taiwan University 1 / Academia Sinica
More informationKatz, Lindell Introduction to Modern Cryptrography
Katz, Lindell Introduction to Modern Cryptrography Slides Chapter 12 Markus Bläser, Saarland University Digital signature schemes Goal: integrity of messages Signer signs a message using a private key
More informationImproving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems
Improving the efficiency of Generalized Birthday Attacks against certain structured cryptosystems Robert Niebuhr 1, Pierre-Louis Cayrel 2, and Johannes Buchmann 1,2 1 Technische Universität Darmstadt Fachbereich
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationDifferential Fault Attacks on Deterministic Lattice Signatures
S C I E N C E P A S S I O N T E C H N O L O G Y Differential Fault Attacks on Deterministic Lattice Signatures Leon Groot Bruinderink 1, Peter Pessl 2 1 Technische Universiteit Eindhoven, 2 Graz University
More informationReduced Memory Meet-in-the-Middle Attack against the NTRU Private Key
Submitted exclusively to the London Mathematical Society doi:10.1112/0000/000000 Reduced Memory Meet-in-the-Middle Attack against the NTRU Private Key Christine van Vredendaal Abstract NTRU is a public-key
More informationLattice Signatures Without Trapdoors
Lattice Signatures Without Trapdoors Vadim Lyubashevsky INRIA / École Normale Supérieure Abstract. We provide an alternative method for constructing lattice-based digital signatures which does not use
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationLoop abort Faults on Lattice-Based Fiat-Shamir Hash n Sign signatures
Loop abort Faults on Lattice-Based Fiat-Shamir Hash n Sign signatures Thomas Espitau, Pierre-Alain Fouque, Benoit Gérard, Mehdi Tibouchi To cite this version: Thomas Espitau, Pierre-Alain Fouque, Benoit
More informationRing-LWE security in the case of FHE
Chair of Naval Cyber Defense 5 July 2016 Workshop HEAT Paris Why worry? Which algorithm performs best depends on the concrete parameters considered. For small n, DEC may be favourable. For large n, BKW
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationLattice Signatures Without Trapdoors
Lattice Signatures Without Trapdoors Vadim Lyubashevsky INRIA / École Normale Supérieure Abstract. We provide an alternative method for constructing lattice-based digital signatures which does not use
More informationFormal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers
Formal Fault Analysis of Branch Predictors: Attacking countermeasures of Asymmetric key ciphers Sarani Bhattacharya and Debdeep Mukhopadhyay Indian Institute of Technology Kharagpur PROOFS 2016 August
More informationDetermination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes
Determination and exploration of practical parameters for the latest Somewhat Homomorphic Encryption (SHE) Schemes Vincent Migliore, Guillaume Bonnoron, Caroline Fontaine To cite this version: Vincent
More informationFPGA-based Niederreiter Cryptosystem using Binary Goppa Codes
FPGA-based Niederreiter Cryptosystem using Binary Goppa Codes Wen Wang 1, Jakub Szefer 1, and Ruben Niederhagen 2 1. Yale University, USA 2. Fraunhofer Institute SIT, Germany April 9, 2018 PQCrypto 2018
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationIn Praise of Twisted Canonical Embedding
In Praise of Twisted Canonical Embedding Jheyne N. Ortiz 1, Robson R. de Araujo 2, Ricardo Dahab 1, Diego F. Aranha 1, and Sueli I. R. Costa 2 1 Institute of Computing, University of Campinas, Brazil jheyne.ortiz@ic.unicamp.br
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationA subfield lattice attack on overstretched NTRU assumptions
A subfield lattice attack on overstretched NTRU assumptions Cryptanalysis of some FHE and Graded Encoding Schemes Martin R. Albrecht, Shi Bai and Léo Ducas London-ish Lattice Coding and Cryptography Meeting,
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationA Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes
A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationMultivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar?
Multivariate Public Key Cryptography or Why is there a rainbow hidden behind fields full of oil and vinegar? Christian Eder, Jean-Charles Faugère and Ludovic Perret Seminar on Fundamental Algorithms, University
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationA Lattice-Based Threshold Ring Signature Scheme (TRSS-L)
A Lattice-Based Threshold Ring Signature Scheme (TRSS-L) Pierre-Louis Cayrel 1 Richard Lindner 2 Markus Rückert 2 Rosemberg Silva 3 1 Center for Advanced Security Research Darmstadt (CASED) 2 Technische
More informationNoisy Diffie-Hellman protocols
Noisy Diffie-Hellman protocols Carlos Aguilar 1, Philippe Gaborit 1, Patrick Lacharme 1, Julien Schrek 1 and Gilles Zémor 2 1 University of Limoges, France, 2 University of Bordeaux, France. Classical
More informationA lattice-based partially blind signature
SECURITY AND COMMUNICATION NETWORKS Security Comm. Networks 206; 9:820 828 Published online February 206 in Wiley Online Library (wileyonlinelibrary.com)..439 SPECIAL ISSUE PAPER A lattice-based partially
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More information