attacks on lattice crypto december 7th 2016
play

Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup - PowerPoint PPT Presentation

Sep 19, 2022 •214 likes •686 views

RUHR-UNIVERSITT BOCHUM Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 1 RUHR-UNIVERSITT

  1. RUHR-UNIVERSITÄT BOCHUM Attacks on Lattice Crypto December 7th, 2016 FluxFingers Workgroup Symmetric Cryptography Ruhr University Bochum Friedrich Wiemer Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 1

  2. RUHR-UNIVERSITÄT BOCHUM Why is Lattice Based Crypto important? Or interesting? Or. . . ? Buzzword Bingo. Some facts It is a Post-Quantum secure Cryptosystem (PQC) Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 2

  3. RUHR-UNIVERSITÄT BOCHUM Why is Lattice Based Crypto important? Or interesting? Or. . . ? Buzzword Bingo. Some facts It is a Post-Quantum secure Cryptosystem (PQC) It is damn fast (faster than dinosauRS cryptA) Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 2

  4. RUHR-UNIVERSITÄT BOCHUM Why is Lattice Based Crypto important? Or interesting? Or. . . ? Buzzword Bingo. Some facts It is a Post-Quantum secure Cryptosystem (PQC) It is damn fast (faster than dinosauRS cryptA) You can build anything you want from it: Encryption, Signatures, even Hash Functions! Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 2

  5. RUHR-UNIVERSITÄT BOCHUM Why is Lattice Based Crypto important? Or interesting? Or. . . ? Buzzword Bingo. Some facts It is a Post-Quantum secure Cryptosystem (PQC) It is damn fast (faster than dinosauRS cryptA) You can build anything you want from it: Encryption, Signatures, even Hash Functions! It allows to build even some of the most advanced cryptographic building blocks: Fully Homomorphic Encryption (FHE), Multi-linear Maps, Identity-based Encryption (IBE), . . . Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 2

  6. RUHR-UNIVERSITÄT BOCHUM Why is Lattice Based Crypto important? Is everything done? Fully Homomorphic Encryption Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 3

  7. RUHR-UNIVERSITÄT BOCHUM The new cool kid in town. What is this Hype? “Lattice based Crypto is one of the most promising PQC candidates blablabla” (almost every paper on lattices) Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 4

  8. RUHR-UNIVERSITÄT BOCHUM The new cool kid in town. What is this Hype? “Lattice based Crypto is one of the most promising PQC candidates blablabla” (almost every paper on lattices) NSA supported this by announcing the need for PQC [KM15] in 2015 Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 4

  9. RUHR-UNIVERSITÄT BOCHUM The new cool kid in town. What is this Hype? “Lattice based Crypto is one of the most promising PQC candidates blablabla” (almost every paper on lattices) NSA supported this by announcing the need for PQC [KM15] in 2015 Alkim et al . won this year’s Internet Defense Prize [Fac16] for their lattice based key exchange “New Hope” [Alk+16] Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 4

  10. RUHR-UNIVERSITÄT BOCHUM The new cool kid in town. What is this Hype? “Lattice based Crypto is one of the most promising PQC candidates blablabla” (almost every paper on lattices) NSA supported this by announcing the need for PQC [KM15] in 2015 Alkim et al . won this year’s Internet Defense Prize [Fac16] for their lattice based key exchange “New Hope” [Alk+16] Google even implemented this in Chrome [Goob] Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 4

  11. RUHR-UNIVERSITÄT BOCHUM The new cool kid in town. What is this Hype? “Lattice based Crypto is one of the most promising PQC candidates blablabla” (almost every paper on lattices) NSA supported this by announcing the need for PQC [KM15] in 2015 Alkim et al . won this year’s Internet Defense Prize [Fac16] for their lattice based key exchange “New Hope” [Alk+16] Google even implemented this in Chrome [Goob] So, research is really vibrant here Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 4

  12. RUHR-UNIVERSITÄT BOCHUM Everything was fine. And then Shor entered the stage. . . A cryptographic thriller Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 5

  13. RUHR-UNIVERSITÄT BOCHUM Everything was fine. And then Shor entered the stage. . . A cryptographic thriller . . . and published an efficient CVP quantum algorithm [ES16] for one day the cryptographic community was shocked! Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 5

  14. RUHR-UNIVERSITÄT BOCHUM Everything was fine. And then Shor entered the stage. . . A cryptographic thriller . . . and published an efficient CVP quantum algorithm [ES16] for one day the cryptographic community was shocked! . . . and then Regev saved us all by finding a flaw in the paper [Reg] but still, Google stopped its PQ key exchange experiment with New Hope [Gooa] Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 5

  15. Enough motivation! How does Lattice Crypto work?

  16. RUHR-UNIVERSITÄT BOCHUM How does Lattice Based Crypto work? Wait! Lattice, wtf? Definition: A lattice L is an discrete, additive, abelian subgroup of R n . Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 7

  17. RUHR-UNIVERSITÄT BOCHUM How does Lattice Based Crypto work? Wait! Lattice, wtf? Definition: A lattice L is an discrete, additive, abelian subgroup of R n . Definition: Let b 1 , b 2 , . . . , b d ∈ R n , d � n linear independent. Then the set � � � d � � v ∈ R n L = � v = a i b i , a i ∈ Z � � i = 1 is a lattice. Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 7

  18. RUHR-UNIVERSITÄT BOCHUM Hey! You promised, this will be easy! Lattice, dt.: Gitter Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 8

  19. RUHR-UNIVERSITÄT BOCHUM Hey! You promised, this will be easy! OK, OK, we can say it easier: Z 2 is a Lattice Example lattice Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 9

  20. RUHR-UNIVERSITÄT BOCHUM Hey! You promised, this will be easy! OK, OK, we can say it easier: Z 2 is a Lattice Random Basis Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 9

  21. RUHR-UNIVERSITÄT BOCHUM Hey! You promised, this will be easy! OK, OK, we can say it easier: Z 2 is a Lattice Random Basis Reduced Basis In general, basis reduction is a hard problem! The LLL and BKZ algorithm ’s implementation of BKZ has 2 n 2 runtime. are available for this. NTL Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 9

  22. RUHR-UNIVERSITÄT BOCHUM Hard Problems in Lattices. . . . . . are what we need for crypto. Shortest Vector Problem (SVP) Given a lattice L , what is a shortest vector v ∈ L \ { 0 } ? Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 10

  23. RUHR-UNIVERSITÄT BOCHUM Hard Problems in Lattices. . . . . . are what we need for crypto. Example Shortest Vector Problem (SVP) Given a lattice L , what is a shortest vector v ∈ L \ { 0 } ? Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 10

  24. RUHR-UNIVERSITÄT BOCHUM Hard Problems in Lattices. . . . . . are what we need for crypto. Closest Vector Problem (CVP) Given a lattice L and a target t / ∈ L , what is the closest vector v ∈ L to t ? Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 11

  25. RUHR-UNIVERSITÄT BOCHUM Hard Problems in Lattices. . . . . . are what we need for crypto. Example Closest Vector Problem (CVP) Given a lattice L and a target t / ∈ L , what is the closest vector v ∈ L to t ? Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 11

  26. RUHR-UNIVERSITÄT BOCHUM Lattice Based Crypto Learning With Errors – or: the equivalent to textbook RSA Key Generation 1 1 Thanks to Elena for the nice pictures. Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 12

  27. RUHR-UNIVERSITÄT BOCHUM Lattice Based Crypto Learning With Errors – or: the equivalent to textbook RSA Encryption Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 12

  28. RUHR-UNIVERSITÄT BOCHUM Lattice Based Crypto Learning With Errors – or: the equivalent to textbook RSA Decryption Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 12

  29. RUHR-UNIVERSITÄT BOCHUM Attack Algorithm In practice most efficient strategy is Babai’s Nearest Plane [Bab86], improved by Lindner and Peikert [LP11] and Gama et al . [GNR10]. Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 13

  30. RUHR-UNIVERSITÄT BOCHUM Nearest Plane or BDD Enumeration Attack Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 14

  31. RUHR-UNIVERSITÄT BOCHUM Nearest Plane or BDD Enumeration Step 1: Basis Reduction Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 14

  32. RUHR-UNIVERSITÄT BOCHUM Nearest Plane or BDD Enumeration Step 2: Enumerate Nearest Planes Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 14

  33. RUHR-UNIVERSITÄT BOCHUM Parallel Implementation of BDD enumeration for LWE Finally, what we (joint work with Elena Kirshanova and Alex May) did: Research Project Goal: What is the practical runtime of BDD enumeration? Build a parallel implementation of NearestPlanes . Test this on some large scale parallel system. Hopefully break some real world parameters. Friedrich Wiemer | Attacks on Lattice Crypto | December 7th, 2016 15

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth

TPM-Fail TPM meets Timing and Lattice Attacks Daniel Moghimi Berk Sunar Thomas Eisenbarth Nadia Heninger 01/08/2020 Real World Crypto TPM 2 Trusted Platform Module (TPM) Software is Hackers? insecure. Bad Guys? Heartbleed? Rootkits?

437 views • 39 slides
FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 4: Lattice-Based Crypto. IV Ron Steinfeld Clayton School of IT Monash University March 2016 Ron Steinfeld FIT5124 Advanced Topics in SecurityLecture 4: Lattice-Based Crypto. IV Mar 2014 1/33 Plan

932 views • 39 slides
Timing Attacks and Countermeasures Peter Schwabe June 10, 2016 Summer school on real-world

Timing Attacks and Countermeasures Peter Schwabe June 10, 2016 Summer school on real-world

Timing Attacks and Countermeasures Peter Schwabe June 10, 2016 Summer school on real-world crypto and privacy ibenik, Croatia Secure Crypto Research over the past decades has produced several secure crypto algorithms: AES-256 block

1.04k views • 85 slides
Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto

Fundamentals of Lattice-Based Cryptography Chris Peikert University of Michigan 2nd Crypto Innovation School Shanghai, China 13 December 2019 1 / 23 Talk Outline 1 Lattices and hard problems 2 The SIS and LWE problems; basic applications 3

970 views • 94 slides
Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on

1 Exploring the parameter space in lattice attacks Daniel J. Bernstein Tanja Lange Based on attack survey from 2019 BernsteinChuengsatiansup Langevan Vredendaal. Some hard lattice meta-problems: Analyze cost of known attacks.

489 views • 36 slides
FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton

Introduction FIT5124 Advanced Topics in Security Lecture 1: Lattice-Based Crypto. I Ron Steinfeld Clayton School of IT Monash University March 2016 Acknowledgements: Some figures sourced from Oded Regevs Lecture Notes on Lattices in

460 views • 30 slides
Lattice Simplices of Bounded Degree Einstein Workshop on Lattice Polytopes 2016 Johannes

Lattice Simplices of Bounded Degree Einstein Workshop on Lattice Polytopes 2016 Johannes

Lattice Simplices of Bounded Degree Einstein Workshop on Lattice Polytopes 2016 Johannes Hofscheier Otto-von-Guericke-Universit at Magdeburg joint with Akihiro Higashitani Tuesday 13 December 2016 Motivation LLS LSD Deg. 2 Appl. Basic

784 views • 77 slides
An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010 1 / 10 Lattice-Based Crypto L R n b 2 b 1 2 / 10 Lattice-Based Crypto L R n p 1 p 2 2 / 10 Lattice-Based Crypto L R n b 2 p 1 b 1 =

975 views • 60 slides
Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun

Lattice Attacks against Elliptic-Curve Signatures with Blinded Scalar Multiplication Dahmun Goudarzi, Matthieu Rivain, Damien Vergnaud SAC 2016, 12 Aug, St. Johns Outline EC signature schemes based on random nonces computed from [ k ]

696 views • 52 slides
White-Box Cryptography Don't Forget About Grey Box Attacks Joppe W. Bos Real World Crypto 2017

White-Box Cryptography Don't Forget About Grey Box Attacks Joppe W. Bos Real World Crypto 2017

Based on: J. W. Bos, C. Hubain, W. Michiels, P. Teuwen. In CHES 2016: Differential computation analysis: Hiding your white-box designs is not enough . White-Box Cryptography Don't Forget About Grey Box Attacks Joppe W. Bos Real World Crypto 2017

477 views • 29 slides
Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work

Lattice Assumptions in Crypto: Status Update Chris Peikert University of Michigan (covers work with Oded Regev and Noah Stephens-Davidowitz to appear, STOC17) 10 March 2017 1 / 14 Lattice-Based Cryptography p d o m x g = y N =

1.01k views • 84 slides
Basic Cryptanalysis Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto &

Basic Cryptanalysis Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto &

Basic Cryptanalysis Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto & Applications 1 Bar-Ilan University, Israel 2012 Outline LLL sketch Application to Subset Sum Application to SIS Application to LWE Lattice

716 views • 49 slides
KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on

KRACKing WPA2 and Mitigating Future Attacks Mathy Vanhoef @vanhoefm CRYPTO Workshop on Attacks (WAC), Santa Barbara, 18 August 2018 Overview Key reinstalls in 4-way handshake Misconceptions Practical impact Channel validation 2

646 views • 51 slides
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque

Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Universit de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring Attack 3.

697 views • 40 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC410/611: Security Security Security Attacks Security Threats Crypto

CPSC 410 / 611 : Operating Systems CPSC410/611: Security Security Security Attacks Security Threats Crypto Authentication Examples SSL Security Threats Breach of confidentiality unauthorized access to

458 views • 18 slides
Todays Objec3ves TCP Wrap Up Services: Buzzword Bingo Threads and Synchroniza3on

Todays Objec3ves TCP Wrap Up Services: Buzzword Bingo Threads and Synchroniza3on

9/22/17 Todays Objec3ves TCP Wrap Up Services: Buzzword Bingo Threads and Synchroniza3on Sept 22, 2017 Sprenkle - CSCI325 1 Review What layer is TCP? What does it add that the lower level does not have? How does it add

362 views • 11 slides
Overview Introduction Design Processes Jrg Cassens Linear Models Iterative Models SoSe

Overview Introduction Design Processes Jrg Cassens Linear Models Iterative Models SoSe

Required Reading Overview Introduction Design Processes Jrg Cassens Linear Models Iterative Models SoSe 2019 References Contextual Design of Interactive Systems SoSe 2019 Jrg Cassens Overview 1 / 81 Foreword Required

1.21k views • 99 slides
Introduction Rules & Regulations Updated: 12. April 2017 Dates & Times Websites

Introduction Rules & Regulations Updated: 12. April 2017 Dates & Times Websites

Welcome Introduction Rules & Regulations Updated: 12. April 2017 Dates & Times Websites Projects Jrg Cassens Discussion & Attendance Lab Course Media Informatics SoSe 2017 SoSe 2017 Jrg Cassens Introduction 1 / 75

1.59k views • 105 slides
Digital Signage Guide Composing Slides 1. Click the button. The Template screen appears. Here,

Digital Signage Guide Composing Slides 1. Click the button. The Template screen appears. Here,

Digital Signage Guide Composing Slides 1. Click the button. The Template screen appears. Here, you enter the project name and description, you determine the layout dimension, and you select the template you prefer. 2. You select the dimensions

407 views • 18 slides
Software Engineering Case Studies Bob Monroe Software Engineering Reading Group March 31, 1997

Software Engineering Case Studies Bob Monroe Software Engineering Reading Group March 31, 1997

Software Engineering Case Studies Bob Monroe Software Engineering Reading Group March 31, 1997 Overview Case study paper (Kitchenham et al) Overview of case study methodology Good case studies are powerful. They are also rare

561 views • 15 slides
Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki

Weird Machines on Little Robots Intro to binary exploitation on Android smartphones @f0rki 2013-06-06 Agenda Motivation ARM Primer Exploitation 101 Science, Bitches! Vulnerability classes Exploitation Defenses & Mitigation Techniques

899 views • 51 slides
SCALE APPLICATIONS FLEXIBLY WITH MICROPROFILE Ondrej Mihlyi @omihalyi SCALABLE APPLICATIONS

SCALE APPLICATIONS FLEXIBLY WITH MICROPROFILE Ondrej Mihlyi @omihalyi SCALABLE APPLICATIONS

SCALE APPLICATIONS FLEXIBLY WITH MICROPROFILE Ondrej Mihlyi @omihalyi SCALABLE APPLICATIONS What it means? Another buzzword? @OMihalyi HIGHLY SCALABLE APPLICATIONS !? Just great. Buzzword Bingo time! @OMihalyi SERIOUSLY, WHAT ARE WE

515 views • 29 slides
An Intuitive Guide to Combining Free Monad and Free Applicative Who Am I? I'm Cameron

An Intuitive Guide to Combining Free Monad and Free Applicative Who Am I? I'm Cameron

An Intuitive Guide to Combining Free Monad and Free Applicative Who Am I? I'm Cameron Linkedin - https://www.linkedin.com/in/cameron-joannidis/ Twitter - @CamJo89 Consult across a range of areas and have built many big data

1.13k views • 78 slides

More recommend