c r y s t a l s
play

C R Y S T A L S CRYptographic SuiTe for Algebraic LatticeS - PowerPoint PPT Presentation

Feb 11, 2024 •169 likes •557 views

C R Y S T A L S CRYptographic SuiTe for Algebraic LatticeS Shi Bai Joppe Bos Lo Ducas Eike Kiltz Tancrde Lepoint vadim Lyubashevsky John M. Schanck Peter Schwabe Damien Stehl Jan 4, 2017 - Real World Crypto Outline 2.

  1. C R Y S T A L S CRYptographic SuiTe for Algebraic LatticeS Shi Bai Joppe Bos Léo Ducas Eike Kiltz Tancrède Lepoint vadim Lyubashevsky John M. Schanck Peter Schwabe Damien Stehlé Jan 4, 2017 - Real World Crypto

  2. Outline 2. Module Latuices 3. Tie KEM 4. Open Qvantum Safe & Performances 5. Conclusion Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 1 / 27 1. Motivation

  3. Outline 1. Motivation 2. Module Latuices 3. Tie KEM 4. Open Qvantum Safe & Performances 5. Conclusion Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 2 / 27

  4. Previous talk: NIST http://nist.gov/pqcrypto Tiis talk is about LATTICE-BASED CRYPTOGRAPHY Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 3 / 27

  5. Lattice crypto in strongSwan OpenSource IPsec-based VPN Solution Early adopter of latuice-based crypto: 1 John Hofgstein, Jill Pipher, and Joseph E. Silverman. “NTRU: A New High Speed Public Key 2 Léo Ducas et al. “Latuice Signatures and Bimodal Gaussians”. In: CRYPTO (1) . Vol. 8042. LNCS. Springer, 2013. 3 Erdem Alkim et al. “Post-quantum Key Exchange - A New Hope”. In: USENIX Security Symposium . USENIX Association, 2016. Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 4 / 27 ▶ NTRUEncrypt 1 since Feb 2014 ▶ BLISS signature 2 since Jan 2015 ▶ NewHope 3 key exchange since Oct 2016 Cryptosystem”. In: ANTS III . vol. 1423. LNCS. Springer, 1998.

  6. Google’s experimentation with PQCrypto Impact assessment Combination of NewHope with ECDH (X25519) in TLS. Result: “ we did not fjnd any unexpected impediment to deploying something like NewHope ” 4 4 https://www.imperialviolet.org/2016/11/28/cecpq1.html Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 5 / 27

  7. Primary focus: KEM = KEM.Decaps() Sample random value Encrypt value using pk Send ciphertext c ClientComputeKey key = KDF(value) ServerComputeKey Decrypt c to recover value ClientKeyExchange key = KDF(value) Tie question is what post-quantum encryption scheme to use? Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto = KEM.Encaps() Send public key pk Server ClientComputeKey Client ClientHello ServerHello CertificateChain ServerKeyExchange ClientKeyExchange Finished Key generation ServerComputeKey Finished shared key application data ServerKeyExchange = KEM.Setup() 6 / 27

  8. Current lattice-based key excianges (learn more next talk) Reconciliation 5 Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) 2016/1157 (2016). 9 Erdem Alkim et al. “NewHope without reconciliation”. In: IACR Cryptology ePrint Archive USENIX Association, 2016. 8 Erdem Alkim et al. “Post-quantum Key Exchange - A New Hope”. In: USENIX Security Symposium . 7 Joppe W. Bos et al. “Post-Qvantum Key Exchange for the TLS Protocol from the Ring Learning with . In: ACM Conference on Computer and Communications Security . ACM, 2016. 6 Joppe W. Bos et al. “Frodo: Take ofg the Ring! Practical, Qvantum-Secure Key Exchange from LWE”. PQCrypto . Vol. 8772. LNCS. Springer, 2014 7 / 27 NewHope-Simple 9 NewHope 8 BCNS15 7 RLWE-based Frodo 6 LWE-based Encryption | comm | = 22.6 KiB | comm | > 22.6 KiB | comm | = 8.2 KiB | comm | = 3.9 KiB | comm | = 4 KiB 5 More complicated to implement (randomized doubling, latuice-quantizers, etc.) - cf. Jintai Ding. “A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem”. In: IACR Cryptology ePrint Archive 2012/688 (2012) and Chris Peikert. “Latuice Cryptography for the Internet”. In: Errors Problem”. In: IEEE Symposium on Security and Privacy . IEEE Computer Society, 2015, pp. 553–570.

  9. Why do people use a ring? 1 Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) 11 Daniel J. Bernstein et al. “NTRU Prime”. In: IACR Cryptology ePrint Archive 2016/461 (2016). Cryptosystem”. In: (1996). Preliminary Drafu. 10 John Hofgstein, Jill Pipher, and Joseph E. Silverman. “NTRU: A New High Speed Public Key 1 or LWE other possibilities 1011 1 usual ring RLWE vs. 8 / 27 ∈ Z q =

  10. Why do people use a ring? LWE vs. RLWE 10 John Hofgstein, Jill Pipher, and Joseph E. Silverman. “NTRU: A New High Speed Public Key Cryptosystem”. In: (1996). Preliminary Drafu. 11 Daniel J. Bernstein et al. “NTRU Prime”. In: IACR Cryptology ePrint Archive 2016/461 (2016). Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 8 / 27 ∈ Z q = usual ring Z q [ x ] / ( x n + 1 ) other possibilities 1011 x n − 1 or x p − x − 1

  11. Crystals: our cryptographic suite assumption Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) In: Des. Codes Cryptography 75.3 (2015). 12 Adeline Langlois and Damien Stehlé. “Worst-case to average-case reductions for module latuices”. Module latuices 12 exchange, AKE (KEM-DEM), key for encryption KEM can be used security easy to increase Modularity: no NTRU CCA-secure KEM sampling no Gaussian no reconciliation Simplicity: 9 / 27 C R Y S T A L S CRYptographic SuiTe for Algebraic LatticeS

  12. Kyber and Dilithium 13 Tianks Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) 14 Tim Güneysu, Vadim Lyubashevsky, and Tiomas Pöppelmann. “Practical Latuice-Based ! Dilithium the digital signature (Not today) 10 / 27 Module latuices : d -dimensional matrices of elements in Z q [ x ] / ( x 256 + 1 ) ▶ 256 is the number of bits we want to encrypt ▶ Allow to reach dimensions 256 · d ’s ▶ Increase d to increase security Kyber 13 the KEM ▶ CCA security ▶ Encryption-based KEM ▶ No Gaussian distribution (à la GLP12 14 ) Cryptography: A Signature Scheme for Embedded Systems”. In: CHES . vol. 7428. LNCS. Springer, 2012.

  13. Outline 2. Module Lattices 3. Tie KEM 4. Open Qvantum Safe & Performances 5. Conclusion Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 11 / 27 1. Motivation

  14. Module lattices Latuices Module Latuices Ring Latuices Module latuices are ”more general” than Ring latuices (fjnitely generated modules over the ring of integers of a number fjeld), and less structured Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 12 / 27 ∈ Z q Example: d -dimensional matrices of polynomials in Z q [ x ] / ( x 256 + 1 ) ▶ allows to reach all dimensions 256 · d ▶ allows to reduce modulus q w.r.t. to ring latuices for same security ▶ more fmexible

  15. Decision MLWE: Distinguish 13 / 27 Uniform Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) In: Des. Codes Cryptography 75.3 (2015). 18 Adeline Langlois and Damien Stehlé. “Worst-case to average-case reductions for module latuices”. 17 Vadim Lyubashevsky, Chris Peikert, and Oded Regev. “On Ideal Latuices and Learning with Errors 16 Benny Applebaum et al. “Fast Cryptographic Primitives and Circular-Secure Encryption Based on ACM, 2005. 15 Oded Regev. “On latuices, learning with errors, random linear codes, and cryptography”. In: STOC . and Small Uniform A with small secret and square matrices A Module learning with errors 15161718 over R = Z q [ x ] / ( x n + 1 ) × + = ⃗ s ⃗ ⃗ e b Hard Learning Problems”. In: CRYPTO . vol. 5677. LNCS. Springer, 2009. over Rings”. In: EUROCRYPT . vol. 6110. LNCS. Springer, 2010.

  16. Decision MLWE: Distinguish 13 / 27 Small Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) In: Des. Codes Cryptography 75.3 (2015). 18 Adeline Langlois and Damien Stehlé. “Worst-case to average-case reductions for module latuices”. 17 Vadim Lyubashevsky, Chris Peikert, and Oded Regev. “On Ideal Latuices and Learning with Errors 16 Benny Applebaum et al. “Fast Cryptographic Primitives and Circular-Secure Encryption Based on ACM, 2005. 15 Oded Regev. “On latuices, learning with errors, random linear codes, and cryptography”. In: STOC . and Small Uniform A with small secret and square matrices Module learning with errors 15161718 over R = Z q [ x ] / ( x n + 1 ) × + = ⃗ ⃗ s ⃗ e b d Hard Learning Problems”. In: CRYPTO . vol. 5677. LNCS. Springer, 2009. over Rings”. In: EUROCRYPT . vol. 6110. LNCS. Springer, 2010.

  17. 13 / 27 Uniform Jan 4, 2017 #realworldcrypto CRYSTALS Tancrède Lepoint (SRI International) In: Des. Codes Cryptography 75.3 (2015). 18 Adeline Langlois and Damien Stehlé. “Worst-case to average-case reductions for module latuices”. 17 Vadim Lyubashevsky, Chris Peikert, and Oded Regev. “On Ideal Latuices and Learning with Errors 16 Benny Applebaum et al. “Fast Cryptographic Primitives and Circular-Secure Encryption Based on ACM, 2005. 15 Oded Regev. “On latuices, learning with errors, random linear codes, and cryptography”. In: STOC . and Small Small A with small secret and square matrices Module learning with errors 15161718 over R = Z q [ x ] / ( x n + 1 ) × + = ⃗ ⃗ s ⃗ e b d Decision MLWE: Distinguish Hard Learning Problems”. In: CRYPTO . vol. 5677. LNCS. Springer, 2009. over Rings”. In: EUROCRYPT . vol. 6110. LNCS. Springer, 2010.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Cyclotomic Polytopes and Growth Series of Cyclotomic Lattices Matthias Beck & Serkan Ho

Cyclotomic Polytopes and Growth Series of Cyclotomic Lattices Matthias Beck & Serkan Ho

Cyclotomic Polytopes and Growth Series of Cyclotomic Lattices Matthias Beck & Serkan Ho sten San Francisco State University math.sfsu.edu/beck Math Research Letters Growth Series of Lattices L R d lattice of rank r M subset

534 views • 36 slides
Boundary Conflicts and Cluster Coarsening: Waves of Life and Death in the Cyclic Competition of

Boundary Conflicts and Cluster Coarsening: Waves of Life and Death in the Cyclic Competition of

Boundary Conflicts and Cluster Coarsening: Waves of Life and Death in the Cyclic Competition of Four Species Ahmed Roman, Michel Pleimling Virginia Tech, Blacksburg Friday, October 21 Roman A., Pleimling M. (Virginia Tech, Blacksburg)

368 views • 34 slides
Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere

Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere

Lattices and spherical designs. Gabriele Nebe Lehrstuhl D f ur Mathematik , Lattice sphere packings. Lattices. B = ( B 1 , . . . , B n ) basis of Euclidean space ( R n , ( , )) . L = { n i =1 a i B i | a i Z } lattice.

250 views • 24 slides
Counting lattice walks by winding angle Sminaire de combinatoire Philippe Flajolet Andrew Elvey

Counting lattice walks by winding angle Sminaire de combinatoire Philippe Flajolet Andrew Elvey

Counting lattice walks by winding angle Sminaire de combinatoire Philippe Flajolet Andrew Elvey Price CNRS, Universit de Tours October 2020 Counting lattice walks by winding angle Andrew Elvey Price L ATTICE WALKS BY WINDING ANGLE The

1.98k views • 151 slides
First test of a photonic band gap structure for ADMX-HF Workshop on Microwave Cavities and

First test of a photonic band gap structure for ADMX-HF Workshop on Microwave Cavities and

First test of a photonic band gap structure for ADMX-HF Workshop on Microwave Cavities and Detectors for Axion Research Livermore National Laboratory January 13, 2017 Samantha Lewis Graduate student University of California - Berkeley

391 views • 23 slides
What is now the status of = 1 / 2? Alexander Razumov Presqu le de Giens, June,

What is now the status of = 1 / 2? Alexander Razumov Presqu le de Giens, June,

What is now the status of = 1 / 2? Alexander Razumov Presqu le de Giens, June, 23, 2014 Yuri Stroganov 1944 2011 Contents 1 Vertex models 2 Six vertex model 3 XXZ spin chain at = 1 / 2 4 General XYZ spin chain

747 views • 48 slides
Packings of Equal Circles on Flat Tori William Dickinson Workshop on Rigidity Fields Institute

Packings of Equal Circles on Flat Tori William Dickinson Workshop on Rigidity Fields Institute

Packings of Equal Circles on Flat Tori William Dickinson Workshop on Rigidity Fields Institute October 14, 2011 Introduction Goal Understand locally and globally maximally dense packings of equal circles on a fixed torus. Introduction

879 views • 63 slides
Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y. Xiao and X. Xie Computer Science, McGill University, Montreal, Canada Fields Institute Workshop on Hybrid Methodologies for Symbolic-Numeric

1.3k views • 76 slides
The Laws of Linear Combination James H. Steiger Department of Psychology and Human Development

The Laws of Linear Combination James H. Steiger Department of Psychology and Human Development

The Laws of Linear Combination James H. Steiger Department of Psychology and Human Development Vanderbilt University James H. Steiger (Vanderbilt University) 1 / 21 The Laws of Linear Combination Goals for This Module 1 What is a Linear

546 views • 21 slides
NONE NONE Peter Gloviczki, MD Peter Gloviczki, MD Robert Zwolak, MD Robert Zwolak, MD Sean

NONE NONE Peter Gloviczki, MD Peter Gloviczki, MD Robert Zwolak, MD Robert Zwolak, MD Sean

Conflict of Interest Conflict of Interest What is Vascular Surgery What is Vascular Surgery Worth to a Health Care Worth to a Health Care System? System? NONE NONE Peter Gloviczki, MD Peter Gloviczki, MD Robert Zwolak, MD Robert Zwolak,

345 views • 9 slides
2012 NCTS Workshop on Dynamical Systems National Center for Theoretical Sciences, National

2012 NCTS Workshop on Dynamical Systems National Center for Theoretical Sciences, National

Deterministic SlowFast Systems Slowly driven systems Fully coupled systems Deterministic averaging Random fast motion 2012 NCTS Workshop on Dynamical Systems National Center for Theoretical Sciences, National Tsing-Hua University Hsinchu,

669 views • 30 slides
18.175: Lecture 18 Poisson random variables Scott Sheffield MIT 18.175 Lecture 18 1 Outline Extend

18.175: Lecture 18 Poisson random variables Scott Sheffield MIT 18.175 Lecture 18 1 Outline Extend

18.175: Lecture 18 Poisson random variables Scott Sheffield MIT 18.175 Lecture 18 1 Outline Extend CLT idea to stable random variables 18.175 Lecture 18 2 Outline Extend CLT idea to stable random variables 18.175 Lecture 18 3 Recall continuity

291 views • 12 slides
18.175: Lecture 17 Poisson random variables Scott Sheffield MIT 18.175 Lecture 16 1 Outline More

18.175: Lecture 17 Poisson random variables Scott Sheffield MIT 18.175 Lecture 16 1 Outline More

18.175: Lecture 17 Poisson random variables Scott Sheffield MIT 18.175 Lecture 16 1 Outline More on random walks and local CLT Poisson random variable convergence Extend CLT idea to stable random variables 18.175 Lecture 16 2 Outline More on

225 views • 21 slides
Foundations of Artificial Intelligence 13. Acting under Uncertainty Maximizing Expected Utility

Foundations of Artificial Intelligence 13. Acting under Uncertainty Maximizing Expected Utility

Foundations of Artificial Intelligence 13. Acting under Uncertainty Maximizing Expected Utility Joschka Boedecker and Wolfram Burgard and Bernhard Nebel Albert-Ludwigs-Universit at Freiburg Contents Introduction to Utility Theory 1

475 views • 32 slides
Law of the iterated logarithm for pure jump L evy processes Elena Shmileva, St.Petersburg

Law of the iterated logarithm for pure jump L evy processes Elena Shmileva, St.Petersburg

Outline Two types of the Law of the Iterated Logarithm Generalization of the LILs. Functional LIL My results on the Functional LIL for S S processes Conclusion Law of the iterated logarithm for pure jump L evy processes Elena Shmileva,

467 views • 21 slides
Confidence Bands for Distribution Functions: The Law of the Iterated Logarithm and Shape

Confidence Bands for Distribution Functions: The Law of the Iterated Logarithm and Shape

Confidence Bands for Distribution Functions: The Law of the Iterated Logarithm and Shape Constraints Lutz Duembgen (Bern) Jon A. Wellner (Seattle) Petro Kolesnyk (Bern) Ralf Wilke (Copenhagen) November 2014 I. The LIL for Brownian Motion and

521 views • 49 slides
Large deviations principles for lacunary sums Nina Gantert joint work, soon to be finished with

Large deviations principles for lacunary sums Nina Gantert joint work, soon to be finished with

Large deviations principles for lacunary sums Nina Gantert joint work, soon to be finished with Christoph Aistleitner, Zakhar Kabluchko, Joscha Prochno, Kavita Ramanan 1/20 Thanks to: Aicke Hinrichs, Joscha Prochno, Christoph Th ale,

1.22k views • 20 slides
Local regularity, multifractal analysis and boundary behavior of harmonic functions Eugenia

Local regularity, multifractal analysis and boundary behavior of harmonic functions Eugenia

Local regularity, multifractal analysis and boundary behavior of harmonic functions Eugenia Malinnikova NTNU, NORWAY; visiting Purdue University, IN Bloomington, October 10, 2015 E. Malinnikova (NTNU) Boundary behavior of harmonic functions

534 views • 52 slides
Computability, Complexity and Randomness 2016 Permutations of the integers do not induce

Computability, Complexity and Randomness 2016 Permutations of the integers do not induce

Computability, Complexity and Randomness 2016 Permutations of the integers do not induce nontrivial automorphisms of the Turing degrees Bjrn Kjos-Hanssen June 25, 2015 Computability, Complexity and Randomness , University of Heidelberg

770 views • 28 slides
A family of self-avoiding walks on the Sierpi nski gasket Takafumi Otsuka Departmant of

A family of self-avoiding walks on the Sierpi nski gasket Takafumi Otsuka Departmant of

A family of self-avoiding walks on the Sierpi nski gasket Takafumi Otsuka Departmant of Mathematics and Information Scienses Tokyo Metropolitan University 6th Cornell Conference on Analysis, Probability, and Mathematical Physics on Fractals

329 views • 13 slides
On Stability Property of Probability Laws with Respect to Small Violations of Algorithmic

On Stability Property of Probability Laws with Respect to Small Violations of Algorithmic

On Stability Property of Probability Laws with Respect to Small Violations of Algorithmic Randomness Vladimir V. Vyugin Institute for Information Transmission Problems Russian Academy of Sciences logo Martin-L of random sequences

190 views • 17 slides
Correlations of Fractional Parts of Dilated Harmonic Sequences Je ff Lagarias University of

Correlations of Fractional Parts of Dilated Harmonic Sequences Je ff Lagarias University of

Correlations of Fractional Parts of Dilated Harmonic Sequences Je ff Lagarias University of Michigan David Montague Stanford University Joint Math Meetings-San Diego Special Session on Arithmetic Statistics, January 10, 2013 Credits Work

331 views • 19 slides
On the rate of convergence of the Biggins martingale The rate of convergence Biggins martingale

On the rate of convergence of the Biggins martingale The rate of convergence Biggins martingale

What is the branching random walk and the Biggins martingale? Uniform integrability of the On the rate of convergence of the Biggins martingale The rate of convergence Biggins martingale in supercritical branching random walks Alexander

552 views • 16 slides
Snowflakes and Trees Christopher Bishop, Stony Brook Everything is Complex March 611 ,

Snowflakes and Trees Christopher Bishop, Stony Brook Everything is Complex March 611 ,

Snowflakes and Trees Christopher Bishop, Stony Brook Everything is Complex March 611 , 2016 Saas-Fee, Switzerland www.math.sunysb.edu/~bishop/lectures Ansel Adams Pyotr Ilyich Tchaikovsky Nikolai G. Makarov z z 1 z 2 u ( z ) = 1 u ( z

1.37k views • 113 slides

More recommend