crystals dilithium a lattice based digital signature
play

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo - PowerPoint PPT Presentation

Jan 08, 2024 •686 likes •1.06k views

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz (Ruhr-Universit at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor

  1. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L´ eo Ducas (CWI), Eike Kiltz (Ruhr-Universit¨ at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor Seiler (IBM Research) , Damien Stehl´ e (ENS de Lyon) September 10, 2018

  2. Overview Signature scheme submitted to the NIST PQC standardization process

  3. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes

  4. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters)

  5. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09]

  6. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information

  7. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller)

  8. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller) New: Compression of public key (60% smaller, 100 byte larger signature)

  9. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller) New: Compression of public key (60% smaller, 100 byte larger signature) New: Hardness based on Module -LWE/SIS

  10. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller) New: Compression of public key (60% smaller, 100 byte larger signature) New: Hardness based on Module -LWE/SIS New: Very efficient implementation

  11. Principal Design Considerations Easy to implement securely – No Gaussian sampling Small total size of public key + signature Among the smallest total size of all NIST submissions (Falcon is smaller) Conservative parameter selection Modular design Use of Module-LWE/SIS allows to work over the same small ring for all security levels: Arithmetic needs only be optimized once and for all

  12. Choice of Ring Strategy: Choose smallest ring dimension n that gives main advantages of Ring-LWE

  13. Choice of Ring Strategy: Choose smallest ring dimension n that gives main advantages of Ring-LWE Dimension n = 256 is enough to get sufficiently large set of small norm challenges Fully splitting prime q allows for NTT-based multiplication (more about this later) R = Z 2 23 − 2 13 +1 [ X ] / ( X 256 + 1)

  14. Simplified Scheme Key generation: Verification: A ← R 5 × 4 = w − c s 2 s 1 ← S 4 5 , s 2 ← S 5 � �� � c ′ = H(High( Az − c t ) , M ) 5 t = As 1 + s 2 If � z � ∞ ≤ γ − β and c ′ = c , accept pk = ( A , t ) , sk = ( A , t , s 1 , s 2 ) Signing: y ← S 4 γ w = Ay c = H(High( w ) , M ) ∈ B 60 z = y + c s 1 If � z � ∞ > γ − β or � Low( w − c s 2 ) � ∞ > γ − β, restart sig = ( z , c )

  15. Public Key Compression Verification: c ′ = H(High( Az − c t ) , M ) If � z � ∞ ≤ γ − β and c ′ = c , accept Decompose t = t 1 2 14 + t 0 and put only t 1 into public key (23 → 9 bits per coefficient)

  16. Public Key Compression Verification: c ′ = H(High( Az − c t ) , M ) If � z � ∞ ≤ γ − β and c ′ = c , accept Decompose t = t 1 2 14 + t 0 and put only t 1 into public key (23 → 9 bits per coefficient) For verification we need to compute High( Az − c t ) = High( Az − c t 1 2 14 − c t 0 ) Include carries from adding − c t 0 in signature → High( Az − c t 1 2 14 ) can be corrected

  17. Security Tight reduction, even in quantum random oracle model, from SelfTargetMSIS and Module-LWE/SIS [KLS18]: Adv SUF-CMA ( A ) ≤ Adv MLWE ( B ) + Adv SelfTargetMSIS ( C ) + Adv MSIS ( D ) + 2 − 254 Given matrix A , find short vector y , challenge polynomial c and message M such that � � y � � H ( I | A ) , M = c c SelfTargetMSIS has non-tight reduction with standard forking lemma argument from Module-SIS

  18. Implementation Reference and AVX2 optimized implementations on https://github.com/pq-crystals/dilithium Main Operations: Polynomial multiplication in fixed ring R = Z 2 23 − 2 13 +1 [ X ]( X 256 + 1) Expansion of the SHAKE XOF Independent sampling of polynomials: Allows for parallel use of SHAKE

  19. Constant Time Our implementations are fully protected against timing side channel attacks In particular: No use of the C ’%’-operator Note: Sampling of challenge polynomials is not constant-time and does not need to be

  20. Speed of Reference Implementation Key generation Signing Signing (average) Verification Multiplication 89 , 591 987 , 666 1 , 280 , 053 143 , 924 SHAKE 178 , 487 314 , 570 377 , 068 161 , 079 Modular Reduction 11 , 944 120 , 793 163 , 017 10 , 626 Rounding 6 , 586 108 , 412 137 , 324 11 , 821 Rejection Sampling 60 , 740 76 , 893 94 , 607 28 , 082 Addition 8 , 008 58 , 696 79 , 498 10 , 723 Packing 7 , 114 17 , 183 18 , 856 8 , 883 Total 381 , 178 1 , 778 , 148 2 , 260 , 429 396 , 043 Median cycles of 5000 executions on Intel Skylake i7-6600U processor

  21. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message

  22. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs

  23. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs But we only actually perform 172 NTTs

  24. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs But we only actually perform 172 NTTs

  25. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs But we only actually perform 172 NTTs We immediately get a 4 x speed-up in multiplication time from saving NTTs compared to Karatsuba multiplication Note: In our reference implementation NTTs still make up for the most time comsuming operation

  26. AVX2 optimized Implementation Optimizations: Vectorized NTT in assembly 4-way parallel SHAKE Better public key and signature compression Faster assembly modular reduction

  27. AVX2 optimized Implementation Optimizations: Vectorized NTT in assembly 4-way parallel SHAKE Better public key and signature compression Faster assembly modular reduction About 3 . 5 x faster signing compared to reference version

  28. AVX2 optimized Implementation Optimizations: Vectorized NTT in assembly 4-way parallel SHAKE Better public key and signature compression Faster assembly modular reduction About 3 . 5 x faster signing compared to reference version Recent update: > 40% faster compared to TCHES paper

  29. New Fast Vectorized NTT Implementation Prior state of the art: Double floating point arithmetic as in NewHope Now : Fast approach with integer arithmetic and same Montgomery reduction strategy as in reference implementation

  30. New Fast Vectorized NTT Implementation Prior state of the art: Double floating point arithmetic as in NewHope Now : Fast approach with integer arithmetic and same Montgomery reduction strategy as in reference implementation Unfortunately not as fast as 16-bit NTT in Kyber because of missing instruction for high product

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

633 views • 44 slides
Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR

257 views • 23 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Nonlinear lattice kink pulses: existence and action on defects in crystals. With application to

Nonlinear lattice kink pulses: existence and action on defects in crystals. With application to

Nonlinear lattice kink pulses: existence and action on defects in crystals. With application to radiation damage and the long range effect. Cross-discipline research using results from: 1. charged particle tracks in crystals of muscovite

420 views • 23 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline Langlois 2 Benot Libert 3 Damien Stehl 2 1 LIP, Universit Lyon 1 2 LIP, ENS de Lyon 3 Technicolor December 4, 2013 Laguillaumie et al. LB Group

239 views • 20 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
3-509

3-509

3-509 liuzhen@sjtu.edu.cn 1 Digital Signature Hash Function Message Authentication Code 2 Digital Signature There is an electronic document to be sent

738 views • 24 slides
Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

475 views • 24 slides
Discrete space (lattice) arises naturally in solids (crystals) Using localized atomic-like

Discrete space (lattice) arises naturally in solids (crystals) Using localized atomic-like

Discrete space (lattice) arises naturally in solids (crystals) Using localized atomic-like orbitals (Wannier orbitals), called the tight-binding method, is often a good starting point for describing the electronic band structure The hopping

269 views • 9 slides
function TT-Entails? ( KB , ) returns true or false symbols a list of the proposition

function TT-Entails? ( KB , ) returns true or false symbols a list of the proposition

B.Y. Choueiry function TT-Entails? ( KB , ) returns true or false symbols a list of the proposition symbols in KB and return TT-Check-All ( KB , , symbols ,[ ]) function TT-Check-All ( KB , , symbols , model ) returns true

360 views • 3 slides
Inference Techniques for Logical Reasoning Recall: Wumpus World Wumpus You (Agent) 2

Inference Techniques for Logical Reasoning Recall: Wumpus World Wumpus You (Agent) 2

CSE 473 Chapter 7 Inference Techniques for Logical Reasoning Recall: Wumpus World Wumpus You (Agent) 2 Wumpusitional Logic Proposition Symbols and Semantics: Let P i,j be true if there is a pit in [i, j]. Let B i,j be true if there is a

331 views • 22 slides
Propositions An interpretation is an assignment of values to all variables. A model is an

Propositions An interpretation is an assignment of values to all variables. A model is an

Propositions An interpretation is an assignment of values to all variables. A model is an interpretation that satisfies the constraints. Often we dont want to just find a model, but want to know what is true in all models. A proposition is

257 views • 15 slides
CS 331: Artificial Intelligence Propositional Logic I 1 Knowledge-based Agents Can represent

CS 331: Artificial Intelligence Propositional Logic I 1 Knowledge-based Agents Can represent

CS 331: Artificial Intelligence Propositional Logic I 1 Knowledge-based Agents Can represent knowledge And reason with this knowledge How is this different from the knowledge used by problem-specific agents? More general More

430 views • 26 slides
Proofs A proof is a mechanically derivable demonstration that a formula logically follows from

Proofs A proof is a mechanically derivable demonstration that a formula logically follows from

Proofs A proof is a mechanically derivable demonstration that a formula logically follows from a knowledge base. Given a proof procedure, KB g means g can be derived from knowledge base KB . Recall KB | = g means g is true in all

296 views • 7 slides
CCPS Energy Conservation Updates and Highlights JULY 11, 2019 This Photo by Unknown Author is

CCPS Energy Conservation Updates and Highlights JULY 11, 2019 This Photo by Unknown Author is

CCPS Energy Conservation Updates and Highlights JULY 11, 2019 This Photo by Unknown Author is licensed under CC BY-SA CCPS ENERGY CONSERVATION PROGRAM 128 SMECO and BGE Projects to date (first application 10/09) $401,998.00 incentive

780 views • 6 slides
A. Baniasadi N. J. Dimopoulos University of Victoria Presenter: S. Agathos University of

A. Baniasadi N. J. Dimopoulos University of Victoria Presenter: S. Agathos University of

A. Jooya A. Baniasadi N. J. Dimopoulos University of Victoria Presenter: S. Agathos University of Ioannina The Goal Introduce a fast, low-cost and effective approach to optimize resource allocation in GPUs. Produces the optimum

414 views • 23 slides
Welcome Back! Our History 2009: Founded as Cleveland Carbon Fund, the

Welcome Back! Our History 2009: Founded as Cleveland Carbon Fund, the

Welcome Back! Our History 2009: Founded as Cleveland Carbon Fund, the 1st community- based, open-access carbon reduc9on fund in the United States. 2012:

561 views • 7 slides

More recommend