drs diagonal dominant reduction for lattice based
play

DRS Diagonal dominant Reduction for lattice-based Signature Thomas - PowerPoint PPT Presentation

Apr 11, 2024 •228 likes •458 views

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

  1. DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/˜ thomaspl thomaspl@uow.edu.au 13 April 2018 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 1 / 10

  2. Outline Description 1 Security Analysis 2 Comments 3 Specificity 4 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 2 / 10

  3. General Description Lattice based Digital Signature Work proposed in PKC 2008 without existing attack . Initially proposed to make GGHSign resistant to parallelepiped attacks. Modified to gain efficiency: avoid costly Hermite Normal Form . plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 3 / 10

  4. General Description Lattice based Digital Signature Work proposed in PKC 2008 without existing attack . Initially proposed to make GGHSign resistant to parallelepiped attacks. Modified to gain efficiency: avoid costly Hermite Normal Form . Lattice based Digital Signature Secret key: Diagonal Dominant Basis B = D − M of a lattice L Public key: A basis P of the same lattice P = UB Signature of a message m : a vector s such that ( m − s ) ∈ L and � s � ∞ < D Signature security related to GDD ∞ . plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 3 / 10

  5. Secret Key A diagonal Dominant Basis with N b ± b and N 1 ± 1. With a cyclic structure but for the signs . plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 4 / 10

  6. Secret Key A diagonal Dominant Basis with N b ± b and N 1 ± 1. With a cyclic structure but for the signs . D ± 1 ± 1 ± b 0 ± b ± 1 0 ± 1 0   0 ± 1 ± 1 ± b 0 ± b ± 1 0 ± 1 D    ± 1 0 D 1 1 ± b 0 ± b ± 1 0      0 ± 1 0 D ± 1 ± 1 ± b 0 ± b ± 1     ± 1 0 ± 1 0 ± 1 ± 1 ± b 0 ± b D   B =   ± b ± 1 0 ± 1 0 D ± 1 ± 1 ± b 0     0 ± b ± 1 0 ± 1 0 ± 1 ± 1 ± b D     ± b 0 ± b ± 1 0 ± 1 0 D ± 1 ± 1     ± 1 ± b 0 ± b ± 1 0 ± 1 0 ± 1 D   ± 1 ± 1 ± b 0 ± b ± 1 0 ± 1 0 D plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 4 / 10

  7. Secret Key A diagonal Dominant Basis with N b ± b and N 1 ± 1. With a cyclic structure but for the signs . D ± 1 ± 1 ± b 0 ± b ± 1 0 ± 1 0   0 ± 1 ± 1 ± b 0 ± b ± 1 0 ± 1 D    ± 1 0 D 1 1 ± b 0 ± b ± 1 0      0 ± 1 0 D ± 1 ± 1 ± b 0 ± b ± 1     ± 1 0 ± 1 0 ± 1 ± 1 ± b 0 ± b D   B =   ± b ± 1 0 ± 1 0 D ± 1 ± 1 ± b 0     0 ± b ± 1 0 ± 1 0 ± 1 ± 1 ± b D     ± b 0 ± b ± 1 0 ± 1 0 D ± 1 ± 1     ± 1 ± b 0 ± b ± 1 0 ± 1 0 ± 1 D   ± 1 ± 1 ± b 0 ± b ± 1 0 ± 1 0 D Growing b creates a gap between Euclidean Norm and Manhattan Norm Cyclic structure to guarantee � M � ∞ = � M � 1 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 4 / 10

  8. Public Key P = UB with U = P R +1 T R P R ... T 1 P 1 With P i a random permutation matrix and plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 5 / 10

  9. Public Key P = UB with U = P R +1 T R P R ... T 1 P 1 With P i a random permutation matrix and A ± 1   0 0 0 A ± 1 0 0 0   T i =  A ± 1  0 0 0   A ± 1 0 0 0 with � 1 � � − 1 � 2 2 A +1 = , A − 1 = 1 1 1 − 1 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 5 / 10

  10. Public Key P = UB with U = P R +1 T R P R ... T 1 P 1 With P i a random permutation matrix and A ± 1   0 0 0 A ± 1 0 0 0   T i =  A ± 1  0 0 0   A ± 1 0 0 0 with � 1 � � − 1 � 2 2 A +1 = , A − 1 = 1 1 1 − 1 U and U − can been computed efficiently. U , U − 1 , P coefficients are growing regularly during the R step. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 5 / 10

  11. Signing As B = D − M , we have D ≡ M (mod L ) � M � 1 < D to guarantee short number of steps. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 6 / 10

  12. Signing As B = D − M , we have D ≡ M (mod L ) � M � 1 < D to guarantee short number of steps. Vector Reduction 1 w ← Hash ( m ) 2 until � w � ∞ < D Find q , r such w = r + qD 1 Compute w ← r + qM 2 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 6 / 10

  13. Signing As B = D − M , we have D ≡ M (mod L ) � M � 1 < D to guarantee short number of steps. Vector Reduction 1 w ← Hash ( m ) 2 until � w � ∞ < D Find q , r such w = r + qD 1 Compute w ← r + qM 2 Efficiency: No needs for large arithmetic . Security: Algorithm termination related to a public parameter D . plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 6 / 10

  14. Signature Verfication Alice Helps Bob Alice sends s such that Hash ( m ) − s ∈ L P . Alice sends k such that kP = Hash ( m ) − s During signing, Alice extracts q such that q ( D − M ) = Hash ( m ) − s Alice compute k = qU − 1 . plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 7 / 10

  15. Signature Verfication Alice Helps Bob Alice sends s such that Hash ( m ) − s ∈ L P . Alice sends k such that kP = Hash ( m ) − s During signing, Alice extracts q such that q ( D − M ) = Hash ( m ) − s Alice compute k = qU − 1 . Bob checks that � s � ∞ < D , and qP = Hash ( m ) − s . plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 7 / 10

  16. Best Known Attack Find the Unique Shortest Vector of the lattice � v � 1 P 0 with v = ( D , 0 , . . . , 0) and a lattice gap n � n +3 1 � n +3 1 n D 2 + N b b 2 + N 1 n +1 � D − M � � n +1 � n +1 � � � Γ = Γ γ = λ 2 2( n +1) 2 2 2 � N b b 2 + N 1 λ 1 � M � 2 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 8 / 10

  17. Best Known Attack Find the Unique Shortest Vector of the lattice � v � 1 P 0 with v = ( D , 0 , . . . , 0) and a lattice gap n � n +3 1 � n +3 1 n D 2 + N b b 2 + N 1 n +1 � D − M � � n +1 � n +1 � � � Γ = Γ γ = λ 2 2( n +1) 2 2 2 � N b b 2 + N 1 λ 1 � M � 2 Conservator Choices 2 λ Dimension N b b N 1 ∆ R γ < 1 4 (1 . 006) d +1 2 128 912 16 28 432 32 24 < 1 4 (1 . 005) d +1 2 192 1160 23 25 553 32 24 < 1 4 (1 . 004) d +1 2 256 1518 33 23 727 32 24 plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 8 / 10

  18. Comments Yang Yu and Leo Ducas Attack When b is too big compare to other value of M , Machine learning can extract position of b related to D . Sign of b could also sometime be extracted. Consequence BDD attack is simpler as the gap of new problem bigger. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 9 / 10

  19. Comments Yang Yu and Leo Ducas Attack When b is too big compare to other value of M , Machine learning can extract position of b related to D . Sign of b could also sometime be extracted. Consequence BDD attack is simpler as the gap of new problem bigger. Solutions 1 Find which sizes of b requires 2 64 signatures: current attack 2 17 for b = 28. 2 Uses b smaller: if b small, dimension increases by 20% to 30%. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 9 / 10

  20. Specificity Specificity Digital Signature using Hidden Structured Lattice. Diagonal Dominant Basis. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 10 / 10

  21. Specificity Specificity Digital Signature using Hidden Structured Lattice. Diagonal Dominant Basis. Advantage Generic Lattice without large integer arithmethic. Use Max Norm to minimise leaking. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 10 / 10

  22. Specificity Specificity Digital Signature using Hidden Structured Lattice. Diagonal Dominant Basis. Advantage Generic Lattice without large integer arithmethic. Use Max Norm to minimise leaking. Disadvantage Quadratic structure is memory costly. Verfication still slower than signing. plantard sipasseuth dumondelle susilo (uow) DRS 13 April 2018 10 / 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Orthogonal similarity reduction of any symmetric matrix into a diagonal-plus-semiseparable one

Orthogonal similarity reduction of any symmetric matrix into a diagonal-plus-semiseparable one

Orthogonal similarity reduction of any symmetric matrix into a diagonal-plus-semiseparable one with free choice of the diagonal Ellen Van Camp, Raf Vandebril, Marc Van Barel and Nicola Mastronardi I. Algorithms Orthogonal similarity

1.53k views • 106 slides
Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL,

Background on lattice reduction Our results Our technical ideas and argument Conclusion and open problems Slide Reduction, RevisitedFilling the Gaps in Lattice SVP Approximation Jianwei Li ISG, RHUL, UK London-ish Lattice Coding &amp;

1.91k views • 167 slides
Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o (

Faster Enumeration-based Lattice Reduction: Root Hermite Factor k 1 / ( 2 k ) in Time k k / 8 + o ( k ) Martin R. Albrecht 1 , Shi Bai 2 , Pierre-Alain Fouque 3 , Paul Kirchner 3 , Damien Stehl 4 and Weiqiang Wen 3 1 Royal Holloway, University of

985 views • 50 slides
Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong

Seminar of Lattice Analysis 01 Slide Reduction Revisited Wenling Liu, Shanghai Jiao Tong University. Wenling Liu @ SJTU Table of Contents Lattice Backgrounds LenstraLenstraLov asz Reduction Hemite SVP reduction and DBKZ Algorithm

930 views • 49 slides
Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software

Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software

Hermite Reduction LLL Reduction HKZ Reduction Minkowski Reduction A Measurement Lattice Basis Reduction Part II: Algorithms Sanzheng Qiao Department of Computing and Software McMaster University, Canada qiao@mcmaster.ca

758 views • 63 slides
The (gimmicky) Road Map Gradual Sub-Lattice Reduction The Old Stuff Lattice Reduction

The (gimmicky) Road Map Gradual Sub-Lattice Reduction The Old Stuff Lattice Reduction

The Old Stuff The New Concepts The Bottom Line Gradual Sub-Lattice Reduction (now with more applications!) Andy Novocin andy@novocin.com LIRMM, Montpellier June 22nd The Old Stuff The New Concepts The Bottom Line The (gimmicky) Road

1.46k views • 99 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Diagonal asymptotics for products of combinatorial classes Or: the diagonal method is still not

Diagonal asymptotics for products of combinatorial classes Or: the diagonal method is still not

Diagonal asymptotics for products of combinatorial classes Or: the diagonal method is still not very good Mark C. Wilson www.cs.auckland.ac.nz/mcw/ Department of Computer Science University of Auckland AofA, Menorca, 2013-05-30 The

1.23k views • 44 slides
A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky

A History of Lattice-Based Encryption (in order of increasing efficiency) Vadim Lyubashevsky INRIA / ENS, Paris Lattice-Based Crypto &amp; Applications 1 Bar-Ilan University, Israel 2012 Lattice-Based Encryption Schemes 1. NTRU [Hoffstein,

849 views • 47 slides
Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e

Background on Euclidean lattices Hybrid algorithms for LLL-reduction The fplll library Conclusion Accelerating lattice reduction algorithms with floating-point arithmetic Damien Stehl e http://perso.ens-lyon.fr/damien.stehle/ LIP

766 views • 74 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Applications of Dominant Set Sebastiano Vascon, PhD DAIS 09/05/2017 Recap on the Dominant Set

Applications of Dominant Set Sebastiano Vascon, PhD DAIS 09/05/2017 Recap on the Dominant Set

Applications of Dominant Set Sebastiano Vascon, PhD DAIS 09/05/2017 Recap on the Dominant Set technique Graph-based clustering technique A DS is subset of highly coherent nodes in a graph (high internal similarity and high external

746 views • 58 slides
Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y.

Lattice Reduction and Preconditioning Xiao-Wen Chang Joint work with M. Al Borne, W.-Y. Ku, Y. Xiao and X. Xie Computer Science, McGill University, Montreal, Canada Fields Institute Workshop on Hybrid Methodologies for Symbolic-Numeric

1.3k views • 76 slides
0.00 xx xy xz 0.0 0.1 0.2 0.3 0.4 0.5 External

0.00 xx xy xz 0.0 0.1 0.2 0.3 0.4 0.5 External

Off-Diagonal elements ( ij ) are small Off-diagonal terms of the polarizability matrix u r E Yx = i E Induced Dipole moment (Debye) 0.08 j ji i Zx Zy 0.06 Xy Yz 0.04 Xz 0.02 0.00 xx xy xz

723 views • 25 slides
The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V.

The Shortest Vector Problem (Lattice Reduction Algorithms) Approximation Algorithms by V. Vazirani, Chapter 27 - Problem statement, general discussion - Lattices: brief introduction - The Gauss algorithm in R 2 - Lower bound via

295 views • 13 slides
Diagonal extender based Prikry forcing Dima Sinapova University of California Irvine March 2012

Diagonal extender based Prikry forcing Dima Sinapova University of California Irvine March 2012

Diagonal extender based Prikry forcing Dima Sinapova University of California Irvine March 2012 Dima Sinapova University of California Irvine Diagonal extender based Prikry forcing Cardinal arithmetic and the exponential operation What is true

1.16k views • 104 slides
Enhancing the Conditional Access Module Security in Light of Smart Card Sharing Attacks

Enhancing the Conditional Access Module Security in Light of Smart Card Sharing Attacks

Enhancing the Conditional Access Module Security in Light of Smart Card Sharing Attacks Konstantinos Markantonakis, Michael Tunstall, Keith Mayes Dr Konstantinos Markantonakis (BSc, MSc, MBA, PhD) K.Markantonakis@rhul.ac.uk

509 views • 15 slides
Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @

Defeating TLS client authentication using fault attacks Who are we ? R&amp;D dept. @ Security Evaluation Kudelski Security Lab @ Kudelski IoT Embedded systems Hardware attacks security research Glitch / EM Reverse

889 views • 51 slides
Protection of Taximeter Data by Secure Elements Jrg Wolff Physikalisch-Technische

Protection of Taximeter Data by Secure Elements Jrg Wolff Physikalisch-Technische

PTB-Workshop on Protection of Measurement Data in Legal Metrology and Related Challenges, 30.11.-01.12.2011, PTB Berlin Protection of Taximeter Data by Secure Elements Jrg Wolff Physikalisch-Technische Bundesanstalt (PTB)

261 views • 23 slides
Malwares in Cyber Space Threat landscape, Emerging trends, Solutions and Challenges Atul

Malwares in Cyber Space Threat landscape, Emerging trends, Solutions and Challenges Atul

Malwares in Cyber Space Threat landscape, Emerging trends, Solutions and Challenges Atul Kabra, Solutions Architect CyberSpace The good, the bad and the ugly Internet is an unsafe neighborhood right in your office space

257 views • 12 slides
Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash

Security Proofs for the MD6 Hash Algorithm Ahmed Ezzat Outline Introduction to hash algorithms NIST SHA-3 Competition MD6 Algorithm and Mode of Operation Research Objective Approach Introduction to hash algorithms Hash

454 views • 14 slides
Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

Faster Gaussian Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling Preventing Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy

984 views • 67 slides
10thWEST AFRICAN INTERNET GOVERNANCE FORUM (WAIGF 2018) BURKINA FASO TOPIC : Digital Economy and

10thWEST AFRICAN INTERNET GOVERNANCE FORUM (WAIGF 2018) BURKINA FASO TOPIC : Digital Economy and

10thWEST AFRICAN INTERNET GOVERNANCE FORUM (WAIGF 2018) BURKINA FASO TOPIC : Digital Economy and Blockchain Technology Dr. Steven Bassey (Ph.D., DTh, CPMA, CEH, CHFI, USLPI/CSM, EC Council Certified) Chair Subcommittee on Data Protection

866 views • 14 slides
Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD)

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD)

Solving All Lattice Problems in Deterministic Single Exponential Time Daniele Micciancio (UCSD) (Joint work with P. Voulgaris, STOC 2010) Barriers II Workshop, Princeton August 27, 2010 CVP in deterministic 2 O ( n ) time Daniele Micciancio

1.33k views • 118 slides

More recommend