Exploring the parameter space in lattice attacks
Daniel J. Bernstein, Tanja Lange

Based on the 2019 attack survey by Bernstein–Chuengsatiansup–Lange–van Vredendaal.

Some hard lattice meta-problems:
• Analyze cost of known attacks.
• Optimize attack parameters.
• Compare different attacks.
• Evaluate crypto parameters.
• Evaluate crypto designs.

sntrup761 evaluations from “NTRU Prime: round 2”, Table 2 (security levels in bits; columns: pre-quantum, post-quantum):

Ignoring cost of memory:
  enum, ignoring hybrid        368   185
  enum, including hybrid       230   169
  sieving, ignoring hybrid     153   139
  sieving, including hybrid    153   139

Accounting for cost of memory:
  enum, ignoring hybrid        368   185
  enum, including hybrid       277   169
  sieving, ignoring hybrid     208   208
  sieving, including hybrid    208   180

Analysis of a typical lattice attack has complications at four layers, and at the interfaces between layers. This talk emphasizes the top layer.

The four layers, top to bottom:
  Analysis of lattices to attack cryptosystems
  “Approximate-SVP” analysis
  “SVP” analysis
  Model of computation

Three typical attack problems

Define $R = \mathbb{Z}[x]/(x^{761} - x - 1)$; “small” = all coefficients in $\{-1, 0, 1\}$; $w = 286$; $q = 4591$.

Attacker wants to find small weight-$w$ secret $a \in R$.

Problem 1: Public $G \in R/q$ with $aG + e = 0$. Small secret $e \in R$.
Problem 2: Public $G \in R/q$ and $aG + e = A$. Small secret $e \in R$.
Problem 3: Public $G_1, G_2 \in R/q$. Public $aG_1 + e_1$, $aG_2 + e_2$. Small secrets $e_1, e_2 \in R$.

Examples of target cryptosystems

Secret key: small $a$, small $e$. Public key reveals multiplier $G$ and approximation $A = aG + e$.

Public key for “NTRU” (1996 Hoffstein–Pipher–Silverman): $G = -e/a$, and $A = 0$.
Public key for “Ring-LWE” (2010 Lyubashevsky–Peikert–Regev): random $G$, and $A = aG + e$.

Recognize similarity + credits: “NTRU” ⇒ Quotient NTRU. “Ring-LWE” ⇒ Product NTRU.

Encryption for Quotient NTRU: Input small $b$, small $d$. Ciphertext: $B = 3bG + d$.

Encryption for Product NTRU: Input encoded message $M$. Randomly generate small $b$, small $d$, small $c$. Ciphertext: $B = bG + d$ and $C = bA + M + c$.

2019 Bernstein, “Comparing proofs of security for lattice-based encryption”, includes a survey of the $G, a, e, c, M$ details and variants in NISTPQC submissions.

Lattices

Rewrite each problem as finding a short nonzero solution to a system of homogeneous $R/q$ equations.

Problem 1: Find $(a, e) \in R^2$ with $aG + e = 0$, given $G \in R/q$.
Problem 2: Find $(a, t, e) \in R^3$ with $aG + e = At$, given $G, A \in R/q$.
Problem 3: Find $(a, t_1, t_2, e_1, e_2) \in R^5$ with $aG_1 + e_1 = A_1 t_1$, $aG_2 + e_2 = A_2 t_2$, given $G_1, A_1, G_2, A_2 \in R/q$.

Recognize each solution space as a full-rank lattice:

Problem 1: Lattice is the image of the map $(a, r) \mapsto (a, qr - aG)$ from $R^2$ to $R^2$.
Problem 2: Lattice is the image of the map $(a, t, r) \mapsto (a, t, At + qr - aG)$.
Problem 3: Lattice is the image of the map $(a, t_1, t_2, r_1, r_2) \mapsto (a, t_1, t_2, A_1 t_1 + qr_1 - aG_1, A_2 t_2 + qr_2 - aG_2)$.

Module structure

Each of these lattices is an $R$-module, and thus has, generically, many independent short vectors.

e.g. in Problem 2: Lattice has short $(a, t, e)$. Lattice has short $(xa, xt, xe)$. Lattice has short $(x^2 a, x^2 t, x^2 e)$. etc.

Many more lattice vectors are fairly short combinations of independent vectors: e.g., $((x+1)a, (x+1)t, (x+1)e)$.

1999 May, for Problem 1: Force a stretch of coefficients of $a$ to be 0. This reduces lattice rank, speeding up various attacks, despite lower success chance.

(Always a speedup? Seems to be a slowdown if $q$ is very large: see 2016 Kirchner–Fouque.)

Other problems: same speedup. e.g. “Bai–Galbraith embedding” for Problem 2: Force $t \in \mathbb{Z}$; force a few coefficients of $a$ to be 0. (Slowdown if $q$ is very large? Literature misses module option!)

Standard analysis for Problem 1

Uniform random small weight-$w$ secret $a$ has length $\sqrt{w} \approx 17$.

Uniform random small secret $e$ has length usually close to $\sqrt{1522/3} \approx 23$. (Impact of variations? Partial answer: 2020 Dachman-Soled–Ducas–Gong–Rossi. Is fixed weight safer?)

Lattice has rank $2 \cdot 761 = 1522$. Attack parameter: $k = 13$. Force $k$ positions in $a$ to be 0: restrict to sublattice of rank 1509. $\Pr[a \text{ is in sublattice}] \approx 0.2\%$.

Attacker is just as happy to find another solution such as $(xa, xe)$.

Standard analysis for, e.g., $\mathbb{Z}[x]/(x^{761} - 1)$: Each $(x^j a, x^j e)$ has chance $\approx 0.2\%$ of being in the sublattice. These 761 chances are independent. (No, they aren’t; also, total Pr depends on attacker’s choice of positions. See 2001 May–Silverman.)

Ignore bigger solutions $(\mu a, \mu e)$ for larger multipliers $\mu \in R$. (How hard are these to find?)

Pretend this analysis applies to $\mathbb{Z}[x]/(x^{761} - x - 1)$. (It doesn’t.)
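The 0.2% figure and the “independent rotations” heuristic from the two slides above, checked numerically. This is an added example, not code from the talk: it computes the exact probability that a uniform weight-286 secret vanishes on 13 fixed positions, and runs a seeded Monte Carlo in the cyclic ring Z[x]/(x^761 − 1) (the ring the heuristic is stated for, where x^j a is a plain rotation of a), comparing May’s stretch of 13 consecutive forced zeros with 13 scattered positions. The secrets and the scattered position set are constructed from seeded RNGs, and all function names are this example’s own.

```python
"""Success chance of forcing k coefficients of a to 0 (May 1999) with sntrup761's
n = 761, w = 286, k = 13, and a Monte Carlo check of the slides' 'independent
rotations' heuristic. Added example, not code from the talk; the simulation
assumes the cyclic ring Z[x]/(x^n - 1), where x^j a is a rotation of a, and
draws the secrets (and the scattered position set) from seeded RNGs."""
from fractions import Fraction
from math import comb
import random

N, W, K = 761, 286, 13


def p_forced_zeros(n=N, w=W, k=K):
    """Exact Pr[a is 0 on k fixed positions] for uniform weight-w a in {-1,0,1}^n."""
    return Fraction(comb(n - k, w), comb(n, w))


def independent_heuristic(n=N, w=W, k=K):
    """Slides' heuristic: the n rotations x^j a succeed independently with prob p."""
    return 1 - (1 - float(p_forced_zeros(n, w, k))) ** n


def rotations_hitting(zero_mask, positions, n=N):
    """How many j in [0, n) have x^j a (a cyclic rotation) equal to 0 on `positions`.
    zero_mask has bit i set iff a_i = 0; the check is done with bitmask arithmetic."""
    s = sum(1 << i for i in positions)
    full = (1 << n) - 1
    count = 0
    for j in range(n):
        rot = ((s << j) | (s >> (n - j))) & full   # position set shifted by j
        if rot & zero_mask == rot:                 # all shifted positions are zeros of a
            count += 1
    return count


def simulate(positions, trials, seed=0, n=N, w=W):
    """Monte Carlo over uniform weight-w secrets (constructed from a seeded RNG).
    Returns (Pr[at least one rotation is in the sublattice], E[number of such rotations])."""
    rng = random.Random(seed)
    full = (1 << n) - 1
    hits = total = 0
    for _ in range(trials):
        zero_mask = full ^ sum(1 << i for i in rng.sample(range(n), w))
        c = rotations_hitting(zero_mask, positions, n)
        hits += c > 0
        total += c
    return hits / trials, total / trials


def compare(trials=800, seed=0):
    """A stretch of k consecutive forced zeros (May) versus k scattered positions."""
    stretch = list(range(K))
    scattered = sorted(random.Random(seed + 1).sample(range(N), K))
    p = float(p_forced_zeros())
    return {
        "p_single": p,                              # ~0.002, the slides' 0.2%
        "expected_count": N * p,                    # exact by linearity, whatever the positions
        "heuristic_any": independent_heuristic(),   # ~0.79 if the rotations were independent
        "stretch": simulate(stretch, trials, seed),
        "scattered": simulate(scattered, trials, seed),
    }


if __name__ == "__main__":
    for key, value in compare().items():
        print(key, value)
```

The expected number of successful rotations is 761·p ≈ 1.56 no matter which positions are forced, by linearity, so the dependence between the rotations shows up only in the probability that at least one succeeds. In this simulation the stretch lands well under the heuristic’s ≈ 79% (a single long run of zeros in a makes many consecutive rotations succeed at once, so successes cluster), while scattered positions come out near it, which is the “total Pr depends on attacker’s choice of positions” point from May–Silverman.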

Write equation $e = qr - aG$ as 761 equations on coefficients.

Attack parameter: $m = 600$. Ignore $761 - m = 161$ equations: i.e., project $e$ onto 600 positions. (1999 May.) Sublattice rank $d = 1509 - 161 = 1348$; det $q^{600}$.

Attack parameter: $\lambda = 1.331876$. Rescaling (1997 Coppersmith–Shamir): Assign weight $\lambda$ to positions in $a$. Increases length of $a$ to $\lambda\sqrt{w} \approx 23$; increases det to $\lambda^{748} q^{600}$. (Is this $\lambda$ optimal? Interaction with $e$ size variation?)
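A toy run of the Problem 1 construction from the slides above: the three attack problems, the homogeneous rewrite, the lattice as the image of (a, r) ↦ (a, qr − aG), the R-module shifts (xa, xe) and ((x+1)a, (x+1)e), May’s forced zeros, the projection that ignores coefficient equations, and the Coppersmith–Shamir rescaling. This is an added example, not code from the talk or from NTRU Prime; it assumes toy parameters n = 7, q = 31, w = 3 in place of 761, 4591, 286, draws the secrets from a seeded RNG, and uses function names of its own. It only sets up the lattices and checks membership; it does not run a reduction algorithm.

```python
"""Toy version of the Problem 1 attack lattice from the slides (added example,
not code from the talk). Assumed toy parameters: R = Z[x]/(x^n - x - 1) with
n = 7, q = 31, weight w = 3 in place of sntrup761's 761, 4591, 286; secrets
come from a seeded RNG."""
import math
import random

N, Q, W = 7, 31, 3


def ring_mul(f, g, n=N):
    """Product in Z[x]/(x^n - x - 1) as a length-n integer coefficient list (no mod q)."""
    prod = [0] * (2 * n - 1)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            prod[i + j] += fi * gj
    for d in range(2 * n - 2, n - 1, -1):  # x^d = x^(d-n) x^n = x^(d-n+1) + x^(d-n)
        prod[d - n + 1] += prod[d]
        prod[d - n] += prod[d]
        prod[d] = 0
    return prod[:n]


def xpow(i, n=N):
    return [1 if j == i else 0 for j in range(n)]


def mul_matrix(f, q=Q, n=N):
    """Matrix of g -> f*g on R/q: column j holds the coefficients of f*x^j."""
    cols = [[c % q for c in ring_mul(f, xpow(j, n))] for j in range(n)]
    return [[cols[j][i] for j in range(n)] for i in range(n)]


def solve_mod_q(M, b, q=Q):
    """Gauss-Jordan over F_q: x with M x = b (mod q), or None if M is singular."""
    n = len(M)
    A = [row[:] + [bi % q] for row, bi in zip(M, b)]
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col]), None)
        if piv is None:
            return None
        A[col], A[piv] = A[piv], A[col]
        inv = pow(A[col][col], -1, q)
        A[col] = [(v * inv) % q for v in A[col]]
        for r in range(n):
            if r != col and A[r][col]:
                f = A[r][col]
                A[r] = [(vr - f * vc) % q for vr, vc in zip(A[r], A[col])]
    return [A[i][n] for i in range(n)]


def keygen_problem1(rng, n=N, w=W):
    """Quotient-NTRU style: small weight-w a, small e, public G = -e/a in R/q."""
    while True:
        a = [0] * n
        for i in rng.sample(range(n), w):
            a[i] = rng.choice((-1, 1))
        e = [rng.choice((-1, 0, 1)) for _ in range(n)]
        G = solve_mod_q(mul_matrix(a), [-c for c in e])  # a*G = -e (mod q)
        if G is not None:
            return a, e, G


def in_lattice(a, e, G, q=Q):
    """(a, e) lies in {(a, qr - aG)} iff every coefficient of e + aG is divisible by q."""
    return all((ei + ti) % q == 0 for ei, ti in zip(e, ring_mul(a, G)))


def basis(G, zero_positions=(), keep_eqs=None, scale=1, q=Q, n=N):
    """Generators of the image of (a, r) -> (a, qr - aG), after May's forced zeros in a,
    projection onto the coefficient equations keep_eqs, and rescaling of the a-part."""
    keep = list(range(n)) if keep_eqs is None else list(keep_eqs)
    free = [i for i in range(n) if i not in zero_positions]
    rows = []
    for i in free:                       # generator (x^i, 0) -> (x^i, -x^i G)
        g = ring_mul(xpow(i, n), G)
        rows.append([scale if j == i else 0 for j in free] + [-g[j] for j in keep])
    for j in keep:                       # generator (0, x^j) -> (0, q x^j)
        rows.append([0] * len(free) + [q if k == j else 0 for k in keep])
    return rows


def log2_det(rows):
    """Basis is block upper triangular [[scale*I, -G], [0, q*I]]: det = product of diagonal."""
    return sum(math.log2(abs(rows[i][i])) for i in range(len(rows)))


def combination(a, e, G, zero_positions=(), keep_eqs=None, q=Q, n=N):
    """Integer coefficients writing (scale*a, e) on basis(): a_i on the x^i rows and
    r = (e + aG)/q on the q rows. Valid when a vanishes on zero_positions."""
    keep = list(range(n)) if keep_eqs is None else list(keep_eqs)
    r = [(ei + ti) // q for ei, ti in zip(e, ring_mul(a, G))]
    return [a[i] for i in range(n) if i not in zero_positions] + [r[j] for j in keep]


def combine(rows, coeffs):
    return [sum(c * row[k] for c, row in zip(coeffs, rows)) for k in range(len(rows[0]))]


def demo(seed=1):
    rng = random.Random(seed)
    a, e, G = keygen_problem1(rng)
    x, x1 = xpow(1), [1, 1] + [0] * (N - 2)
    zp, keep, lam = (a.index(0),), range(N - 2), 2   # k = 1 forced zero, m = n - 2, weight 2
    rows, rows2 = basis(G), basis(G, zp, keep, lam)
    target2 = [lam * a[i] for i in range(N) if i not in zp] + [e[j] for j in keep]
    return {
        "secret_in_lattice": in_lattice(a, e, G),
        "reconstructs": combine(rows, combination(a, e, G)) == a + e,
        "shift_in_lattice": in_lattice(ring_mul(x, a), ring_mul(x, e), G),
        "x_plus_1_in_lattice": in_lattice(ring_mul(x1, a), ring_mul(x1, e), G),
        "x_times_top_monomial": ring_mul(x, xpow(N - 1)),  # x^n = x + 1: not a rotation
        "rank": len(rows), "sub_rank": len(rows2), "sub_log2_det": log2_det(rows2),
        "sub_reconstructs": combine(rows2, combination(a, e, G, zp, keep)) == target2,
    }


def slide_numbers(n=761, w=286, k=13, m=600, lam=1.331876, q=4591):
    """The sntrup761 quantities quoted on the slides, from the same formulas."""
    return {"len_a": w ** 0.5, "len_e": (2 * n / 3) ** 0.5, "len_scaled_a": lam * w ** 0.5,
            "rank": 2 * n, "rank_k": 2 * n - k, "rank_km": 2 * n - k - (n - m),
            "log2_det": (n - k) * math.log2(lam) + m * math.log2(q)}
```

demo() checks that the secret (a, e) is an explicit integer combination of the generators, that the shifted vectors are lattice points too, that x·x^(n−1) = x + 1 in Z[x]/(x^n − x − 1) (so x^j a is not a rotation in the NTRU Prime ring, unlike in Z[x]/(x^761 − 1)), and that after forcing one coefficient of a to zero, dropping two equations and rescaling, the rank and determinant follow the slide’s pattern (n − k + m and λ^(n−k) q^m). slide_numbers() reproduces 17, 23, 1522, 1509 and 1348 from the slides; note that λ√w ≈ 23 ≈ √(1522/3), i.e. the quoted λ is the weight that balances the scaled a against e.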
