frodokem practical quantum secure key encapsulation from
play

FrodoKEM practical quantum-secure key encapsulation from generic - PowerPoint PPT Presentation

Nov 29, 2023 •454 likes •950 views

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos L eo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan Douglas Stebila 1 / 11

  1. FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos L´ eo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan Douglas Stebila 1 / 11

  2. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. 2 / 11

  3. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. 2 / 11

  4. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. 2 / 11

  5. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. [FujisakiOkamoto’99,HHK’17] FrodoPKE FrodoKEM (IND-CPA) (IND-CCA) (generic transform) 2 / 11

  6. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. [FujisakiOkamoto’99,HHK’17] FrodoPKE FrodoKEM (IND-CPA) (IND-CCA) (generic transform) Concrete Instantiations 1 FrodoKEM-640: targets Level 1 security ( ≥ AES-128). 2 FrodoKEM-976: targets Level 3 security ( ≥ AES-192). 3 Other parameterizations are easy, by changing compile-time constants. 2 / 11

  7. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: 3 / 11

  8. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. 3 / 11

  9. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] 3 / 11

  10. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. 3 / 11

  11. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. Public-Key Encryption/Key Exchange ◮ Many schemes with tight (CPA-)security reductions from LWE: [Regev’05,PVW’08,GPV’08,P’09,LP’11,. . . ] 3 / 11

  12. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. Public-Key Encryption/Key Exchange ◮ Many schemes with tight (CPA-)security reductions from LWE: [Regev’05,PVW’08,GPV’08,P’09,LP’11,. . . ] ◮ FrodoCCS [BCDMNNRS’16] instantiated and implemented [LP’11] , using pseudorandom public matrix A to reduce public key size. 3 / 11

  13. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. Public-Key Encryption/Key Exchange ◮ Many schemes with tight (CPA-)security reductions from LWE: [Regev’05,PVW’08,GPV’08,P’09,LP’11,. . . ] ◮ FrodoCCS [BCDMNNRS’16] instantiated and implemented [LP’11] , using pseudorandom public matrix A to reduce public key size. ◮ FrodoPKE [this work] : wider error distributions, new parameters, . . . 3 / 11

  14. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. 4 / 11

  15. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . 4 / 11

  16. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . Bounded-distance decoding on a random ‘ q -ary’ lattice defined by A : (0 , q ) ( q, 0) 4 / 11

  17. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q (Images courtesy xkcd.org) 4 / 11

  18. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q M ∈ { 0 , 1 } k × ℓ (Images courtesy xkcd.org) 4 / 11

  19. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q C ≈ AR M ∈ { 0 , 1 } k × ℓ C ′ ≈ BR + q 2 · M (Images courtesy xkcd.org) 4 / 11

  20. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q C ≈ AR M ∈ { 0 , 1 } k × ℓ C ′ ≈ BR + q 2 · M C ′ − SC ≈ q 2 · M (Images courtesy xkcd.org) 4 / 11

  21. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q C ≈ AR M ∈ { 0 , 1 } k × ℓ C ′ ≈ BR + q 2 · M C ′ − SC ≈ q 2 · M c ( A , B , C , C ′ ) ≡ unif (Images courtesy xkcd.org) 4 / 11

  22. Distinctive Features of FrodoPKE/KEM 1 Generic, algebraically unstructured lattices: plain LWE. 2 ‘Semi-wide’ errors conforming to a worst-case/average-case reduction from a previously studied lattice problem: BDD with DGS. 3 Simple design and constant-time implementation: ⋆ power-of-2 modulus q for cheap & easy modular arithmetic ⋆ straightforward error sampling ⋆ no ‘reconciliation’ or error-correcting codes for removing noise ⋆ x64 implementation: 256 lines of plain C code (+ preexisting symmetric primitives) 5 / 11

  23. Distinctive Features of FrodoPKE/KEM 1 Generic, algebraically unstructured lattices: plain LWE. 2 ‘Semi-wide’ errors conforming to a worst-case/average-case reduction from a previously studied lattice problem: BDD with DGS. 3 Simple design and constant-time implementation: ⋆ power-of-2 modulus q for cheap & easy modular arithmetic ⋆ straightforward error sampling ⋆ no ‘reconciliation’ or error-correcting codes for removing noise ⋆ x64 implementation: 256 lines of plain C code (+ preexisting symmetric primitives) 5 / 11

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos L eo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan Douglas Stebila 1 / 11 Concrete

897 views • 52 slides
IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong Jiang , Zhenfeng Zhang , Long Chen , Hong Wang Zhi Ma Chinese State Key Laboratory of Mathematical Engineering and

577 views • 46 slides
Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography

BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography

BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography Standardization Conference August, 24 th 2019, Santa Barbara, California, USA Authors: Affiliations: Nicolas Aragon University of Limoges, France

291 views • 14 slides
A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing

A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing

A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing - Part 1 Quantum Annealing - Hardware and Basic Principles Introduction to Programming Model and API Constraint Satisfation Problems HARDWARE AND

584 views • 27 slides
Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure

Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure

Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure and trusted by customers, partners and society part of the vital infra of NL Contents Whats the problem? Whats everyone up to? Are

527 views • 33 slides
Encapsulation for Practical Simplification Procedures Olga Shumsky Matlin & William McCune

Encapsulation for Practical Simplification Procedures Olga Shumsky Matlin & William McCune

Encapsulation for Practical Simplification Procedures Olga Shumsky Matlin & William McCune Mathematics and Computer Science Division Argonne National Laboratory {matlin,mccune}@mcs.anl.gov Problem Origin First-order resolution and

254 views • 4 slides
LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 , Alessandro Barenghi 2 , Franco Chiaraluce 1 , Gerardo Pelosi 2 , Paolo Santini 1 1 Universit` a Politecnica delle Marche (m.baldi@univpm.it,

674 views • 52 slides
Q UANTUM C OMPUTING W HY N OW ? Practical Applications Quantum Supremacy Quantum Excitement

Q UANTUM C OMPUTING W HY N OW ? Practical Applications Quantum Supremacy Quantum Excitement

Q UANTUM COMPUTATION FOR THE DISCOVERY OF NEW MATERIALS AND CHEMISTRY Jarrod R. McClean Alvarez Fellow - Computational Research Division Lawrence Berkeley National Laboratory Q UANTUM C OMPUTING W HY N OW ? Practical Applications Quantum

645 views • 39 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number generator with non-iid generator at 17 Gbps samples Tobias Gehring et al. Marco Avesani et al. 1 The need for random numbers Alice quantum Rx laser

346 views • 32 slides
Towards the Practical Space-Ground Integrated Quantum Communication Network Cheng-Zhi Peng CAS

Towards the Practical Space-Ground Integrated Quantum Communication Network Cheng-Zhi Peng CAS

QCrypt 2020: Industry Session 2020/08/12 Online Conference Towards the Practical Space-Ground Integrated Quantum Communication Network Cheng-Zhi Peng CAS Center of Excellence in Quantum Information and Quantum Physics University of Science and

362 views • 15 slides
Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

slide 1 gaius Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a network packet or frame encapsulation refers to how the network interface uses packet switching hardware two machines

499 views • 27 slides
Achieving Practical Applications of Quantum Computers Matthew Otten otten@anl.gov February 7th,

Achieving Practical Applications of Quantum Computers Matthew Otten otten@anl.gov February 7th,

Achieving Practical Applications of Quantum Computers Matthew Otten otten@anl.gov February 7th, 2020 Quantum Supremacy Frank Arute et al. Quantum supremacy using a programmable superconducting processor. In: Nature 574.7779 (2019), pp.

1.01k views • 38 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for Combinatorial problems QTML Workshop Verona, Nov 6 (2017) - Davide Venturelli davide.venturelli@nasa.gov Challenges to Practical End-to-end

1.08k views • 79 slides
CS 591 PHD Seminar Beginning the journey toward earning a PhD CS Graduate Office Viveka

CS 591 PHD Seminar Beginning the journey toward earning a PhD CS Graduate Office Viveka

CS 591 PHD Seminar Beginning the journey toward earning a PhD CS Graduate Office Viveka Kudaligama Kara McGregor Maggie M. Chappell Assistant DGS Senior Grad Advisor Grad Advisor Nancy Amato Robin Kravets Darko Marinov Head of CS Dir.

639 views • 22 slides
Europe 2020: the EU strategy for smart, sustainable and inclusive growth The role of the social

Europe 2020: the EU strategy for smart, sustainable and inclusive growth The role of the social

Europe 2020: the EU strategy for smart, sustainable and inclusive growth The role of the social partners in the definition, implementation and follow-up of the Europe 2020 strategy Vice-President efovi - EESC- ECOSOC- 17 September 2010

74 views • 6 slides
SZDG, eCom4Com technology, EDGeS-EDGI in large P. Kacsuk MTA SZTAKI 1 The EDGI/EDGeS projects

SZDG, eCom4Com technology, EDGeS-EDGI in large P. Kacsuk MTA SZTAKI 1 The EDGI/EDGeS projects

SZDG, eCom4Com technology, EDGeS-EDGI in large P. Kacsuk MTA SZTAKI 1 The EDGI/EDGeS projects receive(d) Community research funding Outline of the talk SZTAKI Desktop Grid (SZDG) SZDG technology: eCom4Com EDGeS EDGI

702 views • 30 slides
On Basing Search SIVP on NP-Hardness Tianren Liu MIT liutr@mit.edu Sixteenth IACR Theory of

On Basing Search SIVP on NP-Hardness Tianren Liu MIT liutr@mit.edu Sixteenth IACR Theory of

On Basing Search SIVP on NP-Hardness Tianren Liu MIT liutr@mit.edu Sixteenth IACR Theory of Cryptography Conference Tianren LIU (MIT) Basing Search SIVP on NP-Hardness TCC 2018 1 / 18 Assumptions and Primitives in Cryptography

1.46k views • 99 slides
Computational Linguistics: TAG, CG and DG Raffaella Bernardi University of Trento Contents

Computational Linguistics: TAG, CG and DG Raffaella Bernardi University of Trento Contents

Computational Linguistics: TAG, CG and DG Raffaella Bernardi University of Trento Contents First Last Prev Next 1. Last time and today We have seen that Formal Grammars play a crucial role in the research on Computational

1.04k views • 40 slides
OB-PWS: Obfuscation-Based Private Web Search Ero Balsa , Carmela Troncoso and Claudia Diaz

OB-PWS: Obfuscation-Based Private Web Search Ero Balsa , Carmela Troncoso and Claudia Diaz

OB-PWS: Obfuscation-Based Private Web Search Ero Balsa , Carmela Troncoso and Claudia Diaz ESAT/COSIC, IBBT - KU Leuven Wednesday, 23 May 2012 Introduction Modelling OB-PWS The Privacy Problem Existing OB-PWS Systems Our contribution

775 views • 35 slides
Renewable and Non-Renewable Distributed Generation Technologies Pavol Bauer Learning objectives

Renewable and Non-Renewable Distributed Generation Technologies Pavol Bauer Learning objectives

Renewable and Non-Renewable Distributed Generation Technologies Pavol Bauer Learning objectives What are the non-renewable and renewable Distributed Generators (DGs) which are connected to microgrids? What are the main

885 views • 10 slides
Volunteer clouds to extend the resources of EMI middleware based VOs Attila Csaba Marosi, Pter

Volunteer clouds to extend the resources of EMI middleware based VOs Attila Csaba Marosi, Pter

Volunteer clouds to extend the resources of EMI middleware based VOs Attila Csaba Marosi, Pter Kacsuk, Jzsef Kovcs, Rbert Lovas Peter.Kacsuk@sztaki.mta.hu MTA SZTAKI Hungary http://edgi-project.eu Start date: 2010-06-01 Duration: 27

184 views • 15 slides

More recommend