How Dangerous are Decryption Failures in Lattice-based Encryption? (PowerPoint PPT presentation)


  1. How Dangerous are Decryption Failures in Lattice-based Encryption? Jan-Pieter D'Anvers, 20 November 2019

  2. Outline: 1 Introduction; 2 How to find 1st failure; 3 How to find next failure; 4 Recovering the secret; 5 Conclusion

  3-4. LWE hard problem
     ◮ LWE problem
     ◮ $A \leftarrow U(\mathbb{Z}_q^{n \times n})$
     ◮ $s, e \leftarrow \text{small}(\mathbb{Z}_q^{n \times k})$
     ◮ given $(A,\; b = A \cdot s + e)$

  5-10. LWE based encryption (built up over six slides)
     Alice: $A \leftarrow U(\mathbb{Z}_q^{n \times n})$, $s, e \leftarrow \text{small}(\mathbb{Z}_q^{n \times k})$, $b = A \cdot s + e$; sends $(b, A)$ to Bob.
     Bob: $s', e', e'' \leftarrow \text{small}(\mathbb{Z}_q^{n \times k})$, $b' = A^T \cdot s' + e'$, $v' = b^T \cdot s' + e'' + \lfloor q/2 \rceil\, m$; sends $(b', v')$ to Alice.
     Alice: $v = b'^T \cdot s$, $m' = \lfloor \tfrac{2}{q} (v' - v) \rceil$.
     Expanding $v' - v$:
     $m' = \lfloor \tfrac{2}{q} \left( s^T A^T s' + e^T s' + e'' + \lfloor q/2 \rceil\, m - s'^T A s - e'^T s \right) \rceil$
     The $s^T A^T s'$ and $s'^T A s$ terms cancel (slide 10), leaving
     $m' = \lfloor \tfrac{2}{q} \left( e^T s' + e'' - e'^T s + \lfloor q/2 \rceil\, m \right) \rceil$

  11. Failures
     ◮ failure if: $\| e^T s' + e'' - e'^T s \|_\infty \ge q/4$
     ◮ typically small failure probability $\delta \approx 2^{-128}$
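The scheme of slides 5-11 and the chosen-ciphertext point of slide 14, as an added worked example in Python; this is not code from the talk or from any scheme it names. The parameters (n = 64, k = 2, q = 1024, "small" modelled as uniform on [-1, 1]) are toy choices made for this illustration. The example makes the error term of slide 11 explicit so that decryption correctness can be checked against it, and lets a dishonest Bob pick large $s', e', e''$ to show that a well-formed ciphertext can be built to fail.

```python
# Added worked example, not from the slides: the LWE-based scheme of slides
# 5-11 with n x k matrices over Z_q, the decryption-error term made explicit,
# and a chosen ciphertext (slide 14) that Alice cannot tell from an honest one.
# Parameters (n = 64, k = 2, q = 1024, coefficient bounds) are toy choices.
import random

def matmul(A, B):
    return [[sum(a * b for a, b in zip(row, col)) for col in zip(*B)] for row in A]

def transpose(M):
    return [list(col) for col in zip(*M)]

def madd(*Ms):
    return [[sum(xs) for xs in zip(*rows)] for rows in zip(*Ms)]

def msub(A, B):
    return [[a - b for a, b in zip(ra, rb)] for ra, rb in zip(A, B)]

def mod(M, q):
    return [[x % q for x in row] for row in M]

def centred(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def small(rng, rows, cols, bound):
    """The deck's 'small' distribution, modelled here as uniform on [-bound, bound]."""
    return [[rng.randint(-bound, bound) for _ in range(cols)] for _ in range(rows)]

def keygen(rng, n, k, q, bound=1):
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(n)]  # A <- U(Z_q^{n x n})
    s, e = small(rng, n, k, bound), small(rng, n, k, bound)      # s, e <- small
    b = mod(madd(matmul(A, s), e), q)                            # b = A s + e
    return (A, b), (s, e)

def encrypt(rng, pk, m, q, bound=1):
    """m is a k x k 0/1 matrix; bound > 1 models a dishonest Bob (slide 14)."""
    A, b = pk
    n, k = len(A), len(b[0])
    s1, e1 = small(rng, n, k, bound), small(rng, n, k, bound)    # s', e'
    e2 = small(rng, k, k, bound)                                 # e'' (k x k, like v')
    b1 = mod(madd(matmul(transpose(A), s1), e1), q)              # b' = A^T s' + e'
    enc_m = [[(q // 2) * bit for bit in row] for row in m]       # floor(q/2) m  (q even)
    # The deck writes b^T s'; with k > 1 the transpose s'^T b is the form for which
    # the s'^T A s term cancels entry-wise against v below (for k = 1 they coincide).
    v1 = mod(madd(matmul(transpose(s1), b), e2, enc_m), q)       # v' = s'^T b + e'' + floor(q/2) m
    return (b1, v1), (s1, e1, e2)

def decrypt(sk, ct, q):
    s, _ = sk
    b1, v1 = ct
    v = matmul(transpose(b1), s)                                 # v = b'^T s
    # m' = round((2/q) (v' - v)) on the centred difference, rounding half up:
    # round(2x/q) = floor((4x + q) / (2q)); the result is taken mod 2.
    return [[((4 * centred(x, q) + q) // (2 * q)) % 2 for x in row] for row in msub(v1, v)]

def error_term(sk, coins, q):
    """What remains after s'^T A s cancels (slides 9-10): e^T s' - e'^T s + e''."""
    s, e = sk
    s1, e1, e2 = coins
    err = msub(madd(matmul(transpose(s1), e), e2), matmul(transpose(e1), s))
    return [[centred(x, q) for x in row] for row in err]

def is_failure(err, q):
    """Slide 11: failure iff ||err||_inf >= q/4.  With the decoder above the exact
    safe band is the half-open [-q/4, q/4); only the single value -q/4 differs."""
    return any(not (-(q // 4) <= x < q // 4) for row in err for x in row)

def honest_roundtrip(seed, n=64, k=2, q=1024):
    """(decryption correct?, error term predicts failure?) for an honest Bob."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, n, k, q)
    m = [[rng.randrange(2) for _ in range(k)] for _ in range(k)]
    ct, coins = encrypt(rng, pk, m, q)
    return decrypt(sk, ct, q) == m, is_failure(error_term(sk, coins, q), q)

def chosen_ciphertext(seed, bound=100, n=64, k=2, q=1024):
    """Same, for a Bob who ignores 'small' and picks s', e', e'' in [-bound, bound]:
    the ciphertext is well-formed, so Alice has nothing to reject it on (slide 14)."""
    rng = random.Random(seed)
    pk, sk = keygen(rng, n, k, q)
    m = [[1] * k for _ in range(k)]
    ct, coins = encrypt(rng, pk, m, q, bound=bound)
    return decrypt(sk, ct, q) == m, is_failure(error_term(sk, coins, q), q)

if __name__ == "__main__":
    print("honest:", honest_roundtrip(1))
    print("chosen ciphertext decrypts correctly:", [chosen_ciphertext(seed)[0] for seed in range(10)])
```

With honest coefficients in [-1, 1] the error term has a standard deviation of about 8 against a threshold of 256, so the honest run never fails; with the dishonest bound of 100 the standard deviation is about 540 and most ciphertexts fail. In both cases `decrypt` agrees with `is_failure` on the error term, which is the point of slide 11: a decryption failure is exactly a large $e^T s' - e'^T s + e''$, and nothing in $(b', v')$ itself reveals whether that will happen.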

  12. How δ is calculated
     ◮ calculate some bounds
     ◮ assume Gaussian and calculate σ and μ
     ◮ calculate the pdf exhaustively

  13. Variations
     ◮ polynomials, vectors/matrices of polynomials over $\mathbb{Z}_q[X]/(X^n + 1)$
     ◮ learning with rounding
     ◮ NTRU version, Mersenne prime, ThreeBears

  14. Chosen ciphertext attacks
     ◮ Easy to attack with chosen ciphertexts
     ◮ We cannot check the adversary: Alice has no way to tell whether $(b', v')$ was generated honestly

  15-18. FO-transform (built up over four slides)
     Alice: $A \leftarrow U(\mathbb{Z}_q^{n \times n})$, $s, e \leftarrow \text{small}(\mathbb{Z}_q^{n \times k})$, $b = A \cdot s + e$; sends $(b, A)$ to Bob.
     Bob: $m \leftarrow U(\{0,1\}^{256})$, $s', e', e'' \leftarrow \text{small}(\mathbb{Z}_q^{n \times k};\; H(m))$ (the randomness is derived from $H(m)$), $b' = A^T \cdot s' + e'$, $v' = b^T \cdot s' + e'' + \lfloor q/2 \rceil\, m$; sends $(b', v')$ to Alice.
     Alice: $v = b'^T \cdot s$, $m' = \lfloor \tfrac{2}{q} (v' - v) \rceil$, then check$(m', b', v')$ (the re-encryption check of the FO transform).

  19-20. Error term
     ◮ let's group secret and ciphertext terms: $S = \begin{pmatrix} -s \\ e \end{pmatrix}$, $C = \begin{pmatrix} e' \\ s' \end{pmatrix}$
     ◮ failure if: $\| S^T C + e'' \|_\infty \ge q/4$

  21. Outline: 1 Introduction; 2 How to find 1st failure; 3 How to find next failure; 4 Recovering the secret; 5 Conclusion (now in section 2)

  22-23. Attack model
     ◮ precomputation: Grover's algorithm
     ◮ only classical access to the decryption oracle

  24-27. Failure boosting
     ◮ find weak ciphertexts (α)
       • generate ciphertext
       • estimate failure probability
       • accept if higher than $f_t$
     ◮ query weak ciphertexts (β)
     ◮ general model for schemes with decryption failures
     ◮ works if:
       • we can estimate the failure probability of ciphertexts
       • the estimated failure probability differs between ciphertexts

  28-29. Failure boosting technical
     ◮ $\alpha = P[\, p_e(c) > f_t \,]$: probability of finding a weak ciphertext
     ◮ $\beta = P[\, c \text{ fails} \mid p_e(c) > f_t \,]$: failure probability of a weak ciphertext

  30-31. Lattice based schemes: simple case
     ◮ $\| S^T C + e'' \|_\infty \ge q/4$
     ◮ $| S^T C | \ge q/4$
     ◮ $\| S \|_2 \, \| C \|_2 \, |\cos\theta| \ge q/4$

  32-33. Lattice based schemes: matrices
     ◮ $\| S^T C \|_\infty \ge q/4$
     ◮ Gaussian assumption
     ◮ $\mu = 0$
     ◮ $\sigma$: $\mathrm{Var}\big( (S^T C)_{ij} \big) = \mathrm{Var}\Big( \sum_k S_{kj} C_{ki} \Big) = \sum_k C_{ki}^2 \cdot \mathrm{Var}(S_{kj}) = \| C_{:,i} \|_2^2 \cdot \sigma_S^2$

  34-36. How to calculate (the same table on three slides; the first column is what drives α, the second what drives β)
       l     P[ ||C||_2 = l ]     P[ fail | ||C||_2 = l ]
     100     2^-30                2^-100
     101     2^-30                2^-99
     102     2^-29                2^-98
     103     2^-29                2^-97
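Failure boosting as described on slides 24-29, computed under the Gaussian assumption of slides 32-33 for the vector case of slide 31 (with $e''$ dropped as on that slide); an added example, not code from the talk. The parameters (n = 256, q = 1024, coefficient bounds of 2) and the quantile used to pick $f_t$ are assumptions made for the illustration, not those of any named scheme. Instead of tabulating by norm as on slides 34-36, it evaluates $p_e(C)$ per sampled ciphertext, which is the same computation since $p_e$ depends only on $\|C\|_2$.

```python
# Added example, not from the talk: failure boosting (slides 24-29) under the
# Gaussian assumption of slides 32-33, in the vector case of slide 31 with the
# e'' term dropped as on that slide.  Parameters are toy choices, not a real scheme.
import math
import random

N = 256           # n; S = (-s, e) and C = (e', s') have 2n coefficients
Q = 1024          # modulus; a ciphertext fails when |S^T C| >= q/4
SECRET_BOUND = 2  # coefficients of s, e uniform on [-2, 2]
CIPHER_BOUND = 2  # coefficients of s', e' uniform on [-2, 2]
SIGMA_S2 = sum(x * x for x in range(-SECRET_BOUND, SECRET_BOUND + 1)) / (2 * SECRET_BOUND + 1)

def gaussian_tail(t, sigma):
    """P[ |N(0, sigma^2)| >= t ]."""
    return math.erfc(t / (sigma * math.sqrt(2)))

def failure_prob_estimate(C, q=Q, sigma_s2=SIGMA_S2):
    """p_e(C): with mu = 0 and Var(S^T C) = ||C||_2^2 sigma_S^2 (slide 33),
    P[fail | C] = P[ |N(0, ||C||^2 sigma_S^2)| >= q/4 ].  Only ||C||_2 matters."""
    norm2 = sum(c * c for c in C)
    return gaussian_tail(q / 4, math.sqrt(norm2 * sigma_s2))

def sample_ciphertext(rng, n=N, bound=CIPHER_BOUND):
    """One ciphertext term C = (e', s') of slide 19, as an honest encryption produces it."""
    return [rng.randint(-bound, bound) for _ in range(2 * n)]

def threshold_at_quantile(rng, quantile, pilot=1000):
    """Pick f_t so that about (1 - quantile) of ciphertexts count as weak."""
    probs = sorted(failure_prob_estimate(sample_ciphertext(rng)) for _ in range(pilot))
    return probs[int(quantile * pilot)]

def failure_boosting(rng, f_t, trials=1000):
    """Slides 25-29: generate, estimate, accept if p_e(C) > f_t.
    Returns (alpha, beta, delta): alpha = P[p_e(C) > f_t] (fraction accepted),
    beta = E[p_e(C) | accepted] (failure rate of a weak ciphertext under the model),
    delta = E[p_e(C)] (failure rate without boosting)."""
    probs = [failure_prob_estimate(sample_ciphertext(rng)) for _ in range(trials)]
    weak = [p for p in probs if p > f_t]
    alpha = len(weak) / trials
    beta = sum(weak) / len(weak) if weak else 0.0
    delta = sum(probs) / trials
    return alpha, beta, delta

def attack_cost(alpha, beta):
    """Cost model behind slides 22-23 and 37: 1/beta weak ciphertexts must be
    queried (classical oracle), each costing 1/alpha samples to find; Grover's
    algorithm on the search step brings 1/alpha down to 1/sqrt(alpha)."""
    return {
        "queries": 1 / beta,
        "work_classical": 1 / (alpha * beta),
        "work_grover": 1 / (math.sqrt(alpha) * beta),
    }

def run_boosting(seed, quantile=0.95):
    """Whole procedure with a fixed seed: returns (f_t, alpha, beta, delta)."""
    rng = random.Random(seed)
    f_t = threshold_at_quantile(rng, quantile)
    alpha, beta, delta = failure_boosting(rng, f_t)
    return f_t, alpha, beta, delta

if __name__ == "__main__":
    f_t, alpha, beta, delta = run_boosting(2019)
    print(f"f_t = 2^{math.log2(f_t):.1f}, alpha = {alpha:.3f}, "
          f"beta = 2^{math.log2(beta):.1f}, delta = 2^{math.log2(delta):.1f}")
    print({k: f"2^{math.log2(v):.1f}" for k, v in attack_cost(alpha, beta).items()})
    print(f"without boosting: 2^{math.log2(1 / delta):.1f} queries")
```

Because $p_e$ is a function of $\|C\|_2$ alone and the norm of a random $C$ concentrates, the gain from plain norm-based boosting is modest: $\beta$ is only a few times $\delta$ while each weak ciphertext costs $1/\alpha$ samples, which is the trade-off the curves on slides 37-38 plot per scheme.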

  37. [Figure] total work to generate a failure ($1/(\alpha\beta)$, y-axis, $2^{104}$ to $2^{272}$) against the work to generate one weak sample ($1/\alpha$, x-axis, $2^{0}$ to $2^{144}$), for Kyber768, FrodoKEM-976, LAC-256, Saber and LizardCat3.
  38. [Figure] total work to generate a failure (y-axis, $2^{83}$ to $2^{411}$) against the weak ciphertext failure rate ($\beta$, x-axis, $2^{-190}$ to $2^{-36}$), for the same five schemes.

  39. Outline: 1 Introduction; 2 How to find 1st failure; 3 How to find next failure; 4 Recovering the secret; 5 Conclusion (now in section 3)

  40. Failure boosting
     ◮ $S^T C = \| S \|_2 \cdot \| C \|_2 \cos\theta$

  41-45. [Figures] only the labels survive the extraction: δ (slide 41), α (slide 42), α and β (slide 43); slides 44 and 45 carry no text.

  46-48. Find next failures
     ◮ $| S^T C | \ge q/4$
     ◮ $E$: the direction estimate; $S$ and $C$ are split into components parallel ($\parallel$) and orthogonal ($\perp$) to it
     ◮ $| S_\parallel^T C_\parallel + S_\perp^T C_\perp + S_\parallel^T C_\perp + S_\perp^T C_\parallel | \ge q/4$
     ◮ $| S_\parallel^T C_\parallel + S_\perp^T C_\perp | \ge q/4$ (the cross terms vanish)
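The decomposition of slides 46-48 turned into a boosting criterion, as an added example that is not taken from the talk. The direction estimate $E$ is simulated with a chosen accuracy (the cosine of its angle to $S$) rather than derived from earlier failures, since these slides do not say how $E$ is built; the modulus is made tiny so that the boosted failure rate $\beta$ can be measured directly against the unboosted rate $\delta$ instead of being modelled.

```python
# Added example, not from the talk: boosting towards the next failure with a
# direction estimate E, using the decomposition of slides 46-48.  How E is
# obtained from earlier failures is not modelled; its accuracy (the cosine of
# its angle to S) is an input of the simulation.  The modulus is tiny so that
# failures are frequent enough to count empirically.
import math
import random

N = 64              # n; S and C have 2n coefficients
Q = 48              # toy modulus: failure when |S^T C| >= q/4 = 12 (slide 31)
SIGMA_S2 = 2 / 3    # Var of a secret coefficient uniform on {-1, 0, 1}

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def norm(u):
    return math.sqrt(dot(u, u))

def scale(u, a):
    return [a * x for x in u]

def sub(u, v):
    return [a - b for a, b in zip(u, v)]

def split(v, E):
    """v = v_par + v_perp, with v_par along the unit vector E (slide 47)."""
    v_par = scale(E, dot(v, E))
    return v_par, sub(v, v_par)

def decomposition_gap(S, C, E):
    """|S^T C - (S_par^T C_par + S_perp^T C_perp)|: the cross terms
    S_par^T C_perp and S_perp^T C_par of slide 47 vanish (slide 48)."""
    S_par, S_perp = split(S, E)
    C_par, C_perp = split(C, E)
    return abs(dot(S, C) - (dot(S_par, C_par) + dot(S_perp, C_perp)))

def simulated_estimate(rng, S, cos_angle):
    """Unit vector E with <E, S/||S||> = cos_angle: stands in for the estimate
    an attacker builds from earlier failures (assumption of this example)."""
    S_hat = scale(S, 1 / norm(S))
    _, R_perp = split([rng.gauss(0, 1) for _ in S], S_hat)
    R_hat = scale(R_perp, 1 / norm(R_perp))
    sin_angle = math.sqrt(1 - cos_angle ** 2)
    return [cos_angle * a + sin_angle * b for a, b in zip(S_hat, R_hat)]

def q_tail(x):
    """P[N(0, 1) >= x]."""
    return 0.5 * math.erfc(x / math.sqrt(2))

def failure_prob_given_E(C, E, s_par, q=Q, sigma_s2=SIGMA_S2):
    """p_e(C | E) from slide 48: S^T C = s_par * (C.E) + S_perp^T C_perp, where
    s_par = S.E is what the attacker believes about S along E, and the orthogonal
    part is Gaussian with variance ||C_perp||^2 sigma_S^2 (slide 33)."""
    _, C_perp = split(C, E)
    mu = s_par * dot(C, E)
    sigma = math.sqrt(dot(C_perp, C_perp) * sigma_s2)
    t = q / 4
    return q_tail((t - mu) / sigma) + q_tail((t + mu) / sigma)

def decryption_fails(S, C, q=Q):
    return abs(dot(S, C)) >= q / 4

def directional_boosting(seed, cos_angle, trials=4000, keep=0.1, n=N):
    """Returns (delta, beta, alpha): empirical failure rate of all ciphertexts,
    of the accepted 'weak' ones, and the accepted fraction."""
    rng = random.Random(seed)
    S = [rng.randint(-1, 1) for _ in range(2 * n)]
    cts = [[rng.randint(-1, 1) for _ in range(2 * n)] for _ in range(trials)]
    E = simulated_estimate(rng, S, cos_angle)
    # Attacker's belief about S along E: expected ||S|| times the assumed cosine.
    s_par = cos_angle * math.sqrt(2 * n * SIGMA_S2)
    probs = [failure_prob_given_E(C, E, s_par) for C in cts]
    f_t = sorted(probs)[int((1 - keep) * trials)]
    weak = [C for C, p in zip(cts, probs) if p > f_t]
    delta = sum(decryption_fails(S, C) for C in cts) / trials
    beta = sum(decryption_fails(S, C) for C in weak) / len(weak)
    return delta, beta, len(weak) / trials

def decomposition_check(seed, n=N):
    rng = random.Random(seed)
    S = [rng.randint(-1, 1) for _ in range(2 * n)]
    C = [rng.randint(-1, 1) for _ in range(2 * n)]
    return decomposition_gap(S, C, simulated_estimate(rng, S, 0.5))

if __name__ == "__main__":
    for cos_angle in (0.0, 0.3, 0.6, 0.9):
        delta, beta, alpha = directional_boosting(1, cos_angle)
        print(f"cos = {cos_angle}: delta = {delta:.3f}, beta = {beta:.3f}, alpha = {alpha:.3f}")
```

With a useless estimate (cosine 0) the criterion degenerates to the norm-based boosting of slides 30-33 and $\beta$ barely moves; as the estimate improves, the accepted ciphertexts are those with a large component along $E$, and $\beta$ grows well beyond $\delta$ at the same acceptance rate $\alpha$. That is why, after the first failure, each further failure is cheaper than the one before.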
