Improvement and Efficient Implementation of a Lattice-based Signature Scheme

Improvement and Efficient Implementation of a Lattice-based Signature Scheme. Rachid El Bansarkhani, Johannes Buchmann. Technische Universität Darmstadt (TU Darmstadt), August 2013.


  1. Improvement and Efficient Implementation of a Lattice-based Signature Scheme. Rachid El Bansarkhani, Johannes Buchmann. Technische Universität Darmstadt (TU Darmstadt), August 2013. Running footer: Rachid El Bansarkhani, Lattice-based Signatures.

  2. Outline: Introduction to Lattice-based Crypto; Lattice-based Hash Function; Lattice-based Signature Scheme; Contributions; Experimental Results.

  3. Introduction. A lattice is the set of all integer linear combinations of (linearly independent) basis vectors $B = \{b_1, \dots, b_n\} \in \mathbb{R}^n$: $\mathcal{L} = \sum_{i=1}^{n} b_i \cdot \mathbb{Z} = \{Bx : x \in \mathbb{Z}^n\} \subset \mathbb{R}^n$. A lattice has infinitely many bases: $\mathcal{L} = \sum_{i=1}^{n} c_i \cdot \mathbb{Z}$. Definition (Lattices): a discrete additive subgroup of $\mathbb{R}^n$.

  6. Introduction. The shortest vector $v$ in a lattice: the lattice point with minimum distance $\lambda_1 = \|v\|$ to the origin, $\lambda_1(\mathcal{L}) = \min_{x \neq 0,\, x \in \mathcal{L}} \|x\|$. More generally, $\lambda_k$ denotes the smallest radius of a ball containing $k$ linearly independent vectors.

  8. Computational Problems. Definition (Shortest Vector Problem): Given a basis $B = \{b_1, \dots, b_n\}$, find the shortest nonzero vector $v$ in the lattice $\mathcal{L}(B)$, i.e. $\|v\| = \lambda_1$.

  11. Hash function. Lattice-based hash function [Ajtai96]: $f_A(x) = A \cdot x \bmod q$. Input parameters: $q \in \mathbb{Z}$ (e.g. $2^{19}$); choose $A \in \mathbb{Z}_q^{n \times m}$ uniformly at random; $n$ (e.g. $n = 256$) is the main security parameter; $m > n \cdot \log_2 q$; $x$ is from a bounded domain, e.g. $x \in \{0, 1\}^n$.

  15. Hash Function. $f_A(x) = A \cdot x \bmod q$: is a compression function; maps $m$ bits to $n \log_2 q$ bits; inversion and finding collisions are as hard as worst-case lattice problems.

  16. Hash Function. Hardness of finding collisions: finding collisions in the average case, where $A$ is chosen at random, is hard, provided approximating SIVP is hard in the worst case.

  17. From Hash Functions to a Signature Scheme. Signature scheme by Gentry, Peikert and Vaikuntanathan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices. Keygen: random matrix $A \in \mathbb{Z}_q^{n \times m}$ and trapdoor $R$, random oracle (RO) $H(\cdot)$. PSTF: $f_A(x) = A \cdot x \bmod q$. Signing of message $m$: signature $\sigma = f_A^{-1}(H(m))$ using trapdoor $R$. Verification: $\|\sigma\| \le \text{bound}$ and $f_A(\sigma) = H(m)$. Similar to RSA Hash-and-Sign, but the verification process differs. Forging signatures is as hard as inverting lattice-based hash functions. Secure in the RO model.

  23. From Hash Functions to a Signature Scheme. Main challenge: how to generate a random matrix $A$ that enables the signer to sign messages? Solution: use the trapdoor $R$ to generate a random matrix $A$.

  24. From Hash Functions to a Signature Scheme. Construction of $A$ according to Micciancio and Peikert [MP12]: $A = [\,\bar{A} \mid G - \bar{A}R\,]$. Parameters: $\bar{A} \in \mathbb{Z}_q^{n \times n}$ is uniformly distributed; $R \in \mathbb{Z}^{n \times nk}$ is the secret/trapdoor (small entries); $A$ is pseudorandom (computational instantiation).

  25. From Hash Functions to a Signature Scheme. Implementation issues: $q = 2^k$ is more suitable for practice; entries of $R$ are sampled from a discrete Gaussian; $G = \begin{pmatrix} 1\;2\;\cdots\;2^{k-1} & & 0 \\ & \ddots & \\ 0 & & 1\;2\;\cdots\;2^{k-1} \end{pmatrix}$.

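The construction $A = [\bar{A} \mid G - \bar{A}R]$ with $q = 2^k$ and the two verification checks from the hash-and-sign slide can be exercised end to end at toy size; this is an added example, not code from the presentation or its authors. Assumptions: all function names, the toy sizes, SHAKE-256 as a stand-in for $H$, entries of $R$ drawn from {-1, 0, 1} rather than a discrete Gaussian, and a worst-case norm bound. The signer here is deterministic and therefore leaks $R$; it is included only so the trapdoor algebra can be checked.

```python
import hashlib
import math
import random

N, K = 8, 10        # toy sizes (assumption); the slides suggest n = 256, q = 2^19
Q = 1 << K          # q = 2^k
NK = N * K

def mat_vec(A, x, mod=None):
    y = [sum(a * b for a, b in zip(row, x)) for row in A]
    return [v % mod for v in y] if mod else y

def gadget():
    # G = I_n (x) (1, 2, ..., 2^(k-1)), an n x nk block-diagonal matrix
    return [[1 << (j % K) if j // K == i else 0 for j in range(NK)]
            for i in range(N)]

def keygen(rng):
    A_bar = [[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
    # Simplification: entries from {-1, 0, 1} instead of a discrete Gaussian
    R = [[rng.choice((-1, 0, 1)) for _ in range(NK)] for _ in range(N)]
    G = gadget()
    # Right block G - A_bar * R mod q hides R behind the uniform A_bar
    right = [[(G[i][j] - sum(A_bar[i][t] * R[t][j] for t in range(N))) % Q
              for j in range(NK)] for i in range(N)]
    return [A_bar[i] + right[i] for i in range(N)], R

def H(msg):
    # Stand-in for the random oracle: bytes -> vector in Z_q^n
    d = hashlib.shake_256(msg).digest(2 * N)
    return [int.from_bytes(d[2 * i:2 * i + 2], "big") % Q for i in range(N)]

def sign_insecure(R, msg):
    # x = [R z ; z] with G z = H(msg), z the bit decomposition of H(msg).
    # Deterministic, so it leaks R; GPV signing samples x from a Gaussian.
    u = H(msg)
    z = [(u[j // K] >> (j % K)) & 1 for j in range(NK)]
    return mat_vec(R, z) + z

# Worst-case norm of [R z ; z] for R in {-1, 0, 1}, z in {0, 1}
BOUND = math.sqrt(N * NK ** 2 + NK)

def verify(A, msg, sigma):
    # Both checks from the slides: short preimage AND f_A(sigma) = H(m)
    short = math.sqrt(sum(v * v for v in sigma)) <= BOUND
    return short and mat_vec(A, sigma, Q) == H(msg)
```

Adding $q$ to one coordinate of a valid signature leaves $f_A(\sigma)$ unchanged mod $q$, so only the norm check rejects it; a verifier that skips the bound accepts arbitrary long preimages.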
