lapin
play

Lapin (an efficient authentication protocol based on Ring-LPN) - PowerPoint PPT Presentation

Sep 26, 2023 •330 likes •563 views

Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak Authentication Protocols Prover Verifier HB-style authentication shared AES key K protocols

  1. Lapin (an efficient authentication protocol based on Ring-LPN) Stefan Heyse, Eike Kiltz, Vadim Lyubashevsky, Christof Paar, Krzysztof Pietrzak

  2. Authentication Protocols Prover Verifier HB-style authentication shared AES key K protocols based on LPN c AES K (c) suitable for light-weight authentication

  3. Lightweight Authentication - Motivation Lightweight authentication has many applications • “We need security with less than 2000 gates for RFID tags” Sanjay Sarma (MIT AUTO-ID Labs) @ CHES 2002 • $3 trillion damage annually due to product piracy* → replacement parts and devices need authentication *Source: www.bascap.com • Remote keyless entry systems for buildings, cars…

  4. Lightweight Authentication - Motivation • Many embedded applications are very cost-sensitive → we need lightweight authentication • Since ≈ 2006 a lot of research on lightweight ciphers (PRESENT and many other proposals) • All previous lightweight ciphers… – are optimized for hardware complexity (gate count), even though the vast majority of embedded applications run in software / firmware → very small code attractive for many applications – are not based on hardness assumptions

  5. Learning Parity with Noise (LPN) n We have access to an oracle who has a secret s in Z 2 On every query, the oracle: n 1. Picks r ← Z 2 2. Picks a `noise’ e ← β ¼ (i.e. e= 0 w.p. ¾ and 1 w.p ¼) 3. Outputs ( r , t=< r , s > + e) 1 0 1 0 1 1 0 + = 1 1 0 1 1 1 0 0 1 1 1 0 0 0 1 0 0 1 1 1 1 0 0 1 1 0 1 1 1 1 1 1 0 1 0 0 1 1 0 0 0 1 1 0 0 The goal: Find s

  6. Decision LPN 1 0 1 0 1 1 0 + = 1 1 0 1 1 1 0 0 1 1 1 0 0 0 1 0 0 1 1 1 1 0 0 1 1 0 1 1 1 1 1 1 0 1 0 0 1 1 0 0 0 1 1 0 0 can’t distinguish from uniform Thm [BFKL ‘93]: Decision -LPN is as hard as LPN

  7. HB Protocol [HB ‘01] Prover Verifier n common secret s in Z 2 r 1 , … , r k n Pick r 1 , … , r k ← Z 2 For 1 ≤ j ≤ k t 1 , … , t k generate e j ← β ¼ Accept iff for more than set t j =< r j , s > + e j 60% of j, t j =< r j , s > As secure as LPN against a passive adversary s r 1 1 0 1 0 1 1 0 t 1 + = r 2 t 2 1 1 0 1 1 1 0 0 1 1 1 0 0 0 kn ≈ 2 18 bits!! 1 0 0 1 1 1 1 … … 0 0 1 1 0 1 1 1 1 1 1 0 0 1 1 0 1 0 r k 0 0 t k 1 1 0 0

  8. HB Protocol [HB ‘01] Prover Verifier n common secrets s 1 ,…, s k in Z 2 r n Pick r ← Z 2 For 1 ≤ j ≤ k t 1 , … , t k generate e j ← β ¼ Accept iff for more than set t j =< r , s j > + e j 60% of j, t j =< r , s j > As secure as LPN against a passive adversary r s 1 1 0 1 0 1 1 0 t 1 + = s 2 t 2 1 1 0 1 1 1 0 0 1 1 1 0 0 0 kn ≈ 2 18 bits!! 1 0 0 1 1 1 1 … … 0 0 1 1 0 1 1 1 1 1 1 0 0 1 1 0 1 0 s k 0 0 t k 1 1 0 0

  9. HB Protocol + Toeplitz Matrix [GRS ‘08] Prover Verifier n common secrets s 1 ,…, s k in Z 2 r n Pick r ← Z 2 For 1 ≤ j ≤ k t 1 , … , t k generate e j ← β ¼ Accept iff for more than set t j =< r , s j > + e j 60% of j, t j =< r , s j > As secure as “Toeplitz - LPN” against a passive adversary r s 1 1 0 1 0 1 1 0 t 1 + = s 2 t 2 1 1 0 1 1 1 0 0 1 1 0 0 0 1 k+n-1 ≈ 2 10 bits 1 0 1 1 1 1 1 … … 0 1 0 1 0 0 1 1 0 1 0 0 0 1 0 1 1 1 s k 0 1 t k 1 0 1 0

  10. HB Protocol + Ring (field) Z 2 [x]/< f (x)> Prover Verifier n common secrets s 1 ,…, s k in Z 2 r n Pick r ← Z 2 For 1 ≤ j ≤ k t 1 , … , t k generate e j ← β ¼ Accept iff for more than set t j =< r , s j > + e j 60% of j, t j =< r , s j > As secure as “Ring - LPN” against a passive adversary r s 1 1 0 0 1 1 1 0 t 1 + = s 2 t 2 1 1 0 1 1 1 0 0 1 1 0 0 0 1 ≈ 2 9 bits 0 0 1 1 1 1 1 … … 1 1 1 0 0 0 1 0 0 0 1 0 1 0 0 0 1 1 s k 0 1 t k 1 1 0 0

  11. HB Protocol + Field Z 2 [x]/<x 4 +x+1> 1+x+x 3 1+x 3 1+x+x 2 1+x 1 0 0 1 1 1 1 + = 1 1 0 1 1 1 0 0 1 1 0 0 0 1 0 0 1 1 1 1 0 0 0 1 1 1 0 1 0 0 0 1 0 1 0 0 0 1 0 0 0 1 1 0 0 1+x 2 +x 3 x 2 x

  12. Ring-LPN Problem f (x) = polynomial of degree n R = Z 2 [x]/< f (x)> (Decision) Ring-LPN problem s  R r  R r  R e  β ⅛ n t  R t = rs + e Output ( r , t ) Output ( r , t ) Distinguish between the two distributions

  13. Hardness of Ring-LPN • Very little known • For irreducible f (x), seems as hard as general LPN • For reducible f (x) … one needs to be careful – f (x) = x n + 1 (where n is a power of 2), there is a 2 √n algorithm • No known connection between decision and search versions

  14. HB Protocol + Ring (field) Z 2 [x]/< f (x)> Prover Verifier common secret s in Z 2 [x]/(f(x)) r Pick r ← Z 2 [x]/(f(x)) generate e ← β ⅛ n t set t = rs + e Accept iff t + rs is 0 for more than 60% of the coefficients As secure as “Ring - LPN” against a passive adversary 1 0 0 1 1 1 0 + = 1 1 0 1 1 1 0 0 1 1 0 0 0 1 0 0 1 1 1 1 1 What about active attacks?

  15. Active Attack Model Prover Adversary Phase 1 …

  16. Active Attack Model Verifier Adversary Phase 2 … Accept! Adversary wins

  17. HB Protocol with Active Security [JW ‘05, KS ’06, GRS ’08, …] Prover Verifier secret size doubled 3 Rounds security proof uses rewinding (not tight): adversary succeeding with probability δ lets us break LPN with probability δ 2

  18. Our Result • 2 round efficient protocol based on Ring-LPN • Uses ideas from [KPCJV ‘10] – [KPCJV ‘10 ] is a 2-round LPN-based protocol – It suffers from the same efficiency drawback as HB – Don’t know if it can be instantiated with a Toeplitz matrix

  19. New Authentication Protocol Prover Verifier common secrets s , s ’ in R = Z 2 [x]/< f (x)> R * is the set of all invertible elements in R D is a subset of R such that for all c ≠ c’ in D , c + c ’ is in R * c Pick c ← D generate r ← R * ( r , z ) generate e ← β ⅛ n Accept iff r is in R * and set z = r ( sc + s ’ )+ e more than ¾ of the entries of z + r ( sc + s ’ ) are 0

  20. Security Proof c *  D , a  R , s’ = c * s + a c Phase 1 ( r’ , t = r’s + e ) r = r’ ( c + c* ) -1 z = t + ra ( r , z ) = r ( sc + s ’ )+ e Phase 2 c * t = r’s + e if r is in R * and more ( r , z ) than ¾ of the entries of z + r ( sc * + s’ ) are 0. ( r’,t ) is random else

  21. Performance Comparisons 8-bit AVR ATmega163 smartcard implementations Protocol Online Time Offline Time Code Size (cycles) (cycles) (bytes) f (x)=x 621 +… 30,000 82,500 1356 (reducible) f (x)=x 532 +x+1 21,000 174,000 459 (irreducible) AES-Based 10,121 0 4644

  22. Open Problems • Man-in-the-middle security? – There is a 2 k/2 time MIM attack against our protocol (requires 2 k/2 observations) – Can we design a practical protocol provably secure against man-in-the-middle attacks? • Big step taken in [DKPW ‘12] • Is Lapin already secure against MIM attacks? • How hard is the Ring-LPN problem? – Is there a search-decision reduction? • A 2-round protocol with Toeplitz matrices? Thank You!

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Contemporary Russian Literature Topic Modelling Methods Ustinia Kosheleva, Anna Kondratjeva,

Contemporary Russian Literature Topic Modelling Methods Ustinia Kosheleva, Anna Kondratjeva,

Contemporary Russian Literature Topic Modelling Methods Ustinia Kosheleva, Anna Kondratjeva, Daria Maximova, Yevgeniy Lapin Digital Humanities minor, Colloquium I, Feb. 18, 2017 Corpus 59 books (mainly novels and collections of short stories)

281 views • 13 slides
September 2016 ANDRUS WHO ARE WE? ANDRUS Private, social sector Mission: ANDRUS

September 2016 ANDRUS WHO ARE WE? ANDRUS Private, social sector Mission: ANDRUS

Danni Lapin, LCSW-R Leani Spinner, LCSW-R September 2016 ANDRUS WHO ARE WE? ANDRUS Private, social sector Mission: ANDRUS nurtures social and emotional well- being in children and their families by delivering a broad range of vital

700 views • 26 slides
Water tershed Mana shed Manageme gement nt Plan, Plan, Town of wn of Butt Butter ernuts

Water tershed Mana shed Manageme gement nt Plan, Plan, Town of wn of Butt Butter ernuts

But Butter ternut nut Cr Creek eek Water tershed Mana shed Manageme gement nt Plan, Plan, Town of wn of Butt Butter ernuts nuts Danny Lapin, AICP , Environmental Planner September 11, 2019 Before We Get Started Please sign

548 views • 32 slides
Shorter Linear Straight-Line Programs for MDS Matrices Yet another XOR Count Paper Thorsten Kranz

Shorter Linear Straight-Line Programs for MDS Matrices Yet another XOR Count Paper Thorsten Kranz

Motivation Previous Work Shorter Linear Straight-Line Programs Results Conclusion Shorter Linear Straight-Line Programs for MDS Matrices Yet another XOR Count Paper Thorsten Kranz 1 , Gregor Leander 1 , Ko Stoffelen 2 , Friedrich Wiemer 1 1

950 views • 69 slides
Preconditioning for Nonsymmetry and Time-dependence Andy Wathen Oxford University, UK joint

Preconditioning for Nonsymmetry and Time-dependence Andy Wathen Oxford University, UK joint

Preconditioning for Nonsymmetry and Time-dependence Andy Wathen Oxford University, UK joint work with Jen Pestana and Elle McDonald Jeju, Korea, 2015 p.1/24 Iterative methods For self-adjoint problems/symmetric matrices, iterative

672 views • 25 slides
QCrypt: Implemenng a Next-Generaon Quantum Key Disllaon Engine in Pracce P. Junod

QCrypt: Implemenng a Next-Generaon Quantum Key Disllaon Engine in Pracce P. Junod

Context Classical Channel Overall Security . . . . . . . . . . . . . . . . . . . . . QCrypt: Implemenng a Next-Generaon Quantum Key Disllaon Engine in Pracce P. Junod (HEIG-VD) Joint work with A. Burg, J. Constann

666 views • 29 slides
Optimizing R VM: Interpreter-level Specialization and Vectorization Haichuan Wang 1 , Peng Wu 2 ,

Optimizing R VM: Interpreter-level Specialization and Vectorization Haichuan Wang 1 , Peng Wu 2 ,

DSC2014 Optimizing R VM: Interpreter-level Specialization and Vectorization Haichuan Wang 1 , Peng Wu 2 , David Padua 1 1 University of Illinois at Urbana-Champaign 2 Huawei America Lab Optimizing R VM: Interpreter-level Specialization and

605 views • 22 slides
Module 2 2.1 Transportation Planning Process The transportation planning process has a lot of

Module 2 2.1 Transportation Planning Process The transportation planning process has a lot of

CE -751, SLD, Class Notes, Fall 2006, IIT Bombay Module 2 2.1 Transportation Planning Process The transportation planning process has a lot of similarity to the problem solving process. The following table gives the major differences between the

503 views • 8 slides
Tracing While Loops 7 January 2019 OSU CSE 1 Consider... int i = 4, j = 1, n = 0; while (i &gt;

Tracing While Loops 7 January 2019 OSU CSE 1 Consider... int i = 4, j = 1, n = 0; while (i &gt;

Tracing While Loops 7 January 2019 OSU CSE 1 Consider... int i = 4, j = 1, n = 0; while (i &gt; j) { if (n % 2 == 0) { i--; } else { j++; } n++; } 7 January 2019 OSU CSE 2 Trace It int i = 4, j = 1, n = 0; i = 4 j = 1 n = 0 while

367 views • 20 slides
Tracing and Profiling MySQL Mostly with Linux tools: from strace and gdb to ftrace, bpftrace,

Tracing and Profiling MySQL Mostly with Linux tools: from strace and gdb to ftrace, bpftrace,

Tracing and Profiling MySQL Mostly with Linux tools: from strace and gdb to ftrace, bpftrace, perf and dynamic probes Valerii Kravchuk, Principal Support Engineer, MariaDB vkravchuk@gmail.com 1 Who am I? Valerii (aka Valeriy ) Kravchuk :

549 views • 27 slides
Content-aware Trace Collection and I/O Deduplication for Smartphones Bo Mao 1 , Suzhen Wu 1 , Hong

Content-aware Trace Collection and I/O Deduplication for Smartphones Bo Mao 1 , Suzhen Wu 1 , Hong

Content-aware Trace Collection and I/O Deduplication for Smartphones Bo Mao 1 , Suzhen Wu 1 , Hong Jiang 2 , Xiao Chen 1 , Weijian Yang 1 {maobo, suzhen}@xmu.edu.cn, hong.jiang@uta.edu 1 Xiamen University (http://astl.xmu.edu.cn/) 2 University of

379 views • 19 slides
MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and

MIT 6.837 - Ray Tracing Ray Tracing MIT EECS 6.837 Most slides are taken from Frdo Durand and Barb Cutler Some slides courtesy of Leonard McMillan 1 2 Ray Tracing Ray Tracing Ray Tracing kills two birds with one stone: Solves the

327 views • 11 slides
Selecting points of interest in traces using patterns of events Franois Trahay , Elisabeth

Selecting points of interest in traces using patterns of events Franois Trahay , Elisabeth

Selecting points of interest in traces using patterns of events Franois Trahay , Elisabeth Brunet, Mohamed Mosli Bouksiaa, Jianwei Liao Context Hardware is more and more complex NUMA, hierarchical caches, GPU, ... Software is more

640 views • 35 slides
ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC

IN INTRODUCTION TO TRAFFIC ANALYSIS ETI2506 Sunday, 23 October 2016 1 WHERE ARE WE IN THE CURRICULUM? 2 GOAL OF TRAFFIC ANALYSIS 1. Except for user terminals, the telephone network is composed of a variety of common 45 Trunks equipment

385 views • 17 slides
VISUALISING REAL TIME TRAFFIC DATA USING ELASTICSEARCH AND C3JS @ jettroCoenradie Trifork

VISUALISING REAL TIME TRAFFIC DATA USING ELASTICSEARCH AND C3JS @ jettroCoenradie Trifork

VISUALISING REAL TIME TRAFFIC DATA USING ELASTICSEARCH AND C3JS @ jettroCoenradie Trifork Amsterdam Case Study ANWB (Royal Dutch Automobile Association) FACT SHEET Software engineer @ Trifork Jettro Coenradie specialised in search

854 views • 37 slides
Quasi-Dynamic Network Model Contents Partition Method for Accelerating Parallel Network

Quasi-Dynamic Network Model Contents Partition Method for Accelerating Parallel Network

Quasi-Dynamic Network Model Contents Partition Method for Accelerating Parallel Network Simulation Background Research Objective Hiroyuki Ohsaki Gomez Oscar Quasi-Dynamic Network Model Partition Method Makoto Imase Basic idea

313 views • 4 slides
11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

11 Introduction Introduction M/M/1 Queueing delay (revisited) R=link bandwidth (bps)

Introduction Introduction Four sources of packet delay Delay in packet-switched networks 3. Transmission delay: 4. Propagation delay: 1. nodal processing: 2. queueing R=link bandwidth (bps) d = length of physical link check

185 views • 3 slides
We Innovate Pilsen With the help of modern technologies, we make life easier, we develop talents

We Innovate Pilsen With the help of modern technologies, we make life easier, we develop talents

We Innovate Pilsen With the help of modern technologies, we make life easier, we develop talents and inspire businesses. Together we create a smart city. We are the Information Technology Administration of the City of Pilsen (SITMP) a

881 views • 5 slides
Image Recognition Traffic Patterns for Wireless Multimedia Sensor Networks Wireless Multimedia

Image Recognition Traffic Patterns for Wireless Multimedia Sensor Networks Wireless Multimedia

Image Recognition Traffic Patterns for Wireless Multimedia Sensor Networks Wireless Multimedia Sensor Network Application Areas: Multimedia Surveillance Sensor Networks Advance Health Care Delivery Traffic Control Systems

246 views • 10 slides
Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing

Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing

FPGA implementation of Quantized (Deep) Neural Network (QNN) Accelerators Biruk Seyoum Phd Student, Scoula Superiore SantAnna, Pisa Contents Introduction Pipelined FPGA DNN accelerators Roof-line Model and optimizing FPGA DNN

587 views • 23 slides
The Function Placement Problem (FPP) Wolfgang Kellerer Technical University of Munich Dagstuhl,

The Function Placement Problem (FPP) Wolfgang Kellerer Technical University of Munich Dagstuhl,

Chair of Communication Networks Department of Electrical and Computer Engineering Technical University of Munich The Function Placement Problem (FPP) Wolfgang Kellerer Technical University of Munich Dagstuhl, January 16-18, 2017 based on A.

589 views • 25 slides
Lecture 17: More on binary vs. multi-class classifiers (Polychotomizers: One-Hot Vectors,

Lecture 17: More on binary vs. multi-class classifiers (Polychotomizers: One-Hot Vectors,

Lecture 17: More on binary vs. multi-class classifiers (Polychotomizers: One-Hot Vectors, Softmax, and Cross-Entropy) Mark Hasegawa-Johnson, 3/9/2019. CC-BY 3.0: You are free to share and adapt these slides if you cite the original. Modified by

1.3k views • 98 slides
Machine Learning CS 786 University of Waterloo Lecture 4: May 10, 2012 What is Machine

Machine Learning CS 786 University of Waterloo Lecture 4: May 10, 2012 What is Machine

Machine Learning CS 786 University of Waterloo Lecture 4: May 10, 2012 What is Machine Learning? Definition: A computer program is said to learn from experience E with respect to some class of tasks T and performance measure P, if its

627 views • 18 slides
Modeling the Catchment Via Mixtures: an Uncertainty Framework for Dynamic Hydrologic Systems

Modeling the Catchment Via Mixtures: an Uncertainty Framework for Dynamic Hydrologic Systems

Modeling the Catchment Via Mixtures: an Uncertainty Framework for Dynamic Hydrologic Systems Dynamic Hydrologic Systems Lucy Marshall Assistant Professor of Watershed Analysis A i P f f W h d A l i Department of Land Resources and

580 views • 30 slides

More recommend