lattice based cryptography episode iv
play

Lattice-based cryptography Episode IV A new hope Peter Schwabe - PowerPoint PPT Presentation

Sep 23, 2023 •133 likes •651 views

Lattice-based cryptography Episode IV A new hope Peter Schwabe Joint work with Erdem Alkim, Lo Ducas, and Thomas Pppelmann peter@cryptojedi.org https://cryptojedi.org June 23, 2017 Were indebted to Erdem Alkim, Lo Ducas,

  1. Lattice-based cryptography – Episode IV A new hope Peter Schwabe Joint work with Erdem Alkim, Léo Ducas, and Thomas Pöppelmann peter@cryptojedi.org https://cryptojedi.org June 23, 2017

  2. “We’re indebted to Erdem Alkim, Léo Ducas, Thomas Pöppelmann and Peter Schwabe, the researchers who developed “New Hope”, the post-quantum algorithm that we selected for this experiment.” https://security.googleblog.com/2016/07/experimenting-with-post-quantum.html 1

  3. “Key Agreement using the ‘NewHope’ lattice-based algorithm detailed in the New Hope paper, and LUKE (Lattice-based Unique Key Exchange), an ISARA speed-optimized version of the NewHope algorithm.” https://www.isara.com/isara-radiate/ 1

  4. “The deployed algorithm is a variant of “New Hope”, a quantum-resistant cryptosystem” https://www.infineon.com/cms/en/about-infineon/press/press-releases/2017/INFCCS201705-056.html 1

  5. A bit of (R)LWE history • Hoffstein, Pipher, Silverman, 1996: NTRU cryptosystem • Regev, 2005: Introduce LWE-based encryption • Lyubashevsky, Peikert, Regev, 2010: Ring-LWE and Ring-LWE encryption • Ding, Xie, Lin, 2012: Transform to (R)LWE-based key exchange • Peikert, 2014: Improved RLWE-based key exchange • Bos, Costello, Naehrig, Stebila, 2015: Instantiate and implement Peikert’s key exchange in TLS: • Alkim, Ducas, Pöppelmann, Schwabe, Aug. 2016: NewHope • Alkim, Ducas, Pöppelmann, Schwabe, Dec. 2016: NewHope-Simple 2

  6. Ring-Learning-with-errors (RLWE) • Let R q = Z q [ X ] / ( X n + 1 ) • Let χ be an error distribution on R q • Let s ∈ R q be secret • Attacker is given pairs ( a , as + e ) with • a uniformly random from R q • e sampled from χ • Task for the attacker: find s 3

  7. Ring-Learning-with-errors (RLWE) • Let R q = Z q [ X ] / ( X n + 1 ) • Let χ be an error distribution on R q • Let s ∈ R q be secret • Attacker is given pairs ( a , as + e ) with • a uniformly random from R q • e sampled from χ • Task for the attacker: find s • Common choice for χ : discrete Gaussian • Common optimization for protocols: fix a 3

  8. RLWE-based Encryption, KEM, KEX Alice (server) Bob (client) $ $ s , e ← χ s ′ , e ′ ← χ b u ← as ′ + e ′ b ← as + e − − − − → u ← − − − − = ass ′ + e ′ s Alice has v = us = ass ′ + es ′ Bob has v ′ = bs ′ • Secret and noise polynomials s , s ′ , e , e ′ are small • v and v ′ are approximately the same 4

  9. NewHope-Simple key exchange (simplified) Alice Bob $ $ s , e ← χ s ′ , e ′ ← χ ( b ) b ← as + e − − − − − → u ← as ′ + e ′ v ← bs ′ ( u ) v ′ ← us ← − − − 5

  10. NewHope-Simple key exchange (simplified) Alice Bob $ ← { 0 , 1 } 256 seed a ← Parse ( SHAKE-128 ( seed )) $ $ s , e ← χ s ′ , e ′ ← χ ( b , seed ) b ← as + e a ← Parse ( SHAKE-128 ( seed )) − − − − − → u ← as ′ + e ′ v ← bs ′ ( u ) v ′ ← us ← − − − 5

  11. NewHope-Simple key exchange (simplified) Alice Bob $ ← { 0 , 1 } 256 seed a ← Parse ( SHAKE-128 ( seed )) $ $ s , e ← χ s ′ , e ′ ← χ ( b , seed ) b ← as + e a ← Parse ( SHAKE-128 ( seed )) − − − − − → u ← as ′ + e ′ v ← bs ′ $ ← { 0 , 1 } n k k ← Encode ( k ) ( u , c ) v ′ ← us ← − − − c ← v + k 5

  12. NewHope-Simple key exchange (simplified) Alice Bob $ ← { 0 , 1 } 256 seed a ← Parse ( SHAKE-128 ( seed )) $ $ s , e ← χ s ′ , e ′ , e ′′ ← χ ( b , seed ) b ← as + e a ← Parse ( SHAKE-128 ( seed )) − − − − − → u ← as ′ + e ′ v ← bs ′ + e ′′ $ ← { 0 , 1 } n k k ← Encode ( k ) ( u , c ) v ′ ← us ← − − − c ← v + k 5

  13. NewHope-Simple key exchange (simplified) Alice Bob $ ← { 0 , 1 } 256 seed a ← Parse ( SHAKE-128 ( seed )) $ $ s , e ← χ s ′ , e ′ , e ′′ ← χ ( b , seed ) b ← as + e a ← Parse ( SHAKE-128 ( seed )) − − − − − → u ← as ′ + e ′ v ← bs ′ + e ′′ $ ← { 0 , 1 } n k k ← Encode ( k ) ( u , c ) v ′ ← us ← − − − c ← v + k k ′ ← c − v ′ 5

  14. NewHope-Simple key exchange (simplified) Alice Bob $ ← { 0 , 1 } 256 seed a ← Parse ( SHAKE-128 ( seed )) $ $ s , e ← χ s ′ , e ′ , e ′′ ← χ ( b , seed ) b ← as + e a ← Parse ( SHAKE-128 ( seed )) − − − − − → u ← as ′ + e ′ v ← bs ′ + e ′′ $ ← { 0 , 1 } n k k ← Encode ( k ) ( u , c ) v ′ ← us ← − − − c ← v + k k ′ ← c − v ′ µ ← Extract ( k ) µ ← Extract ( k ′ ) 5

  15. NewHope-Simple key exchange (simplified) Alice Bob $ ← { 0 , 1 } 256 seed a ← Parse ( SHAKE-128 ( seed )) $ $ s , e ← χ s ′ , e ′ , e ′′ ← χ ( b , seed ) b ← as + e a ← Parse ( SHAKE-128 ( seed )) − − − − − → u ← as ′ + e ′ v ← bs ′ + e ′′ $ ← { 0 , 1 } n k k ← Encode ( k ) ( u , c ) v ′ ← us ← − − − c ← v + k k ′ ← c − v ′ µ ← Extract ( k ) µ ← Extract ( k ′ ) This is LPR encryption, written as KEX (except for generation of a ) 5

  16. Against all authority • Standard approach to choosing a : “Let a be a uniformly random . . . ” 6

  17. Against all authority • Standard approach to choosing a : “Let a be a uniformly random . . . ” • Standard real-world approach: generate fixed a once 6

  18. Against all authority • Standard approach to choosing a : “Let a be a uniformly random . . . ” • Standard real-world approach: generate fixed a once • What if a is backdoored? • Parameter-generating authority can break key exchange • “Solution”: Nothing-up-my-sleeves (involves endless discussion!) 6

  19. Against all authority • Standard approach to choosing a : “Let a be a uniformly random . . . ” • Standard real-world approach: generate fixed a once • What if a is backdoored? • Parameter-generating authority can break key exchange • “Solution”: Nothing-up-my-sleeves (involves endless discussion!) • Even without backdoor: • Perform massive precomputation based on a • Use precomputation to break all key exchanges • Infeasible today, but who knows . . . • Attack in the spirit of Logjam 6

  20. Against all authority • Standard approach to choosing a : “Let a be a uniformly random . . . ” • Standard real-world approach: generate fixed a once • What if a is backdoored? • Parameter-generating authority can break key exchange • “Solution”: Nothing-up-my-sleeves (involves endless discussion!) • Even without backdoor: • Perform massive precomputation based on a • Use precomputation to break all key exchanges • Infeasible today, but who knows . . . • Attack in the spirit of Logjam • Solution in NewHope(-Simple): Choose a fresh a every time • Server can cache a for some time (e.g., 1h) 6

  21. Against all authority • Standard approach to choosing a : “Let a be a uniformly random . . . ” • Standard real-world approach: generate fixed a once • What if a is backdoored? • Parameter-generating authority can break key exchange • “Solution”: Nothing-up-my-sleeves (involves endless discussion!) • Even without backdoor: • Perform massive precomputation based on a • Use precomputation to break all key exchanges • Infeasible today, but who knows . . . • Attack in the spirit of Logjam • Solution in NewHope(-Simple): Choose a fresh a every time • Server can cache a for some time (e.g., 1h) • Must not reuse keys/noise! 6

  22. Isn’t SHAKE slow? • SHAKE-128 is slower than, e.g., AES-NI, Salsa20/ChaCha20, Blake2X, . . . in software • First versions of NewHope used Chacha20 to generate a • Gueron, Schlieker, 2016: NewHope becomes faster if we use AES-NI instead of SHAKE-128 • Google actually used Gueron-Schlieker version 7

  23. Isn’t SHAKE slow? • SHAKE-128 is slower than, e.g., AES-NI, Salsa20/ChaCha20, Blake2X, . . . in software • First versions of NewHope used Chacha20 to generate a • Gueron, Schlieker, 2016: NewHope becomes faster if we use AES-NI instead of SHAKE-128 • Google actually used Gueron-Schlieker version • Problem in modelling: • PRG is not the right building block • PRG is secure only for secret input • Could “zoom into” ChaCha20 or AES and argue security 7

  24. Isn’t SHAKE slow? • SHAKE-128 is slower than, e.g., AES-NI, Salsa20/ChaCha20, Blake2X, . . . in software • First versions of NewHope used Chacha20 to generate a • Gueron, Schlieker, 2016: NewHope becomes faster if we use AES-NI instead of SHAKE-128 • Google actually used Gueron-Schlieker version • Problem in modelling: • PRG is not the right building block • PRG is secure only for secret input • Could “zoom into” ChaCha20 or AES and argue security • Problem in practice: • AES is nasty in software, real advantage only with hardware AES • ChaCha20 is in TLS, but not that thoroughly analyzed • Blake2X: Also not much cryptanalysis • Salsa20: Better analysis, no “NIST approval” 7

  25. Encode and Extract • Encoding in LPR encryption: map n bits to n coefficients: • A zero bit maps to 0 • A one bit maps to q / 2 • Idea: Noise affects low bits of coefficients, put data into high bits 8

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much

Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much

1 2 Lattice-based cryptography: reduced to a special closest vector Episode V: problem which is much easier the ring strikes back than the general problem. As an application, we solved four out Daniel J. Bernstein of the five numerical

1.07k views • 70 slides
Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

1 Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of Illinois at Chicago Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the

683 views • 32 slides
Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts

Lattice-based cryptography (I) Thijs Laarhoven ts ttts PQCrypto Summer School 2017 (June 20, 2017) Part 1: Lattices, cryptography, and lattice basis

872 views • 53 slides
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based

MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 20 TODAY: Lattice-based Cryptography Why Lattice-based Crypto? o Exponentially Hard (so far) o Quantum-Resistant (so far) o Worst-case hardness (unique feature of

699 views • 38 slides
Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17

Some Recent Progress in Lattice-Based Cryptography Chris Peikert SRI TCC 2009 1 / 17 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images courtesy xkcd.org) 2 / 17 Lattice-Based

923 views • 74 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia

Lattice-Based Cryptography: Constructing Trapdoors and More Applications Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based One-Way Functions Public key Z n m A for q =

871 views • 84 slides
Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles

Lattice-based Signcryption without Random Oracles Junji Shikata Graduate School of Environment and Information Sciences, Yokohama National University, Japan Overview Lattice-based Cryptography

277 views • 26 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1

Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal lattices 3 Practical Implementations:

1.03k views • 101 slides
Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of

Lattices: . . . to Cryptography Chris Peikert Georgia Institute of Technology Visions of Cryptography 10 December 2013 1 / 12 Agenda 1 The two one main lattice-based OWF 2 Two simple tricks that yield all of lattice cryptography 3 Lots of

909 views • 51 slides
Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum

Lattice Cryptography for the Internet Chris Peikert Georgia Institute of Technology Post-Quantum Cryptography 2 October 2014 1 / 12 Lattice-Based Cryptography p d o m x g = y N = = p m e mod N q e ( g a , g b ) (Images

873 views • 70 slides
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS,

Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8

850 views • 67 slides
Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the

Parameterized Hardware Accelerators for Lattice-Based Cryptography and Their Application to the HW/SW Co-Design of qTESLA Wen Wang , Shanquan Tian, Bernhard Jungk, Nina Bindel, Patrick Longa, and Jakub Szefer CHES 2020 September 14, 2020

711 views • 69 slides
Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25

Cryptography from worst-case complexity assumptions Daniele Micciancio UC San Diego LLL+25 June 2007 (Caen, France) Outline Introduction Lattices and algorithms Complexity and Cryptography Lattice based cryptography Lattice

497 views • 47 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
The unassigned distance geometry problem applied to find atoms in nanoclusters for sustainable

The unassigned distance geometry problem applied to find atoms in nanoclusters for sustainable

The unassigned distance geometry problem applied to find atoms in nanoclusters for sustainable energy S.J.L. Billinge 1,2 Pavol Juhas 3 , Phil Duxbury 3 1 Dept. of Applied Physics and Applied Mathematics, Columbia University 2 CMPMS, Brookhaven

537 views • 43 slides
BACK TO MISSION BRINGING PARISH LEADERS TOGETHER OPENING PRAYER Mary, Mother of the Church and

BACK TO MISSION BRINGING PARISH LEADERS TOGETHER OPENING PRAYER Mary, Mother of the Church and

BACK TO MISSION BRINGING PARISH LEADERS TOGETHER OPENING PRAYER Mary, Mother of the Church and our Mother, present our prayer of thanksgiving to your Son. Beg from Him the graces we need to be faithful disciples who follow Him with enthusiasm

559 views • 27 slides
Synchrotron radiation downstream Synchrotron radiation downstream of relativistic shocks of

Synchrotron radiation downstream Synchrotron radiation downstream of relativistic shocks of

Synchrotron radiation downstream Synchrotron radiation downstream of relativistic shocks of relativistic shocks and Fermi-LAT gamma-ray bursts and Fermi-LAT gamma-ray bursts Martin Lemoine Martin Lemoine Institut dAstrophysique de Paris

369 views • 19 slides
structures Prof. dr. Ines Lopez Arteaga Structural Acoustics Department of Mechanical

structures Prof. dr. Ines Lopez Arteaga Structural Acoustics Department of Mechanical

Sound radiation from structures Prof. dr. Ines Lopez Arteaga Structural Acoustics Department of Mechanical Engineering What do they have in common? What do they have in common? Source Transmission Receiver Soundboard What do they have in

762 views • 29 slides
Extreme QCD at RHIC and LHC Jamal Jalilian-Marian Baruch College, New York, NY, USA OUTLINE QCD

Extreme QCD at RHIC and LHC Jamal Jalilian-Marian Baruch College, New York, NY, USA OUTLINE QCD

Extreme QCD at RHIC and LHC Jamal Jalilian-Marian Baruch College, New York, NY, USA OUTLINE QCD at high temperature Phase transition: hadrons to partons ( QGP ) QCD at high energy Unitarity: small to large ( CGC ) RHIC and LHC QCD at high T

808 views • 47 slides
Pulsars as a Source of the WMAP Haze Kathryn Zurek Fermilab Kaplinghat, Phalen, KMZ, arXiv:

Pulsars as a Source of the WMAP Haze Kathryn Zurek Fermilab Kaplinghat, Phalen, KMZ, arXiv:

Pulsars as a Source of the WMAP Haze Kathryn Zurek Fermilab Kaplinghat, Phalen, KMZ, arXiv: 0905.0487 Excess cosmic ray electrons Fermi ATIC PAMELA DM model building fury Problematic with anti- protons gamma rays Cirelli et al

354 views • 13 slides
Survival of high-p T light and heavy flavors in a dense medium Boris Kopeliovich Valparaiso,

Survival of high-p T light and heavy flavors in a dense medium Boris Kopeliovich Valparaiso,

Survival of high-p T light and heavy flavors in a dense medium Boris Kopeliovich Valparaiso, Chile High p physics at LHC T Mexico, Sept. 26-Oct. 1, 2010 1 Challenging the energy loss scenario Test #I: Nuclear attenuation of hadrons in

417 views • 12 slides
Incandescent with the filament. How would removing the gas affect the bulbs energy efficiency?

Incandescent with the filament. How would removing the gas affect the bulbs energy efficiency?

Incandescent Lightbulbs 1 Incandescent Lightbulbs 2 Introductory Question An incandescent lightbulb contains some gas Incandescent with the filament. How would removing the gas affect the bulbs energy efficiency? Lightbulbs Make it

265 views • 4 slides

More recommend