Lattice-based cryptography II Constructions and implementation issues
Leon Groot Bruinderink July 1st, 2019
July 1st, 2019 1 / 27
In this talk:
- Introduction to (ring-)LWE
- Lattice-based key-exchange and encryption schemes
- Reaction attacks and countermeasures
- Lattice-based signature schemes
- Side-channel attacks and countermeasures
Some features of lattice-based cryptography:
- Key-exchange, encryption, digital signatures
- But also more exotic stuff, e.g. homomorphic encryption
Pros:
- The algorithms are quite fast
- The keys, cipher-texts, signatures are *quite small*
Cons:
- Many design parameters to choose (and attacks to avoid)
- Asymptotic hardness results vs concrete security/cryptanalysis
Largest category of NIST post-quantum submissions. Some real-life experiments (e.g. Google).
Let q be a prime, n > 0 (usually a power of 2), χ some narrow error distribution in Z_q, and $\langle x, y\rangle = \sum_{i=1}^{n} x_i y_i \bmod q$ the usual inner product.
Let s ← χ^n be a secret. Given pairs (a, b = ⟨a, s⟩ + e) with
- a ∈ Z_q^n sampled uniformly at random
- e sampled from χ
(plain-)LWE: find s.
[Figure: the n samples a_0, a_1, a_2, ..., a_{n−1} stacked as rows of A, with A · s + e = b; A is "random", s and e are "small"]
Common choice for χ: the discrete Gaussian distribution D_σ
Regev showed that a hard lattice problem can be reduced to LWE
First proposals for cryptosystems were quite big...
Let q be a prime, n > 0 (usually a power of 2). Now define R = Z_q[x]/(x^n ± 1). Can add/subtract and multiply: f = f_0 + f_1 x + ... + f_{n−1} x^{n−1} ∈ R with f_i ∈ [0, q); f + g ∈ R and fg ∈ R.
Let χ be some narrow error distribution in R and s ← χ a secret. Given pairs (a, b = as + e) with
- a ∈ R sampled uniformly at random
- e sampled from χ
ring-LWE: find s.
[Figure: the single sample b = as + e written as the matrix with rows a, ax, ax^2, ..., ax^{n−1} times s plus e; A is "random", s and e are "small"; 1 sample]
Common choice for χ: the discrete Gaussian distribution $D_\sigma^n$
Related to problems in ideal (or "cyclic") lattices
Many design choices (e.g. NTRU: q = 2^ℓ; n prime; χ sparse)
Recall Diffie-Hellman key-exchange
Public: G = ⟨g⟩, |G| = n
Alice: a ←$ [1, n), pub_A = g^a; sends pub_A
Bob: b ←$ [1, n), pub_B = g^b; sends pub_B
K_A = (pub_B)^a = g^{ab}, K_B = (pub_A)^b = g^{ab}
Both parties end up with shared key K = g^{ab}
ring-LWE key-exchange
Public: g ∈ R, distribution χ = $D_\sigma^n$
Alice: a, e ←$ χ, pub_A = ga + e; sends pub_A
Bob: b, e′ ←$ χ, pub_B = gb + e′; sends pub_B
S_A = (pub_B)a = gab + e′a
S_B = (pub_A)b = gab + eb
a, b, e, e′ ← $D_\sigma^n$, so small!
Keys are approximately equal: gab + e′a ≈ gab + eb
Need a way to get shared secret bits
How to map coefficients to bits
Alice and Bob obtained close vectors S_A, S_B ∈ Z_q^n.
[Figure: Z_q drawn as a circle with ticks 0 ≡ q, q/4, q/2, 3q/4 and "the edge" marked; worked cases Alice: 0, Bob: 0; Alice: 1, Bob: 1; and Alice: 0, Bob: 1 (a mismatch at the edge)]
Mapping coefficients by a fixed map induces many errors. Better idea: use two mappings and let Bob decide on which map; choose the map where S_B is far from the edge.
[Figure: Map 0 and Map 1 drawn over the ticks 0 ≡ q, q/4, q/2, 3q/4]
LWE key-exchange with reconciliation
Public: ring R, distribution χ = $D_\sigma^n$
Alice: g ←$ R; a, e ←$ χ; pub_A = ga + e; sends (g, pub_A)
Bob: b, e′ ←$ χ; pub_B = gb + e′; u = reconc(pub_A b); K = map(pub_A b, u); sends (pub_B, u)
Alice: K = map(pub_B a, u)
Can show that probability of errors is small for q, n, σ well-chosen
Several tweaks; e.g. let Alice choose g (New-Hope)
Can do LWE encryption by masking the message into an LWE sample:
Public: g ∈ R, distribution χ = $D_\sigma^n$
Alice: a, e ←$ χ; pub_A = ga + e; sends pub_A
Bob: m ∈ {0, 1}^n; b, e′, e′′ ← χ; pub_B = gb + e′; v = pub_A b + e′′; c = v + encode(m); sends (pub_B, c)
Alice: c − pub_B a ≈ encode(m)
c − pub_B a = encode(m) + e′′ + eb + e′a
encode(m) = (q/2)m
Recover m by some mapping operation (reconciliation)
Can we now replace (EC)DH with LWE? NO! Watch out for reaction attacks! (or "Evil Bob")
Bob can deliberately choose "bad" elements b, e′, u and watch whether errors occur during the key-exchange/protocol.
[Figure: two copies of the circle 0 ≡ q, q/4, q/2, 3q/4, one in which Alice decodes 0 and one in which she decodes 1]
The shown LWE key-exchange/encryption must be used ephemerally.
To cache keys, most of the LWE schemes use the FO-transform. There are two possibilities: IND-CPA (ephemeral) or IND-CCA (cache).
Claims of IND-CCA without FO are fishy ("HILA5 Pindakaas")
Thijs covered GGH Signatures. Hash-and-sign signature: requires a trapdoor (e.g. RSA, CVP). What about ring-LWE signatures?
Need to slightly adapt the problem. The Ring-Short-Integer-Solution (ring-SIS) is the problem of:
- Given a ∈ R and a target polynomial t ∈ R (can be 0)
- Find non-zero s ∈ R s.t. as ≡ t mod q and s small
Also plain versions (plain-SIS)
Public key: a ∈ R. Secret key: s: "some way" to solve ring-SIS for any target b
Sign(s, m): return small z with az ≡ H(m) mod q
Verify(z, m): check whether $az \stackrel{?}{\equiv} H(m) \pmod q$ and z small
Every signature leaks "some" way of solving SIS
Long history of "parallelepiped learning attacks"! Also applies to GGH, NTRUSign, DRS (submitted to NIST)
Hash-and-sign “problematic”, so what else? DSA (i.e. DH signatures) is not hash-and-sign... So instead, try Fiat-Shamir!
Proof-of-knowledge
Public: G = ⟨g⟩, |G| = n. Alice (prover) has secret x ∈ [1, n − 1) and public h = g^x.
Alice: y ←$ [1, n − 1), u = g^y; sends u
Bob (verifier): c ←$ [1, n − 1); sends c
Alice: z = y − cx; sends z
Bob: accept iff g^z h^c = u
Signature scheme (Fiat-Shamir)
Public: G = ⟨g⟩, |G| = n. Alice (prover) has secret x ∈ [1, n − 1), message m, public h = g^x.
Alice: y ←$ [1, n − 1), u = g^y, c = H(u, m), z = y − cx; sends (c, z)
Bob (verifier): check $H(g^z h^c, m) \stackrel{?}{=} c$
Let's replace g, x, g^x by a, short s, t = as mod q, and y, u by y, u = ay
Mimic DSA with ring-SIS:
Public: a ∈ R. Alice (prover) has secret short s, message m, public t ≡ as mod q.
Alice: y ←$ Z_q^n, u = ay mod q, c = H(u, m), z = y + sc; sends (c, z)
Bob (verifier): check $H(az - tc, m) \stackrel{?}{=} c$
y "hides" the secret part; H outputs sparse binary polynomials
But now u = ay is not SIS as y is not small → use y ←$ $D_\sigma^n$
Mimic DSA with discrete Gaussians:
Public: a ∈ R. Alice (prover) has secret short s, message m, public t ≡ as mod q.
Alice: y ←$ $D_\sigma^n$, u = ay mod q, c = H(u, m), z = y + sc; sends (c, z)
Bob (verifier): check $H(az - tc, m) \stackrel{?}{=} c$ and z small?
But now still leaking noisy information on s. Use Fiat-Shamir with Aborts!
Fiat-Shamir with discrete Gaussians and aborts:
Public: a ∈ R. Alice (prover) has secret short s, message m, public t ≡ as mod q.
Alice: y ←$ $D_\sigma^n$, u = ay mod q, c = H(u, m), z = y + sc; abort w.p. ρ(z); sends (c, z)
Bob (verifier): check $H(az - tc, m) \stackrel{?}{=} c$ and z small?
Signatures statistically independent of s, i.e. z ∼ $D_\sigma^n$
Several optimizations (i.e. BLISS)
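An added example, not code from the slides or from BLISS: the Fiat-Shamir-with-aborts signature of the last three slides over a toy ring. The SHAKE-based challenge hash, the rounded-Gaussian stand-in for D_σ^n, the rejection constant M and the threshold used for the "z small?" check are my assumptions; the accept probability is Lyubashevsky's ratio D_σ(z) / (M · D_{sc,σ}(z)).

```python
import hashlib, math, random

# Toy parameters (constructed; far too small to be secure).
N, Q = 32, 8380417        # ring R = Z_Q[x]/(x^N + 1)
KAPPA = 4                 # ones in the sparse binary challenge c = H(u, m)
SIGMA = 60.0              # width of the Gaussian that the mask y is drawn from
M = 3.0                   # rejection constant: about M signing attempts on average
BOUND = 2 * SIGMA * math.sqrt(N)   # Verify's "z small?" threshold (assumed)

def ring_mul(f, g):
    """Schoolbook product in Z_Q[x]/(x^N + 1)."""
    acc = [0] * (2 * N)
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            acc[i + j] += fi * gj
    return [(acc[i] - acc[i + N]) % Q for i in range(N)]

def centred(v):
    return [x - Q if x > Q // 2 else x for x in v]

def hash_to_challenge(u, m):
    """H(u, m): sparse binary polynomial with at most KAPPA ones, via SHAKE-256 (assumed)."""
    h = hashlib.shake_256(repr(u).encode() + m).digest(4 * KAPPA)
    c = [0] * N
    for k in range(KAPPA):
        c[int.from_bytes(h[4 * k:4 * k + 4], "big") % N] = 1
    return c

def keygen(rng):
    """Public (a, t = as mod q), secret short s with coefficients in {-1, 0, 1}."""
    a = [rng.randrange(Q) for _ in range(N)]
    s = [rng.choice((-1, 0, 1)) for _ in range(N)]
    return a, ring_mul(a, s), s

def sign(rng, a, s, m):
    """Fiat-Shamir with aborts: retry until rejection sampling accepts z."""
    while True:
        y = [round(rng.gauss(0, SIGMA)) for _ in range(N)]   # stand-in for D_sigma^n
        u = ring_mul(a, y)
        c = hash_to_challenge(u, m)
        v = centred(ring_mul(s, c))                          # sc, small
        z = [yi + vi for yi, vi in zip(y, v)]
        # Accept w.p. min(1, D_sigma(z) / (M * D_{v,sigma}(z))), otherwise abort and retry
        norm_v = sum(vi * vi for vi in v)
        dot_zv = sum(zi * vi for zi, vi in zip(z, v))
        if rng.random() < min(1.0, math.exp((norm_v - 2 * dot_zv) / (2 * SIGMA ** 2)) / M):
            return c, z

def verify(a, t, m, sig):
    """Check H(az - tc, m) == c and that z is small."""
    c, z = sig
    if math.sqrt(sum(zi * zi for zi in z)) > BOUND:
        return False
    u = [(x - y) % Q for x, y in zip(ring_mul(a, z), ring_mul(t, c))]   # az - tc = ay
    return hash_to_challenge(u, m) == c

def demo(seed=1):
    """Returns (valid signature verifies, same signature on another message verifies)."""
    rng = random.Random(seed)
    a, t, s = keygen(rng)
    sig = sign(rng, a, s, b"lattice signatures")
    return verify(a, t, b"lattice signatures", sig), verify(a, t, b"tampered", sig)
```

The abort step is what makes the returned z follow D_σ^n regardless of s; without it, z = y + sc is shifted by sc and each signature leaks a noisy sample of the secret.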
Can we now replace (EC)DSA/RSA with e.g. BLISS? Kinda, it depends... Watch out for side-channel attacks!
[Figure: a cryptographic operation with input, output and secret key; a side-channel attack does data acquisition (power information, fault information, timings, etc.) and analysis, and the key is recovered]
Signature z = y + sc, c, with y ←$ $D_\sigma^n$, looks nice and short on paper...
[Figure: plot of the discrete Gaussian D_σ(x) for σ = 10, σ = 20 and σ = 30]
...but very nasty in code: about 30% of the running time! Good target for a side-channel attack.
In 2016, we showed how to break BLISS with cache-attacks: from noisy information on y, construct an "easy lattice problem".
All discrete Gaussian samplers have vulnerabilities. Possibly the reason why BLISS was not submitted to NIST.
Discrete Gaussian sampling problematic. Use small uniform noise instead?
Possible, but signatures become larger; Dilithium and TESLA still reasonable size.
Additionally remove sampling altogether, i.e. deterministic schemes.
In 2018, we showed several differential fault attacks; TESLA is now randomized again.
For key-exchange/encryption, several good options. Many design choices! (ring-)LWE, NTRU, LWR; IND-CPA/CCA.
For digital signatures, sampling randomness can be problematic. Watch out for side-channel attacks, i.e. write constant-time code!
Many ongoing improvements to signature schemes and samplers
Questions?
LWE and Ring-LWE
- Goldreich, Goldwasser, and Halevi, "Public-Key Cryptosystems from Lattice Reduction Problems", 1997
- Regev, "On lattices, learning with errors, random linear codes, and cryptography", 2009
- Lyubashevsky, Peikert, and Regev, "On Ideal Lattices and Learning with Errors over Rings", 2010
- Silverman, "Lattices, cryptography, and the NTRU public key cryptosystem", 2000
- Lyubashevsky, Peikert, and Regev, "A Toolkit for Ring-LWE Cryptography", 2013

Lattice-based key-exchange/encryption
- Ding, "A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem", 2012
- Bos, Costello, Naehrig, and Stebila, "Post-quantum key exchange for the TLS protocol from the ring learning with errors problem", 2014
- Alkim, Ducas, Pö[…], "[…] Exchange - A New Hope", 2016
- Bos, Costello, Ducas, Mironov, Naehrig, Nikolaenko, Raghunathan, and Stebila, "Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE", 2016

More lattice-based key-exchange/encryption
- Bernstein, Chuengsatiansup, Lange, and Vredendaal, "NTRU Prime: Reducing Attack Surface at Low Cost", 2017
- Bos, Ducas, Kiltz, Lepoint, Lyubashevsky, Schanck, Schwabe, Seiler, and Stehlé, "CRYSTALS - Kyber: A CCA-Secure Module-Lattice-Based KEM", 2018
- Baan, Bhattacharya, Fluhrer, García-Morch[…], Saarinen, Tolhuizen, and Zhang, "Round5: Compact and Fast Post-Quantum Public-Key Encryption", 2019

Reaction attacks and attacks on lattice cryptography designs
- Fluhrer, "Cryptanalysis of ring-LWE based key exchange with key share reuse", 2016
- Bernstein, Groot Bruinderink, Lange, and Panny, "HILA5 Pindakaas: On the CCA Security of Lattice-Based Encryption with Error Correction", 2018
- Cramer, Ducas, Peikert, and Regev, "Recovering Short Generators of Principal Ideals in Cyclotomic Rings", 2016
- Bauch, Bernstein, Valence, Lange, and Vredendaal, "Short Generators Without Quantum Computers: The Case of Multiquadratics", 2017

Lattice-based signatures
- Lyubashevsky, "Fiat-Shamir with Aborts: Applications to Lattice and Factoring-Based Signatures", 2009
- Ducas, Durmus, Lepoint, and Lyubashevsky, "Lattice Signatures and Bimodal Gaussians", 2013
- Ducas, Lepoint, Lyubashevsky, Schwabe, Seiler, and Stehlé, "CRYSTALS - Dilithium: Digital Signatures from Module Lattices", 2017
- Alkim, Bindel, Buchmann, and Dagdelen, "TESLA: Tightly-Secure Efficient Signatures from Standard Lattices", 2015

Learning attacks on lattice-based signatures
- Nguyen and Regev, "Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures", 2006
- Ducas and Nguyen, "Learning a Zonotope and More: Cryptanalysis of NTRUSign Countermeasures", 2012
- Yu and Ducas, "Learning Strikes Again: The Case of the DRS Signature Scheme", 2018

Side-channel attacks on lattice-based signatures
- Groot Bruinderink, Hülsing, Lange, and Yarom, "Flush, Gauss, and Reload - A Cache Attack on the BLISS Lattice-Based Signature Scheme", 2016
- Pessl, Groot Bruinderink, and Yarom, "To BLISS-B or not to be: Attacking strongSwan's Implementation of Post-Quantum Signatures", 2017
- Espitau, Fouque, Gérard, and Tibouchi, "Side-Channel Attacks on BLISS Lattice-Based Signatures: Exploiting Branch Tracing against strongSwan and Electromagnetic Emanations in Microcontrollers", 2017
- Groot Bruinderink and Pessl, "Differential Fault Attacks on Deterministic Lattice Signatures", 2018