luov
play

LUOV Ward Beullens, Bart Preneel, Alan Szepieniec, Frederik - PowerPoint PPT Presentation

Nov 24, 2022 •350 likes •612 views

LUOV Ward Beullens, Bart Preneel, Alan Szepieniec, Frederik Vercauteren 1 / 10 Overview Introduction 1 2 Modifications Some numbers 3 Conclusion 4 2 / 10 Goal of LUOV is to reduce the key sizes. (while preserving the good properties of UOV)

  1. LUOV Ward Beullens, Bart Preneel, Alan Szepieniec, Frederik Vercauteren 1 / 10

  2. Overview Introduction 1 2 Modifications Some numbers 3 Conclusion 4 2 / 10

  3. Goal of LUOV is to reduce the key sizes. (while preserving the good properties of UOV) • Generate SK from seed • Generate most of PK from seed [Petzoldt] • Field lifting What is LUOV? (baby don’t hurt me) Unbalanced Oil and Vinegar (UOV) [Patarin 1997] • Quadratic trapdoor function: P : F n q → F m q with n > m . • Trapdoor is a factorization of P = F ◦ T , where T is linear and F linear in the last m variables (oil variables). • Well understood signature scheme, fast, small signatures, but large keys. Used as building block for other MQ schemes (e.g. Rainbow). 3 / 10

  4. • Generate SK from seed • Generate most of PK from seed [Petzoldt] • Field lifting What is LUOV? (baby don’t hurt me) Unbalanced Oil and Vinegar (UOV) [Patarin 1997] • Quadratic trapdoor function: P : F n q → F m q with n > m . • Trapdoor is a factorization of P = F ◦ T , where T is linear and F linear in the last m variables (oil variables). • Well understood signature scheme, fast, small signatures, but large keys. Used as building block for other MQ schemes (e.g. Rainbow). Goal of LUOV is to reduce the key sizes. (while preserving the good properties of UOV) 3 / 10

  5. What is LUOV? (baby don’t hurt me) Unbalanced Oil and Vinegar (UOV) [Patarin 1997] • Quadratic trapdoor function: P : F n q → F m q with n > m . • Trapdoor is a factorization of P = F ◦ T , where T is linear and F linear in the last m variables (oil variables). • Well understood signature scheme, fast, small signatures, but large keys. Used as building block for other MQ schemes (e.g. Rainbow). Goal of LUOV is to reduce the key sizes. (while preserving the good properties of UOV) • Generate SK from seed • Generate most of PK from seed [Petzoldt] • Field lifting 3 / 10

  6. Field Lifting Assumption: Solving a random system P ( x ) = y over F 2 r is as hard as solving a random system P ( x ) = y , where P is defined over F 2 , when r is prime. Field lifting Given a UOV key pair ( P , T ) over F 2 , we can use it as a key pair over F 2 r . 2 1 + α 2 + + α 30 1 + x 1 x 2 + x 3 + x 1 x 4 + x 4 x 5 + x 5 = · · · x 2 2 + α 31 x 2 x 3 + x 3 + x 2 x 6 + x 3 x 4 + x 3 x 5 + x = 1 + α + · · · 6 α + α 5 + + α 31 x 1 x 2 + x 2 x 3 + x 3 x 4 + x 2 + x 5 x 6 = · · · | {z } | {z } H ( M ) P ( x ) 4 / 10

  7. when r is prime. Field lifting Given a UOV key pair ( P , T ) over F 2 , we can use it as a key pair over F 2 r . 2 1 + α 2 + + α 30 1 + x 1 x 2 + x 3 + x 1 x 4 + x 4 x 5 + x 5 = · · · x 2 2 + α 31 x 2 x 3 + x 3 + x 2 x 6 + x 3 x 4 + x 3 x 5 + x = 1 + α + · · · 6 α + α 5 + + α 31 x 1 x 2 + x 2 x 3 + x 3 x 4 + x 2 + x 5 x 6 = · · · | {z } | {z } H ( M ) P ( x ) Field Lifting Assumption: Solving a random system P ( x ) = y over F 2 r is as hard as solving a random system P ( x ) = y , where P is defined over F 2 , 4 / 10

  8. Field lifting Given a UOV key pair ( P , T ) over F 2 , we can use it as a key pair over F 2 r . 2 1 + α 2 + + α 30 1 + x 1 x 2 + x 3 + x 1 x 4 + x 4 x 5 + x 5 = · · · x 2 2 + α 31 x 2 x 3 + x 3 + x 2 x 6 + x 3 x 4 + x 3 x 5 + x = 1 + α + · · · 6 α + α 5 + + α 31 x 1 x 2 + x 2 x 3 + x 3 x 4 + x 2 + x 5 x 6 = · · · | {z } | {z } H ( M ) P ( x ) Field Lifting Assumption: Solving a random system P ( x ) = y over F 2 r is as hard as solving a random system P ( x ) = y , where P is defined over F 2 , when r is prime. 4 / 10

  9. Subfield differential attack (Ding et al. 2019): Pick random x 0 and solve P ( x 0 + x 0 ) = y for x 0 in a subfield. Claimed complexity of the attack: Parameters Security lvl Subfield Complexity 2 107 LUOV-8-58-237 2 F 2 2 ⊂ F 2 8 2 135 LUOV-48-43-222 2 F 2 8 ⊂ F 2 48 Solution: Choose F 2 r , with r prime, such that there are no subfields to exploit. ⇒ No performance penalty . We study some generalization of the attack in revised LUOV submission document. Attacks • Key recovery attacks Studied since 1997 • Forgery attacks: Solve P ( x ) = y for x . 5 / 10

  10. Claimed complexity of the attack: Parameters Security lvl Subfield Complexity 2 107 LUOV-8-58-237 2 F 2 2 ⊂ F 2 8 2 135 LUOV-48-43-222 2 F 2 8 ⊂ F 2 48 Solution: Choose F 2 r , with r prime, such that there are no subfields to exploit. ⇒ No performance penalty . We study some generalization of the attack in revised LUOV submission document. Attacks • Key recovery attacks Studied since 1997 • Forgery attacks: Solve P ( x ) = y for x . Subfield differential attack (Ding et al. 2019): Pick random x 0 and solve P ( x 0 + x 0 ) y for x 0 in a subfield. = 5 / 10

  11. Solution: Choose F 2 r , with r prime, such that there are no subfields to exploit. ⇒ No performance penalty . We study some generalization of the attack in revised LUOV submission document. Attacks • Key recovery attacks Studied since 1997 • Forgery attacks: Solve P ( x ) = y for x . Subfield differential attack (Ding et al. 2019): Pick random x 0 and solve P ( x 0 + x 0 ) y for x 0 in a subfield. = Claimed complexity of the attack: Parameters Security lvl Subfield Complexity 2 107 LUOV-8-58-237 2 F 2 2 ⊂ F 2 8 2 135 LUOV-48-43-222 2 F 2 8 ⊂ F 2 48 5 / 10

  12. We study some generalization of the attack in revised LUOV submission document. Attacks • Key recovery attacks Studied since 1997 • Forgery attacks: Solve P ( x ) = y for x . Subfield differential attack (Ding et al. 2019): Pick random x 0 and solve P ( x 0 + x 0 ) y for x 0 in a subfield. = Claimed complexity of the attack: Parameters Security lvl Subfield Complexity 2 107 LUOV-8-58-237 2 F 2 2 ⊂ F 2 8 2 135 LUOV-48-43-222 2 F 2 8 ⊂ F 2 48 Solution: Choose F 2 r , with r prime, such that there are no subfields to exploit. ⇒ No performance penalty . 5 / 10

  13. Attacks • Key recovery attacks Studied since 1997 • Forgery attacks: Solve P ( x ) = y for x . Subfield differential attack (Ding et al. 2019): Pick random x 0 and solve P ( x 0 + x 0 ) y for x 0 in a subfield. = Claimed complexity of the attack: Parameters Security lvl Subfield Complexity 2 107 LUOV-8-58-237 2 F 2 2 ⊂ F 2 8 2 135 LUOV-48-43-222 2 F 2 8 ⊂ F 2 48 Solution: Choose F 2 r , with r prime, such that there are no subfields to exploit. ⇒ No performance penalty . We study some generalization of the attack in revised LUOV submission document. 5 / 10

  14. • Add salt to message before signing ⇒ Improved security against fault injection attacks and side-channel attacks. • Break up PRNG calls into multiple smaller calls. ⇒ Speed up by parallelization, lower memory usage. • Constant time AVX2 optimized implementation. • Add option to use Chacha8 instead of SHAKE to expand public randomness. ⇒ × 2 . 5 and × 5 . 2 faster signing and verification respectively (SL1). Round 2 improvements • Take smaller parameters ⇒ more efficient 6 / 10

  15. • Break up PRNG calls into multiple smaller calls. ⇒ Speed up by parallelization, lower memory usage. • Constant time AVX2 optimized implementation. • Add option to use Chacha8 instead of SHAKE to expand public randomness. ⇒ × 2 . 5 and × 5 . 2 faster signing and verification respectively (SL1). Round 2 improvements • Take smaller parameters ⇒ more efficient • Add salt to message before signing ⇒ Improved security against fault injection attacks and side-channel attacks. 6 / 10

  16. • Constant time AVX2 optimized implementation. • Add option to use Chacha8 instead of SHAKE to expand public randomness. ⇒ × 2 . 5 and × 5 . 2 faster signing and verification respectively (SL1). Round 2 improvements • Take smaller parameters ⇒ more efficient • Add salt to message before signing ⇒ Improved security against fault injection attacks and side-channel attacks. • Break up PRNG calls into multiple smaller calls. ⇒ Speed up by parallelization, lower memory usage. 6 / 10

  17. • Add option to use Chacha8 instead of SHAKE to expand public randomness. ⇒ × 2 . 5 and × 5 . 2 faster signing and verification respectively (SL1). Round 2 improvements • Take smaller parameters ⇒ more efficient • Add salt to message before signing ⇒ Improved security against fault injection attacks and side-channel attacks. • Break up PRNG calls into multiple smaller calls. ⇒ Speed up by parallelization, lower memory usage. • Constant time AVX2 optimized implementation. 6 / 10

  18. Round 2 improvements • Take smaller parameters ⇒ more efficient • Add salt to message before signing ⇒ Improved security against fault injection attacks and side-channel attacks. • Break up PRNG calls into multiple smaller calls. ⇒ Speed up by parallelization, lower memory usage. • Constant time AVX2 optimized implementation. • Add option to use Chacha8 instead of SHAKE to expand public randomness. ⇒ × 2 . 5 and × 5 . 2 faster signing and verification respectively (SL1). 6 / 10

  19. Updated submission package will be online next week. Round 2.1 modifications • Choose field extension of prime degree. Original New F 2 8 F 2 7 F 2 48 F 2 47 F 2 64 F 2 61 F 2 80 F 2 79 • Aim for security level 1,3,5 instead of 2,4,5. ⇒ Smaller keys and signatures and better performance. 7 / 10

  20. Round 2.1 modifications • Choose field extension of prime degree. Original New F 2 8 F 2 7 F 2 48 F 2 47 F 2 64 F 2 61 F 2 80 F 2 79 • Aim for security level 1,3,5 instead of 2,4,5. ⇒ Smaller keys and signatures and better performance. Updated submission package will be online next week. 7 / 10

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2021-22 harvest specifications and management measures: check-in Number of new proposals (not

2021-22 harvest specifications and management measures: check-in Number of new proposals (not

2021-22 harvest specifications and management measures: check-in Number of new proposals (not including SQ) : 10 ACL alts 10 allocation/ACT alts 7 off-top proposals 8 at-sea set-aside alts 48 trip limits alts multiple

712 views • 34 slides
A FAQ on tech, jobs, and wages Andrew McAfee, MIT amcafee@mit.edu

A FAQ on tech, jobs, and wages Andrew McAfee, MIT amcafee@mit.edu

A FAQ on tech, jobs, and wages Andrew McAfee, MIT amcafee@mit.edu @amcafee Whats going on? Whats going on? The polariza,on or hollowing out of the

856 views • 46 slides
Enhancement Department of Administrative Services State Purchasing Division doas.ga.gov GPM

Enhancement Department of Administrative Services State Purchasing Division doas.ga.gov GPM

Georgia Resident /Small Business/ Georgia Resident Small Business Enhancement Department of Administrative Services State Purchasing Division doas.ga.gov GPM Policy- 3.5.5.1.6 Price Matching Requirements To encourage Georgia Resident

873 views • 37 slides
2nd & H Parking Deck Transformation FEBRUARY 2017 AGENDA I. Team Background 3 II.

2nd & H Parking Deck Transformation FEBRUARY 2017 AGENDA I. Team Background 3 II.

2nd & H Parking Deck Transformation FEBRUARY 2017 AGENDA I. Team Background 3 II. Project Vision & Overview 6 III. Community Benefits & Retail 18 IV. Conclusion 21 V. Appendix 23 Team Background TEAM BACKGROUND DESIGN

511 views • 24 slides
Hannans Reward Ltd Minerals Exploration Western Australia Gold Nickel Iron

Hannans Reward Ltd Minerals Exploration Western Australia Gold Nickel Iron

ASX : HNR Hannans Reward Ltd Minerals Exploration Western Australia Gold Nickel Iron Company Update Celtic Club, West Perth, 3 December 2007 Keys Quality People Quality Projects & Active Exploration Time Hannans Reward

394 views • 21 slides
Summary of 2009 Projects (see attached table and map) Review Draft Memorandum of

Summary of 2009 Projects (see attached table and map) Review Draft Memorandum of

Conversions Working Group Meeting December 9, 2009 Discussion Topics 2009 CONVERSION PROJECTS REVIEW MOA CONCEPTS FOR FUTURE CONVERSION PROJECTS 2010 AWEP PROJECTS - PROGRAMMATIC DETAILS RECOMMENDATIONS TO THE IMPLEMENTATION

255 views • 11 slides
The History Intelligent Control Foundations of classical control 1950 s

The History Intelligent Control Foundations of classical control 1950 s

Control Systems and the Quest for Autonomy Symposium in Honor of Prof. Panos J. Antsaklis - Notre Dame E NTROPY AS A U NIFIED M EASURE T O E VALUATE A UTONOMOUS F UNCTIONALITY OF H IERARCHICAL S YSTEMS Dr. Ing. Kimon P. Valavanis John Evans

312 views • 15 slides
H + P Spectroscopy Spectrometers CCD Cameras Our product families of spectrometers span the

H + P Spectroscopy Spectrometers CCD Cameras Our product families of spectrometers span the

Spectroscopy and Imaging from X-Ray to NIR H + P Spectroscopy Spectrometers CCD Cameras Our product families of spectrometers span the hard X-Ray to NIR for spectroscopy and imaging applications. Configurations will align with applications

527 views • 15 slides
Predator-Prey Modeling Eric P. Anopolsky Introduction

Predator-Prey Modeling Eric P. Anopolsky Introduction

Differential Equations Projects http://online.redwoods.edu/instruct/darnold/deproj/ 1/32 Predator-Prey Modeling Eric P. Anopolsky Introduction Predator-prey modelling is population modelling with two distinct

353 views • 32 slides
Structure and resilience of fungal communities in Alaskan boreal forest soils D. Lee Taylor Ian

Structure and resilience of fungal communities in Alaskan boreal forest soils D. Lee Taylor Ian

Structure and resilience of fungal communities in Alaskan boreal forest soils D. Lee Taylor Ian C. Herriott Jack W. McFarland Michael G. Booth Photographer: Roger Ruess Summary of Three Fungal Community Structure Studies I. Two broad

812 views • 32 slides
Linking climate change and evolution in pre-service science teacher education: What is its'

Linking climate change and evolution in pre-service science teacher education: What is its'

Linking climate change and evolution in pre-service science teacher education: What is its' current status? & Where do we need to go? Haslam allows evolution bill to become law Deborah Tippins House Bill 368/Senate Bill 893

606 views • 28 slides
Total Variation in Image Analysis (The Homo Erectus Stage?) Franois Lauze 1Department of

Total Variation in Image Analysis (The Homo Erectus Stage?) Franois Lauze 1Department of

Total Variation Total Variation in Image Analysis (The Homo Erectus Stage?) Franois Lauze 1Department of Computer Science University of Copenhagen Hlar Summer School on Sparse Coding, August 2010 Total Variation Outline Motivation 1

1.61k views • 147 slides
Pedestrians and alcohol, how to manage all the problems; an engineers view ICTCT, Stellenbosch,

Pedestrians and alcohol, how to manage all the problems; an engineers view ICTCT, Stellenbosch,

Pedestrians and alcohol, how to manage all the problems; an engineers view ICTCT, Stellenbosch, April 4 2013 Christer Hydn, Lund University (christer.hyden@tft.lth.se) Alcohol in traffic is a huge problem! Low exposure High risks

844 views • 63 slides
Paleoanthropology and Language Ian Tattersall American Museum of Natural History Operating

Paleoanthropology and Language Ian Tattersall American Museum of Natural History Operating

Paleoanthropology and Language Ian Tattersall American Museum of Natural History Operating definition of Language: Whatever else it may also be, human language is a means of communicating using an extensive vocabulary of spoken symbols that

476 views • 44 slides
May 5, 2015 Presentation to the Orange County Board of County Commissioners on behalf of

May 5, 2015 Presentation to the Orange County Board of County Commissioners on behalf of

May 5, 2015 Presentation to the Orange County Board of County Commissioners on behalf of Citizens United for Sensible Growth, Inc. (CUSG) By Karen Z. Consalo, Esquire (Credential submitted to Record) Additional Presentations Today on behalf

710 views • 57 slides
Summary of PFAS sampling for Maine public water systems Maine CDC Drinking Water Program October

Summary of PFAS sampling for Maine public water systems Maine CDC Drinking Water Program October

Summary of PFAS sampling for Maine public water systems Maine CDC Drinking Water Program October 2019 This document presents a preliminary DRAFT summary of the 2019 voluntary sampling program for per- and polyfluoroalkyl substances (PFAS) in

221 views • 6 slides
Full Year Results 2010 Presentation to Investors & Analysts 3 d F b 3 rd February 2011 2011

Full Year Results 2010 Presentation to Investors & Analysts 3 d F b 3 rd February 2011 2011

Full Year Results 2010 Presentation to Investors & Analysts 3 d F b 3 rd February 2011 2011 Andrew Witty Chief Executive Officer 1 GSK is built around portfolios that drive highest returns in the current market environment Differentiated

204 views • 17 slides
Accessibility version: https://youtu.be/0ip5imNzLY4

Accessibility version: https://youtu.be/0ip5imNzLY4

Accessibility version: https://youtu.be/0ip5imNzLY4

1.16k views • 77 slides
New Mexico Healthcare-associated Infections (HAI) Program Presentation to the New Mexico Health

New Mexico Healthcare-associated Infections (HAI) Program Presentation to the New Mexico Health

New Mexico Healthcare-associated Infections (HAI) Program Presentation to the New Mexico Health and Human Services Committee N M i H lth d H S i C itt August 2010 Adverse Events in Healthcare National Nosocomial Infections

261 views • 12 slides
A Closer Look at Quality Measures April 9, 2013 1 Colorado Department of Health Care Policy

A Closer Look at Quality Measures April 9, 2013 1 Colorado Department of Health Care Policy

A Closer Look at Quality Measures April 9, 2013 1 Colorado Department of Health Care Policy and Financing Discussion of Measures Core Quality Measures (Required by CMS) State-Specific Process Measures Strategic Vision of LTSS

424 views • 8 slides
Colorado Department of Health Care Policy and Financing Medicare-Medicaid Enrollees Advisory

Colorado Department of Health Care Policy and Financing Medicare-Medicaid Enrollees Advisory

Colorado Department of Health Care Policy and Financing Medicare-Medicaid Enrollees Advisory Subcommittee February 12, 2013 1 Colorado Department of Health Care Policy and Financing Review Minutes 2 Colorado Department of Health Care

674 views • 39 slides
J.P. Morgan Healthcare Conference January 15, 2014 Greg Wasson President and CEO 2 1 Mass

J.P. Morgan Healthcare Conference January 15, 2014 Greg Wasson President and CEO 2 1 Mass

Mass J.P. Morgan Healthcare Conference January 15, 2014 Greg Wasson President and CEO 2 1 Mass Safe Harbor and Non-GAAP Safe Harbor and Non-GAAP Certain statements and projections of future results made in these presentations

653 views • 26 slides
Financial Catastrophes of the 21 st Century Longevity, Pandemics, and Asset Bubbles Dr. Andrew

Financial Catastrophes of the 21 st Century Longevity, Pandemics, and Asset Bubbles Dr. Andrew

Financial Catastrophes of the 21 st Century Longevity, Pandemics, and Asset Bubbles Dr. Andrew Coburn Senior Vice President, RMS & Director of the External Advisory Board Centre for Risk Studies, University of Cambridge ICRM Symposium

252 views • 24 slides
San Francisco Eligible Metropolitan Area 2014 Quality Management Program and Performance Measures

San Francisco Eligible Metropolitan Area 2014 Quality Management Program and Performance Measures

San Francisco Eligible Metropolitan Area 2014 Quality Management Program and Performance Measures Presentation HIV Health Services Planning Council September 28, 2015 Prepared By: Celinda Cant, Data Administrator, SFDPH-HIV Health Services

493 views • 28 slides

More recommend