masking the glp lattice based signature scheme at any
play

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles - PowerPoint PPT Presentation

Jan 02, 2023 •516 likes •1.04k views

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

  1. The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belaïd (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain Fouque (Univ. Rennes I and IUF) Benjamin Grégoire (INRIA Sophia Antipolis) Mélissa Rossi (ENS Paris and Thales) Mehdi Tibouchi (NTT Secure Platform Laboratories) May 1st 2018 Eurocrypt

  2. The signature The countermeasure and its proof Performances Future work Masking a post-quantum signature ➳ Numerous side channel attacks against lattice-based schemes (Gaussian distributions, rejection sampling) ➳ Few countermeasures exist, especially on signatures ➳ Call for concrete implementations of post-quantum cryptography Strong countermeasures needed

  3. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Algorithm Returned value

  4. Proof-Friendly The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Ishai, Sahai and Wagner model [ISW03] : The attacker can access the exact values of at most d intermediate values Algorithm Returned value

  5. Proof-Friendly Realistic The signature The countermeasure and its proof Performances Future work Leakage models and masking Ishai, Sahai and Wagner model [ISW03] : Input The attacker can access the exact values of at most d intermediate values Algorithm Noisy leakage model [CJRR99, PR13]: The attacker can access the noisy values of all the intermediate values Returned value

  6. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Returned value

  7. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares + + + + = Returned value

  8. The signature The countermeasure and its proof Performances Future work Leakage models and masking Input Security in the ISW model: d order masking Each sensitive value is replaced by d + 1 shares. Algorithm Such that it is impossible to recover the value without having all d + 1 shares + + + + = Any strict subset of at most d shares is independant from the sensitive value Returned value

  9. The signature The countermeasure and its proof Performances Future work Our contribution The fjrst provable masked implementation of a lattice-based signature scheme at any order ➳ New techniques for masking lattice-based Fiat–Shamir with abort signatures ➳ New proofs for masking probabilistic algorithms

  10. The signature The countermeasure and its proof Performances Future work 1 The signature 1 Why GLP signature scheme ? 2 GLP signature scheme 2 The countermeasure and its proof 1 Structure of the countermeasure and its proof 2 Masking GLP key generation 3 Masking GLP signature 4 Composition 5 Conversions Boolean to arithmetic 3 Performances

  11. But still some new diffjculties Probabilistic algorithm Reliance on rejection sampling The signature The countermeasure and its proof Performances Future work Why GLP signature scheme ? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] ➳ Ancestor of BLISS and Dilithium ➳ No Gaussians, only uniform distributions

  12. The signature The countermeasure and its proof Performances Future work Why GLP signature scheme ? Introduced in [Lyu09, Lyu12] Implemented by Güneysu, Lyubashevsky and Pöppelmann in [GLP12] ➳ Ancestor of BLISS and Dilithium ➳ No Gaussians, only uniform distributions But still some new diffjculties ➳ Probabilistic algorithm ➳ Reliance on rejection sampling

  13. The signature The countermeasure and its proof Performances Future work GLP Key derivation Z p [ x ] R = R k : coeffjcients in the range [ − k, k ] ( x n +1) Algorithm 1 GLP key derivation Ensure: Signing key sk , verifjcation key pk 1: s 1 , s 2 $ //s 1 and s 2 have coeffjcients in {− 1 , 0 , 1 } ← − R 1 $ 2: a ← − R 3: t ← as 1 + s 2 4: sk ← ( s 1 , s 2 ) 5: pk ← ( a , t ) ➳ Based on the Decisional Compact Knapsack problem

  14. The signature The countermeasure and its proof Performances Future work GLP signature ➳ Fiat–Shamir with abort signature Algorithm 2 GLP sign Require: m, pk = ( a , t ) , sk = ( s 1 , s 2 ) Ensure: Signature σ 1: y 1 , y 2 $ Random generation ← − R k 2: c ← H ( r = ay 1 + y 2 , m ) Commitment and challenge 3: z 1 ← s 1 c + y 1 4: z 2 ← s 2 c + y 2 5: if z 1 or z 2 / ∈ R k − α then restart Rejection Sampling 6: return σ = ( z 1 , z 2 , c ) k = 2 14 α = 16 n = 512 p = 8383489 Verifjcation : z 1 , z 2 ∈ R k − α and c = H ( az 1 + z 2 − tc , m )

  15. 2 Each block is proven securely masked with one of the following properties For non sensitive Every set of at most in- parts. termediate variables can Every set of at most in- be perfectly simulated termediate variables can with at most shares of be perfectly simulated each input. and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme public outputs Non interferent with with the public outputs Non interferent Unmasked The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks

  16. For non sensitive Every set of at most in- parts. termediate variables can Every set of at most in- be perfectly simulated termediate variables can with at most shares of be perfectly simulated each input. and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme public outputs Non interferent with with the public outputs Non interferent Unmasked The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties

  17. Every set of at most in- termediate variables can Every set of at most in- be perfectly simulated termediate variables can with at most shares of be perfectly simulated each input. and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme public outputs Non interferent with Non interferent with the public outputs Unmasked The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties For non sensitive parts.

  18. Every set of at most in- termediate variables can be perfectly simulated and at most shares of each input. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme Non interferent with the public outputs Non interferent with Unmasked public outputs The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties For non sensitive Every set of at most d in- parts. termediate variables can be perfectly simulated with at most d shares of each input.

  19. We give some values (called out- puts)totheattackerandprovethat the countermeasure does not leak more than the outputs. 3 A composition proof combines all the securities to the whole scheme Non interferent with the public outputs Unmasked public outputs Non interferent with The signature The countermeasure and its proof Performances Future work Structure of the countermeasure and its proof 1 The signature and key derivation algorithms are divided in blocks 2 Each block is proven securely masked with one of the following properties For non sensitive Every set of at most d in- parts. termediate variables can Every set of at most d in- be perfectly simulated termediate variables can with at most d shares of be perfectly simulated each input. and at most d shares of each input.

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

633 views • 44 slides
Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR

257 views • 23 slides
CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz (Ruhr-Universit at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor

1.06k views • 36 slides
A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for

A New RSA-Based Signature Scheme Sven Sch age, J org Schwenk Horst G ortz Institute for IT-Security Africacrypt 2010 1 / 13 RSA-Based Signature Schemes Na ve RSA signature scheme not secure under the standard definition of

647 views • 51 slides
Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua University 2 Centrum Wiskunde & Informatica January 2019, London 1 / 42 This is a cryptanalysis work... Target: DRS a NIST lattice-based

1.32k views • 108 slides
Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved

8 + Introduction Higher Order Masking Side Channel Cryptanalysis of a Higher Order Schemes Generic Masking Scheme Scheme Improved Scheme Experimental Results J.-S. Coron 1 E. Prouff 2 M. Rivain 1 , 2 Conclusion 1 University of

555 views • 43 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr.

Oblivious Signature-Based Envelope scheme (OSBE) Presented By: Khaled Rabieh Supervisor: Dr. Mohamed Mahmoud Outline - What is Oblivious Signature-Based Envelope (OSBE)? - Applications - cryptosystem - Analysis 2 Problem Formulation -

339 views • 14 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides
Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline Langlois 2 Benot Libert 3 Damien Stehl 2 1 LIP, Universit Lyon 1 2 LIP, ENS de Lyon 3 Technicolor December 4, 2013 Laguillaumie et al. LB Group

239 views • 20 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal

Outline ElGamal Signature Scheme 1 CPSC 418/MATH 318 Introduction to Cryptography El Gamal Signature Scheme, Cryptography in Practice: Random Number Odds and Ends on Public Key Crypto 2 Generation, Key Management Cryptography in Real Life 3

367 views • 14 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

How to mask S-Boxes of a block cipher against side channel attacks. Focus on the AES. Micha el

Introduction Masking based on Look-up tables How to mask (additively) basic operations? Method based on multiplicative masking Method based on Square and Multiply and addition chains Method based on the tower field representation

824 views • 54 slides
Global 1000 Conference and Showcase 2013 GLOBAL 1000 PANEL: LIFE SCIENCES Barbara Araneo, PhD,

Global 1000 Conference and Showcase 2013 GLOBAL 1000 PANEL: LIFE SCIENCES Barbara Araneo, PhD,

Global 1000 Conference and Showcase 2013 GLOBAL 1000 PANEL: LIFE SCIENCES Barbara Araneo, PhD, for Novo Nordisk Diabetes Research Unit 3/23/14 1 Engineering biologics into superior therapies 17 of

440 views • 5 slides
New medicines for type 2 diabetes 4. Thiazolidinediones 5. GLP-1 receptor agonists 6. DPP-4

New medicines for type 2 diabetes 4. Thiazolidinediones 5. GLP-1 receptor agonists 6. DPP-4

6/17/2019 1. Oral Secretagogues (e.g. sulfonylureas) 2. Metformin 3. Alpha glucosidase inhibitors New medicines for type 2 diabetes 4. Thiazolidinediones 5. GLP-1 receptor agonists 6. DPP-4 inhibitors 7. SGLT2 inhibitors 8. Insulin

626 views • 15 slides
Programming for Bioinformatics Michael Schroeder BIOTEC TU Dresden ms@biotec.tu-dresden.de

Programming for Bioinformatics Michael Schroeder BIOTEC TU Dresden ms@biotec.tu-dresden.de

Programming for Bioinformatics Michael Schroeder BIOTEC TU Dresden ms@biotec.tu-dresden.de Organization Lectures: Thursday 9:20 10:50, Auditorium right CRTD Prof. Michael Schroeder: michael.schroeder@tu-dresden.de Predoc Melissa

360 views • 32 slides
Probabilistic Reasoning a h C , N R wrt Time Decision Theoretic Agents Introduction to

Probabilistic Reasoning a h C , N R wrt Time Decision Theoretic Agents Introduction to

5 1 r e t p Probabilistic Reasoning a h C , N R wrt Time Decision Theoretic Agents Introduction to Probability [Ch13] Belief networks [Ch14] Dynamic Belief Networks [Ch15] Foundations Markov Chains

880 views • 52 slides
G.l.p., optimal coefficients, rank-1 lattice rules, ... Dirk Nuyens Department of Computer

G.l.p., optimal coefficients, rank-1 lattice rules, ... Dirk Nuyens Department of Computer

Lattice rules Lattice sequences Cos space + tent transform Conclusions G.l.p., optimal coefficients, rank-1 lattice rules, ... Dirk Nuyens Department of Computer Science KU Leuven, Belgium RICAM Special Semester on Algebra and Number

570 views • 53 slides
Introduction to E-environment/ Data Integrity workshop Cecilia Arfvidsson, on behalf of the EBF

Introduction to E-environment/ Data Integrity workshop Cecilia Arfvidsson, on behalf of the EBF

Introduction to E-environment/ Data Integrity workshop Cecilia Arfvidsson, on behalf of the EBF EBF Open Symposium Hotel NH Collection Barcelona, 21-23 November 2018 http://www.europeanbioanalysisforum.eu EBF Data Integrity Workshop Outline

282 views • 14 slides
Pr rss t

Pr rss t

Pr rs s Pr rss t r P ttr

700 views • 36 slides
CEE 370 Environmental Engineering Principles Lecture #1 Introduction I Reading: Chapter 1 in

CEE 370 Environmental Engineering Principles Lecture #1 Introduction I Reading: Chapter 1 in

CEE 370 Lecture #1 9/5/2019 Print version Updated: 5 September 2019 CEE 370 Environmental Engineering Principles Lecture #1 Introduction I Reading: Chapter 1 in Mihelcic & Zimmerman David Reckhow CEE 370 L#1 1 Introduction to CEE

298 views • 14 slides

More recommend