mpsign a signature from small secret middle product
play

MPSign: A Signature from Small-Secret Middle-Product Learning with - PowerPoint PPT Presentation

Dec 08, 2022 •161 likes •820 views

MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das Ryo Hiromasa Miruna Rosca Amin Sakzad Damien Stehl Ron Steinfeld Zhenfei Zhang Miruna Rosca MPSign PKC 2020 1 / 22 What is this talk about?

  1. MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das Ryo Hiromasa Miruna Rosca Amin Sakzad Damien Stehlé Ron Steinfeld Zhenfei Zhang Miruna Rosca MPSign PKC 2020 1 / 22

  2. What is this talk about? A digital signature scheme whose security in the QROM relies on the hardness of solving ApproxSVP f for many polynomials f . Main ingredient: A reduction from small secret PLWE f to small secret MP-LWE which works for many f ’s. Miruna Rosca MPSign PKC 2020 2 / 22

  3. Overview 1. Background 2. Hardness of MP-LWE with small secrets 3. MPSign: our digital signature based on small secret MP-LWE Miruna Rosca MPSign PKC 2020 3 / 22

  4. Background Miruna Rosca MPSign PKC 2020 4 / 22

  5. Digital signature DS = ( Gen , Sign , Ver ) pk sk Miruna Rosca MPSign PKC 2020 5 / 22

  6. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Miruna Rosca MPSign PKC 2020 5 / 22

  7. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Ver pk ( m, σ ) ∈ { 0 , 1 } Miruna Rosca MPSign PKC 2020 5 / 22

  8. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Ver pk ( m, σ ) ∈ { 0 , 1 } Correctness : Ver pk ( m, Sign sk ( m )) = 1 w.h.p. Miruna Rosca MPSign PKC 2020 5 / 22

  9. Digital signature DS = ( Gen , Sign , Ver ) ( m, σ = Sign sk ( m )) pk sk Ver pk ( m, σ ) ∈ { 0 , 1 } Correctness : Ver pk ( m, Sign sk ( m )) = 1 w.h.p. ufCMA Security : DS is secure if no adversary, having access to many signatures, is able to produce a signature for a new message. Miruna Rosca MPSign PKC 2020 5 / 22

  10. How to build lattice-based crypto? PSIS f PLWE f [LM06],[PR07] [SSTX09],[LPR10] ApproxSVP f Miruna Rosca MPSign PKC 2020 6 / 22

  11. How to build lattice-based crypto? PSIS f PLWE f [LM06],[PR07] [SSTX09],[LPR10] ApproxSVP f [CDPR16], [BBV+17], [CDW17], etc. ApproxSVP f is easier than ApproxSVP for some f ’s in some parameter regimes and setups. Miruna Rosca MPSign PKC 2020 6 / 22

  12. [Lyu16]: A problem at least as hard as many PSIS f PSIS over Z q [ x ] . . . . . . PSIS f 1 PSIS f 2 PSIS f m Miruna Rosca MPSign PKC 2020 7 / 22

  13. [Lyu16]: A problem at least as hard as many PSIS f PSIS over Z q [ x ] . . . . . . PSIS f 1 PSIS f 2 PSIS f m Application : digital signature scheme Miruna Rosca MPSign PKC 2020 7 / 22

  14. [RSSS17]: A problem at least as hard as many PLWE f MP - LWE . . . . . . PLWE f 1 PLWE f 2 PLWE f m Miruna Rosca MPSign PKC 2020 8 / 22

  15. [RSSS17]: A problem at least as hard as many PLWE f MP - LWE . . . . . . PLWE f 1 PLWE f 2 PLWE f m Applications of MP-LWE public key encryption: [RSSS17], [SSZ18], [BBD+19] identity based encryption: [LVV19] Miruna Rosca MPSign PKC 2020 8 / 22

  16. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 Miruna Rosca MPSign PKC 2020 9 / 22

  17. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) Miruna Rosca MPSign PKC 2020 9 / 22

  18. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 Distinguish between P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n Miruna Rosca MPSign PKC 2020 9 / 22

  19. The PLWE f and MP-LWE problems f poly. of degree n PLWE f q,χ 1 ,χ 2 Distinguish between P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  20. The PLWE f and MP-LWE problems f poly. of degree n PLWE f MP-LWE n,d q,χ 1 ,χ 2 q,χ 1 ,χ 2 Distinguish between P f q,χ 1 ( s ) for s ∈ Z q [ x ] /f a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  21. The PLWE f and MP-LWE problems f poly. of degree n PLWE f MP-LWE n,d q,χ 1 ,χ 2 q,χ 1 ,χ 2 Distinguish between MP n,d P f q,χ 1 ( s ) for s ∈ Z <n + d − 1 q,χ 1 ( s ) for s ∈ Z q [ x ] /f [ x ] q ֓ U ( Z <n a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 a ← q [ x ]) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) return ( a, b = a ⊙ d s + e ) and U ( Z q [ x ] /f × R q [ x ] /f ) <n with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  22. The PLWE f and MP-LWE problems f poly. of degree n PLWE f MP-LWE n,d q,χ 1 ,χ 2 q,χ 1 ,χ 2 Distinguish between Distinguish between MP n,d P f q,χ 1 ( s ) for s ∈ Z <n + d − 1 q,χ 1 ( s ) for s ∈ Z q [ x ] /f [ x ] q ֓ U ( Z <n a ← ֓ U ( Z q [ x ] /f ) and e ← ֓ χ 1 a ← q [ x ]) and e ← ֓ χ 1 return ( a, b = a · s + e mod f ) return ( a, b = a ⊙ d s + e ) and and U ( Z q [ x ] /f × R q [ x ] /f ) <n U ( Z <n q [ x ] × R <d q [ x ]) with non-negl. probability over the choice of s ← ֓ χ 2 . Miruna Rosca MPSign PKC 2020 9 / 22

  23. Hardness of MP-LWE with small secrets Miruna Rosca MPSign PKC 2020 10 / 22

  24. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , U [RSSS17] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  25. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , D ? MP-LWE n,d q, D , U [RSSS17] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  26. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , D ? MP-LWE n,d PLWE f q, D , U q, D , D [RSSS17] [ACPS09] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  27. Towards the hardness of MP-LWE with small secret * D: distribution which produces small elements w.h.p * U: uniform distribution MP-LWE n,d q, D , D This work MP-LWE n,d PLWE f q, D , U q, D , D [RSSS17] [ACPS09] PLWE f q, D , U error secret Miruna Rosca MPSign PKC 2020 11 / 22

  28. From PLWE f to MP-LWE for many f ’s * f ∈ Z [ x ] of degree n , d ≤ n * D R ,σ : Gaussian on R with standard deviation σ * D Z ,σ : Gaussian on Z with standard deviation σ MP-LWE n,d PLWE f [RSSS17] q,χ 1 ,χ 2 q,χ 1 ,χ 2 χ 1 D R d ,α ′ q D R n ,αq U ( Z n + d − 1 U ( Z n χ 2 ) q ) q MP-LWE n,d PLWE f This work q,χ 1 ,χ 2 q,χ 1 ,χ 2 χ 1 D Z d ,α ′′ q D Z n ,αq χ 2 D Z n + d − 1 ,α ′ q D Z n ,αq Miruna Rosca MPSign PKC 2020 12 / 22

  29. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Miruna Rosca MPSign PKC 2020 13 / 22

  30. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Take first column M f b = Rot f ( a ) M f s + M f e × Miruna Rosca MPSign PKC 2020 13 / 22

  31. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Take first column M f b = Rot f ( a ) M f s + M f e × Decompose Rot f ( a ) b ′ = Rot f (1) M f s M f e Toep ( a ) + × Miruna Rosca MPSign PKC 2020 13 / 22

  32. Recall [RSSS17] = + × Rot f ( b ) Rot f ( a ) Rot f ( s ) Rot f ( e ) Take first column M f b = Rot f ( a ) M f s + M f e × Decompose Rot f ( a ) b ′ = Rot f (1) M f s M f e Toep ( a ) + × Rename b ′ = s ′ e ′ Toep ( a ) + × Miruna Rosca MPSign PKC 2020 13 / 22

  33. From small secret PLWE f to small secret MP-LWE M f e + e Miruna Rosca MPSign PKC 2020 14 / 22

  34. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ Miruna Rosca MPSign PKC 2020 14 / 22

  35. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ We need a lower bound on the smallest singular value of M f . Miruna Rosca MPSign PKC 2020 14 / 22

  36. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ We need a lower bound on the smallest singular value of M f .  0 0  ∗ ∗ ∗ ∗ 0 0 0 ∗ ∗ ∗   • more restrictive family of f ’s   0 0 0 0 ∗ ∗   M f =   0 0 0 0 0  ∗     0 0 0 0 0  ∗   0 0 0 0 0 ∗ Miruna Rosca MPSign PKC 2020 14 / 22

  37. From small secret PLWE f to small secret MP-LWE M f e + e D Z ,α + D Z ,β ≈ D Z ,γ We need a lower bound on the smallest singular value of M f .  0 0  ∗ ∗ ∗ ∗ 0 0 0 ∗ ∗ ∗   • more restrictive family of f ’s   0 0 0 0 ∗ ∗   M f =   • larger noise amplification 0 0 0 0 0  ∗     0 0 0 0 0  ∗   0 0 0 0 0 ∗ Miruna Rosca MPSign PKC 2020 14 / 22

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

The Secret of Success In Iraq: Its All About The People SAME Mid-Atlantic/ Middle East

The Secret of Success In Iraq: Its All About The People SAME Mid-Atlantic/ Middle East

The Secret of Success In Iraq: Its All About The People SAME Mid-Atlantic/ Middle East Regional Conference October 11, 2007 Cultural Challenges In Iraq &amp; Beyond DoD &amp; Industry Will Continue To Work Globally &amp; Face

615 views • 38 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
The Secret to Managing Shared Secrets ActiveState State Tool Webinar The Secret to

The Secret to Managing Shared Secrets ActiveState State Tool Webinar The Secret to

The Secret to Managing Shared Secrets ActiveState State Tool Webinar The Secret to Managing Shared Secrets Welcome Pete Garcin Dana Crane Senior Product Manager Product Marketing ActiveState (@rawktron) Manager, ActiveState The

814 views • 35 slides
INTRODUCTION: A DIFFERENT KIND OF SERMON. 1 The Secret Shame of Middle Class Americans

INTRODUCTION: A DIFFERENT KIND OF SERMON. 1 The Secret Shame of Middle Class Americans

INTRODUCTION: A DIFFERENT KIND OF SERMON. 1 The Secret Shame of Middle Class Americans FED: 47% &lt; $400 2 Sermon on Contentment Slides.key - May 9, 2016 1. YOU CANT TAKE IT WITH YOU the world and its desire are passing away,

420 views • 16 slides
Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter:

Number-Theoretic Methods in Cryptology 2019 Delegating a Product of Group Exponentiations with Application to Signature Schemes Presenter: Giovanni Di Crescenzo Perspecta Labs Inc. (also doing business as Applied Communication Sciences)

548 views • 33 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
LESER Product Range, Developments &amp; Specialties of Middle East Rupendra Singh, LESER Middle

LESER Product Range, Developments &amp; Specialties of Middle East Rupendra Singh, LESER Middle

Tamilnadu Engineers Forum Kuwait 5th Technological Innovations Conference &amp; Exhibition 2 November 2014 LESER Product Range, Developments &amp; Specialties of Middle East Rupendra Singh, LESER Middle East Objectives of todays presentation

404 views • 39 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing

Secret Sharing and Visual Cryptography Outline Secret Sharing Visual Secret Sharing Constructions Moir Cryptography Issues Secret Sharing Secret Sharing Threshold Secret Sharing (Shamir, Blakely 1979) Motivation

1.32k views • 62 slides
VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret

VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret

NEW YORK LONDON SHANGHAI VICTORIA'S SECRET THE WORLD'S BEST BRAS OVERVIEW Victoria's Secret Victoria's PINK Secret Sport WE ARE MISSION VISION VALUES 8.1% GROWTH BY 2022 3BN DOMESTIC VALUE STATS WE OFFER LINGERIE PANTIES

340 views • 30 slides
Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is

Today. Polynomials. Secret Sharing. A secret! I have a secret! A number from 0 to 10. What is it? Any one of you knows nothing! Any two of you can figure it out! Example Applications: Nuclear launch: need at least 3 out of 5 people to

513 views • 23 slides
On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin

On dual lattice attacks against small-secret LWE and parameter choices in HElib and SEAL Martin R. Albrecht Information Security Group, Royal Holloway, University of London Learning with Errors or 1 Oded Regev. On lattices, learning with

586 views • 26 slides
PPR control and eradication challenges in the Middle East Middle East characteristics Large

PPR control and eradication challenges in the Middle East Middle East characteristics Large

Ghazi Yehia Xavier Pacholek OIE Regional Representation for the Middle East PPR control and eradication challenges in the Middle East Middle East characteristics Large small ruminants (SR) population 10% world sheep herd o 105 million

420 views • 16 slides
Edge Working Group and Activities The Vision thing - Product goals and objects. The Secret Sauce:

Edge Working Group and Activities The Vision thing - Product goals and objects. The Secret Sauce:

Edge Working Group and Activities The Vision thing - Product goals and objects. The Secret Sauce: Tools and Automation Pain Points and the Ask Confidential and proprietary materials for authorized Verizon personnel and outside agencies only.

557 views • 20 slides
Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven

Practical Attacks on the Walnut Signature Scheme Ward Beullens Simon R. Blackburn KU Leuven Royal Holloway December 2, 2018 Introduction 1/22 WalnutDSA is a Signature Scheme submitted to the NIST PQC project. Small signatures and keys

643 views • 27 slides
A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not

A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not

Mailchimp Scale: A MySQL Perspective John Scott Mailchimp What is Mailchimps secret sauce? Hint: Its not much of a secret. 2 Focus on the small business Empowering the Underdog 3 We give marketers production-ready

940 views • 82 slides
TuneupA)erA18Alignment JerryAnnala,AlexValishev

TuneupA)erA18Alignment JerryAnnala,AlexValishev

TuneupA)erA18Alignment JerryAnnala,AlexValishev PreAlignmentThoughtsandStudies A)ertheshutdownVA18wasrunningat45A,whichisconsistent

345 views • 6 slides
The never died: Automata theory for reversing modern CPUs RootedCON - March 2020

The never died: Automata theory for reversing modern CPUs RootedCON - March 2020

The never died: Automata theory for reversing modern CPUs RootedCON - March 2020 vwzq.net cgvwzq github.com/cgvwzq About me Im Pepe Vila (a.k.a. cgvwzq) PhD student at the IMDEA Software Institute Worked as security consultant

730 views • 61 slides
Introduction to Virtual Machines Michael Jantz Acknowledgements Slides adapted from Chapter 1

Introduction to Virtual Machines Michael Jantz Acknowledgements Slides adapted from Chapter 1

Introduction to Virtual Machines Michael Jantz Acknowledgements Slides adapted from Chapter 1 in Virtual Machines: Versatile Platforms for Systems and Processes by James E. Smith and Ravi Nair Credit to Prasad A. Kulkarni some slides

698 views • 33 slides
Object vision (Chapter 4) Lecture 9 Jonathan Pillow Sensation &amp; Perception (PSY 345 / NEU

Object vision (Chapter 4) Lecture 9 Jonathan Pillow Sensation &amp; Perception (PSY 345 / NEU

Object vision (Chapter 4) Lecture 9 Jonathan Pillow Sensation &amp; Perception (PSY 345 / NEU 325) Princeton University, Fall 2017 1 Introduction What do you see? 2 Introduction What do you see? 3 Introduction What do you see? 4

809 views • 57 slides
Recap: Pregel Superstep 0 3 6 2 1 Superstep 1 6 6 2 6 Superstep 2 6 6 6 6

Recap: Pregel Superstep 0 3 6 2 1 Superstep 1 6 6 2 6 Superstep 2 6 6 6 6

Asynchronous Graph Processing CompSci 590.03 Instructor: Ashwin Machanavajjhala (slides adapted from Graphlab talks at UAI10 &amp; VLDB 12 and

831 views • 64 slides
JustRunIt: ExperimentBased Management of Virtualized Data Centers Wei Zheng Yoshio Turner

JustRunIt: ExperimentBased Management of Virtualized Data Centers Wei Zheng Yoshio Turner

JustRunIt: ExperimentBased Management of Virtualized Data Centers Wei Zheng Yoshio Turner Ricardo Bianchini Renato Santos John Janakiraman Rutgers University HP Labs MoMvaMon Managing data center is a challenging task Resource

420 views • 27 slides
A Quantum Money solution to the Blockchain Scalability Problem Andrea Coladangelo, Or Sattath

A Quantum Money solution to the Blockchain Scalability Problem Andrea Coladangelo, Or Sattath

A Quantum Money solution to the Blockchain Scalability Problem Andrea Coladangelo, Or Sattath QCrypt 2020 The scalability problem The amount of resources or time needed per transaction grows with the number of users. e.g. Long waiting times

404 views • 24 slides
University of Tennessee Knoxville, Tennessee Smokey Mountain National Park Durable Materials for

University of Tennessee Knoxville, Tennessee Smokey Mountain National Park Durable Materials for

R ADIATION D AMAGE IN C RISTALLINE W ASTEFORMS Maik Lang University of Tennessee Department of Nuclear Engineering Knoxville, TN, USA mlang2@utk.edu University of Tennessee Knoxville, Tennessee Smokey Mountain National Park Durable

793 views • 42 slides

More recommend