
Wave: A new family of trapdoor preimage sampleable functions

Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich


  1. Wave: A new family of trapdoor preimage sampleable functions
     Thomas Debris-Alazard, Nicolas Sendrier and Jean-Pierre Tillich
     Information Security Group, Royal Holloway, University of London, UK
     September 18, 2019, London-ish Lattice Meeting

  2. Results
     • The first code-based “hash-and-sign” that follows the GPV strategy (Trapdoor Preimage Sampleable functions);
     • Security reduction to two problems (NP-complete) of coding theory:
       • Generic decoding of a linear code;
       • Distinguish between random codes and generalized $(U, U+V)$-codes.
     • Key size ≈ 3MB, signature size ≈ 13Kb, signing time ≈ 0.1s (non-optimized);
     • Nice feature: uniform signatures through an efficient rejection sampling, one rejection every ≈ 100 signatures.

  3. Outline
     1 Introduction
     2 Hardness of Syndrome Decoding for Large Weight
     3 Our Trapdoor and its Associated Decoder
     4 Reaching Uniform Signatures
     5 Security Proof
     6 Conclusion

  4. Digital signature scheme
     [Diagram: Alice sends $m$ over an unsecure channel; Bob receives $m'$.]
     Alice wants to assure Bob that:
     • $m$ has not been corrupted ($m = m'$).
     • $m$ comes from Alice.
     → Idea: add a signature to $m$.

  5. Digital signature scheme
     Alice first makes the following operations:
     • Generation of $(pk, sk)$.
     • Send $pk$ to everyone.
     [Diagram: Sgn takes $(m, sk)$ and outputs $\sigma$; Alice sends $(m, \sigma)$ over the unsecure channel; Bob receives $(m', \sigma')$; Vrfy takes $((m', \sigma'), pk)$ and outputs $b \in \{0, 1\}$.]

  6. Full Domain Hash Signature
     • Let $f$ be a trapdoor one-way function.
     [Diagram: $x \to f(x)$ is easy; $f(x) \to x$ is hard, but easy with the trapdoor.]
     • To sign $m$ one computes $y = H(m)$ (hash) and $\sigma \in f^{-1}(y)$.
     → It is required to invert $f$ on all vectors (full domain).
     • Verification: $f(\sigma) = H(m)$?

  7. ... with Bijective Trapdoors OW?
     • Let $f$ be a bijective trapdoor one-way function.
     • To sign $m$, compute $\sigma = f^{-1}(H(m))$ ($H$ hash function).
     $H(m)$ is uniform (ROM) ⇒ $\sigma$ is uniform too! (no leakage)
     Signature schemes DSA, RSA meet this nice feature.
     Hard condition to meet in code/lattice-based cryptography...

  8. Gentry-Peikert-Vaikuntanathan (GPV) Approach
     It is based on trapdoor one-way preimage sampleable functions!
     A family of trapdoor one-way functions $(f_a)_a$ and a distribution $D$ such that
     • $f_a(x)$ is uniformly distributed when $x \stackrel{\$}{\leftarrow} D$,
     • the algorithm computing $x \leftarrow f_a^{-1}(y)$ with the trapdoor is distributed according to $D$.

  9. Gentry-Peikert-Vaikuntanathan (GPV) Approach (continued)
     The distribution $D$ is:
     • uniform over words of fixed Hamming weight in our case,
     • gaussian for lattices.

  10. Trapdoor One-way of Wave
     Our one-way function will be ($|\cdot|$ denotes the Hamming weight):
     $f_H : \{ e \in \mathbb{F}_q^n : |e| = w \} \longrightarrow \mathbb{F}_q^{n-k}$, $e \longmapsto He^{\intercal}$
     Inverting $f_H$ amounts to solving the following problem:
     Problem (Syndrome Decoding with fixed weight). Given $H \in \mathbb{F}_q^{(n-k) \times n}$, $s \in \mathbb{F}_q^{n-k}$, and an integer $w$, find $e \in \mathbb{F}_q^n$ such that $He^{\intercal} = s^{\intercal}$ and $|e| = w$.
     → Generic problem upon which all code-based cryptography relies.
     → Putting a trapdoor on $f_H$ consists in putting a structure on $H$!
     Public key: $H_{pk}$. Signature of $H(m)$: $e$ of weight $w$ with $H_{pk} e^{\intercal} = H(m)$.

  11. Codes: Basic Definition
     A code $C$ is a subspace of $\mathbb{F}_q^n$.
     When $C$ is of dimension $k$ it is defined by a parity-check matrix $H \in \mathbb{F}_q^{(n-k) \times n}$ of full rank as:
     $C \triangleq \{ c \in \mathbb{F}_q^n : Hc^{\intercal} = 0 \}$

  12. The Trapdoor (I)
     $H_{pk}$: parity-check matrix of a permuted generalized $(U, U+V)$ code:
     • A permutation $P$,
     • Two codes $U$ and $V$ of length $n/2$,
     • Four vectors $a, b, c, d$ over $\mathbb{F}_q^{n/2}$ such that $a_i d_i - b_i c_i \neq 0$ and $a_i c_i \neq 0$.
     $(a \odot U + b \odot V, c \odot U + d \odot V)P \triangleq \{ (a \odot u + b \odot v, c \odot u + d \odot v)P : u \in U, v \in V \}$
     with $x \odot y \triangleq (x_1 y_1, x_2 y_2, \cdots, x_{n/2} y_{n/2})$

  13. The Trapdoor (II)
     Example of generalized $(U, U+V)$-code:
     • $(U, U+V) \triangleq \{ (u, u+v) : u \in U, v \in V \}$;
     • $(U+V, U-V) \triangleq \{ (u+v, u-v) : u \in U, v \in V \}$;
     • ...
     • More generally, for all $u = (u_1, \cdots, u_{n/2}) \in U$ and $v = (v_1, \cdots, v_{n/2}) \in V$:
       $\big( \underbrace{u_1, u_2 + v_2, \cdots, u_{n/2} + v_{n/2}}_{n/2 \text{ symbols}} ; \underbrace{u_1 + v_1, u_2 - v_2, \cdots, v_{n/2} - u_{n/2}}_{n/2} \big)$

  14. The Trapdoor (II) (continued)
     Proposition. Deciding whether a code is a permuted generalized $(U, U+V)$-code or not is NP-complete.
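The syndrome function $f_H$ and the signature check from the "Trapdoor One-way of Wave" slide, at toy size, as an added example that is not part of the original slides. The matrix `H` and the parameters q = 3, n = 6, w = 5 are constructed values, chosen small enough that the whole domain can be enumerated to show that $f_H$ is many-to-one.

```python
from itertools import combinations, product

Q = 3  # toy field size q (assumption; the slides keep q general)

# Constructed full-rank parity-check matrix H in F_3^{3x6} (n = 6, k = 3).
H = [
    [1, 0, 0, 1, 2, 0],
    [0, 1, 0, 1, 1, 2],
    [0, 0, 1, 0, 1, 1],
]

def weight(e):
    """Hamming weight |e|: number of non-zero coordinates."""
    return sum(1 for x in e if x % Q)

def syndrome(H, e):
    """f_H(e) = H e^T over F_q, returned as a tuple in F_q^{n-k}."""
    return tuple(sum(h * x for h, x in zip(row, e)) % Q for row in H)

def verify(H, s, e, w):
    """Check from the slide: H e^T = s^T and |e| = w (s plays the role of H(m))."""
    return len(e) == len(H[0]) and weight(e) == w and syndrome(H, e) == tuple(s)

def words_of_weight(n, w):
    """Enumerate the domain of f_H: every e in F_q^n with |e| = w."""
    for support in combinations(range(n), w):
        for values in product(range(1, Q), repeat=w):
            e = [0] * n
            for pos, val in zip(support, values):
                e[pos] = val
            yield tuple(e)

def preimage_table(H, w):
    """Map each syndrome to all its weight-w preimages (exhaustive, toy sizes only)."""
    table = {}
    for e in words_of_weight(len(H[0]), w):
        table.setdefault(syndrome(H, e), []).append(e)
    return table

if __name__ == "__main__":
    table = preimage_table(H, 5)
    print(len(table), "syndromes reached,", sum(map(len, table.values())), "words")
```

Every word in a syndrome's preimage list is an equally valid signature for that syndrome, which is why the distribution of the word actually returned by the signer matters.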
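The permuted generalized $(U, U+V)$ construction from "The Trapdoor (I)" slide, as an added example that is not part of the original slides. The generator matrices, the vectors a, b, c, d and the permutation are constructed toy values over $\mathbb{F}_3$; `unmix` is a hypothetical helper showing that $a_i d_i - b_i c_i \neq 0$ is exactly what lets the holder of (a, b, c, d, P) split a codeword back into its $U$ and $V$ parts.

```python
from itertools import product

Q = 3  # toy field size q (assumption; the slides keep q general)

def span(G):
    """All codewords generated by the rows of G over F_q."""
    return {tuple(sum(c * g for c, g in zip(coeffs, col)) % Q for col in zip(*G))
            for coeffs in product(range(Q), repeat=len(G))}

def coeffs_ok(a, b, c, d):
    """Slide condition: a_i d_i - b_i c_i != 0 and a_i c_i != 0 for every i."""
    return all((ai * di - bi * ci) % Q and (ai * ci) % Q
               for ai, bi, ci, di in zip(a, b, c, d))

def mix(u, v, a, b, c, d, perm):
    """(a*u + b*v, c*u + d*v) P, componentwise; P as a list, out[j] = word[perm[j]]."""
    left = [(ai * ui + bi * vi) % Q for ai, bi, ui, vi in zip(a, b, u, v)]
    right = [(ci * ui + di * vi) % Q for ci, di, ui, vi in zip(c, d, u, v)]
    word = left + right
    return tuple(word[p] for p in perm)

def unmix(x, a, b, c, d, perm):
    """Undo P, then invert each 2x2 block [[a_i, b_i], [c_i, d_i]] to get (u, v)."""
    word = [0] * len(x)
    for j, p in enumerate(perm):
        word[p] = x[j]
    half = len(x) // 2
    u, v = [], []
    for i in range(half):
        det_inv = pow((a[i] * d[i] - b[i] * c[i]) % Q, -1, Q)  # needs det != 0
        l, r = word[i], word[half + i]
        u.append(det_inv * (d[i] * l - b[i] * r) % Q)
        v.append(det_inv * (a[i] * r - c[i] * l) % Q)
    return tuple(u), tuple(v)

def generalized_uv_code(GU, GV, a, b, c, d, perm):
    """Codeword set of the permuted generalized (U, U+V)-code (exhaustive, toy sizes)."""
    if not coeffs_ok(a, b, c, d):
        raise ValueError("need a_i d_i - b_i c_i != 0 and a_i c_i != 0")
    return {mix(u, v, a, b, c, d, perm) for u in span(GU) for v in span(GV)}

# Constructed toy instance: U of dimension 2, V of dimension 1, length n/2 = 3.
GU, GV = [[1, 0, 1], [0, 1, 1]], [[1, 1, 1]]
A, B, C, D = (1, 2, 1), (0, 1, 2), (1, 1, 2), (1, 1, 2)
PERM = [3, 0, 5, 1, 4, 2]
CODE = generalized_uv_code(GU, GV, A, B, C, D, PERM)  # 3^(2+1) = 27 codewords
```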
