Lattice Based Signatures Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael...

Post on 08-Jan-2018


Lattice Based Signatures

Johannes Buchmann Erik Dahmen Richard Lindner

Markus Rückert Michael Schneider

Outline

Digital Signatures in practice

Why lattice based signatures?

Commercial 1

Traditional lattice based signatures: NTRU

A new approach: Lattice based one-time signatures

Commercial 2

Windows XP updates authentic?

Shell.Exec(“rmdir /Q /S C:\Windows\System32“)

Or this “update”?

Automatic updates

Software updates for embedded devices

Digital Signatures guarantee authenticity

Website digitally signed

data packages (...) are digitally signed.

Health Professional Card

…using 200 digits provides a margin of safety against future developments…

RSA-200 factored in 2005

After 27 years

RSA modulus for Windows XP updates

21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751

617 digits

Quantum computers make RSA, ECC insecure

Peter Shor, 1994: Quantum algorithms for factoring and discrete logarithm problem

In 2001 Chuang et al. factor 15

NMR Quantum computer

Quantum immune signatures?

Lattice Based Signatures

Closest Vector Problem (γ-CVP)

Given:

Lattice L ⊆ Z^n

x ∈ Z^n

γ ≥ 1

Find: v ∈ L: ‖x – v‖ ≤ γ·‖x – w‖ for all w ∈ L

Complexity of γ-CVP

NP-hard:

Arora et al. (1997): log(n)^c-CVP is NP-hard for all c

Not NP-hard:

Goldreich, Goldwasser (2000): (n^(1/2) / log(n))-CVP is not NP-hard or coNP ⊆ AM

Lattice Signatures

Public Key: Basis of lattice L ⊆ Z^n

Private Key: Reduced basis of L

Signature:

Message m → hash → x = h(m) ∈ Z^n → solve CVP → Signature v ∈ L

Verification:

1. Check v ∈ L

2. Accept if v close to h(m)
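The sign/verify flow of this slide as a toy in dimension 2. This is an added example, not code from the talk; the two bases, the SHA-256 based h and the distance threshold are constructed assumptions. Signing rounds h(m) with the reduced private basis (Babai rounding), the same rounding with the public basis lands far away, and signatures produced this way are what the Nguyen, Regev 2006 attack cited on the following slides works from.

```python
import hashlib
from fractions import Fraction

# Constructed toy keys (assumptions, not from the slides); basis vectors are rows.
GOOD = [[7, 1], [-1, 8]]      # private key: short, nearly orthogonal (reduced) basis
BAD = [[19, 19], [25, 28]]    # public key: U * GOOD with unimodular U = [[3, 2], [4, 3]]
MAX_DIST2 = 30                # rounding with GOOD never exceeds squared distance 29.25

def coords(basis, x):
    """Exact rational coordinates c with c[0]*basis[0] + c[1]*basis[1] = x."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return [Fraction(x[0] * d - x[1] * c, det), Fraction(x[1] * a - x[0] * b, det)]

def babai_round(basis, x):
    """Approximate CVP: round the coordinates of x with respect to basis."""
    k = [round(c) for c in coords(basis, x)]
    return [k[0] * basis[0][j] + k[1] * basis[1][j] for j in range(2)]

def h(message, bound=1000):
    """Hash a message to a point x = h(m) in Z^2 (toy range)."""
    d = hashlib.sha256(message).digest()
    return [int.from_bytes(d[:4], "big") % bound, int.from_bytes(d[4:8], "big") % bound]

def dist2(u, v):
    return sum((p - q) ** 2 for p, q in zip(u, v))

def sign(message):
    return babai_round(GOOD, h(message))           # needs the reduced basis

def verify(message, v):
    in_lattice = all(c.denominator == 1 for c in coords(BAD, v))   # 1. v in L
    return in_lattice and dist2(v, h(message)) <= MAX_DIST2        # 2. v close to h(m)

if __name__ == "__main__":
    msg = b"constructed update package"
    v = sign(msg)
    print("h(m) =", h(msg), "signature v =", v, "valid:", verify(msg, v))
    x = [10, 0]
    print("private basis:", babai_round(GOOD, x), "public basis:", babai_round(BAD, x))
```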

CVP-based Signatures

GGH (Goldwasser, Goldreich, Halevi 1997)

NTRU-Sign (Hoffstein et al. 2003)

Attack (Nguyen, Regev 2006)

Nguyen, Regev 2006 Attack

NTRU-251 broken using ≈ 400 signatures

GGH-400 broken using ≈ 160.000 signatures


Hash tree based signatures

Use one-time signature scheme (OTSS):

One (Signature key, verification key) per signature

Hash tree reduces validity of many verification keys to validity of one public key

[Figure: hash tree with Public Key at the root and Verification Keys Y1 Y2 Y3 Y4 Y5 Y6 Y7 Y8 at the leaves]
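A sketch of the hash tree over eight verification keys Y1..Y8, added here as an example and not taken from the talk or from GMSS. SHA-256, the byte-string keys and the leaf/inner-node prefix bytes are assumptions; the authentication path holds one n-bit hash per tree level, which is the "tree depth · n" cost.

```python
import hashlib

def leaf_hash(verification_key):
    # Prefix 0x00 keeps leaf hashes distinct from inner-node hashes (assumed hardening).
    return hashlib.sha256(b"\x00" + verification_key).digest()

def node_hash(left, right):
    return hashlib.sha256(b"\x01" + left + right).digest()

def build_tree(verification_keys):
    """Return all levels: levels[0] = hashed leaves, levels[-1] = [public key]."""
    level = [leaf_hash(y) for y in verification_keys]   # count must be a power of two
    levels = [level]
    while len(level) > 1:
        level = [node_hash(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling differs in the lowest index bit
        index >>= 1
    return path

def root_from_path(verification_key, index, path):
    """Verifier side: recompute the root from one verification key and its path."""
    node = leaf_hash(verification_key)
    for sibling in path:
        node = node_hash(sibling, node) if index & 1 else node_hash(node, sibling)
        index >>= 1
    return node

if __name__ == "__main__":
    keys = [("Y%d" % i).encode() for i in range(1, 9)]   # constructed stand-ins
    levels = build_tree(keys)
    public_key = levels[-1][0]
    path = auth_path(levels, 4)                          # one-time key Y5
    print("path hashes:", len(path), "bytes:", sum(len(p) for p in path))
    print("Y5 authentic:", root_from_path(keys[4], 4, path) == public_key)
```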

Scheme            Signature size   Signing      Verifying
ECDSA (256 bit)   71 bytes         9.3 msec     23.8 msec
RSA (4440 bit)    555 bytes        914.1 msec   13.6 msec
GMSS (256 bit)    3936 bytes       77.3 msec    57.8 msec

Timings obtained using FlexiProvider on a Pentium Dual-Core 1.83GHz (2^40 Signatures)

= 128 bit symmetric security (secure until 2090)

GMSS (Dahmen, Schneider 2008) based on Winternitz OTS

Authentication path: O(tree depth · n)

GMSS signature size of n-bit hashes is Ω(n^2):

(i, , , , , )

OTS: Ω(n^2)

Public key: O(n)

Reduce Signature Size !

Lyubashevsky Micciancio OTS 2008

R = Z[x] / <p, f(x)>, m = O(log(n)), a_1,...,a_m ∈ R

H: (small elements in R)^m → R, x = (x_1,...,x_m), H(x) = Σ_{i=1,...,m} a_i x_i

Micciancio 2002: If there exists a polynomial-time algorithm that finds a collision for a random choice of H then there exists a polynomial time algorithm that approximates λ_1(L) within a polynomial factor for every lattice L corresponding to an ideal in Z[x] / <f>.


Signature Key: x, y ∈ R^m “very small”

Verification Key: (H(x), H(y))

Signature of z ∈ R (“very small”): s = xz + y

Verification: H(s) =? H(x)z + H(y)

Signature and hash of same size!
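The key generation, signing and verification equations above, run in a toy ring. This is an added example, not the authors' implementation; f(x) = x^N + 1, the sizes N, P, M and the explicit coefficient bound on s are assumptions. The bound matters: without it any s' with H(s') = H(s) would verify, and such large s' are easy to write down.

```python
import random

N, P, M = 8, 257, 3          # toy sizes (assumptions): R = Z_P[x]/(x^N + 1), m = M
BOUND = N + 1                # largest |coefficient| an honest s = x*z + y can have

def ring_mul(a, b):
    """Product in Z_P[x]/(x^N + 1); x^N wraps around to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            wrap = 1 if i + j < N else -1
            out[(i + j) % N] = (out[(i + j) % N] + wrap * ai * bj) % P
    return out

def ring_add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]

def hash_H(a, x):
    """H(x) = sum_i a_i * x_i for x = (x_1, ..., x_m) in R^m."""
    acc = [0] * N
    for ai, xi in zip(a, x):
        acc = ring_add(acc, ring_mul(ai, xi))
    return acc

def small(rng):
    """'Very small' ring element: coefficients in {-1, 0, 1}."""
    return [rng.randint(-1, 1) for _ in range(N)]

def keygen(rng):
    a = [[rng.randrange(P) for _ in range(N)] for _ in range(M)]   # defines H
    x, y = [small(rng) for _ in range(M)], [small(rng) for _ in range(M)]
    return a, (x, y), (hash_H(a, x), hash_H(a, y))   # H, signature key, verification key

def sign(sk, z):
    x, y = sk                                        # one-time: sign a single z per key
    return [ring_add(ring_mul(xi, z), yi) for xi, yi in zip(x, y)]   # s = x*z + y

def is_small(s):
    """Check centred coefficients against BOUND (assumed check, not on the slide)."""
    return all(min(c % P, P - c % P) <= BOUND for si in s for c in si)

def verify(a, vk, z, s):
    hx, hy = vk
    return is_small(s) and hash_H(a, s) == ring_add(ring_mul(hx, z), hy)

if __name__ == "__main__":
    rng = random.Random(2008)                        # fixed seed: toy demo only
    a, sk, vk = keygen(rng)
    z = small(rng)
    print("valid:", verify(a, vk, z, sign(sk, z)))
```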

Security of LM-OTS

Model: Forger

is given H, H(x), H(y)

obtains signature s of z of her choice

forges signature s' of z', (s,z) ≠ (s',z')

ML 2006: Forging a signature for random H implies being able to find very short vectors in ideal lattices L(I) = { (a_0,...,a_{n-1}) ∈ Z^n : Σ_{i=0,...,n-1} a_i x^i + <f> ∈ I }

Security of LM-OTS

1. There are many x', y' with H(x) = H(x'), H(y) = H(y').

2. (H, H(x), H(y), s, z) yields negligible information about x, y.

3. Forger produces signature s' ≠ xz' + y

4. Collision of H:

H(s') = H(x)z' + H(y) = H(xz' + y)

!

LM-OTS practical ?

Difficulty of γ-SVP?

Lattice Challenge!

Lattice Challenge

B., Rückert, Lindner 2008

Lattice challenge

Dirichlet: L(c1,c2,n,X) contains vector of length < n

Ajtai: If there is a polynomial time algorithm for finding a vector of length < n in L(c1,c2,n,X) for a random X (dimension m > n) then hard lattice problems can be solved in all lattices of dimension n (< m)

Lattice challenge

L(c1,c2,n,X)

c2 = 1, m challenge dimension, c2 = c2(n), q = n = n(m)

X from digits of π

γ = n/d(L)^(1/m)

Gama, Nguyen 2008: γ < 1.005^m then finding vector of length < n totally out of reach

www.LatticeChallenge.org

Thank you