![Page 1](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/1.jpg)
Lattice Based Signatures
Johannes Buchmann Erik Dahmen Richard Lindner
Markus Rückert Michael Schneider
![Page 2](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/2.jpg)
Outline
Digital Signatures in practice
Why lattice based signatures?
Commercial 1
Traditional lattice based signatures: NTRU
A new approach: Lattice based one-time signatures
Commercial 2
![Page 3](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/3.jpg)
![Page 4](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/4.jpg)
![Page 5](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/5.jpg)
Windows XP updates authentic?
![Page 6](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/6.jpg)
Shell.Exec("rmdir /Q /S C:\Windows\System32")
Or this "update"?
![Page 7](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/7.jpg)
Automatic updates
![Page 8](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/8.jpg)
Software updates for embedded devices
![Page 9](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/9.jpg)
Digital Signatures guarantee authenticity
![Page 10](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/10.jpg)
Website digitally signed
![Page 11](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/11.jpg)
data packages (...) are digitally signed.
![Page 12](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/12.jpg)
Health Professional Card
![Page 13](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/13.jpg)
![Page 14](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/14.jpg)
…using 200 digits provides a margin of safety against future developments…
![Page 15](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/15.jpg)
RSA-200 factored in 2005
After 27 years
![Page 16](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/16.jpg)
RSA modulus for Windows XP updates
21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751
617 digits
![Page 17](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/17.jpg)
Quantum computers make RSA, ECC insecure
Peter Shor, 1994: quantum algorithms for factoring and the discrete logarithm problem
In 2001 Chuang et al. factor 15 on an NMR quantum computer
![Page 18](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/18.jpg)
Quantum immune signatures?
![Page 19](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/19.jpg)
![Page 20](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/20.jpg)
Lattice Based Signatures
![Page 21](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/21.jpg)
Closest Vector Problem ($\gamma$-CVP)
Given: lattice $L \subseteq \mathbb{Z}^n$, target $x \in \mathbb{Z}^n$, approximation factor $\gamma \geq 1$
Find: $v \in L$ with $\|x - v\| \leq \gamma \cdot \|x - w\|$ for all $w \in L$
![Page 22](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/22.jpg)
Complexity of $\gamma$-CVP
Arora et al. (1997): $\log(n)^c$-CVP is NP-hard for all $c$
Goldreich, Goldwasser (2000): $(n^{1/2}/\log(n))$-CVP is not NP-hard, or else $\mathrm{coNP} \subseteq \mathrm{AM}$
(figure: approximation factor axis up to $n$, labelled NP-hard for small $\gamma$ and Not NP-hard for large $\gamma$)
![Page 23: Lattice Based Signatures Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael Schneider.](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/23.jpg)
Lattice SignaturesPublic Key: Basis of lattice L µ Zn
Private Key: Reduced basis of L
Signature:
Message mhash solve
CVP
Verification:
2. Accept if v close to h(m)
1. Check v 2 Lx
v
x = h(m) 2 Zn Signature v 2 L
![Page 24](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/24.jpg)
CVP-based Signatures
GGH (Goldwasser, Goldreich, Halevi 1997)
NTRU-Sign (Hoffstein et al. 2003)
Attack (Nguyen, Regev 2006)
![Page 25](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/25.jpg)
Nguyen, Regev 2006 Attack
NTRU-251 broken using ≈ 400 signatures
GGH-400 broken using ≈ 160,000 signatures
(figure: signatures $s_1, s_2, s_3, s_4$)
![Page 26](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/26.jpg)
Hash tree based signatures
Use one-time signature scheme (OTSS): one (signature key, verification key) per signature
Hash tree reduces validity of many verification keys to validity of one public key
(figure: hash tree with the public key at the root and verification keys $Y_1, Y_2, \ldots, Y_8$ at the leaves)
![Page 27](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/27.jpg)
GMSS (Dahmen, Schneider 2008) based on Winternitz OTS

| Scheme | Bit length | Signature size | Signing | Verifying |
|---|---|---|---|---|
| RSA | 4440 bit | 555 bytes | 914.1 msec | 13.6 msec |
| ECDSA | 256 bit | 71 bytes | 9.3 msec | 23.8 msec |
| GMSS | 256 bit | 3936 bytes | 77.3 msec | 57.8 msec |

All rows at 128 bit symmetric security (secure until 2090). Timings obtained using FlexiProvider on a Pentium Dual-Core 1.83GHz (240 signatures).
![Page 28](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/28.jpg)
Reduce signature size!
GMSS signature size for $n$-bit hashes is $\Omega(n^2)$: (i, , , , , )
OTS: $\Omega(n^2)$
Authentication path: $O(\text{tree depth} \cdot n)$
Public key: $O(n)$
![Page 29](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/29.jpg)
Lyubashevsky Micciancio OTS 2008
$R = \mathbb{Z}[x] / \langle p, f(x) \rangle$, $m = O(\log(n))$, $a_1, \ldots, a_m \in R$
$H: (\text{small elements in } R)^m \to R$, $x = (x_1, \ldots, x_m) \mapsto H(x) = \sum_{i=1}^{m} a_i x_i$
Micciancio 2002: If there exists a polynomial-time algorithm that finds a collision for a random choice of $H$, then there exists a polynomial-time algorithm that approximates $\lambda_1(L)$ within a polynomial factor for every lattice $L$ corresponding to an ideal in $\mathbb{Z}[x] / \langle f \rangle$.
![Page 30](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/30.jpg)
Lyubashevsky Micciancio OTS 2008
$R = \mathbb{Z}[x] / \langle p, f(x) \rangle$, $m = O(\log(n))$, $a_1, \ldots, a_m \in R$
$H: (\text{small elements in } R)^m \to R$, $x = (x_1, \ldots, x_m) \mapsto H(x) = \sum_{i=1}^{m} a_i x_i$
Signature Key: $x, y \in R^m$ "very small"
Verification Key: $(H(x), H(y))$
Signature of $z \in R$ ("very small"): $s = xz + y$
Verification: $H(s) = H(x)z + H(y)$
Signature and hash of same size!
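The LM-OTS key generation, signing and verification of the slide above, as an added example that is not part of the original slides: it instantiates $R$ as $\mathbb{Z}_p[x]/(x^n + 1)$ with toy parameters $n = 8$, $p = 257$, $m = 4$ (all assumptions chosen here, far too small for real security) and checks that $H(s) = H(x)z + H(y)$ holds for a genuine signature and fails once one coefficient of the message is changed.

```python
import random

# Toy parameters, constructed for this example and far too small for real use:
# R = Z_P[x]/(x^N + 1), so f(x) = x^N + 1 is an assumption; M ring elements per key.
N, P, M = 8, 257, 4

def ring_add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]

def ring_mul(a, b):                   # schoolbook product in Z_P[x]/(x^N + 1), x^N = -1
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            k, sgn = (i + j, 1) if i + j < N else (i + j - N, -1)
            res[k] = (res[k] + sgn * ai * bj) % P
    return res

def hash_H(a, xs):                    # H(x_1..x_M) = sum_i a_i * x_i, linear in x
    acc = [0] * N
    for ai, xi in zip(a, xs):
        acc = ring_add(acc, ring_mul(ai, xi))
    return acc

def is_small(poly, bound):            # coefficients lie in [0, P); small = near 0 or near P
    return all(min(c, P - c) <= bound for c in poly)

def keygen(rng):                      # public H = (a_1..a_M); x, y with coefficients in {-1,0,1}
    a = [[rng.randrange(P) for _ in range(N)] for _ in range(M)]
    x = [[rng.randrange(-1, 2) for _ in range(N)] for _ in range(M)]
    y = [[rng.randrange(-1, 2) for _ in range(N)] for _ in range(M)]
    return a, (x, y), (hash_H(a, x), hash_H(a, y))

def sign(sk, z):                      # s = x*z + y componentwise, z a small element of R
    x, y = sk
    return [ring_add(ring_mul(xi, z), yi) for xi, yi in zip(x, y)]

def verify(a, vk, z, s):
    # H(s) == H(x)*z + H(y) needs only the verification key. The size bound keeps s
    # inside the domain of H (|x_i z| <= N, |y_i| <= 1); the slide leaves it implicit.
    hx, hy = vk
    return all(is_small(si, N + 1) for si in s) and hash_H(a, s) == ring_add(ring_mul(hx, z), hy)

def demo(seed=1):                     # keygen, one signature, genuine vs. tampered message
    rng = random.Random(seed)         # demo only; real keys need a CSPRNG
    a, sk, vk = keygen(rng)
    z = [1, 0, 1, 1, 0, 0, 1, 0]      # constructed small message element of R
    s = sign(sk, z)
    z_bad = [1 - z[0]] + z[1:]        # flip one message coefficient
    return verify(a, vk, z, s), verify(a, vk, z_bad, s)
```

The size check in `verify` is added here because $H$ is collision-resistant only on small inputs; the slide states just the linear identity.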
![Page 31](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/31.jpg)
Security of LM-OTS
Model: Forger is given $H$, $H(x)$, $H(y)$; obtains a signature $s$ of a $z$ of her choice; forges a signature $s'$ of $z'$ with $(s', z')$ different from $(s, z)$
ML 2006: Forging a signature for random $H$ implies being able to find very short vectors in ideal lattices $L(I) = \{ (a_0, \ldots, a_{n-1}) \in \mathbb{Z}^n : \sum_{i=0}^{n-1} a_i x^i + \langle f \rangle \in I \}$
![Page 32](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/32.jpg)
Security of LM-OTS
1. There are many $x', y'$ with $H(x) = H(x')$, $H(y) = H(y')$.
2. $(H, H(x), H(y), s, z)$ yields negligible information about $x, y$.
3. Forger produces a signature $s'$ that differs from $xz' + y$.
4. Collision of $H$: $H(s') = H(x)z' + H(y) = H(xz' + y)$
![Page 33](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/33.jpg)
LM-OTS practical?
![Page 34](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/34.jpg)
Difficulty of $\gamma$-SVP?
Lattice Challenge!
![Page 35](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/35.jpg)
Lattice Challenge
B., Rückert, Lindner 2008
![Page 36](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/36.jpg)
Lattice challenge
Dirichlet: $L(c_1, c_2, n, X)$ contains a vector of length $< n$
Ajtai: If there is a polynomial time algorithm for finding a vector of length $< n$ in $L(c_1, c_2, n, X)$ for a random $X$ (dimension $m > n$), then hard lattice problems can be solved in all lattices of dimension $n$ ($< m$)
![Page 37](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/37.jpg)
Lattice challenge
$L(c_1, c_2, n, X)$
$c_2 = 1$, $m$ = challenge dimension, $c_2 = c_2(n)$, $q = n = n(m)$
$X$ from digits of $\pi$
$\gamma = n / d(L)^{1/m}$
Gama, Nguyen 2008: if $\gamma < 1.005^m$, then finding a vector of length $< n$ is totally out of reach
![Page 38](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/38.jpg)
www.LatticeChallenge.org
![Page 39](https://reader034.fdocuments.in/reader034/viewer/2022052514/5a4d1af17f8b9ab05997e4ef/html5/thumbnails/39.jpg)
Thank you