Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Lattice-based Signatures

242 views

Published on

This presentation on Lattice-based Digital Signatures from April 2018 was given to the Chinese academy of science from OnBoard Security's Zhenfei Zhang.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Lattice-based Signatures

  1. 1. Lattice based signatures Zhenfei Zhang zzhang@onboardsecurity.com April 27, 2018 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 1 / 29
  2. 2. Our company Previously known as NTRU Cryptosystem Inc., . . . . . . then Security Innovation, . . . Three focus area: Lattice based cryptographic research; V2X security; Editor of IEEE 1609.2 WAVE standard Trusted Computing and TPMs; Chair for TCG software stack working group and Virtualized Platform working group Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 2 / 29
  3. 3. Why lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  4. 4. Why lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  5. 5. Why lattice Lattice leads to the knowledge of everything! Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  6. 6. Why lattice Lattice leads to the knowledge of everything! (WRONG!) Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  7. 7. Why lattice the real reason 1994, Shor’s algorithm, break RSA and ECC with quantum computers; 2015, NSA announcement: prepare for the quantum apocalypse; 2017, NIST call for competition/standardization; 2030(?), predicted general purpose quantum computers; bonus points Good understanding of underlying hard problem; Fast, parallelable, hardware friendly; Numerous applications: FHE, ABE, MMap, obfuscation, . . . Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 4 / 29
  8. 8. Why lattice the real reason 2030(?), predicted general purpose quantum computers; Data vaulting attack A.k.a., harvest-then-decrypt attack Data need to be secret for, say, 30 years; Quantum computer arrives in, say, 15 years; Perhaps the most practical attack in cryptography! Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 5 / 29
  9. 9. Figure source: https://nsa.gov1.info/utah-data-center/ Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 6 / 29
  10. 10. Figure source: https://csrc.nist.gov/projects/post-quantum- cryptography/post-quantum-cryptography-standardization Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 7 / 29
  11. 11. Source: https://csrc.nist.gov/Presentations/2018/PQ-Crypto-A-New- Proposed-Framework Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 8 / 29
  12. 12. This talk Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 9 / 29
  13. 13. This talk Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 10 / 29
  14. 14. Figure source: Wendy Cordero’s High School Math Site Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 11 / 29
  15. 15. Lattice Definition of a Lattice All the integral combinations of d ≤ n linearly independent vectors over R L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z} d dimension. B = (b1, . . . , bd ) is a basis. An example B = 5 1 2 √ 3 3 5 √ 2 1 d = 2 ≤ n = 3 In this talk, full rank integer Basis: B ∈ Zn,n. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 12 / 29
  16. 16. Example A lattice L B = 8 5 5 16 All lattice crypto talks start with an image of a dim-2 lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  17. 17. Example A lattice L UB = 1 0 −1 1 8 5 5 16 = 8 5 −3 11 An infinity of basis Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  18. 18. Example A lattice L UB = 1 0 1 1 8 5 5 16 = 8 5 13 21 An infinity of basis Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  19. 19. Example A lattice L UB = 3 1 2 1 8 5 5 16 = 29 31 21 26 An infinity of basis Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  20. 20. Example The Shortest Vector and The First Minima v = 8 5 , with λ1 = 82 + 52 = 9.434 The Shortest Vector Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  21. 21. Example The Determinant det L = det (BBT ) = 103 The Fundamental Parallelepiped Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  22. 22. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 14 / 29
  23. 23. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x) Compute h (x) = f (x) × g(x) over Z[x] Reduce h (x) mod (xN − 1) mod q Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 14 / 29
  24. 24. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x), alternatively h0, . . . , hN−1 = f0, . . . , fN−1 ×        g0 g1 g2 . . . gN−1 gN−1 g0 g1 . . . gN−2 gN−2 gN−1 g0 . . . gN−3 ... ... ... ... ... g1 g2 g3 . . . g0        mod q Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 14 / 29
  25. 25. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  26. 26. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice qIN 0 H IN ..=               q 0 . . . 0 0 0 . . . 0 0 q . . . 0 0 0 . . . 0 ... ... ... ... ... ... ... ... 0 0 . . . q 0 0 . . . 0 h0 h1 . . . hN−1 1 0 . . . 0 hN−1 h0 . . . hN−2 0 1 . . . 0 ... ... ... ... ... ... ... ... h1 h2 . . . h0 0 0 . . . 1               Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  27. 27. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  28. 28. NTRU lattice The real NTRU assumption NTRU lattice behaves the same as random lattices. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  29. 29. NTRU lattice vs random lattice 256 0 172 1 256 0 17 1 (g, f ) = (1, 3) v = (17, 1) Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 16 / 29
  30. 30. Lattice signatures GGHSign hash-then-sign generic lattice NTRUSign hash-then-sign NTRU lattice Fiat Shamir with abort FS, Rejection sampling generic lattice GPV hash-then-sign generic lattice BLISS FS, Rejection sampling NTRU lattice Dilithium FS, Rejection sampling generic lattice Falcon hash-then-sign NTRU lattice pqNTRUSign HTS, Rejection sampling NTRU lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 17 / 29
  31. 31. GGHSign Signing key: a good basis B Verification key a bad basis H Sign Hash message to a vector v Use B to find the closest vector c (Babai’s algorithm) Verification Check Dist(v − c) is small NTRUSign Good basis: (g,f) Bad basis: h Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 18 / 29
  32. 32. Transcript security Breaks GGHSign, NTRUSign; Each signature is a vector close to the lattice (info leakage); Recover enough of distance vectors (blue dots) gives away a good basis of the lattice; Seal the leakage with rejection sampling. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 19 / 29
  33. 33. GPV sampler: a randomized Babai function The idea A trapdoored lattice L, i.e. L⊥ A := {v : Av = 0 mod q}, Lh := {(u, v) : uh = v mod q} A trapdoor S, or (g, f ), and a smooth parameter ηε(L) A target lattice point v Outputs another vector s, s.t. s is uniform over L dist(s, v) Gaussian over Zn Bottle neck: trapdoor generation Bonsai Tree, Gadget matrix, . . . Falcon = GPV + NTRUSign + more ticks Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 20 / 29
  34. 34. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 21 / 29
  35. 35. Falcon Public key security: recover f and g from h; Forgery: as hard as finding a preimage for GPV without secret key Transcript security: output is already Gaussian independent from secret basis; no need for rejection sampling. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 22 / 29
  36. 36. Modular Lattice Signatures The core idea Given a lattice L with a trapdoor T, a message m, find a vector v v ∈ L v ≡ hash(m) mod p Can be instantiated via any trapdoored lattice SIS, R-SIS, R-LWE, etc pqNTRUSign is an efficient instantiation using NTRU lattice Efficient trapdoor f , g. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 23 / 29
  37. 37. pqNTRUSign Sign (f , g, h = g/f , p = 3, R, m) Hash message into a “mod p” vector vp, up = hash(m|h) Repeat with rejection sampling: Sample v0 from certain distribution; compute v1 = p × v0 + vp Find a random lattice vector v1, u1 = v1 · I, h “v-side” meets the congruent condition. Micro-adjust “u-side” using trapdoor f and g Compute a = (u1 − up) · g−1 mod p Compute v2, u2 = a · p × f , g Compute v, u = v1, u1 + v2, u2 Output v as signature Remark v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 24 / 29
  38. 38. pqNTRUSign Verify (h, p = 3, R, m, v) Hash message into a “mod p” vector vp, up = hash(m|h) Reconstruct the lattice vector v, u = v · I, h Check vp, up = hash(m|h) Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 25 / 29
  39. 39. pqNTRUSign Public key security: recover f and g from h; Forgery: as hard as solving an approx.-SVP in an intersected lattice; Transcript security - achieved via rejection sampling. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 26 / 29
  40. 40. Rejection Sampling Consider b ..= v0 + a · f “large” v0 drawn from uniform or Gaussian; “small” a drawn from sparse trinary/binary; sparse trinary/binary f is the secret. RS on b b follows certain publicly known distribution independent from f ; for two secret keys f1, f2 and a signature b, one is not able to tell which key signs b - witness indistinguishability. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 27 / 29
  41. 41. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , q 2 ]N Accept b when b is in [−q 2 + B, q 2 − B]N Before rejection 0.0005 0.0006 0.0007 0.0008 0.0009 0.001 0.0011 -600 -400 -200 0 200 400 600 "notuniforminq" 1/1031.0 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 28 / 29
  42. 42. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , q 2 ]N Accept b when b is in [−q 2 + B, q 2 − B]N After rejection 0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 -600 -400 -200 0 200 400 600 "uniforminq" 1/1021.0 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 28 / 29
  43. 43. Rejection Sampling Rejection sampling on Gaussian Sample v0 from discrete Gaussian χN σ Accept b when b is Gaussian Before/after rejection Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 28 / 29
  44. 44. Thanks! to study the underlying principle to acquire knowledge (idiom); pursuing knowledge to the end. Figure source: Google Image & www.hsjushi.com Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 29 / 29

×