Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Lattice based signatures
Zhenfei Zhang
zzhang@onboardsecurity.com
April 27, 2018
Z.Zhang (OnBoard Security Inc.) NTRU cryp...
Our company
Previously known as NTRU Cryptosystem Inc., . . .
. . . then Security Innovation, . . .
Three focus area:
Latt...
Why lattice
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
Why lattice
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
Why lattice
Lattice leads to the knowledge of everything!
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2...
Why lattice
the real reason
1994, Shor’s algorithm, break RSA and ECC with quantum
computers;
2015, NSA announcement: prep...
Why lattice
the real reason
2030(?), predicted general purpose quantum computers;
Data vaulting attack
A.k.a., harvest-the...
Figure source: https://nsa.gov1.info/utah-data-center/
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 6 / 29
Figure source: https://csrc.nist.gov/projects/post-quantum-
cryptography/post-quantum-cryptography-standardization
Z.Zhang...
Source: https://csrc.nist.gov/Presentations/2018/PQ-Crypto-A-New-
Proposed-Framework
Z.Zhang (OnBoard Security Inc.) NTRU ...
This talk
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 9 / 29
This talk
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 10 / 29
Figure source: Wendy Cordero’s High School Math Site
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 11 / 29
Lattice
Definition of a Lattice
All the integral combinations of d ≤ n linearly independent vectors
over R
L = Z b1 + · · ·...
Example
A lattice L
B =
8 5
5 16
All lattice crypto talks start with an image of a dim-2 lattice
Z.Zhang (OnBoard Security...
Example
A lattice L
UB =
1 0
−1 1
8 5
5 16
=
8 5
−3 11
An infinity of basis
Z.Zhang (OnBoard Security Inc.) NTRU crypto Apr...
Example
A lattice L
UB =
1 0
1 1
8 5
5 16
=
8 5
13 21
An infinity of basis
Z.Zhang (OnBoard Security Inc.) NTRU crypto Apri...
Example
A lattice L
UB =
3 1
2 1
8 5
5 16
=
29 31
21 26
An infinity of basis
Z.Zhang (OnBoard Security Inc.) NTRU crypto Ap...
Example
The Shortest Vector and The First Minima
v = 8 5 , with λ1 = 82 + 52 = 9.434
The Shortest Vector
Z.Zhang (OnBoard ...
Example
The Determinant
det L = det (BBT ) = 103
The Fundamental Parallelepiped
Z.Zhang (OnBoard Security Inc.) NTRU crypt...
NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime...
NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime...
NTRU lattice
NTRU ring
Originally: Zq[x]/(xN − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(xN − x − 1), q a prime...
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a ...
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a ...
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g; it is hard to
distinguish h = f /g from a ...
NTRU lattice
The real NTRU assumption
NTRU lattice behaves the same as random lattices.
NTRU lattice L =
qIN 0
H IN
g, f (...
NTRU lattice vs random lattice
256 0
172 1
256 0
17 1
(g, f ) = (1, 3) v = (17, 1)
Z.Zhang (OnBoard Security Inc.) NTRU cr...
Lattice signatures
GGHSign hash-then-sign generic lattice
NTRUSign hash-then-sign NTRU lattice
Fiat Shamir with abort FS, ...
GGHSign
Signing key: a good basis B
Verification key a bad basis H
Sign
Hash message to a vector v
Use B to find the closest...
Transcript security
Breaks GGHSign, NTRUSign;
Each signature is a vector close
to the lattice (info leakage);
Recover enou...
GPV sampler: a randomized Babai function
The idea
A trapdoored lattice L, i.e.
L⊥
A := {v : Av = 0 mod q}, Lh := {(u, v) :...
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 21 / 29
Falcon
Public key security: recover f and g from h;
Forgery: as hard as finding a preimage for GPV without secret key
Trans...
Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T, a message m, find a vector v
v ∈ L
v ≡ hash(m...
pqNTRUSign
Sign (f , g, h = g/f , p = 3, R, m)
Hash message into a “mod p” vector vp, up = hash(m|h)
Repeat with rejection...
pqNTRUSign
Verify (h, p = 3, R, m, v)
Hash message into a “mod p” vector vp, up = hash(m|h)
Reconstruct the lattice vector...
pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approx.-SVP in an intersected latti...
Rejection Sampling
Consider b ..= v0 + a · f
“large” v0 drawn from uniform or Gaussian;
“small” a drawn from sparse trinar...
Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , q
2 ]N
Accept b when b is in [−q
2 + B, ...
Rejection Sampling
Rejection sampling on Uniform
Sample v0 uniformly from [−q
2 , q
2 ]N
Accept b when b is in [−q
2 + B, ...
Rejection Sampling
Rejection sampling on Gaussian
Sample v0 from discrete Gaussian χN
σ
Accept b when b is Gaussian
Before...
Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Goog...
Upcoming SlideShare
Loading in …5
×

Lattice-based Signatures

395 views

Published on

This presentation on Lattice-based Digital Signatures from April 2018 was given to the Chinese academy of science from OnBoard Security's Zhenfei Zhang.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

Lattice-based Signatures

  1. 1. Lattice based signatures Zhenfei Zhang zzhang@onboardsecurity.com April 27, 2018 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 1 / 29
  2. 2. Our company Previously known as NTRU Cryptosystem Inc., . . . . . . then Security Innovation, . . . Three focus area: Lattice based cryptographic research; V2X security; Editor of IEEE 1609.2 WAVE standard Trusted Computing and TPMs; Chair for TCG software stack working group and Virtualized Platform working group Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 2 / 29
  3. 3. Why lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  4. 4. Why lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  5. 5. Why lattice Lattice leads to the knowledge of everything! Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  6. 6. Why lattice Lattice leads to the knowledge of everything! (WRONG!) Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 3 / 29
  7. 7. Why lattice the real reason 1994, Shor’s algorithm, break RSA and ECC with quantum computers; 2015, NSA announcement: prepare for the quantum apocalypse; 2017, NIST call for competition/standardization; 2030(?), predicted general purpose quantum computers; bonus points Good understanding of underlying hard problem; Fast, parallelable, hardware friendly; Numerous applications: FHE, ABE, MMap, obfuscation, . . . Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 4 / 29
  8. 8. Why lattice the real reason 2030(?), predicted general purpose quantum computers; Data vaulting attack A.k.a., harvest-then-decrypt attack Data need to be secret for, say, 30 years; Quantum computer arrives in, say, 15 years; Perhaps the most practical attack in cryptography! Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 5 / 29
  9. 9. Figure source: https://nsa.gov1.info/utah-data-center/ Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 6 / 29
  10. 10. Figure source: https://csrc.nist.gov/projects/post-quantum- cryptography/post-quantum-cryptography-standardization Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 7 / 29
  11. 11. Source: https://csrc.nist.gov/Presentations/2018/PQ-Crypto-A-New- Proposed-Framework Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 8 / 29
  12. 12. This talk Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 9 / 29
  13. 13. This talk Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 10 / 29
  14. 14. Figure source: Wendy Cordero’s High School Math Site Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 11 / 29
  15. 15. Lattice Definition of a Lattice All the integral combinations of d ≤ n linearly independent vectors over R L = Z b1 + · · · + Z bd = {λ1b1 + · · · + λd bd : λi ∈ Z} d dimension. B = (b1, . . . , bd ) is a basis. An example B = 5 1 2 √ 3 3 5 √ 2 1 d = 2 ≤ n = 3 In this talk, full rank integer Basis: B ∈ Zn,n. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 12 / 29
  16. 16. Example A lattice L B = 8 5 5 16 All lattice crypto talks start with an image of a dim-2 lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  17. 17. Example A lattice L UB = 1 0 −1 1 8 5 5 16 = 8 5 −3 11 An infinity of basis Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  18. 18. Example A lattice L UB = 1 0 1 1 8 5 5 16 = 8 5 13 21 An infinity of basis Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  19. 19. Example A lattice L UB = 3 1 2 1 8 5 5 16 = 29 31 21 26 An infinity of basis Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  20. 20. Example The Shortest Vector and The First Minima v = 8 5 , with λ1 = 82 + 52 = 9.434 The Shortest Vector Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  21. 21. Example The Determinant det L = det (BBT ) = 103 The Fundamental Parallelepiped Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 13 / 29
  22. 22. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 14 / 29
  23. 23. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x) Compute h (x) = f (x) × g(x) over Z[x] Reduce h (x) mod (xN − 1) mod q Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 14 / 29
  24. 24. NTRU lattice NTRU ring Originally: Zq[x]/(xN − 1), q a power of 2, N a prime; Alternative 1: Zq[x]/(xN − x − 1), q a prime; Alternative 2: Zq[x]/(xN + 1), q a prime, N a power of 2 Ring multiplications: h(x) = f (x) · g(x), alternatively h0, . . . , hN−1 = f0, . . . , fN−1 ×        g0 g1 g2 . . . gN−1 gN−1 g0 g1 . . . gN−2 gN−2 gN−1 g0 . . . gN−3 ... ... ... ... ... g1 g2 g3 . . . g0        mod q Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 14 / 29
  25. 25. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  26. 26. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice qIN 0 H IN ..=               q 0 . . . 0 0 0 . . . 0 0 q . . . 0 0 0 . . . 0 ... ... ... ... ... ... ... ... 0 0 . . . q 0 0 . . . 0 h0 h1 . . . hN−1 1 0 . . . 0 hN−1 h0 . . . hN−2 0 1 . . . 0 ... ... ... ... ... ... ... ... h1 h2 . . . h0 0 0 . . . 1               Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  27. 27. NTRU lattice NTRU assumption Decisional: given two small ring elements f and g; it is hard to distinguish h = f /g from a uniformly random ring element; Computational: given h, find f and g. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  28. 28. NTRU lattice The real NTRU assumption NTRU lattice behaves the same as random lattices. NTRU lattice L = qIN 0 H IN g, f (and its cyclic rotations) are unique shortest vectors in L; Decisional problem: decide if L has unique shortest vectors; Computational problem: find those vectors. Both are hard for random lattices. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 15 / 29
  29. 29. NTRU lattice vs random lattice 256 0 172 1 256 0 17 1 (g, f ) = (1, 3) v = (17, 1) Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 16 / 29
  30. 30. Lattice signatures GGHSign hash-then-sign generic lattice NTRUSign hash-then-sign NTRU lattice Fiat Shamir with abort FS, Rejection sampling generic lattice GPV hash-then-sign generic lattice BLISS FS, Rejection sampling NTRU lattice Dilithium FS, Rejection sampling generic lattice Falcon hash-then-sign NTRU lattice pqNTRUSign HTS, Rejection sampling NTRU lattice Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 17 / 29
  31. 31. GGHSign Signing key: a good basis B Verification key a bad basis H Sign Hash message to a vector v Use B to find the closest vector c (Babai’s algorithm) Verification Check Dist(v − c) is small NTRUSign Good basis: (g,f) Bad basis: h Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 18 / 29
  32. 32. Transcript security Breaks GGHSign, NTRUSign; Each signature is a vector close to the lattice (info leakage); Recover enough of distance vectors (blue dots) gives away a good basis of the lattice; Seal the leakage with rejection sampling. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 19 / 29
  33. 33. GPV sampler: a randomized Babai function The idea A trapdoored lattice L, i.e. L⊥ A := {v : Av = 0 mod q}, Lh := {(u, v) : uh = v mod q} A trapdoor S, or (g, f ), and a smooth parameter ηε(L) A target lattice point v Outputs another vector s, s.t. s is uniform over L dist(s, v) Gaussian over Zn Bottle neck: trapdoor generation Bonsai Tree, Gadget matrix, . . . Falcon = GPV + NTRUSign + more ticks Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 20 / 29
  34. 34. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 21 / 29
  35. 35. Falcon Public key security: recover f and g from h; Forgery: as hard as finding a preimage for GPV without secret key Transcript security: output is already Gaussian independent from secret basis; no need for rejection sampling. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 22 / 29
  36. 36. Modular Lattice Signatures The core idea Given a lattice L with a trapdoor T, a message m, find a vector v v ∈ L v ≡ hash(m) mod p Can be instantiated via any trapdoored lattice SIS, R-SIS, R-LWE, etc pqNTRUSign is an efficient instantiation using NTRU lattice Efficient trapdoor f , g. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 23 / 29
  37. 37. pqNTRUSign Sign (f , g, h = g/f , p = 3, R, m) Hash message into a “mod p” vector vp, up = hash(m|h) Repeat with rejection sampling: Sample v0 from certain distribution; compute v1 = p × v0 + vp Find a random lattice vector v1, u1 = v1 · I, h “v-side” meets the congruent condition. Micro-adjust “u-side” using trapdoor f and g Compute a = (u1 − up) · g−1 mod p Compute v2, u2 = a · p × f , g Compute v, u = v1, u1 + v2, u2 Output v as signature Remark v = v1 + v2 = (p × v0 + vp) + p × a · f = p × (v0 + a · f ) + vp Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 24 / 29
  38. 38. pqNTRUSign Verify (h, p = 3, R, m, v) Hash message into a “mod p” vector vp, up = hash(m|h) Reconstruct the lattice vector v, u = v · I, h Check vp, up = hash(m|h) Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 25 / 29
  39. 39. pqNTRUSign Public key security: recover f and g from h; Forgery: as hard as solving an approx.-SVP in an intersected lattice; Transcript security - achieved via rejection sampling. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 26 / 29
  40. 40. Rejection Sampling Consider b ..= v0 + a · f “large” v0 drawn from uniform or Gaussian; “small” a drawn from sparse trinary/binary; sparse trinary/binary f is the secret. RS on b b follows certain publicly known distribution independent from f ; for two secret keys f1, f2 and a signature b, one is not able to tell which key signs b - witness indistinguishability. Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 27 / 29
  41. 41. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , q 2 ]N Accept b when b is in [−q 2 + B, q 2 − B]N Before rejection 0.0005 0.0006 0.0007 0.0008 0.0009 0.001 0.0011 -600 -400 -200 0 200 400 600 "notuniforminq" 1/1031.0 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 28 / 29
  42. 42. Rejection Sampling Rejection sampling on Uniform Sample v0 uniformly from [−q 2 , q 2 ]N Accept b when b is in [−q 2 + B, q 2 − B]N After rejection 0 0.0002 0.0004 0.0006 0.0008 0.001 0.0012 -600 -400 -200 0 200 400 600 "uniforminq" 1/1021.0 Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 28 / 29
  43. 43. Rejection Sampling Rejection sampling on Gaussian Sample v0 from discrete Gaussian χN σ Accept b when b is Gaussian Before/after rejection Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 28 / 29
  44. 44. Thanks! to study the underlying principle to acquire knowledge (idiom); pursuing knowledge to the end. Figure source: Google Image & www.hsjushi.com Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 29 / 29

×