SlideShare a Scribd company logo

Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE

Priyanka Aash
Priyanka Aash

Destructive and constructive methods in lattice-based cryptography will be discussed. Topic 1: Cryptanalysis of Compact-LWE Authors: Jonathan Bootle; Mehdi Tibouchi; Keita Xagawa Topic 2: Two-message Key Exchange with Strong Security from Ideal Lattices Authors: Zheng Yang; Yu Chen; Song Luo (Source: RSA Conference USA 2018)

Technology
1 of 46
Download to read offline
SESSION ID: #RSAC Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa CRYPTANALYSIS OF COMPACT-LWE CRYP-T10
Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Lattice-based cryptographic assumption Compact-LWE Based on the learning-with-errors (LWE) assumption Hoped to achieve security for smaller parameters
Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Proposed by Liu, Li, Kim, and Nepal at ACISP’17 invited talk Gives lightweight encryption scheme for constrained devices
Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Our contributions 1 2 3 LWE < Basic Decryption Attack Equivalent Secret Keys Parameter Choice Honest Decryption: 500 ciphertexts per second Our Decryption: 18,000 ciphertexts per second
Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Variant submitted to NIST post-quantum cryptography competition Cryptanalysed by us and others
#RSAC BACKGROUND
Presenter’s Company Logo – replace or delete on master slide #RSAC Lattices An 𝑛-dimensional lattice ℒ is A discrete additive subgroup of ℝ 𝑛 Generated by a basis ℬ = 𝒃1, … , 𝒃 𝑛 ℒ = ∑𝑖=1 𝑛 (ℤ ⋅ 𝒃𝑖)
Presenter’s Company Logo – replace or delete on master slide #RSAC Lattices Solve lattice problems by finding short vectors Example reduction algorithms are LLL and BKZ Add and subtract rows Find short basis vectors 𝒃1 𝒃2 → 𝒃1 ′ 𝒃2 ′ 𝒃2𝒃1 𝒃1 ′ 𝒃2 ′
Presenter’s Company Logo – replace or delete on master slide #RSAC Learning with Errors 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑒𝑖 𝒃 = 𝐴𝒔 + 𝒆 = + Noise values 𝑒𝑖 ← 𝜒 Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ 𝒁 𝑞 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞
Presenter’s Company Logo – replace or delete on master slide #RSAC Learning with Errors 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑒𝑖 𝒃 = 𝐴𝒔 + 𝒆 = + Noise values 𝑒𝑖 ← 𝜒 Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ 𝒁 𝑞 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 𝒃 and 𝐴 are public 𝒔 and 𝒆 are private Decision: does 𝒃, 𝐴 look random? Search: given 𝒃, 𝐴 , find 𝒔
Presenter’s Company Logo – replace or delete on master slide #RSAC Learning with Errors 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑒𝑖 𝒃 = 𝐴𝒔 + 𝒆 = + Noise values 𝑒𝑖 ← 𝜒 Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ 𝒁 𝑞 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 𝑚 samples Decision: does 𝒃, 𝐴 look random? Search: given 𝒃, 𝐴 , find 𝒔 Dimension 𝑛 secretsModulus q Noise distribution 𝜒
Presenter’s Company Logo – replace or delete on master slide #RSAC Compact-LWE 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor
Presenter’s Company Logo – replace or delete on master slide #RSAC Compact-LWE 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor 𝒃 and 𝐴 are public 𝒔, 𝒆 and the scaling factor are private Decision: does 𝒃, 𝐴 look random? Search: given 𝒃, 𝐴 , find 𝒔
Presenter’s Company Logo – replace or delete on master slide #RSAC Compact-LWE 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor maximum size of 𝐴 elements 𝑚 samples Dimension 𝑛 secrets modulo q Noise bound 𝑟 Scaling factor ingredients
Presenter’s Company Logo – replace or delete on master slide #RSAC Parameters Public Parameters 𝑝𝑝 = (𝑞, 𝑛, 𝑚, 𝑡, 𝑤, 𝑏) 𝑡, maximum plaintext size 𝑤, knapsack weight for encryption 𝑷𝑲 = (𝐴, 𝒃) Secret Parameters 𝑲 = (𝒔, 𝑠𝑘, 𝑟, 𝑝) 𝑛 + 1 < 𝑚 < 𝑛2 2𝑏 𝑏 𝑙𝑜𝑔2 𝑏 + 1 < 𝑞 2𝑙𝑜𝑔2 𝑏 < 𝑛 𝑡 ≤ 𝑝 𝑠𝑘 ⋅ 𝑡 − 1 + 𝑤𝑟𝑝 < 𝑞 𝑏 < 𝑟
Presenter’s Company Logo – replace or delete on master slide #RSAC Encryption Idea 16 𝑷𝑲 contains random-looking samples (𝒂𝑖, 𝑏𝑖) from (𝐴, 𝒃) Add knapsack of 𝑏𝑖 to hide message Include same knapsack of 𝒂𝑖 to allow decryption Enc 𝑷𝑲, 𝑣 : • Randomly pick 𝑤 samples (𝒂𝑖 𝑗 , 𝑏𝑖 𝑗 ) from 𝑷𝑲 • 𝒂, 𝑏 = ∑ 𝑗=1 𝑤 (𝒂𝑖 𝑗 , 𝑏𝑖 𝑗 ) • Return c = (𝒂, 𝑣 − 𝑏)
Presenter’s Company Logo – replace or delete on master slide #RSAC Comparison of Parameters 18 Compact-LWE Parameters Claims 138-bit security 𝑞 = 232 𝑛 = 13 𝑚 = 74 𝑡 = 216 , 𝑤 = 86, 𝑏 = 16 Lizard, Classical Parameters, 2016 Claims 128-bit security 𝑞 ≈ 210 𝑛 = 544 𝑚 = 840
Presenter’s Company Logo – replace or delete on master slide #RSAC Implementation Results 19 Implemented on MTM- CM5000-MSP device Contiki OS 50 encryptions per second 500 decryptions per second
#RSAC BASIC DECRYPTION ATTACK 20 1
Presenter’s Company Logo – replace or delete on master slide #RSAC Attack Strategy 21 c = 𝒂, 𝑣 − 𝑏 = 𝒂, 𝑏′ 𝒂, 𝑏 = ∑ 𝑗=1 𝑤 (𝒂𝑖 𝑗 , 𝑏𝑖 𝑗 ) Create lattice encoding knapsack Find a short vector with lattice reduction 1 𝟎 𝜅𝒂 𝟎 𝑡𝐼 𝑚 −𝜅𝐴 0 𝟎 𝟎 𝑏′ 𝒃 𝑞 Solves knapsack Recovers plaintext 1 𝟎 𝟎 𝑣
Presenter’s Company Logo – replace or delete on master slide #RSAC Experimental Results 22 Correctly decrypted 9998/10,000 random ciphertexts Roughly 16 decryptions per second 3.4 GHz Core i7-3770 desktop Sagemath, LLL in fplll Honest decryption: 500 decryptions per second, constrained device • One lattice reduction per ciphertext • Relies on low dimension n = 13
#RSAC SECRET KEY RECOVERY *equivalent secret key 23 12
Presenter’s Company Logo – replace or delete on master slide #RSAC Attack Strategy 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor 1. Recover scaling factor using lattice reduction 2. Find other secret values by brute force 3. Compute equivalent secret using lattice reduction
Presenter’s Company Logo – replace or delete on master slide #RSAC Step 1: Scale-factor Recovery 25 𝒃 = 𝐴𝒔 + 𝑘𝒆 Compute short 𝑈 such that 𝑈 𝑇 𝐴 = 0 𝑚𝑜𝑑 𝑞 𝑈𝒃 = 𝑘 ⋅ 𝑈𝒆 𝑚𝑜𝑑 𝑞 Short vector in (𝑈𝒃) 𝑇 𝑞𝐼 Public
Presenter’s Company Logo – replace or delete on master slide #RSAC Step 2: Recovering Secret Key Parameters 26 Secret scale-factor is 𝑘 = 𝑠𝑘 𝑞 −1 ⋅ 𝑝 Brute force search for 𝑠𝑘 and 𝑝 Use the values which maximise 𝑟 𝑠𝑘 ⋅ 𝑡 − 1 + 𝑤𝑟𝑝 < 𝑞
Presenter’s Company Logo – replace or delete on master slide #RSAC Step 3: Find an Equivalent Secret 27 Secret is a short lattice vector Use with modified decryption algorithm 𝐴 𝑇 0 𝑞𝐼 𝑚 0 𝑘−1 𝑡
Presenter’s Company Logo – replace or delete on master slide #RSAC Experimental Results 28 Correctly decrypted 10,000/10,000 random ciphertexts 1.28 seconds to get a key 53 microseconds per ciphertext Over 18,000 decryptions per second
#RSAC PARAMETER CHOICE 29 13 LWE <
Presenter’s Company Logo – replace or delete on master slide #RSAC Hardness Reductions 30 Breaking LWE Breaking Compact-LWE [LLKN17] Dimension 13 Dimension 13 Easy…
Presenter’s Company Logo – replace or delete on master slide #RSAC Hardness Reductions 31 Breaking LWE Breaking Compact-LWE [LLKN17] This work Lattice reduction, dimension 𝑚 3 lattice reductions, dimension ≤ 𝑚 + 1 Many attractive provable security properties
#RSAC THANKS! Version Attack Paper: https://eprint.iacr.org/2018/020.pdf Version Attack Code: https://goo.gl/2Vo3T7
SESSION ID: #RSAC Yu Chen TWO-MESSAGE KEY EXCHANGE WITH STRONG SECURITY FROM IDEAL LATTICES CRYP-T10 Associate Professor Institute of Information Engineering, Chinese Academy of Sciences
Two-message Key Exchange with Strong Security from Ideal Lattices Zheng Yang (University of Helsinki) Yu Chen (Chinese Academy of Sciences) Song Luo (Chongqing University of Technology) April 17th, CT-RSA 2018
Background: Two-message Key Exchange (TMKE) ➢Two-message Key exchange • Two messages: mid1, mid2——derived from party’s (ephemeral) secrets. • Shared session key K——computed from party’s (ephemeral) secrets and exchanged messages • Appealing to practice: low bandwidth and asynchronous communication Message generation function Session key generation function
The Simplest Example of TMKE ➢Seminal TMKE: Diffie-Hellman key exchange (DHKE) [DH76] • Cyclic group G =< g > of prime order p • Two messages: X, Y • Passively secure; active attacker can implement man-in-the middle attack
Motivation ➢Quantum computers are about to get real ➢DL, factoring, …., not hard against quantum algorithms ➢Lattice-based Cryptography • Quantum secure • Simple, efficient, and highly parallel ➢Existing Lattice-based AKE, e.g.: • AsiaCCS’13, Fujioka et al. , —— standard model, CK+ model without perfect forward secrecy (PFS) • Eurocrypt’15, Zhang et al., —— random oracle, BR model without PFS and leakage of ephemeral secret key • CT-RSA’14, Kurosawa and Furukawa (KF scheme) ——standard model, eCK model without PFS Is it Secure?
Overview of Our Results ➢ Revisit the security of the KF scheme (CT-RSA’14) • finding an attack ➢ Propose a new generic TMKE scheme • New cryptographic primitive: One-time CCA-secure KEM • Without random oracles • eCK-PFS model: known session key (KSK) , key compromise impersonation (KCI) , chosen identity and public key (CIDPK), ephemeral secret key leakage (ESKL), and perfect forward secrecy (PFS) ➢ Instantiation of TMKE from ideal lattices
The KF scheme ➢Building Blocks: Twisted PRF (TPRF), Signature (SIG), IND-CPA KEM (wKEM) ElGamal * *
Insecurity of the KF scheme: Attack test oracle test oracle is fresh and has no partner oracle at id1
Insecurity of the KF scheme: Problems Not tied to session info unknown key share One-time CCA attack against the KEM, CPA-secure KEM does not suffice
How to remedy the KF scheme? ➢ Main idea • Enhance the security of KEM • CPA to one-time CCA • Employ Key Derivation function • bind the session key with session specific information to defend active attacks
Our New Generic TMKE Protocol ➢ Building blocks • One-time KEM (OTKEM): encapsulate the session key • Signature (SIG): authenticate exchanged messages • IND-CPA KEM (wKEM): implement NAXOS trick against ephemeral key leakage (generate the pk for OTKEM) • Pseudo-random function (PRF): act as KDF to bind session key with session specific information
A New Generic TMKE Protocol All protocol messages
Instantiations from Ideal Lattices ➢ Building blocks’ instantiations from existing works: • Signature (SIG): Ruckert (PQCrypto’10) • IND-CPA KEM (wKEM): Peikert (PQCrypto’14). • Pseudo-random function (PRF): Banrjee et al. (Eurocrypt’12) • One-time KEM (OTKEM): q-bounded IND-CCA KEM (q=1), Cramer et al. Asiacrypt’07 (less efficient) Can we build efficient OTKEM from ideal lattices?
Efficient OTKEM from Ideal Lattices ➢ Direct construction • Ring-Learning with Errors (RLWE): • Target collision resistant hash function (TCRHF): Similar to construction of OTS from OWF n
Thank you very much for your attention!

Recommended

Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyAlexandre Augusto Giron
 
Lattice Cryptography
Lattice CryptographyLattice Cryptography
Lattice CryptographyPriyanka Aash
 
Quantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerQuantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerGokul Alex
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Consensus Algorithms.pptx
Consensus Algorithms.pptxConsensus Algorithms.pptx
Consensus Algorithms.pptxRajapriya82
 
Cryptanalysis 101
Cryptanalysis 101Cryptanalysis 101
Cryptanalysis 101rahat ali
 
Hash function
Hash functionHash function
Hash functionHarry Potter
 
Lattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemLattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemVarun Janga
 

Recommended

Introduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyIntroduction - Lattice-based Cryptography
Introduction - Lattice-based CryptographyAlexandre Augusto Giron
 
Lattice Cryptography
Lattice CryptographyLattice Cryptography
Lattice CryptographyPriyanka Aash
 
Quantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerQuantum Knowledge Proofs and Post Quantum Cryptography - A Primer
Quantum Knowledge Proofs and Post Quantum Cryptography - A PrimerGokul Alex
 
Cryptography.ppt
Cryptography.pptCryptography.ppt
Cryptography.pptUday Meena
 
Consensus Algorithms.pptx
Consensus Algorithms.pptxConsensus Algorithms.pptx
Consensus Algorithms.pptxRajapriya82
 
Cryptanalysis 101
Cryptanalysis 101Cryptanalysis 101
Cryptanalysis 101rahat ali
 
Hash function
Hash functionHash function
Hash functionHarry Potter
 
Lattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemLattice Based Cryptography - GGH Cryptosystem
Lattice Based Cryptography - GGH CryptosystemVarun Janga
 
Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adlemanHossain Md Shakhawat
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptographyCysinfo Cyber Security Community
 
Emily Stamm - Post-Quantum Cryptography
Emily Stamm - Post-Quantum CryptographyEmily Stamm - Post-Quantum Cryptography
Emily Stamm - Post-Quantum CryptographyCSNP
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta
 
RSA
RSARSA
RSAbansidhar11
 
Quantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfQuantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfRonSteinfeld1
 
Cryptography
CryptographyCryptography
Cryptographygueste4c97e
 
Network Security Primer
Network Security PrimerNetwork Security Primer
Network Security PrimerVenkatesh Iyer
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA AlgorithmSrinadh Muvva
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5koolkampus
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 
Ch01
Ch01Ch01
Ch01n C
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemoSamia Elsayed
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Hardik Manocha
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
AES.ppt
AES.pptAES.ppt
AES.pptssuser6602e0
 
Post quantum cryptography - thesis
Post quantum cryptography - thesisPost quantum cryptography - thesis
Post quantum cryptography - thesisSamy Shehata
 
A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Peter Lawrey
 

More Related Content

What's hot

Emily Stamm - Post-Quantum Cryptography
Emily Stamm - Post-Quantum CryptographyEmily Stamm - Post-Quantum Cryptography
Emily Stamm - Post-Quantum CryptographyCSNP
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofArunanand Ta
 
Quantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfQuantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfRonSteinfeld1
 
Network Security Primer
Network Security PrimerNetwork Security Primer
Network Security PrimerVenkatesh Iyer
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5koolkampus
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionSam Bowne
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to CryptographyPopescu Petre
 
Ch01
Ch01Ch01
Ch01n C
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Hardik Manocha
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYKathirvel Ayyaswamy
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxUrjaDhabarde
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication CodesDarshanPatil82
 
Post quantum cryptography - thesis
Post quantum cryptography - thesisPost quantum cryptography - thesis
Post quantum cryptography - thesisSamy Shehata
 

What's hot (20)

Rsa rivest shamir adleman
Rsa rivest shamir adlemanRsa rivest shamir adleman
Rsa rivest shamir adleman
 
Elliptic curve cryptography
Elliptic curve cryptographyElliptic curve cryptography
Elliptic curve cryptography
 
Emily Stamm - Post-Quantum Cryptography
Emily Stamm - Post-Quantum CryptographyEmily Stamm - Post-Quantum Cryptography
Emily Stamm - Post-Quantum Cryptography
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge Proof
 
RSA
RSARSA
RSA
 
Quantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdfQuantum_Safe_Crypto_Overview_v3.pdf
Quantum_Safe_Crypto_Overview_v3.pdf
 
Cryptography
CryptographyCryptography
Cryptography
 
Network Security Primer
Network Security PrimerNetwork Security Primer
Network Security Primer
 
RSA Algorithm
RSA AlgorithmRSA Algorithm
RSA Algorithm
 
E-mail Security in Network Security NS5
E-mail Security in Network Security NS5E-mail Security in Network Security NS5
E-mail Security in Network Security NS5
 
CNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated EncryptionCNIT 141: 8. Authenticated Encryption
CNIT 141: 8. Authenticated Encryption
 
Introduction to Cryptography
Introduction to CryptographyIntroduction to Cryptography
Introduction to Cryptography
 
Ch01
Ch01Ch01
Ch01
 
Ch02 classic nemo
Ch02 classic nemoCh02 classic nemo
Ch02 classic nemo
 
Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES) Triple Data Encryption Standard (t-DES)
Triple Data Encryption Standard (t-DES)
 
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITYCS6701 CRYPTOGRAPHY AND NETWORK SECURITY
CS6701 CRYPTOGRAPHY AND NETWORK SECURITY
 
Topic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptxTopic20 The RC4 Algorithm.pptx
Topic20 The RC4 Algorithm.pptx
 
MAC-Message Authentication Codes
MAC-Message Authentication CodesMAC-Message Authentication Codes
MAC-Message Authentication Codes
 
AES.ppt
AES.pptAES.ppt
AES.ppt
 
Post quantum cryptography - thesis
Post quantum cryptography - thesisPost quantum cryptography - thesis
Post quantum cryptography - thesis
 

Similar to Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE

A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREJames Wickett
 
Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Peter Lawrey
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsPriyanka Aash
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPPositive Hack Days
 
Getting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleGetting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleDmitry Iudin
 
How to lock a Python in a cage? Managing Python environment inside an R project
How to lock a Python in a cage? Managing Python environment inside an R projectHow to lock a Python in a cage? Managing Python environment inside an R project
How to lock a Python in a cage? Managing Python environment inside an R projectWLOG Solutions
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictPriyanka Aash
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsJonathan Salwan
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesPriyanka Aash
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityDefconRussia
 
Code Red Security
Code Red SecurityCode Red Security
Code Red SecurityAmr Ali
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsMySQLConference
 
Autonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefenseAutonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefensePriyanka Aash
 
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGESecure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGEPriyanka Aash
 
Grow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM StackGrow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM StackKeitaSugiyama1
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey GordeychikCODE BLUE
 

Similar to Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE (20)

A Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SREA Pragmatic Union: Security and SRE
A Pragmatic Union: Security and SRE
 
Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016Low latency microservices in java QCon New York 2016
Low latency microservices in java QCon New York 2016
 
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived SystemsEphemeral DevOps: Adventures in Managing Short-Lived Systems
Ephemeral DevOps: Adventures in Managing Short-Lived Systems
 
Эксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAPЭксплуатируем неэксплуатируемые уязвимости SAP
Эксплуатируем неэксплуатируемые уязвимости SAP
 
Getting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management ConsoleGetting access to the SAP server via SAP Management Console
Getting access to the SAP server via SAP Management Console
 
How to lock a Python in a cage? Managing Python environment inside an R project
How to lock a Python in a cage? Managing Python environment inside an R projectHow to lock a Python in a cage? Managing Python environment inside an R project
How to lock a Python in a cage? Managing Python environment inside an R project
 
15.Security
15.Security15.Security
15.Security
 
Lessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addictLessons from a recovering runtime application self protection addict
Lessons from a recovering runtime application self protection addict
 
How Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protectionsHow Triton can help to reverse virtual machine based software protections
How Triton can help to reverse virtual machine based software protections
 
OAuth 2.0 Threat Landscapes
OAuth 2.0 Threat LandscapesOAuth 2.0 Threat Landscapes
OAuth 2.0 Threat Landscapes
 
Ntewrok secuirty cs7
Ntewrok secuirty cs7Ntewrok secuirty cs7
Ntewrok secuirty cs7
 
Georgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software securityGeorgy Nosenko - An introduction to the use SMT solvers for software security
Georgy Nosenko - An introduction to the use SMT solvers for software security
 
Code Red Security
Code Red SecurityCode Red Security
Code Red Security
 
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance ProblemsD Trace Support In My Sql Guide To Solving Reallife Performance Problems
D Trace Support In My Sql Guide To Solving Reallife Performance Problems
 
Cryptography
CryptographyCryptography
Cryptography
 
Autonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and DefenseAutonomous Hacking: The New Frontiers of Attack and Defense
Autonomous Hacking: The New Frontiers of Attack and Defense
 
Hta r33
Hta r33Hta r33
Hta r33
 
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGESecure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
Secure Storage: COMPOSABLE AND ROBUST OUTSOURCED STORAGE
 
Grow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM StackGrow and Shrink - Dynamically Extending the Ruby VM Stack
Grow and Shrink - Dynamically Extending the Ruby VM Stack
 
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
[CB20] Vulnerabilities of Machine Learning Infrastructure by Sergey Gordeychik
 

More from Priyanka Aash

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsPriyanka Aash
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfPriyanka Aash
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfPriyanka Aash
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfPriyanka Aash
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfPriyanka Aash
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfPriyanka Aash
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfPriyanka Aash
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdfPriyanka Aash
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfPriyanka Aash
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfPriyanka Aash
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfPriyanka Aash
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldPriyanka Aash
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksPriyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Priyanka Aash
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Priyanka Aash
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsPriyanka Aash
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security GovernancePriyanka Aash
 

More from Priyanka Aash (20)

Digital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOsDigital Personal Data Protection (DPDP) Practical Approach For CISOs
Digital Personal Data Protection (DPDP) Practical Approach For CISOs
 
Verizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdfVerizon Breach Investigation Report (VBIR).pdf
Verizon Breach Investigation Report (VBIR).pdf
 
Top 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdfTop 10 Security Risks .pptx.pdf
Top 10 Security Risks .pptx.pdf
 
Simplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdfSimplifying data privacy and protection.pdf
Simplifying data privacy and protection.pdf
 
Generative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdfGenerative AI and Security (1).pptx.pdf
Generative AI and Security (1).pptx.pdf
 
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdfEVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
EVERY ATTACK INVOLVES EXPLOITATION OF A WEAKNESS.pdf
 
DPDP Act 2023.pdf
DPDP Act 2023.pdfDPDP Act 2023.pdf
DPDP Act 2023.pdf
 
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdfCyber Truths_Are you Prepared version 1.1.pptx.pdf
Cyber Truths_Are you Prepared version 1.1.pptx.pdf
 
Cyber Crisis Management.pdf
Cyber Crisis Management.pdfCyber Crisis Management.pdf
Cyber Crisis Management.pdf
 
CISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdfCISOPlatform journey.pptx.pdf
CISOPlatform journey.pptx.pdf
 
Chennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdfChennai Chapter.pptx.pdf
Chennai Chapter.pptx.pdf
 
Cloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdfCloud attack vectors_Moshe.pdf
Cloud attack vectors_Moshe.pdf
 
Stories From The Web 3 Battlefield
Stories From The Web 3 BattlefieldStories From The Web 3 Battlefield
Stories From The Web 3 Battlefield
 
Lessons Learned From Ransomware Attacks
Lessons Learned From Ransomware AttacksLessons Learned From Ransomware Attacks
Lessons Learned From Ransomware Attacks
 
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
Emerging New Threats And Top CISO Priorities In 2022 (Chennai)
 
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
Emerging New Threats And Top CISO Priorities In 2022 (Mumbai)
 
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
Emerging New Threats And Top CISO Priorities in 2022 (Bangalore)
 
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow LogsCloud Security: Limitations of Cloud Security Groups and Flow Logs
Cloud Security: Limitations of Cloud Security Groups and Flow Logs
 
Cyber Security Governance
Cyber Security GovernanceCyber Security Governance
Cyber Security Governance
 
Ethical Hacking
Ethical HackingEthical Hacking
Ethical Hacking
 

Recently uploaded

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraDeakin University
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024BookNet Canada
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsHyundai Motor Group
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Wonjun Hwang
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Artificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning eraArtificial intelligence in the post-deep learning era
Artificial intelligence in the post-deep learning era
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
New from BookNet Canada for 2024: BNC BiblioShare - Tech Forum 2024
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter RoadsSnow Chain-Integrated Tire for a Safe Drive on Winter Roads
Snow Chain-Integrated Tire for a Safe Drive on Winter Roads
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
The transition to renewables in India.pdf
The transition to renewables in India.pdfThe transition to renewables in India.pdf
The transition to renewables in India.pdf
 
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
Bun (KitWorks Team Study 노별마루 발표 2024.4.22)
 
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptxE-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
E-Vehicle_Hacking_by_Parul Sharma_null_owasp.pptx
 

Lattice-Based Cryptography: CRYPTANALYSIS OF COMPACT-LWE

  • 1. SESSION ID: #RSAC Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa CRYPTANALYSIS OF COMPACT-LWE CRYP-T10
  • 2. Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Lattice-based cryptographic assumption Compact-LWE Based on the learning-with-errors (LWE) assumption Hoped to achieve security for smaller parameters
  • 3. Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Proposed by Liu, Li, Kim, and Nepal at ACISP’17 invited talk Gives lightweight encryption scheme for constrained devices
  • 4. Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Our contributions 1 2 3 LWE < Basic Decryption Attack Equivalent Secret Keys Parameter Choice Honest Decryption: 500 ciphertexts per second Our Decryption: 18,000 ciphertexts per second
  • 5. Presenter’s Company Logo – replace or delete on master slide #RSAC Background Information Variant submitted to NIST post-quantum cryptography competition Cryptanalysed by us and others
  • 7. Presenter’s Company Logo – replace or delete on master slide #RSAC Lattices An 𝑛-dimensional lattice ℒ is A discrete additive subgroup of ℝ 𝑛 Generated by a basis ℬ = 𝒃1, … , 𝒃 𝑛 ℒ = ∑𝑖=1 𝑛 (ℤ ⋅ 𝒃𝑖)
  • 8. Presenter’s Company Logo – replace or delete on master slide #RSAC Lattices Solve lattice problems by finding short vectors Example reduction algorithms are LLL and BKZ Add and subtract rows Find short basis vectors 𝒃1 𝒃2 → 𝒃1 ′ 𝒃2 ′ 𝒃2𝒃1 𝒃1 ′ 𝒃2 ′
  • 9. Presenter’s Company Logo – replace or delete on master slide #RSAC Learning with Errors 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑒𝑖 𝒃 = 𝐴𝒔 + 𝒆 = + Noise values 𝑒𝑖 ← 𝜒 Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ 𝒁 𝑞 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞
  • 10. Presenter’s Company Logo – replace or delete on master slide #RSAC Learning with Errors 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑒𝑖 𝒃 = 𝐴𝒔 + 𝒆 = + Noise values 𝑒𝑖 ← 𝜒 Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ 𝒁 𝑞 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 𝒃 and 𝐴 are public 𝒔 and 𝒆 are private Decision: does 𝒃, 𝐴 look random? Search: given 𝒃, 𝐴 , find 𝒔
  • 11. Presenter’s Company Logo – replace or delete on master slide #RSAC Learning with Errors 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑒𝑖 𝒃 = 𝐴𝒔 + 𝒆 = + Noise values 𝑒𝑖 ← 𝜒 Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ 𝒁 𝑞 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 𝑚 samples Decision: does 𝒃, 𝐴 look random? Search: given 𝒃, 𝐴 , find 𝒔 Dimension 𝑛 secretsModulus q Noise distribution 𝜒
  • 12. Presenter’s Company Logo – replace or delete on master slide #RSAC Compact-LWE 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor
  • 13. Presenter’s Company Logo – replace or delete on master slide #RSAC Compact-LWE 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor 𝒃 and 𝐴 are public 𝒔, 𝒆 and the scaling factor are private Decision: does 𝒃, 𝐴 look random? Search: given 𝒃, 𝐴 , find 𝒔
  • 14. Presenter’s Company Logo – replace or delete on master slide #RSAC Compact-LWE 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor maximum size of 𝐴 elements 𝑚 samples Dimension 𝑛 secrets modulo q Noise bound 𝑟 Scaling factor ingredients
  • 15. Presenter’s Company Logo – replace or delete on master slide #RSAC Parameters Public Parameters 𝑝𝑝 = (𝑞, 𝑛, 𝑚, 𝑡, 𝑤, 𝑏) 𝑡, maximum plaintext size 𝑤, knapsack weight for encryption 𝑷𝑲 = (𝐴, 𝒃) Secret Parameters 𝑲 = (𝒔, 𝑠𝑘, 𝑟, 𝑝) 𝑛 + 1 < 𝑚 < 𝑛2 2𝑏 𝑏 𝑙𝑜𝑔2 𝑏 + 1 < 𝑞 2𝑙𝑜𝑔2 𝑏 < 𝑛 𝑡 ≤ 𝑝 𝑠𝑘 ⋅ 𝑡 − 1 + 𝑤𝑟𝑝 < 𝑞 𝑏 < 𝑟
  • 16. Presenter’s Company Logo – replace or delete on master slide #RSAC Encryption Idea 16 𝑷𝑲 contains random-looking samples (𝒂𝑖, 𝑏𝑖) from (𝐴, 𝒃) Add knapsack of 𝑏𝑖 to hide message Include same knapsack of 𝒂𝑖 to allow decryption Enc 𝑷𝑲, 𝑣 : • Randomly pick 𝑤 samples (𝒂𝑖 𝑗 , 𝑏𝑖 𝑗 ) from 𝑷𝑲 • 𝒂, 𝑏 = ∑ 𝑗=1 𝑤 (𝒂𝑖 𝑗 , 𝑏𝑖 𝑗 ) • Return c = (𝒂, 𝑣 − 𝑏)
  • 17. Presenter’s Company Logo – replace or delete on master slide #RSAC Comparison of Parameters 18 Compact-LWE Parameters Claims 138-bit security 𝑞 = 232 𝑛 = 13 𝑚 = 74 𝑡 = 216 , 𝑤 = 86, 𝑏 = 16 Lizard, Classical Parameters, 2016 Claims 128-bit security 𝑞 ≈ 210 𝑛 = 544 𝑚 = 840
  • 18. Presenter’s Company Logo – replace or delete on master slide #RSAC Implementation Results 19 Implemented on MTM- CM5000-MSP device Contiki OS 50 encryptions per second 500 decryptions per second
  • 20. Presenter’s Company Logo – replace or delete on master slide #RSAC Attack Strategy 21 c = 𝒂, 𝑣 − 𝑏 = 𝒂, 𝑏′ 𝒂, 𝑏 = ∑ 𝑗=1 𝑤 (𝒂𝑖 𝑗 , 𝑏𝑖 𝑗 ) Create lattice encoding knapsack Find a short vector with lattice reduction 1 𝟎 𝜅𝒂 𝟎 𝑡𝐼 𝑚 −𝜅𝐴 0 𝟎 𝟎 𝑏′ 𝒃 𝑞 Solves knapsack Recovers plaintext 1 𝟎 𝟎 𝑣
  • 21. Presenter’s Company Logo – replace or delete on master slide #RSAC Experimental Results 22 Correctly decrypted 9998/10,000 random ciphertexts Roughly 16 decryptions per second 3.4 GHz Core i7-3770 desktop Sagemath, LLL in fplll Honest decryption: 500 decryptions per second, constrained device • One lattice reduction per ciphertext • Relies on low dimension n = 13
  • 23. Presenter’s Company Logo – replace or delete on master slide #RSAC Attack Strategy 𝑏𝑖 = 𝒂𝑖, 𝒔 + 𝑠𝑘 𝑞 −1 ⋅ 𝑝 ⋅ 𝑒𝑖 = + Noise values 𝑒𝑖 ← [0, 𝑟] Secret 𝒔 ∈ 𝒁 𝑞 𝑛Uniformly random vectors 𝒂𝑖 ∈ [0, 𝑏] 𝑛 Samples 𝑏𝑖 in 𝒁 𝑞 Secret scaling factor 1. Recover scaling factor using lattice reduction 2. Find other secret values by brute force 3. Compute equivalent secret using lattice reduction
  • 24. Presenter’s Company Logo – replace or delete on master slide #RSAC Step 1: Scale-factor Recovery 25 𝒃 = 𝐴𝒔 + 𝑘𝒆 Compute short 𝑈 such that 𝑈 𝑇 𝐴 = 0 𝑚𝑜𝑑 𝑞 𝑈𝒃 = 𝑘 ⋅ 𝑈𝒆 𝑚𝑜𝑑 𝑞 Short vector in (𝑈𝒃) 𝑇 𝑞𝐼 Public
  • 25. Presenter’s Company Logo – replace or delete on master slide #RSAC Step 2: Recovering Secret Key Parameters 26 Secret scale-factor is 𝑘 = 𝑠𝑘 𝑞 −1 ⋅ 𝑝 Brute force search for 𝑠𝑘 and 𝑝 Use the values which maximise 𝑟 𝑠𝑘 ⋅ 𝑡 − 1 + 𝑤𝑟𝑝 < 𝑞
  • 26. Presenter’s Company Logo – replace or delete on master slide #RSAC Step 3: Find an Equivalent Secret 27 Secret is a short lattice vector Use with modified decryption algorithm 𝐴 𝑇 0 𝑞𝐼 𝑚 0 𝑘−1 𝑡
  • 27. Presenter’s Company Logo – replace or delete on master slide #RSAC Experimental Results 28 Correctly decrypted 10,000/10,000 random ciphertexts 1.28 seconds to get a key 53 microseconds per ciphertext Over 18,000 decryptions per second
  • 29. Presenter’s Company Logo – replace or delete on master slide #RSAC Hardness Reductions 30 Breaking LWE Breaking Compact-LWE [LLKN17] Dimension 13 Dimension 13 Easy…
  • 30. Presenter’s Company Logo – replace or delete on master slide #RSAC Hardness Reductions 31 Breaking LWE Breaking Compact-LWE [LLKN17] This work Lattice reduction, dimension 𝑚 3 lattice reductions, dimension ≤ 𝑚 + 1 Many attractive provable security properties
  • 31. #RSAC THANKS! Version Attack Paper: https://eprint.iacr.org/2018/020.pdf Version Attack Code: https://goo.gl/2Vo3T7
  • 32. SESSION ID: #RSAC Yu Chen TWO-MESSAGE KEY EXCHANGE WITH STRONG SECURITY FROM IDEAL LATTICES CRYP-T10 Associate Professor Institute of Information Engineering, Chinese Academy of Sciences
  • 33. Two-message Key Exchange with Strong Security from Ideal Lattices Zheng Yang (University of Helsinki) Yu Chen (Chinese Academy of Sciences) Song Luo (Chongqing University of Technology) April 17th, CT-RSA 2018
  • 34. Background: Two-message Key Exchange (TMKE) ➢Two-message Key exchange • Two messages: mid1, mid2——derived from party’s (ephemeral) secrets. • Shared session key K——computed from party’s (ephemeral) secrets and exchanged messages • Appealing to practice: low bandwidth and asynchronous communication Message generation function Session key generation function
  • 35. The Simplest Example of TMKE ➢Seminal TMKE: Diffie-Hellman key exchange (DHKE) [DH76] • Cyclic group G =< g > of prime order p • Two messages: X, Y • Passively secure; active attacker can implement man-in-the middle attack
  • 36. Motivation ➢Quantum computers are about to get real ➢DL, factoring, …., not hard against quantum algorithms ➢Lattice-based Cryptography • Quantum secure • Simple, efficient, and highly parallel ➢Existing Lattice-based AKE, e.g.: • AsiaCCS’13, Fujioka et al. , —— standard model, CK+ model without perfect forward secrecy (PFS) • Eurocrypt’15, Zhang et al., —— random oracle, BR model without PFS and leakage of ephemeral secret key • CT-RSA’14, Kurosawa and Furukawa (KF scheme) ——standard model, eCK model without PFS Is it Secure?
  • 37. Overview of Our Results ➢ Revisit the security of the KF scheme (CT-RSA’14) • finding an attack ➢ Propose a new generic TMKE scheme • New cryptographic primitive: One-time CCA-secure KEM • Without random oracles • eCK-PFS model: known session key (KSK) , key compromise impersonation (KCI) , chosen identity and public key (CIDPK), ephemeral secret key leakage (ESKL), and perfect forward secrecy (PFS) ➢ Instantiation of TMKE from ideal lattices
  • 38. The KF scheme ➢Building Blocks: Twisted PRF (TPRF), Signature (SIG), IND-CPA KEM (wKEM) ElGamal * *
  • 39. Insecurity of the KF scheme: Attack test oracle test oracle is fresh and has no partner oracle at id1
  • 40. Insecurity of the KF scheme: Problems Not tied to session info unknown key share One-time CCA attack against the KEM, CPA-secure KEM does not suffice
  • 41. How to remedy the KF scheme? ➢ Main idea • Enhance the security of KEM • CPA to one-time CCA • Employ Key Derivation function • bind the session key with session specific information to defend active attacks
  • 42. Our New Generic TMKE Protocol ➢ Building blocks • One-time KEM (OTKEM): encapsulate the session key • Signature (SIG): authenticate exchanged messages • IND-CPA KEM (wKEM): implement NAXOS trick against ephemeral key leakage (generate the pk for OTKEM) • Pseudo-random function (PRF): act as KDF to bind session key with session specific information
  • 43. A New Generic TMKE Protocol All protocol messages
  • 44. Instantiations from Ideal Lattices ➢ Building blocks’ instantiations from existing works: • Signature (SIG): Ruckert (PQCrypto’10) • IND-CPA KEM (wKEM): Peikert (PQCrypto’14). • Pseudo-random function (PRF): Banrjee et al. (Eurocrypt’12) • One-time KEM (OTKEM): q-bounded IND-CCA KEM (q=1), Cramer et al. Asiacrypt’07 (less efficient) Can we build efficient OTKEM from ideal lattices?
  • 45. Efficient OTKEM from Ideal Lattices ➢ Direct construction • Ring-Learning with Errors (RLWE): • Target collision resistant hash function (TCRHF): Similar to construction of OTS from OWF n
  • 46. Thank you very much for your attention!