CRYSTALS: CRYptographic SuiTe for Algebraic LatticeS
Shi Bai, Joppe Bos, Léo Ducas, Eike Kiltz, Tancrède Lepoint, Vadim Lyubashevsky, John M. Schanck, Peter Schwabe, Damien Stehlé
Jan 4, 2017 - Real World Crypto
Outline
1. Motivation
2. Module Lattices
3. The KEM
4. Open Quantum Safe & Performances
5. Conclusion
Tancrède Lepoint (SRI International) CRYSTALS Jan 4, 2017 #realworldcrypto 1 / 27
1. Motivation
Previous talk: NIST, http://nist.gov/pqcrypto
This talk is about LATTICE-BASED CRYPTOGRAPHY.
Lattice crypto in strongSwan
Open-source IPsec-based VPN solution. Early adopter of lattice-based crypto:
▶ NTRUEncrypt [1] since Feb 2014
▶ BLISS signature [2] since Jan 2015
▶ NewHope [3] key exchange since Oct 2016
1 John Hoffstein, Jill Pipher, and Joseph H. Silverman. “NTRU: A New High Speed Public Key Cryptosystem”. In: ANTS III. Vol. 1423. LNCS. Springer, 1998.
2 Léo Ducas et al. “Lattice Signatures and Bimodal Gaussians”. In: CRYPTO (1). Vol. 8042. LNCS. Springer, 2013.
3 Erdem Alkim et al. “Post-quantum Key Exchange - A New Hope”. In: USENIX Security Symposium. USENIX Association, 2016.
Google’s experimentation with PQCrypto: impact assessment
Combination of NewHope with ECDH (X25519) in TLS.
Result: “we did not find any unexpected impediment to deploying something like NewHope” [4]
4 https://www.imperialviolet.org/2016/11/28/cecpq1.html
Primary focus: KEM
TLS handshake with a KEM in place of the key exchange (Client on the left, Server on the right):
ClientHello →
← ServerHello, CertificateChain
← ServerKeyExchange = KEM.Setup(): key generation, send public key pk
ClientKeyExchange = KEM.Encaps(): sample random value, encrypt value using pk, send ciphertext c →
ClientComputeKey: key = KDF(value)
ServerComputeKey = KEM.Decaps(): decrypt c to recover value, key = KDF(value)
Finished ⇄ Finished
shared key → application data
The question is what post-quantum encryption scheme to use?
Current lattice-based key exchanges (learn more next talk)
                    LWE-based                        RLWE-based
Reconciliation [5]  Frodo [6]: |comm| = 22.6 KiB     BCNS15 [7]: |comm| = 8.2 KiB
                                                     NewHope [8]: |comm| = 3.9 KiB
Encryption          |comm| > 22.6 KiB                NewHope-Simple [9]: |comm| = 4 KiB
5 More complicated to implement (randomized doubling, lattice quantizers, etc.); cf. Jintai Ding. “A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem”. In: IACR Cryptology ePrint Archive 2012/688 (2012) and Chris Peikert. “Lattice Cryptography for the Internet”. In: PQCrypto. Vol. 8772. LNCS. Springer, 2014.
6 Joppe W. Bos et al. “Frodo: Take off the Ring! Practical, Quantum-Secure Key Exchange from LWE”. In: ACM Conference on Computer and Communications Security. ACM, 2016.
7 Joppe W. Bos et al. “Post-Quantum Key Exchange for the TLS Protocol from the Ring Learning with Errors Problem”. In: IEEE Symposium on Security and Privacy. IEEE Computer Society, 2015, pp. 553–570.
8 Erdem Alkim et al. “Post-quantum Key Exchange - A New Hope”. In: USENIX Security Symposium. USENIX Association, 2016.
9 Erdem Alkim et al. “NewHope without reconciliation”. In: IACR Cryptology ePrint Archive 2016/1157 (2016).
Why do people use a ring? LWE vs. RLWE
LWE: a matrix whose entries are elements of Z_q.
RLWE: a single element of a polynomial ring, i.e. one polynomial with coefficients in Z_q.
Usual ring: Z_q[x]/(x^n + 1). Other possibilities [10][11]: x^n − 1 or x^p − x − 1.
10 John Hoffstein, Jill Pipher, and Joseph H. Silverman. “NTRU: A New High Speed Public Key Cryptosystem”. In: (1996). Preliminary draft.
11 Daniel J. Bernstein et al. “NTRU Prime”. In: IACR Cryptology ePrint Archive 2016/461 (2016).
CRYSTALS: our cryptographic suite (CRYptographic SuiTe for Algebraic LatticeS)
Assumption: module lattices [12]
Simplicity: no reconciliation, no Gaussian sampling, no NTRU
Modularity: a CCA-secure KEM can be used for encryption, key exchange, AKE (KEM-DEM); easy to increase security
12 Adeline Langlois and Damien Stehlé. “Worst-case to average-case reductions for module lattices”. In: Des. Codes Cryptography 75.3 (2015).
Kyber and Dilithium
Module lattices: d-dimensional matrices of elements in Z_q[x]/(x^256 + 1)
▶ 256 is the number of bits we want to encrypt
▶ Allows to reach dimensions 256·d
▶ Increase d to increase security
Kyber [13], the KEM:
▶ CCA security
▶ Encryption-based KEM
▶ No Gaussian distribution (à la GLP12 [14])
Dilithium, the digital signature (not today)
13 Thanks!
14 Tim Güneysu, Vadim Lyubashevsky, and Thomas Pöppelmann. “Practical Lattice-Based Cryptography: A Signature Scheme for Embedded Systems”. In: CHES. Vol. 7428. LNCS. Springer, 2012.
2. Module Lattices
Module lattices
Lattices ⊃ Module lattices ⊃ Ring lattices
Module lattices are “more general” than ring lattices (finitely generated modules over the ring of integers of a number field), and less structured.
Example: d-dimensional matrices of polynomials in Z_q[x]/(x^256 + 1), coefficients ∈ Z_q
▶ allows to reach all dimensions 256·d
▶ allows to reduce the modulus q w.r.t. ring lattices for the same security
▶ more flexible
Module learning with errors [15][16][17][18] over R = Z_q[x]/(x^n + 1)
A · s + e = b, with A a square d × d matrix over R (uniform), s ∈ R^d a small secret, e ∈ R^d a small error, b ∈ R^d.
Decision MLWE: distinguish (A, b = A · s + e) with small s and e from (A, b) with b uniform.
15 Oded Regev. “On lattices, learning with errors, random linear codes, and cryptography”. In: STOC. ACM, 2005.
16 Benny Applebaum et al. “Fast Cryptographic Primitives and Circular-Secure Encryption Based on Hard Learning Problems”. In: CRYPTO. Vol. 5677. LNCS. Springer, 2009.
17 Vadim Lyubashevsky, Chris Peikert, and Oded Regev. “On Ideal Lattices and Learning with Errors over Rings”. In: EUROCRYPT. Vol. 6110. LNCS. Springer, 2010.
18 Adeline Langlois and Damien Stehlé. “Worst-case to average-case reductions for module lattices”. In: Des. Codes Cryptography 75.3 (2015).
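The KEM flow of the “Primary focus: KEM” slide (KEM.Setup / KEM.Encaps / KEM.Decaps with key = KDF(value)) and the MLWE relation b = A · s + e above, worked through in Python as an added example. This is not CRYSTALS or Kyber code: the parameters (n = 256 so that one coefficient carries one encrypted bit, q = 3329, rank d = 2, centered-binomial noise with eta = 2), the schoolbook polynomial arithmetic, the SHA3-based KDF, and the absence of both ciphertext compression and a CCA transform are assumptions made for illustration. The mlwe_error_bound helper makes the “small vs. uniform” distinction of decision MLWE concrete: for a genuine sample t − A·s is the small error e, for a uniform t it is not.

```python
# Toy Module-LWE encryption-based KEM over R = Z_q[x]/(x^n + 1).
# Added example, not the CRYSTALS/Kyber code. Assumed parameters: n = 256 (one
# coefficient per encrypted bit, as on the slides), q = 3329, rank d = 2, centered
# binomial noise with eta = 2. No compression and no CCA transform: this is the
# CPA-secure core that KEM.Encaps / KEM.Decaps wrap.
import hashlib
import secrets

N, Q, D, ETA = 256, 3329, 2, 2

def poly_add(a, b, sign=1):
    return [(x + sign * y) % Q for x, y in zip(a, b)]

def poly_mul(a, b):
    # Schoolbook product in Z_q[x]/(x^n + 1); the wrap-around uses x^n = -1.
    res = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                if i + j < N:
                    res[i + j] += ai * bj
                else:
                    res[i + j - N] -= ai * bj
    return [c % Q for c in res]

def inner(u, v):
    # Inner product of two length-d vectors of polynomials.
    acc = [0] * N
    for a, b in zip(u, v):
        acc = poly_add(acc, poly_mul(a, b))
    return acc

def mat_vec(A, v):
    return [inner(row, v) for row in A]

def vec_add(u, v):
    return [poly_add(a, b) for a, b in zip(u, v)]

def uniform_poly():
    return [secrets.randbelow(Q) for _ in range(N)]

def cbd_poly():
    # Small polynomial: coefficient = (ones in ETA random bits) - (ones in ETA more).
    out = []
    for _ in range(N):
        bits = secrets.randbits(2 * ETA)
        a = bin(bits & ((1 << ETA) - 1)).count("1")
        out.append((a - bin(bits >> ETA).count("1")) % Q)
    return out

def keygen():
    # MLWE instance: A uniform d x d over R, s and e small, t = A s + e.
    A = [[uniform_poly() for _ in range(D)] for _ in range(D)]
    s = [cbd_poly() for _ in range(D)]
    e = [cbd_poly() for _ in range(D)]
    t = vec_add(mat_vec(A, s), e)
    return (A, t), s

def mlwe_error_bound(pk, sk):
    # Largest |coefficient| of t - A s, centered in (-q/2, q/2]: at most ETA for a
    # genuine MLWE sample, whereas a uniform t gives values around q/2.
    A, t = pk
    diff = [poly_add(x, y, -1) for x, y in zip(t, mat_vec(A, sk))]
    return max(min(c, Q - c) for p in diff for c in p)

def encrypt(pk, msg):
    # 32 bytes = 256 bits, one bit per coefficient, encoded as bit * round(q/2).
    A, t = pk
    At = [[A[j][i] for j in range(D)] for i in range(D)]
    r, e1, e2 = [cbd_poly() for _ in range(D)], [cbd_poly() for _ in range(D)], cbd_poly()
    u = vec_add(mat_vec(At, r), e1)                       # u = A^T r + e1
    m = [((msg[i // 8] >> (i % 8)) & 1) * ((Q + 1) // 2) for i in range(N)]
    v = poly_add(poly_add(inner(t, r), e2), m)            # v = t.r + e2 + m
    return u, v

def decrypt(sk, ct):
    u, v = ct
    w = poly_add(v, inner(sk, u), -1)   # = e.r - s.e1 + e2 + m; noise << q/4 w.o.p.
    out = bytearray(N // 8)
    for i, c in enumerate(w):
        if Q // 4 < c < 3 * Q // 4:     # closer to q/2 than to 0: the bit is 1
            out[i // 8] |= 1 << (i % 8)
    return bytes(out)

def kdf(value):
    return hashlib.sha3_256(b"toy-mlwe-kem" + value).digest()

def encaps(pk):
    # Client: sample a random 256-bit value, encrypt it under pk, key = KDF(value).
    value = secrets.token_bytes(N // 8)
    return encrypt(pk, value), kdf(value)

def decaps(sk, ct):
    # Server: decrypt c to recover the value and derive the same key.
    return kdf(decrypt(sk, ct))

def kem_roundtrip():
    # KEM.Setup on the server, KEM.Encaps on the client, KEM.Decaps on the server.
    pk, sk = keygen()
    ct, client_key = encaps(pk)
    return client_key == decaps(sk, ct)

if __name__ == "__main__":
    print("keys agree:", kem_roundtrip())
```

Raising D is the “increase d to increase security” knob from the slides: every other line stays the same, which is the modularity argument for module lattices over a fixed ring. Without compression the decryption noise e·r − s·e1 + e2 has standard deviation around 32 against a decoding threshold of q/4 ≈ 832, so decryption failures are negligible here; the real scheme’s compression is what makes the failure probability a design parameter.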