crystals dilithium a lattice based digital signature
play

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo - PowerPoint PPT Presentation

Jan 08, 2024 •686 likes •1.06k views

CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L eo Ducas (CWI), Eike Kiltz (Ruhr-Universit at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor

  1. CRYSTALS-Dilithium: A Lattice-Based Digital Signature Scheme L´ eo Ducas (CWI), Eike Kiltz (Ruhr-Universit¨ at Bochum), Tancr` ede Lepoint (SRI International), Vadim Lyubashevsky (IBM Research), Peter Schwabe (Radboud University), Gregor Seiler (IBM Research) , Damien Stehl´ e (ENS de Lyon) September 10, 2018

  2. Overview Signature scheme submitted to the NIST PQC standardization process

  3. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes

  4. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters)

  5. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09]

  6. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information

  7. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller)

  8. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller) New: Compression of public key (60% smaller, 100 byte larger signature)

  9. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller) New: Compression of public key (60% smaller, 100 byte larger signature) New: Hardness based on Module -LWE/SIS

  10. Overview Signature scheme submitted to the NIST PQC standardization process One out of 5 lattice-based signature schemes Public key size 1 . 5 KB, signature size 2 . 7 KB (recommended parameters) Design based on “Fiat-Shamir with Aborts” technique [Lyu09] Rejection sampling is used to sample signatures that do not reveal secret information Signature compression as developped in [GLP12], [BG14] ( > 50% smaller) New: Compression of public key (60% smaller, 100 byte larger signature) New: Hardness based on Module -LWE/SIS New: Very efficient implementation

  11. Principal Design Considerations Easy to implement securely – No Gaussian sampling Small total size of public key + signature Among the smallest total size of all NIST submissions (Falcon is smaller) Conservative parameter selection Modular design Use of Module-LWE/SIS allows to work over the same small ring for all security levels: Arithmetic needs only be optimized once and for all

  12. Choice of Ring Strategy: Choose smallest ring dimension n that gives main advantages of Ring-LWE

  13. Choice of Ring Strategy: Choose smallest ring dimension n that gives main advantages of Ring-LWE Dimension n = 256 is enough to get sufficiently large set of small norm challenges Fully splitting prime q allows for NTT-based multiplication (more about this later) R = Z 2 23 − 2 13 +1 [ X ] / ( X 256 + 1)

  14. Simplified Scheme Key generation: Verification: A ← R 5 × 4 = w − c s 2 s 1 ← S 4 5 , s 2 ← S 5 � �� � c ′ = H(High( Az − c t ) , M ) 5 t = As 1 + s 2 If � z � ∞ ≤ γ − β and c ′ = c , accept pk = ( A , t ) , sk = ( A , t , s 1 , s 2 ) Signing: y ← S 4 γ w = Ay c = H(High( w ) , M ) ∈ B 60 z = y + c s 1 If � z � ∞ > γ − β or � Low( w − c s 2 ) � ∞ > γ − β, restart sig = ( z , c )

  15. Public Key Compression Verification: c ′ = H(High( Az − c t ) , M ) If � z � ∞ ≤ γ − β and c ′ = c , accept Decompose t = t 1 2 14 + t 0 and put only t 1 into public key (23 → 9 bits per coefficient)

  16. Public Key Compression Verification: c ′ = H(High( Az − c t ) , M ) If � z � ∞ ≤ γ − β and c ′ = c , accept Decompose t = t 1 2 14 + t 0 and put only t 1 into public key (23 → 9 bits per coefficient) For verification we need to compute High( Az − c t ) = High( Az − c t 1 2 14 − c t 0 ) Include carries from adding − c t 0 in signature → High( Az − c t 1 2 14 ) can be corrected

  17. Security Tight reduction, even in quantum random oracle model, from SelfTargetMSIS and Module-LWE/SIS [KLS18]: Adv SUF-CMA ( A ) ≤ Adv MLWE ( B ) + Adv SelfTargetMSIS ( C ) + Adv MSIS ( D ) + 2 − 254 Given matrix A , find short vector y , challenge polynomial c and message M such that � � y � � H ( I | A ) , M = c c SelfTargetMSIS has non-tight reduction with standard forking lemma argument from Module-SIS

  18. Implementation Reference and AVX2 optimized implementations on https://github.com/pq-crystals/dilithium Main Operations: Polynomial multiplication in fixed ring R = Z 2 23 − 2 13 +1 [ X ]( X 256 + 1) Expansion of the SHAKE XOF Independent sampling of polynomials: Allows for parallel use of SHAKE

  19. Constant Time Our implementations are fully protected against timing side channel attacks In particular: No use of the C ’%’-operator Note: Sampling of challenge polynomials is not constant-time and does not need to be

  20. Speed of Reference Implementation Key generation Signing Signing (average) Verification Multiplication 89 , 591 987 , 666 1 , 280 , 053 143 , 924 SHAKE 178 , 487 314 , 570 377 , 068 161 , 079 Modular Reduction 11 , 944 120 , 793 163 , 017 10 , 626 Rounding 6 , 586 108 , 412 137 , 324 11 , 821 Rejection Sampling 60 , 740 76 , 893 94 , 607 28 , 082 Addition 8 , 008 58 , 696 79 , 498 10 , 723 Packing 7 , 114 17 , 183 18 , 856 8 , 883 Total 381 , 178 1 , 778 , 148 2 , 260 , 429 396 , 043 Median cycles of 5000 executions on Intel Skylake i7-6600U processor

  21. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message

  22. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs

  23. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs But we only actually perform 172 NTTs

  24. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs But we only actually perform 172 NTTs

  25. Advantages of NTT Multiplication NTT-based multiplication allows for easy reuse of computation: In Dilithium on average about 224 multiplications to sign a message So, naively, 673 NTTs But we only actually perform 172 NTTs We immediately get a 4 x speed-up in multiplication time from saving NTTs compared to Karatsuba multiplication Note: In our reference implementation NTTs still make up for the most time comsuming operation

  26. AVX2 optimized Implementation Optimizations: Vectorized NTT in assembly 4-way parallel SHAKE Better public key and signature compression Faster assembly modular reduction

  27. AVX2 optimized Implementation Optimizations: Vectorized NTT in assembly 4-way parallel SHAKE Better public key and signature compression Faster assembly modular reduction About 3 . 5 x faster signing compared to reference version

  28. AVX2 optimized Implementation Optimizations: Vectorized NTT in assembly 4-way parallel SHAKE Better public key and signature compression Faster assembly modular reduction About 3 . 5 x faster signing compared to reference version Recent update: > 40% faster compared to TCHES paper

  29. New Fast Vectorized NTT Implementation Prior state of the art: Double floating point arithmetic as in NewHope Now : Fast approach with integer arithmetic and same Montgomery reduction strategy as in reference implementation

  30. New Fast Vectorized NTT Implementation Prior state of the art: Double floating point arithmetic as in NewHope Now : Fast approach with integer arithmetic and same Montgomery reduction strategy as in reference implementation Unfortunately not as fast as 16-bit NTT in Kyber because of missing instruction for high product

Recommend

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software

The signature The countermeasure and its proof Performances Future work Masking the GLP Lattice-Based Signature Scheme at any Order Gilles Barthe (IMDEA Software Institute) Sonia Belad (CryptoExperts) Thomas Espitau (UPMC) Pierre-Alain

1.04k views • 51 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o ROs. Techniques Short Sig? Tight

712 views • 47 slides
Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

633 views • 44 slides
Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa

Lattice-Based Signature Scheme with Verifier Local Revocation Adeline Langlois 1 San Ling 2 Khoa Nguyen 2 Huaxiong Wang 2 1 LIP, ENS de Lyon, France 2 Nanyang Technological University, Singapore March 27, 2014 PKC 2014 Group Signature with VLR

257 views • 23 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Nonlinear lattice kink pulses: existence and action on defects in crystals. With application to

Nonlinear lattice kink pulses: existence and action on defects in crystals. With application to

Nonlinear lattice kink pulses: existence and action on defects in crystals. With application to radiation damage and the long range effect. Cross-discipline research using results from: 1. charged particle tracks in crystals of muscovite

421 views • 23 slides
DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH,

DRS Diagonal dominant Reduction for lattice-based Signature Thomas PLANTARD, Arnaud SIPASSEUTH, Cedric DUMONDELLE, Willy SUSILO Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/ thomaspl

458 views • 22 slides
Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital

Parallel-CFS Strengthening the CFS McEliece-Based Signature Scheme Matthieu Finiasz Digital Signatures The hash and sign paradigm m c slide 1/18 . Any public key encryption can be turned into a signature. Digital Signatures The hash and

759 views • 28 slides
1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

1 Arbitrated Digital Signatures Digital Signature Standard (DSS) US Govt approved signature

CPE 542: CRYPTOGRAPHY & NETWORK SECURITY Digital Signatures have looked at message authentication but does not address issues of lack of trust Chapter 13 Digital Signatures digital signatures provide the ability to:

361 views • 3 slides
Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline

Lattice-Based Group Signatures with Logarithmic Signature Size Fabien Laguillaumie 1 Adeline Langlois 2 Benot Libert 3 Damien Stehl 2 1 LIP, Universit Lyon 1 2 LIP, ENS de Lyon 3 Technicolor December 4, 2013 Laguillaumie et al. LB Group

239 views • 20 slides
Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General

Digital Signatures and Authentication 1 Outline What is a digital signature ? General model Foundations of security RSA, DSA, ECDSA signatures Zero knowledge (Guillo-Quisquater) One-time signature Special

675 views • 46 slides
Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse)

Detecting Attacks Anomaly-based Detection Signature-based Signature-based (Misuse) Detection Intrusion Detection Host-based Network-based Boriana Ditcheva and Lisa Fowler Active/Passive University of North Carolina at

401 views • 12 slides
3-509

3-509

3-509 liuzhen@sjtu.edu.cn 1 Digital Signature Hash Function Message Authentication Code 2 Digital Signature There is an electronic document to be sent

738 views • 24 slides
Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes

Digital Signatures Model A public key analog of MAC A digital signature scheme includes the following elements: A private key k A public key k A signature algorithm Public key is published Signature requires

475 views • 24 slides
Discrete space (lattice) arises naturally in solids (crystals) Using localized atomic-like

Discrete space (lattice) arises naturally in solids (crystals) Using localized atomic-like

Discrete space (lattice) arises naturally in solids (crystals) Using localized atomic-like orbitals (Wannier orbitals), called the tight-binding method, is often a good starting point for describing the electronic band structure The hopping

269 views • 9 slides
Digital Signature And Hash Function

Digital Signature And Hash Function

Digital Signature And Hash Function 1 Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Biometric Signature

894 views • 52 slides
IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13

IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13

IM IMPLEMENTATION OF DIG IGIT ITAL SIG IGNATURE IN IN THE AVIA IATION IN INDUSTRY 13 13 OCTOBER 2017 1. What is Digital Signature? 2. Why use Digital Certificate? 3. Digital Signature Act 1997 4. Digital Signature Regulations 1998

282 views • 12 slides
Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based

Week 07 Lectures Signature-based Selection Indexing with Signatures 2/103 Signature-based indexing: designed for pmr queries (conjunction of equalities) does not try to achieve better than O(n) performance attempts to provide an

859 views • 27 slides
Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange

Efficient Redactable Signature and Application to Anonymous Credentials Olivier Sanders Orange Labs PKC 2020 Context PKC 2020 p 2 Digital Signature Digital signature can be used to authenticate digital data ... Name Birthdate Address

437 views • 33 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

244 views • 21 slides
Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis

Lattice-based signatures Extra lecture for the Digital Signatures course 2020 Dennis Hofheinz ETH Zrich Quantum computers Grovers algorithm: speed up searches (N O(N)) Bigger problem for cryptography: Shors algorithm

469 views • 15 slides
How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz

How to achieve a McEliece-based Digital Signature Scheme Nicolas Courtois Matthieu Finiasz Nicolas Sendrier ASIACRYPT 2001 Brisbane McEliece in a nutshell (Niederreiter version) This scheme is equivalent to the original McEliece

432 views • 12 slides

More recommend