Faster Gaussian Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling Preventing Faster Gaussian Lattice Sampling using Information Leakage Gaussian Sampling Our Work Lazy Floating-Point Arithmetic A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. eo Ducas , ´ Ecole Normale Sup´ erieure L´ Impact of errors, and precision requirement Phong Nguyen, INRIA & Tsinghua Univ. An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Asiacrypt 2012 Conclusion 2/33
Faster Gaussian Lattices Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen A lattice Λ is a discrete subgroup of R n . Introduction Lattices based Signatures Before Gaussian Sampling Preventing Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 3/33
Faster Gaussian Basis of Lattices Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Lattices have two kinds of basis: Introduction Lattices based Signatures Before Gaussian Sampling Good Basis (short) Bad Basis (large) Preventing Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and Derive bad basis test membership t ∈ Λ precision requirement Solve geometric problem generate random element in Λ An Optimized FPA variant of Klein’s as Approx-CVP Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Good setting for Public Key Cryptography ! Efficiency Conclusion 4/33
Faster Gaussian Approximate the Closest Vector Problem Lattice Sampling using Lazy FPA The Approx-CVP Problem: L. Ducas Given t ∈ R n , find c ∈ Λ close to t P.Q. Nguyen Introduction Λ Lattices based Signatures Before Gaussian Sampling Preventing Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 5/33
Faster Gaussian Approximate the Closest Vector Problem Lattice Sampling using Lazy FPA Problem: Given t ∈ R n , find c ∈ Λ close to t L. Ducas P.Q. Nguyen Z n Λ Introduction B − 1 Lattices based Signatures Before Gaussian Sampling Preventing − → Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 6/33
Faster Gaussian Approximate the Closest Vector Problem Lattice Sampling using Lazy FPA Solution: s = ⌈ t · B − 1 ⌋ · B (Baba¨ ı’s Round-Off [Bab86]) L. Ducas P.Q. Nguyen Z n Λ Introduction B − 1 Lattices based Signatures Before Gaussian Sampling Preventing − → Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm ← − Floating Point Arithmetic FPA usage in Klein’s B Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 7/33
Faster Gaussian Approximate the Closest Vector Problem Lattice Sampling using Lazy FPA Solution: s = ⌈ t · B − 1 ⌋ · B (Baba¨ ı’s Round-Off [Bab86]) L. Ducas P.Q. Nguyen Z n Λ Introduction B − 1 Lattices based Signatures Before Gaussian Sampling Preventing − → Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm ← − Floating Point Arithmetic FPA usage in Klein’s B Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 8/33
Faster Gaussian Approximate the Closest Vector Problem Lattice Sampling using Lazy FPA Solution: s = ⌈ t · B − 1 ⌋ · B (Baba¨ ı’s Round-Off [Bab86]) L. Ducas Quality of the solution depends on the basis B . P.Q. Nguyen Z n Λ Introduction B − 1 Lattices based Signatures Before Gaussian Sampling Preventing − → Information Leakage Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm ← − Floating Point Arithmetic FPA usage in Klein’s B Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 9/33
Faster Gaussian GGH and NTRUSign Signature Schemes Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction The Goldreich-Goldwasser-Halevi [GGH97] signature scheme: Lattices based Signatures Before Gaussian Sampling Preventing Information Leakage Secret Key: a short basis B of Λ Gaussian Sampling Our Work A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA NTRUSign [HGP + 03] is an optimized instantiation of variant of Klein’s Algorithm GGH, using compact lattices. General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 10/33
Faster Gaussian GGH and NTRUSign Signature Schemes Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction The Goldreich-Goldwasser-Halevi [GGH97] signature scheme: Lattices based Signatures Before Gaussian Sampling Preventing Information Leakage Secret Key: a short basis B of Λ Gaussian Sampling Our Work Public Key: a large basis of Λ A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA NTRUSign [HGP + 03] is an optimized instantiation of variant of Klein’s Algorithm GGH, using compact lattices. General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 10/33
Faster Gaussian GGH and NTRUSign Signature Schemes Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction The Goldreich-Goldwasser-Halevi [GGH97] signature scheme: Lattices based Signatures Before Gaussian Sampling Preventing Information Leakage Secret Key: a short basis B of Λ Gaussian Sampling Our Work Public Key: a large basis of Λ A FPA variant of Klein’s Algorithm Signature: t = H ( m ) ∈ R n the hash of a message Floating Point Arithmetic s = ⌈ t · B − 1 ⌋ · B the signature of m FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA NTRUSign [HGP + 03] is an optimized instantiation of variant of Klein’s Algorithm GGH, using compact lattices. General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 10/33
Faster Gaussian GGH and NTRUSign Signature Schemes Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction The Goldreich-Goldwasser-Halevi [GGH97] signature scheme: Lattices based Signatures Before Gaussian Sampling Preventing Information Leakage Secret Key: a short basis B of Λ Gaussian Sampling Our Work Public Key: a large basis of Λ A FPA variant of Klein’s Algorithm Signature: t = H ( m ) ∈ R n the hash of a message Floating Point Arithmetic s = ⌈ t · B − 1 ⌋ · B the signature of m FPA usage in Klein’s Alg. Impact of errors, and precision requirement Verification: Check that s ∈ Λ and s − H ( m ) is small An Optimized FPA NTRUSign [HGP + 03] is an optimized instantiation of variant of Klein’s Algorithm GGH, using compact lattices. General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 10/33
Faster Gaussian Gaussian Sampling: Why ? Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling The previous algorithm to find pre-image leaks information Preventing Information Leakage about the good basis B : Gaussian Sampling Our Work Raw version broken in [NR09] A FPA variant of Klein’s Algorithm Floating Point Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 11/33
Faster Gaussian Gaussian Sampling: Why ? Lattice Sampling using Lazy FPA L. Ducas P.Q. Nguyen Introduction Lattices based Signatures Before Gaussian Sampling The previous algorithm to find pre-image leaks information Preventing Information Leakage about the good basis B : Gaussian Sampling Our Work Raw version broken in [NR09] A FPA variant of Klein’s Algorithm Floating Point Heuristic countermeasures later broken [DN12] Arithmetic FPA usage in Klein’s Alg. Impact of errors, and precision requirement An Optimized FPA variant of Klein’s Algorithm General Rejection Sampling Introducing Lazyness in Rej. Sampling Efficiency Conclusion 11/33
Recommend
More recommend