frodokem practical quantum secure key encapsulation from
play

FrodoKEM practical quantum-secure key encapsulation from generic - PowerPoint PPT Presentation

Nov 29, 2023 •454 likes •950 views

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos L eo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan Douglas Stebila 1 / 11

  1. FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos L´ eo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan Douglas Stebila 1 / 11

  2. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. 2 / 11

  3. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. 2 / 11

  4. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. 2 / 11

  5. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. [FujisakiOkamoto’99,HHK’17] FrodoPKE FrodoKEM (IND-CPA) (IND-CCA) (generic transform) 2 / 11

  6. FrodoKEM FrodoKEM’s security derives from plain Learning With Errors on algebraically unstructured lattices, parameterized cautiously to avoid known risk categories, and to conform to a worst-case/average-case reduction. [FujisakiOkamoto’99,HHK’17] FrodoPKE FrodoKEM (IND-CPA) (IND-CCA) (generic transform) Concrete Instantiations 1 FrodoKEM-640: targets Level 1 security ( ≥ AES-128). 2 FrodoKEM-976: targets Level 3 security ( ≥ AES-192). 3 Other parameterizations are easy, by changing compile-time constants. 2 / 11

  7. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: 3 / 11

  8. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. 3 / 11

  9. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] 3 / 11

  10. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. 3 / 11

  11. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. Public-Key Encryption/Key Exchange ◮ Many schemes with tight (CPA-)security reductions from LWE: [Regev’05,PVW’08,GPV’08,P’09,LP’11,. . . ] 3 / 11

  12. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. Public-Key Encryption/Key Exchange ◮ Many schemes with tight (CPA-)security reductions from LWE: [Regev’05,PVW’08,GPV’08,P’09,LP’11,. . . ] ◮ FrodoCCS [BCDMNNRS’16] instantiated and implemented [LP’11] , using pseudorandom public matrix A to reduce public key size. 3 / 11

  13. Pedigree Learning With Errors (LWE) [Regev’05] ◮ Lineage of [Ajtai’96,AjtaiDwork’97] : worst-case/average-case reductions: breaking random inputs = ⇒ solving famous problems on any lattice. “[This] assures us that attacks on the cryptographic construction are likely to be effective only for small choices of parameters and not asymptotically. In other words . . . there are no fundamental flaws in the design of our cryptographic construction.” [MicciancioRegev’09] ◮ LWE has been heavily used and cryptanalyzed by countless works. Public-Key Encryption/Key Exchange ◮ Many schemes with tight (CPA-)security reductions from LWE: [Regev’05,PVW’08,GPV’08,P’09,LP’11,. . . ] ◮ FrodoCCS [BCDMNNRS’16] instantiated and implemented [LP’11] , using pseudorandom public matrix A to reduce public key size. ◮ FrodoPKE [this work] : wider error distributions, new parameters, . . . 3 / 11

  14. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. 4 / 11

  15. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . 4 / 11

  16. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . Bounded-distance decoding on a random ‘ q -ary’ lattice defined by A : (0 , q ) ( q, 0) 4 / 11

  17. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q (Images courtesy xkcd.org) 4 / 11

  18. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q M ∈ { 0 , 1 } k × ℓ (Images courtesy xkcd.org) 4 / 11

  19. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q C ≈ AR M ∈ { 0 , 1 } k × ℓ C ′ ≈ BR + q 2 · M (Images courtesy xkcd.org) 4 / 11

  20. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q C ≈ AR M ∈ { 0 , 1 } k × ℓ C ′ ≈ BR + q 2 · M C ′ − SC ≈ q 2 · M (Images courtesy xkcd.org) 4 / 11

  21. LWE and FrodoPKE Learning With Errors ◮ Dimension n , modulus q , error distribution χ on ‘small’ integers. Assumption: for uniformly random matrix A over Z q and S from χ , c [ A , B ≈ SA ] ≡ uniform over Z q . pk = seed A , B ≈ SA S ← χ k × n ( A = expand ( seed A ) ∈ Z n × n ) q C ≈ AR M ∈ { 0 , 1 } k × ℓ C ′ ≈ BR + q 2 · M C ′ − SC ≈ q 2 · M c ( A , B , C , C ′ ) ≡ unif (Images courtesy xkcd.org) 4 / 11

  22. Distinctive Features of FrodoPKE/KEM 1 Generic, algebraically unstructured lattices: plain LWE. 2 ‘Semi-wide’ errors conforming to a worst-case/average-case reduction from a previously studied lattice problem: BDD with DGS. 3 Simple design and constant-time implementation: ⋆ power-of-2 modulus q for cheap & easy modular arithmetic ⋆ straightforward error sampling ⋆ no ‘reconciliation’ or error-correcting codes for removing noise ⋆ x64 implementation: 256 lines of plain C code (+ preexisting symmetric primitives) 5 / 11

  23. Distinctive Features of FrodoPKE/KEM 1 Generic, algebraically unstructured lattices: plain LWE. 2 ‘Semi-wide’ errors conforming to a worst-case/average-case reduction from a previously studied lattice problem: BDD with DGS. 3 Simple design and constant-time implementation: ⋆ power-of-2 modulus q for cheap & easy modular arithmetic ⋆ straightforward error sampling ⋆ no ‘reconciliation’ or error-correcting codes for removing noise ⋆ x64 implementation: 256 lines of plain C code (+ preexisting symmetric primitives) 5 / 11

Recommend

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos

FrodoKEM practical quantum-secure key encapsulation from generic lattices Erdem Alkim Joppe W. Bos L eo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris Peikert Ananth Raghunathan Douglas Stebila 1 / 11 Concrete

897 views • 52 slides
IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong

IND-CCA-secure Key Encapsulation Mechanism in the Quantum Random Oracle Model, Revisited Haodong Jiang , Zhenfeng Zhang , Long Chen , Hong Wang Zhi Ma Chinese State Key Laboratory of Mathematical Engineering and

577 views • 46 slides
Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES,

Saber on ARM CCA-secure module lattice-based key encapsulation on ARM Angshuman Karmakar CHES, Amsterdam 11 th September, 2018 Joint work with : Jose Maria Bermudo Mera Sujoy Sinha Roy Ingrid Verbauwhede Saber: CCA secure post-quantum KEM*

613 views • 30 slides
BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography

BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography

BIK IKE - Bi Bit-Flipping Key Encapsulation Presented to the 2 nd NIST Post-Quantum Cryptography Standardization Conference August, 24 th 2019, Santa Barbara, California, USA Authors: Affiliations: Nicolas Aragon University of Limoges, France

291 views • 14 slides
A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing

A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing

A Practical Approach to Quantum Annealing GOTO CHICAGO 2020 AGENDA Practical Quantum Annealing - Part 1 Quantum Annealing - Hardware and Basic Principles Introduction to Programming Model and API Constraint Satisfation Problems HARDWARE AND

584 views • 27 slides
Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure

Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure

Everything is Quantum The EU Quantum Flagship Our mission is to keep KPN reliable & secure and trusted by customers, partners and society part of the vital infra of NL Contents Whats the problem? Whats everyone up to? Are

527 views • 33 slides
Encapsulation for Practical Simplification Procedures Olga Shumsky Matlin & William McCune

Encapsulation for Practical Simplification Procedures Olga Shumsky Matlin & William McCune

Encapsulation for Practical Simplification Procedures Olga Shumsky Matlin & William McCune Mathematics and Computer Science Division Argonne National Laboratory {matlin,mccune}@mcs.anl.gov Problem Origin First-order resolution and

254 views • 4 slides
LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 ,

LEDAkem: a post-quantum key encapsulation mechanism based on QC-LDPC codes Marco Baldi 1 , Alessandro Barenghi 2 , Franco Chiaraluce 1 , Gerardo Pelosi 2 , Paolo Santini 1 1 Universit` a Politecnica delle Marche (m.baldi@univpm.it,

674 views • 52 slides
Q UANTUM C OMPUTING W HY N OW ? Practical Applications Quantum Supremacy Quantum Excitement

Q UANTUM C OMPUTING W HY N OW ? Practical Applications Quantum Supremacy Quantum Excitement

Q UANTUM COMPUTATION FOR THE DISCOVERY OF NEW MATERIALS AND CHEMISTRY Jarrod R. McClean Alvarez Fellow - Computational Research Division Lawrence Berkeley National Laboratory Q UANTUM C OMPUTING W HY N OW ? Practical Applications Quantum

645 views • 39 slides
A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation

A key-recovery timing attack on post-quantum primitives using the Fujisaki-Okamoto transformation and its application on FrodoKEM Qian Guo, Thomas Johansson, Alexander Nilsson August 10, 2020 Preliminaries Implementing Crypto Is Hard

994 views • 80 slides
Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number

Vacuum fluctuations Secure heterodyne-based quantum random number quantum random number generator with non-iid generator at 17 Gbps samples Tobias Gehring et al. Marco Avesani et al. 1 The need for random numbers Alice quantum Rx laser

346 views • 32 slides
Towards the Practical Space-Ground Integrated Quantum Communication Network Cheng-Zhi Peng CAS

Towards the Practical Space-Ground Integrated Quantum Communication Network Cheng-Zhi Peng CAS

QCrypt 2020: Industry Session 2020/08/12 Online Conference Towards the Practical Space-Ground Integrated Quantum Communication Network Cheng-Zhi Peng CAS Center of Excellence in Quantum Information and Quantum Physics University of Science and

362 views • 15 slides
Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a

slide 1 gaius Encapsulation and Tunneling encapsulation describes the process of placing an IP datagram inside a network packet or frame encapsulation refers to how the network interface uses packet switching hardware two machines

499 views • 27 slides
Achieving Practical Applications of Quantum Computers Matthew Otten otten@anl.gov February 7th,

Achieving Practical Applications of Quantum Computers Matthew Otten otten@anl.gov February 7th,

Achieving Practical Applications of Quantum Computers Matthew Otten otten@anl.gov February 7th, 2020 Quantum Supremacy Frank Arute et al. Quantum supremacy using a programmable superconducting processor. In: Nature 574.7779 (2019), pp.

1.01k views • 38 slides
Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted

Practical Secure Two-Party Computation and Applications Lecture 4: Hardware-Assisted Cryptographic Protocols Estonian Winter School in Computer Science 2016 Motivation 2 Two Areas Cryptographic Protocols Secure Hardware strong security

759 views • 52 slides
Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for

Challenges to Practical End-to-end Implementation of Quantum Optimization Approaches for Combinatorial problems QTML Workshop Verona, Nov 6 (2017) - Davide Venturelli davide.venturelli@nasa.gov Challenges to Practical End-to-end

1.08k views • 79 slides
Security proof of practical quantum key distribution with detection-efficiency mismatch Yanbao

Security proof of practical quantum key distribution with detection-efficiency mismatch Yanbao

Security proof of practical quantum key distribution with detection-efficiency mismatch Yanbao Zhang NTT Research Center for Theoretical Quantum Physics NTT Basic Research Lab, Japan Based on the joint work arXiv:2004.04383 with Patrick J.

349 views • 20 slides
Quantum neural networksa practical approach Piotr Gawron AstroCeNTParticle Astrophysics

Quantum neural networksa practical approach Piotr Gawron AstroCeNTParticle Astrophysics

Quantum neural networksa practical approach Piotr Gawron AstroCeNTParticle Astrophysics Science and Technology Centre International Research Agenda Nicolaus Copernicus Astronomical Center, Polish Academy of Sciences Agenda Quantum

539 views • 31 slides
Toward the first quantum simulation with quantum speedup Andrew Childs University of Maryland

Toward the first quantum simulation with quantum speedup Andrew Childs University of Maryland

Toward the first quantum simulation with quantum speedup Andrew Childs University of Maryland Dmitri Maslov Yuan Su Yunseong Nam Neil Julien Ross arXiv:1711.10980; PNAS 2018 Toward practical quantum speedup IBM Google/UCSB Delft

1.05k views • 77 slides
Encapsulation grouping of subprograms and the data Encapsulation they manipulate

Encapsulation grouping of subprograms and the data Encapsulation they manipulate

Encapsulation grouping of subprograms and the data Encapsulation they manipulate Information hiding abstract data types type definition is hidden from the user variables of the type can be declared variables of the type

1.02k views • 15 slides
Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon

Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon

Genetic Algorithm to Study Practical Quantum Adversaries Walter O. Krawec Sam A. Markelon University of Connecticut, Storrs CT USA walter.krawec@gmail.com walterkrawec.org Quantum Key Distribution (QKD) Allows two users Alice (A) and

1.03k views • 55 slides
Secure bit commitment from relativistic constraints Jed Kaniewski Centre for Quantum Technologies

Secure bit commitment from relativistic constraints Jed Kaniewski Centre for Quantum Technologies

Secure bit commitment from relativistic constraints Jed Kaniewski Centre for Quantum Technologies National University of Singapore joint work with Marco Tomamichel, Esther H anggi and Stephanie Wehner [ arXiv: 1206.1740 ] QCrypt 2012,

1.54k views • 88 slides
You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2

You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2

You thought your communication was secure? Quantum computers are coming! Daniel J. Bernstein 1 , 2 Tanja Lange 1 1 Technische Universiteit Eindhoven 2 University of Illinois at Chicago 16 April 2016 1 / 33 Cryptography Motivation

1.01k views • 57 slides
(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

(post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya

Towards a better understanding of (post-)quantum security of symmetric key schemes NTT Secure Platform Laboratories (and Nagoya University) Akinori Hosoyamada @ASK 2019 (2019.12.13) Introduction Quantum Attacks against Symmetric

738 views • 56 slides

More recommend