gravity sphincs
play

Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe - PowerPoint PPT Presentation

Apr 24, 2023 •365 likes •725 views

Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 11 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1 Introduction: SPHINCS Hash-based signatures

  1. Gravity-SPHINCS First PQC Standardization Conference Jean-Philippe Aumasson 1 , Guillaume Endignoux 2 Wednesday 11 th April, 2018 1 Kudelski Security 2 Work done while at Kudelski Security and EPFL 1

  2. Introduction: SPHINCS

  3. Hash-based signatures SPHINCS = stateless many-time signatures (up to 2 50 messages). Merkle • Hyper-tree of WOTS signatures ≈ certificate chain . . . WOTS • Hyper-tree of height H = 60, divided in 12 layers of . . . Hyper-tree {Merkle tree + WOTS} Merkle . . . Sign message M : . . . • Select index 0 ≤ i < 2 60 • Sign M with i -th HORST instance HORST • Chain of WOTS signatures. Figure 1: SPHINCS. 2

  4. Hash-based signatures Hash-based signatures in a nutshell: • Post-quantum security well understood ⇒ Grover’s algorithm : preimage-search in O ( 2 n / 2 ) instead of O ( 2 n ) for n -bit hash function. • Signature size is quite large: 41 KB for SPHINCS (stateless), 8 KB for XMSS (stateful). 3

  5. Gravity-SPHINCS

  6. Gravity-SPHINCS We propose improvements to reduce signature size of SPHINCS: • PRNG to obtain a random subset (PORS) • Octopus: optimized multi-authentication in Merkle trees • Secret key caching • Non-masked hashing 4

  7. Implementation Open-source implementations: • Reference C implementation in the submission • Optimized implementation for Intel ( AES-NI + SSE/AVX ) https://github.com/gravity-postquantum/gravity-sphincs • Rust implementation with focus on clarity and testing https://github.com/gendx/gravity-rs 5

  8. Benchmarks Some benchmarks on our optimized implementation 1 Instance S M L Key generation 0.4 s 12 s 6 s Sign 5 ms 7 ms 8 ms Verify 0.04 ms 0.12 ms 0.16 ms Signature size 2 (bytes) ≤ 12640 ≤ 28929 ≤ 35168 2 10 2 50 2 64 Capacity 1 Intel Core i5-6360U CPU @ 2.00 GHz 2 Size varies depending on the message and key 6

  9. PRNG to obtain a random subset

  10. From HORS to PORS Sign a message M with HORS: • Hash the message H ( M ) = 28c5c ... • Split the hash to obtain indices { 2 , 8 , c , 5 , c , . . . } and reveal values S 2 , S 8 , . . . SPHINCS leaf i c c 2 8 5 M H Public key P 0 P 1 P 2 P 3 P 4 P 5 P 6 P 7 P 8 P 9 P 10 P 11 P 12 P 13 P 14 P 15 H H H H H H H H H H H H H H H H Secret key S 0 S 1 S 2 S 3 S 4 S 5 S 6 S 7 S 8 S 9 S 10 S 11 S 12 S 13 S 14 S 15 7

  11. From HORS to PORS Sign a message M with HORS: • Hash the message H ( M ) = 28c5c ... • Split the hash to obtain indices { 2 , 8 , c , 5 , c , . . . } and reveal values S 2 , S 8 , . . . SPHINCS leaf i c c 2 8 5 M H Problems : • Some indices may be the same ⇒ fewer values revealed ⇒ lower security... • Attacker is free to choose the hyper-tree index i ⇒ larger attack surface. 7

  12. From HORS to PORS PORS = PRNG to obtain a random subset. • Seed a PRNG from the message. • Generate the hyper-tree index. • Ignore duplicated indices. SPHINCS leaf G 2 8 c 5 c e M i Significant security improvement for the same parameters! 8

  13. From HORS to PORS Advantages of PORS: • Significant security improvement for the same parameters! • Smaller hyper-tree than SPHINCS for same security level ⇒ Signatures are 4616 bytes smaller. • Performance impact of PRNG vs. hash function is negligible ⇒ For SPHINCS, generate only 32 distinct values. 9

  14. Octopus: multi-authentication in Merkle trees

  15. Octopus Merkle tree of height h = compact way to authenticate any of 2 h values. • Small public value = root • Small proofs of membership = h authentication nodes 10

  16. Octopus How to authenticate k values? • Use k independent proofs = kh nodes. • This is suboptimal! Many redundant values... 11

  17. Octopus How to authenticate k values? • Optimal solution: compute smallest set of authentication nodes. 12

  18. Octopus How many bytes does it save? • It depends on the shape of the “octopus”! • Examples for h = 4 and k = 4: between 2 and 8 authentication nodes. 13

  19. Octopus Theorem Given a Merkle tree of height h and k leaves to authenticate, the minimal number of authentication nodes n verifies: h − ⌈ log 2 k ⌉ ≤ n ≤ k ( h − ⌊ log 2 k ⌋ ) ⇒ For k > 1, this is always better than the kh nodes for k independent proofs! 14

  20. Octopus In the case of SPHINCS, k = 32 uniformly distributed leaves , tree of height h = 16. In our paper 3 , recurrence relation to compute average number of authentication nodes. Method Number of auth. nodes Independent proofs 512 SPHINCS 4 384 Octopus (worst case) 352 Octopus (average) 324 ⇒ Octopus authentication saves 1909 bytes for SPHINCS signatures on average. 3 https://eprint.iacr.org/2017/933 , to appear at CT-RSA 4 SPHINCS has a basic optimization to avoid redundant nodes close to the root. 15

  21. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  22. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  23. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  24. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  25. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  26. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  27. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  28. Octopus algorithm • Bottom-up algorithm to compute the optimal authentication nodes. • Formal specification in the submission, let’s see an example. 16

  29. Other optimizations

  30. Secret key caching WOTS signatures to “connect” Merkle trees are large ( ≈ 2144 bytes per WOTS ). Figure 2: SPHINCS. 17

  31. Secret key caching • We use a larger root Merkle tree , and cache computed more values in private cached key at key key. generation • Removing 3 levels = time 6432 bytes saved! (re)computed at signing • This cache can be time regenerated from a small private seed (32 bytes) . Figure 3: Secret key caching. 18

  32. Non-masked hashing • In SPHINCS, Merkle trees have a XOR-and-hash construction, to use a 2nd-preimage-resistant hash function H . • Various masks, depending on location in hyper-tree; all stored in the public key. • Post-quantum preimage search is faster with Grover’s algorithm ⇒ We remove the masks and rely on collision-resistant H . H H m i (a) Masked hashing in SPHINCS. (b) Mask off. 19

  33. Conclusion

  34. Take-aways Hash-based signatures: • well-understood security, • fast signing, very fast verification. What’s new in Gravity-SPHINCS? • octopus + PORS = great improvement over HORST, • secret-key caching = trade-off key generation time / signature size for a “powerful” signer, • mask-less hashing = simpler scheme. 20

  35. Conclusion Thank you for your attention! 21

Recommend

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical

Putting wings on SPHINCS PQCRYPTO Conference Stefan K olbl April 10th, 2018 Technical University of Denmark, Cybercrypt SPHINCS SPHINCS Hash-based signature scheme Stateless 128-bit post-quantum security Sizes: Public

692 views • 55 slides
A new submission to the SNAKE OIL CRYPTO competition Roberto Avanzi @FakeIACR (ad hodorem)

A new submission to the SNAKE OIL CRYPTO competition Roberto Avanzi @FakeIACR (ad hodorem)

A new submission to the SNAKE OIL CRYPTO competition Roberto Avanzi @FakeIACR (ad hodorem) Diego Aranha (our network expert) ANNOUNCEMENT After SPHINCS and SPHINCS-Haraka we are introducing a third variant of this

482 views • 4 slides
Transient Capability of a Multi-group Pin Homogenized SP 3 Code SPHINCS Hyun Ho Cho 1) , Junsu Kang

Transient Capability of a Multi-group Pin Homogenized SP 3 Code SPHINCS Hyun Ho Cho 1) , Junsu Kang

Transactions of the Korean Nuclear Society Virtual Spring Meeting July 9-10, 2020 Transient Capability of a Multi-group Pin Homogenized SP 3 Code SPHINCS Hyun Ho Cho 1) , Junsu Kang 1) , Joo Il Yoon 2) and Han Gyu Joo 1)* Seoul National University,

272 views • 4 slides
SCHEME SPHINCS-256 Dorian Amiet 1 , Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule fr

SCHEME SPHINCS-256 Dorian Amiet 1 , Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule fr

IMES FPGA-BASED ACCELERATOR FOR POST-QUANTUM SIGNATURE SCHEME SPHINCS-256 Dorian Amiet 1 , Andreas Curiger 2 and Paul Zbinden 1 1 HSR Hochschule fr Technik, Rapperswil, Switzerland 2 Securosys SA, Zrich, Switzerland CHES 2018 12.09.2018

525 views • 28 slides
Constructive Gravity A New Approach to Modified Gravity Theories Marcus C. Werner, Kyoto

Constructive Gravity A New Approach to Modified Gravity Theories Marcus C. Werner, Kyoto

Constructive Gravity A New Approach to Modified Gravity Theories Marcus C. Werner, Kyoto University Gravity and Cosmology 2018 YITP Long Term Workshop, 27 February 2018 Constructive gravity Standard approach to modified gravity: E ff ective

486 views • 15 slides
SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas Hlsing Tanja Lange Ruben Niederhagen Louiza Papachristodoulou Michael Schneider Peter Schwabe Zooko Wilcox-OHearn 28 April 2015 Hash-based

586 views • 33 slides
SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas H

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas H

SPHINCS: practical stateless hash-based signatures Daniel J. Bernstein Daira Hopwood Andreas H ulsing Tanja Lange Ruben Niederhagen Louiza Papachristodoulou Michael Schneider Peter Schwabe Zooko Wilcox-OHearn 2 April 2015 Traditional hash-based

288 views • 10 slides
The Uncertainty Principle in Einstein Gravity Gaetano Vilasi Universit degli Studi di Salerno,

The Uncertainty Principle in Einstein Gravity Gaetano Vilasi Universit degli Studi di Salerno,

Quantum Mechanics and Einstein Gravity The Heisenberg Uncertainty Principle The Uncertainty Principle in Newton Gravity, (DA) The Uncertainty Principle in Einstein Gravity, (DA) The Uncertainty Principle and Einstein Gravity The photon

772 views • 58 slides
Thermodynamics of AdS 3 gravity: extremal CFTs vs. semi-classical gravity Yasunari Kurita

Thermodynamics of AdS 3 gravity: extremal CFTs vs. semi-classical gravity Yasunari Kurita

Strings and Fields 2019 @ YITP, Kyoto 20 Aug 2019 Thermodynamics of AdS 3 gravity: extremal CFTs vs. semi-classical gravity Yasunari Kurita Kanagawa Inst. Tech. 1 AdS 3 pure gravity Asymptotic symmetry is Virasoro sym. with central charge

520 views • 17 slides
Our Our Place Place in in the the Cosmos Cosmos Suns gravity determines motion of the

Our Our Place Place in in the the Cosmos Cosmos Suns gravity determines motion of the

Gravity Gravity rules the Universe It holds objects like the Sun and Earth together Our Our Place Place in in the the Cosmos Cosmos Suns gravity determines motion of the planets of the Solar System Lecture 7 Gravity binds

387 views • 5 slides
Lecture series on 3d gravity Lecture 1: Geometry of Classical 3d Gravity Quantum Structure of

Lecture series on 3d gravity Lecture 1: Geometry of Classical 3d Gravity Quantum Structure of

Lecture series on 3d gravity Lecture 1: Geometry of Classical 3d Gravity Quantum Structure of Spacetime and Gravity 2016 August 21-28 2016 Belgrade, Serbia Catherine Meusburger Department Mathematik, Universitt Erlangen-Nrnberg

502 views • 19 slides
Quantum gravity and TQFTs with defects Marc Geiller Perimeter Institute Quantum Gravity in Paris

Quantum gravity and TQFTs with defects Marc Geiller Perimeter Institute Quantum Gravity in Paris

Quantum gravity and TQFTs with defects Marc Geiller Perimeter Institute Quantum Gravity in Paris March 20 th 23 rd 2017 0 / 24 Introduction Bottom-up approach to quantum gravity Think of quantum gravity as a theory of quantum geometry

617 views • 51 slides
Le Centre Galactique vu par linstrument GRAVITY du VLTI Karine PERRAUT Institut de

Le Centre Galactique vu par linstrument GRAVITY du VLTI Karine PERRAUT Institut de

Le Centre Galactique vu par linstrument GRAVITY du VLTI Karine PERRAUT Institut de Plantologie et dAstrophysique de Grenoble and the GRAVITY Team The GRAVITY collaboration, Astr. &amp; Astrophys. 2017, 692, 94 The GRAVITY collaboration,

467 views • 21 slides
Conformal Tensors in Lovelock Gravity Lovelock gravity shares important features with Einstein

Conformal Tensors in Lovelock Gravity Lovelock gravity shares important features with Einstein

Conformal Tensors in Lovelock Gravity Lovelock gravity shares important features with Einstein gravity But exactly which features? Do we know them all? Formulate some basic questions a) Higher Curvature Bianchi Identities b) Analogues

303 views • 26 slides
Restricted Gravity A New Approach to Quantum Gravity Y. M. Cho School of Electrical and

Restricted Gravity A New Approach to Quantum Gravity Y. M. Cho School of Electrical and

Restricted Gravity A New Approach to Quantum Gravity Y. M. Cho School of Electrical and Computer Engineering Ulsan National Institute of Science and Technology and School of Physics and Astronomy College of Natural Science, Seoul

731 views • 47 slides
Chapter 13. Newtons Theory of Gravity Chapter Goal: To use Newtons theory of gravity to

Chapter 13. Newtons Theory of Gravity Chapter Goal: To use Newtons theory of gravity to

Chapter 13. Newtons Theory of Gravity Chapter Goal: To use Newtons theory of gravity to understand the motion of satellites and planets. Geocentric Model of Ptolemy Earth at the center of the universe From ancient Greeks to middle ages

385 views • 11 slides
Towards a Towards a Gauge Theory of Gravity Gauge Theory of Gravity Ivan Debono Fundamental

Towards a Towards a Gauge Theory of Gravity Gauge Theory of Gravity Ivan Debono Fundamental

Towards a Towards a Gauge Theory of Gravity Gauge Theory of Gravity Ivan Debono Fundamental Interactions All physical interactions in nature described by 4 fundamental forces: Gravity Electromagnetism Weak nuclear force

390 views • 20 slides
A new look at Newton-Cartan gravity Eric Bergshoeff Groningen University Memorial Meeting for

A new look at Newton-Cartan gravity Eric Bergshoeff Groningen University Memorial Meeting for

NC Gravity from gauging Bargmann The Schr odinger Method NC Gravity with Torsion Future Directions A new look at Newton-Cartan gravity Eric Bergshoeff Groningen University Memorial Meeting for Nobel Laureate Professor Abdus Salams 90th

623 views • 33 slides
#1: Gravity Gravity : One of the (4) fundamental forces Objects with mass attract other objects

#1: Gravity Gravity : One of the (4) fundamental forces Objects with mass attract other objects

13.1-13.2 #1: Gravity Gravity : One of the (4) fundamental forces Objects with mass attract other objects with mass F = G m 1 m 2 Newtons Law of Gravitation: r 2 Gravity is a very weak force G = 6.67 10 11 N m 2 kg 2 It is a

301 views • 6 slides
THE STABILITY CONDITIONS OF MODIFIED GRAVITY MODELS AND THEIR APPLICATIONS Gravity and Cosmology

THE STABILITY CONDITIONS OF MODIFIED GRAVITY MODELS AND THEIR APPLICATIONS Gravity and Cosmology

THE STABILITY CONDITIONS OF MODIFIED GRAVITY MODELS AND THEIR APPLICATIONS Gravity and Cosmology 2018 YITP, Kyoto University 13 February 2018 Georgios Papadomanolakis Lorentz Institute, Leiden University Based on: N. Frusciante, G.P. and A.

977 views • 18 slides
Black Holes Microstates in Three Dimensional Gravity Alex Maloney Northeast Gravity Workshop

Black Holes Microstates in Three Dimensional Gravity Alex Maloney Northeast Gravity Workshop

Black Holes Microstates in Three Dimensional Gravity Alex Maloney Northeast Gravity Workshop 4-22-16 1508.04079 &amp; to appear The Puzzle: Nature at low energies is well described by a local field theory: General Relativity + the

401 views • 15 slides
Topologically massive gravity and the AdS/CFT correspondence Balt van Rees 8 September 2009

Topologically massive gravity and the AdS/CFT correspondence Balt van Rees 8 September 2009

Topologically massive gravity and the AdS/CFT correspondence Balt van Rees 8 September 2009 Based on work with K. Skenderis and M. Taylor: arXiv:0906.4926 Topologically massive gravity Three-dimensional pure Einstein gravity is locally

736 views • 15 slides
A New Road to Massive Gravity? Eric Bergshoeff Groningen University based on a collaboration

A New Road to Massive Gravity? Eric Bergshoeff Groningen University based on a collaboration

Introduction General Procedure Higher-Derivative Gravity Comparison to Massive Gravity Conclusions A New Road to Massive Gravity? Eric Bergshoeff Groningen University based on a collaboration with Marija Kovacevic, Jose Juan

1.04k views • 45 slides
Dark Energy The Modified Gravity Perspective Part II: Beyond GR with Screening David F . Mota

Dark Energy The Modified Gravity Perspective Part II: Beyond GR with Screening David F . Mota

Dark Energy The Modified Gravity Perspective Part II: Beyond GR with Screening David F . Mota Institute of Theoretical Astrophysics University of Oslo 2015 Basic Observational Requirements of Modifying Gravity Modified Gravity as

377 views • 22 slides

More recommend