how to share a lattice trapdoor
play

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures - PowerPoint PPT Presentation

Feb 22, 2024 •269 likes •678 views

How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara Krehbiel , Chris Peikert Georgia Institute of Technology June 26, 2013 ACNS 2013, Banff, Alberta, Canada 1/11 Threshold Cryptography Setting: A

  1. How to Share a Lattice Trapdoor: Threshold Protocols for Signatures and (H)IBE Rikke Bendlin, Sara Krehbiel , Chris Peikert Georgia Institute of Technology June 26, 2013 ACNS 2013, Banff, Alberta, Canada 1/11

  2. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. ACNS 2013, Banff, Alberta, Canada 2/11

  3. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Digital signature scheme: ◮ KeyGen �→ sk to a privileged party, publish vk ◮ Sign ( µ, sk ) �→ σ ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ without sk . ACNS 2013, Banff, Alberta, Canada 2/11

  4. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Threshold signatures: ◮ KeyGen �→ � sk � i to each party i , publish vk � s � i is i ’s share of secret s ◮ Sign ( µ, � sk � i from ≥ h honest parties ) �→ σ (e.g. [Shamir’79]) ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ without sk . ACNS 2013, Banff, Alberta, Canada 2/11

  5. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Threshold signatures: ◮ KeyGen �→ � sk � i to each party i , publish vk � s � i is i ’s share of secret s ◮ Sign ( µ, � sk � i from ≥ h honest parties ) �→ σ (e.g. [Shamir’79]) ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ with ≤ t shares of sk . ACNS 2013, Banff, Alberta, Canada 2/11

  6. Threshold Cryptography Setting: A crypto task can be performed securely and correctly with ≥ h honest and ≤ t corrupted of ℓ total parties. Threshold signatures: ◮ KeyGen �→ � sk � i to each party i , publish vk � s � i is i ’s share of secret s ◮ Sign ( µ, � sk � i from ≥ h honest parties ) �→ σ (e.g. [Shamir’79]) ◮ Verify ( µ, σ, vk ) �→ accept or reject Properties: ⋆ Correctness: Verify accepts ( µ, σ ) from Sign. ⋆ Unforgeability: infeasible to sign µ with ≤ t shares of sk . ⋆ Threshold efficiency: • Verify runtime and vk size independent of ℓ • Efficient and minimally interactive Sign (not general MPC!) ACNS 2013, Banff, Alberta, Canada 2/11

  7. Threshold Versions of Classical Cryptoschemes ◮ Variants of ElGamal ◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98 ◮ Shoup ’00 version of RSA ACNS 2013, Banff, Alberta, Canada 3/11

  8. Threshold Versions of Classical Cryptoschemes ◮ Variants of ElGamal ◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98 ◮ Shoup ’00 version of RSA ◮ All broken by the quantum algorithm of Shor ’97. ACNS 2013, Banff, Alberta, Canada 3/11

  9. Threshold Versions of Classical Cryptoschemes ◮ Variants of ElGamal ◮ Canetti-Goldwasser ’98 version of Cramer-Shoup ’98 ◮ Shoup ’00 version of RSA ◮ All broken by the quantum algorithm of Shor ’97. ◮ Lattices for the post-quantum world... (Image courtesy wikipedia.org) ACNS 2013, Banff, Alberta, Canada 3/11

  10. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ACNS 2013, Banff, Alberta, Canada 4/11

  11. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ◮ Sign ( sk, µ ) : ⋆ Sample x ∈ Z m q : Ax = H ( µ ) ∈ Z n q . (Image courtesy cryptoexperts.com/tlepoint) ACNS 2013, Banff, Alberta, Canada 4/11

  12. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ◮ Sign ( sk, µ ) : ⋆ Sample x ∈ Z m q : Ax = H ( µ ) ∈ Z n q . ◮ Verify ( vk, µ, x ) : ⋆ Accept iff x is short and Ax = H ( µ ) . (Image courtesy cryptoexperts.com/tlepoint) ACNS 2013, Banff, Alberta, Canada 4/11

  13. The GPV Schemes [GentryPeikertVaikuntanathan’08] GPV Signatures: ◮ KeyGen (1 n ) : ⋆ sk = R , vk = unif A ∈ Z n × m with trapdoor R . q ◮ Sign ( sk, µ ) : ⋆ Sample x ∈ Z m q : Ax = H ( µ ) ∈ Z n q . ◮ Verify ( vk, µ, x ) : ⋆ Accept iff x is short and Ax = H ( µ ) . IBE using sampling for key extraction [GPV’08] HIBE using trapdoor delegation [CHKP’10] ABE, group signatures, . . . [AFV’11, GKV’10] (Image courtesy cryptoexperts.com/tlepoint) ACNS 2013, Banff, Alberta, Canada 4/11

  14. Threshold Lattice-Based Schemes Challenges: ◮ Complex early KeyGen algorithms [Ajtai’99, AlwenPeikert’09] ◮ GPV sampling involves adaptive iterations ACNS 2013, Banff, Alberta, Canada 5/11

  15. Threshold Lattice-Based Schemes Challenges: ◮ Complex early KeyGen algorithms [Ajtai’99, AlwenPeikert’09] ◮ GPV sampling involves adaptive iterations Prior work: ◮ Encryption [BD’10, MSs’11, XXZ’11] ◮ Signatures [CLRS’10, FGM’10] ACNS 2013, Banff, Alberta, Canada 5/11

  16. Contribution Threshold Protocols: trapdoor generation, discrete Gaussian sampling, and trapdoor delegation = ⇒ lattice-based threshold signatures and (H)IBE Properties: ◮ Information-theoretic security ◮ Optimal thresholds ◮ Efficiency/security params independent of # parties ◮ Inefficiency/interactivity limited to offline phase ⋆ Offline phase: computation at keygen time ⋆ Online phase: computation once syndrome is known ACNS 2013, Banff, Alberta, Canada 6/11

  17. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] ACNS 2013, Banff, Alberta, Canada 7/11

  18. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] Definition Short R is a trapdoor for A if AR = G . ACNS 2013, Banff, Alberta, Canada 7/11

  19. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] Definition Short R is a trapdoor for A if AR = G . ◮ Key Generation: ⋆ Sample uniform ¯ A and random short ¯ R . � ¯ ⋆ Output A = [ ¯ A | G − ¯ A ¯ � R ] and R = R . I ACNS 2013, Banff, Alberta, Canada 7/11

  20. New Lattice Trapdoors [MicciancioPeikert’12] ◮ Trapdoor can be a short basis [GGH’97, GPV’08] ◮ Improved efficiency with trapdoor based on public gadget G [MP’12] Definition Short R is a trapdoor for A if AR = G . ◮ Key Generation: ⋆ Sample uniform ¯ A and random short ¯ R . � ¯ ⋆ Output A = [ ¯ A | G − ¯ A ¯ � R ] and R = R . I ◮ Given u , how to sample short Gaussian x with Ax = u using R ? ACNS 2013, Banff, Alberta, Canada 7/11

  21. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ACNS 2013, Banff, Alberta, Canada 8/11

  22. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u . ACNS 2013, Banff, Alberta, Canada 8/11

  23. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u ; but Rz is skewed. ACNS 2013, Banff, Alberta, Canada 8/11

  24. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u ; but Rz is skewed. ◮ Convolution lemma [P’10] : covariance and syndrome are additive = ⇒ add p from a different skewed Gaussian. ACNS 2013, Banff, Alberta, Canada 8/11

  25. The Convolution Approach for Sampling [P’10, MP’12] Given A , R , and u , sample short Gaussian x with Ax = u . ◮ Easy to sample short z with Gz = A ( Rz ) = u ; but Rz is skewed. ◮ Convolution lemma [P’10] : covariance and syndrome are additive = ⇒ add p from a different skewed Gaussian. Standalone sample algorithm: ◮ Offline: Sample p , store with w = Ap . ◮ Online: Given u , sample z with Gz = u − w . Output x = p + Rz . ACNS 2013, Banff, Alberta, Canada 8/11

  26. Sampling in a Threshold Setting Given A , R , and u , sample short Gaussian x with Ax = u . Offline: ◮ Threshold sample shares of p and store with public w = Ap . ◮ Threshold sample and store shares of syndrome correction data. Online: (party i ) ◮ Retrieve � p � i and w . ◮ Assemble � Rz � i for Gaussian z with Gz = u − w . ◮ Broadcast � x � i = � p � i + � Rz � i and reconstruct x . ACNS 2013, Banff, Alberta, Canada 9/11

Recommend

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia

Trapdoors for Lattices: Signatures, ID-Based Encryption, and Beyond Chris Peikert Georgia Institute of Technology Lattice Crypto Day ENS, 29 May 2010 1 / 23 Talk Agenda 1 Lattice-based trapdoor functions and oblivious sampling 2

1.28k views • 103 slides
Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview

Faster Gaussian Sampling for Trapdoor Lattices with Arbitrary Modulus Nicholas Genise Daniele Micciancio (UCSD) 1 Overview of the Talk Part 1: Background Part 2: Our solution for arbitrary modulus G-lattice sampling Part 3: Our

210 views • 20 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems .

345 views • 3 slides
Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for

Trapdoor Problems Basing the solution on the complexity of problems, which are easy to solve for the legal users, but are very difficult to the eavesdroppers. Public Key Cryptography 1 Such problems are called trapdoor problems . They allow to

379 views • 5 slides
Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions

Wave: A new family of trapdoor preimage sampleable functions Thomas Debris-Alazard, Nicolas Sendrier Wave: A new family of trapdoor and Jean-Pierre Tillich preimage sampleable functions Introduction Hardness of Syndrome Decoding for

902 views • 59 slides
Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas;

Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas;

Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas; ntroducing the lattice gas; 2) Analytic description of the lattice gas; 3) Program objectives; 4) How to implement it (efficiently); 5)

321 views • 28 slides
RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions

RSA Public Key CryptoSystem One way Trapdoor Functions Diffie and Hellman (76) New Directions in Cryptography Split the Bobs secret key K to two parts: K E , to be used for encrypting messages to Bob. K D , to be used for

482 views • 32 slides
Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm?

Trapdoor simulation Algorithms in CS courses of quantum algorithms WHAT is your algorithm? Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Joint work with: Tung Chou Technische

922 views • 70 slides
New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1,

New Constructions and Applications of Trapdoor DDH Groups Yannick Seurin ANSSI, France March 1, PKC 2013 Yannick Seurin (ANSSI) Trapdoor DDH Groups PKC 2013 1 / 27 Introduction Introduction: CDH versus DDH group G , element G G of

954 views • 60 slides
Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on

Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on

Birmingham High Energy Physics Group - Particle Physics Seminar, University of Birmingham, 08.06.2016 Andreas Jttner Lattice QCD Outline 1. Lattice QCD (why and what) 2. Precision flavour physics 3. (g-2) on the lattice 4. Pushing

713 views • 52 slides
Lattice Points in Polytopes Richard P. Stanley U. Miami & M.I.T. A lattice polygon Georg

Lattice Points in Polytopes Richard P. Stanley U. Miami & M.I.T. A lattice polygon Georg

Lattice Points in Polytopes Richard P. Stanley U. Miami & M.I.T. A lattice polygon Georg Alexander Pick (18591942) P : lattice polygon in R 2 (vertices Z 2 , no self-intersections) Boundary and interior lattice points Picks

1.4k views • 120 slides
Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li,

Efficient Lossy Trapdoor Functions based on Subgroup Membership Assumptions Haiyang Xue, Bao Li, Xianhui Lu, Dingding Jia, Yamin Liu Institute of Information Engineering , Chinese Academy of Sciences 2013.11.21 Xue, Li, Lu, Jia, Liu (IIE)

274 views • 23 slides
Lattice Methods in Field Theory Contents 1. Motivation 2. BasicsEuclidean quantisation 3.

Lattice Methods in Field Theory Contents 1. Motivation 2. BasicsEuclidean quantisation 3.

Lattice Methods in Field Theory Contents 1. Motivation 2. BasicsEuclidean quantisation 3. Lattice gauge fields Jonathan Flynn 4. Lattice fermions University of Southampton 5. Lattice QCD 6. Numerical simulations BUSSTEPP 2002

550 views • 22 slides
When is the lattice of closure operators on a subgroup lattice again a subgroup lattice? Martha

When is the lattice of closure operators on a subgroup lattice again a subgroup lattice? Martha

When is the lattice of closure operators on a subgroup lattice again a subgroup lattice? Martha Kilpack 1 and Arturo Magidin 2 1 Brigham Young University 2 University of Louisiana at Lafayette Groups St Andrews 2017 Martha Kilpack and Arturo

1.43k views • 77 slides
Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang

Efficient Threshold Encryption from Lossy Trapdoor Functions Xiang Xie, Rui Xue and Rui Zhang SKLOIS Chinese Academy of Sciences Outline Background Our Results Our Constructions Conclusions 2 Threshold Public Key Encryption

854 views • 32 slides
Review on Lattice Muon g-2 HVP Calculation Kohtaroh Miura (GSI Helmholtz-Instute Mainz) Lattice

Review on Lattice Muon g-2 HVP Calculation Kohtaroh Miura (GSI Helmholtz-Instute Mainz) Lattice

Introduction Challenges and Progresses Discussion Summary and Conclusions Review on Lattice Muon g-2 HVP Calculation Kohtaroh Miura (GSI Helmholtz-Instute Mainz) Lattice 2018, 36th International Symposium on Lattice Field Theory, Michigan

885 views • 49 slides
Constructing a Crystal Once you specify the lattice, you can then hang a

Constructing a Crystal Once you specify the lattice, you can then hang a

Constructing a Crystal Once you specify the lattice, you can then hang a collection of atoms off of each position in the lattice Important: every lattice point (point on the scaffold) must have the exact same environment.

304 views • 18 slides
On the Lossiness of the Rabin Trapdoor Function Yannick Seurin ANSSI, France March 27, 2014

On the Lossiness of the Rabin Trapdoor Function Yannick Seurin ANSSI, France March 27, 2014

On the Lossiness of the Rabin Trapdoor Function Yannick Seurin ANSSI, France March 27, 2014 PKC 2014 Y. Seurin (ANSSI) Lossiness of Rabin TDF PKC 2014 1 / 28 Summary Summary of results We show that the Rabin Trapdoor Function (modular

803 views • 56 slides
An approach from Lattice Computing to fMRI analysis Manuel Graa, Maite Garca-Sebastin, Ivan

An approach from Lattice Computing to fMRI analysis Manuel Graa, Maite Garca-Sebastin, Ivan

Introduction The Linear Mixing Model Lattice Independence and Lattice Autoassociative Memories Endmember Induction Heuristic Algorithm (EIHA) A case study Conclusions and discussion An approach from Lattice Computing to fMRI analysis Manuel

457 views • 31 slides
Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio

Faster Gaussian Sampling for Trapdoor Lattices (with any modulus) March 2017 Daniele Micciancio (UCSD) Nicholas Genise (UCSD) Modern Cryptography Founded on Mathematics / Complexity Theory Start from mathematical problem P that is

461 views • 32 slides
Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad

Trapdoor functions from the Computational Diffie-Hellman Assumption Sanjam Garg 1 Mohammad Hajiabadi 1 , 2 1 University of California, Berkeley 2 University of Virginia August 22, 2018 1 / 18 Classical Public-Key Crypto 2 / 18 Classical

696 views • 55 slides
Lattice Calculation of PDFs Two Challenges. Euclidean lattice precludes the calculation of

Lattice Calculation of PDFs Two Challenges. Euclidean lattice precludes the calculation of

Lattice Calculation of PDFs Two Challenges. Euclidean lattice precludes the calculation of light-cone correlation functions So Use Operator-Product-Expansion to formulate in terms of Mellin Moments with respect to Bjorken x . Z d

317 views • 10 slides
Extension Field Cancellation A New MQ Trapdoor Construction February 2016 Alan Szepieniec 1 ,

Extension Field Cancellation A New MQ Trapdoor Construction February 2016 Alan Szepieniec 1 ,

Extension Field Cancellation A New MQ Trapdoor Construction February 2016 Alan Szepieniec 1 , Jintai Ding 2 , Bart Preneel 1 1: KU Leuven, ESAT/COSIC first.secondname@esat.kuleuven.be 2: University of Cincinnati, jintai.ding@uc.edu 1/24

587 views • 24 slides
The Lattice Project A Computational Grid System Presented by Adam Bazinet The Lattice Project

The Lattice Project A Computational Grid System Presented by Adam Bazinet The Lattice Project

The Lattice Project A Computational Grid System Presented by Adam Bazinet The Lattice Project The Lattice Project is primarily aimed at effectively sharing computational resources between departments and institutions, starting with those in

360 views • 12 slides

More recommend