improvement and efficient implementation of a lattice
play

Improvement and Efficient Implementation of a Lattice-based - PowerPoint PPT Presentation

Feb 12, 2023 •178 likes •633 views

Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1 Outline

  1. Improvement and Efficient Implementation of a Lattice-based Signature scheme Rachid El Bansarkhani, Johannes Buchmann Technische Universit¨ at Darmstadt TU Darmstadt August 2013 Rachid El Bansarkhani Lattice-based Signatures1

  2. Outline Introduction to Lattice-based Crypto Lattice-based Hash Function Lattice-based Signature Scheme Contributions Experimental Resaults Rachid El Bansarkhani Lattice-based Signatures2

  3. Introduction A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b 1 , . . . , b n } ∈ R n : n � b i · Z = { Bx : x ∈ Z n } ⊂ R n L = i =1 A lattice has infinitely many bases: n L = � c i · Z i =1 Definition (Lattices) A discrete additive subgroup of R n Rachid El Bansarkhani Lattice-based Signatures3

  4. Introduction A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b 1 , . . . , b n } ∈ R n : n � b i · Z = { Bx : x ∈ Z n } ⊂ R n L = i =1 A lattice has infinitely many bases: n L = � c i · Z i =1 Definition (Lattices) A discrete additive subgroup of R n Rachid El Bansarkhani Lattice-based Signatures3

  5. Introduction A lattice is the set of all integer linear combinations of (linearly independent) basis vectors B = { b 1 , . . . , b n } ∈ R n : n � b i · Z = { Bx : x ∈ Z n } ⊂ R n L = i =1 A lattice has infinitely many bases: n L = � c i · Z i =1 Definition (Lattices) A discrete additive subgroup of R n Rachid El Bansarkhani Lattice-based Signatures3

  6. Introduction The shortest vector v in a lattice: lattice point with minimum distance λ 1 = � v � to the origin λ 1 ( L ) = x � = 0 , x ∈L � x � min More generally, λ k denotes the smallest radius of a ball containing k linearly independent vectors Rachid El Bansarkhani Lattice-based Signatures4

  7. Introduction The shortest vector v in a lattice: lattice point with minimum distance λ 1 = � v � to the origin λ 1 ( L ) = x � = 0 , x ∈L � x � min More generally, λ k denotes the smallest radius of a ball containing k linearly independent vectors Rachid El Bansarkhani Lattice-based Signatures4

  8. Computational Problems Definition (Shortest Vector Problem) Given a basis B = { b 1 , . . . , b n } , find the shortest nonzero vector v in the lattice L ( B ), i.e. � v � = λ 1 Rachid El Bansarkhani Lattice-based Signatures5

  9. Computational Problems Definition (Shortest Vector Problem) Given a basis B = { b 1 , . . . , b n } , find the shortest nonzero vector v in the lattice L ( B ), i.e. � v � = λ 1 Rachid El Bansarkhani Lattice-based Signatures5

  10. Computational Problems Definition (Shortest Vector Problem) Given a basis B = { b 1 , . . . , b n } , find the shortest nonzero vector v in the lattice L ( B ), i.e. � v � = λ 1 Rachid El Bansarkhani Lattice-based Signatures5

  11. Hash function Lattice-based hash function [Ajtai96]: f A ( x ) = A · x mod q Input parameters: q ∈ Z (e.g. 2 19 ) Choose A ∈ Z n × m uniformly at random, n (e.g. n=256) is q main security parameter m > n · log 2 q x is from a bounded domain, e.g. x ∈ { 0 , 1 } n Rachid El Bansarkhani Lattice-based Signatures6

  12. Hash function Lattice-based hash function [Ajtai96]: f A ( x ) = A · x mod q Input parameters: q ∈ Z (e.g. 2 19 ) Choose A ∈ Z n × m uniformly at random, n (e.g. n=256) is q main security parameter m > n · log 2 q x is from a bounded domain, e.g. x ∈ { 0 , 1 } n Rachid El Bansarkhani Lattice-based Signatures6

  13. Hash function Lattice-based hash function [Ajtai96]: f A ( x ) = A · x mod q Input parameters: q ∈ Z (e.g. 2 19 ) Choose A ∈ Z n × m uniformly at random, n (e.g. n=256) is q main security parameter m > n · log 2 q x is from a bounded domain, e.g. x ∈ { 0 , 1 } n Rachid El Bansarkhani Lattice-based Signatures6

  14. Hash function Lattice-based hash function [Ajtai96]: f A ( x ) = A · x mod q Input parameters: q ∈ Z (e.g. 2 19 ) Choose A ∈ Z n × m uniformly at random, n (e.g. n=256) is q main security parameter m > n · log 2 q x is from a bounded domain, e.g. x ∈ { 0 , 1 } n Rachid El Bansarkhani Lattice-based Signatures6

  15. Hash Function f A ( x ) = A · x mod q : is a compression function maps m bits to n log 2 q bits inversion and finding collisions as hard as worst-case lattice problems Rachid El Bansarkhani Lattice-based Signatures7

  16. Hash Function Hardness of finding collisions Finding collisions in the average case, where A is chosen at random, is hard, provided approximating SIVP is hard in the worst-case Rachid El Bansarkhani Lattice-based Signatures8

  17. From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A ∈ Z n × m and trapdoor R , RO H ( · ), q PSTF: f A ( x ) = A · x mod q Signing of message m : signature σ = f − 1 A ( H ( m )) using trapdoor R . Verification: � σ �≤ bound and f A ( σ ) = H ( m ) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Rachid El Bansarkhani Lattice-based Signatures9

  18. From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A ∈ Z n × m and trapdoor R , RO H ( · ), q PSTF: f A ( x ) = A · x mod q Signing of message m : signature σ = f − 1 A ( H ( m )) using trapdoor R . Verification: � σ �≤ bound and f A ( σ ) = H ( m ) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Rachid El Bansarkhani Lattice-based Signatures9

  19. From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A ∈ Z n × m and trapdoor R , RO H ( · ), q PSTF: f A ( x ) = A · x mod q Signing of message m : signature σ = f − 1 A ( H ( m )) using trapdoor R . Verification: � σ �≤ bound and f A ( σ ) = H ( m ) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Rachid El Bansarkhani Lattice-based Signatures9

  20. From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A ∈ Z n × m and trapdoor R , RO H ( · ), q PSTF: f A ( x ) = A · x mod q Signing of message m : signature σ = f − 1 A ( H ( m )) using trapdoor R . Verification: � σ �≤ bound and f A ( σ ) = H ( m ) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Rachid El Bansarkhani Lattice-based Signatures9

  21. From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A ∈ Z n × m and trapdoor R , RO H ( · ), q PSTF: f A ( x ) = A · x mod q Signing of message m : signature σ = f − 1 A ( H ( m )) using trapdoor R . Verification: � σ �≤ bound and f A ( σ ) = H ( m ) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Rachid El Bansarkhani Lattice-based Signatures9

  22. From Hash Functions to a Signature Scheme Signature scheme by Gentry, Peikert and Vaikunthanatan [GPV08] using Preimage Sampleable Trapdoor Functions (PSTF): Hash-and-Sign for lattices Keygen: random matrix A ∈ Z n × m and trapdoor R , RO H ( · ), q PSTF: f A ( x ) = A · x mod q Signing of message m : signature σ = f − 1 A ( H ( m )) using trapdoor R . Verification: � σ �≤ bound and f A ( σ ) = H ( m ) Similar to RSA Hash-and-Sign, but Verification process differs Forging signatures as hard as inverting lattice-based hash functions Secure in the RO Rachid El Bansarkhani Lattice-based Signatures9

  23. From Hash Hunctions to a Signature Scheme Main challenge: How to generate random Matrix A , enabling the signer to sign messages? Solution : Use the trapdoor R to generate a random matrix A . Rachid El Bansarkhani Lattice-based Signatures10

  24. From Hash Functions to a Signature Scheme Construction of A according to Micciancio an Peikert [MP12] : � ¯ G − ¯ � A = A | AR Parameters: ¯ A ∈ Z n × n is uniformly dist. q R ∈ Z n × nk is the secret/trapdoor (small entries) A is pseudorandom (comp. instantiation) Rachid El Bansarkhani Lattice-based Signatures11

  25. From Hash Functions to a Signature Scheme Implementation issues: q = 2 k more suitable for practice entries of R are sampled from a discrete Gaussian 2 k − 1   1 2 . . . 0 ... G =     2 k − 1 0 1 2 . . . Rachid El Bansarkhani Lattice-based Signatures12

  26. From Hash Functions to a Signature Scheme Implementation issues: q = 2 k more suitable for practice entries of R are sampled from a discrete Gaussian 2 k − 1   1 2 . . . 0 ... G =     2 k − 1 0 1 2 . . . Rachid El Bansarkhani Lattice-based Signatures12

Recommend

IMPROVEMENT ? How do improvement science and implementation science contribute to quality and

IMPROVEMENT ? How do improvement science and implementation science contribute to quality and

IMPROVING IMPLEMENTATION OR IMPLEMENTING IMPROVEMENT ? How do improvement science and implementation science contribute to quality and effectiveness in health care? Abe Wandersman, PhD Professor Dept. of Psychology University of South Carolina

1.15k views • 81 slides
Operational Quality Improvement Operational Quality Improvement Designing Safe and Efficient

Operational Quality Improvement Operational Quality Improvement Designing Safe and Efficient

09/18/2012 Caroline LeGarde, Administrator, Johns Hopkins Department of Dermatology September 14, 2012 Operational Quality Improvement Operational Quality Improvement Designing Safe and Efficient Systems and Spaces Operational Quality Improvement

433 views • 24 slides
Efficient Implementation of a Generalized Pair HMM for Efficient Implementation of a Generalized

Efficient Implementation of a Generalized Pair HMM for Efficient Implementation of a Generalized

Efficient Implementation of a Generalized Pair HMM for Efficient Implementation of a Generalized Pair HMM for Comparative Gene Finding Comparative Gene Finding B. Majoros M. Pertea S.L. Salzberg ab initio (optional) gene finder genome 1

572 views • 34 slides
Whatever Mechanics of Were Calling Improvement This Series Evans Center for Implementation

Whatever Mechanics of Were Calling Improvement This Series Evans Center for Implementation

Whatever Mechanics of Were Calling Improvement This Series Evans Center for Implementation & Improvement Sciences Quality & Patient Safety, 1 Department of Medicine Planning for Improvement Present Quality Improvement (QI)

684 views • 33 slides
Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink

Lattice-based cryptography II Constructions and implementation issues Leon Groot Bruinderink July 1st, 2019 July 1st, 2019 1 / 27 Lattice-based cryptography II In this talk: Introduction to (ring-)LWE Lattice-based key-exchange and

1.44k views • 80 slides
Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions

Signature Schemes with Efficient Protocols and Dynamic Group Signatures from Lattice Assumptions Benot Libert 1 , 2 San Ling 3 Fabrice Mouhartem 1 Khoa Nguyen 3 Huaxiong Wang 3 1 .N.S. de Lyon, France 2 CNRS, France 3 Nanyang Technological

1.33k views • 92 slides
and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the

Standardizing Lattice Cryptography and Beyond Vadim Lyubashevsky IBM Research Zurich Why Lattice Cryptography One of the oldest and most (the most?) efficient quantum-resilient alternatives for basic primitives Public key

844 views • 62 slides
Implementation of a core T AG for French Benoit Crabb Lattice Universit Paris 7 A T AG

Implementation of a core T AG for French Benoit Crabb Lattice Universit Paris 7 A T AG

Implementation of a core T AG for French Benoit Crabb Lattice Universit Paris 7 A T AG for French 1 Outline of the talk Implementation of large scale computational grammar for French Linguistically motivated grammar We focus on the

645 views • 41 slides
Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai,

Lattice-Based SNARGs and Their Application to More Efficient Obfuscation Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Program Obfuscation [BGIRSVY01, GGHRSW13] Indistinguishability obfuscation ( ) has emerged as a central hub

648 views • 36 slides
Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography

Efficient Implementation of Lattice-based Cryptography for Embedded Devices Tobias Oder Ruhr-University Bochum Workshop on Cryptography for the 09.11.2017 Internet of Things and Cloud 2017 Lattice-based Cryptography Set of vectors in n

601 views • 27 slides
Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First

Efficient Implementation of Cryptographic pairings Mike Scott Dublin City University First Steps To do Pairing based Crypto we need two things Efficient algorithms Suitable elliptic curves We have got both! (Maybe not quite

509 views • 47 slides
Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas;

Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas;

Lattice gas simulations Tony Kim Spring 2007 18.354 Project 1) Introducing the lattice gas; ntroducing the lattice gas; 2) Analytic description of the lattice gas; 3) Program objectives; 4) How to implement it (efficiently); 5)

321 views • 28 slides
air pollution and evaluate the implementation of the air quality improvement policies.

air pollution and evaluate the implementation of the air quality improvement policies.

The Korean government (Ministry of Environment) has installed and managed air quality monitoring stations (AQMSs) since 1973 to monitor air pollution and evaluate the implementation of the air quality improvement policies. Since 2011,

560 views • 31 slides
Fixed-Point implementation of Lattice Wave Digital Filter: comparison and error analysis

Fixed-Point implementation of Lattice Wave Digital Filter: comparison and error analysis

Motivation SIF LWDF LWDF-to-SIF Example and comparison Summary Fixed-Point implementation of Lattice Wave Digital Filter: comparison and error analysis Anastasia Volkova, Thibault Hilaire Sorbonne Universit es, University Pierre and

868 views • 41 slides
Efficient use of new technology for practice improvement Receptionist Professional Development

Efficient use of new technology for practice improvement Receptionist Professional Development

Efficient use of new technology for practice improvement Receptionist Professional Development Workshop Hobart August 2017 Presented by Katrina Otto Train IT Medical Pty Ltd www.trainitmedical.com.au katrina@trainitmedical.com.au Our

581 views • 45 slides
Research, Development and Implementation of Efficient Processing Technologies For Specialty and

Research, Development and Implementation of Efficient Processing Technologies For Specialty and

Research, Development and Implementation of Efficient Processing Technologies For Specialty and Energy Metals. September 2017 Disclaimer Statements contained in this presenta0on which are not historical

553 views • 23 slides
Continuous Improvement Continuous Improvement through through Employee Empowerment Employee

Continuous Improvement Continuous Improvement through through Employee Empowerment Employee

Continuous Improvement Continuous Improvement through through Employee Empowerment Employee Empowerment Implementation Roadmap Implementation Roadmap MPE-Inc. Date Presentation Purpose ! Share a vision ! Share a mission ! Share the

997 views • 50 slides
An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010

An Efficient and Parallel Gaussian Sampler for Lattices Chris Peikert Georgia Tech CRYPTO 2010 1 / 10 Lattice-Based Crypto L R n b 2 b 1 2 / 10 Lattice-Based Crypto L R n p 1 p 2 2 / 10 Lattice-Based Crypto L R n b 2 p 1 b 1 =

975 views • 60 slides
An Efficient Implementation of Distributed Routing Algorithms in NoCs Authors: J. Flich, S.

An Efficient Implementation of Distributed Routing Algorithms in NoCs Authors: J. Flich, S.

An Efficient Implementation of Distributed Routing Algorithms in NoCs Authors: J. Flich, S. Rodrigo, and J. Duato Parallel Architectures Group T echnical University of Valencia, Spain Conference title 1 Agenda Introduction System

656 views • 34 slides
An Efficient Implementation of the Low-Complexity Multi-Coset Sub-Nyquist Wideband Radar

An Efficient Implementation of the Low-Complexity Multi-Coset Sub-Nyquist Wideband Radar

An Efficient Implementation of the Low-Complexity Multi-Coset Sub-Nyquist Wideband Radar Electronic Surveillance Mehrdad Yaghoobi, Bernard Mulgrew and Mike E. Davies Edinburgh Research Partnership in Signal and Image Processing Institute for

304 views • 19 slides
An Efficient Implementation for Computing Gr obner bases over algebraic number fields

An Efficient Implementation for Computing Gr obner bases over algebraic number fields

An Efficient Implementation for Computing Gr obner bases over algebraic number fields Masayuki Noro Kobe University An Efficient Implementation for Computing Gr obner bases over algebraic number fields p. 1 Multiple algebraic

447 views • 25 slides
FAST ALGORITHM FOR FINDING n LATTICE SUBSPACES IN AND ITS IMPLEMENTATION ANDREW M. POWNUK THE

FAST ALGORITHM FOR FINDING n LATTICE SUBSPACES IN AND ITS IMPLEMENTATION ANDREW M. POWNUK THE

FAST ALGORITHM FOR FINDING n LATTICE SUBSPACES IN AND ITS IMPLEMENTATION ANDREW M. POWNUK THE UNIVERSITY OF TEXAS AT EL PASO n and its Implementation 1 Andrew Pownuk, Fast Algorithm for Finding

518 views • 39 slides
An Efficient Performance Improvement Method Utilizing Specialized Functional Units in Behavioral

An Efficient Performance Improvement Method Utilizing Specialized Functional Units in Behavioral

An Efficient Performance Improvement Method Utilizing Specialized Functional Units in Behavioral Synthesis Tsuyoshi Sadakata, and Yusuke Matsunaga Kyusyu University, Japan Motivation Specialized Functional Units (SFUs) (e.g. Multiply-Acc

277 views • 10 slides
Efficient Correlation-Free Many-States Lattice Monte Carlo on GPUs Jeffrey Kelling, Gza dor,

Efficient Correlation-Free Many-States Lattice Monte Carlo on GPUs Jeffrey Kelling, Gza dor,

Efficient Correlation-Free Many-States Lattice Monte Carlo on GPUs Jeffrey Kelling, Gza dor, Martin Weigel, Sibylle Gemming 8th May 2017 Member of the Helmholtz Association Jeffrey Kelling, Gza dor, Martin Weigel, Sibylle Gemming | FWIO

372 views • 25 slides

More recommend