learning strikes again the case of the drs signature
play

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu - PowerPoint PPT Presentation

Jul 21, 2023 •225 likes •1.32k views

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua University 2 Centrum Wiskunde & Informatica January 2019, London 1 / 42 This is a cryptanalysis work... Target: DRS a NIST lattice-based

  1. Message reduction algorithm Intuition: use s i to reduce w i decreases a lot for j � = i , w j increases a bit A reduction at i : w → w − q s i , q = ⌊ w i D ⌋ → 0 � � w − q s i � 1 = | w k − qs i , k | + | w i | − | q | · D ( q · w i > 0) k � = i � ≤ ( | w k | + | qs i , k | ) + | w i | − | q | · D k � = i � = � w � 1 − | q | · ( D − | s i , k | ) k � = i < � w � 1 (diagonal dominance) ⇒ message reduction always terminates! 13 / 42

  2. Resistance to NR attack The support of w : ( − D , D ) n DRS domain P ( S ) 14 / 42

  3. Resistance to NR attack The support of w : ( − D , D ) n DRS domain P ( S ) The support is “zero-knowledge” 14 / 42

  4. Resistance to NR attack The support of w : ( − D , D ) n DRS domain P ( S ) The support is “zero-knowledge”, but maybe the distribution is not! 14 / 42

  5. Outline 1 Background 2 DRS signature 3 Learning secret key coefficients 4 Exploiting the leaks 5 Countermeasures 15 / 42

  6. Intuition ( D,D ) w j w i ( − D, − D ) ( D,D ) ( D,D ) ( D,D ) w j w j w j w i w i w i ( − D, − D ) ( − D, − D ) ( − D, − D ) S i , j = − b S i , j = 0 S i , j = b 16 / 42

  7. Correlations Two sources of correlations between ( w i , w j ) reduction at i and S i , j � = 0 17 / 42

  8. Correlations Two sources of correlations between ( w i , w j ) reduction at i and S i , j � = 0 reduction at k and S k , i , S k , j � = 0 17 / 42

  9. Correlations Two sources of correlations between ( w i , w j ) reduction at i and S i , j � = 0 ⋆ reduction at k and S k , i , S k , j � = 0 17 / 42

  10. Correlations Two sources of correlations between ( w i , w j ) reduction at i and S i , j � = 0 ⋆ reduction at k and S k , i , S k , j � = 0 ⇒ S i , j should be strongly related to W i , j ( the distribution of ( w i , w j ) ) ! 17 / 42

  11. Figure out the model Can we devise a formula S i , j ≈ f ( W i , j ) ? 18 / 42

  12. Figure out the model Can we devise a formula S i , j ≈ f ( W i , j ) ? Seems complicated! cascading phenomenon: a reduction triggers another one. parasite correlations 18 / 42

  13. Figure out the model Can we devise a formula S i , j ≈ f ( W i , j ) ? Seems complicated! cascading phenomenon: a reduction triggers another one. parasite correlations ⇒ Search for the best linear fit f ? 18 / 42

  14. Figure out the model Can we devise a formula S i , j ≈ f ( W i , j ) ? Seems complicated! cascading phenomenon: a reduction triggers another one. parasite correlations ⇒ Search for the best linear fit f ? Search space for all linear f : too large! 18 / 42

  15. Figure out the model Can we devise a formula S i , j ≈ f ( W i , j ) ? Seems complicated! cascading phenomenon: a reduction triggers another one. parasite correlations ⇒ Search for the best linear fit f ? Search space for all linear f : too large! ⇒ choose some features { f i } and search in span( { f i } ) , i.e. f = � x ℓ f ℓ 18 / 42

  16. Training — feature selection Lower degree moments: f 2 ( W ) = E ( w i · | w i | 1 / 2 · w j ) f 1 ( W ) = E ( w i w j ) f 3 ( W ) = E ( w i · | w i | · w j ) 1 1 1 0.75 0.75 0.75 0.5 0.5 0.5 0.25 0.25 0.25 0.0 0.0 0.0 y y y -0.25 -0.25 -0.25 -0.5 -0.5 -0.5 -0.75 -0.75 -0.75 -1 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x x 19 / 42

  17. Training — feature selection Lower degree moments: f 2 ( W ) = E ( w i · | w i | 1 / 2 · w j ) f 1 ( W ) = E ( w i w j ) f 3 ( W ) = E ( w i · | w i | · w j ) 1 1 1 0.75 0.75 0.75 0.5 0.5 0.5 0.25 0.25 0.25 0.0 0.0 0.0 y y y -0.25 -0.25 -0.25 -0.5 -0.5 -0.5 -0.75 -0.75 -0.75 -1 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x x Not enough! 19 / 42

  18. Training — feature selection ( D,D ) w j w i ( − D, − D ) ( D,D ) ( D,D ) ( D,D ) w j w j w j w i w i w i ( − D, − D ) ( − D, − D ) ( − D, − D ) S i , j = − b S i , j = 0 S i , j = b 20 / 42

  19. Training — feature selection Pay more attention to the central region (i.e. | w i | small). f 4 = E ( w i ( w i − 1)( w i + 1) w j ) f 5 = E (2 w i (2 w i − 1)(2 w i + 1) w j | | 2 w i | ≤ 1) 1 1 0.75 0.75 0.5 0.5 0.25 0.25 0.0 0.0 y y -0.25 -0.25 -0.5 -0.5 -0.75 -0.75 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x f 6 = E (4 w i (4 w i − 1)(4 w i + 1) w j | | 4 w i | ≤ 1) f 7 = E (8 w i (8 w i − 1)(8 w i + 1) w j | | 8 w i | ≤ 1) 1 1 0.75 0.75 0.5 0.5 0.25 0.25 0.0 0.0 y y -0.25 -0.25 -0.5 -0.5 -0.75 -0.75 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x 21 / 42

  20. Training — feature selection Pay more attention to the central region (i.e. | w i | small). f 4 = E ( w i ( w i − 1)( w i + 1) w j ) f 5 = E (2 w i (2 w i − 1)(2 w i + 1) w j | | 2 w i | ≤ 1) 1 1 0.75 0.75 0.5 0.5 0.25 0.25 0.0 0.0 y y -0.25 -0.25 -0.5 -0.5 -0.75 -0.75 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x f 6 = E (4 w i (4 w i − 1)(4 w i + 1) w j | | 4 w i | ≤ 1) f 7 = E (8 w i (8 w i − 1)(8 w i + 1) w j | | 8 w i | ≤ 1) 1 1 0.75 0.75 0.5 0.5 0.25 0.25 0.0 0.0 y y -0.25 -0.25 -0.5 -0.5 -0.75 -0.75 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x Together with transposes (i.e. f t ( w i , w j ) = f ( w j , w i )), we finally selected 7 × 2 − 1 = 13 features in experiments. 21 / 42

  21. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. 22 / 42

  22. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. f + = � x + f ℓ , f − = � x − f ℓ according to ( i − j mod n ). 22 / 42

  23. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. f + = � x + f ℓ , f − = � x − f ℓ according to ( i − j mod n ). 22 / 42

  24. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. f + = � x + f ℓ , f − = � x − f ℓ according to ( i − j mod n ). Build models by least-square fit method 30 instances and 400 000 samples per instances 38 core-hours 22 / 42

  25. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. f + = � x + f ℓ , f − = � x − f ℓ according to ( i − j mod n ). Build models by least-square fit method 30 instances and 400 000 samples per instances 38 core-hours Possible improvements advanced machine learning techniques 22 / 42

  26. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. f + = � x + f ℓ , f − = � x − f ℓ according to ( i − j mod n ). Build models by least-square fit method 30 instances and 400 000 samples per instances 38 core-hours Possible improvements advanced machine learning techniques more blocks 22 / 42

  27. Training — model construction S i , j seems easier to learn when ( i − j mod n ) is smaller. f + = � x + f ℓ , f − = � x − f ℓ according to ( i − j mod n ). Build models by least-square fit method 30 instances and 400 000 samples per instances 38 core-hours Possible improvements advanced machine learning techniques more blocks new features 22 / 42

  28. The models f − f + 1 1 0.75 0.75 0.5 0.5 0.25 0.25 0.0 0.0 y y -0.25 -0.25 -0.5 -0.5 -0.75 -0.75 -1 -1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 -1 -0.75 -0.5 -0.25 0.0 0.25 0.5 0.75 1 x x 23 / 42

  29. Learning Let’s learn a new S as S ′ = f ( W )! f − f + S i,j = b S i,j = b 0.30 S i,j = − b S i,j = − b 0.20 S i,j =1 S i,j =1 0.25 S i,j = − 1 S i,j = − 1 S i,j =0 S i,j =0 0.15 0.20 0.15 0.10 0.10 0.05 0.05 0.00 0.00 −20 −10 0 10 20 −10 −5 0 5 10 24 / 42

  30. Learning Let’s learn a new S as S ′ = f ( W )! 0.35 S i,j = b S i,j = − b 0.30 S i,j =1 probability density S i,j = − 1 0.25 S i,j =0 0.20 0.15 0.10 0.05 0.00 10 5 0 5 10 f 24 / 42

  31. Learning Let’s learn a new S as S ′ = f ( W )! 0.35 S i,j = b S i,j = − b 0.30 S i,j =1 probability density S i,j = − 1 0.25 S i,j =0 0.20 0.15 0.10 0.05 0.00 10 5 0 5 10 f 24 / 42

  32. Learning — location S = D · I + is “absolute circulant” ⇒ more confidence via diagonal amplification 25 / 42

  33. Learning — location The weight of k -th diagonal W k = � S ′ 2 i , i + k 1.4 Large coefficient W + k 1.2 W − k 1.0 0.8 0.6 0.4 0.2 0.0 0 200 400 600 800 k 25 / 42

  34. Learning — location #signatures 13 / 16 14 / 16 15 / 16 16 / 16 50 000 5 3 6 6 100 000 - - - 20 200 000 - - - 20 400 000 - - - 20 Table: Location accuracy. The column, labeled by K / 16, shows the number of tested instances in which the largest N b scaled weights corresponded to exactly K large coefficient diagonals. 25 / 42

  35. Learning — location #signatures 13 / 16 14 / 16 15 / 16 16 / 16 50 000 5 3 6 6 100 000 - - - 20 200 000 - - - 20 400 000 - - - 20 Table: Location accuracy. The column, labeled by K / 16, shows the number of tested instances in which the largest N b scaled weights corresponded to exactly K large coefficient diagonals. We locate all large coefficients successfully! 25 / 42

  36. Learning — location #signatures 13 / 16 14 / 16 15 / 16 16 / 16 50 000 5 3 6 6 100 000 - - - 20 200 000 - - - 20 400 000 - - - 20 Table: Location accuracy. The column, labeled by K / 16, shows the number of tested instances in which the largest N b scaled weights corresponded to exactly K large coefficient diagonals. We locate all large coefficients successfully! but we are still missing the signs! 25 / 42

  37. Learning — sign S i , j ∈ {± b , ± 1 , 0 } 0.35 S i,j = b S i,j = − b 0.30 S i,j =1 probability density S i,j = − 1 0.25 S i,j =0 0.20 0.15 0.10 0.05 0.00 10 5 0 5 10 f 26 / 42

  38. Learning — sign S i , j ∈ {± b } 0.35 S i,j = b S i,j = − b 0.30 probability density 0.25 0.20 0.15 0.10 0.05 0.00 10 5 0 5 10 f 26 / 42

  39. Learning — sign #signatures p l p u p p row 400 000 0.9975 0.9939 0.9956 0.9323 200 000 0.9920 0.9731 0.9826 0.7546 100 000 0.9722 0.9330 0.9536 0.4675 50 000 0.9273 0.8589 0.8921 0.1608 Table: Experimental measures for p l , p u , p and p row . p = accuracy of guessing the sign of a large coefficient p l = accuracy for a large coefficient in the lower triangle p u = accuracy for a large coefficient in the upper triangle p row = p N b 26 / 42

  40. Learning — sign #signatures p l p u p p row 400 000 0.9975 0.9939 0.9956 0.9323 200 000 0.9920 0.9731 0.9826 0.7546 100 000 0.9722 0.9330 0.9536 0.4675 50 000 0.9273 0.8589 0.8921 0.1608 Table: Experimental measures for p l , p u , p and p row . p = accuracy of guessing the sign of a large coefficient p l = accuracy for a large coefficient in the lower triangle p u = accuracy for a large coefficient in the upper triangle p row = p N b We can determine all large coefficients in one row! 26 / 42

  41. Learning — sign #signatures p l p u p p row 400 000 0.9975 0.9939 0.9956 0.9323 200 000 0.9920 0.9731 0.9826 0.7546 100 000 0.9722 0.9330 0.9536 0.4675 50 000 0.9273 0.8589 0.8921 0.1608 Table: Experimental measures for p l , p u , p and p row . p = accuracy of guessing the sign of a large coefficient p l = accuracy for a large coefficient in the lower triangle p u = accuracy for a large coefficient in the upper triangle p row = p N b We can determine all large coefficients in one row! However, it is still hard to learn small coefficients... 26 / 42

  42. Outline 1 Background 2 DRS signature 3 Learning secret key coefficients 4 Exploiting the leaks 5 Countermeasures 27 / 42

  43. BDD & uSVP BDD (Bounded Distance Decoding) Given a lattice L and a target t “very close” to L , to find v ∈ L minimizing � v − t � . uSVP (Unique SVP) Given a lattice L with λ 1 ( L ) ≪ λ 2 ( L ), to find its shortest non-zero vector. 28 / 42

  44. BDD & uSVP BDD (Bounded Distance Decoding) Given a lattice L and a target t “very close” to L , to find v ∈ L minimizing � v − t � . uSVP (Unique SVP) Given a lattice L with λ 1 ( L ) ≪ λ 2 ( L ), to find its shortest non-zero vector. � B � BDD ⇒ uSVP on L ′ spanned by t 1 28 / 42

  45. BDD & uSVP BDD (Bounded Distance Decoding) Given a lattice L and a target t “very close” to L , to find v ∈ L minimizing � v − t � . uSVP (Unique SVP) Given a lattice L with λ 1 ( L ) ≪ λ 2 ( L ), to find its shortest non-zero vector. � B � BDD ⇒ uSVP on L ′ spanned by t 1 λ 1 ( L ′ ) = � 1 + dist( t , L ) 2 vol( L ′ ) = vol( L ) 28 / 42

  46. Solving uSVP by BKZ Required blocksize β 1 β/ d · λ 1 ( L ′ ) ≤ δ 2 β − d � · vol( L ′ ) [ADPS16, AGVW17]: d β 1 1 � � 2( β − 1) β β ( πβ ) where d = dim( L ′ ), δ β ≈ ( β > 50). 2 π e 29 / 42

  47. Solving uSVP by BKZ Required blocksize β 1 β/ d · λ 1 ( L ′ ) ≤ δ 2 β − d � · vol( L ′ ) [ADPS16, AGVW17]: d β 1 1 � � 2( β − 1) β β ( πβ ) where d = dim( L ′ ), δ β ≈ ( β > 50). 2 π e Cost of BKZ- β [Che13, Alb17]: C BKZ- β = 16 d · C SVP- β 29 / 42

  48. Solving uSVP by BKZ Required blocksize β 1 β/ d · λ 1 ( L ′ ) ≤ δ 2 β − d � · vol( L ′ ) [ADPS16, AGVW17]: d β 1 1 � � 2( β − 1) β β ( πβ ) where d = dim( L ′ ), δ β ≈ ( β > 50). 2 π e Cost of BKZ- β [Che13, Alb17]: C BKZ- β = 16 d · C SVP- β Cost of solving SVP- β Enum[APS15]: 2 0 . 270 β ln β − 1 . 019 β +16 . 10 29 / 42

  49. Solving uSVP by BKZ Required blocksize β 1 β/ d · λ 1 ( L ′ ) ≤ δ 2 β − d � · vol( L ′ ) [ADPS16, AGVW17]: d β 1 1 � � 2( β − 1) β β ( πβ ) where d = dim( L ′ ), δ β ≈ ( β > 50). 2 π e Cost of BKZ- β [Che13, Alb17]: C BKZ- β = 16 d · C SVP- β Cost of solving SVP- β Enum[APS15]: 2 0 . 270 β ln β − 1 . 019 β +16 . 10 Sieve [Duc17]: 2 0 . 396 β +8 . 4 29 / 42

  50. Solving uSVP by BKZ Required blocksize β 1 β/ d · λ 1 ( L ′ ) ≤ δ 2 β − d � · vol( L ′ ) [ADPS16, AGVW17]: d β 1 1 � � 2( β − 1) β β ( πβ ) where d = dim( L ′ ), δ β ≈ ( β > 50). 2 π e Cost of BKZ- β [Che13, Alb17]: C BKZ- β = 16 d · C SVP- β Cost of solving SVP- β Enum[APS15]: 2 0 . 270 β ln β − 1 . 019 β +16 . 10 ⋆ Sieve [Duc17]: 2 0 . 396 β +8 . 4 29 / 42

  51. Leaks help a lot! Attack without leaks b 2 · N b + N 1 + 1 d = n + 1, λ 1 ( L ′ ) = � cost: > 2 128 30 / 42

  52. Leaks help a lot! Attack without leaks � b 2 · N b + N 1 + 1 d = n + 1, λ 1 ( L ′ ) = cost: > 2 128 Naive attack with leaks d = n + 1, λ 1 ( L ′ ) = √ N 1 + 1 cost: 2 78 30 / 42

  53. Leaks help a lot! Attack without leaks b 2 · N b + N 1 + 1 d = n + 1, λ 1 ( L ′ ) = � cost: > 2 128 Naive attack with leaks d = n + 1 , λ 1 ( L ′ ) = √ N 1 + 1 cost: 2 78 Improved attack with leaks d = n − N b , λ 1 ( L ′ ) = √ N 1 + 1 cost: 2 73 30 / 42

  54. Improved BDD-uSVP attack Red: D , ± b (known) , Blue: 0 , ± 1 (unknown) t = 0 0 0 0 0 · · · 0 0 0 s k = · · · 31 / 42

  55. Improved BDD-uSVP attack   ∗ ∗ ∗ 1 ∗ ∗ Let H =  be HNF ( L ), and s = cH   . . ...  . . . . 1 ∗ ∗ t = 0 0 0 0 0 · · · 0 0 0 s k = · · · c = · · · 31 / 42

  56. Improved BDD-uSVP attack   ∗ ∗ ∗ 1 ∗ ∗ Let H =  be HNF ( L ), and s = cH   . . ...  . . . . 1 ∗ ∗ t = 0 0 0 0 0 · · · 0 0 0 s k = · · · c = · · · Let M such that tM = 0 0 · · · 0 = ( 0 , r ) s k M = = ( b , r ) cM = = ( p , r ) 31 / 42

  57. Improved BDD-uSVP attack � H ′ � Let M t HM = and H ′′ I H ′ � � let L ′ be the lattice spanned by t ′ = rH ′′ 1 32 / 42

  58. Improved BDD-uSVP attack � H ′ � Let M t HM = and H ′′ I H ′ � � let L ′ be the lattice spanned by t ′ = rH ′′ 1 dim( L ′ ) = n − N b vol( L ′ ) = vol( L ) λ 1 ( L ′ ) = � ( b , 1) � = √ N 1 + 1 32 / 42

  59. Improved BDD-uSVP attack Once one s i is recovered exactly ⇒ all 0’s in S are determined tM = 0 0 · · · 0 s k M = cM = dim = n − N b 33 / 42

  60. Improved BDD-uSVP attack Once one s i is recovered exactly ⇒ all 0’s in S are determined tM = 0 0 tM = 0 0 · · · 0 s k M = s k M = cM = cM = dim = n − N b dim = N 1 + N b + 1 ≈ n / 2 33 / 42

  61. Improved BDD-uSVP attack Once one s i is recovered exactly ⇒ all 0’s in S are determined tM = 0 0 tM = 0 0 · · · 0 s k M = s k M = cM = cM = dim = n − N b dim = N 1 + N b + 1 ≈ n / 2 Recovering secret matrix ≈ recovering a first secret. 33 / 42

  62. Improved BDD-uSVP attack Once one s i is recovered exactly ⇒ all 0’s in S are determined tM = 0 0 tM = 0 0 · · · 0 s k M = s k M = cM = cM = dim = n − N b dim = N 1 + N b + 1 ≈ n / 2 Recovering secret matrix ≈ recovering a first secret. Can we do better with the help of many t k close to s k ? [KF17] 33 / 42

  63. Conclusion We present a statistical attack against DRS: given 100 000 signatures, security is below 80-bits; even less with the current progress of lattice algorithms. 34 / 42

  64. Outline 1 Background 2 DRS signature 3 Learning secret key coefficients 4 Exploiting the leaks 5 Countermeasures 35 / 42

  65. Modified DRS In DRS: S = D · I + E is diagonal-dominant Version 1 [PSDS17] absolute circulant, E i , i = 0 three types of coefficients ( { 0 } , {± 1 } , {± b } ) with fixed numbers 36 / 42

  66. Modified DRS In DRS: S = D · I + E is diagonal-dominant Version 2 [PSDS18] Version 1 [PSDS17] $ absolute circulant, E i , i = 0 e 1 , · · · , e n ← − { v | � v � 1 < D } three types of coefficients variable diagonal elements ( { 0 } , {± 1 } , {± b } ) with fixed numbers 36 / 42

  67. Modified DRS In DRS: S = D · I + E is diagonal-dominant Version 2 [PSDS18] Version 1 [PSDS17] $ absolute circulant, E i , i = 0 e 1 , · · · , e n ← − { v | � v � 1 < D } three types of coefficients variable diagonal elements ( { 0 } , {± 1 } , {± b } ) with fixed numbers Impact no circulant structure ⇒ diagonal amplification doesn’t work 36 / 42

  68. Modified DRS In DRS: S = D · I + E is diagonal-dominant Version 2 [PSDS18] Version 1 [PSDS17] $ absolute circulant, E i , i = 0 e 1 , · · · , e n ← − { v | � v � 1 < D } three types of coefficients variable diagonal elements ( { 0 } , {± 1 } , {± b } ) with fixed numbers Impact no circulant structure ⇒ diagonal amplification doesn’t work coefficients are less sparsely distributed ⇒ less confidence of guessing 36 / 42

  69. Learning attack on modified DRS We regard S i , j as a random variable following the same distribution. Let S ′ be the guess of S and N be the sample size. 37 / 42

  70. Learning attack on modified DRS We regard S i , j as a random variable following the same distribution. Let S ′ be the guess of S and N be the sample size. As N grows, we hope Var ( S i , j − S ′ i , j ) < Var ( S i , j ) ⇒ more confidence of guessing � s i − s ′ i � < � s i � ⇒ guessing vector gets closer to the lattice 37 / 42

Recommend

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua

Learning Strikes Again: the Case of the DRS Signature Scheme Yang Yu 1 eo Ducas 2 L 1 Tsinghua University 2 Centrum Wiskunde &amp; Informatica Asiacrypt 2018 Brisbane, Australia 1 / 27 This is a cryptanalysis work... Target: DRS a NIST

807 views • 56 slides
Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature

Discharge uncertainty: sources and implications for hydrological analyses Signature 1 Signature 1 Signature 2 Signature 2 http://comm ons.wikime dia.org/wiki/ File:Piasnic a- Signature 3 Signature 3 wodowskaz -0.jpg Ida Westerberg 1,2

388 views • 19 slides
Machine learning strikes from below, a mining application: Material Classification by Drilling

Machine learning strikes from below, a mining application: Material Classification by Drilling

Machine learning strikes from below, a mining application: Material Classification by Drilling Machine Learning 2005 Johan Larsson Papers Material Classification by Drilling Diana LaBelle, John Bares, Illah Nourbakhsh Robotics Institute,

509 views • 29 slides
ratification and signature Signature vs ratification Signature formal expression of intent to

ratification and signature Signature vs ratification Signature formal expression of intent to

Steps and technical modalities to follow for the deposit of the instrument of ratification and signature Signature vs ratification Signature formal expression of intent to be bound, but no legal obligation yet: however, a State is

585 views • 10 slides
Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital

Electronic Signature Electronic Signature El Electronic Signature t i Si t Digital Signature Digital Signature And Hash Function Biometric Signature Electronic Signature Act ROC, 2002/04/01,

299 views • 13 slides
Rebuilding After Disaster Strikes: Strategies That Work September 25, 2018 Rebuilding after

Rebuilding After Disaster Strikes: Strategies That Work September 25, 2018 Rebuilding after

Rebuilding After Disaster Strikes: Strategies That Work September 25, 2018 Rebuilding after Disaster Strikes Jeff Pomeranz, City Manager, Cedar Rapids, IA 2008 Flood Strikes Cedar Rapids $5.4 billion in community-wide damage

657 views • 28 slides
2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve

2 Mission Impact Framework Signature Outcomes YWCA USA and member associations work to achieve signature metrics for each signature platform over a period of years. 3 Vision for Quality, Affordable Early Learning Strength, confidence,

291 views • 18 slides
WHEN DISASTER STRIKES E M E R G E N C Y P R E PA R E D N E S S F O R S TAT E A N D L O C A

WHEN DISASTER STRIKES E M E R G E N C Y P R E PA R E D N E S S F O R S TAT E A N D L O C A

8/10/2018 WHEN DISASTER STRIKES E M E R G E N C Y P R E PA R E D N E S S F O R S TAT E A N D L O C A L G O V E R N M E N T S TRAINING OBJECTIVES 1. Develop an in-depth understanding of ADA Title II and other disability rights laws as it

956 views • 9 slides
WHEN DISASTER STRIKES E M E R G E N C Y P R E PA R E D N E S S F O R S TAT E A N D L O C A

WHEN DISASTER STRIKES E M E R G E N C Y P R E PA R E D N E S S F O R S TAT E A N D L O C A

8/10/2018 WHEN DISASTER STRIKES E M E R G E N C Y P R E PA R E D N E S S F O R S TAT E A N D L O C A L G O V E R N M E N T S TRAINING OBJECTIVES 1. Develop an in-depth understanding of ADA Title II and other disability rights laws as it

454 views • 13 slides
Bayesian Learning from Sequential Data using Gaussian Processes with Signature Covariances Csaba

Bayesian Learning from Sequential Data using Gaussian Processes with Signature Covariances Csaba

Bayesian Learning from Sequential Data using Gaussian Processes with Signature Covariances Csaba Toth Joint work with Harald Oberhauser Mathematical Institute, University of Oxford International Conference on Machine Learning, July 2020

292 views • 26 slides
AS A MARINE OPERATOR, WHAT DO YOU NEED TO DO WHEN NATURAL DISASTER STRIKES? When a natural

AS A MARINE OPERATOR, WHAT DO YOU NEED TO DO WHEN NATURAL DISASTER STRIKES? When a natural

AS A MARINE OPERATOR, WHAT DO YOU NEED TO DO WHEN NATURAL DISASTER STRIKES? When a natural disaster strikes and the unexpected happens, the aftermath often leaves marine operators with two pressing questions. First, if the company suffers harms,

251 views • 12 slides
Limits of Learning-based Signature Generation with Adversaries Shobha Venkataraman, Carnegie

Limits of Learning-based Signature Generation with Adversaries Shobha Venkataraman, Carnegie

Limits of Learning-based Signature Generation with Adversaries Shobha Venkataraman, Carnegie Mellon University Avrim Blum, Carnegie Mellon University Dawn Song, University of California, Berkeley 1 Signatures Signature: function that

799 views • 41 slides
Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is

Digital Signature Schemes 1 What is digital signature? Properties Who signed what is publicly verifiable Unforgeable 2 A Digital Signature Scheme Key generation algorithm G (probabilistic) ( pk, sk ) G (1 ) security

602 views • 22 slides
Collaborative FE/HE Degree Apprenticeship Programme Development - the Case for a New

Collaborative FE/HE Degree Apprenticeship Programme Development - the Case for a New

Collaborative FE/HE Degree Apprenticeship Programme Development - the Case for a New &quot;Signature Pedagogy&quot; for Work Integrated Learning UVAC National Conference (Manchester) Dr Scott Andrews &amp; Ms Laura Ratcliffe - November 2018

367 views • 19 slides
1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun

1-out-of-2 Signature Mirosaw Kutyowski 1 and 1-out-of-2 Signature Jun Shao 2 Whats 1-out-of-2 Signature Mirosaw Kutyowski 1 and Jun Shao 2 Definitions of 1-out-of-2 signature 1 Institute of Mathematics and Computer Science Our

489 views • 34 slides
Nexus Maximus IV September 8 11 th , 2017 Goals A signature Nexus Learning experience

Nexus Maximus IV September 8 11 th , 2017 Goals A signature Nexus Learning experience

Nexus Maximus IV September 8 11 th , 2017 Goals A signature Nexus Learning experience Build relationships Learn collaboration tools and skills Break new ground Launch pad for further work Nexus Learning Nexus Maximus

722 views • 16 slides
Introduction Universities have largely ceased to enjoy their relative geographic monopolies.

Introduction Universities have largely ceased to enjoy their relative geographic monopolies.

E-Learning 2.0: A Case of Different Strokes for Different Follks? eLearning Forum Asia 2011, Singapore E- -Learning 2.0: A Case of Different Strokes Learning 2.0: A Case of Different Strokes for Different Folks? for Different Folks? Dr. David

413 views • 6 slides
12.1 Active Learning: A Review When learning, it may be the case that getting the true labels of

12.1 Active Learning: A Review When learning, it may be the case that getting the true labels of

CS/CNS/EE 253: Advanced Topics in Machine Learning Topic: Active Learning Review and Kernel Methods Lecturer: Andreas Krause Scribe: Jonathan Krause Date: Feb. 17, 2010 12.1 Active Learning: A Review When learning, it may be the case that getting

213 views • 5 slides
What happens to babies born during health worker strikes? Willa Friedman Anthony Keats

What happens to babies born during health worker strikes? Willa Friedman Anthony Keats

What happens to babies born during health worker strikes? Willa Friedman Anthony Keats University of Houston Wesleyan University June 2018 Collegio Carlo Alberto Friedman and Keats Strikes and Births June 2018 1 / 23 Pumwani strike 2013

469 views • 30 slides
MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das

MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das

MPSign: A Signature from Small-Secret Middle-Product Learning with Errors Shi Bai Dipayan Das Ryo Hiromasa Miruna Rosca Amin Sakzad Damien Stehl Ron Steinfeld Zhenfei Zhang Miruna Rosca MPSign PKC 2020 1 / 22 What is this talk about?

820 views • 65 slides
Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson

Presentation &amp; Handwriting Policy Chairs signature Mrs E Surtees Heads signature Mr M Tipple-Johnson Date 24 th January 2018 Review date Jan 2020 1 Presentation 1 Book covers should indicate:

52 views • 4 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

478 views • 24 slides
Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2.

Digital Signatures Good properties of hand-written signatures: 1. Signature is authentic. 2. Signature is unforgeable. 3. Signature is not reusable (it is a part of the document) 4. Signed document is unalterable. 5. Signature cannot be

244 views • 21 slides
Effectiveness of Deep Learning Vs. Machine Learning in a Health Care Use Case RxToDx A Data

Effectiveness of Deep Learning Vs. Machine Learning in a Health Care Use Case RxToDx A Data

Effectiveness of Deep Learning Vs. Machine Learning in a Health Care Use Case RxToDx A Data Science Machine Learning/Deep Learning Show Case Dima Rekesh/Julie Zhu/Ravi Rajagopalan Optum Technology November, 2017 Analytics Machine

483 views • 32 slides

More recommend