Odd Manhattan Thomas PLANTARD Institute of Cybersecurity and Cryptology University of Wollongong http://www.uow.edu.au/˜ thomaspl thomaspl@uow.edu.au 13 April 2018 plantard (uow) Odd Manhattan 13 April 2018 1 / 10
Outline Description 1 Security Analysis 2 Implementation Details 3 Comments 4 Specificity 5 plantard (uow) Odd Manhattan 13 April 2018 2 / 10
General Description Lattice based Cryptosystem Using Generic Lattice generated form its Dual . Dual created from an Odd Vector of bounded Manhattan norm. plantard (uow) Odd Manhattan 13 April 2018 3 / 10
General Description Lattice based Cryptosystem Using Generic Lattice generated form its Dual . Dual created from an Odd Vector of bounded Manhattan norm. Lattice based Key Encryption Message Encrypt a message m in the parity bit of a vector close to the lattice. CCA achived using classic method i.e. Dent’s. plantard (uow) Odd Manhattan 13 April 2018 3 / 10
Public Key Encryption Setup Alice choose 3 public parameters d a lattice dimension, 1 b an upper bound, 2 p a prime number. 3 Alice creates a secret random vector w ∈ M d , l i.e. with w i odd, 1 with � d i =1 | w i | bounded by l = ⌊ p − 1 2 b ⌋ 2 Alice publish the Lattice L such that w ∈ L ∗ . plantard (uow) Odd Manhattan 13 April 2018 4 / 10
Public Key Encryption Setup Alice choose 3 public parameters d a lattice dimension, 1 b an upper bound, 2 p a prime number. 3 Alice creates a secret random vector w ∈ M d , l i.e. with w i odd, 1 with � d i =1 | w i | bounded by l = ⌊ p − 1 2 b ⌋ 2 Alice publish the Lattice L such that w ∈ L ∗ . Encryption/Decryption To encrypt m ∈ { 0 , 1 } , Bob computes v such ∃ u ( v − u ) ∈ L 1 � u � ∞ ≤ b 2 � d i =1 u i mod 2 = m 3 To decrypt, Alice extract m = ( vw t mod p ) mod 2 . plantard (uow) Odd Manhattan 13 April 2018 4 / 10
Probability that a random lattice could be a public key Theorem Let L a full rank lattice of determinant p > 2 prime and dimension d > 1 , and l ∈ N ∗ , the probability that a Lattice does not have such vector in its dual L ∗ ∩ M d , l = ∅ is given by � 2 d − 1 ( ⌊ l + d 2 ⌋ ) � 1 d P p , d , l = 1 − p d − 1 plantard (uow) Odd Manhattan 13 April 2018 5 / 10
Probability that a random lattice could be a public key Theorem Let L a full rank lattice of determinant p > 2 prime and dimension d > 1 , and l ∈ N ∗ , the probability that a Lattice does not have such vector in its dual L ∗ ∩ M d , l = ∅ is given by � 2 d − 1 ( ⌊ l + d 2 ⌋ ) � 1 d P p , d , l = 1 − p d − 1 Cryptosystem Parameters By taking p ≈ 2 d +1 b d ( d )!, we insure that P p , d , p − 1 2 b < 1 2 i.e. the set of all possible public key represents more than half of the set of all generic lattices with equivalent dimension and determinant. plantard (uow) Odd Manhattan 13 April 2018 5 / 10
Computational Hardness for message security Definition ( α -Bounded Distance Parity Check (BDPC α )) Given a lattice L of dimension d and a vector v such that ∃ u , ( v − u ) ∈ L , � u � < αλ 1 ( L ), find � d i =1 u i mod 2 . plantard (uow) Odd Manhattan 13 April 2018 6 / 10
Computational Hardness for message security Definition ( α -Bounded Distance Parity Check (BDPC α )) Given a lattice L of dimension d and a vector v such that ∃ u , ( v − u ) ∈ L , � u � < αλ 1 ( L ), find � d i =1 u i mod 2 . Theorem ( BDD α 4 ≤ BDPC α ) For any l p − norm and any α ≤ 1 there is a polynomial time Cook-reduction from BDD α 4 to BDPC α . plantard (uow) Odd Manhattan 13 April 2018 6 / 10
Computational Hardness for message security Definition ( α -Bounded Distance Parity Check (BDPC α )) Given a lattice L of dimension d and a vector v such that ∃ u , ( v − u ) ∈ L , � u � < αλ 1 ( L ), find � d i =1 u i mod 2 . Theorem ( BDD α 4 ≤ BDPC α ) For any l p − norm and any α ≤ 1 there is a polynomial time Cook-reduction from BDD α 4 to BDPC α . Extracting message is as hard as... 1 1 BDD α with α = o ( d ) for l ∞ − norm, 2 USVP γ with γ = o ( d ) for l ∞ − norm, 3 GapSVP γ with γ = o ( d 2 log d ) for l ∞ − norm, 4 GapSVP γ with γ = o ( d 2 log d ) for l 2 − norm. plantard (uow) Odd Manhattan 13 April 2018 6 / 10
Best Known Attack Find the Unique Shortest Vector of the lattice � v � 1 0 P with a lattice gap � d +3 1 n d +1 p � ≃ Γ γ = λ 2 n +1 2 � λ 1 π d ( b +1) b 2 b +1 plantard (uow) Odd Manhattan 13 April 2018 7 / 10
Best Known Attack Find the Unique Shortest Vector of the lattice � v � 1 0 P with a lattice gap � d +3 1 n d +1 p � ≃ Γ γ = λ 2 n +1 2 � λ 1 π d ( b +1) b 2 b +1 Conservator Choices 2 λ Dimension Bound Determinant P p , d , p − 1 Gap 2 b 2 11258 − 4217 < 1 4 (1 . 006) d +1 2 128 1156 1 � 0 . 336 2 14353 − 15169 < 1 4 (1 . 005) d +1 2 192 1429 1 � 0 . 137 2 19268 − 7973 < 1 4 (1 . 004) d +1 2 256 1850 1 � 0 . 218 plantard (uow) Odd Manhattan 13 April 2018 7 / 10
Implementation Side-Channel resistance Constant time achieved by reorganising inner product computation. plantard (uow) Odd Manhattan 13 April 2018 8 / 10
Implementation Side-Channel resistance Constant time achieved by reorganising inner product computation. Shared Computation Due to CCA, implementation encrypting λ message m = 0 , 1. Optimisation to share some common computation while encrypting. plantard (uow) Odd Manhattan 13 April 2018 8 / 10
Implementation Side-Channel resistance Constant time achieved by reorganising inner product computation. Shared Computation Due to CCA, implementation encrypting λ message m = 0 , 1. Optimisation to share some common computation while encrypting. Pseudo Mersenne Using p = 2 n − c , to accelerate modular reduction . plantard (uow) Odd Manhattan 13 April 2018 8 / 10
Comment Tancrede Lepoint Implementation issue regarding CCA security. Shared secret was not randomised when return decryption failure. plantard (uow) Odd Manhattan 13 April 2018 9 / 10
Specificity Specificity Secret key is composed by only one Odd vector of bounded Manhattan Norm. Message is encrypted in the parity bit of a close vector. plantard (uow) Odd Manhattan 13 April 2018 10 / 10
Specificity Specificity Secret key is composed by only one Odd vector of bounded Manhattan Norm. Message is encrypted in the parity bit of a close vector. Advantage Majority of all generic lattices are potential public keys . As Hard as BDD o ( d ) for l ∞ − norm i.e. max norm . 1 No decryption error. Simplicity. plantard (uow) Odd Manhattan 13 April 2018 10 / 10
Specificity Specificity Secret key is composed by only one Odd vector of bounded Manhattan Norm. Message is encrypted in the parity bit of a close vector. Advantage Majority of all generic lattices are potential public keys . As Hard as BDD o ( d ) for l ∞ − norm i.e. max norm . 1 No decryption error. Simplicity. Disadvantage Keys and Ciphertext size . plantard (uow) Odd Manhattan 13 April 2018 10 / 10
Recommend
More recommend