Lattice Based Signatures Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael Schneider.


1 Lattice Based Signatures Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael Schneider

2 Outline: Digital Signatures in practice; Why lattice based signatures?; Commercial 1; Traditional lattice based signatures: NTRU; A new approach: Lattice based one-time signatures; Commercial 2

3

4

5 Windows XP updates authentic?

6 Or this "update"? Shell.Exec("rmdir /Q /S C:\Windows\System32")

7 Automatic updates

8 Software updates for embedded devices

9 Digital Signatures guarantee authenticity

10 Website digitally signed

11 data packages (...) are digitally signed.

12 Health Professional Card

13

14 …using 200 digits provides a margin of safety against future developments…

15 RSA-200 factored in 2005, after 27 years

16 RSA modulus for Windows XP updates: 617 digits

17 Quantum computers make RSA, ECC insecure. Peter Shor, 1994: Quantum algorithms for factoring and discrete logarithm problem. In 2001 Chuang et al. factor 15 on an NMR quantum computer.

18 Quantum immune signatures?

19

20 Lattice Based Signatures

21 Closest Vector Problem (CVP). Given: lattice $L \subseteq \mathbb{Z}^n$, $x \in \mathbb{Z}^n$. Find: $v \in L$ with $\|x - v\| \le \|x - w\|$ for all $w \in L$. [Figure: lattice diagram, labels $\gamma$, $\lambda_1$]

22 Complexity of $\gamma$-CVP. Arora et al. (1997): $\log(n)^c$-CVP is NP-hard for all $c$. Goldreich, Goldwasser (2000): $\Theta(n^{1/2} / \log(n))$-CVP is not NP-hard or coNP $\subseteq$ AM. [Figure: scale of $\gamma$, labelled "NP-hard" and "Not NP-hard"]

23 Lattice Signatures. Public Key: Basis of lattice $L \subseteq \mathbb{Z}^n$. Private Key: Reduced basis of $L$. Signature: Message $m$ → hash → $x = h(m) \in \mathbb{Z}^n$ → solve CVP → Signature $v \in L$. Verification: 1. Check $v \in L$. 2. Accept if $v$ close to $h(m)$.

24 CVP-based Signatures: GGH (Goldwasser, Goldreich, Halevi 1997); NTRU-Sign (Hoffstein et al. 2003); Attack (Nguyen, Regev 2006)

25 Nguyen, Regev 2006 Attack. NTRU-251 broken using ≈ 400 signatures. GGH-400 broken using ≈ 160.000 signatures. [Figure: points labelled s1, s2, s3, s4]

26 Hash tree based signatures. Use one-time signature scheme (OTSS): One (Signature key, verification key) per signature. Hash tree reduces validity of many verification keys to validity of one public key. [Figure: hash tree, labels "Public Key" and "Verification Keys" $Y_1, \dots, Y_8$]

27 GMSS (Dahmen, Schneider 2008) based on Winternitz OTS

Scheme   Verifying    Signing      Signature size
ECDSA    23.8 msec    9.3 msec     71 bytes         256 bit
RSA      13.6 msec    914.1 msec   555 bytes        4440 bit
GMSS     57.8 msec    77.3 msec    3936 bytes       256 bit

Timings obtained using FlexiProvider on a Pentium Dual-Core 1.83GHz ($2^{40}$ signatures). = 128 bit symmetric security (secure until 2090)

28 GMSS signature size of n-bit hashes is $\Omega(n^2)$: (i,,,,, ). OTS: $\Omega(n^2)$. Authentication path: $O(\text{tree depth} \cdot n)$. Public key: $O(n)$. Reduce Signature Size!

29 Lyubashevsky Micciancio OTS 2008. $R = \mathbb{Z}[x]/$, $m = O(\log(n))$, $a_1, \dots, a_m \in R$. $H: (\text{small elements in } R)^m \to R$, $x = (x_1, \dots, x_m) \mapsto H(x) = \sum_{i=1,\dots,m} a_i x_i$. Micciancio 2002: If there exists a polynomial-time algorithm that finds a collision for a random choice of $H$ then there exists a polynomial time algorithm that approximates $\lambda_1(L)$ within a polynomial factor for every lattice $L$ corresponding to an ideal in $\mathbb{Z}[x]/$.

30 Lyubashevsky Micciancio OTS 2008. $R = \mathbb{Z}[x]/$, $m = O(\log(n))$, $a_1, \dots, a_m \in R$. $H: (\text{small elements in } R)^m \to R$, $x = (x_1, \dots, x_m) \mapsto H(x) = \sum_{i=1,\dots,m} a_i x_i$. Signature Key: $x, y \in R^m$ "very small". Verification Key: $(H(x), H(y))$. Signature of $z \in R$ ("very small"): $s = xz + y$. Verification: $H(s) \overset{?}{=} H(x)z + H(y)$. Signature and hash of same size!
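The key generation, signing and verification equations of slide 30, as an added toy example that is not the authors' code. Assumptions: the ring is taken to be Z_257[x]/(x^8 + 1) with m = 4 and coefficients in {-1, 0, 1} for "very small" (the slide's ring modulus did not survive in the transcript, and these sizes are far too small to be secure), and verify also checks that s is small, since H is only defined on small inputs.

```python
import secrets

# Toy parameters, assumed for this example only (insecure sizes).
N, P, M = 8, 257, 4        # ring Z_P[x]/(x^N + 1); keys are vectors of M ring elements
SIG_BOUND = N + 1          # |coeff| of x_i*z + y_i when all inputs lie in {-1, 0, 1}

def ring_mul(a, b):
    """Multiply in Z_P[x]/(x^N + 1): x^N wraps around to -1."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % P
    return out

def ring_add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]

def small():
    """A 'very small' ring element: coefficients in {-1, 0, 1}."""
    return [secrets.randbelow(3) - 1 for _ in range(N)]

def random_hash():
    """Pick a_1..a_M uniformly from R; this tuple defines H."""
    return [[secrets.randbelow(P) for _ in range(N)] for _ in range(M)]

def H(a, v):
    """H(v) = sum_i a_i * v_i, linear over the ring."""
    acc = [0] * N
    for ai, vi in zip(a, v):
        acc = ring_add(acc, ring_mul(ai, vi))
    return acc

def keygen(a):
    x, y = [small() for _ in range(M)], [small() for _ in range(M)]
    return (x, y), (H(a, x), H(a, y))      # signature key, verification key

def sign(sk, z):
    x, y = sk
    return [ring_add(ring_mul(xi, z), yi) for xi, yi in zip(x, y)]   # s = xz + y

def verify(a, vk, z, s):
    hx, hy = vk
    # Without the smallness check, any preimage found by linear algebra would pass.
    is_small = all(min(c % P, P - c % P) <= SIG_BOUND for si in s for c in si)
    return is_small and H(a, s) == ring_add(ring_mul(hx, z), hy)
```

Verification works because H is linear: H(xz + y) = H(x)z + H(y). Each key pair signs one message only.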

31 Security of LM-OTS. Model: Forger is given $H$, $H(x)$, $H(y)$; obtains signature $s$ of $z$ of her choice; forges signature $s'$ of $z'$, $(s, z) \ne (s', z')$. ML 2006: Forging a signature for random $H$ implies being able to find very short vectors in ideal lattices $L(I) = \{ (a_0, \dots, a_{n-1}) \in \mathbb{Z}^n : \sum_{i=0,\dots,n-1} a_i x^i + \; \in I \}$

32 1. There are many $x', y'$ with $H(x) = H(x')$, $H(y) = H(y')$. 2. $(H, H(x), H(y), s, z)$ yields negligible information about $x, y$. 3. Forger produces signature $s' \ne xz' + y$. 4. Collision of $H$: $H(s') = H(x)z' + H(y) = H(xz' + y)$ $\Rightarrow$ !

33 LM-OTS practical ?

34 Difficulty of $\gamma$-SVP? Lattice Challenge!

35 Lattice Challenge B., Rückert, Lindner 2008

36 Lattice challenge. Dirichlet: $L(c_1, c_2, n, X)$ contains vector of length $< n$. Ajtai: If there is a polynomial time algorithm for finding a vector of length n) then hard lattice problems can be solved in all lattices of dimension $n$ ($< m$)

37 Lattice challenge $L(c_1, c_2, n, X)$: $c_2 = 1$, $m$ challenge dimension, $c_2 = c_2(n)$, $q = n = n(m)$, $X$ from digits of $\pi$. $\gamma = n / d(L)^{1/m}$. Gama, Nguyen 2008: $\gamma < 1.005^m$ then finding vector of length $< n$ totally out of reach

38 www.LatticeChallenge.org

39 Thank you

