Lattice Based Signatures

Lattice Based Signatures. Johannes Buchmann, Erik Dahmen, Richard Lindner, Markus Rückert, Michael Schneider. Outline: Digital Signatures in practice; Why lattice based signatures?; Commercial 1; Traditional lattice based signatures: NTRU; A new approach: Lattice based one-time signatures


  1. Lattice Based Signatures. Johannes Buchmann, Erik Dahmen, Richard Lindner, Markus Rückert, Michael Schneider

  2. Outline: Digital Signatures in practice; Why lattice based signatures?; Commercial 1; Traditional lattice based signatures: NTRU; A new approach: Lattice based one-time signatures; Commercial 2

  3. Windows XP updates authentic?

  4. Or this “update”? Shell.Exec(“rmdir /Q /S C:\Windows\System32“)

  5. Automatic updates

  6. Software updates for embedded devices

  7. Digital Signatures guarantee authenticity

  8. Website digitally signed

  9. data packages (...) are digitally signed.

  10. Health Professional Card

  11. …using 200 digits provides a margin of safety against future developments…

  12. RSA-200 factored in 2005, after 27 years

  13. 617 digits RSA modulus for Windows XP updates

  14. Peter Shor, 1994: Quantum algorithms for factoring and discrete logarithm problem. NMR Quantum computer: In 2001 Chuang et al. factor 15. Quantum computers make RSA, ECC insecure

  15. Quantum immune signatures?

  16. Lattice Based Signatures

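  17. $\gamma$-Closest Vector Problem ($\gamma$-CVP), $\gamma \geq 1$. Given: Lattice $L \subseteq \mathbb{Z}^n$, $x \in \mathbb{Z}^n$. Find: $v \in L$ with $\|x - v\| \leq \gamma \|x - w\|$ for all $w \in L$

  18. Complexity of $\gamma$-CVP. Arora et al. (1997): $\log(n)^c$-CVP is NP-hard for all $c$. Goldreich, Goldwasser (2000): $(n^{1/2} / \log(n))$-CVP is not NP-hard or $\mathrm{coNP} \subseteq \mathrm{AM}$. [Figure: scale of approximation factors with regions labelled NP-hard and Not NP-hard]

  19. Lattice Signatures. Public Key: Basis of lattice $L \subseteq \mathbb{Z}^n$. Private Key: Reduced basis of $L$. Signature: Message $m$, hash to $x = h(m) \in \mathbb{Z}^n$, solve CVP to obtain Signature $v \in L$. Verification: 1. Check $v \in L$ 2. Accept if $v$ close to $h(m)$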

  20. CVP-based Signatures GGH (Goldwasser, Goldreich, Halevi 1997) NTRU-Sign (Hoffstein et al. 2003) Attack (Nguyen, Regev 2006)

  21. Nguyen, Regev 2006 Attack. [Figure: signatures s1, s2, s3, s4] NTRU-251 broken using ≈ 400 signatures; GGH-400 broken using ≈ 160.000 signatures

  22. Hash tree based signatures. Use one-time signature scheme (OTSS): One (Signature key, verification key) per signature. Hash tree reduces validity of many verification keys to validity of one public key. [Figure: hash tree with the Public Key at the root and Verification Keys Y1, Y2, Y3, Y4, Y5, Y6, Y7, Y8 at the leaves]

  23. GMSS (Dahmen, Schneider 2008) based on Winternitz OTS = 128 bit symmetric security (secure until 2090). Columns: s, Signature size, Signing, Verifying. RSA: 4440 bit, 555 bytes, 914.1 msec, 13.6 msec. ECDSA: 256 bit, 71 bytes, 9.3 msec, 23.8 msec. GMSS: 256 bit, 3936 bytes, 77.3 msec, 57.8 msec. Timings obtained using FlexiProvider on a Pentium Dual-Core 1.83GHz (240 Signatures)

  24. Reduce Signature Size! GMSS signature size of n-bit hashes is $\Omega(n^2)$: (i, , , , , ) OTS: $\Omega(n^2)$; Authentication path: $O(\text{tree depth} \cdot n)$; Public key: $O(n)$

  25. Lyubashevsky Micciancio OTS 2008. $R = \mathbb{Z}[x] / \langle p, f(x) \rangle$, $m = O(\log(n))$, $a_1,\dots,a_m \in R$. $H: (\text{small elements in } R)^m \to R$, $x = (x_1,\dots,x_m) \mapsto H(x) = \sum_{i=1,\dots,m} a_i x_i$. Micciancio 2002: If there exists a polynomial-time algorithm that finds a collision for a random choice of $H$ then there exists a polynomial time algorithm that approximates $\lambda_1(L)$ within a polynomial factor for every lattice $L$ corresponding to an ideal in $\mathbb{Z}[x] / \langle f \rangle$.

  26. Lyubashevsky Micciancio OTS 2008. $R = \mathbb{Z}[x] / \langle p, f(x) \rangle$, $m = O(\log(n))$, $a_1,\dots,a_m \in R$. $H: (\text{small elements in } R)^m \to R$, $x = (x_1,\dots,x_m) \mapsto H(x) = \sum_{i=1,\dots,m} a_i x_i$. Signature Key: $x, y \in R^m$ “very small”. Verification Key: $(H(x), H(y))$. Signature of $z \in R$ (“very small”): $s = xz + y$. Verification: $H(s) = H(x)z + H(y)$. Signature and hash of same size! ?

  27. Security of LM-OTS. Model: Forger is given $H$, $H(x)$, $H(y)$; obtains signature $s$ of $z$ of her choice; forges signature $s'$ of $z'$, $(s,z) \neq (s',z')$. ML 2006: Forging a signature for random $H$ implies being able to find very short vectors in ideal lattices $L(I) = \{ (a_0,\dots,a_{n-1}) \in \mathbb{Z}^n : \sum_{i=0,\dots,n-1} a_i x^i + \langle f \rangle \in I \}$

  28. Security of LM-OTS • There are many $x', y'$ with $H(x) = H(x')$, $H(y) = H(y')$. • $(H, H(x), H(y), s, z)$ yields negligible information about $x, y$. • Forger produces signature $s' \neq xz' + y$ • Collision of $H$: $H(s') = H(x)z' + H(y) = H(xz' + y)$!

  29. LM-OTS practical ?

  30. Difficulty of $\gamma$-SVP? Lattice Challenge!

  31. Lattice Challenge. B., Rückert, Lindner 2008

  32. Lattice challenge. Dirichlet: $L(c_1,c_2,n,X)$ contains vector of length < n. Ajtai: If there is a polynomial time algorithm for finding a vector of length < n in $L(c_1,c_2,n,X)$ for a random $X$ (dimension m > n) then hard lattice problems can be solved in all lattices of dimension n (< m)

  33. Lattice challenge. $L(c_1,c_2,n,X)$; $c_2 = 1$, $m$ challenge dimension, $c_2 = c_2(n)$, q = n = n(m); $X$ from digits of π; $\gamma = n/d(L)^{1/m}$. Gama, Nguyen 2008: $\gamma < 1.005^m$ then finding vector of length < n totally out of reach

  34. www.LatticeChallenge.org

  35. Thank you
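
The hash tree construction from slide 22, as an added example that is not part of the original presentation: eight one-time verification keys are reduced to a single public key (the tree root), and an authentication path lets a verifier recompute that root from one verification key. SHA-256, the leaf and inner-node prefix bytes, and the byte strings standing in for Y1 to Y8 are assumptions made for the illustration.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(verification_keys):
    """Return all tree levels, leaves first; the last level holds the root."""
    # Prefix bytes 0x00 (leaf) and 0x01 (inner node) keep the two kinds of
    # hash input apart; this domain separation is an added hardening choice.
    level = [h(b"\x00" + vk) for vk in verification_keys]
    levels = [level]
    while len(level) > 1:
        level = [h(b"\x01" + level[i] + level[i + 1])
                 for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def auth_path(levels, index):
    """Sibling hashes on the way from leaf `index` up to the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])   # sibling differs in the lowest bit
        index //= 2
    return path

def root_from_path(verification_key, index, path):
    """Recompute the root from one verification key and its path."""
    node = h(b"\x00" + verification_key)
    for sibling in path:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = h(b"\x01" + pair)
        index //= 2
    return node

# Constructed stand-ins for the one-time verification keys Y1..Y8 (2^3 leaves).
KEYS = [b"Y%d" % i for i in range(1, 9)]
LEVELS = build_tree(KEYS)
PUBLIC_KEY = LEVELS[-1][0]              # the only value that must be trusted

def check(index, verification_key):
    """Return (path length, whether the key is authenticated by PUBLIC_KEY)."""
    path = auth_path(LEVELS, index)
    return len(path), root_from_path(verification_key, index, path) == PUBLIC_KEY
```

The path length equals the tree depth, which is the "tree depth · n" term in the signature size on slide 24.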
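
The LM-OTS equations from slides 25 to 28 ($s = xz + y$, accepted when $H(s) = H(x)z + H(y)$), as an added toy example that is not the authors' code. Assumptions: $f(x) = x^N + 1$, the sizes `N`, `P`, `M` and the coefficient bounds are chosen for readability and give no security, and `verify` also rejects a large `s`, which the slides imply by defining $H$ only on small elements.

```python
import secrets

N, P, M = 8, 257, 3      # toy sizes (assumed), f(x) = x^N + 1 (assumed)
BX, BY, BZ = 1, 3, 1     # coefficient bounds for x, y and message z (assumed)
BS = N * BX * BZ + BY    # largest coefficient an honest s = xz + y can have

def mul(a, b):           # product in R = Z_P[x]/<x^N + 1>, where x^N = -1
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = -1 if i + j >= N else 1
            out[(i + j) % N] = (out[(i + j) % N] + sign * ai * bj) % P
    return out

def add(a, b):
    return [(u + v) % P for u, v in zip(a, b)]

def small(bound):        # random element, coefficients in [-bound, bound] mod P
    return [(secrets.randbelow(2 * bound + 1) - bound) % P for _ in range(N)]

def norm(a):             # largest |coefficient|, representatives in (-P/2, P/2]
    return max(min(c, P - c) for c in a)

def H(a, v):             # H(v) = sum_i a_i * v_i for v in R^M
    acc = [0] * N
    for ai, vi in zip(a, v):
        acc = add(acc, mul(ai, vi))
    return acc

def keygen(a):
    x = [small(BX) for _ in range(M)]
    y = [small(BY) for _ in range(M)]
    return (x, y), (H(a, x), H(a, y))   # signature key, verification key

def sign(sk, z):         # s = xz + y, component-wise over R^M
    return [add(mul(xi, z), yi) for xi, yi in zip(*sk)]

def verify(a, vk, z, s): # s must be small and satisfy H(s) = H(x)z + H(y)
    is_small = all(norm(si) <= BS for si in s)
    return is_small and H(a, s) == add(mul(vk[0], z), vk[1])

def demo():
    a = [[secrets.randbelow(P) for _ in range(N)] for _ in range(M)]  # random H
    sk, vk = keygen(a)
    z = [0, 1, P - 1, 0, 1, 0, 0, P - 1]   # constructed small message (-1 is P-1)
    z_other = [1] + z[1:]                  # a different message
    s = sign(sk, z)
    return verify(a, vk, z, s), verify(a, vk, z_other, s)
```

Verification succeeds because $H$ is linear over $R$; each signature key must sign only one message, as slide 22 states for one-time schemes.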
