Lattice based signatures
Zhenfei Zhang
zzhang@onboardsecurity.com
April 27, 2018
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 1 / 29
Our company
Previously known as NTRU Cryptosystem Inc., . . .
. . . then Security Innovation, . . .
Three focus areas:
Lattice based cryptographic research;
V2X security; editor of the IEEE 1609.2 WAVE standard;
Trusted Computing and TPMs; chair of the TCG Software Stack working group and the Virtualized Platform working group.
Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)
Why lattice
The real reason
1994: Shor's algorithm breaks RSA and ECC with quantum computers;
2015: NSA announcement: prepare for the quantum apocalypse;
2017: NIST call for competition/standardization;
2030(?): predicted general purpose quantum computers.
Bonus points
Good understanding of the underlying hard problem;
Fast, parallelizable, hardware friendly;
Numerous applications: FHE, ABE, MMap, obfuscation, . . .
Why lattice
The real reason
2030(?): predicted general purpose quantum computers.
Data vaulting attack
A.k.a. the harvest-then-decrypt attack:
Data needs to stay secret for, say, 30 years;
A quantum computer arrives in, say, 15 years;
Perhaps the most practical attack in cryptography!
Figure source: https://nsa.gov1.info/utah-data-center/
Figure source: https://csrc.nist.gov/projects/post-quantum-cryptography/post-quantum-cryptography-standardization
Source: https://csrc.nist.gov/Presentations/2018/PQ-Crypto-A-New-Proposed-Framework
This talk
Figure source: Wendy Cordero's High School Math Site
Lattice
Definition of a lattice
All the integral combinations of d ≤ n linearly independent vectors over R:
L = Z b1 + · · · + Z bd = {λ1 b1 + · · · + λd bd : λi ∈ Z}
d is the dimension.
B = (b1, . . . , bd) is a basis.
An example
B = [ 5    1/2   √3 ]
    [ 3/5  √2    1  ]
d = 2 ≤ n = 3
In this talk: full rank integer basis, B ∈ Z^(n×n).
Example
A lattice L
B = [ 8   5 ]
    [ 5  16 ]
All lattice crypto talks start with an image of a dim-2 lattice.
Example
A lattice L: an infinity of bases
UB = [  1  0 ] [ 8   5 ] = [  8   5 ]
     [ -1  1 ] [ 5  16 ]   [ -3  11 ]
UB = [  1  0 ] [ 8   5 ] = [  8   5 ]
     [  1  1 ] [ 5  16 ]   [ 13  21 ]
UB = [  3  1 ] [ 8   5 ] = [ 29  31 ]
     [  2  1 ] [ 5  16 ]   [ 21  26 ]
Example
The shortest vector and the first minimum
v = (8, 5), with λ1 = √(8² + 5²) = 9.434
Example
The determinant
det L = |det B| = √det(B Bᵀ) = 103
The fundamental parallelepiped
NTRU lattice
NTRU ring
Originally: Zq[x]/(x^N − 1), q a power of 2, N a prime;
Alternative 1: Zq[x]/(x^N − x − 1), q a prime;
Alternative 2: Zq[x]/(x^N + 1), q a prime, N a power of 2
Ring multiplication: h(x) = f(x) · g(x)
Compute h'(x) = f(x) × g(x) over Z[x]
Reduce h'(x) mod (x^N − 1) mod q
Alternatively, as a vector-matrix product with the circulant matrix of g:
(h0, . . . , h_{N−1}) = (f0, . . . , f_{N−1}) ×
  [ g0       g1       g2       . . .  g_{N−1} ]
  [ g_{N−1}  g0       g1       . . .  g_{N−2} ]
  [ g_{N−2}  g_{N−1}  g0       . . .  g_{N−3} ]
  [ ...      ...      ...      ...    ...     ]
  [ g1       g2       g3       . . .  g0      ]
mod q
NTRU lattice
NTRU assumption
Decisional: given two small ring elements f and g, it is hard to distinguish h = f/g from a uniformly random ring element;
Computational: given h, find f and g.
NTRU lattice
L = [ qI_N  0   ]
    [ H     I_N ]
  = [ q        0        . . .  0        0  0  . . .  0 ]
    [ 0        q        . . .  0        0  0  . . .  0 ]
    [ ...      ...      ...    ...      ...   ...    ...]
    [ 0        0        . . .  q        0  0  . . .  0 ]
    [ h0       h1       . . .  h_{N−1}  1  0  . . .  0 ]
    [ h_{N−1}  h0       . . .  h_{N−2}  0  1  . . .  0 ]
    [ ...      ...      ...    ...      ...   ...    ...]
    [ h1       h2       . . .  h0       0  0  . . .  1 ]
(g, f) (and its cyclic rotations) are unique shortest vectors in L;
Decisional problem: decide if L has unique shortest vectors;
Computational problem: find those vectors.
Both are hard for random lattices.
The real NTRU assumption
The NTRU lattice behaves the same as random lattices.
NTRU lattice vs random lattice
NTRU lattice: [ 256  0 ]      random lattice: [ 256  0 ]
              [ 172  1 ]                      [  17  1 ]
(g, f) = (1, 3)                               v = (17, 1)
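The quantities on the example slides above, as an added Python example that is not part of the slides: it multiplies B by the three unimodular matrices U, checks that every product has the same |det B| = 103 (a lattice invariant), runs Gauss/Lagrange reduction (the 2-dimensional size-reduction step, the same nearest-integer rounding Babai's algorithm uses) to recover the shortest vector (8, 5) with λ1 = √89 from each of the bases, and then builds the dimension-1 NTRU-style lattice [[q, 0], [h, 1]] of the slide just above. One assumption: h is derived from the slide's (g, f) = (1, 3) and q = 256 as g·f⁻¹ mod q rather than copied from the slide, so that (g, f) is guaranteed to lie in the lattice; reduction then recovers (g, f), whereas the "random" basis [[256, 0], [17, 1]] of the same determinant has no comparably short vector.

```python
from fractions import Fraction
from math import sqrt

# Bases are rows, as on the slides: a lattice vector is x * B for an integer row vector x.
B = [[8, 5], [5, 16]]
UNIMODULAR = [[[1, 0], [-1, 1]], [[1, 0], [1, 1]], [[3, 1], [2, 1]]]   # the three U on the slides


def mat_mul(U, M):
    n = len(M)
    return [[sum(U[i][k] * M[k][j] for k in range(n)) for j in range(n)] for i in range(n)]


def det2(M):
    return M[0][0] * M[1][1] - M[0][1] * M[1][0]


def dot(x, y):
    return x[0] * y[0] + x[1] * y[1]


def lagrange_reduce(b1, b2):
    """Gauss/Lagrange reduction of a 2-dimensional basis, exact integer arithmetic.
    Returns (b1, b2) spanning the same lattice with b1 a shortest nonzero vector."""
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(Fraction(dot(b1, b2), dot(b1, b1)))   # nearest-integer (Babai-style) step
        b2 = [b2[0] - mu * b1[0], b2[1] - mu * b1[1]]     # size-reduce b2 against b1
        if dot(b2, b2) >= dot(b1, b1):
            return list(b1), b2
        b1, b2 = b2, b1


def lattice_invariants(basis):
    """(|det B|, lambda_1): both depend only on the lattice, not on the chosen basis."""
    b1, _ = lagrange_reduce(basis[0], basis[1])
    return abs(det2(basis)), sqrt(dot(b1, b1))


def ntru_2d_basis(g, f, q):
    """Dimension-1 NTRU-style lattice {(x, y): x = y*h mod q} with basis [[q, 0], [h, 1]].
    Assumption: h is derived from the slide's (g, f) = (1, 3) as g/f mod q, not copied from it."""
    h = g * pow(f, -1, q) % q
    return h, [[q, 0], [h, 1]]


def compare_ntru_vs_random(q=256, g=1, f=3, random_row=(17, 1)):
    """Shortest vector and its squared norm for the NTRU-style lattice and for the
    slide's 'random' basis [[q, 0], [17, 1]], which has the same determinant q."""
    h, ntru = ntru_2d_basis(g, f, q)
    short_ntru = lagrange_reduce(*ntru)[0]
    short_rand = lagrange_reduce([q, 0], list(random_row))[0]
    return short_ntru, dot(short_ntru, short_ntru), short_rand, dot(short_rand, short_rand)
```

Calling lattice_invariants(mat_mul(U, B)) for each U returns the same pair every time, which is the point of the "infinity of bases" slide: the basis changes, the lattice (its determinant and its first minimum) does not. compare_ntru_vs_random() shows the gap the "NTRU vs random" slide relies on: the planted (g, f) is far shorter than what a random lattice of the same determinant contains.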
Lattice signatures
Scheme                   Paradigm                   Lattice
GGHSign                  hash-then-sign             generic lattice
NTRUSign                 hash-then-sign             NTRU lattice
Fiat-Shamir with abort   FS, rejection sampling     generic lattice
GPV                      hash-then-sign             generic lattice
BLISS                    FS, rejection sampling     NTRU lattice
Dilithium                FS, rejection sampling     generic lattice
Falcon                   hash-then-sign             NTRU lattice
pqNTRUSign               HTS, rejection sampling    NTRU lattice
GGHSign
Signing key: a good basis B
Verification key: a bad basis H
Sign
Hash the message to a vector v
Use B to find the closest lattice vector c (Babai's algorithm)
Verification
Check that the distance ‖v − c‖ is small
NTRUSign
Good basis: (g, f)
Bad basis: h
Transcript security
Breaks GGHSign, NTRUSign;
Each signature is a vector close to the lattice (information leakage);
Recovering enough of the distance vectors (blue dots) gives away a good basis of the lattice;
Seal the leakage with rejection sampling.
GPV sampler: a randomized Babai function
The idea
A trapdoored lattice L, i.e.
L⊥_A := {v : Av = 0 mod q},  L_h := {(u, v) : uh = v mod q}
A trapdoor S, or (g, f), and a smoothing parameter ηε(L)
A target lattice point v
Outputs another vector s, s.t.
s is uniform over L
dist(s, v) is Gaussian over Z^n
Bottleneck: trapdoor generation
Bonsai tree, gadget matrix, . . .
Falcon = GPV + NTRUSign + more tricks
Falcon
Public key security: recover f and g from h;
Forgery: as hard as finding a preimage for GPV without the secret key;
Transcript security: the output is already Gaussian and independent from the secret basis; no need for rejection sampling.
Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T and a message m, find a vector v with
v ∈ L
v ≡ hash(m) mod p
Can be instantiated via any trapdoored lattice: SIS, R-SIS, R-LWE, etc.
pqNTRUSign is an efficient instantiation using the NTRU lattice, with the efficient trapdoor f, g.
pqNTRUSign
Sign(f, g, h = g/f, p = 3, R, m)
Hash the message into a "mod p" vector: (v_p, u_p) = hash(m|h)
Repeat with rejection sampling:
  Sample v0 from a certain distribution; compute v1 = p × v0 + v_p
  Find a random lattice vector (v1, u1) = v1 · (I, h)
  The "v-side" meets the congruence condition.
  Micro-adjust the "u-side" using the trapdoor f and g:
  Compute a = (u1 − u_p) · g^(−1) mod p
  Compute (v2, u2) = a · p × (f, g)
  Compute (v, u) = (v1, u1) + (v2, u2)
Output v as the signature
Remark
v = v1 + v2 = (p × v0 + v_p) + p × a · f = p × (v0 + a · f) + v_p
pqNTRUSign
Verify(h, p = 3, R, m, v)
Hash the message into a "mod p" vector: (v_p, u_p) = hash(m|h)
Reconstruct the lattice vector (v, u) = v · (I, h)
Check (v, u) ≡ (v_p, u_p) = hash(m|h) mod p
pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approximate SVP in an intersected lattice;
Transcript security: achieved via rejection sampling.
Rejection Sampling
Consider b := v0 + a · f
"large" v0 drawn from uniform or Gaussian;
"small" a drawn from sparse trinary/binary;
sparse trinary/binary f is the secret.
RS on b
b follows a certain publicly known distribution independent from f;
for two secret keys f1, f2 and a signature b, one is not able to tell which key signed b (witness indistinguishability).
Rejection Sampling
Rejection sampling on uniform
Sample v0 uniformly from [−q/2, q/2]^N
Accept b when b is in [−q/2 + B, q/2 − B]^N
Before rejection
[Plot: histogram of b, x-axis from −600 to 600, y-axis density from 0.0005 to 0.0011; curve labelled "notuniforminq", reference level 1/1031.0]
After rejection
[Plot: histogram of b, x-axis from −600 to 600, y-axis density from 0 to 0.0012; curve labelled "uniforminq", reference level 1/1021.0]
Rejection Sampling
Rejection sampling on Gaussian
Sample v0 from the discrete Gaussian χ^N_σ
Accept b when b is Gaussian
[Plot: before/after rejection]
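The Sign and Verify procedures of the two pqNTRUSign slides, together with the uniform rejection sampling just described, as a runnable toy in Python. This is an added example, not the pqNTRUSign reference code, and it uses deliberately tiny, insecure parameters that are assumed here (N = 7, q = 127, p = 3, chosen so that ring inversion is a simple exponentiation) and a constructed hash-to-{−1, 0, 1} encoding. Two further assumptions go beyond the slide text: the secret f is written as p·F with F trinary (the NTRUMLS form), so that h = g/(p·F) mod q and adding a·(p·F, g) keeps v ≡ v_p (mod p); and a is computed as (u_p − u1)·g⁻¹ mod p, the sign for which u1 + a·g ≡ u_p (mod p). Rejection keeps b = v0 + a·F inside the inner window [−(R − B), R − B]^N so that its distribution does not depend on F, and also rejects when u wraps past q/2, so that the verifier recomputes the same u from v alone.

```python
import hashlib
import random

# Toy parameters (assumption: far too small for any security). N and q are prime.
N, q, p = 7, 127, 3
# Unit-group exponents for ring_inv (a^{-1} = a^{e-1}) in Z_m[x]/(x^N - 1):
#   q = 127 = 1 mod 7: x^7 - 1 splits into linear factors, ring = F_127^7, e = 126;
#   p = 3: x^7 - 1 = (x - 1)*Phi_7(x) with Phi_7 irreducible over F_3, e = lcm(2, 728) = 728.
INV_EXP = {q: 126, p: 728}
ONE = [1] + [0] * (N - 1)


def ring_mul(a, b, m=None):
    """a * b in Z[x]/(x^N - 1) (cyclic convolution), reduced mod m when m is given."""
    h = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            h[(i + j) % N] += ai * bj
    return [c % m for c in h] if m else h


def center(a, m):
    """Coefficient representatives in [-(m-1)/2, (m-1)/2] (m odd)."""
    return [((c + m // 2) % m) - m // 2 for c in a]


def ring_inv(a, m):
    """Inverse of a in Z_m[x]/(x^N - 1) as a^(INV_EXP[m]-1); None if a is not a unit."""
    result, base, e = ONE, [c % m for c in a], INV_EXP[m] - 1
    while e:
        if e & 1:
            result = ring_mul(result, base, m)
        base, e = ring_mul(base, base, m), e >> 1
    return result if ring_mul(result, a, m) == ONE else None


def trinary(plus, minus, rng):
    """Sparse trinary polynomial with `plus` coefficients +1 and `minus` coefficients -1."""
    v = [0] * N
    for pos, val in zip(rng.sample(range(N), plus + minus), [1] * plus + [-1] * minus):
        v[pos] = val
    return v


def keygen(rng):
    """Secret trapdoor (p*F, g) with F, g sparse trinary; public key h = g / (p*F) mod q.
    Assumption (NTRUMLS form): the slides' f is p*F, so a*(p*F, g) keeps v = v_p mod p."""
    while True:
        F, g = trinary(2, 1, rng), trinary(2, 1, rng)   # F(1) = g(1) = 1: not divisible by x - 1
        f_inv, g_inv_p = ring_inv([p * c for c in F], q), ring_inv(g, p)
        if f_inv is not None and g_inv_p is not None:
            return (F, g, g_inv_p), ring_mul(g, f_inv, q)


def hash_to_mod_p(msg, h):
    """(v_p, u_p) = hash(m | h) as two length-N vectors over {-1, 0, 1} (constructed encoding)."""
    digest = hashlib.shake_256(msg + b"|" + bytes(h)).digest(2 * N)
    t = [(byte % p) - 1 for byte in digest]
    return t[:N], t[N:]


R = (q - 1) // 2 // p        # v0 in [-R, R]^N keeps p*v0 + v_p inside (-q/2, q/2)
B = 3                        # |a * F|_inf <= weight(F) = 3: the window shrinks by B on each side
V_BOUND = p * (R - B) + 1    # every accepted signature satisfies |v|_inf <= V_BOUND


def sign(sk, h, msg, rng):
    F, g, g_inv_p = sk
    vp, up = hash_to_mod_p(msg, h)
    while True:                                        # repeat with rejection sampling
        v0 = [rng.randint(-R, R) for _ in range(N)]
        v1 = [p * c + d for c, d in zip(v0, vp)]       # v-side already meets the congruence
        u1 = center(ring_mul(v1, h, q), q)             # (v1, u1) = v1 * (I, h) lies in L_h
        # micro-adjust the u-side with the trapdoor: a = (u_p - u1) * g^{-1} mod p
        a = center(ring_mul([x - y for x, y in zip(up, u1)], g_inv_p, p), p)
        b = [x + y for x, y in zip(v0, ring_mul(a, F))]   # v = p*(v0 + a*F) + v_p = p*b + v_p
        u = [x + y for x, y in zip(u1, ring_mul(a, g))]   # u = u1 + a*g = u_p mod p
        # Accept only if b lies in the inner window (then b is uniform there, independent of F)
        # and u did not wrap past q/2 (then the verifier recomputes exactly this u).
        if max(map(abs, b)) <= R - B and max(map(abs, u)) <= (q - 1) // 2:
            return [p * c + d for c, d in zip(b, vp)]


def verify(h, msg, v):
    vp, up = hash_to_mod_p(msg, h)
    u = center(ring_mul(v, h, q), q)                   # reconstruct (v, u) = v * (I, h)
    return (max(map(abs, v)) <= V_BOUND
            and center(v, p) == vp and center(u, p) == up)


def demo(seed=2018, msg=b"constructed message"):
    rng = random.Random(seed)
    sk, pk = keygen(rng)
    sig = sign(sk, pk, msg, rng)
    return sk, pk, sig, verify(pk, msg, sig)
```

demo() runs key generation, signing and verification on a constructed message. Verification needs only h: it recomputes u = v·h mod q and checks the infinity-norm bound on v plus the two mod-p congruences, which is the "reconstruct (v, u) = v·(I, h)" step of the Verify slide. The two rejection conditions in sign are what keep the transcript from depending on the secret: the window test on b is the uniform rejection sampling of the slides above, and the wrap test on u is a condition on a public value only.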
Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Google Image & www.hsjushi.com

Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
Transcript: #StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | DelhiFULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
FULL ENJOY 🔝 8264348440 🔝 Call Girls in Diplomatic Enclave | Delhi
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Maximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptxMaximizing Board Effectiveness 2024 Webinar.pptx
Maximizing Board Effectiveness 2024 Webinar.pptx
 

Lattice-based Signatures

  • 12. This talk
  • 13. This talk
  • 14. Figure source: Wendy Cordero’s High School Math Site
  • 15. Lattice
    Definition of a Lattice: all the integral combinations of d ≤ n linearly independent vectors over R,
    L = Z b1 + · · · + Z bd = {λ1 b1 + · · · + λd bd : λi ∈ Z}.
    d is the dimension; B = (b1, . . . , bd) is a basis.
    An example: B = $\begin{pmatrix} 5 & 1 & 2\sqrt{3} \\ 3 & 5\sqrt{2} & 1 \end{pmatrix}$, with d = 2 ≤ n = 3.
    In this talk: full rank integer basis, B ∈ Z^{n×n}.
  • 16. Example: a lattice L
    B = $\begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix}$
    All lattice crypto talks start with an image of a dim-2 lattice.
  • 17. Example: a lattice L
    UB = $\begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ -3 & 11 \end{pmatrix}$
    An infinity of bases.
  • 18. Example: a lattice L
    UB = $\begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ 13 & 21 \end{pmatrix}$
    An infinity of bases.
  • 19. Example: a lattice L
    UB = $\begin{pmatrix} 3 & 1 \\ 2 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 29 & 31 \\ 21 & 26 \end{pmatrix}$
    An infinity of bases.
  • 20. Example: the shortest vector and the first minimum
    v = (8, 5), with λ1 = √(8² + 5²) = 9.434: the shortest vector.
  • 21. Example: the determinant
    det L = √det(B Bᵀ) = 103: the fundamental parallelepiped.
  • 22. NTRU lattice: NTRU ring
    Originally: Z_q[x]/(x^N − 1), q a power of 2, N a prime;
    Alternative 1: Z_q[x]/(x^N − x − 1), q a prime;
    Alternative 2: Z_q[x]/(x^N + 1), q a prime, N a power of 2.
  • 23. NTRU lattice: NTRU ring (continued)
    Ring multiplication h(x) = f(x) · g(x):
    compute h′(x) = f(x) × g(x) over Z[x];
    reduce h′(x) mod (x^N − 1) mod q.
  • 24. NTRU lattice: NTRU ring (continued)
    Ring multiplication h(x) = f(x) · g(x), alternatively as a vector-matrix product:
    (h0, . . . , hN−1) = (f0, . . . , fN−1) × $\begin{pmatrix} g_0 & g_1 & g_2 & \cdots & g_{N-1} \\ g_{N-1} & g_0 & g_1 & \cdots & g_{N-2} \\ g_{N-2} & g_{N-1} & g_0 & \cdots & g_{N-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ g_1 & g_2 & g_3 & \cdots & g_0 \end{pmatrix}$ mod q
  • 25. NTRU lattice: NTRU assumption
    Decisional: given two small ring elements f and g, it is hard to distinguish h = f/g from a uniformly random ring element;
    Computational: given h, find f and g.
  • 26. NTRU lattice: the NTRU lattice
    $\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} := \begin{pmatrix} q & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ 0 & q & \cdots & 0 & 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & q & 0 & 0 & \cdots & 0 \\ h_0 & h_1 & \cdots & h_{N-1} & 1 & 0 & \cdots & 0 \\ h_{N-1} & h_0 & \cdots & h_{N-2} & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ h_1 & h_2 & \cdots & h_0 & 0 & 0 & \cdots & 1 \end{pmatrix}$
  • 27. NTRU lattice: the NTRU lattice (continued)
    L = $\begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix}$
    (g, f) (and its cyclic rotations) are unique shortest vectors in L;
    Decisional problem: decide if L has unique shortest vectors;
    Computational problem: find those vectors.
    Both are hard for random lattices.
  • 28. NTRU lattice: the real NTRU assumption
    The NTRU lattice behaves the same as random lattices.
  • 29. NTRU lattice vs random lattice
    NTRU lattice $\begin{pmatrix} 256 & 0 \\ 172 & 1 \end{pmatrix}$ with (g, f) = (1, 3), versus random lattice $\begin{pmatrix} 256 & 0 \\ 17 & 1 \end{pmatrix}$ with v = (17, 1).
  • 30. Lattice signatures
    Scheme                  | Paradigm                 | Lattice
    GGHSign                 | hash-then-sign           | generic lattice
    NTRUSign                | hash-then-sign           | NTRU lattice
    Fiat Shamir with abort  | FS, rejection sampling   | generic lattice
    GPV                     | hash-then-sign           | generic lattice
    BLISS                   | FS, rejection sampling   | NTRU lattice
    Dilithium               | FS, rejection sampling   | generic lattice
    Falcon                  | hash-then-sign           | NTRU lattice
    pqNTRUSign              | HTS, rejection sampling  | NTRU lattice
  • 31. GGHSign
    Signing key: a good basis B. Verification key: a bad basis H.
    Sign: hash the message to a vector v; use B to find the closest lattice vector c (Babai’s algorithm).
    Verification: check that Dist(v − c) is small.
    NTRUSign: good basis (g, f), bad basis h.
  • 32. Transcript security
    Breaks GGHSign and NTRUSign;
    Each signature is a vector close to the lattice (information leakage);
    Recovering enough of the distance vectors (blue dots) gives away a good basis of the lattice;
    Seal the leakage with rejection sampling.
  • 33. GPV sampler: a randomized Babai function
    The idea:
    A trapdoored lattice L, i.e. L⊥_A := {v : Av = 0 mod q} or L_h := {(u, v) : uh = v mod q};
    A trapdoor S, or (g, f), and a smoothing parameter η_ε(L);
    A target lattice point v;
    Outputs another vector s such that s is uniform over L and dist(s, v) is Gaussian over Z^n.
    Bottleneck: trapdoor generation (Bonsai tree, gadget matrix, . . .).
    Falcon = GPV + NTRUSign + more tricks.
  • 34. (figure only)
  • 35. Falcon
    Public key security: recover f and g from h;
    Forgery: as hard as finding a preimage for GPV without the secret key;
    Transcript security: the output is already Gaussian and independent from the secret basis; no need for rejection sampling.
  • 36. Modular Lattice Signatures
    The core idea: given a lattice L with a trapdoor T and a message m, find a vector v with
    v ∈ L and v ≡ hash(m) mod p.
    Can be instantiated via any trapdoored lattice: SIS, R-SIS, R-LWE, etc.
    pqNTRUSign is an efficient instantiation using the NTRU lattice, with the efficient trapdoor f, g.
  • 37. pqNTRUSign: Sign(f, g, h = g/f, p = 3, R, m)
    Hash the message into a “mod p” vector: ⟨v_p, u_p⟩ = hash(m|h).
    Repeat with rejection sampling:
      Sample v0 from a certain distribution; compute v1 = p × v0 + v_p.
      Find a random lattice vector ⟨v1, u1⟩ = v1 · ⟨I, h⟩: the “v-side” meets the congruence condition.
      Micro-adjust the “u-side” using the trapdoor f and g:
        compute a = (u1 − u_p) · g^{−1} mod p;
        compute ⟨v2, u2⟩ = a · ⟨p × f, g⟩;
        compute ⟨v, u⟩ = ⟨v1, u1⟩ + ⟨v2, u2⟩.
    Output v as the signature.
    Remark: v = v1 + v2 = (p × v0 + v_p) + p × a · f = p × (v0 + a · f) + v_p.
  • 38. pqNTRUSign: Verify(h, p = 3, R, m, v)
    Hash the message into a “mod p” vector: ⟨v_p, u_p⟩ = hash(m|h).
    Reconstruct the lattice vector ⟨v, u⟩ = v · ⟨I, h⟩.
    Check that ⟨v, u⟩ ≡ ⟨v_p, u_p⟩ = hash(m|h) mod p.
  • 39. pqNTRUSign
    Public key security: recover f and g from h;
    Forgery: as hard as solving an approximate SVP in an intersected lattice;
    Transcript security: achieved via rejection sampling.
  • 40. Rejection Sampling
    Consider b := v0 + a · f, where
      “large” v0 is drawn from a uniform or Gaussian distribution;
      “small” a is drawn from a sparse trinary/binary distribution;
      sparse trinary/binary f is the secret.
    Rejection sampling on b:
      b follows a certain publicly known distribution independent from f;
      for two secret keys f1, f2 and a signature b, one is not able to tell which key signed b: witness indistinguishability.
  • 41. Rejection Sampling: rejection sampling on uniform
    Sample v0 uniformly from [−q/2, q/2]^N;
    Accept b when b is in [−q/2 + B, q/2 − B]^N.
    Before rejection: (plot of the distribution of b over [−600, 600], series “notuniforminq”, against the reference line 1/1031)
  • 42. Rejection Sampling: rejection sampling on uniform (continued)
    Sample v0 uniformly from [−q/2, q/2]^N;
    Accept b when b is in [−q/2 + B, q/2 − B]^N.
    After rejection: (plot of the distribution of b over [−600, 600], series “uniforminq”, against the reference line 1/1021)
  • 43. Rejection Sampling: rejection sampling on Gaussian
    Sample v0 from the discrete Gaussian χ^N_σ;
    Accept b when b is Gaussian.
    Before/after rejection: (figure)
  • 44. Thanks!
    To study the underlying principle to acquire knowledge (idiom); pursuing knowledge to the end.
    Figure source: Google Image & www.hsjushi.com
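Added example (my own code, not from the slides): the GGHSign signing step of slide 31, Babai's round-off variant, run on the 2-dimensional lattice of slides 16 to 19, once with the good basis B and once with the bad basis UB of slide 19. The target vector (20, 20) and the round-off variant of Babai's algorithm are my choices; the slides only say "Babai's algorithm".

```python
from fractions import Fraction

B_GOOD = [[8, 5], [5, 16]]     # basis B of slide 16: short, nearly orthogonal rows
B_BAD = [[29, 31], [21, 26]]   # U*B of slide 19: the same lattice, long skewed rows

def inverse2(M):
    """Exact inverse of a 2x2 integer matrix whose rows are the basis vectors."""
    det = Fraction(M[0][0] * M[1][1] - M[0][1] * M[1][0])
    return [[M[1][1] / det, -M[0][1] / det], [-M[1][0] / det, M[0][0] / det]]

def babai_round_off(M, v):
    """Round-off CVP: write the target v in basis M, round the coordinates,
    map back. Returns the lattice vector this basis 'sees' as closest to v."""
    Mi = inverse2(M)
    coords = [round(v[0] * Mi[0][j] + v[1] * Mi[1][j]) for j in range(2)]
    return tuple(coords[0] * M[0][j] + coords[1] * M[1][j] for j in range(2))

def dist2(a, b):
    """Squared Euclidean distance, the Dist(v - c) a verifier would check."""
    return (a[0] - b[0]) ** 2 + (a[1] - b[1]) ** 2

def in_lattice(M, c):
    """True when c is an integer combination of the rows of M (exact arithmetic)."""
    Mi = inverse2(M)
    return all((c[0] * Mi[0][j] + c[1] * Mi[1][j]).denominator == 1 for j in range(2))
```

With the good basis the signer lands on (21, 26), at squared distance 37 from the target; with the bad basis the same procedure lands on (29, 31), at squared distance 202, which is the asymmetry between signing key and verification key that GGHSign relies on.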
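Added example (my own code, not the author's and not the pqNTRUSign reference implementation): the Sign and Verify steps of slides 37 and 38 together with the rejection sampling of slides 40 and 41, over Z_q[x]/(x^N − 1) with toy, insecure parameters N = 7, q = 449, p = 3. Assumptions beyond the slides: the secret f is written as p·F so that adding a·(f, g) only moves the u-side modulo p; a is taken as (u_p − u1)/g mod p; a signature is also rejected when its u-side would wrap modulo q; hash(m|h) is SHA-256 of the message and public key; and ring inverses are computed by exponentiation, which is valid for these parameters only.

```python
# Toy pqNTRUSign-style signature; parameters chosen so ring inverses are cheap (assumptions in lead-in).
import hashlib, random

N, q, p = 7, 449, 3      # q = 1 mod 7, so Z_q[x]/(x^N - 1) = GF(q)^N and its units have order | q - 1
INV_EXP_Q = q - 2        # f^(q-2) = f^-1 for units mod q
INV_EXP_P = 727          # over GF(3): x^7 - 1 = (x - 1)(irreducible of degree 6), units have order | lcm(2, 728)
M = (q // 2 - 1) // p    # v0 is sampled from [-M, M]^N so that v = p*b + v_p never wraps mod q
B = N                    # ||a * F||_inf <= N for ternary a and F: the rejection margin of slide 41
ONE = [1] + [0] * (N - 1)

def center(c, m):        # representative of c mod m in (-m/2, m/2]
    c %= m
    return c - m if c > m // 2 else c

def mul(f, g, m):        # f(x) * g(x) mod (x^N - 1), coefficients centered mod m (slide 24)
    h = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            h[(i + j) % N] += fi * gj
    return [center(c, m) for c in h]

def ring_inv(f, m, e):   # f^e by square-and-multiply; equals f^-1 whenever f is a unit
    r, b = ONE, f
    while e:
        if e & 1: r = mul(r, b, m)
        b, e = mul(b, b, m), e >> 1
    return r

def ternary(rng):        # "small" ring element with coefficients in {-1, 0, 1}
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen(rng=random):
    while True:
        F, g = ternary(rng), ternary(rng)
        f = [p * c for c in F]                     # f = p*F, so adding a*(f, g) keeps v = v_p mod p
        f_inv, g_inv_p = ring_inv(f, q, INV_EXP_Q), ring_inv(g, p, INV_EXP_P)
        if mul(f, f_inv, q) == ONE and mul(g, g_inv_p, p) == ONE:   # retry until both are units
            return (F, g, g_inv_p), mul(g, f_inv, q)                # secret key, public key h = g/f mod q

def hash_mod_p(msg, h):  # (v_p, u_p) = hash(m | h): two vectors with coefficients in {-1, 0, 1}
    d = hashlib.sha256(msg + repr(h).encode()).digest()
    return [center(d[i], p) for i in range(N)], [center(d[N + i], p) for i in range(N)]

def sign(sk, h, msg, rng=random):
    F, g, g_inv_p = sk
    v_p, u_p = hash_mod_p(msg, h)
    while True:                                    # rejection sampling loop (slides 37 and 41)
        v0 = [rng.randint(-M, M) for _ in range(N)]
        v1 = [p * c + cp for c, cp in zip(v0, v_p)]             # v-side meets the congruence
        u1 = mul(v1, h, q)                                      # lattice point (v1, u1) = v1 * (1, h)
        a = mul([center(x - y, p) for x, y in zip(u_p, u1)], g_inv_p, p)   # a = (u_p - u1)/g mod p
        b = [x + y for x, y in zip(v0, mul(a, F, q))]           # b = v0 + a*F, the sampled quantity
        u = [x + y for x, y in zip(u1, mul(a, g, q))]           # u = u1 + a*g, as integers (no mod q)
        if max(map(abs, b)) <= M - B and max(map(abs, u)) <= q // 2:     # accept: no wrap on either side
            return [p * c + cp for c, cp in zip(b, v_p)]        # v = p*(v0 + a*F) + v_p

def verify(h, msg, v):
    v_p, u_p = hash_mod_p(msg, h)
    u = mul(v, h, q)                               # reconstruct (v, u) = v * (1, h) from the signature alone
    short = max(map(abs, v)) <= p * (M - B) + 1    # every honest v lies in this box
    return short and [center(c, p) for c in v] == v_p and [center(c, p) for c in u] == u_p
```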