This presentation on lattice-based digital signatures from April 2018 was given at the Chinese Academy of Sciences by Zhenfei Zhang of OnBoard Security.
1. Lattice based signatures
Zhenfei Zhang
zzhang@onboardsecurity.com
April 27, 2018
Z.Zhang (OnBoard Security Inc.) NTRU crypto April 27, 2018 1 / 29
2. Our company
Previously known as NTRU Cryptosystems Inc., . . .
. . . then Security Innovation, . . .
Three focus areas:
Lattice-based cryptographic research;
V2X security;
Editor of the IEEE 1609.2 WAVE standard
Trusted Computing and TPMs;
Chair of the TCG Software Stack working group and the Virtualized Platform working group
6. Why lattice
Lattice leads to the knowledge of everything!
(WRONG!)
7. Why lattice
The real reason
1994: Shor's algorithm breaks RSA and ECC on a quantum computer;
2015: NSA announcement, prepare for the quantum apocalypse;
2017: NIST call for competition/standardization;
2030(?): predicted general-purpose quantum computers.
Bonus points
Good understanding of the underlying hard problem;
Fast, parallelizable, hardware friendly;
Numerous applications: FHE, ABE, MMap, obfuscation, . . .
8. Why lattice
The real reason
2030(?): predicted general-purpose quantum computers.
Data vaulting attack
A.k.a. the harvest-then-decrypt attack: record ciphertexts today, decrypt them once a quantum computer exists.
Data needs to stay secret for, say, 30 years;
a quantum computer arrives in, say, 15 years;
perhaps the most practical attack in cryptography!
14. Figure source: Wendy Cordero’s High School Math Site
15. Lattice
Definition of a lattice
All the integral combinations of d ≤ n linearly independent vectors of $\mathbb{R}^n$:
$L = \mathbb{Z} b_1 + \cdots + \mathbb{Z} b_d = \{\lambda_1 b_1 + \cdots + \lambda_d b_d : \lambda_i \in \mathbb{Z}\}$
d is the dimension (rank).
$B = (b_1, \ldots, b_d)$ is a basis.
An example
$B = \begin{pmatrix} 5 & \tfrac{1}{2} & \sqrt{3} \\ \tfrac{3}{5} & \sqrt{2} & 1 \end{pmatrix}$, with d = 2 ≤ n = 3 (two basis vectors, each in $\mathbb{R}^3$)
In this talk, full-rank integer bases only: $B \in \mathbb{Z}^{n \times n}$.
16. Example
A lattice L
$B = \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix}$
All lattice crypto talks start with an image of a dim-2 lattice.
17. Example
A lattice L
$UB = \begin{pmatrix} 1 & 0 \\ -1 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ -3 & 11 \end{pmatrix}$
An infinity of bases: any unimodular U (integer entries, det U = ±1) gives another basis of the same lattice.
18. Example
A lattice L
$UB = \begin{pmatrix} 1 & 0 \\ 1 & 1 \end{pm矩阵} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 8 & 5 \\ 13 & 21 \end{pmatrix}$
An infinity of bases
19. Example
A lattice L
$UB = \begin{pmatrix} 3 & 1 \\ 2 & 1 \end{pmatrix} \begin{pmatrix} 8 & 5 \\ 5 & 16 \end{pmatrix} = \begin{pmatrix} 29 & 31 \\ 21 & 26 \end{pmatrix}$
An infinity of bases
20. Example
The shortest vector and the first minimum
$v = (8, 5)$, with $\lambda_1 = \|v\| = \sqrt{8^2 + 5^2} = \sqrt{89} \approx 9.434$
21. Example
The determinant
$\det L = \sqrt{\det(BB^T)} = |\det B| = 8 \cdot 16 - 5 \cdot 5 = 103$, the volume of the fundamental parallelepiped (the same for every basis of L).
22. NTRU lattice
NTRU ring
Originally: $\mathbb{Z}_q[x]/(x^N - 1)$, q a power of 2, N a prime;
Alternative 1: $\mathbb{Z}_q[x]/(x^N - x - 1)$, q a prime;
Alternative 2: $\mathbb{Z}_q[x]/(x^N + 1)$, q a prime, N a power of 2
Ring multiplication: $h(x) = f(x) \cdot g(x)$
Compute $h'(x) = f(x) \times g(x)$ over $\mathbb{Z}[x]$
Reduce $h'(x)$ mod $(x^N - 1)$, then mod q
Alternatively, as a vector times the circulant matrix of g:
$$(h_0, \ldots, h_{N-1}) = (f_0, \ldots, f_{N-1}) \times \begin{pmatrix} g_0 & g_1 & g_2 & \cdots & g_{N-1} \\ g_{N-1} & g_0 & g_1 & \cdots & g_{N-2} \\ g_{N-2} & g_{N-1} & g_0 & \cdots & g_{N-3} \\ \vdots & \vdots & \vdots & \ddots & \vdots \\ g_1 & g_2 & g_3 & \cdots & g_0 \end{pmatrix} \bmod q$$
25. NTRU lattice
NTRU assumption
Decisional: given $h = g/f$ for two small ring elements f and g, it is hard to distinguish h from a uniformly random ring element;
Computational: given h, find f and g.
NTRU lattice
$$L = \begin{pmatrix} qI_N & 0 \\ H & I_N \end{pmatrix} = \begin{pmatrix} q & 0 & \cdots & 0 & 0 & 0 & \cdots & 0 \\ 0 & q & \cdots & 0 & 0 & 0 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ 0 & 0 & \cdots & q & 0 & 0 & \cdots & 0 \\ h_0 & h_1 & \cdots & h_{N-1} & 1 & 0 & \cdots & 0 \\ h_{N-1} & h_0 & \cdots & h_{N-2} & 0 & 1 & \cdots & 0 \\ \vdots & \vdots & \ddots & \vdots & \vdots & \vdots & \ddots & \vdots \\ h_1 & h_2 & \cdots & h_0 & 0 & 0 & \cdots & 1 \end{pmatrix}$$
The rows span $L_h = \{(u, v) : u = v \cdot h \bmod q\}$, where H is the circulant matrix of h; since $g = f \cdot h \bmod q$, the vector (g, f) lies in L.
(g, f) and its cyclic rotations are the unusually short vectors of L (unique up to rotation and sign);
Decisional problem: decide whether L has such unusually short vectors;
Computational problem: find those vectors.
Both are hard for random lattices.
The real NTRU assumption
The NTRU lattice behaves the same as a random lattice of the same dimension and determinant.
29. NTRU lattice vs random lattice
NTRU lattice (N = 1, q = 256): $\begin{pmatrix} 256 & 0 \\ 171 & 1 \end{pmatrix}$, with $h = g/f = 3^{-1} \bmod 256 = 171$ (since $3 \cdot 171 = 513 \equiv 1$), so the unusually short vector $(g, f) = (1, 3)$ is a lattice vector
Random lattice: $\begin{pmatrix} 256 & 0 \\ 17 & 1 \end{pmatrix}$, whose short vectors, such as $v = (17, 1)$, have length about $\sqrt{q}$
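The following is an added example (written for this edit, not code from the talk or from OnBoard Security) that checks slides 16-21 and slide 29 in plain Python: the three unimodular basis changes, the determinant, Gauss (Lagrange) reduction to find the shortest vector of the 2-dimensional lattice, and the N = 1 NTRU-versus-random comparison. The function names (`gauss_reduce`, `same_lattice`, `ntru_vs_random_1d`) and the extra test bases are mine; the NTRU entry is derived as h = g/f = 3^{-1} mod 256 = 171 from the slide's (g, f) = (1, 3), and the "random" h = 17 is the slide's.

```python
"""Added example (not part of the talk): the 2-dimensional lattice B = [[8, 5], [5, 16]]
of slides 16-21 and the N = 1 NTRU-vs-random picture of slide 29, checked in plain
Python.  The only algorithmic helper is Gauss (Lagrange) reduction, which in dimension
2 finds a shortest nonzero lattice vector exactly."""
import math

B = [[8, 5], [5, 16]]          # the basis from slide 16 (rows are the basis vectors)

def mat_mul(U, M):
    """Row-by-column product of two integer matrices."""
    return [[sum(U[i][k] * M[k][j] for k in range(len(M)))
             for j in range(len(M[0]))] for i in range(len(U))]

def det2(M):
    return M[0][0] * M[1][1] - M[0][1] * M[1][0]

def lattice_det(basis):
    """det L = sqrt(det(B B^T)); for a square basis this is |det B| (slide 21)."""
    Bt = [list(col) for col in zip(*basis)]
    return math.sqrt(det2(mat_mul(basis, Bt)))

def same_lattice(B1, B2):
    """Two bases span the same lattice iff B2 = U*B1 with U integral and det U = +-1 (slides 17-19).
    U is recovered by Cramer's rule; a non-integral U makes the product check fail."""
    det = det2(B1)
    U = [[det2([row, B1[1]]) // det, det2([B1[0], row]) // det] for row in B2]
    return mat_mul(U, B1) == B2 and abs(det2(U)) == 1

def gauss_reduce(b1, b2):
    """Lagrange/Gauss reduction: returns (b1, b2) with |b1| <= |b2| and |<b1,b2>| <= |b1|^2 / 2,
    so b1 is a shortest nonzero vector of the lattice (slide 20)."""
    dot = lambda x, y: x[0] * y[0] + x[1] * y[1]
    b1, b2 = list(b1), list(b2)
    if dot(b1, b1) > dot(b2, b2):
        b1, b2 = b2, b1
    while True:
        mu = round(dot(b1, b2) / dot(b1, b1))           # nearest integer to the projection
        b2 = [b2[0] - mu * b1[0], b2[1] - mu * b1[1]]   # size-reduce b2 against b1
        if dot(b2, b2) >= dot(b1, b1):
            return b1, b2
        b1, b2 = b2, b1                                 # b2 became shorter: swap and repeat

def lambda1(basis):
    """The first minimum: length of a shortest nonzero lattice vector."""
    return math.hypot(*gauss_reduce(*basis)[0])

def ntru_vs_random_1d(q=256, f=3, g=1, h_random=17):
    """Slide 29 with N = 1: h = g/f mod q gives the basis [[q, 0], [h, 1]] whose shortest
    vector is the tiny (g, f); a 'random' h gives nothing shorter than roughly sqrt(q)."""
    h = g * pow(f, -1, q) % q      # for N = 1 the ring inverse is an ordinary modular inverse
    ntru_short = gauss_reduce([q, 0], [h, 1])[0]
    random_short = gauss_reduce([q, 0], [h_random, 1])[0]
    return h, ntru_short, random_short

if __name__ == "__main__":
    print("lambda_1 =", lambda1(B), " det L =", lattice_det(B))
    for U in ([[1, 0], [-1, 1]], [[1, 0], [1, 1]], [[3, 1], [2, 1]]):
        print(U, "->", mat_mul(U, B), "same lattice:", same_lattice(B, mat_mul(U, B)))
    print("NTRU vs random (N = 1):", ntru_vs_random_1d())
```

In dimension 2 Gauss reduction is exact, so `lambda1` really is λ1; in the 2N-dimensional NTRU lattice one runs LLL or BKZ instead and only recovers (g, f) because it is far shorter than what a random lattice of that determinant would contain, which is exactly the gap the N = 1 picture shows (‖(1, 3)‖ ≈ 3.2 against about 15 for the random lattice).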
31. GGHSign
Signing key: a good (short, nearly orthogonal) basis B
Verification key: a bad (long) basis H of the same lattice
Sign
Hash the message to a vector v
Use B to find a lattice vector c close to v (Babai's round-off algorithm)
Verification
Check, using H, that c ∈ L and that dist(v, c) = ‖v − c‖ is small
NTRUSign
Good basis: (g, f)
Bad basis: h
32. Transcript security
Transcript attacks break GGHSign and NTRUSign:
each signature c is a lattice vector close to the hashed target v, and the difference v − c lies in the fundamental parallelepiped of the signer's good basis (info leakage);
recovering enough of these difference vectors (the blue dots in the figure) gives away a good basis of the lattice;
Seal the leakage with rejection sampling.
33. GPV sampler: a randomized Babai function
The idea
A trapdoored lattice L, e.g.
$L^{\perp}_A := \{v : Av = 0 \bmod q\}$, or $L_h := \{(u, v) : u = v \cdot h \bmod q\}$
A trapdoor S, or (g, f), and the smoothing parameter $\eta_\varepsilon(L)$ (the Gaussian width has to exceed it)
A target vector v (the hashed message)
Outputs a lattice vector s such that
s ∈ L, and
s − v follows a discrete Gaussian over $\mathbb{Z}^n$, so s is Gaussian-distributed around v whichever trapdoor produced it
Bottleneck: trapdoor generation
Bonsai tree, gadget matrix, . . .
Falcon = GPV + NTRUSign + more tricks
35. Falcon
Public key security: recover f and g from h;
Forgery: as hard as finding a GPV preimage without the secret key;
Transcript security: the output is already Gaussian and independent of the secret basis, so no rejection sampling is needed.
36. Modular Lattice Signatures
The core idea
Given a lattice L with a trapdoor T and a message m, find a vector v with
v ∈ L, and
v ≡ hash(m) (mod p)
Can be instantiated via any trapdoored lattice:
SIS, R-SIS, R-LWE, etc.
pqNTRUSign is an efficient instantiation using the NTRU lattice,
with the efficient trapdoor (f, g).
37. pqNTRUSign
Sign(f, g, h, p = 3, R, m), where h = g/(p · f) mod q so that ⟨p · f, g⟩ ∈ L_h, g is invertible mod p, and R is the range the signature must stay within
Hash the message (together with the public key) into a "mod p" vector: ⟨v_p, u_p⟩ = hash(m|h)
Repeat with rejection sampling:
Sample v_0 from a certain distribution; compute v_1 = p × v_0 + v_p
Form the random lattice vector ⟨v_1, u_1⟩ = v_1 · ⟨I, h⟩, i.e. u_1 = v_1 · h mod q;
the "v-side" already meets the congruence condition.
Micro-adjust the "u-side" using the trapdoor f and g:
Compute a = (u_p − u_1) · g^{-1} mod p
Compute ⟨v_2, u_2⟩ = a · ⟨p × f, g⟩ (a lattice vector, because ⟨p × f, g⟩ is one)
Compute ⟨v, u⟩ = ⟨v_1, u_1⟩ + ⟨v_2, u_2⟩
Output v as the signature (the verifier recomputes u from v)
Remark
v = v_1 + v_2 = (p × v_0 + v_p) + p × a · f = p × (v_0 + a · f) + v_p ≡ v_p (mod p)
u = u_1 + u_2 = u_1 + a · g ≡ u_1 + (u_p − u_1) = u_p (mod p)
38. pqNTRUSign
Verify(h, p = 3, R, m, v)
Hash the message into the "mod p" vector ⟨v_p, u_p⟩ = hash(m|h)
Reconstruct the lattice vector ⟨v, u⟩ = v · ⟨I, h⟩, i.e. u = v · h mod q
Check ⟨v, u⟩ ≡ ⟨v_p, u_p⟩ (mod p) and that v lies within the range R (without the range check, any oversized v with the right residues would pass)
39. pqNTRUSign
Public key security: recover f and g from h;
Forgery: as hard as solving an approximate SVP in an intersected lattice;
Transcript security: achieved via rejection sampling.
40. Rejection Sampling
Consider b := v_0 + a · f
"large" v_0, drawn from a uniform or a Gaussian distribution;
"small" a, drawn from sparse trinary/binary;
sparse trinary/binary f is the secret.
RS on b
After rejection sampling, b follows a certain publicly known distribution that is independent of f;
for two secret keys f_1, f_2 and a signature b, one cannot tell which key signed b (witness indistinguishability).
41. Rejection Sampling
Rejection sampling on Uniform
Sample v_0 uniformly from $[-q/2, q/2]^N$
Accept b when b is in $[-q/2 + B, q/2 - B]^N$ (B bounds the coefficients of a · f)
Before rejection: [plot "notuniforminq", x from −600 to 600; the density of b = v_0 + a · f is a plateau near the reference line 1/1031 = 1/q with sloping tails spilling past ±q/2]
After rejection: [plot "uniforminq", x from −600 to 600; the density is flat at the reference line 1/1021 = 1/(q − 2B) over the accepted range]
43. Rejection Sampling
Rejection sampling on Gaussian
Sample v_0 from the discrete Gaussian $\chi^N_\sigma$
Accept b with a probability chosen so that the accepted b is again Gaussian, independent of a · f
[plots: distribution of b before and after rejection]
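Below is an added example, written for this edit and not pqNTRUSign's reference code: a toy signer and verifier that follows the Sign/Verify slides (37-39) on top of the NTRU ring multiplication of slides 22-24, with the uniform rejection sampling of slides 40-42 inside the signing loop. Everything not on the slides is my assumption: the ring is Z_q[x]/(x^N − 1) as in the "original" choice but with a prime q (N = 7, q = 257, p = 3) so that f^{-1} can be computed by the extended Euclidean algorithm over F_q[x]; the secret is f = p·F with F and g sparse trinary, so that ⟨p·F, g⟩ is a lattice vector and the v-side congruence survives the micro-adjustment; hash(m|h) is SHA-256 output reduced byte-wise mod p; the verifier's range R is instantiated as a bound on |v_i|; and the signer additionally rejects when the u-side wraps mod q, since the verifier recomputes u from v. The function names (`keygen`, `sign`, `verify`, `ring_inverse`, `demo`) and the sample message are mine; the parameters are toy sizes, not a secure parameter set.

```python
"""Added example, written for this edit: a toy pqNTRUSign signer/verifier (slides 37-39) on
the NTRU ring of slides 22-24, with uniform rejection sampling (slides 40-42) in the signing loop."""
import hashlib
import random
N, Q, P = 7, 257, 3              # assumption: prime q (so f^{-1} is extended Euclid over F_q[x]); toy sizes
WEIGHT = (2, 1)                  # number of +1 and of -1 coefficients in the sparse trinary F and g
B_MAX = sum(WEIGHT)              # |(a*F)_i| <= #nonzeros(F) because a has entries in {-1, 0, 1}
V_BOUND = P * (Q // 2 - B_MAX) + (P - 1)   # largest |v_i| an honest signature can have (the range R)

def trim(a):
    a = list(a)
    while a and a[-1] == 0:
        a.pop()
    return a

def poly_mul(a, b, q):
    out = [0] * (len(a) + len(b) - 1) if a and b else []
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            out[i + j] = (out[i + j] + ai * bj) % q
    return out

def ring_mul(f, g, q=Q):
    """f*g in Z_q[x]/(x^N - 1): multiply over Z[x], fold x^N -> 1, reduce mod q (slide 23)."""
    h = [0] * N
    for k, c in enumerate(poly_mul(f, g, q)):
        h[k % N] = (h[k % N] + c) % q
    return h

def centered(v, q=Q):
    """Representatives in [-q/2, q/2]: 'mod p' of a mod-q value needs a fixed representative."""
    return [((c + q // 2) % q) - q // 2 for c in v]

def poly_divmod(a, b, q):
    a, b = trim(a), trim(b)
    inv_lead, quot = pow(b[-1], -1, q), [0] * max(len(a) - len(b) + 1, 1)
    while a and len(a) >= len(b):
        c, s = a[-1] * inv_lead % q, len(a) - len(b)
        quot[s] = c
        a = trim([(x - c * (b[i - s] if 0 <= i - s < len(b) else 0)) % q for i, x in enumerate(a)])
    return quot, a

def ring_inverse(f, q):
    """f^{-1} in F_q[x]/(x^N - 1) by the extended Euclidean algorithm; None if gcd(f, x^N - 1) != 1."""
    r0, s0 = [q - 1] + [0] * (N - 1) + [1], [0]   # x^N - 1 = 0 * f   (mod x^N - 1)
    r1, s1 = trim([c % q for c in f]), [1]        # f       = 1 * f
    while r1:                                     # invariant: r_i = s_i * f  (mod x^N - 1)
        quot, rem = poly_divmod(r0, r1, q)
        qs = poly_mul(quot, s1, q) + [0] * len(s0)
        r0, r1, s0, s1 = r1, rem, s1, trim([(x - y) % q for x, y in zip(s0 + [0] * len(qs), qs)])
    if len(r0) != 1:
        return None
    inv = [c * pow(r0[0], -1, q) % q for c in s0]
    return inv + [0] * (N - len(inv))

def keygen(rng):
    """Private (F, g, g^{-1} mod p); public h = g/(p*F) mod q, so that <p*F, g> is a lattice vector."""
    trinary = [1] * WEIGHT[0] + [-1] * WEIGHT[1] + [0] * (N - sum(WEIGHT))
    while True:
        F, g = rng.sample(trinary, N), rng.sample(trinary, N)     # shuffled sparse trinary polynomials
        f_inv, g_inv_p = ring_inverse([P * c for c in F], Q), ring_inverse(g, P)
        if f_inv is not None and g_inv_p is not None:
            return (F, g, g_inv_p), ring_mul(g, f_inv)

def hash_mod_p(msg, h):
    """<v_p, u_p> = hash(m | h): 2N digits mod p from SHA-256 (byte mod p is slightly biased; toy only)."""
    d = hashlib.sha256(msg + str(h).encode()).digest()
    return [x % P for x in d[:N]], [x % P for x in d[N:2 * N]]

def sign(sk, h, msg, rng):
    F, g, g_inv_p = sk
    v_p, u_p = hash_mod_p(msg, h)
    while True:                                                   # repeat with rejection sampling
        v0 = [rng.randint(-(Q // 2), Q // 2) for _ in range(N)]  # v0 uniform in [-q/2, q/2]^N
        v1 = [P * x + y for x, y in zip(v0, v_p)]                 # v1 = p*v0 + v_p == v_p (mod p)
        u1 = centered(ring_mul(v1, h))                            # <v1, u1> = v1 * <I, h> lies in L_h
        diff = [(x - y) % P for x, y in zip(u_p, u1)]
        a = centered(ring_mul(diff, g_inv_p, P), P)               # a = (u_p - u1) * g^{-1} mod p, in {-1,0,1}
        aF, ag = centered(ring_mul(a, F)), centered(ring_mul(a, g))   # exact integers, the entries are tiny
        b = [x + y for x, y in zip(v0, aF)]                       # b = v0 + a*F  (slide 40)
        u = [x + y for x, y in zip(u1, ag)]                       # u = u1 + a*g == u_p (mod p)
        # accept iff b is in [-q/2+B, q/2-B]^N (slide 41) and, my extra condition, u did not wrap mod q
        if all(abs(c) <= Q // 2 - B_MAX for c in b) and all(abs(c) <= Q // 2 for c in u):
            return [P * c + y for c, y in zip(b, v_p)]            # v = p*b + v_p = v1 + p*a*F

def verify(h, msg, v):
    """Slide 38 plus the range R: u = v*h mod q, then <v, u> == <v_p, u_p> (mod p) and v is small."""
    v_p, u_p = hash_mod_p(msg, h)
    if len(v) != N or any(abs(c) > V_BOUND for c in v):
        return False          # without this bound, v + p*q*w passes the residue checks for any w
    u = centered(ring_mul(v, h))
    return all(x % P == y for x, y in zip(v, v_p)) and all(x % P == y for x, y in zip(u, u_p))

def demo(seed=7, msg=b"constructed sample message"):
    rng = random.Random(seed)
    sk, h = keygen(rng)
    v = sign(sk, h, msg, rng)
    return {"sig": v, "ok": verify(h, msg, v), "tampered": verify(h, msg + b"!", v),
            "oversized": verify(h, msg, [c + P * Q for c in v])}
```

`demo()` returns a signature that verifies, fails on a tampered message, and fails for the oversized vector v + p·q, which satisfies both residue conditions and is rejected only by the range check; that last case is why R is an input to Verify. The accept test on b is the uniform rejection sampling of slides 41-42: after it, b is uniform on [−q/2 + B, q/2 − B]^N regardless of F, which is what makes the transcript independent of the key.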
44. Thanks!
to study the underlying principle to acquire knowledge (idiom);
pursuing knowledge to the end.
Figure source: Google Image & www.hsjushi.com