??? Phong Q. Nguy - PowerPoint PPT Presentation

1 / 30
About This Presentation
Title:

??? Phong Q. Nguy

Description:

??? Phong Q. Nguy n ( cole normale sup rieure) ???? ???Oded Regev (Tel Aviv University) ... GGH and NTRU Signatures. Outline. Introduction to lattices. Lattice ... – PowerPoint PPT presentation

Number of Views:47
Avg rating:3.0/5.0
Slides: 31
Provided by: wisdomWe
Category:
Tags: ecole | nguy | phong

less

Transcript and Presenter's Notes

Title: ??? Phong Q. Nguy


1
Learning a Parallelepiped Cryptanalysis of
GGH and NTRU Signatures

??? Phong Q. Nguyên (École normale
supérieure) ???? ???Oded Regev (Tel Aviv
University)
2
Outline
3
(No Transcript)
4
Lattices
  • Basis
  • v1,,vn vectors in Rn
  • The lattice L is
  • La1v1anvn ai integers

v1v2
2v2
2v1
2v2-v1
v1
v2
2v2-2v1
0
5
Basis is not unique
v2
v1
0
6
Closest Vector Problem (CVP)
  • CVP Given a lattice and a target vector, find
    the closest lattice point
  • Seems very difficult best algorithms take time
    2n
  • However, checking if a point is in a lattice is
    easy

v2
v1
0
7
Babais CVP Algorithm
  • Babais algorithm given a point u, write
  • and output
  • Works well for good bases

8
Babais CVP Algorithm
9
Babais CVP Algorithm
10
Lattice-based Cryptography
  • One-way functions based on worst-case hardness
    Ajtai96, GoldreichGoldwasserHalevi96,
    CaiNerurkar97, MicciancioRegev04
  • Public-key cryptosystems based on worst-case
    hardness AjtaiDwork97, GoldreichGoldwasserHalevi9
    7, Regev04, Regev06
  • Other public-key cryptosystems GoldreichGoldwasse
    rHalevi97, HoffsteinPipherSilverman98
  • Signature schemes
  • GGH GoldreichGoldwasserHalevi97,
  • NTRUsign HoffsteinHowgraveGrahamPipherSilvermanW
    hyte01

11
Signature Schemes
  • Consists of
  • Key generation algorithm produces a
    (public-key,private-key) pair
  • Signing algorithm given a message and a
    private-key, produces a signature
  • Verification algorithm given a messagesignature
    and a public key, verifies that the signature
    matches

12
The GGH Signature Scheme
  • Idea CVP is hard, but easy with good basis
  • The scheme
  • Key generation algorithm choose a lattice with
    some good basis
  • Private-key good basis
  • Public-key bad basis
  • Signing algorithm given a message and a private
    key,
  • Map message to a point in space
  • Apply Babais algorithm with good basis to obtain
    the signature
  • Verification algorithm given messagesignature
    and a public key, verify that
  • Signature is a lattice point, and
  • Signature is close to the message

13
GGH Signature Scheme
Private-key
Public-key
14
GGH Signature Scheme
Public-key
Message
Signature
Verification 1. should be a lattice point
2. distance between and should be
small
15
(No Transcript)
16
The NTRUsign Signature Scheme
  • Essentially a very efficient implementation of
    the GGH signature scheme
  • Signature length only 1757 bits
  • Signing and verification are faster than
    RSA-based methods
  • Based on the NTRU lattices (bicyclic lattices
    generated from a polynomial ring)
  • Developed by the company NTRU and currently under
    consideration by IEEE P1363.1
  • Some flaws pointed out in GentrySzydlo02

17
Main Result
  • An inherent security flaw in GGH-based signature
    schemes
  • Demonstrated a practical attack on
  • GGH
  • Up to dimension 400
  • NTRUsign
  • Dimension 502
  • Applies to half of the parameter sets in IEEE
    P1363.1
  • Only 400 signatures needed!
  • The attack recovers the
  • private key
  • Running time is a few
  • minutes on a 2Ghz/2GB PC

18
Main Result
  • Possible countermeasures
  • Pertubations, as suggested by NTRU in several of
    the IEEE P1363.1 parameter sets
  • Larger entries in private key
  • It is not clear if the attack can be extended to
    deal with these extensions
  • Public key encryption schemes and one-way
    functions are still secure!!
  • This includes all schemes based on worst-case
    hardness and NTRUencrypt

19
The Attack
20
The Attack
21
Hidden Parallelepiped Problem
Given points sampled uniformly from an
n-dimensional centered parallelepiped, recover
the parallelepiped
22
Hidden Hypercube Problem
Given points sampled uniformly from an
n-dimensional centered unit hypercube, recover
the hypercube
23
HHP First Attempt
24
HHP Second Attempt
25
HHP The Algorithm
26
Back to HPP
27
Back to HPP
28
Were not alone
  • The HPP has already been looked at
  • In statistical analysis, and in particular
    Independent Component Analysis (ICA). The FastICA
    algorithm is very similar to ours
    HyvärinenOja97. Many applications in signal
    processing, neural networks, etc.
  • In the computational learning community, by
    FriezeJerrumKannan96. A somewhat different
    algorithm.
  • However, none gives a rigorous analysis. We
    analyze the algorithm rigorously, taking into
    account the effects of noise

29
Open questions


30
(No Transcript)
Write a Comment
User Comments (0)
About PowerShow.com
Home About Us Terms and Conditions Privacy Policy Presentation Removal Request Contact Us
Copyright 2024 CrystalGraphics, Inc. — All rights Reserved. PowerShow.com is a trademark of CrystalGraphics, Inc.
The PowerPoint PPT presentation: "??? Phong Q. Nguy" is the property of its rightful owner.
Do you have PowerPoint slides to share? If so, share your PPT presentation slides online with PowerShow.com. It's FREE!