Phong Q. Nguy - PowerPoint PPT Presentation

Slides: 29
Provided by: cimsNyuEd
Learn more at: https://cims.nyu.edu

Transcript and Presenter's Notes


1
Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
Phong Q. Nguyên (École normale supérieure), Oded Regev (Tel Aviv University)
2
Outline
3
Lattices
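  • Basis: $v_1, \ldots, v_n$ vectors in $\mathbb{R}^n$
  • The lattice L is $L = \{a_1 v_1 + \cdots + a_n v_n : a_i \text{ integers}\}$

[Figure: lattice points labelled 0, v1, v2, v1+v2, 2v1, 2v2, 2v2-v1, 2v2-2v1]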
4
Basis is not unique
[Figure: basis vectors v1, v2 and the origin 0]
5
Closest Vector Problem (CVP)
  • CVP: Given a lattice and a target vector, find the closest lattice point
  • Seems very difficult: best algorithms take time $2^n$
  • However, checking if a point is in a lattice is easy

[Figure: basis vectors v1, v2 and the origin 0]
6
Babai's CVP Algorithm
  • Babai's algorithm: given a point u, write
  • and output
  • Works well for good bases

7
Babai's CVP Algorithm
8
Babai's CVP Algorithm
9
Lattice-based Cryptography
  • One-way functions based on worst-case hardness [Ajtai96, GoldreichGoldwasserHalevi96, CaiNerurkar97, MicciancioRegev04]
  • Public-key cryptosystems based on worst-case hardness [AjtaiDwork97, GoldreichGoldwasserHalevi97, Regev04, Regev06]
  • Other public-key cryptosystems [GoldreichGoldwasserHalevi97, HoffsteinPipherSilverman98]
  • Signature schemes
      • GGH [GoldreichGoldwasserHalevi97]
      • NTRUsign [HoffsteinHowgraveGrahamPipherSilvermanWhyte01]

10
Signature Schemes
  • Consists of:
      • Key generation algorithm: produces a (public-key, private-key) pair
      • Signing algorithm: given a message and a private-key, produces a signature
      • Verification algorithm: given a message+signature and a public key, verifies that the signature matches

11
The GGH Signature Scheme
  • Idea: CVP is hard, but easy with a good basis
  • The scheme:
      • Key generation algorithm: choose a lattice with some good basis
          • Private-key: good basis
          • Public-key: bad basis
      • Signing algorithm: given a message and a private key,
          • Map message to a point in space
          • Apply Babai's algorithm with good basis to obtain the signature
      • Verification algorithm: given message+signature and a public key, verify that
          • Signature is a lattice point, and
          • Signature is close to the message
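
A 2-D toy of the scheme above, as an added example that is not from the original slides: the keys, the distance bound and all function names are constructed assumptions, messages are taken directly as integer points, and Babai's step is written in its standard round-off form (round the target's coefficients in the basis). It shows a good-basis signature verifying, a bad-basis attempt failing, and every message-minus-signature offset landing inside the private basis's parallelepiped, which is what makes signatures samples for the Hidden Parallelepiped Problem stated on slide 19.

```python
from fractions import Fraction
import random

# Constructed 2-D toy keys (assumptions, not values from the slides).
GOOD = ((7, 1), (-1, 6))     # private key: short, nearly orthogonal basis
BAD = ((20, 9), (33, 17))    # public key: same lattice, long skewed basis
BOUND = 5                    # verifier's distance bound (assumed for this toy)

def coords(basis, p):
    """Exact coefficients (x1, x2) such that p = x1*b1 + x2*b2."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return (Fraction(p[0] * d - p[1] * c, det),
            Fraction(a * p[1] - b * p[0], det))

def babai_round(basis, p):
    """Babai round-off: round p's coefficients in `basis` to integers."""
    k1, k2 = (round(x) for x in coords(basis, p))
    (a, b), (c, d) = basis
    return (k1 * a + k2 * c, k1 * b + k2 * d)

def sign(message_point):
    return babai_round(GOOD, message_point)

def verify(message_point, sig):
    in_lattice = all(x.denominator == 1 for x in coords(BAD, sig))
    dist2 = sum((m - s) ** 2 for m, s in zip(message_point, sig))
    return in_lattice and dist2 <= BOUND ** 2

def leaked_offsets(count, seed=1):
    """message - signature for `count` random constructed message points."""
    rng = random.Random(seed)
    out = []
    for _ in range(count):
        m = (rng.randrange(-10**6, 10**6), rng.randrange(-10**6, 10**6))
        s = sign(m)
        out.append((m[0] - s[0], m[1] - s[1]))
    return out

def inside_private_parallelepiped(offset):
    """True if offset = x1*v1 + x2*v2 with |x1|, |x2| <= 1/2 for GOOD."""
    return all(abs(x) <= Fraction(1, 2) for x in coords(GOOD, offset))

if __name__ == "__main__":
    m = (26, 13)
    print(sign(m), verify(m, sign(m)))        # signing with the good basis
    print(verify(m, babai_round(BAD, m)))     # round-off with the bad basis
    print(all(inside_private_parallelepiped(d) for d in leaked_offsets(1000)))
```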

12
GGH Signature Scheme
[Figure labels: Private-key, Public-key]
13
GGH Signature Scheme
[Figure labels: Public-key, Message, Signature]
Verification:
  1. should be a lattice point
  2. distance between and should be small
14
The NTRUsign Signature Scheme
  • Essentially a very efficient implementation of
    the GGH signature scheme
  • Signature length only 1757 bits
  • Signing and verification are faster than
    RSA-based methods
  • Based on the NTRU lattices (bicyclic lattices
    generated from a polynomial ring)
  • Developed by the company NTRU and currently under
    consideration by IEEE P1363.1
  • Some flaws pointed out in [GentrySzydlo02]

15
Main Result
  • An inherent security flaw in GGH-based signature schemes
  • Demonstrated a practical attack on:
      • GGH
          • Up to dimension 400
      • NTRUsign
          • Dimension 502
          • Applies to half of the parameter sets in IEEE P1363.1
  • Only 400 signatures needed!
  • The attack recovers the private key
  • Running time is a few minutes on a 2 GHz/2 GB PC

16
Main Result
  • Possible countermeasures:
      • Perturbations, as suggested by NTRU in several of the IEEE P1363.1 parameter sets
      • Larger entries in private key
      • It is not clear if the attack can be extended to deal with these extensions
  • Public key encryption schemes and one-way functions are still secure!!
      • This includes all schemes based on worst-case hardness and NTRUencrypt

17
The Attack
18
The Attack
19
Hidden Parallelepiped Problem
Given points sampled uniformly from an
n-dimensional centered parallelepiped, recover
the parallelepiped
20
Hidden Hypercube Problem
Given points sampled uniformly from an
n-dimensional centered unit hypercube, recover
the hypercube
21
HHP: First Attempt
22
HHP: Second Attempt
23
HHP: The Algorithm
24
Back to HPP
25
Back to HPP
26
We're not alone
  • The HPP has already been looked at:
      • In statistical analysis, and in particular Independent Component Analysis (ICA). The FastICA algorithm is very similar to ours [HyvärinenOja97]. Many applications in signal processing, neural networks, etc.
      • In the computational learning community, by [FriezeJerrumKannan96]. A somewhat different algorithm.
  • However, none gives a rigorous analysis. We analyze the algorithm rigorously, taking into account the effects of noise

27
Open questions


28
(No Transcript)