
Lattice Based Signatures Johannes Buchmann Erik Dahmen Richard Lindner Markus Rückert Michael...

Date post: 08-Jan-2018

Lattice Based Signatures

Johannes Buchmann Erik Dahmen Richard Lindner

Markus Rückert Michael Schneider


Outline

Digital Signatures in practice

Why lattice based signatures?

Commercial 1

Traditional lattice based signatures: NTRU

A new approach: Lattice based one-time signatures

Commercial 2


Windows XP updates authentic?


Shell.Exec(“rmdir /Q /S C:\Windows\System32“)

Or this “update”?


Automatic updates


Software updates for embedded devices


Digital Signatures guarantee authenticity


Website digitally signed


data packages (...) are digitally signed.


Health Professional Card


…using 200 digits provides a margin of safety against future developments…


RSA-200 factored in 2005

After 27 years


RSA modulus for Windows XP updates

21335625291600027351142759355194209132914767425698066864818245285802697571587504827160038792867188144217660057955934845800814958268691260056037643469790871613988653520618544234805258949423413033375605873213651488760386443075342912012970548900016706067393246389837569751517347745772076420507479301672647916792373351492517320962556245120580406546060184803670311182370599074873628794261731191112555208060025609009047888480639771734426254325175122847998160609602132860929278043535478577169570898641110787987645625919308715088016517131066837168489289581361754587749922998809128927098697538006934652117684098976045960758751

617 digits


Quantum computers make RSA, ECC insecure

Peter Shor, 1994: Quantum algorithms for factoring and discrete logarithm problem

In 2001 Chuang et al. factor 15

NMR quantum computer


Quantum immune signatures?


Lattice Based Signatures


Closest Vector Problem ($\gamma$-CVP), $\gamma \ge 1$

Given: lattice $L \subseteq \mathbb{Z}^n$, $x \in \mathbb{Z}^n$

Find: $v \in L$ with $\|x - v\| \le \gamma \, \|x - w\|$ for all $w \in L$


Complexity of $\gamma$-CVP

Arora et al. (1997): $\log(n)^c$-CVP is NP-hard for all $c$

Goldreich, Goldwasser (2000): $(n^{1/2} / \log(n))$-CVP is not NP-hard or coNP $\subseteq$ AM

[Figure labels: n, NP-hard, Not NP-hard]


Lattice Signatures

Public Key: Basis of lattice $L \subseteq \mathbb{Z}^n$

Private Key: Reduced basis of $L$

Signature: Message $m$ → hash → $x = h(m) \in \mathbb{Z}^n$ → solve CVP → Signature $v \in L$

Verification:

1. Check $v \in L$

2. Accept if $v$ close to $h(m)$
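The sign/verify flow on this slide, as an added toy example in dimension 2 (not from the talk): Babai rounding stands in for the CVP solver, and the two bases, the hash-to-point mapping and the acceptance bound are constructed for illustration. It shows why the reduced basis is the private key: rounding with the public basis lands on a lattice point too far from the target to be accepted.

```python
import hashlib
from fractions import Fraction

GOOD = ((7, 1), (-1, 8))    # private key: short, nearly orthogonal basis (constructed)
PUB = ((31, 37), (37, 46))  # public key: U * GOOD with unimodular U = [[5, 4], [6, 5]]
BOUND_SQ = 30               # assumed acceptance bound on ||h(m) - v||^2

def coords(basis, x):
    """Solve c1*b1 + c2*b2 = x exactly (Cramer's rule)."""
    (a, b), (c, d) = basis
    det = a * d - b * c
    return Fraction(x[0] * d - x[1] * c, det), Fraction(a * x[1] - b * x[0], det)

def babai_round(basis, x):
    """Approximate CVP: round the coordinates of x in `basis` to integers."""
    k1, k2 = (round(c) for c in coords(basis, x))
    (a, b), (c, d) = basis
    return (k1 * a + k2 * c, k1 * b + k2 * d)

def dist_sq(x, v):
    return (x[0] - v[0]) ** 2 + (x[1] - v[1]) ** 2

def hash_to_point(msg: bytes):
    """x = h(m) in Z^2 (toy mapping, an assumption of this example)."""
    digest = hashlib.sha256(msg).digest()
    return (int.from_bytes(digest[:4], "big") % 1000,
            int.from_bytes(digest[4:8], "big") % 1000)

def sign(msg: bytes):
    return babai_round(GOOD, hash_to_point(msg))

def verify(msg: bytes, v):
    in_lattice = all(c.denominator == 1 for c in coords(PUB, v))  # 1. v in L
    return in_lattice and dist_sq(hash_to_point(msg), v) <= BOUND_SQ  # 2. v close to h(m)
```

With the private basis the rounding error is at most half of each basis vector, so its squared length never exceeds 29.25 and every honest signature passes the bound.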


CVP-based Signatures

GGH (Goldwasser, Goldreich, Halevi 1997)

NTRU-Sign (Hoffstein et al. 2003)

Attack (Nguyen, Regev 2006)


Nguyen, Regev 2006 Attack

NTRU-251 broken using ≈ 400 signatures

GGH-400 broken using ≈ 160.000 signatures

[Figure: signatures s1, s2, s3, s4]


Hash tree based signatures

Use one-time signature scheme (OTSS):

One (Signature key, verification key) per signature

Hash tree reduces validity of many verification keys to validity of one public key

[Figure: hash tree, labelled "Public Key" and "Verification Keys" Y1 Y2 Y3 Y4 Y5 Y6 Y7 Y8]


Timings obtained using FlexiProvider on a Pentium Dual-Core 1.83GHz ($2^{40}$ Signatures)

ECDSA (256 bit): verifying 23.8 msec, signing 9.3 msec, signature size 71 bytes

RSA (4440 bit): verifying 13.6 msec, signing 914.1 msec, signature size 555 bytes

GMSS (256 bit): verifying 57.8 msec, signing 77.3 msec, signature size 3936 bytes

= 128 bit symmetric security (secure until 2090)

GMSS (Dahmen, Schneider 2008) based on Winternitz OTS


Reduce Signature Size !

GMSS signature size of n-bit hashes is $\Omega(n^2)$:

(i, , , , , )

OTS: $\Omega(n^2)$ Public key: $O(n)$

Authentication path: $O(\text{tree depth} \cdot n)$
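The hash tree and authentication path from the two GMSS slides above, as an added example (not from the talk and not GMSS itself): eight constructed stand-in verification keys Y1..Y8 are reduced to one public key, and a single key is checked against that public key with three sibling hashes. SHA-256 and the leaf/node prefix bytes are assumptions of this example.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def build_tree(verification_keys):
    """levels[0] holds the leaf hashes, levels[-1] == [root] (the public key)."""
    assert len(verification_keys) & (len(verification_keys) - 1) == 0, "power of two"
    levels = [[h(b"\x00" + y) for y in verification_keys]]  # 0x00 prefix marks a leaf
    while len(levels[-1]) > 1:
        prev = levels[-1]
        levels.append([h(b"\x01" + prev[i] + prev[i + 1])   # 0x01 prefix marks a node
                       for i in range(0, len(prev), 2)])
    return levels

def auth_path(levels, index):
    """Sibling hashes from leaf `index` up to (not including) the root."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index >>= 1
    return path

def verify_key(public_key, y, index, path):
    """Recompute the root from one verification key and its authentication path."""
    node = h(b"\x00" + y)
    for sibling in path:
        pair = node + sibling if index % 2 == 0 else sibling + node
        node = h(b"\x01" + pair)
        index >>= 1
    return node == public_key

# Constructed stand-ins for the one-time verification keys Y1..Y8.
KEYS = [b"Y%d" % i for i in range(1, 9)]
LEVELS = build_tree(KEYS)
PUBLIC_KEY = LEVELS[-1][0]
```

The path for one leaf is tree depth times hash length (here 3 × 32 bytes), which is the O(tree depth · n) term on the slide; the one-time signature carried alongside it is the dominant part.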


Lyubashevsky Micciancio OTS 2008

$R = \mathbb{Z}[x] / \langle p, f(x) \rangle$, $m = O(\log(n))$, $a_1, \dots, a_m \in R$

$H: (\text{small elements in } R)^m \to R$, $x = (x_1, \dots, x_m)$, $H(x) = \sum_{i=1,\dots,m} a_i x_i$

Micciancio 2002: If there exists a polynomial-time algorithm that finds a collision for a random choice of $H$ then there exists a polynomial-time algorithm that approximates $\lambda_1(L)$ within a polynomial factor for every lattice $L$ corresponding to an ideal in $\mathbb{Z}[x] / \langle f \rangle$.


Lyubashevsky Micciancio OTS 2008

$R = \mathbb{Z}[x] / \langle p, f(x) \rangle$, $m = O(\log(n))$, $a_1, \dots, a_m \in R$

$H: (\text{small elements in } R)^m \to R$, $x = (x_1, \dots, x_m)$, $H(x) = \sum_{i=1,\dots,m} a_i x_i$

Signature Key: $x, y \in R^m$ “very small”

Verification Key: $(H(x), H(y))$

Signature of $z \in R$ (“very small”): $s = xz + y$

Verification: $H(s) \stackrel{?}{=} H(x)z + H(y)$

Signature and hash of same size!


Security of LM-OTS

Model: Forger is given $H$, $H(x)$, $H(y)$

obtains signature $s$ of $z$ of her choice

forges signature $s'$ of $z'$, $(s, z) \ne (s', z')$

ML 2006: Forging a signature for random $H$ implies being able to find very short vectors in ideal lattices $L(I) = \{ (a_0, \dots, a_{n-1}) \in \mathbb{Z}^n : \sum_{i=0,\dots,n-1} a_i x^i + \langle f \rangle \in I \}$


Security of LM-OTS

1. There are many $x', y'$ with $H(x) = H(x')$, $H(y) = H(y')$.

2. $(H, H(x), H(y), s, z)$ yields negligible information about $x, y$.

3. Forger produces signature $s' \ne xz' + y$

4. Collision of $H$: $H(s') = H(x)z' + H(y) = H(xz' + y)$


LM-OTS practical ?


Difficulty of $\gamma$-SVP?

Lattice Challenge!


Lattice Challenge

B., Rückert, Lindner 2008


Lattice challenge

Dirichlet: L(c1,c2,n,X) contains vector of length < n

Ajtai: If there is a polynomial time algorithm for finding a vector of length < n in L(c1,c2,n,X) for a random X (dimension m > n)

then hard lattice problems can be solved in all lattices of dimension n (< m)


Lattice challenge

L(c1,c2,n,X)

c2 = 1, m challenge dimension, c2 = c2(n), q = n = n(m)

X from digits of π

$\gamma = n / d(L)^{1/m}$

Gama, Nguyen 2008: $\gamma < 1.005^m$, then finding vector of length $< n$ totally out of reach


www.LatticeChallenge.org


Thank you

