
    Faster verifications and smaller signatures: Trade-offs for ALTEQ using rejections

    In this paper, we introduce a new probability function parameter in the instantiations of Goldreich-Micali-Wigderson with Fiat-Shamir and unbalanced challenges used in ALTEQ, a recent NIST PQC candidate in the call for additional signatures. Set at 100%, this probability does not change the scheme at all; below 100%, it modifies the public challenge generation process by injecting potential rejections into otherwise completely valid inputs. From a theoretical point of view, this does not improve the asymptotic hardness of the scheme, negatively affects the efficiency of the signer, and might itself seem trivial. However, from a practical point of view, implementation-wise and performance-wise, this triviality allows an extra degree of freedom in optimizing parameters, as the heuristic security level against forgers is also increased: previously valid combinations can now be deemed invalid. This allows us to make trade-offs that reduce the computational load on verifiers, accelerating verification and marginally reducing the signature size, at the cost of making signing slower and unlikely to be constant-time. In particular, this extra degree of freedom allows implementation choices that enable smoother and faster executions of the aforementioned protocols, especially in the context of parallelization using vectorized instructions. We also demonstrate the usefulness of our proposal to ALTEQ for other options, when slowing down the signing process is not an issue: significantly smaller signatures but longer verifications, or smaller public key sizes. The ideas presented apply to any primitive, and can be used beyond ALTEQ.

    DVA: Dangerous Variations of ALTEQ

    In this paper, we present three types of variations of the ALTEQ cryptosystem, a recent submission to the NIST's additional call for signatures. We name these Dangerous Variations of ALTEQ (DVA), as there is always a certain danger in stepping out of usual constructions, although we attempt to maintain heuristic security. First, we present DVA-GG (Graph Generalization), which can be seen as a more abstract point of view on the operations done in ALTEQ and encourages more research on the algebraic variants. In particular, we show this approach can lead to a patch countering Beullens' recent seed collision attack on ALTEQ that only depends on the primitive, and showcase some fancy usages of the primitive for experimental protocols. Second, we present DVA-PC (Precomputations), which is "likely" as secure as ALTEQ in the random oracle model, and allows a drastic reduction of the intermediate memory requirements within both the signing and verification process through an easily parallelizable extra operation. In particular, this facilitates precomputation variants with online phases that depend only on the complexity of basic matrix operations. We can then choose between either a tiny offline memory per signature, or one of the fastest online signing speeds in post-quantum cryptography. Third, we present DVA-DM (Distinct Matrices), some cryptanalytic targets that deviate from ALTEQ's original algebraic structure. Those structures can serve as plain computational acceleration or simply compress data sizes, and provide good options to motivate the study of specialized cryptanalysis for ALTEQ: if those are safe, then ALTEQ gains safe variants, and otherwise, we gain further understanding of the problems. In particular, the ideas can be applied beyond ALTEQ, and hopefully extend to MEDS, LESS, and group-action-based cryptography.

    Tight bound on NewHope failure probability

    The NewHope Key Encapsulation Mechanism (KEM) was presented at USENIX 2016 by Alkim et al. and is one of the remaining lattice-based candidates in the post-quantum standardization initiated by NIST. However, despite the relative simplicity of the protocol, the bound on the decapsulation failure probability resulting from the original analysis is not tight. In this work we refine this analysis to get a tight upper bound on this probability, which happens to be much lower than what was originally evaluated. As a consequence we propose a set of alternative parameters, increasing the security and the compactness of the scheme. However, using a smaller modulus prevents the use of a full NTT algorithm to perform multiplications of elements in dimension 512 or 1024. Nonetheless, similarly to previous works, we combine different multiplication algorithms and show that our new parameters are competitive in a constant-time vectorized implementation. Our most compact parameters bring a speed-up of 17% (resp. 11%) in performance, gain more than 19% on the bandwidth requirements, and increase the security by 10% (resp. 7%) in dimension 512 (resp. 1024).

    Lattice-based Cryptography: Expanding the Design Space

    This thesis is a compilation of the main published works I did during my studies in Australia. My research area was lattice-based cryptography, which focuses mainly on a family of mathematical primitives that are supposed to be “quantum-resistant”. The direction of my research was mostly targeted towards constructions that lie outside of the mainly researched lattice forms, to provide an alternative direction in case common constructions were discovered to be insecure. We do have, however, some work that makes use of common constructions, in which we expand the design space for better efficiency or security. At PKC 2008, Plantard et al. published a theoretical framework for a lattice-based signature scheme, namely Plantard-Susilo-Win (PSW). Recently, after ten years, we proposed a new signature scheme dubbed the Diagonal Reduction Signature (DRS) scheme, which was presented in the National Institute of Standards and Technology (NIST) PQC Standardization as a concrete instantiation of the initial work. Unfortunately, the initial submission was challenged by Yu and Ducas using the structure that is present in the secret key noise. Thus, we also present a new method to generate random noise in the Diagonal Reduction Signature (DRS) scheme to eliminate the aforementioned attack, and all subsequent potential variants. This involves sampling vectors from the -dimensional ball with uniform distribution. We also give insight into some underlying properties which affect both security and efficiency in the Plantard-Susilo-Win (PSW) type schemes and beyond, and hopefully increase the understanding of this family of lattices. This work was published in [SPS20].

    A Noise Study of the PSW Signature Family: Patching DRS with Uniform Distribution

    At PKC 2008, Plantard et al. published a theoretical framework for a lattice-based signature scheme, namely Plantard-Susilo-Win (PSW). Recently, after ten years, a new signature scheme dubbed the Diagonal Reduction Signature (DRS) scheme was presented in the National Institute of Standards and Technology (NIST) PQC Standardization as a concrete instantiation of the initial work. Unfortunately, the initial submission was challenged by Yu and Ducas using the structure that is present in the secret key noise. In this paper, we propose a new method to generate random noise in the DRS scheme to eliminate the aforementioned attack, and all subsequent potential variants. This involves sampling vectors from the n-dimensional ball with uniform distribution. We also give insight into some underlying properties which affect both security and efficiency in the PSW type schemes and beyond, and hopefully increase the understanding of this family of lattices.

    Enhancing Goldreich, Goldwasser and Halevi's scheme with intersecting lattices

    We present a technique to enhance the security of the Goldreich, Goldwasser and Halevi (GGH) scheme. The security of GGH has practically been broken by lattice reduction techniques. Those attacks are successful due to the structure of the basis used in the secret key. In this work, we present a new technique to alleviate this problem by modifying the public key so that it hides the structure of the corresponding private key. We intersect the initial lattice with a random one, keeping the initial lattice as our secret key and using the result of the intersection as the public key. We show sufficient evidence that this technique will make GGH implementations secure against the aforementioned attacks.
