2 research outputs found

    Cryptanalysis of the «Vershyna» («Вершина») Digital Signature Algorithm

    This thesis reviews the CRYSTALS-Dilithium digital signature algorithm, which served as the prototype for the new «Vershyna» digital signature algorithm. It also describes the features of the draft national digital signature standard and the construction of the «Vershyna» algorithm. During the analysis, the expected number of iterations the algorithm must perform to produce a valid signature is computed. The main theoretical background on the Fiat-Shamir with aborts framework and its security in the classical and quantum computation models (the classical and quantum random oracle models) is presented. We obtain our own results on the resistance of the «Vershyna» algorithm to no-message forgery attacks in the classical and quantum models. The resistance of «Vershyna» to key recovery attacks rests on the assumed hardness of the MLWE problem, and its resistance to existential signature forgery rests on the assumed hardness of the MSIS problem. Accordingly, the thesis computes the expected hardness of the SIS and LWE problems, to which the MSIS and MLWE problems reduce. The purpose of the thesis is to assess the resistance of the «Vershyna» digital signature algorithm to cryptanalysis and to analyze the constituent algorithms of the draft national digital signature standard and its modes of operation. The research object is the processes of information transformation in the «Vershyna» digital signature algorithm. The research subject is the resistance of the «Vershyna» digital signature algorithm to cryptanalysis.

    CRPSF and NTRU Signatures over cyclotomic fields

    Classical NTRUEncrypt is one of the fastest known lattice-based encryption schemes. Its counterpart, NTRUSign, also has many advantages, such as moderate key sizes, high efficiency and the potential to resist attacks from quantum computers. However, like classical NTRUEncrypt, the security of NTRUSign is also heuristic. Whether the security of NTRUSign can be related to worst-case lattice problems, as has been done for NTRUEncrypt, is still an open problem. Our main contribution is a detailed construction of Collision Resistant Preimage Sampleable Functions (CRPSF) over any cyclotomic field based on NTRU. Using GPV's construction, we obtain a provably secure NTRU signature scheme (NTRUSign) that is strongly existentially unforgeable under adaptive chosen-message attacks in the quantum random oracle model. The security of CRPSF (and hence of NTRUSign) is reduced to the corresponding ring small integer solution problem (Ring-SIS). More precisely, the security of our scheme is based on the worst-case approximate shortest independent vectors problem (SIVP_γ) over ideal lattices. For any fixed cyclotomic field, we give a probabilistic polynomial time (PPT) key generation algorithm that shows how to extend the secret key of NTRUEncrypt to the secret key of NTRUSign. This algorithm is important for constructions of many NTRU-based cryptographic primitives, for example CRPSF, NTRUSign, identity-based encryption and identity-based signature. We also revisit the earlier construction of NTRUEncrypt, give a much tighter reduction from the decision dual-Ring-LWE problem (where the secret is chosen from the codifferent ideal) to the decision primal-Ring-LWE problem (where the secret is chosen from the ring of integers), and give a provably secure NTRUEncrypt over any cyclotomic ring. Some useful results about q-ary lattices and the regularity and uniformity of the distribution of NTRUEncrypt public keys are also extended to more general algebraic fields.