142 research outputs found
Markov Chain Monte Carlo Algorithms for Lattice Gaussian Sampling
Sampling from a lattice Gaussian distribution is emerging as an important
problem in various areas such as coding and cryptography. The default sampling
algorithm --- Klein's algorithm yields a distribution close to the lattice
Gaussian only if the standard deviation is sufficiently large. In this paper,
we propose the Markov chain Monte Carlo (MCMC) method for lattice Gaussian
sampling when this condition is not satisfied. In particular, we present a
sampling algorithm based on Gibbs sampling, which converges to the target
lattice Gaussian distribution for any value of the standard deviation. To
improve the convergence rate, a more efficient algorithm referred to as
Gibbs-Klein sampling is proposed, which samples block by block using Klein's
algorithm. We show that Gibbs-Klein sampling yields a distribution close to the
target lattice Gaussian, under a less stringent condition than that of the
original Klein algorithm.
Comment: 5 pages, 1 figure, IEEE International Symposium on Information Theory (ISIT) 201
Almost universal codes for fading wiretap channels
We consider a fading wiretap channel model where the transmitter has only
statistical channel state information, and the legitimate receiver and
eavesdropper have perfect channel state information. We propose a sequence of
non-random lattice codes which achieve strong secrecy and semantic security
over ergodic fading channels. The construction is almost universal in the sense
that it achieves the same constant gap to secrecy capacity over Gaussian and
ergodic fading models.
Comment: 5 pages, to be submitted to IEEE International Symposium on Information Theory (ISIT) 201
NFLlib: NTT-based Fast Lattice Library
Recent years have witnessed an increased interest in lattice cryptography. Besides its strong security guarantees, its simplicity and versatility make this powerful theoretical tool a promising competitive alternative to classical cryptographic schemes. In this paper, we introduce NFLlib, an efficient and open-source C++ library dedicated to ideal lattice cryptography in the widely used polynomial ring Z_p[x]/(x^n + 1) for n a power of 2. The library combines algorithmic optimizations (Chinese Remainder Theorem, optimized Number Theoretic Transform) with programming optimization techniques (SSE and AVX2 specializations, C++ expression templates, etc.), and will be fully available under the GPL license. The library compares very favorably to other libraries used in ideal lattice cryptography implementations (namely the generic number theory libraries NTL and flint implementing polynomial arithmetic, and the optimized library for lattice homomorphic encryption HElib): restricting the library to the aforementioned polynomial ring makes it possible to gain several orders of magnitude in efficiency.
Lattice Gaussian Sampling by Markov Chain Monte Carlo: Bounded Distance Decoding and Trapdoor Sampling
Sampling from the lattice Gaussian distribution plays an important role in
various research fields. In this paper, the Markov chain Monte Carlo
(MCMC)-based sampling technique is advanced in several fronts. Firstly, the
spectral gap for the independent Metropolis-Hastings-Klein (MHK) algorithm is
derived, which is then extended to Peikert's algorithm and rejection sampling;
we show that independent MHK exhibits faster convergence. Then, the performance
of bounded distance decoding using MCMC is analyzed, revealing a flexible
trade-off between the decoding radius and complexity. MCMC is further applied
to trapdoor sampling, again offering a trade-off between security and
complexity. Finally, the independent multiple-try Metropolis-Klein (MTMK)
algorithm is proposed to enhance the convergence rate. The proposed algorithms
allow parallel implementation, which is beneficial for practical applications.
Comment: submitted to Transaction on Information Theor
Gaussian Sampling Precision in Lattice Cryptography
Security parameters and attack countermeasures for Lattice-based
cryptosystems have not yet matured to the level that we now expect
from RSA and Elliptic Curve implementations.
Many modern Ring-LWE and other lattice-based public key algorithms
require high precision random sampling from the Discrete Gaussian
distribution. The sampling procedure often represents the biggest
implementation bottleneck due to its memory and computational requirements.
We examine the stated requirements of precision for Gaussian
samplers, where statistical distance to the theoretical distribution is
typically expected to be below or for
90 or 128 "bit" security level.
We argue that such precision is excessive and give precise
theoretical arguments why half of the precision of the security parameter
is almost always sufficient. This leads to faster and more
compact implementations; almost halving implementation size in both
hardware and software.
We further propose new experimental parameters for practical
Gaussian samplers for use in lattice cryptography.
Discrete Gaussian Measures and New Bounds of the Smoothing Parameter for Lattices
In this paper, we start with a discussion of discrete Gaussian measures on lattices.
Several results of Banaszczyk are analyzed, different approaches are suggested.
In the second part of the paper we prove two new bounds for the smoothing parameter of lattices.
Under the natural assumption that is suitably small, we obtain two estimations of the
smoothing parameter:
1.
2.
For a lattice of dimension ,
\[
\eta_{\varepsilon}({\cal L}) \le \sqrt{\frac{\ln \big(n-1+\frac{2n}{\varepsilon}\big)}{\pi}}\,\tilde{bl}({\cal L}).
\]
Learning strikes again: The case of the DRS signature scheme
Lattice signature schemes generally require particular care when it comes to preventing secret information from leaking through signature transcripts. For example, the Goldreich-Goldwasser-Halevi (GGH) signature scheme and the NTRUSign scheme were completely broken by the parallelepiped-learning attack of Nguyen and Regev (Eurocrypt 2006). Several heuristic countermeasures were also shown vulnerable to similar statistical attacks. At PKC 2008, Plantard, Susilo and Win proposed a new variant of GGH, informally arguing resistance to such attacks. Based on this variant, Plantard, Sipasseuth, Dumondelle and Susilo proposed a concrete signature scheme, called DRS, that has been accepted in round 1 of the NIST post-quantum cryptography project. In this work, we propose yet another statistical attack and demonstrate a weakness of the DRS scheme: one can recover some partial information of the secret key from sufficiently many signatures. One difficulty is that, due to the DRS reduction algorithm, the relation between the statistical leak and the secret seems more intricate. We work around this difficulty by training a statistical model, using a few features that we designed according to a simple heuristic analysis. While we only recover partial information on the secret key, this information is easily exploited by lattice attacks, significantly decreasing their complexity. Concretely, we claim that, provided that signatures are available, the secret key may be recovered using BKZ-138 for the first set of DRS parameters submitted to the NIST. This puts the security level of this parameter set below 80 bits (maybe even 70 bits), to be compared to an original claim of 128 bits.