Hawk: Module LIP Makes Lattice Signatures Fast, Compact and Simple

Ducas, Léo; Postlethwaite, Eamonn W.; Pulles, Ludo N.; Woerden, Wessel van

doi:10.1007/978-3-031-22972-5_3

Cited by 20 publications

(9 citation statements)

References 35 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…We note that the lattices we consider, which act as a counter-example, are not necessarily a natural choice for instantiating LIP for cryptographic application, but instead they warn that the hull attack can be relevant. This is fortunately inconsequential when instantiating LIP with the trivial lattice Z n as proposed in [BGPSD21,DPPW22]…”

Section: Contributionsmentioning

confidence: 99%

“…The lattice isomorphism problem (LIP) is the problem of finding an isometry between two lattices, given that such an isometry exists. It has long been a problem of interest in the geometry of numbers [PP85, PS97, Sch09, SHVvW20], in complexity theory [HR14], and has recently been proposed as a foundation for cryptography [BGPSD21,DvW22,DPPW22].…”

Section: Introductionmentioning

confidence: 99%

See 1 more Smart Citation

Hull Attacks on the Lattice Isomorphism Problem

Ducas

Gibbons

2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

The lattice isomorphism problem (LIP) asks one to find an isometry between two lattices. It has recently been proposed as a foundation for cryptography in two independent works [Ducas & van Woerden, EUROCRYPT 2022, Bennett et al. preprint 2021. This problem is the lattice variant of the code equivalence problem, on which the notion of the hull of a code can lead to devastating attacks. In this work we study the cryptanalytic role of an adaptation of the hull to the lattice setting, namely, the s-hull. We first show that the s-hull is not helpful for creating an arithmetic distinguisher. More specifically, the genus of the s-hull can be efficiently predicted from s and the original genus and therefore carries no extra information. However, we also show that the hull can be helpful for geometric attacks: for certain lattices the minimal distance of the hull is relatively smaller than that of the original lattice, and this can be exploited. The attack cost remains exponential, but the constant in the exponent is halved. This second result gives a counterexample to the general hardness conjecture of LIP proposed by Ducas & van Woerden.Our results suggests that one should be very considerate about the geometry of hulls when instantiating LIP for cryptography. They also point to unimodular lattices as attractive options, as they are equal to their dual and their hulls, leaving only the original lattice to an attacker. Remarkably, this is already the case in proposed instantiations, namely the trivial lattice Z n and the Barnes-Wall lattices.

show abstract

Section: Contributionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

Hull Attacks on the Lattice Isomorphism Problem

Ducas

Gibbons

2023

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Nevertheless, the authors did not conjecture that the problem of recovering rotations of Z n (ZSVP) is hard; consequently, there is no evidence of IND-CCA2 security. Finally, Ducas et al propose a concrete signature scheme called Hawk [17] based on the module variant of LIP. When compared to Falcon [19], signature generation is about 4 times faster on the x86 architecture while producing signatures that are approximately 15% smaller.…”

Section: Introductionmentioning

confidence: 99%

A Concrete LIP-Based KEM With Simple Lattices

de Castro Biage,

Zambonin,

Idalino

et al. 2024

IEEE Access

View full text Add to dashboard Cite

“…While the NIST standardization aimed at selecting a portfolio of post-quantum algorithms for general applications, there is a need for developing tailored post-quantum schemes that meet application-specific needs, for example, the constraints of the IoT and automotive applications. In recent years, several new post-quantum algorithms [DPPvW22,MKKV21] have emerged with better performance or security features (or both) than the candidate algorithms in the NIST standardization. Security against side-channel attacks [MOP07] has become an essential requirement in applications where an attacker can obtain side-channel information such as variations in the power consumption or electromagnetic emanation, or temperature of the cryptographic device.…”

Section: Introductionmentioning

confidence: 99%

Kavach: Lightweight masking techniques for polynomial arithmetic in lattice-based cryptography

Aikata

Basso

Cassiers

et al. 2023

TCHES

View full text Add to dashboard Cite

Lattice-based cryptography has laid the foundation of various modern-day cryptosystems that cater to several applications, including post-quantum cryptography. For structured lattice-based schemes, polynomial arithmetic is a fundamental part. In several instances, the performance optimizations come from implementing compact multipliers due to the small range of the secret polynomial coefficients. However, this optimization does not easily translate to side-channel protected implementations since masking requires secret polynomial coefficients to be distributed over a large range. In this work, we address this problem and propose two novel generalized techniques, one for the number theoretic transform (NTT) based and another for the non-NTT-based polynomial arithmetic. Both these proposals enable masked polynomial multiplication while utilizing and retaining the small secret property.For demonstration, we used the proposed technique and instantiated masked multipliers for schoolbook as well as NTT-based polynomial multiplication. Both of these can utilize the compact multipliers used in the unmasked implementations. The schoolbook multiplication requires an extra polynomial accumulation along with the two polynomial multiplications for a first-order protected implementation. However, this cost is nothing compared to the area saved by utilizing the existing cheap multiplication units. We also extensively test the side-channel resistance of the proposed design through TVLA to guarantee its first-order security.

show abstract

Hawk: Module LIP Makes Lattice Signatures Fast, Compact and Simple

Cited by 20 publications

References 35 publications

Hull Attacks on the Lattice Isomorphism Problem

Hull Attacks on the Lattice Isomorphism Problem

A Concrete LIP-Based KEM With Simple Lattices

Kavach: Lightweight masking techniques for polynomial arithmetic in lattice-based cryptography

Contact Info

Product

Resources

About