ModFalcon: Compact Signatures Based On Module-NTRU Lattices

Chuengsatiansup, Chitchanok; Prest, Thomas; Stehlé, Damien; Wallet, Alexandre; Xagawa, Keita

doi:10.1145/3320269.3384758

Cited by 25 publications

(18 citation statements)

References 38 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Furthermore, the structure of the algorithms allows time-memory tradeoff and batch CVP oracle to be used. We believe that this algorithm has been in the folklore for some time, and it is somehow hinted at in ModFalcon's security analysis [9,Subsection 4.2], but without analysis of the heuristics introduced.…”

Section: Thomas Espitau and Paul Kirchnermentioning

confidence: 99%

See 1 more Smart Citation

The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP

Espitau

Kirchner²

2020

Open Book Series

View full text Add to dashboard Cite

Section: Thomas Espitau and Paul Kirchnermentioning

confidence: 99%

“…In the so-called GPV framework [18], instantiated in the DLP cryptosystem [14] and its follow-ups FALCON [16], MODFALCON [9], a valid signature is a point close to a target, which is the hash of the message. Hence, forging a signature boils down to finding a close vector to a random target.…”

Section: Cryptographic Perspectivesmentioning

confidence: 99%

The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP

Espitau

Kirchner²

2020

Open Book Series

View full text Add to dashboard Cite

“…In the so-called GPV framework [18], instantiated in the DLP cryptosystem [14] and its followups Falcon [16], ModFalcon [9], a valid signature is a point close to a target, which is the hash of the message. Hence, forging a signature boils down to finding a close vector to a random target.…”

Section: Cryptographic Perspectivesmentioning

confidence: 99%

“…We believe that this algorithm has been in the folklore for some time, and it is somehow hinted in ModFalcon's security analysis [9,Subsection 4.2], but without analysis of the heuristics introduced.…”

Section: Introductionmentioning

confidence: 99%

The nearest-colattice algorithm

Espitau,

Kirchner

2020

Preprint

View full text Add to dashboard Cite

In this work, we exhibit a hierarchy of polynomial time algorithms solving approximate variants of the Closest Vector Problem (CVP). Our first contribution is a heuristic algorithm achieving the same distance tradeoff as HSVP algorithms, namely ≈ β n 2β covol(Λ)1 n for a random lattice Λ of rank n. Compared to the so-called Kannan's embedding technique, our algorithm allows using precomputations and can be used for efficient batch CVP instances. This implies that some attacks on lattice-based signatures lead to very cheap forgeries, after a precomputation.Our second contribution is a proven reduction from approximating the closest vector with a factor ≈ n 3 2 β 3n 2β to the Shortest Vector Problem (SVP) in dimension β.2 THOMAS ESPITAU AND PAUL KIRCHNER ⋆ Voronoi cell computation: Micciancio and Voulgaris' Voronoi cell algorithm solves CVP in time (4 + o(1)) n but uses a space of (2 + o(1)) n [28]. Sieving algorithms: where vectors are combined in order to get closer and closer to the target vector. Heuristic variants take time as low as (4/3 + o(1)) n 2 [7], but proven variants of classical sieves [3, 8, 15] could only solve CVP with approximation factor 1 + ǫ at a cost in the exponent. In 2015, a (2 + o(1)) n sieve for exact CVP was finally proven by Aggarwal, Dadush and Stephen-Davidowitz [1] thanks to the properties of discrete Gaussians.Many algorithms for solving its relaxed variant, APPROX-CVP, have been proposed. However, they come with caveats. For example, Dadush, Regev and Stephens-Davidowitz [10] give algorithms for this problem, but only with exponential time precomputations. Babai [5, Theorem 3.1] showed that one can reach an 2 n 2 -approximation factor for CVP in polynomial time. To the authors' knowledge, this has never been improved (while keeping the polynomial-time requirement), though the approximation factor for SVP has been significantly reduced [33,20,29].We aim at solving the relaxed version of CVP for relatively large approximation factors, and study the tradeoff between the quality of the approximation of the solution found and the time required to actually find it. In particular, we exhibit a hierarchy of polynomial-time algorithms solving APPROX-CVP, ranging from Babai's nearest plane algorithm to an actual CVP oracle. Contributions and summary of the techniques.In Section 3 we introduce our so-called Nearest-Colattice algorithm. Inspired by Babai's algorithm, it shows that in practice, we can achieve the performance of Kannan's embedding but with a basis which is independent of the target vector.Denote by T (β) (resp. T CVP (β)) the time required to solve √ β-Hermite-SVP (resp. exactly solve CVP) in rank β). Quantitatively, we show that:

show abstract

“…It is thus crucial for security to prove that signatures are sampled according to a distribution that is statistically independent of the trapdoor. The first approach to do so, which remains the state of the art, 8 is due to Gentry, Peikert and Vaikuntanathan (GPV) [19]: sample the ApproxCVP solution according to a discrete Gaussian distribution centered at the target point and supported over the lattice, with covariance independent from the trapdoor (usually spherical). This type of lattice discrete Gaussian sampling can be carried out by randomizing known deterministic algorithms for ApproxCVP, like Babai rounding and Babai's nearest plane algorithm.…”

Section: Introductionmentioning

confidence: 99%

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Espitau

Fouque

Gérard

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This work describes the MITAKA signature scheme: a new hash-and-sign signature scheme over NTRU lattices which can be seen as a variant of NIST finalist FALCON. It achieves comparable efficiency but is considerably simpler, online/offline, and easier to parallelize and protect against sidechannels, thus offering significant advantages from an implementation standpoint. It is also much more versatile in terms of parameter selection.We obtain this signature scheme by replacing the FFO lattice Gaussian sampler in FALCON by the "hybrid" sampler of Ducas and Prest, for which we carry out a detailed and corrected security analysis. In principle, such a change can result in a substantial security loss, but we show that this loss can be largely mitigated using new techniques in key generation that allow us to construct much higher quality lattice trapdoors for the hybrid sampler relatively cheaply. This new approach can also be instantiated on a wide variety of base fields, in contrast with FALCON's restriction to power-of-two cyclotomics.We also introduce a new lattice Gaussian sampler with the same quality and efficiency, but which is moreover compatible with the integral matrix Gram root technique of Ducas et al., allowing us to avoid floating point arithmetic. This makes it possible to realize the same signature scheme as MITAKA efficiently on platforms with poor support for floating point numbers.Finally, we describe a provably secure masking of MITAKA. More precisely, we introduce novel gadgets that allow provable masking at any order at much lower cost than previous masking techniques for Gaussian sampling-based signature schemes, for cheap and dependable side-channel protection.7 Sometimes, this is also seen as a bounded distance decoding problem, BDD, but with large enough decoding bound that there are exponentially many solutions, instead of a unique one as is typically the case in the traditional formulation of BDD. 8 Other techniques have been proposed that avoid Gaussian distributions, as in [34], but they tend not to be competitive. Authors Suppressed Due to Excessive LengthAlgorithm 5: Integer arithmetic ring Gaussian sampler Input: a matrix B ∈ R 2×2 such that BU û = B = BUu, where û = [u]p ∈ 1 p R, a center c ∈ R 2 , and parameters r, s > 0. Result: z with distribution negligibly far from D L (B),c,rs . 1 Precomputed: Σp = s 2 I − B B t and A ← IntGram(p 2 (Σp − I)) / * AA t = p 2 (Σp − I) * / 2 p ← Algorithm 6(p, A) / * p ∼ D R 2 ,r 2 Σp * / 3 ĉ ← B −1 (c − p) 4 z ← Algorithm 4(û, ĉ, s) / * z ∼ D L (U û),ĉ,s * / 5 return z = Bz Algorithm 6: Offline sampler Input: An integer p > 0, a matrix A ∈ R 2×m . Result: p ∈ R 2 with distribution negligibly far from D R 2 ,r 2 Σ , where Σ = 1 p 2 AA t + I.1 Precomputed: integers r > ηε(R 2 ) and L such that Lr ηε(Λ(A) ⊥ ). 2 x ← ( 0 Lr ) m 3 p ← 1 pL Ax 4 p ← p r 5 return p.

show abstract

ModFalcon: Compact Signatures Based On Module-NTRU Lattices

Cited by 25 publications

References 38 publications

The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP

The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP

The nearest-colattice algorithm

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Contact Info

Product

Resources

About