The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP

Espitau, Thomas; Kirchner, Paul

doi:10.2140/obs.2020.4.251

Cited by 7 publications

(5 citation statements)

References 37 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…As a Hash-and-Sign paradigm signature, forging a signature stems to feeding a lattice point v at a bounded distance from a random space point x. This ApproxCVP problem can be solved using the so-called Nearest-Cospace framework developed in [17]. Under the Geometric Series assumption, Theorem 3.3 of [17] states that under the condition:…”

Section: G1 Key Recovery Attackmentioning

confidence: 99%

See 1 more Smart Citation

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Espitau

Fouque

Gérard

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

This work describes the MITAKA signature scheme: a new hash-and-sign signature scheme over NTRU lattices which can be seen as a variant of NIST finalist FALCON. It achieves comparable efficiency but is considerably simpler, online/offline, and easier to parallelize and protect against sidechannels, thus offering significant advantages from an implementation standpoint. It is also much more versatile in terms of parameter selection.We obtain this signature scheme by replacing the FFO lattice Gaussian sampler in FALCON by the "hybrid" sampler of Ducas and Prest, for which we carry out a detailed and corrected security analysis. In principle, such a change can result in a substantial security loss, but we show that this loss can be largely mitigated using new techniques in key generation that allow us to construct much higher quality lattice trapdoors for the hybrid sampler relatively cheaply. This new approach can also be instantiated on a wide variety of base fields, in contrast with FALCON's restriction to power-of-two cyclotomics.We also introduce a new lattice Gaussian sampler with the same quality and efficiency, but which is moreover compatible with the integral matrix Gram root technique of Ducas et al., allowing us to avoid floating point arithmetic. This makes it possible to realize the same signature scheme as MITAKA efficiently on platforms with poor support for floating point numbers.Finally, we describe a provably secure masking of MITAKA. More precisely, we introduce novel gadgets that allow provable masking at any order at much lower cost than previous masking techniques for Gaussian sampling-based signature schemes, for cheap and dependable side-channel protection.7 Sometimes, this is also seen as a bounded distance decoding problem, BDD, but with large enough decoding bound that there are exponentially many solutions, instead of a unique one as is typically the case in the traditional formulation of BDD. 8 Other techniques have been proposed that avoid Gaussian distributions, as in [34], but they tend not to be competitive. Authors Suppressed Due to Excessive LengthAlgorithm 5: Integer arithmetic ring Gaussian sampler Input: a matrix B ∈ R 2×2 such that BU û = B = BUu, where û = [u]p ∈ 1 p R, a center c ∈ R 2 , and parameters r, s > 0. Result: z with distribution negligibly far from D L (B),c,rs . 1 Precomputed: Σp = s 2 I − B B t and A ← IntGram(p 2 (Σp − I)) / * AA t = p 2 (Σp − I) * / 2 p ← Algorithm 6(p, A) / * p ∼ D R 2 ,r 2 Σp * / 3 ĉ ← B −1 (c − p) 4 z ← Algorithm 4(û, ĉ, s) / * z ∼ D L (U û),ĉ,s * / 5 return z = Bz Algorithm 6: Offline sampler Input: An integer p > 0, a matrix A ∈ R 2×m . Result: p ∈ R 2 with distribution negligibly far from D R 2 ,r 2 Σ , where Σ = 1 p 2 AA t + I.1 Precomputed: integers r > ηε(R 2 ) and L such that Lr ηε(Λ(A) ⊥ ). 2 x ← ( 0 Lr ) m 3 p ← 1 pL Ax 4 p ← p r 5 return p.

show abstract

Section: G1 Key Recovery Attackmentioning

confidence: 99%

“…This ApproxCVP problem can be solved using the so-called Nearest-Cospace framework developed in [17]. Under the Geometric Series assumption, Theorem 3.3 of [17] states that under the condition:…”

Section: G1 Key Recovery Attackmentioning

confidence: 99%

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Espitau

Fouque

Gérard

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

show abstract

“…Since we are quite above λ 1 (L NTRU )/2, this is an instance of the Approximate Closest Vector Problem (ApproxCVP). This problem can be solved using the so-called Nearest-Cospace framework developed by Espitau and Kirchner in [16]. Under the Geometric Series assumption, Theorem 3.3 of [16] states that the decoding can be done in time Poly(d) calls to a cvp oracle in dimension β under the condition…”

Section: Security Analysismentioning

confidence: 99%

Shorter Hash-and-Sign Lattice-Based Signatures

Espitau

Tibouchi

Wallet

et al. 2022

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Lattice-based digital signature schemes following the hash-and-sign design paradigm of Gentry, Peikert and Vaikuntanathan (GPV) tend to offer an attractive level of efficiency, particularly when instantiated with structured compact trapdoors.In particular, NIST postquantum finalist Falcon is both quite fast for signing and verification and quite compact: NIST notes that it has the smallest bandwidth (as measured in combined size of public key and signature) of all round 2 digital signature candidates. Nevertheless, while Falcon-512, for instance, compares favorably to ECDSA-384 in terms of speed, its signatures are well over 10 times larger. For applications that store large number of signatures, or that require signatures to fit in prescribed packet sizes, this can be a critical limitation.In this paper, we explore several approaches to further improve the size of hashand-sign lattice-based signatures, particularly instantiated over NTRU lattices like Falcon and its recent variant Mitaka. In particular, while GPV signatures are usually obtained by sampling lattice points according to some spherical discrete Gaussian distribution, we show that it can be beneficial to sample instead according to a suitably chosen ellipsoidal discrete Gaussian: this is because only half of the sampled Gaussian vector is actually output as the signature, while the other half is recovered during verification. Making the half that actually occurs in signatures shorter reduces signature size at essentially no security loss (in a suitable range of parameters). Similarly, we show that reducing the modulus q with respect to which signatures are computed can improve signature size as well as verification key size almost "for free"; this is particularly true for constructions like Falcon and Mitaka that do not make substantial use of NTT-based multiplication (and rely instead on transcendental FFT). Finally, we show that the Gaussian vectors in signatures can be represented in a more compact way with appropriate coding-theoretic techniques, improving signature size by an additional 7 to 14%. All in all, we manage to reduce the size of, e.g., Falcon signatures by 30-40% at the cost of only 4-6 bits of Core-SVP security.

show abstract

“…For bigger values of t, one has to find a balance between the time complexity of the CVP algorithm and the distance c − e i+1 , closely related to the time complexity of the operation [a i • b] • E i+1 . This could be done with Espitau and Kirchner's algorithm [25], leading to a subexponential attack of time complexity L t [1/2, c] = exp((c + o(1)) t log(t)), with c 0.229 (see Appendix B). To reach a security level of 128 bits would require to take t ≥ 3 • 10 4 , which is unrealistic.…”

Section: Inverting the Class Group Action On Descending Chainsmentioning

confidence: 99%

On the Security of OSIDH

Dartois

Feo

2022

Public-Key Cryptography – PKC 2022

View full text Add to dashboard Cite

The Oriented Supersingular Isogeny Diffie-Hellman is a postquantum key exchange scheme recently introduced by Colò and Kohel. It is based on the group action of an ideal class group of a quadratic imaginary order on a subset of supersingular elliptic curves, and in this sense it can be viewed as a generalization of the popular isogeny based key exchange CSIDH. From an algorithmic standpoint, however, OSIDH is quite different from CSIDH. In a sense, OSIDH uses class groups which are more structured than in CSIDH, creating a potential weakness that was already recognized by Colò and Kohel. To circumvent the weakness, they proposed an ingenious way to realize a key exchange by exchanging partial information on how the class group acts in the neighborhood of the public curves, and conjectured that this additional information would not impact security. In this work we revisit the security of OSIDH by presenting a new attack, building upon previous work of Onuki. Our attack has exponential complexity, but it practically breaks Colò and Kohel's parameters unlike Onuki's attack. We also discuss countermeasures to our attack, and analyze their impact on OSIDH, both from an efficiency and a functionality point of view.

show abstract

The nearest-colattice algorithm: Time-approximation tradeoff for approx-CVP

Cited by 7 publications

References 37 publications

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Mitaka: A Simpler, Parallelizable, Maskable Variant of Falcon

Shorter Hash-and-Sign Lattice-Based Signatures

On the Security of OSIDH

Contact Info

Product

Resources

About