Learning Strikes Again: The Case of the DRS Signature Scheme

Ducas, Léo; Yu, Yang

doi:10.1007/978-3-030-03329-3_18

Cited by 14 publications

(12 citation statements)

References 22 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…where D is the signature bound (see Fig 1). We can see that the generated noise vectors follow a Gaussian distribution as far as their norms are concerned, and we believe it makes guessing values much harder for an attacker should they choose to focus on finding specific values or vectors (as it was the case in the original attack from Yu and Ducas [30]). We also conducted experiments, using BKZ20 from the fplll library [28] (see Fig 2).…”

Section: Expected Security Strengthmentioning

confidence: 99%

“…For the first step, Yu and Ducas noticed that the coefficients B of the secret key and the 1 could be distinguished via machine learning techniques [30], noticing for one part that the non-diagonal coefficients follow an "absolute-circulant" structure, and the fact that only two types of non-zero values exist. Based on this information, a surprisingly small amount of selected "features" to specialize a "least-square fit" method allowed them to recover both positions and signs of all if not most coefficients B of a secret vector.…”

Section: Yu and Ducas's Attack On The Drs Instantiation Of The Initiamentioning

confidence: 99%

“…We demonstrate that our new approach is sufficient to improve DRS to be secure against machine learning attacks as reported earlier in the literature. However, the secret matrix is still diagonal dominant and it remains an open question whether there exists a tight security proof to a well-known problem or if there is any unforeseen weaknesses to diagonal dominant lattices as both Li, Liu, Nitaj and Pan's [11] and Yu and Ducas's attacks [30] could lead to. The open questions for improvement stated in the original DRS report are also still applicable to our proposed iteration.…”

Section: Conclusion and Open Questionsmentioning

confidence: 99%

“…The NIST submission however provides a more straight-forward way to generate the noise, using another proof and condition to ensure the functionality of the scheme. This new way to generate the noise, however, is shown to be insecure: soon after DRS was made public, Yu and Ducas used machine learning techniques to severely reduce the security parameters [30]. Although according to Ducas' comments on the NIST forum [17], the attack was not devastating as it still seems asymptotically secure, however its concrete security was significantly decreased.…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

Improving the Security of the DRS Scheme with Uniformly Chosen Random Noise

Sipasseuth

Plantard

Susilo

2019

Information Security and Privacy

View full text Add to dashboard Cite

At PKC 2008, Plantard et al. published a theoretical framework for a lattice-based signature scheme. Recently, after ten years, a new signature scheme dubbed as the Diagonal Reduction Signature (DRS) scheme was presented in the NIST PQC Standardization as a concrete instantiation of the initial work. Unfortunately, the initial submission was challenged by Yu and Ducas using the structure that is present on the secret key noise. In this paper, we are proposing a new method to generate random noise in the DRS scheme to elimite the aforementioned attack, and all subsequent potential variants.

show abstract

Section: Expected Security Strengthmentioning

confidence: 99%

Section: Yu and Ducas's Attack On The Drs Instantiation Of The Initiamentioning

confidence: 99%

Section: Conclusion and Open Questionsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

Improving the Security of the DRS Scheme with Uniformly Chosen Random Noise

Sipasseuth

Plantard

Susilo

2019

Information Security and Privacy

View full text Add to dashboard Cite

show abstract

“…Gaussian sampling is important to prevent leaking secret information. Indeed early lattice trapdoors have suffered from statistical attacks [NR06,DN12b,YD18]. In 2008, Gentry, Peikert and Vaikuntanathan first showed that Gaussian distributions [GPV08] can prevent such leaks, and that Klein's algorithm [Kle00] could sample efficiently from a negligibly close distribution.…”

Section: Introductionmentioning

confidence: 99%

Integral Matrix Gram Root and Lattice Gaussian Sampling Without Floats

Ducas

Galbraith

Prest³

et al. 2020

Lecture Notes in Computer Science

Self Cite

View full text Add to dashboard Cite

Many advanced lattice based cryptosystems require to sample lattice points from Gaussian distributions. One challenge for this task is that all current algorithms resort to floating-point arithmetic (FPA) at some point, which has numerous drawbacks in practice: it requires numerical stability analysis, extra storage for high-precision, lazy/backtracking techniques for efficiency, and may suffer from weak determinism which can completely break certain schemes. In this paper, we give techniques to implement Gaussian sampling over general lattices without using FPA. To this end, we revisit the approach of Peikert, using perturbation sampling. Peikert's approach uses the Cholesky decomposition Σ = AA t of the target covariance matrix Σ, giving rise to a square matrix A with real (not integer) entries. Our idea, in a nutshell, is to replace this decomposition by an integral one. While there is in general no integer solution if we restrict A to being a square matrix, we show that such a decomposition can be efficiently found by allowing A to be wider (say n × 9n). This can be viewed as an extension of Lagrange's four-square theorem to matrices. In addition, we adapt our integral decomposition algorithm to the ring setting: for power-of-2 cyclotomics, we can exploit the tower of rings structure for improved complexity and compactness.

show abstract

Using Freivalds’ Algorithm to Accelerate Lattice-Based Signature Verifications

Sipasseuth

Plantard

Susilo

2019

Lecture Notes in Computer Science

View full text Add to dashboard Cite

© Springer Nature Switzerland AG, 2019. We present a novel computational technique to check whether a matrix-vector product is correct with a relatively high probability. While the idea could be related to verifiable delegated computations, most of the literature in this line of work focuses on provably secure functional aspects and do not provide clear computational techniques to verify whether a product $$xA = y$$ is correct where x, A and y are not given nor computed by the party which requires validity checking: this is typically the case for some cryptographic lattice-based signature schemes. This paper focuses on the computational aspects and the improvement on both speed and memory when implementing such a verifier, and use a practical example: the Diagonal Reduction Signature (DRS) scheme as it was one of the candidates in the recent National Institute of Standards and Technology Post-Quantum Cryptography Standardization Calls for Proposals competition. We show that in the case of DRS, we can gain a factor of 20 in verification speed.

show abstract

Learning Strikes Again: The Case of the DRS Signature Scheme

Cited by 14 publications

References 22 publications

Improving the Security of the DRS Scheme with Uniformly Chosen Random Noise

Improving the Security of the DRS Scheme with Uniformly Chosen Random Noise

Integral Matrix Gram Root and Lattice Gaussian Sampling Without Floats

Using Freivalds’ Algorithm to Accelerate Lattice-Based Signature Verifications

Contact Info

Product

Resources

About