A Closer Look at Falcon

Published 9 December 2024, 20:35
Speakers: Jonas Janneck
Host: Melissa Chase

Falcon is a winner of NIST’s six-year post-quantum cryptography standardization competition. Based on the celebrated full-domain-hash framework of Gentry, Peikert and Vaikuntanathan (GPV) (STOC’08), Falcon leverages NTRU lattices to achieve the most compact signatures among lattice-based schemes. Its security hinges on a Rényi divergence-based argument for Gaussian samplers, a core element of the scheme. However, the GPV proof, which uses statistical distance to argue closeness of distributions, fails when applied naively to Falcon. Additional implementation-driven deviations from the GPV framework further invalidate the original proof, leaving Falcon without a security proof despite its selection for standardization. In this talk, I want to give an overview of our results which demonstrate that introducing a few minor, conservative modifications allows for the first formal proof of the scheme in the random oracle model. At the heart of our analysis lies an adaptation of the GPV framework to work with the Rényi divergence, along with an optimized method for parameter selection under this measure. Furthermore, we obtain a provable version of the GPV framework over NTRU rings. Unfortunately, our analysis shows that despite our modification of Falcon-512 and Falcon-1024 we do not achieve strong unforgeability for either scheme. For plain unforgeability we are able to show that our modifications to Falcon-512 barely satisfy the claimed 120-bit security target and for Falcon-1024 we confirm the claimed security level.
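The following is an added, self-contained illustration of the point the abstract makes about statistical distance versus Rényi divergence; it is not the speaker's code and not Falcon's reference implementation. It models an ideal centred discrete Gaussian sampler Q and an implemented sampler P whose standard deviation is off by a small relative error, then applies the two standard proof tools: the hybrid (statistical-distance) bound, which loses an additive q·Δ over q signing queries, and the Rényi bound, which combines probability preservation, P(E)^(α/(α-1)) ≤ R_α(P‖Q)·Q(E), with multiplicativity over independent samples. The error model, σ, ε, the truncation bound, the query count and the 120-bit target are all assumptions chosen so the contrast is visible; they are not Falcon's parameters.

```python
"""Statistical distance versus Renyi divergence for an imperfect Gaussian sampler.

Added example, not code from the talk or from the Falcon reference
implementation.  Q is an ideal centred discrete Gaussian over the integers
with standard deviation SIGMA; P models what an implementation actually
samples.  Modelling assumption: P is the same Gaussian with its standard
deviation off by a relative error EPS.  Both are truncated to [-TAIL, TAIL]
and renormalised.  All constants are illustrative, not Falcon parameters.
"""
import math

SIGMA = 1.5         # ideal standard deviation (assumption)
EPS = 1e-4          # relative error of the implemented sampler (assumption)
TAIL = 20           # support truncation bound (assumption)
QUERIES = 2**20     # signing queries granted to the forger (assumption)
TARGET_BITS = 120   # security assumed for the ideal-sampler scheme (assumption)


def discrete_gaussian(sigma, tail=TAIL):
    """PMF of the centred discrete Gaussian D_{Z,sigma} restricted to [-tail, tail]."""
    w = {x: math.exp(-x * x / (2.0 * sigma * sigma)) for x in range(-tail, tail + 1)}
    z = math.fsum(w.values())
    return {x: v / z for x, v in w.items()}


def statistical_distance(p, q):
    """Delta(P, Q) = (1/2) * sum_x |P(x) - Q(x)| over the common support."""
    return 0.5 * math.fsum(abs(p[x] - q[x]) for x in p)


def log_renyi(p, q, alpha):
    """ln R_alpha(P || Q) with R_alpha = (sum_x P(x)^alpha / Q(x)^(alpha-1))^(1/(alpha-1)).

    R is extremely close to 1 for a good sampler, so the sum is formed as
    1 + sum_x Q(x) * ((P(x)/Q(x))^alpha - 1) using expm1/log1p, which keeps
    the tiny deviation instead of rounding it away in double precision.
    """
    s = math.fsum(q[x] * math.expm1(alpha * math.log(p[x] / q[x])) for x in p)
    return math.log1p(s) / (alpha - 1.0)


def probability_preservation(p, q, alpha, event):
    """Return (lhs, rhs) of P(E)^(alpha/(alpha-1)) <= R_alpha(P||Q) * Q(E)."""
    pe = math.fsum(p[x] for x in p if event(x))
    qe = math.fsum(q[x] for x in q if event(x))
    return pe ** (alpha / (alpha - 1.0)), math.exp(log_renyi(p, q, alpha)) * qe


def sd_slack(delta, queries):
    """Hybrid argument over `queries` samples: |Adv_real - Adv_ideal| <= queries * Delta.

    When this is >= 1 the statistical-distance argument says nothing at all.
    """
    return queries * delta


def renyi_security_bits(log_r, alpha, queries, ideal_bits):
    """Security bits that survive in the real scheme under the Renyi argument.

    Probability preservation plus R_alpha(P^q || Q^q) = R_alpha(P || Q)^q gives
    Adv_real <= (Adv_ideal * R_alpha^queries)^((alpha-1)/alpha).
    Returns -log2 of that bound when Adv_ideal = 2^-ideal_bits.
    """
    ln_bound = (alpha - 1.0) / alpha * (-ideal_bits * math.log(2) + queries * log_r)
    return -ln_bound / math.log(2)


def compare(sigma=SIGMA, eps=EPS, queries=QUERIES, ideal_bits=TARGET_BITS, alphas=(2, 64)):
    """Evaluate both proof tools for the sampler model above."""
    q = discrete_gaussian(sigma)
    p = discrete_gaussian(sigma * (1.0 + eps))
    delta = statistical_distance(p, q)
    out = {"delta": delta, "sd_slack": sd_slack(delta, queries), "renyi": {}}
    for a in alphas:
        lr = log_renyi(p, q, a)
        out["renyi"][a] = {"log_r": lr, "bits": renyi_security_bits(lr, a, queries, ideal_bits)}
    return out


if __name__ == "__main__":
    r = compare()
    print(f"Delta(P,Q) = {r['delta']:.3e}; q*Delta = {r['sd_slack']:.1f} (vacuous if >= 1)")
    for a, v in r["renyi"].items():
        print(f"alpha={a:3d}: ln R = {v['log_r']:.3e}, surviving security = {v['bits']:.1f} bits")
```

With these illustrative constants the hybrid bound q·Δ is far above 1, so a statistical-distance argument would require a sampler roughly a million times more precise before it said anything, while the Rényi bound keeps almost all of the assumed 120 bits at α=64. The α=2 row shows the other half of the trade-off: a small order gives a tiny divergence but the exponent (α-1)/α halves the surviving security, which is why parameter selection under this measure has to balance α against the sampler's precision.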