146 research outputs found
Cryptography-Based Techniques for Privacy-Preserving Machine Learning: Approximate Homomorphic Encryption and Code-Based Cryptography
Doctoral dissertation (Ph.D.) -- Seoul National University Graduate School: College of Engineering, Department of Electrical and Computer Engineering, February 2021. Jong-Seon No.
In this dissertation, three main contributions are given: i) a protocol for privacy-preserving machine learning that uses network resources; ii) the development of approximate homomorphic encryption that achieves lower error and a high-precision bootstrapping algorithm without compromising performance or security; and iii) the cryptanalysis and modification of code-based cryptosystems, namely a cryptanalysis of the IKKR cryptosystems and a modification of pqsigRM, a digital signature scheme submitted to the post-quantum cryptography (PQC) standardization process of the National Institute of Standards and Technology (NIST).
The recent development of machine learning, cloud computing, and blockchain raises a new privacy problem: how can one outsource computation on confidential data? Moreover, as research on quantum computers shows success, the need for PQC is also emerging. Multi-party computation (MPC) is the class of cryptographic protocols that compute on data without revealing it. Since MPC is designed on top of homomorphic encryption (HE) and PQC, research on designing efficient and secure HE and PQC is actively being conducted.
First, I propose a protocol for privacy-preserving machine learning (PPML) that replaces the bootstrapping of homomorphic encryption with network resources. In general, an HE ciphertext supports only a limited depth of circuit, called the level of the ciphertext. Restoring the level of a ciphertext that has exhausted it, for example by homomorphic decryption, is called bootstrapping. Bootstrapping of homomorphic encryption is, in general, very expensive in time and space; however, deep computations such as deep learning require it. In this protocol, both the client's message and the servers' intermediate values are kept secure, while the client's computation and communication complexity remain light.
Second, I propose an improved bootstrapping algorithm for the CKKS scheme and a method to reduce the error introduced by homomorphic operations in the CKKS scheme. The Cheon-Kim-Kim-Song (CKKS) scheme (Asiacrypt '17) is one of the most prominent fully homomorphic encryption (FHE) schemes, as it efficiently handles encrypted real numbers, the usual data type for many applications such as machine learning. However, the precision drop due to error growth is a drawback of the CKKS scheme for data processing. I propose a method to achieve high-precision approximate FHE using the following two methods. First, I apply the signal-to-noise ratio (SNR) concept and propose methods to maximize the SNR by reordering homomorphic operations in the CKKS scheme. For that, the error variance, rather than the upper bound of the error, is minimized when we deal with the encrypted data. Second, from the same perspective of minimizing the error variance, I propose a new method to find approximate polynomials for the CKKS scheme. The approximation method is applied in particular to the bootstrapping of the CKKS scheme, where we achieve bootstrapping with a smaller error variance than the prior art. In addition to the above variance-minimizing method, I cast the problem of finding an approximate polynomial for modulus reduction as an L2-norm minimization problem. As a result, I find an approximate polynomial for the modulus reduction without going through the sine function, which otherwise acts as the upper bound for the polynomial approximation of the modulus reduction. Using the proposed method, the constraint q = O(m^{3/2}) is relaxed to O(m), and thus the level loss in bootstrapping can be reduced. The performance improvement of the proposed methods is verified by implementation on the HE libraries HEAAN and SEAL. The implementation shows that reordering homomorphic operations and using the proposed polynomial approximation improve the reliability of the CKKS scheme. Therefore, the quality of service of various applications using the proposed CKKS scheme, such as PPML, can be improved without compromising performance or security.
Finally, I propose an improved code-based signature scheme and a cryptanalysis of code-based cryptosystems. A novel code-based signature scheme with small parameters and an attack algorithm on recent code-based cryptosystems are presented in this dissertation. The scheme is based on a modified Reed-Muller (RM) code, which reduces the signing complexity and key size compared with existing code-based signature schemes. The proposed scheme retains the advantage of the pqsigRM decoder and uses public codes that are harder to distinguish from random codes. I use (U, U+V)-codes with a high-dimensional hull to overcome the disadvantages of code-based schemes. A decoder is proposed that efficiently samples coset elements of small Hamming weight for any given syndrome. The proposed signature scheme resists the known attacks on RM code-based cryptography. For 128 bits of classical security, the signature size is 4096 bits and the public key size is less than 1 MB. Recently, Ivanov, Kabatiansky, Krouk, and Rumenko (IKKR) proposed three new variants of the McEliece cryptosystem (CBCrypto 2020, affiliated with Eurocrypt 2020). This dissertation shows that one of the IKKR cryptosystems is equivalent to the McEliece cryptosystem. Furthermore, a polynomial-time attack algorithm for the other two IKKR cryptosystems is proposed. The proposed attack algorithm exploits the linearity of the IKKR cryptosystems. An implementation of the IKKR cryptosystems and of the proposed attack is also given. The proposed attack algorithm finds the plaintext within 0.2 s, which is faster than the time taken by legitimate decryption.
Abstract (in Korean; translated)
This dissertation contains three main contributions: i) a protocol that improves privacy-preserving deep learning by making use of the network; ii) a method for bootstrapping approximate homomorphic encryption with lower error and higher precision without sacrificing security or performance; and iii) methods of attacking code-based cryptosystems such as the IKKR cryptosystems and pqsigRM, together with an efficient code-based digital signature scheme.
With the recent development of machine learning and blockchain technology, a new security problem has emerged: how can computation on confidential data be outsourced? Moreover, as research on quantum computers continues to succeed, the need for post-quantum cryptography that resists attacks using them is also growing. Multi-party computation is the general term for cryptographic protocols that allow computation on data without revealing it. Since multi-party computation is based on homomorphic encryption and post-quantum cryptography, research on efficient homomorphic encryption and post-quantum cryptography is being actively pursued.
Homomorphic encryption is a special class of encryption algorithm that permits computation on encrypted data. In general, the depth of computation that can be performed on a homomorphic ciphertext is bounded, and this bound is called the level of the ciphertext. The process of restoring the level of a ciphertext that has used up its level is called bootstrapping. Bootstrapping is in general a very slow operation with large time and space complexity; however, when performing computations of large depth, such as deep learning, it is indispensable. This dissertation proposes a new protocol for privacy-preserving machine learning. In this protocol, the intermediate values of the neural network are protected along with the input message, while the user's communication and computation complexity are still kept low.
The cryptosystem proposed by Cheon, Kim, Kim, and Song (CKKS) (Asiacrypt '17) is the most prominent fully homomorphic encryption scheme, since it efficiently handles real numbers, the most widely used data type in machine learning. However, error amplification and propagation are the greatest weakness of the CKKS scheme. This dissertation proposes methods that use the following techniques to reduce the error of the CKKS scheme, and they generalize to approximate homomorphic encryption. First, the concept of the signal-to-noise ratio (SNR) is introduced, and the order of operations is rearranged so as to maximize the SNR. For this, the variance of the error rather than its maximum must be minimized and tracked. Second, from the same viewpoint of minimizing the error variance, a new polynomial approximation method is proposed. This approximation method is applied in particular to the bootstrapping of the CKKS scheme and achieves lower error than previous techniques. In addition, a method is proposed that recasts the problem of finding the approximate polynomial as an L2-norm minimization problem, which yields the approximate polynomial without introducing the sine function. Using the proposed method, the constraint q = O(m^{3/2}) can be relaxed to q = O(m), and the level consumption required for bootstrapping can be reduced. The performance improvement is demonstrated by implementations using homomorphic encryption libraries such as HEAAN and SEAL, which confirm that reordering operations and the new bootstrapping improve the performance of the CKKS scheme. Therefore, the quality of services that use approximate homomorphic encryption can be improved without compromising security or performance.
As efficient algorithms for attacking traditional public-key cryptography with quantum computers became known, the need for post-quantum cryptography grew. Code-based cryptography has been widely studied as post-quantum cryptography. A new code-based digital signature scheme with small key size and a method of attacking code-based cryptosystems are presented in this dissertation. The signature scheme is named pqsigRM. It uses modified Reed-Muller (RM) codes and greatly reduces the signing complexity and key size compared with previous techniques. pqsigRM gains a large advantage in signing by using (U, U+V)-codes with a high-dimensional hull and their decoding. This decoding algorithm returns an element of small Hamming weight for any given coset. Moreover, by using modified RM codes, it resists all known attacks. For 128-bit security, the signature size is 4096 bits and the public key size is less than 1 MB. Recently, Ivanov, Kabatiansky, Krouk, and Rumenko (IKKR) published three variants of the McEliece cryptosystem (CBCrypto 2020, held in conjunction with Eurocrypt 2020). This dissertation proves that one of the IKKR cryptosystems is equivalent to the McEliece cryptosystem, and proposes a polynomial-time attack on the remaining IKKR cryptosystems. The proposed attack exploits the linearity of the IKKR cryptosystems. The dissertation also includes an implementation of the proposed attack; the attack recovers the message within 0.2 seconds, which is faster than legitimate decryption.
Contents
Abstract i
Contents iv
List of Tables ix
List of Figures xi
1 Introduction 1
1.1 Homomorphic Encryption and Privacy-Preserving Machine Learning 4
1.2 High-Precision CKKS Scheme and Its Bootstrapping 5
1.2.1 Near-Optimal Bootstrapping of the CKKS Scheme Using Least Squares Method 6
1.2.2 Variance-Minimizing and Optimal Bootstrapping of the CKKS Scheme 8
1.3 Efficient Code-Based Signature Scheme and Cryptanalysis of the Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems 10
1.3.1 Modified pqsigRM: An Efficient Code-Based Signature Scheme 11
1.3.2 Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems and Its Equality 13
1.4 Organization of the Dissertation 14
2 Preliminaries 15
2.1 Basic Notation 15
2.2 Privacy-Preserving Machine Learning and Security Terms 16
2.2.1 Privacy-Preserving Machine Learning and Security Terms 16
2.2.2 Privacy-Preserving Machine Learning 17
2.3 The CKKS Scheme and Its Bootstrapping 18
2.3.1 The CKKS Scheme 18
2.3.2 CKKS Scheme in RNS 22
2.3.3 Bootstrapping of the CKKS Scheme 24
2.3.4 Statistical Characteristics of Modulus Reduction and Failure Probability of Bootstrapping of the CKKS Scheme 26
2.4 Approximate Polynomial and Signal-to-Noise Perspective for Approximate Homomorphic Encryption 27
2.4.1 Chebyshev Polynomials 27
2.4.2 Signal-to-Noise Perspective of the CKKS Scheme 28
2.5 Preliminary for Code-Based Cryptography 29
2.5.1 The McEliece Cryptosystem 29
2.5.2 CFS Signature Scheme 30
2.5.3 Reed-Muller Codes and Recursive Decoding 31
2.5.4 IKKR Cryptosystems 33
3 Privacy-Preserving Machine Learning via FHE Without Bootstrapping 37
3.1 Introduction 37
3.2 Information Theoretic Secrecy and HE for Privacy-Preserving Machine Learning 38
3.2.1 The Failure Probability of Ordinary CKKS Bootstrapping 39
3.3 Comparison With Existing Methods 43
3.3.1 Comparison With the Hybrid Method 43
3.3.2 Comparison With FHE Method 44
3.4 Comparison for Evaluating Neural Network 45
4 High-Precision Approximate Homomorphic Encryption and Its Bootstrapping by Error Variance Minimization and Convex Optimization 50
4.1 Introduction 50
4.2 Optimization of Error Variance in the Encrypted Data 51
4.2.1 Tagged Information for Ciphertext 52
4.2.2 Worst-Case Assumption 53
4.2.3 Error in Homomorphic Operations of the CKKS Scheme 54
4.2.4 Reordering Homomorphic Operations 59
4.3 Near-Optimal Polynomial for Modulus Reduction 66
4.3.1 Approximate Polynomial Using L2-Norm optimization 66
4.3.2 Efficient Homomorphic Evaluation of the Approximate Polynomial 70
4.4 Optimal Approximate Polynomial and Bootstrapping of the CKKS Scheme 73
4.4.1 Polynomial Basis Error and Polynomial Evaluation in the CKKS Scheme 73
4.4.2 Variance-Minimizing Polynomial Approximation 74
4.4.3 Optimal Approximate Polynomial for Bootstrapping and Magnitude of Its Coefficients 75
4.4.4 Reducing Complexity and Error Using Odd Function 79
4.4.5 Generalization of Weight Constants and Numerical Method 80
4.5 Comparison and Implementation 84
4.6 Reduction of Level Loss in Bootstrapping 89
4.7 Implementation of the Proposed Method and Performance Comparison 92
4.7.1 Error Variance Minimization 92
4.7.2 Weight Constant and Minimum Error Variance 93
4.7.3 Comparison of the Proposed Method With the Previous Methods 96
5 Efficient Code-Based Signature Scheme and Cryptanalysis of Code-Based Cryptosystems 104
5.1 Introduction 104
5.2 Modified Reed-Muller Codes and Proposed Signature Scheme 105
5.2.1 Partial Permutation of Generator Matrix and Modified Reed-Muller Codes 105
5.2.2 Decoding of Modified Reed-Muller Codes 108
5.2.3 Proposed Signature Scheme 110
5.3 Security Analysis of Modified pqsigRM 111
5.3.1 Decoding One Out of Many 112
5.3.2 Security Against Key Substitution Attacks 114
5.3.3 EUF-CMA Security 114
5.4 Indistinguishability of the Public Code and Signature 120
5.4.1 Modifications of Public Code 121
5.4.2 Public Code Indistinguishability 124
5.4.3 Signature Leaks 126
5.5 Parameter Selection 126
5.5.1 Parameter Sets 126
5.5.2 Statistical Analysis for Determining Number of Partial Permutations 128
5.6 Equivalence of the Prototype IKKR and the McEliece Cryptosystems 131
5.7 Cryptanalysis of the IKKR Cryptosystems 133
5.7.1 Linearity of Two Variants of IKKR Cryptosystems 133
5.7.2 The Attack Algorithm 134
5.7.3 Implementation 135
6 Conclusion 139
6.1 Privacy-Preserving Machine Learning Without Bootstrapping 139
6.2 Variance-Minimization in the CKKS Scheme 140
6.3 L2-Norm Minimization for the Bootstrapping of the CKKS Scheme 141
6.4 Modified pqsigRM: RM Code-Based Signature Scheme 142
6.5 Cryptanalysis of the IKKR Cryptosystem 143
Abstract (In Korean) 155
Acknowledgement 158
"Once Upon a Place": Compute Your Meeting Location Privately
Popular services such as Doodle Mobile and Tymelie are extremely useful planning tools that enable mobile-phone users to determine common meeting time(s) for events. Similar planning tools for determining optimal meeting locations, based on the location preferences of the users, are highly desirable for event planning and management in popular mobile-phone applications such as taxi sharing, route planning, and mobile participatory sensing. Yet they have received very little attention from researchers. An important, and often overlooked, facet of such planning applications is the privacy of the participating users and their preferences: users want to agree on a meeting location without necessarily revealing their location preferences to the service provider or to the other users. In this paper, we address the problem of privacy-preserving optimal meeting-location computation, focusing especially on its applicability to current mobile devices and applications. We first define the notion of privacy in such computations. Second, we model the problem of optimal meeting-location computation as a privacy-preserving k-center problem and design two solutions; both take advantage of the homomorphic properties of the well-known Boneh-Goh-Nissim, ElGamal, and Paillier cryptosystems in order to perform oblivious computations. Third, we implement the proposed solutions on a testbed of latest-generation Nokia mobile devices and study their performance. Finally, we assess the utility and expectations, in terms of privacy and usability, of the proposed solutions by means of a targeted survey and user study of mobile-phone users.
DISTRIBUTED LEARNING ALGORITHMS: COMMUNICATION EFFICIENCY AND ERROR RESILIENCE
In modern-day machine learning applications such as self-driving cars, recommender systems, robotics, genetics, etc., the size of the training data has grown to the point that it has become essential to design distributed learning algorithms. A general framework for distributed learning is \emph{data parallelism}, where the data is distributed among the \emph{worker machines} for parallel processing and computation to speed up learning. With billions of devices such as cellphones, computers, etc., the data is inherently distributed and stored locally on users' devices. Learning in this setup is popularly known as \emph{Federated Learning}. The speed-up due to the distributed framework is hindered by some fundamental problems such as straggler workers, the communication bottleneck due to high communication overhead between workers and the central server, and adversarial failure, popularly known as \emph{Byzantine failure}. In this thesis, we study and develop distributed algorithms that are error resilient and communication efficient.
First, we address the problem of straggler workers, where learning is delayed by slow workers in the distributed setup. To mitigate the effect of the stragglers, we employ an \textbf{LDPC} (low-density parity-check) code to encode the data and implement the gradient descent algorithm in the distributed setup. Second, we present a family of vector quantization schemes, \emph{vqSGD} (vector quantized Stochastic Gradient Descent), that provides an asymptotic reduction in the communication cost with convergence guarantees for first-order distributed optimization. We also show that \emph{vqSGD} provides a strong privacy guarantee. Third, we address the problem of Byzantine failure together with communication efficiency in the first-order gradient descent algorithm. We consider a generic class of -approximate compressors for communication efficiency and employ a simple \emph{norm-based thresholding} scheme to make the learning algorithm robust to Byzantine failures. We establish the statistical error rate for non-convex smooth loss. Moreover, we analyze the compressed gradient descent algorithm with error feedback in a distributed setting and in the presence of Byzantine worker machines. Fourth, we employ the generic class of -approximate compressors to develop a communication-efficient second-order Newton-type algorithm and provide its rate of convergence for smooth objectives. Fifth, we propose \textbf{COMRADE} (COMmunication-efficient and Robust Approximate Distributed nEwton), an iterative second-order algorithm that is communication efficient as well as robust against Byzantine failures. Sixth, we propose a distributed \emph{cubic-regularized Newton} algorithm that can effectively escape saddle points for non-convex loss functions and find a local minimum. Furthermore, the proposed algorithm can resist attacks by Byzantine machines, which may create \emph{fake local minima} near the saddle points of the loss function, also known as a saddle-point attack.
Set-valued Data: Regression, Design and Outliers
The focus of this dissertation is to study set-valued data from three aspects, namely regression, optimal design and outlier identification. This dissertation consists of three peer-reviewed published articles, each of them addressing one aspect. Their titles and abstracts are listed below:
1. Local regression smoothers with set-valued outcome data:
This paper proposes a method to conduct local linear regression smoothing in the presence of set-valued outcome data. The proposed estimator is shown to be consistent, and its mean squared error and asymptotic distribution are derived. A method to build error tubes around the estimator is provided, and a small Monte Carlo exercise is conducted to confirm the good finite sample properties of the estimator. The usefulness of the method is illustrated on a novel dataset from a clinical trial to assess the effect of certain genes' expressions on different lung cancer treatment outcomes.
2. Optimal design for multivariate multiple linear regression with set-identified response:
We consider the partially identified regression model with set-identified responses, where the estimator is the set of the least squares estimators obtained for all possible choices of points sampled from set-identified observations. We address the issue of determining the optimal design for this case and show that, for objective functions mimicking those for several classical optimal designs, their set-identified analogues coincide with the optimal designs for point-identified real-valued responses.
3. Depth and outliers for samples of sets and random sets distributions:
We suggest several constructions suitable to define the depth of set-valued observations with respect to a sample of convex sets or with respect to the distribution of a random closed convex set. With the concept of a depth, it is possible to determine if a given convex set should be regarded as an outlier with respect to a sample of convex closed sets. Some of our constructions are motivated by the known concepts of half-space depth and band depth for function-valued data. A novel construction derives the depth from a family of non-linear expectations of random sets. Furthermore, we address the role of positions of sets for evaluation of their depth. Two case studies concern interval regression for Greek wine data and detection of outliers in a sample of particles.
On constructions of quantum-secure device-independent randomness expansion protocols
Device-independent randomness expansion protocols aim to expand a short uniformly random string into a much longer one whilst guaranteeing that their output is truly random. They are device-independent in the sense that this guarantee does not depend on the specifics of an implementation. Rather, through the observation of nonlocal correlations we can conclude that the outputs generated are necessarily random. This thesis reports a general method for constructing these protocols and evaluating their security. Using this method, we then construct several explicit protocols and analyse their performance on noisy qubit systems. With a view towards near-future quantum technologies, we also investigate whether randomness expansion is possible using current nonlocality experiments. We find that, by combining the recent theoretical and experimental advances, it is indeed now possible to reliably and securely expand randomness.
A Survey on Quantum Channel Capacities
Quantum information processing exploits the quantum nature of information. It
offers fundamentally new solutions in the field of computer science and extends
the possibilities to a level that cannot be imagined in classical communication
systems. For quantum communication channels, many new capacity definitions were
developed in comparison to classical counterparts. A quantum channel can be
used to realize classical information transmission or to deliver quantum
information, such as quantum entanglement. Here we review the properties of the
quantum communication channel, the various capacity measures and the
fundamental differences between the classical and quantum channels.
Comment: 58 pages. Journal-ref: IEEE Communications Surveys and Tutorials (2018) (updated & improved version of arXiv:1208.1270)