544 research outputs found
A Non-commutative Cryptosystem Based on Quaternion Algebras
We propose BQTRU, a non-commutative NTRU-like cryptosystem over quaternion
algebras. This cryptosystem uses bivariate polynomials as the underling ring.
The multiplication operation in our cryptosystem can be performed with high
speed using quaternions algebras over finite rings. As a consequence, the key
generation and encryption process of our cryptosystem is faster than NTRU in
comparable parameters. Typically using Strassen's method, the key generation
and encryption process is approximately times faster than NTRU for an
equivalent parameter set. Moreover, the BQTRU lattice has a hybrid structure
that makes inefficient standard lattice attacks on the private key. This
entails a higher computational complexity for attackers providing the
opportunity of having smaller key sizes. Consequently, in this sense, BQTRU is
more resistant than NTRU against known attacks at an equivalent parameter set.
Moreover, message protection is feasible through larger polynomials and this
allows us to obtain the same security level as other NTRU-like cryptosystems
but using lower dimensions.Comment: Submitted for possible publicatio
A Subfield Lattice Attack on Overstretched NTRU Assumptions:Cryptanalysis of Some FHE and Graded Encoding Schemes
International audienc
A Survey on Homomorphic Encryption Schemes: Theory and Implementation
Legacy encryption systems depend on sharing a key (public or private) among
the peers involved in exchanging an encrypted message. However, this approach
poses privacy concerns. Especially with popular cloud services, the control
over the privacy of the sensitive data is lost. Even when the keys are not
shared, the encrypted material is shared with a third party that does not
necessarily need to access the content. Moreover, untrusted servers, providers,
and cloud operators can keep identifying elements of users long after users end
the relationship with the services. Indeed, Homomorphic Encryption (HE), a
special kind of encryption scheme, can address these concerns as it allows any
third party to operate on the encrypted data without decrypting it in advance.
Although this extremely useful feature of the HE scheme has been known for over
30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE)
scheme, which allows any computable function to perform on the encrypted data,
was introduced by Craig Gentry in 2009. Even though this was a major
achievement, different implementations so far demonstrated that FHE still needs
to be improved significantly to be practical on every platform. First, we
present the basics of HE and the details of the well-known Partially
Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which
are important pillars of achieving FHE. Then, the main FHE families, which have
become the base for the other follow-up FHE schemes are presented. Furthermore,
the implementations and recent improvements in Gentry-type FHE schemes are also
surveyed. Finally, further research directions are discussed. This survey is
intended to give a clear knowledge and foundation to researchers and
practitioners interested in knowing, applying, as well as extending the state
of the art HE, PHE, SWHE, and FHE systems.Comment: - Updated. (October 6, 2017) - This paper is an early draft of the
survey that is being submitted to ACM CSUR and has been uploaded to arXiv for
feedback from stakeholder
An Advanced Quantum-Resistant Signature Scheme for Cloud Based on Eisenstein Ring
The authors wish to express their appreciation to the reviewers for their helpful suggestions which greatly improved the presentation of this paper. This work was supported by the Major Program of National Natural Science Foundation of China (11290141).Peer reviewe
Message Recovery Attack in NTRU through VFK Lattices
In the present paper, we implement a message recovery attack to all variants
of the NTRU cryptosystem. Our approach involves a reduction from the
NTRU-lattice to a Voronoi First Kind lattice, enabling the application of a
polynomial CVP exact algorithm crucial for executing the Message Recovery. The
efficacy of our attack relies on a specific oracle that permits us to
approximate an unknown quantity. Furthermore, we outline the mathematical
conditions under which the attack is successful. Finally, we delve into a
well-established polynomial algorithm for CVP on VFK lattices and its
implementation, shedding light on its efficacy in our attack. Subsequently, we
present comprehensive experimental results on the NTRU-HPS and the NTRU-Prime
variants of the NIST submissions and propose a method that could indicate the
resistance of the NTRU cryptosystem to our attack
An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices
In this paper, we study the Learning With Errors problem and its binary
variant, where secrets and errors are binary or taken in a small interval. We
introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on
a quantization step that generalizes and fine-tunes modulus switching. In
general this new technique yields a significant gain in the constant in front
of the exponent in the overall complexity. We illustrate this by solving p
within half a day a LWE instance with dimension n = 128, modulus ,
Gaussian noise and binary secret, using
samples, while the previous best result based on BKW claims a time
complexity of with samples for the same parameters. We then
introduce variants of BDD, GapSVP and UniqueSVP, where the target point is
required to lie in the fundamental parallelepiped, and show how the previous
algorithm is able to solve these variants in subexponential time. Moreover, we
also show how the previous algorithm can be used to solve the BinaryLWE problem
with n samples in subexponential time . This
analysis does not require any heuristic assumption, contrary to other algebraic
approaches; instead, it uses a variant of an idea by Lyubashevsky to generate
many samples from a small number of samples. This makes it possible to
asymptotically and heuristically break the NTRU cryptosystem in subexponential
time (without contradicting its security assumption). We are also able to solve
subset sum problems in subexponential time for density , which is of
independent interest: for such density, the previous best algorithm requires
exponential time. As a direct application, we can solve in subexponential time
the parameters of a cryptosystem based on this problem proposed at TCC 2010.Comment: CRYPTO 201
์ก์ํค๋ฅผ ๊ฐ์ง๋ ์ ์๊ธฐ๋ฐ ๋ํ์ํธ์ ๊ดํ ์ฐ๊ตฌ
ํ์๋
ผ๋ฌธ(๋ฐ์ฌ)--์์ธ๋ํ๊ต ๋ํ์ :์์ฐ๊ณผํ๋ํ ์๋ฆฌ๊ณผํ๋ถ,2020. 2. ์ฒ์ ํฌ.ํด๋ผ์ฐ๋ ์์ ๋ฐ์ดํฐ ๋ถ์ ์์ ์๋๋ฆฌ์ค๋ ๋ํ์ํธ์ ๊ฐ์ฅ ํจ๊ณผ์ ์ธ ์์ฉ ์๋๋ฆฌ์ค ์ค ํ๋์ด๋ค. ๊ทธ๋ฌ๋, ๋ค์ํ ๋ฐ์ดํฐ ์ ๊ณต์์ ๋ถ์๊ฒฐ๊ณผ ์๊ตฌ์๊ฐ ์กด์ฌํ๋ ์ค์ ํ์ค์ ๋ชจ๋ธ์์๋ ๊ธฐ๋ณธ์ ์ธ ์๋ณตํธํ์ ๋ํ ์ฐ์ฐ ์ธ์๋ ์ฌ์ ํ ํด๊ฒฐํด์ผ ํ ๊ณผ์ ๋ค์ด ๋จ์์๋ ์ค์ ์ด๋ค. ๋ณธ ํ์๋
ผ๋ฌธ์์๋ ์ด๋ฌํ ๋ชจ๋ธ์์ ํ์ํ ์ฌ๋ฌ ์๊ตฌ์ฌํญ๋ค์ ํฌ์ฐฉํ๊ณ , ์ด์ ๋ํ ํด๊ฒฐ๋ฐฉ์์ ๋
ผํ์๋ค.
๋จผ์ , ๊ธฐ์กด์ ์๋ ค์ง ๋ํ ๋ฐ์ดํฐ ๋ถ์ ์๋ฃจ์
๋ค์ ๋ฐ์ดํฐ ๊ฐ์ ์ธต์๋ ์์ค์ ๊ณ ๋ คํ์ง ๋ชปํ๋ค๋ ์ ์ ์ฐฉ์ํ์ฌ, ์ ์๊ธฐ๋ฐ ์ํธ์ ๋ํ์ํธ๋ฅผ ๊ฒฐํฉํ์ฌ ๋ฐ์ดํฐ ์ฌ์ด์ ์ ๊ทผ ๊ถํ์ ์ค์ ํ์ฌ ํด๋น ๋ฐ์ดํฐ ์ฌ์ด์ ์ฐ์ฐ์ ํ์ฉํ๋ ๋ชจ๋ธ์ ์๊ฐํ์๋ค. ๋ํ ์ด ๋ชจ๋ธ์ ํจ์จ์ ์ธ ๋์์ ์ํด์ ๋ํ์ํธ ์นํ์ ์ธ ์ ์๊ธฐ๋ฐ ์ํธ์ ๋ํ์ฌ ์ฐ๊ตฌํ์๊ณ , ๊ธฐ์กด์ ์๋ ค์ง NTRU ๊ธฐ๋ฐ์ ์ํธ๋ฅผ ํ์ฅํ์ฌ module-NTRU ๋ฌธ์ ๋ฅผ ์ ์ํ๊ณ ์ด๋ฅผ ๊ธฐ๋ฐ์ผ๋ก ํ ์ ์๊ธฐ๋ฐ ์ํธ๋ฅผ ์ ์ํ์๋ค.
๋์งธ๋ก, ๋ํ์ํธ์ ๋ณตํธํ ๊ณผ์ ์๋ ์ฌ์ ํ ๋น๋ฐํค๊ฐ ๊ด์ฌํ๊ณ ์๊ณ , ๋ฐ๋ผ์ ๋น๋ฐํค ๊ด๋ฆฌ ๋ฌธ์ ๊ฐ ๋จ์์๋ค๋ ์ ์ ํฌ์ฐฉํ์๋ค. ์ด๋ฌํ ์ ์์ ์์ฒด์ ๋ณด๋ฅผ ํ์ฉํ ์ ์๋ ๋ณตํธํ ๊ณผ์ ์ ๊ฐ๋ฐํ์ฌ ํด๋น ๊ณผ์ ์ ๋ํ์ํธ ๋ณตํธํ์ ์ ์ฉํ์๊ณ , ์ด๋ฅผ ํตํด ์๋ณตํธํ์ ๋ํ ์ฐ์ฐ์ ์ ๊ณผ์ ์ ์ด๋ ๊ณณ์๋ ํค๊ฐ ์ ์ฅ๋์ง ์์ ์ํ๋ก ์ํํ ์ ์๋ ์ํธ์์คํ
์ ์ ์ํ์๋ค.
๋ง์ง๋ง์ผ๋ก, ๋ํ์ํธ์ ๊ตฌ์ฒด์ ์ธ ์์ ์ฑ ํ๊ฐ ๋ฐฉ๋ฒ์ ๊ณ ๋ คํ์๋ค. ์ด๋ฅผ ์ํด ๋ํ์ํธ๊ฐ ๊ธฐ๋ฐํ๊ณ ์๋ ์ด๋ฅธ๋ฐ Learning With Errors (LWE) ๋ฌธ์ ์ ์ค์ ์ ์ธ ๋ํด์ฑ์ ๋ฉด๋ฐํ ๋ถ์ํ์๊ณ , ๊ทธ ๊ฒฐ๊ณผ ๊ธฐ์กด์ ๊ณต๊ฒฉ ์๊ณ ๋ฆฌ์ฆ๋ณด๋ค ํ๊ท ์ ์ผ๋ก 1000๋ฐฐ ์ด์ ๋น ๋ฅธ ๊ณต๊ฒฉ ์๊ณ ๋ฆฌ์ฆ๋ค์ ๊ฐ๋ฐํ์๋ค. ์ด๋ฅผ ํตํด ํ์ฌ ์ฌ์ฉํ๊ณ ์๋ ๋ํ์ํธ ํ๋ผ๋ฏธํฐ๊ฐ ์์ ํ์ง ์์์ ๋ณด์๊ณ , ์๋ก์ด ๊ณต๊ฒฉ ์๊ณ ๋ฆฌ์ฆ์ ํตํ ํ๋ผ๋ฏธํฐ ์ค์ ๋ฐฉ๋ฒ์ ๋ํด์ ๋
ผํ์๋ค.Secure data analysis delegation on cloud is one of the most powerful application that homomorphic encryption (HE) can bring. As the technical level of HE arrive at practical regime, this model is also being considered to be a more serious and realistic paradigm. In this regard, this increasing attention requires more versatile and secure model to deal with much complicated real world problems.
First, as real world modeling involves a number of data owners and clients, an authorized control to data access is still required even for HE scenario. Second, we note that although homomorphic operation requires no secret key, the decryption requires the secret key. That is, the secret key management concern still remains even for HE. Last, in a rather fundamental view, we thoroughly analyze the concrete hardness of the base problem of HE, so-called Learning With Errors (LWE). In fact, for the sake of efficiency, HE exploits a weaker variant of LWE whose security is believed not fully understood.
For the data encryption phase efficiency, we improve the previously suggested NTRU-lattice ID-based encryption by generalizing the NTRU concept into module-NTRU lattice. Moreover, we design a novel method that decrypts the resulting ciphertext with a noisy key. This enables the decryptor to use its own noisy source, in particular biometric, and hence fundamentally solves the key management problem. Finally, by considering further improvement on existing LWE solving algorithms, we propose new algorithms that shows much faster performance. Consequently, we argue that the HE parameter choice should be updated regarding our attacks in order to maintain the currently claimed security level.1 Introduction 1
1.1 Access Control based on Identity 2
1.2 Biometric Key Management 3
1.3 Concrete Security of HE 3
1.4 List of Papers 4
2 Background 6
2.1 Notation 6
2.2 Lattices 7
2.2.1 Lattice Reduction Algorithm 7
2.2.2 BKZ cost model 8
2.2.3 Geometric Series Assumption (GSA) 8
2.2.4 The Nearest Plane Algorithm 9
2.3 Gaussian Measures 9
2.3.1 Kullback-Leibler Divergence 11
2.4 Lattice-based Hard Problems 12
2.4.1 The Learning With Errors Problem 12
2.4.2 NTRU Problem 13
2.5 One-way and Pseudo-random Functions 14
3 ID-based Data Access Control 16
3.1 Module-NTRU Lattices 16
3.1.1 Construction of MNTRU lattice and trapdoor 17
3.1.2 Minimize the Gram-Schmidt norm 22
3.2 IBE-Scheme from Module-NTRU 24
3.2.1 Scheme Construction 24
3.2.2 Security Analysis by Attack Algorithms 29
3.2.3 Parameter Selections 31
3.3 Application to Signature 33
4 Noisy Key Cryptosystem 36
4.1 Reusable Fuzzy Extractors 37
4.2 Local Functions 40
4.2.1 Hardness over Non-uniform Sources 40
4.2.2 Flipping local functions 43
4.2.3 Noise stability of predicate functions: Xor-Maj 44
4.3 From Pseudorandom Local Functions 47
4.3.1 Basic Construction: One-bit Fuzzy Extractor 48
4.3.2 Expansion to multi-bit Fuzzy Extractor 50
4.3.3 Indistinguishable Reusability 52
4.3.4 One-way Reusability 56
4.4 From Local One-way Functions 59
5 Concrete Security of Homomorphic Encryption 63
5.1 Albrecht's Improved Dual Attack 64
5.1.1 Simple Dual Lattice Attack 64
5.1.2 Improved Dual Attack 66
5.2 Meet-in-the-Middle Attack on LWE 69
5.2.1 Noisy Collision Search 70
5.2.2 Noisy Meet-in-the-middle Attack on LWE 74
5.3 The Hybrid-Dual Attack 76
5.3.1 Dimension-error Trade-o of LWE 77
5.3.2 Our Hybrid Attack 79
5.4 The Hybrid-Primal Attack 82
5.4.1 The Primal Attack on LWE 83
5.4.2 The Hybrid Attack for SVP 86
5.4.3 The Hybrid-Primal attack for LWE 93
5.4.4 Complexity Analysis 96
5.5 Bit-security estimation 102
5.5.1 Estimations 104
5.5.2 Application to PKE 105
6 Conclusion 108
Abstract (in Korean) 120Docto
- โฆ