11 research outputs found

    Cryptanalysis of the Co-ACD Assumption

    At ACM-CCS 2014, Cheon, Lee and Seo introduced a new number-theoretic assumption, the co-approximate common divisor (Co-ACD) assumption, based on which they constructed several cryptographic primitives, including a particularly fast additively homomorphic encryption scheme. For their proposed parameters, they found that their scheme was the “most efficient of those that support an additive homomorphic property”. In this paper, we analyze the security of the Cheon-Lee-Seo (CLS) homomorphic encryption scheme and of the underlying Co-ACD assumption, and present several lattice-based attacks that are effectively devastating for the proposed constructions. First, we prove that a few known plaintexts are sufficient to decrypt any ciphertext in the symmetric-key CLS scheme. This breaks the one-wayness of both the symmetric-key and the public-key variants of CLS encryption as well as the underlying decisional Co-ACD assumption for a very wide range of parameters. Then, we show that this attack can be heuristically extended to decrypt small messages without any known plaintext. Finally, we find that Coppersmith's theorem can even be used to solve the search variant of the Co-ACD problem, and mount a full key recovery on the public-key CLS scheme. Concretely, the parameters proposed by Cheon et al., originally aiming at 128-bit security, can be broken in a matter of seconds. And while it is possible to select parameters outside of the range in which our attacks run in polynomial time, they have to be so large as to render the proposed constructions severely uncompetitive (e.g. our asymptotic estimates indicate that 128 bits of security against our attacks require a modulus of at least 400,000 bits).

    Homomorphic Encryption and Cryptanalysis of Lattice Cryptography

    The vast amount of personal data being collected and analyzed through internet-connected devices is vulnerable to theft and misuse. Modern cryptography presents several powerful techniques that can help to solve the puzzle of how to harness data for use while at the same time protecting it. One such technique is homomorphic encryption, which allows computations to be done on data while it is still encrypted. The question of security for homomorphic encryption relates to the broader field of lattice cryptography, one of the main areas of cryptography that promises to be secure even against quantum computers. In this dissertation, we touch on several aspects of homomorphic encryption and its security based on lattice cryptography. Our main contributions are: 1. proving some heuristics that are used in major results in the literature for controlling the error size in bootstrapping for fully homomorphic encryption; 2. presenting a new fully homomorphic encryption scheme that supports k-bit arbitrary operations and achieves an asymptotic ciphertext expansion of one; 3. thoroughly studying certain attacks against the Ring Learning with Errors problem; 4. precisely characterizing the performance of an algorithm for solving the Approximate Common Divisor problem.

    Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR

    The LWE problem has been widely used in many constructions for post-quantum cryptography due to its strong security reduction from worst-case lattice problems and its lightweight operations. PKE schemes based on the LWE problem have simple and fast decryption, but the encryption phase is rather slow, either because of the large parameter sizes required by the leftover hash lemma or because of expensive Gaussian sampling. In this paper, we propose a novel PKE scheme, called Lizard, that relies on neither. The encryption procedure of Lizard first combines several LWE samples as in previous LWE-based PKEs, but the following step, which re-randomizes this combination before adding a plaintext, is different: it removes several least significant bits of each component of the computed vector rather than adding an auxiliary error vector. Lizard is IND-CPA secure under the hardness assumptions of the LWE and LWR problems, and its variant achieves IND-CCA security in the quantum random oracle model. Our approach substantially accelerates encryption and also reduces the size of ciphertexts, so Lizard is very competitive for applications requiring fast encryption and decryption. In our single-core implementation on a laptop, the encryption and decryption of IND-CCA Lizard with a 256-bit plaintext space at 128-bit quantum security take 0.014 and 0.027 milliseconds respectively, which is comparable to NTRU. To achieve these results, we further exploit sparse small secrets.
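The rounding step the abstract describes, as an added toy example written for this listing (it is not Lizard's own code or parameter set): the public key is an LWE instance (A, b = As + e mod q), encryption combines rows of it with a sparse ternary vector r and then, instead of adding a fresh error vector, drops the low bits of every coordinate by rounding from Z_q down to Z_p. The dimensions, the moduli q = 4096 and p = 256, the weight-32 sparse secrets and the bounded error distribution are assumptions chosen only so that the decryption noise bound fits in one function; they carry no security. The IND-CCA variant is not reproduced.

```python
import random

# Toy parameters (assumed for illustration; far too small to be secure).
N_DIM, M_DIM, Q_MOD, P_MOD, WEIGHT = 64, 128, 4096, 256, 32


def sparse_ternary(length, weight, rng):
    """Vector in {-1,0,1}^length with exactly `weight` nonzero entries."""
    vec = [0] * length
    for i in rng.sample(range(length), weight):
        vec[i] = rng.choice((-1, 1))
    return vec


def round_q_to_p(x, q, p):
    """LWR rounding: round(p*x/q) mod p, i.e. discard the low log2(q/p) bits of x."""
    return ((x * p + q // 2) // q) % p


def keygen(seed, n=N_DIM, m=M_DIM, q=Q_MOD, p=P_MOD, h=WEIGHT):
    """LWE key pair: pk = (A, b = A*s + e mod q), sk = s (sparse ternary, weight h)."""
    rng = random.Random(seed)
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    s = sparse_ternary(n, h, rng)
    e = [rng.choice((-2, -1, 0, 1, 2)) for _ in range(m)]  # bounded error (assumed)
    b = [(sum(a * si for a, si in zip(row, s)) + ei) % q for row, ei in zip(A, e)]
    return {"A": A, "b": b, "s": s, "n": n, "m": m, "q": q, "p": p, "h": h, "rng": rng}


def encrypt(ctx, bit):
    """Combine LWE samples with a sparse r, then re-randomise by rounding, not by adding error."""
    A, b, q, p = ctx["A"], ctx["b"], ctx["q"], ctx["p"]
    r = sparse_ternary(ctx["m"], ctx["h"], ctx["rng"])
    nz = [(i, ri) for i, ri in enumerate(r) if ri]                          # only h rows matter
    v = [sum(ri * A[i][j] for i, ri in nz) % q for j in range(ctx["n"])]   # r^T A mod q
    w = (sum(ri * b[i] for i, ri in nz) + bit * (q // 2)) % q              # r^T b + bit*q/2 mod q
    return [round_q_to_p(x, q, p) for x in v], round_q_to_p(w, q, p)


def decrypt(ctx, ct):
    """c2 - <c1, s> mod p lands near 0 for bit 0 and near p/2 for bit 1."""
    c1, c2 = ct
    p = ctx["p"]
    t = (c2 - sum(ci * si for ci, si in zip(c1, ctx["s"]))) % p
    return 1 if p // 4 <= t < 3 * p // 4 else 0


def noise_bound(ctx):
    """Worst-case |decryption noise| in Z_p: (p/q)*|<r,e>| plus rounding error (1+h)/2.
    Decryption is correct whenever this is below p/4."""
    q, p, h = ctx["q"], ctx["p"], ctx["h"]
    return p * 2 * h / q + (1 + h) / 2


if __name__ == "__main__":
    ctx = keygen(seed=1)
    assert noise_bound(ctx) < ctx["p"] / 4
    print(all(decrypt(ctx, encrypt(ctx, bit)) == bit for bit in [0, 1] * 10))
```

Note where the error comes from: w - <v, s> = <r, e> + bit*q/2 exactly, so the only noise terms are the LWE error weighted by r and the rounding error weighted by s; both are small precisely because r and s are sparse, which is the "sparse small secrets" point at the end of the abstract.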

    Algorithms for CRT-variant of Approximate Greatest Common Divisor Problem

    The approximate greatest common divisor problem (ACD) and its variants have been used to construct many cryptographic primitives. In particular, variants of the ACD problem based on the Chinese remainder theorem (CRT) are exploited in the construction of a batch fully homomorphic encryption scheme that encrypts multiple messages in one ciphertext. Despite the utility of the CRT-variant scheme, the algorithms for solving its security foundation have not been studied as well as those for the original ACD-based scheme. In this paper, we propose two algorithms for solving the CCK-ACD problem, which is used to construct a batch fully homomorphic encryption scheme over the integers. To achieve this, we revisit the orthogonal lattice attack and the simultaneous Diophantine approximation algorithm. Both algorithms take time $2^{\tilde{O}(\gamma/(\eta-\rho)^2)}$, up to a polynomial factor, to solve the CCK-ACD problem, where $\gamma$ is the bit size of the samples, $\eta$ that of the secret primes, and $\rho$ that of the error bound. Compared to Chen and Nguyen's algorithm from Eurocrypt 2012, which takes $\tilde{O}(2^{\rho/2})$ time, our algorithm gives the first parameter condition involving the sizes of $\eta$ and $\gamma$. We also report experimental results for our attack on several parameter sets. From the results, we can see that our algorithms work well both in theory and in practice.
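To make the simultaneous Diophantine approximation (SDA) approach concrete, here is an added example written for this listing, not code from this paper or from the dissertation entry above: it solves the plain ACD problem that both entries build on (one secret p, samples x_i = p q_i + r_i), not the CCK-ACD variant with several primes. The basis construction is the standard SDA lattice; the exact-rational LLL, the instance generator and the sizes (γ = 60, η = 40, ρ = 4, five samples) are assumptions chosen so the reduction finishes in well under a second, and they are far below any cryptographic size.

```python
import random
from fractions import Fraction


def lll_reduce(basis, delta=Fraction(3, 4)):
    """Textbook LLL over exact rationals (adequate for the handful of dimensions used here)."""
    b = [list(row) for row in basis]
    n = len(b)

    def dot(u, v):
        return sum(x * y for x, y in zip(u, v))

    def gram_schmidt():
        bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
        for i in range(n):
            v = [Fraction(x) for x in b[i]]
            for j in range(i):
                mu[i][j] = Fraction(dot(b[i], bstar[j])) / dot(bstar[j], bstar[j])
                v = [x - mu[i][j] * y for x, y in zip(v, bstar[j])]
            bstar.append(v)
        return bstar, mu

    bstar, mu = gram_schmidt()
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):          # size-reduce b_k against b_j
            q = round(mu[k][j])
            if q:
                b[k] = [x - q * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt()
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                              # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt()
            k = max(k - 1, 1)
    return b


def acd_instance(seed, gamma, eta, rho, count):
    """Constructed ACD samples x_i = p*q_i + r_i: p has eta bits, x_i about gamma bits, 0 <= r_i < 2^rho."""
    rng = random.Random(seed)
    p = rng.getrandbits(eta) | (1 << (eta - 1)) | 1
    xs = []
    for _ in range(count):
        q_i = rng.getrandbits(gamma - eta) | (1 << (gamma - eta - 1))
        xs.append(p * q_i + rng.getrandbits(rho))
    return p, xs


def sda_recover_p(xs, rho):
    """SDA attack: q_i/q_0 ~ x_i/x_0, so the lattice spanned by (2^(rho+1), x_1, ..., x_t) and the
    rows (0, ..., -x_0, ...) contains the short vector (q_0*2^(rho+1), q_0*r_i - q_i*r_0).
    LLL exposes it; q_0 then yields p = round(x_0 / q_0). Returns None if no candidate verifies."""
    x0, rest = xs[0], xs[1:]
    t = len(rest)
    basis = [[2 ** (rho + 1)] + rest]
    for i in range(t):
        row = [0] * (t + 1)
        row[i + 1] = -x0
        basis.append(row)
    for vec in lll_reduce(basis):
        q0 = abs(vec[0]) // 2 ** (rho + 1)      # first coordinate is always a multiple of 2^(rho+1)
        if q0 == 0:
            continue
        cand = (x0 + q0 // 2) // q0             # nearest integer to x_0 / q_0
        if cand > 2 ** (rho + 1) and all(x % cand < 2 ** rho for x in xs):
            return cand
    return None


if __name__ == "__main__":
    p, xs = acd_instance(seed=3, gamma=60, eta=40, rho=4, count=5)
    print(sda_recover_p(xs, 4) == p)
```

The candidate check `x % cand < 2**rho` is what makes the routine honest: LLL returns a reduced basis, not a guarantee that its first row is the target, so every row is tried and only a divisor that explains all samples is accepted. The reason the attack degrades as η - ρ shrinks is visible in the basis: the target vector has length about 2^(γ-η+ρ) while the lattice determinant is about 2^(ρ+γt), so more samples are needed as the gap narrows.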

    ํšจ์œจ์ ์ธ ์ •์ˆ˜ ๊ธฐ๋ฐ˜ ๋™ํ˜• ์•”ํ˜ธ

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, February 2015. Advisor: Jung Hee Cheon. Fully homomorphic encryption allows a worker to perform additions and multiplications on encrypted plaintext values without decryption. The first construction of a fully homomorphic encryption scheme (FHE) based on ideal lattices was described by Gentry in 2009. Since Gentry's breakthrough result, many improvements have been made, introducing new variants, improving efficiency, and providing new features. Most FHE schemes still have very large ciphertexts (millions of bits for a single ciphertext). This presents a considerable bottleneck in practical deployments. To improve the efficiency of FHE schemes, especially ciphertext size, we can consider the following two observations. One is to improve the ratio of plaintext to ciphertext by packing many messages in one ciphertext, and the other is to reduce the size of FHE ciphertexts by combining FHE with existing public-key encryption. In this dissertation, we study the construction of efficient FHE over the integers. First, we propose a new variant of DGHV fully homomorphic encryption that extends the message space. Using the Chinese remainder theorem, our scheme reduces the overhead (ratio of ciphertext computation to plaintext computation) from $\tilde{O}(\lambda^4)$ to $\tilde{O}(\lambda)$. We reduce the security of our Somewhat Homomorphic Encryption scheme to a decisional version of the Approximate GCD problem (DACD). To reduce the ciphertext size, we propose a hybrid scheme that combines public key encryption (PKE) and somewhat homomorphic encryption (SHE). In this model, messages are encrypted with a PKE and computations on encrypted data are carried out using SHE or FHE after homomorphic decryption. Our approach is suitable for cloud computing environments since it has small bandwidth, low storage requirements, and supports efficient computing on encrypted data. We also give an alternative approach to reducing the FHE ciphertext size. Some recent SHE schemes possess two properties, public key compression and key switching. By combining them, we propose a hybrid encryption scheme in which a block of messages is encrypted by the symmetric version of the SHE and its secret key is encrypted by the (asymmetric) SHE. The ciphertext under the symmetric-key encryption is compressed using the public key compression technique, and we convert the ciphertext into an asymmetric encryption to enable homomorphic computations using the key switching technique.
    Contents:
      Abstract
      1 Introduction
        1.1 A Brief Overview of this Thesis
      2 CRT-based FHE over the Integers
        2.1 Preliminaries
        2.2 Our Somewhat Homomorphic Encryption Scheme
          2.2.1 Parameters
          2.2.2 The Construction
          2.2.3 Correctness
        2.3 Security
        2.4 Fully Homomorphic Encryption
          2.4.1 Bit Message Space
          2.4.2 Large Message Space
        2.5 Discussion
          2.5.1 Secure Large Integer Arithmetic
          2.5.2 Public Key Compression
      3 A Hybrid Scheme of PKE and SHE
        3.1 Preliminaries
          3.1.1 Hard Problems
          3.1.2 Homomorphic Encryption Schemes
        3.2 Encrypt with PKE and Compute with SHE
          3.2.1 A Hybrid Scheme of PKE and SHE
          3.2.2 Additive Homomorphic Encryptions for PKE in the Hybrid Scheme
          3.2.3 Multiplicative Homomorphic Encryptions for PKE in the Hybrid Scheme
        3.3 Homomorphic Evaluation of Exponentiation
          3.3.1 Improved Exponentiation using Vector Decomposition
          3.3.2 Improve the Bootstrapping without Squashing
        3.4 Discussions
          3.4.1 Application Model
          3.4.2 Advantages
        3.5 Generic Conversion of SHE from Private-Key to Public-Key
      4 A Hybrid Asymmetric Homomorphic Encryption
        4.1 Preliminaries
        4.2 A Hybrid Approach to Asymmetric FHE with Compressed Ciphertext
          4.2.1 Main Tools
          4.2.2 Hybrid Encryption with Compressed Ciphertexts
        4.3 Concrete Hybrid Constructions
          4.3.1 Hybrid Encryptions based on DGHV and Its Variants
          4.3.2 Hybrid Encryptions based on LWE
        4.4 Discussion
          4.4.1 Comparison to Other Approaches
          4.4.2 Other Fully Homomorphic Encryptions
      5 Conclusion
      Abstract (in Korean)
      Acknowledgement (in Korean)
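The CRT packing that chapter 2 of the thesis describes, as an added toy example written for this listing and not the thesis's own construction: each plaintext slot i gets its own secret prime p_i and carries m_i + 2 r_i modulo p_i, so a single integer encrypts a whole vector of bits and ordinary integer addition and multiplication act slot-wise (XOR and AND). The symmetric form, the random 64-bit multiplier of N = Π p_i standing in for a public-key x_0 reduction, trial-division primality testing and the sizes η = 24, ρ = 4 are assumptions for illustration only and give no security; the bootstrapping, ciphertext compression and hybrid constructions are not reproduced.

```python
import random
from math import prod


def is_prime(n):
    """Trial division; adequate for the ~24-bit toy primes used here (assumed size)."""
    if n < 2 or n % 2 == 0:
        return n == 2
    return all(n % d for d in range(3, int(n ** 0.5) + 1, 2))


def crt(residues, moduli):
    """Smallest non-negative x with x = residues[i] (mod moduli[i]) for pairwise coprime moduli."""
    big_n = prod(moduli)
    x = 0
    for r, m in zip(residues, moduli):
        n_i = big_n // m
        x += r * n_i * pow(n_i, -1, m)
    return x % big_n


def keygen(slots, eta, rho, seed):
    """One secret eta-bit prime per slot. 2^(rho+1) must sit far below 2^eta to leave noise headroom."""
    rng = random.Random(seed)
    primes = []
    while len(primes) < slots:
        cand = rng.getrandbits(eta) | (1 << (eta - 1)) | 1
        if is_prime(cand) and cand not in primes:
            primes.append(cand)
    return {"primes": primes, "N": prod(primes), "rho": rho, "rng": rng}


def encrypt(ctx, bits):
    """Slot i holds m_i + 2*r_i (mod p_i); the CRT image plus a random multiple of N is the ciphertext."""
    rng, rho = ctx["rng"], ctx["rho"]
    residues = [m + 2 * rng.getrandbits(rho) for m in bits]
    return crt(residues, ctx["primes"]) + rng.getrandbits(64) * ctx["N"]   # 64-bit q: toy size


def decrypt(ctx, c):
    """(c mod p_i) mod 2 per slot; exact as long as each slot's value m_i + 2 r_i is still below p_i."""
    return [(c % p) % 2 for p in ctx["primes"]]


def add(c1, c2):
    return c1 + c2       # slot-wise XOR; slot values add


def mul(c1, c2):
    return c1 * c2       # slot-wise AND; slot values multiply, so noise bits roughly double


def mult_depth(ctx):
    """Multiplicative depth guaranteed correct: fresh slot values are < 2^(rho+1) and square at each
    level, so (rho+1)*2^d < eta-1 must hold (the smallest prime is at least 2^(eta-1))."""
    eta = min(ctx["primes"]).bit_length()
    d = 0
    while (ctx["rho"] + 1) * 2 ** (d + 1) < eta - 1:
        d += 1
    return d


if __name__ == "__main__":
    ctx = keygen(slots=4, eta=24, rho=4, seed=11)
    a, b = [1, 0, 1, 0], [1, 1, 0, 0]
    ca, cb = encrypt(ctx, a), encrypt(ctx, b)
    print(decrypt(ctx, add(ca, cb)), decrypt(ctx, mul(ca, cb)), mult_depth(ctx))
```

The overhead reduction the abstract claims is visible here in miniature: one ciphertext and one integer multiplication serve all four slots, whereas the original DGHV scheme would need one ciphertext per bit. The price is that every slot prime must be kept secret and that noise is tracked per slot; `mult_depth` makes that budget explicit so that a practitioner can see when decryption stops being correct.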

    Critical Perspectives on Provable Security: Fifteen Years of Another Look Papers

    We give an overview of our critiques of “proofs” of security and a guide to our papers on the subject that have appeared over the past decade and a half. We also provide numerous additional examples and a few updates and errata.

    SoK: How (not) to Design and Implement Post-Quantum Cryptography

    Post-quantum cryptography has undergone a Cambrian explosion in the last decade. What started as a very theoretical and mathematical area has now evolved into a sprawling research field, complete with side-channel resistant embedded implementations, large-scale deployment tests and standardization efforts. This study systematizes the current state of knowledge on post-quantum cryptography. Compared to existing studies, we adopt a transversal point of view and center our study around three areas: (i) paradigms, (ii) implementation, (iii) deployment. Our point of view allows us to cast almost all classical and post-quantum schemes into just a few paradigms. We highlight trends, common methodologies, pitfalls to look for, and recurrent challenges.

    LIPIcs, Volume 251, ITCS 2023, Complete Volume

    LIPIcs, Volume 251, ITCS 2023, Complete Volume.

    Abstract Algebra: Theory and Applications

    Tom Judson's Abstract Algebra: Theory and Applications is an open source textbook designed to teach the principles and theory of abstract algebra to college juniors and seniors in a rigorous manner. Its strengths include a wide range of exercises, both computational and theoretical, plus many nontrivial applications. Rob Beezer has contributed complementary material using the open source system Sage. An HTML version on the PreTeXt platform is also available. The first half of the book presents group theory, through the Sylow theorems, with enough material for a semester-long course. The second half is suitable for a second semester and presents rings, integral domains, Boolean algebras, vector spaces, and fields, concluding with Galois theory.