10 research outputs found

    Cryptography from tensor problems

    We describe a new proposal for a trap-door one-way function. The new proposal belongs to the "multivariate quadratic" family but the trap-door is different from existing methods, and is simpler

    Fast construction of irreducible polynomials over finite fields

    We present a randomized algorithm that on input a finite field $K$ with $q$ elements and a positive integer $d$ outputs a degree $d$ irreducible polynomial in $K[x]$. The running time is $d^{1+o(1)} \times (\log q)^{5+o(1)}$ elementary operations. The $o(1)$ in $d^{1+o(1)}$ is a function of $d$ that tends to zero when $d$ tends to infinity, and the $o(1)$ in $(\log q)^{5+o(1)}$ is a function of $q$ that tends to zero when $q$ tends to infinity. In particular, the complexity is quasi-linear in the degree $d$.

    Compress Multiple Ciphertexts Using ElGamal Encryption Schemes

    In this work we deal with the problem of how to compress multiple ciphertexts without losing the original message information. To do so, we formalize the notion of decomposability for public-key encryption and investigate why adding decomposability is challenging. We construct an ElGamal encryption scheme over extension fields and show that it supports efficient decomposition. We then analyze the security of our scheme under the standard DDH assumption and evaluate the performance of our construction.

    Deterministic polynomial factoring over finite fields: A uniform approach via P-schemes

    We introduce a family of combinatorial objects called P-schemes, where P is a collection of subgroups of a finite group G. A P-scheme is a collection of partitions of right coset spaces H\G, indexed by H ∈ P, that satisfies a list of axioms. These objects generalize the classical notion of association schemes as well as m-schemes (Ivanyos et al., 2009). We apply the theory of P-schemes to deterministic polynomial factoring over finite fields: suppose f(X) ∈ Z[X] and a prime number p are given, such that f̄(X) := f(X) mod p factorizes into n = deg(f) distinct linear factors over the finite field F_p. We show that, assuming the generalized Riemann hypothesis (GRH), f̄(X) can be completely factorized in deterministic polynomial time if the Galois group G of f(X) is an almost simple primitive permutation group on the set of roots of f(X), and the socle of G is a subgroup of Sym(k) for k up to 2^{O(√log n)}. This is the first deterministic polynomial-time factoring algorithm for primitive Galois groups of superpolynomial order. We prove our result by developing a generic factoring algorithm and analyzing it using P-schemes. We also show that the main results achieved by known GRH-based deterministic polynomial factoring algorithms can be derived from our generic algorithm in a uniform way. Finally, we investigate the schemes conjecture in Ivanyos et al. (2009), and formulate analogous conjectures associated with various families of permutation groups. We show that these conjectures form a hierarchy of relaxations of the original schemes conjecture, and their positive resolutions would imply deterministic polynomial-time factoring algorithms for various families of Galois groups under GRH.

    Factorization of binary polynomials

    This thesis describes a solution to a cryptographic programming challenge originally posted by Nintendo in order to attract job applicants. The encryption method turned out to be binary polynomial multiplication, which means decryption can be done with binary polynomial factorization. While briefly exploring other options, the main approach in this thesis was first to compute the square-free factorization of a polynomial using David Yun's algorithm from 1974 and then to apply Elwyn Berlekamp's slower algorithm to those square-free factors to compute a proper factorization into irreducibles. In addition to explaining and implementing the algorithms, the details of how to make these computations fast on a computer system are explained in detail. Binary polynomial factorization translates very efficiently to a computer algorithm in which one bit represents one coefficient. Using this fact allowed the author of this thesis to implement the algorithms efficiently and to solve the challenge as the 273rd person since it was posted online.

    This thesis describes a solution to a cryptographic problem published by the game company Nintendo with the aim of offering job opportunities to those who solved it. On closer examination it turned out that their encryption algorithm was built around binary polynomial multiplication, so the decryption algorithm, and hence the solution to the problem, required factoring binary polynomials. The solution itself consists of two phases. First the binary polynomial is split into square-free factors using David Yun's algorithm from 1974. The square-free factors are then split into irreducible polynomials using the somewhat slower algorithm of Elwyn Berlekamp. Both algorithms are implemented in C++ on a modern computer, and the thesis pays particular attention to the efficiency of that implementation. In addition to describing these two algorithms, the thesis gives a brief overview of other ways to factor a polynomial over a finite field, in order to give a picture of how research in the field has developed. Binary polynomials can be represented very efficiently on a computer with one bit per coefficient. Exploiting this, the thesis produced an efficient implementation that made its author the 273rd person to complete the challenge.

    Polynomial Factorization and Its Applications

    Doctoral thesis (Ph.D.), Seoul National University Graduate School, Department of Mathematical Sciences, February 2013. Advisor: Jung Hee Cheon (천정희).

    Polynomial representations, which represent a set by a polynomial over a ring $\mathbb{Z}_\sigma$ for a composite integer $\sigma$, enable us to construct efficient private set operation protocols when combined with an additively homomorphic encryption scheme. However, a polynomial representation has a limitation due to the hardness of polynomial factorization over $\mathbb{Z}_\sigma$: this makes it hard to recover the corresponding set from the resulting polynomial in some private set operation protocols. We provide two representations of a set by a polynomial over $\mathbb{Z}_\sigma$ which enable us to uniquely factorize a polynomial satisfying certain criteria. The first works on the ring $\mathbb{Z}_N$ for an RSA modulus $N$, the message space of Paillier encryption. To do this, we balance the size of the modulus $N$ against the size of the elements in the domain so that each element in the domain is a small root of a certain polynomial over $\mathbb{Z}_\sigma$, and apply Coppersmith's small-root-finding algorithm. Our second suggestion works on the ring $\mathbb{Z}_\sigma$ for a product $\sigma$ of small primes, the message space of Naccache-Stern encryption. While the factorization of $N$ is secret in Paillier encryption, the factorization of $\sigma$ is public. Hence, we can obtain many candidate roots of the polynomial using a polynomial factorization algorithm over prime fields together with the Chinese remainder theorem. To remove irrelevant candidates, we adopt a special encoding function which supports an early-abort strategy. As a result, we can efficiently recover the corresponding set from a polynomial in $\mathbb{Z}_\sigma[x]$ whose roots lie in the image of our encoding function. As applications of our polynomial representations, we obtain a constant-round private set union protocol. Our construction improves on the complexity of the previous best result without an honest-majority assumption. We also consider a private set intersection protocol in the storage model, in which the owners of sets and the recipients are separated.

    Table of contents:
    1 Introduction
      1.1 Contribution of This Work
        1.1.1 Our Polynomial Representation
        1.1.2 Applications to Private Set Operations
      1.2 Organization
    2 Preliminaries
      2.1 Basics
      2.2 Private Set Operations
      2.3 Polynomial Representation
      2.4 Additive Homomorphic Encryption
        2.4.1 Threshold Additive Homomorphic Encryption
      2.5 Polynomial Factorization Algorithm
    3 Polynomial Factorization over $\mathbb{Z}_\sigma$ for Composite $\sigma$
      3.1 When the Factorization of $\sigma$ is Hidden
      3.2 When the Factorization of $\sigma$ is Public
        3.2.1 Our Polynomial Representation
        3.2.2 The Expected Number of Linkable Pairs
        3.2.3 The Proper Size of $\alpha$
    4 Application to Private Set Union
      4.1 Transforming Our Representation into a Rational Function using Reversed Laurent Series
      4.2 Set Union for the Honest-But-Curious Case
      4.3 Set Union for the Malicious Case
      4.4 Extension to a Multi-set Union Protocol
    5 Application to Private Set Intersection for Multiple Use in the Storage Model
      5.1 Our Set Encryption
      5.2 Our Basic Private Set Intersection Protocols
        5.2.1 Honest-But-Curious Case
        5.2.2 Malicious Case
      5.3 Our Set Intersection Protocol in the Storage Model
        5.3.1 Set Intersection for Multiple Use
        5.3.2 Applying Bucket Allocation
    6 Conclusion

    Reduced Order and Surrogate Models for Gravitational Waves

    We present an introduction to some of the state of the art in reduced order and surrogate modeling in gravitational wave (GW) science. Approaches that we cover include Principal Component Analysis, Proper Orthogonal Decomposition, the Reduced Basis approach, the Empirical Interpolation Method, Reduced Order Quadratures, and Compressed Likelihood evaluations. We divide the review into three parts: representation/compression of known data, predictive models, and data analysis. The target audience is practitioners in GW science, a field in which building predictive models and data analysis tools that are both accurate and fast to evaluate, especially when dealing with large amounts of data and intensive computations, is necessary yet can be challenging. As such, practical presentations and, sometimes, heuristic approaches are preferred here over rigor when the latter is not available. This review aims to be self-contained, within reasonable page limits, requiring little previous knowledge (at the undergraduate level) of mathematics, scientific computing, and other disciplines. Emphasis is placed on optimality, as well as the curse of dimensionality and approaches that might have the promise of beating it. We also review most of the state of the art of GW surrogates. Some numerical algorithms, conditioning details, scalability, parallelization and other practical points are discussed. The approaches presented are to a large extent non-intrusive and data-driven and can therefore be applicable to other disciplines. We close with open challenges in high dimension surrogates, which are not unique to GW science.
    Comment: Invited article for Living Reviews in Relativity. 93 page

    Homomorphic Encryption and Program Analysis in Secrecy

    Doctoral thesis (Ph.D.), Seoul National University Graduate School, Department of Mathematical Sciences, August 2015. Advisor: Jung Hee Cheon (천정희).

    Homomorphic encryption is a cryptographic technique that allows data to be processed by operating on ciphertexts while they remain encrypted, without going through decryption; it has attracted attention as a cryptosystem that can address the security problems arising in cloud service environments, which are now widely used. This thesis studies applications of homomorphic encryption together with the development of a new homomorphic encryption algorithm. On the application side, we propose a privacy-preserving set union protocol using the Naccache-Stern additively homomorphic encryption scheme, and a method for static analysis of programs in secrecy using the RLWE-based BGV homomorphic encryption scheme. To support efficient set union, we propose a special encoding function for representing the participants' set elements and, by applying it, a method for efficiently recovering the roots of polynomials even in a ring that is not a unique factorization domain. On this basis we propose the most efficient constant-round set union protocol to date. For program analysis in secrecy, we present a method for pointer analysis in secrecy using homomorphic encryption. Using the type information of program variables, we show how to reduce the number of multiplications required during homomorphic evaluation dramatically, from $O(m^2 \log m)$ to $O(\log m)$, and on this basis propose a program analysis in secrecy that is practical for real-world use. This enables an analyst, using only encrypted program information, to determine which variables or storage locations a pointer variable in the program may point to during execution. Finally, we propose a new cryptographic hardness assumption, the polynomial approximate common divisor problem, and a new homomorphic encryption scheme based on it. The proposed scheme can be seen as a polynomial version of the homomorphic encryption scheme of van Dijk et al., and accordingly supports not only data-parallel processing but also arithmetic on large integers. Whereas the fully homomorphic schemes in the van Dijk et al. family rely on the hardness of the subset sum problem in order to provide division by the secret key, the proposed scheme does not need to divide by secret information during decryption and therefore does not require the subset sum assumption.

    Homomorphic encryption enables computing certain functions on encrypted data without decryption. Many cloud-based services need efficient homomorphic encryption schemes to secure data in cloud computing. In this thesis, we focus on applications of homomorphic encryption to set operations and program analysis, and we suggest a new construction of homomorphic encryption. First, we present a new privacy-preserving set union protocol and a secure points-to analysis method as applications of homomorphic encryption. Our set union protocol is based on the additively homomorphic encryption scheme by Naccache and Stern, whose message space is $\mathbb{Z}_\sigma$, where $\sigma$ is a product of small primes. We introduce a special polynomial representation such that if a polynomial is represented in this form, then it factorizes uniquely in $\mathbb{Z}_\sigma[X]$. From this representation, we obtain an efficient constant-round set union protocol without an honest-majority assumption. We adopt a somewhat homomorphic encryption scheme to perform static analysis on encrypted programs. In our method, a somewhat homomorphic encryption scheme of depth $O(\log m)$ is able to evaluate Andersen's pointer analysis with $O(\log m)$ homomorphic matrix multiplications, for $m$ the number of pointer variables, when the maximal pointer level is bounded. Finally, we propose a somewhat homomorphic encryption scheme over the polynomial ring. The security of the proposed scheme is based on the polynomial approximate common divisor problem, which can be seen as a polynomial analogue of the base problem of the DGHV fully homomorphic encryption scheme and its extension. Our scheme is conceptually simple and does not require a complicated re-linearization process. For this reason, our scheme is more efficient than RLWE-based homomorphic encryption over the polynomial ring when evaluating low-degree polynomials of large integers. Furthermore, we convert this scheme into a leveled fully homomorphic encryption scheme, and the resulting scheme has features similar to the variant of van Dijk et al.'s scheme by Coron et al. Our scheme, however, does not use the subset sum, which makes its design much simpler.

    Table of contents:
    1 Introduction
    2 Private Set Union Protocol
      2.1 Preliminaries
        2.1.1 Polynomial Representation of a Set
        2.1.2 Reversed Laurent Series
        2.1.3 Additive Homomorphic Encryption
        2.1.4 Root Finding Algorithms
      2.2 New Polynomial Representation of a Set
        2.2.1 New Invertible Polynomial Representation
        2.2.2 The Expected Number of Root Candidates
        2.2.3 The Proper Size of $\alpha$
      2.3 New Privacy-preserving Set Union Protocols
        2.3.1 Application of Our Polynomial Representation
        2.3.2 Honest-But-Curious Model
        2.3.3 Malicious Model
        2.3.4 Extension to the Multi-set Union Protocol
      2.4 Conclusion
    3 Secure Static Program Analysis
      3.1 Preliminaries
        3.1.1 Homomorphic Encryption
        3.1.2 The BGV-type Cryptosystem
        3.1.3 Security Model
      3.2 A Basic Construction of a Pointer Analysis in Secrecy
        3.2.1 Inclusion-based Pointer Analysis
        3.2.2 The Pointer Analysis in Secrecy
      3.3 Improvement of the Pointer Analysis in Secrecy
        3.3.1 Problems of the Basic Approach
        3.3.2 Overview of Improvement
        3.3.3 Level-by-level Analysis
        3.3.4 Ciphertext Packing
        3.3.5 Randomization of Ciphertexts
      3.4 Experimental Result
      3.5 Discussions
    4 New Fully Homomorphic Encryption
      4.1 Preliminaries
        4.1.1 Lattices
        4.1.2 Chinese Remaindering for Polynomials over a Composite Modulus
        4.1.3 Distributions
      4.2 Our Fully Homomorphic Encryption Scheme
        4.2.1 Basic Parameters
        4.2.2 The Somewhat Homomorphic Encryption Scheme
        4.2.3 Leveled Fully Homomorphic Encryption Scheme
      4.3 Security
        4.3.1 The Polynomial ACD Problems
        4.3.2 Security Proof
      4.4 Analysis of the Polynomial ACD Problems
        4.4.1 Distinguishing Attack
        4.4.2 Chen-Nguyen's Attack
        4.4.3 Coppersmith's Attack
        4.4.4 Extension of Cohn-Heninger's Attack
      4.5 Implementation
        4.5.1 Public Key Compression
        4.5.2 Implementation Results
      4.6 Conclusion
    5 Conclusions
    Abstract (in Korean)