Implementation and evaluation of improved Gaussian sampling for lattice trapdoors
We report on our implementation of a new Gaussian sampling algorithm for lattice trapdoors. Lattice trapdoors are used in a wide array of lattice-based cryptographic schemes including digital signatures, attribute-based encryption, program obfuscation and others. Our implementation provides Gaussian sampling for trapdoor lattices with prime moduli, and supports both single- and multi-threaded execution. We experimentally evaluate our implementation through its use in the GPV hash-and-sign digital signature scheme as a benchmark. We compare our design and implementation with prior work reported in the literature. The evaluation shows that our implementation 1) has smaller space requirements and faster runtime, 2) does not require multi-precision floating-point arithmetic, and 3) can be used for a broader range of cryptographic primitives than previous implementations.
Building an Efficient Lattice Gadget Toolkit: Subgaussian Sampling and More
Many advanced lattice cryptography applications require efficient algorithms for inverting the so-called gadget matrices, which are used to formally describe a digit decomposition problem that produces an output with specific (statistical) properties. The common gadget inversion problems are the classical (often binary) digit decomposition, subgaussian decomposition, Learning with Errors (LWE) decoding, and discrete Gaussian sampling. In this work, we build and implement an efficient lattice gadget toolkit that provides a general treatment of gadget matrices and algorithms for their inversion/sampling. The main contribution of our work is a set of new gadget matrices and algorithms for efficient subgaussian sampling that have a number of major theoretical and practical advantages over previously known algorithms. Another contribution deals with efficient algorithms for LWE decoding and discrete Gaussian sampling in the Residue Number System (RNS) representation.
We implement the gadget toolkit in PALISADE and evaluate the performance of our algorithms both in terms of runtime and noise growth. We illustrate the improvements due to our algorithms by implementing a concrete complex application, key-policy attribute-based encryption (KP-ABE), which was previously considered impractical for CPU systems (except for a very small number of attributes). Our runtime improvements for the main bottleneck operation based on subgaussian sampling range from 18x (for 2 attributes) to 289x (for 16 attributes; the maximum number supported by a previous implementation). Our results are applicable to a wide range of other advanced applications in lattice cryptography, such as GSW-based homomorphic encryption schemes, leveled fully homomorphic signatures, key-hiding PRFs and other forms of ABE, some program obfuscation constructions, and more.
Gadgets and Gaussians in Lattice-Based Cryptography
This dissertation explores optimal algorithms employed in lattice-based cryptographic schemes. Chapter 2 focuses on optimizing discrete Gaussian sampling on "gadget" and algebraic lattices. These Gaussian sampling algorithms are used in lattice cryptography's most efficient trapdoor mechanism for the SIS and LWE problems: "MP12" trapdoors. However, this trapdoor mechanism was previously not optimized and inefficient (or not proven to be statistically correct) for structured lattices (ring-SIS/LWE), lattice cryptography's most efficient form, where the modulus is often a prime. The algorithms in this chapter achieve optimality in this regime and have (already) resulted in drastic efficiency improvements in independent implementations.
Chapter 3 digs deeper into the gadget lattice's associated algorithms. Specifically, we explore efficiently sampling a simple subgaussian distribution on gadget lattices, and we optimize LWE decoding on gadget lattices. These subgaussian sampling algorithms correspond to a randomized bit-decomposition needed in lattice-based schemes with homomorphic properties like fully homomorphic encryption (FHE). Next, we introduce a general class of "Chinese Remainder Theorem" (CRT) gadgets. These gadgets allow advanced lattice-based schemes to avoid multi-precision arithmetic when the application's modulus is larger than 64 bits. The algorithms presented in the first two chapters improve the efficiency of many lattice-based cryptosystems: digital signature schemes, identity-based encryption schemes, as well as more advanced schemes like fully homomorphic encryption and attribute-based encryption.
In the final chapter, we take a closer look at the random matrices used in trapdoor lattices. First, we revisit the constants in the concentration bounds of subgaussian random matrices. Then, we provide experimental evidence for a simple heuristic regarding the singular values of matrices with entries drawn from commonly used distributions in cryptography. Though the proofs in this chapter are dense, cryptographers need a strong understanding of the singular values of these matrices, since their maximum singular value determines the concrete security of the trapdoor scheme's underlying SIS problem.
Towards a Simpler Lattice Gadget Toolkit
As a building block, gadgets and associated algorithms are widely used in advanced lattice cryptosystems. The gadget algorithms for power-of-base moduli are very efficient and simple; however, the current algorithms for arbitrary moduli are still complicated and practically more costly despite several efforts. Given the necessity of arbitrary moduli, developing simpler and more practical gadget algorithms for them is crucial to improving the practical performance of lattice-based applications.
In this work, we propose two new gadget sampling algorithms for arbitrary moduli. Our first algorithm is for gadget Gaussian sampling. It is simple and efficient. One distinguishing feature of our Gaussian sampler is that it does not need floating-point arithmetic, which makes it more compatible with constrained environments. Our second algorithm is for gadget subgaussian sampling. Compared with the existing algorithm, it is simpler, faster, and requires asymptotically less randomness. In addition, our subgaussian sampler achieves almost equal quality across different practical parameters. Overall these two algorithms provide simpler options for gadget algorithms and enhance the practicality of the gadget toolkit.
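The three gadget abstracts above ("Building an Efficient Lattice Gadget Toolkit", "Gadgets and Gaussians" and "Towards a Simpler Lattice Gadget Toolkit") all turn on inverting the gadget vector g = (1, b, b^2, ..., b^(k-1)): deterministic digit decomposition versus the randomized, zero-mean "subgaussian" decomposition. The following is an added example written for this page, not code from any of the papers or from PALISADE. It assumes the easy power-of-base case q = b^k (the arbitrary-modulus algorithms the abstracts develop are not implemented), uses a per-digit randomized rounding rule as the subgaussian inverse, and the worst-case input and error vector in the demo are constructed for illustration.

```python
"""Gadget inversion for g = (1, b, b^2, ..., b^(k-1)) with modulus q = b^k.

Added example for this page, not code from the papers above or from
PALISADE.  Power-of-base modulus only; the arbitrary-modulus algorithms
the abstracts discuss are not implemented here.
"""
import random


def gadget(b, k):
    """The gadget vector g: <g, digits> mod q reconstructs the scalar."""
    return [b ** i for i in range(k)]


def digit_decompose(u, b, k):
    """Deterministic base-b decomposition of u mod q; every digit lies in [0, b)."""
    u %= b ** k
    digits = []
    for _ in range(k):
        digits.append(u % b)
        u //= b
    return digits


def subgaussian_decompose(u, b, k, rng):
    """Randomised decomposition of u mod q with zero-mean digits in (-b, b).

    The current low digit x in [0, b) is emitted as x (no carry) with
    probability 1 - x/b, or as x - b with a carry of 1 into the next
    position with probability x/b, so each digit has expectation 0 given
    the digits before it.  The invariant u_i = d_i + b * u_{i+1} gives
    sum d_i b^i = u - q * u_k, which equals u modulo q.
    """
    u %= b ** k
    digits = []
    for _ in range(k):
        x = u % b
        u //= b
        if x != 0 and rng.random() < x / b:
            digits.append(x - b)   # round past zero ...
            u += 1                 # ... and carry the difference upwards
        else:
            digits.append(x)
    return digits


def recombine(digits, b, k):
    """<g, digits> mod q, the map that both decompositions must invert."""
    return sum(d * g for d, g in zip(digits, gadget(b, k))) % (b ** k)


def check_decompositions(b, k, seed=0, count=500):
    """Self-check on random inputs: both inverses recombine to u and keep their digit ranges."""
    rng = random.Random(seed)
    q = b ** k
    for _ in range(count):
        u = rng.randrange(q)
        det = digit_decompose(u, b, k)
        sub = subgaussian_decompose(u, b, k, rng)
        if recombine(det, b, k) != u or recombine(sub, b, k) != u:
            return False
        if not all(0 <= d < b for d in det) or not all(-b < d < b for d in sub):
            return False
    return True


def noise_comparison(u, error, b, k, rng=None, trials=4000):
    """Compare <error, G^-1(u)> for the deterministic and the subgaussian inverse.

    In GSW-style schemes the decomposition is multiplied by an error vector.
    For a worst-case u (all digits b - 1) the deterministic inverse hits its
    maximum every time; the subgaussian inverse gives a zero-mean random
    variable for every u.  Returns (deterministic value, mean, RMS).
    """
    if rng is None:
        rng = random.Random(0)
    det = sum(e * d for e, d in zip(error, digit_decompose(u, b, k)))
    samples = []
    for _ in range(trials):
        d = subgaussian_decompose(u, b, k, rng)
        samples.append(sum(e * di for e, di in zip(error, d)))
    mean = sum(samples) / trials
    rms = (sum(s * s for s in samples) / trials) ** 0.5
    return det, mean, rms


if __name__ == "__main__":
    b, k = 2, 16
    u = b ** k - 1                      # constructed worst case: all digits b - 1
    print(digit_decompose(u, b, k))
    print(subgaussian_decompose(u, b, k, random.Random(1)))
    print(noise_comparison(u, [1] * k, b, k))
```

With b = 2, k = 16 and the all-ones error vector, the deterministic inverse of u = q - 1 always yields 16, while the subgaussian inverse averages 0 with an RMS around 1.4: the same correctness guarantee (both recombine to u mod q), but a noise term that concentrates instead of sitting at its worst case.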
Ring Signature from Bonsai Tree: How to Preserve the Long-Term Anonymity
Signer-anonymity is the central feature of ring signatures, which enable a user to sign messages on behalf of an arbitrary set of users, called the ring, without revealing exactly which member of the ring actually generated the signature. Strong and long-term signer-anonymity is a reassuring guarantee for users who are hesitant to leak a secret, especially if the consequences of identification are dire, as in scenarios such as whistleblowing. The notion of unconditional anonymity, which protects signer-anonymity even against an infinitely powerful adversary, is considered for ring signatures that aim to achieve long-term signer-anonymity. However, the existing lattice-based works that consider the unconditional anonymity notion did not strictly capture the security requirements imposed in practice, which leads to a realistic attack on signer-anonymity.
In this paper, we present a realistic attack on the unconditional anonymity of ring signatures, and formalize the unconditional anonymity model to strictly capture it. We then propose a lattice-based ring signature construction with unconditional anonymity by leveraging the bonsai tree mechanism. Finally, we prove the security in the standard model and demonstrate the unconditional anonymity through both a theoretical proof and practical experiments.
Analysis of BCNS and Newhope Key-exchange Protocols
Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key-exchange protocols based on hard problems in lattices, mainly based on the Ring Learning With Errors (R-LWE) problem.
In this work we present an analysis of Ring-LWE based key-exchange mechanisms and compare two implementations of Ring-LWE based key-exchange protocols: BCNS and NewHope. This matters because the NewHope implementation outperforms the state-of-the-art elliptic-curve Diffie-Hellman key exchange X25519, showing that a quantum-safe key exchange is not only a viable option but also a faster one. Specifically, this thesis compares the two protocols' reconciliation methods, parameter choices, noise sampling algorithms and performance.
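The reconciliation step the thesis compares is where Ring-LWE key exchange differs from Diffie-Hellman: the two parties only hold approximately equal ring elements, and one of them publishes a hint that lets the other round to the same bit. The exchange below is an added example written for this page, not the BCNS or NewHope code. Its parameters are constructed for the demo and are assumptions: n = 256 and q = 2^14 (a power of two so that the four quadrants of Z_q are exact integer intervals; BCNS uses an odd modulus with a randomized doubling step that is omitted here), centred binomial noise with parameter 16, schoolbook negacyclic multiplication instead of an NTT, and no hashing of the agreed bits into a session key. The hint is Peikert-style cross-rounding as used by BCNS; NewHope's own reconciliation over the D4 lattice is not implemented.

```python
"""Toy Ring-LWE key exchange with Peikert-style one-bit reconciliation.

Added example for this page, not the BCNS or NewHope implementation.
Parameters are constructed for the demo: n = 256, q = 2^14 (power of two so
the quadrants of Z_q are exact integer intervals), centred binomial noise
with parameter 16, schoolbook multiplication, no NTT, no key hashing.
"""
import random

N = 256                 # ring dimension, Z_q[x]/(x^N + 1)
Q = 1 << 14             # modulus (power of two for the demo)
QUAD = Q // 4           # width of one quadrant of Z_q
BINOMIAL_K = 16         # centred binomial parameter (variance k/2)


def poly_mul(a, b):
    """Product in Z_q[x]/(x^N + 1); x^N = -1, so wrapped-around terms are subtracted."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai == 0:
            continue
        for j, bj in enumerate(b):
            if i + j < N:
                out[i + j] += ai * bj
            else:
                out[i + j - N] -= ai * bj
    return [c % Q for c in out]


def poly_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]


def sample_binomial(rng):
    """Coefficients from the centred binomial distribution psi_k."""
    return [sum(rng.getrandbits(1) for _ in range(BINOMIAL_K))
            - sum(rng.getrandbits(1) for _ in range(BINOMIAL_K))
            for _ in range(N)]


def quadrant(v):
    return (v % Q) // QUAD


def key_bit(v):
    """Modular rounding: 1 for the two middle quadrants, 0 otherwise."""
    return 1 if quadrant(v) in (1, 2) else 0


def hint_bit(v):
    """Cross-rounding: the quadrant's parity, sent to the other party in the clear."""
    return quadrant(v) & 1


def circ_dist(x, y):
    d = abs(x - y) % Q
    return min(d, Q - d)


def dist_to_quadrant(w, c):
    lo, hi = c * QUAD, (c + 1) * QUAD - 1
    if lo <= w <= hi:
        return 0
    return min(circ_dist(w, lo), circ_dist(w, hi))


def rec(w, hint):
    """Recover key_bit(v) from an approximation w with |v - w| < q/8 and hint_bit(v).

    The two quadrants with the hinted parity are a full quadrant apart, so the
    one within q/8 of w is the one v lies in; its key bit is returned.
    """
    near = hint if dist_to_quadrant(w, hint) <= dist_to_quadrant(w, hint + 2) else hint + 2
    return 1 if near in (1, 2) else 0


def check_rec_exhaustive():
    """Verify the reconciliation lemma for every v in Z_q and errors up to the bound."""
    bound = Q // 8 - 1
    for v in range(Q):
        for e in (-bound, -1, 0, 1, bound):
            if rec((v + e) % Q, hint_bit(v)) != key_bit(v):
                return False
    return True


def key_exchange(seed):
    """Run the exchange; returns (Alice's bits, Bob's bits, largest |v - w| seen)."""
    rng = random.Random(seed)
    a = [rng.randrange(Q) for _ in range(N)]           # public ring element
    s, e = sample_binomial(rng), sample_binomial(rng)  # Alice's secret and error
    b = poly_add(poly_mul(a, s), e)                    # Alice -> Bob
    s2, e2, e3 = (sample_binomial(rng) for _ in range(3))
    u = poly_add(poly_mul(a, s2), e2)                  # Bob -> Alice
    v = poly_add(poly_mul(b, s2), e3)                  # Bob's view of a*s*s2 plus noise
    hints = [hint_bit(x) for x in v]                   # Bob -> Alice, public
    key_bob = [key_bit(x) for x in v]
    w = poly_mul(u, s)                                 # Alice's view; v - w = e*s2 + e3 - e2*s
    key_alice = [rec(x, h) for x, h in zip(w, hints)]
    max_gap = max(circ_dist(x, y) for x, y in zip(v, w))
    return key_alice, key_bob, max_gap


if __name__ == "__main__":
    ka, kb, gap = key_exchange(1)
    print("keys agree:", ka == kb, "max |v - w| =", gap, "bound q/8 =", Q // 8)
```

The parameter choice is what makes the comparison in the thesis meaningful: the gap v - w is e*s2 + e3 - e2*s, whose size is set by the noise distribution and the ring dimension, and reconciliation only works while that gap stays below q/8 for every coefficient. check_rec_exhaustive confirms the decoding rule on all of Z_q at the edge of that bound, and key_exchange reports the largest gap actually observed so the safety margin is visible.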
A Study on Identity-Based Homomorphic Encryption with Noisy Keys (translated title)
Thesis (Ph.D.), Seoul National University Graduate School, College of Natural Sciences, Department of Mathematical Sciences, February 2020. Advisor: Jung Hee Cheon.
Secure data analysis delegation on the cloud is one of the most powerful applications that homomorphic encryption (HE) can bring. As the technical level of HE arrives at a practical regime, this model is also being considered a more serious and realistic paradigm. This increasing attention in turn requires more versatile and secure models that can deal with much more complicated real-world problems.
First, as real-world modeling involves a number of data owners and clients, authorized control of data access is still required even in the HE scenario. Second, we note that although homomorphic operations require no secret key, decryption does; that is, the secret-key management concern remains even for HE. Last, from a rather fundamental viewpoint, we thoroughly analyze the concrete hardness of the base problem of HE, the so-called Learning With Errors (LWE) problem. In fact, for the sake of efficiency, HE exploits a weaker variant of LWE whose security is not believed to be fully understood.
For the efficiency of the data encryption phase, we improve the previously suggested NTRU-lattice ID-based encryption by generalizing the NTRU concept to module-NTRU lattices. Moreover, we design a novel method that decrypts the resulting ciphertext with a noisy key. This enables the decryptor to use its own noisy source, in particular biometrics, and hence fundamentally solves the key management problem. Finally, by considering further improvements to existing LWE-solving algorithms, we propose new algorithms that show much faster performance. Consequently, we argue that HE parameter choices should be updated in light of our attacks in order to maintain the currently claimed security level.
1 Introduction
1.1 Access Control based on Identity
1.2 Biometric Key Management
1.3 Concrete Security of HE
1.4 List of Papers
2 Background
2.1 Notation
2.2 Lattices
2.2.1 Lattice Reduction Algorithm
2.2.2 BKZ cost model
2.2.3 Geometric Series Assumption (GSA)
2.2.4 The Nearest Plane Algorithm
2.3 Gaussian Measures
2.3.1 Kullback-Leibler Divergence
2.4 Lattice-based Hard Problems
2.4.1 The Learning With Errors Problem
2.4.2 NTRU Problem
2.5 One-way and Pseudo-random Functions
3 ID-based Data Access Control
3.1 Module-NTRU Lattices
3.1.1 Construction of MNTRU lattice and trapdoor
3.1.2 Minimize the Gram-Schmidt norm
3.2 IBE-Scheme from Module-NTRU
3.2.1 Scheme Construction
3.2.2 Security Analysis by Attack Algorithms
3.2.3 Parameter Selections
3.3 Application to Signature
4 Noisy Key Cryptosystem
4.1 Reusable Fuzzy Extractors
4.2 Local Functions
4.2.1 Hardness over Non-uniform Sources
4.2.2 Flipping local functions
4.2.3 Noise stability of predicate functions: Xor-Maj
4.3 From Pseudorandom Local Functions
4.3.1 Basic Construction: One-bit Fuzzy Extractor
4.3.2 Expansion to multi-bit Fuzzy Extractor
4.3.3 Indistinguishable Reusability
4.3.4 One-way Reusability
4.4 From Local One-way Functions
5 Concrete Security of Homomorphic Encryption
5.1 Albrecht's Improved Dual Attack
5.1.1 Simple Dual Lattice Attack
5.1.2 Improved Dual Attack
5.2 Meet-in-the-Middle Attack on LWE
5.2.1 Noisy Collision Search
5.2.2 Noisy Meet-in-the-middle Attack on LWE
5.3 The Hybrid-Dual Attack
5.3.1 Dimension-error Trade-off of LWE
5.3.2 Our Hybrid Attack
5.4 The Hybrid-Primal Attack
5.4.1 The Primal Attack on LWE
5.4.2 The Hybrid Attack for SVP
5.4.3 The Hybrid-Primal attack for LWE
5.4.4 Complexity Analysis
5.5 Bit-security estimation
5.5.1 Estimations
5.5.2 Application to PKE
6 Conclusion
Abstract (in Korean)
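The thesis's security chapter rests on the ingredients listed in its outline (BKZ cost model, Geometric Series Assumption, the primal attack, bit-security estimation). The estimator below is an added example for this page, not the thesis's own code, and it implements only the standard core-SVP "2016 estimate" for the primal (uSVP) attack on LWE, not the hybrid and dual attacks the thesis develops. Its assumptions are the usual ones and are stated in the code: the root-Hermite factor model for BKZ, a cap of 2n on the number of samples, and the 0.292/0.265/0.2075 sieving exponents per SVP call; the NewHope-like parameter set in the demo is a constructed input.

```python
"""Core-SVP estimate of the primal (uSVP) attack on LWE.

Added example for this page, not the thesis's own estimator.  An LWE
instance with n secrets, m samples, modulus q and error standard deviation
sigma is embedded into a lattice of dimension d = n + m + 1 and volume q^m.
Under the Geometric Series Assumption, BKZ with block size beta recovers the
short error vector when its projection onto the last beta coordinates is
shorter than the corresponding Gram-Schmidt vector:

    sigma * sqrt(beta) <= delta^(2*beta - d - 1) * q^(m / d),

where delta is the root-Hermite factor of BKZ-beta.  The attack cost is
one SVP call in dimension beta (2^(0.292 beta) classically).  Assumptions:
at most 2n samples, and the sieving exponents below.
"""
import math


def bkz_root_hermite(beta):
    """Root-Hermite factor delta predicted for BKZ with block size beta."""
    return ((math.pi * beta) ** (1.0 / beta) * beta
            / (2 * math.pi * math.e)) ** (1.0 / (2 * (beta - 1)))


def primal_succeeds(n, q, sigma, m, beta):
    """GSA success condition for the primal attack, evaluated in log space."""
    d = n + m + 1
    lhs = math.log(sigma) + 0.5 * math.log(beta)
    rhs = (2 * beta - d - 1) * math.log(bkz_root_hermite(beta)) + (m / d) * math.log(q)
    return lhs <= rhs


def min_blocksize(n, q, sigma, max_samples=None, m_step=8):
    """Smallest beta, with the sample count m realising it, that breaks the instance."""
    if max_samples is None:
        max_samples = 2 * n
    log_q = math.log(q)
    for beta in range(60, n + max_samples + 1):
        log_delta = math.log(bkz_root_hermite(beta))
        lhs = math.log(sigma) + 0.5 * math.log(beta)
        for m in range(m_step, max_samples + 1, m_step):
            d = n + m + 1
            if lhs <= (2 * beta - d - 1) * log_delta + (m / d) * log_q:
                return beta, m
    return None


def core_svp_bits(beta):
    """Cost of one SVP call in dimension beta under the usual sieving exponents."""
    return {"classical": 0.292 * beta, "quantum": 0.265 * beta, "paranoid": 0.2075 * beta}


def estimate(n, q, sigma):
    beta, m = min_blocksize(n, q, sigma)
    return {"beta": beta, "m": m, **core_svp_bits(beta)}


if __name__ == "__main__":
    # Constructed NewHope-like input: n = 1024, q = 12289, binomial k = 16 (sigma = sqrt 8)
    print(estimate(1024, 12289, math.sqrt(8)))
```

The search runs beta upwards and stops at the first block size for which some sample count satisfies the GSA condition, so the result is the cheapest primal attack under this model; the classical bit-security is then 0.292 times that beta. Changing sigma, q or n and re-running shows directly how much of the parameter budget each choice buys, which is the kind of comparison the outline's "Bit-security estimation" section performs with its refined attacks.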
Implementing conjunction obfuscation under entropic ring LWE
We address the practicality challenges of secure program obfuscation by implementing, optimizing, and experimentally assessing an approach to securely obfuscate conjunction programs proposed in [1]. Conjunction programs evaluate functions , where is either or and , and can be used as classifiers. Our obfuscation approach satisfies distributional Virtual Black Box (VBB) security based on reasonable hardness assumptions, namely an entropic variant of the Ring Learning with Errors (Ring-LWE) assumption. Prior implementations of secure program obfuscation techniques support either trivial programs like point functions, or support the obfuscation of more general but less efficient branching programs to satisfy Indistinguishability Obfuscation (IO), a weaker security model. Further, the more general implemented techniques, rather than relying on standard assumptions, base their security on conjectures that have been shown to be theoretically vulnerable. Our work is the first implementation of non-trivial program obfuscation based on polynomial rings. Our contributions include multiple design and implementation advances resulting in reduced program size, obfuscation runtime, and evaluation runtime by many orders of magnitude. We implement our design in software and experimentally assess performance in a commercially available multi-core computing environment.
Our implementation achieves runtimes of 6.7 hours to securely obfuscate a 64-bit conjunction program and 2.5 seconds to evaluate this program over an arbitrary input. We are also able to obfuscate a 32-bit conjunction program with 53 bits of security in 7 minutes and evaluate the obfuscated program in 43 milliseconds on a commodity desktop computer, which implies that 32-bit conjunction obfuscation is already practical. Our graph-induced (directed) encoding implementation runs up to 25 levels, which is higher than previously reported in the literature for this encoding. Our design and implementation advances are applicable to obfuscating more general compute-and-compare programs and can also be used for many cryptographic schemes based on lattice trapdoors.
Server-Aided Revocable Predicate Encryption: Formalization and Lattice-Based Instantiation
Efficient user revocation is a necessary but challenging problem in many multi-user cryptosystems. Among known approaches, server-aided revocation yields a promising solution, because it allows outsourcing the major workloads of system users to a computationally powerful third party, called the server, whose only requirement is to carry out the computations correctly. Such a revocation mechanism was considered in the settings of identity-based encryption and attribute-based encryption by Qin et al. (ESORICS 2015) and Cui et al. (ESORICS 2016), respectively.
In this work, we consider the server-aided revocation mechanism in the more elaborate setting of predicate encryption (PE). The latter, introduced by Katz, Sahai, and Waters (EUROCRYPT 2008), provides fine-grained and role-based access to encrypted data and can be viewed as a generalization of identity-based and attribute-based encryption. Our contribution is two-fold. First, we formalize the model of server-aided revocable predicate encryption (SR-PE), with rigorous definitions and security notions. Our model can be seen as a non-trivial adaptation of Cui et al.'s work to the PE context. Second, we put forward a lattice-based instantiation of SR-PE. The scheme employs the PE scheme of Agrawal, Freeman and Vaikuntanathan (ASIACRYPT 2011) and the complete subtree method of Naor, Naor, and Lotspiech (CRYPTO 2001) as the two main ingredients, which work smoothly together thanks to a few additional techniques. Our scheme is proven secure in the standard model (in a selective manner), based on the hardness of the Learning With Errors (LWE) problem.
Comment: 24 pages