5,830 research outputs found
Ring Learning With Errors: A crossroads between postquantum cryptography, machine learning and number theory
The present survey reports on the state of the art of the different
cryptographic functionalities built upon the ring learning with errors problem
and its interplay with several classical problems in algebraic number theory.
The survey is based to a certain extent on an invited course given by the
author at the Basque Center for Applied Mathematics in September 2018.
Comment: arXiv admin note: text overlap with arXiv:1508.01375 by other
authors. Comment of the author: a quotation has been added to Theorem 5.
Frodo: Take off the ring! Practical, quantum-secure key exchange from LWE
Lattice-based cryptography offers some of the most attractive primitives believed to be resistant to quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key exchange protocols based on hard problems in ideal lattices, mainly based on the Ring Learning With Errors (R-LWE) problem. While ideal lattices facilitate major efficiency and storage benefits over their nonideal counterparts, the additional ring structure that enables these advantages also raises concerns about the assumed difficulty of the underlying problems. Thus, a question of significant interest to cryptographers, and especially to those currently placing bets on primitives that will withstand quantum adversaries, is how much of an advantage the additional ring structure actually gives in practice. Despite conventional wisdom that generic lattices might be too slow and unwieldy, we demonstrate that LWE-based key exchange is quite practical: our constant time implementation requires around 1.3ms computation time for each party; compared to the recent NewHope R-LWE scheme, communication sizes increase by a factor of 4.7×, but remain under 12 KiB in each direction. Our protocol is competitive when used for serving web pages over TLS; when partnered with ECDSA signatures, latencies increase by less than a factor of 1.6×, and (even under heavy load) server throughput only decreases by factors of 1.5× and 1.2× when serving typical 1 KiB and 100 KiB pages, respectively. To achieve these practical results, our protocol takes advantage of several innovations. These include techniques to optimize communication bandwidth, dynamic generation of public parameters (which also offers additional security against backdoors), carefully chosen error distributions, and tight security parameters
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a
number of applications, in particular, as an essential building block for
two-party and multi-party computation. We construct a round-optimal (2 rounds)
universally composable (UC) protocol for oblivious transfer secure against
active adaptive adversaries from any OW-CPA secure public-key encryption scheme
with certain properties in the random oracle model (ROM). In terms of
computation, our protocol only requires the generation of a public/secret-key
pair, two encryption operations and one decryption operation, apart from a few
calls to the random oracle. In terms of communication, our protocol only
requires the transfer of one public key, two ciphertexts, and three binary
strings of roughly the same size as the message. Next, we show how to
instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE,
and CDH assumptions. Our instantiations based on the low noise LPN, McEliece,
and QC-MDPC assumptions are the first UC-secure OT protocols based on coding
assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3)
low communication and computational complexities. Previous results in this
setting only achieved static security and used costly cut-and-choose
techniques. Our instantiation based on CDH achieves adaptive security at the
small cost of communicating only two more group elements as compared to the
gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which
only achieves static security in the ROM
Quantum key distribution with delayed privacy amplification and its application to security proof of a two-way deterministic protocol
Privacy amplification (PA) is an essential post-processing step in quantum
key distribution (QKD) for removing any information an eavesdropper may have on
the final secret key. In this paper, we consider delaying PA of the final key
after its use in one-time pad encryption and prove its security. We prove that
the security and the key generation rate are not affected by delaying PA.
Delaying PA has two applications: it serves as a tool for significantly
simplifying the security proof of QKD with a two-way quantum channel, and also
it is useful in QKD networks with trusted relays. To illustrate the power of
the delayed PA idea, we use it to prove the security of a qubit-based two-way
deterministic QKD protocol which uses four states and four encoding operations.
Comment: 11 pages, 3 figures
DAGS: Key encapsulation using dyadic GS codes
Code-based cryptography is one of the main areas of interest for NIST's Post-Quantum Cryptography Standardization call. In this paper, we introduce DAGS, a Key Encapsulation Mechanism (KEM) based on quasi-dyadic generalized Srivastava codes. The scheme is proved to be IND-CCA secure in both the random oracle model and the quantum random oracle model. We believe that DAGS will offer competitive performance, especially when compared with other existing code-based schemes, and represent a valid candidate for post-quantum standardization.
Security of Quantum Bit-String Generation
We consider the cryptographic task of bit-string generation. This is a
generalisation of coin tossing in which two mistrustful parties wish to
generate a string of random bits such that an honest party can be sure that the
other cannot have biased the string too much. We consider a quantum protocol
for this task, originally introduced in Phys. Rev. A 69, 022322 (2004),
that is feasible with present day technology. We introduce security conditions
based on the average bias of the bits and the Shannon entropy of the string.
For each, we prove rigorous security bounds for this protocol in both noiseless
and noisy conditions under the most general attacks allowed by quantum
mechanics. Roughly speaking, in the absence of noise, a cheater can only bias
significantly a vanishing fraction of the bits, whereas in the presence of
noise, a cheater can bias a constant fraction, with this fraction depending
quantitatively on the level of noise. We also discuss classical protocols for
the same task, deriving upper bounds on how well a classical protocol can
perform. This enables the determination of how much noise the quantum protocol
can tolerate while still outperforming classical protocols. We raise several
conjectures concerning both quantum and classical possibilities for large-n
cryptography. An experiment corresponding to the scheme analysed in this paper
has been performed and is reported elsewhere.
Comment: 16 pages. No figures. Accepted for publication in Phys. Rev. A. A
corresponding experiment is reported in quant-ph/040812
Analysis of BCNS and Newhope Key-exchange Protocols
Lattice-based cryptographic primitives are believed to offer resilience against attacks by quantum computers. Following increasing interest from both companies and government agencies in building quantum computers, a number of works have proposed instantiations of practical post-quantum key-exchange protocols based on hard problems in lattices, mainly based on the Ring Learning With Errors (R-LWE) problem.
In this work we present an analysis of Ring-LWE based key-exchange mechanisms and compare two implementations of a Ring-LWE based key-exchange protocol: BCNS and NewHope. This is important because the NewHope protocol implementation outperforms the state-of-the-art elliptic-curve Diffie-Hellman key exchange X25519, showing that using a quantum-safe key exchange is not only a viable option but also a faster one. Specifically, this thesis compares different reconciliation methods, parameter choices, noise sampling algorithms and performance