Implementing a Toolkit for Ring-LWE Based Cryptography in Arbitrary Cyclotomic Number Fields

Recent research in the field of lattice-based cryptography, especially on the topic of the ring-based primitive ring-LWE, provided efficient and practical ring-based cryptographic schemes, which can compete with more traditional number-theoretic ones. In the case of ring-LWE these cryptographic schemes operated mainly in power-of-two cyclotomics, which vastly restricted the variety of possible applications. Due to the toolkit for ring-LWE of Lyubashevsky, Peikert and Regev, there are now cryptographic schemes that operate in arbitrary cyclotomics, with no loss in their underlying hardness guarantees, and only little loss computational efficiency. Next to some further refinements and explanations of the theory and additional implementation notes, we provide the - as far as we know - first implementation of the toolkit of Lyubashevsky, Peikert and Regev. This includes a complete framework with fast and modular algorithms that can be used to build cryptographic schemes around ring-LWE. Our framework is easy to use, open source and has only little third party dependencies. For demonstration purposes we implemented two public-key cryptographic schemes using our framework. The complete source code is available at https://github.com/CMMayer/Toolkit-for-Ring-LWE.git

Learning with Errors is easy with quantum samples

Learning with Errors is one of the fundamental problems in computational learning theory and has in the last years become the cornerstone of post-quantum cryptography. In this work, we study the quantum sample complexity of Learning with Errors and show that there exists an efficient quantum learning algorithm (with polynomial sample and time complexity) for the Learning with Errors problem where the error distribution is the one used in cryptography. While our quantum learning algorithm does not break the LWE-based encryption schemes proposed in the cryptography literature, it does have some interesting implications for cryptography: first, when building an LWE-based scheme, one needs to be careful about the access to the public-key generation algorithm that is given to the adversary; second, our algorithm shows a possible way for attacking LWE-based encryption by using classical samples to approximate the quantum sample state, since then using our quantum learning algorithm would solve LWE

Gadgets and Gaussians in Lattice-Based Cryptography

This dissertation explores optimal algorithms employed in lattice-based cryptographic schemes. Chapter 2 focuses on optimizing discrete gaussian sampling on "gadget" and algebraic lattices. These gaussian sampling algorithms are used in lattice-cryptography's most efficient trapdoor mechanism for the SIS and LWE problems: "MP12" trapdoors. However, this trapdoor mechanism was previously not optimized and inefficient (or not proven to be statistically correct) for structured lattices (ring-SIS/LWE), lattice-cryptography's most efficient form, where the modulus is often a prime. The algorithms in this chapter achieve optimality in this regime and have (already) resulted in drastic efficiency improvement in independent implementations.Chapter 3 digs deeper into the gadget lattice's associated algorithms. Specifically, we explore efficiently sampling a simple subgaussian distribution on gadget lattices, and we optimize LWE decoding on gadget lattices. These subgaussian sampling algorithms correspond to a randomized bit-decomposition needed in lattice-based schemes with homomorphic properties like fully homomorphic encryption (FHE). Next, we introduce a general class of "Chinese Remainder Theorem" (CRT) gadgets. These gadgets allow advanced lattice-based schemes to avoid multi-precision arithmetic when the applications modulus is larger than 64 bits. The algorithms presented in the first two chapters improve the efficiency of many lattice-based cryptosystems: digital signature schemes, identity-based encryption schemes, as well as more advanced schemes like fully-homomorphic encryption and attribute-based encryption. In the final chapter, we take a closer look at the random matrices used in trapdoor lattices. First, we revisit the constants in the concentration bounds of subgaussian random matrices. Then, we provide experimental evidence for a simple heuristic regarding the singular values of matrices with entries drawn from commonly used distributions in cryptography. Though the proofs in this chapter are dense, cryptographers need a strong understanding of the singular values of these matrices since their maximum singular value determines the concrete security of the trapdoor scheme's underlying SIS problem

Vers une arithmétique efficace pour le chiffrement homomorphe basé sur le Ring-LWE

Fully homomorphic encryption is a kind of encryption offering the ability to manipulate encrypted data directly through their ciphertexts. In this way it is possible to process sensitive data without having to decrypt them beforehand, ensuring therefore the datas' confidentiality. At the numeric and cloud computing era this kind of encryption has the potential to considerably enhance privacy protection. However, because of its recent discovery by Gentry in 2009, we do not have enough hindsight about it yet. Therefore several uncertainties remain, in particular concerning its security and efficiency in practice, and should be clarified before an eventual widespread use. This thesis deals with this issue and focus on performance enhancement of this kind of encryption in practice. In this perspective we have been interested in the optimization of the arithmetic used by these schemes, either the arithmetic underlying the Ring Learning With Errors problem on which the security of these schemes is based on, or the arithmetic specific to the computations required by the procedures of some of these schemes. We have also considered the optimization of the computations required by some specific applications of homomorphic encryption, and in particular for the classification of private data, and we propose methods and innovative technics in order to perform these computations efficiently. We illustrate the efficiency of our different methods through different software implementations and comparisons to the related art.Le chiffrement totalement homomorphe est un type de chiffrement qui permet de manipuler directement des données chiffrées. De cette manière, il est possible de traiter des données sensibles sans avoir à les déchiffrer au préalable, permettant ainsi de préserver la confidentialité des données traitées. À l'époque du numérique à outrance et du "cloud computing" ce genre de chiffrement a le potentiel pour impacter considérablement la protection de la vie privée. Cependant, du fait de sa découverte récente par Gentry en 2009, nous manquons encore de recul à son propos. C'est pourquoi de nombreuses incertitudes demeurent, notamment concernant sa sécurité et son efficacité en pratique, et devront être éclaircies avant une éventuelle utilisation à large échelle.Cette thèse s'inscrit dans cette problématique et se concentre sur l'amélioration des performances de ce genre de chiffrement en pratique. Pour cela nous nous sommes intéressés à l'optimisation de l'arithmétique utilisée par ces schémas, qu'elle soit sous-jacente au problème du "Ring-Learning With Errors" sur lequel la sécurité des schémas considérés est basée, ou bien spécifique aux procédures de calculs requises par certains de ces schémas. Nous considérons également l'optimisation des calculs nécessaires à certaines applications possibles du chiffrement homomorphe, et en particulier la classification de données privées, de sorte à proposer des techniques de calculs innovantes ainsi que des méthodes pour effectuer ces calculs de manière efficace. L'efficacité de nos différentes méthodes est illustrée à travers des implémentations logicielles et des comparaisons aux techniques de l'état de l'art

Implementing conjunction obfuscation under entropic ring LWE

We address the practicality challenges of secure program obfuscation by implementing, optimizing, and experimentally assessing an approach to securely obfuscate conjunction programs proposed in [1]. Conjunction programs evaluate functions $f (x_1, . . . , x_L) = \wedge_{i \in I}$ $y_i$, where $y_i$ is either $x_i$ or $\neg x_i$ and $I \subseteq [L]$, and can be used as classifiers. Our obfuscation approach satisfies distributional Virtual Black Box (VBB) security based on reasonable hardness assumptions, namely an entropic variant of the Ring Learning with Errors (Ring-LWE) assumption. Prior implementations of secure program obfuscation techniques support either trivial programs like point functions, or support the obfuscation of more general but less efficient branching programs to satisfy Indistinguishability Obfuscation (IO), a weaker security model. Further, the more general implemented techniques, rather than relying on standard assumptions, base their security on conjectures that have been shown to be theoretically vulnerable. Our work is the first implementation of non-trivial program obfuscation based on polynomial rings. Our contributions include multiple design and implementation advances resulting in reduced program size, obfuscation runtime, and evaluation runtime by many orders of magnitude. We implement our design in software and experimentally assess performance in a commercially available multi-core computing environment. Our implementation achieves runtimes of 6.7 hours to securely obfuscate a 64-bit conjunction program and 2.5 seconds to evaluate this program over an arbitrary input. We are also able to obfuscate a 32-bit conjunction program with 53 bits of security in 7 minutes and evaluate the obfuscated program in 43 milliseconds on a commodity desktop computer, which implies that 32-bit conjunction obfuscation is already practical. Our graph-induced (directed) encoding implementation runs up to 25 levels, which is higher than previously reported in the literature for this encoding. Our design and implementation advances are applicable to obfuscating more general compute-and-compare programs and can also be used for many cryptographic schemes based on lattice trapdoors

Encriptação parcialmente homomórfica CCA1-segura

Orientadores: Ricardo Dahab, Diego de Freitas AranhaTese (doutorado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: Nesta tese nosso tema de pesquisa é a encriptação homomórfica, com foco em uma solução prática e segura para encriptação parcialmente homomórfica (somewhat homomorphic encryption - SHE), considerando o modelo de segurança conhecido como ataque de texto encriptado escolhido (chosen ciphertext attack - CCA). Este modelo pode ser subdividido em duas categorias, a saber, CCA1 e CCA2, sendo CCA2 o mais forte. Sabe-se que é impossível construir métodos de encriptação homomórfica que sejam CCA2-seguros. Por outro lado, é possível obter segurança CCA1, mas apenas um esquema foi proposto até hoje na literatura; assim, seria interessante haver outras construções oferecendo este tipo de segurança. Resumimos os principais resultados desta tese de doutorado em duas contribuições. A primeira é mostrar que a família NTRU de esquemas SHE é vulnerável a ataques de recuperação de chave privada, e portanto não são CCA1-seguros. A segunda é a utilização de computação verificável para obter esquemas SHE que são CCA1-seguros e que podem ser usados para avaliar polinômios multivariáveis quadráticos. Atualmente, métodos de encriptação homomórfica são construídos usando como substrato dois problemas de difícil solução: o MDC aproximado (approximate GCD problem - AGCD) e o problema de aprendizado com erros (learning with errors - LWE). O problema AGCD leva, em geral, a construções mais simples mas com desempenho inferior, enquanto que os esquemas baseados no problema LWE correspondem ao estado da arte nesta área de pesquisa. Recentemente, Cheon e Stehlé demonstraram que ambos problemas estão relacionados, e é uma questão interessante investigar se esquemas baseados no problema AGCD podem ser tão eficientes quanto esquemas baseados no problema LWE. Nós respondemos afirmativamente a esta questão para um cenário específico: estendemos o esquema de computação verificável proposto por Fiore, Gennaro e Pastro, de forma que use a suposição de que o problema AGCD é difícil, juntamente com o esquema DGHV adaptado para uso do Teorema Chinês dos Restos (Chinese remainder theorem - CRT) de forma a evitar ataques de recuperação de chave privadaAbstract: In this thesis we study homomorphic encryption with focus on practical and secure somewhat homomorphic encryption (SHE), under the chosen ciphertext attack (CCA) security model. This model is classified into two different main categories: CCA1 and CCA2, with CCA2 being the strongest. It is known that it is impossible to construct CCA2-secure homomorphic encryption schemes. On the other hand, CCA1-security is possible, but only one scheme is known to achieve it. It would thus be interesting to have other CCA1-secure constructions. The main results of this thesis are summarized in two contributions. The first is to show that the NTRU-family of SHE schemes is vulnerable to key recovery attacks, hence not CCA1-secure. The second is the utilization of verifiable computation to obtain a CCA1-secure SHE scheme that can be used to evaluate quadratic multivariate polynomials. Homomorphic encryption schemes are usually constructed under the assumption that two distinct problems are hard, namely the Approximate GCD (AGCD) Problem and the Learning with Errors (LWE) Problem. The AGCD problem leads, in general, to simpler constructions, but with worse performance, wheras LWE-based schemes correspond to the state-of-the-art in this research area. Recently, Cheon and Stehlé proved that both problems are related, and thus it is an interesting problem to investigate if AGCD-based SHE schemes can be made as efficient as their LWE counterparts. We answer this question positively for a specific scenario, extending the verifiable computation scheme proposed by Fiore, Gennaro and Pastro to work under the AGCD assumption, and using it together with the Chinese Remainder Theorem (CRT)-version of the DGHV scheme, in order to avoid key recovery attacksDoutoradoCiência da ComputaçãoDoutor em Ciência da Computação143484/2011-7CNPQCAPE

On Large Polynomial Multiplication in Certain Rings

Multiplication of polynomials with large integer coefficients and very high degree is used in cryptography. Residue number system (RNS) helps distribute a very large integer over a set of smaller integers, which makes the computations faster. In this thesis, multiplication of polynomials in ring Z_p/(x^n + 1) where n is a power of two is analyzed using the Schoolbook method, Karatsuba algorithm, Toeplitz matrix vector product (TMVP) method and Number Theoretic Transform (NTT) method. All coefficients are residues of p which is a 30-bit integer that has been selected from the set of 30-bit moduli for RNS in NFLlib. NTT has a computational complexity of O(n log n) and hence, it has the best performance among all these methods for the multiplication of large polynomials. NTT method limits applications in ring Z_p/(x^n + 1). This restricts size of the polynomials to only powers of two. We consider multiplication in other cyclotomic rings using TMVP method which has a subquadratic complexity of O(n log_2 3). An attempt is made to improve the performance of TMVP method by designing a hybrid method that switches to schoolbook method when n reaches a certain low value. It is first implemented in Zp/(x^n + 1) to improve the performance of TMVP for large polynomials. This method performs almost as good as NTT for polynomials of size 2^(10). TMVP method is then exploited to design multipliers in other rings Z_p/Φ_k where Φ_k is a cyclotomic trinomial. Similar hybrid designs are analyzed to improve performance in the trinomial rings. This allows a wider range of polynomials in terms of size to work with and helps avoid unnecessary use of larger key size that might slow down computations