908 research outputs found

    A New Upperbound for the Oblivious Transfer Capacity of Discrete Memoryless Channels

    Full text link
    We derive a new upper bound on the string oblivious transfer capacity of discrete memoryless channels. The main tool we use is the tension region of a pair of random variables introduced in Prabhakaran and Prabhakaran (2014) where it was used to derive upper bounds on rates of secure sampling in the source model. In this paper, we consider secure computation of string oblivious transfer in the channel model. Our bound is based on a monotonicity property of the tension region in the channel model. We show that our bound strictly improves upon the upper bound of Ahlswede and Csisz\'ar (2013).Comment: 7 pages, 3 figures, extended version of submission to IEEE Information Theory Workshop, 201

    Privacy-Preserving Quantum Two-Party Geometric Intersection

    Full text link
    Privacy-preserving computational geometry is the research area on the intersection of the domains of secure multi-party computation (SMC) and computational geometry. As an important field, the privacy-preserving geometric intersection (PGI) problem is when each of the multiple parties has a private geometric graph and seeks to determine whether their graphs intersect or not without revealing their private information. In this study, through representing Alice's (Bob's) private geometric graph G_A (G_B) as the set of numbered grids S_A (S_B), an efficient privacy-preserving quantum two-party geometric intersection (PQGI) protocol is proposed. In the protocol, the oracle operation O_A (O_B) is firstly utilized to encode the private elements of S_A=(a_0, a_1, ..., a_(M-1)) (S_B=(b_0, b_1, ..., b_(N-1))) into the quantum states, and then the oracle operation O_f is applied to obtain a new quantum state which includes the XOR results between each element of S_A and S_B. Finally, the quantum counting is introduced to get the amount (t) of the states |a_i+b_j> equaling to |0>, and the intersection result can be obtained by judging t>0 or not. Compared with classical PGI protocols, our proposed protocol not only has higher security, but also holds lower communication complexity

    Computational Perspectives on Bell Inequalities and Many-body Quantum Correlations

    Get PDF
    The predictions of quantum mechanics cannot be resolved with a completely classical view of the world. In particular, the statistics of space-like separated measurements on entangled quantum systems violate a Bell inequality. We put forward a computational perspective on a broad class of Bell tests that study correlators, or the statistics of joint measurement outcomes. We associate particular maps, or functions to particular theories. The violation of a Bell inequality then implies the ability to perform some functions, or computations that classical, or more generally, local hidden variable (LHV) theories cannot.Comment: PhD thesis: 169 pages, 3 figures, and hopefully is of use to someon

    On perfectly secure 2PC in the OT-hybrid model

    Get PDF
    A well known result by Kilian (ACM 1988) asserts that general secure two computation (2PC) with statistical security, can be based on OT. Specifically, in the client-server model, where only one party -- the client -- receives an output, Kilianโ€™s result shows that given the ability to call an ideal oracle that computes OT, two parties can securely compute an arbitrary function of their inputs with unconditional security. Ishai et al. (EUROCRYPT 2011) further showed that this can be done efficiently for every two-party functionality in NC1\mathrm{NC}^1 in a single round. However, their results only achieve statistical security, namely, it is allowed to have some error in security. This leaves open the natural question as to which client-server functionalities can be computed with perfect security in the OT-hybrid model, and what is the round complexity of such computation. So far, only a handful of functionalities were known to have such protocols. In addition to the obvious theoretical appeal of the question towards better understanding secure computation, perfect, as opposed to statistical reductions, may be useful for designing secure multiparty protocols with high concrete efficiency, achieved by eliminating the dependence on a security parameter. In this work, we identify a large class of client-server functionalities f:Xร—Yโ†ฆ{0,1}f:\mathcal{X}\times \mathcal{Y}\mapsto \{0,1\}, where the server\u27s domain X\mathcal{X} is larger than the client\u27s domain Y\mathcal{Y}, that have a perfect reduction to OT. Furthermore, our reduction is 1-round using an oracle to secure evaluation of many parallel invocations of (21)\binom21-bit-OT, as done by Ishai et al. (EUROCRYPT 2011). Interestingly, the set of functions that we are able to compute was previously identified by Asharov (TCC 2014) in the context of fairness in two-party computation, naming these functions full-dimensional. Our result also extends to randomized non-Boolean functions f:Xร—Yโ†ฆ{0,โ€ฆ,kโˆ’1}f:\mathcal{X}\times \mathcal{Y}\mapsto\{0,\ldots,k-1\} satisfying โˆฃXโˆฃ>(kโˆ’1)โ‹…โˆฃYโˆฃ|\mathcal{X}|>(k-1)\cdot|\mathcal{Y}|

    Privacy-preserving proximity detection with secure multi-party computational geometry

    Get PDF
    Over the last years, Location-Based Services (LBSs) have become popular due to the global use of smartphones and improvement in Global Positioning System (GPS) and other positioning methods. Location-based services employ users' location to offer relevant information to users or provide them with useful recommendations. Meanwhile, with the development of social applications, location-based social networking services (LBSNS) have attracted millions of users because the geographic position of users can be used to enhance the services provided by those social applications. Proximity detection, as one type of location-based function, makes LBSNS more flexible and notifies mobile users when they are in proximity. Despite all the desirable features that such applications provide, disclosing the exact location of individuals to a centralized server and/or their social friends might put users at risk of falling their information in wrong hands, since locations may disclose sensitive information about people including political and religious affiliations, lifestyle, health status, etc. Consequently, users might be unwilling to participate in such applications. To this end, private proximity detection schemes enable two parties to check whether they are in close proximity while keeping their exact locations secret. In particular, running a private proximity detection protocol between two parties only results in a boolean value to the querier. Besides, it guarantees that no other information can be leaked to the participants regarding the other party's location. However, most proposed private proximity detection protocols enable users to choose only a simple geometric range on the map, such as a circle or a rectangle, in order to test for proximity. In this thesis, we take inspiration from the field of Computational Geometry and develop two privacy-preserving proximity detection protocols that allow a mobile user to specify an arbitrary complex polygon on the map and check whether his/her friends are located therein. We also analyzed the efficiency of our solutions in terms of computational and communication costs. Our evaluation shows that compared to the similar earlier work, the proposed solution increases the computational efficiency by up to 50%, and reduces the communication overhead by up to 90%. Therefore, we have achieved a significant reduction of computational and communication complexity

    ์ •๋ณด ๋ณดํ˜ธ ๊ธฐ๊ณ„ ํ•™์Šต์˜ ์•”ํ˜ธํ•™ ๊ธฐ๋ฐ˜ ๊ธฐ์ˆ : ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ์™€ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ

    Get PDF
    ํ•™์œ„๋…ผ๋ฌธ (๋ฐ•์‚ฌ) -- ์„œ์šธ๋Œ€ํ•™๊ต ๋Œ€ํ•™์› : ๊ณต๊ณผ๋Œ€ํ•™ ์ „๊ธฐยท์ •๋ณด๊ณตํ•™๋ถ€, 2021. 2. ๋…ธ์ข…์„ .In this dissertation, three main contributions are given as; i) a protocol of privacy-preserving machine learning using network resources, ii) the development of approximate homomorphic encryption that achieves less error and high-precision bootstrapping algorithm without compromising performance and security, iii) the cryptanalysis and the modification of code-based cryptosystems: cryptanalysis on IKKR cryptosystem and modification of the pqsigRM, a digital signature scheme proposed to the post-quantum cryptography (PQC) standardization of National Institute of Standards and Technology (NIST). The recent development of machine learning, cloud computing, and blockchain raises a new privacy problem; how can one outsource computation on confidential data? Moreover, as research on quantum computers shows success, the need for PQC is also emerging. Multi-party computation (MPC) is the cryptographic protocol that makes computation on data without revealing it. Since MPC is designed based on homomorphic encryption (HE) and PQC, research on designing efficient and safe HE and PQC is actively being conducted. First, I propose a protocol for privacy-preserving machine learning (PPML) that replaces bootstrapping of homomorphic encryption with network resources. In general, the HE ciphertext has a limited depth of circuit that can be calculated, called the level of a ciphertext. We call bootstrapping restoring the level of ciphertext that has exhausted its level through a method such as homomorphic decryption. Bootstrapping of homomorphic encryption is, in general, very expensive in time and space. However, when deep computations like deep learning are performed, it is required to do bootstrapping. In this protocol, both the client's message and servers' intermediate values are kept secure, while the client's computation and communication complexity are light. Second, I propose an improved bootstrapping algorithm for the CKKS scheme and a method to reduce the error by homomorphic operations in the CKKS scheme. The Cheon-Kim-Kim-Song (CKKS) scheme (Asiacrypt '17) is one of the highlighted fully homomorphic encryption (FHE) schemes as it is efficient to deal with encrypted real numbers, which are the usual data type for many applications such as machine learning. However, the precision drop due to the error growth is a drawback of the CKKS scheme for data processing. I propose a method to achieve high-precision approximate FHE using the following two methods .First, I apply the signal-to-noise ratio (SNR) concept and propose methods to maximize SNR by reordering homomorphic operations in the CKKS scheme. For that, the error variance is minimized instead of the upper bound of error when we deal with the encrypted data. Second, from the same perspective of minimizing error variance, I propose a new method to find the approximate polynomials for the CKKS scheme. The approximation method is especially applied to the CKKS scheme's bootstrapping, where we achieve bootstrapping with smaller error variance compared to the prior arts. In addition to the above variance-minimizing method, I cast the problem of finding an approximate polynomial for a modulus reduction into an L2-norm minimization problem. As a result, I find an approximate polynomial for the modulus reduction without using the sine function, which is the upper bound for the polynomial approximation of the modulus reduction. By using the proposed method, the constraint of q = O(m^{3/2}) is relaxed as O(m), and thus the level loss in bootstrapping can be reduced. The performance improvement by the proposed methods is verified by implementation over HE libraries, that is, HEAAN and SEAL. The implementation shows that by reordering homomorphic operations and using the proposed polynomial approximation, the reliability of the CKKS scheme is improved. Therefore, the quality of services of various applications using the proposed CKKS scheme, such as PPML, can be improved without compromising performance and security. Finally, I propose an improved code-based signature scheme and cryptanalysis of code-based cryptosystems. A novel code-based signature scheme with small parameters and an attack algorithm on recent code-based cryptosystems are presented in this dissertation. This scheme is based on a modified Reed-Muller (RM) code, which reduces the signing complexity and key size compared with existing code-based signature schemes. The proposed scheme has the advantage of the pqsigRM decoder and uses public codes that are more difficult to distinguish from random codes. I use (U, U+V) -codes with the high-dimensional hull to overcome the disadvantages of code-based schemes. The proposed a decoder which efficiently samples from coset elements with small Hamming weight for any given syndrome. The proposed signature scheme resists various known attacks on RM code-based cryptography. For 128 bits of classical security, the signature size is 4096 bits, and the public key size is less than 1 MB. Recently, Ivanov, Kabatiansky, Krouk, and Rumenko (IKKR) proposed three new variants of the McEliece cryptosystem (CBCrypto 2020, affiliated with Eurocrypt 2020). This dissertation shows that one of the IKKR cryptosystems is equal to the McEliece cryptosystem. Furthermore, a polynomial-time attack algorithm for the other two IKKR cryptosystems is proposed. The proposed attack algorithm utilizes the linearity of IKKR cryptosystems. Also, an implementation of the IKKR cryptosystems and the proposed attack is given. The proposed attack algorithm finds the plaintext within 0.2 sec, which is faster than the elapsed time for legitimate decryption.๋ณธ ๋…ผ๋ฌธ์€ ํฌ๊ฒŒ ๋‹ค์Œ์˜ ์„ธ ๊ฐ€์ง€์˜ ๊ธฐ์—ฌ๋ฅผ ํฌํ•จํ•œ๋‹ค. i) ๋„คํŠธ์›Œํฌ๋ฅผ ํ™œ์šฉํ•ด์„œ ์ •๋ณด ๋ณดํ˜ธ ๋”ฅ๋Ÿฌ๋‹์„ ๊ฐœ์„ ํ•˜๋Š” ํ”„๋กœํ† ์ฝœ ii) ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ์—์„œ ๋ณด์•ˆ์„ฑ๊ณผ ์„ฑ๋Šฅ์˜ ์†ํ•ด ์—†์ด ์—๋Ÿฌ๋ฅผ ๋‚ฎ์ถ”๊ณ  ๋†’์€ ์ •ํ™•๋„๋กœ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘ ํ•˜๋Š” ๋ฐฉ๋ฒ• iii) IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ๊ณผ pqsigRM ๋“ฑ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” ๋ฐฉ๋ฒ•๊ณผ ํšจ์œจ์ ์ธ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ. ๊ทผ๋ž˜์˜ ๊ธฐ๊ณ„ํ•™์Šต๊ณผ ๋ธ”๋ก์ฒด์ธ ๊ธฐ์ˆ ์˜ ๋ฐœ์ „์œผ๋กœ ์ธํ•ด์„œ ๊ธฐ๋ฐ€ ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ์—ฐ์‚ฐ์„ ์–ด๋–ป๊ฒŒ ์™ธ์ฃผํ•  ์ˆ˜ ์žˆ๋Š๋ƒ์— ๋Œ€ํ•œ ์ƒˆ๋กœ์šด ๋ณด์•ˆ ๋ฌธ์ œ๊ฐ€ ๋Œ€๋‘๋˜๊ณ  ์žˆ๋‹ค. ๋˜ํ•œ, ์–‘์ž ์ปดํ“จํ„ฐ์— ๊ด€ํ•œ ์—ฐ๊ตฌ๊ฐ€ ์„ฑ๊ณต์„ ๊ฑฐ๋“ญํ•˜๋ฉด์„œ, ์ด๋ฅผ ์ด์šฉํ•œ ๊ณต๊ฒฉ์— ์ €ํ•ญํ•˜๋Š” ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์˜ ํ•„์š”์„ฑ ๋˜ํ•œ ์ปค์ง€๊ณ  ์žˆ๋‹ค. ๋‹ค์ž๊ฐ„ ์ปดํ“จํŒ…์€ ๋ฐ์ดํ„ฐ๋ฅผ ๊ณต๊ฐœํ•˜์ง€ ์•Š๊ณ  ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ์—ฐ์‚ฐ์„ ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋Š” ์•”ํ˜ธํ•™์  ํ”„๋กœํ† ์ฝœ์˜ ์ด์นญ์ด๋‹ค. ๋‹ค์ž๊ฐ„ ์ปดํ“จํŒ…์€ ๋™ํ˜• ์•”ํ˜ธ์™€ ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์— ๊ธฐ๋ฐ˜ํ•˜๊ณ  ์žˆ์œผ๋ฏ€๋กœ, ํšจ์œจ์ ์ธ ๋™ํ˜• ์•”ํ˜ธ์™€ ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์— ๊ด€ํ•œ ์—ฐ๊ตฌ๊ฐ€ ํ™œ๋ฐœํ•˜๊ฒŒ ์ˆ˜ํ–‰๋˜๊ณ  ์žˆ๋‹ค. ๋™ํ˜• ์•”ํ˜ธ๋Š” ์•”ํ˜ธํ™”๋œ ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ์—ฐ์‚ฐ์ด ๊ฐ€๋Šฅํ•œ ํŠน์ˆ˜ํ•œ ์•”ํ˜ธํ™” ์•Œ๊ณ ๋ฆฌ์ฆ˜์ด๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ๋™ํ˜• ์•”ํ˜ธ์˜ ์•”ํ˜ธ๋ฌธ์— ๋Œ€ํ•ด์„œ ์ˆ˜ํ–‰ ๊ฐ€๋Šฅํ•œ ์—ฐ์‚ฐ์˜ ๊นŠ์ด๊ฐ€ ์ •ํ•ด์ ธ ์žˆ์œผ๋ฉฐ, ์ด๋ฅผ ์•”ํ˜ธ๋ฌธ์˜ ๋ ˆ๋ฒจ์ด๋ผ๊ณ  ์นญํ•œ๋‹ค. ๋ ˆ๋ฒจ์„ ๋ชจ๋‘ ์†Œ๋น„ํ•œ ์•”ํ˜ธ๋ฌธ์˜ ๋ ˆ๋ฒจ์„ ๋‹ค์‹œ ๋ณต์›ํ•˜๋Š” ๊ณผ์ •์„ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘ (bootstrapping)์ด๋ผ๊ณ  ์นญํ•œ๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์€ ๋งค์šฐ ์˜ค๋ž˜ ๊ฑธ๋ฆฌ๋Š” ์—ฐ์‚ฐ์ด๋ฉฐ ์‹œ๊ฐ„ ๋ฐ ๊ณต๊ฐ„ ๋ณต์žก๋„๊ฐ€ ํฌ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜, ๋”ฅ๋Ÿฌ๋‹๊ณผ ๊ฐ™์ด ๊นŠ์ด๊ฐ€ ํฐ ์—ฐ์‚ฐ์„ ์ˆ˜ํ–‰ํ•˜๋Š” ๊ฒฝ์šฐ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์ด ํ•„์ˆ˜์ ์ด๋‹ค. ๋ณธ ๋…ผ๋ฌธ์—์„œ๋Š” ์ •๋ณด ๋ณดํ˜ธ ๊ธฐ๊ณ„ํ•™์Šต์„ ์œ„ํ•œ ์ƒˆ๋กœ์šด ํ”„๋กœํ† ์ฝœ์„ ์ œ์•ˆํ•œ๋‹ค. ์ด ํ”„๋กœํ† ์ฝœ์—์„œ๋Š” ์ž…๋ ฅ ๋ฉ”์‹œ์ง€์™€ ๋”๋ถˆ์–ด ์‹ ๊ฒฝ๋ง์˜ ์ค‘๊ฐ„๊ฐ’๋“ค ๋˜ํ•œ ์•ˆ์ „ํ•˜๊ฒŒ ๋ณดํ˜ธ๋œ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ ์—ฌ์ „ํžˆ ์‚ฌ์šฉ์ž์˜ ํ†ต์‹  ๋ฐ ์—ฐ์‚ฐ ๋ณต์žก๋„๋Š” ๋‚ฎ๊ฒŒ ์œ ์ง€๋œ๋‹ค. Cheon, Kim, Kim ๊ทธ๋ฆฌ๊ณ  Song (CKKS)๊ฐ€ ์ œ์•ˆํ•œ ์•”ํ˜ธ ์‹œ์Šคํ…œ (Asiacrypt 17)์€ ๊ธฐ๊ณ„ํ•™์Šต ๋“ฑ์—์„œ ๊ฐ€์žฅ ๋„๋ฆฌ ์“ฐ์ด๋Š” ๋ฐ์ดํ„ฐ์ธ ์‹ค์ˆ˜๋ฅผ ํšจ์œจ์ ์œผ๋กœ ๋‹ค๋ฃฐ ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ ๊ฐ€์žฅ ์ด‰๋ง๋ฐ›๋Š” ์™„์ „ ๋™ํ˜• ์•”ํ˜ธ ์‹œ์Šคํ…œ์ด๋‹ค. ๊ทธ๋Ÿฌ๋‚˜, ์˜ค๋ฅ˜์˜ ์ฆํญ๊ณผ ์ „ํŒŒ๊ฐ€ CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ๊ฐ€์žฅ ํฐ ๋‹จ์ ์ด๋‹ค. ์ด ๋…ผ๋ฌธ์—์„œ๋Š” ์•„๋ž˜์˜ ๊ธฐ์ˆ ์„ ํ™œ์šฉํ•˜์—ฌ CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์˜ค๋ฅ˜๋ฅผ ์ค„์ด๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•˜๋ฉฐ, ์ด๋Š” ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ์— ์ผ๋ฐ˜ํ™”ํ•˜์—ฌ ์ ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค. ์ฒซ์งธ, ์‹ ํ˜ธ ๋Œ€๋น„ ์žก์Œ ๋น„ (signal-to-noise ratio, SNR)์˜ ๊ฐœ๋…์„ ๋„์ž…ํ•˜์—ฌ, SNR๋ฅผ ์ตœ๋Œ€ํ™”ํ•˜๋„๋ก ์—ฐ์‚ฐ์˜ ์ˆœ์„œ๋ฅผ ์žฌ์กฐ์ •ํ•œ๋‹ค. ๊ทธ๋Ÿฌ๊ธฐ ์œ„ํ•ด์„œ๋Š”, ์˜ค๋ฅ˜์˜ ์ตœ๋Œ€์น˜ ๋Œ€์‹  ๋ถ„์‚ฐ์ด ์ตœ์†Œํ™”๋˜์–ด์•ผ ํ•˜๋ฉฐ, ์ด๋ฅผ ๊ด€๋ฆฌํ•ด์•ผ ํ•œ๋‹ค. ๋‘˜์งธ, ์˜ค๋ฅ˜์˜ ๋ถ„์‚ฐ์„ ์ตœ์†Œํ™”ํ•œ๋‹ค๋Š” ๊ฐ™์€ ๊ด€์ ์—์„œ ์ƒˆ๋กœ์šด ๋‹คํ•ญ์‹ ๊ทผ์‚ฌ ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ์ด ๊ทผ์‚ฌ ๋ฐฉ๋ฒ•์€ ํŠนํžˆ, CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์— ์ ์šฉ๋˜์—ˆ์œผ๋ฉฐ, ์ข…๋ž˜ ๊ธฐ์ˆ ๋ณด๋‹ค ๋” ๋‚ฎ์€ ์˜ค๋ฅ˜๋ฅผ ๋‹ฌ์„ฑํ•œ๋‹ค. ์œ„์˜ ๋ฐฉ๋ฒ•์— ๋”ํ•˜์—ฌ, ๊ทผ์‚ฌ ๋‹คํ•ญ์‹์„ ๊ตฌํ•˜๋Š” ๋ฌธ์ œ๋ฅผ L2-norm ์ตœ์†Œํ™” ๋ฌธ์ œ๋กœ ์น˜ํ™˜ํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ์ด๋ฅผ ํ†ตํ•ด์„œ ์‚ฌ์ธ ํ•จ์ˆ˜์˜ ๋„์ž… ์—†์ด ๊ทผ์‚ฌ ๋‹คํ•ญ์‹์„ ๊ตฌํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ์ œ์•ˆ๋œ ๋ฐฉ๋ฒ•์„ ์‚ฌ์šฉํ•˜๋ฉด, q=O(m^{3/2})๋ผ๋Š” ์ œ์•ฝ์„ q=O(m)์œผ๋กœ ์ค„์ผ ์ˆ˜ ์žˆ์œผ๋ฉฐ, ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์— ํ•„์š”ํ•œ ๋ ˆ๋ฒจ ์†Œ๋ชจ๋ฅผ ์ค„์ผ ์ˆ˜ ์žˆ๋‹ค. ์„ฑ๋Šฅ ํ–ฅ์ƒ์€ HEAAN๊ณผ SEAL ๋“ฑ์˜ ๋™ํ˜• ์•”ํ˜ธ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ํ™œ์šฉํ•œ ๊ตฌํ˜„์„ ํ†ตํ•ด ์ฆ๋ช…ํ–ˆ์œผ๋ฉฐ, ๊ตฌํ˜„์„ ํ†ตํ•ด์„œ ์—ฐ์‚ฐ ์žฌ์ •๋ ฌ๊ณผ ์ƒˆ๋กœ์šด ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์ด CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์„ฑ๋Šฅ์„ ํ–ฅ์ƒํ•จ์„ ํ™•์ธํ–ˆ๋‹ค. ๋”ฐ๋ผ์„œ, ๋ณด์•ˆ์„ฑ๊ณผ ์„ฑ๋Šฅ์˜ ํƒ€ํ˜‘ ์—†์ด ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ์„œ๋น„์Šค์˜ ์งˆ์„ ํ–ฅ์ƒํ•  ์ˆ˜ ์žˆ๋‹ค. ์–‘์ž ์ปดํ“จํ„ฐ๋ฅผ ํ™œ์šฉํ•˜์—ฌ ์ „ํ†ต์ ์ธ ๊ณต๊ฐœํ‚ค ์•”ํ˜ธ๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” ํšจ์œจ์ ์ธ ์•Œ๊ณ ๋ฆฌ์ฆ˜์ด ๊ณต๊ฐœ๋˜๋ฉด์„œ, ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์— ๋Œ€ํ•œ ํ•„์š”์„ฑ์ด ์ฆ๋Œ€ํ–ˆ๋‹ค. ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ๋Š” ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ๋กœ์จ ๋„๋ฆฌ ์—ฐ๊ตฌ๋˜์—ˆ๋‹ค. ์ž‘์€ ํ‚ค ํฌ๊ธฐ๋ฅผ ๊ฐ–๋Š” ์ƒˆ๋กœ์šด ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ๊ณผ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” ๋ฐฉ๋ฒ•์ด ๋…ผ๋ฌธ์— ์ œ์•ˆ๋˜์–ด ์žˆ๋‹ค. pqsigRM์ด๋ผ ๋ช…๋ช…ํ•œ ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ์ด ๊ทธ๊ฒƒ์ด๋‹ค. ์ด ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ์€ ์ˆ˜์ •๋œ Reed-Muller (RM) ๋ถ€ํ˜ธ๋ฅผ ํ™œ์šฉํ•˜๋ฉฐ, ์„œ๋ช…์˜ ๋ณต์žก๋„์™€ ํ‚ค ํฌ๊ธฐ๋ฅผ ์ข…๋ž˜ ๊ธฐ์ˆ ๋ณด๋‹ค ๋งŽ์ด ์ค„์ธ๋‹ค. pqsigRM์€ hull์˜ ์ฐจ์›์ด ํฐ (U, U+V) ๋ถ€ํ˜ธ์™€ ์ด์˜ ๋ณตํ˜ธํ™”๋ฅผ ์ด์šฉํ•˜์—ฌ, ์„œ๋ช…์—์„œ ํฐ ์ด๋“์ด ์žˆ๋‹ค. ์ด ๋ณตํ˜ธํ™” ์•Œ๊ณ ๋ฆฌ์ฆ˜์€ ์ฃผ์–ด์ง„ ๋ชจ๋“  ์ฝ”์…‹ (coset)์˜ ์›์†Œ์— ๋Œ€ํ•˜์—ฌ ์ž‘์€ ํ—ค๋ฐ ๋ฌด๊ฒŒ๋ฅผ ๊ฐ–๋Š” ์›์†Œ๋ฅผ ๋ฐ˜ํ™˜ํ•œ๋‹ค. ๋˜ํ•œ, ์ˆ˜์ •๋œ RM ๋ถ€ํ˜ธ๋ฅผ ์ด์šฉํ•˜์—ฌ, ์•Œ๋ ค์ง„ ๋ชจ๋“  ๊ณต๊ฒฉ์— ์ €ํ•ญํ•œ๋‹ค. 128๋น„ํŠธ ์•ˆ์ •์„ฑ์— ๋Œ€ํ•ด์„œ ์„œ๋ช…์˜ ํฌ๊ธฐ๋Š” 4096 ๋น„ํŠธ์ด๊ณ , ๊ณต๊ฐœ ํ‚ค์˜ ํฌ๊ธฐ๋Š” 1MB๋ณด๋‹ค ์ž‘๋‹ค. ์ตœ๊ทผ, Ivanov, Kabatiansky, Krouk, ๊ทธ๋ฆฌ๊ณ  Rumenko (IKKR)๊ฐ€ McEliece ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์„ธ ๊ฐ€์ง€ ๋ณ€ํ˜•์„ ๋ฐœํ‘œํ–ˆ๋‹ค (CBCrypto 2020, Eurocrypt 2020์™€ ํ•จ๊ป˜ ์ง„ํ–‰). ๋ณธ ๋…ผ๋ฌธ์—์„œ๋Š” IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ์ค‘ ํ•˜๋‚˜๊ฐ€ McEliece ์•”ํ˜ธ ์‹œ์Šคํ…œ๊ณผ ๋™์น˜์ž„์„ ์ฆ๋ช…ํ•œ๋‹ค. ๋˜ํ•œ ๋‚˜๋จธ์ง€ IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ์— ๋Œ€ํ•œ ๋‹คํ•ญ ์‹œ๊ฐ„ ๊ณต๊ฒฉ์„ ์ œ์•ˆํ•œ๋‹ค. ์ œ์•ˆํ•˜๋Š” ๊ณต๊ฒฉ์€ IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์„ ํ˜•์„ฑ์„ ํ™œ์šฉํ•œ๋‹ค. ๋˜ํ•œ, ์ด ๋…ผ๋ฌธ์€ ์ œ์•ˆํ•œ ๊ณต๊ฒฉ์˜ ๊ตฌํ˜„์„ ํฌํ•จํ•˜๋ฉฐ, ์ œ์•ˆ๋œ ๊ณต๊ฒฉ์€ 0.2์ดˆ ์ด๋‚ด์— ๋ฉ”์‹œ์ง€๋ฅผ ๋ณต์›ํ•˜๊ณ , ์ด๋Š” ์ •์ƒ์ ์ธ ๋ณตํ˜ธํ™”๋ณด๋‹ค ๋น ๋ฅธ ์†๋„์ด๋‹ค.Contents Abstract i Contents iv List of Tables ix List of Figures xi 1 Introduction 1 1.1 Homomorphic Encryption and Privacy-Preserving Machine Learning 4 1.2 High-Precision CKKS Scheme and Its Bootstrapping 5 1.2.1 Near-Optimal Bootstrapping of the CKKS Scheme Using Least Squares Method 6 1.2.2 Variance-Minimizing and Optimal Bootstrapping of the CKKS Scheme 8 1.3 Efficient Code-Based Signature Scheme and Cryptanalysis of the Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems 10 1.3.1 Modified pqsigRM: An Efficient Code-Based Signature Scheme 11 1.3.2 Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems and Its Equality 13 1.4 Organization of the Dissertation 14 2 Preliminaries 15 2.1 Basic Notation 15 2.2 Privacy-Preserving Machine Learning and Security Terms 16 2.2.1 Privacy-Preserving Machine Learning and Security Terms 16 2.2.2 Privacy-Preserving Machine Learning 17 2.3 The CKKS Scheme and Its Bootstrapping 18 2.3.1 The CKKS Scheme 18 2.3.2 CKKS Scheme in RNS 22 2.3.3 Bootstrapping of the CKKS Scheme 24 2.3.4 Statistical Characteristics of Modulus Reduction and Failure Probability of Bootstrapping of the CKKS Scheme 26 2.4 Approximate Polynomial and Signal-to-Noise Perspective for Approximate Homomorphic Encryption 27 2.4.1 Chebyshev Polynomials 27 2.4.2 Signal-to-Noise Perspective of the CKKS Scheme 28 2.5 Preliminary for Code-Based Cryptography 29 2.5.1 The McEliece Cryptosystem 29 2.5.2 CFS Signature Scheme 30 2.5.3 ReedMuller Codes and Recursive Decoding 31 2.5.4 IKKR Cryptosystems 33 3 Privacy-Preserving Machine Learning via FHEWithout Bootstrapping 37 3.1 Introduction 37 3.2 Information Theoretic Secrecy and HE for Privacy-Preserving Machine Learning 38 3.2.1 The Failure Probability of Ordinary CKKS Bootstrapping 39 3.3 Comparison With Existing Methods 43 3.3.1 Comparison With the Hybrid Method 43 3.3.2 Comparison With FHE Method 44 3.4 Comparison for Evaluating Neural Network 45 4 High-Precision Approximate Homomorphic Encryption and Its Bootstrapping by Error Variance Minimization and Convex Optimization 50 4.1 Introduction 50 4.2 Optimization of Error Variance in the Encrypted Data 51 4.2.1 Tagged Information for Ciphertext 52 4.2.2 WorstCase Assumption 53 4.2.3 Error in Homomorphic Operations of the CKKS Scheme 54 4.2.4 Reordering Homomorphic Operations 59 4.3 Near-Optimal Polynomial for Modulus Reduction 66 4.3.1 Approximate Polynomial Using L2-Norm optimization 66 4.3.2 Efficient Homomorphic Evaluation of the Approximate Polynomial 70 4.4 Optimal Approximate Polynomial and Bootstrapping of the CKKS Scheme 73 4.4.1 Polynomial Basis Error and Polynomial Evaluation in the CKKS Scheme 73 4.4.2 Variance-Minimizing Polynomial Approximation 74 4.4.3 Optimal Approximate Polynomial for Bootstrapping and Magnitude of Its Coefficients 75 4.4.4 Reducing Complexity and Error Using Odd Function 79 4.4.5 Generalization of Weight Constants and Numerical Method 80 4.5 Comparison and Implementation 84 4.6 Reduction of Level Loss in Bootstrapping 89 4.7 Implementation of the Proposed Method and Performance Comparison 92 4.7.1 Error Variance Minimization 92 4.7.2 Weight Constant and Minimum Error Variance 93 4.7.3 Comparison of the Proposed MethodWith the Previous Methods 96 5 Efficient Code-Based Signature Scheme and Cryptanalysis of Code-Based Cryptosystems 104 5.1 Introduction 104 5.2 Modified ReedMuller Codes and Proposed Signature Scheme 105 5.2.1 Partial Permutation of Generator Matrix and Modified ReedMuller Codes 105 5.2.2 Decoding of Modified ReedMuller Codes 108 5.2.3 Proposed Signature Scheme 110 5.3 Security Analysis of Modified pqsigRM 111 5.3.1 Decoding One Out of Many 112 5.3.2 Security Against Key Substitution Attacks 114 5.3.3 EUFCMA Security 114 5.4 Indistinguishability of the Public Code and Signature 120 5.4.1 Modifications of Public Code 121 5.4.2 Public Code Indistinguishability 124 5.4.3 Signature Leaks 126 5.5 Parameter Selection 126 5.5.1 Parameter Sets 126 5.5.2 Statistical Analysis for Determining Number of Partial Permutations 128 5.6 Equivalence of the Prototype IKKR and the McEliece Cryptosystems 131 5.7 Cryptanalysis of the IKKR Cryptosystems 133 5.7.1 Linearity of Two Variants of IKKR Cryptosystems 133 5.7.2 The Attack Algorithm 134 5.7.3 Implementation 135 6 Conclusion 139 6.1 Privacy-Preserving Machine Learning Without Bootstrapping 139 6.2 Variance-Minimization in the CKKS Scheme 140 6.3 L2-Norm Minimization for the Bootstrapping of the CKKS Scheme 141 6.4 Modified pqsigRM: RM Code-Based Signature Scheme 142 6.5 Cryptanalysis of the IKKR Cryptosystem 143 Abstract (In Korean) 155 Acknowlegement 158Docto
    • โ€ฆ
    corecore