5 research outputs found

    On the impact of decryption failures on the security of LWE/LWR based schemes

    In this paper we investigate the impact of decryption failures on the chosen-ciphertext security of (Ring/Module)-Learning With Errors and (Ring/Module)-Learning with Rounding based primitives. Our analysis is split into three parts: first, we use a technique to increase the failure rate of these schemes called failure boosting. Based on this technique we investigate the minimal effort for an adversary to obtain a failure in three cases: when the adversary has access to a quantum computer, when they mount a multi-target attack, and when they can only perform a limited number of oracle queries. Second, we examine the amount of information that an adversary can derive from failing ciphertexts. Finally, these techniques are combined in an attack on (Ring/Module)-LWE and (Ring/Module)-LWR based schemes with decryption failures. We provide both a theoretical analysis as well as an implementation to calculate the security impact and show that an attacker can significantly reduce the security of (Ring/Module)-LWE/LWR based schemes that have a relatively high failure rate. However, for the candidates of the NIST post-quantum standardization process that we assessed, the number of required oracle queries is above practical limits due to their conservative parameter choices.
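    The failure-boosting trade-off this abstract refers to, as an added worked example (my code, not the authors' implementation). It uses a toy model that is my assumption, not the paper's: the decryption noise of one message coefficient is the inner product of the secret with the ciphertext error, every coordinate is drawn from {-1, 0, 1} with P(0) = 1/2 and P(+-1) = 1/4, and the coefficient fails when |noise| > T. Because the adversary controls the encryption randomness, they can pre-filter ciphertexts whose error has at least k0 nonzero coordinates. The block computes the honest failure rate exactly and then the pair (alpha, beta) for that filter: alpha is the fraction of generated ciphertexts that survive it, beta the failure probability of a survivor, so the decryption-oracle queries per observed failure drop from 1/P_fail to 1/beta while the offline work per failure rises to 1/(alpha*beta).

```python
# Added example (not from the paper): exact failure-rate and failure-boosting
# arithmetic for a toy LWE-style decryption noise model.
#
# Assumptions (mine, not the paper's): the decryption noise of one message
# coefficient is <s, e>, where s is an n-coordinate secret with entries drawn
# as P(-1) = P(1) = 1/4, P(0) = 1/2, and e is the ciphertext error with entries
# from the same distribution. A coefficient decrypts wrongly when |<s, e>| > T.
# The attacker controls e through the encryption randomness and can therefore
# pre-select ciphertexts with many nonzero e-coordinates (failure boosting).
from math import comb

def noise_dist(k):
    """Distribution of <s, e> when e has exactly k nonzero (+-1) entries.

    Each nonzero e_i contributes s_i * e_i, which is +-1 w.p. 1/4 each and 0
    w.p. 1/2 regardless of the sign of e_i, so only the count k matters."""
    step = {-1: 0.25, 0: 0.5, 1: 0.25}
    dist = {0: 1.0}
    for _ in range(k):
        nxt = {}
        for v, p in dist.items():
            for d, q in step.items():
                nxt[v + d] = nxt.get(v + d, 0.0) + p * q
        dist = nxt
    return dist

def fail_prob_given_k(k, T):
    """P(|<s, e>| > T) for a ciphertext whose error has k nonzero entries."""
    return sum(p for v, p in noise_dist(k).items() if abs(v) > T)

def weight_dist(n):
    """Number of nonzero entries of an honestly sampled e: Binomial(n, 1/2)."""
    return {k: comb(n, k) / 2 ** n for k in range(n + 1)}

def baseline_failure_rate(n, T):
    """Failure probability of an honest ciphertext (no adversarial selection)."""
    return sum(pk * fail_prob_given_k(k, T) for k, pk in weight_dist(n).items())

def failure_boosting(n, T, k0):
    """Failure boosting: keep only ciphertexts whose error has >= k0 nonzeros.

    Returns (alpha, beta): alpha is the fraction of generated ciphertexts that
    pass the filter (offline cost 1/alpha per kept ciphertext), beta is the
    failure probability of a kept ciphertext (1/beta oracle queries per
    observed failure). Total work per failure is 1/(alpha*beta)."""
    wd = weight_dist(n)
    alpha = sum(p for k, p in wd.items() if k >= k0)
    joint = sum(p * fail_prob_given_k(k, T) for k, p in wd.items() if k >= k0)
    return alpha, joint / alpha

if __name__ == "__main__":
    n, T = 64, 16            # toy parameters chosen so the honest rate is ~1e-4
    base = baseline_failure_rate(n, T)
    print(f"honest failure rate: {base:.3e}  (queries/failure {1/base:.3e})")
    for k0 in (40, 44, 48):
        a, b = failure_boosting(n, T, k0)
        print(f"boost k0={k0}: alpha={a:.3e} beta={b:.3e} "
              f"queries/failure={1/b:.3e} work/failure={1/(a*b):.3e}")
```

    Raising k0 makes beta grow (fewer oracle queries per failure) while alpha*beta shrinks below the honest failure rate (more total work per failure); that is the lever an attacker with a query budget pulls, and the paper's point is that for the assessed NIST candidates even the boosted query count stays impractical. The real analysis replaces this toy distribution with the actual secret and error distributions and norms of the target scheme.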

    LWE with side information: Attacks and concrete security estimation

    We propose a framework for cryptanalysis of lattice-based schemes when side information, in the form of "hints" about the secret and/or error, is available. Our framework generalizes the so-called primal lattice reduction attack, and allows the progressive integration of hints before running a final lattice reduction step. Our techniques for integrating hints include sparsifying the lattice, projecting onto and intersecting with hyperplanes, and/or altering the distribution of the secret vector. Our main contribution is to propose a toolbox and a methodology to integrate such hints into lattice reduction attacks and to predict the performance of those lattice attacks with side information. While initially designed for side-channel information, our framework can also be used in other cases: exploiting decryption failures, or simply exploiting constraints imposed by certain schemes (LAC, Round5, NTRU). We implement a Sage 9.0 toolkit to actually mount such attacks with hints when computationally feasible, and to predict their performance on larger instances. We provide several end-to-end application examples, such as an improvement of a single-trace attack on Frodo by Bos et al. (SAC 2018). In particular, our work can estimate the security loss even given very little side information, leading to a smooth measurement/computation trade-off for side-channel attacks.

    Performance Improvement of FrodoKEM Using BCH Codes, and Minimax Approximation of the Sign Function by Composite Functions for Homomorphic Comparison (BCH 부호를 이용한 FrodoKEM의 성능 개선 및 동형 비교를 위한 합성함수에 의한 부호 함수의 미니맥스 근사)

    Doctoral dissertation, Seoul National University Graduate School, College of Engineering, Department of Electrical and Computer Engineering, August 2020. Advisor: 노종선 (Jong-Seon No).
    In this dissertation, two main contributions are given: performance improvement of FrodoKEM using Gray and error-correcting codes (ECCs), and optimal minimax polynomial approximation of the sign function by a composite polynomial for homomorphic comparison. First, the modification of FrodoKEM using Gray codes and ECCs is studied. Lattice-based schemes are among the most promising candidates for post-quantum cryptography (PQC). Among many lattice-based cryptosystems, FrodoKEM is a well-known key-encapsulation mechanism (KEM) based on the (plain) learning with errors problem and is advantageous in that its hardness rests on problems over unstructured lattices. Many lattice-based cryptosystems adopt ECCs to improve their performance, such as LAC, Three Bears, and Round5, which were presented at the NIST PQC Standardization Round 2 conference. However, for lattice-based cryptosystems such as FrodoKEM that do not use ring structures, it is difficult to use ECCs because the number of transmitted symbols is small. In this dissertation, I propose a method to apply Gray codes and ECCs to FrodoKEM by encoding the bits converted from the encrypted symbols. It is shown that the proposed method improves the security level and/or the bandwidth of FrodoKEM, and that 192 message bits, 50% more than the original 128 bits, can be transmitted using one of the modified Frodo-640 variants. Second, an optimal minimax polynomial approximation of the sign function by a composite polynomial is studied. The comparison of two numbers is one of the most commonly used operations in many applications, including deep learning and data processing systems. Several studies have been conducted to efficiently evaluate the comparison function in homomorphic encryption schemes, which only allow addition and multiplication on ciphertexts.
Recently, new comparison methods that approximate the sign function using a composite polynomial in homomorphic encryption, called homomorphic comparison operations, were proposed, and it was proved that these methods have optimal asymptotic complexity. In this dissertation, I propose new optimal algorithms that approximate the sign function in homomorphic encryption by using composite polynomials of minimax approximate polynomials, which are constructed by the modified Remez algorithm. It is proved that the number of required non-scalar multiplications and the depth consumption of the proposed algorithms are less than those of any method that approximates the sign function by a composite polynomial whose component polynomials have odd-degree terms. In addition, an optimal polynomial-time algorithm for the proposed homomorphic comparison operation is proposed by using dynamic programming. In the numerical analysis, for the case where I want to minimize the number of non-scalar multiplications, the proposed algorithm reduces the required number of non-scalar multiplications and the depth consumption by about 33% and 35%, respectively, compared to the previous work. For the case where I want to minimize the depth consumption, the proposed algorithm reduces the required number of non-scalar multiplications and the depth consumption by about 10% and 47%, respectively, compared to the previous work.
๋งŽ์€ ๊ฒฉ์ž๊ธฐ๋ฐ˜์•”ํ˜ธ ์‹œ์Šคํ…œ ์ค‘์—์„œ FrodoKEM์€ learning with errors (LWE) ๋ฌธ์ œ์— ๊ธฐ๋ฐ˜์„ ๋‘” ์ž˜ ์•Œ๋ ค์ง„ ํ‚ค-์บก์Šํ™” ๋ฉ”์ปค๋‹ˆ์ฆ˜ (KEM) ์ด๋ฉฐ ๊ตฌ์กฐ๋ฅผ ๊ฐ–์ง€ ์•Š์€ ๊ฒฉ์ž ๋ฌธ์ œ์— ๊ธฐ๋ฐ˜์„ ๋‘” ์–ด๋ ค์›€์„ ๊ฐ€์ง„๋‹ค๋Š” ์žฅ์ ์ด ์žˆ๋‹ค. NIST ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ ํ‘œ์ค€ํ™” ๋ผ์šด๋“œ 2์— ๋ฐœํ‘œ๋œ LAC, Three Bears, Round5์™€ ๊ฐ™์ด ์„ฑ๋Šฅ ๊ฐœ์„ ์„ ์œ„ํ•ด ์˜ค๋ฅ˜์ •์ •๋ถ€ํ˜ธ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ๋งŽ์€ ์•”ํ˜ธ ์‹œ์Šคํ…œ๋“ค์ด ์žˆ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ FrodoKEM๊ณผ ๊ฐ™์ด ๋ง ๊ตฌ์กฐ๋ฅผ ์‚ฌ์šฉํ•˜์ง€ ์•Š๋Š” ๊ฒฉ์ž๊ธฐ๋ฐ˜ ์•”ํ˜ธ ์‹œ์Šคํ…œ์—์„œ๋Š” ์ „์†ก๋˜๋Š” ์‹ฌ๋ณผ ๊ฐœ์ˆ˜๊ฐ€ ์ž‘๊ธฐ ๋•Œ๋ฌธ์— ์˜ค๋ฅ˜์ •์ •๋ถ€ํ˜ธ๋ฅผ ์‚ฌ์šฉํ•˜๊ธฐ ์–ด๋ ต๋‹ค. ๋‚˜๋Š” ์•”ํ˜ธํ™”๋œ ์‹ฌ๋ณผ๋กœ๋ถ€ํ„ฐ ๋ณ€ํ™˜๋œ ๋น„ํŠธ๋“ค์„ ๋ถ€ํ˜ธํ™”ํ•˜์—ฌ ์˜ค๋ฅ˜์ •์ •๋ถ€ํ˜ธ์™€ ๊ทธ๋ ˆ์ด ๋ถ€ํ˜ธ๋ฅผ FrodoKEM์— ์ ์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•˜์˜€๋‹ค. ์ œ์•ˆํ•œ ์•Œ๊ณ ๋ฆฌ์ฆ˜์€ FrodoKEM์˜ ๋ณด์•ˆ์„ฑ ๋ ˆ๋ฒจ ํ˜น์€ ๋ฐ์ดํ„ฐ์ „์†ก๋Ÿ‰์„ ํ–ฅ์ƒํ•˜๊ณ  ๊ธฐ์กด 128๋น„ํŠธ๋ณด๋‹ค 50\% ๋งŽ์€ 192๋น„ํŠธ๊ฐ€ ๋ณ€ํ˜•๋œ Frodo-640์—์„œ ์ „์†ก๋  ์ˆ˜ ์žˆ์Œ์„ ๋ณด์—ฌ์ฃผ์—ˆ๋‹ค. ๋‘ ๋ฒˆ์งธ๋กœ, ํ•ฉ์„ฑ ๋‹คํ•ญ์‹์„ ์‚ฌ์šฉํ•œ ๋ถ€ํ˜ธ ํ•จ์ˆ˜์˜ ์ตœ์  ๋ฏธ๋‹ˆ๋งฅ์Šค ๋‹คํ•ญ์‹ ๊ทผ์‚ฌ๊ฐ€ ์—ฐ๊ตฌ๋˜์—ˆ๋‹ค. ๋‘ ์ˆซ์ž์˜ ๋น„๊ต ํ•จ์ˆ˜๋Š” ๋”ฅ๋Ÿฌ๋‹ ๋ฐ ๋ฐ์ดํ„ฐ ์ฒ˜๋ฆฌ ์‹œ์Šคํ…œ์„ ํฌํ•จํ•œ ๋งŽ์€ ์‘์šฉ์—์„œ ๊ฐ€์žฅ ๋งŽ์ด ์‚ฌ์šฉ๋˜๋Š” ์—ฐ์‚ฐ ์ค‘ ํ•˜๋‚˜์ด๋‹ค. ์•”ํ˜ธ๋ฌธ ์ƒ์—์„œ์˜ ๋ง์…ˆ๊ณผ ๊ณฑ์…ˆ๋งŒ ์ง€์›ํ•˜๋Š” ๋™ํ˜• ์•”ํ˜ธ์—์„œ ๋น„๊ต ํ•จ์ˆ˜๋ฅผ ํšจ์œจ์ ์œผ๋กœ ๊ณ„์‚ฐํ•˜๋Š” ๋ช‡๋ช‡ ์—ฐ๊ตฌ๊ฐ€ ์ง„ํ–‰๋˜์—ˆ๋‹ค. ๋™ํ˜• ์•”ํ˜ธ์—์„œ ํ•ฉ์„ฑ ๋‹คํ•ญ์‹์„ ์‚ฌ์šฉํ•˜์—ฌ ๋ถ€ํ˜ธ ํ•จ์ˆ˜๋ฅผ ๊ทผ์‚ฌํ•˜๋Š” ๋น„๊ต ๋ฐฉ๋ฒ•์€ ๋™ํ˜• ๋น„๊ต ์—ฐ์‚ฐ์ด๋ผ๊ณ  ๋ถˆ๋ฆฌ๋Š”๋ฐ ์ตœ๊ทผ ์ƒˆ๋กœ์šด ๋™ํ˜• ๋น„๊ต ์—ฐ์‚ฐ ๋ฐฉ๋ฒ•์ด ์ œ์•ˆ๋˜์—ˆ๊ณ  ๊ทธ ๋ฐฉ๋ฒ•์ด ์ตœ์  ์ ๊ทผ์  ๋ณต์žก๋„๋ฅผ ๊ฐ€์ง„๋‹ค๋Š” ๊ฒƒ์ด ์ฆ๋ช…๋˜์—ˆ๋‹ค. ๋ณธ ๋…ผ๋ฌธ์—์„œ ๋‚˜๋Š” ๋ฏธ๋‹ˆ๋งฅ์Šค ๊ทผ์‚ฌ๋‹คํ•ญ์‹์˜ ํ•ฉ์„ฑํ•จ์ˆ˜๋ฅผ ์‚ฌ์šฉํ•˜์—ฌ ๋™ํ˜•์•”ํ˜ธ์—์„œ ๋ถ€ํ˜ธ ํ•จ์ˆ˜๋ฅผ ๊ทผ์‚ฌํ•˜๋Š” ์ƒˆ๋กœ์šด ์ตœ์  ์•Œ๊ณ ๋ฆฌ์ฆ˜์„ ์ œ์•ˆํ•œ๋‹ค. 
๋ฏธ๋‹ˆ๋งฅ์Šค ๊ทผ์‚ฌ ๋‹คํ•ญ์‹์€ modified Remez ์•Œ๊ณ ๋ฆฌ์ฆ˜์— ์˜ํ•ด ์–ป์„ ์ˆ˜ ์žˆ๋‹ค. ์ œ์•ˆํ•˜๋Š” ์•Œ๊ณ ๋ฆฌ์ฆ˜์€ ์ž„์˜์˜ ๋ถ€ํ˜ธ ํ•จ์ˆ˜๋ฅผ ๊ทผ์‚ฌํ•˜๋Š” ํ™€์ˆ˜ ์ฐจ์ˆ˜ ํ•ญ๋“ค์„ ๊ฐ€์ง„ ๋‹คํ•ญ์‹์˜ ํ•ฉ์„ฑ ๋‹คํ•ญ์‹์„ ์‚ฌ์šฉํ•˜๋Š” ๋ฐฉ๋ฒ•๋ณด๋‹ค ๋” ์ ์€ ๋„Œ์Šค์นผ๋ผ ๊ณฑ ๋ฐ ๋Ž์Šค ์†Œ๋ชจ๋ฅผ ์‚ฌ์šฉํ•œ๋‹ค๋Š” ๊ฒƒ์ด ์ฆ๋ช…๋˜์—ˆ๋‹ค. ๋˜ํ•œ, ์ œ์•ˆํ•œ ๋™ํ˜• ๋น„๊ต ์—ฐ์‚ฐ์— ๋Œ€ํ•œ ๋‹ค์ด๋‚˜๋ฏน ํ”„๋กœ๊ทธ๋ž˜๋ฐ์„ ์‚ฌ์šฉํ•œ ์ตœ์  ๋‹คํ•ญ์‹œ๊ฐ„ ์•Œ๊ณ ๋ฆฌ์ฆ˜์ด ์ œ์•ˆ๋˜์—ˆ๋‹ค. ์ˆ˜์น˜ ๋ถ„์„ ๊ฒฐ๊ณผ, ๋„Œ์Šค์นผ๋ผ ๊ณฑ ๊ฐœ์ˆ˜๋ฅผ ์ตœ์†Œ๋กœ ํ•  ๋•Œ, ์ œ์•ˆํ•˜๋Š” ์•Œ๊ณ ๋ฆฌ์ฆ˜์€ ํ•„์š”ํ•œ ๋„Œ์Šค์นผ๋ผ ๊ณฑ ๊ฐœ์ˆ˜์™€ ๋Ž์Šค ์†Œ๋ชจ๋ฅผ ๊ธฐ์กด ๋ฐฉ๋ฒ•์˜ ํ•„์š”ํ•œ ๋„Œ์Šค์นผ๋ผ ๊ณฑ ๊ฐœ์ˆ˜ ๋ฐ ๋Ž์Šค ์†Œ๋ชจ๋ณด๋‹ค ๊ฐ๊ฐ 33%, 35%์ •๋„ ๊ฐ์†Œ์‹œํ‚จ๋‹ค. ๋˜ํ•œ, ๋Ž์Šค ์†Œ๋ชจ๋ฅผ ์ตœ์†Œ๋กœ ํ•  ๋•Œ, ์ œ์•ˆํ•˜๋Š” ์•Œ๊ณ ๋ฆฌ์ฆ˜์€ ํ•„์š”ํ•œ ๋„Œ์Šค์นผ๋ผ ๊ณฑ ๊ฐœ์ˆ˜์™€ ๋Ž์Šค ์†Œ๋ชจ๋ฅผ ๊ธฐ์กด ๋ฐฉ๋ฒ•์˜ ํ•„์š”ํ•œ ๋„Œ์Šค์นผ๋ผ ๊ณฑ ๊ฐœ์ˆ˜ ๋ฐ ๋Ž์Šค ์†Œ๋ชจ๋ณด๋‹ค ๊ฐ๊ฐ 10%, 47%์ •๋„ ๊ฐ์†Œ์‹œํ‚จ๋‹ค.1 Introduction 1 1.1 Background 1 1.2 Overview of Dissertation 3 1.3 Notations 5 2 Preliminaries 6 2.1 NIST Post-Quantum Cryptography Standardization 6 2.1.1 Background 6 2.1.2 Categories for Security Level 7 2.1.3 List of Algorithms in NIST PQC Round 2 8 2.2 Public-Key Encryption and Key-Encapsulation Mechanism 10 2.3 Lattice-Based Cryptogaphy 13 2.3.1 Learning with Errors Problem 13 2.3.2 Overview of FrodoPKE Algorithm 14 2.3.3 Parameters of FrodoKEM 17 2.4 BCH and Gray Codes 18 2.5 Fully Homomorphic Encryption 20 2.5.1 Homomorphic Encryption 20 2.5.2 Comparison Operation in Fully Homomorphic Encryption 21 2.6 Approximation Theory 22 2.7 Algorithms for Minimax Approximation 24 3. 
Improvement of FrodoKEM Using Gray and BCH Codes 29 3.1 Modification of FrodoKEM with Gray and Error-Correcting Codes 33 3.1.1 Viewing FrodoPKE as a Digital Communication System 33 3.1.2 Error-Correcting Codes for FrodoPKE 34 3.1.3 Gray Coding 36 3.1.4 IND-CCA Security of Modified FrodoKEM 38 3.1.5 Evaluation of DFR 40 3.1.6 Error Dependency 43 3.2 Performance Improvement of FrodoKEM Using Gray and BCH Codes 43 3.2.1 Improving the Security Level of FrodoKEM 43 3.2.2 Increasing the Message Size of Frodo-640 47 3.2.3 Reducing the Bandwidth of Frodo-640 50 4. Homomorphic Comparison Using Optimal Composition of Minimax Approximate Polynomials 54 4.1 Introduction 54 4.1.1 Previous Works 55 4.1.2 My Contributions 56 4.2 Approximation of Sign Function by Using Optimal Composition of Minimax Approximate Polynomials 58 4.2.1 New Approximation Method for Sine Function Using Composition of the Minimax Approximate Polynomials 58 4.2.2 Optimality of Approximation of the Sign Function by a Minimax Composite Polynomial 64 4.2.3 Achieving Polynomial-Time Algorithm for New Approximation Method by Using Dynamic Programming 68 4.3 Numerical Results 80 4.3.1 Computation of the Required Non-Scalar Multiplications and Depth Consumption 81 4.3.2 Comparisons 81 5. Conclusions 88 Abstract (In Korean) 97Docto
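    An added example (my code, not the dissertation's algorithm) for the second contribution, the homomorphic comparison of chapter 4: approximating sign(x) on [-1, -eps] U [eps, 1] by composing an odd polynomial with itself, and counting the two costs the dissertation minimises, non-scalar multiplications and multiplicative depth. The component f(x) = (3x - x^3)/2 is a simple odd polynomial of the kind used in earlier composite-polynomial comparison methods; it is my choice for readability, and the dissertation's minimax component polynomials (built with a modified Remez algorithm) and its dynamic-programming selection of degrees are not reproduced. The grid size, eps and the target error are my assumptions.

```python
# Added example (not from the dissertation): composite polynomial approximation
# of sign(x) on [-1,-eps] U [eps,1], with the two cost measures the dissertation
# optimises. The component polynomial f is my choice, not a minimax polynomial.
def f(x):
    """Odd degree-3 component f(x) = (3x - x^3)/2, evaluated as x*(3 - x^2)/2:
    one non-scalar product for x^2 and one for x*(3 - x^2); multiplying by the
    constants 3 and 1/2 are scalar operations, which are cheap in FHE."""
    x2 = x * x
    return x * (3.0 - x2) / 2.0

COST_PER_F = (2, 2)   # (non-scalar multiplications, multiplicative depth) of f

def composite_sign(x, d):
    """f composed with itself d times: f(f(...f(x)))."""
    for _ in range(d):
        x = f(x)
    return x

def cost(d):
    """Total non-scalar multiplications and depth of composite_sign(., d)."""
    return (COST_PER_F[0] * d, COST_PER_F[1] * d)

def max_error(d, eps, samples=2000):
    """Max |composite_sign(x, d) - sign(x)| over a grid on [eps, 1]; by oddness
    the error on [-1, -eps] is identical. Since f is increasing on [0, 1] and
    f(x) >= x there, the worst point is x = eps, but the grid keeps it general."""
    worst = 0.0
    for i in range(samples + 1):
        x = eps + (1.0 - eps) * i / samples
        worst = max(worst, abs(composite_sign(x, d) - 1.0))
    return worst

def homomorphic_compare(a, b, d):
    """comp(a, b) ~ (sign(a - b) + 1)/2 for a, b in [0, 1] with |a - b| >= eps:
    ~1 if a > b, ~0 if a < b. Only additions and multiplications are used, so
    the same arithmetic can be run on ciphertexts of a and b."""
    return (composite_sign(a - b, d) + 1.0) / 2.0

def depth_needed(eps, target_err, d_max=30):
    """Smallest number of compositions reaching target_err on [eps, 1]."""
    for d in range(1, d_max + 1):
        if max_error(d, eps) <= target_err:
            return d
    return None

if __name__ == "__main__":
    eps = 2 ** -6
    for d in (2, 4, 6, 8, 10, 12):
        m, dep = cost(d)
        print(f"d={d:2d}: max error {max_error(d, eps):.3e}, "
              f"{m} non-scalar mults, depth {dep}")
    d = depth_needed(eps, 2 ** -10)
    print(f"eps=2^-6, error <= 2^-10 reached at d={d} -> cost {cost(d)}")
    print(f"compare(0.7, 0.3) ~ {homomorphic_compare(0.7, 0.3, d):.4f}")
```

    With a single fixed component, multiplications and depth move together, so there is nothing to trade off; the dissertation's gain comes from choosing different minimax components of different degrees at each stage, where a higher-degree component costs more multiplications per level but fewer levels, which is exactly why it reports two separate optima (minimal multiplications vs. minimal depth).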