An Improved BKW Algorithm for LWE with Applications to Cryptography and Lattices

In this paper, we study the Learning With Errors problem and its binary variant, where secrets and errors are binary or taken in a small interval. We introduce a new variant of the Blum, Kalai and Wasserman algorithm, relying on a quantization step that generalizes and fine-tunes modulus switching. In general this new technique yields a significant gain in the constant in front of the exponent in the overall complexity. We illustrate this by solving p within half a day a LWE instance with dimension n = 128, modulus $q = n^2$, Gaussian noise $\alpha = 1/(\sqrt{n/\pi} \log^2 n)$ and binary secret, using $2^{28}$ samples, while the previous best result based on BKW claims a time complexity of $2^{74}$ with $2^{60}$ samples for the same parameters. We then introduce variants of BDD, GapSVP and UniqueSVP, where the target point is required to lie in the fundamental parallelepiped, and show how the previous algorithm is able to solve these variants in subexponential time. Moreover, we also show how the previous algorithm can be used to solve the BinaryLWE problem with n samples in subexponential time $2^{(\ln 2/2+o(1))n/\log \log n}$. This analysis does not require any heuristic assumption, contrary to other algebraic approaches; instead, it uses a variant of an idea by Lyubashevsky to generate many samples from a small number of samples. This makes it possible to asymptotically and heuristically break the NTRU cryptosystem in subexponential time (without contradicting its security assumption). We are also able to solve subset sum problems in subexponential time for density $o(1)$, which is of independent interest: for such density, the previous best algorithm requires exponential time. As a direct application, we can solve in subexponential time the parameters of a cryptosystem based on this problem proposed at TCC 2010.Comment: CRYPTO 201

Notes on Lattice-Based Cryptography

Asymmetrisk kryptering er avhengig av antakelsen om at noen beregningsproblemer er vanskelige å løse. I 1994 viste Peter Shor at de to mest brukte beregningsproblemene, nemlig det diskrete logaritmeproblemet og primtallsfaktorisering, ikke lenger er vanskelige å løse når man bruker en kvantedatamaskin. Siden den gang har forskere jobbet med å finne nye beregningsproblemer som er motstandsdyktige mot kvanteangrep for å erstatte disse to. Gitterbasert kryptografi er forskningsfeltet som bruker kryptografiske primitiver som involverer vanskelige problemer definert på gitter, for eksempel det korteste vektorproblemet og det nærmeste vektorproblemet. NTRU-kryptosystemet, publisert i 1998, var et av de første som ble introdusert på dette feltet. Problemet Learning With Error (LWE) ble introdusert i 2005 av Regev, og det regnes nå som et av de mest lovende beregningsproblemene som snart tas i bruk i stor skala. Å studere vanskelighetsgraden og å finne nye og raskere algoritmer som løser den, ble et ledende forskningstema innen kryptografi. Denne oppgaven inkluderer følgende bidrag til feltet: - En ikke-triviell reduksjon av Mersenne Low Hamming Combination Search Problem, det underliggende problemet med et NTRU-lignende kryptosystem, til Integer Linear Programming (ILP). Særlig finner vi en familie av svake nøkler. - En konkret sikkerhetsanalyse av Integer-RLWE, en vanskelig beregningsproblemvariant av LWE, introdusert av Gu Chunsheng. Vi formaliserer et meet-in-the-middle og et gitterbasert angrep for denne saken, og vi utnytter en svakhet ved parametervalget gitt av Gu, for å bygge et forbedret gitterbasert angrep. - En forbedring av Blum-Kalai-Wasserman-algoritmen for å løse LWE. Mer spesifikt, introduserer vi et nytt reduksjonstrinn og en ny gjetteprosedyre til algoritmen. Disse tillot oss å utvikle to implementeringer av algoritmen, som er i stand til å løse relativt store LWE-forekomster. Mens den første effektivt bare bruker RAM-minne og er fullt parallelliserbar, utnytter den andre en kombinasjon av RAM og disklagring for å overvinne minnebegrensningene gitt av RAM. - Vi fyller et tomrom i paringsbasert kryptografi. Dette ved å gi konkrete formler for å beregne hash-funksjon til G2, den andre gruppen i paringsdomenet, for Barreto-Lynn-Scott-familien av paringsvennlige elliptiske kurver.Public-key Cryptography relies on the assumption that some computational problems are hard to solve. In 1994, Peter Shor showed that the two most used computational problems, namely the Discrete Logarithm Problem and the Integer Factoring Problem, are not hard to solve anymore when using a quantum computer. Since then, researchers have worked on finding new computational problems that are resistant to quantum attacks to replace these two. Lattice-based Cryptography is the research field that employs cryptographic primitives involving hard problems defined on lattices, such as the Shortest Vector Problem and the Closest Vector Problem. The NTRU cryptosystem, published in 1998, was one of the first to be introduced in this field. The Learning With Error (LWE) problem was introduced in 2005 by Regev, and it is now considered one of the most promising computational problems to be employed on a large scale in the near future. Studying its hardness and finding new and faster algorithms that solve it became a leading research topic in Cryptology. This thesis includes the following contributions to the field: - A non-trivial reduction of the Mersenne Low Hamming Combination Search Problem, the underlying problem of an NTRU-like cryptosystem, to Integer Linear Programming (ILP). In particular, we find a family of weak keys. - A concrete security analysis of the Integer-RLWE, a hard computational problem variant of LWE introduced by Gu Chunsheng. We formalize a meet-in-the-middle attack and a lattice-based attack for this case, and we exploit a weakness of the parameters choice given by Gu to build an improved lattice-based attack. - An improvement of the Blum-Kalai-Wasserman algorithm to solve LWE. In particular, we introduce a new reduction step and a new guessing procedure to the algorithm. These allowed us to develop two implementations of the algorithm that are able to solve relatively large LWE instances. While the first one efficiently uses only RAM memory and is fully parallelizable, the second one exploits a combination of RAM and disk storage to overcome the memory limitations given by the RAM. - We fill a gap in Pairing-based Cryptography by providing concrete formulas to compute hash-maps to G2, the second group in the pairing domain, for the Barreto-Lynn-Scott family of pairing-friendly elliptic curves.Doktorgradsavhandlin

잡음키를 가지는 신원기반 동형암호에 관한 연구

학위논문(박사)--서울대학교 대학원 :자연과학대학 수리과학부,2020. 2. 천정희.클라우드 상의 데이터 분석 위임 시나리오는 동형암호의 가장 효과적인 응용 시나리오 중 하나이다. 그러나, 다양한 데이터 제공자와 분석결과 요구자가 존재하는 실제 현실의 모델에서는 기본적인 암복호화와 동형 연산 외에도 여전히 해결해야 할 과제들이 남아있는 실정이다. 본 학위논문에서는 이러한 모델에서 필요한 여러 요구사항들을 포착하고, 이에 대한 해결방안을 논하였다. 먼저, 기존의 알려진 동형 데이터 분석 솔루션들은 데이터 간의 층위나 수준을 고려하지 못한다는 점에 착안하여, 신원기반 암호와 동형암호를 결합하여 데이터 사이에 접근 권한을 설정하여 해당 데이터 사이의 연산을 허용하는 모델을 생각하였다. 또한 이 모델의 효율적인 동작을 위해서 동형암호 친화적인 신원기반 암호에 대하여 연구하였고, 기존에 알려진 NTRU 기반의 암호를 확장하여 module-NTRU 문제를 정의하고 이를 기반으로 한 신원기반 암호를 제안하였다. 둘째로, 동형암호의 복호화 과정에는 여전히 비밀키가 관여하고 있고, 따라서 비밀키 관리 문제가 남아있다는 점을 포착하였다. 이러한 점에서 생체정보를 활용할 수 있는 복호화 과정을 개발하여 해당 과정을 동형암호 복호화에 적용하였고, 이를 통해 암복호화와 동형 연산의 전 과정을 어느 곳에도 키가 저장되지 않은 상태로 수행할 수 있는 암호시스템을 제안하였다. 마지막으로, 동형암호의 구체적인 안전성 평가 방법을 고려하였다. 이를 위해 동형암호가 기반하고 있는 이른바 Learning With Errors (LWE) 문제의 실제적인 난해성을 면밀히 분석하였고, 그 결과 기존의 공격 알고리즘보다 평균적으로 1000배 이상 빠른 공격 알고리즘들을 개발하였다. 이를 통해 현재 사용하고 있는 동형암호 파라미터가 안전하지 않음을 보였고, 새로운 공격 알고리즘을 통한 파라미터 설정 방법에 대해서 논하였다.Secure data analysis delegation on cloud is one of the most powerful application that homomorphic encryption (HE) can bring. As the technical level of HE arrive at practical regime, this model is also being considered to be a more serious and realistic paradigm. In this regard, this increasing attention requires more versatile and secure model to deal with much complicated real world problems. First, as real world modeling involves a number of data owners and clients, an authorized control to data access is still required even for HE scenario. Second, we note that although homomorphic operation requires no secret key, the decryption requires the secret key. That is, the secret key management concern still remains even for HE. Last, in a rather fundamental view, we thoroughly analyze the concrete hardness of the base problem of HE, so-called Learning With Errors (LWE). In fact, for the sake of efficiency, HE exploits a weaker variant of LWE whose security is believed not fully understood. For the data encryption phase efficiency, we improve the previously suggested NTRU-lattice ID-based encryption by generalizing the NTRU concept into module-NTRU lattice. Moreover, we design a novel method that decrypts the resulting ciphertext with a noisy key. This enables the decryptor to use its own noisy source, in particular biometric, and hence fundamentally solves the key management problem. Finally, by considering further improvement on existing LWE solving algorithms, we propose new algorithms that shows much faster performance. Consequently, we argue that the HE parameter choice should be updated regarding our attacks in order to maintain the currently claimed security level.1 Introduction 1 1.1 Access Control based on Identity 2 1.2 Biometric Key Management 3 1.3 Concrete Security of HE 3 1.4 List of Papers 4 2 Background 6 2.1 Notation 6 2.2 Lattices 7 2.2.1 Lattice Reduction Algorithm 7 2.2.2 BKZ cost model 8 2.2.3 Geometric Series Assumption (GSA) 8 2.2.4 The Nearest Plane Algorithm 9 2.3 Gaussian Measures 9 2.3.1 Kullback-Leibler Divergence 11 2.4 Lattice-based Hard Problems 12 2.4.1 The Learning With Errors Problem 12 2.4.2 NTRU Problem 13 2.5 One-way and Pseudo-random Functions 14 3 ID-based Data Access Control 16 3.1 Module-NTRU Lattices 16 3.1.1 Construction of MNTRU lattice and trapdoor 17 3.1.2 Minimize the Gram-Schmidt norm 22 3.2 IBE-Scheme from Module-NTRU 24 3.2.1 Scheme Construction 24 3.2.2 Security Analysis by Attack Algorithms 29 3.2.3 Parameter Selections 31 3.3 Application to Signature 33 4 Noisy Key Cryptosystem 36 4.1 Reusable Fuzzy Extractors 37 4.2 Local Functions 40 4.2.1 Hardness over Non-uniform Sources 40 4.2.2 Flipping local functions 43 4.2.3 Noise stability of predicate functions: Xor-Maj 44 4.3 From Pseudorandom Local Functions 47 4.3.1 Basic Construction: One-bit Fuzzy Extractor 48 4.3.2 Expansion to multi-bit Fuzzy Extractor 50 4.3.3 Indistinguishable Reusability 52 4.3.4 One-way Reusability 56 4.4 From Local One-way Functions 59 5 Concrete Security of Homomorphic Encryption 63 5.1 Albrecht's Improved Dual Attack 64 5.1.1 Simple Dual Lattice Attack 64 5.1.2 Improved Dual Attack 66 5.2 Meet-in-the-Middle Attack on LWE 69 5.2.1 Noisy Collision Search 70 5.2.2 Noisy Meet-in-the-middle Attack on LWE 74 5.3 The Hybrid-Dual Attack 76 5.3.1 Dimension-error Trade-o of LWE 77 5.3.2 Our Hybrid Attack 79 5.4 The Hybrid-Primal Attack 82 5.4.1 The Primal Attack on LWE 83 5.4.2 The Hybrid Attack for SVP 86 5.4.3 The Hybrid-Primal attack for LWE 93 5.4.4 Complexity Analysis 96 5.5 Bit-security estimation 102 5.5.1 Estimations 104 5.5.2 Application to PKE 105 6 Conclusion 108 Abstract (in Korean) 120Docto

SALSA VERDE: a machine learning attack on Learning With Errors with sparse small secrets

Learning with Errors (LWE) is a hard math problem used in post-quantum cryptography. Homomorphic Encryption (HE) schemes rely on the hardness of the LWE problem for their security, and two LWE-based cryptosystems were recently standardized by NIST for digital signatures and key exchange (KEM). Thus, it is critical to continue assessing the security of LWE and specific parameter choices. For example, HE uses secrets with small entries, and the HE community has considered standardizing small sparse secrets to improve efficiency and functionality. However, prior work, SALSA and PICANTE, showed that ML attacks can recover sparse binary secrets. Building on these, we propose VERDE, an improved ML attack that can recover sparse binary, ternary, and narrow Gaussian secrets. Using improved preprocessing and secret recovery techniques, VERDE can attack LWE with larger dimensions ($n=512$) and smaller moduli ($\log_2 q=12$ for $n=256$), using less time and power. We propose novel architectures for scaling. Finally, we develop a theory that explains the success of ML LWE attacks.Comment: 18 pages, accepted to NeurIPS 202

Envisioning the Future of Cyber Security in Post-Quantum Era: A Survey on PQ Standardization, Applications, Challenges and Opportunities

The rise of quantum computers exposes vulnerabilities in current public key cryptographic protocols, necessitating the development of secure post-quantum (PQ) schemes. Hence, we conduct a comprehensive study on various PQ approaches, covering the constructional design, structural vulnerabilities, and offer security assessments, implementation evaluations, and a particular focus on side-channel attacks. We analyze global standardization processes, evaluate their metrics in relation to real-world applications, and primarily focus on standardized PQ schemes, selected additional signature competition candidates, and PQ-secure cutting-edge schemes beyond standardization. Finally, we present visions and potential future directions for a seamless transition to the PQ era

Encriptação parcialmente homomórfica CCA1-segura

Orientadores: Ricardo Dahab, Diego de Freitas AranhaTese (doutorado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: Nesta tese nosso tema de pesquisa é a encriptação homomórfica, com foco em uma solução prática e segura para encriptação parcialmente homomórfica (somewhat homomorphic encryption - SHE), considerando o modelo de segurança conhecido como ataque de texto encriptado escolhido (chosen ciphertext attack - CCA). Este modelo pode ser subdividido em duas categorias, a saber, CCA1 e CCA2, sendo CCA2 o mais forte. Sabe-se que é impossível construir métodos de encriptação homomórfica que sejam CCA2-seguros. Por outro lado, é possível obter segurança CCA1, mas apenas um esquema foi proposto até hoje na literatura; assim, seria interessante haver outras construções oferecendo este tipo de segurança. Resumimos os principais resultados desta tese de doutorado em duas contribuições. A primeira é mostrar que a família NTRU de esquemas SHE é vulnerável a ataques de recuperação de chave privada, e portanto não são CCA1-seguros. A segunda é a utilização de computação verificável para obter esquemas SHE que são CCA1-seguros e que podem ser usados para avaliar polinômios multivariáveis quadráticos. Atualmente, métodos de encriptação homomórfica são construídos usando como substrato dois problemas de difícil solução: o MDC aproximado (approximate GCD problem - AGCD) e o problema de aprendizado com erros (learning with errors - LWE). O problema AGCD leva, em geral, a construções mais simples mas com desempenho inferior, enquanto que os esquemas baseados no problema LWE correspondem ao estado da arte nesta área de pesquisa. Recentemente, Cheon e Stehlé demonstraram que ambos problemas estão relacionados, e é uma questão interessante investigar se esquemas baseados no problema AGCD podem ser tão eficientes quanto esquemas baseados no problema LWE. Nós respondemos afirmativamente a esta questão para um cenário específico: estendemos o esquema de computação verificável proposto por Fiore, Gennaro e Pastro, de forma que use a suposição de que o problema AGCD é difícil, juntamente com o esquema DGHV adaptado para uso do Teorema Chinês dos Restos (Chinese remainder theorem - CRT) de forma a evitar ataques de recuperação de chave privadaAbstract: In this thesis we study homomorphic encryption with focus on practical and secure somewhat homomorphic encryption (SHE), under the chosen ciphertext attack (CCA) security model. This model is classified into two different main categories: CCA1 and CCA2, with CCA2 being the strongest. It is known that it is impossible to construct CCA2-secure homomorphic encryption schemes. On the other hand, CCA1-security is possible, but only one scheme is known to achieve it. It would thus be interesting to have other CCA1-secure constructions. The main results of this thesis are summarized in two contributions. The first is to show that the NTRU-family of SHE schemes is vulnerable to key recovery attacks, hence not CCA1-secure. The second is the utilization of verifiable computation to obtain a CCA1-secure SHE scheme that can be used to evaluate quadratic multivariate polynomials. Homomorphic encryption schemes are usually constructed under the assumption that two distinct problems are hard, namely the Approximate GCD (AGCD) Problem and the Learning with Errors (LWE) Problem. The AGCD problem leads, in general, to simpler constructions, but with worse performance, wheras LWE-based schemes correspond to the state-of-the-art in this research area. Recently, Cheon and Stehlé proved that both problems are related, and thus it is an interesting problem to investigate if AGCD-based SHE schemes can be made as efficient as their LWE counterparts. We answer this question positively for a specific scenario, extending the verifiable computation scheme proposed by Fiore, Gennaro and Pastro to work under the AGCD assumption, and using it together with the Chinese Remainder Theorem (CRT)-version of the DGHV scheme, in order to avoid key recovery attacksDoutoradoCiência da ComputaçãoDoutor em Ciência da Computação143484/2011-7CNPQCAPE

SALSA: Attacking Lattice Cryptography with Transformers

Currently deployed public-key cryptosystems will be vulnerable to attacks by full-scale quantum computers. Consequently, "quantum resistant" cryptosystems are in high demand, and lattice-based cryptosystems, based on a hard problem known as Learning With Errors (LWE), have emerged as strong contenders for standardization. In this work, we train transformers to perform modular arithmetic and combine half-trained models with statistical cryptanalysis techniques to propose SALSA: a machine learning attack on LWE-based cryptographic schemes. SALSA can fully recover secrets for small-to-mid size LWE instances with sparse binary secrets, and may scale to attack real-world LWE-based cryptosystems.Comment: Extended version of work published at NeurIPS 202

On the IND-CCA1 Security of FHE Schemes

Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it first. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied, and we therefore provide an overview of the IND-CCA1 security of all acknowledged FHE schemes in this paper. To give this overview, we grouped the SHE schemes into broad categories based on their similarities and underlying hardness problems. For each category, we show that the SHE schemes are susceptible to either known adaptive key recovery attacks, a natural extension of known attacks, or our proposed attacks. Finally, we discuss the known techniques to achieve IND-CCA1-secure FHE and SHE schemes. We concluded that none of the proposed schemes were IND-CCA1-secure and that the known general constructions all had their shortcomings.publishedVersio