Lattice Gaussian Sampling by Markov Chain Monte Carlo: Bounded Distance Decoding and Trapdoor Sampling

Sampling from the lattice Gaussian distribution plays an important role in various research fields. In this paper, the Markov chain Monte Carlo (MCMC)-based sampling technique is advanced in several fronts. Firstly, the spectral gap for the independent Metropolis-Hastings-Klein (MHK) algorithm is derived, which is then extended to Peikert's algorithm and rejection sampling; we show that independent MHK exhibits faster convergence. Then, the performance of bounded distance decoding using MCMC is analyzed, revealing a flexible trade-off between the decoding radius and complexity. MCMC is further applied to trapdoor sampling, again offering a trade-off between security and complexity. Finally, the independent multiple-try Metropolis-Klein (MTMK) algorithm is proposed to enhance the convergence rate. The proposed algorithms allow parallel implementation, which is beneficial for practical applications.Comment: submitted to Transaction on Information Theor

Implementation and evaluation of improved Gaussian sampling for lattice trapdoors

We report on our implementation of a new Gaussian sampling algorithm for lattice trapdoors. Lattice trapdoors are used in a wide array of lattice-based cryptographic schemes including digital signatures, attributed-based encryption, program obfuscation and others. Our implementation provides Gaussian sampling for trapdoor lattices with prime moduli, and supports both single- and multi-threaded execution. We experimentally evaluate our implementation through its use in the GPV hash-and-sign digital signature scheme as a benchmark. We compare our design and implementation with prior work reported in the literature. The evaluation shows that our implementation 1) has smaller space requirements and faster runtime, 2) does not require multi-precision floating-point arithmetic, and 3) can be used for a broader range of cryptographic primitives than previous implementations

Ring Signature from Bonsai Tree: How to Preserve the Long-Term Anonymity

Signer-anonymity is the central feature of ring signatures, which enable a user to sign messages on behalf of an arbitrary set of users, called the ring, without revealing exactly which member of the ring actually generated the signature. Strong and long-term signer-anonymity is a reassuring guarantee for users who are hesitant to leak a secret, especially if the consequences of identification are dire in certain scenarios such as whistleblowing. The notion of \textit{unconditional anonymity}, which protects signer-anonymity even against an infinitely powerful adversary, is considered for ring signatures that aim to achieve long-term signer-anonymity. However, the existing lattice-based works that consider the unconditional anonymity notion did not strictly capture the security requirements imposed in practice, this leads to a realistic attack on signer-anonymity. In this paper, we present a realistic attack on the unconditional anonymity of ring signatures, and formalize the unconditional anonymity model to strictly capture it. We then propose a lattice-based ring signature construction with unconditional anonymity by leveraging bonsai tree mechanism. Finally, we prove the security in the standard model and demonstrate the unconditional anonymity through both theoretical proof and practical experiments

Contributions to Lattice–based Cryptography

Post–quantum cryptography (PQC) is a new and fast–growing part of Cryptography. It focuses on developing cryptographic algorithms and protocols that resist quantum adversaries (i.e., the adversaries who have access to quantum computers). To construct a new PQC primitive, a designer must use a mathematical problem intractable for the quantum adversary. Many intractability assumptions are being used in PQC. There seems to be a consensus in the research community that the most promising are intractable/hard problems in lattices. However, lattice–based cryptography still needs more research to make it more efficient and practical. The thesis contributes toward achieving either the novelty or the practicality of lattice– based cryptographic systems

Post-quantum blockchain for internet of things domain

This thesis was submitted for the award of Doctor of Philosophy and was awarded by Brunel University LondonIn the evolving realm of quantum computing, emerging advancements reveal substantial challenges and threats to existing cryptographic infrastructures, particularly impacting blockchain technologies. These are pivotal for securing the Internet of Things (IoT) ecosystems. The traditional blockchain structures, integral to myriad IoT applications, are susceptible to potential quantum computations, emphasizing an urgent need for innovations in post-quantum blockchain solutions to reinforce security in the expansive domain of IoT. This PhD thesis delves into the crucial exploration and meticulous examination of the development and implementation of post-quantum blockchain within the IoT landscape, focusing on the incorporation of advanced post-quantum cryptographic algorithms in Hyperledger Fabric, a forefront blockchain platform renowned for its versatility and robustness. The primary aim is to discern viable post-quantum cryptographic solutions capable of fortifying blockchain systems against impending quantum threats enhancing security and reliability in IoT applications. The research comprehensively evaluates various post-quantum public-key generation and digital signature algorithms, performing detailed analyses of their computational time and memory usage to identify optimal candidates. Furthermore, the thesis proposes an innovative lattice-based digital signature scheme Fast-Fourier Lattice-based Compact Signature over NTRU (Falcon), which leverages the Monte Carlo Markov Chain (MCMC) algorithm as a trapdoor sampler to augment its security attributes. The research introduces a post-quantum version of the Hyperledger Fabric blockchain that integrates post-quantum signatures. The system utilizes the Open Quantum Safe (OQS) library, rigorously tested against NIST round 3 candidates for optimal performance. The study highlights the capability to manage IoT data securely on the post-quantum Hyperledger Fabric blockchain through the Message Queue Telemetry Transport (MQTT) protocol. Such a configuration ensures safe data transfer from IoT sensors directly to the blockchain nodes, securing the processing and recording of sensor data within the node ledger. The research addresses the multifaceted challenges of quantum computing advancements and significantly contributes to establishing secure, efficient, and resilient post-quantum blockchain infrastructures tailored explicitly for the IoT domain. These findings are instrumental in elevating the security paradigms of IoT systems against quantum vulnerabilities and catalysing innovations in post-quantum cryptography and blockchain technologies. Furthermore, this thesis introduces strategies for the optimization of performance and scalability of post-quantum blockchain solutions and explores alternative, energy-efficient consensus mechanisms such as the Raft and Stellar Consensus Protocol (SCP), providing sustainable alternatives to the conventional Proof-of-Work (PoW) approach. A critical insight emphasized throughout this thesis is the imperative of synergistic collaboration among academia, industry, and regulatory bodies. This collaboration is pivotal to expedite the adoption and standardization of post-quantum blockchain solutions, fostering the development of interoperable and standardized technologies enriched with robust security and privacy frameworks for end users. In conclusion, this thesis furnishes profound insights and substantial contributions to implementing post-quantum blockchain in the IoT domain. It delineates original contributions to the knowledge and practices in the field, offering practical solutions and advancing the state-of-the-art in post-quantum cryptography and blockchain research, thereby paving the way for a secure and resilient future for interconnected IoT systems

잡음키를 가지는 신원기반 동형암호에 관한 연구

학위논문(박사)--서울대학교 대학원 :자연과학대학 수리과학부,2020. 2. 천정희.클라우드 상의 데이터 분석 위임 시나리오는 동형암호의 가장 효과적인 응용 시나리오 중 하나이다. 그러나, 다양한 데이터 제공자와 분석결과 요구자가 존재하는 실제 현실의 모델에서는 기본적인 암복호화와 동형 연산 외에도 여전히 해결해야 할 과제들이 남아있는 실정이다. 본 학위논문에서는 이러한 모델에서 필요한 여러 요구사항들을 포착하고, 이에 대한 해결방안을 논하였다. 먼저, 기존의 알려진 동형 데이터 분석 솔루션들은 데이터 간의 층위나 수준을 고려하지 못한다는 점에 착안하여, 신원기반 암호와 동형암호를 결합하여 데이터 사이에 접근 권한을 설정하여 해당 데이터 사이의 연산을 허용하는 모델을 생각하였다. 또한 이 모델의 효율적인 동작을 위해서 동형암호 친화적인 신원기반 암호에 대하여 연구하였고, 기존에 알려진 NTRU 기반의 암호를 확장하여 module-NTRU 문제를 정의하고 이를 기반으로 한 신원기반 암호를 제안하였다. 둘째로, 동형암호의 복호화 과정에는 여전히 비밀키가 관여하고 있고, 따라서 비밀키 관리 문제가 남아있다는 점을 포착하였다. 이러한 점에서 생체정보를 활용할 수 있는 복호화 과정을 개발하여 해당 과정을 동형암호 복호화에 적용하였고, 이를 통해 암복호화와 동형 연산의 전 과정을 어느 곳에도 키가 저장되지 않은 상태로 수행할 수 있는 암호시스템을 제안하였다. 마지막으로, 동형암호의 구체적인 안전성 평가 방법을 고려하였다. 이를 위해 동형암호가 기반하고 있는 이른바 Learning With Errors (LWE) 문제의 실제적인 난해성을 면밀히 분석하였고, 그 결과 기존의 공격 알고리즘보다 평균적으로 1000배 이상 빠른 공격 알고리즘들을 개발하였다. 이를 통해 현재 사용하고 있는 동형암호 파라미터가 안전하지 않음을 보였고, 새로운 공격 알고리즘을 통한 파라미터 설정 방법에 대해서 논하였다.Secure data analysis delegation on cloud is one of the most powerful application that homomorphic encryption (HE) can bring. As the technical level of HE arrive at practical regime, this model is also being considered to be a more serious and realistic paradigm. In this regard, this increasing attention requires more versatile and secure model to deal with much complicated real world problems. First, as real world modeling involves a number of data owners and clients, an authorized control to data access is still required even for HE scenario. Second, we note that although homomorphic operation requires no secret key, the decryption requires the secret key. That is, the secret key management concern still remains even for HE. Last, in a rather fundamental view, we thoroughly analyze the concrete hardness of the base problem of HE, so-called Learning With Errors (LWE). In fact, for the sake of efficiency, HE exploits a weaker variant of LWE whose security is believed not fully understood. For the data encryption phase efficiency, we improve the previously suggested NTRU-lattice ID-based encryption by generalizing the NTRU concept into module-NTRU lattice. Moreover, we design a novel method that decrypts the resulting ciphertext with a noisy key. This enables the decryptor to use its own noisy source, in particular biometric, and hence fundamentally solves the key management problem. Finally, by considering further improvement on existing LWE solving algorithms, we propose new algorithms that shows much faster performance. Consequently, we argue that the HE parameter choice should be updated regarding our attacks in order to maintain the currently claimed security level.1 Introduction 1 1.1 Access Control based on Identity 2 1.2 Biometric Key Management 3 1.3 Concrete Security of HE 3 1.4 List of Papers 4 2 Background 6 2.1 Notation 6 2.2 Lattices 7 2.2.1 Lattice Reduction Algorithm 7 2.2.2 BKZ cost model 8 2.2.3 Geometric Series Assumption (GSA) 8 2.2.4 The Nearest Plane Algorithm 9 2.3 Gaussian Measures 9 2.3.1 Kullback-Leibler Divergence 11 2.4 Lattice-based Hard Problems 12 2.4.1 The Learning With Errors Problem 12 2.4.2 NTRU Problem 13 2.5 One-way and Pseudo-random Functions 14 3 ID-based Data Access Control 16 3.1 Module-NTRU Lattices 16 3.1.1 Construction of MNTRU lattice and trapdoor 17 3.1.2 Minimize the Gram-Schmidt norm 22 3.2 IBE-Scheme from Module-NTRU 24 3.2.1 Scheme Construction 24 3.2.2 Security Analysis by Attack Algorithms 29 3.2.3 Parameter Selections 31 3.3 Application to Signature 33 4 Noisy Key Cryptosystem 36 4.1 Reusable Fuzzy Extractors 37 4.2 Local Functions 40 4.2.1 Hardness over Non-uniform Sources 40 4.2.2 Flipping local functions 43 4.2.3 Noise stability of predicate functions: Xor-Maj 44 4.3 From Pseudorandom Local Functions 47 4.3.1 Basic Construction: One-bit Fuzzy Extractor 48 4.3.2 Expansion to multi-bit Fuzzy Extractor 50 4.3.3 Indistinguishable Reusability 52 4.3.4 One-way Reusability 56 4.4 From Local One-way Functions 59 5 Concrete Security of Homomorphic Encryption 63 5.1 Albrecht's Improved Dual Attack 64 5.1.1 Simple Dual Lattice Attack 64 5.1.2 Improved Dual Attack 66 5.2 Meet-in-the-Middle Attack on LWE 69 5.2.1 Noisy Collision Search 70 5.2.2 Noisy Meet-in-the-middle Attack on LWE 74 5.3 The Hybrid-Dual Attack 76 5.3.1 Dimension-error Trade-o of LWE 77 5.3.2 Our Hybrid Attack 79 5.4 The Hybrid-Primal Attack 82 5.4.1 The Primal Attack on LWE 83 5.4.2 The Hybrid Attack for SVP 86 5.4.3 The Hybrid-Primal attack for LWE 93 5.4.4 Complexity Analysis 96 5.5 Bit-security estimation 102 5.5.1 Estimations 104 5.5.2 Application to PKE 105 6 Conclusion 108 Abstract (in Korean) 120Docto

Towards Compact Identity-based Encryption on Ideal Lattices

Basic encryption and signature on lattices have comparable efficiency to their classical counterparts in terms of speed and key size. However, Identity-based Encryption (IBE) on lattices is much less efficient in terms of compactness, even when instantiated on ideal lattices and in the Random Oracle Model (ROM). This is because the underlying preimage sampling algorithm used to extract the users\u27 secret keys requires huge public parameters. In this work, we specify a compact IBE instantiation for practical use by introducing various optimizations. Specifically, we first propose a modified gadget to make it more suitable for the instantiation of practical IBE. Then, by incorporating our gadget and the non-spherical Gaussian technique, we provide an efficient preimage sampling algorithm, based on which, we give a specification of a compact IBE on ideal lattice. Finally, two parameter sets and a proof-of-concept implementation are presented. Given the importance of the preimage sampling algorithm in lattice-based cryptography, we believe that our technique can also be applied to the practical instantiation of other advanced cryptographic schemes