Efficient noninteractive certification of RSA moduli and beyond

In many applications, it is important to verify that an RSA public key (N; e) speci es a permutation over the entire space ZN, in order to prevent attacks due to adversarially-generated public keys. We design and implement a simple and e cient noninteractive zero-knowledge protocol (in the random oracle model) for this task. Applications concerned about adversarial key generation can just append our proof to the RSA public key without any other modi cations to existing code or cryptographic libraries. Users need only perform a one-time veri cation of the proof to ensure that raising to the power e is a permutation of the integers modulo N. For typical parameter settings, the proof consists of nine integers modulo N; generating the proof and verifying it both require about nine modular exponentiations. We extend our results beyond RSA keys and also provide e cient noninteractive zero- knowledge proofs for other properties of N, which can be used to certify that N is suitable for the Paillier cryptosystem, is a product of two primes, or is a Blum integer. As compared to the recent work of Auerbach and Poettering (PKC 2018), who provide two-message protocols for similar languages, our protocols are more e cient and do not require interaction, which enables a broader class of applications.https://eprint.iacr.org/2018/057First author draf

The Theory and Applications of Homomorphic Cryptography

Homomorphic cryptography provides a third party with the ability to perform simple computations on encrypted data without revealing any information about the data itself. Typically, a third party can calculate one of the encrypted sum or the encrypted product of two encrypted messages. This is possible due to the fact that the encryption function is a group homomorphism, and thus preserves group operations. This makes homomorphic cryptosystems useful in a wide variety of privacy preserving protocols. A comprehensive survey of known homomorphic cryptosystems is provided, including formal definitions, security assumptions, and outlines of security proofs for each cryptosystem presented. Threshold variants of several homomorphic cryptosystems are also considered, with the first construction of a threshold Boneh-Goh-Nissim cryptosystem given, along with a complete proof of security under the threshold semantic security game of Fouque, Poupard, and Stern. This approach is based on Shoup's approach to threshold RSA signatures, which has been previously applied to the Paillier and Damg\aa rd-Jurik cryptosystems. The question of whether or not this approach is suitable for other homomorphic cryptosystems is investigated, with results suggesting that a different approach is required when decryption requires a reduction modulo a secret value. The wide variety of protocols utilizing homomorphic cryptography makes it difficult to provide a comprehensive survey, and while an overview of applications is given, it is limited in scope and intended to provide an introduction to the various ways in which homomorphic cryptography is used beyond simple addition or multiplication of encrypted messages. In the case of strong conditional oblivious tranfser, a new protocol implementing the greater than predicate is presented, utilizing some special properties of the Boneh-Goh-Nissim cryptosystem to achieve security against a malicious receiver

Learning with Errors in the Exponent

We initiate the study of a novel class of group-theoretic intractability problems. Inspired by the theory of learning in presence of errors [Regev, STOC\u2705] we ask if noise in the exponent amplifies intractability. We put forth the notion of Learning with Errors in the Exponent (LWEE) and rather surprisingly show that various attractive properties known to exclusively hold for lattices carry over. Most notably are worst-case hardness and post-quantum resistance. In fact, LWEE\u27s duality is due to the reducibility to two seemingly unrelated assumptions: learning with errors and the representation problem [Brands, Crypto\u2793] in finite groups. For suitable parameter choices LWEE superposes properties from each individual intractability problem. The argument holds in the classical and quantum model of computation. We give the very first construction of a semantically secure public-key encryption system in the standard model. The heart of our construction is an ``error recovery\u27\u27 technique inspired by [Joye-Libert, Eurocrypt\u2713] to handle critical propagations of noise terms in the exponent

Trace-based cryptoanalysis of cyclotomic Rq,0×RqR_{q,0}\times R_q-PLWE for the non-split case

We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring $\mathbb{F}_q[x]/(\Phi_{p^k}(x))$ with $k>1$ in the case where $q\equiv 1\pmod{p}$ but $\Phi_{p^k}(x)$ is not totally split over $\mathbb{F}_q$. Our attack uses the fact that the roots of $\Phi_{p^k}(x)$ over suitable extensions of $\mathbb{F}_q$ have zero-trace and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.Comment: 19 pages; 1 figure; Major update to previous version due to some weaknesses detecte

Algorithms in number theory

Wetensch. publicatieFaculteit der Wiskunde en Natuurwetenschappe

Securely Instantiating Cryptographic Schemes Based on the Learning with Errors Assumption

Since its proposal by Regev in 2005, the Learning With Errors (LWE) problem was used as the underlying problem for a great variety of schemes. Its applications are many-fold, reaching from basic and highly practical primitives like key exchange, public-key encryption, and signature schemes to very advanced solutions like fully homomorphic encryption, group signatures, and identity based encryption. One of the underlying reasons for this fertility is the flexibility with that LWE can be instantiated. Unfortunately, this comes at a cost: It makes selecting parameters for cryptographic applications complicated. When selecting parameters for a new LWE-based primitive, a researcher has to take the influence of several parameters on the efficiency of the scheme and the runtime of a variety of attacks into consideration. In fact, the missing trust in the concrete hardness of LWE is one of the main problems to overcome to bring LWE-based schemes to practice. This thesis aims at closing the gap between the theoretical knowledge of the hardness of LWE, and the concrete problem of selecting parameters for an LWE-based scheme. To this end, we analyze the existing methods to estimate the hardness of LWE, and introduce new estimation techniques where necessary. Afterwards, we show how to transfer this knowledge into instantiations that are at the same time secure and efficient. We show this process on three examples: - A highly optimized public-key encryption scheme for embedded devices that is based on a variant of Ring-LWE. - A practical signature scheme that served as the foundation of one of the best lattice-based signature schemes based on standard lattices. - An advanced public-key encryption scheme that enjoys the unique property of natural double hardness based on LWE instances similar to those used for fully homomorphic encryption

On Cryptographic Building Blocks and Transformations

Cryptographic building blocks play a central role in cryptography, e.g., encryption or digital signatures with their security notions. Further, cryptographic building blocks might be constructed modularly, i.e., emerge out of other cryptographic building blocks. Essentially, one cryptographically transforms the underlying block(s) and their (security) properties into the emerged block and its properties. This thesis considers cryptographic building blocks and new cryptographic transformations

Trace-based cryptanalysis of cyclotomic R_{q,0}xR_q-PLWE for the non-split case

We describe a decisional attack against a version of the PLWE problem in which the samples are taken from a certain proper subring of large dimension of the cyclotomic ring Fq[x]/(Φp k (x)) with k > 1 in the case where q ≡ 1 (mod p) but Φp k (x) is not totally split over Fq. Our attack uses the fact that the roots of Φp k (x) over suitable extensions of Fq have zero-trace and has overwhelming success probability as a function of the number of input samples. An implementation in Maple and some examples of our attack are also provided.Agencia Estatal de InvestigaciónUniversidad de Alcal