106 research outputs found

    Efficient Computation for Pairing Based Cryptography: A State of the Art

    Get PDF

    An algorithmic and architectural study on Montgomery exponentiation in RNS

    Get PDF
    The modular exponentiation on large numbers is computationally intensive. An effective way for performing this operation consists in using Montgomery exponentiation in the Residue Number System (RNS). This paper presents an algorithmic and architectural study of such exponentiation approach. From the algorithmic point of view, new and state-of-the-art opportunities that come from the reorganization of operations and precomputations are considered. From the architectural perspective, the design opportunities offered by well-known computer arithmetic techniques are studied, with the aim of developing an efficient arithmetic cell architecture. Furthermore, since the use of efficient RNS bases with a low Hamming weight are being considered with ever more interest, four additional cell architectures specifically tailored to these bases are developed and the tradeoff between benefits and drawbacks is carefully explored. An overall comparison among all the considered algorithmic approaches and cell architectures is presented, with the aim of providing the reader with an extensive overview of the Montgomery exponentiation opportunities in RNS

    Theory and Practice of Cryptography and Network Security Protocols and Technologies

    Get PDF
    In an age of explosive worldwide growth of electronic data storage and communications, effective protection of information has become a critical requirement. When used in coordination with other tools for ensuring information security, cryptography in all of its applications, including data confidentiality, data integrity, and user authentication, is a most powerful tool for protecting information. This book presents a collection of research work in the field of cryptography. It discusses some of the critical challenges that are being faced by the current computing world and also describes some mechanisms to defend against these challenges. It is a valuable source of knowledge for researchers, engineers, graduate and doctoral students working in the field of cryptography. It will also be useful for faculty members of graduate schools and universities

    A FPGA pairing implementation using the Residue Number System

    Get PDF
    Recently, a lot of progresses have been made in software implementations of pairings at the 128-bit security level in large characteristic. In this work, we obtain analogous progresses for hardware implementations. For this, we use the RNS representation of numbers which is especially well suited for pairing computation in a hardware context. A FPGA implementation is proposed, based on an adaptation of Guillermin\u27s architecture which computes a pairing in 1.07 ms. It is 2 times faster than all previous hardware implementations (including ASIC and small characteristic implementations) and almost as fast as best software implementations

    GPU-based Parallel Computing Models and Implementations for Two-party Privacy-preserving Protocols

    Get PDF
    In (two-party) privacy-preserving-based applications, two users use encrypted inputs to compute a function without giving out plaintext of their input values. Privacy-preserving computing algorithms have to utilize a large amount of computing resources to handle the encryption-decryption operations. In this dissertation, we study optimal utilization of computing resources on the graphic processor unit (GPU) architecture for privacy-preserving protocols based on secure function evaluation (SFE) and the Elliptic Curve Cryptographic (ECC) and related algorithms. A number of privacy-preserving protocols are implemented, including private set intersection (PSI), secret handshaking (SH), secure Edit distance (ED) and Smith-Waterman (SW) problems. PSI is chosen to represent ECC point multiplication related computations, SH for bilinear pairing, and the last two for SFE-based dynamic programming (DP) problems. They represent different types of computations, so that in-depth understanding of the benefits and limitations of the GPU architecture for privacy preserving protocols is gained. For SFE-based ED and SW problems, a wavefront parallel computing model on the CPU-GPU architecture under the semi-honest security model is proposed. Low level parallelization techniques for GPU-based gate (de-)garbler, synchronized parallel memory access, pipelining, and general GPU resource mapping policies are developed. This dissertation shows that the GPU architecture can be fully utilized to speed up SFE-based ED and SW algorithms, which are constructed with billions of garbled gates, on a contemporary GPU card GTX-680, with very little waste of processing cycles or memory space. For PSI and SH protocols and underlying ECC algorithms, the analysis in this research shows that the conventional Montgomery-based number system is more friendly to the GPU architecture than the Residue Number System (RNS) is. Analysis on experiment results further shows that the lazy reduction in higher extension fields can have performance benefits only when the GPU architecture has enough fast memory. The resulting Elliptic curve Arithmetic GPU Library (EAGL) can run 3350.9 R-ate (bilinear) pairing/sec, and 47000 point multiplication/sec at the 128-bit security level, on one GTX-680 card. The primary performance bottleneck is found to be lacking of advanced memory management functions in the contemporary GPU architecture for bilinear pairing operations. Substantial performance gain can be expected when the on-chip memory size and/or more advanced memory prefetching mechanisms are supported in future generations of GPUs

    Proofless Verifiable Computation from Integer Factoring

    Get PDF
    VC schemes provide a mechanism for verifying the output of a remotely executed program. These are used to support computing paradigms wherein a computationally restricted client, the Verifier, wishes to delegate work to a more powerful but untrusted server, the Prover. The Verifier wishes to detect any incorrect results, be they accidental or malicious. The current state-of-the-art is only close-to-practical, usually because of a computationally demanding setup which must be amortised across repeat executions. We present a VC scheme for verifying the output of arithmetic circuits with a small one-time setup, KGen, independent of the size of the circuit being verified, and a insignificantly small constant program specific setup, ProbGen. To our knowledge our VC scheme is the first built from the hardness of integer factoring, a standard cryptographic assumption. Our scheme has the added novelty that the proofs are simply the raw output of the target computation, and the Prover is in effect blind to the fact they are taking part in a VC scheme at all. Compared to related work our scheme comes at the cost of a more expensive, but still efficient, verification step. Verification is always practical, and the Prover workload is unchanged from unverified outsourced computation. Although our scheme has worse asymptotic performance than the state-of-the-art it is particularly well suited for verifying one-shot programs and the output of large integer polynomial evaluation

    Multiplication in Finite Fields and Elliptic Curves

    Get PDF
    La cryptographie ร  clef publique permet de s'รฉchanger des clefs de faรงon distante, d'effectuer des signatures รฉlectroniques, de s'authentifier ร  distance, etc. Dans cette thรจse d'HDR nous allons prรฉsenter quelques contributions concernant l'implantation sรปre et efficace de protocoles cryptographiques basรฉs sur les courbes elliptiques. L'opรฉration de base effectuรฉe dans ces protocoles est la multiplication scalaire d'un point de la courbe. Chaque multiplication scalaire nรฉcessite plusieurs milliers d'opรฉrations dans un corps fini.Dans la premiรจre partie du manuscrit nous nous intรฉressons ร  la multiplication dans les corps finis car c'est l'opรฉration la plus coรปteuse et la plus utilisรฉe. Nous prรฉsentons d'abord des contributions sur les multiplieurs parallรจles dans les corps binaires. Un premier rรฉsultat concerne l'approche sous-quadratique dans une base normale optimale de type 2. Plus prรฉcisรฉment, nous amรฉliorons un multiplieur basรฉ sur un produit de matrice de Toeplitz avec un vecteur en utilisant une recombinaison des blocs qui supprime certains calculs redondants. Nous prรฉsentons aussi un multiplieur pous les corps binaires basรฉ sur une extension d'une optimisation de la multiplication polynomiale de Karatsuba.Ensuite nous prรฉsentons des rรฉsultats concernant la multiplication dans un corps premier. Nous prรฉsentons en particulier une approche de type Montgomery pour la multiplication dans une base adaptรฉe ร  l'arithmรฉtique modulaire. Cette approche cible la multiplication modulo un premier alรฉatoire. Nous prรฉsentons alors une mรฉthode pour la multiplication dans des corps utilisรฉs dans la cryptographie sur les couplages : les extensions de petits degrรฉs d'un corps premier alรฉatoire. Cette mรฉthode utilise une base adaptรฉe engendrรฉe par une racine de l'unitรฉ facilitant la multiplication polynomiale basรฉe sur la FFT. Dans la derniรจre partie de cette thรจse d'HDR nous nous intรฉressons ร  des rรฉsultats qui concernent la multiplication scalaire sur les courbes elliptiques. Nous prรฉsentons une parallรฉlisation de l'รฉchelle binaire de Montgomery dans le cas de E(GF(2^n)). Nous survolons aussi quelques contributions sur des formules de division par 3 dans E(GF(3^n)) et une parallรฉlisation de type (third,triple)-and-add. Dans le dernier chapitre nous dรฉveloppons quelques directions de recherches futures. Nous discutons d'abord de possibles extensions des travaux faits sur les corps binaires. Nous prรฉsentons aussi des axes de recherche liรฉs ร  la randomisation de l'arithmรฉtique qui permet une protection contre les attaques matรฉrielles

    Efficient cryptographic primitives: Secure comparison, binary decomposition and proxy re-encryption

    Get PDF
    โ€Data outsourcing becomes an essential paradigm for an organization to reduce operation costs on supporting and managing its IT infrastructure. When sensitive data are outsourced to a remote server, the data generally need to be encrypted before outsourcing. To preserve the confidentiality of the data, any computations performed by the server should only be on the encrypted data. In other words, the encrypted data should not be decrypted during any stage of the computation. This kind of task is commonly termed as query processing over encrypted data (QPED). One natural solution to solve the QPED problem is to utilize fully homomorphic encryption. However, fully homomorphic encryption is yet to be practical. The second solution is to adopt multi-server setting. However, the existing work is not efficient. Their implementations adopt costly primitives, such as secure comparison, binary decomposition among others, which reduce the efficiency of the whole protocols. Therefore, the improvement of these primitives results in high efficiency of the protocols. To have a well-defined scope, the following types of computations are considered: secure comparison (CMP), secure binary decomposition (SBD) and proxy re-encryption (PRE). We adopt the secret sharing scheme and paillier public key encryption as building blocks, and all computations can be done on the encrypted data by utilizing multiple servers. We analyze the security and the complexity of our proposed protocols, and their efficiencies are evaluated by comparing with the existing solutions.โ€--Abstract, page iii

    ์ •๋ณด ๋ณดํ˜ธ ๊ธฐ๊ณ„ ํ•™์Šต์˜ ์•”ํ˜ธํ•™ ๊ธฐ๋ฐ˜ ๊ธฐ์ˆ : ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ์™€ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ

    Get PDF
    ํ•™์œ„๋…ผ๋ฌธ (๋ฐ•์‚ฌ) -- ์„œ์šธ๋Œ€ํ•™๊ต ๋Œ€ํ•™์› : ๊ณต๊ณผ๋Œ€ํ•™ ์ „๊ธฐยท์ •๋ณด๊ณตํ•™๋ถ€, 2021. 2. ๋…ธ์ข…์„ .In this dissertation, three main contributions are given as; i) a protocol of privacy-preserving machine learning using network resources, ii) the development of approximate homomorphic encryption that achieves less error and high-precision bootstrapping algorithm without compromising performance and security, iii) the cryptanalysis and the modification of code-based cryptosystems: cryptanalysis on IKKR cryptosystem and modification of the pqsigRM, a digital signature scheme proposed to the post-quantum cryptography (PQC) standardization of National Institute of Standards and Technology (NIST). The recent development of machine learning, cloud computing, and blockchain raises a new privacy problem; how can one outsource computation on confidential data? Moreover, as research on quantum computers shows success, the need for PQC is also emerging. Multi-party computation (MPC) is the cryptographic protocol that makes computation on data without revealing it. Since MPC is designed based on homomorphic encryption (HE) and PQC, research on designing efficient and safe HE and PQC is actively being conducted. First, I propose a protocol for privacy-preserving machine learning (PPML) that replaces bootstrapping of homomorphic encryption with network resources. In general, the HE ciphertext has a limited depth of circuit that can be calculated, called the level of a ciphertext. We call bootstrapping restoring the level of ciphertext that has exhausted its level through a method such as homomorphic decryption. Bootstrapping of homomorphic encryption is, in general, very expensive in time and space. However, when deep computations like deep learning are performed, it is required to do bootstrapping. In this protocol, both the client's message and servers' intermediate values are kept secure, while the client's computation and communication complexity are light. Second, I propose an improved bootstrapping algorithm for the CKKS scheme and a method to reduce the error by homomorphic operations in the CKKS scheme. The Cheon-Kim-Kim-Song (CKKS) scheme (Asiacrypt '17) is one of the highlighted fully homomorphic encryption (FHE) schemes as it is efficient to deal with encrypted real numbers, which are the usual data type for many applications such as machine learning. However, the precision drop due to the error growth is a drawback of the CKKS scheme for data processing. I propose a method to achieve high-precision approximate FHE using the following two methods .First, I apply the signal-to-noise ratio (SNR) concept and propose methods to maximize SNR by reordering homomorphic operations in the CKKS scheme. For that, the error variance is minimized instead of the upper bound of error when we deal with the encrypted data. Second, from the same perspective of minimizing error variance, I propose a new method to find the approximate polynomials for the CKKS scheme. The approximation method is especially applied to the CKKS scheme's bootstrapping, where we achieve bootstrapping with smaller error variance compared to the prior arts. In addition to the above variance-minimizing method, I cast the problem of finding an approximate polynomial for a modulus reduction into an L2-norm minimization problem. As a result, I find an approximate polynomial for the modulus reduction without using the sine function, which is the upper bound for the polynomial approximation of the modulus reduction. By using the proposed method, the constraint of q = O(m^{3/2}) is relaxed as O(m), and thus the level loss in bootstrapping can be reduced. The performance improvement by the proposed methods is verified by implementation over HE libraries, that is, HEAAN and SEAL. The implementation shows that by reordering homomorphic operations and using the proposed polynomial approximation, the reliability of the CKKS scheme is improved. Therefore, the quality of services of various applications using the proposed CKKS scheme, such as PPML, can be improved without compromising performance and security. Finally, I propose an improved code-based signature scheme and cryptanalysis of code-based cryptosystems. A novel code-based signature scheme with small parameters and an attack algorithm on recent code-based cryptosystems are presented in this dissertation. This scheme is based on a modified Reed-Muller (RM) code, which reduces the signing complexity and key size compared with existing code-based signature schemes. The proposed scheme has the advantage of the pqsigRM decoder and uses public codes that are more difficult to distinguish from random codes. I use (U, U+V) -codes with the high-dimensional hull to overcome the disadvantages of code-based schemes. The proposed a decoder which efficiently samples from coset elements with small Hamming weight for any given syndrome. The proposed signature scheme resists various known attacks on RM code-based cryptography. For 128 bits of classical security, the signature size is 4096 bits, and the public key size is less than 1 MB. Recently, Ivanov, Kabatiansky, Krouk, and Rumenko (IKKR) proposed three new variants of the McEliece cryptosystem (CBCrypto 2020, affiliated with Eurocrypt 2020). This dissertation shows that one of the IKKR cryptosystems is equal to the McEliece cryptosystem. Furthermore, a polynomial-time attack algorithm for the other two IKKR cryptosystems is proposed. The proposed attack algorithm utilizes the linearity of IKKR cryptosystems. Also, an implementation of the IKKR cryptosystems and the proposed attack is given. The proposed attack algorithm finds the plaintext within 0.2 sec, which is faster than the elapsed time for legitimate decryption.๋ณธ ๋…ผ๋ฌธ์€ ํฌ๊ฒŒ ๋‹ค์Œ์˜ ์„ธ ๊ฐ€์ง€์˜ ๊ธฐ์—ฌ๋ฅผ ํฌํ•จํ•œ๋‹ค. i) ๋„คํŠธ์›Œํฌ๋ฅผ ํ™œ์šฉํ•ด์„œ ์ •๋ณด ๋ณดํ˜ธ ๋”ฅ๋Ÿฌ๋‹์„ ๊ฐœ์„ ํ•˜๋Š” ํ”„๋กœํ† ์ฝœ ii) ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ์—์„œ ๋ณด์•ˆ์„ฑ๊ณผ ์„ฑ๋Šฅ์˜ ์†ํ•ด ์—†์ด ์—๋Ÿฌ๋ฅผ ๋‚ฎ์ถ”๊ณ  ๋†’์€ ์ •ํ™•๋„๋กœ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘ ํ•˜๋Š” ๋ฐฉ๋ฒ• iii) IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ๊ณผ pqsigRM ๋“ฑ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” ๋ฐฉ๋ฒ•๊ณผ ํšจ์œจ์ ์ธ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ. ๊ทผ๋ž˜์˜ ๊ธฐ๊ณ„ํ•™์Šต๊ณผ ๋ธ”๋ก์ฒด์ธ ๊ธฐ์ˆ ์˜ ๋ฐœ์ „์œผ๋กœ ์ธํ•ด์„œ ๊ธฐ๋ฐ€ ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ์—ฐ์‚ฐ์„ ์–ด๋–ป๊ฒŒ ์™ธ์ฃผํ•  ์ˆ˜ ์žˆ๋Š๋ƒ์— ๋Œ€ํ•œ ์ƒˆ๋กœ์šด ๋ณด์•ˆ ๋ฌธ์ œ๊ฐ€ ๋Œ€๋‘๋˜๊ณ  ์žˆ๋‹ค. ๋˜ํ•œ, ์–‘์ž ์ปดํ“จํ„ฐ์— ๊ด€ํ•œ ์—ฐ๊ตฌ๊ฐ€ ์„ฑ๊ณต์„ ๊ฑฐ๋“ญํ•˜๋ฉด์„œ, ์ด๋ฅผ ์ด์šฉํ•œ ๊ณต๊ฒฉ์— ์ €ํ•ญํ•˜๋Š” ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์˜ ํ•„์š”์„ฑ ๋˜ํ•œ ์ปค์ง€๊ณ  ์žˆ๋‹ค. ๋‹ค์ž๊ฐ„ ์ปดํ“จํŒ…์€ ๋ฐ์ดํ„ฐ๋ฅผ ๊ณต๊ฐœํ•˜์ง€ ์•Š๊ณ  ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ์—ฐ์‚ฐ์„ ์ˆ˜ํ–‰ํ•  ์ˆ˜ ์žˆ๋„๋ก ํ•˜๋Š” ์•”ํ˜ธํ•™์  ํ”„๋กœํ† ์ฝœ์˜ ์ด์นญ์ด๋‹ค. ๋‹ค์ž๊ฐ„ ์ปดํ“จํŒ…์€ ๋™ํ˜• ์•”ํ˜ธ์™€ ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์— ๊ธฐ๋ฐ˜ํ•˜๊ณ  ์žˆ์œผ๋ฏ€๋กœ, ํšจ์œจ์ ์ธ ๋™ํ˜• ์•”ํ˜ธ์™€ ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์— ๊ด€ํ•œ ์—ฐ๊ตฌ๊ฐ€ ํ™œ๋ฐœํ•˜๊ฒŒ ์ˆ˜ํ–‰๋˜๊ณ  ์žˆ๋‹ค. ๋™ํ˜• ์•”ํ˜ธ๋Š” ์•”ํ˜ธํ™”๋œ ๋ฐ์ดํ„ฐ์— ๋Œ€ํ•œ ์—ฐ์‚ฐ์ด ๊ฐ€๋Šฅํ•œ ํŠน์ˆ˜ํ•œ ์•”ํ˜ธํ™” ์•Œ๊ณ ๋ฆฌ์ฆ˜์ด๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ๋™ํ˜• ์•”ํ˜ธ์˜ ์•”ํ˜ธ๋ฌธ์— ๋Œ€ํ•ด์„œ ์ˆ˜ํ–‰ ๊ฐ€๋Šฅํ•œ ์—ฐ์‚ฐ์˜ ๊นŠ์ด๊ฐ€ ์ •ํ•ด์ ธ ์žˆ์œผ๋ฉฐ, ์ด๋ฅผ ์•”ํ˜ธ๋ฌธ์˜ ๋ ˆ๋ฒจ์ด๋ผ๊ณ  ์นญํ•œ๋‹ค. ๋ ˆ๋ฒจ์„ ๋ชจ๋‘ ์†Œ๋น„ํ•œ ์•”ํ˜ธ๋ฌธ์˜ ๋ ˆ๋ฒจ์„ ๋‹ค์‹œ ๋ณต์›ํ•˜๋Š” ๊ณผ์ •์„ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘ (bootstrapping)์ด๋ผ๊ณ  ์นญํ•œ๋‹ค. ์ผ๋ฐ˜์ ์œผ๋กœ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์€ ๋งค์šฐ ์˜ค๋ž˜ ๊ฑธ๋ฆฌ๋Š” ์—ฐ์‚ฐ์ด๋ฉฐ ์‹œ๊ฐ„ ๋ฐ ๊ณต๊ฐ„ ๋ณต์žก๋„๊ฐ€ ํฌ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜, ๋”ฅ๋Ÿฌ๋‹๊ณผ ๊ฐ™์ด ๊นŠ์ด๊ฐ€ ํฐ ์—ฐ์‚ฐ์„ ์ˆ˜ํ–‰ํ•˜๋Š” ๊ฒฝ์šฐ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์ด ํ•„์ˆ˜์ ์ด๋‹ค. ๋ณธ ๋…ผ๋ฌธ์—์„œ๋Š” ์ •๋ณด ๋ณดํ˜ธ ๊ธฐ๊ณ„ํ•™์Šต์„ ์œ„ํ•œ ์ƒˆ๋กœ์šด ํ”„๋กœํ† ์ฝœ์„ ์ œ์•ˆํ•œ๋‹ค. ์ด ํ”„๋กœํ† ์ฝœ์—์„œ๋Š” ์ž…๋ ฅ ๋ฉ”์‹œ์ง€์™€ ๋”๋ถˆ์–ด ์‹ ๊ฒฝ๋ง์˜ ์ค‘๊ฐ„๊ฐ’๋“ค ๋˜ํ•œ ์•ˆ์ „ํ•˜๊ฒŒ ๋ณดํ˜ธ๋œ๋‹ค. ๊ทธ๋Ÿฌ๋‚˜ ์—ฌ์ „ํžˆ ์‚ฌ์šฉ์ž์˜ ํ†ต์‹  ๋ฐ ์—ฐ์‚ฐ ๋ณต์žก๋„๋Š” ๋‚ฎ๊ฒŒ ์œ ์ง€๋œ๋‹ค. Cheon, Kim, Kim ๊ทธ๋ฆฌ๊ณ  Song (CKKS)๊ฐ€ ์ œ์•ˆํ•œ ์•”ํ˜ธ ์‹œ์Šคํ…œ (Asiacrypt 17)์€ ๊ธฐ๊ณ„ํ•™์Šต ๋“ฑ์—์„œ ๊ฐ€์žฅ ๋„๋ฆฌ ์“ฐ์ด๋Š” ๋ฐ์ดํ„ฐ์ธ ์‹ค์ˆ˜๋ฅผ ํšจ์œจ์ ์œผ๋กœ ๋‹ค๋ฃฐ ์ˆ˜ ์žˆ์œผ๋ฏ€๋กœ ๊ฐ€์žฅ ์ด‰๋ง๋ฐ›๋Š” ์™„์ „ ๋™ํ˜• ์•”ํ˜ธ ์‹œ์Šคํ…œ์ด๋‹ค. ๊ทธ๋Ÿฌ๋‚˜, ์˜ค๋ฅ˜์˜ ์ฆํญ๊ณผ ์ „ํŒŒ๊ฐ€ CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ๊ฐ€์žฅ ํฐ ๋‹จ์ ์ด๋‹ค. ์ด ๋…ผ๋ฌธ์—์„œ๋Š” ์•„๋ž˜์˜ ๊ธฐ์ˆ ์„ ํ™œ์šฉํ•˜์—ฌ CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์˜ค๋ฅ˜๋ฅผ ์ค„์ด๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•˜๋ฉฐ, ์ด๋Š” ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ์— ์ผ๋ฐ˜ํ™”ํ•˜์—ฌ ์ ์šฉํ•  ์ˆ˜ ์žˆ๋‹ค. ์ฒซ์งธ, ์‹ ํ˜ธ ๋Œ€๋น„ ์žก์Œ ๋น„ (signal-to-noise ratio, SNR)์˜ ๊ฐœ๋…์„ ๋„์ž…ํ•˜์—ฌ, SNR๋ฅผ ์ตœ๋Œ€ํ™”ํ•˜๋„๋ก ์—ฐ์‚ฐ์˜ ์ˆœ์„œ๋ฅผ ์žฌ์กฐ์ •ํ•œ๋‹ค. ๊ทธ๋Ÿฌ๊ธฐ ์œ„ํ•ด์„œ๋Š”, ์˜ค๋ฅ˜์˜ ์ตœ๋Œ€์น˜ ๋Œ€์‹  ๋ถ„์‚ฐ์ด ์ตœ์†Œํ™”๋˜์–ด์•ผ ํ•˜๋ฉฐ, ์ด๋ฅผ ๊ด€๋ฆฌํ•ด์•ผ ํ•œ๋‹ค. ๋‘˜์งธ, ์˜ค๋ฅ˜์˜ ๋ถ„์‚ฐ์„ ์ตœ์†Œํ™”ํ•œ๋‹ค๋Š” ๊ฐ™์€ ๊ด€์ ์—์„œ ์ƒˆ๋กœ์šด ๋‹คํ•ญ์‹ ๊ทผ์‚ฌ ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ์ด ๊ทผ์‚ฌ ๋ฐฉ๋ฒ•์€ ํŠนํžˆ, CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์— ์ ์šฉ๋˜์—ˆ์œผ๋ฉฐ, ์ข…๋ž˜ ๊ธฐ์ˆ ๋ณด๋‹ค ๋” ๋‚ฎ์€ ์˜ค๋ฅ˜๋ฅผ ๋‹ฌ์„ฑํ•œ๋‹ค. ์œ„์˜ ๋ฐฉ๋ฒ•์— ๋”ํ•˜์—ฌ, ๊ทผ์‚ฌ ๋‹คํ•ญ์‹์„ ๊ตฌํ•˜๋Š” ๋ฌธ์ œ๋ฅผ L2-norm ์ตœ์†Œํ™” ๋ฌธ์ œ๋กœ ์น˜ํ™˜ํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ์ด๋ฅผ ํ†ตํ•ด์„œ ์‚ฌ์ธ ํ•จ์ˆ˜์˜ ๋„์ž… ์—†์ด ๊ทผ์‚ฌ ๋‹คํ•ญ์‹์„ ๊ตฌํ•˜๋Š” ๋ฐฉ๋ฒ•์„ ์ œ์•ˆํ•œ๋‹ค. ์ œ์•ˆ๋œ ๋ฐฉ๋ฒ•์„ ์‚ฌ์šฉํ•˜๋ฉด, q=O(m^{3/2})๋ผ๋Š” ์ œ์•ฝ์„ q=O(m)์œผ๋กœ ์ค„์ผ ์ˆ˜ ์žˆ์œผ๋ฉฐ, ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์— ํ•„์š”ํ•œ ๋ ˆ๋ฒจ ์†Œ๋ชจ๋ฅผ ์ค„์ผ ์ˆ˜ ์žˆ๋‹ค. ์„ฑ๋Šฅ ํ–ฅ์ƒ์€ HEAAN๊ณผ SEAL ๋“ฑ์˜ ๋™ํ˜• ์•”ํ˜ธ ๋ผ์ด๋ธŒ๋Ÿฌ๋ฆฌ๋ฅผ ํ™œ์šฉํ•œ ๊ตฌํ˜„์„ ํ†ตํ•ด ์ฆ๋ช…ํ–ˆ์œผ๋ฉฐ, ๊ตฌํ˜„์„ ํ†ตํ•ด์„œ ์—ฐ์‚ฐ ์žฌ์ •๋ ฌ๊ณผ ์ƒˆ๋กœ์šด ๋ถ€ํŠธ์ŠคํŠธ๋ž˜ํ•‘์ด CKKS ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์„ฑ๋Šฅ์„ ํ–ฅ์ƒํ•จ์„ ํ™•์ธํ–ˆ๋‹ค. ๋”ฐ๋ผ์„œ, ๋ณด์•ˆ์„ฑ๊ณผ ์„ฑ๋Šฅ์˜ ํƒ€ํ˜‘ ์—†์ด ๊ทผ์‚ฌ ๋™ํ˜• ์•”ํ˜ธ๋ฅผ ์‚ฌ์šฉํ•˜๋Š” ์„œ๋น„์Šค์˜ ์งˆ์„ ํ–ฅ์ƒํ•  ์ˆ˜ ์žˆ๋‹ค. ์–‘์ž ์ปดํ“จํ„ฐ๋ฅผ ํ™œ์šฉํ•˜์—ฌ ์ „ํ†ต์ ์ธ ๊ณต๊ฐœํ‚ค ์•”ํ˜ธ๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” ํšจ์œจ์ ์ธ ์•Œ๊ณ ๋ฆฌ์ฆ˜์ด ๊ณต๊ฐœ๋˜๋ฉด์„œ, ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ์— ๋Œ€ํ•œ ํ•„์š”์„ฑ์ด ์ฆ๋Œ€ํ–ˆ๋‹ค. ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ๋Š” ํฌ์ŠคํŠธ ์–‘์ž ์•”ํ˜ธ๋กœ์จ ๋„๋ฆฌ ์—ฐ๊ตฌ๋˜์—ˆ๋‹ค. ์ž‘์€ ํ‚ค ํฌ๊ธฐ๋ฅผ ๊ฐ–๋Š” ์ƒˆ๋กœ์šด ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ๊ณผ ๋ถ€ํ˜ธ ๊ธฐ๋ฐ˜ ์•”ํ˜ธ๋ฅผ ๊ณต๊ฒฉํ•˜๋Š” ๋ฐฉ๋ฒ•์ด ๋…ผ๋ฌธ์— ์ œ์•ˆ๋˜์–ด ์žˆ๋‹ค. pqsigRM์ด๋ผ ๋ช…๋ช…ํ•œ ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ์ด ๊ทธ๊ฒƒ์ด๋‹ค. ์ด ์ „์ž ์„œ๋ช… ์‹œ์Šคํ…œ์€ ์ˆ˜์ •๋œ Reed-Muller (RM) ๋ถ€ํ˜ธ๋ฅผ ํ™œ์šฉํ•˜๋ฉฐ, ์„œ๋ช…์˜ ๋ณต์žก๋„์™€ ํ‚ค ํฌ๊ธฐ๋ฅผ ์ข…๋ž˜ ๊ธฐ์ˆ ๋ณด๋‹ค ๋งŽ์ด ์ค„์ธ๋‹ค. pqsigRM์€ hull์˜ ์ฐจ์›์ด ํฐ (U, U+V) ๋ถ€ํ˜ธ์™€ ์ด์˜ ๋ณตํ˜ธํ™”๋ฅผ ์ด์šฉํ•˜์—ฌ, ์„œ๋ช…์—์„œ ํฐ ์ด๋“์ด ์žˆ๋‹ค. ์ด ๋ณตํ˜ธํ™” ์•Œ๊ณ ๋ฆฌ์ฆ˜์€ ์ฃผ์–ด์ง„ ๋ชจ๋“  ์ฝ”์…‹ (coset)์˜ ์›์†Œ์— ๋Œ€ํ•˜์—ฌ ์ž‘์€ ํ—ค๋ฐ ๋ฌด๊ฒŒ๋ฅผ ๊ฐ–๋Š” ์›์†Œ๋ฅผ ๋ฐ˜ํ™˜ํ•œ๋‹ค. ๋˜ํ•œ, ์ˆ˜์ •๋œ RM ๋ถ€ํ˜ธ๋ฅผ ์ด์šฉํ•˜์—ฌ, ์•Œ๋ ค์ง„ ๋ชจ๋“  ๊ณต๊ฒฉ์— ์ €ํ•ญํ•œ๋‹ค. 128๋น„ํŠธ ์•ˆ์ •์„ฑ์— ๋Œ€ํ•ด์„œ ์„œ๋ช…์˜ ํฌ๊ธฐ๋Š” 4096 ๋น„ํŠธ์ด๊ณ , ๊ณต๊ฐœ ํ‚ค์˜ ํฌ๊ธฐ๋Š” 1MB๋ณด๋‹ค ์ž‘๋‹ค. ์ตœ๊ทผ, Ivanov, Kabatiansky, Krouk, ๊ทธ๋ฆฌ๊ณ  Rumenko (IKKR)๊ฐ€ McEliece ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์„ธ ๊ฐ€์ง€ ๋ณ€ํ˜•์„ ๋ฐœํ‘œํ–ˆ๋‹ค (CBCrypto 2020, Eurocrypt 2020์™€ ํ•จ๊ป˜ ์ง„ํ–‰). ๋ณธ ๋…ผ๋ฌธ์—์„œ๋Š” IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ์ค‘ ํ•˜๋‚˜๊ฐ€ McEliece ์•”ํ˜ธ ์‹œ์Šคํ…œ๊ณผ ๋™์น˜์ž„์„ ์ฆ๋ช…ํ•œ๋‹ค. ๋˜ํ•œ ๋‚˜๋จธ์ง€ IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ์— ๋Œ€ํ•œ ๋‹คํ•ญ ์‹œ๊ฐ„ ๊ณต๊ฒฉ์„ ์ œ์•ˆํ•œ๋‹ค. ์ œ์•ˆํ•˜๋Š” ๊ณต๊ฒฉ์€ IKKR ์•”ํ˜ธ ์‹œ์Šคํ…œ์˜ ์„ ํ˜•์„ฑ์„ ํ™œ์šฉํ•œ๋‹ค. ๋˜ํ•œ, ์ด ๋…ผ๋ฌธ์€ ์ œ์•ˆํ•œ ๊ณต๊ฒฉ์˜ ๊ตฌํ˜„์„ ํฌํ•จํ•˜๋ฉฐ, ์ œ์•ˆ๋œ ๊ณต๊ฒฉ์€ 0.2์ดˆ ์ด๋‚ด์— ๋ฉ”์‹œ์ง€๋ฅผ ๋ณต์›ํ•˜๊ณ , ์ด๋Š” ์ •์ƒ์ ์ธ ๋ณตํ˜ธํ™”๋ณด๋‹ค ๋น ๋ฅธ ์†๋„์ด๋‹ค.Contents Abstract i Contents iv List of Tables ix List of Figures xi 1 Introduction 1 1.1 Homomorphic Encryption and Privacy-Preserving Machine Learning 4 1.2 High-Precision CKKS Scheme and Its Bootstrapping 5 1.2.1 Near-Optimal Bootstrapping of the CKKS Scheme Using Least Squares Method 6 1.2.2 Variance-Minimizing and Optimal Bootstrapping of the CKKS Scheme 8 1.3 Efficient Code-Based Signature Scheme and Cryptanalysis of the Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems 10 1.3.1 Modified pqsigRM: An Efficient Code-Based Signature Scheme 11 1.3.2 Ivanov-Kabatiansky-Krouk-Rumenko Cryptosystems and Its Equality 13 1.4 Organization of the Dissertation 14 2 Preliminaries 15 2.1 Basic Notation 15 2.2 Privacy-Preserving Machine Learning and Security Terms 16 2.2.1 Privacy-Preserving Machine Learning and Security Terms 16 2.2.2 Privacy-Preserving Machine Learning 17 2.3 The CKKS Scheme and Its Bootstrapping 18 2.3.1 The CKKS Scheme 18 2.3.2 CKKS Scheme in RNS 22 2.3.3 Bootstrapping of the CKKS Scheme 24 2.3.4 Statistical Characteristics of Modulus Reduction and Failure Probability of Bootstrapping of the CKKS Scheme 26 2.4 Approximate Polynomial and Signal-to-Noise Perspective for Approximate Homomorphic Encryption 27 2.4.1 Chebyshev Polynomials 27 2.4.2 Signal-to-Noise Perspective of the CKKS Scheme 28 2.5 Preliminary for Code-Based Cryptography 29 2.5.1 The McEliece Cryptosystem 29 2.5.2 CFS Signature Scheme 30 2.5.3 ReedMuller Codes and Recursive Decoding 31 2.5.4 IKKR Cryptosystems 33 3 Privacy-Preserving Machine Learning via FHEWithout Bootstrapping 37 3.1 Introduction 37 3.2 Information Theoretic Secrecy and HE for Privacy-Preserving Machine Learning 38 3.2.1 The Failure Probability of Ordinary CKKS Bootstrapping 39 3.3 Comparison With Existing Methods 43 3.3.1 Comparison With the Hybrid Method 43 3.3.2 Comparison With FHE Method 44 3.4 Comparison for Evaluating Neural Network 45 4 High-Precision Approximate Homomorphic Encryption and Its Bootstrapping by Error Variance Minimization and Convex Optimization 50 4.1 Introduction 50 4.2 Optimization of Error Variance in the Encrypted Data 51 4.2.1 Tagged Information for Ciphertext 52 4.2.2 WorstCase Assumption 53 4.2.3 Error in Homomorphic Operations of the CKKS Scheme 54 4.2.4 Reordering Homomorphic Operations 59 4.3 Near-Optimal Polynomial for Modulus Reduction 66 4.3.1 Approximate Polynomial Using L2-Norm optimization 66 4.3.2 Efficient Homomorphic Evaluation of the Approximate Polynomial 70 4.4 Optimal Approximate Polynomial and Bootstrapping of the CKKS Scheme 73 4.4.1 Polynomial Basis Error and Polynomial Evaluation in the CKKS Scheme 73 4.4.2 Variance-Minimizing Polynomial Approximation 74 4.4.3 Optimal Approximate Polynomial for Bootstrapping and Magnitude of Its Coefficients 75 4.4.4 Reducing Complexity and Error Using Odd Function 79 4.4.5 Generalization of Weight Constants and Numerical Method 80 4.5 Comparison and Implementation 84 4.6 Reduction of Level Loss in Bootstrapping 89 4.7 Implementation of the Proposed Method and Performance Comparison 92 4.7.1 Error Variance Minimization 92 4.7.2 Weight Constant and Minimum Error Variance 93 4.7.3 Comparison of the Proposed MethodWith the Previous Methods 96 5 Efficient Code-Based Signature Scheme and Cryptanalysis of Code-Based Cryptosystems 104 5.1 Introduction 104 5.2 Modified ReedMuller Codes and Proposed Signature Scheme 105 5.2.1 Partial Permutation of Generator Matrix and Modified ReedMuller Codes 105 5.2.2 Decoding of Modified ReedMuller Codes 108 5.2.3 Proposed Signature Scheme 110 5.3 Security Analysis of Modified pqsigRM 111 5.3.1 Decoding One Out of Many 112 5.3.2 Security Against Key Substitution Attacks 114 5.3.3 EUFCMA Security 114 5.4 Indistinguishability of the Public Code and Signature 120 5.4.1 Modifications of Public Code 121 5.4.2 Public Code Indistinguishability 124 5.4.3 Signature Leaks 126 5.5 Parameter Selection 126 5.5.1 Parameter Sets 126 5.5.2 Statistical Analysis for Determining Number of Partial Permutations 128 5.6 Equivalence of the Prototype IKKR and the McEliece Cryptosystems 131 5.7 Cryptanalysis of the IKKR Cryptosystems 133 5.7.1 Linearity of Two Variants of IKKR Cryptosystems 133 5.7.2 The Attack Algorithm 134 5.7.3 Implementation 135 6 Conclusion 139 6.1 Privacy-Preserving Machine Learning Without Bootstrapping 139 6.2 Variance-Minimization in the CKKS Scheme 140 6.3 L2-Norm Minimization for the Bootstrapping of the CKKS Scheme 141 6.4 Modified pqsigRM: RM Code-Based Signature Scheme 142 6.5 Cryptanalysis of the IKKR Cryptosystem 143 Abstract (In Korean) 155 Acknowlegement 158Docto

    Delay Encryption

    Get PDF
    We introduce a new primitive named Delay Encryption, and give an efficient instantation based on isogenies of supersingular curves and pairings. Delay Encryption is related to Time-lock Puzzles and Verifiable Delay Functions, and can be roughly described as ``time-lock identity based encryption\u27\u27. It has several applications in distributed protocols, such as sealed bid Vickrey auctions and electronic voting. We give an instantiation of Delay Encryption by modifying Boneh and Frankiln\u27s IBE scheme, where we replace the master secret key by a long chain of isogenies, as in the isogeny VDF of De Feo, Masson, Petit and Sanso. Similarly to the isogeny-based VDF, our Delay Encryption requires a trusted setup before parameters can be safely used; our trusted setup is identical to that of the VDF, thus the same parameters can be generated once and shared for many executions of both protocols, with possibly different delay parameters. We also discuss several topics around delay protocols based on isogenies that were left untreated by De Feo et al., namely: distributed trusted setup, watermarking, and implementation issues
    • โ€ฆ
    corecore