Security Analysis of Cryptosystems Using Short Generators over Ideal Lattices
In this paper, we analyze the security of cryptosystems using
short generators over ideal lattices such as candidate multilinear maps
by Garg, Gentry and Halevi and fully homomorphic encryption by Smart
and Vercauteren. Our approach is based on a recent work by Cramer,
Ducas, Peikert and Regev on analysis of recovering a short generator of
an ideal in the -th cyclotomic field for a prime power .
In their analysis, implicit lower bounds of the special values of Dirichlet -functions at 1 are essentially used for estimating some sizes of the dual basis in the log-unit lattice of
the -th cyclotomic field.
Our main contribution is to improve Cramer et al.'s analysis by giving
explicit lower and upper bounds of the special values of
Dirichlet -functions at 1 for any non-trivial even Dirichlet characters modulo .
Moreover, we give various experimental evidence that recovering short
generators of principal ideals in -th cyclotomic fields
for succeeds with high probability.
As a consequence, our analysis suggests that the security of the above cryptosystems based on the difficulty of recovering a short generator
is reduced to solving the principal ideal problem under the number-theoretic conjecture known as Weber's class number problem.
A Coefficient-Embedding Ideal Lattice can be Embedded into Infinitely Many Polynomial Rings
Many lattice-based cryptosystems employ ideal lattices for high efficiency.
However, the additional algebraic structure of ideal lattices usually makes us
worry about the security, and it is widely believed that the algebraic
structure will help us solve the hard problems in ideal lattices more
efficiently. In this paper, we study the additional algebraic structure of
ideal lattices further and find that a given ideal lattice in some fixed
polynomial ring can be embedded as an ideal in infinitely many different
polynomial rings. We explicitly present all these polynomial rings for any
given ideal lattice. The interesting phenomenon tells us that a single ideal
lattice may have more abundant algebraic structures than we imagine, which will
impact the security of the corresponding cryptosystems. For example, it increases
the difficulty of evaluating the security of cryptosystems based on ideal
lattices, since it seems that we need to consider all the polynomial rings that
the given ideal lattice can be embedded into if we believe that the algebraic
structure will contribute to solving the corresponding hard problem. It also
suggests a new method for solving ideal lattice problems by embedding the
given ideal lattice into another well-studied polynomial ring. As a by-product,
we also introduce an efficient algorithm to identify if a given lattice is an
ideal lattice or not.
A Non-commutative Cryptosystem Based on Quaternion Algebras
We propose BQTRU, a non-commutative NTRU-like cryptosystem over quaternion
algebras. This cryptosystem uses bivariate polynomials as the underlying ring.
The multiplication operation in our cryptosystem can be performed with high
speed using quaternion algebras over finite rings. As a consequence, the key
generation and encryption process of our cryptosystem is faster than NTRU in
comparable parameters. Typically using Strassen's method, the key generation
and encryption process is approximately times faster than NTRU for an
equivalent parameter set. Moreover, the BQTRU lattice has a hybrid structure
that makes standard lattice attacks on the private key inefficient. This
entails a higher computational complexity for attackers providing the
opportunity of having smaller key sizes. Consequently, in this sense, BQTRU is
more resistant than NTRU against known attacks at an equivalent parameter set.
Moreover, message protection is feasible through larger polynomials and this
allows us to obtain the same security level as other NTRU-like cryptosystems
but using lower dimensions.
Comment: Submitted for possible publicatio
NewHope: A Mobile Implementation of a Post-Quantum Cryptographic Key Encapsulation Mechanism
Because the National Institute of Standards and Technology (NIST) anticipates the appearance of large-scale quantum computers by 2036 [34], which will threaten widely used asymmetric algorithms, NIST launched a Post-Quantum Cryptography Standardization Project to find quantum-secure alternatives. The NewHope post-quantum cryptography (PQC) key encapsulation mechanism (KEM) is the only Round 2 candidate to simultaneously achieve small key sizes through the use of a security problem with sufficient confidence in its security, while mitigating all known vulnerabilities. This research contributes to the NIST project's overall goal by assessing the platform flexibility and resource requirements of NewHope KEMs on an Android mobile device. The resource requirements analyzed are transmission size as well as scheme runtime, central processing unit (CPU), memory, and energy usage. Results from each NewHope KEM instantiation are compared with each other, with a baseline application, and with results from previous work. The NewHope PQC KEM was demonstrated to have sufficient flexibility for mobile implementation, competitive performance with other PQC KEMs, and competitive scheme runtime with current key exchange algorithms.
A Survey on Homomorphic Encryption Schemes: Theory and Implementation
Legacy encryption systems depend on sharing a key (public or private) among
the peers involved in exchanging an encrypted message. However, this approach
poses privacy concerns. Especially with popular cloud services, the control
over the privacy of the sensitive data is lost. Even when the keys are not
shared, the encrypted material is shared with a third party that does not
necessarily need to access the content. Moreover, untrusted servers, providers,
and cloud operators can keep identifying elements of users long after users end
the relationship with the services. Indeed, Homomorphic Encryption (HE), a
special kind of encryption scheme, can address these concerns as it allows any
third party to operate on the encrypted data without decrypting it in advance.
Although this extremely useful feature of the HE scheme has been known for over
30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE)
scheme, which allows any computable function to be performed on the encrypted data,
was introduced by Craig Gentry in 2009. Even though this was a major
achievement, different implementations so far demonstrated that FHE still needs
to be improved significantly to be practical on every platform. First, we
present the basics of HE and the details of the well-known Partially
Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which
are important pillars of achieving FHE. Then, the main FHE families, which have
become the base for the other follow-up FHE schemes are presented. Furthermore,
the implementations and recent improvements in Gentry-type FHE schemes are also
surveyed. Finally, further research directions are discussed. This survey is
intended to give a clear knowledge and foundation to researchers and
practitioners interested in knowing, applying, as well as extending the state
of the art HE, PHE, SWHE, and FHE systems.
Comment: Updated (October 6, 2017). This paper is an early draft of the
survey that is being submitted to ACM CSUR and has been uploaded to arXiv for
feedback from stakeholder
Algorithms on Ideal over Complex Multiplication order
We show in this paper that the Gentry-Szydlo algorithm for cyclotomic orders,
previously revisited by Lenstra-Silverberg, can be extended to
complex-multiplication (CM) orders, and even to a more general structure. This
algorithm allows testing equality over the polarized ideal class group, and
finds a generator of the polarized ideal in polynomial time. Also, the
algorithm allows solving the norm equation over CM orders, and the recent
reduction of principal ideals to the real suborder can also be performed in
polynomial time. Furthermore, we can also compute in polynomial time a unit of
an order of any number field given a (not very precise) approximation of it.
Our description of the Gentry-Szydlo algorithm is different from the original
and Lenstra-Silverberg's variant, and we hope the simplifications made will
allow a deeper understanding. Finally, we show that the well-known speed-up for
enumeration and sieve algorithms for ideal lattices over power of two
cyclotomics can be generalized to any number field with many roots of unity.
Comment: Full version of a paper submitted to ANT
Usability of structured lattices for a post-quantum cryptography: practical computations, and a study of some real Kummer extensions
Lattice-based cryptography is an excellent candidate for post-quantum cryptography, i.e. cryptosystems which are resistant to attacks run on quantum computers. For efficiency reasons, most of the constructions explored nowadays are based on structured lattices, such as module lattices or ideal lattices. The security of most constructions can be related to the hardness of retrieving a short element in such lattices, and one does not know yet to what extent these additional structures weaken the cryptosystems. A related problem, which is an extension of a classical problem in computational number theory, called the Short Principal Ideal Problem (or SPIP), consists of finding a short generator of a principal ideal. Its assumed hardness has been used to build some cryptographic schemes. However, it has been shown to be solvable in quantum polynomial time over cyclotomic fields, through an attack which uses the log-unit lattice of the field considered. Later, practical results showed that multiquadratic fields were also vulnerable to this strategy.
The main general question that we study in this thesis is: "To what extent can structured lattices be used to build a post-quantum cryptography?"
Learning with Errors over Group Rings Constructed by Semi-direct Product
The Learning with Errors (LWE) problem has been widely utilized as a
foundation for numerous cryptographic tools over the years. In this study, we
focus on an algebraic variant of the LWE problem called Group ring LWE
(GR-LWE). We select group rings (or their direct summands) that underlie
specific families of finite groups constructed by taking the semi-direct
product of two cyclic groups. Unlike the Ring-LWE problem described in
\cite{lyubashevsky2010ideal}, the multiplication operation in the group rings
considered here is non-commutative. As an extension of Ring-LWE, it maintains
computational hardness and can be potentially applied in many cryptographic
scenarios. In this paper, we present two polynomial-time quantum reductions.
Firstly, we provide a quantum reduction from the worst-case shortest
independent vectors problem (SIVP) in ideal lattices with polynomial
approximate factor to the search version of GR-LWE. This reduction requires
that the underlying group ring possesses certain mild properties. Secondly, we
present another quantum reduction for two types of group rings, where the
worst-case SIVP problem is directly reduced to the (average-case) decision
GR-LWE problem. The pseudorandomness of GR-LWE samples guaranteed by this
reduction can be consequently leveraged to construct semantically secure
public-key cryptosystems.
Comment: 45 page