
    Security considerations for Galois non-dual RLWE families

    We explore further the hardness of the non-dual discrete variant of the Ring-LWE problem for various number rings, give improved attacks for certain rings satisfying some additional assumptions, construct a new family of vulnerable Galois number fields, and apply some number-theoretic results on Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic rings and unramified moduli.

    Algebraic aspects of solving Ring-LWE, including ring-based improvements in the Blum-Kalai-Wasserman algorithm

    We provide a reduction of the Ring-LWE problem to Ring-LWE problems in subrings, in the presence of samples of a restricted form (i.e. (a,b) such that a is restricted to a multiplicative coset of the subring). To create and exploit such restricted samples, we propose Ring-BKW, a version of the Blum-Kalai-Wasserman algorithm which respects the ring structure. Off-the-shelf BKW dimension reduction (including coded-BKW and sieving) can be used for the reduction phase. Its primary advantage is that there is no need for back-substitution, and the solving/hypothesis-testing phase can be parallelized. We also present a method to exploit symmetry to reduce table sizes, samples needed, and runtime during the reduction phase. The results apply to two-power cyclotomic Ring-LWE with parameters proposed for practical use (including all splitting types).
    Comment: 25 pages; section on advanced keying significantly extended; other minor revisions.

    SALSA: Attacking Lattice Cryptography with Transformers

    Currently deployed public-key cryptosystems will be vulnerable to attacks by full-scale quantum computers. Consequently, "quantum resistant" cryptosystems are in high demand, and lattice-based cryptosystems, based on a hard problem known as Learning With Errors (LWE), have emerged as strong contenders for standardization. In this work, we train transformers to perform modular arithmetic and combine half-trained models with statistical cryptanalysis techniques to propose SALSA: a machine learning attack on LWE-based cryptographic schemes. SALSA can fully recover secrets for small-to-mid size LWE instances with sparse binary secrets, and may scale to attack real-world LWE-based cryptosystems.
    Comment: Extended version of work published at NeurIPS 202

    Usability of structured lattices for a post-quantum cryptography: practical computations, and a study of some real Kummer extensions

    Lattice-based cryptography is an excellent candidate for post-quantum cryptography, i.e. cryptosystems which are resistant to attacks run on quantum computers. For efficiency reasons, most of the constructions explored nowadays are based on structured lattices, such as module lattices or ideal lattices. The security of most constructions can be related to the hardness of retrieving a short element in such lattices, and one does not yet know to what extent these additional structures weaken the cryptosystems. A related problem, which is an extension of a classical problem in computational number theory, called the Short Principal Ideal Problem (or SPIP), consists of finding a short generator of a principal ideal. Its assumed hardness has been used to build some cryptographic schemes. However, it has been shown to be solvable in quantum polynomial time over cyclotomic fields, through an attack which uses the Log-unit lattice of the field considered. Later, practical results showed that multiquadratic fields were also vulnerable to this strategy. The main general question that we study in this thesis is: to what extent can structured lattices be used to build a post-quantum cryptography?

    NTRU in Quaternion Algebras of Bounded Discriminant

    The NTRU assumption provides one of the most prominent problems on which to base post-quantum cryptography. Because of the efficiency and security of NTRU-style schemes, structured variants have been proposed, using modules. In this work, we create a structured form of NTRU using lattices obtained from orders in cyclic division algebras of index 2, that is, from quaternion algebras. We present a public-key encryption scheme, and show that its public keys are statistically close to uniform. We then prove IND-CPA security of a variant of our scheme when the discriminant of the quaternion algebra is not too large, assuming the hardness of Learning with Errors in cyclic division algebras.

    Algebraic lattices and applications to codes and cryptography

    Advisor: Sueli Irene Rodrigues Costa. Thesis (PhD) - Universidade Estadual de Campinas, Instituto de Matemática, Estatística e Computação Científica.
    Abstract (translated from the Portuguese resumo): In this work we study the application of algebraic lattices in different contexts. In total, four objectives guide this thesis. The first objective consists of constructing lattices with good center density via submodules of rings of integers of algebraic number fields. In this context, we complete the algebraic construction of the lattice D_n for any n, and study its minimum product distance, as well as that of \mathbb{Z}^n. Furthermore, we compute the expression of the trace form associated with abelian number fields of ramified odd prime degree, which is related to the center density of algebraic lattices obtained via the Minkowski embedding. The second objective is the analysis of situations in which algebraic lattices are well rounded. We prove that in each odd prime dimension there exist infinitely many pairwise non-equivalent algebraic lattices that are well rounded. The third objective is to present the applicability and current relevance of algebraic lattices in the context of post-quantum cryptography. Besides summarizing recent advances in lattice-based cryptography, we propose the use of algebraic lattices obtained via the twisted embedding in this context and prove that the hardness of breaking the security of the proposed system is related to the hardness of solving the ring-LWE problem. Finally, the fourth objective concerns the study of logarithmic lattices, with particular emphasis on the covering radius obtained through the units of any cyclotomic field. We compute an upper bound for the covering radius of logarithmic lattices constructed from these fields. In the approaches to the four goals above, it is highlighted that algebraic tools have been contributing effectively to the production of lattices applicable to a range of contexts in coding theory and cryptography.
    Abstract: In this work we study applications of algebraic lattices in different contexts. Four goals guide this PhD thesis. The first goal is the construction of lattices with great center density via submodules of the ring of integers of algebraic number fields. In this approach, we obtain the algebraic construction of the lattice D_n, for all n, and study its minimum product distance, as well as that of the lattice \mathbb{Z}^n. Besides, we calculate the expression of the trace form associated with abelian number fields of ramified odd prime degree, which is related to the center density of algebraic lattices obtained via the Minkowski embedding. The second goal is the analysis of cases which provide well-rounded algebraic lattices. We prove that for each odd prime dimension there exist infinitely many non-equivalent algebraic lattices which are well rounded. The third goal is to present the application of algebraic lattices in the context of so-called post-quantum cryptography. We summarize recent advances of lattice cryptography, propose the use of algebraic lattices coming from the twisted embedding in this context, and prove that the hardness of breaking the security of the proposed system is related to the hardness of solving the ring-LWE problem. The fourth goal is the study of logarithmic lattices, especially the analysis of the covering radius of those obtained from units of cyclotomic number fields. We calculate an upper bound on the covering radius of the logarithmic lattices constructed from these fields. In the four objectives described above it is stressed that algebraic tools make good contributions to producing lattices used in coding theory and cryptography.
    Doutorado; Matematica; Doutor em Matemática; CAPE

    Security Guidelines for Implementing Homomorphic Encryption

    Fully Homomorphic Encryption (FHE) is a cryptographic primitive that allows performing arbitrary operations on encrypted data. Since the conception of the idea in [RAD78], it was considered a holy grail of cryptography. After the first construction in 2009 [Gen09], it has evolved to become a practical primitive with strong security guarantees. Most modern constructions are based on well-known lattice problems such as Learning with Errors (LWE). Besides its academic appeal, in recent years FHE has also attracted significant attention from industry, thanks to its applicability to a considerable number of real-world use cases. An upcoming standardization effort by ISO/IEC aims to support the wider adoption of these techniques. However, one of the main challenges that standards bodies, developers, and end users usually encounter is establishing parameters. This is particularly hard in the case of FHE because the parameters are not only related to the security level of the system, but also to the type of operations that the system is able to handle. In this paper, we provide examples of parameter sets for LWE targeting particular security levels that can be used in the context of FHE constructions. We also give examples of complete FHE parameter sets, including the parameters relevant for correctness and performance, alongside those relevant for security. As an additional contribution, we survey the parameter selection support offered in open-source FHE libraries.

    Homomorphic Encryption Standard

    Homomorphic Encryption is a breakthrough technology which can enable private cloud storage and computation solutions, and many applications have been described in the literature in the last few years. But before Homomorphic Encryption can be adopted in the medical, health, and financial sectors to protect data and patient and consumer privacy, it will have to be standardized, most likely by multiple standardization bodies and government agencies. An important part of standardization is broad agreement on security levels for varying parameter sets. Although extensive research and benchmarking has been done in the research community to establish the foundations for this effort, it is hard to find all the information in one place, along with concrete parameter recommendations for applications and deployment. This document is the first Homomorphic Encryption Standard (HES) approved by the Homomorphicencryption.org community in 2018. It captures the collective knowledge on the state of security of these schemes, specifies the schemes, and recommends a wide selection of parameters to be used for homomorphic encryption at various security levels. We describe known attacks and their estimated running times in order to make these security parameter recommendations.

    Survey on Fully Homomorphic Encryption, Theory, and Applications

    Data privacy concerns are increasing significantly in the context of the Internet of Things, cloud services, edge computing, artificial intelligence applications, and other applications enabled by next-generation networks. Homomorphic Encryption addresses privacy challenges by enabling multiple operations to be performed on encrypted messages without decryption. This paper comprehensively addresses homomorphic encryption from both theoretical and practical perspectives. The paper delves into the mathematical foundations required to understand fully homomorphic encryption (FHE). It then covers design fundamentals and security properties of FHE and describes the main FHE schemes based on various mathematical problems. On a more practical level, the paper presents a view on privacy-preserving Machine Learning using homomorphic encryption, then surveys FHE at length from an engineering angle, covering the potential application of FHE in fog computing and cloud computing services. It also provides a comprehensive analysis of existing state-of-the-art FHE libraries and tools, implemented in software and hardware, and their performance.