918 research outputs found

    Large Modulus Ring-LWE > Module-LWE


    A Study on Identity-Based Homomorphic Encryption with Noisy Keys

    Doctoral thesis, Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, 2020. 2. Jung Hee Cheon.

    Delegated data analysis in the cloud is one of the most effective application scenarios for homomorphic encryption. In a realistic model with many data providers and analysis requesters, however, tasks remain to be solved beyond basic encryption, decryption and homomorphic operations. This thesis identifies several requirements of such a model and discusses solutions for them. First, noting that the known homomorphic data-analysis solutions cannot take hierarchies or levels among data into account, we consider a model that combines identity-based encryption with homomorphic encryption to set access rights between data and permit computation only between data for which it is allowed. To make this model operate efficiently, we study homomorphic-encryption-friendly identity-based encryption, extend the known NTRU-based scheme by defining the module-NTRU problem, and propose an identity-based encryption scheme based on it. Second, we observe that the secret key still takes part in the decryption of homomorphic encryption, so the key management problem remains. We therefore develop a decryption procedure that can use biometric information, apply it to homomorphic decryption, and thereby propose a cryptosystem in which the entire process of encryption, decryption and homomorphic computation can be carried out without the key being stored anywhere. Finally, we consider concrete methods for evaluating the security of homomorphic encryption. For this we closely analyze the practical hardness of the Learning With Errors (LWE) problem on which homomorphic encryption is based, and as a result develop attack algorithms that are on average more than 1000 times faster than existing ones. Through this we show that the currently used homomorphic encryption parameters are not secure, and discuss how parameters should be set in light of the new attack algorithms.

    Secure data analysis delegation on the cloud is one of the most powerful applications that homomorphic encryption (HE) can bring. As the technical level of HE arrives at a practical regime, this model is also being considered a more serious and realistic paradigm. In this regard, this increasing attention requires a more versatile and secure model to deal with much more complicated real-world problems. First, as real-world modeling involves a number of data owners and clients, authorized control of data access is still required even in the HE scenario. Second, we note that although homomorphic operation requires no secret key, decryption requires the secret key. That is, the secret key management concern still remains even for HE. Last, from a rather fundamental view, we thoroughly analyze the concrete hardness of the base problem of HE, the so-called Learning With Errors (LWE) problem. In fact, for the sake of efficiency, HE exploits a weaker variant of LWE whose security is believed not to be fully understood. For the efficiency of the data encryption phase, we improve the previously suggested NTRU-lattice ID-based encryption by generalizing the NTRU concept to module-NTRU lattices. Moreover, we design a novel method that decrypts the resulting ciphertext with a noisy key. This enables the decryptor to use its own noisy source, in particular biometrics, and hence fundamentally solves the key management problem. Finally, by considering further improvements to existing LWE solving algorithms, we propose new algorithms that show much faster performance. Consequently, we argue that the HE parameter choice should be updated in light of our attacks in order to maintain the currently claimed security level.

    Contents:
    1 Introduction
      1.1 Access Control based on Identity
      1.2 Biometric Key Management
      1.3 Concrete Security of HE
      1.4 List of Papers
    2 Background
      2.1 Notation
      2.2 Lattices
        2.2.1 Lattice Reduction Algorithm
        2.2.2 BKZ cost model
        2.2.3 Geometric Series Assumption (GSA)
        2.2.4 The Nearest Plane Algorithm
      2.3 Gaussian Measures
        2.3.1 Kullback-Leibler Divergence
      2.4 Lattice-based Hard Problems
        2.4.1 The Learning With Errors Problem
        2.4.2 NTRU Problem
      2.5 One-way and Pseudo-random Functions
    3 ID-based Data Access Control
      3.1 Module-NTRU Lattices
        3.1.1 Construction of MNTRU lattice and trapdoor
        3.1.2 Minimize the Gram-Schmidt norm
      3.2 IBE-Scheme from Module-NTRU
        3.2.1 Scheme Construction
        3.2.2 Security Analysis by Attack Algorithms
        3.2.3 Parameter Selections
      3.3 Application to Signature
    4 Noisy Key Cryptosystem
      4.1 Reusable Fuzzy Extractors
      4.2 Local Functions
        4.2.1 Hardness over Non-uniform Sources
        4.2.2 Flipping local functions
        4.2.3 Noise stability of predicate functions: Xor-Maj
      4.3 From Pseudorandom Local Functions
        4.3.1 Basic Construction: One-bit Fuzzy Extractor
        4.3.2 Expansion to multi-bit Fuzzy Extractor
        4.3.3 Indistinguishable Reusability
        4.3.4 One-way Reusability
      4.4 From Local One-way Functions
    5 Concrete Security of Homomorphic Encryption
      5.1 Albrecht's Improved Dual Attack
        5.1.1 Simple Dual Lattice Attack
        5.1.2 Improved Dual Attack
      5.2 Meet-in-the-Middle Attack on LWE
        5.2.1 Noisy Collision Search
        5.2.2 Noisy Meet-in-the-middle Attack on LWE
      5.3 The Hybrid-Dual Attack
        5.3.1 Dimension-error Trade-off of LWE
        5.3.2 Our Hybrid Attack
      5.4 The Hybrid-Primal Attack
        5.4.1 The Primal Attack on LWE
        5.4.2 The Hybrid Attack for SVP
        5.4.3 The Hybrid-Primal attack for LWE
        5.4.4 Complexity Analysis
      5.5 Bit-security estimation
        5.5.1 Estimations
        5.5.2 Application to PKE
    6 Conclusion
    Abstract (in Korean)
    Docto

    From Pre-Quantum to Post-Quantum IoT Security: A Survey on Quantum-Resistant Cryptosystems for the Internet of Things

    © 2020 IEEE. This version of the article has been accepted for publication, after peer review. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

    [Abstract]: Although quantum computing is still in its nascent age, its evolution threatens the most popular public-key encryption systems. Such systems are essential for today's Internet security due to their ability to solve the key distribution problem and to provide high security over insecure communication channels that allow for accessing websites or for exchanging e-mails, financial transactions, digitally signed documents, military communications or medical data. Cryptosystems like Rivest-Shamir-Adleman (RSA), elliptic curve cryptography (ECC) or Diffie-Hellman have spread worldwide and are part of diverse key Internet standards like Transport Layer Security (TLS), which are used both by traditional computers and Internet of Things (IoT) devices. It is especially difficult to provide high security to IoT devices, mainly because many of them rely on batteries and are resource constrained in terms of computational power and memory, which implies that specific energy-efficient and lightweight algorithms need to be designed and implemented for them. These restrictions become relevant challenges when implementing cryptosystems that involve intensive mathematical operations and demand substantial computational resources, which are often required in applications where data privacy has to be preserved for the long term, like IoT applications for defense, mission-critical scenarios or smart healthcare. Quantum computing threatens such long-term IoT device security, and researchers are currently developing solutions to mitigate such a threat. This article provides a survey on what can be called post-quantum IoT systems (IoT systems protected from the currently known quantum computing attacks): the main post-quantum cryptosystems and initiatives are reviewed, the most relevant IoT architectures and challenges are analyzed, and the expected future trends are indicated. Thus, this article is aimed at providing a wide view of post-quantum IoT security and giving useful guidelines...

    This work was supported in part by the Xunta de Galicia under Grant ED431G2019/01, in part by the Agencia Estatal de Investigación of Spain under Grant TEC2016-75067-C4-1-R and Grant RED2018-102668-T, and in part by ERDF funds of the EU (AEI/FEDER, UE). Xunta de Galicia; ED431G2019/0

    Implementation and evaluation of improved Gaussian sampling for lattice trapdoors

    We report on our implementation of a new Gaussian sampling algorithm for lattice trapdoors. Lattice trapdoors are used in a wide array of lattice-based cryptographic schemes, including digital signatures, attribute-based encryption, program obfuscation and others. Our implementation provides Gaussian sampling for trapdoor lattices with prime moduli, and supports both single- and multi-threaded execution. We experimentally evaluate our implementation through its use in the GPV hash-and-sign digital signature scheme as a benchmark. We compare our design and implementation with prior work reported in the literature. The evaluation shows that our implementation 1) has smaller space requirements and faster runtime, 2) does not require multi-precision floating-point arithmetic, and 3) can be used for a broader range of cryptographic primitives than previous implementations.

    Ring Learning With Errors: A crossroads between postquantum cryptography, machine learning and number theory

    The present survey reports on the state of the art of the different cryptographic functionalities built upon the ring learning with errors problem and its interplay with several classical problems in algebraic number theory. The survey is based to a certain extent on an invited course given by the author at the Basque Center for Applied Mathematics in September 2018.

    Comment: arXiv admin note: text overlap with arXiv:1508.01375 by other authors / comment of the author: quotation has been added to Theorem 5.

    Privacy-Aware Processing of Biometric Templates by Means of Secure Two-Party Computation

    The use of biometric data for person identification and access control is gaining more and more popularity. Handling biometric data, however, requires particular care, since biometric data is indissolubly tied to the identity of its owner, hence raising important security and privacy issues. This chapter focuses on the latter, presenting an innovative approach that, by relying on tools borrowed from Secure Two-Party Computation (STPC) theory, makes it possible to process the biometric data in encrypted form, thus eliminating any risk that private biometric information is leaked during an identification process. The basic concepts behind STPC are reviewed together with the basic cryptographic primitives needed to achieve privacy-aware processing of biometric data in an STPC context. The two main approaches proposed so far, namely homomorphic encryption and garbled circuits, are discussed, and the way such techniques can be used to develop a full biometric matching protocol is described. Some general guidelines to be used in the design of a privacy-aware biometric system are given, so as to allow the reader to choose the most appropriate tools depending on the application at hand.

    On single server private information retrieval in a coding theory perspective

    In this paper, we present a new perspective on single server private information retrieval (PIR) schemes by using the notion of linear error-correcting codes. Many of the known single server schemes are based on taking linear combinations of database elements and query elements. Using the theory of linear codes, we develop a generic framework that formalizes all such PIR schemes. Further, we describe some known PIR schemes with respect to this code-based framework, and present the weaknesses of the broken PIR schemes from a generic point of view.

    Learning with Errors over Group Rings Constructed by Semi-direct Product

    The Learning with Errors (LWE) problem has been widely utilized as a foundation for numerous cryptographic tools over the years. In this study, we focus on an algebraic variant of the LWE problem called Group ring LWE (GR-LWE). We select group rings (or their direct summands) that underlie specific families of finite groups constructed by taking the semi-direct product of two cyclic groups. Unlike the Ring-LWE problem described by Lyubashevsky, Peikert and Regev (2010), the multiplication operation in the group rings considered here is non-commutative. As an extension of Ring-LWE, it maintains computational hardness and can potentially be applied in many cryptographic scenarios. In this paper, we present two polynomial-time quantum reductions. First, we provide a quantum reduction from the worst-case shortest independent vectors problem (SIVP) in ideal lattices with polynomial approximation factor to the search version of GR-LWE. This reduction requires that the underlying group ring possesses certain mild properties. Second, we present another quantum reduction for two types of group rings, where the worst-case SIVP problem is directly reduced to the (average-case) decision GR-LWE problem. The pseudorandomness of GR-LWE samples guaranteed by this reduction can consequently be leveraged to construct semantically secure public-key cryptosystems.

    Comment: 45 page

    Number Theoretic Transform and Its Applications in Lattice-based Cryptosystems: A Survey

    The number theoretic transform (NTT) is the most efficient method for multiplying two polynomials of high degree with integer coefficients, owing to its advantages in both algorithm design and implementation, and it is consequently widely used and particularly fundamental in practical implementations of lattice-based cryptographic schemes. In particular, recent works have shown that NTT can be utilized in schemes without NTT-friendly rings, and can outperform other multiplication algorithms there. In this paper, we first review the basic concepts of polynomial multiplication, convolution and NTT. Subsequently, we systematically introduce the basic radix-2 fast NTT algorithms in an algebraic way via the Chinese Remainder Theorem. We then elaborate on recent advances in methods that weaken the restrictions on the parameter conditions of NTT. Furthermore, we systematically introduce how to choose an appropriate NTT strategy for the various given rings. Later, we introduce the applications of NTT in the lattice-based cryptographic schemes of the NIST post-quantum cryptography standardization competition. Finally, we try to present some possible future research directions.