14 research outputs found

    TOT, a Fast Multivariate Public Key Cryptosystem with Basic Secure Trapdoor

    In this paper, we design a novel one-way trapdoor function and then propose a new multivariate public key cryptosystem called TOT, which can be used for encryption, signature and authentication. Through analysis, we argue that TOT is secure, because it can resist currently known algebraic attacks if its parameters are properly chosen. Some practical implementations of TOT are also given, whose security level is at least $2^{90}$. The comparison shows that TOT is more secure than HFE, HFEv and Quartz (when $n \ge 81$ and $D_{HFE} \ge 129$, HFE is still secure), and it can reach almost the same speed of computing the secret map as $C^\ast$ and $\mathrm{Sflash}^{v2}$ (even though $C^\ast$ was broken, its high speed has been affirmed).

    Architectures for Code-based Post-Quantum Cryptography

    The abstract is in the attachment.

    Encapsulated Search Index: Public-Key, Sub-linear, Distributed, and Delegatable

    We build the first sub-linear (in fact, potentially constant-time) public-key searchable encryption system:
    - the server can publish a public key $PK$;
    - anybody can build an encrypted index for a document $D$ under $PK$;
    - a client holding the index can obtain a token $z_w$ from the server to check if a keyword $w$ belongs to $D$;
    - search using $z_w$ is almost as fast (e.g., sub-linear) as the non-private search;
    - the server granting the token does not learn anything about the document $D$, beyond the keyword $w$;
    - yet, the token $z_w$ is specific to the pair $(D, w)$: the client does not learn if other keywords $w' \neq w$ belong to $D$, or if $w$ belongs to other, freshly indexed documents $D'$;
    - the server cannot fool the client by giving a wrong token $z_w$.
    We call such a primitive an Encapsulated Search Index (ESI). Our ESI scheme can be made $(t, n)$-distributed among $n$ servers in the best possible way: non-interactive, verifiable, and resilient to any coalition of up to $(t - 1)$ malicious servers. We also introduce the notion of delegatable ESI and show how to extend our construction to this setting. Our solution, including public indexing, sub-linear search, delegation, and distributed token generation, is deployed as a commercial application by Atakama.

    Design of advanced primitives for secure multiparty computation : special shuffles and integer comparison

    In modern cryptography, the problem of secure multiparty computation is about the cooperation between mutually distrusting parties computing a given function. Each party holds some private information that should remain secret as much as possible throughout the computation. A large body of research initiated in the early 1980s has shown that any computable function can be evaluated using secure multiparty computation. Though these feasibility results are general, their applicability in practical situations is rather unsatisfactory. This thesis concerns the study of two particular cryptographic primitives with a focus on efficiency. The first primitive studied is a generalization of verifiable shuffles of homomorphic encryptions, where the shuffler is only allowed to apply a permutation from a restricted set of permutations. In this thesis, we consider shuffles using permutations from a k-fragile set, meaning that any k input-output correspondences uniquely identify a permutation within the set. We provide verifiable shuffles restricted to the set of all rotations (1-fragile), affine transformations (2-fragile), and Möbius transformations (3-fragile). Applications of these special shuffles include fragile mixing, electronic elections, secure function evaluation using scrambled circuits, and secure integer comparison. Two approaches for verifiable rotations are presented. On the one hand, we use properties of the Discrete Fourier Transform (DFT) to express in a compact way that a rotation is applied in a shuffle. The solution is efficient, but imposes some mild restrictions on the parameters to allow the DFT to work. On the other hand, we present a general solution that does not impose any parameter constraint and works on any homomorphic cryptosystem. These protocols for rotations are used to build efficient shuffling protocols for affine and Möbius transformations. The second primitive is secure integer comparison. In a general scenario, parties are given homomorphic encryptions of the bits of two integers and, after running a protocol, an encryption of a bit is produced, telling the result of the greater-than comparison of the two integers. This is a useful building block for higher-level protocols such as electronic voting, biometric authentication or electronic auctions. A study of the relationship of other problems to integer comparison is given as well. We present two types of solutions for integer comparison. Firstly, we consider an arithmetic circuit yielding secure protocols within the framework for multiparty computation based on threshold homomorphic cryptosystems. Our circuit achieves a good balance between round and computational complexities when compared to similar solutions in the literature. The second type of solution uses an intricate approach where different building blocks are used. A full analysis is made for the two-party case, where the efficiency of the resulting protocols compares favorably to other solutions and approaches.

    Compromising emissions from a high speed cryptographic embedded system

    Specific hardware implementations of cryptographic algorithms have been subject to a number of "side channel" attacks of late. A side channel is any information-bearing emission that results from the physical implementation of a cryptographic algorithm. Smartcard realisations have been shown to be particularly vulnerable to these attacks. Other, more complex embedded cryptographic systems may also be vulnerable, and each new design needs to be tested. The vulnerability of a recently developed high speed cryptographic accelerator is examined. The purpose of this examination is not only to verify the integrity of the device, but also to allow its designers to determine its level of conformance with any standard they may wish to comply with. A number of attacks were reviewed initially and two were chosen for examination and implementation: Power Analysis and Electromagnetic Analysis. These particular attacks appeared to offer the greatest threat to this particular system. Experimental techniques were devised to implement these attacks, and a simulation and a microcontroller emulation were set up to ensure these techniques were sound. Each experimental setup was successful in attacking the simulated data and the microcontroller circuit. The significance of this was twofold, in that it verified the integrity of the setup and proved that a real threat existed. However, the attacks on the cryptographic accelerator failed in all cases to reveal any significant information. Although this is considered a positive result, it does not prove the integrity of the device, as it may be possible for an adversary with more resources to successfully attack the board. It does, however, increase the level of confidence in this particular product and acts as a stepping stone towards conformance with cryptographic standards. The experimental procedures developed can also be used by designers wishing to test the vulnerability of their own products to these attacks.

    Usability of structured lattices for a post-quantum cryptography: practical computations, and a study of some real Kummer extensions

    Lattice-based cryptography is an excellent candidate for post-quantum cryptography, i.e. cryptosystems which are resistant to attacks run on quantum computers. For efficiency reasons, most of the constructions explored nowadays are based on structured lattices, such as module lattices or ideal lattices. The security of most constructions can be related to the hardness of retrieving a short element in such lattices, and one does not yet know to what extent these additional structures weaken the cryptosystems. A related problem, which is an extension of a classical problem in computational number theory, called the Short Principal Ideal Problem (or SPIP), consists of finding a short generator of a principal ideal. Its assumed hardness has been used to build some cryptographic schemes. However, it has been shown to be solvable in quantum polynomial time over cyclotomic fields, through an attack which uses the Log-unit lattice of the field considered. Later, practical results showed that multiquadratic fields were also vulnerable to this strategy. The main general question that we study in this thesis is: to what extent can structured lattices be used to build a post-quantum cryptography?

    How to Sample a Discrete Gaussian (and more) from a Random Oracle

    The random oracle methodology is central to the design of many practical cryptosystems. A common challenge faced in several systems is the need to have a random oracle that outputs from a structured distribution $\mathcal{D}$, even though most heuristic implementations such as SHA-3 are best suited for outputting bitstrings. Our work explores the problem of sampling from discrete Gaussian (and related) distributions in a manner that allows them to be programmed into random oracles. We make the following contributions:
    - We provide a definitional framework for our results. We say that a sampling algorithm $\mathsf{Sample}$ for a distribution is explainable if there exists an algorithm $\mathsf{Explain}$ where, for an $x$ in the domain, we have that $\mathsf{Explain}(x) \rightarrow r \in \{0,1\}^n$ such that $\mathsf{Sample}(r) = x$. Moreover, if $x$ is sampled from $\mathcal{D}$, the explained distribution is statistically close to choosing $r$ uniformly at random. We consider a variant of this definition that allows the statistical closeness to be a "precision parameter" given to the $\mathsf{Explain}$ algorithm. We show that sampling algorithms which satisfy our "explainability" property can be programmed as a random oracle.
    - We provide a simple algorithm for explaining any sampling algorithm that works over distributions with polynomial-sized ranges. This includes discrete Gaussians with small standard deviations.
    - We show how to transform a (not necessarily explainable) sampling algorithm $\mathsf{Sample}$ for a distribution into a new $\mathsf{Sample}'$ that is explainable. The requirements for doing this are that (1) the probability density function is efficiently computable and (2) it is possible to efficiently uniformly sample from all elements that have a probability density above a given threshold $p$, showing the equivalence of random oracles to these distributions and random oracles to uniform bitstrings. This includes a large class of distributions, including all discrete Gaussians.
    - A potential drawback of the previous approach is that the transformation requires an additional computation of the density function. We provide a more customized approach that shows the Micciancio-Walter discrete Gaussian sampler is explainable as is. This suggests that other discrete Gaussian samplers in a similar vein might also be explainable as is.

    Cryptographic Foundations For Control And Optimization: Making Cloud-Based And Networked Decisions On Encrypted Data

    Advances in communication technologies and computational power have driven a technological shift in the data paradigm. The resulting architecture requires sensors to send local data to the cloud for global processing such as estimation, control, decision and learning, leading to both performance improvements and privacy concerns. This thesis explores the emerging field of private control for the Internet of Things, where it bridges dynamical systems and computations on encrypted data, using applied cryptography and information-theoretic tools. Our research contributions are privacy-preserving interactive protocols for cloud-outsourced decisions and data processing, as well as for aggregation over networks in multi-agent systems, both of which are essential in control theory and machine learning. In these settings, we guarantee privacy of the data providers' local inputs over multiple time steps, as well as privacy of the cloud service provider's proprietary information. Specifically, we focus on (i) private solutions to cloud-based constrained quadratic optimization problems from distributed private data; (ii) oblivious distributed weighted sum aggregation; (iii) linear and nonlinear cloud-based control on encrypted data; (iv) private evaluation of cloud-outsourced data-driven control policies with sparsity and low-complexity requirements. In these scenarios, we require computational privacy and stipulate that each participant is allowed to learn nothing more than its own result of the computation. Our protocols employ homomorphic encryption schemes and secure multi-party computation tools with the purpose of performing computations directly on encrypted data, such that leakage of private information at the computing entity is minimized. To this end, we co-design solutions with respect to both control performance and privacy specifications, and we streamline their implementation by exploiting the rich structure of the underlying private data.

    Practical unconditionally secure signature schemes and related protocols

    The security guarantees provided by digital signatures are vital to many modern applications such as online banking, software distribution, email and many more. Their ubiquity across digital communications arguably makes digital signatures one of the most important inventions in cryptography. Worryingly, all commonly used schemes (RSA, DSA and ECDSA) provide only computational security, and are rendered completely insecure by quantum computers. Motivated by this threat, this thesis focuses on unconditionally secure signature (USS) schemes, an information-theoretically secure analogue of digital signatures. We present and analyse two new USS schemes. The first is a quantum USS scheme that is both information-theoretically secure and realisable with current technology. The scheme represents an improvement over all previous quantum USS schemes, which were always either realisable or had a full security proof, but not both. The second is an entirely classical USS scheme that uses minimal resources and is vastly more efficient than all previous schemes, to such an extent that it could potentially find real-world application. With the discovery of such an efficient classical USS scheme using only minimal resources, it is difficult to see what advantage quantum USS schemes may provide. Lastly, we remain in the information-theoretic security setting and consider two quantum protocols closely related to USS schemes: oblivious transfer and quantum money. For oblivious transfer, we prove new lower bounds on the minimum achievable cheating probabilities in any 1-out-of-2 protocol. For quantum money, we present a scheme that is more efficient and error tolerant than all previous schemes. Additionally, we show that it can be implemented using a coherent source and lossy detectors, thereby allowing for the first experimental demonstration of quantum coin creation and verification.

    New Design and Analysis Techniques for Post-Quantum Cryptography

    Due to the threat of scalable quantum computation breaking existing public-key cryptography, interest in post-quantum cryptography has exploded in the past decade. There are two key aspects to the mitigation of the quantum threat. The first is to have a complete understanding of the capabilities of a quantum-enabled adversary and to be able to predict the impact on the security of protocols. The second is to find suitable replacements for those protocols rendered insecure. In this thesis, we develop new techniques to help address these problems, in order to better prepare for the post-quantum era. Proofs in security models that consider quantum adversaries are notoriously more challenging than their classical analogues. The quantum random oracle model abstracts real-world hash functions to a black box, but allows for superposition queries. This model is important as it often makes possible the reduction of the security of a protocol to the hardness of an underlying hard problem. We prove several results about the model itself. We provide upper and lower bounds on the ability of the adversary to find collisions in non-uniform functions in this model. We also compare the quantum random oracle model to the classical random oracle model and establish that a key aspect of their relationship to the standard model is unchanged. We also develop a way to model a new security property (dubbed quantum annoyingness) that considers the security of classical password-authenticated key exchange schemes in the presence of quantum adversaries, and prove the security of a recently standardized protocol in this model. For the second problem, we show how established post-quantum problems can be used to build protocols beyond key establishment and signing. We look at two protocols, key-blinded signatures and updatable public-key encryption, which are variants of signature and key-establishment protocols. We show how these protocols can be instantiated by modifying existing post-quantum signature and key-establishment protocols. Both of these protocols were originally built relying heavily on the structure of the discrete logarithm problem. In instantiating the schemes with post-quantum assumptions, we also highlight how alternative mathematical structures can be adapted to achieve the same results. Finally, we provide proofs, implementations, and performance metrics for these instantiations.