Security considerations for Galois non-dual RLWE families
We explore further the hardness of the non-dual discrete variant of the
Ring-LWE problem for various number rings, give improved attacks for certain
rings satisfying some additional assumptions, construct a new family of
vulnerable Galois number fields, and apply some number theoretic results on
Gauss sums to deduce the likely failure of these attacks for 2-power cyclotomic
rings and unramified moduli.
Attacks on the Search-RLWE problem with small errors
The Ring Learning-With-Errors (RLWE) problem shows great promise for
post-quantum cryptography and homomorphic encryption. We describe a new attack
on the non-dual search RLWE problem with small error widths, using ring
homomorphisms to finite fields and the chi-squared statistical test. In
particular, we identify a "subfield vulnerability" (Section 5.2) and give a new
attack which finds this vulnerability by mapping to a finite field extension
and detecting non-uniformity with respect to the number of elements in the
subfield. We use this attack to give examples of vulnerable RLWE instances in
Galois number fields. We also extend the well-known search-to-decision
reduction result to Galois fields with any unramified prime modulus q,
regardless of the residue degree f of q, and we use this in our attacks. The
time complexity of our attack is O(nq^{2f}), where n is the degree of K and f is
the residue degree of q in K. We also show an attack on the non-dual (resp.
dual) RLWE problem with narrow error distributions in prime cyclotomic rings
when the modulus is a ramified prime (resp. any integer). We demonstrate the
attacks in practice by finding many vulnerable instances and successfully
attacking them. We include the code for all attacks.
On error distributions in ring-based LWE
Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the ring learning with errors problem (ring-LWE) has become a popular building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction from ideal lattice problems. But, for a given modulus q and degree n number field K, generating ring-LWE samples can be perceived as cumbersome, because the secret keys have to be taken from the reduction mod q of a certain fractional ideal O_K^vee of K called the codifferent or 'dual', rather than from the ring of integers O_K itself. This has led to various non-dual variants of ring-LWE, in which one compensates for the non-duality by scaling up the errors. We give a comparison of these versions, and revisit some unfortunate choices that have been made in the recent literature, one of which is scaling up by |Delta(K)|^{1/(2n)}, with Delta(K) the discriminant of K. As a main result, we provide, for any epsilon > 0, a family of number fields K for which this variant of ring-LWE can be broken easily as soon as the errors are scaled up by |Delta(K)|^{(1-epsilon)/n}.
Homomorphic Encryption and Cryptanalysis of Lattice Cryptography
The vast amount of personal data being collected and analyzed through internet connected devices is vulnerable to theft and misuse. Modern cryptography presents several powerful techniques that can help to solve the puzzle of how to harness data for use while at the same time protecting it---one such technique is homomorphic encryption that allows computations to be done on data while it is still encrypted. The question of security for homomorphic encryption relates to the broader field of lattice cryptography. Lattice cryptography is one of the main areas of cryptography that promises to be secure even against quantum computing.
In this dissertation, we will touch on several aspects of homomorphic encryption and its security based on lattice cryptography. Our main contributions are:
1. proving some heuristics that are used in major results in the literature for controlling the error size in bootstrapping for fully homomorphic encryption,
2. presenting a new fully homomorphic encryption scheme that supports k-bit arbitrary operations and achieves an asymptotic ciphertext expansion of one,
3. thoroughly studying certain attacks against the Ring Learning with Errors problem,
4. precisely characterizing the performance of an algorithm for solving the Approximate Common Divisor problem.
Ring-LWE over two-to-power cyclotomics is not hard
The Ring-LWE over two-to-power cyclotomic integer rings has been the hard computational problem for lattice cryptographic constructions. Its hardness and the conjectured hardness of approximating ideal SIVP for ideal lattices in two-to-power cyclotomic fields have been the fundamental open problems in lattice cryptography and computational number theory. In our previous paper we presented a general theory of subset attack on the Ring-LWE with not only the Gaussian error distribution but also general error distributions. By the usage of our subset attack from sublattice quadruples we prove that the decision Ring-LWE (then the search version) over two-to-power cyclotomic integer rings with certain sufficiently large polynomially bounded modulus parameters, when degrees d_n = 2^{n-1} go to infinity, can be solved by a polynomial (in d_n) time algorithm for wide error distributions with widths in the range of the Peikert-Regev-Stephens-Davidowitz hardness reduction results in their STOC 2017 paper. Hence we also prove that approximating ideal-SIVP_{poly(d_n)} with some polynomial factors for ideal lattices in two-to-power cyclotomic fields can be solved within quantum polynomial time. Therefore post-quantum lattice cryptographic constructions cannot be based on the "hardness" of Ring-LWE over two-to-power cyclotomic integer rings even in the classical computational model.
How (Not) to Instantiate Ring-LWE
The learning with errors over rings (Ring-LWE) problem---or
more accurately, family of problems---has emerged as a promising
foundation for cryptography due to its practical efficiency,
conjectured quantum resistance, and provable worst-case
hardness: breaking certain instantiations of Ring-LWE is at least
as hard as quantumly approximating the Shortest Vector Problem on
any ideal lattice in the ring.
Despite this hardness guarantee, several recent works have shown that
certain instantiations of Ring-LWE can be broken by relatively simple
attacks. While the affected instantiations are not supported by
worst-case hardness theorems (and were not ever proposed for
cryptographic purposes), this state of affairs raises natural
questions about what other instantiations might be vulnerable, and in
particular whether certain classes of rings are inherently unsafe for
Ring-LWE.
This work comprehensively reviews the known attacks on Ring-LWE and
vulnerable instantiations. We give a new, unified exposition which
reveals an elementary geometric reason why the attacks work, and
provide rigorous analysis to explain certain phenomena that were
previously only exhibited by experiments. In all cases, the
insecurity of an instantiation is due to the fact that the error
distribution is insufficiently "well spread" relative to the ring.
In particular, the insecure instantiations use the so-called
non-dual form of Ring-LWE, together with spherical error
distributions that are much narrower and of a very different shape
than the ones supported by hardness proofs.
On the positive side, we show that any Ring-LWE instantiation which
satisfies (or only almost satisfies) the hypotheses of the
"worst-case hardness of search" theorem is provably immune to
broad generalizations of the above-described attacks: the running time
divided by advantage is at least exponential in the degree of the
ring. This holds for the ring of integers in any number field,
so the rings themselves are not the source of insecurity in the
vulnerable instantiations. Moreover, the hypotheses of the worst-case
hardness theorem are nearly minimal ones which provide these
immunity guarantees.
A Practical Post-Quantum Public-Key Cryptosystem Based on spLWE
The Learning with Errors (LWE) problem has been widely used as a hardness assumption to construct public-key primitives. In this paper, we propose an efficient instantiation of a PKE scheme based on LWE with a sparse secret, named spLWE. We first construct an IND-CPA PKE and convert it to an IND-CCA scheme in the quantum random oracle model by applying a modified Fujisaki-Okamoto conversion of Unruh. In order to guarantee the security of our base problem suggested in this paper, we provide a polynomial time reduction from LWE with a uniformly chosen secret to spLWE. We modify the previous attacks for LWE to exploit the sparsity of a secret key and derive more suitable parameters. We can finally estimate the performance of our scheme supporting 256-bit messages: our implementation shows that our IND-CCA scheme takes 313 microseconds and 302 microseconds respectively for encryption and decryption with parameters that have 128-bit quantum security.
On the Ring-LWE and Polynomial-LWE problems
The Ring Learning With Errors problem (RLWE) comes in various forms.
Vanilla RLWE is the decision dual-RLWE variant, consisting in distinguishing from uniform
a distribution depending on a secret belonging to the dual O_K^vee of the ring of integers O_K
of a specified number field K. In primal-RLWE, the secret instead belongs to O_K.
Both decision dual-RLWE and primal-RLWE enjoy search counterparts.
Also widely used is (search/decision) Polynomial Learning With Errors (PLWE),
which is not defined using a ring of integers O_K of a number field K
but a polynomial ring ZZ[x]/f for a monic irreducible f in ZZ[x].
We show that there exist reductions between all of these six
problems that incur limited parameter losses.
More precisely: we prove that the (decision/search) dual to
primal reduction from Lyubashevsky et al. [EUROCRYPT 2010]
and Peikert [SCN 2016]
can be implemented with a small error rate growth for all rings
(the resulting reduction is non-uniform polynomial time); we
extend it to polynomial-time reductions between (decision/search)
primal RLWE and PLWE that work for a family
of polynomials f that is exponentially large as a function
of deg f (the resulting reduction is also
non-uniform polynomial time); and we
exploit the recent technique from Peikert et al. [STOC 2017]
to obtain a search-to-decision reduction for RLWE for arbitrary number fields.
The reductions incur error rate increases that depend
on intrinsic quantities related to K and f.