1,290 research outputs found
A framework for cryptographic problems from linear algebra
We introduce a general framework encompassing the main hard problems emerging in lattice-based cryptography, which naturally includes the recently proposed Mersenne prime cryptosystem, but also problems coming from code-based cryptography. The framework allows to easily instantiate new hard problems and to automatically construct plausibly post-quantum secure primitives from them. As a first basic application, we introduce two new hard problems and the corresponding encryption schemes. Concretely, we study generalisations of hard problems such as SIS, LWE and NTRU to free modules over quotients of Z[X] by ideals of the form (f,g), where f is a monic polynomial and gâZ[X] is a ciphertext modulus coprime to f. For trivial modules (i.e. of rank one), the case f=Xn+1 and g=qâZ>1 corresponds to ring-LWE, ring-SIS and NTRU, while the choices f=Xnâ1 and g=Xâ2 essentially cover the recently proposed Mersenne prime cryptosystems. At the other extreme, when considering modules of large rank and letting deg(f)=1, one recovers the framework of LWE and SIS
CRYSTALS - Kyber: A CCA-secure Module-Lattice-Based KEM
Rapid advances in quantum computing, together with the announcement by the National Institute of Standards and Technology (NIST) to define new standards for digital-signature, encryption, and key-establishment protocols, have created significant interest in post-quantum cryptographic schemes. This paper introduces Kyber (part of CRYSTALS - Cryptographic Suite for Algebraic Lattices - a package submitted to NIST post-quantum standardization effort in November 2017), a portfolio of post-quantum cryptographic primitives built around a key-encapsulation mechanism (KEM), based on hardness assumptions over module lattices. Our KEM is most naturally seen as a successor to the NEWHOPE KEM (Usenix 2016). In particular, the key and ciphertext sizes of our new construction are about half the size, the KEM offers CCA instead of only passive security, the security is based on a more general (and flexible) lattice problem, and our optimized implementation results in essentially the same running time as the aforementioned scheme. We first introduce a CPA-secure public-key encryption scheme, apply a variant of the Fujisaki-Okamoto transform to create a CCA-secure KEM, and eventually construct, in a black-box manner, CCA-secure encryption, key exchange, and authenticated-key-exchange schemes. The security of our primitives is based on the hardness of Module-LWE in the classical and quantum random oracle models, and our concrete parameters conservatively target more than 128 bits of post-quantum security
Attacks on the Search-RLWE problem with small errors
The Ring Learning-With-Errors (RLWE) problem shows great promise for
post-quantum cryptography and homomorphic encryption. We describe a new attack
on the non-dual search RLWE problem with small error widths, using ring
homomorphisms to finite fields and the chi-squared statistical test. In
particular, we identify a "subfield vulnerability" (Section 5.2) and give a new
attack which finds this vulnerability by mapping to a finite field extension
and detecting non-uniformity with respect to the number of elements in the
subfield. We use this attack to give examples of vulnerable RLWE instances in
Galois number fields. We also extend the well-known search-to-decision
reduction result to Galois fields with any unramified prime modulus q,
regardless of the residue degree f of q, and we use this in our attacks. The
time complexity of our attack is O(nq2f), where n is the degree of K and f is
the residue degree of q in K. We also show an attack on the non-dual (resp.
dual) RLWE problem with narrow error distributions in prime cyclotomic rings
when the modulus is a ramified prime (resp. any integer). We demonstrate the
attacks in practice by finding many vulnerable instances and successfully
attacking them. We include the code for all attacks
On the Shortness of Vectors to be found by the Ideal-SVP Quantum Algorithm
The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard as the ana
On the shortness of vectors to be found by the Ideal-SVP quantum algorithm
The hardness of finding short vectors in ideals of cyclotomic number fields (hereafter, Ideal-SVP) can serve as a worst-case assumption for numerous efficient cryptosystems, via the average-case problems Ring-SIS and Ring-LWE. For a while, it could be assumed the Ideal-SVP problem was as hard a
- âŠ