Essays on Monetary Economics
My dissertation, which consists of three papers, is devoted to studying the implications of conventional and unconventional monetary policies for inflation, asset prices, and welfare.
The first paper examines the sustainability and effectiveness of negative nominal interest rates. I construct a model of multiple means of payment where the cost of holding paper currency—its storage and security costs—determines the effective rate of return on currency, which establishes the effective lower bound on nominal interest rates. I show that central banks can reduce the effective rate of return on currency, and thus the effective lower bound, by altering their policy on bank reserves. However, reducing the lower bound leads to welfare losses associated with individuals holding more currency. Moreover, sustaining a negative rate by reducing the lower bound has no stimulative effects. This occurs because this policy combination reduces both the rate of return on currency and interest rates on financial assets, leaving the relative interest rates between currency and financial assets unchanged.
In the second paper, I develop a two-country model with financial frictions to study how a central bank's unconventional asset purchases affect international asset prices and welfare. In the model, the key financial frictions are limited commitment, differential pledgeability of assets as collateral, and a scarcity of collateralizable assets. Due to the differential pledgeability of assets, financial intermediaries acquire different asset portfolios depending on their home country. I find that quantitative easing can reduce long-term bond yields and term premia internationally and depreciate the creditor country's currency. Foreign exchange intervention always depreciates the local currency, but it can improve welfare globally if implemented by the creditor country.
The third paper studies the implications of heterogeneous payment choices for monetary policy. I construct a model of money and credit where each consumer participates in a small-value or a large-value transaction depending on a preference shock. Financial intermediaries write deposit contracts for consumers to intermediate credit transactions. The preference shock is private information and is costly for intermediaries to observe. I find that, in equilibrium, financial intermediaries create state-contingent deposit contracts for consumers. However, private information and costly monitoring generate an incentive problem, so that the quantity of credit is constrained for consumers in large-value transactions. The effects of monetary policy on the allocation of means of payment vary depending on the size of transaction
Approximate Homomorphic Encryption over the Conjugate-invariant Ring
The Ring Learning with Errors (RLWE) problem over a cyclotomic ring has been the most widely used hardness assumption for the construction of practical homomorphic encryption schemes. However, this restricted choice of a base ring may cause a waste in terms of plaintext space usage. For example, an approximate homomorphic encryption scheme of Cheon et al. (ASIACRYPT 2017) is able to store a complex number in each of the plaintext slots since its canonical embedding of a cyclotomic field has a complex image. The imaginary part of a plaintext is not underutilized at all when the computation is performed over the real numbers, which is required in most of the real-world applications such as machine learning.
In this paper, we are proposing a new homomorphic encryption scheme which supports arithmetic over the real numbers. Our scheme is based on RLWE over a subring of a cyclotomic ring called conjugate-invariant ring. We show that this problem is no easier than a standard lattice problem over ideal lattices by the reduction of Peikert et al. (STOC 2017). Our scheme allows real numbers to be packed in a ciphertext without any waste of a plaintext space and consequently we can encrypt twice as many plaintext slots as the previous scheme while maintaining the same security level, storage, and computational costs
Probability that the k-gcd of products of positive integers is B-friable
In 1849, Dirichlet [D49] proved that the probability that two positive integers are relatively prime is $1/\zeta(2)$. Later, it was generalized into the case that positive integers have no nontrivial $k$th power common divisor.
In this paper, we further generalize this result: the probability that the gcd of $m$ products of $n$ positive integers is $B$-friable is $\prod_{p>B}\left[1-\left\{1-\left(1-\frac{1}{p}\right)^{n}\right\}^{m}\right]$ for $m \geq 2$. We show that it is lower bounded by $\frac{1}{\zeta(s)}$ for some $s>1$ if $B>n^{\frac{m}{m-1}}$, which completes the heuristic proof in the cryptanalysis of cryptographic multilinear maps by Cheon et al. [CHLRS15].
We extend this result to the case of $k$-gcd: the probability is $\prod_{p>B}\left[1-\left\{1-\left(1-\frac{1}{p}\right)^{n}\left(1+\frac{{}_{n}H_{1}}{p}+\cdots+\frac{{}_{n}H_{k-1}}{p^{k-1}}\right)\right\}^{m}\right]$, where ${}_{n}H_{i} = \binom{n+i-1}{i}$
Remark on the Security of CKKS Scheme in Practice
Recently, Li and Micciancio (ePrint 2020/1533) have proposed a passive attack on the CKKS approximate homomorphic encryption (HE) scheme, which allows an adversary to query decryption on valid ciphertexts. In this paper, we discuss for which applications such an attack is applicable, and introduce an extension of the HEaaN library. In addition, we investigate the mitigation strategies of other HE libraries that support the CKKS scheme including HElib, PALISADE, Lattigo and SEAL
Faster Bootstrapping of FHE over the Integers
Bootstrapping in fully homomorphic encryption (FHE) over the integers is a homomorphic evaluation of the squashed decryption function suggested by van Dijk et al.
The typical approach for the bootstrapping is representing the decryption function as a binary circuit with a fixed message space. All bootstrapping methods in FHEs over the integers use this approach; however, these methods require too many homomorphic multiplications, slowing down the whole procedure. In this paper, we propose an efficient bootstrapping method using various message spaces. Our bootstrapping method requires only number of homomorphic multiplications, which is significantly lower than of the previous methods. We implement our bootstrapping method on the scale-invariant FHE over the integers; the CLT scheme introduced by Coron, Lepoint and Tibouchi. It takes 6 seconds for a 500-bit message space and a 72-bit security in PC. This is the fastest result among the bootstrapping methods on FHEs over the integers. We also apply our bootstrapping method to evaluate an AES-128 circuit homomorphically. As a result, it takes about 8 seconds per 128-bit block and is faster than the previous result of homomorphic evaluation of AES circuit using FHEs over the integers without bootstrapping
Toward Practical Lattice-based Proof of Knowledge from Hint-MLWE
In the last decade, zero-knowledge proof of knowledge protocols have been extensively studied to achieve active security of various cryptographic protocols. However, the existing solutions simply seek zero-knowledge for both message and randomness, which is an overkill in many applications since protocols may remain secure even if some information about randomness is leaked to the adversary.
We develop this idea to improve the state-of-the-art proof of knowledge protocols for RLWE-based public-key encryption and BDLOP commitment schemes. In a nutshell, we present new proof of knowledge protocols without using noise flooding or rejection sampling which are provably secure under a computational hardness assumption, called Hint-MLWE. We also show an efficient reduction from Hint-MLWE to the standard MLWE assumption.
Our approach enjoys the best of two worlds because it has no computational overhead from repetition (abort) and achieves a polynomial overhead between the honest and proven languages. We prove this claim by demonstrating concrete parameters and compare with previous results. Finally, we explain how our idea can be further applied to other proof of knowledge providing advanced functionality
A New Trapdoor over Module-NTRU Lattice and its Application to ID-based Encryption
A trapdoor over NTRU lattice proposed by Ducas, Lyubashevsky and Prest (ASIACRYPT 2014) has been widely used in various cryptographic primitives such as identity-based encryption (IBE) and digital signature, due to its high efficiency compared to previous lattice trapdoors. However, most applications use this trapdoor with the power-of-two cyclotomic rings, and hence to obtain higher security level one should double the ring dimension which results in a huge loss of efficiency. In this paper, we give a new way to overcome this problem by introducing a generalized notion of NTRU lattices which we call Module-NTRU (MNTRU) lattices, and show how to efficiently generate a trapdoor over MNTRU lattices. Moreover, beyond giving parameter flexibility, we further show that the Gram-Schmidt norm of the trapdoor can be reached to about where MNTRU covers cases while including NTRU as case. Since the efficiency of trapdoor-based IBE is closely related to the Gram-Schmidt norm of trapdoor, our trapdoor over MNTRU lattice brings more efficient IBE scheme than the previously best one of Ducas, Lyubashevsky and Prest, while providing the same security level
Faster Amortized FHEW bootstrapping using Ring Automorphisms
Amortized bootstrapping offers a way to simultaneously refresh many ciphertexts of a fully homomorphic encryption scheme, at a total cost comparable to that of refreshing a single ciphertext. An amortization method for FHEW-style cryptosystems was first proposed by (Micciancio and Sorrell, ICALP 2018), who showed that the amortized cost of bootstrapping n FHEW-style ciphertexts can be reduced from basic cryptographic operations to just , for any constant . However, despite the promising asymptotic saving, the algorithm was rather impractical due to a large constant (exponential in ) hidden in the asymptotic notation. In this work, we propose an alternative amortized bootstrapping method with much smaller overhead, still achieving asymptotic amortized cost, but with a hidden constant that is only linear in , and with reduced noise growth. This is achieved following the general strategy of (Micciancio and Sorrell), but replacing their use of the Nussbaumer transform, with a much more practical Number Theoretic Transform, with multiplication by twiddle factors implemented using ring automorphisms. A key technical ingredient to do this is a new scheme switching technique proposed in this paper which may be of independent interest
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
The LWE problem has been widely used in many constructions for post-quantum cryptography due to its strong security reduction from the worst-case of lattice hard problems and its lightweight operations. The PKE schemes based on the LWE problem have a simple and fast decryption, but the encryption phase is rather slow due to large parameter size for the leftover hash lemma or expensive Gaussian samplings.
In this paper, we propose a novel PKE scheme, called Lizard, without relying on either of them. The encryption procedure of Lizard first combines several LWE samples as in the previous LWE-based PKEs, but the following step to re-randomize this combination before adding a plaintext is different: it removes several least significant bits of each component of the computed vector rather than adding an auxiliary error vector. Lizard is IND-CPA secure under the hardness assumptions of the LWE and LWR problems, and its variant achieves IND-CCA security in the quantum random oracle model.
Our approach accelerates encryption speed to a large extent and also reduces the size of ciphertexts, and Lizard is very competitive for applications requiring fast encryption and decryption phases. In our single-core implementation on a laptop, the encryption and decryption of IND-CCA Lizard with 256-bit plaintext space under 128-bit quantum security take 0.014 and 0.027 milliseconds, which are comparable to those of NTRU. To achieve these results, we further take some advantages of sparse small secrets
Towards a Polynomial Instruction Based Compiler for Fully Homomorphic Encryption Accelerators
Fully Homomorphic Encryption (FHE) is a transformative technology that enables computations on encrypted data without requiring decryption, promising enhanced data privacy. However, its adoption has been limited due to significant performance overheads. Recent advances include the proposal of domain-specific, highly-parallel hardware accelerators designed to overcome these limitations.
This paper introduces PICA, a comprehensive compiler framework designed to simplify the programming of these specialized FHE accelerators and integration with existing FHE libraries. PICA leverages a novel polynomial Instruction Set Architecture (p-ISA), which abstracts polynomial rings and their arithmetic operations, serving as a fundamental data type for the creation of compact, efficient code embracing high-level operations on polynomial rings, referred to as kernels, e.g., encompassing FHE primitives like arithmetic and ciphertext management. We detail a kernel generation framework that translates high-level FHE operations into pseudo-code using p-ISA, and a subsequent tracing framework that incorporates p-ISA functionalities and kernels into established FHE libraries. Additionally, we introduce a mapper to coordinate multiple FHE kernels for optimal application performance on targeted hardware accelerators. Our evaluations demonstrate PICA's efficacy in creation of compact and efficient code, when compared with an x64 architecture. Particularly in managing complex FHE operations such as relinearization, where we observe a 25.24x instruction count reduction even when a large batch size (8192) is taken into account