31 research outputs found

    LP Solutions of Vectorial Integer Subset Sums - Cryptanalysis of Galbraith\u27s Binary Matrix LWE

    We consider Galbraith's space efficient LWE variant, where the (m×n)-matrix A is binary. In this binary case, solving a vectorial subset sum problem over the integers allows for decryption. We show how to solve this problem using (Integer) Linear Programming. Our attack requires only a fraction of a second for all instances in a regime for m that cannot be attacked by current lattice algorithms. E.g., we are able to solve 100 instances of Galbraith's small LWE challenge (n,m) = (256, 400) all in a fraction of a second. We also show under a mild assumption that instances with m ≤ 2n can be broken in polynomial time via LP relaxation. Moreover, we develop a method that identifies weak instances for Galbraith's large LWE challenge (n,m) = (256, 640).

    Polly Cracker, revisited


    On the Asymptotic Complexity of Solving LWE

    We provide for the first time an asymptotic comparison of all known algorithms for the search version of the Learning with Errors (LWE) problem. This includes an analysis of several lattice-based approaches as well as the combinatorial BKW algorithm. Our analysis of the lattice-based approaches defines a general framework, in which the algorithms of Babai, Lindner-Peikert and several pruning strategies appear as special cases. We show that within this framework, all lattice algorithms achieve the same asymptotic complexity. For the BKW algorithm, we present a refined analysis for the case of only a polynomial number of samples via amplification, which allows for a fair comparison with lattice-based approaches. Somewhat surprisingly, such a small number of samples does not make the asymptotic complexity significantly inferior, but only affects the constant in the exponent. As the main result we obtain that both lattice-based techniques and BKW with a polynomial number of samples achieve running time 2^{O(n)} for n-dimensional LWE, where we make the constant hidden in the big-O notation explicit as a simple and easy to handle function of all LWE parameters. In the lattice case this function also depends on the time to compute a BKZ lattice basis with block size Θ(n). Thus, from a theoretical perspective our analysis reveals how LWE's complexity changes as a function of the LWE parameters, and from a practical perspective our analysis is a useful tool to choose LWE parameters resistant to all known attacks.

    Chipmunk: Better Synchronized Multi-Signatures from Lattices

    Multi-signatures allow for compressing many signatures for the same message that were generated under independent keys into one small aggregated signature. This primitive is particularly useful for proof-of-stake blockchains, like Ethereum, where the same block is signed by many signers, who vouch for the block's validity. Being able to compress all signatures for the same block into a short string significantly reduces the on-chain storage costs, which is an important efficiency metric for blockchains. In this work, we consider multi-signatures in the synchronized setting, where the signing algorithm takes an additional time parameter as input and it is only required that signatures for the same time step are aggregatable. The synchronized setting is simpler than the general multi-signature setting, but is sufficient for most blockchain related applications, as signers are naturally synchronized by the length of the chain. We present Chipmunk, a concretely efficient lattice-based multi-signature scheme in the synchronized setting that allows for signing an a-priori bounded number of messages. Chipmunk allows for non-interactive aggregation of signatures and is secure against rogue-key attacks. The construction is plausibly secure against quantum adversaries as our security relies on the assumed hardness of the short integer solution problem. We significantly improve upon the previously best known construction in this setting by Fleischhacker, Simkin, and Zhang (CCS 2022). Our aggregate signature size is 5.6× smaller and for 112 bits of security our construction allows for compressing 8192 individual signatures into a multi-signature of size around 136 KB. We provide a full implementation of Chipmunk and provide extensive benchmarks studying our construction's efficiency.

    Quantum Algorithms for the Approximate k-List Problem and their Application to Lattice Sieving

    The Shortest Vector Problem (SVP) is one of the mathematical foundations of lattice based cryptography. Lattice sieve algorithms are amongst the foremost methods of solving SVP. The asymptotically fastest known classical and quantum sieves solve SVP in a d-dimensional lattice in 2^{c d + o(d)} time steps with 2^{c' d + o(d)} memory for constants c, c'. In this work, we give various quantum sieving algorithms that trade computational steps for memory. We first give a quantum analogue of the classical k-Sieve algorithm [Herold--Kirshanova--Laarhoven, PKC'18] in the Quantum Random Access Memory (QRAM) model, achieving an algorithm that heuristically solves SVP in 2^{0.2989d + o(d)} time steps using 2^{0.1395d + o(d)} memory. This should be compared to the state-of-the-art algorithm [Laarhoven, Ph.D Thesis, 2015] which, in the same model, solves SVP in 2^{0.2653d + o(d)} time steps and memory. In the QRAM model these algorithms can be implemented using poly(d) width quantum circuits. Secondly, we frame the k-Sieve as the problem of k-clique listing in a graph and apply quantum k-clique finding techniques to the k-Sieve. Finally, we explore the large quantum memory regime by adapting parallel quantum search [Beals et al., Proc. Roy. Soc. A'13] to the 2-Sieve and giving an analysis in the quantum circuit model. We show how to heuristically solve SVP in 2^{0.1037d + o(d)} time steps using 2^{0.2075d + o(d)} quantum memory.

    Applications of classical algebraic geometry to cryptography

    This thesis deals with applications of classical algebraic geometry to questions in cryptography. The first part of the thesis treats the Polly Cracker with Noise encryption scheme (Albrecht et al., ASIACRYPT 2011). It is shown that this scheme offers no significant advantages over LWE-based schemes. The second part of the thesis treats cryptographic assumptions in generic groups, with a focus on matrix assumptions. Methods are developed to analyze the generic security of such assumptions using concepts from algebraic geometry. Building on this, an identification of matrix assumptions with assumptions in polynomial rings is presented. This identification makes it possible to use polynomial multiplication as a so-called projecting pairing and thereby to obtain considerable efficiency gains for constructions in symmetric pairing groups of composite order.

    This thesis shows some applications of classical algebraic geometry to applications arising from cryptography. The first part of the thesis deals with the Polly Cracker with Noise cryptosystem (Albrecht et al., ASIACRYPT 2011). The main result is that this scheme does not offer any significant advantages over LWE-based schemes. The second part of the thesis analyzes cryptographic assumptions in generic groups with a focus on matrix assumptions. We characterize security in an appropriate generic model using the language of algebraic geometry. Using methods from algebraic geometry, we show how to analyze matrix assumptions by considering the determinant of a related matrix. As a further application, this determinant allows us to identify matrix assumptions with assumptions in polynomial spaces. We use this to construct optimal projecting pairings, thereby considerably improving the efficiency of the composite-order to prime-order transformation in the framework of Freeman, EUROCRYPT 2010.

    On the asymptotic complexity of solving LWE


    Speed-ups and time–memory trade-offs for tuple lattice sieving

    In this work we study speed-ups and time–space trade-offs for solving the shortest vector problem (SVP) on Euclidean lattices based on tuple lattice sieving.

    New techniques for structural batch verification in bilinear groups with applications to Groth-Sahai proofs

    Paper presented at: the 2017 ACM SIGSAC Conference on Computer and Communications Security, held from 30 October to 3 November 2017 in Dallas, Texas, United States of America. Bilinear groups form the algebraic setting for a multitude of important cryptographic protocols including anonymous credentials, e-cash, e-voting, e-coupon, and loyalty systems. It is typical of such crypto protocols that participating parties need to repeatedly verify that certain equations over bilinear groups are satisfied, e.g., to check that computed signatures are valid, commitments can be opened, or non-interactive zero-knowledge proofs verify correctly. Depending on the form and number of equations this part can quickly become a performance bottleneck due to the costly evaluation of the bilinear map. To ease this burden on the verifier, batch verification techniques have been proposed that allow combining and checking multiple equations probabilistically using fewer operations than checking each equation individually. In this work, we revisit the batch verification problem and existing standard techniques. We introduce a new technique which, in contrast to previous work, enables us to fully exploit the structure of certain systems of equations. Equations of the appropriate form naturally appear in many protocols, e.g., due to the use of Groth–Sahai proofs. The beauty of our technique is that the underlying idea is pretty simple: we observe that many systems of equations can alternatively be viewed as a single equation of products of polynomials for which probabilistic polynomial identity testing following Schwartz–Zippel can be applied. Comparisons show that our approach can lead to significant improvements in terms of the number of pairing evaluations. Indeed, for the BeleniosRF voting system presented at CCS 2016, we can reduce the number of pairings (required for ballot verification) from 4k + 140, as originally reported by Chaidos et al. [19], to k + 7. As our implementation and benchmarks demonstrate, this may reduce the verification runtime to only 5% to 13% of the original runtime. Gottfried Herold is supported by ERC Starting Grant 335086 Lattices: Algorithms and Cryptography (LattAC). Max Hoffmann is supported by DFG grant PA 587/10-1. Michael Klooß is supported by the Competence Center for Applied Security Technology (KASTEL). Carla Ràfols is supported by Marie Curie COFUND project “UPF Fellows” under grant agreement 600387. Andy Rupp is supported by DFG grant RU 1664/3-1 and the Competence Center for Applied Security Technology (KASTEL).