Accelerating integer-based fully homomorphic encryption using Comba multiplication

n/

Tightly Secure Ring-LWE Based Key Encapsulation with Short Ciphertexts

We provide a tight security proof for an IND-CCA Ring-LWE based Key Encapsulation Mechanism that is derived from a generic construction of Dent (IMA Cryptography and Coding, 2003). Such a tight reduction is not known for the generic construction. The resulting scheme has shorter ciphertexts than can be achieved with other generic constructions of Dent or by using the well-known Fujisaki-Okamoto constructions (PKC 1999, Crypto 1999). Our tight security proof is obtained by reducing to the security of the underlying Ring-LWE problem, avoiding an intermediate reduction to a CPA-secure encryption scheme. The proof technique maybe of interest for other schemes based on LWE and Ring-LWE

Improved Measurements of Partial Rate Asymmetry in B -> h h Decays

We report improved measurements of the partial rate asymmetry (Acp) in B -> h h decays with 140fb^-1 of data collected with the Belle detector at the KEKB e+e- collider. Here h stands for a charged or neutral pion or kaon and in total five decay modes are included: K-+ pi+-, K0s pi-+, K-+ pi0, pi-+ pi0 and K0s pi0. The flavor of the last decay mode is determined from the accompanying B meson. Using a data sample 4.7 times larger than that of our previous measurement, we find Acp(K-+ pi+-) -0.088+-0.035+-0.013, 2.4 sigma from zero. Results for other decay modes are also presented.Comment: 9 pages, 1 figur

Efficient Homomorphic Comparison Methods with Optimal Complexity

Comparison of two numbers is one of the most frequently used operations, but it has been a challenging task to efficiently compute the comparison function in homomorphic encryption (HE) which basically support addition and multiplication. Recently, Cheon et al. (Asiacrypt 2019) introduced a new approximate representation of the comparison function with a rational function, and showed that this rational function can be evaluated by an iterative algorithm. Due to this iterative feature, their method achieves a logarithmic computational complexity compared to previous polynomial approximation methods; however, the computational complexity is still not optimal, and the algorithm is quite slow for large-bit inputs in HE implementation. In this work, we propose new comparison methods with optimal asymptotic complexity based on composite polynomial approximation. The main idea is to systematically design a constant-degree polynomial $f$ by identifying the \emph{core properties} to make a composite polynomial $f\circ f \circ \cdots \circ f$ get close to the sign function (equivalent to the comparison function) as the number of compositions increases. We additionally introduce an acceleration method applying a mixed polynomial composition $f\circ \cdots \circ f\circ g \circ \cdots \circ g$ for some other polynomial $g$ with different properties instead of $f\circ f \circ \cdots \circ f$. Utilizing the devised polynomials $f$ and $g$, our new comparison algorithms only require $\Theta(\log(1/\epsilon)) + \Theta(\log\alpha)$ computational complexity to obtain an approximate comparison result of $a,b\in[0,1]$ satisfying $|a-b|\ge \epsilon$ within $2^{-\alpha}$ error. The asymptotic optimality results in substantial performance enhancement: our comparison algorithm on encrypted $20$-bit integers for $\alpha = 20$ takes $1.43$ milliseconds in amortized running time, which is $30$ times faster than the previous work

Predicate Encryption for Circuits from LWE

In predicate encryption, a ciphertext is associated with descriptive attribute values x in addition to a plaintext μ, and a secret key is associated with a predicate f. Decryption returns plaintext μ if and only if f(x)=1. Moreover, security of predicate encryption guarantees that an adversary learns nothing about the attribute x or the plaintext μ from a ciphertext, given arbitrary many secret keys that are not authorized to decrypt the ciphertext individually. We construct a leveled predicate encryption scheme for all circuits, assuming the hardness of the subexponential learning with errors (LWE) problem. That is, for any polynomial function d=d(λ), we construct a predicate encryption scheme for the class of all circuits with depth bounded by d(λ), where λ is the security parameter.Microsoft Corporation (PhD Fellowship)Northrop Grumman Cybersecurity Research ConsortiumUnited States. Defense Advanced Research Projects Agency (Grant FA8750-11-2-0225)National Science Foundation (U.S.) (Awards CNS-1350619)National Science Foundation (U.S.) (Awards CNS-1413920)Alfred P. Sloan Foundation (Fellowship)Microsoft (Faculty Fellowship

Numerical Method for Comparison on Homomorphically Encrypted Numbers

We propose a new method to compare numbers which are encrypted by Homomorphic Encryption (HE). Previously, comparison and min/max functions were evaluated using Boolean functions where input numbers are encrypted bit-wisely. However, the bit-wise encryption methods require relatively expensive computation of basic arithmetic operations such as addition and multiplication. In this paper, we introduce iterative algorithms that approximately compute the min/max and comparison operations of several numbers which are encrypted word-wisely. From the concrete error analyses, we show that our min/max and comparison algorithms have $\Theta(\alpha)$ and $\Theta(\alpha\log\alpha)$ computational complexity to obtain approximate values within an error rate $2^{-\alpha}$, while the previous minimax polynomial approximation method requires the exponential complexity $\Theta(2^{\alpha/2})$ and $\Theta(\sqrt{\alpha}\cdot 2^{\alpha/2})$, respectively. We also show the (sub-)optimality of our min/max and comparison algorithms in terms of asymptotic computational complexity among polynomial evaluations to obtain approximate min/max and comparison results. Our comparison algorithm is extended to several applications such as computing the top-$k$ elements and counting numbers over the threshold in encrypted state. Our new method enables word-wise HEs to enjoy comparable performance in practice with bit-wise HEs for comparison operations while showing much better performance on polynomial operations. Computing an approximate maximum value of any two $\ell$-bit integers encrypted by HEAAN, up to error $2^{\ell-10}$, takes only $1.14$ milliseconds in amortized running time, which is comparable to the result based on bit-wise HEs

Towards a Practical Cluster Analysis over Encrypted Data

Cluster analysis is one of the most significant unsupervised machine learning tasks, and it is utilized in various fields associated with privacy issues including bioinformatics, finance and image processing. In this paper, we propose a practical solution for privacy-preserving cluster analysis based on homomorphic encryption~(HE). Our work is the first HE solution for the mean-shift clustering algorithm. To reduce the super-linear complexity of the original mean-shift algorithm, we adopt a novel random sampling method called dust sampling which perfectly fits in HE and achieves the linear complexity. We also substitute non-polynomial kernels by a new polynomial kernel so that it can be efficiently computed in HE. The HE implementation of our modified mean-shift clustering algorithm based on the approximate HE scheme HEAAN shows prominent performance in terms of speed and accuracy. It takes about $30$ minutes with $99\%$ accuracy over several public datasets with hundreds of data, and even for the dataset with $262,144$ data it takes only $82$ minutes applying SIMD operations in HEAAN. Our results outperform the previously best known result (SAC 2018) over $400$ times

Studies of the Decay B+- -> D_CP K+-

We report studies of the decay B+- -> D_CP K+-, where D_CP denotes neutral D mesons that decay to CP eigenstates. The analysis is based on a 29.1/fb data sample of collected at the \Upsilon(4S) resonance with the Belle detector at the KEKB asymmetric e+ e- storage ring. Ratios of branching fractions of Cabibbo-suppressed to Cabibbo-favored processes involving D_CP are determined to be B(B- -> D_1 K-)/B(B- -> D_1 pi-)=0.125 +- 0.036 +- 0.010 and B(B- -> D_2 K-)/B(B- -> D_2 pi-)=0.119 +- 0.028 +- 0.006, where indices 1 and 2 represent the CP=+1 and CP=-1 eigenstates of the D0 - anti D0 system, respectively. We also extract the partial rate asymmetries for B+- -> D_CP K+-, finding A_1 = 0.29 +- 0.26 +- 0.05 and A_2 = -0.22 +- 0.24 +- 0.04.Comment: 10 pages, 2 figures, submitted to Physical Review Letter

Search for CP violation in the decay B0->D*+-D-+

We report a search for CP-violating asymmetry in B0 -> D*+- D-+ decays. The analysis employs two methods of B0 reconstruction: full and partial. In the full reconstruction method all daughter particles of the B0 are required to be detected; the partial reconstruction technique requires a fully reconstructed D- and only a slow pion from the D*+ -> D0 pi_slow+ decay. From a fit to the distribution of the time interval corresponding to the distance between two B meson decay points we calculate the CP-violating parameters and find the significance of nonzero CP asymmetry to be 2.7 standard deviations.Comment: 4 pages, 3 figure

Cloud-assisted Asynchronous Key Transport with Post-Quantum Security

In cloud-based outsourced storage systems, many users wish to securely store their files for later retrieval, and additionally to share them with other users. These retrieving users may not be online at the point of the file upload, and in fact they may never come online at all. In this asynchoronous environment, key transport appears to be at odds with any demands for forward secrecy. Recently, Boyd et al. (ISC 2018) presented a protocol that allows an initiator to use a modified key encapsulation primitive, denoted a blinded KEM (BKEM), to transport a file encryption key to potentially many recipients via the (untrusted) storage server, in a way that gives some guarantees of forward secrecy. Until now all known constructions of BKEMs are built using RSA and DDH, and thus are only secure in the classical setting. We further the understanding of the use of blinding in post-quantum cryptography in two aspects. First, we show how to generically build blinded KEMs from homomorphic encryption schemes with certain properties. Second, we construct the first post-quantum secure blinded KEMs, and the security of our constructions are based on hard lattice problems