
    Advanced Encryption from the Learning With Errors Problem

    The Learning With Errors (LWE) problem is algorithmically hard for random instances. It was introduced by Oded Regev in 2005 and has since proved very useful for building cryptographic primitives that ensure the confidentiality of information. In this chapter we present the LWE problem and illustrate its richness by describing advanced encryption schemes that can be proved at least as secure as LWE is hard. We recall the fundamental concept of encryption, then focus on the notions of identity-based encryption and attribute-based encryption.

    Implementing Candidate Graded Encoding Schemes from Ideal Lattices

    Multilinear maps have become popular tools for designing cryptographic schemes since a first approximate realisation candidate was proposed by Garg, Gentry and Halevi (GGH). This construction was later improved by Langlois, Stehlé and Steinfeld, who proposed GGHLite, which offers smaller parameter sizes. In this work, we provide the first implementation of such approximate multilinear maps based on ideal lattices. Implementing GGH-like schemes naively would not allow instantiating them for non-trivial parameter sizes. We hence propose a strategy which reduces parameter sizes further, and several technical improvements to allow for an efficient implementation. In particular, since finding a prime ideal when generating instances is an expensive operation, we show how we can drop this requirement. We also propose algorithms and implementations for sampling from discrete Gaussians, for inverting in some cyclotomic number fields and for computing norms of ideals in some cyclotomic number rings. Due to our improvements we were able to compute a multilinear jigsaw puzzle for κ = 52 (resp. κ = 38) and λ = 52 (resp. λ = 80).

    Linearly Homomorphic Encryption from DDH

    We design a linearly homomorphic encryption scheme whose security relies on the hardness of the decisional Diffie-Hellman problem. Our approach requires some special features of the underlying group. In particular, its order is unknown and it contains a subgroup in which the discrete logarithm problem is tractable. Therefore, our instantiation holds in the class group of a non-maximal order of an imaginary quadratic field. Its algebraic structure makes it possible to obtain such a linearly homomorphic scheme whose message space is the whole set of integers modulo a prime p and which supports an unbounded number of additions modulo p from the ciphertexts. A notable difference with previous works is that, for the first time, the security does not depend on the hardness of the factorization of integers. As a consequence, under some conditions, the prime p can be scaled to fit the application needs.

    Efficient CCA Timed Commitments in Class Groups

    Timed commitments [Boneh and Naor, CRYPTO 2000] are the timed analogue of standard commitments, where the commitment can be non-interactively opened after a pre-specified amount of time passes. Timed commitments have a large spectrum of applications, such as sealed-bid auctions, fair contract signing, fair multi-party computation, and cryptocurrency payments. Unfortunately, all practical constructions rely on a (private-coin) trusted setup and do not scale well with the number of participants. These are two severe limiting factors that have hindered the widespread adoption of this primitive. In this work, we set out to resolve these two issues and propose an efficient timed commitment scheme that also satisfies the strong notion of CCA-security. Specifically, our scheme has a transparent (i.e. public-coin) one-time setup and the amount of sequential computation is essentially independent of the number of participants. As a key technical ingredient, we propose the first (linearly) homomorphic time-lock puzzle with a transparent setup, from class groups of imaginary quadratic order. To demonstrate the applicability of our scheme, we use it to construct a new distributed randomness generation protocol, where n parties jointly sample a random string. Our protocol is the first to simultaneously achieve (1) high scalability in the number of participants, (2) transparent one-time setup, (3) lightning speed in the optimistic case where all parties are honest, and (4) the guarantee that the output random string is unpredictable and unbiased, even when the adversary corrupts n − 1 parties. To substantiate the practicality of our approach, we implemented our protocol, and our experimental evaluation shows that it is fast enough to be used in practice. We also evaluated a heuristic version of the protocol that is at least 3 orders of magnitude more efficient both in terms of communication size and computation time. This makes the protocol suitable for supporting hundreds of participants.

    Lattice-Based Group Signatures with Logarithmic Signature Size

    Group signatures are cryptographic primitives where users can anonymously sign messages in the name of a population they belong to. Gordon et al. (Asiacrypt 2010) suggested the first realization of group signatures based on lattice assumptions in the random oracle model. A significant drawback of their scheme is its linear signature size in the cardinality N of the group. A recent extension proposed by Camenisch et al. (SCN 2012) suffers from the same overhead. In this paper, we describe the first lattice-based group signature schemes where the signature and public key sizes are essentially logarithmic in N (for any fixed security level). Our basic construction only satisfies a relaxed definition of anonymity (just like the Gordon et al. system) but readily extends into a fully anonymous group signature (i.e., one that resists adversaries equipped with a signature opening oracle). We prove the security of our schemes in the random oracle model under the SIS and LWE assumptions.


    Computational Differential Privacy for Encrypted Databases Supporting Linear Queries

    Differential privacy is a fundamental concept for protecting individual privacy in databases while enabling data analysis. Conceptually, it is assumed that the adversary has no direct access to the database, and therefore encryption is not necessary. However, with the emergence of cloud computing and the "on-cloud" storage of vast databases potentially contributed by multiple parties, it is becoming increasingly necessary to consider the possibility of the adversary having (at least partial) access to sensitive databases. A consequence is that, to protect the online database, it is now necessary to employ encryption. At PoPETs'19, the notion of differential privacy was considered for encrypted databases for the first time, but only for a limited type of query, namely histograms. Subsequently, a new type of query, summation, was considered at CODASPY'22. These works achieve statistical differential privacy, while still assuming that the adversary has no access to the encrypted database. In this paper, we argue that it is essential to assume that the adversary may eventually access the encrypted data, rendering statistical differential privacy inadequate. Therefore, the appropriate privacy notion for encrypted databases that we use is computational differential privacy, which was introduced by Beimel et al. at CRYPTO'08. In our work, we focus on the case of functional encryption, an extensively studied primitive permitting some authorized computation over encrypted data. Technically, we show that any randomized functional encryption scheme that satisfies simulation-based security and differential privacy of the output can achieve computational differential privacy for multiple queries to one database. Our work also extends the summation query to a much broader range of queries, specifically linear queries, by utilizing inner-product functional encryption. Hence, we provide an instantiation for inner-product functionalities by proving its simulation soundness and present a concrete randomized inner-product functional encryption scheme with computational differential privacy against multiple queries. In terms of efficiency, our protocol is almost as practical as the underlying inner-product functional encryption scheme. As evidence, we provide a full benchmark, based on our concrete implementation, for databases with up to 1 000 000 entries. Our work can be considered a step towards achieving privacy-preserving encrypted databases for a wide range of query types and with the involvement of multiple database owners.

    Bandwidth-efficient threshold EC-DSA revisited: Online/Offline Extensions, Identifiable Aborts, Proactivity and Adaptive Security

    Due to their use in crypto-currencies, threshold ECDSA signatures have received much attention in recent years. Though efficient solutions now exist both for the two-party and the full-threshold scenario, there is still much room for improvement, be it in terms of protocol functionality, strengthening security or further optimising efficiency. In the past few months, a range of protocols have been published allowing for a non-interactive, and hence extremely efficient, signing protocol; providing new features such as identifiable aborts (parties can be held accountable if they cause the protocol to fail), fairness in the honest-majority setting (all parties receive output or nobody does) and other properties. In some cases, security is proven in the strong simulation-based model. We combine ideas from the aforementioned articles with the suggestion of Castagnos et al. (PKC 2020) to use the class-group-based CL framework so as to drastically reduce bandwidth consumption. Building upon this latter protocol, we present a new, maliciously secure, full-threshold ECDSA protocol that achieves additional features without sacrificing efficiency. Our most basic protocol boasts a non-interactive signature algorithm and identifiable aborts. We also propose a more advanced variant that also achieves adaptive security (for the n-out-of-n case) and proactive security. Our resulting constructions improve upon state-of-the-art Paillier-based realizations achieving similar goals by up to a factor of 10 in bandwidth consumption.

    Public-Key Cryptography: Design and Algorithmics

    Public-key cryptography aims at providing efficient, versatile, and secure solutions to protect complex systems such as electronic voting, anonymous access control, secure routing, ... The foundation of public-key cryptography is the existence of hard algorithmic problems, on which the security of these protocols relies. The factorisation of integers and the discrete logarithm over the group of points of an elliptic curve are examples of such problems. Designing a secure cryptosystem requires a precise identification and analysis of the underlying algorithmic problem, optimised arithmetic, and a proof of its security with respect to a model of adversary.
    I present in this thesis my contributions to this framework. In the first part, I will describe a new factoring algorithm for numbers of the shape pq^2 using the algorithmics of quadratic forms, and its application to the cryptanalysis of long-lived cryptosystems based on the arithmetic of orders of quadratic fields. I will then illustrate the optimisation of the arithmetic of cryptography by providing an improvement of Miller's algorithm to compute pairings on elliptic curves, which is of crucial importance in the design of functional cryptosystems, as illustrated later.
    In the second part, I will discuss the design and security analysis of functional cryptosystems, which provide a natural way to protect data by defining a security policy that authorises several users to access (part of) this data. The concept of functional encryption naturally captures those of (anonymous) identity-based encryption and attribute-based encryption. I will provide a theoretical study of the relations between semantic security and anonymity for identity-based encryption in different security scenarios. Then, I will propose efficient attribute-based encryption and signature schemes for which the size of the ciphertexts or signatures does not depend on the number of attributes of a user.

    Factoring pq^2 with quadratic forms and cryptographic applications
