
    Practical MP-LWE-based encryption balancing security-risk vs. efficiency

    Middle-Product Learning With Errors (MP-LWE) is a variant of the LWE problem introduced at CRYPTO 2017 by Rosca et al. [RSSS17]. Asymptotically, the theoretical results of [RSSS17] suggest that MP-LWE gives lattice-based public-key cryptosystems offering a ‘security-risk vs. efficiency’ trade-off: higher performance than cryptosystems based on unstructured lattices (LWE problem) and lower risk than cryptosystems based on structured lattices (Polynomial/Ring LWE problem). However, although promising in theory, [RSSS17] left the practical implications of MP-LWE for lattice-based cryptography unclear. In this paper, we show how to build practical public-key cryptosystems with strong security guarantees based on MP-LWE. On the implementation side, we present optimised fast algorithms for computing the middle-product operation over polynomial rings Z_q[x], the dominant computation for MP-LWE-based cryptosystems. On the security side, we show how to obtain a nearly tight security proof for MP-LWE from the hardest Polynomial LWE problem over a large family of rings, improving on the loose reduction of [RSSS17]. We also show and analyze an optimised cryptanalysis of MP-LWE that narrows the complexity gap to the above security proof. To evaluate the practicality of MP-LWE, we apply our results to construct, implement and optimise parameters for a practical MP-LWE-based public-key cryptosystem, Titanium, and compare its benchmarks to other lattice-based systems. Our results show that MP-LWE offers a new ‘security-risk vs. efficiency’ trade-off in lattice-based cryptography in practice, not only asymptotically in theory.

    FACCT: FAst, Compact, and Constant-Time Discrete Gaussian Sampler over Integers

    The discrete Gaussian sampler is one of the fundamental tools in implementing lattice-based cryptosystems. However, a naive discrete Gaussian sampling implementation suffers from side-channel vulnerabilities, and the existing countermeasures usually introduce significant overhead in either the running speed or the memory consumption. In this paper, we propose a fast, compact, and constant-time implementation of the binary sampling algorithm, originally introduced in the BLISS signature scheme. Our implementation adapts the Rényi divergence and the transcendental function polynomial approximation techniques. The efficiency of our scheme is independent of the standard deviation, and we show evidence that our implementations are either faster or more compact than several existing constant-time samplers. In addition, we show the performance of our implementation techniques applied to and integrated with two existing signature schemes: qTesla and Falcon. On the other hand, the convolution theorems are typically adapted to sample from larger standard deviations, by combining samples with much smaller standard deviations. As an additional contribution, we show better parameters for the convolution theorems.

    COSAC: COmpact and Scalable Arbitrary-Centered Discrete Gaussian Sampling over Integers

    The arbitrary-centered discrete Gaussian sampler is a fundamental subroutine in implementing lattice trapdoor sampling algorithms. However, existing approaches typically rely on either a fast implementation of another discrete Gaussian sampler or pre-computations with regard to some specific discrete Gaussian distributions with fixed centers and standard deviations. These approaches may only support sampling from standard deviations within a limited range, or cannot efficiently sample from arbitrary standard deviations determined on-the-fly at run-time. In this paper, we propose a compact and scalable rejection sampling algorithm by sampling from a continuous normal distribution and performing rejection sampling on rounded samples. Our scheme does not require pre-computations related to any specific discrete Gaussian distributions. Our scheme can sample from both arbitrary centers and arbitrary standard deviations determined on-the-fly at run-time. In addition, we show that our scheme only requires a low number of trials close to 2 per sample on average, and our scheme maintains good performance when scaling up the standard deviation. We also provide a concrete error analysis of our scheme based on the Rényi divergence. We implement our sampler and analyse its performance in terms of storage and speed compared to previous results. Our sampler's running time is center-independent and is therefore applicable to implementation of convolution-style lattice trapdoor sampling and identity-based encryption resistant against timing side-channel attacks.

    MatRiCT+: More Efficient Post-Quantum Private Blockchain Payments

    We introduce MatRiCT+, a practical private blockchain payment protocol based on "post-quantum" lattice assumptions. MatRiCT+ builds on MatRiCT due to Esgin et al. (ACM CCS '19) and, in general, follows the Ring Confidential Transactions (RingCT) approach used in Monero, the largest privacy-preserving cryptocurrency. In terms of the practical aspects, MatRiCT+ has 2-18x shorter proofs (depending on the number of input accounts, M) and runs 3-11x faster (for a typical transaction) in comparison to MatRiCT. A significant advantage of MatRiCT+ is that the proof length's dependence on M is very minimal (only O(log M)), while MatRiCT has a proof length linear in M. To support its efficiency, we devise several novel techniques in our design of MatRiCT+ to achieve compact lattice-based zero-knowledge proof systems, exploiting the algebraic properties of power-of-2 cyclotomic rings commonly used in practical lattice-based cryptography. Along the way, we design a family of "optimal" challenge spaces, using a technique we call partition-and-sample, with minimal ℓ1-norm and invertible challenge differences (with overwhelming probability), while supporting highly-splitting power-of-2 cyclotomic rings. We believe all these results to be widely applicable and of independent interest.

    Efficient Verifiable Partially-Decryptable Commitments from Lattices and Applications

    We introduce verifiable partially-decryptable commitments (VPDC), as a building block for constructing efficient privacy-preserving protocols supporting auditability by a trusted party. A VPDC is an extension of a commitment along with an accompanying proof, convincing a verifier that (i) the given commitment is well-formed and (ii) a certain part of the committed message can be decrypted using a (secret) trapdoor known to a trusted party. We first formalize VPDCs and then introduce a general decryption feasibility result that overcomes the challenges in relaxed proofs arising in the lattice setting. Our general result can be applied to a wide class of Fiat-Shamir based protocols and may be of independent interest. Next, we show how to extend the commonly used lattice-based 'Hashed-Message Commitment' (HMC) scheme into a succinct and efficient VPDC. In particular, we devise a novel 'gadget'-based Regev-style (partial) decryption method, compatible with efficient relaxed lattice-based zero-knowledge proofs. We prove the soundness of our VPDC in the setting of adversarial proofs, where a prover tries to create a valid VPDC output that fails in decryption. To demonstrate the effectiveness of our results, we extend a private blockchain payment protocol, MatRiCT, by Esgin et al. (ACM CCS '19) into a formally auditable construction, which we call MatRiCT-Au, with very low communication and computation overheads over MatRiCT.

    A Study of Trait Anhedonia in Non-Clinical Chinese Samples: Evidence from the Chapman Scales for Physical and Social Anhedonia

    Background: Recent studies suggest that anhedonia, an inability to experience pleasure, can be measured as an enduring trait in non-clinical samples. In order to examine trait anhedonia in a non-clinical sample, we examined the properties of a range of widely used questionnaires capturing anhedonia. Methods: 887 young adults were recruited from colleges. All of them were administered a set of checklists, including the Chapman Scale for Social Anhedonia (CRSAS), the Chapman Scale for Physical Anhedonia (CPAS), the Temporal Experience of Pleasure Scale (TEPS), and the Schizotypal Personality Questionnaire (SPQ). Results: Males showed significantly higher levels of physical (F = 5.09, p<0.001) and social (F = 4.38, p<0.005) anhedonia than females. As expected, individuals with schizotypal personality features also demonstrated significantly higher scores of physical (t = 3.81, p<0.001) and social (t = 7.33, p<0.001) trait anhedonia than individuals without SPD features, but no difference on self-report anticipatory and consummatory pleasure experience. Conclusions: Concerning the comparison on each item of physical and social anhedonia, the results indicated that individuals with SPD features exhibited higher scores than individuals without SPD features on more items of the social anhedonia scale than of the physical anhedonia scale. These preliminary findings suggested that trait anhedonia can be identified in a non-clinical sample. Exploring the demographic and clinical correlates of trait anhedonia in the general population may provide clues to the pathogenesis of psychotic disorder.
    Funding: China. Ministry of Science and Technology. National Key Technologies R&D Program (2012BAI36B01); National Science Fund China (Grant no. 81088001); National Science Fund China (Grant no. 91132701); Chinese Academy of Sciences. Knowledge Innovation Project (KSCX2-EW-J-8

    MatRiCT: Efficient, Scalable and Post-Quantum Blockchain Confidential Transactions Protocol

    We introduce MatRiCT, an efficient RingCT protocol for blockchain confidential transactions, whose security is based on "post-quantum" (module) lattice assumptions. The proof length of the protocol is around two orders of magnitude shorter than the existing post-quantum proposal, and scales efficiently to large anonymity sets, unlike the existing proposal. Further, we provide the first full implementation of a post-quantum RingCT, demonstrating the practicality of our scheme. In particular, a typical transaction can be generated in a fraction of a second and verified in about 23 ms on a standard PC. Moreover, we show how our scheme can be extended to provide auditability, where a user can select a particular authority from a set of authorities to reveal her identity. The user also has the ability to select no auditing, and all these auditing options may co-exist in the same environment. The key ingredients of MatRiCT, introduced in this work, are 1) the shortest to date scalable ring signature from standard lattice assumptions with no Gaussian sampling required, 2) a novel balance zero-knowledge proof and 3) a novel extractable commitment scheme from (module) lattices. We believe these ingredients to be of independent interest for other privacy-preserving applications such as secure e-voting. Despite allowing 64-bit precision for transaction amounts, our new balance proof, and thus our protocol, does not require a range proof on a wide range (such as 32- or 64-bit ranges), which has been a major obstacle against efficient lattice-based solutions. Further, we provide new formal definitions for RingCT-like protocols, where the real-world blockchain setting is captured more closely. The definitions are applicable in a generic setting, and thus are believed to contribute to the development of future confidential transaction protocols in general (not only in the lattice setting).

    Quantum-safe HIBE: does it cost a Latte?

    The United Kingdom (UK) government is considering advanced primitives such as identity-based encryption (IBE) for adoption as they transition their public-safety communications network from TETRA to an LTE-based service. However, the current LTE standard relies on elliptic-curve-based IBE, which will be vulnerable to quantum computing attacks, expected within the next 20-30 years. Lattices can provide quantum-safe alternatives for IBE. These schemes have shown promising results in terms of practicality. To date, several IBE schemes over lattices have been proposed, but there has been little in the way of practical evaluation. This paper provides the first complete optimised practical implementation and benchmarking of Latte, a promising Hierarchical IBE (HIBE) scheme proposed by the UK National Cyber Security Centre (NCSC) in 2017 and endorsed by the European Telecommunications Standards Institute (ETSI). We propose optimisations for the KeyGen, Delegate, Extract and Gaussian sampling components of Latte, to increase attack costs, reduce decryption key lengths by 2x-3x, reduce ciphertext sizes by up to 33%, and improve speed. In addition, we conduct a precision analysis, bounding the Rényi divergence of the distribution of the real Gaussian sampling procedures from the ideal distribution in corroboration of our claimed security levels. Our resulting implementation of the Delegate function takes 0.4 seconds at the 80-bit security level on a desktop machine at 4.2 GHz, significantly faster than the order of minutes estimated in the ETSI technical report. Furthermore, our optimised Latte Encrypt/Decrypt implementation reaches speeds up to 9.7x faster than the ETSI implementation.

    Neurological Soft Signs Are Not "Soft" in Brain Structure and Functional Networks: Evidence From ALE Meta-Analysis

    Background: Neurological soft signs (NSS) are associated with schizophrenia and related psychotic disorders. NSS have been conventionally considered as clinical neurological signs without localized brain regions. However, recent brain imaging studies suggest that NSS are partly localizable and may be associated with deficits in specific brain areas. Method: We conducted an activation likelihood estimation meta-analysis to quantitatively review structural and functional imaging studies that evaluated the brain correlates of NSS in patients with schizophrenia and other psychotic disorders. Six structural magnetic resonance imaging (sMRI) and 15 functional magnetic resonance imaging (fMRI) studies were included. Results: The results from the meta-analysis of the sMRI studies indicated that NSS were associated with atrophy of the precentral gyrus, the cerebellum, the inferior frontal gyrus, and the thalamus. The results from the meta-analysis of the fMRI studies demonstrated that the NSS-related task was significantly associated with altered brain activation in the inferior frontal gyrus, bilateral putamen, the cerebellum, and the superior temporal gyrus. Conclusions: Our findings from both sMRI and fMRI meta-analyses further support the conceptualization of NSS as a manifestation of the "cerebello-thalamo-prefrontal" brain network model of schizophrenia and related psychotic disorders.

    Prolonged Drying Trend Coincident with the Demise of Norse Settlement in Southern Greenland

    Declining temperature has been thought to explain the abandonment of Norse settlements in southern Greenland in the early 15th century, although limited paleoclimate evidence is available from the inner settlement region itself. Here, we reconstruct the temperature and hydroclimate history from lake sediments at a site adjacent to a former Norse farm. We find no substantial temperature changes during the settlement period but rather that the region experienced a persistent drying trend, which peaked in the 16th century. Drier climate would have notably reduced grass production, which was essential for livestock overwintering, and this drying trend is concurrent with a Norse diet shift. We conclude that increasingly dry conditions played a more important role in undermining the viability of the Eastern Settlement than minor temperature changes.