    A framework for cryptographic problems from linear algebra

    We introduce a general framework encompassing the main hard problems emerging in lattice-based cryptography, which naturally includes the recently proposed Mersenne prime cryptosystem, but also problems coming from code-based cryptography. The framework makes it easy to instantiate new hard problems and to automatically construct plausibly post-quantum secure primitives from them. As a first basic application, we introduce two new hard problems and the corresponding encryption schemes. Concretely, we study generalisations of hard problems such as SIS, LWE and NTRU to free modules over quotients of Z[X] by ideals of the form (f, g), where f is a monic polynomial and g ∈ Z[X] is a ciphertext modulus coprime to f. For trivial modules (i.e. of rank one), the case f = X^n + 1 and g = q ∈ Z_{>1} corresponds to ring-LWE, ring-SIS and NTRU, while the choices f = X^n − 1 and g = X − 2 essentially cover the recently proposed Mersenne prime cryptosystems. At the other extreme, when considering modules of large rank and letting deg(f) = 1, one recovers the framework of LWE and SIS.

    Efficiently processing complex-valued data in homomorphic encryption

    We introduce a new homomorphic encryption scheme that is natively capable of computing with complex numbers. This is done by generalizing recent work of Chen, Laine, Player and Xia, who modified the Fan–Vercauteren scheme by replacing the integral plaintext modulus t by a linear polynomial X − b. Our generalization studies plaintext moduli of the form X^m + b. Our construction significantly reduces the noise growth in comparison to the original FV scheme, so much deeper arithmetic circuits can be homomorphically executed.

    On the Security of the Multivariate Ring Learning with Errors Problem

    The Multivariate Ring Learning with Errors (m-RLWE) problem was introduced in 2015 by Pedrouzo-Ulloa, Troncoso-Pastoriza and Pérez-González. Instead of working over a polynomial residue ring with one variable as in RLWE, it works over a polynomial residue ring in several variables. However, care must be taken when choosing the multivariate rings for use in cryptographic applications as they can be either weak or simply equivalent to univariate RLWE. For example, Pedrouzo-Ulloa et al. suggest using tensor products of cyclotomic rings, in particular power-of-two cyclotomic rings. They claim incorrectly that the security increases with the product of the individual degrees. In this paper, we present simple methods to solve the search m-RLWE problem far more efficiently than is stated in the current literature by reducing the problem to the RLWE problem in dimension equal to the maximal degree of its components (and not the product) and where the noise increases with the square-root of the degree of the other components. Our methods utilise the fact that the defining cyclotomic polynomials share algebraically related roots. We use these methods to successfully attack the search variant of the m-RLWE problem for a set of parameters estimated to offer more than 2600 bits of security, and being equivalent to solving the bounded distance decoding problem in a highly structured lattice of dimension 16384, in less than two weeks of computation time or just a few hours if parallelized on 128 cores. Finally, we also show that optimizing module-LWE cryptosystems by introducing an extra ring structure, as is common practice to optimize LWE, often results in a total breakdown of security.

    SoK: On the Security of Cryptographic Problems from Linear Algebra

    There are two main aims to this paper. Firstly, we survey the relevant existing attack strategies known to apply to the most commonly used lattice-based cryptographic problems as well as to a number of their variants. In particular, we consider attacks against problems in the style of LWE, SIS and NTRU defined over rings of the form Z[X]/(f(X), g(X)), where classically g(X) = q is an integer modulus. We also include attacks on variants which use only large integer arithmetic, corresponding to the degree one case g(X) = X − c. Secondly, for each of these approaches we investigate whether they can be generalised to the case of a polynomial modulus g(X) having degree larger than one, thus addressing the security of the generalised cryptographic problems from linear algebra introduced by Bootland et al. We find that some attacks readily generalise to a wide range of parameters while others require very specific conditions to be met in order to work.

    Revisiting Multivariate Lattices for Encrypted Signal Processing

    Multimedia contents are inherently sensitive signals that must be protected when processed in untrusted environments. The field of Secure Signal Processing addresses this challenge by developing methods which enable operating with sensitive signals in a privacy-conscious way. Recently, we introduced a hard lattice problem called m-RLWE (multivariate Ring Learning with Errors) which gives support to efficient encrypted processing of multidimensional signals. Afterwards, Bootland et al. presented an attack on m-RLWE that reduces the security of the underlying scheme from a lattice with dimension ∏_i n_i to max_i n_i. Our work introduces a new pre-/post-coding block that addresses this attack and achieves the efficient results of our initial approach while basing its security directly on RLWE with dimension ∏_i n_i, hence preserving the security and efficiency originally claimed. Additionally, this work provides a detailed comparison between a conventional use of RLWE, m-RLWE and our new pre-/post-coding procedure, which we denote "packed"-RLWE. Finally, we discuss a set of encrypted signal processing applications which clearly benefit from the proposed framework, either alone or in a combination of baseline RLWE, m-RLWE and "packed"-RLWE.