22 research outputs found
Interpolation and Approximation of Polynomials in Finite Fields over a Short Interval from Noisy Values
Motivated by a recently introduced HIMMO key distribution scheme, we consider a modification of the noisy polynomial interpolation problem of recovering an unknown polynomial from approximate values of the residues of modulo a prime at polynomially many points taken from a short interval.
Results on polynomial interpolation with mixed modular operations and unknown moduli
Motivated by a recently introduced HIMMO key predistribution scheme, we investigate the limits of various attacks on the polynomial interpolation problem with mixed modular operations and hidden moduli. We first review the classical attack and consider it in a quantum setting. Then, we introduce new techniques for finding out the secret moduli and consider quantum speed-ups.
Achieving secure and efficient lattice-based public-key encryption: the impact of the secret-key distribution
Lattice-based public-key encryption has a large number of design choices that can be combined in diverse ways to obtain different tradeoffs. One of these choices is the distribution from which secret keys are sampled. Numerous secret-key distributions exist in the state of the art, including (discrete) Gaussian, binomial, ternary, and fixed-weight ternary. Although the secret-key distribution impacts both the concrete security and the performance of the schemes, there has been no detailed comparison of how the choice of secret-key distribution affects this tradeoff. In this paper, we compare different aspects of secret-key distributions from submissions to the NIST post-quantum standardization effort. We consider their impact on concrete security (influenced by the entropy and variance of the distribution), and on decryption failures and IND-CCA2 security (influenced by the probability of sampling keys with "non average, large" norm). Next, we select concrete parameters of an encryption scheme instantiated with the above distributions to identify which distribution(s) offer the best tradeoffs between security and key sizes. The conclusions of the paper are: first, the above optimization shows that fixed-weight ternary secret keys result in the smallest key sizes in the analyzed scheme. The reason is that such secret keys reduce the decryption failure rate and hence allow for a higher noise-to-modulus ratio, alleviating the slight increase in lattice dimension required for countering specialized attacks that apply in this case. Second, compared to secret keys with independently sampled components, secret keys with a fixed composition (i.e., the number of secret-key components equal to any possible value is fixed) result in the scheme becoming more secure against active attacks based on decryption failures.
spKEX: An optimized lattice-based key exchange
The advent of large-scale quantum computers has resulted in significant interest in quantum-safe cryptographic primitives. Lattice-based cryptography is one of the most attractive post-quantum cryptographic families due to its well-understood security, efficient operation and versatility. However, LWE-based schemes are still relatively bulky and slow.
In this work, we present spKEX, a forward-secret, post-quantum, unauthenticated lattice-based key-exchange scheme that combines four techniques to optimize performance. spKEX relies on Learning with Rounding (LWR) to reduce bandwidth; it uses sparse and ternary secrets to speed up computations and reduce failure probability; it applies an improved key reconciliation scheme to reduce bandwidth and failure probability; and it computes the public matrix A by means of a permutation to improve performance while allowing for a fresh A in each key exchange.
For a quantum security level of 128 bits, our scheme requires 30% less bandwidth than the LWE-based key-exchange proposal Frodo [9] and allows for a fast implementation of the key exchange.
HIMMO - A lightweight collusion-resistant key predistribution scheme
In this paper we introduce HIMMO as a truly practical and lightweight collusion-resistant key predistribution scheme. The scheme is reminiscent of Blundo et al.'s elegant key predistribution scheme, in which the master key is a symmetric bivariate polynomial over a finite field, and a unique common key is defined for every pair of nodes as the evaluation of the polynomial at the finite field elements associated with the nodes. Unlike Blundo et al.'s scheme, however, which completely breaks down once the number of colluding nodes exceeds the degree of the polynomial, the new scheme is designed to tolerate any number of colluding nodes.
Key establishment in HIMMO amounts to the evaluation of a single low-degree univariate polynomial involving reasonably sized numbers, thus exhibiting excellent performance even for constrained devices such as 8-bit CPUs, as we demonstrate. On top of this, the scheme is very versatile, as it not only supports implicit authentication of the nodes like any key predistribution scheme, but also supports identity-based key predistribution in a natural and efficient way. The latter property derives from the fact that HIMMO supports long node identifiers at a reasonable cost, allowing outputs of a collision-resistant hash function to be used as node identifiers. Moreover, HIMMO allows for a transparent way to split the master key between multiple parties.
The new scheme is superior to any of the existing alternatives due to the intricate way it combines the use of multiple symmetric bivariate polynomials evaluated over "different" finite rings. We have extensively analyzed the security of HIMMO against two attacks. For these attacks, we have identified the Hiding Information (HI) problem and the Mixing Modular Operations (MMO) problem as the underlying problems. These problems are closely related to some well-defined lattice problems, and therefore the best attacks on HIMMO depend on lattice-basis reduction. Based on these connections, we propose concrete values for all relevant parameters, for which we conjecture that the scheme is secure.
Efficient Quantum-Resistant Trust Infrastructure based on HIMMO
Secure Internet communications face conflicting demands: while advances in (quantum) computers require stronger, quantum-resistant cryptographic algorithms, the Internet of Things demands better-performing protocols. Finally, communication links usually depend on a single root of trust, e.g., a certification authority, which forms a single point of failure that is too great a risk for future systems. This paper addresses these problems by proposing a hybrid infrastructure that combines the quantum-resistant HIMMO key pre-distribution scheme, based on multiple Trusted Third Parties (TTPs), with public-key cryptography. During operation, any pair of devices can use private HIMMO key material and public keys to establish a secure and authenticated link, where their public keys are certified beforehand by multiple TTPs acting as roots of trust. Our solution is resilient to the capture of individual roots of trust without affecting performance, while public-key cryptography provides features such as forward secrecy. Combining HIMMO identities with public keys enables secure certification of public keys and distribution of HIMMO key material from multiple TTPs, without requiring an out-of-band channel. The infrastructure can be tuned to fit Internet of Things use cases benefiting from an efficient, non-interactive and authenticated key exchange, or to fit use cases where the use of multiple TTPs provides privacy safeguards when lawful interception is required. Our TLS proof-of-concept shows the feasibility of our proposal by integrating the above security features with minimal changes to the TLS protocol. Our TLS implementation provides classic and post-quantum confidentiality and authentication, all while adding a computation overhead of only 2.8% and a communication overhead of approximately 50 bytes to a pre-quantum Elliptic Curve Diffie-Hellman ciphersuite.
Shorter Messages and Faster Post-Quantum Encryption with Round5 on Cortex M
Round5 is a Public Key Encryption and Key Encapsulation Mechanism (KEM) based on General Learning with Rounding (GLWR), a lattice problem. We argue that the ring variant of GLWR is better suited for embedded targets than the more common RLWE (Ring Learning With Errors) due to significantly shorter keys and messages. Round5 incorporates GLWR with error correction, building on design features from the NIST Post-Quantum Standardization candidates Round2 and Hila5. The proposal avoids Number Theoretic Transforms (NTT), allowing more flexibility in parameter selection and making it simpler to implement. We discuss implementation techniques for the Round5 ring variants and compare them to other NIST PQC candidates on the lightweight Cortex M4 platform. We show that the current development version of Round5 offers not only the shortest key and ciphertext sizes among lattice-based candidates, but also leading performance and implementation-size characteristics.
Round2: KEM and PKE based on GLWR
Cryptographic primitives that are secure against quantum computing are receiving growing attention with recent, steady advances in quantum computing and standardization initiatives in post-quantum cryptography by NIST and ETSI. Lattice-based cryptography is one of the families in post-quantum cryptography, demonstrating desirable features such as well-understood security, efficient performance, and versatility.
In this work, we present Round2, which consists of a key-encapsulation mechanism and a public-key encryption scheme. Round2 is based on the General Learning with Rounding problem, which unifies the Learning with Rounding and Ring Learning with Rounding problems. Round2's construction using the above problem allows for a unified description and implementation. The key-encapsulation mechanism and public-key encryption scheme furthermore share common building blocks, simplifying (security and operational) analysis and code review. Round2's reliance on prime cyclotomic rings offers a large design space that allows fine-tuning of parameters to required security levels. The use of rounding reduces bandwidth requirements, and the use of sparse-trinary secrets improves CPU performance and decryption success rates. Finally, Round2 includes various approaches to refreshing the system public parameter A, allowing efficient ways of preventing precomputation and back-door attacks.