27 research outputs found

    On the cryptographic properties of weightwise affine and weightwise quadratic functions

    Weightwise degree-d functions are Boolean functions that take the values of a function of degree at most d on each set of fixed Hamming weight. The class of weightwise affine functions encompasses both the symmetric functions and the Hidden Weight Bit Function (HWBF). The good cryptographic properties of the HWBF, except for its nonlinearity, motivate the investigation of a larger class of functions that share these good properties and have better nonlinearity. Additionally, the homomorphic friendliness of symmetric functions exhibited in the context of hybrid homomorphic encryption, and the recent results on homomorphic evaluation of Boolean functions, make this class of functions appealing for efficient privacy-preserving protocols. In this article we carry out the first study of weightwise degree-d functions, focusing on weightwise affine and weightwise quadratic functions. We show some properties of these new classes of functions, in particular of the subclass of cyclic weightwise functions. We provide balanced constructions and prove nonlinearity lower bounds for all cyclic weightwise affine functions and for a family of weightwise quadratic functions. We complement our work with experimental results: they show that cyclic weightwise linear functions other than the HWBF have better cryptographic parameters, and that considering weightwise quadratic functions allows one to reach higher algebraic immunity and substantially better nonlinearity.

    On the algebraic immunity of weightwise perfectly balanced functions

    In this article we study the Algebraic Immunity (AI) of Weightwise Perfectly Balanced (WPB) functions. After showing a lower bound on the AI of two classes of WPB functions from the previous literature, we prove that the minimal AI of a WPB n-variable function is constant, equal to 2 for n ≥ 4. Then, we compute the distribution of the AI of WPB functions in 4 variables, and estimate it in 8 and 16 variables. For these values of n we observe that a large majority of WPB functions have optimal AI, and that we could not obtain an AI-2 WPB function by sampling at random. Finally, we address the problem of constructing WPB functions with bounded algebraic immunity, exploiting a construction from 2022 by Gini and Méaux. In particular, we present a method to generate multiple WPB functions with minimal AI, and we prove that the WPB functions with high nonlinearity exhibited by Gini and Méaux also have minimal AI. We conclude with a construction giving WPB functions with lower-bounded AI, and give as an example a family whose elements all have AI at least n/2 - log(n) + 1.

    Boolean functions with restricted input and their robustness; application to the FLIP cipher

    We study the main cryptographic features of Boolean functions (balancedness, nonlinearity, algebraic immunity) when, for a given number n of variables, the input to these functions is restricted to some subset E o

    Towards Practical Transciphering for FHE with Setup Independent of the Plaintext Space

    Fully Homomorphic Encryption (FHE) is a powerful tool to achieve non-interactive privacy-preserving protocols with optimal computation/communication complexity. However, its main disadvantage is that the actual communication cost (bandwidth) is high due to the large size of FHE ciphertexts. As a solution, a technique called transciphering (also known as Hybrid Homomorphic Encryption) was introduced to achieve almost optimal bandwidth for such protocols. However, all existing works require clients to fix a precision for the messages or a mathematical structure for the message space beforehand. This results in unwanted constraints on the plaintext size or underlying structure of FHE-based applications. In this article, we introduce, for the first time, a new approach to transciphering which does not require a fixed message precision decided by the client. In more detail, a client uses any kind of FHE-friendly symmetric cipher over {0,1} to send its input data encrypted bit-by-bit; the server can then choose a precision p depending on the application and homomorphically transform the encrypted bits into FHE ciphertexts encrypting integers in Z_p. To illustrate our new technique, we evaluate a transciphering using the FiLIP cipher and adapt the most practical homomorphic evaluation technique [CCS'22] to keep the latency practical. As a result, our proof-of-concept implementation for p from 2^2 to 2^8 takes only from 13 ms to 137 ms.

    Shorter and Faster Identity-Based Signatures with Tight Security in the (Q)ROM from Lattices

    We provide identity-based signature (IBS) schemes with tight security against adaptive adversaries, in the (classical or quantum) random oracle model (ROM or QROM), over both unstructured and structured lattices, based on the SIS or RSIS assumption. These signatures are short (of size independent of the message length). Our schemes build upon a work by Pan and Wagner (PQCrypto’21) and improve on it in several ways. First, we prove their transformation from non-adaptive to adaptive IBS in the QROM. Then, we simplify the parameters used and give concrete values. Finally, we simplify the signature scheme by using a non-homogeneous relation, which helps us reduce the size of the signature and get rid of one costly trapdoor delegation. On the whole, we get better security bounds, shorter signatures and faster algorithms.

    Improved Filter Permutators: Combining Symmetric Encryption Design, Boolean Functions, Low Complexity Cryptography, and Homomorphic Encryption, for Private Delegation of Computations

    Motivated by the application of delegating computation, we revisit the design of filter permutators as a general approach to building stream ciphers that can be efficiently evaluated in a fully homomorphic manner. We first introduce improved filter permutators that allow better security analyses, instances and implementations than the previously proposed FLIP family of stream ciphers. We also point out the similarities between these improved constructions and a popular PRG design by Goldreich. Then, we exhibit the relevant cryptographic parameters of two families of Boolean functions, direct sums of monomials and XOR-MAJ functions, which give candidates to instantiate the improved filter permutator paradigm. We develop new Boolean function techniques to study them, and refine Goldreich's PRG locality bound for this purpose. We give an asymptotic analysis of the noise level of improved filter permutator instances using both kinds of functions, and recommend them as good candidates for evaluation with a third-generation FHE scheme. Finally, we propose a methodology to evaluate the performance of such symmetric cipher designs in an FHE setting, which primarily focuses on the noise level of the symmetric ciphertexts (hence on the number of operations on these ciphertexts that can be homomorphically evaluated). Evaluations performed with HElib show that instances of improved filter permutators using direct sums of monomials as filter outperform all existing ciphers in the literature based on this criterion. We also discuss the (limited) overheads of these instances in terms of latency and throughput.

    Effective and Efficient Masking with Low Noise using Small-Mersenne-Prime Ciphers

    Embedded devices used in security applications are natural targets for physical attacks. Thus, enhancing their side-channel resistance is an important research challenge. A standard solution for this purpose is the use of Boolean masking schemes, as they are well adapted to current block ciphers with efficient bitslice representations. Boolean masking guarantees that the security of an implementation grows exponentially in the number of shares under the assumption that leakages are sufficiently noisy (and independent). Unfortunately, it has been shown that this noise assumption is hardly met on low-end devices. In this paper, we therefore investigate techniques to mask cryptographic algorithms in such a way that their resistance can survive an almost complete lack of noise. Building on seed theoretical results of Dziembowski et al., we put forward that arithmetic encodings in prime fields can reach this goal. We first exhibit the gains that such encodings lead to, thanks to a simulated information-theoretic analysis of their leakage (with up to six shares). We then provide figures showing that on platforms where optimized arithmetic adders and multipliers are readily available (i.e., most MCUs and FPGAs), performing masked operations in small to medium Mersenne-prime fields as opposed to binary extension fields will not lead to notable implementation overheads. We compile these observations into a new AES-like block cipher, called AES-prime, which is well suited to illustrate the remarkable advantages of masking in prime fields. We also confirm the practical relevance of our findings by evaluating concrete software (ARM Cortex-M3) and hardware (Xilinx Spartan-6) implementations. Our experimental results show that security gains over Boolean masking (and, more generally, binary encodings) can reach orders of magnitude despite the same amount of information being leaked per share.

    When Bad News Become Good News

    Hard physical learning problems have been introduced as an alternative option to implement cryptosystems based on hard learning problems. Their high-level idea is to use inexact computing to generate erroneous computations directly, rather than to first compute correctly and add errors afterwards. Previous works focused on the applicability of this idea to the Learning Parity with Noise (LPN) problem as a first step, and formalized it as Learning Parity with Physical Noise (LPPN). In this work, we generalize it to the Learning With Errors (LWE) problem, formalized as Learning With Physical Errors (LWPE). We first show that the direct application of the design ideas used for LPPN prototypes leads to a new source of (mathematical) data dependencies in the error distributions that can reduce the security of the underlying problem. We then show that design tweaks can be used to avoid this issue, making LWPE samples natively robust against such data dependencies. We additionally put forward that these ideas open a quite wide design space that could make hard physical learning problems relevant in various applications. We conclude by presenting a first prototype FPGA design confirming our claims.

    Chiffrement complètement homomorphe hybride

    Fully homomorphic encryption, first built in 2009, is a very powerful kind of encryption, allowing any function to be computed on encrypted data and an encrypted version of the result to be obtained. Such encryption makes it possible to securely delegate data to a cloud, ask for computations and recover the result, while keeping the data private during the whole process. However, today’s inefficiency of fully homomorphic encryption, and its unsuitability for the outsourced-computation context, make its use alone insufficient for this application. Both of these issues can be circumvented by using fully homomorphic encryption in a larger framework, combining it with a symmetric encryption scheme. This combination gives a hybrid fully homomorphic framework, designed towards efficient outsourced computation, providing both security and privacy. In this thesis, we contribute to the study of the hybrid fully homomorphic framework through the analysis and the design of symmetric primitives that make this hybrid construction efficient. Through the examination of fully homomorphic encryption schemes, we develop tools to use the homomorphic properties efficiently in a more complex framework. By investigating various symmetric encryption schemes, and building blocks up to the circuit level, we determine good candidates for a hybrid context. Through evaluating the security of constructions optimizing the homomorphic evaluation, we contribute to a wide study within the area of cryptographic Boolean functions. More particularly, we introduce a new family of symmetric encryption schemes, with a new design, adapted to the hybrid fully homomorphic framework. We then investigate its behavior with respect to homomorphic evaluation, and we address the security of such a design. Finally, the particularities of this family of ciphers motivate specific cryptanalyses; therefore we develop and analyze new cryptographic Boolean criteria.

    Abstract (translated from French): Fully homomorphic encryption is a class of encryption that makes it possible to compute any function on encrypted data and to produce an encrypted version of the result. It allows data to be delegated securely to a cloud and computations to be carried out on it, while keeping the data private. However, the current inefficiency of fully homomorphic encryption schemes, and their unsuitability for the outsourced-computation setting, make their use alone insufficient for this application. Both problems can be solved by using this encryption in a larger framework, combining it with a symmetric encryption scheme. This combination gives rise to hybrid fully homomorphic encryption, designed for efficient delegation of computation while guaranteeing notions of security and privacy. In this thesis, we study hybrid fully homomorphic encryption and its components, through the design of symmetric cryptographic primitives that make this hybrid construction efficient. By examining fully homomorphic encryption schemes, we develop tools to use their homomorphic properties efficiently in a more complex framework. By analysing various symmetric schemes and their components, we identify good candidates for the hybrid context. By studying the security of constructions that optimise homomorphic evaluation, we contribute to the field of Boolean functions used in cryptology. More specifically, we introduce a new family of symmetric encryption schemes, with a new construction adapted to the hybrid context. We then look at its homomorphic behaviour and study the security of this construction. Finally, since the particularities of this family of ciphers motivate specific cryptanalyses, we develop and analyse new Boolean cryptographic criteria.

    On the fast algebraic immunity of threshold functions

    Motivated by the impact of fast algebraic attacks on stream ciphers, and by recent constructions using a threshold function as the main part of the filtering function, we study the fast algebraic immunity of threshold functions. As a first result, we determine exactly the fast algebraic immunity of all majority functions in more than 8 variables. Then, for all n ≥ 8 and all threshold values between 1 and n, we exhibit the fast algebraic immunity for most of the thresholds, and we determine a small range for the value in the few remaining cases. Finally, provided m ≥ 2, we determine exactly the fast algebraic immunity of all threshold functions in 3·2^m or 3·2^m + 1 variables.