Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012
|
|
- Gervase Arnold
- 6 years ago
- Views:
Transcription
1 Proxy Re-Encryption in a Stronger Security Model Extended from CT-RSA2012 Manh Ha Nguyen Tokyo Institute of Technology Toshiyuki Isshiki 1,2 and Keisuke Tanaka 2 1 NEC Corporation 2 Tokyo Institute of Technology Session ID: CRYP-R35 Session Classification: Advanced
2 Public Key Encryption m m A pk B CT B B sk B 2 Presenter Logo
3 Forwarding m m A pk B CT B B sk B pk C CT C m C sk C 3 Presenter Logo
4 Proxy Re-Encryption (PRE) m A pk B CT B Proxy B m sk B pk C rk B C CT C C sk C 4 Presenter Logo
5 Proxy Re-Encryption (PRE) Types Bidirectional or Unidirectional Multi-hop or Single-hop This work: Unidirectional, Single-hop PRE 5 Presenter Logo
6 Our Results We present a definition of security against chosen-ciphertext attacks (CCA) for unidirectional, single-hop PRE Extended from previous works New PRE scheme with this security 6 Presenter Logo
7 Agenda Model of PRE Security Notions of PRE Proposed PRE Scheme Concluding Remarks 7 Presenter Logo
8 8 Model of PRE
9 Model of PRE Setup(1 k ) PP KGen(PP) (pk,sk) ReKey(PP,sk i,pk j ) rk i->j Enc 1 (PP,pk i,m) 1 st -CT i (first level) Enc 2 (PP,pk i,m) 2 nd -CT i (second level) ReEnc(PP, rk i->j,2 nd -CT i ) 1 st -CT j (first level) Dec 1 (PP,pk i,1 st -CT i ) m Dec 2 (PP,pk i,2 nd -CT i ) m 9 Presenter Logo
10 Model of PRE (second level) 2 nd -CT i ReEnc (first level) 1 st -CT j Setup(1 k ) PP KGen(PP) (pk,sk) ReEnc ReKey(PP,sk (first level) 1 i st,pk -CT j ) i rk i->j Enc 1 (PP,pk i,m) 1 st -CT i (first level) Enc 2 (PP,pk i,m) 2 nd -CT i (second level) ReEnc(PP, rk i->j,2 nd -CT i ) 1 st -CT j (first level) Dec 1 (PP,pk i,1 st -CT i ) m Dec 2 (PP,pk i,2 nd -CT i ) m 10 Presenter Logo
11 Summary of uni-pre Schemes Schemes IND-CCA Security of ReEnc RO-free Security of Second Level Ciphertext [AFGH06] CPA [LV08] RCCA [CWYD10] CCA [HMY+11] RCCA [CDL11] CCA [HKK+12] CCA Ours CCA 11 Presenter Logo
12 12 Security Notions of PRE
13 Security Notions of PRE Previous works Security of second level ciphertext Security of first level (E.g. [LV08], [CWYD10], [HKK+12], ) 13 Presenter Logo
14 Security Notions of PRE This work Security of second level ciphertext Security of original first level ciphertext Security of re-encrypted ciphertext 14 Presenter Logo
15 Security Notions of PRE This work Security of second level ciphertext (2nd-level-CCA security) Security of original first level ciphertext (1st-ori-CCA security) Security of re-encrypted ciphertext (1st-re-CCA security) 15 Presenter Logo
16 2nd-level-CCA Security Oracles O pk, O sk, O rk, O re, O dec1, O dec2 With some conditions!!! Output b pk i*,(m 0,m 1 ) 2 nd -CT* Oracles b {0,1} 2 nd -CT* Enc 2 (pk i*,m b ) 16 Presenter Logo
17 2nd-level-CCA Security Conditions: O sk (i*) is not allowed O rk (i*,j) is allowed if pk j is uncorrupted key If Adv issueso re (i,j,ct i ) oro dec1 (i,ct i ): (pk i, CT i ) can t be a derivative of (pk i, 2 nd -CT*) 17 Presenter Logo
18 Extension from The Model of [HKK+12] Security of second level ciphertext The gap w.r.t the restriction on the first level decryption queries The example showing this gap in the proceedings is wrong, however, we can show the gap by other examples Security of first level ciphertext 18 Presenter Logo
19 1st-ori-CCA Security [CDL11] Oracles O pk, O sk, O rk, O re, O dec1, O dec2 Output b pk i*,(m 0,m 1 ) 1 st -CT* Oracles b {0,1} 1 st -CT* Enc 1 (pk i*,m b ) 19 Presenter Logo
20 1st-re-CCA Security [CDL11] Oracles O pk, O sk, O rk, O re, O dec1, O dec2 pk i,pk i*,(sct 0,sCT 1 ) 1 st -CT* sct 0 Enc 2 (pk i,m 0 ) sct 1 Enc 2 (pk i,m 1 ) Output b Oracles b {0,1} 1 st -CT* ReEnc 1 (rk i->i*,sct b ) 20 Presenter Logo
21 CCA-Security of first level ciphertext VS. 1st-ori-CCA Security 1st-re-CCA Security 21 Presenter Logo
22 CCA-Security of first level ciphertext 1 st -CT*=Enc 1 (pk i*,m b ) or ReEnc(rk i->i*,enc 2 (pk i,m b )) 22
23 CCA-Security of first level ciphertext 1 st -CT*=Enc 1 (pk i*,m b ) or ReEnc(rk i->i*,enc 2 (pk i,m b )) CCA-Security of first level ciphertext 23 1st-ori-CCA Security 1st-re-CCA Security
24 CCA-Security of first level ciphertext 1 st -CT*=Enc 1 (pk i*,m b ) or ReEnc(rk i->i*,enc 2 (pk i,m b )) If Adv both compromised delegator (sk i ) and proxy (rk i->i* ) then Adv may have obtained the original ciphertext 2 nd -CT b Enc 2 (pk i, m b ) and use sk i to decrypt trivially 24
25 CCA-Security of first level ciphertext 1st-re-CCA Security Secure Secure If Adv both compromised delegator (sk i ) and proxy (rk i->i* ) then Adv may have obtained the original ciphertext 2 nd -CT b Enc 2 (pk i, m b ) and use sk i to decrypt trivially 25
26 CCA-Security of first level ciphertext 1st-ori-CCA Security 1st-re-CCA Security 26
27 27 Proposed PRE Scheme
28 Introduction of Our Scheme Construction based on IND-CCA secure PKE scheme from CT-RSA 10 (Lai, Deng, Liu, and Kou) IND-CCA secure PKE scheme from PKC 07 (Kiltz) Properties 2nd-level-CCA 1st-ori-CCA 1st-re-CCA w/o Random Oracle Using bilinear maps 28 Presenter Logo
29 The Proposed Scheme (1/2) Setup(1 λ ): PP=(p,G,G T,g,g 1,h,u,v,d,u 1,v 1,d 1,e,H, TCR, TCR ). KGen: pk = (g x, g 1 x 2, g y ),sk = (x, y) ReKey(sk i,pk j ): rk i j = g 1 x 2 j /x i 29 Presenter Logo
30 The Proposed Scheme (2/2) Enc 2 (pk i,m): ReEnc : Check the validity of Compute CT i = (C 1,C 2,C 3,C 4,C 5 ), where C 1 = pk r i1,c 2 = h r,c 3 = e(g, g 1 ) r m,t = H(C 2,C 3 ), C 4 = (u t v s d),c 5 = s. (rk i j, pk i,ct i ) CT i CT j = (A, B,C),where C 6 = C R 1,C 7 = pk R i1,c 8 = rk 1/R i j,c T = C 2 C 3... C 8 A = g r t, t = TCR(A), B = (pk i,3 C SYM.Enc(H(pk r i,3 ),C T ) h) r, 30 Presenter Logo
31 Security of Our Scheme Theorem 1 Our scheme meets the 2nd-level-CCA security, assuming the hash function H is target collision resistant, the 6-AmDBDH assumption holds in groups (G, G T ), and the 2-AmCDH problem is hard. Theorem 2 Our scheme meets the 1st-ori-CCA and the 1st-re-CCA security, assuming the hash function TCR is target collision resistant, the GHDH problem is hard, and SYM is CCA-secure. 31 Presenter Logo
32 32 Concluding Remarks
33 Concluding Remarks We have present a CCA security definition for unidirectional, single-hop PRE Extended from previous works New PRE scheme with this security 33 Presenter Logo
34 Solving BDD by Enumeration: An Update Mingjie Liu 1, Phong Q.Nguyen 2 1 BICMR, Peking University and Tsinghua University 2 INRIA and Tsinghua University CT-RSA 2013
35 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion
36 BDD: Why Is Important Lattice is a discrete additive subgroup of R m BDD: Bounded Distance Decoding, a basic lattice problem, a special case of CVP (closest vector problem), the target vector very close to lattice
37 BDD: Why Is Important Lattice is a discrete additive subgroup of R m BDD: Bounded Distance Decoding, a basic lattice problem, a special case of CVP (closest vector problem), the target vector very close to lattice
38 BDD: Why Is Important Lattice is a discrete additive subgroup of R m BDD: Bounded Distance Decoding, a basic lattice problem, a special case of CVP (closest vector problem), the target vector very close to lattice t v
39 Lattice in Crypto Applications to cryptanalysis Lattice based schemes:ntru, GGH etc Non-lattice based schemes: knapsack, RSA, DSA, etc Cryptography Applications: hashing, encryption, signatures, identification, FHE, oblivious transfer, etc Crypto Functions Abstract Properties Average-case Problem: LWE, SIS
40 BDD: Why Is Important The security of most lattice-based encryption schemes relies on the hardness of BDD, such as LWE (Learning with error): one of the two average-case problems most of the provably-secure lattice-based constructions are based on Hidden number problem(hnp) DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5, What is the best algorithm for BDD?
41 Previous Work Babai s NearestPlane algorithm, Babai, 1985 NearestPlanes algorithm, Lindner and Peikert, 2011 Claimed that this was the best attack known on Search-LWE Embedding method, Kannan 1987 Heuristically reduces BDD to the unique-shortest vector problem The largest BDD cryptanalytic instances ever solved in practice using this method
42 Our Work Rephrasing NearestPlanes algorithm in the pruned-enumeration framework of Gama-Nguyen-Regev (GNR) Present a simple randomized variant. In the case of LWE, significantly better than the Lindner-Peikert attack the speedup can be as big as NPs Radom-NPs
43 Our Work Consider GNR pruned-enumeration algorithms to solve BDD: Provides even better attacks on Search-LWE The method of choice in practice for the general BDD case. Recover the DSA secret key from 2 3 least significant bits with 100 instances Lattice version of Bleichenbacher s celebrated chosen ciphertext attack [Ble98] on RSA-PKCS#1.5 encryption version 1.5, 1024bit, 80 dimension (Babai algorithm) 65 dimesion (Enumeration with pruning) GGH: the first partial secret-key recovery in dimensions and re-solved the 350-dimensional message-recovery challenge using much weaker lattice reduction
44 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion
45 BDD Problem Bounded Distance Decoding (BDD): Given a lattice and a target vector unusually close to the lattice, to find the closest lattice vector to the target What is the best algorithm for solving BDD in practice? Several parameters impact the answer, e.g. the dimension, the size and shape of the error.
46 LWE problem Search: find s Z n q, given noisy random inner product a 1, b 1 = a 1, s + e 1 mod q a 2, b 2 = a 2, s + e 2 mod q. Uniform a i Z n q, Gaussian error e i LWE is a BDD instance for the lattice Λ q (A) = {y Z m : y = sa mod q for s Z n q}
47 LWE problem Search: find s Z n q, given noisy random inner product a 1, b 1 a 2, b 2 a 3, b 3 Uniform a i Z n q, Gaussian error e i LWE is a BDD instance for the lattice Λ q (A) = {y Z m : y = sa mod q for s Z n q}
48 LWE problem Search: find s Z n q, given noisy random inner product.. m A t, b = A t s + e.. Uniform a i Z n q, Gaussian error e i LWE is a BDD instance for the lattice Λ q (A) = {y Z m : y = sa mod q for s Z n q}
49 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1
50 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1
51 αt 1 u 1 αt 2 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5
52 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2
53 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2 αt 3 u 3
54 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2 αt 3 u 3 u 4 αt 4
55 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt 1 u 1 αt 2 u 2 αt 3 u 3 αt 5 u 5 u 4 αt 4
56 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt d αt 1 u 1 αt 2 u 2 u d... αt 3 u 3 αt 5 u 5 u 4 αt 4
57 HNP Problem: Hidden Number Problem Recover α Z q, given u i = APP l,q (αt i ), 1 i d where APP l,q (n) denotes any rational number r satisfying n r q q, 2 l+1 z q = min b Z z bq Example: DSA with partially known nonces, chosen ciphertext attack on RSA-PKCS#1 encryption version 1.5 αt d αt 1 u 1 αt 2 u 2... u d α αt 3 u 3 αt 5 u 5 u 4 αt 4
58 HNP Problem Can be reduced to :BDD problem in a d + 1-dimensional lattice target vectorµu = (u 1, u 2,..., u d, 0) q q q 0 1 t 1 t d 2 l+1 There exists a lattice vector h = (αt 1 + qh 1,..., αt d + qh d, α 2 l+1 ), such that h u d + 1 q 2 l+1 (1)
59 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion
60 Babai s NearestPlane Algorithm Gram-schmidt orthogonalization: Give n linearly independent vetors, GS constructs n orthogonal vectors span the same subspaces. b i = π i (b i ), where π i : orthogonal projection over span (b 1, b 2,..., b i 1 ) 1(B) 2(B) m-k+1(b) m(b)
61 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 2 b 1
62 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 2 * b 2 b 1
63 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 2 * b 2 b 1
64 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 1 b 2
65 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 2 * b 1 b 2
66 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 2 * b 1 b 2
67 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 b 2 * b 1 t b 2
68 Babai s NearestPlane Algorithm Babai s algorithm outputs a lattice vector v relatively close to the input target vector t. v is the unique lattice vector such that v t P 1/2 (B ) = { m i=1 x ib i : 1 2 < x i 1 2 } ξ i(v t) b i /2 where ξ i (x) denotes the i-th coordinate of x in the normalized Gram-Schmidt basis (b 1 / b 1,..., b m/ b m ). b 1 b 2 * b 2 v b 2 * b 1 v t b 2
69 Babai s Nearest Plane Algorithm The algorithm success error vector in P 1/2 (B ) When the error distribution is Gaussian with standard deviation s/ 2π, the success probability ( m i=1 erf b i ) π 2s
70 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. b 3 * b3 b 2 b 1
71 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. b 3 * b 3 * b3 b 2 b 1
72 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. t b 3 * b 3 * b3 b 2 b 1
73 Babai s NearestPlane Algorithm Split the m-dimensional lattice as m 1-dimensional hyperplane Σ m 1 i=1 x ib i + kb m, project the target vector to the nearest one. Then solve the (m 1)-dimensional case. t b 3 * b 3 * t b3 b 2 b 1
74 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion
75 The NearestPlanes Algorithm Choose d i 1 distinct planes in the i-th level These generalizations make P 1/2 (B ) wider in the direction of b i by a factor of d i Output a set of Πd i distinct lattice vectors in L(B), v t P 1/2 (DB ) where D is diagonal matrix with (d 1, d 2,..., d m ). ξ i (v t) d i b i /2 The success probability is m i=1 erf ( di b i π 2s Lindner and Peikert[LP11]: their algorithm is better for most parameters and success probability than the distinguisher of Micciancio and Regev[MR08] for LWE. ).
76 The NearestPlanes Algorithm b 3 * b3 b 2 b 1
77 The NearestPlanes Algorithm b 3 * b 3 * b3 b 2 b 1
78 The NearestPlanes Algorithm t b 3 * b 3 * b3 b 2 b 1
79 The NearestPlanes Algorithm t 1 t b 3 * b 3 * b3 b 2 b 1
80 The NearestPlanes Algorithm t 1 t b 3 * b 3 * t 2 b3 b 2 b 1
81 The NearestPlanes Algorithm t 1 t b 3 * b 3 * t 2 b3 b 2 t 3 b 1
82 The NearestPlanes Algorithm b 2 b 1
83 The NearestPlanes Algorithm t b 2 b 1
84 The NearestPlanes Algorithm v1 t b 2 b 1
85 The NearestPlanes Algorithm v 2 v1 t b 2 b 1
86 The NearestPlanes Algorithm v 2 v1 t b 2 v 3 b 1
87 The NearestPlanes Algorithm v 4 v 2 v1 t b 2 v 3 b 1
88 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion
89 Lattice Enumeration for CVP Both Babai s algorithm and NearestPlanes algorithm can be viewed as a pruned enumeration: ξ i (v t) b i /2 Vs ξ i(v t) d i b i /2 Outline of enumeration Step 1: Basis reduction Step 2: Enumerate all lattice vector v, v t R by project lattice. R is the expected length of error vector. Target vector t = Σ m i=1 t ib i, v = Σ m i=1 v ib i. π i (v t) R, i = 1,..., m π m (v t) R = v m (t m R b m, t m + R b m ) For each value of v m, π m 1 (v t) R implies that the integer v m 1 belongs to an interval of /small0length
90 Lattice Enumeration for CVP v m v m m (v-t) m (v-t) v m-1 v m-1 v m-1 v m-1 v m-1... m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) v m-2 v m-2 m-2 (v-t) m-2 (v-t)... v v v
91 Prunned Technique First proposed by Schnorr and Euchner 1994 First rigorous analysis: Gama, Nguyen, Regev, 2010 Cutting down branches to decrease the complexity at the cost of losing the solution. The success probability should be considered.
92 Prunned Technique Replace each inequality π m k+1 (v t) R by π m k+1 (v t) R k for each index k, where 0 < R 1 R 2 R m R. k Linear pruning R k = m R. Choosing the optimal bounding function is very helpful for finding the solution. Take dimension 3 as a example, the search range from a ball to a x1 2 R2 3 cylinder x1 2 + x2 2 R2 2 x1 2 + x2 2 + x2 3 R2 1 Algorithm Repeat the following: 1. Generate a reduced basis 2. Do pruned enumeration
93 Prunned Technique v m v m m (v-t) m (v-t) v m-1 v m-1 v m-1 v m-1 v m-1... m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) v m-2 v m-2 m-2 (v-t) m-2 (v-t)... v v v
94 Prunned Technique v m v m m (v-t) m (v-t) v m-1 v m-1 v m-1 v m-1 v m-1... m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) m-1 (v-t) v m-2 v m-2 m-2 (v-t) m-2 (v-t)... v v v
95 Complexity of Enumeration The complexity of enumeration is, up to a polynomial factor, the number of lattice points in all projected lattices inside the enumeration range. By the Gaussian heuristic, this number should be Full enumeration : Σ 1 k m v k (R)/vol(π m k+1 (L)), where v k (R) is the volume of the k-dim ball of radius R. Pruning technique: Σ 1 k m vol(c R1,R 2,...,R k )/vol(π m k+1 (L)), where C R1,R 2,...,R k = {(x 1, x 2,..., x k ) R k, j k, j l=1 x2 l R 2 j }. Total cost = T redu+t Enum p succ (R 1,...,R m ) where T Redu is the basis reduction time, T Enum is the time for enumerating
96 Randomizing the NearestPlanes Algorithm Similar to pruning, we randomize the Nearestplanes algorithm by repeating several times the basic algorithm with different randomized reduced bases The numerical data from [LP11] is far from optimal:the running times of basis reduction and enumeration are not totally balanced
97 Numerical Comparison Our algorithm can get a better trade off. In the LWE parameters [LP11] consider, the comparison is following NearestPlanes Randomized-NP Log n q s δ red enum Cost δ red enum pro Cost Speedup
98 Numerical Comparison Our algorithm can get a better trade off. In the LWE parameters [LP11] consider, the comparison is following 200 NPs Radom-NPs
99 Outline Motivation Algorithm for BDD BDD Problem Babai NearestPlane Algorithm Lindner-Peikert s NearestPlanes Algorithm Revisited Solving BDD by (GNR) Pruned Enumeration Randomizing the NearestPlanes Algorithm GNR Pruned Enumeration to BDD Conclusion
100 Adapt Enumeration with Pruning to BDD Further improvement can be obtained by Pruned enumeration Previous: best algorithm for BDD is embedding method, our experiments show pruned enumeration performs better For SVP, the shortest vector is assumed uniformly distribute in the ball with radius R-expected length. For BDD, the shape of error affects the success probability, which make a theoretical analysis difficult. So compute this probability experimentally (by sampling) is essential
101 Application to LWE Bounding function: Linear, search R 2 = c expected length of error 2 Randomized-NP Linear Pruning Log n q s δ red enum pro Cost δ red enum pro f-redius Cost Speedup
102 Application to LWE Bounding function: Linear, search R 2 = c expected length of error NPs Linear-Pruning
103 Application to GGH Key recovery challenge: m BDD-instance with error vector chosen uniformly at random from [ 4,..., +3] m Dimension BKZ blocksize Bounding function linear linear linear optimized Estimated Nb of Nodes Average Nb of Nodes Success probability Nb of Success Table 1: Key-recovery for GGH Challenges
104 Application to GGH Message recovery challenge: In 1999 Nguyen showed it can be reduce to a BDD instance with error in { 1 2, 1 2 }m. Using the embedding method and BKZ 20 basis, he solved dimension 200,250 and 300 instances. For dimension 350, pruned-bkz with blocksize 60 is required. For dimension 350, we do enumerate with pruning to recover 350-dimension message A bounding function according to the error distribution. R 2 k = min{e(x k) + 3D(X k ), 1}R 2 m, E(X k ) = k m, D(X k) = Success probability 92% BKZ-20 basis Time: s in a single 3-Ghz Intel-Core2 core k(m k) m 2 ( m 2 +1).
105 Application to DSA Each DSA signature generation require the use of a one-time key k modulo q, where q is usually a 160-bit prime number. In 2002, Nguyen and Shparlinski showed that disclosing l bits of each one-time key k for several (message,signature) pair to recover the DSA secret key is a HNP problem = BDD instance They used embedding method to recover the DSA secret key in a few hours, given the l = 3 least significant bits of each one-time key for about 100 signatures, but the attack failed for l = 2. Enumeration with pruning: using BKZ-90 reduction[cn11] and linear pruning, l = 2 case, given about 100 signatures, 4185 seconds, success probability 23%
106 Application to DSA Choose the enumeration radius Here, the x-coordinate is the ratio between the (squared) enumeration radius and the (squared) expected length the error vector. The y-coordinate is log 2 (Number of enumeration nodes/success probability) 35.2 Total Cost Figure 1: Total cost for DSA
107 Conclusion Our work shows that any security estimate of BDD-based cryptosystems must take into account enumeration attacks NearestPlanes BDD algorithm [LP11] does not seem to offer any practical advantage over GNR pruning [GNR10], despite having appeared later. BDD enumeration can be practical even in high dimension like 350
108 Thank you for your attention!
Solving BDD by Enumeration: An Update
Solving BDD by Enumeration: An Update Mingjie Liu, Phong Q. Nguyen To cite this version: Mingjie Liu, Phong Q. Nguyen. Solving BDD by Enumeration: An Update. Ed Dawson. CT-RSA 2013 - The Cryptographers
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationRing-LWE security in the case of FHE
Chair of Naval Cyber Defense 5 July 2016 Workshop HEAT Paris Why worry? Which algorithm performs best depends on the concrete parameters considered. For small n, DEC may be favourable. For large n, BKW
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationEnumeration. Phong Nguyễn
Enumeration Phong Nguyễn http://www.di.ens.fr/~pnguyen March 2017 References Joint work with: Yoshinori Aono, published at EUROCRYPT 2017: «Random Sampling Revisited: Lattice Enumeration with Discrete
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationHidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *
2017 2nd International Conference on Artificial Intelligence: Techniques and Applications (AITA 2017) ISBN: 978-1-60595-491-2 Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV * DCS
More informationA Digital Signature Scheme based on CVP
A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au
More informationOn the Asymptotic Complexity of Solving LWE
On the Asymptotic Complexity of Solving LWE Gottfried Herold, Elena Kirshanova, and Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr University Bochum, Germany elena.kirshanova@rub.de
More informationBKZ 2.0: Better Lattice Security Estimates
BKZ 2.0: Better Lattice Security Estimates Yuanmi Chen and Phong Q. Nguyen 1 ENS, Dept. Informatique, 45 rue d Ulm, 75005 Paris, France. http://www.eleves.ens.fr/home/ychen/ 2 INRIA and ENS, Dept. Informatique,
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More information2 cryptology was immediately understood, and they were used to break schemes based on the knapsack problem (see [99, 23]), which were early alternativ
Corrected version of Algorithmic Number Theory { Proceedings of ANTS-IV (July 3{7, 2000, Leiden, Netherlands) W. Bosma (Ed.), vol.???? of Lecture Notes in Computer Science, pages???{??? cspringer-verlag
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationGauss Sieve on GPUs. Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1
Gauss Sieve on GPUs Shang-Yi Yang 1, Po-Chun Kuo 1, Bo-Yin Yang 2, and Chen-Mou Cheng 1 1 Department of Electrical Engineering, National Taiwan University, Taipei, Taiwan {ilway25,kbj,doug}@crypto.tw 2
More informationComputers and Mathematics with Applications
Computers and Mathematics with Applications 61 (2011) 1261 1265 Contents lists available at ScienceDirect Computers and Mathematics with Applications journal homepage: wwwelseviercom/locate/camwa Cryptanalysis
More informationTrapdoors for Lattices: Simpler, Tighter, Faster, Smaller
Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller Daniele Micciancio 1 Chris Peikert 2 1 UC San Diego 2 Georgia Tech April 2012 1 / 16 Lattice-Based Cryptography y = g x mod p m e mod N e(g a,
More informationLattice Reduction of Modular, Convolution, and NTRU Lattices
Summer School on Computational Number Theory and Applications to Cryptography Laramie, Wyoming, June 19 July 7, 2006 Lattice Reduction of Modular, Convolution, and NTRU Lattices Project suggested by Joe
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationGentry IBE Paper Reading
Gentry IBE Paper Reading Y. Jiang 1 1 University of Wollongong September 5, 2014 Literature Craig Gentry. Practical Identity-Based Encryption Without Random Oracles. Advances in Cryptology - EUROCRYPT
More informationA Strong Identity Based Key-Insulated Cryptosystem
A Strong Identity Based Key-Insulated Cryptosystem Jin Li 1, Fangguo Zhang 2,3, and Yanming Wang 1,4 1 School of Mathematics and Computational Science, Sun Yat-sen University, Guangzhou, 510275, P.R.China
More informationOn the Bit Security of Elliptic Curve Diffie Hellman
On the Bit Security of Elliptic Curve Diffie Hellman Barak Shani Department of Mathematics, University of Auckland, New Zealand Abstract This paper gives the first bit security result for the elliptic
More informationAn Efficient Lattice-based Secret Sharing Construction
An Efficient Lattice-based Secret Sharing Construction Rachid El Bansarkhani 1 and Mohammed Meziani 2 1 Technische Universität Darmstadt Fachbereich Informatik Kryptographie und Computeralgebra, Hochschulstraße
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationPredicting Lattice Reduction
Predicting Lattice Reduction Nicolas Gama and Phong Q. Nguyen École normale supérieure/cnrs/inria, 45 rue d Ulm, 75005 Paris, France nicolas.gama@ens.fr http://www.di.ens.fr/~pnguyen Abstract. Despite
More informationCSC 2414 Lattices in Computer Science September 27, Lecture 4. An Efficient Algorithm for Integer Programming in constant dimensions
CSC 2414 Lattices in Computer Science September 27, 2011 Lecture 4 Lecturer: Vinod Vaikuntanathan Scribe: Wesley George Topics covered this lecture: SV P CV P Approximating CVP: Babai s Nearest Plane Algorithm
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationCryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationLecture 5: CVP and Babai s Algorithm
NYU, Fall 2016 Lattices Mini Course Lecture 5: CVP and Babai s Algorithm Lecturer: Noah Stephens-Davidowitz 51 The Closest Vector Problem 511 Inhomogeneous linear equations Recall that, in our first lecture,
More informationSieving for Shortest Vectors in Ideal Lattices:
Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective Joppe W. Bos Microsoft Research LACAL@RISC Seminar on Cryptologic Algorithms CWI, Amsterdam, Netherlands Joint work with Michael
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationLattice Reduction Algorithms: Theory and Practice
Lattice Reduction Algorithms: Theory and Practice Phong Q. Nguyen INRIA and ENS, Département d informatique, 45 rue d Ulm, 75005 Paris, France http://www.di.ens.fr/~pnguyen/ Abstract. Lattice reduction
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem. Vadim Lyubashevsky Daniele Micciancio
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio Lattices Lattice: A discrete additive subgroup of R n Lattices Basis: A set
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationAdapting Density Attacks to Low-Weight Knapsacks
Adapting Density Attacks to Low-Weight Knapsacks Phong Q. Nguy ên 1 and Jacques Stern 2 1 CNRS & École normale supérieure, DI, 45 rue d Ulm, 75005 Paris, France. Phong.Nguyen@di.ens.fr http://www.di.ens.fr/
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem IMI Cryptography Seminar 28 th June, 2016 Speaker* : Momonari Kuo Grauate School of Mathematics, Kyushu University * This work is a
More informationA Note on the Density of the Multiple Subset Sum Problems
A Note on the Density of the Multiple Subset Sum Problems Yanbin Pan and Feng Zhang Key Laboratory of Mathematics Mechanization, Academy of Mathematics and Systems Science, Chinese Academy of Sciences,
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationCOS 598D - Lattices. scribe: Srdjan Krstic
COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific
More informationOrthogonalized Lattice Enumeration for Solving SVP
Orthogonalized Lattice Enumeration for Solving SVP Zhongxiang Zheng 1, Xiaoyun Wang 2, Guangwu Xu 3, Yang Yu 1 1 Department of Computer Science and Technology,Tsinghua University, Beijing 100084, China,
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationFrom Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited
From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationShortest Vector Problem (1982; Lenstra, Lenstra, Lovasz)
Shortest Vector Problem (1982; Lenstra, Lenstra, Lovasz) Daniele Micciancio, University of California at San Diego, www.cs.ucsd.edu/ daniele entry editor: Sanjeev Khanna INDEX TERMS: Point lattices. Algorithmic
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationCSE 206A: Lattice Algorithms and Applications Spring Basis Reduction. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basis Reduction Instructor: Daniele Micciancio UCSD CSE No efficient algorithm is known to find the shortest vector in a lattice (in arbitrary
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationSolving the Shortest Lattice Vector Problem in Time n
Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, 69364 Lyon Cedex 07, France CNRS,
More informationOn the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups
On the Impossibility of Constructing Efficient KEMs and Programmable Hash Functions in Prime Order Groups Goichiro Hanaoka, Takahiro Matsuda, Jacob C.N. Schuldt Research Institute for Secure Systems (RISEC)
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLattice Reduction Attacks on HE Schemes. Martin R. Albrecht 15/03/2018
Lattice Reduction Attacks on HE Schemes Martin R. Albrecht 15/03/2018 Learning with Errors The Learning with Errors (LWE) problem was defined by Oded Regev. 1 Given (A, c) with uniform A Z m n q, uniform
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem Royal Holloway an Kyushu University Workshop on Lattice-base cryptography 7 th September, 2016 Momonari Kuo Grauate School of Mathematics,
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationPractice Exam Winter 2018, CS 485/585 Crypto March 14, 2018
Practice Exam Name: Winter 2018, CS 485/585 Crypto March 14, 2018 Portland State University Prof. Fang Song Instructions This exam contains 8 pages (including this cover page) and 5 questions. Total of
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationTitanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality
Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality Ron Steinfeld, Amin Sakzad, Raymond K. Zhao Monash University ron.steinfeld@monash.edu Ron Steinfeld
More informationLearning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures
A preliminary version appeared in the Proceedings of EUROCRYPT 06 Learning a Parallelepiped: Cryptanalysis of GGH and NTRU Signatures Phong Q. Nguyen 1 and Oded Regev 2 1 CNRS & École normale supérieure,
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationCSE 206A: Lattice Algorithms and Applications Spring Basic Algorithms. Instructor: Daniele Micciancio
CSE 206A: Lattice Algorithms and Applications Spring 2014 Basic Algorithms Instructor: Daniele Micciancio UCSD CSE We have already seen an algorithm to compute the Gram-Schmidt orthogonalization of a lattice
More information