Part 2 LWE-based cryptography
|
|
- Bernard Greer
- 5 years ago
- Views:
Transcription
1 Part 2 LWE-based cryptography Douglas Stebila SAC Summer School Université d'ottawa August 14, Funding acknowledgements:
2 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 2 Post-quantum crypto Classical crypto with no known exponential quantum speedup Hash-based Code-based Multivariate Latticebased Isogenies Merkle signatures Sphincs McEliece Niederreiter multivariate quadratic NTRU learning with errors ring-lwe supersingular elliptic curve isogenies
3 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 3 Quantum-safe crypto Classical post-quantum crypto Quantum crypto Quantum key distribution Hash-based Merkle signatures Sphincs Code-based McEliece Niederreiter Multivariate multivariate quadratic Latticebased NTRU learning with errors ring-lwe Isogenies supersingular elliptic curve isogenies Quantum random number generators Quantum channels Quantum blind computation
4 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 4 Today's agenda 1. Quantum computing and its impact on cryptography (Mosca) 2. LWE-based cryptography (Stebila) 3. Isogeny-based cryptography (Jao) 4. Additional topics Security models for post-quantum cryptography (Jao) Applications (Stebila) Topics excluded: Code-based cryptography Hash-based signatures Multivariate cryptography
5 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 5 Learning with errors problems
6 Linear system problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 6 Solving systems of linear equations Z secret Z = Z
7 Linear system problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 7 Solving systems of linear equations Z secret Z = Z
8 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 8 Learning with errors problem random secret small noise Z Z Z Z =
9 Search LWE problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 9 Learning with errors problem random secret small noise Z Z Z Z =
10 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 10 Search LWE problem Let n, m, and q be positive integers. Let s and e be distributions over Z. Let s $ n $ s. Let a i U(Z n $ q ), e i e, and set b i ha i, si + e i mod q, for i =1,...,m. The search LWE problem for (n, m, q, s, e) is to find s given (a i,b i ) m i=1. In particular, for algorithm A, define the advantage Adv lwe n,m,q, s, e (A) =Pr s $ n s ; a i $ U(Z n q ); e i $ b i ha i, s i i + e mod q : A((a i,b i ) m i=1) =s). e;
11 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 11 Decision learning with errors problem random secret small noise looks random Z Z Z Z = Decision LWE problem: given blue, distinguish green from random
12 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 12 Decision LWE problem Let n and q be positive integers. Let s and e be distributions over Z. Let s $ n s. Define the following two oracles: O e,s: a $ U(Z n q ), e $ e;return(a, ha, si + e mod q). U: a $ U(Z n q ), u $ U(Z q ); return (a,u). The decision LWE problem for (n, q, s, e) is to distinguish O,s from U. In particular, for algorithm A, define the advantage Adv dlwe n,q, s, e (A) = Pr(s $ Z n q : A O e,s () = 1) Pr(A U () = 1).
13 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 13 Choice of error distribution Usually a discrete Gaussian distribution of width s = q < 1 for error rate Define the Gaussian function s (x) =exp( kxk 2 /s 2 ) The continuous Gaussian distribution has probability density function Z f(x) = s (x)/ s (z)dz = s (x)/s n R n
14 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 14 Short secrets The secret distribution s was originally taken to be the uniform distribution Short secrets: use s = e There's a tight reduction showing that LWE with short secrets is hard if LWE with uniform secrets is hard
15 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 15 Toy example versus real-world example Z Z bits = 11 KiB
16 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 16 Ring learning with errors problem random Z Each row is the cyclic shift of the row above
17 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 17 Ring learning with errors problem random Z Each row is the cyclic shift of the row above with a special wrapping rule: x wraps to x mod 13.
18 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 18 Ring learning with errors problem random Z Each row is the cyclic shift of the row above with a special wrapping rule: x wraps to x mod 13. So I only need to tell you the first row.
19 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 19 Ring learning with errors problem 4 + 1x + 11x x 3 Z 13 [x]/hx 4 +1i random x + 11x x 3 0 1x + 1x 2 + 1x 3 secret small noise = x + 10x 2 + 7x 3
20 Search ring-lwe problem: given blue, find red SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 20 Ring learning with errors problem 4 + 1x + 11x x 3 Z 13 [x]/hx 4 +1i random secret + small noise = x + 10x 2 + 7x 3
21 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 21 Search ring-lwe problem Let R = Z[X]/hX n +1i, wheren is a power of 2. Let q be an integer, and define R q = R/qR, i.e.,r q = Z q [X]/hX n +1i. Let s and e be distributions over R q. Let s $ s. Let a $ U(R q ), e $ e, and set b as + e. The search ring-lwe problem for (n, q, s, e) is to find s given (a, b). In particular, for algorithm A define the advantage Adv rlwe n,q, s, e (A) =Pr s $ s; a $ U(R q ); e $ e; b as + e : A(a, b) =s.
22 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 22 Decision ring-lwe problem Let n and q be positive integers. Let s and e be distributions over R q. Let s $ s. Define the following two oracles: O e,s: a $ U(R q ), e $ e;return(a, as + e). U: a, u $ U(R q ); return (a, u). The decision ring-lwe problem for (n, q, s, e) is to distinguish O e,s from U. In particular, for algorithm A, define the advantage Adv drlwe n,q, s, e (A) = Pr(s $ R q : A O e,s () = 1) Pr(A U () = 1).
23 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 23 Problems Computational LWE problem Decision LWE problem with or without short secrets Computational ring-lwe problem Decision ring-lwe problem
24 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 24 Search-decision equivalence Easy fact: If the search LWE problem is easy, then the decision LWE problem is easy. Fact: If the decision LWE problem is easy, then the search LWE problem is easy. Requires nq calls to decision oracle Intuition: test the each value for the first component of the secret, then move on to the next one, and so on.
25 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 25 NTRU problem For an invertible s 2 R q and a distribution on R, define N s, to be the distribution that outputs e/s 2 R q where e $. The NTRU learning problem is: given independent samples a i 2 R q where every sample is distributed according to either: (1) N s, for some randomly chosen s 2 R q (fixed for all samples), or (2) the uniform distribution, distinguish which is the case.
26 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 26 "Lattice-based"
27 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 27 Hardness of decision LWE "lattice-based" worst-case gap shortest vector problem (GapSVP) poly-time [Regev05, BLPRS13] decision LWE
28 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 28 Lattices Let B = {b 1, b n } Z n n q be a set of linearly independent basis vectors for Z n q. Define the corresponding lattice ( n ) X L = L(B) = z i b i : z i 2 Z. (In other words, a lattice is a set of integer linear combinations.) i=1 Define the minimum distance of a lattice as 1(L) = min kvk. v2l\{0}
29 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 29 Shortest vector problem The shortest vector problem (SVP) is: given a basis B for some lattice L = L(B), find a shortest non-zero vector, i.e., find v 2 L such that kvk = 1 (L). The decision approximate shortest vector problem (GapSVP ) is: given a basis B for some lattice L = L(B) whereeither 1(L) apple 1 or 1(L) >, determine which is the case.
30 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 30 Regev's iterative reduction Theorem. [Reg05] For any modulus q apple 2 poly(n) and any discretized Gaussian error distribution of parameter q 2 p n where 0 < < 1, solving the decision LWE problem for (n, q, U, ) with at most m = poly(n) samples is at least as hard as quantumly solving GapSVP and SIVP on arbitrary n- dimensional lattices for some = Õ(n/ ). The polynomial-time reduction is extremely non-tight: approximately O(n 13 ). [Regev; STOC 2005]
31 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 31 Solving the (approximate) shortest vector problem The complexity of GapSVP depends heavily on how and n relate, and get harder for smaller. Algorithm Time Approx. factor LLL algorithm poly(n) (n log log n/ log n) 2 various 2 (n log n) poly(n) various 2 (n) time and space poly(n) Sch87 2 (n/k) 2 k p NP \ co-np n NP-hard n o(1) In cryptography, we tend to use n.
32 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 32 Picking parameters Estimate parameters based on runtime of lattice reduction algorithms. Based on reductions: Calculate required runtime for GapSVP or SVP based on tightness gaps and constraints in each reduction Pick parameters based on best known GapSVP or SVP solvers or known lower bounds Based on cryptanalysis: Ignore tightness in reductions. Pick parameters based on best known LWE solvers relying on lattice solvers.
33 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 33 Ring-LWE LWE Cyclic structure Z Þ Save communication, more efficient computation 4 KiB representation Z bits = 11 KiB
34 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 34 Why consider (slower, bigger) LWE? Generic vs. ideal lattices Ring-LWE matrices have additional structure Relies on hardness of a problem in ideal lattices LWE matrices have no additional structure Relies on hardness of a problem in generic lattices Currently, best algorithms for ideal lattice problems are essentially the same as for generic lattices Small constant factor improvement in some cases Very recent quantum polynomial time algorithm for Ideal-SVP ( but not immediately applicable to ring- LWE NTRU also relies on a problem in a type of ideal lattices If we want to eliminate this additional structure, can we still get an efficient protocol?
35 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 35 Public key encryption from LWE
36 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 36 Regev's public key encryption scheme Let n, m, q, be LWE parameters. KeyGen(): s $ Z n q. A $ Z m n q. e $ (Z m q ). b As + e. Return pk (A, b), sk s. Enc(pk, x 2 {0, 1}): s 0 $ {0, 1} m. b 0 s 0 A. v 0 hs 0, bi. c x encode(v 0 ). Return (b 0,c). Dec(sk, (b 0,c)): v hb 0, si. Returndecode(v). [Regev; STOC 2005]
37 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 37 Encode/decode encode(x 2 {0, 1}) j q x 2k ( decode(x 2 Z q ) 0, if x 2 [ 1, otherwise q 4, q 4 ) [Regev; STOC 2005]
38 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 38 Lindner Peikert public key encryption Let n, q, be LWE parameters. KeyGen(): s $ (Z n ). A $ Z n n q. e $ (Z n ). b As + e. Return pk (A, b) and sk s. Enc(pk, x 2 {0, 1}): s 0 $ (Z n ). e 0 $ (Z n ). b 0 s 0 A + e 0. e 00 $ ṽ 0 hs 0, bi + e 00. c encode(x)+ṽ 0.Returnctxt ( b 0,c). (Z). Dec(sk, ( b 0,c)): v h b 0, si. Returndecode(c v). [Lindner, Peikert; CT-RSA 2011]
39 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 39 Correctness Sender and receiver approximately compute the same shared secret s 0 As ṽ 0 = hs 0, bi + e 00 = s 0 (As + e)+e 00 = s 0 As + hs 0, ei + e 00 s 0 As v = h b 0, si =(s 0 A + e 0 )s = s 0 As + he 0, si s 0 As
40 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 40 Difference between Regev and Lindner Peikert Regev: Bob s public key is s 0 A where s 0 $ {0, 1} m Encryption mask is hs 0, bi Lindner Peikert: Bob s public key is s 0 A + e 0 where s 0 $ e Encryption mask is hs 0, bi + e 00 In Regev, Bob s public key is a subset sum instance. In Lindner Peikert, Bob s public key and encryption mask is just another LWE instance.
41 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 41 IND-CPA security of Lindner Peikert Indistinguishable against chosen plaintext attacks Theorem. If the decision LWE problem is hard, then Lindner Peikert is IND- CPA-secure. Let n, q, be LWE parameters. Let A be an algorithm. Then there exist algorithms B 1, B 2 such that Adv ind-cpa LP[n,q, ](A) apple Advdlwe n,q, (A B 1 )+Adv dlwe n,q, (A B 2 ) [Lindner, Peikert; CT-RSA 2011]
42 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 42 IND-CPA security of Lindner Peikert Game 0: Decision-LWE Game 1: Rewrite Game 2: 1: A $ U(Z n n q ) 2: s, e $ (Z n q ) 3: b As + e 4: s 0, e 0 $ (Z n q ) 5: b0 s 0 A + e 0 6: e 00 $ (Z q ) 7: ṽ 0 s 0 b + e 00 8: c 0 encode(0) + ṽ 0 9: c 1 encode(1) + ṽ 0 10: b $ U({0, 1}) 11: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0, e 0 $ (Z n q ) 4: b0 s 0 A + e 0 5: e 00 $ (Z q ) 6: ṽ 0 s 0 b + e 00 7: c 0 encode(0) + ṽ 0 8: c 1 encode(1) + ṽ 0 9: b $ U({0, 1}) 10: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0 $ 4: [e 0 ke 00 ] 5: (Z n q ) $ (Z n+1 q ) [ b 0 kṽ 0 ] s 0 [Ak b]+[e 0 ke 00 ] 6: c 0 encode(0) + ṽ 0 7: c 1 encode(1) + ṽ 0 8: b $ U({0, 1}) 9: return (A, b, b 0,c b ) [Lindner, Peikert; CT-RSA 2011]
43 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 43 IND-CPA security of Lindner Peikert Game 2: Decision-LWE Game 3: Rewrite Game 4: 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: s 0 $ 4: [e 0 ke 00 ] 5: (Z n q ) $ (Z n+1 q ) [ b 0 kṽ 0 ] s 0 [Ak b]+[e 0 ke 00 ] 6: c 0 encode(0) + ṽ 0 7: c 1 encode(1) + ṽ 0 8: b $ U({0, 1}) 9: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: [ b 0 kṽ 0 ] $ U(Z n+1 q ) 4: c 0 encode(0) + ṽ 0 5: c 1 encode(1) + ṽ 0 6: b $ U({0, 1}) 7: return (A, b, b 0,c b ) 1: A $ U(Z n n q ) 2: b $ U(Z n q ) 3: [ b 0 kṽ 0 ] $ U(Z n+1 q ) 4: b $ U({0, 1}) 5: return (A, b, b 0, ṽ 0 ) Independent of hidden bit [Lindner, Peikert; CT-RSA 2011]
44 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 44 Public key validation No public key validation possible in IND-CPA KEMs/PKEs from LWE/ring- LWE Key reuse in LWE/ring-LWE leads to real attacks following from searchdecision equivalence Comment in [Peikert, PQCrypto 2014] Attack described in [Fluhrer, Eprint 2016] Need to ensure usage is okay with just IND-CPA Or construct IND-CCA KEM/PKE using Fujisaki Okamoto transform or quantum-resistant variant [Targhi Unruh, TCC 2016] [Hofheinz et al., Eprint 2017]
45 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 45 Direct key agreement
46 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 46 LWE and ring-lwe public key encryption and key exchange Regev STOC 2005 Public key encryption from LWE Lyubashevsky, Peikert, Regev Eurocrypt 2010 Public key encryption from ring-lwe Lindner, Peikert eprint 2010, CT-RSA 2011 Public key encryption from LWE and ring-lwe Approximate key exchange from LWE Ding, Xie, Lin eprint 2012 Key exchange from LWE and ring-lwe with single-bit reconciliation Peikert PQCrypto 2014 Key encapsulation mechanism based on ring-lwe and variant single-bit reconciliation Bos, Costello, Naehrig, Stebila IEEE S&P 2015 Implementation of Peikert's ring-lwe key exchange, testing in TLS 1.2
47 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 47 Basic LWE key agreement (unauthenticated) Based on Lindner Peikert LWE public key encryption scheme Alice public: big A in Z q n x m Bob secret: random small s, e in Z q m b = As + e secret: random small s', e' in Z q n b' = s'a + e' shared secret: b's = s'as + e's s'as shared secret: s'b s'as These are only approximately equal need rounding
48 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 48 Rounding Each coefficient of the polynomial is an integer modulo q Treat each coefficient independently Techniques by Ding [Din12] and Peikert [Pei14] [Ding; eprint 2012] [Peikert; PQCrypto 2014]
49 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 49 Basic rounding Round either to 0 or q/2 Treat q/2 as 1 q/4 This works most of the time: prob. failure q/2 round to 1 round to 0 0 Not good enough: we need exact key agreement. 3q/4
50 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 50 Rounding (Peikert) Bob says which of two regions the value is in: or q/4 q/4 If q/2 0 q/2 0 3q/4 q/4 3q/4 If q/2 0 3q/4 [Peikert; PQCrypto 2014]
51 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 51 Rounding (Peikert) If alice bob q/8, then this always works. q/4 bob alice alice If q/2 0 alice 3q/4 Security not affected: revealing or leaks no information [Peikert; PQCrypto 2014]
52 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 52 Exact LWE key agreement (unauthenticated) Alice public: big A in Z q n x m Bob secret: random small s, e in Z q m b = As + e secret: random small s', e' in Z q n b' = s'a + e', or shared secret: round(b's) shared secret: round(s'b)
53 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 53 Exact ring-lwe key agreement (unauthenticated) Alice public: big a in R q = Z q [x]/(x n +1) Bob secret: random small s, e in R q b = a s + e secret: random small s, e in R q b = a s + e, or shared secret: round(s b ) shared secret: round(b s )
54 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 54 Exact LWE key agreement "Frodo" Uses two matrix forms of LWE: Public key is n x n matrix Shared secret is m x n matrix A generated pseudorandomly Secure if decision learning with errors problem is hard (and Gen is a random oracle). [Bos et al.; ACM CCS 2016]
55 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 55 Rounding Error distribution We extract 4 bits from each of the 64 matrix entries in the shared secret More granular form of Peikert s 400 rounding var. = Parameter sizes, rounding, and error distribution all found via search scripts. Close to discrete Gaussian in terms of Rényi divergence ( ) Only requires 12 bits of randomness to sample
56 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 56 Parameters Recommended All known variants of the sieving algorithm require a list of vectors to be created of this size Paranoid 144-bit classical security, 130-bit quantum security, 103-bit plausible lower bound n = 752, m = 8, q = 2 15 χ = approximation to rounded Gaussian with 11 elements Failure: Total communication: 22.6 KiB 177-bit classical security, 161-bit quantum security, 128-bit plausible lower bound n = 864, m = 8, q = 2 15 χ = approximation to rounded Gaussian with 13 elements Failure: Total communication: 25.9 KiB
57 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 57 Exact ring-lwe key agreement "BCNS15" [Bos, Costello, Naehrig, Stebila; IEEE S&P 2015]
58 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 58 Parameters 160-bit classical security, 80-bit quantum security n = 1024 q = χ = discrete Gaussian with parameter sigma = 8/sqrt(2π) Failure: Total communication: 8.1 KiB
59 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 59 Implementation aspect 1: Polynomial arithmetic Polynomial multiplication in R q = Z q [x]/(x ) done with Nussbaumer s FFT: If 2 m = rk, then R[X] hx 2m +1i = R[Z] hz r +1i [X] hx k Zi Rather than working modulo degree-1024 polynomial with coefficients in Z q, work modulo: degree-256 polynomial whose coefficients are themselves polynomials modulo a degree-4 polynomial, or degree-32 polynomials whose coefficients are polynomials modulo degree-8 polynomials whose coefficients are polynomials or
60 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 60 Implementation aspect 2: Sampling discrete Gaussians D Z, (x) = 1 S e x for x 2 Z, 3.2,S =8 Security proofs require small elements sampled within statistical distance of the true discrete Gaussian We use inversion sampling: precompute table of cumulative probabilities For us: 52 elements, size = bits Sampling each coefficient requires six 192-bit integer comparisons and there are 1024 coefficients for constant time
61 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 61 Sampling is expensive [Bos, Costello, Naehrig, Stebila; IEEE S&P 2015]
62 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 62 NewHope Alkim, Ducas, Pöppelman, Schwabe. USENIX Security 2016 New parameters Different error distribution Improved performance Pseudorandomly generated parameters Further performance improvements by others [GS16,LN16,AOPPS17, ]
63 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 63 Implementations Our implementations Ring-LWE BCNS15 LWE Frodo Pure C implementations Constant time Compare with others RSA 3072-bit (OpenSSL 1.0.1f) ECDH nistp256 (OpenSSL) Use assembly code Ring-LWE NewHope NTRU EES743EP1 SIDH (Isogenies) (MSR) Pure C implementations
64 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 64 Post-quantum key exchange performance Speed Communication RSA 3072-bit Fast 4 ms Small 0.3 KiB ECDH nistp256 Very fast 0.7 ms Very small 0.03 KiB Code-based Very fast 0.5 ms Very large 360 KiB NTRU Very fast ms Medium 1 KiB Ring-LWE Very fast ms Medium 2 4 KiB LWE Fast 1.4 ms Large 11 KiB SIDH Med. slow ms Small 0.5 KiB See [Bos, Costello, Ducas, Mironov, Naehrig, Nikolaenko, Raghunathan, Stebila, ACM CCS 2016] for details/methodology
65 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 65 Other applications of LWE
66 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 66 Fully homomorphic encryption from LWE KeyGen(): s $ (Z n q ) Enc(sk, µ 2 Z 2 ): Pick c 2 Z n q satisfies e µ mod 2. such that hs, ci = e mod q where e 2 Z Dec(sk, c): Compute hs, ci 2Z q, represent this as e 2 Z \ [ Return µ 0 e mod 2. q 2, q 2 ). [Brakerski, Vaikuntanathan; FOCS 2011]
67 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 67 Fully homomorphic encryption from LWE c 1 + c 2 encrypts µ 1 + µ 2 : hs, c 1 + c 2 i = hs, c 1 i + hs, c 2 i = e 1 + e 2 mod q Decryption will work as long as the error e 1 + e 2 remains below q/2. [Brakerski, Vaikuntanathan; FOCS 2011]
68 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 68 Fully homomorphic encryption from LWE Let c 1 c 2 =(c 1,i c 2,j ) i,j 2 Z n2 q be the tensor product (or Kronecker product). c 1 c 2 is the encryption of µ 1 µ 2 under secret key s s: hs s, c 1 c 2 i = hs, c 1 i hs, c 2 i = e 1 e 2 mod q Decryption will work as long as the error e 1 e 2 remains below q/2. [Brakerski, Vaikuntanathan; FOCS 2011]
69 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 69 Fully homomorphic encryption from LWE Error conditions mean that the number of additions and multiplications is limited. Multiplication increases the dimension (exponentially), so the number of multiplications is again limited. There are techniques to resolve both of these issues. Key switching allows converting the dimension of a ciphertext. Modulus switching and bootstrapping are used to deal with the error rate.
70 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 70 Digital signatures [Lyubashevsky 2011] KeyGen(): S $ { d,..., 0,...,d} m k, A $ Z n m q, T AS. Secret key: S; publickey:(a, T). Sign(S,µ): y $ m ; c H(Ay,µ); z Sc + y. With prob. p(z) output (z, c), else restart Sign. "Rejection sampling" Vfy((A, T),µ,(z, c)): Accept i kzk apple p m and c = H(Az Tc,µ) [Lyubashevsky; Eurocrypt 2012]
71 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 71 Post-quantum signature sizes Public key Signature RSA 3072-bit Small 0.3 KiB Small 0.3 KiB ECDSA nistp256 Very small 0.03 KiB Very small 0.03 KiB Hash-based (stateful) Small 0.9 KiB Medium 3.6 KiB Hash-based (stateless) Small 1 KiB Large 32 KiB Lattice-based (ignoring tightness) Lattice-based (respecting tightness) Medium KiB Medium 3 9 KiB Very large 1330 KiB Small 1.2 KiB SIDH Small KiB Very large KiB See [Bindel, Herath, McKague, Stebila PQCrypto 2017] for details
72 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 72 Summary
73 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 73 Summary LWE and ring-lwe problems Search, decision, short secrets Reduction from GapSVP to LWE Public key encryption from LWE Regev Lindner Peikert Key exchange from LWE / ring-lwe Other applications of LWE
74 SAC Summer School Post-Quantum Cryptography Part 2 LWE-based cryptography 74 More reading Post-Quantum Cryptography by Bernstein, Buchmann, Dahmen A Decade of Lattice Cryptography by Chris Peikert
Practical, Quantum-Secure Key Exchange from LWE
Practical, Quantum-Secure Key Exchange from LWE Douglas Stebila 4 th ETSI/IQC Workshop on Quantum-Safe Cryptography September 21, 2016 Acknowledgements Collaborators Joppe Bos Craig Costello and Michael
More informationPost-quantum key exchange based on Lattices
Post-quantum key exchange based on Lattices Joppe W. Bos Romanian Cryptology Days Conference Cybersecurity in a Post-quantum World September 20, 2017, Bucharest 1. NXP Semiconductors Operations in > 35
More informationPost-quantum key exchange for the Internet based on lattices
Post-quantum key exchange for the Internet based on lattices Craig Costello Talk at MSR India Bangalore, India December 21, 2016 Based on J. Bos, C. Costello, M. Naehrig, D. Stebila Post-Quantum Key Exchange
More informationFrom NewHope to Kyber. Peter Schwabe April 7, 2017
From NewHope to Kyber Peter Schwabe peter@cryptojedi.org https://cryptojedi.org April 7, 2017 In the past, people have said, maybe it s 50 years away, it s a dream, maybe it ll happen sometime. I used
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationLeakage of Signal function with reused keys in RLWE key exchange
Leakage of Signal function with reused keys in RLWE key exchange Jintai Ding 1, Saed Alsayigh 1, Saraswathy RV 1, Scott Fluhrer 2, and Xiaodong Lin 3 1 University of Cincinnati 2 Cisco Systems 3 Rutgers
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationFrodoKEM Learning With Errors Key Encapsulation. Algorithm Specifications And Supporting Documentation
FrodoKEM Learning With Errors Key Encapsulation Algorithm Specifications And Supporting Documentation Erdem Alkim Joppe W. Bos Léo Ducas Patrick Longa Ilya Mironov Michael Naehrig Valeria Nikolaenko Chris
More informationCRYSTALS Kyber and Dilithium. Peter Schwabe February 7, 2018
CRYSTALS Kyber and Dilithium Peter Schwabe peter@cryptojedi.org https://cryptojedi.org February 7, 2018 Crypto today 5 building blocks for a secure channel Symmetric crypto Block or stream cipher (e.g.,
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationImproved Parameters for the Ring-TESLA Digital Signature Scheme
Improved Parameters for the Ring-TESLA Digital Signature Scheme Arjun Chopra Abstract Akleylek et al. have proposed Ring-TESLA, a practical and efficient digital signature scheme based on the Ring Learning
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationhttps://www.microsoft.com/en-us/research/people/plonga/ Outline Motivation recap Isogeny-based cryptography The SIDH key exchange protocol The SIKE protocol Authenticated key exchange from supersingular
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationNewHope for ARM Cortex-M
for ARM Cortex-M Erdem Alkim 1, Philipp Jakubeit 2, Peter Schwabe 2 erdemalkim@gmail.com, phil.jakubeit@gmail.com, peter@cryptojedi.org 1 Ege University, Izmir, Turkey 2 Radboud University, Nijmegen, The
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationQuantum-resistant cryptography
Quantum-resistant cryptography Background: In quantum computers, states are represented as vectors in a Hilbert space. Quantum gates act on the space and allow us to manipulate quantum states with combination
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationA simple lattice based PKE scheme
DOI 10.1186/s40064-016-3300-4 RESEARCH Open Access A simple lattice based PKE scheme Limin Zhou 1*, Zhengming Hu 1 and Fengju Lv 2 *Correspondence: zhoulimin.s@163.com 1 Information Security Center, Beijing
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Asymmetric Crypto ECC RSA DSA Symmetric Crypto AES SHA2 SHA1... Combination of both
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationTighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model. Shuichi Katsumata (The University of Tokyo /AIST) Takashi Yamakawa (NTT)
1 Tighter Security Proofs for GPV-IBE in the Quantum Random Oracle Model (The University of Tokyo /AIST) *Pronounced as Shuichi Katsumata (The University of Tokyo /AIST) Shota Yamada (AIST) Takashi Yamakawa
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationJintai Ding*, Saraswathy RV. Lin Li, Jiqiang Liu
Comparison analysis and efficient implementation of reconciliation-based RLWE key exchange protocol Xinwei Gao Beijing Key Laboratory of Security and Privacy in Intelligent Transportation, Beijing Jiaotong
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationIntroduction to Quantum Safe Cryptography. ENISA September 2018
Introduction to Quantum Safe Cryptography ENISA September 2018 Introduction This talk will introduce the mathematical background of the most popular PQC primitives Code-based Lattice-based Multivariate
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationRecent Advances in Identity-based Encryption Pairing-free Constructions
Fields Institute Workshop on New Directions in Cryptography 1 Recent Advances in Identity-based Encryption Pairing-free Constructions Kenny Paterson kenny.paterson@rhul.ac.uk June 25th 2008 Fields Institute
More informationThe quantum threat to cryptography
The quantum threat to cryptography Ashley Montanaro School of Mathematics, University of Bristol 20 October 2016 Quantum computers University of Bristol IBM UCSB / Google University of Oxford Experimental
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationFault Attacks Against Lattice-Based Signatures
Fault Attacks Against Lattice-Based Signatures T. Espitau P-A. Fouque B. Gérard M. Tibouchi Lip6, Sorbonne Universités, Paris August 12, 2016 SAC 16 1 Towards postquantum cryptography Quantum computers
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationMarkku-Juhani O. Saarinen
Shorter Messages and Faster Post-Quantum Encryption with Round5 on Cortex M Markku-Juhani O. Saarinen S. Bhattacharya 1 O. Garcia-Morchon 1 R. Rietman 1 L. Tolhuizen 1 Z. Zhang 2 (1)
More informationA key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme
A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationOn Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem
On Bounded Distance Decoding, Unique Shortest Vectors, and the Minimum Distance Problem Vadim Lyubashevsky Daniele Micciancio To appear at Crypto 2009 Lattices Lattice: A discrete subgroup of R n Group
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationPractical CCA2-Secure and Masked Ring-LWE Implementation
Practical CCA2-Secure and Masked Ring-LWE Implementation Tobias Oder 1, Tobias Schneider 2, Thomas Pöppelmann 3, Tim Güneysu 1,4 1 Ruhr-University Bochum, 2 Université Catholique de Louvain, 3 Infineon
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationHow to validate the secret of a Ring Learning with Errors (RLWE) key
How to validate the secret of a Ring Learning with Errors (RLWE) key Jintai Ding 1, Saraswathy RV 1, Saed Alsayigh 1, and Crystal Clough 1 University of Cincinnati Abstract. We use the signal function
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More informationProving Hardness of LWE
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 22/2/2012 Proving Hardness of LWE Bar-Ilan University Dept. of Computer Science (based on [R05, J. of the ACM])
More informationAn improved compression technique for signatures based on learning with errors
An improved compression technique for signatures based on learning with errors Shi Bai and Steven D. Galbraith Department of Mathematics, University of Auckland. CT-RSA 2014 1 / 22 Outline Introduction
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationPublic Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy
Symmetric Cryptography Review Alice Bob Public Key x e K (x) y d K (y) x K K Instructor: Dr. Wei (Lisa) Li Department of Computer Science, GSU Two properties of symmetric (secret-key) crypto-systems: The
More informationTitanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality
Titanium: Post-Quantum Lattice-Based Public-Key Encryption balancing Security Risk and Practicality Ron Steinfeld, Amin Sakzad, Raymond K. Zhao Monash University ron.steinfeld@monash.edu Ron Steinfeld
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationKey Recovery for LWE in Polynomial Time
Key Recovery for LWE in Polynomial Time Kim Laine 1 and Kristin Lauter 2 1 Microsoft Research, USA kimlaine@microsoftcom 2 Microsoft Research, USA klauter@microsoftcom Abstract We discuss a higher dimensional
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationAn introduction to supersingular isogeny-based cryptography
An introduction to supersingular isogeny-based cryptography Craig Costello Summer School on Real-World Crypto and Privacy June 8, 2017 Šibenik, Croatia Towards quantum-resistant cryptosystems from supersingular
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationA Generic Attack on Lattice-based Schemes using Decryption Errors
A Generic Attack on Lattice-based Schemes using Decryption Errors with Application to ss-ntru-pke Qian Guo 1,2, Thomas Johansson 2, and Alexander Nilsson 2 1 Dept. of Informatics, University of Bergen,
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationSupersingular Isogeny Key Encapsulation
Supersingular Isogeny Key Encapsulation Presented by David Jao University of Waterloo and evolutionq, Inc. Full list of submitters: Reza Azarderakhsh, FAU Matt Campagna, Amazon Craig Costello, MSR Luca
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationRing-SIS and Ideal Lattices
Ring-SIS and Ideal Lattices Noah Stephens-Davidowitz (for Vinod Vaikuntanathan s class) 1 Recalling h A, and its inefficiency As we have seen, the SIS problem yields a very simple collision-resistant hash
More informationRing-LWE: Applications to cryptography and their efficient realization
Ring-LWE: Applications to cryptography and their efficient realization Sujoy Sinha Roy, Angshuman Karmakar, and Ingrid Verbauwhede ESAT/COSIC and iminds, KU Leuven Kasteelpark Arenberg 10, B-3001 Leuven-Heverlee,
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More information