© The British Computer Society 2018. All rights reserved. For permissions, please e-mail: [email protected] Advance Access publication on 11 June 2018 doi:10.1093/comjnl/bxy060 Klepto for Ring-LWE Encryption
1 2* DIANYAN XIAO AND YANG YU
1Institute for Advanced Study, Tsinghua University, Beijing 100084, China 2Department of Computer Science and Technology, Tsinghua University, Beijing 100084, China *Corresponding author: [email protected] Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018
Due to its great efficiency and quantum resistance, public key cryptography based on Ring-LWE problem has drawn much attention in recent years. A batch of cryptanalysis works provided ever-improved security estimations for various Ring-LWE schemes, but few works discussed the security of Ring-LWE cryptography from kleptographic aspect. In this paper, we show how to embed a backdoor into a classic Ring-LWE encryption scheme so that partial bits of the plain- text are leaked to the owner of the backdoor. By theoretical analysis and experimental obser- vations, we argue that the klepto Ring-LWE encryption scheme with such backdoor is feasible and practical.
Keywords: lattice-based cryptography; kleptography; public key encryption; ring learning with errors
Received 11 January 2018; revised 9 May 2018; editorial decision 11 May 2018 Handling editor: Albert Levi
1. INTRODUCTION and efficiency, Ring-LWE [10], an algebraic variant of LWE, Kleptography, introduced by Young and Yung [1–4], is the enjoys better popularity than usual LWE in practical applica- study of exploiting cryptographic backdoors to steal informa- tions. Moreover, Ring-LWE has been proved to be as hard as tion securely and subliminally. A typical klepto scheme is a certain worst-case problems over ideal lattices, and this provides black-box implementation whose output should be indistin- a firm theoretical grounding for the security of Ring-LWE guishable from that of the legitimate cryptosystem for anyone schemes. Therefore, Ring-LWE schemes seem to reach an ideal but the owner of the backdoor key. A klepto scheme can be balance between efficiency and security. designed to leak the message, the private key or the state of the With the upcoming post-quantum cryptography standardiza- pseudorandom number generator, and the attacker can decrypt tion by the NIST, it is pressing to provide a comprehensive the leaked information using his backdoor key. After the dra- cryptanalysis for lattice-based cryptosystems. From the mathem- matic revelations of Edward Snowden, the cryptographic atical and algorithmic aspects, people have developed various research community realized that kleptographic attack indeed attacks against lattice-based cryptosystems, such as lattice- had been deployed and likely used for worldwide surveillance, reduction attacks [11, 12] and combinatorial attacks [13, 14]. All which rekindled the interest in kleptography. these cryptanalysis results seem to form a somewhat systemati- With the threat that quantum computers pose to most of the cal methodology for estimating the security of lattice-based current cryptosystems, post-quantum cryptography has been cryptography. However, from the kleptographic aspect, there are gaining much attention in recent years. Due to the great per- only few results related to lattice schemes. In [15], the authors formance and strong security guarantee, lattice-based cryptog- discussed a class of possible backdoors for NewHope, a Ring- raphy is considered as a desirable quantum-safe alternative to LWE key exchange. As claimed in [15], their backdoors apply classical schemes based on integer factorization or discrete to fixed public parameter and can be prevented by the ‘nothing- logarithms. NTRU and LWE are two most widely used fam- up-my-sleeve’ process which is to choose the public parameter ilies of lattice-based cryptography. NTRU [5] is one of the as the hash of a common universal string. In a very recent paper earliest lattice-based schemes and has been standardized by [16], Kwant, Lange and Thissen targeted NTRU scheme [5]and IEEE. Through more than 20 years’ study, NTRU is believed proposed a klepto scheme with an ECC-based backdoor. Also, very efficient and secure. However, the security of classical they discussed the impact of the NTRU backdoor and counter- NTRU relies on heuristic arguments and provably secure measures against the klepto scheme. NTRU variants [6–8] are impractical. LWE (Learning With In this paper, we show how to modify a classic Ring-LWE Errors) was introduced by Regev in [9]. In terms of compactness encryption scheme into a klepto scheme. The backdoor we
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 KLEPTO FOR RING-LWE ENCRYPTION 1229 set is also based on Ring-LWE itself which makes the whole • C¢ computes using the attacker’s public encryption scheme accord with post-quantum setting. Our technical idea function E (and possibly other functions as well), con- is to ‘encode’ a polynomial of low degree but large coefficients tained within C¢. into a new polynomial of high degree but small coefficients. • The attacker’s private decryption function D is not Exploiting this idea, we are able to infect the Ring-LWE cipher- contained within C¢ and is known only by the attacker. text using a polynomial of small coefficients so that the infected • The output of C¢ agrees with the public specifications ciphertext can be translated into a backdoor ciphertext, and at of the output of C. At the same time, it contains pub- the same time the decryption would not be affected too much lished bits (of the plaintext or user’s secret key) which by this modification. By studying the backdoor theoretically and are easily derivable by the attacker but are otherwise experimentally, we claim that such a klepto scheme is practical. hidden. Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 The rest of this paper is organized as follows. After some • Furthermore, the output of C and C¢ are polynomially preliminaries in Section 2, we introduce our Ring-LWE indistinguishable to everyone (including those who encryption backdoor in Section 3. In Section 4, we analysis have access to the code of C¢) except the attacker. the impact and quality of our backdoor theoretically. In Section 5, we provide experimental results to check the qual- As explained in [16], the SETUP still works well in prac- ity of the backdoor. Finally, we conclude in Section 6. tice even if we use a relaxed Condition 5 in which the output of C and C¢ are only required to be fairly close rather than polynomially indistinguishable, because the end user does not 2. PRELIMINARIES know the code of C¢ and often does not know the distribution of the output of C exactly. We will follow the relaxed 2.1. Notations SETUP setting later.
For an integer q ³ 2, we identify q with [0, q)Ç. The ring that we will work with is a power-of-2 cyclotomic ring, i.e. =[]/(+ XXn 1) where n is a power of 2. Let n n-1 i 2.3. Gaussian measures qq=[]/(+) XX 1 . For any t = åi=0 tXi Î , we call n (¼tt01,,n- )Î the coefficient vector of t. We denote by We denote by D the discrete Gaussian distribution over t (resp. t ¥) the Euclidean (resp. ℓ¥) norm of the coeffi- s æ x2 ö cient vector of t. with deviation s.1 Let r ()=x expç- ÷, then the prob- s ç 2 ÷ A function fn()is negligible,if fn()= on (-c )for any con- èç 2s ø÷ stant c. Generally, we denote by negl(n) as a negligible function ability of x Î under Ds is Ds ()=xxrrss ()/( )where n with respect to n. We say that a probability is overwhelming if it rss()= åxÎr ()x . For =[]/(+ XX 1), let Ds, be is 1negl-(n). The notations log()· and ln()· represent the the distribution of v Î where each coefficient of v is base 2 and natural logarithms, respectively. sampled from Ds independently. We write zD↩ when the random variable z is sampled For > 0, let h ()= min {>sv 0∣åvÎr12/(p s )()£ from the distribution D, and denote by D()x the probability 1 + } that actually equals the so-called smoothing para- n of z = x.Forafinite domain E,letUE()be the uniform dis- meter of . Now we recall some basic properties of Gaussian. tribution over E. For two distributions D1, D2 over a same discrete domain E, their statistical distance is D()=DD12; 1 LEMMA 2.1 (Adapted from Lemma 3.3 in [17]). Let åxEÎ ∣∣Dx12()- Dx ().WesayD1 and D2 are statistically 2 =[]/(+ XXn 1) and Î(0, 1 ). Then h ()£ close with respect to n if D()DD12; is negligible. ln((+/))/ 2n 1 1 p.
LEMMA 2.2 (Lemma 1.5 in [18]). Let =[]/(+ XXn 1). 2.2. Kleptography æ1 - c2 ö Let c > 1 and C = c · expç ÷ < 1. Then The core of a klepto scheme is a SETUP (Secretly Embedded ç ÷ Pr (³ycnCs )£n. è 2 ø Trapdoor with Universal Protection) that was introduced by yD↩ s, Young and Yung in [1]. LEMMA 2.3 (Adapted from Lemma 10 in [19]). Let æ ö n 1 ÷ DEFINITION 2.1 (Adapted from Definition 1 in [1]). Let C be =[]/(+ XX 1) and Î ç0, ÷. For èç m + ø÷ a publicly known cryptosystem. A SETUP mechanism is an 21 z1,,¼Îzm and s ³()/hp 2 , we have algorithmic modification made to C to get C¢ such that
• The input of C¢ agrees with the public specifications of the input of C. 1Discrete Gaussian is sometimes defined by its width s = 2ps.
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 1230 D. XIAO AND Y. YU
fi ê q ù æ m m ö the coef cients of m back to either 0 or ê ú, whichever ç 2 ÷ ëê 2 ú Prç ååyzi i ³ 2ps t· zi ÷ is closest modulo q. yD↩ s, ç ÷ i è i=11¥ i= ø÷
1 + 2 For appropriate parameters, it can be shown (see [20]) that £ ··22tnp e e.-pt q 1 - re+- e21 e s ¥ would be less than with overwhelming probability. Notice that 4 In particular, the above probability is negligible for t =(w log n ). êq ù vusreees-=+-21 +ê úmqmod , ëê2 ú Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 thus we know that decryption is correct with overwhelming probability. 2.4. Ring-LWE Assuming the hardness of Ring-LWE, it follows that the
For s Î q and y a distribution over , the Ring-LWE dis- Ring-LWE encryption scheme is semantically secure and the tribution As,y is the distribution over qq´ obtained by ciphertext is pseudorandom, which was explained in [20]. sampling the pair (+aas,mod e q )where a ↩ U ()q and e ↩ y. The search Ring-LWE problem is to find s given arbitrarily many independent samples from As,y. The decision 3. THE BACKDOOR OF RING-LWE ENCRYPTION version is defined as follows: given some samples from As,y where s ↩ y and the same number of samples from In this section, we will propose a modified Ring-LWE encryption scheme with a backdoor using a SETUP that is U (´)qq, distinguish them with an advantage 1/( poly n). As shown in [10], for certain parameters and error distribu- based on a smaller Ring-LWE scheme. By setting different tion y, both search and decision Ring-LWE problems are as parameters, the klepto Ring-LWE scheme leaks a different hard as the worst-case approximate shortest vector problem proportion of the message to the third party owning the back- with polynomial factor over ideal lattices. Currently, it is door key. believed that Ring-LWE with proper parameters is against The klepto scheme is specified by two sets of parameters: subexponential quantum attacks. We refer to [10, 20] for the public one is ()nq,,s determining the Ring-LWE encryp- more details of Ring-LWE. tion scheme and the secret one is (nq¢¢¢,,,st) determining The Ring-LWE encryption scheme that we will discuss the Ring-LWE-based backdoor with parameter t for adjusting later was first described in [10]. The issues of parameter the proportion of leaked message. To make the backdoor selection and implementation details were well-studied in workable and compact, we set n¢ < n and t £/nn¢. n n¢ [21]. We denote by RLWEnq,,s the Ring-LWE encryption Let =[]/(+ XX 1) and ¢ =[]/(+) XX 1 where scheme specified by the tuple ()nq,,s where n is a power of n is a power of 2 and n¢ is a factor of n. We identify a poly- 2, q is the modulus,2 and s is the deviation of the discrete é 1 ù nomial and its coefficient vector. Let k =/nn¢, pq= ê ¢ k ú and Gaussian used as Ring-LWE error distribution. We may omit ê ú the subscripts when they are clear from the context. The ring d = 2t. Now we are to define two maps that will be used in n fi =[]/(+ XX 1) and the plaintext space is 2. We list encryption and decryption algorithms. The rst one is that below three main algorithms, i.e. key generation, encryption qext : ¢ p and decryption: q¢
(vv01¢¢,,,¼ vn¢¢- 1)(↦ vv01 ,,, ¼ vn- 1 ) , • RLWE-KeyGen: Choose a ↩ U()q and s, eD↩ s,. Let b =+Îas e q. The public key is the pair where ()vvik ik++-11 v ik k is the p-adic expansion of vi¢ for ()δab, q q, and the secret key is s Î . in=¼0, 1, , ¢ - 1. The second one is that • RLWE-Enc ()m : Choose r,,ee12↩ Ds ,. The cipher- text is qcom: 2 ¢d (¼)(vv,,, v↦ vv¢¢ ,,,¼ v¢ ) , æ ö 01n-¢ 1 01n - 1 êq ù ÷ ()=uv,,ç ar+++ e12 br e ê úm÷ δqq. èç ê2 ú ø÷ ë ú where (vviitt++-11 v i tt ) is the 2-adic expansion of vi¢ for in=¼0, 1, , ¢ - 1. It can be observed that qext extends a • RLWE-Dec ((uv, )): Calculate mvusq=- mod . polynomial in ¢ to a polynomial in of bounded infinity The coefficients of m can be recovered by rounding q¢ norm and qcom compresses the first tn¢ bits of a binary poly- nomial in into a polynomial in . Furthermore, it is 2In practice, the modulus q is usually chosen to be a number of special d property, such as a prime congruent to 1 modulo 2n, which leads to a faster worth noting that qext is injective and easy-to-invert, and so is ttnnn¢ - ¢ implementation. qcom restricted to {}´0, 1 0 .
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 KLEPTO FOR RING-LWE ENCRYPTION 1231
We also introduce a slightly modified Ring-LWE encryp- vus- tion, denoted by RLWE’nq,,,st, whose plaintext space is d. =+D-vussvu -D The key generation algorithm is exactly the same as that of êq ù =(re + e21 - e s )+Dvu -D s +ê úmqmod . RLWEnq,,s. The encryption and decryption algorithms are ëê2 ú listed as follows: æ 1 ö ç é ¢ ù÷ fi • ’ When the magnitude of pqç= ê k ú÷ is signi cantly less than q, RLWE -Enc ()m : Choose r,,ee12↩ Ds ,. The cipher- èç ê úø÷ q text is it would still hold that D-Dvusreees + +21 -¥ < 4 with a high probability in practice and thus the receiver
æ ö Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 ê q ù ÷ recovers the message correctly in this case. ()=uv,,ç ar+++ e12 br e ê úm÷ δqq. èç ëê2t ú ø÷ For the attacker, the decryption algorithm is shown as follows: • RLWE’-Dec((uv, )): Calculate mvusq=- mod . • The coefficients of m can be recovered by rounding Klepto-Dec((uv, )). ê q ù the coefficients of m back to a certain multiple of ê ú, (1) Calculate (uv,)=( u mod pv , mod p )and then ëê 2t ú whichever is closest modulo q. calculate uv¢¢, Î ¢ such that uu =(q ¢), q¢ ext vv =(qext ¢). fi Intuitively, the modi ed Ring-LWE scheme works well under (2) Run RLWE’,nq¢¢¢,,,st- Dec(( u¢¢ v )) and obtain a proper parameters like the original Ring-LWE scheme. Further middle term m¢ Î ¢d. discussion will be shown in next section. We now describe three (3) Calculate m Î{0, 1 }ttnnn¢ ´ 0 - ¢ such that m¢ = main algorithms of the klepto Ring-LWE scheme. qcom ()m . The leaked message is m. The public key generation algorithm is totally the same as that in Ring-LWE encryption. The kleptographic attacker The backdoor discussed in [15] targets a Ring-LWE key generated his backdoor Ring-LWE key pair ((ab¢¢,,) s¢) and exchange, while ours targets a Ring-LWE encryption scheme. picked⌊tn¢⌋ bits to locate the leaked message in secret and in More importantly, the backdoor in [15] modified the public advance. For simplicity, we will only discuss the case where parameter a as an NTRU-like public key f /g where f , g are t is a positive integer and the attacker targeted the first tn¢ small polynomials, while our backdoor is embedded in the 3 bits of the message. implementation of encryption and never changes the public The encryption algorithm is changed as follows: key. Indeed, the public key could be generated elsewhere and chosen to be the hash of a universal string, in which the back- • Klepto-Enc()m . door in [15] does not work. Compared with the NTRU klepto scheme [16], our klepto scheme is built on a totally different (1) Run RLWEnq,,s- Enc() m and obtain the ciphertext cryptosystem and our backdoor follows post-quantum setting ()δuv, qq. rather than ECC setting. Furthermore, the parameter selection (2) Run RLWE’nq¢¢¢,,,st- Enc(())q com m and obtain the and analysis of our backdoor are quite different from that in ciphertext (uv¢¢, )΢ ´ ¢ . qq¢¢ [16], which is shown in the next section. (3) Calculate uu =(qext ¢)Îp and vv =(qext ¢)Î p. 4. ANALYSIS OF THE BACKDOOR (4) Calculate Du Î with all coefficients in [-/pp2, /) 2 such that uu = mod pwhere u = In this section, we are to report on the impact and quality of uq+Du mod ;ifsuchDu does not exist, back to the backdoor in Ring-LWE encryption. More specifically, we fi 1. Calculate Dv Î with all coef cients in will discuss how the backdoor parameters affect the decryp- [-/pp2, /) 2 such that vv = mod pwhere v = tion for the attacker and legitimate receiver, how much vq+Dv mod ;ifsuchDv does not exist, back infected ciphertexts behave like uninfected ones and how to 1. middle terms in decryption behave different with respect to (5) The ciphertext is ()δuv, qq. infected and uninfected ciphertexts.
There are two different decryption algorithms for the legit- imate receiver and the attacker. The legitimate receiver uses 4.1. Decryption failures for the attacker his secret key s and follows the original Ring-LWE decryp- tion. The middle term he calculated is that There are two kinds of operations in backdoor decryption: inversions of qext and qcom and a modified Ring-LWE decryp- 3 For different targeted bits, we only need to modify the map qcom. tion. The decryption failure of backdoor decryption is
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 1232 D. XIAO AND Y. YU
æ 1 ö equivalent to the decryption failure of the modified Ring- For t =(w log n ), Î ç0, ÷ and s ³ èç 9 ø÷ LWE scheme. By a routine computation, we have that the ln((+/))/() 2n 1 1 2 p , by similar arguments shown in fi middle term in the modi ed Ring-LWE decryption is last subsection, we have that when
ê q¢ ù 2 vusreees¢ - ¢¢= ¢¢+ ¢ - ¢¢+ ê úmq¢¢mod . 22 np 21 ê t ú qtnc>++++()42ps 2 s 1 21,2p ë2 ú 4
Thus, a successful decryption relies on the fact that re¢¢+ the probability Pklepto is negligible, which implies that legit- 1 ê q¢ ù imate receivers can hardly detect the klepto scheme only ees¢ - ¢¢ < ê ú. It then leads to that the probability of Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 21¥ ê t ú from decryption failures. 22ë ú decryption failure for the attacker is REMARK 1. Equations (1) and (2) provide quantitative par- æ ö ameter relations to ensure a negligible probability of decryp- ç 1 ê q¢ ù÷ Pattacker = Prçre¢¢+ e¢ - e¢¢ s ¥ ³ ê ú÷ tion failures, which sets a theoretical grounding for backdoor ç 21 ê t ú÷ èç 22ë úø parameter selection. However, in practice, people may choose tighter parameters to achieve better efficiency and an accept- ¢¢¢ ¢¢ where r ,,,,eees12 ↩ Ds¢¢, . able decryption failure rate. We choose s¢ ³(ln 2n¢(+/))/( 1 1 2 p )for a small æ 1 ö Î ç0, ÷.Fort¢ = w log n¢ , Lemmas 2.1 and 2.2 show èç 7 ø÷ () that 4.3. Distinctions between infected and uninfected sr¢¢, ³ cn¢¢s ciphertexts Next we are to report on a few distinctions between infected with negligible probability. Combining Lemma 2.3,wehavethat and uninfected ciphertexts. We follow the notations in Section 3. Let qlpw=+where l Î and w Î . We start re¢¢+ e¢ - e¢¢ s ³ 22ps¢¢ t nc ¢2 s ¢2 + 1. p 21¥ with the following heuristics profiling the distributions of with negligible probability. Consequently, when ciphertexts:
2 (1) We model the distributions of ()uv, and (uv¢¢, ) as qtnc¢ > 22tt+-12ps¢¢ 2 ¢ s ¢ ++ 12,1 () 1 U (´)qqand U (¢ ´ ¢ ) respectively. qq¢¢ the probability Pattacker is negligible, which implies that the (2) We assume that ()uv, and (uv¢¢, ) look like attacker recovers correctly all targeted bits of message with independent. overwhelming probability. The Heuristic 1 can be explained by the pseudorandomness of Ring-LWE ciphertexts assuming the hardness of Ring-LWE. The Heuristic 2 is reasonable because the key generation and 4.2. Decryption failures for the legitimate receiver encryption of RLWEnq,,s and RLWenq¢¢¢¢,,,st are independent, In the klepto Ring-LWE encryption scheme, the ciphertext is despite the fact that two plaintexts that they correspond to are infected by two extra terms Du and Dv, and the middle term strongly correlated. in decryption becomes Ciphertexts modulo p: For uninfected ciphertexts ()uv, , each coefficient of ()upmod and ()vpmod follows the same êq ù distribution D1 over p that vusree- =( +21 - es )+Dvu -D s +ê úmqmod . ëê2 ú ïì l + 1 ï ,;iw< According to the definitions, we know that D , ï u ¥ ï q p np D1()=i í D£v ¥ and then D£u . Thus, the probability of ï l 2 2 ï ,.iw³ decryption failure for legitimate receivers is bounded by îïq æ ö 1 êqpù ÷ However, for infected ciphertexts ()uv, , the ciphertext Pklepto£ Prçre+- e 2 e 1 s -D³u s ¥ ê ú - ÷ èç 22ëê ú 2ø÷ modulo p equals an extension (by qext)of(uv¢¢, ) and thus the distributions of coefficients of upmod and vpmod could be k where r,,ee12 , e , s↩ Ds ,. different. We denote by ext()Îa p the p-adic expansion of
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 KLEPTO FOR RING-LWE ENCRYPTION 1233
()k k ()1 a Î q¢ and by D2 the distribution of ext(a) over p where where Sl ={(qp - +l )mod p , ¼( , q - 1 ) mod p} and ()2 a ↩ U ()q¢ . Then, for ii01,,¼Îkp- , we have Sl ={0, 1, ¼ ,l - 1}. The total number of (yz, ¢) corre- sponding to bad pairs is ïì 1 ï ,;ipj < q¢ ï ¢ å j NpS=(-)∣∣ ()k ï q j å y D2 ()=ii01 ik- 1 í y ï0,ipj ³ q¢ . ï å j p-1 ï j ()112 () () î =-å( SSSlll⋂ ) l=1 k k Let D1 be the distribution over p where each coordinate pp(-)1 p-1
()12 () Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 follows D1 independently. On the one hand, according to the = - å SSll⋂ , ()k 2 l=1 probability mass functions of D1 and D2 , we conclude that D k and D ()k are indeed different, which may be used to 1 2 where SSww()11=={¼+- ⧹ () ,,l 1}. check the existence of such backdoor. On the other hand, llp For any i Î p,ifiwÎ[0, ), there are exactly (-)wi notice that ()12 ()’ SSll⋂ s containing i;ifiwpÎ[,1 - ], there are exactly ()12 ()’ k ()k k k k ()k (-pi1 -)SSll⋂ s containing i. Therefore, it leads to that D(DD1 ;;2 )£ D( DU1 (p )) + D( U (p ) ; D2 ) k ¢ p-1 w-11p- pq- ()12 () £D(())+kDU· 1; p SS⋂ =(-)+(--) wi p1 i pk åååll l=1 i=0 iw= kw(-) p w pqk - ¢ = + ,3() ww(-)1 (-)(- pwpw -)1 k = + , pq p 2 2
k ()k thus D1 and D2 could be close when k is small, qp and and we immediately obtain that N =(-)wp w. We now qp¢ » k, which implies a way to select parameters for high- complete the proof. □ quality backdoors. Ciphertexts modulo q: In Step 4 of the klepto encryption, As a direct corollary, we give the expected number of repe- the black-box calculates certain small terms Du and Dv accord- titions of the klepto encryption. ing to ()uv, and (uv¢¢, ). However, as claimed in the algo- rithm, such Du and Dv do not always exist and thus the black- COROLLARY 4.1. The expected number of repetitions of klep- box may restart several times, which is different from the case to encryption is (almost) in [16]. For z Î and z¢ Î , we say (zz, ¢) is a bad pair if and æ ö-2n q p ç wp(-) w÷ ¢ ç11,- ÷ - only if the set {Dzz Î∣ ((zqzp + D )mod ) = mod } ⋂ èç pq ø÷ [-/pp2, /) 2 is empty. The total number of bad pairs is shown in the following lemma. if ((qqextuv¢)(, ext ¢)) is (almost) uniform over U (´)pp.
LEMMA 4.1. Let qp> and w =(qpmod )Îp, then there It implies that the klepto encryption terminates after few are totally w (-pw) bad pairs. repetitions when q is sufficiently large. ê pú Now we are to compare ()uv, and ()uv, by studying each Proof. Let y =-z ê ú mod q, then (zz, ¢) is a bad pair if fi i Î N ëê 2 ûú of their coef cients. For q, let i denote the number of (zz, ¢) such that iz=+Dz mod qand iz= ¢ mod pfor some and only if {Îxyxqzpp ∣ ((+)mod )=¢ mod }=Æ.If y +£pq, the term ((yx + )mod q ) equals y + x for Dz Î[-/pp2, / 2 ). It is easy to verify the following facts: x Î p. When x runs over p, there is always a unique x0 • "ÎiNpqi, £; such that y +=xz0 ¢ mod p. Thus a bad pair (zz, ¢) implies ê pú • æ p pù that y =-z >-qp. Now we are to calculate the num- "Îi qi⋂ç , q - ú, Np= ; ê ú è 2 2 ûú ëê 2 ûú • q-1 ber of (yz, ¢) corresponding to bad pairs. åi=0 Npqwpwi =-(-). (By Lemma 4.1) Let y =-+qpl where l Î[1,p - 1 ], then Let Dz and Dz be the distributions of a random coefficient Syxqpxyp={(( + )mod ) mod ∣ Î } of ()uv, and ()uv, , respectively. If we replace (uv, ) in ()12 () Step 4 of the klepto encryption with (uv¢¢, )(´)↩ Upp, = SSll⋃ , then we obtain a new pair, denoted by ()uv, . Let Dz be the distribution of a random coefficient of ()uv, , then
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 1234 D. XIAO AND Y. YU
TABLE 1. Experimental measure of decryption failures. DFRR and DFRA are the abbreviations of ‘Decryption failure rate for legitimate recei- vers’ and ‘Decryption failure rate for attackers’, respectively. We use LMR to denote the proportion of leaked message.
Parameter é n¢ ù êq¢ n ú DFRR (%) DFRA (%) LMR (nq,,s) (nq¢¢¢,,,st) ê ú
(/128,8,114 2p ,1) 8 93.82 88.63 0.25 æ 12.18 ö (/128,9,114 2p ,1) 9 92.96 100 0.25 ç512, 12289, ÷ èç 2p ø÷ (/)128, 7681, 11 2p , 1 10 90.47 100 0.25 4
(/128,9,11 2p ,2) 9 92.84 38.79 0.5 Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 (/)128, 7681, 11 2p , 2 10 90.21 79.15 0.5 (/)128, 9473, 11 2p , 2 10 90.27 98.33 0.5 (/)128, 104 , 11 2p , 2 10 91.01 99.15 0.5 (/)256, 7681, 11.31 2p , 1 10 100 99.08 0.25 æ 8 ö (/)256, 104 , 11.31 2p , 1 10 100 99.99 0.25 ç1024, 232 - 1, ÷ èç 2p ø÷ (/)512, 12289, 12.18 2p , 1 111 100 97.13 0.5 (/)512, 1112 , 12.18 2p , 1 111 100 97.31 0.5 (/)256, 114 , 11.31 2p , 2 11 100 97.85 0.5 (/)256, 15361, 11.31 2p , 2 12 100 99.12 0.5 (/)512, 1602 , 12.18 2p , 2 160 100 98.76 1 (/)512, 25601, 12.18 2p , 2 161 100 98.79 1 (/)512, 1612 , 12.18 2p , 2 161 100 99.22 1 (/)256, 7681, 11.31 2p , 1 10 100 99.38 0.25 æ 8 ö ç1024, 12289, ÷ (/)256, 104 , 11.31 2p , 1 10 100 99.99 0.25 èç ø÷ 2p (/)256, 13313, 11.31 2p , 2 11 99.99 92.91 0.5 (/)256, 114 , 11.31 2p , 2 11 100 98.07 0.5 (/)256, 15361, 11.31 2p , 2 12 99.99 99.21 0.5 (/256, 124 , 11.31 2p , 2) 12 100 100 0.5
EMARK ¢ k D()ÎD()+[-D()D()]DDzz;; DD zz D zz ;,;. D D zz D R 2. For an ideal case where w = 0 and qp= , fol- lowing the deductions of Equations (3) and (4), we know that k to distinguish infected and uninfected ciphertexts modulo q It is easy to check that D()=DDzz;0when qp¢ = . Intuitively, D()DD; is supposed to be small when qp¢ » k. and p is computationally hard under the assumed hardness of zz fi Moreover, it can be verified that, when qwpw>(-), Ring-LWE. In this case, the SETUP totally follows De nition 2.1. In a real scheme, q is fixed as a public parameter thus the attacker may not be able to ensure w = 0. However, it is easy Ni 1 ∣∣Dizz()- D () i = - to choose q¢ such that qp¢ = k and w (-)pw pq, for pq-(-) w p w q which infected and uninfected ciphertexts modulo q and p ïì p 1 1 ïü also seem to be indistinguishable. £ max íï - , ýï, îï pq-(-) w p w q q þï
then it follows that when qwpw>(-)and qp¢ » k, 4.4. Middle terms in decryption D(DDzz;; ) » D( DD zz ) In Section 4.3, the decryption key is not involved in distin- 1 p 1 guishing infected and uninfected ciphertexts yet. Indeed, given = å - a legitimate decryption key, one would be able to know more 2 iIÎ pq-(-) w p w q information contained in the ciphertexts, for example, the mid- 1 N 1 + å i - dle term, i.e. 2 iIÏ pq-(-) w p w q êq ù (-)(-qpwpw ) é p ù Mvus=- -ê úm Î q Î + ê0, ú ()4 ëê2 ú 2qpqwpw(-(-)) ëê 2q ûú where s is the secret key and ()uv, is a ciphertext of the mes- æ p pù where I = ç , q - ú. sage m. è 2 2 ûú SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 KLEPTO FOR RING-LWE ENCRYPTION 1235
TABLE 2. Experimental measure of the closeness between infected and uninfected ciphertexts. The comparisons among the distributions over 32 32 q are not provided for q =-21, because 2 - 1 is too large for us to generate accurate statistics.
Parameter ()q ()q ()q ()p ()p ()p Drk Dru Dku Drk Dru Dku (nq,,s) (nq¢¢¢,,,st)
(/)128, 7681, 11 2p , 1 0.0608 0.0139 0.0600 0.2323 0.0252 0.2319 æ 12.18 ö (/)128, 7681, 11 2p , 2 0.0606 0.0138 0.0603 0.2313 0.0252 0.2319 ç512, 12289, ÷ èç 2p ø÷ (/)128, 9473, 11 2p , 2 0.0251 0.0138 0.0214 0.0668 0.0249 0.0592 4
(/128,8,11 2p ,1) 0.0184 0.0139 0.0139 0.0227 0.0163 0.0159 Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 (/128,9,114 2p ,1) 0.0184 0.0140 0.0138 0.0285 0.0204 0.0199 (/128,9,114 2p ,2) 0.0184 0.0138 0.0138 0.0289 0.0198 0.0207 (/)128, 104 , 11 2p , 2 0.0187 0.0139 0.0139 0.0353 0.0248 0.0248 (/)256, 7681, 11.31 2p , 1 0.2318 0.0177 0.2319 æ 8 ö (/)512, 12289, 12.18 2p , 1 0.0211 0.0139 0.0152 ç1024, 232 - 1, ÷ èç 2p ø÷ (/)256, 15361, 11.31 2p , 2 0.2591 0.0252 0.2592 (/)512, 25601, 12.18 2p , 2 0.0348 0.0201 0.0267 (/)256, 104 , 11.31 2p , 1 0.0249 0.0176 0.0178 (/)512, 1112 , 12.18 2p , 1 0.0197 0.0140 0.0140 (/)256, 114 , 11.31 2p , 2 0.0299 0.0212 0.0210 (/)512, 1602 , 12.18 2p , 2 0.0284 0.0200 0.0198 (/)512, 1612 , 12.18 2p , 2 0.0285 0.0200 0.0201 (/)256, 7681, 11.31 2p , 1 0.0604 0.0098 0.0600 0.2320 0.0177 0.2319 æ 8 ö ç1024, 12289, ÷ (/)256, 13313, 11.31 2p , 2 0.0266 0.0099 0.0246 0.0939 0.0212 0.0915 èç ø÷ 2p (/)256, 15361, 11.31 2p , 2 0.0654 0.0099 0.0653 0.2592 0.0254 0.2592 (/)256, 104 , 11.31 2p , 1 0.0131 0.0098 0.0098 0.0250 0.0176 0.0178 (/)256, 114 , 11.31 2p , 2 0.0133 0.0098 0.0099 0.0300 0.0215 0.0213 (/256, 124 , 11.31 2p , 2) 0.0131 0.0097 0.0097 0.0357 0.0254 0.0253
As mentioned before, the middle term M equals 5. PRACTICAL IMPLEMENTATION (+re e - e s )for a legitimate ciphertext and (+-re e 21 2 We implemented the klepto scheme in Sage [24]andranexperi- es1 )+Dvu -D s for an infected ciphertext, where r,,e p ments to observe the impact of the backdoor from the aspects dis- ee12, ↩ Ds , and DD£uv¥¥, . For simplicity, we 2 cussedinSection4. Three sets of public Ring-LWE parameters assume that all coefficients of a middle term independently we discussed are ()=(nq, ,sp 512, 12289, 12.18 /) 2 , 32 follow the same distribution denoted by D (resp. D )for (-/1024, 2 1, 8 2p ) and (/)1024, 12289, 8 2p .The M M fi uninfected ciphertexts (resp. infected ciphertexts). From rst two tuples were discussed in [21]and[25], respectively and the theoretical aspect, we do not prove the statistical or claimed to provide at least 128-bits security, and the third one is adapted from the second one by decreasing the modulus like computational indistinguishability between DM and DM . Indeed this is a non-trivial problem. A possible solution is [15]. For each public parameter tuple, different backdoor param- eter tuples (nq¢¢¢,,,st) were discussed and compared. For to design delicate perturbations Du and Dv. Moreover, one may be able to give a rigorous proof when smudging tech- each parameter set, we generated 100 random instances and nique [22] or some other ciphertext sanitization technique encrypted 100 random plaintexts for each instance so that [23] is applied. However, under such setting, the schemes 10 000 ciphertexts were collected totally. would be impractical. To formally confirm the indistin- Table 1 shows how the backdoor parameter affects decryp- tion failures for legitimate receivers and attackers. Experimental guishability between DM and DM given the decryption key é n¢ù is left as a future work. From the practical aspect, we will results confirm that for fixed ()nq,,s ,smallerpq= ê ¢ n ú leads compare the statistics of DM and DM experimentally in the ê ú next section. Indicated by experimental results, when p is to less decryption failures for legitimate receivers. The propor- small, it is not easy to distinguish the middle terms yielded tn¢ tion of leaked message equals , thus a direct approach to by infected and uninfected ciphertexts in practice. n
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 1236 D. XIAO AND Y. YU
TABLE 3. Experimental measure of M , M , sM and s M .
Parameter é n¢ ù n êq¢ ú M M sM s M (nq,,s) (nq¢¢¢,,,st) ê ú
(/128,8,114 2p ,1) 8 0.4949 5.2413 752.0630 795.3722 æ 12.18 ö (/128,9,114 2p ,1) 9 0.0578 0.3553 755.5527 806.6366 ç512, 12289, ÷ èç 2p ø÷ (/)128, 7681, 11 2p , 1 10 0.5509 −2.8801 755.9129 821.8440 (/128,9,114 2p ,2) 9 0.5805 0.5908 757.5418 810.0109 − − (/)128, 7681, 11 2p , 2 10 0.1230 0.4453 757.1177 822.7273 Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 (/)128, 9473, 11 2p , 2 10 −0.0263 −4.7967 752.7451 818.1350 (/)128, 104 , 11 2p , 2 10 −0.2817 0.9695 755.7126 820.5229 (/)256, 7681, 11.31 2p , 1 10 0.1186 −2.3709 461.4615 549.4083 æ 8 ö (/)256, 104 , 11.31 2p , 1 10 −0.0850 −0.2645 460.7307 548.3159 ç1024, 232 - 1, ÷ èç 2p ø÷ (/)512, 12289, 12.18 2p , 1 111 −0.0910 −0.1882 461.8267 3312.2316 (/)512, 1112 , 12.18 2p , 1 111 0.0283 −0.4126 461.2856 3307.7249 (/)256, 114 , 11.31 2p , 2 11 −0.0428 0.0240 460.8434 562.8343 (/)256, 15361, 11.31 2p , 2 12 −0.1359 −1.1515 460.8889 581.9961 (/)512, 1602 , 12.18 2p , 2 160 0.2552 1.1382 461.9073 4766.3459 (/)512, 25601, 12.18 2p , 2 161 0.1939 −0.1191 461.0203 4755.4355 (/)512, 1612 , 12.18 2p , 2 161 0.2985 −0.7573 459.8787 4758.0793 (/)256, 7681, 11.31 2p , 1 10 −0.1168 −1.3590 461.1512 549.2173 æ 8 ö ç1024, 12289, ÷ (/)256, 104 , 11.31 2p , 1 10 −0.0759 0.0225 460.5395 548.0335 èç ø÷ 2p (/)256, 13313, 11.31 2p , 2 11 0.1015 0.2012 460.4020 561.4611 (/)256, 114 , 11.31 2p , 2 11 0.1423 −0.0885 459.6836 560.9952 (/)256, 15361, 11.31 2p , 2 12 0.1803 −4.6646 459.9769 581.8082 (/256, 124 , 11.31 2p , 2) 12 0.1378 −3.0988 461.2178 583.7178
()q ()p leak more message is to increase t or n¢. For larger t, infected). Let Drk = D()DDzz; and Drk =D(DDzz¢¢; ). ()q Equation (1)showsthatq¢ should be increased accordingly to For better comparisons, we also considered D=ru ()q ()p ensure correct decryption for attacker, which may weaken the D(DUzq; ( )), D=ku D(DUzq; ( )) and D=D(ru DUz¢; ()) pk security of the backdoor scheme, but it does not seem to ()p and D=D(ku DUz¢; ()) pk . All experimental results are listed in increase p too much. For larger n¢, the backdoor seems more Table 2. fi secure, but p would be increased a lot, which signi cantly We compare experimental results with our estimations in affects the correct decryption for legitimate receivers when q is wp(-) w Equations (3) and (4). Let d = where not so large. From experimental results, we also conclude that 1 pqk - ¢ pq it is more convenient to add backdoors to Ring-LWE encryp- w =(qpmod )and d = that are closely related to 2 k tion scheme with very large q, because large q allows more p statistical distances between ciphertext distributions. We backdoor parameter tuples for stealing different proportions of observe that D()p and D()p are approximately equal to d when message. rk ku 2 d is not very small (e.g. d > 0.18),andthesetwomeasures We also measured experimentally the closeness between 2 2 are less than 0.04 when d = 0. That suggests that to hide the infected and uninfected ciphertexts via statistical distances follow- 2 backdoor well, the attacker should choose parameters such that ing the discussions in Section 4.3.Weassumethatallcoefficients ()p d2 = 0 or very small. We also notice that Dru may exceed the of uninfected (resp. infected) ciphertexts follow the same distribu- ()p upper bound implicit in Equation (3), i.e. D £ kd1.Thereare tion Dz (resp. Dz ), and measure them together to collect more ru é 1 ù two possible causes for this phenomenon: (1) the inherent differ- samples. Let k =/nn¢ and pq= ê ¢ k ú. For a ciphertext ()uv, ê ú ence between Ring-LWE ciphertext distribution and uniform where uu=(01,, ¼ un- ) and vv=(01,, ¼ vn- ), we generate distribution, and (2) the experimental error. Furthermore, when k ()q 2n¢ values a01,,¼ an¢- ,b01,,¼Îbn¢- pk where ai = qp¢ ¹ , Drk may be relatively larger, which is implicit in the k-1 j k-1 j å j=0pu()ik+ j mod pand bi = å j=0pv()ik+ j mod p.Wealso approximation in Equation (4). assume that these 2n¢ values follow the same distribution To compare the middle terms with respect to uninfected denoted by Dz¢ (resp. Dz¢)when()uv, is uninfected (resp. and infected ciphertexts, we considered the distributions DM
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 KLEPTO FOR RING-LWE ENCRYPTION 1237
(a) Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018
(b)
32 FIGURE 1. Comparisons between DM and DM for different p’s when ()=(-/nq, ,sp 1024, 2 1, 8 2 ).(a) (nq¢¢¢,,,st)= é n¢ ù é n¢ ù (/)256, 104 , 11.31 2p , 1 , êq¢ n ú = 10 and (b) (nq¢¢¢, ,st ,)=( 512, 1612 , 12.18 / 2 p , 2 ), êq¢ n ú = 161. ê ú ê ú and DM that are defined in Section 4.4. First, we experimen- sM and the difference seems to depend on the magnitudes of é n¢ù tally measured the statistics of D and D . For XD↩ and n M M M Duv, D , i.e. pq= ê ¢ ú. For better illustrations, we also plot XD↩ , let and be the expectation of X and X , and ê ú M M M Figure 1 to show the comparison between D and D corre- s and s be the standard deviation, respectively. Table 3 M M M M sponding to small and large p respectively. Indeed D and illustrates the experimental results. Since both and M M M D behave different: the middle term with respect to an are close to 0, coefficients of middle terms should be of sym- M infected ciphertext tends to be of smaller size. However, metry. It also can be observed that s M is usually larger than
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 1238 D. XIAO AND Y. YU
as p decreases, DM seems to converge to DM . Thus, when [6] Stehlé, D. and Steinfeld, R. (2011) Making NTRU as Secure as p is small, to detect the backdoor may still require suffi- Worst-Case Problems Over Ideal Lattices. Advances in ciently many ciphertexts even though the decryption key is Cryptology – EUROCRYPT 2011, Tallinn, Estonia, May – – available. 15 19, pp. 27 47. Springer, Berlin, Heidelberg. [7] Yu, Y., Xu, G. and Wang, X. (2017) Provably Secure NTRU Instances over Prime Cyclotomic Rings. Public-Key Cryptography – PKC 2017, Amsterdam, The Netherlands, March 28–31, 2017, 6. CONCLUSION Proceedings, Part I, pp. 409–434. Springer, Berlin, Heidelberg. In this paper, we propose a construction of backdoor for Ring- [8] Yu, Y., Xu, G. and Wang, X. (2017). Provably Secure LWE encryption scheme and study it theoretically and experi- NTRUEncrypt Over more General Cyclotomic Rings. Cryptology Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018 mentally. As indicated by our analysis and experiments, it seems ePrint Archive, Report 2017/304, Available at https://eprint.iacr. practical to modify Ring-LWE scheme into a klepto variant in org/2017/304. such a way, especially for the scheme with large modulus. [9] Regev, O. (2005) On Lattices, Learning with Errors, Random Therefore, we believe that black-box implementations of Ring- Linear Codes, and Cryptography. Proc. STOC 2005, Baltimore, – – LWE cryptographic algorithms are potentially dangerous and MD,USA,May22 24, pp. 84 93. ACM, New York City, USA. not supposed to be accepted easily. Our analysis in Section 4 [10] Lyubashevsky, V., Peikert, C. and Regev, O. (2010) On Ideal can be used for detecting such backdoors preliminarily. It would Lattices and Learning with Errors over Rings. Advances in Cryptology – EUROCRYPT 2010, French Riviera, May 30– be meaningful to exploit other cryptanalysis and tools to give an June 3, pp. 1–23. Springer, Berlin, Heidelberg. elaborative backdoor detection. We leave it as future work. [11] Chen, Y. and Nguyen, P.Q. (2011) BKZ 2.0: Better Lattice Security Estimates. Advances in Cryptology – ASIACRYPT 2011, Seoul, South Korea, December 4–8, pp. 1–20. Springer, FUNDING Berlin, Heidelberg. This research was supported by The National Key Research and [12] Coppersmith, D. and Shamir, A. (1997) Lattice Attacks on – Development Program of China (Project no. 2017YFA0303903) NTRU. Advances in Cryptology EUROCRYPT 1997, Konstanz, Germany, May 11–15, pp. 52–61. Springer, Berlin, Heidelberg. and 973 National Program on Key Basic Research Project of China (Project no. 2013CB834205). [13] Howgrave-Graham, N. (2007) A Hybrid Lattice-Reduction and Meet-in-the-Middle Attack Against NTRU. Advances in Cryptology – CRYPTO 2007, Santa Barbara, CA, USA, August 19–23, pp. 150–169. Springer, Berlin, Heidelberg. ACKNOWLEDGEMENTS [14] Kirchner, P. and Fouque, P.-A. (2015) An Improved BKW We thank Léo Ducas and Prof. Xiaoyun Wang for helpful Algorithm for LWE with Applications to Cryptography and – discussions and comments. We also would like to thank the Lattices. Advances in Cryptology CRYPTO 2015, Santa Barbara, CA,USA,August16–20, pp. 43–62. Springer, Berlin, Heidelberg. anonymous reviewers for their constructive comments. [15] Alkim, E., Ducas, L., Pöppelmann, T. and Schwabe, P. (2016) Post-Quantum Key Exchange—A New Hope. USENIX Security 2016, Austin, TX, USA, August 10–12, pp. 327–343. REFERENCES USENIX Association, Berkeley, CA, USA. [1] Young, A. and Yung, M. (1996) The Dark Side of ‘Black-Box’ [16] Kwant, R., Lange, T. and Thissen, K. (2017) Lattice Klepto: Cryptography, or: Should We Trust Capstone? Advances in Turning Post-quantum Crypto Against Itself. Selected Areas in Cryptology – CRYPTO 1996, Santa Barbara, CA, USA, August Cryptography – SAC 2017, Ottawa, Ontario, Canada, August 18–22, pp. 89–103. Springer, Berlin, Heidelberg. 16–18. Springer, Berlin, Heidelberg. [2] Young, A. and Yung, M. (1996) Cryptovirology: Extortion- [17] Micciancio, D. and Regev, O. (2007) Worst-case to average- Based Security Threats and Countermeasures. IEEE Symp. case reductions based on Gaussian measures. SIAM J. Comput., Security and Privacy, Oakland, CA, USA, May 6–8, pp. 37, 267–302. 129–140. IEEE Computer Society, Washington, D.C., USA. [18] Banaszczyk, W. (1993) New bounds in some transference theo- [3] Young, A. and Yung, M. (1997) Kleptography: Using rems in the geometry of numbers. Math. Ann., 296, 625–635. Cryptography Against Cryptography. Advances in Cryptology – [19] Langlois, A. and Stehlé, D. (2015) Worst-case to average-case EUROCRYPT 1997, Konstanz, Germany, May 11–15, pp. 62–74. reductions for module lattices. Designs Codes Cryptogr., 75, Springer, Berlin, Heidelberg. 565–599. [4] Young, A. and Yung, M. (2004) Malicious Cryptography: [20] Lyubashevsky, V., Peikert, C. and Regev, O. (2013) A Toolkit Exposing Cryptovirology. Wiley, Hoboken, NJ, USA. for Ring-LWE Cryptography. Advances in Cryptology – [5] Hoffstein, J., Pipher, J. and Silverman, J.H. (1998) NTRU: A EUROCRYPT 2013, Athens, Greece, May 26–30, pp. 35–54. Ring-Based Public Key Cryptosystem. Proc. ANTS 1998, Springer, Berlin, Heidelberg. Portland, OR, USA, June 21–25, pp. 267–288. Springer, [21] Liu, Z., Seo, H., Roy, S.S., Großschädl, J., Kim, H. and Berlin, Heidelberg. Verbauwhede, I. (2015) Efficient Ring-LWE Encryption on
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018 KLEPTO FOR RING-LWE ENCRYPTION 1239
8-bit AVR Processors. Cryptographic Hardware and Embedded Vienna, Austria, May 8–12. Proceedings, Part I, pp. 294–310. Systems – CHES 2015, Saint-Malo, France, September 13–16, Springer, Berlin, Heidelberg. pp. 663–682. Springer, Berlin, Heidelberg. [24] The Sage Development Team SageMath: A Free Open-Source [22] Asharov, G., Jain, A., López-Alt, A., Tromer, E., Vaikuntanathan, V. Mathematics Software System. Available at https://www. and Wichs, D. (2012) Multiparty Computation with Low sagemath.org/. Communication, Computation and Interaction via Threshold FHE. [25] Bos, J.W., Costello, C., Naehrig, M. and Stebila, D. (2015) Advances in Cryptology – EUROCRYPT 2012, Cambridge, UK, Post-Quantum Key Exchange for the TLS Protocol from the April 15–19. Proceedings, pp. 483–501. Springer, Berlin, Heidelberg. Ring Learning with Errors Problem. IEEE Symp. Security and [23] Ducas, L. and Stehlé, D. (2016) Sanitization of FHE Privacy, San Jose, CA, USA, May 17–21, pp. 553–570. IEEE Ciphertexts. Advances in Cryptology – EUROCRYPT 2016, Computer Society, Washington, DC, USA. Downloaded from https://academic.oup.com/comjnl/article-abstract/61/8/1228/5035449 by guest on 19 December 2018
SECTION D: SECURITY IN COMPUTER SYSTEMS AND NETWORKS THE COMPUTER JOURNAL,VOL.61NO. 8, 2018