DOCSLIB.ORG

The Learning with Errors Problem in 3 Hours

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
The Learning with Errors Problem in 3 Hours An Introduction to the Learning with Errors Problem in 3 Hours 賴奕甫 Peter W. Shor There are polynomial-time quantum algorithms that can solve • Factorization Problem • Discrete Logarithm Problem (over ℤ푝) About ECC There is also a quantum algorithm that can solve • Discrete Logarithm Problem over Elliptic Curves ; ( If there was a practical quantum computer, then it was able to break • RSA encryption, signature scheme • Diffie-Hellman Key Exchange, Elgamal, DSA • Elliptic Curve Diffie-Hellman (ECDH), Elliptic Curve DSA (ECDSA) • …etc No more forward secrecy. Post-Quantum Cryptography Lattice-based cryptography • Post-quantum cryptography • is a branch of cryptography • Multivariate cryptography that considers cryptographic • Hash-based cryptography algorithms which is still • Code-based cryptography secure against quantum • Supersingular elliptic curve isogeny cryptography attack. LWE Problem • The learning with errors problem (LWE) is included in the lattice- based cryptography. • The LWE problem is versatile (it can be used to construct a variety of cryptographic algorithms). For example, A Simple Introduction to the Lattice • This is a lattice in ℝ2. It can be written as… • 푥, 푦 |푥, 푦 ∈ ℤ Also written as… 1 0 • ℤ + ℤ 0 1 1 0 • ℤ + ℤ 1 1 1 1 • ℤ + ℤ 0 1 • ... A Lattice A Simple Introduction to the Lattice 푛 • Definition 1. For a linear independent set 퐵 = 푢1, … , 푢푘 ⊂ ℝ , a lattice 퐿 generated by 퐵 in ℝ푛 is defined to be 퐿 = ℤ푢푖 . (If 푘 = 푛, then the lattice is said to be a full-rank lattice.) There is an equivalent definition for the lattice in ℝ푛-- A Simple Introduction to the Lattice • Definition 2. A set 퐿 ⊂ ℝ푛 is said to be a discrete additive subgroup if it satisfies the following two conditions: 1. It is closed under addition and substraction. (additive subgroup) 2. There is a constant 휖 > 0 such that for any 푣 ∈ 퐿 퐿 ∩ 푤 ∈ ℝ푛: 푣 − 푤 = 푣 . (discrete) • Theorem. In ℝ푛, a subset of ℝ푛 is a lattice if and only if it is a discrete additive subgroup. (see p.25 in Algebraic Number Theory by Neukirch ) Mythology in Lattice-Based Cryptography • Given a linear independent generating set of a lattice 퐿 in ℝ푛 . • 퐶푙표푠푒푠푡 푣푒푐푡표푟 푝푟표푏푙푒푚 (CVP): Given: a vector 푤 in ℝ푛. Request: Find 푣 ∈ 퐿 such that 푤 − 푣 = min 푤 − 푢 푢∈퐿 • 푆ℎ표푟푒푠푡 푣푒푐푡표푟 푝푟표푏푙푒푚 (SVP): Request: Find a nonzero vector 푣 ∈ 퐿 such that 푣 = min 푢 푢∈퐿− 0 Hardness: CVP≥SVP (sketch) • Given a lattice 퐿 generated by a independent set 푏1, … , 푏푛 . • Write the shortest nonzero lattice point 푣 = 푎푖푏푖. (Note that 푎푖 ∈ ℤ can not be all even.) ′ ′ • For each 푖, feed the CVP oracle with 퐿푖, 푏푖 where lattice 퐿푖 is generated by {푏1, … , 푏푖−1, 2푏푖, 푏푖+1, 푏푛} • And the output is 푣푖 • Then 푣푗 − 푏푗 is the shortest nonzero vector for some 푗. (Why?) Linear Equations 푇 4 • There is a secret vector 풔 = 푠1, 푠2, 푠3, 푠4 ∈ ℤ13 • Given 1푠1 + 2푠2 + 5푠3 + 2푠4 = 9 푚표푑 13 12푠1 + 1푠2 + 1푠3 + 6푠4 = 7 푚표푑 13 6푠1 + 10푠2 + 3푠3 + 6푠4 = 1 푚표푑 13 10푠1 + 4푠2 + 12푠3 + 8푠4 = 0 푚표푑 13 . • Solve for 풔 The Learning with Errors Problem (Search) 푇 4 • There is a secret vector 풔 = 푠1, 푠2, 푠3, 푠4 ∈ ℤ13 • Given 5푠1 + 5푠2 + −3 푠3 + 7푠4 ≈ 6 푚표푑 13 −1푠1 + 1푠2 + 2푠3 + −5 푠4 ≈ −4 푚표푑 13 −3 푠1 + 3푠2 + 7푠3 + 4푠4 ≈ 2 푚표푑 13 5푠1 + 4푠2 + −1 푠3 + 2푠4 ≈ −5 푚표푑 13 −4 푠1 + 6푠2 + 3푠3 + −2 푠4 ≈ 5 푚표푑 13 −2 푠1 + 3푠2 + 1푠3 + 6푠4 ≈ −3 푚표푑 13 . • There is an odds of ½ for each equation that is added by 1. • Solve for 풔 LWE distribution • (Definition) 푛 1. For a secret vector 풔 ∈ ℤ푞 and distribution 휒, an LWE 푛 distribution 풜풔,푛,푞,휒 generates a sample 풂, 푏 ∈ ℤ푞 × 푚×푛 푚 ℤ푞 or (퐴, 풃) ∈ ℤ푞 × ℤ푞 where 풂 sampled uniformly from 푛 ℤ푞 and 푏 = 풂, 풔 + 푒 where 푒 ← 휒. 풂ퟏ 풂ퟐ LWE Problem (Search) × 풔 풂 + 풆 풃 = ퟑ ⋮ • (Definition) 2. LWE problem (Search): 풏 • Secret 풔 ∈ ℤ풒. Given 푝표푙푦 푛 LWE samples 퐴, 풃 from 풜풔,푛,푞,휒. • Find 풔. LWE Problem (Search) Dimension 푛 Modulus 푞 Error distribution 휒 Adversary Challenger 퐴, 풃 풏 풏 Output: 풔 ∈ ℤ풒 Secret 풔 ∈ ℤ풒 Generate : 푝표푙푦 푛 LWE samples 퐴, 풃 from 풜풔,푛,푞,휒 LWE Problem (Decisional) • (Definition) 3. Decisional LWE problem: $ 풏 • 풔 ← ℤ풒. Given 푝표푙푦(푛) samples (퐴, 풃) which are either from 풜풔,푛,푞,휒 푚×푛 푚 or generated uniformly over ℤ푞 × ℤ푞 (with fair probabilities) • Determine which is the case in non-negligible advantage. LWE Problem (Decisional) Dimension 푛 Modulus 푞 Error distribution 휒 Adversary Challenger 퐴, 풃 $ 풏 풔 ← ℤ풒 Output: {“LWE”, ”uniform at random”} Generate : 푝표푙푦 푛 LWE samples 퐴, 풃 either from 풜풔,푛,푞,휒 or uniformly at random over 푚×푛 푚 ℤ푞 × ℤ푞 For example • Dimension 푛 = 4 • Modulus 푞 = 13 • Error distribution 휒. (±1 ← 휒 with prob ¼, 0 ← 휒 with ½ ) Given 0 6 0 −2 5 1 −6 6 0 −2 4 7 −5 6 6 3 −3 , 4 4 3 −2 1 1 9 −5−3−5−4−1 0 Q: LWE distribution or uniform distribution? Remark. • The distribution 휒 is called the “error distribution”. 휒 is typically chosen to be a discrete Gaussian (normal) distribution with small standard deviation. • The hardness varies with the S.D. of 휒 • Oded Regev shows that 퐿푊퐸 ≥ 푎푝푝푟표푥−푆(퐼)푉푃 & 푎푝푝푟표푥−GapSVP with a quantum reduction. • Specifically, with 푑푖푚푒푛푠푖표푛 푛, modulus 푞 = 푝표푙푦 푛 , and error distribution (discrete Gaussian distribution) 휒 of standard deviation 훼푞, 퐿푊퐸푛,푞,휒 ≥ ( 푛/ 훼)−푆(퐼)푉푃. Little Knowledge: How to check candidate 풔 ? 푚×푛 푚 • Given 푝표푙푦(푛) LWE samples (퐴, 풃 = 퐴풔 + 풆) ∈ ℤ푞 × ℤ푞 for some 푛 fixed secret 풔 ∈ ℤ푞 . • Assume you find an algorithm that can generate a small set of candidate answers. How can you check which one may be the correct one? A Little Question For any 푐 ∈ ℤ푞. 휒 is some distribution over ℤ푞. Pr 푎 + 푏 = 푐 =? (푎 and b are generated independently) $ b←ℤ푞 푎←휒 If the modulus 푞 is 푝표푙푦 푛 -bounded, then DLWE=SLWE problem “≤” • Given 푝표푙푦(푛) samples either from a LWE distribution 풜풔,푛,푞,휒 for some 푛 푚×푛 푚 unknown 풔 ∈ ℤ푞 or generated uniformly over ℤ푞 × ℤ푞 . 푛 • Take some of them to the oracle of SLWE problem to find 풔 ∈ ℤ푞. • Then ? “≥” 푛 • Given 푝표푙푦(푛) samples a LWE distribution 풜풔,푛,푞,휒 for some unknown 풔 ∈ ℤ푞 . Claim we can solve it with a DLWE oracle. If the modulus 푞 is 푝표푙푦 푛 -bounded, then DLWE=SLWE problem “≥” • Given 푝표푙푦(푛) samples 풂풊, 푏푖 from a LWE distribution 풜풔,푛,푞,휒 for some 푇 푛 unknown 풔 = 푠1, … , 푠푛 ∈ ℤ푞 . Claim we can solve for 푠1 with a DLWE oracle. 1. Choose guessing 푘 ∈ ℤ푞. 푛 푛 2. Define a transformation 휙푘: ℤ푞 × ℤ푞 → ℤ푞 × ℤ푞 by ′ 풂 + 푟 , 푏 + 푘 ∙ 푟 ← 휙푘 풂, 푏 , ′ 푇 푛 where 푟 ∈ ℤ푞 is generated uniformly at random and 푟 = 푟, 0, … , 0 ∈ ℤ푞. <Uniformly random>: ⇒? If the modulus 푞 is 푝표푙푦 푛 -bounded, then DLWE=SLWE problem “≥” 푛 푛 • Define a transformation 휙푘: ℤ푞 × ℤ푞 → ℤ푞 × ℤ푞 by ′ 풂 + 푟 , 푏 + 푘 ∙ 푟 ← 휙푘 풂, 푏 , ′ 푇 푛 where 푟 ∈ ℤ푞 is generated uniformly at random and 푟 = 푟, 0, … , 0 ∈ ℤ푞. <LWE samples>: 풂풊, 푏푖 = 풂풊, 풂풊, 풔 + 푒푖 ′ ′ ′ 풂풊 + 푟 , 푏푖 + 푘 ∙ 푟 = 풂풊 + 풓 , 풂풊 + 풓 , 푠 + 푒푖 + 푟 ∙ 푘 − 푠1 If 푘 = 푠1, ⇒? If 푘 ≠ 푠1, ⇒? Short Secret DLWE Problem: Dimension 푛 Modulus 푞 Error distribution 휒 Adversary Challenger 퐴, 풃 Output: {“LWE”, ”uniform at random”} 풔 ← 흌풏 Generate : 푝표푙푦 푛 LWE samples 퐴, 풃 either from 풜풔,푛,푞,휒 or uniformly at random over 푚×푛 푚 ℤ푞 × ℤ푞 Lemma: Short Secret DLWE Problem≥DLWE problem • Given access to the short secret LWE problem. $ 푛×푛 푇 푛×푛 • Given LWE instances (퐴 ∈ ℤ푞 , 풃 = 퐴 푠 + 풆풔) where 퐴 ← ℤ푞 , $ 푛 unknown 푠 ← ℤ푞 and 푒푠 generated from 휒. (DLWE problem setting) • Say 퐴 is invertible. 푛 푛 • Consider a transformation 휙: ℤ푞 × ℤ푞 → ℤ푞 × ℤ푞 휙 풂′, 푏′ = −퐴−1풂′, 푏′ + −퐴−1풂′, 푏 ′ 푛 ′ ′ ′ • Given a LWE instance (풂 ∈ ℤ푞, 푏 = 풂 , 푠 + 푒 ) • Compute:휙 풂′, 푏′ −1 ′ −1 ′ = −퐴 풂 , −퐴 풂 , 푒푠 + 푒′ ⇒ ? A Taste of Passive Security Proof with DLWE problem $ 푛×푛 퐴 ← ℤ푞 푛 푛 풔풂 ← 휒 ; 풆풂 ← 휒 푛 풃 = 퐴풔풂 + 풆풂 ∈ ℤ푞 푛×푛 푛 퐴, 풃 ∈ ℤ푞 × ℤ푞 ′ 푛 풃 , 푐 ∈ ℤ푞 × ℤ푞 푚 ∈ 0,1 풔 , 풆 ← 휒푛 Decrypt: 푩 푩 푞 푒퐵′ ← 휒 푐 − 풃′풔 = 푒′ − 풆푻 푠 ≈ 푚 ∙ 푚표푑 푞 풂 푏 푩 푎 2 ′ 푻 푻 푛 풃 = 풔푩퐴 + 풆푩 ∈ ℤ푞 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game0 (original protocol) $ 푛×푛 퐴 ← ℤ푞 푛 푛 풔풂 ← 휒 ; 풆풂 ← 휒 푛 풃 = 퐴풔풂 + 풆풂 ∈ ℤ푞 퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 푚 ∈ 0,1 풔 , 풆 ← 휒푛 Decrypt: 푩 푩 ′ ′ 푻 푒퐵′ ← 휒 푐 − 풃 풔풂 = 푒퐵 − 풆푩푠푎 푞 풃′ = 풔푻 퐴 + 풆푻 ∈ ℤ푛 ≈ 푚 ∙ 푚표푑 푞 푩 푩 푞 2 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game1 $ 푛×푛 퐴 ← ℤ푞 $ 푛 풃 ← ℤ푞 퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 푚 ∈ 0,1 푛 풔푩, 풆푩 ← 휒 푒퐵′ ← 휒 ′ 푻 푻 푛 풃 = 풔푩퐴 + 풆푩 ∈ ℤ푞 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game2 $ 푛×푛 퐴 ← ℤ푞 $ 푛 풃 ← ℤ푞 퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 푚 ∈ 0,1 푛 풔푩 ← 휒 푒퐵′ ← 휒 $ ′ 푛 풃 ← ℤ푞 푞 푐 = 풔푻 풃 + 푒′ + 푚 ∙ 푩 퐵 2 Game3 $ 푛×푛 퐴 ← ℤ푞 $ 푛 풃 ← ℤ푞 퐴, 풃 퐴, 풃 풃′, 푐 풃′, 푐 푚 $ 푚 ← 0,1 $ ′ 푛 풃 ← ℤ푞 $ 푐 ← ℤ푞 Public Key Cryptosystems Based on the LWE Problem or Related Problems Contents • Review • Diffie-Hellman Like Key Exchange • Peikert’s Method • RLWE in Brief • NewHope Review Lattice-based cryptography Multivariate cryptography Shor Post-Quantum Algorithm Cryptography Code-based etc.
Load more

Recommended publications
  • On Ideal Lattices and Learning with Errors Over Rings∗
    On Ideal Lattices and Learning with Errors Over Rings∗ Vadim Lyubashevskyy Chris Peikertz Oded Regevx June 25, 2013 Abstract The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring- LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE. 1 Introduction Over the last decade, lattices have emerged as a very attractive foundation for cryptography. The appeal of lattice-based primitives stems from the fact that their security can often be based on worst-case hardness assumptions, and that they appear to remain secure even against quantum computers.
    [Show full text]
  • Presentation
    Side-Channel Analysis of Lattice-based PQC Candidates Prasanna Ravi and Sujoy Sinha Roy [email protected], [email protected] Notice • Talk includes published works from journals, conferences, and IACR ePrint Archive. • Talk includes works of other researchers (cited appropriately) • For easier explanation, we ‘simplify’ concepts • Due to time limit, we do not exhaustively cover all relevant works. • Main focus on LWE/LWR-based PKE/KEM schemes • Timing, Power, and EM side-channels Classification of PQC finalists and alternative candidates Lattice-based Cryptography Public Key Encryption (PKE)/ Digital Signature Key Encapsulation Mechanisms (KEM) Schemes (DSS) LWE/LWR-based NTRU-based LWE, Fiat-Shamir with Aborts NTRU, Hash and Sign (Kyber, SABER, Frodo) (NTRU, NTRUPrime) (Dilithium) (FALCON) This talk Outline • Background: • Learning With Errors (LWE) Problem • LWE/LWR-based PKE framework • Overview of side-channel attacks: • Algorithmic-level • Implementation-level • Overview of masking countermeasures • Conclusions and future works Given two linear equations with unknown x and y 3x + 4y = 26 3 4 x 26 or . = 2x + 3y = 19 2 3 y 19 Find x and y. Solving a system of linear equations System of linear equations with unknown s Gaussian elimination solves s when number of equations m ≥ n Solving a system of linear equations with errors Matrix A Vector b mod q • Search Learning With Errors (LWE) problem: Given (A, b) → computationally infeasible to solve (s, e) • Decisional Learning With Errors (LWE) problem: Given (A, b) →
    [Show full text]
  • Overview of Post-Quantum Public-Key Cryptosystems for Key Exchange
    Overview of post-quantum public-key cryptosystems for key exchange Annabell Kuldmaa Supervised by Ahto Truu December 15, 2015 Abstract In this report we review four post-quantum cryptosystems: the ring learning with errors key exchange, the supersingular isogeny key exchange, the NTRU and the McEliece cryptosystem. For each protocol, we introduce the underlying math- ematical assumption, give overview of the protocol and present some implementa- tion results. We compare the implementation results on 128-bit security level with elliptic curve Diffie-Hellman and RSA. 1 Introduction The aim of post-quantum cryptography is to introduce cryptosystems which are not known to be broken using quantum computers. Most of today’s public-key cryptosys- tems, including the Diffie-Hellman key exchange protocol, rely on mathematical prob- lems that are hard for classical computers, but can be solved on quantum computers us- ing Shor’s algorithm. In this report we consider replacements for the Diffie-Hellmann key exchange and introduce several quantum-resistant public-key cryptosystems. In Section 2 the ring learning with errors key exchange is presented which was introduced by Peikert in 2014 [1]. We continue in Section 3 with the supersingular isogeny Diffie–Hellman key exchange presented by De Feo, Jao, and Plut in 2011 [2]. In Section 5 we consider the NTRU encryption scheme first described by Hoffstein, Piphe and Silvermain in 1996 [3]. We conclude in Section 6 with the McEliece cryp- tosystem introduced by McEliece in 1978 [4]. As NTRU and the McEliece cryptosys- tem are not originally designed for key exchange, we also briefly explain in Section 4 how we can construct key exchange from any asymmetric encryption scheme.
    [Show full text]
  • Making NTRU As Secure As Worst-Case Problems Over Ideal Lattices
    Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé1 and Ron Steinfeld2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d’Italie, 69364 Lyon Cedex 07, France. [email protected] – http://perso.ens-lyon.fr/damien.stehle 2 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, NSW 2109, Australia [email protected] – http://web.science.mq.edu.au/~rons Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Sil- verman, is the fastest known lattice-based encryption scheme. Its mod- erate key-sizes, excellent asymptotic performance and conjectured resis- tance to quantum computers could make it a desirable alternative to fac- torisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the se- cret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem. Keywords. Lattice-based cryptography, NTRU, provable security. 1 Introduction NTRUEncrypt, devised by Hoffstein, Pipher and Silverman, was first presented at the Crypto’96 rump session [14]. Although its description relies on arithmetic n over the polynomial ring Zq[x]=(x − 1) for n prime and q a small integer, it was quickly observed that breaking it could be expressed as a problem over Euclidean lattices [6].
    [Show full text]
  • Lattices That Admit Logarithmic Worst-Case to Average-Case Connection Factors
    Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert∗ Alon Rosen† April 4, 2007 Abstract We demonstrate an average-case problem that is as hard as finding γ(n)-approximate√ short- est vectors in certain n-dimensional lattices in the worst case, where γ(n) = O( log n). The previously best known factor for any non-trivial class of lattices was γ(n) = O˜(n). Our results apply to families of lattices having special algebraic structure. Specifically, we consider lattices that correspond to ideals in the ring of integers of an algebraic number field. The worst-case problem we rely on is to find approximate shortest vectors in these lattices, under an appropriate form of preprocessing of the number field. For the connection factors γ(n) we achieve, the corresponding decision problems on ideal lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation problems still appear to be very hard. Indeed, ideal lattices are well-studied objects in com- putational number theory, and the best known algorithms for them seem to perform no better than the best known algorithms for general lattices. To obtain the best possible connection factor, we instantiate our constructions with infinite families of number fields having constant root discriminant. Such families are known to exist and are computable, though no efficient construction is yet known. Our work motivates the search for such constructions. Even constructions of number fields having root discriminant up to O(n2/3−) would yield connection factors better than O˜(n).
    [Show full text]
  • Improved Attacks Against Key Reuse in Learning with Errors Key Exchange (Full Version)
    Improved attacks against key reuse in learning with errors key exchange (full version) Nina Bindel, Douglas Stebila, and Shannon Veitch University of Waterloo May 27, 2021 Abstract Basic key exchange protocols built from the learning with errors (LWE) assumption are insecure if secret keys are reused in the face of active attackers. One example of this is Fluhrer's attack on the Ding, Xie, and Lin (DXL) LWE key exchange protocol, which exploits leakage from the signal function for error correction. Protocols aiming to achieve security against active attackers generally use one of two techniques: demonstrating well-formed keyshares using re-encryption like in the Fujisaki{Okamoto transform; or directly combining multiple LWE values, similar to MQV-style Diffie–Hellman-based protocols. In this work, we demonstrate improved and new attacks exploiting key reuse in several LWE-based key exchange protocols. First, we show how to greatly reduce the number of samples required to carry out Fluhrer's attack and reconstruct the secret period of a noisy square waveform, speeding up the attack on DXL key exchange by a factor of over 200. We show how to adapt this to attack a protocol of Ding, Branco, and Schmitt (DBS) designed to be secure with key reuse, breaking the claimed 128-bit security level in 12 minutes. We also apply our technique to a second authenticated key exchange protocol of DBS that uses an additive MQV design, although in this case our attack makes use of ephemeral key compromise powers of the eCK security model, which was not in scope of the claimed BR-model security proof.
    [Show full text]
  • Cryptography from Ideal Lattices
    Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Ideal Lattices Damien Stehl´e ENS de Lyon Berkeley, 07/07/2015 Damien Stehl´e Ideal Lattices 07/07/2015 1/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2)
    [Show full text]
  • Hardness of K-LWE and Applications in Traitor Tracing
    Hardness of k-LWE and Applications in Traitor Tracing San Ling1, Duong Hieu Phan2, Damien Stehlé3, and Ron Steinfeld4 1 Division of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore 2 Laboratoire LAGA (CNRS, U. Paris 8, U. Paris 13), U. Paris 8 3 Laboratoire LIP (U. Lyon, CNRS, ENSL, INRIA, UCBL), ENS de Lyon, France 4 Faculty of Information Technology, Monash University, Clayton, Australia Abstract. We introduce the k-LWE problem, a Learning With Errors variant of the k-SIS problem. The Boneh-Freeman reduction from SIS to k-SIS suffers from an ex- ponential loss in k. We improve and extend it to an LWE to k-LWE reduction with a polynomial loss in k, by relying on a new technique involving trapdoors for random integer kernel lattices. Based on this hardness result, we present the first algebraic con- struction of a traitor tracing scheme whose security relies on the worst-case hardness of standard lattice problems. The proposed LWE traitor tracing is almost as efficient as the LWE encryption. Further, it achieves public traceability, i.e., allows the authority to delegate the tracing capability to “untrusted” parties. To this aim, we introduce the notion of projective sampling family in which each sampling function is keyed and, with a projection of the key on a well chosen space, one can simulate the sampling function in a computationally indistinguishable way. The construction of a projective sampling family from k-LWE allows us to achieve public traceability, by publishing the projected keys of the users. We believe that the new lattice tools and the projective sampling family are quite general that they may have applications in other areas.
    [Show full text]
  • How to Strengthen Ntruencrypt to Chosen-Ciphertext Security in the Standard Model
    NTRUCCA: How to Strengthen NTRUEncrypt to Chosen-Ciphertext Security in the Standard Model Ron Steinfeld1?, San Ling2, Josef Pieprzyk3, Christophe Tartary4, and Huaxiong Wang2 1 Clayton School of Information Technology Monash University, Clayton VIC 3800, Australia [email protected] 2 Div. of Mathematical Sciences, School of Physical and Mathematical Sciences, Nanyang Technological University, Singapore, 637371 lingsan,[email protected] 3 Centre for Advanced Computing - Algorithms and Cryptography, Dept. of Computing, Macquarie University, Sydney, NSW 2109, Australia [email protected] 4 Institute for Theoretical Computer Science, Tsinghua University, People's Republic of China [email protected] Abstract. NTRUEncrypt is a fast and practical lattice-based public-key encryption scheme, which has been standardized by IEEE, but until re- cently, its security analysis relied only on heuristic arguments. Recently, Stehlé and Steinfeld showed that a slight variant (that we call pNE) could be proven to be secure under chosen-plaintext attack (IND-CPA), assum- ing the hardness of worst-case problems in ideal lattices. We present a variant of pNE called NTRUCCA, that is IND-CCA2 secure in the standard model assuming the hardness of worst-case problems in ideal lattices, and only incurs a constant factor overhead in ciphertext and key length over the pNE scheme. To our knowledge, our result gives the rst IND- CCA2 secure variant of NTRUEncrypt in the standard model, based on standard cryptographic assumptions. As an intermediate step, we present a construction for an All-But-One (ABO) lossy trapdoor function from pNE, which may be of independent interest. Our scheme uses the lossy trapdoor function framework of Peik- ert and Waters, which we generalize to the case of (k −1)-of-k-correlated input distributions.
    [Show full text]
  • Download the Entire Data X
    ARCHW.8 MASSACHUSETTS INSTITUTE OF TECHNOLOLGY Cryptographic Tools for the Cloud JUL 07 2015 by LIBRARIES Sergey Gorbunov - Submitted to the Department of Electrical Engineering and Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy at the MASSACHUSETTS INSTITUTE OF TECHNOLOGY June 2015 @ Massachusetts Institute of Technology 2015. All rights reserved. Signature redacted A u th or .............................. Department of Electrical E gineer and Computer Science May 18, 2015 Signature redacted C ertified by ...................................... r.. ....................... Vinod Vaikuntanathan Assistant Professor Thesis Supervisor Signature redacted Accepted by .......................... -- JI lA.Kolodziejski Chairman, Department Committee on Graduate Theses Cryptographic Tools for the Cloud by Sergey Gorbunov Submitted to the Department of Electrical Engineering and Computer Science on May 18, 2015, in partial fulfillment of the requirements for the degree of Doctor of Philosophy Abstract Classical cryptography is playing a major role in securing the Internet. Banking transactions, medical records, personal and military messages are transmitted securely through the Internet using classical encryption and signature algorithms designed and developed over the last decades. However, today we face new security challenges that arise in cloud settings that cannot be solved effectively by these classical algorithms. In this thesis, we address three major challenges that arise in cloud settings and present new cryptographic algorithms to solve them. Privacy of data. How can a user efficiently and securely share data with multiple authorized receivers through the cloud? To address this challenge, we present attribute- based and predicate encryption schemes for circuits of any arbitrary polynomial size. Our constructions are secure under the standard learning with errors (LWE) assumption.
    [Show full text]
  • NIST)  Quantum Computing Will Break Many Public-Key Cryptographic Algorithms/Schemes ◦ Key Agreement (E.G
    Post Quantum Cryptography Team Presenter: Lily Chen National Institute of Standards and Technology (NIST) Quantum computing will break many public-key cryptographic algorithms/schemes ◦ Key agreement (e.g. DH and MQV) ◦ Digital signatures (e.g. RSA and DSA) ◦ Encryption (e.g. RSA) These algorithms have been used to protect Internet protocols (e.g. IPsec) and applications (e.g.TLS) NIST is studying “quantum-safe” replacements This talk will focus on practical aspects ◦ For security, see Yi-Kai Liu’s talk later today ◦ Key establishment: ephemeral Diffie-Hellman ◦ Authentication: signature or pre-shared key Key establishment through RSA, DHE, or DH Client Server ◦ RSA – Client encrypts pre- master secret using server’s Client RSA public key Hello Server Hello Certificate* ◦ DHE – Ephemeral Diffie- ServerKeyExchange* Hellman CertificateRequest* ◦ DH – Client generates an ServerHelloDone ephemeral DH public value. Certificate* ClientKeyExchange* Pre-master secret is generated CertificateVerify* using server static public key {ChangeCipherSpec} Finished Server authentication {ChangeCipherSpec} ◦ RSA – implicit (by key Finished confirmation) ◦ DHE - signature Application data Application Data ◦ DH – implicit (by key confirmation) IKE ◦ A replacement of ephemeral Diffie-Hellman key agreement should have a fast key pair generation scheme ◦ If signatures are used for authentication, both signing and verifying need to be equally efficient TLS ◦ RSA - encryption replacement needs to have a fast encryption ◦ DHE – fast key pair generation and efficient signature verification ◦ DH – fast key pair generation Which are most important in practice? ◦ Public and private key sizes ◦ Key pair generation time ◦ Ciphertext size ◦ Encryption/Decryption speed ◦ Signature size ◦ Signature generation/verification time Not a lot of benchmarks in this area Lattice-based ◦ NTRU Encryption and NTRU Signature ◦ (Ring-based) Learning with Errors Code-based ◦ McEliece encryption and CFS signatures Multivariate ◦ HFE, psFlash , Quartz (a variant of HFE), Many more….
    [Show full text]
  • A Decade of Lattice Cryptography
    A Decade of Lattice Cryptography Chris Peikert1 February 17, 2016 1Department of Computer Science and Engineering, University of Michigan. Much of this work was done while at the School of Computer Science, Georgia Institute of Technology. This material is based upon work supported by the National Science Foundation under CAREER Award CCF-1054495, by DARPA under agreement number FA8750-11- C-0096, and by the Alfred P. Sloan Foundation. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author and do not necessarily reflect the views of the National Science Foundation, DARPA or the U.S. Government, or the Sloan Foundation. The U.S. Government is authorized to reproduce and distribute reprints for governmental purposes notwithstanding any copyright notation thereon. Abstract n Lattice-based cryptography is the use of conjectured hard problems on point lattices in R as the foundation for secure cryptographic systems. Attractive features of lattice cryptography include apparent resistance to quantum attacks (in contrast with most number-theoretic cryptography), high asymptotic efficiency and parallelism, security under worst-case intractability assumptions, and solutions to long-standing open problems in cryptography. This work surveys most of the major developments in lattice cryptography over the past ten years. The main focus is on the foundational short integer solution (SIS) and learning with errors (LWE) problems (and their more efficient ring-based variants), their provable hardness assuming the worst-case intractability of standard lattice problems, and their many cryptographic applications. Contents 1 Introduction 3 1.1 Scope and Organization . .4 1.2 Other Resources . .5 2 Background 6 2.1 Notation .
    [Show full text]