Cyclotomic Polynomials in Ring-LWE Homomorphic Encryption Schemes

Homomorphic Encryption has been considered the 'Holy Grail of Cryptography' since the discovery of secure public key cryptography in the 1970s. In 2009, a long-standing question about whether fully homomorphic encryption is theoretically plausible was affirmatively answered by Craig Gentry and his bootstrapping construction. Gentry's breakthrough has initiated a surge of new research in this area, one of the most promising ideas being the Learning With Errors (LWE) problem posed by Oded Regev. Although this problem has proved to be versatile as a basis for homomorphic encryption schemes, the large key sizes result in a quadratic overhead, making this inefficient for practical purposes. In order to address this efficiency issue, Oded Regev, Chris Peikert and Vadim Lyubashevsky ported the LWE problem to a ring setting, thus calling it the Ring Learning with Errors (Ring-LWE) problem.

Approximate Homomorphic Encryption over the Conjugate-invariant Ring

Abstract. The Ring Learning with Errors (RLWE) problem over a cyclotomic ring has been the most widely used hardness assumption for the construction of practical homomorphic encryption schemes. However, this restricted choice of a base ring may cause a waste in terms of plaintext space usage. For example, an approximate homomorphic encryption scheme of Cheon et al. (ASIACRYPT 2017) is able to store a complex number in each of the plaintext slots since its canonical embedding of a cyclotomic field has a complex image. The imaginary part of a plaintext is not underutilized at all when the computation is performed over the real numbers, which is required in most of the real-world applications such as machine learning. In this paper, we are proposing a new homomorphic encryption scheme which supports arithmetic over the real numbers. Our scheme is based on RLWE over a subring of a cyclotomic ring called conjugate-invariant ring. We show that this problem is no easier than a standard lattice problem over ideal lattices by the reduction of Peikert et al. (STOC 2017). Our scheme allows real numbers to be packed in a ciphertext without any waste of a plaintext space and consequently we can encrypt twice as many plaintext slots as the previous scheme while maintaining the same security level, storage, and computational costs.

Fully Homomorphic Encryption from Ring-LWE: Identity-Based, Arbitrary Cyclotomic, Tighter Parameters

Gentry constructed a "somewhat homomorphic" scheme at first, which supports only a limited number of homomorphic multiplications; then by "bootstrapping" one obtains a fully homomorphic encryption scheme. Since the appearance of Gentry's scheme, a series of homomorphic encryption schemes [2-4] based on different academic and mathematical problems has been put forward. There has been much discussion in the field whether fully homomorphic encryption has practical value or not. One of the reasons is that the existing encryption schemes' public key size is large, and effective key management has always been a problem of the encryption application. Identity based encryption [5] uses the user's unique identity (such as E-mail addresses, etc.) as its public key, and the user's private key is generated by the trusted third party, which does not rely on the public key certificate for key management. Naccache [6] first raised at CHES in 2010 that constructing an identity-based fully homomorphic encryption scheme is an open problem.

Packed Ciphertexts in LWE-based Homomorphic Encryption

Another thing which is easier to do in integer-based schemes than in polynomial-based schemes is to gradually reduce the dimension as the computation progresses: Fresh ciphertexts in all these schemes must have a very large modulus/noise ratio to enable computation, which implies that we need fairly high dimension (or fairly high ring-size) to get security. However, larger noise (and hence smaller modulus/noise ratio) is used as the computation progresses, so from a security standpoint it is permissible to switch to lower dimension (or smaller ring), thus speeding up further homomorphic operations. Recently, it was shown in [GHPS12] how to do this for schemes in polynomial rings, but this operation is highly constrained by the relevant algebra. Specifically, if the dimension of the initial ring is some m, then it is only possible to switch to other rings of dimension that divides m. In particular it means that the first time we can perform this transformation is when it is safe to switch to a ring of size m/2 (or less), which means that at least half the computation has to be done relative to the original large ring. In contrast, switching to a lower dimension is nearly trivial in LWE-based schemes: All we need is key-switching from the initial dimension-n key to a lower-dimension key, exactly as is done for re-linearization (with the noise magnitude in the key-switching gadget increased to provide adequate security relative to the lower dimension).

Ring-LWE in Polynomial Rings

Since its recent introduction, the Ring-LWE problem [LPR10] has already been used as a building block for numerous cryptographic applications. In addition to its original functionality as the basis of efficient lattice-based cryptosystems [LPR10], it has since been used as a hardness assumption in the constructions of efficient signature schemes [MP11,Lyu11], fully-homomorphic encryption schemes [BV11b,BV11a,BGV11,GHS11], pseudo-random functions [BPR11], protocols for doing secure multi-party computation [DPSZ11,LATV11], and also gives an explanation for the hardness of the NTRU cryptosystem [SS11]. A very natural way in which one would like to be able to define the (decisional) Ring-LWE problem is as follows: for a polynomial ring R_q = Z_q[X]/(f(X))

Which Ring Based Somewhat Homomorphic Encryption Scheme is Best?

Some of the more spectacular advances in implementation improvements for Somewhat Homomorphic Encryption (SHE) schemes have come in the context of the ring based schemes such as BGV [3]. The main improvements here have come through the use of SIMD techniques (first introduced in the context of Gentry’s original scheme [7] by Smart and Vercauteren [17], but then extended to the Ring-LWE based schemes by Gentry et al [3]). SIMD techniques in the ring setting allow for a small overall asymptotic overhead in using SHE schemes [8] by exploiting the Galois group to move data between slots. The Galois group can also be used to perform cheap exponentiation via the Frobenius endomorphism [9]. Other improvements in the ring based setting have come from the use of modulus switching to a larger modulus, so as to perform key switching [9], the use of scale invariant versions [6, 1], and the use of NTRU to enable key homomorphic schemes [14].

On Key Recovery Attacks against Existing Somewhat Homomorphic Encryption Schemes

We first remark that the LWE and RLWE problems are syntactically equivalent. They only use different rings (Z for LWE, and a polynomial ring Z[x]/(x^d + 1) for RLWE), as well as different vector dimensions over these rings (n = poly(λ) for LWE, n = 1 for RLWE). For this reason and to simplify the presentation, the authors of [BGV12] introduced the general learning with errors (GLWE) problem, which is a generalized version of LWE and RLWE. Definition 4 (GLWE problem). For security parameter λ, let n = n(λ) be an integer dimension, let f(x) = x^d + 1 where d = d(λ) is a power of 2, let q = q(λ) ≥ 2 be a prime

Fast Secure Matrix Multiplications over Ring-Based Homomorphic Encryption

Matrix computation is one of the most basic and useful operations for various applications, including statistical analysis, image processing and machine learning. In this paper, we focus on secure matrix multiplications (see Figure 1 below for an image of our goal). At present, ring-based leveled FHE schemes, such as BGV [4], FV [10], YASHE [3], and NTRU [19], are efficient and useful. BGV and FV schemes are based on the ring-LWE (learning with errors) assumption [21], and YASHE is a variant of NTRU. Costache and Smart [8] compared features of such schemes (see also [18] for a comparison), and showed that the BGV scheme is more efficient for large plaintext space than other schemes. Hence we use HElib [16] as a software library in our implementation of the BGV scheme. (Recently, HElib has been improved for efficiency [17].) For secure matrix computation, matrix-vector multiplication is proposed in HElib (see [15] for its manual). Recently, Lu et al. [20] slightly modified the matrix-vector multiplication for secure statistical analysis over HElib. As an individual work, Duong et al. [9] proposed efficient methods for secure single matrix multiplication over ring-based SHE schemes. Later, Wang et al. [28] modified Duong et al.'s methods for flexible matrix computation, but their modification is much less efficient for matrices of larger size.

Efficient Evaluation of Low Degree Multivariate Polynomials in Ring-LWE Homomorphic Encryption Schemes

Several studies were conducted in order to improve the evaluation performance of polynomials over encrypted data and take advantage of the plaintext space polynomial structure. The coefficient packing method, introduced in [22], allows packing several messages into a single ciphertext. In a series of papers [28, 27] the authors describe how to evaluate multivariate linear polynomials over coefficient packed messages. In this work, we further generalize their method to allow evaluation of low-degree multivariate polynomials. The coefficients of the evaluated multivariate polynomial can be either in clear or encrypted forms. The proposed packing and computation methods allow not only to reduce the ciphertext expansion ratio but also to perform computations using messages encoded in

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes

functions evaluate an inner product followed by a rounding function and since the rounding function is a step function, instead of first applying the expensive bootstrapping and then evaluating a function f, one can replace the last rounding step in the bootstrapping by a more general step function g that approximates f and use a homomorphic lookup table evaluation. This is essentially the idea of the key-switching algorithms described in Section 2.2 that are later used to achieve a switch between the schemes in Sections 3 and 4. Note that the concept of functional key-switch is not new (it appeared already in the context of TFHE [16] and implicitly in the work of Ducas and Micciancio [18]). Yet, its application to scheme switching presented in this work is novel.

Ring Homomorphic Encryption Schemes

Fully Homomorphic Encryption (FHE) is considered to be the "holy grail" of cryptography. In short, fully homomorphic encryption allows one to perform arbitrary computation on encrypted data. The main usability of such a device is to outsource a computation to a remote server without compromising data privacy. In [12], C. Gentry succeeded in describing the first plausible method for constructing fully homomorphic encryption schemes. Gentry's approach consists of several steps: first, he constructs a somewhat homomorphic encryption scheme, which is an encryption scheme that supports evaluating low-degree polynomials on the encrypted data. Next, he "squashes" the decryption procedure so that it can be expressed as a low-degree polynomial which is supported by the scheme, and finally, he develops a bootstrapping technique which allows one to obtain a fully homomorphic scheme. The first generation of fully homomorphic schemes ([13], [11], [24], [10], [15]) constructed following this recipe is based on ideal lattices, which became lately the standard ground for post-quantum cryptology [21]. A second generation of encryption schemes started in [5], where fully homomorphic encryption was established in a simpler way, based on the learning with errors assumption; the scheme was then improved in [7]. Currently, perhaps the simplest FHE scheme based on the learning with errors assumption is by Brakerski [6], who built on Regev's public key encryption scheme [20]. The most recent achievement in this direction was obtained in [16], where a significant FHE scheme was introduced claiming three important properties: simpler, faster, and attribute-based FHE. Here we emphasize that all these FHE schemes are "noisy" schemes, namely, ciphertexts for these FHE schemes involve "noise" terms to conceal plaintexts. In this respect, an immediate question is whether one can actually construct a noise-free FHE scheme.
In such a noise-free FHE scheme, the ciphertext space and the plaintext space should both have ring structures, and the decryption algorithm should be a ring homomorphism, so that one can call such a scheme a ring homomorphic encryption scheme. Moreover, as explained in [14], it is enough to look for a ring homomorphic encryption scheme in which the plaintext is the field with two elements F_2. Let us mention here that a different approach towards achieving noise-free FHE was

A masked ring-LWE implementation

There are plenty of countermeasures against DPA. Most notably, masking [6,12] is both provably sound and popular in industry. Masking effectively randomizes the computation of the cryptographic algorithm by splitting each intermediate into several shares, in such a way that each share is independent from any secret. This property is preserved through the entire computation. Thus, observing any single intermediate (for example, by a side-channel, be it known or unknown) reveals nothing about the secret. However, there are not many masking schemes specifically designed for post-quantum cryptography. In [4] Brenner et al. present a masked FPGA implementation of the post-quantum pseudo-random function SPRING.

Factorization of Cyclotomic Polynomials with Quadratic Radicals in the Coefficients

In this article we continue the consideration of geometrical constructions of regular n-gons for odd n by rhombic bicompasses and ruler used in [1] for the construction of the regular heptagon (n = 7). We discuss the possible factorization of the cyclotomic polynomial in polynomial factors which contain not higher than quadratic radicals in the coefficients, whereas usually the factorization of the cyclotomic polynomials is considered in products of irreducible factors with integer coefficients. In considering the regular heptagon we find a modified variant of its construction by rhombic bicompasses and ruler. In detail, supported by figures, we investigate the case of the regular tridecagon (n = 13) which in addition to n = 7 is the only candidate with low n (the next to this is n = 769) for which such a construction by rhombic bicompasses and ruler seems to be possible. Besides the coordinate origin we find here two points to fix for the possible application of two bicompasses (or even four with the addition of the complex conjugate points to be fixed). With only one bicompass one has in addition the problem of the trisection of an angle which can be solved by a neusis construction that, however, is not in the spirit of constructions by compass and ruler and is difficult to realize during the action of bicompasses. As discussed, it seems that to finish the construction by bicompasses the correlated action of two rhombic bicompasses must be applied in this case, which avoids the disadvantages of the neusis construction. Single rhombic bicompasses allow one to draw at once two circles around two fixed points in such a correlated way that the position of one of the rotating points on one circle determines the positions of all the other points on the second circle in a unique way. The known case n = 17 embedded in our method is discussed in detail.

Adaptive key recovery attacks on NTRU-based somewhat homomorphic encryption schemes

same key pair, then we say that the cryptosystem is secure against chosen plaintext attacks (CPA). In homomorphic encryption, it is impossible to achieve CCA2 security, because the adversary can add an encryption of zero to the encrypted challenge, or multiply it by the encryption of one, and send it to the decryption oracle, which allows him to trivially win the game. Many FHE schemes have as public value an encryption of the private key bits, which can be sent to the decryption oracle before the challenge, which makes such schemes insecure against CCA1 adversaries. Indeed, a key recovery attack is stronger than a CCA1 attack and Loftus et al. [LMSV12] showed that Gentry's construction over ideal lattices is vulnerable to it and presented the only SHE proposal that is known to be CCA1 secure.

Adding Distributed Decryption and Key Generation to a Ring-LWE Based CCA Encryption Scheme

It should be noted that the statistical security in this step is really only per coefficient of the ring-element, and thus to obtain “true” security one needs to actually choose secp much larger than is done in (say) the SCALE-MAMBA system [3] (where a value of secp = 40 is selected). Although in practice this is probably not a problem as it is unknown how to extract the minor statistical variations per coefficient when processing a number of full ring elements in this manner. Even when selecting low values of secp such as 40, one obtains a huge blow-up in the parameters of the scheme and hence increased computational cost.

LAC: Practical Ring-LWE Based Public-Key Encryption with Byte-Level Modulus

Abstract. We propose an instantiation of a public key encryption scheme based on the ring learning with errors problem, where the modulus is at a byte level and the noise is at a bit level, achieving one of the most compact lattice based schemes in the literature. The main technical challenges are a) the decryption error rate increases and needs to be handled elegantly, and b) we cannot use the Number Theoretic Transform (NTT) technique to speed up the implementation. We overcome those limitations with some customized parameter sets and heavy error correction codes. We give a treatment of the concrete security of the proposed parameter set, with regards to the recent advance in lattice based cryptanalysis. We present an optimized implementation taking advantage of our byte level modulus and bit level noise. In addition, a byte level modulus allows for high parallelization and the bit level noise avoids the modulus reduction during multiplication. Our result shows that LAC is more compact than most of the existing (Ring-)LWE based solutions, while achieving a similar level of efficiency, compared with popular solutions in this domain, such as Kyber.

Key Recovery Attacks against NTRU-based Somewhat Homomorphic Encryption Schemes

In the literature, all Somewhat Homomorphic Encryption (SHE) schemes have been developed with the aim of being IND-CPA secure. In [Gen09], Gentry emphasized it as a future work to investigate SHE schemes with IND-CCA1 security (i.e. secure against a non-adaptive chosen-ciphertext attack). Up to now, the only scheme proven IND-CCA1 secure is that by Loftus et al. [LMSV12]. Most works in this direction focus on devising attacks against existing SHE schemes. It has been shown that most existing SHE schemes suffer from key recovery attacks, which allow an attacker to recover the private key of an underlying encryption scheme when given a number of decryption oracle accesses. It is clear that a key recovery attack is stronger than a typical attack against IND-CCA1 security.

Compact Ring-LWE based Cryptoprocessor

A[k + j] and A[k + j + m/2] are first read from memory and then arithmetic operations (one multiplication, one addition and one subtraction) are performed. The new A[k + j] and A[k + j + m/2] are then written back to memory. During one iteration of the innermost loop, the arithmetic circuits are thus used only once, while the memory is read or written twice. This leads to idle cycles in the arithmetic circuits. The polynomial multiplier in [22] uses two parallel memory blocks to provide a continuous flow of coefficients to the arithmetic circuits. However this approach could result in under-utilization of the RAM blocks if the coefficient size is much smaller than the word size (for example in the ring-LWE cryptosystem [17]). In the literature there are many papers on efficient memory management schemes using segmentation and efficient address generation (see [18]) for the classical FFT algorithm. Another well known approach is the constant geometry FFT (or NTT) which always maintains a constant index difference between the processed coefficients [21]. However the constant geometry algorithm is not in-place and hence not suitable for resource constrained platforms. In [1] memory usage is improved by keeping two coefficients A[k] and B[k] of the two input polynomials A and B in the same memory location. We propose a memory access scheme which is designed to minimize the number of block RAM slices and to achieve maximum utilization of computational circuits present in the NTT architecture.

Estimate all the {LWE, NTRU} schemes!

The techniques outlined above to solve the LWE and NTRU problems rely on lattice reduction, the procedure of generating a "sufficiently orthogonal" basis given the description of a lattice. The lattice reduction algorithm attaining the best theoretical results is Slide reduction [GN08]. In this work, however, we consider the experimentally best performing algorithm, BKZ [SE94,CN11,DT17]. Given a basis for one of the lattices described above, we need to choose the block size necessary to successfully recover the shortest vector when running BKZ. This is done following the analysis introduced in [ADPS16, Section 6.3] for the LWE and NTRU primal attacks, and the analysis done in [MR09,Alb17] for the LWE dual attack. BKZ in turn makes use of an oracle solving the Shortest Vector Problem (or SVP oracle) in a smaller lattice. Several SVP algorithms can be used to instantiate this oracle, the two most efficient being current generations of sieving [BDGL16] or enumeration [MW15]. Since we are considering security in the post-quantum setting, we also have to consider quantum algorithms, which as of writing mainly means to consider potential Grover [Gro96] speed-ups for these algorithms [LMvdP15,ADPS16]. We note that the reported speed-ups of these algorithms assume perfect quantum computers that can run arbitrarily long computations and disregard the inherent lack of parallelism in Grover-style search. A more refined understanding of the cost of quantum algorithms for solving SVP is a pressing topic for future research.

Homomorphic Image Encryption

The pre-existing Image Encryption techniques aimed at peer-to-peer sharing, and one has to take the risk of trusting the other entity, usually third-party apps. We find that most schemes aim at achieving a tradeoff between time complexity and efficiency. However, using the homomorphic technique the security is improved and the total control lies within the user. It provides total peer-to-peer security. The domain is still new and developing and a lot needs to be introduced before it can be practically introduced in society. The problem lies within extracting features from the encrypted images, which plays a vital role in Machine learning using image processing and can be considered as a part of future scope.