Craig Gentry,Shai Halevi,Chris Peikert,Nigel P. Smart

DOI: https://doi.org/10.1007/978-3-642-32928-9_2

2012-01-01

Abstract:The security of BGV-style homomorphic encryption schemes over polynomial rings relies on rings of very large dimension. This large dimension is needed because of the large modulus-to-noise ratio in the key-switching matrices that are used for the top few levels of the evaluated circuit. However, larger noise (and hence smaller modulus-to-noise ratio) is used in lower levels of the circuit, so from a security standpoint it is permissible to switch to lower-dimension rings, thus speeding up the homomorphic operations for the lower levels of the circuit. However, implementing such ring-switching is nontrivial, since these schemes rely on the ring algebraic structure for their homomorphic properties.A basic ring-switching operation was used by Brakerski, Gentry and Vaikuntanathan, over polynomial rings of the form \documentclass[12pt]{minimal}\usepackage{amsmath}\usepackage{wasysym}\usepackage{amsfonts}\usepackage{amssymb}\usepackage{amsbsy}\usepackage{mathrsfs}\usepackage{upgreek}\setlength{\oddsidemargin}{-69pt}\begin{document}$\mathbb{Z}[X]/(X^{2^n}+1)$\end{document}, in the context of bootstrapping. In this work we generalize and extend this technique to work over any cyclotomic ring and show how it can be used not only for bootstrapping but also during the computation itself (in conjunction with the “packed ciphertext” techniques of Gentry, Halevi and Smart).

Drăgoi, Vlad-Florin

DOI: https://doi.org/10.1007/s12095-024-00712-3

2024-05-11

Cryptography and Communications

Abstract:Code-based cryptography received attention after the NIST started the post-quantum cryptography standardization process in 2016. A central NP-hard problem is the binary syndrome decoding problem, on which the security of many code-based cryptosystems lies. The best known methods to solve this problem all stem from the information-set decoding strategy, first introduced by Prange in 1962. A recent line of work considers augmented versions of this strategy, with hints typically provided by side-channel information. In this work, we consider the integer syndrome decoding problem, where the integer syndrome is available but might be noisy. We study how the performance of the decoder is affected by the noise. First we identify the noise model as being close to a centered in zero binomial distribution. Second we model the probability of success of the ISD-score decoder in presence of a binomial noise. Third, we demonstrate that with high probability our algorithm finds the solution as long as the noise parameter d is linear in t (the Hamming weight of the solution) and t is sub-linear in the code-length. We provide experimental results on cryptographic parameters for the BIKE and Classic McEliece cryptosystems, which are both candidates for the fourth round of the NIST standardization process.

computer science, theory & methods,mathematics, applied

Shihe Ma,Tairong Huang,Anyu Wang,Xiaoyun Wang

DOI: https://doi.org/10.1007/978-3-031-58723-8_14

2024-01-01

Abstract:The BGV scheme is one of the most popular FHE schemes for computing homomorphic integer arithmetic. The bootstrapping technique of BGV is necessary to evaluate arbitrarily deep circuits homomorphically. However, the BGV bootstrapping performs poorly for large plaintext prime p due to its digit removal procedure exhibiting a computational complexity of at least O(root p). In this paper, we propose optimizations for the digit removal procedure with large p by leveraging the properties of null polynomials over the ring Z(pe). Specifically, we demonstrate that it is possible to construct low-degree null polynomials based on two observations of the input to the digit removal procedure: 1) the support size of the input can be upper-bounded by (2B + 1)(2); 2) the size of the lower digits to be removed can be upper-bounded by B. Here B can be controlled within a narrow interval [22, 23] in our parameter selection, making the degree of these null polynomials much smaller than p for large values of p. These low-degree null polynomials can significantly reduce the polynomial degrees during homomorphic digit removal, thereby decreasing both running time and capacity consumption. Theoretically, our optimizations reduce the computational cost of extracting a single digit from O(root pe) (by Chen and Han) or O(root p 4 root epsilon) (by Geelen et al.) to min(2B + 1, root inverted right perpendicular e/t inverted left perpendicular (2B + 1)) for some t >= 1. We implement and benchmark our method on HElib with p = 17, 127, 257, 8191 and 65537 (The code is available at https://github.com/msh086/BGVBoot-for- Large- p). With our optimized digit removal, we achieve a bootstrapping throughput 1.38 similar to 151 times that in HElib, with the speedup increasing with the value of p. For p = 65537, we accelerate the digit removal step by 80 times and reduce the bootstrapping time from more than 12 h to less than 14min.

Archi Gupta,Priya Ghosh,Kornikar Sen,Ujjwal Sen

2024-08-12

Abstract:The Bernstein-Vazirani (BV) algorithm offers exceptional accuracy in finding the hidden bit string of a function. We explore how the algorithm performs in real-world situations where noise can potentially interfere with its performance. In order to assess the impact of imperfect equipments, we introduce various forms of glassy disorders into the effect of the Hadamard gates used in the Bernstein-Vazirani circuit. We incorporated disorders of five different forms, viz., Haar-uniform with finite cutoff, spherical Gaussian, discrete circular, spherical Cauchy-Lorentz, and squeezed. We find that the effectiveness of the algorithm decreases with increasing disorder strength in all cases. Additionally, we demonstrate that as the number of bits in the secret string increases, the success probability of correctly guessing the string becomes increasingly insensitive to the type of disorder and instead depends only on the mean and spread of the disorder. We compare our results with the performance of the analogous classical algorithm in the presence of similar noise. When the length of the secret string is small or moderate, the quantum BV algorithm is found to be more efficient compared to the classical algorithm for almost all types of disorders under consideration, unless the strength of the disorder is very high and the disorder follows a discrete circular distribution. However, if we move to extremely large secret strings, the success probability of the disordered BV algorithm merges with the success probability of the disordered classical algorithm for all considered disorders having arbitrary strengths. The limit on the length of the string after which the efficiency of the quantum algorithm becomes equivalent to the classical algorithm depends on the amount of disorder and not on the type of disorder.

Quantum Physics

Luke Mortimer

2024-12-12

Abstract:Bell inequalities are an important tool for studying non-locality, however quickly become computationally intractable as the system size grows. We consider a novel method for finding an upper bound for the quantum violation of such inequalities by combining the NPA hierarchy, the method of alternating projections, and the memory-efficient optimisation algorithm L-BFGS. Whilst our method may not give the tightest upper bound possible, it often does so several orders of magnitude faster than state-of-the-art solvers, with minimal memory usage, thus allowing solutions to problems that would otherwise be intractable. We benchmark using the well-studied I3322 inequality as well as a more general large-scale randomized inequality RXX22. For randomized inequalities with 130 inputs either side (a first-level moment matrix of size 261x261), our method is ~100x faster than both MOSEK and SCS whilst giving a bound only ~2% above the optimum.

Quantum Physics

Gereon Koßmann,René Schwonnek

2024-11-08

Abstract:This paper introduces a numerical framework for establishing lower bounds on the conditional von-Neumann entropy in device-independent quantum cryptography and randomness extraction scenarios. Leveraging a hierarchy of semidefinite programs derived from the Navascués-Pironio-Acin (NPA) hierarchy, our tool enables efficient computation of entropy bounds based solely on observed statistics, assuming the validity of quantum mechanics. The method's computational efficiency is ensured by its reliance on projective operators within the non-commutative polynomial optimization problem. The method facilitates provable bounds for extractable randomness in noisy scenarios and aligns with modern entropy accumulation theorems. Consequently, the framework offers an adaptable tool for practical quantum cryptographic protocols, expanding secure communication possibilities in untrusted environments.

Quantum Physics

Jiming Xu,Yujian Wang,Juan Liu,Xin'an Wang

DOI: https://doi.org/10.1109/asid50160.2020.9271722

2020-01-01

Abstract:Ring learning with errors (RLWE) is a commonly-used primitive in the construction of lattice-based cryptography, which is widely adopted in the design of post-quantum cryptographic algorithms and homomorphic encryption schemes. The cryptosystems based on RLWE are usually defined on a polynomial quotient ring with addition and multiplication operations. The polynomial multiplication is expensive in both time and space, hence optimizations are needed in order to achieve practical RLWE implementations. Number theoretic transform (NTT) is a technique widely used to speed up polynomial multiplications. In this paper we propose a general-purpose NTT algorithm that can support different RLWE parameters. Unlike the NTT optimizations which need significant amount of space to store the NTT parameters for each different RLWE setting, this algorithm trades a small amount of time for the elimination of most pre-computed NTT parameters. This is particularly helpful for implementations which have tight area or storage budget. For the Fan-Vercauteren fully-homomorphic encryption scheme with 192-bit classical security, our implementation of all the NTT components requires 612 bytes of read-only data on a STM32 microcontroller, while a conventional implementation requires 96 KB.

Andrew C. Yao

2004-01-01

Abstract:The “x2 mod N” generator, also known as the BBS generator [2], has a strong theoretical foundation from the computational complexity theory and the number theory. Proofs were given that, under certain reasonable assumptions on which modern cryptography heavily relies, the BBS pseudo-random sequences would pass any feasible statistical test. Unfortunately, the algorithm was found to be too slow for computer simulation applications. In this article, we present a practical implementation of the “x2 mod N” generator. We show a variant of the Montgomery modular multiplication algorithm [21] tailored to the typical computer environment used for computer simulations. We observed an adequate level of performance for the “x2 mod N” generator to be seriously considered whenever an otherwise “good” pseudo-random generator casts a doubt about the results of a sensitive simulation.

Zongsheng Hou,Neng Zhang,Leibo Liu

DOI: https://doi.org/10.1088/1742-6596/1993/1/012030

2021-01-01

Journal of Physics Conference Series

Abstract:Fully homomorphic encryption (FHE) is a novel encryption method that can perform operations on encrypted data. The performance of applications based on FHE is still low due to the high computational complexity of operations on the ciphertext. In this paper, we proposed an efficient FHE radix-2 addition algorithm in BGV scheme, called Optimized Cheon’s SIMD Adder. It is an optimization of Cheon’s SIMD Adder. The proposed adder uses the previously calculated results as much as possible to calculate the new result, so that it can keep the circuit depth as 0(log(μ)) and reduce the number of homomorphic multiplications. We also compared the weighted computational complexity (WCC) between this work and Cheon’s. The WCC of this work is only O (μ), while Cheon’s is 0(μ· log (μ)). At the end of the paper, we implemented the proposed addition, which improves the calculation speedup by 1.3 ~ 1.4 times for 8 ~ 512- bit adders compared with Cheon’s SIMD Adder.

Bong Gon Kim,Dennis Wong,Yoon Seok Yang

DOI: https://doi.org/10.5121/csit.2023.132104

2024-02-07

Abstract:We present a secure and private blockchain-based Verifiable Random Function (VRF) scheme addressing some limitations of classical VRF constructions. Given the imminent quantum computing adversarial scenario, conventional cryptographic methods face vulnerabilities. To enhance our VRF's secure randomness, we adopt post-quantum Ring-LWE encryption for synthesizing pseudo-random sequences. Considering computational costs and resultant on-chain gas costs, we suggest a bifurcated architecture for VRF design, optimizing interactions between on-chain and off-chain. Our approach employs a secure ring signature supported by NIZK proof and a delegated key generation method, inspired by the Chaum-Pedersen equality proof and the Fiat-Shamir Heuristic. Our VRF scheme integrates multi-party computation (MPC) with blockchain-based decentralized identifiers (DID), ensuring both security and randomness. We elucidate the security and privacy aspects of our VRF scheme, analyzing temporal and spatial complexities. We also approximate the entropy of the VRF scheme and detail its implementation in a Solidity contract. Also, we delineate a method for validating the VRF's proof, matching for the contexts requiring both randomness and verification. Conclusively, using the NIST SP800-22 of the statistical randomness test suite, our results exhibit a 98.86% pass rate over 11 test cases, with an average p-value of 0.5459 from 176 total tests.

Cryptography and Security,Distributed, Parallel, and Cluster Computing

Kalyan Barman,Tomoyuki Ichiba,Palaniappan Vellaisamy

2024-10-01

Abstract:This paper deals with bilateral-gamma (BG) approximation to functionals of an isonormal Gaussian process. We use Malliavin-Stein method to obtain the error bounds for the smooth Wasserstein distance. As by-products, the error bounds for variance-gamma (V G), Laplace, gamma and normal approximations are presented. Our approach is new in the sense that the Stein equation is based on integral operators rather than diferential operators commonly used in the literature. Some of our bounds are sharper than the existing ones. For the approximation of a random element from the second Wiener chaos to a BG distribution, the bounds are obtained in terms of their cumulants. Using this result, we show that a sequence of random variables (rvs) in the second Wiener chaos converges in distribution to a BG rv if their cumulants of order two to six converge. As an application of our results, we consider an approximation of homogeneous sums of independent rvs to a BG distribution, and mention some related limit theorems also. Finally, an approximation of a U-statistic to the BG distribution is discussed.

Probability

Johannes Buchmann,Daniel Cabarcas,Jintai Ding,Mohamed Saied Emam Mohamed

DOI: https://doi.org/10.1007/978-3-642-12678-9_5

2010-01-01

Abstract:Recent developments in multivariate polynomial solving algorithms have made algebraic cryptanalysis a plausible threat to many cryptosystems. However, theoretical complexity estimates have shown this kind of attack unfeasible for most realistic applications. In this paper we present a strategy for computing Gröbner basis that challenges those complexity estimates. It uses a flexible partial enlargement technique together with reduced row echelon forms to generate lower degree elements–mutants. This new strategy surpasses old boundaries and obligates us to think of new paradigms for estimating complexity of Gröbner basis computation. The new proposed algorithm computed a Gröbner basis of a degree 2 random system with 32 variables and 32 equations using 30 GB which was never done before by any known Gröbner bases solver.

Jose L. Imana,Pengzhou He,Tianyou Bao,Yazheng Tu,Jiafeng Xie

DOI: https://doi.org/10.1109/tcsi.2022.3169471

2022-07-29

Abstract:Ring learning-with-errors (RLWE)-based encryption scheme is a lattice-based cryptographic algorithm that constitutes one of the most promising candidates for Post-Quantum Cryptography (PQC) standardization due to its efficient implementation and low computational complexity. Binary Ring-LWE (BRLWE) is a new optimized variant of RLWE, which achieves smaller computational complexity and higher efficient hardware implementations. In this paper, two efficient architectures based on Linear-Feedback Shift Register (LFSR) for the arithmetic used in Inverted Binary Ring-LWE (InvBRLWE)-based encryption scheme are presented, namely the operation of over the polynomial ring . The first architecture optimizes the resource usage for major computation and has a novel input processing setup to speed up the overall processing latency with minimized input loading cycles. The second architecture deploys an innovative serial-in serial-out processing format to reduce the involved area usage further yet maintains a regular input loading time-complexity. Experimental results show that the architectures presented here improve the complexities obtained by competing schemes found in the literature, e.g., involving 71.23% less area-delay product than recent designs. Both architectures are highly efficient in terms of area-time complexities and can be extended for deploying in different lightweight application environments.

Marco Baldi,Alessandro Barenghi,Franco Chiaraluce,Gerardo Pelosi,Paolo Santini

DOI: https://doi.org/10.1007/978-3-030-90428-9_7

2021-01-01

Abstract:We present a variant of the classic in-place bit-flipping decoder, frequently used with Low- and Moderate-Density Parity Check (LDPC/MDPC) codes, which allows a statistical analysis of the achievable decoding failure rate (DFR) in worst-case conditions. Such evaluation is of paramount importance in code-based post-quantum cryptography (PQC) where the ability to achieve indistinguishability under adaptive chosen ciphertext attacks strictly depends on being able to ensure very low DFR values (e.g., in the order of 2-128$$2^{-128}$$ or lower) that, as such, are practically impossible to validate via numerical simulation. We provide theoretical evidence of the proposed approach and demonstrate its correctness through numerical examples. Moreover, we investigate the effect of changing the bit flipping decision threshold on the provided worst case analysis. Finally, we give design parameters for code-based cryptosystems employing Quasi-Cyclic LDPC/MDPC codes, able to achieve the security levels required in the NIST PQC standardization initiative which is currently in progress.

Joan Daemen,Daniël Kuijsters,Silvia Mella,Denise Verbakel

DOI: https://doi.org/10.1007/s12095-024-00711-4

2024-04-28

Cryptography and Communications

Abstract:Many modern cryptographic primitives for hashing and (authenticated) encryption make use of constructions that are instantiated with an iterated cryptographic permutation that operates on a fixed-width state consisting of an array of bits. Often, such permutations are the repeated application of a relatively simple round function consisting of a linear layer and a non-linear layer. These constructions do not require that the underlying function is a permutation and they can plausibly be based on a non-invertible transformation. Recently, Grassi proposed the use of non-invertible mappings operating on arrays of digits that are elements of a finite field of odd characteristic for so-called MPC-/FHE-/ZK-friendly symmetric cryptographic primitives. In this work, we consider a mapping that we call that has a simple expression and is based on squaring. We discuss, for the first time, the differential and linear propagation properties of and observe that these follow the same rules up to a relabeling of the digits. This is an intriguing property that, as far as we know, only exists for and the binary mapping that is used in the cryptographic permutation Xoodoo . Moreover, we study the implications of its non-invertibility on differentials with zero output difference and on biases at the output of the mapping and show that they are as small as they can possibly be.

computer science, theory & methods,mathematics, applied

Shuhei Nakamura,Yasuhiko Ikematsu,Yacheng Wang,Jintai Ding,Tsuyoshi Takagi

DOI: https://doi.org/10.1016/j.tcs.2021.09.043

IF: 1.002

2021-01-01

Theoretical Computer Science

Abstract:Multivariate public key cryptography is a candidate for post-quantum cryptography, and it allows generating particularly short signatures and fast verification. The Rainbow signature scheme proposed by Ding and Schmidt is such a multivariate cryptosystem, and it is considered secure against all known attacks. The Rainbow-Band-Separation attack recovers a secret key of Rainbow by solving certain systems of quadratic equations, and its complexity is estimated by the well-known theoretical value called the degree of regularity. However, the degree of regularity is generally larger than the solving degree in experiments, and an accurate estimation cannot be obtained. In this article, we propose a new theoretical value for the complexity of the Rainbow-Band-Separation attack using a Gröbner basis algorithm, which provides a more precise estimation compared to that using the degree of regularity. This theoretical value is deduced by the two-variable power series ∏ i = 1 m ( 1 − t 1 d i 1 t 2 d i 2 ) ( 1 − t 1 ) n 1 ( 1 − t 2 ) n 2 . Since the two-variable power series coincides with the one-variable power series at t 1 = t 2 deriving the degree of regularity, the theoretical value is less than or equal to the degree of regularity under a certain condition. Moreover, we show a relation between the Rainbow-Band-Separation attack using the hybrid approach and the HighRank attack. By considering this relation and our theoretical value, we obtain a new complexity estimation for the Rainbow-Band-Separation attack. Furthermore, applying our theoretical value to the complexity formula used in the NIST PQC 2nd round, we show that a slight modification of the proposed Rainbow parameter sets is required. Consequently, we provide a new theoretical value for generally estimating the solving degree of a bi-graded polynomial system, which can influence the parameter selection of Rainbow in the NIST PQC standardization project.

Ziyang Chen,Yichen Zhang,Xiangyu Wang,Song Yu,Hong Guo

DOI: https://doi.org/10.3390/e21070652

IF: 2.738

2019-01-01

Entropy

Abstract:The entropic uncertainty relation (EUR) is of significant importance in the security proof of continuous-variable quantum key distribution under coherent attacks. The parameter estimation in the EUR method contains the estimation of the covariance matrix (CM), as well as the max-entropy. The discussions in previous works have not involved the effect of finite-size on estimating the CM, which will further affect the estimation of leakage information. In this work, we address this issue by adapting the parameter estimation technique to the EUR analysis method under composable security frameworks. We also use the double-data modulation method to improve the parameter estimation step, where all the states can be exploited for both parameter estimation and key generation; thus, the statistical fluctuation of estimating the max-entropy disappears. The result shows that the adapted method can effectively estimate parameters in EUR analysis. Moreover, the double-data modulation method can, to a large extent, save the key consumption, which further improves the performance in practical implementations of the EUR.

Paresh Baidya,Swagata Mondal,Rourab Paul

2024-05-14

Abstract:Ring Learning With Error (RLWE) algorithm is used in Post Quantum Cryptography (PQC) and Homomorphic Encryption (HE) algorithm. The existing classical crypto algorithms may be broken in quantum computers. The adversaries can store all encrypted data. While the quantum computer will be available, these encrypted data can be exposed by the quantum computer. Therefore, the PQC algorithms are an essential solution in recent applications. On the other hand, the HE allows operations on encrypted data which is appropriate for getting services from third parties without revealing confidential plain-texts. The FPGA based PQC and HE hardware accelerators like RLWE is much cost-effective than processor based platform and Application Specific Integrated Circuit (ASIC). FPGA based hardware accelerators still consume more power compare to ASIC based design. Near Threshold Computation (NTC) may be a convenient solution for FPGA based RLWE implementation. In this paper, we have implemented RLWE hardware accelerator which has 14 subcomponents. This paper creates clusters based on the critical path of all 14 subcomponents. Each cluster is implemented in an FPGA partition which has the same biasing voltage $V_{ccint}$. The clusters that have higher critical paths use higher Vccint to avoid timing failure. The clusters have lower critical paths use lower biasing voltage Vccint. This voltage scaled, partitioned RLWE can save ~6% and ~11% power in Vivado and VTR platform respectively. The resource usage and throughput of the implemented RLWE hardware accelerator is comparatively better than existing literature.

Cryptography and Security,Hardware Architecture

Iván Blanco-Chacón,Alberto Pedrouzo-Ulloa,Rahinatou Yuh Njah Nchiwo,Beatriz Barbero-Lucas

2023-06-07

Abstract:We discuss the advantages and limitations of cyclotomic fields to have fast polynomial arithmetic within homomorphic encryption, and show how these limitations can be overcome by replacing cyclotomic fields by a family that we refer to as cyclo-multiquadratic. This family is of particular interest due to its arithmetic efficiency properties and to the fact that the Polynomial Learning with Errors (PLWE) and Ring Learning with Errors (RLWE) problems are equivalent for it. Likewise, we provide exact expressions for the condition number for any cyclotomic field, but under what we call the twisted power basis. As a tool for our result, we obtain refined polynomial upper bounds for the condition number of cyclotomic fields with up to 6 different primes dividing the conductor. From a more practical side, we also show that for this family, swapping between NTT and coefficient representations can be achieved at least twice faster than for the usual cyclotomic family.

Cryptography and Security

Mackenzie H. Shaw,Barbara M. Terhal

2024-08-20

Abstract:Recently, Bravyi et al. [1] proposed a set of small quantum Bivariate Bicycle (BB) codes that achieve a similar circuit-level error rate to the surface code but with an improved encoding rate. In this work, we generalise a novel parity-check circuit design principle that we call morphing circuits (first introduced in [2]) and apply this methodology to BB codes. Our construction generates a new family of BB codes -- including a new $[[144,12,12]]$ "gross" code -- whose parity check circuits require a qubit connectivity of degree five instead of six. Intriguingly, each parity check circuit requires only 6 rounds of CNOT gates -- one fewer than in Ref. [1] -- even though our new codes have weight-9 stabilisers. We also show how to perform logical input/output circuits to an ancillary rotated surface code using morphing circuits, all within a biplanar layout. The new codes perform at least as well as those of Ref. [1] under uniform circuit-level noise when decoded using BP-OSD. Finally, we develop a general framework for designing morphing circuits and present a sufficient condition for its applicability to two-block group algebra codes. [1] S. Bravyi, A. W. Cross, J. M. Gambetta, D. Maslov, P. Rall, and T. J. Yoder, Nature 627, 778 (2024). [2] C. Gidney and C. Jones, New circuits and an open source decoder for the color code (2023), <a class="link-https" data-arxiv-id="2312.08813" href="https://arxiv.org/abs/2312.08813">arXiv:2312.08813</a>.

Quantum Physics