
Journal of Mathematical Cryptology: Latest Articles

On cryptographic properties of (n + 1)-bit S-boxes constructed by known n-bit S-boxes
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-12-08 DOI: 10.1515/jmc-2020-0004
Yu Zhou, Daoguang Mu, Xinfeng Dong
Abstract: The S-box is the basic component of symmetric cryptographic algorithms, and its cryptographic properties play a key role in the security of those algorithms. In this paper we give the distributions of the Walsh spectrum and of the autocorrelation functions for the (n + 1)-bit S-boxes of [12]. We obtain the nonlinearity of these (n + 1)-bit S-boxes, and a necessary and sufficient condition for an (n + 1)-bit S-box to be m-order resilient. We also give a characterization of (n + 1)-bit S-boxes satisfying the t-order propagation criterion. Finally, we give a relationship between the sum-of-squares indicators of an n-bit S-box S0 and the (n + 1)-bit S-box S constructed from S0.
Citations: 1
The circulant hash revisited
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-12-03 DOI: 10.1515/jmc-2018-0054
Filipe Araújo, Samuel Neves
Abstract: At ProvSec 2013, Minematsu presented the circulant hash, an almost-xor-universal hash using only the xor and rotation operations. The circulant hash is a variant of Carter and Wegman's H3 hash as well as of Krawczyk's Toeplitz hash, both of which are hashes based on matrix-vector multiplication over $\mathbb{F}_2$. In this paper we revisit the circulant hash and reinterpret it as multiplication in the polynomial ring $\mathbb{F}_2[x]/(x^n + 1)$. This leads to simpler proofs, faster implementations on modern computer chips, and new variants with practical implementation advantages.
Citations: 0
Attack on Kayawood protocol: uncloaking private keys
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-12-01 DOI: 10.1515/jmc-2019-0015
M. Kotov, A. Menshov, A. Ushakov
Abstract: We analyze the security properties of a two-party key-agreement protocol recently proposed by I. Anshel, D. Atkins, D. Goldfeld, and P. Gunnells, called the Kayawood protocol. At the core of the protocol is an action (called E-multiplication) of a braid group on some finite set. The protocol assigns a secret element of a braid group to each party (the private key). To disguise those elements, the protocol uses a so-called cloaking method that multiplies private keys on the left and on the right by specially designed elements (stabilizers for E-multiplication). We present a heuristic algorithm that allows a passive eavesdropper to recover Alice's private key by removing the cloaking elements. Our attack has a 100% success rate on randomly generated instances of the protocol for the originally proposed parameter values and for recent proposals that suggest inserting many cloaking elements at random positions of the private key. An implementation of the attack is available on GitHub.
Citations: 3
Lattice Sieving in Three Dimensions for Discrete Log in Medium Characteristic
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-25 DOI: 10.1515/jmc-2020-0008
G. McGuire, Oisín Robinson
Abstract: Lattice sieving in two dimensions has proven to be an indispensable practical aid in integer factorization and discrete log computations involving the number field sieve. The main contribution of this article is to show that a different method of lattice sieving, in three dimensions, provides a significant speedup in medium characteristic. Our method is to use the successive minima and shortest vectors of the lattice, instead of transition vectors, to iterate through lattice points. We showcase the new method with a record computation in a 133-bit subgroup of $\mathbb{F}_{p^6}$, with $p^6$ having 423 bits. Our overall timing is nearly 3 times faster than the previous record, a 132-bit subgroup in a 422-bit field. The approach generalizes to dimension 4 or more, overcoming one key obstruction to the implementation of the tower number field sieve.
Citations: 6
Pseudo-free families of computational universal algebras
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-25 DOI: 10.1515/jmc-2020-0014
M. Anokhin
Abstract: Let Ω be a finite set of finitary operation symbols. We initiate the study of (weakly) pseudo-free families of computational Ω-algebras in arbitrary varieties of Ω-algebras. A family $(H_d \mid d \in D)$ of computational Ω-algebras (where $D \subseteq \{0, 1\}^*$) is called polynomially bounded (resp., having exponential size) if there exists a polynomial $\eta$ such that for all $d \in D$, the length of any representation of every $h \in H_d$ is at most $\eta(|d|)$ (resp., $|H_d| \le 2^{\eta(|d|)}$). First, we prove the following trichotomy: (i) if Ω consists of nullary operation symbols only, then there exists a polynomially bounded pseudo-free family; (ii) if $\Omega = \Omega_0 \cup \{\omega\}$, where $\Omega_0$ consists of nullary operation symbols and the arity of $\omega$ is 1, then there exist an exponential-size pseudo-free family and a polynomially bounded weakly pseudo-free family; (iii) in all other cases, the existence of polynomially bounded weakly pseudo-free families implies the existence of collision-resistant families of hash functions. In this trichotomy, (weak) pseudo-freeness is meant in the variety of all Ω-algebras. Second, assuming the existence of collision-resistant families of hash functions, we construct a polynomially bounded weakly pseudo-free family and an exponential-size pseudo-free family in the variety of all m-ary groupoids, where m is an arbitrary positive integer.
Citations: 2
A framework for reducing the overhead of the quantum oracle for use with Grover's algorithm with applications to cryptanalysis of SIKE
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0080
Jean-François Biasse, Benjamin Pring
Abstract: In this paper we provide a framework for applying classical search and preprocessing to quantum oracles for use with Grover's quantum search algorithm, in order to lower the quantum circuit-complexity of Grover's algorithm for single-target search problems. This has the effect (for certain problems) of reducing a portion of the polynomial overhead contributed by the implementation cost of quantum oracles, and can be used to provide either strict improvements or advantageous trade-offs in circuit-complexity. Our results indicate that it is possible for quantum oracles for certain single-target preimage search problems to reduce the quantum circuit-size from $O(2^{n/2} \cdot mC)$ (where C originates from the cost of implementing the quantum oracle) to $O(2^{n/2} \cdot m\sqrt{C})$ without the use of quantum RAM, whilst also slightly reducing the number of required qubits. This framework captures a previous optimisation of Grover's algorithm using preprocessing [21] applied to cryptanalysis, providing new asymptotic analysis. We additionally provide insights and asymptotic improvements on recent cryptanalysis [16] of SIKE [14] via Grover's algorithm, demonstrating that the speedup applies to this attack and impacts the quantum security estimates [16] incorporated into the SIKE specification [14].
Citations: 11
Algebraic approaches for solving isogeny problems of prime power degrees
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0072
Yasushi Takahashi, Momonari Kudo, Ryoya Fukasaku, Yasuhiko Ikematsu, Masaya Yasuda, K. Yokoyama
Abstract: Recently, supersingular isogeny cryptosystems have received attention as candidates for post-quantum cryptography (PQC). Their security relies on the hardness of solving isogeny problems over supersingular elliptic curves. The meet-in-the-middle approach seems the most practical for solving isogeny problems with classical computers. In this paper, we propose two algebraic approaches to isogeny problems of prime power degrees. Our strategy is to reduce isogeny problems to a system of algebraic equations and to solve it by Gröbner basis computation. The first approach uses modular polynomials, and the second uses kernel polynomials of isogenies. We report running times for solving isogeny problems of 3-power degrees on supersingular elliptic curves over $\mathbb{F}_{p^2}$ with a 503-bit prime p, extracted from the NIST PQC candidate SIKE. Our experiments show that our first approach is faster than the meet-in-the-middle approach for isogeny degrees up to $3^{10}$.
Citations: 2
Editor's Preface for the Second Annual MathCrypt Proceedings Volume
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0170
J. Cheon, K. Lauter, Yongsoo Song
In 2017, we decided to start the annual series of MathCrypt Workshops in order to encourage more mathematicians and computational number theorists to propose and work on hard problems in cryptography. This is the second volume of papers from our second annual MathCrypt conference hosted at Crypto 2019, on August 19, 2019 in Santa Barbara. We were motivated to launch this series of workshops to attract more mathematicians to work on hard problems in cryptography. There is a gap in the publishing culture between mathematics and computer science which we hope to bridge with this effort. Mathematicians primarily recognize publications in journals, whereas cryptographers almost always publish their results quickly in proceedings volumes of conferences, which are the most prestigious venues for the research area. Many mathematicians are not accustomed to the model of submitting a paper by the conference deadline, presenting the work at the conference, and publishing in the proceedings volume. We wanted to provide a regular annual venue for mathematicians to contribute to the cryptographic research community at this accelerated pace, and the Journal of Mathematical Cryptology was an ideal place and a willing partner to create this opportunity. We are at a point in time where it is increasingly important for mathematicians to be involved in cryptography research, as we set out to determine the next generation of cryptographic systems based on hard math problems which can withstand attacks from a quantum computer once it is built. In 2017, NIST launched a 5-year international competition to determine post-quantum cryptosystems (PQC). MathCrypt can play a complementary role by encouraging mathematicians to work on and publish attacks on new proposals, including both preliminary results and also even results which represent the failure of a certain approach to effectively attack a new system.

This creates the culture of sharing information on approaches which have been tried and their measure of success. Currently there is such a high bar for publishing papers with new attacks. Attacking the underlying hard math problems in cryptography is an extremely challenging endeavor, and so the incentives are not aligned to encourage new researchers and young researchers to work and commit themselves to this direction. The opportunity to publish intermediate results in venues like MathCrypt should help to de-risk this endeavor and encourage more mathematicians to pursue these research directions. The MathCrypt proceedings volumes are also intended as a place to publish proposals for new cryptographic systems based on new ideas for hard math problems. The post-quantum era provides both an opportunity and a challenge to mathematicians to create new systems based on new ideas. When an idea for a hard math problem is first proposed, it can be hard to evaluate the long-term potential in the span of a few weeks during a short review cycle. Thus more established venues may be reluctant to accept such papers in a competitive process, since they may be viewed as a risk if they turn out to be weak proposals within a relatively short time. MathCrypt provides a forum and community for discussing and publishing new proposals. There are many funding opportunities, such as the US National Science Foundation (NSF) SaTC cybersecurity program, and proposals for new systems and research in mathematical cryptography
{"title":"Editor’s Preface for the Second Annual MathCrypt Proceedings Volume","authors":"J. Cheon, K. Lauter, Yongsoo Song","doi":"10.1515/jmc-2020-0170","DOIUrl":"https://doi.org/10.1515/jmc-2020-0170","url":null,"abstract":"In 2017, we decided to start the annual series of MathCryptWorkshops in order to encouragemore mathematicians and computational number theorists to propose and work on hard problems in cryptography. This is the second volume of papers from our second annual MathCrypt conference hosted at Crypto 2019, on August 19, 2019 in Santa Barbara. We were motivated to launch this series of workshops to attract more mathematicians to work on hard problems in cryptography. There is a gap in the publishing culture between mathematics and computer science which we hope to bridge with this effort. Mathematicians primarily recognize publications in journals, whereas cryptographers almost always publish their results quickly in proceedings volumes of conferences which are the most prestigious venues for the research area. Many mathematicians are not accustomed to the model of submitting a paper by the conference deadline, presenting the work at the conference, and publishing in the proceedings volume. We wanted to provide a regular annual venue for mathematicians to contribute to the cryptographic research community at this accelerated pace, and the Journal ofMathematical Cryptology was an ideal place and a willing partner to create this opportunity. We are at a point in time where it is increasingly important for mathematicians to be involved in cryptography research, as we set out to determine the next generation of cryptographic systems based on hard math problems which can withstand attacks from a quantum computer once it is built. In 2017, NIST launched a 5-year international competition to determine post-quantum cryptosystems (PQC). 
MathCrypt can play a complimentary role by encouraging mathematicians to work on and publish attacks on new proposals, including both preliminary results and also even results which represent the failure of a certain approach to effectively attack a new system. This creates the culture of sharing information on approacheswhichhave been tried and theirmeasure of success. Currently there is such ahigh bar for publishing papers with new attacks. Attacking the underlying hardmath problems in cryptography is an extremely challenging endeavor, and so the incentives are not aligned to encourage new researchers and young researchers to work and commit themselves to this direction. The opportunity to publish intermediate results in venues like MathCrypt should help to de-risk this endeavor and encourage more mathematician to pursue these research directions. The MathCrypt proceedings volumes are also intended as a place to publish proposals for new cryptographic systems based on new ideas for hard math problems. The post quantum era provides both an opportunity and a challenge tomathematicians to create new systems based on new ideas.When an idea for a hard math problem is first proposed, it can be hard to evaluate the long-term potential in the span of a few weeks during a short review cycle. Thus more established venues may be reluctant","PeriodicalId":43866,"journal":{"name":"Journal of Mathematical Cryptology","volume":"15 1","pages":"1 - 3"},"PeriodicalIF":1.2,"publicationDate":"2020-11-17","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"https://sci-hub-pdf.com/10.1515/jmc-2020-0170","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"48389877","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Citations: 0
Towards a Ring Analogue of the Leftover Hash Lemma
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0076
D. Dachman-Soled, Huijing Gong, Mukul Kulkarni, Aria Shahverdi
Abstract The leftover hash lemma (LHL) is used in the analysis of various lattice-based cryptosystems, such as the Regev and Dual-Regev encryption schemes as well as their leakage-resilient counterparts. The LHL does not hold in the ring setting, when the ring is far from a field, which is typical for efficient cryptosystems. Lyubashevsky et al. (Eurocrypt ’13) proved a “regularity lemma,” which can be used instead of the LHL, but applies only for Gaussian inputs. This is in contrast to the LHL, which applies when the input is drawn from any high min-entropy distribution. Our work presents an approach for generalizing the “regularity lemma” of Lyubashevsky et al. to certain conditional distributions. We assume the input was sampled from a discrete Gaussian distribution and consider the induced distribution, given side-channel leakage on the input. We present three instantiations of our approach, proving that the regularity lemma holds for three natural conditional distributions.
Citations: 6
Discretisation and Product Distributions in Ring-LWE
IF 1.2 Q4 COMPUTER SCIENCE, THEORY & METHODS Pub Date : 2020-11-17 DOI: 10.1515/jmc-2020-0073
S. Murphy, Rachel Player
Abstract A statistical framework applicable to Ring-LWE was outlined by Murphy and Player (IACR eprint 2019/452). Its applicability was demonstrated with an analysis of the decryption failure probability for degree-1 and degree-2 ciphertexts in the homomorphic encryption scheme of Lyubashevsky, Peikert and Regev (IACR eprint 2013/293). In this paper, we clarify and extend results presented by Murphy and Player. Firstly, we make precise the approximation of the discretisation of a Normal random variable as a Normal random variable, as used in the encryption process of Lyubashevsky, Peikert and Regev. Secondly, we show how to extend the analysis given by Murphy and Player to degree-k ciphertexts, by precisely characterising the distribution of the noise in these ciphertexts.
Citations: 7