IACR Cryptol. ePrint Arch. Latest Publications
A provably masked implementation of BIKE Key Encapsulation Mechanism
Pub Date: 2024-04-09 DOI: 10.62056/aesgvua5v
Loïc Demange, Mélissa Rossi
BIKE is a post-quantum key encapsulation mechanism (KEM) selected for the 4th round of NIST's standardization campaign. It relies on the hardness of the syndrome decoding problem for quasi-cyclic codes and on the indistinguishability of the public key from a random element, and provides the most competitive performance among round 4 candidates, which makes it relevant for future real-world use cases. Analyzing its side-channel resistance has been highly encouraged by the community, and several works have already outlined various side-channel weaknesses and proposed ad-hoc countermeasures. However, in contrast to the well-documented research line on masking lattice-based algorithms, the possibility of generically protecting code-based algorithms by masking has only been marginally studied in a 2016 paper by Chen et al. in SAC 2015. At this stage of the standardization campaign, it is important to assess the possibility of fully masking the BIKE scheme and the resulting cost in terms of performance. In this work, we provide the first high-order masked implementation of a code-based algorithm. We had to tackle many issues such as finding proper ways to handle large sparse polynomials, masking the key-generation algorithm, or keeping the benefit of the bitslicing. In this paper, we present all the gadgets necessary to provide a fully masked implementation of BIKE, we discuss our different implementation choices, and we propose a full proof of masking in the Ishai, Sahai and Wagner (Crypto 2003) model. More practically, we also provide an open C-code masked implementation of the key-generation, encapsulation and decapsulation algorithms with extensive benchmarks. While the obtained performance is slower than existing masked lattice-based algorithms, we show that masking at order 1, 2, 3, 4 and 5 implies a performance penalty of x5.8, x14.2, x24.4, x38 and x55.6 compared to order 0 (unmasked and unoptimized BIKE). This scaling is encouraging, and no Boolean to Arithmetic conversion has been used.
Citations: 0
Computing isogenies between finite Drinfeld modules
Pub Date: 2024-04-09 DOI: 10.62056/avommp-3y
B. Wesolowski
We prove that isogenies between Drinfeld F[x]-modules over a finite field can be computed in polynomial time. This breaks Drinfeld analogs of isogeny-based cryptosystems.
Citations: 3
Preliminary Cryptanalysis of the Biscuit Signature Scheme
Pub Date: 2024-04-09 DOI: 10.62056/aemp-4c2h
Charles Bouillaguet, Julia Sauvage
Biscuit is a recent multivariate signature scheme based on the MPC-in-the-Head paradigm. It has been submitted to the NIST competition for additional signature schemes. Signatures are derived from a zero-knowledge proof of knowledge of the solution of a structured polynomial system. This extra structure enables efficient proofs and compact signatures. This short note demonstrates that it also makes these polynomial systems easier to solve than random ones. As a consequence, the original parameters of Biscuit failed to meet the required security levels and had to be upgraded.
Citations: 1
On the Efficiency of Generic, Quantum Cryptographic Constructions
Pub Date: 2024-04-09 DOI: 10.62056/a66c0l5vt
Keita Xagawa
One of the central questions in cryptology is how efficient generic constructions of cryptographic primitives can be. Gennaro, Gertner, Katz, and Trevisan [SIAM J. of Compt., 2005] studied the lower bounds of the number of invocations of a (trapdoor) one-way permutation in order to construct cryptographic schemes, e.g., pseudorandom number generators, digital signatures, and public-key and symmetric-key encryption. Recently, quantum machines have been explored to _construct_ cryptographic primitives other than quantum key distribution. This paper studies the efficiency of _quantum_ black-box constructions of cryptographic primitives when the communications are _classical_. Following Gennaro et al., we give the lower bounds of the number of invocations of an underlying quantumly-computable quantum-one-way permutation when the _quantum_ construction of pseudorandom number generator and symmetric-key encryption is weakly black-box. Our results show that the quantum black-box constructions of pseudorandom number generator and symmetric-key encryption do not improve the number of invocations of an underlying quantumly-computable quantum-one-way permutation.
Citations: 0
Proximity Testing with Logarithmic Randomness
Pub Date: 2024-04-09 DOI: 10.62056/aksdkp10
Benjamin E. Diamond, Jim Posen
A fundamental result dating to Ligero (Des. Codes Cryptogr. '23) establishes that each fixed linear block code exhibits proximity gaps with respect to the collection of affine subspaces, in the sense that each given subspace either resides entirely close to the code, or else contains only a small portion which resides close to the code. In particular, any given subspace's failure to reside entirely close to the code is necessarily witnessed, with high probability, by a uniformly randomly sampled element of that subspace. We investigate a variant of this phenomenon in which the witness is not sampled uniformly from the subspace, but rather from a much smaller subset of it. We show that a logarithmic number of random field elements (in the dimension of the subspace) suffice to effect an analogous proximity test, with moreover only a logarithmic (multiplicative) loss in the possible prevalence of false witnesses. We discuss applications to recent noninteractive proofs based on linear codes, including Brakedown (CRYPTO '23).
Citations: 5
Recovering cryptographic keys from partial information, by example
Pub Date: 2024-04-09 DOI: 10.62056/ahjbksdja
Gabrielle De Micheli, N. Heninger
Side-channel attacks targeting cryptography may leak only partial or indirect information about the secret keys. There are a variety of techniques in the literature for recovering secret keys from partial information. In this work, we survey several of the main families of partial key recovery algorithms for RSA, (EC)DSA, and (elliptic curve) Diffie-Hellman, the classical public-key cryptosystems in common use today. We categorize the known techniques by the structure of the information that is learned by the attacker, and give simplified examples for each technique to illustrate the underlying ideas.
Citations: 18
How to Make Rational Arguments Practical and Extractable
Pub Date: 2024-04-09 DOI: 10.62056/a63zl86bm
Matteo Campanelli, Chaya Ganesh, Rosario Gennaro
We investigate proof systems where security holds against rational parties instead of malicious ones. Our starting point is the notion of rational arguments, a variant of rational proofs (Azar and Micali, STOC 2012) where security holds against rational adversaries that are also computationally bounded. Rational arguments are an interesting primitive because they generally allow for very efficient protocols, and in particular sublinear verification (i.e. where the Verifier does not have to read the entire input). In this paper we aim at narrowing the gap between literature on rational schemes and real world applications. Our contribution is two-fold. We provide the first construction of rational arguments for the class of polynomial computations that is practical (i.e., it can be applied to real-world computations on reasonably common hardware) and with logarithmic communication. Techniques-wise, we obtain this result through a compiler from information-theoretic protocols and rational proofs for polynomial evaluation. The latter could be of independent interest. As a second contribution, we propose a new notion of extractability for rational arguments. Through this notion we can obtain arguments where knowledge of a witness is incentivized (rather than incentivizing mere soundness). We show how our aforementioned compiler can also be applied to obtain efficient extractable rational arguments for NP.
Citations: 0
Fast polynomial multiplication using matrix multiplication accelerators with applications to NTRU on Apple M1/M3 SoCs
Pub Date: 2024-04-09 DOI: 10.62056/a3txommol
Décio Luiz Gazzoni Filho, Guilherme Brandão, Julio López Hernandez
Efficient polynomial multiplication routines are critical to the performance of lattice-based post-quantum cryptography (PQC). As PQC standards only recently started to emerge, CPUs still lack specialized instructions to accelerate such routines. Meanwhile, deep learning has grown immeasurably in importance. Its workloads call for teraflops-level of processing power for linear algebra operations, mainly matrix multiplication. Computer architects have responded by introducing ISA extensions, coprocessors and special-purpose cores to accelerate such operations. In particular, Apple ships an undocumented matrix-multiplication coprocessor, AMX, in hundreds of millions of mobile phones, tablets and personal computers. Our work repurposes AMX to implement polynomial multiplication and applies it to the NTRU cryptosystem, setting new speed records on the Apple M1 and M3 systems-on-chip (SoCs): polynomial multiplication, key generation, encapsulation and decapsulation are sped up by 1.54–3.07×, 1.08–1.33×, 1.11–1.50× and 1.20–1.98×, respectively, over the previous state-of-the-art.
Citations: 1
Secure Multi-Party Linear Algebra with Perfect Correctness
Pub Date: 2024-04-09 DOI: 10.62056/avzojbkrz
Jules Maire, Damien Vergnaud
We present new secure multi-party computation protocols for linear algebra over a finite field, which improve the state-of-the-art in terms of security. We look at the case of unconditional security with perfect correctness, i.e., information-theoretic security without errors. We notably propose an expected constant-round protocol for solving systems of m linear equations in n variables over Fq with expected complexity O(k n^2.5 + k m) (where complexity is measured in terms of the number of secure multiplications required) with k > m(m+n)+1. The previous proposals were not error-free: known protocols can indeed fail and thus reveal information with probability Omega(poly(m)/q). Our protocols are simple and rely on existing computer-algebra techniques, notably the Preparata-Sarwate algorithm, a simple but poorly known “baby-step giant-step” method for computing the characteristic polynomial of a matrix, and techniques due to Mulmuley for error-free linear algebra in positive characteristic.
Citations: 0
Understanding binary-Goppa decoding
Pub Date: 2024-04-09 DOI: 10.62056/angy4fe-3
D. Bernstein
This paper reviews, from bottom to top, a polynomial-time algorithm to correct t errors in classical binary Goppa codes defined by squarefree degree- t polynomials. The proof is factored through a proof of a simple Reed–Solomon decoder, and the algorithm is simpler than Patterson's algorithm. All algorithm layers are expressed as Sage scripts backed by test scripts. All theorems are formally verified. The paper also covers the use of decoding inside the Classic McEliece cryptosystem, including reliable recognition of valid inputs.
Citations: 5