• Title/Summary/Keyword: LWE

Search Result 31, Processing Time 0.028 seconds

ZERO-KNOWLEDGE PROOFS FROM SPLWE-BASED COMMITMENTS

  • Kim, Jinsu;Kim, Dooyoung
    • East Asian mathematical journal
    • /
    • v.38 no.1
    • /
    • pp.85-94
    • /
    • 2022
  • Recently, an LWE-based commitment scheme is proposed. Their construction is statistically hiding as well as computationally binding. On the other hand, the construction of related zero-knowledge protocols is left as an open problem. In this paper, we present zero-knowledge protocols with hardness based on the LWE problem. we show how to instantiate efficient zero-knowledge protocols that can be used to prove linear and sum relations among these commitments. In addition, we show how the variant of LWE, spLWE problem, can be used to instantiate efficient zero-knowledge protocols.

LWE-like KEM/전자서명에 대한 부채널 대응기법 동향

  • JeongHwan Lee;Sang-Yun Jung;Won Geun Shin;Sujin Park;HeeSeok Kim
    • Review of KIISC
    • /
    • v.33 no.3
    • /
    • pp.85-96
    • /
    • 2023
  • LWE-like 암호는 지난 몇 년간 표준화 선정 대상 유력 후보로 주목받았다. 실제로 NIST가 선정한 양자내성암호 표준화 진행 대상 4종 중 2종이 LWE 기반 암호인만큼, LWE-like 암호는 많은 중요성을 가지고 있으며 이에 따라 LWE-like 암호에 대한 부채널 분석/대응 기술 연구가 활발히 진행되었다. 특히 전력/전자파를 이용한 분석과 이에 대한 마스킹 대응기법 연구가 많은 결실을 맺었다. 따라서 본 논문은 LWE-like KEM/전자서명에 대한 부채널 대응기술 중 마스킹 기법 동향을 서술한다. LWE-like KEM에 대한 1차 및 고차 마스킹 기법 연구 동향을 정리하고, LWE-like 전자서명에 대한 고차 마스킹 기법 동향을 정리한다.

A Study of SPA Vulnerability on 8-bit Implementation of Ring-LWE Cryptosystem (8 비트 구현 Ring-LWE 암호시스템의 SPA 취약점 연구)

  • Park, Aesun;Won, Yoo-Seung;Han, Dong-Guk
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.3
    • /
    • pp.439-448
    • /
    • 2017
  • It is news from nowhere that post-quantum cryptography has side-channel analysis vulnerability. Side-channel analysis attack method and countermeasures for code-based McEliece cryptosystem and lattice-based NTRU cryptosystem have been investigated. Unfortunately, the investigation of the ring-LWE cryptosystem in terms of side-channel analysis is as yet insufficient. In this paper, we propose a chosen ciphertext simple power analysis attack that can be applied when ring-LWE cryptography operates on 8-bit devices. Our proposed attack can recover the key only with [$log_2q$] traces. q is a parameter related to the security level. It is used 7681 and 12289 to match the common 128 and 256-bit security levels, respectively. We identify the vulnerability through experiment that can reveal the secret key in modular add while the ring-LWE decryption performed on real 8-bit devices. We also discuss the attack that uses a similarity measurement method for two vectors to reduce attack time.

Countermeasure against Chosen Ciphertext Spa Attack of the Public-Key Cryptosystem Based on Ring-Lwe Problem (Ring-LWE 기반 공개키 암호시스템의 선택 암호문 단순전력분석 공격 대응법)

  • Park, Aesun;Won, Yoo-Seung;Han, Dong-Guk
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.27 no.5
    • /
    • pp.1001-1011
    • /
    • 2017
  • A lattice-based cryptography is known as one of the post-quantum cryptographies. Ring-LWE problem is an algebraic variant of LWE, which operates over elements of polynomial rings instead of vectors. It is already known that post-quantum cryptography has side-channel analysis vulnerability. In 2016, Park et al. reported a SPA vulnerability of the public key cryptosystem, which is proposed by Roy et al., based on the ring-LWE problem. In 2015 and 2016, Reparaz et al. proposed DPA attack and countermeasures against Roy cryptosystem. In this paper, we show that the chosen ciphertext SPA attack is also possible for Lyubashevsky cryptosystem which does not use NTT. And then we propose a countermeasure against CCSPA(Chosen Ciphertext SPA) attack and we also show through experiment that our proposed countermeasure is secure.

Ciphertext policy attribute-based encryption supporting unbounded attribute space from R-LWE

  • Chen, Zehong;Zhang, Peng;Zhang, Fangguo;Huang, Jiwu
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.11 no.4
    • /
    • pp.2292-2309
    • /
    • 2017
  • Ciphertext policy attribute-based encryption (CP-ABE) is a useful cryptographic technology for guaranteeing data confidentiality but also fine-grained access control. Typically, CP-ABE can be divided into two classes: small universe with polynomial attribute space and large universe with unbounded attribute space. Since the learning with errors over rings (R-LWE) assumption has characteristics of simple algebraic structure and simple calculations, based on R-LWE, we propose a small universe CP-ABE scheme to improve the efficiency of the scheme proposed by Zhang et al. (AsiaCCS 2012). On this basis, to achieve unbounded attribute space and improve the expression of attribute, we propose a large universe CP-ABE scheme with the help of a full-rank differences function. In this scheme, all polynomials in the R-LWE can be used as values of an attribute, and these values do not need to be enumerated at the setup phase. Different trapdoors are used to generate secret keys in the key generation and the security proof. Both proposed schemes are selectively secure in the standard model under R-LWE. Comparison with other schemes demonstrates that our schemes are simpler and more efficient. R-LWE can obtain greater efficiency, and unbounded attribute space means more flexibility, so our research is suitable in practices.

Optimization of Approximate Modular Multiplier for R-LWE Cryptosystem (R-LWE 암호화를 위한 근사 모듈식 다항식 곱셈기 최적화)

  • Jae-Woo, Lee;Youngmin, Kim
    • Journal of IKEEE
    • /
    • v.26 no.4
    • /
    • pp.736-741
    • /
    • 2022
  • Lattice-based cryptography is the most practical post-quantum cryptography because it enjoys strong worst-case security, relatively efficient implementation, and simplicity. Ring learning with errors (R-LWE) is a public key encryption (PKE) method of lattice-based encryption (LBC), and the most important operation of R-LWE is the modular polynomial multiplication of rings. This paper proposes a method for optimizing modular multipliers based on approximate computing (AC) technology, targeting the medium-security parameter set of the R-LWE cryptosystem. First, as a simple way to implement complex logic, LUT is used to omit some of the approximate multiplication operations, and the 2's complement method is used to calculate the number of bits whose value is 1 when converting the value of the input data to binary. We propose a total of two methods to reduce the number of required adders by minimizing them. The proposed LUT-based modular multiplier reduced both speed and area by 9% compared to the existing R-LWE modular multiplier, and the modular multiplier using the 2's complement method reduced the area by 40% and improved the speed by 2%. appear. Finally, the area of the optimized modular multiplier with both of these methods applied was reduced by up to 43% compared to the previous one, and the speed was reduced by up to 10%.

Security Analysis on TiGER KEM in KpqC Round 1 Competition Using Meet-LWE Attack (KpqC 1 라운드 TiGER KEM의 Meet-LWE 공격에 대한 안전성 분석)

  • Joohee Lee;Eun-min Lee;Jiseung Kim
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.33 no.5
    • /
    • pp.709-719
    • /
    • 2023
  • Recently, Post-Quantum Cryptography (PQC), which is secure against attacks using quantum computers, has been actively studied. In 2022, the KpqC competition, a competition for domestic PQC standardization, was launched, and a total of 16 candidate algorithms were received, and the first round is underway. In this paper, we apply Alexander May's Meet-LWE attack to TiGER, a lattice-based key encapsulation mechanism that is a candidate for the first round of the KpqC competition, and analyze its concrete attack complexity. The computational results of applying the Meet-LWE attack to each of the proposed parameters of TiGER show that the proposed TiGER192 parameter, which targets 192-bit quantum security, actually achieves 170-bit classical security. In addition, we propose a parameter setting to increase the attack complexity against the Meet-LWE attack.

Analysis on Decryption Failure Probability of TiGER (TiGER의 복호화 실패율 분석)

  • Seungwoo Lee;Jonghyun Kim;Jong Hwan Park
    • Journal of the Korea Institute of Information Security & Cryptology
    • /
    • v.34 no.2
    • /
    • pp.157-166
    • /
    • 2024
  • Probability of decryption failure of a public key cryptography based on LWE(learning with errors) is determined by its architecture and parameter settings. Since large decryption failure probability leads to attacks[1] on scheme as well as degradation of performance, TiGER[2], a Ring-LWE(R)-based KEM proposed for the first round of KpqC, tried to reduce the decryption failure probability by using error correction code Xef and D2 encoding method. However, D'Anvers et al. has shown that the commonly assumed independence of each bit error is not established since in the case of an encryption scheme based on Ring-LWE(R) using an error correction code, there is error dependency which is not negligible[3]. In this paper, since TiGER does not consider the error dependency, we calcualte the decryption failure probability of TiGER by considering the error dependency. In addition, we found that the bit error probability is incorrectly calculated in TiGER, so we present the correct calculation.

Efficient Signature Schemes from R-LWE

  • Wang, Ting;Yu, Jianping;Zhang, Peng;Zhang, Yong
    • KSII Transactions on Internet and Information Systems (TIIS)
    • /
    • v.10 no.8
    • /
    • pp.3911-3924
    • /
    • 2016
  • Compared to the classical cryptography, lattice-based cryptography is more secure, flexible and simple, and it is believed to be secure against quantum computers. In this paper, an efficient signature scheme is proposed from the ring learning with errors (R-LWE), which avoids sampling from discrete Gaussians and has the characteristics of the much simpler description etc. Then, the scheme is implemented in C/C++ and makes a comparison with the RSA signature scheme in detail. Additionally, a linearly homomorphic signature scheme without trapdoor is proposed from the R-LWE assumption. The security of the above two schemes are reducible to the worst-case hardness of shortest vectors on ideal lattices. The security analyses indicate the proposed schemes are unforgeable under chosen message attack model, and the efficiency analyses also show that the above schemes are much more efficient than other correlative signature schemes.