Advertisement

HILA5: On Reliability, Reconciliation, and Error Correction for Ring-LWE Encryption

  • Markku-Juhani O. Saarinen
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 10719)

Abstract

We describe a new reconciliation method for Ring-LWE that has a significantly smaller failure rate than previous proposals while reducing ciphertext size and the amount of randomness required. It is based on a simple, deterministic variant of Peikert’s reconciliation that works with our new “safe bits” selection and constant-time error correction techniques. The new method does not need randomized smoothing to achieve non-biased secrets. When used with the very efficient “New Hope” Ring-LWE parametrization we achieve a decryption failure rate well below \(2^{-128}\) (compared to \(2^{-60}\) of the original), making the scheme suitable for public key encryption in addition to key exchange protocols; the reconciliation approach saves about \(40 \%\) in ciphertext size when compared to the common LP11 Ring-LWE encryption scheme. We perform a combinatorial failure analysis using full probability convolutions, leading to a precise understanding of decryption failure conditions on bit level. Even with additional implementation security and safety measures the new scheme is still essentially as fast as the New Hope but has slightly shorter messages. The new techniques have been instantiated and implemented as a Key Encapsulation Mechanism (KEM) and public key encryption scheme designed to meet the requirements of NIST’s Post-Quantum Cryptography effort at very high security level.

Keywords

Ring-LWE Reconciliation Post-Quantum encryption New hope 

Notes

Acknowledgements.

The author wishes to thank the DARKMATTER Crypto Team and Dr. Najwa Aaraj for providing feedback and supporting this research.

Supplementary material

References

  1. 1.
    Aguilar, C., Gaborit, P., Lacharme, P., Schrek, J., Zémor, G.: Noisy Diffie-Hellman protocols, May 2010, https://pqc2010.cased.de/rr/03.pdf. Talk given by Philippe Gaborit at PQCrypto 2010 “Recent Results” session
  2. 2.
    Albrecht, M.R., Göpfert, F., Virdia, F., Wunderer, T.: Revisiting the expected cost of solving uSVP and applications to LWE. In: ASIACRYPT 2017 (2017), https://eprint.iacr.org/2017/815
  3. 3.
    Albrecht, M.R., Player, R., Scott, S.: On the concrete hardness of learning with errors. J. Math. Cryptology 9(3), 169–203 (2015), https://eprint.iacr.org/2015/046
  4. 4.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Newhope without reconciliation. IACR ePrint 2016/1157, December 2016, https://eprint.iacr.org/2016/1157
  5. 5.
    Alkim, E., Ducas, L., Pöppelmann, T., Schwabe, P.: Post-quantum key exchange - A new hope. In: Holz, T., Savage, S. (eds.) USENIX Security 16, pp. 327–343. USENIX Association, August 2016, https://www.usenix.org/system/files/conference/usenixsecurity16/sec16_paper_alkim.pdf. full version, https://eprint.iacr.org/2015/1092
  6. 6.
    Alkim, E., Jakubeit, P., Schwabe, P.: A new hope on ARM Cortex-M. IACR ePrint 2016/758 (2016), https://eprint.iacr.org/2016/758
  7. 7.
    Amy, M., Matteo, O.D., Gheorghiu, V., Mosca, M., Parent, A., Schanck, J.: Estimating the cost of generic quantum pre-image attacks on SHA-2 and SHA-3. IACR ePrint 2016/992 (2016), http://eprint.iacr.org/2016/992. To appear in Proc. SAC 2016
  8. 8.
    Applebaum, B., Cash, D., Peikert, C., Sahai, A.: Fast cryptographic primitives and circular-secure encryption based on hard learning problems. In: Halevi, S. (ed.) CRYPTO 2009. LNCS, vol. 5677, pp. 595–618. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-03356-8_35 CrossRefGoogle Scholar
  9. 9.
    Bellare, M., Desai, A., Pointcheval, D., Rogaway, P.: Relations among notions of security for public-key encryption schemes. In: Krawczyk, H. (ed.) CRYPTO 1998. LNCS, vol. 1462, pp. 26–45. Springer, Heidelberg (1998).  https://doi.org/10.1007/BFb0055718 CrossRefGoogle Scholar
  10. 10.
    Bennett, C.H., Brassard, G.: Quantum cryptography: public key distribution and coin tossing. In: Proceedings of IEEE International Conference on Computers, Systems and Signal Processing, pp. 175–179. IEEE, December 1984, http://researcher.watson.ibm.com/researcher/files/us-bennetc/BB84highest.pdf
  11. 11.
    Bennett, C.H., Brassard, G., Robert, J.M.: Privacy amplification by public discussion. SIAM J. Comput. 17(2), 210–229 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  12. 12.
    Bertoni, G., Daemen, J., Peeters, M., Assche, G.V., Keer, R.V.: Caesar submission: Keyak v2, September 2016, http://keyak.noekeon.org/. cAESAR Candidate Specification
  13. 13.
    Bos, J., Costello, C., Ducas, L., Mironov, I., Naehrig, M., Nikolaenko, V., Raghunathan, A., Stebila, D.: Frodo: take off the ring! practical, quantum-secure key exchange from LWE. In: ACM CCS 2016, pp. 1006–1018. ACM, October 2016, https://eprint.iacr.org/2016/659. Full version, IACR ePrint 2016/659
  14. 14.
    Bos, J.W., Costello, C., Naehrig, M., Stebila, D.: Post-quantum key exchange for the TLS protocol from the ring learning with errors problem. In: IEEE S & P 2015, pp. 553–570. IEEE Computer Society (2015), https://eprint.iacr.org/2014/599. Extended version, IACR ePrint 2014/599
  15. 15.
    Brassard, G., Salvail, L.: Secret-key reconciliation by public discussion. In: Helleseth, T. (ed.) EUROCRYPT 1993. LNCS, vol. 765, pp. 410–423. Springer, Heidelberg (1994).  https://doi.org/10.1007/3-540-48285-7_35 CrossRefGoogle Scholar
  16. 16.
    Chen, L., Jordan, S., Liu, Y.K., Moody, D., Peralta, R., Perlner, R., Smith-Tone, D.: Report on post-quantum cryptography. NISTIR 8105, April 2016Google Scholar
  17. 17.
    Costello, C., Longa, P., Naehrig, M.: Efficient algorithms for supersingular isogeny Diffie-Hellman. In: Robshaw, M., Katz, J. (eds.) CRYPTO 2016. LNCS, vol. 9814, pp. 572–601. Springer, Heidelberg (2016).  https://doi.org/10.1007/978-3-662-53018-4_21 CrossRefGoogle Scholar
  18. 18.
    Cramer, R., Shoup, V.: Design and analysis of practical public-key encryption schemes secure against adaptive chosen ciphertext attack. SIAM J. Comput. 33(1), 167–226 (2003), http://www.shoup.net/papers/cca2.pdf
  19. 19.
    Czajkowski, J., Bruinderink, L.G., Hülsing, A., Schaffner, C.: Quantum preimage, 2nd-preimage, and collision resistance of SHA3. IACR ePrint 2017/302 (2017), https://eprint.iacr.org/2017/302
  20. 20.
    Ding, J.: Improvements on cryptographic systems using pairing with errors, June 2015, https://patents.google.com/patent/WO2015184991A1/en. Application PCT/CN2015/080697
  21. 21.
    Ding, J., Xie, X., Lin, X.: A simple provably secure key exchange scheme based on the learning with errors problem. IACR ePrint 2012/688 (2012), https://eprint.iacr.org/2012/688
  22. 22.
    Dworkin, M.: Recommendation for block cipher modes of operation: Galois/Counter Mode (GCM) and GMAC. NIST Special Publication 800–38D, November 2007Google Scholar
  23. 23.
    FIPS: Specification for the Advanced Encryption Standard (AES). Federal Information Processing Standards Publication 197 (November 2001), http://csrc.nist.gov/publications/fips/fips197/fips-197.pdf
  24. 24.
    FIPS: SHA-3 standard: permutation-based hash and extendable-output functions. Federal Information Processing Standards Publication 202, August 2015Google Scholar
  25. 25.
    Gueron, S., Schlieker, F.: Speeding up R-LWE post-quantum key exchange. IACR ePrint 2016/467 (2016), https://eprint.iacr.org/2016/467
  26. 26.
    Kuo, P.C., Li, W.D., Chen, Y.W., Hsu, Y.C., Peng, B.Y., Cheng, C.M., Yang, B.Y.: Post-quantum key exchange on FPGAs. IACR ePrint 2017/690 (2017), https://eprint.iacr.org/2017/690
  27. 27.
    Lindner, R., Peikert, C.: Better key sizes (and attacks) for LWE-based encryption. In: Kiayias, A. (ed.) CT-RSA 2011. LNCS, vol. 6558, pp. 319–339. Springer, Heidelberg (2011).  https://doi.org/10.1007/978-3-642-19074-2_21 CrossRefGoogle Scholar
  28. 28.
    Longa, P., Naehrig, M.: Speeding up the number theoretic transform for faster ideal lattice-based cryptography. In: Foresti, S., Persiano, G. (eds.) CANS 2016. LNCS, vol. 10052, pp. 124–139. Springer, Cham (2016).  https://doi.org/10.1007/978-3-319-48965-0_8 CrossRefGoogle Scholar
  29. 29.
    Lyubashevsky, V., Peikert, C., Regev, O.: On ideal lattices and learning with errors over rings. In: Gilbert, H. (ed.) EUROCRYPT 2010. LNCS, vol. 6110, pp. 1–23. Springer, Heidelberg (2010).  https://doi.org/10.1007/978-3-642-13190-5_1 CrossRefGoogle Scholar
  30. 30.
    Lyubashevsky, V., Peikert, C., Regev, O.: A toolkit for ring-LWE cryptography. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 35–54. Springer, Heidelberg (2013).  https://doi.org/10.1007/978-3-642-38348-9_3 CrossRefGoogle Scholar
  31. 31.
    MacWilliams, F.J., Sloane, N.J.: The Theory of Error-correcting Codes. North-Holland, Amsterdam (1977)zbMATHGoogle Scholar
  32. 32.
    NIST: Submission requirements and evaluation criteria for the post-quantum cryptography standardization process. Official Call for Proposals, National Institute for Standards and Technology, December 2016, http://csrc.nist.gov/groups/ST/post-quantum-crypto/documents/call-for-proposals-final-dec-2016.pdf
  33. 33.
    NSA/CSS: Information assurance directorate: Commercial national security algorithm suite and quantum computing FAQ, January 2016, https://www.iad.gov/iad/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/cnsa-suite-and-quantum-computing-faq.cfm
  34. 34.
    Nussbaumer, H.J.: Fast polynomial transform algorithms for digital convolution. IEEE Trans. Acoust. Speech Signal Process. 28, 205–215 (1980)MathSciNetCrossRefzbMATHGoogle Scholar
  35. 35.
    Peikert, C.: Some recent progress in lattice-based cryptography. In: Reingold, O. (ed.) TCC 2009. LNCS, vol. 5444, pp. 72–72. Springer, Heidelberg (2009).  https://doi.org/10.1007/978-3-642-00457-5_5 CrossRefGoogle Scholar
  36. 36.
    Peikert, C.: Lattice cryptography for the internet. In: Mosca, M. (ed.) PQCrypto 2014. LNCS, vol. 8772, pp. 197–219. Springer, Cham (2014).  https://doi.org/10.1007/978-3-319-11659-4_12 Google Scholar
  37. 37.
    Proos, J., Zalka, C.: Shor’s discrete logarithm quantum algorithm for elliptic curves. Quantum Inf. Comput. 3(4), 317–344 (2003), https://arxiv.org/abs/quant-ph/9508027. Updated version available on arXiv
  38. 38.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. In: STOC 2005, pp. 84–93. ACM, May 2005Google Scholar
  39. 39.
    Regev, O.: On lattices, learning with errors, random linear codes, and cryptography. J. ACM 56(6), 34:1–34:40 (2009)Google Scholar
  40. 40.
    Saarinen, M.J.O.: Arithmetic coding and blinding countermeasures for lattice signatures. J. Cryptographic Eng. (to appear, 2017), http://rdcu.be/oHun
  41. 41.
    Saarinen, M.J.O.: Ring-LWE ciphertext compression and error correction: tools for lightweight post-quantum cryptography. In: Proceedings of the 3rd ACM International Workshop on IoT Privacy, Trust, and Security, IoTPTS 2017, pp. 15–22. ACM, April 2017Google Scholar
  42. 42.
    Shor, P.W.: Algorithms for quantum computation: discrete logarithms and factoring. In: Proceedings of FOCS 1994, pp. 124–134. IEEE (1994), https://arxiv.org/abs/quant-ph/9508027. Updated version available on arXiv
  43. 43.
    Stebila, D., Mosca, M.: Post-quantum key exchange for the internet and the open quantum safe project. In: Avanzi, R., Heys, H. (eds.) SAC 2016. LNCS, vol. 10532, pp. 14–37. Springer, Cham (2017).  https://doi.org/10.1007/978-3-319-69453-5_2 CrossRefGoogle Scholar
  44. 44.
    Streit, S., Santis, F.D.: Post-quantum key exchange on ARMv8-A - a new hope for NEON made simple. IACR ePrint 2017/388 (2017), https://eprint.iacr.org/2017/388
  45. 45.
    Unruh, D.: Collapsing sponges: post-quantum security of the sponge construction. IACR ePrint 2017/282 (2017), https://eprint.iacr.org/2017/282

Copyright information

© Springer International Publishing AG 2018

Authors and Affiliations

  1. 1.HelsinkiFinland

Personalised recommendations