
Publications


Featured research published by Johannes A. Buchmann.


Nature | 2008

Post-Quantum Cryptography

Daniel J. Bernstein; Johannes A. Buchmann; Erik Dahmen

Cryptography is essential for the security of online communication, cars and implanted medical devices. However, many commonly used cryptosystems will be completely broken once large quantum computers exist. Post-quantum cryptography is cryptography under the assumption that the attacker has a large quantum computer; post-quantum cryptosystems strive to remain secure even in this scenario. This relatively young research area has seen some successes in identifying mathematical operations for which quantum algorithms offer little advantage in speed, and then building cryptographic systems around those. The central challenge in post-quantum cryptography is to meet demands for cryptographic usability and flexibility without sacrificing confidence.


Journal of Cryptology | 1988

A key-exchange system based on imaginary quadratic fields

Johannes A. Buchmann; Hugh C. Williams

We describe another key-exchange system which, while based on the general idea of the well-known scheme of Diffie and Hellman, seems to be more secure than that technique. The new system is based on the arithmetic of an imaginary quadratic field, and makes use, specifically, of the properties of the class group of such a field.


Archive | 2012

Public Key Cryptography — PKC 2012

Marc Fischlin; Johannes A. Buchmann; Mark Manulis

Gentry's bootstrapping technique is currently the only known method of obtaining a "pure" fully homomorphic encryption (FHE) scheme, and it may offer performance advantages even in cases that do not require pure FHE (e.g., when using the noise-control technique of Brakerski-Gentry-Vaikuntanathan). The main bottleneck in bootstrapping is the need to evaluate homomorphically the reduction of one integer modulo another. This is typically done by emulating a binary modular reduction circuit, using bit operations on the binary representation of integers. We present a simpler approach that bypasses the homomorphic modular-reduction bottleneck to some extent, by working with a modulus very close to a power of two. Our method is easier to describe and implement than the generic binary circuit approach, and we expect it to be faster in practice (although we have not implemented it yet). In some cases it also allows us to store the encryption of the secret key as a single ciphertext, thus reducing the size of the public key. We also show how to combine our new method with the SIMD homomorphic computation techniques of Smart-Vercauteren and Gentry-Halevi-Smart, to get a bootstrapping method that works in time quasi-linear in the security parameter. This last part requires extending the techniques from prior work to handle arithmetic not only over fields, but also over some rings. (Specifically, our method uses arithmetic modulo a power of two, rather than over characteristic-two fields.)


Cryptographic Hardware and Embedded Systems | 2012

On the design of hardware building blocks for modern lattice-based encryption schemes

Norman Göttert; Thomas Feller; Michael Schneider; Johannes A. Buchmann; Sorin A. Huss

We present both a hardware and a software implementation variant of the learning with errors (LWE) based cryptosystem presented by Lindner and Peikert. This work helps in assessing the practicality of lattice-based encryption. For the software implementation, we give a comparison between a matrix-based and a polynomial-based variant of the LWE scheme. This module includes multiplication in polynomial rings using the Fast Fourier Transform (FFT). In order to implement lattice-based cryptography in an efficient way, it is crucial to apply the systems over polynomial rings. FFT speeds up multiplication in polynomial rings, which is the most critical operation in lattice-based cryptography, from quadratic to quasi-linear runtime. For the hardware variant, we show how this fundamental building block of lattice-based cryptography can be implemented and evaluated in terms of performance. A second important component for lattice-based cryptosystems is sampling from discrete Gaussian distributions. We examine three different variants for sampling Gaussian-distributed integers in hardware, namely rejection sampling, a rounding-based approach, and a look-up-table-based approach.


PQCrypto'11 Proceedings of the 4th international conference on Post-Quantum Cryptography | 2011

XMSS - a practical forward secure signature scheme based on minimal security assumptions

Johannes A. Buchmann; Erik Dahmen; Andreas Hülsing

We present the hash-based signature scheme XMSS. It is the first provably (forward) secure and practical signature scheme with minimal security requirements: a pseudorandom and a second-preimage-resistant (hash) function family. Its signature size is reduced to less than 25% compared to the best provably secure hash-based signature scheme.


International Conference on Cryptology in India | 2006

CMSS: an improved Merkle signature scheme

Johannes A. Buchmann; Luis Carlos Coronado García; Erik Dahmen; Martin Döring; Elena Klintsevich

The Merkle signature scheme (MSS) is an interesting alternative to well-established signature schemes such as RSA, DSA, and ECDSA. The security of MSS relies only on the existence of cryptographically secure hash functions. MSS has a good chance of being quantum-computer resistant. In this paper, we propose CMSS, a variant of MSS with reduced private key size, key pair generation time, and signature generation time. We demonstrate that CMSS is competitive in practice by presenting a highly efficient implementation within the Java Cryptographic Service Provider FlexiProvider. We present extensive experimental results and show that our implementation can, for example, be used to sign messages in Microsoft Outlook.


Applied Cryptography and Network Security | 2007

Merkle Signatures with Virtually Unlimited Signature Capacity

Johannes A. Buchmann; Erik Dahmen; Elena Klintsevich; Katsuyuki Okeya; Camille Vuillaume

We propose GMSS, a new variant of the Merkle signature scheme. GMSS is the first Merkle-type signature scheme that allows a cryptographically unlimited (2^80) number of documents to be signed with one key pair. Compared to recent improvements of the Merkle signature scheme, GMSS reduces the signature size as well as the signature generation cost.


Archive | 1995

LiDIA: a library for computational number theory

Ingrid Biehl; Johannes A. Buchmann; Thomas Papanikolaou

In this paper we describe LiDIA, a new library for computational number theory. Why do we work on a new library for computational number theory when such powerful tools as Pari [1], Kant [11], Simath [10] already exist? In fact, those systems are very useful for solving problems for which there exist efficient system routines. For example, using Pari or Kant it is possible to compute invariants of algebraic number fields and Simath can be used to find the rank of an elliptic curve over Q. However, building complicated and efficient software on top of existing systems has in our experience turned out to be very difficult. Therefore, the software of our research group is developed independently of other computer algebra systems.


Journal of Number Theory | 1987

On the computation of units and class numbers by a generalization of Lagrange's algorithm

Johannes A. Buchmann

Based on a number-geometric interpretation of the continued fraction algorithm in real quadratic fields, an algorithm is developed by which one can compute a system of fundamental units of any order O of an arbitrary number field F. This algorithm can also be used to test an ideal in O for principality and to compute the class number of O.


PQCrypto '08 Proceedings of the 2nd International Workshop on Post-Quantum Cryptography | 2008

MXL2: Solving Polynomial Equations over GF(2) Using an Improved Mutant Strategy

Mohamed Saied Emam Mohamed; Wael Said Abd Elmageed Mohamed; Jintai Ding; Johannes A. Buchmann

MutantXL is an algorithm for solving systems of polynomial equations that was proposed at SCC 2008. This paper proposes two substantial improvements to this algorithm over GF(2) that result in significantly reduced memory usage. We present experimental results comparing MXL2 to the XL algorithm, the MutantXL algorithm and Magma's implementation of F4. For this comparison we have chosen small, randomly generated instances of the MQ problem and quadratic systems derived from HFE instances. In both cases, the largest matrices produced by MXL2 are substantially smaller than the ones produced by MutantXL and XL. Moreover, for a significant number of cases we even see a reduction of the size of the largest matrix when we compare MXL2 against Magma's F4 implementation.

Collaboration


Frequent co-authors of Johannes A. Buchmann.

Top Co-Authors (all at Technische Universität Darmstadt):

Denise Demirel
Stanislav Bulygin
Johannes Braun
Alexander Wiesmaier
Lucas Schabhüser
Matthias Geihs
Giulia Traverso
Denis Butin