Joop van de Pol
University of Bristol
Publication
Featured research published by Joop van de Pol.
IACR Cryptology ePrint Archive | 2013
Joop van de Pol; Nigel P. Smart
We revisit the estimation of parameters for use in applications of the BGV homomorphic encryption system, which generally require high dimensional lattices. In particular, we utilize the BKZ-2.0 simulator of Chen and Nguyen to identify the best lattice attack that can be mounted using BKZ in a given dimension at a given security level. Using this technique, we show that it should be possible to work with lattices of smaller dimensions than previous methods have recommended, while still maintaining reasonable levels of security. As example applications we look at the evaluation of AES via FHE operations presented at Crypto 2012, and the parameters for the SHE variant of BGV used in the SPDZ protocol from Crypto 2012.
The Cryptographers' Track at the RSA Conference | 2015
Joop van de Pol; Nigel P. Smart; Yuval Yarom
We extend the Flush+Reload side-channel attack of Benger et al. to extract a significantly larger number of bits of information per observed signature when using OpenSSL. This means that by observing only 25 signatures, we can recover secret keys of the secp256k1 curve, used in the Bitcoin protocol, with a probability greater than 50 percent. This is an order-of-magnitude improvement over the previously best known result.
Annual Computer Security Applications Conference | 2016
Thomas Allan; Billy Bob Brumley; Katrina Falkner; Joop van de Pol; Yuval Yarom
Interference between processes executing on shared hardware can be used to mount performance-degradation attacks. However, in most cases, such attacks offer little benefit for the adversary. In this paper, we demonstrate that software-based performance-degradation attacks can be used to amplify side-channel leaks, enabling the adversary to increase both the amount and the quality of information captured. We identify a new information leak in the OpenSSL implementation of the ECDSA digital signature algorithm, albeit seemingly unexploitable due to the limited granularity of previous trace procurement techniques. To overcome this imposing hurdle, we combine the information leak with a microarchitectural performance-degradation attack that can slow victims down by a factor of over 150. We demonstrate how this combination enables the amplification of a side-channel sufficiently to exploit this new information leak. Using the combined attack, an adversary can break a private key of the secp256k1 curve, used in the Bitcoin protocol, after observing only 6 signatures, a four-fold improvement over all previously described attacks.
arXiv: Cryptography and Security | 2013
Thijs Laarhoven; Michele Mosca; Joop van de Pol
By applying Grover's quantum search algorithm to the lattice algorithms of Micciancio and Voulgaris, Nguyen and Vidick, Wang et al., and Pujol and Stehle, we obtain improved asymptotic quantum results for solving the shortest vector problem. With quantum computers we can provably find a shortest vector in time 2^{1.799n + o(n)}, improving upon the classical time complexity of 2^{2.465n + o(n)} of Pujol and Stehle and the 2^{2n + o(n)} of Micciancio and Voulgaris, while heuristically we expect to find a shortest vector in time 2^{0.312n + o(n)}, improving upon the classical time complexity of 2^{0.384n + o(n)} of Wang et al. These quantum complexities will be an important guide for the selection of parameters for post-quantum cryptosystems based on the hardness of the shortest vector problem. Keywords: lattices; shortest vector problem; sieving; quantum algorithms; quantum search
Public Key Cryptography | 2015
Emmanuela Orsini; Joop van de Pol; Nigel P. Smart
We describe a method to bootstrap a packed BGV ciphertext which does not depend (as much) on any special properties of the plaintext and ciphertext moduli. Prior “efficient” methods such as that of Gentry et al. (PKC 2012) required a ciphertext modulus \(q\) which was close to a power of the plaintext modulus \(p\). This enables our method to be applied in a larger number of situations. Also unlike previous methods our depth grows only as \(O(\log p + \log \log q)\) as opposed to the \(\log q\) of previous methods. Our basic bootstrapping technique makes use of a representation of the group \({\mathbb {Z}}_q^+\) over the finite field \({\mathbb {F}}_p\) (either based on polynomials or elliptic curves), followed by polynomial interpolation of the reduction mod \(p\) map over the coefficients of the algebraic group.
International Journal of Applied Cryptography | 2017
Joppe W. Bos; Michael Naehrig; Joop van de Pol
The security of many lattice-based cryptographic schemes relies on the hardness of finding short vectors in integral lattices. We propose a new variant of the parallel Gauss sieve algorithm to compute such short vectors. It combines favourable properties of previous approaches resulting in reduced run time and memory requirement per node. Our publicly available implementation outperforms all previous Gauss sieve approaches for dimensions 80, 88, and 96. When computing short vectors in ideal lattices, we show how to reduce the number of multiplications and comparisons by using a symbolic Fourier transform. We computed a short vector in a negacyclic ideal lattice of dimension 128 in less than nine days on 1,024 cores, more than twice as fast as the recent record computation for the same lattice on the same computer hardware.
Lecture Notes in Computer Science | 2013
Thijs Laarhoven; Michele Mosca; Joop van de Pol
Lecture Notes in Computer Science | 2013
Thijs Laarhoven; Michele Mosca; Joop van de Pol; Ph. Gaborit
Cryptographic Hardware and Embedded Systems | 2014
Naomi Benger; Joop van de Pol; Nigel P. Smart; Yuval Yarom
IACR Cryptology ePrint Archive | 2014
Joppe W. Bos; Michael Naehrig; Joop van de Pol