Bit Security of Learning with Errors for Post-Quantum Cryptography and Fully Homomorphic Encryption

后量子密码学和全同态加密的错误学习的比特安全性

• 批准号: EP/P009417/1
• 负责人: Martin Albrecht
• 金额: $ 10.22万
• 依托单位: Royal Holloway University of London
• 依托单位国家: 英国
• 项目类别: Research Grant
• 财政年份: 2017
• 资助国家: 英国
• 起止时间: 2017 至 无数据
• 项目状态: 已结题
• 来源: https://gtr.ukri.org/projects?ref=EP%2FP009417%2F1
• 关键词: Bit; Security; Learning; Errors; Post

LWE can be summarised as: given a matrix `A` and a vector `b` modulo `q`, decide if `b` is uniform or if `b = A * s + e` for some small error `e`. Hence, the problem is essentially to solve a noisy linear system of equations modulo `q`. It was shown by Regev that this problem is as hard as assumed-to-be-hard problems. The problem has become a central building block of modern cryptographic constructions.1. Modern cybersecurity relies on cryptographic algorithms such as RSA encryption and digital signatures as well as the Diffie-Hellman key exchange. It is well-known that the hard mathematical problems underlying these algorithms can be solved efficiently on a quantum computer. While the advent of quantum computers has been promised many times before, recent developments in the area have convinced many actors, especially those with a long-term security mission, to actively seek alternative algorithms which promise post-quantum security. As a result, post-quantum cryptography has recently developed from a niche area of cryptography to a mainstream concern. With the American standards body NIST announcing it would hold a competition for post-quantum proposals, the field is posed to become a central area of cryptographic research in the coming years. LWE is one of the central candidates for a hard problem withstanding attacks using quantum computers and first proposals for key exchange algorithms for Internet communication based on LWE are available.2. Fully homomorphic encryption, the ability to compute with encrypted data, has progressed considerably since a first solution was proposed in Gentry's seminal work. The most recent generation of such schemes have become efficient enough to the point that first prototype applications, such as privacy-preserving computations with genome data, are being developed. All such constructions rely on the difficulty of solving LWE.While it is encouraging to have Regev's proof that solving LWE is no easier than solving problems widely believed to be hard as we increase parameters, this does not settle the question of how big we should choose our parameters to provide security against real world attacks. The purpose of this project is to provide more refined answers to this question, allowing us to rely on LWE with more confidence.

可以将LWE概述为：给定矩阵`a`和vector`B` modulo` q'，确定`b`是否均匀，或者是否b = a * s + e`对于某些小错误`因此，问题本质上是解决方程式嘈杂的线性系统模型`q'。 Regev表明，这个问题与假定的问题一样困难。这个问题已成为现代加密结构的中心基础。1。现代网络安全依赖于加密算法，例如RSA加密和数字签名以及Diffie-Hellman密钥交换。众所周知，这些算法的基础数学问题可以在量子计算机上有效解决。虽然量子计算机的出现之前已经承诺了多次，但该地区的最新发展使许多演员，尤其是那些具有长期安全任务的演员，都积极寻求替代算法，这些算法承诺后量化后的安全性。结果，量词后密码学最近从密码学的利基区域发展到主流关注点。随着美国标准机构NIST宣布将举办量词后提案的竞争，该领域被认为是未来几年的密码研究的中心领域。 LWE是使用Quantum Computers进行攻击的严重问题的中心候选人之一，并且可以提供基于LWE的Internet通信的钥匙交换算法的第一个建议。2。自从绅士的开创性工作中提出了第一个解决方案以来，完全使用加密数据计算的能力是完全同态加密的。最近一代这样的方案已经变得足够有效，以至于开发了第一个原型应用程序，例如使用基因组数据进行隐私的计算。所有这些结构都依赖于解决LWE的困难。尽管有Regev的证据证明，解决LWE的证据不比解决问题广泛地认为是困难的问题要容易得多，但这并不能解决我们应该如何选择参数以提供对现实世界攻击的安全性的问题。该项目的目的是为这个问题提供更精致的答案，使我们能够更有信心依靠LWE。

项目成果

Implementing RLWE-based Schemes Using an RSA Co-Processor

• DOI: 10.13154/tches.v2019.i1.169-208
• 发表时间: 2018-11
• 期刊: IACR Trans. Cryptogr. Hardw. Embed. Syst.
• 作者: Martin R. Albrecht;Christian H. Hanser;Andrea Höller;T. Pöppelmann;Fernando Virdia;Andreas Wallner

Breaking Bridgefy, again: Adopting libsignal is not enough

再次破坏 Bridgefy：采用 libsignal 还不够

• 发表时间: 2022
• 期刊: Proceedings of the 31st USENIX Security Symposium, Security 2022
• 作者: Albrecht M.R.

Prime and Prejudice

最初与偏见

• DOI: 10.1145/3243734.3243787
• 发表时间: 2018
• 作者: Albrecht M