Public-Key Cryptography – PKC 2013

In this short note we observe that the Peikert-Vaikuntanathan-Waters (PVW) method of packing many plaintext elements in a single Regev-type ciphertext can be used for performing SIMD homomorphic operations on packed ciphertexts. This provides an alternative to the Smart-Vercauteren (SV) ciphertext-packing technique that relies on polynomial-CRT. While the SV technique is only applicable to schemes that rely on ring-LWE (or other hardness assumptions in ideal lattices), the PVW method can also be used for cryptosystems whose security is based on standard LWE (or, more broadly, on the hardness of “General-LWE”). Although using the PVW method with LWE-based schemes leads to worse asymptotic efficiency than using the SV technique with ring-LWE schemes, the simplicity of this method may still offer some practical advantages. Also, the two techniques can be used in tandem with “general-LWE” schemes, suggesting yet another tradeoff that can be optimized for different settings.
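To make the PVW packing idea concrete, here is an added toy example (not code from the paper, and with constructed parameters far too small to be secure): a Regev-type ciphertext carries one shared vector a and one b_j per plaintext slot, so L bits share a single a, and adding two ciphertexts component-wise acts on all L slots at once, i.e. a SIMD homomorphic XOR.

```python
import random

# Toy parameters (constructed for illustration; far too small to be secure).
Q = 4093       # modulus q
N = 16         # LWE dimension n
L = 8          # number of plaintext bits packed per ciphertext (PVW's "l")
ERR = 2        # error magnitude bound; total noise must stay below q/4

def keygen(rng):
    """Secret key: L independent LWE secrets s_1..s_L, one per slot."""
    return [[rng.randrange(Q) for _ in range(N)] for _ in range(L)]

def encrypt(sk, bits, rng):
    """PVW-style packed Regev ciphertext (a, b_1..b_L): one shared vector a,
    and per slot b_j = <s_j, a> + e_j + floor(q/2) * m_j mod q."""
    assert len(bits) == L
    a = [rng.randrange(Q) for _ in range(N)]
    b = []
    for j in range(L):
        e = rng.randint(-ERR, ERR)
        ip = sum(x * y for x, y in zip(sk[j], a)) % Q
        b.append((ip + e + (Q // 2) * bits[j]) % Q)
    return (a, b)

def add(ct1, ct2):
    """Homomorphic addition: component-wise, so it acts on all L slots (SIMD)."""
    a = [(x + y) % Q for x, y in zip(ct1[0], ct2[0])]
    b = [(x + y) % Q for x, y in zip(ct1[1], ct2[1])]
    return (a, b)

def decrypt(sk, ct):
    """Each slot is decoded independently: bit is 1 iff b_j - <s_j,a> is near q/2."""
    a, b = ct
    bits = []
    for j in range(L):
        ip = sum(x * y for x, y in zip(sk[j], a)) % Q
        v = (b[j] - ip) % Q
        if v > Q // 2:          # centre into (-q/2, q/2]
            v -= Q
        bits.append(1 if abs(v) > Q // 4 else 0)
    return bits

def demo():
    """Encrypt two 8-bit slot vectors, add the ciphertexts, decrypt the slot-wise XOR."""
    rng = random.Random(1)
    sk = keygen(rng)
    m1 = [1, 0, 1, 1, 0, 0, 1, 0]
    m2 = [1, 1, 0, 1, 0, 1, 0, 0]
    ct = add(encrypt(sk, m1, rng), encrypt(sk, m2, rng))
    return decrypt(sk, ct)   # expected: [0, 1, 1, 0, 0, 1, 1, 0]
```

Decryption of the sum works because the per-slot noise e_1 + e_2 stays well below q/4; with more additions the ERR bound and q would have to be chosen accordingly.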
