Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts

Symmetric ciphers purposed for Fully Homomorphic Encryption FHE have recently been proposed for two main reasons. First, minimizing the implementation time and memory overheads that are inherent to current FHE schemes. Second, improving the homomorphic capacity, i.e. the amount of operations that one can perform on homomorphic ciphertexts before bootstrapping, which amounts to limit their level of noise. Existing solutions for this purpose suggest a gap between block ciphers and stream ciphers. The first ones typically allow a constant but small homomorphic capacity, due to the iteration of rounds eventually leading to complex Boolean functions hence large noise. The second ones typically allow a larger homomorphic capacity for the first ciphertext blocks, that decreases with the number of ciphertext blocks due to the increasing Boolean complexity of the stream ciphers' output. In this paper, we aim to combine the best of these two worlds, and propose a new stream cipher construction that allows constant and smaller noise. Its main idea is to apply a Boolean filter function to a public bit permutation of a constant key register, so that the Boolean complexity of the stream cipher outputs is constant. We also propose an instantiation of the filter function designed to exploit recent 3rd-generation FHE schemes, where the error growth is quasi-additive when adequately multiplying ciphertexts with the same amount of noise. In order to stimulate further investigation, we then specify a few instances of this stream cipher, for which we provide a preliminary security analysis. We finally highlight the good properties of our stream cipher regarding the other goal of minimizing the time and memory complexity of calculus delegation for 2nd-generation FHEi¾?schemes. We conclude the paper with open problems related to the large design space opened by these new constructions.

[1]  Claude Carlet,et al.  Enhanced Boolean functions suitable for the filter model of pseudo-random generator , 2015, Des. Codes Cryptogr..

[2]  Thomas Siegenthaler,et al.  Decrypting a Class of Stream Ciphers Using Ciphertext Only , 1985, IEEE Transactions on Computers.

[3]  Seokhie Hong,et al.  A note on "Improved Fast Correlation Attacks on Stream Ciphers" , 2010, IACR Cryptol. ePrint Arch..

[4]  Willi Meier,et al.  Fast Correlation Attacks on Stream Ciphers (Extended Abstract) , 1988, EUROCRYPT.

[5]  Frederik Armknecht,et al.  Efficient Computation of Algebraic Immunity for Algebraic and Fast Algebraic Attacks , 2006, EUROCRYPT.

[6]  Manuel Blum,et al.  How to generate cryptographically strong sequences of pseudo random bits , 1982, 23rd Annual Symposium on Foundations of Computer Science (sfcs 1982).

[7]  Frederik Vercauteren,et al.  Somewhat Practical Fully Homomorphic Encryption , 2012, IACR Cryptol. ePrint Arch..

[8]  Willi Meier,et al.  Fast Correlation Attacks: Methods and Countermeasures , 2011, FSE.

[9]  Virginie Lallemand,et al.  Cryptanalysis of the FLIP Family of Stream Ciphers , 2016, CRYPTO.

[10]  Léo Ducas,et al.  Lattice Signatures and Bimodal Gaussians , 2013, IACR Cryptol. ePrint Arch..

[11]  J. Faugère A new efficient algorithm for computing Gröbner bases (F4) , 1999 .

[12]  Donald E. Knuth The Art of Computer Programming 2 / Seminumerical Algorithms , 1971 .

[13]  Craig Gentry,et al.  Homomorphic Evaluation of the AES Circuit , 2012, IACR Cryptol. ePrint Arch..

[14]  Adi Shamir,et al.  Cube Attacks on Tweakable Black Box Polynomials , 2009, IACR Cryptol. ePrint Arch..

[15]  Chris Peikert,et al.  Better Key Sizes (and Attacks) for LWE-Based Encryption , 2011, CT-RSA.

[16]  Jonathan Katz,et al.  Introduction to Modern Cryptography: Principles and Protocols , 2007 .

[17]  Roman Vershynin,et al.  Introduction to the non-asymptotic analysis of random matrices , 2010, Compressed Sensing.

[18]  Craig Gentry,et al.  (Leveled) fully homomorphic encryption without bootstrapping , 2012, ITCS '12.

[19]  B. Preneel Fast Software Encryption: Second International Workshop, Leuven, Belgium, December 14-16, 1994. Proceedings , 1995 .

[20]  David Thomas,et al.  The Art in Computer Programming , 2001 .

[21]  Claus-Peter Schnorr,et al.  Lattice basis reduction: Improved practical algorithms and solving subset sum problems , 1991, FCT.

[22]  J. Wrench Table errata: The art of computer programming, Vol. 2: Seminumerical algorithms (Addison-Wesley, Reading, Mass., 1969) by Donald E. Knuth , 1970 .

[23]  Oded Regev,et al.  On lattices, learning with errors, random linear codes, and cryptography , 2005, STOC '05.

[24]  Michael Luby,et al.  How to Construct Pseudo-Random Permutations from Pseudo-Random Functions (Abstract) , 1986, CRYPTO.

[25]  Anne Canteaut,et al.  Zero-Sum Distinguishers for Iterated Permutations and Application to Keccak-f and Hamsi-256 , 2010, Selected Areas in Cryptography.

[26]  Claude Carlet,et al.  PICARO - A Block Cipher Allowing Efficient Higher-Order Side-Channel Resistance , 2012, ACNS.

[27]  François-Xavier Standaert,et al.  LS-Designs: Bitslice Encryption for Efficient Masked Software Implementations , 2014, FSE.

[28]  Chris Peikert,et al.  On Ideal Lattices and Learning with Errors over Rings , 2010, JACM.

[29]  Mihir Bellare,et al.  Forward-Security in Private-Key Cryptography , 2003, CT-RSA.

[30]  David A. Wagner,et al.  Tweakable Block Ciphers , 2002, Journal of Cryptology.

[31]  Yehuda Lindell,et al.  Introduction to Modern Cryptography , 2004 .

[32]  Donald Ervin Knuth,et al.  The Art of Computer Programming, Volume II: Seminumerical Algorithms , 1970 .

[33]  Daniele Micciancio Lattice-Based Cryptography , 2011, Encyclopedia of Cryptography and Security.

[34]  Nicolas Courtois Fast Algebraic Attacks on Stream Ciphers with Linear Feedback , 2003, CRYPTO.

[35]  Ross J. Anderson Searching for the Optimum Correlation Attack , 1994, FSE.

[36]  Tatsuaki Okamoto,et al.  Packing Messages and Optimizing Bootstrapping in GSW-FHE , 2015, Public Key Cryptography.

[37]  Shai Halevi,et al.  Algorithms in HElib , 2014, CRYPTO.

[38]  Proceedings of the 3rd ACM Cloud Computing Security Workshop, CCSW 2011, Chicago, IL, USA, October 21, 2011 , 2011, CCSW.

[39]  Michael Naehrig,et al.  A Comparison of the Homomorphic Encryption Schemes FV and YASHE , 2014, AFRICACRYPT.

[40]  María Naya-Plasencia,et al.  Conditional Differential Cryptanalysis of NLFSR-Based Cryptosystems , 2010, ASIACRYPT.

[41]  María Naya-Plasencia,et al.  Block Ciphers That Are Easier to Mask: How Far Can We Go? , 2013, CHES.

[42]  Chris Peikert,et al.  Circular and KDM Security for Identity-Based Encryption , 2012, Public Key Cryptography.

[43]  Oded Regev,et al.  Lattice-Based Cryptography , 2006, CRYPTO.

[44]  Vinod Vaikuntanathan,et al.  Lattice-based FHE as secure as PKE , 2014, IACR Cryptol. ePrint Arch..

[45]  Craig Gentry,et al.  Fully homomorphic encryption using ideal lattices , 2009, STOC '09.

[46]  David A. Wagner,et al.  Integral Cryptanalysis , 2002, FSE.

[47]  Dominique De Werra Boolean Models and Methods in Mathematics, Computer Science, and Engineering , 2010, Boolean Models and Methods.

[48]  Chris Peikert,et al.  Trapdoors for Lattices: Simpler, Tighter, Faster, Smaller , 2012, IACR Cryptol. ePrint Arch..

[49]  Éric Levieil,et al.  An Improved LPN Algorithm , 2006, SCN.

[50]  Anne Canteaut,et al.  Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression , 2016, FSE.

[51]  Yehuda Lindell,et al.  Introduction to Modern Cryptography (Chapman & Hall/Crc Cryptography and Network Security Series) , 2007 .

[52]  Martin R. Albrecht,et al.  Ciphers for MPC and FHE , 2015, IACR Cryptol. ePrint Arch..

[53]  François-Xavier Standaert,et al.  Leakage-Resilient Symmetric Cryptography Under Empirically Verifiable Assumptions , 2013, IACR Cryptol. ePrint Arch..

[54]  Anne Canteaut,et al.  Stream Ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression , 2016, Journal of Cryptology.

[55]  Nicolas Courtois,et al.  Higher Order Correlation Attacks, XL Algorithm and Cryptanalysis of Toyocrypt , 2002, ICISC.

[56]  Aria Shahverdi,et al.  Toward Practical Homomorphic Evaluation of Block Ciphers Using Prince , 2014, Financial Cryptography Workshops.

[57]  Willi Meier,et al.  Fast Algebraic Attacks on Stream Ciphers with Linear Feedback , 2003, CRYPTO.

[58]  Jean-Sébastien Coron,et al.  Scale-Invariant Fully Homomorphic Encryption over the Integers , 2014, Public Key Cryptography.

[59]  Michael Schneider,et al.  Estimating the Security of Lattice-based Cryptosystems , 2010, IACR Cryptol. ePrint Arch..

[60]  Willi Meier,et al.  Optimized Interpolation Attacks on LowMC , 2015, ASIACRYPT.

[61]  Nicolas Gama,et al.  Predicting Lattice Reduction , 2008, EUROCRYPT.

[62]  Vinod Vaikuntanathan,et al.  SHIELD: Scalable Homomorphic Implementation of Encrypted Data-Classifiers , 2015, IEEE Transactions on Computers.

[63]  Léo Ducas,et al.  FHEW: Bootstrapping Homomorphic Encryption in Less Than a Second , 2015, EUROCRYPT.

[64]  Vinod Vaikuntanathan,et al.  Can homomorphic encryption be practical? , 2011, CCSW '11.

[65]  Florian Mendel,et al.  Higher-Order Cryptanalysis of LowMC , 2015, ICISC.

[66]  Claude Carlet,et al.  Boolean Functions for Cryptography and Error-Correcting Codes , 2010, Boolean Models and Methods.

[67]  Willi Meier,et al.  Algebraic Immunity of S-Boxes and Augmented Functions , 2007, FSE.

[68]  Phong Q. Nguyen,et al.  BKZ 2.0: Better Lattice Security Estimates , 2011, ASIACRYPT.

[69]  Chris Peikert,et al.  Faster Bootstrapping with Polynomial Error , 2014, CRYPTO.

[70]  Douglas H. Wiedemann Solving sparse linear equations over finite fields , 1986, IEEE Trans. Inf. Theory.

[71]  Brent Waters,et al.  Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based , 2013, CRYPTO.