Slides of Talk on Sage & Algebraic Techniques

The slides of my Icebreak talk on Sage and algebraic techniques for (lazy) cryptographers are now available (LaTeX sources here).

BKW: Update

We have updated our pre-print titled “On the Complexity of the BKW Algorithm on LWE” on ePrint.

There are two main changes and the reasons why I am mentioning this update here.

1. We included a more thorough comparison with other approaches, in particular, with lattice reduction (reducing LWE to SIS). To our surprise, BKW is quite competitive even in relatively modest dimensions. For Regev’s and Lindner-Peikert’s parameter sets (as interpreted here) we get that BKW is at least as fast as BKZ starting in dimension $n \approx 250$, which I find very low (see Table 4 on page 19).
2. We also provide an alternative approximating for the running time of BKZ. The standard estimate due to Lindner-Peikert is $\log_2 T_{sec} = \log_2 1.8/\delta_0 - 110$ where $\delta_0$ is the targeted root hermit factor. Interpolating estimates from the BKZ 2.0 simulator and reflecting on the doubly exponential running time of BKZ in the blocksize $\beta$ we found: $\log_2 T_{sec} = \log_2 0.009/\delta^2_0 - 27$. However, since this might be controversial, we include estimates for both models.

Faugère-Lachartre implementation for linear algebra for Gröbner bases

Fayssal’s code which implements the Faugère-Lachartre approach to linear algebra for Gröbner bases is available on Github now. Fayssal did a Master’s project on linear algebra for Gröbner bases in the team of Jean-Charles Faugère.

A Generator for LWE and Ring-LWE Instances

We’re ready to announce our LWE/Ring-LWE generators for Sage:

We introduce software for the generation of instances of the LWE and Ring-LWE problems, allowing both the generation of generic instances and also particular instances closely-related to those arising from cryptomania proposals in the literature. Our goal is to allow researchers to attack different instances in order to assess the practical hardness of LWE and Ring-LWE. This will in turn give insight to the practical security of cryptographic systems based on both problems.

Both the Sage and the lmonade project were successful in applying to Google Summer of Code 2013. If you are a student head over to their respective GSOC pages and get in touch. If you want to do a project related the stuff I write about on this blog, i.e., with me as a mentor, get in touch as well.

A Fully Homomorphic Cryptosystem with Approximate Perfect Secrecy

At CT-RSA 2013 a paper titled “A Fully Homomorphic Cryptosystem with Approximate Perfect Secrecy” by Michal Hojsík and Veronika Půlpánová was presented. Here is the abstract:

We propose a new fully homomorphic cryptosystem called Symmetric Polly Cracker (SymPC) and we prove its security in the information theoretical settings. Namely, we prove that SymPC approaches perfect secrecy in bounded CPA model as its security parameter grows (which we call approximate perfect secrecy). In our construction, we use a Gröbner basis to generate a polynomial factor ring of ciphertexts and use the underlying field as the plaintext space. The Gröbner basis equips the ciphertext factor ring with a multiplicative structure that is easily algorithmized, thus providing an environment for a fully homomorphic cryptosystem.

The proposal seems to have succeeded where we could not: a fully homomorphic encryption scheme that also is information theoretic secure. Indeed, the authors reference our work and point out that they are taking a different approach (from ours) which allows them to succeed in realising these two goals. Continue reading

Encouraging female reverse engineers

Thomas Dullien is running a nice competition to address the gender gap in IT security or more precisely reverse engineering:

As a field, reverse engineering has undergone a rapid change in recent years:
a rise in importance and visibility has led to a rapidly growing community of
reverse engineers. More people are doing reverse engineering, better tools are
developed, and it has mutated from a “dark art” to an almost-mainstream
endeavor.

However, as the community grows, the most visible parts  remain unchanged.
While there are female reverse engineers in the field, they are still under-
represented in absolute numbers and visibility of their work in conference
attendance and presentations.

What can we, as a growing field, do to change this? Progress can be made on the
macro level by many small and decentralized contributions on the micro level.
So, when I heard about the Syscan speaker’s honorarium this year, I decided to
put it to good use.

I asked a few friends if they’d be willing to form a panel of judges for a
women-only reverse engineering challenge, with the first (and only) prize being
a ticket to fly to and attend Syscan Singapore 2013. Luckily for me, they
agreed

LPN and SVP

I am currently attending ESC 2013 in Mondorf, Luxembourg. Over dinner someone mentioned that there is no known reduction from LPN to lattice reduction, i.e., it is not known that you can solve LPN with LLL and friends.  This seems rather strange to me, because the standard lattice attack on LWE seems to be carrying over as is:

n = 100 # number of variables
m = 400 # number of samples
A = random_matrix(GF(2), m, n)
s = random_vector(GF(2), n) # our secret
p = 0.25 # our error rate

v = A*s + vector(GF(2),[1 if random() < p else 0 for _ in range(m)])

# we are searching for a short vector in the dual lattice
B = A.kernel().matrix()
L = B.change_ring(ZZ).LLL()

# because a short vector there, means few additions which means a higher bias in the sum
Av = A.augment(v)
sum(map(lambda x: abs(x) % 2,L[0])), (L[0]*Av)[-1]


Of course, this means running lattice reduction many times, but still: what am I missing?

PS: Obligatory, Sage cell here.

Matrix Multiplication over GF(p^e)

After my talk at Sage Days 35 in Warwick (that was in winter 2011) David Harvey had an idea on how to speed up matrix multiplication over $\mathbb{F}_{p^n}$. We spend some time on this in Warwick and developed this idea further (adding fun stuff like Mixed Integer Programming in the process) but did not get around to do much on this project in the mean time (I have explained the idea at the end of my talk in Mykonos, though).

Just now, in a conversation with Richard Parker I was reminded of this dormant project, i.e., the question of how many multiplications i $\mathbb{F}_p$ it takes to do a multiplication in $\mathbb{F}_{p^n}$. In particular, I recalled to have written some code for Sage which gives some upper bound to this answer which is better than Karatsuba.

Well, here’s an interactive demo … gosh, I love the Sage cell server.

DTU Crypto Group is hiring

the group I am in is hiring an assistant/associate professor.

DTU Compute at the Technical University of Denmark calls for applications for a position as associate or assistant professor. The department is looking for a dynamic faculty member to participate in research and teaching in computer science and mathematics. The position is available from 1 May 2013.

DTU Compute conducts research and provides teaching in the fields of mathematics, modeling and computer science. The expanding mass of information and the increasingly complex use of advanced technology in society demand development of advanced computer based mathematical models and calculations. The unique skills of the department are in high demand in IT innovation and production.

Through the position the University seeks to strengthen the research within cryptology. The cryptology group at DTU has experts in design and analysis of ciphers and hash functions and in side-channel analysis. Experience with implementing cryptography in software and/or hardware is regarded as a plus. Interest and skills in pedagogical work and dissemination of mathematical sciences will play an important role.