
Keyword Search Result

[Keyword] LWE (7 hits)

  • On the Weakness of Non-Dual Ring-LWE Mod Prime Ideal q by Trace Map

    Tomoka TAKAHASHI, Shinya OKUMURA, Atsuko MIYAJI
    PAPER
    Publicized: 2023/07/13
    Vol: E106-D No:9
    Page(s): 1423-1434

    The recent decision by the National Institute of Standards and Technology (NIST) to standardize lattice-based cryptography has further increased the demand for security analysis. The Ring-Learning with Errors (Ring-LWE) problem is a mathematical problem that constitutes such lattice cryptosystems. It has many algebraic properties because it is considered in the ring of integers, R, of a number field, K. These algebraic properties make the Ring-LWE based schemes efficient, although some of them are also used for attacks. When the modulus, q, is unramified in K, it is known that the Ring-LWE problem, to determine the secret information s ∈ R/qR, can be solved by determining s (mod 𝔮) ∈ F_{q^f} for all prime ideals 𝔮 lying over q. The χ²-attack determines s (mod 𝔮) ∈ F_{q^f} using chi-square tests over R/𝔮 ≅ F_{q^f}. The χ²-attack is improved in the special case where the residue degree f is two, which is called the two-residue-degree χ²-attack. In this paper, we extend the two-residue-degree χ²-attack to an attack that works efficiently for any residue degree. As a result, the attack time against a vulnerable field using our proposed attack with parameters (q, f) = (67, 3) was 129 seconds on a standard PC. We also evaluate the vulnerability of the two-power cyclotomic fields.

  • Tighter Reduction for Lattice-Based Multisignature (Open Access)

    Masayuki FUKUMITSU, Shingo HASEGAWA
    PAPER-Cryptography and Information Security
    Publicized: 2021/05/25
    Vol: E104-A No:12
    Page(s): 1685-1697

    Multisignatures enable multiple users to sign a message interactively. Many instantiations have been proposed for multisignatures; however, most of them are quantum-insecure, because they are based on the integer factoring assumption or the discrete logarithm assumption. Although there exist some constructions based on lattice problems, which are believed to be quantum-secure, their security reductions are loose. In this paper, we aim to improve the security reduction of lattice-based multisignature schemes concerning tightness. Our basic strategy is combining the multisignature scheme proposed by El Bansarkhani and Sturm with the lattice-based signature scheme by Abdalla, Fouque, Lyubashevsky, and Tibouchi, which has a tight security reduction from the Ring-LWE (Ring Learning with Errors) assumption. Our result shows that proof techniques for standard signature schemes can be applied to multisignature schemes, and then we can improve the polynomial loss factor concerning the Ring-LWE assumption. Our second result is to address the problem of security proofs of existing lattice-based multisignature schemes pointed out by Damgård, Orlandi, Takahashi, and Tibouchi. We employ a new cryptographic assumption called the Rejected-Ring-LWE assumption to complete the security proof.

  • Fully Homomorphic Encryption Scheme Based on Decomposition Ring (Open Access)

    Seiko ARITA, Sari HANDA
    PAPER
    Vol: E103-A No:1
    Page(s): 195-211

    In this paper, we propose the decomposition ring homomorphic encryption scheme, that is, a homomorphic encryption scheme built on the decomposition ring, which is a subring of the cyclotomic ring. By using the decomposition ring, the structure of a plaintext slot becomes ℤ_{p^l}, instead of GF(p^d) in conventional schemes on the cyclotomic ring. For homomorphic multiplication of integers, one can use the full ℤ_{p^l} slots using the proposed scheme, although in conventional schemes one can use only the one-dimensional subspace GF(p) in each GF(p^d) slot. This allows us to realize fast and compact homomorphic encryption for integer plaintexts. In fact, our benchmark results indicate that our decomposition ring homomorphic encryption schemes are several times faster than HElib for integer plaintexts due to their higher parallel computation.

  • Hardness Evaluation for Search LWE Problem Using Progressive BKZ Simulator

    Yuntao WANG, Yoshinori AONO, Tsuyoshi TAKAGI
    PAPER-Cryptography and Information Security
    Vol: E101-A No:12
    Page(s): 2162-2170

    The learning with errors (LWE) problem is considered one of the most compelling candidates as the security base for post-quantum cryptosystems. For the application of LWE based cryptographic schemes, the concrete parameters are necessary: the length n of the secret vector, the modulus q and the deviation σ. In the middle of 2016, the TU Darmstadt group in Germany initiated the LWE Challenge in order to assess the hardness of LWE problems. There are several approaches to solve the LWE problem via reducing LWE to other lattice problems. Xu et al.'s group solved some LWE Challenge instances using Liu-Nguyen's adapted enumeration technique (reducing LWE to the BDD problem) [23] and they published this result at ACNS 2017 [32]. In this paper, at first, we applied the progressive BKZ on the LWE challenge cases of σ/q = 0.005 using Kannan's embedding technique. We can intuitively observe that the embedding technique is more efficient with the embedding factor M closer to 1. Then we analyze the optimal number of samples m for a successful attack on an LWE case with secret length n. Thirdly, based on this analysis, we show the practical cost estimations using the precise progressive BKZ simulator. Simultaneously, our experimental results show that for n ≥ 55 and the fixed σ/q = 0.005, the embedding technique with progressive BKZ is more efficient than Xu et al.'s implementation of the enumeration algorithm in [32][14]. Moreover, by our parameter setting, we succeed in solving the LWE Challenge over (n, σ/q) = (70, 0.005) using 2^16.8 seconds (32.73 single core hours).

  • Input and Output Privacy-Preserving Linear Regression

    Yoshinori AONO, Takuya HAYASHI, Le Trieu PHONG, Lihua WANG
    PAPER-Privacy, anonymity, and fundamental theory
    Publicized: 2017/07/21
    Vol: E100-D No:10
    Page(s): 2339-2347

    We build a privacy-preserving system of linear regression protecting both input data secrecy and output privacy. Our system achieves those goals simultaneously via a novel combination of homomorphic encryption and differential privacy dedicated to linear regression and its variants (ridge, LASSO). Our system is proved scalable over cloud servers, and its efficiency is extensively checked by careful experiments.

  • Fuzzy Biometric-Based Encryption for Encrypted Data in the Cloud

    Qing WU, Leyou ZHANG, Jingxia ZHANG
    LETTER-Cryptography and Information Security
    Vol: E100-A No:5
    Page(s): 1257-1261

    Fuzzy techniques can implement the fine-grained access control of encrypted data in the Cloud because they support error-tolerance. In this system, using biometric attributes such as fingerprints, faces and irises as public parameters is advantageous over those systems based on Public Key Infrastructure (PKI). This is because biometric information is unique, unforgettable and non-transferable. However, the biometric-attribute measurements are noisy and most of the existing encryption systems cannot support biometric-attribute encryption. Additionally, the previous fuzzy encryption schemes only achieve selective security, which is a weak security model. To overcome these drawbacks, we propose a new lattice-based fuzzy encryption scheme in this letter. The proposed scheme is based on a hierarchical identity-based encryption with a fixed-dimensional private key space and thus has short public parameters and short private keys, which results in high computation efficiency. Furthermore, it achieves strong security, i.e., adaptive security. Lastly, the security is reduced to the learning with errors (LWE) problem in the standard model.

  • Privacy-Preserving Logistic Regression with Distributed Data Sources via Homomorphic Encryption

    Yoshinori AONO, Takuya HAYASHI, Le Trieu PHONG, Lihua WANG
    PAPER
    Publicized: 2016/05/31
    Vol: E99-D No:8
    Page(s): 2079-2089

    Logistic regression is a powerful machine learning tool to classify data. When dealing with sensitive or private data, care is necessary. In this paper, we propose a secure system for privacy-protecting both the training and predicting data in logistic regression via homomorphic encryption. Perhaps surprisingly, despite the non-polynomial tasks of training and predicting in logistic regression, we show that only additively homomorphic encryption is needed to build our system. Indeed, we instantiate our system with Paillier, LWE-based, and ring-LWE-based encryption schemes, highlighting the merits and demerits of each instantiation. Besides examining the costs of computation and communication, we carefully test our system over real datasets to demonstrate its utility.