Better Key Sizes (and Attacks) for LWE-Based Encryption

Lindner, Richard; Peikert, Chris

doi:10.1007/978-3-642-19074-2_21

Cited by 496 publications

(550 citation statements)

References 33 publications

Supporting

Mentioning

548

Contrasting

Order By: Relevance

“…A security level of bits means that the best known attacks take about 2 basic operations. We chose parameters considered secure under the distinguishing attack in [15], using the method described in [14, Section 5.1] and [6,Section 6]. For the exact details of the security evaluation, we refer to [15,14,6].…”

Section: Choice Of Parametersmentioning

confidence: 99%

See 1 more Smart Citation

ML Confidential: Machine Learning on Encrypted Data

Graepel

Lauter

Naehrig

2013

Lecture Notes in Computer Science

304

241

View full text Add to dashboard Cite

Abstract. We demonstrate that, by using a recently proposed leveled homomorphic encryption scheme, it is possible to delegate the execution of a machine learning algorithm to a computing service while retaining confidentiality of the training and test data. Since the computational complexity of the homomorphic encryption scheme depends primarily on the number of levels of multiplications to be carried out on the encrypted data, we define a new class of machine learning algorithms in which the algorithm's predictions, viewed as functions of the input data, can be expressed as polynomials of bounded degree. We propose confidential algorithms for binary classification based on polynomial approximations to least-squares solutions obtained by a small number of gradient descent steps. We present experimental validation of the confidential machine learning pipeline and discuss the trade-offs regarding computational complexity, prediction accuracy and cryptographic security.

show abstract

Section: Choice Of Parametersmentioning

confidence: 99%

“…We chose parameters considered secure under the distinguishing attack in [15], using the method described in [14, Section 5.1] and [6,Section 6]. For the exact details of the security evaluation, we refer to [15,14,6]. Security depends on the size of q, σ, and d, and for a given pair q, σ one can determine a lower bound for d.…”

Section: Choice Of Parametersmentioning

confidence: 99%

ML Confidential: Machine Learning on Encrypted Data

Graepel

Lauter

Naehrig

2013

Lecture Notes in Computer Science

304

241

View full text Add to dashboard Cite

show abstract

“…log(q 1 ) = 31 log(q 2 ) = 301 Poly. Degree [29] n > log(q)(λ + 110)/7.2 n n 1 = 1024 This is due to the fact that in the IBM HElib, the need for a chain of moduli required for the noise management leads to a modulus width approximately 10× larger. Since the polynomial degree is directly related to the modulus width by equation (8), this resulted in another 10× growth in the polynomial degree in the IBM HElib.…”

Section: Ctxt Multiplicationmentioning

confidence: 99%

SHIELD: Scalable Homomorphic Implementation of Encrypted Data-Classifiers

Khedr

Gulak

Vaikuntanathan

2016

IEEE Trans. Comput.

View full text Add to dashboard Cite

Abstract-Homomorphic encryption (HE) systems enable computations on encrypted data, without decrypting and without knowledge of the secret key. In this work, we describe an optimized Ring Learning With Errors (RLWE) based implementation of a variant of the HE system recently proposed by Gentry, Sahai and Waters (GSW). Although this system was widely believed to be less efficient than its contemporaries, we demonstrate quite the opposite behavior for a large class of applications. We first highlight and carefully exploit the algebraic features of the system to achieve significant speedup over the state-of-the-art HE implementation, namely the IBM homomorphic encryption library (HElib). We introduce several optimizations on top of our HE implementation, and use the resulting scheme to construct a homomorphic Bayesian spam filter, secure multiple keyword search, and a homomorphic evaluator for binary decision trees. Our results show a factor of 10× improvement in performance (under the same security settings and CPU platforms) compared to IBM HElib for these applications. Our system is built to be easily portable to GPUs (unlike IBM HElib) which results in an additional speedup of up to a factor of 103.5× to offer an overall speedup of 1035×.

show abstract

“…The evaluation of the concrete level of security/efficiency offered by SIS and LWE for specific small parameter values still requires careful cryptanalysis, and consideration of the best known attacks. (See, for example, [22,15,9]. )…”

Section: Theorem 2 (Corollary Of Theorem 6)mentioning

confidence: 99%

Hardness of SIS and LWE with Small Parameters

Micciancio

Peikert

2013

Lecture Notes in Computer Science

Self Cite

211

138

View full text Add to dashboard Cite

Abstract. The Short Integer Solution (SIS) and Learning With Errors (LWE) problems are the foundations for countless applications in latticebased cryptography, and are provably as hard as approximate lattice problems in the worst case. An important question from both a practical and theoretical perspective is how small their parameters can be made, while preserving their hardness.We prove two main results on SIS and LWE with small parameters. For SIS, we show that the problem retains its hardness for moduli q ≥ β · n δ for any constant δ > 0, where β is the bound on the Euclidean norm of the solution. This improves upon prior results which required q > β · √ n log n, and is close to optimal since the problem is trivially easy for q ≤ β. For LWE, we show that it remains hard even when the errors are small (e.g., uniformly random from {0, 1}), provided that the number of samples is small enough (e.g., linear in the dimension n of the LWE secret). Prior results required the errors to have magnitude at least √ n and to come from a Gaussian-like distribution.

show abstract

Better Key Sizes (and Attacks) for LWE-Based Encryption

Cited by 496 publications

References 33 publications

ML Confidential: Machine Learning on Encrypted Data

ML Confidential: Machine Learning on Encrypted Data

SHIELD: Scalable Homomorphic Implementation of Encrypted Data-Classifiers

Hardness of SIS and LWE with Small Parameters

Contact Info

Product

Resources

About