ICT-644209
HEAT
Homomorphic Encryption Applications and Technology

D.5.2
Mid-term report on dissemination, standardization, publication, exploitation and training

Due date of deliverable: 30. May 2016
Actual submission date: 30. June 2016
Start date of project: 1 January 2015
Duration: 3 years
Lead contractor: University of Bristol (UNIVBRIS)
Revision 1.0

Project co-funded by the European Commission within the H2020 Programme

Dissemination Level
PU Public X
PP Restricted to other programme participants (including the Commission services)
RE Restricted to a group specified by the consortium (including the Commission services)
CO Confidential, only for members of the consortium (including the Commission services)

Ref. Ares(2016)2772333 - 15/06/2016



Mid-term report on dissemination, standardization, publication, exploitation and training

Editor
Nigel P. Smart (UNIVBRIS)

Contributors
All other partners.

30. June 2016
Revision 1.0

The work described in this report has in part been supported by the Commission of the European Communities through the H2020 ICT program under contract ICT-644209. The information in this document is provided as is, and no warranty is given or implied that the information is fit for any particular purpose. The user thereof uses the information at its sole risk and liability.


Contents

Executive Summary

1 External Communication

2 Publication

3 Standardization
  3.1 Overview of on-going actions in HEAT
    3.1.1 Standardizing homomorphic encryption in ISO
    3.1.2 Widening the scope of NIST standards
  3.2 Creating ISO/IEC 18033-6
    3.2.1 What is ISO SC 27?
    3.2.2 Phase 1 (Sofia-Kuching): the Study Period
    3.2.3 Phase 2: Editing 18033-6 "Homomorphic Encryption"
    3.2.4 Current status in May 2016

4 Exploitation and IP

5 Summer Schools and Workshops

4 Exploitation and IP 19

5 Summer Schools and Workshops 21


Executive Summary

This deliverable details the progress so far with respect to dissemination for the HEAT project. As described in our dissemination plan, WP-5 of HEAT aims to overcome key obstacles to widespread deployment of homomorphic encryption. We target three stakeholder groups (the scientific community, commercial and industrial experts, and finally the general public).

To reach these groups, five key areas of dissemination are identified. These are:

1. External Communication.

2. Publications.

3. Standardization.

4. Exploitation and IP.

5. Summer Schools and Workshops.


Chapter 1

External Communication

As per the communication plan we have set up a web site for the project, a Twitter account and a blog. The web site is the main communication portal for external communications. It is used to point visitors to our workshops, as well as to provide a summary of the papers and deliverables published by the project. To aid communication, each paper is presented alongside a more down-to-earth short description of its contents.

The project has also produced, jointly with the SafeCrypto project, a flyer describing the contents of the two projects and why they are complementary. This enables interest in one project to be fed seamlessly into the other. There have also been a couple of press releases, as well as numerous web articles on related matters published by a number of the partners.

A major part of communication is the outward-facing engagement at external events, mainly conferences and tradeshows. Below we present the main events attended by participants in the project; note that not all attendance was funded via the HEAT project, as we were able to leverage other funds to help in our external engagement.


Name | Partner | Title of Talk | Approx. No. Participants | Location | Date | Percentage (Acad/Ind/Gov)
J. Bos | NXP | Sieving for Shortest Vectors in Ideal Lattices: A Practical Perspective | 100 | Amsterdam | 02/06/2015 | 70/20/10
J. Bos | NXP | Sieving for Shortest Vectors in Ideal Lattices: A Practical Perspective | 30 | Leuven | 25/3/2015 | 90/10/0
J.-S. Coron | UNILUX | Fully Homomorphic Encryption and Cloud Computing | 100 | Paris | 12/14/15 | 50/40/10
S. Vivek | UNIVBRIS | Leakage-Resilient Authentication and Encryption from Symmetric Cryptographic Primitives | 800 | Denver | 12/10/15 | 55/35/10
A. Costache | UNIVBRIS | Which Somewhat Homomorphic Encryption Scheme is best? | 60 | San Fran. | 03/03/16 | 65/25/10
N. Smart | UNIVBRIS | Computing on Encrypted Data | 150 | Darmstadt | 02/06/2015 | 70/30/0
N. Smart | UNIVBRIS | Computing on Encrypted Data | 200 | Darmstadt | 02/07/2015 | 100/0/0
N. Smart | UNIVBRIS | Computing on Encrypted Data | 250 | London | 17/09/2015 | 80/10/10
N. Smart | UNIVBRIS | Computing on Encrypted Data | 60 | Dagstuhl | 02/02/2016 | 90/10/0
N. Smart | UNIVBRIS | Computing on Encrypted Data | 20 | San Diego | 25/02/2016 | 100/0/0
N. Smart | UNIVBRIS | Homomorphic Encryption | 50 | Bristol | 10/11/2015 | 50/40/10
T. Lepoint | CRX | The Bumpy Ride of Multilinear Maps, Revisited | 100 | Budapest | 06/04/2016 | 80/20/0
T. Lepoint | CRX | CLT: Construction(s) and Attacks | 100 | Paris | 11/10/2015 | 70/20/10
T. Lepoint | CRX | Zeroizing Attacks on Multilinear Maps | 60 | Bochum | 08/10/2015 | 80/20/0
T. Lepoint | CRX | New Multilinear Maps over the Integers | 175 | Santa Barbara | 18/08/2015 | 65/25/10
T. Lepoint | CRX | On White-Box Cryptography, Multilinear Maps and Obfuscation | 50 | San Francisco | 17/07/2015 | 0/100/0
T. Lepoint | CRX | Multilinear Maps over the Integers: From Design to Security | 100 | Berkeley | 10/07/2015 | 80/20
T. Lepoint | CRX | The Bumpy Ride of Multilinear Maps | 30 | Bristol | 07/05/2015 | 100/0/0
J. Eynard | UPMC | RNS Arithmetic Approach in Lattice-based Cryptography: Accelerating the “Rounding-off” Core Procedure | 100 | Lyon | 22/06/2015 | 60/20/20
J. Eynard | UPMC | Programmable RNS Lattice-Based Parallel Cryptographic Decryption | 100 | Toronto | 27/07/2015 | 60/20/20
A. Gélin | UPMC | Reduction of number field defining polynomials and application to class group computations | 10 | Lausanne | 04/19/16 | 100/0/0
C. Pierrot | UPMC | Index calculus algorithms | 25 | Suzhou | 01/14/16 | 100/0/0
F. Vercauteren | KUL | HEAT: Homomorphic Encryption Applications and Technology | 60 | Brussels | 29/04/2015 | 40/30/30
F. Vercauteren | KUL | Fully homomorphic encryption | 70 | Leuven | 16/06/2015 | 30/60/10
F. Vercauteren | KUL | Provably weak instances of RLWE revisited | 50 | Auckland | 12/04/2015 | 80/15/5
W. Castryck | KUL | Provably weak instances of RLWE revisited | 400 | Vienna | 05/09/2016 | 60/30/10

Table 1.1: Presentations Given


Name | Conference | Partner | Relation to Project | Approx. No. Participants | Location | Date | Percentage (Acad/Ind/Gov)
J. Bos | CHES | NXP | SCA aspects of FHE | 450 | Saint-Malo, FR | Sept. 13-15 2015 | 50/40/10
S. Vivek | CHES | UNIVBRIS | SCA aspects of FHE | 450 | Saint Malo, FR | Sept. 13-15 2015 | 50/40/10
V. Nikov | Eurocrypt | NXP | Crypto incl. FHE | 350 | Sofia, BU | Apr. 26-30 2015 | 60/30/10
N. Smart | Eurocrypt | UNIVBRIS | Crypto incl. FHE | 350 | Sofia, BU | Apr. 26-30 2015 | 60/30/10
A. Costache | Eurocrypt | UNIVBRIS | Crypto incl. FHE | 350 | Sofia, BU | Apr. 26-30 2015 | 60/30/10
J.-S. Coron | Eurocrypt | UNILUX | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
M. S. Lee | Eurocrypt | UNILUX | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
S. Vivek | Eurocrypt | UNIVBRIS | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
N. Smart | Eurocrypt | UNIVBRIS | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
A. Costache | Eurocrypt | UNIVBRIS | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
T. Lepoint | Eurocrypt | CRX | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
P. Paillier | Eurocrypt | CRX | Crypto incl. FHE | 400 | Vienna, AT | May 08-12 2016 | 60/30/10
S. Vivek | CRYPTO | UNIVBRIS | Crypto incl. FHE | 350 | Santa Barbara, US | Aug. 16-20 2015 | 65/25/10
N. Smart | CRYPTO | UNIVBRIS | Crypto incl. FHE | 350 | Santa Barbara, US | Aug. 16-20 2015 | 65/25/10
A. Costache | CRYPTO | UNIVBRIS | Crypto incl. FHE | 350 | Santa Barbara, US | Aug. 16-20 2015 | 65/25/10
T. Lepoint | CRYPTO | CRX | Crypto incl. FHE | 350 | Santa Barbara, US | Aug. 16-20 2015 | 65/25/10
S. Vivek | IndoCrypt | UNIVBRIS | Crypto incl. FHE | 100 | Bangalore, IN | Dec. 6-9 2015 | 60/25/15
N. Smart | RWC | UNIVBRIS | Various Crypto | 350 | London, UK | Jan 7-9 2015 | 40/50/10
N. Smart | RWC | UNIVBRIS | Various Crypto | 500 | Palo Alto, USA | Jan 6-8 2016 | 30/60/10
T. Lepoint | RWC | CRX | Various Crypto | 500 | Palo Alto, USA | Jan 6-8 2016 | 30/60/10
N. Smart | RSA | UNIVBRIS | Various Crypto | 25000 | San Fran, USA | Apr 20-24 2015 | 5/90/5
N. Smart | RSA | UNIVBRIS | Various Crypto | 35000 | San Fran, USA | Mar 1-4 2016 | 5/90/5
A. Costache | RSA | UNIVBRIS | Various Crypto | 35000 | San Fran, USA | Mar 1-4 2016 | 5/90/5
N. Smart | Asiacrypt | UNIVBRIS | Crypto incl. FHE | 250 | Auckland, NZ | Nov. 30-Dec 3 2015 | 80/10/10
F. Vercauteren | Asiacrypt | KUL | Crypto incl. FHE | 250 | Auckland, NZ | Nov. 30-Dec 3 2015 | 80/10/10
A. Waller | CCS | Thales | Security incl. FHE | 800 | Denver, USA | Oct. 12-16 2015 | 55/35/10
A. Waller | Avoncrypt | Thales | MPC and FHE | 50 | Bristol, UK | Oct 10-11 2015 | 50/40/10
D. Mould | Avoncrypt | Thales | MPC and FHE | 50 | Bristol, UK | Oct 10-11 2015 | 50/40/10
A. Costache | Avoncrypt | Bristol | MPC and FHE | 50 | Bristol, UK | Oct 10-11 2015 | 50/40/10
A. Costache | Math. of Crypto | Bristol | Training event | 50 | UC Irvine, US | Aug 31-Sept 03 15 | 80/20/0
T. Lepoint | Financial Crypto | CRX | Various Crypto | 175 | Puerto Rico, PR | Jan-15 | 70/20/10
J.C. Bajard | C2 CGR IM | UPMC | Various Crypto. | 100 | Hyeres, FR | 04/10/2015 | 75/15/10
V. Zucca | C2 CGR IM | UPMC | Various Crypto. | 100 | Hyeres, FR | 04/10/2015 | 75/15/10
J.C. Bajard | Crypto Conf | UPMC | Various Crypto | 100 | Santa Clara, US | 11/07/2016 | 60/20/20
V. Zucca | Lattices | UPMC | Lattices conf | 30 | Lyon, FR | 25/11/2016 | 100/0/0
J.C. Bajard | YACC | UPMC | Various Crypto | 100 | Porquerolles, FR | 06/06/2016 | 75/15/10
V. Zucca | YACC | UPMC | Various Crypto | 100 | Porquerolles, FR | 06/06/2016 | 75/15/10
A. Joux | Dagstuhl | UPMC | Various Crypto | 50 | Dagstuhl, DL | 01/10/2016 | 70/15/15
F. Vercauteren | CSP Innovation | KUL | EU Presentation | 60 | Brussels, BE | 29/04/2015 | 40/30/30
F. Vercauteren | CyberSecurity Course | KUL | Training | 70 | Leuven, BE | 16/06/2015 | 30/60/10
W. Castryck | ECC 2015 | KUL | FHE + lattices | 100 | Bordeaux, FR | 28/09/2015 | 80/10/10
F. Vercauteren | ECC 2015 | KUL | FHE + lattices | 100 | Bordeaux, FR | 28/09/2015 | 80/10/10
I. Iliashenko | ECRYPT Workshop | KUL | Training | 50 | Bochum, DE | 10/08/2015 | 95/5/0
I. Iliashenko | HEAT School | KUL | SFHE | 80 | Paris, FR | 12-16/10/2015 | 90/10/0
A. Costache | HEAT School | UNIVBRIS | SFHE | 80 | Paris, FR | 12-16/10/2015 | 90/10/0
N. Smart | HEAT School | UNIVBRIS | SFHE | 80 | Paris, FR | 12-16/10/2015 | 90/10/0
F. Vercauteren | | KUL | Asiacrypt 2015 | 400 | Auckland, NZ | 29/11/2015 | 70/20/10
W. Castryck | Lattices and Coding | KUL | SHE+Lattices | 30 | London, UK | 05/04/2016 | 100/0/0
F. Vercauteren | Lattices and Coding | KUL | SHE+Lattices | 30 | London, UK | 05/04/2016 | 100/0/0

Table 1.2: Conference/Meeting Attendance

Name | Partner | Relation to Project | Approx. No. Participants | Location | Date | Percentage (Acad/Ind/Gov)
P. Paillier | CRX | Study Period homomorphic encryption | SC 27 = 300, WG2 = 60 | Kuching | Apr-15 | 15/55/30
P. Paillier | CRX | Standard on homomorphic encryption (ISO/IEC 18033-6 WD1) | SC 27 = 300, WG2 = 60 | Jaipur | Oct-15 | 15/55/30
P. Paillier | CRX | Standard on homomorphic encryption (ISO/IEC 18033-6 WD2) | SC 27 = 300, WG2 = 60 | Tampa, US | Apr-16 | 15/55/30

Table 1.3: ISO SC27 Standardization Meetings


Chapter 2

Publication

The following publications have been produced during the first phase of the HEAT project:

Cryptanalysis of the Co-ACD Assumption
Pierre-Alain Fouque and Moon Sung Lee and Tancrède Lepoint and Mehdi Tibouchi

Homomorphic cryptography allows one to securely delegate computation over encrypted data and is a very active research area. At ACM-CCS 2014, a top-tier conference on computer and communications security, a new scheme claimed to be the “most efficient of those that support an additive homomorphic property” was proposed by Cheon, Lee and Seo.

Understanding the security of homomorphic cryptographic schemes is also at the core of the HEAT project. In this paper, which appeared at CRYPTO 2015, a top-tier conference in cryptography, we show that the latter scheme is completely insecure. We present new lattice-based attacks that are effectively devastating for the proposed constructions. More precisely, we show that the parameters proposed by Cheon et al., originally aiming at 128-bit security, can be broken in a matter of seconds. And while it is possible to select parameters outside of the range in which our attacks run in polynomial time, they have to be so large as to render the proposed constructions severely uncompetitive (e.g. our asymptotic estimates indicate that 128 bits of security against our attacks require a modulus of at least 400,000 bits).

Zeroizing Without Low-Level Zeroes: Attacks on Multilinear Maps and Their Limitations
Jean-Sébastien Coron and Craig Gentry and Shai Halevi and Tancrède Lepoint and Hemanta K. Maji and Eric Miles and Mariana Raykova and Amit Sahai and Mehdi Tibouchi

Multilinear maps are very useful tools that were discovered in 2013, and which made possible the first secure solution to cryptographic software obfuscation, and many other applications. At the core of many constructions was the CLT scheme, proposed at CRYPTO 2013, whose flexibility allowed new exciting developments.

Cryptographic multilinear maps belong to the realm of cryptography allowing one to compute on encrypted data. For multilinear maps (contrary to fully homomorphic encryption), at the end of the computation it is possible to publicly know whether we have an encryption of 0 or not, and this is the key ingredient of the construction. Unfortunately, in early 2015, a linear relation in the latter procedure was shown to break the CLT scheme in general (but not for obfuscation).

Because the latter scheme is built from homomorphic encryption, understanding how secure multilinear maps can be, and what is secure to compute over encrypted data, is of utmost importance. In this work, we extend the previous attacks on multilinear maps to numerous new settings, and show some attacks on some simplified versions of obfuscation. Our paper appeared at CRYPTO 2015, a top-tier conference in cryptology, and comes from collaboration with external researchers of IBM Research, University of California Los Angeles, Stanford Research Institute, Purdue University and NTT Secure Platform Laboratories.

New Multilinear Maps over the Integers
Jean-Sébastien Coron and Tancrède Lepoint and Mehdi Tibouchi

Multilinear maps are very useful tools that were discovered in 2013, and which made possible the first secure solution to cryptographic software obfuscation, and many other applications. At the core of many constructions was the CLT scheme, which we proposed at CRYPTO 2013, and whose flexibility allowed new exciting developments.

Cryptographic multilinear maps belong to the realm of cryptography allowing one to compute on encrypted data. For multilinear maps (contrary to fully homomorphic encryption), at the end of the computation it is possible to publicly know whether we have an encryption of 0 or not, and this is the key ingredient of the construction. Unfortunately, in early 2015, a linear relation in the latter procedure was shown to break the scheme in general (but not for obfuscation).

Because of its high potential, in this paper, which appeared at CRYPTO 2015, a top-tier conference in cryptology, we propose a completely revisited CLT scheme, enjoying the same flexibility but highly resistant to all known attacks.

RNS Arithmetic Approach in Lattice-based Cryptography
Jean-Claude Bajard, Julien Eynard, Nabil Merkiche, Thomas Plantard

Residue Number Systems (RNS) are naturally considered as an interesting candidate to provide efficient arithmetic for implementations of cryptosystems such as RSA, ECC (Elliptic Curve Cryptography), pairings, etc. More recently, RNS have been used to accelerate fully homomorphic encryption as lattice-based cryptography. In this paper, we present an RNS algorithm resolving the Closest Vector Problem (CVP). This algorithm is particularly efficient for a certain class of lattice basis. It provides a full RNS Babai round-off procedure without any costly conversion into alternative positional number systems such as the Mixed Radix System (MRS). An optimized Cox-Rower architecture adapted to the proposed algorithm is also presented. The main modifications reside in the Rower unit, whose feature is to use only one multiplier. This frees two out of three multipliers from the Rower unit by reusing the same one, with an overhead of 3 more cycles per inner reduction. An analysis of the feasibility of implementation within an FPGA is also given. This paper appeared at ARITH 22.

Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective
Joppe W. Bos and Michael Naehrig and Joop van de Pol

The security of many lattice-based cryptographic schemes relies on the hardness of finding short vectors in integral lattices. We propose a new variant of the parallel Gauss sieve algorithm to compute such short vectors. It combines favorable properties of previous approaches, resulting in reduced run time and memory requirement per node. Our publicly available implementation outperforms all previous Gauss sieve approaches for dimensions 80, 88, and 96.

Modular Hardware Architecture for Somewhat Homomorphic Function Evaluation
Sujoy Sinha Roy and Kimmo Järvinen and Frederik Vercauteren and Vassil Dimitrov and Ingrid Verbauwhede

This paper, which appeared at CHES 2015, reports on a hardware architecture implementing all building blocks used in polynomial ring based fully homomorphic schemes. As an example, the YASHE encryption scheme is implemented on top of this architecture and the SIMON-64/128 block cipher was executed in the encrypted domain. The building blocks are integrated in an instruction-set coprocessor, which can be controlled by a computer for evaluating arbitrary functions (up to multiplicative depth 44 and 128-bit security level). This implementation evaluates SIMON-64/128 in approximately 157.7s (at 143MHz) and it processes 2048 ciphertexts at once, giving a relative time of only 77ms per block. This is 26.6 times faster than the leading software implementation on a 4-core Intel Core-i7 processor running at 3.4GHz.

Cryptanalysis of the Quadratic Zero-Testing of GGH
Zvika Brakerski and Craig Gentry and Shai Halevi and Tancrède Lepoint and Amit Sahai and Mehdi Tibouchi

Multilinear maps are very useful tools that were discovered in 2013, and which made possible the first secure solution to cryptographic software obfuscation, and many other applications. Understanding the security of the constructions is therefore of utmost importance. Cryptographic multilinear maps belong to the realm of cryptography allowing one to compute on encrypted data. For multilinear maps (contrary to fully homomorphic encryption), at the end of the computation it is possible to publicly know whether we have an encryption of 0 or not, and this is the key ingredient of the construction. The first candidate multilinear map was described by Garg, Gentry and Halevi at EUROCRYPT 2013, a top-tier conference in cryptography. Unfortunately, even as of today, the security of the construction remains difficult to assess. Many attacks cast doubts on what distributions can be used with this GGH scheme. During the CRYPTO 2015 conference, Shai Halevi proposed a tentative fix by Gentry, Halevi and Lepoint of this “zero-test”. This short note shows that unfortunately the fix fails to immunize the GGH construction against extended versions of the previous attacks. With this work, we make a step forward in better understanding the security of multilinear maps.

Which Ring Based Somewhat Homomorphic Encryption Scheme is Best?
Ana Maria Costache and Nigel P. Smart

There are a number of ring based FHE schemes published in the literature, the two most famous being the BGV and the NTRU schemes, and their “scale-invariant” cousins FV and YASHE. The ring based schemes offer a number of advantages over other schemes, such as the ability to move data around in the plaintext slots, and potentially reductions to more well studied problems such as ring-LWE. The purpose of this paper, which appeared at CT-RSA 2016, is to compare side-by-side the NTRU and BGV schemes in their non-scale invariant (messages in the lower bits) and their scale invariant (message in the upper bits) forms. As an additional optimization, we also investigate the effect of modulus reduction on the scale-invariant schemes. We compare the schemes using the “average case” noise analysis presented by Gentry et al. In addition we unify notation and techniques so as to show commonalities between the schemes.

We find that the BGV scheme appears to be more efficient for large plaintext moduli, whilst YASHE seems more efficient for small plaintext moduli (although the benefit is not as great as one would have expected).

Speeding-up lattice sieving without increasing the memory, using sub-quadratic nearest neighbor search
Anja Becker, Nicolas Gama and Antoine Joux

Lattice-based cryptography is a promising area due to the simple additive, parallelizable structure of a lattice. In particular, this structure is very useful in the context of fully homomorphic encryption. As a consequence, lattice reduction algorithms are essential cryptanalytic tools for the HEAT project.


In this paper, we give a simple heuristic sieving algorithm for the shortest vector problem (SVP). Unlike previous time-memory trade-offs, we do not need to increase the memory in order to improve the running time. To achieve this result, we borrow a recent tool from coding theory, known as nearest neighbor search for binary code words. We simplify its analysis, and show that it can be adapted to solve this variant of the fixed-radius nearest neighbor search problem: given a list of exponentially many unit vectors in large dimension, find all pairs of vectors which form an acute angle. The complexity is sub-quadratic in the number of vectors, which leads to an improvement for reduction algorithms based on lattice sieving.

A masked ring-LWE implementation
Oscar Reparaz and Sujoy Sinha Roy and Frederik Vercauteren and Ingrid Verbauwhede

Lattice-based cryptography has become popular as one of the main post-quantum public-key cryptosystems. However, just like ordinary cryptosystems, these schemes are still vulnerable to side channel attacks such as power analysis or EM radiation.

So far the cryptographic community has ignored this aspect. This paper is the first to present a side channel secure implementation of RLWE decryption. More precisely, the authors present a masked ring-LWE decryption implementation resistant to first-order side-channel attacks.

The solution has the peculiarity that the entire computation is performed in the masked domain. This is achieved thanks to a new, bespoke masked decoder implementation. The outputs of the ring-LWE decryption are Boolean shares suitable for derivation of a symmetric key. The authors have implemented a hardware architecture of the masked ring-LWE processor on a Virtex-II FPGA, and have performed side channel analysis to confirm the soundness of their approach.

This paper was presented at CHES 2015, the most prestigious conference on cryptographic hardware and side-channel security.

Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance
Shi Bai and Adeline Langlois and Tancrède Lepoint and Damien Stehlé and Ron Steinfeld

To analyze the efficiency of the homomorphic encryption schemes at the core of the HEAT project, we studied how the Rényi divergence can be used instead of the statistical distance. The Rényi divergence is a measure of closeness of two probability distributions. The article shows that it can often be used as an alternative to the statistical distance in security proofs for lattice-based cryptography, and therefore in homomorphic encryption schemes. The techniques of this article lead to security proofs for schemes with smaller parameters, and sometimes to simpler security proofs than the existing ones. This article was published at ASIACRYPT 2015, one of the top-tier conferences in cryptography, organized by the IACR.

Stream ciphers: A Practical Solution for Efficient Homomorphic-Ciphertext Compression
Anne Canteaut and Sergiu Carpov and Caroline Fontaine and Tancrède Lepoint and María Naya-Plasencia and Pascal Paillier and Renaud Sirdey

In typical applications of homomorphic encryption, one of the first steps consists for a user, let’s call her Alice, to encrypt her data under a public key, and to send the ciphertext to someone else, e.g. to the Cloud. Unfortunately, even the most recent homomorphic encryption schemes are such that the size of the ciphertext is much larger than the size of the message. Typically, to encrypt a 4MB image, the ciphertext will end up being at least 1 GB long!

In 2012, Michael Naehrig, Kristin Lauter and Vinod Vaikuntanathan from Microsoft Research suggested the following hybrid approach: encrypt the message under a scheme with no ciphertext expansion (i.e. the ciphertext will have the same size as the message), e.g. under the Advanced Encryption Standard. However, this approach has several drawbacks. First, AES was not at all designed in a context of homomorphic cryptography: the operations are not easily parallelizable and the multiplicative depth is large, so AES does not appear to be particularly well suited for homomorphic evaluations. The second drawback is that the latency of the homomorphic evaluation of AES is added to the latency of the homomorphic evaluation of the function to be performed: in other words, the data will be homomorphically processed only after being homomorphically decrypted (i.e. several minutes later!).

For the HEAT project, Tancrède Lepoint and Pascal Paillier from CryptoExperts, together with Anne Canteaut, Sergiu Carpov, Caroline Fontaine, María Naya-Plasencia and Renaud Sirdey, proposed to revisit the hybrid system entirely to tackle both drawbacks mentioned earlier, in an article available on the ePrint archive. The key idea is to identify that the homomorphic “decompression” phase is subject to an offline phase and an online phase. The offline phase is plaintext-independent and therefore can be performed in advance, whereas the online phase completes decompression upon reception of the plaintext-dependent part of the compressed ciphertext. The paper has appeared at FSE 2016.

Programmable RNS Lattice-Based Parallel Cryptographic Decryption
Paulo Martins, Leonel Sousa, Julien Eynard, Jean-Claude Bajard

Should quantum computing become viable, current public-key cryptographic schemes will no longer be valid. Since cryptosystems take many years to mature, research on post-quantum cryptography is now more important than ever. Herein, lattice-based cryptography is focused on, as an alternative post-quantum cryptosystem, to improve its efficiency. In this article, which appeared at ASAP 2015, we put together several theoretical developments so as to produce an efficient implementation that solves the Closest Vector Problem (CVP) on Goldreich-Goldwasser-Halevi (GGH)-like cryptosystems based on the Residue Number System (RNS). We were able to produce speed-ups of up to 5.9 and 11.2 on the GTX 780 Ti and i7 4770K devices, respectively, when compared to a single-core optimized implementation. Finally, we show that the proposed implementation is a competitive alternative to Rivest-Shamir-Adleman (RSA).

Fixed Point Arithmetic in SHE Schemes
Ana Maria Costache, Nigel Paul Smart, Srinivas Vivek and Adrian Waller

The purpose of this paper is to investigate fixed point arithmetic in ring-based Somewhat Homomorphic Encryption (SHE) schemes. We provide three main contributions. Firstly, we investigate the representation of fixed point numbers. We analyse the two representations from Dowlin et al., representing a fixed point number as a large integer (encoded as a scaled polynomial) versus a polynomial-based fractional representation. We show that these two are, in fact, isomorphic by presenting an explicit isomorphism between the two that enables us to map the parameters from one representation to another.

Secondly, given a computation and a bound on the fixed point numbers used as inputs and scalars within the computation, we achieve a way of producing lower bounds on the plaintext modulus p and the degree of the ring d needed to support complex homomorphic operations.

Finally, we investigate an application in homomorphic image processing. We have an image given in encrypted form and are required to perform the standard image processing pipeline of Fourier Transform, Hadamard Product, Inverse Fourier Transform. In particular we examine applications in which the specific matrices involved in the Hadamard multiplication are also encrypted. We propose a mixed Fourier Transform Algorithm which aims to strike a compromise between the number of homomorphic multiplications and the parameter sizes of the underlying SHE scheme.

Provably Weak Instances of Ring-LWE Revisited Wouter Castryck and Ilia Iliashenko and Fred-erik Vercauteren

This paper revisits a paper that was published in CRYPTO 2015 by Elias, Lauter, Ozman andStange. They described an attack on the non-dual decision version of the ring learning with errorsproblem (RLWE) for two special families of defining polynomials, whose construction dependson the modulus q that is being used. For particularly chosen error parameters, they managed tosolve non-dual decision RLWE given 20 samples, with a success rate ranging from 10 percent to80 percent.

In this paper we show how to solve the search version for the same families and error parameters, using only 7 samples with a success rate of 100 percent. Moreover, our attack works for every modulus q’ instead of only the q that was used to construct the defining polynomial. The attack is based on the observation that the RLWE error distribution for these families of polynomials is very skewed in the directions of the polynomial basis. For the parameters chosen by Elias et al. the smallest errors are negligible and simple linear algebra successfully recovers the secret. But enlarging the error parameters makes the largest errors wrap around, thereby rendering the RLWE problem unsuitable for cryptographic applications. These observations also apply to dual RLWE, but do not contradict the seminal work by Lyubashevsky, Peikert and Regev. This paper appeared at Eurocrypt 2016.

On Error Distributions in Ring-Based LWE
Wouter Castryck, Ilia Iliashenko and Frederik Vercauteren

Since its introduction in 2010 by Lyubashevsky, Peikert and Regev, the Ring Learning With Errors problem (Ring-LWE) has been widely used as a building block for cryptographic primitives, due to its great versatility and its hardness proof consisting of a (quantum) reduction to ideal lattice problems. This reduction assumes a lower bound on the width of the error distribution that is often violated in practice. In practice people often make very aggressive parameter choices and typically also do not follow the precise construction of ring-LWE as introduced by Lyubashevsky, Peikert and Regev. In particular, they do not work with the dual of the ring of integers, and work with a variant that is not equivalent to the original construction of ring-LWE. In this paper, to appear at ANTS XII, we show that caution is needed when doing so, by constructing examples of number fields such that ring-LWE can be broken if one does not use the proper ring-LWE construction or uses parameters that are (even slightly) too aggressive.

Cryptanalysis of GGH15 Multilinear Maps
Jean-Sébastien Coron, Moon Sung Lee, Tancrède Lepoint and Mehdi Tibouchi

For the past couple of years, cryptographic multilinear maps have found numerous applications in the design of cryptographic protocols, the most salient example of which is probably the construction of indistinguishability obfuscation (iO). Unfortunately, the multilinear candidate schemes of today (GGH13, CLT13 and GGH15) do not rely on well-established hardness assumptions, and recent months have witnessed a number of attacks showing that they fail to meet a number of desirable security requirements, and that they cannot be used to securely instantiate various protocols. In particular, the most immediate application of multilinear maps, namely one-round multipartite key agreement, has been broken for GGH13 and CLT13.

Since the third proposed multilinear maps scheme, GGH15, does not fit the same graded encoding framework as the earlier candidates, one needs new constructions to use it to instantiate cryptographic protocols. Our main contribution, in this paper to appear at CRYPTO 2016, is to describe a cryptanalysis of the Diffie-Hellman key-agreement protocol when instantiated with GGH15 multilinear maps. Our attack makes it possible to generate an equivalent user private key in polynomial time, which in turn allows recovery of the shared session key.

A subfield lattice attack on overstretched NTRU assumptions: Cryptanalysis of some FHE and Graded Encoding Schemes
Martin Albrecht, Shi Bai and Léo Ducas

In this paper, to appear at CRYPTO 2016, we exploit the presence of a subfield to solve the NTRU problem for large moduli q: norming-down the public key h to a subfield may lead to an easier lattice problem, and any sufficiently good solution may be lifted to a short vector in the full NTRU-lattice. We restrict ourselves to choices of dimensions n(λ) and modulus q(λ) that were previously thought to offer resistance against attacks in time exponential in the security parameter λ. For any super-polynomial q(λ), the subfield attack can be made sub-exponential in λ, or even polynomial as q(λ) gets larger. The subfield lattice attack directly affects the asymptotic security of the bootstrappable homomorphic encryption schemes LTV and YASHE. It also makes GGH-like Multilinear Maps vulnerable to principal ideal attacks, therefore leading to a quantum break, and almost vulnerable to a statistical attack à la Gentry-Szydlo. No *encodings of zero* nor *zero-testing parameter* are required. We also provide meaningful practical experiments. Using just LLL in dimension 512 we obtain vectors that would have required running BKZ with block-size 130 in dimension 8192. Finally, we discuss concrete aspects of this attack, the potential immunity of NTRUEncrypt and Bliss parameters, issue preliminary recommendations and suggest countermeasures.

Fast Fourier Orthogonalization
Léo Ducas and Thomas Prest

The classical fast Fourier transform (FFT) makes it possible to compute in quasi-linear time the product of two polynomials in the circular convolution ring R[x]/(x^d − 1), a task that naively requires quadratic time. Equivalently, it accelerates matrix-vector products when the matrix is *circulant*. In this work, we discover that the ideas of the FFT can be applied to speed up the orthogonalization process of matrices with circulant blocks of size d × d. We show that, when d is composite, it is possible to proceed with the orthogonalization in an inductive way, up to an appropriate re-indexation of rows and columns. This leads to a structured Gram-Schmidt decomposition. In turn, this structured Gram-Schmidt decomposition accelerates a cornerstone lattice algorithm: the nearest plane algorithm. The complexity of both algorithms may be brought down to Θ(d · log d). Our results, to appear at ISSAC 2016, easily extend to cyclotomic rings, and can be adapted to Gaussian samplers. This finds applications in lattice-based cryptography, improving the performance of trapdoor functions.


Chapter 3

Standardization

3.1 Overview of on-going actions in HEAT

3.1.1 Standardizing homomorphic encryption in ISO

As detailed in Table 1.3, we have engaged with the ISO standardization process for homomorphic encryption; indeed, Pascal Paillier is its main editor. This process is progressing well, and is expected to produce its first standard in the next few years.

3.1.2 Widening the scope of NIST standards

In addition, a dialogue was opened with NIST by Nigel Smart to investigate the standardization of “higher level” primitives, many of which are needed in the use cases being investigated by the HEAT project.

3.2 Creating ISO/IEC 18033-6

ISO/IEC 18033-6 will be the first standard on homomorphic encryption. According to its edition roadmap within ISO SC 27, it is expected to be ready for publication in fall 2019.

In this first edition, the scope will be limited to simply homomorphic encryption, where only one operation is supported. However, most experts within ISO expect this standard to also include FHE/SHE mechanisms in the next editions, assuming schemes reach a sufficient level of maturity and progressively acquire an appropriate level of trust in their security (the parametrization of many FHE/SHE schemes is not well understood yet).

By contrast, simply homomorphic encryption is considered to be very mature; many encryption schemes have been proposed over the last 3 decades based on well-understood complexity assumptions, plenty of fast and compact implementations of these exist, and an extensive literature has appeared over the years about how they can be used in applications.

3.2.1 What is ISO SC 27?

The ISO/IEC JTC1 Sub-Committee 27 (SC 27, "Security Techniques") is one of the many sub-committees in ISO and is dedicated to IT security. It is formed of 5 working groups, among which Working Group 2 (WG2) has a particular focus on cryptography and security mechanisms.


Figure 3.1: How ISO SC 27 works

The entire ISO SC 27 (all 5 Working Groups) meets physically twice a year, with a spring meeting and a fall meeting. The total number of experts who come to these events varies over time, but is generally between 300 and 400, and tends to increase every year. WG2 meetings usually gather about 50-60 cryptography experts from 15-20 national bodies. The term national body refers to a country, as ISO is composed of member states and functions in essence like the United Nations.

Year   Spring meeting (April)   Fall meeting (October)
2012   Stockholm                Rome
2013   Sofia-Antipolis          Incheon
2014   Hong-Kong                Mexico
2015   Kuching                  Jaipur
2016   Tampa                    Abu Dhabi

Figure 3.2: Recent history of ISO SC 27 meetings

We summarize below the main actions that we have undertaken over the last 2 years to standardize homomorphic encryption (HE) within ISO SC 27.

3.2.2 Phase 1 (Sofia-Kuching): the Study Period

During the ISO SC 27 spring meeting in Sofia-Antipolis in 2013, it was decided to start a Study Period (SP) within WG2 on the adequacy of standardizing HE.

ISO conducts Study Periods on a regular basis; it is the usual way for working groups to determine whether a particular action should be undertaken, such as the inclusion or removal of a cryptographic mechanism from a published standard, or the creation of a new standard, amendment or technical corrigendum.

At the time when the SP started, the needs expressed by prominent actors in the security industry for standardized mechanisms for HE were pretty clear: HE was and is still perceived as a powerful tool that opens the way to a wide range of secure solutions, most particularly in the cloud computing arena. However, the method as to how to proceed with such standardization within SC27 needed to be clarified. During the Sofia meeting, 3 co-rapporteurs were nominated to conduct the SP:

Main rapporteur: Pascal Paillier, CryptoExperts (France)

Co-rapporteur: Atsuko Miyaji, JAIST (Japan)

Co-rapporteur: Jacques Traore, Orange Labs (France)

In total, the SP was extended 3 times and lasted 24 months. It received contributions from several national bodies (Japan, UK, South Korea, US, France, Mexico, etc). Overall, the SP resulted in the following conclusions:

• homomorphic encryption has been around for decades and well-trusted, well-documented mechanisms are known to realize it. Additive schemes are particularly interesting in applications as many advanced cryptographic protocols are based on these schemes. The industrial ecosystem would welcome such a standard to build and confidently invest in innovative security solutions in a wide range of contexts.

• the two options for standardizing HE were identified as being either

1. by creating a new multi-part project on Homomorphic Cryptography within WG2, of which HE would be a single part. Other primitives such as homomorphic signatures and secret sharing would also give rise to dedicated parts.

2. or, by creating a new part in the pre-existing multi-part standard on encryption (ISO/IEC 18033) to address and specify HE.

Reaching closure during the Kuching meeting, WG2 decided to go with option 2 and voted for the creation of ISO/IEC 18033 Part 6. A separate project on homomorphic secret sharing was also started at the same time. WG2 also nominated editors for the new standard:

Main editor: Pascal Paillier, CryptoExperts (France)

Co-editor: Atsuko Miyaji, JAIST (Japan)

3.2.3 Phase 2: Editing 18033-6 "Homomorphic Encryption"

Standards start their life by being mere working documents over which national bodies provide comments and improvements in successive 6-month rounds. The comments that are hard to resolve and/or require a consensual position are treated during the physical ISO meetings, where a consensus between national bodies is usually reached. The life cycle of an ISO standard can be described as follows:

Working Draft (WD): first informal document where the scope and structure are being stabilized. Any expert can provide individual comments on WDs.


Committee Draft (CD): the structure of the document should be stable but new mechanisms can be added on demand. Individual experts are not allowed to comment on CDs; comments have to be provided by national bodies, thus forcing a first level of consensus within national bodies.

Draft International Standard (DIS): usually a majority of the contents are agreed upon, including the definitions and the approved mechanisms.

Final Draft International Standard (FDIS): the text has now reached full maturity and comments have become essentially editorial.

International Standard (IS): the standard is ready and goes to publication. The IS will however be reviewed periodically and can also become the object of amendments or technical corrigenda. A revision must be voted for the IS to be re-written.

Comments received on WD1 during period 1 (Kuching - Jaipur)

The first Working Draft (WD1) contained a number of terms and definitions specific to homomorphic encryption.

Over that 6-month period, we received comments from Japan, the UK, South Korea and France. They were successfully resolved and the text passed from WD1 to WD2.

Comments received on WD2 during period 2 (Jaipur - Tampa)

WD2 contained a first HE mechanism: the basic ElGamal encryption scheme with a restricted message space.

Comments were received from Japan, the UK and South Korea. They were successfully resolved and the text passed from WD2 to WD3. Also, Japan suggested the inclusion of an additive encryption scheme based on LWE called SPHERE. At the Tampa meeting though, the editors requested that the scheme be published prior to considering it for inclusion. A number of agreed-upon criteria for the inclusion of new cryptographic mechanisms pre-exist within WG2, and these require the mechanism to be the object of sufficiently many publications in the public scientific community.

The PRACTICE project also provided comments through a Category C liaison with WG2, asking for the inclusion of various FHE/SHE schemes. These, however, fall outside the scope of the standard for the time being, and ultimately will have to be submitted individually by national bodies for them to be considered in the next editions.

3.2.4 Current status in May 2016

A 3rd working draft (WD3) is currently in preparation, in which the Paillier encryption scheme is added. This inclusion was approved by WG2 during the Tampa meeting.

Within the next months, until the next ISO meeting in Abu Dhabi, national bodies may suggest the inclusion of other mechanisms of their choice. Which ones are to be approved and included in the standard will then be the result of a consensus to be reached at Abu Dhabi.

As a conclusion, the partners of HEAT are actively involved in the standardization of homomorphic encryption, within ISO for the time being, and possibly through other bodies in the future. We will provide an update on these achievements in the next dissemination report.


Chapter 4

Exploitation and IP

As is common with cryptography, there are no plans to patent specific implementation techniques or cryptographic systems. Industry generally does not adopt cryptographic schemes which are patented; it adopts schemes which are freely available, publicly scrutinized and have stood a reasonable test of time. To enable greater impact, the HEAT project will also be following this rule of thumb.

However, we do intend to patent (where appropriate) the applications of SHE technologies within specific use cases and applications. At this stage in the project the development and implementation of the practical use-cases utilizing the SHE schemes has not yet reached a level of maturity to be able to exploit any intellectual property. It is envisaged that as the use-cases develop, opportunities will arise to do so, through the innovation of optimisations in the algorithms tailored for the specific use cases, and in the novel application of the technology.


Chapter 5

Summer Schools and Workshops

So far the HEAT project has organized one summer school and one workshop (to be held in July 2016) on topics related to the project. In addition to the training of external entities conducted via these events, the HEAT programme has also directly supported the PhD training of the researchers Ana Costache (Bristol), Ilia Iliashenko (KU Leuven) and Vincent Zucca (UPMC).

Summer School on Mathematical and Practical Aspects of Fully Homomorphic Encryption and Multi-Linear Maps, October 12th-16th 2015, Paris, France

The speakers were

Zvika Brakerski, Weizmann Institute.
Léo Ducas, CWI, Amsterdam.
Craig Gentry, IBM.
Shai Halevi, IBM.
Tancrède Lepoint, CryptoExperts.
Chris Peikert, Georgia-Tech.
Amit Sahai, UCLA.
Damien Stehlé, ENS-Lyon.

The summer school was attended by around 80 participants from all over the world.

WHEAT: Workshop HEAT, July 5-7, 2016, Université Pierre et Marie Curie, Paris, France

This workshop will consist of a number of invited talks and a set of contributed talks by researchers from across the globe. The invited talks will concentrate mainly on cryptanalysis, and will be given by

Martin Albrecht, University of London.
Léo Ducas, CWI, Amsterdam.
Antoine Joux, University Pierre et Marie Curie.
Thijs Laarhoven, Eindhoven University of Technology.
Adeline Langlois, CNRS, University of Rennes.
Damien Stehlé, École Normale Supérieure de Lyon.
