Reinventing Symmetric Cryptography for Arithmetization over Large fiElds

Periodic Reporting for period 1 - ReSCALE (Reinventing Symmetric Cryptography for Arithmetization over Large fiElds)

Reporting period: 2022-09-01 to 2025-02-28

Cryptography is the science of secrecy. It corresponds to the techniques ensuring that information can be exchanged securely, even in the presence of an adversary capable of listening to it.
All electronic communications need to be secured, and the amount of data that needs to be encrypted is enormous: from banking credentials to private messages, all this information is secured using sophisticated computer algorithms such as block ciphers and hash functions. We now have reliable algorithms of each of these types, so we can secure communications by ensuring their confidentiality (an eavesdropper cannot obtain any useful information), their integrity (a modification made while the information is transmitted will be detected), and their authentication (we can be sure that the information was produced by the correct person or entity). For example, when logging into a website, cryptographic algorithms are used to process the password (so that it cannot be intercepted), to authenticate the website (so that a hacker cannot impersonate it to steal information), and then to secure the rest of the communication.
However, our ever-growing reliance on digital tools demands a new type of security: beyond communications, we now need to secure *computations*. What does "securing a computation" mean? For example, it could mean devising algorithms that can operate on encrypted data in order to perform meaningful operations without decrypting it. This is called *Fully Homomorphic Encryption (FHE)*, and it will be used in the future, for instance, for automated medical diagnosis: an AI model will be evaluated on an encrypted X-ray image and return a diagnosis without decrypting it, meaning that it would be impossible for the service provider to know the content of the X-ray (or indeed the diagnosis). Only the patient would have the cryptographic keys needed to make sense of this data. Similarly, *zero-knowledge protocols* can prove that an online service has performed an agreed-upon set of operations on secret data to derive a specific result without revealing either the secret data or the result itself: they simply guarantee that the result, whichever it is, is correct.
Unfortunately, a wide-scale deployment of such protocols remains difficult at this stage: they correspond to complex pieces of software that rely on an array of cryptographic sub-blocks (so-called primitives) of different types for their security. These primitives then need to be fast on top of being secure, which turns out to be a bottleneck in practice.
The aim of the ReSCALE project is to investigate some of the primitives needed for such protocols. The aim is then twofold: we need to better understand the security they provide, and how to design them. Of course, the second point depends on the first, since new primitives need to be secure. This study is made all the more complicated by a specific consequence of integration with advanced protocols like FHE and zero-knowledge proofs: the mathematical alphabet on which the algorithms operate is different. Primitives used to secure communications are optimized to encrypt bit-strings, i.e. long sequences of 0s and 1s. On the other hand, these protocols use elementary operations that are defined over large integers, and the number of such operations needs to be minimized. Thus, in order to analyse these new primitives, we need to build the necessary mathematical tools from scratch. The purpose of ReSCALE is thus to rescale our tools from the binary case to fields of arbitrary size, and to use them to ensure the security of a wide array of cryptographic mechanisms.
So far, we have made progress in the two broad directions of cryptology: the design of new primitives, and the search for flaws in existing ones (i.e. "cryptanalysis"). The aim when looking for flaws is not to attack systems currently in use in order to harm their users, quite the opposite: the aim is to identify potential types of flaws, and then identify the relevant counter-measures before such systems are deployed, so as to increase the security of the users.

In terms of design, we have identified a previously unknown connection between the design requirements of some zero-knowledge protocols and "CCZ-equivalence". This form of equivalence is a concept from mathematics introduced in the late 1990s in an unrelated context: its inventors wanted to classify some functions by sorting them into "CCZ-equivalence classes", since all the functions in such a class have similar properties. Our idea is to use pairs of functions from a CCZ-equivalence class, where one offers good security and the other offers good performance. Combining them in an ingenious way, it is possible to enjoy the best properties of each function. This insight led to the design of Anemoi, a new hash function that offers very competitive performance in multiple proof systems. We have also made significant advances in the design of "stream ciphers", a common type of cryptographic algorithm, significantly lowering the cost of FHE in some contexts. Our algorithm, called Transistor, will be released soon.
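To make the "count the field operations" constraint and the CCZ pairing idea of the two paragraphs above concrete, here is an added Python example (not the project's code, and not Anemoi's): it takes the simplest pair of CCZ-equivalent functions, a power map x^d and its inverse x^(1/d) over a prime field, and counts the field multiplications needed to evaluate the high-degree inverse versus to verify it through the low-degree relation y^d = x. The field (the 64-bit Goldilocks prime) and the exponent d = 7 are my own choices.

```python
# Added illustration, not ReSCALE/Anemoi code. A permutation and its inverse are
# CCZ-equivalent (their graphs differ by swapping coordinates). Over F_p the map
# x -> x^d with small d is cheap to verify, while its inverse x -> x^(1/d) has a
# huge degree: a circuit can compute y = x^(1/d) off-circuit but only constrain
# the low-degree relation y^d == x, paying d's few multiplications, not 1/d's.
from math import gcd

P = 2**64 - 2**32 + 1   # Goldilocks prime, a field size used in proof systems (my choice)
D = 7                   # low-degree exponent; gcd(D, P-1) == 1 makes x^D a permutation


def inverse_exponent(d: int, p: int) -> int:
    """Exponent e with (x^d)^e == x for every x in F_p, i.e. the map x^(1/d)."""
    assert gcd(d, p - 1) == 1, "x^d is not a permutation of F_p"
    return pow(d, -1, p - 1)


def pow_counting_mults(x: int, e: int, p: int) -> tuple[int, int]:
    """Square-and-multiply returning (x^e mod p, number of field multiplications).

    The count models what a proof system pays to arithmetize the exponentiation."""
    result, base, mults = 1, x % p, 0
    while e:
        if e & 1:
            result = result * base % p
            mults += 1
        e >>= 1
        if e:
            base = base * base % p
            mults += 1
    return result, mults


def cost_comparison(x: int, d: int = D, p: int = P) -> dict:
    """Evaluate the 'secure' map y = x^(1/d), then verify it with the 'fast' map.

    Returns both multiplication counts, the degree of the inverse map, and
    whether the low-degree check y^d == x accepts."""
    e = inverse_exponent(d, p)
    y, eval_mults = pow_counting_mults(x, e, p)        # high degree, expensive
    x_back, check_mults = pow_counting_mults(y, d, p)  # low degree, cheap
    return {
        "inverse_degree": e,
        "eval_mults": eval_mults,
        "check_mults": check_mults,
        "verified": x_back == x % p,
    }


if __name__ == "__main__":
    print(cost_comparison(123456789))
```

The printed dictionary shows the inverse map's degree is on the order of p while its verification costs only a handful of multiplications, which is the asymmetry a CCZ-based design exploits.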

In terms of cryptanalysis, we have challenged the then-prevailing wisdom. Until the start of this project, the security analysis of primitives defined over big integers hinged on two hypotheses:
1. the cryptanalysis techniques falling in the "statistical attacks" category are not really relevant, and
2. the relevant techniques, called "algebraic attacks", can be prevented by ensuring that a specific algorithm is very slow.

Both ideas have worrying limitations. First, statistical attacks can be relevant: while the conditions for their applicability correspond to unlikely coincidences, they are extremely powerful when they can be applied. Second, while it is true that algebraic attacks are a significant threat that has to be prevented, the known techniques to achieve this protection are insufficient. We have shown that algebraic attacks can in fact be run in a different way than previously considered; and this alternative method is far more efficient.
Our advances on algebraic cryptanalysis mean that the security arguments against such attacks need to be rewritten from scratch, and this will impact future designs. In particular, as the standardization of cryptographic algorithms defined over large integers is being considered, the candidates will need to take these results into account. Further research is needed (and in fact already ongoing) to identify the best method to design algorithms that are secure against such attacks while still providing high security.

Our stream cipher, Transistor, will significantly lower some of the costs associated with the use of a specific FHE protocol called "TFHE". This will ease its deployment.

Finally, the collaborations we have set up between researchers of different areas of cryptography and mathematics, as well as with European startups, already constitute one of the long-term impacts of this project. We will maintain our focus in this area.