ADVERTISING AGGREGATIONARCHITECTURE
|
|
- Randolf Lynch
- 5 years ago
- Views:
Transcription
1 SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED PSA ACM NETWORK CCS WPES AND DISTRIBUTED WORKSHOP SYSTEMS SECURITY (NDSS) SYMPOSIUM 2018 Daniela Becker Robert Bosch LLC RTC North America Pittsburgh, USA Jorge Guajardo Robert Bosch LLC RTC North America Pittsburgh, USA Karl-Heinz Zimmermann Hamburg University of Technology Hamburg, Germany
2 Outline 1. Introduction: Private Stream Aggregation (PSA) Problem Statement, Previous Work - Shi et al. s PSA Scheme (NDSS 2011). 2. (Augmented) Learning With Errors Theory Background. 3. Lattice-Based PSA: LaPS General Construction. LaPS instantiation & Experimental Results. 4. Summary & Outlook 2 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018
3 Private Stream Aggregation (PSA) Problem Distributed set of users ( U i ) want to compute sum of their sensitive data ( d i ) No information must be leaked about individual user U i Untrusted aggregator (A), i.e. honest-but-curious U 1 U 2 d 1 d 2 d 3?? U 3? A?? 3 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018
4 Private Stream Aggregation (PSA) Solution Apply differential privacy mechanism M to each d i create noisy version x i Send encrypted x i to aggregator A A aggregates ciphertexts and decrypts learns nothing but noisy sum x agg U 1 d 1 M x 1 Enc c 1 U 2 d 2 M x 2 Enc c 2 A Agg c agg Dec = c 1 + c 2 + c 3 x agg U 3 d 3 M x 3 Enc c 3 4 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018
5 Private Stream Aggregation (PSA) Security & Privacy Notions Aggregator obliviousness A learns nothing but noisy sum x agg differentially private U 1 d 1 NoisyEnc 1 c 1 U 2 d 2 NoisyEnc 2 c 2 A AggrDec x agg U 3 d 3 NoisyEnc 3 c 3 5 Research and Technology Center CR/RTC3-NA 02/19/2018
6 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec r i Geom c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N x i d i + r i c i g x i H t sk i c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 6 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
7 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i r i Geom NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec Create noisy version cof agg c 1 c N data x c i agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N x i d i + r i c i g x i H t sk i c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 7 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
8 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec r i Geom x i d i + r i Desired result x agg in the exponent c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N c i g x i H t sk i c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 8 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
9 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i r i Geom x i d i + r i c i g x i H t sk i A - param, t, {c i } N i=1, sk 0 c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk Note that N N sk i = sk 0 c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg i=1 AggrDec N {c i } i=1 x agg = DLog(g x agg ) 9 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
10 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i NoisyEnc i A - param, t, {c i } N i=1, sk 0 AggrDec r i Geom x i d i + r i c i g x i H t sk i Cancels out c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg N {c i } i=1 x agg = DLog(g x agg ) 10 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
11 Private Stream Aggregation (PSA) Shi et al. [1] U i - param, t, sk i, d i r i Geom NoisyEnc i Solve discrete logarithm to x i d i + r i retrieve result x agg c i g x Strong i H t sk limitation on plaintext i size, e.g. efficient instantiation in [1] is for 1-bit plaintext N {c i } i=1 A - param, t, {c i } N i=1, sk 0 c agg c 1 c N c agg = g x 1 H t sk 1 g x N H t sk N c agg = g x 1+ +x N H t sk 1+ +sk N c agg H t sk 0 = g x 1+ +x N H t sk 1+ +sk N H t sk 0 = g x 1+ +x N = g x agg x agg = DLog(g x agg ) AggrDec 11 Research and Technology Center CR/RTC3-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
12 Lattice-based PSA (LaPS) Goals Overcome previous input limitation [1] of 1 bit for 1000 users Improve security guarantee Note: current schemes are breakable by quantum computers Imagine, each user can only send value 0 or 1. max. aggregation value 1000 Use LWE-based construction Contributions Resolve open problem from [1] Post-quantum security Encrypt values up to max. aggregation value 66 million 66 thousand times bigger values First implementation of PSA scheme: 150 times faster aggregation compared to [1] 12 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 [1] E. Shi, T.-H. H. Chan, E. Rieffel, R. Chow, and D. Song. Privacy-Preserving Aggregation of Time-Series Data. NDSS 2011.
13 Learning With Errors (LWE) [2] A Z q λ κ s Z q κ b Z q λ A 11 A 12 A 13 A 1κ s 1 b 1 A 21 A 22 A 23 A 2κ s 2 b 2 A 31 A 32 A 33 A 3κ A 41 A 42 A 43 A 4κ s 3 = b 3 b 4 (mod q) s κ A λ1 A λ2 A λ3 A λκ b λ Given (A,b): find s 13 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.
14 Learning With Errors (LWE) [2] discrete Gaussian distribution coefficients secret error result λ κ κ A Z q s Z q e i Ψ λ b Z q A 11 A 12 A 13 A 1κ s 1 e 1 b 1 A 21 A 22 A 23 A 2κ s 2 e 2 b 2 A 31 A 32 A 33 A 3κ A 41 A 42 A 43 A 4κ s 3 s κ + e 3 e 4 = b 3 (mod q) b 4 A λ1 A λ2 A λ3 A λκ e λ b λ Given (A,b): find s as hard as worstcase lattice problems* post-quantum secure 14 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 *) relevant parameters: (q, κ, Ψ) [2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.
15 LWE [2] coefficients secret error result λ κ κ A Z LWE: e Ψ λ q s Z λ q b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ 15 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [2] O. Regev. On lattices, learning with errors, random linear codes, and cryptography. STOC 2005.
16 Augmented LWE (A-LWE) [3] coefficients secret error result λ κ κ A Z q s Z q A-LWE: e D λ Λv G b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ 16 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [3] R. El Bansarkhani, Ö. Dagdelen, J. Buchmann. Augmented Learning with Errors: The Untapped Potential of the Error Term. FC 2015.
17 Augmented LWE (A-LWE) Message Embedding [3] Straightforward encryption coefficients secret error result λ κ κ A Z q s Z q A-LWE: e D λ Λv G b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ encode message m using some function f D Λv G defined by v and G m is embedded in e Compute v = f(m) Draw e D Λv G A-LWE: e D Λv G A-LWE: b looks like LWE-term but contains message m b = Enc(m) 17 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [3] R. El Bansarkhani, Ö. Dagdelen, J. Buchmann. Augmented Learning with Errors: The Untapped Potential of the Error Term. FC 2015.
18 Augmented LWE (A-LWE) Message Embedding [3] Decryption coefficients secret error result λ κ κ A Z q s Z q A-LWE: e D λ Λv G b Z q A Z q λ κ s Zκ q + e Z q λ = b Z q λ Compute e = b + ( s T A) Dec A,s (b) special property of D Λv G Compute v = G e mod q decode message Compute m = f 1 (v) 18 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [3] R. El Bansarkhani, Ö. Dagdelen, J. Buchmann. Augmented Learning with Errors: The Untapped Potential of the Error Term. FC 2015.
19 LaPS Overview d 1 U 1 NoisyEnc 1 s 1 c 1 = As 1 + e 1 Remember me? A-LWE! U 2 d 2 NoisyEnc 2 s 2 c 2 = As 2 + e 2 A AggrDec s 0 d 3 U 3 NoisyEnc 3 s 3 c 3 = As 3 + e 3 x i = x 1 + x 2 + x x N U N d N NoisyEnc N s N c N = As N + e N c i s cannot be decrypted by quantum adversary post-quantum security Output does not leak information about individual d i s nor x i s privacy 19 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018
20 LaPS Let s take a closer look U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i c agg c c N c agg = A N i=1 s i + e i v i = AHOM. Enc(pk, x i ) c agg + As 0 e i Sample e i D Λvi (G) c i As i + e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i ) N {c i } i=1 20 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018
21 LaPS: Correctness AggrDec Double Unwrapping U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i Unwrap first layer, since N i=1 s i = s 0 v i = AHOM. Enc(pk, x i ) c agg c c N c agg = A N i=1 s i + e i c agg + As 0 e i Sample e i D Λvi (G) c i As i + e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i ) N {c i } i=1 21 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018
22 LaPS: Correctness AggrDec Double Unwrapping U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i c agg c c N c agg = A N i=1 s i + e i 22 inner ciphertexts v i are v i = AHOM. Enc(pk, additively x i ) homomorphic AHOM. Dec N i=1 v i Sample e i D Λvi (G) = N AHOM. Dec(v i ) c i As i + e i Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 i=1 N {c i } i=1 c agg + As 0 e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i )
23 LaPS: Correctness AggrDec Double Unwrapping U i - param, A, G, pk, s i, d i NoisyEnc i A - param, A, G, {c i } N i=1, sk, s 0 AggrDec x i d i + η i c agg c c N c agg = A N i=1 s i + e i v i = AHOM. Enc(pk, x i ) c agg + As 0 e i 23 Sample e i D Λvi (G) c i As i + eunwrap i second layer using sk Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 N {c i } i=1 G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i )
24 LaPS: Correctness AggrDec Double Unwrapping Correctness: As long as AHOM. Dec N i=1 v i = N i=1 x i and since G e i mod q = v i, where e i D Λvi G, the aggregator indeed outputs the noisy sum aggregate of the users' values. We require AHOM to be additively homomorphic - therefore the sum of the homomorphic ciphertexts N i=1 v i corresponds to an encryption of the sum of the underlying plaintexts i=1 N x i. A - param, A, G, {c i } N i=1, sk, s 0 c agg c c N c agg = A N i=1 s i + e i c agg + As 0 e i G e i v i v i = N i=1 AHOM. Enc pk, x i = AHOM. Enc(pk, x i ) x agg = AHOM. Dec(sk, v i ) AggrDec 24 Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018
25 LaPS: Security Guarantees NoisyEnc i Let s take a closer look For security we want: Break NoisyEnc i break w-c lattice problem U i - param, A, G, pk, s i, d i x i d i + η i NoisyEnc i Encrypt x i using AHOM v i pseudo-random ciphertext v i = AHOM. Enc(pk, x i ) v i c uniform Sample e i D Λvi (G) D Λvi (G) c discrete Gaussian Ψ c i As i + e i A-LWE c (LWE w-c lattices) 25 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018
26 LaPS: Security Guarantees NoisyEnc i Let s take a closer look For security we want: Break NoisyEnc i break w-c lattice problem U i - param, A, G, pk, s i, d i x i d i + η i v i = AHOM. Enc(pk, x i ) Sample e i D Λvi (G) c i As i + e i NoisyEnc i Theorem 1 (Semantic Security): Let the output of AHOM. Enc be indistinguishable from random [ ]. Then, the ciphertexts generated by NoisyEnc in are semantically secure assuming the hardness of worst case lattice problems. Theorem 2 (Aggregator Obliviousness Security): Let the output of AHOM. Enc be indistinguishable from random [ ]. LaPS satisfies aggregator oblivious security assuming the hardness of worst case lattice problems. 26 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018
27 LaPS Instantiation Experimental Results Instantiation using M χ discrete Laplace mechanism and AHOM reduced* BGV encryption scheme BEFORE [1] AFTER (this work)** NoisyEnc i AggrDec p {0,1}: 0.6 ms p 5: p 37: p 65537: p {0,1}: 300 ms p 5: p 37: p 65537: 3.58 ms 3.62 ms 3.73 ms 1.87 ms 1.88 ms 1.96 ms *) Original BGV Scheme [4], adapted from [5] and reduced to homomorphic addition (, i.e. no multiplication) **) Runtime results [ms] for LaPS instance for 1000 users, 80-bit security MacBook, macos Sierra, single 2.5 GHz Intel Core i7 and 16GB memory; averaged over 1000 runs [4] Z. Brakerski and V. Vaikuntanathan, Efficient Fully Homomorphic Encryption from (Standard) LWE. ECCC Research and Technology Center Daniela Becker CR/RTC3.2-NA 02/19/2018 [5] I. Damgard, M. Keller, E. Larraia, V. Pastro, P. Scholl, and N. P. Smart. Practical Covertly Secure MPC for Dishonest Majority or: Breaking the SPDZ Limits. ESORICS 2013.
28 Summary Lattice-based Private Stream Aggregation Plug-and-play deployment of additively homomorphic encryption Strong security & privacy guarantees (Augmented) LWE-assumption provides postquantum security Formal Differential Privacy analysis Significant efficiency improvements compared to previous work 150 times faster decryption times larger plaintext space 28 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018
29 Summary Outlook Lattice-based Private Stream Aggregation Dynamic joins and leaves / user failures Strong security & privacy guarantees Enhance scheme to aggregator unforgeability / public verifiability of aggregate result E.g. by combining with Homomorphic Aggregate Signature scheme (HAS) [6] Significant efficiency improvements compared to previous work 29 Research and Technology Center Daniela Becker CR/RTC3-NA 02/19/2018 [6] Z. Jing. A homomorphic aggregate signature scheme based on lattice. MPE 2014.
30 THANK YOU QUESTIONS?
Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationMASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More informationNotes for Lecture 16
COS 533: Advanced Cryptography Lecture 16 (11/13/2017) Lecturer: Mark Zhandry Princeton University Scribe: Boriana Gjura Notes for Lecture 16 1 Lattices (continued) 1.1 Last time. We defined lattices as
More informationSecure Computation of Hidden Markov Models and Secure Floating-Point Arithmetic in the Malicious Model
Noname manuscript No. (will be inserted by the editor) Secure Computation of Hidden Markov Models and Secure Floating-Point Arithmetic in the Malicious Model Mehrdad Aliasgari Marina Blanton Fattaneh Bayatbabolghani
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationCHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30
CHALMERS GÖTEBORGS UNIVERSITET CRYPTOGRAPHY TDA35 (Chalmers) - DIT50 (GU) 11 April 017, 8:30-1:30 No extra material is allowed during the exam except for pens and a simple calculator (not smartphones).
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationSPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a
SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, 2018 1 CWI, Amsterdam 2 Aarhus University, Denmark 3
More informationDifferential Privacy and its Application in Aggregation
Differential Privacy and its Application in Aggregation Part 1 Differential Privacy presenter: Le Chen Nanyang Technological University lechen0213@gmail.com October 5, 2013 Introduction Outline Introduction
More informationA Framework to Select Parameters for Lattice-Based Cryptography
A Framework to Select Parameters for Lattice-Based Cryptography Nabil Alkeilani Alkadri, Johannes Buchmann, Rachid El Bansarkhani, and Juliane Krämer Technische Universität Darmstadt Department of Computer
More informationOn i-hop Homomorphic Encryption
No relation to On i-hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research 2 This Work is About Connections between: Homomorphic encryption (HE) Secure function evaluation
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationSemantic Security and Indistinguishability in the Quantum World
Semantic Security and Indistinguishability in the Quantum World Tommaso Gagliardoni 1, Andreas Hülsing 2, Christian Schaffner 3 1 IBM Research, Swiss; TU Darmstadt, Germany 2 TU Eindhoven, The Netherlands
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationSecure computation of hidden Markov models and secure floating-point arithmetic in the malicious model
Int. J. Inf. Secur. DOI 10.1007/s10207-016-0350-0 REGULAR CONTRIBUTION Secure computation of hidden Markov models and secure floating-point arithmetic in the malicious model Mehrdad Aliasgari 1 Marina
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationTowards Round-Optimal Secure Multiparty Computations: Multikey FHE without a CRS
Towards Round-Optimal Secure Multiparty Computations: Multikey FHE without a CRS Eunkyung Kim 1, Hyang-Sook Lee( ) 2, and Jeongeun Park 2 1 Security Research Team, Samsung SDS E tower, Seongchongil 56,
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationHomomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes
An extended abstract of this paper appears in the proceedings of COCOON 2016. This is the full version. Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes Pierre-Alain Fouque 1,3, Benjamin
More informationChosen-Ciphertext Security from Subset Sum
Chosen-Ciphertext Security from Subset Sum Sebastian Faust 1, Daniel Masny 1, and Daniele Venturi 2 1 Horst-Görtz Institute for IT Security and Faculty of Mathematics, Ruhr-Universität Bochum, Bochum,
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationAugmented Learning with Errors: The Untapped Potential of the Error Term
Augmented Learning with Errors: The Untapped Potential of the Error Term Rachid El Bansarkhani, Özgür Dagdelen, and Johannes Buchmann Technische Universität Darmstadt Fachbereich Informatik Kryptographie
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationBounded Key-Dependent Message Security
Bounded Key-Dependent Message Security Boaz Barak Iftach Haitner Dennis Hofheinz Yuval Ishai October 21, 2009 Abstract We construct the first public-key encryption scheme that is proven secure (in the
More informationCTR mode of operation
CSA E0 235: Cryptography 13 March, 2015 Dr Arpita Patra CTR mode of operation Divya and Sabareesh 1 Overview In this lecture, we formally prove that the counter mode of operation is secure against chosen-plaintext
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationComputational security & Private key encryption
Computational security & Private key encryption Emma Arfelt Stud. BSc. Software Development Frederik Madsen Stud. MSc. Software Development March 2017 Recap Perfect Secrecy Perfect indistinguishability
More informationPrivacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions
Privacy-Preserving Aggregation of Time-Series Data with Public Verifiability from Simple Assumptions Keita Emura National Institute of Information and Communications Technology (NICT), Japan. k-emura@nict.go.jp
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationEncryption Switching Protocols
This is the full version of the extended abstract which appears in In Advances in Cryptology Proceedings of CRYPTO 16 Part I Springer-Verlag, LNCS 9814, pages 308 338 . Encryption
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationOverdrive: Making SPDZ Great Again
Overdrive: Making SPDZ Great Again Marcel Keller 1, Valerio Pastro 2, and Dragos Rotaru 1,3 1 University of Bristol 2 Yale University 3 imec-cosic, Dept. Electrical Engineering, KU Leuven m.keller@bristol.ac.uk,
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationMULTI-SCHEME FULLY HOMOMORPHIC ENCRYPTIONS AND ITS APPLICATION IN PRIVACY PRESERVING DATA MINING
MULTI-SCHEME FULLY HOMOMORPHIC ENCRYPTIONS AND ITS APPLICATION IN PRIVACY PRESERVING DATA MINING DISSERTATION Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationWatermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationStructure Preserving CCA Secure Encryption
Structure Preserving CCA Secure Encryption presented by ZHANG Tao 1 / 9 Introduction Veriable Encryption enable validity check of the encryption (Camenisch et al. @ CRYPTO'03): veriable encryption of discrete
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationIntroduction to Elliptic Curve Cryptography
Indian Statistical Institute Kolkata May 19, 2017 ElGamal Public Key Cryptosystem, 1984 Key Generation: 1 Choose a suitable large prime p 2 Choose a generator g of the cyclic group IZ p 3 Choose a cyclic
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationA key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme
A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationOn Two Round Rerunnable MPC Protocols
On Two Round Rerunnable MPC Protocols Paul Laird Dublin Institute of Technology, Dublin, Ireland email: {paul.laird}@dit.ie Abstract. Two-rounds are minimal for all MPC protocols in the absence of a trusted
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationEfficient and Secure Delegation of Linear Algebra
Efficient and Secure Delegation of Linear Algebra Payman Mohassel University of Calgary pmohasse@cpsc.ucalgary.ca Abstract We consider secure delegation of linear algebra computation, wherein a client,
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 11 October 7, 2015 CPSC 467, Lecture 11 1/37 Digital Signature Algorithms Signatures from commutative cryptosystems Signatures from
More information