Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
|
|
- Noah O’Neal’
- 5 years ago
- Views:
Transcription
1 Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012 Bar-Ilan University Craig Gentry IBM Watson
2 Optimizations of Somewhat Homomorphic Encryption (SWHE) Constructions of Fully Homomorphic Encryption (FHE) Bar-Ilan University
3 And Better Management of Ciphertext Noise Bar-Ilan University
4 Focusing on the noise problem
5 Noisy Polly Cracker Version: Let χ be an error distribution. Distinguish these distributions: Bar-Ilan University Generate uniform s Z qn. For many i, generate e i χ and a linear polynomial f i (x 1,, x n ) = f 0 f 1 x 1 f n x n (from Z q n1 ) such that [f i (s 1,, s n )] q = e i. For many i, generate and output a uniformly random linear polynomial f i (x 1,, x n ) (from Z q n1 ).
6 Parameters: q such that gcd(q,2)=1. ADD and MULT: Output sum or product of ciphertext polynomials. Relinearize / Key-Switch Bar-Ilan University KeyGen: Secret = uniform s 2 Z qn. Public key: linear polys {f i (x 1,,x n )} s.t. [f i (s)] q =2e i, e i q. Encrypt: Set g(x 1,,x n ) as a random subset sum of {f i (x 1,,x n )}. Output c(x 1,,x n )=mg(x 1,,x n ). Decrypt: [c(s)] q = msmeven. Reduce mod 2.
7 ADD: c(x) = c 1 (x)c 2 (x). Noise of c(x) namely, [c(s)] q is sum of noises. MULT: c(x) = c 1 (x) c 2 (x). Noise [c(s)] q is product of noises. Sort of After MULT, there is relinearization step that adds a small amount to the noise. Function F: c(x) F(c 1 (x),,c t (x)). Noise [c(s)] q f(c 1 (s),,c t (s)) i.e., F applied to noises. Rough approximation: If F has degree d and fresh noises are bounded by B, c(x) has noise B d. Noise magnitude increases exponentially with degree.
8 SWHE ciphertexts must be large to let noise room to grow. Noise grows exponentially with degree. To successfully evaluate degree-d poly, noise B Ã B d without wrapping. So, coefficients of lattice vectors have > d bits. For security, we need it to be hard to B d-1 > 2 d -approximate lattice problems in 2 k time. Requires lattice dim > d k. Total ciphertext length > d 2 k bits.
9 Since total ciphertext length d 2 k bits, we have SWHE for bounded degree: Bar-Ilan University SWHE for bounded degree: A family of schemes E (d), d Z, that for security parameter k, E (d) can homomorphically evaluate functions of degree d. KeyGen, Enc, Dec, ADD, MULT are all poly(k,d). Eval has complexity polynomial in k, d, and circuit size. This is the best we can hope for when noise grows exponentially with degree.
10 Bar-Ilan University
11 Leveled FHE [Gen09]: Relaxation of FHE A family of schemes E (L), L Z, is leveled fully homomorphic if, for security parameter k, E (L) can homomorphically evaluate circuits of depth L, The Dec (decrypt) function is the same for all L, KeyGen, Enc, Dec, ADD, MULT are all poly(k,l). Eval has complexity polyomial in k, L, and circuit size. Humbler name for it: SWHE for bounded depth circuits.
12 Our fantasy: Noise doesn t grow exponentially with degree. There is some simple trick to reduce noise after MULTs. We get better noise management, hence shorter ciphertexts and SWHE for bounded depth. Bar-Ilan University
13 Crazy Idea [BV11b, BGV12]: Suppose c encrypts m that is, m = [[c(s)] q ] 2. Let s pick p<q and set c*(x) = (p/q) c(x), rounded. Maybe it is true that: c*(x) encrypts m: m = [[c*(s)] p ] 2 (new inner modulus). [c*(s)] p (p/q) [c(s)] q (noise is smaller). This really shouldn t work
14 Scaling lemma: Let p < q be odd moduli. Given c with m = [[<c,s>] q ] 2. Set c = (p/q)c. Set c to be the integer vector closest to c such that c = c mod 2. If [<c,s>] q < q/2 - (q/p) l 1 (s), then c is a valid encryption of m with possibly much less noise! m = [<c,s>] p ] 2. [<c,s>] p < (p/q) [<c,s>] q l 1 (s), where l 1 (s) is l 1 -norm of s.
15 Annotated Proof 1. For some k, [<c,s>] q =<c,s>-kq. 1. Imagine <c,s> is close to kq. 2. (p/q)[<c,s>] q = <c,s>-kp. 2. Then <c,s> is close to kp. 3. <c -c,s> < l 1 (s). 3. <c,s> close to kp if s is small. 4. Thus, <c,s>-kp < (p/q) [<c,s>] q l 1 (s) < p/2. 5. So, [<c,s>] p = <c,s> kp. 6. Since c = c and p = q mod 2, we have [<c,s>] p ] 2 =[<c,s>] q ] 2. Scaling lemma:let p<q be odd moduli. Given c with m = [[<c,s>] q ] 2. Set c = (p/q)c. Set c to be the integer (ring) vector closest to c such that c = c mod 2. If [<c,s>] q < q/2 - (q/p) l 1 (s), then: c is a valid encryption of m with possibly much less noise! m = [<c,s>] p ] 2, and [<c,s>] p < (p/q) [<c,s>] q l 1 (s).
16 Example: q=127, p=29, c=(175,212), s=(2,3) <c,s> mod q = = -30 c = (p/q) c = (39.9,48.4) To get c, we round down both values (39,48). <c,s> mod p = = -10 k=8 in both cases, and -30=-10 mod 2. The noise magnitude decreases from 30 to 10. But relative magnitude increases: 10/29 > 30/127.
17 Recall [<c,s>] p < (p/q) [<c,s>] q l 1 (s). Luckily [ACPS 2009] proved that LWE is hard even when s is small chosen from the error distribution χ. So we use this distribution for the secret keys.
18 Scaling lemma also holds for LPR10, BV11a. [LPR10]: Ring-LWE encryption scheme can can also have small secret keys, from the error distribution χ.
19 To evaluate a circuit of depth L Start with a large modulus q L and noise η «q L. After first MULT, noise grows to η 2. Switch the modulus to q L-1 q L /η. Noise reduced to η 2 /η η. After next MULT, noise again grows to η 2. Switch to q L-2 q L-1 /η to reduce the noise to η. Keep switching moduli after each layer. Setting q i-1 q i /η. ( Ladder of decreasing moduli.) Until the last modulus just barely satisfies q 1 > η.
20 Example: q 9 n 9 with modulus reduction. Noise Modulus Fresh ciphertexts η q 9 = η 9 Level-1, Degree=2 η q 8 = η 8 Level-2, Degree=4 η q 7 = η 7 Level-3, Degree=8 η q 6 = η 6 Level-4, Degree=16 η q 5 = η 5 Level-5, Degree=32 η q 4 = η 4 Level-6, Degree=64 η q 3 = η 3 Level-7, Degree=128 η q 2 = η 2 2/29/2012 Level-8, Degree=256 η q 1 = η
21 Example: q 9 n 9 with no modulus reduction. Noise Modulus Fresh ciphertexts η q 9 = η 9 Level-1, Degree=2 η 2 q 9 = η 9 Level-2, Degree=4 η 4 q 9 = η 9 Level-3, Degree=8 η 8 q 9 = η 9 Decryption error Level-4, Degree=16 η 16 q 9 = η 9 Level-5, Degree=32 η 32 Level-6, Degree=64 η 64 Level-7, Degree=128 η 128 2/29/2012 Level-8, Degree=256 η 256
22 To evaluate circuit of depth L; Largest modulus is q L q 1 L η L. Largest ciphertext is O(k poly(l)) bits, where k is the security parameter. Compare: without modulus reduction: ciphertext was O(k d 2 ) bits, where d was the degree (not the depth) of the circuit. Depth is logarithmic in degree. Exponential improvement.
23 Final ciphertext (at output level) is small q 1 is small. Use key-switching to reduce dimension of the ciphertext if needed ( dimension reduction [BV11b]). Final ciphertext can be as small as a normal (nonhomomorphic) Regev 05 ciphertext. We have SWHE for bounded depth circuits.
24 Based on (R)LWE, but for what approx factor? Approx factor = modulus/ noise = (poly(k)) depth. Previously, modulus/ noise = (poly(k)) degree.
25 [CNT12] extends the modulus reduction trick to the integer scheme.
26 Each ciphertext is packed with an array of plaintexts Bar-Ilan University
27 Ciphertexts are long, plaintexts are often short. Wasteful! Overhead of homomorphic encryption = (encrypted comp. time)/(unencrypted comp. time) > (ciphertext length)/(plaintext length)
28 Each ciphertext has an array of plaintext slots. An operation (,x) on a ciphertext acts separately, in parallel, on each plaintext slot (each index in array). Suppose two ciphertexts c and c have (b 1,b 2,b 3 ) and (b 1,b 2,b 3 ) respectively in their slots 3-ADD(c,c ) (b 1 b 1, b 2 b 2, b 3 b 3 ). 3-MULT(c,c ) (b 1 b 1, b 2 b 2, b 3 b 3 ). 3-ADD, 3-MULT cost same as ADD, MULT. Think Chinese Remainder Theorem.
29 Parameters: q such that gcd(q,2)=1. KeyGen: Secret = uniform s 2 Z qn. Public key: linear polys {f i (x 1,,x n )} s.t. [f i (s)] q =2e i, e i q. Encrypt (m Z 2 ): Set g(x 1,,x n ) as a random subset sum of {f i (x 1,,x n )}. Output c(x 1,,x n )=mg(x 1,,x n ). Decrypt: [c(s)] q = msmeven. Reduce mod 2. ADD and MULT: Output sum or product of ciphertext polynomials.
30 Parameters: q and small p 1,p 2,p 3 s.t. gcd(q,p 1 p 2 p 3 )=1. KeyGen: Secret = uniform s 2 Z qn. Public key: linear polys {f i (x 1,,x n )} s.t. [f i (s)] q =p 1 p 2 p 3 e i, e i q. Encrypt (m Z p1p2p3 ): Set g(x 1,,x n ) as a random subset sum of {f i (x 1,,x n )}. Output c(x 1,,x n )=mg(x 1,,x n ). Decrypt: [c(s)] q = m(mult of p 1 p 2 p 3 ). Reduce mod p 1 p 2 p 3. ADD and MULT: Output sum or product of ciphertext polynomials. By CRT, ADD and MULT operate separately on {m mod p i }.
31 Motivation: Better efficiency: RLWE more efficient than LWE even in non-batched setting. Batching works very well in RLWE-based SWHE.
32 Let R = Z[y]/h(y), p prime, R p = Z p [y]/h(y). Suppose h(y) = h i (y) mod p. Then R p Direct product of {Z p [y]/h i (y)}. Example: R = Z[y]/(y 4 1), p=17. (y 4 1) = (y-2)(y-8)(y-15)(y-9) mod 17 2, 8=2 3, 15=2 5, 9=2 7 are the primitive 8-th roots of unity mod 17. Z 17 [y]/(y 4 1) Direct product of Z 17 [y]/(y-2), Z 17 [y]/(y-8), m(y) Z 17 [y]/(y 4 1) is determined by its evaluations at 2, 8, 15, 9.
33 Parameters: q with gcd(q,2)=1, R = Z[y]/(y n 1), R 2 = Z 2 [y]/(y n 1), R q = Z q [y]/(y n 1). KeyGen: Secret = uniform s 2 R. Public key: linear polys {f i (x)} s.t. f i (s)=2e i, e i q. Encrypt(m R 2 ): : Set g(x) as a random subset sum of {f i (x)}. Output c(x)=mg(x). Decrypt: c(s) = msmeven. Reduce mod 2. ADD and MULT: Add or multiply the ciphertext polynomials.
34 Parameters: p, q with gcd(q,p)=1,r = Z[y]/(y n 1), R p = Z p [y]/(y n 1), R q = Z q [y]/(y n 1). KeyGen: Secret = uniform s 2 R. Public key: linear polys {f i (x)} s.t. f i (s)= pe i, e i q. Encrypt(m R p ): : Set g(x) as a random subset sum of {f i (x)}. Output c(x)=mg(x). Decrypt: c(s) = m(p multiple). Reduce mod p. ADD and MULT: Add or multiply the ciphertext polynomials.
35 Parameters: p, q with gcd(q,p)=1,r = Z[y]/(y n 1), R p = Z p [y]/(y n 1), R q = Z q [y]/(y n 1). KeyGen: Secret = uniform s 2 R. Public key: linear polys {f i (x)} s.t. f i (s)= pe i, e i q. Encrypt(m R p ): : Set g(x) as a random subset sum of {f i (x)}. Output c(x)=mg(x). Decrypt: c(s) = m(p multiple). Reduce mod p. Set p = 1 mod 2n, so p has n primitive 2n-th roots of unity. Then, R p splits. ADD and MULT: Add or multiply the ciphertext polynomials. Message m(y) in R p has n plaintext slots for m s evaluations at primitive n-th roots of unity mod p.
36 Plaintexts are m(y) R p = Z p [y]/(y n 1), represented by evaluations m(α i ), where α i s are primitive n-th roots of unity mod p. m 1 (y)m 2 (y) m 1 (α 1 )m 2 (α 1 ),, m 1 (α n )m 2 (α n ). m 1 (y) m 2 (y) m 1 (α 1 ) m 2 (α 1 ),, m 1 (α n ) m 2 (α n ). F(m 1 (y),,m t (y)) F(m 1 (α 1 ),,m t (α 1 )),, F(m 1 (α n ),,m t (α n )). Compute F on n inputs {(a 1i,, a ti ) : i 2 [n]} in parallel by setting {m i (y)} so that m i (α j ) = a ij.
37 Array of length n n-add
38 Array of length n n-mult
39 Array of length n Bar-Ilan University Function F % % % % % % % % % % Great for computing same function F on n different input strings. We can do SIMD homomorphically.
40 Bar-Ilan University
41 x 1 x 2 x 3 x 4 x 5 x 7 x 8 x 9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 ADD and MULT are a complete set of operations.
42 Bar-Ilan University x 1 x 2 x 3 x 4 x 5 x 7 x 8 x 9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 1 x 2 x 3 x 4 x 5 x 7 x 8 x 9 x 10 x 11 x 12 x 14 n-add and n-mult are NOT a complete set of operations.
43 Bar-Ilan University n-mult n-permute(π) x 1 x 2 x 3 x 4 x 5 x 7 x 1 x 2 x 3 x 4 x 5 x x 1 0 x x 2 0 x n-add x 1 x x 2 x x 1 x 2 x 3 x 4
44 Ring Automorphisms! Bar-Ilan University How do we Evaluate n-permute(π) homomorphically, without decompressing the packed ciphertexts?
45 Map a(y) b(y) = a(y i ) mod (y n 1), where i 2 Z 2n *. Bar-Ilan University a(x) = a(α 1 ) a(α 2 ) a(α n-1 ) a(α n ) b(x) = = a(α 1i ) a(α 2i ) a(α n-1i ) a(α ni ) a(α π(1) ) a(α π(2) ) a(α π(n-1) ) a(α π(n) ) b(y) has the same evaluations as a(y), but permuted!
46 Given ciphertext c 1 (y) x c 0 (y) with c 1 (y) s(y)c 0 (y) = m(y)p e(y) (mod q, y n 1) c 1 (y i ) s(y i )c 0 (y i ) = m(y i )p e(y i ) (mod q, y in 1), i 2 Z 2n *. c 1 (y i ) s(y i )c 0 (y i ) = m(y i )p e(y i ) (mod q, y n 1), i 2 Z 2n *. c 1 (y i ) x c 0 (y i ) is an encryption of m(y i ) under key s(y i ). Key switch s(y) s(y i ) to get encryption of m(y i ) under normal key s(y).
47 The Basic Permutations (b(y) = a(y i )): Only n (out of n!) of the possible permutations. Automorphism group Gal(Q(α)/Q) Z 2n *. Think of the automorphisms as n-rotate(i), which rotates the n items i steps clockwise, like a dial. Claim: For any permutation π, we can build n-permute(π) efficiently from n-add, n-mult, and n-rotate(i).
48 Butterfly network: assume n = 2 k. n-permute(π) can be realized by a butterfly network of 2k-1 levels of n-swap(i,s) ops, i2{1,,2k-1}, s2{0,1} n/2. At level i, the 2 k items are partitioned into n/2 pairs, each pair with k-bit indices differing only in i-k -th bit. n-swap(i,s) swaps the j-th pair iff s j =1.
49 8-SWAP(2,0110) Potential Swaps
50 8-SWAP(2,0110) Actual Swaps ROTATE(2) ROTATE(-2)
51 8-SWAP(2,0110) Actual Swaps ROTATE(2) ROTATE(-2)
52 8-SWAP(2,0110) n-mult
53 8-SWAP(2,0110)
54 8-SWAP(2,0110) n-mult
55 8-SWAP(2,0110)
56 8-SWAP(2,0110) n-mult
57 8-SWAP(2,0110)
58 8-SWAP(2,0110) n-add
59 Overhead of batched RLWE-based BGV12 SWHE for security parameter k: = (encrypted comp. time)/(unencrypted comp. time) = poly(log q L, log w) = poly(l, log k, log w), where w is the maximum width of circuit being evaluated.
60 and the bootstrapping step Bar-Ilan University
61 So far, we can evaluate bounded depth F: x 1 F Bar-Ilan University x 2 c F(x 1, x 2,, x t ) x t We have a noisy evaluated ciphertext c. We want to get a less noisy c that encrypts the same value, but with less noise. Bootstrapping refreshes ciphertexts, using the encrypted secret key. 61
62 For ciphertext c, consider D c (sk) = Decrypt sk (c) Suppose D c ( ) is a low-depth polynomial in sk. Include in the public key also Enc pk (sk). sk 1 c y D c New encryption of y, with less noise. sk 2 sk n c D c (sk) = Decrypt sk (c) = y Homomorphic computation applied only to the fresh encryption of sk. 62
63 Recall: Complexity of BGV12 (and BV11b) decryption is independent of L, the depth it can evaluate. Set L > 1depth needed to evaluate D C. Then, homomorphic decryption reduces the noise level. (Use recursively.) We now have FHE (modulo a circular security issue).
64 Decryption function computable in depth O(log k). Our somewhat homomorphic scheme only needs to compute circuits of depth O(log k). Bar-Ilan University BGV12 performance with bootstrapping: Ciphertext size can be quasi-linear in k. ADD and MULT take Ō(k) time. Bootstrapping takes Ō(k 2 ) time. Actually, with batching, we can reduce it to Ō(k) amortized. Overhead is poly(l, log k, log w) = poly(log k, log w), where w is the maximum width of circuit being evaluated. Security can be based on quasi-polynomial factors: 2 Ō(log2 k) versus 2 kc (R)LWE.
65 A hybrid FHE scheme that combines lattices and Elgamal Bar-Ilan University
66 Goal: Construct a bootstrappable SWHE scheme. Bar-Ilan University Problem SWHE schemes don t handle multiplication well, it amplifies the noisiness of ciphertexts. But Elgamal cannot alternate between additions and multiplications Solution? Elgamal handles multiplication well! Maybe Elgamal can help! Suppose the decryption function puts all of the mults together, without alternation? Can Elgamal help with the product part?
67 SWHE: Use a lattice-based SWHE scheme, as before. Express SWHE decryption as a ciphertext-dependent depth-3 (ΣΠΣ) arithmetic circuit applied secret key. P 1 c 1 c k fan-in P k L 1,1 X X X X L1,d1 a 1 x 1... a n x n a 0 1 L i,j = a 0 Σ t=1 n a t x t P i = Π j = 1 d i L i,j C(x) = Σ i=1 k c i P i = Σ i c i Π j L i,j
68 Bootstrapping: Evaluate depth-3 circuit homomorphically by combining a SWHE scheme with a helper MHE (multiplicative homomorphic enc.) scheme, like Elgamal: Bottom Sums: Get MHE encryptions of the bottom sums. (Can put all needed MHE ciphertexts in public key.) Products: Evaluate them homomorphically using MHE scheme. Translation: Translate each ciphertext Enc MHE (m) to Enc SWHE (m) by evaluating MHE decryption homomorphically. Top Sum: Evaluate top sum under the SWHE scheme.
69 Main high-level idea: The SWHE scheme only needs enough homomorphic capacity to evaluate the MHE scheme s decryption, not its own decryption. Breaks the self-referentiality of bootstrapping.
70 SWHE Scheme MHE Scheme Bar-Ilan University Chimera (mythology): 1) A monstrous fire-breathing female creature composed of the parts of multiple animals: upon the body of a lioness with a tail that ended in a snake s head, the head of a goat arose on her back. 2) The term chimera has also come to mean, more generally, an impossible or foolish fantasy, hard to believe.
71 Bar-Ilan University
72 Typically, they can be computed using restricted depth-3 circuits. Proven already for Regev s cryptosystem by Klivans and Sherstov. Bar-Ilan University
73 Bar-Ilan University Elementary symmetric polynomial e k (x 1,, x n ): sum of all monomials that are products of exactly k distinct variables. Cool fact: e k (x) mod p can be computed by a depth-3 arithmetic circuit (for large enough p) How? If P(z) = P i (zx 1 ), then e k (x) is the coefficient of z n-k Computing P(z): evaluate P(z) in n1 points, Observe: interpolate the bottom Let A = {a 1,, a n1 } be some subset of Zsums p are restricted. Bottom Sums: Compute a j x i for all x i s and a j s. Products: Compute λ j P(a j ) = Π i (a j x i ) for all j. Top Sum: Interpolate j λ j P(a j ) to get desired coefficient of P(z).
74 Multilinear symmetric polynomials (MSPs): Bar-Ilan University MSPs are symmetric, and each variable has degree 1 MSPs are linear combinations of elementary symmetric polynomials (ESPs) MSPs can be computed by restricted depth-3 circuits. Lattice-based decryption functions can be expressed as restricted MSPs.
75 Bar-Ilan University
76 MHE scheme: Elgamal over QR(p) p = 2q1 be a safe prime SWHE scheme: Plaintext space = Z p. Decryption is a restricted depth-3 arithmetic circuit over Z p.
77 FHE.KeyGen: Generate Elgamal key (e L, g e L ), SWHE key ({sil }, pk i ), for every level L in the circuit Encrypt individual bits of e L under k L1. Encrypt values a j s i (in Z p ) under Elgamal for a j in A. Note: A is our set of interpolation points in our MSP. Technicality: the a j s must be chosen so that a j and a j 1 are both in QR(p), the plaintext space of Elgamal. Publish the public keys and encrypted secret keys.
78 To refresh a level-i ciphertext c: First, express SWHE.Dec(c,s) as a c-dependent restricted depth-3 circuit taking key s as input. Bar-Ilan University c 2 c 1 X X X X a 4 s 1 a 4 s 2 a 4 s 3
79 Refresh.BottomSums: Pick up the Elgamal encryptions of a j s i from PK. The bottom sums have been precomputed. Refresh.Products: Compute c j P(a j ) = c j Π i (a j s i ) mod p homomorphically using Elgamal. Refresh.Translation: Translate to SWHE for the addition X X c 2 X c 1 X Bar-Ilan University Uses Elgamal.Mult for products Elgamal.Enc(a j s i ) in the public key a 4 s 1 a 4 s 2 a 4 s 3
80 Refresh.Translation: Goal: Convert (y, z) = (g r, mg -er ) to a SWHE ciphertext. Precompute y i = y 2 i mod p for all i up to log q. Inside SWHE, compute y e[i]2 i = e[i] y 2 i (1-e[i])y 0 mod p. Inside SWHE, compute product of y e[i]2i s to get y e. The degree of this product is log q. Inside SWHE, compute product of y e and z to get m. Refresh.TopSum: Just do it inside the SWHE scheme.
81 Required homomorphic capacity of SWHE scheme: Evaluate Elgamal decryption, plus an ADD or MULT. Overall degree = 2 log q. Set SWHE parameters large to evaluate polynomials of degree 2 log q. Done!
82 Bar-Ilan University
83 Bar-Ilan University [ACPS09] Benny Applebaum, David Cash, Chris Peikert, and Amit Sahai. Fast cryptographic primitives and circular-secure encryption based on hard learning problems. Crypto [BGV12] Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. Fully homomorphic encryption without bootstrapping. ITCS [BV11a] Zvika Brakerski and Vinod Vaikuntanathan. Fully homomorphic encryption from ring-lwe and security for key dependent messages. Crypto [BV11b] Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. FOCS [CNT12] Jean-Sebastien Coron, David Naccache, and Mahdi Tibouchi. Public-Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers. Eurocrypt [GH11b] Craig Gentry and Shai Halevi. Fully Homomorphic Encryption without Squashing Using Depth-3 Arithmetic Circuits. FOCS [GHS12] Craig Gentry, Shai Halevi, and Nigel Smart. Fully Homomorphic Encryption with Polylog Overhead. Eurocrypt [SV11] Nigel P. Smart, Frederik Vercauteren. Fully Homomorphic SIMD Operations. eprint.iacr.org/2011/133.
84 We can compress the entire FHE ciphertext down to a single MHE (e.g., Elgamal) ciphertext Choose a j s cleverly so that all products P(a j ) can be computed just from P(a 1 ) Recall: P(z) = Π i (zs i ) where s i is a secret key bit. We only store P(a 1 ) e.g., a single Elgamal ciphertext! Note: P(a j ) can be computed homomorphically from P(a 1 ) within the MHE scheme. Set a j such that we know (w j, e j ) such that a j = w j a e j 1 mod p, and a j 1 = w j (a 1 1) e j mod p How? Choose e j and set a j = a ej 1 /((a 1 1) ej a ej 1 ) and w j = a j /a ej 1. Then, P(a j ) = w jd P(a 1 ) e j mod p
85 Lemma: Let p be a prime. Let S = {(u,v): u 0, v 0, u 2 -v 2 = 1 mod p} Then, S = p-3 or p-5, depending on whether p = 3 or 1 mod 4. Proof: For each pair (u,v) in S, let a uv = uv. Then a uv -1 = u-v, and we have: u = (a uv a uv -1 )/2 and v = (a uv - a uv -1 )/2 implying that a uv determines u and v uniquely. So, for we have S = T. T = {a 0 : aa -1 0, a-a -1 0}, We have that a is in T unless a = 0, a 2 = -1, or a 2 = ±1. If p = 1 mod 4, then -1 in QR(p), and there are 5 prohibited values. If p = 3 mod 4, then -1 is not a residue, and there are 3 prohibited values.
FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry 1, Shai Halevi 1, and Nigel P. Smart 2 1 IBM T.J. Watson Research Center 2 Dept. Computer Science, University of Bristol Abstract. Gentry
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry IBM Shai Halevi IBM Nigel P. Smart University of Bristol December 15, 2011 Abstract Gentry s bootstrapping technique is currently the only
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationBootstrapping for HElib
Bootstrapping for HElib Shai Halevi 1 and Victor Shoup 1,2 1 IBM Research 2 New York University Abstract. Gentry s bootstrapping technique is still the only known method of obtaining fully homomorphic
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Homomorphic Encryption Basics Somewhat homomorphic
More informationScale-Invariant Fully Homomorphic Encryption over the Integers
Scale-Invariant Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, Tancrède Lepoint 1,,3, and Mehdi Tibouchi 4 1 University of Luxembourg, Luxembourg jean-sebastien.coron@uni.lu École
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert October 9, 2013 Abstract Gentry s bootstrapping technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We present a new tensoring techniue for LWE-based fully homomorphic
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Abstract We present a new tensoring techniue for LWE-based fully homomorphic encryption. While in all previous
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationBatch Fully Homomorphic Encryption over the Integers
Batch Fully Homomorphic Encryption over the Integers Jung Hee Cheon 1, Jean-Sébastien Coron 2, Jinsu Kim 1, Moon Sung Lee 1, Tancrède Lepoint 3,4, Mehdi Tibouchi 5, and Aaram Yun 6 1 Seoul National University
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationCS Topics in Cryptography January 28, Lecture 5
CS 4501-6501 Topics in Cryptography January 28, 2015 Lecture 5 Lecturer: Mohammad Mahmoody Scribe: Ameer Mohammed 1 Learning with Errors: Motivation An important goal in cryptography is to find problems
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University) Miran Kim, Yongsoo Song (University of California, San Diego) Landscape of Homomorphic
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationField Switching in BGV-Style Homomorphic Encryption
Field Switching in BGV-Style Homomorphic Encryption Craig Gentry IBM Research Shai Halevi IBM Research Nigel P. Smart University of Bristol Chris Peikert Georgia Institute of Technology September 13, 2013
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationTOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION
TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION A Thesis Presented to The Academic Faculty by Jacob Alperin-Sheriff In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationOptimizing Fully Homomorphic Encryption
Optimizing Fully Homomorphic Encryption By Kevin C. King B.S., C.S. M.I.T., 2015 September 30, 2016 Submitted to the Department of Electrical Engineering and Computer Science In Partial Fulfillment of
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationFaster Homomorphic Evaluation of Discrete Fourier Transforms
Faster Homomorphic Evaluation of Discrete Fourier Transforms Anamaria Costache, Nigel P. Smart, and Srinivas Vivek University of Bristol, Bristol, UK Abstract. We present a methodology to achieve low latency
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationCryptanalysis of a Homomorphic Encryption Scheme
Cryptanalysis of a Homomorphic Encryption Scheme Sonia Bogos, John Gaspoz and Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland {soniamihaela.bogos, john.gaspoz, serge.vaudenay}@epfl.ch Abstract. Homomorphic
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More informationHigh-Precision Arithmetic in Homomorphic Encryption
High-Precision Arithmetic in Homomorphic Encryption Hao Chen 1, Kim Laine 2, Rachel Player 3, and Yuhou Xia 4 1 Microsoft Research, USA haoche@microsoft.com 2 Microsoft Research, USA kim.laine@microsoft.com
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationFHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime
FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime Daniel Benarroch,1, Zvika Brakerski,1, and Tancrède Lepoint,2 1 Weizmann Institute of Science, Israel 2 SRI International, USA Abstract.
More informationHomomorphic Encryption without Gaussian Noise
Homomorphic Encryption without Gaussian Noise Anamaria Costache and Nigel P. Smart Dept. Computer Science, University of Bristol, United Kingdom. Abstract. We propose a Somewhat Homomorphic Encryption
More informationFully Homomorphic Encryption
6.889: New Developments in Cryptography February 8, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption Scribe: Alessandro Chiesa Achieving fully-homomorphic encryption, under any kind of reasonable
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationEvaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems
Rochester Institute of Technology RIT Scholar Works Presentations and other scholarship 3-31-2016 Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems Peizhao Hu Rochester
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationFast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems
Fast Cryptographic Primitives & Circular-Secure Encryption Based on Hard Learning Problems Benny Applebaum, David Cash, Chris Peikert, Amit Sahai Princeton University, Georgia Tech, SRI international,
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationAn Improved RNS Variant of the BFV Homomorphic Encryption Scheme
An Improved RNS Variant of the BFV Homomorphic Encryption Scheme Shai Halevi 1, Yuriy Polyakov 2, and Victor Shoup 3 1 IBM Research 2 NJIT Cybersecurity Research Center 3 NYU Abstract. We present an optimized
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More information(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces
(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida Kaoru Kurosawa National Institute of Advanced Industrial Science and Technology (AIST), Japan, k.nuida@aist.go.jp
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationFloating-Point Homomorphic Encryption
Floating-Point Homomorphic Encryption Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song Department of Mathematical Sciences, Seoul National University, Republic of Korea {jhcheon, kimandrik, alfks500,
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationHomomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based
Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based Craig Gentry Amit Sahai Brent Waters June 8, 2013 Abstract We describe a comparatively simple
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationHomomorphic AES Evaluation Using the Modified LTV Scheme
Noname manuscript No. (will be inserted by the editor) Homomorphic AES Evaluation Using the Modified LTV Scheme Yarkın Doröz Yin Hu Berk Sunar the date of receipt and acceptance should be inserted later
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationFaster Bootstrapping with Polynomial Error
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert June 13, 2014 Abstract Bootstrapping is a technique, originally due to Gentry (STOC 2009), for refreshing ciphertexts of a
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationHomomorphic Encryption for Arithmetic of Approximate Numbers
Homomorphic Encryption for Arithmetic of Approximate Numbers Jung Hee Cheon 1, Andrey Kim 1, Miran Kim 2, and Yongsoo Song 1 1 Seoul National University, Republic of Korea {jhcheon, kimandrik, lucius05}@snu.ac.kr
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationHigh-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More information