Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
|
|
- Gervase Mills
- 5 years ago
- Views:
Transcription
1 Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015
2 2 / 30 Timeline: The Hype Cycle of Multilinear Maps
3 Timeline visibility time 2 / 30
4 Timeline visibility time 2 / 30 1 technology trigger
5 Timeline visibility time second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]
6 Timeline visibility time 2 peak of inflated expectations second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]
7 Timeline visibility time io second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]
8 Timeline visibility time 3 trough of disillusionment second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]
9 Timeline visibility time break of (G)DDH in GGH [HJ15] break of previous fixes and extensions [CGHLMMRST15] tentatives fixes for CLT [BWZ14,GGHZ14] break of CLT [CHLRS15] weak DL [GGH13] second candidate construction [CLT13] 2 / 30 first candidate construction [GGH13]
10 Today visibility time 3 / 30
11 Today visibility time slope of enlightenment 4 3 / 30
12 Today visibility time Graph induced [GGH15] New multilinear maps over integers [CLT15] 3 / 30
13 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] 4 / 30
14 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction 4 / 30
15 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) 4 / 30
16 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by multiplication and shortness 4 / 30
17 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by multiplication and shortness Similar to FHE schemes based on Approximate-GCD 4 / 30
18 The CLT Scheme Multilinear maps over the integers [CoronL.Tibouchi 13 15] Second candidate construction Composite-order maps (different from [GGH13,GGH15]) Follow [GGH13] recipe Level by multiplicative mask Zero-testing by multiplication and shortness Similar to FHE schemes based on Approximate-GCD Useful for many applications... 4 / 30
19 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data... but we do not want the same information from the result than with HE 5 / 30
20 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a)... but we do not want the same information from the result than with HE 5 / 30
21 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a) in both cases, computing low-degree polys of [a i ] s is possible, up to a degree k... but we do not want the same information from the result than with HE 5 / 30
22 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a) in both cases, computing low-degree polys of [a i ] s is possible, up to a degree k... but we do not want the same information from the result than with HE MMAPS can test if it is zero, at level k (and hard to compute at degree > k) 5 / 30
23 SWHE vs. MMAPs Computation over encrypted data We want to compute homomorphically over encrypted data encode a into [a] encrypt a into [a] = Enc(a) in both cases, computing low-degree polys of [a i ] s is possible, up to a degree k... but we do not want the same information from the result than with HE MMAPS can test if it is zero, at level k (and hard to compute at degree > k) 5 / 30 SHWE no information on a from the result, except with secret key
24 6 / 30 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14]
25 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p 6 / 30
26 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p Public key x 0 = q 0 p for very large (hard to factor) q 0 6 / 30
27 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p Public key x 0 = q 0 p for very large (hard to factor) q 0 Ciphertext of m c = q p + g r + m for q [0, q 0 ) and r χ small 6 / 30
28 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key prime p Public key x 0 = q 0 p for very large (hard to factor) q 0 Ciphertext of m c = CRT q0,p( q, g r + m ) for q [0, q 0 ) and r χ small 6 / 30
29 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key primes p 1,..., p n Public key x 0 = q 0 p 1 p n for very large (hard to factor) q 0 Ciphertext of m c = CRT q0,p 1,...,p n ( q, g 1 r 1 + m 1,..., g n r n + m n ) for q [0, q 0 ) and r 1,..., r n χ small 6 / 30
30 Starting from Homomorphic Encryption SWHE over the integers [DGHV10,CMNT11,CNT12,CCKLLMTY13,CLT14] Secret key primes p 1,..., p n Public key x 0 = q 0 p 1 p n for very large (hard to factor) q 0 Ciphertext of m c = CRT q0,p 1,...,p n ( q, g 1 r 1 + m 1,..., g n r n + m n ) for q [0, q 0 ) and r 1,..., r n χ small + 6 / 30
31 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] 7 / 30
32 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] Let z [0, x 0 ) be a random (invertible) multiplicative mask 7 / 30
33 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] Let z [0, x 0 ) be a random (invertible) multiplicative mask Encoding of m Z g1 Z gn at level j: [ m] j = c/z j mod x 0 = CRT q,p 1,...,p n (q, r 1 g 1 + m 1,..., r n g n + m n ) z j mod x 0 7 / 30
34 Adding Sharp Levels Using multiplicative mask [GGH13,CLT13] Let z [0, x 0 ) be a random (invertible) multiplicative mask Encoding of m Z g1 Z gn at level j: [ m] j = c/z j mod x 0 = CRT q,p 1,...,p n (q, r 1 g 1 + m 1,..., r n g n + m n ) z j mod x 0 7 / 30 Operations over Z x0 : Addition [ m] j + [ m ] j [ m + m ] j Multiplication [ m] j1 [ m ] j2 [ m m ] j1 +j 2
35 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] 8 / 30
36 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] How to test whether two degree-k encodings are equal? [ m] k [ l] k (i.e. m = l) [ m l] k [ 0] k 8 / 30
37 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] How to test whether two degree-k encodings are equal? [ m] k [ l] k (i.e. m = l) [ m l] k [ 0] k What is an encoding of m = 0? [ 0] k = CRT q,p 1,...,p n (q, r 1 g 1,..., r n g n ) z k mod x 0 8 / 30
38 Main Ingredient: Testing for Zero Using the shortness of the noise [GGH13,CLT13] How to test whether two degree-k encodings are equal? [ m] k [ l] k (i.e. m = l) [ m l] k [ 0] k What is an encoding of m = 0? [ 0] k = CRT q,p 1,...,p n (q, r 1 g 1,..., r n g n ) z k mod x 0 8 / 30 Idea of [GGH13]: multiply by an element which will cancel z k and when the r i s are small (r i g i p i ), yield something small compared to x 0.
39 9 / 30 Simplifications for Zero-Testing
40 Simplifications for Zero-Testing [ 0] k = i g i r i (p i 1 /z k mod p i ) p i + ( p j ) q mod x 0 where p i = j i p j 9 / 30
41 Simplifications for Zero-Testing [ 0] k = i g i r i (p i 1 /z k mod p i ) p i + ( p j ) q mod x 0 where p i = j i p j The random value q makes difficult to obtain something small... except if we are working modulo p j 9 / 30
42 Simplifications for Zero-Testing [ 0] k = i g i r i (p i 1 /z k mod p i ) p i + ( p j ) q mod x 0 where p i = j i p j The random value q makes difficult to obtain something small... except if we are working modulo p j 9 / 30 In the following x 0 = p j, and [ m] j = c/z j mod x 0 = CRT p 1,...,p n (r 1 g 1 + m 1,..., r n g n + m n ) z j mod x 0
43 Zero-Testing Procedure Multiply by the public element (where h i p i ) p zt = i h i (g 1 i z k mod p i ) p i mod x 0 10 / 30
44 Zero-Testing Procedure Multiply by the public element (where h i p i ) p zt = i h i (g 1 i z k mod p i ) p i mod x 0 [ m] k = c/z k mod x 0 = CRT p 1,...,p n (r 1 g 1 + m 1,..., r n g n + m n ) z k mod x 0 therefore [ m] k p zt = i (r i + m i g 1 i ) h i p i mod x 0 10 / 30
45 Zero-Testing Procedure Multiply by the public element (where h i p i ) p zt = i h i (g 1 i z k mod p i ) p i mod x 0 [ m] k = c/z k mod x 0 = CRT p 1,...,p n (r 1 g 1 + m 1,..., r n g n + m n ) z k mod x 0 therefore [ m] k p zt = i (r i + m i g 1 i ) h i p i mod x 0 We have (we prove equivalence whp when many p zt s are given) m = 0 [ m] k p zt mod x 0 x 0 10 / 30
46 11 / 30 Hardness Assumptions
47 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine 11 / 30
48 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine At the heart of the multipartite key echange protocol 11 / 30
49 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine At the heart of the multipartite key echange protocol Assumed to be hard (no reduction to Approx.-GCD) 11 / 30
50 Hardness Assumptions GDDH: Given (k + 1) elements [ m i ] 1 whether m k+1 i=1 m i. and [ m ] k, determine At the heart of the multipartite key echange protocol Assumed to be hard (no reduction to Approx.-GCD) Asymptotic parameters obtained from numerous attacks orthogonal lattice attack on encodings GCD attack on zero-testing hidden subset sum attack on zero-testing attacks on the inverse zero-testing matrix brute-force on the noises, / 30
51 But... Zeroizing Attack Eurocrypt 2015 best paper [CHLRS15] 12 / 30
52 13 / 30 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure
53 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k p zt = i r i (h i p i ) Z 13 / 30
54 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k 2 [ b] 1 [ c] 1 p zt = i r i ˆb i ĉ i (h i p i ) Z 13 / 30
55 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k 2 [ b] 1 [ c] 1 p zt = i r i ˆb i ĉ i (h i p i ) Z r i ˆb i (h i p i ) ĉ i 13 / 30
56 The Zeroizing Attack on CLT13 Exploiting the (bi)linearity of the zero-testing procedure [ 0] k 2 [ b] 1 [ c] 1 p zt = i r i ˆb i ĉ i (h i p i ) Z r i ˆbi (h i p i ) ĉ i 13 / 30
57 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 14 / 30
58 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 r i ˆbi (h i p i ) ĉ i r i ˆb i (h i p i ) ĉ i 14 / 30
59 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 r i ˆbi (h i p i ) ĉ i (ĉ i ) 1 1 ˆb i (h i p i ) (r 1 i ) 14 / 30
60 The Zeroizing Attack on CLT13 Inversion over Q Let s do it with many [ 0] k 2, [ c] 1 and two targets [ b] 1, [ b ] 1 r i ˆbi (h i p i ) ĉ i (ĉ i ) 1 1 ˆb i (h i p i ) (r 1 i ) = r i ˆbi /ˆb i (r i ) 1 14 / 30
61 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 15 / 30
62 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 Compute the eigenvalues β i /β i = ˆb i /ˆb i 15 / 30
63 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 Compute the eigenvalues β i /β i = ˆb i /ˆb i We have that p i (β i [ b] 1 β i [ b ] 1 ) 15 / 30
64 The Zeroizing Attack on CLT13 Computing eigenvalues Consider the target encodings [ b] 1 = CRT pi (ˆb i )/z, [ b ] 1 = CRT pi (ˆb i)/z r i ˆb i /ˆb i (r i ) 1 15 / 30 Compute the eigenvalues β i /β i = ˆb i /ˆb i We have that p i (β i [ b] 1 β i [ b ] 1 ) Compute p i = gcd(β i [ b] 1 β i [ b ] 1, x 0 )
65 16 / 30 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15]
66 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15] Breaks early tentative fixes [BWZ14,GGHZ14] using zero-testing as a black-box 16 / 30
67 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15] Breaks early tentative fixes [BWZ14,GGHZ14] using zero-testing as a black-box Don t need [ 0] k 2 [ b] 1 [ c] 1 but [ a] k 2 [ b] 1 [ c] 1 [ 0] k 16 / 30
68 Generalizing the Zeroizing Attack on CLT13 Zeroizing without low-level zeroes [CGHLMMRST15] Breaks early tentative fixes [BWZ14,GGHZ14] using zero-testing as a black-box Don t need [ 0] k 2 [ b] 1 [ c] 1 but [ a] k 2 [ b] 1 [ c] 1 [ 0] k Can be diagonal per block. Instead of computing eigenvalues use characteristic polynomial. r i ˆbi (h i p i ) ĉ i 16 / 30
69 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] 17 / 30
70 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts 17 / 30
71 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts Even without the randomness q, their form should not be an issue 17 / 30
72 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts Even without the randomness q, their form should not be an issue In [CoronL.Tibouchi15], we revisit the zero-testing procedure itself 17 / 30
73 Thwarting Cheon et al. Attack? Can we remove this linearity? [CLT15] The encodings look like DGHV ciphertexts Even without the randomness q, their form should not be an issue In [CoronL.Tibouchi15], we revisit the zero-testing procedure itself In a nutshell: the zero-testing is done modulo a new prime modulus N; x 0 is no longer public. 17 / 30
74 18 / 30 Inherent randomness in current encodings
75 Inherent randomness in current encodings Current form of encodings [ m] k = CRT pi (m i + g i r i )/z k mod x 0 18 / 30
76 Inherent randomness in current encodings Current form of encodings [ m] k = CRT pi (m i + g i r i )/z k mod x 0 [ m] k = i (m i g 1 i + r i mod p i ) u i + a x 0 over Z with u i = (g i p i 1 z k mod p i )p i. 18 / 30
77 Inherent randomness in current encodings Current form of encodings [ m] k = CRT pi (m i + g i r i )/z k mod x 0 [ m] k = i (m i g 1 i + r i mod p i ) u i + a x 0 over Z with u i = (g i p i 1 z k mod p i )p i. 18 / 30 The element a is highly non-linear in the r i s The element a is different from the random q we had before when adapting DGHV ( m = 0 a is small)
78 New Zero-Test Parameter Pick a random, large prime N x 0. We want to generate a new zero-test value α zt such that [ m] k α zt mod N N m = 0 19 / 30
79 New Zero-Test Parameter Pick a random, large prime N x 0. We want to generate a new zero-test value α zt such that In particular, we have [ m] k α zt mod N = i [ m] k α zt mod N N m = 0 (m i g 1 i + r i mod p i ) (u i α zt ) + a x 0 α zt mod N 19 / 30
80 New Zero-Test Parameter Pick a random, large prime N x 0. We want to generate a new zero-test value α zt such that In particular, we have [ m] k α zt mod N = i [ m] k α zt mod N N m = 0 (m i g 1 i + r i mod p i ) (u i α zt ) + a x 0 α zt mod N 19 / 30 so we want α zt u i mod N N and α zt x 0 mod N N
81 How To Generate α zt? Given N, the generation of α zt Z N such that for all i, u i α zt mod N and x 0 α zt mod N are small is not obvious. 20 / 30
82 How To Generate α zt? Given N, the generation of α zt Z N such that for all i, u i α zt mod N and x 0 α zt mod N are small is not obvious. The problem amounts to finding a relatively short vector in a lattice 1 u 1 u n x 0 N... N N 20 / 30
83 How To Generate α zt? Given N, the generation of α zt Z N such that for all i, u i α zt mod N and x 0 α zt mod N are small is not obvious. The problem amounts to finding a relatively short vector in a lattice 1 u 1 u n x 0 N... N N Use LLL? (we can tolerate an exponential approx. factor over SVP), but typically n / 30
84 21 / 30 How To Generate α zt? Using the structure of the u i s
85 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i 21 / 30
86 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i First note that p 1 j u i mod N is small for all i j 21 / 30
87 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i First note that p 1 j u i mod N is small for all i j Only p 1 j u j mod N is not a priori small 21 / 30
88 How To Generate α zt? Using the structure of the u i s Remember that N x 0 and u i = (g i p i 1 z k mod p i )p i First note that p 1 j u i mod N is small for all i j Only p 1 j u j mod N is not a priori small Let us find α j such that α j p 1 j u j mod N is small As before it amounts to finding a short vector in ( ) N/B p 1 j u j N 21 / 30
89 How To Generate α zt? Using the structure of the u i s ( N/B p 1 j N u j ) 22 / 30
90 How To Generate α zt? Using the structure of the u i s ( N/B p 1 j N We chose B such that LLL finds a short vector u j (α j N/B, β j ) where α j p j and β j = α j p 1 j u j mod N N/ p j. ) 22 / 30
91 How To Generate α zt? Using the structure of the u i s ( N/B p 1 j N We chose B such that LLL finds a short vector u j (α j N/B, β j ) where α j p j and β j = α j p 1 j u j mod N N/ p j. New zero-testing element: ) α zt = j h j α j p 1 j mod N 22 / 30
92 How To Generate α zt? Using the structure of the u i s New zero-testing element (sizes to keep in mind N x 0 p j, α j p j ): α zt = j h j α j p 1 j mod N When applied on an encoding [ m] k : [ m] k α zt mod N = i (m i g 1 i + r i mod p i ) (u i α zt ) + a x 0 α zt mod N 23 / 30
93 How To Generate α zt? Using the structure of the u i s New zero-testing element (sizes to keep in mind N x 0 p j, α j p j ): α zt = j h j α j p 1 j mod N When applied on an encoding [ m] k : [ m] k α zt mod N = i (m i g 1 i + r i mod p i ) (h i β i + j i h j α j u i /p j ) + a x 0 α zt mod N 23 / 30
94 24 / 30 An Important Caveat Cannot work directly modulo x 0
95 An Important Caveat Cannot work directly modulo x 0 x 0 cannot be made public, contrary to [CLT13] 24 / 30
96 An Important Caveat Cannot work directly modulo x 0 x 0 cannot be made public, contrary to [CLT13] However, define v 0 = x 0 α zt mod N, and ([ 0] k α zt mod N) mod v 0 = ( i r i (h i β i + j i h j α j u i /p j ) + a v 0 Z) mod v 0 = i r i (h i β i + j i h j α j u i /p j ) mod v 0 24 / 30
97 An Important Caveat Cannot work directly modulo x 0 x 0 cannot be made public, contrary to [CLT13] However, define v 0 = x 0 α zt mod N, and ([ 0] k α zt mod N) mod v 0 = ( i r i (h i β i + j i h j α j u i /p j ) + a v 0 Z) mod v 0 = i r i (h i β i + j i h j α j u i /p j ) mod v 0 We can apply Cheon et al. attack modulo v 0 24 / 30
98 25 / 30 An Important Caveat A Ladder of encodings
99 An Important Caveat A Ladder of encodings Making x 0 secret is somewhat inconvenient: when we add or multiply encodings, we cannot reduce them modulo x 0 anymore to keep them of the same size 25 / 30
100 An Important Caveat A Ladder of encodings Making x 0 secret is somewhat inconvenient: when we add or multiply encodings, we cannot reduce them modulo x 0 anymore to keep them of the same size Solution (taken from [DGHV10]): publish a ladder of encodings of 0 of increasing size 25 / 30 encodings X (j) i = (CRT pi (r i g i )/z j mod x 0 ) + q i x 0 with q i [0, 2 i ) for i = 1,..., log(x 0 ) do the operation over Z, and remove X (j) i for decreasing i s
101 26 / 30 Concrete Attempt
102 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 26 / 30
103 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 Apply the ladder to reduce its size to the size of x 0 : u = u + s i X (k) i 26 / 30
104 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 Apply the ladder to reduce its size to the size of x 0 : u = u + s i X (k) i Write u over Z: u = i (r i ˆb i ĉ i + s i r X,i,k ) u i a x 0 26 / 30
105 Concrete Attempt Consider u = [ 0] k 2 [ b] 1 [ c] 1 Apply the ladder to reduce its size to the size of x 0 : u = u + s i X (k) i Write u over Z: u = i (r i ˆb i ĉ i + s i r X,i,k ) u i a x 0 All s i s and a come up in the way of Cheon et al. attack 26 / 30
106 27 / 30 Proof-of-concept Implementation Instantiation λ κ n η ρ γ = n η pp size Small MB Medium MB Large GB Extra GB Setup Publish KeyGen 5.9 s 0.10 s 0.17 s 36 s 0.33 s 1.06 s 583 s 2.05 s 6.17 s 4528 s 7.8 s 23.9 s
107 28 / 30 Conclusion
108 Conclusion The CLT scheme has many interesting features: composite order maps, assumed hardness of GDDH but also of DLIN & SubM 28 / 30
109 Conclusion The CLT scheme has many interesting features: composite order maps, assumed hardness of GDDH but also of DLIN & SubM Concrete targets to attack in practice if desired Same efficiency as original CLT13 28 / 30
110 Conclusion The CLT scheme has many interesting features: composite order maps, assumed hardness of GDDH but also of DLIN & SubM Concrete targets to attack in practice if desired Same efficiency as original CLT13 Open problems for CLT15: Analyze the reparation Improve the efficiency Adapt the technique to [GGH13]? 28 / 30
111 29 / 30 Thank You Questions & Discussion
112 Discussion 1. Design public encoding space / inversion 2. Attacks 3. Assumptions what sort of assumptions can be made? base multilinear maps on well-known problems 4. Applications something that look different from obfuscation what can you do with a small number of levels? relation between 2-multilinear maps / pairings in applications 30 / 30
On Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationZeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1
Zeroizing Without Low-Level Zeroes: New MMAP Attacks and Their Limitations 1 Jean-Sébastien Coron 2 Craig Gentry 3 Shai Halevi 3 Tancrède Lepoint 4 Hemanta K. Maji 5,6 Eric Miles 6 Mariana Raykova 7 Amit
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationImmunizing Multilinear Maps Against Zeroizing Attacks
Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationRevisiting Lattice Attacks on overstretched NTRU parameters
Revisiting Lattice Attacks on overstretched NTRU parameters P. Kirchner & P-A. Fouque Université de Rennes 1, France EUROCRYPT 2017 05/01/17 1 Plan 1. Background on NTRU and Previous Attacks 2. A New Subring
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationScale-Invariant Fully Homomorphic Encryption over the Integers
Scale-Invariant Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, Tancrède Lepoint 1,,3, and Mehdi Tibouchi 4 1 University of Luxembourg, Luxembourg jean-sebastien.coron@uni.lu École
More informationFHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime
FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime Daniel Benarroch,1, Zvika Brakerski,1, and Tancrède Lepoint,2 1 Weizmann Institute of Science, Israel 2 SRI International, USA Abstract.
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationObfuscation and Weak Multilinear Maps
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationCryptanalyses of Candidate Branching Program Obfuscators
Cryptanalyses of Candidate Branching Program Obfuscators ilei Chen Craig Gentry Shai Halevi February 16, 2017 Abstract We describe new cryptanalytic attacks on the candidate branching program obfuscator
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPartial Key Exposure: Generalized Framework to Attack RSA
Partial Key Exposure: Generalized Framework to Attack RSA Cryptology Research Group Indian Statistical Institute, Kolkata 12 December 2011 Outline of the Talk 1 RSA - A brief overview 2 Partial Key Exposure
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationAnnihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13
Annihilation Attacks for Multilinear Maps: Cryptanalysis of Indistinguishability Obfuscation over GGH13 Eric Miles Amit Sahai Mark Zhandry Abstract In this work, we present a new class of polynomial-time
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationCryptanalysis of branching program obfuscators
Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationMath 299 Supplement: Modular Arithmetic Nov 8, 2013
Math 299 Supplement: Modular Arithmetic Nov 8, 2013 Numbers modulo n. We have previously seen examples of clock arithmetic, an algebraic system with only finitely many numbers. In this lecture, we make
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationBatch Fully Homomorphic Encryption over the Integers
Batch Fully Homomorphic Encryption over the Integers Jung Hee Cheon 1, Jean-Sébastien Coron 2, Jinsu Kim 1, Moon Sung Lee 1, Tancrède Lepoint 3,4, Mehdi Tibouchi 5, and Aaram Yun 6 1 Seoul National University
More informationFULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg {jean-sebastien.coron, avradip.mandal}@uni.lu
More informationIntroduction to Cryptology. Lecture 19
Introduction to Cryptology Lecture 19 Announcements HW6 due today HW7 due Thursday 4/20 Remember to sign up for Extra Credit Agenda Last time More details on AES/DES (K/L 6.2) Practical Constructions of
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationA Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationProperty Preserving Symmetric Encryption
Property Preserving Symmetric Encryption Omkant Pandey Microsoft, Redmond Yannis Rouselakis University of Texas at Austin Traditional Cryptography Alice Bob Eve New Goal: Computations on Encrypted Data
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationVadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationIn fact, 3 2. It is not known whether 3 1. All three problems seem hard, although Shor showed that one can solve 3 quickly on a quantum computer.
Attacks on RSA, some using LLL Recall RSA: N = pq hard to factor. Choose e with gcd(e,φ(n)) = 1, where φ(n) = (p 1)(q 1). Via extended Euclid, find d with ed 1 (mod φ(n)). Discard p and q. Public key is
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationAn Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University (SNU), Republic of Korea Abstract.
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationRSA. Ramki Thurimella
RSA Ramki Thurimella Public-Key Cryptography Symmetric cryptography: same key is used for encryption and decryption. Asymmetric cryptography: different keys used for encryption and decryption. Public-Key
More information(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces
(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida Kaoru Kurosawa National Institute of Advanced Industrial Science and Technology (AIST), Japan, k.nuida@aist.go.jp
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationAn Algorithm for NTRU Problems
An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems 2016. 8. 29. 1 / 27 Introduction The NTRU
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationOne can use elliptic curves to factor integers, although probably not RSA moduli.
Elliptic Curves Elliptic curves are groups created by defining a binary operation (addition) on the points of the graph of certain polynomial equations in two variables. These groups have several properties
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationCIS 551 / TCOM 401 Computer and Network Security
CIS 551 / TCOM 401 Computer and Network Security Spring 2008 Lecture 15 3/20/08 CIS/TCOM 551 1 Announcements Project 3 available on the web. Get the handout in class today. Project 3 is due April 4th It
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationCryptanalysis of the Co-ACD Assumption
Cryptanalysis of the Co-ACD Assumption Pierre-Alain Fouque 1, Moon Sung Lee 2, Tancrède Lepoint 3, and Mehdi Tibouchi 4 1 Université de Rennes 1 and Institut Universitaire de France fouque@irisa.fr 2 Seoul
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationPublic Key Cryptography
Public Key Cryptography Spotlight on Science J. Robert Buchanan Department of Mathematics 2011 What is Cryptography? cryptography: study of methods for sending messages in a form that only be understood
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationGraph-Induced Multilinear Maps from Lattices
Graph-Induced Multilinear Maps from Lattices Craig Gentry IBM Sergey Gorbunov MIT November 11, 2014 Shai Halevi IBM Abstract Graded multilinear encodings have found extensive applications in cryptography
More information4. Congruence Classes
4 Congruence Classes Definition (p21) The congruence class mod m of a Z is Example With m = 3 we have Theorem For a b Z Proof p22 = {b Z : b a mod m} [0] 3 = { 6 3 0 3 6 } [1] 3 = { 2 1 4 7 } [2] 3 = {
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationHuijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro
Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro Circuit
More informationBootstrapping for HElib
Bootstrapping for HElib Shai Halevi 1 and Victor Shoup 1,2 1 IBM Research 2 New York University Abstract. Gentry s bootstrapping technique is still the only known method of obtaining fully homomorphic
More informationCarmen s Core Concepts (Math 135)
Carmen s Core Concepts (Math 135) Carmen Bruni University of Waterloo Week 8 1 The following are equivalent (TFAE) 2 Inverses 3 More on Multiplicative Inverses 4 Linear Congruence Theorem 2 [LCT2] 5 Fermat
More information1 What are Physical Attacks. 2 Physical Attacks on RSA. Today:
Today: Introduction to the class. Examples of concrete physical attacks on RSA A computational approach to cryptography Pseudorandomness 1 What are Physical Attacks Tampering/Leakage attacks Issue of how
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More information