General Impossibility of Group Homomorphic Encryption in the Quantum World
Frederik Armknecht, Tommaso Gagliardoni, Stefan Katzenbeisser, Andreas Peter
PKC 2014, March 28th, Buenos Aires, Argentina

An example

Consider the basic, unpadded RSA:
- let $N = pq$ for large primes $p$ and $q$, and consider the group $(\mathbb{Z}_N^*, \cdot)$
- public exponent $e$ s.t. $\gcd(e, \varphi(N)) = 1$
- secret exponent $d = e^{-1} \bmod \varphi(N)$
- $\mathrm{Enc}(m) = m^e \bmod N$ for plaintext $m$
- $\mathrm{Dec}(c) = c^d \bmod N$ for ciphertext $c$.

Now consider two plaintexts $m_1, m_2$, and consider the product of their encryptions, $c_1 = \mathrm{Enc}(m_1)$, $c_2 = \mathrm{Enc}(m_2)$:

$$\mathrm{Dec}(c_1 c_2) = \mathrm{Dec}(m_1^e m_2^e) = \mathrm{Dec}((m_1 m_2)^e) = (m_1 m_2)^{ed} \bmod N = m_1 m_2.$$

In this case, decryption is a group homomorphism.

Group Homomorphic Encryption (GHE)

A public-key encryption scheme $E = (\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec})$ is called group homomorphic if, for any $(pk, sk) \leftarrow \mathrm{KeyGen}(\lambda)$:
- the plaintext space $P$ is a group with respect to its own operation
- the set of encryptions $C := \{ \mathrm{Enc}_{pk}(m; r) \mid m \in P, r \in \mathrm{Rnd} \}$ is a group with respect to its own operation
- the decryption is a group homomorphism: $\mathrm{Dec}_{sk}(c_1 c_2) = \mathrm{Dec}_{sk}(c_1)\, \mathrm{Dec}_{sk}(c_2)$ for every $c_1, c_2 \in C$.

(From now on we will only consider Abelian groups.)

Fully Homomorphic Encryption (FHE)

In Fully Homomorphic Encryption we have the following properties:
- plaintext and ciphertext spaces are rings, not just groups (so there are two operations)
- the set of encryptions $C$ is usually just a set, not necessarily a group
- the decryption is guaranteed to run correctly only after fewer than $p(\lambda)$ evaluations, for some polynomial $p$.

(Even if $p$ can be adjusted dynamically through bootstrapping, in GHE the decryption is guaranteed even after unboundedly many evaluations.)

The differences

GHE is not "FHE with just one operation": it is something different.

Examples of GHE schemes

- RSA (broken)
- ElGamal (broken)
- Goldwasser-Micali (broken)
- Paillier (broken)
- ...

Shor's algorithm: factorization of integers in quantum PPT.

Watrous' and other variants: discrete logarithm and many related computational problems in quantum PPT.

Question: Is GHE possible at all in the quantum world?

Our result

Theorem: Let $E$ be any IND-CPA secure GHE scheme. Then there exists a PPT quantum algorithm which breaks the security of $E$ with non-negligible probability.

IND-CPA Security (figure)

Subgroup Membership Problem (SMP)

Consider a group $G$ and a non-trivial subgroup $H < G$. Given an element $x \in G$ drawn from some distribution:

Problem: decide whether $x \in H$ or $x \in G \setminus H$.

Remark: In a GHE scheme, the set of encryptions of the neutral element $1_G$, $\{ \mathrm{Enc}_{pk}(1_G; r) \mid r \in \mathrm{Rnd} \}$, is a subgroup of the ciphertext group.

Theorem: For GHE schemes, IND-CPA security implies hardness of SMP with respect to the subgroup of encryptions of $1_G$.

Notice: vice versa does not hold.

An attack based on Order Finding

Order Finding Problem (OFP): given a non-trivial subgroup $H < G$, find the order (cardinality) of $H$.

There is a simple way of reducing SMP to OFP. Given $G$, $H$, $x \in G$:
1. compute the order of $H$
2. compute the order of $\langle H, x \rangle$ (the subgroup generated by $H$ and $x$)
3. $x \in H$ iff the two orders are the same.

Watrous' order-finding quantum algorithm: given generators $g_1, \ldots, g_k$ of a subgroup $H < G$, there exists a PPT quantum algorithm which outputs $o(H)$.

Done!

End of this talk

Thanks for your attention!

Not so fast...

What do we mean by a description of a group $H$?
- a black-box sampling algorithm to sample elements in $H$
- an explicit description of the neutral element
- black-box access to the group operation
- black-box access to the inversion of group elements

Notice: in GHE, we do not necessarily have a set of generators.

The problem

Recall: we want to solve the SMP in $G$ with respect to the subgroup of the encryptions of $1_G$; this would break IND-CPA security.

Idea: use the sampling algorithm by requesting encryptions of the neutral element, and hope to find a set of generators after not too many samples.

The uniform case

If the Enc algorithm samples from $H$ according to the uniform distribution, where $\mathrm{ord}(H) \le 2^k$, then:

Theorem [Pak, Bratus, '99]: Sampling $k + 4$ elements yields a generating set for $H$ with probability $\ge 3/4$.

But in general we can have arbitrary distributions!

Arbitrary distribution

Much more difficult.

Idea: we restrict to a large enough subgroup.

Details are tricky.

Theorem: If $H < G$ is a sampleable subgroup according to an arbitrary distribution $D$, with $\mathrm{ord}(H) \le 2^k$, then sampling $7k\,(2 + \log(k)) + 1$ elements yields a generating set for $H$ with probability $\ge 3/4$, regardless of $D$.

The attack

1. generate a large enough number of encryptions of the neutral element $1_G$, obtaining $c_1, \ldots, c_n$
2. run Watrous' algorithm on $\{c_1, \ldots, c_n\}$, obtaining order $o_1$
3. play the IND-CPA game by choosing $m_0 = 1_G$ and $m_1 \ne 1_G$; receive challenge ciphertext $c$
4. run Watrous' algorithm on $\{c_1, \ldots, c_n, c\}$, obtaining order $o_2$
5. if $o_1 = o_2$ then output 0, else output 1

Theorem: No GHE scheme can be IND-CPA secure against quantum adversaries.
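
The five attack steps, together with the SMP-to-order-finding reduction from the earlier slide, run classically on a toy ElGamal instance. This is an added example, not code from the talk or the paper: the exhaustive `subgroup_order` stands in for Watrous' quantum order-finding algorithm, and the parameters `P`, `Q`, `G` and all function names are constructed assumptions.

```python
"""Toy, classical walk-through of the order-finding attack on a GHE scheme."""
import random

# Constructed toy parameters (assumption): safe prime P = 2*Q + 1, and G
# generates the order-Q subgroup of Z_P^*. At real key sizes the brute-force
# order finding below is infeasible; that step is where the slides invoke
# Watrous' quantum algorithm.
P, Q, G = 107, 53, 4
ONE = (1, 1)  # neutral element of the ciphertext group


def keygen(rng):
    sk = rng.randrange(1, Q)
    return pow(G, sk, P), sk


def enc(pk, m, rng):
    """ElGamal: Enc(m; r) = (g^r, m * pk^r), with m in the subgroup <G>."""
    r = rng.randrange(Q)
    return (pow(G, r, P), m * pow(pk, r, P) % P)


def dec(sk, c):
    # c[0] has order dividing Q, so c[0]^(Q - sk) equals c[0]^(-sk).
    return c[1] * pow(c[0], Q - sk, P) % P


def mul(a, b):
    """Group operation on ciphertexts: componentwise product mod P."""
    return (a[0] * b[0] % P, a[1] * b[1] % P)


def subgroup_order(generators):
    """Classical stand-in for order finding: enumerate the subgroup generated
    by `generators` using only the group operation and return its size."""
    seen, frontier = {ONE}, [ONE]
    while frontier:
        x = frontier.pop()
        for gen in generators:
            y = mul(x, gen)
            if y not in seen:
                seen.add(y)
                frontier.append(y)
    return len(seen)


def attack(pk, challenge, rng, k=6):
    """Adversary. ord(H) = Q <= 2^k and ElGamal samples H uniformly, so
    k + 4 encryptions of 1_G are requested (uniform-case bound)."""
    samples = [enc(pk, 1, rng) for _ in range(k + 4)]  # step 1
    o1 = subgroup_order(samples)                       # step 2
    o2 = subgroup_order(samples + [challenge])         # step 4
    return 0 if o1 == o2 else 1                        # step 5


def ind_cpa_game(rng):
    """Challenger with m0 = 1_G and m1 != 1_G (step 3).
    Returns True when the adversary guesses the hidden bit."""
    pk, _ = keygen(rng)
    m0, m1 = 1, pow(G, 5, P)
    b = rng.randrange(2)
    challenge = enc(pk, (m0, m1)[b], rng)
    return attack(pk, challenge, rng) == b


def homomorphism_holds(rng):
    """Dec(c1 * c2) == Dec(c1) * Dec(c2) for two sample plaintexts."""
    pk, sk = keygen(rng)
    m1, m2 = pow(G, 3, P), pow(G, 7, P)
    c = mul(enc(pk, m1, rng), enc(pk, m2, rng))
    return dec(sk, c) == m1 * m2 % P


if __name__ == "__main__":
    rng = random.Random(2014)
    print("decryption is a homomorphism:", homomorphism_holds(rng))
    wins = sum(ind_cpa_game(rng) for _ in range(50))
    print("adversary wins", wins, "of 50 IND-CPA games")
```

Adding an encryption of $1_G$ to the samples leaves the order at `Q`, while an encryption of any other plaintext raises it to `Q * Q`, which is the gap step 5 tests for.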

In the FHE case...

Our attack strictly relies on the group structure.

Sufficient condition: there exist two plaintexts, $m_0 \ne m_1$, and a subgroup $H$ such that:
- we have a PPT algorithm which outputs a small set of generators for $H$
- the probability that $\mathrm{Enc}(m_0)$ lies in $H$ is high
- the probability that $\mathrm{Enc}(m_1)$ lies in $G \setminus H$ is high

End of this talk (for good...)

Thanks for your attention!
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationStrong Security Models for Public-Key Encryption Schemes
Strong Security Models for Public-Key Encryption Schemes Pooya Farshim (Joint Work with Manuel Barbosa) Information Security Group, Royal Holloway, University of London, Egham TW20 0EX, United Kingdom.
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationDigital Signature Schemes and the Random Oracle Model. A. Hülsing
Digital Signature Schemes and the Random Oracle Model A. Hülsing Today s goal Review provable security of in use signature schemes. (PKCS #1 v2.x) PAGE 1 Digital Signature Source: http://hari-cio-8a.blog.ugm.ac.id/files/2013/03/dsa.jpg
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 60 Outline 1 RSA Encryption Scheme 2 Discrete Logarithm and Diffie-Hellman Algorithm 3 ElGamal Encryption Scheme 4
More information8 Security against Chosen Plaintext
8 Security against Chosen Plaintext Attacks We ve already seen a definition that captures security of encryption when an adversary is allowed to see just one ciphertext encrypted under the key. Clearly
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationApplied cryptography
Applied cryptography Identity-based Cryptography Andreas Hülsing 19 November 2015 1 / 37 The public key problem How to obtain the correct public key of a user? How to check its authenticity? General answer:
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationLecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004
CMSC 858K Advanced Topics in Cryptography March 18, 2004 Lecturer: Jonathan Katz Lecture 16 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Digital Signature Schemes In this lecture, we introduce
More information1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2
Contents 1 Recommended Reading 1 2 Public Key/Private Key Cryptography 1 2.1 Overview............................................. 1 2.2 RSA Algorithm.......................................... 2 3 A Number
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationThe Theory and Applications of Homomorphic Cryptography
The Theory and Applications of Homomorphic Cryptography by Kevin Henry A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More information