Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
|
|
- Leona Floyd
- 5 years ago
- Views:
Transcription
1 Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015
2 Outsourcing Computation x x f f(x) , web-search, navigation, social networking What if x is private? Search query, location, business information, medical information
3 The Situation Today We promise we wont look at your data. Honest! We want real protection.
4 Outsourcing Computation Privately Learns nothing on x. x Enc(x) f y Dec y = f(x) WANTED Homomorphic Evaluation function: Eval: f, Enc x Enc(f x )
5 Fully Homomorphic Encryption (FHE) sk, pk evk x Enc(x) (x) f Correctness: Dec y y = = f(x) f(x) Input privacy: Enc(x) Enc(0) y = Eval y (f, Enc x ) Fully Homomorphic = Correctness for any efficient f = Correctness for universal set NAND. (+, ) over Z (= binary XOR, AND )
6 PKE FHE : Trivial FHE? - Keygen and Enc: Same as PKE. - Eval f, c (f, c) - Dec (f, c) f(dec (c)) Enc (x) NOT what we were looking for All work is relayed to receiver. = f Dec Enc x = f(x) Compact FHE: Dec time does not depend on ciphertext. ciphertext length is globally bounded. In this talk (and in literature) FHE Compact-FHE
7 Trivial FHE? PKE FHE : - Keygen and Enc: Same as PKE. - Eval f, c (f, c) This scheme also completely reveals f to the receiver. Can be a problem. - Dec (f, c) f(dec (c)) Circuit Privacy: Receiver learns nothing about f (except output). Compactness Circuit Privacy (by complicated reduction) [GHV10] Circuit private FHE is not trivial to achieve even non-compact. In this talk: Only care about compactness, no more circuit privacy.
8 Applications In the cloud: Private outsourcing of computation. Near-optimal private outsourcing of storage (single-server PIR). [G09,BV11b] Verifiable outsourcing (delegation). [GGP11,CKV11,KRR13,KRR14] Private machine learning in the cloud. [GLN12,HW13] Secure multiparty computation: Low-communication multiparty computation. [AJLTVW12,LTV12] More efficient MPC. [BDOZ11,DPSZ12,DKLPSS12] Primitives: Succinct argument systems. [GLR11,DFH11,BCCT11,BC12,BCCT12,BCGT13, ] General functional encryption. [GKPVZ12] Indistinguishability obfuscation for all circuits. [GGHRSW13, ]
9 Verifiable Outsourcing (Delegation) x x f f(x), π What if the server is cheating? Can send wrong value of f(x). Need proof!
10 FHE Verifiable Outsourcing FHE Verifiability and Privacy. 1. Verifiability with preprocessing under standard assumptions: [GGP10, CKV10,KRR13,KRR14]. 2. Less standard assumptions but without preprocessing via SNARGs/SNARKs [DCL08,BCCT11, ] (uses FHE or PIR). Pre-FHE solutions: multiple rounds [K92] or random oracles [M94].
11 FHE Verifiable Outsourcing But preprocessing is [CKV10] as x sk, pk Preprocessing: c = Enc(0) z = Eval(f, c ) c = Enc x, c hard as computation! evk f Verification: y, y Check y = z? Yes output Dec(y ) No output Server executes y = Eval(f, c) Idea: Cut and choose c, c look the same cheating server will be caught w.p. ½ (easily amplifiable)
12 FHE Verifiable Outsourcing [CKV10] x sk, pk Preprocessing: c = Enc(0) z = Eval(f, c ) (evk, Enc c ), (evk, Enc c ) evk f Verification: y, y Check Dec (y ) = z? Yes output Dec (Dec y ) No output Server executes y = Eval (Eval f,, c ) y = Eval (Eval f,, c ) Idea: Outer layer keeps server oblivious of z. Can recycle z for future computations. Server is not allowed to know if we accept/reject!
13 FHE Timeline Basic scheme: Ideal cosets in polynomial rings. Bounded-depth homomorphism. - Assumption: hardness 30 years of (quantum) of hardly apx. scratching short vector in ideal lattice. the surface: Bootstrapping: bounded-depth HE full HE. Only-addition [RSA78, R79, GM82, But bootstrapping doesn t G84, P99, apply R05]. to basic scheme... Addition + 1 multiplication [BGN05, GHV10]. Other variants [SYY99, IP07, MGH10]. - Need additional assumption: hardness of sparse subset-sum. is it even possible?
14 The FHE Challenge Make it simpler. Simplified basic scheme [vdghv10,bv11a] - Under similar assumptions. Make it more secure.? Make it practical. Optimizations [SV10,SS10,GH10]
15 FHE without Ideals [BV11b] Linear algebra instead of polynomial rings Assumption: Apx. short vector in arbitrary lattices (via LWE). Shortest-vector Problem (SVP): Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10]
16 FHE without Ideals [BV11b] Linear algebra instead of polynomial rings Assumption: Apx. short vector in arbitrary lattices (via LWE). Basic scheme: noisy linear equations over Z. Ciphertext is a linear function c(x) s.t. c sk m. Add/multiply functions for homomorphism. Multiplication raises degree use relinearization. Bootstrapping: Use dimension-modulus reduction to shrink ciphertexts. Simpler: straightforward presentation. More secure: based on a standard assumption. Efficiency improvements. Concurrently [GH11]: Ideal lattice based scheme without squashing.
17 Follow-ups: FHE without Ideals [BGV12]: Improved parameters. Even better security. Improved efficiency in ring setting using batching. Batching without ideals in [BGH13]. [B12]: Improved security. Security based on classical lattice assumptions. Explained in blog post [BB12]. Various optimizations, applications and implementations: [LNV11, GHS12a, GHS12b, GHS12c, GHPS12, AJLTVW12, LTV12, DSPZ12, FV12, GLN12, BGHWW12,HW13 ]
18 The Approximate Eigenvector Method [GSW13] Ciphertexts = Matrix Same assumption and keys as before ciphertexts are different Basic scheme: Approximate eigenvector over Z. Ciphertext is a matrix C s.t. C sk m sk. Add/multiply matrices for homomorphism*. Bootstrapping: Same as previous schemes. Simpler: straightforward presentation. New and exciting applications for free! IB-FHE, AB-FHE. Same security as [BGV12, B12]. Unclear about efficiency: some advantages, some drawbacks.
19 Sequentialization [BV14] What is the best way to evaluate a product of k numbers? Parallel Sequential X X X X vs. c 1 c 2 X X c 1 c 2 c 3 c 4 Conventional wisdom c 3 c 4 Actually better (if done right)
20 Sequentialization [BV14] Barrington s Theorem [B86]: Every depth d computation can be transformed into a width-5 depth 4 branching program. A sequential model of computation Better security breaks barrier of [BGV12, B12,GSW13]. Using dimension-modulus reduction (from [BV11b]) same hardness assumption as non homomorphic encryption. Short ciphertexts.
21 FHE Over the Integers [DGHV09,CMNT11,CNT12,CCKLLTY13,CLT14] Parallel line of work: Similar construction using different assumptions. Approximate GCD Problem: Ciphertexts = Number similar to 1D lattice Basic operations more straightforward Analogues for batching, scale invariance. Noise control more complicated. Assumption less standard. details will not be discussed in this course
22 Implementations HElib (IBM/NYU) Ring-LWE (ideal-lattice) scheme of [BGV12], optimizations of [GHS12a] Most recent results [HS14a,HS14b] hcrypt project FHE over the integers [DGHV09] Stanford FHE LWE scheme of [B12] with optimizations Unpublished code Ring-LWE implementation of [GHS12b]. Over the integers implementation of [CCKLLTY13].
23 Efficiency Standard benchmark: AES128 circuit Implementations of [BGV12] by [GHS12c] 5 sec/input Limiting factors: Circuit representation. Bootstrapping. Key size. 2-years ago it was 5 min/input, and in 2010 it was 5 min/gate [GH10] To be practical, we need to improve the theory.
24 Hybrid FHE sk, pk evk x Enc (x) y = Eval (f, Enc x ) f Dec y = f(x) In known FHE encryption is slow and ciphertexts are long. In symmetric encryption (e.g. AES) these are better. Best of both worlds?
25 Generate FHE keys and symmetric Give encryption key. of Hybrid sym to FHE server. sym Enc (sym) sk, pk evk Encrypt x using sym. x c=enc (x) f y = y Eval = Eval (f, (f, Enc y ) x ) Dec y = f(x) Easy to encrypt, ciphertext is short But how to do Eval? Define: h z = SYM_Dec (c) Server Computes: y = Eval (h, Enc (sym)) y = Enc h sym = Enc SYM_Dec c = Enc (x)
26 Approximate Eigenvector Method [GSW13] Observation: Let C, C be matrices with the same eigenvector s, and let m, m be their respective eigenvalues w.r.t s. Then: 1. C + C has eigenvalue (m +m ) w.r.t s. 2. C C (and also C C ) has eigenvalue m m w.r.t s. Idea: s = secret key, C = ciphertext, and m = message. Homomorphism for addition and multiplication. Full homomorphism! Insecure! Eigenvectors are easy to find. What about approximate eigenvectors? Say over Z
27 Approximate Eigenvector Method [GSW13] C s = m s + e m s How to decrypt? Must have restriction on e Suppose s[1] = q/2, and m {0,1} (C s)[1] = m + e[1] Find m by rounding Condition for correct decryption: e < q/4.
28 Approximate Eigenvector Method [GSW13] C s = m s + e e q C s = m s + e e q Goal: C, C C = Enc(m + m ), C = Enc(m m ). C = C + C : (C +C ) s = C s + C s = m s + e + m s + e = (m +m ) s + ( e + e ) Noise grows a little e
29 Approximate Eigenvector Method [GSW13] C s = m s + e C s = m s + e e q e q Goal: C, C C = Enc(m + m ), C = Enc(m m ). C = C C : Can also use C C (C C ) s = C m s + e = m C s + C e = m m s + e + C e Noise grows. But by how much? = m m s + m e + C e e
30 Plan for Technical Part 1. Constructing approximate eigenvector scheme. 2. Sequentialization. 3. Bootstrapping. 4. Open problems and limits on FHE.
31 Learning with Errors (LWE) [R05] Random noisy linear equations uniform secret vector Z Z A s + η = b A b U LWE assumption uniform matrix Z small noise Z η αq stat. far from uniform! As hard as n/α -apx. short vector in worst case n-dim. lattices [R05, P09]
32 Learning with Errors (LWE) [R05] (Rearranging Notation) secret vector Z Z new secret vector s Z A s + η = b -A b s 1 = η uniform matrix Z small noise Z η αq new matrix A Z ( )
33 Learning with Errors (LWE) [R05] (Rearranging Notation) A s = η Indistinguishable from uniform matrix Z ( )
34 Encryption Scheme from LWE [R05,ACPS09] public key A s = η r 0,1 uniform A Looks jointly uniform c secret key s = r η + g s small noise Generalize to matrices! + g c = approximation of g s (without knowing s) [ACPS09]
35 Encryption Scheme from LWE [R05,ACPS09] public key A s = η R 0,1 uniform A secret key + G C s = Rη + Gs = e small noise Z ( ) C =
36 Approx. Eigenvector Encryption Goal: Encrypt message m {0,1} Idea: Enc m As we saw: = C C s = e + mi s = m s + e C C s = C e + m s = C e + m C s = C e + m e + m m s HUGE noise small noise desired output Need to reduce the norm of C Solution: binary decomposition
37 C = Binary Decomposition Break each entry in C to its binary representation (mod 8) bits C = Small entries like we wanted! But product with s now meaningless (mod 8) Consider the reverse operation: C s = bits(c) G s = bits(c) s 1 0 bits C = C 0 4 s = G s 0 2 powers of 2 vector 0 1 Contains q/2 as an element G
38 Approx. Eigenvector Encryption Enc m = C Z ( ) ( ) C = G bits C C C s = e + m G s. C = bits C C = bits(c )) C C s s = bits(c ) e + m G s = bits (C ) e + m bits(c ) G s = bits (C ) e + m C s = bits (C ) e + m e + m m G s small-ish small desired output e N e + m e N + 1 max{ e, e } N
39 Homomorphic Circuit Evaluation Noise grows during homomorphic evaluation Depth d e e N + 1 Mαq N αq Decryption succeeds if α 1/N. e (N + 1) e e e Mαq
40 Full Homomorphism α N d log 1/α Undesirable: 1. If depth upper-bound is known ahead of time. Huge parameters. Set N d ; α = 2 log 1/α = d Low security. Inflexible. Leveled FHE: Parameters (evk) grow with d. 2. Single scheme for any poly depth. Bootstrap!
41 The Bootstrapping Theorem (Proof to come) Homomorphic fully homomorphic when d < d d = depth of the decryption circuit. d = maximal homomorphic depth. Additional condition, to be discussed. In our scheme: d = log N FHE if α < N Quasi-polynomial approximation for short vector problems (same factor as [BGV12,B12]) Non-homomorphic schemes only need N approximation
42 A Taste of Sequentialization [BV13] e = bits (C ) e + m e Important observations: Asymmetric! 1. e gets multiplied by 0/1 ; e can get multiplied by N. 2. m = 0 e has no effect! Conclusion: The order of multiplication matters. Want to multiply C, C s.t. e e. Which is better: bits C C or bits C C?
43 e A Taste of Sequentialization [BV14] e = bits (C ) e + m e Task: Multiply 4 ciphertexts C,, C Multiplication Tree Sequential Multiplier e = E N + 1 X X e = E (N + 1) X X = E c 1 c 2 c 3 c 4 c 1 E c 2 e X Winner! E (3N + 1) E E (2N + 1) E (N + 1) X = E c 3 c 4
44 A Taste of Sequentialization [BV14] e = bits (C ) e + m e Multiplexer (MUX): m m + 1 m m E + 2E Additive noise increase! E N + m E X + E N + (1 m )E X c 1 c 2 1-c 1 c 3 E E E E
45 Bootstrapping Homomorphic fully homomorphic when d < d d = depth of the decryption circuit. d = maximal homomorphic depth.
46 Bootstrapping Given scheme with bounded d How to extend its homomorphic capability? Idea: Do a few operations, then switch to a new instance (pk, sk ) Switch keys cost in homomorphism (pk, sk ) (pk, sk )
47 How to Switch Keys We have seen this before! Hybrid FHE
48 sym sk, pk Hybrid FHE Enc (sym) evk x c=enc (x) y = Eval (f, y ) f Dec y = f(x) Define: h z = SYM_Dec (c) Server Computes: y = Eval (h, Enc (sym)) y = Enc h sym = Enc SYM_Dec c = Enc (x)
49 How to Switch Keys Decryption circuit: m Dual view: m Dec ( ) c Dec (c) h sk h sk = Dec c = m Key switching procedure sk, pk sk, pk : Input: c = Enc (m) Server aux info: aux = Enc (sk ) (ahead of time) Output: Eval (h, aux) Eval depth = d Eval h, aux = Eval h, Enc sk = Enc h sk = Enc Dec c = Enc (m)
50 Bootstrapping Given scheme with bounded d. How to extend its homomorphic capability? Idea: Do a few operations, then switch to a new instance (pk, sk ) Need to generate many keys Switch keys cost of d hom. operations (pk, sk ) (pk, sk ) Conclusion: Bootstrapping if d d + 1
51 Bootstrapping Given scheme with bounded d. How to extend its homomorphic capability? Idea: Do a few operations, then switch to a new instance Server aux info: aux = Enc (sk ) (pk, sk ) Switch from the key to itself! Key switching works (pk, sk ) (pk, sk )
52 Circular Security Is it secure to publish aux = Enc (sk) Intuitively: Yes, encryption hides the message. Formally: Security does not extend. What can we do about it? Option 1: Assume it s secure no attack is known. Option 2: Use a sequence of keys. No. of keys proportional to computation depth (leveled FHE). Short keys without circular assumption? [BV11a]: Circular secure somewhat homomorphic scheme.
53 What We Saw Today Definition of FHE. Applications. Historical perspective and background. Constructing HE using the approximate eigenvector method. Sequentialization. Bootstrapping. Limits on HE.
54 Open Problems Short keys without circular security. FHE from different assumptions. CCA1 secure FHE. Bounded malleability. Improved efficiency.
55 Thank You
Fully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationFULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationWatermarking Cryptographic Functionalities from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu Digital Watermarking 1 Digital Watermarking Content is (mostly) viewable
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationFully Key-Homomorphic Encryption and its Applications
Fully Key-Homomorphic Encryption and its Applications D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy Outline Background on PKE and IBE Functionality
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationEfficient and Secure Delegation of Linear Algebra
Efficient and Secure Delegation of Linear Algebra Payman Mohassel University of Calgary pmohasse@cpsc.ucalgary.ca Abstract We consider secure delegation of linear algebra computation, wherein a client,
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationHigh-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationFHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime
FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime Daniel Benarroch,1, Zvika Brakerski,1, and Tancrède Lepoint,2 1 Weizmann Institute of Science, Israel 2 SRI International, USA Abstract.
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationPseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan
Pseudorandomness of Ring-LWE for Any Ring and Modulus Chris Peikert University of Michigan Oded Regev Noah Stephens-Davidowitz (to appear, STOC 17) 10 March 2017 1 / 14 Lattice-Based Cryptography y = g
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationFaster Bootstrapping with Polynomial Error
Faster Bootstrapping with Polynomial Error Jacob Alperin-Sheriff Chris Peikert June 13, 2014 Abstract Bootstrapping is a technique, originally due to Gentry (STOC 2009), for refreshing ciphertexts of a
More informationMULTI-SCHEME FULLY HOMOMORPHIC ENCRYPTIONS AND ITS APPLICATION IN PRIVACY PRESERVING DATA MINING
MULTI-SCHEME FULLY HOMOMORPHIC ENCRYPTIONS AND ITS APPLICATION IN PRIVACY PRESERVING DATA MINING DISSERTATION Presented in Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in
More informationA Survey of Computational Assumptions on Bilinear and Multilinear Maps. Allison Bishop IEX and Columbia University
A Survey of Computational Assumptions on Bilinear and Multilinear Maps Allison Bishop IEX and Columbia University Group Basics There are two kinds of people in this world. Those who like additive group
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationA Key Recovery Attack on MDPC with CCA Security Using Decoding Errors
A Key Recovery Attack on MDPC with CCA Security Using Decoding Errors Qian Guo Thomas Johansson Paul Stankovski Dept. of Electrical and Information Technology, Lund University ASIACRYPT 2016 Dec 8th, 2016
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationPicnic Post-Quantum Signatures from Zero Knowledge Proofs
Picnic Post-Quantum Signatures from Zero Knowledge Proofs MELISSA CHASE, MSR THE PICNIC TEAM DAVID DERLER STEVEN GOLDFEDER JONATHAN KATZ VLAD KOLESNIKOV CLAUDIO ORLANDI SEBASTIAN RAMACHER CHRISTIAN RECHBERGER
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationTargeted Homomorphic Attribute Based Encryption
Targeted Homomorphic Attribute Based Encryption Zvika Brakerski David Cash Rotem Tsabary Hoeteck Wee Abstract In (key-policy) attribute based encryption (ABE), messages are encrypted respective to attributes
More informationTOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION
TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION A Thesis Presented to The Academic Faculty by Jacob Alperin-Sheriff In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationMASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication
MASTER Fully homomorphic encryption in JCrypTool Ramaekers, C.F.W. Award date: 2011 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationFHE Circuit Privacy Almost For Free
FHE Circuit Privacy Almost For Free Florian Bourse, Rafaël Del Pino, Michele Minelli, and Hoeteck Wee ENS, CNRS, INRIA, and PSL Research University, Paris, France {fbourse,delpino,minelli,wee}@di.ens.fr
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationPublic-Key Cryptosystems from the Worst-Case Shortest Vector Problem. Chris Peikert Georgia Tech
1 / 14 Public-Key Cryptosystems from the Worst-Case Shortest Vector Problem Chris Peikert Georgia Tech Computer Security & Cryptography Workshop 12 April 2010 2 / 14 Talk Outline 1 State of Lattice-Based
More informationEfficient Fully Homomorphic Encryption from (Standard) LWE
Efficient Fully Homomorphic Encryption from (Standard) LWE Zvika Brakerski Vinod Vaikuntanathan Abstract We present a fully homomorphic encryption scheme that is based solely on the (standard) learning
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationA Lattice-Based Universal Thresholdizer for Cryptographic Systems
A Lattice-Based Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (non-threshold)
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationOn the power of non-adaptive quantum chosen-ciphertext attacks
On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg
More informationLecture 5, CPA Secure Encryption from PRFs
CS 4501-6501 Topics in Cryptography 16 Feb 2018 Lecture 5, CPA Secure Encryption from PRFs Lecturer: Mohammad Mahmoody Scribe: J. Fu, D. Anderson, W. Chao, and Y. Yu 1 Review Ralling: CPA Security and
More informationBounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts
Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts Stefano Tessaro (UC Santa Barbara) David A. Wilson (MIT) Bounded-Collusion IBE from Semantically-Secure
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationA key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme
A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationQUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS
QUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS Florian Speelman (joint work with Yfke Dulek and Christian Schaffner) http://arxiv.org/abs/1603.09717 QIP 2017, Seattle, Washington, Monday
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationCSA E0 312: Secure Computation September 09, [Lecture 9-10]
CSA E0 312: Secure Computation September 09, 2015 Instructor: Arpita Patra [Lecture 9-10] Submitted by: Pratik Sarkar 1 Summary In this lecture we will introduce the concept of Public Key Samplability
More informationMultiparty Computation with Low Communication, Computation and Interaction via Threshold FHE
Multiparty Computation with Low Communication, Computation and Interaction via Threshold FHE Gilad Asharov Abhishek Jain Daniel Wichs June 9, 2012 Abstract Fully homomorphic encryption (FHE) provides a
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationScale-Invariant Fully Homomorphic Encryption over the Integers
Scale-Invariant Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, Tancrède Lepoint 1,,3, and Mehdi Tibouchi 4 1 University of Luxembourg, Luxembourg jean-sebastien.coron@uni.lu École
More information