Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
|
|
- Candice Golden
- 5 years ago
- Views:
Transcription
1 CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University
2 Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob should compute z 1 + z 2 = (x 1 +x 2 )(y 1 +y 2 ) How do we compute this? = x 1 y 1 + x 2 y 1 + x 1 y 2 + x 2 y 2 Alice can compute this Bob can compute this
3 On the use of computational assumptions How much can we ask users to trust crypto? 1. Necessary (one way functionsare needed for symmetric crypto, public key crypto is probably needed for 2PC) 2. We must believe that some problems are hard (e.g., breaking RSA or breaking AES). But we should not ask for more trust than needed! 3. Construct complex systems based on well studied assumptions. Then prove (via reduction), that any adv that can break property X of system S can be used to solve computational problem P. 4. If we believe problem P to be hard, then we conclude that system S has property X. 3
4 The Crypto Toolbox Weaker assumption Stronger assumption OTP >> SKE >> PKE >> FHE >> Obfuscation More efficient Less efficient 4
5 Reduction Proof If: an adversary can break the security (e.g., learn the secret input x) Then: use this adversary as a subroutine to break the security of some hard problem (e.g., RSA) But: the problem is hard So: the protocol must be secure x E(m) x m 5
6 Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
7 1-2 OT Receiver b m b 1-2 OT m 0,m 1 Sender Receiver does not learn m 1-b Sender does not learn b
8 1-2 OT Receiver b m b 1-2 OT m 0,m 1 Sender m b = (1-b) m 0 + b m 1 m b = m 0 + b (m 1 - m 0 )
9 k-n OT Receiver i 1,,i n m i1,,m in k-n OT Sender m 1,,m n
10 2PC via 1-n OT Receiver x f(x,y) 1-n OT Sender f(1,y),,f(n,y)
11 Oblivious Transfer = Receiver b bit multiplication 1-2 OT ab + c Sender (c,a+c)
12 Short OT à Long OT Receiver k-bit strings Sender b b k b 1-2 OT k 0,k 1 m 0,m 1 poly(k)-bit strings m b =prg(k b ) u b u 0 = prg(k 0 ) m 0, u 1 = prg(k 1 ) m 1
13 Random OT = OT b m c,r c r 0,r 0,m 1 1 ROT m b =r c x b x 0 = r 0 m 0, x 1 = r 1 m 1 if b=c
14 Random OT = OT b m c,r c ROT r 0,r 0,m 1 1 d = b c m b =r c x b x 0 = r 0 d m 0, x 1 = r 1 d m 1 Exercise: check that it works!
15 (R)OT is symmetric bits Sender s 0,s 1 ROT b,y=s b c = s 0 s 1 r 0 = y z = s c, z=r 0 r 1 = b r 0 c r 0,r 1 Exercise: check that it works No communication!
16 Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
17 Efficiency Problem: OT requires public key primitives, inherently inefficient
18 The Crypto Toolbox Weaker assumption Stronger assumption OTP >> SKE >> PKE >> FHE >> Obfuscation More efficient Less efficient 18
19 Efficiency Problem: OT requires public key primitives, inherently inefficient Solution: OT extension Like hybrid encryption! Start with few (expensive) OT based on PKE Get many (inexpensive) OT using only SKE
20 OT Extension, Pictorially Starting point: k seed OTs X 0,1 k k X b1,1 U b 1 b k 1-2 OTs X 0 X 1,1 X 1 k n n=poly(k) Input or output? Remember that ROT = OT, it doesn t really make a difference! Remember: OT stretching (see Short OT à Long OT slide earlier) 20
21 Condition for OT extension X 1 = X 0 c c Problem for active security! 21
22 OT Extension, Pictorially k X 1 b 1 c U b 1 b k 1-2 COTs X 1 X c k n Correlated OTs n=poly(k) 22
23 OT Extension, Pictorially U " c %& = " % c & X = b c
24 OT Extension, Turn your head! U X X U = b c = b c
25 OT Extension, Pictorially k U b k 1-2 COTs X c k n n=poly(k) 25
26 OT Extension, Pictorially n U n 1-2 c X n b COTs k k 26
27 X= H Break the correlation! Y 0 = H U V b b b Y 1 = H U b 27
28 Breaking the correlation Using a correlation robust hash function H s.t. 1. {a 0,, a n, H(a 0 + r ),, H(a n + r)} // (a i s, r random) 2. {a 0,, a n, b 0,, b n } // (a i s,b i s random) are computationally indistinguishable 28
29 OT Extension, Pictorially k n Y 1,1 Y 1 Y 0,1 Y 0 n 1-2 ROTs c 1 c Y c1,1 V k n=poly(k) 29
30 Recap 0. Strech k OTs from k- to poly(k)=n-bitlong strings 1. Send correction for each pair of messages x i 0,x i 1 s.t., x i 0 x i 1 = c 2. Turn your head (S/R swap roles) 3. The bits of c are the new choice bits 4. Break the correlation: y j 0=H(u j ), y j 1=H(u j b) Not secure against active adversaries 30
31 Recent Results in OT Extension (seereferences at the end) Active secure OT extension essentially as efficient as passive OT. Asharov et al. Keller et al. The columns of the matrix c c Can be seen as a simple replica encoding of a bit. Better encodings can be used for better efficiency, see e.g., Kolesnikov et al. Cascudo et al
32 Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
33 Oblivious Linear Evaluation Receiver b ab + c OLE (a,c) Sender Not bits anymore! Could be values in a ring or a field Arithmetic equivalent of OT
34 n OTs = OLE (Gilboa) Receiver b=(b 0,b 1,,b n-1 ) b i d i =a(2 i b i ) + c i 1-2 OT (c i,a2 i +c i ) Sender a (n bit number) c 0 + +c n-1 =c d 0 + +d n-1 =a(b 0 +2b n-1 b n-1 )+(c 0 + +c n-1 )=ab+c
35 Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
36 Additive (or Linear) Homomorphic Encryption Pailler is a AHE whose security is related to the hardness of factoring Still an important tool in the protocol designer toolbox!
37 (Simplified) Pailler Public key: N = pq, with p = q Secret key: Φ(N)=(p-1)(q-1) Pailler works mod N 2 Z * N^2 = Z N Z * N Note that due to choice of parameters gcd(φ(n),n)=1
38 (Simplified) Pailler (c Z N^2 ) ß Encrypt(m Z N ; r Z * N) Output c = α(m) β(r) mod N 2 Where: α(m) takes care of the homomorphism β(r) takes care of security
39 α(m) For homomorphism α(m Z N ) = (1+mN) mod N 2 For decryption: α(m) efficiently invertible α -1 (y Z N2 ) = y-1 / N // Integer division For homomorphism: α(m 1 ) α(m 2 ) = α(m 1 + m 2 mod N) Exercise: check this!
40 β(r) For security β(r Z N* ) = r N mod N 2 For decryption: β(r) Φ(N) =1 mod N 2 Assumption for security {β(r) rßz N* } {sßz N^2* } For homomorphism β(r 1 ) β(r 2 ) = β(r 1 r 2 ) Φ(N 2 )=N Φ(N) and x Φ(N^2) =1 mod N 2 for all x in Z N2 *
41 Putting Things Together Security: Enc pk (m;r) = α(m) β(r) // r unif. in Z N * comp.ind. from distributed identically to α(m) s // s unif. in Z N2 * t // t unif. in Z N2 *
42 Putting Things Together Homomorphism: Enc pk (m 1 ;r 1 ) Enc pk (m 2 ;r 2 ) = α(m 1 ) β(r 1 ) α(m 2 ) β(r 2 ) = α(m 1 + m 2 mod N) β(r 1 r 2 ) = Enc pk (m 1 + m 2 mod N; r 1 r 2 )
43 Putting Things Together - Decryption Dec(sk,c): 1. t 1 = c Φ(N) mod N 2 2. t 2 = α -1 (t 1 ) mod N 3. t 3 = t 2 Φ(N) -1 mod N Correctness 1. t 1 = α(m) Φ(N) β(r) Φ(N) = = α(m Φ(N)) 1 2. t 2 = α -1 (α(m Φ(N))) = = m Φ(N) 3. t 3 = m Φ(N) Φ(N) -1 = = m 4. Output m=t 3
44 How to Multiply with Pailler Receiver Sender pk, B = Enc pk (b;r) D = c a Enc pk (c;s) d=dec sk (D)=ab+c mod N
45 How to Multiply with Pailler Receiver Sender pk, B = Enc pk (b;r) D = c a Enc pk (c;s) Privacy for Alice: B Enc pk (0;r) due to IND-CPA of Pailler Privacy for Bob? Alice knows the secret key! But due to homomorphism of Pailler {sk,d} {sk,enc pk (ab+c;t)} d=dec sk (D)=ab+c mod N
46 Part 2: How to multiply Warmup: Useful OT Properties OT Extension Multiplication Protocols OT-based Pailler Encryption Noisy Encodings
47 Slide by Satrajit Gosh OLE from Noisy Encodings (Ishai et al. [IPS09], generalizing [NP06]) Noisy Encodings Encode: Takes! # $, outputs a set % and encoding & # ' Eval: Takes (, * # $ and the encoding &, outputs an encoding + Decode: Takes an encoding + and the set %, outputs, =!( + *
48 OLE from Noisy Encodings Encode(a) 1. Pick a polynomial " of degree ) 1 with " 0 = (, evaluate at & = 4) positions 1 n '( - " 1 " 2 " & 2. Pick a random error + vector - with 3 = 2) + 1 non-zero elements, 5 = = / Add the two together 0 0 Slide by Satrajit Gosh m=1 for simplicity 2 A 1 -. " & Assumption - Pseudorandomness 9 B <
49 Slide by Satrajit Gosh OLE from Noisy Encodings Eval(v,b,r) 1. Pick a polynomial ' of degree - 1 with ' 0 =,, evaluate at & = 4- positions 1 & +, 2 '(1) '(2) '(2)! 1 # $! & 2. Pick a polynomial 9 of degree 2-2 with : 0 = 8, evaluate at & = 4- positions 1 n : 1 : 2 : & # $ 3 &
50 Slide by Satrajit Gosh OLE from Noisy Encodings Decode(w,L) 1. Ignore all $ & #! 1 '( )! + 2. Interpolate the polynomial!(-) and output! 0 = ! 1! 2! +
51 Slide by Satrajit Gosh OLE from Noisy Encodings / + ', ) +., # -3)456(/) #! $ " -OT $ & $ -./0(., ', )) 7 86)456 $ &, # (= /' + )) Constant overhead per multiplication!* *using packed secret sharing
52 Summary OT properties Symmetric ROT and OT equivalence OT can be stretched OT extension Passive security Multiplication protocols Gilboa (OT-based) #OTs = #bits (works on anyring) AHE (Pailler) Noisy Encoding (works for fields) #OTs independent on bitlength
53 Primary References Cryptographic Computing, lecture notes, (with theory and programming exercises) Extending Oblivious Transfers Efficiently (Ishai et al.) A Generalisation, a Simplification and Some Applications of Paillier's Probabilistic Public-Key System (Damgård et al.) Public-Key CryptosystemsBased on Composite Degree Residuosity Classes (Paillier) Secure Arithmetic Computation with No Honest Majority (Ishai et al.) Two Party RSA Key Generation (Gilboa) Extending Oblivious Transfers Efficiently - How to get Robustness Almost for Free (Nielsen)
54 Other References Oblivious Polynomial Evaluation (Naor et al.) More Efficient Oblivious Transfer Extensions with Security for Malicious Adversaries (Asharov et al.) ActivelySecure OT Extension with Optimal Overhead (Keller et al.) Improved OT Extension for Transferring Short Secrets (Kolesnikov et al.) Efficient Batched Oblivious PRF with Applications to Private Set Intersection (Kolesnikov et al.) ActivelySecure OT-Extension from q-arylinear Codes (Cascudo et al.) Maliciously Secure Oblivious Linear Function Evaluation with Constant Overhead (Ghosh et al.) MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer (Keller et al.) A New Approach to Practical Active-Secure Two-Party Computation (Nielsen et al.)
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer
MASCOT: Faster Malicious Arithmetic Secure Computation with Oblivious Transfer Tore Frederiksen Emmanuela Orsini Marcel Keller Peter Scholl Aarhus University University of Bristol 31 May 2016 Secure Multiparty
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationA New Approach to Practical Secure Two-Party Computation. Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank
A New Approach to Practical Secure Two-Party Computation Jesper Buus Nielsen Peter Sebastian Nordholt Claudio Orlandi Sai Sheshank Secure Two-Party Computation Alice has an input a {0,1} * Bob has an input
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationSPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a
SPDZ 2 k: Efficient MPC mod 2 k for Dishonest Majority a Ronald Cramer 1 Ivan Damgård 2 Daniel Escudero 2 Peter Scholl 2 Chaoping Xing 3 August 21, 2018 1 CWI, Amsterdam 2 Aarhus University, Denmark 3
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More information1 Basic Number Theory
ECS 228 (Franklin), Winter 2013, Crypto Review 1 Basic Number Theory This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationOblivious Transfer (OT) and OT Extension
Oblivious Transfer (OT) and OT Extension School on Secure Multiparty Computation Arpita Patra Arpita Patra Roadmap o Oblivious Transfer - Construction from `special PKE o OT Extension - IKNP OT extension
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationOblivious Transfer and Secure Multi-Party Computation With Malicious Parties
CS 380S Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties Vitaly Shmatikov slide 1 Reminder: Oblivious Transfer b 0, b 1 i = 0 or 1 A b i B A inputs two bits, B inputs the index
More informationLecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures
Lecture 18 - Secret Sharing, Visual Cryptography, Distributed Signatures Boaz Barak November 27, 2007 Quick review of homework 7 Existence of a CPA-secure public key encryption scheme such that oracle
More informationSecure Arithmetic Computation with Constant Computational Overhead
Secure Arithmetic Computation with Constant Computational Overhead Benny Applebaum 1, Ivan Damgård 2, Yuval Ishai 3, Michael Nielsen 2, and Lior Zichron 1 1 Tel Aviv University, {bennyap@post,liorzichron@mail}.tau.ac.il
More informationReview. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm
Review CS311H: Discrete Mathematics Number Theory Instructor: Işıl Dillig What does it mean for two ints a, b to be congruent mod m? What is the Division theorem? If a b and a c, does it mean b c? What
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationLecture 18: Message Authentication Codes & Digital Signa
Lecture 18: Message Authentication Codes & Digital Signatures MACs and Signatures Both are used to assert that a message has indeed been generated by a party MAC is the private-key version and Signatures
More informationExtending Oblivious Transfers Efficiently
Extending Oblivious Transfers Efficiently Yuval Ishai Technion Joe Kilian Kobbi Nissim Erez Petrank NEC Microsoft Technion Motivation x y f(x,y) How (in)efficient is generic secure computation? myth don
More informationLecture 38: Secure Multi-party Computation MPC
Lecture 38: Secure Multi-party Computation Problem Statement I Suppose Alice has private input x, and Bob has private input y Alice and Bob are interested in computing z = f (x, y) such that each party
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationA Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM
A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM Paulo S. L. M. Barreto Bernardo David Rafael Dowsley Kirill Morozov Anderson C. A. Nascimento Abstract Oblivious Transfer
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationAdditive Conditional Disclosure of Secrets
Additive Conditional Disclosure of Secrets Sven Laur swen@math.ut.ee Helsinki University of Technology Motivation Consider standard two-party computation protocol. x f 1 (x, y) m 1 m2 m r 1 mr f 2 (x,
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationNotes for Lecture 9. Last time, we introduced zero knowledge proofs and showed how interactive zero knowledge proofs could be constructed from OWFs.
COS 533: Advanced Cryptography Lecture 9 (October 11, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Udaya Ghai Notes for Lecture 9 1 Last Time Last time, we introduced zero knowledge proofs
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 10
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 10 Lecture date: 14 and 16 of March, 2005 Scribe: Ruzan Shahinian, Tim Hu 1 Oblivious Transfer 1.1 Rabin Oblivious Transfer
More informationOn Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)
On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan) Secure Multiparty Computation (MPC) Ideal World/ Functionality
More informationKeyword Search and Oblivious Pseudo-Random Functions
Keyword Search and Oblivious Pseudo-Random Functions Mike Freedman NYU Yuval Ishai, Benny Pinkas, Omer Reingold 1 Background: Oblivious Transfer Oblivious Transfer (OT) [R], 1-out-of-N [EGL]: Input: Server:
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationSecurity of Symmetric Primitives under Incorrect Usage of Keys
Security of Symmetric Primitives under Incorrect Usage of Keys Pooya Farshim 1 Claudio Orlandi 2 Răzvan Roşie 1 1 ENS, CNRS, INRIA & PSL Research University, Paris, France 2 Aarhus University, Aarhus,
More informationIntroduction to Modern Cryptography Lecture 11
Introduction to Modern Cryptography Lecture 11 January 10, 2017 Instructor: Benny Chor Teaching Assistant: Orit Moskovich School of Computer Science Tel-Aviv University Fall Semester, 2016 17 Tuesday 12:00
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Secret Sharing Vault should only open if both Alice and Bob are present Vault should only open if Alice, Bob, and Charlie are
More informationLecture 15 & 16: Trapdoor Permutations, RSA, Signatures
CS 7810 Graduate Cryptography October 30, 2017 Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures Lecturer: Daniel Wichs Scribe: Willy Quach & Giorgos Zirdelis 1 Topic Covered. Trapdoor Permutations.
More informationLecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension
CS 294 Secure Computation February 16 and 18, 2016 Lecture 9 and 10: Malicious Security - GMW Compiler and Cut and Choose, OT Extension Instructor: Sanjam Garg Scribe: Alex Irpan 1 Overview Garbled circuits
More informationYuval Ishai Technion
Winter School on, Israel 30/1/2011-1/2/2011 Yuval Ishai Technion 1 Several potential advantages Unconditional security Guaranteed output and fairness Universally composable security This talk: efficiency
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationSecure Equality and Greater-Than Tests with Sublinear Online Complexity
Secure Equality and Greater-Than Tests with Sublinear Online Complexity Helger Lipmaa 1 and Tomas Toft 2 1 Institute of CS, University of Tartu, Estonia 2 Dept. of CS, Aarhus University, Denmark Abstract.
More informationOblivious Evaluation of Multivariate Polynomials. and Applications
The Open University of Israel Department of Mathematics and Computer Science Oblivious Evaluation of Multivariate Polynomials and Applications Thesis submitted as partial fulfillment of the requirements
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationPublic-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP
Public-Key Cryptography Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP Diffie-Hellman Key-exchange Secure under DDH: (g x,g x,g xy ) (g x,g x,g r ) Random x {0,..,
More informationU.C. Berkeley CS276: Cryptography Luca Trevisan February 5, Notes for Lecture 6
U.C. Berkeley CS276: Cryptography Handout N6 Luca Trevisan February 5, 2009 Notes for Lecture 6 Scribed by Ian Haken, posted February 8, 2009 Summary The encryption scheme we saw last time, based on pseudorandom
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationScribe for Lecture #5
CSA E0 235: Cryptography 28 January 2016 Scribe for Lecture #5 Instructor: Dr. Arpita Patra Submitted by: Nidhi Rathi 1 Pseudo-randomness and PRG s We saw that computational security introduces two relaxations
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 23 (rev. 1) Professor M. J. Fischer November 29, 2005 1 Oblivious Transfer Lecture Notes 23 In the locked
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationLecture Note 3 Date:
P.Lafourcade Lecture Note 3 Date: 28.09.2009 Security models 1st Semester 2007/2008 ROUAULT Boris GABIAM Amanda ARNEDO Pedro 1 Contents 1 Perfect Encryption 3 1.1 Notations....................................
More informationPublic Key Cryptography. All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other.
Public Key Cryptography All secret key algorithms & hash algorithms do the same thing but public key algorithms look very different from each other. The thing that is common among all of them is that each
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationEXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:
CHALMERS GÖTEBORGS UNIVERSITET EXAM IN CRYPTOGRAPHY TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:30 12.30 Tillåtna hjälpmedel: Typgodkänd räknare. Annan minnestömd räknare får användas efter godkännande
More informationCIS 6930/4930 Computer and Network Security. Topic 5.2 Public Key Cryptography
CIS 6930/4930 Computer and Network Security Topic 5.2 Public Key Cryptography 1 Diffie-Hellman Key Exchange 2 Diffie-Hellman Protocol For negotiating a shared secret key using only public communication
More informationCommitment Schemes and Zero-Knowledge Protocols (2011)
Commitment Schemes and Zero-Knowledge Protocols (2011) Ivan Damgård and Jesper Buus Nielsen Aarhus University, BRICS Abstract This article is an introduction to two fundamental primitives in cryptographic
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationFoundations of Homomorphic Secret Sharing
Foundations of Homomorphic Secret Sharing Elette Boyle 1, Niv Gilboa 2, Yuval Ishai 3, Huijia Lin 4, and Stefano Tessaro 4 1 IDC Herzliya, Herzliya, Israel eboyle@alum.mit.edu 2 Ben Gurion University,
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationError-Tolerant Combiners for Oblivious Primitives
Error-Tolerant Combiners for Oblivious Primitives Bartosz Przydatek 1 and Jürg Wullschleger 2 1 Google Switzerland, (Zurich, Switzerland) przydatek@google.com 2 University of Bristol (Bristol, United Kingdom)
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationPseudorandom Generators
Outlines Saint Petersburg State University, Mathematics and Mechanics 2nd April 2005 Outlines Part I: Main Approach Part II: Blum-Blum-Shub Generator Part III: General Concepts of Pseudorandom Generator
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationA New Approach to Practical Active-Secure Two-Party Computation
A New Approach to Practical Active-Secure Two-Party Computation Jesper Buus Nielsen 1, Peter Sebastian Nordholt 1, Claudio Orlandi 1, Sai Sheshank Burra 2 1 Aarhus University, Denmark 2 Indian Institute
More informationMachine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser
Machine Learning Classification over Encrypted Data Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser Classification (Machine Learning) Supervised learning (training) Classification data set
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationTheory of Computation Chapter 12: Cryptography
Theory of Computation Chapter 12: Cryptography Guan-Shieng Huang Dec. 20, 2006 0-0 Introduction Alice wants to communicate with Bob secretely. x Alice Bob John Alice y=e(e,x) y Bob y??? John Assumption
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationEliminating Quadratic Slowdown in Two-Prime RSA Function Sharing
International Journal of Network Security, Vol.7, No.1, PP.107 114, July 2008 107 Eliminating Quadratic Slowdown in Two-Prime RSA Function Sharing Maged Hamada Ibrahim Department of Electronics, Communications
More informationThe Theory and Applications of Homomorphic Cryptography
The Theory and Applications of Homomorphic Cryptography by Kevin Henry A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Mathematics
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More information1 Cryptographic hash functions
CSCI 5440: Cryptography Lecture 6 The Chinese University of Hong Kong 24 October 2012 1 Cryptographic hash functions Last time we saw a construction of message authentication codes (MACs) for fixed-length
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationLecture 15 - Zero Knowledge Proofs
Lecture 15 - Zero Knowledge Proofs Boaz Barak November 21, 2007 Zero knowledge for 3-coloring. We gave a ZK proof for the language QR of (x, n) such that x QR n. We ll now give a ZK proof (due to Goldreich,
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLecture 3,4: Multiparty Computation
CS 276 Cryptography January 26/28, 2016 Lecture 3,4: Multiparty Computation Instructor: Sanjam Garg Scribe: Joseph Hui 1 Constant-Round Multiparty Computation Last time we considered the GMW protocol,
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More informationDefinition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University
Number Theory, Public Key Cryptography, RSA Ahmet Burak Can Hacettepe University abc@hacettepe.edu.tr The Euler Phi Function For a positive integer n, if 0
More informationEfficient Set Intersection with Simulation-Based Security
Efficient Set Intersection with Simulation-Based Security Michael J. Freedman Carmit Hazay Kobbi Nissim Benny Pinkas September 4, 2014 Abstract We consider the problem of computing the intersection of
More information