Watermarking Cryptographic Functionalities from Standard Lattice Assumptions
|
|
- Cassandra Sutton
- 5 years ago
- Views:
Transcription
1 Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim Stanford University Joint work with David J. Wu
2 Digital Watermarking 1
3 Digital Watermarking Content is (mostly) viewable 2
4 Digital Watermarking Content is (mostly) viewable Difficult to remove (without destroying the image) 3
5 Watermarking Programs Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] 4
6 Watermarking Programs Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] 5
7 Watermarking Programs Watermarking Programs [NSS99, BGIRSVY01, HMW07, YF11, Nis13, CHNVW16, BLW17] Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not 6
8 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not 7
9 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Functionality Preserving: On input a circuit C, the Mark algorithm outputs a circuit C where: for all inputs x. C(x) = C (x) 8
10 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Functionality Preserving: On input a circuit C, the Mark algorithm outputs a circuit C where: for all inputs x. C(x) = C (x) Too Strong: Perfect functionality preserving is impossible for watermarking assuming indistinguishability obfuscation [BGIRSVY12]. 9
11 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Functionality Preserving: On input a circuit C, the Mark algorithm outputs a circuit C where: C(x) = C (x) on all but a negligible fraction of inputs x. 10
12 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Unremovability: Given a marked program C, no efficient adversary can construct a circuit C where C(x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 11
13 Watermarking Programs Two main algorithms: Mark(wsk, C) C : Takes circuit C and outputs marked circuit C Verify(wsk, C ) {0, 1}: Tests whether a circuit C is marked or not Unremovability: Given a marked program C, no efficient adversary can construct a circuit C where C(x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 Unforgeability: Given a set of marked programs C 1,..., C l, no efficient adversary can construct a circuit C where for all i: C i (x) C (x) on a noticeable fraction of inputs x Verify(wsk, C ) = 1 12
14 Can we watermark any programs? Watermarking only achievable for functions that are not learnable. 13
15 Can we watermark any programs? Watermarking only achievable for functions that are not learnable. Focus has been on cryptographic functions. 14
16 Can we watermark any programs? Watermarking only achievable for functions that are not learnable. Focus has been on cryptographic functions. This work: Focus on watermarking PRFs [CHNVW16, BLW17]. Enables watermarking of symmetric primitives built from PRFs (e.g., encryption, MACs, etc.) 15
17 Security Definition (Weaker) Adversary wins if PRF k (x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 16
18 Security Definition (Stronger) Adversary wins if PRF k (x) = C (x) on all but negligible fraction of inputs x Verify(wsk, C ) = 0 17
19 Main Results Construct watermarking scheme for PRFs satisfying (weaker) unremovability security definition (and unforgeability) from LWE Previous works: [CHNVW16]: (publicly verifiable) unremovability from io [BLW17]: (weaker) unremovability from io 18
20 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 1: Evaluate PRF on test points x 1, x 2, x 3 (part of the watermarking secret key) 19
21 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 2: Derive a pair (x, y ) from y 1, y 2, y 3 20
22 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y 21
23 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Step 3: Marked key is a circuit that implements the PRF at all points, except at x, the output is changed to y 22
24 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Verification: Evaluate function at x 1, x 2, x 3, derive (x, y ) and check if the value at x matches y. 23
25 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Functionality-preserving: Function differs at a single point Unremovable: As long as adversary cannot tell that (x, y ) is special 24
26 Blueprint for Watermarking PRFs [CHNVW16, BLW17] Prior solutions: Use obfuscation to hide (x, y ) Obfuscated program has PRF embedded inside and outputs PRF(k, x) on all inputs x x and y when x = x Question: How can we implement the blueprint just from LWE? 25
27 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Watermarked PRF implements PRF at all but a single point Structurally very similar to a puncturable PRF [BW13, BGI13, KPTZ13] Punctured key can be used to evaluate PRF on all points x x 26
28 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Recall general approach for watermarking: 1. Derive (x, y ) from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x 27
29 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Recall general approach for watermarking: 1. Derive (x, y ) from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark 28
30 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Recall general approach for watermarking: 1. Derive (x, y ) from input/output behavior of PRF 2. Give out a key that agrees with PRF everywhere, except has value y at x = x Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Problem 2: Punctured keys typically do not provide flexibility in programming value at punctured point 29
31 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Use private puncturable PRFs 30
32 Private Puncturable PRFs [BLW17, BKM17, CC17, BTVW17] Problem 1: Punctured key does not necessarily hide x, which allows adversary to remove watermark Use private puncturable PRFs Problem 2: Punctured keys typically do not provide flexibility in programming value at punctured point Relax programmability requirement 31
33 Private Translucent PRFs Output of any punctured key on a punctured point lies in a sparse, hidden subspace 32
34 Private Translucent PRFs Output of any punctured key on a punctured point lies in a sparse, hidden subspace 33
35 Private Translucent PRFs Output of any punctured key on a punctured point lies in a sparse, hidden subspace Secret testing key can be used to test for memership in the hidden subspace 34
36 Private Translucent PRFs Sets satisfying such properties are called translucent [CDNO97] Values in special set looks indistinguishable from a random value (without secret testing key) Indistinguishable even through it is easy to sample values from the set 35
37 Private Translucent PRFs Define watermarking secret key (wsk): Test points x 1,..., x d Testing key for private translucent PRF 36
38 Private Translucent PRFs To mark a PRF key k: derive special point x and puncture k at x Watermarked program is a program C that evaluates punctured key 37
39 Private Translucent PRFs To mark a PRF key k: derive special point x and puncture k at x To test a program C : 1. Derive test point x 2. Check whether C (x ) is in the translucent set 38
40 Constructing Private Translucent PRFs from Lattices
41 Road Map 39
42 Learning with Errors [Reg05] Parameters: n, m, q, χ Problem: Distinguish the following distributions (A, s T A + e T ) (A, u T ). for A R Z n m q, s R Z n q, e R χ m, u R Z m q 40
43 Learning with Rounding [BPR12] Parameters: n, m, q, p Problem: Distinguish the following distributions (A, s T A p ) (A, u T p ). for A R Z n m q, s R Z n q, u R Z m q 41
44 Lattice PRFs [BPR12,...] LWE says that s T A p u T p. Randomized PRF(?): For any x X, choose A x R Z n m q and define PRF(k, x) = s T A x p 42
45 Lattice PRFs [BPR12,...] LWE says that s T A p u T p. Randomized PRF(?): For any x X, choose A x R Z n m q and define PRF(k, x) = s T A x p Approach: Fix matrix A 1,..., A l Z n m q and set key k = s Z n q. For x X, derive A 1,..., A l A x and define PRF(k, x) = s T A x p 43
46 Lattice PRFs [BPR12,...] LWE says that s T A p u T p. Randomized PRF(?): For any x X, choose A x R Z n m q and define PRF(k, x) = s T A x p Approach: Fix matrix A 1,..., A l Z n m q and set key k = s Z n q. For x X, derive A 1,..., A l A x and define PRF(k, x) = s T A x p Question: What is a suitable way to derive A x? 44
47 Gadget matrix [MP12] Gadget matrix G Z n m q There is an efficiently computable function G 1 ( ) such that: G 1 : Z n m q for all C Z n m q : {0, 1} m m G G 1 (C) = C Implementation: G 1 is the bit decomposition function G consists of powers-of-2 45
48 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T 46
49 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] 47
50 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T ((A i + A j ) + (x i + x j ) G) + (e i + e j ) T 48
51 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise 49
52 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise Multiplication: To compute x i x j [ s T (A i + x i G) + e T i ] xj [ s T (A j + x j G) + e T j ] 1 G (A i ) 50
53 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise Multiplication: To compute x i x j [ s T (A i + x i G) + e T i = s T (A ( ) + (x i x j ) G) + noise ] xj [ s T (A j + x j G) + e T j ] 1 G (A i ) 51
54 Matrix Embeddings [BGGHNSVV14] Encode x {0, 1} with respect to matrix A Z n m q s T (A + x G) + e T Addition: To compute x i + x j : [ s T (A i + x i G) + e T i ] + [ s T (A j + x j G) + e T j ] = s T (A (+) + (x i + x j ) G) + noise Multiplication: To compute x i x j [ s T (A i + x i G) + e T i = s T (A ( ) + (x i x j ) G) + noise ] xj [ s T (A j + x j G) + e T j ] 1 G (A i ) Useful: Matrices A (+), A ( ) are independent of x i, x j. 52
55 Matrix Embeddings [BGGHNSVV14] Compute any circuit f : {0, 1} l {0, 1}: s T (A 1 + x 1 G) + e 1. s T (A l + x l G) + e 1 53
56 Matrix Embeddings [BGGHNSVV14] Compute any circuit f : {0, 1} l {0, 1}: s T (A 1 + x 1 G) + e 1. f = s T (A f + f (x) G) + noise s T (A l + x l G) + e 1 54
57 Matrix Embeddings [BGGHNSVV14] Compute any circuit f : {0, 1} l {0, 1}: s T (A 1 + x 1 G) + e 1. f = s T (A f + f (x) G) + noise s T (A l + x l G) + e 1 Useful property: Matrix A f does not depend on encoded values x 1,..., x l Can derive A 1,..., A l A f without knowing x 1,..., x l. 55
58 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise : 56
59 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = Define punctured key sk c : { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise : s T (A 1 + c 1 G) + e 1. s T (A l + c l G) + e 1 57
60 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = Define punctured key sk c : { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise : s T (A 1 + c 1 G) + e 1. eq x = s T (A eqx + eq x (c) G) + noise s T (A l + c l G) + e 1 58
61 Puncturable PRF [BV14] Idea: Define PRF with respect to eq x (c) = Define punctured key sk c : s T (A 1 + c 1 G) + e 1 { PRF(k, x) = s T A eqx p. 1 x = c 0 otherwise :. eq x = s T (A eqx + eq x (c) G) + noise s T (A l + c l G) + e 1 When x c, then eq x (c) = 0: s T A eqx + noise p = s T A eqx p When x = c, s T (A eqx + G) + noise p s T A eqx p 59
62 Private Constrained PRFs [BKM17, BTVW17] Hide punctured point? 60
63 Private Constrained PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) 61
64 Private Constrained PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) 62
65 Private Puncturable PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) Punctured key must include c in order to compute! 63
66 Private Puncturable PRFs [BKM17, BTVW17] Hide punctured point? Recall... Addition: To compute c i + c j : [ s T (A i + c i G) + e T i ] + [ s T (A j + c j G) + e T j ] = s T (A (+) + (c i + c j ) G) + noise Multiplication: To compute c i c j [ s T (A i + c i G) + e T i = s T (A ( ) + (c i c j ) G) + noise ] cj [ s T (A j + c j G) + e T j ] 1 G (A i ) Punctured key must include c in order to compute! Idea: Use FHE to hide encoded values [GVW15] 64
67 Fully Homomorphic Encryption For message x 1,..., x l and circuit f : {0, 1} l {0, 1}, compute only on ciphertext ( ) Enc(x 1 ),..., Enc(x l ), f = Enc(f (x)) 65
68 Fully Homomorphic Encryption For message x 1,..., x l and circuit f : {0, 1} l {0, 1}, compute only on ciphertext ( ) Enc(x 1 ),..., Enc(x l ), f = Enc(f (x)) For LWE-based constructions, Enc(f (x)) Z m q, sk Z m q, and decryption is an inner product Enc(f (x)), sk = q f (x) + noise. 2 66
69 Fully Homomorphic Encryption For message x 1,..., x l and circuit f : {0, 1} l {0, 1}, compute only on ciphertext ( ) Enc(x 1 ),..., Enc(x l ), f = Enc(f (x)) For LWE-based constructions, Enc(f (x)) Z m q, sk Z m q, and decryption is an inner product Enc(f (x)), sk = f (x). (cheating for simplicity) 67
70 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 68
71 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 s T (A x,1 + ct 1 G) + noise Eval eqx =. s T (A x,l + ct m G) + noise 69
72 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 s T (A x,1 + ct 1 G) + noise Eval eqx =. s T (A x,l + ct m G) + noise We have: ct = Enc(eq x (c)) How do we extract this value? 70
73 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. s T (A l + ct l G) + e 1 s T (A x,1 + ct 1 G) + noise Eval eqx =. s T (A x,l + ct m G) + noise s T (B 1 + sk 1 G) + e 1. s T (B l + sk m G) + e m Give out ct, but not sk 1,..., sk m! 71
74 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. IP Eval eqx = s T (A x + sk, ct G) + noise s T (A l + ct l G) + e 1 s T (A 1 + sk 1 G) + e 1. s T (A l + sk m G) + e m Give out ct, but not sk 1,..., sk m! 72
75 Private Puncturable PRF [BKM17, BTVW17] First encrypt ct Enc(c). Then define punctured key sk c : s T (A 1 + ct 1 G) + e 1. IP Eval eqx = s T (A x + eq x (c) G) + noise s T (A l + ct l G) + e 1 s T (A 1 + sk 1 G) + e 1. s T (A l + sk m G) + e m Give out ct, but not sk 1,..., sk m! 73
76 Private Puncturable PRF [BKM17, BTVW17] First ct Enc(c). Then punctured key sk c : s T (A 1 + ct 1 G) + e 1. IP Eval eqx = s T (A IP Evaleqx + eq x (c) G) + noise s T (A l + ct l G) + e 1 s T (A 1 + sk 1 G) + e 1. s T (A l + sk m G) + e m Define PRF with respect to IP Eval eqx : PRF(k, x) = s T A IP Evaleqx p 74
77 Programming Encode punctured point c (under FHE) Define PRF with respect to equality circuit: { 1 x = c eq x (c) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + eq x (c) G) + noise 75
78 Programming Encode punctured point c (under FHE) Define PRF with respect to equality circuit: { 1 x = c eq x (c) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + G) + noise 76
79 Programming Encode punctured point (c, w) (under FHE) for some w Z q Define PRF with respect to equality circuit: { 1 x = c eq x (c) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + G) + noise 77
80 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + G) + noise 78
81 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + eq x (c, w) G) + noise 79
82 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 80
83 Programming Encode punctured point (c, w) (under FHE) for w Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: There is some programmability here! We can choose w at key generation. s T (A IP Evaleqx + w G }{{} ) + noise 81
84 Programming Encode punctured point (c, w) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 82
85 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w x = c eq x (c, w) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 83
86 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w i x = c eq x,i (c, w i ) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx + w G) + noise 84
87 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w i x = c eq x,i (c, w i ) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx,1 + w 1 G 1 ) + noise. s T (A IP Evaleqx,N + w N G N ) + noise 85
88 Programming Encode punctured point (c, w 1,..., w N ) (under FHE) for w i Z q Define PRF with respect to equality circuit: { w i x = c eq x,i (c, w i ) = 0 otherwise Constrained key evaluation at c: s T (A IP Evaleqx,1 + w 1 G 1 ) + noise s T (A IP Evaleqx,N. + w N G N ) + noise Choose w 1,..., w N such that D = i [N] A IP Evaleqxi + w i G i i [N] 86
89 s T D p Programming Constrained key evaluation at c: Watermark key includes short vector w such that D w = 0 87
90 To Conclude... Open Problems: Achieve stronger security guarantees? Watermark other primitives? 88
91 To Conclude... Open Problems: Achieve stronger security guarantees? Watermark other primitives? Thanks! 89
from Standard Lattice Assumptions
Watermarking Cryptographic Functionalities from Standard Lattice Assumptions Sam Kim and David J. Wu Stanford University Digital Watermarking CRYPTO CRYPTO CRYPTO Often used to identify owner of content
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More informationPrivate Puncturable PRFs From Standard Lattice Assumptions
Private Puncturable PRFs From Standard Lattice Assumptions Dan Boneh Stanford University dabo@cs.stanford.edu Sam Kim Stanford University skim13@cs.stanford.edu Hart Montgomery Fujitsu Laboratories of
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationConstrained Keys for Invertible Pseudorandom Functions
Constrained Keys or Invertible Pseudorandom Functions Dan Boneh, Sam Kim, and David J. Wu Stanord University {dabo,skim13,dwu4}@cs.stanord.edu Abstract A constrained pseudorandom unction (PRF) is a secure
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationPublicly Verifiable Software Watermarking
Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan April 22, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationTowards Tightly Secure Lattice Short Signature and Id-Based Encryption
Towards Tightly Secure Lattice Short Signature and Id-Based Encryption Xavier Boyen Qinyi Li QUT Asiacrypt 16 2016-12-06 1 / 19 Motivations 1. Short lattice signature with tight security reduction w/o
More informationConstraining Pseudorandom Functions Privately
Constraining Pseudorandom Functions Privately Dan Boneh, Kevin Lewi, and David J. Wu Stanford University {dabo,klewi,dwu4}@cs.stanford.edu Abstract In a constrained pseudorandom function (PRF), the master
More informationCandidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation
Candidate Differing-Inputs Obfuscation from Indistinguishability Obfuscation and Auxiliary-Input Point Obfuscation Dongxue Pan 1,2, Hongda Li 1,2, Peifang Ni 1,2 1 The Data Assurance and Communication
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationA Lattice-Based Universal Thresholdizer for Cryptographic Systems
A Lattice-Based Universal Thresholdizer for Cryptographic Systems Dan Boneh Rosario Gennaro Steven Goldfeder Sam Kim Abstract We develop a general approach to thresholdizing a large class of (non-threshold)
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 3: Interactive Proofs and Zero-Knowledge
CS 355 Topics in Cryptography April 9, 2018 Lecture 3: Interactive Proofs and Zero-Knowledge Instructors: Henry Corrigan-Gibbs, Sam Kim, David J. Wu So far in the class, we have only covered basic cryptographic
More informationConstrained PRFs for NC 1 in Traditional Groups
Constrained PFs for NC 1 in Traditional Groups Nuttapong Attrapadung 1, Takahiro Matsuda 1, yo Nishimaki 2, Shota Yamada 1, Takashi Yamakawa 2 1 National Institute of Advanced Industrial Science and Technology
More informationIncreased efficiency and functionality through lattice-based cryptography
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, INRIA, PSL Research University RESEARCH UNIVERSITY PARIS ECRYPT-NET Cloud Summer School Leuven, Belgium
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More information6.892 Computing on Encrypted Data October 28, Lecture 7
6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More informationIndistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption
Indistinguishability Obfuscation for All Circuits from Secret-Key Functional Encryption Fuyuki Kitagawa 1 Ryo Nishimaki 2 Keisuke Tanaka 1 1 Tokyo Institute of Technology, Japan {kitagaw1,keisuke}@is.titech.ac.jp
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationFUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS. Elette Boyle Shafi Goldwasser Ioana Ivan
FUNCTIONAL SIGNATURES AND PSEUDORANDOM FUNCTIONS Elette Boyle Shafi Goldwasser Ioana Ivan Traditional Paradigm: All or Nothing Encryption [DH76] Given SK, can decrypt. Otherwise, can t distinguish encryptions
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationConstrained Pseudorandom Functions for Unconstrained Inputs
Constrained Pseudorandom Functions for Unconstrained Inputs Apoorvaa Deshpande acdeshpa@cs.brown.edu Venkata Koppula kvenkata@cs.utexas.edu Brent Waters bwaters@cs.utexas.edu Abstract A constrained pseudo
More informationModern symmetric-key Encryption
Modern symmetric-key Encryption Citation I would like to thank Claude Crepeau for allowing me to use his slide from his crypto course to mount my course. Some of these slides are taken directly from his
More informationThreshold Cryptosystems From Threshold Fully Homomorphic Encryption
Threshold Cryptosystems From Threshold Fully Homomorphic Encryption Dan Boneh Rosario Gennaro Steven Goldfeder Aayush Jain Sam Kim Peter M. R. Rasmussen Amit Sahai Abstract We develop a general approach
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationFrom FE Combiners to Secure MPC and Back
From FE Combiners to Secure MPC and Back Prabhanjan Ananth Saikrishna Badrinarayanan Aayush Jain Nathan Manohar Amit Sahai Abstract Functional encryption (FE) has incredible applications towards computing
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationNew Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation
New Methods for Indistinguishability Obfuscation: Bootstrapping and Instantiation Shweta Agrawal Abstract Constructing indistinguishability obfuscation io [BGI + 01] is a central open question in cryptography.
More informationPoint Obfuscation and 3-round Zero-Knowledge
Point Obfuscation and 3-round Zero-Knowledge Nir Bitansky and Omer Paneth Tel Aviv University and Boston University September 21, 2011 Abstract We construct 3-round proofs and arguments with negligible
More informationLeakage-Resilient Public-Key Encryption from Obfuscation
Leakage-Resilient Public-Key Encryption from Obfuscation Dana Dachman-Soled S. Dov Gordon Feng-Hao Liu Adam O Neill Hong-Sheng Zhou July 25, 2016 Abstract The literature on leakage-resilient cryptography
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More information2 Message authentication codes (MACs)
CS276: Cryptography October 1, 2015 Message Authentication Codes and CCA2 Instructor: Alessandro Chiesa Scribe: David Field 1 Previous lecture Last time we: Constructed a CPA-secure encryption scheme from
More informationProjective Arithmetic Functional Encryption. and. Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps
Projective Arithmetic Functional Encryption and Indistinguishability Obfuscation (io) from Degree-5 Multilinear maps Prabhanjan Ananth Amit Sahai Constructions of io All current constructions of io are
More informationStronger Security for Reusable Garbled Circuits, General Definitions and Attacks
Stronger Security for Reusable Garbled Circuits, General Definitions and Attacks Shweta Agrawal Abstract We construct a functional encryption scheme for circuits which simultaneously achieves and improves
More informationWeak Zero-Knowledge Beyond the Black-Box Barrier
Weak Zero-Knowledge Beyond the Black-Box Barrier Nir Bitansky Dakshita Khurana Omer Paneth November 9, 2018 Abstract The round complexity of zero-knowledge protocols is a long-standing open question, yet
More informationBootstrapping Obfuscators via Fast Pseudorandom Functions
Bootstrapping Obfuscators via Fast Pseudorandom Functions Benny Applebaum October 26, 2013 Abstract We show that it is possible to upgrade an obfuscator for a weak complexity class WEAK into an obfuscator
More informationADVERTISING AGGREGATIONARCHITECTURE
SOMAR LAPS PRIVACY-PRESERVING LATTICE-BASED PRIVATE-STREAM SOCIAL MEDIA ADVERTISING AGGREGATIONARCHITECTURE OR: HOW NOT TO LEAVE YOUR PERSONAL DATA AROUND REVISITING PRIVATE-STREAM AGGREGATION: LATTICE-BASED
More informationOn the Communication Complexity of Secure Function Evaluation with Long Output
On the Communication Complexity of Secure Function Evaluation with Long Output Pavel Hubáček Daniel Wichs Abstract We study the communication complexity of secure function evaluation (SFE). Consider a
More informationFully Key-Homomorphic Encryption and its Applications
Fully Key-Homomorphic Encryption and its Applications D. Boneh, C. Gentry, S. Gorbunov, S. Halevi, Valeria Nikolaenko, G. Segev, V. Vaikuntanathan, D. Vinayagamurthy Outline Background on PKE and IBE Functionality
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationTargeted Homomorphic Attribute Based Encryption
Targeted Homomorphic Attribute Based Encryption Zvika Brakerski David Cash Rotem Tsabary Hoeteck Wee Abstract In (key-policy) attribute based encryption (ABE), messages are encrypted respective to attributes
More informationNotes for Lecture A can repeat step 3 as many times as it wishes. We will charge A one unit of time for every time it repeats step 3.
COS 533: Advanced Cryptography Lecture 2 (September 18, 2017) Lecturer: Mark Zhandry Princeton University Scribe: Mark Zhandry Notes for Lecture 2 1 Last Time Last time, we defined formally what an encryption
More informationFully-secure Key Policy ABE on Prime-Order Bilinear Groups
Fully-secure Key Policy ABE on Prime-Order Bilinear Groups Luke Kowalczyk, Jiahui Liu, Kailash Meiyappan Abstract We present a Key-Policy ABE scheme that is fully-secure under the Decisional Linear Assumption.
More information6.892 Computing on Encrypted Data September 16, Lecture 2
6.89 Computing on Encrypted Data September 16, 013 Lecture Lecturer: Vinod Vaikuntanathan Scribe: Britt Cyr In this lecture, we will define the learning with errors (LWE) problem, show an euivalence between
More informationRiding on Asymmetry: Efficient ABE for Branching Programs
Riding on Asymmetry: Efficient ABE for Branching Programs Sergey Gorbunov and Dhinakaran Vinayagamurthy Abstract. In an Attribute-Based Encryption ABE scheme the ciphertext encrypting a message µ, is associated
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University) Miran Kim, Yongsoo Song (University of California, San Diego) Landscape of Homomorphic
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationSampling Lattice Trapdoors
Sampling Lattice Trapdoors November 10, 2015 Today: 2 notions of lattice trapdoors Efficient sampling of trapdoors Application to digital signatures Last class we saw one type of lattice trapdoor for a
More informationBEYOND POST QUANTUM CRYPTOGRAPHY
BEYOND POST QUANTUM CRYPTOGRAPHY Mark Zhandry Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical Beyond Post-Quantum Cryptography
More informationConstructing Witness PRF and Offline Witness Encryption Without Multilinear Maps
Constructing Witness PRF and Offline Witness Encryption Without Multilinear Maps Tapas Pal, Ratna Dutta Department of Mathematics, Indian Institute of Technology Kharagpur, Kharagpur-721302, India tapas.pal@iitkgp.ac.in,ratna@maths.iitkgp.ernet.in
More informationCPA-Security. Definition: A private-key encryption scheme
CPA-Security The CPA Indistinguishability Experiment PrivK cpa A,Π n : 1. A key k is generated by running Gen 1 n. 2. The adversary A is given input 1 n and oracle access to Enc k, and outputs a pair of
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationCryptographic Solutions for Data Integrity in the Cloud
Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012 Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. Homomorphic
More informationHuijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro
Indistinguishability Obfuscation from Low-Degree Multilinear Maps and (Blockwise) Local PRGs [Lin16b, LT17, To appear, Crypto 17] Huijia (Rachel) Lin UCSB Partial Joint work with Stefano Tessaro Circuit
More informationTHE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY
THE RANK METHOD AND APPLICATIONS TO POST- QUANTUM CRYPTOGRAPHY Mark Zhandry - Stanford University Joint work with Dan Boneh Classical Cryptography Post-Quantum Cryptography All communication stays classical
More informationConstant-Round MPC with Fairness and Guarantee of Output Delivery
Constant-Round MPC with Fairness and Guarantee of Output Delivery S. Dov Gordon Feng-Hao Liu Elaine Shi April 22, 2015 Abstract We study the round complexity of multiparty computation with fairness and
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationUniversal Samplers with Fast Verification
Universal Samplers with Fast Verification Venkata Koppula University of Texas at Austin kvenkata@csutexasedu Brent Waters University of Texas at Austin bwaters@csutexasedu January 9, 2017 Andrew Poelstra
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationSpooky Encryption and its Applications
Spooky Encryption and its Applications Yevgeniy Dodis NYU Shai Halevi IBM Research Ron D. Rothblum MIT Daniel Wichs Northeastern University March 10, 2016 Abstract Consider a setting where inputs x 1,...,
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationAdaptively Simulation-Secure Attribute-Hiding Predicate Encryption
Adaptively Simulation-Secure Attribute-Hiding Predicate Encryption by Pratish Datta 1 joint work with Tatsuaki Okamoto 1 and Katsuyuki Takashima 2 1 NTT Secure Platform Laboratories 3-9-11 Midori-cho,
More informationOn the Complexity of Compressing Obfuscation
On the Complexity of Compressing Obfuscation Gilad Asharov Naomi Ephraim Ilan Komargodski Rafael Pass Abstract Indistinguishability obfuscation has become one of the most exciting cryptographic primitives
More informationFully Bideniable Interactive Encryption
Fully Bideniable Interactive Encryption Ran Canetti Sunoo Park Oxana Poburinnaya January 1, 19 Abstract While standard encryption guarantees secrecy of the encrypted plaintext only against an attacker
More informationECS 189A Final Cryptography Spring 2011
ECS 127: Cryptography Handout F UC Davis Phillip Rogaway June 9, 2011 ECS 189A Final Cryptography Spring 2011 Hints for success: Good luck on the exam. I don t think it s all that hard (I do believe I
More informationHow to Encrypt with the LPN Problem
How to Encrypt with the LPN Problem Henri Gilbert, Matt Robshaw, and Yannick Seurin ICALP 2008 July 9, 2008 Orange Labs the context the authentication protocol HB + by Juels and Weis [JW05] recently renewed
More informationLecture 7: CPA Security, MACs, OWFs
CS 7810 Graduate Cryptography September 27, 2017 Lecturer: Daniel Wichs Lecture 7: CPA Security, MACs, OWFs Scribe: Eysa Lee 1 Topic Covered Chosen Plaintext Attack (CPA) MACs One Way Functions (OWFs)
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationLecture 2: Perfect Secrecy and its Limitations
CS 4501-6501 Topics in Cryptography 26 Jan 2018 Lecture 2: Perfect Secrecy and its Limitations Lecturer: Mohammad Mahmoody Scribe: Mohammad Mahmoody 1 Introduction Last time, we informally defined encryption
More informationBlock Ciphers/Pseudorandom Permutations
Block Ciphers/Pseudorandom Permutations Definition: Pseudorandom Permutation is exactly the same as a Pseudorandom Function, except for every key k, F k must be a permutation and it must be indistinguishable
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationFrom Minicrypt to Obfustopia via Private-Key Functional Encryption
From Minicrypt to Obfustopia via Private-Key Functional Encryption Ilan Komargodski Weizmann Institute of Science Joint work with Gil Segev (Hebrew University) Functional Encryption [Sahai-Waters 05] Enc
More informationFully Secure and Fast Signing from Obfuscation
Fully Secure and Fast Signing from Obfuscation Kim Ramchen University of Texas at ustin kramchen@cs.utexas.edu Brent Waters University of Texas at ustin bwaters@cs.utexas.edu bstract In this work we explore
More informationCutting-Edge Cryptography Through the Lens of Secret Sharing
Cutting-Edge Cryptography Through the Lens of Secret Sharing Ilan Komargodski Mark Zhandry Abstract Secret sharing is a mechanism by which a trusted dealer holding a secret splits the secret into many
More informationAn Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both
An Equivalence Between Attribute-Based Signatures and Homomorphic Signatures, and New Constructions for Both Rotem Tsabary January 24, 2018 Abstract In Attribute-Based Signatures (ABS; first defined by
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationDelegating RAM Computations with Adaptive Soundness and Privacy
Delegating RAM Computations with Adaptive Soundness and Privacy Prabhanjan Ananth Yu-Chi Chen Kai-Min Chung Huijia Lin Wei-Kai Lin October 18, 2016 Abstract We consider the problem of delegating RAM computations
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationPublicly Verifiable Software Watermarking
Publicly Verifiable Software Watermarking Aloni Cohen Justin Holmgren Vinod Vaikuntanathan December 7, 2015 Abstract Software Watermarking is the process of transforming a program into a functionally equivalent
More informationCut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings
Cut-and-Choose Yao-Based Secure Computation in the Online/Offline and Batch Settings Yehuda Lindell Bar-Ilan University, Israel Technion Cryptoday 2014 Yehuda Lindell Online/Offline and Batch Yao 30/12/2014
More informationBetween a Rock and a Hard Place: Interpolating Between MPC and FHE
Between a Rock and a Hard Place: Interpolating Between MPC and FHE A. Choudhury, J. Loftus, E. Orsini, A. Patra and N.P. Smart Dept. Computer Science, University of Bristol, United Kingdom. {Ashish.Choudhary,Emmanuela.Orsini,Arpita.Patra}@bristol.ac.uk,
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More information