How to Shuffle in Public
1–2 How to Shuffle in Public. Ben Adida, Harvard (work done at MIT); Douglas Wikström, ETH Zürich. TCC 2007, February 24th, 2007.
3–7 (newspaper clipping, shown on slide 3 as an image and then quoted) "Rogers precinct, with more than 100 percent voter turnout, alarmed both of them."
8 Voting with Cryptographic Verification: (1) Alice verifies her vote. (2) Everyone verifies tallying. (3) Alice cannot be coerced by Eve. [Chaum81], [Benaloh85], [PIK93], [BenalohTuinstra92], [SK94], [Abe98], [CFSY96], [CGS97], [BFPSP01], [Neff01], [FS01], [Chaum04], [Neff04], [Ryan04], [Chaum05], [W04], [W05], [WG05], [MN06]
9–16 Verification: Ballot Data Flow (diagram built up over slides 9–16). Alice and Bridget → encryption → Encrypted Votes → anonymization → decryption → Tally → Results, with a Registration Database feeding the process.
17–21 Mixnet [Chaum81, PP90, PIK93, SK94, ...]: mix servers George, Jacques and Mahmoud in sequence. Each mix server shuffles and re-encrypts (or partially decrypts) its inputs.
22–25 Proving the Mix [Neff01, FS01, ...]: George maps inputs $c_1, \dots, c_N$ to outputs $c'_1, \dots, c'_N$ with $c'_i = \mathrm{Reenc}(c_{\pi(i)}, r_i)$ and gives a ZKPoK of $[\pi, \{r_i\}]$. George can't cheat, and $\pi$ and $\{r_i\}$ stay private.
26–31 Private vs. Public. Private: $\pi, \{r_i\}$. Public: the inputs $c_1, \dots, c_N$ and the outputs $c'_1, \dots, c'_N$. What if we could replace the private mixnet with a public program $P$?
32–33 So What? With $\pi, \{r_i\}$ built into a public program $P$: anyone can run it, taking $c_1, \dots, c_N$ to $c'_1, \dots, c'_N$; it is pre-proven (all proofs done before mixing). Interesting: this amounts to obfuscating such a functionality. Can it really be done? [BGIRSVY01, GT-K05]
34 Our Results: a horribly inefficient generic construction; (somewhat) efficient public-shuffle constructions using either the BGN or the Paillier cryptosystem; (somewhat) efficient distributed generation of a public shuffle program; a new class of obfuscatable programs under [OS05] or [BGIRSVY01].
35 A Generic Construction: two homomorphic cryptosystems, where the message space of the first contains the ciphertext space of the second. Inefficient and less interesting than the specific constructions (especially decryption).
36–40 BGN Cryptosystem [BGN05]. Groups $G_1, G_2$ of order $n = p_1 p_2$ with a bilinear map $e : G_1 \times G_1 \to G_2$, $e(g^a, h^b) = e(g, h)^{ab}$. $pk = (n, g, h = u^{p_1})$, $sk = p_2$. $\mathrm{Enc}_{pk}(m) = g^m h^r$; $\mathrm{Dec}_{sk}(c) = \log_{g^{p_2}}(c^{p_2})$. Additive homomorphism: $\mathrm{Enc}_{pk}(m_1)\,\mathrm{Enc}_{pk}(m_2) = \mathrm{Enc}_{pk}(m_1 + m_2)$. One multiplication through the pairing: $e(\mathrm{Enc}_{pk}(m_1), \mathrm{Enc}_{pk}(m_2)) = \mathrm{Enc}_{pk}(m_1 m_2)$.
41–42 Oblivious Cancellation / Selection: $\mathrm{Enc}_{pk}(m) \cdot \mathrm{Enc}_{pk}(0) = \mathrm{Enc}_{pk}(0)$ and $\mathrm{Enc}_{pk}(m) \cdot \mathrm{Enc}_{pk}(1) = \mathrm{Enc}_{pk}(m)$ under the homomorphic multiplication, while $\mathrm{Enc}_{pk}(0)$ and $\mathrm{Enc}_{pk}(1)$ are indistinguishable. Clearly useful for PIR and OT [BGN05]. In fact, it's more powerful still.
43 Matrix Multiplication: for $A$ ($m \times l$) and $B$ ($l \times n$), $C = AB$ has entries $c_{ij} = \sum_{k=1}^{l} a_{ik} b_{kj}$. Degree is exactly 2: only one multiplication per term!
44–45 Homomorphic MM: multiplying the column $(m_1, m_2, m_3, m_4, m_5)$ by a permutation matrix gives $(m_3, m_1, m_5, m_2, m_4)$. Homomorphic matrix multiplication by an encrypted permutation matrix = Shuffling in Public!
46–51 Shuffling in Public. Private: $\pi$ and $\{r_i\}$, folded into the encrypted matrix. Public: the program $P$ (the encrypted matrix), which maps $(c_1, \dots, c_N)$ to $(c'_1, \dots, c'_N)$.
52–53 Why Did We Succeed? [BGIRSVY01, GT-K05] tell us generic obfuscation is hard. Here the functionality is defined on the plaintexts, but we're only dealing with ciphertexts, under the cover of encryption. Caveat: we don't know that this is really a permutation matrix! We must prove correct functionality.
54 Proving the Matrix is an encrypted permutation matrix? Use a Proof of Partial Knowledge [CDS94] to show that each element is either 0 or 1. Homomorphically compute the row and column sums and prove that they're all equal to 1. $N^2$ proofs. Not so great.
55–60 Proving the Matrix (better): Proof by Random Vector Challenge. The verifier picks a random vector $(t_1, \dots, t_N)$; multiplying it through the encrypted matrix yields encryptions $(c_1, \dots, c_N)$ that must contain a permutation of the $t_i$. Neff: $O(N)$ proof. $N^2$ computation, $N$ proofs.
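The plaintext logic behind slides 54–60, as an added example that is not code from the talk or the paper: one checker implements the row/column-sum condition of slide 54, the other the random-vector challenge of slides 55–60. In the real protocol the product $M t$ is computed homomorphically on the encrypted matrix and "is a permutation of $t$" is shown with Neff's proof; here everything is in the clear over a constructed prime field $\mathbb{Z}_Q$, so what the run shows is soundness: an averaging matrix with entries $1/2$ passes the sum check but fails the vector test. Names and the field size are assumptions of this example.

```python
import random

# Constructed toy field; the real test runs on ciphertexts with the Neff proof.
Q = (1 << 61) - 1


def default_rng(seed=2007):
    """Seeded challenge source so a run is reproducible (constructed)."""
    return random.Random(seed)


def row_col_sums_ok(M):
    """The N^2-proof route from slide 54: every row and every column sums to 1 mod Q."""
    n = len(M)
    rows = all(sum(M[i][j] for j in range(n)) % Q == 1 for i in range(n))
    cols = all(sum(M[i][j] for i in range(n)) % Q == 1 for j in range(n))
    return rows and cols


def mat_vec(M, t):
    """(M t)_i = sum_j M_ij t_j over Z_Q; done homomorphically on ciphertexts for real."""
    return [sum(M[i][j] * t[j] for j in range(len(t))) % Q for i in range(len(M))]


def random_vector_test(M, rng, rounds=1):
    """Verifier's view of the random-vector challenge: pick t at random, compute M t,
    and require it to be a permutation of t.  A fixed non-permutation matrix survives
    one round with probability at most about N!/Q, because for each wrong permutation
    sigma the equation M t = sigma(t) is a nonzero linear relation on the random t."""
    for _ in range(rounds):
        t = [rng.randrange(1, Q) for _ in range(len(M))]
        if sorted(mat_vec(M, t)) != sorted(t):
            return False
    return True


def permutation_matrix(perm):
    """Row i has its single 1 in column perm[i], so (M t)_i = t_{perm[i]}."""
    n = len(perm)
    return [[1 if j == perm[i] else 0 for j in range(n)] for i in range(n)]


HALF = pow(2, -1, Q)   # 1/2 in Z_Q


def averaging_matrix():
    """Constructed cheat: rows and columns all sum to 1, but the first two outputs are
    the average of the first two inputs, so this is not a permutation matrix."""
    return [[HALF, HALF, 0], [HALF, HALF, 0], [0, 0, 1]]


if __name__ == "__main__":
    rng = default_rng()
    pm = permutation_matrix([2, 0, 1])
    print("permutation matrix: sums", row_col_sums_ok(pm), "vector test", random_vector_test(pm, rng))
    am = averaging_matrix()
    print("averaging matrix:   sums", row_col_sums_ok(am), "vector test", random_vector_test(am, rng))
```

The sum check is necessary but not sufficient; the random challenge is what pins the matrix down to a permutation, which is why the $N^2$ element proofs can be replaced by one vector test plus Neff's $O(N)$ argument.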
61–62 Mixing more than once? (George, then Jacques.) Not with the BGN bilinear map: only one multiplication.
63–67 Distributed Generation (George, Jacques): use a mixnet to shuffle the matrix rows, and prove each one using the Random Vector Test.
68 Encapsulated Mixing: capture the shuffle actions of the mix servers. Prove that everything went well. Replay them on the encrypted inputs when they're available.
69–72 Generalized Paillier [DJ01]. $\mathrm{Enc}_{pk}(m) = g^m h_2^r \bmod n^2$; $\mathrm{Enc}_{pk,2}(m) = g^m h_3^r \bmod n^3$, where $h_3$ is a generator of the $n^2$-th residues. Layering: $\mathrm{Enc}_{pk,2}(\mathrm{Enc}_{pk}(m)) = g^{\,g^m h_2^r} h_3^s \bmod n^3$.
73–76 GP Homomorphisms (diagram of the additive and layered homomorphisms; the boxed equations are not recoverable from the transcription).
77–80 GP Public Shuffle: the vector $(m_1, \dots, m_5)$ is shuffled to $(m_3, m_1, m_5, m_2, m_4)$ by the encrypted matrix. Full-length plaintexts. Faster computation (modular exponentiation vs. bilinear map). More complicated distributed generation.
81–89 GP Proof of Double Re-encryption. $\mathrm{DREEnc}(c, r, s) = c^{\,h_2^r} h_3^s \bmod n^3$: re-randomizes the inner ciphertext by $h_2^r$ and the outer one by $h_3^s$. Applying $\mathrm{DREEnc}$ with $(r, s)$ and then with $(r', s')$ is again a double re-encryption, with combined randomness $(r + r',\; s' + s\,h_2^{r'})$.
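The Paillier-based public shuffle of slides 44–51 and 77–80, together with the double re-encryption of slides 81–89, written out as an added example in Python. This is not the authors' code: it follows the slides' notation with $g = 1 + n$, $h_2 = y^n \bmod n^2$ and $h_3 = y^{n^2} \bmod n^3$ for a constructed base $y$, uses constructed toy primes and fixed randomness so the run is reproducible, and encodes the mix server's private $(\pi, \{r_i\})$ as the matrix whose entry $(i, \pi(i))$ is $\mathrm{Enc}_{pk,2}(h_2^{r_i})$ and whose other entries are $\mathrm{Enc}_{pk,2}(0)$ (this reading of how the $\{r_i\}$ enter the matrix, and all function names, are assumptions of the example).

```python
import math

# Constructed toy parameters for illustration only; real keys use ~1024-bit primes.
P_TOY, Q_TOY = 1000003, 1000033
Y_TOY = 123456789            # constructed base from which h_2 and h_3 are derived


def keygen(p=P_TOY, q=Q_TOY, y=Y_TOY):
    """Generalized Paillier keys in the slides' notation: g = 1 + n, h_2 = y^n generates
    n-th residues mod n^2, h_3 = y^(n^2) generates n^2-th residues mod n^3; sk = lambda(n)."""
    n = p * q
    pk = {"n": n, "g": 1 + n, "h2": pow(y, n, n ** 2), "h3": pow(y, n ** 2, n ** 3)}
    return pk, (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)


def enc1(pk, m, r):
    """Enc_pk(m) = g^m h_2^r mod n^2, plaintext space Z_n."""
    n2 = pk["n"] ** 2
    return pow(pk["g"], m, n2) * pow(pk["h2"], r, n2) % n2


def enc2(pk, m, s):
    """Enc_{pk,2}(m) = g^m h_3^s mod n^3, plaintext space Z_{n^2}: a layer-1 ciphertext fits."""
    n3 = pk["n"] ** 3
    return pow(pk["g"], m, n3) * pow(pk["h3"], s, n3) % n3


def _dlog_1n(a, n, s):
    """Solve (1+n)^x = a mod n^(s+1) for x in Z_{n^s}, one base-n digit at a time."""
    mod = n ** (s + 1)
    x = 0
    for j in range(s):
        b = a * pow(1 + n, -x, mod) % mod     # strip the digits recovered so far
        x += ((b % n ** (j + 2)) - 1) // n ** (j + 1) * n ** j
    return x


def dec(pk, lam, c, s):
    """Decrypt a layer-s ciphertext: c^lambda kills the h-part, leaving (1+n)^(m*lambda)."""
    n = pk["n"]
    return _dlog_1n(pow(c, lam, n ** (s + 1)), n, s) * pow(lam, -1, n ** s) % n ** s


def reenc(pk, c, r):
    """Reenc(c, r) = c * h_2^r mod n^2: same plaintext, fresh randomness."""
    n2 = pk["n"] ** 2
    return c * pow(pk["h2"], r, n2) % n2


def make_public_shuffle(pk, perm, rs, ss):
    """Turn the private (pi, {r_i}) into the public program P: row i holds
    Enc_{pk,2}(h_2^{r_i}) in column pi(i) and Enc_{pk,2}(0) elsewhere (ss = outer randomness)."""
    n2, N = pk["n"] ** 2, len(perm)
    return [[enc2(pk, pow(pk["h2"], rs[i], n2) if j == perm[i] else 0, ss[i][j])
             for j in range(N)] for i in range(N)]


def run_public_shuffle(pk, prog, cts):
    """Anyone can run P: a homomorphic matrix-vector product that uses the input
    ciphertexts as public exponents.  Output i is Enc_{pk,2}(Reenc(c_{pi(i)}, r_i))."""
    n3 = pk["n"] ** 3
    out = []
    for row in prog:
        acc = 1
        for entry, c in zip(row, cts):
            acc = acc * pow(entry, c, n3) % n3
        out.append(acc)
    return out


def double_reenc(pk, c, r, s):
    """DREEnc(c, r, s) = c^(h_2^r) h_3^s mod n^3: re-randomizes inner and outer layer."""
    n2, n3 = pk["n"] ** 2, pk["n"] ** 3
    return pow(c, pow(pk["h2"], r, n2), n3) * pow(pk["h3"], s, n3) % n3


def demo():
    """Five constructed votes shuffled by the permutation drawn on the slides."""
    pk, sk = keygen()
    msgs = [11, 22, 33, 44, 55]
    r_in = [3, 8, 12, 20, 31]                    # voters' encryption randomness (constructed)
    cts = [enc1(pk, m, r) for m, r in zip(msgs, r_in)]
    perm = [2, 0, 4, 1, 3]                       # pi: output i takes input pi(i)
    r_mix = [5, 7, 11, 13, 17]                   # mix server's re-encryption exponents
    ss = [[1000 + 37 * i + j for j in range(5)] for i in range(5)]
    prog = make_public_shuffle(pk, perm, r_mix, ss)   # published before any vote is cast
    outer = run_public_shuffle(pk, prog, cts)
    inner = [dec(pk, sk, o, 2) for o in outer]        # peel the outer layer
    plain = [dec(pk, sk, c, 1) for c in inner]
    return pk, sk, cts, perm, r_in, r_mix, inner, plain


if __name__ == "__main__":
    _, _, cts, perm, _, _, inner, plain = demo()
    print("shuffled plaintexts:", plain)
    print("every output re-randomized:", all(inner[i] != cts[perm[i]] for i in range(5)))
```

Once `P` is published the shuffle is deterministic and needs no secret: running `run_public_shuffle` twice on the same inputs gives byte-identical output, and only the holder of `sk` can peel the two layers. The outer decryption of output $i$ is exactly $\mathrm{Reenc}(c_{\pi(i)}, r_i)$, which is why the program's entries are encryptions of $h_2^{r_i}$ rather than of 1.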
90–92 Dist. Gen. of Diagonal (diagram).
93–97 Dist. Gen. of Matrix (diagram); proof with the Random Vector Test.
98–101 Obfuscation Model (diagram: a sampler $S$ produces the program $P$, the obfuscator outputs $O(P)$, and both map $c_1, \dots, c_N$ to $c'_1, \dots, c'_N$). [BGIRSVY01] and [GT-K05] models: simulation by generation of a new, random encrypted permutation matrix, based on semantic security (IND-CPA). We still need to capture indistinguishability of two obfuscated shuffles.
102–105 Obfuscation Model (II): BGN. $O(P)$ maps $c_1, \dots, c_N$ to $c'_1, \dots, c'_N$, which decrypt to $m_1, \dots, m_N$ (Indistinguishability). [OS05]: public-key obfuscation, with a twist: the program can depend on the cryptosystem; in this case the program decrypts.
106–107 The Paillier Case: $O(P)$ outputs double-layer ciphertexts; one decryption yields the re-encrypted single-layer ciphertexts $c'_1, \dots, c'_N$ (a Reencryption Shuffle), a second yields $m_1, \dots, m_N$ (Indistinguishability).
108 Proof Ideas. IND-CPA implies indistinguishability of encrypted matrices: easy reduction using the homomorphic properties. UC proof of ideal mixnet realization: fill in corrupted inputs by extraction from the simulation of $\mathcal{F}_{ZK}$; fake decryption by using the plaintexts returned by $\mathcal{F}_{MN}$; indistinguishability of fake encrypted honest inputs given IND-CPA of the cryptosystem (hybrid argument); indistinguishability of fake decryption by extraction of the shuffle permutation (without $sk$) and correction of the permutation by one honest mix server, given IND-CPA of the cryptosystem (simulation of $\mathcal{F}_{CF}$).
109–110 Shuffling in Public: all proofs done prior to shuffling; shuffling becomes entirely deterministic; efficient enough for precinct-based elections. Future Directions: better than $O(N^2)$? Other obfuscations using unexpected homomorphic properties? Plugging in the latest NIZK techniques.
More informationQuestion 1. The Chinese University of Hong Kong, Spring 2018
CSCI 5440: Cryptography The Chinese University of Hong Kong, Spring 2018 Homework 2 Solutions Question 1 Consider the following encryption algorithm based on the shortlwe assumption. The secret key is
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani 1 Mathematical Institute 2 PQShield Ltd. 1 of 44 Outline 1 Public Key Encryption: security notions 2 RSA Encryption Scheme 2 of 44 Course main reference 3 of 44
More informationA Security Analysis of the Helios Voting Protocol and Application to the Norwegian County Election
A Security Analysis of the Helios Voting Protocol and Application to the Norwegian County Election Kristine Salamonsen Master of Science in Physics and Mathematics Submission date: June 2014 Supervisor:
More informationHow not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios
How not to Prove Yourself: Pitfalls of the Fiat-Shamir Heuristic and Applications to Helios David Bernhard 1, Olivier Pereira 2, and Bogdan Warinschi 1 1 University of Bristol, {csxdb,csxbw}@bristol.ac.uk
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More informationSolutions for week 1, Cryptography Course - TDA 352/DIT 250
Solutions for week, Cryptography Course - TDA 352/DIT 250 In this weekly exercise sheet: you will use some historical ciphers, the OTP, the definition of semantic security and some combinatorial problems.
More informationInteractive and Non-Interactive Proofs of Knowledge
Interactive and Non-Interactive Proofs of Knowledge Olivier Blazy ENS / CNRS / INRIA / Paris 7 RUB Sept 2012 O. Blazy (ENS RUB) INIPoK Sept 2012 1 / 63 1 General Remarks 2 Building blocks 3 Non-Interactive
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPost-quantum security models for authenticated encryption
Post-quantum security models for authenticated encryption Vladimir Soukharev David R. Cheriton School of Computer Science February 24, 2016 Introduction Bellare and Namprempre in 2008, have shown that
More informationEfficient and Secure Delegation of Linear Algebra
Efficient and Secure Delegation of Linear Algebra Payman Mohassel University of Calgary pmohasse@cpsc.ucalgary.ca Abstract We consider secure delegation of linear algebra computation, wherein a client,
More informationPrivacy-preserving Data Mining
Privacy-preserving Data Mining What is [data] privacy? Privacy and Data Mining Privacy-preserving Data mining: main approaches Anonymization Obfuscation Cryptographic hiding Challenges Definition of privacy
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationAdaptive Security of Compositions
emester Thesis in Cryptography Adaptive ecurity of Compositions Patrick Pletscher ETH Zurich June 30, 2005 upervised by: Krzysztof Pietrzak, Prof. Ueli Maurer Email: pat@student.ethz.ch In a recent paper
More informationDavid Chaum s Voter Verification using Encrypted Paper Receipts
David Chaum s Voter Verification using Encrypted Paper Receipts Poorvi Vora In this document, we provide an exposition of David Chaum s voter verification method [1] that uses encrypted paper receipts.
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More informationPerfectly-Secret Encryption
Perfectly-Secret Encryption CSE 5351: Introduction to Cryptography Reading assignment: Read Chapter 2 You may sip proofs, but are encouraged to read some of them. 1 Outline Definition of encryption schemes
More informationCS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7
CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationBlock ciphers And modes of operation. Table of contents
Block ciphers And modes of operation Foundations of Cryptography Computer Science Department Wellesley College Table of contents Introduction Pseudorandom permutations Block Ciphers Modes of Operation
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationPseudo-Code Algorithms for Verifiable Re-Encryption Mix-Nets
Pseudo-Code Algorithms for Verifiable Re-Encryption Mix-Nets Rolf Haenni, Philipp Locher, Reto Koenig, and Eric Dubuis Bern University of Applied Sciences, CH-2501 Biel, Switzerland {philipp.locher,rolf.haenni,
More informationSecret, verifiable auctions from elections
Secret, verifiable auctions from elections Elizabeth A. Quaglia 1 and Ben Smyth 2 1 Information Security Group, Royal Holloway, University of London 2 Interdisciplinary Centre for Security, Reliability
More informationType-based Proxy Re-encryption and its Construction
Type-based Proxy Re-encryption and its Construction Qiang Tang Faculty of EWI, University of Twente, the Netherlands q.tang@utwente.nl Abstract. Recently, the concept of proxy re-encryption has been shown
More information