A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme
|
|
- Douglas McGee
- 6 years ago
- Views:
Transcription
1 A Full RNS Implementation of Fan and Vercauteren Somewhat Homomorphic Encryption Scheme Presented by: Vincent Zucca 1 Joint work with: Jean-Claude Bajard 1, Julien Eynard 2 and Anwar Hasan 2 1 Sorbonne Universités, UPMC Univ. Paris 06, CNRS, LIP6 UMR 7606, France 2 Dept. of Electrical and Computer Engineering, University of Waterloo, Canada April 24th 2017 Vincent Zucca (UPMC) FV RNS April 24th / 17
2 Context Homomorphic Encryption (HE): Enc pkpm 1 q Enc pkpm 1 m 2 q Dec m 1 m 2 Enc pkpm 2 q p P t`, ˆuq sk Noisy encryption Each ciphertext contains a noise. After each homomorphic operation the noise grows. Decryption remains correct until the noise reaches a certain bound. ùñ Limited number of operations. ùñ Somewhat Homomorphic Encryption (SHE). Problem: not practical enough yet. Vincent Zucca (UPMC) FV RNS April 24th / 17
3 Context Homomorphic Encryption (HE): Enc pkpm 1 q Enc pkpm 1 m 2 q Dec m 1 m 2 Enc pkpm 2 q p P t`, ˆuq sk Noisy encryption Each ciphertext contains a noise. After each homomorphic operation the noise grows. Decryption remains correct until the noise reaches a certain bound. ùñ Limited number of operations. ùñ Somewhat Homomorphic Encryption (SHE). Goal: arithmetical optimization of a certain type of SHE schemes. Vincent Zucca (UPMC) FV RNS April 24th / 17
4 Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Vincent Zucca (UPMC) FV RNS April 24th / 17
5 Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Residue Number Systems Large x P r0, qq X Z Ø k small residues px mod q 1,..., x mod q k q. Parallel, carry-free arithmetic `,, ˆ, on residues. Non positional number system. Vincent Zucca (UPMC) FV RNS April 24th / 17
6 Overview of RNS and FV Chinese Remainder Theorem Pairwise coprime integers tq 1,..., q k u: RNS base (q ś k i 1 q i), Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Residue Number Systems Large x P r0, qq X Z Ø k small residues px mod q 1,..., x mod q k q. Parallel, carry-free arithmetic `,, ˆ, on residues. Non positional number system. Base extensions B q tq 1,..., q k u Ñ B tm 1,..., m l u Fast approximate base extension: x in B q Ñ x q ` αq in B ù Fast but q-overflow α P r0, kq X Z If needed, add an extra modulus m sk to B q to correct α efficiently Vincent Zucca (UPMC) FV RNS April 24th / 17
7 Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Vincent Zucca (UPMC) FV RNS April 24th / 17
8 Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Common optimizations for arithmetic on......coefficients: Residue Number Systems q free of form: choose q q 1... q k (small prime moduli q i ) Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z Vincent Zucca (UPMC) FV RNS April 24th / 17
9 Overview of RNS and FV Ambiant space in FV scheme (Fan and Vercauteren, 2012) R ZrX s{px n ` 1q, n 2 h Ø integer polynomials of degree ă n t: plaintext modulus, m P R t R{tR (coeff. modulo t) q: ciphertext modulus (" t), c P R q ˆ R q (coeff. modulo q) Common optimizations for arithmetic on......coefficients: Residue Number Systems q free of form: choose q q 1... q k (small prime moduli q i ) Z{qZ Z{q 1 Z ˆ... ˆ Z{q k Z...polynomials: Number Theoretic Transform Optimized polynomial product (n a power of 2): Opn log 2 pnqq Ñ matches with RNS representation Vincent Zucca (UPMC) FV RNS April 24th / 17
10 Overview of RNS and FV Ladder of representations Cost to climb up/down Integers Polynomials Main purposes positional coefficient comparison, division, round-off on coeff. Opn log 2 pqq 2 q Opkn log 2 pnqq RNS coefficient optimized integer arithmetic RNS NTT optimized polynomial arithmetic
11 Overview of RNS and FV Ladder of representations Cost to climb up/down used in Dec and Mult Opn log 2 pqq 2 q Opkn log 2 pnqq Integers Polynomials Main purposes positional RNS RNS coefficient coefficient NTT comparison, division, round-off on coeff. optimized integer arithmetic optimized polynomial arithmetic
12 Overview of RNS and FV Ladder of representations Cost to climb up/down Integers Polynomials Main purposes This work positional coefficient comparison, division, round-off on coeff. Opn log 2 pqq 2 q Dec and Mult Opkn log 2 pnqq RNS coefficient optimized integer arithmetic RNS NTT optimized polynomial arithmetic Vincent Zucca (UPMC) FV RNS April 24th / 17
13 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Vincent Zucca (UPMC) FV RNS April 24th / 17
14 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Vincent Zucca (UPMC) FV RNS April 24th / 17
15 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Encryption rms t P R t to be encrypted, public key pk, 1 sample pe 1, e 2, uq Ð pχ err q 2 ˆ U 2 output pc 0, c 1 q pr rms t ` p 0 u ` e 1 s q, rp 1 u ` e 2 s q q p t q t uq Vincent Zucca (UPMC) FV RNS April 24th / 17
16 Overview of RNS and FV χ key and χ err : narrow distributions on R q ; U: uniform distribution on R q Key Generation 1 sample s Ð χ key 2 sample pa, eq Ð U ˆ χ err 3 output pk pp 0, p 1 q pr pas ` eqs q, aq (RLWE sample) sk s Encryption rms t P R t to be encrypted, public key pk, 1 sample pe 1, e 2, uq Ð pχ err q 2 ˆ U 2 output pc 0, c 1 q pr rms t ` p 0 u ` e 1 s q, rp 1 u ` e 2 s q q p t q t uq rc 0 ` c 1 ss q rms t ` v (mod q) with v: fresh noise Vincent Zucca (UPMC) FV RNS April 24th / 17
17 Full RNS variant of FV decryption The original decryption process pc 0, c 1 q encrypting rms t with noise v: rc 0 ` c 1 ss q rms t ` v ` qr 1 scale-down: t q rc 0 ` c 1 ss q rms t ` v 1 q ` tr 2 round-off: t t q rc 0 ` c 1 ss q s rms t ` t v 1 q s ` tr If }v} 8 maxp v i q ă B dec ñ t v 1 q s 0 Decpc, skq rt t q rc 0 ` c 1 ss q ss t rrms t ` trs t rms t. Vincent Zucca (UPMC) FV RNS April 24th / 17
18 Full RNS variant of FV decryption The original decryption process pc 0, c 1 q encrypting rms t with noise v: rc 0 ` c 1 ss q rms t ` v ` qr 1 scale-down: t q rc 0 ` c 1 ss q rms t ` v 1 q ` tr 2 round-off: t t q rc 0 ` c 1 ss q s rms t ` t v 1 q s ` tr If }v} 8 maxp v i q ă B dec ñ t v 1 q s 0 Decpc, skq rt t q rc 0 ` c 1 ss q ss t rrms t ` trs t rms t. Issue for RNS (non positional) representation How to compute pt t q xs mod tq in RNS? Vincent Zucca (UPMC) FV RNS April 24th / 17
19 Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Vincent Zucca (UPMC) FV RNS April 24th / 17
20 Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Remark: since tx cancels modulo t, only compute p tx q`αqq q mod t. Vincent Zucca (UPMC) FV RNS April 24th / 17
21 Full RNS variant of FV decryption Our contribution: computing a round-off in RNS In RNS, exact division can be done efficiently, so we use: Z V t q x tx tx q ` b, pb P t0, 1uq q 1 fast approximate extension of tx q (in RNS) to RNS base ttu: FastBconvptx, q, ttuq tx q ` αq mod t pα P r0, kq X Zq 2 tx p tx q`αqq q t t q xu α t t q xs E mod t (with E α ` b ď k) Remark: since tx cancels modulo t, only compute p tx q`αqq q mod t. An error occurs Need to correct the error E for a correct decryption. Vincent Zucca (UPMC) FV RNS April 24th / 17
22 Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E Vincent Zucca (UPMC) FV RNS April 24th / 17
23 Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: Now comes the trick tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E If gap ε ą 0 ( q 2 ` ε ď rtxs q ď q 1 2 ε) then if γε ě k ` 2 we have: Z ˇ γ rtxs V q E q ˇ ă γ 2 U Y U ù compute Yγ tq x E ıγ E gives exactly the error γ rtxsq q Vincent Zucca (UPMC) FV RNS April 24th / 17
24 Full RNS variant of FV decryption Our contribution: correcting the error Rewrite in Z: scale by γ P N: Now comes the trick tx t t q xsq ` rtxs q U U Y Yγ tq x E γy t q x ` γ rtxsq q U E If gap ε ą 0 ( q 2 ` ε ď rtxs q ď q 1 2 ε) then if γε ě k ` 2 we have: Z ˇ γ rtxs V q E q ˇ ă γ 2 U Y U ù compute Yγ tq x E ıγ E gives exactly the error Strategy γ rtxsq q 1 Compute tγ t q xs modulo t and γ 2 Use centered remainder modulo γ to correct the error Vincent Zucca (UPMC) FV RNS April 24th / 17
25 Full RNS variant of FV decryption Dec RNS ppc 0, c 1 q, s, γq Require: pc 0, c 1 q an encryption of rms t, and s the secret key, both in base q; an integer γ coprime to t and q Ensure: rms t 1: for m P tt, γu do 2: s pmq Ð FastBconvp γtpc 0 ` c 1 sq, q, tmuq q 1 m 3: end for 4: s pγq Ð rs pγq s γ 5: m ptq Ð rps ptq s pγq q ˆ γ 1 t s t 6: return m ptq Vincent Zucca (UPMC) FV RNS April 24th / 17
26 Full RNS variant of FV decryption Dec RNS ppc 0, c 1 q, s, γq Require: pc 0, c 1 q an encryption of rms t, and s the secret key, both in base q; an integer γ coprime to t and q Ensure: rms t 1: for m P tt, γu do 2: s pmq Ð FastBconvp γtpc 0 ` c 1 sq, q, tmuq q 1 m 3: end for 4: s pγq Ð rs pγq s γ 5: m ptq Ð rps ptq s pγq q ˆ γ 1 t s t 6: return m ptq Results Better asymptotic complexity: Opn 3 q Ñ Opn 2 log 2 pnqq. Very flexible in terms of parallelization. Modified bound for noise: }v} 8 ă q t 2 k γ. (although no significant consequence in practice) Vincent Zucca (UPMC) FV RNS April 24th / 17
27 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc0 1, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c0 1, c 0c1 1 ` c1 0 c 1, c 1 c1 1 q over Z Vincent Zucca (UPMC) FV RNS April 24th / 17
28 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q Vincent Zucca (UPMC) FV RNS April 24th / 17
29 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Vincent Zucca (UPMC) FV RNS April 24th / 17
30 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Vincent Zucca (UPMC) FV RNS April 24th / 17
31 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Vincent Zucca (UPMC) FV RNS April 24th / 17
32 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Vincent Zucca (UPMC) FV RNS April 24th / 17
33 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c 1 0, c 0c 1 1 ` c1 0 c 1, c 1 c 1 1 q over Z 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Smaller noise growth }pb 0, b 1,..., b l q ÝÑ e } 8 ă lω ˆ nb err Vincent Zucca (UPMC) FV RNS April 24th / 17
34 Full RNS variant of FV multiplication Original homomorphic multiplication of pc 0, c 1 q by pc 1 0, c1 1 q Issues in original process for an RNS variant 1 Product p c 0, c 1, c 2 q pc 0 c0 1, c 0c1 1 ` c1 0 c 1, c 1 c1 1 q over Z (lift) 2 Division + Round-off: ĉ i t t q c is ù rĉ 0 ` ĉ 1 s ` ĉ 2 s 2 s q rm 1 m 2 s t ` v 11 mod q 3 Relinearization: pĉ 0 ` ĉ 2 s 2, ĉ 1 q ÝÝÝÝÑ s private pĉ 0 ` ĉ 2 ps 2 ` e ` asq, ĉ 1 aĉ 2 q Large noise growth }ĉ2 ˆ e} 8 ă q ˆ nb err Ñ Original solution is to... Decompose ĉ2 b 0 ` b 1 ω `... ` b l ω l 1 in radix ω Public relinearization key: prs 2 p1, ω,..., ω l 1 q ` ÝÑ e ` ÝÑ a ss q, ÝÑ a q Smaller noise growth }pb 0, b 1,..., b l q ÝÑ e } 8 ă lω ˆ nb err Issues for RNS representation Lift in Z, division and rounding, using positional system in radix ω... Vincent Zucca (UPMC) FV RNS April 24th / 17
35 Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Vincent Zucca (UPMC) FV RNS April 24th / 17
36 Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Problem 2: division and round-off ĉ i t t q c is in RNS. Ñ Solution: flooring instead of rounding in B sk, 1 FastBconvp c i, q, B sk q and computation of flooring in B sk ; 2 ĉ i Ð FastBconvSKp c i, B sk, qq (no extra multiple of B). Vincent Zucca (UPMC) FV RNS April 24th / 17
37 Full RNS variant of FV multiplication Problem 1: compute product p c 0, c 1, c 2 q in Z. Ñ Solution: } c i } 8 ă nq 2 : no lift in Z, 1 Fast extension to convert residues in second base B sk B Y tm sk u; 2 compute p c 0, c 1, c 2 q in q Y B sk. Problem 2: division and round-off ĉ i t t q c is in RNS. Ñ Solution: flooring instead of rounding in B sk, 1 FastBconvp c i, q, B sk q and computation of flooring in B sk ; 2 ĉ i Ð FastBconvSKp c i, B sk, qq (no extra multiple of B). Problem 3: decompose ĉ 2 in radix ω in base q. ÑSolution: decompose ĉ 2 in an RNS way, 1 ĉ 2 ĉ 2 q1 q q 1,, ĉ 2 qk q qk ; 2 evk RNS ˆ s 2 q q 1 q,, s 2 q q k q ` ÝÑ e ` ÝÑ ı a s q, ÝÑ a. Vincent Zucca (UPMC) FV RNS April 24th / 17
38 Full RNS variant of FV multiplication Results Prior costly operations over Z ù fast RNS base extensions. Fairly equivalent noise growth. Same number of polynomial products ñ same asymptotic complexity. Better complexity for operations on coefficients. Well suited for parallelization. Vincent Zucca (UPMC) FV RNS April 24th / 17
39 Experiments Software implementation C++, NFLlib (dedicated to RNS polynomial arith. in R with NTT), compared with a standard approach with NFLlib + GMP 6.1.0, laptop under Fedora 22 with i7-4810mq 2.80GHz, g , Hyper-Threading and Turbo Boost turned off. a Vincent Zucca (UPMC) FV RNS April 24th / 17
40 Experiments - Speed-up factors ν bit-size of moduli log 2 pnq k k t 2 10 γ 2 8 (sufficient; practical) Decryption ν 30 ν 62 4 Multiplication ν 30 ν log 2 pnq log 2 pnq n Õñ NTT s dominate computational effort ñ speed-up Œ. Vincent Zucca (UPMC) FV RNS April 24th / 17
41 Conclusion and perspectives Optimization of arithmetic on polynomials at the coefficient level. Benefits to SHE scheme like FV. No more need of any positional system: only RNS. Greater noise growth, but not significant in practice. Opens the door to highly competitive parallel implementation of homomorphic encryption on accelerator cards such as GPUs and FPGAs, to take full advantage of the parallelization potential offered by RNS and NTT representation. Jean Claude Bajard, Julien Eynard, Anwar Hasan and Vincent Zucca. A Full RNS Variant of FV like Somewhat Homomorphic Encryption Scheme. Selected Areas of Cryptography Vincent Zucca (UPMC) FV RNS April 24th / 17
42 Thank you for your attention, any question? Vincent Zucca (UPMC) FV RNS April 24th / 17
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationImplementation and Performance Evaluation of RNS Variants of the BFV Homomorphic Encryption Scheme
Implementation and Performance Evaluation of RNS Variants of the BFV Homomorphic Encryption Scheme Ahmad Al Badawi, Yuriy Polyakov, Khin Mi Mi Aung, Bharadwaj Veeravalli, and Kurt Rohloff DECEMBER 5, 018
More informationA Full RNS Variant of FV like Somewhat Homomorphic Encryption Schemes
A Full RNS Variant of FV like Somewhat Homomorphic Encryption Schemes Jean-Claude Bajard 1, Julien Eynard 2, M. Anwar Hasan 2, and Vincent Zucca 1 1 Sorbonne Universités, UPMC, CNRS, LIP6, Paris, France.
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationAn Improved RNS Variant of the BFV Homomorphic Encryption Scheme
An Improved RNS Variant of the BFV Homomorphic Encryption Scheme Shai Halevi 1, Yuriy Polyakov 2, and Victor Shoup 3 1 IBM Research 2 NJIT Cybersecurity Research Center 3 NYU Abstract. We present an optimized
More informationLecture 16: Public Key Encryption:II
Lecture 16: Public Key Encryption:II Instructor: Omkant Pandey Spring 2017 (CSE 594) Instructor: Omkant Pandey Lecture 16: Public Key Encryption:II Spring 2017 (CSE 594) 1 / 17 Last time PKE from ANY trapdoor
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationChosen-Ciphertext Security (I)
Chosen-Ciphertext Security (I) CS 601.442/642 Modern Cryptography Fall 2018 S 601.442/642 Modern Cryptography Chosen-Ciphertext Security (I) Fall 2018 1 / 20 Recall: Public-Key Encryption Syntax: Genp1
More informationPublic-Key Encryption
Public-Key Encryption 601.642/442: Modern Cryptography Fall 2017 601.642/442: Modern Cryptography Public-Key Encryption Fall 2017 1 / 14 The Setting Alice and Bob don t share any secret Alice wants to
More information4.4 Solving Congruences using Inverses
4.4 Solving Congruences using Inverses Solving linear congruences is analogous to solving linear equations in calculus. Our first goal is to solve the linear congruence ax b pmod mq for x. Unfortunately
More informationCarmen s Core Concepts (Math 135)
Carmen s Core Concepts (Math 135) Carmen Bruni University of Waterloo Week 8 1 The following are equivalent (TFAE) 2 Inverses 3 More on Multiplicative Inverses 4 Linear Congruence Theorem 2 [LCT2] 5 Fermat
More informationBabai round-off CVP method in RNS: application to latice based cryptographic protocols
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2015 Babai round-off CVP method in RNS: application
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationCrypto math II. Alin Tomescu May 27, Abstract A quick overview on group theory from Ron Rivest s course in Spring 2015.
Crypto math II Alin Tomescu alinush@mit.edu May 7, 015 Abstract A quick overview on group theory from Ron Rivest s 6.857 course in Spring 015. 1 Overview Group theory review Diffie-Hellman (DH) key exchange
More informationax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d
10. Linear congruences In general we are going to be interested in the problem of solving polynomial equations modulo an integer m. Following Gauss, we can work in the ring Z m and find all solutions to
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationManual for Using Homomorphic Encryption for Bioinformatics
1 Manual for Using Homomorphic Encryption for Bioinformatics Nathan Dowlin, Ran Gilad-Bachrach, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing Abstract Biological Data Science is an emerging
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More informationHigh-Precision Arithmetic in Homomorphic Encryption
High-Precision Arithmetic in Homomorphic Encryption Hao Chen 1, Kim Laine 2, Rachel Player 3, and Yuhou Xia 4 1 Microsoft Research, USA haoche@microsoft.com 2 Microsoft Research, USA kim.laine@microsoft.com
More informationSubring Homomorphic Encryption
Subring Homomorphic Encryption Seiko Arita Sari Handa June 7, 2017 Abstract In this paper, we construct subring homomorphic encryption scheme that is a homomorphic encryption scheme built on the decomposition
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationExam 2 Solutions. In class questions
Math 5330 Spring 2018 Exam 2 Solutions In class questions 1. (15 points) Solve the following congruences. Put your answer in the form of a congruence. I usually find it easier to go from largest to smallest
More informationCOMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION
#RSAC SESSION ID: CRYP-W02 COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION Rachel Player PhD Student // Postdoc Royal Holloway, University of London, UK // LIP6, Sorbonne
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationarxiv: v1 [math.nt] 3 May 2017
arxiv:1705.01363v1 [math.nt] 3 May 2017 Expansions of arithmetic functions of several variables with respect to certain modified unitary Ramanujan sums László Tóth Department of Mathematics, University
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University) Miran Kim, Yongsoo Song (University of California, San Diego) Landscape of Homomorphic
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationComputer Architecture 10. Residue Number Systems
Computer Architecture 10 Residue Number Systems Ma d e wi t h Op e n Of f i c e. o r g 1 A Puzzle What number has the reminders 2, 3 and 2 when divided by the numbers 7, 5 and 3? x mod 7 = 2 x mod 5 =
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationMATH3302 Cryptography Problem Set 2
MATH3302 Cryptography Problem Set 2 These questions are based on the material in Section 4: Shannon s Theory, Section 5: Modern Cryptography, Section 6: The Data Encryption Standard, Section 7: International
More informationComputing Generator in Cyclotomic Integer Rings
A subfield algorithm for the Principal Ideal Problem in L 1 K 2 and application to the cryptanalysis of a FHE scheme Jean-François Biasse 1 Thomas Espitau 2 Pierre-Alain Fouque 3 Alexandre Gélin 2 Paul
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationJoseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia
ELLIPTIC CURVE CRYPTOGRAPHY USING MAPLE Joseph Fadyn Kennesaw State University 1100 South Marietta Parkway Marietta, Georgia 30060 jfadyn@spsu.edu An elliptic curve is one of the form: y 2 = x 3 + ax +
More informationSingle-Database Private Information Retrieval
MTAT.07.006 Research Seminar in Cryptography 07.11.2005 Tartu University a g@ut.ee 1 Overview of the Lecture CMS - first single database private information retrieval scheme Gentry-Ramzan PBR Lipmaa Oblivious
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationModular Multiplication in GF (p k ) using Lagrange Representation
Modular Multiplication in GF (p k ) using Lagrange Representation Jean-Claude Bajard, Laurent Imbert, and Christophe Nègre Laboratoire d Informatique, de Robotique et de Microélectronique de Montpellier
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationETIKA V PROFESII PSYCHOLÓGA
P r a ž s k á v y s o k á š k o l a p s y c h o s o c i á l n í c h s t u d i í ETIKA V PROFESII PSYCHOLÓGA N a t á l i a S l o b o d n í k o v á v e d ú c i p r á c e : P h D r. M a r t i n S t r o u
More informationEfficient Leak Resistant Modular Exponentiation in RNS
Efficient Leak Resistant Modular Exponentiation in RNS Andrea Lesavourey (1), Christophe Negre (1) and Thomas Plantard (2) (1) DALI (UPVD) and LIRMM (Univ. of Montpellier, CNRS), Perpignan, France (2)
More informationIntroduction to Modern Cryptography. Benny Chor
Introduction to Modern Cryptography Benny Chor RSA Public Key Encryption Factoring Algorithms Lecture 7 Tel-Aviv University Revised March 1st, 2008 Reminder: The Prime Number Theorem Let π(x) denote the
More informationAlgorithms for integer factorization and discrete logarithms computation
/* */ C,A, /* */ R,a, /* */ M,E, L,i= 5,e, d[5],q[999 ]={0};main(N ){for (;i--;e=scanf("%" "d",d+i));for(a =*d; ++i
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCandidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.
UNIVERSITY OF EAST ANGLIA School of Mathematics May/June UG Examination 2010 2011 CRYPTOGRAPHY Time allowed: 2 hours Attempt THREE questions. Candidates must show on each answer book the type of calculator
More informationApproximation in the Zygmund Class
Approximation in the Zygmund Class Odí Soler i Gibert Joint work with Artur Nicolau Universitat Autònoma de Barcelona New Developments in Complex Analysis and Function Theory, 02 July 2018 Approximation
More informationHOMEWORK 11 MATH 4753
HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question
More informationFor example, p12q p2x 1 x 2 ` 5x 2 x 2 3 q 2x 2 x 1 ` 5x 1 x 2 3. (a) Let p 12x 5 1x 7 2x 4 18x 6 2x 3 ` 11x 1 x 2 x 3 x 4,
SOLUTIONS Math A4900 Homework 5 10/4/2017 1. (DF 2.2.12(a)-(d)+) Symmetric polynomials. The group S n acts on the set tx 1, x 2,..., x n u by σ x i x σpiq. That action extends to a function S n ˆ A Ñ A,
More informationReprésentation RNS des nombres et calcul de couplages
Représentation RNS des nombres et calcul de couplages Sylvain Duquesne Université Rennes 1 Séminaire CCIS Grenoble, 7 Février 2013 Sylvain Duquesne (Rennes 1) RNS et couplages Grenoble, 07/02/13 1 / 29
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More information10 Public Key Cryptography : RSA
10 Public Key Cryptography : RSA 10.1 Introduction The idea behind a public-key system is that it might be possible to find a cryptosystem where it is computationally infeasible to determine d K even if
More informationKeywords Homomorphic encryption, pairing-based cryptography, elliptic curves, low depth circuits.
Abstract Homomorphic Encryption is a recent promising tool in modern cryptography, that allows to carry out operations on encrypted data. In this paper we focus on the design of a scheme based on pairings
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationModular Arithmetic Investigation
The basics Modular Arithmetic Investigation Definition: Two numbers are considered congruent, modulo n if they are exactly a multiple of n apart. Equivalently, if the two numbers are the same distance
More informationEvaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems
Rochester Institute of Technology RIT Scholar Works Presentations and other scholarship 3-31-2016 Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems Peizhao Hu Rochester
More informationOn principal eigenpair of temporal-joined adjacency matrix for spreading phenomenon Abstract. Keywords: 1 Introduction
1,3 1,2 1 2 3 r A ptq pxq p0q 0 pxq 1 x P N S i r A ptq r A ÝÑH ptq i i ÝÑH t ptq i N t1 ÝÑ ź H ptq θ1 t 1 0 i `t1 ri ` A r ÝÑ H p0q ra ptq t ra ptq i,j 1 i j t A r ptq i,j 0 I r ś N ˆ N mś ĂA l A Ą m...
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationLocal behaviour of Galois representations
Local behaviour of Galois representations Devika Sharma Weizmann Institute of Science, Israel 23rd June, 2017 Devika Sharma (Weizmann) 23rd June, 2017 1 / 14 The question Let p be a prime. Let f ř 8 ně1
More informationSome multilinear algebra
Some multilinear algera Multilinear forms Let V e a finite dimensional R-vector space, dim V n. For k P N 0, we denote y T k V the vector space of k-linear forms Then T 1 V V and, y convention, T 0 V R.
More informationCourse 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography
Course 2BA1: Trinity 2006 Section 9: Introduction to Number Theory and Cryptography David R. Wilkins Copyright c David R. Wilkins 2006 Contents 9 Introduction to Number Theory and Cryptography 1 9.1 Subgroups
More informationFully Homomorphic Encryption
6.889: New Developments in Cryptography February 8, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption Scribe: Alessandro Chiesa Achieving fully-homomorphic encryption, under any kind of reasonable
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More information16 Fully homomorphic encryption : Construction
16 Fully homomorphic encryption : Construction In the last lecture we defined fully homomorphic encryption, and showed the bootstrapping theorem that transforms a partially homomorphic encryption scheme
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationRandom Variables. Andreas Klappenecker. Texas A&M University
Random Variables Andreas Klappenecker Texas A&M University 1 / 29 What is a Random Variable? Random variables are functions that associate a numerical value to each outcome of an experiment. For instance,
More informationChapter 8 Public-key Cryptography and Digital Signatures
Chapter 8 Public-key Cryptography and Digital Signatures v 1. Introduction to Public-key Cryptography 2. Example of Public-key Algorithm: Diffie- Hellman Key Exchange Scheme 3. RSA Encryption and Digital
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationFULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationLow-Weight Polynomial Form Integers for Efficient Modular Multiplication
1 Low-Weight Polynomial Form Integers for Efficient Modular Multiplication Jaewook Chung and M. Anwar Hasan February 9, 2006 Abstract In 1999, Jerome Solinas introduced families of moduli called the generalized
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationModulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain
Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven)
More informationTHE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018
THE UNIVERSITY OF CALGARY FACULTY OF SCIENCE DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS & STATISTICS MIDTERM EXAMINATION 1 FALL 2018 CPSC 418/MATH 318 L01 October 17, 2018 Time: 50 minutes
More informationRSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationECE 646 Lecture 8. RSA: Genesis, Security, Implementation & Key Generation
ECE 646 Lecture 8 RSA: Genesis, Security, Implementation & Key Generation Public Key (Asymmetric) Cryptosystems Public key of Bob - K B Private key of Bob - k B Network Alice Encryption Decryption Bob
More informationLA PRISE DE CALAIS. çoys, çoys, har - dis. çoys, dis. tons, mantz, tons, Gas. c est. à ce. C est à ce. coup, c est à ce
> ƒ? @ Z [ \ _ ' µ `. l 1 2 3 z Æ Ñ 6 = Ð l sl (~131 1606) rn % & +, l r s s, r 7 nr ss r r s s s, r s, r! " # $ s s ( ) r * s, / 0 s, r 4 r r 9;: < 10 r mnz, rz, r ns, 1 s ; j;k ns, q r s { } ~ l r mnz,
More informationMTH 505: Number Theory Spring 2017
MTH 505: Number Theory Spring 017 Homework 4 Drew Armstrong 4.1. (Squares Mod 4). We say that an element ras n P Z{nZ is square if there exists an element rxs n P Z{nZ such that ras n prxs n q rx s n.
More information1. Examples. We did most of the following in class in passing. Now compile all that data.
SOLUTIONS Math A4900 Homework 12 11/22/2017 1. Examples. We did most of the following in class in passing. Now compile all that data. (a) Favorite examples: Let R tr, Z, Z{3Z, Z{6Z, M 2 prq, Rrxs, Zrxs,
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationElliptic Curve Cryptography and Security of Embedded Devices
Elliptic Curve Cryptography and Security of Embedded Devices Ph.D. Defense Vincent Verneuil Institut de Mathématiques de Bordeaux Inside Secure June 13th, 2012 V. Verneuil - Elliptic Curve Cryptography
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More information