Fully homomorphic encryption scheme using ideal lattices. Gentry's STOC'09 paper - Part II
- Scot Blake
2 GGH cryptosystem
Gentry's scheme is a GGH-like scheme.
GGH: Goldreich, Goldwasser, Halevi.
Based on the hardness of the Closest Vector Problem (CVP).
Our discussion of GGH is the variant by D. Micciancio: "Improving lattice based cryptosystems using the Hermite normal form," Cryptography and Lattices 200.
3 Secret key
The secret key is a "good" basis $R = (r_1, \dots, r_n)$ of a lattice $L$.
For computational purposes, assume L.
The quantity $\rho_R = \tfrac{1}{2} \min_i \|r_i^*\|$ is relatively large.
We know: $\lambda_1(L) \ge \min_i \|r_i^*\|$; thus, $\lambda_1(L) \ge 2\rho_R$.
Thus, the orthogonalized centered parallelepiped $C(R^*)$ is fat, containing a ball of radius $\rho_R$.
Any point $t$ with $\mathrm{dist}(t, L) < \rho_R$ can be corrected to the closest lattice point (using the nearest plane algorithm).
4 A good basis and the corresponding correction radius Source: Daniele Micciancio's paper, CaLC 200
5 Public key
The public key is a "bad" basis $B = (b_1, \dots, b_n)$ of $L$. For example, $B = \mathrm{HNF}(R)$.
Its orthogonalized parallelepiped, $P(B^*)$, is skinny.
$\rho_B = \tfrac{1}{2} \min_i \|b_i^*\|$ is much smaller than $\rho_R$.
CVP (DDC) is hard (w/o knowing $R$) even if $\mathrm{dist}(t, L) < \rho_R$.
Denote by $t \bmod B$ the unique $s \in P(B^*)$ s.t. $s$ is congruent to $t$ modulo $L$ (i.e., $s - t$ or $t - s \in L$).
(Here we use $P(B^*)$ as the representative system of $\mathbb{R}^n / L$.)
6 HNF basis and corresponding orthogonalized parallelepiped Source: Daniele Micciancio's paper, CaLC 200
7 Encryption and Decryption
Encryption: to encrypt a message $m$,
  Encode $m$ as a vector $r$, $\|r\| < \rho_R$.
  $c \leftarrow r \bmod B$.
Decryption: to decrypt a ciphertext $c$,
  Recover $r$ from $c$ by $r \leftarrow c \bmod R$.
  Recover $m$ from $r$.
8 Correcting small errors using the private basis From Micciancio's paper
9 Is GGH homomorphic?
If the encoding scheme is such that $m_1 \mapsto r_1,\ m_2 \mapsto r_2 \Rightarrow m_1 + m_2 \mapsto r_1 + r_2$, and if $\|r_1\|, \|r_2\| < \rho_R / 2$, then GGH is additively homomorphic: $\mathrm{GGH}(m_1 + m_2) = \mathrm{GGH}(m_1) + \mathrm{GGH}(m_2) \bmod B$.
How to make it multiplicatively homomorphic?
Gentry's answer: use ideal lattices.
10 Ideals
Gentry's scheme uses ideal lattices, which are lattices corresponding to some ideals
11 Rings
A ring R is a set together with two binary operations $+$ and $\times$ satisfying the following axioms:
$(R, +)$ is an abelian group.
$\times$ is associative: $(a \times b) \times c = a \times (b \times c)$ for all $a, b, c \in R$.
Distributive laws hold: $(a + b) \times c = (a \times c) + (b \times c)$ and $a \times (b + c) = (a \times b) + (a \times c)$.
The ring R is commutative if $a \times b = b \times a$.
The ring R is said to have an identity if there is an element $1 \in R$ with $1 \times a = a \times 1 = a$ for all $a \in R$.
We will only be interested in commutative rings with an identity.
12 Ideals
An ideal of a ring R is an additive subgroup of R s.t. r for all r R. (I.e., a subset R s.t. a b and r a for all a, b, r R.)
Example: Consider the ring. { na n } For any integer a, = : is an ideal. a Conversely, any ideal is equal to a for some a. The mapping f : a is a bijective function from { } { } nonnegative integers ideals of. a
The name ideal comes from "ideal" numbers.
13 Some historical notes
An algebraic integer is a number $x$ satisfying $x^n + a_{n-1} x^{n-1} + \dots + a_1 x + a_0 = 0$, where $a_i \in \mathbb{Z}$.
The set of all algebraic integers forms a ring.
For any algebraic integer $\alpha$, let $\mathbb{Z}[\alpha]$ denote the closure of $\mathbb{Z} \cup \{\alpha\}$ under $+, -, \times$.
Example: $\mathbb{Z}[i] = \{a + bi : a, b \in \mathbb{Z}\}$, Gaussian integers.
$\mathbb{Z}[\alpha]$ resembles $\mathbb{Z}$, and many questions concerning $\mathbb{Z}$ can be answered by considering $\mathbb{Z}[\alpha]$.
14 For instance, Fermat's theorem on sums of two squares: an odd prime $p$ can be expressed as $p = x^2 + y^2$ ($x, y \in \mathbb{Z}$) iff $p \equiv 1 \bmod 4$.
This theorem can be proved by showing that in $\mathbb{Z}[i]$:
if $p \equiv 1 \bmod 4$, then $p$ factors into $p = (a + bi)(a - bi)$;
if $p \equiv 3 \bmod 4$, then $p$ cannot be factored.
While $\mathbb{Z}$ has the unique prime factorization property, $\mathbb{Z}[\alpha]$ in general doesn't.
For instance, in $\mathbb{Z}[\sqrt{-5}]$, 6 has two prime factorizations: $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$.
15 Eduard Kummer, inspired by the discovery of imaginary numbers, introduced ideal numbers.
For instance, in the example of $6 = 2 \cdot 3 = (1 + \sqrt{-5})(1 - \sqrt{-5})$, we may define ideal prime numbers p, p, p, p, which are subject to the rules: pp = 2, pp = 3, pp = $1 + \sqrt{-5}$, pp = $1 - \sqrt{-5}$.
Then, 6 would have the unique prime factorization: 6 = pppp
Kummer's concept of ideal numbers was later replaced by that of ideals, by Richard Dedekind.
16 Operations on Ideals
Let, be ideals of the ring R.
{ } Sum of ideals: + a+ b: a, b, which is the smallest ideal containing both and.
Product of ideals: the set of all finite sums of the form a b with a, b. I.e., the smallest ideal { } containing a b: a, b.
Thus, R is the identity.
divides iff.
Thus, gcd(, ) = (, ) = +.
is a prime ideal if a, b R, ab a or b.
Two ideals and are relatively prime if + = R.
17 Generators and Bases of ideals
Let be any subset of a ring R. Denote by ( ) the smallest ideal of R containing, called the ideal generated by.
We have: { + n n i R, i, n } ( ) = rb + + rb : r b
The ideal = ( ) is finitely generated if is finite, and is a principal ideal if contains a single element.
is a basis of = ( ) if it is linearly independent.
18 Cosets
Let be an ideal of a ring R.
R is partitioned into cosets s.t. two elements a, b R are ( + ) in the same coset iff a b. R= a a Z [ ] = a+ = { + i i } The coset containing a is a a :.
Define $[a] + [b] = [a + b]$ and $[a] \times [b] = [a \times b]$.
The cosets form a ring R, called the quotient ring.
Choose an element from each coset as a representative, then we have a system of representatives for R.
For x R, denote by x mod the element representing [ x].
19 Gentry's Ideal-based Scheme
20 Notations
Let be an ideal of the ring R, and a basis of.
R mod : a system of representatives for R defined by.
If 2 in general ( ) are two bases for the same ideal, we have x mod xmod (not necessarily equal).
Samp x, : samples the coset x + according to some probability distribution.
C : a circuit whose gates perform + and operations mod.
g(C) : generalized C, the same as C but without mod.
C : same as C, but gates perform mod operations instead.
21 From Micciancio's paper
22 Σ: an ideal-based encryption scheme
KeyGen, ( R ) : Input: a ring R, a basis of an ideal. ( sk ) R ( R ), IdealGen,. sk Public key : =. Secret key sk : =.
Parameters: ( R,, Samp ), which are public info.
Plaintext space P: = (a subset of) R mod
Remarks: As in GGH, sk is a good (fat) basis and a bad (skinny) one. The ideal is used to encode plaintexts as ring elements.
23 ( π ) π ( ) Encrypt, : ( sk ψ ) ( sk ψ mod ) // P// π Samp π, // an element in coset π + // ψ π mod Decrypt, : π // the ciphertext // mod Remarks: π is encoded as a random element π π is then encrypted as in GGH. sk Decryption is correct if π mod. R in the same coset.
24 ( C ) Evaluate,, Ψ : Input: a public key ; a mod circuit C composed of Add and Mult (and identity) gates; and ciphertexts ( ) Ψ= ( ψ,, ψ ), where ψ = Encrypt, π, π P. t i i ( Ψ ) = gc( Π ) Output: ψ : = gc ( ) mod. // ( ) mod // i Remarks: ( ) Evaluate, Add, ψ, ψ : outputs ψ + ψ mod. ( ) 2 2 Evaluate, Mult, ψ, ψ : outputs ψ ψ mod. 2 2 Evaluate circuit C by evaluating its gates in a proper order.
25 Correctness: informal Evaluating yields: ( ) ( ) ( ) ψ : = C Ψ = gc ( ) Ψ mod = gc ( ) Π mod C encode ( π π ) ( π π ) where Π =,, Π =,, t mod ( ψ ψ ) Ψ=,,. sk Decrypting ψ will yield: π : = ψ mod mod. ( Π ) ( ) sk Correct if gc ( ) Rmod. Thus, if we restrict π,, π to be in certain region, the scheme will be homomorphic for circuits C for which sk ( Π ) R gc ( ) mod. t t
26 Correctness of the ideal-based scheme ( ) Let X Samp, M and X R mod. Enc Dec A mod circuit C (including the identity circuit) with t inputs is a permitted circuit w.r.t. the scheme if: x,, x X, g( C) x,, x X. ( ) t Enc t Dec Theorem: If CΣ is a set of permitted circuits containing the identity circuit, then the scheme is correct for CΣ. I.e., algorithm Decrypt correctly decrypts valid ciphertexts: ( Π ) = Decrypt (, Evaluate (,, Ψ) ), C CΣ Ψ ( sk Π) ( Ψ) C sk C where and Encrypt,. Valid ciphertexts: outputs of Evaluate, C,, C C. Σ Σ
27 coset π + π coset π + π ψ ψ Encrypt: Decrypt: ( π ) Samp, mod π π ψ sk mod mod π ψ ψ = sk It works if π ψ, i.e. if π R mod.
28 π π π π ψ Q: ( Π) ( )( Π ) ( Ψ) C gc C ( Π) = sk C ( Ψ) s C Decrypt, C ( ) ( ( ) mod ) sk C Ψ ( Π) = gc ( )( Π ) mod gc ( )( Π ) mod = C ( Ψ) ( Π ) sk ( Π ) = C ( Ψ) gc ( ) mod mod ( sk gc ( ) mod ) mod = C ( Ψ) ( mod ) sk sk mod mod? sk ( Π ) gc( Π ) d g C ( Π ) sk Yes, if g( C) = ( ) mo, i.e., ( ) R mod.
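An added example, not from the slides: a toy instance of the GGH-style encryption and of Σ's Encrypt, Decrypt and Evaluate over the Gaussian integers $\mathbb{Z}[i]$, with plaintext ideal (2), ciphertext ideal (s) for the constructed generator s = 20 + 3i, the rotation basis of (s) as secret "good" basis and its HNF as public "bad" basis. All function names and parameters are assumptions of this example, and the parameters are far too small to be secure.

```python
import random
from fractions import Fraction
from math import floor

# Ring R = Z[i]: the Gaussian integer a + bi is the pair (a, b).
def add(x, y):
    return (x[0] + y[0], x[1] + y[1])

def mul(x, y):
    return (x[0] * y[0] - x[1] * y[1], x[0] * y[1] + x[1] * y[0])

def dot(u, v):
    return sum(a * b for a, b in zip(u, v))

def hnf(rows):
    """Upper-triangular Hermite normal form of a nonsingular integer row basis."""
    A = [list(r) for r in rows]
    for col in range(len(A)):
        for i in range(col + 1, len(A)):
            while A[i][col] != 0:                  # Euclid on rows col and i
                q = A[col][col] // A[i][col]
                A[col] = [x - q * y for x, y in zip(A[col], A[i])]
                A[col], A[i] = A[i], A[col]
        if A[col][col] < 0:
            A[col] = [-x for x in A[col]]
        for i in range(col):                       # reduce entries above the pivot
            q = A[i][col] // A[col][col]
            A[i] = [x - q * y for x, y in zip(A[i], A[col])]
    return A

def mod_pk(v, H):
    """Reduce v modulo the lattice into the box prod [0, H[i][i]) given by the HNF."""
    v = list(v)
    for i, h in enumerate(H):
        q = v[i] // h[i]
        v = [x - q * y for x, y in zip(v, h)]
    return tuple(v)

def gram_schmidt(rows):
    ortho = []
    for b in rows:
        v = [Fraction(x) for x in b]
        for u in ortho:
            mu = Fraction(dot(b, u)) / dot(u, u)
            v = [vi - mu * ui for vi, ui in zip(v, u)]
        ortho.append(v)
    return ortho

def mod_sk(t, basis):
    """Nearest-plane reduction: the representative of t's coset inside the
    centered orthogonalized parallelepiped of the good basis."""
    t = list(t)
    for b, u in reversed(list(zip(basis, gram_schmidt(basis)))):
        c = floor(Fraction(dot(t, u)) / dot(u, u) + Fraction(1, 2))
        t = [ti - c * bi for ti, bi in zip(t, b)]
    return tuple(int(x) for x in t)

def rho_squared(basis):
    """Square of the correction radius: (min ||b_i*|| / 2)^2."""
    return min(dot(u, u) for u in gram_schmidt(basis)) / 4

def keygen(s):
    sk = [tuple(s), mul((0, 1), s)]   # good basis: s and i*s are orthogonal
    return sk, hnf(sk)                # bad basis: HNF of the same ideal lattice

def encrypt(pk, pi, noise=None, rng=random):
    if noise is None:
        noise = (rng.choice((-1, 0)), rng.choice((-1, 0)))
    pi_prime = add(pi, mul((2, 0), noise))   # Samp: an element of the coset pi + (2)
    return mod_pk(pi_prime, pk)

def decrypt(sk, psi):
    a, b = mod_sk(psi, sk)
    return (a % 2, b % 2)                    # reduce modulo the plaintext ideal (2)

def eval_add(pk, c1, c2):
    return mod_pk(add(c1, c2), pk)

def eval_mult(pk, c1, c2):
    return mod_pk(mul(c1, c2), pk)

def permitted(sk, v):
    """True if v is its own representative mod the secret basis (decryption works)."""
    return mod_sk(v, sk) == tuple(v)

S = (20, 3)              # constructed generator s = 20 + 3i, norm 409 (toy size)
SK, PK = keygen(S)

if __name__ == "__main__":
    c1 = encrypt(PK, (1, 0), noise=(-1, 0))   # plaintext 1
    c2 = encrypt(PK, (1, 1), noise=(0, -1))   # plaintext 1 + i
    print("pk =", PK, " rho^2 =", rho_squared(SK))
    print("Add :", decrypt(SK, eval_add(PK, c1, c2)))
    print("Mult:", decrypt(SK, eval_mult(PK, c1, c2)))
    deep = c2
    for _ in range(7):                        # (1 - i)^8 = 16 is not permitted
        deep = eval_mult(PK, deep, c2)
    print("8-fold product:", decrypt(SK, deep), "but (1 + i)^8 mod 2 is (0, 0)")
```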
29 Security of the ideal-based scheme
30 Ideal Coset Problem (ICP)
Let R be a ring, an ideal, and a basis.
IdealGen: an algorithm that given ( R, ) outputs two bases, sk, of the same ideal.
Samp : a random algorithm that samples R (non-uniformly).
Ideal Coset Problem: Fix R,, IdealGen, Samp.
( sk ) R ( R ) Challenger:, IdealGen,. b {0, 1}. If b = 0, then r R Samp ( ), t r mod. If b = 1, then t uniformly R mod.
Adversary: given t and, determine if b = 0 or 1.
31 Essentially, the problem is to distinguish between:
b = 0: a coset [t] is chosen according to some "Samp".
b = 1: a coset [t] is chosen uniformly randomly.
The hardness of ICP depends on Samp.
How does ICP connect to Gentry's encryption scheme Σ?
A ciphertext is essentially a coset [π] chosen by Samp.
Σ is semantically secure if the ciphertext is random-like.
ICP is hard if coset [t] chosen by Samp is random-like.
Will show ICP distinguishing ciphertexts of scheme Σ.
Will use Samp to define Samp.
32 Connect Samp to Samp r Samp ( R) samples an element in ring R. x Samp Wanted: Let ( s) ( x, ) [ x] r random = = R s [ x] Then, = x + R s. samples an element in coset. x random be a principal ideal generated by s. ( x, ) x ( R) Let Samp + Samp s.
33 Security of the ideal-based scheme Σ The Ideal Coset Problem is to distinguish between t t Samp ( R) mod ( R ) uniform mod. Encrypt, : where ψ ( π) Samp ( π, ) π Samp ( R) mod ( s) ( s) + mod = = R s is a principal ideal generated by s.
34 Theorem: If there is an algorithm A that breaks the semantic security of Σ with advantage ε when it uses Samp, then there is an algorithm, running in about the same time as A, that solves the ICP with advantage $\varepsilon/2$.
Proof: ( s) ( t ) The challenger of ICP sends an instance,. chooses an ideal = relatively prime to and sets up the other parameters of Σ.
We have two games: (1) the ICP game between Challenger and (adversary), and (2) the Σ game between (challenger) and A (adversary). They run as follows.
35 Challenger b : = {0, } u t,, β : = {0, } u π, π 2 β β b : = β β ψ A where if b = 0, t Samp ( R) mod ; else, t R mod ; and ( ) ψβ πβ + t s mod. π π + β β u
36 ( R ) ( ) If b = 0, t Samp ( R) mod and ψ = π + t s mod ( ) = πβ + Samp ( ) s mod = Encrypt, πβ. π β Samp ( π β,) Pr[ b= b b= 0] = Pr[ β = β b= 0] = $1/2 + \varepsilon$.
If b = 1, t R mod, so ψ = π uniform β β β ( + ) β t s mod is uniformly random (for ( s) = is relatively prime to s t πβ + t s πβ + t s exists bijective uniform.) Pr[ b= b b= 1] = Pr[ β β b= 1] = $1/2$.
Thus, has advantage $\varepsilon/2$.
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationFoundations of Cryptography
Foundations of Cryptography Ville Junnila viljun@utu.fi Department of Mathematics and Statistics University of Turku 2015 Ville Junnila viljun@utu.fi Lecture 7 1 of 18 Cosets Definition 2.12 Let G be a
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationRSA Cryptosystem and Factorization
RSA Cryptosystem and Factorization D. J. Guan Department of Computer Science National Sun Yat Sen University Kaoshiung, Taiwan 80424 R. O. C. guan@cse.nsysu.edu.tw August 25, 2003 RSA Cryptosystem was
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationOn the security of Jhanwar-Barua Identity-Based Encryption Scheme
On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In
More informationENTRY GROUP THEORY. [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld.
ENTRY GROUP THEORY [ENTRY GROUP THEORY] Authors: started Mark Lezama: October 2003 Literature: Algebra by Michael Artin, Mathworld Group theory [Group theory] is studies algebraic objects called groups.
More informationAn Efficient Broadcast Attack against NTRU
An Efficient Broadcast Attack against NTRU Jianwei Li, Yanbin Pan, Mingjie Liu, Guizhen Zhu Institute for Advanced Study, Tsinghua University Beijing 00084, China {lijianwei0, liu-mj07, zhugz08}@mailstsinghuaeducn
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationNumber Theory. Modular Arithmetic
Number Theory The branch of mathematics that is important in IT security especially in cryptography. Deals only in integer numbers and the process can be done in a very fast manner. Modular Arithmetic
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More information