An Attack on a Fully Homomorphic Encryption Scheme
|
|
- Allison Gregory
- 5 years ago
- Views:
Transcription
1 An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University, ,Jinan,China yhu@mail.xidian.edu.cn fenghe2166@163.com Abstract. In this aer we resent an attack on a fully homomorhic encrytion scheme on PKC2010. We construct a modified secret key, a modified decrytion algorithm and a subset of the cihertext sace. When the cihertext is from the subset, we can correctly decryt it by our modified secret key and modified decrytion algorithm. We also discuss when our modified decrytion algorithm is efficient, and when the subset is not negligible. Keywords: Fully Homomorhic Encrytion, lattice-based PKC, cloud-comutation. 1 Introduction: Bootstraing-based FHE and attacks Fully-homomorhic-Encrytion (FHE) is a novel technique alied to cloud-comutation. It is for such rocedure. The user needs to obtain the outut of ring-oerations in laintext sace, but wants to comute nothing but only decrytion. The sever imlements homomorhic oerations in cihertext sace of these oerations in laintext sace. That is, the server is given corresonding cihertexts of inut laintexts of these ring-oerations, and comutes corresonding cihertext of outut laintext of these ring-oerations. Then the server sends this outut cihertext to the user. The user then decryts this outut cihertext to obtain original outut laintext. To be fully-homomorhic, these ring-oerations in laintext sace must be of any deth. Lattice-based PKC can achieve homomorhic encrytion function for shallow ring-oerations in laintext sace. This homomorhic encrytion function is called somewhat homomorhic encrytion function. But lattice-based PKC belongs to the class of error correction tye PKC, so that the cihertext must include noise. Dee ring-oerations in laintext sace means dee homomorhic oerations in cihertext sace, and noise will be greatly enhanced, resulting in wrong decrytion. Therefore the major roblem to achieve fully-homomorhic-encrytion is to decrease the size of the noise. The frontier work to solve this roblem belongs to Gentry [1], who resented a novel technique named bootstraing. After that many fully-homomorhic-encrytion schemes were resented [2-21], with major efforts on decreasing the comutation comlexity. Among them is a fully-homomorhic-encrytion scheme [6], resented by Smart and Vercauteren, and on PKC2010. We call this aer SV10. SV10 scheme is one of efforts changing the cihertexts from olynomials to integers. It has relatively small key and cihertext sizes. In this aer we resent an attack on this fully homomorhic encrytion scheme. In fact, our attack only aims at its somewhat homomorhic encrytion algorithm. We construct a modified secret key, a modified decrytion algorithm and a subset of the cihertext sace. Whenever the cihertext is from the subset, we can correctly decryt it by our modified secret key and modified decrytion algorithm. We also discuss when our modified decrytion algorithm is efficient, and when the subset is not negligible. Our attack imlies that it should be careful for designing fully homomorhic encrytion over the integers.
2 The aer is organized as following. In section 2 we state the fully-homomorhic-encrytion scheme resented by SV10, including its correctness. In section 3 we resent our major roosition, which is the basis of our attack. In section 4 we resent our attack, including modified secret key, modified decrytion algorithm, and a subset of the cihertext sace. In this section we also discuss when our modified decrytion algorithm is efficient, and when the subset is not negligible. Section 5 is the conclusion. 2 The FHE scheme of SV The Somewhat Homomorhic Encrytion Algorithm Q[x] and Z[x] are resectively the set of olynomials with rational and integer coefficients. Given a olynomial g(x) = t g ix i Q[x], g(x) = max g i. For a ositive value r, B,N (r) is t=0,,t such set of olynomials with integer coefficients: B,N (r) = {g(x) = N 1 g i x i, g(x) r}. The scheme is arameterized by three values (N, η, µ). A tyical set of arameters would be (N, η, µ) = (N, 2 N, N), N = 2 n. KeyGen(.): 1. Set the laintext sace to be {0, 1}. Choose a monic irreducible olynomial F (x) Z[x] of degree N.Tyically we can take F (x) = x N + 1 = x 2n Reeat: S(x) R B,N (η/2). G(x) 1 + 2S(x). resultant(g(x), F (x)). -Until is rime. 3. D(x) gcd(g(x), F (x)) over F [x] -D(x) gcd(g(x), F (x)) over F [x] -Let α F denote the unique root of D(x). 4. Aly the XGCD algorithm over Q[x] to obtain Z(x) = N 1 z ix i Z[x] such that 5. B z 0 mod2 -The ublic key is (, α). The secret key B. Encryt(M,, α): 1. Let R(x) R B,N (µ/2). 2. Let C(x) M + 2R(x). 3. Let c C(α)mod. -Outut c. Z(x)G(x) = modf (x).
3 Decryt(c, B): M c cb/p mod2 -Outut M. Add(c 1, c 2,, α): c 3 c 1 + c 2 mod. -Outut c 3. Mult(c 1, c 2,, α): c 3 c 1 c 2 mod. -Outut c Some Notes It should be ointed out that, although Z(x) is obtained by the XGCD algorithm over Q[x], Z(x)Z(x) because = resultant(g(x), F (x)). According to tyical arameters, the cihertext can be correctly decryted. Again according to tyical arameters, the scheme allows about d homomorhic multilications over the cihertext sace, where d log 2 2 N log N. In other words, the N roduct of not more than d cihertexts can be correctly decryted. The value of d increases with the value of N. For N = 256, d = 0. For (N = 512, d = 1). For N = 65536, d = 10. The scheme of SV10 uses both the somewhat homomorhic encrytion algorithm and the bootstraing technique to achieve FHE. Our attack only aims at the somewhat homomorhic encrytion algorithm, so that we don t introduce the bootstraing. 3 Our Major Proosition 3.1 The Proosition Take a ositive integer δ such that δ < N. Take = 2α k (modq), k = 0, 1,, N 1. Define N + 2 sets {A 0, A 1,, A N 1, A, A } as follows. For k = 0, 1, 2,, N 1, if (mod2) = 0, and if (mod2) = 1. A k = (0, ) { + (2i 1, 2i 1 + ) } µ(δ + 2) µ(δ + 2) A k = (0, ) { + ((2i + 1) 1, (2i + 1) 1 + ) } µ(δ + 2) µ(δ + 2) A = (0, ) { + (2i 2(δ + 2), 2i + 2(δ + 2) )}. A = (0, ) { + 1 (2i + 1 µδ(δ + 2), 2i µδ(δ + 2) )}. It is clear that A = (0, 2(δ+2) ), A 0 = (0, µ(δ+2) ). For δ integers k 1, k 2,, k δ, such that 0 k 1 < k 2 < < k δ N 1, define the intersection set A(k 1, k 2,, k δ ) = A k1 Ak2 Akδ A A, N
4 and define the subset of the cihertext sace C(k 1, k 2,, k δ ) = { C(α)(mod) C(x) = M+r k1 x k 1 +r k2 x k 2 + +r kδ x k δ, r ki even, r ki µ, i = 1,, δ } Proosition 1. Take a real number B from the set A(k 1, k 2,, k δ ). Then any cihertext c from C(k 1, k 2,, k δ ) can be correctly decryted by the algorithm c cb/. Proof. c = M +( r k r k r k δ 2 δ ) u, where r k i 2 is an integer, r k 2 2 µ 2, i = 1, 2,, δ. It is immediate that 0 u µ 2 δ. Notice the definition of A(k 1, k 2,, k δ ). 0 MB 1 2 is in ( 1 2(δ+2), 1 2(δ+2) ) neighboring field of an integer, and that integer is modular 2 congruent with r ki i ub is in ( 1 2(δ+2), 1 2(δ+2) ) neighboring field of an integer, and that integer is modular 2 congruent with u. From all of the above, c cb/ (mod2) = M MB/ + r k1 1 r k1 1 B/ + r k1 1 r k2 2 B/ + + r k1 1 r kδ δ B/ u + ub (mod2) = M. 2(δ+2). r ki i B 3.2 Time Cost for Finding a B from A(k 1, k 2,, k δ ) Suose δ = 0(mod2) (δ = 1(mod2)), for i = 0, 1, check whether the interval (2i 1, 2i + 1 ) (the interval ((2i + 1) 1, (2i + 1) + 1 ) intersects the set {A 0, A 1,, A δ 1, A, A } until it intersects all of them. Then take any real number B from such intersection set. Checking whether an interval intersects the set {A k2, A k3,, A δ, A, A } is a quite simle task. On the other hand, A = (0, 2(δ+2) ), and is extremely large. The length of the set A k is about µ(δ+2). The length of the set A is about µδ(δ+2). Then the length of the intersection set A k1 Ak2 Akδ A is about. This means that the length of the µ δ+1 δ(δ+2) δ+1 intersection set A(k 1, k 2,, k δ ) = A k1 Ak2 Akδ A A is about, and 2µ δ+1 δ(δ+2) δ+2 A(k 1, k 2,, k δ ) (0, 2(δ+2) ). If k 1 > 0, the oint of A(k 1, k 2,, k δ ) are randomly distributed within (0, 2(δ+2) ). If k 1 = 0, A(k 1, k 2,, k δ ) (0, µ(δ+2) ), and the oints of A(k 1, k 2,, k δ ) are randomly distributed within (0, µ(δ+2) ). Therefore there should be a oint of A(k 1, k 2,, k δ ) which is smaller than O(µ δ+1 δ(δ + 2) δ+1 ), and checking at most O(µ δ+1 δ(δ + 2) δ+1 ) intervals should find a real number B of A(k 1, k 2,, k δ ). Suose N = 256, then µ = N = 16. Take δ = 3, O(µ δ+1 δ(δ + 2) δ+1 ) = O( ) O(2 27 ). Take δ = 9, O(µ δ+1 δ(δ + 2) δ+1 ) = O( ) O(2 78 ). Table 1 lists n(δ) the aroriate number of intervals for checking, with N = Our Attack 4.1 The Modified Decrytion Algorithm Suose that for any δ integers k 1, k 2,, k δ such that 0 k 1 < k 2 < < k δ N 1, we have chosen a real number B(k 1, k 2,, k δ ) from the set A(k 1, k 2,, k δ ). Our modified secret key is
5 Table 1. he Aroriate Number of Intervals for Checking (N=256) δ n(δ) δ n(δ) B(k 1, k 2,, k δ ) 0 k 1 < k 2 < < k δ N 1. For any δ 1 integers l 1, l 2,, l δ 1 such that 0 l 1 < l 2 < < l δ 1 N 1, define the set S(l 1, l 2,, l δ 1 ) = {B(k 1, k 2,, l δ ) {l 1, l 2,, l δ 1 }}. Notice that S(l 1, l 2,, l δ 1 ) = N δ + 1. The modified decrytion algorithm is as the follow. For a cihertext c, comute {c cb(k 1, k 2,, k δ )/ (mod2) 0 k 1 < k 2 < < k δ N 1}. If there is some S(l 1, l 2,, l δ 1 ), such that all values {c cb(k 1, k 2,, k δ )/ (mod2) B(k 1, k 2,, k δ ) S(l 1, l 2,, l δ 1 )} are same, take the laintext as such same value. If there is no such S(l 1, l 2,, l δ 1 ), the decrytion fails. 4.2 The Correctness For a cihertext c, the corresonding olynomial is C(x) = M + 2R(x). If R(x) has m non-zero coefficients, we say that the Hamming weight of c is m. Define C(m) as the set of all cihertexts with the Hamming weights not more than m. It is clear that C(m) =, and that 0 l 1 <l 2 < <l m N 1 C(0) C(1) C(N). C(N) is the cihertext sace. Now we exlain that our algorithm makes wrong decrytion with a negligible robability for the cihertexts from C(δ 1). Take any cihertext c C(δ 1), any C(l 1, l 2,, l δ 1 ) C(δ 1). If c C(l 1, l 2,, l δ 1 ), all value {c cb(k 1, k 2,, k δ )/ (modq) B(k 1, k 2,, k δ ) S(l 1, l 2,, l δ 1 )} are the laintext of c. If c / C(l 1, l 2,, l δ 1 ), value {c cb(k 1, k 2,, k δ )/ (modq) B(k 1, k 2,, k δ ) 1 S(l 1, l 2,, l δ 1 )} are random, therefore the robability they are same as the wrong value is. 2 N δ+1 There are at most C δ 1 N 1 different C(l 1, l 2,, l δ 1 ) such that c / C(l 1, l 2,, l δ 1 ), therefore the robability c is decryted as wrong value is not larger than Cδ 1 N 1. For N 256, δ 17, this 2 N δ+1 robability is negligible. 4.3 The Efficiency Our modified secret key includes C δ N real numbers. Our modified decrytion algorithm includes Cδ N ordinary decrytions, and a judgment.
6 4.4 The Imact Our modified decrytion algorithm can correctly decryt all cihertexts in C(δ 1). If in the encrytion rocedure, the ste R(x) R B,N (µ/2) is under uniform distribution, C(δ 1) is negligible in the cihertext sace. However, the cihertext with small Hamming weight will have great advantage in somewhat homomorhic oerations, esecially in multilication homomorhic oerations. If the ste R(x) R B,N (µ/2) is artial to the smaller Hamming weights C(δ 1) is not negligible, and our attack is effective. 5 Conclusions SV10 scheme is not as strong as some other fully homomorhic encrytion schemes. Our attack at least threatens the distribution of the ste R(x) R B,N (µ/2) of the encrytion rocedure. Our attack imlies that it should be careful for designing fully homomorhic encrytion over the integers. Acknowledgements This work was suorted by the National Natural Science Foundation of China (Grant Nos , ) and Science and Technology on Communication Security Laboratory (9140C C1102). This work was also suorted by Huawei Co. (YBCB ). References 1. C. Gentry. Fully homomorhic encrytion using ideal lattices. In STOC 09, , Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorhic encrytion from (standard) LWE. In FOCS 2011, D. Stehle and R. Steinfeld. Faster fully homomorhic encrytion. In Asiacryt 10, M. v. Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan. Fully homomorhic encrytion over the integers. In ASIACRYPT 10, Z. Brakerski and V. Vaikuntanathan. Fully Homomorhic Encrytion from Ring-LWE and Security for Key Deendent Messages. In CRYPTO 2011, N. P. Smart, F. Vercauteren. Fully Homomorhic Encrytion with Relatively Small Key and Cihertext Sizes. In PKC 2010, , C. Gentry, S. Halevi. Imlementing Gentry s full homomorhic encrytion scheme. In EUROCRYPT 2011, , C. Gentry. Toward basing fully homomorhic encrytion on worst-case hardness. In Cryto 2010, C. Gentry, S. Halevi. Fully homomorhic encrytion without squashing using deth-3 arithmetic circuits. In FOCS 2011, Z. Brakerski, C. Gentry, V. Vaikuntanathan. Fully homomorhic without Bootstraing. htt:// erint.iacr.org/2011/ Jean-Sbastien Coron, Avradi Mandal, David Naccache, Mehdi Tibouchi. Fully Homomorhic Encrytion over the Integers with Shorter Public Keys. In Cryto Yuanmi Chen, Phong Q. Nguyen. Faster Algorithms for Aroximate Common Divisors: Breaking Fully-Homomorhic-Encrytion Challenges over the Integers. In Eurocryto 2012, (htt://erint.iacr.org/2011/436) 13. Craig Gentry, Shai Halevi and Vinod Vaikuntanathan. i-ho Homomorhic Encrytion and Rerandomizable Yao Circuits. In Cryto Zvika Brakerski. Fully Homomorhic Encrytion without Modulus Switching from Classical GaSVP. htt://erint.iacr.org/2012/ Junfeng Fan and Frederik Vercauteren. Somewhat Practical Fully Homomorhic Encrytion. htt://erint.iacr.org/2012/ Craig Gentry and Shai Halevi and Nigel P. Smart. Fully Homomorhic Encrytion with Polylog Overhead. In Eurocryto 2012, (htt://erint.iacr.org/2011/566).
7 17. P. Scholl and N.P. Smart. Imroved Key Generation For Gentry s Fully Homomorhic Encrytion Scheme. htt://erint.iacr.org/2011/ Steven Myers and Mona Sergi and abhi shelat. Threshold Fully Homomorhic Encrytion and Secure Comutation. htt://erint.iacr.org/2011/ Loftus and A. May and N.P. Smart and F. Vercauteren. On CCA-Secure Fully Homomorhic Encrytion. htt://erint.iacr.org/2010/ Craig Gentry and Shai Halevi and Nigel P. Smart. Homomorhic Evaluation of the AES Circuit. htt://erint.iacr.org/2012/ Jean-Sbastien Coron, David Naccache, Mehdi Tibouchi. Public-key Comression and Modulus Switching for Fully Homomorhic Encrytion over the Integers. In Eurocryto
Lattice Attacks on the DGHV Homomorphic Encryption Scheme
Lattice Attacks on the DGHV Homomorhic Encrytion Scheme Abderrahmane Nitaj 1 and Tajjeeddine Rachidi 2 1 Laboratoire de Mathématiques Nicolas Oresme Université de Caen Basse Normandie, France abderrahmanenitaj@unicaenfr
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry 1, Shai Halevi 1, and Nigel P. Smart 2 1 IBM T.J. Watson Research Center 2 Dept. Computer Science, University of Bristol Abstract. Gentry
More informationCryptanalysis of Pseudorandom Generators
CSE 206A: Lattice Algorithms and Alications Fall 2017 Crytanalysis of Pseudorandom Generators Instructor: Daniele Micciancio UCSD CSE As a motivating alication for the study of lattice in crytograhy we
More information1. Introduction. 2. Background of elliptic curve group. Identity-based Digital Signature Scheme Without Bilinear Pairings
Identity-based Digital Signature Scheme Without Bilinear Pairings He Debiao, Chen Jianhua, Hu Jin School of Mathematics Statistics, Wuhan niversity, Wuhan, Hubei, China, 43007 Abstract: Many identity-based
More informationFully Homomorphic Encryption over the Integers Revisited
Fully Homomorhic Encrytion over the Integers Revisited Jung Hee Cheon 1 and Damien Stehlé 1 SNU, Reublic of Korea, ENS de Lyon, France. jhcheon@snu.ac.kr, damien.stehle@ens-lyon.fr Setember 4, 016 Abstract.
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationElliptic Curves and Cryptography
Ellitic Curves and Crytograhy Background in Ellitic Curves We'll now turn to the fascinating theory of ellitic curves. For simlicity, we'll restrict our discussion to ellitic curves over Z, where is a
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationFaster Homomorphic Function Evaluation using Non-Integral Base Encoding
Faster Homomorhic Function Evaluation using Non-Integral Base Encoding Charlotte Bonte 1, Carl Bootland 1, Joe W. Bos, Wouter Castryck 1,3, Ilia Iliashenko 1, and Frederik Vercauteren 1,4 1 imec-cosic,
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationScale-Invariant Fully Homomorphic Encryption over the Integers
Scale-Invariant Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, Tancrède Lepoint 1,,3, and Mehdi Tibouchi 4 1 University of Luxembourg, Luxembourg jean-sebastien.coron@uni.lu École
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationPublic Key Cryptosystems RSA
Public Key Crytosystems RSA 57 17 Receiver Sender 41 19 and rime 53 Attacker 47 Public Key Crytosystems RSA Comute numbers n = * 2337 323 57 17 Receiver Sender 41 19 and rime 53 Attacker 2491 47 Public
More informationAN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES. 1. Introduction
J. Al. Math. & Comuting Vol. 20(2006), No. 1-2,. 485-489 AN IMPROVED BABY-STEP-GIANT-STEP METHOD FOR CERTAIN ELLIPTIC CURVES BYEONG-KWEON OH, KIL-CHAN HA AND JANGHEON OH Abstract. In this aer, we slightly
More informationAdvanced Cryptography Midterm Exam
Advanced Crytograhy Midterm Exam Solution Serge Vaudenay 17.4.2012 duration: 3h00 any document is allowed a ocket calculator is allowed communication devices are not allowed the exam invigilators will
More informationCryptanalysis of a Homomorphic Encryption Scheme
Cryptanalysis of a Homomorphic Encryption Scheme Sonia Bogos, John Gaspoz and Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland {soniamihaela.bogos, john.gaspoz, serge.vaudenay}@epfl.ch Abstract. Homomorphic
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationConversions among Several Classes of Predicate Encryption and Applications to ABE with Various Compactness Tradeoffs
Conversions among Several Classes of Predicate Encrytion and Alications to ABE with Various Comactness Tradeoffs Nuttaong Attraadung, Goichiro Hanaoka, and Shota Yamada National Institute of Advanced Industrial
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From k -th Power Residue Symbols Fabrice Benhamouda, Javier Herranz, Marc Joye 3, and Benoît Libert 4, ENS Paris, CNRS, INRIA, and PSL 45 rue d Ulm, 7530 Paris Cedex 06, France fabrice.benhamouda@ens.fr
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationOutline. EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Simple Error Detection Coding
Outline EECS150 - Digital Design Lecture 26 Error Correction Codes, Linear Feedback Shift Registers (LFSRs) Error detection using arity Hamming code for error detection/correction Linear Feedback Shift
More informationCDH/DDH-Based Encryption. K&L Sections , 11.4.
CDH/DDH-Based Encrytion K&L Sections 8.3.1-8.3.3, 11.4. 1 Cyclic grous A finite grou G of order q is cyclic if it has an element g of q. { 0 1 2 q 1} In this case, G = g = g, g, g,, g ; G is said to be
More informationBilinear Entropy Expansion from the Decisional Linear Assumption
Bilinear Entroy Exansion from the Decisional Linear Assumtion Lucas Kowalczyk Columbia University luke@cs.columbia.edu Allison Bisho Lewko Columbia University alewko@cs.columbia.edu Abstract We develo
More informationCryptography. Lecture 8. Arpita Patra
Crytograhy Lecture 8 Arita Patra Quick Recall and Today s Roadma >> Hash Functions- stands in between ublic and rivate key world >> Key Agreement >> Assumtions in Finite Cyclic grous - DL, CDH, DDH Grous
More informationA New and Optimal Chosen-message Attack on RSA-type Cryptosystems
Published in Y. Han, T. Okamoto, and S. Qing, eds, Information and Communications Security (ICICS 97), vol. 1334 of Lecture Notes in Comer Science,. 30-313, Sringer-Verlag, 1997. A New and Otimal Chosen-message
More informationA Public-Key Cryptosystem Based on Lucas Sequences
Palestine Journal of Mathematics Vol. 1(2) (2012), 148 152 Palestine Polytechnic University-PPU 2012 A Public-Key Crytosystem Based on Lucas Sequences Lhoussain El Fadil Communicated by Ayman Badawi MSC2010
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Published in Journal of Crytology, 30(2:519 549, 2017. Efficient Crytosystems From 2 k -th Power Residue Symbols Fabrice Benhamouda 1, Javier Herranz 2, Marc Joye 3, and Benoît Libert 4, 1 ES Paris, CRS,
More informationNUMBER SYSTEMS. Number theory is the study of the integers. We denote the set of integers by Z:
NUMBER SYSTEMS Number theory is the study of the integers. We denote the set of integers by Z: Z = {..., 3, 2, 1, 0, 1, 2, 3,... }. The integers have two oerations defined on them, addition and multilication,
More informationEfficient Cryptosystems From 2 k -th Power Residue Symbols
Efficient Crytosystems From 2 k -th Power Residue Symbols Marc Joye and Benoît Libert Technicolor 975 avenue des Chams Blancs, 35576 Cesson-Sévigné Cedex, France {marc.joye,benoit.libert}@technicolor.com
More informationCryptography Assignment 3
Crytograhy Assignment Michael Orlov orlovm@cs.bgu.ac.il) Yanik Gleyzer yanik@cs.bgu.ac.il) Aril 9, 00 Abstract Solution for Assignment. The terms in this assignment are used as defined in [1]. In some
More informationA Full Homomorphic Message Authenticator with Improved Efficiency
International Journal of Computer and Communication Engineering, Vol. 3, No. 4, July 2014 A Full Homomorphic Message Authenticator with Improved Efficiency Wenbin Chen and Hao Lei Abstract In the system
More informationEfficient Chosen-Ciphtertext Secure Public Key Encryption Scheme From Lattice Assumption
Appl. Math. Inf. Sci. 8, No. 2, 633-638 (2014) 633 Applied Mathematics & Information Sciences An International Journal http://dx.doi.org/10.12785/amis/080221 Efficient Chosen-Ciphtertext Secure Public
More informationApproximating min-max k-clustering
Aroximating min-max k-clustering Asaf Levin July 24, 2007 Abstract We consider the roblems of set artitioning into k clusters with minimum total cost and minimum of the maximum cost of a cluster. The cost
More informationGOOD MODELS FOR CUBIC SURFACES. 1. Introduction
GOOD MODELS FOR CUBIC SURFACES ANDREAS-STEPHAN ELSENHANS Abstract. This article describes an algorithm for finding a model of a hyersurface with small coefficients. It is shown that the aroach works in
More informationFactorability in the ring Z[ 5]
University of Nebraska - Lincoln DigitalCommons@University of Nebraska - Lincoln Dissertations, Theses, and Student Research Paers in Mathematics Mathematics, Deartment of 4-2004 Factorability in the ring
More informationMODULAR FORMS, HYPERGEOMETRIC FUNCTIONS AND CONGRUENCES
MODULAR FORMS, HYPERGEOMETRIC FUNCTIONS AND CONGRUENCES MATIJA KAZALICKI Abstract. Using the theory of Stienstra and Beukers [9], we rove various elementary congruences for the numbers ) 2 ) 2 ) 2 2i1
More informationA CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS. 1. Abstract
A CONCRETE EXAMPLE OF PRIME BEHAVIOR IN QUADRATIC FIELDS CASEY BRUCK 1. Abstract The goal of this aer is to rovide a concise way for undergraduate mathematics students to learn about how rime numbers behave
More informationCombining Logistic Regression with Kriging for Mapping the Risk of Occurrence of Unexploded Ordnance (UXO)
Combining Logistic Regression with Kriging for Maing the Risk of Occurrence of Unexloded Ordnance (UXO) H. Saito (), P. Goovaerts (), S. A. McKenna (2) Environmental and Water Resources Engineering, Deartment
More informationOn Nonlinear Polynomial Selection and Geometric Progression (mod N) for Number Field Sieve
On onlinear Polynomial Selection and Geometric Progression (mod ) for umber Field Sieve amhun Koo, Gooc Hwa Jo, and Soonhak Kwon Email: komaton@skku.edu, achimheasal@nate.com, shkwon@skku.edu Det. of Mathematics,
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry IBM Shai Halevi IBM Nigel P. Smart University of Bristol December 15, 2011 Abstract Gentry s bootstrapping technique is currently the only
More informationMobius Functions, Legendre Symbols, and Discriminants
Mobius Functions, Legendre Symbols, and Discriminants 1 Introduction Zev Chonoles, Erick Knight, Tim Kunisky Over the integers, there are two key number-theoretic functions that take on values of 1, 1,
More informationHENSEL S LEMMA KEITH CONRAD
HENSEL S LEMMA KEITH CONRAD 1. Introduction In the -adic integers, congruences are aroximations: for a and b in Z, a b mod n is the same as a b 1/ n. Turning information modulo one ower of into similar
More informationImproved Hidden Vector Encryption with Short Ciphertexts and Tokens
Imroved Hidden Vector Encrytion with Short Cihertexts and Tokens Kwangsu Lee Dong Hoon Lee Abstract Hidden vector encrytion HVE) is a articular kind of redicate encrytion that is an imortant crytograhic
More informationSQUARES IN Z/NZ. q = ( 1) (p 1)(q 1)
SQUARES I Z/Z We study squares in the ring Z/Z from a theoretical and comutational oint of view. We resent two related crytograhic schemes. 1. SQUARES I Z/Z Consider for eamle the rime = 13. Write the
More informationON THE LEAST SIGNIFICANT p ADIC DIGITS OF CERTAIN LUCAS NUMBERS
#A13 INTEGERS 14 (014) ON THE LEAST SIGNIFICANT ADIC DIGITS OF CERTAIN LUCAS NUMBERS Tamás Lengyel Deartment of Mathematics, Occidental College, Los Angeles, California lengyel@oxy.edu Received: 6/13/13,
More informationTight Adaptively Secure Broadcast Encryption with Short Ciphertexts and Keys
Tight Adatively Secure Broadcast Encrytion with Short Cihertexts and Keys Romain Gay ENS, Paris, France romain.gay@ens.fr Lucas Kowalczyk Columbia University luke@cs.columbia.edu Hoeteck Wee ENS, Paris,
More informationPredicate Encryption Supporting Disjunctions, Polynomial Equations, and Inner Products
Predicate Encrytion Suorting Disjunctions, Polynomial Equations, and Inner Products Jonathan Katz jkatz@cs.umd.edu Amit Sahai sahai@cs.ucla.edu Brent Waters bwaters@csl.sri.com Abstract Predicate encrytion
More informationLinear diophantine equations for discrete tomography
Journal of X-Ray Science and Technology 10 001 59 66 59 IOS Press Linear diohantine euations for discrete tomograhy Yangbo Ye a,gewang b and Jiehua Zhu a a Deartment of Mathematics, The University of Iowa,
More information#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS
#A64 INTEGERS 18 (2018) APPLYING MODULAR ARITHMETIC TO DIOPHANTINE EQUATIONS Ramy F. Taki ElDin Physics and Engineering Mathematics Deartment, Faculty of Engineering, Ain Shams University, Cairo, Egyt
More informationFinding Shortest Hamiltonian Path is in P. Abstract
Finding Shortest Hamiltonian Path is in P Dhananay P. Mehendale Sir Parashurambhau College, Tilak Road, Pune, India bstract The roblem of finding shortest Hamiltonian ath in a eighted comlete grah belongs
More informationEfficient Hardware Architecture of SEED S-box for Smart Cards
JOURNL OF SEMICONDUCTOR TECHNOLOY ND SCIENCE VOL.4 NO.4 DECEMBER 4 37 Efficient Hardware rchitecture of SEED S-bo for Smart Cards Joon-Ho Hwang bstract This aer resents an efficient architecture that otimizes
More informationBayesian System for Differential Cryptanalysis of DES
Available online at www.sciencedirect.com ScienceDirect IERI Procedia 7 (014 ) 15 0 013 International Conference on Alied Comuting, Comuter Science, and Comuter Engineering Bayesian System for Differential
More informationHomework Set #3 Rates definitions, Channel Coding, Source-Channel coding
Homework Set # Rates definitions, Channel Coding, Source-Channel coding. Rates (a) Channels coding Rate: Assuming you are sending 4 different messages using usages of a channel. What is the rate (in bits
More informationMODELING THE RELIABILITY OF C4ISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL
Technical Sciences and Alied Mathematics MODELING THE RELIABILITY OF CISR SYSTEMS HARDWARE/SOFTWARE COMPONENTS USING AN IMPROVED MARKOV MODEL Cezar VASILESCU Regional Deartment of Defense Resources Management
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg {jean-sebastien.coron, avradip.mandal}@uni.lu
More informationMATH342 Practice Exam
MATH342 Practice Exam This exam is intended to be in a similar style to the examination in May/June 2012. It is not imlied that all questions on the real examination will follow the content of the ractice
More informationElementary Analysis in Q p
Elementary Analysis in Q Hannah Hutter, May Szedlák, Phili Wirth November 17, 2011 This reort follows very closely the book of Svetlana Katok 1. 1 Sequences and Series In this section we will see some
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationSolvability and Number of Roots of Bi-Quadratic Equations over p adic Fields
Malaysian Journal of Mathematical Sciences 10(S February: 15-35 (016 Secial Issue: The 3 rd International Conference on Mathematical Alications in Engineering 014 (ICMAE 14 MALAYSIAN JOURNAL OF MATHEMATICAL
More informationCERIAS Tech Report The period of the Bell numbers modulo a prime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education
CERIAS Tech Reort 2010-01 The eriod of the Bell numbers modulo a rime by Peter Montgomery, Sangil Nahm, Samuel Wagstaff Jr Center for Education and Research Information Assurance and Security Purdue University,
More informationMersenne and Fermat Numbers
NUMBER THEORY CHARLES LEYTEM Mersenne and Fermat Numbers CONTENTS 1. The Little Fermat theorem 2 2. Mersenne numbers 2 3. Fermat numbers 4 4. An IMO roblem 5 1 2 CHARLES LEYTEM 1. THE LITTLE FERMAT THEOREM
More informationFully Homomorphic Encryption using Hidden Ideal Lattice
1 Fully Homomorphic Encryption using Hidden Ideal Lattice Thomas Plantard, Willy Susilo, Senior Member, IEEE, Zhenfei Zhang Abstract All the existing fully homomorphic encryption schemes are based on three
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationA Modified Menezes-Vanstone Elliptic Curve Multi-Keys Cryptosystem
A Modified Menezes-Vanstone Ellitic Curve Multi-Keys Crytosystem By K.H. Rahouma Electrical Technology Deartment Technical College in Riyadh Riyadh, Kingdom of Saudi Arabia E-mail: kamel_rahouma@yahoo.com
More informationThe Smart-Vercauteren Fully Homomorphic Encryption Scheme
The Smart-Vercauteren Fully Homomorphic Encryption Scheme Vidar Klungre Master of Science in Physics and Mathematics Submission date: June 2012 Supervisor: Kristian Gjøsteen, MATH Norwegian University
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationComputer arithmetic. Intensive Computation. Annalisa Massini 2017/2018
Comuter arithmetic Intensive Comutation Annalisa Massini 7/8 Intensive Comutation - 7/8 References Comuter Architecture - A Quantitative Aroach Hennessy Patterson Aendix J Intensive Comutation - 7/8 3
More informationShadow Computing: An Energy-Aware Fault Tolerant Computing Model
Shadow Comuting: An Energy-Aware Fault Tolerant Comuting Model Bryan Mills, Taieb Znati, Rami Melhem Deartment of Comuter Science University of Pittsburgh (bmills, znati, melhem)@cs.itt.edu Index Terms
More informationMATH 371 Class notes/outline October 15, 2013
MATH 371 Class notes/outline October 15, 2013 More on olynomials We now consider olynomials with coefficients in rings (not just fields) other than R and C. (Our rings continue to be commutative and have
More informationWhen do the Fibonacci invertible classes modulo M form a subgroup?
Annales Mathematicae et Informaticae 41 (2013). 265 270 Proceedings of the 15 th International Conference on Fibonacci Numbers and Their Alications Institute of Mathematics and Informatics, Eszterházy
More informationt s (p). An Introduction
Notes 6. Quadratic Gauss Sums Definition. Let a, b Z. Then we denote a b if a divides b. Definition. Let a and b be elements of Z. Then c Z s.t. a, b c, where c gcda, b max{x Z x a and x b }. 5, Chater1
More informationMath 4400/6400 Homework #8 solutions. 1. Let P be an odd integer (not necessarily prime). Show that modulo 2,
MATH 4400 roblems. Math 4400/6400 Homework # solutions 1. Let P be an odd integer not necessarily rime. Show that modulo, { P 1 0 if P 1, 7 mod, 1 if P 3, mod. Proof. Suose that P 1 mod. Then we can write
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More information19th Bay Area Mathematical Olympiad. Problems and Solutions. February 28, 2017
th Bay Area Mathematical Olymiad February, 07 Problems and Solutions BAMO- and BAMO- are each 5-question essay-roof exams, for middle- and high-school students, resectively. The roblems in each exam are
More informationDistribution of Matrices with Restricted Entries over Finite Fields
Distribution of Matrices with Restricted Entries over Finite Fields Omran Ahmadi Deartment of Electrical and Comuter Engineering University of Toronto, Toronto, ON M5S 3G4, Canada oahmadid@comm.utoronto.ca
More informationAn Estimate For Heilbronn s Exponential Sum
An Estimate For Heilbronn s Exonential Sum D.R. Heath-Brown Magdalen College, Oxford For Heini Halberstam, on his retirement Let be a rime, and set e(x) = ex(2πix). Heilbronn s exonential sum is defined
More informationFULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationQUADRATIC RECIPROCITY
QUADRATIC RECIPROCITY JORDAN SCHETTLER Abstract. The goals of this roject are to have the reader(s) gain an areciation for the usefulness of Legendre symbols and ultimately recreate Eisenstein s slick
More informationSolved Problems. (a) (b) (c) Figure P4.1 Simple Classification Problems First we draw a line between each set of dark and light data points.
Solved Problems Solved Problems P Solve the three simle classification roblems shown in Figure P by drawing a decision boundary Find weight and bias values that result in single-neuron ercetrons with the
More informationUnit 1 - Computer Arithmetic
FIXD-POINT (FX) ARITHMTIC Unit 1 - Comuter Arithmetic INTGR NUMBRS n bit number: b n 1 b n 2 b 0 Decimal Value Range of values UNSIGND n 1 SIGND D = b i 2 i D = 2 n 1 b n 1 + b i 2 i n 2 i=0 i=0 [0, 2
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More information2-D Analysis for Iterative Learning Controller for Discrete-Time Systems With Variable Initial Conditions Yong FANG 1, and Tommy W. S.
-D Analysis for Iterative Learning Controller for Discrete-ime Systems With Variable Initial Conditions Yong FANG, and ommy W. S. Chow Abstract In this aer, an iterative learning controller alying to linear
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationA construction of bent functions from plateaued functions
A construction of bent functions from lateaued functions Ayca Cesmelioglu, Wilfried Meidl To cite this version: Ayca Cesmelioglu, Wilfried Meidl. A construction of bent functions from lateaued functions.
More information2 Asymptotic density and Dirichlet density
8.785: Analytic Number Theory, MIT, sring 2007 (K.S. Kedlaya) Primes in arithmetic rogressions In this unit, we first rove Dirichlet s theorem on rimes in arithmetic rogressions. We then rove the rime
More informationBatch Fully Homomorphic Encryption over the Integers
Batch Fully Homomorphic Encryption over the Integers Jung Hee Cheon 1, Jean-Sébastien Coron 2, Jinsu Kim 1, Moon Sung Lee 1, Tancrède Lepoint 3,4, Mehdi Tibouchi 5, and Aaram Yun 6 1 Seoul National University
More informationA CRITERION FOR POLYNOMIALS TO BE CONGRUENT TO THE PRODUCT OF LINEAR POLYNOMIALS (mod p) ZHI-HONG SUN
A CRITERION FOR POLYNOMIALS TO BE CONGRUENT TO THE PRODUCT OF LINEAR POLYNOMIALS (mod ) ZHI-HONG SUN Deartment of Mathematics, Huaiyin Teachers College, Huaian 223001, Jiangsu, P. R. China e-mail: hyzhsun@ublic.hy.js.cn
More informationOn generalizing happy numbers to fractional base number systems
On generalizing hay numbers to fractional base number systems Enriue Treviño, Mikita Zhylinski October 17, 018 Abstract Let n be a ositive integer and S (n) be the sum of the suares of its digits. It is
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationMATHEMATICAL MODELLING OF THE WIRELESS COMMUNICATION NETWORK
Comuter Modelling and ew Technologies, 5, Vol.9, o., 3-39 Transort and Telecommunication Institute, Lomonosov, LV-9, Riga, Latvia MATHEMATICAL MODELLIG OF THE WIRELESS COMMUICATIO ETWORK M. KOPEETSK Deartment
More information