GGHLite: More Efficient Multilinear Maps from Ideal Lattices
|
|
- Jason Parks
- 5 years ago
- Views:
Transcription
1 GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9
2 Our main result Decrease size of public parameters from O(λ 5 log λ) to O(λ log λ) Lower size of parameters and finer security analysis A more efficient cryptographic multilinear maps, obtained by formalizing, simplifying and improving the re-randomization process in the GGH construction. For each encoding Garg, Gentry and Halevi 3 Adeline Langlois GGHLite May, 4 / 9
3 Outline Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 3/ 9
4 Plan Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 4/ 9
5 Diffie-Hellman Key Exchange (976) Choose x U(Z q ) y = g x y = g x Choose x U(Z q ) Alice Bob Agreed secret key: K = g xx = y x = y x Security: Decisional Diffie-Hellman problem, DDH: For x, x, x 3 U(Z q), distinguish between (g x, g x, g x x ) and (g x, g x, g x 3 ). Adeline Langlois GGHLite May, 4 5/ 9
6 Cryptographic Multilinear Maps st Century variant Group of N > parties want to communicate privately via cloud. Choose x Z q Choose x 3 Z q y = g x Choose x Z q y = g x y 3 = g x 3 y N = g x N Choose x N Z q Secret key K = e(g,..., g) x x N = e(y, y 3,..., y N ) x. Security: Hardness of Multilinear Decisional DH problem, MDDH: For x,..., x N, x U(Z q), distinguish between (g x,..., g x N, e(g,..., g) x x N ) and (g x,..., g x N, e(g,..., g) x ). Adeline Langlois GGHLite May, 4 6/ 9
7 Cryptographic Multilinear Maps History : Applications for elliptic curves pairings ( = ): : 3-party non-interactive key agreement [Joux], -: Identity-Based Encryption (IBE) [SakaiOhgishiKasahara,BonehFranklin], -3: lots of others. : Applications for -linear maps [BonehSilverberg3] ( + )-party non-interactive key agreement, and others... [GargGentryHalevi3] First plausible realization for >, via ideal lattices, Applications: -3: Functional Encryption for arbitrary functions, 3: Program obfuscation notions for arbitrary functions. 3: Variant over the integers [CoronLepointTibouchi3] 4: GGHLite More efficient variant of GGH (this talk). Adeline Langlois GGHLite May, 4 7/ 9
8 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- level- level- Adeline Langlois GGHLite May, 4 8/ 9
9 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- encode at level- level- level- Adeline Langlois GGHLite May, 4 8/ 9
10 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- encode at level- level- level- Adeline Langlois GGHLite May, 4 8/ 9
11 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding level- level- encode at any level level- Adeline Langlois GGHLite May, 4 8/ 9
12 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding Addition S (α+α) i level- + S (α +α ) level- level- Adeline Langlois GGHLite May, 4 8/ 9
13 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding Multiplication S (α α) i +i level- level- S (α α) with i + i level- Adeline Langlois GGHLite May, 4 8/ 9
14 -Graded encoding scheme A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding Multiplication S (α α) i +i level- level- S (α α) 3 with i + i level- Adeline Langlois GGHLite May, 4 8/ 9
15 -Graded encoding scheme key exchange A ring R Plain of plaintext and a ring R Enc of, with a system of sets S = {S (α) i R Enc : α R Plain, i }. level- encoding S (α) level- S (α) level- S (α) α = α i level- S (α) S (α) (using extraction) Adeline Langlois GGHLite May, 4 8/ 9
16 Plan Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 9/ 9
17 Notations Polynomial Ring: R = Z[x]/ x n + for n power of, R is isomorphic to the ring of integers of K = Q[e iπ/n ]: K Q[x]/ x n +, O K Z[x]/ x n +. Rich algebraic structure (great for design and proofs). Let q and Z q = Z/qZ. We let R Enc = Z q [x]/ x n +, Arithmetic in R q costs Õ(n log q). Rq is isomorphic to O K /(q). Adeline Langlois GGHLite May, 4 / 9
18 Lattices b b Lattice { i n x ib i : x i Z}, for some lin. indep. b i R n. Adeline Langlois GGHLite May, 4 / 9
19 Lattices λ λ Minimum: λ (Λ) = min( b : b Λ \ ) γ-svp Find b Λ with: < b γ λ (Λ). Lattice { i n x ib i : x i Z}, for some lin. indep. b i R n. No known sub-exp. algorithm for γ = poly(n), Not even quantumly, Seems harder than Int-Fac and DLog. Adeline Langlois GGHLite May, 4 / 9
20 Discrete Gaussian on lattices For a n-dimensional lattice Λ, a non-singular matrix S R n n : x Λ : D Λ,S,c [x] exp ( π S (x c) ). Example: if Λ = Z and S = s Adeline Langlois GGHLite May, 4 / 9
21 Discrete Gaussian on lattices For a n-dimensional lattice Λ, a non-singular matrix S Rn n : x Λ : DΛ,S,c [x] exp πks (x c)k. I small size (depending on S), I sum is still Gaussian. Adeline Langlois GGHLite May, 4 / 9
22 GGH: High Level Description g principal ideal over R(= Z[x]/ x n + ) with small g (secret), R Enc = R q R Plain = R/ g Plaintext: e element of R/ g, Level- encoding: [c/z] q for z U(R q) (secret). where c is a small coset representative of e + g, Level-k encoding: [c/z k ] q Adeline Langlois GGHLite May, 4 3/ 9
23 GGH: High Level Description g principal ideal over R(= Z[x]/ x n + ) with small g (secret), R Enc = R q R Plain = R/ g Plaintext: e element of R/ g, Level- encoding: [c/z] q for z U(R q) (secret). where c is a small coset representative of e + g, Level-k encoding: [c/z k ] q Adding add: Given level-k u = [c /z k ] q and u = [c /z k ] q: Return u = [u + u ] q, a level-k encoding of [c + c ] g. u = [u + u ] q = [(c + c )/z k ] q Multiplying mult: Given level-k encoding u = [c /z k ] q, level-k encoding u = [c /z k ] q: Return u = [u u ] q, a level-(k + k ) encoding of [c c ] g. u = [u u ] q = [(c c )/z k +k ] q Adeline Langlois GGHLite May, 4 3/ 9
24 GGH: High Level Description g principal ideal over R(= Z[x]/ x n + ) with small g (secret), R Enc = R q R Plain = R/ g Public parameter: y level- encoding of, Plaintext: e element of R/ g, Level- encoding: [c/z] q = [e y] q for z U(R q) (secret). where c is a small coset representative of e + g, Level-k encoding: [c/z k ] q = [e y k ] q Adeline Langlois GGHLite May, 4 3/ 9
25 GGH: randomization To ensure security need randomization of the Public parameters {x j } j [mr] level- of zero. Plaintext: e element of R/ g, Level- encoding: [u + j ρ jx j ] q = [(c + gr)/z] q, where ρ j is sampled from a discrete Gaussian over Z, q c + gr. Encoding of zero Adeline Langlois GGHLite May, 4 4/ 9
26 GGH: randomization To ensure security need randomization of the Public parameters {x j } j [mr] level- of zero. Plaintext: e element of R/ g, Level- encoding: [u + j ρ jx j ] q = [(c + gr)/z] q, where ρ j is sampled from a discrete Gaussian over Z, q c + gr. Encoding of zero Discrete Gaussian over Z Adeline Langlois GGHLite May, 4 4/ 9
27 GGH Instance generation InstGen( λ, ): Sample g D R,σ. Sample z U(R q). Sample a level- encoding of : set y = [a z ] q with a D + g,σ. For i, sample m r level-i of : (x (i) j ) j m r. Return public parameters par = (n, q, y, {x (i) j } j m r,i ). Level-k encoding enc k (par, e): Given e R/ g : Encode e at level k: Compute u = [e y k ] q (u = [c /z k ] q). Re-randomize: Sample ρ j χ k for j m r and return [ u = u + [ ] m r j= ρ j x(k) j = c + ] j ρ j b (k) j q z k q Extraction at level Adeline Langlois GGHLite May, 4 5/ 9
28 Which security? Ext Graded Decisional Diffie-Hellman Ext-GDDH: Given + level- encoding u i of plaintexts e i, distinguish between the extraction of a level- encoding of the product of the e i and the extraction of level- encoding of a random element. To ensure security need randomization of the Without re-randomization, e can be efficiently recovered from u = [e y] q and y (by computing [u y ] q ). Re-randomization can prevent this attack. With which parameters? This work: understand the security of the re-randomization and propose efficient GGH variant achieving this security. Adeline Langlois GGHLite May, 4 6/ 9
29 Plan Introduction Cryptographic multilinear maps Graded encoding scheme GGH Preliminaries The GGH scheme Hardness assumption: GDDH Our contributions: GGHLite Improving the re-randomization Reduction from cgcdh to GCDH New LHL over rings Parameters and applications Adeline Langlois GGHLite May, 4 7/ 9
30 GGHLite: Our contribution We improve encoding re-randomization in GGH m r level- of : {x j } j mr, To randomize u = [e y] q, output u = [u + j ρ jx j ] q, Randomizers ρ j s are sampled from D Z,σ j ρ jx j Gaussian. Adeline Langlois GGHLite May, 4 8/ 9
31 GGHLite: Our contribution We improve encoding re-randomization in GGH m r level- of : {x j } j mr, To randomize u = [e y] q, output u = [u + j ρ jx j ] q, Randomizers ρ j s are sampled from D Z,σ j ρ jx j Gaussian. Question : What does it mean to prevent correlation attack? Question : How large σ should be? Question : Why are the ρ j integers? Adeline Langlois GGHLite May, 4 8/ 9
32 GGHLite: Formalizing Re-randomization Security Informal requirement: Prevent correlation of statistical properties of re-randomized encoding with encoded element. Formal requirement: Breaking Ext-GCDH problem is as hard as breaking canonical Ext-GCDH problem. We define: GCDH: B has columns the b j s canonical GCDH: Given u i = [(c i + m r j= ρ j,i b j )z ] q Given u i = [ c i z ] q = [ c i z ] q = Enc (e i ) with c i D g +ei,σ B T, compute the extraction of a level encoding of the product c c +. c i D g +ei,σ B T,c i small centre c i. c i D g +ei,σ B T, zero centre. Adeline Langlois GGHLite May, 4 9/ 9
33 GGHLite: First Main Ingredient Question : How large σ should be? In GGH: Exponential drowning suffices: σ / c λ, Makes distribution of u (almost) independent of u, But incurs severe efficiency penalty. Need q λ, Security deteriorates exponentially with log q, Need quadratic dimension: n λ. GGHLite first ingredient: We show that polynomial drowning is sufficient for security, our analysis only seems to apply to computational GDH problem. We use Rényi Divergence in place of Statistical Distance in analysing re-randomized distribution vs. canonical one. Adeline Langlois GGHLite May, 4 / 9
34 GGHLite Re-randomization Security: First Ingredient Distribution of c i (with u i = [c i /z] q ): Ext-GCDH D D g +ei,σ B T,c i small centre c i. can-ext-gcdh D D g +ei,σ B T, zero centre. GGH strong requirement based on statistical distance (SD): (D, D ) def = x D (x) D (x), Adversary A Ext-GCDH with success ε A canext-gcdh with success ε ε ε (D, D ), To handle ε = λ, need (D, D ) < λ. Consequently, need σ = c i Ω(λ) (exponential drowning). Adeline Langlois GGHLite May, 4 / 9
35 GGHLite Re-randomization Security: First Ingredient Distribution of c i (with u i = [c i /z] q ): Ext-GCDH D D g +ei,σ B T,c i small centre c i. can-ext-gcdh D D g +ei,σ B T, zero centre. GGHLite weak requirement based on Rényi divergence (RD): R(D D ) def = x D (x) D (x), Adversary A Ext-GCDH with success ε A canext-gcdh with success ε ε ε R(D D ), Useful even if ε < R(D, D ) use R(D D ) poly(λ). For R(D D ) poly(λ), can use σ = O( ). c i log λ Adeline Langlois GGHLite May, 4 / 9
36 First Result about Re-Randomization Question : What does it mean to prevent this attack? Question : How large σ should be? canonical Ext-GCDH, Reduction from canonical Ext-GCDH to Ext-GCDH using Rényi divergence, No more exponential drowning, Value of σ : from Õ(n5.5 ) to Õ(λ λn 4.5 ). Adeline Langlois GGHLite May, 4 / 9
37 First Result about Re-Randomization Question : What does it mean to prevent this attack? Question : How large σ should be? canonical Ext-GCDH, Reduction from canonical Ext-GCDH to Ext-GCDH using Rényi divergence, No more exponential drowning, Value of σ : from Õ(n5.5 ) to Õ(λ λn 4.5 ). Question : Why are the ρ j integers? Adeline Langlois GGHLite May, 4 / 9
38 GGHLite: Second Main Ingredient Question : Why are the ρ j integers? In GGH construction: Needs m r = Ω(n log n) of, Uses rational integer Gaussian randomizers (ρ j Z), Uses a discrete Gaussian Leftover Hash Lemma (LHL) to show j m r ρ j b j distribution is close to a discrete Gaussian on g. GGHLite second ingredient: m r = of are sufficient Uses Gaussian randomizers over full ring (ρ j R), New algebraic variant of discrete Gaussian LHL over R: j m r ρ j b j distribution is close to a discrete Gaussian on g. Adeline Langlois GGHLite May, 4 3/ 9
39 GGHLite Re-randomization Security: Second Ingredient Distribution of c i (with u i = [c i /z] q ): D in Ext-GCDH problem: D g +ei,σ B T,c small centre c i i. [(c i + ρ b + ρ b )/z] q with ρ i D R,σ. How do we show ρ b + ρ b D g,σ B T,? (B = g [t, t ] R ) Step : Show T R = [t, t ] R = R, except for proba C <. Probability that two random algebraic integers are co-prime, Step : Study the orthogonal module lattice A T = {v R : T v = }. Bound the minima λ n(a T ) of the lattice, Apply known results [AGHS] on smoothing of Gaussians modulo a lattice. Adeline Langlois GGHLite May, 4 4/ 9
40 Second Result about Re-Randomization Question : What does it mean to prevent this attack? Question : How large σ should be? canonical Ext-GCDH, Reduction from canonical Ext-GCDH to Ext-GCDH using Rényi divergence, No more exponential drowning, Value of σ : from Õ(λ n 4.5 (λ + log )) to Õ(n4.5 log ). Question : Why are the ρ j integers? New algebraic variant of discrete Gaussian LHL over R, Number of re-randomizers: from Ω(n log n) to. Adeline Langlois GGHLite May, 4 5/ 9
41 GGHLite: Asymptotic Parameters For level: Parameter GGHLite GGH m r Ω(n log n) σ Õ(n 5.5 ) Õ( λ λn 4.5 ) q Õ((n.5 ) 8 ) Õ(( λ λ.5 n 8.5 ) 8 ) n O(λ log λ) O(λ ) enc O( λ log λ) O( λ 3 ) par O( 3 λ log λ) O( 4 λ 5 log λ) Adeline Langlois GGHLite May, 4 6/ 9
42 Adapting Applications of GGH to GGHLite Applications often need semantic security: no partial information on key leaks. GGH security analysis: Extraction Graded DDH problem Given u = Enc (c ),..., u N = Enc (c N ), Distinguish between the distributions where c is uniform in R/ g. v D = Ext(Enc N (c c N )) and v R = Ext(Enc N (c c c N )). GGHLite security analysis only to Extraction Graded Computational DH problem (Ext-GCDH). Adeline Langlois GGHLite May, 4 7/ 9
43 Adapting Applications of GGH to GGHLite Question: How to adapt GGH applications to rely on Ext-GCDH rather than GDDH? Answer: Replace K = ext(v) in original protocol by K = H(ext(v)) in modified protocol, where H( ) is a cryptographic hash function. If H( ) is modelled as a Random Oracle Model, then security of modified protocol relies on Ext-GCDH our GGHLite analysis applies. Adeline Langlois GGHLite May, 4 8/ 9
44 Conclusion GGHLite: a more efficient variant of GGH graded encoding scheme. Open Problems: Can our Rényi divergence analysis be applied to the Decision Graded Diffie Hellman problem? Understand the complexity of canonical Ext-GCDH problem provable relation to standard lattice problems? Understand relation between GGH/GGHLite and more recent Jigsaw puzzle variants (obfuscation). Concrete computational / space efficiency of GGHLite based on best known attacks? Adeline Langlois GGHLite May, 4 9/ 9
GGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois 1, Damien Stehlé 1, Ron Steinfeld 2 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS de Lyon, INRIA, UCBL), 46 Allée d Italie,
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois 1, Damien Stehlé 1, Ron Steinfeld 2 1 ENS de Lyon, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d Italie,
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationEvidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs
Evidence that the Diffie-Hellman Problem is as Hard as Computing Discrete Logs Jonah Brown-Cohen 1 Introduction The Diffie-Hellman protocol was one of the first methods discovered for two people, say Alice
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More information14 Diffie-Hellman Key Agreement
14 Diffie-Hellman Key Agreement 14.1 Cyclic Groups Definition 14.1 Example Let д Z n. Define д n = {д i % n i Z}, the set of all powers of д reduced mod n. Then д is called a generator of д n, and д n
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationIntroduction to Elliptic Curve Cryptography. Anupam Datta
Introduction to Elliptic Curve Cryptography Anupam Datta 18-733 Elliptic Curve Cryptography Public Key Cryptosystem Duality between Elliptic Curve Cryptography and Discrete Log Based Cryptography Groups
More informationCryptography and Security Midterm Exam
Cryptography and Security Midterm Exam Serge Vaudenay 23.11.2017 duration: 1h45 no documents allowed, except one 2-sided sheet of handwritten notes a pocket calculator is allowed communication devices
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationProvable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval
Provable Security for Public-Key Schemes I Basics David Pointcheval Ecole normale supérieure, CNRS & INRIA IACR-SEAMS School Cryptographie: Foundations and New Directions November 2016 Hanoi Vietnam Introduction
More informationImmunizing Multilinear Maps Against Zeroizing Attacks
Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé
More informationLecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security
Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security Boaz Barak November 21, 2007 Cyclic groups and discrete log A group G is cyclic if there exists a generator
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationCS 395T. Probabilistic Polynomial-Time Calculus
CS 395T Probabilistic Polynomial-Time Calculus Security as Equivalence Intuition: encryption scheme is secure if ciphertext is indistinguishable from random noise Intuition: protocol is secure if it is
More informationAn Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without an encoding of zero Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University (SNU), Republic of Korea Abstract.
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More information2. Cryptography 2.5. ElGamal cryptosystems and Discrete logarithms
CRYPTOGRAPHY 19 Cryptography 5 ElGamal cryptosystems and Discrete logarithms Definition Let G be a cyclic group of order n and let α be a generator of G For each A G there exists an uniue 0 a n 1 such
More informationImproved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance
Improved security proofs in lattice-based cryptography: using the Rényi divergence rather than the statistical distance Shi Bai, Tancrède Lepoint 3, Adeline Roux-Langlois 4, Amin Sakzad 5, Damien Stehlé
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More informationCS 355: Topics in Cryptography Spring Problem Set 5.
CS 355: Topics in Cryptography Spring 2018 Problem Set 5 Due: June 8, 2018 at 5pm (submit via Gradescope) Instructions: You must typeset your solution in LaTeX using the provided template: https://crypto.stanford.edu/cs355/homework.tex
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationComputational Number Theory. Adam O Neill Based on
Computational Number Theory Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Secret Key Exchange - * Is Alice Ka Public Network Ka = KB O KB 0^1 Eve should have a hard time getting information
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationAn Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero
An Algorithm for NTRU Problems and Cryptanalysis of the GGH Multilinear Map without a Low Level Encoding of Zero Jung Hee Cheon Jinhyuck Jeong Changmin Lee Seoul National University (SNU) Republic of Korea
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationGraph-Induced Multilinear Maps from Lattices
Graph-Induced Multilinear Maps from Lattices Craig Gentry IBM Sergey Gorbunov MIT November 11, 2014 Shai Halevi IBM Abstract Graded multilinear encodings have found extensive applications in cryptography
More informationElliptic curves: Theory and Applications. Day 4: The discrete logarithm problem.
Elliptic curves: Theory and Applications. Day 4: The discrete logarithm problem. Elisa Lorenzo García Université de Rennes 1 14-09-2017 Elisa Lorenzo García (Rennes 1) Elliptic Curves 4 14-09-2017 1 /
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationLecture 7: ElGamal and Discrete Logarithms
Lecture 7: ElGamal and Discrete Logarithms Johan Håstad, transcribed by Johan Linde 2006-02-07 1 The discrete logarithm problem Recall that a generator g of a group G is an element of order n such that
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationPUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS
PUBLIC KEY EXCHANGE USING MATRICES OVER GROUP RINGS DELARAM KAHROBAEI, CHARALAMBOS KOUPPARIS, AND VLADIMIR SHPILRAIN Abstract. We offer a public key exchange protocol in the spirit of Diffie-Hellman, but
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationPolynomial Interpolation in the Elliptic Curve Cryptosystem
Journal of Mathematics and Statistics 7 (4): 326-331, 2011 ISSN 1549-3644 2011 Science Publications Polynomial Interpolation in the Elliptic Curve Cryptosystem Liew Khang Jie and Hailiza Kamarulhaili School
More informationOn Ideal Lattices and Learning with Errors Over Rings
On Ideal Lattices and Learning with Errors Over Rings Vadim Lyubashevsky, Chris Peikert, and Oded Regev Abstract. The learning with errors (LWE) problem is to distinguish random linear equations, which
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationYou could have invented Supersingular Isogeny Diffie-Hellman
You could have invented Supersingular Isogeny Diffie-Hellman Lorenz Panny Technische Universiteit Eindhoven Πλατανιάς, Κρήτη, 11 October 2017 1 / 22 Shor s algorithm 94 Shor s algorithm quantumly breaks
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationThe Elliptic Curve in https
The Elliptic Curve in https Marco Streng Universiteit Leiden 25 November 2014 Marco Streng (Universiteit Leiden) The Elliptic Curve in https 25-11-2014 1 The s in https:// HyperText Transfer Protocol
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationPost-Quantum Cryptography
Post-Quantum Cryptography Sebastian Schmittner Institute for Theoretical Physics University of Cologne 2015-10-26 Talk @ U23 @ CCC Cologne This work is licensed under a Creative Commons Attribution-ShareAlike
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationSecure and Practical Identity-Based Encryption
Secure and Practical Identity-Based Encryption David Naccache Groupe de Cyptographie, Deṕartement d Informatique École Normale Supérieure 45 rue d Ulm, 75005 Paris, France david.nacache@ens.fr Abstract.
More informationAn Algorithm for NTRU Problems
An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems 2016. 8. 29. 1 / 27 Introduction The NTRU
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationCurves, Cryptography, and Primes of the Form x 2 + y 2 D
Curves, Cryptography, and Primes of the Form x + y D Juliana V. Belding Abstract An ongoing challenge in cryptography is to find groups in which the discrete log problem hard, or computationally infeasible.
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationCryptanalysis of GGH15 Multilinear Maps
Cryptanalysis of GGH15 Multilinear Maps Jean-Sébastien Coron 1, Moon Sung Lee 1, Tancrède Lepoint 2, and Mehdi Tibouchi 3 1 University of Luxembourg 2 CryptoExperts 3 NTT Secure Platform Laboratories June
More informationShort generators without quantum computers: the case of multiquadratics
Short generators without quantum computers: the case of multiquadratics Daniel J. Bernstein University of Illinois at Chicago 31 July 2017 https://multiquad.cr.yp.to Joint work with: Jens Bauch & Henry
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationCourse Business. Homework 3 Due Now. Homework 4 Released. Professor Blocki is travelling, but will be back next week
Course Business Homework 3 Due Now Homework 4 Released Professor Blocki is travelling, but will be back next week 1 Cryptography CS 555 Week 11: Discrete Log/DDH Applications of DDH Factoring Algorithms,
More informationLecture 2: Program Obfuscation - II April 1, 2009
Advanced Topics in Cryptography Lecture 2: Program Obfuscation - II April 1, 2009 Lecturer: S. Goldwasser, M. Naor Scribe by: R. Marianer, R. Rothblum Updated: May 3, 2009 1 Introduction Barak et-al[1]
More informationDimension-Preserving Reductions Between Lattice Problems
Dimension-Preserving Reductions Between Lattice Problems Noah Stephens-Davidowitz Courant Institute of Mathematical Sciences, New York University. noahsd@cs.nyu.edu Last updated September 6, 2016. Abstract
More informationCryptographical Security in the Quantum Random Oracle Model
Cryptographical Security in the Quantum Random Oracle Model Center for Advanced Security Research Darmstadt (CASED) - TU Darmstadt, Germany June, 21st, 2012 This work is licensed under a Creative Commons
More informationarxiv: v3 [cs.cr] 15 Jun 2017
Use of Signed Permutations in Cryptography arxiv:1612.05605v3 [cs.cr] 15 Jun 2017 Iharantsoa Vero RAHARINIRINA ihvero@yahoo.fr Department of Mathematics and computer science, Faculty of Sciences, BP 906
More informationPublic-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange
Public-Key Cryptography Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange Shared/Symmetric-Key Encryption (a.k.a. private-key encryption) SKE: Syntax KeyGen outputs K K E scheme E Syntax a.k.a.
More informationRecovering Short Generators of Principal Ideals: Extensions and Open Problems
Recovering Short Generators of Principal Ideals: Extensions and Open Problems Chris Peikert University of Michigan and Georgia Tech 2 September 2015 Math of Crypto @ UC Irvine 1 / 7 Where We Left Off Short
More informationReport on Learning with Errors over Rings-based HILA5 and its CCA Security
Report on Learning with Errors over Rings-based HILA5 and its CCA Security Jesús Antonio Soto Velázquez January 24, 2018 Abstract HILA5 is a cryptographic primitive based on lattices that was submitted
More informationCOMS W4995 Introduction to Cryptography October 12, Lecture 12: RSA, and a summary of One Way Function Candidates.
COMS W4995 Introduction to Cryptography October 12, 2005 Lecture 12: RSA, and a summary of One Way Function Candidates. Lecturer: Tal Malkin Scribes: Justin Cranshaw and Mike Verbalis 1 Introduction In
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationA New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring
Volume 117 No. 14 2017, 247-252 ISSN: 1311-8080 (printed version); ISSN: 1314-3395 (on-line version) url: http://www.ijpam.eu ijpam.eu A New Key Exchange Protocol Based on DLP and FP in Centralizer Near-Ring
More informationLecture 17: Constructions of Public-Key Encryption
COM S 687 Introduction to Cryptography October 24, 2006 Lecture 17: Constructions of Public-Key Encryption Instructor: Rafael Pass Scribe: Muthu 1 Secure Public-Key Encryption In the previous lecture,
More information