Fixed-Point Arithmetic in SHE Schemes
1 Fixed-Point Arithmetic in SHE Schemes. Anamaria Costache (1), Nigel P. Smart (1), Srinivas Vivek (1), Adrian Waller (2). (1) University of Bristol, (2) Thales UK Research & Technology. July 6, 2016.
2 Outline: Motivation; Encoding integers and fixed-point numbers; Lower bounds on ring parameters; Application to homomorphic image processing; Conclusion.
3 Motivation
4 Somewhat Homomorphic Encryption. Huge improvement in efficiency of FHE schemes since. Yet, practical FHE schemes seem out of reach. Goal: to obtain practical SHE schemes for a given class of functions.
7 Problem 1: how to encode/decode the data types of an application into an SHE scheme? Application: emulate fixed-point arithmetic. Target SHE schemes: ring-based SHE schemes, currently among the most efficient, with plaintext space R = Z[X]/(Φ_m(X), p). The encoding considerably affects efficiency: working with binary circuits is usually inefficient in practice.
11 Problem 2. The parameters of an SHE scheme depend upon the multiplicative depth, the plaintext modulus p and the degree of the ring d, and the security level. Problem 2: derive lower bounds on the plaintext modulus p, to ensure no wrap-around modulo p, and on the degree of the ring d, to ensure no wrap-around modulo Φ_m(X).
15 Problem 1: Encoding data types
16 Encoding integers: Scalar encoding. Integer encoded as the constant term. p must be greater than the largest integer occurring. For a regular circuit of multiplicative depth M, with A additions per multiplicative level, and inputs in [−L, ..., L]: p > 2 · 2^{A(2^{M+1} − 2)} · L^{2^M}.
19 Encoding integers: Non-balanced base-B encoding. Integer encoded as the polynomial corresponding to its base-B expansion, with coefficients in [0, ..., B − 1]. Example: 19 ↦ 2X^2 + 1 when base B = 3. Smaller-sized coefficients compared to scalar encoding. Every coefficient has the same sign.
23 Encoding integers: Balanced base-B encoding. Integer encoded as the polynomial corresponding to its balanced base-B expansion, with coefficients instead in [−(B − 1)/2, ..., (B − 1)/2]. Example: 19 ↦ X^3 − X^2 + 1 when balanced base B = 3. Tradeoff: size of the coefficients versus degree of the encodings. B = 3 turns out to be optimal. Deriving bounds on the size of the coefficients is more challenging.
28 Encoding fixed-point numbers: Scaled integer encoding. Fixed-point number encoded as an integer scaled down by a power of a base B: y = y⁺.y⁻ ↦ (q(X), i) with y = q(B) · B^{−i}, where the integer itself is represented by a balanced base-B encoding. Example: 6.33 ↦ (X^3 − X^2 + 1, 1) when balanced base B = 3.
30 Encoding fixed-point numbers: Scaled integer encoding. Addition ⊕: (q(X), i) ⊕ (q'(X), i') =: (Q, I), where (Q, I) = (q + q' · X^{i−i'}, i) if i > i', and (Q, I) = (q · X^{i'−i} + q', i') if i ≤ i'. Multiplication ⊗: (q(X), i) ⊗ (q'(X), i') = (q(X) · q'(X), i + i').
32 Encoding fixed-point numbers: Scaled integer encoding. Let R_1 = {(q, i) | q ∈ Z[X]/Φ_m(X), i ∈ Z/φ(m)Z}. R_1 is a ring w.r.t. ⊕ and ⊗. Disadvantage: the exponent i has to be kept track of in the clear for every ciphertext; not an issue if the evaluated circuit is public. Bounds: same as for the balanced base integer representation.
36 Encoding fixed-point numbers: Fractional encoding. Proposed by [Dowlin et al. 2015]. Closely related to the Laurent polynomial representation. Suppose we are working in Z[X]/(X^n + 1). y = y⁺.y⁻ ↦ Σ_{0 ≤ i ≤ I⁺} b_i X^i + Σ_{0 < i ≤ I⁻} b_{−i} X^{−i} (mod X^n + 1). Since X^n ≡ −1 (mod X^n + 1), y = y⁺.y⁻ ↦ Σ_{0 ≤ i ≤ I⁺} b_i X^i − Σ_{0 < i ≤ I⁻} b_{−i} X^{n−i} (mod X^n + 1).
40 Encoding fixed-point numbers: Fractional encoding. Example: in Z[X]/(X^8 + 1) with balanced base B = 3, 6.33 ↦ −X^7 + X^2 − X. Advantage: dispenses with the need for tracking the exponent; but the coefficients need to be separated into integer and fractional parts. Disadvantage: works only in power-of-two cyclotomic rings, with no slots for SIMD operations. Addition and multiplication: as in R_2 := Z[X]/(X^n + 1). Bounds: seem more complicated than in the scaled integer case?
45 Problem 2: bounding size of coefficients
46 Upper bounds on coefficients. Problem: compute the maximum size of the coefficients in the encodings, given a circuit description and bounds on the input numbers. Our contribution: an efficient computational procedure to bound arbitrary circuits (precisely determining the maximum values can be very expensive), and closed-form upper bounds for regular circuits.
48 Upper bounds on coefficients. Two cases: balanced base-3 integer encoding; scaled integer encoding and fractional encoding (modulo X^n + 1) for fixed-point numbers.
49 Equivalence: scaled integer vs. fractional encoding. Ring R_1 of scaled integer encodings: R_1 := {(q, i) | q ∈ Z[X]/(X^n + 1), i ∈ Z/nZ}. Ring R_2 of fractional encodings: R_2 := Z[X]/(X^n + 1). R_1 is isomorphic to R_2 via Ψ : R_1 → R_2, (q := q_I · X^i + q_F, i) ↦ q_I − q_F · X^{n−i}.
52 Equivalence: scaled integer vs. fractional encoding. Example: encoding 6.33 using the balanced base-3 representation and Z[X]/(X^8 + 1): scaled integer encoding (R_1): (X^3 − X^2 + 1, 1); fractional encoding (R_2): −X^7 + X^2 − X; indeed (X^3 − X^2 + 1) · (−X^7) = −X^7 + X^2 − X (mod X^8 + 1). Note: the infinity norm of the intermediate polynomials is identical in both encodings for any circuit. It suffices to analyse only the integer case.
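The scaled integer encoding, the fractional encoding and the map Ψ above, as an added worked example that is not part of the original slides; it assumes the slides' setting n = 8 and balanced base 3, and the helper names and the second operand 5/3 are this example's own constructions:

```python
# Added example (not from the slides): balanced base-3 integer encoding, the scaled
# integer encoding (q(X), i) of R1, the fractional encoding of R2 = Z[X]/(X^n + 1)
# and the isomorphism Psi, checked on the slides' example 6.33 = 19/3 with n = 8.
# Polynomials are lists of integer coefficients, index k holding the coefficient
# of X^k. Helper names and the second operand 5/3 are this example's own.
from fractions import Fraction

B = 3   # balanced base; the slides call B = 3 optimal
N = 8   # ring Z[X]/(X^8 + 1), as in the slides' example

def balanced_base3(z):
    """Balanced base-3 digits of the integer z, least significant first, each in {-1, 0, 1}."""
    digits = []
    while z != 0:
        r = z % 3                    # Python's % gives r in {0, 1, 2} for either sign of z
        if r == 2:                   # a digit 2 becomes -1 plus a carry
            r = -1
        digits.append(r)
        z = (z - r) // 3
    return digits or [0]

def trim(p):
    """Drop trailing zero coefficients, keeping at least one."""
    p = list(p)
    while len(p) > 1 and p[-1] == 0:
        p.pop()
    return p

def poly_eval(p, x):
    return sum(c * x ** k for k, c in enumerate(p))

def add_poly(p, r):
    m = max(len(p), len(r))
    return trim([(p[k] if k < len(p) else 0) + (r[k] if k < len(r) else 0) for k in range(m)])

def mul_mod(p, r, n=N):
    """Product in Z[X]/(X^n + 1): each X^n that appears is replaced by -1."""
    out = [0] * n
    for a, ca in enumerate(p):
        for b, cb in enumerate(r):
            k, sign = a + b, 1
            while k >= n:
                k, sign = k - n, -sign
            out[k] += sign * ca * cb
    return trim(out)

def encode_scaled(num, den, i):
    """R1 encoding of num/den with i fractional base-3 digits: (bal3(round(y * B^i)), i)."""
    return balanced_base3(round(Fraction(num, den) * B ** i)), i

def decode_scaled(q, i):
    """Value of an R1 element: q(B) * B^(-i)."""
    return Fraction(poly_eval(q, B), B ** i)

def add_scaled(x, y):
    """Addition in R1 as on the slides: shift the operand with the smaller exponent."""
    (q, i), (q2, i2) = x, y
    if i > i2:
        return add_poly(q, [0] * (i - i2) + q2), i
    return add_poly([0] * (i2 - i) + q, q2), i2

def mul_scaled(x, y, n=N):
    (q, i), (q2, i2) = x, y
    return mul_mod(q, q2, n), i + i2     # multiply the polynomials, add the exponents

def psi(q, i, n=N):
    """Psi: (q_I X^i + q_F, i) -> q_I - q_F X^(n-i), which is q * X^(-i) in R2."""
    q_f, q_i = q[:i], q[i:]          # q_F holds the coefficients below X^i
    out = [0] * n
    for k, c in enumerate(q_i):
        out[k] += c
    for k, c in enumerate(q_f):
        out[n - i + k] -= c          # k < i, so n - i + k < n: no further wrap
    return trim(out)

def decode_fractional(f, n_frac, n=N):
    """Value of an R2 element whose top n_frac coefficients are the negated fractional digits."""
    value = Fraction(0)
    for k, c in enumerate(f):
        value += c * B ** k if k < n - n_frac else -Fraction(c, B ** (n - k))
    return value

def check_example():
    """Reproduce the slides' 6.33 example and check that Psi respects + and x."""
    x = encode_scaled(19, 3, 1)                                # 6.33... = 19/3
    y = encode_scaled(5, 3, 1)                                 # constructed second operand 5/3
    return {
        "x": x,
        "psi_x": psi(*x),
        "via_X_minus_1": mul_mod(x[0], [0] * (N - 1) + [-1]),  # q * (-X^7) = q * X^(-1)
        "sum_ok": decode_scaled(*add_scaled(x, y)) == 8,
        "prod_ok": decode_scaled(*mul_scaled(x, y)) == Fraction(95, 9),
        "psi_add_ok": psi(*add_scaled(x, y)) == add_poly(psi(*x), psi(*y)),
        "psi_mul_ok": psi(*mul_scaled(x, y)) == mul_mod(psi(*x), psi(*y)),
        "frac_decode_ok": decode_fractional(mul_mod(psi(*x), psi(*y)), 2) == Fraction(95, 9),
    }
```

Decoding the R2 product needs to know how many top coefficients are fractional (here 2 = 1 + 1), which is exactly the "separate integer and fractional parts" caveat the slides note.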
59 Bounding integer-valued arithmetic circuits. Suppose there are t distinct input ranges [−L_i, ..., L_i]. d_i: degree of the corresponding balanced base-3 encoding polynomials. Input encoding polynomials have infinity norm 1. Define c_{[(d_1,e_1),...,(d_t,e_t)]} = ‖ Π_{i=1}^{t} (1 + x + x^2 + ... + x^{d_i})^{e_i} ‖_∞.
63 Bounding integer-valued arithmetic circuits. The upper bound is of the form L_P = Σ_{e_1,...,e_t} a_{[(d_1,e_1),...,(d_t,e_t)]} · c_{[(d_1,e_1),...,(d_t,e_t)]}.
64 Bounding integer-valued arithmetic circuits. Compute the bounds iteratively. Given L_P = Σ_{e_1,...,e_t} a_{[(d_1,e_1),...,(d_t,e_t)]} · c_{[(d_1,e_1),...,(d_t,e_t)]} and L_{P'} = Σ_{e'_1,...,e'_t} a'_{[(d_1,e'_1),...,(d_t,e'_t)]} · c_{[(d_1,e'_1),...,(d_t,e'_t)]}:
65 Bounding integer-valued arithmetic circuits. L_{P+P'} = L_P + L_{P'}, and L_{P·P'} = Σ_{e_1,...,e_t,e'_1,...,e'_t} (a_{[(d_1,e_1),...,(d_t,e_t)]} · a'_{[(d_1,e'_1),...,(d_t,e'_t)]}) · c_{[(d_1,e_1+e'_1),...,(d_t,e_t+e'_t)]}.
66 Bounding integer-valued arithmetic circuits. Iteratively bounding c_{[(d_1,e_1),...,(d_t,e_t)]} = ‖ Π_{i=1}^{t} (1 + x + x^2 + ... + x^{d_i})^{e_i} ‖_∞ using the relation c_{[(d_1,e_1),...,(d_t,e_t)]} ≤ (d_k e_k + 1) · c_{d_k,e_k} · c_{[(d_1,e'_1),...,(d_t,e'_t)]}, where e'_i = e_i except that e'_k = 0. Partial order: d_i e_i ≤ d_{i+1} e_{i+1}.
68 Bounding integer-valued arithmetic circuits. Finally, bounding c_{d,e} = ‖(1 + x + x^2 + ... + x^d)^e‖_∞. Simple bounds: (d + 1)^e / (de + 1) ≤ c_{d,e} ≤ (d + 1)^e. Tighter bound [Mattner & Roos 2008]: if e ≥ 2 or d ∈ {1, 2, 3}, then c_{d,e} < sqrt(6 / (π d e (d + 2))) · (d + 1)^e.
71 Bounding integer-valued arithmetic circuits. They also show that lim_{e→∞} sqrt(e) · c_{d,e} / (d + 1)^e = sqrt(6 / (π d (d + 2))).
72 Bounding integer-valued arithmetic circuits. For a regular circuit having M levels of multiplication and A additions per multiplicative level, with maximum initial degree of the encodings d = ⌈log(2L + 1) / log 3⌉ − 1: B_{M,A} = c_{d,2^M} · 2^{A(2^{M+1} − 2)}, and B_{M,A} < sqrt(6 / (π 2^M d(d + 2))) · (d + 1)^{2^M} · 2^{A(2^{M+1} − 2)}. For an SHE scheme: p > 2 B_{M,A} and deg(r) > 2^M d.
75 Bounding integer-valued arithmetic circuits. Concrete bounds for p (in bits) and deg(r) for 20-bit inputs: [table of log_2 p for several values of M and A, and of deg(r); the numerical entries did not survive transcription].
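An added example, not the authors' code, that computes c_{d,e} exactly and checks the simple and Mattner-Roos bounds, the limit, and the regular-circuit constraints on p and deg(r) from the slides above; the input range L = 2^20 − 1 taken for "20-bit inputs" is an assumption, and the function names are this example's own:

```python
# Added example (not from the slides): exact computation of
# c_{d,e} = || (1 + x + ... + x^d)^e ||_inf, the simple and Mattner-Roos bounds the
# slides quote for it, the degree d of a balanced base-3 encoding for inputs in
# [-L, L], and the regular-circuit bound B_{M,A} with the resulting constraints on
# p and deg(r). Python integers are used so the large values never overflow.
# The concrete L used under __main__ is this example's assumption.
import math
import random

def poly_mul(p, r):
    """Schoolbook product of two integer polynomials (coefficient lists, X^0 first)."""
    out = [0] * (len(p) + len(r) - 1)
    for a, ca in enumerate(p):
        for b, cb in enumerate(r):
            out[a + b] += ca * cb
    return out

def c_bound(d, e):
    """c_{d,e}: the largest coefficient of (1 + x + ... + x^d)^e, computed exactly."""
    acc, base = [1], [1] * (d + 1)
    for _ in range(e):
        acc = poly_mul(acc, base)
    return max(acc)

def simple_bounds(d, e):
    """(d+1)^e / (d e + 1) <= c_{d,e} <= (d+1)^e: the average coefficient is a lower bound."""
    return (d + 1) ** e / (d * e + 1), (d + 1) ** e

def mattner_roos(d, e):
    """sqrt(6 / (pi d e (d+2))) * (d+1)^e, the tighter upper bound quoted on the slides."""
    return math.sqrt(6 / (math.pi * d * e * (d + 2))) * (d + 1) ** e

def limit_constant(d):
    """sqrt(6 / (pi d (d+2))), the limit of sqrt(e) * c_{d,e} / (d+1)^e as e grows."""
    return math.sqrt(6 / (math.pi * d * (d + 2)))

def normalised_ratio(d, e):
    """sqrt(e) * c_{d,e} / (d+1)^e for a finite e, to compare against limit_constant(d)."""
    return math.sqrt(e) * c_bound(d, e) / (d + 1) ** e

def balanced_degree(L):
    """Degree d of the balanced base-3 encoding of the largest integer in [-L, L]:
    the smallest k with 3^k >= 2L + 1, minus one (ceil(log(2L+1)/log 3) - 1, in integers)."""
    k, pw = 0, 1
    while pw < 2 * L + 1:
        k, pw = k + 1, pw * 3
    return k - 1

def regular_circuit_bound(L, M, A):
    """B_{M,A} = c_{d,2^M} * 2^{A(2^{M+1} - 2)} for M multiplicative levels and A additions
    per level on inputs in [-L, L]. Returns (B_{M,A}, d)."""
    d = balanced_degree(L)
    return c_bound(d, 2 ** M) * 2 ** (A * (2 ** (M + 1) - 2)), d

def she_parameters(L, M, A):
    """Slide constraints p > 2 B_{M,A} and deg(r) > 2^M d, returned as
    (bits of the smallest admissible p, value that deg(r) must exceed)."""
    B, d = regular_circuit_bound(L, M, A)
    return (2 * B + 1).bit_length(), 2 ** M * d

def random_product_norm(d, M, trials=200, seed=1):
    """Empirical check of the multiplicative part of the bound: multiply 2^M random
    polynomials with coefficients in {-1, 0, 1} and degree <= d (the shape of balanced
    base-3 encodings) and report the largest infinity norm seen; it cannot exceed c_{d,2^M}."""
    rng = random.Random(seed)
    worst = 0
    for _ in range(trials):
        acc = [1]
        for _ in range(2 ** M):
            acc = poly_mul(acc, [rng.choice((-1, 0, 1)) for _ in range(d + 1)])
        worst = max(worst, max(abs(c) for c in acc))
    return worst

if __name__ == "__main__":
    L = 2 ** 20 - 1          # "20-bit inputs" as on the slides' table; this choice of L is an assumption
    for M in range(1, 4):
        for A in range(0, 3):
            bits, deg = she_parameters(L, M, A)
            print(f"M={M} A={A}: p needs {bits} bits, deg(r) > {deg}")
```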
76 Application: homomorphic image processing
77 Homomorphic image processing. FFT - Hadamard product - iFFT: a standard image processing pipeline. We performed a homomorphic evaluation of this pipeline: the matrix for the Hadamard product was also encrypted, and the encrypted inputs were complex numbers. FFT and HAD inputs: 8 bits of precision; the precision of the roots of unity is variable; the result is to be within 32 bits of precision. The whole operation is non-linear, so additively homomorphic schemes cannot be applied.
81 Homomorphic image processing. We use a mixed Fourier transform instead of the FFT: tradeoff between depth and number of scalar multiplications; greater depth means a longer modulus chain in the SHE scheme and hence slower evaluation.
82 Homomorphic image processing. Concrete parameters for the FFT-Hadamard-iFFT pipeline: [table of log_2 p and deg(r) against n, for FFT with B = 1, FFT with B = n, and NFT with B = n; the numerical entries did not survive transcription].
83 Homomorphic image processing. Timing results (in sec) using HElib running on a 6-core cluster: [table with columns n, B, deg(r), log_2 q, HElib levels, amortization amount, CPU time and amortized time; the numerical entries did not survive transcription].
84 Conclusion
85 Conclusion. We investigated the growth of the coefficients and the degree for various encoding schemes. Proved the equivalence of scaled integer and fractional encodings for fixed-point numbers. Computed concrete bounds for regular circuits. Implemented homomorphic evaluation of the FFT-Hadamard product-iFFT pipeline used in image processing.
89 Future Work. Improve the current bounds for coefficient growth. SIMD implementation of the FFT-Hadamard product-iFFT pipeline for the scaled integer encoding.
91 Thank You!
More informationFinite Fields. Mike Reiter
1 Finite Fields Mike Reiter reiter@cs.unc.edu Based on Chapter 4 of: W. Stallings. Cryptography and Network Security, Principles and Practices. 3 rd Edition, 2003. Groups 2 A group G, is a set G of elements
More informationCPSC 518 Introduction to Computer Algebra Asymptotically Fast Integer Multiplication
CPSC 518 Introduction to Computer Algebra Asymptotically Fast Integer Multiplication 1 Introduction We have now seen that the Fast Fourier Transform can be applied to perform polynomial multiplication
More informationBootstrapping for Approximate Homomorphic Encryption
Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon, Kyoohyung Han, Andrey Kim (Seoul National University) Miran Kim, Yongsoo Song (University of California, San Diego) Landscape of Homomorphic
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Instructor: Michael Fischer Lecture by Ewa Syta Lecture 13 March 3, 2013 CPSC 467b, Lecture 13 1/52 Elliptic Curves Basics Elliptic Curve Cryptography CPSC
More informationDiscrete Mathematics GCD, LCM, RSA Algorithm
Discrete Mathematics GCD, LCM, RSA Algorithm Abdul Hameed http://informationtechnology.pk/pucit abdul.hameed@pucit.edu.pk Lecture 16 Greatest Common Divisor 2 Greatest common divisor The greatest common
More informationCompact Ring LWE Cryptoprocessor
1 Compact Ring LWE Cryptoprocessor CHES 2014 Sujoy Sinha Roy 1, Frederik Vercauteren 1, Nele Mentens 1, Donald Donglong Chen 2 and Ingrid Verbauwhede 1 1 ESAT/COSIC and iminds, KU Leuven 2 Electronic Engineering,
More informationVadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3
A Tooλκit for Riνγ-ΛΩE κρyπτ oγραφ Vadim Lyubashevsky 1 Chris Peikert 2 Oded Regev 3 1 INRIA & ENS Paris 2 Georgia Tech 3 Courant Institute, NYU Eurocrypt 2013 27 May 1 / 12 A Toolkit for Ring-LWE Cryptography
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationManual for Using Homomorphic Encryption for Bioinformatics
1 Manual for Using Homomorphic Encryption for Bioinformatics Nathan Dowlin, Ran Gilad-Bachrach, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing Abstract Biological Data Science is an emerging
More informationModulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain
Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven)
More informationHigh-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationGalois theory (Part II)( ) Example Sheet 1
Galois theory (Part II)(2015 2016) Example Sheet 1 c.birkar@dpmms.cam.ac.uk (1) Find the minimal polynomial of 2 + 3 over Q. (2) Let K L be a finite field extension such that [L : K] is prime. Show that
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationElliptic Curve Cryptography
Areas for Discussion Elliptic Curve Cryptography Joseph Spring Department of Computer Science 7COM1027 - Distributed Systems Security Lecture - Elliptic Curves 1 1 Motivation Elliptic Curves Security of
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationSection 18 Rings and fields
Section 18 Rings and fields Instructor: Yifan Yang Spring 2007 Motivation Many sets in mathematics have two binary operations (and thus two algebraic structures) For example, the sets Z, Q, R, M n (R)
More informationHOMEWORK 11 MATH 4753
HOMEWORK 11 MATH 4753 Recall that R = Z[x]/(x N 1) where N > 1. For p > 1 any modulus (not necessarily prime), R p = (Z/pZ)[x]/(x N 1). We do not assume p, q are prime below unless otherwise stated. Question
More informationax b mod m. has a solution if and only if d b. In this case, there is one solution, call it x 0, to the equation and there are d solutions x m d
10. Linear congruences In general we are going to be interested in the problem of solving polynomial equations modulo an integer m. Following Gauss, we can work in the ring Z m and find all solutions to
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationLattice Reduction Attack on the Knapsack
Lattice Reduction Attack on the Knapsack Mark Stamp 1 Merkle Hellman Knapsack Every private in the French army carries a Field Marshal wand in his knapsack. Napoleon Bonaparte The Merkle Hellman knapsack
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationMathematical Foundations of Public-Key Cryptography
Mathematical Foundations of Public-Key Cryptography Adam C. Champion and Dong Xuan CSE 4471: Information Security Material based on (Stallings, 2006) and (Paar and Pelzl, 2010) Outline Review: Basic Mathematical
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationNOTES ON FINITE FIELDS
NOTES ON FINITE FIELDS AARON LANDESMAN CONTENTS 1. Introduction to finite fields 2 2. Definition and constructions of fields 3 2.1. The definition of a field 3 2.2. Constructing field extensions by adjoining
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationHomomorphic SIM 2 D Operations: Single Instruction Much More Data
Homomorphic SIM 2 D Operations: Single Instruction Much More Data Wouter Castryck 1,2, Ilia Iliashenko 1, and Frederik Vercauteren 1 1 imec-cosic, Dept. Electrical Engineering, KU Leuven 2 Laboratoire
More informationDoing Real Work with FHE: The Case of Logistic Regression
Doing Real Work with FHE: The Case of Logistic Regression Jack L.H.Crawford Queen Mary Univ. of London Craig Gentry IBM Research Shai Halevi IBM Research Daniel Platt IBM Research Victor Shoup NYU February
More informationNumbers. Çetin Kaya Koç Winter / 18
Çetin Kaya Koç http://koclab.cs.ucsb.edu Winter 2016 1 / 18 Number Systems and Sets We represent the set of integers as Z = {..., 3, 2, 1,0,1,2,3,...} We denote the set of positive integers modulo n as
More informationCryptography IV: Asymmetric Ciphers
Cryptography IV: Asymmetric Ciphers Computer Security Lecture 7 David Aspinall School of Informatics University of Edinburgh 31st January 2011 Outline Background RSA Diffie-Hellman ElGamal Summary Outline
More informationFFT-Based Key Recovery for the Integral Attack
FFT-Based Key Recovery for the Integral Attack Yosuke Todo NTT Secure Platform Laboratories Abstract. The integral attack is one of the most powerful attack against block ciphers. In this paper, we propose
More information15. Polynomial rings Definition-Lemma Let R be a ring and let x be an indeterminate.
15. Polynomial rings Definition-Lemma 15.1. Let R be a ring and let x be an indeterminate. The polynomial ring R[x] is defined to be the set of all formal sums a n x n + a n 1 x n +... a 1 x + a 0 = a
More informationFloating-Point Homomorphic Encryption
Floating-Point Homomorphic Encryption Jung Hee Cheon, Andrey Kim, Miran Kim, and Yongsoo Song Department of Mathematical Sciences, Seoul National University, Republic of Korea {jhcheon, kimandrik, alfks500,
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationAdvanced Cryptography Quantum Algorithms Christophe Petit
The threat of quantum computers Advanced Cryptography Quantum Algorithms Christophe Petit University of Oxford Christophe Petit -Advanced Cryptography 1 Christophe Petit -Advanced Cryptography 2 The threat
More informationField Switching in BGV-Style Homomorphic Encryption
Field Switching in BGV-Style Homomorphic Encryption Craig Gentry IBM Research Shai Halevi IBM Research Nigel P. Smart University of Bristol Chris Peikert Georgia Institute of Technology September 13, 2013
More informationLinear Ciphers. Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D Mainz
Linear Ciphers Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D-55099 Mainz January 16, 2000 English version July 28, 2014 last change August
More informationSieving for Shortest Vectors in Ideal Lattices:
Sieving for Shortest Vectors in Ideal Lattices: a Practical Perspective Joppe W. Bos Microsoft Research LACAL@RISC Seminar on Cryptologic Algorithms CWI, Amsterdam, Netherlands Joint work with Michael
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More informationLinear Multi-Prover Interactive Proofs
Quasi-Optimal SNARGs via Linear Multi-Prover Interactive Proofs Dan Boneh, Yuval Ishai, Amit Sahai, and David J. Wu Interactive Arguments for NP L C = x C x, w = 1 for some w P(x, w) V(x) accept / reject
More informationThe security of RSA (part 1) The security of RSA (part 1)
The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 The modulus n and its totient value φ(n) are known φ(n) = p q (p + q) + 1 = n (p + q) + 1 i.e. q = (n φ(n) + 1)
More informationPublic-key Cryptography and elliptic curves
Public-key Cryptography and elliptic curves Dan Nichols University of Massachusetts Amherst nichols@math.umass.edu WINRS Research Symposium Brown University March 4, 2017 Cryptography basics Cryptography
More informationSolution to Problem Set 3
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Handout #11 (rev. 2) Xueyuan Su October 27, 2008 Solution to Problem Set 3 Due on Wednesday, October 22, 2008.
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationHomomorphic SIM 2 D Operations: Single Instruction Much More Data
Homomorphic SIM 2 D Operations: Single Instruction Much More Data Wouter Castryck, Ilia Iliashenko, and Frederik Vercauteren imec-cosic, Dept. Electrical Engineering, KU Leuven firstname.lastname@esat.kuleuven.be
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationAn introduction to the algorithmic of p-adic numbers
An introduction to the algorithmic of p-adic numbers David Lubicz 1 1 Universté de Rennes 1, Campus de Beaulieu, 35042 Rennes Cedex, France Outline Introduction 1 Introduction 2 3 4 5 6 7 8 When do we
More informationToward High Performance Matrix Multiplication for Exact Computation
Toward High Performance Matrix Multiplication for Exact Computation Pascal Giorgi Joint work with Romain Lebreton (U. Waterloo) Funded by the French ANR project HPAC Séminaire CASYS - LJK, April 2014 Motivations
More informationComputational algebraic number theory tackles lattice-based cryptography
Computational algebraic number theory tackles lattice-based cryptography Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Moving to the left Moving to the right
More informationGalois groups with restricted ramification
Galois groups with restricted ramification Romyar Sharifi Harvard University 1 Unique factorization: Let K be a number field, a finite extension of the rational numbers Q. The ring of integers O K of K
More informationOverdrive: Making SPDZ Great Again
Overdrive: Making SPDZ Great Again Marcel Keller 1, Valerio Pastro 2, and Dragos Rotaru 1,3 1 University of Bristol 2 Yale University 3 imec-cosic, Dept. Electrical Engineering, KU Leuven m.keller@bristol.ac.uk,
More informationPublic Key Encryption
Public Key Encryption 3/13/2012 Cryptography 1 Facts About Numbers Prime number p: p is an integer p 2 The only divisors of p are 1 and p s 2, 7, 19 are primes -3, 0, 1, 6 are not primes Prime decomposition
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationRSA RSA public key cryptosystem
RSA 1 RSA As we have seen, the security of most cipher systems rests on the users keeping secret a special key, for anyone possessing the key can encrypt and/or decrypt the messages sent between them.
More informationCryptography and Security Protocols. Previously on CSP. Today. El Gamal (and DSS) signature scheme. Paulo Mateus MMA MEIC
Cryptography and Security Protocols Paulo Mateus MMA MEIC Previously on CSP Symmetric Cryptosystems. Asymmetric Cryptosystem. Basics on Complexity theory : Diffie-Hellman key agreement. Algorithmic complexity.
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationPhysics ; CS 4812 Problem Set 4
Physics 4481-7681; CS 4812 Problem Set 4 Six problems (six pages), all short, covers lectures 11 15, due in class 25 Oct 2018 Problem 1: 1-qubit state tomography Consider a 1-qubit state ψ cos θ 2 0 +
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationElliptic Curve Cryptography
Elliptic Curve Cryptography Elliptic Curves An elliptic curve is a cubic equation of the form: y + axy + by = x 3 + cx + dx + e where a, b, c, d and e are real numbers. A special addition operation is
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationHomomorphic AES Evaluation Using the Modified LTV Scheme
Noname manuscript No. (will be inserted by the editor) Homomorphic AES Evaluation Using the Modified LTV Scheme Yarkın Doröz Yin Hu Berk Sunar the date of receipt and acceptance should be inserted later
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 8 February 1, 2012 CPSC 467b, Lecture 8 1/42 Number Theory Needed for RSA Z n : The integers mod n Modular arithmetic GCD Relatively
More informationHomomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes
An extended abstract of this paper appears in the proceedings of COCOON 2016. This is the full version. Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes Pierre-Alain Fouque 1,3, Benjamin
More informationConstructing Abelian Varieties for Pairing-Based Cryptography
for Pairing-Based CWI and Universiteit Leiden, Netherlands Workshop on Pairings in Arithmetic Geometry and 4 May 2009 s MNT MNT Type s What is pairing-based cryptography? Pairing-based cryptography refers
More informationFinal Exam Math 105: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 30 April :30 11:00 a.m.
Final Exam Math 10: Topics in Mathematics Cryptology, the Science of Secret Writing Rhodes College Tuesday, 0 April 2002 :0 11:00 a.m. Instructions: Please be as neat as possible (use a pencil), and show
More informationA field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties:
Byte multiplication 1 Field arithmetic A field F is a set of numbers that includes the two numbers 0 and 1 and satisfies the properties: F is an abelian group under addition, meaning - F is closed under
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More information