Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain
|
|
- Sheila Todd
- 5 years ago
- Views:
Transcription
1 Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis Bart Mennink (K.U.Leuven) Joint work with: Jorge Guajardo (Philips Research Labs) Berry Schoenmakers (TU Eindhoven) Financial Cryptography '10, Tenerife, Spain January 25, / 13
2 Overview Preliminaries Secure Modulo Reduction Eciency Analysis Applications Conclusions 2 / 13
3 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r 3 / 13
4 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x 3 / 13
5 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x (t, n)-threshold decryption Private key is shared among n parties such that any t can decrypt 3 / 13
6 Threshold Homomorphic Cryptosystems (THCs) x is a probabilistic encryption: x = Enc pk (x, r) under public key pk and for random r Homomorphic properties: Addition: x y = x + y Multiplication by constant: x c = xc Re-randomization: x 0 = x (t, n)-threshold decryption Private key is shared among n parties such that any t can decrypt We use the Paillier cryptosystem [Pai99, DJ01] 3 / 13
7 Secure Function Evaluation based on THCs On input of x 1,..., x L and a function f, the parties jointly compute f (x 1,..., x L ) (circuit for f ) x 1,..., x L f (x 1,..., x L ) 4 / 13
8 Secure Function Evaluation based on THCs On input of x 1,..., x L and a function f, the parties jointly compute f (x 1,..., x L ) (circuit for f ) x 1,..., x L f (x 1,..., x L ) Approach based on arithmetic circuits Circuit for f consists of sequential evaluations of (+,,, /) 4 / 13
9 Secure Function Evaluation based on THCs (cont.) Addition and scalar multiplication by homomorphic properties: computation of x + y and cx given x, y, c Multiplication gate [CDN01]: outputs xy given x, y 5 / 13
10 Secure Function Evaluation based on THCs (cont.) Addition and scalar multiplication by homomorphic properties: computation of x + y and cx given x, y, c Multiplication gate [CDN01]: outputs xy given x, y Our contribution: ecient gate for x mod a given x, a Implies a gate for integer division x div a 5 / 13
11 Secure Function Evaluation based on THCs (cont.) Addition and scalar multiplication by homomorphic properties: computation of x + y and cx given x, y, c Multiplication gate [CDN01]: outputs xy given x, y Our contribution: ecient gate for x mod a given x, a Implies a gate for integer division x div a Several other ecient gates: Random bit generation gate [CDN01, ST06]: outputs r for random r {0, 1} Comparison gate [DFK + 06, GSV07]: outputs x < y given the encrypted bits of x, y Least signicant bit gate [ST06]: outputs x mod 2 given x 5 / 13
12 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 6 / 13
13 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required 6 / 13
14 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 6 / 13
15 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 2. The parties set x = (x r + as) mod a = x r mod a Notice that x x + r mod a and 0 x + r < 2a 6 / 13
16 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 2. The parties set x = (x r + as) mod a = x r mod a Notice that x x + r mod a and 0 x + r < 2a 3. Correction: the parties compute c = a 1 x < r Notice that c = 0 x + r < a 6 / 13
17 Secure Modulo Reduction x = (x div a)a + (x mod a), with 0 x mod a < a By homomorphic properties, it suces to determine x mod a 1. Given x, one decryption of a blinded version of x is required Generate r (bitwise) for r R [0, a), and s for random s The blinded encryption x r + as is threshold decrypted 2. The parties set x = (x r + as) mod a = x r mod a Notice that x x + r mod a and 0 x + r < 2a 3. Correction: the parties compute c = a 1 x < r Notice that c = 0 x + r < a 4. Output x mod a = x + r ca = x r / c a 6 / 13
18 Secure Modulo Reduction (cont.) Technical detail: x r + as should not exceed the Paillier modulus, to prevent wrap-arounds x should be suciently small Using ecient zero-knowledge proofs, the protocol can be proven secure against actively malicious parties (in the security framework of [CDN01]) How to securely generate r (bitwise) for r R [0, a)? 7 / 13
19 How to Securely Generate r (bitwise) for r R [0, a)? If a = 2 l a Write r = l a 1 i=0 r i 2 i, with r i {0, 1} Generate random bits r i and output r = l a 1 i=0 r i 2i If 2 l a 1 < a < 2 l a 8 / 13
20 How to Securely Generate r (bitwise) for r R [0, a)? If a = 2 l a Write r = l a 1 i=0 r i 2 i, with r i {0, 1} Generate random bits r i and output r = l a 1 i=0 r i 2i If 2 l a 1 < a < 2 l a Repeat generating r for random r [0, 2 l a ), until r < a At most 2 restarts on average 8 / 13
21 Ours [DFK + 06] Eciency Analysis broadcast round O(nkl a ) O(n) O(n 2 kl a ) O(1) O(nkl x (log l x + l a )) O(n + l x ) O(nkl x (n + log l x + l a )) O(1) n is the number of participants l x is length of x k is a security parameter l a is length of a (Broadcast complexity represents the number of bits broadcasted. E.g., for O(nkl a ): each party needs to broadcast O(l a ) encryptions) Always l a l x, but often l a l x 9 / 13
22 Ours [DFK + 06] Eciency Analysis broadcast round O(nkl a ) O(n) O(n 2 kl a ) O(1) O(nkl x (log l x + l a )) O(n + l x ) O(nkl x (n + log l x + l a )) O(1) n is the number of participants l x is length of x k is a security parameter l a is length of a (Broadcast complexity represents the number of bits broadcasted. E.g., for O(nkl a ): each party needs to broadcast O(l a ) encryptions) Always l a l x, but often l a l x 100 millionaires securely compute their mean fortune ( x 1,..., x 100 ) x1+ +x Say x i < 2 30 Here, x = 100 i=1 x i and a = 100, so l x = 37 and l a = 7 9 / 13
23 Applications Integer division: x = (x div a)a + (x mod a) x div a = ( x / x mod a ) 1/a 10 / 13
24 Applications Integer division: x = (x div a)a + (x mod a) x div a = ( x / x mod a ) 1/a Access arbitrary bits of x: x i = (x div 2 i ) mod 2 10 / 13
25 Applications Integer division: x = (x div a)a + (x mod a) x div a = ( x / x mod a ) 1/a Access arbitrary bits of x: x i = (x div 2 i ) mod 2 Secure computation of statistics: Mean, median, variance,... require division Concrete example: variance (where x = (x x L )/L) var(x 1,..., x L ) = 1 L 1 L (x i x) 2 i=1 10 / 13
26 var(x 1,..., x L ) = 1 L 1 Computation of Statistics ( L (x i x) 2 1 L = L(L 1) i=1 i=1 Lx 2 i ) ( L ) 2 x i i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 11 / 13
27 var(x 1,..., x L ) = 1 Computation of Statistics L 1 ( L L ) (x i x) 2 1 ( L ) 2 = Lx 2 i x i L(L 1) i=1 i=1 }{{} i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 1. Compute ( L i=1 x i) 2 and x 2 using L + 1 multiplications i L 2. Compute V = i=1 Lx 2 ( L i i=1 x i) 2 =:V 11 / 13
28 var(x 1,..., x L ) = 1 Computation of Statistics L 1 ( L L ) (x i x) 2 1 ( L ) 2 = Lx 2 i x i L(L 1) i=1 i=1 }{{} i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 1. Compute ( L i=1 x i) 2 and x 2 using L + 1 multiplications i L 2. Compute V = i=1 Lx 2 ( L i i=1 x i) 2 3. Compute and output integer division V div L(L 1) =:V 11 / 13
29 var(x 1,..., x L ) = 1 Computation of Statistics L 1 ( L L ) (x i x) 2 1 ( L ) 2 = Lx 2 i x i L(L 1) i=1 i=1 }{{} i=1 How to compute var(x 1,..., x L ) given x 1,..., x L? 1. Compute ( L i=1 x i) 2 and x 2 using L + 1 multiplications i L 2. Compute V = i=1 Lx 2 ( L i i=1 x i) 2 3. Compute and output integer division V div L(L 1) =:V O(Lnk) broadcast complexity and O(n) rounds 11 / 13
30 Conclusions Modulo reduction: computing x mod a given x and a Integer division: computation of x div a Applicable to secure computation of statistics (mean, variance, median, range,...), packing of encrypted data, and many more! Our protocols improved performance. We take advantage of the fact that the modulus a is much smaller than x Complexities are independent of the length of x Proof of security can be found in the paper (full version) 12 / 13
31 Q u e s t i o n s? 13 / 13
32 HIDDEN SLIDES!!! 13 / 13
33 Sub-Protocol: Random Bitwise Value Generation Input: a with 2 la 1 < a 2 l a For generating r (bitwise) such that r R [0, a), the n servers do: 1. Jointly construct l a random bit encryptions r j (note that r = l a 1 j=0 r j2 j R [0, 2 l a )) 2. Compute and decrypt r < a. If r a, restart protocol If a = 2 l a, no restarts. Otherwise 2 l a/a < 2 restarts on average 13 / 13
34 Secure Modulo Reduction: Protocol Input: x, a, with x < 2 l x and 2 l a 1 < a 2 l a Requirement: an2 l x +l s < N s for security parameter l s For computing x mod a, the n servers do: 1. Jointly construct r b(la) for r R [0, a) 2. Individually construct s i for s i R {0, 1} l x +l s 3. Individually compute x = x r 1 n i=1 s i a n (note that x = x r + a i=1 s i and 0 x < N s ) 4. Jointly decrypt x and compute x = x mod a x r mod a (note that x + r x mod a and 0 x + r < 2a) 5. Using comparison gate, compute c = [a 1 x < r] (note that c = 0 x + r < a) 6. Individually compute output x r c a Protocol can be simulated in framework of [CDN01] 13 / 13
35 Secure Modulo Reduction: Security Proof Simulated for x = x (0) (1 b) + x (1) b given x (0), x (1), b Distinguisher for simulator is a distinguisher for bit-decryption n participants {P 1,..., P n } of which {P 1,..., P t 1} are malicious 1. Simulator takes r R [0, a), but simulates this phase with r = r (0) (1 b) + r (1) b, where r (b) = ( r + x (b)) mod a 2. Simulator lets the malicious parties construct and prove s i. For P t,..., P n 1 he executes the protocol as is. For P n he takes s n R [0, 2 l x +l s ), but simulates with s n = s (0) n (1 b) + s (1) n b, where s (b) n = s n ( r + x (b)) div a 3. Executes this phase. He obtains n 1 x = x r + a i=1 s n i + a s n = r + a i=1 s i n 4. Simulates the decryption on input x and r + a i=1 s i 5. Comparison gate is simulated r and s n indistinguishable from r and s n 13 / 13
Anonymous Credential Schemes with Encrypted Attributes
Anonymous Credential Schemes with Encrypted Attributes Bart Mennink (K.U.Leuven) joint work with Jorge Guajardo (Philips Research) Berry Schoenmakers (TU Eindhoven) Conference on Cryptology And Network
More informationBenny Pinkas Bar Ilan University
Winter School on Bar-Ilan University, Israel 30/1/2011-1/2/2011 Bar-Ilan University Benny Pinkas Bar Ilan University 1 Extending OT [IKNP] Is fully simulatable Depends on a non-standard security assumption
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationAre you the one to share? Secret Transfer with Access Structure
Are you the one to share? Secret Transfer with Access Structure Yongjun Zhao, Sherman S.M. Chow Department of Information Engineering The Chinese University of Hong Kong, Hong Kong Private Set Intersection
More informationSingle-Database Private Information Retrieval
MTAT.07.006 Research Seminar in Cryptography 07.11.2005 Tartu University a g@ut.ee 1 Overview of the Lecture CMS - first single database private information retrieval scheme Gentry-Ramzan PBR Lipmaa Oblivious
More informationLecture Notes 20: Zero-Knowledge Proofs
CS 127/CSCI E-127: Introduction to Cryptography Prof. Salil Vadhan Fall 2013 Lecture Notes 20: Zero-Knowledge Proofs Reading. Katz-Lindell Ÿ14.6.0-14.6.4,14.7 1 Interactive Proofs Motivation: how can parties
More informationThreshold Cryptography
Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationCOMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION
#RSAC SESSION ID: CRYP-W02 COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION Rachel Player PhD Student // Postdoc Royal Holloway, University of London, UK // LIP6, Sorbonne
More informationElliptic Curves I. The first three sections introduce and explain the properties of elliptic curves.
Elliptic Curves I 1.0 Introduction The first three sections introduce and explain the properties of elliptic curves. A background understanding of abstract algebra is required, much of which can be found
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationCOMP424 Computer Security
COMP424 Computer Security Prof. Wiegley jeffw@csun.edu Rivest, Shamir & Adelman (RSA) Implementation 1 Relatively prime Prime: n, is prime if its only two factors are 1 and n. (and n 1). Relatively prime:
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationEfficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply
CIS 2018 Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply Claudio Orlandi, Aarhus University Circuit Evaluation 3) Multiplication? How to compute [z]=[xy]? Alice, Bob
More informationEfficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption
Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption Takuho Mistunaga 1, Yoshifumi Manabe 2, Tatsuaki Okamoto 3 1 Graduate School of Informatics, Kyoto University, Sakyo-ku Kyoto
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More informationMultiparty Computation
Multiparty Computation Principle There is a (randomized) function f : ({0, 1} l ) n ({0, 1} l ) n. There are n parties, P 1,...,P n. Some of them may be adversarial. Two forms of adversarial behaviour:
More informationWinter 2011 Josh Benaloh Brian LaMacchia
Winter 2011 Josh Benaloh Brian LaMacchia Fun with Public-Key Tonight we ll Introduce some basic tools of public-key crypto Combine the tools to create more powerful tools Lay the ground work for substantial
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationMulti-Party Computation with Conversion of Secret Sharing
Multi-Party Computation with Conversion of Secret Sharing Josef Pieprzyk joint work with Hossein Ghodosi and Ron Steinfeld NTU, Singapore, September 2011 1/ 33 Road Map Introduction Background Our Contribution
More informationNon-Interactive Zero-Knowledge from Homomorphic Encryption. Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU)
Non-Interactive Zero-Knowledge from Homomorphic Encryption Ivan Damgård (Aarhus Universitet) Nelly Fazio, Antonio Nicolosi (NYU) January 27th, 2006 NYU Crypto Reading Group Zero-Knowledge and Interaction
More informationIntroduction to Cryptography Lecture 13
Introduction to Cryptography Lecture 13 Benny Pinkas June 5, 2011 Introduction to Cryptography, Benny Pinkas page 1 Electronic cash June 5, 2011 Introduction to Cryptography, Benny Pinkas page 2 Simple
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationEfficient RSA Key Generation and Threshold Paillier in the Two-Party Setting
An extended abstract of this paper was published in the proceedings of CT-RSA 2012. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting Carmit Hazay Gert Læssøe Mikkelsen Tal Rabin
More informationUniversally Verifiable Multiparty Computation from Threshold Homomorphic Cryptosystems
Universally Verifiable Multiparty Computation from Threshold Homomorphic Cryptosystems Berry Schoenmakers and Meilof Veeningen Dept of Mathematics & Computer Science TU Eindhoven, The Netherlands berry@win.tue.nl,
More informationPrivacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors
Privacy Preserving Set Intersection Protocol Secure Against Malicious Behaviors Yingpeng Sang, Hong Shen School of Computer Science The University of Adelaide Adelaide, South Australia, 5005, Australia
More informationk-nearest Neighbor Classification over Semantically Secure Encry
k-nearest Neighbor Classification over Semantically Secure Encrypted Relational Data Reporter:Ximeng Liu Supervisor: Rongxing Lu School of EEE, NTU May 9, 2014 1 2 3 4 5 Outline 1. Samanthula B K, Elmehdwi
More informationSecret sharing schemes
Secret sharing schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Introduction Shamir s secret sharing scheme perfect secret
More informationLogic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation
Quantum logic gates Logic gates Classical NOT gate Quantum NOT gate (X gate) A NOT A α 0 + β 1 X α 1 + β 0 A N O T A 0 1 1 0 Matrix form representation 0 1 X = 1 0 The only non-trivial single bit gate
More informationSingle Database Private Information Retrieval with Logarithmic Communication
Single Database Private Information Retrieval with Logarithmic Communication Yan-Cheng Chang Harvard University ycchang@eecs.harvard.edu February 10, 2004 Abstract In this paper, we study the problem of
More informationEfficient Pseudorandom Generators Based on the DDH Assumption
Efficient Pseudorandom Generators Based on the DDH Assumption Andrey Sidorenko (Joint work with Reza Rezaeian Farashahi and Berry Schoenmakers) TU Eindhoven Outline Introduction provably secure pseudorandom
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationSecure Vickrey Auctions without Threshold Trust
Secure Vickrey Auctions without Threshold Trust Helger Lipmaa Helsinki University of Technology, {helger}@tcs.hut.fi N. Asokan, Valtteri Niemi Nokia Research Center, {n.asokan,valtteri.niemi}@nokia.com
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationEncryption: The RSA Public Key Cipher
Encryption: The RSA Public Key Cipher Michael Brockway March 5, 2018 Overview Transport-layer security employs an asymmetric public cryptosystem to allow two parties (usually a client application and a
More informationMultiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011
Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,
More informationLecture 22: RSA Encryption. RSA Encryption
Lecture 22: Recall: RSA Assumption We pick two primes uniformly and independently at random p, q $ P n We define N = p q We shall work over the group (Z N, ), where Z N is the set of all natural numbers
More informationCryptography: Joining the RSA Cryptosystem
Cryptography: Joining the RSA Cryptosystem Greg Plaxton Theory in Programming Practice, Fall 2005 Department of Computer Science University of Texas at Austin Joining the RSA Cryptosystem: Overview First,
More informationMathematics of Public Key Cryptography
Mathematics of Public Key Cryptography Eric Baxter April 12, 2014 Overview Brief review of public-key cryptography Mathematics behind public-key cryptography algorithms What is Public-Key Cryptography?
More informationEfficient RSA Key Generation and Threshold Paillier in the Two-Party Setting
An extended abstract of this paper was published in the proceedings of CT-RSA 2012. Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting Carmit Hazay Gert Læssøe Mikkelsen Tal Rabin
More informationRSA-256bit 數位電路實驗 TA: 吳柏辰. Author: Trumen
RSA-256bit 數位電路實驗 TA: 吳柏辰 Author: Trumen Outline Introduction to Cryptography RSA Algorithm Montgomery Algorithm for RSA-256 bit 2 Introduction to Cryptography 3 Communication Is Insecure Alice Bob Paparazzi
More informationNotes. Number Theory: Applications. Notes. Number Theory: Applications. Notes. Hash Functions I
Number Theory: Applications Slides by Christopher M. Bourke Instructor: Berthe Y. Choueiry Fall 2007 Computer Science & Engineering 235 Introduction to Discrete Mathematics Sections 3.4 3.7 of Rosen cse235@cse.unl.edu
More informationSecure Computation of Hidden Markov Models and Secure Floating-Point Arithmetic in the Malicious Model
Noname manuscript No. (will be inserted by the editor) Secure Computation of Hidden Markov Models and Secure Floating-Point Arithmetic in the Malicious Model Mehrdad Aliasgari Marina Blanton Fattaneh Bayatbabolghani
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationEfficient RSA Key Generation and Threshold Paillier in the Two-Party Setting
Efficient RSA Key Generation and Threshold Paillier in the Two-Party Setting Carmit Hazay Gert Læssøe Mikkelsen Tal Rabin Tomas Toft Abstract The problem of generating an RSA composite in a distributed
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationAsymmetric Encryption
-3 s s Encryption Comp Sci 3600 Outline -3 s s 1-3 2 3 4 5 s s Outline -3 s s 1-3 2 3 4 5 s s Function Using Bitwise XOR -3 s s Key Properties for -3 s s The most important property of a hash function
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection Yingpeng Sang 1, Hong Shen 2, Laurence T. Yang 3, Naixue Xiong 1, Yasuo Tan 1 1 School of Information Science, Japan Advanced Institute
More informationNumber Theory & Modern Cryptography
Number Theory & Modern Cryptography Week 12 Stallings: Ch 4, 8, 9, 10 CNT-4403: 2.April.2015 1 Introduction Increasing importance in cryptography Public Key Crypto and Signatures Concern operations on
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationLeakage Resilient ElGamal Encryption
Asiacrypt 2010, December 9th, Singapore Outline 1 Hybrid Encryption, the KEM/DEM framework 2 ElGamal KEM 3 Leakage Resilient Crypto Why? How? Other models? 4 Leakage Resilient ElGamal CCA1 secure KEM (Key
More informationAn Efficient and Secure Protocol for Privacy Preserving Set Intersection
An Efficient and Secure Protocol for Privacy Preserving Set Intersection PhD Candidate: Yingpeng Sang Advisor: Associate Professor Yasuo Tan School of Information Science Japan Advanced Institute of Science
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCryptographic Protocols FS2011 1
Cryptographic Protocols FS2011 1 Stefan Heule August 30, 2011 1 License: Creative Commons Attribution-Share Alike 3.0 Unported (http://creativecommons.org/ licenses/by-sa/3.0/) Contents I Interactive Proofs
More informationReducing Garbled Circuit Size While Preserving Circuit Gate Privacy *
Reducing Garbled Circuit Size While Preserving Circuit Gate Privacy * Yongge Wang 1 and Qutaibah m. Malluhi 2 1 Department of SIS, UNC Charlotte, USA (yonwang@uncc.edu) 2 Department of CS, Qatar University,
More informationOutline. 1 Arithmetic on Bytes and 4-Byte Vectors. 2 The Rijndael Algorithm. 3 AES Key Schedule and Decryption. 4 Strengths and Weaknesses of Rijndael
Outline CPSC 418/MATH 318 Introduction to Cryptography Advanced Encryption Standard Renate Scheidler Department of Mathematics & Statistics Department of Computer Science University of Calgary Based in
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationCPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems
CPE 776:DATA SECURITY & CRYPTOGRAPHY Some Number Theory and Classical Crypto Systems Dr. Lo ai Tawalbeh Computer Engineering Department Jordan University of Science and Technology Jordan Some Number Theory
More informationCOS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018
COS433/Math 473: Cryptography Mark Zhandry Princeton University Spring 2018 Identification Identification Non- Repudiation Consider signature- based C- R sk ch=r res = Sig(vk,ch) Bob can prove to police
More informationMultiparty Computation from Threshold Homomorphic Encryption
Multiparty Computation from Threshold Homomorphic Encryption Ronald Cramer Ivan Damgård Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS October 31, 2000 Abstract We introduce a
More informationSolutions to homework 2
ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme
More informationL7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015
L7. Diffie-Hellman (Key Exchange) Protocol Rocky K. C. Chang, 5 March 2015 1 Outline The basic foundation: multiplicative group modulo prime The basic Diffie-Hellman (DH) protocol The discrete logarithm
More informationAddition. Ch1 - Algorithms with numbers. Multiplication. al-khwārizmī. al-khwārizmī. Division 53+35=88. Cost? (n number of bits) 13x11=143. Cost?
Ch - Algorithms with numbers Addition Basic arithmetic Addition ultiplication Division odular arithmetic factoring is hard Primality testing 53+35=88 Cost? (n number of bits) O(n) ultiplication al-khwārizmī
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationLecture 3.1: Public Key Cryptography I
Lecture 3.1: Public Key Cryptography I CS 436/636/736 Spring 2015 Nitesh Saxena Today s Informative/Fun Bit Acoustic Emanations http://www.google.com/search?source=ig&hl=en&rlz=&q=keyboard+acoustic+em
More informationD13.2 Efficient Verifiability and Precise Specification of Secure Computation Functionalities
D13.2 Efficient Verifiability and Precise Specification of Secure Computation Functionalities Project number: 609611 Project acronym: Project title: PRACTICE Project Start Date: 1 November, 2013 Duration:
More informationSealed-bid Auctions with Efficient Bids
Sealed-bid Auctions with Efficient Bids Toru Nakanishi, Daisuke Yamamoto, and Yuji Sugiyama Department of Communication Network Engineering, Faculty of Engineering, Okayama University 3-1-1 Tsushima-naka,
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationSecurity Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography
Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography Peter Schwabe October 21 and 28, 2011 So far we assumed that Alice and Bob both have some key, which nobody else has. How
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationCryptographic Asynchronous Multi-Party Computation with Optimal Resilience
Cryptographic Asynchronous Multi-Party Computation with Optimal Resilience Martin Hirt 1, Jesper Buus Nielsen 2, and Bartosz Przydatek 1 1 Department of Computer Science, ETH Zurich 8092 Zurich, Switzerland
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationFixed-Point Arithmetic in SHE Schemes
Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016 Outline Motivation
More informationImplementation Tutorial on RSA
Implementation Tutorial on Maciek Adamczyk; m adamczyk@umail.ucsb.edu Marianne Magnussen; mariannemagnussen@umail.ucsb.edu Adamczyk and Magnussen Spring 2018 1 / 13 Overview Implementation Tutorial Introduction
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationA Generalization of Paillier s Public-Key System with Applications to Electronic Voting
A Generalization of Paillier s Public-Key System with Applications to Electronic Voting Ivan Damgård, Mads Jurik and Jesper Buus Nielsen Aarhus University, Dept. of Computer Science, BRICS Abstract. We
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationSecure computation of hidden Markov models and secure floating-point arithmetic in the malicious model
Int. J. Inf. Secur. DOI 10.1007/s10207-016-0350-0 REGULAR CONTRIBUTION Secure computation of hidden Markov models and secure floating-point arithmetic in the malicious model Mehrdad Aliasgari 1 Marina
More informationMathematics of Cryptography
UNIT - III Mathematics of Cryptography Part III: Primes and Related Congruence Equations 1 Objectives To introduce prime numbers and their applications in cryptography. To discuss some primality test algorithms
More information8 Elliptic Curve Cryptography
8 Elliptic Curve Cryptography 8.1 Elliptic Curves over a Finite Field For the purposes of cryptography, we want to consider an elliptic curve defined over a finite field F p = Z/pZ for p a prime. Given
More informationn-party protocol for this purpose has maximum privacy if whatever a subset of the users can
Appeared in Crypto87, Springer Verlag, Lecture Note in Computer Science (293), pages 73{86. Reproduced (in June 1997) from an old tro le. How to Solve any Protocol Problem { An Eciency Improvement (Extended
More informationNumber Theory: Applications. Number Theory Applications. Hash Functions II. Hash Functions III. Pseudorandom Numbers
Number Theory: Applications Number Theory Applications Computer Science & Engineering 235: Discrete Mathematics Christopher M. Bourke cbourke@cse.unl.edu Results from Number Theory have many applications
More informationOWO Lecture: Modular Arithmetic with Algorithmic Applications
OWO Lecture: Modular Arithmetic with Algorithmic Applications Martin Otto Winter Term 2008/09 Contents 1 Basic ingredients 1 2 Modular arithmetic 2 2.1 Going in circles.......................... 2 2.2
More informationSecurity Protocols and Application Final Exam
Security Protocols and Application Final Exam Solution Philippe Oechslin and Serge Vaudenay 25.6.2014 duration: 3h00 no document allowed a pocket calculator is allowed communication devices are not allowed
More informationThesis Proposal: Privacy Preserving Distributed Information Sharing
Thesis Proposal: Privacy Preserving Distributed Information Sharing Lea Kissner leak@cs.cmu.edu July 5, 2005 1 1 Introduction In many important applications, a collection of mutually distrustful parties
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationExtracting Witnesses from Proofs of Knowledge in the Random Oracle Model
Extracting Witnesses from Proofs of Knowledge in the Random Oracle Model Jens Groth Cryptomathic and BRICS, Aarhus University Abstract We prove that a 3-move interactive proof system with the special soundness
More informationIntroduction to Public-Key Cryptosystems:
Introduction to Public-Key Cryptosystems: Technical Underpinnings: RSA and Primality Testing Modes of Encryption for RSA Digital Signatures for RSA 1 RSA Block Encryption / Decryption and Signing Each
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationSharing DSS by the Chinese Remainder Theorem
Sharing DSS by the Chinese Remainder Theorem Kamer Kaya,a, Ali Aydın Selçuk b a Ohio State University, Columbus, 43210, OH, USA b Bilkent University, Ankara, 06800, Turkey Abstract In this paper, we propose
More informationLecture 1: Introduction to Public key cryptography
Lecture 1: Introduction to Public key cryptography Thomas Johansson T. Johansson (Lund University) 1 / 44 Key distribution Symmetric key cryptography: Alice and Bob share a common secret key. Some means
More informationPrivacy Preserving Multiset Union with ElGamal Encryption
Privacy Preserving Multiset Union with ElGamal Encryption Jeongdae Hong 1, Jung Woo Kim 1, and Jihye Kim 2 and Kunsoo Park 1, and Jung Hee Cheon 3 1 School of Computer Science and Engineering, Seoul National
More information