Faster Fully Homomorphic Encryption
|
|
- Maude Gibson
- 5 years ago
- Views:
Transcription
1 Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 1/21
2 Main result Improved bit-complexity bound for homomorphically evaluating a binary gate with Gentry s fully homomorphic scheme: Õ(t 6 ) Õ(t3.5 ) bit operations, with t =security parameter. To compare with: standard RSA Enc/Dec costs Õ(t3 ) per bit. Two ingredients: A less pessimistic analysis of one of the hardness assumptions. An improved decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 2/21
3 Main result Improved bit-complexity bound for homomorphically evaluating a binary gate with Gentry s fully homomorphic scheme: Õ(t 6 ) Õ(t3.5 ) bit operations, with t =security parameter. To compare with: standard RSA Enc/Dec costs Õ(t3 ) per bit. Two ingredients: A less pessimistic analysis of one of the hardness assumptions. An improved decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 2/21
4 Main result Improved bit-complexity bound for homomorphically evaluating a binary gate with Gentry s fully homomorphic scheme: Õ(t 6 ) Õ(t3.5 ) bit operations, with t =security parameter. To compare with: standard RSA Enc/Dec costs Õ(t3 ) per bit. Two ingredients: A less pessimistic analysis of one of the hardness assumptions. An improved decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 2/21
5 1 Reminders on homomorphic encryption. 2 Ingredient 1: a less pessimistic analysis of S(V)SSP. 3 Ingredient 2: a shallower decryption algorithm. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 3/21
6 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21
7 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21
8 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21
9 Ideal lattices Let n be a power of 2 and R = Z[x]/(x n + 1). J R is an ideal if a, b J, r R : a + b r J. Any ideal is a lattice, i.e., an additive subgroup of Z n. Basis: (b i ) i n linearly independent s.t. L = { i n x ib i : x i Z} Minimum: λ = min( b : b L \ 0). Determinant: det = det((b i ) i ), for any basis. = volume of R n /L. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 4/21
10 Gentry s somewhat homomorphic scheme: SomHom Public key: B J a basis of an ideal J, with rather large det(j). Secret key: v sk J. Plaintext domain: P = {0, 1}. Ciphertext domain: C = R/B J. Encryption: π ψ = (π + 2ρ) mod B J, with ρ random and small. Decryption: ψ (ψ v sk J ψ ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 5/21
11 Gentry s somewhat homomorphic scheme: SomHom Public key: B J a basis of an ideal J, with rather large det(j). Secret key: v sk J. Plaintext domain: P = {0, 1}. Ciphertext domain: C = R/B J. Encryption: π ψ = (π + 2ρ) mod B J, with ρ random and small. Decryption: ψ (ψ v sk J ψ ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 5/21
12 Gentry s somewhat homomorphic scheme: SomHom Public key: B J a basis of an ideal J, with rather large det(j). Secret key: v sk J. Plaintext domain: P = {0, 1}. Ciphertext domain: C = R/B J. Encryption: π ψ = (π + 2ρ) mod B J, with ρ random and small. Decryption: ψ (ψ v sk J ψ ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 5/21
13 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21
14 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21
15 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21
16 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21
17 Properties of Gentry s scheme Enc(π 1 ) ( + ) Enc(π2 ) mod B J decrypts to π 1 ( + ) π2. π + 2ρ mod B J decrypts to π, if ρ < det(j) 1/n λ(j). An addition doubles ρ, a multiplication squares ρ. Best known attack: Finding π from π + 2ρ mod B J is an instance of the Bounded Distance Decoding problem. See [Gentry-CRYPTO 10] for a security proof of SomHom. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 6/21
18 Lattice reduction Rule of Thumb conjecture BDD γ Given (b i ) i basis of L and t Q n such that dist(t, L) γ 1 λ(l), find b L closest to t. SVP γ Given (b i ) i basis of L, find b L such that 0 < b γ λ(l). Lattice reduction rule of thumb conjecture There exists a constant c s.t. the following holds. Assuming there is nothing special with the lattice: with time 2 t, one cannot solve SVP γ /BDD γ for γ < c n/t. This conjecture is consistent with the current algorithmic knowledge. Essentially unchanged since [Schnorr 87]. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 7/21
19 Lattice reduction Rule of Thumb conjecture BDD γ Given (b i ) i basis of L and t Q n such that dist(t, L) γ 1 λ(l), find b L closest to t. SVP γ Given (b i ) i basis of L, find b L such that 0 < b γ λ(l). Lattice reduction rule of thumb conjecture There exists a constant c s.t. the following holds. Assuming there is nothing special with the lattice: with time 2 t, one cannot solve SVP γ /BDD γ for γ < c n/t. This conjecture is consistent with the current algorithmic knowledge. Essentially unchanged since [Schnorr 87]. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 7/21
20 Lattice reduction Rule of Thumb conjecture BDD γ Given (b i ) i basis of L and t Q n such that dist(t, L) γ 1 λ(l), find b L closest to t. SVP γ Given (b i ) i basis of L, find b L such that 0 < b γ λ(l). Lattice reduction rule of thumb conjecture There exists a constant c s.t. the following holds. Assuming there is nothing special with the lattice: with time 2 t, one cannot solve SVP γ /BDD γ for γ < c n/t. This conjecture is consistent with the current algorithmic knowledge. Essentially unchanged since [Schnorr 87]. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 7/21
21 From SomHom to FullHom, via bootstrapping An encryption scheme is bootstrappable if it can homomorphically evaluate its own decryption circuit. Decryption/security constraints SomHom is not bootstrappable. To squash the decryption, some effort is shifted from P to C: Splitting the secret key vj sk: vj sk = s i v i, for s {0, 1} n of Hamming weight n sub. i n set New secret key: (s i ) i ; New public key: B J, (v i ) i. Ciphertext expansion: ψ (ψ v i ) i. Decryption: ψ, (ψ v i ) i (ψ i s i(ψ v i ) ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 8/21
22 From SomHom to FullHom, via bootstrapping An encryption scheme is bootstrappable if it can homomorphically evaluate its own decryption circuit. Decryption/security constraints SomHom is not bootstrappable. To squash the decryption, some effort is shifted from P to C: Splitting the secret key vj sk: vj sk = s i v i, for s {0, 1} n of Hamming weight n sub. i n set New secret key: (s i ) i ; New public key: B J, (v i ) i. Ciphertext expansion: ψ (ψ v i ) i. Decryption: ψ, (ψ v i ) i (ψ i s i(ψ v i ) ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 8/21
23 From SomHom to FullHom, via bootstrapping An encryption scheme is bootstrappable if it can homomorphically evaluate its own decryption circuit. Decryption/security constraints SomHom is not bootstrappable. To squash the decryption, some effort is shifted from P to C: Splitting the secret key vj sk: vj sk = s i v i, for s {0, 1} n of Hamming weight n sub. i n set New secret key: (s i ) i ; New public key: B J, (v i ) i. Ciphertext expansion: ψ (ψ v i ) i. Decryption: ψ, (ψ v i ) i (ψ i s i(ψ v i ) ) mod 2. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 8/21
24 1 Reminders on homomorphic encryption. 2 Ingredient 1: a less pessimistic analysis of S(V)SSP. 3 Ingredient 2: a shallower decryption algorithm. Using the lattice rule of thumb for both BDD and S(V)SSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010 9/21
25 The Sparse Vector Subset Sum Problem SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Resembles Sparse Subset Sum Problem (with integers rather than ring elements), used for server-aided RSA. Gentry showed that FullHom is secure assuming the hardnesses of: BDD γ for ideal lattices, for a large γ. SVSSP nset,n sub for specific values of n sub n set. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
26 The Sparse Vector Subset Sum Problem SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Resembles Sparse Subset Sum Problem (with integers rather than ring elements), used for server-aided RSA. Gentry showed that FullHom is secure assuming the hardnesses of: BDD γ for ideal lattices, for a large γ. SVSSP nset,n sub for specific values of n sub n set. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
27 Known attacks on SVSSP SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Birthday paradox. Requires time ( n set n sub ) 1/2. Lattice attack: s is likely to be a shortest non-zero vector in L = {x Z nset : i x i a i = 0 mod 2J}. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
28 Known attacks on SVSSP SVSSP nset,n sub Distinguish between (a i ) i nset uniform in [R mod (2J)] nset and the same but conditioned on the existence of s {0, 1} nset of Hamming weight n sub s.t. i s ia i = 0 mod 2J. Birthday paradox. Requires time ( n set n sub ) 1/2. Lattice attack: s is likely to be a shortest non-zero vector in L = {x Z nset : i x i a i = 0 mod 2J}. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
29 Analysis of the lattice attack against SVSSP dim(l) = n set. λ(l) [1, n sub ]. L = {x Z nset : i x ia i = 0 mod 2J}. det(l) det(2j) = 2 n det(j). Former analysis: n set log 2 det(2j) implies the existence of too many short vectors (via Minkowski s theorem). Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
30 Analysis of the lattice attack against SVSSP dim(l) = n set. λ(l) [1, n sub ]. L = {x Z nset : i x ia i = 0 mod 2J}. det(l) det(2j) = 2 n det(j). Former analysis: n set log 2 det(2j) implies the existence of too many short vectors (via Minkowski s theorem). Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
31 A less pessimistic analysis of the lattice attack L = {x Z nset : i x ia i = 0 mod 2J}. The former analysis assumes being able to find extremely short vectors of L, i.e., essentially solve SVP. But for SomHom, we assumed BDD γ hard for a large γ. We homogenize the hardness assumptions: Rule of thumb in time 2 t, one cannot find vectors shorter than c nset/t, for some constant c. Minkowski s theorem implies that there are many vectors of L within that norm bound. Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
32 A less pessimistic analysis of the lattice attack L = {x Z nset : i x ia i = 0 mod 2J}. The former analysis assumes being able to find extremely short vectors of L, i.e., essentially solve SVP. But for SomHom, we assumed BDD γ hard for a large γ. We homogenize the hardness assumptions: Rule of thumb in time 2 t, one cannot find vectors shorter than c nset/t, for some constant c. Minkowski s theorem implies that there are many vectors of L within that norm bound. Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
33 A less pessimistic analysis of the lattice attack L = {x Z nset : i x ia i = 0 mod 2J}. The former analysis assumes being able to find extremely short vectors of L, i.e., essentially solve SVP. But for SomHom, we assumed BDD γ hard for a large γ. We homogenize the hardness assumptions: Rule of thumb in time 2 t, one cannot find vectors shorter than c nset/t, for some constant c. Minkowski s theorem implies that there are many vectors of L within that norm bound. Most are unlikely to give any insight for solving SVSSP. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
34 1 Reminders on homomorphic encryption. 2 Ingredient 1: a less pessimistic analysis of S(V)SSP. 3 Ingredient 2: a shallower decryption algorithm. Using fewer multiplications to homomorphically decrypt. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
35 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
36 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
37 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
38 Decryption For SomHom: ψ ψ vj sk Squashed decryption: ψ mod 2. ψ, (ψ v i ) i ψ i s i(ψ v i ) mod 2. The decryption circuit is to be evaluated homomorphically. What s important: not the time complexity, but the multiplicative degree of the algebraic decryption circuit. Because this fixes the homomorphic capacity of SomHom, and thus the size of J. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
39 Degree of the decryption Dominating component: sum of n sub reals y 1,...,y nsub, modulo 2. 1 Choose a precision p for the inputs: y i = p j=0 y i,j2 j. 2 For each j, compute S j = i n sub y i,j. 3 Compute S = ( j S j2 j ) mod 2. Step 2 dominates. If k S j,k2 k is the binary representation of S j, then S j,k has algebraic degree 2 k. S j can be as large as n sub decryption degree n sub Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
40 Degree of the decryption Dominating component: sum of n sub reals y 1,...,y nsub, modulo 2. 1 Choose a precision p for the inputs: y i = p j=0 y i,j2 j. 2 For each j, compute S j = i n sub y i,j. 3 Compute S = ( j S j2 j ) mod 2. Step 2 dominates. If k S j,k2 k is the binary representation of S j, then S j,k has algebraic degree 2 k. S j can be as large as n sub decryption degree n sub Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
41 Shallower decryption: first remark Dominating component: sum of n sub reals y 1,...y nsub, modulo 2. 1 Choose a precision p for the inputs: y i = p j=0 y i,j2 j. 2 For each j, compute S j = i n sub y i,j. 3 Compute S = ( j S j2 j ) mod 2. S j needs only being evaluated mod 2 j+1. Since j p, the decryption degree is min(2 p+1, n sub ). But which p do we need? Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
42 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
43 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
44 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
45 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
46 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
47 Shallower decryption: choice of p y i = y i + ε i, ε i 2 p i = 1..n sub. Promise: y i is at distance 1/4 of an integer. Former strategy: p = 4 + log 2 n sub i ε i 1/8. Worst-case scenario: the signs of the errors are equal. The worst-case scenario is very unlikely to happen! If the ε i s are iid with expectancy 0, Hoeffding s bound gives: [ ] Pr i ε i n sub 2 p ω( log t) n ω(1). Choose p 1 2 log 2 n sub. Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
48 Remarks on the shallower decryption Making the ε i s iid with expectancy 0 requires some care. Decryption is now probabilistic: it fails with negligible prob. Additional difficulty for the KDM-variant of Gentry s FullHom (to ensure independence). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
49 Conclusion Let q = det(2j), security goal 2 t. Condition [Gentry 09] Here Ideal-BDD hard q ( 1/n c n/t SVSSP-Combinatorial nset ) n sub 2 2t nset SVSSP-Lattice n set = Ω(log q) 2 t = Ω(log q) Bootstrappability n sub log q 1/n nsub < log q 1/n Complexity of homomorphically evaluating one gate: n set log q : Õ(t 6 ) Õ(t3.5 ). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
50 Conclusion Let q = det(2j), security goal 2 t. Condition [Gentry 09] Here Ideal-BDD hard q ( 1/n c n/t SVSSP-Combinatorial nset ) n sub 2 2t nset SVSSP-Lattice n set = Ω(log q) 2 t = Ω(log q) Bootstrappability n sub log q 1/n nsub < log q 1/n Complexity of homomorphically evaluating one gate: n set log q : Õ(t 6 ) Õ(t3.5 ). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
51 Open problems 1 Faster scheme, e.g., using more bits in the plaintext (see work by Smart and Vercauteren). 2 Fewer security assumptions, e.g., no S(V)SSP. 3 Better understood security assumptions: can we rely on more classical assumptions? can we improve Gentry s CRYPTO 10 reduction? 4 What about practice? (see work by Gentry and Halevi). Damien Stehlé Faster Fully Homomorphic Encryption 08/12/ /21
Faster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé 1,2 and Ron Steinfeld 2 1 CNRS/Department of Mathematics and Statistics (F07), University of Sydney NSW 2006, Australia. damien.stehle@gmail.com http://perso.ens-lyon.fr/damien.stehle
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg {jean-sebastien.coron, avradip.mandal}@uni.lu
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationLattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.
Lattices A Lattice is a discrete subgroup of the additive group of n-dimensional space R n. Lattices have many uses in cryptography. They may be used to define cryptosystems and to break other ciphers.
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationMASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication
MASTER Fully homomorphic encryption in JCrypTool Ramaekers, C.F.W. Award date: 2011 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More informationFully Homomorphic Encryption using Hidden Ideal Lattice
1 Fully Homomorphic Encryption using Hidden Ideal Lattice Thomas Plantard, Willy Susilo, Senior Member, IEEE, Zhenfei Zhang Abstract All the existing fully homomorphic encryption schemes are based on three
More informationLattice-Based Cryptography
Liljana Babinkostova Department of Mathematics Computing Colloquium Series Detecting Sensor-hijack Attacks in Wearable Medical Systems Krishna Venkatasubramanian Worcester Polytechnic Institute Quantum
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationUNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.
Department of Electrical and Computing Engineering UNIVERSITY OF CONNECTICUT CSE 5095-004 (15626) & ECE 6095-006 (15284) Secure Computation and Storage: Spring 2016 Oral Exam: Theory There are three problem
More informationLattice Cryptography
CSE 06A: Lattice Algorithms and Applications Winter 01 Instructor: Daniele Micciancio Lattice Cryptography UCSD CSE Many problems on point lattices are computationally hard. One of the most important hard
More informationMaster of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption
Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption Maximilian Fillinger August 18, 01 1 Preliminaries 1.1 Notation Vectors and matrices are denoted by bold lowercase
More informationLattice Reduction for Modular Knapsack
Lattice Reduction for Modular Knapsack Thomas Plantard, Willy Susilo, and Zhenfei Zhang Centre for Computer and Information Security Research School of Computer Science & Software Engineering (SCSSE) University
More informationSolving the Shortest Lattice Vector Problem in Time n
Solving the Shortest Lattice Vector Problem in Time.465n Xavier Pujol 1 and Damien Stehlé 1 Université de Lyon, Laboratoire LIP, CNRS-ENSL-INRIA-UCBL, 46 Allée d Italie, 69364 Lyon Cedex 07, France CNRS,
More informationLattice-Based Cryptography: Mathematical and Computational Background. Chris Peikert Georgia Institute of Technology.
Lattice-Based Cryptography: Mathematical and Computational Background Chris Peikert Georgia Institute of Technology crypt@b-it 2013 1 / 18 Lattice-Based Cryptography y = g x mod p m e mod N e(g a, g b
More information9 Knapsack Cryptography
9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More informationLattice Cryptography
CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationAn intro to lattices and learning with errors
A way to keep your secrets secret in a post-quantum world Some images in this talk authored by me Many, excellent lattice images in this talk authored by Oded Regev and available in papers and surveys
More informationOn error distributions in ring-based LWE
On error distributions in ring-based LWE Wouter Castryck 1,2, Ilia Iliashenko 1, Frederik Vercauteren 1,3 1 COSIC, KU Leuven 2 Ghent University 3 Open Security Research ANTS-XII, Kaiserslautern, August
More informationApplications of Lattice Reduction in Cryptography
Applications of Lattice Reduction in Cryptography Abderrahmane Nitaj University of Caen Basse Normandie, France Kuala Lumpur, Malaysia, June 27, 2014 AK Q ËAÓ Abderrahmane Nitaj (LMNO) Applications of
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationLattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016
Lattice-Based Cryptography Chris Peikert University of Michigan QCrypt 2016 1 / 24 Agenda 1 Foundations: lattice problems, SIS/LWE and their applications 2 Ring-Based Crypto: NTRU, Ring-SIS/LWE and ideal
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationLattice reduction for modular knapsack
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 Lattice reduction for modular knapsack Thomas
More informationRevisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives
Revisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More information(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces
(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida Kaoru Kurosawa National Institute of Advanced Industrial Science and Technology (AIST), Japan, k.nuida@aist.go.jp
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer Chris Peikert Léo Ducas Oded Regev University of Leiden, The Netherlands CWI, Amsterdam, The Netherlands University of
More informationSolving All Lattice Problems in Deterministic Single Exponential Time
Solving All Lattice Problems in Deterministic Single Exponential Time (Joint work with P. Voulgaris, STOC 2010) UCSD March 22, 2011 Lattices Traditional area of mathematics Bridge between number theory
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationFinding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan
Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Mitchell Harper June 2, 2014 1 Contents 1 Introduction 3 2 Cryptography Primer 3 2.1 Definitions............................. 3 2.2 Using a Public-key Scheme....................
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationImplementing Homomorphic Encryption
Valentin Dalibard Implementing Homomorphic Encryption Computer Science Tripos, Part II St John s College May 18, 2011 Proforma Name: Valentin Dalibard College: St John s College Project Title: Implementing
More informationOutline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt
NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain
More informationExercise Sheet Cryptography 1, 2011
Cryptography 1 http://www.cs.ut.ee/~unruh/crypto1-11/ Exercise Sheet Cryptography 1, 2011 Exercise 1 DES The Data Encryption Standard (DES) is a very famous and widely used block cipher. It maps 64-bit
More information(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces
(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida 12 and Kaoru Kurosawa 3 1 National Institute of Advanced Industrial Science and Technology (AIST), Tsukuba, Ibaraki
More informationPost-Quantum Cryptography & Privacy. Andreas Hülsing
Post-Quantum Cryptography & Privacy Andreas Hülsing Privacy? Too abstract? How to achieve privacy? Under the hood... Public-key crypto ECC RSA DSA Secret-key crypto AES SHA2 SHA1... Combination of both
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationPrivate Comparison. Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5
Private Comparison Chloé Hébant 1, Cedric Lefebvre 2, Étienne Louboutin3, Elie Noumon Allini 4, Ida Tucker 5 1 École Normale Supérieure, CNRS, PSL University 2 IRIT 3 Chair of Naval Cyber Defense, IMT
More informationCosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks
1 Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks Michael Albert michael.albert@cs.otago.ac.nz 2 This week Arithmetic Knapsack cryptosystems Attacks on knapsacks Some
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Zvika Brakerski 1 Adeline Langlois 2 Chris Peikert 3 Oded Regev 4 Damien Stehlé 2 1 Stanford University 2 ENS de Lyon 3 Georgia Tech 4 New York University Our
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationPractical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits
Practical Key Recovery for Discrete-Logarithm Based Authentication Schemes from Random Nonce Bits Damien Vergnaud École normale supérieure CHES September, 15th 2015 (with Aurélie Bauer) Damien Vergnaud
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationLooking back at lattice-based cryptanalysis
September 2009 Lattices A lattice is a discrete subgroup of R n Equivalently, set of integral linear combinations: α 1 b1 + + α n bm with m n Lattice reduction Lattice reduction looks for a good basis
More informationMaking NTRU as Secure as Worst-Case Problems over Ideal Lattices
Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé 1 and Ron Steinfeld 2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d Italie, 69364 Lyon Cedex
More informationMaTRU: A New NTRU-Based Cryptosystem
MaTRU: A New NTRU-Based Cryptosystem Michael Coglianese 1 and Bok Min Goi 2 1 Macgregor, 321 Summer Street Boston, MA 02210, USA mcoglian@comcast.net 2 Centre for Cryptography and Information Security
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationLecture Notes, Week 6
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Week 6 (rev. 3) Professor M. J. Fischer February 15 & 17, 2005 1 RSA Security Lecture Notes, Week 6 Several
More informationCryptanalysis via Lattice Techniques
Cryptanalysis via Lattice Techniques Alexander May Horst Görtz Institute for IT-Security Faculty of Mathematics Ruhr-University Bochum crypt@b-it 2010, Aug 2010, Bonn Lecture 1, Mon Aug 2 Introduction
More informationPacked Homomorphic Encryption Based on Ideal Lattices and Its Application to Biometrics
Packed Homomorphic Encryption Based on Ideal Lattices and Its Application to Biometrics Masaya Yasuda, Takeshi Shimoyama, Jun Kogure, Kazuhiro Yokoyama, Takeshi Koshiba To cite this version: Masaya Yasuda,
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationFully Homomorphic Encryption Using Ideal Lattices
Fully Homomorphic Encryption Using Ideal Lattices Craig Gentry Stanford University and IBM Watson cgentry@cs.stanford.edu ABSTRACT We propose a fully homomorphic encryption scheme i.e., a scheme that allows
More informationA new security notion for asymmetric encryption Draft #10
A new security notion for asymmetric encryption Draft #10 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationImproved Zero-knowledge Protocol for the ISIS Problem, and Applications
Improved Zero-knowledge Protocol for the ISIS Problem, and Applications Khoa Nguyen, Nanyang Technological University (Based on a joint work with San Ling, Damien Stehlé and Huaxiong Wang) December, 29,
More informationGroup Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based
Group Signatures from Lattices: Simpler, Tighter, Shorter, Ring-based San Ling and Khoa Nguyen and Huaxiong Wang NTU, Singapore ENS de Lyon, 30/09/2015 Content 1 Introduction Previous Works on Lattice-Based
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationA new security notion for asymmetric encryption Draft #12
A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationFully Homomorphic Encryption
Studienarbeit Fully Homomorphic Encryption Irena Schindler Leibniz Universität Hannover Fakultät für Elektrotechnik und Informatik Institut für Theoretische Informatik Contents 1 Introduction 1 2 Basic
More informationHardness and advantages of Module-SIS and Module-LWE
Hardness and advantages of Module-SIS and Module-LWE Adeline Roux-Langlois EMSEC: Univ Rennes, CNRS, IRISA April 24, 2018 Adeline Roux-Langlois Hardness and advantages of Module-SIS and LWE April 24, 2018
More informationDwork 97/07, Regev Lyubashvsky-Micciancio. Micciancio 09. PKE from worst-case. usvp. Relations between worst-case usvp,, BDD, GapSVP
The unique-svp World 1. Ajtai-Dwork Dwork 97/07, Regev 03 PKE from worst-case usvp 2. Lyubashvsky-Micciancio Micciancio 09 Shai Halevi, IBM, July 2009 Relations between worst-case usvp,, BDD, GapSVP Many
More informationImplementing Ring-LWE cryptosystems
Implementing Ring-LWE cryptosystems Tore Vincent Carstens December 16, 2016 Contents 1 Introduction 1 1.1 Motivation............................................ 1 2 Lattice Based Crypto 2 2.1 General Idea...........................................
More informationDiophantine equations via weighted LLL algorithm
Cryptanalysis of a public key cryptosystem based on Diophantine equations via weighted LLL algorithm Momonari Kudo Graduate School of Mathematics, Kyushu University, JAPAN Kyushu University Number Theory
More informationSolving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?
Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know? Alexander May, Maike Ritzenhofen Faculty of Mathematics Ruhr-Universität Bochum, 44780 Bochum,
More information