Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi
|
|
- Roderick Dixon
- 5 years ago
- Views:
Transcription
1 Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014
2 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications, but not an application in itself More a technique than a single primitive Several different variants, all share the same core properties but differ in details Extension of bilinear maps [J00,SOK00,BF01] Bilinear maps are extensions of DL-based crypto
3 Starting Point: DL-based Crypto The DDH assumption is a gold mine -- Boneh 98 Why is it so useful? Can hide values a i in g a i Some tasks are still easy in this representation Compute any linear/affine function of the a i s Check if a i = 0 Other tasks are seemingly hard E.g., computing/checking quadratic functions (CDH/DDH)
4 Starting Point: DL-based Crypto To use DH, design applications where: legitimate parties only compute linear functions adversary needs to compute/check quadratics Some examples: DH key-exchange, ElGamal Encryption, Cramer-Shoup CCA-Secure Encryption, Naor-Reingold PRF, Efficient ZKPs,
5 Beyond DDH: Bilinear Maps In bilinear-map groups you can compute quadratic functions in the exponent But computing/checking cubics is hard Now the legitimate parties can do a lot more Leads to new capabilities Identity-based encryption (IBE) Predicate encryption (for simple predicates) Efficient non-interactive zero-knowledge proofs
6 Why Stop at Two? Can we find groups that would let us compute cubics but not 4th powers? Or in general, upto degree k but no more? Cryptographic multilinear maps (MMAPs) Even more useful than bilinear [BS 03] explored applications of MMAPs Also argued that they are unlikely to be constructed similarly to bilinear maps
7 The [GGH 13] Approach Construct MMAPs from HE techniques By modifying the an existing HE scheme Recall somewhat homomorphic enc.(swhe) Public-key encryption with usual (KeyGen,Enc,Dec) An additional procedure c Eval pk (P, c) P is a low-degree polynomial If c = (c 1,, c t ) encrypts a = (a 1,, a t ), then c encrypts a = P(a 1,, a t ) This looks a little like what we want
8 MMAPs vs. SWHE MMAPs Encoding e a = g a Computing low-deg polynomials of the e a s is easy Sharp threshold for easy vs. hard Can test for zero SWHE Encrypting c a = E(a) Computing low-deg polynomials of the c a s is easy? Fuzzy threshold for easy vs. hard? Cannot test anything But if you have skey you can recover a itself
9 Main Ingredient: Testing for Zero To be useful, must be able to test if two degree-k expressions are equal Using homomorphism, that s the same as testing if a degree-k expression equals zero Our approach: augment a SWHE scheme with a handicapped secret key Can test if a ciphertext decrypts to zero, but cannot decrypt arbitrary cipehrtexts Assuming that the plaintext-space is large Called a zero-test parameter
10 Goal: Graded Encoding Schemes Encoding values a in levels Level-0: analogous to plaintext a Level-1: analogous to g a Level-i: product of i level-1 encodings Can test for encoding of zero at level k
11 Graded Encoding Schemes Instance generation: pp, sp IGEN(1 λ, 1 k ) Plaintext space implicit in pp, Isomorphic to some Z p Secret-key encoding: e a SEnc(sp, a, i) e a is a level-i encoding of a SEnc is randomized Addition and multiplication e a+b e a e b, lvl e a+b = max lvl e a, lvl e b e a b e a e b, lvl e a b = lvl e a + lvl e b Zero-test: ztst e a = Yes/No, lvl e a = k
12 Bird-Eye View of [GGH 13] Start from the NTRU HE scheme NTRU ciphertexts naturally come in levels Modify NTRU to obscure the plaintext space Needed for security when publishing the handicapped secret key Publish a shifted level-k secret key Can identify level-k encryption of zero, not decrypt Another scheme along similar lines in [CLT 13]
13 Starting From NTRU Encryption All ops are in some polynomial rings R = Z[X]/F(X), R q = R/qR Secret key is z R q Plaintext elements from (e.g.) R 3 = R/3R Encryption of a R 3 is c a = a+3r c a z q = a (mod 3) For level-i ctxt, c a z i q z = a (mod 3) q R q, s.t.
14 Obscuring the Plaintext Space All ops are in some polynomial rings R = Z[X]/F(X), R q = R/qR Secret key is z R q Plaintext elements from R g = R/gR g R is a small, secret element Encryption of a R g is c a = a+gr c a z q = a (mod g) For level-i ctxt, c a z i q z = a (mod g) q R q, s.t.
15 Encoding and Homomorphism A level-i encoding of a is e = a /z i q such that a = a(mod g) and a q (say < q 1/8 ) Homomorphism is obvious c a ± c b q = a+b+gr z i all at the same level c a c b q = a b+gr z i+j lvl(c a b )=lvl(c a )+lvl(c b ) q = c a±b q = c a b As long as no wraparound in the numerator
16 Zero-Test Parameter Publish information to recognize a level-k encoding of zero, e = gr/z k q For small r But not nonzero encodings gr+a z i q Also not encodings e at levels > k
17 Zero-Test Parameter 1st idea: set p zt = z k /g q If e z k q = g r then e p zt q = r is small If e z k q = g r + a then e p zt q = r + a g q is big Because of the term a/g q
18 Zero-Test Parameter 1st idea: set p zt = z k /g q 2 Problem: p zt q enables tests at levels > k If e z 2k 1 = g r, q and e 0 z q = g r then p 2 zt e 0 e q = r r is small 2 p zt q enables zero-testing at level 2k 1
19 Zero-Test Parameter (2) Instead, set p zt = h z k /g q With h q Squaring p zt already yields a wraparound Zero-testing procedure: Check if p zt e q < q 3/4
20 Correctness of Zero-Testing If e z k q = rg then p zt e = hr (mod q) rg < q 1/8, since e is a valid encoding Hence also r < q 1/8+ε This assumes g 1 is small in the field of fractions Since h < q 1/2+ε then hr < q 3/4 e hz k g q = hr and hr < q 3/4, so the zero-test pass
21 Correctness of Zero-Testing (2) The converse is a bit more complicated: Let g, h be such that the two ideals gr, hr are co-prime Lemma: For a s.t. ah < q/2, let w = ah/g q. If w is small enough so that wg < q/2, then a gr i.e., a = gr for some r Proof: wg = ah over R (since both < q/2) and since h, g co-prime then g a.
22 Correctness of Zero-Testing (3) Lemma: For a s.t. ah < q/2, let w = ah/g q. If w is small enough so that wg < q/2, then a gr i.e., a = gr for some r Corollary: if a/z k is a valid level-k encoding ( ah < q/2) and it passes zero-test ( w is small), so it is an encoding of zero
23 Zero-Testing Invalid Encodings Easy to come up with an invalid encoding that passes the zero test. If we need security against malicious encodings, publish many p zt s For many different mid-size h es Check p zt e q < q 3/4 for all of them Can prove that whp over the h es, only valid zero-encodings pass this test.
24 Extracting Unique Representation e a, e a are two level-k encoding of same a We know that p zt e a e a q q 3/4 This means that p zt e a q p zt e a q Unless there is a wraparound, which is unlikely So MSB( p zt e a q ) = MSB( p zt e a q) Define Ext e a = MSB( p zt e a q ) For level-k encodings we get Ext e = Ext e iff e, e encode the same element Can be used to extract a shared key
25 Hardness Assumptions An über-assumption for graded-encodings: For a collection of encodings e 1,, e t (at any level) e i is an encoding of some plaintext a i and polynomial P(x 1,, x t ) of degree > k Computation: Hard to compute a level-k encoding of P(a 1,, a t ) when the a i are uniform Decision: Hard to distinguish if the a i are uniform, or chosen as a random root of P An even more general assumption in [PST 14] Dubbed Semantically-Secure Graded Encodings
26 Weak-DL Attacks in [GGH 13] über-assumption does not hold if application provides level-1 encodings of zero, one Given: Level-i encoding of 1 Level-i encoding of some a, and Many Level-j encoding of 0, with i + j k Can compute in the clear a a + gr I.e., a = a + gr for some r a is large, a q (so not a level-0 encoding) But enough to violate über-assumption
27 Dealing with Weak DL Attacks Many applications do not need low-level encodings of 0,1 Other applications only need to assume security of level-k encodings If i + j k, the attack does not apply Or use other MMAPs [CTL 13] seemingly not susceptible to weak-dl Can perhaps immunize [GGH 13] against it Using GGH-encoded matrices and their eigenvalues
28 A Few Words About Performance Currently mostly a plausibility argument Somewhat practical multilinearity for a small constant Best reported implementation in [CLT 13] 6-linear scheme with pp size ~ 2.5 GB, operations in less than one minute Quite aggressive choice of the security parameter Main road-block: obscured plaintext space Rules out all the optimizations that we have for FHE Leaves us with something similar to Gentry s original 2009 scheme
29 Some Variants Public encoding: (a, e a ) PEnc(pp) a is uniform, e a is a level-1 encoding of a Re-randomize: e a ReRand(pp, e a ) e a, e a encode the same element Distribution of e a depends on a, but not on e a To do either, provide in the public parameters level-1 encodings of zero, one Susceptible to weak-dl attack
30 More Variants An asymmetric variant Instead of levels 1,2,, k, encodings associated with subsets of k = {1,2,, k} Can only multiply encodings relative to disjoint subsets Zero-test for encodings relative to k itself
31 Summary MMAPs are similar to DL-based crypto Can compute polynomials in the exponent Polynomials of degree up to k But not degree k + 1 or more One difference: need sk to exponentiate Or use one of the variants
32 Backup Slides
33 Weak DL attack (1) Suppose we have many level-1 encodings of 0, e i = g r i z q, i = 1,, t, and an encoding of 1, d = f 1 z q, f 1 = 1(mod g) For every i let h i = e i d k 1 p zt q = hr i f 1 k 1 No mod-q in the last equality If the r i s are co-prime, can use GCD to get (a basis for) the ideal (hf 1 k 1 )
34 Weak DL attack (2) Replace d by d = d + c 1 = f 1 z q With f 1 = f 1 + gr 1 Repeat the above to get (a basis for) the ideal (hf 1 k 1 ) If f 1, f 1 are co-prime, can use GCD again to get (a basis for) the ideal (h) Hence also a basis for the inverse (h 1 )
35 Weak DL attack (3) By multiplying two encodings of zero by p zt and d k 2, we can get (a basis for) the ideals (hgf 1 k 2 ) and (hgf 1 k 2 ) Then using GCD also (hg) From (hg) and (h 1 ) we can get (g)
36 Weak DL attack (4) For an encoding e = a z t q, we want to recover some a = a (mod g ) Compute α = e d k t 1 e 1 p zt q = a f 1 k t 1 r 1 h β = d k 1 e 1 p zt q = f 1 k 1 r 1 h Knowing g, set a = αβ 1 (mod (g)) Correctness follows since f 1 = 1 (mod g )
Shai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationGGHLite: More Efficient Multilinear Maps from Ideal Lattices
GGHLite: More Efficient Multilinear Maps from Ideal Lattices Adeline Langlois, Damien Stehlé and Ron Steinfeld Aric Team, LIP, ENS de Lyon May, 4 Adeline Langlois GGHLite May, 4 / 9 Our main result Decrease
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationLecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004
CMSC 858K Advanced Topics in Cryptography February 24, 2004 Lecturer: Jonathan Katz Lecture 9 Scribe(s): Julie Staub Avi Dalal Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationBackground: Lattices and the Learning-with-Errors problem
Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b
More information1 Number Theory Basics
ECS 289M (Franklin), Winter 2010, Crypto Review 1 Number Theory Basics This section has some basic facts about number theory, mostly taken (or adapted) from Dan Boneh s number theory fact sheets for his
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationObfuscation and Weak Multilinear Maps
Obfuscation and Weak Multilinear Maps Mark Zhandry Princeton University Joint work with Saikrishna Badrinarayanan, Sanjam Garg, Eric Miles, Pratyay Mukherjee, Amit Sahai, Akshayaram Srinivasan Obfuscation
More informationShort Exponent Diffie-Hellman Problems
Short Exponent Diffie-Hellman Problems Takeshi Koshiba 12 and Kaoru Kurosawa 3 1 Secure Computing Lab., Fujitsu Laboratories Ltd. 2 ERATO Quantum Computation and Information Project, Japan Science and
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 6: El Gamal. Chosen-ciphertext security, the Cramer-Shoup cryptosystem. Benny Pinkas based on slides of Moni Naor page 1 1 Related papers Lecture notes of Moni Naor,
More informationIntroduction to Cryptography. Lecture 8
Introduction to Cryptography Lecture 8 Benny Pinkas page 1 1 Groups we will use Multiplication modulo a prime number p (G, ) = ({1,2,,p-1}, ) E.g., Z 7* = ( {1,2,3,4,5,6}, ) Z p * Z N * Multiplication
More informationPublic-Key Encryption: ElGamal, RSA, Rabin
Public-Key Encryption: ElGamal, RSA, Rabin Introduction to Modern Cryptography Benny Applebaum Tel-Aviv University Fall Semester, 2011 12 Public-Key Encryption Syntax Encryption algorithm: E. Decryption
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More informationCryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur
Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 33 The Diffie-Hellman Problem
More informationLecture Summary. 2 Simplified Cramer-Shoup. CMSC 858K Advanced Topics in Cryptography February 26, Chiu Yuen Koo Nikolai Yakovenko
CMSC 858K Advanced Topics in Cryptography February 26, 2004 Lecturer: Jonathan Katz Lecture 10 Scribe(s): Jeffrey Blank Chiu Yuen Koo Nikolai Yakovenko 1 Summary We had previously begun to analyze the
More informationASYMMETRIC ENCRYPTION
ASYMMETRIC ENCRYPTION 1 / 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters involved. 2 / 1 Recall
More informationPublic Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationDiscrete logarithm and related schemes
Discrete logarithm and related schemes Martin Stanek Department of Computer Science Comenius University stanek@dcs.fmph.uniba.sk Cryptology 1 (2017/18) Content Discrete logarithm problem examples, equivalent
More informationOn Homomorphic Encryption and Secure Computation
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM NYU Columbia Theory Day, May 7, 2010 Computing on Encrypted Data Wouldn t it be nice to be able to o Encrypt my data
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationPublic Key Cryptography
Public Key Cryptography Introduction Public Key Cryptography Unlike symmetric key, there is no need for Alice and Bob to share a common secret Alice can convey her public key to Bob in a public communication:
More informationCRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16
CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16 Groth-Sahai proofs helger lipmaa, university of tartu UP TO NOW Introduction to the field Secure computation protocols Interactive zero knowledge from Σ-protocols
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationLecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004
CMSC 858K Advanced Topics in Cryptography February 5, 2004 Lecturer: Jonathan Katz Lecture 4 Scribe(s): Chiu Yuen Koo Nikolai Yakovenko Jeffrey Blank 1 Summary The focus of this lecture is efficient public-key
More informationAn Algorithm for NTRU Problems
An Algorithm for NTRU Problems Jung Hee Cheon, Jinhyuck Jeong, Changmin Lee Seoul National University August 29, 2016 Changmin Lee An Algorithm for NTRU Problems 2016. 8. 29. 1 / 27 Introduction The NTRU
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationEvaluating 2-DNF Formulas on Ciphertexts
Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005 Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B],
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman Stanford University, USA Eurocrypt 2010 Monaco, Monaco 31 May 2010 David Mandell Freeman (Stanford)
More informationProvable security. Michel Abdalla
Lecture 1: Provable security Michel Abdalla École normale supérieure & CNRS Cryptography Main goal: Enable secure communication in the presence of adversaries Adversary Sender 10110 10110 Receiver Only
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More informationBasics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018
Basics in Cryptology II Distributed Cryptography David Pointcheval Ecole normale supérieure, CNRS & INRIA ENS Paris 2018 NS/CNRS/INRIA Cascade David Pointcheval 1/26ENS/CNRS/INRIA Cascade David Pointcheval
More informationAdvanced Cryptography 1st Semester Public Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 1st 2007 1 / 64 Last Time (I) Indistinguishability Negligible function Probabilities Indistinguishability
More information5.4 ElGamal - definition
5.4 ElGamal - definition In this section we define the ElGamal encryption scheme. Next to RSA it is the most important asymmetric encryption scheme. Recall that for a cyclic group G, an element g G is
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationImmunizing Multilinear Maps Against Zeroizing Attacks
Immunizing Multilinear Maps Against Zeroizing Attacks Dan Boneh Stanford University David J. Wu Stanford University Joe Zimmerman Stanford University Abstract In recent work Cheon, Han, Lee, Ryu, and Stehlé
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationLecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography
Lecture 19: (Diffie-Hellman Key Exchange & ElGamal Encryption) Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies
More informationOn the CCA1-Security of Elgamal and Damgård s Elgamal
On the CCA1-Security of Elgamal and Damgård s Elgamal Cybernetica AS, Estonia Tallinn University, Estonia October 21, 2010 Outline I Motivation 1 Motivation 2 3 Motivation Three well-known security requirements
More informationCryptanalysis of branching program obfuscators
Cryptanalysis of branching program obfuscators Jung Hee Cheon 1, Minki Hhan 1, Jiseung Kim 1, Changmin Lee 1, Alice Pellet-Mary 2 1 Seoul National University 2 ENS de Lyon Crypto 2018 M. Hhan, A. Pellet-Mary
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationUniversal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption
Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup October 12, 2001 Abstract We present several new and fairly practical public-key
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationPeculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology
1 / 19 Peculiar Properties of Lattice-Based Encryption Chris Peikert Georgia Institute of Technology Public Key Cryptography and the Geometry of Numbers 7 May 2010 2 / 19 Talk Agenda Encryption schemes
More informationLemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).
1 Background 1.1 The group of units MAT 3343, APPLIED ALGEBRA, FALL 2003 Handout 3: The RSA Cryptosystem Peter Selinger Let (R, +, ) be a ring. Then R forms an abelian group under addition. R does not
More informationAn Introduction to Pairings in Cryptography
An Introduction to Pairings in Cryptography Craig Costello Information Security Institute Queensland University of Technology INN652 - Advanced Cryptology, October 2009 Outline 1 Introduction to Pairings
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationPrivate Puncturable PRFs from Standard Lattice Assumptions
Private Puncturable PRFs from Standard Lattice Assumptions Sam Kim Stanford University Joint work with Dan Boneh and Hart Montgomery Pseudorandom Functions (PRFs) [GGM84] Constrained PRFs [BW13, BGI13,
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim,1,2, Julia Hesse 1,2,3, Dennis Hofheinz,3, and Enrique Larraia 1 DIENS, École normale supérieure, CNRS, PSL Research University, Paris, France 2 INRIA
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 11 February 21, 2013 CPSC 467b, Lecture 11 1/27 Discrete Logarithm Diffie-Hellman Key Exchange ElGamal Key Agreement Primitive Roots
More informationComputing on Encrypted Data
Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party
More informationCOS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7
COS 597C: Recent Developments in Program Obfuscation Lecture 7 10/06/16 Lecturer: Mark Zhandry Princeton University Scribe: Jordan Tran Notes for Lecture 7 1 Introduction In this lecture, we show how to
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationFully Homomorphic Encryption - Part II
6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More information1 Indistinguishability for multiple encryptions
CSCI 5440: Cryptography Lecture 3 The Chinese University of Hong Kong 26 September 2012 1 Indistinguishability for multiple encryptions We now have a reasonable encryption scheme, which we proved is message
More informationThe Cramer-Shoup Cryptosystem
The Cramer-Shoup Cryptosystem Eileen Wagner October 22, 2014 1 / 28 The Cramer-Shoup system is an asymmetric key encryption algorithm, and was the first efficient scheme proven to be secure against adaptive
More informationComputational Number Theory. Adam O Neill Based on
Computational Number Theory Adam O Neill Based on http://cseweb.ucsd.edu/~mihir/cse207/ Secret Key Exchange - * Is Alice Ka Public Network Ka = KB O KB 0^1 Eve should have a hard time getting information
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationMultilinear Maps from Obfuscation
Multilinear Maps from Obfuscation Martin R. Albrecht (RHUL) Pooya Farshim (QUB) Shuai Han (SJTU) Dennis Hofheinz (KIT) Enrique Larraia (RHUL) Kenneth G. Paterson (RHUL) December 18, 2017 Abstract We provide
More informationPublic-Key Cryptosystems CHAPTER 4
Public-Key Cryptosystems CHAPTER 4 Introduction How to distribute the cryptographic keys? Naïve Solution Naïve Solution Give every user P i a separate random key K ij to communicate with every P j. Disadvantage:
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationEfficient Selective Identity-Based Encryption Without Random Oracles
Efficient Selective Identity-Based Encryption Without Random Oracles Dan Boneh Xavier Boyen March 21, 2011 Abstract We construct two efficient Identity-Based Encryption (IBE) systems that admit selectiveidentity
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationAttribute-based Encryption & Delegation of Computation
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE
More informationHidden Field Equations
Security of Hidden Field Equations (HFE) 1 The security of Hidden Field Equations ( H F E ) Nicolas T. Courtois INRIA, Paris 6 and Toulon University courtois@minrank.org Permanent HFE web page : hfe.minrank.org
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationCS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University
CS 4770: Cryptography CS 6750: Cryptography and Communication Security Alina Oprea Associate Professor, CCIS Northeastern University March 26 2017 Outline RSA encryption in practice Transform RSA trapdoor
More informationEl Gamal A DDH based encryption scheme. Table of contents
El Gamal A DDH based encryption scheme Foundations of Cryptography Computer Science Department Wellesley College Fall 2016 Table of contents Introduction El Gamal Practical Issues The El Gamal encryption
More informationClassical Cryptography
Classical Cryptography CSG 252 Fall 2006 Riccardo Pucella Goals of Cryptography Alice wants to send message X to Bob Oscar is on the wire, listening to communications Alice and Bob share a key K Alice
More informationA survey on quantum-secure cryptographic systems
A survey on quantum-secure cryptographic systems Tomoka Kan May 24, 2018 1 Abstract Post-quantum cryptography refers to the search for classical cryptosystems which remain secure in the presence of a quantum
More informationNew and Improved Key-Homomorphic Pseudorandom Functions
New and Improved Key-Homomorphic Pseudorandom Functions Abhishek Banerjee 1 Chris Peikert 1 1 Georgia Institute of Technology CRYPTO 14 19 August 2014 Outline 1 Introduction 2 Construction, Parameters
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationA new security notion for asymmetric encryption Draft #8
A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,
More informationGraded Encoding Schemes from Obfuscation
Graded Encoding Schemes from Obfuscation Pooya Farshim 1&2, Julia Hesse 1&2&5, Dennis Hofheinz 3, and Enrique Larraia 4 1 Département d informatique de l ENS, École normale supérieure, CNRS, PSL Research
More informationRecovering Short Generators of Principal Ideals in Cyclotomic Rings
Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators
More informationYou submitted this homework on Wed 31 Jul :50 PM PDT (UTC -0700). You got a score of out of You can attempt again in 10 minutes.
Feedback Week 6 - Problem Set You submitted this homework on Wed 31 Jul 2013 1:50 PM PDT (UTC -0700) You got a score of 1000 out of 1 You can attempt again in 10 minutes Question 1 Recall that with symmetric
More informationParallel Decryption Queries in Bounded Chosen Ciphertext Attacks
Parallel Decryption Queries in Bounded Chosen Ciphertext Attacks Takahiro Matsuda and Kanta Matsuura The University of Tokyo, Japan {tmatsuda,kanta}@iis.u-tokyo.ac.jp Abstract. Whether it is possible to
More informationPractice Final Exam Winter 2017, CS 485/585 Crypto March 14, 2017
Practice Final Exam Name: Winter 2017, CS 485/585 Crypto March 14, 2017 Portland State University Prof. Fang Song Instructions This exam contains 7 pages (including this cover page) and 5 questions. Total
More informationConverting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups
Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups David Mandell Freeman CWI and Universiteit Leiden freeman@cwi.nl Abstract. We develop an abstract framework that
More informationOn The Security of The ElGamal Encryption Scheme and Damgård s Variant
On The Security of The ElGamal Encryption Scheme and Damgård s Variant J. Wu and D.R. Stinson David R. Cheriton School of Computer Science University of Waterloo Waterloo, ON, Canada {j32wu,dstinson}@uwaterloo.ca
More informationIntro to Public Key Cryptography Diffie & Hellman Key Exchange
Introduction to Modern Cryptography Lecture 5 Number Theory: 1. Quadratic residues. 2. The discrete log problem. Intro to Public Key Cryptography Diffie & Hellman Key Exchange Course Summary - Math Part
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationCLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD
CLASSICAL CRYPTOSYSTEMS IN A QUANTUM WORLD Mark Zhandry Stanford University * Joint work with Dan Boneh But First: My Current Work Indistinguishability Obfuscation (and variants) Multiparty NIKE without
More information14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption. Victor Shoup New York University
14 Years of Chosen Ciphertext Security: A Survey of Public Key Encryption Victor Shoup New York University A Historical Perspective The wild years (mid 70 s-mid 80 s): Diffie-Hellman, RSA, ElGamal The
More information1 Secure two-party computation
CSCI 5440: Cryptography Lecture 7 The Chinese University of Hong Kong, Spring 2018 26 and 27 February 2018 In the first half of the course we covered the basic cryptographic primitives that enable secure
More informationLossy Trapdoor Functions and Their Applications
1 / 15 Lossy Trapdoor Functions and Their Applications Chris Peikert Brent Waters SRI International On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information 2 / 15 On Losing Information
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More information