1 NTRUReEncrypt An Efficient Proxy Re-Encryption Scheme based on NTRU David Nuñez, Isaac Agudo, and Javier Lopez Network, Information and Computer Security Laboratory (NICS Lab) Universidad de Málaga, Spain ACM AsiaCCS 2015 Singapore
2 1. Proxy Re-Encryption 2. NTRU 3. NTRUReEncrypt 4. PS-NTRUReEncrypt 5. Experimental results 6. Conclusions
3 Proxy Re-Encryption: Overview
A proxy re-encryption (PRE) scheme is a public-key encryption scheme that permits a proxy to transform ciphertexts under Alice's public key into ciphertexts under Bob's public key. To perform this transformation the proxy needs a re-encryption key $rk_{A \to B}$, which is generated by the delegating entity. Proxy re-encryption therefore enables delegation of decryption rights.
4 Syntax of Bidirectional Proxy Re-Encryption
Definition. A bidirectional proxy re-encryption scheme is a tuple of algorithms (Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec):
$\mathrm{KeyGen}() \to (pk_A, sk_A)$
$\mathrm{ReKeyGen}(sk_A, sk_B) \to rk_{A \to B}$
$\mathrm{Enc}(pk_A, M) \to C_A$
$\mathrm{ReEnc}(rk_{A \to B}, C_A) \to C_B$
$\mathrm{Dec}(sk_A, C_A) \to M$
5 Correctness
Definition: Multihop Correctness. A bidirectional PRE scheme (Setup, KeyGen, ReKeyGen, Enc, ReEnc, Dec) is multihop correct with respect to plaintext space $\mathcal{M}$ if:
(Encrypted ciphertexts) For all $(pk_A, sk_A)$ output by KeyGen and all messages $M \in \mathcal{M}$, it holds that $\mathrm{Dec}(sk_A, \mathrm{Enc}(pk_A, M)) = M$.
(Re-encrypted ciphertexts) For any sequence of pairs $(pk_i, sk_i)$ output by KeyGen, with $1 \le i \le N$, all re-encryption keys $rk_{j \to j+1}$ output by $\mathrm{ReKeyGen}(sk_j, sk_{j+1})$, with $1 \le j < N$, all messages $M \in \mathcal{M}$, and all ciphertexts $C_1$ output by $\mathrm{Enc}(pk_1, M)$, it holds that
$\mathrm{Dec}(sk_N, \mathrm{ReEnc}(rk_{N-1 \to N}, \ldots \mathrm{ReEnc}(rk_{1 \to 2}, C_1) \ldots)) = M$.
6 Bidirectional CPA-security game
Let us assume: $k$ is the security parameter; $\mathcal{A}$ is a polynomial-time adversary; $H$ and $C$ are the sets of indices of honest and corrupt users. The IND-CPA game consists of an execution of $\mathcal{A}$ with the following oracles, which can be invoked multiple times in any order, subject to the constraints below:
7 Bidirectional CPA-security game
Phase 0: The challenger obtains global parameters $params \leftarrow \mathrm{Setup}(1^k)$ and initializes the sets $H, C$ to $\emptyset$. The challenger generates the public key $pk^*$ of the target user $i^*$, adds $i^*$ to $H$, and sends $pk^*$ to the adversary.
Phase 1: Uncorrupted key generation $\mathcal{O}_{honest}$: on input an index $i \notin H \cup C$, the oracle obtains a new keypair $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}()$ and adds index $i$ to $H$. The adversary receives $pk_i$. Corrupted key generation $\mathcal{O}_{corrupt}$: on input an index $i \notin H \cup C$, the oracle obtains a new keypair $(pk_i, sk_i) \leftarrow \mathrm{KeyGen}()$ and adds index $i$ to $C$. The adversary receives $(pk_i, sk_i)$.
8 Bidirectional CPA-security game
Phase 2: Re-encryption key generation $\mathcal{O}_{rkgen}$: on input $(i, j)$, where $i \ne j$ and either $i, j \in H$ or $i, j \in C$, the oracle returns $rk_{i \to j} \leftarrow \mathrm{ReKeyGen}(sk_i, sk_j)$. Challenge oracle $\mathcal{O}_{challenge}$: this oracle can be queried only once. On input $(M_0, M_1)$, the oracle chooses a bit $b \in \{0, 1\}$ and returns the challenge ciphertext $C^* \leftarrow \mathrm{Enc}(pk^*, M_b)$, where $pk^*$ is the public key of the target user $i^*$.
Phase 3 (Decision): $\mathcal{A}$ outputs a guess $b' \in \{0, 1\}$. $\mathcal{A}$ wins the game if and only if $b' = b$.
9 Other remarks
Static corruption model. Queries to $\mathcal{O}_{rkgen}$ are only allowed when both users are corrupt or both are honest; otherwise a re-encryption key between an honest and a corrupt user would corrupt the honest user (in a bidirectional scheme the key reveals $sk_{honest}$ to whoever holds $sk_{corrupt}$). A re-encryption oracle is not necessary in the CPA setting.
10 NTRUEncrypt: Overview
Originally proposed by Hoffstein, Pipher and Silverman, it is one of the first PKE schemes based on lattices. NTRU encryption is very efficient, orders of magnitude faster than other PKE schemes, and is standardized by IEEE (P1363.1) and ANSI (X9.98). It is conjectured to be based on hard problems over lattices (post-quantum cryptography), but it lacks a formal proof in the form of a reduction to a hard problem, i.e. it is not provably secure.
11 NTRUEncrypt: Basics
Defined over the quotient ring $R_{NTRU} = \mathbb{Z}[x]/(x^n - 1)$, where $n$ is a prime parameter. Other parameters of NTRU: an integer $q$, a small power of 2 of the same order of magnitude as $n$; a small polynomial $p \in R_{NTRU}$, which usually takes the value $p = 3$ or $p = x + 2$. In general, operations over polynomials are performed in $R_{NTRU}/q$ or $R_{NTRU}/p$.
12 NTRUEncrypt: Key Generation
Private key: $sk = f \in R_{NTRU}$. $f$ is chosen at random, with a prescribed number of coefficients equal to 0, -1 and 1. $f$ must be invertible in $R_{NTRU}/q$ and in $R_{NTRU}/p$, with inverses $f_q^{-1}$ and $f_p^{-1}$. For efficiency, $f$ can be chosen so that $f \equiv 1 \pmod p$, in which case $f_p^{-1} = 1$.
Public key: $pk = h = p \cdot g \cdot f_q^{-1} \bmod q$, where $g \in R_{NTRU}$ is chosen at random.
13 NTRUEncrypt: Encryption and Decryption
Encryption: plaintext $M$ from the message space $R_{NTRU}/p$; ciphertext $C = h \cdot s + M \bmod q$, where the noise term $s$ is a small random polynomial in $R_{NTRU}$.
Decryption: compute $C' = f \cdot C \bmod q$, then $m = f_p^{-1} \cdot C' \bmod p$.
Why does it work?
$C' = f \cdot (p \cdot g \cdot f_q^{-1} \cdot s + M) = p \cdot g \cdot s + f \cdot M \pmod q$
This equality holds as an identity over the integers only if $f \cdot C$ is small enough, i.e. every coefficient of $p \cdot g \cdot s + f \cdot M$ lies in the centered range $(-q/2, q/2]$, so that the reduction modulo $q$ does not wrap around. Then
$f_p^{-1} \cdot (p \cdot g \cdot s + f \cdot M) \bmod p = f_p^{-1} \cdot f \cdot M \bmod p = M$
If $f \equiv 1 \pmod p$, the last step is simply $m = C' \bmod p$.
14 NTRUReEncrypt
We extend NTRUEncrypt to support re-encryption: NTRUReEncrypt. New requirement: the secret polynomial must satisfy $f \equiv 1 \pmod p$. This is no longer an efficiency choice: it is necessary to correctly decrypt re-encrypted ciphertexts, because the re-encrypted ciphertext carries a factor $f_A$ on the message that must vanish modulo $p$.
15 NTRUReEncrypt: Key Generation
Private key: $sk_A = f_A \in R_{NTRU}$. $f_A$ is chosen at random, with a prescribed number of coefficients equal to 0, -1 and 1, and must be invertible in $R_{NTRU}/q$, with inverse $f_A^{-1}$. Since $f_A$ is chosen to be $1 \bmod p$, its inverse modulo $p$ is not necessary.
Public key: $pk_A = h_A = p \cdot g_A \cdot f_A^{-1} \bmod q$, where $g_A \in R_{NTRU}$ is chosen at random.
16 NTRUReEncrypt: Encryption and Decryption
Encryption: plaintext $M$ from the message space $R_{NTRU}/p$; ciphertext $C_A = h_A \cdot s + M \bmod q$, where the noise term $s$ is a small random polynomial in $R_{NTRU}$.
Decryption: compute $C'_A = f_A \cdot C_A \bmod q$, then $m = C'_A \bmod p$.
17 NTRUReEncrypt: Re-Encryption Key Generation
Input: secret keys $sk_A = f_A$ and $sk_B = f_B$. The re-encryption key between users A and B is $rk_{A \to B} = sk_A \cdot sk_B^{-1} = f_A \cdot f_B^{-1} \bmod q$.
It is computed by a three-party protocol, so that neither A, B nor the proxy learns another party's secret key:
1. A selects a random $r \in R_{NTRU}/q$ (it must be invertible modulo $q$, since the proxy has to remove it in the last step).
2. A sends $r \cdot f_A \bmod q$ to B, and $r$ to the proxy.
3. B sends $r \cdot f_A \cdot f_B^{-1} \bmod q$ to the proxy.
4. The proxy computes $rk_{A \to B} = r^{-1} \cdot (r \cdot f_A \cdot f_B^{-1}) = f_A \cdot f_B^{-1} \bmod q$.
18 NTRUReEncrypt: Re-Encryption
Input: a re-encryption key $rk_{A \to B}$ and a ciphertext $C_A$. Sample a small random polynomial $e \in R_{NTRU}$ and output the re-encrypted ciphertext $C_B = C_A \cdot rk_{A \to B} + p \cdot e \bmod q$. The noise $e$ prevents B from extracting A's private key.
19 NTRUReEncrypt: Re-Encryption
Why does it work? Re-encrypted ciphertext:
$C_B = C_A \cdot rk_{A \to B} + p \cdot e \pmod q$
$\quad = (p \cdot g_A \cdot f_A^{-1} \cdot s + M) \cdot f_A \cdot f_B^{-1} + p \cdot e \pmod q$
$\quad = p \cdot g_A \cdot f_B^{-1} \cdot s + M \cdot f_A \cdot f_B^{-1} + p \cdot e \pmod q$
Decrypting the re-encrypted ciphertext with $f_B$:
$f_B \cdot C_B = p \cdot g_A \cdot s + f_A \cdot M + p \cdot f_B \cdot e \pmod q$
and, provided no coefficient wraps around modulo $q$,
$(p \cdot g_A \cdot s + f_A \cdot M + p \cdot f_B \cdot e) \bmod p = f_A \cdot M \bmod p = M$
because $f_A \equiv 1 \pmod p$. Note that the noise term B has to absorb is $p \cdot f_B \cdot e$, not just $p \cdot e$: the re-encryption noise gets multiplied by the receiver's secret key during decryption.
20 NTRUReEncrypt: Limited Multihop
The scheme does not support an unlimited number of re-encryptions. The noise $e$ added during each re-encryption accumulates hop after hop (as additional $p \cdot f_i \cdot e_i$ terms in the decryption equation) until a coefficient wraps around modulo $q$ and decryption fails. How many hops are possible depends heavily on the choice of parameters.
21 NTRUReEncrypt: Analysis
Computational costs: the core operation in NTRU is the multiplication of polynomials, which can be done in $O(n \log n)$ time using the Fast Fourier Transform (FFT). Encryption, decryption and re-encryption each need only a single multiplication.
22 NTRUReEncrypt: Analysis
Space costs: keys and ciphertexts are polynomials of size $O(n \log_2 q)$ bits, so the ciphertext expansion is $O(\log_2 q)$. Other lattice-based schemes have ciphertexts of size $O(n^2)$.
Table: Comparison of space costs (in KB)
Size               | Aono et al. | NTRUReEncrypt
Public keys        |             |
Secret key         |             |
Re-encryption key  |             |
Ciphertext         |             |
23 NTRUReEncrypt: Analysis
Bidirectional: given $rk_{A \to B} = f_A \cdot f_B^{-1}$, one can easily compute $rk_{B \to A} = (rk_{A \to B})^{-1} = f_B \cdot f_A^{-1}$.
Limited multihop: see the previous slide.
Not collusion-safe: secret keys can be extracted from the re-encryption key if the proxy colludes with one of the users involved: $f_A = rk_{A \to B} \cdot f_B \bmod q$ (and symmetrically $f_B = rk_{B \to A} \cdot f_A \bmod q$). Because $f_A$ has small coefficients, the reduction modulo $q$ recovers it exactly. This is common in interactive bidirectional PRE schemes.
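The following toy implementation is an added illustration of slides 12 to 23 and is not the authors' Java code. It runs the whole NTRUReEncrypt flow over $\mathbb{Z}[x]/(x^n - 1)$: key generation with $f \equiv 1 \pmod p$, encryption and decryption, the three-party re-encryption-key protocol (including the proxy's removal of the blinding $r$), re-encryption with the $p \cdot e$ noise, the bidirectional inversion $rk_{B \to A} = rk_{A \to B}^{-1}$, the proxy-plus-B collusion recovering $f_A$, and the hop at which accumulated noise finally breaks decryption. Everything parameter-related is an assumption made for the example: $n = 61$, $q = 2^9$, $p = 3$, the ternary weights, and one deliberate shortcut, namely that every polynomial inverted modulo $q$ is chosen $\equiv 1 \pmod 2$ so that its inverse is a finite geometric series (real NTRU inverts arbitrary ternary $f$ with extended Euclid and Hensel lifting). None of this is a secure parameter set.

```python
"""Toy NTRUReEncrypt over R = Z[x]/(x^n - 1): keygen, enc/dec, the three-party
re-encryption-key protocol, re-encryption, multihop noise growth and the
proxy+B collusion.  Added illustration, not the paper's implementation.
Assumed simplifications (NOT secure): n = 61, q = 2^9, p = 3; secret keys are
f = 1 + 6*F with F ternary, so f = 1 (mod p) as required and f = 1 (mod 2),
which lets us invert modulo q = 2^k with a finite geometric series."""
import random

N, Q, P = 61, 2 ** 9, 3      # toy parameters (assumption, not the paper's)
rng = random.Random(2015)    # fixed seed so runs are reproducible

def centered(a, m):
    """Reduce every coefficient into the centered range [-m/2, m/2)."""
    return [((c + m // 2) % m) - m // 2 for c in a]

def mul(a, b):
    """Cyclic convolution: multiplication in Z[x]/(x^n - 1) over the integers."""
    out = [0] * N
    for i, ai in enumerate(a):
        if ai:
            for j, bj in enumerate(b):
                out[(i + j) % N] += ai * bj
    return out

def add(a, b): return [x + y for x, y in zip(a, b)]
def scale(k, a): return [k * c for c in a]

def ternary(weight):
    """Random polynomial with `weight` coefficients in {-1, +1} and the rest 0."""
    poly = [0] * N
    for idx in rng.sample(range(N), weight):
        poly[idx] = rng.choice((-1, 1))
    return poly

def inv_mod_q(f):
    """Inverse of f in Z_q[x]/(x^n - 1), valid only when f = 1 (mod 2):
    u = 1 - f has even coefficients, so u^k = 0 (mod 2^k) and therefore
    f^{-1} = (1 - u)^{-1} = 1 + u + u^2 + ... + u^{k-1}  (mod q = 2^k)."""
    assert f[0] % 2 == 1 and all(c % 2 == 0 for c in f[1:]), "f must be 1 mod 2"
    u = [-c for c in f]
    u[0] += 1
    acc = term = [1] + [0] * (N - 1)
    for _ in range(Q.bit_length() - 1):          # k = log2(q) terms
        term = centered(mul(term, u), Q)
        acc = add(acc, term)
    return centered(acc, Q)

def keygen(weight=10):
    """sk = f = 1 + 6F (hence f = 1 mod p);  pk = h = p * g * f^{-1} mod q."""
    f = scale(6, ternary(weight))
    f[0] += 1
    g = ternary(weight)
    return centered(scale(P, mul(g, inv_mod_q(f))), Q), f

def encrypt(h, m, weight=10):
    """C = h*s + M mod q with a small ternary s; M has coefficients in {-1,0,1}."""
    return centered(add(mul(h, ternary(weight)), m), Q)

def decrypt(f, c):
    """C' = f*C mod q (centered: exact while the noise does not wrap), M = C' mod p."""
    return centered(centered(mul(f, c), Q), P)

def rekeygen_three_party(f_a, f_b):
    """rk_{A->B} = f_A * f_B^{-1} mod q via the blinded exchange of the slides:
    A -> B: r*f_A;  A -> proxy: r;  B -> proxy: r*f_A*f_B^{-1};  proxy: r^{-1} * that.
    r must be invertible mod q; here r = 1 (mod 2) so inv_mod_q applies."""
    r = scale(2, ternary(15))
    r[0] += 1
    a_to_b = centered(mul(r, f_a), Q)                   # B sees only the blinded f_A
    b_to_proxy = centered(mul(a_to_b, inv_mod_q(f_b)), Q)
    return centered(mul(inv_mod_q(r), b_to_proxy), Q)   # proxy strips the blinding r

def reencrypt(rk, c_a, weight=5):
    """C_B = C_A * rk + p*e mod q; e is the per-hop noise that accumulates."""
    return centered(add(mul(c_a, rk), scale(P, ternary(weight))), Q)

def extract_secret(rk_ab, f_b):
    """Proxy colluding with B: f_A = rk_{A->B} * f_B mod q, exact since f_A is small."""
    return centered(mul(rk_ab, f_b), Q)

def hops_until_failure(max_hops=300):
    """Bounce one ciphertext between A and B (rk_{B->A} = rk_{A->B}^{-1}) until
    the accumulated p*f_i*e_i noise wraps modulo q and decryption breaks."""
    h_a, f_a = keygen()
    _, f_b = keygen()
    rk_ab = rekeygen_three_party(f_a, f_b)
    rk_ba = inv_mod_q(rk_ab)                         # bidirectionality in action
    m = ternary(20)
    c, legs = encrypt(h_a, m), [(rk_ab, f_b), (rk_ba, f_a)]
    for hop in range(1, max_hops + 1):
        rk, f_dst = legs[(hop - 1) % 2]
        c = reencrypt(rk, c)
        if decrypt(f_dst, c) != m:
            return hop
    return None
```

With these weights the worst-case coefficient of $p \cdot g \cdot s + f \cdot M$ is 91 and each hop adds at most $3 \cdot 5 \cdot 7 = 105$, so with $q/2 = 256$ one hop is guaranteed to decrypt; after that the noise grows like a random walk and `hops_until_failure()` reports where the wraparound first corrupts the plaintext, which is the "limited multihop" behaviour of slide 20 made concrete. `extract_secret` is the collusion attack of slide 23 in one line, and `inv_mod_q(rk_ab)` is the bidirectional key inversion.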
24 PS-NTRUReEncrypt
A second proxy re-encryption scheme, called PS-NTRUReEncrypt, provably secure under the Ring-LWE assumption. It extends the NTRU variant proposed by Stehlé and Steinfeld [Eurocrypt 2011], which is proven IND-CPA secure.
25 Preliminaries
$\Phi(x)$ is the cyclotomic polynomial $x^n + 1$, with $n$ a power of 2. $q$ is a prime integer such that $q \equiv 1 \pmod{2n}$. $R$ is the ring $\mathbb{Z}[x]/\Phi(x)$, $R_q = R/qR = \mathbb{Z}_q[x]/\Phi(x)$, and $R_q^\times$ is the set of invertible elements of $R_q$.
26 The Ring-LWE problem
The Ring Learning With Errors (Ring-LWE) problem is a hard decisional problem based on lattices. We use a variant of this problem proposed by Stehlé and Steinfeld. Let $s \in R_q$ and let $\psi$ be a distribution over $R_q$. $A_{s,\psi}$ is the distribution that samples pairs of the form $(a, b)$, where $a$ is chosen uniformly from $R_q$ and $b = a \cdot s + e$ for some $e$ sampled from $\psi$. The Ring-LWE problem is to distinguish the distribution $A_{s,\psi}$ from the uniform distribution over $R_q \times R_q$. The Ring-LWE assumption is that this problem is computationally infeasible.
27 PS-NTRUReEncrypt: Setup and Key Generation
Setup: global parameters $(n, q, p, \alpha, \sigma)$.
Key generation: $D_{\mathbb{Z}^n,\sigma}$ is a Gaussian distribution over $\mathbb{Z}^n$ with standard deviation $\sigma$. The keys are computed as follows:
1. Sample $f'$ from $D_{\mathbb{Z}^n,\sigma}$ and let $f_A = 1 + p \cdot f'$; if $(f_A \bmod q) \notin R_q^\times$, resample.
2. Sample $g_A$ from $D_{\mathbb{Z}^n,\sigma}$; if $(g_A \bmod q) \notin R_q^\times$, resample.
3. Compute $h_A = p \cdot g_A \cdot f_A^{-1} \in R_q$.
4. Return the secret key $sk_A = f_A$ and the public key $pk_A = h_A$.
28 PS-NTRUReEncrypt: Encryption and Decryption
Encryption: input a public key $pk_A$ and a message $M \in \mathcal{M}$. Sample noise polynomials $s, e$ from the distribution $\Psi_\alpha$ and output the ciphertext $C_A = h_A \cdot s + p \cdot e + M \in R_q$.
Decryption: input the secret key $sk_A = f_A$ and a ciphertext $C_A$. Compute $C'_A = C_A \cdot f_A$ and output the message $M = (C'_A \bmod p) \in \mathcal{M}$.
29 PS-NTRUReEncrypt: Re-Encryption Key Generation and Re-Encryption
Re-encryption key generation: input the secret keys $sk_A = f_A$ and $sk_B = f_B$. The re-encryption key between users A and B is $rk_{A \to B} = sk_A \cdot sk_B^{-1} = f_A \cdot f_B^{-1}$.
Re-encryption: input a re-encryption key $rk_{A \to B}$ and a ciphertext $C_A$. Sample a random polynomial $e$ from the distribution $\Psi_\alpha$ and output the re-encrypted ciphertext $C_B = C_A \cdot rk_{A \to B} + p \cdot e$.
30 Multihop Correctness
Ciphertext re-encrypted $N$ times along the chain of users $0, 1, \ldots, N$, where $e_0$ is the encryption noise and $e_i$ the noise added at hop $i$:
$$C_N = p \cdot g_0 \cdot f_N^{-1} \cdot s + p \cdot e_0 \cdot f_0 \cdot f_N^{-1} + p \cdot e_1 \cdot f_1 \cdot f_N^{-1} + \cdots + p \cdot e_{N-1} \cdot f_{N-1} \cdot f_N^{-1} + p \cdot e_N + M \cdot f_0 \cdot f_N^{-1}$$
$$\phantom{C_N} = p \cdot g_0 \cdot f_N^{-1} \cdot s + \Big[\sum_{i=0}^{N-1} p \cdot e_i \cdot f_i \cdot f_N^{-1}\Big] + p \cdot e_N + M \cdot f_0 \cdot f_N^{-1}$$
When decrypting $C_N$ (assuming no decryption failure, i.e. no wraparound modulo $q$):
$$C'_N = C_N \cdot f_N = p \cdot g_0 \cdot s + \Big[\sum_{i=0}^{N} p \cdot e_i \cdot f_i\Big] + M \cdot f_0$$
Since $f_0 \equiv 1 \pmod p$ and $p \cdot g_0 \cdot s \equiv p \cdot e_i \cdot f_i \equiv 0 \pmod p$, it follows that $C'_N \bmod p = M$.
31 Experimental setting
Implementation of our proposals: NTRUReEncrypt is implemented on top of an available open-source Java implementation of NTRU; PS-NTRUReEncrypt was coded from scratch, using the Java Lattice-Based Cryptography (jlbc) library. Execution environment: Intel Core processor.
32 Performance of NTRUReEncrypt
Table: Computation time (in ms) and number of hops of NTRUReEncrypt for different parameter sets
Parameters        | Enc. | Dec. | Re-Enc. | # Hops
(439, no, 128)    |      |      |         |
(439, yes, 128)   |      |      |         |
(1087, no, 256)   |      |      |         |
(1087, yes, 256)  |      |      |         |
(1171, no, 256)   |      |      |         |
(1171, yes, 256)  |      |      |         |
(1499, no, 256)   |      |      |         |
(1499, yes, 256)  |      |      |         |
33 Comparison of NTRUReEncrypt to other schemes
[Chart: computation time (ms) of encryption, decryption and re-encryption for NTRUReEncrypt, BBS, Aono et al. and Weng et al.]
34 Comparison of NTRUReEncrypt to other schemes
Table: Computation time of several proxy re-encryption schemes (in ms)
Scheme               | Enc. | Dec. | Re-Enc.
NTRUReEncrypt        |      |      |
Aono et al.          |      |      |
BBS                  |      |      |
Weng et al.          |      |      |
Ateniese et al.      |      |      |
Libert and Vergnaud  |      |      |
35 Performance of PS-NTRUReEncrypt
Table: Computation time (in ms) and size (in KB) of PS-NTRUReEncrypt for different parameters
$n$ | $\log_2 q$ | Enc. | Dec. | Re-Enc. | Size
36 Conclusions
NTRUReEncrypt is a highly efficient proxy re-encryption scheme based on the NTRU cryptosystem. The scheme is bidirectional and multihop, but not collusion-resistant. Its key strength is performance: it outperforms other schemes by an order of magnitude, with potential for further improvement through parallelization, and it opens up new practical applications of PRE in constrained environments. We also propose PS-NTRUReEncrypt, a provably secure variant that is CPA-secure under the Ring-LWE assumption.
37 Future Work
Achieve CCA security. Define a unidirectional and collusion-resistant scheme. Fine-tune the parameters of NTRUReEncrypt to decrease the probability of decryption failures after multiple re-encryptions. Obtain better bounds for the provably secure version. Analyse the selection of parameters against the best known lattice attacks.
38 Thank you!
More informationStronger Public Key Encryption Schemes
Stronger Public Key Encryption Schemes Withstanding RAM Scraper Like Attacks Prof. C.Pandu Rangan Professor, Indian Institute of Technology - Madras, Chennai, India-600036. C.Pandu Rangan (IIT Madras)
More informationPublic Key Cryptography
Public Key Cryptography Ali El Kaafarani Mathematical Institute Oxford University 1 of 74 Outline 1 Complexity measures 2 Algebra and Number Theory Background 3 Public Key Encryption: security notions
More informationA ciphertext-policy attribute-based proxy reencryption with chosen-ciphertext security
University of Wollongong Research Online Faculty of Engineering and Information Sciences - Papers: Part A Faculty of Engineering and Information Sciences 2013 A ciphertext-policy attribute-based proxy
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationSecure Certificateless Public Key Encryption without Redundancy
Secure Certificateless Public Key Encryption without Redundancy Yinxia Sun and Futai Zhang School of Mathematics and Computer Science Nanjing Normal University, Nanjing 210097, P.R.China Abstract. Certificateless
More informationOn Post-Quantum Cryptography
On Post-Quantum Cryptography Ehsan Ebrahimi Quantum Cryptography Group University of Tartu, Estonia 15 March 2018 Information Security and Cryptography Group Seminar Post-Quantum Cryptography Users intend
More informationModern Cryptography Lecture 4
Modern Cryptography Lecture 4 Pseudorandom Functions Block-Ciphers Modes of Operation Chosen-Ciphertext Security 1 October 30th, 2018 2 Webpage Page for first part, Homeworks, Slides http://pub.ist.ac.at/crypto/moderncrypto18.html
More information1 Public-key encryption
CSCI 5440: Cryptography Lecture 4 The Chinese University of Hong Kong, Spring 2018 29 and 30 January 2018 1 Public-key encryption Public-key encryption is a type of protocol by which Alice can send Bob
More informationIdeal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015
Ideal Lattices and Ring-LWE: Overview and Open Problems Chris Peikert Georgia Institute of Technology ICERM 23 April 2015 1 / 16 Agenda 1 Ring-LWE and its hardness from ideal lattices 2 Open questions
More informationMiddle-Product Learning With Errors
Middle-Product Learning With Errors Miruna Roşca, Amin Sakzad, Damien Stehlé and Ron Steinfeld CRYPTO 2017 Miruna Roşca Middle-Product Learning With Errors 23/08/2017 1 / 24 Preview We define an LWE variant
More informationMarch 19: Zero-Knowledge (cont.) and Signatures
March 19: Zero-Knowledge (cont.) and Signatures March 26, 2013 1 Zero-Knowledge (review) 1.1 Review Alice has y, g, p and claims to know x such that y = g x mod p. Alice proves knowledge of x to Bob w/o
More informationNotes for Lecture 17
U.C. Berkeley CS276: Cryptography Handout N17 Luca Trevisan March 17, 2009 Notes for Lecture 17 Scribed by Matt Finifter, posted April 8, 2009 Summary Today we begin to talk about public-key cryptography,
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationVerifiable Security of Boneh-Franklin Identity-Based Encryption. Federico Olmedo Gilles Barthe Santiago Zanella Béguelin
Verifiable Security of Boneh-Franklin Identity-Based Encryption Federico Olmedo Gilles Barthe Santiago Zanella Béguelin IMDEA Software Institute, Madrid, Spain 5 th International Conference on Provable
More informationOutline. The Game-based Methodology for Computational Security Proofs. Public-Key Cryptography. Outline. Introduction Provable Security
The Game-based Methodology for Computational s David Pointcheval Ecole normale supérieure, CNRS & INRIA Computational and Symbolic Proofs of Security Atagawa Heights Japan April 6th, 2009 1/39 2/39 Public-Key
More informationLecture 11: Key Agreement
Introduction to Cryptography 02/22/2018 Lecture 11: Key Agreement Instructor: Vipul Goyal Scribe: Francisco Maturana 1 Hardness Assumptions In order to prove the security of cryptographic primitives, we
More informationLizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR
Lizard: Cut off the Tail! Practical Post-Quantum Public-Key Encryption from LWE and LWR Jung Hee Cheon 1, Duhyeong Kim 1, Joohee Lee 1, and Yongsoo Song 1 1 Seoul National University (SNU), Republic of
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationMATH 158 FINAL EXAM 20 DECEMBER 2016
MATH 158 FINAL EXAM 20 DECEMBER 2016 Name : The exam is double-sided. Make sure to read both sides of each page. The time limit is three hours. No calculators are permitted. You are permitted one page
More informationLecture 28: Public-key Cryptography. Public-key Cryptography
Lecture 28: Recall In private-key cryptography the secret-key sk is always established ahead of time The secrecy of the private-key cryptography relies on the fact that the adversary does not have access
More informationG Advanced Cryptography April 10th, Lecture 11
G.30-001 Advanced Cryptography April 10th, 007 Lecturer: Victor Shoup Lecture 11 Scribe: Kristiyan Haralambiev We continue the discussion of public key encryption. Last time, we studied Hash Proof Systems
More informationPractice Assignment 2 Discussion 24/02/ /02/2018
German University in Cairo Faculty of MET (CSEN 1001 Computer and Network Security Course) Dr. Amr El Mougy 1 RSA 1.1 RSA Encryption Practice Assignment 2 Discussion 24/02/2018-29/02/2018 Perform encryption
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More information