COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION
1 #RSAC SESSION ID: CRYP-W02 COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION Rachel Player PhD Student // Postdoc Royal Holloway, University of London, UK // LIP6, Sorbonne Université, Joint work with: Hao Chen, Kim Laine, and Yuhou Xia
2 MOTIVATION
3 Homomorphic encryption. [Diagram; labels: x; x, F; Eval(x, F); F(x); F(x)]
4 Raw data must be encoded into plaintexts. [Diagram; labels: y; Encode(y) = x; x, F; Eval(x, F); F(x); Decode(F(x)); F(y)]
5 Need to ensure correctness of decoding. TYPICAL PLAINTEXT SPACE. Underlying plaintext coefficients grow during evaluation. If plaintext wraps modulo t in any coefficient, decoding will fail. Typically have to choose large t to avoid this.
6 Example: binary encoding. To encode an integer: express in binary; each bit is coefficient of the corresponding polynomial. To decode: evaluate polynomial at x= x
7 Challenges with traditional approach. Various encoders to choose from. Choosing large t means more noise growth. Batching is supported.
8 Hoffstein-Silverman: a different approach. Replace t by a small polynomial x-b for b a positive integer, e.g. b = 2. Easy to encode integers. Huge amount of room for computation. J. Hoffstein and J. Silverman. Optimizations for NTRU. In Public Key Cryptography and Computational Number Theory,
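The contrast drawn on slides 5 to 8, as an added plaintext-only sketch (no encryption is performed; this is not code from the talk or the paper). It assumes the usual ring Z[x]/(x^n + 1) and uses the fact that x^n + 1 reduces to b^n + 1 modulo x - b, so a plaintext taken modulo x - b is an integer modulo b^n + 1; the function names, the toy degrees n = 16 and n = 32 and the input 255 are chosen here.

```python
"""Plaintext-level comparison of an integer modulus t with the modulus x - b."""


def encode(y, n, b=2):
    """Base-b digits of y become the coefficients of 1, x, x^2, ..."""
    digits = []
    for _ in range(n):
        y, d = divmod(y, b)
        digits.append(d)
    if y:
        raise ValueError("integer needs more than n digits")
    return digits


def polymul(f, g, n):
    """Product in Z[x]/(x^n + 1): a term that reaches x^n wraps around as -1."""
    out = [0] * n
    for i, a in enumerate(f):
        for j, c in enumerate(g):
            if i + j < n:
                out[i + j] += a * c
            else:
                out[i + j - n] -= a * c
    return out


def decode_mod_t(f, t, b=2):
    """Integer modulus t: each coefficient survives only modulo t."""
    total = 0
    for i, c in enumerate(f):
        c %= t
        if c > t // 2:          # centred representative
            c -= t
        total += c * b ** i
    return total


def decode_mod_x_minus_b(f, n, b=2):
    """Polynomial modulus x - b: f survives as f(b) modulo b^n + 1."""
    return sum(c * b ** i for i, c in enumerate(f)) % (b ** n + 1)


def smallest_safe_t(f):
    """Smallest odd t whose centred range holds every coefficient of f."""
    return 2 * max(abs(c) for c in f) + 1


def growth(y, squarings, n, b=2):
    """Square y repeatedly; report (t needed so far, value decoded modulo x - b)."""
    f = encode(y, n, b)
    rows = [(smallest_safe_t(f), decode_mod_x_minus_b(f, n, b))]
    for _ in range(squarings):
        f = polymul(f, f, n)
        rows.append((smallest_safe_t(f), decode_mod_x_minus_b(f, n, b)))
    return rows


if __name__ == "__main__":
    n = 16
    sq = polymul(encode(255, n), encode(255, n), n)
    print("255^2 with t = 17   :", decode_mod_t(sq, 17))
    print("255^2 with t = 8    :", decode_mod_t(sq, 8), "(a coefficient wrapped)")
    print("255^2 modulo x - 2  :", decode_mod_x_minus_b(sq, n))
    # x^8 * x^8 = x^16 wraps to -1; modulo x - 2 that is still 2^16.
    wrapped = polymul(encode(256, n), encode(256, n), n)
    print("256^2 modulo x - 2  :", decode_mod_x_minus_b(wrapped, n))
    for t, value in growth(255, 2, 32):
        print("needs t >=", t, " value modulo x - 2:", value)
```

With the integer modulus, the required t grows with every multiplication; with x - b the only limit is that the result stays below b^n + 1.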
9 Related work. Geihs and Cabarcas applied in context of BV scheme. Lauter et al. apply the idea to YASHE scheme. No performance analysis presented. Unpublished work of Lopez-Alt and Naehrig is cited for details. M. Geihs and D. Cabarcas. Efficient integer encoding for homomorphic encryption via ring isomorphisms. In LATINCRYPT, K. E. Lauter, A. Lopez-Alt, and M. Naehrig. Private computation on encrypted genomic data. In LATINCRYPT, A. Lopez-Alt and M. Naehrig. Large integer plaintexts in ring-based fully homomorphic encryption, Unpublished.
10 OUR CONTRIBUTION
11 Adapting the work of Lopez-Alt and Naehrig, we: apply the Hoffstein-Silverman trick on the FV scheme; analyze its noise growth using new definition of noise; extend rational number encoders to work with the trick; present a detailed performance comparison to FV scheme; analyze impact on practical use-cases. A. Lopez-Alt and M. Naehrig. Large integer plaintexts in ring-based fully homomorphic encryption, Unpublished. J. Fan and F. Vercauteren. Somewhat practical fully homomorphic encryption. Eprint 2012/
13 Regular circuits. Security is the same so we can fix (n, q, σ). Compare evaluation of regular circuit as in Costache et al. Do A additions and one multiplication, iterated D times. Inputs are integers of norm at most L. A. Costache, N. P. Smart, S. Vivek and A. Waller. Fixed point arithmetic in SHE scheme. In SAC,
14 Choosing an encoder for FV. Well-known encoders are NAF or balanced base-b. Short B enables smaller t. Large B enables shorter encodings. Cheon et al. show NAF encoding outperforms balanced base-b encoding for B = 2 and B = 3. J. H. Cheon, J. Jeong, J. Lee and K. Lee. Privacy-preserving computations of predictive medical models with minimax approximation and Non-Adjacent Form. In WAHC,
15 Noise and plaintext growth constraints. FV CONSTRAINTS. HP-FV CONSTRAINT.
16 FV vs. HP-FV: results. [Figure panels: FV + NAF; HP-FV]
17 HP-FV enables much higher depth. [Figure panels: FV + NAF; HP-FV]
20 Larger n in HP-FV gives much more capability. [Figure panels: FV + NAF; HP-FV]
22 Addition hurts FV more than HP-FV. [Figure panels: FV + NAF; HP-FV]
25 SUMMARY
26 In this talk we: discussed the need for good encoding in homomorphic encryption; applied Hoffstein-Silverman trick to FV; showed performance improvements compared to FV.
27 Thank you! Any questions? haoche@microsoft.com kim.laine@microsoft.com rachel.player@lip6.fr yuhoux@math.princeton.edu
28 SESSION ID: CRYP-W02 THRESHOLD PROPERTIES OF PRIME POWER SUBGROUPS WITH APPLICATION TO SECURE INTEGER COMPARISONS Aleksander Essex Assistant professor Western University, Co-authors: Rhys Carlton and Krzysztof Kapulkin
29 Encryption in $\mathbb{Z}_n^*$. General form: $\mathrm{Enc}(m) = g^m h^r \bmod n$; g generates subgroup G of $\mathbb{Z}_n^*$; h generates a subgroup H of $\mathbb{Z}_n^*$.
32 Additive Homomorphism. A useful property: adding under encryption. $c_1 c_2 = g^{m_1} h^{r_1} \cdot g^{m_2} h^{r_2} = g^{m_1+m_2} h^{r_1+r_2} = \mathrm{Enc}(m_1 + m_2)$
34 Additive Homomorphism. $\mathrm{Enc}(m_1)\,\mathrm{Enc}(m_2) = \mathrm{Enc}(m_1 + m_2)$. Interesting, but over 35 years of examples...
35 Encryption in $\mathbb{Z}_n^*$: Goldwasser-Micali (1982). $\mathrm{Enc}(m) = g^m h^r \bmod n$; $|G| = 2 \bmod p$, $|G| = 2 \bmod q$; $|H| = \frac{p-1}{2} \bmod p$, $|H| = \frac{q-1}{2} \bmod q$.
36 Encryption in $\mathbb{Z}_n^*$: Benaloh (1994). $\mathrm{Enc}(m) = g^m h^r \bmod n$; $|G| = s \bmod p$, $|G| = (q-1) \bmod q$, for small/smooth s; $|H| = \frac{p-1}{s} \bmod p$, $|H| = (q-1) \bmod q$.
37 Encryption in $\mathbb{Z}_n^*$: Naccache-Stern (1998). $\mathrm{Enc}(m) = g^m h^r \bmod n$; $|G| = u \bmod p$, $|G| = v \bmod q$, for smooth relatively prime u, v; $|H| = \frac{p-1}{u} \bmod p$, $|H| = \frac{q-1}{v} \bmod q$.
38 Encryption in $\mathbb{Z}_n^*$: Okamoto-Uchiyama (1998). $\mathrm{Enc}(m) = g^m h^r \bmod n$, $n = p^2 q$; $|G| = p(p-1) \bmod p^2$, $|G| = (q-1) \bmod q$; $|H| = (p-1) \bmod p^2$, $|H| = (q-1) \bmod q$.
39 Encryption in $\mathbb{Z}_n^*$: Paillier (1999). $\mathrm{Enc}(m) = g^m h^r \bmod n^2$; $|G| = p \bmod p^2$, $|G| = q \bmod q^2$; $|H| = (p-1) \bmod p^2$, $|H| = (q-1) \bmod q^2$.
40 Encryption in $\mathbb{Z}_n^*$: Groth (2003). $\mathrm{Enc}(m) = g^m h^r \bmod n$; $|G| = p_s \bmod p$, $|G| = q_s \bmod q$ for large smooth $p_s$, $q_s$; $|H| = p_t = \frac{p-1}{p_s} \bmod p$, $|H| = q_t = \frac{q-1}{q_s} \bmod q$ for just big enough primes $p_t$, $q_t$.
41 Encryption in $\mathbb{Z}_n^*$: Damgård-Geisler-Krøigaard (2007). $\mathrm{Enc}(m) = g^m h^r \bmod n$; $|G| = u \bmod p$, $|G| = u \bmod q$ for small prime u; $|H| = p_s \bmod p$, $|H| = q_s \bmod q$ for just big enough primes $p_s$, $q_s$.
42 Encryption in $\mathbb{Z}_n^*$: Joye-Libert (2013). $\mathrm{Enc}(m) = g^m h^r \bmod n$; $|G| = 2^k \bmod p$, $|G| = 2^k \bmod q$; $|H| = p_t = \frac{p-1}{2^k} \bmod p$, $|H| = q_t = \frac{q-1}{2^k} \bmod q$ for primes $p_t$, $q_t$.
43 A Scalar Threshold Homomorphism. Something new: computing a threshold under encryption. $\mathrm{Enc}(m_1)\ m_2 = \begin{cases} \mathrm{Enc}(m_1 + m_2) & m_1 + m_2 < t \\ \mathrm{Enc}(\ ) & \text{otherwise.} \end{cases}$ Enc( ) is the encryption of a fixed value outside the defined plaintext space.
44 A Scalar Threshold Homomorphism. Our proposal: $\mathrm{Enc}(m) = g^{b^m} h^r \bmod n$; $|G| = b^d \bmod p$, $|G| = b^d \bmod q$ for small prime base b, and threshold d; $|H| = p_s \bmod p$, $|H| = q_s \bmod q$ for just big enough primes $p_s$, $q_s$.
48 A Scalar Threshold Homomorphism. $\mathrm{Enc}(m_1)^{b^{m_2}} = (g^{b^{m_1}} h^{r})^{b^{m_2}} = g^{b^{m_1} b^{m_2}} h^{r} = g^{b^{(m_1+m_2)}} h^{r} = \mathrm{Enc}(m_1 + m_2)$
51 A Scalar Threshold Homomorphism. Except... $\mathrm{Enc}(m_1 + m_2) \equiv g^{b^{m_1+m_2} \bmod b^d} h^r \bmod n$. So if $m_1 + m_2 \ge d$, then $b^{m_1+m_2} \equiv 0 \bmod b^d$. Then: $\mathrm{Enc}(m_1 + m_2) \equiv g^0 h^r \equiv h^r \equiv \mathrm{Enc}(\ )$
52 A Scalar Threshold Homomorphism. Limitation: The threshold is one-sided. May be interesting for certain applications, but to do a secure comparison (i.e., Millionaire's), we need a protocol to homomorphically blind the sum.
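A toy instance of the threshold encryption from slide 44, as an added example that is not code from the talk or the paper. The parameters (b = 2, d = 4, p = 97, q = 241, p_s = 3, q_s = 5) are constructed here and far too small to be secure; decrypting by raising to p_s modulo p and looking the result up in a table is a choice made for this sketch, and BOTTOM is the name used here for the fixed value outside the plaintext space.

```python
"""Toy threshold homomorphism: Enc(m) = g^(b^m) * h^r mod n, g of order b^d."""
import secrets

B, D = 2, 4          # base b and threshold d (toy values chosen for this sketch)
P, Q = 97, 241       # toy primes: b^d = 16 divides both P - 1 and Q - 1
PS, QS = 3, 5        # order of h modulo P and modulo Q (3 | 96, 5 | 240)
N = P * Q
BOTTOM = None        # stands for the value outside the plaintext space


def element_of_order(prime, ell, e):
    """Return an element of order exactly ell**e modulo prime (ell prime)."""
    k = ell ** e
    if (prime - 1) % k:
        raise ValueError("ell**e must divide prime - 1")
    for a in range(2, prime):
        x = pow(a, (prime - 1) // k, prime)     # order of x divides ell**e
        if pow(x, k // ell, prime) != 1:        # ... and is not smaller
            return x
    raise ValueError("no element found")


def crt(xp, xq):
    """Combine residues modulo P and Q into one residue modulo N."""
    return (xp + P * ((xq - xp) * pow(P, -1, Q) % Q)) % N


# g has order b^d modulo both primes; h has order p_s mod P and q_s mod Q.
G = crt(element_of_order(P, B, D), element_of_order(Q, B, D))
H = crt(element_of_order(P, PS, 1), element_of_order(Q, QS, 1))


def enc(m, r=None):
    """Encrypt m in [0, d): the message sits in the exponent of the exponent."""
    if not 0 <= m < D:
        raise ValueError("plaintext must satisfy 0 <= m < d")
    if r is None:
        r = secrets.randbelow(PS * QS)
    return pow(G, B ** m, N) * pow(H, r, N) % N


def add_scalar(c, m2):
    """Homomorphically add the known scalar m2: Enc(m1)^(b^m2)."""
    return pow(c, B ** m2, N)


# Raising to p_s modulo P removes h; what is left is g^(p_s * b^m) mod P.
_TABLE = {pow(G, PS * B ** m, P): m for m in range(D)}


def dec(c):
    """Return m, or BOTTOM once the exponent b^(m1+m2) has vanished mod b^d."""
    y = pow(c, PS, P)
    if y == 1:
        return BOTTOM
    return _TABLE[y]


if __name__ == "__main__":
    for m1, m2 in [(1, 2), (2, 2), (3, 5)]:
        result = dec(add_scalar(enc(m1), m2))
        print(f"{m1} + {m2} with d = {D}: {result}")
```

Once a ciphertext has decrypted to BOTTOM, further scalar additions keep it there, which is the one-sidedness the slide points out.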
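56 Secure Integer Comparison Protocol. [Protocol diagram between $P_1$ and $P_2$; labels in order: $C$, $\mathrm{Enc}(m_1) = g^{b^{m_1}} h^{r_1}$; $C$; $D$, $(C)^{b^{(d - m_2)}} g^{s} h^{r_2}$ s.t. s 0 mod b; $D$; $g^{w}$, $(D)^{x}$; $w$, $\log_g(g^{w})$; PET CS (w, s)] Output True if (w = s), Output False otherwise.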
59 Performance. Threshold d consumes d bits of p and q. Implication: Current range of RSA key-lengths puts an upper bound of d 2 10. Performance comparison in paper was done on 8 bits per protocol instance. Extensible to arbitrary precision comparisons with multiple parallel protocol invocations. Performance times faster than DGK, in about 7.5 times less data transmitted.
60 Conclusion. Thank-you, Questions?
More informationA New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis
A New Baby-Step Giant-Step Algorithm and Some Applications to Cryptanalysis Jean Sébastien Coron 1, David Lefranc 2 and Guillaume Poupard 3 1 Université du Luxembourg Luxembourg coron@clipper.ens.fr 2
More informationAn Introduction to Probabilistic Encryption
Osječki matematički list 6(2006), 37 44 37 An Introduction to Probabilistic Encryption Georg J. Fuchsbauer Abstract. An introduction to probabilistic encryption is given, presenting the first probabilistic
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer 1 Lecture 13 October 16, 2017 (notes revised 10/23/17) 1 Derived from lecture notes by Ewa Syta. CPSC 467, Lecture 13 1/57 Elliptic Curves
More informationbasics of security/cryptography
RSA Cryptography basics of security/cryptography Bob encrypts message M into ciphertext C=P(M) using a public key; Bob sends C to Alice Alice decrypts ciphertext back into M using a private key (secret)
More informationSecurity Analysis of Some Batch Verifying Signatures from Pairings
International Journal of Network Security, Vol.3, No.2, PP.138 143, Sept. 2006 (http://ijns.nchu.edu.tw/) 138 Security Analysis of Some Batch Verifying Signatures from Pairings Tianjie Cao 1,2,3, Dongdai
More informationArithmétique et Cryptographie Asymétrique
Arithmétique et Cryptographie Asymétrique Laurent Imbert CNRS, LIRMM, Université Montpellier 2 Journée d inauguration groupe Sécurité 23 mars 2010 This talk is about public-key cryptography Why did mathematicians
More informationi-hop Homomorphic Encryption Schemes
i-hop Homomorphic Encryption Schemes Craig Gentry Shai Halevi Vinod Vaikuntanathan March 12, 2010 Abstract A homomorphic encryption scheme enables computing on encrypted data by means of a public evaluation
More informationLectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols
CS 294 Secure Computation January 19, 2016 Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols Instructor: Sanjam Garg Scribe: Pratyush Mishra 1 Introduction Secure multiparty computation
More information4-3 A Survey on Oblivious Transfer Protocols
4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of
More informationPublic Key Authentication with One (Online) Single Addition
Public Key Authentication with One (Online) Single Addition Marc Girault and David Lefranc France Télécom R&D 42 rue des Coutures F-14066 Caen, France {marc.girault,david.lefranc}@francetelecom.com Abstract.
More informationGeorge Danezis Microsoft Research, Cambridge, UK
George Danezis Microsoft Research, Cambridge, UK Identity as a proxy to check credentials Username decides access in Access Control Matrix Sometime it leaks too much information Real world examples Tickets
More information