Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
|
|
- Moses Barker
- 5 years ago
- Views:
Transcription
1 Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT,
2 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.
3 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.
4 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.
5 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.
6 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.
7 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.
8 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.
9 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits
10 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits
11 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits
12 Homomorphic Properties of DGHV Addition: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 Noise becomes twice larger.
13 Homomorphic Properties of DGHV Addition: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 Noise becomes twice larger.
14 Somewhat homomorphic scheme The number of multiplications is limited. Noise grows with the number of multiplications. Noise must remain < p for correct decryption. p ρ p 2ρ p 4ρ
15 Fully Homomorphic Encryption Gentry s breakthrough idea: refresh the ciphertext by evaluating the decryption circuit homomorphically: bootstrapping. Ciphertext bits Secret key bits Ciphertext bits Encryption of secret key bits ???? Decryption circuit + + Decryption circuit Plaintext bit? Encryption of plaintext bit = refreshed ciphertext
16 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1
17 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1
18 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1
19 Public Key Size γ bits x 1 = x 2 = τ 10 4 x i = x τ = Public-key size: τ γ = bits = 25 GB! In [CMNT11], with quadratic encryption, PK size of 1 GB.
20 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!
21 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!
22 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!
23 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!
24 Compressed Public Key γ bits η bits x 1 = x 2 = δ 1 = δ 2 = τ 10 4 x i = δ i = x τ = δ τ =
25 Compressed Public Key γ bits η bits x 1 = x 2 = δ 1 = δ 2 = τ 10 4 x i = δ i = x τ = δ τ = Old PK: 25 GB New PK: 3.4 MB!
26 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd.
27 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd.
28 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd. PK Generation χ i = H(seed, i) δ i = [χ i ] p + λ i p r i x i = χ i δ i
29 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd. PK Generation χ i = H(seed, i) δ i = [χ i ] p + λ i p r i x i = χ i δ i Simulation in ROM H(seed, i) x i + δ i δ i {0, 1} η+λ x i = q i p + r i
30 PK size and timings Instance λ ρ η γ pk size Recrypt Toy KB 0.41 s Small KB 4.5 s Medium MB 51 s Large MB 11 min Updated parameters to take into account the Chen-Nguyen attack. PK size: 10.3 MB instead of 1 GB in [CMNT11].
31 Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?
32 Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?
33 Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?
34 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.
35 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.
36 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.
37 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.
38 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.
39 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.
40 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.
41 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.
42 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0
43 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0
44 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0
45 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0
46 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0
47 Source Code in SAGE def attackgacd(rho=12,gam=1000,eta=100): p=random_prime(2^eta) s=rho B=floor(2^(1.*rho*(s+1)/(s-1))) fa=factorial(b) for j in range(1,s): x=p*zz.random_element(2^(gam-eta))+ \ ZZ.random_element(2^rho) z=prod([x-i for i in range(2^rho)]) if j==1: g=z; continue g=gcd(g,z) g=prime_to_m_part(g,fa) if g.nbits()==p.nbits(): break
48 GACD Attack Running Time Instance ρ γ time time [CN12] Micro s Toy (Section 8) min Toy ([CN12]) h 3495 h (est.) Chen-Nguyen attack: O(2 3ρ/2 ) time and O(2 ρ/2 ) memory. Our attack: O(2 ρ ) time and memory Time-memory tradeoffs are possible.
49 Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].
50 Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].
51 Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu
More informationSome security bounds for the DGHV scheme
Some security bounds for the DGHV scheme Franca Marinelli f.marinelli@studenti.unitn.it) Department of Mathematics, University of Trento, Italy Riccardo Aragona riccardo.aragona@unitn.it) Department of
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg {jean-sebastien.coron, avradip.mandal}@uni.lu
More informationScale-Invariant Fully Homomorphic Encryption over the Integers
Scale-Invariant Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, Tancrède Lepoint 1,,3, and Mehdi Tibouchi 4 1 University of Luxembourg, Luxembourg jean-sebastien.coron@uni.lu École
More informationFully Homomorphic Encryption over the Integers with Shorter Public Keys
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-Sébastien Coron, Avradip Mandal, David Naccache 2, and Mehdi Tibouchi,2 Université du Luxembourg 6, rue Richard Coudenhove-Kalergi
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24 Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework
More informationBatch Fully Homomorphic Encryption over the Integers
Batch Fully Homomorphic Encryption over the Integers Jung Hee Cheon 1, Jean-Sébastien Coron 2, Jinsu Kim 1, Moon Sung Lee 1, Tancrède Lepoint 3,4, Mehdi Tibouchi 5, and Aaram Yun 6 1 Seoul National University
More informationShai Halevi IBM August 2013
Shai Halevi IBM August 2013 I want to delegate processing of my data, without giving away access to it. I want to delegate the computation to the cloud, I want but the to delegate cloud the shouldn t computation
More informationPacking Messages and Optimizing Bootstrapping in GSW-FHE
Packing Messages and Optimizing Bootstrapping in GSW-FHE Ryo Hiromasa Masayuki Abe Tatsuaki Okamoto Kyoto University NTT PKC 15 April 1, 2015 1 / 13 Fully Homomorphic Encryption (FHE) c Enc(m) f, c ĉ Eval(
More informationThe Distributed Decryption Schemes for Somewhat Homomorphic Encryption
Copyright c The Institute of Electronics, Information and Communication Engineers SCIS 2012 The 29th Symposium on Cryptography and Information Security Kanazawa, Japan, Jan. 30 - Feb. 2, 2012 The Institute
More informationAn RNS variant of fully homomorphic encryption over integers
An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied
More informationFULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research
FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)
More informationPractical Fully Homomorphic Encryption without Noise Reduction
Practical Fully Homomorphic Encryption without Noise Reduction Dongxi Liu CSIRO, Marsfield, NSW 2122, Australia dongxi.liu@csiro.au Abstract. We present a new fully homomorphic encryption (FHE) scheme
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research Computing on Encrypted Data
More informationFULLY HOMOMORPHIC ENCRYPTION
FULLY HOMOMORPHIC ENCRYPTION A Thesis Submitted in Partial Fulfilment of the Requirements for the Award of the Degree of Master of Computer Science - Research from UNIVERSITY OF WOLLONGONG by Zhunzhun
More informationGentry s SWHE Scheme
Homomorphic Encryption and Lattices, Spring 011 Instructor: Shai Halevi May 19, 011 Gentry s SWHE Scheme Scribe: Ran Cohen In this lecture we review Gentry s somewhat homomorphic encryption (SWHE) scheme.
More information(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces
(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida Kaoru Kurosawa National Institute of Advanced Industrial Science and Technology (AIST), Japan, k.nuida@aist.go.jp
More informationBootstrapping for HElib
Bootstrapping for HElib Shai Halevi 1 and Victor Shoup 1,2 1 IBM Research 2 New York University Abstract. Gentry s bootstrapping technique is still the only known method of obtaining fully homomorphic
More information(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces
(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida 12 and Kaoru Kurosawa 3 1 National Institute of Advanced Industrial Science and Technology (AIST), Tsukuba, Ibaraki
More informationFHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime
FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime Daniel Benarroch,1, Zvika Brakerski,1, and Tancrède Lepoint,2 1 Weizmann Institute of Science, Israel 2 SRI International, USA Abstract.
More informationOpen problems in lattice-based cryptography
University of Auckland, New Zealand Plan Goal: Highlight some hot topics in cryptography, and good targets for mathematical cryptanalysis. Approximate GCD Homomorphic encryption NTRU and Ring-LWE Multi-linear
More informationHomomorphic Evaluation of the AES Circuit
Homomorphic Evaluation of the AES Circuit IBM Research and University Of Bristol. August 22, 2012 Homomorphic Evaluation of the AES Circuit Slide 1 Executive Summary We present a working implementation
More informationCraig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012
Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 Bar-Ilan University Craig Gentry IBM Watson Optimizations of Somewhat Homomorphic Encryption
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Boaz Barak February 9, 2011 Achieving fully homomorphic encryption, under any kind of reasonable computational assumptions (and under any reasonable definition of reasonable..),
More informationFully Homomorphic Encryption and Bootstrapping
Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded
More informationCRT-based Fully Homomorphic Encryption over the Integers
CRT-based Fully Homomorphic Encryption over the Integers Jinsu Kim 1, Moon Sung Lee 1, Aaram Yun 2 and Jung Hee Cheon 1 1 Seoul National University (SNU), Republic of Korea 2 Ulsan National Institute of
More informationMultikey Homomorphic Encryption from NTRU
Multikey Homomorphic Encryption from NTRU Li Chen lichen.xd at gmail.com Xidian University January 12, 2014 Multikey Homomorphic Encryption from NTRU Outline 1 Variant of NTRU Encryption 2 Somewhat homomorphic
More informationMultilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015
Multilinear Maps over the Integers From Design to Security Tancrède Lepoint CryptoExperts The Mathematics of Modern Cryptography Workshop, July 10th 2015 2 / 30 Timeline: The Hype Cycle of Multilinear
More informationOn Kilian s Randomization of Multilinear Map Encodings
On Kilian s Randomization of Multilinear Map Encodings Jean-Sébastien Coron and Hilder V. L. Pereira University of Luxembourg November 20, 2018 Abstract. Indistinguishability obfuscation constructions
More informationFully Homomorphic Encryption using Hidden Ideal Lattice
1 Fully Homomorphic Encryption using Hidden Ideal Lattice Thomas Plantard, Willy Susilo, Senior Member, IEEE, Zhenfei Zhang Abstract All the existing fully homomorphic encryption schemes are based on three
More informationParameter selection in Ring-LWE-based cryptography
Parameter selection in Ring-LWE-based cryptography Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R. Albrecht, Hao Chen, Kim Laine, and
More informationPractical Bootstrapping in Quasilinear Time
Practical Bootstrapping in Quasilinear Time Jacob Alperin-Sheriff Chris Peikert School of Computer Science Georgia Tech UC San Diego 29 April 2013 1 / 21 Fully Homomorphic Encryption [RAD 78,Gen 09] FHE
More information5199/IOC5063 Theory of Cryptology, 2014 Fall
5199/IOC5063 Theory of Cryptology, 2014 Fall Homework 2 Reference Solution 1. This is about the RSA common modulus problem. Consider that two users A and B use the same modulus n = 146171 for the RSA encryption.
More informationFully Homomorphic Encryption from LWE
Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011 Outsourcing
More informationFully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Integers Many slides borrowed from Craig Marten van Dijk 1, Craig Gentry 2, Shai Halevi 2, Vinod Vaikuntanathan 2 1 MIT, 2 IBM Research The Goal I want to delegate
More informationCryptanalysis of a Homomorphic Encryption Scheme
Cryptanalysis of a Homomorphic Encryption Scheme Sonia Bogos, John Gaspoz and Serge Vaudenay EPFL CH-1015 Lausanne, Switzerland {soniamihaela.bogos, john.gaspoz, serge.vaudenay}@epfl.ch Abstract. Homomorphic
More informationAlgorithms for the Approximate Common Divisor Problem
Submitted exclusively to the London Mathematical Society doi:10.1112/0000/000000 Algorithms for the Approximate Common Divisor Problem Steven D. Galbraith, Shishay W. Gebregiyorgis and Sean Murphy Abstract
More informationOptimizing Fully Homomorphic Encryption
Optimizing Fully Homomorphic Encryption By Kevin C. King B.S., C.S. M.I.T., 2015 September 30, 2016 Submitted to the Department of Electrical Engineering and Computer Science In Partial Fulfillment of
More informationCryptanalysis of the Co-ACD Assumption
Cryptanalysis of the Co-ACD Assumption Pierre-Alain Fouque 1, Moon Sung Lee 2, Tancrède Lepoint 3, and Mehdi Tibouchi 4 1 Université de Rennes 1 and Institut Universitaire de France fouque@irisa.fr 2 Seoul
More informationCRYPTANALYSIS OF COMPACT-LWE
SESSION ID: CRYP-T10 CRYPTANALYSIS OF COMPACT-LWE Jonathan Bootle, Mehdi Tibouchi, Keita Xagawa Background Information Lattice-based cryptographic assumption Based on the learning-with-errors (LWE) assumption
More informationSomewhat Practical Fully Homomorphic Encryption
Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be
More informationHow to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions
Presentation Article presentation, for the ENS Lattice Based Crypto Workgroup http://www.di.ens.fr/~pnguyen/lbc.html, 30 September 2009 How to Use Short Basis : Trapdoors for http://www.cc.gatech.edu/~cpeikert/pubs/trap_lattice.pdf
More informationManipulating Data while It Is Encrypted
Manipulating Data while It Is Encrypted Craig Gentry IBM Watson ACISP 2010 The Goal A way to delegate processing of my data, without giving away access to it. Application: Private Google Search I want
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry 1, Shai Halevi 1, and Nigel P. Smart 2 1 IBM T.J. Watson Research Center 2 Dept. Computer Science, University of Bristol Abstract. Gentry
More informationHomomorphic Encryption. Liam Morris
Homomorphic Encryption Liam Morris Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism What Is
More informationClassical hardness of Learning with Errors
Classical hardness of Learning with Errors Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé Adeline Langlois Classical Hardness of LWE 1/ 13 Our
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationAn Attack on a Fully Homomorphic Encryption Scheme
An Attack on a Fully Homomorhic Encrytion Scheme Yuu Hu 1 and Fenghe Wang 2 1 Telecommunication School, Xidian University, 710071 Xi an, China 2 Deartment of Mathematics and Physics Shandong Jianzhu University,
More informationParameter Constraints on Homomorphic Encryption Over the Integers
Parameter Constraints on Homomorphic Encryption Over the Integers Melanie Pabstel Thesis submitted to the Faculty of Graduate and Postdoctoral Studies in partial fulfillment of the requirements for the
More informationA Full Homomorphic Message Authenticator with Improved Efficiency
International Journal of Computer and Communication Engineering, Vol. 3, No. 4, July 2014 A Full Homomorphic Message Authenticator with Improved Efficiency Wenbin Chen and Hao Lei Abstract In the system
More informationCryptographic Multilinear Maps. Craig Gentry and Shai Halevi
Cryptographic Multilinear Maps Craig Gentry and Shai Halevi China Summer School on Lattices and Cryptography, June 2014 Multilinear Maps (MMAPs) A Technical Tool A primitive for building applications,
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Abstract We present a new tensoring techniue for LWE-based fully homomorphic encryption. While in all previous
More informationFaster Fully Homomorphic Encryption
Faster Fully Homomorphic Encryption Damien Stehlé Joint work with Ron Steinfeld CNRS ENS de Lyon / Macquarie University Singapore, December 2010 Damien Stehlé Faster Fully Homomorphic Encryption 08/12/2010
More informationFully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search
More informationCryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg
Course 1: Remainder: RSA Université du Luxembourg September 21, 2010 Public-key encryption Public-key encryption: two keys. One key is made public and used to encrypt. The other key is kept private and
More informationComputing with Encrypted Data Lecture 26
Computing with Encrypted Data 6.857 Lecture 26 Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption Encryption
More informationCryptology. Scribe: Fabrice Mouhartem M2IF
Cryptology Scribe: Fabrice Mouhartem M2IF Chapter 1 Identity Based Encryption from Learning With Errors In the following we will use this two tools which existence is not proved here. The first tool description
More informationAn Overview of Homomorphic Encryption
An Overview of Homomorphic Encryption Alexander Lange Department of Computer Science Rochester Institute of Technology Rochester, NY 14623 May 9, 2011 Alexander Lange (RIT) Homomorphic Encryption May 9,
More informationRecovering Private Keys Generated With Weak PRNGs
Recovering Private Keys Generated With Weak PRNGs Pierre-Alain Fouque (Univ. Rennes 1) Mehdi Tibouchi (NTT Secure Platform Lab.) Jean-Christophe Zapalowicz (Inria) Journées C2 2014 Jean-Christophe Zapalowicz
More informationFaster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds
Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds I. Chillotti 1 N. Gama 2,1 M. Georgieva 3 M. Izabachène 4 1 2 3 4 Séminaire GTBAC Télécom ParisTech April 6, 2017 1 / 43 Table
More informationSIS-based Signatures
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin February 26, 2013 Basics We will use the following parameters: n, the security parameter. =poly(n). m 2n log s 2 n
More informationIdeal Lattices and NTRU
Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin April 23-30, 2013 Ideal Lattices and NTRU Scribe: Kina Winoto 1 Algebraic Background (Reminders) Definition 1. A commutative
More informationMASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication
MASTER Fully homomorphic encryption in JCrypTool Ramaekers, C.F.W. Award date: 2011 Link to publication Disclaimer This document contains a student thesis (bachelor's or master's), as authored by a student
More informationCryptography CS 555. Topic 24: Finding Prime Numbers, RSA
Cryptography CS 555 Topic 24: Finding Prime Numbers, RSA 1 Recap Number Theory Basics Abelian Groups φφ pppp = pp 1 qq 1 for distinct primes p and q φφ NN = Z N gg xx mod N = gg [xx mmmmmm φφ NN ] mod
More informationAn Approach to Reduce Storage for Homomorphic Computations
An Approach to Reduce Storage for Homomorphic Computations Jung Hee Cheon and Jinsu Kim Seoul National University (SNU), Republic of Korea jhcheon@snu.ac.kr, kjs2002@snu.ac.kr Abstract. We introduce a
More informationFully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II
Fully homomorphic encryption scheme using ideal lattices Gentry s STOC 09 paper - Part GGH cryptosystem Gentry s scheme is a GGH-like scheme. GGH: Goldreich, Goldwasser, Halevi. ased on the hardness of
More informationYALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467a: Cryptography and Computer Security Notes 13 (rev. 2) Professor M. J. Fischer October 22, 2008 53 Chinese Remainder Theorem Lecture Notes 13 We
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We present a new tensoring techniue for LWE-based fully homomorphic
More informationReport Fully Homomorphic Encryption
Report Fully Homomorphic Encryption Elena Fuentes Bongenaar July 28, 2016 1 Introduction Outsourcing computations can be interesting in many settings, ranging from a client that is not powerful enough
More informationClassical hardness of the Learning with Errors problem
Classical hardness of the Learning with Errors problem Adeline Langlois Aric Team, LIP, ENS Lyon Joint work with Z. Brakerski, C. Peikert, O. Regev and D. Stehlé August 12, 2013 Adeline Langlois Hardness
More informationBreaking Plain ElGamal and Plain RSA Encryption
Breaking Plain ElGamal and Plain RSA Encryption (Extended Abstract) Dan Boneh Antoine Joux Phong Nguyen dabo@cs.stanford.edu joux@ens.fr pnguyen@ens.fr Abstract We present a simple attack on both plain
More informationSolving LWE with BKW
Martin R. Albrecht 1 Jean-Charles Faugére 2,3 1,4 Ludovic Perret 2,3 ISG, Royal Holloway, University of London INRIA CNRS IIS, Academia Sinica, Taipei, Taiwan PKC 2014, Buenos Aires, Argentina, 28th March
More informationGeneral Impossibility of Group Homomorphic Encryption in the Quantum World
General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1 An example
More informationLectures 2+3: Provable Security
Lectures 2+3: Provable Security Contents 1 Motivation 1 2 Syntax 3 3 Correctness 5 4 Security Definitions 6 5 Important Cryptographic Primitives 8 6 Proofs of Security 10 7 Limitations of Provable Security
More informationWeaknesses in Ring-LWE
Weaknesses in Ring-LWE joint with (Yara Elias, Kristin E. Lauter, and Ekin Ozman) and (Hao Chen and Kristin E. Lauter) ECC, September 29th, 2015 Lattice-Based Cryptography Post-quantum cryptography Ajtai-Dwork:
More informationPractical Analysis of Key Recovery Attack against Search-LWE Problem
Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate
More informationCryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95
Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95 Jean-Sébastien Coron and David Naccache Gemplus Card International 34 rue Guynemer, 92447 Issy-les-Moulineaux, France {jean-sebastien.coron,
More informationFrom Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes
From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer
More informationImplementation Tutorial on RSA
Implementation Tutorial on Maciek Adamczyk; m adamczyk@umail.ucsb.edu Marianne Magnussen; mariannemagnussen@umail.ucsb.edu Adamczyk and Magnussen Spring 2018 1 / 13 Overview Implementation Tutorial Introduction
More informationHomomorphic AES Evaluation Using the Modified LTV Scheme
Noname manuscript No. (will be inserted by the editor) Homomorphic AES Evaluation Using the Modified LTV Scheme Yarkın Doröz Yin Hu Berk Sunar the date of receipt and acceptance should be inserted later
More informationGentry s Fully Homomorphic Encryption Scheme
Gentry s Fully Homomorphic Encryption Scheme Under Guidance of Prof. Manindra Agrawal Rishabh Gupta Email: rishabh@cse.iitk.ac.in Sanjari Srivastava Email: sanjari@cse.iitk.ac.in Abstract This report presents
More informationHigh-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationSide Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents
Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents Santanu Sarkar and Subhamoy Maitra Leuven, Belgium 12 September, 2012 Outline of the Talk RSA Cryptosystem
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationBetter Bootstrapping in Fully Homomorphic Encryption
Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry IBM Shai Halevi IBM Nigel P. Smart University of Bristol December 15, 2011 Abstract Gentry s bootstrapping technique is currently the only
More informationFully Homomorphic Encryption from the Finite Field Isomorphism Problem
Fully Homomorphic Encryption from the Finite Field Isomorphism Problem Yarkın Doröz 1, Jeffrey Hoffstein 2, Jill Pipher 2, Joseph H. Silverman 2, Berk Sunar 1, William Whyte 3, and Zhenfei Zhang 3 1 Worcester
More informationA New Attack on RSA with Two or Three Decryption Exponents
A New Attack on RSA with Two or Three Decryption Exponents Abderrahmane Nitaj Laboratoire de Mathématiques Nicolas Oresme Université de Caen, France nitaj@math.unicaen.fr http://www.math.unicaen.fr/~nitaj
More informationMulti-key fully homomorphic encryption report
Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation
More informationIntroduction to Cybersecurity Cryptography (Part 4)
Introduction to Cybersecurity Cryptography (Part 4) Review of Last Lecture Blockciphers Review of DES Attacks on Blockciphers Advanced Encryption Standard (AES) Modes of Operation MACs and Hashes Message
More informationFully Homomorphic Encryption
6.889: New Developments in Cryptography February 8, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption Scribe: Alessandro Chiesa Achieving fully-homomorphic encryption, under any kind of reasonable
More informationLattice Based Crypto: Answering Questions You Don't Understand
Lattice Based Crypto: Answering Questions You Don't Understand Vadim Lyubashevsky INRIA / ENS, Paris Cryptography Secure communication in the presence of adversaries Symmetric-Key Cryptography Secret key
More informationCOMP4109 : Applied Cryptography
COMP409 : Applied Cryptography Fall 203 M. Jason Hinek Carleton University Applied Cryptography Day 3 public-key encryption schemes some attacks on RSA factoring small private exponent 2 RSA cryptosystem
More informationAlgorithmic Number Theory and Public-key Cryptography
Algorithmic Number Theory and Public-key Cryptography Course 3 University of Luxembourg March 22, 2018 The RSA algorithm The RSA algorithm is the most widely-used public-key encryption algorithm Invented
More informationFully Homomorphic Encryption
Fully Homomorphic Encryption Mitchell Harper June 2, 2014 1 Contents 1 Introduction 3 2 Cryptography Primer 3 2.1 Definitions............................. 3 2.2 Using a Public-key Scheme....................
More informationHomomorphic Encryption without Gaussian Noise
Homomorphic Encryption without Gaussian Noise Anamaria Costache and Nigel P. Smart Dept. Computer Science, University of Bristol, United Kingdom. Abstract. We propose a Somewhat Homomorphic Encryption
More informationENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange
ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,
More informationHomomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes
An extended abstract of this paper appears in the proceedings of COCOON 2016. This is the full version. Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes Pierre-Alain Fouque 1,3, Benjamin
More informationA Comment on Gu Map-1
A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices
More informationLattice-Based Non-Interactive Arugment Systems
Lattice-Based Non-Interactive Arugment Systems David Wu Stanford University Based on joint works with Dan Boneh, Yuval Ishai, Sam Kim, and Amit Sahai Soundness: x L, P Pr P, V (x) = accept = 0 No prover
More information