Gentry's SWHE Scheme
Homomorphic Encryption and Lattices, Spring 2011
Instructor: Shai Halevi
May 19, 2011
Gentry's SWHE Scheme
Scribe: Ran Cohen

In this lecture we review Gentry's somewhat homomorphic encryption (SWHE) scheme. In Gentry's scheme, the plaintext space and the ciphertext space are rings (support addition and multiplication), and given encryptions of $l$ messages, $c_1, \ldots, c_l$, where $c_i \leftarrow \mathrm{Enc}(m_i)$, and a polynomial $Q$ of bounded degree (and not-too-many terms), we have (except for negligible probability)

$$Q(m_1, \ldots, m_l) = \mathrm{Dec}(Q(c_1, \ldots, c_l)).$$

1 Background: GGH-type Cryptosystems

We briefly recall Micciancio's cleaned-up version of GGH cryptosystems [GGH97, Mic01]. The secret and public keys are good and bad bases of some lattice $\Lambda$. More specifically, the keyholder generates a good basis by choosing $B_{sk}$ to be a basis of short, nearly orthogonal vectors. Then it sets the public key to be the Hermite normal form of the same lattice, $B_{pk} \stackrel{\mathrm{def}}{=} \mathrm{HNF}(\Lambda(B_{sk}))$.

A ciphertext in a GGH-type cryptosystem is a vector $\vec{c}$ close to the lattice $\Lambda(B_{pk})$, and the message which is encrypted in this ciphertext is somehow encoded in the distance from $\vec{c}$ to the nearest lattice vector. To encrypt a message $m$, the sender chooses a short error vector $\vec{e}$ that encodes $m$, and then computes the ciphertext as $\vec{c} \leftarrow \vec{e} \bmod B_{pk}$. Note that if $\vec{e}$ is short enough (i.e., less than $\lambda_1(\Lambda)/2$), then it is indeed the distance between $\vec{c}$ and the nearest lattice point.

To decrypt, the key-holder uses its good basis $B_{sk}$ to recover $\vec{e}$ by setting $\vec{e} \leftarrow \vec{c} \bmod B_{sk}$, and then recovers $m$ from $\vec{e}$. The reason decryption works is that, if the parameters are chosen correctly, then the parallelepiped $\mathcal{P}(B_{sk})$ of the secret key will be a plump parallelepiped that contains a sphere of radius bigger than $\|\vec{e}\|$, so that $\vec{e}$ is indeed the unique point inside $\mathcal{P}(B_{sk})$ that equals $\vec{c}$ modulo $\Lambda$. On the other hand, the parallelepiped $\mathcal{P}(B_{pk})$ of the public key will be very skewed, and will not contain a sphere of large radius, making it useless for solving BDDP.

More algebraically, the secret-key basis $B_{sk}$ is chosen so that all the columns of $B_{sk}^{-1}$ have Euclidean length smaller than $1/(2\|\vec{e}\|)$. Recall that $\vec{c} = \vec{v} + \vec{e}$ for some $\vec{v} \in \Lambda$, so we can write $\vec{c} = \vec{\alpha} B_{sk} + \vec{e}$ for some integer coefficient vector $\vec{\alpha}$. Also, reducing $\vec{c}$ mod $B_{sk}$ is done by computing

$$\vec{c} \bmod B_{sk} = \overbrace{[\vec{c} B_{sk}^{-1}]}^{[\cdot]\text{ is distance to nearest integer}} B_{sk} = [(\vec{\alpha} B_{sk} + \vec{e}) B_{sk}^{-1}] B_{sk} = [\vec{\alpha} + \vec{e} B_{sk}^{-1}] B_{sk} \stackrel{(*)}{=} [\vec{e} B_{sk}^{-1}] B_{sk},$$

where Equality $(*)$ follows since $\vec{\alpha}$ is an integer vector and $[\cdot]$ means taking only the fractional part. Each entry of $\vec{e} B_{sk}^{-1}$ is the inner product of $\vec{e}$ with a column of $B_{sk}^{-1}$, and as the column is shorter than $1/(2\|\vec{e}\|)$ then that entry is smaller than $1/2$ in absolute value. It follows that the fractional part $[\vec{e} B_{sk}^{-1}]$ equals $\vec{e} B_{sk}^{-1}$ exactly. Thus,

$$\vec{c} \bmod B_{sk} = [\vec{e} B_{sk}^{-1}] B_{sk} = \vec{e} B_{sk}^{-1} B_{sk} = \vec{e}.$$

Note that if the encoding of $m$ into $\vec{e}$ is linear, then this scheme is already somewhat additively homomorphic, since for two ciphertexts $\vec{c}_1 = \vec{v}_1 + \vec{e}_1$ and $\vec{c}_2 = \vec{v}_2 + \vec{e}_2$, we get that $\vec{e} = \vec{e}_1 + \vec{e}_2$ encodes $m_1 + m_2$. If $\vec{e}$ is still short enough then decryption will recover it and thus returns $m_1 + m_2$.
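For example, if in order to encode $m \in \{0,1\}$ we denote $\vec{m} = (m, 0, \ldots, 0) \in \{0,1\}^n$, choose a short integer vector $\vec{r}$ and set $\vec{e} = 2\vec{r} + \vec{m}$, then

$$\vec{c}_1 + \vec{c}_2 = (\vec{v}_1 + 2\vec{r}_1 + \vec{m}_1) + (\vec{v}_2 + 2\vec{r}_2 + \vec{m}_2) = (\vec{v}_1 + \vec{v}_2) + 2(\vec{r}_1 + \vec{r}_2) + (\vec{m}_1 + \vec{m}_2) = \vec{v} + \vec{e},$$

where $\vec{v} = \vec{v}_1 + \vec{v}_2 \in \Lambda$, and $\vec{e} \equiv (m_1 \oplus m_2, 0, \ldots, 0) \pmod 2$. If $\vec{e}$ is short then we decrypt $m_1 \oplus m_2$.

Recall that a lattice is a discrete additive subgroup of $\mathbb{Z}^n$. In order to obtain an encryption scheme that is (somewhat) homomorphic w.r.t. multiplication we need a ring structure as we have in ideal lattices. Consider the encryption scheme from the GGH example above, where $\Lambda = \Lambda_J$ is an ideal lattice with the underlying ring $R_n = \mathbb{Z}[x]/\langle x^n + 1 \rangle$, then we have

$$\vec{c}_1 \cdot \vec{c}_2 = (\vec{v}_1 + 2\vec{r}_1 + \vec{m}_1)(\vec{v}_2 + 2\vec{r}_2 + \vec{m}_2) = \underbrace{\vec{v}_1(\vec{v}_2 + 2\vec{r}_2 + \vec{m}_2) + \vec{v}_2(2\vec{r}_1 + \vec{m}_1)}_{\vec{v}} + \underbrace{2(2\vec{r}_1\vec{r}_2 + \vec{r}_1\vec{m}_2 + \vec{m}_1\vec{r}_2) + \vec{m}_1\vec{m}_2}_{\vec{e}},$$

where $\vec{v} \in \Lambda_J$ since $\vec{v}_1, \vec{v}_2 \in \Lambda_J$ and $J$ is an ideal. Note that if $\vec{m}_i = (m_i, 0, \ldots, 0)$, with the leftmost entry being the free term in the corresponding polynomial, then we have $\vec{m}_1 \cdot \vec{m}_2 = (m_1 m_2, 0, \ldots, 0)$. If $\vec{e}$ is still small enough then we can recover it by $\vec{m}_1 \cdot \vec{m}_2 \equiv \vec{e} \pmod 2$.

2 Gentry's Somewhat-Homomorphic Encryption (SWHE) Scheme

The SWHE scheme that underlies Gentry's scheme is a GGH-type cryptosystem where the public key specifies an ideal lattice $\Lambda_J$. Here we only cover a special case of Gentry's scheme where all the ideals are principal and the ring that is used for polynomial arithmetic is $R_n = \mathbb{Z}[x]/\langle x^n + 1 \rangle$, with $n$ a power of two. (This is the variant that was implemented in [SV10] and [GH11].)

The relation in the ring $R_n$ is $x^n \equiv -1$, hence $R_n$ is closed under rotation-negation, i.e. if

$$\vec{v} = (v_0, \ldots, v_{n-1}) = v_0 + v_1 x + \cdots + v_{n-1} x^{n-1} \in R_n,$$

then so is

$$x \cdot \vec{v} = x \sum_i v_i x^i = -v_{n-1} + v_0 x + v_1 x^2 + \cdots + v_{n-2} x^{n-1} = (-v_{n-1}, v_0, \ldots, v_{n-2}).$$

Therefore, given $\vec{v} = (v_0, \ldots, v_{n-1}) \in R_n$, we can define the rotation basis of $\vec{v}$ as

$$V = \begin{pmatrix} \vec{v} \\ x \cdot \vec{v} \\ \vdots \\ x^{n-1} \cdot \vec{v} \end{pmatrix} = \begin{pmatrix} v_0 & v_1 & \cdots & v_{n-1} \\ -v_{n-1} & v_0 & \cdots & v_{n-2} \\ \vdots & & \ddots & \vdots \\ -v_1 & -v_2 & \cdots & v_0 \end{pmatrix}.$$

Parameters: The security parameter is $n = 2^m$, in addition we have 3 other size parameters $\rho, \sigma, \tau$ that satisfy $\tau \ge 2\sigma n \log n$ and τ > (ρn log n) 4 n. For example one can set σ = n, and then determine $\rho, \tau$.

Key Gen: Choose $\vec{s} \leftarrow \mathcal{N}(0, \sigma^2)^n$ and set $\vec{v} = (\tau, 0, \ldots, 0) + \vec{s}$. Ensure that $\det(V)$ is odd and that $\|\vec{s}\|_1 < \sigma n \log n$. The secret key is $\vec{v}$ whereas the public key is $B = \mathrm{HNF}(\vec{v})$, the HNF basis for the lattice spanned by the rows of $V$ (corresponding to the ideal $\langle \vec{v} \rangle$).

Encrypt$_B(m)$: Given $m \in \{0,1\}$ choose at random $\vec{r} \leftarrow \mathcal{N}(0, \rho^2)^n$, and set $\vec{c} = 2\vec{r} + (m, 0, \ldots, 0) \bmod B$.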
Decrypt$_{\vec{v}}(\vec{c})$: Let $V$ be the rotation basis of $\vec{v}$, compute $\vec{m} = (\vec{c} \bmod V) \bmod 2$, and output the first entry, i.e. if $W = V^{-1}$, then $\vec{m} = ([\vec{c}W]V) \bmod 2$ (where $[\cdot]$ is the fractional part in the range $[-\frac{1}{2}, \frac{1}{2})$).

As in the GGH scheme, in order for the decryption to work we require that $\|\vec{e}W\| < 1/2$, so that we have $[\vec{e}W]V = \vec{e}WV = \vec{e}$.

Claim 1. Let $\vec{e} \in R_n$ such that $\|\vec{e}\| < \tau/4$, then $\|\vec{e}W\| < 1/2$.

Proof. Since every entry of $\vec{e}W$ is an inner product of $\vec{e}$ with a column of $W$, it is enough to show that every column of $W$ is small enough. Assume that $\|\vec{e}W\| \ge 1/2$, and we will show that w.h.p. $\|\vec{e}\| \ge \tau/4$. Let $\vec{t} = \vec{e}W = \vec{e}V^{-1}$, i.e. $\vec{e} = \vec{t}V = \sum_j t_j (x^j \cdot \vec{v})$. Let $i$ be the largest such that $|t_i| \ge 1/2$. In the key generation procedure we set $\vec{v} = (\tau, 0, \ldots, 0) + \vec{s}$, therefore $x^j \cdot \vec{v} = (0, \ldots, 0, \tau, 0, \ldots, 0) + x^j \cdot \vec{s}$, and the $i$-th entry of $\vec{e}$ is It follows that

e i = t i τ + i e i = t i τ + t i τ t i τ (i+1) t j s i j t j+i+1 s j. i i i = t i (τ s j ) (i+1) t j s i j t j+i+1 s j (i+1) t j s i j t j+i+1 s j (i+1) t i s i j t i s j = t i (τ s 1 )

However, since $|t_i| \ge 1/2$, $\|\vec{s}\|_1 < \sigma n \log n$ and $\tau \ge 2\sigma n \log n$ we get

$$|e_i| \ge \tfrac{1}{2}(\tau - \sigma n \log n) \ge \tau/4.$$

It follows that $\|\vec{e}\| \ge \tau/4$, and we get a contradiction.

The following claim explains the somewhat homomorphic nature of the encryption scheme.

Claim 2. Let $Q(x_1, \ldots, x_l)$ be a binary polynomial of degree at most n in each variable, with at most n n terms. For $i = 1, \ldots, l$ let $m_i \in \{0,1\}$ and set $\vec{c}_i \leftarrow \mathrm{Enc}_B(m_i)$. In addition, set $\vec{c} = Q(\vec{c}_1, \ldots, \vec{c}_l)$ (where evaluation is over $R_n$). Then w.h.p. $\mathrm{Dec}(\vec{c}) \equiv Q(m_1, \ldots, m_l) \pmod 2$.

Proof. With high probability each one of the $\vec{c}_i$ is of the form $\vec{c}_i = \vec{u}_i + \vec{e}_i$, for some $\vec{u}_i \in \langle \vec{v} \rangle$, with e i < ρ log n and $\vec{e}_i \equiv (m_i, 0, \ldots, 0) \pmod 2$. It follows that $Q(\vec{c}_1, \ldots, \vec{c}_l) = \vec{u} + Q(\vec{e}_1, \ldots, \vec{e}_l)$ for some $\vec{u} \in \langle \vec{v} \rangle$ (because the $\vec{u}_i$ are in the ideal). Similarly, since $\vec{e}_i = 2\vec{r}_i + \vec{m}_i$ we have

$$Q(\vec{e}_1, \ldots, \vec{e}_l) = 2\vec{r} + Q(\vec{m}_1, \ldots, \vec{m}_l) \equiv Q(\vec{m}_1, \ldots, \vec{m}_l) \pmod 2.$$

Note that for a, b R n we have a b n a b, hence

e = Q( e 1,..., e l ) (max e i ) n n (# of terms) i (ρn log n) n n n < (ρn log n) 4 n τ/4.

So by Claim 1 decryption will recover $\vec{e} = Q(\vec{e}_1, \ldots, \vec{e}_l)$, and therefore also $Q(\vec{m}_1, \ldots, \vec{m}_l)$.
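A toy run of Key Gen, Encrypt and Decrypt with one homomorphic addition and one multiplication, added here as an illustration; it is not code from the lecture notes or from [SV10] or [GH11]. Assumptions: all function names are illustrative, the Gaussian samples are rounded to integers, the parameters (n = 8, tau = 2^20) are tiny and insecure, and encryption adds a random multiple of v instead of reducing modulo the HNF basis B, which gives another representative of the same coset of the ideal.

```python
import math
import random
from fractions import Fraction

def ring_mul(a, b):
    """Product in R_n = Z[x]/(x^n + 1): x^n wraps around as -1."""
    n = len(a)
    out = [0] * n
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            if i + j < n:
                out[i + j] += ai * bj
            else:
                out[i + j - n] -= ai * bj
    return out

def ring_add(a, b):
    return [x + y for x, y in zip(a, b)]

def rotation_basis(v):
    """Rows v, x*v, ..., x^(n-1)*v; each row rotates and negates the previous one."""
    rows, row = [], list(v)
    for _ in v:
        rows.append(row)
        row = [-row[-1]] + row[:-1]
    return rows

def eliminate(M, rhs):
    """Exact Gauss-Jordan over the rationals: returns (det M, t) with t*M = rhs."""
    n = len(M)
    # t*M = rhs is the same system as M^T t^T = rhs^T, so augment the transpose.
    A = [[Fraction(M[j][i]) for j in range(n)] + [Fraction(rhs[i])] for i in range(n)]
    det = Fraction(1)
    for col in range(n):
        piv = next((r for r in range(col, n) if A[r][col] != 0), None)
        if piv is None:
            return Fraction(0), None
        if piv != col:
            A[col], A[piv] = A[piv], A[col]
            det = -det
        p = A[col][col]
        det *= p
        A[col] = [x / p for x in A[col]]
        for r in range(n):
            if r != col and A[r][col] != 0:
                f = A[r][col]
                A[r] = [x - f * y for x, y in zip(A[r], A[col])]
    return det, [A[i][n] for i in range(n)]

def keygen(n, tau, sigma, rng):
    """v = (tau,0,...,0) + s, retried until det(V) is odd and ||s||_1 < tau/2."""
    while True:
        s = [round(rng.gauss(0, sigma)) for _ in range(n)]  # assumption: rounded Gaussian
        v = [tau + s[0]] + s[1:]
        det, _ = eliminate(rotation_basis(v), [0] * n)
        if det % 2 == 1 and 2 * sum(abs(x) for x in s) < tau:
            return v

def encrypt(v, m, rho, rng):
    """Return (c, e) with noise e = 2r + (m,0,...,0) and c = e + y*v."""
    # Assumption: the random ideal element y*v stands in for reduction modulo
    # the public HNF basis B; both give a representative of the same coset.
    n = len(v)
    r = [round(rng.gauss(0, rho)) for _ in range(n)]
    e = [2 * r[0] + m] + [2 * x for x in r[1:]]
    y = [rng.randint(-50, 50) for _ in range(n)]
    return ring_add(e, ring_mul(y, v)), e

def reduce_mod_V(c, v):
    """c mod V = [cW]V = c - round(cW)*V, where W = V^{-1}."""
    _, t = eliminate(rotation_basis(v), c)               # t = c * V^{-1}
    k = [math.floor(ti + Fraction(1, 2)) for ti in t]    # leaves a fraction in [-1/2, 1/2)
    return [ci - x for ci, x in zip(c, ring_mul(k, v))]  # k*V is the ring product k*v

def decrypt(v, c):
    return reduce_mod_V(c, v)[0] % 2

def demo(seed=1):
    """Toy parameters constructed for this example, far too small to be secure."""
    rng = random.Random(seed)
    n, tau, sigma, rho = 8, 2 ** 20, 4, 2
    v = keygen(n, tau, sigma, rng)
    results = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, _ = encrypt(v, m1, rho, rng)
            c2, _ = encrypt(v, m2, rho, rng)
            results[(m1, m2)] = (decrypt(v, ring_add(c1, c2)),  # m1 XOR m2
                                 decrypt(v, ring_mul(c1, c2)))  # m1 AND m2
    # Noise as large as v itself is not recovered: (1,0,...,0) + v reduces to (1,0,...,0).
    big = ring_add([1] + [0] * (n - 1), v)
    return results, reduce_mod_V(big, v) == big

if __name__ == "__main__":
    print(demo())
```

With these sizes the fresh noise has entries of at most 35 in absolute value, so the noise of a sum or of one product stays far below tau/4 and Claim 1 applies; the last check shows reduction modulo V wrapping once the noise reaches the size of v.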
3 Security of Gentry's SWHE Scheme

Claim 3. The scheme is CPA-secure if for $\vec{v} \leftarrow (\tau, 0, \ldots, 0) + \mathcal{N}(0, \sigma^2)^n$ it is hard to distinguish $\mathcal{N}(0, \rho^2)^n \bmod B$ from a uniform integer vector mod $B$, where $B$ is the HNF of the lattice $\Lambda_V$, assuming $\det(V)$ is odd.

Before we prove the claim we need to play a bit with some algebra. Let $V$ be the rotation basis of $\vec{v}$ and denote $d = \det(V)$. We know that $d \ne 0$. Assume $d$ is odd, and denote the adjoint matrix of $V$ by $A = dV^{-1}$; $A$ is an integer matrix as it is the adjoint of an integer matrix. Let $\vec{a} = (a_0, \ldots, a_{n-1})$ be the first row of $A$. On one hand, since $AV = dI$ we have $\vec{a}V = (d, 0, \ldots, 0)$, which is in fact the constant polynomial $d \in R_n$. On the other hand we have

$$\vec{a}V = \sum_i a_i (x^i \cdot \vec{v}) = \Big(\sum_i a_i x^i\Big) \cdot \vec{v} \bmod (x^n + 1) = \vec{a} \cdot \vec{v} \in R_n.$$

It follows that $\vec{a} \cdot \vec{v} = d$ (the constant polynomial $d$). Note that $x \cdot \vec{a} \cdot \vec{v} = xd = (0, d, 0, \ldots, 0)$, hence the second row of $A$ is $x \cdot \vec{a}$. In fact $A$ is the rotation basis of $\vec{a}$, and $\vec{a}$ is the scaled inverse of $\vec{v}$.

Now, since $d$ is odd, $\frac{d-1}{2} \in \mathbb{Z}$, and we can consider the constant polynomial $\frac{d-1}{2} \in R_n$. It holds that

$$\vec{a} \cdot \vec{v} - 2 \cdot \frac{d-1}{2} = d - (d-1) = 1 \in R_n,$$

namely the polynomials $\vec{v}$ and $2$ are coprime in $R_n$. It follows that the map $\vec{x} \mapsto 2\vec{x} \bmod \vec{v}$ is a permutation.

What do we actually mean by $\vec{x} \mapsto 2\vec{x} \bmod \vec{v}$? Since $\langle \vec{v} \rangle$ is an ideal in $R_n$, we can consider the quotient ring $R_n/\langle \vec{v} \rangle$ and the natural projection $R_n \to R_n/\langle \vec{v} \rangle$. Now $\vec{x} \bmod \vec{v}$ is simply the image of this projection (by abuse of notation we write $\vec{x} \in R_n/\langle \vec{v} \rangle$ for the equivalence class $[\vec{x}] \in R_n/\langle \vec{v} \rangle$). We can look at the doubling map over $R_n/\langle \vec{v} \rangle$, sending $\vec{x} \in R_n/\langle \vec{v} \rangle$ to $2\vec{x} \in R_n/\langle \vec{v} \rangle$. Since $2$ and $\vec{v}$ are coprime in $R_n$, $2$ has an inverse $\frac{1-d}{2} \in R_n/\langle \vec{v} \rangle$. Thus doubling induces a permutation on $R_n/\langle \vec{v} \rangle$:

$$2\vec{x} \cdot \frac{1-d}{2} = \vec{x}(1 - \vec{a} \cdot \vec{v}) = \vec{x} \bmod \vec{v}.$$

Two polynomials $\vec{a}, \vec{b} \in R_n$ are congruent mod $\vec{v}$ if $\vec{a} - \vec{b} \in \langle \vec{v} \rangle$, i.e. there is some $\vec{u} \in R_n$ such that $\vec{a} = \vec{b} + \vec{u} \cdot \vec{v}$, however $\vec{u} \cdot \vec{v} = \vec{u}V$, hence $\vec{a}, \vec{b}$ are congruent mod $\vec{v}$ iff $\vec{a}, \vec{b}$ are congruent mod $V$, and we can conclude that the mapping $\vec{x} \mapsto 2\vec{x} \bmod V$ is a permutation on $R_n/\langle \vec{v} \rangle$. We are now ready to prove Claim 3.

Proof of Claim 3. Let $\mathcal{A}$ be a CPA adversary with advantage $\epsilon$. We will show how to utilize it and construct a distinguisher that tells $\mathcal{N}(0, \rho^2)^n \bmod B$ apart from a uniform integer vector in $\mathcal{P}(B)$, where $\vec{v}$ is chosen as in the key generation algorithm of the scheme and $B$ is the HNF basis of $\langle \vec{v} \rangle$.

Given $B$ and $\vec{x}$, we need to decide if $\vec{x}$ is uniform mod $B$ or Gaussian mod $B$. We give $\mathcal{A}$ the basis $B$ as public key, and $\mathcal{A}$ gives us two bits $m_0, m_1$. We choose a random bit $b \in_R \{0,1\}$, and give $\mathcal{A}$ the ciphertext $\vec{c} = 2\vec{x} + (m_b, 0, \ldots, 0) \bmod B$. When $\mathcal{A}$ returns a bit $b'$ we output 1 if $b' = b$ and 0 otherwise.

If $\vec{x}$ is Gaussian then this is a perfect simulation of the scheme, hence $\mathcal{A}$ guesses correctly with probability $\frac{1}{2} + \epsilon$.

If $\vec{x}$ is uniform mod $B$ then $2\vec{x} \bmod B = (2\vec{x} \bmod V) \bmod B$, and since $\vec{x} \bmod V$ is uniform in $\mathcal{P}(V)$ and doubling is a permutation, then $2\vec{x} \bmod V$ is also uniform in $\mathcal{P}(V)$, hence $2\vec{x} \bmod B$ is uniform in $\mathcal{P}(B)$. It follows that $2\vec{x} + \vec{m}_b \bmod B$ is uniform in $\mathcal{P}(B)$ regardless of $b$. Therefore $\mathcal{A}$ guesses correctly in this case with probability $\frac{1}{2}$.
So how hard is it to distinguish between uniform and Gaussian mod $B$? We don't really know, however one way is to solve the BDD problem for the Gaussian case. Note that when x is Gaussian then w.h.p. x ρ, whereas det(λ(v )) x i v (τ + σ log n) n < (τ) n. It follows that the ratio between the error distance ( c, Λ) and n det(λ) is n det(λ) ρ < τ ρ < 4 n, and we do not know how to solve BDD with this ratio.

References

[GGH97] Oded Goldreich, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. In Burton S. Kaliski Jr., editor, Advances in Cryptology - CRYPTO 1997, volume 1294 of Lecture Notes in Computer Science. Springer, 1997.

[GH11] Craig Gentry and Shai Halevi. Implementing Gentry's fully-homomorphic encryption scheme. In Advances in Cryptology - EUROCRYPT'11, volume 6632 of Lecture Notes in Computer Science. Springer, 2011. Full version available on-line from

[Mic01] Daniele Micciancio. Improving lattice based cryptosystems using the Hermite normal form. In CaLC'01, volume 2146 of Lecture Notes in Computer Science. Springer, 2001.

[SV10] Nigel P. Smart and Frederik Vercauteren. Fully homomorphic encryption with relatively small key and ciphertext sizes. In Phong Q. Nguyen and David Pointcheval, editors, Public Key Cryptography - PKC 2010, volume 6056 of Lecture Notes in Computer Science. Springer, 2010.
More informationA Generic Hybrid Encryption Construction in the Quantum Random Oracle Model
A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model Presented by: Angela Robinson Department of Mathematical Sciences, Florida Atlantic University April 4, 2018 Motivation Quantum-resistance
More informationFully Homomorphic Encryption
6.889: New Developments in Cryptography February 8, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption Scribe: Alessandro Chiesa Achieving fully-homomorphic encryption, under any kind of reasonable
More information10 Concrete candidates for public key crypto
10 Concrete candidates for public key crypto In the previous lecture we talked about public key cryptography and saw the Diffie Hellman system and the DSA signature scheme. In this lecture, we will see
More informationNotes on Alekhnovich s cryptosystems
Notes on Alekhnovich s cryptosystems Gilles Zémor November 2016 Decisional Decoding Hypothesis with parameter t. Let 0 < R 1 < R 2 < 1. There is no polynomial-time decoding algorithm A such that: Given
More informationHigh-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA
High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA Ahmad Al Badawi ahmad@u.nus.edu National University of Singapore (NUS) Sept 10 th 2018 CHES 2018 FHE The holy grail
More informationCryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97
Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97 Phong Nguyen and Jacques Stern École Normale Supérieure, Laboratoire d Informatique 45, rue d Ulm, F 75230 Paris Cedex 05 {Phong.Nguyen,Jacques.Stern}@ens.fr
More information1: Introduction to Lattices
CSE 206A: Lattice Algorithms and Applications Winter 2012 Instructor: Daniele Micciancio 1: Introduction to Lattices UCSD CSE Lattices are regular arrangements of points in Euclidean space. The simplest
More informationCryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev
Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern
More informationA Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes
A Lower Bound on the Key Length of Information-Theoretic Forward-Secure Storage Schemes Stefan Dziembowski Department of Computer Science University of Rome, La Sapienza Abstract. Forward-Secure Storage
More informationWhen Homomorphism Becomes a Liability
When Homomorphism Becomes a Liability Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We show that an encryption scheme cannot have a simple decryption function and be homomorphic at the
More informationHOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51
HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane
More informationIntroduction to Cybersecurity Cryptography (Part 5)
Introduction to Cybersecurity Cryptography (Part 5) Prof. Dr. Michael Backes 13.01.2017 February 17 th Special Lecture! 45 Minutes Your Choice 1. Automotive Security 2. Smartphone Security 3. Side Channel
More informationAdvanced Cryptography 03/06/2007. Lecture 8
Advanced Cryptography 03/06/007 Lecture 8 Lecturer: Victor Shoup Scribe: Prashant Puniya Overview In this lecture, we will introduce the notion of Public-Key Encryption. We will define the basic notion
More informationLattices, Cryptography, and NTRU. An introduction to lattice theory and the NTRU cryptosystem. Ahsan Z. Zahid
Lattices, Cryptography, and NTRU An introduction to lattice theory and the NTRU cryptosystem Ahsan Z. Zahid A thesis presented for the degree of Bachelor of Science School of Science St. Mary s College
More informationLecture 13: Private Key Encryption
COM S 687 Introduction to Cryptography October 05, 2006 Instructor: Rafael Pass Lecture 13: Private Key Encryption Scribe: Ashwin Machanavajjhala Till this point in the course we have learnt how to define
More informationSmooth Projective Hash Function and Its Applications
Smooth Projective Hash Function and Its Applications Rongmao Chen University of Wollongong November 21, 2014 Literature Ronald Cramer and Victor Shoup. Universal Hash Proofs and a Paradigm for Adaptive
More informationThe Smart-Vercauteren Fully Homomorphic Encryption Scheme
The Smart-Vercauteren Fully Homomorphic Encryption Scheme Vidar Klungre Master of Science in Physics and Mathematics Submission date: June 2012 Supervisor: Kristian Gjøsteen, MATH Norwegian University
More informationCryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups
Great Theoretical Ideas in CS V. Adamchik CS 15-251 Upcoming Interview? Lecture 24 Carnegie Mellon University Cryptography and RSA How the World's Smartest Company Selects the Most Creative Thinkers Groups
More informationTutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction
Tutorial on Quantum Computing Vwani P. Roychowdhury Lecture 1: Introduction 1 & ) &! # Fundamentals Qubits A single qubit is a two state system, such as a two level atom we denote two orthogonal states
More informationFully Homomorphic Encryption without Modulus Switching from Classical GapSVP
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Abstract We present a new tensoring techniue for LWE-based fully homomorphic encryption. While in all previous
More informationEfficient Identity-Based Encryption Without Random Oracles
Efficient Identity-Based Encryption Without Random Oracles Brent Waters Abstract We present the first efficient Identity-Based Encryption (IBE) scheme that is fully secure without random oracles. We first
More information