Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme

Similar documents
Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

A New Attack on RSA with Two or Three Decryption Exponents

Computers and Mathematics with Applications

New attacks on RSA with Moduli N = p r q

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

Partially homomorphic encryption schemes over finite fields

An Introduction to Probabilistic Encryption

Solving Systems of Modular Equations in One Variable: How Many RSA-Encrypted Messages Does Eve Need to Know?

Cryptanalysis of a key exchange protocol based on the endomorphisms ring End(Z p Z p 2)

Cryptanalysis of a Message Authentication Code due to Cary and Venkatesan

Deterministic Polynomial Time Equivalence of Computing the RSA Secret Key and Factoring

Generalized hyper-bent functions over GF(p)

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

A new attack on RSA with a composed decryption exponent

Cryptanalysis of Unbalanced RSA with Small CRT-Exponent

On Deterministic Polynomial-Time Equivalence of Computing the CRT-RSA Secret Keys and Factoring

Public Key Cryptography

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Mathematical Foundations of Public-Key Cryptography

Deterministic Polynomial Time Equivalence between Factoring and Key-Recovery Attack on Takagi s RSA

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Cryptanalysis of a Fast Public Key Cryptosystem Presented at SAC 97

Computing the RSA Secret Key is Deterministic Polynomial Time Equivalent to Factoring

A New Generalization of the KMOV Cryptosystem

Introduction to Modern Cryptography. Benny Chor

Partial Key Exposure: Generalized Framework to Attack RSA

Optimal Use of Montgomery Multiplication on Smart Cards

PREDICTING MASKED LINEAR PSEUDORANDOM NUMBER GENERATORS OVER FINITE FIELDS

Primitive sets in a lattice

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

Pseudo-random Number Generation. Qiuliang Tang

Breaking Plain ElGamal and Plain RSA Encryption

Cryptology. Scribe: Fabrice Mouhartem M2IF

CPSC 467b: Cryptography and Computer Security

Public Key Cryptography

CRT-based Fully Homomorphic Encryption over the Integers

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

SOBER Cryptanalysis. Daniel Bleichenbacher and Sarvar Patel Bell Laboratories Lucent Technologies

Cryptanalysis of a Knapsack Based Two-Lock Cryptosystem

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Cryptography. P. Danziger. Transmit...Bob...

10 Modular Arithmetic and Cryptography

CPSC 467b: Cryptography and Computer Security

A Knapsack Cryptosystem Based on The Discrete Logarithm Problem

Linear Ciphers. Klaus Pommerening Fachbereich Physik, Mathematik, Informatik der Johannes-Gutenberg-Universität Saarstraße 21 D Mainz

Public Key Encryption

CPSC 467b: Cryptography and Computer Security

A DPA Attack against the Modular Reduction within a CRT Implementation of RSA

Chapter 8 Public-key Cryptography and Digital Signatures

My brief introduction to cryptography

An Overview of Homomorphic Encryption

Multikey Homomorphic Encryption from NTRU

Asymmetric Cryptography

Chapter 4 Asymmetric Cryptography

Mathematics of Cryptography

Theme : Cryptography. Instructor : Prof. C Pandu Rangan. Speaker : Arun Moorthy CS

Discrete Mathematics GCD, LCM, RSA Algorithm

Cryptanalysis of Patarin s 2-Round Public Key System with S Boxes (2R)

SELECTED APPLICATION OF THE CHINESE REMAINDER THEOREM IN MULTIPARTY COMPUTATION

Practical Fully Homomorphic Encryption without Noise Reduction

Hidden Number Problem Given Bound of Secret Jia-ning LIU and Ke-wei LV *

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

CIS 551 / TCOM 401 Computer and Network Security

Basic elements of number theory

Modular Multiplication in GF (p k ) using Lagrange Representation

Basic elements of number theory

Cryptography. pieces from work by Gordon Royle

Compartmented Threshold RSA Based on the Chinese Remainder Theorem

Primitive Sets of a Lattice and a Generalization of Euclidean Algorithm

A NEW ATTACK ON RSA WITH A COMPOSED DECRYPTION EXPONENT

Some security bounds for the DGHV scheme

Public Key Algorithms

Candidates must show on each answer book the type of calculator used. Only calculators permitted under UEA Regulations may be used.

On a generalization of addition chains: Addition multiplication chains

Practical Fault Countermeasures for Chinese Remaindering Based RSA

Cryptanalysis of a homomorphic public-key cryptosystem over a finite group

Public-Key Encryption: ElGamal, RSA, Rabin

RSA ENCRYPTION USING THREE MERSENNE PRIMES

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Math 299 Supplement: Modular Arithmetic Nov 8, 2013

RABIN PUBLIC-KEY CRYPTOSYSTEM IN RINGS OF POLYNOMIALS OVER FINITE FIELDS

Algorithmic Number Theory and Public-key Cryptography

Cube attack in finite fields of higher order

New Variant of ElGamal Signature Scheme

Blind Signature Protocol Based on Difficulty of. Simultaneous Solving Two Difficult Problems

Hans Delfs & Helmut Knebl: Kryptographie und Informationssicherheit WS 2008/2009. References. References

Pollard s Rho Algorithm for Elliptic Curves

Computers and Electrical Engineering

19. Coding for Secrecy

RSA. Ramki Thurimella

Cryptography CS 555. Topic 18: RSA Implementation and Security. CS555 Topic 18 1

Introduction to Public-Key Cryptosystems:

Cosc 412: Cryptography and complexity Lecture 7 (22/8/2018) Knapsacks and attacks

Asymmetric Encryption

An Efficient Broadcast Attack against NTRU

Introduction to Cryptology. Lecture 2

Quadratic Equations from APN Power Functions

Cryptography IV: Asymmetric Ciphers

CSCI3390-Lecture 16: Probabilistic Algorithms: Number Theory and Cryptography

1 Number Theory Basics

Transcription:

Information Processing Letters 97 2006) 8 23 wwwelseviercom/locate/ipl Known-plaintext cryptanalysis of the Domingo-Ferrer algebraic privacy homomorphism scheme Jung Hee Cheon a, Woo-Hwan Kim b,, Hyun Soo Nam a a ISaC and Department of Mathematical Sciences, Seoul National University, San 56- Shinrim-dong, Kwanak-gu, Seoul 5-747, Republic of Korea b National Security Research Institute, 6 Gajeong-dong, Yuseong-gu, Daejeon 305-350, Republic of Korea Received May 2004; received in revised form 28 February 2005; accepted 27 September 2005 Available online 7 November 2005 Communicated by Y Desmedt Abstract We propose cryptanalysis of the First Domingo-Ferrer s algebraic privacy homomorphism E : Z n Z p Z q ) d where n = pq We show that the scheme can be broken by d + ) known plaintexts in Od 3 log 2 n) time Even when the modulus n is kept secret, it can be broken by 2d + ) known plaintexts in Od 4 log dn+ d 3 log 2 n + εm)) time with overwhelming probability 2005 Elsevier BV All rights reserved Keywords: Privacy homomorphism; Cryptanalysis; Safety/security in digital systems Introduction The conceptofprocessing encrypted data was firstly introduced by Rivest et al [] in 978 A privacy homomorphism is an encryption function which allows processing the encrypted data without knowledge of the decryption function More precisely, an algebraic privacy homomorphic encryption E over a ring R is an encryption function which has efficient algorithms to compute Exy) and Ex + y) from Ex) and Ey) without revealing x and y One example of an algebraic privacy homomorphism [] is as follows: * Corresponding author E-mail addresses: jhcheon@mathsnuackr JH Cheon), whkim5@etrirekr W-H Kim), hsnam@mathsnuackr HS Nam) Example Let p,q be large primes, and n = pq P = Z n, C = Z p Z q, Ex) = x mod p,x mod q) and decryption is done using the Chinese remainder theorem This function is an algebraic privacy homomorphism under the usual modular addition and modular multiplication Unfortunately, it is shown that this algebraic privacy homomorphism can be broken using a knownplaintext attack [5] In 99, Feigenbaum and Merritt [8] questioned directly whether an algebraic privacy homomorphism does exist Many schemes are suggested, but almost all of them are shown to be insecure [5,3,3,4] In particular, Ahituv et al showed that any algebraic privacy homomorphism can be broken efficiently by cho- 0020-090/$ see front matter 2005 Elsevier BV All rights reserved doi:006/jipl20050906

JH Cheon et al / Information Processing Letters 97 2006) 8 23 9 sen ciphertext attacks [2] Boneh and Lipton proved that any deterministic algebraic privacy homomorphism over rings Z n can be broken in sub-exponential time under a reasonable) number theoretic assumption [4] Domingo-Ferrer proposed two algebraic privacy homomorphisms in 996 and 2002 [6,7] The second one is broken by Bao [3] and Wagner [3,4] But there is no serious attack on the first scheme It is the only algebraic privacy homomorphism that remains secure to the authors knowledge In this paper, we analyze the original privacy homomorphism of Domingo-Ferrer [6], and show that it is not secure against known-plaintext attacks When we consider an encryption function from Z n to Z p Z q ) d for n = pq, it can be broken by d + plaintext ciphertext pairs in Od 3 log 2 n) with the probability larger than 2/p ) Even when n is kept secret, it can be broken by d + more pairs in Od 4 log dn + d 3 log 2 n + εm)) with the probability larger than /2 m 2 ) 2/p )) where εm) = O2 2m ) The outline of the paper is as follows: In Section 2, we introduce the Domingo-Ferrer s scheme In Section 3, we propose known-plaintext attacks for the scheme The analysis consists of two parts One is the case that the modulus of the input space is public and the second is the case that the modulus is kept secret We conclude in Section 4 2 Domingo-Ferrer s algebraic privacy homomorphism In this section, we introduce the first Domingo-Ferrer scheme [6] Let p,q be large primes and n = pq Fora positive integer d,wesetp = Z n, C = Z p Z q ) d ) SetupTaketwolargeprimesp and q and compute n = pq Choose a positive integer d r p Z p and r q Z q are randomly selected so that each of them generates a large subgroup of Z p and Z q, respectively The public parameter is d, n) and the secret parameter is p,q,r p,r q ) To increase the security n can be kept secret, but in this case encrypted data can be processed less efficiently 2) Encrypt Randomly split x Z n into x,x 2,,x d so that x = d i= x i mod n and x i Z n Ex) = [x r p mod p,x r q mod q],, [x d rp d mod p,x drq d mod q]) 3) Decrypt For each j, to retrieve the [x j mod p, x j mod q], compute the scalar product of the jth coordinate [x j rp j mod p,x j rq j mod q] pair by [rp j mod p,rq j mod q]) Add them up to get [x mod p,x mod q] Use the Chinese remainder theorem to get x mod n To explain the operation of ciphertexts, we adopt a polynomial notation: Denote a polynomial fx) = a X + a 2 X 2 + + a d X d by its coefficient vectors a,a 2,,a d ) Then we have Ex) = f x r p X) mod p, f x r q X) mod q) for a polynomial f x X) Z n [X] with f x 0) 0modn and f x ) x mod n GivenEx) = p x X), q x X)) and Ex ) = p x X), q x X)),wehave Ex + y) = p x X) + p x X) mod n, q x X) + q x X) mod n ), Exy) = p x X)p x X) mod n, q x X)q x X) mod n ) Note that a multiplication doubles up the number of components in a ciphertext If n is secret, the operations are done in Z[x] Domingo-Ferrer s scheme is an algebraic privacy homomorphism with respect to the operation of addition and multiplication in Z n [X] or Z[X] This scheme is claimed to be secure against knownplaintext attacks when d> Note that if d =, r p =, and r q =, Domingo-Ferrer s scheme is simply the scheme in Example 3 Cryptanalysis of Domingo-Ferrer s scheme We show that Domingo-Ferrer s scheme can be broken with d + known plaintexts when n is known and with one more known plaintexts when n is unknown Without loss of generality, we assume p<q throughout this paper 3 The case that n is public Assume we have d + plaintext ciphertext pairs {x i,y i,z i ) i =,,d + } where x i = x i + + x id mod n and Y i = y i,,y id ) = x i r p mod p,,x id rp d mod p), Z i = z i,,z id ) = x i r q mod q,,z id rq d mod q) for i =,,d + By letting t = rp,wehave f i t) = x i + y i t + y i2 t 2 + +y id t d 0modp for i =,,d+ This can be written as the following matrix:

20 JH Cheon et al / Information Processing Letters 97 2006) 8 23 x y y 2 y d x 2 y 2 y 22 y 2d x d+ y d+, y d+,2 y d+,d 0 0 0 ṭ t d mod p ) Since the homogeneous equation ) has a nontrivial solution in Z d+ p, the determinant deta p ) of the coefficient matrix A p of Eq ) is zero mod p Wemay apply Gaussian elimination to A p over Z n to compute deta p ) since a prime factor of n can be obtained when a failure happens in Gaussian elimination Gaussian elimination of a d + ) d + ) matrix over Z n takes Od 3 log 2 n) bit operations On the other hand, Pr[detA p ) 0modq] is overwhelming as in the following lemma: Lemma 2 Let p and q be primes with p<qand M = v ij ) be an l l random matrix with 0 v ij <p Then the probability that detm) 0modq is larger than e 3/2p ) Proof Let v i = v i,,v li ) be the ith column vector of M Then detm) 0modq if and only if {v,, v l } is linearly independent over Z q Thus we estimate the size of the set I = { v,,v l ) {v,,v l } is linearly independent over Z q, 0 v ij <p } Suppose that {v,,v k } is linearly independent over Z q and each entry of v i is contained in [0,p ] Consider an l k matrix whose ith column is v i Since the rank of the matrix is k, there is a submatrix of rank k made by k rows of the matrix: v j v j 2 v j k v jk v jk 2 v jk k Denote the set of linear combinations of {v,,v k } over Z q by v,,v k Suppose v k+ is contained in v,,v k and v j,k+ [0,p ] for all j Then a,,a k Z q are uniquely determined such that v j k+ v j v j k = a + +a k v jk k+ v jk v jk k Other places of v k+ are determined according to v k+ = a i v i and the number of such v k+ s cannot exceed p k Therefore I is larger than p l )p l p) p l p l ) The probability that {v,v 2,,v l } is linearly independent is larger than p l )p l p) p l p l ) p l ) l = p ) l ) p l ) p e 3 2 p l +p+ +pl ) e 2p ) 3 x e 3 2 x for 0 x ) 2 From Lemma 2, we can obtain gcddeta) mod n, n) = p and q = n/p with probability larger than e 2p ) 3 Once p is known, r p can be obtained by computing gt) := gcd f t),, f d+ t) ) since t rp ) divides gt) The greatest common divisor of two polynomials in Z p [x] of degrees less than d can be computed by Od 2 log 2 p) bit operations [0] Thus gt) can be computed by Od 3 log 2 p) bit operations The degree of gt) may not be but we show that the probability is negligible Let f i = f i/t rp ) for i =,,d + We may assume that f i s are random polynomials of degree d over Z p Lemma 3 Let g,,g k be random polynomials of degree l over Z p Then there is no common root of g i s with probability larger than /p k ) l Proof Assume g has l distinct roots x,,x l For each i = 2,,k, the probability that g i x ) = 0is/p Thus Pr [ i such that g i x ) 0 ] = /p k, Pr [ j, j i such that g ji x j ) 0 ] = /p k ) l Since the number of distinct roots of g may be less than l, the probability is larger than /p k ) l By Lemma 3, f i s have no common root other than rp with the probability larger than /p d ) d Similarly r q can be computed The success probability of determining r p and r q uniquely is larger than /p d ) d /q d ) d e 3d )/2pd 3d )/2q d e 3d )pd e /2p )

JH Cheon et al / Information Processing Letters 97 2006) 8 23 2 if d 2 and q>p>6d Hence the overall success probability is larger than e 3/2p ) e /2p ) e 2/p ) 2 p because e x x for 0 <x< 2 In summary, we have the following theorem Theorem 4 Suppose the modulus n = pq is public with 6d <p<qand d 2 in Domingo-Ferrer s privacy homomorphism The scheme can be broken by d + known plaintext ciphertext pairs in time Od 3 log 2 n) with probability larger than 2/p ) For example, when n 2 024 and p q 2 52, the probability that the algorithm fails is less than 2/p ) 2 5 32 The case that n is not public Domingo-Ferrer suggested that his scheme could be more secure by hiding the modulus n In this case, however, we can not perform many multiplications since one multiplication makes the length of ciphertexts four times longer We will show that even if n is not public, a similar cryptanalysis can be applied Assume that we have 2d + ) known plaintext ciphertext pairs From each d + pairs, we can induce two d + ) d + ) coefficient matrices, A and A 2 as ) First, we compute the determinant of A i s viewed as integer matrices When A = a ij ) is a d + ) d + ) integer matrix, it is known that deta) can be computed by Od 4 log d + log A ) + d 3 log 2 A ) bit operations where A =max i,j { a ij } [] and there are algorithms with the lower complexity For more detail, see [9]) For the matrix A i, we may assume that A i n and deta i ) can be computed by Od 4 log dn + d 3 log 2 n) bit operations Second, we compute p from the gcd of determinants of A i s We claim that gcddeta ), deta 2 )) = p, equivalently gcd deta )/p, deta 2 )/p ) = with high probability More precisely, we have Lemma 5 Assume that divisibility of an integer by different primes is independent Let N be a positive integer If positive integers n,,n k are randomly drawn from the interval 0,N), then the probability P k i) of the greatest common divisor of k integers n,,n k is equal to i, P k i) = lim Pr{ gcdn,n 2,,n k ) = i } N i k ζk), where ζk) is the Riemann s zeta function Proof See [2, Section 44] If l = gcddeta ), deta 2 )) is not prime and l has only small factors other than p, then we can easily calculate p by trial divisions or some integer factoring algorithms By Lemma 5, we have the probability for finding p greater than 2 m i= P 2 i) = 2 m i= = ζ2) i 2 ζ2) = ζ2) i=2 m + i 2 2 m i= i 2 assuming that prime factors of l smaller than 2 m can be easily calculated We can find q by the same method After getting p and q, we can compute the other secret keys r p and r q as the case that n is known Theorem 6 Suppose the modulus n = pq is secret with 2p>q>p 6d and d 2 in Domingo-Ferrer s algebraic privacy homomorphism The scheme can be broken by 2d +) known plaintext ciphertext pairs in time Od 4 log dn+ d 3 log 2 n + εm)) with the success probability larger than /2 m 2 ) 2/p )) where εm) = O2 2m ) is the complexity of a factorization algorithm to find all factors less than 2 m Proof The computing time of deta i ) for i =, 2in Z is estimated as Od 4 log dn + d 3 log 2 n) Next,using a suitable factorization algorithm whose complexity is εm)), we can discard prime factors smaller than 2 m and obtain p by computing the gcd of deta i ) s The number of primes less than 2 m is approximately 2 m /log 2 m ) = 2 m /m log 2) LetM be the product of primes less than 2 m, then M = p i <2 m p i 2 m 2m/log 2m) = 2 2m/log 2) The approximate value of ζk) for k = 2, 4, 6, 8, 0 is 060792706, 0923938406, 0982952590, 0995939987, 0999006406

22 JH Cheon et al / Information Processing Letters 97 2006) 8 23 and log M 2 m /log 2) 2 m+ The computation of gcdm, det A i ) takes O2 m+ ) 2 ) bit operations and εm) = O2 2m ) follows By Lemma 5, we have Pr [ gcd deta ), deta 2 ) ) = p ] ζ2) i=2 m + i 2 Also the same probability holds for computing q Let Error be the event that p or q is not determined Since i=2 m + and ζ2), i 2 2 m Pr[Error] ζ2) i=2 m + ) 2 i 2 ) 2 2 m 2 m 2 The computation of r p, r q and its complexity is the same as the case when n is known The total complexity is O d 4 log dn+ d 3 log 2 n + 2 2m) The success probability is Pr [ ] Error Findr p Findr q ) 2 m 2 2 ) p Note that the probability that the algorithm fails, is less than 0 3 if m 2, n 2 024 and d 0 Remark 7 In fact, d + 2) known plaintext ciphertext pairs are enough to make two d + ) d + ) matrices by use of a plaintext ciphertext pair twice In Lemma 5, it is assumed that the integers are chosen randomly and in order to apply the lemma, we assume 2d + ) known plaintext ciphertext pairs Table The summary of the proposed attacks Case The number of known-plaintexts The success probability Time complexity bit operations) n is known p 2 52 ) n is unknown m 2, d 0) d + 2d + ) 2 p 2 5 ) 2m 2 ) 2 p ) 0 3 ) Od 3 log 2 n) Od 4 log dn+ d 3 log 2 n + 2 2m ) 32 Example This example is in the paper of Domingo-Ferrer [6] We illustrate the above analysis by this example Let p = 7, q = 3, r p = 2, and r q = 3 be secret key We can encrypt, 3,, 2, 4, and 5 as follows: E ) = E2, 3) = [4, 6], [5, 2] ), E3) = E2, ) = [4, 6], [4, 9] ), E) = E4, 3) = [8, 2], [5, 2] ), E2) = E3, ) = [6, 9], [3, 4] ), E4) = E3, ) = [6, 9], [4, 9] ), E5) = E6, ) = [2, 5], [3, 4] ) We use three plaintext ciphertext pairs, {, E )), 3, E3)),, E))} to make a coefficient matrix A where ) 4 5 A = 3 4 4, deta) = 68, 8 5 gcd deta), 3 7 = 22 ) = 7 If n = 22 is unknown, with three more plaintext ciphertext pair, make another matrix for {2, E2)), 4, E4)), 5, E5))}, ) 2 6 3 B = 4 6 4, detb) = 02, 5 2 3 gcd deta), detb) ) = 34 We next calculate r p by using + 4t + 5t 2 = 0, 3 + 4t + 4t 2 = 0 then by elimination 9 + 4t = 0 mod 7 so t = 9 mod 7, r p = t mod 7 = 2 4 Conclusion Domingo-Ferrer proposed two algebraic privacy homomorphisms in 996 [6] and 2002 [7] The second was analyzed by Bao [3] and Wagner [3,4], but no attack against the first one was announced In this paper we firstly analyzed the first Domingo-Ferrer s algebraic privacy homomorphism It can be broken by d + ) plaintext ciphertext pairs by known plaintext attacks when the modulus is public Even when the modulus is kept secret, it can be broken by 2d + ) pairs Therefore, it is still open to decide whether an algebraic privacy homomorphism exists References [] J Abbot, M Bronstein, T Mulders, Fast deterministic computation of determinants of dense matrices, in: International Conference on Symbolic and Algebraic Computation Proceedings of

JH Cheon et al / Information Processing Letters 97 2006) 8 23 23 the 999 International Symposium on Symbolic and Algebraic Computation, pp 97 204 [2] N Ahituv, Y Lapid, S Neumann, Processing encrypted data, Comm ACM 20 987) 777 780 [3] F Bao, Cryptanalysis of a provable secure additive and multiplicative privacy homomorphism, in: International Workshop on Coding and Cryptography WCC), 2003 [4] D Boneh, R Lipton, Searching for elements in black-box fields and applications, in: Advances in Cryptology, Crypto 96, in: Lecture Notes in Comput Sci, vol 09, Springer-Verlag, Berlin, 996, pp 283 297 [5] E Brickell, Y Yacobi, On privacy homomorphisms, in: Advances in Cryptology, Eurocrypt 87, in: Lecture Notes in Comput Sci, vol 304, Springer-Verlag, Berlin, 988, pp 7 25 [6] J Domingo-Ferrer, A new privacy homomorphism and applications, Inform Process Lett 60 5) 996) 277 282 [7] J Domingo-Ferrer, A provably secure additive and multiplicative privacy homomorphism, in: ISC2002, in: Lecture Notes in Comput Sci, vol 2443, Springer-Verlag, Berlin, 2002, pp 47 483 [8] J Feigenbaum, M Merritt, Open questions, talk abstracts, and summary of discussions, in: DIMACS series in Discrete Mathematics and Theoretical Computer Science, vol 2, Amer Math Soc, 99, pp 45 [9] E Kaltofen, G Villard, Computing the sign or the value of the determinant of an integer matrix, a complexity survey, J Comput Appl Math 62 2004) 33 46 [0] A Menezes, P van Oorschot, S Vanstone, Handbook of Applied Cryptography, CRC Press, Inc, Boca Raton, FL, 997 [] R Rivest, L Adleman, M Dertouzos, On data banks and privacy homomorphisms, in: Foundations of Secure Computation, Academic Press, New York, 978, pp 69 79 [2] M Schroeder, Number Theory in Science and Communication, second ed, Springer-Verlag, Berlin, 986 [3] D Wagner, Cryptanalysis of an algebraic privacy homomorphism, in: ISC2003, in: Lecture Notes in Comput Sci, vol 285, Springer-Verlag, Berlin, 2003, pp 234 239 [4] D Wagner, Erratum concerning Cryptanalysis of an Algebraic Privacy Homomorphism, available at http://wwwcsberkeley edu/~daw/papers/

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback