Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Similar documents
Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Some security bounds for the DGHV scheme

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

Scale-Invariant Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

Fully Homomorphic Encryption

Batch Fully Homomorphic Encryption over the Integers

Shai Halevi IBM August 2013

Packing Messages and Optimizing Bootstrapping in GSW-FHE

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

An RNS variant of fully homomorphic encryption over integers

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

Practical Fully Homomorphic Encryption without Noise Reduction

Fully Homomorphic Encryption over the Integers

FULLY HOMOMORPHIC ENCRYPTION

Gentry s SWHE Scheme

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces

Bootstrapping for HElib

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces

FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime

Open problems in lattice-based cryptography

Homomorphic Evaluation of the AES Circuit

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Fully Homomorphic Encryption

Fully Homomorphic Encryption and Bootstrapping

CRT-based Fully Homomorphic Encryption over the Integers

Multikey Homomorphic Encryption from NTRU

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

On Kilian s Randomization of Multilinear Map Encodings

Fully Homomorphic Encryption using Hidden Ideal Lattice

Parameter selection in Ring-LWE-based cryptography

Practical Bootstrapping in Quasilinear Time

5199/IOC5063 Theory of Cryptology, 2014 Fall

Fully Homomorphic Encryption from LWE

Fully Homomorphic Encryption over the Integers

Cryptanalysis of a Homomorphic Encryption Scheme

Algorithms for the Approximate Common Divisor Problem

Optimizing Fully Homomorphic Encryption

Cryptanalysis of the Co-ACD Assumption

CRYPTANALYSIS OF COMPACT-LWE

Somewhat Practical Fully Homomorphic Encryption

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Manipulating Data while It Is Encrypted

Better Bootstrapping in Fully Homomorphic Encryption

Homomorphic Encryption. Liam Morris

Classical hardness of Learning with Errors

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

An Attack on a Fully Homomorphic Encryption Scheme

Parameter Constraints on Homomorphic Encryption Over the Integers

A Full Homomorphic Message Authenticator with Improved Efficiency

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Faster Fully Homomorphic Encryption

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Cryptography. Course 1: Remainder: RSA. Jean-Sébastien Coron. September 21, Université du Luxembourg

Computing with Encrypted Data Lecture 26

Cryptology. Scribe: Fabrice Mouhartem M2IF

An Overview of Homomorphic Encryption

Recovering Private Keys Generated With Weak PRNGs

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

SIS-based Signatures

Ideal Lattices and NTRU

MASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

An Approach to Reduce Storage for Homomorphic Computations

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Report Fully Homomorphic Encryption

Classical hardness of the Learning with Errors problem

Breaking Plain ElGamal and Plain RSA Encryption

Solving LWE with BKW

General Impossibility of Group Homomorphic Encryption in the Quantum World

Lectures 2+3: Provable Security

Weaknesses in Ring-LWE

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Cryptanalysis of a Zero-Knowledge Identification Protocol of Eurocrypt 95

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

Implementation Tutorial on RSA

Homomorphic AES Evaluation Using the Modified LTV Scheme

Gentry s Fully Homomorphic Encryption Scheme

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

Side Channel Attack to Actual Cryptanalysis: Breaking CRT-RSA with Low Weight Decryption Exponents

Introduction to Cybersecurity Cryptography (Part 4)

Better Bootstrapping in Fully Homomorphic Encryption

Fully Homomorphic Encryption from the Finite Field Isomorphism Problem

A New Attack on RSA with Two or Three Decryption Exponents

Multi-key fully homomorphic encryption report

CPSC 467b: Cryptography and Computer Security

Introduction to Cybersecurity Cryptography (Part 4)

Fully Homomorphic Encryption

Lattice Based Crypto: Answering Questions You Don't Understand

COMP4109 : Applied Cryptography

Algorithmic Number Theory and Public-key Cryptography

Fully Homomorphic Encryption

Homomorphic Encryption without Gaussian Noise

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes

A Comment on Gu Map-1

Lattice-Based Non-Interactive Arugment Systems

Transcription:

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT, 2012-04-18

Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits

The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits

The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits

Homomorphic Properties of DGHV Addition: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 Noise becomes twice larger.

Homomorphic Properties of DGHV Addition: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 Noise becomes twice larger.

Somewhat homomorphic scheme The number of multiplications is limited. Noise grows with the number of multiplications. Noise must remain < p for correct decryption. p ρ p 2ρ p 4ρ

Fully Homomorphic Encryption Gentry s breakthrough idea: refresh the ciphertext by evaluating the decryption circuit homomorphically: bootstrapping. Ciphertext bits Secret key bits 0 1 1 1 0 1 1 0 Ciphertext bits Encryption of secret key bits 0 1 1 1???? Decryption circuit + + Decryption circuit + + 1 Plaintext bit? Encryption of plaintext bit = refreshed ciphertext

Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

Public Key Size γ 2 10 7 bits x 1 = x 2 = τ 10 4 x i = x τ = Public-key size: τ γ = 2 10 11 bits = 25 GB! In [CMNT11], with quadratic encryption, PK size of 1 GB.

New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: 2 700 bits instead of 2 10 7 bits!

New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: 2 700 bits instead of 2 10 7 bits!

New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: 2 700 bits instead of 2 10 7 bits!

New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ 2 10 7 bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: 2 700 bits instead of 2 10 7 bits!

Compressed Public Key γ 2 10 7 bits η 2 700 bits x 1 = x 2 = δ 1 = δ 2 = τ 10 4 x i = δ i = x τ = δ τ =

Compressed Public Key γ 2 10 7 bits η 2 700 bits x 1 = x 2 = δ 1 = δ 2 = τ 10 4 x i = δ i = x τ = δ τ = Old PK: 25 GB New PK: 3.4 MB!

Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd.

Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd.

Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd. PK Generation χ i = H(seed, i) δ i = [χ i ] p + λ i p r i x i = χ i δ i

Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd. PK Generation χ i = H(seed, i) δ i = [χ i ] p + λ i p r i x i = χ i δ i Simulation in ROM H(seed, i) x i + δ i δ i {0, 1} η+λ x i = q i p + r i

PK size and timings Instance λ ρ η γ pk size Recrypt Toy 42 27 1026 150 10 3 77 KB 0.41 s Small 52 41 1558 830 10 3 437 KB 4.5 s Medium 62 56 2128 4.2 10 6 2.2 MB 51 s Large 72 71 2698 19 10 6 10.3 MB 11 min Updated parameters to take into account the Chen-Nguyen attack. PK size: 10.3 MB instead of 1 GB in [CMNT11].

Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?

Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?

Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?

Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

Source Code in SAGE def attackgacd(rho=12,gam=1000,eta=100): p=random_prime(2^eta) s=rho B=floor(2^(1.*rho*(s+1)/(s-1))) fa=factorial(b) for j in range(1,s): x=p*zz.random_element(2^(gam-eta))+ \ ZZ.random_element(2^rho) z=prod([x-i for i in range(2^rho)]) if j==1: g=z; continue g=gcd(g,z) g=prime_to_m_part(g,fa) if g.nbits()==p.nbits(): break

GACD Attack Running Time Instance ρ γ time time [CN12] Micro 12 10 4 40 s Toy (Section 8) 13 61 10 3 13 min Toy ([CN12]) 17 1.6 10 5 17 h 3495 h (est.) Chen-Nguyen attack: O(2 3ρ/2 ) time and O(2 ρ/2 ) memory. Our attack: O(2 ρ ) time and memory Time-memory tradeoffs are possible.

Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].

Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].

Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback