Fully Homomorphic Encryption: Overview and Cryptanalysis

Size: px
Start display at page:

Download "Fully Homomorphic Encryption: Overview and Cryptanalysis"

Transcription

1 Technische Universität Darmstadt Department of Computer Science Cryptography and Computeralgebra Diploma Thesis July 2011 Fully Homomorphic Encryption: Overview and Cryptanalysis Patrick Schmidt Technische Universität Darmstadt Department of Mathematics Supervised by Prof. Dr. Johannes Buchmann Dr. Richard Lindner Michael Schneider

2

3 Acknowledgements First of all, I would like to thank Prof. Johannes Buchmann for giving me the opportunity to write my thesis under this topic and gain knowledge in the field of fully homomorphic schemes and moreover in the area of lattices. Furthermore, many thanks go to my two supervisors Dr. Richard Lindner and Michael Schneider who offered and spent much time answering me all my investigating questions and guiding me in the right direction. In addition I would like to thank all people that supported my work on this thesis by proofreading it, finding spelling mistakes and logical errors as well as supporting me in improving the structure of my thesis and its fluent reading; as there are: Richard Frankland, Maina Olembo, Denise Demirel, and Dr. Melanie Volkamer. Lastly, I thank all whom I have forgotten to mention before! Without your contributions this work would not be what it actually is. Warranty I hereby declare that the content of this thesis is the direct result of my own work and that any use of published or unpublished material in this thesis is fully and correctly referenced. Date: July 14th, 2011 Signature: P. Schmidt iii

4

5 Contents Introduction 1 I. Progress on Homomorphic Encryption and Signature Schemes 1. Preliminaries Lattices Computational Problems Security Models Homomorphic Encryption Schemes Lattice-Based Encryption Schemes Integer-Arithmetic Encryption Schemes Homomorphic Signature Schemes Additional Work to Homomorphic Signature Schemes II. Cryptanalysis of the Gentry-Halevi FHE Scheme 4. The Gentry-Halevi Scheme Brief Recall of the Construction Parameter Selection Attacking the Gentry-Halevi Scheme Attack Methodology and Strategies Strategy I LLL Strategy II Sublattice Attack Strategy III BKZ Practical Considerations Preparatory Work Post-Processing a Strategy Results Strategy I (LLL) Strategy II (Sublattice Attack) Strategy III (BKZ) Conclusion 47 A. The Code 55 v

6

7 Introduction Cryptography has a longstanding history the Egyptians in the year 3000 BC are believed to have been the first humans to use encryption, albeit a very simple form of it, but in previous centuries it simply was known as the science of encryption. Since its early years, cryptography and human kind s understanding of it have undergone a great development, nowadays consisting of far more areas than just encryption. Today, cryptography is more often used in daily life than a normal (end)user in the real world is aware of, e.g. in smartcards, USB-tokens, car or door keys, home wifi networks, mobile communication (using a cellular phone) and many more. Perhaps the most prominent example for the usage of cryptography is the internet, with its many applications and transactions. One can think of such transactions as online-banking, electronic/online voting, ing or using social networks. In most and hopefully all of these examples cryptography in the sense of encryption plays a huge role in ensuring confidentiality of the user s data and credentials like passwords, IDs, PINs, TANs, etc. Contrary to these instances, in some areas one explicitly wants to allow other people to perform some set of (permitted) applications on ones data without having access to the data in plaintext. One example is the delegation of computations according to [19] or [10], in which the delegator wants to outsource the computation of some function on many inputs to a worker and later maintain the correct result. A second example for this is electronic voting (which could be seen as a special case of delegation of computation) like in [15] or [45], where one would like the election authorities to be able to count the votes and present the final results, but dislikes the idea that individual votes are first decrypted and afterwards tallied. Two final examples are multiparty computations and commitment schemes as reported in [41]. In the setting of multiparty computations one wants different parties to jointly compute some function without revealing their inputs to each other, and for commitment schemes one can think of auctions where the auctioneer wants to assure that the offers are not publicly known in the bidding phase while at the same time ensuring that no one is able to repudiate their own offer. In the above settings, as well as in many others, a way to accomplish the goal of computing on encrypted data is needed. With homomorphic encryption one can assure that performing some operations on encrypted data is possible. To achieve the aim in the example of electronic voting, the election authorities add the encrypted votes (thus receiving the final result encrypted) and then only have to decrypt the computed ciphertext to obtain the final result. For delegation of computation, the delegator hands the function f and the encrypted inputs to the worker, and the worker returns the encrypted result. For the other examples similar operations have to be performed. A various number of homomorphic schemes have already been presented in the last decades: unpadded RSA [43] or the cryptosystem of ElGamal [16] and the cryptosystems of Goldwasser-Micali [27], Benaloh [4] or Paillier [40]. These examples contain additive-only or multiplicative-only homomorphic encryption schemes as well as addi- 1

8 tively homomorphic encryption schemes which support a very limited number of multiplications. This last type of scheme is able to homomorphically evaluate an arbitrary number of additions but only a small number of multiplications, i.e. such schemes can evaluate polynomials up to some small degree d but are unable to evaluate polynomials of a larger degree. For further examples of homomorphic encryption schemes see [20]. Depending on the function which shall be computed, miscellaneous complex operations (consisting of additions, multiplications, etc.) have to be evaluated homomorphically, e.g. encrypted queries to a search engine or searching on encrypted data (in a database). But the small number of homomorphically evaluable multiplications drastically limits the previously mentioned schemes. The question whether it is possible to construct a fully homomorphic encryption scheme, i.e. a scheme which supports the computation of arbitrary functions on encrypted data (with no limit on the number of multiplications), in the cryptographic community was long believed to be a holy grail. Not before 2009, Gentry theoretically solved this problem by presenting his fully homomorphic encryption scheme (FHE) based on ideal lattices in [20]. The goal of this thesis is twofold: Firstly we give an overview of the progress and results in the field of fully homomorphic encryption and signatures after the breakthrough of Gentry, and secondly we cryptanalyse an implementation of a FHE scheme to contribute experimental results concerning the security issues of such schemes. In the first part, we recapitulate Gentry s theoretical achievements in [20] to obtain a FHE scheme and then list a number of improvements to his work as well as further proposals from [47], [24], [39], [49], [48], [14], and [12] for lattice-based schemes and from [50] and [13] for integer-arithmetic schemes. In addition, we highlight the link between all these papers as they are the most common approaches to achieve a fully homomorphic encryption scheme. Furthermore, we provide an overview over the results in [7] and [6] on the field on fully homomorphic signatures schemes which is fairly new. For the second part we cryptanalyse the, to us, most efficient implementation of a fully homomorphic encryption scheme, presented by Gentry and Halevi in [24]. In detail, we concentrate on one of the two underlying (theoretical) hardness problems which is also suitable for, and used, in other cryptographic encryption schemes (not fully homomorphic ones). We analyse and estimate the robustness of the security parameters presented by the authors of [24] by applying some strategies to break the proposed scheme. We measure the running times and also the success rates of the chosen strategies and compare their effectiveness. 2

9 Part I. Progress on Homomorphic Encryption and Signature Schemes 1. Preliminaries We start by giving definitions that will be used throughout this paper and to which we will eventually refer. The definitions are split into three parts: There is the general part for (ideal) lattices, followed by the part of computational problems and lastly the part containing security models for (fully) homomorphic encryption and signatures. General Notations. With N, Z, Q, R we denote natural numbers (with zero), integers, rationals and reals, respectively; with K + we denote {x K : x > 0} and with K n we mean the usual n-dimensional vector space resp. module over K {N, Z, Q, R}. K p denotes K/(pK) and for prime p we write it as F p, since F p is (in this case) a field with p elements. We also consider F 2 = {0, 1}. Vectors are denoted with small letters (a, b,...) and we think of vectors as columns. We denote matrices with capital letters (A, B,...) and the set of all (m n)-matrices over K with K m n. A T stands for the transpose of the matrix A. We think of matrices as ordered sets of column vectors. v p denotes the l p -norm of the vector v which for a real p 1 is defined as v p := n p v i p. The frequently used norms will be the maximum norm v := max i=1,...,n { v i } and the Euclidean norm v 2 = n i=1 v i 2 corresponding to the intuitive notion of the length of the vector v in a Euclidean space. For a matrix A we write A p for max i=1,...,n { a i p } where a i denotes the i-th column of A. With t we mean the rounding of t to the nearest integer, as well as t and t denote the rounding up of t to the next integer and rounding down, respectively. (This in particular for a (possibly negative) real t means that t = sign(t) t, and similar for rounding up and down.) If we write t mod p, we mean the unique number t in [ p/2, p/2) Z such that t = kp + t for some integer k. (When t shall denote the unique number in {0,..., p 1}, we will address this separately.) With x := a or x a we assign the value a to (the variable) x, with x R A the assignment has some randomness involved (according to A respectively the right-hand side of the assignment), with x R A we uniformly choose x from the set A on the right, and for comparison in algorithms we use x == a if needed so as not to get mixed i=1 3

10 1 PRELIMINARIES up with the assignment x := a. The equation sign = is used in its full meaning in mathematics (e.g. containing assignments and comparisons, its actual use being clear from the context). A last notation we want to introduce is the Big O notation: With f O(g) or f = O(g) we mean 0 lim sup x f(x)/g(x) <, with f o(g) or f = o(g) we mean lim x f(x)/g(x) = 0, f Ω(g) or f = Ω(g) denotes g O(f), f ω(g) or f = ω(g) is the corresponding g o(f), and finally f Θ(g) or f = Θ(g) means both f O(g) and g O(f). Other notations concerning the definitions below will be introduced there Lattices General lattices. A lattice L is a discrete abelian subgroup of R n. Since this definition is too vague, we would like to have a better natural handle for the lattice L. A basis B := (b 1,..., b d ) for the lattice L consists of d n linearly independent vectors b i with L = L(B) := {Bx : x Z d }, i.e. L is the set of all integer combinations of vectors in B. The number d 1 is independent of the given basis for the lattice L, thus being a lattice constant. It is called the dimension of L and denoted d = dim(l). (The independence of d is due to the fact that for d 2 there exist infinitely many bases for L and a particular basis B can be transformed into any other basis B via B = B T for a (unimodular) matrix T GL d (Z) := {A Z d d : det(a) = 1}.) A lattice is of full-rank if d = n. The determinant of a lattice L with basis B is given by det(l) := det(b T B). It also is a lattice constant. For full-rank lattices there is a short version for the determinant, i.e. det(l) = det(b). A geometric interpretation of the determinant is the volume of the parallelepiped P (B) := {Bx : x [ 1/2, 1/2) d }. Albeit the shape of P (B) changes (since P (B) depends on the shape of B), the volume of P (B) is the same for all bases B of L. Although we stated above that there exist infinitely many bases for a lattice with dim(l) 2, there are differences between them. A good basis consists of short and nearly orthogonal vectors whereas a bad basis does not fulfill any of these two requirements. We will not go into detail what short here means, but in literature the Hermite Normal Form (HNF) of a basis is thought of as a bad basis. A matrix B is in Hermite Normal Form if B is an upper triangular matrix, b ii > 0 for i = 1,..., n and b ii > b ij 0 for all j = i + 1,..., n. The HNF of a basis B, denoted HNF(B), can be easily computed from B via HNF(B) = B U for a unimodular matrix U GL d (Z) denoting (invertible) column operations. By t mod B for a vector t we denote the unique vector t P (B) with t t L; t can be computed efficiently via t = t B B 1 t if L = L(B) is a full-rank lattice. The i-th successive minimum λ i (L) is defined as the radius of the smallest sphere which contains i linearly independent vectors of L. The value λ 1 (L) is also called minimal distance of L. The dual lattice or reciprocal lattice L of a lattice L is defined as L := {y span(l) : x L : x, y Z}, where, denotes the (standard) scalar product and span(l) := {Bx : x R n } for L = L(B). It holds that det(l) det(l ) = 1, and for full-rank lattices L = L(B) we get a basis B for L via B = (B 1 ) T. Furthermore, let Λ q (A) denote the set {x Z m : Ax 0 mod q}. 4

11 1.1 Lattices Ideal lattices. For the introduction of ideal lattices, we use another approach than for general lattices. Therefore, consider the (polynomial) ring Z[x] in one variable. An ideal I of a ring R (with unity) is a subset which is additively closed and also closed under multiplication with elements of R, i.e. for elements i, j I and r R we have i+rj I. We define (a 1,..., a n ) to be the ideal generated by elements a 1,..., a n R, i.e. k (a 1,..., a n ) := r j a ij : r j R, i j {1,..., n}, k n. j=1 The elements a 1,..., a n are then called generators of I, and for n = 1 the ideal I is called principal ideal. Now, we define the (polynomial factor) ring R := Z[x]/(f(x)) for a polynomial f(x) Z[x] of degree n. R bijectively corresponds to Z n and each element v in R can be viewed as a polynomial v(x) = v 0 + v 1 x v n 2 x n 2 + v n 1 x n 1 of degree n 1 or as a vector v = (v 0, v 1,..., v n 2, v n 1 ) T. By simply writing v, we simultaneously mean both. The ideal I = (v) in R then naturally corresponds to a lattice in Z n. By abuse of notation, we will write I for this lattice which is called an ideal lattice. The basis for I is B I := {v i := v x i mod f(x) : i = 0,..., n 1} and is called rotation basis. For an ideal I, we can also define a fractional ideal I 1 := {y K : x I : x y R}, where K is a field containing R, e.g. for R = Z[x]/(f(x)) we have K = Q[x]/(f(x)). So, I 1 is not necessarily a subset of R, but I 1 again is an ideal (hence, the definition of fractional ideal makes sense). (In general, the formal definition of a fractional ideal is much more complex, but the definition above is suitable for our needs.) A (fractional) ideal I is called invertible if there exists another (fractional) ideal J with IJ = R, where IJ = { n i=1 a ib i : a i I, b i J, n N + } is the product of I and J. If we have I = (v) then I 1 = (1/v), where 1/v is computed in K; for multiple generators v 1,..., v n of I, its inverse ideal is I 1 = n i=1 (1/v i). Two ideals I and J are called relatively prime or co-prime if I + J R. We sometimes call the determinant of an ideal lattice I its norm, denoted nm(i), and for I = (v) we have nm(i 1 ) = nm(i) 1. We introduce the (discrete) Gaussian distribution and the smoothing parameter, which have become more and more important in past years: For any s R + the Gaussian distribution (in R n ) centered around c R n is defined as ρ s,c, (x) := exp( π x c 2 /s 2 ) for all x R n. The parameter s is called the standard deviation of the distribution. (When it is clear which norm is used, we will write ρ s,c ; if c = 0, we just write ρ s for ρ s,c.) Besides this continuous version there is also the discrete Gaussian distribution over L, defined as D L,s,c (x) := ρ s,c(x) ρ s,c (L) for all x L and ρ s,c (L) := y L ρ s,c(y) for a set L (which will be a lattice in this paper). If c = 0, we will omit it in D L,s,c and just write D L,s. According to most definitions in literature, the smoothing parameter η ε (L) is defined here as follows: For a lattice L and ε R + we have η ε (L) := min{s R + : ρ 1/s (L \ {0}) ε}. 5

12 1 PRELIMINARIES The expansion factor γ of a ring R is defined as γ := γ(r) := sup r 1,r 2 R { r1 r 2 r 1 r 2 If the ring R is obvious or not necessary to mention, we will omit it and just write γ. For two polynomials f(x), g(x) the resultant res(f, g) is defined as res(f, g) := (x y) (x,y):f(x)=0=g(y) which for a separable polynomial f(x) is the same as res(f, g) = y:g(y)=0 f(y) Computational Problems Now we define the used computational problems, on which the security of the proposed homomorphic encryption and signature schemes relies. We will write dist(l, t) for min y L { t y }. Although there are a lot of different lattice problems, we will only consider the most important for this work. The first one is a problem in general lattices, whereas the following problems will occur in ideal lattices. Definition 1.1 (Small Integer Solution Problem (SIS)). Given positive integers m, n Z +, a positive real β R +, a prime q and A Zq n m, where A is chosen from a distribution negligibly close to uniform over Z n m q, find v Λ q (A) \ {0} with v β. This definition corresponds to one of Micciancio and Regev (cf. [37]). Roughly speaking, the SIS problem asks to find a small integral linearly dependent combination of the columns of A (modulo q). For a definition of negligible see Definition Definition 1.2 (Ideal Shortest Independent Vector Problem (Ideal SIVP)). Given a ring R, an ideal I in R with basis B I and a positive real d 1, find an independent set B in I with B d λ n (I). The ideal SIVP is a natural translation from the d-sivp in lattices, which asks to find n linearly independent vectors v 1,..., v n L with the condition max i=1,...,n v i d λ n (L). The first definition of the SIVP, to our knowledge, appeared in the work of Ajtai ([1], problem (P3)) in a slightly different manner to both notations before: Ajtai formulated to find a basis with the condition above. Definition 1.3 (Ideal Membership Problem (IMP)). Let R be a ring, I an ideal in R and Sample I an algorithm that efficiently samples I. The challenger randomly chooses a bit b R {0, 1}, and sets x R Sample I (R) for b = 0 and x R R otherwise. Given (x, R, Sample I ), find b. In particular, this means to decide if x is an element of the ideal I. }. 6

13 1.2 Computational Problems Definition 1.4 (Inner Ideal Membership Problem (IIMP)). Let R be a ring, I an ideal in R with basis B I, IdealGen an algorithm that samples two bases of an ideal in R and s R + a positive real. The challenger generates (BJ sk, Bpk J ) R IdealGen(R, B I ) and randomly chooses a bit b R {0, 1}. For b = 0 it sets x R D I,s, otherwise x R D R,s. At last, it sets t = x mod B pk J. Given (Bpk J, t), find b. This problem is like the IMP in the sense that one wants to know whether x is an element of the (inner) ideal I, but where the I-IMP is disturbed by the (outer) ideal J. Definition 1.5 (Ideal Coset Problem (ICP)). Let R be a ring, I an ideal in R with basis B I, IdealGen an algorithm that samples two bases of an ideal in R and Sample an algorithm which efficiently samples R. The challenger randomly chooses a bit b R {0, 1} and generates (BJ sk, Bpk J ) IdealGen(R, B I). For b = 0 it sets r R Sample(R) and t = r mod B pk J, otherwise t R R mod B pk J. Given (t, Bpk J ), find b. Definition 1.6 (Decisional Bounded Distance Decoding Problem (DBDDP) for Ideal Lattices). When the ICP is instantiated with a polynomial (factor) ring R = Z[x]/(f(x)) and the algorithm Sample efficiently samples from Z n R (for monic polynomial f(x) of degree n), the ICP is called DBDDP (in a version for ideal lattices). Definition 1.7 (SplitKey Distinguishing Problem (SKDP)). Let KeyGen, SplitKey be algorithms and (sk, pk) R KeyGen. The challenger randomly chooses a bit b R {0, 1}. For b = 0 it sets (sk, T ) R SplitKey(sk, pk), otherwise (sk, T ) R SplitKey(, pk) for some special symbol. Given (T, sk, pk), find b. The four problems IIMP, ICP, DBDDP and SKDP were introduced by Gentry in [20] and previous works. The ICP is said to be a fairly natural decisional version of the closest vector problem ([21]) in concrete terms. The last type of problems are problems on (integer) numbers, which can be adapted to a one-dimensional lattice: One shall find an approximate greatest common divisor (gcd) for some given numbers or a (sparse) subset in a set of numbers that sums up to a given number. The definitions are as follows: Definition 1.8 (Approximate-GCD Problem (AGCDP)). Given k numbers y 1,..., y k chosen according to the distribution Dist γ,ρ (p) := {choose q R Z [0, 2 γ /p), r R Z (2 ρ, 2 ρ ), output x = pq + r} for an odd positive integer p Z +, find p. The number p is called the (hidden) approximate-gcd of the given numbers y 1,..., y k, and the values γ, ρ define the maximal (bit)length of q, r. Definition 1.9 (Sparse Subset Sum Problem (SSSP)). Let s, t, q Z + be positive integers. The challenger randomly chooses a bit b R {0, 1}. For b = 0 it generates T as a set of t integers a 1,..., a t with a i R [ q/2, q/2) and the existence-constraint of S {1,..., t} with S = s and i S a i = 0 mod q; otherwise it generates T without the constraint. Given T, find b. 7

14 1 PRELIMINARIES This definition is the one for the decisional version of the subset sum problem in literature, the sparsity of the problem occurring when the parameters t, s are set according to those of Gentry in [20], Section 11. If one is asked to not just decide if a subset S exists, but rather to find and output S, the problem is called search SSSP Security Models This subsection is intended to give the definitions for the analysis of the security of the schemes presented later. Homomorphic Encryption Definition 1.10 (Homomorphic Encryption Scheme). A homomorphic encryption scheme consists of the following four algorithms: KeyGen(λ). On input the security parameter λ, this randomised algorithm outputs a tuple (sk, pk) consisting of the secret key sk and public key pk. Encrypt(pk, π). On input a public key pk and a plaintext π, this randomised algorithm outputs a ciphertext ψ. Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ, this algorithm outputs the corresponding plaintext π. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C with t inputs (of the set C of allowed circuits) and a set Ψ of t ciphertexts ψ 1,..., ψ t, this (possibly randomised) algorithm outputs a ciphertext ψ. So, a homomorphic encryption scheme consists of all algorithms of a conventional public key encryption scheme and an extra one. The correctness-condition for the conventional part of a homomorphic encryption scheme is identical to the one for a (non-homomorphic) public key encryption scheme. Because of simplicity and size, we will give a rather informal explanation of the Evaluatealgorithm, an informal definition for fully homomorphic encryption (FHE) schemes and defer the detailed definitions to the references. The additional algorithm Evaluate roughly speaking is supposed to do the following: If ψ i is a ciphertext corresponding to the plaintext π i for i = 1,..., t and Ψ = (ψ 1,..., ψ t ), then Evaluate(pk, C, Ψ) shall return a ciphertext ψ corresponding to the plaintext C(π 1,..., π t ) for a circuit C with t inputs (cf. Figure 1). A homomorphic encryption scheme is said to correctly evaluate C (a set of circuits), if the correctness-condition on the algorithm Evaluate from above holds for all circuits C C. Definition 1.11 (Fully Homomorphic Encryption). We call a homomorphic encryption scheme fully homomorphic, if it correctly evaluates all circuits and the size of its decryption algorithm (as a circuit) is bounded by some (fixed) polynomial in the security parameter. 8

15 1.3 Security Models sk Ψ pk C sk π 1 Dec ψ 1 π 2. Dec. ψ 2. π t Dec ψt ψ t C Evaluate ψ Dec π C π 1 π 2. π t Figure 1: An illustrative view on the Evaluate-algorithm Remark. The size-constraint on the decryption algorithm excludes trivial schemes in which Evaluate simply outputs (C, Ψ) and Decrypt is adapted to first decrypt the single components of Ψ and then apply the circuit C to the decrypted parts. Now, we come to the definitions concerning the security of the schemes. Security Definitions for Homomorphic Encryption We consider games as the right purpose to introduce the notion of security which is covered by the definitions then. We start by defining the games for CCA2-, CCA1- and CPA-security for a homomorphic encryption scheme E. Definition 1.12 (Game Hom-CCA2-IND E ). Let P denote the plaintext space and C the ciphertext space, which in the case of a homomorphic encryption scheme E is supposed to be larger since C is the support of Evaluate and not just the support of Encrypt as for a conventional public key encryption scheme. Setup. The challenger B generates a tuple (sk, pk) R KeyGen(λ) and gives the public key pk to the adversary A. Query-Rounds. A sends decryption-queries about ciphertexts ψ i of its choice to B. The challenger answers with the output of Decrypt(sk, ψ i ). The adversary A is allowed to request decryption-queries even though it may have received the challenge from B. Challenge. The adversary A picks a circuit C with t inputs (t being polynomial in the security parameter), two plaintext tuples π i := (π1 i,..., πi t), i = 1, 2, of its choice and sends π 0, π 1 to B. The challenger randomly chooses a bit b R {0, 1}, computes Ψ := (ψ1 b,..., ψb t ) with ψj b R Encrypt(pk, πj b ) and sends ψ := Ψ to A. (Note that B does not have to compute ψ as Evaluate(pk, C, Ψ) since A can do this step on its own because only public values are involved.) Guess. A sends a bit b {0, 1} to B. Definition 1.13 (Game Hom-CCA1-IND E ). The game for CCA1-security is the same as the game for CCA2, except that the adversary is allowed to make queries only before the 1 challenge. 9

16 1 PRELIMINARIES Definition 1.14 (Game Hom-CPA-IND E ). The game for CPA-security omits the queryrounds of the CCA2/CCA1-games. The rest remains the same. Except for the challenge phase, the three defined games Game Hom-CCA2-IND E, Game Hom-CCA1-IND E and Game Hom-CPA-IND E equal the ordinary games for CCA2-, CCA1- and CPA-security for conventional public key encryption schemes. The difference in the challenge step in the ordinary games is that A only is allowed to choose two elements π 0, π 1 P (and not two t-tuples for a circuit C with t inputs) and receives an element ψ (and not a t-tuple) as the answer. We say that an adversary wins Game Hom-X-IND E for X {CCA2, CCA1, CPA} if b = b, and by Pr[b = b] we denote the probability for this event. Definition 1.15 (Advantage in Homomorphic Encryption). We define adversary A s advantage in Game Hom-X-IND E to be Adv Hom-X-IND A,E := Pr[b = b] 1 2, where Pr[b = b] is the probability for A to win Game Hom-X-IND E the randomness used by the challenger and the adversary). (the probability is over Roughly speaking, A s advantage is the difference between A s method and just guessing the correct value of b. Definition 1.16 (Negligible (Function)). A function f : N R is said to be negligible if for every integer c > 0 there exists a positive integer n c such that for all integers n > n c we have f(n) < 1 n c. Otherwise we call f non-negligible. For negligible f we write f(x) ε(x), for non-negligible f(x) ε(x). We now can define the security notions: Definition 1.17 (CCA2-, CCA1- and CPA-IND). A homomorphic encryption scheme E is X-IND for X {CCA2, CCA1, CPA}, if no probabilistic polynomial-time adversary A wins Game Hom-X-IND E with non-negligible advantage (in the security parameter λ), i.e. ε(λ). Adv Hom-X-IND A,E By simply writing semantically secure we mean secure in the CPA-IND sense. Homomorphic Signatures Definition 1.18 (Homomorphic Signature Scheme). A homomorphic signature scheme consists of the following four algorithms: Setup(1 n, t). On input the security parameter n and a data set size t, this randomised algorithm generates the secret key sk and public key pk and outputs the tuple (sk, pk). (The public key defines the message space M, the signature space and also the set F of allowed functions f : M t M with t inputs.) 10

17 1.3 Security Models Sign(sk, τ, i, πi τ ). On input a secret key sk, a tag τ {0, 1}n, an index i and a message πi τ, this randomised algorithm outputs a signature στ i. Verify(pk, τ, πi τ, στ i, f). On input a public key pk, a tag τ, a message πτ i, a signature σi τ and a function f F, this algorithm either outputs 0 (for rejection) or 1 (for acceptance). Evaluate(pk, τ, f, Σ τ ). On input a public key pk, a tag τ, a function f F and a signature tuple Σ τ = (σ1 τ,..., στ t ), this (possibly randomised) algorithm outputs a signature σ. Like for homomorphic encryption, the first three algorithms are (nearly) identical to those of a conventional public key signature scheme. The difference here the inclusion of a tag τ, an index i and a function f will become obvious: With the tag τ {0, 1} n we distinguish between different data sets Σ τ as input to the function f, the signature computed by the Sign-algorithm will require the presence of the index i, and the Verifyalgorithm will need a representation of f to do its job properly. The correctness-condition for conventional public key signature schemes must obviously be fulfilled for the converted algorithms Sign and Verify including the projection maps p i (π τ 1,..., πτ t ) := π τ i. This means that F at least contains all projection maps p i. The additional algorithm Evaluate informally does the following: If Σ τ consists of honestly created signatures σ τ i = Sign(sk, τ, i, πτ i ) for messages πτ i, then Evaluate(pk, τ, f, Στ ) shall return a signature σ corresponding to the message f(π τ 1,..., πτ t ) for a function f F. In addition to the correctness-condition for Sign and Verify, the one for Evaluate can be formulated as Verify(pk, τ, f(π τ 1,..., π τ t ), Evaluate(pk, τ, f, Σ τ ), f) = 1 for Σ τ = (σ1 τ,..., στ t ), σi τ = Sign(pk, τ, i, πτ i ) and for all f F. Definition 1.19 (Homomorphic with respect to F / F-Homomorphic). If all these conditions are satisfied for an allowed set F of functions, then the signature scheme S correctly evaluates F and is called F-homomorphic (or homomorphic with respect to F). Remark. There is one risky point in our definitions so far: The Evaluate-algorithm can create a signature σ from signatures Σ = (σ 1,..., σ t ) which themselves are obtained by Evaluate. Repeating this procedure several times, we could reach the point where the input signatures are valid, but the output signature of Evaluate is not. This is due to the fact that the noise in the aggregated signature becomes too large and thus the Evaluate-algorithm is no longer able to do its job properly. To keep it simple, we restrict the correctness-property of Evaluate to hold when the input signatures are fresh signatures created by Sign. 11

18 1 PRELIMINARIES Security Definitions for Homomorphic Signatures Definition 1.20 (Game Hom-CMA-UNF S ). Setup. The challenger B generates a tuple (sk, pk) R Setup(1 n, t) and gives the public key pk to the forger A. Query-Rounds. A sends adaptively-chosen signature-queries about message tuples Π i := (π1 i,..., πi t) to B. The challenger randomly chooses a tag τ i R {0, 1} n and sends the tag τ i and the signature tuple Σ τ i including the signatures σ τ i j = Sign(sk, τ i, j, πj i) back to A. (Note that B does not have to compute Evaluate(pk, τ, f, Σ τ ) since A can do this step on its own after it receives the signature tuple Σ τ.) Attempt. At the end, the forger A outputs a tag τ {0, 1} n, a message π, a function f and a signature σ. We say that the forger A wins in Game Hom-CMA-UNF S, if Verify(pk, τ, π, σ, f) = 1 and either Type-1 forgery. τ τ i for all queried i, or Type-2 forgery. τ = τ i for some i and π f(π i ). Definition 1.21 (Advantage in Homomorphic Signatures). We define forger A s advantage in Game Hom-CMA-UNF S to be Adv Hom-CMA-UNF A,S := Pr[Verify(pk, τ, π, σ, f) = 1], where Pr[Verify(pk, τ, π, σ, f) = 1] is the probability for A to win in Game Hom-CMA-UNF S (the probability is over the randomness used by the challenger and the forger). Definition 1.22 (CMA-UNF). A homomorphic signature scheme S is CMA-UNF, if no probabilistic polynomial-time forger A wins Game Hom-CMA-UNF S with non-negligible advantage (in the security parameter n), i.e. Adv Hom-CMA-UNF A,S ε(n). 12

19 2. Homomorphic Encryption Schemes In this section we want to describe the process that was made on (fully) homomorphic encryption schemes. The schemes published so far can be categorised in two parts. We start by introducing the lattice-based schemes Lattice-Based Encryption Schemes Though there were many (ordinary) lattice-based encryption schemes like the one of Goldreich, Goldwasser and Halevi (cf. [26]), Ajtai and Dwork (cf. [2]), the fast NTRU cryptosystem (cf. [29]), and cryptosystems based on the learning with errors -problem introduced by Regev (cf. [42]), the problem of a fully homomorphic encryption scheme was not solved until the breakthrough of Gentry in [20]. We will start by showing Gentry s techniques for obtaining a fully homomorphic encryption scheme based on ideal lattices, since it is a very important foundation for the work of Gentry and others, and then present further work that improves the proposed scheme or adapts the techniques and uses them in a similar way. Gentry s Fully Homomorphic Scheme Gentry s most important steps can be described briefly as follows: After constructing an abstract and a somewhat homomorphic encryption scheme, Gentry squashes the decryption circuit and by bootstrappability obtains a fully homomorphic scheme. Abstract Scheme. Gentry starts with a definition of an abstract scheme using rings and ideals, omitting instantiation details at first. His scheme is as follows (additional remarks appear after the description): KeyGen(R, B I ). On input a ring R and the basis B I of an ideal I, this randomised algorithm generates via (BJ sk, Bpk J ) R IdealGen(R, B I ) two bases for an ideal J and outputs the public key pk = (R, B I, B pk J, Samp) and secret key sk = (pk, Bsk J ). Encrypt(pk, π). On input a public key pk and a plaintext π, this algorithm generates ψ Samp(B I, π) and outputs ψ := ψ mod B pk J. Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ, this algorithm outputs π := ψ mod BJ sk mod B I = ψ BJ sk B sk J ψ mod B I. Evaluate(pk, C, Ψ). On input a public key pk, a circuit C with t inputs (of some special set C of allowed circuits) and a set of t ciphertexts Ψ = (ψ 1,..., ψ t ), this algorithm invokes the evaluation of the embedded additions (ψ i + ψ j ) mod B pk J and multiplications (ψ i ψ j ) mod B pk J in the circuit C in the right order to obtain a ciphertext ψ which it outputs. Remarks. 1. The plaintext space is (a subset of) R mod B I. 2. The (randomised) algorithms IdealGen and Samp remain abstract, but roughly speaking IdealGen(R, B I ) constructs a secret and public basis for an ideal J coprime to the input ideal I and Samp(B I, x) samples the coset x + I. 13

20 2 HOMOMORPHIC ENCRYPTION SCHEMES 3. Gentry describes how to construct C, the set of allowed (or permitted) circuits, and proves that this abstract scheme is correct for C. Gentry also proves that this abstract scheme E is semantically secure if the ICP is hard: Theorem 2.1 ([20], Theorem 5.3.1). Suppose that there is an algorithm A that breaks the semantic security of (the abstract scheme) E with advantage ε when it uses Samp. Then, there is an algorithm B, running in about the same time as A, that solves the ICP with advantage ε/2. Somewhat Homomorphic Scheme. Gentry s somewhat homomorphic encryption (SHE) scheme bases on the abstract scheme and is instantiated with ideal lattices, thus becoming a semi-concrete scheme (some details remain abstract). His motivation for using ideal lattices is that they not only have an additive, but also have a multiplicative structure that will enable us to evaluate deep arithmetic circuits (though we will need more tricks before we ultimately obtain a bootstrappable scheme). Bootstrappability means the scheme s ability of homomorphically evaluating augmented decryption circuits. Therefore, he geometrically interprets the sets of encryptable and decryptable elements as balls with some radii r Enc and r Dec, and in Theorem states the bound log log r Dec log log(γ r Enc ) on the depth of correctly evaluable circuits. After that, Gentry proposes instantiations for the underlying ring, for the Encrypt- and Decrypt-algorithms (thus, also values for r Dec and r Enc ), and in Section 7.7 he states that this instantiation of the abstract scheme is semantically secure if the underlying decisional bounded distance decoding problem (DBBDP) is hard. (In his words the ICP becomes the DBDDP if instantiated with ideal lattices.) Although this scheme is the first concrete one, keep in mind that some algorithms still remain abstract. Tweaks. Before Gentry comes to his squashing-technique, he applies two tweaks to the somewhat homomorphic scheme: 1. At first, he redefines the decryption equation to π = ψ vj sk ψ mod B I for a short vector vj sk J 1. By this Gentry simplifies the equation and reduces the computational complexity (he also lowers the range of decryptable elements). 2. The second tweak is to halve the radius r Dec of the ball B(r Dec ) of decryptable elements. This is done for the purpose of reducing the circuit complexity of the Decrypt-algorithm, since reducing r Dec by half ensures vectors to be closer to J and the decryption-process will need less precision. The second tweak is especially slightly more complicated, since several different techniques are applied. Therefore, the decryption equation π = ψ BJ sk (B sk J ) 1 ψ mod B I is split into and computed in three steps: 14

21 2.1 Lattice-Based Encryption Schemes I. Generate n vectors x 1,..., x n with n i=1 x i = (BJ sk) 1 ψ. II. From x 1,..., x n generate integer vectors y 1,..., y n+1 with n+1 i=1 y i = n i=1 x i. III. Compute π = ψ BJ sk ( n+1 i=1 y i) mod B I. It shall only be mentioned here that step I will be eliminated by the squashing-technique (i.e. transferred to the encrypting party), for step II only O(log n) bits of precision for the rational vectors x i are required when using Karp s 3-for-2-trick (cf. [31]), the computation of y i can be boosted using elementary symmetric polynomials, and in step III the computation can be done in constant depth (using a polynomial fan-in circuit). For further details see Section 9 in [20]. Squashing the Decrypt-Algorithm. The squashing-technique is as follows: The owner of the secret key sk adds a hint of sk inside the public key pk after creating the key-pair, which the encrypting party then uses in its (extended) computation. Thanks to Tweak 1, the secret key consists of the vector vj sk and the decryption equation is π = ψ vj sk ψ. Using the somewhat homomorphic scheme, one adds the following algorithms: SplitKey(sk, pk ). On input sk, which either is a secret key sk of the somewhat homomorphic scheme or the special symbol, and a public key pk of the somewhat homomorphic scheme, this algorithm outputs the tuple (sk, T ) where: 1. T is a set of t vectors v 1,..., v t uniformly random in J 1 mod B I with the constraint that there exists a subset S {1,..., t} with S = s such that i S v i vj sk + I. 2. sk is a matrix encoding which elements of T are elements of S. ExpandCT(pk, ψ ). On input a public key pk (which includes the set T = (v 1,..., v t )) and a ciphertext ψ of the somewhat homomorphic scheme, this algorithm outputs c i := v i ψ mod B I for i = 1,..., t. Making use of these two new methods, the algorithms for the squashed scheme have to be slightly adjusted: KeyGen(λ). Run the KeyGen-algorithm of the somewhat homomorphic scheme to obtain (sk, pk ) and run (sk, T ) SplitKey(sk, pk ). The secret key is sk, the public key pk = (pk, T ). Encrypt(pk, π). Run the Encrypt-algorithm of the somewhat homomorphic scheme using pk to obtain ψ, run ExpandCT(pk, ψ ) to receive the expansion (c 1,..., c t ) of ψ and output ψ = (ψ, c 1,..., c t ). Decrypt(sk, ψ). On input a secret key sk and a ciphertext ψ of the form ψ = (ψ, c 1,..., c t ), this algorithm performs the following steps: i. Generate the vectors x i using sk and the c i s. ii. Proceed with step II, and iii. Proceed with step III of the decryption equation like on page 14. Add(pk, ψ 1, ψ 2 ). Extract the ciphertexts ψ 1, ψ 2 from ψ 1, ψ 2, run the Add-algorithm of 15

22 2 HOMOMORPHIC ENCRYPTION SCHEMES the somewhat homomorphic scheme to obtain ψ, run ExpandCT on ψ and output (ψ, c 1,..., c t). Analogue steps are done for Mult. Remark. An easy way to generate T would be to generate t 1 uniform vectors v i in J 1 P (B I ), set v t := vj sk s i=1 v i and permute the resulting t vectors. The security of the squashed scheme relies on the hardness of the SKDP: Theorem 2.2 ([20], Theorem ). Suppose that there is an algorithm A that breaks the semantic security of (the squashed scheme) E above with advantage ε. Then, there exist algorithms B 0 and B 1, running in about the same time as A, such that either B 0 s advantage against the SplitKey Distinguishing Problem or B 1 s advantage against the semantic security of (the somewhat homomorphic scheme) E is at least ε/3. Gentry proves the security for the abstract version of the squashed scheme, using an abstract version of the SplitKey Distinguishing Problem (as stated in Definition 1.7). The proof easily carries over to a semi-concrete version of the squashed scheme based on the concrete instantiation of the SplitKey-algorithm as defined above. This semi-concrete version can be proven secure if the SSSP is hard: Theorem 2.3. Let A be an algorithm that decides the concrete version of the SKDP with advantage ε, and let B I and IdealGen be such that det(i) and det(j) are distinct primes and q/ det(ij) is super-polynomial (in the security parameter). Then, there is an algorithm B, running in about the same time as A, that decides the SSSP with advantage ε/(4t) up to negligible factors. Proof. The proof is just the combination of the proofs of Theorems and in [20]. There, an intermediate problem, namely the sparse vector subset sum problem, is introduced, which is needed for the reduction SSSP SVSSP SKDP to work. In addition, Gentry proves that the squashed scheme is hard if the search version of the SSSP is hard (Theorem ). Fully Homomorphic Encryption Scheme. The only question, which remains unanswered up to now, is: For which parameters is the proposed semi-concrete squashed scheme bootstrappable, or how can we choose the parameter s for the SSSP to be hard while still maintaining bootstrappability (the ability of homomorphically evaluating augmented decryption circuits)? Theorem 2.4 ([20], Theorem ). The (semi-concrete) scheme E is bootstrappable when s log c 1 s log(r Dec/m) 2 c 2 log(γ renc ), where log c 1 s is the polylog-term arising in Lemma 9.0.3, m arises from the redefinition of C E in the Tweaks (m = 2 when just Tweak 2 is used), and c 2 is a constant representing the depth needed in a circuit having Add BI gates with γ = n Ω(1) fan-in and Mult BI gates with constant fan-in to sequentially perform Decrypt steps i, iii and a NAND gate. 16

23 2.1 Lattice-Based Encryption Schemes Name Remaining abstract Instantiated (accumulative) Abstract Rings, ideals, ICP, encryption, decryption, key generation,... Somewhat homomorphic Key generation Ring, ideals ideal lattices, encryption, decryption, ICP BDDP Squashed Key generation, SKDP Semi-concrete Key generation SKDP Fully homomorphic Key generation (SampleD) Table 1: Overview of Gentry s Schemes After giving some optimizations to the squashed scheme, Gentry describes a concrete scheme, instantiating the remaining abstract methods: For the Sample-algorithm Gentry makes use of the SampleD-algorithm proposed by Gentry, Peikert and Vaikuntanathan in Section 3.2 (especially Theorem 3.3) in [25] which uses discrete Gaussian sampling. We call this instantiation Gentry s Fully Homomorphic Scheme. Gentry also proves the security of his fully homomorphic scheme, basing it on the IIMP: Theorem 2.5 ([20], Theorem ). Let s IIMP = G/ 2 where G := B I ω( log n) is the Gaussian deviation parameter in (Gentry s fully homomorphic) encryption scheme E, and suppose that s IIMP / 2 exceeds the smoothing parameter of I, i.e. ρ 2/s IIMP (I 1 \{0}) is negligible. Suppose that there is an algorithm A that breaks the semantic security of E with advantage ε. Then, there is an algorithm B, running in about the same time as A, that solves the IIMP with advantage ε/2 (up to negligible factors). Finally, Gentry finishes his investigation of the security of the scheme by proposing a (quantum-)reduction from SIVP to IVIP, hopping over four intermediate problems. Summarizing all results, this gives Theorem 2.6. Suppose that d ISIVP = (3 e) 1/n d IVIP s IVIP s HBDDP s HBDDP /(n 1.5 f ) 2 (s MIIMP 2n B I )/(γ n) s MIIMP s IIMP s IIMP ε/(n max{ B I }) G/ 2 17

24 2 HOMOMORPHIC ENCRYPTION SCHEMES where G is the Gaussian deviation parameter in (Gentry s fully homomorphic) encryption scheme E, e is Euler s constant and s IVIP > 8 γ n 2.5 ω( log n) for all ideals with determinant at least d n IVIP. Also suppose that s IIMP exceeds the smoothing parameter of I, that IdealGen always outputs an ideal J with G n < λ 1 (J) and that [R : I] is prime. Finally, suppose that there is an algorithm that breaks the semantic security of E with advantage ε. Then, there is a quantum algorithm B that solves s ISIVP -SIVP for an ε/4 (up to negligible factors) weight fraction of bases output by IdealGen. The running time of B is O([R : I] 1/ε log d IVIP time(a)). Proof. The proof for this theorem consists of using Theorems (Theorem 2.5), , , , and of [20] for creating the reduction queue SIVP ISIVP IVIP HBDDP MIIMP IIMP E sem. secure and thereby obtaining the abovementioned results. Remarks. 1. Gentry applies a random self-reduction to obtain a worst-case/averagecase connection for ideal lattices and to base the scheme s security on the worst-case hardness of SIVP to get more confidence that the scheme is secure. 2. In Section 18 Gentry describes how to adapt Kalai s algorithm to generate a random factored ideal and how to instantiate some (sub-) methods of the KeyGen-algorithm properly. Suggested Parameters for Gentry s Scheme. To provide resistance for the BDDP against lattice attacks (which run in time approx. 2 n/s for subset size s), the SSSP to be resistant against birthday attacks and lattice attacks (which run in time approx. 2 s if t is chosen large enough, e.g. t Ω(log q)), Gentry proposes to make use of the following parameters: s λ, n λ 2, log q λ 3 and t λ 3, where λ is the security parameter of the scheme. Improvements and Adaptions This subsection is intended to give an overview of work that bases on Gentry s constructions and improves them or adapts them in a similar way. Specialization of Gentry Smart and Vercauteren s construction in [47], presented at PKC 10, adapts Gentry s technique to build a fully homomorphic scheme from a somewhat homomorphic one. In particular, the scheme is a specialization of Gentry s scheme. Their somewhat homomorphic scheme has the plaintext space {0, 1}, the ring R in use is Z[x]/(f(x)) with the monic and irreducible polynomial f(x) = x 2n + 1, which minimises the expansion factor γ, the public key is a tuple (p, a) consisting of the prime p = res(f, g) and the (unique) root a F p of gcd(f, g) for some polynomial g over F p [x], and the secret key consists of (p, b) with b being the coefficient of x 0 in g s inverse polynomial modulo 18

25 2.1 Lattice-Based Encryption Schemes f(x) and 2p. For further details we refer the reader to [47], Section 3.1, in which it is compactly described how the polynomials and additional variables are chosen and how the algorithms of the scheme are computed. In Section 3.2 the proposed algorithms are analysed in detail in the sense of correctness and evaluation-depth d of the circuits for the somewhat homomorphic scheme. Therein, Smart and Vercauteren use Gentry s Theorem to obtain a bound on d, but one has to be careful since Gentry s analysis uses the 2-norm whereas Smart and Vercauteren make use of the -norm. For the security analysis of their scheme in Section 4 they introduce two new problems: The first problem, called Small Principal Ideal Problem (SPIP), asks to find a small generator for a principal ideal when given a two-element- or a HNF-representation. (This problem evolves when one tries to recover the secret from the public key, so called Key Recovery.) They only informally argue that no efficient solution for this problem can be found that is reasonably small, relying on the Baby-Step/Giant-Step method and Buchmann s sub-exponential algorithm for units and class groups, even though the SPIP is an instance of a classical and well studied problem in algorithmic number theory. The second problem, called Polynomial Coset Problem (PCP), is similar to Gentry s ICP and asks one to decide whether the value of r is the evaluation of a small polynomial in the root a or a random value (both taken mod p). Theorem 2.7. ([47], Theorem 1) Suppose there is an algorithm A which breaks the semantic security of our somewhat homomorphic scheme with advantage ε. Then there is an algorithm B, running in about the same time as A, which solves the PCP with advantage ε/2. They also informally argue that recovering a plaintext from a given ciphertext would be an instance of the CVP. They are unable to apply a worst-case/average-case reduction to their scheme, but state that the underlying lattice problem is well-studied. The encryption of a single bit with the established somewhat homomorphic scheme is then extended to a larger message space. The authors are able to encrypt and decrypt polynomials up to degree 2 n 1. Roughly speaking, they expand the secret key to be a vector of coefficients b i rather than a single coefficient b. For details on this extension see Section 6 of [47]. At the end one is given implementation results. There one can see that the scheme of Smart and Vercauteren in [47] cannot be made fully homomorphic for practical values of n. Furthermore it should be mentioned that their KeyGen-method has a disadvantage concerning time complexity, since the constraint until p is prime is very strict and entails a high number of iterations until it is satisfied. So we see that although Smart and Vercauteren s scheme is a specialization of Gentry s scheme and they obtain relatively small key and ciphertext sizes, there also are disadvantages in the practicality of this scheme. 19

Fully Homomorphic Encryption Using Ideal Lattices

Fully Homomorphic Encryption Using Ideal Lattices Fully Homomorphic Encryption Using Ideal Lattices Craig Gentry Stanford University and IBM Watson cgentry@cs.stanford.edu ABSTRACT We propose a fully homomorphic encryption scheme i.e., a scheme that allows

More information

A FULLY HOMOMORPHIC ENCRYPTION SCHEME

A FULLY HOMOMORPHIC ENCRYPTION SCHEME A FULLY HOMOMORPHIC ENCRYPTION SCHEME A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS

More information

Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

More information

Advanced Cryptography

Advanced Cryptography Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

More information

Computing on Encrypted Data

Computing on Encrypted Data Computing on Encrypted Data Secure Internet of Things Seminar David Wu January, 2015 Smart Homes New Applications in the Internet of Things aggregation + analytics usage statistics and reports report energy

More information

Introduction. Digital Signature

Introduction. Digital Signature Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

More information

Lecture 3: One-Way Encryption, RSA Example

Lecture 3: One-Way Encryption, RSA Example ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

More information

= 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that

= 2 + 1 2 2 = 3 4, Now assume that P (k) is true for some fixed k 2. This means that Instructions. Answer each of the questions on your own paper, and be sure to show your work so that partial credit can be adequately assessed. Credit will not be given for answers (even correct ones) without

More information

Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

More information

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

More information

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6. 1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

More information

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

More information

Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it

More information

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur

Cryptography and Network Security. Prof. D. Mukhopadhyay. Department of Computer Science and Engineering. Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Module No. # 01 Lecture No. # 12 Block Cipher Standards

More information

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski 1 and Vinod Vaikuntanathan 2 1 Weizmann Institute of Science zvika.brakerski@weizmann.ac.il 2 Microsoft

More information

a 11 x 1 + a 12 x 2 + + a 1n x n = b 1 a 21 x 1 + a 22 x 2 + + a 2n x n = b 2.

a 11 x 1 + a 12 x 2 + + a 1n x n = b 1 a 21 x 1 + a 22 x 2 + + a 2n x n = b 2. Chapter 1 LINEAR EQUATIONS 1.1 Introduction to linear equations A linear equation in n unknowns x 1, x,, x n is an equation of the form a 1 x 1 + a x + + a n x n = b, where a 1, a,..., a n, b are given

More information

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

More information

Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

More information

SOLILOQUY: A CAUTIONARY TALE

SOLILOQUY: A CAUTIONARY TALE SOLILOQUY: A CAUTIONARY TALE Peter Campbell, Michael Groves and Dan Shepherd CESG, Cheltenham, UK 1. Introduction The Soliloquy primitive, first proposed by the third author in 2007, is based on cyclic

More information

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.

More information

The van Hoeij Algorithm for Factoring Polynomials

The van Hoeij Algorithm for Factoring Polynomials The van Hoeij Algorithm for Factoring Polynomials Jürgen Klüners Abstract In this survey we report about a new algorithm for factoring polynomials due to Mark van Hoeij. The main idea is that the combinatorial

More information

minimal polyonomial Example

minimal polyonomial Example Minimal Polynomials Definition Let α be an element in GF(p e ). We call the monic polynomial of smallest degree which has coefficients in GF(p) and α as a root, the minimal polyonomial of α. Example: We

More information

Information Security Theory vs. Reality

Information Security Theory vs. Reality Information Security Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran Tromer Slides credit: Vinod Vaikuntanathan (U. Toronto)

More information

Lattice-based Cryptography

Lattice-based Cryptography Lattice-based Cryptography Daniele Micciancio Oded Regev July 22, 2008 1 Introduction In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic

More information

Continued Fractions and the Euclidean Algorithm

Continued Fractions and the Euclidean Algorithm Continued Fractions and the Euclidean Algorithm Lecture notes prepared for MATH 326, Spring 997 Department of Mathematics and Statistics University at Albany William F Hammond Table of Contents Introduction

More information

How To Prove The Dirichlet Unit Theorem

How To Prove The Dirichlet Unit Theorem Chapter 6 The Dirichlet Unit Theorem As usual, we will be working in the ring B of algebraic integers of a number field L. Two factorizations of an element of B are regarded as essentially the same if

More information

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra

U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009. Notes on Algebra U.C. Berkeley CS276: Cryptography Handout 0.1 Luca Trevisan January, 2009 Notes on Algebra These notes contain as little theory as possible, and most results are stated without proof. Any introductory

More information

Linear Codes. Chapter 3. 3.1 Basics

Linear Codes. Chapter 3. 3.1 Basics Chapter 3 Linear Codes In order to define codes that we can encode and decode efficiently, we add more structure to the codespace. We shall be mainly interested in linear codes. A linear code of length

More information

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

More information

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z

FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z FACTORING POLYNOMIALS IN THE RING OF FORMAL POWER SERIES OVER Z DANIEL BIRMAJER, JUAN B GIL, AND MICHAEL WEINER Abstract We consider polynomials with integer coefficients and discuss their factorization

More information

1 Construction of CCA-secure encryption

1 Construction of CCA-secure encryption CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

More information

1 Message Authentication

1 Message Authentication Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

More information

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction

MATH 168: FINAL PROJECT Troels Eriksen. 1 Introduction MATH 168: FINAL PROJECT Troels Eriksen 1 Introduction In the later years cryptosystems using elliptic curves have shown up and are claimed to be just as secure as a system like RSA with much smaller key

More information

NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA

NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA THE PUBLISHING HOUSE PROCEEDINGS OF THE ROMANIAN ACADEMY, Series A, OF THE ROMANIAN ACADEMY Volume 14, Number 1/2013, pp. 72 77 NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA Laurenţiu BURDUŞEL Politehnica

More information

Associate Prof. Dr. Victor Onomza Waziri

Associate Prof. Dr. Victor Onomza Waziri BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

More information

Cryptosystem. Diploma Thesis. Mol Petros. July 17, 2006. Supervisor: Stathis Zachos

Cryptosystem. Diploma Thesis. Mol Petros. July 17, 2006. Supervisor: Stathis Zachos s and s and Diploma Thesis Department of Electrical and Computer Engineering, National Technical University of Athens July 17, 2006 Supervisor: Stathis Zachos ol Petros (Department of Electrical and Computer

More information

Privacy-Preserving Aggregation of Time-Series Data

Privacy-Preserving Aggregation of Time-Series Data Privacy-Preserving Aggregation of Time-Series Data Elaine Shi PARC/UC Berkeley elaines@eecs.berkeley.edu Richard Chow PARC rchow@parc.com T-H. Hubert Chan The University of Hong Kong hubert@cs.hku.hk Dawn

More information

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

More information

Elements of Applied Cryptography Public key encryption

Elements of Applied Cryptography Public key encryption Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

More information

Faster deterministic integer factorisation

Faster deterministic integer factorisation David Harvey (joint work with Edgar Costa, NYU) University of New South Wales 25th October 2011 The obvious mathematical breakthrough would be the development of an easy way to factor large prime numbers

More information

3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback 3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

More information

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu

MOP 2007 Black Group Integer Polynomials Yufei Zhao. Integer Polynomials. June 29, 2007 Yufei Zhao yufeiz@mit.edu Integer Polynomials June 9, 007 Yufei Zhao yufeiz@mit.edu We will use Z[x] to denote the ring of polynomials with integer coefficients. We begin by summarizing some of the common approaches used in dealing

More information

Adaptive Online Gradient Descent

Adaptive Online Gradient Descent Adaptive Online Gradient Descent Peter L Bartlett Division of Computer Science Department of Statistics UC Berkeley Berkeley, CA 94709 bartlett@csberkeleyedu Elad Hazan IBM Almaden Research Center 650

More information

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS

ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS ABSTRACT ALGEBRA: A STUDY GUIDE FOR BEGINNERS John A. Beachy Northern Illinois University 2014 ii J.A.Beachy This is a supplement to Abstract Algebra, Third Edition by John A. Beachy and William D. Blair

More information

An Overview of Integer Factoring Algorithms. The Problem

An Overview of Integer Factoring Algorithms. The Problem An Overview of Integer Factoring Algorithms Manindra Agrawal IITK / NUS The Problem Given an integer n, find all its prime divisors as efficiently as possible. 1 A Difficult Problem No efficient algorithm

More information

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

Concrete Security of the Blum-Blum-Shub Pseudorandom Generator Appears in Cryptography and Coding: 10th IMA International Conference, Lecture Notes in Computer Science 3796 (2005) 355 375. Springer-Verlag. Concrete Security of the Blum-Blum-Shub Pseudorandom Generator

More information

Basic Algorithms In Computer Algebra

Basic Algorithms In Computer Algebra Basic Algorithms In Computer Algebra Kaiserslautern SS 2011 Prof. Dr. Wolfram Decker 2. Mai 2011 References Cohen, H.: A Course in Computational Algebraic Number Theory. Springer, 1993. Cox, D.; Little,

More information

Some applications of LLL

Some applications of LLL Some applications of LLL a. Factorization of polynomials As the title Factoring polynomials with rational coefficients of the original paper in which the LLL algorithm was first published (Mathematische

More information

Lecture 9 - Message Authentication Codes

Lecture 9 - Message Authentication Codes Lecture 9 - Message Authentication Codes Boaz Barak March 1, 2010 Reading: Boneh-Shoup chapter 6, Sections 9.1 9.3. Data integrity Until now we ve only been interested in protecting secrecy of data. However,

More information

Quotient Rings and Field Extensions

Quotient Rings and Field Extensions Chapter 5 Quotient Rings and Field Extensions In this chapter we describe a method for producing field extension of a given field. If F is a field, then a field extension is a field K that contains F.

More information

Overview of Public-Key Cryptography

Overview of Public-Key Cryptography CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

More information

RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks. By Abdulaziz Alrasheed and Fatima RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

More information

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

More information

Factorization Methods: Very Quick Overview

Factorization Methods: Very Quick Overview Factorization Methods: Very Quick Overview Yuval Filmus October 17, 2012 1 Introduction In this lecture we introduce modern factorization methods. We will assume several facts from analytic number theory.

More information

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

More information

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

More information

Ideal Class Group and Units

Ideal Class Group and Units Chapter 4 Ideal Class Group and Units We are now interested in understanding two aspects of ring of integers of number fields: how principal they are (that is, what is the proportion of principal ideals

More information

Lecture 13: Factoring Integers

Lecture 13: Factoring Integers CS 880: Quantum Information Processing 0/4/0 Lecture 3: Factoring Integers Instructor: Dieter van Melkebeek Scribe: Mark Wellons In this lecture, we review order finding and use this to develop a method

More information

Factoring & Primality

Factoring & Primality Factoring & Primality Lecturer: Dimitris Papadopoulos In this lecture we will discuss the problem of integer factorization and primality testing, two problems that have been the focus of a great amount

More information

Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

More information

1 Formulating The Low Degree Testing Problem

1 Formulating The Low Degree Testing Problem 6.895 PCP and Hardness of Approximation MIT, Fall 2010 Lecture 5: Linearity Testing Lecturer: Dana Moshkovitz Scribe: Gregory Minton and Dana Moshkovitz In the last lecture, we proved a weak PCP Theorem,

More information

Mathematics Course 111: Algebra I Part IV: Vector Spaces

Mathematics Course 111: Algebra I Part IV: Vector Spaces Mathematics Course 111: Algebra I Part IV: Vector Spaces D. R. Wilkins Academic Year 1996-7 9 Vector Spaces A vector space over some field K is an algebraic structure consisting of a set V on which are

More information

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses

Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses Factoring pq 2 with Quadratic Forms: Nice Cryptanalyses Phong Nguyễn http://www.di.ens.fr/~pnguyen & ASIACRYPT 2009 Joint work with G. Castagnos, A. Joux and F. Laguillaumie Summary Factoring A New Factoring

More information

The Division Algorithm for Polynomials Handout Monday March 5, 2012

The Division Algorithm for Polynomials Handout Monday March 5, 2012 The Division Algorithm for Polynomials Handout Monday March 5, 0 Let F be a field (such as R, Q, C, or F p for some prime p. This will allow us to divide by any nonzero scalar. (For some of the following,

More information

15.062 Data Mining: Algorithms and Applications Matrix Math Review

15.062 Data Mining: Algorithms and Applications Matrix Math Review .6 Data Mining: Algorithms and Applications Matrix Math Review The purpose of this document is to give a brief review of selected linear algebra concepts that will be useful for the course and to develop

More information

Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh

Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh Modern Optimization Methods for Big Data Problems MATH11146 The University of Edinburgh Peter Richtárik Week 3 Randomized Coordinate Descent With Arbitrary Sampling January 27, 2016 1 / 30 The Problem

More information

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY

CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY January 10, 2010 CHAPTER SIX IRREDUCIBILITY AND FACTORIZATION 1. BASIC DIVISIBILITY THEORY The set of polynomials over a field F is a ring, whose structure shares with the ring of integers many characteristics.

More information

Identity-Based Encryption from the Weil Pairing

Identity-Based Encryption from the Weil Pairing Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

More information

Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes

Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes Ron Steinfeld (Macquarie University, Australia) (email: rons@ics.mq.edu.au) Joint work with: Huaxiong Wang (Macquarie University)

More information

Notes on Determinant

Notes on Determinant ENGG2012B Advanced Engineering Mathematics Notes on Determinant Lecturer: Kenneth Shum Lecture 9-18/02/2013 The determinant of a system of linear equations determines whether the solution is unique, without

More information

2.1 Complexity Classes

2.1 Complexity Classes 15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

More information

Approximation Algorithms

Approximation Algorithms Approximation Algorithms or: How I Learned to Stop Worrying and Deal with NP-Completeness Ong Jit Sheng, Jonathan (A0073924B) March, 2012 Overview Key Results (I) General techniques: Greedy algorithms

More information

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm.

Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. Chapter 4, Arithmetic in F [x] Polynomial arithmetic and the division algorithm. We begin by defining the ring of polynomials with coefficients in a ring R. After some preliminary results, we specialize

More information

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography. 8. Encryption -- CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

More information

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY

FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY FACTORING LARGE NUMBERS, A GREAT WAY TO SPEND A BIRTHDAY LINDSEY R. BOSKO I would like to acknowledge the assistance of Dr. Michael Singer. His guidance and feedback were instrumental in completing this

More information

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract

Victor Shoup Avi Rubin. fshoup,rubing@bellcore.com. Abstract Session Key Distribution Using Smart Cards Victor Shoup Avi Rubin Bellcore, 445 South St., Morristown, NJ 07960 fshoup,rubing@bellcore.com Abstract In this paper, we investigate a method by which smart

More information

Generalized compact knapsacks, cyclic lattices, and efficient one-way functions

Generalized compact knapsacks, cyclic lattices, and efficient one-way functions Generalized compact knapsacks, cyclic lattices, and efficient one-way functions Daniele Micciancio University of California, San Diego 9500 Gilman Drive La Jolla, CA 92093-0404, USA daniele@cs.ucsd.edu

More information

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22

FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22 FOUNDATIONS OF ALGEBRAIC GEOMETRY CLASS 22 RAVI VAKIL CONTENTS 1. Discrete valuation rings: Dimension 1 Noetherian regular local rings 1 Last day, we discussed the Zariski tangent space, and saw that it

More information

7. Some irreducible polynomials

7. Some irreducible polynomials 7. Some irreducible polynomials 7.1 Irreducibles over a finite field 7.2 Worked examples Linear factors x α of a polynomial P (x) with coefficients in a field k correspond precisely to roots α k [1] of

More information

Math 4310 Handout - Quotient Vector Spaces

Math 4310 Handout - Quotient Vector Spaces Math 4310 Handout - Quotient Vector Spaces Dan Collins The textbook defines a subspace of a vector space in Chapter 4, but it avoids ever discussing the notion of a quotient space. This is understandable

More information

A New Generic Digital Signature Algorithm

A New Generic Digital Signature Algorithm Groups Complex. Cryptol.? (????), 1 16 DOI 10.1515/GCC.????.??? de Gruyter???? A New Generic Digital Signature Algorithm Jennifer Seberry, Vinhbuu To and Dongvu Tonien Abstract. In this paper, we study

More information

Generic Polynomials of Degree Three

Generic Polynomials of Degree Three Generic Polynomials of Degree Three Benjamin C. Wallace April 2012 1 Introduction In the nineteenth century, the mathematician Évariste Galois discovered an elegant solution to the fundamental problem

More information

FUNCTIONAL ANALYSIS LECTURE NOTES: QUOTIENT SPACES

FUNCTIONAL ANALYSIS LECTURE NOTES: QUOTIENT SPACES FUNCTIONAL ANALYSIS LECTURE NOTES: QUOTIENT SPACES CHRISTOPHER HEIL 1. Cosets and the Quotient Space Any vector space is an abelian group under the operation of vector addition. So, if you are have studied

More information

Lecture 15 - Digital Signatures

Lecture 15 - Digital Signatures Lecture 15 - Digital Signatures Boaz Barak March 29, 2010 Reading KL Book Chapter 12. Review Trapdoor permutations - easy to compute, hard to invert, easy to invert with trapdoor. RSA and Rabin signatures.

More information

Computing Arbitrary Functions of Encrypted Data

Computing Arbitrary Functions of Encrypted Data Computing Arbitrary Functions of Encrypted Data Craig Gentry IBM T.J. Watson Research Center 19 Skyline Dr. Hawthorne, NY cbgentry@us.ibm.com ABSTRACT Suppose that you want to delegate the ability to process

More information

Introduction to Finite Fields (cont.)

Introduction to Finite Fields (cont.) Chapter 6 Introduction to Finite Fields (cont.) 6.1 Recall Theorem. Z m is a field m is a prime number. Theorem (Subfield Isomorphic to Z p ). Every finite field has the order of a power of a prime number

More information

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

More information

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1

SYMMETRIC ENCRYPTION. Mihir Bellare UCSD 1 SYMMETRIC ENCRYPTION Mihir Bellare UCSD 1 Syntax A symmetric encryption scheme SE = (K,E,D) consists of three algorithms: K and E may be randomized, but D must be deterministic. Mihir Bellare UCSD 2 Correct

More information

Faster Fully Homomorphic Encryption

Faster Fully Homomorphic Encryption 1 Faster Fully Homomorphic Encryption Damien Stehlé 1 and Ron Steinfeld 2 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS de Lyon, INRIA, UCBL), 46 Allée d'italie, 69364 Lyon Cedex 07, France. damien.stehle@gmail.com

More information

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

More information

Factorization Algorithms for Polynomials over Finite Fields

Factorization Algorithms for Polynomials over Finite Fields Degree Project Factorization Algorithms for Polynomials over Finite Fields Sajid Hanif, Muhammad Imran 2011-05-03 Subject: Mathematics Level: Master Course code: 4MA11E Abstract Integer factorization is

More information

Inner Product Spaces

Inner Product Spaces Math 571 Inner Product Spaces 1. Preliminaries An inner product space is a vector space V along with a function, called an inner product which associates each pair of vectors u, v with a scalar u, v, and

More information

it is easy to see that α = a

it is easy to see that α = a 21. Polynomial rings Let us now turn out attention to determining the prime elements of a polynomial ring, where the coefficient ring is a field. We already know that such a polynomial ring is a UF. Therefore

More information

11 Ideals. 11.1 Revisiting Z

11 Ideals. 11.1 Revisiting Z 11 Ideals The presentation here is somewhat different than the text. In particular, the sections do not match up. We have seen issues with the failure of unique factorization already, e.g., Z[ 5] = O Q(

More information

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur

Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Cryptography and Network Security Prof. D. Mukhopadhyay Department of Computer Science and Engineering Indian Institute of Technology, Kharagpur Lecture No. # 11 Block Cipher Standards (DES) (Refer Slide

More information

Metric Spaces. Chapter 7. 7.1. Metrics

Metric Spaces. Chapter 7. 7.1. Metrics Chapter 7 Metric Spaces A metric space is a set X that has a notion of the distance d(x, y) between every pair of points x, y X. The purpose of this chapter is to introduce metric spaces and give some

More information

Vector and Matrix Norms

Vector and Matrix Norms Chapter 1 Vector and Matrix Norms 11 Vector Spaces Let F be a field (such as the real numbers, R, or complex numbers, C) with elements called scalars A Vector Space, V, over the field F is a non-empty

More information

Message Authentication Code

Message Authentication Code Message Authentication Code Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 Outline 1 CBC-MAC 2 Authenticated Encryption 3 Padding Oracle Attacks 4 Information Theoretic MACs 2 of 44

More information

Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

More information

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

More information