# Paillier Threshold Encryption Toolbox

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Paillier Threshold Encryption Toolbox October 23, Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created the paillierp Java packages. By using a threshold variant of the Paillier Encryption scheme as laid out in [2], we use the methods described in [1] to allow secure multiparty computation. This implementation is heavily Object Oriented, having separate objects for (1) encryption/decryption environments, (2) keys, and (3) zero knowledge proofs. As the threshold variant of Paillier is an improvement on the original scheme, the original Paillier encryption scheme is included and is a superclass of the threshold version. 1.1 Paillier s Encryption Scheme Paillier s cryptosystem is a probabilistic encryption scheme wit a public key of an RSA modulus n. The plaintex space is Z n and the ciphertext space is Z n 2. As Damgård introduces Paillier s Encryption scheme is a probabilistic encryption scheme based on computations in the group Z n, where n is an RSA modulus. This scheme has 2 some very attractive properties, in that it is homomorphic, allows encryption of many bits in one operation with a constant expansion factor, and allows efficient decryption.[2] Addition of ciphertexts is trivially easy, and multiplying ciphertexts by a constant is also simple. 1.2 Paillier s Threshold Variant Working from Shoup s threshold version of RSA in [4], Damgård and Jurik propose in [2] a threshold version of Paillier s encryption scheme. Threshold encryption requires a pre-determined number of decryption servers to collaborate on fully decrypting a message. 1

2 Any collaboration between fewer than the specified number of decryption servers does not result in a complete decryption. When creating keys, variables w and l are chosen, resulting in 1 public key and l private keys being generated, set with a threshold of w. It is necessary for at least w of these keys to collaborate to decrypt a message encoded with the public key. The process for decryption involves at least w decryption servers to obtain the same ciphertext, and then apply their private key for decryption to produce a partial decryption or share, each partial decryption being shared with the remaining servers. Once a server obtains at least w unique shares, that server can obtain the original plaintext. Damgård and Jurik also proposed a generalization of the Paillier cryptosystem, allowing ciphertexts to range in Z n s+1 for any s 1. Such a feature can even allows the receiver to decide on s upon encryption and so can allow variable block lengths. In this implementation, we are more concerned with multiparty computations and so fix s to be one at every step. 1.3 Multiparty Computation Cramer, Damgård, and Nielsen suggests a method of multiparty computation based on homomorphic threshold cryptosystems [1]. Their method uses such a cryptosystem to create a Boolean circuit to compute secure functions. The requirements for such computation secure against active adversary is a cryptosystem that satisfies the following properties: 1. Addition of plaintexts From encryptions a and b (of plaintexts a and b, respectively), it is easy to compute an encryption of a + b. 2. Multiplication by a constant From encryption a and a constant α Z n, it is easy to compute a random encryption of α a. 3. Proving knowledge of plaintext If a process created an encryption a, it is easy to give a zero-knowledge proof that it knows a. 4. Proving knowledge of multiplication If a process created an encryption of α a and broadcasts the encryptions α and a, it can give a zero-knowledge proof that the decryption of that encryption is in deed the product of the decryptions of α and a. 5. Threshold decryption Given an encryption a and the corresponding public key used to encrypt it, each process could use their private key and share their partial decryptions so that each can securely compute a. Cramer, et al. provided exactly those zero-knowledge protocols for the threshold variant of Paillier, making multiparty computation possible using Paillier. 2

3 1.4 The Packages The intention of this suite is to provide the tools necessary to enable multiparty computation based on the threshold variant of the Paillier cryptosystem. The requirements enumerated above for such computation are all satisfied in Paillier and are provided to the user of this package. Three packages are included in this suite, namely: paillierp which includes the encryption/decryption environments. paillierp.keys which includes key objects needed for encryption and decryption. paillierp.zkp which include non-interactive zero-knowledge proofs to prove knowledge of a plaintext or multiplication or partial decryption. Most numbers here are BigInteger objects, capable of representing numbers up to This includes plaintexts, ciphertexts, and the like. 1.5 What is this document? This document is a manual to the paillierp packages. While the Javadoc for the implementation is rather thorough, this will provide a quick resource for basic usage without specific mathematics. 2 paillierp.keys Package - Keys In this cryptosystem, the primary step is key creation. Public keys are required for encryption, and private keys are required for decryption. Public keys are derivable from the private keys. 2.1 paillierp.keys.keygen - Key creation In this static class, one can generate a single private key for the original Paillier encryption scheme, or l partial private keys for the threshold variant of the same cryptosystem. PaillierKey(int s, long seed) is used to create a random PaillierPrivateKey of length s. Note that a seed is necessary for the randomness. PaillierThresholdKey(int s, int l, int w, long seed) is used to create l random PaillierPrivateThresholdKeys of length s, of which w must collaborate to produce a decryption. These two methods are the most necessary for random key generation. A further method to eliminate randomness is also provided. 3

4 2.2 paillierp.keys.paillierkey and paillierp.keys.paillierprivatekey As in the original version of the Paillier cryptosystem, the key is generated by choosing a RSA modulus n = pq of k bits for p, q prime. Originally, an element g Z n 2 is also chosen, but we fix g to be 1 + n without loss of security (as given in [2]). The private key is a value d which is the least common multiple of p 1 and q 1. While the choosing of these random numbers is left to paillierp.keys.keygen, the class PaillierKey holds the necessary values for a public key, PaillierPrivateKey for a private key. The constructors vary in arguments to provide flexibility. For the public key, the constructors are PaillierKey(BigInteger n, long seed) Creates a new public key when given the modulus n. PaillierKey(BigInteger p, BigInteger q, long seed) Creates a new public key from a given two odd primes p and q. PaillierPrivateKey(BigInteger n, BigInteger d, long seed) Creates a new private key when given the modulus n and the secret value d. PaillierPrivateKey(BigInteger p, BigInteger q, BigInteger d, long seed) Creates a new private key when given the primes p and q and the secret value d. 2.3 paillierp.keys.paillierthresholdkey and paillierp.keys.paillierthresholdprivatekey In the Threshold variant, the key is generated by finding four unique primes, p, q, p, q such that p = 2p + 1 and q = 2q + 1. We let n = pq and m = p q. We picked d to be equivalent to 0 mod m and 1 mod n. From this, we generate a polynomial P (x) with random coefficients, hiding d = P (0) as the secret key and s i = P (i) for the ith partial key. These partial keys are distributed in secrecy. In addition, public verification values are generated: the value v and a value v i = v s i mod n 2, where = l!. Only n is needed for encryption, but the further public values are included in the public threshold key. A share key requires the entire set of public values as well as s i and n. These values are necessary for each partial decryption. PaillierThresholdKey(BigInteger n, int l, int w, BigInteger v, BigInteger[] viarray, long seed) Creates a new public key for the generalized Paillier threshold scheme from the given modulus n, for use on l decryption servers, w of which are needed to decrypt any message encrypted by using this public key. 4

5 PaillierPrivateThresholdKey(BigInteger n, int l, int w, BigInteger v, BigInteger[] viarray, BigInteger si, int i, long seed) Creates a new private key for the generalized Paillier threshold scheme from the given modulus n, for use on l decryption servers, w of which are needed to decrypt any message encrypted by using this public key. The private value si is for this particular key ID i. Other constructors are available which include the combinesharesconstant. That parameter is available for efficiencey at key distribution, but it can be computed by the other values. 3 paillierp Package - Encryption environments The paillierp package includes two encryption/decryption environments (one for the original Paillier scheme, another for the threshold variant), and two utility classes used by both the Zero Knowledge Proofs and Keys. Each encryption environment is a class holding the key which allows encryption, decryption, the addition and multiplication of ciphertexts. We provide a class of byte utilities for later transmitting keys and proofs, and a partial decryption class for identifying partial decryptions ( shares ). 3.1 paillierp.paillier - Original Paillier Encryption Environment This class provides an environment for encrypting and decrypting, setting and retrieving keys. There is a number of constructors allowing for automatically setting encryption or encryption and decryption, depending if it sees a public or private key. The environment will store a public key (for encryption) and a private key (for decryption). To assign the public key, call setencryption( PaillierKey ). To assign the private key, call setdecryption( PaillierPrivateKey ), or to assign both for this case, call setencryptiondecryption( PaillierPrivateKey ) Encryption Once a public key has been assigned to the encryption environment, whether by the constructor or by setencryption or setencryptiondecryption, it is possible to call encrypt( BigInteger m ) to encode a message m. The resulting BigInteger is the encrypted message. Other encrypt methods are available, both static and otherwise, and are listed in the online documentation Decryption Once a private key has been assigned to the encryption environment, whether by the constructor or by setdecryption or setencryptiondecryption, it is possible to call 5

6 decrypt( BigInteger c ) to decode a ciphertext c. The resulting BigInteger is the original message. Just like above, other decrypt are available for greater flexibility. There are static and non-static methods, all of which are listed in the online documentation Other Utilities As listed in Section 1.3, there are several attractive features that we would like to make available to allow some computation. In the Paillier encryption environment, there is no thresholding, making it impossible to provide the 5th feature, but features 1-4 are available to this regular encryption environment. 1. Addition of Plaintexts is provided by add( BigInteger c1, BigInteger c2 ). Given c1 the encryption of a and c2 the encryption of b, the resulting BigInteger is an encryption of a + b. 2. Multiplication by a constant is provided by multiply( BigInteger c, BigInteger cons ). Given c the encryption of a, the resulting BigInteger is an encryption of cons a. 3. Proving knowledge of plaintext is provided by encryptproof( BigInteger ). The result is a non-interactive Zero Knowledge Proof detailed in??. 4. Proving knowledge of multiplication is provided by multiply Proof( BigInteger, BigInteger ) to produce a non-interactive Zero-Knowledge Proof as detailed in??. static variants of the addition and multiplication methods are also available. Also available are helpful utilities for random encryptions of 1 and of zero, and a method that will randomize a ciphertext at no distortion of the original message. 3.2 paillierp.paillierthreshold - Threshold Paillier Encryption Environment The threshold encryption environment provides an object through which one can encrypt and decrypt. As in Paillier, there is a number of constructors to ensure maximum flexibility Encryption Encryption with PaillierThreshold is just the same as with Paillier in Section

7 3.2.2 Decryption The decryption methods for PaillierThreshold differ from Paillier. Once a private key has been assigned to the encryption environment, whetherby the custroctor or by setdecryption or setencryptiondecryption, it is possible to call decrypt( BigInteger c ) to decode a ciphertext c. The result is a PartialDecryption, which is not the original message. Rather, one must provide many PartialDecryption objects to combineshares( PartialDecryption... ) to obtain a BigInteger which is the original message; at least deckey.getw() must be provided, where deckey is the private key. In order to fully decrypt a ciphertext c, the following must happen 1. One should partially decrypt a message c by invoking decrypt( c ). What results is a PartialDecryption. 2. One must obtain at least w separate such PartialDecryptions generated by w independent PaillierThreshold encryption environments with unique Paillier Threshold Private Keys. 3. Combine the at least w partial decryptions by calling combineshares( share 1, share 2,..., share w ). The result is a BigInteger which is the original message Other Utilities As above in 3.1.3, PaillierThreshold implements the full set of features needed for secure multiparty computation. 1. Addition of Plaintexts is provided by add( BigInteger c1, BigInteger c2 ). Given c1 the encryption of a and c2 the encryption of b, the resulting BigInteger is an encryption of a + b. 2. Multiplication by a constant is provided by multiply( BigInteger c, BigInteger cons ). Given c the encryption of a, the resulting BigInteger is an encryption of cons a. 3. Proving knowledge of plaintext is provided by encryptproof( BigInteger ). The result is a non-interactive Zero Knowledge Proof detailed in Section Proving knowledge of multiplication is provided by multiply Proof( BigInteger, BigInteger ) to produce a non-interactive Zero-Knowledge Proof as detailed in Section Threshold decryption is provided by decrypt and combineshares as detailed above in Further, proving knowledge of partial decryption is provided by decryptproof( BigInteger ). 7

8 3.3 paillierp.byteutils - Byte Manipulation Utilities ByteUtils is a bundle of static, byte manipulation methods for the tobytearray methods as listed in Section paillierp.partialdecryption - Product of Threshold Decryption This is simply a wrapper of a BigInteger and an ID number for the purposes of decryption with PaillierThreshold as detailed in Section paillierp.zkp Package - Non-interactive Zero Knowledge Proofs For secure multiparty computation, Cramer, et al. in [1] requires a cryptosystem to have five capabilities as listed on p. 4 in [1] (reproduced in this documentation at Section 1.3). To ensure complete security in these computations, even against malicious attacks, they have required two proofs of computation, viz. a proof that one knows the plaintext for a ciphertext and a proof that one knows a constant and has multiplied a ciphertext by that constant. A further proof has been developed to provide proof that one has indeed partially decrypted a ciphertext. Zero Knowledge Proofs is a method for one party to prove the veracity of a mathematical statements, without revealing particular numbers of that statement. Standardly, a zero knowledge proof is an interactive protocol for proving the veracity of the statement, where an input is given from without. On the other hand, a non-interactive proof is one which automatically chooses the input by something just as random as the possible input from without: the automatic input is the hash of the proving variables. Each of the original values are required in the constructors. That is to say, for example, EncryptionZKP requires knowledge of the plaintext and the private key before generating a zero knowledge proof. Nothing of sensitive data will be saved. But for the paranoid, methods and constructors for saving these objects as byte arrays are available. Each object generates the new ciphertext or partial decryption retrievable by getvalue(), and the method verify() recomputes the hash to provide veracity of the values. Also, verifykey( Paillier(Threshold)Key ) is available to ensure all public values used in the proof correspond with the given key. EncryptionZKP This provides knowledge that one knows the plaintext of a given encryption. This protocol is described on page 40 of [1]. MultiplicationZKP This provides knowledge that one has multiplied a ciphertext by a constant which only the multiplier knows. The protocol is from page 40 of [1]. 8

9 DecryptionZKP This provides knowledge that one has indeed partially decrypted a ciphertext. The method is found on pages of [3]. 5 Transferring information Transferring of both public and private keys, and of the PartialDecryption wrapper and of each zero knowledge proof is made easy in this package. Not only are they serializable, but they also are given a tobytearray() method to specifically encode the object as a byte array for communication. Each of the above objects are also given a constructor which takes as input the byte array as specifically engineered by that object s tobytearray(). 6 Example We close with an example of the paillierp package, particularly PaillierThreshold. 1 package testingpaillier ; 3 import paillierp. Paillier ; import paillierp. PaillierThreshold ; 5 import java. math. BigInteger ; 7 import java. util. Random ; 9 import paillierp. key. KeyGen ; import paillierp. key. PaillierPrivateThresholdKey ; 11 import paillierp. zkp. DecryptionZKP ; 13 public class Testing { public static void main ( String [] args ) { 15 System. out. println (" Create new keypairs.") ; 17 Random rnd = new Random (); PaillierPrivateThresholdKey [] keys = 19 KeyGen. PaillierThresholdKey (128, 6, 3, rnd. nextlong ()); System. out. println (" Six keys are generated, with a threshold of 3.") ; 21 System. out. println (" Six people use their keys : p1, p2, p3, p4, p5, p6 ") ; 23 PaillierThreshold p1 = new PaillierThreshold ( keys [0]) ; PaillierThreshold p2 = new PaillierThreshold ( keys [1]) ; 25 PaillierThreshold p3 = new PaillierThreshold ( keys [2]) ; PaillierThreshold p4 = new PaillierThreshold ( keys [3]) ; 27 PaillierThreshold p5 = new PaillierThreshold ( keys [4]) ; PaillierThreshold p6 = new PaillierThreshold ( keys [5]) ; 29 System. out. println (" Alice is given the public key.") ; 31 Paillier alice = new Paillier ( keys [0]. getpublickey ()); 9

10 33 // Alice encrypts a message BigInteger msg = BigInteger. valueof ( ) ; 35 BigInteger Emsg = alice. encrypt ( msg ); System. out. println (" Alice encrypts the message "+ msg +" and sends "+ 37 Emsg +" to everyone.") ; // Alice sends Emsg to everyone 39 System. out. println (" p1 receives the message and tries to decrypt all alone :") ; 41 BigInteger p1decrypt = p1. decryptonly ( Emsg ); if ( p1decrypt. equals ( msg )) { 43 System. out. println (" p1 succeeds decrypting the message all alone.") ; } else { 45 System. out. println (" p1 fails decrypting the message all alone. :(") ; } 47 System. out. println (" p2 and p3 receive the message and " + 49 " create a partial decryptions.") ; DecryptionZKP p2share = p2. decryptproof ( Emsg ); 51 DecryptionZKP p3share = p3. decryptproof ( Emsg ); // p2 sends the partial decryption to p3 53 // p3 sends the partial decryption to p2 55 System. out. println (" p2 receives the partial p3 s partial decryption " + " and attempts to decrypt the whole message using its own " + 57 " share twice "); try { 59 BigInteger p2decrypt = p2. combineshares ( p2share, p3share, p2share ); if ( p2decrypt. equals ( msg )) { 61 System. out. println (" p2 succeeds decrypting the message with p3.") ; } else { 63 System. out. println (" p2 fails decrypting the message with p3. :(") ; } 65 } catch ( IllegalArgumentException e) { System. out. println (" p2 fails decrypting and throws an error "); 67 } 69 System. out. println (" p4, p5, p6 receive Alice s original message and " + " create partial decryptions.") ; 71 DecryptionZKP p4share = p4. decryptproof ( Emsg ); DecryptionZKP p5share = p5. decryptproof ( Emsg ); 73 DecryptionZKP p6share = p6. decryptproof ( Emsg ); // p4, p5, and p6 share each of their partial decryptions with each other 75 System. out. println (" p4 receives and combines each partial decryption " + 77 " to decrypt whole message :") ; BigInteger p4decrypt = p4. combineshares ( p4share, p5share, p6share ); 79 if ( p4decrypt. equals ( msg )) { 10

11 System. out. println (" p4 succeeds decrypting the message with p5 and p6.") ; 81 } else { System. out. println (" p4 fails decrypting the message with p5 and p6. :(") ; 83 } } 85 } References [1] Cramer, R., Damgård, I., and Nielsen, J. B. Multiparty computation from threshold homomorphic encryption. In EUROCRYPT 01: Proceedings of the International Conference on the Theory and Application of Cryptographic Techniques (London, UK, 2001), Springer-Verlag, pp [2] Damgård, I., and Jurik, M. A generalisation, a simplification and some applications of Paillier s probabilistic public-key system. In PKC 01: Proceedings of the 4th International Workshop on Practice and Theory in Public Key Cryptography (London, UK, 2001), Springer-Verlag, pp [3] Damgård, I., Jurik, M., and Nielsen, J. B. A generalization of Paillier s publickey system with applications to electronic voting. GenPaillierfinaljour.ps, Manuscript. [4] Shoup, V. Practical threshold signatures. In EUROCRYPT 00: Proceedings of the 19th international conference on Theory and application of cryptographic techniques (Berlin, Heidelberg, 2000), Springer-Verlag, pp

### VoteID 2011 Internet Voting System with Cast as Intended Verification

VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Public-Key Cryptography. Oregon State University

Public-Key Cryptography Çetin Kaya Koç Oregon State University 1 Sender M Receiver Adversary Objective: Secure communication over an insecure channel 2 Solution: Secret-key cryptography Exchange the key

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Introduction to Cryptography

Introduction to Cryptography Part 2: public-key cryptography Jean-Sébastien Coron January 2007 Public-key cryptography Invented by Diffie and Hellman in 1976. Revolutionized the field. Each user now has

### 1 Public-Key Encryption in Practice

CS 120/CSCI E-177: Introduction to Cryptography Salil Vadhan and Alon Rosen Nov. 16, 2006 Lecture Notes 15: Public-Key Encryption in Practice Recommended Reading. KatzLindell, Sections 9.4, 9.5.3 1 Public-Key

### PUBLIC KEY ENCRYPTION

PUBLIC KEY ENCRYPTION http://www.tutorialspoint.com/cryptography/public_key_encryption.htm Copyright tutorialspoint.com Public Key Cryptography Unlike symmetric key cryptography, we do not find historical

### Asymmetric Cryptography. Mahalingam Ramkumar Department of CSE Mississippi State University

Asymmetric Cryptography Mahalingam Ramkumar Department of CSE Mississippi State University Mathematical Preliminaries CRT Chinese Remainder Theorem Euler Phi Function Fermat's Theorem Euler Fermat's Theorem

### Secure Computation Martin Beck

Institute of Systems Architecture, Chair of Privacy and Data Security Secure Computation Martin Beck Dresden, 05.02.2015 Index Homomorphic Encryption The Cloud problem (overview & example) System properties

### Outline. Cryptography. Bret Benesh. Math 331

Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

### Cryptography: Authentication, Blind Signatures, and Digital Cash

Cryptography: Authentication, Blind Signatures, and Digital Cash Rebecca Bellovin 1 Introduction One of the most exciting ideas in cryptography in the past few decades, with the widest array of applications,

### Midterm Exam Solutions CS161 Computer Security, Spring 2008

Midterm Exam Solutions CS161 Computer Security, Spring 2008 1. To encrypt a series of plaintext blocks p 1, p 2,... p n using a block cipher E operating in electronic code book (ECB) mode, each ciphertext

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives To distinguish between two cryptosystems: symmetric-key

### Introduction to Security Proof of Cryptosystems

Introduction to Security Proof of Cryptosystems D. J. Guan November 16, 2007 Abstract Provide proof of security is the most important work in the design of cryptosystems. Problem reduction is a tool to

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0

A Chosen Ciphertext Attack on RSA Optimal Asymmetric Encryption Padding (OAEP) as Standardized in PKCS #1 v2.0 James Manger Telstra Research Laboratories, Level 7, 242 Exhibition Street, Melbourne 3000,

### Privacy-Preserving Television Audience Measurement Using Smart TVs

Privacy-Preserving Television Audience Measurement Using Smart TVs George Drosatos, Aimilia Tasidou, and Pavlos S. Efraimidis Dept. of Electrical and Computer Engineering, Democritus University of Thrace,

### Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography

Chapter 11 Security+ Guide to Network Security Fundamentals, Third Edition Basic Cryptography What Is Steganography? Steganography Process of hiding the existence of the data within another file Example:

### A NOVEL APPROACH FOR VERIFIABLE SECRET SHARING BY USING A ONE WAY HASH FUNCTION

A NOVEL APPROACH FOR VERIFIABLE SECRET SHARING BY Abstract USING A ONE WAY HASH FUNCTION Keyur Parmar & Devesh Jinwala Sardar Vallabhbhai National Institute of Technology, Surat Email : keyur.beit@gmail.com

### In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

### Public Key Cryptography and RSA

Public Key Cryptography and RSA Raj Jain Washington University in Saint Louis Saint Louis, MO 63130 Jain@cse.wustl.edu Audio/Video recordings of this lecture are available at: http://www.cse.wustl.edu/~jain/cse571-11/

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

### The mathematics of cryptology

The mathematics of cryptology Paul E. Gunnells Department of Mathematics and Statistics University of Massachusetts, Amherst Amherst, MA 01003 www.math.umass.edu/ gunnells April 27, 2004 What is Cryptology?

### E-Democracy and e-voting

E-Democracy and e-voting How to make them secure and transparent August 2013 Jordi Puiggali CSO and SVP R&D Jordi.puiggali@scytl.com Index Introduction e-democracy Security and Transparency in e-voting

### CRYPTOGRAPHIC ALGORITHMS (AES, RSA)

CALIFORNIA STATE POLYTECHNIC UNIVERSITY, POMONA CRYPTOGRAPHIC ALGORITHMS (AES, RSA) A PAPER SUBMITTED TO PROFESSOR GILBERT S. YOUNG IN PARTIAL FULFILLMENT OF THE REQUIREMENT FOR THE COURSE CS530 : ADVANCED

### Privacy-Preserving Network Aggregation

Privacy-Preserving Network Aggregation Troy Raeder 1,2, Marina Blanton 2, Nitesh V. Chawla 1,2, and Keith Frikken 3 1 Interdisciplinary Center for Network Science and Applications University of Notre Dame,

### Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

### Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

### Today ENCRYPTION. Cryptography example. Basic principles of cryptography

Today ENCRYPTION The last class described a number of problems in ensuring your security and privacy when using a computer on-line. This lecture discusses one of the main technological solutions. The use

### Chapter 10 Asymmetric-Key Cryptography

Chapter 10 Asymmetric-Key Cryptography Copyright The McGraw-Hill Companies, Inc. Permission required for reproduction or display. 10.1 Chapter 10 Objectives Present asymmetric-key cryptography. Distinguish

### A New Approach for Algebraically Homomorphic Encryption

A New Approach for Algebraically Homomorphic Encryption Joint work with Ahmad Reza Sadeghi, supported by the EU project SPEED Frederik Armknecht Group for Cryptographic Mechanisms and Security Models Horst

### Crittografia e sicurezza delle reti. Digital signatures- DSA

Crittografia e sicurezza delle reti Digital signatures- DSA Signatures vs. MACs Suppose parties A and B share the secret key K. Then M, MAC K (M) convinces A that indeed M originated with B. But in case

### Verifiable Voting Systems

Chapter 69 Verifiable Voting Systems Thea Peacock 1, Peter Y. A. Ryan 1, Steve Schneider 2 and Zhe Xia 2 1 University of Luxembourg 2 University of Surrey 1 Introduction The introduction of technology

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### New Constructions and Practical Applications for Private Stream Searching (Extended Abstract)

New Constructions and Practical Applications for Private Stream Searching (Extended Abstract) John Bethencourt Carnegie Mellon University bethenco@cs.cmu.edu Dawn Song Carnegie Mellon University dawnsong@cmu.edu

### Efficient Binary Conversion for Paillier Encrypted Values

Efficient Binary Conversion for Paillier Encrypted Values Berry Schoenmakers 1 and Pim Tuyls 2 1 Dept. of Mathematics and Computing Science, TU Eindhoven, P.O. Box 513, 5600 MB Eindhoven, The Netherlands.

### Efficient Committed Oblivious Transfer of Bit Strings

Appears in Information Security (ISC 2007), Lecture Notes in Computer Science 4779 (2007) 130 144. Springer-Verlag. Efficient Committed Oblivious Transfer of Bit Strings Mehmet S. Kiraz, Berry Schoenmakers,

### CS 161 Computer Security

Song Spring 2015 CS 161 Computer Security Discussion 11 April 7 & April 8, 2015 Question 1 RSA (10 min) (a) Describe how to find a pair of public key and private key for RSA encryption system. Find two

### A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

### CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 1 January 9, 2012 CPSC 467b, Lecture 1 1/22 Course Overview Symmetric Cryptography CPSC 467b, Lecture 1 2/22 Course Overview CPSC

### Related Idea: RSA Encryption Step 1

Related Idea: RSA Encryption Step 1 Example (RSA Encryption: Step 1) Here is how Alice and Bob can do to share a secret from Carl: What Alice Does 1. Alice chooses two (large) prime numbers p and q, which

### A Study on Asymmetric Key Cryptography Algorithms

A Study on Asymmetric Key Cryptography Algorithms ASAITHAMBI.N School of Computer Science and Engineering, Bharathidasan University, Trichy, asaicarrier@gmail.com Abstract Asymmetric key algorithms use

### Embedding more security in digital signature system by using combination of public key cryptography and secret sharing scheme

International Journal of Computer Sciences and Engineering Open Access Research Paper Volume-4, Issue-3 E-ISSN: 2347-2693 Embedding more security in digital signature system by using combination of public

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Cryptographic and Physical Zero- Knowledge Proof Systems for Solutions of Sudoku Puzzles

Cryptographic and Physical Zero- Knowledge Proof Systems for Solutions of Sudoku Puzzles, University of Haifa Joint work with Ronen Gradwohl, Moni Naor and Guy Rothblum page 1 Sudoku Fill in the empty

### QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

### The Mathematics of RSA

The Mathematics of RSA Dimitri Papaioannou May 24, 2007 1 Introduction Cryptographic systems come in two flavors. Symmetric or Private key encryption and Asymmetric or Public key encryption. Strictly speaking,

### Network Security. Security Attacks. Normal flow: Interruption: 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室

Network Security 孫 宏 民 hmsun@cs.nthu.edu.tw Phone: 03-5742968 國 立 清 華 大 學 資 訊 工 程 系 資 訊 安 全 實 驗 室 Security Attacks Normal flow: sender receiver Interruption: Information source Information destination

### Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

### ΕΠΛ 674: Εργαστήριο 3

ΕΠΛ 674: Εργαστήριο 3 Ο αλγόριθμος ασύμμετρης κρυπτογράφησης RSA Παύλος Αντωνίου Department of Computer Science Private-Key Cryptography traditional private/secret/single key cryptography uses one key

### Chapter 7: Network security

Chapter 7: Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice: application layer: secure e-mail transport

### Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

### Threshold Identity Based Encryption Scheme without Random Oracles

WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

### Network Security. Abusayeed Saifullah. CS 5600 Computer Networks. These slides are adapted from Kurose and Ross 8-1

Network Security Abusayeed Saifullah CS 5600 Computer Networks These slides are adapted from Kurose and Ross 8-1 Public Key Cryptography symmetric key crypto v requires sender, receiver know shared secret

### CS Computer and Network Security: Applied Cryptography

CS 5410 - Computer and Network Security: Applied Cryptography Professor Patrick Traynor Spring 2016 Reminders Project Ideas are due on Tuesday. Where are we with these? Assignment #2 is posted. Let s get

### Cryptography for the Cloud

Cryptography for the Cloud ENS - CNRS - INRIA Cyber-Sécurité - SPECIF CNAM, Paris, France - November 7th, 2014 The Cloud Introduction 2 Access from Anywhere Introduction 3 Available for Everything One

### Public Key (asymmetric) Cryptography

Public-Key Cryptography UNIVERSITA DEGLI STUDI DI PARMA Dipartimento di Ingegneria dell Informazione Public Key (asymmetric) Cryptography Luca Veltri (mail.to: luca.veltri@unipr.it) Course of Network Security,

### 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

### Fully Homomorphic Encryption

Fully Homomorphic Encryption Jean-Sébastien Coron University of Luxembourg December 10, 2015 Homomorphic Encryption Homomorphic encryption: perform operations on plaintexts while manipulating only ciphertexts.

### Oblivious Transfer. Sven Laur University of Tartu

Oblivious Transfer Sven Laur swen@math.ut.ee University of Tartu Ideal implementation b x 0, x 1 b x 0, x 1 x b Ideal ( 2 1) -OT The protocol is always carried out between a client P 1 and a sender P 2.

### Dealing Cards in Poker Games

1 Dealing Cards in Poker Games Philippe Golle Palo Alto Research Center pgolle@parc.com Abstract This paper proposes a new protocol for shuffling and dealing cards, that is designed specifically for games

### Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

### Computer Networks. Network Security and Ethics. Week 14. College of Information Science and Engineering Ritsumeikan University

Computer Networks Network Security and Ethics Week 14 College of Information Science and Engineering Ritsumeikan University Security Intro for Admins l Network administrators can break security into two

### Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

### PRIME NUMBERS & SECRET MESSAGES

PRIME NUMBERS & SECRET MESSAGES I. RSA CODEBREAKER GAME This is a game with two players or teams. The players take turns selecting either prime or composite numbers as outlined on the board below. The

### Associate Prof. Dr. Victor Onomza Waziri

BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

### The Elements of Cryptography

The Elements of Cryptography (March 30, 2016) Abdou Illia Spring 2016 Learning Objectives Discuss Cryptography Terminology Discuss Symmetric Key Encryption Discuss Asymmetric Key Encryption Distinguish

### Fully homomorphic encryption equating to cloud security: An approach

IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 9, Issue 2 (Jan. - Feb. 2013), PP 46-50 Fully homomorphic encryption equating to cloud security: An approach

### Introduction to Symmetric and Asymmetric Cryptography

Introduction to Symmetric and Asymmetric Cryptography Ali E. Abdallah Birmingham CityUniversity Email: Ali.Abdallah@bcu.ac.uk Lectures are part of the project: ConSoLiDatE Multi-disciplinary Cooperation

### Hey! Cross Check on Computation in Cloud

Hey! Cross Check on Computation in Cloud Ajeet Singh Rajput Computer Science and Engineering Department S.D.B.C.T, Mhow Road,Indore,(M.P), India ajeetsinghrajput@gmail.com M.E.(CSE), S.D.B.C.T, Indore

### Network Security Technology Network Management

COMPUTER NETWORKS Network Security Technology Network Management Source Encryption E(K,P) Decryption D(K,C) Destination The author of these slides is Dr. Mark Pullen of George Mason University. Permission

### Research Article Design of a Secure Smart Grid Architecture Model using Damgard Jurik Cryptosystem

Research Journal of Applied Sciences, Engineering and Technology 9(10): 895-901, 2015 DOI:10.19026/rjaset.9.2640 ISSN: 2040-7459; e-issn: 2040-7467 2015 Maxwell Scientific Publication Corp. Submitted:

### Title Goes Here An Introduction to Modern Cryptography. Mike Reiter

Title Goes Here An Introduction to Modern Cryptography Mike Reiter 1 Cryptography Study of techniques to communicate securely in the presence of an adversary Traditional scenario Goal: A dedicated, private

### APNIC elearning: Cryptography Basics. Contact: esec02_v1.0

APNIC elearning: Cryptography Basics Contact: training@apnic.net esec02_v1.0 Overview Cryptography Cryptographic Algorithms Encryption Symmetric-Key Algorithm Block and Stream Cipher Asymmetric Key Algorithm

### The Paillier Cryptosystem

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael O Keeffe The College of New Jersey Mathematics Department April 18, 2008 ABSTRACT So long as there are secrets,

### An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay Madria Professor and Site Director for NSF I/UCRC Center on Net-Centric Software and Systems Missouri University

### A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM

Konuralp Journal of Mathematics Volume 4 No. 1 pp. 122 129 (2016) c KJM A SYMMETRIC KEY FULLY HOMOMORPHIC ENCRYPTION SCHEME USING GENERAL CHINESE REMAINDER THEOREM EMİN AYGÜN AND ERKAM LÜY Abstract. The

### The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm

The RSA Algorithm: A Mathematical History of the Ubiquitous Cryptological Algorithm Maria D. Kelly December 7, 2009 Abstract The RSA algorithm, developed in 1977 by Rivest, Shamir, and Adlemen, is an algorithm

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Lecture 6 - Cryptography

Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

### Virtual Private Networks

Outline Virtual Private Networks Cmput 410 Presentations November 25-2004 Introduction Types of VPNs Tunneling Security Encryption Future of VPNs VPN - Definition Introduction a way to provide remote access

### CS 4803 Computer and Network Security

pk CA User ID U, pk U CS 4803 Computer and Network Security Verifies the ID, picks a random challenge R (e.g. a message to sign) R I want pk U Alexandra (Sasha) Boldyreva PKI, secret key sharing, implementation

### Asymmetric Encryption. With material from Jonathan Katz, David Brumley, and Dave Levin

Asymmetric Encryption With material from Jonathan Katz, David Brumley, and Dave Levin Warmup activity Overview of asymmetric-key crypto Intuition for El Gamal and RSA And intuition for attacks Digital

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### Network Security. HIT Shimrit Tzur-David

Network Security HIT Shimrit Tzur-David 1 Goals: 2 Network Security Understand principles of network security: cryptography and its many uses beyond confidentiality authentication message integrity key

### Common security requirements Basic security tools. Example. Secret-key cryptography Public-key cryptography. Online shopping with Amazon

1 Common security requirements Basic security tools Secret-key cryptography Public-key cryptography Example Online shopping with Amazon 2 Alice credit card # is xxxx Internet What could the hacker possibly

### Introduction to Cryptography CS 355

Introduction to Cryptography CS 355 Lecture 30 Digital Signatures CS 355 Fall 2005 / Lecture 30 1 Announcements Wednesday s lecture cancelled Friday will be guest lecture by Prof. Cristina Nita- Rotaru

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### RSA Cryptosystem. Yufei Tao. Department of Computer Science and Engineering Chinese University of Hong Kong. RSA Cryptosystem

Yufei Tao Department of Computer Science and Engineering Chinese University of Hong Kong In this lecture, we will discuss the RSA cryptosystem, which is widely adopted as a way to encrypt a message, or

### Public Key Cryptography. Performance Comparison and Benchmarking

Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What

### Cryptographic Rule-Based Trading (Short Paper)

Cryptographic Rule-Based Trading (Short Paper) Christopher Thorpe and Steven R. Willis {cat,swillis}@generalcryptography.com General Cryptography Abstract. We present an interesting new protocol where

### Shared Secret = Trust

Trust The fabric of life! Holds civilizations together Develops by a natural process Advancement of technology results in faster evolution of societies Weakening the natural bonds of trust From time to