# Fully Homomorphic Encryption

Save this PDF as:

Size: px
Start display at page:

## Transcription

1 Fully Homomorphic Encryption Jean-Sébastien Coron University of Luxembourg December 10, 2015

2 Homomorphic Encryption Homomorphic encryption: perform operations on plaintexts while manipulating only ciphertexts. Normally, this is not possible. AES K (m 1 ) = 0x3c7317c6bc5634a4ad8479c64714f4f8 AES K (m 2 ) = 0x e1961b051be1aa407da6cac2c AES K (m 1 m 2 ) =? For some cryptosystems with algebraic structure, this is possible. For example RSA: c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N

3 Homomorphic Encryption Homomorphic encryption: perform operations on plaintexts while manipulating only ciphertexts. Normally, this is not possible. AES K (m 1 ) = 0x3c7317c6bc5634a4ad8479c64714f4f8 AES K (m 2 ) = 0x e1961b051be1aa407da6cac2c AES K (m 1 m 2 ) =? For some cryptosystems with algebraic structure, this is possible. For example RSA: c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N

4 Homomorphic Encryption Homomorphic encryption: perform operations on plaintexts while manipulating only ciphertexts. Normally, this is not possible. AES K (m 1 ) = 0x3c7317c6bc5634a4ad8479c64714f4f8 AES K (m 2 ) = 0x e1961b051be1aa407da6cac2c AES K (m 1 m 2 ) =? For some cryptosystems with algebraic structure, this is possible. For example RSA: c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N

5 Homomorphic Encryption with RSA Multiplicative property of RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c = c 1 c 2 = (m 1 m 2 ) e mod N Homomorphic encryption: given c 1 and c 2, we can compute the ciphertext c for m 1 m 2 mod N using only the public-key without knowing the plaintexts m 1 and m 2.

6 Homomorphic Encryption with RSA Multiplicative property of RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c = c 1 c 2 = (m 1 m 2 ) e mod N Homomorphic encryption: given c 1 and c 2, we can compute the ciphertext c for m 1 m 2 mod N using only the public-key without knowing the plaintexts m 1 and m 2.

7 Paillier Cryptosystem Additively homomorphic: Paillier cryptosystem c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Application: e-voting. Voter i encrypts his vote m i {0, 1} into: c i = g m i z N i mod N 2 Votes can be aggregated using only the public-key: c = i c i = g i m i z mod N 2 c is enventually decrypted to recover m = i m i

8 Paillier Cryptosystem Additively homomorphic: Paillier cryptosystem c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Application: e-voting. Voter i encrypts his vote m i {0, 1} into: c i = g m i z N i mod N 2 Votes can be aggregated using only the public-key: c = i c i = g i m i z mod N 2 c is enventually decrypted to recover m = i m i

9 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

10 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

11 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

12 Fully homomorphic public-key encryption We restrict ourselves to public-key encryption of a single bit: 0 203ef ab b327653c1... db Obviously, encryption must be probabilistic. Fully homomorphic property Given E(b 0 ) and E(b 1 ), one can compute E(b 0 b 1 ) and E(b 0 b 1 ) without knowing the private-key. Why is it important? Universality: any Boolean circuit can be written with Xors and Ands. Once you can homomorphically evaluate both a Xor and a And, you can evaluate any Boolean circuit, any computable function.

13 Fully homomorphic public-key encryption We restrict ourselves to public-key encryption of a single bit: 0 203ef ab b327653c1... db Obviously, encryption must be probabilistic. Fully homomorphic property Given E(b 0 ) and E(b 1 ), one can compute E(b 0 b 1 ) and E(b 0 b 1 ) without knowing the private-key. Why is it important? Universality: any Boolean circuit can be written with Xors and Ands. Once you can homomorphically evaluate both a Xor and a And, you can evaluate any Boolean circuit, any computable function.

14 Fully homomorphic public-key encryption We restrict ourselves to public-key encryption of a single bit: 0 203ef ab b327653c1... db Obviously, encryption must be probabilistic. Fully homomorphic property Given E(b 0 ) and E(b 1 ), one can compute E(b 0 b 1 ) and E(b 0 b 1 ) without knowing the private-key. Why is it important? Universality: any Boolean circuit can be written with Xors and Ands. Once you can homomorphically evaluate both a Xor and a And, you can evaluate any Boolean circuit, any computable function.

15 Outsourcing Computation The cloud receives some data m in encrypted form. It receives the ciphertexts c i corresponding to bits m i The cloud doesn t know the m i s The cloud performs some computation f (m), but without knowing m The computation of f is written as a Boolean circuit with Xors and Ands Every Xor z = x y is homomorphically evaluated from the ciphertexts c x and c y, to get ciphertext c z Every And z = x y is homomorphically evaluated from the ciphertexts c x and c y, to get ciphertext c z Eventally the cloud obtains a ciphertext c for f (m) The user decrypts c to recover f (m) The cloud learns nothing about m

16 Outsourcing Computation The cloud receives some data m in encrypted form. It receives the ciphertexts c i corresponding to bits m i The cloud doesn t know the m i s The cloud performs some computation f (m), but without knowing m The computation of f is written as a Boolean circuit with Xors and Ands Every Xor z = x y is homomorphically evaluated from the ciphertexts c x and c y, to get ciphertext c z Every And z = x y is homomorphically evaluated from the ciphertexts c x and c y, to get ciphertext c z Eventally the cloud obtains a ciphertext c for f (m) The user decrypts c to recover f (m) The cloud learns nothing about m

17 Outsourcing Computation The cloud receives some data m in encrypted form. It receives the ciphertexts c i corresponding to bits m i The cloud doesn t know the m i s The cloud performs some computation f (m), but without knowing m The computation of f is written as a Boolean circuit with Xors and Ands Every Xor z = x y is homomorphically evaluated from the ciphertexts c x and c y, to get ciphertext c z Every And z = x y is homomorphically evaluated from the ciphertexts c x and c y, to get ciphertext c z Eventally the cloud obtains a ciphertext c for f (m) The user decrypts c to recover f (m) The cloud learns nothing about m

18 What fully homomorphic encryption brings you You have a software that given the revenue, past income, headcount, etc., of a company can predict its future stock price. I want to know the future stock price of my company, but I don t want to disclose confidential information. And you don t want to give me your software containing secret formulas. Using homomorphic encryption: I encrypt all the inputs using fully homomorphic encryption and send them to you in encrypted form. You process all my inputs, viewing your software as a circuit. You send me the result, still encrypted. I decrypt the result and get the predicted stock price. You didn t learn any information about my company. More generally: Cool buzzwords like secure cloud computing. Cool mathematical challenges.

19 What fully homomorphic encryption brings you You have a software that given the revenue, past income, headcount, etc., of a company can predict its future stock price. I want to know the future stock price of my company, but I don t want to disclose confidential information. And you don t want to give me your software containing secret formulas. Using homomorphic encryption: I encrypt all the inputs using fully homomorphic encryption and send them to you in encrypted form. You process all my inputs, viewing your software as a circuit. You send me the result, still encrypted. I decrypt the result and get the predicted stock price. You didn t learn any information about my company. More generally: Cool buzzwords like secure cloud computing. Cool mathematical challenges.

20 What fully homomorphic encryption brings you You have a software that given the revenue, past income, headcount, etc., of a company can predict its future stock price. I want to know the future stock price of my company, but I don t want to disclose confidential information. And you don t want to give me your software containing secret formulas. Using homomorphic encryption: I encrypt all the inputs using fully homomorphic encryption and send them to you in encrypted form. You process all my inputs, viewing your software as a circuit. You send me the result, still encrypted. I decrypt the result and get the predicted stock price. You didn t learn any information about my company. More generally: Cool buzzwords like secure cloud computing. Cool mathematical challenges.

21 Cloud Computing Goal: cloud computing I encrypt my data before sending it to the cloud The cloud can still search, sort and edit my data on my behalf Data is kept in encrypted form in the cloud. The cloud learns nothing about my data The cloud returns encrypted answers that only I can decrypt

22 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping (modulus switching) [BGV11] Batch FHE [GHS12] Implementation with homomorphic evaluation of AES [GHS12] And many other papers van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. Public-key compression and modulus switching [CNT12] Batch and homomorphic evaluation of AES [CCKLLTY13].

23 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping (modulus switching) [BGV11] Batch FHE [GHS12] Implementation with homomorphic evaluation of AES [GHS12] And many other papers van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. Public-key compression and modulus switching [CNT12] Batch and homomorphic evaluation of AES [CCKLLTY13].

24 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping (modulus switching) [BGV11] Batch FHE [GHS12] Implementation with homomorphic evaluation of AES [GHS12] And many other papers van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. Public-key compression and modulus switching [CNT12] Batch and homomorphic evaluation of AES [CCKLLTY13].

25 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits

26 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits

27 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits

28 Addition: Homomorphic Properties of DGHV c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 c 1 + c 2 is an encryption of m 1 + m 2 mod 2 = m 1 m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 c 1 c 2 is an encryption of m 1 m 2 Noise becomes twice larger.

29 Addition: Homomorphic Properties of DGHV c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 c 1 + c 2 is an encryption of m 1 + m 2 mod 2 = m 1 m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 c 1 c 2 is an encryption of m 1 m 2 Noise becomes twice larger.

30 Somewhat homomorphic scheme The number of multiplications is limited. Noise grows with the number of multiplications. Noise must remain < p for correct decryption. p ρ p 2ρ p 4ρ

31 Gentry s technique To build a FHE scheme, start from the somewhat homomorphic scheme, that is: Only a polynomial of small degree can be homomorphically applied on ciphertexts. Otherwise the noise becomes too large and decryption becomes incorrect. Then, squash the decryption procedure: express the decryption function as a low degree polynomial in the bits of the ciphertext c and the secret key sk (equivalently a boolean circuit of small depth).

32 Gentry s technique To build a FHE scheme, start from the somewhat homomorphic scheme, that is: Only a polynomial of small degree can be homomorphically applied on ciphertexts. Otherwise the noise becomes too large and decryption becomes incorrect. Then, squash the decryption procedure: express the decryption function as a low degree polynomial in the bits of the ciphertext c and the secret key sk (equivalently a boolean circuit of small depth).

33 Ciphertext refresh: bootstrapping Gentry s breakthrough idea: refresh the ciphertext using the decryption circuit homomorphically. Evaluate the decryption polynomial not on the bits of the ciphertext c and the secret key sk, but homomorphically on the encryption of those bits. Instead of recovering the bit plaintext m, one gets an encryption of this bit plaintext, i.e. yet another ciphertext for the same plaintext. Ciphertext bits Secret key bits Encryption of Ciphertext bits secret key bits ???? Decryption Circuit + + Decryption Circuit Plaintext bit? Encryption of Plaintext bit = Refreshed Ciphertext

34 Ciphertext refresh Refreshed ciphertext: If the degree of the decryption polynomial is small enough, the resulting noise in this new ciphertext can be smaller than in the original ciphertext Fully homomorphic encryption: Given two refreshed ciphertexts one can apply again the homomorphic operation (either addition or multiplication), which was not necessarily possible on the original ciphertexts because of the noise threshold. Using this ciphertext refresh procedure the number of homomorphic operations becomes unlimited and we get a fully homomorphic encryption scheme.

35 Ciphertext refresh Refreshed ciphertext: If the degree of the decryption polynomial is small enough, the resulting noise in this new ciphertext can be smaller than in the original ciphertext Fully homomorphic encryption: Given two refreshed ciphertexts one can apply again the homomorphic operation (either addition or multiplication), which was not necessarily possible on the original ciphertexts because of the noise threshold. Using this ciphertext refresh procedure the number of homomorphic operations becomes unlimited and we get a fully homomorphic encryption scheme.

36 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

37 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

38 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

39 The squashed scheme from DGHV The basic decryption m (c mod p) mod 2 cannot be directly expressed as a boolean circuit of low depth. Alternative decryption formula for c = q p + 2r + m We have q = c/p and c = q + m (mod 2) Therefore m [c] 2 [ c (1/p) ] 2 Idea (Gentry, DGHV). Secret-share 1/p as a sparse subset sum: Θ 1/p = s i y i + ε i=1

40 The squashed scheme from DGHV The basic decryption m (c mod p) mod 2 cannot be directly expressed as a boolean circuit of low depth. Alternative decryption formula for c = q p + 2r + m We have q = c/p and c = q + m (mod 2) Therefore m [c] 2 [ c (1/p) ] 2 Idea (Gentry, DGHV). Secret-share 1/p as a sparse subset sum: Θ 1/p = s i y i + ε i=1

41 The squashed scheme from DGHV The basic decryption m (c mod p) mod 2 cannot be directly expressed as a boolean circuit of low depth. Alternative decryption formula for c = q p + 2r + m We have q = c/p and c = q + m (mod 2) Therefore m [c] 2 [ c (1/p) ] 2 Idea (Gentry, DGHV). Secret-share 1/p as a sparse subset sum: Θ 1/p = s i y i + ε i=1

42 Alternative equation Squashed decryption m [c] 2 [ c (1/p) ] 2 Secret-share 1/p as a sparse subset sum: 1/p = Θ s i y i + ε i=1 with random public κ-bit numbers y i, and sparse secret s i {0, 1}. Decryption becomes: [ Θ ] m [c] 2 s i (y i c) i=1 2

43 Alternative equation Squashed decryption m [c] 2 [ c (1/p) ] 2 Secret-share 1/p as a sparse subset sum: 1/p = Θ s i y i + ε i=1 with random public κ-bit numbers y i, and sparse secret s i {0, 1}. Decryption becomes: [ Θ ] m [c] 2 s i (y i c) i=1 2

44 Alternative equation Squashed decryption m [c] 2 [ c (1/p) ] 2 Secret-share 1/p as a sparse subset sum: 1/p = Θ s i y i + ε i=1 with random public κ-bit numbers y i, and sparse secret s i {0, 1}. Decryption becomes: [ Θ ] m [c] 2 s i (y i c) i=1 2

45 Squashed decryption Alternative decryption equation: [ Θ ] m [c] 2 s i z i where z i = y i c for public y i s Since s i is sparse with H(s i ) = θ, only n = log 2 (θ + 1) bits of precision for z i = y i c is required With θ = 15, only n = 4 bits of precision for z i = y i c i=1 The decryption function can then be expressed as a polynomial of low degree (30) in the s i s. 2

46 The decryption circuit Sb1 sb 0 1 sb = z1, = z1, = = z1,b = = q sb 0 i sb 1 j 0 0 = 1 Sb k=(i 1) θ+j zk, zk, = = = qk qθ = 0 zk,b = = Sbθ Plaintext bit sb 0 θ 0 1 sb 1 θ 1 0 = zθ, = zθ, = = zθ,b = =

47 Grade School addition The decryption equation is now: θ m c q k k=1 mod 2 where the q k s are rational in [0, 2) with n bits of precision after the binary point

48 Gentry s Bootstrapping The decryption circuit Can now be expressed as a polynomial of small degree d in the secret-key bits s i, given the z i = c y i. m = C zi (s 1,..., s Θ ) To refresh a ciphertext: Publish an encryption of the secret-key bits σ i = E pk (s i ) Homomorphically evaluate m = C zi (s 1,..., s Θ ), using the encryptions σ i = E pk (s i ) We get E pk (m), that is a new ciphertext but possibly with less noise (a recryption ). The new noise has size d ρ and is independent of the initial noise.

49 PK size and timings Instance λ ρ η γ pk size Recrypt Toy KB 0.41 s Small KB 4.5 s Medium MB 51 s Large MB 11 min

50 Conclusion Fully homomorphic encryption is a very active research area. Main challenge: make FHE pratical! Recent developments FHE without bootstrapping (modulus switching) [BGV11] Batch FHE [GHS12] Implementation with homomorphic evaluation of AES [GHS12]

### Information Security Theory vs. Reality

Information Security Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran Tromer Slides credit: Vinod Vaikuntanathan (U. Toronto)

### Computing on Encrypted Data

Computing on Encrypted Data Secure Internet of Things Seminar David Wu January, 2015 Smart Homes New Applications in the Internet of Things aggregation + analytics usage statistics and reports report energy

### NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA

THE PUBLISHING HOUSE PROCEEDINGS OF THE ROMANIAN ACADEMY, Series A, OF THE ROMANIAN ACADEMY Volume 14, Number 1/2013, pp. 72 77 NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA Laurenţiu BURDUŞEL Politehnica

### Associate Prof. Dr. Victor Onomza Waziri

BIG DATA ANALYTICS AND DATA SECURITY IN THE CLOUD VIA FULLY HOMOMORPHIC ENCRYPTION Associate Prof. Dr. Victor Onomza Waziri Department of Cyber Security Science, School of ICT, Federal University of Technology,

### Homomorphic encryption and emerging technologies COSC412

Homomorphic encryption and emerging technologies COSC412 Learning objectives Describe useful work that can be done on encrypted data Appreciate the overall way in which an example homomorphic encryption

### Secure Computation Martin Beck

Institute of Systems Architecture, Chair of Privacy and Data Security Secure Computation Martin Beck Dresden, 05.02.2015 Index Homomorphic Encryption The Cloud problem (overview & example) System properties

### Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu

### Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

### Homomorphic Encryption Method Applied to Cloud Computing

International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 15 (2014), pp. 1519-1530 International Research Publications House http://www. irphouse.com Homomorphic Encryption

### Fully homomorphic encryption equating to cloud security: An approach

IOSR Journal of Computer Engineering (IOSR-JCE) e-issn: 2278-0661, p- ISSN: 2278-8727Volume 9, Issue 2 (Jan. - Feb. 2013), PP 46-50 Fully homomorphic encryption equating to cloud security: An approach

### Computing Arbitrary Functions of Encrypted Data

Computing Arbitrary Functions of Encrypted Data Craig Gentry IBM T.J. Watson Research Center 19 Skyline Dr. Hawthorne, NY cbgentry@us.ibm.com ABSTRACT Suppose that you want to delegate the ability to process

### Outsourcing the Decryption of ABE Ciphertexts

Outsourcing the Decryption of ABE Ciphertexts Matthew Green and Susan Hohenberger Johns Hopkins University Brent Waters UT Austin Background A problem Securing records in a data-sharing environment E.g.,

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

### Secure Network Communication Part II II Public Key Cryptography. Public Key Cryptography

Kommunikationssysteme (KSy) - Block 8 Secure Network Communication Part II II Public Key Cryptography Dr. Andreas Steffen 2000-2001 A. Steffen, 28.03.2001, KSy_RSA.ppt 1 Secure Key Distribution Problem

### A Survey of Cloud Storage Security Research. Mar Kheng Kok Nanyang Polytechnic mar_kheng_kok@nyp.gov.sg

A Survey of Cloud Storage Security Research Mar Kheng Kok Nanyang Polytechnic mar_kheng_kok@nyp.gov.sg Presentation Outline Security concerns of cloud storage Data confidentiality in the cloud Data availability/integrity

### Privacy, Security and Cloud

Privacy, Security and Cloud Giuseppe Di Luna July 2, 2012 Giuseppe Di Luna 2012 1 July 2, 2012 Giuseppe Di Luna 2012 2 July 2, 2012 Giuseppe Di Luna 2012 3 Security Concerns: Data leakage Data handling

### Cryptography. Identity-based Encryption. Jean-Sébastien Coron and David Galindo. May 15, 2014. Université du Luxembourg

Identity-based Encryption Université du Luxembourg May 15, 2014 Summary Identity-Based Encryption (IBE) What is Identity-Based Encryption? Difference with conventional PK cryptography. Applications of

### Cryptography for the Cloud

Cryptography for the Cloud ENS - CNRS - INRIA Cyber-Sécurité - SPECIF CNAM, Paris, France - November 7th, 2014 The Cloud Introduction 2 Access from Anywhere Introduction 3 Available for Everything One

### Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

Outsourcing Computations to Untrusted Servers Security of Symmetric Ciphers in Network Protocols ICMS, May 26, 2015, Edinburgh Problem Motivation Problem Motivation Problem Motivation Problem Motivation

### 3. Applications of Number Theory

3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

### The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

### Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

### Onion ORAM: Constant Bandwidth ORAM with Server Computation Chris Fletcher

Onion ORAM: Constant Bandwidth ORAM with Server Computation Chris Fletcher Joint work with: Ling Ren, Marten van Dijk, Srini Devadas Current art and where to go next State of the art schemes Bandwidth:

### Efficient Multi-keyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption

Efficient Multi-keyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption Mengxi Nie 1,2, Peng Ran 1 and HaoMiao Yang 1,2 1 University of Electronic Science and Technology of China,

### A Fully Homomorphic Encryption Implementation on Cloud Computing

International Journal of Information & Computation Technology. ISSN 0974-2239 Volume 4, Number 8 (2014), pp. 811-816 International Research Publications House http://www. irphouse.com A Fully Homomorphic

### Elements of Applied Cryptography Public key encryption

Network Security Elements of Applied Cryptography Public key encryption Public key cryptosystem RSA and the factorization problem RSA in practice Other asymmetric ciphers Asymmetric Encryption Scheme Let

### A Fast Single Server Private Information Retrieval Protocol with Low Communication Cost

A Fast Single Server Private Information Retrieval Protocol with Low Communication Cost Changyu Dong 1 and Liqun Chen 2 1 Department of Computer and Information Sciences, University of Strathclyde, Glasgow,

### A FULLY HOMOMORPHIC ENCRYPTION SCHEME

A FULLY HOMOMORPHIC ENCRYPTION SCHEME A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS

### CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

### Numerical SQL Value Expressions Over Encrypted Cloud Databases

Numerical SQL Value Expressions Over Encrypted Cloud Databases Sushil Jajodia George Mason University Fairfax, Virginia, USA 1.703. 9932952 jajodia@gmu.edu Witold Litwin Université Paris Dauphine Paris,

### Analysis of Privacy-Preserving Element Reduction of Multiset

Analysis of Privacy-Preserving Element Reduction of Multiset Jae Hong Seo 1, HyoJin Yoon 2, Seongan Lim 3, Jung Hee Cheon 4 and Dowon Hong 5 1,4 Department of Mathematical Sciences and ISaC-RIM, Seoul

### CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

### CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

### 3-6 Toward Realizing Privacy-Preserving IP-Traceback

3-6 Toward Realizing Privacy-Preserving IP-Traceback The IP-traceback technology enables us to trace widely spread illegal users on Internet. However, to deploy this attractive technology, some problems

### Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

### The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

### On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption

On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption Adriana López-Alt New York University Eran Tromer Tel Aviv University Vinod Vaikuntanathan MIT Abstract We propose

### Tackling The Challenges of Big Data. Tackling The Challenges of Big Data Big Data Systems. Security is a Negative Goal. Nickolai Zeldovich

Introduction is a Negative Goal No way for adversary to violate security policy Difficult to achieve: many avenues of attack 1 Example: Confidential Database Application server Database server Approach:

### Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

### An Introduction to the RSA Encryption Method

April 17, 2012 Outline 1 History 2 3 4 5 History RSA stands for Rivest, Shamir, and Adelman, the last names of the designers It was first published in 1978 as one of the first public-key crytographic systems

### HEtest: A Homomorphic Encryption Testing Framework

HEtest: A Homomorphic Encryption Testing Framework Mayank Varia 1, Sophia Yakoubov 1, and Yang Yang 2, 1 MIT Lincoln Laboratory, {mayank.varia, sophia.yakoubov}@ll.mit.edu 2 Blizzard Entertainment, y4n9@alum.mit.edu

### Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

### Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks

Efficient and Robust Secure Aggregation of Encrypted Data in Wireless Sensor Networks J. M. BAHI, C. GUYEUX, and A. MAKHOUL Computer Science Laboratory LIFC University of Franche-Comté Journée thématique

### EPiC: Efficient Privacy-Preserving Counting for MapReduce

EPiC: Efficient Privacy-Preserving Counting for MapReduce Abstract. In the face of an untrusted cloud infrastructure, outsourced data needs to be protected. We present EPiC, a practical protocol for the

### 9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

### A Comparison of the Homomorphic Encryption Schemes FV and YASHE

A Comparison of the Homomorphic Encryption Schemes FV and YASHE Tancrède Lepoint 1, and Michael Naehrig 2 1 CryptoExperts, École Normale Supérieure and University of Luxembourg tancrede.lepoint@cryptoexperts.com

### New Constructions and Practical Applications for Private Stream Searching (Extended Abstract)

New Constructions and Practical Applications for Private Stream Searching (Extended Abstract)???? John Bethencourt CMU Dawn Song CMU Brent Waters SRI 1 Searching for Information Too much on-line info to

### EPiC: Efficient Privacy-Preserving Counting for MapReduce

EPiC: Efficient Privacy-Preserving Counting for MapReduce Triet D. Vo-Huu 1, Erik-Oliver Blass 2, and Guevara Noubir 1 1 Northeastern University, Boston MA 02115, USA, 2 Airbus Group Innovations, 81663

### An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud Sanjay Madria Professor and Site Director for NSF I/UCRC Center on Net-Centric Software and Systems Missouri University

### Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski 1 and Vinod Vaikuntanathan 2 1 Weizmann Institute of Science zvika.brakerski@weizmann.ac.il 2 Microsoft

### Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

### Universal Padding Schemes for RSA

Universal Padding Schemes for RSA Jean-Sébastien Coron, Marc Joye, David Naccache, and Pascal Paillier Gemplus Card International, France {jean-sebastien.coron, marc.joye, david.naccache, pascal.paillier}@gemplus.com

### CIS 6930 Emerging Topics in Network Security. Topic 2. Network Security Primitives

CIS 6930 Emerging Topics in Network Security Topic 2. Network Security Primitives 1 Outline Absolute basics Encryption/Decryption; Digital signatures; D-H key exchange; Hash functions; Application of hash

### Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

### Can Homomorphic Encryption be Practical?

Can Homomorphic Encryption be Practical? Kristin Lauter Microsoft Research klauter@microsoft.com Michael Naehrig Microsoft Research mnaehrig@microsoft.com Vinod Vaikuntanathan Microsoft Research vinod@microsoft.com

### An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm

An Efficient Data Security in Cloud Computing Using the RSA Encryption Process Algorithm V.Masthanamma 1,G.Lakshmi Preya 2 UG Scholar, Department of Information Technology, Saveetha School of Engineering

### Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

### Applied Cryptography Public Key Algorithms

Applied Cryptography Public Key Algorithms Sape J. Mullender Huygens Systems Research Laboratory Universiteit Twente Enschede 1 Public Key Cryptography Independently invented by Whitfield Diffie & Martin

### Symmetric Mechanisms for Authentication in IDRP

WG1/SG2 WP WG2/WP 488 International Civil Aviation Organization Aeronautical Telecommunication Network Panel (ATNP) WG2 and WG1/SG2 Meetings Honolulu, Hawaii, USA January 1999 Symmetric Mechanisms for

### Homomorphic Encryption Schema for Privacy Preserving Mining of Association Rules

Homomorphic Encryption Schema for Privacy Preserving Mining of Association Rules M.Sangeetha 1, P. Anishprabu 2, S. Shanmathi 3 Department of Computer Science and Engineering SriGuru Institute of Technology

### Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

### Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

### Secure Large-Scale Bingo

Secure Large-Scale Bingo Antoni Martínez-Ballesté, Francesc Sebé and Josep Domingo-Ferrer Universitat Rovira i Virgili, Dept. of Computer Engineering and Maths, Av. Països Catalans 26, E-43007 Tarragona,

### Introduction to Hill cipher

Introduction to Hill cipher We have explored three simple substitution ciphers that generated ciphertext C from plaintext p by means of an arithmetic operation modulo 26. Caesar cipher: The Caesar cipher

### 7! Cryptographic Techniques! A Brief Introduction

7! Cryptographic Techniques! A Brief Introduction 7.1! Introduction to Cryptography! 7.2! Symmetric Encryption! 7.3! Asymmetric (Public-Key) Encryption! 7.4! Digital Signatures! 7.5! Public Key Infrastructures

### Secure Data Storage on the Cloud using Homomorphic Encryption

Secure Data Storage on the Cloud using Homomorphic Encryption Manoj Kumar Mohanty Department of Computer Science and Engineering National Institute of Technology Rourkela Rourkela 769 008, India Secure

### Outline. Cryptography. Bret Benesh. Math 331

Outline 1 College of St. Benedict/St. John s University Department of Mathematics Math 331 2 3 The internet is a lawless place, and people have access to all sorts of information. What is keeping people

### A COMPARATIVE STUDY OF SECURE SEARCH PROTOCOLS IN PAY- AS-YOU-GO CLOUDS

A COMPARATIVE STUDY OF SECURE SEARCH PROTOCOLS IN PAY- AS-YOU-GO CLOUDS V. Anand 1, Ahmed Abdul Moiz Qyser 2 1 Muffakham Jah College of Engineering and Technology, Hyderabad, India 2 Muffakham Jah College

### Fully Homomorphic Encryption Using Ideal Lattices

Fully Homomorphic Encryption Using Ideal Lattices Craig Gentry Stanford University and IBM Watson cgentry@cs.stanford.edu ABSTRACT We propose a fully homomorphic encryption scheme i.e., a scheme that allows

### Attribute-Based Cryptography. Lecture 21 And Pairing-Based Cryptography

Attribute-Based Cryptography Lecture 21 And Pairing-Based Cryptography 1 Identity-Based Encryption 2 Identity-Based Encryption In PKE, KeyGen produces a random (PK,SK) pair 2 Identity-Based Encryption

### Cryptography and Network Security Chapter 9

Cryptography and Network Security Chapter 9 Fifth Edition by William Stallings Lecture slides by Lawrie Brown (with edits by RHB) Chapter 9 Public Key Cryptography and RSA Every Egyptian received two names,

### A Practical Security Framework for Cloud Storage and Computation

A Practical Security Framework for Cloud Storage and Computation Kavya Premkumar 1 *, Aditya Suresh Kumar 1, Saswati Mukherjee 2 1The Department of Computer Science Engineering, Guindy, Chennai, India.

### Batch Decryption of Encrypted Short Messages and Its Application on Concurrent SSL Handshakes

Batch Decryption of ncrypted Short Messages and Its Application on Concurrent SSL Handshakes Yongdong Wu and Feng Bao System and Security Department Institute for Infocomm Research 21, Heng Mui Keng Terrace,

### CSCE 465 Computer & Network Security

CSCE 465 Computer & Network Security Instructor: Dr. Guofei Gu http://courses.cse.tamu.edu/guofei/csce465/ Public Key Cryptogrophy 1 Roadmap Introduction RSA Diffie-Hellman Key Exchange Public key and

### Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890

Elliptic Curve Cryptography Methods Debbie Roser Math\CS 4890 Why are Elliptic Curves used in Cryptography? The answer to this question is the following: 1) Elliptic Curves provide security equivalent

### CLOUD computing systems, in which the clients

IEEE TRANSACTIONS ON CLOUD COMPUTING, VOL. X, NO. X, JANUARY 20XX 1 A Practical, Secure, and Verifiable Cloud Computing for Mobile Systems Sriram N. Premnath, Zygmunt J. Haas, Fellow, IEEE arxiv:1410.1389v1

### Research Article Two-Cloud-Servers-Assisted Secure Outsourcing Multiparty Computation

e Scientific World Journal, Article ID 413265, 7 pages http://dx.doi.org/10.1155/2014/413265 Research Article Two-Cloud-Servers-Assisted Secure Outsourcing Multiparty Computation Yi Sun, 1 Qiaoyan Wen,

### Notes for Recitation 5

6.042/18.062J Mathematics for Computer Science September 24, 2010 Tom Leighton and Marten van Dijk Notes for Recitation 5 1 Exponentiation and Modular Arithmetic Recall that RSA encryption and decryption

### Message Authentication Codes

2 MAC Message Authentication Codes : and Cryptography Sirindhorn International Institute of Technology Thammasat University Prepared by Steven Gordon on 28 October 2013 css322y13s2l08, Steve/Courses/2013/s2/css322/lectures/mac.tex,

### Enabling Real-Time Mobile Cloud Computing through Emerging Technologies

Enabling Real-Time Mobile Cloud Computing through Emerging Technologies Tolga Soyata University of Rochester, USA A volume in the Advances in Wireless Technologies and Telecommunication (AWTT) Book Series

### Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

### Computer Security: Principles and Practice

Computer Security: Principles and Practice Chapter 20 Public-Key Cryptography and Message Authentication First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Public-Key Cryptography

### Chapter 23. Database Security. Security Issues. Database Security

Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database

### Securing Cloud Infrastructure for High Performance Scientific Computations Using Cryptographic Techniques

Securing Cloud Infrastructure for High Performance Scientific Computations Using Cryptographic Techniques G K Patra 1, Nilotpal Chakraborty 2 Abstract In today's scenario, a large scale of engineering

### Meeting Cybersecurity Challenges through Innovative Computer System Design. Srini Devadas MIT

Meeting Cybersecurity Challenges through Innovative Computer System Design Srini Devadas MIT Attackers routinely compromise computer systems Attackers routinely compromise computer systems Attackers routinely

### References: Adi Shamir, How to Share a Secret, CACM, November 1979.

Ad Hoc Network Security References: Adi Shamir, How to Share a Secret, CACM, November 1979. Jiejun Kong, Petros Zerfos, Haiyun Luo, Songwu Lu, Lixia Zhang, Providing Robust and Ubiquitous Security Support

### Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM

Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM Srinivas Devadas, Marten van Dijk, Christopher W. Fletcher, Ling Ren, Elaine Shi, Daniel Wichs Massachusetts Institute of Technology {devadas, cwfletch,

### Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data Dario Catalano 1 and Dario Fiore 2 1 Dipartimento di Matematica e Informatica, Università di Catania, Italy. catalano@dmi.unict.it

### Security for Cloud & Big Data

Security for Cloud & Big Data CS 161: Computer Security Prof. David Wagner April 25, 2016 Awesome Project 2 Solutions Honorable mention: Vincent Wang and John Choi super-efficient updates (6-9x better

### Cryptographic Rule-Based Trading (Short Paper)

Cryptographic Rule-Based Trading (Short Paper) Christopher Thorpe and Steven R. Willis {cat,swillis}@generalcryptography.com General Cryptography Abstract. We present an interesting new protocol where

### Programmable Order-Preserving Secure Index for Encrypted Database Query

2012 IEEE Fifth International Conference on Cloud Computing Programmable Order-Preserving Secure Index for Encrypted Database Query Dongxi Liu Shenlu Wang CSIRO ICT Centre, Marsfield, NSW 2122, Australia

### VoteID 2011 Internet Voting System with Cast as Intended Verification

VoteID 2011 Internet Voting System with Cast as Intended Verification September 2011 VP R&D Jordi Puiggali@scytl.com Index Introduction Proposal Security Conclusions 2. Introduction Client computers could

### Chapter 23. Database Security. Security Issues. Database Security

Chapter 23 Database Security Security Issues Legal and ethical issues Policy issues System-related issues The need to identify multiple security levels 2 Database Security A DBMS typically includes a database

### A SOFTWARE COMPARISON OF RSA AND ECC

International Journal Of Computer Science And Applications Vol. 2, No. 1, April / May 29 ISSN: 974-13 A SOFTWARE COMPARISON OF RSA AND ECC Vivek B. Kute Lecturer. CSE Department, SVPCET, Nagpur 9975549138

### EFFICIENT ROOT FINDING OF POLYNOMIALS OVER FIELDS OF CHARACTERISTIC 2

EFFICIENT ROOT FINDING OF POLYNOMIALS OVER FIELDS OF CHARACTERISTIC 2 Vincent Herbert (Joint work with Bhaskar Biswas) WEWoRC 2009 INRIA Paris Rocquencourt V. Herbert (WEWoRC 2009) SECRET Project Team

### 1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies

1720 - Forward Secrecy: How to Secure SSL from Attacks by Government Agencies Dave Corbett Technical Product Manager Implementing Forward Secrecy 1 Agenda Part 1: Introduction Why is Forward Secrecy important?

### RSA Attacks. By Abdulaziz Alrasheed and Fatima

RSA Attacks By Abdulaziz Alrasheed and Fatima 1 Introduction Invented by Ron Rivest, Adi Shamir, and Len Adleman [1], the RSA cryptosystem was first revealed in the August 1977 issue of Scientific American.

### Private Inference Control For Aggregate Database Queries

Private Inference Control For Aggregate Database Queries Geetha Jagannathan geetha@cs.rutgers.edu Rebecca N. Wright Rebecca.Wright@rutgers.edu Department of Computer Science Rutgers, State University of