Learning with Errors


1 Learning with Errors. Chethan Kamath, IST Austria, April 22, 2015
2 Table of contents
Background: PAC Model; Noisy-PAC
Learning Parity with Noise: The Parity Function; Learning Parity with Noise; BKW Algorithm
Cryptography from LPN: Background/LWE; Bit-Encryption from LWE; Security
3 BACKGROUND
4 Notation
$X$: input set; $Y$: binary label set $\{0, 1\}$
$D$: distribution on the input set
$\chi$, $\eta$: distribution of the noise
$C$: concept class; $c$: target concept
$R(h)$: generalisation error of a hypothesis $h$, $R(h) := \Pr_{x \sim D}[h(x) \neq c(x)]$
5 PAC Model
The learner $L$ sends a request to the example oracle, which holds $D$ and the target $c \in C$; the oracle answers with a labelled example $(x, b)$, $x \sim D$, $b = c(x)$. After $q$ such requests $L$ outputs a hypothesis $h_S$.
6 PAC Model
Definition 1. A concept class $C$ is called PAC-learnable if there exists an algorithm $L$ and a function $q_0 = q_0(\epsilon, \delta)$ s.t. for any
1. $\epsilon > 0$ (accuracy: approximately correct)
2. $\delta > 0$ (confidence: probably)
3. distribution $D$ on $X$
4. target concept $c \in C$
$L$ outputs a hypothesis $h_S \in C$ s.t. for any sample size $q \geq q_0$:
$\Pr_{S \sim D^q}[R(h_S) \leq \epsilon] \geq 1 - \delta$
If $L$ runs in $\mathrm{poly}(1/\epsilon, 1/\delta)$ time, $C$ is efficiently PAC-learnable.
Distribution-free: nothing is assumed about $D$.
[1] Valiant, 1984
7 Noisy-PAC Model
As in the PAC model, but the oracle also holds a noise rate $\eta$: it answers a request with $x \sim D$ and $b \leftarrow_\eta c(x)$, i.e. $b = c(x)$ with probability $1 - \eta$ and $b = 1 - c(x)$ with probability $\eta$, independently for each example. $L$ outputs $h_S$.
8 Noisy-PAC Model
Definition 2. A concept class $C$ is efficiently learnable in the presence of random classification noise if there exists an algorithm $L$ and a function $q_0 = q_0(\epsilon, \delta)$ s.t. for any
1. $\epsilon > 0$ (accuracy: approximately correct)
2. $\delta > 0$ (confidence: probably)
3. distribution $D$ on $X$
4. target concept $c \in C$ and fixed noise rate $\eta < 1/2$
$L$ outputs a hypothesis $h_S \in C$ s.t. for any sample size $q \geq q_0$:
$\Pr_{S \sim D^q}[R(h_S) \leq \epsilon] \geq 1 - \delta$
and $L$ runs in $\mathrm{poly}(1/\epsilon, 1/\delta)$ time.
[2] Angluin and Laird, 1988
9 LEARNING PARITY WITH NOISE
10 The Parity Function: Definition
Denoted by $f_s$, where $s \in \mathbb{Z}_2^n$ determines it.
The value of the function is given by the rule $f_s(x) := \langle s, x \rangle \pmod 2$.
$C := \{f_s : s \in \mathbb{Z}_2^n\}$ and $|C| = 2^n$.
Restricted parity function: $f_s$ depends only on the first $k$ bits if all non-zero components of $s$ lie in the first $k$ bits.
11 Learning the Parity Function
The oracle holds $s \in \mathbb{Z}_2^n$; on a request from $L$ it returns $x \in \mathbb{Z}_2^n$ ($D$ = uniform) and $b = \langle s, x \rangle \pmod 2$.
Find $s$, given
$\langle s, x_1 \rangle = b_1 \pmod 2$, $\ldots$, $\langle s, x_q \rangle = b_q \pmod 2$
where $s \in \mathbb{Z}_2^n$, $x_i \in \mathbb{Z}_2^n$, $b_i \in \mathbb{Z}_2$ and $q = \mathrm{poly}(n)$.
It is possible to learn $s$ using $O(n)$ samples and $\mathrm{poly}(n)$ time: Gaussian elimination.
Learning for arbitrary $D$ is possible [3].
[3] Helmbold et al., 1992
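The Gaussian-elimination step of this slide, written out as an added example (not code from the slides). Vectors in $\mathbb{Z}_2^n$ are packed into Python ints (bit $j$ is coordinate $j$, an assumption of this example); each labelled example becomes one augmented row $x_i \mid b_i$, and after full reduction the label bit of the row with pivot $j$ is exactly $s_j$. The demo function draws a hidden $s$ and $q = 3n$ uniform noise-free samples and recovers $s$; it returns `None` when the samples do not yet span $\mathbb{Z}_2^n$, or when the system is inconsistent (which cannot happen without noise).

```python
import random

# Vectors over Z_2^n are packed into Python ints: bit j of the int is coordinate j.

def parity(x):
    """Sum of the bits of x modulo 2."""
    return bin(x).count("1") & 1

def inner_mod2(s, x):
    """<s, x> mod 2 for bit-packed vectors."""
    return parity(s & x)

def solve_parity(samples, n):
    """Recover s from noise-free labelled examples (x_i, b_i) with b_i = <s, x_i> mod 2.
    Gaussian elimination over GF(2): each row is the augmented vector x_i | b_i.
    Returns the unique solution, or None if the x_i do not span Z_2^n."""
    # Augmented row: bits 0..n-1 hold x_i, bit n holds the label b_i.
    rows = [x | (b << n) for x, b in samples]
    pivot_rows = {}                      # pivot column -> reduced row with that pivot
    for row in rows:
        # Forward elimination: clear every pivot column already found.
        for col, prow in pivot_rows.items():
            if (row >> col) & 1:
                row ^= prow
        lead = row & ((1 << n) - 1)      # x-part after reduction
        if lead == 0:
            if row >> n:                 # 0 = 1: inconsistent; impossible without noise
                return None
            continue                     # linearly dependent sample, no new information
        col = lead.bit_length() - 1      # highest set bit becomes the pivot column
        # Back substitution as we go: keep earlier pivot rows free of the new column.
        for c in list(pivot_rows):
            if (pivot_rows[c] >> col) & 1:
                pivot_rows[c] ^= row
        pivot_rows[col] = row
    if len(pivot_rows) < n:
        return None                      # not enough independent samples yet
    # Fully reduced: the row with pivot j reads e_j | s_j, so its label bit is s_j.
    s = 0
    for col, prow in pivot_rows.items():
        s |= (prow >> n) << col
    return s

def learn_parity_demo(seed, n=16, q=48):
    """Constructed demo: hidden s, q uniform noise-free samples, recovery by elimination.
    Returns (s, recovered)."""
    rng = random.Random(seed)
    s = rng.getrandbits(n)
    samples = []
    for _ in range(q):
        x = rng.getrandbits(n)
        samples.append((x, inner_mod2(s, x)))
    return s, solve_parity(samples, n)

if __name__ == "__main__":
    secret, guess = learn_parity_demo(1)
    print(f"secret={secret:016b} recovered={guess:016b} ok={secret == guess}")
```

Each row is reduced once against the pivots found so far, so the whole run costs $O(q \cdot n)$ word operations, and $q = O(n)$ uniform samples span $\mathbb{Z}_2^n$ except with probability $2^{-\Omega(q - n)}$.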
12 Learning Parity with Noise
The oracle holds $s \in \mathbb{Z}_2^n$; on a request it returns $x \in \mathbb{Z}_2^n$ and $b \leftarrow_\eta \langle s, x \rangle \pmod 2$ (the label is flipped with probability $\eta$).
Find $s$, given
$\langle s, x_1 \rangle \approx_\eta b_1 \pmod 2$, $\langle s, x_2 \rangle \approx_\eta b_2 \pmod 2$, $\ldots$, $\langle s, x_q \rangle \approx_\eta b_q \pmod 2$
where $s \in \mathbb{Z}_2^n$, $x_i \in \mathbb{Z}_2^n$, $b_i \in \mathbb{Z}_2$, $q = \mathrm{poly}(n)$ and $\eta < 1/2$ ($\approx_\eta$: the equation holds except with probability $\eta$, independently for each $i$).
Let $A_{s,\chi}$ denote this distribution.
13 Hardness of LPN: Intuition
Consider applying Gaussian elimination to the noisy samples to find the first bit: find $S \subseteq [q]$ s.t. $\sum_{i \in S} x_i = (1, 0, \ldots, 0)$.
But the noise is amplified: the resulting guess $\sum_{i \in S} b_i$ is correct only with probability $1/2 + 2^{-\Theta(n)}$.
Therefore the procedure needs to be repeated $2^{\Theta(n)}$ times.
Alternative: maximum-likelihood estimation of $s$ using $O(n)$ samples and $2^{O(n)}$ time.
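Where the $1/2 + 2^{-\Theta(n)}$ comes from, as an added derivation in the slide's notation (this is the piling-up lemma; it is not written out on the original slide). Write each noisy label as $b_i = \langle s, x_i \rangle + e_i \pmod 2$ with independent $e_i \sim \mathrm{Ber}(\eta)$. For $S \subseteq [q]$ with $\sum_{i \in S} x_i = (1, 0, \ldots, 0)$,

$$\sum_{i \in S} b_i = \Big\langle s, \sum_{i \in S} x_i \Big\rangle + \sum_{i \in S} e_i = s_1 + \sum_{i \in S} e_i \pmod 2,$$

so the guess equals $s_1$ iff $\sum_{i \in S} e_i = 0 \pmod 2$. Since $(-1)^{e}$ is $+1$ for an even and $-1$ for an odd sum, $\Pr[\text{even}] = \tfrac12\big(1 + \mathbb{E}[(-1)^{\sum_{i \in S} e_i}]\big)$, and by independence $\mathbb{E}[(-1)^{\sum_{i \in S} e_i}] = \prod_{i \in S} \mathbb{E}[(-1)^{e_i}] = (1 - 2\eta)^{|S|}$. Hence

$$\Pr\Big[\sum_{i \in S} b_i = s_1\Big] = \frac{1}{2} + \frac{1}{2}(1 - 2\eta)^{|S|}.$$

Gaussian elimination on uniformly random $x_i$ expresses $(1, 0, \ldots, 0)$ as a sum of $|S| = \Theta(n)$ samples, so for constant $\eta$ the advantage is $\tfrac12 (1 - 2\eta)^{\Theta(n)} = 2^{-\Theta(n)}$, and $2^{\Theta(n)}$ independent repetitions are needed to amplify it. The BKW algorithm below keeps $|S| = 2^{a-1}$ instead, which is exactly where its success probability $\tfrac12 + \tfrac12(1 - 2\eta)^{2^{a-1}}$ comes from.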
14 Hardness of LPN
Statistical Query (SQ) model [4]: the learning algorithm has access to statistical queries, that is, instead of individual labelled examples it gets (an estimate of) the probability that a given property holds for a random labelled example.
$C$ learnable in the SQ model implies $C$ learnable in the Noisy-PAC model.
LPN: hard to learn efficiently in the SQ model.
[4] Kearns, 1998
15 BKW ALGORITHM
16 Overview
Best known algorithm for LPN.
Solves LPN in time $2^{O(n / \log n)}$.
Block-wise Gaussian elimination.
Works by iterative zeroising.
Focus: LPN on the uniform distribution; the algorithm works for arbitrary distributions.
17 Setting
Two parameters $a$ and $b$ s.t. $n = ab$.
Each sample is partitioned into $a$ blocks of size $b$. That is, a sample $x = (x_1, \ldots, x_n) \in \mathbb{Z}_2^n$ is split as
$\underbrace{x_1, \ldots, x_b}_{\text{block } 1} \ \ldots \ \underbrace{x_{b(i-1)+1}, \ldots, x_{b(i-1)+b}}_{\text{block } i} \ \ldots \ \underbrace{x_{(a-1)b+1}, \ldots, x_n}_{\text{block } a}$
Definition: $V_i$, $i$-sample
$V_i$: the subspace of $\mathbb{Z}_2^{ab}$ consisting of those vectors whose last $i$ blocks have all bits equal to zero.
$i$-sample of size $s$: a set of $s$ vectors independently and uniformly distributed over $V_i$.
Example: 1-sample
$\underbrace{x_1, \ldots, x_b}_{\text{block } 1} \ \ldots \ \underbrace{x_{b(i-1)+1}, \ldots, x_{b(i-1)+b}}_{\text{block } i} \ \ldots \ \underbrace{0, 0, \ldots, 0}_{\text{block } a}$
18 Main Theorem
Theorem [5]. LPN can be solved with a sample size and total computation time $\mathrm{poly}\big((\tfrac{1}{1 - 2\eta})^{2^a}, 2^b\big)$.
Corollary. LPN for constant noise rate $\eta < 1/2$ can be solved with sample size and total computation time $2^{O(n / \log n)}$.
Proof: plug in $a = (\log n)/2$ and $b = 2n / \log n$.
[5] Blum et al., 2003
19 Zeroising
Input: $i$-samples $x_1, \ldots, x_s$
Output: $(i+1)$-samples $u_1, \ldots, u_{s'}$
$\mathrm{Zeroise}_i(x_1, \ldots, x_s)$:
1. Partition $x_1, \ldots, x_s$ based on the values in block $a - i$
2. For each partition $p$ pick a vector $x_{j_p}$ at random
3. Zeroise block $a - i$ by adding $x_{j_p}$ to each of the other vectors in the partition
4. Return the resulting vectors $u_1, \ldots, u_{s'}$
Lemma.
1. $u_1, \ldots, u_{s'}$ are $(i+1)$-samples with $s' \geq s - 2^b$
2. Each vector in $u_1, \ldots, u_{s'}$ is the sum of two vectors in $x_1, \ldots, x_s$
3. The runtime is $O(s)$
20 Main Algorithm
Input: $s$ labelled examples $(x_1, b_1), \ldots, (x_s, b_s)$
Output: a set $S \subseteq [s]$ s.t. $\sum_{i \in S} x_i = (1, 0, \ldots, 0)$
$\mathrm{Solve}(x_1, \ldots, x_s)$:
1. For $i = 0, \ldots, a - 2$, iteratively call $\mathrm{Zeroise}_i(\cdot)$ (the examples are $0$-samples; each call zeroes one more block)
2. Let $u_1, \ldots, u_{s'}$ be the resulting $(a-1)$-samples
3. If $(1, 0, \ldots, 0) \in \{u_1, \ldots, u_{s'}\}$, output the indices of the $2^{a-1}$-vector subset of $x_1, \ldots, x_s$ that resulted in $(1, 0, \ldots, 0)$
The first bit of $s$ is $\sum_{i \in S} b_i \pmod 2$.
Analysis
If $s = a 2^b$ then $s' \geq 2^b$ (each round loses at most $2^b$ vectors).
Probability of an output is $\geq 1 - 1/e$ (at least $2^b$ vectors uniform over $V_{a-1}$, which has $2^b$ elements).
Probability that the output is correct is $1/2 + \tfrac{1}{2}(1 - 2\eta)^{2^{a-1}}$.
Repeat $\mathrm{poly}\big((\tfrac{1}{1 - 2\eta})^{2^a}, b\big)$ times and take a majority vote to reduce the error probability.
21 Main Algorithm
The rest of the bits of $s$ can be found by running $\mathrm{Solve}(\cdot)$ on cyclic shifts of all the examples (a cyclic shift of every $x_i$ is an LPN instance for the same shift of $s$). Thus the total computation time is $\mathrm{poly}\big((\tfrac{1}{1 - 2\eta})^{2^a}, 2^b\big)$.
Recall: the restricted parity function depends only on $k$ bits of $s$.
If $k = O(\log n)$ then we can learn the parity in polynomial time.
This leads to a separation between the SQ model (where restricted LPN is hard) and the Noisy-PAC model.
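The Zeroising and Main Algorithm slides, implemented end to end as an added example (this is not the authors' code). Assumptions of the example: vectors are bit-packed Python ints with block $k$ in bits $[kb, (k+1)b)$; the label $b_i$ is carried along and summed whenever two samples are added, which is the same as remembering the index set $S$ and summing the $b_i$ at the end; and the representative of each partition is its first member rather than a random one, which is equivalent because the samples are i.i.d. uniform. Bit $k$ of $s$ is obtained by rotating every sample so that coordinate $k$ becomes coordinate $1$ and majority-voting over independent batches, as slide 21 describes. The toy parameters ($n = 12$, $a = 3$, $b = 4$, $\eta = 0.05$) are chosen so the demo runs in seconds; each vote is correct with probability $\tfrac12 + \tfrac12 (0.9)^4 \approx 0.83$.

```python
import random

# Vectors over Z_2^n are packed into Python ints: bit j is coordinate j.
# Block k (k = 0, ..., a-1) occupies bits [k*b, (k+1)*b); block 0 is "block 1"
# of the slides and block a-1 is the last block.

def inner_mod2(s, x):
    """<s, x> mod 2 for bit-packed vectors."""
    return bin(s & x).count("1") & 1

def lpn_samples(rng, s, n, eta, num):
    """num samples (x, b): x uniform in Z_2^n, b = <s, x> + e mod 2 with e ~ Ber(eta)."""
    out = []
    for _ in range(num):
        x = rng.getrandbits(n)
        e = 1 if rng.random() < eta else 0
        out.append((x, inner_mod2(s, x) ^ e))
    return out

def zeroise(samples, block, b):
    """One BKW round (Zeroise_i of the slides) on labelled samples: partition by the
    value of `block`, take one representative per partition and xor it into every
    other member.  Each output is the sum of two inputs, has `block` zeroed, and
    carries the sum of the two labels.  At most 2^b vectors (the representatives)
    are lost."""
    mask = ((1 << b) - 1) << (block * b)
    parts = {}
    for x, lab in samples:
        parts.setdefault(x & mask, []).append((x, lab))
    out = []
    for members in parts.values():
        rep_x, rep_lab = members[0]          # i.i.d. uniform inputs: first member is as good as random
        for x, lab in members[1:]:
            out.append((x ^ rep_x, lab ^ rep_lab))
    return out

def first_bit(samples, a, b):
    """Solve(.) of the slides: zero blocks a, a-1, ..., 2, then read s_1 off any
    surviving sample whose vector is (1, 0, ..., 0).  None if there is none."""
    for i in range(a - 1):
        samples = zeroise(samples, a - 1 - i, b)
    for x, lab in samples:
        if x == 1:
            return lab
    return None

def rotate_right(x, k, n):
    """Cyclic shift of an n-bit vector moving coordinate k to coordinate 0.
    <rot(s), rot(x)> = <s, x>, so rotated samples are LPN samples for rot(s)."""
    if k == 0:
        return x
    return ((x >> k) | (x << (n - k))) & ((1 << n) - 1)

def bkw(oracle, n, a, b, trials):
    """Recover s.  oracle() returns a fresh batch of LPN samples.  Bit k is found by
    running first_bit on rotated samples and taking a majority over `trials`
    batches (each vote is correct with probability 1/2 + (1-2 eta)^(2^(a-1)) / 2).
    Batches in which (1, 0, ..., 0) does not survive are skipped."""
    assert n == a * b
    s_hat = 0
    for k in range(n):
        ones = counted = 0
        for _ in range(4 * trials):
            if counted == trials:
                break
            batch = [(rotate_right(x, k, n), lab) for x, lab in oracle()]
            bit = first_bit(batch, a, b)
            if bit is None:
                continue
            ones += bit
            counted += 1
        if 2 * ones > counted:
            s_hat |= 1 << k
    return s_hat

def bkw_demo(seed, n=12, a=3, b=4, eta=0.05, batch=480, trials=81):
    """Constructed demo: random secret, noisy oracle, BKW recovery.  Returns (s, s_hat).
    batch is a*2^b plus slack so that e_1 survives the a-1 rounds with overwhelming probability."""
    rng = random.Random(seed)
    s = rng.getrandbits(n)
    oracle = lambda: lpn_samples(rng, s, n, eta, batch)
    return s, bkw(oracle, n, a, b, trials)

if __name__ == "__main__":
    secret, guess = bkw_demo(2015)
    print(f"secret={secret:012b} recovered={guess:012b} ok={secret == guess}")
```

Raising $a$ for a fixed $n$ shrinks $2^b$ (fewer samples per round) but squares the number of samples folded into each vote, so the per-vote advantage $(1 - 2\eta)^{2^{a-1}}$ collapses; that trade-off is the $\mathrm{poly}((\tfrac{1}{1-2\eta})^{2^a}, 2^b)$ in the theorem.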
22 CRYPTOGRAPHY FROM LPN
23 "In some sense, cryptography is the opposite of learning." (Shalev-Shwartz and Ben-David)
24 Cryptography 101
How to build protocols?
1. Assume a hard problem $\pi$ (e.g., factorisation, discrete log)
2. Build a protocol $\Pi$ on $\pi$
3. Aim: $\pi$ is hard $\Rightarrow$ $\Pi$ is not breakable; equivalently, $\Pi$ is breakable $\Rightarrow$ $\pi$ is not hard
Reductions: $\pi \leq \Pi$
1. Assume an adversary $A$ against $\Pi$ and use it to break $\pi$: the challenger $C_\pi$ of $\pi$ interacts with a reduction $B$, and $B$ plays the role of the $\Pi$-challenger towards $A$, turning $A$'s break of $\Pi$ into a solution of $\pi$.
2. Since $\pi$ is assumed to be hard, this leads to a contradiction.
25 Recall: LPN
Find $s$, given
$\langle s, x_1 \rangle \approx_\eta b_1 \pmod 2$, $\langle s, x_2 \rangle \approx_\eta b_2 \pmod 2$, $\ldots$, $\langle s, x_q \rangle \approx_\eta b_q \pmod 2$
where $s \in \mathbb{Z}_2^n$, $x_i \in \mathbb{Z}_2^n$, $b_i \in \mathbb{Z}_2$, $q = \mathrm{poly}(n)$ and $\eta < 1/2$.
26 Learning with Errors: LPN for higher moduli
Find $s$, given
$\langle s, x_1 \rangle \approx_\chi b_1 \pmod p$, $\langle s, x_2 \rangle \approx_\chi b_2 \pmod p$, $\ldots$, $\langle s, x_q \rangle \approx_\chi b_q \pmod p$
where $s \in \mathbb{Z}_p^n$, $x_i \in \mathbb{Z}_p^n$, $b_i \in \mathbb{Z}_p$, $q = \mathrm{poly}(n)$ and $\chi$ is a probability distribution on $\mathbb{Z}_p$; that is, $b_i = \langle s, x_i \rangle + e_i \pmod p$ with $e_i \sim \chi$.
LPN = LWE if $p = 2$ and $\chi(0) = 1 - \eta$, $\chi(1) = \eta$.
27 Hardness of LWE
Conjectured to be hard to break.
Lattice problems reduce [6] to LWE for an appropriate choice of $p$ and $\chi$.
Example: $p = O(n^2)$, $\alpha = o(1/(\sqrt{n} \log n))$ and $\chi = \bar{\Psi}_\alpha$, the discrete Gaussian on $\mathbb{Z}_p$ with standard deviation $\alpha p$.
For the above parameters SVP, SIVP $\leq$ LWE (Regev's reduction is a quantum reduction).
SVP: shortest vector problem; SIVP: shortest independent vectors problem.
The above parameters are used for the encryption scheme.
[6] Regev, 2005
28 REGEV S ENCRYPTION SCHEME
29 Encryption Scheme: Definitions
Consists of three algorithms $\Pi = (K, E, D)$
Key generation $K : \mathbb{N} \to \mathcal{K}$, $(pk, sk) \xleftarrow{\$} K(1^n)$
Encryption $E : \mathcal{M} \to \mathcal{C}$, $c \xleftarrow{\$} E(m, pk)$
Decryption $D : \mathcal{C} \to \mathcal{M} \cup \{\bot\}$, $m \leftarrow D(c, sk)$
Requirements:
1. Correctness: for all $(pk, sk) \xleftarrow{\$} K(1^n)$ and all $m \in \mathcal{M}$: $D(E(m, pk), sk) = m$
2. Security: the ciphertext $c$ should not leak any information about the plaintext $m$
30 Bit-Encryption from LWE
Bit-encryption: $\mathcal{M} = \{0, 1\}$
Parameters:
1. $n \in \mathbb{N}$: the security parameter
2. $p$: prime modulus of the underlying group ($p = O(n^2)$)
3. $l$: length of the public key ($l = 5n$)
4. $\chi = \bar{\Psi}_\alpha$
31 Bit-Encryption from LWE
Key generation, $K(1^n)$:
1. Secret key: $sk := s \xleftarrow{\$} \mathbb{Z}_p^n$
2. Public key: $pk := \{(x_i, b_i)\}_{i=1}^{l}$, where $x_1, \ldots, x_l \xleftarrow{\$} \mathbb{Z}_p^n$, $e_1, \ldots, e_l \xleftarrow{\$} \chi$ and $b_i := \langle x_i, s \rangle + e_i \pmod p$
Encryption, $E(m, pk)$:
1. Choose a random subset $S \subseteq [l]$
2. $c := \big(\sum_{i \in S} x_i,\ \sum_{i \in S} b_i\big)$ if $m = 0$; $c := \big(\sum_{i \in S} x_i,\ \lfloor p/2 \rfloor + \sum_{i \in S} b_i\big)$ if $m = 1$ (all sums modulo $p$)
Decryption, $D(c, sk)$: note that $c = (x, b)$
1. $m := 0$ if $b - \langle x, s \rangle$ is closer to $0$ than to $p/2$ (modulo $p$); $m := 1$ otherwise
32 Correctness
Intuition: since the noise is sampled from an appropriate discrete Gaussian, it does not drown the message.
Argument. Decryption computes $b - \langle x, s \rangle$, and the accumulated noise is
$e := \sum_{i \in S} e_i = b - \langle x, s \rangle$ if $m = 0$, and $e = b - \langle x, s \rangle - p/2$ if $m = 1$.
(Figure: $\mathbb{Z}_p$ drawn as a circle with $0$, $p/4$, $p/2$ and $3p/4$ marked; the arc within $p/4$ of $0$ decodes to $m = 0$, the arc within $p/4$ of $p/2$ decodes to $m = 1$.)
Error in decryption only if $|e| \geq p/4$.
Let $\chi'$ denote the distribution of $e$.
Claim: for $\chi = \bar{\Psi}_\alpha$, $\Pr_{e \sim \chi'}[|e| < p/4] > 1 - \delta$ for some negligible $\delta > 0$.
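The bit-encryption scheme of slides 31 and 32, implemented as an added example (not the authors' code) so the correctness argument can be checked numerically. Assumptions of the example: $\bar{\Psi}_\alpha$ is replaced by a rounded Gaussian of standard deviation $\sigma = \alpha p$ (same shape, no exact tail treatment); $p$ is the first prime $\geq n^2$ and $l = 5n$ as on slide 30; the subset $S$ includes each index independently with probability $1/2$; and $\sigma = 2$ is picked so that decryption is correct at this toy size ($n = 20$, $p = 401$). That noise is far narrower than the $\alpha p > 2\sqrt{n}$ the hardness reduction needs, so these parameters illustrate correctness only and are not secure. `decryption_error` returns the centred $e$ of slide 32, so the claim $|e| < p/4$ can be checked ciphertext by ciphertext.

```python
import random

def is_prime(m):
    """Trial division; adequate for p = O(n^2) at toy sizes."""
    if m < 2:
        return False
    d = 2
    while d * d <= m:
        if m % d == 0:
            return False
        d += 1
    return True

def next_prime(m):
    while not is_prime(m):
        m += 1
    return m

def sample_noise(rng, p, sigma):
    """Rounded Gaussian on Z_p with standard deviation sigma, standing in for
    Psi_alpha with sigma = alpha * p."""
    return round(rng.gauss(0.0, sigma)) % p

def inner_mod(x, s, p):
    return sum(xi * si for xi, si in zip(x, s)) % p

def keygen(rng, n, p, l, sigma):
    """sk = s in Z_p^n; pk = l LWE samples (x_i, <x_i, s> + e_i mod p)."""
    s = [rng.randrange(p) for _ in range(n)]
    pk = []
    for _ in range(l):
        x = [rng.randrange(p) for _ in range(n)]
        b = (inner_mod(x, s, p) + sample_noise(rng, p, sigma)) % p
        pk.append((x, b))
    return pk, s

def encrypt(rng, pk, p, m):
    """Random subset S of the public-key samples; c = (sum x_i, sum b_i + m*floor(p/2))."""
    n = len(pk[0][0])
    x_sum = [0] * n
    b_sum = 0
    for x, b in pk:
        if rng.getrandbits(1):            # i in S with probability 1/2
            x_sum = [(u + v) % p for u, v in zip(x_sum, x)]
            b_sum = (b_sum + b) % p
    return x_sum, (b_sum + m * (p // 2)) % p

def centred(v, p):
    """Representative of v mod p in (-p/2, p/2]."""
    v %= p
    return v - p if v > p // 2 else v

def decrypt(sk, p, c):
    """m = 0 if b - <x, s> is closer to 0 than to p/2 (mod p), else 1."""
    x, b = c
    d = (b - inner_mod(x, sk, p)) % p
    return 0 if abs(centred(d, p)) < p / 4 else 1

def decryption_error(sk, p, c, m):
    """The accumulated noise e = b - <x, s> - m*floor(p/2), centred.  Decryption is
    correct whenever |e| < p/4 (strictly |e| < (p-1)/4, since p/2 is rounded down)."""
    x, b = c
    return centred(b - inner_mod(x, sk, p) - m * (p // 2), p)

def regev_demo(seed, n=20, sigma=2.0, trials=200):
    """Constructed demo with toy parameters: p = first prime >= n^2, l = 5n.
    Encrypts alternating bits; returns (correct decryptions, largest |e| seen, p/4)."""
    rng = random.Random(seed)
    p = next_prime(n * n)
    l = 5 * n
    pk, sk = keygen(rng, n, p, l, sigma)
    correct, worst = 0, 0
    for t in range(trials):
        m = t & 1
        c = encrypt(rng, pk, p, m)
        correct += decrypt(sk, p, c) == m
        worst = max(worst, abs(decryption_error(sk, p, c, m)))
    return correct, worst, p / 4

if __name__ == "__main__":
    ok, worst, bound = regev_demo(3)
    print(f"correct={ok}/200 max|e|={worst} p/4={bound}")
```

With $|S| \approx l/2 = 50$ terms of standard deviation $\sigma = 2$, the accumulated noise $e$ has standard deviation about $14$, so $|e| \geq p/4 \approx 100$ is a seven-sigma event; raising $\sigma$ towards the regime the reduction needs makes $\max |e|$ approach $p/4$ quickly, which is why Regev's parameters tie $\alpha$, $p$ and $l$ together.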
33 Security
Distributions involved:
1. $A_{s,\eta}$: LWE sampling
2. $C_m$: ciphertext corresponding to the encryption of bit $m$
3. $U$: uniform distribution on $\mathbb{Z}_p^n \times \mathbb{Z}_p$
$D : X \not\approx Y$ denotes that $D$ distinguishes $X$ from $Y$.
Argument
1. Assume that the ciphertexts are distinguishable
2. $\exists A$ s.t. $A : C_0 \not\approx C_1$ $\Rightarrow$
3. $\exists A'$ s.t. $A' : C_0 \not\approx U$ [shifting + averaging] $\Rightarrow$
4. $\exists A''$ s.t. $A'' : A_{s,\eta} \not\approx U$ [Leftover Hash Lemma: if the public key were uniform, $C_0$ would be statistically close to $U$]
Step 4 contradicts the assumed hardness of (decision) LWE.
34 More LWE
Post-Quantum Cryptosystems
Fully-Homomorphic Encryption [7]
[7] Brakerski and Vaikuntanathan, 2011
35 Sources
Mohri et al., Foundations of Machine Learning
Shalev-Shwartz and Ben-David, Understanding Machine Learning
Regev, On Lattices, Learning with Errors, Random Linear Codes, and Cryptography
Blum et al., Noise-Tolerant Learning, the Parity Problem, and the Statistical Query Model
36 THANK YOU!
More informationBreaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and
Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study
More informationThreshold Identity Based Encryption Scheme without Random Oracles
WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yatsen University Guangzhou, P.R. China Yanming Wang Lingnan College
More informationSignature Schemes. CSG 252 Fall 2006. Riccardo Pucella
Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by
More informationLecture 7: Hashing III: Open Addressing
Lecture 7: Hashing III: Open Addressing Lecture Overview Open Addressing, Probing Strategies Uniform Hashing, Analysis Cryptographic Hashing Readings CLRS Chapter.4 (and.3.3 and.5 if interested) Open Addressing
More informationNoninteractive and Reusable Nonmalleable Commitment Schemes
Noninteractive and Reusable Nonmalleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider nonmalleable (NM) and universally composable (UC) commitment schemes in the
More informationEfficient Multikeyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption
Efficient Multikeyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption Mengxi Nie 1,2, Peng Ran 1 and HaoMiao Yang 1,2 1 University of Electronic Science and Technology of China,
More informationPolynomials and the Fast Fourier Transform (FFT) Battle Plan
Polynomials and the Fast Fourier Transform (FFT) Algorithm Design and Analysis (Wee 7) 1 Polynomials Battle Plan Algorithms to add, multiply and evaluate polynomials Coefficient and pointvalue representation
More informationCHAPTER 5. Number Theory. 1. Integers and Division. Discussion
CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a
More informationCOMMUTATIVE RINGS. Definition: A domain is a commutative ring R that satisfies the cancellation law for multiplication:
COMMUTATIVE RINGS Definition: A commutative ring R is a set with two operations, addition and multiplication, such that: (i) R is an abelian group under addition; (ii) ab = ba for all a, b R (commutative
More informationNEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA
THE PUBLISHING HOUSE PROCEEDINGS OF THE ROMANIAN ACADEMY, Series A, OF THE ROMANIAN ACADEMY Volume 14, Number 1/2013, pp. 72 77 NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA Laurenţiu BURDUŞEL Politehnica
More informationTextbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures
Textbook: Introduction to Cryptography 2nd ed. By J.A. Buchmann Chap 12 Digital Signatures Department of Computer Science and Information Engineering, Chaoyang University of Technology 朝 陽 科 技 大 學 資 工
More information