Learning with Errors

Save this PDF as:

Size: px
Start display at page:

Transcription

1 Learning with Errors Chethan Kamath IST Austria April 22, 2015

2 Table of contents Background PAC Model Noisy-PAC Learning Parity with Noise The Parity Function Learning Parity with Noise BKW Algorithm Cryptography from LPN Background/LWE Bit-Encryption from LWE Security

3 BACKGROUND

4 Notation X : input set; Y : binary label-set {0, 1} D: distribution on the input set χ, η: distribution of the noise C: concept class, c: target concept R(h): generalisation error for a hypothesis h R(h) := P (h(x) c(x)) x D

5 PAC Model request D, c C L x D, b = c(x) h S

6 PAC Model Definition 1 A concept class C is called PAC-learnable if there exists an algorithm L and a function q 0 = q 0 (ɛ, δ) s.t. for any 1. ɛ > 0 (accuracy: approximately correct) 2. δ > 0 (confidence: probably) 3. distribution D on X 4. target concept c C outputs a hypothesis h S C s.t. for any sample size q q 0 : P S D q(r(h S) ɛ) (1 δ) If L runs in poly(1/ɛ, 1/δ)-time, C is efficiently PAC-learnable Distribution-free 1 Valiant, 1984

7 Noisy-PAC Model request D, c, η L x D, b η c(x) h S

8 Noisy-PAC Model Definition 2 A concept class C is efficiently learnable in presence of random classification noise if there exists an algorithm L and a function q 0 = q 0 (ɛ, δ) s.t. for any 1. ɛ > 0 (accuracy: approximately correct) 2. δ > 0 (confidence: probably) 3. distribution D on X 4. target concept c C and fixed noise-rate η < 1/2 outputs a hypothesis h S C s.t. for any sample size q q 0 : P S D q(r(h S) ɛ) (1 δ) and L runs in poly(1/ɛ, 1/δ)-time 2 Angluin and Laird, 1998

9 LEARNING PARITY WITH NOISE

10 The Parity Function: Definition Denoted by f s, where s Z n 2 determines it The value of the function is given by the rule f s (x) := s, x (mod 2) C := {f s : s Z n 2 } and C = 2n Restricted parity function: f s depends on only the first k bits if all non-zero components of s lies in the first k bits

11 Learning the Parity Function s Z n 2 request L s x Z n 2, b = s, x (mod 2) Find s, given s, x 1 = b 1 (mod 2). s, x q = b q (mod 2) where s Z n 2, x i Z n 2 (D=uniform), b i Z 2 and q poly(n) It is possible to learn s using O(n) samples and poly(n) time: Gaussian elimination Learning for arbitrary D possible 3 3 Helmbold et al., 1992

12 Learning Parity with Noise s Z n 2 request L s x Z n 2, b η s, x (mod 2) Find s, given s, x 1 η b 1 (mod 2) s, x 2 η b 2 (mod 2). s, x q η b q (mod 2) where s Z n 2, x i Z n 2, b i Z 2, q poly(n) and η < 1/2 Let A s,χ denote this distribution

13 Hardness of LPN: Intuition Consider applying Gaussian elimination to the noisy samples to find the first bit Find S [q] s.t. i S x i = (1, 0,..., 0) But the noise is amplified: solution correct only with probability 1/2 + 2 Θ(n) Therefore, the procedure needs to be repeated 2 Θ(n) times Alternative: maximum likelihood estimation of s using O(n) samples and 2 O(n) time

14 Hardness of LPN Statistical Query 4 Model: the learning algorithm has access to statistical queries, that is instead of the label, it get the probability of a property holding for the particular example C is learnable in SQ-model imples it is learnable in the Noisy-PAC model LPN: Hard to learn efficiently in the SQ-model 4 Kearns, 1998

15 BKW ALGORITHM

16 Overview Best known algorithm for LPN Solves LPN in time O(2 n/ log n ) Block-wise Gaussian elimination Works by iterative zeroising Focus: LPN on uniform distribution; algorithm works for arbitrary distributions

17 Setting Two parameters: a and b s.t. n ab Each sample is partitioned into a blocks of size b. That is, a sample, x = x 1,..., x n Z n 2 is split as x 1,..., x }{{ b... x } b(i 1)+1,..., x b(i 1)+b... x k b,..., x n }{{}}{{} block 1 block i block a Definition: V i, i-sample V i : the subspace of Z ab 2 consisting of those vectors whose last i blocks have all bits equal to zero i-sample of size s: a set of s vectors independently and uniformly distributed over V i. Example: 1-sample x 1,..., x }{{ b... x } b(i 1)+1,..., x b(i 1)+b... 0, 0,..., 0 }{{}}{{} block 1 block i block a

18 Main Theorem Theorem 5 LPN can be solved with a sample-size and total computation time poly(( 1 1 2η )2a, 2 b ). Corollary LPN for constant noise-rate η < 1/2 can be solved with sample-size and total computation time 2 O(n/ log n). Proof: Plug in a = (log n)/2 and b = 2n/ log n 5 Blum et al., 2003

19 Zeroising Input: i-samples x 1,..., x s Output: (i + 1)-samples u 1,..., u s Zeroise i (x 1,..., x s ). 1. Partition x 1,..., x s based on the values in block a i 2. For each partition p pick a vector x jp at random 3. Zeroise by x jp to each of the other vectors in the partition 4. Return the resulting vectors u 1,..., u s Lemma 1. u 1,..., u s are (i + 1)-samples with s s 2 b 2. Each vector in u 1,..., u s is written as the sum of two vectors in x 1,..., x s 3. The run-time O(s)

20 Main Algorithm Input: s labelled examples (x 1, b 1 ),..., (x s, b s ) Output: set S [s] s.t. i S x i = (1, 0,..., 0) Solve(x 1,..., x s ): 1. For i = 1,..., a 1, iteratively call Zeroise i ( ) 2. Let u 1,..., u s be the resulting (a 1)-samples 3. If (1, 0,..., 0) {u 1,..., u s } output the index of the 2 a 1 vectors subset of x 1,..., x s that resulted in (1, 0,..., 0) The first bit of s is: i S b i (mod 2) Analysis If s = a2 b, then s 2 b Probability of output is (1 1/e) Probability that output is correct is 1/2 + 1/2(1 2η) 2a 1 1 Repeat poly(( 1 2η )2a, b) times to reduce the error probability

21 Main Algorithm The rest of the bits of s can be found using Solve( ) on cycling shifting all the examples. Thus the effective computation time is poly(( 1 1 2η )2a, 2 b ) Recall: Restricted parity function depends only on k bits of s If k = O(log n) then we can learn the parity in O(n) Leads to separation between SQ-Model (where restricted-lpn is hard) and the noisy-pac model

22 CRYPTOGRAPHY FROM LPN

23 In some sense, cryptography is the opposite of learning. Shalev-Schwartz and Ben-David

24 Cryptography 101 How to build protocols? 1. Assume a hard problem π (e.g., factorisation, discrete-log) 2. Build a protocol Π on π 3. Aim: η is hard = Π is not breakable Π is breakable = π is not hard Reductions: π Π 1. Assume an adversary A against Π and use it to break π C π π Π B Π A 2. Since η is assumed to be hard, this leads to a contradiction.

25 Recall: LPN Find s, given s, x 1 η b 1 (mod 2) s, x 2 η b 2 (mod 2). s, x q η b q (mod 2) where s Z n 2, x i Z n 2, b i Z 2, q poly(n) and η < 1/2

26 Learning with Errors: LPN for higher moduli Find s, given s, x 1 χ b 1 (mod p) s, x 2 χ b 2 (mod p). s, x q χ b q (mod p) where s Z n p, x i Z n p, b i Z p, q poly and χ is a probability distribution on Z p LPN=LWE if p = 2 and χ(0) = 1 η, χ(1) = η

27 Hardness of LWE Conjectured to be hard to break Lattice problems reduce 6 to LWE for appropriate choice of p and χ Example: p = O(n 2 ), α = O( n log n) and χ = Ψ α, discrete Gaussian on Z p with s.d. αp For the above parameters SVP, SIVP LWE SVP: shortest-vector problem SIVP: shortest independent vectors problem The above parameters used for the encryption scheme 6 Regev, 2005

28 REGEV S ENCRYPTION SCHEME

29 Encryption Scheme: Definitions Consists of three algorithms Π = {K, E, D} Key Generation. K : N K (pk, sk) \$ K(1 n ) Encryption. E : M C c \$ E(m, pk) Decryption. D : C M { } m D(c, sk) Requirements: 1. Correctness: for all (pk, sk) \$ K(1 n ), m \$ M D(E(pk, m), sk) = m 2. Security: ciphertext c should not leak any information about the plaintext m

30 Bit-Encryption from LWE Bit-Encryption: M = {0, 1} Parameters: 1. n N: the security parameter 2. p: prime modulus of the underlying group (p = O(n 2 )) 3. l: length of the public key (l = 5n) 4. χ = Ψ α

31 Key Generation, K(1 n ): Bit-Encryption from LWE 1. Secret key: sk := s \$ Z n p 2. Public key: pk := {x i, b i } l i=1, where \$ x 1,..., x l Z n \$ p, e 1,..., e l χ and b i := x i, s + e i Encryption, E(m, pk): 1. Choose { random S [l] ( i S 2. c := x i, i S b i) if m = 0 ( i S x i, p/2 + i S b i) if m = 1 Decryption, D(c, sk): Note that c = (x, b) { 1. m 0 if b x, s is closer to 0 than p/2 (modulo p) := 1 otherwise

32 Correctness Intuition: since the noise is sampled from appropriate discrete Gaussian, it does not drown the message Argument Decryption: e := { i S e b x, s if m = 0 i = b x, s p/2 if m = 1 m = 0 m = 1 p/4 0 p/4 p/2 3p/4 Error in decryption only if e < p/4 Let s χ denote the distribution of e Claim: for χ = Ψ α P e χ (e < p/4) > 1 δ for some δ > 0

33 Security Distributions involved: 1. A s,η : LWE sampling 2. C m : ciphertext corresponding to encryption of bit m 3. U : uniform distribution on Z n p Z p D X Y : denotes that D distinguishes X from Y Argument 1. Assume that the ciphertexts are distinguishable 2. A s.t. C 0 C 1 = A A 3. A s.t. C 0 U [shifting + averaging] = 4. A s.t. A s,η A U [Leftover Hash Lemma]

34 More LWE Post-Quantum Cryptosystems Fully-Homomorphic Encryption 7 7 Brakerski and Vaikuntanathan, 2011

35 Sources Mohri et al. Foundations of Machine Learning Shalev-Schwartz and Ben-David Understanding Machine Learning Regev On Lattices, Learning with Errors, Random Linear Codes, and Cryptography Blum et al. Noise-Tolerant Learning, the Parity Problem and the SQ Model

36 THANK YOU!

The Learning with Errors Problem

The Learning with Errors Problem Oded Regev Abstract In this survey we describe the Learning with Errors (LWE) problem, discuss its properties, its hardness, and its cryptographic applications. 1 Introduction

Post-Quantum Cryptography #4

Post-Quantum Cryptography #4 Prof. Claude Crépeau McGill University http://crypto.cs.mcgill.ca/~crepeau/waterloo 185 ( 186 Attack scenarios Ciphertext-only attack: This is the most basic type of attack

Family Name:... First Name:... Section:... Advanced Cryptography Final Exam July 18 th, 2006 Start at 9:15, End at 12:00 This document consists of 12 pages. Instructions Electronic devices are not allowed.

Lecture 10: CPA Encryption, MACs, Hash Functions. 2 Recap of last lecture - PRGs for one time pads

CS 7880 Graduate Cryptography October 15, 2015 Lecture 10: CPA Encryption, MACs, Hash Functions Lecturer: Daniel Wichs Scribe: Matthew Dippel 1 Topic Covered Chosen plaintext attack model of security MACs

CIS 5371 Cryptography. 8. Encryption --

CIS 5371 Cryptography p y 8. Encryption -- Asymmetric Techniques Textbook encryption algorithms In this chapter, security (confidentiality) is considered in the following sense: All-or-nothing secrecy.

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem Jintai Ding, Xiang Xie, Xiaodong Lin University of Cincinnati Chinese Academy of Sciences Rutgers University Abstract.

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski 1 and Vinod Vaikuntanathan 2 1 Weizmann Institute of Science zvika.brakerski@weizmann.ac.il 2 Microsoft

Lecture 5 - CPA security, Pseudorandom functions

Lecture 5 - CPA security, Pseudorandom functions Boaz Barak October 2, 2007 Reading Pages 82 93 and 221 225 of KL (sections 3.5, 3.6.1, 3.6.2 and 6.5). See also Goldreich (Vol I) for proof of PRF construction.

Lecture 13 - Basic Number Theory.

Lecture 13 - Basic Number Theory. Boaz Barak March 22, 2010 Divisibility and primes Unless mentioned otherwise throughout this lecture all numbers are non-negative integers. We say that A divides B, denoted

9 Modular Exponentiation and Cryptography

9 Modular Exponentiation and Cryptography 9.1 Modular Exponentiation Modular arithmetic is used in cryptography. In particular, modular exponentiation is the cornerstone of what is called the RSA system.

(x + a) n = x n + a Z n [x]. Proof. If n is prime then the map

22. A quick primality test Prime numbers are one of the most basic objects in mathematics and one of the most basic questions is to decide which numbers are prime (a clearly related problem is to find

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs

Cryptographic hash functions and MACs Solved Exercises for Cryptographic Hash Functions and MACs Enes Pasalic University of Primorska Koper, 2014 Contents 1 Preface 3 2 Problems 4 2 1 Preface This is a

3. Applications of Number Theory

3. APPLICATIONS OF NUMBER THEORY 163 3. Applications of Number Theory 3.1. Representation of Integers. Theorem 3.1.1. Given an integer b > 1, every positive integer n can be expresses uniquely as n = a

QUANTUM COMPUTERS AND CRYPTOGRAPHY. Mark Zhandry Stanford University

QUANTUM COMPUTERS AND CRYPTOGRAPHY Mark Zhandry Stanford University Classical Encryption pk m c = E(pk,m) sk m = D(sk,c) m??? Quantum Computing Attack pk m aka Post-quantum Crypto c = E(pk,m) sk m = D(sk,c)

School of Computer Science, Carnegie Mellon University, Pittsburgh, PA 15213

,, 1{8 () c A Note on Learning from Multiple-Instance Examples AVRIM BLUM avrim+@cs.cmu.edu ADAM KALAI akalai+@cs.cmu.edu School of Computer Science, Carnegie Mellon University, Pittsburgh, PA 1513 Abstract.

Fuzzy Identity-Based Encryption

Fuzzy Identity-Based Encryption Janek Jochheim June 20th 2013 Overview Overview Motivation (Fuzzy) Identity-Based Encryption Formal definition Security Idea Ingredients Construction Security Extensions

1 Message Authentication

Theoretical Foundations of Cryptography Lecture Georgia Tech, Spring 200 Message Authentication Message Authentication Instructor: Chris Peikert Scribe: Daniel Dadush We start with some simple questions

MODULAR ARITHMETIC. a smallest member. It is equivalent to the Principle of Mathematical Induction.

MODULAR ARITHMETIC 1 Working With Integers The usual arithmetic operations of addition, subtraction and multiplication can be performed on integers, and the result is always another integer Division, on

Homework 5 Solutions

Homework 5 Solutions 4.2: 2: a. 321 = 256 + 64 + 1 = (01000001) 2 b. 1023 = 512 + 256 + 128 + 64 + 32 + 16 + 8 + 4 + 2 + 1 = (1111111111) 2. Note that this is 1 less than the next power of 2, 1024, which

Public Key Cryptography: RSA and Lots of Number Theory

Public Key Cryptography: RSA and Lots of Number Theory Public vs. Private-Key Cryptography We have just discussed traditional symmetric cryptography: Uses a single key shared between sender and receiver

Lattice-based Cryptography

Lattice-based Cryptography Daniele Micciancio Oded Regev July 22, 2008 1 Introduction In this chapter we describe some of the recent progress in lattice-based cryptography. Lattice-based cryptographic

Discrete Mathematics Lecture 3 Elementary Number Theory and Methods of Proof. Harper Langston New York University

Discrete Mathematics Lecture 3 Elementary Number Theory and Methods of Proof Harper Langston New York University Proof and Counterexample Discovery and proof Even and odd numbers number n from Z is called

Computing exponents modulo a number: Repeated squaring

Computing exponents modulo a number: Repeated squaring How do you compute (1415) 13 mod 2537 = 2182 using just a calculator? Or how do you check that 2 340 mod 341 = 1? You can do this using the method

Discrete Mathematics, Chapter 4: Number Theory and Cryptography

Discrete Mathematics, Chapter 4: Number Theory and Cryptography Richard Mayr University of Edinburgh, UK Richard Mayr (University of Edinburgh, UK) Discrete Mathematics. Chapter 4 1 / 35 Outline 1 Divisibility

An improved LPN algorithm

An improved LPN algorithm Éric Levieil and Pierre-Alain Fouque École normale supérieure, 45 rue d Ulm, 75230 Paris Cedex 05, France {Eric.Levieil,Pierre-Alain.Fouque}@ens.fr Abstract. HB + is a shared-key

Breaking An Identity-Based Encryption Scheme based on DHIES

Breaking An Identity-Based Encryption Scheme based on DHIES Martin R. Albrecht 1 Kenneth G. Paterson 2 1 SALSA Project - INRIA, UPMC, Univ Paris 06 2 Information Security Group, Royal Holloway, University

Index Calculation Attacks on RSA Signature and Encryption

Index Calculation Attacks on RSA Signature and Encryption Jean-Sébastien Coron 1, Yvo Desmedt 2, David Naccache 1, Andrew Odlyzko 3, and Julien P. Stern 4 1 Gemplus Card International {jean-sebastien.coron,david.naccache}@gemplus.com

Cryptography: RSA and the discrete logarithm problem

Cryptography: and the discrete logarithm problem R. Hayden Advanced Maths Lectures Department of Computing Imperial College London February 2010 Public key cryptography Assymmetric cryptography two keys:

Digital Signatures. Prof. Zeph Grunschlag

Digital Signatures Prof. Zeph Grunschlag (Public Key) Digital Signatures PROBLEM: Alice would like to prove to Bob, Carla, David,... that has really sent them a claimed message. E GOAL: Alice signs each

Outline. CSc 466/566. Computer Security. 8 : Cryptography Digital Signatures. Digital Signatures. Digital Signatures... Christian Collberg

Outline CSc 466/566 Computer Security 8 : Cryptography Digital Signatures Version: 2012/02/27 16:07:05 Department of Computer Science University of Arizona collberg@gmail.com Copyright c 2012 Christian

1 Construction of CCA-secure encryption

CSCI 5440: Cryptography Lecture 5 The Chinese University of Hong Kong 10 October 2012 1 Construction of -secure encryption We now show how the MAC can be applied to obtain a -secure encryption scheme.

Computing on Encrypted Data

Computing on Encrypted Data Secure Internet of Things Seminar David Wu January, 2015 Smart Homes New Applications in the Internet of Things aggregation + analytics usage statistics and reports report energy

CS 758: Cryptography / Network Security

CS 758: Cryptography / Network Security offered in the Fall Semester, 2003, by Doug Stinson my office: DC 3122 my email address: dstinson@uwaterloo.ca my web page: http://cacr.math.uwaterloo.ca/~dstinson/index.html

Identity-Based Encryption from the Weil Pairing

Appears in SIAM J. of Computing, Vol. 32, No. 3, pp. 586-615, 2003. An extended abstract of this paper appears in the Proceedings of Crypto 2001, volume 2139 of Lecture Notes in Computer Science, pages

Elementary Number Theory We begin with a bit of elementary number theory, which is concerned

CONSTRUCTION OF THE FINITE FIELDS Z p S. R. DOTY Elementary Number Theory We begin with a bit of elementary number theory, which is concerned solely with questions about the set of integers Z = {0, ±1,

Linear Codes. In the V[n,q] setting, the terms word and vector are interchangeable.

Linear Codes Linear Codes In the V[n,q] setting, an important class of codes are the linear codes, these codes are the ones whose code words form a sub-vector space of V[n,q]. If the subspace of V[n,q]

Overview of Public-Key Cryptography

CS 361S Overview of Public-Key Cryptography Vitaly Shmatikov slide 1 Reading Assignment Kaufman 6.1-6 slide 2 Public-Key Cryptography public key public key? private key Alice Bob Given: Everybody knows

Capture Resilient ElGamal Signature Protocols

Capture Resilient ElGamal Signature Protocols Hüseyin Acan 1, Kamer Kaya 2,, and Ali Aydın Selçuk 2 1 Bilkent University, Department of Mathematics acan@fen.bilkent.edu.tr 2 Bilkent University, Department

A Factoring and Discrete Logarithm based Cryptosystem

Int. J. Contemp. Math. Sciences, Vol. 8, 2013, no. 11, 511-517 HIKARI Ltd, www.m-hikari.com A Factoring and Discrete Logarithm based Cryptosystem Abdoul Aziz Ciss and Ahmed Youssef Ecole doctorale de Mathematiques

Privacy-Preserving Aggregation of Time-Series Data

Privacy-Preserving Aggregation of Time-Series Data Elaine Shi PARC/UC Berkeley elaines@eecs.berkeley.edu Richard Chow PARC rchow@parc.com T-H. Hubert Chan The University of Hong Kong hubert@cs.hku.hk Dawn

The Paillier Cryptosystem

The Paillier Cryptosystem A Look Into The Cryptosystem And Its Potential Application By Michael O Keeffe The College of New Jersey Mathematics Department April 18, 2008 ABSTRACT So long as there are secrets,

MATH 110 Spring 2015 Homework 6 Solutions

MATH 110 Spring 2015 Homework 6 Solutions Section 2.6 2.6.4 Let α denote the standard basis for V = R 3. Let α = {e 1, e 2, e 3 } denote the dual basis of α for V. We would first like to show that β =

Lecture 3: One-Way Encryption, RSA Example

ICS 180: Introduction to Cryptography April 13, 2004 Lecturer: Stanislaw Jarecki Lecture 3: One-Way Encryption, RSA Example 1 LECTURE SUMMARY We look at a different security property one might require

Lecture 1: Course overview, circuits, and formulas

Lecture 1: Course overview, circuits, and formulas Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: John Kim, Ben Lund 1 Course Information Swastik

Public Key Cryptography. c Eli Biham - March 30, 2011 258 Public Key Cryptography

Public Key Cryptography c Eli Biham - March 30, 2011 258 Public Key Cryptography Key Exchange All the ciphers mentioned previously require keys known a-priori to all the users, before they can encrypt

Efficient Recovery of Secrets

Efficient Recovery of Secrets Marcel Fernandez Miguel Soriano, IEEE Senior Member Department of Telematics Engineering. Universitat Politècnica de Catalunya. C/ Jordi Girona 1 i 3. Campus Nord, Mod C3,

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

UT DALLAS Erik Jonsson School of Engineering & Computer Science Overview of Cryptographic Tools for Data Security Murat Kantarcioglu Pag. 1 Purdue University Cryptographic Primitives We will discuss the

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch

CSC474/574 - Information Systems Security: Homework1 Solutions Sketch February 20, 2005 1. Consider slide 12 in the handout for topic 2.2. Prove that the decryption process of a one-round Feistel cipher

The application of prime numbers to RSA encryption

The application of prime numbers to RSA encryption Prime number definition: Let us begin with the definition of a prime number p The number p, which is a member of the set of natural numbers N, is considered

The Mathematics of the RSA Public-Key Cryptosystem

The Mathematics of the RSA Public-Key Cryptosystem Burt Kaliski RSA Laboratories ABOUT THE AUTHOR: Dr Burt Kaliski is a computer scientist whose involvement with the security industry has been through

Key Privacy for Identity Based Encryption

Key Privacy for Identity Based Encryption Internet Security Research Lab Technical Report 2006-2 Jason E. Holt Internet Security Research Lab Brigham Young University c 2006 Brigham Young University March

2.1 Complexity Classes

15-859(M): Randomized Algorithms Lecturer: Shuchi Chawla Topic: Complexity classes, Identity checking Date: September 15, 2004 Scribe: Andrew Gilpin 2.1 Complexity Classes In this lecture we will look

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring

Breaking Generalized Diffie-Hellman Modulo a Composite is no Easier than Factoring Eli Biham Dan Boneh Omer Reingold Abstract The Diffie-Hellman key-exchange protocol may naturally be extended to k > 2

Finite and discrete probability distributions

8 Finite and discrete probability distributions To understand the algorithmic aspects of number theory and algebra, and applications such as cryptography, a firm grasp of the basics of probability theory

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES

MA257: INTRODUCTION TO NUMBER THEORY LECTURE NOTES 2016 47 4. Diophantine Equations A Diophantine Equation is simply an equation in one or more variables for which integer (or sometimes rational) solutions

MTAT.07.003 Cryptology II. Digital Signatures. Sven Laur University of Tartu

MTAT.07.003 Cryptology II Digital Signatures Sven Laur University of Tartu Formal Syntax Digital signature scheme pk (sk, pk) Gen (m, s) (m,s) m M 0 s Sign sk (m) Ver pk (m, s)? = 1 To establish electronic

Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices. A Biswas, IT, BESU SHIBPUR

Mathematics of Cryptography Modular Arithmetic, Congruence, and Matrices A Biswas, IT, BESU SHIBPUR McGraw-Hill The McGraw-Hill Companies, Inc., 2000 Set of Integers The set of integers, denoted by Z,

Post-Quantum Cryptography #2

Post-Quantum Cryptography #2 Prof. Claude Crépeau McGill University 49 Post-Quantum Cryptography Finite Fields based cryptography Codes Multi-variate Polynomials Integers based cryptography Approximate

Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes

Lattice-Based Threshold-Changeability for Standard Shamir Secret-Sharing Schemes Ron Steinfeld (Macquarie University, Australia) (email: rons@ics.mq.edu.au) Joint work with: Huaxiong Wang (Macquarie University)

8.1 Makespan Scheduling

600.469 / 600.669 Approximation Algorithms Lecturer: Michael Dinitz Topic: Dynamic Programing: Min-Makespan and Bin Packing Date: 2/19/15 Scribe: Gabriel Kaptchuk 8.1 Makespan Scheduling Consider an instance

Lecture 4: AC 0 lower bounds and pseudorandomness

Lecture 4: AC 0 lower bounds and pseudorandomness Topics in Complexity Theory and Pseudorandomness (Spring 2013) Rutgers University Swastik Kopparty Scribes: Jason Perry and Brian Garnett In this lecture,

BEFORE defining the LWE problem and its reductions

EDIC RESEARCH PROPOSAL 1 The Learning With Error Problem Alexandre Duc LASEC, I&C, EPFL Abstract Every public-key cryptosystem relies on problems that are believed computationally hard. Most of the systems

Lecture 3: Finding integer solutions to systems of linear equations

Lecture 3: Finding integer solutions to systems of linear equations Algorithmic Number Theory (Fall 2014) Rutgers University Swastik Kopparty Scribe: Abhishek Bhrushundi 1 Overview The goal of this lecture

Secure Two-Party k-means Clustering

Secure Two-Party k-means Clustering Paul Bunn Rafail Ostrovsky Abstract The k-means Clustering problem is one of the most-explored problems in data mining to date. With the advent of protocols that have

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption Ronald Cramer Victor Shoup December 12, 2001 Abstract We present several new and fairly practical public-key

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC

MESSAGE AUTHENTICATION IN AN IDENTITY-BASED ENCRYPTION SCHEME: 1-KEY-ENCRYPT-THEN-MAC by Brittanney Jaclyn Amento A Thesis Submitted to the Faculty of The Charles E. Schmidt College of Science in Partial

In this paper a new signature scheme and a public key cryptotsystem are proposed. They can be seen as a compromise between the RSA and ElGamal-type sc

Digital Signature and Public Key Cryptosystem in a Prime Order Subgroup of Z n Colin Boyd Information Security Research Centre, School of Data Communications Queensland University of Technology, Brisbane

Efficient General-Adversary Multi-Party Computation

Efficient General-Adversary Multi-Party Computation Martin Hirt, Daniel Tschudi ETH Zurich {hirt,tschudid}@inf.ethz.ch Abstract. Secure multi-party computation (MPC) allows a set P of n players to evaluate

1 Digital Signatures. 1.1 The RSA Function: The eth Power Map on Z n. Crypto: Primitives and Protocols Lecture 6.

1 Digital Signatures A digital signature is a fundamental cryptographic primitive, technologically equivalent to a handwritten signature. In many applications, digital signatures are used as building blocks

Ch.9 Cryptography. The Graduate Center, CUNY.! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis

Ch.9 Cryptography The Graduate Center, CUNY! CSc 75010 Theoretical Computer Science Konstantinos Vamvourellis Why is Modern Cryptography part of a Complexity course? Short answer:! Because Modern Cryptography

Outline. Computer Science 418. Digital Signatures: Observations. Digital Signatures: Definition. Definition 1 (Digital signature) Digital Signatures

Outline Computer Science 418 Digital Signatures Mike Jacobson Department of Computer Science University of Calgary Week 12 1 Digital Signatures 2 Signatures via Public Key Cryptosystems 3 Provable 4 Mike

AN INTRODUCTION TO ERROR CORRECTING CODES Part 1

AN INTRODUCTION TO ERROR CORRECTING CODES Part 1 Jack Keil Wolf ECE 154C Spring 2008 Noisy Communications Noise in a communications channel can cause errors in the transmission of binary digits. Transmit:

Shor s algorithm and secret sharing

Shor s algorithm and secret sharing Libor Nentvich: QC 23 April 2007: Shor s algorithm and secret sharing 1/41 Goals: 1 To explain why the factoring is important. 2 To describe the oldest and most successful

Lecture 6 - Cryptography

Lecture 6 - Cryptography CSE497b - Spring 2007 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse497b-s07 Question 2 Setup: Assume you and I don t know anything about

Math 319 Problem Set #3 Solution 21 February 2002

Math 319 Problem Set #3 Solution 21 February 2002 1. ( 2.1, problem 15) Find integers a 1, a 2, a 3, a 4, a 5 such that every integer x satisfies at least one of the congruences x a 1 (mod 2), x a 2 (mod

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY. Sourav Mukhopadhyay

Lecture Note 5 PUBLIC-KEY CRYPTOGRAPHY Sourav Mukhopadhyay Cryptography and Network Security - MA61027 Modern/Public-key cryptography started in 1976 with the publication of the following paper. W. Diffie

Introduction. Digital Signature

Introduction Electronic transactions and activities taken place over Internet need to be protected against all kinds of interference, accidental or malicious. The general task of the information technology

Privacy-preserving Data Mining: current research and trends

Privacy-preserving Data Mining: current research and trends Stan Matwin School of Information Technology and Engineering University of Ottawa, Canada stan@site.uottawa.ca Few words about our research Universit[é

Paillier Threshold Encryption Toolbox

Paillier Threshold Encryption Toolbox October 23, 2010 1 Introduction Following a desire for secure (encrypted) multiparty computation, the University of Texas at Dallas Data Security and Privacy Lab created

Public Key Cryptography. Performance Comparison and Benchmarking

Public Key Cryptography Performance Comparison and Benchmarking Tanja Lange Department of Mathematics Technical University of Denmark tanja@hyperelliptic.org 28.08.2006 Tanja Lange Benchmarking p. 1 What

Network Security. Computer Networking Lecture 08. March 19, 2012. HKU SPACE Community College. HKU SPACE CC CN Lecture 08 1/23

Network Security Computer Networking Lecture 08 HKU SPACE Community College March 19, 2012 HKU SPACE CC CN Lecture 08 1/23 Outline Introduction Cryptography Algorithms Secret Key Algorithm Message Digest

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu

Introduction Proof by unique factorization in Z Proof with Gaussian integers Proof by geometry Applications. Pythagorean Triples

Pythagorean Triples Keith Conrad University of Connecticut August 4, 008 Introduction We seek positive integers a, b, and c such that a + b = c. Plimpton 3 Babylonian table of Pythagorean triples (1800

The Conference Call Search Problem in Wireless Networks

The Conference Call Search Problem in Wireless Networks Leah Epstein 1, and Asaf Levin 2 1 Department of Mathematics, University of Haifa, 31905 Haifa, Israel. lea@math.haifa.ac.il 2 Department of Statistics,

Interactive Machine Learning. Maria-Florina Balcan

Interactive Machine Learning Maria-Florina Balcan Machine Learning Image Classification Document Categorization Speech Recognition Protein Classification Branch Prediction Fraud Detection Spam Detection

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION

ALGEBRAIC APPROACH TO COMPOSITE INTEGER FACTORIZATION Aldrin W. Wanambisi 1* School of Pure and Applied Science, Mount Kenya University, P.O box 553-50100, Kakamega, Kenya. Shem Aywa 2 Department of Mathematics,

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur Module No. # 01 Lecture No. # 05 Classic Cryptosystems (Refer Slide Time: 00:42)

Principles of Public Key Cryptography. Applications of Public Key Cryptography. Security in Public Key Algorithms

Principles of Public Key Cryptography Chapter : Security Techniques Background Secret Key Cryptography Public Key Cryptography Hash Functions Authentication Chapter : Security on Network and Transport

I. GROUPS: BASIC DEFINITIONS AND EXAMPLES

I GROUPS: BASIC DEFINITIONS AND EXAMPLES Definition 1: An operation on a set G is a function : G G G Definition 2: A group is a set G which is equipped with an operation and a special element e G, called

Breaking The Code. Ryan Lowe. Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and

Breaking The Code Ryan Lowe Ryan Lowe is currently a Ball State senior with a double major in Computer Science and Mathematics and a minor in Applied Physics. As a sophomore, he took an independent study

Threshold Identity Based Encryption Scheme without Random Oracles

WCAN 2006 Threshold Identity Based Encryption Scheme without Random Oracles Jin Li School of Mathematics and Computational Science Sun Yat-sen University Guangzhou, P.R. China Yanming Wang Lingnan College

Signature Schemes. CSG 252 Fall 2006. Riccardo Pucella

Signature Schemes CSG 252 Fall 2006 Riccardo Pucella Signatures Signatures in real life have a number of properties They specify the person responsible for a document E.g. that it has been produced by

Lecture 7: Hashing III: Open Addressing

Lecture 7: Hashing III: Open Addressing Lecture Overview Open Addressing, Probing Strategies Uniform Hashing, Analysis Cryptographic Hashing Readings CLRS Chapter.4 (and.3.3 and.5 if interested) Open Addressing

Non-interactive and Reusable Non-malleable Commitment Schemes

Non-interactive and Reusable Non-malleable Commitment Schemes Ivan Damgård a Jens Groth b June 16, 2003 Abstract We consider non-malleable (NM) and universally composable (UC) commitment schemes in the

Efficient Multi-keyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption

Efficient Multi-keyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption Mengxi Nie 1,2, Peng Ran 1 and HaoMiao Yang 1,2 1 University of Electronic Science and Technology of China,

Polynomials and the Fast Fourier Transform (FFT) Battle Plan

Polynomials and the Fast Fourier Transform (FFT) Algorithm Design and Analysis (Wee 7) 1 Polynomials Battle Plan Algorithms to add, multiply and evaluate polynomials Coefficient and point-value representation

CHAPTER 5. Number Theory. 1. Integers and Division. Discussion

CHAPTER 5 Number Theory 1. Integers and Division 1.1. Divisibility. Definition 1.1.1. Given two integers a and b we say a divides b if there is an integer c such that b = ac. If a divides b, we write a

COMMUTATIVE RINGS. Definition: A domain is a commutative ring R that satisfies the cancellation law for multiplication:

COMMUTATIVE RINGS Definition: A commutative ring R is a set with two operations, addition and multiplication, such that: (i) R is an abelian group under addition; (ii) ab = ba for all a, b R (commutative