DOCSLIB.ORG

Secure Distributed Paillier Key Generation with Application to the Ordinos E-Voting System

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Secure Distributed Paillier Key Generation with Application to the Ordinos E-Voting System Institute of Information Security University of Stuttgart Universitätsstraße 38 D–70569 Stuttgart Masterarbeit Secure Distributed Paillier Key Generation with Application to the Ordinos E-Voting System Felix Truger Course of Study: Informatik Examiner: Prof. Dr. rer. nat. Ralf Küsters Supervisor: Julian Liedtke, M.Sc. Commenced: November 5, 2019 Completed: June 30, 2020 Abstract Ordinos is a novel verifiable tally-hiding e-voting system. At its heart, a homomorphic encryption scheme and secure multi-party computation (MPC) are used to tally votes and securely determine the voting result, without necessarily revealing the full tally (e.g., the number of votes per candidate). The proof of concept implementation of Ordinos is based on a threshold variant of the Paillier encryption scheme and two MPC protocols for the comparison of encrypted numbers (greater-than and equality). Due to the threshold construction, the decryption key is shared among a set of trustees. The MPC protocols for comparison require precomputed encrypted randomness of certain shape. Formerly, a trusted party was employed to generate the key shares and randomness and distribute them to the trustees. In this thesis, the trusted party was replaced by MPC protocols that allow to generate the key shares and randomness among the trustees. The protocols provide security against malicious parties in the honest-majority setting. The key generation follows a proposal by Nishide and Sakurai (2010) that is based on verifiable secret sharings and zero-knowledge proofs for committed values. We introduce a few adaptations to reduce its runtime using mostly standard techniques. The generation of randomness is based on the Paillier encryption scheme as an arithmetic black box and standard zero-knowledge proofs for Paillier encrypted values. The protocols were implemented and their performance was evaluated in a local network. Most notably, the implemented key generation protocol for threshold Paillier showed an expected average runtime around 95 minutes for generating 2048-bit keys among 3 trustees with a threshold of 2. Since existing implementations provide security only in the semi-honest setting, this is the first time that an approach with security against malicious parties was implemented and evaluated. Overall, the distributed generation of both key shares and randomness takes considerably more time compared to the use of a trusted party, but avoids security risks and trust problems that occur with trusted parties. Zusammenfassung Ordinos ist ein neuartiges verifizierbares E-Voting System mit der sogenannten Tally-Hiding- Eigenschaft. Im Kern werden ein homomorphes Verschlüsselungsschema und sichere Multi-Party Computations (MPC) verwendet, um Stimmen zu zählen und das Ergebnis einer Abstimmung zu bestimmen, ohne notwendigerweise das vollständige Auszählungsergebnis (z. B. die Anzahl der Stimmen je Kandidat) preiszugeben. Die Proof of Concept Implementierung von Ordinos basiert auf einer Threshold-Variante des Paillier-Verschlüsselungsschemas und zwei MPC-Protokollen für den Vergleich von verschlüsselten Zahlen (größer-als und Gleichheit). Aufgrund der Threshold-Variante wird der private Schlüssel unter mehreren Trustees verteilt aufbewahrt (engl.: sharing). Die MPC-Protokolle für die Vergleiche erfordern vorberechnete verschlüsselte Zufallszahlen bestimmter Form. Bisher wurde eine Trusted Third Party eingesetzt, um die Schlüssel-Shares und Zufallszahlen zu generieren und an die Trustees zu verteilen. In dieser Arbeit wurde die Trusted Third Party durch MPC-Protokolle ersetzt mit denen die Schlüssel-Shares und Zufallszahlen unter den Trustees generiert werden. Die Protokolle bieten Sicherheit gegen aktive Angreifer im Honest-Majority Szenario. Die Schlüsselgenerierung basiert auf einem Paper von Nishide and Sakurai (2010), wobei hierzu verifizierbare Secret-Sharings und Zero-Knowledge Beweise für Commitments eingesetzt werden. Um die Laufzeit zu reduzieren, werden einige Anpassungen vorgestellt, die sich überwiegend an Standardtechniken orientieren. Die Generierung der Zufallszahlen basiert auf dem 3 Paillier-Verschlüsselungsschema als arithmetische Black Box und Zero-Knowledge Beweisen für Paillier-Chiffren. Die Protokolle wurden implementiert und ihre Performance in einem lokalen Netzwerk evaluiert. Hervorzuheben ist, dass die implementierte Schlüsselgenerierung eine zu erwartende durchschnittliche Laufzeit von etwa 95 Minuten zwischen 3 Trustees mit einen Threshold von 2 und der Schlüssellänge 2048 Bit benötigt. Bestehende Implementierungen bieten Sicherheit gegen passive Angreifer. Somit setzt diese Arbeit zum ersten Mal ein Ansatz mit Sicherheit gegen aktive Angreifer um und evaluiert diesen. Insgesamt benötigt die verteilte Generierung der Schlüssel-Shares und Zufallszahlen zwar erheblich mehr Zeit verglichen zum Einsatz einer Trusted Third Party, vermeidet aber Sicherheitsrisiken und Vertrauensprobleme, die mit solchen auftreten. 4 Contents 1 Introduction 11 2 Fundamentals 15 2.1 Public-Key Encryption Schemes.......................... 15 2.2 The Paillier Encryption Scheme.......................... 16 2.2.1 Prerequisites................................ 16 Z∗ 2.2.2 The Group n2 ............................... 16 2.2.3 Definition of Paillier’s Encryption Scheme................ 18 2.2.4 Homomorphicity.............................. 19 2.3 Threshold Public-Key Encryption......................... 20 2.4 Building blocks................................... 21 2.4.1 Secret Sharing............................... 21 2.4.2 Lagrange Interpolation........................... 22 2.4.3 Commitment Schemes........................... 22 2.4.4 Verifiable Secret Sharing.......................... 24 2.4.5 Zero-Knowledge Proofs.......................... 25 2.4.6 Random Oracle Model........................... 31 2.4.7 Non-Interactive Zero-Knowledge Proofs.................. 31 3 Related Work 33 4 Secure Distributed Paillier Key Generation 35 4.1 Local Key Generation................................ 35 4.2 Distributed Key Generation with Semi-Honest Security.............. 36 4.2.1 Overview.................................. 36 4.2.2 Biprimality Test.............................. 37 4.2.3 Efficiency.................................. 39 4.2.4 Security................................... 40 4.3 Robust Distributed Key Generation......................... 40 4.3.1 Instantiation of the Pedersen Commitment Scheme............ 40 4.3.2 Robust Modulus Generation........................ 41 4.3.3 Robust Biprimality Test.......................... 42 4.3.4 Robust Sharing of the Secret Key..................... 43 4.3.5 Verifiable Shared Decryption........................ 45 5 Implementation 47 5.1 Adaptations..................................... 47 5.1.1 Omitting Distributed Trial Division.................... 47 5.1.2 Bulk Generation of Candidates....................... 47 5.1.3 Switching Pedersen Commitment Schemes................ 48 5 5.1.4 Postponement of Proofs During Modulus Generation........... 50 5.1.5 Postponement of Proofs in Biprimality Tests................ 52 5.2 Evaluation...................................... 52 5.2.1 Parameters................................. 52 5.2.2 Performance................................ 53 5.3 Comparison of Results for Semi-Honest Protocol................. 60 6 Generation of Randomness for MPC Protocols 63 6.1 Comparing Encrypted Numbers.......................... 64 6.1.1 Equality of Encrypted Numbers...................... 64 6.1.2 Greater-Than Comparison of Encrypted Numbers............. 65 6.2 Paillier as an ABB................................. 66 6.3 Securely Generating Randomness......................... 68 6.3.1 Composing Random l-bit Values...................... 69 6.3.2 Generating Randomness in ZN ....................... 71 6.3.3 Inverting a Random Secret......................... 71 6.4 Implementation & Evaluation............................ 71 7 Conclusion 75 Bibliography 77 A ZK-Proof of Equality of Commitments 81 B Computing the Coefficients of Pl¹xº 83 6 List of Figures κ 2.1 πdlog: Zero-knowledge proof of knowledge of discrete logarithm......... 26 2.2 πrange: Zero-knowledge range proof for committed value............. 27 2.3 πmrel: Zero-knowledge proof of multiplicative relation............... 28 2.4 πVKeq: Zero-knowledge proof for verification keys................. 29 2.5 πpartDec: Zero-knowledge proof for partial decryption shares........... 30 2.6 πcomEq: Zero-knowledge of equality of committed values............. 31 5.1 Average, minimum, and maximum runtime of semi-honest protocol version for 2048-bit moduli and bulk sizes b = 1 to 100 000 .................. 54 5.2 Average, minimum, and maximum runtime of semi-honest protocol version for 2048-bit moduli and bulk sizes b = 1 000 to 10 000 ................ 55 5.3 Average, minimum, and maximum runtime of robust protocol version for 512-bit moduli and bulk sizes b = 1 to 10 000 ....................... 56 5.4 Average, minimum, and maximum runtime of robust protocol version for 512-bit moduli and bulk sizes b = 1 to 10 000 with switching of commitment scheme.. 57 5.5 Measured runtime of robust protocol version for 2048-bit moduli......... 60 5.6 Observed number of failed trial divisions in runs of robust protocol version for 2048-bit moduli................................... 61 5.7 Observed number of failed biprimality tests in runs of robust protocol version for 2048-bit moduli................................... 61 5.8 Distribution of average runtime on different sub-protocols............. 62 κ
Load more

Recommended publications
  • A Survey Report on Partially Homomorphic Encryption Techniques in Cloud Computing
    International Journal of Engineering Research & Technology (IJERT) ISSN: 2278-0181 Vol. 2 Issue 12, December - 2013 A Survey Report On Partially Homomorphic Encryption Techniques In Cloud Computing 1. S. Ramachandram 2. R.Sridevi 3. P. Srivani 1. Professor &Vice Principal, Oucollege Of Engineering,Dept Of Cse,Hyd 2. Associate Professor, Jntuh, Dept Of Cse,Hyd 3. Research Scholar & Asso.Prof., Det Of Cse, Hitam, Hyd Abstract: Homomorphic encryption is a used to create secure voting systems, form of encryption which allows specific collision-resistant hash functions, private types of computations to be carried out on information retrieval schemes and enable cipher text and obtain an encrypted result widespread use of cloud computing by which decrypted matches the result of ensuring the confidentiality of processed operations performed on the plaintext. As data. cloud computing provides different services, homomorphic encryption techniques can be There are several efficient, partially used to achieve security. In this paper , We homomorphic cryptosystems. Although a presented the partially homomorphic cryptosystem which is unintentionally encryption techniques. homomorphic can be subject to attacks on this basis, if treated carefully, Keywords: Homomorphic, ElGamal, Pailler, homomorphism can also be used to perform RSA, Goldwasser–Micali , Benaloh, computations securely. Section 2 describes Okamoto Uchiyama cryptosystemIJERT, IJERTabout the partially homomorphic encryption Naccache–Stern cryptosystem, RNS. techniques. 2. Partially Homomorphic Encryption Techniques 1. INTRODUCTION RSA Security is a desirable feature in modern system architectures. Homomorphic In cryptography, RSA[1] is an asymmetric encryption would allow the chaining encryption system. If the RSA public key is together of different services without modulus and exponent , then the exposing the data to each of those services.
    [Show full text]
  • Authenticating Computation on Groups: New Homomorphic Primitives and Applications
    Universita` degli Studi di Catania Dipartimento di Matematica ed Informatica Dottorato di Ricerca in Matematica Pura ed Applicata XXVI ciclo Orazio Puglisi Authenticating Computation on Groups: New Homomorphic Primitives and Applications Advisor: Ch.mo Prof. Dario Catalano ANNO ACCADEMICO 2013-2014 Contents Contents i Acknowledgments iv 1 Introduction 1 1.1 Afewwordsaboutcryptographyhistory . 1 1.2 From Encryption to Homomorphic Encryption . 3 1.3 Whatabouthomomorphicsignatures? . 4 1.4 Fromaconcreteproblemtoanewprimitive . 6 1.5 Organizationofthisthesis . 8 2 Preliminaries and notations 10 2.1 BasicNotations .......................... 10 2.1.1 Probabilisticnotation. 10 2.1.2 NumberTheory...................... 11 2.1.3 Pairings .......................... 11 2.1.4 Computationalassumptions . 12 2.2 PrimitivesandSecurity. 13 2.2.1 Usersandprimitives . 13 2.2.2 Indistinguishability under CPA and CCA . 15 2.2.3 Theasymptoticapproach . 16 2.2.4 Primitives ......................... 17 2.2.4.1 HashFunction . 17 2.2.4.2 ChameleonHashFunction . 18 2.2.4.3 PublicKeyEncryption. 19 i CONTENTS ii 2.2.4.3.1 Security for Public Key Encryption Schemes. ............... 20 2.2.4.3.2 Paillier Encryption Scheme . 22 2.2.4.4 Signatures. 23 2.2.4.4.1 Security for Digital Signatures Schemes 24 2.2.4.4.2 WatersSignature . 26 2.2.4.5 AuthenticatedEncryption . 27 2.2.4.6 SigmaProtocol . 28 2.2.4.6.1 SchnorrSigmaProtocol . 30 2.2.5 Homomorphicprimitives . 30 3 A linearly homomorphic signature scheme to sign elements in bilinear groups 32 3.1 Linear Network Coding and Linearly Homomorphic Signatures 33 3.2 HomomorphicSignaturesscheme . 34 3.2.1 Correctness and Security for Homomorphic Signatures 35 3.3 LHSG:Definition ........................
    [Show full text]
  • Secure E-Voting System by Utilizing Homomorphic Properties of the Encryption Algorithm
    View metadata, citation and similar papers at core.ac.uk brought to you by CORE provided by TELKOMNIKA (Telecommunication Computing Electronics and Control) TELKOMNIKA, Vol.16, No.2, April 2018, pp. 862~867 ISSN: 1693-6930, accredited A by DIKTI, Decree No: 58/DIKTI/Kep/2013 DOI: 10.12928/TELKOMNIKA.v16i2.8420 862 Secure E-voting System by Utilizing Homomorphic Properties of the Encryption Algorithm Rifki Suwandi*, Surya Michrandi Nasution, Fairuz Azmi Electrical Engineering Faculty, Telkom University, Bandung, Indonesia *Corresponding author, e-mail: [email protected], [email protected], [email protected] Abstract The use of cryptography in the e-voting system to secure data is a must to ensure the authenticity of the data. In contrast to common encryption algorithms, homomorphic encryption algorithms had unique properties that can perform mathematical operations against ciphertext. This paper proposed the use of the Paillier and Okamoto-Uchiyama algorithms as two homomorphic encryption algorithms that have the additional properties so that it can calculate the results of voting data that has been encrypted without having to be decrypted first. The main purpose is to avoid manipulation and data falsification during vote tallying process by comparing the advantages and disadvantages of each algorithm. Keywords: cryptography, encryption, homomorphic, Paillier, Okamoto-Uchiyama Copyright © 2018 Universitas Ahmad Dahlan. All rights reserved. 1. Introduction There are numerous issues with the electronic vote casting system, together with system errors, network safety, information security, and so on. One of the primary issues is cheating committed by either insider or outsider, especially for some important role holders with authority that can access the system itself.
    [Show full text]
  • Decentralized Evaluation of Quadratic Polynomials on Encrypted Data
    This paper is a slight variant of the Extended Abstract that appears in the Proceedings of the 22nd Information Security Conference, ISC 2019 (September 16–18, New-York, USA) Springer-Verlag, LNCS ?????, pages ???–???. Decentralized Evaluation of Quadratic Polynomials on Encrypted Data Chloé Hébant1,2, Duong Hieu Phan3, and David Pointcheval1,2 1 DIENS, École normale supérieure, CNRS, PSL University, Paris, France 2 INRIA, Paris, France 3 Université de Limoges, France Abstract Since the seminal paper on Fully Homomorphic Encryption (FHE) by Gentry in 2009, a lot of work and improvements have been proposed, with an amazing number of possible applications. It allows outsourcing any kind of computations on encrypted data, and thus without leaking any information to the provider who performs the computations. This is quite useful for many sensitive data (finance, medical, etc.). Unfortunately, FHE fails at providing some computation on private inputs to a third party, in cleartext: the user that can decrypt the result is able to decrypt the inputs. A classical approach to allow limited decryption power is distributed decryption. But none of the actual FHE schemes allows distributed decryption, at least with an efficient protocol. In this paper, we revisit the Boneh-Goh-Nissim (BGN) cryptosystem, and the Freeman’s variant, that allow evaluation of quadratic polynomials, or any 2-DNF formula. Whereas the BGN scheme relies on integer factoring for the trapdoor in the composite-order group, and thus possesses one public/secret key only, the Freeman’s scheme can handle multiple users with one general setup that just needs to define a pairing-based algebraic structure.
    [Show full text]
  • Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations
    Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, Ida Tucker To cite this version: Guilhem Castagnos, Dario Catalano, Fabien Laguillaumie, Federico Savasta, Ida Tucker. Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations. CRYPTO 2019 - 39th Annual Inter- national Cryptology Conference, Aug 2019, Santa Barbara, United States. pp.191-221, 10.1007/978- 3-030-26954-8_7. hal-02281931 HAL Id: hal-02281931 https://hal.archives-ouvertes.fr/hal-02281931 Submitted on 9 Sep 2019 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Two-Party ECDSA from Hash Proof Systems and Efficient Instantiations Guilhem Castagnos1, Dario Catalano2, Fabien Laguillaumie3, Federico Savasta2;4, and Ida Tucker3 1 Université de Bordeaux, INRIA, CNRS, IMB UMR 5251, F-33405 Talence, France. 2 Università di Catania, Italy. 3 Univ Lyon, EnsL, UCBL, CNRS, Inria, LIP, F-69342, LYON Cedex 07, France. 4 Scuola Superiore di Catania, Italy Abstract. ECDSA is a widely adopted digital signature standard. Unfortunately, efficient distributed variants of this primitive are notoriously hard to achieveand known solutions often require expensive zero knowledge proofs to deal with malicious adversaries.
    [Show full text]
  • Fundamentals of Fully Homomorphic Encryption – a Survey
    Electronic Colloquium on Computational Complexity, Report No. 125 (2018) Fundamentals of Fully Homomorphic Encryption { A Survey Zvika Brakerski∗ Abstract A homomorphic encryption scheme is one that allows computing on encrypted data without decrypting it first. In fully homomorphic encryption it is possible to apply any efficiently com- putable function to encrypted data. We provide a survey on the origins, definitions, properties, constructions and uses of fully homomorphic encryption. 1 Homomorphic Encryption: Good, Bad or Ugly? In the seminal RSA cryptosystem [RSA78], the public key consists of a product of two primes ∗ N = p · q as well as an integer e, and the message space is the set of elements in ZN . Encrypting a message m involved simply raising it to the power e and taking the result modulo N, i.e. c = me (mod N). For the purpose of the current discussion we ignore the decryption process. It is not hard to see that the product of two ciphertexts c1 and c2 encrypting messages m1 and m2 allows e to compute the value c1 · c2 (mod N) = (m1m2) (mod N), i.e. to compute an encryption of m1 · m2 without knowledge of the secret private key. Rabin's cryptosystem [Rab79] exhibited similar behavior, where a product of ciphertexts corresponded to an encryption of their respective plaintexts. This behavior can be expressed in formal terms by saying that the ciphertext space and the plaintext space are homomorphic (multiplicative) groups. The decryption process defines the homomorphism by mapping a ciphertext to its image plaintext. Rivest, Adleman and Dertouzos [RAD78] realized the potential advantage of this property.
    [Show full text]
  • Homomorphic Encryption Applied to the Cloud Computing Security
    Proceedings of the World Congress on Engineering 2012 Vol I WCE 2012, July 4 - 6, 2012, London, U.K. Homomorphic Encryption Applied to the Cloud Computing Security Maha TEBAA, Saïd EL HAJJI, Abdellatif EL GHAZI Abstract—Cloud computing security challenges and it’s also In Section II, we are introducing the concept of Cloud an issue to many researchers; first priority was to focus on Computing and the necessity to adopt Homomorphic security which is the biggest concern of organizations that are Encryption to secure the calculation of data hosted by the considering a move to the cloud. The advantages of cloud Cloud provider. In section III, we’ll define Homomorphic computing include reduced costs, easy maintenance and re- provisioning of resources, and thereby increased profits. But Encryption and we’ll illustrate some examples of existing the adoption and the passage to the Cloud Computing applies Homomorphic cryptosystems. In section IV, we’ll present only if the security is ensured. How to guaranty a better data our scheme and our implementation. The conclusion and security and also how can we keep the client private perspectives will be mentioned in section V. information confidential? There are two major questions that present a challenge to Cloud Computing providers. When the data transferred to the Cloud we use standard encryption methods to secure the operations and the storage of II. Cloud computing the data. But to process data located on a remote server, the Definition [1]: By cloud computing we mean: The Cloud providers need to access the raw data. In this paper we Information Technology (IT) model for computing, which is are proposing an application of a method to execute operations composed of all the IT components (hardware, software, on encrypted data without decrypting them which will provide networking, and services) that are necessary to enable us with the same results after calculations as if we have worked development and delivery of cloud services via the Internet directly on the raw data.
    [Show full text]
  • Multicast Routing Over Computer Networks: Secure Performance Designs
    Digital Forensics in the Cloud: Encrypted Data Evidence Tracking ZHUANG TIAN, BSc (Hons) a thesis submitted to the graduate faculty of design and creative technologies Auckland University of Technology in partial fulfilment of the requirements for the degree of Master of Forensic Information Technology School of Computer and Mathematical Sciences Auckland, New Zealand 2014 ii Declaration I hereby declare that this submission is my own work and that, to the best of my knowledge and belief, it contains no material previously published or written by another person nor material which to a substantial extent has been accepted for the qualification of any other degree or diploma of a University or other institution of higher learning, except where due acknowledgement is made in the acknowledgements. ........................... Zhuang Tian iii Acknowledgements This thesis was completed at the Faculty of Design and Creative Technologies in the school of Computing and Mathematical Sciences at Auckland University of Technology, New Zealand. While conducting the research project I received support from many people in one way or another, without whose support, this thesis would not have been completed in its present form. It is my pleasure to take this opportunity to thank all of you, without the intention or possibility to be complete. I would like to apologize to those who I did not mention by name here; however, I highly value your kind support. Firstly, I would like to deeply thank my thesis supervisor Prof. Brian Cusack for the exceptional support given during the thesis project. He provided me with the freedom to explore research directions and to choose the routes that I wanted to investigate.
    [Show full text]
  • Homomorphic Encryption: Working and Analytical Assessment DGHV, Helib, Paillier, FHEW and HE in Cloud Security
    Master of Science in Computer Science February 2017 Homomorphic Encryption: Working and Analytical Assessment DGHV, HElib, Paillier, FHEW and HE in cloud security Srinivas Divya Papisetty Faculty of Computing Blekinge Institute of Technology SE-371 79 Karlskrona Sweden This thesis is submitted to the Faculty of Computing at Blekinge Institute of Technology in partial fulfillment of the requirements for the degree of Master of Science in Computer Science. The thesis is equivalent to 20 weeks of full time studies. Contact Information: Author(s): Srinivas Divya Papisetty E-mail: [email protected] University advisor: Dr. Emiliano Casalicchio Dept. of Computer Science & Engineering Faculty of Computing Internet : www.bth.se Blekinge Institute of Technology Phone : +46 455 38 50 00 SE-371 79 Karlskrona, Sweden Fax : +46 455 38 50 57 i i ABSTRACT Context. Secrecy has kept researchers spanning over centuries engaged in the creation of data protection techniques. With the growing rate of data breach and intervention of adversaries in confidential data storage and communication, efficient data protection has found to be a challenge. Homomorphic encryption is one such data protection technique in the cryptographic domain which can perform arbitrary computations on the enciphered data without disclosing the original plaintext or message. The first working fully homomorphic encryption scheme was proposed in the year 2009 and since then there has been a tremendous increase in the development of homomorphic encryption schemes such that they can be applied to a wide range of data services that demand security. All homomorphic encryption schemes can be categorized as partially homomorphic (PHE), somewhat homomorphic (SHE), leveled homomorphic (LHE), and fully homomorphic encryption (FHE).
    [Show full text]
  • A Fully Homomorphic Encryption Scheme
    A FULLY HOMOMORPHIC ENCRYPTION SCHEME A DISSERTATION SUBMITTED TO THE DEPARTMENT OF COMPUTER SCIENCE AND THE COMMITTEE ON GRADUATE STUDIES OF STANFORD UNIVERSITY IN PARTIAL FULFILLMENT OF THE REQUIREMENTS FOR THE DEGREE OF DOCTOR OF PHILOSOPHY Craig Gentry September 2009 °c Copyright by Craig Gentry 2009 All Rights Reserved ii I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Dan Boneh) Principal Adviser I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (John Mitchell) I certify that I have read this dissertation and that, in my opinion, it is fully adequate in scope and quality as a dissertation for the degree of Doctor of Philosophy. (Serge Plotkin) Approved for the University Committee on Graduate Studies. iii Abstract We propose the ¯rst fully homomorphic encryption scheme, solving a central open problem in cryptography. Such a scheme allows one to compute arbitrary functions over encrypted data without the decryption key { i.e., given encryptions E(m1);:::;E(mt) of m1; : : : ; mt, one can e±ciently compute a compact ciphertext that encrypts f(m1; : : : ; mt) for any e±- ciently computable function f. This problem was posed by Rivest et al. in 1978. Fully homomorphic encryption has numerous applications. For example, it enables private queries to a search engine { the user submits an encrypted query and the search engine computes a succinct encrypted answer without ever looking at the query in the clear.
    [Show full text]
  • Making Fully Homomorphic Encryption Accessible to All
    Research Collection Conference Paper Marble: Making fully homomorphic encryption accessible to all Author(s): Viand, Alexander; Shafagh, Hossein Publication Date: 2018 Permanent Link: https://doi.org/10.3929/ethz-b-000307502 Originally published in: http://doi.org/10.1145/3267973.3267978 Rights / License: Creative Commons Attribution 4.0 International This page was generated automatically upon download from the ETH Zurich Research Collection. For more information please consult the Terms of use. ETH Library Session 2 WAHC’18, October 19, 2018, Toronto, ON, Canada Marble: Making Fully Homomorphic Encryption Accessible to All Alexander Viand Hossein Shafagh Department of Computer Science Department of Computer Science ETH Zurich, Switzerland ETH Zurich, Switzerland [email protected] [email protected] ABSTRACT that require outsourcing storage and computation from client de- With the recent explosion of data breaches and data misuse cases, vices to powerful servers in the cloud. However, outsourcing puts there is more demand than ever for secure system designs that user data at risk and threatens privacy. This can be resolved by fundamentally tackle today’s data trust models. One promising encrypting user data on the client side with efficient symmetric alternative to today’s trust model is true end-to-end encryption key-based schemes, e.g., AES-CTR, before sending it to the cloud. without however compromising user experience nor data utility. However, this leaves the abundant computation resources on the Fully homomorphic encryption (FHE) provides a powerful tool in cloud unused and introduces significant application latencies, as the empowering users with more control over their data, while still user has to download large segments of the ever growing datasets benefiting from computing services of remote services, though locally, to perform computations on top, e.g., data analytics.
    [Show full text]
  • Eurocrypt'2000 Conference Report
    Eurocrypt'2000 Conference Report May 15–18, 2000 Bruges Richard Graveman Telcordia Technologies Morristown, NJ USA [email protected] Welcome This was the nineteenth annual Eurocrypt conference. Thirty-nine out of 150 papers were accepted, and there were two invited talks along with the traditional rump session. About 480 participants from 39 countries were present. Bart Preneel was Program Chair. The Proceedings were published by Springer Verlag as Advances in Cryptology— Eurocrypt'98, Lecture Notes in Computer Science, Volume 1807, Bart Preneel, editor. Session 1: Factoring and Discrete Logarithm, Chair: Bart Preneel Factorization of a 512-bit RSA Modulus, Stefania Cavallar (CWI, The Netherlands), Bruce Dodson (Lehigh University, USA), Arjen K. Lenstra (Citibank, USA), Walter Lioen (CWI, The Netherlands), Peter L. Montgomery (Microsoft Research, USA and CWI, The Netherlands), Brian Murphy (The Australian National University, Australia), Herman te Riele (CWI, The Netherlands), Karen Aardal (Utrecht University, The Netherlands), Jeff Gilchrist (Entrust Technologies Ltd., Canada), Gérard Guillerm (École Polytechnique, France), Paul Leyland (Microsoft Research Ltd., UK), Joël Marchand (École Polytechnique/CNRS, France), François Morain (École Polytechnique, France), Alec Muffett (Sun Microsystems, UK), Chris and Craig Putnam (USA), Paul Zimmermann (Inria Lorraine and Loria, France) The authors factored the RSA challenge number RSA-512 with the general number field sieve (NFS). The algorithm has four steps: polynomial selection, sieving, linear algebra, and square root extraction. For N known to be composite, two irreducible polynomials with a common root mod N are needed. f1 (of degree 5 in this case) should have many roots modulo small primes as well as being as small as possible.
    [Show full text]