DOCSLIB.ORG

Fully Homomorphic Encryption Using Ideal Lattices

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Fully Homomorphic Encryption Using Ideal Lattices Fully Homomorphic Encryption Using Ideal Lattices Craig Gentry Stanford University and IBM Watson [email protected] ABSTRACT duced by Rivest, Adleman and Dertouzos [54] shortly af- We propose a fully homomorphic encryption scheme – i.e., ter the invention of RSA by Rivest, Adleman and Shamir a scheme that allows one to evaluate circuits over encrypted [55]. Basic RSA is a multiplicatively homomorphic encryp- tion scheme – i.e., given RSA public key pk = (N, e) and data without being able to decrypt. Our solution comes e in three steps. First, we provide a general result – that, ciphertexts ψi πi mod N , one can efficiently compute ψ = ( { π ←)e mod N, a} ciphertext that encrypts the to construct an encryption scheme that permits evaluation i i i i of arbitrary circuits, it suffices to construct an encryption Qproduct ofQ the original plaintexts. Rivest et al. [54] asked scheme that can evaluate (slightly augmented versions of) a natural question: What can one do with an encryption its own decryption circuit; we call a scheme that can evaluate scheme that is fully homomorphic: a scheme with an effi- cient algorithm Evaluate that, for any validE public key pk, its (augmented) decryption circuit bootstrappable. E Next, we describe a public key encryption scheme using any circuit C (not just a circuit consisting of multiplication gates), and any ciphertexts ψi Encrypt (pk, πi), outputs ideal lattices that is almost bootstrappable. Lattice-based ← E cryptosystems typically have decryption algorithms with low ψ Evaluate (pk, C, ψ1, . , ψt) , circuit complexity, often dominated by an inner product ← E computation that is in NC1. Also, ideal lattices provide a valid encryption of C(π1, . , πt) under pk? Their answer: both additive and multiplicative homomorphisms (modulo a one can arbitrarily compute on encrypted data – i.e., one can public-key ideal in a polynomial ring that is represented as process encrypted data (query it, write into it, do anything a lattice), as needed to evaluate general circuits. to it that can be efficiently expressed as a circuit) without Unfortunately, our initial scheme is not quite bootstrap- the decryption key. As an application, they suggested pri- pable – i.e., the depth that the scheme can correctly evalu- vate data banks: a user can store its data on an untrusted ate can be logarithmic in the lattice dimension, just like the server in encrypted form, yet still allow the server to pro- depth of the decryption circuit, but the latter is greater than cess, and respond to, the user’s data queries (with responses the former. In the final step, we show how to modify the more concise than the trivial solution: the server just sends scheme to reduce the depth of the decryption circuit, and all of the encrypted data back to the user to process). Since thereby obtain a bootstrappable encryption scheme, with- then, cryptographers have accumulated a list of “killer” ap- out reducing the depth that the scheme can evaluate. Ab- plications for fully homomorphic encryption. However, prior stractly, we accomplish this by enabling the encrypter to to this proposal, we did not have a viable construction. start the decryption process, leaving less work for the de- crypter, much like the server leaves less work for the de- 1.1 Homomorphic Encryption crypter in a server-aided cryptosystem. A homomorphic public key encryption scheme has four E Categories and Subject Descriptors: E.3 [Data En- algorithms KeyGen , Encrypt , Decrypt , and an additional algorithm Evaluate E that takesE as inputE the public key pk, a cryption]: Public key cryptosystems E circuit C from a permitted set of circuits, and a tuple of General Terms: Algorithms, Design, Security, Theory CE ciphertexts Ψ = ψ1, . , ψt ; it outputs a ciphertext ψ. The computational complexityh i of all of these algorithms must 1. INTRODUCTION be polynomial in security parameter λ and (in the case of We propose a solution to the old open problem of con- Evaluate ) the size of C. is correct for circuits in if, E E structing a fully homomorphic encryption scheme. This no- for any key-pair (sk, pk) outputE by KeyGen (λ), any circuitC E tion, originally called a privacy homomorphism, was intro- C , any plaintexts π1, . , πt, and any ciphertexts Ψ = ∈ CE ψ1, . , ψt with ψi Encrypt (pk, πi), it is the case that: h i ← E ψ Evaluate (pk, C, Ψ) C(π1, . , πt) = Decrypt (sk, ψ) ← E ⇒ E Permission to make digital or hard copies of all or part of this work for 1 personal or classroom use is granted without fee provided that copies are By itself, mere correctness does not exclude trivial schemes. not made or distributed for profit or commercial advantage and that copies So, we require ciphertext size and decryption time to be up- bear this notice and the full citation on the first page. To copy otherwise, to 1In particular, we could define Evaluate (pk, C, Ψ) to just republish, to post on servers or to redistribute to lists, requires prior specific E permission and/or a fee. output (C, Ψ) without “processing” the circuit or ciphertexts STOC’09, May 31–June 2, 2009, Bethesda, Maryland, USA. at all, and Decrypt to decrypt the component ciphertexts E Copyright 2009 ACM 978-1-60558-506-2/09/05 ...$5.00. and apply C to results. 169 per bounded by a function of the security parameter λ, in- decrypt it! This is the idea behind bootstrapping: we do dependently of C (or perhaps, as a relaxation, dependent on decrypt the ciphertext, but homomorphically! the depth of C, but not the size). Specifically, suppose is bootstrappable with plaintext space is 0, 1 , and thatE circuits are boolean. Suppose we Definition 1 (Homomorphic Encryption). is ho- P { } have a ciphertext ψ1 that encrypts π under pk , which we momorphic for circuits in if is correct for E and 1 E E want to refresh. So that we can decrypt it homomorphically, Decrypt can be expressed asC a circuitE D of size poly(C λ). E E suppose we also have sk1, the secret key for pk1, encrypted under a second public key pk : let sk be the encrypted Definition 2 (Fully Homomorphic Encryption). 2 1j secret key bits. Consider the following algorithm. is fully homomorphic if it is homomorphic for all circuits. E Recrypt (pk2,D , sk1j , ψ1). Definition 3 (Leveled Fully Hom. Encryption). E E h i A family of schemes (d) : d Z+ is leveled fully homo- R {E ∈ } Set ψ1j Encrypt (pk2, ψ1j ) morphic if they all use the same decryption circuit, (d) is ← E E Output ψ2 Evaluate (pk2,D , sk1j , ψ1j ) homomorphic for all circuits of depth at most d (that use ← E E hh i h ii some specified set of gates Γ), and the computational com- Above, Evaluate takes in the bits of sk1 and ψ1, each en- plexity of (d)’s algorithms is polynomial in λ, d, and (in crypted under pk . Then, is used to evaluate the de- E 2 E the case of Evaluate (d) ) the size of C. cryption circuit homomorphically. The output ψ2 is thus an E 2 encryption under pk2 of Decrypt (sk1, ψ1) = π. Applying Remark 1. One may desire – e.g., for the two-party com- the decryption circuit D removesE the error vector associ- E putation setting – the additional property that Encrypt and ated to the first ciphertext, but Evaluate simultaneously Evaluate have the same output distribution, or thatE there E E introduces a new error vector. Intuitively, we have made is at least some post-hoc randomization procedure that in- progress as long as the second error vector is shorter. duces the same output distribution. We discuss such circuit Suppose contains not just D but also the augmen- E E privacy in Section 7. tation of DC by NAND (i.e., a NAND gate connecting two E copies of D ). Then, we say is bootstrappable. Here, we focus on constructing a scheme that is semanti- E E cally secure against chosen plaintext attacks (or just “seman- Theorem 1 (Informal). One can construct a (seman- tically secure”). Unfortunately a scheme that has nontriv- tically secure) family (d) of leveled fully homomorphic en- ial homomorphisms cannot be semantically secure against {E } adaptive chosen ciphertext attacks (CCA2), since it is mal- cryption schemes from any (semantically secure) bootstrap- pable encryption scheme . leable. There are relaxed notions of CCA2 security [3, 16, E 52], but they do not apply to a fully homomorphic scheme. (d)’s public key contains d + 1 public keys, basically one However, constructing a CCA1-secure fully homomorphic E E encryption scheme is an interesting open problem. for each level of the circuit, and an acyclic chain of encrypted secret keys. It evaluates a d-depth NAND-circuit as follows: 1.2 Our Results given ciphertexts encrypted under pki associated to wires We construct a fully homomorphic encryption scheme us- at the ith level of the circuit, it Recrypts them so that they ing ideal lattices. The result can roughly be broken down become encrypted under pki 1, applies the NAND gates at that level, and recurses for −i 1. If securely encrypts into three steps: a general “bootstrapping” result, an “initial − E construction”using ideal lattices, and a technique to“squash key-dependent messages (is KDM-secure) [9, 24, 12] – i.e., the decryption circuit” to permit bootstrapping. roughly, if providing a ciphertext that encrypts a function of the secret key does not hurt security – then the public Our research began with the second step: a PKE scheme E 1 described in Section 3 that uses ideal lattices and is homo- keys need not be distinct; we can have a “loop,” even a “self- morphicE for shallow circuits.
Load more

Recommended publications
  • Practical Homomorphic Encryption and Cryptanalysis
    Practical Homomorphic Encryption and Cryptanalysis Dissertation zur Erlangung des Doktorgrades der Naturwissenschaften (Dr. rer. nat.) an der Fakult¨atf¨urMathematik der Ruhr-Universit¨atBochum vorgelegt von Dipl. Ing. Matthias Minihold unter der Betreuung von Prof. Dr. Alexander May Bochum April 2019 First reviewer: Prof. Dr. Alexander May Second reviewer: Prof. Dr. Gregor Leander Date of oral examination (Defense): 3rd May 2019 Author's declaration The work presented in this thesis is the result of original research carried out by the candidate, partly in collaboration with others, whilst enrolled in and carried out in accordance with the requirements of the Department of Mathematics at Ruhr-University Bochum as a candidate for the degree of doctor rerum naturalium (Dr. rer. nat.). Except where indicated by reference in the text, the work is the candidates own work and has not been submitted for any other degree or award in any other university or educational establishment. Views expressed in this dissertation are those of the author. Place, Date Signature Chapter 1 Abstract My thesis on Practical Homomorphic Encryption and Cryptanalysis, is dedicated to efficient homomor- phic constructions, underlying primitives, and their practical security vetted by cryptanalytic methods. The wide-spread RSA cryptosystem serves as an early (partially) homomorphic example of a public- key encryption scheme, whose security reduction leads to problems believed to be have lower solution- complexity on average than nowadays fully homomorphic encryption schemes are based on. The reader goes on a journey towards designing a practical fully homomorphic encryption scheme, and one exemplary application of growing importance: privacy-preserving use of machine learning.
    [Show full text]
  • The Twin Diffie-Hellman Problem and Applications
    The Twin Diffie-Hellman Problem and Applications David Cash1 Eike Kiltz2 Victor Shoup3 February 10, 2009 Abstract We propose a new computational problem called the twin Diffie-Hellman problem. This problem is closely related to the usual (computational) Diffie-Hellman problem and can be used in many of the same cryptographic constructions that are based on the Diffie-Hellman problem. Moreover, the twin Diffie-Hellman problem is at least as hard as the ordinary Diffie-Hellman problem. However, we are able to show that the twin Diffie-Hellman problem remains hard, even in the presence of a decision oracle that recognizes solutions to the problem — this is a feature not enjoyed by the Diffie-Hellman problem in general. Specifically, we show how to build a certain “trapdoor test” that allows us to effectively answer decision oracle queries for the twin Diffie-Hellman problem without knowing any of the corresponding discrete logarithms. Our new techniques have many applications. As one such application, we present a new variant of ElGamal encryption with very short ciphertexts, and with a very simple and tight security proof, in the random oracle model, under the assumption that the ordinary Diffie-Hellman problem is hard. We present several other applications as well, including: a new variant of Diffie and Hellman’s non-interactive key exchange protocol; a new variant of Cramer-Shoup encryption, with a very simple proof in the standard model; a new variant of Boneh-Franklin identity-based encryption, with very short ciphertexts; a more robust version of a password-authenticated key exchange protocol of Abdalla and Pointcheval.
    [Show full text]
  • On Ideal Lattices and Learning with Errors Over Rings∗
    On Ideal Lattices and Learning with Errors Over Rings∗ Vadim Lyubashevskyy Chris Peikertz Oded Regevx June 25, 2013 Abstract The “learning with errors” (LWE) problem is to distinguish random linear equations, which have been perturbed by a small amount of noise, from truly uniform ones. The problem has been shown to be as hard as worst-case lattice problems, and in recent years it has served as the foundation for a plethora of cryptographic applications. Unfortunately, these applications are rather inefficient due to an inherent quadratic overhead in the use of LWE. A main open question was whether LWE and its applications could be made truly efficient by exploiting extra algebraic structure, as was done for lattice-based hash functions (and related primitives). We resolve this question in the affirmative by introducing an algebraic variant of LWE called ring- LWE, and proving that it too enjoys very strong hardness guarantees. Specifically, we show that the ring-LWE distribution is pseudorandom, assuming that worst-case problems on ideal lattices are hard for polynomial-time quantum algorithms. Applications include the first truly practical lattice-based public-key cryptosystem with an efficient security reduction; moreover, many of the other applications of LWE can be made much more efficient through the use of ring-LWE. 1 Introduction Over the last decade, lattices have emerged as a very attractive foundation for cryptography. The appeal of lattice-based primitives stems from the fact that their security can often be based on worst-case hardness assumptions, and that they appear to remain secure even against quantum computers.
    [Show full text]
  • Linear Generalized Elgamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow
    Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade, Léo Robert, Demba Sow To cite this version: Pascal Lafourcade, Léo Robert, Demba Sow. Linear Generalized ElGamal Encryption Scheme. In- ternational Conference on Security and Cryptography (SECRYPT), Jul 2020, Paris, France. hal- 02559556 HAL Id: hal-02559556 https://hal.archives-ouvertes.fr/hal-02559556 Submitted on 30 Apr 2020 HAL is a multi-disciplinary open access L’archive ouverte pluridisciplinaire HAL, est archive for the deposit and dissemination of sci- destinée au dépôt et à la diffusion de documents entific research documents, whether they are pub- scientifiques de niveau recherche, publiés ou non, lished or not. The documents may come from émanant des établissements d’enseignement et de teaching and research institutions in France or recherche français ou étrangers, des laboratoires abroad, or from public or private research centers. publics ou privés. Linear Generalized ElGamal Encryption Scheme Pascal Lafourcade1,Leo´ Robert1, and Demba Sow2 1LIMOS, Universite´ Clermont Auvergne, France, [email protected] , [email protected] 2LACGAA, Universite´ Cheikh Anta Diop de Dakar, Sen´ egal´ , [email protected] Keywords: Cryptography, Partial homomorphic encryption, Linear Assumption, ElGamal encryption scheme. Abstract: ElGamal public key encryption scheme has been designed in the 80’s. It is one of the first partial homomorphic encryption and one of the first IND-CPA probabilistic public key encryption scheme. A linear version has been recently proposed by Boneh et al. In this paper, we present a linear encryption based on a generalized version of ElGamal encryption scheme. We prove that our scheme is IND-CPA secure under linear assumption.
    [Show full text]
  • Semantic Security and Indistinguishability in the Quantum World June 1, 2016?
    Semantic Security and Indistinguishability in the Quantum World June 1, 2016? Tommaso Gagliardoni1, Andreas H¨ulsing2, and Christian Schaffner3;4;5 1 CASED, Technische Universit¨atDarmstadt, Germany [email protected] 2 TU Eindhoven, The Netherlands [email protected] 3 Institute for Logic, Language and Compuation (ILLC), University of Amsterdam, The Netherlands [email protected] 4 Centrum Wiskunde & Informatica (CWI) Amsterdam, The Netherlands 5 QuSoft, The Netherlands Abstract. At CRYPTO 2013, Boneh and Zhandry initiated the study of quantum-secure encryption. They proposed first indistinguishability def- initions for the quantum world where the actual indistinguishability only holds for classical messages, and they provide arguments why it might be hard to achieve a stronger notion. In this work, we show that stronger notions are achievable, where the indistinguishability holds for quantum superpositions of messages. We investigate exhaustively the possibilities and subtle differences in defining such a quantum indistinguishability notion for symmetric-key encryption schemes. We justify our stronger definition by showing its equivalence to novel quantum semantic-security notions that we introduce. Furthermore, we show that our new security definitions cannot be achieved by a large class of ciphers { those which are quasi-preserving the message length. On the other hand, we pro- vide a secure construction based on quantum-resistant pseudorandom permutations; this construction can be used as a generic transformation for turning a large class of encryption schemes into quantum indistin- guishable and hence quantum semantically secure ones. Moreover, our construction is the first completely classical encryption scheme shown to be secure against an even stronger notion of indistinguishability, which was previously known to be achievable only by using quantum messages and arbitrary quantum encryption circuits.
    [Show full text]
  • Making NTRU As Secure As Worst-Case Problems Over Ideal Lattices
    Making NTRU as Secure as Worst-Case Problems over Ideal Lattices Damien Stehlé1 and Ron Steinfeld2 1 CNRS, Laboratoire LIP (U. Lyon, CNRS, ENS Lyon, INRIA, UCBL), 46 Allée d’Italie, 69364 Lyon Cedex 07, France. [email protected] – http://perso.ens-lyon.fr/damien.stehle 2 Centre for Advanced Computing - Algorithms and Cryptography, Department of Computing, Macquarie University, NSW 2109, Australia [email protected] – http://web.science.mq.edu.au/~rons Abstract. NTRUEncrypt, proposed in 1996 by Hoffstein, Pipher and Sil- verman, is the fastest known lattice-based encryption scheme. Its mod- erate key-sizes, excellent asymptotic performance and conjectured resis- tance to quantum computers could make it a desirable alternative to fac- torisation and discrete-log based encryption schemes. However, since its introduction, doubts have regularly arisen on its security. In the present work, we show how to modify NTRUEncrypt to make it provably secure in the standard model, under the assumed quantum hardness of standard worst-case lattice problems, restricted to a family of lattices related to some cyclotomic fields. Our main contribution is to show that if the se- cret key polynomials are selected by rejection from discrete Gaussians, then the public key, which is their ratio, is statistically indistinguishable from uniform over its domain. The security then follows from the already proven hardness of the R-LWE problem. Keywords. Lattice-based cryptography, NTRU, provable security. 1 Introduction NTRUEncrypt, devised by Hoffstein, Pipher and Silverman, was first presented at the Crypto’96 rump session [14]. Although its description relies on arithmetic n over the polynomial ring Zq[x]=(x − 1) for n prime and q a small integer, it was quickly observed that breaking it could be expressed as a problem over Euclidean lattices [6].
    [Show full text]
  • Exploring Naccache-Stern Knapsack Encryption
    Exploring Naccache-Stern Knapsack Encryption Éric Brier1, Rémi Géraud2, and David Naccache2 1 Ingenico Terminals Avenue de la Gare f- Alixan, France [email protected] 2 École normale supérieure rue d’Ulm, f- Paris cedex , France {remi.geraud,david.naccache}@ens.fr Abstract. The Naccache–Stern public-key cryptosystem (NS) relies on the conjectured hardness of the modular multiplicative knapsack problem: Q mi Given p, {vi}, vi mod p, find the {mi}. Given this scheme’s algebraic structure it is interesting to systematically explore its variants and generalizations. In particular it might be useful to enhance NS with features such as semantic security, re-randomizability or an extension to higher-residues. This paper addresses these questions and proposes several such variants. Introduction In , Naccache and Stern (NS, []) presented a public-key cryptosystem based on the conjectured hardness of the modular multiplicative knapsack problem. This problem is defined as follows: Let p be a modulus and let v0, . , vn−1 ∈ Zp. n−1 Y mi Given p, v0, . , vn−1, and vi mod p, find the {mi}. i=0 Given this scheme’s algebraic structure it is interesting to determine if vari- ants and generalizations can add to NS features such as semantic security, re-randomizability or extend it to operate on higher-residues. This paper addresses these questions and explores several such variants. The Original Naccache–Stern Cryptosystem The NS cryptosystem uses the following sub-algorithms: p is usually prime but nothing prevents extending the problem to composite RSA moduli. – Setup: Pick a large prime p and a positive integer n.
    [Show full text]
  • Lattices That Admit Logarithmic Worst-Case to Average-Case Connection Factors
    Lattices that Admit Logarithmic Worst-Case to Average-Case Connection Factors Chris Peikert∗ Alon Rosen† April 4, 2007 Abstract We demonstrate an average-case problem that is as hard as finding γ(n)-approximate√ short- est vectors in certain n-dimensional lattices in the worst case, where γ(n) = O( log n). The previously best known factor for any non-trivial class of lattices was γ(n) = O˜(n). Our results apply to families of lattices having special algebraic structure. Specifically, we consider lattices that correspond to ideals in the ring of integers of an algebraic number field. The worst-case problem we rely on is to find approximate shortest vectors in these lattices, under an appropriate form of preprocessing of the number field. For the connection factors γ(n) we achieve, the corresponding decision problems on ideal lattices are not known to be NP-hard; in fact, they are in P. However, the search approximation problems still appear to be very hard. Indeed, ideal lattices are well-studied objects in com- putational number theory, and the best known algorithms for them seem to perform no better than the best known algorithms for general lattices. To obtain the best possible connection factor, we instantiate our constructions with infinite families of number fields having constant root discriminant. Such families are known to exist and are computable, though no efficient construction is yet known. Our work motivates the search for such constructions. Even constructions of number fields having root discriminant up to O(n2/3−) would yield connection factors better than O˜(n).
    [Show full text]
  • Cs 255 (Introduction to Cryptography)
    CS 255 (INTRODUCTION TO CRYPTOGRAPHY) DAVID WU Abstract. Notes taken in Professor Boneh’s Introduction to Cryptography course (CS 255) in Winter, 2012. There may be errors! Be warned! Contents 1. 1/11: Introduction and Stream Ciphers 2 1.1. Introduction 2 1.2. History of Cryptography 3 1.3. Stream Ciphers 4 1.4. Pseudorandom Generators (PRGs) 5 1.5. Attacks on Stream Ciphers and OTP 6 1.6. Stream Ciphers in Practice 6 2. 1/18: PRGs and Semantic Security 7 2.1. Secure PRGs 7 2.2. Semantic Security 8 2.3. Generating Random Bits in Practice 9 2.4. Block Ciphers 9 3. 1/23: Block Ciphers 9 3.1. Pseudorandom Functions (PRF) 9 3.2. Data Encryption Standard (DES) 10 3.3. Advanced Encryption Standard (AES) 12 3.4. Exhaustive Search Attacks 12 3.5. More Attacks on Block Ciphers 13 3.6. Block Cipher Modes of Operation 13 4. 1/25: Message Integrity 15 4.1. Message Integrity 15 5. 1/27: Proofs in Cryptography 17 5.1. Time/Space Tradeoff 17 5.2. Proofs in Cryptography 17 6. 1/30: MAC Functions 18 6.1. Message Integrity 18 6.2. MAC Padding 18 6.3. Parallel MAC (PMAC) 19 6.4. One-time MAC 20 6.5. Collision Resistance 21 7. 2/1: Collision Resistance 21 7.1. Collision Resistant Hash Functions 21 7.2. Construction of Collision Resistant Hash Functions 22 7.3. Provably Secure Compression Functions 23 8. 2/6: HMAC And Timing Attacks 23 8.1. HMAC 23 8.2.
    [Show full text]
  • Probabilistic Public-Key Encryption
    PROBABILISTIC PUBLIC-KEY ENCRYPTION By Azymbek Beibyt Fundamentals Semantic Security A public-key cryptosystem is semantically secure if it’s computationally infeasible for opponent to derive any information about plaintext given only ciphertext and public key. Semantic Security = Cryptosystem Indistinguishability Fundamentals Semantic Security (Cont.) Semantic security are obtained using trapdoor (one- way) functions: - prime factorization in RSA - discrete logarithm problem in ElGamal Fundamentals Semantic Security (Cont.) Why not use trapdoor functions as before? ¨ The fact that f is a trapdoor function does not rule out the possibility of computing x from f (x) when x is of a special form. ¨ The fact that f is a trapdoor function does not rule out the possibility of easily computing some partial information about x (even every other bit of x) from f(x). Probabilistic Encryption New approach introduced by Shafi Goldwasser and Silvio Micali in 1983. ¨ Replace deterministic block encryption by probabilistic encryption of single bits. ¨ Proved to be hard to extract any information about plaintext under polynomially bounded computational resources, because is based on intractability of deciding Quadratic Residuosity modulo composite numbers whose factorization is unknown. Probabilistic Public -Key Cryptosystem General Idea (P, C, K, E, D, R), where R is a set of randomizers, encryption is public and decryption is secret and following properties should be satisfied: 1. , where b Є P, r Є R and if Probabilistic Public -Key Cryptosystem General Idea (Cont.) 2. Let ϵ be specified security parameter. Define probability distribution on C, which denotes the probability that y is the ciphertext given that K is the key and x is the plaintext .
    [Show full text]
  • Cryptography from Ideal Lattices
    Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Ideal Lattices Damien Stehl´e ENS de Lyon Berkeley, 07/07/2015 Damien Stehl´e Ideal Lattices 07/07/2015 1/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2) space and cost ⇒ Example parameters: n 26, m n 2e4, log q 23 ≈ ≈ · 2 ≈ Damien Stehl´e Ideal Lattices 07/07/2015 2/32 Introduction Ideal lattices Ring-SIS Ring-LWE Other algebraic lattices Conclusion Lattice-based cryptography: elegant but impractical Lattice-based cryptography is fascinating: simple, (presumably) post-quantum, expressive But it is very slow Recall the SIS hash function: 0, 1 m Zn { } → q x xT A 7→ · Need m = Ω(n log q) to compress O(1) m n q is n , A is uniform in Zq × O(n2)
    [Show full text]
  • Lecture 9 1 Introduction 2 Background
    CMSC 858K | Advanced Topics in Cryptography February 24, 2004 Lecture 9 Julie Staub Avi Dalal Lecturer: Jonathan Katz Scribe(s): Abheek Anand Gelareh Taban 1 Introduction In previous lectures, we constructed public-key encryption schemes which were provably secure against non-adaptive chosen-ciphertext (CCA-1) attacks, and also adaptive chosen- ciphertext (CCA-2) attacks. However, both constructions used generic non-interactive zero- knowledge proof systems which | although poly-time | are not very efficient (as we will see later in the course). Therefore, the constructions are not very practical. In 1998, Cramer and Shoup proposed an encryption scheme [1] which was provably secure against adaptive chosen-ciphertext attacks and was also practical. The proof of security relies on the hardness of the Decisional Diffie-Hellman (DDH) problem in some underlying group. In this lecture, we will first review the Decisional Diffie-Hellman assumption and the El-Gamal cryptosystem. Then we will modify the El-Gamal encryption scheme to construct a scheme secure against non-adaptive chosen-ciphertext attacks. This will be a step toward the full Cramer-Shoup cryptosystem, which we will cover in later lectures. 2 Background The Cramer-Shoup cryptosystem relies on the DDH assumption in some finite group. In Lecture 4, we defined the Discrete Logarithm (DL) problem and DDH problem; we review them here. Let G be a finite cyclic group of prime order q, and let g 2 G be a generator. Given h 2 G, the discrete logarithm problem requires us to compute x 2 q such that x g = h. We denote this (unique) x by logg h.
    [Show full text]