Homomorphic Encryption
|
|
- Brittney Dean
- 5 years ago
- Views:
Transcription
1 Homomorphic Encryption Travis Mayberry
2 Cloud Computing
3 Cloud Computing
4 Cloud Computing
5 Cloud Computing
6 Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and reliability.
7 Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and reliability. How can I keep my sensitive information safe while still being able to take advantage of cloud computing resources?
8 Encryption Cloud users should encrypt their data for security and privacy Encrypting data makes it impossible to do many useful things: Search your mail in Gmail Statistical analysis of large data sets Serve targeted advertisements From the server s perspective, the encrypted data is indistinguishable from random!
9 What Can We Do? We need more robust encryption that can allow some computation on the underlying data How can we accomplish this? What kind of security can we get from such a scheme? What are the costs associated with using this encryption?
10 Homomorphic Encryption E(a) C E(b) =E(a P b) Ciphertext operation does not have to be the same as the message operation (only needs to be easily computable) Provides an interface for entities without the key to perform useful computations over the encrypted data Example: RSA C = P = Without the key, you can perform computations but not interpret the result
11 Crypto Voting One application for homomorphic encryption: How can we have a public election where individual votes are not disclosed, but anyone can verify that the final tally is correct? We can do this with a public key additively homomorphic encryption where: E(a) E(b) =E(a + b)
12 Rivest Scheme Publish public key pk Election Officials Batman Superman Alice E pk (1) E pk (0) Bob Steve E pk (0) E pk (0) E pk (1) E pk (1) E pk (1) E pk (2) Votes are tallied and decrypted totals are posted Anyone can compute a tally and verify that the posted total encrypts to the correct value!
13 IND-CPA A Learning m 1 E k (m 1 )... Challenge C One oracle: Encryption m 0,m 1 E k (m b ) b 0
14 IND-CCA A Learning m 1 E k (m 1 ) c 1 D k (c 1 )... Challenge C Two oracles: Encryption Decryption m 0,m 1 E k (m b ) b 0
15 IND-CCA2 A Learning m 1 E k (m 1 ) c 1 D k (c 1 ). Challenge m 0,m 1 E k (m b ) m 2 E k (m 2 ) c 1 D k (c 1 ). b 0 C Two oracles: Encryption Decryption Extra learning phase!
16 IND-CCA2 A Learning m 1 E k (m 1 ) c 1 D k (c 1 ). Challenge m 0,m 1 E k (m b ) m 2 E k (m 2 ) c 1 D k (c 1 ). b 0 C Two oracles: Encryption Decryption Extra learning phase! c i 6= E k (m b )
17 Security
18 Security If we hope to achieve IND-CPA we need...
19 Security If we hope to achieve IND-CPA we need... Probabilistic encryption!
20 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition:
21 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition: E(a) E(b) =E(a b)
22 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition: E(a) E(b) =E(a b) D(E(a) E(b)) = D(E(a b))
23 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition: E(a) E(b) =E(a b) D(E(a) E(b)) = D(E(a b)) Or E(a) E(b) E(a b)
24 Security What can we achieve for homomorphic encryption? IND-CCA2 Adversary submits m 0 = x, m 1 = x 0 and receives c = E(m b ) Calculate c c 1, send to be decrypted and apply Works because we can create related ciphertexts and submit them to the oracle (only requirement is that ciphertexts not be exactly equal to challenge)
25 RSA
26 RSA We know RSA is homomorphic: m e 1 m e 2 =(m 1 m 2 ) e
27 RSA We know RSA is homomorphic: m e 1 m e 2 =(m 1 m 2 ) e We know RSA is IND-CPA. That means we have IND-CPA homomorphic encryption!
28 RSA We know RSA is homomorphic: m e 1 m e 2 =(m 1 m 2 ) e We know RSA is IND-CPA. That means we have IND-CPA homomorphic encryption! Not so fast RSA is only IND-CPA with OAEP or another secure padding scheme. Padding schemes are not homomorphic!
29 Which Problems Are Hard? Factoring RSA Problem Discrete Log Quadratic residuosity Hard to determine if a number is a quadratic residue mod pq if p and q are not known
30 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test
31 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic!
32 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts R NR R R NR NR NR?
33 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts R NR R R NR NR NR? R if we choose our nonresidues carefully!
34 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts
35 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts Exclusive OR! 0 1 0
36 Goldwasser-Micali Cryptosystem Key gen: Random large primes p and q N = pq x non-residue in Z p and Z q Public key: (N,x) Private key: (p, q) Encrypt: y 2 Z N c = y 2 x m mod N Residue Non-residue if m = 1 Decrypt: If c is a residue, then m = 0, 1 otherwise
37 Goldwasser-Micali Cryptosystem Key gen: Random large primes p and q N = pq x non-residue in Z p and Z q Public key: (N,x) Private key: (p, q) Encrypt: y 2 Z N c = y 2 x m mod N Residue Non-residue if m = 1 Decrypt: If c is a residue, then m = 0, 1 otherwise This is homomorphic...
38 Goldwasser-Micali Cryptosystem Key gen: Random large primes p and q N = pq x non-residue in Z p and Z q Public key: (N,x) Private key: (p, q) Encrypt: y 2 Z N c = y 2 x m mod N Residue Non-residue if m = 1 Decrypt: If c is a residue, then m = 0, 1 otherwise This is homomorphic... and IND-CPA!
39 Random Self-reducibility
40 Random Self-reducibility So far our reductions have made some assumptions about key selection
41 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why?
42 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why? In practice, our message distribution will be unknown and the keys will be chosen randomly
43 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why? In practice, our message distribution will be unknown and the keys will be chosen randomly How can we show that a random key is as secure as the best keys?
44 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why? In practice, our message distribution will be unknown and the keys will be chosen randomly How can we show that a random key is as secure as the best keys? Reduce the problem of breaking an arbitrary key to the problem of breaking polynomially many random keys
45 Functional Completeness
46 Functional Completeness What is the smallest set of operations that can express any program?
47 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables?
48 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? AND NOT
49 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? AND NOT
50 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND
51 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND Others: {NOT, OR} {NOR} {AND, XOR}
52 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND Others: {NOT, OR} {NOR} {AND, XOR} AND 1 0 XOR
53 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND Others: {NOT, OR} {NOR} {AND, XOR} Multiplication 1 0 Addition
54 Algebraic Homomorphic Encryption Additive HE: Goldwasser-Micali Paillier Benaloh Decisional composite residuosity assumption Multiplicative HE: RSA ElGamal Factoring Discrete log Can we have a cipher that is algebraic (additive and multiplicative) and secure?
55 Algebraic Homomorphic Encryption Additive HE: Goldwasser-Micali Paillier Benaloh Decisional composite residuosity assumption Multiplicative HE: RSA ElGamal Factoring Discrete log Can we have a cipher that is algebraic (additive and multiplicative) and secure? Boneh and Lipton say no!
56 Traditional Trapdoor Function Easy to go one way c 1 m c 2 c 3 Hard to calculate the inverse unless you know the secret m c
57 Noise Based Trapdoor Function Easy to go both ways! c 1 m c 2 c 3 Hard to invert if you only have an approximate value m c
58 Noise Based Trapdoor Function Encryption m c ~r m Decryption c Recover original point from trapdoor secret
59 DGHV Encryption Key gen: p 2 [2 1, 2 ) Encrypt: Choose random q and r c = pq +2r + m Decrypt: m =(c mod p) mod 2
60 Somewhat Homomorphic
61 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic
62 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why?
63 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why? What is addition/multiplication of bits?
64 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why? What is addition/multiplication of bits? How does the ciphertext size vary with the number of operations performed?
65 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why? What is addition/multiplication of bits? How does the ciphertext size vary with the number of operations performed? Addition Multiplication n bits n bits n +1bits 2n bits n +2bits 4n bits
66 Fully Homomorphic Encryption Problem: Ciphertexts may grow very large depending on the number of homomorphic operations In order to be practical we need a cryptosystem that operates over a group so ciphertexts do not increase in size Solution: Allow ciphertexts to grow, but apply a squashing operation when they reach a certain threshold that will lower their size Definitions: E pk (m) - encryption D sk (c) - decryption Eval pk (c, P, x) - evaluate
67 Bootstrapping
68 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... Ciphertext is very large!
69 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key
70 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt
71 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2
72 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2 m pk 1
73 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2 m pk 1! m pk 1 pk 2
74 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2 Size is the same as a fresh ciphertext! pk 2 pk 2 m pk 1! m pk 1! m
75 Almost There We still need a long chain of keys to keep refreshing our ciphertext: E pk2 (pk 1 ),E pk3 (pk 2 ),...,E pkn (pk n 1 ) If we make an additional assumption, then we can get a fully homomorphic cipher with only one key: E pk (pk) does not give an adversary any advantage Key-dependent message security assumption Reencryption: c = Eval(E pk (c),d,e pk (pk))
76 Practicality Current FHE candidates require: Large keys (many MBs) Large ciphertexts Frequent computationally intensive bootstrapping May only be able to do one multiplication before having to bootstrap Current research: Homomorphic encryption without bootstrapping Practical uses for somewhat homomorphic encryption
77 Outsourcing Data Storage Request'Alice s'records' Oncologist' Cloud'may'learn'a'pa8ent'has'cancer' even'if'the'records'are'encrypted!'
78 Private Information Retrieval Client% Server% x 1 Request(i) x 2 x 3... x n x 1 x i x 2 x 3 Server%does%not% know%which%item% was%retrieved!%... x n
79 Method'using'addi.vely' homomorphic'encryp.on' Request Vector Database E(0) E(0) E(0) E(0) E(1) E(0) E(0) * * * * * * * x 1 x 2 x 3 x 4 x 5 x 6 x 7 = = = = = = = E(0) E(0) E(0) E(0) E(x 5 ) E(0) E(0) + E(x 5 )
Relaxing IND-CCA: Indistinguishability Against Chosen. Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Indian Statistical Institute Kolkata January 14, 2012 Outline 1 Definitions Encryption Scheme IND-CPA IND-CCA IND-CCVA
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 El Gamal Encryption RSA Encryption Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationCS573 Data Privacy and Security. Cryptographic Primitives and Secure Multiparty Computation. Li Xiong
CS573 Data Privacy and Security Cryptographic Primitives and Secure Multiparty Computation Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationIntroduction to Cryptography Lecture 7
Introduction to Cryptography Lecture 7 Public-Key Encryption: El-Gamal, RSA Benny Pinkas page 1 1 Public key encryption Alice publishes a public key PK Alice. Alice has a secret key SK Alice. Anyone knowing
More informationSecure Multiparty Computation
CS573 Data Privacy and Security Secure Multiparty Computation Problem and security definitions Li Xiong Outline Cryptographic primitives Symmetric Encryption Public Key Encryption Secure Multiparty Computation
More informationSHE AND FHE. Hammad Mushtaq ENEE759L March 10, 2014
SHE AND FHE Hammad Mushtaq ENEE759L March 10, 2014 Outline Introduction Needs Analogy Somewhat Homomorphic Encryption (SHE) RSA, EL GAMAL (MULT) Pallier (XOR and ADD) Fully Homomorphic Encryption (FHE)
More informationCS408 Cryptography & Internet Security
CS408 Cryptography & Internet Security Lectures 16, 17: Security of RSA El Gamal Cryptosystem Announcement Final exam will be on May 11, 2015 between 11:30am 2:00pm in FMH 319 http://www.njit.edu/registrar/exams/finalexams.php
More informationOAEP 3-Round A Generic and Secure Asymmetric Encryption Padding. Asiacrypt '04 Jeju Island - Korea
OAEP 3-Round A Generic and Secure Asymmetric Encryption Padding Duong Hieu Phan ENS France David Pointcheval CNRS-ENS France Asiacrypt '04 Jeju Island - Korea December 6 th 2004 Summary Asymmetric Encryption
More informationRelaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack
Relaxing IND-CCA: Indistinguishability Against Chosen Ciphertext Verification Attack Sumit Kumar Pandey, Santanu Sarkar and Mahavir Prasad Jhanwar CR Rao AIMSCS Hyderabad November 2, 2012 Outline 1 Definitions
More informationPublic-Key Cryptography
Computer Security Spring 2008 Public-Key Cryptography Aggelos Kiayias University of Connecticut A paradox Classic cryptography (ciphers etc.) Alice and Bob share a short private key using a secure channel.
More informationIntroduction. CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell
Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell 1 Cryptography Merriam-Webster Online Dictionary: 1. secret writing 2. the enciphering and deciphering
More informationChapter 11 : Private-Key Encryption
COMP547 Claude Crépeau INTRODUCTION TO MODERN CRYPTOGRAPHY _ Second Edition _ Jonathan Katz Yehuda Lindell Chapter 11 : Private-Key Encryption 1 Chapter 11 Public-Key Encryption Apologies: all numbering
More informationLecture 15: Public Key Encryption: I
CSE 594 : Modern Cryptography 03/28/2017 Lecture 15: Public Key Encryption: I Instructor: Omkant Pandey Scribe: Arun Ramachandran, Parkavi Sundaresan 1 Setting In Public-key Encryption (PKE), key used
More informationIntroduction to Cryptography and Security Mechanisms: Unit 5. Public-Key Encryption
Introduction to Cryptography and Security Mechanisms: Unit 5 Public-Key Encryption Learning Outcomes Explain the basic principles behind public-key cryptography Recognise the fundamental problems that
More informationLecture 20: Public-key Encryption & Hybrid Encryption. Public-key Encryption
Lecture 20: & Hybrid Encryption Lecture 20: & Hybrid Encryption Overview Suppose there is a 2-round Key-Agreement protocol. This means that there exists a protocol where Bob sends the first message m B
More informationIntroduction. Cambridge University Press Mathematics of Public Key Cryptography Steven D. Galbraith Excerpt More information
1 Introduction Cryptography is an interdisciplinary field of great practical importance. The subfield of public key cryptography has notable applications, such as digital signatures. The security of a
More informationFoundations of Cryptography CS Shweta Agrawal
Foundations of Cryptography CS 6111 Shweta Agrawal Course Information 4-5 homeworks (20% total) A midsem (25%) A major (35%) A project (20%) Attendance required as per institute policy Challenge questions
More informationRSA. Public Key CryptoSystem
RSA Public Key CryptoSystem DIFFIE AND HELLMAN (76) NEW DIRECTIONS IN CRYPTOGRAPHY Split the Bob s secret key K to two parts: K E, to be used for encrypting messages to Bob. K D, to be used for decrypting
More informationComputational Security, Stream and Block Cipher Functions
Computational Security, Stream and Block Cipher Functions 18 March 2019 Lecture 3 Most Slides Credits: Steve Zdancewic (UPenn) 18 March 2019 SE 425: Communication and Information Security 1 Topics for
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationCSC 5930/9010 Modern Cryptography: Public Key Cryptography
CSC 5930/9010 Modern Cryptography: Public Key Cryptography Professor Henry Carter Fall 2018 Recap Number theory provides useful tools for manipulating integers and primes modulo a large value Abstract
More informationPublic-Key Cryptography. Professor Yanmin Gong Week 3: Sep. 7
Public-Key Cryptography Professor Yanmin Gong Week 3: Sep. 7 Outline Key exchange and Diffie-Hellman protocol Mathematical backgrounds for modular arithmetic RSA Digital Signatures Key management Problem:
More informationAnalysis of Partially and Fully Homomorphic Encryption
Analysis of Partially and Fully Homomorphic Encryption Liam Morris lcm1115@rit.edu Department of Computer Science, Rochester Institute of Technology, Rochester, New York May 10, 2013 1 Introduction Homomorphic
More informationComputer Security CS 526
Computer Security CS 526 Topic 4 Cryptography: Semantic Security, Block Ciphers and Encryption Modes CS555 Topic 4 1 Readings for This Lecture Required reading from wikipedia Block Cipher Ciphertext Indistinguishability
More informationUsing Fully Homomorphic Encryption to Secure Cloud Computing
Internet of Things and Cloud Computing 2016; 4(2): 13-18 http://www.sciencepublishinggroup.com/j/iotcc doi: 10.11648/j.iotcc.20160402.12 ISSN: 2376-7715 (Print); ISSN: 2376-7731 (Online) Using Fully Homomorphic
More informationASYMMETRIC (PUBLIC-KEY) ENCRYPTION. Mihir Bellare UCSD 1
ASYMMETRIC (PUBLIC-KEY) ENCRYPTION Mihir Bellare UCSD 1 Recommended Book Steven Levy. Crypto. Penguin books. 2001. A non-technical account of the history of public-key cryptography and the colorful characters
More informationSecurity of Cryptosystems
Security of Cryptosystems Sven Laur swen@math.ut.ee University of Tartu Formal Syntax Symmetric key cryptosystem m M 0 c Enc sk (m) sk Gen c sk m Dec sk (c) A randomised key generation algorithm outputs
More informationCSCI 454/554 Computer and Network Security. Topic 5.2 Public Key Cryptography
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography Outline 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationEncrypted Data Deduplication in Cloud Storage
Encrypted Data Deduplication in Cloud Storage Chun- I Fan, Shi- Yuan Huang, Wen- Che Hsu Department of Computer Science and Engineering Na>onal Sun Yat- sen University Kaohsiung, Taiwan AsiaJCIS 2015 Outline
More informationOutline. CSCI 454/554 Computer and Network Security. Introduction. Topic 5.2 Public Key Cryptography. 1. Introduction 2. RSA
CSCI 454/554 Computer and Network Security Topic 5.2 Public Key Cryptography 1. Introduction 2. RSA Outline 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard 2 Introduction Public Key Cryptography
More informationIntroduction to Cryptography and Security Mechanisms. Abdul Hameed
Introduction to Cryptography and Security Mechanisms Abdul Hameed http://informationtechnology.pk Before we start 3 Quiz 1 From a security perspective, rather than an efficiency perspective, which of the
More informationAdvanced Topics in Cryptography
Advanced Topics in Cryptography Lecture 9: Identity based encryption (IBE), Cocks scheme. Benny Pinkas page 1 1 Related papers Lecture notes from MIT http://crypto.csail.mit.edu/classes/6.876/lecture-notes.html
More informationOther Topics in Cryptography. Truong Tuan Anh
Other Topics in Cryptography Truong Tuan Anh 2 Outline Public-key cryptosystem Cryptographic hash functions Signature schemes Public-Key Cryptography Truong Tuan Anh CSE-HCMUT 4 Outline Public-key cryptosystem
More informationOutline. Public Key Cryptography. Applications of Public Key Crypto. Applications (Cont d)
Outline AIT 682: Network and Systems Security 1. Introduction 2. RSA 3. Diffie-Hellman Key Exchange 4. Digital Signature Standard Topic 5.2 Public Key Cryptography Instructor: Dr. Kun Sun 2 Public Key
More informationA Study on the Security of Privacy Homomorphism
A Study on the Security of Privacy Homomorphism Yu Yu, Jussipekka Leiwo, Benjamin Premkumar Nanyang Technological University, School of Computer Engineering Block N4, Nanyang Avenue, Singapore 639798 Abstract
More informationAdvanced Cryptography 1st Semester Symmetric Encryption
Advanced Cryptography 1st Semester 2007-2008 Pascal Lafourcade Université Joseph Fourrier, Verimag Master: October 22th 2007 1 / 58 Last Time (I) Security Notions Cyclic Groups Hard Problems One-way IND-CPA,
More informationNew Public Key Cryptosystems Based on the Dependent RSA Problems
New Public Key Cryptosystems Based on the Dependent RSA Problems David Pointcheval LIENS CNRS, École Normale Supérieure, 45 rue d Ulm, 75230 Paris Cedex 05, France. David.Pointcheval@ens.fr http://www.dmi.ens.fr/
More informationIntroduction to Public-Key Cryptography
Introduction to Public-Key Cryptography Nadia Heninger University of Pennsylvania June 11, 2018 We stand today on the brink of a revolution in cryptography. Diffie and Hellman, 1976 Symmetric cryptography
More informationEncryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls
Security Outline Encryption Algorithms Authentication Protocols Message Integrity Protocols Key Distribution Firewalls Overview Cryptography functions Secret key (e.g., DES) Public key (e.g., RSA) Message
More informationTools for Computing on Encrypted Data
Tools for Computing on Encrypted Data Scribe: Pratyush Mishra September 29, 2015 1 Introduction Usually when analyzing computation of encrypted data, we would like to have three properties: 1. Security:
More informationIf DDH is secure then ElGamal is also secure w.r.t IND-CPA
CS 6903 Modern Cryptography May 5th, 2011 Lecture 12 Instructor:Nitesh Saxena Recap of the previous lecture Scribe:Orcun Berkem, Turki Turki, Preetham Deshikachar Shrinivas The ElGamal encryption scheme
More informationMTAT Research Seminar in Cryptography IND-CCA2 secure cryptosystems
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov October 31, 2005 Abstract Standard security assumptions (IND-CPA, IND- CCA) are explained. A number of cryptosystems
More informationLecture IV : Cryptography, Fundamentals
Lecture IV : Cryptography, Fundamentals Internet Security: Principles & Practices John K. Zao, PhD (Harvard) SMIEEE Computer Science Department, National Chiao Tung University Spring 2012 Basic Principles
More informationLecture 3.4: Public Key Cryptography IV
Lecture 3.4: Public Key Cryptography IV CS 436/636/736 Spring 2012 Nitesh Saxena Course Administration HW1 submitted Trouble with BB Trying to check with BB support HW1 solution will be posted very soon
More informationPublic key encryption: definitions and security
Online Cryptography Course Public Key Encryption from trapdoor permutations Public key encryption: definitions and security Public key encryption Bob: generates (PK, SK) and gives PK to Alice Alice Bob
More informationPublic Key Cryptography and RSA
Public Key Cryptography and RSA Major topics Principles of public key cryptosystems The RSA algorithm The Security of RSA Motivations A public key system is asymmetric, there does not have to be an exchange
More informationCryptanalysis of Brenner et al. s Somewhat Homomorphic Encryption Scheme
Proceedings of the Eleventh Australasian Information Security Conference (AISC 2013), Adelaide, Australia Cryptanalysis of Brenner et al. s Somewhat Homomorphic Encryption Scheme Russell Paulet Xun Yi
More informationAuthenticated encryption
Authenticated encryption Mac forgery game M {} k R 0,1 s m t M M {m } t mac k (m ) Repeat as many times as the adversary wants (m, t) Wins if m M verify m, t = 1 Mac forgery game Allow the adversary to
More informationPublic Key Algorithms
Public Key Algorithms 1 Public Key Algorithms It is necessary to know some number theory to really understand how and why public key algorithms work Most of the public key algorithms are based on modular
More informationIND-CCA2 secure cryptosystems, Dan Bogdanov
MTAT.07.006 Research Seminar in Cryptography IND-CCA2 secure cryptosystems Dan Bogdanov University of Tartu db@ut.ee 1 Overview Notion of indistinguishability The Cramer-Shoup cryptosystem Newer results
More informationBrief Introduction to Provable Security
Brief Introduction to Provable Security Michel Abdalla Département d Informatique, École normale supérieure michel.abdalla@ens.fr http://www.di.ens.fr/users/mabdalla 1 Introduction The primary goal of
More informationPaper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage
1 Announcements Paper presentation sign up sheet is up. Please sign up for papers by next class. Lecture summaries and notes now up on course webpage 2 Recap and Overview Previous lecture: Symmetric key
More informationCS 161 Computer Security
Paxson Spring 2013 CS 161 Computer Security 3/14 Asymmetric cryptography Previously we saw symmetric-key cryptography, where Alice and Bob share a secret key K. However, symmetric-key cryptography can
More informationApplied Cryptography and Computer Security CSE 664 Spring 2018
Applied Cryptography and Computer Security Lecture 13: Public-Key Cryptography and RSA Department of Computer Science and Engineering University at Buffalo 1 Public-Key Cryptography What we already know
More informationNon-interactive and Output Expressive Private Comparison from Homomorphic Encryption
Non-interactive and Output Expressive Private Comparison from Homomorphic Encryption Wen-jie Lu 1, Jun-jie Zhou 1, Jun Sakuma 1,2,3 1.University of Tsukuba 2.JST/CREST 3.RIKEN AIP Center Target Function:
More informationPublic-Key Encryption
Public-Key Encryption Glorianna Jagfeld & Rahiel Kasim University of Amsterdam 10 March 2016 Glorianna Jagfeld & Rahiel Kasim Public-Key Encryption 10 March 2016 1 / 24 Warmup: crossword puzzle! Please
More informationDr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010
CS 494/594 Computer and Network Security Dr. Jinyuan (Stella) Sun Dept. of Electrical Engineering and Computer Science University of Tennessee Fall 2010 1 Public Key Cryptography Modular Arithmetic RSA
More informationInternational Journal of Advance Engineering and Research Development A SURVEY ON HOMOMORPHIC ENCRYPTION TECHNIQUES IN CLOUD COMPUTING
Scientific Journal of Impact Factor (SJIF): 3.134 ISSN (Online): 2348-4470 ISSN (Print) : 2348-6406 International Journal of Advance Engineering and Research Development Volume 2, Issue 2, February -2015
More informationGreat Theoretical Ideas in Computer Science. Lecture 27: Cryptography
15-251 Great Theoretical Ideas in Computer Science Lecture 27: Cryptography What is cryptography about? Adversary Eavesdropper I will cut his throat I will cut his throat What is cryptography about? loru23n8uladjkfb!#@
More informationCryptography. Andreas Hülsing. 6 September 2016
Cryptography Andreas Hülsing 6 September 2016 1 / 21 Announcements Homepage: http: //www.hyperelliptic.org/tanja/teaching/crypto16/ Lecture is recorded First row might be on recordings. Anything organizational:
More informationHOMOMORPHIC ENCRYPTION: A SURVEY
HOMOMORPHIC ENCRYPTION: A SURVEY Daniel Okunbor and Chekad Sarami Department of Mathematics and Computer Science Fayetteville State University Fayetteville, NC 28301 {diokunbor, csarami}@uncfsu.edu) Abstract:
More informationIntroduction to Secure Multi-Party Computation
Introduction to Secure Multi-Party Computation Many thanks to Vitaly Shmatikov of the University of Texas, Austin for providing these slides. slide 1 Motivation General framework for describing computation
More informationCryptography: More Primitives
Design and Analysis of Algorithms May 8, 2015 Massachusetts Institute of Technology 6.046J/18.410J Profs. Erik Demaine, Srini Devadas and Nancy Lynch Recitation 11 Cryptography: More Primitives 1 Digital
More informationStudy Guide for the Final Exam
YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE CPSC 467b: Cryptography and Computer Security Handout #22 Professor M. J. Fischer April 30, 2005 1 Exam Coverage Study Guide for the Final Exam The final
More informationI.D. NUMBER SURNAME OTHER NAMES
THE UNIVERSITY OF CALGARY DEPARTMENT OF COMPUTER SCIENCE DEPARTMENT OF MATHEMATICS AND STATISTICS FINAL EXAMINATION SOLUTION KEY CPSC/PMAT 418 L01 Introduction to Cryptography Fall 2017 December 19, 2017,
More informationCPSC 467b: Cryptography and Computer Security
CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 7 January 30, 2012 CPSC 467b, Lecture 7 1/44 Public-key cryptography RSA Factoring Assumption Computing with Big Numbers Fast Exponentiation
More informationLecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 19 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak November 29, 2007 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationPublic-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7
Public-Key Encryption, Key Exchange, Digital Signatures CMSC 23200/33250, Autumn 2018, Lecture 7 David Cash University of Chicago Plan 1. Security of RSA 2. Key Exchange, Diffie-Hellman 3. Begin digital
More informationA CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model
A CCA2 Secure PKE Based on McEliece Assumptions in the Standard Model Jörn Müller-Quade European Institute for System Security KIT, Karlsruhe, Germany 04/23/09 Session ID: CRYP301 Session Classification:
More informationCPSC 467: Cryptography and Computer Security
CPSC 467: Cryptography and Computer Security Michael J. Fischer Lecture 8 September 28, 2015 CPSC 467, Lecture 8 1/44 Chaining Modes Block chaining modes Extending chaining modes to bytes Public-key Cryptography
More informationCSC 474/574 Information Systems Security
CSC 474/574 Information Systems Security Topic 2.5 Public Key Algorithms CSC 474/574 Dr. Peng Ning 1 Public Key Algorithms Public key algorithms covered in this class RSA: encryption and digital signature
More informationPublic Key Cryptography and the RSA Cryptosystem
Public Key Cryptography and the RSA Cryptosystem Two people, say Alice and Bob, would like to exchange secret messages; however, Eve is eavesdropping: One technique would be to use an encryption technique
More informationChapter 9 Public Key Cryptography. WANG YANG
Chapter 9 Public Key Cryptography WANG YANG wyang@njnet.edu.cn Content Introduction RSA Diffie-Hellman Key Exchange Introduction Public Key Cryptography plaintext encryption ciphertext decryption plaintext
More information1 Achieving IND-CPA security
ISA 562: Information Security, Theory and Practice Lecture 2 1 Achieving IND-CPA security 1.1 Pseudorandom numbers, and stateful encryption As we saw last time, the OTP is perfectly secure, but it forces
More informationPUBLIC KEY CRYPTO. Anwitaman DATTA SCSE, NTU Singapore CX4024. CRYPTOGRAPHY & NETWORK SECURITY 2018, Anwitaman DATTA
PUBLIC KEY CRYPTO Anwitaman DATTA SCSE, NTU Singapore Acknowledgement: The following lecture slides are based on, and uses material from the text book Cryptography and Network Security (various eds) by
More information10.1 Introduction 10.2 Asymmetric-Key Cryptography Asymmetric-Key Cryptography 10.3 RSA Cryptosystem
[Part 2] Asymmetric-Key Encipherment Asymmetric-Key Cryptography To distinguish between two cryptosystems: symmetric-key and asymmetric-key; To discuss the RSA cryptosystem; To introduce the usage of asymmetric-key
More informationLecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR)
Lecture 22 - Oblivious Transfer (OT) and Private Information Retrieval (PIR) Boaz Barak December 8, 2005 Oblivious Transfer We are thinking of the following situation: we have a server and a client (or
More informationEncryption from the Diffie-Hellman assumption. Eike Kiltz
Encryption from the Diffie-Hellman assumption Eike Kiltz Elliptic curve public-key crypto Key-agreement Signatures Encryption Diffie-Hellman 76 passive security ElGamal 84 passive security Hybrid DH (ECDH)
More informationNetwork Security Technology Project
Network Security Technology Project Shanghai Jiao Tong University Presented by Wei Zhang zhang-wei@sjtu.edu.cn!1 Part I Implement the textbook RSA algorithm. The textbook RSA is essentially RSA without
More informationCryptography Today. Ali El Kaafarani. Mathematical Institute Oxford University. 1 of 44
Cryptography Today Ali El Kaafarani Mathematical Institute Oxford University 1 of 44 About the Course Regular classes with worksheets so you can work with some concrete examples (every Friday at 1pm).
More informationSolutions to exam in Cryptography December 17, 2013
CHALMERS TEKNISKA HÖGSKOLA Datavetenskap Daniel Hedin DIT250/TDA351 Solutions to exam in Cryptography December 17, 2013 Hash functions 1. A cryptographic hash function is a deterministic function that
More informationHomework 3: Solution
Homework 3: Solution March 28, 2013 Thanks to Sachin Vasant and Xianrui Meng for contributing their solutions. Exercise 1 We construct an adversary A + that does the following to win the CPA game: 1. Select
More informationLecture 18 - Chosen Ciphertext Security
Lecture 18 - Chosen Ciphertext Security Boaz Barak November 21, 2005 Public key encryption We now go back to public key encryption. As we saw in the case of private key encryption, CPA security is not
More informationRSA Cryptography in the Textbook and in the Field. Gregory Quenell
RSA Cryptography in the Textbook and in the Field Gregory Quenell 1 In the beginning... 2 In the beginning... Diffie and Hellman 1976: A one-way function can be used to pass secret information over an insecure
More informationPublic Key Encryption
Public Key Encryption A case study THE RSA CRYPTOSYSTEM Public 31/05/14 Key Encryption 2 Rivest Shamir Adleman (1978) Key generation 1. Generate two large, distinct primes p, q (100 200 decimal digits)
More informationThe Application of Elliptic Curves Cryptography in Embedded Systems
The Application of Elliptic Curves Cryptography in Embedded Systems Wang Qingxian School of Computer Science and Engineering University of Electronic Science and Technology China Introduction to Cryptography
More informationImproved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space
Improved Delegation Of Computation Using Somewhat Homomorphic Encryption To Reduce Storage Space Dhivya.S (PG Scholar) M.E Computer Science and Engineering Institute of Road and Transport Technology Erode,
More informationChapter 9. Public Key Cryptography, RSA And Key Management
Chapter 9 Public Key Cryptography, RSA And Key Management RSA by Rivest, Shamir & Adleman of MIT in 1977 The most widely used public-key cryptosystem is RSA. The difficulty of attacking RSA is based on
More informationCrypto-systems all around us ATM machines Remote logins using SSH Web browsers (https invokes Secure Socket Layer (SSL))
Introduction (Mihir Bellare Text/Notes: http://cseweb.ucsd.edu/users/mihir/cse207/) Cryptography provides: Data Privacy Data Integrity and Authenticity Crypto-systems all around us ATM machines Remote
More informationBU CAS CS 538: Cryptography Lecture Notes. Fall itkis/538/
BU CAS CS 538: Cryptography Lecture Notes. Fall 2005. http://www.cs.bu.edu/ itkis/538/ Gene Itkis Boston University Computer Science Dept. 1 General One-Way and Trapdoor Functions In this section, we will
More informationBlum-Blum-Shub cryptosystem and generator. Blum-Blum-Shub cryptosystem and generator
BBS encryption scheme A prime p is called a Blum prime if p mod 4 = 3. ALGORITHM Alice, the recipient, makes her BBS key as follows: BBS encryption scheme A prime p is called a Blum prime if p mod 4 =
More informationCryptography Lecture 4. Attacks against Block Ciphers Introduction to Public Key Cryptography. November 14, / 39
Cryptography 2017 Lecture 4 Attacks against Block Ciphers Introduction to Public Key Cryptography November 14, 2017 1 / 39 What have seen? What are we discussing today? What is coming later? Lecture 3
More informationLecture 07: Private-key Encryption. Private-key Encryption
Lecture 07: Three algorithms Key Generation: Generate the secret key sk Encryption: Given the secret key sk and a message m, it outputs the cipher-text c (Note that the encryption algorithm can be a randomized
More informationThis chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest
1 2 3 This chapter continues our overview of public-key cryptography systems (PKCSs), and begins with a description of one of the earliest and simplest PKCS, Diffie- Hellman key exchange. This first published
More informationHomework 2: Symmetric Crypto Due at 11:59PM on Monday Feb 23, 2015 as a PDF via websubmit.
Homework 2: Symmetric Crypto February 17, 2015 Submission policy. information: This assignment MUST be submitted as a PDF via websubmit and MUST include the following 1. List of collaborators 2. List of
More informationA New Protocol for Conditional Disclosure of Secrets And Its Applications
A New Protocol for Conditional Disclosure of Secrets And Its Applications Sven Laur 1 and Helger Lipmaa 2 1 Helsinki University of Technology, Finland 2 University College London, UK Abstract. Many protocols
More informationCS Network Security. Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA.
CS 393 - Network Security Nasir Memon Polytechnic University Module 7 Public Key Cryptography. RSA. Course Logistics Homework 2 revised. Due next Tuesday midnight. 2/26,28/02 Module 7 - Pubic Key Crypto
More informationDeniable Cloud Storage: Sharing Files via Public-key Deniability
Deniable Cloud Storage: Sharing Files via Public-key Deniability Paolo Gasti University of Genoa Genoa, Italy gasti@disi.unige.it Giuseppe Ateniese Johns Hopkins University Baltimore, MD, USA ateniese@cs.jhu.edu
More informationFrom semantic security to chosen ciphertext security
Graduate Theses and Dissertations Graduate College 2010 From semantic security to chosen ciphertext security Sahnghyun Cha Iowa State University Follow this and additional works at: http://lib.dr.iastate.edu/etd
More informationSomewhat Homomorphic Encryption
Somewhat Homomorphic Encryption Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography Part 1: Homomorphic Encryption: Background, Applications, Limitations Computing
More information