Secure Distributed Computation on Private Inputs
Slide 1/30: Secure Distributed Computation on Private Inputs
David Pointcheval (ENS - CNRS - INRIA)
Foundations & Practice of Security, Clermont-Ferrand, France, October 27th, 2015
Slide 2/30: The Cloud
Slide 3/30: Access from Anywhere
Slide 4/30: Available for Everything
One can:
- store documents, photos, etc.
- share them with colleagues, friends, family
- process the data
- ask queries on the data
Slide 5/30: With Current Solutions
The Cloud provider knows the content, and claims to:
- actually identify users and apply access rights
- safely store the data
- securely process the data
- protect privacy
Slide 6/30: But...
For economic reasons, by accident, or under attack:
- data can get deleted
- any user can access the data
- one can log all the connected users and all the queries, to analyze and sell/negotiate the information
Slide 7/30: Requirements
Users need more:
- storage guarantees
- privacy guarantees: confidentiality of the data, anonymity of the users, obliviousness of the queries
How to process users' queries?
Slide 8/30: FHE: The Killer Tool [Rivest-Adleman-Dertouzos - Foundations of Secure Computation 78] [Gentry - STOC 09]
Fully Homomorphic Encryption allows to process encrypted data, and get the encrypted output.
[Figure: a Boolean circuit of AND/OR/NOT gates on plaintext inputs, then the same circuit evaluated gate by gate (EAND/EOR/ENOT) on encrypted inputs, producing encrypted outputs]
Slide 9/30: Outsourced Processing
[Figure: the client encrypts its inputs, the server evaluates the circuit gate by gate on the encrypted data (EAND/EOR/ENOT), and the client decrypts the encrypted outputs]
The server gets no information about the input/output data.
Symmetric encryption (secret key) is enough.
Slide 10/30: Strong Privacy
[Figure: the encrypted inputs and the encrypted program are both fed to a universal circuit evaluated on encrypted data, producing the encrypted outputs]
The server gets no information about the input/output data, nor about the program.
Slide 11/30: FHE: Ideal Solution?
- allows private storage
- allows private computations: private queries in an encrypted database, private «googling»
- the provider does not learn the content, the queries, nor the answers: privacy by design
But each gate requires huge computations.
Slide 12/30: Confidentiality & Sharing
Encryption allows to protect data:
- the provider stores them without knowing them
- nobody else can access them either, except the owner
How to share them with friends?
- specific people have full access to some data: with public-key encryption for multiple recipients
- specific people have partial access, such as statistics or aggregation of the data
Slide 13/30: Broadcast Encryption [Fiat-Naor - Crypto 94]
The sender can select the target group of receivers.
This allows to control who will access the data.
Slide 14/30: Functional Encryption [Boneh-Sahai-Waters - TCC 11]
The user generates sub-keys $K_y$ according to the input $y$.
From $C = \mathrm{Encrypt}(x)$, $\mathrm{Decrypt}(K_y, C)$ outputs $f(x, y)$.
This allows to control the amount of shared data.
Slide 15/30: Outline
- Broadcast Encryption: efficient solutions for sharing data
- Functional Encryption: some recent efficient solutions for inner product
- Fully Homomorphic Encryption: despite recent improvements, this is still inefficient; with 2-party computation one can get an efficient alternative
Slide 16/30: Multi-Party Computation
[Figure: several parties, each contributing an input and receiving an output]
Secure Multi-Party Computation, ideally: each party gives its input and just learns its output, for any ideal functionality.
Slide 17/30: Multi-Party Computation (continued)
In practice: many interactions between the parties; the latency is too high over the Internet.
Slide 18/30: Two-Party Computation
[Figure: Alice holds $x$, Bob holds $y$, and both learn $z = f(x, y)$]
General construction: Yao's garbled circuits.
For a specific function, this is quite inefficient, e.g. $f(x, y) = (x + y)^e \bmod n$.
Slide 19/30: Encryption Switching Protocols [Couteau-Peters-Pointcheval - ePrint 2015/990]
$f(x, y) = (x + y)^e \bmod n$
With an additively homomorphic encryption $E^+$, a multiplicatively homomorphic encryption $E^\times$, and an interactive switch from $c^+$ to $c^\times$:
- Alice sends $c^+_A = E^+(x)$, and Bob sends $c^+_B = E^+(y)$
- they compute $c^+ = c^+_A \cdot c^+_B = E^+(x + y)$
- they run the interactive switch to get $c^\times = E^\times(x + y)$
- they compute $C = (c^\times)^e = E^\times((x + y)^e)$
- they run the interactive decryption to get $z$
Slide 20/30: Homomorphic Encryption [Paillier - Eurocrypt 99]
Additive encryption on $\mathbb{Z}_n$: Paillier encryption
- Public key: $n = pq$
- Secret key: $d = \lambda \cdot [\lambda^{-1} \bmod n]$, with $\lambda = \mathrm{lcm}(p-1, q-1)$, so that $d \equiv 0 \pmod{\lambda}$ and $d \equiv 1 \pmod{n}$
- Encryption: $c = (1 + n)^m \cdot r^n \bmod n^2$
- Decryption: $m = [c^d - 1 \bmod n^2] / n$
Additively homomorphic. Efficient interactive decryption.
Slide 21/30: Homomorphic Encryption [ElGamal - IEEE TIT 85]
Multiplicative encryption on a cyclic group $G$ (of prime order $p$, generated by $g$): ElGamal encryption
- Secret key: $x \in \mathbb{Z}_p$; public key: $h = g^x$
- Encryption: $c = (c_0 = g^r, c_1 = h^r \cdot m)$
- Decryption: $m = c_1 / c_0^x$
Multiplicatively homomorphic. Efficient interactive decryption.
If $n = pq$, with safe primes $p = 2p' + 1$ and $q = 2q' + 1$:
- works for $G = \mathbb{QR}_n$ (the squares of $\mathbb{Z}_n^*$), under the DDH assumption in $\mathbb{Z}_p^*$ and $\mathbb{Z}_q^*$
- works for $G = \mathbb{J}_n$ (the elements of Jacobi symbol $+1$), under the additional QR assumption
- but does not work in $\mathbb{Z}_n^*$
Slide 22/30: Encoding of Messages
Multiplicative encryption on $\mathbb{Z}_n^*$: by encoding $m$.
For $n = pq$, take $\chi \in \mathbb{Z}_n^* \setminus \mathbb{J}_n$ and a generator $g$ of $\mathbb{J}_n$ (cyclic, of order $2p'q'$). Using the CRT:
- $\chi = g^{t_p} \bmod p$, for an even $t_p$
- $\chi = g^{t_q} \bmod q$, for an odd $t_q$
hence $\chi \in \mathbb{Z}_n^* \setminus \mathbb{J}_n$.
For $m \in \mathbb{Z}_n^*$, pick $a \leftarrow_R \{1, \dots, n/2\}$ so that $\chi^a \cdot m \in \mathbb{J}_n$, and set $m_1 = g^a \bmod n$ and $m_2 = \chi^a \cdot m \bmod n$.
From $m_1$, one gets $\chi^a \bmod n$ using the CRT: $\chi^a = m_1^{t_p} \bmod p$ and $\chi^a = m_1^{t_q} \bmod q$.
From $m_2$, one gets $m = m_2 / \chi^a \bmod n$.
Slide 23/30: Homomorphic Encryption
Multiplicative encryption on $\mathbb{Z}_n^*$: for $n = pq$
- Secret key: $x, t_p, t_q \in \mathbb{Z}$
- Public key: $\chi \in \mathbb{Z}_n^* \setminus \mathbb{J}_n$, $\mathbb{J}_n = \langle g \rangle$, $h = g^x$ (ElGamal in $\mathbb{J}_n$)
- Encryption: encode $m$ into $(m_1 = g^a, m_2 = \chi^a m) \in \mathbb{J}_n^2$, encrypt $m_2$ under $h$ to get $(c_0, c_1)$; the ciphertext is $C = (c_0, c_1, m_1)$
- Decryption: decrypt $(c_0, c_1)$ using $x$ to get $m_2$; convert $m_1 = g^a$ into $\chi^a$ using the CRT; get $m = m_2 / \chi^a \bmod n$
Multiplicatively homomorphic. Efficient interactive decryption.
Efficient encryption switching protocols with the Paillier encryption.
Slide 24/30: Two-Party Computation?
The two homomorphic encryption schemes, together with the encryption switching protocols, give efficient two-party computation.
But only in the intersection of the plaintext spaces: $\mathbb{Z}_n \cap \mathbb{Z}_n^* = \mathbb{Z}_n^*$. Cannot deal with zero! But cannot avoid zero either during computations!
Slide 25/30: How to Handle Zero?
In order to multiplicatively encrypt $m \in \mathbb{Z}_n$:
- one defines $b = 1$ if $m = 0$, and $b = 0$ otherwise
- one encrypts $A = m + b \bmod n$
- one encrypts $B = T^b \bmod n$, for a random square $T$
One can note that $A \in \mathbb{Z}_n^*$, unless $m$ is a non-trivial multiple of $p$ or $q$, and $B \in \mathbb{QR}_n$: they can both be encrypted with appropriate ElGamal-like encryption.
Multiplicatively homomorphic: 0 is absorbing in $B$.
Encrypted Zero Test protocols: $E^+(m) \to E^+(b)$.
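The following Python module is an added worked example for slides 22, 23 and 25; it is written for this page and is not code from the talk or from the Couteau-Peters-Pointcheval paper. It implements the encoding of $\mathbb{Z}_n^*$ into $\mathbb{J}_n^2$, the ElGamal layer on $m_2$ with $m_1$ carried in the clear, the CRT recovery of $\chi^a$ from $m_1$ with $t_p, t_q$, and the $(A, B)$ layer that makes zero absorbing. It assumes toy safe primes $p = 23$ and $q = 47$ and recovers $t_p, t_q$ by brute-force discrete logarithm, which is only possible because the primes are tiny; all function and variable names are the example's own.

```python
import random
from math import gcd

# Toy safe primes, constructed for this example (real parameters are 1024-bit or more).
P, Q = 23, 47                        # p = 2*11 + 1, q = 2*23 + 1
N = P * Q
PP, QQ = (P - 1) // 2, (Q - 1) // 2  # p', q'
ORDER_JN = 2 * PP * QQ               # J_N is cyclic of order 2p'q'

def legendre(a, p):
    """Euler's criterion: +1 if a is a non-zero square mod the prime p, -1 otherwise."""
    return 1 if pow(a % p, (p - 1) // 2, p) == 1 else -1

def jacobi(a):
    return legendre(a, P) * legendre(a, Q)

def crt(rp, rq):
    """Combine residues mod P and mod Q into the residue mod N."""
    return (rp * Q * pow(Q, -1, P) + rq * P * pow(P, -1, Q)) % N

def dlog(base, target, p):
    """Brute-force discrete log in Z_p^*; only feasible because the primes are tiny."""
    for t in range(p - 1):
        if pow(base, t, p) == target % p:
            return t
    raise ValueError("target not generated by base")

def setup():
    """Public key (g, chi, h) and secret key (x, t_p, t_q), as on slide 23."""
    # g: a non-square other than -1 mod p and mod q, so it generates Z_p^* and Z_q^*,
    # has Jacobi symbol +1 and therefore generates J_N.
    g = next(v for v in range(2, N) if gcd(v, N) == 1
             and legendre(v, P) == -1 and legendre(v, Q) == -1
             and v % P != P - 1 and v % Q != Q - 1)
    # chi = g^{t_p} mod p with t_p even, chi = g^{t_q} mod q with t_q odd: chi is not in J_N.
    chi = next(v for v in range(2, N) if gcd(v, N) == 1
               and legendre(v, P) == 1 and legendre(v, Q) == -1)
    t_p, t_q = dlog(g, chi, P), dlog(g, chi, Q)
    x = random.randrange(1, ORDER_JN)        # ElGamal secret key in J_N
    return (g, chi, pow(g, x, N)), (x, t_p, t_q)

def encode(pk, m):
    """Slide 22: m in Z_N^* -> (m1, m2) = (g^a, chi^a * m), both parts in J_N."""
    g, chi, _ = pk
    if gcd(m, N) != 1:
        raise ValueError("m must be invertible mod N")
    a = random.randrange(1, N // 2)
    if (-1) ** a * jacobi(m) != 1:           # the parity of a fixes the Jacobi symbol of chi^a * m
        a += 1
    return pow(g, a, N), (pow(chi, a, N) * m) % N

def decode(sk, m1, m2):
    """Recover chi^a from m1 = g^a with t_p, t_q and the CRT, then m = m2 / chi^a."""
    _, t_p, t_q = sk
    chi_a = crt(pow(m1, t_p, P), pow(m1, t_q, Q))
    return (m2 * pow(chi_a, -1, N)) % N

def encrypt(pk, m):
    """Slide 23: C = (c0, c1, m1), ElGamal on m2 under h, m1 sent in the clear."""
    g, _, h = pk
    m1, m2 = encode(pk, m)
    r = random.randrange(1, ORDER_JN)
    return (pow(g, r, N), (pow(h, r, N) * m2) % N, m1)

def decrypt(pk, sk, c):
    c0, c1, m1 = c
    m2 = (c1 * pow(pow(c0, sk[0], N), -1, N)) % N
    return decode(sk, m1, m2)

def mul(c, d):
    """Multiplicative homomorphism: component-wise product of the two ciphertexts."""
    return tuple((u * v) % N for u, v in zip(c, d))

def encode_zero(m):
    """Slide 25: m in Z_N -> (A, B) with b = [m == 0], A = m + b, B = T^b, T a random square."""
    b = 1 if m % N == 0 else 0
    T = 1
    while T == 1 or gcd(T, N) != 1:          # a square other than 1, invertible mod N
        T = pow(random.randrange(2, N), 2, N)
    return (m + b) % N, pow(T, b, N)

def encrypt_zero(pk, m):
    A, B = encode_zero(m)                     # raises if m is a non-trivial multiple of p or q
    return encrypt(pk, A), encrypt(pk, B)

def mul_zero(c, d):
    return mul(c[0], d[0]), mul(c[1], d[1])

def decrypt_zero(pk, sk, c):
    """B is absorbing: one zero factor leaves B != 1 and the whole product decodes to 0."""
    A, B = decrypt(pk, sk, c[0]), decrypt(pk, sk, c[1])
    return 0 if B != 1 else A
```

Because $t_p$ and $t_q$ are part of the secret key, only the key holder can strip $\chi^a$ off $m_2$; a third party sees $m_1 = g^a$, and telling the parity of $a$ from it is the quadratic residuosity problem in $\mathbb{J}_n$, which is why slide 21 needs the QR assumption on top of DDH.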
Slide 26/30: Set Disjointness Testing
Alice's friends: $A = \{a_1, \dots, a_m\}$; Bob's friends: $B = \{b_1, \dots, b_n\}$. Is $A \cap B = \emptyset$?
- Alice computes $P(X) = \prod_i (X - a_i) = \sum_i A_i X^i$, and sends $C_i = E^+(A_i)$
- Bob computes $B_j = E^+(P(b_j)) = \prod_i C_i^{b_j^i}$
- they switch to $B'_j = E^\times(P(b_j))$
- they compute $C = E^\times(\prod_j P(b_j)) = \prod_j B'_j$
- they decrypt $C$: $c = \prod_j P(b_j) = \prod_j \prod_i (b_j - a_i)$
$c = 0 \iff A \cap B \neq \emptyset$
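An added Python example for slides 20 and 26, written for this page and not taken from the talk: toy Paillier with the secret key $d = \lambda \cdot [\lambda^{-1} \bmod n]$ of slide 20, Alice's encrypted polynomial, and Bob's oblivious evaluation of $E^+(P(b_j))$ through the additive homomorphism. The switch to $E^\times$ is an interactive protocol that this example does not reproduce; as a stand-in, Bob multiplies each $E^+(P(b_j))$ by a random unit and shuffles the list, the blinding used by Freedman-Nissim-Pinkas (Eurocrypt 2004), so Alice learns $|A \cap B|$ instead of the single bit the product $\prod_j P(b_j)$ yields on the slide. That difference is exactly what the encryption switching buys. The 14-bit primes are constructed for the example and all names are its own.

```python
import random
from math import gcd, lcm

# Toy modulus, constructed for this example (real deployments use 1024-bit primes at least).
P, Q = 10007, 10009
N = P * Q
N2 = N * N
LAM = lcm(P - 1, Q - 1)
# Slide 20 secret key: d = lambda * [lambda^-1 mod n], so d = 0 mod lambda and d = 1 mod n.
D = LAM * pow(LAM, -1, N)

def random_unit():
    r = random.randrange(1, N)
    while gcd(r, N) != 1:
        r = random.randrange(1, N)
    return r

def paillier_enc(m):
    """c = (1 + n)^m * r^n mod n^2."""
    return (pow(1 + N, m % N, N2) * pow(random_unit(), N, N2)) % N2

def paillier_dec(c):
    """m = [c^d - 1 mod n^2] / n: r^{nd} vanishes since d = 0 mod lambda, and (1+n)^{md} = 1 + mn."""
    return ((pow(c, D, N2) - 1) // N) % N

def add(c1, c2):
    """E+(a) * E+(b) = E+(a + b)."""
    return (c1 * c2) % N2

def scale(c, k):
    """E+(a)^k = E+(k * a)."""
    return pow(c, k % N, N2)

def poly_coeffs(roots):
    """Coefficients A_0, ..., A_m of P(X) = prod_i (X - a_i) mod n, lowest degree first."""
    coeffs = [1]
    for a in roots:
        nxt = [0] * (len(coeffs) + 1)
        for i, c in enumerate(coeffs):
            nxt[i + 1] = (nxt[i + 1] + c) % N   # c * X^i * X
            nxt[i] = (nxt[i] - c * a) % N       # c * X^i * (-a)
        coeffs = nxt
    return coeffs

def alice_encrypted_polynomial(alice_set):
    """Alice -> Bob: C_i = E+(A_i); the roots a_i stay hidden under Paillier."""
    return [paillier_enc(c) for c in poly_coeffs(alice_set)]

def eval_encrypted(enc_coeffs, b):
    """Bob's oblivious evaluation: E+(P(b)) = prod_i C_i^(b^i), re-randomised with E+(0)."""
    acc, power = paillier_enc(0), 1
    for c in enc_coeffs:
        acc = add(acc, scale(c, power))
        power = (power * b) % N
    return acc

def bob_blind_and_shuffle(enc_coeffs, bob_set):
    """Bob -> Alice, stand-in for the switch to E×: each E+(P(b_j)) is scaled by a random
    unit r_j (so it decrypts to 0 iff P(b_j) = 0) and the list is shuffled."""
    blinded = [scale(eval_encrypted(enc_coeffs, b), random_unit()) for b in bob_set]
    random.shuffle(blinded)
    return blinded

def intersection_size(alice_set, bob_set):
    """Both roles run locally. Alice learns only |A ∩ B|; Bob learns nothing."""
    blinded = bob_blind_and_shuffle(alice_encrypted_polynomial(alice_set), bob_set)
    return sum(1 for c in blinded if paillier_dec(c) == 0)

def private_disjointness(alice_set, bob_set):
    return intersection_size(alice_set, bob_set) == 0
```

The degree of the polynomial, hence the number of ciphertexts Alice sends, is $|A|$, and Bob's work is $|A| \cdot |B|$ exponentiations modulo $n^2$; the encrypted coefficients reveal nothing about $A$ beyond its size, which is the property a practitioner should check before reusing this pattern.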
Slide 27/30: Outsourced Computations
[Figure: the user sends encrypted inputs to two independent servers holding the key shares $sk_A$ and $sk_B$, and receives the encrypted outputs]
The servers get no information about the input/output data.
The user possesses $n = pq$, and gives the shares to 2 independent servers.
Interactive Fully Homomorphic Encryption.
Slide 28/30: Homomorphic Encryption [Bresson-Catalano-Pointcheval - Asiacrypt 03]
Additive encryption on $\mathbb{Z}_n$: BCP encryption
- Parameters: $n = pq$ and a square $g \in \mathbb{Z}_{n^2}^*$
- Secret key: $x \in \mathbb{Z}_{n\lambda(n)}$
- Public key: $h = g^x \bmod n^2$
- Encryption: $c_0 = g^r \bmod n^2$, for $r \in [1..n^2/2]$; $c_1 = h^r (1 + mn) \bmod n^2$
- Decryption: $m = [c_1 / c_0^x - 1 \bmod n^2] / n$
- Alternatively, with $\lambda(n)$ one gets $x_0 = x \bmod n$ (where $x = x_0 + n x_1$), and $c_1 / c_0^{x_0} = g^{(x - x_0) r} (1 + mn) = (g^{r x_1})^n (1 + mn) = u^n (1 + n)^m \bmod n^2$, a Paillier ciphertext of $m$
Slide 29/30: Multi-User Setting
The two independent servers share the Paillier secret key for $n = pq$ and set up a BCP scheme:
- the servers can convert BCP ciphertexts into Paillier ciphertexts, and run the 2-party protocol
- the servers can convert a Paillier ciphertext into a BCP ciphertext for a specific user
Secure, efficient outsourced computations.
More servers can be used: unless all the servers are corrupted, privacy is guaranteed.
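An added Python example for slides 28 and 29, written for this page and not code from the talk or from the BCP paper: toy BCP encryption with both decryption paths, the user's with $x$ and the servers' with $\lambda(n)$, and the conversion of a BCP ciphertext into a Paillier ciphertext under the same $n$ using only $x_0 = x \bmod n$, as on slide 28, followed by Paillier decryption with the key $d$ of slide 20. The reverse direction (Paillier to BCP for a specific user) goes through the servers' shared Paillier decryption and is not shown. The primes $p = 10007$ and $q = 10009$ and all names are the example's own, and the servers' $\lambda(n)$ is a single local value here rather than a share split between two servers.

```python
import random
from math import gcd, lcm

# Toy modulus, constructed for this example (the real thing uses 1024-bit primes at least).
P, Q = 10007, 10009
N = P * Q
N2 = N * N
LAM = lcm(P - 1, Q - 1)             # lambda(n): the servers' master trapdoor
PAILLIER_D = LAM * pow(LAM, -1, N)  # Paillier secret key of slide 20 (d = 0 mod lambda, 1 mod n)

def L(u):
    """Paillier's L function: (u - 1) / n, for u = 1 mod n."""
    return (u - 1) // N

def bcp_setup():
    """Public parameter: a square g of Z_{n^2}^* whose order is a multiple of n,
    i.e. g^lambda = 1 + k n with k invertible mod n, as BCP requires."""
    while True:
        alpha = random.randrange(2, N2)
        g = pow(alpha, 2, N2)
        if gcd(alpha, N) == 1 and gcd(L(pow(g, LAM, N2)), N) == 1:
            return g

def bcp_keygen(g):
    """User key pair: secret x in Z_{n lambda(n)}, public h = g^x mod n^2."""
    x = random.randrange(1, N * LAM)
    return x, pow(g, x, N2)

def bcp_enc(g, h, m):
    """(c0, c1) = (g^r, h^r (1 + m n)) mod n^2, with r in [1, n^2/2]."""
    r = random.randrange(1, N2 // 2)
    return pow(g, r, N2), (pow(h, r, N2) * (1 + (m % N) * N)) % N2

def bcp_add(c, d):
    """Additive homomorphism: component-wise product."""
    return (c[0] * d[0]) % N2, (c[1] * d[1]) % N2

def bcp_dec(x, c):
    """User decryption: m = L(c1 / c0^x mod n^2)."""
    c0, c1 = c
    return L((c1 * pow(pow(c0, x, N2), -1, N2)) % N2) % N

def bcp_x0_from_pk(g, h):
    """Server side, with lambda(n) only: recover x0 = x mod n from h = g^x.
    g^lambda = 1 + k_g n and h^lambda = (g^lambda)^x = 1 + x k_g n (mod n^2)."""
    k_g = L(pow(g, LAM, N2))
    k_h = L(pow(h, LAM, N2))
    return (k_h * pow(k_g, -1, N)) % N

def bcp_to_paillier(g, h, c):
    """Slide 28, alternative decryption: c1 / c0^x0 = g^{(x - x0) r} (1 + m n)
    = (g^{r x1})^n (1 + n)^m, a Paillier ciphertext of m under the same n."""
    x0 = bcp_x0_from_pk(g, h)
    c0, c1 = c
    return (c1 * pow(pow(c0, x0, N2), -1, N2)) % N2

def paillier_dec(c):
    """Slide 20 decryption with d, applied to the converted ciphertext."""
    return L(pow(c, PAILLIER_D, N2)) % N
```

Note what the conversion does and does not need: `bcp_to_paillier` uses $\lambda(n)$ to derive $x_0$ but never learns $m$, so a server holding $\lambda(n)$ can move any user's ciphertext into the Paillier world where the 2-party protocol runs; the plaintext only appears when the Paillier key $d$ is used, which is the key the slide puts under shared control.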
Slide 30/30: Conclusion
Threat: however strong the trustfulness of the Cloud provider may be, any system or human vulnerability can be exploited against privacy.
Privacy by design: tools to limit data access. The provider is just trusted to store the data (which can be controlled) and to process and answer any request; the worst it can do is deny service.
We spoke about defense challenges Crypto introduction o Secret, public algorithms o Symmetric, asymmetric crypto, one-way hashes Attacks on cryptography o Cyphertext-only, known, chosen, MITM, brute-force
More informationGeneric Attacks on Feistel Schemes
Generic Attacks on Feistel Schemes Jacques Patarin 1, 1 CP8 Crypto Lab, SchlumbergerSema, 36-38 rue de la Princesse, BP 45, 78430 Louveciennes Cedex, France PRiSM, University of Versailles, 45 av. des
More information- A CONSOLIDATED PROPOSAL FOR TERMINOLOGY
ANONYMITY, UNLINKABILITY, UNDETECTABILITY, UNOBSERVABILITY, PSEUDONYMITY, AND IDENTITY MANAGEMENT - A CONSOLIDATED PROPOSAL FOR TERMINOLOGY Andreas Pfitzmann and Marit Hansen Version v0.31, Feb. 15, 2008
More informationHigh-Capacity Reversible Data Hiding in Encrypted Images using MSB Prediction
High-Capacity Reversible Data Hiding in Encrypted Images using MSB Prediction Pauline Puteaux and William Puech; LIRMM Laboratory UMR 5506 CNRS, University of Montpellier; Montpellier, France Abstract
More informationAES Encryption and Decryption in Microsoft.NET
AES Encryption and Decryption in Microsoft.NET William J. Buchanan Centre for Distributed Computing and Security, Edinburgh Napier University {w.buchanan}@napier.ac.uk http://cdcs.napier.ac.uk Abstract.
More informationA Novel Encryption System using Layered Cellular Automata
A Novel Encryption System using Layered Cellular Automata M Phani Krishna Kishore 1 S Kanthi Kiran 2 B Bangaru Bhavya 3 S Harsha Chaitanya S 4 Abstract As the technology is rapidly advancing day by day
More informationMath 319 Problem Set #7 Solution 18 April 2002
Math 319 Problem Set #7 Solution 18 April 2002 1. ( 2.4, problem 9) Show that if x 2 1 (mod m) and x / ±1 (mod m) then 1 < (x 1, m) < m and 1 < (x + 1, m) < m. Proof: From x 2 1 (mod m) we get m (x 2 1).
More informationDeterring Voluntary Trace Disclosure in Re-encryption Mix Networks
Deterring Voluntary Trace Disclosure in Re-encryption Mix Networks Philippe Golle PARC pgolle@parc.com XiaoFeng Wang Indiana University xw7@indiana.edu Markus Jakobsson Indiana University markus@indiana.edu
More informationNumber Theory and Security in the Digital Age
Number Theory and Security in the Digital Age Lola Thompson Ross Program July 21, 2010 Lola Thompson (Ross Program) Number Theory and Security in the Digital Age July 21, 2010 1 / 37 Introduction I have
More informationEliminating Random Permutation Oracles in the Even-Mansour Cipher. Zulfikar Ramzan. Joint work w/ Craig Gentry. DoCoMo Labs USA
Eliminating Random Permutation Oracles in the Even-Mansour Cipher Zulfikar Ramzan Joint work w/ Craig Gentry DoCoMo Labs USA ASIACRYPT 2004 Outline Even-Mansour work and open problems. Main contributions
More informationNetwork Security: Secret Key Cryptography
1 Network Security: Secret Key Cryptography Henning Schulzrinne Columbia University, New York schulzrinne@cs.columbia.edu Columbia University, Fall 2000 cfl1999-2000, Henning Schulzrinne Last modified
More informationYale University Department of Computer Science
LUX ETVERITAS Yale University Department of Computer Science Secret Bit Transmission Using a Random Deal of Cards Michael J. Fischer Michael S. Paterson Charles Rackoff YALEU/DCS/TR-792 May 1990 This work
More informationProceedings of Meetings on Acoustics
Proceedings of Meetings on Acoustics Volume 19, 213 http://acousticalsociety.org/ ICA 213 Montreal Montreal, Canada 2-7 June 213 Signal Processing in Acoustics Session 2pSP: Acoustic Signal Processing
More information1 Introduction to Cryptology
U R a Scientist (CWSF-ESPC 2017) Mathematics and Cryptology Patrick Maidorn and Michael Kozdron (Department of Mathematics & Statistics) 1 Introduction to Cryptology While the phrase making and breaking
More informationPhysical Layer Security for Wireless Networks
Physical Layer Security for Wireless Networks Şennur Ulukuş Department of ECE University of Maryland ulukus@umd.edu Joint work with Shabnam Shafiee, Nan Liu, Ersen Ekrem, Jianwei Xie and Pritam Mukherjee.
More informationWritten Exam Information Transmission - EIT100
Written Exam Information Transmission - EIT100 Department of Electrical and Information Technology Lund University 2016-06-03 8.00 13.00 *** SOLUTION *** The exam consists of five problems. 20 of 50 points
More informationDUBLIN CITY UNIVERSITY
DUBLIN CITY UNIVERSITY SEMESTER ONE EXAMINATIONS 2013/2014 MODULE: CA642/A Cryptography and Number Theory PROGRAMME(S): MSSF MCM ECSA ECSAO MSc in Security & Forensic Computing M.Sc. in Computing Study
More information