Results 1-10 of 13
Faster bootstrapping with polynomial error
2014
Cited by 10 (2 self)
Abstract
Bootstrapping is a technique, originally due to Gentry (STOC 2009), for “refreshing” ciphertexts of a somewhat homomorphic encryption scheme so that they can support further homomorphic operations. To date, bootstrapping remains the only known way of obtaining fully homomorphic encryption for arbitrary unbounded computations. Over the past few years, several works have dramatically improved the efficiency of bootstrapping and the hardness assumptions needed to implement it. Recently, Brakerski and Vaikuntanathan (ITCS 2014) reached the major milestone of a bootstrapping algorithm based on Learning With Errors for polynomial approximation factors. Their method uses the Gentry-Sahai-Waters (GSW) cryptosystem (CRYPTO 2013) in conjunction with Barrington’s “circuit sequentialization” theorem (STOC 1986). This approach, however, results in very large polynomial runtimes and approximation factors. (The approximation factors can be improved, but at even greater costs in runtime and space.) In this work we give a new bootstrapping algorithm whose runtime and associated approximation factor are both small polynomials. Unlike most previous methods, ours implements an elementary and efficient arithmetic procedure, thereby avoiding the inefficiencies inherent to the use of boolean circuits
New and improved key-homomorphic pseudorandom functions. Cryptology ePrint Archive, Report 2014/074
2014
Cited by 8 (3 self)
Abstract
A key-homomorphic pseudorandom function (PRF) family {F_s : D → R} allows one to efficiently compute the value F_{s+t}(x) given F_s(x) and F_t(x). Such functions have many applications, such as distributing the operation of a key-distribution center and updatable symmetric encryption. The only known construction of key-homomorphic PRFs without random oracles, due to Boneh et al. (CRYPTO 2013), is based on the learning with errors (LWE) problem and hence on worst-case lattice problems. However, the security proof relies on a very strong LWE assumption (i.e., very large approximation factors), and hence has quite inefficient parameter sizes and runtimes. In this work we give new constructions of key-homomorphic PRFs that are based on much weaker LWE assumptions, are much more efficient in time and space, and are still highly parallel. More specifically, we improve the LWE approximation factor from exponential in the input length to exponential in its logarithm (or less). For input length λ and 2^λ security against known lattice algorithms, we improve the key size from λ^3 to λ bits, the public parameters from λ^6 to λ^2 bits, and the runtime from λ^7 to λ^{ω+1} bit operations (ignoring polylogarithmic factors in λ), where ω ∈ [2, 2.373] is the exponent of matrix multiplication. In addition, we give even more efficient ring-LWE-based constructions whose key sizes, public parameters, and incremental runtimes on consecutive inputs are all quasi-linear Õ(λ), which is optimal up to polylogarithmic factors. To our knowledge, these are the first low-depth PRFs (whether key homomorphic or not) enjoying any of these efficiency measures together with non-trivial proofs of 2^λ security under any conventional assumption.
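The key-homomorphic property described in the abstract, illustrated on the rounded matrix-product PRF of Boneh et al. (CRYPTO 2013) that the abstract cites as the prior construction: F_s(x) = round_p(A_{x_ell} ... A_{x_1} s). This is an added Python example, not code from the page or from either paper, and it does not implement the abstract's own (Banerjee-Peikert) constructions. The parameters N, Q, P and ELL are assumptions chosen for readability and give no security. What the example makes visible is that the construction is only "almost" key-homomorphic: the map is linear over Z_q before rounding, so F_s(x) + F_t(x) and F_{s+t}(x) differ by at most 1 in every coordinate, and that discrepancy is what the schemes built on such PRFs have to tolerate.

```python
import random

# Toy parameters (assumption, no security): dimension n, moduli q > p,
# input length ell.
N, Q, P, ELL = 8, 2 ** 16, 2 ** 8, 6


def keygen_params(rng):
    """Public parameters of the BLMR-style PRF: two uniform n x n matrices
    A_0 and A_1 over Z_q. The seed s in Z_q^n is the secret key."""
    return [[[rng.randrange(Q) for _ in range(N)] for _ in range(N)]
            for _ in range(2)]


def matvec(A, v):
    """Matrix-vector product over Z_q."""
    return [sum(A[i][j] * v[j] for j in range(N)) % Q for i in range(N)]


def round_p(v):
    """Component-wise rounding Z_q -> Z_p: floor(v * p / q + 1/2) mod p."""
    return [((vi * P + Q // 2) // Q) % P for vi in v]


def prf(params, s, x):
    """F_s(x) = round_p(A_{x_ell} ... A_{x_1} s) for an ell-bit input x."""
    assert len(x) == ELL and all(b in (0, 1) for b in x)
    v = s
    for bit in x:                      # A_{x_1} is applied first
        v = matvec(params[bit], v)
    return round_p(v)


def homomorphic_error(params, s, t, x):
    """Coordinate-wise (F_s(x) + F_t(x)) - F_{s+t}(x), centred in (-p/2, p/2].

    Before rounding the map is linear: A(x)(s + t) = A(x)s + A(x)t over Z_q.
    Rounding the three values independently loses at most 1/2 each, so every
    coordinate of the discrepancy lies in {-1, 0, 1}: almost key-homomorphic,
    not exactly key-homomorphic."""
    f_s, f_t = prf(params, s, x), prf(params, t, x)
    s_plus_t = [(a + b) % Q for a, b in zip(s, t)]
    f_st = prf(params, s_plus_t, x)
    out = []
    for a, b, c in zip(f_s, f_t, f_st):
        e = (a + b - c) % P
        out.append(e - P if e > P // 2 else e)
    return out


def worst_error(seed=1, trials=200):
    """Largest |discrepancy| observed over random keys and inputs."""
    rng = random.Random(seed)
    params = keygen_params(rng)
    worst = 0
    for _ in range(trials):
        s = [rng.randrange(Q) for _ in range(N)]
        t = [rng.randrange(Q) for _ in range(N)]
        x = [rng.randrange(2) for _ in range(ELL)]
        errs = homomorphic_error(params, s, t, x)
        worst = max(worst, max(abs(e) for e in errs))
    return worst


if __name__ == "__main__":
    print("worst key-homomorphism error per coordinate:", worst_error())
```

The bound of 1 per coordinate holds for any parameters; what the real constructions change is the size of q/p and of the matrices A(x), which is where the LWE approximation factor and the key and parameter sizes quoted in the abstract come from.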
Simpler Efficient Group Signatures from Lattices
Cited by 1 (0 self)
Abstract
A group signature allows a group member to anonymously sign messages on behalf of the group. In the past few years, new group signatures based on lattice problems have appeared: the most efficient lattice-based constructions are due to Laguillaumie et al. (Asiacrypt ’13) and Langlois et al. (PKC ’14). Both have at least O(n^2 log^2 n log N)-bit group public key and O(n log^3 n log N)-bit signature, where n is the security parameter and N is the maximum number of group members. In this paper, we present a simpler lattice-based group signature, which is more efficient by an O(log N) factor in both the group public key and the signature size. We achieve this by using a new non-interactive zero-knowledge (NIZK) proof corresponding to a simple identity-encoding function. The security of our group signature can be reduced to the hardness of SIS and LWE in the random oracle model.
Bootstrapping BGV Ciphertexts With A Wider Choice of p and q
Cited by 1 (0 self)
Abstract
We describe a method to bootstrap a packed BGV ciphertext which does not depend (as much) on any special properties of the plaintext and ciphertext moduli. Prior “efficient” methods such as that of Gentry et al. (PKC 2012) required a ciphertext modulus q which was close to a power of the plaintext modulus p. This enables our method to be applied in a larger number of situations. Also unlike previous methods our depth grows only as log log q as opposed to the log q of previous methods. The basic bootstrapping technique makes use of a representation of the group Z_q^+ over the finite field F_p (either based on polynomials or elliptic curves). This technique is then extended to the full BGV packed ciphertext space, using a method whose depth depends only logarithmically on the number of packed elements. This method may be of interest as an alternative to the method of Alperin-Sheriff and Peikert (CRYPTO 2013). To aid efficiency we utilize the ring/field switching technique of Gentry et al. (SCN 2012, JCS 2013).
Towards a Unified Theory of Cryptographic Agents
Abstract
In recent years there has been a fantastic boom of increasingly sophisticated “cryptographic objects” — identity-based encryption, fully-homomorphic encryption, functional encryption, and most recently, various forms of obfuscation. These objects often come in various flavors of security, and as these constructions have grown in number, complexity and interconnectedness, the relationships between them have become increasingly confusing. We provide a new framework of cryptographic agents that unifies various cryptographic objects and security definitions, similar to how the Universal Composition framework unifies various multiparty computation tasks like commitment, coin-tossing and zero-knowledge proofs. Our contributions can be summarized as follows. • Our main contribution is a new model of cryptographic computation, that unifies and extends cryptographic primitives such as Obfuscation, Functional Encryption, Fully Homomorphic Encryption, Witness Encryption, Property Preserving Encryption and the like, all of which can be cleanly modeled as “schemata” in our framework. We provide a new indistinguishability preserving (IND-PRE) definition of security that interpolates indistinguishability and simulation
Fully Homomorphic Encryption over the Integers Revisited
Abstract
Two main computational problems serve as security foundations of current fully homomorphic encryption schemes: Regev’s Learning With Errors problem (LWE) and Howgrave-Graham’s Approximate Greatest Common Divisor problem (AGCD). Our first contribution is a reduction from LWE to AGCD. As a second contribution, we describe a new AGCD-based fully homomorphic encryption scheme, which outperforms all prior AGCD-based proposals: its security does not rely on the presumed hardness of the so-called Sparse Subset Sum problem, and the bit-length of a ciphertext is only Õ(λ), where λ refers to the security parameter.
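What "AGCD-based" means in practice, as an added Python example that is not from the page or from the paper: the somewhat-homomorphic core of an encryption scheme over the integers in the style of van Dijk, Gentry, Halevi and Vaikuntanathan, whose public key is literally an AGCD instance, a list of x_i = p*q_i + r_i with small r_i. The paper's own scheme differs (it removes the Sparse Subset Sum assumption and shrinks ciphertexts); this toy keeps only the basic mechanism. Parameter values ETA, GAMMA, RHO and TAU are assumptions chosen so the code runs instantly and give no security. The example evaluates XOR and AND on ciphertexts and measures the noise term, which adds under XOR and multiplies under AND; once it exceeds p/2 decryption fails, which is the depth limit that bootstrapping (the subject of several other entries on this page) exists to reset.

```python
import random

# Toy DGHV-style parameters (assumption; real ones are thousands of bits and
# these give no security): p has ETA bits, public samples have GAMMA bits,
# fresh noise has RHO bits, and there are TAU public samples.
ETA, GAMMA, RHO, TAU = 64, 400, 8, 20


def keygen(rng):
    """Secret key: an odd ETA-bit integer p.
    Public key: TAU AGCD samples x_i = p*q_i + r_i with small signed r_i.
    Recovering p from the x_i alone is exactly the AGCD problem."""
    p = rng.getrandbits(ETA) | (1 << (ETA - 1)) | 1
    pk = []
    for _ in range(TAU):
        q = rng.getrandbits(GAMMA - ETA)
        r = rng.randrange(-(1 << RHO), (1 << RHO))
        pk.append(p * q + r)
    return pk, p


def centred_mod(a, m):
    """Representative of a mod m in (-m/2, m/2]."""
    r = a % m
    return r - m if r > m // 2 else r


def encrypt(pk, rng, m):
    """c = m + 2r + 2 * (sum of a random subset of the x_i).
    Modulo p this equals m + 2r + 2*sum(r_i): small, and congruent to m mod 2."""
    assert m in (0, 1)
    r = rng.randrange(-(1 << RHO), (1 << RHO))
    subset_sum = sum(x for x in pk if rng.randrange(2))
    return m + 2 * r + 2 * subset_sum


def noise(p, c):
    """|c mod p| (centred). Decryption is correct only while this is < p/2."""
    return abs(centred_mod(c, p))


def decrypt(p, c):
    return centred_mod(c, p) % 2


def he_xor(c1, c2):
    return c1 + c2      # noise terms add


def he_and(c1, c2):
    return c1 * c2      # noise terms multiply: the depth limit of a somewhat-HE scheme


def majority_circuit_ok(seed=7):
    """Evaluate maj(a,b,c) = ab xor bc xor ca under encryption for all 8 inputs
    and check every result decrypts correctly."""
    rng = random.Random(seed)
    pk, p = keygen(rng)
    for a in (0, 1):
        for b in (0, 1):
            for c in (0, 1):
                ca, cb, cc = (encrypt(pk, rng, bit) for bit in (a, b, c))
                cm = he_xor(he_xor(he_and(ca, cb), he_and(cb, cc)), he_and(cc, ca))
                if decrypt(p, cm) != int(a + b + c >= 2):
                    return False
    return True


def noise_growth(seed=7):
    """(n1, n2, n_xor, n_and): noise of two fresh encryptions of 1 and of
    their homomorphic sum and product."""
    rng = random.Random(seed)
    pk, p = keygen(rng)
    c1, c2 = encrypt(pk, rng, 1), encrypt(pk, rng, 1)
    return (noise(p, c1), noise(p, c2),
            noise(p, he_xor(c1, c2)), noise(p, he_and(c1, c2)))


if __name__ == "__main__":
    print("majority circuit correct:", majority_circuit_ok())
    print("noise (c1, c2, c1+c2, c1*c2):", noise_growth())
```

With these toy sizes a fresh ciphertext carries noise below 2^14 against a 64-bit p, so a handful of multiplication levels fit before decryption breaks; in a real instantiation the ratio of noise size to p is what the security reduction to AGCD and the evaluation depth both depend on.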
Riding on Asymmetry: Efficient ABE for Branching Programs
2014
Abstract
In an Attribute-Based Encryption (ABE) a ciphertext, encrypting message µ, is associated with a public attribute vector x and a secret key sk_P is associated with a predicate P. The decryption returns µ if and only if P(x) = 1. ABE provides an efficient and simple mechanism for data sharing supporting fine-grained access control. Moreover, it is used as a critical component in constructions of succinct functional encryption, reusable garbled circuits, token-based obfuscation and more. In this work, we describe a new efficient ABE scheme for a family of branching programs with short secret keys over a small ring. In particular, in our construction the size of the secret key for a branching program P is |P| + poly(λ), where λ is the security parameter. Our construction is secure assuming n^{ω(1)}-hardness of the standard Learning With Errors (LWE) problem, resulting in a small ring modulus. Previous constructions relied on n^{O(log n)}-hardness of LWE (resulting in a large ring modulus) or had large secret keys of size |P| × poly(λ). We rely on techniques developed by Boneh et al. (EUROCRYPT’14) and Brakerski et al. (ITCS’14) in the context of ABE for circuits and fully-homomorphic encryption.
Short Signatures from Homomorphic Trapdoor Functions
2015
Abstract
We present a lattice-based stateless signature scheme provably secure in the standard model. Our scheme has a constant number of matrices in the public key and a single lattice vector (plus a tag) in the signatures. The best previous lattice-based encryption schemes were the scheme of Ducas and Micciancio (CRYPTO 2014), which required a logarithmic number of matrices in the public key and that of Böhl et al. (J. of Cryptology 2014), which required a logarithmic number of lattice vectors in the signature. Our main technique involves using fully homomorphic computation to compute a degree d polynomial over the tags hidden in the matrices in the public key. In the scheme of Ducas and Micciancio, only functions linear over the tags in the public key matrices were used, which necessitated having d matrices in the public key. As a matter of independent interest, we extend Wichs’ (eprint 2014) recent construction of homomorphic trapdoor functions into a primitive we call puncturable homomorphic trapdoor functions (PHTDFs). This primitive abstracts out most of the properties required in many different lattice-based cryptographic constructions. We then show how to combine a PHTDF along with a function satisfying certain properties (to be evaluated homomorphically) to give an EU-CMA signature scheme.
SHIELD: Scalable Homomorphic Implementation of Encrypted Data Classifiers
Abstract
Homomorphic encryption (HE) systems enable computations on encrypted data, without decrypting and without knowledge of the secret key. In this work, we describe an optimized RLWE-based implementation of a variant of the HE system recently proposed by Gentry, Sahai and Waters [21] (henceforth called GSW). Although this system was widely believed to be less efficient than its contemporaries, we demonstrate quite the opposite behavior for a large class of applications. We first highlight and carefully exploit the algebraic features of the system to achieve significant speedup over the state-of-the-art HE implementation, namely the IBM homomorphic encryption library (HElib) [23]. We introduce several optimizations on top of our HE implementation, and use the resulting scheme to construct a homo