Results 11-20 of 141
Cryptanalysis of the multilinear map over the integers
In Advances in Cryptology - EUROCRYPT 2015, 34th Annual International Conference on the Theory and Applications of Cryptographic Techniques
Cited by 31 (3 self)
Abstract
We describe a polynomial-time cryptanalysis of the (approximate) multilinear map of Coron, Lepoint and Tibouchi (CLT). The attack relies on an adaptation of the so-called zeroizing attack against the Garg, Gentry and Halevi (GGH) candidate multilinear map. Zeroizing is much more devastating for CLT than for GGH. In the case of GGH, it allows one to break generalizations of the Decision Linear and Subgroup Membership problems from pairing-based cryptography. For CLT, this leads to a total break: all quantities meant to be kept secret can be efficiently and publicly recovered.
Key-Dependent Message Security: Generic Amplification and Completeness
2011
Cited by 28 (2 self)
Abstract
Key-dependent message (KDM) secure encryption schemes provide secrecy even when the attacker sees encryptions of messages related to the secret key sk. Namely, the scheme should remain secure even when messages of the form f(sk) are encrypted, where f is taken from some function class F. A KDM amplification procedure takes an encryption scheme which satisfies F-KDM security and boosts it into a G-KDM secure scheme, where the function class G should be richer than F. It was recently shown by Brakerski et al. (TCC 2011) and Barak et al. (EUROCRYPT 2010) that a strong form of amplification is possible, provided that the underlying encryption scheme satisfies some special additional properties. In this work, we prove the first generic KDM amplification theorem which relies solely on the KDM security of the underlying scheme without making any other assumptions. Specifically, we show that an elementary form of KDM security against functions in which each output bit either copies or flips a single bit of the key (aka projections) can be amplified into KDM security with respect to any function family that can be computed in arbitrary fixed polynomial time. Furthermore, our amplification theorem and its proof are insensitive to the exact setting of KDM security, and they hold in the presence of multiple keys and in the symmetric-key/public-key and the CPA/CCA cases. As a result, we can amplify the security of all known KDM constructions, including ones that could not be amplified before. Finally, we study the minimal conditions under which full-KDM security (with respect to all functions) can be achieved. We show that under a strong notion of KDM security, the existence of cyclic-secure fully-homomorphic encryption is not only sufficient for full-KDM security, as shown by Barak et al., but also necessary. On the other hand, we observe that for standard KDM security, this condition can be relaxed by adopting Gentry’s bootstrapping technique (STOC 2009) to the KDM setting.
Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers
In EUROCRYPT 2012
Cited by 26 (0 self)
Abstract
At EUROCRYPT ’10, van Dijk, Gentry, Halevi and Vaikuntanathan presented simple fully-homomorphic encryption (FHE) schemes based on the hardness of approximate integer common divisors problems, which were introduced in 2001 by Howgrave-Graham. There are two versions of these problems: the partial version (PACD) and the general version (GACD). The seemingly easier problem PACD was recently used by Coron, Mandal, Naccache and Tibouchi at CRYPTO ’11 to build a more efficient variant of the FHE scheme by van Dijk et al. We present a new PACD algorithm whose running time is essentially the “square root” of that of exhaustive search, which was the best attack in practice. This allows us to experimentally break the FHE challenges proposed by Coron et al. Our PACD algorithm directly gives rise to a new GACD algorithm, which is exponentially faster than exhaustive search: namely, the running time is essentially the 3/4th root of that of exhaustive search. Interestingly, our main technique can also be applied to other settings, such as noisy factoring, fault attacks on CRT-RSA signatures, and attacking low-exponent RSA encryption.
VMCrypt: modular software architecture for scalable secure computation
2010
Cited by 24 (3 self)
Abstract
Garbled circuits play a key role in secure computation. Unlike previous work, which focused mainly on efficiency and automation aspects of secure computation, in this paper we focus on software modularity and scalability, considering very large circuits. Our main contribution is a virtual machine that dynamically loads hardware descriptions into memory and destructs them as soon as they are done computing. Our software also introduces a new technique for parallel evaluation of garbled circuits. The software is designed in a completely modular fashion, allowing developers to integrate garbled circuits through an API (Abstract Programming Interface), without having to modify the base code. We measure the performance of this architecture on several circuits with hundreds of millions of gates. To the best of our knowledge, these are the largest scalable secure computations done to date.
Approximate common divisors via lattices. Cryptology ePrint Archive, Report 2011/437
2011
Cited by 23 (1 self)
Abstract
We analyze the multivariate generalization of Howgrave-Graham's algorithm for the approximate common divisor problem. In the $m$-variable case with modulus $N$ and approximate common divisor of size $N^{\beta}$, this improves the size of the error tolerated from $N^{\beta^2}$ to $N^{\beta^{(m+1)/m}}$, under a commonly used heuristic assumption. This gives a more detailed analysis of the hardness assumption underlying the recent fully homomorphic cryptosystem of van Dijk, Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the suggested parameters, a $2^{n^{\varepsilon}}$ approximation algorithm with $\varepsilon < 2/3$ for lattice basis reduction in $n$ dimensions could be used to break these parameters. We have implemented the algorithm, and it performs better in practice than the theoretical analysis suggests. Our results fit into a broader context of analogies between cryptanalysis and coding theory. The multivariate approximate common divisor problem is the number-theoretic analogue of multivariate polynomial reconstruction, and we develop a corresponding lattice-based algorithm for the latter problem. In particular, it specializes to a lattice-based list decoding algorithm for Parvaresh-Vardy and Guruswami-Rudra codes, which are multivariate extensions of Reed-Solomon codes. This yields a new proof of the list decoding radii for these codes.
Homomorphic encryption: From private-key to public-key
In Proceedings of the 8th Theory of Cryptography Conference, TCC ’11, 2011
Cited by 16 (0 self)
Abstract
We show that any private-key encryption scheme that is weakly homomorphic with respect to addition modulo 2 can be transformed into a public-key encryption scheme. The homomorphic feature referred to is a minimalistic one; that is, the length of a homomorphically generated encryption should be independent of the number of ciphertexts from which it was created. We do not require anything else on the distribution of homomorphically generated encryptions (in particular, we do not require them to be distributed like real ciphertexts). Our resulting public-key scheme is homomorphic in the following sense. If i+1 repeated applications of homomorphic operations can be applied to the private-key scheme, then i repeated applications can be applied to the public-key scheme.
Fully homomorphic message authenticators
IACR Cryptology ePrint Archive
Cited by 15 (4 self)
Abstract
We define and construct a new primitive called a fully homomorphic message authenticator. With such a scheme, anybody can perform arbitrary computations over authenticated data and produce a short tag that authenticates the result of the computation (without knowing the secret key). This tag can be verified using the secret key to ensure that the claimed result is indeed the correct output of the specified computation over previously authenticated data (without knowing the underlying data). For example, Alice can upload authenticated data to “the cloud”, which then performs some specified computations over this data and sends the output to Bob, along with a short tag that convinces Bob of correctness. Alice and Bob only share a secret key, and Bob never needs to know Alice’s underlying data. Our construction relies on fully homomorphic encryption to build fully homomorphic message authenticators.
Garbled circuits for leakage-resilience: Hardware implementation and evaluation of one-time programs
Cryptology ePrint Archive, Report 2010/276, 2010
Cited by 15 (8 self)
Abstract
The power of side-channel leakage attacks on cryptographic implementations is evident. Today’s practical defenses are typically attack-specific countermeasures against certain classes of side-channel attacks. The demand for a more general solution has given rise to the recent theoretical research that aims to build provably leakage-resilient cryptography. This direction is, however, very new and still largely lacks practitioners’ evaluation with regard to both efficiency and practical security. A recent approach, One-Time Programs (OTPs), proposes using Yao’s Garbled Circuit (GC) and very simple tamper-proof hardware to securely implement oblivious transfer, to guarantee leakage resilience. Our main contributions are (i) a generic architecture for using GC/OTP modularly, and (ii) hardware implementation and efficiency analysis of GC/OTP evaluation. We implemented two FPGA-based prototypes: a system-on-a-programmable-chip with access to a hardware crypto accelerator (suitable for smartcards and future smartphones), and a standalone hardware implementation (suitable for ASIC design). We chose AES as a representative complex function for implementation and measurements. As a result of this work, we are able to understand, evaluate and improve the practicality of employing GC/OTP as a leakage-resistance approach.
Fully Homomorphic SIMD Operations
Cited by 14 (0 self)
Abstract
At PKC 2010 Smart and Vercauteren presented a variant of Gentry’s fully homomorphic public key encryption scheme and mentioned that the scheme could support SIMD style operations. The slow key generation process of the Smart–Vercauteren system was then addressed in a paper by Gentry and Halevi, but their key generation method appears to exclude the SIMD style operation alluded to by Smart and Vercauteren. In this paper, we show how to select parameters to enable such SIMD operations, whilst still maintaining practicality of the key generation technique of Gentry and Halevi. As such, we obtain a somewhat homomorphic scheme supporting both SIMD operations and operations on large finite fields of characteristic two. This somewhat homomorphic scheme can be made fully homomorphic in a naive way by recrypting all data elements separately. However, we show that the SIMD operations can be used to perform the recrypt procedure in parallel, resulting in a substantial speedup. Finally, we demonstrate how such SIMD operations can be used to perform various tasks by studying two use cases: implementing AES homomorphically and encrypted database lookup.
i-hop homomorphic encryption and rerandomizable Yao circuits
In Advances in Cryptology - CRYPTO 2010, 30th Annual Cryptology Conference, 2010
Cited by 14 (2 self)
Abstract
Homomorphic encryption (HE) schemes enable computing functions on encrypted data, by means of a public Eval procedure that can be applied to ciphertexts. But the evaluated ciphertexts so generated may differ from freshly encrypted ones. This brings up the question of whether one can keep computing on evaluated ciphertexts. An i-hop homomorphic encryption scheme is one where Eval can be called on its own output up to i times, while still being able to decrypt the result. A multi-hop homomorphic encryption is a scheme which is i-hop for all i. In this work we study i-hop and multi-hop schemes in conjunction with the properties of function-privacy (i.e., Eval’s output hides the function) and compactness (i.e., the output of Eval is short). We provide formal definitions and describe several constructions. First, we observe that “bootstrapping” techniques can be used to convert any (1-hop) homomorphic encryption scheme into an i-hop scheme for any i, and the result inherits the function-privacy and/or compactness of the underlying scheme. However, if the underlying scheme is not compact (such as schemes derived from Yao circuits) then the complexity of the resulting i-hop scheme can be as high as $k^{O(i)}$. We then describe a specific DDH-based multi-hop homomorphic encryption scheme that does not suffer from this exponential blowup. Although not compact, this scheme has complexity linear in the size of the composed function, independently of the number of hops. The main technical ingredient in this solution is a rerandomizable variant of the Yao circuits. Namely, given a garbled circuit, anyone can regarble it in such a way that even the party that generated the original garbled circuit cannot recognize it. This construction may be of independent interest.