Results 1-10 of 62

Candidate indistinguishability obfuscation and functional encryption for all circuits
In FOCS, 2013
Cited by 170 (37 self)
Abstract: In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits C0 and C1 of similar size, the obfuscations of C0 and C1 should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C. Using the key SK_C to decrypt a ciphertext CT_x = Enc(x) yields the value C(x) but does not reveal anything else about x. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that support all polynomial-size circuits. We accomplish this goal in three steps:
• We describe a candidate construction for indistinguishability obfuscation for NC^1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.
• We show how to use indistinguishability obfuscation for NC^1 together with Fully Homomorphic Encryption (with decryption in NC^1) to achieve indistinguishability obfuscation for all circuits.
Homomorphic evaluation of the AES circuit
In CRYPTO, 2012
Cited by 68 (6 self)
Abstract: We describe a working implementation of leveled homomorphic encryption (without bootstrapping) that can evaluate the AES-128 circuit in three different ways. One variant takes under 36 hours to evaluate an entire AES encryption operation, using NTL (over GMP) as our underlying software platform, and running on a large-memory machine. Using SIMD techniques, we can process over 54 blocks in each evaluation, yielding an amortized rate of just under 40 minutes per block. Another implementation takes just over two and a half days to evaluate the AES operation, but can process 720 blocks in each evaluation, yielding an amortized rate of just over five minutes per block. We also detail a third implementation, which theoretically could yield even better amortized complexity, but in practice turns out to be less competitive. For our implementations we develop both AES-specific optimizations as well as several “generic” tools for FHE evaluation. These last tools include (among others) a different variant of the Brakerski-Vaikuntanathan key-switching technique that does not require reducing the norm of the ciphertext vector, and a method of implementing the Brakerski-Gentry-Vaikuntanathan modulus-switching transformation on ciphertexts in CRT representation.
Practical Multilinear Maps over the Integers
Cited by 56 (2 self)
Abstract: Extending bilinear elliptic curve pairings to multilinear maps is a long-standing open problem. The first plausible construction of such multilinear maps has recently been described by Garg, Gentry and Halevi, based on ideal lattices. In this paper we describe a different construction that works over the integers instead of ideal lattices, similar to the DGHV fully homomorphic encryption scheme. We also describe a different technique for proving the full randomization of encodings: instead of Gaussian linear sums, we apply the classical leftover hash lemma over a quotient lattice. We show that our construction is relatively practical: for reasonable security parameters a one-round 7-party Diffie-Hellman key exchange requires about 25 seconds per party.
Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme
Cited by 27 (7 self)
Abstract: In 1996, Hoffstein, Pipher and Silverman introduced an efficient lattice-based encryption scheme dubbed NTRUEncrypt. Unfortunately, this scheme lacks a proof of security. However, in 2011, Stehlé and Steinfeld showed how to modify NTRUEncrypt to reduce security to standard problems in ideal lattices. At STOC 2012, López-Alt, Tromer and Vaikuntanathan proposed a fully homomorphic scheme based on this modified system. However, to allow homomorphic operations and prove security, a non-standard assumption is required in their scheme. In this paper, we show how to remove this non-standard assumption via techniques introduced by Brakerski at CRYPTO 2012 and construct a new fully homomorphic encryption scheme from the Stehlé and Steinfeld version based on standard lattice assumptions and a circular security assumption. The scheme is scale-invariant and therefore avoids modulus switching, it eliminates ciphertext expansion in homomorphic multiplication, and the size of ciphertexts is one ring element. Moreover, we present a practical variant of our scheme, which is secure under stronger assumptions, along with parameter recommendations and promising implementation results. Finally, we present a novel approach for encrypting larger input sizes by applying a CRT approach on the input space.
Faster Algorithms for Approximate Common Divisors: Breaking Fully-Homomorphic-Encryption Challenges over the Integers
In Eurocrypt 2012
Cited by 26 (0 self)
Abstract: At EUROCRYPT ’10, van Dijk, Gentry, Halevi and Vaikuntanathan presented simple fully-homomorphic encryption (FHE) schemes based on the hardness of approximate integer common divisors problems, which were introduced in 2001 by Howgrave-Graham. There are two versions for these problems: the partial version (PACD) and the general version (GACD). The seemingly easier problem PACD was recently used by Coron, Mandal, Naccache and Tibouchi at CRYPTO ’11 to build a more efficient variant of the FHE scheme by van Dijk et al. We present a new PACD algorithm whose running time is essentially the “square root” of that of exhaustive search, which was the best attack in practice. This allows us to experimentally break the FHE challenges proposed by Coron et al. Our PACD algorithm directly gives rise to a new GACD algorithm, which is exponentially faster than exhaustive search: namely, the running time is essentially the 3/4th root of that of exhaustive search. Interestingly, our main technique can also be applied to other settings, such as noisy factoring, fault attacks on CRT-RSA signatures, and attacking low-exponent RSA encryption.
Approximate common divisors via lattices. Cryptology ePrint Archive, Report 2011/437
2011
Cited by 23 (1 self)
Abstract: We analyze the multivariate generalization of Howgrave-Graham's algorithm for the approximate common divisor problem. In the m-variable case with modulus N and approximate common divisor of size N^β, this improves the size of the error tolerated from N^{β^2} to N^{β^{(m+1)/m}}, under a commonly used heuristic assumption. This gives a more detailed analysis of the hardness assumption underlying the recent fully homomorphic cryptosystem of van Dijk, Gentry, Halevi, and Vaikuntanathan. While these results do not challenge the suggested parameters, a 2^{n^ε} approximation algorithm with ε < 2/3 for lattice basis reduction in n dimensions could be used to break these parameters. We have implemented the algorithm, and it performs better in practice than the theoretical analysis suggests. Our results fit into a broader context of analogies between cryptanalysis and coding theory. The multivariate approximate common divisor problem is the number-theoretic analogue of multivariate polynomial reconstruction, and we develop a corresponding lattice-based algorithm for the latter problem. In particular, it specializes to a lattice-based list decoding algorithm for Parvaresh-Vardy and Guruswami-Rudra codes, which are multivariate extensions of Reed-Solomon codes. This yields a new proof of the list decoding radii for these codes.
Somewhat practical fully homomorphic encryption
IACR Cryptology ePrint Archive
Cited by 15 (1 self)
Abstract: In this paper we port Brakerski’s fully homomorphic scheme based on the Learning With Errors (LWE) problem to the ring-LWE setting. We introduce two optimised versions of relinearisation that not only result in a smaller relinearisation key, but also faster computations. We provide a detailed, but simple analysis of the various homomorphic operations, such as multiplication, relinearisation and bootstrapping, and derive tight worst-case bounds on the noise caused by these operations. The analysis of the bootstrapping step is greatly simplified by using a modulus switching trick. Finally, we derive concrete parameters for which the scheme provides a given level of security and becomes fully homomorphic.
Practical Bootstrapping in Quasilinear Time
2013
Cited by 10 (3 self)
Abstract: Gentry’s “bootstrapping” technique (STOC 2009) constructs a fully homomorphic encryption (FHE) scheme from a “somewhat homomorphic” one that is powerful enough to evaluate its own decryption function. To date, it remains the only known way of obtaining unbounded FHE. Unfortunately, bootstrapping is computationally very expensive, despite the great deal of effort that has been spent on improving its efficiency. The current state of the art, due to Gentry, Halevi, and Smart (PKC 2012), is able to bootstrap “packed” ciphertexts (which encrypt up to a linear number of bits) in time only quasilinear Õ(λ) = λ · log^{O(1)} λ in the security parameter. While this performance is asymptotically optimal up to logarithmic factors, the practical import is less clear: the procedure composes multiple layers of expensive and complex operations, to the point where it appears very difficult to implement, and its concrete runtime appears worse than those of prior methods (all of which have quadratic or larger asymptotic runtimes). In this work we give simple, practical, and entirely algebraic algorithms for bootstrapping in quasilinear time, for both “packed” and “non-packed” ciphertexts. Our methods are easy to implement (especially in the non-packed case), and we believe that they will be substantially more efficient in practice than all prior realizations of bootstrapping. One of our main techniques is a substantial enhancement of the
Homomorphic Computation of Edit Distance
IACR Cryptology ePrint Archive, 2015
Cited by 7 (3 self)
Abstract: These days genomic sequence analysis provides a key way of understanding the biology of an organism. However, since these sequences contain much private information, it can be very dangerous to reveal any part of them. It is desirable to protect this sensitive information when performing sequence analysis in public. As a first step in this direction, we present a method to perform the edit distance algorithm on encrypted data to obtain an encrypted result. In our approach, the genomic data owner provides only the encrypted sequence, and the public commercial cloud can perform the sequence analysis without decryption. The result can be decrypted only by the data owner or a designated representative holding the decryption key. In this paper, we describe how to calculate edit distance on encrypted data with a somewhat homomorphic encryption scheme and analyze its performance. More precisely, given two encrypted sequences of lengths n and m, we show that a somewhat homomorphic scheme of depth O((n + m) log log(n + m)) can evaluate the edit distance algorithm in O(nm log(n + m)) homomorphic computations. In the case of n = m, the depth can be brought down to O(n) using our optimization technique. Finally, we present the estimated performance of the edit distance algorithm and verify it by implementing it for short DNA sequences.
Scale-Invariant Fully Homomorphic Encryption over the Integers
Cited by 7 (0 self)
Abstract: At Crypto 2012, Brakerski constructed a scale-invariant fully homomorphic encryption scheme based on the LWE problem, in which the same modulus is used throughout the evaluation process, instead of a ladder of moduli when doing “modulus switching”. In this paper we describe a variant of the van Dijk et al. FHE scheme over the integers with the same scale-invariant property. Our scheme has a single secret modulus whose size is linear in the multiplicative depth of the circuit to be homomorphically evaluated, instead of exponential; we therefore construct a leveled fully homomorphic encryption scheme. This scheme can be transformed into a pure fully homomorphic encryption scheme using bootstrapping, and its security is still based on the Approximate-GCD problem. We also describe an implementation of the homomorphic evaluation of the full AES encryption circuit, and obtain significantly improved performance compared to previous implementations: about 23 seconds (resp. 3 minutes) per AES block at the 72-bit (resp. 80-bit) security level on a mid-range workstation. Finally, we prove the equivalence between the (error-free) decisional Approximate-GCD problem introduced by Cheon et al. (Eurocrypt 2013) and the classical computational Approximate-GCD problem. This equivalence allows one to get rid of the additional noise in all the integer-based FHE schemes described so far, and therefore to simplify their security proof.