Embed Size (px)
Citation preview
SESSION ID
RSAC
SESSION ID
RSAC
CRYP-F03
University of Connecticut amp University of Athens joint work with Aggelos Kiayias Nikos Leonardos Helger Lipmaa and Kateryna Pavlyk
Qiang Tang
Communication Optimal Tardos-based Asymmetric Fingerprinting
RSACRSAC
A Motivational Example
2
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
3
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
4
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
5
Godfather-HD
$599
RSACRSAC
A Motivational Example
6
How to identify the source of the pirate
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Motivational Example
2
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
3
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
4
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
5
Godfather-HD
$599
RSACRSAC
A Motivational Example
6
How to identify the source of the pirate
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Motivational Example
3
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
4
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
5
Godfather-HD
$599
RSACRSAC
A Motivational Example
6
How to identify the source of the pirate
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Motivational Example
4
A Movie Producer
helliphellip
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
5
Godfather-HD
$599
RSACRSAC
A Motivational Example
6
How to identify the source of the pirate
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Motivational Example
5
Godfather-HD
$599
RSACRSAC
A Motivational Example
6
How to identify the source of the pirate
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Motivational Example
6
How to identify the source of the pirate
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Fingerprinting
7
A Movie Producer
helliphellip
A$RT8^VFampt4(1 c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Motivational Example
8
Godfather-HD
$599
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
9
Fingerprinting
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
10
VFampRT8^
Fingerprinting
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
11
pirate codeword
VFampRT8^
Fingerprinting
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
12
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
13
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
Fingerprinting
tracing algorithm
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
14
VFampt4(1
A$RT8^
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
15
VFampt4(1
A$RT8^
Cinema 1
Cinema 5
pirate codeword
VFampRT8^
tracing algorithm
Fingerprinting
compare to the DB
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
The Goals of Fingerprinting
16
Individualize contents
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
The Goals of Fingerprinting
17
Individualize contents Trace back to the sources
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Catch
18
Does fingerprinting really de-incentivize illegal content re-distribution
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Catch
19
Both the content provider and the content receiver can leak a copy
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
A Catch
20
Both the content provider and the content receiver can leak a copy The copy found in the public can not serve as a undeniable proof
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
21
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
22
A Movie Producer
helliphellip
1b6Gamp8I$
A$RT8^c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
23
A Movie Producer
helliphellip
t456ampE
1b6Gamp8I$c$f65I
A$RT8^
VFampt4( G^7TC4
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
24
A Movie Producer
helliphellip
t456ampEA$RT8^VFampt4(1b6Gamp8I$ G^7TC4c$f65I
Cinema 1 Cinema 2 Cinema 3
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
25
Godfather-HD
$599
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
26
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
27
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
28
half code
VFampt4(1Ab$amp8I$
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
29
half code
VFampt4(1Ab$amp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
30
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
tracing alg
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
31
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
32
half code
VFampt4(1Ab$amp8I$A$RT8^
1b6Gamp8I$ Cinema 2
Cinema 1
ldquohalf DBrdquo
tracing alg
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
33
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
34
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
35
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACRSAC
Asymmetric Fingerprinting
36
G^7TC4A$RT8^
VFampt4(11b6Gamp8I$ Cinema 2
Cinema 1
Cinema 1
Cinema 2
t456ampEA$RT8^
VFampt4(1b6Gamp8I$
t456ampE
VFampt4(
Cinema 1 Cinema 2
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
37
The content provider can not frame a theater
Security Considerations
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
38
The content provider can not frame a theater All suspects should be accused by the judge
Security Considerations
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
39
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
40
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Cinema 1 will be the suspect but the judge will not accuse him
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
41
t456ampEA$RT8^
VFampt4(1b6Gamp8I$VFampt4(A$RT8^
A Subtle Security Consideration
Accusation Withdraw
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
42
A Subtle Security Consideration
1 Cinema should not know how the two halves are mixed
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
43
1 Cinema should not know how the two halves are mixed
A Subtle Security Consideration
2 Lower down the tracing parameter at the judge side
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Important Efficiency Consideration
44
Building secure protocols brings some overhead
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Important Efficiency Consideration
45
Even transmitting 2 movie size kills the bandwidth
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Important Efficiency Consideration
46
Even transmitting 2 movie size kills the bandwidth
And will hinder the adoption of this technique
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Important Efficiency Consideration
47
Rate=Size of
Size of actual transmission
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Important Efficiency Consideration
48
Rate=Size of
Size of actual transmission1
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Important Efficiency Consideration
49
Fight Piracy without Extra Bandwidth Cost
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
High-level Construction Idea
50
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
High-level Construction Idea
51
Careful protocol design to meet both security and rate efficiency
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
High-level Construction Idea
52
Setup phase Fingerprint phase Identify phase Dispute phase
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
53
A Movie Producer
Cinema 1
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
54
A Movie Producer
Cinema 1
Oblivious Sampling
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
55
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
56
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
57
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
58
A Movie Producer
Cinema 1
tA4$56ampRT8E^
Oblivious Sampling
Conditional OT
OT
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Fingerprint Phase
59
A Movie Producer
Cinema 1
tA4$56ampRT8E^
A$RT8^
Oblivious Sampling
Conditional OT
OT
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
60
Content provider only knows half of the codeword
Fingerprint Phase
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
61
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP
Fingerprint Phase
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
62
Content provider only knows half of the codeword Theaters donrsquot know which part is known to the CP Rate optimal OT and COT are needed
Fingerprint Phase
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Identify Phase
63
Run the tracing algorithm of the underlying fingerprinting code on the half known to the content provider
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Dispute Phase
64
The accused theaters submit the other halves of the codewords (with proofs of validity)
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Dispute Phase
65
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSAC
Dispute Phase
66
The accused theaters submit the other halves of the codewords (with proofs of validity)
The judge also runs the tracing algorithm with a less restrict parameter on these halves
Weaker judge side parameter is to avoid accusation withdraw
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
RSACCommunication Optimal Tardos-Based Asymmetric Fingerprinting
67
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption bull Public key encryption scheme with the following properties
bull Suppose that the set of plaintexts ℳ is a ring
bull 119888 larr Encrypt(119901119896119898) 119888prime larr Encrypt(119901119896119898prime)
bull 1198881113568 larr 120228120271120250120261120242120270120262(119901119896 119888 119888prime) st
120227120254120252120267120274120265120269(119904119896 1198881113568) = 119898 + 119898prime
bull For α isin ℳ 1198881113569 larr 120228120271120250120261120242120252120250120261(119901119896 119888 α) st
120227120254120252120267120274120265120269(119904119896 1198881113569) = α119898
bull Applications Electronic Voting Private InformationRetrieval Mix-Net Oblivious Transfer Fingerprintinghellip
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Examples from Factoring
bull Goldwasser Micali (84)bull Plaintext space ℳ = Z2Zbull Ciphertext space ZNZ where N = 119901119902 is an RSA integer
bull Paillier (99)bull Plaintext space ℳ = ZNZbull Ciphertext space ZN1113569Z where N = 119901119902 is an RSA integer
bull Plaintext encoding
119898 isin ZNZ ↦ (1 + N)119898 equiv 1 + 119898N (mod N1113569)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
From DDH ElGamal ldquoin the exponentrdquo
bull Folklore message encoding 119898 isin 119821 ↦ 119892119898
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)
bull Decrypt(119901119896 119888) ∶ 11988811135691198881199091113568 = 119892119898 119898
bull 119898 must be small Can only do a bounded number ofhomomorphic operations
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119892119898) larr Encrypt(119901119896119898)bull (119888prime1113568 119888prime1113569) = (119892119903
prime ℎ119903prime119892119898prime ) larr Encrypt(119901119896119898prime)
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119892119898+119898prime )
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119892119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
120227120227120231 group with an easy 120227120235 subgroup
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull The 120227120235 problem is easy in F There exists 120242120264120261120271120254 adeterministic polynomial time algorithm st
120242120264120261120271120254(119901 119891 119891119909) 119909
bull The 120227120227120231 problem is hard in G even with access to the 120242120264120261120271120254algorithm
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Generic Linearly Homomorphic Encryption Scheme
bull ℳ = 119833119901119833
bull 119901119896 ∶ ℎ = 119892119909 119904119896 ∶ 119909 where 119892 has order 119899 = 119901119904 for an unknown 119904
bull 120228120263120252120267120274120265120269 ∶ 119888 = (1198881113568 1198881113569) = (119892119903 119891119898ℎ119903) where 119891 isin ⟨119892⟩ has order 119901
bull 120227120254120252120267120274120265120269 ∶ A larr 11988811135691198881199091113568 120242120264120261120271120254(119901 119891A) 119898
bull 120228120271120250120261120242120270120262 ∶
(1198881113568119888prime1113568 1198881113569119888prime1113569) = (119892119903+119903prime ℎ119903+119903prime119891119898+119898prime)
bull 120228120271120250120261120242120252120250120261 ∶
(119888α1113568 119888α1113569 ) = (119892119903α ℎ119903α119891119898α)
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
An Unsecure Instantiationbull 119901 a prime and G = ⟨119892⟩ = (1198331199011113569119833)times of order 119899 = 119901(119901 minus 1)bull 119891 = 1 + 119901 isin G F = ⟨119891⟩ = 1 + 119896119901 119896 isin Z119901Zbull 119891119898 = 1 + 119898119901bull There exist a unique (α 119903) isin (119833119901119833 (119833119901119833)times) such that119892 = 119891α119903119901
119892119901minus1113568 = 119891α(119901minus1113568) = 119891minusα
bull Public key ℎ = 119892119909
ℎ119901minus1113568 = 119891minusα119909 119909 mod 119901bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
119888119901minus11135681113568 = 119891minusα119903 119903 mod 119901
119888119901minus11135681113569 = 119891minusα119909119903minus119898 119898 mod 119901
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Partial Discrete Logarithm Problem
bull (G times) = ⟨119892⟩ a cyclic group of order 119899
bull 119899 = 119901119904 gcd(119901 119904) = 1
bull ⟨119891⟩ = F sub G subgroup of G of order 119901
bull Partial Discrete Logarithm (120239120227120235) Problem
Given X = 119892119909 compute 119909 mod 119901
bull The knowledge of 119904 makes the 120239120227120235 problem easy
119904 must be hidden or unknown
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Secure Instantiation
bull Bresson Catalano Pointcheval (03)
bull Let N be an RSA integer G = ⟨119892⟩ sub (119833N1113569119833)times
bull 119899 = Card(G) = N119904 with 119904 ∣ φ(N)
bull 119891 = 1 + N isin G F = ⟨119891⟩ = 1 + 119896N 119896 isin ZNZ of order N
bull Public key ℎ = 119892119909 119909 secret key
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898)
bull Based on 120227120227120231 in (119833N1113569119833)times and the Factorisation problem
bull The factorisation of N acts as a second trapdoor
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
DefinitionsImaginary Quadratic Fields
bull K = 119824(radicΔ1113692) Δ1113692 lt 0
bull Fundamental Discriminant
bull Δ1113692 equiv 1 (mod 4) square-free
bull Δ1113692 equiv 0 (mod 4) and Δ11136924 equiv 2 3 (mod 4) square-free
bull Non Fundamental Discriminantbull Δℓ = ℓ1113569Δ1113692bull ℓ is the conductor
Class Group of Discriminant Δ
bull Finite Group denoted C(Δ)bull Elements Equivalence classes of Idealsbull Class Number ℎ(Δ) asymp radic|Δ|
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
ElGamal in Class Group
bull Buchmann and Williams (88) Diffie-Hellman key exchangeand ElGamal
bull Duumlllmann Hamdy Moumlller Pohst Schielzeth Vollmer(90-07) Implementation
bull Size of Δ1113692 Index calculus algorithm to compute ℎ(Δ1113692) andDiscrete Logarithm in C(Δ1113692)
bull Security Estimates from Biasse Jacobson and Silvester (10)
bull Complexity conjectured L |11136551113718 |(12 119900(1))bull Δ119896 1348 bits as hard as factoring a 2048 bits RSA integer
bull Δ119896 1828 bits as hard as factoring a 3072 bits RSA integer
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Map between two Class Groups
bull Let Δ1113692 be a fondamental negative discriminant Δ1113692 ne minus3 minus4ℓ a conductor and Δℓ = ℓ1113569Δ1113692
bull There exists a surjective morphism denoted φℓ betweenC(Δℓ) and C(Δ1113692)
bull φℓ is effective can be computed if ℓ is known
bull Used by the 120237120232120226120228 cryptosystem by Paulus and Takagi (00)∆1113692 = minus119902 ∆119901 = minus1199021199011113569 119901 119902 primes 119901 is the trapdoor
bull C Laguillaumie (09)
In each non trivial class of ker φ119901 there exists an ideal of the
form 11140951199011113569119833 + 119887119901+radic11136551199011113569 1198331114098
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Outline
Linearly Homomorphic Encryption
Class Groups of Imaginary Quadratic Fields
New proposal
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A Subgroup with an Easy 120227120235 Problem
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4)
ℎ(Δ119901) = 119901 times ℎ(Δ1113692)
bull Let 119891 = 11140951199011113569119833 + 119901+radic11136551199011113569 1198331114098 isin C(Δ119901)
bull F = ker φ119901 = ⟨119891⟩ is of order 119901 and
119891119898 =⎡⎢⎢⎢⎢⎣1199011113569119833 +
[119898minus1113568 mod 119901]119901 + radicΔ1199012 119833
⎤⎥⎥⎥⎥⎦
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
A New Linearly Homomorphic Encryption Scheme
bull ∆1113692 = minus119901119902 ∆119901 = minus1199021199011113570 119901 119902 primes and 119901119902 equiv 3 (mod 4) and(119901119902) = minus1 119902 gt 4119901
bull Let 119892 be an element of C(Δ119901) ℎ = 119892119909 where 119909 secret key
bull 119892 has order 119901119904 for an unknown 119904|ℎ(Δ1113692)
bull (1198881113568 1198881113569) = (119892119903 ℎ119903119891119898) where 119891 has order 119901
bull Based on 120227120227120231 in C(Δ119901) (and the Class number problem)
bull Linearly homomorphic over 119833119901119833 where 119901 can be chosen(almost) independently from the security parameter
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Some Variants
bull Faster Variant most of the work in C(Δ1113692) (based on a nonstandard problem)
bull More general message spaces
bull 119833N119833 with N = prod119899119894=1113568 119901119894 with a discriminant of the form
Δ1113692 = minusN119902bull 119833119901119905119833 for 119905 gt 1 with discriminants of the form Δ119901119905 = 1199011113569119905Δ1113692
and Δ1113692 = minus119901119902
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Performance comparison
Cryptosystem Parameter Message Space Encryption (ms) Decryption (ms)Paillier 2048 bits modulus 2048 bits 28 28BCP03 2048 bits modulus 2048 bits 107 54
New Proposal 1348 bits 11136551113718 80 bits 93 49Fast Variant 1348 bits 11136551113718 80 bits 82 45Fast Variant 1348 bits 11136551113718 256 bits 105 68
Paillier 3072 bits modulus 3072 bits 109 109BCP03 3072 bits modulus 3072 bits 427 214
New Proposal 1828 bits 11136551113718 80 bits 179 91Fast Variant 1828 bits 11136551113718 80 bits 145 78Fast Variant 1828 bits 11136551113718 512 bits 226 159Fast Variant 1828 bits 11136551113718 912 bits 340 271
Timings performed with Sage and PARIGP
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
Linearly Homomorphic Encryption Class Groups of Imaginary Quadratic Fields New proposal
Linearly Homomorphic Encryption from 120227120227120231
Guilhem Castagnos1113568 Fabien Laguillaumie1113569
1113578 Universiteacute de BordeauxINRIA Bordeaux - Sud-Ouest - LFANT
Institut de Matheacutematiques de Bordeaux UMR 5251
1113579 Universiteacute Claude Bernard Lyon 1CNRSENSLINRIAUCBL LIP
Laboratoire de lrsquoInformatique du Paralleacutelisme
CT-RSA 2015
