02 Basics

This document summarizes a lecture on cryptographic protocols. It introduces basic concepts like pseudo-random numbers, groups, security parameters, and the random oracle model. It also covers number theory topics like fields, cyclic groups, the discrete logarithm problem, and the decisional Diffie-Hellman assumption. Finally, it discusses two common groups where the discrete logarithm and Diffie-Hellman problems are believed to be hard: the subgroup of quadratic residues modulo a safe prime, and a subgroup of prime order from the integers modulo a prime.

Cryptographic Protocols (CRYPROT)

Lecture 2 - April 22, 2021

Basics

Department of Computer Science | ENCRYPTO | Prof. Dr.-Ing. Thomas Schneider


Summary from Lecture 1: Basics

What we will need throughout this course…

• Pseudo-Random Bits and Numbers
• Groups
• Security Parameters
• Diffie-Hellman Key Exchange
• Commitments
• Coin Flipping
• Secret-Sharing Schemes
• Homomorphic Encryption

2
Structure of Today’s Lecture

- Introduction
- Basic Number Theory and Hardness Assumptions
- Basic Cryptographic Protocols

3
Security Parameters in Implementations

In general, a cryptographic system offers security level $\kappa$ if a general attack can be expected to
require effort approximately $2^{\kappa}$. $\kappa$ is called the computational (or symmetric) security parameter.

A statistical security parameter $\sigma$ says that even a computationally unbounded attacker can
succeed with probability at most $2^{-\sigma}$.

For implementations of cryptographic protocols, we usually set the following security parameters:
• Computational security parameter: 𝜅 = 128
• Statistical security parameter 𝜎 = 40

Details: [Lenstra04]

4
Pseudo-Random Numbers from Pseudo-Random Bits

Pseudo-Random Bit Generators (e.g., AES-CTR) produce a sequence of random bits.

For many cryptographic protocols, we need randomly chosen numbers $a \in_R \mathbb{Z}_r = \{0, \ldots, r-1\}$.

Let $m$ be the number of bits needed to represent $r - 1$.
• NEVER: Choose $x \in_R \{0,1\}^m$ and set $a = x \bmod r$. (not uniformly distributed)
• Better: Choose $a \in_R \{0,1\}^m$ until $a < r$. (not constant time)
• Best: The Simple Modular Method (e.g., specified in [NIST, §A.5.3]):
  Let $\sigma = 40$ be the statistical security parameter. Choose $x \in_R \{0,1\}^{m+\sigma}$ and set $a = x \bmod r$.

5
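The bias argument behind the three rules above can be made exact. The following Python is an added example (not from the lecture slides): it implements the three samplers and computes, in closed form, the worst-case deviation from uniform when a uniformly random k-bit integer is reduced mod r, first for k = m and then for k = m + σ. The modulus r = 1000 and the helper names are my own choices; σ = 40 is the slide's value.

```python
from fractions import Fraction
import secrets


def bits_for(r: int) -> int:
    """m = number of bits needed to represent r - 1, the largest element of Z_r."""
    return max(1, (r - 1).bit_length())


def naive_mod(r: int) -> int:
    """NEVER: take m random bits and reduce mod r (small residues are over-represented)."""
    return secrets.randbits(bits_for(r)) % r


def rejection_sampling(r: int) -> int:
    """Better: draw m random bits until the value is < r (uniform, but not constant time)."""
    while True:
        a = secrets.randbits(bits_for(r))
        if a < r:
            return a


def simple_modular(r: int, sigma: int = 40) -> int:
    """Best: Simple Modular Method. Draw m + sigma bits and reduce mod r.
    Always a single draw, and the bias is below 2^-sigma."""
    return secrets.randbits(bits_for(r) + sigma) % r


def max_bias(k: int, r: int) -> Fraction:
    """Exact worst-case deviation from uniform when a uniformly random k-bit integer x
    is reduced mod r: max over a in Z_r of |Pr[x mod r = a] - 1/r|.
    Counted in closed form (no enumeration of 2^k values), so k = m + 40 is fine."""
    n = 1 << k
    worst = Fraction(0)
    for a in range(r):
        # number of x in [0, n) with x mod r == a
        count = (n - 1 - a) // r + 1 if a < n else 0
        worst = max(worst, abs(Fraction(count, n) - Fraction(1, r)))
    return worst


if __name__ == "__main__":
    r = 1000                                   # constructed example modulus
    m = bits_for(r)
    print("bias with m bits        :", float(max_bias(m, r)))       # ~1e-3, easily detectable
    print("bias with m + 40 bits   :", float(max_bias(m + 40, r)))  # below 2^-40
    print("samples:", naive_mod(r), rejection_sampling(r), simple_modular(r))
```

The closed form works because reducing the n = 2^k values 0, ..., n-1 modulo r gives each residue either floor(n/r) or ceil(n/r) preimages, so the bias is at most 1/n = 2^-(m+σ) for the Simple Modular Method.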
The Random Oracle Model (ROM)

A random oracle (RO) is an oracle (i.e., a theoretical black box) that responds to every unique
query with a truly random response chosen uniformly at random from the output domain.
Querying the RO again on the same input yields the same output.

In practice, random oracles can then be instantiated with cryptographic hash functions.
Details in “Random Oracles are Practical: A Paradigm for Designing Efficient Protocols”
[BellareRogaway93].

Constructions that are proven secure in the Random Oracle Model (ROM) can make use of
such ROs and are often very efficient. Constructions in the Standard Model do not use ROs.

However, the ROM is controversial: there are counterexamples, i.e., constructions with a proof of
security in the ROM for which every instantiation of the RO by a concrete function results in an insecure scheme
(e.g., for signature and encryption schemes in [CanettiGH98]).
6
BASIC NUMBER THEORY & HARDNESS ASSUMPTIONS

More details: [KatzLindell, Chapter 7]


7
Groups

A group is a set $G$ together with an operation $\cdot : (a, b) \mapsto a \cdot b = ab$ that fulfils these group laws:
• Closure: $\forall a, b \in G: a \cdot b \in G$
• Associativity: $\forall a, b, c \in G: (a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Identity element: $\exists e \in G: e \cdot a = a = a \cdot e$ (easy to show: the identity element $e$ is unique)
• Inverse element: $\forall a \in G\ \exists a^{-1} \in G: a \cdot a^{-1} = e = a^{-1} \cdot a$, where $e$ is the identity element

We call $G$ a finite group if it has a finite number of elements $|G| = \mathrm{ord}(G)$, called its order.

Exponentiation in groups: $a^n = \underbrace{a \cdot \ldots \cdot a}_{n \text{ times}} = \begin{cases} (a^2)^{n/2}, & \text{if } n \text{ is even} \\ a \cdot (a^2)^{(n-1)/2}, & \text{if } n \text{ is odd} \end{cases}$

This can be computed efficiently using square-and-multiply: at most $2 \log_2 n$ group operations.

8
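Square-and-multiply as an added example (not code from the slides), written against an abstract group operation so that the number of group operations can be compared with the 2 log₂ n bound. The mod-p group and the 2×2 integer-matrix group used to exercise it are constructed for illustration; the function names are my own.

```python
def group_exp(a, n, mul):
    """Left-to-right square-and-multiply: compute a^n for n >= 1 using only the
    group operation `mul`. Returns (a^n, number of group operations used)."""
    if n < 1:
        raise ValueError("n must be a positive integer (a^0 is the identity)")
    result, ops = a, 0
    for bit in bin(n)[3:]:              # bits of n below the leading 1, most significant first
        result = mul(result, result)    # square: a^k -> a^(2k)
        ops += 1
        if bit == "1":
            result = mul(result, a)     # multiply: a^(2k) -> a^(2k+1)
            ops += 1
    return result, ops


def ops_bound(n):
    """Worst case: one squaring and one multiplication per bit below the leading one,
    i.e. 2 * floor(log2 n) <= 2 log2 n group operations."""
    return 2 * (n.bit_length() - 1)


def mod_mul(p):
    """Group operation of Z_p^* (multiplication modulo p)."""
    return lambda x, y: x * y % p


def mat2_mul(A, B):
    """Group operation of invertible 2x2 integer matrices. This group is non-commutative;
    square-and-multiply never relies on commutativity, only on associativity."""
    (a, b), (c, d) = A
    (e, f), (g, h) = B
    return ((a * e + b * g, a * f + b * h), (c * e + d * g, c * f + d * h))


if __name__ == "__main__":
    p = 2039                            # constructed small prime
    r, ops = group_exp(4, 1019, mod_mul(p))
    print(f"4^1019 mod {p} = {r} using {ops} group operations (bound {ops_bound(1019)})")
    fib, _ = group_exp(((1, 1), (1, 0)), 50, mat2_mul)   # Fibonacci numbers via matrix powers
    print("F(50) =", fib[0][1])
```

For n = 1019 = 1111111011₂ the loop does 9 squarings and 8 multiplications, 17 operations against the bound of 18; with p = 2039 = 2·1019 + 1 and 4 = 2² a quadratic residue, 4 has order 1019, so the result is 1.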
Fields

A field is a set $F$ together with two operations, addition and multiplication, satisfying these laws:
• Closure: $\forall a, b \in F: a + b \in F$ and $a \cdot b \in F$
• Commutativity: $\forall a, b \in F: a + b = b + a$ and $a \cdot b = b \cdot a$
• Associativity: $\forall a, b, c \in F: (a + b) + c = a + (b + c)$ and $(a \cdot b) \cdot c = a \cdot (b \cdot c)$
• Additive and multiplicative identities: $\exists 0 \in F: 0 + a = a = a + 0$ and $\exists 1 \in F: 1 \cdot a = a = a \cdot 1$
• Additive and multiplicative inverses: $\forall a \in F\ \exists (-a) \in F: a + (-a) = 0 = (-a) + a$ and
$\forall a \in F \setminus \{0\}\ \exists a^{-1} \in F: a \cdot a^{-1} = 1 = a^{-1} \cdot a$
• Distributivity of multiplication over addition: $\forall a, b, c \in F: a \cdot (b + c) = (a \cdot b) + (a \cdot c)$

In cryptography we use finite fields (also called Galois fields), i.e., fields with a finite number
of elements.
Example for a finite field: prime field $\mathbb{F}_p = GF(p) = \mathbb{Z}/p\mathbb{Z} = \mathbb{Z}_p = \{0, 1, \ldots, p-1\}$, where $p$ is prime
and the field operations are addition and multiplication modulo $p$.
9
Cyclic Groups
[Figure: the elements $g^0, g^1, g^2, \ldots$ of a cyclic group arranged in a circle]

A cyclic group is a group $G$ where all group elements are generated
by a generator $g$: $\forall a \in G\ \exists\, 0 \le i < q: a = g^i$.
We write $G = \langle g \rangle = \{g^0, g^1, \ldots, g^{q-1}\}$ and call $q := \mathrm{ord}(G)$ its order.

Example for a cyclic group:
• Multiplicative group of integers modulo prime $p$: $\mathbb{Z}_p^* = \{1, \ldots, p-1\}$, where $p$ is prime and the
group operation is multiplication modulo $p$. Here, $q = \mathrm{ord}(G) = \varphi(p) = p - 1$ since $p$ is prime.

In cryptography we prefer cyclic groups of prime order 𝒒:


• All group elements except the identity are generators.
• The group cannot be decomposed into smaller sub-groups to break assumptions more easily.
• All exponents can be inverted mod 𝑞 (needed in some cryptographic protocols).

10
Discrete Logarithm (DLOG)

Let $G$ be a cyclic group of order $q$ with generator $g$, i.e., $G = \langle g \rangle = \{g^0, g^1, \ldots, g^{q-1}\}$.
For every $h \in G$ there exists a unique $x \in \mathbb{Z}_q$ s.t. $h = g^x$.
We write $x = \log_g h$, i.e., $x$ is the discrete logarithm of $h$.
The discrete logarithm problem requires to compute the DLOG of a random group element.
Formally, the discrete logarithm problem is hard if
$\forall$ PPT algorithm $A$ $\exists$ negligible function negl s.t. $\Pr[\mathrm{DLog}_{A,\mathrm{Gen}}(n) = 1] \le \mathrm{negl}(n)$,
where the discrete logarithm experiment $\mathrm{DLog}_{A,\mathrm{Gen}}(n)$ is defined as follows:
1. $(G, q, g) = \mathrm{Gen}(1^n)$, where $G$ is a cyclic group of order $q$ (with $|q| = n$) and $g$ is a generator of $G$.
2. Choose $h \in_R G$. (This can be done by choosing $x' \in_R \mathbb{Z}_q$ and setting $h = g^{x'}$.)
3. $A$ is given $G, q, g, h$, and outputs $x \in \mathbb{Z}_q$.
4. The output of the experiment is defined to be 1 if $h = g^x$, and 0 otherwise.
The DLOG assumption is the assumption that there exists a $G$ for which the DLOG problem is
hard.
11
Decisional Diffie-Hellman (DDH)

The decisional Diffie-Hellman (DDH) problem is, given two randomly chosen group elements
$h_1 = g^x$ and $h_2 = g^y$, to distinguish $g^{xy}$ from a randomly chosen group element $g^z$.

We say that the DDH problem is hard if $\forall$ PPT algorithms $A$ $\exists$ negligible function negl s.t.
$\left| \Pr[A(G, q, g, g^x, g^y, g^z) = 1] - \Pr[A(G, q, g, g^x, g^y, g^{xy}) = 1] \right| \le \mathrm{negl}(n)$.

The DDH assumption is the assumption that there exists a $G$ for which the DDH problem is hard.

It is easy to show that the DDH assumption implies the DLOG assumption, so DDH is a stronger
assumption than DLOG.
(If DLOG is easy, then one can break DDH by computing $x = \log_g g^x$ and checking $g^z \stackrel{?}{=} (g^y)^x$.)

12
Groups where DDH and DLOG are believed to be hard (1)

Candidate groups where DDH and DLOG are believed to be hard:

A) Subgroup of quadratic residues modulo a safe prime $p$ (i.e., both $p$ and $q = \frac{p-1}{2}$ are prime):
Gen$(1^n)$:
1) generate $n$-bit safe prime $p$; $q = \frac{p-1}{2}$
2) choose $x \in_R \mathbb{Z}_p^* \setminus \{\pm 1\}$; $g = x^2 \bmod p$
3) return $(p, q, g)$

B) In practice (e.g., for $n = 2048$ and $\kappa = 128$), computations are more efficient if we use a
sub-group of $\mathbb{Z}_p^*$ of prime order $q$ with $|q| = 2\kappa$, $|p| = |g| = n$:
Gen$(1^n)$:
1) generate $2\kappa$-bit prime $q$; choose $r \in_R \{0,1\}^{n - 2\kappa}$ until $p = rq + 1$ is prime
2) choose $x \in_R \mathbb{Z}_p^*$ until $g = x^r = x^{(p-1)/q} \neq 1$
3) return $(p, q, g)$

13
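An added example (not the lecture's code) that implements Gen for variants A and B with toy parameters, checks that the returned g really has prime order q, and runs the reduction from slide 12 (if DLOG is easy, DDH is easy) by brute-force DLOG in a group small enough for that to be feasible. The constructed group p = 2039, q = 1019, g = 4 and all function names are my own. Trial-division primality testing is used because it is transparent; it is not how 2048-bit parameters are generated in practice.

```python
import secrets


def is_prime(n):
    """Deterministic trial division; adequate for the toy bit lengths used here."""
    if n < 2:
        return False
    if n % 2 == 0:
        return n == 2
    d = 3
    while d * d <= n:
        if n % d == 0:
            return False
        d += 2
    return True


def gen_safe_prime_group(n):
    """Variant A: n-bit safe prime p = 2q + 1 and g = x^2 mod p, a generator of QR(Z_p^*),
    the subgroup of prime order q."""
    while True:
        q = secrets.randbits(n - 1) | (1 << (n - 2)) | 1   # odd (n-1)-bit candidate, so p has n bits
        p = 2 * q + 1
        if is_prime(q) and is_prime(p):
            break
    x = secrets.randbelow(p - 3) + 2        # x in Z_p^* \ {±1} = {2, ..., p-2}
    return p, q, pow(x, 2, p)


def gen_prime_order_subgroup(n, kappa):
    """Variant B: 2*kappa-bit prime q, prime p = r*q + 1 of about n bits, g = x^r of order q."""
    qbits = 2 * kappa
    while True:
        q = secrets.randbits(qbits) | (1 << (qbits - 1)) | 1
        if is_prime(q):
            break
    while True:
        r = secrets.randbits(n - qbits) | (1 << (n - qbits - 1))   # top bit set to keep p near n bits
        p = r * q + 1
        if is_prime(p):
            break
    while True:
        x = secrets.randbelow(p - 1) + 1    # x in Z_p^*
        g = pow(x, r, p)                    # = x^((p-1)/q)
        if g != 1:                          # then g has order exactly q, because q is prime
            return p, q, g


def has_prime_order(g, q, p):
    """g generates a subgroup of prime order q iff g != 1 and g^q = 1 (mod p)."""
    return g != 1 and pow(g, q, p) == 1


def dlog_bruteforce(g, h, p, q):
    """Exhaustive search for x with g^x = h mod p; feasible only in toy groups."""
    acc = 1
    for x in range(q):
        if acc == h:
            return x
        acc = acc * g % p
    return None


def ddh_distinguisher(p, q, g, gx, gy, gz):
    """The reduction of slide 12: recover x from g^x, then test g^z == (g^y)^x."""
    x = dlog_bruteforce(g, gx, p, q)
    return pow(gy, x, p) == gz


if __name__ == "__main__":
    print("variant A:", gen_safe_prime_group(20))
    print("variant B:", gen_prime_order_subgroup(24, 4))
    P, Q, G = 2039, 1019, 4                  # constructed toy group
    x, y = 123, 456
    print("DDH tuple  :", ddh_distinguisher(P, Q, G, pow(G, x, P), pow(G, y, P), pow(G, x * y, P)))
    print("random z   :", ddh_distinguisher(P, Q, G, pow(G, x, P), pow(G, y, P), pow(G, x * y + 1, P)))
```

The distinguisher answers correctly with certainty here only because the group has 1019 elements; the whole point of the assumption is that in a 2048-bit group the `dlog_bruteforce` step is out of reach.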
Groups where DDH and DLOG are believed to be hard (2)

C) Elliptic curves: Set of points satisfying the equation $y^2 = x^3 + ax + b$ over a finite field $F$.

14
Recommended Key Sizes

Standardization bodies bring out recommendations for key sizes based on currently best known
cryptanalytic techniques.
Good overview:
https://www.keylength.com

Better use a conservative choice (large parameters) to be on the safe side!

15
BASIC CRYPTOGRAPHIC PROTOCOLS

16
Diffie-Hellman Key Exchange

Alice: $(G, q, g) = \mathrm{Gen}(1^n)$; $x \in_R \mathbb{Z}_q$; $h_1 = g^x$
Alice → Bob: $(G, q, g, h_1)$
Bob: $y \in_R \mathbb{Z}_q$; $h_2 = g^y$
Bob → Alice: $h_2$
Alice outputs $k_A = h_2^x$; Bob outputs $k_B = h_1^y$.

Correctness: $k_A = h_2^x = (g^y)^x = g^{yx} = g^{xy} = (g^x)^y = h_1^y = k_B$.

Security: If the DDH assumption holds in $G$, then the outputs $k_A = k_B$ are
indistinguishable from random group elements. Proof see [KatzLindell, Sect. 9.4].

17
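The exchange above as an added example (not code from the lecture), with both parties' messages and the transcript a passive observer sees. It uses a constructed toy group (p = 2039, q = 1019, g = 4, the quadratic-residue subgroup of prime order q); the `is_valid_share` check is an addition of mine, not on the slide: it rejects received values outside the order-q subgroup, which is the standard defensive measure so that a peer cannot force the key into a small subgroup.

```python
import secrets

# Constructed toy group (not from the slides): safe prime p = 2q + 1 with q prime;
# g = 4 = 2^2 generates the quadratic-residue subgroup QR(Z_p^*) of prime order q.
P, Q, G = 2039, 1019, 4


def is_valid_share(h, p=P, q=Q):
    """Added check (not on the slide): accept only elements of the order-q subgroup,
    i.e. 1 < h < p - 1 with h^q = 1 mod p. Rejects 0, ±1 and other small-order elements."""
    return 1 < h < p - 1 and pow(h, q, p) == 1


class Party:
    def __init__(self, name, p=P, q=Q, g=G, secret=None):
        self.name, self.p, self.q, self.g = name, p, q, g
        # exponent from Z_q; 0 is excluded so that the public share is never the identity
        self.secret = secrets.randbelow(q - 1) + 1 if secret is None else secret
        self.key = None

    def public_share(self):
        return pow(self.g, self.secret, self.p)            # h = g^secret mod p

    def derive(self, peer_share):
        if not is_valid_share(peer_share, self.p, self.q):
            raise ValueError(f"{self.name}: peer share is not in the prime-order subgroup")
        self.key = pow(peer_share, self.secret, self.p)    # k = h_peer^secret mod p
        return self.key


def diffie_hellman(alice, bob):
    """Run the exchange of slide 17; returns (k_A, k_B, transcript), where the transcript
    is everything an observer on the channel sees."""
    h1 = alice.public_share()
    msg1 = ("A->B", (alice.p, alice.q, alice.g, h1))       # (G, q, g, h_1)
    h2 = bob.public_share()
    msg2 = ("B->A", h2)                                    # h_2
    return alice.derive(h2), bob.derive(h1), [msg1, msg2]


if __name__ == "__main__":
    a, b = Party("Alice"), Party("Bob")
    ka, kb, transcript = diffie_hellman(a, b)
    print("transcript:", transcript)
    print("k_A == k_B:", ka == kb, "; key lies in the order-q subgroup:", pow(ka, Q, P) == 1)
```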
Commitment Schemes

A (non-interactive) commitment scheme is the digital analogue to a locked box.

Commit phase (Sender has input message $m$):
  Sender: choose random $r$; $c = \mathrm{Commit}(m, r)$
  Sender → Receiver: $c$
  Receiver: save $c$
Reveal phase:
  Sender → Receiver: $(m, r)$
  Receiver: accept if $c \stackrel{?}{=} \mathrm{Commit}(m, r)$

$c$ is called "commitment" and $(m, r)$ is called "opening" (or "de-commitment").

Properties:
1) Hiding (secrecy): Receiver is unable to obtain any information about 𝑚 from 𝑐.
2) Binding (unambiguity): Sender is unable to open 𝑐 to any other message 𝑚’ ≠ 𝑚.
18
Perfectly/Statistical/Computationally Hiding/Binding

A commitment scheme is called perfectly hiding if even a computationally unbounded receiver
cannot learn any information about $m$ from $c$.
It is called statistically (resp. computationally) hiding if a computationally unbounded (resp.
bounded) receiver can succeed with probability at most $2^{-\kappa}$.
Similarly, a commitment scheme is called perfectly binding if even a computationally
unbounded sender cannot open the commitment to a different message $m' \neq m$.
It is called statistically (resp. computationally) binding if a computationally unbounded
(resp. bounded) sender can succeed with probability at most $2^{-\kappa}$.
Theorem: A non-interactive commitment scheme can never be both perfectly hiding and
perfectly binding.
Proof: Assume the commitment scheme is perfectly binding. This means that for all $m' \neq m$ even
a computationally unbounded sender cannot open the commitment correctly. However, now a
computationally unbounded receiver can brute-force all possible values of $m$ to find the one for
which the commitment opens correctly. ⇒ not perfectly hiding.
19
Commitment in the Random Oracle Model

An efficient construction for a commitment scheme in the random oracle model is
$c = \mathrm{Commit}(m, r) = H(m \| r)$, for a cryptographic hash function $H: \{0,1\}^* \to \{0,1\}^{2\kappa}$, symmetric
security parameter $\kappa$, randomness $r \in_R \{0,1\}^{3\kappa}$, and message $m \in \{0,1\}^*$.

Theorem: This scheme is statistically hiding and computationally binding.

Proof (informal, see https://www.di.ens.fr/~pointche/enseignement/mpri2/td16.pdf and
https://people.eecs.berkeley.edu/~daw/teaching/cs276-s06/mtsol.ps for details):
Computationally binding: To break the binding property, the sender would need to find a
collision in $H$, which requires $O(2^{\kappa})$ queries due to the birthday paradox.
Statistically hiding: Given a commitment $c$, for either $m$ or $m'$, if the adversary tries all the
random coins ($2^{3\kappa}$ possibilities), on average $2^{3\kappa} / 2^{2\kappa} = 2^{\kappa}$ will lead to $c$.
This is just statistically hiding: there is always a negligible but non-zero probability that for some
$m, m'$, there is $r$ such that $c = H(m \| r)$, but for all $r'$: $c \neq H(m' \| r')$.

20
Pedersen Commitment in the Standard Model

The Pedersen commitment scheme works in the standard model (i.e., without random oracles):
Let $p = 2q + 1$ be a strong $n$-bit prime, $g$ be a random generator of $G = QR(\mathbb{Z}_p)$, and $h$ be a
random element of $G$.
$c = \mathrm{Commit}(m, r) = g^m h^r \bmod p$ for $m \in \mathbb{Z}_q$ and $r \in_R \mathbb{Z}_q^*$.

Theorem: The Pedersen commitment scheme is perfectly hiding and computationally binding if
the DLOG assumption holds in $G$.

Proof: The scheme is perfectly hiding, because $r \in_R \mathbb{Z}_q^*$, so $c$ is random in $G$, irrespective of $m$.
Binding: In order to open a commitment to a different message $m' \neq m$, the adversary would have to find
$g^m h^r = g^{m'} h^{r'} \bmod p$, which implies that $h = g^{(m - m')/(r' - r) \bmod q} \bmod p$.
Hence, the adversary would have computed the discrete log of $h$ to base $g$, which contradicts
the DLOG assumption because $h$ is randomly chosen.
21
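An added example (not the lecture's code) of the Pedersen commitment in a constructed toy group, p = 23, q = 11, g = 4, h = 9, small enough to check both properties exhaustively. `commitment_distribution` lists every value c takes as r ranges over Z_q, which is the whole group for every m (perfect hiding); `equivocate` runs the binding proof's reduction forward: given log_g h, which brute force finds here in 11 steps, a commitment opens to any other message, so binding holds exactly as far as DLOG is hard in G. One detail worth noting: the code draws r from all of Z_q, including 0, because with r restricted to Z_q^* (as the slide writes) c ranges over G without the single element g^m, so the exhaustive equality check below would not hold. All function names are mine.

```python
import secrets

# Constructed toy parameters (not from the slide): safe prime p = 2q + 1, so
# G = QR(Z_p^*) has prime order q; g = 4 = 2^2 and h = 9 = 3^2 are elements of G.
P, Q, G_, H = 23, 11, 4, 9


def pedersen_commit(m, r, p=P, q=Q, g=G_, h=H):
    """c = g^m h^r mod p with m, r in Z_q."""
    return pow(g, m % q, p) * pow(h, r % q, p) % p


def pedersen_open(c, m, r, p=P, q=Q, g=G_, h=H):
    """Receiver's check in the reveal phase."""
    return c == pedersen_commit(m, r, p, q, g, h)


def commit_random(m, q=Q):
    r = secrets.randbelow(q)        # r uniform in Z_q (see the lead-in on Z_q vs Z_q^*)
    return pedersen_commit(m, r), r


def commitment_distribution(m, p=P, q=Q, g=G_, h=H):
    """All values c takes for a fixed m as r ranges over Z_q. Perfect hiding means this
    is the whole group G, independent of m, so c carries no information about m."""
    return sorted(pedersen_commit(m, r, p, q, g, h) for r in range(q))


def dlog_bruteforce(g, h, p, q):
    """Exhaustive search for a with g^a = h mod p; feasible only in a toy group."""
    acc = 1
    for a in range(q):
        if acc == h:
            return a
        acc = acc * g % p
    return None


def equivocate(m, r, m2, p=P, q=Q, g=G_, h=H):
    """The binding proof run forward: if a = log_g h is known, a commitment to m with
    randomness r also opens to m2 with r2 = r + (m - m2) / a (mod q), because
    g^m h^r = g^(m + a r) = g^(m2 + a r2). Only feasible where DLOG is easy."""
    a = dlog_bruteforce(g, h, p, q)
    if not a:
        raise ValueError("h must be a non-identity element of <g>")
    return (r + (m - m2) * pow(a, -1, q)) % q


if __name__ == "__main__":
    c, r = commit_random(5)
    print("commit(5):", c, "opens to 5:", pedersen_open(c, 5, r), "opens to 6:", pedersen_open(c, 6, r))
    print("c-distribution for m=3:", commitment_distribution(3))
    print("c-distribution for m=7:", commitment_distribution(7))
    r2 = equivocate(3, 5, 7)
    print("log_4 9 mod 23 =", dlog_bruteforce(4, 9, 23, 11), "; Commit(3,5) == Commit(7,", r2, "):",
          pedersen_commit(3, 5) == pedersen_commit(7, r2))
```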
Coin Flipping

A two-party coin flipping protocol allows two parties to flip a coin, i.e., to agree on a randomly
chosen output bit.

A possible solution is as follows:

Alice: $m \in_R \{0,1\}$; choose random $r$; $c = \mathrm{Commit}(m, r)$
Alice → Bob: $c$
Bob: $m' \in_R \{0,1\}$
Bob → Alice: $m'$
Alice → Bob: $(m, r)$
Bob: abort if $c \neq \mathrm{Commit}(m, r)$
Alice outputs $b = m \oplus m'$; Bob outputs $b = m \oplus m'$.

22
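One added example (not code from the lecture) serving both slide 20 and slide 22: the random-oracle commitment c = H(m ‖ r) with SHA-256 standing in for H (2κ = 256 output bits, |r| = 3κ = 384 bits for κ = 128), and the coin-flipping protocol above built on it, including the abort branch. The `alice_cheats` switch models a sender who tries to open to the other bit after seeing m′, which the binding check stops; function names are mine.

```python
import hashlib
import hmac
import secrets

KAPPA = 128                      # symmetric security parameter (slide 4)
R_BYTES = 3 * KAPPA // 8         # |r| = 3*kappa bits
H = hashlib.sha256               # output length 2*kappa = 256 bits


def commit(m: bytes, r: bytes) -> bytes:
    """c = H(m || r). Because |r| is fixed, the split of m || r is unambiguous, so two
    different (m, r) pairs can only collide if H itself collides."""
    if len(r) != R_BYTES:
        raise ValueError("randomness must be exactly 3*kappa bits")
    return H(m + r).digest()


def commit_random(m: bytes):
    r = secrets.token_bytes(R_BYTES)
    return commit(m, r), r


def open_commitment(c: bytes, m: bytes, r: bytes) -> bool:
    """Receiver's check in the reveal phase, with a constant-time digest comparison."""
    return len(r) == R_BYTES and hmac.compare_digest(c, commit(m, r))


def coin_flip(alice_bit=None, bob_bit=None, alice_cheats=False):
    """Coin flipping of slide 22 on top of the commitment. Returns the agreed bit b,
    or None if Bob aborts because the opening does not match c. The bits default to
    fresh random choices; fixed values make a run deterministic."""
    m = secrets.randbelow(2) if alice_bit is None else alice_bit
    c, r = commit_random(bytes([m]))                             # Alice -> Bob: c
    m2 = secrets.randbelow(2) if bob_bit is None else bob_bit    # Bob -> Alice: m'
    if alice_cheats:
        m = 1 - m          # Alice tries to change her bit after seeing m'; binding stops her
    if not open_commitment(c, bytes([m]), r):                    # Alice -> Bob: (m, r)
        return None                                              # Bob: abort if c != Commit(m, r)
    return m ^ m2                                                # both output b = m xor m'


if __name__ == "__main__":
    c, r = commit_random(b"hello")
    print("commitment:", c.hex())
    print("opens to 'hello':", open_commitment(c, b"hello", r), "; to 'hellO':", open_commitment(c, b"hellO", r))
    print("coin flip:", coin_flip(), "; cheating Alice:", coin_flip(alice_cheats=True))
```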
Secret-Sharing Schemes

A $t$-out-of-$n$ secret-sharing scheme allows to split a secret $S$ into $n$ shares s.t. $S$ can be
recovered from any $t$ shares, whereas $t - 1$ shares leak no information about $S$:
Shr: $S \mapsto (s_1, \ldots, s_n)$
Rec: $(s'_1, \ldots, s'_t) \mapsto S'$
Correctness: $\forall S: \mathrm{Rec}(\mathrm{Shr}(S)) = S$.

Example for an $n$-out-of-$n$ secret-sharing scheme over $\{0,1\}^{\ell}$:
Shr: Choose $s_1, \ldots, s_{n-1} \in_R \{0,1\}^{\ell}$. Set $s_n = S \oplus s_1 \oplus \cdots \oplus s_{n-1}$.
Rec: $S' = s'_1 \oplus \cdots \oplus s'_n$.

23
Shamir’s Secret-Sharing Scheme

Shamir's $t$-out-of-$n$ secret-sharing scheme over finite field $F$
(e.g., a prime field $\mathbb{F}_p$ with prime $p > S$ and $p > n$) [Shamir79]:
Shr: Choose random polynomial $P$ of degree $(t-1)$ s.t. $P(0) = S$. Set $s_i = (i, P(i))$ for $1 \le i \le n$.
Rec: Interpolate unique polynomial $P'$ of degree $(t-1)$ through points $s'_1, \ldots, s'_t$. Set $S' = P'(0)$.

[Figure: 2-out-of-3 secret sharing of $S = 1$]

Interpolating a polynomial of degree $(t-1)$ through points $(x_1, y_1), \ldots, (x_t, y_t)$ can be done in
$O(t^2)$ via Lagrange Interpolation:

$$P(x) = \sum_{i=1}^{t} y_i \prod_{\substack{1 \le j \le t \\ j \neq i}} \frac{x - x_j}{x_i - x_j}$$

24
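An added example (not the lecture's code) covering both the XOR-based n-out-of-n scheme of slide 23 and Shamir's t-out-of-n scheme of slide 24, with Lagrange interpolation over a prime field implemented exactly as in the formula above. The field prime p = 2^61 − 1 is a constructed choice satisfying p > S and p > n for the values used; function names are mine.

```python
import secrets


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def xor_share(secret: bytes, n: int):
    """n-out-of-n sharing over {0,1}^l: s_1..s_{n-1} random, s_n = S xor s_1 xor ... xor s_{n-1}."""
    shares = [secrets.token_bytes(len(secret)) for _ in range(n - 1)]
    last = secret
    for s in shares:
        last = xor_bytes(last, s)
    return shares + [last]


def xor_reconstruct(shares):
    out = bytes(len(shares[0]))
    for s in shares:
        out = xor_bytes(out, s)
    return out


PRIME = 2 ** 61 - 1   # constructed prime field F_p; p > S and p > n for everything used here


def shamir_share(secret: int, t: int, n: int, p: int = PRIME):
    """Shr: random polynomial P of degree t-1 with P(0) = S; share i is (i, P(i))."""
    coeffs = [secret % p] + [secrets.randbelow(p) for _ in range(t - 1)]

    def poly(x):
        acc = 0
        for c in reversed(coeffs):          # Horner evaluation modulo p
            acc = (acc * x + c) % p
        return acc

    return [(i, poly(i)) for i in range(1, n + 1)]


def lagrange_eval(points, x: int, p: int = PRIME) -> int:
    """Evaluate the unique polynomial of degree t-1 through t points at x using
    P(x) = sum_i y_i * prod_{j != i} (x - x_j) / (x_i - x_j): O(t^2) field operations."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if j != i:
                num = num * (x - xj) % p
                den = den * (xi - xj) % p
        total = (total + yi * num * pow(den, -1, p)) % p   # division = multiply by inverse mod p
    return total


def shamir_reconstruct(shares, t: int, p: int = PRIME) -> int:
    """Rec: interpolate P' through any t shares and return S' = P'(0)."""
    if len(shares) < t:
        raise ValueError("need at least t shares")
    if len({x for x, _ in shares[:t]}) < t:
        raise ValueError("share indices must be distinct")
    return lagrange_eval(shares[:t], 0, p)


if __name__ == "__main__":
    s = b"constructed secret"
    print("xor 3-of-3 round trip:", xor_reconstruct(xor_share(s, 3)) == s)
    shares = shamir_share(1, 2, 3)               # the slide's 2-out-of-3 sharing of S = 1
    print("shares:", shares)
    print("from shares 1,3:", shamir_reconstruct([shares[0], shares[2]], 2))
```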
Homomorphic Encryption (HE)

A homomorphic encryption scheme allows to compute on encrypted data:
$[x] := \mathrm{Enc}_{pk}(x)$, plaintext space $P$
$\forall x, y \in P: [x] \odot [y] = [x \circ y]$

Example HE schemes that are semantically secure:
• $+$: [Paillier99], [DamgårdJurik01], [DamgårdGK07], ...
• $+$, $1\times$: [BonehGN05], [GentryHV10], ...
• $+$, $\times$: [Gentry09], [SmartVercauteren10], [vanDijkGHV10], ...

25
Examples for Homomorphic Encryption Schemes

Multiplicatively homomorphic encryption:
• $[x] \odot [y] = [x \cdot y]$ (multiply under encryption)
  ⇒ $[x]^a = [x^a]$ (exponentiate with a non-encrypted constant $a$ under encryption)
• RSA [RSA78]: $c_1 = x_1^e \bmod N$, $c_2 = x_2^e \bmod N$,
  $c_1 \cdot c_2 \bmod N = x_1^e \cdot x_2^e \bmod N = (x_1 x_2)^e \bmod N$
• ElGamal [ElGamal84]: $c_1 = (g^{r_1};\ x_1 h^{r_1})$, $c_2 = (g^{r_2};\ x_2 h^{r_2})$, $c_1 \cdot c_2 = (g^{r_1 + r_2};\ x_1 x_2 h^{r_1 + r_2})$

Additively homomorphic encryption:
• $[x] \boxplus [y] = [x + y]$ (add under encryption)
  $a \cdot [x] = [ax]$ (multiply with a non-encrypted constant $a$ under encryption)
• Paillier [Paillier99]: $c_1 = g^{x_1} r_1^N \bmod N^2$, $c_2 = g^{x_2} r_2^N \bmod N^2$,
  $c_1 \cdot c_2 \bmod N^2 = g^{x_1 + x_2} (r_1 r_2)^N \bmod N^2$

26
Secure Two-Party Computation using Homomorphic Encryption

Alice (input: private data $x$)                              Bob (input: private data $y$)
Alice → Bob: $pk, [x]$
Bob: $[z] = f([x], y)$ (restricted to specific homomorphic operation(s))
Bob → Alice: $[z]$
Alice: output $z$

27
Interactive Multiplication using Additively Homomorphic Encryption

Mask must statistically hide the value, i.e., $|r_x| = |x| + \sigma$, where $\sigma = 40$ is the statistical security parameter.

Input: $[x], [y]$
choose random $r_x, r_y$; $\bar{x} = [x] \boxplus r_x$; $y' = [y] \boxplus r_y$
→ send $\bar{x}, y'$
other party: $\bar{z} = \bar{x} \ast y'$ (computed on the decrypted, blinded values)
← send $[\bar{z}]$
Output: $[x \ast y] = [\bar{z}] \boxplus [-r_y \bar{x}] \boxplus [-r_x y'] \boxplus [-r_x \ast r_y]$

Security (informal):
• Bob sees only homomorphically encrypted ciphertexts
(learns no information due to semantic security of HE scheme)
• Alice sees only statistically blinded values
28
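One added example (not code from the lecture) for slide 26 and slide 28 together: a textbook Paillier implementation exposing the two homomorphic operations ⊞ and a·[x], and the interactive multiplication protocol run on top of it. Following the slide's security bullets, the party that only ever sees ciphertexts (Bob) masks and unmasks, and the key holder (Alice) decrypts the blinded values, multiplies and re-encrypts; this role assignment is my reading of the slide. The key uses two known Mersenne primes (2^61 − 1 and 2^89 − 1) as a constructed toy key, sized so nothing wraps modulo n; the 40-bit statistical mask is the slide's σ. One caveat the assertion below checks: since z̄ = (x + r_x)(y + r_y), subtracting r_y·x̄ and r_x·y′ cancels the cross terms but removes r_x r_y twice, so the final constant term must be added back as +[r_x·r_y]; the slide's output line as extracted above writes it with a minus sign.

```python
import math
import secrets

# Constructed toy key (not from the slides): two known Mersenne primes, n = p*q ~ 2^150,
# comfortably larger than any intermediate value in the protocol below.
P1, Q1 = 2 ** 61 - 1, 2 ** 89 - 1


class PaillierPublicKey:
    def __init__(self, n):
        self.n, self.n2, self.g = n, n * n, n + 1        # g = n + 1 is the standard choice

    def encrypt(self, m, r=None):
        """[m] = g^m * r^n mod n^2 with r random in Z_n^*."""
        if r is None:
            r = secrets.randbelow(self.n - 1) + 1
            while math.gcd(r, self.n) != 1:
                r = secrets.randbelow(self.n - 1) + 1
        return pow(self.g, m % self.n, self.n2) * pow(r, self.n, self.n2) % self.n2

    def add(self, c1, c2):
        """[x] ⊞ [y] = [x + y]: multiply ciphertexts modulo n^2."""
        return c1 * c2 % self.n2

    def mul_const(self, c, a):
        """a · [x] = [a x]: exponentiate by the plaintext constant (negative a reduced mod n)."""
        return pow(c, a % self.n, self.n2)


class PaillierPrivateKey:
    def __init__(self, p, q):
        self.pk = PaillierPublicKey(p * q)
        self.lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)    # lambda = lcm(p-1, q-1)
        self.mu = pow(self._L(pow(self.pk.g, self.lam, self.pk.n2)), -1, self.pk.n)

    def _L(self, u):
        return (u - 1) // self.pk.n

    def decrypt(self, c):
        return self._L(pow(c, self.lam, self.pk.n2)) * self.mu % self.pk.n

    def decrypt_signed(self, c):
        """Plaintexts above n/2 are negative integers reduced modulo n."""
        m = self.decrypt(c)
        return m - self.pk.n if m > self.pk.n // 2 else m


# Interactive multiplication (slide 28). Bob holds [x], [y] under Alice's key and never
# sees a plaintext; Alice sees only the statistically blinded values x + r_x and y + r_y.
def bob_mask(pk, cx, cy, value_bits, sigma=40):
    """Masks r_x, r_y have |x| + sigma bits so that x + r_x statistically hides x."""
    rx, ry = secrets.randbits(value_bits + sigma), secrets.randbits(value_bits + sigma)
    xbar = pk.add(cx, pk.encrypt(rx))       # x̄ = [x] ⊞ r_x
    ybar = pk.add(cy, pk.encrypt(ry))       # y' = [y] ⊞ r_y
    return xbar, ybar, rx, ry


def alice_multiply(sk, xbar, ybar):
    """z̄ = x̄ · y' on the decrypted (blinded) values; returns [z̄]."""
    return sk.pk.encrypt(sk.decrypt(xbar) * sk.decrypt(ybar) % sk.pk.n)


def bob_unmask(pk, czbar, xbar, ybar, rx, ry):
    """[x·y] = [z̄] ⊞ (−r_y)·x̄ ⊞ (−r_x)·y' ⊞ [r_x·r_y].
    z̄ = xy + x r_y + r_x y + r_x r_y; the two scalar products cancel the cross terms
    but subtract r_x r_y twice, so it is added back once."""
    c = pk.add(czbar, pk.mul_const(xbar, -ry))
    c = pk.add(c, pk.mul_const(ybar, -rx))
    return pk.add(c, pk.encrypt(rx * ry))


def interactive_multiply(sk, x, y, value_bits=16):
    """Full run; the result is decrypted only to check it."""
    pk = sk.pk
    cx, cy = pk.encrypt(x), pk.encrypt(y)
    xbar, ybar, rx, ry = bob_mask(pk, cx, cy, value_bits)     # Bob -> Alice: x̄, y'
    czbar = alice_multiply(sk, xbar, ybar)                     # Alice -> Bob: [z̄]
    return sk.decrypt(bob_unmask(pk, czbar, xbar, ybar, rx, ry))


if __name__ == "__main__":
    sk = PaillierPrivateKey(P1, Q1)
    print("[7] ⊞ [5] ->", sk.decrypt(sk.pk.add(sk.pk.encrypt(7), sk.pk.encrypt(5))))
    print("(-3)·[7]  ->", sk.decrypt_signed(sk.pk.mul_const(sk.pk.encrypt(7), -3)))
    print("1234 * 5678 via the protocol ->", interactive_multiply(sk, 1234, 5678))
```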
Fully Homomorphic Encryption

Fully Homomorphic Encryption (FHE) allows arbitrary computations under encryption with
minimal interaction, but is still relatively expensive:
• [SmartVercauteren10]:
3.5s to encrypt 1 bit for up to 2 multiplications under encryption
• [BosLN14]:
39ms / 5s for encrypted polynomial multiplication (depending on parameters)
• Gentry 2017 (https://www.maths.ox.ac.uk/system/files/attachments/FHE1.pptx):
8ms per AND gate using HElib [HaleviShoup14]

29
How to measure efficiency of a cryptographic protocol

• Runtime (depends on implementation & scenario)
• Communication
  • # bits sent (important for networks with low bandwidth)
  • # rounds (important for networks with high latency)
• Computation
  • Usually: count # crypto operations, e.g.,
    • # modular exponentiations
    • # point multiplications
    • # hash function evaluations (SHA)
    • # block cipher evaluations (AES)
    • # one-time pad evaluations
    (the last three are faster)
  • But also non-cryptographic operations do matter!

30
Standard Software

- GMP (GNU Multiple Precision Arithmetic Library): for large integers, https://gmplib.org
- OpenSSL: for secure channels, certificates, etc., https://www.openssl.org
- MIRACL (Multiprecision Integer and Rational Arithmetic C Library): for elliptic curve crypto,
  https://github.com/miracl/MIRACL
- HElib [HaleviShoup14]: for homomorphic encryption, https://github.com/shaih/HElib
- Microsoft SEAL Library: for homomorphic encryption, https://github.com/Microsoft/SEAL

31
Bibliography (1)

[BellareRogaway93] M. Bellare, P. Rogaway: Random Oracles are Practical: A Paradigm for
Designing Efficient Protocols. In ACM CCS'93.
[BonehGN05] D. Boneh, E. Goh, K. Nissim: Evaluating 2-DNF Formulas on Ciphertexts. In TCC'05.
[BosLN14] J. Bos, K. Lauter, M. Naehrig: Private Predictive Analysis on Encrypted Medical Data.
In Journal of Biomedical Informatics, Volume 50, 2014.
[CanettiGH98] R. Canetti, O. Goldreich, S. Halevi: The Random Oracle Methodology, Revisited.
In STOC'98.
[DamgårdGK07] I. Damgård, M. Geisler, M. Krøigaard: Efficient and Secure Comparison for On-Line
Auctions. In ACISP'07.
[DamgårdJurik01] I. Damgård, M. Jurik: A Generalisation, a Simplification and some Applications
of Paillier's Probabilistic Public-Key System. In PKC'01.
[ElGamal84] T. ElGamal: A Public-Key Cryptosystem and a Signature Scheme Based on Discrete
Logarithms. In CRYPTO'84.
[Gentry09] C. Gentry: Fully Homomorphic Encryption using Ideal Lattices. In STOC'09.

32
Bibliography (2)

[GentryHV10] C. Gentry, S. Halevi, V. Vaikuntanathan: A Simple BGN-Type Cryptosystem from
LWE. In EUROCRYPT'10.
[HaleviShoup14] S. Halevi, V. Shoup: Algorithms in HElib. In CRYPTO'14.
[KatzLindell] J. Katz, Y. Lindell: Introduction to Modern Cryptography. 2014.
[Lenstra04] A. Lenstra: Key Lengths. In The Handbook of Information Security. 2004.
[NIST] E. Barker, J. Kelsey: Recommendation for Random Number Generation Using
Deterministic Random Bit Generators, 2015. http://dx.doi.org/10.6028/NIST.SP.800-90Ar1
[Paillier99] P. Paillier: Public-Key Cryptosystems Based on Composite Degree Residuosity
Classes. In EUROCRYPT'99.
[RSA78] R. Rivest, A. Shamir, L. Adleman: A Method for Obtaining Digital Signatures and Public-Key
Cryptosystems. In CACM'78.
[Shamir79] A. Shamir: How to Share a Secret. In CACM'79.
[SmartVercauteren10] N. Smart, F. Vercauteren: Fully Homomorphic Encryption with Relatively
Small Key and Ciphertext Sizes. In PKC'10.

33
Bibliography (3)

[vanDijkGHV10] M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan: Fully Homomorphic
Encryption over the Integers. In EUROCRYPT'10.

34
THANKS FOR YOUR ATTENTION!

35
