WO2015078533A1 - Method and system for encrypting data - Google Patents


Info

Publication number
WO2015078533A1
Authority
WO
WIPO (PCT)
Prior art keywords
key
data
secret key
public key
encrypted data
Application number
PCT/EP2013/075164
Other languages
French (fr)
Inventor
Sebastian Gajek
Oezguer DAGDELEN
Florian GOEPFERT
Original Assignee
Nec Europe Ltd.
Application filed by Nec Europe Ltd.
Priority to PCT/EP2013/075164
Publication of WO2015078533A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 9/00 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols
    • H04L 9/008 Cryptographic mechanisms or cryptographic arrangements for secret or secure communications; Network security protocols involving homomorphic encryption
    • H04L 9/30 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy
    • H04L 9/3006 Public key, i.e. encryption algorithm being computationally infeasible to invert or user's encryption keys not requiring secrecy; underlying computational problems or public-key parameters

Abstract

The present invention relates to a method for encrypting data, preferably a message, using an asymmetric encryption scheme, comprising the steps of a) Providing a first public key/secret key pair based on a first security parameter, b) Encrypting the data with the first public key, c) Generating an update key and a second public key/secret key pair based on a second security parameter and based on the first public key/secret key pair, and d) Patching the encrypted data with the generated update key to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.

Description

METHOD AND SYSTEM FOR ENCRYPTING DATA
The present invention relates to a method for encrypting data, preferably a message, using an asymmetric encryption scheme.
The present invention further relates to a system for encrypting data, preferably a message, using an asymmetric encryption scheme, preferably for performing a method according to one of the claims 1-13.
The present invention even further relates to a use of a method according to one of the claims 1 -13.
Although applicable in general to any asymmetric encryption scheme the present invention will be described with regard to public key/secret key pair encryption.
Asymmetric encryption schemes or methods, in particular public key/secret key encryption, enable a party holding the public key to conceal a message in such a way that the plaintext is intelligible only to a party in possession of the secret key. The security of such an encryption system is proven by giving a polynomial-time black-box reduction to an intractability problem which is assumed to be unsolvable with existing computational resources.
For instance it can be shown that the El Gamal encryption scheme reduces to the decisional Diffie-Hellman problem. The running time of such a black-box adversary against the encryption system is related, through the reduction, to the hardness of breaking the assumption for a given security parameter. Suppose that the decisional Diffie-Hellman problem requires time O(2^80) for a security parameter of 160 bit; then breaking the El Gamal system requires roughly the same time O(2^80), as the reduction is tight. Therefore, the choice of the security parameter is crucial for adjusting the desired security level: it fixes the security of the overall system once and for the lifetime of the overall encryption system. Due to the advances in computing power a security parameter which seemed sufficient 20 years ago might not be sufficient to preserve security nowadays: for example, private long-term data preservation and archiving, or more generally data privacy, is required in the presence of an all-powerful eavesdropper that has more computational resources than expected at the time the security parameter was chosen.
In many countries legislative regulations demand that data is backed up and preserved for decades, up to 25 years. To provide security, highly sensitive data is encrypted with respect to a conservatively scaled security parameter, for example 4096-bit RSA encryption, and the encryption system is expected to withstand any present and future adversary. However, significant progress, for example in complexity theory or in available computational resources, may nevertheless allow a decryption of the data.
It is therefore an objective of the present invention to provide a method and a system for encrypting and/or decrypting data providing a very strong security and guaranteeing robustness against all-powerful adversaries. It is a further objective of the present invention to provide a method and a system for encrypting and/or decrypting data which are robust against cryptanalysis or brute-force attacks.
It is an even further objective of the present invention to provide a method and a system for encrypting and/or decrypting data being flexible in terms of hardness, in particular in rescaling the hardness.
The aforementioned objectives are accomplished by a method for encrypting data according to claim 1, a method for decrypting data according to claim 14, a system for encrypting data according to claim 15 and a use according to claim 16.
In claim 1 a method for encrypting data, preferably a message, using an asymmetric encryption scheme, is defined. According to claim 1 the method is characterized by the steps of a) Providing a first public key/secret key pair based on a first security parameter,
b) Encrypting the data with the first public key,
c) Generating an update key and a second public key/secret key pair based on a second security parameter and based on the first public key/secret key pair, and
d) Patching the encrypted data with the generated update key to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.
In claim 14 a method for decrypting data, preferably a message, using an asymmetric encryption scheme is defined.
According to claim 14 the method is characterized in that decryption of encrypted data encrypted with a method according to one of the claims 1 -13 is performed based on the actual secret key in the last round and the encrypted data.
In claim 15 a system for encrypting data, preferably a message, using an asymmetric encryption scheme, preferably for performing a method according to one of the claims 1-13, is defined.
According to claim 15 the system is characterized by
key generating means operable to provide a first public key/secret key pair based on a first security parameter,
encryption means operable to encrypt the data with the first public key,
update key generating means operable to generate an update key and a second public key/secret key pair based on a second security parameter and based on the first public key/secret key pair, and
patching means operable to patch the encrypted data with the generated update key to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.
According to claim 16 a use of a method according to one of the claims 1-13 for increasing the confidentiality of existing encrypted data is defined.
According to the invention it has been recognized that the encrypted data is secure against post-quantum attacks, safeguarding a long-term security.
According to the invention it has been further recognized that hardness can be rescaled by publicly - without any trust assumptions - updating ciphertexts without trivially re-encrypting the message plaintext.
According to the invention it has been further recognized that fall-back security is provided even if one of the underlying hardness assumptions is broken.
According to the invention it has been further recognized that a stronger security and robustness is guaranteed against side-channel adversaries.
According to the invention it has been further recognized that computational resources can be saved: with regard to the scalability of the security parameter, conventional techniques require re-encrypting the whole data with regard to a larger or "better" security parameter guaranteeing a higher level of security. However, such an update is problematic, as it requires the updating party to be trusted, and there are many situations where a trusted update is impossible or hard to achieve. Such an update, in particular in case of large amounts of encrypted data, also requires a high bandwidth, as all data has to be retrieved, decrypted, re-encrypted and transferred back, for example to the cloud. In contrast, the present invention does not require retrieving, decrypting and re-encrypting the data, since the ciphertexts are blindly refreshed, and such an update may also occur without any trust assumptions.
According to the invention it has been further recognized that encrypted data is upscaled by applying the update key to the already encrypted data, thus providing a higher level of security.
To summarize, in other words, the present invention of claim 1 and claims 14-16 is completely different from the conventional technique: as mentioned before, a security parameter scales how "hard" it is to break the encryption scheme. The present invention provides an update mechanism to gradually increase the entropy of a ciphertext. For example, when a message is encrypted with respect to a security parameter and at some point in time this security parameter is no longer believed to assure a sufficient security level, then the update mechanism may boost security without decrypting the message plaintext. The present invention provides enhanced security: even if one of the underlying hardness assumptions is broken, the other "wingman" problem backs up the encryption of the data and ensures security of the encrypted data.
Further features, advantages and preferred embodiments are described in the following subclaims.
According to a preferred embodiment a round of steps b)-d) is performed at least twice, wherein in each round different security parameters are used. This further increases the security level of the encrypted data: by performing further "updates" of the already encrypted data, the encrypted data gains more entropy, and thus a higher level of security against adversaries is achieved, upscaling the security of the encryptions.
According to a further preferred embodiment step d) is performed such that the size of the patched encrypted data is compact and/or constant in size, compared with the unpatched encrypted data. Therefore the storage size for the encrypted data is not increased which is in contrast to conventional encryption methods: For example when a message is encrypted with encryption scheme A provably secure under assumption A' and the obtained ciphertext is encrypted with encryption scheme B provably secure under assumption B' then the size of the encrypted data increases with each applied encryption.
According to a further preferred embodiment the generation of the second public key and/or secret key is performed such that the length of the second public key and/or secret key compared with the first public key and/or first secret key is compact. This saves memory, since the updated second keys have at least the same length with regard to the first public key/secret key pair.
According to a further preferred embodiment the generation of the public key/secret key pair and/or the encryption of the data is performed computationally parallelized. This enables a faster encryption and/or decryption on present multicore computers in particular.
According to a further preferred embodiment, for providing a secret key, the secret key is sampled from an n-dimensional probability distribution function defined over an algebraic structure having even order with an RSA modulus. When the secret key is sampled from an n-dimensional distribution function, for example a discrete n-dimensional Gaussian distribution, then the secret key can be provided in an efficient and easy manner.
According to a further preferred embodiment the algebraic structure is provided in form of a group, preferably a multiplicative group, or a ring, preferably a polynomial ring. When for example the algebraic structure is provided in form of a ring, then the public key length is of the order O(n) instead of O(nm), and O(n) instead of O(nm) group multiplications are required to generate the ciphertext, i.e. to encrypt a message, due to the use of vectors of dimension n instead of corresponding matrices of dimension n×m.
According to a further preferred embodiment, for encrypting the data a vector is sampled from an n-dimensional probability distribution function and an error term is sampled from the corresponding one-dimensional probability distribution function, wherein a first part and a second part of the encrypted data are based on the sampled vector, and wherein the second part is also based on the sampled error term scaled with an error scaling factor. This allows to easily provide the ciphertext, i.e. the encrypted message, without requiring more computational resources than needed to ensure security of the ciphertext.
According to a further preferred embodiment the probability distribution function is provided in form of a Gaussian distribution function or a uniform distribution function. When using a Gaussian distribution function the entropy of the output ciphertext is increased, whereas when using a uniform distribution function the sampling of the vector, the error term, etc. can be performed much faster.
According to a further preferred embodiment the update key is generated based on sampled vectors of an n-dimensional probability distribution function, preferably the same distribution function used for encrypting the data, and a matrix sampled according to a second distribution function, preferably the uniform distribution function. When preferably the same distribution function is used for generating the update key, computational resources as well as implementation effort can be saved, since already implemented distribution functions can be reused when providing the update key.
According to a further preferred embodiment, in case of data in form of a bit and the lowest possible error scaling factor, an auxiliary variable based on the second part and on the secret key, raised to the power of the order of the algebraic structure divided by the lowest possible error scaling factor, is calculated based on Jacobi symbols. This allows an efficient implementation, since the auxiliary variable is based on Jacobi symbols, resulting in a significant speed-up when encrypting the bit. Jacobi symbols are defined as a product over one or more Legendre symbols, wherein a Legendre symbol allows deciding whether an element of an algebraic structure is a quadratic residue modulo the prime order of the algebraic structure. Therefore Legendre symbols may take the values -1, 1 and 0 indicating the respective decision.
According to a further preferred embodiment the error scaling factor is determined based on the length of the message to be encrypted. This allows adapting the encryption scheme to the length of the message, thus enhancing flexibility and providing an efficient encryption.
According to a further preferred embodiment the public key is based on the secret key, an error scaling factor and a further vector sampled from the n-dimensional probability distribution function. This ensures a fast and efficient generation of the public key for a corresponding secret key.
There are several ways how to design and further develop the teaching of the present invention in an advantageous way. To this end it is to be referred to the patent claims subordinate to patent claim 1 on the one hand and to the following explanation of preferred embodiments of the invention by way of example, illustrated by the figures, on the other hand. In connection with the explanation of the preferred embodiments of the invention by the aid of the figures, generally preferred embodiments and further developments of the teaching will be explained. In the drawings
Fig. 1 shows steps of a method according to a first embodiment of the present invention; and
Fig. 2 shows a system according to a second embodiment of the present invention.
Fig. 1 shows steps of a method according to a first embodiment of the present invention.
In detail in Fig. 1 steps for encrypting data are shown.
In a first step S1 a first public key/secret key pair PK0, SK0 based on a first security parameter 1^κ0 is provided.
In a second step S2 the data is encrypted with the first public key PK0.
In a third step S3 an update key UK0 and a second public key/secret key pair PK1, SK1 are generated based on a second security parameter 1^κ1 and based on the first public key/secret key pair PK0, SK0. In a fourth step S4 the encrypted data is patched with the generated update key UK0 to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.
In detail the first step S1 may be implemented in the following way:
A composite modulus $N = pq$ may be chosen with $p, q$ being odd primes. Further a group $G$ is defined to be the multiplicative group $\mathbb{Z}_N^*$, such that the order $\mathrm{ord}(G) = (p-1)(q-1)$ of the group $G$ is even. Further $g$ may be a generator of the group $G$. Then a scalar $\chi$ is selected to be $\chi = \mathrm{ord}(G)/t$, where $t$ is a scalar satisfying $1 < t < \mathrm{ord}(G)$.
Further a discrete Gaussian distribution $\Psi$ over $\mathbb{Z}_N$ is chosen. Then the secret key $SK_0 = s$ is sampled from $\Psi^n$ and the public key $PK_0$ is set equal to $(G, g, g^{A}, g^{As + tx})$ for a chosen independent matrix $A \in \mathbb{Z}_N^{n \times m}$ and a vector $x$ sampled from $\Psi^n$. Therefore $tx$ represents an error vector scaled with the error scaling factor $t$; in the following $b = As + tx$ denotes the exponent of the last component of the public key. Thus, $PK_0$ and $SK_0$ are provided.
In detail, the second step S2 may be implemented in the following way:
To encrypt a message $m \in \mathbb{Z}_{\mathrm{ord}(G)}$, a vector $r$ is sampled from an n-dimensional probability distribution function, preferably from $\Psi^n$, and an error term $e$ is sampled from the corresponding one-dimensional probability distribution function $\Psi$. Then the ciphertext $C = (c_0, c_1)$ is given by $c_0 = g^{u} = g^{Ar}$ and $c_1 = g^{v} = g^{br + te} \cdot g^{m}$.
In detail, the third step S3 may be implemented in the following way:
To perform the third step S3, i.e. to update the public key/secret key pair of the previous round (here $PK_0, SK_0$, or more generally $PK_{i-1}, SK_{i-1}$ for a round $i$), vectors $s'$, $x'$ and $r'$ are sampled from the n-dimensional probability distribution function, preferably $\Psi^n$. Further a matrix $A'$ is uniformly sampled from $\mathbb{Z}_N^{n(\kappa_i) \times m}$, with $i = 1$ here. Then the public key $PK_1$, respectively $PK_i$, is given by $(G, g, g^{A|A'}, g^{(A|A')(s|s') + t(x|x')})$, and $SK_1$, respectively $SK_i$, is equal to $s|s'$. Thus the update key $UK_1$, respectively $UK_i$, is given by $(UK_{0,i}, UK_{1,i}) = (g^{u'}, g^{v'})$, wherein $u' = A'r'$ and $v' = (A's' + tx')r'$, and the symbol "$|$" denotes the corresponding expansion of the first vector (or matrix) by the second one.
In detail the fourth step S4 may be implemented in the following way:
To perform the fourth step S4 the ciphertext $C_{i-1} = (c_{0,i-1}, c_{1,i-1})$, i.e. its first and second part, is patched in the following way: $c_{0,i} = (c_{0,i-1} \,|\, UK_{0,i})$ and $c_{1,i} = c_{1,i-1} \cdot UK_{1,i}$ are computed.
To perform a fifth step S5, the decryption, the auxiliary variable $h = c_1 / c_0^{\,s} = g^{v - \langle s, u\rangle}$ with $c_0^{\,s} = \prod_j c_{0,j}^{s_j}$ is computed, and then $h^{\chi} = g^{\chi m}$, since $v - \langle s, u\rangle = t(xr + e) + m$ and $t\chi = \mathrm{ord}(G)$ cancels every multiple of $t$ in the exponent.
Since $\chi = \mathrm{ord}(G)/t$ is a fixed parameter, the message $m$ can be looked up in a table of the values $g^{\chi m}$, or the discrete logarithm can be computed for small $m$.
Inter alia the following optimizations may be used or performed together with one or more of the above mentioned steps S1-S4. In case of encrypting a bit, i.e. $m \in \{0, 1\}$, and setting $t = 2$, raising $h$ to the power of $\chi$ can be efficiently implemented by computing the Jacobi symbol $J(h, p, q)$, which gives a speed-up of factor $O(n)$.
In order to shrink the size of public keys and encryptions, polynomial rings instead of groups may be used, giving a public key length of $O(n)$ instead of $O(n \cdot m)$ and requiring $O(n)$ instead of $O(n \cdot m)$ group multiplications to compute the ciphertext, wherein $n$ and $m$ are integers representing dimensions.
Fig. 2 shows a system according to a second embodiment of the present invention. In Fig. 2 the key generating means KGM are operable to provide a first public key/secret key pair PK0, SK0 based on a first security parameter 1^κ0.
After the first public key/secret key pair is generated, the encryption means EM encrypt data m with the generated first public key PK0.
After that the update key generating means UKGM generate an update key UK0 and a second public key/secret key pair PK1, SK1 based on a second security parameter 1^κ1 and based on the first public key/secret key pair PK0, SK0.
Then the patching means PM patch the encrypted data with the generated update key UK0 to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.
In general, into the key generating means KGM, respectively in the first step S1, a security parameter 1^κ0 is input, and the public key PK0 and the secret key SK0 are output.
Into the encryption means EM, respectively in the second step S2, the generated public key PK0 and a message m are input, and a ciphertext C0 is output.
Into the update key generating means UKGM, respectively in the third step S3, a second security parameter 1^κ1, the public key PK0 and the secret key SK0 are input, and an update key UK1 together with a refreshed public key/secret key tuple (PK1, SK1) is output.
Into the patching means PM, respectively in the fourth step S4, the update key UK1 and the ciphertext C0 are input, and a patched ciphertext C1 is output. For generalization the steps S2-S4 may be performed again, leading to a refreshed public key/secret key tuple PK2, SK2 with input of PK1, SK1 of the previous round of steps S2-S4. In general the security parameter in round i is denoted with 1^κi, the previous public key/secret key tuple with PK_{i-1}, SK_{i-1}, the update key with UK_i and the updated public key/secret key tuple with PK_i, SK_i, as well as the unpatched ciphertext with C_{i-1} and the ciphertext patched with the update key UK_i with C_i.
In the fifth step S5, respectively into the decryption means DM, the secret key SK1 and the ciphertext C1 are input, and the decrypted message m is output.
In summary, the present invention addresses the resilience against breaking the underlying intractability problem. Fall-back security is provided even if the underlying hardness assumption is broken: there is another "wingman" problem backing up the encryption. In particular the underlying hardness assumption can be reduced to the so-called learning with errors (LWE) assumption or a Diffie-Hellman problem.
The present invention assures security even in the case that at some point in time the Diffie-Hellman problem or the LWE problem becomes tractable. The LWE problem and the Diffie-Hellman problem are mutually exclusive due to their fundamentally different algebraic structure. Therefore there exists no reduction from the LWE problem to the Diffie-Hellman problem or vice versa.
The second fall-back mechanism of the present invention addresses the scalability of the resilience: since the security parameter scales how "hard" it is to break the encryption scheme, conventional encryption methods require fixing the security parameter once in advance for the lifetime of the encryption method. In contrast thereto, the present invention provides an update mechanism to gradually increase the entropy of the ciphertext. When a message is encrypted with respect to a security parameter k, at some point in future time k-security is no longer believed to assure a sufficient security level. For example, NIST updates the security parameters for cryptographic algorithms every 5-10 years. The present invention provides an update mechanism to boost security to, for example, 2k without decrypting the message plaintext.
Further the provided encryption method of the present invention enables an additive homomorphism. For example, when decryption, denoted with the reference sign D, is applied to the product of two ciphertexts C1 × C2, the sum of the respective plaintexts m1, m2 is obtained: D(SK, C1 × C2) = m1 + m2.
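As an added worked example (not code from the patent or from NEC), the following Python script instantiates steps S1 to S5 described above together with the additive homomorphism D(SK, C1 × C2) = m1 + m2 just stated: key generation over a composite modulus N = pq with discrete Gaussian sampling, encryption in the exponent, the update key of round i, ciphertext patching by expansion of c0 and multiplication of c1, and decryption with the expanded secret key s|s'. It uses the bit case t = 2 and reads the message off with the Jacobi symbol, as the optimisation in the description suggests, which in turn requires a generator g with J(g, N) = -1; that choice, the primes, the matrix dimensions and the Gaussian width are assumptions of this example, not values given on the page, and they are far too small for real use.

```python
# Added example (not the patent's code): toy instantiation of steps S1-S5 plus the additive homomorphism.
import math
import random

P, Q = 1000000007, 1000000009   # odd primes; N = P*Q plays the RSA-type modulus (toy size, assumption)
N = P * Q
ORD = (P - 1) * (Q - 1)         # ord(G) for G = Z_N^*, even, so t = 2 divides it; exponents live mod ORD
T = 2                           # error scaling factor t: with t = 2 the message is a single bit
NDIM, MDIM = 4, 6               # dimensions n x m of the matrix A (assumption)
SIGMA = 3.0                     # width of the discrete Gaussian Psi (assumption)
rng = random.Random(2015)       # fixed seed so the demo is reproducible

def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n: product of Legendre symbols, computed by quadratic reciprocity."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:            # (2/n) = -1 exactly when n = 3 or 5 (mod 8)
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a                  # reciprocity: the sign flips when both are 3 (mod 4)
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def gauss_vec(k):
    """k discrete Gaussian samples from Psi, reduced to exponents mod ord(G)."""
    return [round(rng.gauss(0, SIGMA)) % ORD for _ in range(k)]

def mat_t_vec(A, s):
    """A^T s, the exponent vector that pairs with r (the page writes this product as 'As')."""
    return [sum(row[j] * sj for row, sj in zip(A, s)) % ORD for j in range(len(A[0]))]

def exp_dot(gvec, r):
    """prod_j gvec[j]^r[j] mod N, i.e. g^<e, r> when gvec = g^e componentwise."""
    return math.prod(pow(gj, rj, N) for gj, rj in zip(gvec, r)) % N

def pick_generator():
    """g with Jacobi symbol J(g, N) = -1 (assumption): then J(g^k, N) = (-1)^k reveals the parity of k."""
    while True:
        g = rng.randrange(2, N)
        if jacobi(g, N) == -1:
            return g

G = pick_generator()

def key_part(n, m, s):
    """Uniform A (n x m), x ~ Psi^m, b = A^T s + t x; returned in the exponent as g^A, g^b."""
    A = [[rng.randrange(ORD) for _ in range(m)] for _ in range(n)]
    b = [(bj + T * xj) % ORD for bj, xj in zip(mat_t_vec(A, s), gauss_vec(m))]
    return [[pow(G, a, N) for a in row] for row in A], [pow(G, bj, N) for bj in b]

def keygen(n=NDIM, m=MDIM):
    """S1: SK0 = s ~ Psi^n, PK0 = (g^A, g^b)."""
    s = gauss_vec(n)
    gA, gb = key_part(n, m, s)
    return {"gA": gA, "gb": gb}, s

def encrypt(pk, m):
    """S2: r ~ Psi^m, e ~ Psi; c0 = g^{A r} (one element per row of A), c1 = g^{<b, r> + t e + m}."""
    r = gauss_vec(len(pk["gb"]))
    e = gauss_vec(1)[0]
    c0 = [exp_dot(row, r) for row in pk["gA"]]
    c1 = exp_dot(pk["gb"], r) * pow(G, (T * e + m) % ORD, N) % N
    return c0, c1

def update(pk, sk, n_new):
    """S3: fresh s', x', r', A' (n_new x m). Returns PK_i = (g^{A|A'}, g^{b + b'}), SK_i = s|s' and
    the update key UK_i = (g^{A' r'}, g^{<b', r'>}) with b' = A'^T s' + t x'."""
    s2 = gauss_vec(n_new)
    gA2, gb2 = key_part(n_new, len(pk["gb"]), s2)
    r2 = gauss_vec(len(pk["gb"]))
    pk_new = {"gA": pk["gA"] + gA2, "gb": [u * v % N for u, v in zip(pk["gb"], gb2)]}
    return pk_new, sk + s2, ([exp_dot(row, r2) for row in gA2], exp_dot(gb2, r2))

def patch(ct, uk):
    """S4: c0_i = c0_{i-1} | UK0_i (expansion by n_new elements), c1_i = c1_{i-1} * UK1_i."""
    return ct[0] + uk[0], ct[1] * uk[1] % N

def add_ciphertexts(ct1, ct2):
    """Additive homomorphism: the componentwise product decrypts to m1 + m2 (mod t)."""
    return [a * b % N for a, b in zip(ct1[0], ct2[0])], ct1[1] * ct2[1] % N

def decrypt(sk, ct):
    """S5: h = c1 / prod_j c0_j^{s_j} = g^{v - <s, u>} = g^{t(<x, r> + e) + m}; for t = 2 the bit m is
    the parity of that exponent, read off as J(h, N) instead of raising h to the power chi."""
    c0, c1 = ct
    h = c1 * pow(exp_dot(c0, sk), -1, N) % N   # modular inverse (Python 3.8+)
    return 0 if jacobi(h, N) == 1 else 1

if __name__ == "__main__":
    pk0, sk0 = keygen()
    ct0 = encrypt(pk0, 1)
    pk1, sk1, uk1 = update(pk0, sk0, n_new=2)   # round 1: a longer key; the ciphertext is patched, not re-encrypted
    print("under SK0:", decrypt(sk0, ct0), "| patched, under SK1:", decrypt(sk1, patch(ct0, uk1)))
    print("1 + 1 mod 2 homomorphically:", decrypt(sk0, add_ciphertexts(ct0, encrypt(pk0, 1))))
```

Calling `update` again on PK1, SK1 and patching the already patched ciphertext reproduces the "round performed at least twice" embodiment: every round lengthens c0 and the secret key by n_new group elements while c1 stays a single group element, and a patched ciphertext can no longer be decrypted with the earlier secret key s alone, because its exponent now contains the term <b', r'> whose parity only s' cancels. Correctness is exact here because the t = 2 factor removes every error term before the Jacobi symbol is taken; with larger t the table lookup of g^{χ m} from step S5 would take the place of `jacobi`.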
In other words, conventional encryption schemes try to mingle different hardness assumptions. For instance the computational Diffie-Hellman problem with a composite modulus inherits the discrete-logarithm and the RSA problem. However, the compound assumption breaks if already either assumption is weak, in contrast to the present invention. The present invention provides a public key/secret key encryption scheme with fall-back security even if one of the underlying hardness assumptions is broken. The encryption scheme is additively homomorphic and works on even-modulus arithmetic, that is with modulus q = 2^n, wherein n is an integer, providing fast implementations on 2^5 = 32 bit and 2^6 = 64 bit central processing units (CPU). Even further the present invention enables rescaling the hardness, in terms of the security parameter of breaking the scheme, by publicly updating the ciphertext - without any trust assumptions - without trivially re-encrypting the message plaintext. The present invention is further highly parallelizable due to its vector and/or matrix structure, is secure against post-quantum attacks and safeguards long-term security.
The present invention can easily replace existing conventional public key/secret key encryption methods, providing a higher robustness and a higher security level, for example when confidentiality of high-risk documents such as company confidential data, government files or the like is required, when data is migrated from one system to another, when data is archived for a long period of time, or when data is simply outsourced to an honest but computationally powerful party like a cloud storage or the like.
Many modifications and other embodiments of the invention set forth herein will come to mind to one skilled in the art to which the invention pertains having the benefit of the teachings presented in the foregoing description and the associated drawings.
Therefore, it is to be understood that the invention is not to be limited to the specific embodiments disclosed and that modifications and other embodiments are intended to be included within the scope of the appended claims. Although specific terms are employed herein, they are used in a generic and descriptive sense only and not for purposes of limitation.

Claims

1. A method for encrypting data, preferably a message (m), using an asymmetric encryption scheme,
characterized by the steps of
a) Providing (S1) a first public key/secret key pair (PK0, SK0) based on a first security parameter (1^K0),
b) Encrypting (S2) the data (m) with the first public key (PK0),
c) Generating (S3) an update key (UK0) and a second public key/secret key pair (PK1, SK1) based on a second security parameter (1^K1) and based on the first public key/secret key pair (PK0, SK0), and
d) Patching (S4) the encrypted data with the generated update key (UK0) to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.
2. The method according to claim 1, characterized in that a round (S2-S4) of steps b)-d) is performed at least twice, wherein in each round (S2-S4) different security parameters (1^K0, 1^K1, ...), in particular relating to different encryption schemes, are used.
3. The method according to one of the claims 1-2, characterized in that step d) (S4) is performed such that the patched encrypted data is compact and/or constant in size compared with the unpatched encrypted data.
4. The method according to one of the claims 1-3, characterized in that the generation of the second public key and/or second secret key (PK1, SK1) is performed such that the length of the second public key and/or second secret key (PK1, SK1) compared with the first public key and/or first secret key (PK0, SK0) is compact.
5. The method according to one of the claims 1-4, characterized in that the generation of the public key/secret key pair (PK0, SK0; PK1, SK1) and/or the encryption of the data (m) is performed computationally parallelized.
6. The method according to one of the claims 1-5, characterized in that for providing a secret key (SK0, SK1), the secret key (SK0, SK1) is sampled from an n-dimensional probability distribution function (Ψ^n) defined over an algebraic structure (Z_N) having even order with an RSA modulus.
7. The method according to claim 6, characterized in that the public key (PK0) is based on the secret key (SK0, SK1), an error scaling factor (t) and a further vector sampled from the n-dimensional probability distribution function.
8. The method according to one of the claims 1-7, characterized in that the algebraic structure is provided in the form of a group (Z_N), preferably a multiplicative group, or a ring, preferably a polynomial ring.
9. The method according to one of the claims 1-8, characterized in that for encrypting the data (m) a vector (r) is sampled from an n-dimensional probability distribution function (Ψ^n) and an error term (e) is sampled from the corresponding one-dimensional probability distribution function (Ψ), wherein a first part (c0) and a second part (c1) of the encrypted data (c) are based on the sampled vector (r), and wherein the second part (c1) is also based on the sampled error term (e) with an error scaling factor (t).
10. The method according to claim 9, characterized in that the probability distribution function (Ψ) is provided in the form of a Gaussian distribution function or a uniform distribution function.
11. The method according to one of the claims 1-10, characterized in that the update key (UK0) is generated based on sampled vectors of an n-dimensional probability distribution function, preferably the same distribution function (Ψ^n) used for encrypting the data (m), and a matrix (A') sampled from a second distribution function, preferably the uniform distribution function.
12. The method according to one of the claims 1-11, characterized in that in case of data in the form of a bit (m ∈ {0, 1}) and the lowest possible error scaling factor (t), an auxiliary variable (h) based on the second part (c1) and on the secret key (SK1) to the power of the order (ord(G)) of the algebraic structure (G) divided by the lowest possible error scaling factor (t) is calculated based on Jacobi symbols (J).
13. The method according to one of the claims 1-12, characterized in that the error scaling factor (t) is determined based on the length of the message (m) to be encrypted.
14. A method for decrypting data, preferably a message (m), using an asymmetric encryption scheme, characterized in that decryption (S5) of encrypted data encrypted with a method according to one of the claims 1-13 is performed based on the actual secret key (SK1) of the last round and the encrypted data (c).
15. A system for encrypting data, preferably a message (m), using an asymmetric encryption scheme, preferably for performing a method according to one of the claims 1-13,
characterized by
key generating means (KGM) operable to provide a first public key/secret key pair (PK0, SK0) based on a first security parameter (1^K0),
encryption means (EM) operable to encrypt the data (m) with the first public key (PK0),
update key generating means (UKGM) operable to generate an update key (UK0) and a second public key/secret key pair (PK1, SK1) based on a second security parameter (1^K1) and based on the first public key/secret key pair (PK0, SK0), and
patching means (PM) operable to patch the encrypted data with the generated update key (UK0) to obtain patched encrypted data with a higher entropy compared with the unpatched encrypted data.
16. Use of a method according to one of the claims 1-13 for increasing confidentiality of existing encrypted data.
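The description and claims 6 to 14 above fix the shape of the scheme: a ciphertext with a vector part c0 and a scalar part c1 derived from a sampled vector r and an error term e, an additive homomorphism over an even modulus, an update key built from sampled vectors and a uniformly sampled matrix, and a patching step after which only the latest secret key decrypts. The block below is an added example and not the patent's own construction: the patent works in an algebraic structure of even order over an RSA modulus and decrypts with Jacobi symbols, none of which is reproduced here. It is instead a plain-integer LWE-style toy (an assumed instantiation) with q = 2^32 so that all arithmetic is native 32-bit wraparound, the message encoded in the high bits in the textbook Regev manner rather than with the claims' error scaling factor t, and the update key realised as a bit-decomposition key-switching key, a standard technique assumed here rather than taken from the page. The parameters (dimensions 32 and 48, error bound 4, plaintext modulus 256) are toy values chosen so that decryption is deterministically correct and carry no security claim. What the run demonstrates is that the sum of two ciphertexts can be patched to a fresh key of larger dimension without ever being decrypted, keeps the same (n + 1)-word size, and decrypts with the new key alone.

```python
"""Toy LWE-style additively homomorphic encryption with ciphertext patching
(key switching) to a fresh, larger key.  Added example, not the patent's own
construction: plain integer arithmetic mod q = 2**32, message in the high bits
(Regev encoding), key-switching update key.  Toy parameters, no security claim."""
import random

K = 32                    # q = 2**K: even modulus, native 32-bit wraparound
Q = 1 << K
MASK = Q - 1
T = 256                   # plaintext modulus: one byte per ciphertext (assumed)
DELTA = Q // T            # message m is encoded as m * DELTA (high 8 bits)
B = 4                     # secret/error bound: uniform in [-B, B] (assumed)
rng = random.SystemRandom()

def small(n):
    """Sample an n-vector from the bounded uniform distribution Psi^n."""
    return [rng.randint(-B, B) for _ in range(n)]

def uniform(n):
    """Sample an n-vector uniformly from Z_q."""
    return [rng.randrange(Q) for _ in range(n)]

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) & MASK

def keygen(n):
    """Secret s in Psi^n; public key (A, b = A s + e) with A uniform n x n."""
    s = small(n)
    A = [uniform(n) for _ in range(n)]
    e = small(n)
    b = [(dot(row, s) + ei) & MASK for row, ei in zip(A, e)]
    return s, (A, b)

def encrypt(pk, m):
    """c0 = r^T A, c1 = <r, b> + e + m*DELTA with r in Psi^n and e in Psi."""
    A, b = pk
    n = len(b)
    r = small(n)
    e = rng.randint(-B, B)
    c0 = [sum(r[i] * A[i][j] for i in range(n)) & MASK for j in range(n)]
    c1 = (dot(r, b) + e + (m % T) * DELTA) & MASK
    return c0, c1

def decrypt(s, c):
    """Recover m by rounding c1 - <c0, s> to the nearest multiple of DELTA."""
    c0, c1 = c
    v = (c1 - dot(c0, s)) & MASK
    return ((v + DELTA // 2) >> (K - 8)) % T      # DELTA == 2**(K-8)

def add(c, d):
    """Additive homomorphism: componentwise sum mod q encrypts m + m' mod T."""
    return [(x + y) & MASK for x, y in zip(c[0], d[0])], (c[1] + d[1]) & MASK

def update_keygen(s_old, n_new):
    """Fresh key pair of dimension n_new plus an update key: for each coordinate
    i of s_old and each bit position j, an encryption under s_new of 2**j *
    s_old[i] built from a uniformly sampled vector and a fresh small error."""
    s_new, pk_new = keygen(n_new)
    uk = []
    for i in range(len(s_old)):
        for j in range(K):
            a = uniform(n_new)
            bij = (dot(a, s_new) + rng.randint(-B, B) + (s_old[i] << j)) & MASK
            uk.append((a, bij))
    return s_new, pk_new, uk

def patch(uk, c, n_new):
    """Re-key a ciphertext to the new secret without decrypting it: bit-decompose
    c0 and subtract the matching update-key entries.  The result has the same
    (n_new + 1)-word shape as a fresh ciphertext under the new key."""
    c0, c1 = c
    new_c0 = [0] * n_new
    new_c1 = c1
    idx = 0
    for i in range(len(c0)):
        for j in range(K):
            if (c0[i] >> j) & 1:
                a, bij = uk[idx]
                new_c0 = [(x - y) & MASK for x, y in zip(new_c0, a)]
                new_c1 = (new_c1 - bij) & MASK
            idx += 1
    return new_c0, new_c1

def demo_round_trip(m1=0x5A, m2=0xC3, n0=32, n1=48):
    """Encrypt two bytes under key 0, add them homomorphically, patch the sum to
    key 1 of larger dimension, and decrypt with key 1 only.  Returns the sum
    read with key 0, the patched sum read with key 1, and a fresh key-1 check."""
    s0, pk0 = keygen(n0)
    c_sum = add(encrypt(pk0, m1), encrypt(pk0, m2))
    s1, pk1, uk = update_keygen(s0, n1)
    c_patched = patch(uk, c_sum, n1)
    assert len(c_patched[0]) == n1              # compact: same shape as fresh
    return decrypt(s0, c_sum), decrypt(s1, c_patched), decrypt(s1, encrypt(pk1, m1))

if __name__ == "__main__":
    print(demo_round_trip())
```

The noise bounds are deterministic for these parameters (at most n0·B² + B per fresh ciphertext and n0·K·B added by a patch, all far below DELTA/2), so the round trip never fails; in a real deployment the dimension, error distribution and modulus would be set from the target security parameter, which is exactly the knob the claims' second security parameter turns.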

Priority Applications (1)

Application Number Priority Date Filing Date Title
PCT/EP2013/075164 WO2015078533A1 (en) 2013-11-29 2013-11-29 Method and system for encrypting data

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
PCT/EP2013/075164 WO2015078533A1 (en) 2013-11-29 2013-11-29 Method and system for encrypting data

Publications (1)

Publication Number Publication Date
WO2015078533A1 true WO2015078533A1 (en) 2015-06-04

Family

ID=49880688

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/EP2013/075164 WO2015078533A1 (en) 2013-11-29 2013-11-29 Method and system for encrypting data

Country Status (1)

Country Link
WO (1) WO2015078533A1 (en)

Cited By (12)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656923A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Device association method, key update method and apparatuses
WO2018213875A1 (en) * 2017-05-22 2018-11-29 Commonwealth Scientific And Industrial Research Organisation Asymmetric cryptography and authentication
CN110214433A (en) * 2017-12-15 2019-09-06 首尔大学校产学协力团 Terminal device performing homomorphic encryption, server device processing ciphertext, and methods thereof
CN111245564A (en) * 2020-01-06 2020-06-05 电子科技大学 Triple security coding method based on hardware secret circuit
US11240014B1 (en) 2019-09-10 2022-02-01 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11322050B1 (en) 2020-01-30 2022-05-03 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11343270B1 (en) 2019-09-10 2022-05-24 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11449799B1 (en) 2020-01-30 2022-09-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11477016B1 (en) 2019-09-10 2022-10-18 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11533175B1 (en) 2020-01-30 2022-12-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography on a smartcard
US11626983B1 (en) 2019-09-10 2023-04-11 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11838410B1 (en) 2020-01-30 2023-12-05 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8515058B1 (en) * 2009-11-10 2013-08-20 The Board Of Trustees Of The Leland Stanford Junior University Bootstrappable homomorphic encryption method, computer program and apparatus

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US8515058B1 (en) * 2009-11-10 2013-08-20 The Board Of Trustees Of The Leland Stanford Junior University Bootstrappable homomorphic encryption method, computer program and apparatus

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
GIUSEPPE ATENIESE ET AL: "Entangled Cloud Storage", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, vol. 20130625:075548, 25 June 2013 (2013-06-25), pages 1 - 34, XP061007634 *
ILYA MIRONOV ET AL: "Incremental Deterministic Public-Key Encryption", INTERNATIONAL ASSOCIATION FOR CRYPTOLOGIC RESEARCH, vol. 20120201:041416, 31 January 2012 (2012-01-31), pages 1 - 21, XP061005877 *

Cited By (21)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN106656923A (en) * 2015-10-30 2017-05-10 阿里巴巴集团控股有限公司 Device association method, key update method and apparatuses
WO2018213875A1 (en) * 2017-05-22 2018-11-29 Commonwealth Scientific And Industrial Research Organisation Asymmetric cryptography and authentication
US11115183B2 (en) * 2017-12-15 2021-09-07 Crypto Lab Inc. Terminal device performing homomorphic encryption, server device processing ciphertext and methods thereof
CN110214433A (en) * 2017-12-15 2019-09-06 首尔大学校产学协力团 Terminal device performing homomorphic encryption, server device processing ciphertext, and methods thereof
CN110214433B (en) * 2017-12-15 2023-04-18 加密实验室公司 Terminal device for homomorphic encryption, encryption method thereof and ciphertext processing method of server device
US11101976B2 (en) * 2017-12-15 2021-08-24 Crypto Lab Inc. Terminal device performing homomorphic encryption, server device processing ciphertext and methods thereof
US11343270B1 (en) 2019-09-10 2022-05-24 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11240014B1 (en) 2019-09-10 2022-02-01 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11902431B1 (en) 2019-09-10 2024-02-13 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11736281B1 (en) 2019-09-10 2023-08-22 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11477016B1 (en) 2019-09-10 2022-10-18 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11750378B1 (en) 2019-09-10 2023-09-05 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11626983B1 (en) 2019-09-10 2023-04-11 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
CN111245564B (en) * 2020-01-06 2021-04-13 电子科技大学 Triple security coding method based on hardware secret circuit
CN111245564A (en) * 2020-01-06 2020-06-05 电子科技大学 Triple security coding method based on hardware secret circuit
US11449799B1 (en) 2020-01-30 2022-09-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11727829B1 (en) 2020-01-30 2023-08-15 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11727310B1 (en) 2020-01-30 2023-08-15 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11533175B1 (en) 2020-01-30 2022-12-20 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography on a smartcard
US11838410B1 (en) 2020-01-30 2023-12-05 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization
US11322050B1 (en) 2020-01-30 2022-05-03 Wells Fargo Bank, N.A. Systems and methods for post-quantum cryptography optimization

Similar Documents

Publication Publication Date Title
WO2015078533A1 (en) Method and system for encrypting data
Mahajan et al. A study of encryption algorithms AES, DES and RSA for security
CA3049531C (en) Homomorphic white box system and method for using same
US8429408B2 (en) Masking the output of random number generators in key generation protocols
CN109726567B (en) Moving target encryption method based on homomorphic encryption
WO2016000447A1 (en) Public key encryption communication method and apparatus
RU2459276C1 (en) Method for coding of m message represented as multidigit binary number
JP6033741B2 (en) Encryption key update system and method
CN113726517A (en) Information sharing method and device
JP4934010B2 (en) Public key encryption system, public key encryption method, encryption device, decryption device, encryption program, and decryption program
CA2742530C (en) Masking the output of random number generators in key generation protocols
Al-Kaabi et al. Methods toward enhancing RSA algorithm: a survey
WO2016082857A1 (en) Method for encrypting data for distributed storage
CN109495478B (en) Block chain-based distributed secure communication method and system
Rani A Novice's Perception of Partial Homomorphic Encryption Schemes
JP7125857B2 (en) Encryption system, encryption device, decryption device, encryption method, decryption method, and program
Kalaiselvi et al. Implementation Issues and analysis of cryptographic algorithms based on different security parameters
Berezin et al. Stream deniable-encryption computationally indistinguishable from probabilistic ciphering
WO2018011825A1 (en) Encryption and decryption of messages
Yadav et al. Hybrid cryptography approach to secure the data in computing environment
Kaur et al. Analysis of Security Algorithms in Cloud Environment
Odelu et al. A novel key management mechanism for dynamic hierarchical access control based on linear polynomials
Ohigashi et al. Implementation and evaluation of secure outsourcing scheme for secret sharing scheme on cloud storage services
Sirajudeen et al. Matrix-Based Data Security in Cloud Computing Using Advanced Cramer–Shoup Cryptosystem
Lizama-Pérez et al. Non-Commutative Key Exchange Protocol

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 13811811

Country of ref document: EP

Kind code of ref document: A1

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 13811811

Country of ref document: EP

Kind code of ref document: A1