Strassen's 1969 algorithm for fast matrix multiplication 2] is based on the possibility to multiply two 2 2 matrices A and B by using 7 multiplications instead of the usual 8. The corresponding formulas are an important part of any algorithms course, but, unfortunately, even in the best textbook expositions (see, e.g., 1]), they look very ad hoc. In this paper, we show that the use of natural s...

Verifiable computing (VC) uses cryptography to delegate computation to untrusted workers. But in most VC schemes, the delegated program must first be arithmetized – expressed as a circuit with multiplication and addition over a finite field. Previous work has compiled subsets of languages like C, LLVM, and bespoke assembly to arithmetic circuits. In this paper, we report on a new DSL for VC, ca...

A key recovery attack allows an attacker to recover the private key of an underlying encryption scheme when given a number of decryption oracle accesses. Previous research has shown that most existing Somewhat Homomorphic Encryption (SHE) schemes suffer from this attack. In this paper, we propose efficient key recovery attacks against two NTRU-based SHE schemes, which have not gained much atten...

Designing efficient cryptographic protocols tolerating adaptive adversaries, who are able to corrupt parties on the fly as the computation proceeds, has been an elusive task. In this paper we make progress in this area. First, we introduce a new notion called semi-adaptive security which is slightly stronger than static security but significantly weaker than fully adaptive security. The main di...

The purpose of this paper is to compare side-by-side the NTRU and BGV schemes in their non-scale invariant (messages in the lower bits), and their scale invariant (message in the upper bits) forms. The scale invariant versions are often called the FV and YASHE schemes. As an additional optimization, we also investigate the affect of modulus reduction on the scale-invariant schemes. We compare t...

We present a hardware architecture for all building blocks required in polynomial ring based fully homomorphic schemes and use it to instantiate the somewhat homomorphic encryption scheme YASHE. Our implementation is the first FPGA implementation that is designed for evaluating functions on homomorphically encrypted data (up to a certain multiplicative depth) and we illustrate this capability b...

We propose distributed decryption schemes for somewhat homomorphic encryption (SHE). The proposed schemes are constructed based on the encryption scheme by Brakerski and Vaikuntanathan. In SHE, homomorphic multiplication increases the number of elements in a ciphertext. The proposed scheme can decrypt a ciphertext containing more than two elements with k out of N parties. The distributed decryp...

In his seminal paper at STOC 2009, Gentry left it as a future work to investigate (somewhat) homomorphic encryption schemes with IND-CCA1 security. At SAC 2011, Loftus et al. showed an IND-CCA1 attack against the somewhat homomorphic encryption scheme presented by Gentry and Halevi at Eurocrypt 2011. At ISPEC 2012, Zhang, Plantard and Susilo showed an IND-CCA1 attack against the somewhat homomo...