Download presentation

Presentation is loading. Please wait.

Published byJosephine Yep Modified over 2 years ago

1
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser 2 A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany ISG Research Seminar Royal Holloway University of London 20.01.2011 ISG Research Seminar Royal Holloway University of London 20.01.2011

2
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 2 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

3
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 3 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

4
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 4 Encryption Decryption CiphertextPlaintext Encryption key Decryption key Common goal: conceal data as much as possible Goal of homomorphic encryption: “conceal as little as possible”

5
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 5 Motivation 1: Outsourcing of Data Server What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen

6
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 6 Security Server Access control What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen

7
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 7 Store data encrypted On request, computation is done on encrypted data Encrypted result is given back Request Possible Solution

8
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 8 + + ++ ⊞ Motivation 2: Electronic Voting

9
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 9 Homomorphic Encryption (Informal) Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt op 22 7 7 9 9 op *

10
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 10 Other Applications Private Information Retrieval Multiparty Computation Oblivious Polynomial Evaluation...

11
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 11 Parameters: N=p ∙ q with p,q large primes (approx. 1000 bits) Plaintext space: Z N (={0,…,N-1} modulo N) Ciphertext: Z N (={0,…,N-1} modulo N) Encryption Key: e ∈ Z N with gcd(e, (p-1)(q-1) )=1 Decryption key: d ∈ Z N with e ∙ d mod ( (p-1)∙(q-1) ) = 1 Encryption of m: c := m e mod N Decryption of c: c d mod N = m Homomorphism: mm‘ = m∙m‘ Example: RSA (1978)

12
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 12 SchemePlaintext SpaceSecurity related to RSA; 1978Integers modulo N=p*qFactorization Goldwasser, Micali; 19841 BitQuadratic residues mod N Benaloh; 1985Integers modulo R s.t. …R th residues mod N ElGamal; 1985Cyclic group GDecision Diffie-Hellman in G Paillier; 1999Integers modulo NN th residues mod N 2 Damgaard, Jurik; 2001Integers modulo N s N th residues mod N s+1 Boneh, Goh, Nissim; 2005Group over elliptic curveDecision Diffie-Hellman Different approaches Some are much better understood than others Question: Unified view on security and design of theses schemes? Homomorphic Encryption Schemes (Overview)

13
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 13 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

14
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 14 Recall: “Homomorphic = allows for operations on encrypted data” Can mean different things, depending on the application. E.g., Addition/Multiplication of integers (i.e., algebraic operations) Evaluating certain circuits Operation on character strings, e.g., removing/inserting Here: We concentrate on homomorphic encryption in the algebraic sense A Large Class of Homomorphic Encryption

15
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 15 Plaintext space Ciphertext space Encryption E Decryption D Classical Encryption Scheme

16
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 16 Plaintext space Ciphertext space Encryption E Decryption D Groups Group homomorphism, i.e. D(c op* c’)=D(c) op D(c’) Our Class of Homomorphic Encryption

17
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 17 Reminder: Group A group (in mathematical sense) is a set G together with a binary operation ∘ :G×G ➝ G such that Example: Rational numbers without zero Neutral element: 1 Inverse element: x-1 Group AxiomProperty Closure For all g,g‘ ∈ G: g ∘ g‘ ∈ G Associativity For all g,g‘,g’’ ∈ G: (g ∘ g’) ∘ g’’ = g ∘ (g’ ∘ g’’) Neutral element e ∘ g = g ∘ e = g Inverse element For all g ∈ G exists g‘ ∈ G such that g ∘ g’=g’ ∘ g= e

18
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 18 Defining security: IND-CPA Setup Public param. C Time M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) OracleAttacker Challenge Guess for b Attacker wins if he correctly guesses b

19
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 19 Defining security: IND-CCA1 Setup Decrypt Public param. cjcjcjcj mjmjmjmj C Time ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) OracleAttacker Challenge Guess for b Attacker wins if he correctly guesses b

20
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 20 Proof of Security Assumption: Mathematical problem is is hard to solve Approach: Reduce security Mathematical Problem Crypto scheme Reduction: Goal: Prove security of scheme

21
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 21 Security Notions for Encryption Schemes IND-CCA2 No Homomorphic Encryption Scheme can be IND-CCA2 secure! (because is an encryption of 1 for some i) IND-CCA1 IND-CPA (strongest)

22
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 22 SchemeIND-CPA secure if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Security of Existing Schemes

23
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 23 SchemeIND-CPA secure if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP) Abstract problem: SOAP (splitting oracle assisted SMP) Our Result: Abstraction and Characterization

24
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 24 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Daamgard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP) Abstract problem: SOAP (splitting oracle assisted SMP) Our Result: Abstraction and Characterization

25
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 25 Application: Easy Confirmation of Known Results SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005??

26
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 26 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Application: Missing Characterizations

27
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 27 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Scheme 1K-Linear ProblemNew K-Problem Scheme 2Gonzales-Nieto et al.; 2005New Problem Application: New Schemes

28
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 28 SchemeIND-CPA Security ElGamal; 1985Decision Diffie-Hellman; 1998 Paillier; 1999N th residues mod N 2 ; 1999 Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 Boneh et al.; 2005Decision Diffie-Hellman; 2005 Scheme 1K-Linear Problem Scheme 2Gonzales-Nieto et al.; 2005 Ciphertext group has prime orderProblem instance always weak Ciphertext group is a vector space over a prime field (e.g. linear code) Problem instance always weak Application: Impossibility Results

29
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 29 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

30
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 30 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism Our Considered Class of Homomorphic Encryption Schemes (Reminder)

31
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 31 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism 1 Encr. of 1 C1C1 Encryptions of „1“ form a normal subgroup C 1 of the ciphertext space C Easy Observations I

32
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 32 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism 1 C1C1 Set of encryptions of „m“ equals the coset m ⋅ C 1 m Encr. of m m⋅C1m⋅C1 Easy Observations II

33
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 33 Consequence c = encryp- tion of m c ∈ m∙C 1 c∙m -1 ∈ C 1 Therefore: Consequence: Recognizing encryptions of m m‘ m‘=m? Recognizing encryptions of 1 m‘ m‘=1?

34
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 34 Immediate IND-CPA Security Characterization Scheme is IND-CPA SECURE Subgroup membership problem (SMP) is hard w.r.t. C 1 C1C1 c∈C1?c∈C1? c∈C1?c∈C1? c

35
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 35 Application Plaintexts Ciphertext encryption decryption Let a homomorphic scheme be given Goal: IND-CPA security characterization 1.Identify subgroup C 1 (= encryptions of 1) C1C1 2.Formulate SMP wrt. to C 1

36
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 36 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? What about IND-CCA1? Application: Easy IND-CPA Security Characterization of Existing Schemes

37
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 37 Abstraction of Computational and Decisional Problems I (Simplified) finite group G subgroups N and R of G such that the map is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R). The Splitting Problem: compute σ(z) compute σ(z)

38
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 38 Abstraction of Computational and Decisional Problems II (Simplified) The Splitting and Subgroup Membership Problem: Example instance (Diffie-Hellman): be a cyclic group of prime order p for The Splitting Problem for is the Computational Diffie-Hellman Problem The corresponding SMP for is the Decisional Diffie-Hellman Problem

39
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 39 SOAP = Splitting Oracle-Assisted SMP SMP for (G,N) N z ∈ N? z Phase 1: LearningPhase 2: Challenge Splitting Oracle Setup(λ) Algorithm outputs: (G,N,R) G

40
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 40 IND-CCA1 Security Characterization Scheme is IND-CCA1 SECURE SOAP is hard w.r.t.. Setup Decrypt Public param. cjcjcjcj mjmjmjmj C ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) Challenge Guess for b

41
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 41 Application: IND-CCA1 Characterization of Existing Schemes SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓

42
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 42 Plaintexts Ciphertexts encryption decryption 1 C1C1 Encryption of m: Sample c 1 ∈ C 1 Output c := m∙c 1 Decryption of c: Determine c mod C 1 (w.r.t. a fixed system of representatives of C/C 1 ) m m⋅C1m⋅C1 Generic Scheme (Simplified)

43
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 43 Group G Plaintext Space encryption decryption N Given: SMP for group G and subgroup N Interpret G as ciphertext space and N as encryption of 1 Construct encryption/decryption as in the generic scheme Scheme is IND-CPA secure iff initial SMP is hard C1C1 Ciphertext Space Application: Design of New Schemes

44
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 44 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Scheme 1K-Linear ProblemNew K-Problem Scheme 2Gonzales-Nieto et al.; 2005New Problem Application: New Schemes

45
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 45 Plug into Generic Scheme New Homomorphic Scheme 1 (k-linear) The k-Linear Problem k-LP for Decisional problem that generalizes DDH Properties in the Generic Group Model: If (k+1)-LP is hard, then so is k-LP k-LP is hard If k-LP is easy, then (k+1)-LP is still hard k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP k-SOAP provably behaves as k-LP in the generic group model K-SOAP might be of independent interest

46
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 46 New Homomorphic Scheme 1 (k-linear) This Generic Scheme instance yields the first homomorphic scheme that is IND-CPA secure if and only if k-LP is hard (for k>2) IND-CCA1 secure if and only if k-SOAP is hard

47
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 47 New Homomorphic Scheme 2 (Motivation) “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10] The existence of such homomorphic schemes is an open question! We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]

48
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 48 New Homomorphic Scheme 2 (Construction) n=q 0 q 1 RSA-modulus such that p := 2n+1 is prime Consider the cyclic subgroups G n, G q0 and G q1 whose orders correspond to the divisors n, q 0 and q 1 of p-1, respectively Compute generators g 0 and g 1 of G q0 and G q1, respectively Then g 0 g 1 is a generator of G n Plug the Splitting Problem for (G n, G q1, G q0 ) into Generic Scheme Since G n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!

49
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 49 Application: Impossibility Results Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA! Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (this partly answers an open question whether using linear codes as ciphertext spaces yield more efficient constructions)

50
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 50 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

51
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 51 Summary Considered the class of algebraic homomorphic encryption schemes Presented a generic framework for such schemes Allows for an easy security characterization both in terms of IND-CPA and IND- CCA1 security Supports construction of new schemes (starting from the problem) Allows for certain impossibility results (code-based) Constructed two new schemes with special properties (k-linear, cyclic)

52
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 52 Most Recent Results and Future Work (Fully Homomorphic Encryption) Extension of IND-CPA characterization to Gentry‘s „blueprint“ for constructing fully homomorphic encryption schemes (encompasses all currently known schemes) o What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, does only exist in the Random Oracle Model. o Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!

53
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 53 Open question: extension Plaintexts Ciphertext encryption decryption Rings Ring homomorphism 1 C1C1 Extension to rings (would allow for addition and multiplication) Ideal

54
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 54 Open question: relaxation Plaintexts Ciphertext encryption decryption “Almost” groups Decryption with error 1 C1C1 Goal: Cover other homomorphic schemes as well, e.g., lattice based

55
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 55 Thank you!

Similar presentations

Presentation is loading. Please wait....

OK

RSA and its Mathematics Behind

RSA and its Mathematics Behind

© 2018 SlidePlayer.com Inc.

All rights reserved.

Ads by Google

Ppt on total internal reflection periscope Ppt on obesity diet Ppt on public health administration in india Ppt on data collection methods ppt Ppt on market friendly state Ppt on importance of drinking water Ppt on physical properties of metals and nonmetals Ppt on rc phase shift oscillator circuit Ppt on education for sustainable development Ppt on power diode for microwave