Download presentation

Presentation is loading. Please wait.

Published byJosephine Yep Modified about 1 year ago

1
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser 2 A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany ISG Research Seminar Royal Holloway University of London ISG Research Seminar Royal Holloway University of London

2
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 2 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

3
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 3 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

4
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 4 Encryption Decryption CiphertextPlaintext Encryption key Decryption key Common goal: conceal data as much as possible Goal of homomorphic encryption: “conceal as little as possible”

5
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 5 Motivation 1: Outsourcing of Data Server What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen

6
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 6 Security Server Access control What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen

7
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 7 Store data encrypted On request, computation is done on encrypted data Encrypted result is given back Request Possible Solution

8
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | ⊞ Motivation 2: Electronic Voting

9
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 9 Homomorphic Encryption (Informal) Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt op op *

10
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 10 Other Applications Private Information Retrieval Multiparty Computation Oblivious Polynomial Evaluation...

11
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 11 Parameters: N=p ∙ q with p,q large primes (approx bits) Plaintext space: Z N (={0,…,N-1} modulo N) Ciphertext: Z N (={0,…,N-1} modulo N) Encryption Key: e ∈ Z N with gcd(e, (p-1)(q-1) )=1 Decryption key: d ∈ Z N with e ∙ d mod ( (p-1)∙(q-1) ) = 1 Encryption of m: c := m e mod N Decryption of c: c d mod N = m Homomorphism: mm‘ = m∙m‘ Example: RSA (1978)

12
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 12 SchemePlaintext SpaceSecurity related to RSA; 1978Integers modulo N=p*qFactorization Goldwasser, Micali; BitQuadratic residues mod N Benaloh; 1985Integers modulo R s.t. …R th residues mod N ElGamal; 1985Cyclic group GDecision Diffie-Hellman in G Paillier; 1999Integers modulo NN th residues mod N 2 Damgaard, Jurik; 2001Integers modulo N s N th residues mod N s+1 Boneh, Goh, Nissim; 2005Group over elliptic curveDecision Diffie-Hellman Different approaches Some are much better understood than others Question: Unified view on security and design of theses schemes? Homomorphic Encryption Schemes (Overview)

13
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 13 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

14
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 14 Recall: “Homomorphic = allows for operations on encrypted data” Can mean different things, depending on the application. E.g., Addition/Multiplication of integers (i.e., algebraic operations) Evaluating certain circuits Operation on character strings, e.g., removing/inserting Here: We concentrate on homomorphic encryption in the algebraic sense A Large Class of Homomorphic Encryption

15
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 15 Plaintext space Ciphertext space Encryption E Decryption D Classical Encryption Scheme

16
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 16 Plaintext space Ciphertext space Encryption E Decryption D Groups Group homomorphism, i.e. D(c op* c’)=D(c) op D(c’) Our Class of Homomorphic Encryption

17
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 17 Reminder: Group A group (in mathematical sense) is a set G together with a binary operation ∘ :G×G ➝ G such that Example: Rational numbers without zero Neutral element: 1 Inverse element: x-1 Group AxiomProperty Closure For all g,g‘ ∈ G: g ∘ g‘ ∈ G Associativity For all g,g‘,g’’ ∈ G: (g ∘ g’) ∘ g’’ = g ∘ (g’ ∘ g’’) Neutral element e ∘ g = g ∘ e = g Inverse element For all g ∈ G exists g‘ ∈ G such that g ∘ g’=g’ ∘ g= e

18
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 18 Defining security: IND-CPA Setup Public param. C Time M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) OracleAttacker Challenge Guess for b Attacker wins if he correctly guesses b

19
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 19 Defining security: IND-CCA1 Setup Decrypt Public param. cjcjcjcj mjmjmjmj C Time ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) OracleAttacker Challenge Guess for b Attacker wins if he correctly guesses b

20
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 20 Proof of Security Assumption: Mathematical problem is is hard to solve Approach: Reduce security Mathematical Problem Crypto scheme Reduction: Goal: Prove security of scheme

21
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 21 Security Notions for Encryption Schemes IND-CCA2 No Homomorphic Encryption Scheme can be IND-CCA2 secure! (because is an encryption of 1 for some i) IND-CCA1 IND-CPA (strongest)

22
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 22 SchemeIND-CPA secure if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Security of Existing Schemes

23
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 23 SchemeIND-CPA secure if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP) Abstract problem: SOAP (splitting oracle assisted SMP) Our Result: Abstraction and Characterization

24
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 24 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Daamgard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP) Abstract problem: SOAP (splitting oracle assisted SMP) Our Result: Abstraction and Characterization

25
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 25 Application: Easy Confirmation of Known Results SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005??

26
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 26 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Application: Missing Characterizations

27
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 27 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Scheme 1K-Linear ProblemNew K-Problem Scheme 2Gonzales-Nieto et al.; 2005New Problem Application: New Schemes

28
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 28 SchemeIND-CPA Security ElGamal; 1985Decision Diffie-Hellman; 1998 Paillier; 1999N th residues mod N 2 ; 1999 Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 Boneh et al.; 2005Decision Diffie-Hellman; 2005 Scheme 1K-Linear Problem Scheme 2Gonzales-Nieto et al.; 2005 Ciphertext group has prime orderProblem instance always weak Ciphertext group is a vector space over a prime field (e.g. linear code) Problem instance always weak Application: Impossibility Results

29
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 29 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

30
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 30 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism Our Considered Class of Homomorphic Encryption Schemes (Reminder)

31
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 31 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism 1 Encr. of 1 C1C1 Encryptions of „1“ form a normal subgroup C 1 of the ciphertext space C Easy Observations I

32
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 32 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism 1 C1C1 Set of encryptions of „m“ equals the coset m ⋅ C 1 m Encr. of m m⋅C1m⋅C1 Easy Observations II

33
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 33 Consequence c = encryp- tion of m c ∈ m∙C 1 c∙m -1 ∈ C 1 Therefore: Consequence: Recognizing encryptions of m m‘ m‘=m? Recognizing encryptions of 1 m‘ m‘=1?

34
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 34 Immediate IND-CPA Security Characterization Scheme is IND-CPA SECURE Subgroup membership problem (SMP) is hard w.r.t. C 1 C1C1 c∈C1?c∈C1? c∈C1?c∈C1? c

35
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 35 Application Plaintexts Ciphertext encryption decryption Let a homomorphic scheme be given Goal: IND-CPA security characterization 1.Identify subgroup C 1 (= encryptions of 1) C1C1 2.Formulate SMP wrt. to C 1

36
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 36 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? What about IND-CCA1? Application: Easy IND-CPA Security Characterization of Existing Schemes

37
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 37 Abstraction of Computational and Decisional Problems I (Simplified) finite group G subgroups N and R of G such that the map is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R). The Splitting Problem: compute σ(z) compute σ(z)

38
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 38 Abstraction of Computational and Decisional Problems II (Simplified) The Splitting and Subgroup Membership Problem: Example instance (Diffie-Hellman): be a cyclic group of prime order p for The Splitting Problem for is the Computational Diffie-Hellman Problem The corresponding SMP for is the Decisional Diffie-Hellman Problem

39
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 39 SOAP = Splitting Oracle-Assisted SMP SMP for (G,N) N z ∈ N? z Phase 1: LearningPhase 2: Challenge Splitting Oracle Setup(λ) Algorithm outputs: (G,N,R) G

40
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 40 IND-CCA1 Security Characterization Scheme is IND-CCA1 SECURE SOAP is hard w.r.t.. Setup Decrypt Public param. cjcjcjcj mjmjmjmj C ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) Challenge Guess for b

41
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 41 Application: IND-CCA1 Characterization of Existing Schemes SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓

42
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 42 Plaintexts Ciphertexts encryption decryption 1 C1C1 Encryption of m: Sample c 1 ∈ C 1 Output c := m∙c 1 Decryption of c: Determine c mod C 1 (w.r.t. a fixed system of representatives of C/C 1 ) m m⋅C1m⋅C1 Generic Scheme (Simplified)

43
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 43 Group G Plaintext Space encryption decryption N Given: SMP for group G and subgroup N Interpret G as ciphertext space and N as encryption of 1 Construct encryption/decryption as in the generic scheme Scheme is IND-CPA secure iff initial SMP is hard C1C1 Ciphertext Space Application: Design of New Schemes

44
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 44 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Scheme 1K-Linear ProblemNew K-Problem Scheme 2Gonzales-Nieto et al.; 2005New Problem Application: New Schemes

45
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 45 Plug into Generic Scheme New Homomorphic Scheme 1 (k-linear) The k-Linear Problem k-LP for Decisional problem that generalizes DDH Properties in the Generic Group Model: If (k+1)-LP is hard, then so is k-LP k-LP is hard If k-LP is easy, then (k+1)-LP is still hard k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP k-SOAP provably behaves as k-LP in the generic group model K-SOAP might be of independent interest

46
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 46 New Homomorphic Scheme 1 (k-linear) This Generic Scheme instance yields the first homomorphic scheme that is IND-CPA secure if and only if k-LP is hard (for k>2) IND-CCA1 secure if and only if k-SOAP is hard

47
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 47 New Homomorphic Scheme 2 (Motivation) “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10] The existence of such homomorphic schemes is an open question! We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]

48
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 48 New Homomorphic Scheme 2 (Construction) n=q 0 q 1 RSA-modulus such that p := 2n+1 is prime Consider the cyclic subgroups G n, G q0 and G q1 whose orders correspond to the divisors n, q 0 and q 1 of p-1, respectively Compute generators g 0 and g 1 of G q0 and G q1, respectively Then g 0 g 1 is a generator of G n Plug the Splitting Problem for (G n, G q1, G q0 ) into Generic Scheme Since G n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!

49
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 49 Application: Impossibility Results Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA! Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (this partly answers an open question whether using linear codes as ciphertext spaces yield more efficient constructions)

50
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 50 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

51
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 51 Summary Considered the class of algebraic homomorphic encryption schemes Presented a generic framework for such schemes Allows for an easy security characterization both in terms of IND-CPA and IND- CCA1 security Supports construction of new schemes (starting from the problem) Allows for certain impossibility results (code-based) Constructed two new schemes with special properties (k-linear, cyclic)

52
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 52 Most Recent Results and Future Work (Fully Homomorphic Encryption) Extension of IND-CPA characterization to Gentry‘s „blueprint“ for constructing fully homomorphic encryption schemes (encompasses all currently known schemes) o What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, does only exist in the Random Oracle Model. o Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!

53
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 53 Open question: extension Plaintexts Ciphertext encryption decryption Rings Ring homomorphism 1 C1C1 Extension to rings (would allow for addition and multiplication) Ideal

54
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 54 Open question: relaxation Plaintexts Ciphertext encryption decryption “Almost” groups Decryption with error 1 C1C1 Goal: Cover other homomorphic schemes as well, e.g., lattice based

55
| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 55 Thank you!

Similar presentations

© 2017 SlidePlayer.com Inc.

All rights reserved.

Ads by Google