Presentation is loading. Please wait.

Presentation is loading. Please wait.

18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser.

Published byTerrence Jose Modified over 9 years ago

Similar presentations

Presentation on theme: "18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser."— Presentation transcript:

1 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser 2 A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany ISG Research Seminar Royal Holloway University of London 20.01.2011 ISG Research Seminar Royal Holloway University of London 20.01.2011

2 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 2 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

3 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 3 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

4 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 4 Encryption Decryption CiphertextPlaintext Encryption key Decryption key Common goal: conceal data as much as possible Goal of homomorphic encryption: “conceal as little as possible”

5 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 5 Motivation 1: Outsourcing of Data Server What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen Server performs some computation on its stored data

6 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 6 Security Server Access control What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen

7 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 7 Store data encrypted On request, computation is done on encrypted data Encrypted result is given back Request Possible Solution

8 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 8 Homomorphic Encryption (Informal) Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt op 22 7 7 9 9 op *

9 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 9 + + ++ ⊞ Example Application: Electronic Voting

10 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 10 Other Applications Private Information Retrieval Multiparty Computation Oblivious Polynomial Evaluation...

11 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 11 Parameters: N=p ∙ q with p,q large primes (approx. 1000 bits) Plaintext space: Z N (={0,…,N-1} modulo N) Ciphertext: Z N (={0,…,N-1} modulo N) Encryption Key: e ∈ Z N with gcd(e, (p-1)(q-1) )=1 Decryption key: d ∈ Z N with e ∙ d mod ( (p-1)∙(q-1) ) = 1 Encryption of m: c := m e mod N Decryption of c: c d mod N = m Homomorphism: mm‘ = m∙m‘ Example Scheme: RSA (1978)

12 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 12 SchemePlaintext SpaceSecurity related to RSA; 1978Integers modulo N=p*qFactorization Goldwasser, Micali; 19841 BitQuadratic residues mod N Benaloh; 1985Integers modulo R s.t. …R th residues mod N ElGamal; 1985Cyclic group GDecision Diffie-Hellman in G Paillier; 1999Integers modulo NN th residues mod N 2 Damgaard, Jurik; 2001Integers modulo N s N th residues mod N s+1 Boneh, Goh, Nissim; 2005Group over elliptic curveDecision Diffie-Hellman Different approaches Some are much better understood than others Question: Unified view on security and design of theses schemes? Homomorphic Encryption Schemes (Overview)

13 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 13 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

14 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 14 Recall: “Homomorphic = allows for operations on encrypted data” Can mean different things, depending on the application. E.g.,  Addition/Multiplication of integers (i.e., algebraic operations)  Evaluating certain circuits  Operation on character strings, e.g., removing/inserting Here: We concentrate on homomorphic encryption in the algebraic sense A Large Class of Homomorphic Encryption

15 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 15 Plaintext space Ciphertext space Encryption E Decryption D Classical Encryption Scheme

16 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 16 Plaintext space Ciphertext space Encryption E Decryption D Groups Group homomorphism, i.e. D(c op* c’)=D(c) op D(c’) Our Class of Homomorphic Encryption

17 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 17 Reminder: Group A group (in mathematical sense) is a set G together with a binary operation ∘ :G×G ➝ G such that Example: Rational numbers without zero Neutral element: 1 Inverse element: x-1 Group AxiomProperty Closure For all g,g‘ ∈ G: g ∘ g‘ ∈ G Associativity For all g,g‘,g’’ ∈ G: (g ∘ g’) ∘ g’’ = g ∘ (g’ ∘ g’’) Neutral element e ∘ g = g ∘ e = g Inverse element For all g ∈ G exists g‘ ∈ G such that g ∘ g’=g’ ∘ g= e

18 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 18 Proof of Security Assumption: Mathematical problem is is hard to solve Approach: Reduce security Mathematical Problem Crypto scheme Reduction: Goal: Prove security of scheme

19 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 19 Security Notions for Encryption Schemes IND-CCA2 IND-CCA1 IND-CPA (strongest)

20 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 20 Defining security: IND-CPA Setup Public param. C Time M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) Oracle Attacker Challenge Guess for b Attacker wins if he correctly guesses b

21 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 21 Security Notions for Encryption Schemes IND-CCA2 IND-CCA1 IND-CPA (strongest)

22 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 22 Defining security: IND-CCA1 Setup Decrypt Public param. cjcjcjcj mjmjmjmj C Time ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) OracleAttacker Challenge Guess for b Attacker wins if he correctly guesses b

23 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 23 Security Notions for Encryption Schemes IND-CCA2 IND-CCA1 IND-CPA (strongest)

24 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 24 Defining security: IND-CCA2 Setup Decrypt Public param. cjcjcjcj mjmjmjmj C Time ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) OracleAttacker Challenge Guess for b Attacker wins if he correctly guesses b ChooseCiphertext c j ≠ C mjmjmjmj Decrypt

25 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 25 Security Notions for Encryption Schemes IND-CCA2  No Homomorphic Encryption Scheme can be IND-CCA2 secure! (because is an encryption of 1 for some i) IND-CCA1 IND-CPA (strongest)

26 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 26 SchemeIND-CPA secure if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Security of Existing Schemes

27 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 27 SchemeIND-CPA secure if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP) Abstract problem: SOAP (splitting oracle assisted SMP) Our Result: Abstraction and Characterization

28 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 28 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Daamgard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP) Abstract problem: SOAP (splitting oracle assisted SMP) Our Result: Abstraction and Characterization

29 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 29 Application: Easy Confirmation of Known Results SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005??

30 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 30 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Application: Missing Characterizations

31 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 31 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Scheme 1K-Linear ProblemNew K-Problem Scheme 2Gonzales-Nieto et al.; 2005New Problem Application: New Schemes

32 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 32 SchemeIND-CPA Security ElGamal; 1985Decision Diffie-Hellman; 1998 Paillier; 1999N th residues mod N 2 ; 1999 Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 Boneh et al.; 2005Decision Diffie-Hellman; 2005 Scheme 1K-Linear Problem Scheme 2Gonzales-Nieto et al.; 2005 Ciphertext group has prime orderProblem instance always weak Ciphertext group is a vector space over a prime field (e.g. linear code) Problem instance always weak Application: Impossibility Results

33 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 33 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

34 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 34 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism Our Considered Class of Homomorphic Encryption Schemes (Reminder)

35 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 35 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism 1 Encr. of 1 C1C1 Encryptions of „1“ form a normal subgroup C 1 of the ciphertext space C Easy Observations I

36 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 36 Plaintexts Ciphertexts encryption decryption Groups Group homomorphism 1 C1C1 Set of encryptions of „m“ equals the coset m ⋅ C 1 m Encr. of m m⋅C1m⋅C1 Easy Observations II

37 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 37 Consequence c = encryp- tion of m c ∈ m∙C 1 c∙m -1 ∈ C 1 Therefore: Consequence: Recognizing encryptions of m m‘ m‘=m? Recognizing encryptions of 1 m‘ m‘=1?

38 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 38 Immediate IND-CPA Security Characterization Scheme is IND-CPA SECURE Subgroup membership problem (SMP) is hard w.r.t. C 1 C1C1 c∈C1?c∈C1? c∈C1?c∈C1? c

39 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 39 Application Plaintexts Ciphertext encryption decryption Let a homomorphic scheme be given Goal: IND-CPA security characterization 1.Identify subgroup C 1 (= encryptions of 1) C1C1 2.Formulate SMP wrt. to C 1

40 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 40 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999?? Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001?? Boneh et al.; 2005Decision Diffie-Hellman; 2005?? What about IND-CCA1? Application: Easy IND-CPA Security Characterization of Existing Schemes

41 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 41 Abstraction of Computational and Decisional Problems I (Simplified) finite group G subgroups N and R of G such that the map is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R). The Splitting Problem: compute σ(z) compute σ(z)

42 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 42 Abstraction of Computational and Decisional Problems II (Simplified) The Splitting and Subgroup Membership Problem: Example instance (Diffie-Hellman): be a cyclic group of prime order p for The Splitting Problem for is the Computational Diffie-Hellman Problem The corresponding SMP for is the Decisional Diffie-Hellman Problem

43 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 43 SOAP = Splitting Oracle-Assisted SMP SMP for (G,N) N z ∈ N? z Phase 1: LearningPhase 2: Challenge Splitting Oracle Setup(λ) Algorithm outputs: (G,N,R) G

44 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 44 IND-CCA1 Security Characterization Scheme is IND-CCA1 SECURE SOAP is hard w.r.t.. Setup Decrypt Public param. cjcjcjcj mjmjmjmj C ChooseCiphertext M 0,M 1 b ∈ R {0,1} C:= Encrypt(M b ) Challenge Guess for b

45 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 45 Application: IND-CCA1 Characterization of Existing Schemes SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓

46 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 46 Plaintexts Ciphertexts encryption decryption 1 C1C1 Encryption of m: Sample c 1 ∈ C 1 Output c := m∙c 1 Decryption of c: Determine c mod C 1 (w.r.t. a fixed system of representatives of C/C 1 ) m m⋅C1m⋅C1 Generic Scheme (Simplified)

47 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 47 Group G Plaintext Space encryption decryption N Given: SMP for group G and subgroup N Interpret G as ciphertext space and N as encryption of 1 Construct encryption/decryption as in the generic scheme Scheme is IND-CPA secure iff initial SMP is hard C1C1 Ciphertext Space Application: Design of New Schemes

48 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 48 SchemeIND-CPA secure if and only if the following problem is hard IND-CCA1 secure if and only if the following problem is hard ElGamal; 1985Decision Diffie-Hellman; 1998 [Lipmaa; 2010] Paillier; 1999N th residues mod N 2 ; 1999 ✓ Damgaard, Jurik; 2001N th residues mod N s+1 ; 2001 ✓ Boneh et al.; 2005Decision Diffie-Hellman; 2005 ✓ Scheme 1K-Linear ProblemNew K-Problem Scheme 2Gonzales-Nieto et al.; 2005New Problem Application: New Schemes

49 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 49 Plug into Generic Scheme New Homomorphic Scheme 1 (k-linear) The k-Linear Problem k-LP for Decisional problem that generalizes DDH (=1-LP) If (k+1)-LP is hard, then so is k-LP Properties in the Generic Group Model: k-LP is hard If k-LP is easy, then (k+1)-LP is still hard k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP k-SOAP provably behaves as k-LP in the generic group model K-SOAP might be of independent interest

50 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 50 New Homomorphic Scheme 1 (k-linear) This Generic Scheme instance yields the first homomorphic scheme that is IND-CPA secure if and only if k-LP is hard (for k>2) IND-CCA1 secure if and only if k-SOAP is hard

51 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 51 New Homomorphic Scheme 2 (Motivation) “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10] The existence of such homomorphic schemes is an open question! We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01] In particular, this yields a new IND-CCA2 scheme!

52 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 52 New Homomorphic Scheme 2 (Construction) n=q 0 q 1 RSA-modulus such that p := 2n+1 is prime Consider the cyclic subgroups G n, G q0 and G q1 whose orders correspond to the divisors n, q 0 and q 1 of p-1, respectively Compute generators g 0 and g 1 of G q0 and G q1, respectively Then g 0 g 1 is a generator of G n Plug the Splitting Problem for (G n, G q1, G q0 ) into Generic Scheme Since G n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!

53 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 53 Application: Impossibility Results Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA! Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (this partly answers an open question whether using linear codes as ciphertext spaces yield more efficient constructions)

54 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 54 Outline 1.Introduction/Motivation 2.Our Results 3.Technical Details 4.Conclusion

55 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 55 Summary Considered the class of algebraic homomorphic encryption schemes Presented a generic framework for such schemes Allows for an easy security characterization both in terms of IND-CPA and IND- CCA1 security Supports construction of new schemes (starting from the problem) Allows for certain impossibility results (code-based) Constructed two new schemes with special properties (k-linear, cyclic) Thereby constructing a new IND-CCA2 scheme

56 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 56 Most Recent Results and Future Work (Fully Homomorphic Encryption) Extension of IND-CPA characterization to Gentry‘s „blueprint“ for constructing fully homomorphic encryption schemes (encompasses all currently known schemes) o What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, does only exist in the Random Oracle Model. o Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!

57 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 57 Open question: extension Plaintexts Ciphertext encryption decryption Rings Ring homomorphism 1 C1C1 Extension to rings (would allow for addition and multiplication) Ideal

58 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 58 Open question: relaxation Plaintexts Ciphertext encryption decryption “Almost” groups Decryption with error 1 C1C1 Goal: Cover other homomorphic schemes as well, e.g., lattice based

59 18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 59 Thank you!

Download ppt "18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser."

Similar presentations

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.

Attacking Cryptographic Schemes Based on Perturbation Polynomials Martin Albrecht (Royal Holloway), Craig Gentry (IBM), Shai Halevi (IBM), Jonathan Katz.
On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.

On the Amortized Complexity of Zero-Knowledge Proofs Ronald Cramer, CWI Ivan Damgård, Århus University.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”

Chapter 4 Finite Fields. Introduction of increasing importance in cryptography –AES, Elliptic Curve, IDEA, Public Key concern operations on “numbers”
18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser.

| Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1, Andreas Peter 2 and Stefan Katzenbeisser.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.

Kurosawa, Takagi, ”Some RSA-based Encryption Schemes with Tight Security Reduction” Asiacrypt 2003, November 30 - December 4, Taipei, Taiwan Some RSA-based.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
7. Asymmetric encryption-

7. Asymmetric encryption-
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp. 223-238, 1999. By Pascal Paillier Efficient.

Public-Key Cryptosystems Based on Composite Degree Residuosity Classes Presenter: 陳國璋 EUROCRYPT'99, LNCS 1592, pp , By Pascal Paillier Efficient.
Identity Based Encryption

Identity Based Encryption
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date : 2008-06-03.

1 Identity-Based Encryption form the Weil Pairing Author : Dan Boneh Matthew Franklin Presentered by Chia Jui Hsu Date :
CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 5 Jonathan Katz.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent

Similar presentations

Ads by Google