18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | Frederik Armknecht, Andreas Peter and Stefan Katzenbeisser

Presentation transcript:

Slide 1: A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP
Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2)
(1) Universität Mannheim, Germany; (2) Technische Universität Darmstadt, Germany
ISG Research Seminar, Royal Holloway, University of London

Slide 2: Outline
1. Introduction/Motivation
2. Our Results
3. Technical Details
4. Conclusion

Slide 3: Outline, section 1: Introduction/Motivation

Slide 4: Encryption and Decryption
[Diagram: plaintext, encryption under the encryption key, ciphertext, decryption under the decryption key]
Common goal of encryption: conceal data as much as possible.
Goal of homomorphic encryption: "conceal as little as possible", i.e. keep the data hidden but still let certain operations act on it.

Slide 5: Motivation 1: Outsourcing of Data
[Diagram: a client stores data on a server; the server performs some computation on its stored data]
What if the server itself is corrupted?
2001: Heartland Information Services
2003: University of California at San Francisco
2005: Private data from 50 million Americans stolen

Slide 6: Security
Access control on the server. But what if the server itself is corrupted? (The same three incidents as on slide 5.)

Slide 7: Possible Solution
Store the data encrypted.
On request, the computation is done on the encrypted data.
The encrypted result is given back.

Slide 8: Homomorphic Encryption (Informal)
Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt.
[Diagram: an operation op on plaintexts corresponds to an operation op* on ciphertexts]

Slide 9: Example Application: Electronic Voting
[Diagram: encrypted ballots are combined with the ciphertext operation ⊞ to obtain an encrypted tally]

Slide 10: Other Applications
Private Information Retrieval
Multiparty Computation
Oblivious Polynomial Evaluation
...

Slide 11: Example Scheme: RSA (1978)
Parameters: N = p·q with p, q large primes
Plaintext space: Z_N = {0, ..., N-1} (integers modulo N)
Ciphertext space: Z_N
Encryption key: e with gcd(e, (p-1)(q-1)) = 1
Decryption key: d with e·d ≡ 1 (mod (p-1)(q-1))
Encryption of m: c := m^e mod N
Decryption of c: c^d mod N = m
Homomorphism: Enc(m)·Enc(m') = m^e·m'^e = (m·m')^e = Enc(m·m') (mod N), i.e. multiplying two ciphertexts multiplies the underlying plaintexts.

Slide 12: Homomorphic Encryption Schemes (Overview)
Scheme | Plaintext space | Security related to
RSA; 1978 | Integers modulo N = p·q | Factorization
Goldwasser, Micali | Bit | Quadratic residues mod N
Benaloh; 1985 | Integers modulo R s.t. ... | R-th residues mod N
ElGamal; 1985 | Cyclic group G | Decision Diffie-Hellman in G
Paillier; 1999 | Integers modulo N | N-th residues mod N^2
Damgård, Jurik; 2001 | Integers modulo N^s | N-th residues mod N^(s+1)
Boneh, Goh, Nissim; 2005 | Group over an elliptic curve | Decision Diffie-Hellman
Different approaches; some are much better understood than others.
Question: is there a unified view on the security and the design of these schemes?

Slide 13: Outline, section 2: Our Results

Slide 14: A Large Class of Homomorphic Encryption
Recall: "homomorphic = allows for operations on encrypted data". This can mean different things, depending on the application, e.g.:
addition/multiplication of integers (i.e. algebraic operations);
evaluating certain circuits;
operations on character strings, e.g. removing/inserting characters.
Here we concentrate on homomorphic encryption in the algebraic sense.

Slide 15: Classical Encryption Scheme
[Diagram: plaintext space and ciphertext space; encryption E maps plaintexts to ciphertexts, decryption D maps ciphertexts back to plaintexts]

Slide 16: Our Class of Homomorphic Encryption
Same picture, but the plaintext space and the ciphertext space are groups and decryption D is a group homomorphism, i.e. D(c op* c') = D(c) op D(c').

Slide 17: Reminder: Group
A group (in the mathematical sense) is a set G together with a binary operation ∘: G × G → G such that:
Closure: for all g, g' ∈ G: g ∘ g' ∈ G
Associativity: for all g, g', g'' ∈ G: (g ∘ g') ∘ g'' = g ∘ (g' ∘ g'')
Neutral element: there is an e ∈ G with e ∘ g = g ∘ e = g for all g ∈ G
Inverse element: for all g ∈ G there exists g' ∈ G such that g ∘ g' = g' ∘ g = e
Example: the rational numbers without zero, under multiplication; neutral element 1, inverse element of x is x^(-1).

Slide 18: Proof of Security
Goal: prove the security of the scheme.
Assumption: some mathematical problem is hard to solve.
Approach: reduce security to that problem, i.e. give a reduction that turns any successful attacker on the crypto scheme into a solver for the mathematical problem.

Slide 19: Security Notions for Encryption Schemes
IND-CCA2 (strongest) implies IND-CCA1, which implies IND-CPA.

Slide 20: Defining security: IND-CPA
Setup: the oracle publishes the public parameters.
Challenge: the attacker chooses two messages M_0, M_1; the oracle picks b ∈_R {0,1} and returns C := Encrypt(M_b).
Guess: the attacker outputs a guess for b and wins if the guess is correct.

Slide 21: Security Notions for Encryption Schemes (repeat of slide 19)

Slide 22: Defining security: IND-CCA1
Setup: the oracle publishes the public parameters.
Phase 1 (before the challenge): the attacker chooses ciphertexts c_j and the oracle returns their decryptions m_j.
Challenge: the attacker chooses M_0, M_1; the oracle picks b ∈_R {0,1} and returns C := Encrypt(M_b).
Guess: the attacker outputs a guess for b and wins if the guess is correct. No decryption queries are allowed after the challenge.

Slide 23: Security Notions for Encryption Schemes (repeat of slide 19)

Slide 24: Defining security: IND-CCA2
As IND-CCA1, but the attacker may continue to ask for decryptions after receiving the challenge: any chosen ciphertext c_j ≠ C is decrypted to m_j.

Slide 25: Security Notions for Encryption Schemes
IND-CCA2: no homomorphic encryption scheme can be IND-CCA2 secure! Reason: the attacker takes a fresh encryption c_1 of the neutral element 1 and asks for the decryption of C op* c_1 ≠ C; this query is allowed and returns M_b. IND-CCA1 is therefore the strongest of the three notions a homomorphic scheme can achieve.
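The multiplicative homomorphism of slide 11 and the IND-CCA2 break of slide 25, played out in code. This is an added example and not code from the slides or the authors; the primes 61 and 53, the exponent 17 and the messages 42 and 1337 are constructed toy values. Textbook RSA stands in for the randomised schemes of the talk: since RSA is deterministic, Enc(1) = 1 would hand back the challenge itself, so the related ciphertext is built from Enc(2) instead and the factor 2 is divided out after decryption.

```python
# Added example, not from the slides: textbook RSA (slide 11) as a
# multiplicatively homomorphic scheme, and the generic IND-CCA2 break of
# slide 25 played out against it. All parameters are tiny, constructed values.
import secrets
from math import gcd


def keygen(p: int, q: int, e: int = 17):
    """Textbook RSA from two given primes; returns (public key, secret key)."""
    n = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    d = pow(e, -1, phi)                      # e*d = 1 mod (p-1)(q-1)
    return (n, e), (n, d)


def encrypt(pk, m: int) -> int:
    n, e = pk
    return pow(m, e, n)


def decrypt(sk, c: int) -> int:
    n, d = sk
    return pow(c, d, n)


def ciphertext_op(pk, c1: int, c2: int) -> int:
    """The operation op* on ciphertexts: multiplication mod N."""
    return (c1 * c2) % pk[0]


def is_multiplicatively_homomorphic(pk, sk, m1: int, m2: int) -> bool:
    """Checks D(c op* c') = D(c) op D(c'): Enc(m1)*Enc(m2) decrypts to m1*m2."""
    c = ciphertext_op(pk, encrypt(pk, m1), encrypt(pk, m2))
    return decrypt(sk, c) == (m1 * m2) % pk[0]


class CCA2Game:
    """IND-CCA2 experiment of slide 24: the attacker may decrypt any
    ciphertext except the challenge C itself, also after seeing C."""

    def __init__(self, p: int, q: int):
        self.pk, self.sk = keygen(p, q)
        self.b = None
        self.challenge = None

    def challenge_for(self, m0: int, m1: int) -> int:
        self.b = secrets.randbelow(2)
        self.challenge = encrypt(self.pk, (m0, m1)[self.b])
        return self.challenge

    def decrypt_query(self, c: int) -> int:
        if c == self.challenge:
            raise ValueError("the challenge ciphertext may not be queried")
        return decrypt(self.sk, c)


def malleability_attack(game: CCA2Game, m0: int, m1: int) -> int:
    """Slide 25's argument: turn the challenge into a *different* ciphertext
    of a related plaintext, have the oracle decrypt that, undo the relation.
    A randomised scheme would use a fresh encryption of 1; textbook RSA is
    deterministic (Enc(1) = 1 gives C back), so multiply by Enc(r), r != 1."""
    n, _ = game.pk
    c = game.challenge_for(m0, m1)
    r = 2
    c_related = ciphertext_op(game.pk, c, encrypt(game.pk, r))   # = Enc(M_b * r)
    assert c_related != c                                          # legal oracle query
    m_b = (game.decrypt_query(c_related) * pow(r, -1, n)) % n
    return 0 if m_b == m0 % n else 1


def attack_succeeds(m0: int = 42, m1: int = 1337, p: int = 61, q: int = 53) -> bool:
    """Runs one IND-CCA2 experiment; the attacker's guess always matches b."""
    game = CCA2Game(p, q)
    return malleability_attack(game, m0, m1) == game.b


def cpa_break_by_reencryption(pk, challenge: int, m0: int, m1: int) -> int:
    """Textbook RSA is deterministic, so it is not even IND-CPA secure:
    re-encrypting M_0 reveals b without any oracle at all."""
    return 0 if encrypt(pk, m0) == challenge else 1


if __name__ == "__main__":
    pk, sk = keygen(61, 53)
    print("homomorphic:", is_multiplicatively_homomorphic(pk, sk, 7, 11))
    print("CCA2 attack succeeds:", all(attack_succeeds() for _ in range(20)))
```

The oracle's only defence, refusing the literal challenge ciphertext, is exactly what the homomorphism lets the attacker sidestep; that is why the rest of the talk targets IND-CCA1, where the decryption oracle is closed before the challenge is issued.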

Slide 26: Security of Existing Schemes
Scheme | IND-CPA secure if the following problem is hard | IND-CCA1 secure if the following problem is hard
ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010]
Paillier; 1999 | N-th residues mod N^2; 1999 | ??
Damgård, Jurik; 2001 | N-th residues mod N^(s+1); 2001 | ??
Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ??

Slide 27: Our Result: Abstraction and Characterization
The table of slide 26 with an additional row:
Abstract scheme | Abstract problem: SMP (subgroup membership problem) | Abstract problem: SOAP (splitting-oracle-assisted SMP)

Slide 28: Our Result: Abstraction and Characterization
The same table, now with both column headers reading "... secure if and only if the following problem is hard": the abstract problems characterize the two security notions exactly.

Slide 29: Application: Easy Confirmation of Known Results
The known entries of the table of slide 26 (the IND-CPA column and the ElGamal/[Lipmaa; 2010] entry) are recovered as "if and only if" statements; the IND-CCA1 entries for Paillier, Damgård-Jurik and Boneh et al. are still open (??).

Slide 30: Application: Missing Characterizations
The three open IND-CCA1 entries (Paillier; Damgård, Jurik; Boneh et al.) are now filled in (✓): each scheme is IND-CCA1 secure if and only if the corresponding SOAP instance is hard.

Slide 31: Application: New Schemes
Two further rows are added to the table:
Scheme 1 | k-Linear Problem | new k-problem
Scheme 2 | Gonzalez-Nieto et al.; 2005 | new problem

Slide 32: Application: Impossibility Results
Table of IND-CPA problems as on slide 31 (ElGamal: DDH; Paillier: N-th residues mod N^2; Damgård, Jurik: N-th residues mod N^(s+1); Boneh et al.: DDH; Scheme 1: k-Linear Problem; Scheme 2: Gonzalez-Nieto et al.; 2005), plus two structural observations:
Ciphertext group has prime order: problem instance always weak.
Ciphertext group is a vector space over a prime field (e.g. a linear code): problem instance always weak.

Slide 33: Outline, section 3: Technical Details

Slide 34: Our Considered Class of Homomorphic Encryption Schemes (Reminder)
Plaintexts and ciphertexts form groups; decryption is a group homomorphism.

Slide 35: Easy Observations I
The encryptions of "1" (the neutral element of the plaintext group) form a normal subgroup C_1 of the ciphertext group C: C_1 is the kernel of the decryption homomorphism.

Slide 36: Easy Observations II
The set of encryptions of m equals the coset m·C_1 (with m identified with any one of its encryptions).

Slide 37: Consequence
c is an encryption of m ⟺ c ∈ m·C_1 ⟺ c·m^(-1) ∈ C_1.
Therefore: recognizing encryptions of m (given c, does it encrypt m?) is equivalent to recognizing encryptions of 1 (given c, is c ∈ C_1?).

Slide 38: Immediate IND-CPA Security Characterization
The scheme is IND-CPA secure ⟺ the subgroup membership problem (SMP) w.r.t. C_1 is hard: given c ∈ C, decide whether c ∈ C_1.

Slide 39: Application
Let a homomorphic scheme be given. Goal: IND-CPA security characterization.
1. Identify the subgroup C_1 (= encryptions of 1).
2. Formulate the SMP w.r.t. C_1.

Slide 40: Application: Easy IND-CPA Security Characterization of Existing Schemes
Table of slide 26 with the IND-CPA column now reading "if and only if"; the IND-CCA1 column still reads "if", with ?? for Paillier, Damgård-Jurik and Boneh et al. What about IND-CCA1?

Slide 41: Abstraction of Computational and Decisional Problems I (Simplified)
Given: a finite group G and subgroups N and R of G such that the map from N × R to G is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G, N, R).
The Splitting Problem: given z ∈ G, compute σ(z).

Slide 42: Abstraction of Computational and Decisional Problems II (Simplified)
The Splitting Problem and the Subgroup Membership Problem, example instance (Diffie-Hellman): let ⟨g⟩ be a cyclic group of prime order p. For the corresponding triple (G, N, R), the Splitting Problem is the Computational Diffie-Hellman problem and the corresponding SMP is the Decisional Diffie-Hellman problem.

Slide 43: SOAP = Splitting-Oracle-Assisted SMP
Setup(λ): the algorithm outputs (G, N, R).
Phase 1 (learning): the attacker may query a splitting oracle for (G, N, R), i.e. obtain σ(z) for chosen z ∈ G.
Phase 2 (challenge): the SMP for (G, N): given z ∈ G, decide whether z ∈ N, now without the oracle.

Slide 44: IND-CCA1 Security Characterization
The scheme is IND-CCA1 secure ⟺ SOAP is hard w.r.t. the ciphertext group C, its subgroup C_1 and the chosen system of representatives.
[Diagram: the IND-CCA1 game of slide 22; the decryption oracle of phase 1 plays the role of the splitting oracle and the challenge ciphertext plays the role of the SMP instance]

Slide 45: Application: IND-CCA1 Characterization of Existing Schemes
Table of slide 26 with both columns reading "if and only if" and the three open IND-CCA1 entries filled in (✓).

Slide 46: Generic Scheme (Simplified)
Encryption of m: sample c_1 ∈ C_1 and output c := m·c_1.
Decryption of c: determine c mod C_1 (w.r.t. a fixed system of representatives of C/C_1).
[Diagram: the coset m·C_1 inside the ciphertext group]

Slide 47: Application: Design of New Schemes
Given: an SMP for a group G and a subgroup N.
Interpret G as the ciphertext space and N as the encryptions of 1 (C_1 := N); the plaintext space is G/N.
Construct encryption/decryption as in the generic scheme.
The scheme is IND-CPA secure iff the initial SMP is hard.

Slide 48: Application: New Schemes
Table as on slide 31: the four existing schemes with ✓ in the IND-CCA1 column, plus Scheme 1 (k-Linear Problem / new k-problem) and Scheme 2 (Gonzalez-Nieto et al.; 2005 / new problem).

Slide 49: New Homomorphic Scheme 1 (k-linear)
The k-Linear Problem k-LP: a decisional problem that generalizes DDH (= 1-LP); if k-LP is hard, then so is (k+1)-LP.
Properties in the generic group model: k-LP is hard, and (k+1)-LP stays hard even if k-LP is easy.
Plug k-LP into the Generic Scheme.
k-SOAP, a new k-problem: the SOAP instance that corresponds to k-LP. k-SOAP provably behaves like k-LP in the generic group model and might be of independent interest.

Slide 50: New Homomorphic Scheme 1 (k-linear)
This instance of the Generic Scheme yields the first homomorphic scheme that is IND-CPA secure if and only if k-LP is hard (for k > 2), and IND-CCA1 secure if and only if k-SOAP is hard.

Slide 51: New Homomorphic Scheme 2 (Motivation)
"If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes" [HO10].
Whether such homomorphic schemes exist is an open question!
We construct such a scheme; its IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD scheme [GBD01].
In particular, this yields a new IND-CCA2 secure scheme!

Slide 52: New Homomorphic Scheme 2 (Construction)
Let n = q_0·q_1 be an RSA modulus such that p := 2n + 1 is prime.
Consider the cyclic subgroups G_n, G_{q_0} and G_{q_1} of Z_p^* whose orders are the divisors n, q_0 and q_1 of p - 1, respectively.
Compute generators g_0 and g_1 of G_{q_0} and G_{q_1}, respectively; then g_0·g_1 is a generator of G_n.
Plug the Splitting Problem for (G_n, G_{q_1}, G_{q_0}) into the Generic Scheme.
Since G_n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
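The generic scheme of slides 46 and 47, instantiated with the cyclic construction of slide 52, as an added example that is not the authors' code. The parameter choice q_0 = 13, q_1 = 17 (so p = 443), the names PublicKey, SecretKey and split, and the toy discrete-log decoder are my own; the map N × R → G of slide 41 is taken to be multiplication in Z_p^*, which is the assumption behind the splitting formulas below, and the factorisation n = q_0·q_1 serves as the trapdoor that computes σ.

```python
# Added example, not from the slides: a toy instance of the "Generic Scheme"
# of slides 46/47 with the cyclic ciphertext group of slide 52.
#   G = G_n (order n = q0*q1 in Z_p^*, p = 2n+1 prime)
#   N = G_{q1}: the encryptions of 1 (the subgroup C_1)
#   R = G_{q0}: a fixed system of representatives of G/N, used as plaintexts
# The trapdoor is the factorisation n = q0*q1, which computes the splitting
# map sigma. Parameters are tiny, constructed values; a real instance needs
# an RSA-sized n. All names below are mine, not the authors'.
import secrets
from dataclasses import dataclass


def is_prime(x: int) -> bool:
    """Trial division, adequate for the toy sizes used here."""
    if x < 2:
        return False
    d = 2
    while d * d <= x:
        if x % d == 0:
            return False
        d += 1
    return True


@dataclass(frozen=True)
class PublicKey:
    p: int   # prime with p - 1 = 2 * q0 * q1
    n: int   # q0 * q1; its factorisation is the secret key
    g0: int  # generator of R = G_{q0}
    g1: int  # generator of N = G_{q1}


@dataclass(frozen=True)
class SecretKey:
    q0: int
    q1: int


def keygen(q0: int, q1: int):
    """p = 2*q0*q1 + 1 must be prime; x^((p-1)/q) is either 1 or of order q."""
    if not (is_prime(q0) and is_prime(q1) and q0 != q1):
        raise ValueError("q0, q1 must be distinct primes")
    n = q0 * q1
    p = 2 * n + 1
    if not is_prime(p):
        raise ValueError("2*q0*q1 + 1 is not prime; pick other q0, q1")

    def generator_of_order(q: int) -> int:
        while True:
            g = pow(2 + secrets.randbelow(p - 3), (p - 1) // q, p)
            if g != 1:
                return g

    return PublicKey(p, n, generator_of_order(q0), generator_of_order(q1)), SecretKey(q0, q1)


def encode(pk: PublicKey, m: int) -> int:
    """Plaintext m -> representative g0^m in R (exponent implicitly mod q0)."""
    return pow(pk.g0, m, pk.p)


def decode(pk: PublicKey, r: int) -> int:
    """Toy-only inverse of encode by exhaustive search."""
    for t in range(pk.n):
        if pow(pk.g0, t, pk.p) == r:
            return t
    raise ValueError("not a plaintext representative")


def encrypt(pk: PublicKey, r: int) -> int:
    """Generic scheme: sample c1 in N (an encryption of 1) and output r * c1.
    Exponents mod the public n suffice because g1^n = 1."""
    c1 = pow(pk.g1, secrets.randbelow(pk.n), pk.p)
    return (r * c1) % pk.p


def split(sk: SecretKey, pk: PublicKey, z: int):
    """Splitting map sigma(z) = (c1, r) with z = r * c1, c1 in N, r in R.
    z^q1 kills the N-part and z^q0 the R-part; the leftover exponent is undone
    modulo the other prime. This is what the phase-1 decryption oracle of the
    IND-CCA1 game computes for the attacker (slide 44)."""
    r = pow(pow(z, sk.q1, pk.p), pow(sk.q1, -1, sk.q0), pk.p)
    c1 = pow(pow(z, sk.q0, pk.p), pow(sk.q0, -1, sk.q1), pk.p)
    return c1, r


def decrypt(sk: SecretKey, pk: PublicKey, c: int) -> int:
    """Generic scheme: the representative in R of the coset c * N."""
    return split(sk, pk, c)[1]


def ciphertext_op(pk: PublicKey, c: int, c2: int) -> int:
    return (c * c2) % pk.p


def in_ciphertext_group(pk: PublicKey, z: int) -> bool:
    """Public check z in G_n; reject anything else before it reaches decryption."""
    return 0 < z < pk.p and pow(z, pk.n, pk.p) == 1


def is_encryption_of_one(sk: SecretKey, pk: PublicKey, z: int) -> bool:
    """The SMP for (G, N), solved with the trapdoor: z in N iff z^q1 = 1."""
    return pow(z, sk.q1, pk.p) == 1


def gn_is_cyclic_generated_by(pk: PublicKey, sk: SecretKey) -> bool:
    """Slide 52: g0*g1 generates G_n (order n, since q0 and q1 are coprime)."""
    g = (pk.g0 * pk.g1) % pk.p
    return pow(g, pk.n, pk.p) == 1 and pow(g, sk.q0, pk.p) != 1 and pow(g, sk.q1, pk.p) != 1


def demo(q0: int = 13, q1: int = 17) -> dict:
    pk, sk = keygen(q0, q1)
    r1, r2 = encode(pk, 5), encode(pk, 9)
    c1, c2 = encrypt(pk, r1), encrypt(pk, r2)
    return {
        "round_trip": decode(pk, decrypt(sk, pk, c1)) == 5,
        "homomorphic": decrypt(sk, pk, ciphertext_op(pk, c1, c2)) == (r1 * r2) % pk.p,
        "enc_of_1_in_N": is_encryption_of_one(sk, pk, encrypt(pk, 1)),
        "in_group": in_ciphertext_group(pk, c1) and not in_ciphertext_group(pk, pk.p - 1),
        "cyclic": gn_is_cyclic_generated_by(pk, sk),
    }
```

Without q_0 and q_1 the public information is p, n, g_0 and g_1 only, so an outsider can test membership in G_n but has no way to compute σ; with them, decryption is two exponentiations. The in_ciphertext_group check is the input validation a decryption oracle should perform, since the splitting formulas are only meaningful on elements of G_n.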

Slide 53: Application: Impossibility Results
Any algebraic homomorphic scheme with a prime-order ciphertext group is insecure in terms of IND-CPA! (A prime-order group has only the trivial subgroups, so the SMP for C_1 is trivially easy.)
Any algebraic homomorphic scheme whose ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (Membership in a subspace is decided by linear algebra.) This partly answers the open question whether using linear codes as ciphertext spaces yields more efficient constructions.

Slide 54: Outline, section 4: Conclusion

Slide 55: Summary
We considered the class of algebraic homomorphic encryption schemes and presented a generic framework for such schemes. It
allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security;
supports the construction of new schemes (starting from the problem);
allows for certain impossibility results (code-based);
was used to construct two new schemes with special properties (k-linear, cyclic), thereby yielding a new IND-CCA2 secure scheme.

Slide 56: Most Recent Results and Future Work (Fully Homomorphic Encryption)
Extension of the IND-CPA characterization to Gentry's "blueprint" for constructing fully homomorphic encryption schemes (encompasses all currently known schemes).
What are the consequences for existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong.
To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, only exists in the Random Oracle Model.
Open: extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model, if that is possible at all!

Slide 57: Open question: extension
Extension to rings (would allow for addition and multiplication): plaintexts and ciphertexts are rings and decryption is a ring homomorphism; the role of the subgroup C_1 is then played by an ideal, the kernel of the ring homomorphism.

Slide 58: Open question: relaxation
"Almost" groups and decryption with error. Goal: cover other homomorphic schemes as well, e.g. lattice-based ones.

Slide 59: Thank you!