
A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP. Frederik Armknecht 1 , Andreas Peter 2 and Stefan Katzenbeisser 2. ISG Research Seminar Royal Holloway University of London 20.01.2011. 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany.


Presentation Transcript


  1. A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP. Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2). ISG Research Seminar, Royal Holloway University of London, 20.01.2011. (1) Universität Mannheim, Germany; (2) Technische Universität Darmstadt, Germany

  2. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  3. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  4. Motivation 1: Outsourcing of Data • Server performs some computation on its stored data • What if the server itself is corrupted? • 2001: Heartland Information Services • 2003: University of California at San Francisco • 2005: Private data from 50 million Americans stolen

  5. Possible Solution • Store data encrypted • On request, computation is done on encrypted data • Encrypted result is given back

  6. Homomorphic Encryption (Informal) • Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt: an operation op on plaintexts is carried out as a corresponding operation op* on ciphertexts

  7. Example Application: Electronic Voting (encrypted votes are combined by homomorphic addition)

  8. Other Applications • Private Information Retrieval • Multiparty Computation • Oblivious Polynomial Evaluation • ...

  9. Example Scheme: RSA (1978) • Parameters: N = p ∙ q with p, q large primes (approx. 1000 bits) • Plaintext space: ZN (= {0,…,N-1} modulo N) • Ciphertext space: ZN (= {0,…,N-1} modulo N) • Encryption key: e ∈ ZN with gcd(e, (p-1)(q-1)) = 1 • Decryption key: d ∈ ZN with e ∙ d mod ((p-1)∙(q-1)) = 1 • Encryption of m: c := m^e mod N • Decryption of c: c^d mod N = m • Homomorphism: Enc(m) ∙ Enc(m‘) = m^e ∙ m‘^e = (m ∙ m‘)^e = Enc(m ∙ m‘) mod N
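As an added worked example (not from the slides), the RSA homomorphism of slide 9 with toy parameters, together with the check a practitioner wants next to it: textbook RSA is deterministic, so it is multiplicatively homomorphic but trivially fails the IND-CPA game of slide 16, since the attacker can simply re-encrypt both candidate plaintexts and compare. The primes 61 and 53 and the exponent 17 are constructed toy values, far too small for real use.

```python
# Added example: textbook RSA as a multiplicatively homomorphic scheme.
# Toy parameters (constructed): p = 61, q = 53, e = 17. Never use such sizes.
from math import gcd


def keygen(p: int, q: int, e: int = 17) -> tuple[tuple[int, int], tuple[int, int]]:
    """Return ((N, e), (N, d)) with e*d = 1 mod (p-1)(q-1)."""
    N = p * q
    phi = (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be invertible modulo (p-1)(q-1)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (N, e), (N, d)


def encrypt(pk: tuple[int, int], m: int) -> int:
    N, e = pk
    return pow(m, e, N)


def decrypt(sk: tuple[int, int], c: int) -> int:
    N, d = sk
    return pow(c, d, N)


def homomorphism_holds(pk, sk, m1: int, m2: int) -> bool:
    """Enc(m1) * Enc(m2) mod N decrypts to m1 * m2 mod N (slide 9)."""
    N = pk[0]
    c_prod = (encrypt(pk, m1) * encrypt(pk, m2)) % N
    return decrypt(sk, c_prod) == (m1 * m2) % N


def ind_cpa_distinguisher(pk, challenge: int, m0: int, m1: int) -> int:
    """IND-CPA attacker (slide 16) against deterministic RSA: encryption has no
    randomness, so re-encrypting M0 and comparing with the challenge recovers b
    with probability 1. Returns the guessed bit."""
    return 0 if encrypt(pk, m0) == challenge else 1


if __name__ == "__main__":
    pk, sk = keygen(61, 53, 17)
    print("N =", pk[0], "d =", sk[1])
    print("homomorphism:", homomorphism_holds(pk, sk, 65, 123))
    c = encrypt(pk, 123)
    print("IND-CPA guess for Enc(123) among (65, 123):", ind_cpa_distinguisher(pk, c, 65, 123))
```

The homomorphism is exactly why the scheme is interesting for outsourced computation, and the determinism is exactly why textbook RSA never appears in the IND-CPA characterisation later in the talk: the subgroup of encryptions of 1 is trivial, so membership in it is decided by comparing with 1.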

  10. Homomorphic Encryption Schemes (Overview) • Different approaches • Some are much better understood than others • Question: Is there a unified view on the security and design of these schemes?

  11. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  12. A Large Class of Homomorphic Encryption • Recall: “Homomorphic = allows for operations on encrypted data” • Can mean different things, depending on the application. E.g., • Addition/Multiplication of integers (i.e., algebraic operations) • Evaluating certain circuits • Operation on character strings, e.g., removing/inserting • Here: We concentrate on homomorphic encryption in the algebraic sense

  13. Classical Encryption Scheme • Plaintext space and ciphertext space • Encryption E and decryption D

  14. Our Class of Homomorphic Encryption • Plaintext space and ciphertext space are groups • Decryption D is a group homomorphism, i.e. D(c op* c’) = D(c) op D(c’)

  15. Security Notions for Encryption Schemes • IND-CCA2 (strongest) • IND-CCA1 • IND-CPA

  16. Defining security: IND-CPA • Setup: the attacker receives the public parameters • Challenge: the attacker chooses M0, M1; the oracle picks b ∈R {0,1} and returns C := Encrypt(Mb) • The attacker outputs a guess for b • Attacker wins if he correctly guesses b

  17. Security Notions for Encryption Schemes • IND-CCA2 (strongest) • IND-CCA1 • IND-CPA

  18. Defining security: IND-CCA1 • Setup: the attacker receives the public parameters • Learning phase (before the challenge only): the attacker chooses ciphertexts cj and the oracle returns their decryptions mj • Challenge: the attacker chooses M0, M1; the oracle picks b ∈R {0,1} and returns C := Encrypt(Mb) • The attacker outputs a guess for b • Attacker wins if he correctly guesses b

  19. Security Notions for Encryption Schemes • IND-CCA2 (strongest) • IND-CCA1 • IND-CPA

  20. Defining security: IND-CCA2 • Setup: the attacker receives the public parameters • Before the challenge: the attacker chooses ciphertexts cj and the oracle returns their decryptions mj • Challenge: the attacker chooses M0, M1; the oracle picks b ∈R {0,1} and returns C := Encrypt(Mb) • After the challenge: the attacker may keep querying decryptions mj of ciphertexts cj ≠ C • The attacker outputs a guess for b • Attacker wins if he correctly guesses b

  21. Security Notions for Encryption Schemes • IND-CCA2 (strongest) • No homomorphic encryption scheme can be IND-CCA2 secure! (the attacker combines the challenge C with a fresh encryption of 1 under op*, obtaining a ciphertext different from C that still decrypts to Mb, and asks the oracle to decrypt it) • IND-CCA1 • IND-CPA

  22. Security of ExistingSchemes

  23. OurResult: Abstraction and Characterization Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP)

  24. OurResult: Abstraction and Characterization Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP)

  25. Application: Easy Confirmation of KnownResults

  26. Application: Missing Characterizations

  27. Application: New Schemes

  28. Application: ImpossibilityResults

  29. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  30. Our Considered Class of Homomorphic Encryption Schemes (Reminder) • Plaintexts and ciphertexts form groups • Decryption is a group homomorphism from the ciphertext group to the plaintext group

  31. Easy Observations I • Encryptions of „1“ form a normal subgroup C1 of the ciphertext space C (C1 is the kernel of the decryption homomorphism)

  32. Easy Observations II • The set of encryptions of „m“ equals the coset m⋅C1

  33. Consequence • c is an encryption of m ⟺ c ∈ m∙C1 ⟺ c∙m⁻¹ ∈ C1 • Consequence: recognizing encryptions of m (is m‘ = m?) is equivalent to recognizing encryptions of 1 (is m‘ = 1?)

  34. Immediate IND-CPA Security Characterization • Scheme is IND-CPA secure ⟺ the subgroup membership problem (SMP) w.r.t. C1 is hard (given c ∈ C, decide whether c ∈ C1)

  35. Application: Easy IND-CPA Security Characterization of Existing Schemes • What about IND-CCA1?

  36. Abstraction of Computational and Decisional Problems I (Simplified) The Splitting Problem: • finite group G • subgroups N and R of G such that the map is a group isomorphism; its inverse is denoted by σ and is called the splitting map for (G,N,R) • Problem: given z ∈ G, compute σ(z)

  37. Abstraction of Computational and Decisional Problems II (Simplified) The Splitting and Subgroup Membership Problem: • Example instance (Diffie-Hellman): the group is cyclic of prime order p • The Splitting Problem for this instance is the Computational Diffie-Hellman Problem • The corresponding SMP is the Decisional Diffie-Hellman Problem

  38. SOAP = Splitting Oracle-Assisted SMP • Setup(λ): algorithm outputs (G,N,R) • Phase 1 (Learning): the attacker has access to a splitting oracle for (G,N,R) • Phase 2 (Challenge): SMP for (G,N): given z ∈ G, decide whether z ∈ N

  39. IND-CCA1 Security Characterization • Scheme is IND-CCA1 secure ⟺ SOAP is hard w.r.t. the ciphertext group and its subgroup C1 of encryptions of 1 • The splitting oracle of SOAP plays the role of the decryption oracle in the IND-CCA1 game: Setup (public parameters), learning phase (decryptions mj of chosen ciphertexts cj), challenge C := Encrypt(Mb) for b ∈R {0,1} on the attacker’s M0, M1, then the guess for b

  40. Application: IND-CCA1 Characterization of ExistingSchemes

  41. Generic Scheme (Simplified) • Ciphertexts: the group C; encryptions of 1 form C1; encryptions of m form the coset m⋅C1 • Encryption of m: sample c1 ∈ C1 and output c := m∙c1 • Decryption of c: determine c mod C1 (w.r.t. a fixed system of representatives of C/C1)

  42. Application: Design of New Schemes • Given: SMP for a group G and a subgroup N • Interpret G as the ciphertext space and N as the set of encryptions of 1 • Construct encryption/decryption as in the generic scheme • Scheme is IND-CPA secure iff the initial SMP is hard
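The generic scheme of slides 41 and 42, the subgroup and coset observations of slides 31 to 34 and the IND-CCA2 argument of slide 21, made concrete as an added Python example (not code from the talk or the paper) using ElGamal in a prime-order group: the ciphertext group is G × G under componentwise multiplication, the encryptions of 1 are the Diffie-Hellman tuples (g^r, h^r), encryptions of m are the coset (1, m)⋅C1, decryption strips off the C1 component, and the SMP for C1 is exactly DDH (slide 37). Parameters p = 23, q = 11, g = 4 are constructed toy values; the secret exponent x stands in for the decryption oracle.

```python
# Added example: ElGamal viewed through the framework of the talk.
# Toy parameters (constructed): <4> is the subgroup of prime order 11 in Z_23^*.
import random

P, Q, G = 23, 11, 4


def mul(c1, c2):
    """Ciphertext operation op*: componentwise product in G x G."""
    return ((c1[0] * c2[0]) % P, (c1[1] * c2[1]) % P)


def keygen(x: int):
    """Secret exponent x in [1, Q-1]; public key h = g^x."""
    return pow(G, x, P), x


def encrypt_one(h: int, r: int):
    """An element of C1: (g^r, h^r) is an encryption of the identity 1."""
    return pow(G, r, P), pow(h, r, P)


def encrypt(h: int, m: int, r: int):
    """Generic scheme: coset representative (1, m) times a sample from C1."""
    return mul((1, m % P), encrypt_one(h, r))


def decrypt(x: int, c):
    """'Determine c mod C1': the C1 part of (u, v) is (u, u^x); dividing it
    out leaves the representative (1, m)."""
    u, v = c
    return (v * pow(u, -x, P)) % P  # negative exponent = modular inverse


def in_c1(x: int, c) -> bool:
    """SMP for C1 with the secret key: is (u, v) a DH tuple, v == u^x?
    Without x this is the DDH problem in <g>, i.e. slide 34's IND-CPA condition."""
    u, v = c
    return v == pow(u, x, P)


def cca2_break(h, x, challenge, m0, m1, rng=random.SystemRandom()) -> int:
    """Slide 21: multiply the challenge by a fresh encryption of 1. The result
    is a different ciphertext of the same plaintext, so an IND-CCA2 decryption
    query on it is allowed and reveals M_b. decrypt() stands in for the oracle."""
    while True:
        c_prime = mul(challenge, encrypt_one(h, rng.randrange(1, Q)))
        if c_prime != challenge:  # r != 0 mod Q already guarantees this
            break
    m = decrypt(x, c_prime)
    return 0 if m == m0 % P else 1


if __name__ == "__main__":
    h, x = keygen(7)
    c = encrypt(h, 9, 5)
    print("decrypt(encrypt(9)) =", decrypt(x, c))
    print("decrypt(Enc(9)*Enc(2)) =", decrypt(x, mul(c, encrypt(h, 2, 3))))
    print("Enc(1) in C1:", in_c1(x, encrypt_one(h, 4)), " Enc(2) in C1:", in_c1(x, encrypt(h, 2, 4)))
    print("IND-CCA2 guess for Enc(13) among (9, 13):", cca2_break(h, x, encrypt(h, 13, 6), 9, 13))
```

Plaintexts should be taken from ⟨g⟩ (the quadratic residues mod 23) so that the plaintext group is the quotient C/C1 as on slide 41; with the secret x, `in_c1` decides the SMP trivially, which is the point of the characterisation: IND-CPA security is precisely the statement that nobody without x can do the same.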

  43. Application: New Schemes

  44. New Homomorphic Scheme 1 (k-linear) • The k-Linear Problem k-LP • Decisional problem that generalizes DDH (= 1-LP) • If k-LP is hard, then so is (k+1)-LP (the assumption gets weaker as k grows) • Properties in the Generic Group Model: k-LP is hard, and even if k-LP is easy, (k+1)-LP is still hard • k-SOAP, a new k-problem: the SOAP instance that corresponds to k-LP • k-SOAP provably behaves like k-LP in the generic group model • k-SOAP might be of independent interest • Plug into Generic Scheme

  45. New Homomorphic Scheme 1 (k-linear) • This Generic Scheme instance yields the first homomorphic scheme that is • IND-CPA secure if and only if k-LP is hard (for k > 2) • IND-CCA1 secure if and only if k-SOAP is hard

  46. New Homomorphic Scheme 2 (Motivation) • “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10] • The existence of such homomorphic schemes is an open question! • We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD scheme [GBD01] • In particular, this yields a new IND-CCA2 scheme!

  47. New Homomorphic Scheme 2 (Construction) • n = q0 q1 RSA modulus such that p := 2n+1 is prime • Consider the cyclic subgroups Gn, Gq0 and Gq1 of Zp* whose orders correspond to the divisors n, q0 and q1 of p-1, respectively • Compute generators g0 and g1 of Gq0 and Gq1, respectively • Then g0 g1 is a generator of Gn • Plug the Splitting Problem for (Gn, Gq1, Gq0) into the Generic Scheme • Since Gn is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
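Slide 47 in the generic scheme, as an added Python example with constructed toy parameters (q0 = 5, q1 = 7, n = 35, p = 2n + 1 = 71); this is my reading of the construction, not code from the talk or the paper. The ciphertext group is the cyclic group Gn, the encryptions of 1 are Gq1, and the coset representatives are the elements of Gq0. Decryption below computes the splitting map for (Gn, Gq1, Gq0) using the factorisation (q0, q1) as the secret key: raising to q1 kills the Gq1 component, and the exponent is undone inside the order-q0 group. Sizes this small are insecure; the SMP for (Gn, Gq1) is what the IND-CPA security of the real scheme rests on.

```python
# Added example: the cyclic-ciphertext-group scheme of slide 47 in the generic
# scheme. Toy parameters (constructed): q0 = 5, q1 = 7, p = 2*q0*q1 + 1 = 71.
Q0, Q1 = 5, 7
N = Q0 * Q1        # n = q0 * q1 (the "RSA modulus"; trivially factorable here)
P = 2 * N + 1      # p = 71, prime


def find_generator(p: int) -> int:
    """Smallest generator of Z_p^* for p - 1 = 2 * q0 * q1 (toy sizes only)."""
    for cand in range(2, p):
        if all(pow(cand, (p - 1) // f, p) != 1 for f in (2, Q0, Q1)):
            return cand
    raise ValueError("no generator found")


g = find_generator(P)
g0 = pow(g, (P - 1) // Q0, P)   # generator of G_q0 (order q0): plaintext representatives
g1 = pow(g, (P - 1) // Q1, P)   # generator of G_q1 (order q1): encryptions of 1
gn = (g0 * g1) % P              # generator of the cyclic ciphertext group G_n


def subgroup(gen: int, order: int) -> set[int]:
    """All elements of the cyclic subgroup generated by gen."""
    return {pow(gen, i, P) for i in range(order)}


def encrypt(m: int, r: int) -> int:
    """m in G_q0, r in [0, q1): c = m * g1^r, a uniform element of the coset m * G_q1."""
    return (m * pow(g1, r, P)) % P


def decrypt(c: int) -> int:
    """Splitting map with secret (q0, q1): c^q1 = m^q1 * g1^(r*q1) = m^q1,
    then invert the exponent q1 modulo the order q0 of m."""
    t = pow(c, Q1, P)
    return pow(t, pow(Q1, -1, Q0), P)


def in_c1(c: int) -> bool:
    """SMP for (G_n, G_q1) given the secret order: c in G_q1 iff c^q1 = 1.
    Without q1 (i.e. without factoring n) this is the hard problem of the scheme."""
    return pow(c, Q1, P) == 1


if __name__ == "__main__":
    print("p =", P, "g =", g, "|G_n| =", len(subgroup(gn, N)))
    m = g0  # a non-trivial plaintext
    c = encrypt(m, 3)
    print("decrypt(encrypt(m)) == m:", decrypt(c) == m)
    print("homomorphic:", decrypt(encrypt(m, 2) * encrypt(m, 5) % P) == (m * m) % P)
    print("Enc(1) in C1:", in_c1(encrypt(1, 4)), " Enc(m) in C1:", in_c1(c))
```

Because q0 and q1 are coprime, Gn is the internal direct product of Gq1 and Gq0, which is exactly the setting of the splitting problem on slide 36: every ciphertext factors uniquely as (encryption of 1) times (plaintext representative), and decryption recovers the second factor.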

  48. Application: Impossibility Results • Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA! (a group of prime order has only the trivial subgroups, so the subgroup C1 of encryptions of 1 is either {1}, making encryption deterministic, or the whole ciphertext group) • Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (membership in the subspace C1 can be decided by linear algebra) • This partly answers an open question whether using linear codes as ciphertext spaces yields more efficient constructions

  49. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  50. Summary • Considered the class of algebraic homomorphic encryption schemes • Presented a generic framework for such schemes • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security • Supports construction of new schemes (starting from the problem) • Allows for certain impossibility results (code-based) • Constructed two new schemes with special properties (k-linear, cyclic) • Thereby constructing a new IND-CCA2 scheme
