540 likes | 785 Views
A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP. Frederik Armknecht 1 , Andreas Peter 2 and Stefan Katzenbeisser 2. ISG Research Seminar Royal Holloway University of London 20.01.2011. 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany.
E N D
A CleanerView on IND-CCA1 SecureHomomorphicEncryptionusing SOAP Frederik Armknecht1, Andreas Peter2 and Stefan Katzenbeisser2 ISG Research Seminar Royal Holloway University of London 20.01.2011 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany
Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion
Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion
Motivation 1: Outsourcing of Data • Serverperformssomecomputation on itsstoreddata • What if the server itself is corrupted? • 2001: Heartland Information Services • 2003: University of California at San Francisco • 2005: Private data from 50 million Americans stolen Server
Possible Solution • Store data encrypted • On request, computation is done on encrypted data • Encrypted result is given back Request
7 7 9 9 2 2 Homomorphic Encryption (Informal) • Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt op op*
ExampleApplication: Electronic Voting ⊞ + + + +
Other Applications • Private Information Retrieval • Multiparty Computation • Oblivious Polynomial Evaluation • ...
ExampleScheme: RSA (1978) Parameters: N=p ∙ q with p,q large primes (approx. 1000 bits) Plaintext space:ZN (={0,…,N-1} modulo N) Ciphertext:ZN (={0,…,N-1} modulo N) Encryption Key: e∈ZN with gcd(e, (p-1)(q-1) )=1 Decryption key: d∈ZN with e ∙ d mod ((p-1)∙(q-1)) = 1 Encryption of m: c := me mod N Decryption of c: cd mod N =m Homomorphism: = m m‘ m∙m‘
HomomorphicEncryptionSchemes (Overview) • Different approaches • Some are much better understood than others • Question: Unified view on security and design of theses schemes?
Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion
A Large Class of HomomorphicEncryption • Recall: “Homomorphic = allows for operations on encrypted data” • Can mean different things, depending on the application. E.g., • Addition/Multiplication of integers (i.e., algebraic operations) • Evaluating certain circuits • Operation on character strings, e.g., removing/inserting Here: We concentrate on homomorphic encryption in the algebraic sense
ClassicalEncryptionScheme Plaintext space Ciphertext space Encryption E Decryption D
OurClass of HomomorphicEncryption Plaintext space Ciphertext space Groups Encryption E Decryption D Group homomorphism, i.e. D(c op* c’)=D(c) op D(c’)
SecurityNotionsforEncryptionSchemes • IND-CCA2 • IND-CCA1 • IND-CPA (strongest)
Defining security: IND-CPA Oracle Attacker Public param. Setup Time M0,M1 Challenge b∈R{0,1} C C:=Encrypt(Mb) Guess for b Attacker wins if he correctly guesses b
SecurityNotionsforEncryptionSchemes • IND-CCA2 • IND-CCA1 • IND-CPA (strongest)
Defining security: IND-CCA1 Oracle Attacker Public param. Setup cj Choose Ciphertext Decrypt mj Time b∈R{0,1} M0 ,M1 C:=Encrypt(Mb) Challenge C Guess for b Attacker wins if he correctly guesses b
SecurityNotionsforEncryptionSchemes • IND-CCA2 • IND-CCA1 • IND-CPA (strongest)
Defining security: IND-CCA2 Oracle Attacker Public param. Setup cj Choose Ciphertext Decrypt mj Time M0 ,M1 Challenge b∈R{0,1} C C:=Encrypt(Mb) cj ≠ C Choose Ciphertext Decrypt mj Guess for b Attacker wins if he correctly guesses b
SecurityNotionsforEncryptionSchemes • IND-CCA2 • No HomomorphicEncryptionSchemecanbe IND-CCA2 secure! (becauseis an encryption of 1 forsome i) • IND-CCA1 • IND-CPA (strongest) (strongest)
OurResult: Abstraction and Characterization Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP)
OurResult: Abstraction and Characterization Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP)
Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion
OurConsideredClass of HomomorphicEncryptionSchemes (Reminder) Ciphertexts Plaintexts Groups encryption decryption Group homomorphism
Easy Observations I Ciphertexts Plaintexts Groups encryption C1 Encr. of 1 decryption Group homomorphism 1 • Encryptions of „1“ form a normal subgroup C1 of theciphertextspace C
Easy Observations II Ciphertexts Plaintexts Groups Encr. of m m⋅C1 encryption C1 decryption Group homomorphism 1 m • Set of encryptions of „m“ equalsthecoset m⋅C1
m‘ m‘ Consequence Therefore: c = encryp-tion of m ⟺ ⟺ c ∈ m∙C1 c∙m-1 ∈ C1 Consequence: Recognizing encryptions of 1 Recognizing encryptions of m ⟺ m‘=1? m‘=m?
Immediate IND-CPA SecurityCharacterization Subgroup membership problem (SMP) is hard w.r.t. C1 Scheme is IND-CPA SECURE ⟺ C1 c∈C1? c
Application: Easy IND-CPA SecurityCharacterization of ExistingSchemes What about IND-CCA1?
Abstraction of Computational and Decisional Problems I (Simplified) The Splitting Problem: • finite group G • subgroups N and R of G such thatthemap • is a groupisomorphism. Itsinverseisdenotedbyσ and iscalled • thesplittingmapfor (G,N,R). compute σ(z)
Abstraction of Computational and Decisional Problems II (Simplified) The Splitting and SubgroupMembership Problem: • Exampleinstance (Diffie-Hellman): • be a cyclicgroup of prime order p • for • The Splitting Problem for • istheComputationalDiffie-Hellman Problem • Thecorresponding SMP for • istheDecisionalDiffie-Hellman Problem
SOAP = Splitting Oracle-Assisted SMP Setup(λ) Algorithmoutputs: (G,N,R) Phase 1: Learning Phase 2: Challenge SMP for (G,N) Splitting Oracle G N z∈N? z
IND-CCA1 SecurityCharacterization Scheme is IND-CCA1 SECURE SOAP is hard w.r.t. . Public param. Setup cj Choose Ciphertext Decrypt mj ⟺ M0,M1 b∈R{0,1} Challenge C C:=Encrypt(Mb) Guess for b
GenericScheme (Simplified) Ciphertexts Plaintexts m⋅C1 encryption decryption C1 • Encryption of m: • Sample c1∈C1 • Output c := m∙c1 • Decryption of c: • Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1) 1 m
Application: Design of New Schemes Ciphertext Space Group G Plaintext Space encryption N C1 decryption • Given: SMP for group G and subgroup N • Interpret G as ciphertext space and N as encryption of 1 • Construct encryption/decryption as in the generic scheme • Scheme is IND-CPA secure iff initial SMP is hard
New HomomorphicScheme 1 (k-linear) • Thek-Linear Problem k-LP for • Decisionalproblemthatgeneralizes DDH (=1-LP) • If (k+1)-LP ishard, then so is k-LP • Properties in theGeneric Group Model: • k-LP ishard • If k-LP iseasy, then (k+1)-LP is still hard k-SOAP– a newk-Problem: SOAP instancethatcorresponds to k-LP • k-SOAPprovablybehaves as k-LP in thegenericgroupmodel • K-SOAP mightbe of independent interest PlugintoGenericScheme
New HomomorphicScheme 1 (k-linear) • ThisGenericSchemeinstanceyieldsthefirsthomomorphicschemethatis • IND-CPA secureif and onlyif k-LP ishard (for k>2) • IND-CCA1 secureif and onlyifk-SOAPishard
New HomomorphicScheme 2 (Motivation) • “Ifthereexist IND-CPA securehomomorphicschemeswithcyclicciphertextgroup, thenwecanefficientlyconstruct IND-CCA2 secureencryptionschemes” [HO10] • Theexistence of such homomorphicschemesis an openquestion! • Weconstruct such a schemewhose IND-CPA securityisequivalent to a newproblemwhosehardnessisequivalent to the well-analyzed SMP of the GBD-scheme [GBD01] • In particular, this yields a new IND-CCA2 scheme!
New HomomorphicScheme 2 (Construction) • n=q0q1RSA-modulus such that p := 2n+1 is prime • ConsiderthecyclicsubgroupsGn, Gq0 and Gq1whoseorderscorrespond to thedivisors n, q0 and q1 of p-1, respectively • Computegenerators g0 and g1 of Gq0 and Gq1, respectively • Then g0g1is a generator of Gn • Plugthe Splitting Problem for (Gn, Gq1, Gq0) intoGenericScheme • SinceGniscyclic, thisyieldsthefirsthomomorphicschemewith a cyclicciphertextgroup!
Application: ImpossibilityResults • Anyalgebraichomomorphicschemewithprime-orderedciphertextgroupisinsecure in terms of IND-CPA! • Anyalgebraichomomorphicschemewheretheciphertexts form a linear subspace of Fn (forsome prime fieldF), e.g. a linear code, isinsecure in terms of IND-CPA! (thispartlyanswers an openquestionwhetherusing linear codes as ciphertextspacesyieldmoreefficientconstructions)
Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion
Summary • Consideredtheclass of algebraichomomorphicencryptionschemes • Presented a genericframeworkfor such schemes • Allowsfor an easysecuritycharacterizationboth in terms of IND-CPA and IND-CCA1 security • Supports construction of newschemes (startingfromtheproblem) • Allowsforcertainimpossibilityresults (code-based) • Constructedtwonewschemeswithspecialproperties (k-linear, cyclic) • Thereby constructing a new IND-CCA2 scheme