1 / 46

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP. Frederik Armknecht 1 , Andreas Peter 2 and Stefan Katzenbeisser 2. ISG Research Seminar Royal Holloway University of London 20 .01.2011. 1 Universität Mannheim, Germany

march
Download Presentation

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. A CleanerView on IND-CCA1 SecureHomomorphicEncryptionusing SOAP Frederik Armknecht1, Andreas Peter2 and Stefan Katzenbeisser2 ISG Research Seminar Royal Holloway University of London 20.01.2011 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany

  2. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  3. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  4. Motivation 1: Outsourcingof Data • What if the server itself is corrupted? • 2001: Heartland Information Services • 2003: University of California at San Francisco • 2005: Private data from 50 million Americans stolen Server

  5. Possible Solution • Store data encrypted • On request, computation is done on encrypted data • Encrypted result is given back Request

  6. Motivation 2: Electronic Voting ⊞ + + + +

  7. 7 7 9 9 2 2 Homomorphic Encryption (Informal) • Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt op op*

  8. Other Applications • Private Information Retrieval • Multiparty Computation • Oblivious Polynomial Evaluation • ...

  9. Example: RSA (1978) Parameters: N=p ∙ q with p,q large primes (approx. 1000 bits) Plaintext space:ZN (={0,…,N-1} modulo N) Ciphertext:ZN (={0,…,N-1} modulo N) Encryption Key: e∈ZN with gcd(e, (p-1)(q-1) )=1 Decryption key: d∈ZN with e ∙ d mod ((p-1)∙(q-1)) = 1 Encryption of m: c := me mod N Decryption of c: cd mod N =m Homomorphism: = m m‘ m∙m‘

  10. HomomorphicEncryptionSchemes (Overview) • Different approaches • Some are much better understood than others • Question: Unified view on security and design of theses schemes?

  11. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  12. A Large Class of HomomorphicEncryption • Recall: “Homomorphic = allows for operations on encrypted data” • Can mean different things, depending on the application. E.g., • Addition/Multiplication of integers (i.e., algebraic operations) • Evaluating certain circuits • Operation on character strings, e.g., removing/inserting Here: We concentrate on homomorphic encryption in the algebraic sense

  13. ClassicalEncryptionScheme Plaintext space Ciphertext space Encryption E Decryption D

  14. OurClass of HomomorphicEncryption Plaintext space Ciphertext space Groups Encryption E Decryption D Group homomorphism, i.e. D(c op* c’)=D(c) op D(c’)

  15. SecurityNotionsforEncryptionSchemes • IND-CCA2 • No HomomorphicEncryptionSchemecanbe IND-CCA2 secure! (becauseis an encryption of 1 forsome i) • IND-CCA1 • IND-CPA (strongest) (strongest)

  16. Security of ExistingSchemes

  17. OurResult: Abstraction and Characterization Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP)

  18. OurResult: Abstraction and Characterization Abstract scheme Abstract problem: SMP (subgroup membership problem) Abstract problem: SOAP (splitting oracle assisted SMP)

  19. Application: Easy Confirmation of KnownResults

  20. Application: Missing Characterizations

  21. Application: New Schemes

  22. Application: ImpossibilityResults

  23. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  24. OurConsideredClass of HomomorphicEncryptionSchemes (Reminder) Ciphertexts Plaintexts Groups encryption decryption Group homomorphism

  25. Easy Observations I Ciphertexts Plaintexts Groups encryption C1 Encr. of 1 decryption Group homomorphism 1 • Encryptions of „1“ form a normal subgroup C1 of theciphertextspace C

  26. Easy Observations II Ciphertexts Plaintexts Groups Encr. of m m⋅C1 encryption C1 decryption Group homomorphism 1 m • Set of encryptions of „m“ equalsthecoset m⋅C1

  27. m‘ m‘ Consequence Therefore: c = encryp-tion of m ⟺ ⟺ c ∈ m∙C1 c∙m-1 ∈ C1 Consequence: Recognizing encryptions of 1 Recognizing encryptions of m ⟺ m‘=1? m‘=m?

  28. Immediate IND-CPA SecurityCharacterization Subgroup membership problem (SMP) is hard w.r.t. C1 Scheme is IND-CPA SECURE ⟺ C1 c∈C1? c

  29. Application: Easy IND-CPA SecurityCharacterization of ExistingSchemes What about IND-CCA1?

  30. Abstraction of Computational and Decisional Problems I (Simplified) The Splitting Problem: • finite group G • subgroups N and R of G such thatthemap • is a groupisomorphism. Itsinverseisdenotedbyσ and iscalled • thesplittingmapfor (G,N,R). compute σ(z)

  31. Abstraction of Computational and Decisional Problems II (Simplified) The Splitting and SubgroupMembership Problem: • Exampleinstance (Diffie-Hellman): • be a cyclicgroup of prime order p • for • The Splitting Problem for • istheComputationalDiffie-Hellman Problem • Thecorresponding SMP for • istheDecisionalDiffie-Hellman Problem

  32. SOAP = Splitting Oracle-Assisted SMP Setup(λ) Algorithmoutputs: (G,N,R) Phase 1: Learning Phase 2: Challenge SMP for (G,N) Splitting Oracle G N z∈N? z

  33. IND-CCA1 SecurityCharacterization Scheme is IND-CCA1 SECURE SOAP is hard w.r.t. . Public param. Setup cj Choose Ciphertext Decrypt mj ⟺ M0,M1 b∈R{0,1} Challenge C C:=Encrypt(Mb) Guess for b

  34. Application: IND-CCA1 Characterization of ExistingSchemes

  35. GenericScheme (Simplified) Ciphertexts Plaintexts m⋅C1 encryption decryption C1 • Encryption of m: • Sample c1∈C1 • Output c := m∙c1 • Decryption of c: • Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1) 1 m

  36. Application: Design of New Schemes Ciphertext Space Group G Plaintext Space encryption N C1 decryption • Given: SMP for group G and subgroup N • Interpret G as ciphertext space and N as encryption of 1 • Construct encryption/decryption as in the generic scheme • Scheme is IND-CPA secure iff initial SMP is hard

  37. Application: New Schemes

  38. New HomomorphicScheme 1 (k-linear) • Thek-Linear Problem k-LP for • Decisionalproblemthatgeneralizes DDH • Properties in theGeneric Group Model: • If (k+1)-LP ishard, then so is k-LP • k-LP ishard • If k-LP iseasy, then (k+1)-LP is still hard k-SOAP– a newk-Problem: SOAP instancethatcorresponds to k-LP • k-SOAPprovablybehaves as k-LP in thegenericgroupmodel • K-SOAP mightbe of independent interest PlugintoGenericScheme

  39. New HomomorphicScheme 1 (k-linear) • ThisGenericSchemeinstanceyieldsthefirsthomomorphicschemethatis • IND-CPA secureif and onlyif k-LP ishard (for k>2) • IND-CCA1 secureif and onlyifk-SOAPishard

  40. New HomomorphicScheme 2 (Motivation) • “Ifthereexist IND-CPA securehomomorphicschemeswithcyclicciphertextgroup, thenwecanefficientlyconstruct IND-CCA2 secureencryptionschemes” [HO10] • Theexistence of such homomorphicschemesis an openquestion! • Weconstruct such a schemewhose IND-CPA securityisequivalent to a newproblemwhosehardnessisequivalent to thewell-analyzed SMP of theGBD-scheme [GBD01]

  41. New HomomorphicScheme 2 (Construction) • n=q0q1RSA-modulus such that p := 2n+1 is prime • ConsiderthecyclicsubgroupsGn, Gq0 and Gq1whoseorderscorrespond to thedivisors n, q0 and q1 of p-1, respectively • Computegenerators g0 and g1 of Gq0 and Gq1, respectively • Then g0g1is a generator of Gn • Plugthe Splitting Problem for (Gn, Gq1, Gq0) intoGenericScheme • SinceGniscyclic, thisyieldsthefirsthomomorphicschemewith a cyclicciphertextgroup!

  42. Application: ImpossibilityResults • Anyalgebraichomomorphicschemewithprime-orderedciphertextgroupisinsecure in terms of IND-CPA! • Anyalgebraichomomorphicschemewheretheciphertexts form a linear subspace of Fn (forsome prime fieldF), e.g. a linear code, isinsecure in terms of IND-CPA! (thispartlyanswers an openquestionwhetherusing linear codes as ciphertextspacesyieldmoreefficientconstructions)

  43. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  44. Summary • Consideredtheclass of algebraichomomorphicencryptionschemes • Presented a genericframeworkfor such schemes • Allowsfor an easysecuritycharacterizationboth in terms of IND-CPA and IND-CCA1 security • Supports construction of newschemes (startingfromtheproblem) • Allowsforcertainimpossibilityresults (code-based) • Constructedtwonewschemeswithspecialproperties (k-linear, cyclic)

  45. Most RecentResults and Future Work(FullyHomomorphicEncryption) • Extension of IND-CPA characterization to Gentry‘s „blueprint“ forconstructingfullyhomomorphicencryptionschemes (encompasses all currentlyknownschemes) • Whataretheconsequences to existingschemes? Good news: e.g., [DGHV10] isbased on an assumptionthatistoostrong • To getfullyhomomorphicencryption, Gentryneeds a bootstrappableschemethatisKDM-secure. This, however, doesonlyexist in theRandom Oracle Model. • Extension to KDM-security and construction of a KDM-securebootstrappablescheme in thestandardmodel – ifpossible at all!

  46. Thankyou!

More Related