A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP. Frederik Armknecht¹, Andreas Peter² and Stefan Katzenbeisser². ISG Research Seminar, Royal Holloway University of London, 20.01.2011. ¹ Universität Mannheim, Germany

Presentation Transcript
A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

Frederik Armknecht¹, Andreas Peter² and Stefan Katzenbeisser²

ISG Research Seminar

Royal Holloway University of London

20.01.2011

¹ Universität Mannheim, Germany

² Technische Universität Darmstadt, Germany

Outline
  • Introduction/Motivation
  • Our Results
  • Technical Details
  • Conclusion
Motivation 1: Outsourcing of Data
  • What if the server itself is corrupted?
    • 2001: Heartland Information Services
    • 2003: University of California at San Francisco
    • 2005: Private data from 50 million Americans stolen

Possible Solution
  • Store data encrypted
  • On request, computation is done on encrypted data
  • Encrypted result is given back

Homomorphic Encryption (Informal)
  • Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt

[Figure: example with the values 7, 2 and 9; the operation op on plaintexts corresponds to the operation op* on ciphertexts]

Other Applications
  • Private Information Retrieval
  • Multiparty Computation
  • Oblivious Polynomial Evaluation
  • ...
Example: RSA (1978)

Parameters: N = p ∙ q with p, q large primes (approx. 1000 bits)

Plaintext space: Z_N (= {0,…,N-1} modulo N)

Ciphertext: Z_N (= {0,…,N-1} modulo N)

Encryption key: e ∈ Z_N with gcd(e, (p-1)(q-1)) = 1

Decryption key: d ∈ Z_N with e ∙ d mod ((p-1)∙(q-1)) = 1

Encryption of m: c := m^e mod N

Decryption of c: c^d mod N = m

Homomorphism: [Figure: (encryption of m) ∙ (encryption of m') = (encryption of m∙m')]

Homomorphic Encryption Schemes (Overview)
  • Different approaches
  • Some are much better understood than others
  • Question: Unified view on security and design of these schemes?
Outline
  • Introduction/Motivation
  • Our Results
  • Technical Details
  • Conclusion
A Large Class of Homomorphic Encryption
  • Recall: “Homomorphic = allows for operations on encrypted data”
  • Can mean different things, depending on the application. E.g.,
    • Addition/Multiplication of integers (i.e., algebraic operations)
    • Evaluating certain circuits
    • Operation on character strings, e.g., removing/inserting

Here: We concentrate on homomorphic encryption in the algebraic sense

Classical Encryption Scheme

[Figure: plaintext space and ciphertext space, connected by Encryption E and Decryption D]

Our Class of Homomorphic Encryption

[Figure: plaintext space and ciphertext space are groups, connected by Encryption E and Decryption D]

Group homomorphism, i.e.

D(c op* c') = D(c) op D(c')

Security Notions for Encryption Schemes
  • IND-CCA2
      • No Homomorphic Encryption Scheme can be IND-CCA2 secure!

(because is an encryption of 1 for some i)

  • IND-CCA1
  • IND-CPA

[Figure annotation, shown twice: (strongest)]

Our Result: Abstraction and Characterization

[Figure: abstract scheme together with two abstract problems: SMP (subgroup membership problem) and SOAP (splitting oracle assisted SMP)]

Outline
  • Introduction/Motivation
  • Our Results
  • Technical Details
  • Conclusion
Our Considered Class of Homomorphic Encryption Schemes (Reminder)

[Figure: ciphertexts and plaintexts are groups, connected by encryption and decryption; group homomorphism]

Easy Observations I

[Figure: ciphertext and plaintext groups with encryption and decryption (group homomorphism); the set C1 of encryptions of 1 in the ciphertexts corresponds to 1 in the plaintexts]

  • Encryptions of "1" form a normal subgroup C1 of the ciphertext space C
Easy Observations II

[Figure: ciphertext and plaintext groups with encryption and decryption (group homomorphism); C1 corresponds to 1, and the set m⋅C1 of encryptions of m corresponds to m]

  • Set of encryptions of "m" equals the coset m⋅C1
Consequence

Therefore:

c = encryption of m

c ∈ m∙C1

c∙m^-1 ∈ C1

Consequence:

[Figure: recognizing encryptions of 1 (m' = 1?) and recognizing encryptions of m (m' = m?)]

Immediate IND-CPA Security Characterization

Subgroup membership problem (SMP) is hard w.r.t. C1

Scheme is IND-CPA SECURE

[Figure: SMP for C1: given c, is c ∈ C1?]

Application: Easy IND-CPA Security Characterization of Existing Schemes

What about IND-CCA1?

Abstraction of Computational and Decisional Problems I (Simplified)

The Splitting Problem:

  • finite group G
  • subgroups N and R of G such that the map
    is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R).

compute σ(z)

Abstraction of Computational and Decisional Problems II (Simplified)

The Splitting and Subgroup Membership Problem:

  • Example instance (Diffie-Hellman):
  • be a cyclic group of prime order p
  • for
  • The Splitting Problem for
    • is the Computational Diffie-Hellman Problem
  • The corresponding SMP for
    • is the Decisional Diffie-Hellman Problem
SOAP = Splitting Oracle-Assisted SMP

Setup(λ) algorithm outputs: (G,N,R)

Phase 1: Learning

Phase 2: Challenge

[Figure: Splitting Oracle; SMP for (G,N) with groups G and N: given z, is z ∈ N?]

IND-CCA1 Security Characterization

Scheme is IND-CCA1 SECURE

SOAP is hard w.r.t. .

[Figure: IND-CCA1 game. Setup outputs the public param.; chosen ciphertexts cj are decrypted to mj; then M0, M1 are chosen, b ∈R {0,1} is drawn, the challenge C := Encrypt(Mb) is returned, and a guess for b is output.]

Generic Scheme (Simplified)

[Figure: encryption maps the plaintexts 1 and m to the ciphertext sets C1 and m⋅C1; decryption maps them back]

  • Encryption of m:
    • Sample c1 ∈ C1
    • Output c := m∙c1
  • Decryption of c:
    • Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1)

Application: Design of New Schemes

[Figure: group G as ciphertext space with subgroup N as C1; encryption and decryption between the plaintext space and G]

  • Given: SMP for group G and subgroup N
  • Interpret G as ciphertext space and N as encryption of 1
  • Construct encryption/decryption as in the generic scheme
  • Scheme is IND-CPA secure iff initial SMP is hard
New Homomorphic Scheme 1 (k-linear)
  • The k-Linear Problem k-LP for
  • Decisional problem that generalizes DDH
  • Properties in the Generic Group Model:
      • If (k+1)-LP is hard, then so is k-LP
      • k-LP is hard
      • If k-LP is easy, then (k+1)-LP is still hard

k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP

    • k-SOAP provably behaves as k-LP in the generic group model
    • k-SOAP might be of independent interest

Plug into Generic Scheme

New Homomorphic Scheme 1 (k-linear)
  • This Generic Scheme instance yields the first homomorphic scheme that is
    • IND-CPA secure if and only if k-LP is hard (for k>2)
    • IND-CCA1 secure if and only if k-SOAP is hard
New Homomorphic Scheme 2 (Motivation)
  • “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10]
  • The existence of such homomorphic schemes is an open question!
  • We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]
New Homomorphic Scheme 2 (Construction)
  • n = q0q1 RSA modulus such that p := 2n+1 is prime
  • Consider the cyclic subgroups G_n, G_q0 and G_q1 whose orders correspond to the divisors n, q0 and q1 of p-1, respectively
  • Compute generators g0 and g1 of G_q0 and G_q1, respectively
  • Then g0g1 is a generator of G_n
  • Plug the Splitting Problem for (G_n, G_q1, G_q0) into Generic Scheme
  • Since G_n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
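
The construction above, plugged into the Generic Scheme (encrypt m as m∙c1 with c1 ∈ C1, decrypt by reducing modulo C1), as an added example that is not taken from the slides. The toy parameters q0 = 5, q1 = 7, p = 71 are constructed here; taking the order-q0 subgroup as plaintext group and decrypting with a CRT exponent derived from q0 and q1 are assumptions of this example.

```python
import secrets

# Toy parameters, constructed for illustration (real moduli are far larger).
Q0, Q1 = 5, 7            # secret prime factors of n
N = Q0 * Q1              # n = q0*q1
P = 2 * N + 1            # p = 2n+1 = 71, which is prime


def subgroup_generator(order: int) -> int:
    """Generator of the unique subgroup of Z_p^* with the given prime order."""
    for h in range(2, P):
        g = pow(h, (P - 1) // order, P)
        if g != 1:
            return g
    raise ValueError("no generator found")


G0 = subgroup_generator(Q0)   # generates the order-q0 subgroup (plaintexts, assumed)
G1 = subgroup_generator(Q1)   # generates the order-q1 subgroup C1 (encryptions of 1)

# CRT exponent: d = 1 mod q0 and d = 0 mod q1, so x -> x^d keeps only
# the order-q0 component of x, i.e. it evaluates "c mod C1".
D_EXP = Q1 * pow(Q1, -1, Q0)


def encrypt(m: int) -> int:
    """Generic scheme: sample c1 in C1 and output c = m * c1."""
    c1 = pow(G1, secrets.randbelow(Q1), P)
    return (m * c1) % P


def decrypt(c: int) -> int:
    """Recover the representative of the coset c*C1 (uses the secret q0, q1)."""
    return pow(c, D_EXP, P)


def in_c1(c: int) -> bool:
    """Subgroup membership test for C1, computed here with the secret q1."""
    return pow(c, Q1, P) == 1


def demo() -> dict:
    m, m2 = pow(G0, 2, P), pow(G0, 4, P)          # two plaintexts
    c, c2 = encrypt(m), encrypt(m2)
    return {
        "roundtrip": decrypt(c) == m,
        "homomorphic": decrypt((c * c2) % P) == (m * m2) % P,
        "coset": in_c1((c * pow(m, -1, P)) % P),   # c * m^-1 lies in C1
        "g0g1_order": next(k for k in range(1, P) if pow(G0 * G1, k, P) == 1),
    }


if __name__ == "__main__":
    print(demo())
```
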
Application: Impossibility Results
  • Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA!
  • Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA!

(this partly answers an open question whether using linear codes as ciphertext spaces yields more efficient constructions)

Outline
  • Introduction/Motivation
  • Our Results
  • Technical Details
  • Conclusion
Summary
  • Considered the class of algebraic homomorphic encryption schemes
  • Presented a generic framework for such schemes
      • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security
      • Supports construction of new schemes (starting from the problem)
      • Allows for certain impossibility results (code-based)
  • Constructed two new schemes with special properties (k-linear, cyclic)
Most Recent Results and Future Work (Fully Homomorphic Encryption)
  • Extension of IND-CPA characterization to Gentry's "blueprint" for constructing fully homomorphic encryption schemes (encompasses all currently known schemes)
      • What are the consequences for existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong
  • To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, exists only in the Random Oracle Model.
      • Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!