
A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP



Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2)

ISG Research Seminar

Royal Holloway University of London

20.01.2011

(1) Universität Mannheim, Germany

(2) Technische Universität Darmstadt, Germany

- Introduction/Motivation
- Our Results
- Technical Details
- Conclusion

Introduction/Motivation

- What if the server itself is corrupted?
- 2001: Heartland Information Services
- 2003: University of California at San Francisco
- 2005: Private data from 50 million Americans stolen

Server

- Store data encrypted
- On request, computation is done on encrypted data
- Encrypted result is given back

Figure: the client sends a request, the server applies a homomorphic addition (⊞) to the stored encrypted values and returns the encrypted result; the example uses the values 7, 9 and 2.

- Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt

Figure: the operation op on plaintexts corresponds to the operation op* on ciphertexts.

- Private Information Retrieval
- Multiparty Computation
- Oblivious Polynomial Evaluation
- ...

Example scheme (textbook RSA):

Parameters: N = p ∙ q with p, q large primes (approx. 1000 bits)

Plaintext space: ZN (= {0, …, N-1} modulo N)

Ciphertext space: ZN (= {0, …, N-1} modulo N)

Encryption key: e ∈ ZN with gcd(e, (p-1)(q-1)) = 1

Decryption key: d ∈ ZN with e ∙ d mod ((p-1)∙(q-1)) = 1

Encryption of m: c := m^e mod N

Decryption of c: c^d mod N = m

Homomorphism: (m^e mod N) ∙ (m'^e mod N) = (m ∙ m')^e mod N, i.e. the product of an encryption of m and an encryption of m' is an encryption of m ∙ m'

- Different approaches
- Some are much better understood than others
- Question: Unified view on security and design of these schemes?

Our Results

- Recall: “Homomorphic = allows for operations on encrypted data”
- Can mean different things, depending on the application. E.g.,
- Addition/Multiplication of integers (i.e., algebraic operations)
- Evaluating certain circuits
- Operation on character strings, e.g., removing/inserting
Here: We concentrate on homomorphic encryption in the algebraic sense

Figure: encryption E maps the plaintext space into the ciphertext space and decryption D maps it back; both spaces are groups and decryption is a group homomorphism, i.e.

D(c op* c') = D(c) op D(c')

- IND-CCA2 (strongest)
- No homomorphic encryption scheme can be IND-CCA2 secure! (because multiplying a ciphertext by an encryption of 1 yields a different ciphertext of the same plaintext, i.e. every such scheme is malleable)
- IND-CCA1
- IND-CPA

Abstract scheme

Abstract problem: SMP (subgroup membership problem)

Abstract problem: SOAP (splitting oracle assisted SMP)

Technical Details

Figure: ciphertexts and plaintexts are groups; encryption maps 1 into the subgroup C1 and m into the coset m⋅C1, and decryption maps every element of m⋅C1 back to m.

- Encryptions of “1” form a normal subgroup C1 of the ciphertext space C
- Set of encryptions of “m” equals the coset m⋅C1

Therefore: c = encryption of m ⟺ c ∈ m∙C1 ⟺ c∙m^-1 ∈ C1

Consequence: recognizing encryptions of m (m' = m?) ⟺ recognizing encryptions of 1 (m' = 1?) ⟺ deciding c ∈ C1?

Scheme is IND-CPA SECURE ⟺ Subgroup membership problem (SMP) is hard w.r.t. C1

What about IND-CCA1?

The Splitting Problem:

- finite group G
- subgroups N and R of G such that the map N × R → G, (n, r) ↦ n ∙ r is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G, N, R).
- Given z ∈ G, compute σ(z).

The Splitting and Subgroup Membership Problem:

- Example instance (Diffie-Hellman):
  - Let … be a cyclic group of prime order p
  - for …
  - The Splitting Problem for … is the Computational Diffie-Hellman Problem
  - The corresponding SMP for … is the Decisional Diffie-Hellman Problem

SOAP as a game:

- Setup(λ): algorithm outputs (G, N, R)
- Phase 1 (Learning): the adversary may query a splitting oracle, i.e. obtain σ(z) for chosen z ∈ G
- Phase 2 (Challenge): the adversary must solve the SMP for (G, N), i.e. decide z ∈ N? for a fresh z

The IND-CCA1 game has the same shape:

- Setup: outputs the public parameters
- Phase 1: the adversary chooses ciphertexts cj and obtains their decryptions mj (decryption, i.e. determining c mod C1, plays the role of the splitting oracle)
- Challenge: the adversary outputs M0, M1; the challenger picks b ∈R {0,1} and returns C := Encrypt(Mb); the adversary outputs a guess for b

Scheme is IND-CCA1 SECURE ⟺ SOAP is hard w.r.t. …

Figure: the ciphertext space contains the subgroup C1 of encryptions of 1; encryption maps m into the coset m⋅C1 and decryption maps the coset back to m.

- Encryption of m:
  - Sample c1 ∈ C1
  - Output c := m∙c1
- Decryption of c:
  - Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1)
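As an added worked example (not code from the slides or the authors), the generic scheme above instantiated with ElGamal over a prime-order group: the ciphertext group is C = G × G, the encryptions of 1 form the subgroup C1 = {(g^r, h^r)} (so the SMP for C1 is exactly DDH, the Diffie-Hellman instance above), encryption multiplies the coset representative (1, m) by a random element of C1, and decryption computes c mod C1. It also checks the coset criterion c ∈ m⋅C1 ⟺ c⋅m^-1 ∈ C1 and shows the re-randomization that rules out IND-CCA2 for any such scheme; the parameters Q, P, G_GEN and all function names are constructed for this example (for the textbook RSA example above, C1 = {1} is trivial, so its SMP is trivially easy and the scheme cannot be IND-CPA secure).

```python
"""Toy instance of the generic coset scheme from the slides: ElGamal in a prime-order group.
Constructed example with tiny parameters; real instances use ~2048-bit groups."""
from secrets import randbelow

# Constructed parameters: Q = 2P+1 is a safe prime, G = quadratic residues mod Q has prime order P.
Q, P = 2039, 1019
G_GEN = 4  # 4 = 2^2 is a quadratic residue and 4 != 1, so it generates the order-P subgroup G


def keygen(x=None):
    """Secret exponent x and public h = g^x; x may be fixed for reproducible runs."""
    x = randbelow(P - 1) + 1 if x is None else x
    return x, pow(G_GEN, x, Q)


def group_mul(c, d):
    """op* on the ciphertext group C = G x G: componentwise multiplication mod Q."""
    return ((c[0] * d[0]) % Q, (c[1] * d[1]) % Q)


def sample_c1(h, r=None):
    """Encryptions of 1 form the subgroup C1 = {(g^r, h^r)}; deciding membership in C1 is DDH."""
    r = randbelow(P) if r is None else r
    return (pow(G_GEN, r, Q), pow(h, r, Q))


def encrypt(h, m, r=None):
    """Generic scheme: take the coset representative (1, m) and multiply by a random c1 in C1."""
    return group_mul((1, m % Q), sample_c1(h, r))


def decrypt(x, c):
    """Determine c mod C1 w.r.t. the representatives {(1, m)}: (a, b) -> b * a^{-x}."""
    a, b = c
    return (b * pow(a, -x, Q)) % Q


def is_encryption_of(x, c, m):
    """c encrypts m  <=>  c * m^{-1} lies in C1  <=>  that quotient decrypts to 1."""
    return decrypt(x, group_mul(c, (1, pow(m, -1, Q)))) == 1


def rerandomize(h, c):
    """Why no group-homomorphic scheme is IND-CCA2: c * c1 (c1 in C1) is a different ciphertext
    of the same plaintext, so a decryption oracle available after the challenge breaks the game.
    Practical consequence: keep homomorphic ciphertexts behind an authenticated channel or accept IND-CCA1."""
    return group_mul(c, sample_c1(h))


if __name__ == "__main__":
    x, h = keygen()
    c, d = encrypt(h, 9), encrypt(h, 16)               # 9 and 16 are squares, hence elements of G
    assert decrypt(x, group_mul(c, d)) == 9 * 16 % Q   # D(c op* d) = D(c) op D(d)
    assert is_encryption_of(x, c, 9) and not is_encryption_of(x, c, 16)
    assert decrypt(x, rerandomize(h, c)) == 9
    print("homomorphism, coset structure and malleability verified")
```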

Figure: an SMP instance (G, N) becomes a scheme by taking the group G as ciphertext space and the subgroup N as C1, the set of encryptions of 1.

- Given: SMP for group G and subgroup N
- Interpret G as ciphertext space and N as encryption of 1
- Construct encryption/decryption as in the generic scheme
- Scheme is IND-CPA secure iff initial SMP is hard

- The k-Linear Problem k-LP for …
- Decisional problem that generalizes DDH
- Properties in the Generic Group Model:
  - If (k+1)-LP is hard, then so is k-LP
  - k-LP is hard
  - If k-LP is easy, then (k+1)-LP is still hard
k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP

- k-SOAP provably behaves as k-LP in the generic group model
- k-SOAP might be of independent interest

Plug into Generic Scheme

- This Generic Scheme instance yields the first homomorphic scheme that is
  - IND-CPA secure if and only if k-LP is hard (for k > 2)
  - IND-CCA1 secure if and only if k-SOAP is hard

- “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10]
- The existence of such homomorphic schemes is an open question!
- We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]

- n = q0 q1 RSA-modulus such that p := 2n+1 is prime
- Consider the cyclic subgroups Gn, Gq0 and Gq1 whose orders correspond to the divisors n, q0 and q1 of p-1, respectively
- Compute generators g0 and g1 of Gq0 and Gq1, respectively
- Then g0 g1 is a generator of Gn
- Plug the Splitting Problem for (Gn, Gq1, Gq0) into Generic Scheme
- Since Gn is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!

- Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA!
- Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA!
(this partly answers an open question whether using linear codes as ciphertext spaces yields more efficient constructions)

Conclusion

- Considered the class of algebraic homomorphic encryption schemes
- Presented a generic framework for such schemes
  - Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security
  - Supports construction of new schemes (starting from the problem)
  - Allows for certain impossibility results (code-based)

- Extension of IND-CPA characterization to Gentry's “blueprint” for constructing fully homomorphic encryption schemes (encompasses all currently known schemes)
- What are the consequences for existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong

- To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. Such a scheme, however, only exists in the Random Oracle Model.
- Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!