A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2)

ISG Research Seminar, Royal Holloway University of London, 20.01.2011

(1) Universität Mannheim, Germany
(2) Technische Universität Darmstadt, Germany



Outline

  • Introduction/Motivation

  • Our Results

  • Technical Details

  • Conclusion




Motivation 1: Outsourcing of Data

  • Data is handed to a server. What if the server itself is corrupted?

    • 2001: Heartland Information Services

    • 2003: University of California at San Francisco

    • 2005: Private data from 50 million Americans stolen


Possible Solution

  • Store data encrypted

  • On request, computation is done on the encrypted data

  • The encrypted result is given back


Motivation 2: Electronic Voting

  • Diagram: the encrypted ballots are added up (+) without decrypting the individual votes


Homomorphic Encryption (Informal)

  • Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt

  • Diagram: plaintexts 7 and 2 combined with an operation op give 9; the corresponding ciphertexts are combined with an operation op* and the result decrypts to 9


Other Applications

  • Private Information Retrieval

  • Multiparty Computation

  • Oblivious Polynomial Evaluation

  • ...


Example: RSA (1978)

Parameters: N = p·q with p, q large primes (approx. 1000 bits each)

Plaintext space: Z_N (= {0, …, N-1} modulo N)

Ciphertext space: Z_N (= {0, …, N-1} modulo N)

Encryption key: e with gcd(e, (p-1)·(q-1)) = 1

Decryption key: d with e·d ≡ 1 (mod (p-1)·(q-1))

Encryption of m: c := m^e mod N

Decryption of c: c^d mod N = m

Homomorphism (multiplicative): E(m)·E(m') = m^e·m'^e = (m·m')^e = E(m·m') mod N

Note that textbook RSA is deterministic and therefore not even IND-CPA secure; it appears here only as the classic illustration of the homomorphic property.


Homomorphic Encryption Schemes (Overview)

  • Different approaches

  • Some are much better understood than others

  • Question: Is there a unified view on the security and design of these schemes?




A Large Class of Homomorphic Encryption

  • Recall: "Homomorphic = allows for operations on encrypted data"

  • Can mean different things, depending on the application. E.g.,

    • Addition/Multiplication of integers (i.e., algebraic operations)

    • Evaluating certain circuits

    • Operations on character strings, e.g., removing/inserting

  • Here: we concentrate on homomorphic encryption in the algebraic sense


Classical Encryption Scheme

Diagram: encryption E maps the plaintext space to the ciphertext space; decryption D maps the ciphertext space back to the plaintext space


Our Class of Homomorphic Encryption

Plaintext space and ciphertext space are groups; encryption E maps plaintexts to ciphertexts, and decryption D is a group homomorphism, i.e.

D(c op* c') = D(c) op D(c')


Security Notions for Encryption Schemes

  • IND-CCA2 (strongest)

    • No homomorphic encryption scheme can be IND-CCA2 secure!

      (because the challenge ciphertext combined with the inverse of a fresh encryption of M_i is an encryption of 1 for some i ∈ {0,1}; a single phase-2 decryption query on it reveals b)

  • IND-CCA1

  • IND-CPA (weakest of the three)


Security of Existing Schemes


Our Result: Abstraction and Characterization

Abstract scheme (generic group-homomorphic scheme)

  • Abstract problem: SMP (subgroup membership problem)

  • Abstract problem: SOAP (splitting oracle assisted SMP)




Application: Easy Confirmation of Known Results


Application: Missing Characterizations


Application: New Schemes


Application: Impossibility Results




Our Considered Class of Homomorphic Encryption Schemes (Reminder)

Plaintexts and ciphertexts form groups; encryption maps plaintexts to ciphertexts, and decryption is a group homomorphism from the ciphertext group onto the plaintext group


Easy Observations I

  • Encryptions of "1" (the identity of the plaintext group) form a normal subgroup C1 of the ciphertext space C (C1 is the kernel of the decryption homomorphism)


Easy Observations II

  • The set of encryptions of "m" equals the coset m·C1 (m identified with any fixed ciphertext that decrypts to m)


Consequence

c is an encryption of m  ⇔  c ∈ m·C1  ⇔  c·m^{-1} ∈ C1

Consequence: recognizing encryptions of m (given c, is D(c) = m?) is equivalent to recognizing encryptions of 1 (is D(c·m^{-1}) = 1?)


Immediate IND-CPA Security Characterization

Scheme is IND-CPA secure  ⇔  the subgroup membership problem (SMP) is hard w.r.t. C1, i.e. given c ∈ C it is hard to decide "c ∈ C1?" (is c an encryption of 1?)


Application: Easy IND-CPA Security Characterization of Existing Schemes

What about IND-CCA1?


Abstraction of Computational and Decisional Problems I (Simplified)

The Splitting Problem:

  • finite group G

  • subgroups N and R of G such that the map N × R → G, (n, r) ↦ n·r is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G, N, R).

  • Problem: given z ∈ G, compute σ(z)


Abstraction of Computational and Decisional Problems II (Simplified)

The Splitting and Subgroup Membership Problem:

  • Example instance (Diffie-Hellman), built over a cyclic group of prime order p:

    • The Splitting Problem for the corresponding (G, N, R) is the Computational Diffie-Hellman Problem

    • The corresponding SMP for (G, N) is the Decisional Diffie-Hellman Problem


SOAP = Splitting Oracle-Assisted SMP

Setup(λ): algorithm outputs (G, N, R)

Phase 1 (Learning): the adversary is given G and N and may query a splitting oracle for (G, N, R), i.e. obtain σ(z) for elements z of its choice

Phase 2 (Challenge): SMP for (G, N): given a challenge z, decide "z ∈ N?" (the splitting oracle is no longer available)


IND-CCA1 Security Characterization

Scheme is IND-CCA1 secure  ⇔  SOAP is hard w.r.t. the ciphertext group and its subgroup C1 of encryptions of 1

The IND-CCA1 game:

  • Setup: the public parameters are given to the adversary

  • Phase 1 (learning): the adversary chooses ciphertexts c_j and receives their decryptions m_j

  • Challenge: the adversary sends M0, M1; the challenger picks b ∈_R {0,1} and returns C := Encrypt(M_b)

  • The adversary outputs a guess for b (no decryption queries after the challenge)


Application: IND-CCA1 Characterization of Existing Schemes


Generic Scheme (Simplified)

Ciphertext group C with subgroup C1 (encryptions of 1); the encryptions of m form the coset m·C1

  • Encryption of m:

    • Sample c1 ∈ C1

    • Output c := m·c1

  • Decryption of c:

    • Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1)
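The generic scheme above, together with the two easy observations (C1 is a subgroup, encryptions of m form the coset m·C1), the trapdoor decision of the SMP from the IND-CPA slide, and the IND-CCA2 impossibility argument from the security-notions slide, worked out as an added example that is not code from the talk. The instance is Goldwasser-Micali-style: ciphertext group J_N (units mod N with Jacobi symbol +1), C1 = QR_N, plaintext group Z_2 with XOR (so the group identity "1" of the slides is the bit 0 here). The primes, the class name QRScheme and all helper names are constructed for this example.

```python
"""Generic group-homomorphic scheme instantiated with quadratic residues
(constructed example; primes and names chosen for this illustration).

  ciphertext group  C  = J_N, the units mod N with Jacobi symbol +1
  encryptions of 1  C1 = QR_N, the squares in J_N  (identity of the plaintext group)
  plaintext group   P  = Z_2 with XOR; its identity is the bit 0
  representatives   rep(0) = 1, rep(1) = y  with y in J_N but not in QR_N
  Encrypt(m) = rep(m) * c1 for random c1 in C1;  Decrypt(c) = coset of c modulo C1
"""
import math
import secrets


def jacobi(a, n):
    """Jacobi symbol (a/n) for odd n > 0 (computable without the factors of n)."""
    a %= n
    result = 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0


class QRScheme:
    def __init__(self, p, q):
        self.p, self.q, self.N = p, q, p * q          # (p, q) is the trapdoor
        # y: non-residue mod p and mod q => Jacobi(y/N) = +1 but y is not in QR_N
        y = 2
        while pow(y, (p - 1) // 2, p) != p - 1 or pow(y, (q - 1) // 2, q) != q - 1:
            y += 1
        self.y = y
        self.rep = {0: 1, 1: y}   # fixed system of representatives of C/C1

    # ---- public operations (need only N and y) ----
    def sample_c1(self):
        """Random element of C1 = QR_N: the square of a random unit."""
        while True:
            r = secrets.randbelow(self.N)
            if r > 1 and math.gcd(r, self.N) == 1:
                return r * r % self.N

    def encrypt(self, m):
        return self.rep[m] * self.sample_c1() % self.N      # c := rep(m) * c1

    def mul(self, c, d):
        """op* on ciphertexts; Decrypt(mul(c, d)) = Decrypt(c) xor Decrypt(d)."""
        return c * d % self.N

    def inv(self, c):
        return pow(c, -1, self.N)

    # ---- trapdoor operations ----
    def in_c1(self, c):
        """SMP 'c in C1?' for c in J_N, decided with the factor p (Euler's criterion).
        Without p or q this is the quadratic residuosity problem, i.e. the SMP on
        whose hardness the IND-CPA security of this instance rests."""
        return pow(c, (self.p - 1) // 2, self.p) == 1

    def decrypt(self, c):
        return 0 if self.in_c1(c) else 1


def cca2_attack(scheme, challenge, M0, M1, decrypt_oracle):
    """IND-CCA2 break that works for every scheme in the class: for i = b the
    ciphertext challenge * Encrypt(M_i)^-1 is an encryption of the identity, and one
    phase-2 decryption query on it (it differs from the challenge except with
    negligible probability) reveals b."""
    for i, M in enumerate((M0, M1)):
        probe = scheme.mul(challenge, scheme.inv(scheme.encrypt(M)))
        if decrypt_oracle(probe) == 0:        # 0 is the identity of (Z_2, xor)
            return i
    return None


if __name__ == "__main__":
    s = QRScheme(10007, 10009)                # small constructed primes, demo only
    c0, c1 = s.encrypt(0), s.encrypt(1)
    print("Decrypt:", s.decrypt(c0), s.decrypt(c1))
    print("homomorphic 1 xor 1 =", s.decrypt(s.mul(c1, c1)))
    print("CCA2 attack recovers b =", cca2_attack(s, s.encrypt(1), 0, 1, s.decrypt))
```

The public operations never touch p or q: anyone can sample C1 and multiply ciphertexts, which is exactly what the CCA2 attack exploits. The only place the trapdoor enters is in_c1, the SMP decision, which is why IND-CPA security of this instance is precisely the quadratic residuosity assumption.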


Application: Design of New Schemes

  • Given: SMP for a group G and a subgroup N

  • Interpret G as the ciphertext space and N as the encryptions of 1 (C1 := N)

  • Construct encryption/decryption as in the generic scheme

  • The scheme is IND-CPA secure iff the initial SMP is hard


Application: New Schemes


New Homomorphic Scheme 1 (k-linear)

  • The k-Linear Problem k-LP: a decisional problem that generalizes DDH

  • Properties in the Generic Group Model:

    • If k-LP is hard, then so is (k+1)-LP

    • k-LP is hard

    • Even if k-LP is easy, (k+1)-LP is still hard

  • k-SOAP, a new problem: the SOAP instance that corresponds to k-LP

    • k-SOAP provably behaves like k-LP in the generic group model

    • k-SOAP might be of independent interest

  • Plug k-SOAP into the Generic Scheme


New Homomorphic Scheme 1 (k-linear)

  • This Generic Scheme instance yields the first homomorphic scheme that is

    • IND-CPA secure if and only if k-LP is hard (for k > 2)

    • IND-CCA1 secure if and only if k-SOAP is hard


New Homomorphic Scheme 2 (Motivation)

  • "If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes" [HO10]

  • The existence of such homomorphic schemes is an open question!

  • We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD scheme [GBD01]


New Homomorphic Scheme 2 (Construction)

  • n = q0·q1 an RSA modulus such that p := 2n+1 is prime

  • Consider the cyclic subgroups G_n, G_q0 and G_q1 of Z_p^* whose orders correspond to the divisors n, q0 and q1 of p-1, respectively

  • Compute generators g0 and g1 of G_q0 and G_q1, respectively

  • Then g0·g1 is a generator of G_n

  • Plug the Splitting Problem for (G_n, G_q1, G_q0) into the Generic Scheme

  • Since G_n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
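Scheme 2 instantiated with toy parameters, as an added example that is not code from the talk: q0 = 13, q1 = 23, so n = 299 and p = 599 (constructed for the example; a real instance needs n to be an RSA modulus). Plaintexts are elements of G_q0 (they serve as their own coset representatives), C1 = G_q1, and decryption is the splitting map σ for (G_n, G_q1, G_q0), which is easy once the factorization q0, q1 of n is known. The class name CyclicScheme and its method names are assumptions of the example.

```python
"""Scheme 2 (cyclic ciphertext group) with toy parameters; constructed example.

  p = 2*n + 1 prime, n = q0*q1
  G_n, G_q0, G_q1: the subgroups of Z_p^* of orders n, q0, q1
  ciphertext group C = G_n,  C1 = G_q1,  plaintexts = G_q0 (their own representatives)
  Decrypt = splitting map sigma for (G_n, G_q1, G_q0): z = a*b -> (a, b)
"""
import secrets


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


class CyclicScheme:
    def __init__(self, q0, q1):
        n, p = q0 * q1, 2 * q0 * q1 + 1
        assert is_prime(q0) and is_prime(q1) and is_prime(p), "need 2*q0*q1 + 1 prime"
        self.q0, self.q1, self.n, self.p = q0, q1, n, p
        self.g0 = self._element_of_order(q0)      # generator of G_q0
        self.g1 = self._element_of_order(q1)      # generator of G_q1
        self.g = self.g0 * self.g1 % p            # generator of G_n since gcd(q0, q1) = 1
        self.q1_inv = pow(q1, -1, q0)             # trapdoor: needs the factorization of n

    def _element_of_order(self, r):
        # x^((p-1)/r) lies in the unique subgroup of order r (Z_p^* is cyclic);
        # r is prime, so it generates that subgroup unless it equals 1
        while True:
            h = pow(secrets.randbelow(self.p - 2) + 2, (self.p - 1) // r, self.p)
            if h != 1:
                return h

    def is_generator_of_Gn(self, x):
        """x generates G_n iff x^n = 1 and x has neither order 1, q0 nor q1."""
        return (pow(x, self.n, self.p) == 1 and pow(x, self.q0, self.p) != 1
                and pow(x, self.q1, self.p) != 1)

    # ---- public operations ----
    def plaintext(self, k):
        """The plaintext g0^k in G_q0 (plaintexts are group elements, as in the talk)."""
        return pow(self.g0, k, self.p)

    def encrypt(self, m):
        c1 = pow(self.g1, secrets.randbelow(self.q1), self.p)   # random c1 in C1 = G_q1
        return m * c1 % self.p                                   # c := m * c1

    def mul(self, c, d):
        """op* on ciphertexts: Decrypt(c*d) = Decrypt(c) * Decrypt(d) in G_q0."""
        return c * d % self.p

    # ---- trapdoor operations ----
    def split(self, z):
        """sigma(z) for z = a*b with a in G_q1, b in G_q0:  z^q1 = b^q1 kills the
        G_q1 part, and raising to q1^-1 mod q0 undoes the exponent inside G_q0."""
        b = pow(pow(z, self.q1, self.p), self.q1_inv, self.p)
        a = z * pow(b, -1, self.p) % self.p
        return a, b

    def in_c1(self, z):
        """SMP 'z in G_q1?' decided with q1 (the IND-CPA question for this scheme)."""
        return pow(z, self.q1, self.p) == 1

    def decrypt(self, c):
        return self.split(c)[1]       # the G_q0 component is the plaintext


if __name__ == "__main__":
    s = CyclicScheme(13, 23)          # p = 599
    m1, m2 = s.plaintext(5), s.plaintext(9)
    print("g0*g1 generates the cyclic group G_n:", s.is_generator_of_Gn(s.g))
    print("Decrypt(Enc(m1)*Enc(m2)) == m1*m2:",
          s.decrypt(s.mul(s.encrypt(m1), s.encrypt(m2))) == m1 * m2 % s.p)
```

Without q1 an attacker facing in_c1 has to decide membership in the order-q1 subgroup of G_n, which is the subgroup membership problem the slide relates to the GBD scheme; with q1 (and q1^{-1} mod q0) the same exponentiation becomes the splitting map and hence decryption.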


Application: Impossibility Results

  • Any algebraic homomorphic scheme with a prime-order ciphertext group is insecure in terms of IND-CPA! (a group of prime order has only the trivial subgroups, so C1 is either {1} or all of C, and the SMP is trivial)

  • Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (membership in a linear subspace is decided by linear algebra, so the SMP for C1 is easy)

    (this partly answers the open question whether using linear codes as ciphertext spaces yields more efficient constructions)
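The second impossibility result carried out on a constructed toy scheme, as an added example that is not code from the talk: ciphertexts are vectors over a small prime field F_p, C1 is the row space of a public matrix A, and plaintext m is represented by m·v for a public vector v outside C1. The distinguisher needs no trapdoor at all. It samples encryptions of the identity with the public key, which span C1, and then answers the SMP "challenge - M0·v ∈ C1?" with a rank computation. P, the class name LinearScheme, the dimensions and all helper names are assumptions of the example.

```python
"""Impossibility result for linear ciphertext spaces: a constructed toy scheme
plus the generic attack (not code from the talk).

  ciphertext group C  = F_p^n under vector addition; a linear subspace is a subgroup
  encryptions of 0    C1 = rowspace(A) for a public k x n matrix A
  plaintexts          Z_p, plaintext m represented by m*v, v a public vector not in C1
  Encrypt(m) = m*v + c1 with c1 random in C1
"""
import secrets

P = 101   # small prime field, constructed for the example


def rank_mod_p(rows, p=P):
    """Rank of a list of equal-length vectors over F_p (Gauss-Jordan elimination)."""
    M = [[x % p for x in r] for r in rows]
    rank = 0
    for col in range(len(M[0]) if M else 0):
        pivot = next((i for i in range(rank, len(M)) if M[i][col]), None)
        if pivot is None:
            continue
        M[rank], M[pivot] = M[pivot], M[rank]
        inv = pow(M[rank][col], -1, p)
        M[rank] = [x * inv % p for x in M[rank]]
        for i in range(len(M)):
            if i != rank and M[i][col]:
                f = M[i][col]
                M[i] = [(x - f * y) % p for x, y in zip(M[i], M[rank])]
        rank += 1
    return rank


def in_span(basis, vec, p=P):
    """vec in span(basis)?  True iff adjoining vec does not raise the rank."""
    return rank_mod_p(basis + [vec], p) == rank_mod_p(basis, p)


class LinearScheme:
    def __init__(self, n=8, k=5, p=P):
        self.p, self.n = p, n
        rnd = lambda: [secrets.randbelow(p) for _ in range(n)]
        self.A = [rnd() for _ in range(k)]          # C1 = rowspace(A), public
        self.v = rnd()                               # representative of plaintext 1
        while in_span(self.A, self.v, p):            # v must lie outside C1
            self.v = rnd()

    def sample_c1(self):
        """Random element of C1: a random linear combination of the rows of A."""
        coeffs = [secrets.randbelow(self.p) for _ in self.A]
        return [sum(a * row[j] for a, row in zip(coeffs, self.A)) % self.p
                for j in range(self.n)]

    def encrypt(self, m):
        c1 = self.sample_c1()
        return [(m * vi + ci) % self.p for vi, ci in zip(self.v, c1)]   # c := m*v + c1

    def add(self, c, d):
        """op* on ciphertexts: Decrypt(c + d) = Decrypt(c) + Decrypt(d) mod p."""
        return [(x + y) % self.p for x, y in zip(c, d)]


def ind_cpa_attack(encrypt, v, challenge, M0, M1, samples=20, p=P):
    """IND-CPA distinguisher for any such scheme: public encryptions of the identity
    0 give a spanning set of C1 (with overwhelming probability), and the coset test
    'challenge - M0*v in C1?' is a rank computation.  Returns the guess for b."""
    basis = [encrypt(0) for _ in range(samples)]
    shifted = [(ci - M0 * vi) % p for ci, vi in zip(challenge, v)]
    return 0 if in_span(basis, shifted, p) else 1


if __name__ == "__main__":
    s = LinearScheme()
    b = secrets.randbelow(2)
    c = s.encrypt((3, 7)[b])
    print("challenger chose b =", b, "; attacker says", ind_cpa_attack(s.encrypt, s.v, c, 3, 7))
```

The attack is independent of how decryption works or what trapdoor the scheme keeps: the subgroup C1 is always sampleable with the public key, and for a linear subspace sampleability plus Gaussian elimination already solves the SMP, which is the whole content of the impossibility result.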




Summary

  • Considered the class of algebraic homomorphic encryption schemes

  • Presented a generic framework for such schemes

    • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security

    • Supports the construction of new schemes (starting from the problem)

    • Allows for certain impossibility results (code-based)

  • Constructed two new schemes with special properties (k-linear, cyclic)


Most Recent Results and Future Work (Fully Homomorphic Encryption)

  • Extension of the IND-CPA characterization to Gentry's "blueprint" for constructing fully homomorphic encryption schemes (encompasses all currently known schemes)

    • What are the consequences for existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong

  • To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. So far, however, such a scheme only exists in the Random Oracle Model.

    • Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model, if possible at all!


Thank you!