## A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP


**A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP**

Frederik Armknecht¹, Andreas Peter² and Stefan Katzenbeisser²

ISG Research Seminar, Royal Holloway University of London, 20.01.2011

¹ Universität Mannheim, Germany
² Technische Universität Darmstadt, Germany

**Outline**
• Introduction/Motivation
• Our Results
• Technical Details
• Conclusion

**Motivation 1: Outsourcing of Data**
• What if the server itself is corrupted?
• 2001: Heartland Information Services
• 2003: University of California at San Francisco
• 2005: Private data from 50 million Americans stolen

**Possible Solution**
• Store data encrypted
• On request, computation is done on encrypted data
• Encrypted result is given back

**Motivation 2: Electronic Voting**

**Homomorphic Encryption (Informal)**
• Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt

**Other Applications**
• Private Information Retrieval
• Multiparty Computation
• Oblivious Polynomial Evaluation
• ...

**Example: RSA (1978)**
• Parameters: N = p∙q with p, q large primes (approx. 1000 bits)
• Plaintext space: Z_N (= {0,…,N-1} modulo N)
• Ciphertext: Z_N (= {0,…,N-1} modulo N)
• Encryption key: e ∈ Z_N with gcd(e, (p-1)(q-1)) = 1
• Decryption key: d ∈ Z_N with e∙d mod ((p-1)∙(q-1)) = 1
• Encryption of m: c := m^e mod N
• Decryption of c: c^d mod N = m
• Homomorphism: (encryption of m) ∙ (encryption of m') = encryption of m∙m'

**Homomorphic Encryption Schemes (Overview)**
• Different approaches
• Some are much better understood than others
• Question: Unified view on security and design of these schemes?

**Outline**
• Introduction/Motivation
• Our Results
• Technical Details
• Conclusion

**A Large Class of Homomorphic Encryption**
• Recall: "Homomorphic = allows for operations on encrypted data"
• Can mean different things, depending on the application. E.g.,
  • Addition/Multiplication of integers (i.e., algebraic operations)
  • Evaluating certain circuits
  • Operation on character strings, e.g., removing/inserting

Here: We concentrate on homomorphic encryption in the algebraic sense

**Classical Encryption Scheme**
• Plaintext space, ciphertext space
• Encryption E, decryption D

**Our Class of Homomorphic Encryption**
• Plaintext space, ciphertext space: groups
• Encryption E, decryption D
• Group homomorphism, i.e. D(c op* c') = D(c) op D(c')

**Security Notions for Encryption Schemes**
• IND-CCA2 (strongest)
  • No Homomorphic Encryption Scheme can be IND-CCA2 secure! (because is an encryption of 1 for some i)
• IND-CCA1
• IND-CPA

**Our Result: Abstraction and Characterization**
• Abstract scheme
• Abstract problem: SMP (subgroup membership problem)
• Abstract problem: SOAP (splitting oracle assisted SMP)

**Outline**
• Introduction/Motivation
• Our Results
• Technical Details
• Conclusion

**Our Considered Class of Homomorphic Encryption Schemes (Reminder)**
• Ciphertexts, plaintexts: groups
• Encryption, decryption
• Group homomorphism

**Easy Observations I**
• Encryptions of "1" form a normal subgroup C1 of the ciphertext space C

**Easy Observations II**
• Set of encryptions of "m" equals the coset m⋅C1

**Consequence**
• Therefore: c = encryption of m ⟺ c ∈ m∙C1 ⟺ c∙m^-1 ∈ C1
• Consequence: Recognizing encryptions of 1 (m' = 1?) ⟺ Recognizing encryptions of m (m' = m?)

**Immediate IND-CPA Security Characterization**
• Scheme is IND-CPA secure ⟺ Subgroup membership problem (SMP) is hard w.r.t. C1
• SMP: given c, decide c ∈ C1?

**Application: Easy IND-CPA Security Characterization of Existing Schemes**
What about IND-CCA1?

**Abstraction of Computational and Decisional Problems I (Simplified)**
The Splitting Problem:
• finite group G
• subgroups N and R of G such that the map is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R).
• compute σ(z)

**Abstraction of Computational and Decisional Problems II (Simplified)**
The Splitting and Subgroup Membership Problem:
• Example instance (Diffie-Hellman):
  • be a cyclic group of prime order p
  • for
• The Splitting Problem for is the Computational Diffie-Hellman Problem
• The corresponding SMP for is the Decisional Diffie-Hellman Problem

**SOAP = Splitting Oracle-Assisted SMP**
• Setup(λ): algorithm outputs (G,N,R)
• Phase 1 (Learning): Splitting Oracle
• Phase 2 (Challenge): SMP for (G,N), i.e. z ∈ N?

**IND-CCA1 Security Characterization**
Scheme is IND-CCA1 secure ⟺ SOAP is hard w.r.t.

IND-CCA1 game:
• Setup: public parameters
• Choose ciphertext c_j, Decrypt returns m_j
• M0, M1
• b ∈_R {0,1}, challenge C := Encrypt(M_b)
• Guess for b

**Generic Scheme (Simplified)**
• Encryption of m:
  • Sample c1 ∈ C1
  • Output c := m∙c1
• Decryption of c:
  • Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1)

**Application: Design of New Schemes**
• Given: SMP for group G and subgroup N
• Interpret G as ciphertext space and N as encryption of 1
• Construct encryption/decryption as in the generic scheme
• Scheme is IND-CPA secure iff initial SMP is hard

**New Homomorphic Scheme 1 (k-linear)**
• The k-Linear Problem k-LP for
• Decisional problem that generalizes DDH
• Properties in the Generic Group Model:
  • If (k+1)-LP is hard, then so is k-LP
  • k-LP is hard
  • If k-LP is easy, then (k+1)-LP is still hard

k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP
• k-SOAP provably behaves as k-LP in the generic group model
• k-SOAP might be of independent interest

Plug into Generic Scheme

**New Homomorphic Scheme 1 (k-linear)**
• This Generic Scheme instance yields the first homomorphic scheme that is
  • IND-CPA secure if and only if k-LP is hard (for k>2)
  • IND-CCA1 secure if and only if k-SOAP is hard

**New Homomorphic Scheme 2 (Motivation)**
• "If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes" [HO10]
• The existence of such homomorphic schemes is an open question!
• We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]

**New Homomorphic Scheme 2 (Construction)**
• n = q0q1 RSA-modulus such that p := 2n+1 is prime
• Consider the cyclic subgroups Gn, Gq0 and Gq1 whose orders correspond to the divisors n, q0 and q1 of p-1, respectively
• Compute generators g0 and g1 of Gq0 and Gq1, respectively
• Then g0g1 is a generator of Gn
• Plug the Splitting Problem for (Gn, Gq1, Gq0) into Generic Scheme
• Since Gn is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!

**Application: Impossibility Results**
• Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA!
• Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (this partly answers an open question whether using linear codes as ciphertext spaces yield more efficient constructions)

**Outline**
• Introduction/Motivation
• Our Results
• Technical Details
• Conclusion

**Summary**
• Considered the class of algebraic homomorphic encryption schemes
• Presented a generic framework for such schemes
  • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security
  • Supports construction of new schemes (starting from the problem)
  • Allows for certain impossibility results (code-based)
• Constructed two new schemes with special properties (k-linear, cyclic)

**Most Recent Results and Future Work (Fully Homomorphic Encryption)**
• Extension of IND-CPA characterization to Gentry's "blueprint" for constructing fully homomorphic encryption schemes (encompasses all currently known schemes)
• What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong
• To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, does only exist in the Random Oracle Model.
• Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!
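
The generic scheme instantiated with the Scheme 2 construction, as an added Python example (not code from the talk or its authors): ciphertext group Gn, C1 = Gq1, and Gq0 as the system of representatives that carries the plaintexts. The toy primes q0 = 13 and q1 = 17, the function names, and the use of the factorisation (q0, q1) as decryption key are assumptions made for illustration.

```python
import secrets

# Constructed toy parameters (far too small for real use):
# q0, q1 prime, n = q0*q1, and p = 2n + 1 prime, as on the construction slide.
Q0, Q1 = 13, 17
N = Q0 * Q1          # 221
P = 2 * N + 1        # 443, prime

def subgroup_generator(order):
    """Generator of the unique subgroup of Z_p^* with the given prime order."""
    for h in range(2, P):
        g = pow(h, (P - 1) // order, P)
        if g != 1:   # the order divides a prime, so g != 1 has exactly that order
            return g
    raise ValueError("no generator found")

G0 = subgroup_generator(Q0)   # generates Gq0, used here as the plaintext group
G1 = subgroup_generator(Q1)   # generates Gq1 = C1, the encryptions of 1

def encrypt(m):
    """Generic scheme: sample c1 in C1, output c := m * c1."""
    if pow(m, Q0, P) != 1:
        raise ValueError("plaintext must lie in Gq0")
    c1 = pow(G1, secrets.randbelow(Q1), P)
    return (m * c1) % P

def split(c):
    """Splitting map for (Gn, Gq1, Gq0): c -> (part in Gq1, part in Gq0).

    Assumption of this sketch: the secret key is the factorisation (q0, q1).
    """
    e = Q1 * pow(Q1, -1, Q0)  # e = 0 mod q1 and e = 1 mod q0
    r_part = pow(c, e, P)     # kills the Gq1 component, keeps the Gq0 one
    n_part = (c * pow(r_part, -1, P)) % P
    return n_part, r_part

def decrypt(c):
    """'Determine c mod C1': the Gq0 component is the coset representative."""
    return split(c)[1]

def in_c1(c):
    """Subgroup membership test for C1 = Gq1, easy with the trapdoor q1."""
    return pow(c, Q1, P) == 1
```

Without q1, deciding `in_c1` is the SMP that the IND-CPA characterization refers to; `split` is the oracle an IND-CCA1 adversary gets in the SOAP learning phase.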