A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP - PowerPoint PPT Presentation

Presentation Transcript

  1. A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP. Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2). ISG Research Seminar, Royal Holloway University of London, 20.01.2011. (1) Universität Mannheim, Germany; (2) Technische Universität Darmstadt, Germany

  2. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  3. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  4. Motivation 1: Outsourcing of Data • What if the server itself is corrupted? • 2001: Heartland Information Services • 2003: University of California at San Francisco • 2005: Private data from 50 million Americans stolen

  5. Possible Solution • Store data encrypted • On request, computation is done on encrypted data • Encrypted result is given back

  6. Motivation 2: Electronic Voting (figure: encrypted votes are summed under encryption)

  7. Homomorphic Encryption (Informal) • Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt (figure: operation op on plaintexts corresponds to operation op* on ciphertexts)

  8. Other Applications • Private Information Retrieval • Multiparty Computation • Oblivious Polynomial Evaluation • ...

  9. Example: RSA (1978) • Parameters: N = p ∙ q with p, q large primes (approx. 1000 bits) • Plaintext space: Z_N (= {0,…,N-1} modulo N) • Ciphertext space: Z_N (= {0,…,N-1} modulo N) • Encryption key: e ∈ Z_N with gcd(e, (p-1)(q-1)) = 1 • Decryption key: d ∈ Z_N with e ∙ d mod ((p-1)∙(q-1)) = 1 • Encryption of m: c := m^e mod N • Decryption of c: c^d mod N = m • Homomorphism: Enc(m) ∙ Enc(m‘) = Enc(m ∙ m‘)

  10. Homomorphic Encryption Schemes (Overview) • Different approaches • Some are much better understood than others • Question: Unified view on security and design of these schemes?

  11. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  12. A Large Class of Homomorphic Encryption • Recall: “Homomorphic = allows for operations on encrypted data” • Can mean different things, depending on the application. E.g., • Addition/Multiplication of integers (i.e., algebraic operations) • Evaluating certain circuits • Operation on character strings, e.g., removing/inserting • Here: We concentrate on homomorphic encryption in the algebraic sense

  13. Classical Encryption Scheme (figure: plaintext space, ciphertext space, encryption E, decryption D)

  14. Our Class of Homomorphic Encryption (figure: plaintext space and ciphertext space are groups; encryption E, decryption D) • Decryption is a group homomorphism, i.e. D(c op* c’) = D(c) op D(c’)

  15. Security Notions for Encryption Schemes • IND-CCA2 (strongest) • No Homomorphic Encryption Scheme can be IND-CCA2 secure! (because … is an encryption of 1 for some i) • IND-CCA1 • IND-CPA

  16. Security of Existing Schemes

  17. Our Result: Abstraction and Characterization • Abstract scheme • Abstract problem: SMP (subgroup membership problem) • Abstract problem: SOAP (splitting oracle assisted SMP)

  18. Our Result: Abstraction and Characterization • Abstract scheme • Abstract problem: SMP (subgroup membership problem) • Abstract problem: SOAP (splitting oracle assisted SMP)

  19. Application: Easy Confirmation of Known Results

  20. Application: Missing Characterizations

  21. Application: New Schemes

  22. Application: Impossibility Results

  23. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  24. Our Considered Class of Homomorphic Encryption Schemes (Reminder) (figure: ciphertexts and plaintexts are groups; encryption, decryption; decryption is a group homomorphism)

  25. Easy Observations I (figure: ciphertexts, plaintexts, encryptions of 1 form C1, decryption is a group homomorphism) • Encryptions of „1“ form a normal subgroup C1 of the ciphertext space C

  26. Easy Observations II (figure: encryptions of m form the coset m⋅C1) • The set of encryptions of „m“ equals the coset m⋅C1

  27. Consequence • Therefore: c = encryption of m ⟺ c ∈ m∙C1 ⟺ c∙m^-1 ∈ C1 • Consequence: Recognizing encryptions of 1 ⟺ Recognizing encryptions of m (figure: decrypt c to m‘, then test m‘=1? resp. m‘=m?)

  28. Immediate IND-CPA Security Characterization • Scheme is IND-CPA SECURE ⟺ Subgroup membership problem (SMP) is hard w.r.t. C1 (figure: the SMP challenge is to decide c ∈ C1? for a given c)

  29. Application: Easy IND-CPA Security Characterization of Existing Schemes • What about IND-CCA1?

  30. Abstraction of Computational and Decisional Problems I (Simplified) • The Splitting Problem: • finite group G • subgroups N and R of G such that the map … is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R). • Task: given z ∈ G, compute σ(z)

  31. Abstraction of Computational and Decisional Problems II (Simplified) • The Splitting and Subgroup Membership Problem: • Example instance (Diffie-Hellman): • Let … be a cyclic group of prime order p • … for … • The Splitting Problem for … is the Computational Diffie-Hellman Problem • The corresponding SMP for … is the Decisional Diffie-Hellman Problem

  32. SOAP = Splitting Oracle-Assisted SMP • Setup(λ) algorithm outputs (G,N,R) • Phase 1: Learning (the adversary has access to a Splitting Oracle for (G,N,R)) • Phase 2: Challenge: SMP for (G,N), i.e. decide z ∈ N? for a given z ∈ G

  33. IND-CCA1 Security Characterization • Scheme is IND-CCA1 SECURE ⟺ SOAP is hard w.r.t. … (figure, the IND-CCA1 game: Setup outputs the public parameters; the adversary chooses ciphertexts cj and receives their decryptions mj; the adversary then submits M0, M1; the challenger picks b ∈R {0,1} and returns the challenge C := Encrypt(Mb); the adversary outputs a guess for b)

  34. Application: IND-CCA1 Characterization of Existing Schemes

  35. Generic Scheme (Simplified) (figure: plaintext m, encryptions of 1 form C1, encryptions of m form m⋅C1) • Encryption of m: • Sample c1 ∈ C1 • Output c := m∙c1 • Decryption of c: • Determine c mod C1 (w.r.t. a fixed system of representatives of C/C1)

  36. Application: Design of New Schemes (figure: group G as ciphertext space, subgroup N as C1, encryption into G, decryption to the plaintext space) • Given: SMP for group G and subgroup N • Interpret G as ciphertext space and N as encryptions of 1 • Construct encryption/decryption as in the generic scheme • Scheme is IND-CPA secure iff initial SMP is hard
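The generic scheme of slides 25-28 and 35-36 instantiated with the quadratic residuosity SMP (the Goldwasser-Micali setting), as an added Python example that is not part of the talk: the ciphertext group C is the Jacobi-symbol-(+1) subgroup of Z_N^*, C1 is the subgroup of squares (the encryptions of the plaintext identity, bit 0), and the coset y⋅C1 holds the encryptions of bit 1. The primes, the representative y and all function names are constructed here, not taken from the slides.

```python
import math
import random

# Constructed toy parameters (not from the talk): tiny primes so the example runs
# instantly; the quadratic residuosity SMP is only hard for ~1000-bit primes.
P, Q = 10007, 10009
N = P * Q
def is_qr(a, p):
    # Euler's criterion: a is a square mod the prime p iff a^((p-1)/2) = 1 mod p.
    return pow(a % p, (p - 1) // 2, p) == 1

def jacobi(a, n):
    # Jacobi symbol (a/n): the public test that c lies in the ciphertext group C.
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def find_coset_representative():
    # Smallest non-square mod P and mod Q with Jacobi +1: {1, y} represents C/C1.
    y = 2
    while is_qr(y, P) or is_qr(y, Q):
        y += 1
    return y

Y = find_coset_representative()

def encrypt(m):
    # Generic scheme: sample c1 in C1 (a random square), output m * c1 = y^m * r^2.
    r = random.randrange(2, N)
    while math.gcd(r, N) != 1:
        r = random.randrange(2, N)
    return pow(Y, m, N) * pow(r, 2, N) % N
def in_c1(c):
    # Subgroup membership "c in C1?": needs the secret factors of N.
    return is_qr(c, P) and is_qr(c, Q)
def decrypt(c):
    # Determine c mod C1: coset C1 -> bit 0, coset Y*C1 -> bit 1.
    return 0 if in_c1(c) else 1
def rerandomize(c):
    # Multiplying by an encryption of the identity keeps the coset (and the bit).
    return c * encrypt(0) % N
```

The product of two ciphertexts decrypts to the XOR of the two bits, which is the group homomorphism D(c op* c') = D(c) op D(c') from slide 14, and rerandomize shows why a decryption oracle after the challenge (IND-CCA2) cannot be withstood.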

  37. Application: New Schemes

  38. New Homomorphic Scheme 1 (k-linear) • The k-Linear Problem k-LP for … • Decisional problem that generalizes DDH • Properties in the Generic Group Model: • If (k+1)-LP is hard, then so is k-LP • k-LP is hard • If k-LP is easy, then (k+1)-LP is still hard • k-SOAP – a new k-problem: SOAP instance that corresponds to k-LP • k-SOAP provably behaves as k-LP in the generic group model • k-SOAP might be of independent interest • Plug into Generic Scheme

  39. New Homomorphic Scheme 1 (k-linear) • This Generic Scheme instance yields the first homomorphic scheme that is • IND-CPA secure if and only if k-LP is hard (for k>2) • IND-CCA1 secure if and only if k-SOAP is hard

  40. New Homomorphic Scheme 2 (Motivation) • “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10] • The existence of such homomorphic schemes is an open question! • We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]

  41. New Homomorphic Scheme 2 (Construction) • n = q0∙q1 RSA-modulus such that p := 2n+1 is prime • Consider the cyclic subgroups Gn, Gq0 and Gq1 whose orders correspond to the divisors n, q0 and q1 of p-1, respectively • Compute generators g0 and g1 of Gq0 and Gq1, respectively • Then g0∙g1 is a generator of Gn • Plug the Splitting Problem for (Gn, Gq1, Gq0) into the Generic Scheme • Since Gn is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
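The construction of slide 41 with constructed toy parameters, as an added Python example that is not from the talk: q0 = 13, q1 = 17, n = 221 and p = 2n+1 = 443 (prime). The subgroups Gn, Gq0 and Gq1 of Z_p^* are generated as on the slide, decryption is the splitting map σ for (Gn, Gq1, Gq0), and the test checks that g0∙g1 generates the cyclic Gn. Which values are public and which are secret is an assumption made here (the slide does not spell it out): the factors q0, q1 act as the decryption key, and a real instance needs an RSA-size n.

```python
import random

# Constructed toy parameters (not from the talk): q0, q1 are tiny primes with
# p = 2*q0*q1 + 1 prime. A real instance needs an RSA-size n = q0*q1.
Q0, Q1 = 13, 17
N_MOD = Q0 * Q1          # the RSA modulus n (the subgroup N of the slide is G_q1)
P = 2 * N_MOD + 1        # p = 2n + 1 = 443, prime

def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))

def subgroup_generator(order):
    # Generator of the cyclic subgroup of Z_p^* of the given order dividing p-1:
    # raise a random element to (p-1)/order until the result is not 1.
    while True:
        g = pow(random.randrange(2, P - 1), (P - 1) // order, P)
        if g != 1:
            return g

def multiplicative_order(x):
    k, acc = 1, x
    while acc != 1:
        acc = acc * x % P
        k += 1
    return k

G0 = subgroup_generator(Q0)   # generates G_q0, the plaintext representatives R
G1 = subgroup_generator(Q1)   # generates G_q1, the encryptions of 1 (subgroup N)

def encrypt(m):
    # m must lie in G_q0; multiply by a random element of G_q1 (an encryption of 1).
    return m * pow(G1, random.randrange(Q1), P) % P

def split(z):
    # Splitting map sigma for (G_n, G_q1, G_q0): returns the (G_q1, G_q0) components.
    # Raising to q1 kills the G_q1 part; q1^{-1} mod q0 undoes that exponent on G_q0.
    e0 = Q1 * pow(Q1, -1, Q0)
    r = pow(z, e0, P)
    e1 = Q0 * pow(Q0, -1, Q1)
    n_part = pow(z, e1, P)
    return n_part, r

def decrypt(c):
    # Decryption = the R-component of the splitting map; needs the secret q0, q1.
    return split(c)[1]

def encode(i):
    # Map a message index 0 <= i < q0 to the plaintext group element g0^i.
    return pow(G0, i, P)
```

Because σ is a group isomorphism, the product of two ciphertexts decrypts to the product of the two plaintexts in Gq0, i.e. encode(i)∙encode(j) = encode(i+j mod q0).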

  42. Application: Impossibility Results • Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA! • Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA! (this partly answers an open question whether using linear codes as ciphertext spaces yields more efficient constructions)

  43. Outline • Introduction/Motivation • Our Results • Technical Details • Conclusion

  44. Summary • Considered the class of algebraic homomorphic encryption schemes • Presented a generic framework for such schemes • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security • Supports construction of new schemes (starting from the problem) • Allows for certain impossibility results (code-based) • Constructed two new schemes with special properties (k-linear, cyclic)

  45. Most Recent Results and Future Work (Fully Homomorphic Encryption) • Extension of IND-CPA characterization to Gentry‘s „blueprint“ for constructing fully homomorphic encryption schemes (encompasses all currently known schemes) • What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong • To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, does only exist in the Random Oracle Model. • Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!

  46. Thank you!