A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2)
(1) Universität Mannheim, Germany
(2) Technische Universität Darmstadt, Germany

ISG Research Seminar, Royal Holloway University of London, 20.01.2011

Feb 23, 2016

Page 1: A  Cleaner View  on IND-CCA1  Secure Homomorphic Encryption using  SOAP

18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1

Frederik Armknecht (1), Andreas Peter (2) and Stefan Katzenbeisser (2)

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

(1) Universität Mannheim, Germany
(2) Technische Universität Darmstadt, Germany

ISG Research Seminar
Royal Holloway University of London

20.01.2011

Page 2

Outline

1. Introduction/Motivation

2. Our Results

3. Technical Details

4. Conclusion

Page 3

Outline

1. Introduction/Motivation

2. Our Results

3. Technical Details

4. Conclusion

Page 4

Motivation 1: Outsourcing of Data

[Figure: Server]

• What if the server itself is corrupted?
  • 2001: Heartland Information Services
  • 2003: University of California at San Francisco
  • 2005: Private data from 50 million Americans stolen

• Server performs some computation on its stored data

Page 5

Possible Solution

• Store data encrypted
• On request, computation is done on encrypted data
• Encrypted result is given back

[Figure label: Request]

Page 6

Homomorphic Encryption (Informal)

• Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt

[Figure: values 2, 7 and 9 with the operations op and op*]

Page 7

Example Application: Electronic Voting

[Figure: diagram with + operations]

Page 8

Other Applications

• Private Information Retrieval

• Multiparty Computation

• Oblivious Polynomial Evaluation

• ...

Page 9

Example Scheme: RSA (1978)

Parameters: N = p ∙ q with p, q large primes (approx. 1000 bits)

Plaintext space: Z_N (= {0,…,N-1} modulo N)

Ciphertext: Z_N (= {0,…,N-1} modulo N)

Encryption key: e ∈ Z_N with gcd(e, (p-1)(q-1)) = 1

Decryption key: d ∈ Z_N with e ∙ d mod ((p-1)∙(q-1)) = 1

Encryption of m: c := m^e mod N

Decryption of c: c^d mod N = m

Homomorphism: m^e ∙ m'^e = (m ∙ m')^e

[Figure: ciphertexts of m and m' combine to a ciphertext of m∙m']

Page 10

Homomorphic Encryption Schemes (Overview)

| Scheme | Plaintext Space | Security related to |
|---|---|---|
| RSA; 1978 | Integers modulo N=p*q | Factorization |
| Goldwasser, Micali; 1984 | 1 Bit | Quadratic residues mod N |
| Benaloh; 1985 | Integers modulo R s.t. … | Rth residues mod N |
| ElGamal; 1985 | Cyclic group G | Decision Diffie-Hellman in G |
| Paillier; 1999 | Integers modulo N | Nth residues mod N^2 |
| Damgaard, Jurik; 2001 | Integers modulo N^s | Nth residues mod N^(s+1) |
| Boneh, Goh, Nissim; 2005 | Group over elliptic curve | Decision Diffie-Hellman |

• Different approaches
• Some are much better understood than others
• Question: Unified view on security and design of these schemes?

Page 11

Outline

1. Introduction/Motivation

2. Our Results

3. Technical Details

4. Conclusion

Page 12

A Large Class of Homomorphic Encryption

Recall: “Homomorphic = allows for operations on encrypted data”

Can mean different things, depending on the application. E.g.,

• Addition/Multiplication of integers (i.e., algebraic operations)
• Evaluating certain circuits
• Operation on character strings, e.g., removing/inserting

Here: We concentrate on homomorphic encryption in the algebraic sense

Page 13

Classical Encryption Scheme

[Figure: plaintext space and ciphertext space, connected by Encryption E and Decryption D]

Page 14

Our Class of Homomorphic Encryption

[Figure: plaintext space and ciphertext space, both groups, connected by Encryption E and Decryption D]

Group homomorphism, i.e. D(c op* c') = D(c) op D(c')

Page 15

Security Notions for Encryption Schemes

• IND-CCA2 (strongest)

• IND-CCA1

• IND-CPA

Page 16

Defining security: IND-CPA

[Diagram: messages exchanged between Oracle and Attacker over time]

• Setup: the Attacker receives the public param.
• Challenge: the Attacker sends M_0, M_1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(M_b)
• Guess for b: Attacker wins if he correctly guesses b

Page 17

Security Notions for Encryption Schemes

• IND-CCA2 (strongest)

• IND-CCA1

• IND-CPA

Page 18

Defining security: IND-CCA1

[Diagram: messages exchanged between Oracle and Attacker over time]

• Setup: the Attacker receives the public param.
• Choose Ciphertext: the Attacker sends c_j, Decrypt returns m_j
• Challenge: the Attacker sends M_0, M_1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(M_b)
• Guess for b: Attacker wins if he correctly guesses b

Page 19

Security Notions for Encryption Schemes

• IND-CCA2 (strongest)

• IND-CCA1

• IND-CPA

Page 20

Defining security: IND-CCA2

[Diagram: messages exchanged between Oracle and Attacker over time]

• Setup: the Attacker receives the public param.
• Choose Ciphertext: the Attacker sends c_j, Decrypt returns m_j
• Challenge: the Attacker sends M_0, M_1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(M_b)
• Choose Ciphertext (after the challenge): the Attacker sends c_j ≠ C, Decrypt returns m_j
• Guess for b: Attacker wins if he correctly guesses b

Page 21

Security Notions for Encryption Schemes

• IND-CCA2 (strongest): No Homomorphic Encryption Scheme can be IND-CCA2 secure!

(because is an encryption of 1 for some i)

• IND-CCA1

• IND-CPA
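
The IND-CCA2 statement above, played out as a game against ElGamal (one of the schemes in the overview table). This is an added example, not code from the talk; the toy group parameters, the class and function names, and the choice of ElGamal as the instance are assumptions made for illustration.

```python
import secrets

# Constructed toy group (far too small for real use): P = 2Q + 1 with P, Q prime;
# G = 4 generates the subgroup of prime order Q in Z_P^*.
P, Q, G = 2039, 1019, 4


def encrypt(h, m):
    """ElGamal encryption of a subgroup element m under public key h."""
    r = secrets.randbelow(Q - 1) + 1          # r in [1, Q-1], so G^r != 1
    return (pow(G, r, P), m * pow(h, r, P) % P)


def multiply(c, d):
    """op*: component-wise product; decrypts to the product of the plaintexts."""
    return (c[0] * d[0] % P, c[1] * d[1] % P)


class Challenger:
    """Oracle side of the game. post_challenge_queries=True models IND-CCA2,
    False models IND-CCA1 (the decryption oracle closes once C is issued)."""

    def __init__(self, post_challenge_queries):
        self.x = secrets.randbelow(Q - 1) + 1  # secret key
        self.h = pow(G, self.x, P)             # public parameter
        self.post = post_challenge_queries
        self.C = None

    def challenge(self, m0, m1):
        self.b = secrets.randbelow(2)
        self.C = encrypt(self.h, (m0, m1)[self.b])
        return self.C

    def decrypt(self, c):
        if self.C is not None and not self.post:
            raise PermissionError("IND-CCA1: no decryption after the challenge")
        if c == self.C:
            raise PermissionError("IND-CCA2: c_j must differ from C")
        shared = pow(c[0], self.x, P)
        return c[1] * pow(shared, P - 2, P) % P   # divide by c1^x

    def wins(self, guess):
        return guess == self.b


def rerandomizing_attacker(ch):
    """Multiplies C by a fresh encryption of 1 and asks for its decryption."""
    m0, m1 = pow(G, 5, P), pow(G, 7, P)       # two distinct subgroup elements
    C = ch.challenge(m0, m1)
    c_prime = multiply(C, encrypt(ch.h, 1))   # same plaintext as C, but c' != C
    return 0 if ch.decrypt(c_prime) == m0 else 1


def play_cca2(rounds=50):
    """Number of IND-CCA2 games (out of `rounds`) the attacker wins."""
    wins = 0
    for _ in range(rounds):
        ch = Challenger(post_challenge_queries=True)
        wins += ch.wins(rerandomizing_attacker(ch))
    return wins


if __name__ == "__main__":
    print("IND-CCA2 games won:", play_cca2(), "of 50")
```

With `post_challenge_queries=False` the same query is refused, which is why IND-CCA1 is the strongest of the three notions a homomorphic scheme can still meet.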

Page 22

Security of Existing Schemes

| Scheme | IND-CPA secure if the following problem is hard | IND-CCA1 secure if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ?? |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ?? |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ?? |

Page 23

Our Result: Abstraction and Characterization

| Scheme | IND-CPA secure if the following problem is hard | IND-CCA1 secure if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ?? |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ?? |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ?? |
| Abstract scheme | Abstract problem: SMP (subgroup membership problem) | Abstract problem: SOAP (splitting oracle assisted SMP) |

Page 24

Our Result: Abstraction and Characterization

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ?? |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ?? |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ?? |
| Abstract scheme | Abstract problem: SMP (subgroup membership problem) | Abstract problem: SOAP (splitting oracle assisted SMP) |

Page 25

Application: Easy Confirmation of Known Results

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ?? |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ?? |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ?? |

Page 26

Application: Missing Characterizations

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ✓ |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ✓ |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ✓ |

Page 27

Application: New Schemes

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ✓ |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ✓ |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ✓ |
| Scheme 1 | K-Linear Problem | New K-Problem |
| Scheme 2 | Gonzales-Nieto et al.; 2005 | New Problem |

Page 28

Application: Impossibility Results

| Scheme | IND-CPA Security |
|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 |
| Paillier; 1999 | Nth residues mod N^2; 1999 |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 |
| Scheme 1 | K-Linear Problem |
| Scheme 2 | Gonzales-Nieto et al.; 2005 |
| Ciphertext group has prime order | Problem instance always weak |
| Ciphertext group is a vector space over a prime field (e.g. linear code) | Problem instance always weak |

Page 29

Outline

1. Introduction/Motivation

2. Our Results

3. Technical Details

4. Conclusion

Page 30

Our Considered Class of Homomorphic Encryption Schemes (Reminder)

[Figure: Plaintexts and Ciphertexts, both groups, connected by encryption and decryption; group homomorphism]

Page 31

Easy Observations I

[Figure: Plaintexts and Ciphertexts, both groups, connected by encryption and decryption; group homomorphism; the plaintext 1 corresponds to the set C_1 of encryptions of 1]

• Encryptions of „1“ form a normal subgroup C_1 of the ciphertext space C

Page 32

Easy Observations II

[Figure: Plaintexts and Ciphertexts, both groups, connected by encryption and decryption; group homomorphism; the plaintext 1 corresponds to C_1, the plaintext m to the set m⋅C_1 of encryptions of m]

• Set of encryptions of „m“ equals the coset m⋅C_1

Page 33

Consequence

c = encryption of m ⟺ c ∈ m∙C_1 ⟺ c∙m^-1 ∈ C_1

Therefore:

Recognizing encryptions of m ⟺ Recognizing encryptions of 1

[Figure: decision boxes "m' = m?" and "m' = 1?"]

Page 34

Immediate IND-CPA Security Characterization

Scheme is IND-CPA SECURE ⟺ Subgroup membership problem (SMP) is hard w.r.t. C_1

[Figure: given c, decide "c ∈ C_1?"]

Page 35

Application: Easy IND-CPA Security Characterization of Existing Schemes

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ?? |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ?? |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ?? |

What about IND-CCA1?

Page 36

Abstraction of Computational and Decisional Problems I (Simplified)

• finite group G
• subgroups N and R of G such that the map

is a group isomorphism. Its inverse is denoted by σ and is called the splitting map for (G,N,R).

The Splitting Problem:

compute σ(z)

Page 37

Abstraction of Computational and Decisional Problems II (Simplified)

The Splitting and Subgroup Membership Problem:

Example instance (Diffie-Hellman):

• be a cyclic group of prime order p

• for

• The Splitting Problem for

is the Computational Diffie-Hellman Problem

• The corresponding SMP for

is the Decisional Diffie-Hellman Problem

Page 38

SOAP = Splitting Oracle-Assisted SMP

• Setup(λ) Algorithm outputs: (G,N,R)
• Phase 1: Learning, with access to the Splitting Oracle
• Phase 2: Challenge, the SMP for (G,N): for z in G, decide "z ∈ N?"

Page 39

IND-CCA1 Security Characterization

Scheme is IND-CCA1 SECURE ⟺ SOAP is hard w.r.t. .

[Diagram: the IND-CCA1 game]

• Setup: the Attacker receives the public param.
• Choose Ciphertext: the Attacker sends c_j, Decrypt returns m_j
• Challenge: the Attacker sends M_0, M_1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(M_b)
• Guess for b

Page 40

Application: IND-CCA1 Characterization of Existing Schemes

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ✓ |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ✓ |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ✓ |

Page 41

Generic Scheme (Simplified)

[Figure: Plaintexts and Ciphertexts, connected by encryption and decryption; the plaintext 1 corresponds to C_1, the plaintext m to m⋅C_1]

• Encryption of m:
  • Sample c_1 ∈ C_1
  • Output c := m∙c_1

• Decryption of c:
  • Determine c mod C_1 (w.r.t. a fixed system of representatives of C/C_1)

Page 42

Application: Design of New Schemes

[Figure: Group G as Ciphertext Space and subgroup N as C_1, connected to the Plaintext Space by encryption and decryption]

• Given: SMP for group G and subgroup N
• Interpret G as ciphertext space and N as encryption of 1
• Construct encryption/decryption as in the generic scheme
• Scheme is IND-CPA secure iff initial SMP is hard

Page 43

Application: New Schemes

| Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard |
|---|---|---|
| ElGamal; 1985 | Decision Diffie-Hellman; 1998 | [Lipmaa; 2010] |
| Paillier; 1999 | Nth residues mod N^2; 1999 | ✓ |
| Damgaard, Jurik; 2001 | Nth residues mod N^(s+1); 2001 | ✓ |
| Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 | ✓ |
| Scheme 1 | K-Linear Problem | New K-Problem |
| Scheme 2 | Gonzales-Nieto et al.; 2005 | New Problem |

Page 44

New Homomorphic Scheme 1 (k-linear)

The k-Linear Problem k-LP for

• Decisional problem that generalizes DDH (=1-LP)
• If (k+1)-LP is hard, then so is k-LP
• Properties in the Generic Group Model:
  • k-LP is hard
  • If k-LP is easy, then (k+1)-LP is still hard

k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP

• k-SOAP provably behaves as k-LP in the generic group model
• k-SOAP might be of independent interest

Plug into Generic Scheme

Page 45

New Homomorphic Scheme 1 (k-linear)

This Generic Scheme instance yields the first homomorphic scheme that is

• IND-CPA secure if and only if k-LP is hard (for k>2)

• IND-CCA1 secure if and only if k-SOAP is hard

Page 46

New Homomorphic Scheme 2 (Motivation)

• “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10]

• The existence of such homomorphic schemes is an open question!

• We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]

• In particular, this yields a new IND-CCA2 scheme!

Page 47

New Homomorphic Scheme 2 (Construction)

• n = q_0 q_1 RSA-modulus such that p := 2n+1 is prime

• Consider the cyclic subgroups G_n, G_q0 and G_q1 whose orders correspond to the divisors n, q_0 and q_1 of p-1, respectively

• Compute generators g_0 and g_1 of G_q0 and G_q1, respectively

• Then g_0 g_1 is a generator of G_n

• Plug the Splitting Problem for (G_n, G_q1, G_q0) into Generic Scheme

• Since G_n is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
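
The construction above, plugged into the generic scheme of slide 41 and the membership test of slide 33, as an added example that is not code from the talk. The toy primes, the function names, the reading of (G_n, G_q1, G_q0) as "encryptions of 1 are G_q1, plaintexts are elements of G_q0", and decryption by exponentiation with the secret factors are assumptions of this sketch.

```python
import secrets

Q0, Q1 = 13, 17          # secret prime factors of n (constructed toy values)
N = Q0 * Q1              # n = q0 * q1 = 221
P = 2 * N + 1            # p = 2n + 1 = 443


def is_prime(x):
    return x > 1 and all(x % d for d in range(2, int(x ** 0.5) + 1))


def subgroup_generator(order):
    """Generator of the unique subgroup of Z_p^* of the given prime order."""
    for h in range(2, P):
        g = pow(h, (P - 1) // order, P)
        if g != 1:                       # any non-identity element generates it
            return g


G0, G1 = subgroup_generator(Q0), subgroup_generator(Q1)


def element_order(x):
    k, y = 1, x
    while y != 1:
        y, k = y * x % P, k + 1
    return k


def encrypt(m):
    """Generic scheme: sample c1 in C_1 = G_q1 and output c := m * c1.
    The exponent is drawn below n, so only public values (p, n, g1) are used."""
    c1 = pow(G1, secrets.randbelow(N), P)
    return m * c1 % P


def decrypt(c):
    """Determine c mod C_1: raising to q1 removes the G_q1 component, and
    q1^-1 mod q0 undoes that exponent inside G_q0. Needs the factors of n."""
    q1_inv = pow(Q1, Q0 - 2, Q0)         # inverse of q1 modulo the prime q0
    return pow(c, Q1 * q1_inv, P)


def in_C1(c):
    """Subgroup membership with the secret key: c in G_q1 iff c^q1 = 1."""
    return pow(c, Q1, P) == 1


def encrypts(c, m):
    """c is an encryption of m  <=>  c * m^-1 lies in C_1."""
    return in_C1(c * pow(m, P - 2, P) % P)


if __name__ == "__main__":
    m, m2 = pow(G0, 5, P), pow(G0, 8, P)
    c, c2 = encrypt(m), encrypt(m2)
    print("p prime:", is_prime(P), "| order of g0*g1:", element_order(G0 * G1 % P))
    print("decrypts correctly:", decrypt(c) == m)
    print("homomorphic:", decrypt(c * c2 % P) == m * m2 % P)
    print("recognised as encryption of m:", encrypts(c, m))
```

Without q_0 and q_1, deciding `in_C1` is the subgroup membership problem whose hardness the IND-CPA characterization refers to; at this toy size it is of course trivial.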

Page 48

Application: Impossibility Results

• Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA!

• Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of F^n (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA!

(this partly answers an open question whether using linear codes as ciphertext spaces yields more efficient constructions)

Page 49

Outline

1. Introduction/Motivation

2. Our Results

3. Technical Details

4. Conclusion

Page 50

Summary

• Considered the class of algebraic homomorphic encryption schemes

• Presented a generic framework for such schemes
  • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security
  • Supports construction of new schemes (starting from the problem)
  • Allows for certain impossibility results (code-based)

• Constructed two new schemes with special properties (k-linear, cyclic)
  • Thereby constructing a new IND-CCA2 scheme

Page 51

Most Recent Results and Future Work (Fully Homomorphic Encryption)

• Extension of IND-CPA characterization to Gentry‘s „blueprint“ for constructing fully homomorphic encryption schemes (encompasses all currently known schemes)
  o What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong

• To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, exists only in the Random Oracle Model.
  o Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!

Page 52

Thank you!