18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1 Frederik Armknecht 1 , Andreas Peter 2 and Stefan Katzenbeisser 2 A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP 1 Universität Mannheim, Germany 2 Technische Universität Darmstadt, Germany ISG Research Seminar Royal Holloway University of London 20.01.2011
Frederik Armknecht¹, Andreas Peter² and Stefan Katzenbeisser²
A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP
¹ Universität Mannheim, Germany
² Technische Universität Darmstadt, Germany
ISG Research Seminar, Royal Holloway University of London
20.01.2011
Outline
1. Introduction/Motivation
2. Our Results
3. Technical Details
4. Conclusion
Motivation 1: Outsourcing of Data
Server
• What if the server itself is corrupted?
• 2001: Heartland Information Services
• 2003: University of California at San Francisco
• 2005: Private data from 50 million Americans stolen
• Server performs some computation on its stored data
Possible Solution
• Store data encrypted
• On request, computation is done on encrypted data
• Encrypted result is given back
Homomorphic Encryption (Informal)
• Encryption that allows one to evaluate certain functions over encrypted data without being able to decrypt
[Figure: plaintexts 2 and 7 with result 9 under op; the corresponding encrypted values under op*]
Example Application: Electronic Voting
[Figure: diagram with operations + and ⊞]
Other Applications
• Private Information Retrieval
• Multiparty Computation
• Oblivious Polynomial Evaluation
• ...
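Example Scheme: RSA (1978)
Parameters: $N = p \cdot q$ with $p, q$ large primes (approx. 1000 bits)
Plaintext space: $\mathbb{Z}_N$ ($= \{0, \dots, N-1\}$ modulo $N$)
Ciphertext: $\mathbb{Z}_N$ ($= \{0, \dots, N-1\}$ modulo $N$)
Encryption key: $e \in \mathbb{Z}_N$ with $\gcd(e, (p-1)(q-1)) = 1$
Decryption key: $d \in \mathbb{Z}_N$ with $e \cdot d \bmod ((p-1) \cdot (q-1)) = 1$
Encryption of $m$: $c := m^e \bmod N$
Decryption of $c$: $c^d \bmod N = m$
Homomorphism: $m^e \cdot m'^e = (m \cdot m')^e$
[Figure: encrypted m combined with encrypted m' equals encrypted m∙m']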
Homomorphic Encryption Schemes (Overview)
Scheme | Plaintext Space | Security related to
RSA; 1978 | Integers modulo N=p*q | Factorization
Goldwasser, Micali; 1984 | 1 Bit | Quadratic residues mod N
Benaloh; 1985 | Integers modulo R s.t. … | Rth residues mod N
ElGamal; 1985 | Cyclic group G | Decision Diffie-Hellman in G
Paillier; 1999 | Integers modulo N | Nth residues mod $N^2$
Damgaard, Jurik; 2001 | Integers modulo $N^s$ | Nth residues mod $N^{s+1}$
Boneh, Goh, Nissim; 2005 | Group over elliptic curve | Decision Diffie-Hellman
• Different approaches
• Some are much better understood than others
• Question: Unified view on security and design of these schemes?
Outline
1. Introduction/Motivation
2. Our Results
3. Technical Details
4. Conclusion
A Large Class of Homomorphic Encryption
Recall: “Homomorphic = allows for operations on encrypted data”
Can mean different things, depending on the application. E.g.,
• Addition/Multiplication of integers (i.e., algebraic operations)
• Evaluating certain circuits
• Operation on character strings, e.g., removing/inserting
Here: We concentrate on homomorphic encryption in the algebraic sense
Classical Encryption Scheme
[Figure: Plaintext space and Ciphertext space, linked by Encryption E and Decryption D]
Our Class of Homomorphic Encryption
[Figure: Plaintext space and Ciphertext space (Groups), linked by Encryption E and Decryption D]
Group homomorphism, i.e. D(c op* c’) = D(c) op D(c’)
Security Notions for Encryption Schemes
• IND-CCA2 (strongest)
• IND-CCA1
• IND-CPA
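Defining security: IND-CPA
Game between Oracle and Attacker (steps in order of time):
1. Setup: the Oracle sends the public parameters to the Attacker.
2. Challenge: the Attacker sends M0, M1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(Mb).
3. The Attacker outputs a guess for b.
Attacker wins if he correctly guesses b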
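Defining security: IND-CCA1
Game between Oracle and Attacker (steps in order of time):
1. Setup: the Oracle sends the public parameters to the Attacker.
2. Choose Ciphertext / Decrypt: the Attacker sends ciphertexts cj; the Oracle returns the decryptions mj.
3. Challenge: the Attacker sends M0, M1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(Mb).
4. The Attacker outputs a guess for b.
Attacker wins if he correctly guesses b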
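Defining security: IND-CCA2
Game between Oracle and Attacker (steps in order of time):
1. Setup: the Oracle sends the public parameters to the Attacker.
2. Choose Ciphertext / Decrypt: the Attacker sends ciphertexts cj; the Oracle returns the decryptions mj.
3. Challenge: the Attacker sends M0, M1; the Oracle picks b ∈R {0,1} and returns C := Encrypt(Mb).
4. Choose Ciphertext / Decrypt: the Attacker sends ciphertexts cj ≠ C; the Oracle returns the decryptions mj.
5. The Attacker outputs a guess for b.
Attacker wins if he correctly guesses b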
Security Notions for Encryption Schemes
• IND-CCA2 (strongest): No Homomorphic Encryption Scheme can be IND-CCA2 secure!
(because is an encryption of 1 for some i)
• IND-CCA1
• IND-CPA
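The IND-CCA2 game from the previous slide, played against a toy ElGamal instance (one of the schemes in the overview table), shows why the homomorphic property rules out IND-CCA2 security. This is an added example, not code from the talk; the parameters p = 2039, q = 1019, g = 4 and all function names are constructed for illustration.

```python
import secrets

# Constructed toy parameters: P = 2*Q + 1, G generates the subgroup of order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return pow(G, x, P), x                       # (public h, secret x)

def encrypt(h, m):
    r = secrets.randbelow(Q - 1) + 1
    return (pow(G, r, P), m * pow(h, r, P) % P)

def decrypt(x, c):
    a, b = c
    return b * pow(a, Q - x, P) % P              # a^(-x) = a^(Q-x), a has order Q

def combine(c, c2):
    """op*: component-wise product, so D(c op* c') = D(c) * D(c')."""
    return (c[0] * c2[0] % P, c[1] * c2[1] % P)

def ind_cca2_game():
    """One run of the IND-CCA2 game; True if the attacker's guess equals b."""
    h, x = keygen()
    m0, m1 = pow(G, 5, P), pow(G, 7, P)          # attacker's M0, M1
    b = secrets.randbelow(2)                     # oracle's hidden bit
    challenge = encrypt(h, (m0, m1)[b])

    def decrypt_oracle(c):                       # second phase: only cj != C
        if c == challenge:
            raise ValueError("query equals the challenge ciphertext")
        return decrypt(x, c)

    t = pow(G, 3, P)                             # plaintext known to the attacker
    related = combine(challenge, encrypt(h, t))  # differs from C, decrypts to Mb * t
    mb = decrypt_oracle(related) * pow(t, P - 2, P) % P
    guess = 0 if mb == m0 else 1
    return guess == b
```

The query is always admissible because the first component is multiplied by g^r with r ≠ 0, so the restriction cj ≠ C alone cannot protect a scheme whose ciphertexts can be combined publicly.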
Scheme | IND-CPA secure if the following problem is hard
Paillier; 1999 | Nth residues mod $N^2$; 1999 ✓
Damgaard, Jurik; 2001 | Nth residues mod $N^{s+1}$; 2001 ✓
Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 ✓
Generic Scheme (Simplified)
[Figure: Plaintexts and Ciphertexts linked by encryption and decryption; 1 ↦ $C_1$, m ↦ $m \cdot C_1$]
• Encryption of m:
  • Sample $c_1 \in C_1$
  • Output $c := m \cdot c_1$
• Decryption of c:
  • Determine $c \bmod C_1$ (w.r.t. a fixed system of representatives of $C/C_1$)
Application: Design of New Schemes
[Figure: Group G (Ciphertext Space) with subgroup N ($C_1$), Plaintext Space, encryption, decryption]
• Given: SMP for group G and subgroup N
• Interpret G as ciphertext space and N as encryption of 1
• Construct encryption/decryption as in the generic scheme
• Scheme is IND-CPA secure iff initial SMP is hard
Application: New Schemes
Scheme | IND-CPA secure if and only if the following problem is hard | IND-CCA1 secure if and only if the following problem is hard
Paillier; 1999 | Nth residues mod $N^2$; 1999 ✓
Damgaard, Jurik; 2001 | Nth residues mod $N^{s+1}$; 2001 ✓
Boneh et al.; 2005 | Decision Diffie-Hellman; 2005 ✓
Scheme 1 | K-Linear Problem | New K-Problem
Scheme 2 | Gonzales-Nieto et al.; 2005 | New Problem
New Homomorphic Scheme 1 (k-linear)
The k-Linear Problem k-LP for
• Decisional problem that generalizes DDH (=1-LP)
  • If (k+1)-LP is hard, then so is k-LP
• Properties in the Generic Group Model:
  • k-LP is hard
  • If k-LP is easy, then (k+1)-LP is still hard
k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP
• k-SOAP provably behaves as k-LP in the generic group model
• k-SOAP might be of independent interest
Plug into Generic Scheme
New Homomorphic Scheme 1 (k-linear)
This Generic Scheme instance yields the first homomorphic scheme that is
• IND-CPA secure if and only if k-LP is hard (for k>2)
• IND-CCA1 secure if and only if k-SOAP is hard
New Homomorphic Scheme 2 (Motivation)
• “If there exist IND-CPA secure homomorphic schemes with cyclic ciphertext group, then we can efficiently construct IND-CCA2 secure encryption schemes” [HO10]
• The existence of such homomorphic schemes is an open question!
• We construct such a scheme whose IND-CPA security is equivalent to a new problem whose hardness is equivalent to the well-analyzed SMP of the GBD-scheme [GBD01]
• In particular, this yields a new IND-CCA2 scheme!
New Homomorphic Scheme 2 (Construction)
• $n = q_0 q_1$ RSA-modulus such that $p := 2n+1$ is prime
• Consider the cyclic subgroups $G_n$, $G_{q_0}$ and $G_{q_1}$ whose orders correspond to the divisors $n$, $q_0$ and $q_1$ of $p-1$, respectively
• Compute generators $g_0$ and $g_1$ of $G_{q_0}$ and $G_{q_1}$, respectively
• Then $g_0 g_1$ is a generator of $G_n$
• Plug the Splitting Problem for $(G_n, G_{q_1}, G_{q_0})$ into Generic Scheme
• Since $G_n$ is cyclic, this yields the first homomorphic scheme with a cyclic ciphertext group!
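A toy instance of this construction plugged into the generic scheme, added here as an illustration and not taken from the talk. Assumptions: the subgroups live in the multiplicative group modulo p, G_{q1} plays the role of C1 (encryptions of 1) and G_{q0} is the plaintext space, and "c mod C1" is computed with a secret exponent; the primes 5 and 19 and all names are constructed.

```python
import secrets

# Constructed toy parameters (a real instance uses an RSA-sized n = q0*q1).
Q0, Q1 = 5, 19
N = Q0 * Q1
P = 2 * N + 1                                    # 191, which is prime

def element_of_order(q):
    """First h^((P-1)/q) != 1; its order is exactly q because q is prime."""
    for h in range(2, P):
        g = pow(h, (P - 1) // q, P)
        if g != 1:
            return g

G0, G1 = element_of_order(Q0), element_of_order(Q1)

def order(g):
    """Multiplicative order of g modulo P by direct iteration (toy sizes only)."""
    k, x = 1, g
    while x != 1:
        x, k = x * g % P, k + 1
    return k

def encrypt(m):
    """Generic scheme: sample c1 from C1 = G_q1, output m * c1 (m in G_q0)."""
    c1 = pow(G1, secrets.randbelow(N), P)
    return m * c1 % P

# Secret exponent (assumed decryption method): E = 0 mod q1 and E = 1 mod q0,
# so c^E removes the G_q1 part and fixes the G_q0 part, i.e. it returns the
# representative of c modulo C1.
E = Q1 * pow(Q1, Q0 - 2, Q0)

def decrypt(c):
    return pow(c, E, P)
```

Multiplying two ciphertexts modulo p is the group operation on the ciphertext space, and `order(G0 * G1 % P)` equals n, which is the cyclic ciphertext group the slide refers to.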
Application: Impossibility Results
• Any algebraic homomorphic scheme with prime-ordered ciphertext group is insecure in terms of IND-CPA!
• Any algebraic homomorphic scheme where the ciphertexts form a linear subspace of $F^n$ (for some prime field F), e.g. a linear code, is insecure in terms of IND-CPA!
(this partly answers an open question whether using linear codes as ciphertext spaces yields more efficient constructions)
Outline
1. Introduction/Motivation
2. Our Results
3. Technical Details
4. Conclusion
Summary
• Considered the class of algebraic homomorphic encryption schemes
• Presented a generic framework for such schemes
  • Allows for an easy security characterization both in terms of IND-CPA and IND-CCA1 security
  • Supports construction of new schemes (starting from the problem)
  • Allows for certain impossibility results (code-based)
• Constructed two new schemes with special properties (k-linear, cyclic)
  • Thereby constructing a new IND-CCA2 scheme
Most Recent Results and Future Work (Fully Homomorphic Encryption)
Extension of IND-CPA characterization to Gentry's “blueprint” for constructing fully homomorphic encryption schemes (encompasses all currently known schemes)
  o What are the consequences to existing schemes? Good news: e.g., [DGHV10] is based on an assumption that is too strong
To get fully homomorphic encryption, Gentry needs a bootstrappable scheme that is KDM-secure. This, however, exists only in the Random Oracle Model.
  o Extension to KDM-security and construction of a KDM-secure bootstrappable scheme in the standard model – if possible at all!