a cleaner view on ind-cca1 secure homomorphic encryption using soap

18.01.2011 | Andreas Peter | A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP | 1

Frederik Armknecht1, Andreas Peter2 and Stefan Katzenbeisser2

A Cleaner View on IND-CCA1 Secure Homomorphic Encryption using SOAP

1 Universität Mannheim, Germany2 Technische Universität Darmstadt, Germany

ISG Research SeminarRoyal Holloway University of London

20.01.2011


Outline

1. Introduction/Motivation

2. Our Results

3. Technical Details

4. Conclusion


Outline


2. Our Results


4. Conclusion


Motivation 1: Outsourcing of Data

Server

• What if the server itself is corrupted?• 2001: Heartland Information Services• 2003: University of California at San Francisco• 2005: Private data from 50 million Americans stolen


Store data encryptedOn request, computation is done on encrypted data

Encrypted result is given back

Request

Possible Solution


+

+

+ +

⊞

Motivation 2: Electronic Voting


Homomorphic Encryption (Informal)

• Encryption that allows one to evaluate certain functions over encrypted

data without being able to decrypt

op

2 27 7

9 9

op*


Other Applications

• Private Information Retrieval

• Multiparty Computation

• Oblivious Polynomial Evaluation

• ...


Parameters: N=p ∙ q with p,q large primes (approx. 1000 bits)

Plaintext space: ZN (={0,…,N-1} modulo N)

Ciphertext: ZN (={0,…,N-1} modulo N)

Encryption Key: e ∈ ZN with gcd(e, (p-1)(q-1) )=1

Decryption key: d ∈ ZN with e ∙ d mod ((p-1)∙(q-1)) = 1

Encryption of m: c := me mod N

Decryption of c: cd mod N = m

Homomorphism:eee mmmm )'('

m m‘ = m∙m‘

Example: RSA (1978)


Scheme Plaintext Space Security related to

RSA; 1978 Integers modulo N=p*q Factorization

Goldwasser, Micali; 1984 1 Bit Quadratic residues mod N

Benaloh; 1985 Integers modulo R s.t. … Rth residues mod N

ElGamal; 1985 Cyclic group G Decision Diffie-Hellman in G

Paillier; 1999 Integers modulo N Nth residues mod N2

Damgaard, Jurik; 2001 Integers modulo Ns Nth residues mod Ns+1

Boneh, Goh, Nissim; 2005 Group over elliptic curve Decision Diffie-Hellman

• Different approaches• Some are much better understood than others• Question: Unified view on security and design of theses schemes?

Homomorphic Encryption Schemes (Overview)


Outline


2. Our Results


4. Conclusion


Recall: “Homomorphic = allows for operations on encrypted data”

Can mean different things, depending on the application. E.g.,

Addition/Multiplication of integers (i.e., algebraic operations)

Evaluating certain circuits

Operation on character strings, e.g., removing/inserting

Here: We concentrate on homomorphic encryption in the algebraic sense

A Large Class of Homomorphic Encryption


Plaintextspace

Ciphertextspace

Encryption E

Decryption D

Classical Encryption Scheme


Plaintextspace

Ciphertextspace

Encryption E

Decryption D

Groups

Group homomorphism, i.e.D(c op* c’)=D(c) op D(c’)

Our Class of Homomorphic Encryption


Security Notions for Encryption Schemes

• IND-CCA2

No Homomorphic Encryption Scheme can be IND-CCA2 secure!

(because is an encryption of 1 for some i)

• IND-CCA1

• IND-CPA

(strongest)

(strongest)


Scheme IND-CPA secure if the following problem is hard

IND-CCA1 secure if the following problem is hard

ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]

Paillier; 1999 Nth residues mod N2; 1999 ??

Damgaard, Jurik; 2001 Nth residues mod Ns+1; 2001 ??

Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ??

Security of Existing Schemes


Scheme IND-CPA secure if the following problem is hard






Abstract scheme

Abstract problem:SMP

(subgroup membership problem)

Abstract problem:SOAP

(splitting oracle assisted SMP)

Our Result: Abstraction and Characterization


Scheme IND-CPA secure if and only if the following problem is hard

IND-CCA1 secure if and only if the following problem is hard



Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ??


Abstract scheme

Abstract problem:SMP

(subgroup membership problem)

Abstract problem:SOAP

(splitting oracle assisted SMP)

Our Result: Abstraction and Characterization


Application: Easy Confirmation of Known Results











Paillier; 1999 Nth residues mod N2; 1999 ✓

Damgaard, Jurik; 2001 Nth residues mod Ns+1; 2001 ✓

Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ✓

Application: Missing Characterizations








Scheme 1 K-Linear Problem New K-Problem

Scheme 2 Gonzales-Nieto et al.; 2005 New Problem

Application: New Schemes


Scheme IND-CPA Security

ElGamal; 1985 Decision Diffie-Hellman; 1998

Paillier; 1999 Nth residues mod N2; 1999

Damgaard, Jurik; 2001 Nth residues mod Ns+1; 2001

Boneh et al.; 2005 Decision Diffie-Hellman; 2005

Scheme 1 K-Linear Problem

Scheme 2 Gonzales-Nieto et al.; 2005

Ciphertext group has prime order Problem instance always weak

Ciphertext group is a vector space over a prime field (e.g. linear code)

Problem instance always weak

Application: Impossibility Results


Outline


2. Our Results


4. Conclusion


Plaintexts Ciphertexts

encryption

decryption

Groups

Group homomorphism

Our Considered Class of Homomorphic Encryption Schemes (Reminder)



encryption

decryption

Groups

Group homomorphism

1 Encr. of 1C1

• Encryptions of „1“ form a normal subgroup C1 of the ciphertext space C

Easy Observations I



encryption

decryption

Groups

Group homomorphism

1C1

• Set of encryptions of „m“ equals the coset m C⋅ 1

m

Encr. of mm C⋅ 1

Easy Observations II


Consequence

c = encryp-tion of m

⟺ c m∙C∈ 1 c∙m-1 C∈ 1⟺

Therefore:

Consequence:Recognizing

encryptions of m

m‘m‘=m?

Recognizing encryptions of 1

m‘m‘=1?⟺


Immediate IND-CPA Security Characterization

Scheme isIND-CPA SECURE

⟺

Subgroup membership problem (SMP)is hard w.r.t. C1

C1

c C∈ 1?c








What about IND-CCA1?

Application: Easy IND-CPA Security Characterization of Existing Schemes


Abstraction of Computational and Decisional Problems I (Simplified)

• finite group G• subgroups N and R of G such that the map

is a group isomorphism. Its inverse is denoted by σ and is calledthe splitting map for (G,N,R).

The Splitting Problem:

computeσ(z)


Abstraction of Computational and Decisional Problems II (Simplified)

The Splitting and Subgroup Membership Problem:

Example instance (Diffie-Hellman):• be a cyclic group of prime order p

• for

• The Splitting Problem for

is the Computational Diffie-Hellman Problem

• The corresponding SMP for

is the Decisional Diffie-Hellman Problem


SOAP = Splitting Oracle-Assisted SMP

SMP for (G,N)

N

z N?∈z

Phase 1: Learning Phase 2: ChallengeSplitting Oracle

Setup(λ) Algorithm outputs: (G,N,R)

G


IND-CCA1 Security Characterization

Scheme isIND-CCA1 SECURE

⟺

SOAPis hard w.r.t. .

Setup

Decrypt

Public param.

cj

mj

C

ChooseCiphertext

M0,M1

b ∈R {0,1}C:=Encrypt(Mb)

Challenge

Guess for b


Application: IND-CCA1 Characterization of Existing Schemes









encryption

decryption1

C1

• Encryption of m: • Sample c1 C∈ 1

• Output c := m∙c1

• Decryption of c: • Determine c mod C1 (w.r.t. a fixed system of

representatives of C/C1)

mm C⋅ 1

Generic Scheme (Simplified)


Group GPlaintextSpace

encryption

decryptionN

• Given: SMP for group G and subgroup N• Interpret G as ciphertext space and N as encryption of 1• Construct encryption/decryption as in the generic scheme• Scheme is IND-CPA secure iff initial SMP is hard

C1

Ciphertext Space

Application: Design of New Schemes








Scheme 1 K-Linear Problem New K-Problem

Scheme 2 Gonzales-Nieto et al.; 2005 New Problem

Application: New Schemes


Plug into Generic Scheme

New Homomorphic Scheme 1 (k-linear)

The k-Linear Problem k-LP for

• Decisional problem that generalizes DDH

• Properties in the Generic Group Model:

If (k+1)-LP is hard, then so is k-LP

k-LP is hard

If k-LP is easy, then (k+1)-LP is still hard

k-SOAP – a new k-Problem: SOAP instance that corresponds to k-LP

• k-SOAP provably behaves as k-LP in the generic group model

• K-SOAP might be of independent interest


New Homomorphic Scheme 1 (k-linear)

This Generic Scheme instance yields the first homomorphic scheme that

is

• IND-CPA secure if and only if k-LP is hard (for k>2)

• IND-CCA1 secure if and only if k-SOAP is hard


New Homomorphic Scheme 2 (Motivation)

• “If there exist IND-CPA secure homomorphic schemes with cyclic

ciphertext group, then we can efficiently construct IND-CCA2 secure

encryption schemes” [HO10]

• The existence of such homomorphic schemes is an open question!

• We construct such a scheme whose IND-CPA security is equivalent to a

new problem whose hardness is equivalent to the well-analyzed SMP of

the GBD-scheme [GBD01]


New Homomorphic Scheme 2 (Construction)

• n=q0q1 RSA-modulus such that p := 2n+1 is prime

• Consider the cyclic subgroups Gn, Gq0 and Gq1 whose orders correspond

to the divisors n, q0 and q1 of p-1, respectively

• Compute generators g0 and g1 of Gq0 and Gq1, respectively

• Then g0g1 is a generator of Gn

• Plug the Splitting Problem for (Gn, Gq1, Gq0) into Generic Scheme

• Since Gn is cyclic, this yields the first homomorphic scheme with a cyclic

ciphertext group!


Application: Impossibility Results

• Any algebraic homomorphic scheme with prime-ordered ciphertext group

is insecure in terms of IND-CPA!

• Any algebraic homomorphic scheme where the ciphertexts form a linear

subspace of Fn (for some prime field F), e.g. a linear code, is insecure in

terms of IND-CPA!

(this partly answers an open question whether using linear codes as ciphertext

spaces yield more efficient constructions)


Outline


2. Our Results


4. Conclusion


Summary

• Considered the class of algebraic homomorphic encryption schemes

• Presented a generic framework for such schemes

• Allows for an easy security characterization both in terms of IND-CPA and IND-

CCA1 security

• Supports construction of new schemes (starting from the problem)

• Allows for certain impossibility results (code-based)

• Constructed two new schemes with special properties (k-linear, cyclic)


Most Recent Results and Future Work(Fully Homomorphic Encryption)

Extension of IND-CPA characterization to Gentry‘s „blueprint“ for

constructing fully homomorphic encryption schemes (encompasses all

currently known schemes)

oWhat are the consequences to existing schemes? Good news: e.g., [DGHV10]

is based on an assumption that is too strong

To get fully homomorphic encryption, Gentry needs a bootstrappable

scheme that is KDM-secure. This, however, does only exist in the

Random Oracle Model.

o Extension to KDM-security and construction of a KDM-secure bootstrappable

scheme in the standard model – if possible at all!


Thank you!

a cleaner view on ind-cca1 secure homomorphic encryption using soap

Documents