ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong...
ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION
Andrej Bogdanov, Chinese University of Hong Kong
Bertinoro Summer School | July 2014
based on joint work with Chin Ho Lee, Northeastern University
Public-key bit encryption
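[Diagram: Bob and Alice, keys SK and PK, message bit b; the ciphertext $\mathrm{Enc}_{PK}(b)$ is sent and $\mathrm{Dec}_{SK}(\mathrm{Enc}_{PK}(b)) = b$ is recovered]
message indistinguishability
$(PK, \mathrm{Enc}_{PK}(0))$ and $(PK, \mathrm{Enc}_{PK}(1))$ are computationally indistinguishable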
El Gamal encryption
$g, h$ in some large cyclic group
$PK = (g, h)$, $SK$ such that $g^{SK} = h$
$\mathrm{Enc}_{PK}(b) = (g^r, 2^b h^r)$ where $r$ random
$\mathrm{Dec}_{SK}(x, y) = b$ such that $y = 2^b x^{SK}$
Homomorphism of encryptions
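$\mathrm{Enc}_{PK}(b) = (g^r, 2^b h^r)$
$\mathrm{Enc}_{PK}(b) \cdot \mathrm{Enc}_{PK}(b')$ and $\mathrm{Enc}_{PK}(b + b')$ are identically distributed (strongly homomorphic)
$\mathrm{Dec}_{SK}(\mathrm{Enc}_{PK}(b) \cdot \mathrm{Enc}_{PK}(b')) = b + b'$ (weakly homomorphic)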
Does P ≠ NP imply cryptography?
provided SAT is worst-case hard
requires average-case hardness of distinguishing encryptions
Cryptography from lattices
If short vectors in certain lattices are worst-case hard to find, then we have...
Ajtai: one-way functions
Ajtai-Dwork: public-key encryption
Regev, Peikert, Gentry, Brakerski and Vaikuntanathan, ...: “somewhat” homomorphic encryption
but we can find them in NP ∩ coNP
Reductions
How to prove message indistinguishability?
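[Diagram: a reduction for "x ∈ SAT?" sends queries q1, q2 to a distinguisher, receives answers a1, a2 and outputs YES/NO; the distinguisher is given $(PK, \mathrm{Enc}_{PK}(b))$ and its output is biased towards b]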
From reductions to proof systems
Brassard
[Diagram: the reduction R from L to the distinguisher, recast as a proof system between a verifier and a prover]
randomness for R, transcript: is it correct?
for every query (PK, C): answer b, randomness r s.t. $\mathrm{Enc}_{PK}(b, r) = C$: are they correct?
OK
From reductions to proof systems
Conclusion
A reduction from L to distinguishing Enc implies that L is in NP ∩ coNP
Yes, but under implicit assumption that queries always have a unique answer (Goldreich and Goldwasser)
Brassard’s assumption
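for every PK
[Diagram: a query relative to the ciphertext sets $\mathrm{Enc}_{PK}(0)$ and $\mathrm{Enc}_{PK}(1)$]
what if
[Diagram: two other arrangements of the sets $\mathrm{Enc}_{PK}(0)$ and $\mathrm{Enc}_{PK}(1)$]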
Restricting the reduction
If reduction is nonadaptive then L is in AM ∩ coAM
For general encryptions, best we can say
Feigenbaum and Fortnow, B. and Trevisan, Akavia Goldreich Goldwasser and Moshkovitz
Our result
If Enc has weak homomorphic evaluator for f, then L is in AM ∩ coAM
Reduction can be adaptive, queries arbitrary
If reduction has constant query complexity, then L is in statistical zero-knowledge
Let f be a “polynomially sensitive” function
Sensitivity of functions
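[Diagram: f on the input 0100 and on the inputs that differ from it in one bit]
$\mathrm{sens}_0 f(0100) = 2$
$\mathrm{sens}_0 f = \max_x \mathrm{sens}_0 f(x)$
$f: \{0, 1\}^n \to \{0, 1\}$ is polynomially sensitive if $\mathrm{sens}_0 f$, $\mathrm{sens}_1 f$ are at least $n^{\Omega(1)}$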
[Diagram: the classes P, SZK, AM, coAM and the problem SAT, with regions labelled:]
Homomorphic encryptions, reductions of constant query complexity
Homomorphic encryptions, arbitrary reductions
previous works: Arbitrary encryptions, nonadaptive reductions
Rerandomization
The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key
El Gamal example
$PK = (g, h)$, $SK$ such that $g^{SK} = h$
$C = (g^r, 2^b h^r)$
$\mathrm{Rer}_{PK}(C) = C \cdot (g^{r'}, h^{r'})$ is i.i.d. with C
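Added example, not part of the original slides: a toy Python version of the El Gamal bit encryption above, checking the homomorphism and, by enumerating every r', that Rer(C) ranges over exactly the encryptions of b. The parameters P = 2039, Q = 1019, G = 4 and all function names are assumptions chosen for illustration.

```python
# Toy bit-ElGamal from the slides, in a subgroup of prime order Q.
# Constructed parameters, far too small for real use: P = 2Q + 1 = 2039.
import secrets

P, Q, G = 2039, 1019, 4          # G = 2^2 generates the order-Q subgroup
assert pow(2, Q, P) == 1         # the message base 2 lies in the same subgroup

def keygen():
    sk = 1 + secrets.randbelow(Q - 1)
    return sk, pow(G, sk, P)     # h = g^SK

def enc(h, b, r=None):
    """Enc_PK(b) = (g^r, 2^b h^r); r is drawn uniformly unless supplied."""
    r = secrets.randbelow(Q) if r is None else r
    return pow(G, r, P), pow(2, b, P) * pow(h, r, P) % P

def mul(c1, c2):
    """Componentwise product: the homomorphic operation on ciphertexts."""
    return c1[0] * c2[0] % P, c1[1] * c2[1] % P

def dec(sk, c, max_b=8):
    """Return the small b with y = 2^b * x^SK."""
    x, y = c
    m = y * pow(x, Q - sk, P) % P    # x^(Q-SK) = x^(-SK): x has order dividing Q
    for b in range(max_b + 1):
        if pow(2, b, P) == m:
            return b
    raise ValueError("plaintext outside the expected range")

def rer(h, c, r2=None):
    """Rer_PK(C) = C * (g^r', h^r'), computed without the secret key."""
    return mul(c, enc(h, 0, r2))

def all_encryptions(h, b):
    """Every ciphertext of b, one per choice of r."""
    return {enc(h, b, r) for r in range(Q)}

def all_rerandomizations(h, c):
    """Every output of Rer on c, one per choice of r'."""
    return {rer(h, c, r2) for r2 in range(Q)}
```

Because each r' yields a distinct output and the two sets coincide, a uniform r' makes Rer(C) uniform over the encryptions of b regardless of the r used in C.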
Rerandomization from evaluation
strong homomorphic evaluator for majority
[Diagram: H takes Enc(b) together with several copies of Enc(0) and Enc(1) as inputs; the construction is labelled Rer]
Rerandomization from evaluation
[Diagram: H applied to several copies of Enc(0)]
To H, Enc(0) indistinguishable from Enc(0), so output of H must forget most of Enc(0)
Rerandomization from evaluation
Lemma
If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.
We prove a weaker version for weak homomorphic evaluators and any sensitive f.
Distinguishing rerandomizations
Encryption can be broken using rerandomization and an SZK oracle
Rer(Enc(b)) vs. Enc(0)
If b = 0, they are statistically close
If b = 1, they must be statistically far
so they can be distinguished in SZK
The rest of the proof
Since we can decrypt in SZK, L can be solved with reduction + SZK oracle
So L is in $\mathrm{BPP}^{\mathrm{SZK}}$ ⊆ AM ∩ coAM (Mahmoody and Xiao)
For weak homomorphism and general f, not sure if true; we give new proof system
Quality of rerandomization
Lemma
If H is a homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.
For strong homomorphic evaluation, we can make this exponentially small.
Improving the rerandomization
[Diagram: H applied to Enc(b), Enc(0), Enc(1) outputs Enc(b); that output, together with Enc(1) and Enc(0), is fed into H again, which outputs Enc(b)]
Algorithm: Apply H iteratively t times.
Analysis
[Diagram: a tree of evaluators H; the leaf inputs are encryptions Enc(0) and Enc(1) and one Enc(b); the intermediate values are Enc(b), Enc(1), Enc(0); the final output is Enc(b)]
Analysis
[Diagram: the same tree of evaluators H with every leaf input equal to Enc(0) or Enc(1); the intermediate values are Enc(1), Enc(1), Enc(0); the final output is Enc(1)]
Analysis
If we recurse t times, original Enc(b) could be any one of $2^t$ inputs
Applying lemma, distinguishing advantage drops to O(√c/2^t)
Value of t is determined by quality of H: statistical distance between output of H and actual encryption