A New Approach for Algebraically Homomorphic Encryption

Transcription

1 A New Approach for Algebraically Homomorphic Encryption Joint work with Ahmad Reza Sadeghi, supported by the EU project SPEED Frederik Armknecht Group for Cryptographic Mechanisms and Security Models Horst Görtz Institute for IT Security Ruhr University Bochum, Germany ALI/SALSA joint seminar in cryptography, December 6, 2008; Paris, France 1

2 Overview 1. Introduction 2. The scheme 3. Discussion and conclusions 2

3 3 1. Introduction

4 Encryption key Encryption Decryption key Plaintext Ciphertext Encryption Decryption 4

5 Homomorphic Encryption Preserves algebraic structure of plaintext space Plaintext Space Ciphertext Space Encryption + Encryption 5

6 RSA (1978) Parameters: N=p q with p,q large primes (approx bits) Plaintext space: Z N (={0,,N 1} modulo N) Chiffretexte: Z N (={0,,N 1} modulo N) Encryption Key: e Z N with gcd(e, (p 1)(q 1) )=1 Decryption key: d Z N with e d mod ((p 1) (q 1)) = 1 Encryption of m: c := m e mod N Decryption of c: c d mod N = m Homomorphism: e e m m' = ( m m' ) e m m = m m 6

7 7 EU Project SPEED

8 Outsourcing of Data Amount of data increases Several users per database Outsourcing increases efficiency and saves costs Server 8

9 Security Encryption and access control protects againstoutsiderattackers What if the server itself is corrupted? 2001: Heartland Information Services 2003: University of California at San Francisco 2005: Private data from 50 million Americans stolen Access control Server 9

10 Possible Solution Use homomorphic encryption that is compatible with usual operations, e.g., searching Store data encrypted Request 10

11 Further Applications Private information retrieval Multiparty computation Electronic voting 11

12 Some existing homomorphic encryption schemes Scheme Plainext Space Security related to RSA; 1978 Integers modulo N=p*q Factorization Goldwasser, Micali; Bit Quadratic residues mod N Benaloh; 1985 Integers modulo R s.t. R th residues mod N ElGamal; 1985 Cyclic group G Decision Diffie Hellman in G Paillier; 1999 Integers modulo N N th residues mod N 2 Daamgard, Jurik; 2001 Integers modulo N s N th residues mod N s+1 Boneh, Goh, Nissim; 2005 Group over elliptic curve Decision Diffie Hellman Mainly support only one operation (group homomorphism) Plaintext space is group or a modulo ring Security always related to number theoretic problem 12

13 Algebraically Homomorphic Encryption Supports two operations, e.g. E k (m) E k (m )=E k (m+m ) and E k (m) E k (m )=E k (m m ) Existing schemes Authors Fellows, Koblitz (1993) Domingo Ferrer (2002) Boneh, Goh, Nissim (2005) Melchor, Gaborit, Herranz (2008) Comments Security unsure Broken Arbitrary many additions but only one multiplication Small plaintext space No proof of security Small plaintext space 13

14 Challenge Contribution Our contribution Algebraic homomorphism Provable secure Algebraic structure Large plaintext space Unlimited additions and a fixed (but arbitrary) number of multiplications Security based on a known decoding problem Works over arbitrary fields Unlimited field size Drawbacks: Symmetric Inefficient Number of encryptions needs to be limited Underlying problem needs more research 14

15 15 2. Scheme

16 Coding Theory Message Codeword Random errors Coding Errorneous channels Decoding 16

17 Reed Solomon Codes Error correction codes A message is in encoded such that a certain number of failures during transmission can be corrected Used in practice Pictures transmitted via the Voyager Missions s Compact Disc Cryptography and Coding Theory McEliece; 1978 Fischer, Stern; 1996 Kiayas, Yung; 2001, 2007 Augot, Finiasz;

18 Reed Solomon Codes: Encoding Parameters: Finite field F; support points x 0,x 1,,x n ; integers t,k Encoding of a message m F: Choose random polynomial p(x) of degree k with p(x 0 )=m Compute Y:=(y 1,,y n ):=(p(x 1 ),,p(x n )) and and submit it During transmission, some entries may get errorneous m y 1 y 3 y 8 y 12 y 2 y 4y5 y 7 y 9y10 y y 11 6 p(x) x 0 x 1 x 12 18

19 Reed Solomon Codes: Decoding Parameters: Finite field F; support points x 0,x 1,,x n ; integers t,k Decoding of transmission Y=(y 1,,y n ): Find a polynomial p(x) that meets most coordinates (x i,y i ) Compute p(x 0 )=m y 12 y 2 y 4y5 y m y 9 y 6 7 y 10 y p(x) 11 y 1 y 3 y 8 x 0 x 1 x 12 19

20 Encryption based on Coding Theory Artificial errors Message Errorneous codeword Encryption (= Encoding) Decryption (= Decoding) 20

21 Encryption Parameters: Finite field F; support points x 0,x 1,,x n ; integers t,k Encryption key: I {1,,n} of size t (= error positions) Encryption of a message m: Choose random polynomial p(x) of degree k with p(x 0 )=m Comute Y:=(y 1,,y n ):=(p(x 1 ),,p(x n )) Replace for each i I the value y i by a random value (= error). Ciphertext C=(y 1,,y n ) (= Reed Solomon codeword) m y 1 y 3 y 8 y 12 y 2 y 4y5 y 7 y 9y10 y y 11 6 p(x) x 0 x 1 x 12 21

22 Decryption Parameters: Finite field F; support points x 0,x 1,,x n ; integers t,k Decryption key: I {1,,n} of size t (= error positions) Decryption of a ciphertext C=(y 1,,y n ): Ignore errorneous y i values Interpolate p(x) through the remaining, correct y i values Compute p(x 0 )=m y 12 y 2 y 4y5 y m y 9 y 6 7 y 10 y p(x) 11 y 1 y 3 y 8 x 0 x 1 x 12 22

23 The Polynomial Reconstruction Problem (PRP) Public parameters: Finite field F, inputs (x 1,,x n ) F n, some integers k and t Input: Vector Y =(y 1,,y n ) F n Goal: Find all tuples (p(x); I) such that p(x) is a polynomial over F of degree k I is a subset of {1,,n} of size t p(x i )=y i for all i I Observe: Equivalent to decoding RS codes The PRP has been used to construct cryptographic schemes 23

24 An encryption scheme based on the PRP (Kiayas, Yung; 2002) Parameters: Public: Finite field F; input values x 1,,x n ; integers t,k Secret: I {1,,n} of size t (= the no error locations) Encryption: Encode plaintext m and a new index set I into a random polynomial p(x) of degree k Compute Y:=(y 1,,y n ):=(p(x 1 ),,p(x n )) Replace for all i not in I, y i by a random value (=error). Name this result C. Transmit C (=erroneous Y). Decryption: Given C and I, identify the pairs (x i, p(x i )) i I Use this knowledge to interpolate p(x) Reconstruct plaintext m and I from p(x) 24

25 Encryption based on Coding Theory Artificial errors Message Errorneous codeword Encryption (= Encoding) Decryption (= Decoding) Homomorphism: + = 25

26 Homomorphic Property Given: Two ciphertexts C=(y 1,,y n ) and C =(y 1,,y n ) under the same key I, i.e. ex. two polynomials p(x) and p (x) with m=p(x 0 ) and m =p (x 0 ) i I: y i =p(x i ) and y i =p (x i ) i I: y i and y i are errors Sum C :=(y 1,,y n ):=(y 1 +y 1,,y n +y n ): i I: y i =(p+p )(x i ) i I: y i is error Interpolation of C yields (p+p )(x) and in particular (p+p )(x 0 )=m+m. Produkt C :=(y 1,,y n ):=(y 1 y 1,,y n y n ): i I: y i =(p p )(x i ) i I: y i is error Interpolation of C yields (p p )(x) and in particular (p p )(x 0 )=m m. 26

27 The Synchronous Polynomial Reconstruction Problem (PRP) Public parameters: Finite field F, inputs (x 1,,x n ) F n, some integers k and t Input: Vectors {Y 1 =(y 1,1,,y 1,n ),, Y c =(y c,1,,y c,n )} F n Goal: Find tuples (p 1 (x),,p c (x); I) such that p j (x) is a polynomial over F of degree k, 1 j c I is a subset of {1,,n} of size t p j (x i )=y j,i for all i I and all 1 j c Observe: Equivalent to decoding special interleaved RS codes The SPRP has been investigated before SPRP is easier than the PRP Semantically secure under the assumption that SPRP is hard 27

28 28 3. Discussions and conclusions

29 Benefits Algebraic homomorphic Known non number theoretic problem Arbitrary finite fields In principle, non finite fields as well, but hardness of decoding problem is unclear Adaptive plaintext space extension Built in error correction 29

30 Parameter choice Parameters: c : number of encryptions m: number of multiplications s: security parameter n: length of the ciphertext (in field elements) k/2: length of the plaintext (in field elements) Conditions: Min(Binomial(n,k/2), Binomial(n,m k)) 2 s (Brute force) n/k (2m 1) c+1 /2 (Coppersmith et al.) n/k (c+1)m 1/2 (Shokrollahi et al.) 30

31 Some concrete values (80 bit security) c=5 c=10 c=20 c=100 m=2 8; ; ; ; m=3 6; ; ; m=5 4; ; ; m=10 4; ; m=20 3; ; m=100 2; ; ( Plaintext, Log 2 ( Ciphertext / Plaintext ) 31

32 Some concrete values (128 bit security) c=5 c=10 c=20 c=100 m=2 12; ; ; ; m=3 9; ; ; m=5 7; ; m=10 5; ; m=20 4; m=100 3; ( Plaintext, Log 2 ( Ciphertext / Plaintext ) 32

33 Drawbacks Interleaved RS codes: easier, the more code words are known. Ciphertext length has to be chosen in dependence of the number of encryptions Highly inefficient Symmetric encryption scheme Hardness assumption needs more research 33

34 Efficiency Open questions Hardness of the SPRP? Other coding schemes? Non finite fields Strengthen error correction aspect 34

35 35 Thank you