General Impossibility of Group Homomorphic Encryption in the Quantum World

Similar documents
arxiv: v2 [cs.cr] 13 Jan 2014

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Semantic Security and Indistinguishability in the Quantum World

5.4 ElGamal - definition

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Chapter 11 : Private-Key Encryption

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Modern symmetric-key Encryption

Public-Key Cryptography. Lecture 9 Public-Key Encryption Diffie-Hellman Key-Exchange

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 18 January 2019, 08:

5199/IOC5063 Theory of Cryptology, 2014 Fall

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Lecture 15 & 16: Trapdoor Permutations, RSA, Signatures

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Gentry s SWHE Scheme

Technische Universität München (I7) Winter 2013/14 Dr. M. Luttenberger / M. Schlund SOLUTION. Cryptography Endterm

COMP4109 : Applied Cryptography

1 Number Theory Basics

Public Key Cryptography

EXAM IN. TDA352 (Chalmers) - DIT250 (GU) 12 January 2018, 08:

El Gamal A DDH based encryption scheme. Table of contents

Provable security. Michel Abdalla

CHALMERS GÖTEBORGS UNIVERSITET. TDA352 (Chalmers) - DIT250 (GU) 11 April 2017, 8:30-12:30

Security Issues in Cloud Computing Modern Cryptography II Asymmetric Cryptography

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Lecture 22: RSA Encryption. RSA Encryption

Cryptography CS 555. Topic 24: Finding Prime Numbers, RSA

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Tuesday 30 October 2018

Provable Security for Public-Key Schemes. Outline. I Basics. Secrecy of Communications. Outline. David Pointcheval

Lecture Note 3 Date:

TECHNISCHE UNIVERSITEIT EINDHOVEN Faculty of Mathematics and Computer Science Exam Cryptology, Friday 25 January 2019

Introduction to Cybersecurity Cryptography (Part 5)

Public-Key Cryptography. Lecture 10 DDH Assumption El Gamal Encryption Public-Key Encryption from Trapdoor OWP

Lectures 2+3: Provable Security

Solutions to homework 2

Lecture Notes, Week 6

Question 2.1. Show that. is non-negligible. 2. Since. is non-negligible so is μ n +

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

The security of RSA (part 1) The security of RSA (part 1)

ASYMMETRIC ENCRYPTION

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Lecture 1: Perfect Secrecy and Statistical Authentication. 2 Introduction - Historical vs Modern Cryptography

Modern Cryptography Lecture 4

Introduction to Cybersecurity Cryptography (Part 4)

Public-Key Encryption: ElGamal, RSA, Rabin

Introduction to Cybersecurity Cryptography (Part 4)

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

Computing on Encrypted Data

YALE UNIVERSITY DEPARTMENT OF COMPUTER SCIENCE

Multikey Homomorphic Encryption from NTRU

Advanced Cryptography 1st Semester Public Encryption

Network Security Technology Spring, 2018 Tutorial 3, Week 4 (March 23) Due Date: March 30

On the CCA1-Security of Elgamal and Damgård s Elgamal

Shai Halevi IBM August 2013

RSA-OAEP and Cramer-Shoup

A Generic Hybrid Encryption Construction in the Quantum Random Oracle Model

Lecture 1. 1 Introduction to These Notes. 2 Trapdoor Permutations. CMSC 858K Advanced Topics in Cryptography January 27, 2004

Unforgeable quantum encryption. Christian Majenz Joint work with Gorjan Alagic and Tommaso Gagliardoni

Chosen-Ciphertext Security (I)

Introduction to Elliptic Curve Cryptography

Efficient and Secure Delegation of Linear Algebra

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Implementation Tutorial on RSA

Post-quantum security models for authenticated encryption

CPSC 467b: Cryptography and Computer Security

CPA-Security. Definition: A private-key encryption scheme

CTR mode of operation

Encryption Switching Protocols Revisited: Switching modulo p

G Advanced Cryptography April 10th, Lecture 11

On the power of non-adaptive quantum chosen-ciphertext attacks

RSA Algorithm. Factoring, EulerPhi, Breaking RSA. Çetin Kaya Koç Spring / 14

An Overview of Homomorphic Encryption

Strong Security Models for Public-Key Encryption Schemes

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Advanced Cryptography 03/06/2007. Lecture 8

Cryptography and Security Midterm Exam

Introduction to Public-Key Cryptosystems:

Computing with Encrypted Data Lecture 26

CPE 776:DATA SECURITY & CRYPTOGRAPHY. Some Number Theory and Classical Crypto Systems

Digital Signature Schemes and the Random Oracle Model. A. Hülsing

Some security bounds for the DGHV scheme

Public Key Cryptography

8 Security against Chosen Plaintext

On Homomorphic Encryption and Secure Computation

Applied cryptography

Chapter 8 Public-key Cryptography and Digital Signatures

Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption and Bootstrapping

Lecture 16 Chiu Yuen Koo Nikolai Yakovenko. 1 Digital Signature Schemes. CMSC 858K Advanced Topics in Cryptography March 18, 2004

1 Recommended Reading 1. 2 Public Key/Private Key Cryptography Overview RSA Algorithm... 2

Public-Key Encryption

Gentry s Fully Homomorphic Encryption Scheme

Lattices. A Lattice is a discrete subgroup of the additive group of n-dimensional space R n.

CPSC 467b: Cryptography and Computer Security

The Theory and Applications of Homomorphic Cryptography

Cryptography IV: Asymmetric Ciphers

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Public Key Cryptography

Transcription:

General Impossibility of Group Homomorphic Encryption in the Quantum World Frederik Armknecht Tommaso Gagliardoni Stefan Katzenbeisser Andreas Peter PKC 2014, March 28th Buenos Aires, Argentina 1

An example Consider the basic, unpadded RSA: let N = pq for large primes p and q, consider group (Z n, ) public exponent e s.t. gcd(e, φ(n)) = 1 secret exponent d = e 1 mod φ(n) Enc(m) = m e mod N for plaintext m Dec(c) = c d mod N for ciphertext c. 2

An example Consider the basic, unpadded RSA: let N = pq for large primes p and q, consider group (Z n, ) public exponent e s.t. gcd(e, φ(n)) = 1 secret exponent d = e 1 Enc(m) = m e mod φ(n) mod N for plaintext m Dec(c) = c d mod N for ciphertext c. Now consider two plaintexts m 1, m 2, and consider the product of their encryptions: c 1 = Enc(m 1 ), c 2 = Enc(m 2 ) Dec(c 1 c 2 ) = Dec(m e 1 me 2 ) = Dec((m 1 m 2 ) e ) = (m 1 m 2 ) ed mod N = m 1 m 2. 2

An example Consider the basic, unpadded RSA: let N = pq for large primes p and q, consider group (Z n, ) public exponent e s.t. gcd(e, φ(n)) = 1 secret exponent d = e 1 Enc(m) = m e mod φ(n) mod N for plaintext m Dec(c) = c d mod N for ciphertext c. Now consider two plaintexts m 1, m 2, and consider the product of their encryptions: c 1 = Enc(m 1 ), c 2 = Enc(m 2 ) Dec(c 1 c 2 ) = Dec(m e 1 me 2 ) = Dec((m 1 m 2 ) e ) = (m 1 m 2 ) ed mod N = m 1 m 2. In this case, decryption is a group homomorphism. 2

Group Homomorphic Encryption (GHE) A public-key encryption scheme E = (KeyGen, Enc, Dec) is called group homomorphic if, for any (pk, sk) Keygen(λ): 3

Group Homomorphic Encryption (GHE) A public-key encryption scheme E = (KeyGen, Enc, Dec) is called group homomorphic if, for any (pk, sk) Keygen(λ): the plaintext space P is a group in respect to 3

Group Homomorphic Encryption (GHE) A public-key encryption scheme E = (KeyGen, Enc, Dec) is called group homomorphic if, for any (pk, sk) Keygen(λ): the plaintext space P is a group in respect to the set of encryptions C := { Enc pk (m; r) m P, r Rnd } is a group in respect to 3

Group Homomorphic Encryption (GHE) A public-key encryption scheme E = (KeyGen, Enc, Dec) is called group homomorphic if, for any (pk, sk) Keygen(λ): the plaintext space P is a group in respect to the set of encryptions C := { Enc pk (m; r) m P, r Rnd } is a group in respect to the decryption is a group homomorphism: Dec sk (c 1 c 2 ) = Dec sk (c 1 ) Dec sk (c 2 ), for every c 1, c 2 C. 3

Group Homomorphic Encryption (GHE) A public-key encryption scheme E = (KeyGen, Enc, Dec) is called group homomorphic if, for any (pk, sk) Keygen(λ): the plaintext space P is a group in respect to the set of encryptions C := { Enc pk (m; r) m P, r Rnd } is a group in respect to the decryption is a group homomorphism: Dec sk (c 1 c 2 ) = Dec sk (c 1 ) Dec sk (c 2 ), for every c 1, c 2 C. (from now on we will only consider Abelian groups) 3

Fully Homomorphic Encryption (FHE) In Fully Homomorphic Encryption we have the following properties: plaintext and ciphertext spaces are rings, not just groups (so there are two operations) the set of encryptions C is usually just a set, not necessarily a group the decryption is guaranteed to run correctly only after less than p(λ) evaluations for some polynomial p. (even if p can be adjusted dynamically through bootstrapping, in GHE the decryption is guaranteed even after unbounded many evaluations) 4

The dierences 5

The dierences 5

The dierences 5

The dierences 5

The dierences GHE is not `FHE with just one operation': it is something dierent. 5

Examples of GHE schemes RSA ElGamal Goldwasser-Micali Pailler... 6

Examples of GHE schemes RSA ElGamal Goldwasser-Micali Pailler... Shor's algorithm Factorization of integers in quantum PPT. 6

Examples of GHE schemes RSA ElGamal Goldwasser-Micali Pailler... broken Shor's algorithm Factorization of integers in quantum PPT. 6

Examples of GHE schemes RSA ElGamal Goldwasser-Micali Pailler... broken Shor's algorithm Factorization of integers in quantum PPT. Watrous' and other variants Discrete logarithm and many related computational problems in quantum PPT. 6

Examples of GHE schemes RSA ElGamal Goldwasser-Micali Pailler... broken broken broken broken Shor's algorithm Factorization of integers in quantum PPT. Watrous' and other variants Discrete logarithm and many related computational problems in quantum PPT. 6

Examples of GHE schemes RSA ElGamal Goldwasser-Micali Pailler... broken broken broken broken Shor's algorithm Factorization of integers in quantum PPT. Watrous' and other variants Discrete logarithm and many related computational problems in quantum PPT. Question Is GHE possible at all in the quantum world? 6

Our result Theorem Let E be any IND-CPA secure GHE scheme. Then there exists a PPT quantum algorithm which breaks the security of E with non-negligible probability. 7

IND-CPA Security 8

IND-CPA Security 8

Subgroup Membership Problem (SMP) Consider a group G and a non-trivial subgroup H < G. 9

Subgroup Membership Problem (SMP) Consider a group G and a non-trivial subgroup H < G. Given an element x G drawn from some distribution: Problem: decide whether x H or x G \ H. 9

Subgroup Membership Problem (SMP) Consider a group G and a non-trivial subgroup H < G. Given an element x G drawn from some distribution: Problem: decide whether x H or x G \ H. Remark In a GHE scheme, the set of encryptions of the neutral element 1 G, { Enc pk (1 G ; r) r Rnd } is a subgroup of the ciphertext group. 9

Subgroup Membership Problem (SMP) Consider a group G and a non-trivial subgroup H < G. Given an element x G drawn from some distribution: Problem: decide whether x H or x G \ H. Remark In a GHE scheme, the set of encryptions of the neutral element 1 G, { Enc pk (1 G ; r) r Rnd } is a subgroup of the ciphertext group. Theorem For GHE schemes, IND-CPA security implies hardness of SMP respect to the subgroup of encryptions of 1 G. notice: vice versa does not hold. 9

An attack based on Order Finding Order Finding Problem (OFP): given a non-trivial subgroup H < G, nd the order (cardinality) of H. 10

An attack based on Order Finding Order Finding Problem (OFP): given a non-trivial subgroup H < G, nd the order (cardinality) of H. There is a simple way of reducing SMP to OFP. Given G, H, x G : 1 compute order of H 2 compute order of H, x (subgroup generated by H and x) 3 x H i the two orders are the same. 10

An attack based on Order Finding Order Finding Problem (OFP): given a non-trivial subgroup H < G, nd the order (cardinality) of H. There is a simple way of reducing SMP to OFP. Given G, H, x G : 1 compute order of H 2 compute order of H, x (subgroup generated by H and x) 3 x H i the two orders are the same. Watrous' order-nding quantum algorithm Given generators g 1,..., g k of subgroup H < G, there exists a PPT quantum algorithm which outputs o(h). 10

An attack based on Order Finding Order Finding Problem (OFP): given a non-trivial subgroup H < G, nd the order (cardinality) of H. There is a simple way of reducing SMP to OFP. Given G, H, x G : 1 compute order of H 2 compute order of H, x (subgroup generated by H and x) 3 x H i the two orders are the same. Watrous' order-nding quantum algorithm Given generators g 1,..., g k of subgroup H < G, there exists a PPT quantum algorithm which outputs o(h). Done! 10

End of this talk Thanks for your attention! tommaso@gagliardoni.net 11

Not so fast... 12

Not so fast... What do we mean by a description of a group H? 12

Not so fast... What do we mean by a description of a group H? a black-box sampling algorithm to sample elements in H 12

Not so fast... What do we mean by a description of a group H? a black-box sampling algorithm to sample elements in H an explicit description of the neutral element 12

Not so fast... What do we mean by a description of a group H? a black-box sampling algorithm to sample elements in H an explicit description of the neutral element black-box access to the group operation 12

Not so fast... What do we mean by a description of a group H? a black-box sampling algorithm to sample elements in H an explicit description of the neutral element black-box access to the group operation black-box access to the inversion of group elements 12

Not so fast... What do we mean by a description of a group H? a black-box sampling algorithm to sample elements in H an explicit description of the neutral element black-box access to the group operation black-box access to the inversion of group elements Notice: in GHE, we do not necessary have a set of generators. 12

The problem 13

The problem Recall: we want to solve the SMP in G in respect to the subgroup of the encryption of 1 G ; this would break IND-CPA security. 13

The problem Recall: we want to solve the SMP in G in respect to the subgroup of the encryption of 1 G ; this would break IND-CPA security. Idea: use the sampling algorithm by requesting encryptions of the neutral element, and hope to nd a set of generators after not too many samples. 13

The uniform case If the Enc algorithm samples form H according to the uniform distribution, where ord(h) 2 k, then: Theorem [Pak,Bratus,'99] Sampling k + 4 elements yields a generating set for H with probability 3 4. 14

The uniform case If the Enc algorithm samples form H according to the uniform distribution, where ord(h) 2 k, then: Theorem [Pak,Bratus,'99] Sampling k + 4 elements yields a generating set for H with probability 3 4. But in general we can have arbitrary distributions! 14

Arbitrary distribution Much more dicult. 15

Arbitrary distribution Much more dicult. Idea: we restrict to a large enough subgroup. 15

Arbitrary distribution Much more dicult. Idea: we restrict to a large enough subgroup. Details are tricky 15

Arbitrary distribution Much more dicult. Idea: we restrict to a large enough subgroup. Details are tricky Theorem If H < G is a sampleable subgroup according to arbitrary distribution D, with ord(h) 2 k, then: sampling 7k (2 + log(k) ) + 1 elements yields a generating set for H with probability 3 4, regardless of D. 15

The attack 1 generate a large enough number of encryptions of the neutral element 1 G, obtaining c 1,..., c n 16

The attack 1 generate a large enough number of encryptions of the neutral element 1 G, obtaining c 1,..., c n 2 run Watrous' algorithm on {c 1,..., c n }, obtaining order o 1 16

The attack 1 generate a large enough number of encryptions of the neutral element 1 G, obtaining c 1,..., c n 2 run Watrous' algorithm on {c 1,..., c n }, obtaining order o 1 3 play the IND-CPA game by choosing m 0 = 1 G and m 1 1 G ; receive challenge ciphertext c 16

The attack 1 generate a large enough number of encryptions of the neutral element 1 G, obtaining c 1,..., c n 2 run Watrous' algorithm on {c 1,..., c n }, obtaining order o 1 3 play the IND-CPA game by choosing m 0 = 1 G and m 1 1 G ; receive challenge ciphertext c 4 run Watrous' algorithm on {c 1,..., c n, c}, obtaining order o 2 16

The attack 1 generate a large enough number of encryptions of the neutral element 1 G, obtaining c 1,..., c n 2 run Watrous' algorithm on {c 1,..., c n }, obtaining order o 1 3 play the IND-CPA game by choosing m 0 = 1 G and m 1 1 G ; receive challenge ciphertext c 4 run Watrous' algorithm on {c 1,..., c n, c}, obtaining order o 2 5 if o 1 = o 2 then output 0, else output 1 16

The attack 1 generate a large enough number of encryptions of the neutral element 1 G, obtaining c 1,..., c n 2 run Watrous' algorithm on {c 1,..., c n }, obtaining order o 1 3 play the IND-CPA game by choosing m 0 = 1 G and m 1 1 G ; receive challenge ciphertext c 4 run Watrous' algorithm on {c 1,..., c n, c}, obtaining order o 2 5 if o 1 = o 2 then output 0, else output 1 Theorem No GHE scheme can be IND-CPA secure against quantum adversaries. 16

In the FHE case... Our attack strictly relies on the group structure. 17

In the FHE case... Our attack strictly relies on the group structure. Sucient condition: there exist two plaintexts, m 0 m 1, and a subgroup H such that: 17

In the FHE case... Our attack strictly relies on the group structure. Sucient condition: there exist two plaintexts, m 0 m 1, and a subgroup H such that: we have a PPT algorithm which outputs a small set of generators for H 17

In the FHE case... Our attack strictly relies on the group structure. Sucient condition: there exist two plaintexts, m 0 m 1, and a subgroup H such that: we have a PPT algorithm which outputs a small set of generators for H the probability that Enc(m 0 ) lies in H is high 17

In the FHE case... Our attack strictly relies on the group structure. Sucient condition: there exist two plaintexts, m 0 m 1, and a subgroup H such that: we have a PPT algorithm which outputs a small set of generators for H the probability that Enc(m 0 ) lies in H is high the probability that Enc(m 1 ) lies in G \ H is high 17

In the FHE case... Our attack strictly relies on the group structure. Sucient condition: there exist two plaintexts, m 0 m 1, and a subgroup H such that: we have a PPT algorithm which outputs a small set of generators for H the probability that Enc(m 0 ) lies in H is high the probability that Enc(m 1 ) lies in G \ H is high 17

End of this talk (for good...) Thanks for your attention! tommaso@gagliardoni.net 18

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback