Upload
others
View
3
Download
0
Embed Size (px)
Citation preview
Frederik Armknecht 1
Cryptographic ToolsFor Privacy-Preserving
Data Processing
Frederik ArmknechtGroup for Theoretical Computer Science and IT-Security
December 16, 2014Paris, France
Frederik Armknecht 2
Overview
ā¢ Introductionā¢ Group Homomorphic Encryptionā¢ Somewhat Homomorphic Encryptionā¢ Adapted Homomorphic Encryptionā¢ Conclusion
Frederik Armknecht 7
Possible Approaches
ā¢ Interactiveā¢ User and provider run an interactive protocolā¢ Cryptographic techniques: multi-party computation,
secure function evaluationā¢ Advantage: can be quite efficient, good control over who
learns whatā¢ Disadvantage: additional involvement of the user
ā¢ Non-interactiveā¢ Data needs to be available to the service provider but at
the same time intrinsically protectedā¢ Solution: encryption
Frederik Armknecht 8
Encryption
Encryption Decryption
CiphertextPlaintext
Encryptionkey
Decryptionkey
Common goal: destroy data structure as much as possibleContradicts outsourcing of operation
Frederik Armknecht 9
Homomorphic Encryption
Encryption that allows for meaningful operations on encrypted data
op
2 27 7
9 9
op*
Frederik Armknecht 10
Example: RSA (1978) Parameters: N=p ā q with p,q large primes (approx. 1000 bits)Plaintext space: ZN (={0,ā¦,N-1} modulo N)Ciphertext: ZN (={0,ā¦,N-1} modulo N)Encryption Key: e ā ZN with gcd(e, (p-1)(q-1) )=1
Decryption key: d ā ZN with e ā d mod ((p-1)ā(q-1)) = 1Encryption of m: c := me mod NDecryption of c: cd mod N = m
Homomorphism:eee mmmm )'(' ā =ā
m māā = māmā
Frederik Armknecht 12
Classical Encryption Scheme
Plaintextspace
Ciphertextspace
encryption
decryption
Frederik Armknecht 13
Reminder: Group
ā¢ A group (in mathematical sense) is a set G together with a binary operation ā:GĆGā G such that
Example: Rational numbers without zero Neutral element: 1Inverse element: x-1
Group Axiom Property
Closure For all g,gāāG: gāgāāG
Associativity For all g,gā,gāāāG: (gāgā) ā gāā = g ā (gā ā gāā)
Neutral element e ā g = g ā e = g
Inverse element For all gāG exists gāāG such that g ā gā=gā ā g= e
Frederik Armknecht 14
Considered Hom. Encr. Schemes
Plaintextspace
Ciphertextspace
encryption
decryption
Groups
Group homomorphism
Frederik Armknecht 15
Overview of some homomorphic encryption schemes
Scheme Plaintext Space Security related to
RSA; 1978 Integers modulo N=p*q Factorization
Goldwasser, Micali; 1984 1 Bit Quadratic residues mod N
Benaloh; 1985 Integers modulo R s.t. ā¦ Rth residues mod N
ElGamal; 1985 Cyclic group G Decision Diffie-Hellman in G
Paillier; 1999 Integers modulo N Nth residues mod N2
Daamgard, Jurik; 2001 Integers modulo Ns Nth residues mod Ns+1
ā¢ Different approachesā¢ For some proofs of security are known, for other notā¢ Some are much better understood than othersā¢ Question: Unified view on security and design of homomorphic
schemes
Frederik Armknecht 16
Security of Some Existing Schemes
Scheme IND-CPA secure if the following problem is hard
IND-CCA1 secure if the following problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ??
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ??
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ??
Frederik Armknecht 17
Our Result: Abstraction
Scheme IND-CPA secure if the following problem is hard
IND-CCA1 secure if the following problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ??
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ??
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ??
Abstract scheme
Abstract problem:SMP
(subgroup membership problem)
Abstract problem:SOAP
(splitting oracle assisted SMP)
A., Katzenbeisser, Peters. Designs, Codes and Cryptography 2013.
Frederik Armknecht 18
Application: Easy Confirmation of Known Results
Scheme IND-CPA secure if the following problem is hard
IND-CCA1 secure if the following problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ??
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ??
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ??
A., Katzenbeisser, Peters. Designs, Codes and Cryptography 2013.
Frederik Armknecht 19
Application: Missing Characterizations
Scheme IND-CPA secure if thefollowing problem is hard
IND-CCA1 secure if thefollowing problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ā
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ā
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ā
A., Katzenbeisser, Peters. Designs, Codes and Cryptography 2013.
Frederik Armknecht 20
Application: New Schemes
Scheme IND-CPA secure if thefollowing problem is hard
IND-CCA1 secure if thefollowing problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ā
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ā
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ā
Scheme 1 K-linear Problem New Problem
Scheme 2 Gonzales Nieto et al.; 2005 New Problem
A., Katzenbeisser, Peters. Designs, Codes and Cryptography 2013.
Frederik Armknecht 21
Summary
ā¢ Situation for group homomorphic encryptionschemes very well understood
ā¢ Open questions:ā¢ What about symmetric key schemes?ā¢ What about schemes that support more operations?
Frederik Armknecht 23
Somewhat Homomorphic EncryptionGeneralization: An encryption scheme is homomorphic wrt a
set of operations Ops if there exists a set Ops* such that ā¦
op
2 27 7
9 9
Ops
Operations
op* Opsā
Operations
Frederik Armknecht 24
Example
ā¢ Generic construction for homomorphic schemes based on certain error-correcting codes
ā¢ Advantagesā¢ Allows for unlimited additions and fixed (but arbitrary) number of
multiplicationsā¢ Many instantiations possible, e.g., Reed-Solomon codes, Reed-Muller
codesā¢ Simple operationsā¢ Decryption is very efficient
ā¢ Disadvantagesā¢ Number of encryptions needs to be limitedā¢ Length of ciphertexts
A., Augot, Perret, Sadeghi. Cryptography and Coding 2011.
Frederik Armknecht 25
Concrete Implementationā¢ šš ā 1 = #multiplications, #fresh encryptrions ā šš/ššā¢ Observe: we can use any finite field that is big enough, e.g.,
GF(2r) (efficiency)
Frederik Armknecht 26
Fully Homomorphic EncryptionA fully homomorphic encryption scheme is homomorphic wrt
all possible operations
op
2 27 7
9 9
op*
Operations
op* Opsā
Operations
Frederik Armknecht 31
Observations
ā¢ Somewhat-homomorphic ā fully-homomorphicseems to induce high costs
ā¢ Rothblumās result on fully-homomorphic encryption schemes: symmetric key ā public key
ā¢ Question: are efficient fully-homomorphicencryption schemes possible at all?
Counter-question: do we need fully-homomorphism in practice?
ā¢ Examples exist where a scheme with less functionalities would be sufficient
ā¢ Adapted homomorphic encryption schemes
Frederik Armknecht 33
Adapted Homomorphic Encryption1. Given: a concrete use case2. Identify the necessary operations3. Develop appropiate encryption scheme
op
2 27 7
9 9
Ops
Operations
op* Opsā
Operations
Frederik Armknecht 34
Example: Recommender Systemā¢ Recommender systems are a way of suggesting like
or similar items and ideas to a user.ā¢ Automates quotes like:
ā¢ "I like this book; you might be interested in it" ā¢ "I saw this movie, youāll like itāā¢ "Donāt go see that movie!"
ā¢ Examplesā¢ Amazonā¢ Ebay
Frederik Armknecht 35
Considered General Scenario
User
Preference vector:
Recommendation r
Service provider
Example: Regularized Matrix Factorization (RMF) Recommender
Frederik Armknecht 36
Threat: data misuse
User
Preference vector:
Recommendation r
Service provider
Question: Is it possible to ask for recommendations withoutrevealing the preferences?
Frederik Armknecht 37
Solution
User
Preference vector:
EncryptedRecommendation
Enck(r)
Service provider
Challenge: Develop an appropriate encryption scheme!
A., Strufe. Med-Hoc 2011.
Frederik Armknecht 38
Our Solution
ā¢ Encrypt preference vector such thatā¢ Service provider cannot read the encrypted preferencesā¢ Computation on encrypted data possible
ā¢ More formal:ā¢ Encryption scheme Enck(.) encrypts real-valued dataā¢ Additively homomorphic:
ā¢ āExternal homomorphismā:
Frederik Armknecht 39
Concrete Scheme
ā¢ Adaptation of the 2011 code-based schemeā¢ Key generation
ā¢ Sample vector š¾š¾ ā š š šš ā {0}ā¢ Encryption of a real value šš
ā¢ Generate a vector š¶š¶ ā š š šš such thatš¶š¶,š¾š¾ = šš
ā¢ Decryption of a ciphertext ā¢ Compute š¶š¶,š¾š¾ = šš
Frederik Armknecht 40
Properties
ā¢ Efficient (pre-computation)ā¢ Additive homomorphism: Let and be an
encryption of m and mā, respectively. Consider thedecrpytion of :
ā¢ External homomorphism: Let be an encryption ofm and let be an arbitrary real value. Consider thedecrpytion of :
Frederik Armknecht 42
Summary
ā¢ Homomorphic encryption allow for processing encrypted data without the need of decryption
ā¢ Many applicationsā¢ Problem: efficiency (in the case of huge data
amount)ā¢ Alternative approach: adapted homomorphic
encryption schemes
Frederik Armknecht 43
Open Questions
ā¢ Identify further (more realistic) use casesā¢ Improve understanding between conditions and
design possibilitiesā¢ Develop appropriate adapted cryptographic
schemes
Frederik Armknecht 46
Defining security: IND-CPA
SetupPublic param.
C
TimeM0,M1b āR {0,1}
C:=Encrypt(Mb)
Oracle Attacker
Challenge
Guess for bAttacker wins if he correctly guesses b
Frederik Armknecht 47
Defining security: IND-CCA1
Setup
Decrypt
Public param.
cj
mj
C
Time
ChooseCiphertext
M0 ,M1b āR {0,1}C:=Encrypt(Mb)
Oracle Attacker
Challenge
Guess for bAttacker wins if he correctly guesses b
Frederik Armknecht 48
Proof of Security
Assumption: Mathematicalproblem is ishard to solve
Approach: Reduce security Mathematical
Problem Cryptoscheme
Reduction: āŗ
Goal: Prove security of scheme
Frederik Armknecht 50
Recall: Considered Hom. Encr. Schemes
Plaintexts Ciphertext
encryption
decryption
Groups
Group homomorphism
Frederik Armknecht 51
1st Observation: Encryption of ā1ā
Plaintexts Ciphertext
encryption
decryption
Groups
Group homomorphism
1 Encr. of 1C1
Encryptions of ā1ā form a subgroup of the ciphertext space!
Frederik Armknecht 52
2nd Observation: Encryption of mā 1
Plaintexts Ciphertext
encryption
decryption
Groups
Group homomorphism
1C1
Set of encryptions of āmā is equal to mā C1
m
Encr. of mmā C1
Frederik Armknecht 53
Consequence
c = encryp-tion of m
āŗ c ā māC1 cām-1 ā C1āŗSimple observation:
Consequence:Recognizing
encryptions of m
māmā = m
?
Recognizing encryptions of 1
māmā = 1 ?
āŗ
Frederik Armknecht 54
Security Characterization
Scheme isIND-CPA SECURE
āŗ
Subgroup membership problem (SMP)is hard w.r.t. C1
C1
c āC1 ?c
Frederik Armknecht 55
Application
Plaintexts
Ciphertext
encryption
decryption
Let a homomorphic scheme be givenGoal: IND-CPA security characterization
1. Identify subgroup C1 (= encryptions of 1)
C1
2. Formulate SMP wrt. to C1
Frederik Armknecht 56
Application: Easy IND-CPA characterization of existing schemes
Scheme IND-CPA secure if and only ifthe following problem is hard
IND-CCA1 secure if the following problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ??
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ??
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ??
What about IND-CCA1 ?
Frederik Armknecht 57
SOAP
SMP w.r.t. C1
C1
c āC1 ?c
SOAP = Splitting oracle assisted SMP
Phase 1: Learning Phase 2: Challenge
C1c
Splitting Oracle
āc modC1ā
Frederik Armknecht 58
Security CharacterizationScheme is
IND-CCA1 SECURE
āŗ
SOAPis hard w.r.t. C1
Setup
Decrypt
Public param.
cj
mj
C
ChooseCiphertext
M0,M1
b āR {0,1}C:=Encrypt(Mb)
Challenge
Guess for b
Frederik Armknecht 59
Application: IND-CCA1 Characterization of Existing Schemes
Scheme IND-CPA secure if and only ifthe following problem ishard
IND-CCA1 secure if and onlyif the following problem ishard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ā
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ā
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ā
Frederik Armknecht 60
Generic scheme
Plaintexts Ciphertext
encryption
decryption1C1
ā¢Encryption of m: ā¢ Sample cā āC1ā¢ Output c:= mācā
ā¢Decryption of c: ā¢ Determine c mod C1
m
mā C1
Frederik Armknecht 61
Application: Design of New Schemes
Group GPlaintextSpace
encryption
decryptionS
ā¢ Given: SMP with group G and subgroup Sā¢ Interpret G as ciphertext space and S as encryption of 1ā¢ Construct encryption/decryption as described beforeā¢ Scheme is IND-CPA secure iff initial SMP is hard
C1
Ciphertext Space
Frederik Armknecht 62
Application: New Schemes
Scheme IND-CPA secure if thefollowing problem is hard
IND-CCA1 secure if thefollowing problem is hard
ElGamal; 1985 Decision Diffie-Hellman; 1998 [Lipmaa; 2010]
Paillier; 1999 Nth residues mod N2; 1999 ā
Daamgard, Jurik; 2001 Nth residues mod Ns+1; 2001 ā
Boneh et al.; 2005 Decision Diffie-Hellman; 2005 ā
Scheme 1 K-linear Problem New Problem
Scheme 2 Gonzales Nieto et al.; 2005 New Problem
Frederik Armknecht 63
Scheme 1
ā¢ IND-CPA secure if and only if k-linear problem ishard
ā¢ K-linear problem:ā¢ Extension of Diffie-Hellman problemā¢ Can be instantiated for any positive integer kā¢ In generic group model: is hard for k+1 even if weak for k
Frederik Armknecht 64
Scheme 2
ā¢ IND-CPA secure if and only if a problem introduced by Manuel GonzĆ”les, Boyd, and Dawson is hard
ā¢ Distinctive feature: First homomorphic scheme with a cyclic ciphertext group
ā¢ Can be directly combined with a work by Hemenway and Ostrovsky for efficiently constructing IND-CCA2 secure schemes
Frederik Armknecht 66
Coding Theory
Coding Decoding
CodewordMessage
Errorneous channels
Randomerrors
Frederik Armknecht 67
Encryption based on Coding Theory
Encryption (= Encoding)
Errorneouscodeword
Message
Artificialerrors
Decryption(= Decoding)
Frederik Armknecht 68
y11 p(x)
Example: Reed-Solomon Codes
x1 x12x0
Encryption of a plaintext mā¢ Parameters:
ā¢ Finite field F; support points x0,x1,ā¦,xn; degree dā¢ Encryption key: I = error positions
ā¢ Encryption of a message m:ā¢ Choose random polynomial p(x) of degree d with p(x0)=mā¢ Compute Y:=(y1,ā¦,yn):=(p(x1),ā¦,p(xn))ā¢ Randomize yi at error positionsā¢ Ciphertext C=(y1,ā¦,yn) (= erroneous Reed-Solomon codeword)
my7
y3
y1
y8y2 y4y5 y6
y9y10
y12
Frederik Armknecht 69
y11p(x)
Example: Reed-Solomon Codes
x1 x12x0
Decryption of a ciphertext šš =(y1,ā¦,yn):ā¢ Ignore errorneous yi - valuesā¢ Interpolate p(x) through the remaining, correct yi -valuesā¢ Compute p(x0)=m
m y7
y3
y1
y8
y2 y4y5 y6
y9
y12
y10
Frederik Armknecht 70
Additive Homomorphism
šš =(p(x1), c2, p(x3),c4, c5,p(x6)) = encryption of p(x0)=m
ššš =(pā(x1), cā2, pā(x3),cā4, cā5,pā(x6)) = encryption of pā(x0)=mā
+
šššš =((p+pā)(x1), cāā2, (p+pā)(x3),cāā4, cāā5,(p+pā)(x6)) = encryption of (p+pā)(x0)=m+mā
=
Frederik Armknecht 71
Multiplicative Homomorphism
šš=(p(x1), c2, p(x3),c4, c5,p(x6)) = encryption of p(x0)=m
ššš=(pā(x1), cā2, pā(x3),cā4, cā5,pā(x6)) = encryption of pā(x0)=mā
ā
šššš =((pā pā)(x1), cāā2, (pā pā)(x3),cāā4, cāā5,(pā pā)(x6)) = encryption of (pā pā)(x0)=mā mā
=
if degree is not too high
Frederik Armknecht 72
Generic Scheme
ā¢ Key generation:ā¢ Sample vector with certain properties
ā¢ Encryption of a real value mā¢ Output a vector such that
ā¢ Decryption of a ciphertextā¢ Compute
Frederik Armknecht 73
Restrictions
1. Number of encryptions needs to be limitedā¢ Otherwise, key can be recovered by solving a system of
linear equations
2. Cannot be public-keyā¢ All encryptions of 0 form a sub-space C0
ā¢ If public-key, an attacker can derive a basis for C0
ā¢ Once such a basis is known, one can easily decide if ciphertext is encryption of 0
ā¢ This is equivalent to win the IND-CPA game
Frederik Armknecht 74
Security
ā¢ Proof of securityā¢ Scheme is secure if Decisional Synchronized Codeword
Problem (DSCP) is hard
ā¢ Hardness of DSCP?ā¢ Depends on the deployed codeā¢ For Reed-Muller codes, extensive analysis conducted ā¢ Identified parameter ranges that seem to provide certain
levels of security