ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION. Andrej Bogdanov, Chinese University of Hong Kong. Bertinoro Summer School, July 2014. Based on joint work with Chin Ho Lee, Northeastern University.
Public-key bit encryption: Alice encrypts a bit b under Bob's public key PK as Enc_PK(b); Bob recovers b = Dec_SK(Enc_PK(b)) with his secret key SK. Message indistinguishability: (PK, Enc_PK(0)) and (PK, Enc_PK(1)) are computationally indistinguishable.
El Gamal encryption: g, h in some large cyclic group. PK = (g, h), SK = the exponent such that h = g^SK. Enc_PK(b) = (g^r, 2^b · h^r) where r is random. Dec_SK(x, y) = the b such that x^SK = 2^{-b} · y.
Homomorphism of encryptions: Enc_PK(b) = (g^r, 2^b · h^r). Strongly homomorphic: Enc_PK(b) · Enc_PK(b') (componentwise product) and Enc_PK(b + b') are identically distributed. Weakly homomorphic: Dec_SK(Enc_PK(b) · Enc_PK(b')) = b + b'.
Does P ≠ NP imply cryptography? P ≠ NP only provides that SAT is worst-case hard, whereas cryptography requires average-case hardness of distinguishing encryptions.
Cryptography from lattices: if short vectors in certain lattices are worst-case hard to find, then we have Ajtai one-way functions, Ajtai-Dwork public-key encryption and, following Regev, Peikert, Gentry, Brakerski and Vaikuntanathan, ..., "somewhat" homomorphic encryption. But the problem of finding them lies in NP ∩ coNP.
Reductions: how to prove message indistinguishability? Via a reduction from SAT: given a distinguisher whose output on (PK, Enc_PK(b)) is biased towards b, the reduction decides whether x ∈ SAT by making queries q1, q2, ... to the distinguisher, receiving answers a1, a2, ..., and outputting YES/NO.
From reductions to proof systems (Brassard): the verifier runs the reduction R from L to the distinguisher on its own randomness; the prover supplies a transcript that answers every query (PK, C) with a bit b and randomness r such that Enc_PK(b, r) = C; the verifier checks that every answer is correct, then accepts (OK).
From reductions to proof systems. Conclusion: a reduction from L to distinguishing Enc implies that L is in NP ∩ coNP. Yes, but under the implicit assumption that queries always have a unique answer (Goldreich and Goldwasser).
Brassard's assumption: for every PK, the supports of Enc_PK(0) and Enc_PK(1) are disjoint, so each query (PK, C) has a unique answer. What if the supports of Enc_PK(0) and Enc_PK(1) overlap?
Restricting the reduction: for general encryptions, the best we can say is that if the reduction is nonadaptive then L is in AM ∩ coAM (Feigenbaum and Fortnow; B. and Trevisan; Akavia, Goldreich, Goldwasser and Moshkovitz).
Our result: let f be a "polynomially sensitive" function. If Enc has a weak homomorphic evaluator for f, then L is in AM ∩ coAM; the reduction can be adaptive and its queries arbitrary. If the reduction has constant query complexity, then L is in statistical zero-knowledge (SZK).
Sensitivity of functions. Example (for the pictured f): sens_0 f(0100) = 2. sens_0 f = max_x sens_0 f(x). f: {0, 1}^n → {0, 1} is polynomially sensitive if sens_0 f and sens_1 f are both at least n^{Ω(1)}.
(Figure: diagram of the classes AM, coAM, SZK and P, with SAT placed outside.) Homomorphic encryptions with reductions of constant query complexity: L in SZK. Homomorphic encryptions with arbitrary reductions: L in AM ∩ coAM. Previous works, arbitrary encryptions with nonadaptive reductions: L in AM ∩ coAM.
Rerandomization: the ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key. El Gamal example: PK = (g, h), C = (g^r, 2^b · h^r). Rer_PK(C) = C · (g^{r'}, h^{r'}) with fresh random r' is i.i.d. with C.
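As an added worked example (not part of the slides), the El Gamal bit encryption of the preceding slides in Python over a constructed toy group Z_p^* with p = 1019: key generation, Enc_PK(b) = (g^r, 2^b · h^r), decryption, the componentwise product that adds plaintexts in the exponent, and Rer_PK(C) = C · (g^{r'}, h^{r'}). The prime, the generator search and the function names are assumptions made here for illustration.

```python
import secrets

# Toy El Gamal bit encryption in Z_p^* for a constructed small safe prime (real parameters are far larger).
P = 1019                      # safe prime: (1019 - 1) / 2 = 509 is prime, so Z_P^* is cyclic of order 1018

def find_generator(p):
    """Smallest generator of Z_p^* for a safe prime p = 2q + 1:
    g generates the whole group iff g^2 != 1 and g^q != 1 (mod p)."""
    q = (p - 1) // 2
    return next(g for g in range(2, p) if pow(g, 2, p) != 1 and pow(g, q, p) != 1)

def keygen(p=P):
    """PK = (g, h) with h = g^SK; SK is the exponent, drawn from [1, p - 2]."""
    g = find_generator(p)
    sk = secrets.randbelow(p - 2) + 1
    return (g, pow(g, sk, p)), sk

def encrypt(pk, b, r=None, p=P):
    """Enc_PK(b) = (g^r, 2^b * h^r); r is fresh from Z_{p-1} unless supplied explicitly."""
    g, h = pk
    if r is None:
        r = secrets.randbelow(p - 1)
    return (pow(g, r, p), (pow(2, b, p) * pow(h, r, p)) % p)

def decrypt(sk, c, p=P, max_b=8):
    """Dec_SK(x, y) = the b with x^SK = 2^(-b) * y, i.e. 2^b * x^SK = y (mod p)."""
    x, y = c
    shared = pow(x, sk, p)
    for b in range(max_b):       # b is a sum of a few bits, so 2^b stays small and unique mod p
        if (pow(2, b, p) * shared) % p == y:
            return b
    raise ValueError("no small exponent b matches; malformed ciphertext")

def multiply(c1, c2, p=P):
    """Componentwise product: Enc(b) * Enc(b') decrypts to b + b' (the exponents of 2 add)."""
    return ((c1[0] * c2[0]) % p, (c1[1] * c2[1]) % p)

def rerandomize(pk, c, r2=None, p=P):
    """Rer_PK(C) = C * (g^r', h^r') = C * Enc_PK(0; r'): same bit, fresh randomness, no secret key."""
    return multiply(c, encrypt(pk, 0, r2, p), p)

def demo():
    pk, sk = keygen()
    c0, c1 = encrypt(pk, 0), encrypt(pk, 1)
    # Strong homomorphism: Enc(b; r) * Enc(b'; r') is exactly Enc(b + b'; r + r'), a fresh-looking encryption.
    r, r2 = 17, 123
    exact = multiply(encrypt(pk, 1, r), encrypt(pk, 1, r2)) == encrypt(pk, 2, (r + r2) % (P - 1))
    return {"dec0": decrypt(sk, c0), "dec1": decrypt(sk, c1), "sum": decrypt(sk, multiply(c0, c1)),
            "rerand_keeps_bit": decrypt(sk, rerandomize(pk, c1)) == 1, "product_is_fresh_encryption": exact}
```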
Rerandomization from evaluation: given a strong homomorphic evaluator H for majority, set Rer(Enc(b)) = H(Enc(0), Enc(b), Enc(0), Enc(b), Enc(1)), whose majority is b.
Rerandomization from evaluation: to H, a given Enc(0) looks like any other Enc(0), so the output of H must forget most of that Enc(0).
Rerandomization from evaluation. Lemma: if H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √(c/k)-close to a pair of independent encryptions of b. We prove a weaker version for weak homomorphic evaluators and any sensitive f.
Distinguishing rerandomizations: encryption can be broken using rerandomization and an SZK oracle. Given Enc(b), compare the distribution Rer(Enc(b)) with a fresh Enc(0). If b = 0, they are statistically close; if b = 1, they must be statistically far, so they can be distinguished in SZK.
The rest of the proof: since we can decrypt in SZK, L can be solved with the reduction plus an SZK oracle, so L is in BPP^SZK ⊆ AM ∩ coAM (Mahmoody and Xiao). For weak homomorphism and general f we are not sure this is true; we give a new proof system.
Quality of rerandomization. Lemma: if H is a homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √(c/k)-close to a pair of independent encryptions of b. For strong homomorphic evaluation, we can make this exponentially small.
Improving the rerandomization. (Figure: Enc(b) is fed into H together with Enc(0) and Enc(1); the output, again an encryption of b, is fed into H once more with Enc(0) and Enc(1).) Algorithm: apply H iteratively t times.
Analysis. (Figure: the tree of t nested applications of H, each with inputs Enc(b), Enc(0), Enc(1).)
Analysis: if we recurse t times, the original Enc(b) could be any one of 2^t inputs. Applying the lemma, the distinguishing advantage drops to O(√(c/2^t)). The value of t is determined by the quality of H, i.e. the statistical distance between the output of H and an actual encryption.
Rerandomization theorem: assume f has a strong homomorphic evaluator with quality 2^{-h}, and f is any function except for AND, OR, NOT. Then there is a rerandomization with statistical error 2^{-Ω(h)}.