Presentation is loading. Please wait.

Presentation is loading. Please wait.

ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work.

Published byDonna Goodman Modified over 9 years ago

Similar presentations

Presentation on theme: "ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work."— Presentation transcript:

1 ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work with Chin Ho Lee Northeastern Unversity

2 Public-key bit encryption SKPK Bob Alice b Enc PK (b) Dec SK ( ) b Enc PK (b) PK message indistinguishability (PK, Enc PK ( 0 )) and (PK, Enc PK ( 1 )) are computationally indistinguishable

3 El Gamal encryption g, h in some large cyclic group PK = ( g, h )g SK = h such that Enc PK (b) = ( g r, 2 b h r ) where r random Dec SK (x, y) = b such that x SK = 2 b y

4 Homomorphism of encryptions Enc PK (b) = ( g r, 2 b h r ) Enc PK (b) Enc PK (b’) and Enc PK (b + b’) are identically distributed Dec SK (Enc PK (b) Enc PK (b’)) = b + b’ strongly homomorphic weakly homomorphic

5 Does P ≠ NP imply cryptography? provided SAT is worst-case hard requires average-case hardness of distinguishing encryptions requires average-case hardness of distinguishing encryptions

6 Cryptography from lattices Ajtai one-way functions Ajtai-Dwork public-key encryption Regev, Peikert, Gentry, Brakerski and Vaikutanathan,... “somewhat” homomorphic encryption If short vectors in certain lattices are worst-case hard to find, then we have... but we can find them in NP ∩ coNP but we can find them in NP ∩ coNP

7 Reductions How to prove message indistinguishability? distinguisher (PK, Enc PK (b)) biased towards b x ∈ SAT ? q1q1 a1a1 q2q2 a2a2 YES/NO

8 From reductions to proof systems L distinguisher verifier prover R Brassard randomness for R transcript for every query (PK, C) answer b randomness r s.t. Enc PK (b, r) = C is it correct? are they correct? OK

9 From reductions to proof systems Conclusion A reduction from L to distinguishing Enc implies that L is in NP ∩ coNP Yes, but under implicit assumption that queries always have a unique answer Goldreich and Goldwasser

10 Brassard’s assumption for every PK Enc PK ( 0 ) Enc PK ( 1 ) query what if Enc PK ( 0 ) Enc PK ( 1 ) Enc PK ( 0 ) Enc PK ( 1 )

11 Restricting the reduction If reduction is nonadaptive then L is in AM ∩ coAM For general encryptions, best we can say Feigenbaum and Fortnow, B. and Trevisan, Akavia Goldreich Goldwasser and Moshkovitz

12 Our result If Enc has weak homomorphic evaluator for f, then L is in AM ∩ coAM Reduction can be adaptive, queries arbitrary If reduction has constant query complexity, then L is in statistical zero- knowledge Let f be a “polynomially sensitive” function

13 Sensitivity of functions f:f: 0 0100 1100 0 1 0110 1 0101 sens 0 f( 0100 ) = 2 sens 0 f = max x sens 0 f(x) f: {0, 1} n → {0, 1} is polynomially sensitive if sens 0 f, sens 1 f are at least n  (1)

14 AM SZK P coAM Homomorphic encryptions, reductions of constant query complexity Homomorphic encryptions, arbitrary reductions previous works Arbitrary encryptions, nonadaptive reductions SAT

15 Rerandomization The ability to map a ciphertext into an i.i.d ciphertext without knowing the secret key C = ( g r, 2 b h r ) PK = ( g, h )g SK = h such that Rer PK (C) = C ∙ ( g r’, h r’ ) El Gamal example is i.i.d with C

16 Rerandomization from evaluation strong homomorphic evaluator for majority H Enc( 0 ) Enc(b) Enc( 0 ) Enc(b) Enc( 1 ) Rer

17 Rerandomization from evaluation H Enc( 0 ) To H, Enc( 0 ) indistinguishable from Enc( 0 ) so output of H must forget most of Enc( 0 )

18 Rerandomization from evaluation If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b)) is √ c/k -close to a pair of independent encryptions of b. Lemma We prove a weaker version for weak homomorphic evaluators and any sensitive f.

19 Distinguishing rerandomizations Encryption can be broken using rerandomization and an SZK oracle Enc(b) Rer( ) Enc( 0 ) If b = 0, they are statistically close vs. If b = 1, they must be statistically far so they can be distinguished in SZK

20 The rest of the proof Since we can decrypt in SZK, L can be solved with reduction + SZK oracle So L is in BPP SZK ⊆ AM ⋂ coAM Mahmoody and Xiao For weak homomorphism and general f, not sure if true; we give new proof system

21 Quality of rerandomization If H is a homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b)) is √ c/k -close to a pair of independent encryptions of b. Lemma For strong homomorphic evaluation, we can make this exponentially small.

22 Improving the rerandomization Enc(b) Enc( 0 )Enc( 1 ) H Enc(b) H Enc( 1 ) Enc( 0 ) Enc(b) Algorithm: Apply H iteratively t times.

23 Analysis Enc( 1 ) Enc( 0 ) H Enc( 1 )Enc( 0 ) H Enc(b) Enc( 1 ) H H Enc(b) Enc( 1 ) Enc( 0 ) Enc(b)

24 Analysis Enc( 1 ) Enc( 0 ) H Enc( 1 ) H H Enc( 0 )Enc( 1 )Enc( 0 ) H Enc( 1 )

25 Analysis If we recurse t times, original Enc(b) could be any one of 2 t inputs Applying lemma, distinguishing advantage drops to O( √ c/2 t ) Value of t is determined by quality of H Statistical distance between output of H and actual encryption

26 Rerandomization theorem f : any function except for AND, OR, NOT then there is a rerandomization with statistical error 2 -  (h). Assume f has strong homomorphic evaluator with quality 2 -h

Download ppt "ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION Andrej Bogdanov Chinese University of Hong Kong Bertinoro Summer School | July 2014 based on joint work."

Similar presentations

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
Shortest Vector In A Lattice is NP-Hard to approximate

Shortest Vector In A Lattice is NP-Hard to approximate
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.

Uniform Hardness vs. Randomness Tradeoffs for Arthur-Merlin Games. Danny Gutfreund, Hebrew U. Ronen Shaltiel, Weizmann Inst. Amnon Ta-Shma, Tel-Aviv U.
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 10 Lecturer: Moni Naor.
Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.

Vote privacy: models and cryptographic underpinnings Bogdan Warinschi University of Bristol 1.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
Digital Signatures and Hash Functions. Digital Signatures.

Digital Signatures and Hash Functions. Digital Signatures.
Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 5 Lecturer: Moni Naor.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.

S EMANTICALLY - SECURE FUNCTIONAL ENCRYPTION : P OSSIBILITY RESULTS, IMPOSSIBILITY RESULTS AND THE QUEST FOR A GENERAL DEFINITION Adam O’Neill, Georgetown.
Immunizing Encryption Schemes from Decryption Errors Cynthia Dwork Moni Naor Omer Reingold Weizmann Institute of ScienceMicrosoft Research.

Immunizing Encryption Schemes from Decryption Errors Cynthia Dwork Moni Naor Omer Reingold Weizmann Institute of ScienceMicrosoft Research.
New Lattice Based Cryptographic Constructions

New Lattice Based Cryptographic Constructions
Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.

Complexity 18-1 Complexity Andrei Bulatov Probabilistic Algorithms.
CS151 Complexity Theory Lecture 7 April 20, 2004.

CS151 Complexity Theory Lecture 7 April 20, 2004.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
Lattice-Based Cryptography

Lattice-Based Cryptography

Similar presentations

Ads by Google