ON THE PROVABLE SECURITY OF HOMOMORPHIC ENCRYPTION

Andrej Bogdanov, Chinese University of Hong Kong

Bertinoro Summer School | July 2014

based on joint work with Chin Ho Lee, Northeastern University

Public-key bit encryption

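[Figure: Alice and Bob with the keys SK and PK; the bit b is encrypted as Enc_PK(b) and recovered as b using Dec_SK; a further label reads Enc_PK(b), PK]

message indistinguishability

(PK, Enc_PK(0)) and (PK, Enc_PK(1)) are computationally indistinguishable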

El Gamal encryption

g, h in some large cyclic group

PK = (g, h) such that g^SK = h

Enc_PK(b) = (g^r, 2^b h^r) where r is random

Dec_SK(x, y) = b such that y = 2^b x^SK

Homomorphism of encryptions

Enc_PK(b) = (g^r, 2^b h^r)

strongly homomorphic: Enc_PK(b) ∙ Enc_PK(b’) and Enc_PK(b + b’) are identically distributed

weakly homomorphic: Dec_SK(Enc_PK(b) ∙ Enc_PK(b’)) = b + b’

Does P ≠ NP imply cryptography?

provided SAT is worst-case hard

requires average-case hardness of distinguishing encryptions

Cryptography from lattices

If short vectors in certain lattices are worst-case hard to find, then we have...

Ajtai: one-way functions

Ajtai-Dwork: public-key encryption

Regev, Peikert, Gentry, Brakerski and Vaikuntanathan, ...: “somewhat” homomorphic encryption

but we can find them in NP ∩ coNP

Reductions

How to prove message indistinguishability?

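[Figure: a reduction decides "x ∈ SAT?" (YES/NO) by sending queries q1, q2 to a distinguisher and receiving answers a1, a2; on input (PK, Enc_PK(b)) the distinguisher's output is biased towards b]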

From reductions to proof systems

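[Figure (Brassard): the reduction R from L to the distinguisher, recast as a proof system between a verifier and a prover. Labels: randomness for R; transcript; for every query (PK, C), answer b and randomness r s.t. Enc_PK(b, r) = C; "is it correct?"; "are they correct?"; OK]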

From reductions to proof systems

Conclusion

A reduction from L to distinguishing Enc implies that L is in NP ∩ coNP

Yes, but under the implicit assumption that queries always have a unique answer (Goldreich and Goldwasser)

Brassard’s assumption

for every PK: [Figure: a query shown against the sets of encryptions Enc_PK(0) and Enc_PK(1)]

what if: [Figure: two further arrangements of Enc_PK(0) and Enc_PK(1)]

Restricting the reduction

If reduction is nonadaptive then L is in AM ∩ coAM

For general encryptions, best we can say

Feigenbaum and Fortnow; B. and Trevisan; Akavia, Goldreich, Goldwasser and Moshkovitz

Our result

Let f be a “polynomially sensitive” function

If Enc has a weak homomorphic evaluator for f, then L is in AM ∩ coAM

Reduction can be adaptive, queries arbitrary

If reduction has constant query complexity, then L is in statistical zero-knowledge

Sensitivity of functions

[Figure: an example function f and the input 0100]

sens_0 f(0100) = 2

sens_0 f = max_x sens_0 f(x)

f: {0, 1}^n → {0, 1} is polynomially sensitive if sens_0 f, sens_1 f are at least n^Ω(1)
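To make the definition concrete, the following added example (not from the talk) computes sens_0 f and sens_1 f by brute force for a few functions. It assumes the standard reading of the slide: for an input x with f(x) = b, sens_b f(x) is the number of single-bit flips of x that change f. The names `sens_at`, `sens`, `FUNCS` and `sensitivity_table` are the example's own.

```python
from itertools import product

def sens_at(f, x):
    """Number of positions i such that flipping bit i of x changes f."""
    fx = f(x)
    return sum(f(x[:i] + (1 - x[i],) + x[i + 1:]) != fx for i in range(len(x)))

def sens(f, n, b):
    """sens_b f = max over x in {0,1}^n with f(x) = b of sens_at(f, x)."""
    return max((sens_at(f, x) for x in product((0, 1), repeat=n) if f(x) == b),
               default=0)

# Functions on n-bit tuples (assumed test cases, chosen for illustration).
FUNCS = {
    "MAJORITY": lambda x: int(2 * sum(x) > len(x)),
    "AND": lambda x: int(all(x)),
    "OR": lambda x: int(any(x)),
    "PARITY": lambda x: sum(x) % 2,
}

def sensitivity_table(n):
    """Map each function name to (sens_0 f, sens_1 f) on n-bit inputs."""
    return {name: (sens(f, n, 0), sens(f, n, 1)) for name, f in FUNCS.items()}

if __name__ == "__main__":
    for n in (3, 5, 7, 9):
        print(n, sensitivity_table(n))
```

Majority and parity have both values growing with n, while AND keeps sens_0 = 1 and OR keeps sens_1 = 1 for every n, so neither of those two meets the "both at least n^Ω(1)" condition.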

[Figure: diagram of the classes P, SZK, AM and coAM, with SAT, marking three regions: homomorphic encryptions with reductions of constant query complexity; homomorphic encryptions with arbitrary reductions; and, from previous works, arbitrary encryptions with nonadaptive reductions]

Rerandomization

The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key

El Gamal example

PK = (g, h) such that g^SK = h

C = (g^r, 2^b h^r)

Rer_PK(C) = C ∙ (g^r’, h^r’) is i.i.d. with C
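The El Gamal encryption, homomorphism and rerandomization slides can be exercised together in a toy group. This is an added example, not code from the talk; the parameters P = 2039, Q = 1019, G = 4 and all function names are assumptions chosen so that the distribution of Rer can be enumerated exactly.

```python
import secrets
from collections import Counter

# Toy group (assumed for illustration, far too small for real use):
# P = 2Q + 1 is a safe prime; G = 4 generates the order-Q subgroup, which contains 2.
P, Q, G = 2039, 1019, 4

def keygen():
    """Return (PK, SK) with PK = (g, h) and g^SK = h."""
    sk = secrets.randbelow(Q - 1) + 1
    return (G, pow(G, sk, P)), sk

def enc(pk, b, r=None):
    """Enc_PK(b) = (g^r, 2^b h^r); r is random unless supplied."""
    g, h = pk
    r = secrets.randbelow(Q) if r is None else r
    return (pow(g, r, P), pow(2, b, P) * pow(h, r, P) % P)

def mul(c1, c2):
    """Componentwise product of ciphertexts: plaintexts add in the exponent of 2."""
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rer(pk, c, r2=None):
    """Rer_PK(C) = C * (g^r', h^r'), i.e. C times a fresh Enc_PK(0); no SK needed."""
    return mul(c, enc(pk, 0, r2))

def dec(sk, c, max_b=8):
    """Return the b with y = 2^b x^SK, searching the small range 0..max_b."""
    x, y = c
    m = y * pow(pow(x, sk, P), -1, P) % P      # strip the mask h^r = x^SK
    for b in range(max_b + 1):
        if pow(2, b, P) == m:
            return b
    raise ValueError("plaintext outside 0..max_b")

def rer_matches_fresh(pk, b, r):
    """Exact check: over all r', Rer(Enc(b; r)) is distributed as a fresh Enc(b)."""
    fresh = Counter(enc(pk, b, s) for s in range(Q))
    rerand = Counter(rer(pk, enc(pk, b, r), s) for s in range(Q))
    return fresh == rerand

if __name__ == "__main__":
    pk, sk = keygen()
    c1 = enc(pk, 1)
    print("Dec(c1 * c1) =", dec(sk, mul(c1, c1)))      # b + b' = 2
    print("Dec(Rer(c1)) =", dec(sk, rer(pk, c1)))      # plaintext preserved
    print("Rer ~ fresh Enc:", rer_matches_fresh(pk, 1, 7))
```

Because the randomness of Rer(C) is r + r' mod Q with r' uniform, the output distribution does not depend on r, which is what `rer_matches_fresh` verifies by enumeration.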

Rerandomization from evaluation

[Figure: Rer built from H, a strong homomorphic evaluator for majority: H is applied to the inputs Enc(0), Enc(0), Enc(0), Enc(b), Enc(1), Enc(1), Enc(1) and outputs Enc(b)]

Rerandomization from evaluation

[Figure: H applied to the inputs Enc(0), Enc(0), Enc(0), Enc(0)]

To H, Enc(0) indistinguishable from Enc(0), so output of H must forget most of Enc(0)

Rerandomization from evaluation

Lemma

If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.

We prove a weaker version for weak homomorphic evaluators and any sensitive f.

Distinguishing rerandomizations

Encryption can be broken using rerandomization and an SZK oracle

Rer(Enc(b)) vs. Enc(0)

If b = 0, they are statistically close

If b = 1, they must be statistically far

so they can be distinguished in SZK

The rest of the proof

Since we can decrypt in SZK, L can be solved with reduction + SZK oracle

So L is in BPP^SZK ⊆ AM ∩ coAM (Mahmoody and Xiao)

For weak homomorphism and general f, not sure if true; we give new proof system

Quality of rerandomization

Lemma

If H is a homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.

For strong homomorphic evaluation, we can make this exponentially small.

Improving the rerandomization

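[Figure: H applied to Enc(b), Enc(0), Enc(1) outputs Enc(b); that output, together with Enc(1) and Enc(0), is fed into a second application of H, which again outputs Enc(b)]

Algorithm: Apply H iteratively t times.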

Analysis

[Figure: a tree of applications of H on inputs Enc(0), Enc(1) and Enc(b), with final output Enc(b)]

Analysis

[Figure: a tree of applications of H whose inputs and intermediate values are Enc(0) and Enc(1)]

Analysis

If we recurse t times, original Enc(b) could be any one of 2^t inputs

Applying lemma, distinguishing advantage drops to O(√c/2^t)

Value of t is determined by quality of H

Quality of H: statistical distance between output of H and actual encryption

Rerandomization theorem

f: any function except for AND, OR, NOT

Assume f has a strong homomorphic evaluator with quality 2^-h

then there is a rerandomization with statistical error 2^-Ω(h).