ON THE PROVABLE SECURITY OF
HOMOMORPHIC ENCRYPTION
Andrej Bogdanov, Chinese University of Hong Kong
Bertinoro Summer School | July 2014
based on joint work with Chin Ho Lee, Northeastern University
Public-key bit encryption
Diagram: Alice holds PK and a bit b and sends EncPK(b) to Bob, who holds SK and recovers b = DecSK(EncPK(b)).
message indistinguishability
(PK, EncPK(0)) and (PK, EncPK(1)) are computationally indistinguishable
El Gamal encryption
g, h in some large cyclic group
PK = (g, h), SK such that g^SK = h
EncPK(b) = (g^r, 2^b h^r) where r is random
DecSK(x, y) = b such that y = 2^b x^SK
Homomorphism of encryptions
EncPK(b) = (g^r, 2^b h^r)
strongly homomorphic: EncPK(b) · EncPK(b') and EncPK(b + b') are identically distributed
weakly homomorphic: DecSK(EncPK(b) · EncPK(b')) = b + b'
Does P ≠ NP imply cryptography?
P ≠ NP provides that SAT is worst-case hard; cryptography requires average-case hardness of distinguishing encryptions.
Cryptography from lattices
Ajtai: one-way functions
Ajtai-Dwork: public-key encryption
Regev, Peikert, Gentry, Brakerski and Vaikuntanathan, ...: "somewhat" homomorphic encryption
If short vectors in certain lattices are worst-case hard to find, then we have... but we can find them in NP ∩ coNP
Reductions
How to prove message indistinguishability?
Diagram: a reduction R, asked whether x ∈ SAT, makes queries q1, q2, ... of the form (PK, EncPK(b)) to a distinguisher whose answers a1, a2, ... are biased towards b, and finally outputs YES/NO.
From reductions to proof systems (Brassard)
Diagram: the reduction R becomes the verifier and the distinguisher becomes the prover. The verifier sends the randomness for R; the prover returns a transcript in which, for every query (PK, C), it answers b together with randomness r such that EncPK(b, r) = C; the verifier checks that each answer is correct (is it correct? are they all correct?) and accepts (OK).
From reductions to proof systems
Conclusion: a reduction from L to distinguishing Enc implies that L is in NP ∩ coNP
Yes, but under the implicit assumption that queries always have a unique answer (Goldreich and Goldwasser)
Brassard's assumption
Diagram: for every PK, a query falls in the support of EncPK(0) or of EncPK(1), but not both, so it has a unique answer. What if the supports of EncPK(0) and EncPK(1) overlap?
Restricting the reduction
If the reduction is nonadaptive then L is in AM ∩ coAM (Feigenbaum and Fortnow; B. and Trevisan; Akavia, Goldreich, Goldwasser and Moshkovitz)
For general encryptions, this is the best we can say
Our result
Let f be a "polynomially sensitive" function
If Enc has a weak homomorphic evaluator for f, then L is in AM ∩ coAM
The reduction can be adaptive, queries arbitrary
If the reduction has constant query complexity, then L is in statistical zero-knowledge
Sensitivity of functions
Example: for an input 0100 with f(0100) = 0, sens0 f(0100) counts the Hamming neighbours of 0100 (1100, 0000, 0110, 0101) on which f takes the value 1; here sens0 f(0100) = 2
sens0 f = max_x sens0 f(x)
f: {0, 1}^n → {0, 1} is polynomially sensitive if sens0 f, sens1 f are at least n^Ω(1)
Diagram of complexity classes (P, SZK, AM, coAM, with SAT outside): homomorphic encryptions with reductions of constant query complexity place L in SZK; homomorphic encryptions with arbitrary reductions place L in AM ∩ coAM; previous works cover arbitrary encryptions with nonadaptive reductions.
Rerandomization
The ability to map a ciphertext into an i.i.d. ciphertext without knowing the secret key
El Gamal example: PK = (g, h), SK such that g^SK = h
C = (g^r, 2^b h^r)
RerPK(C) = C · (g^r', h^r') with r' random is i.i.d. with C
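The El Gamal bit encryption above, its product homomorphism and the rerandomization RerPK(C) = C · (g^r', h^r'), as an added runnable example that is not part of the talk. The group parameters P, Q and G are constructed toy values (a safe prime whose quadratic-residue subgroup contains the element 2), far too small for real use.

```python
# Added example of the talk's El Gamal variant: EncPK(b) = (g^r, 2^b h^r).
# Toy group: P = 2*Q + 1 is a safe prime with P = 7 (mod 8), so 2 is a quadratic
# residue and lives in the order-Q subgroup together with g and h (constructed values).
import secrets

P = 2039
Q = 1019
G = 4  # a square, not 1, hence a generator of the order-Q subgroup

def keygen():
    sk = secrets.randbelow(Q - 1) + 1          # SK in [1, Q-1]
    return (G, pow(G, sk, P)), sk              # PK = (g, h) with g^SK = h

def enc(pk, b, r=None):
    g, h = pk
    if r is None:
        r = secrets.randbelow(Q)               # fresh randomness r
    return (pow(g, r, P), pow(2, b, P) * pow(h, r, P) % P)

def dec(sk, c, max_m=1):
    # DecSK(x, y) = m such that y = 2^m x^SK; max_m = 1 for a single bit,
    # larger to read out a homomorphic sum of bits (2, 4, ... are distinct mod P)
    x, y = c
    shared = pow(x, sk, P)                     # x^SK = h^r
    for m in range(max_m + 1):
        if pow(2, m, P) * shared % P == y:
            return m
    raise ValueError("ciphertext is not an encryption of 0..%d" % max_m)

def mul(c1, c2):
    # componentwise product: Enc(b) · Enc(b') = (g^(r+r'), 2^(b+b') h^(r+r'))
    return (c1[0] * c2[0] % P, c1[1] * c2[1] % P)

def rerandomize(pk, c):
    # RerPK(C) = C · (g^r', h^r') = C · EncPK(0): same bit, fresh randomness, no SK
    return mul(c, enc(pk, 0))

def demo():
    pk, sk = keygen()
    c0, c1 = enc(pk, 0), enc(pk, 1)
    assert dec(sk, c0) == 0 and dec(sk, c1) == 1
    # weak homomorphism: the product decrypts to b + b'
    assert dec(sk, mul(c0, c1)) == 1
    assert dec(sk, mul(c1, c1), max_m=2) == 2
    # strong homomorphism: Enc(0; r0) · Enc(1; r1) equals Enc(1; r0 + r1) exactly
    r0, r1 = 5, 7
    assert mul(enc(pk, 0, r0), enc(pk, 1, r1)) == enc(pk, 1, r0 + r1)
    # rerandomization preserves the plaintext bit
    assert dec(sk, rerandomize(pk, c1)) == 1 and dec(sk, rerandomize(pk, c0)) == 0
    return True
```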
Rerandomization from evaluation
Given a strong homomorphic evaluator H for majority: feed H the ciphertext Enc(b) together with three fresh encryptions of 0 and three fresh encryptions of 1, so the majority of the inputs is b; the output of H serves as Rer(Enc(b)).
Rerandomization from evaluation
When b = 0, every input to H is an encryption of 0: to H, the Enc(0) in the position of Enc(b) is indistinguishable from the other Enc(0) inputs, so the output of H must forget most of that Enc(0).
Rerandomization from evaluation
If H is a strong homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.
Lemma
We prove a weaker version for weak homomorphic evaluators and any sensitive f.
Distinguishing rerandomizations
Encryption can be broken using rerandomization and an SZK oracle
Compare Rer(Enc(b)) vs. Enc(0):
If b = 0, they are statistically close
If b = 1, they must be statistically far
so they can be distinguished in SZK
The rest of the proof
Since we can decrypt in SZK, L can be solved with the reduction plus an SZK oracle
So L is in BPP^SZK ⊆ AM ∩ coAM (Mahmoody and Xiao)
For weak homomorphism and general f, we do not know whether this holds; we give a new proof system
Quality of rerandomization
If H is a homomorphic evaluator for majority on k bits, then (Enc(b), Rer(Enc(b))) is √c/k-close to a pair of independent encryptions of b.
Lemma
For strong homomorphic evaluation, we can make this exponentially small.
Improving the rerandomization
Diagram: H takes Enc(b) together with fresh encryptions of 0 and 1 and outputs a new Enc(b); that output is fed back into H with fresh encryptions.
Algorithm: apply H iteratively t times.
Analysis
Diagrams: the t iterations of H drawn as a tree of H applications whose leaves are the original Enc(b) and fresh encryptions of 0 and 1.
Analysis
If we recurse t times, the original Enc(b) could be any one of 2^t inputs; applying the lemma, the distinguishing advantage drops to O(√c/2^t)
The value of t is determined by the quality of H: the statistical distance between the output of H and an actual encryption