Additively Homomorphic IBE from Higher Residuosity

We present an identity-Based encryption (IBE) scheme that is group homomorphic for addition modulo a ``large\u27\u27 (i.e. superpolynomial) integer, the first such group homomorphic IBE. Our first result is the construction of an IBE scheme supporting homomorphic addition modulo a poly-sized prime $e$. Our construction builds upon the IBE scheme of Boneh, LaVigne and Sabin (BLS). BLS relies on a hash function that maps identities to $e$-th residues. However there is no known way to securely instantiate such a function. Our construction extends BLS so that it can use a hash function that can be securely instantiated. We prove our scheme IND-ID-CPA secure under the (slightly modified) $e$-th residuosity assumption in the random oracle model and show that it supports a (modular) additive homomorphism. By using multiple instances of the scheme with distinct primes and leveraging the Chinese Remainder Theorem, we can support homomorphic addition modulo a ``large\u27\u27 (i.e. superpolynomial) integer. We also show that our scheme for $e > 2$ is anonymous by additionally assuming the hardness of deciding solvability of a special system of multivariate polynomial equations. We provide a justification for this assumption by considering known attacks

A Survey on Homomorphic Encryption Schemes: Theory and Implementation

Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.Comment: - Updated. (October 6, 2017) - This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder

A Note on Attribute-Based Group Homomorphic Encryption

Group Homomorphic Encryption (GHE), formally defined by Armknecht, Katzenbeisser and Peter, is a public-key encryption primitive where the decryption algorithm is a group homomorphism. Hence it supports homomorphic evaluation of a single algebraic operation such as modular addition or modular multiplication. Most classical homomorphic encryption schemes such as as Goldwasser-Micali and Paillier are instances of GHE. In this work, we extend GHE to the attribute-based setting. We introduce and formally define the notion of Attribute-Based GHE (ABGHE) and explore its properties. We then examine the algebraic structure on attributes induced by the group operation in an ABGHE. This algebraic stricture is a bounded semilattice. We consider some possible semilattices and how they can be realized by an ABGHE supporting inner product predicates. We then examine existing schemes from the literature and show that they meet our definition of ABGHE for either an additive or multiplicative homomorphism. Some of these schemes are in fact Identity-Based Group Homomorphic Encryption (IBGHE) schemes i.e. instances of ABGHE whose class of access policies are point functions. We then present a possibility result for IBGHE from indistinguishability obfuscation for any group for which a (public-key) GHE scheme exists

Anonymous IBE From Quadratic Residuosity With Fast Encryption

We develop two variants of Cocks\u27 identity-based encryption. One variant has faster encryption, where the most time-consuming part only requires several modular multiplications. The other variant makes the first variant anonymous under suitable complexity assumptions, while its decryption efficiency is about twice lower than the first one. Both the variants have ciphertext expansion twice more extensive than the original Cocks\u27 identity-based encryption. To alleviate the issue of the second variant\u27s large ciphertext expansion, we consider using it to construct a public-key encryption with keyword search scheme with a fast encryption algorithm

Simple Homomorphisms of Cocks IBE and Applications

The Cocks Identity Based Encryption (IBE) scheme, proposed in 2001 by Clifford Cocks, has been the standard for Quadratic Residue-based IBE. It had been long believed that this IBE did not have enough structure to have homomorphic properties. In 2013, Clear, Hughes, and Tewari (Africacrypt 2013) created a Cocks scheme derivative where they viewed ciphertexts as polynomials modulo a quadratic. While the scheme was homomorphic, it required sending twice as much information per ciphertext as the original Cocks scheme. A recent result by Joye (PKC 2016) used complex algebraic structures to demonstrate the fact that Cocks IBE, on its own, is additively homomorphic. In this work, we build upon the results from CHT and Joye. We take the simple intuition from CHT, that ciphertexts can be seen as polynomials, but also demonstrate that we only need to send as much data as in the original Cocks scheme. This perspective leads to better intuition as to why these ciphertexts are homomorphic and to explicit efficient algorithms for computing this homomorphic addition. We believe that our approach will facilitate other extensions of Cocks IBE. As an example, we exhibit a two-way proxy re-encryption algorithm, which arises as a simple consequence of the structure we propose. That is, given a re-encryption key, we can securely convert a ciphertext under one key to a ciphertext under the other key and vice-versa (hence two-way)

On Homomorphic Encryption and Chosen-Ciphertext Security

Abstract. Chosen-Ciphertext (IND-CCA) security is generally consid-ered the right notion of security for a cryptosystem. Because of its central importance much effort has been devoted to constructing IND-CCA se-cure cryptosystems. In this work, we consider constructing IND-CCA secure cryptosystems from (group) homomorphic encryption. Our main results give natural and efficient constructions of IND-CCA secure cryptosystems from any homomorphic encryption scheme that satisfies weak cyclic properties, either in the plaintext, ciphertext or randomness space. Our results have the added benefit of being simple to describe and analyze

Efficient Fully Homomorphic Encryption from (Standard) LWE

A fully homomorphic encryption (FHE) scheme allows anyone to transform an encryption of a message, m, into an encryption of any (efficient) function of that message, f(m), without knowing the secret key. We present a leveled FHE scheme that is based solely on the (standard) learning with errors (LWE) assumption. (Leveled FHE schemes are initialized with a bound on the maximal evaluation depth. However, this restriction can be removed by assuming “weak circular security.”) Applying known results on LWE, the security of our scheme is based on the worst-case hardness of “short vector problems” on arbitrary lattices. Our construction improves on previous works in two aspects: 1. We show that “somewhat homomorphic” encryption can be based on LWE, using a new relinearization technique. In contrast, all previous schemes relied on complexity assumptions related to ideals in various rings. 2. We deviate from the “squashing paradigm” used in all previous works. We introduce a new dimension-modulus reduction technique, which shortens the ciphertexts and reduces the decryption complexity of our scheme, without introducing additional assumptions. Our scheme has very short ciphertexts, and we therefore use it to construct an asymptotically efficient LWE-based single-server private information retrieval (PIR) protocol. The communication complexity of our protocol (in the public-key model) is k·polylog(k)+log |DB| bits per single-bit query, in order to achieve security against 2k-time adversaries (based on the best known attacks against our underlying assumptions). Key words. cryptology, public-key encryption, fully homomorphic encryption, learning with errors, private information retrieva

Biometric Cryptosystems : Authentication, Encryption and Signature for Biometric Identities

Biometrics have been used for secure identification and authentication for more than two decades since biometric data is unique, non-transferable, unforgettable, and always with us. Recently, biometrics has pervaded other aspects of security applications that can be listed under the topic of ``Biometric Cryptosystems''. Although the security of some of these systems is questionable when they are utilized alone, integration with other technologies such as digital signatures or Identity Based Encryption (IBE) schemes results in cryptographically secure applications of biometrics. It is exactly this field of biometric cryptosystems that we focused in this thesis. In particular, our goal is to design cryptographic protocols for biometrics in the framework of a realistic security model with a security reduction. Our protocols are designed for biometric based encryption, signature and remote authentication. We first analyze the recently introduced biometric remote authentication schemes designed according to the security model of Bringer et al.. In this model, we show that one can improve the database storage cost significantly by designing a new architecture, which is a two-factor authentication protocol. This construction is also secure against the new attacks we present, which disprove the claimed security of remote authentication schemes, in particular the ones requiring a secure sketch. Thus, we introduce a new notion called ``Weak-identity Privacy'' and propose a new construction by combining cancelable biometrics and distributed remote authentication in order to obtain a highly secure biometric authentication system. We continue our research on biometric remote authentication by analyzing the security issues of multi-factor biometric authentication (MFBA). We formally describe the security model for MFBA that captures simultaneous attacks against these systems and define the notion of user privacy, where the goal of the adversary is to impersonate a client to the server. We design a new protocol by combining bipartite biotokens, homomorphic encryption and zero-knowledge proofs and provide a security reduction to achieve user privacy. The main difference of this MFBA protocol is that the server-side computations are performed in the encrypted domain but without requiring a decryption key for the authentication decision of the server. Thus, leakage of the secret key of any system component does not affect the security of the scheme as opposed to the current biometric systems involving cryptographic techniques. We also show that there is a tradeoff between the security level the scheme achieves and the requirement for making the authentication decision without using any secret key. In the second part of the thesis, we delve into biometric-based signature and encryption schemes. We start by designing a new biometric IBS system that is based on the currently most efficient pairing based signature scheme in the literature. We prove the security of our new scheme in the framework of a stronger model compared to existing adversarial models for fuzzy IBS, which basically simulates the leakage of partial secret key components of the challenge identity. In accordance with the novel features of this scheme, we describe a new biometric IBE system called as BIO-IBE. BIO-IBE differs from the current fuzzy systems with its key generation method that not only allows for a larger set of encryption systems to function for biometric identities, but also provides a better accuracy/identification of the users in the system. In this context, BIO-IBE is the first scheme that allows for the use of multi-modal biometrics to avoid collision attacks. Finally, BIO-IBE outperforms the current schemes and for small-universe of attributes, it is secure in the standard model with a better efficiency compared to its counterpart. Another contribution of this thesis is the design of biometric IBE systems without using pairings. In fact, current fuzzy IBE schemes are secure under (stronger) bilinear assumptions and the decryption of each message requires pairing computations almost equal to the number of attributes defining the user. Thus, fuzzy IBE makes error-tolerant encryption possible at the expense of efficiency and security. Hence, we design a completely new construction for biometric IBE based on error-correcting codes, generic conversion schemes and weakly secure anonymous IBE schemes that encrypt a message bit by bit. The resulting scheme is anonymous, highly secure and more efficient compared to pairing-based biometric IBE, especially for the decryption phase. The security of our generic construction is reduced to the security of the anonymous IBE scheme, which is based on the Quadratic Residuosity assumption. The binding of biometric features to the user's identity is achieved similar to BIO-IBE, thus, preserving the advantages of its key generation procedure

Oblivious Enforcement of Hidden Information Release Policies Using Online Certification Authorities

This thesis examines a new approach to attribute-based access control with hidden policies and hidden credentials. In this setting, a resource owner has an access control policy that is a function of Boolean-valued attributes of the resource requester. Access to the resource should be granted if and only if the resource owner's policy is satisfied, but we wish to hide the access control policy from the resource requester and the requester's attributes from the resource owner.Previous solutions to this problem involved the use of cryptographic credentials held by the resource requester, but it is obvious that if no information is provided about the access control policy, then the resource requester must try to satisfy the policy using every available credential. An initial contribution of this thesis is the first published empirical evaluation of the state-of-the-art protocol of Frikken, Atallah, and Li for access control with hidden policies and hidden credentials, demonstrating that the computational cost of the required cryptographic operations is highly burdensome.A new system model is then proposed that includes the active involvement of online certification authorities (CAs). These are entities that can provide authoritative information about the attributes in a resource owner's access control policy. Allowing the resource owner to query these online CAs immediately removes the need for the resource requester to guess which credentials to use.If the resource owner was allowed to learn the values of a requester's attributes from online CAs, however, the requester's credentials would no longer be private. This thesis examines cryptographic solutions in which the CAs' replies do not directly reveal any attribute information to the resource owner, but can nevertheless be used in the enforcement of an access control policy. The techniques considered involve scrambled circuit evaluation, homomorphic encryption, and secure multiparty computation using arithmetic circuits and Shamir secret sharing. Empirical experiments demonstrate that the proposed protocols can provide an order-of-magnitude performance improvement over existing solutions