
    An Attack on a Fully Homomorphic Encryption Scheme

    In this paper we present an attack on a fully homomorphic encryption scheme from PKC 2010. We construct a modified secret key, a modified decryption algorithm and a subset of the ciphertext space. When a ciphertext is from this subset, we can correctly decrypt it with our modified secret key and modified decryption algorithm. We also discuss when our modified decryption algorithm is efficient, and when the subset is not negligible.

    Studies on the Security of Selected Advanced Asymmetric Cryptographic Primitives

    The main goal of asymmetric cryptography is to provide confidential communication, which allows two parties to communicate securely even in the presence of adversaries. Ever since its invention in the seventies, asymmetric cryptography has been improved and developed further, and a formal security framework has been established around it. This framework includes different security goals, attack models, and security notions. As progress was made in the field, more advanced asymmetric cryptographic primitives were proposed, with other properties in addition to confidentiality. These new primitives also have their own definitions and notions of security. This thesis consists of two parts, where the first relates to the security of fully homomorphic encryption and related primitives. The second part presents a novel cryptographic primitive, and defines what security goals the primitive should achieve. The first part of the thesis consists of Articles I, II, and III, which all pertain to the security of homomorphic encryption schemes in one respect or another. Article I demonstrates that a particular fully homomorphic encryption scheme is insecure in the sense that an adversary with access only to the public material can recover the secret key. It is also shown that this insecurity mainly stems from the operations necessary to make the scheme fully homomorphic. Article II presents an adaptive key recovery attack on a leveled homomorphic encryption scheme. The scheme in question claimed to withstand precisely such attacks, and was the only scheme of its kind to do so at the time. This part of the thesis culminates with Article III, which is an overview article on the IND-CCA1 security of all acknowledged homomorphic encryption schemes. The second part of the thesis consists of Article IV, which presents Vetted Encryption (VE), a novel asymmetric cryptographic primitive.
    The primitive is designed to allow a recipient to vet who may send them messages, by setting up a public filter with a public verification key, and providing each vetted sender with their own encryption key. There are three different variants of VE, based on whether the sender is identifiable to the filter and/or the recipient. Security definitions, general constructions and comparisons to already existing cryptographic primitives are provided for all three variants. Doktorgradsavhandlin

    Attack on Fully Homomorphic Encryption over the Integers

    This paper presents a heuristic attack on fully homomorphic encryption over the integers using a lattice reduction algorithm. Our result shows that the FHE scheme in [DGHV10] is not secure for some parameter settings. We also present an improved scheme that avoids the lattice attack described in this paper. Comment: 24 page

    Improved fully homomorphic public-key encryption with small ciphertext size

    A cryptosystem which supports both addition and multiplication (thereby preserving the ring structure of the plaintexts) is known as fully homomorphic encryption (FHE) and is very powerful. Using such a scheme, any circuit can be homomorphically evaluated, effectively allowing the construction of programs which may be run on ciphertexts of their inputs to produce a ciphertext of their output. Since such a program never decrypts its input, it can be run by an untrusted party without revealing its inputs and internal state. The existence of an efficient and fully homomorphic cryptosystem would have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing. In previous work I proposed a fully homomorphic public-key encryption scheme whose ciphertext size was not small enough. In this paper the ciphertext size is one-eighth of the size in the previously proposed scheme. Because the proposed scheme adopts a medium text with zero norm, it is immune to the "p and -p attack". As the proposed scheme is based on the computational difficulty of solving multivariate algebraic equations of high degree, it is immune to the Gröbner basis attack, the differential attack, the rank attack and so on.

    Keyed-Fully Homomorphic Encryption without Indistinguishability Obfuscation

    (Fully) homomorphic encryption ((F)HE) allows users to publicly evaluate circuits on encrypted data. Although the public homomorphic evaluation property has various applications, (F)HE cannot achieve security against chosen ciphertext attacks (CCA2) due to its nature. To achieve both CCA2 security and the homomorphic evaluation property, Emura et al. (PKC 2013) introduced keyed-homomorphic public key encryption (KH-PKE) and formalized its security, denoted KH-CCA security. KH-PKE has a homomorphic evaluation key that enables users to perform homomorphic operations. Intuitively, KH-PKE achieves CCA2 security unless adversaries have the homomorphic evaluation key. Although Lai et al. (PKC 2016) proposed the first keyed-fully homomorphic encryption (keyed-FHE) scheme, its security relies on indistinguishability obfuscation (iO), and the scheme satisfies only a weak variant of KH-CCA security. Here, we propose a generic construction of a KH-CCA secure keyed-FHE scheme from an FHE scheme secure against non-adaptive chosen ciphertext attack (CCA1) and a strong dual-system simulation-sound non-interactive zero-knowledge (strong DSS-NIZK) argument system, using the Naor-Yung paradigm. We show that there are a strong DSS-NIZK and an IND-CCA1 secure FHE scheme that are suitable for our generic construction. This shows that a keyed-FHE scheme exists from primitives simpler than iO.

    Homomorphic Encryption and Program Analysis in Secrecy

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, 2015. 8. Jung Hee Cheon. Homomorphic encryption is a cryptographic technique that enables data to be processed through operations on ciphertexts, in their encrypted state, without going through decryption; it is drawing attention as a cryptosystem that can solve the security problems arising in the cloud service environments widely used today. This thesis studies applications of homomorphic encryption together with the development of a new homomorphic encryption algorithm. In the applications part, we propose a privacy-preserving set union protocol using the Naccache-Stern additively homomorphic encryption scheme and a secret static program analysis method using the RLWE-based BGV homomorphic encryption scheme. To support efficient set union, we propose a special encoding function for representing the participants' set elements and, applying this encoding function, a method that efficiently recovers the roots of polynomials even in a space that is not a unique factorization domain. Based on this, we propose the most efficient constant-round set union protocol to date. For secret program analysis, we present a secret pointer analysis method using homomorphic encryption. Using the type information of program variables, we present a method that dramatically reduces the number of multiplications required during homomorphic evaluation from $O(m^2 \log m)$ to $O(\log m)$, and on this basis we propose a secret program analysis method practical enough for real-world use. This lets an analyst determine, from encrypted program information, which variables or storage locations a pointer variable in the program may point to during execution.
    Finally, we propose a new cryptographic hard problem, the polynomial approximate common divisor problem, and a new homomorphic encryption scheme based on it. The proposed scheme can be seen as a polynomial version of the homomorphic encryption scheme of van Dijk et al., and accordingly it supports not only data-parallel processing but also large-integer arithmetic. Whereas the fully homomorphic schemes in the family of van Dijk et al. rely on the hardness of the subset sum problem in order to provide division by the secret key, the proposed scheme needs no division by secret information during decryption and therefore does not require the subset sum assumption.
    Homomorphic encryption enables computing certain functions on encrypted data without decryption. Many cloud-based services need efficient homomorphic encryption schemes to provide security to the data in cloud computing. In this thesis, we focus on applications of homomorphic encryption for set operations and program analysis, and we suggest a new construction of homomorphic encryption. First, we present a new privacy-preserving set union protocol and a secure points-to analysis method as applications of homomorphic encryption. Our set union protocol is based on the additively homomorphic encryption scheme by Naccache and Stern, whose message space is $\mathbb{Z}_{\sigma}$, where $\sigma$ is a product of small primes. We introduce a special polynomial representation such that if a polynomial is represented in this form, then it is factorized uniquely in $\mathbb{Z}_\sigma[X]$. From this representation, we obtain an efficient constant-round set union protocol without an honest majority assumption. We adopt a somewhat homomorphic encryption scheme to perform static analysis on encrypted programs.
    In our method, a somewhat homomorphic encryption scheme of depth $O(\log m)$ is able to evaluate Andersen's pointer analysis with $O(\log m)$ homomorphic matrix multiplications, for the number $m$ of pointer variables, when the maximal pointer level is bounded. Finally, we propose a somewhat homomorphic encryption scheme over the polynomial ring. The security of the proposed scheme is based on the polynomial approximate common divisor problem, which can be seen as a polynomial analogue of the base problem of DGHV fully homomorphic encryption and its extension. Our scheme is conceptually simple and does not require a complicated re-linearization process. For this reason, our scheme is more efficient than RLWE-based homomorphic encryption over the polynomial ring when evaluating low-degree polynomials of large integers. Furthermore, we convert this scheme to a leveled fully homomorphic encryption scheme, and the resulting scheme has features similar to the variant of van Dijk et al.'s scheme by Coron et al. Our scheme, however, does not use the subset sum, which makes its design much simpler.
    Contents:
    Abstract
    1 Introduction
    2 Private Set Union Protocol
      2.1 Preliminaries
        2.1.1 Polynomial Representation of a Set
        2.1.2 Reversed Laurent Series
        2.1.3 Additive Homomorphic Encryption
        2.1.4 Root Finding Algorithms
      2.2 New Polynomial Representation of a Set
        2.2.1 New Invertible Polynomial Representation
        2.2.2 The Expected Number of Root Candidates
        2.2.3 The Proper Size of $\alpha$
      2.3 New Privacy-preserving Set Union Protocols
        2.3.1 Application of Our Polynomial Representation
        2.3.2 Honest-But-Curious Model
        2.3.3 Malicious Model
        2.3.4 Extension to the Multi-set Union Protocol
      2.4 Conclusion
    3 Secure Static Program Analysis
      3.1 Preliminaries
        3.1.1 Homomorphic Encryption
        3.1.2 The BGV-type Cryptosystem
        3.1.3 Security Model
      3.2 A Basic Construction of a Pointer Analysis in Secrecy
        3.2.1 Inclusion-based Pointer Analysis
        3.2.2 The Pointer Analysis in Secrecy
      3.3 Improvement of the Pointer Analysis in Secrecy
        3.3.1 Problems of the Basic Approach
        3.3.2 Overview of Improvement
        3.3.3 Level-by-level Analysis
        3.3.4 Ciphertext Packing
        3.3.5 Randomization of Ciphertexts
      3.4 Experimental Result
      3.5 Discussions
    4 New Fully Homomorphic Encryption
      4.1 Preliminaries
        4.1.1 Lattices
        4.1.2 Chinese Remaindering for Polynomials over Composite Modulus
        4.1.3 Distributions
      4.2 Our Fully Homomorphic Encryption Scheme
        4.2.1 Basic Parameters
        4.2.2 The Somewhat Homomorphic Encryption Scheme
        4.2.3 Leveled Fully Homomorphic Encryption Scheme
      4.3 Security
        4.3.1 The Polynomial ACD Problems
        4.3.2 Security Proof
      4.4 Analysis of the Polynomial ACD Problems
        4.4.1 Distinguishing Attack
        4.4.2 Chen-Nguyen's Attack
        4.4.3 Coppersmith's Attack
        4.4.4 Extension of Cohn-Heninger's Attack
      4.5 Implementation
        4.5.1 Public Key Compression
        4.5.2 Implementation Results
      4.6 Conclusion
    5 Conclusions
    Abstract (in Korean)
    Docto

    General Impossibility of Group Homomorphic Encryption in the Quantum World

    Group homomorphic encryption represents one of the most important building blocks in modern cryptography. It forms the basis of widely used, more sophisticated primitives, such as CCA2-secure encryption or secure multiparty computation. Unfortunately, recent advances in quantum computation show that many of the existing schemes completely break down once quantum computers reach maturity (mainly due to Shor's algorithm). This leads to the challenge of constructing quantum-resistant group homomorphic cryptosystems. In this work, we prove the general impossibility of (abelian) group homomorphic encryption in the presence of quantum adversaries, when assuming the IND-CPA security notion as the minimal security requirement. To this end, we prove a new result on the probability of sampling generating sets of finite (sub-)groups if sampling is done with respect to an arbitrary, unknown distribution. Finally, we provide a sufficient condition on homomorphic encryption schemes for our quantum attack to work and discuss its satisfiability in non-group homomorphic cases. The impact of our results on recent fully homomorphic encryption schemes remains an open question. Comment: 20 pages, 2 figures, conferenc

    A Verifiable Fully Homomorphic Encryption Scheme for Cloud Computing Security

    Performing computations on data in a cloud computing and big data context is highly valued today. Fully homomorphic encryption (FHE) is a category of encryption schemes that allows working with data in its encrypted form. It lets us preserve the confidentiality of our sensitive data while benefiting from the computing power of the cloud. Many existing schemes have demonstrated that the theory is feasible, but efficiency needs to be dramatically improved in order to make it usable for real applications. One subtle difficulty is how to efficiently handle the noise. This paper aims to introduce an efficient and verifiable FHE scheme based on a new mathematical structure that is noise free.