A Survey on Homomorphic Encryption Schemes: Theory and Implementation

Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.Comment: - Updated. (October 6, 2017) - This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder

A Framework for Efficient Adaptively Secure Composable Oblivious Transfer in the ROM

Oblivious Transfer (OT) is a fundamental cryptographic protocol that finds a number of applications, in particular, as an essential building block for two-party and multi-party computation. We construct a round-optimal (2 rounds) universally composable (UC) protocol for oblivious transfer secure against active adaptive adversaries from any OW-CPA secure public-key encryption scheme with certain properties in the random oracle model (ROM). In terms of computation, our protocol only requires the generation of a public/secret-key pair, two encryption operations and one decryption operation, apart from a few calls to the random oracle. In~terms of communication, our protocol only requires the transfer of one public-key, two ciphertexts, and three binary strings of roughly the same size as the message. Next, we show how to instantiate our construction under the low noise LPN, McEliece, QC-MDPC, LWE, and CDH assumptions. Our instantiations based on the low noise LPN, McEliece, and QC-MDPC assumptions are the first UC-secure OT protocols based on coding assumptions to achieve: 1) adaptive security, 2) optimal round complexity, 3) low communication and computational complexities. Previous results in this setting only achieved static security and used costly cut-and-choose techniques.Our instantiation based on CDH achieves adaptive security at the small cost of communicating only two more group elements as compared to the gap-DH based Simplest OT protocol of Chou and Orlandi (Latincrypt 15), which only achieves static security in the ROM

Contributions to secret sharing and other distributed cryptosystems

The present thesis deals with primitives related to the eld of distributed cryptography. First, we study signcryption schemes, which provide at the same time the functionalities of encryption and signature, where the unsigncryption operation is distributed. We consider this primitive from a theoretical point of view and set a security framework for it. Then, we present two signcryption schemes with threshold unsigncryption, with di erent properties. Furthermore, we use their authenticity property to apply them in the development of a di erent primitive: digital signatures with distributed veri cation. The second block of the thesis deals with the primitive of multi-secret sharing schemes. After stating some e ciency limitations of multi-secret sharing schemes in an information-theoretic scenario, we present several multi-secret sharing schemes with provable computational security. Finally, we use the results in multi-secret sharing schemes to generalize the traditional framework of distributed cryptography (with a single policy of authorized subsets) into a multipolicy setting, and we present both a multi-policy distributed decryption scheme and a multi-policy distributed signature scheme. Additionally, we give a short outlook on how to apply the presented multi-secret sharing schemes in the design of other multi-policy cryptosystems, like the signcryption schemes considered in this thesis. For all the schemes proposed throughout the thesis, we follow the same formal structure. After de ning the protocols of the primitive and the corresponding security model, we propose the new scheme and formally prove its security, by showing a reduction to some computationally hard mathematical problem.Avui en dia les persones estan implicades cada dia més en diferents activitats digitals tant en la seva vida professional com en el seu temps lliure. Molts articles de paper, com diners i tiquets, estan sent reemplaçats més i més per objectes digitals. La criptografia juga un paper crucial en aquesta transformació, perquè proporciona seguretat en la comunicació entre els diferents participants que utilitzen un canal digital. Depenent de la situació específica, alguns requisits de seguretat en la comunicació poden incloure privacitat (o confidencialitat), autenticitat, integritat o no-repudi. En algunes situacions, repartir l'operació secreta entre un grup de participants fa el procés més segur i fiable que quan la informació secreta està centralitzada en un únic participant; la criptografia distribuïda és l’àrea de la criptografia que estudia aquestes situacions. Aquesta tesi tracta de primitives relacionades amb el camp de la criptografia distribuïda. Primer, estudiem esquemes “signcryption”, que ofereixen a la vegada les funcionalitats de xifrat i signatura, on l'operació de “unsigncryption” està distribuïda. Considerem aquesta primitiva des d’un punt de vista teòric i establim un marc de seguretat per ella. Llavors, presentem dos esquemes “signcryption” amb operació de “unsigncryption” determinada per una estructura llindar, cada un amb diferents propietats. A més, utilitzem la seva propietat d’autenticitat per desenvolupar una nova primitiva: signatures digitals amb verificació distribuïda. El segon bloc de la tesi tracta la primitiva dels esquemes de compartició de multi-secrets. Després de demostrar algunes limitacions en l’eficiència dels esquemes de compartició de multi-secrets en un escenari de teoria de la informació, presentem diversos esquemes de compartició de multi-secrets amb seguretat computacional demostrable. Finalment, utilitzem els resultats obtinguts en els esquemes de compartició de multi-secrets per generalitzar el paradigma tradicional de la criptografia distribuïda (amb una única política de subconjunts autoritzats) a un marc multi-política, i presentem un esquema de desxifrat distribuït amb multi-política i un esquema de signatura distribuïda amb multi-política. A més, donem indicacions de com es poden aplicar els nostres esquemes de compartició de multi-secrets en el disseny d’altres criptosistemes amb multi-política, com per exemple els esquemes “signcryption” considerats en aquesta tesi. Per tots els esquemes proposats al llarg d’aquesta tesi, seguim la mateixa estructura formal. Després de definir els protocols de la primitiva primitius i el model de seguretat corresponent, proposem el nou esquema i demostrem formalment la seva seguretat, mitjançant una reducció a algun problema matemàtic computacionalment difícil

Security and complexity of the McEliece cryptosystem based on QC-LDPC codes

In the context of public key cryptography, the McEliece cryptosystem represents a very smart solution based on the hardness of the decoding problem, which is believed to be able to resist the advent of quantum computers. Despite this, the original McEliece cryptosystem, based on Goppa codes, has encountered limited interest in practical applications, partly because of some constraints imposed by this very special class of codes. We have recently introduced a variant of the McEliece cryptosystem including low-density parity-check codes, that are state-of-the-art codes, now used in many telecommunication standards and applications. In this paper, we discuss the possible use of a bit-flipping decoder in this context, which gives a significant advantage in terms of complexity. We also provide theoretical arguments and practical tools for estimating the trade-off between security and complexity, in such a way to give a simple procedure for the system design.Comment: 22 pages, 1 figure. This paper is a preprint of a paper accepted by IET Information Security and is subject to Institution of Engineering and Technology Copyright. When the final version is published, the copy of record will be available at IET Digital Librar