
    Entangled cloud storage

    Entangled cloud storage (Aspnes et al., ESORICS 2004) enables a set of clients to "entangle" their files into a single clew to be stored by a (potentially malicious) cloud provider. The entanglement makes it impossible to modify or delete a significant part of the clew without affecting all files encoded in it. A clew keeps the files in it private but still lets each client recover its own data by interacting with the cloud provider; no cooperation from other clients is needed. At the same time, the cloud provider is discouraged from altering or overwriting any significant part of the clew, as this would mean that none of the clients can recover their files. We put forward the first simulation-based security definition for entangled cloud storage, in the framework of universal composability (Canetti, 2001). We then construct a protocol satisfying our security definition, relying on an entangled encoding scheme based on privacy-preserving polynomial interpolation; entangled encodings were originally proposed by Aspnes et al. as useful tools for the purpose of data entanglement. As a contribution of independent interest we revisit the security notions for entangled encodings, putting forward stronger definitions than previous work (which, for instance, did not consider collusion between clients and the cloud provider). Protocols for entangled cloud storage find application in the cloud setting, where clients store their files on a remote server and need assurance that the cloud provider will not modify or delete their data illegitimately. Current solutions, e.g., those based on Provable Data Possession and Proofs of Retrievability, require the server to be challenged regularly to provide evidence that the clients' files are stored at a given time. Entangled cloud storage provides an alternative approach where any single client operates implicitly on behalf of all others, i.e., as long as one client's files are intact, the entire remote database continues to be safe and unblemished.
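To make the all-or-nothing property concrete, here is an added example written for this page; it is not the paper's construction, which uses privacy-preserving interpolation and carries a UC proof. Each client contributes one 15-byte block as a field element, the clew is the coefficient vector of the polynomial interpolating all clients' points over GF(p), and a client recovers its block by evaluating the clew at its own secret point. The modulus, the block size, the one-element-per-file simplification and the local SHA-256 check are constructed choices.

```python
"""Toy entangled encoding by polynomial interpolation over GF(p).

Illustrative code for this page, not the ESORICS paper's scheme. The modulus,
block size and one field element per client are constructed simplifications.
"""
import hashlib
import secrets

P = (1 << 127) - 1          # prime field modulus (constructed parameter)
BLOCK_BYTES = 15            # 15 bytes < 2^120 < P, so one block is one field element


def interpolate(points, p=P):
    """Lagrange interpolation: coefficients c[0..n-1] (lowest degree first) of the
    unique polynomial of degree < n through the n points (x_i, y_i) modulo p."""
    n = len(points)
    coeffs = [0] * n
    for i, (xi, yi) in enumerate(points):
        num = [1]                       # running product of (X - x_j) for j != i
        denom = 1
        for j, (xj, _) in enumerate(points):
            if j == i:
                continue
            shifted = [0] * (len(num) + 1)
            for k, c in enumerate(num):         # multiply num by (X - x_j)
                shifted[k] = (shifted[k] - c * xj) % p
                shifted[k + 1] = (shifted[k + 1] + c) % p
            num = shifted
            denom = denom * (xi - xj) % p
        scale = yi * pow(denom, -1, p) % p
        for k, c in enumerate(num):
            coeffs[k] = (coeffs[k] + c * scale) % p
    return coeffs


def evaluate(coeffs, x, p=P):
    """Horner evaluation of the polynomial at x modulo p."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % p
    return acc


def entangle(blocks):
    """Entangle one block per client into a single clew.

    Each client gets a secret non-zero evaluation point x_i; the clew is the
    coefficient vector of the polynomial through all (x_i, block_i). Only the
    clew goes to the provider; each x_i stays with its owner.
    """
    points, keys = [], []
    for b in blocks:
        if len(b) != BLOCK_BYTES:
            raise ValueError("block must be exactly BLOCK_BYTES long")
        x = secrets.randbelow(P - 1) + 1        # x != 0, so every coefficient matters
        keys.append(x)
        points.append((x, int.from_bytes(b, "big")))
    return interpolate(points), keys


def recover(clew, x):
    """A client recovers its block by evaluating the clew at its secret point.
    Returns None when the value cannot be a valid block (the clew was altered)."""
    y = evaluate(clew, x)
    if y >= 1 << (8 * BLOCK_BYTES):
        return None
    return y.to_bytes(BLOCK_BYTES, "big")


def tamper(clew, index, delta=1):
    """Provider-side modification of a single coefficient of the stored clew."""
    altered = list(clew)
    altered[index] = (altered[index] + delta) % P
    return altered


def check(block, digest):
    """Integrity check each client keeps locally: SHA-256 of its own block."""
    return block is not None and hashlib.sha256(block).hexdigest() == digest


def demo():
    """Three clients entangle; after one coefficient changes, every client's
    recovery fails its own check. The blocks are constructed sample data."""
    blocks = [b"client-A-blk-01", b"client-B-blk-01", b"client-C-blk-01"]
    digests = [hashlib.sha256(b).hexdigest() for b in blocks]
    clew, keys = entangle(blocks)
    intact = all(check(recover(clew, k), d) for k, d in zip(keys, digests))
    bad = tamper(clew, 1)               # provider alters the X^1 coefficient only
    all_broken = not any(check(recover(bad, k), d) for k, d in zip(keys, digests))
    return intact, all_broken
```

Because every client's x is non-zero, adding delta to coefficient k shifts every client's recovered value by delta times x^k, which is never zero, so a single altered coefficient breaks all recoveries, and the locally kept hash is what lets a client notice. A real file would span many field elements, and this toy says nothing about a provider that keeps the clew intact but simply refuses to answer.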

    Survey of Homomorphic schemes

    Homomorphic encryption is increasingly becoming popular among researchers due to its future promise. Homomorphic encryption allows a third party to process data in encrypted form; the decryption keys need not be shared. This paper summarizes the concept of homomorphic encryption and the work that has been done in this field.

    A Survey on Homomorphic Encryption Schemes: Theory and Implementation

    Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, control over the privacy of sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns, as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of HE has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to be performed on encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, the implementations so far have shown that FHE still needs significant improvement to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE) schemes, which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes, are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.
    Comment: Updated (October 6, 2017). This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholders.
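As an added illustration of the partially homomorphic schemes the survey describes (example code written for this page, not the survey's own code), the following Python implements Paillier, whose ciphertexts can be added and scaled by anyone holding only the public key. The two Mersenne primes are constructed toy parameters far too small for real use, and the key dictionaries, function names and sample values are my own choices.

```python
"""Paillier: an additively homomorphic public-key scheme, shown so that an
untrusted party can aggregate encrypted values it cannot read.

Example code for this page, not from the survey. The primes below are toy
parameters (constructed); real deployments use primes of 1024 bits or more.
"""
import secrets
from math import gcd

P_PRIME = (1 << 31) - 1
Q_PRIME = (1 << 61) - 1


def lcm(a, b):
    return a // gcd(a, b) * b


def keygen(p=P_PRIME, q=Q_PRIME):
    """Return (public key, secret key). Uses the common choice g = n + 1."""
    n = p * q
    if gcd(n, (p - 1) * (q - 1)) != 1:
        raise ValueError("p and q are unsuitable for Paillier")
    g = n + 1
    lam = lcm(p - 1, q - 1)
    n2 = n * n
    l_of = (pow(g, lam, n2) - 1) // n           # L(u) = (u - 1) / n
    mu = pow(l_of, -1, n)
    return {"n": n, "g": g}, {"n": n, "lam": lam, "mu": mu}


def encrypt(pk, m):
    """c = g^m * r^n mod n^2 with fresh random r coprime to n."""
    n = pk["n"]
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("message out of range")
    while True:
        r = secrets.randbelow(n - 1) + 1
        if gcd(r, n) == 1:
            break
    return pow(pk["g"], m, n2) * pow(r, n, n2) % n2


def decrypt(sk, c):
    """m = L(c^lambda mod n^2) * mu mod n."""
    n = sk["n"]
    u = pow(c, sk["lam"], n * n)
    return (u - 1) // n * sk["mu"] % n


def add(pk, c1, c2):
    """E(m1) * E(m2) mod n^2 decrypts to m1 + m2 mod n; needs only pk."""
    return c1 * c2 % (pk["n"] ** 2)


def scale(pk, c, k):
    """E(m)^k mod n^2 decrypts to k * m mod n; needs only pk."""
    return pow(c, k, pk["n"] ** 2)


def untrusted_sum(pk, ciphertexts):
    """What a cloud server can do: aggregate ciphertexts without the secret key.
    Starting from a fresh E(0) also re-randomizes the result."""
    acc = encrypt(pk, 0)
    for c in ciphertexts:
        acc = add(pk, acc, c)
    return acc


def demo(values):
    """Client encrypts, server sums and doubles, client decrypts.
    Returns (sum of values, 2 * values[0])."""
    pk, sk = keygen()
    cts = [encrypt(pk, v) for v in values]
    total = decrypt(sk, untrusted_sum(pk, cts))
    doubled = decrypt(sk, scale(pk, cts[0], 2))
    return total, doubled
```

Two practitioner caveats: sums wrap modulo n, so the message space must be sized for the largest aggregate, and the scheme is malleable by design. The `scale` call is exactly what a dishonest server could apply to a stored ciphertext, and the client cannot tell from the ciphertext alone, so integrity has to come from a separate MAC or signature over the ciphertexts.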

    Homomorphic Encryption and Program Analysis in Secrecy

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, 2015. 8. Jung Hee Cheon.
    Homomorphic encryption is a cryptographic technique that allows data to be processed by operating on ciphertexts without going through decryption, and it is attracting attention as a cryptosystem that can solve the security problems arising in the cloud service environments now in wide use. This thesis studies applications of homomorphic encryption together with the development of a new homomorphic encryption algorithm. On the application side, we propose a privacy-preserving set union protocol using the Naccache-Stern additively homomorphic encryption, and a method for static analysis of secret programs using the RLWE-based BGV homomorphic encryption. To support efficient set union, we propose a special encoding function for representing the participants' set elements and show that, with this encoding, the roots of polynomials can be recovered efficiently even in a space that is not a unique factorization domain. Based on this, we propose the most efficient constant-round set union protocol to date. For secret program analysis, we present a pointer analysis method in secrecy using homomorphic encryption. Using the type information of program variables, we present a method that dramatically reduces the number of homomorphic multiplications required from $O(m^2 \log m)$ to $O(\log m)$, and on this basis we propose a secret program analysis method at a practically usable level. This lets an analyst determine, from encrypted program information alone, which variables or storage locations each pointer variable in the program may point to during execution. Finally, we propose a new cryptographic hardness assumption, the polynomial approximate common divisor problem, and a new homomorphic encryption scheme based on it. The proposed scheme can be seen as a polynomial version of the homomorphic encryption of van Dijk et al., and accordingly supports not only data-parallel processing but also large-integer arithmetic. Whereas the fully homomorphic schemes in the family of van Dijk et al. rely on the hardness of the subset sum problem in order to provide division by the secret key, the proposed scheme does not need this assumption because its decryption never divides by secret information.
    Homomorphic encryption enables computing certain functions on encrypted data without decryption. Many cloud-based services need efficient homomorphic encryption schemes to provide security for data in cloud computing. In this thesis, we focus on applications of homomorphic encryption to set operations and program analysis, and we suggest a new construction of homomorphic encryption. First, we present a new privacy-preserving set union protocol and a secure points-to analysis method as applications of homomorphic encryption. Our set union protocol is based on the additively homomorphic encryption scheme by Naccache and Stern, whose message space is $\mathbb{Z}_\sigma$, where $\sigma$ is a product of small primes. We introduce a special polynomial representation such that if a polynomial is represented in this form, then it factorizes uniquely in $\mathbb{Z}_\sigma[X]$. From this representation, we obtain an efficient constant-round set union protocol without an honest majority assumption. We adopt a somewhat homomorphic encryption to perform static analysis on encrypted programs.
    In our method, a somewhat homomorphic encryption scheme of depth $O(\log m)$ is able to evaluate Andersen's pointer analysis with $O(\log m)$ homomorphic matrix multiplications, where $m$ is the number of pointer variables, when the maximal pointer level is bounded. Finally, we propose a somewhat homomorphic encryption scheme over a polynomial ring. The security of the proposed scheme is based on the polynomial approximate common divisor problem, which can be seen as a polynomial analogue of the base problem of the DGHV fully homomorphic encryption scheme and its extension. Our scheme is conceptually simple and does not require a complicated re-linearization process. For this reason, our scheme is more efficient than RLWE-based homomorphic encryption over the polynomial ring when evaluating low-degree polynomials of large integers. Furthermore, we convert this scheme to a leveled fully homomorphic encryption scheme, and the resulting scheme has features similar to the variant of van Dijk et al.'s scheme by Coron et al. Our scheme, however, does not use the subset sum, which makes its design much simpler.

    Contents
    Abstract
    1 Introduction
    2 Private Set Union Protocol
        2.1 Preliminaries
            2.1.1 Polynomial Representation of a Set
            2.1.2 Reversed Laurent Series
            2.1.3 Additive Homomorphic Encryption
            2.1.4 Root Finding Algorithms
        2.2 New Polynomial Representation of a Set
            2.2.1 New Invertible Polynomial Representation
            2.2.2 The Expected Number of Root Candidates
            2.2.3 The Proper Size of $\alpha$
        2.3 New Privacy-preserving Set Union Protocols
            2.3.1 Application of Our Polynomial Representation
            2.3.2 Honest-But-Curious Model
            2.3.3 Malicious Model
            2.3.4 Extension to the Multi-set Union Protocol
        2.4 Conclusion
    3 Secure Static Program Analysis
        3.1 Preliminaries
            3.1.1 Homomorphic Encryption
            3.1.2 The BGV-type Cryptosystem
            3.1.3 Security Model
        3.2 A Basic Construction of a Pointer Analysis in Secrecy
            3.2.1 Inclusion-based Pointer Analysis
            3.2.2 The Pointer Analysis in Secrecy
        3.3 Improvement of the Pointer Analysis in Secrecy
            3.3.1 Problems of the Basic Approach
            3.3.2 Overview of Improvement
            3.3.3 Level-by-level Analysis
            3.3.4 Ciphertext Packing
            3.3.5 Randomization of Ciphertexts
        3.4 Experimental Result
        3.5 Discussions
    4 New Fully Homomorphic Encryption
        4.1 Preliminaries
            4.1.1 Lattices
            4.1.2 Chinese Remaindering for Polynomials over Composite Modulus
            4.1.3 Distributions
        4.2 Our Fully Homomorphic Encryption Scheme
            4.2.1 Basic Parameters
            4.2.2 The Somewhat Homomorphic Encryption Scheme
            4.2.3 Leveled Fully Homomorphic Encryption Scheme
        4.3 Security
            4.3.1 The Polynomial ACD Problems
            4.3.2 Security Proof
        4.4 Analysis of the Polynomial ACD Problems
            4.4.1 Distinguishing Attack
            4.4.2 Chen-Nguyen's Attack
            4.4.3 Coppersmith's Attack
            4.4.4 Extension of Cohn-Heninger's Attack
        4.5 Implementation
            4.5.1 Public Key Compression
            4.5.2 Implementation Results
        4.6 Conclusion
    5 Conclusions
    Abstract (in Korean)
    Docto
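The $O(\log m)$ bound in the thesis abstract comes from computing the closure of the copy-constraint graph by repeated squaring rather than by iterating to a fixed point. The following added example (my own code, not the thesis implementation) shows that closure and the points-to sets it yields in plaintext, for copy constraints only; the sample program, its variable names and the matrix encoding are constructed. Dereference constraints, ciphertext packing and the level-by-level treatment described in the thesis are not covered, and nothing here is encrypted.

```python
"""Copy-constraint core of an inclusion-based (Andersen-style) points-to
analysis as boolean matrix closure by repeated squaring.

Example code for this page, not the thesis code: plaintext only, copy
constraints only (p = q), no dereferences, no encryption.
"""


def bool_matmul(a, b):
    """Boolean product: (a*b)[i][j] = OR over k of (a[i][k] AND b[k][j])."""
    m = len(a)
    return [[1 if any(a[i][k] and b[k][j] for k in range(m)) else 0
             for j in range(m)] for i in range(m)]


def closure_by_squaring(adj):
    """Reflexive-transitive closure of the copy graph.

    adj[i][j] = 1 encodes the inclusion constraint pts(i) contains pts(j),
    i.e. an assignment i = j. Squaring (I + A) until the exponent reaches m
    needs only ceil(log2 m) matrix products, instead of the m - 1 products of
    the naive iteration R = R * (I + A). Returns (closure, products_used).
    """
    m = len(adj)
    r = [[1 if i == j else adj[i][j] for j in range(m)] for i in range(m)]
    products = 0
    while (1 << products) < m:
        r = bool_matmul(r, r)           # (I + A)^(2^products) -> (I + A)^(2^(products+1))
        products += 1
    return r, products


def points_to(closure, addr_of):
    """pts(i) is the union of the address-of facts of every j flowing into i."""
    m = len(closure)
    return [set().union(*[addr_of[j] for j in range(m) if closure[i][j]])
            for i in range(m)]


def demo():
    """Constructed sample over variables p, q, r, s (indices 0..3) and
    abstract locations a, b:
        p = &a;  q = &b;  r = p;  s = r;  q = s;
    Returns (points-to sets in index order, number of matrix products used)."""
    addr_of = [{"a"}, {"b"}, set(), set()]
    adj = [[0] * 4 for _ in range(4)]
    adj[2][0] = 1       # r = p
    adj[3][2] = 1       # s = r
    adj[1][3] = 1       # q = s
    closure, products = closure_by_squaring(adj)
    return points_to(closure, addr_of), products
```

Under homomorphic encryption each squaring is one round of homomorphic matrix multiplication on encrypted entries, so the multiplicative depth the SWHE parameters must support grows with the number of squarings rather than with $m$; that is what the abstract's depth bound refers to. The four-variable sample needs two squarings, while the naive fixed-point iteration would need three products.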