6 research outputs found
On the IND-CCA1 Security of FHE Schemes
Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it first. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied, and we therefore provide an overview of the IND-CCA1 security of all acknowledged FHE schemes in this paper. To give this overview, we group the SHE schemes into broad categories based on their similarities and underlying hardness problems. For each category, we show that the SHE schemes are susceptible to either known adaptive key recovery attacks, a natural extension of known attacks, or our proposed attacks. Finally, we discuss the known techniques to achieve IND-CCA1-secure FHE and SHE schemes. We conclude that none of the proposed schemes are IND-CCA1-secure and that the known general constructions all have their shortcomings.
Studies on the Security of Selected Advanced Asymmetric Cryptographic Primitives
The main goal of asymmetric cryptography is to provide confidential communication, which allows two parties to communicate securely even in the presence of adversaries. Ever since its invention in the seventies, asymmetric cryptography has been improved and developed further, and a formal security framework has been established around it. This framework includes different security goals, attack models, and security notions. As progress was made in the field, more advanced asymmetric cryptographic primitives were proposed, with other properties in addition to confidentiality. These new primitives also have their own definitions and notions of security.
This thesis consists of two parts, where the first relates to the security of fully homomorphic encryption and related primitives. The second part presents a novel cryptographic primitive, and defines what security goals the primitive should achieve.
The first part of the thesis consists of Article I, II, and III, which all pertain to the security of homomorphic encryption schemes in one respect or another. Article I demonstrates that a particular fully homomorphic encryption scheme is insecure in the sense that an adversary with access only to the public material can recover the secret key. It is also shown that this insecurity mainly stems from the operations necessary to make the scheme fully homomorphic. Article II presents an adaptive key recovery attack on a leveled homomorphic encryption scheme. The scheme in question claimed to withstand precisely such attacks, and was the only scheme of its kind to do so at the time. This part of the thesis culminates with Article III, which is an overview article on the IND-CCA1 security of all acknowledged homomorphic encryption schemes.
The second part of the thesis consists of Article IV, which presents Vetted Encryption (VE), a novel asymmetric cryptographic primitive. The primitive is designed to allow a recipient to vet who may send them messages, by setting up a public filter with a public verification key and providing each vetted sender with their own encryption key. There are three different variants of VE, based on whether the sender is identifiable to the filter and/or the recipient. Security definitions, general constructions and comparisons to already existing cryptographic primitives are provided for all three variants.
On Foundations of Protecting Computations
Information technology systems have become indispensable to uphold our way of living, our economy and our safety. Failure of these systems can have devastating effects. Consequently, securing these systems against malicious intentions deserves our utmost attention.

Cryptography provides the necessary foundations for that purpose. In particular, it provides a set of building blocks which allow to secure larger information systems. Furthermore, cryptography develops concepts and techniques towards realizing these building blocks. The protection of computations is one invaluable concept for cryptography which paves the way towards realizing a multitude of cryptographic tools. In this thesis, we contribute to this concept of protecting computations in several ways.
Protecting computations of probabilistic programs. An indistinguishability obfuscator (IO) compiles (deterministic) code such that it becomes provably unintelligible. This can be viewed as the ultimate way to protect (deterministic) computations. Due to very recent research, such obfuscators enjoy plausible candidate constructions.

In certain settings, however, it is necessary to protect probabilistic computations. The only known construction of an obfuscator for probabilistic programs is due to Canetti, Lin, Tessaro, and Vaikuntanathan, TCC, 2015 and requires an indistinguishability obfuscator which satisfies extreme security guarantees. We improve this construction and thereby reduce the requirements on the security of the underlying indistinguishability obfuscator.
(Agrikola, Couteau, and Hofheinz, PKC, 2020)
Protecting computations in cryptographic groups. To facilitate the analysis of building blocks which are based on cryptographic groups, these groups are often overidealized such that computations in the group are protected from the outside. Using such overidealizations allows to prove building blocks secure which are sometimes beyond the reach of standard model techniques. However, these overidealizations are subject to certain impossibility results. Recently, Fuchsbauer, Kiltz, and Loss, CRYPTO, 2018 introduced the algebraic group model (AGM) as a relaxation which is closer to the standard model but in several aspects preserves the power of said overidealizations. However, their model still suffers from implausibilities. We develop a framework which allows to transport several security proofs from the AGM into the standard model, thereby evading the above implausibility results, and instantiate this framework using an indistinguishability obfuscator.
(Agrikola, Hofheinz, and Kastner, EUROCRYPT, 2020)
Protecting computations using compression. Perfect compression algorithms admit the property that the compressed distribution is truly random, leaving no room for any further compression. This property is invaluable for several cryptographic applications such as “honey encryption” or password-authenticated key exchange. However, perfect compression algorithms only exist for a very small number of distributions. We relax the notion of compression and rigorously study the resulting notion, which we call “pseudorandom encodings”. As a result, we identify various surprising connections between seemingly unrelated areas of cryptography. Particularly, we derive novel results for adaptively secure multi-party computation, which allows for protecting computations in distributed settings. Furthermore, we instantiate the weakest version of pseudorandom encodings which suffices for adaptively secure multi-party computation using an indistinguishability obfuscator.
(Agrikola, Couteau, Ishai, Jarecki, and Sahai, TCC, 2020)
Functional encryption: definitional foundations and multiparty transformations
Classical cryptographic primitives do not allow for any fine-grained access control over encrypted data. From an encryption of some data x, a decryptor, who is in possession of a decryption key, can either obtain the whole data x or nothing. The notion of functional encryption overcomes this drawback and enables access control over encrypted data. In this setting, a setup generator is responsible for generating the public parameters and so-called functional keys. These functional keys are decryption keys that are associated with a function f such that, when used in the decryption procedure, the decryptor obtains f(x), which is the result of the function f applied to the encrypted data x.

The standard security definition of functional encryption prevents a malicious decryptor from learning more about the encrypted data than what can be obtained from the functional keys it owns. In this thesis, we introduce the notion of consistency, a security definition that protects an honest decryptor against a malicious encryptor and/or setup generator. We formally introduce this notion using different security games and show that our notions are completely separated from existing confidentiality notions. Additionally, we analyze existing schemes and show how they can be modified to achieve consistency. Furthermore, we construct black-box compilers that turn any functional encryption scheme into a consistent one. Finally, we also analyze consistency in the universal composability (UC) framework and show that the consistency games imply UC security.

A more general notion of functional encryption is the notion of multi-client functional encryption, which allows a decryptor to evaluate multi-input functions on multiple ciphertexts generated by several different clients. This notion also requires a setup generator that generates the encryption keys for the different clients as well as the functional keys for the decryptor. A corrupted setup generator is able to compromise the privacy of all the clients in the system by generating arbitrary functional keys. To remove this single point of failure, the notion of decentralized multi-client functional encryption has been introduced. In a decentralized multi-client functional encryption scheme, the participating clients in the system are responsible for the generation of the encryption and functional keys.

In this thesis, we present a compiler that decentralizes any multi-client functional encryption scheme for inner-products that fulfills certain properties. Furthermore, we show that we can construct a (decentralized) multi-client functional encryption scheme for separable functions, n-input functions that can be written as the sum of n single-input functions, from any general-purpose single-input functional encryption scheme.

An interactive version of multi-client functional encryption is the notion of multiparty computation. In multiparty computation, several parties can jointly compute a function involving their private inputs by interacting in multiple rounds of communication.

We show how we can use functional encryption to amplify existing multiparty computation protocols in terms of their communication complexity. In more detail, we show how to turn a multiparty computation protocol with arbitrary communication complexity into a multiparty computation protocol with a communication complexity only depending on the depth of the circuit that is being computed, while preserving the number of rounds of interaction of the protocol. Furthermore, we present an improved compiler that relies on fully homomorphic encryption, a cryptographic notion that allows for the oblivious evaluation of functions on encrypted data, where the communication complexity of the amplified protocol is completely independent of the circuit that is being computed.
CCA1 secure FHE from PIO, revisited
Fully homomorphic encryption (FHE) allows computation on encrypted data using only public information. So far, most FHE schemes are CPA secure. In PKC 2017, Canetti et al. extended the generic transformation of Boneh, Canetti, Halevi and Katz to turn any multi-key identity-based FHE scheme into a CCA1-secure FHE scheme. Their main construction of multi-key identity-based FHE is from probabilistic indistinguishability obfuscation (PIO) and statistical trapdoor encryption. We show that the above multi-key identity-based FHE is not secure by giving an attack. Then we give a solution to avoid the attack and redesign a more succinct and efficient multi-key identity-based FHE scheme. Compared with the scheme of Canetti et al., ours has a smaller secret key per identity and more efficient homomorphic operations. Thus we obtain a more efficient CCA1-secure FHE scheme.
Jornadas Nacionales de Investigación en Ciberseguridad: proceedings of the VIII Jornadas Nacionales de Investigación en Ciberseguridad: Vigo, 21 to 23 June 2023
Jornadas Nacionales de Investigación en Ciberseguridad (8th, 2023, Vigo). atlanTTic; AMTEGA: Axencia para a modernización tecnolóxica de Galicia; INCIBE: Instituto Nacional de Ciberseguridad