
    Hide The Modulus: A Secure Non-Interactive Fully Verifiable Delegation Scheme for Modular Exponentiations via CRT

    Security protocols using public-key cryptography often require a large number of costly modular exponentiations (MEs). With the proliferation of resource-constrained (mobile) devices and advancements in cloud computing, delegation of such expensive computations to powerful server providers has gained a lot of attention. In this paper, we address the problem of verifiably secure delegation of MEs using two servers, where at most one of them is assumed to be malicious (the OMTUP model). We first show verifiability issues of two recent schemes: we show that a scheme from IndoCrypt 2016 does not offer full verifiability, and that a scheme for n simultaneous MEs from AsiaCCS 2016 is verifiable only with probability 0.5909 instead of the authors' claimed probability of 0.9955 for n=10. Then, we propose the first non-interactive fully verifiable secure delegation scheme by hiding the modulus via the Chinese Remainder Theorem (CRT). Our scheme also improves the computational efficiency of the previous schemes considerably. Hence, we provide a lightweight delegation enabling weak clients to securely and verifiably delegate MEs without any expensive local computation (neither online nor offline). The proposed scheme is highly useful for devices having (a) only ultra-lightweight memory, and (b) limited computational power (e.g. sensor nodes, RFID tags).

    Revisiting Single-server Algorithms for Outsourcing Modular Exponentiation

    We investigate the problem of securely outsourcing modular exponentiations to a single, malicious computational resource. We revisit recently proposed schemes using a single server and analyse them against two fundamental security properties, namely privacy of inputs and verifiability of outputs. Interestingly, we observe that the chosen schemes do not appear to meet both security properties. In fact, we present a simple polynomial-time attack on each algorithm, allowing the malicious server either to recover a secret input or to convincingly fool the client with wrong outputs. Then we provide a fix to the identified problem in the ExpSOS scheme. With our fix and without pre-processing, the improved scheme becomes the best to-date outsourcing scheme for the single-server case. Finally, we present the first precomputation-free single-server algorithm, πExpSOS, for simultaneous exponentiations.

    Bandwidth-optimized parallel private information retrieval

    We present improved and parallel versions of Lipmaa’s computationally-private information retrieval (CPIR) protocol based on an additively homomorphic cryptosystem. Lipmaa’s original CPIR utilizes binary decision diagrams, in which non-sink nodes have two child nodes and the data items to be retrieved are placed in the sink nodes. In our scheme, we employ quadratic and octal trees instead, where non-sink nodes have four and eight child nodes, respectively. Using other tree forms, which does not change the asymptotic complexity, results in shallower trees, by which we obtain an implementation that is an order of magnitude faster than the original scheme. We also present a non-trivial parallel algorithm that takes advantage of shared-memory multi-core architectures. Finally, our scheme proves to be highly efficient in terms of bandwidth requirement, i.e. the amount of data exchanged in a run of the CPIR protocol.

    Secure Delegation of Isogeny Computations and Cryptographic Applications

    We address the problem of speeding up isogeny computation for supersingular elliptic curves over finite fields using untrusted computational resources like third-party servers or cloud service providers (CSPs). We first propose new, efficient and secure delegation schemes. This especially enables resource-constrained devices (e.g. smart cards, RFID tags, tiny sensor nodes) to effectively deploy post-quantum isogeny-based cryptographic protocols. To the best of our knowledge, these new schemes are the first attempt to generalize the classical secure delegation schemes for group exponentiations and pairing computation to an isogeny-based post-quantum setting. Then, we apply these secure delegation subroutines to improve the performance of supersingular isogeny-based zero-knowledge proofs of identity. Our experimental results show that, at the 128-bit quantum-security level, the proving party only needs about 3% of the original protocol cost, while the verifying party’s effort is fully reduced to comparison operations. Lastly, we also apply our delegation schemes to decrease the computational cost of the decryption step for the NIST post-quantum standardization candidate SIKE.

    Secure Session Framework: An Identity-based Cryptographic Key Agreement and Signature Protocol

    This dissertation deals with the method of identity-based encryption. Here, the name or identity of a target object is used to encrypt the data. This property makes the method a suitable tool for modern electronic communication, since the identities or endpoint addresses used there must be globally unique. The identity-based key agreement protocol developed in this work offers advantages over existing approaches and opens up new possibilities. One of its main features is the complete independence of the key generators. This independence allows different security domains to set up their own systems. They are no longer forced to coordinate with each other or to exchange secrets. Due to the properties of the protocol, the systems nevertheless remain mutually compatible. This means that users of one security domain can communicate in encrypted form with users of another security domain without any additional effort. The independence was also carried over to a signature protocol. It allows users of different security domains to sign an object, where the signing process itself can also be independent. In addition to the protocol, the work also analyses existing systems. Attacks on established protocols and conjectures were found which show whether, or in which situations, these should not be used. On the one hand, a completely new approach was found, based on the (un)definedness of certain objects in discrete spaces. On the other hand, the well-known analysis method of lattice reduction was used and successfully transferred to new areas. Finally, the work presents application scenarios for the protocol in which its advantages are particularly relevant.
    The first scenario concerns telephony, where the telephone number of a target person is used as the key. Both GSM telephony and VoIP telephony are examined in the work. For this purpose, implementations were carried out on a current mobile phone and existing VoIP software was extended. The second application example is IP networks. Using the IP address of a computer as a key is also a good example, but more difficulties arise here than with telephony. There are, for example, dynamic IP addresses, or the method of Network Address Translation, in which the IP address is replaced. These and further problems were identified and solutions developed for each of them.

    Cryptographic Shuffles and Their Applications

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, 2012. 8. 천정희. For anonymization purposes, one can use a mix-net. A mix-net is a multi-party protocol to shuffle elements so that none of the parties knows the permutation linking the input and output. One way to construct a mix-net is to let a set of mixers, so-called mix-servers, take turns in permuting and re-encrypting or decrypting the inputs. If at least one of the mixers is honest, the input data and the output data can no longer be linked. In this role, shuffling constitutes an important building block in anonymization protocols and voting schemes. The problem is that the standard shuffle requires anyone who shuffles the input messages to keep his random permutation and randomizers secret. The assumption of a party keeping the secret information may be in some ways quite strong. Secondly, for this anonymization guarantee to hold we need to ensure that all mixers act according to the protocol. In general, zero-knowledge proofs (ZKPs) are used for this purpose. However, ZKPs are expensive in terms of computation and communication. In TCC 2007, Adida and Wikström proposed a novel approach to shuffling, called a public shuffle, in which a shuffler can perform the shuffle publicly without needing information kept secret. Their scheme uses an encrypted permutation matrix to shuffle ciphertexts publicly. This approach significantly reduces the cost of constructing a mix-net to verifiable joint decryption. Though their method is successful in making the shuffle a public operation, their scheme still requires that some trusted parties choose a permutation to be encrypted and construct zero-knowledge proofs of the well-formedness of this permutation.
    In this dissertation, we study a method to construct a public shuffle without relying on permutations generated privately: given an n-tuple of ciphertexts (c_1, ..., c_n), our shuffle algorithm computes f_i(c_1, ..., c_n) for i = 1, ..., ℓ, where each f_i(x_1, ..., x_n) is a symmetric polynomial in x_1, ..., x_n. Depending on the symmetric polynomials we use, we propose two concrete constructions. One is to use ring homomorphic encryption with a constant ciphertext complexity and the other is to use simple ElGamal encryption with a linear ciphertext complexity in the number of users. Both constructions are free of zero-knowledge proofs and publicly verifiable.
    Contents
        Abstract
        1 Introduction
            1.1 A Brief History of Shuffles
            1.2 Why Is Shuffling in Public Hard?
            1.3 Cryptographic Shuffle Schemes
            1.4 Contributions of This Work
                1.4.1 Our Definitional Approach
                1.4.2 Our Constructions
            1.5 Organization
        2 Preliminaries
            2.1 Basics
            2.2 Public Key Encryption
                2.2.1 IND-CPA Security
                2.2.2 IND-CCA Security
            2.3 Homomorphic Public-key Encryption
            2.4 Zero-Knowledge Proofs
                2.4.1 Zero-Knowledge Variants
                2.4.2 Proof of Knowledge
            2.5 Public-Key Obfuscation
        3 Verifiable Secret Shuffles: A Review
            3.1 Introduction
            3.2 Notation and Definitions
            3.3 Security
                3.3.1 Verifiability for Secret Shuffles
                3.3.2 Unlinkability Experiments
            3.4 Selected Prior Work
                3.4.1 Furukawa-Sako Protocol
                3.4.2 Groth Protocol
            3.5 Public Shuffles with Private Permutation
                3.5.1 Introduction
                3.5.2 Adida and Wikström Protocol
        4 Verifiable Public Shuffles
            4.1 Introduction
            4.2 Generalized Shuffle
                4.2.1 Syntax of Generalized Shuffle
                4.2.2 Security Model
                4.2.3 Cryptographic Assumption
            4.3 Constructions from Ring Homomorphic Encryption
                4.3.1 Construction from (n,n−1)-E
                4.3.2 Construction from (1,n)-E
            4.4 Constructions from Group Homomorphic Encryption
                4.4.1 Building Blocks
                4.4.2 A Generalized Public Shuffle Scheme Based on Polynomial Factorization
                4.4.3 A Generalized Public Shuffle Scheme Based on Integer Factorization
        5 Conclusion and Further Work
        Abstract (in Korean)
        Acknowledgement (in Korean)

    Parallel, scalable and bandwidth-optimized computational private information retrieval

    With the current increase of interest in cloud computing, the security of user data stored on remote servers has become an important concern. Hiding the access patterns of clients can be crucial in particular applications such as stock market or patent databases. Private Information Retrieval (PIR) was proposed to enable a client to retrieve a file stored on a cloud server without revealing the queried file to the server. In this work, we offer improvements to BddCpir, a PIR protocol proposed by Lipmaa. The original BddCpir uses Binary Decision Diagrams (BDD) as the data structure, where data items are stored at the sink nodes of the tree. First of all, we propose the use of quadratic and octal trees instead, where every non-sink node has four and eight child nodes, respectively, to reduce the depth of the tree. By adopting shallower trees, we obtain an improved server implementation which is an order of magnitude faster than the original scheme, without changing the asymptotic complexity. Secondly, we suggest a non-trivial parallelization method that takes advantage of shared-memory multi-core architectures to further decrease server computation latencies. Finally, we show how to scale the PIR scheme to larger database sizes with only a small overhead in bandwidth complexity, using shared-memory many-core processors. Consequently, we show that our scheme is bandwidth-efficient in terms of the data exchanged in a run of the CPIR protocol, in proportion to the database size.

    Efficient Private Information Retrieval

    A vast amount of today's Internet users' online activity consists of queries to various types of databases. From traditional search engines to modern cloud-based services, a person's everyday queries over a period of time on various data sources will leave a trail visible to the query processor, which can reveal significant and possibly sensitive information about her. Private Information Retrieval (PIR) algorithms can be leveraged to provide perfect privacy for users' queries, though at a restrictive computational cost. In this work, we consider today's highly distributed computing environments, as well as certain secure-hardware devices, for optimizing existing PIR solutions. In particular, we initially employ available secure hardware in a novel approach with the goal of providing faster and constant-time private query responses, by sacrificing some degree of privacy. Furthermore, we utilize the widely used Message Passing Interface (MPI) protocol to design a library which can be used in third-party software for performing private queries.

    Efficient Integer-Based Homomorphic Encryption

    Thesis (Ph.D.) -- Seoul National University Graduate School: Department of Mathematical Sciences, 2015. 2. 천정희. Fully homomorphic encryption allows a worker to perform additions and multiplications on encrypted plaintext values without decryption. The first construction of a fully homomorphic encryption scheme (FHE) based on ideal lattices was described by Gentry in 2009. Since Gentry's breakthrough result, many improvements have been made, introducing new variants, improving efficiency, and providing new features. Most FHE schemes still have very large ciphertexts (millions of bits for a single ciphertext). This presents a considerable bottleneck in practical deployments. To improve the efficiency of FHE schemes, especially ciphertext size, we can consider the following two observations. One is to improve the ratio of plaintext to ciphertext by packing many messages into one ciphertext, and the other is to reduce the size of FHE ciphertexts by combining FHE with existing public-key encryption. In this dissertation, we study the construction of efficient FHE over the integers. First, we propose a new variant of the DGHV fully homomorphic encryption scheme to extend the message space. Using the Chinese remainder theorem, our scheme reduces the overhead (ratio of ciphertext computation to plaintext computation) from Õ(λ^4) to Õ(λ). We reduce the security of our Somewhat Homomorphic Encryption scheme to a decisional version of the Approximate GCD problem (DACD). To reduce the ciphertext size, we propose a hybrid scheme that combines public-key encryption (PKE) and somewhat homomorphic encryption (SHE). In this model, messages are encrypted with a PKE and computations on encrypted data are carried out using SHE or FHE after homomorphic decryption. Our approach is suitable for cloud computing environments since it has small bandwidth and low storage requirements, and supports efficient computing on encrypted data. We also give an alternative approach to reduce the FHE ciphertext size.
    Some recent SHE schemes possess two properties, public key compression and key switching. By combining them, we propose a hybrid encryption scheme in which a block of messages is encrypted by a symmetric version of the SHE and its secret key is encrypted by the (asymmetric) SHE. The ciphertext under the symmetric-key encryption is compressed using the public key compression technique, and we convert the ciphertext into an asymmetric encryption to enable homomorphic computations using the key switching technique.
    Contents
        Abstract
        1 Introduction
            1.1 A Brief Overview of this Thesis
        2 CRT-based FHE over the Integers
            2.1 Preliminaries
            2.2 Our Somewhat Homomorphic Encryption Scheme
                2.2.1 Parameters
                2.2.2 The Construction
                2.2.3 Correctness
            2.3 Security
            2.4 Fully Homomorphic Encryption
                2.4.1 Bit Message Space
                2.4.2 Large Message Space
            2.5 Discussion
                2.5.1 Secure Large Integer Arithmetic
                2.5.2 Public key compression
        3 A Hybrid Scheme of PKE and SHE
            3.1 Preliminaries
                3.1.1 Hard Problems
                3.1.2 Homomorphic Encryption Schemes
            3.2 Encrypt with PKE and Compute with SHE
                3.2.1 A Hybrid Scheme of PKE and SHE
                3.2.2 Additive Homomorphic Encryptions for PKE in the Hybrid Scheme
                3.2.3 Multiplicative Homomorphic Encryptions for PKE in the Hybrid Scheme
            3.3 Homomorphic Evaluation of Exponentiation
                3.3.1 Improved Exponentiation using Vector Decomposition
                3.3.2 Improve the Bootstrapping without Squashing
            3.4 Discussions
                3.4.1 Application Model
                3.4.2 Advantages
            3.5 Generic Conversion of SHE from Private-Key to Public-Key
        4 A Hybrid Asymmetric Homomorphic Encryption
            4.1 Preliminaries
            4.2 A Hybrid Approach to Asymmetric FHE with Compressed Ciphertext
                4.2.1 Main Tools
                4.2.2 Hybrid Encryption with Compressed Ciphertexts
            4.3 Concrete Hybrid Constructions
                4.3.1 Hybrid Encryptions based on DGHV and Its Variants
                4.3.2 Hybrid Encryptions based on LWE
            4.4 Discussion
                4.4.1 Comparison to Other Approaches
                4.4.2 Other Fully Homomorphic Encryptions
        5 Conclusion
        Abstract (in Korean)
        Acknowledgement (in Korean)

    Succinct Zero-Knowledge Batch Proofs for Set Accumulators

    Cryptographic accumulators are a common solution to proving information about a large set S. They allow one to compute a short digest of S and short certificates of some of its basic properties, notably membership of an element. Accumulators also allow one to track set updates: a new accumulator is obtained by inserting/deleting a given element. In this work we consider the problem of generating membership and update proofs for batches of elements so that we can succinctly prove additional properties of the elements (i.e., proofs are of constant size regardless of the batch size), and we can preserve privacy. Solving this problem would allow obtaining blockchain systems with improved privacy and scalability. The state-of-the-art approach to achieve this goal is to combine accumulators (typically Merkle trees) with zkSNARKs. This solution is however expensive for provers and does not scale for large batches of elements. In particular, there is no scalable solution for proving batch membership when we require zero-knowledge (a standard definition of privacy-preserving protocols). In this work we propose new techniques to efficiently use zkSNARKs with RSA accumulators. We design and implement two main schemes: 1) harisa, which proves batch membership in zero-knowledge; 2) insarisa, which proves batch updates. For batch membership, the prover in harisa is orders of magnitude faster than existing approaches based on Merkle trees (depending on the hash function). For batch updates we get similar cost savings compared to approaches based on Merkle trees; we also improve over the recent solution of Ozdemir et al. [USENIX'20].