Secure privacy-preserving computing applications on cloud using homomorphic cryptography

The advancement of cloud computing technologies has provided users and business organisations with various cloud-based options to store and access information externally, across multiple platforms and geographic locations. The cloud also has the ability to deliver scalable and high-performance computing services on demand and in a cost-effective manner while helping users to avoid the trouble of maintaining large data centres and complex computing facilities. The economies of scale increase revenue for cloud providers and lower costs for cloud users. The resulting on-demand model of computing allows providers to achieve better resource utilization through statistical multiplexing, and enables users to avoid the costs of resource over-provisioning through dynamic scaling. However, there are major security and privacy concerns when data is stored in external cloud storage systems. For example, when personal information is stored in unencrypted formats on the cloud, service providers can learn many details about the users such as their preferences, past behaviours and biometric identities. The widely distributed nature of cloud architectures means that server farms can be located in many countries or geographic locations that might be under different laws and regulations regarding user privacy. Furthermore, cloud service providers may encrypt data in-transit, but not while user data is stored on their servers, causing the reluctance of many business organisations to outsource the storage of their sensitive and valuable data, which can be major targets for attacks coming from both outside attackers and insiders. Therefore, encrypting the data when it is stored on the cloud is an important task to guarantee the confidentiality and privacy of users data. However, traditional cryptographic techniques make it difficult for processing tasks such as searching, updating or checking the integrity of encrypted data without asking clients to download and decrypt large amounts of data from the cloud. To realise the full potential of cloud computing, better cryptographic schemes are required. They should enable the cloud to perform various computing operations on encrypted data and return encrypted results to customers. Another desirable feature is how a cryptographic scheme can allow different parties to combine their encrypted data and perform some computing tasks on the cloud without compromising the confidentiality and privacy of the data of each party. Recently, homomorphic cryptography has increasingly been the focus of researchers because this technology has a great potential to provide the desirable features described above. Homomorphic encryption can be implemented either as a symmetric or a public-private asymmetric key paradigm. This technique allows many types of computing operations to be performed on ciphertext and output encrypted results which, when decrypted, are found to be identical to the results of the same operations performed on plaintext data. With a homomorphic cryptosystem, many computational circuits can now be homomorphically evaluated, producing programs that might be run on encryptions of their inputs to produce an encryption of their output. Since the inputs of such programs are encrypted, a computation task can be performed on an untrusted cloud without revealing any inputs and internal states. In this thesis, we focus the design and implementation of various application models of homomorphic cryptography so that the cloud can be used more effective and securely to store and process sensitive customer data. Our research works throughout many chapters of this thesis also provide valuable information regarding the security of homomorphic cryptography in many use case scenarios. We illustrate how homomorphic cryptography can be applied effectively with all of its flexibility, power and usefulness in many applications ranging from smart grid, e-commerce to secret sharing. In this thesis, we also propose approaches to enhance the efficiency and effectiveness of homomorphic cryptography, so that these cryptographic schemes can be applied not only in current cloud-based application, but also in larger, more mission-critical applications in the future

Theory and Practice of Cryptography and Network Security Protocols and Technologies

In an age of explosive worldwide growth of electronic data storage and communications, effective protection of information has become a critical requirement. When used in coordination with other tools for ensuring information security, cryptography in all of its applications, including data confidentiality, data integrity, and user authentication, is a most powerful tool for protecting information. This book presents a collection of research work in the field of cryptography. It discusses some of the critical challenges that are being faced by the current computing world and also describes some mechanisms to defend against these challenges. It is a valuable source of knowledge for researchers, engineers, graduate and doctoral students working in the field of cryptography. It will also be useful for faculty members of graduate schools and universities

On the Design and Improvement of Lattice-based Cryptosystems

Digital signatures and encryption schemes constitute arguably an integral part of cryptographic schemes with the goal to meet the security needs of present and future private and business applications. However, almost all public key cryptosystems applied in practice are put at risk due to its vulnerability to quantum attacks as a result of Shor's quantum algorithm. The magnitude of economic and social impact is tremendous inherently asking for alternatives replacing classical schemes in case large-scale quantum computers are built. Lattice-based cryptography emerged as a powerful candidate attracting lots of attention not only due to its conjectured resistance against quantum attacks, but also because of its unique security guarantee to provide worst-case hardness of average-case instances. Hence, the requirement of imposing further assumptions on the hardness of randomly chosen instances disappears, resulting in more efficient instantiations of cryptographic schemes. The best known lattice attack algorithms run in exponential time. In this thesis we contribute to a smooth transition into a world with practically efficient lattice-based cryptographic schemes. This is indeed accomplished by designing new algorithms and cryptographic schemes as well as improving existing ones. Our contributions are threefold. First, we construct new encryption schemes that fully exploit the error term in LWE instances. To this end, we introduce a novel computational problem that we call Augmented LWE (A-LWE), differing from the original LWE problem only in the way the error term is produced. In fact, we embed arbitrary data into the error term without changing the target distributions. Following this, we prove that A-LWE instances are indistinguishable from LWE samples. This allows to build powerful encryption schemes on top of the A-LWE problem that are simple in its representations and efficient in practice while encrypting huge amounts of data realizing message expansion factors close to 1. This improves, to our knowledge, upon all existing encryption schemes. Due to the versatility of the error term, we further add various security features such as CCA and RCCA security or even plug lattice-based signatures into parts of the error term, thus providing an additional mechanism to authenticate encrypted data. Based on the methodology to embed arbitrary data into the error term while keeping the target distributions, we realize a novel CDT-like discrete Gaussian sampler that beats the best known samplers such as Knuth-Yao or the standard CDT sampler in terms of running time. At run time the table size amounting to 44 elements is constant for every discrete Gaussian parameter and the total space requirements are exactly as large as for the standard CDT sampler. Further results include a very efficient inversion algorithm for ring elements in special classes of cyclotomic rings. In fact, by use of the NTT it is possible to efficiently check for invertibility and deduce a representation of the corresponding unit group. Moreover, we generalize the LWE inversion algorithm for the trapdoor candidate of Micciancio and Peikert from power of two moduli to arbitrary composed integers using a different approach. In the second part of this thesis, we present an efficient trapdoor construction for ideal lattices and an associated description of the GPV signature scheme. Furthermore, we improve the signing step using a different representation of the involved perturbation matrix leading to enhanced memory usage and running times. Subsequently, we introduce an advanced compression algorithm for GPV signatures, which previously suffered from huge signature sizes as a result of the construction or due to the requirement of the security proof. We circumvent this problem by introducing the notion of public and secret randomness for signatures. In particular, we generate the public portion of a signature from a short uniform random seed without violating the previous conditions. This concept is subsequently transferred to the multi-signer setting which increases the efficiency of the compression scheme in presence of multiple signers. Finally in this part, we propose the first lattice-based sequential aggregate signature scheme that enables a group of signers to sequentially generate an aggregate signature of reduced storage size such that the verifier is still able to check that each signer indeed signed a message. This approach is realized based on lattice-based trapdoor functions and has many application areas such as wireless sensor networks. In the final part of this thesis, we extend the theoretical foundations of lattices and propose new representations of lattice problems by use of Cauchy integrals. Considering lattice points as simple poles of some complex functions allows to operate on lattice points via Cauchy integrals and its generalizations. For instance, we can deduce for the one-dimensional and two-dimensional case simple expressions for the number of lattice points inside a domain using trigonometric or elliptic functions

Key-and-Argument-Updatable QA-NIZKs

There are several new efficient approaches to decreasing trust in the CRS creators for NIZK proofs in the CRS model. Recently, Groth et al. (CRYPTO 2018) defined the notion of NIZK with updatable CRS (updatable NIZK) and described an updatable SNARK. We consider the same problem in the case of QA-NIZKs. We also define an important new property: we require that after updating the CRS, one should be able to update a previously generated argument to a new argument that is valid with the new CRS. We propose a general definitional framework for key-and-argument-updatable QA-NIZKs. After that, we describe a key-and-argument-updatable version of the most efficient known QA-NIZK for linear subspaces by Kiltz and Wee. Importantly, for obtaining soundness, it suffices to update a universal public key that just consists of a matrix drawn from a KerMDH-hard distribution and thus can be shared by any pairing-based application that relies on the same hardness assumption. After specializing the universal public key to the concrete language parameter, one can use the proposed key-and-argument updating algorithms to continue updating to strengthen the soundness guarantee

Malleable zero-knowledge proofs and applications

In recent years, the field of privacy-preserving technologies has experienced considerable expansion, with zero-knowledge proofs (ZKPs) playing one of the most prominent roles. Although ZKPs have been a well-established theoretical construct for three decades, recent efficiency improvements and novel privacy applications within decentralized finance have become the main drivers behind the surge of interest and investment in this area. This momentum has subsequently sparked unprecedented technical advances. Non-interactive ZKPs (NIZKs) are now regularly implemented across a variety of domains, encompassing, but not limited to, privacy-enabling cryptocurrencies, credential systems, voting, mixing, secure multi-party computation, and other cryptographic protocols. This thesis, although covering several areas of ZKP technologies and their application, focuses on one important aspect of NIZKs, namely their malleability. Malleability is a quality of a proof system that describes the potential for altering an already generated proof. Different properties may be desired in different application contexts. On the one end of the spectrum, non-malleability ensures proof immutability, an important requirement in scenarios such as prevention of replay attacks in anonymous cryptocurrencies. At the other end, some NIZKs enable proof updatability, recursively and directly, a feature that is integral for a variety of contexts, such as private smart contracts, compact blockchains, ZK rollups, ZK virtual machines, and MPC protocols generally. This work starts with a detailed analysis of the malleability and overarching security of a popular NIZK, known as Groth16. Here we adopt a more definitional approach, studying certain properties of the proof system, and its setup ceremony, that are crucial for its precise modelling within bigger systems. Subsequently, the work explores the malleability of transactions within a private cryptocurrency variant, where we show that relaxing non-malleability assumptions enables a functionality, specifically an atomic asset swap, that is useful for cryptocurrency applications. The work culminates with a study of a less general, algebraic NIZK, and particularly its updatability properties, whose applicability we present within the context of ensuring privacy for regulatory compliance purposes

Encriptação com predicados baseada em reticulados

Orientadores: Ricardo Dahab, Michel AbdallaTese (doutorado) - Universidade Estadual de Campinas, Instituto de ComputaçãoResumo: Em um sistema de criptografia funcional, uma autoridade de posse de uma chave mestra pode gerar uma chave secreta que permite o cálculo de uma função sobre a mensagem nos dados criptografados. Assim, é possível calcular tal função no texto cifrado usando somente a chave secreta. Exemplos importantes de criptografia funcional são Criptografia Baseada em Identidades, Criptografia Baseada em Atributos, Criptografia com Produto Escalar, Criptografia Difusa Baseada em Identidades, Criptografia de Vector Oculto, Criptografia Baseada em Certificados, Criptografia com Pesquisa de Palavra-Chave e Criptografia Baseada em Identidades com Curinga. Esquemas de criptografia com predicados são uma especialização de esquemas de criptografia funcionais, em que a função utilizada não fornece informações sobre a mensagem, mas determina se a decriptação deve ou não funcionar corretamente. Criptografia baseada em reticulados é uma importante alternativa para os principais sistemas criptográficos utilizados atualmente, uma vez que elas são supostamente seguras contra algoritmos quânticos. O Algoritmo de Shor é capaz de resolver o Problema da Fatoração Inteira e o Problema do Logaritmo Discreto em tempo polinomial em um computador quântico, quebrando os sistemas criptográficos mais usados e importantes atualmente, como o RSA, o Diffie-Hellman e a Criptografia de Curvas Elípticas. Neste trabalho nos concentramos em esquemas de criptografia com predicados baseados em reticulados. Nós estudamos e descrevemos os principais sistemas baseados em reticulados encontrados na literatura, estendendo-os a versões hierárquicas e mostrando como o uso de um reticulado com estrutura ideal afeta a prova de segurança. Para cada esquema, uma prova formal de segurança é detalhada, as análises de complexidade e do tamanho das variáveis são mostradas e a escolha dos parâmetros garantindo o funcionamento correto da decriptação é dadaAbstract: In a functional encryption system, an authority holding a master secret key can generate a key that enables the computation of some function on the encrypted data. Then, using the secret key the decryptor can compute the function from the ciphertext. Important examples of functional encryption are Identity-Based Encryption, Attribute-Based Encryption, Inner Product Encryption, Fuzzy Identity-Based Encryption, Hidden Vector Encryption, Certificate-Based Encryption, Public Key Encryption with Keyword Search and Identity-Based Encryption with Wildcards. Predicate encryption schemes are a specialization of functional encryption schemes, in which the function does not give information of the plaintext, but it determines whether the decryption should or should not work properly. Lattice-Based Cryptography is an important alternative to the main cryptographic systems used today, since they are conjectured to be secure against quantum algorithms. Shor's algorithm is capable of solving the Integer Factorization Problem and the Discrete Logarithm Problem in polynomial time on a quantum computer, breaking the most used and important cryptosystems such as RSA, Diffie-Hellman and Elliptic Curve Cryptography. In this work we focus on Lattice-Based Predicate Encryption. We study and describe the main lattice-based schemes found in the literature, extending them to hierarchical versions and showing how the use of ideal lattice affects their security proof. For each scheme, a formal proof of security is detailed, analyses of complexity and variable's size are shown and the parameter's choice ensuring that the decryption works correctly is givenDoutoradoCiência da ComputaçãoDoutora em Ciência da Computaçã

On a New, Efficient Framework for Falsifiable Non-interactive Zero-Knowledge Arguments

Et kunnskapsløst bevis er en protokoll mellom en bevisfører og en attestant. Bevisføreren har som mål å overbevise attestanten om at visse utsagn er korrekte, som besittelse av kortnummeret til et gyldig kredittkort, uten å avsløre noen private opplysninger, som for eksempel kortnummeret selv. I mange anvendelser er det ønskelig å bruke IIK-bevis (Ikke-interaktive kunnskapsløse bevis), der bevisføreren produserer kun en enkelt melding som kan bekreftes av mange attestanter. En ulempe er at sikre IIK-bevis for ikke-trivielle språk kun kan eksistere ved tilstedeværelsen av en pålitelig tredjepart som beregner en felles referansestreng som blir gjort tilgjengelig for både bevisføreren og attestanten. Når ingen slik part eksisterer liter man av og til på ikke-interaktiv vitne-uskillbarhet, en svakere form for personvern. Studiet av effektive og sikre IIK-bevis er en kritisk del av kryptografi som har blomstret opp i det siste grunnet anvendelser i blokkjeder. I den første artikkelen konstruerer vi et nytt IIK-bevis for språkene som består av alle felles nullpunkter for en endelig mengde polynomer over en endelig kropp. Vi demonstrerer nytteverdien av beviset ved flerfoldige eksempler på anvendelser. Særlig verdt å merke seg er at det er mulig å gå nesten automatisk fra en beskrivelse av et språk på et høyt nivå til definisjonen av IIK-beviset, som minsker behovet for dedikert kryptografisk ekspertise. I den andre artikkelen konstruerer vi et IIV-bevis ved å bruke en ny kompilator. Vi utforsker begrepet Kunnskapslydighet (et sterkere sikkerhetsbegrep enn lydighet) for noen konstruksjoner av IIK-bevis. I den tredje artikkelen utvider vi arbeidet fra den første artikkelen ved å konstruere et nytt IIK-bevis for mengde-medlemskap som lar oss bevise at et element ligger, eller ikke ligger, i den gitte mengden. Flere nye konstruksjoner har bedre effektivitet sammenlignet med allerede kjente konstruksjoner.A zero-knowledge proof is a protocol between a prover, and a verifier. The prover aims to convince the verifier of the truth of some statement, such as possessing credentials for a valid credit card, without revealing any private information, such as the credentials themselves. In many applications, it is desirable to use NIZKs (Non-Interactive Zero Knowledge) proofs, where the prover sends outputs only a single message that can be verified by many verifiers. As a drawback, secure NIZKs for non-trivial languages can only exist in the presence of a trusted third party that computes a common reference string and makes it available to both the prover and verifier. When no such party exists, one sometimes relies on non interactive witness indistinguishability (NIWI), a weaker notion of privacy. The study of efficient and secure NIZKs is a crucial part of cryptography that has been thriving recently due to blockchain applications. In the first paper, we construct a new NIZK for the language of common zeros of a finite set of polynomials over a finite field. We demonstrate its usefulness by giving a large number of example applications. Notably, it is possible to go from a high-level language description to the definition of the NIZK almost automatically, lessening the need for dedicated cryptographic expertise. In the second paper, we construct a NIWI using a new compiler. We explore the notion of Knowledge Soundness (a security notion stronger than soundness) of some NIZK constructions. In the third paper, we extended the first paper’s work by constructing a new set (non-)membership NIZK that allows us to prove that an element belongs or does not belong to the given set. Many new constructions have better efficiency compared to already-known constructions.Doktorgradsavhandlin