1,336 research outputs found

    Lattice-Based proof of a shuffle

    In this paper we present the first fully post-quantum proof of a shuffle for RLWE encryption schemes. Shuffles are commonly used to construct mixing networks (mix-nets), a key element in ensuring anonymity in many applications such as electronic voting systems. They should preserve anonymity even against an attacker equipped with a quantum computer, in order to guarantee long-term privacy. The proof presented in this paper is built over RLWE commitments, which are perfectly binding and computationally hiding under the RLWE assumption, thus achieving security in a post-quantum scenario. Furthermore, we provide a new definition of a secure mixing node (mix-node) and prove that our construction satisfies this definition.
    Peer Reviewed. Postprint (author's final draft

    Naor-Yung paradigm with shared randomness and applications

    The Naor-Yung paradigm (Naor and Yung, STOC'90) allows one to generically boost security under chosen-plaintext attacks (CPA) to security against chosen-ciphertext attacks (CCA) for public-key encryption (PKE) schemes. The main idea is to encrypt the plaintext twice (under independent public keys) and to append a non-interactive zero-knowledge (NIZK) proof that the two ciphertexts indeed encrypt the same message. Later work by Camenisch, Chandran, and Shoup (Eurocrypt'09) and Naor and Segev (Crypto'09 and SIAM J. Comput.'12) established that the very same techniques can also be used in the settings of key-dependent message (KDM) and key-leakage attacks (respectively). In this paper we study the conditions under which the two ciphertexts in the Naor-Yung construction can share the same random coins. We find that this is possible, provided that the underlying PKE scheme meets an additional simple property. The motivation for re-using the same random coins is that this allows one to design much more efficient NIZK proofs. We showcase such an improvement in the random oracle model, under standard complexity assumptions including Decisional Diffie-Hellman, Quadratic Residuosity, and Subset Sum. The length of the resulting ciphertexts is reduced by 50%, yielding truly efficient PKE schemes achieving CCA security under KDM and key-leakage attacks. As an additional contribution, we design the first PKE scheme whose CPA security under KDM attacks can be directly reduced to (low-density instances of) the Subset Sum assumption. The scheme supports key-dependent messages computed via any affine function of the secret ke

    Secure k-Nearest Neighbor Query over Encrypted Data in Outsourced Environments

    For the past decade, query processing on relational data has been studied extensively, and many theoretical and practical solutions to query processing have been proposed under various scenarios. With the recent popularity of cloud computing, users now have the opportunity to outsource their data as well as the data management tasks to the cloud. However, due to the rise of various privacy issues, sensitive data (e.g., medical records) need to be encrypted before being outsourced to the cloud. In addition, query processing tasks should be handled by the cloud; otherwise, there would be no point in outsourcing the data in the first place. Processing queries over encrypted data without the cloud ever decrypting the data is a very challenging task. In this paper, we focus on solving the k-nearest neighbor (kNN) query problem over an encrypted database outsourced to a cloud: a user issues an encrypted query record to the cloud, and the cloud returns the k closest records to the user. We first present a basic scheme and demonstrate that such a naive solution is not secure. To provide better security, we propose a secure kNN protocol that protects the confidentiality of the data, the user's input query, and the data access patterns. We also empirically analyze the efficiency of our protocols through various experiments. These results indicate that our secure protocol is very efficient on the user end, and this lightweight scheme allows a user to use any mobile device to perform the kNN query.
    Comment: 23 pages, 8 figures, and 4 table

    General Impossibility of Group Homomorphic Encryption in the Quantum World

    Group homomorphic encryption represents one of the most important building blocks in modern cryptography. It forms the basis of widely used, more sophisticated primitives, such as CCA2-secure encryption or secure multiparty computation. Unfortunately, recent advances in quantum computation show that many of the existing schemes completely break down once quantum computers reach maturity (mainly due to Shor's algorithm). This leads to the challenge of constructing quantum-resistant group homomorphic cryptosystems. In this work, we prove the general impossibility of (abelian) group homomorphic encryption in the presence of quantum adversaries, when assuming the IND-CPA security notion as the minimal security requirement. To this end, we prove a new result on the probability of sampling generating sets of finite (sub-)groups when sampling is done with respect to an arbitrary, unknown distribution. Finally, we provide a sufficient condition on homomorphic encryption schemes for our quantum attack to work and discuss its satisfiability in non-group homomorphic cases. The impact of our results on recent fully homomorphic encryption schemes remains an open question.
    Comment: 20 pages, 2 figures, conferenc

    A spin glass model for reconstructing nonlinearly encrypted signals corrupted by noise

    An encryption of a signal $\mathbf{s}\in\mathbb{R}^N$ is a random mapping $\mathbf{s}\mapsto \mathbf{y}=(y_1,\ldots,y_M)^T\in \mathbb{R}^M$ which can be corrupted by an additive noise. Given the Encryption Redundancy Parameter (ERP) $\mu=M/N\ge 1$, the signal strength parameter $R=\sqrt{\sum_i s_i^2/N}$, and the ('bare') noise-to-signal ratio (NSR) $\gamma\ge 0$, we consider the problem of reconstructing $\mathbf{s}$ from its corrupted image by a Least Square Scheme for a certain class of random Gaussian mappings. The problem is equivalent to finding the configuration of minimal energy in a certain version of the spherical spin glass model, with squared Gaussian-distributed random potential. We use the Parisi replica symmetry breaking scheme to evaluate the mean overlap $p_{\infty}\in [0,1]$ between the original signal and its recovered image (known as the 'estimator') as $N\to \infty$, which is a measure of the quality of the signal reconstruction. We explicitly analyze the general case of the linear-quadratic family of random mappings and discuss the full $p_{\infty}(\gamma)$ curve. When nonlinearity exceeds a certain threshold but redundancy is not yet too big, the replica symmetric solution is necessarily broken in some interval of NSR. We show that encryptions with a nonvanishing linear component permit reconstructions with $p_{\infty}>0$ for any $\mu>1$ and any $\gamma<\infty$, with $p_{\infty}\sim \gamma^{-1/2}$ as $\gamma\to \infty$. In contrast, for the case of purely quadratic nonlinearity, for any ERP $\mu>1$ there exists a threshold NSR value $\gamma_c(\mu)$ such that $p_{\infty}=0$ for $\gamma>\gamma_c(\mu)$, making the reconstruction impossible. The behaviour close to the threshold is given by $p_{\infty}\sim (\gamma_c-\gamma)^{3/4}$ and is controlled by the replica symmetry breaking mechanism.
    Comment: 33 pages, 5 figure