8 research outputs found

    LNCS

    Generalized Selective Decryption (GSD), introduced by Panjwani [TCC'07], is a game for a symmetric encryption scheme Enc that captures the difficulty of proving adaptive security of certain protocols, most notably the Logical Key Hierarchy (LKH) multicast encryption protocol. In the GSD game there are n keys k_1, ..., k_n, which the adversary may adaptively corrupt (learn); moreover, it can ask for encryptions Enc_{k_i}(k_j) of keys under other keys. The adversary's task is to distinguish keys (which it cannot trivially compute) from random. Proving the hardness of GSD assuming only IND-CPA security of Enc is surprisingly hard. Using "complexity leveraging" loses a factor exponential in n, which makes the proof practically meaningless. We can think of the GSD game as building a graph on n vertices, where we add an edge i → j when the adversary asks for an encryption of k_j under k_i. If restricted to graphs of depth ℓ, Panjwani gave a reduction that loses only a factor exponential in ℓ (not n). To date, this is the only non-trivial result known for GSD. In this paper we give almost-polynomial reductions for large classes of graphs. Most importantly, we prove the security of the GSD game restricted to trees losing only a quasi-polynomial factor n^{3 log n + 5}. Trees are an important special case capturing real-world protocols like the LKH protocol. Our new bound improves upon Panjwani's on some LKH variants proposed in the literature where the underlying tree is not balanced. Our proof builds on ideas from the "nested hybrids" technique recently introduced by Fuchsbauer et al. [Asiacrypt'14] for proving the adaptive security of constrained PRFs.
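
    The GSD game described in the abstract, as an added worked example (this is not code from the paper): a challenger that hands out keys, encryptions Enc_{k_i}(k_j) and real-or-random challenges, records the key graph, and refuses any query that would let the adversary trivially compute a challenged key, i.e. a corrupted key or one reachable from a corrupted key along i → j edges. It also enforces the sink restriction of the usual GSD formulation (challenges only on keys under which nothing has been encrypted), which the abstract does not spell out. The HMAC-SHA256-based encryption, the 32-byte keys, the zero-based key indices, the heap-layout LKH tree and the leave/rekey procedure are all assumptions of the example. The LKH part plays the game on a balanced tree: one user's leaf is corrupted, the path to the root is rekeyed, and the function returns the challenger together with the set of trivially computable keys and the graph depth ℓ, so that the old group key is refused as a challenge while the fresh one is accepted.

```python
import hashlib
import hmac
import os
from collections import deque

KEY_LEN, NONCE_LEN = 32, 16  # GSD plaintexts are keys, so every message is KEY_LEN bytes

def prf(key, nonce):
    # HMAC-SHA256 modelled as a PRF (an assumption of this example); one call yields a KEY_LEN-byte pad
    return hmac.new(key, nonce, hashlib.sha256).digest()

def enc(key, msg):
    # randomised encryption, IND-CPA if prf is a PRF: ct = nonce || (msg XOR prf(key, nonce))
    nonce = os.urandom(NONCE_LEN)
    return nonce + bytes(a ^ b for a, b in zip(msg, prf(key, nonce)))

def trivially_computable(corrupted, edges):
    # corrupted keys plus every key reachable from them along edges i -> j (Enc_{k_i}(k_j) was handed out)
    known, queue = set(corrupted), deque(corrupted)
    while queue:
        i = queue.popleft()
        for a, b in edges:
            if a == i and b not in known:
                known.add(b)
                queue.append(b)
    return known

def graph_depth(n, edges):
    # number of edges on the longest path of the (acyclic) key graph: Panjwani's depth parameter
    succ = {i: [] for i in range(n)}
    for a, b in edges:
        succ[a].append(b)
    def longest(i):
        return max((1 + longest(j) for j in succ[i]), default=0)
    return max(longest(i) for i in range(n))

class GSDChallenger:
    # bit 1 answers challenges with the real key, bit 0 with a random string; a query that would make a
    # challenged key trivially computable raises ValueError (the game's non-triviality condition)
    def __init__(self, n):
        self.n, self.keys = n, [os.urandom(KEY_LEN) for _ in range(n)]
        self.corrupted, self.edges, self.challenged = set(), [], {}
        self.bit = os.urandom(1)[0] & 1

    def _exposed(self, corrupted, edges):
        return set(self.challenged) & trivially_computable(corrupted, edges)

    def corrupt(self, i):
        if self._exposed(self.corrupted | {i}, self.edges):
            raise ValueError("corrupting key %d would expose a challenged key" % i)
        self.corrupted.add(i)
        return self.keys[i]

    def encrypt(self, i, j):
        if i in self.challenged:
            raise ValueError("key %d was challenged and must stay a sink" % i)
        if self._exposed(self.corrupted, self.edges + [(i, j)]):
            raise ValueError("edge %d -> %d would expose a challenged key" % (i, j))
        self.edges.append((i, j))
        return enc(self.keys[i], self.keys[j])

    def challenge(self, j):
        # sink restriction (standard in the GSD literature, not spelled out in the abstract): nothing may be
        # encrypted under a challenged key, since IND-CPA says nothing about a ciphertext leaking key bits
        if any(a == j for a, _ in self.edges):
            raise ValueError("key %d is not a sink" % j)
        if j in trivially_computable(self.corrupted, self.edges):
            raise ValueError("key %d is trivially computable" % j)
        if j not in self.challenged:
            self.challenged[j] = self.keys[j] if self.bit else os.urandom(KEY_LEN)
        return self.challenged[j]

def lkh_tree(num_users):
    # balanced binary LKH tree in heap layout (assumed here; num_users a power of two): node 0 is the group
    # key, the last num_users nodes are user keys, each inner key is sent under its children's keys (edge child -> parent)
    total = 2 * num_users - 1
    return total, [(c, (c - 1) // 2) for c in range(1, total)], list(range(num_users - 1, total))

def lkh_leave_rekey(num_users, leaving_user):
    # GSD played on LKH: build the tree, corrupt one user's leaf, then rekey the path from that leaf to the root
    # (a fresh key per path node, encrypted under the sibling subtree's key and under the fresh key one level down)
    total, edges, leaves = lkh_tree(num_users)
    height = num_users.bit_length() - 1
    chal = GSDChallenger(total + height)  # one fresh key per path node above the leaf
    for i, j in edges:
        chal.encrypt(i, j)
    leaf = leaves[leaving_user]
    chal.corrupt(leaf)
    node, fresh_below, next_id = leaf, None, total
    while node != 0:
        parent, sibling = (node - 1) // 2, (node + 1 if node % 2 else node - 1)
        fresh, next_id = next_id, next_id + 1
        chal.encrypt(sibling, fresh)  # the sibling subtree learns the fresh key
        if fresh_below is not None:
            chal.encrypt(fresh_below, fresh)  # the path below learns it through its own fresh key
        node, fresh_below = parent, fresh
    # fresh_below is the new group key, a sink the adversary cannot reach; key 0, the old group key, is
    # reachable from the corrupted leaf, so the challenger refuses a challenge on it
    return {"challenger": chal, "new_group_key": fresh_below, "old_group_key": 0,
            "computable": trivially_computable(chal.corrupted, chal.edges),
            "depth": graph_depth(chal.n, chal.edges)}
```

    After the rekey the adversary's view contains no ciphertext under a key it can reach, which is exactly the situation the abstract's tree bound covers. For a balanced tree the returned depth is log2 of the number of users; an LKH variant with an unbalanced tree yields a larger depth, which is where a loss exponential in ℓ hurts and the quasi-polynomial tree bound does not.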

    Receiver and Sender Deniable Functional Encryption

    Deniable encryption, first introduced by Canetti et al. (CRYPTO 1997), allows equivocation of encrypted communication. In this work we generalize its study to functional encryption (FE). Our results are summarized as follows: We first put forward and motivate the concept of receiver deniable FE, for which we consider two models. In the first model, as previously considered by O'Neill et al. (CRYPTO 2011) in the case of identity-based encryption, a receiver gets assistance from the master authority to generate a fake secret key. In the second model, there are "normal" and "deniable" secret keys, and a receiver in possession of a deniable secret key can produce a fake but authentic-looking normal key on its own. In the first model, we show a compiler from any FE scheme for the general circuit functionality to an FE scheme having receiver deniability. In addition we show an efficient receiver deniable FE scheme for Boolean formulae from bilinear maps. In the second (multi-distributional) model, we present a specific FE scheme for the general circuit functionality having receiver deniability. To our knowledge, a scheme in the multi-distributional model was not previously known even for the special case of identity-based encryption. Finally, we construct the first sender (non-multi-distributional) deniable FE scheme.

    Encryption Schemes Secure against Chosen-Ciphertext Selective Opening Attacks

    Imagine many small devices send data to a single receiver, encrypted using the receiver's public key. Assume an adversary that has the power to adaptively corrupt a subset of these devices. Given the information obtained from these corruptions, do the ciphertexts from uncorrupted devices remain secure? Recent results suggest that conventional security notions for encryption schemes (like IND-CCA security) do not suffice in this setting. To fill this gap, the notion of security against selective-opening attacks (SOA security) has been introduced. It has been shown that lossy encryption implies SOA security against a passive, i.e., only eavesdropping and corrupting, adversary (SO-CPA). However, the known results on SOA security against an active adversary (SO-CCA) are rather limited. Namely, while there exist feasibility results, the (time and space) complexity of currently known SO-CCA secure schemes depends on the number of devices in the setting above. In this contribution, we devise a new solution to the selective opening problem that does not build on lossy encryption. Instead, we combine techniques from non-committing encryption and hash proof systems with a new technique (dubbed "cross-authentication codes") to glue several ciphertext parts together. The result is a rather practical SO-CCA secure public-key encryption scheme that does not suffer from the efficiency drawbacks of known schemes. Since we build upon hash proof systems, our scheme can be instantiated using standard number-theoretic assumptions such as decisional Diffie-Hellman (DDH), decisional composite residuosity (DCR), and quadratic residuosity (QR). In addition, we construct a conceptually very simple and comparatively efficient SO-CPA secure scheme from (slightly enhanced) trapdoor one-way permutations.
    We stress that our schemes are completely independent of the number of challenge ciphertexts, and we do not make assumptions about the underlying message distribution (beyond being efficiently samplable). In particular, we do not assume efficient conditional re-samplability of the message distribution. Hence, our schemes are secure in arbitrary settings, even if it is not known in advance how many ciphertexts might be considered for corruptions.

    Possibility and Impossibility Results for Encryption and Commitment Secure under Selective Opening

    The existence of encryption and commitment schemes secure under selective opening attack (SOA) has remained open despite considerable interest and attention. We provide the first public key encryption schemes secure against sender corruptions in this setting. The underlying tool is lossy encryption. We then show that no non-interactive or perfectly binding commitment schemes can be proven secure with black-box reductions to standard computational assumptions, but any statistically hiding commitment scheme is secure. Our work thus shows that the situation for encryption schemes is very different from the one for commitment schemes.

    Homomorphic Encryption and Program Analysis in Secrecy (title translated from Korean)

    Thesis (Ph.D.), Seoul National University Graduate School, Department of Mathematical Sciences, 2015. 8. Jung Hee Cheon.

    Abstract (translated from Korean): Homomorphic encryption is a cryptographic technique that lets data be processed while it stays encrypted, by computing on ciphertexts without going through decryption; it is attracting attention as a cryptosystem that can address the security problems arising in the cloud service environments now in wide use. This thesis studies applications of homomorphic encryption together with the development of a new homomorphic encryption algorithm. On the application side, we propose a privacy-preserving set union protocol built on the Naccache-Stern additively homomorphic encryption, and a static analysis of programs in secrecy built on the RLWE-based BGV homomorphic encryption. To support an efficient set union operation, we propose a special encoding function for the participants' set elements and, by applying it, a method that efficiently recovers the roots of polynomials even over a ring that is not a unique factorization domain. On this basis we propose the most efficient constant-round set union protocol to date. For program analysis in secrecy, we present a pointer analysis over homomorphically encrypted programs. Using the type information of program variables, we reduce the number of homomorphic multiplications required from O(m^2 log m) to O(log m), and on this basis propose a program analysis in secrecy that is practical for real use. With it, an analyst can determine from the encrypted program information alone which variables or storage locations each pointer variable may point to during execution.
    Finally, we propose a new cryptographic hardness assumption, the polynomial approximate common divisor problem, and a new homomorphic encryption scheme based on it. The proposed scheme can be viewed as a polynomial version of the scheme of van Dijk et al., and accordingly supports not only data-parallel processing but also arithmetic on large integers. Whereas the fully homomorphic schemes in the van Dijk et al. family rely on the hardness of the subset sum problem in order to realize the division by the secret key, the proposed scheme needs no such assumption because its decryption never divides by secret information.

    Abstract (English): Homomorphic encryption enables computing certain functions on encrypted data without decryption. Many cloud-based services need efficient homomorphic encryption schemes to provide security to the data in cloud computing. In this thesis, we focus on applications of homomorphic encryption for set operations and program analysis, and we suggest a new construction of homomorphic encryption. First, we present a new privacy-preserving set union protocol and a secure points-to analysis method as applications of homomorphic encryption. Our set union protocol is based on the additively homomorphic encryption scheme by Naccache and Stern, whose message space is Z_σ, where σ is a product of small primes. We introduce a special polynomial representation such that if a polynomial is represented in this form, then it factors uniquely in Z_σ[X]. From this representation, we obtain an efficient constant-round set union protocol without an honest-majority assumption. We adopt a somewhat homomorphic encryption scheme to perform static analysis on encrypted programs.
    In our method, a somewhat homomorphic encryption scheme of depth O(log m) is able to evaluate Andersen's pointer analysis with O(log m) homomorphic matrix multiplications for m pointer variables, when the maximal pointer level is bounded. Finally, we propose a somewhat homomorphic encryption scheme over a polynomial ring. The security of the proposed scheme is based on the polynomial approximate common divisor problem, which can be seen as a polynomial analogue of the base problem of the DGHV fully homomorphic encryption scheme and its extensions. Our scheme is conceptually simple and does not require a complicated re-linearization process. For this reason, our scheme is more efficient than RLWE-based homomorphic encryption over the polynomial ring when evaluating low-degree polynomials of large integers. Furthermore, we convert this scheme to a leveled fully homomorphic encryption scheme, and the resulting scheme has features similar to the variant of van Dijk et al.'s scheme by Coron et al. Our scheme, however, does not use the subset sum, which makes its design much simpler.

    Table of contents:
    Abstract
    1 Introduction
    2 Private Set Union Protocol
      2.1 Preliminaries
        2.1.1 Polynomial Representation of a Set
        2.1.2 Reversed Laurent Series
        2.1.3 Additive Homomorphic Encryption
        2.1.4 Root Finding Algorithms
      2.2 New Polynomial Representation of a Set
        2.2.1 New Invertible Polynomial Representation
        2.2.2 The Expected Number of Root Candidates
        2.2.3 The Proper Size of α
      2.3 New Privacy-preserving Set Union Protocols
        2.3.1 Application of Our Polynomial Representation
        2.3.2 Honest-But-Curious Model
        2.3.3 Malicious Model
        2.3.4 Extension to the Multi-set Union Protocol
      2.4 Conclusion
    3 Secure Static Program Analysis
      3.1 Preliminaries
        3.1.1 Homomorphic Encryption
        3.1.2 The BGV-type Cryptosystem
        3.1.3 Security Model
      3.2 A Basic Construction of a Pointer Analysis in Secrecy
        3.2.1 Inclusion-based Pointer Analysis
        3.2.2 The Pointer Analysis in Secrecy
      3.3 Improvement of the Pointer Analysis in Secrecy
        3.3.1 Problems of the Basic Approach
        3.3.2 Overview of Improvement
        3.3.3 Level-by-level Analysis
        3.3.4 Ciphertext Packing
        3.3.5 Randomization of Ciphertexts
      3.4 Experimental Result
      3.5 Discussions
    4 New Fully Homomorphic Encryption
      4.1 Preliminaries
        4.1.1 Lattices
        4.1.2 Chinese Remaindering for Polynomials over Composite Modulus
        4.1.3 Distributions
      4.2 Our Fully Homomorphic Encryption Scheme
        4.2.1 Basic Parameters
        4.2.2 The Somewhat Homomorphic Encryption Scheme
        4.2.3 Leveled Fully Homomorphic Encryption Scheme
      4.3 Security
        4.3.1 The Polynomial ACD Problems
        4.3.2 Security Proof
      4.4 Analysis of the Polynomial ACD Problems
        4.4.1 Distinguishing Attack
        4.4.2 Chen-Nguyen's Attack
        4.4.3 Coppersmith's Attack
        4.4.4 Extension of Cohn-Heninger's Attack
      4.5 Implementation
        4.5.1 Public Key Compression
        4.5.2 Implementation Results
      4.6 Conclusion
    5 Conclusions
    Abstract (in Korean)

    Algebraic Frameworks for Cryptographic Primitives

    A fundamental goal in theoretical cryptography is to identify the conceptually simplest abstractions that generically imply a collection of other cryptographic primitives. For symmetric-key primitives, this goal has been accomplished by showing that one-way functions are necessary and sufficient to realize primitives ranging from symmetric-key encryption to digital signatures. By contrast, for asymmetric primitives, we have no (known) unifying simple abstraction even for a few of its most basic objects. Moreover, even for public-key encryption (PKE) alone, we have no unifying abstraction that all known constructions follow. The fact that almost all known PKE constructions exploit some algebraic structure suggests considering abstractions that have some basic algebraic properties, irrespective of their concrete instantiation. We make progress on the aforementioned fundamental goal by identifying simple and useful cryptographic abstractions and showing that they imply a variety of asymmetric primitives. Our general approach is to augment symmetric abstractions with algebraic structure that turns out to be sufficient for PKE and much more, thus yielding a "bridge" between symmetric and asymmetric primitives. We introduce two algebraic frameworks that capture almost all concrete instantiations of (asymmetric) cryptographic primitives, and we also demonstrate their applicability by showing their cryptographic implications. Therefore, rather than manually building different cryptosystems from a new assumption, one only needs to build one (or more) of our simple structured primitives, and a whole host of cryptosystems immediately follows.

    Ph.D., Computer Science & Engineering, University of Michigan, Horace H. Rackham School of Graduate Studies
    http://deepblue.lib.umich.edu/bitstream/2027.42/166137/1/alamati_1.pd