On the IND-CCA1 Security of FHE Schemes

Fully homomorphic encryption (FHE) is a powerful tool in cryptography that allows one to perform arbitrary computations on encrypted material without having to decrypt it first. There are numerous FHE schemes, all of which are expanded from somewhat homomorphic encryption (SHE) schemes, and some of which are considered viable in practice. However, while these FHE schemes are semantically (IND-CPA) secure, the question of their IND-CCA1 security is much less studied, and we therefore provide an overview of the IND-CCA1 security of all acknowledged FHE schemes in this paper. To give this overview, we grouped the SHE schemes into broad categories based on their similarities and underlying hardness problems. For each category, we show that the SHE schemes are susceptible to either known adaptive key recovery attacks, a natural extension of known attacks, or our proposed attacks. Finally, we discuss the known techniques to achieve IND-CCA1-secure FHE and SHE schemes. We concluded that none of the proposed schemes were IND-CCA1-secure and that the known general constructions all had their shortcomings.publishedVersio

A Practical Adaptive Key Recovery Attack on the LGM (GSW-like) Cryptosystem

Under embargo until: 2022-07-15We present an adaptive key recovery attack on the leveled homomorphic encryption scheme suggested by Li, Galbraith and Ma (Provsec 2016), which itself is a modification of the GSW cryptosystem designed to resist key recovery attacks by using a different linear combination of secret keys for each decryption. We were able to efficiently recover the secret key for a realistic choice of parameters using a statistical attack. In particular, this means that the Li, Galbraith and Ma strategy does not prevent adaptive key recovery attacks.acceptedVersio

Studies on the Security of Selected Advanced Asymmetric Cryptographic Primitives

The main goal of asymmetric cryptography is to provide confidential communication, which allows two parties to communicate securely even in the presence of adversaries. Ever since its invention in the seventies, asymmetric cryptography has been improved and developed further, and a formal security framework has been established around it. This framework includes different security goals, attack models, and security notions. As progress was made in the field, more advanced asymmetric cryptographic primitives were proposed, with other properties in addition to confidentiality. These new primitives also have their own definitions and notions of security. This thesis consists of two parts, where the first relates to the security of fully homomorphic encryption and related primitives. The second part presents a novel cryptographic primitive, and defines what security goals the primitive should achieve. The first part of the thesis consists of Article I, II, and III, which all pertain to the security of homomorphic encryption schemes in one respect or another. Article I demonstrates that a particular fully homomorphic encryption scheme is insecure in the sense that an adversary with access only to the public material can recover the secret key. It is also shown that this insecurity mainly stems from the operations necessary to make the scheme fully homomorphic. Article II presents an adaptive key recovery attack on a leveled homomorphic encryption scheme. The scheme in question claimed to withstand precisely such attacks, and was the only scheme of its kind to do so at the time. This part of the thesis culminates with Article III, which is an overview article on the IND-CCA1 security of all acknowledged homomorphic encryption schemes. The second part of the thesis consists of Article IV, which presents Vetted Encryption (VE), a novel asymmetric cryptographic primitive. The primitive is designed to allow a recipient to vet who may send them messages, by setting up a public filter with a public verification key, and providing each vetted sender with their own encryption key. There are three different variants of VE, based on whether the sender is identifiable to the filter and/or the recipient. Security definitions, general constructions and comparisons to already existing cryptographic primitives are provided for all three variants.Doktorgradsavhandlin

Preventing Adaptive Key Recovery Attacks on the Gentry-Sahai-Waters Leveled Homomorphic Encryption Scheme

A major open problem is to protect leveled homomorphic encryption from adaptive attacks that allow an adversary to learn the private key. The only positive results in this area are by Loftus, May, Smart and Vercauteren. They use a notion of valid ciphertexts and obtain an IND-CCA1 scheme under a strong knowledge assumption, but they also show their scheme is not secure under a natural adaptive attack based on a ciphertext validity oracle . However, due to recent cryptanalysis their scheme is no longer considered secure. The main contribution of this paper is to explore a new approach to achieving this goal, which does not rely on a notion of valid ciphertexts . The idea is to generate a one-time private key every time the decryption algorithm is run, so that even if an attacker can learn some bits of the one-time private key from each decryption query, this does not allow them to compute a valid private key. This is the full version of the paper. The short version, which appeared in Provsec 2016, presented a variant of the Gentry-Sahai-Waters (GSW) levelled homomorphic encryption scheme. Damien Stehle pointed out an attack on our variant of this scheme that had not been anticipated in the Provsec paper; we explain the attack in this full version. This version of the paper also contains a new dual version of the GSW scheme. We give an explanation of why the known attacks no longer break the system. It remains an open problem to develop a scheme for which one can prove IND-CCA1 security

Cloud-based homomorphic encryption for privacy-preserving machine learning in clinical decision support

While privacy and security concerns dominate public cloud services, Homomorphic Encryption (HE) is seen as an emerging solution that ensures secure processing of sensitive data via untrusted networks in the public cloud or by third-party cloud vendors. It relies on the fact that some encryption algorithms display the property of homomorphism, which allows them to manipulate data meaningfully while still in encrypted form; although there are major stumbling blocks to overcome before the technology is considered mature for production cloud environments. Such a framework would find particular relevance in Clinical Decision Support (CDS) applications deployed in the public cloud. CDS applications have an important computational and analytical role over confidential healthcare information with the aim of supporting decision-making in clinical practice. Machine Learning (ML) is employed in CDS applications that typically learn and can personalise actions based on individual behaviour. A relatively simple-to-implement, common and consistent framework is sought that can overcome most limitations of Fully Homomorphic Encryption (FHE) in order to offer an expanded and flexible set of HE capabilities. In the absence of a significant breakthrough in FHE efficiency and practical use, it would appear that a solution relying on client interactions is the best known entity for meeting the requirements of private CDS-based computation, so long as security is not significantly compromised. A hybrid solution is introduced, that intersperses limited two-party interactions amongst the main homomorphic computations, allowing exchange of both numerical and logical cryptographic contexts in addition to resolving other major FHE limitations. Interactions involve the use of client-based ciphertext decryptions blinded by data obfuscation techniques, to maintain privacy. This thesis explores the middle ground whereby HE schemes can provide improved and efficient arbitrary computational functionality over a significantly reduced two-party network interaction model involving data obfuscation techniques. This compromise allows for the powerful capabilities of HE to be leveraged, providing a more uniform, flexible and general approach to privacy-preserving system integration, which is suitable for cloud deployment. The proposed platform is uniquely designed to make HE more practical for mainstream clinical application use, equipped with a rich set of capabilities and potentially very complex depth of HE operations. Such a solution would be suitable for the long-term privacy preserving-processing requirements of a cloud-based CDS system, which would typically require complex combinatorial logic, workflow and ML capabilities

Key-Recovery Attacks Against Somewhat Homomorphic Encryption Schemes

In 1978, Rivest, Adleman and Dertouzos introduced the concept of privacy homomorphism and asked whether it is possible to perform arbitrary operations on encrypted ciphertexts. Thirty years later, Gentry gave a positive answer in his seminal paper at STOC 2009, by proposing an ingenious approach to construct fully homomorphic encryption (FHE) schemes. With this approach, one starts with a somewhat homomorphic encryption (SHE) scheme that can perform only limited number of operations on ciphertexts (i.e. it can evaluate only low-degree polynomials). Then, through the so-called bootstrapping step, it is possible to turn this SHE scheme into an FHE scheme. After Gentry's work, many SHE and FHE schemes have been proposed; in total, they can be divided into four categories, according to the hardness assumptions underlying each SHE (and hence, FHE) scheme: hard problems on lattices, the approximate common divisor problem, the (ring) learning with errors problem, and the NTRU encryption scheme. Even though SHE schemes are less powerful than FHE schemes, they can already be used in many useful real-world applications, such as medical and financial applications. It is therefore of primary concern to understand what level of security these SHE schemes provide. By default, all the SHE schemes developed so far offer IND-CPA security - i.e. resistant against a chosen-plaintext attack - but nothing is said about their IND-CCA1 security - i.e. secure against an adversary who is able to perform a non-adaptive chosen-ciphertext attack. Considering such an adversary is in fact a more realistic scenario. Gentry emphasized it as a future work to investigate SHE schemes with IND-CCA1 security, and the task to make some clarity about it was initiated by Loftus, May, Smart and Vercauteren: at SAC 2011 they showed how one family of SHE schemes is not IND-CCA1 secure, opening the doors to an interesting investigation on the IND-CCA1 security of the existing schemes in the other three families of schemes. In this work we therefore continue this line of research and show that most existing somewhat homomorphic encryption schemes are not IND-CCA1 secure. In fact, we show that these schemes suffer from key recovery attacks (stronger than a typical IND-CCA1 attack), which allow an adversary to completely recover the private keys through a number of decryption oracle queries. As a result, this dissertation shows that all known SHE schemes fail to provide IND-CCA1 security. While it is true that IND-CPA security may be enough to construct cryptographic protocols in presence of semi-honest attackers, key recovery attacks will pose serious threats for practical usage of SHE and FHE schemes: if a malicious attacker (or a compromised honest party) submits manipulated ciphertexts and observes the behavior (side channel leakage) of the decryptor, then it may be able to recover all plaintexts in the system. Therefore, it is very desirable to design SHE and FHE with IND-CCA1 security, or at least design them to prevent key recovery attacks. This raises the interesting question whether it is possible or not to develop such IND-CCA1 secure SHE scheme. Up to date, the only positive result in this direction is a SHE scheme proposed by Loftus et al. at SAC 2011 (in fact, a modification of an existing SHE scheme and IND-CCA1 insecure). However, this IND-CCA1 secure SHE scheme makes use of a non standard knowledge assumption, while it would be more interesting to only rely on standard assumptions. We propose then a variant of the SHE scheme proposed by Lopez-Alt, Tromer, and Vaikuntanathan at STOC 2012, which offers good indicators about its possible IND-CCA1 security