Department of Computer Science and Engineering National Sun Yat-sen University Master Thesis. Applications of Homomorphic Encryption.

Transcription

1 國立中山大學資訊工程學系 碩士論文 Department of Computer Science and Engineering National Sun Yat-sen University Master Thesis 同態加密系統之應用 Applications of Homomorphic Encryption 研究生 蔡誠祐 Chen-Yu Tsai 指導教授 官大智 博士 D. J. Guan 中華民國102年6月 June 2013

2 c 中華民國102年6月 蔡誠祐 All Rights Reserved

3

4 學年度 101 學期 2 校院 國立中山大學 系所 資訊工程學系 論文名稱(中) 同態加密系統之應用 論文名稱(英) Applications of Homomorphic Encryption 學位類別 碩士 語文別 英文 學號 M 提要開放使用 是 頁數 43 研究生(中) 姓 蔡 研究生(中) 名 誠祐 研究生(英) 姓 Tsai 研究生(英) 名 Chen-Yu 指導教授(中) 姓名 官大智 指導教授(英) 姓名 D. J. Guan 關鍵字(中) 同態加密 對稱式加密 非對稱式加密 選擇明文攻擊法 偵測零 關鍵字(英) homomorphic encryption, symmetric encryption scheme, asymmetric encryption scheme, IND-CPA, detect zero ii

5 Acknowledgments 碩士生涯即將進入尾聲 兩年時光轉眼即逝 能夠順利畢業 首先要感謝官大智老師 在兩年之中的教導及鼓勵 兩年的指導中 教給我的東西不僅僅是課業及研究上的知 識 在做事態度方面也教會我許多事情 此外 也要特別感謝范俊逸老師 除了傳授 密碼學相關的知識以外 也讓我學習到其他資安領域的知識 讓我在這兩年對於資訊 安全有全方面的了解 謝謝元俊學長在事務上的幫忙 讓我能夠勝任實驗室內大小事 情 謝謝額碩學長和明佑學長在研究上的幫忙 讓我在研究上突破盲點 才有現在的 成果 謝謝昱誌學長 在我心情沮喪的時候鼓勵我 讓我振作起來 謝謝其他同學們 的鼓勵與陪伴 一起度過這兩年的研究時光 最後謝謝我的家人照顧我的生活起居 讓我可以專注於學業 若缺少了以上任何一位 就不會有現在的我 再次萬分感謝 蔡誠祐 June 20, 2013 iii

6 摘要 首先 本文給予一個證明 若有一非對稱式同態加密系統可以無限制地偵測其 密文是否為零 判斷兩個密文是否相等 判斷兩個密文的大小關係 以及偵測被運算 後的密文是否已經溢位 則此系統必定是不安全的 從證明中我們可以得知 若偵測 密文是否為零只需要做極少次數 則系統仍然是安全的 因此本文分析在不同環境下 偵測密文是否為零的方法 接著給予一個可以偵測密文是否為零的方法 本文接著出一個對稱式同態加密系統 此系統是基於一個新的難題 基於這個 難題 這個同態加密系統有兩把秘密金鑰 由於有兩把金鑰 我們可以把其中一把金 鑰交給其他人 如此一來在解密的時候 我們可以先解掉部分的密文 而另一個人再 把密文解完 本文也將此對稱式同態加密系統轉換成為非對稱式同態加密系統 最 後 若限制偵測零的次數 本文基於上述之對稱式同態加密系統實作本文提出偵測密 文是否為零的方法 提出另一個可偵測密文是否為零的對稱式同態加密系統 關 鍵 詞 同態加密 對稱式加密 非對稱式加密 選擇明文攻擊法 偵測零 iv

7 Abstract First, we prove that if an asymmetric homomorphic encryption (homomorphic on addoperation) which can detect zero, detect equality, compare the value or detect overflow without any restrictions, then the scheme is not IND-CPA. Form the proof, we can know that if we just want to detect zero few times, then the scheme is still secure. Hence, we analyze the methods of detecting zero in different situations, and give an idea of detecting zero. We then propose a symmetric homomorphic encryption based on the new version of ring-lwe. Based on this version of ring-lwe, our symmetric homomorphic encryption has two secret keys. Because the homomorphic encryption has two secret keys, one can partially decrypt the ciphertext, and send this ciphertext to another one to complete the decryption. We also transform this symmetric homomorphic encryption to asymmetric homomorphic encryption. Finally, we modify this symmetric homomorphic encryption to implement our idea of detecting zero. Hence, if we restrict the times of detecting zero, then we propose another symmetric homomorphic encryption which can detect zero. Keyword: homomorphic encryption, symmetric encryption scheme, asymmetric encryption scheme, IND-CPA, detect zero v

8 Contents Acknowledgments iii 摘要 iv Abstract v Chapter 1 Introduction Motivation and Contribution Related Work Chapter 2 Preliminary Background of Algebra Indistinguishability Learn with Error Definition of Security Chapter 3 Properties of Homomorphic Encryption Security of Specific Functions by Using Homomorphic Encryption Analysis of detecting zero Chapter 4 Homomorphic Encryption Based on Ring-LWE Brakerski and Vinod Vaikuntanathan s Symmetric Homomorphic Encryption Brakerski and Vinod Vaikuntanathan s Asymmetric Homomorphic Encryption Proposed Symmetric Homomorphic Encryption Proposed Asymmetric Homomorphic Encryption Detect Zero By Using Homomorphic Encryption vi

9 4.6 Encode Messages to Polynomial Ring Chapter 5 Conclusion and Future Works 39 Bibliography 41 vii

10 Chapter 1 Introduction 1.1 Motivation and Contribution In recent years, cloud computing become more and more popular. We hope we can upload our data to cloud, and cloud can help us compute the data with the functions we want. At the same time, we also hope that cloud does not know what we upload and what we compute. These two things seem to be a contradiction. How can cloud compute something it cannot know? Homomorphic encryption can meet our needs. Homomorphic encryption is the encryption that has the property of homomorphism; that is, Enc(m1 ) Enc(m2 ) = Enc(m1 + m2 ). We can compute some operations to ciphertext, and the result is equal to we compute some operations to plaintext. Furthermore, fully homomorphic encryption can homomorpically compute every operation we want. However, the results that homomorphic encryption compute on ciphertexts are still ciphertexts. We cannot know the state of the ciphertexts. For example, we cannot know whether the evaluated ciphertexts are overflow or not. Hence, the first problem we are interested in is to construct a homomorphic encryption that can know the state of the ciphertext. The second problem is that if we just want to implement a simple function, fully homomorphic encryption seems to be too powerful. We hope to construct a simple homomorphic encryption which can implement a simple function. For the first problem, we prove that an asymmetric homomorphic encryption (which is homomorphic on add-operation) cannot reach to indistinguishability under chosen-plaintext attack (IND-CPA) if it can detect zero, detect equality, compare two values, or detect overflow/underflow without any restrictions. Detecting zero means we can know whether the value 1

11 of the ciphertext is zero or not. Detecting equality means we can know whether the values of two ciphertexts are equal or not. Comparing two values means we can compare the values of two ciphertexts. Detecting overflow/undeflow means we can know whether the evaluated ciphertext is overflow/underflow or not. Although detect zero is not IND-CPA, the cost of breaking the scheme by detecting zero is 2λ 1, where λ is the secure parameter. Hence, if we add a restriction that detecting zero cannot be performed many times, then the scheme which can detect zero is still secure. Then we analyze some method of detecting zero. We first define that the key-owner is the person who has the secret keys of the homomorphic encryption and the detectors are the people who want to detect zero. The intuitive way to detect zero is that the key-owner decrypts the ciphertext and announces the result. However, if we just want someone to know the result, then key-owner has to perform encryption again. For this reason, we propose a symmetric homomorphic encryption which has two secret keys. Based on these two secret keys, key-owner can partially decrypt the ciphertext. After partially decrypting the ciphertext, key-owner randomizes the ciphertext so that the value of the ciphertext is converted to the result of detecting zero. Then detectors can decrypt the converted ciphertext and know the result. Hence, key-owner need not performed the encryption again. The proposed symmetric homomorphic encryption is based on the new version of ringlearn with error (ring-lwe). We prove that the scale-type ring-lwe [1] can be reduced to this new version of ring-lwe. Because the structure of ring-lwe is feasible, we also modify this version of ring-lwe to construct an asymmetric homomorphic encryption. Therefore, the proposed asymmetric homomorphic encryption also has two secret keys to decrypt the message. 1.2 Related Work The first encryption that has the property of homomorphism is RSA, which is constructed by R. L. Rivest and A. Shamir and L. Adleman [2]. However, the standard RSA is deterministic so that it cannot reach to IND-CPA, which is the highest security of homomorphic encryption. There is another famous homomorphic encryption, Elgamal, which is constructed by Elgamal and Taher [3]. This encryption is non-deterministic; that is, even if we encrypt the same message two times, the results of these two encryptions are different. Therefore, this encryption can 2

12 reach to IND-CPA. Although RSA and Elgamal are homomorphic on multiplication, the property of homomorphism on multiplication is not easy to use in the practical applications. There is another encryption which is homomorphic on XOR. The encryption is called GoldwasserMicali and constructed by Goldwasser, Shafi and Micali, Silvio [4, 5]. Goldwasser-Micali is also famous and there are many improvement papers later. There is no homomorphic encryption on add-operation until the encryption which is called Paillier [6]. Paillier is constructed by Pascal Paillier and use the complex algebraic structure to construct a homomorphic encryption on add-operation. We denote these homomorphic encryptions on only add-operation or on only multiply-operation partially homomorphic encryption or group homomorphic encryption. Although there are many homomorphic encryption constructed before 2000, the open problem is to construct a homomorphic encryption that satisfies both add-operation and multiplyoperation; that is, the ring homomorphic encryption. In 2005, Dan Boneh, Eu-Jin Goh and Kobbi Nissim [7] constructed a homomorphic encryption which can homomorphically compute add-operation arbitrarily but compute multiply-operation only one time. Their method is to construct a homomorphic encryption based on ecliptic curve. The encryption can homomorphically add two messages by multiplying these two ciphertexts, and homomorphically multiply two message by pairing these two ciphertexts. The applications and improvements of the homomorphic encryptions which we mentioned above can be shown in [8, 9]. So far, there is no one can construct a secure homomorphic encryption which can arbitrarily homomorphically compute add-operation and multiplyoperation. In 2009, Gentry [10, 11] gave a method to construct a fully homomorphic encryption; that is, a homomorphic encryption which can arbitrarily homomorphically compute addoperation and multiply-operation. His method is to construct a somewhat homomorphic encryption which allows arbitrary add-operation, but restricts multiply-operation finite times. If this somewhat homomorphic encryption is bootstrappable; that is, this somewhat homomorphic encryption can homomorphically compute the circuit of decryption, then Gentry gave a theorem: there must be a transformation that can transform the original somewhat homomorphic encryption to fully homomorphic encryption. Although Gentry gave a method to construct a fully homomorphic encryption, the encryption scheme is still not efficient. There are more and more methods [12, 13, 14, 15, 3

13 16] constructed in recent years, and one of these encryption schemes is Zvika Brakerski and Vinod Vaikuntanathan s encryption scheme [17, 1]. Their encryption scheme is based on the assumption called learn with error (LWE). Their method is the same as Gentry. They also constructed a bootstappable somewhat homomorphic encryption, and transform the encryption to fully homomorphic encryption. However, their encryption is much more efficient than Gentry, and their efficiency can be shown in [18]. Someone also implemented their method by using java s API called JLBC(Java Lattice Based Cryptography). The assumption of LWE can be reduced to the shortest vector problem (SVP) or shortest independent vector problem (SIVP), hence LWE is robust [19]. The first LWE are constructed by Oded Regev [20], and there are some other versions in the following years. The efficient version is ring-lwe, which also can be reduced to SVP. In addition, the homomorphic encryption scheme based on the assumption of ring-lwe is key dependent message-secure (KDM-secure) if the parameters are chosen correctly. In detail, even if the attackers can access the encryption of the secret keys, they still cannot break the encryption scheme. 4

14 Chapter 2 Preliminary In these section, we first introduce some basic backgrounds of algebra (especially for ring and polynomial ring) and the background of indistinguishability. We recommend those who are advanced reader to glimpse these contents. We then introduce the assumption of learn with error (LWE) in detail, and show variant versions of LWE. Finally, we introduce the definition of security in the area of cryptography; that is, indistinguishability under chosen-plaintext attack (IND-CPA), indistinguishability under chosen ciphertext attack (IND-CCA1) and indistinguishability under adaptive chosen ciphertext attack (IND-CCA2). 2.1 Background of Algebra (G, ) is said to be a group if the set G with an operation has four properties: 1. The operation is closure. 2. The operation is associative. 3. The set G has identity element. 4. The elements of the set G have the inverse elements. For example, the set (Z, +), a set of all integers with add-operation, is a group. Also, the set (Zp, +), a set of integers modular a prime p with add-operation, is a group. We call the groups with add-operation additive groups. 5

15 The set (Z, ), a set of all integers with multiply-operation, is not a group since there are some elements that have no inverse elements. However, if p is a prime, and we denote the set Z p = Zp {0}, then (Z p, ) is still a group with multiply-operation. We also note that every element in Z p is prime to p; that is, gcd(x, p) = 1 for every x Z p. We call the groups with multiply-operation multiplicative groups. In mathematics, if a set is with a symbol *, then the set is with multiply-operation, and if a set is without *, then the set is with add-operation. Hence, we denote additive groups as Z, Zp and multiplicative group as Z p without writing the operations. In addition, a group is said to be abelian group if the operation is commutative. For example, Z, Zp and Z p are abelian groups. (R,, ) is said to be a ring if the set R with operations and has three properties: 1. (R, ) is abelian group. 2. The operation is associative. 3. The operation is distributive over the operation. For example, one can easily prove that (Z, +, ) and (Zp, +, ) are rings. Similarly, in mathematics, we often say that Z and Zp are rings without writing the operations. In addition, a ring is said to be commutative ring if the operation is commutative. For example, both Z and Zp are commutative rings. (F,, ) is said to be a field if the set F with an operation and has three properties: 1. (F, ) is abelian group. 2. (F, ) is abelian group. 3. The operation is distributive over the operation. For example, (Zp, +, ) is a field if p is prime. We note that if p is not a prime, then Zp is a ring, but it is not a field. However, if p is prime, then Zp is both ring and field. The symbol F [x] is the set of all polynomials whose coefficients are in the field F with one variable x. We call F [x] the polynomial ring over the field F. Note that one can easily prove that F [x] is a commutative ring. We ignore the theoretical concept and place an emphasis 6

16 on the operations of the F [x]. The add-operation is X ai xi + i=0 X bi x i = i=0 X (ai + bi ) xi i=0 and the multiply-operation is X ai x i i=0 X bi x i = j=0 X (ai bj ) xi+j i,j For example, R[x] is a polynomial ring over the real number R, and Zp [x] is a polynomial ring over Zp. However. Z[x] is not a polynomial ring since Z is not a field. We denote a quotient ring by F [x]/f (x) where f (x) is a irreducible polynomial in F [x]. Similarly, we ignore the theoretical concept and place an emphasis on the operations of the F [x]/f (x). The operations are almost the same as F [x], but the results have to modular f (x). n For example, given a quotient ring Rq = Zq [x]/f (x) where q is a prime and f (x) = x2 1, then for all polynomial p1 (x) and p2 (x) in Rq p1 (x) + p2 (x) = p1 (x) + p2 (x) (mod f (x)) p1 (x) p2 (x) = p1 (x) p2 (x) (mod f (x)) In this paper, we use Rq heavily since in this paper, Rq is the important parameter of ring-lwe. Finally, we define χ is a probability distribution over a finite set Ω. Then, x χ means that x is sampled from the distribution χ and x Ω means that x is sampled uniformly from the set Ω. 2.2 Indistinguishability There are two kinds of indistinguishability: statical indistinguishability and computational indistinguishability. The first one means that if there are two probability distributions D1 and D2 which are almost identical, then they are hard to distinguish. In detail, If the statical distance between D1 and D2 is negligible, then there is no one can easily distinguish D1 from D2. The second one means that if there is an algorithm A, then the output of A(D1 ) and the output of A(D2 ) are hard to distinguish. We give a formal definition as follow. 7

17 b b Given a expression E(n), E(n) negl(n) means that for a polynomial p and a large 1 b. number n, E(n) p(n) Given two probability distributions D1 and D2 over a finite set Ω, the statical distance between D1 and D2 is defined as b. b Pr(X) (D1, D2 ) = max Pr(X) D1 b X Ω D2 There is also a useful equation that can easily compute the statical distance between D1 and D2. (D1, D2 ) = 1X Pr(x) Pr(x). D2 2 x Ω D1 If D1 and D2 are identical (D1 and D2 are the same probability distribution), then the statical distance between D1 and D2 is zero. Also, if the statical distance between D1 and D2 are negligible, then D1 and D2 are almost identical. We called D1 and D2 are statical s indistinguishable if the statical distance between D1 and D2 are negligible, denoted D1 D2. s If (D1, D2 ) = negl(n), then D1 D2. Given an algorithm A, two distribution D1 and D2, we define A s distinguishing advantage between D1 and D2 as AdvD1,D2 (A) = Pr[A(D1 ) = 1] Pr[A(D2 ) = 1]. The output 1 means the special output. If AdvD1,D2 (A) is negligible, then we call D1 and D2 are computational indistinguishc able, denoted by D1 D2. c If AdvD1,D2 (A) = negl(n), then D1 D Learn with Error In this section, we introduce variant types of learning with error. First we give a concept of learning with error. Given a equation AX = B where A is n by n matrix, X and B are both n by 1 matrixes. It can be solve easily by using Gaussian elimination. However, if the given equation is AX = B + E where E is the error vector whose elements are 1 or 1. Then it is 8

18 impossible to get the solution of AX = B since we only know the value of B + E and do not know the value of B. Based on this hard problem, Regev [20] proved that learn with error assumption can be reduced (quantumly) to the worst-case of the lattice problems called shortest vector problem (SVP) and shortest independent vector problem (SIVP). Later, Lyubashevsky, Peikert and Regev [21] showed another type of LWE called ring-lwe. They also proved that ring-lwe can be reduced (quantumly) to the SVP problem. First we define some parameters for the standard version of LWE. Let p 2 be some integers, χ : Zp R+ be some probability distribution on Zp, n be a integer and s Znp be a vector. Definition 1. The search version of LWE is that given (a, ha, si + e) one have to output s, where a is chosen uniformly from Znp, e is sampled from χ, and ha, si is the inner product of a and s. Definition 2. The decision version of LWE is : A = {(a, ha, si + e)} and B = {(a, u)} Randomly given (x, y), one have to show that (x, y) is from A or from B, where a and u are chosen uniformly from Znp, e is sampled from χ, and ha, si is the inner product of a and s. Regev [20] has proved that these two versions of LWE are equivalent. We note that the search version of LWE can be used in cryptosystem as s is a secret key. In addition, the decision version of LWE shows that (ha, si + e) is pseudo-random. Hence, if the message add this pseudo-random value, then the ciphertext is secure based on this version of LWE. Let n = 2k where k is a integer, q 1 (mod 2n), Rq = Zq [x]/(xn + 1), χ : Rq R+ be some probability distribution on Rq, and s is sampled from Rq. Definition 3. The search version of ring-lwe is that given (a, a s + e) one have to output s, where a is chosen uniformly from Rq, and e is sampled from χ. 9

19 Definition 4. The decision version of ring-lwe is : A = {(a, a s + e)} and B = {(a, u)} Randomly given (x, y), one have to show that (x, y) is from A or from B, where a and u are chosen uniformly from Rq, and e is sampled from χ. Definition 5. The scale-type search version of ring-lwe is that given (a, a s + te) one have to output s, where a is chosen uniformly from Rq, e is sampled from χ, and t is in Zq. Definition 6. The scale-type decision version of ring-lwe is : A = {(a, a s + te)} and B = {(a, u)} Randomly given (x, y), one have to show that (x, y) is from A or from B, where a and u are chosen uniformly from Rq, e is sampled from χ, and t is in Zq. In this paper, the proposed search (decision) version of ring-lwe can be reduced to the scale-type search (decision) version of ring-lwe, and the details are shown in section Definition of Security There are many definitions of security in the area of cryptography. The most common definitions that we use in the asymmetric scheme are indistinguishability under chosen plaintext attack(ind-cpa) and indistinguishability under chosen ciphertext attack (IND-CCA). We first show the concepts of IND-CPA and IND-CCA, and then give the precise definitions as follow. We can think both IND-CPA and IND-CCA as the games. In both games, we allow the adversary to learn something about the scheme. In the games of IND-CPA, we assume that the adversary have no ability to access any oracle except the encryption oracle. This is very intuitive because any one can encrypt the plaintexts in any asymmetric scheme. However, in the games of IND-CCA, the adversary can access the decryption oracle to learn more about the scheme. After learning the scheme, adversary have to choose two messages, and challenger will encrypt one of them. The adversary win the game if he/she can show the correct message which challenger encrypted. 10

20 Definition 7. Given an asymmetric encryption scheme S = (G, E, D), where G,E and D are the algorithm of key generation, encryption and decryption. IND-CPA can be defined by the game between the challenger and the adversary in the following steps : 1. The challenger uses G to generate the public key Kpk and private key Ksk. 2. The adversary can encrypt any messages he/she wants and gain any information of S he/she needs. 3. The adversary chooses two messages M0,M1 to the challenger. 4. The challenger randomly chooses x {0, 1} and encrypts Mx to the adversary. 5. The adversary outputs y. If y is equal to x, then the adversary wins the game. Therefore, we say that S is IND-CPA if adversary has no advantage to win the game; that is, the probability of the adversary winning the game is 21. Note that in the asymmetric scheme, everyone can encrypt the message and the environment of the game in IND-CPA is almost the same as every asymmetric scheme. Therefore, we have to ensure that any asymmetric scheme constructed is IND-CPA since IND-CPA is the lowest level of the security. However, in the real world, sometimes IND-CPA is not secure enough to the applications. Hence, we need an stronger definition of security : IND-CCA. As mentioned above, the adversary can access decryption oracle to learn more about the scheme in IND-CCA. The key point is that if adversary can access the decryption oracle only before choosing two messages, the adversary have less advantage to win the game. If the adversary can access the decryption oracle after choosing two messages, then the intuitive way to win the game is to decrypt the ciphertext which challenger encrypted. In this situation, we have to add one more restriction to avoid this way. The restriction is that adversary can not access the decryption oracle to decrypt the ciphertext challenger encrypted. Even though in the latter case, we give one more restriction, the adversary can still have more advantage than the former case. The concept is like whether we can open book to find the answer in the test or not. Therefore, in the IND-CCA, there are two version of definition : indistinguishability under non-adaptive chosen ciphertext attack (IND-CCA1) and indistinguishability under adaptive 11

21 chosen ciphertext attack (IND-CCA2). The different is that in the IND-CCA1, adversary can not access the decryption oracle after choosing two messages but in the IND-CCA2, adversary can still access the decryption oracle after choosing two messages. Definition 8. Given an asymmetric encryption scheme S = (G, E, D), where G,E and D are the algorithm of key generation, encryption and decryption. IND-CCA1 can be defined by the game between the challenger and the adversary in the following steps : 1. The challenger uses G to generate the public key Kpk and private key Ksk. 2. The adversary can encrypt any messages, decrypt any ciphertexts he/she wants and gain any information of S he/she needs. 3. The adversary chooses two messages M0,M1 to the challenger. 4. After the third step, adversary can not access the decryption oracle. 5. The challenger randomly chooses x {0, 1} and encrypts Mx to the adversary. 6. The adversary outputs y. If y is equal to x, then the adversary wins the game. Therefore, we say that S is IND-CCA1 if adversary has no advantage to win the game; that is, the probability of the adversary winning the game is 21. Definition 9. Given an asymmetric encryption scheme S = (G, E, D), where G,E and D are the algorithm of key generation, encryption and decryption. IND-CCA2 can be defined by the game between the challenger and the adversary in the following steps : 1. The challenger uses G to generate the public key Kpk and private key Ksk. 2. The adversary can encrypt any messages, decrypt any ciphertexts he/she wants and gain any information of S he/she needs. 3. The adversary chooses two messages M0,M1 to the challenger. 4. After the third step, adversary can still access the decryption oracle and learn more about S. 12

22 5. The challenger randomly chooses x {0, 1} and encrypts Mx to the adversary. 6. The adversary outputs y. Note that in the games of IND-CCCA2, the adversary cannot decrypt the ciphertext which challenger encrypted. If y is equal to x, then the adversary wins the game. Therefore, we say that S is IND-CCA2 if adversary has no advantage to win the game; that is, the probability of the adversary winning the game is

23 Chapter 3 Properties of Homomorphic Encryption Although homomorphic encryption can compute some functions on ciphertexts, the interesting problem is that how do we know the state of the ciphertexts? For example, how do we know the real data (the plaintexts) are overflow when they are evaluated by homomorphic encryption? Even if we use fully homomorphic encryption to implement a function that can know the state of ciphertexts, the result is still encrypted, so we still cannot know the state (if we do not want to decrypt the ciphertext). On the cloud computing, sometimes we have to let cloud know the state of ciphertexts. For instance, we hope cloud to stop computing if the data is overflow. In this section, we first prove that if an asymmetric homomorphic encryption (homomorphic on add-operation) which can detect zero, detect equality, compare two values and detect overflow without any restrictions, then the asymmetric homomorphic encryption is not secure. Detecting zero means that detecting whether the value of ciphertexts are zero or not. Detect equality means that detecting whether the values of two ciphertexts are the same or not. Comparing two values means that comparing the values of two ciphertexts. Detecting overflow means that detecting whether the evaluated ciphertexts are overflow or not. From the proof, we can know that if we just want to detect zero few times, then the scheme is still secure. Hence, we then analyze the methods of detecting zero in different situations and give an idea of detecting zero. 14

24 3.1 Security of Specific Functions by Using Homomorphic Encryption Given an asymmetric homomorphic encryption scheme S (homomorphic on add-operation), we first prove that if S can detect zero, but it may not restrict the times of detecting zero, then the scheme is not IND-CPA. The key-point is that the function of detecting zero with the property of homomorphism can leak too much information. Theorem 1. Given the asymmetric homomorphic encryption scheme S = (G, E, D) (homomorphic on add-operation) where G is key generation, E is encryption, D is decryption, if S has another function that can detect zero, then the scheme is not IND-CPA. Proof. We play an IND-CPA game to prove the theorem as follow: 1. The challenger first uses G to generate the public key, private key, and parameters. 2. The adversary can access the encryption oracle to learn about S. 3. After learning, the adversary chooses m1, m2 and gives them to the challenger. 4. The challenger randomly chooses x {0, 1}, encrypts mx and gives the ciphertext E(mx ) to the adversary. 5. The adversary partitions m1 into h1 and h2, and accesses encryption oracle to gain E(h1 ) and E(h2 ). 6. The adversary computes E(h1 ) + E(h2 ) E(mx ) and detects whether the result is zero or not. If E(h1 ) + E(h2 ) E(mx ) is zero, then the adversary knows that h1 + h2 is equal to mx, so the adversary outputs x to be one and wins the game. Since there is a method that the adversary can win the game with high probability, so the scheme is not IND-CPA. Now we know that detecting zero on homomorphic encryption is not secure, then we can also know that detecting equality is not secure. It is very intuitive since we can substract one ciphertext from another ciphertext and detect the result is zero or not, then we can know that these two ciphertexts are equal or not. 15

25 Theorem 2. Given the asymmetric homomorphic encryption scheme S = (G, E, D) (homomorphic on add-operation) where G is key generation, E is encryption, D is decryption, if S has another function that can detect equality, then the scheme is not IND-CPA. Proof. We play an IND-CPA game to prove the theorem as follow: 1. The challenger first uses G to generate the public key, private key, and parameters. 2. The adversary can access the encryption oracle to learn about S. 3. After learning, the adversary chooses m1, m2 and gives them to the challenger. 4. The challenger randomly chooses x {0, 1}, encrypts mx and gives the ciphertext E(mx ) to the adversary. 5. The adversary partitions m1 into h1 and h2, and accesses encryption oracle to gain E(h1 ) and E(h2 ). 6. The adversary detects whether E(h1 ) + E(h2 ) and E(mx ) are the same or not. If E(h1 ) + E(h2 ) is equal to E(mx ), then the adversary knows that h1 + h2 is equal to mx, so the adversary outputs x to be one and wins the game. Since there is a method that the adversary can win the game with high probability, so the scheme is not IND-CPA. These two proofs (detect zero and detect equality) are very similar. In fact, based on these two proofs, we can know that if the adversary wants to break the scheme S, then the method is using exhaustive search to search the value of the ciphertexts. In detail, given a secure parameter λ, then the space of the plaintexts in a encryption is 2λ. If the encryption scheme has the function of detecting zero or detecting equality, then the adversary can break the encryption by using exhaustive search, and the cost is 2λ 1. Hence, if we restrict the times of detecting zero, then the adversary cannot gather enough information to break the scheme. After we know that detecting equality is not secure, we prove that comparing two values is not secure since we can search the value of ciphertexts by using binary search which is based on the comparing values. Theorem 3. Given the asymmetric homomorphic encryption scheme S = (G, E, D) (homomorphic on add-operation) where G is key generation, E is encryption, D is decryption, if S has another function that can compare two values, then the scheme is not IND-CPA. 16

26 Proof. We play an IND-CPA game to prove the theorem as follow: 1. The challenger first uses G to generate the public key, private key, and parameters. 2. The adversary can access the encryption oracle to learn about S. 3. After learning, the adversary chooses m1, m2 and gives them to the challenger. 4. The challenger randomly chooses x {0, 1}, encrypts mx and gives the ciphertext E(mx ) to the adversary. 5. The adversary partitions m1 into h1 and h2, and accesses encryption oracle to gain E(h1 ) and E(h2 ). 6. The adversary compares the value of E(h1 ) + E(h2 ) and E(mx ). If the values of E(h1 ) + E(h2 ) and E(mx ) are the same, then the adversary knows that h1 + h2 is equal to mx, so the adversary outputs x to be one and wins the game. Since there is a method that the adversary can win the game with high probability, so the scheme is not IND-CPA. Finally, if we substract one ciphertext c1 with another ciphertext c2 and the result is underflow, then we know that c1 is smaller than c2. Therefore, detecting underflow is not secure, too. Theorem 4. Given the asymmetric homomorphic encryption scheme S = (G, E, D) (homomorphic on add-operation) where G is key generation, E is encryption, D is decryption, if S has another function that can detect underflow, then the scheme is not IND-CPA. Proof. We play an IND-CPA game to prove the theorem as follow: 1. The challenger first uses G to generate the public key, private key, and parameters. 2. The adversary can access the encryption oracle to learn about S. 3. After learning, the adversary chooses m1, m2 such that m1 + 1 < m2 and gives them to the challenger. 4. The challenger randomly chooses x {0, 1}, encrypts mx and gives the ciphertext E(mx ) to the adversary. 17

27 5. The adversary accesses the encryption oracle and gains the ciphertext E(m1 + 1). 6. The adversary detects whether E(m1 + 1) E(mx ) is underflow or not. If E(m1 + 1) E(mx ) is underflow, then the adversary knows that mx is greater than m1 + 1, so the adversary outputs x to be two and wins the game. Since there is a method that the adversary can win the game with high probability, so the scheme is not IND-CPA. In fact, these two proofs (compare two values and detect overflow) are based on the binary search. In the proof, we can know that the adversary can know the value of the plaintext by using binary search which is based on comparing values. In detail, given a secure parameter λ, then the space of the plaintexts in a encryption is 2λ. If the encryption scheme has the function of comparing two values or detecting overflow, then the adversary can break the encryption by using binary search, and the cost is 3.2 λ+1. 2 Analysis of detecting zero We first define two characters: key-owner and detectors. The key-owner is the person who has the secret keys of the scheme. The detectors are the people who want to detect zero. Now we analyze detecting zero in detail. If key-owner is off-line; that is, detectors does not need key-owner s help to detect zero. Then there is no one can restrict the times of detecting zero. For this part,given an asymmetric homomorphic encryption scheme, if everyone can detect zero, then we proved that the scheme must not be secure in section 3.1. However, if we just want someone to detect zero and trust them, then we still do not know whether the scheme is secure or not, but we guess the scheme may be secure. Furthermore, the reason that an asymmetric homomorphic scheme that can detect zero is not secure is that detector can access the encryption oracle. Hence, if the scheme is symmetric, then we guess that the scheme is still secure, but we does not confirm yet. If key-owner is online, and everyone can be the detector, then there is a intuitive method to detect zero: key-owner decrypts the ciphertext and announces the result. This is also an easiest method since everyone can know the result, the result need not be encrypted. However, if we just want someone to be a detector, then the method mentioned above does not work. The key-owner has to decrypts the ciphertext, knows the result, encrypts the result, send the 18

28 Table 3.1: Methods of detecting zero in different situations. Encryption Symmetric Detector Key-owner Method everyone on-line * key-owner replies the answer someone on-line Asymmetric Symmetric our s scheme Asymmetric maybe secure Symmetric maybe secure everyone off-line Asymmetric Not IND-CPA Symmetric maybe secure someone off-line Asymmetric * maybe secure On-line means that detectors need key-owner s help to detect zero. We guess the scheme is secure, but we still not confirm yet. encrypted result to detector. Then detector receives the encrypted result, decrypt it, and know the result. For this part, we propose a symmetric homomorphic encryption with two secret keys so that key-owner can partially decrypt the ciphertext. Then key-owner randomizes the ciphertext to convert the value of ciphertext to the result of detecting zero. Then key-owner sends the converted ciphertext to the detector. The detector then decrypt the converted ciphertext and know the result. The details are shown in section 4.5. The remain part is that the scheme is asymmetric, key-owner is online and detector is someone. For this part, we have proposed an asymmetric homomorphic encryption scheme with two secret keys and we are working hard to construct an asymmetric homomorphic encryption scheme that can detect zero. 19

29 Chapter 4 Homomorphic Encryption Based on Ring-LWE In these section, we first introduce Brakerski and Vinod Vaikuntanathan s fully homomorphic encryption scheme [17]. They give us a good method to transform the symmetric encryption baesd on ring-lwe to the asymmetric encryption. Then we propose another symmetric encryption based on the new version of ring-lwe. Although the proposed homomorphic encryption is just homomorphic on add-operation, this scheme uses two secret keys to encrypt the messages. These two keys can belong to different people, and the concept is similar to secret sharing. We also transform the proposed symmetric encryption to asymmetric encryption. Finally, we modify the proposed symmetric homomorphic encryption to construct a symmetric homomorphic encryption that can detect zero. 4.1 Brakerski and Vinod Vaikuntanathan s Symmetric Homomorphic Encryption Brakerski and Vinod Vaikuntanathan s (BV s) homomorphic encryption scheme S1 has four algorithms : key generation, encryption, decryption and evaluation. In this paper, we do not introduce evaluation in detail, but we introduce how they can homomorphically evaluate addoperation and multiply-operation. Based on these two operations, their homomorphic encryption is somewhat homomorphic encryption, and after some transformation, their homomorphic 20

30 encryption can be fully homomorphic encryption. We ignore the transformation from somewhat homomorphic encryption to fully homomorphic encryption since we do not care about this. Key Generation: input a secure parameter κ. 1. q 1 (mod 2n) and q is prime. 2. t is a prime in Z q. 3. n = 2blog κe 1, where be is a round function. 4. f (x) = xn Rq = Zq [x]/hf (x)i. 6. χ = DZn,r where r is a standard deviation. 7. D N is related to the maximal degree of homomorphism allowed (maximal degree of polynomials). private key: 1. s χ. 2. The secret key is S = (1, s, s2,..., sd ). The space of plaintexts is Rt, while the space of ciphertexts is Rq. Encryption: Input the secret key s and the message m. 1. a Rq. 2. e χ. 3. c0 = as + te + m. 4. c1 = a. Output C = (c0, c1 ). The fresh ciphertexts have two elements : c0 and c1. However, if the ciphertexts homomorphically multiply other ciphertexts, their size will grow up, and the maximum size is D

31 Add-operation: Input two ciphertext X = (x0, x1,..., xd ) and Y = (y0, y1,..., yd ). 1. xi + yi, for i = 0 to d. 2. C = (x0 + y0, x1 + y1,..., xd + yd ). Output C = (x0 + y0, x1 + y1,..., xd + yd ). The ciphertexts may have different size based on the times of evaluating multiply-operation. But we can use 0 to let two ciphertexts have same size. For example, given a ciphertext X1 = (x0, x1, x2 ) and another ciphertext Y1 = (y0, y1, y2, y3 ), then we can consider X1 = (x0, x1, x2, 0) so that we can add X1 and Y1 together. Hence, without loss of generality, we assume that two ciphertexts having the same size. Multiply-operation: X1 = (x0, x1,..., xα ) and Y1 = (y0, y1,..., yβ ). We think the ciphertexts C = (c0, c1,..., cd ) as the expression d X! ci v i over Rq where i=0 v is a variable. 1. α X! xi v i i=0 β X! yi v i i=0 α+β X cˆi v i. i=0 2. C = (c 0, c 1,..., c α+β ). Output C = (c 0, c 1,..., c α+β ). Multiply-operation need not two ciphertexts having the same length. This operation is similar to one polynomial multiplying another polynomial. The only different is that α + β have to smaller or equal to D. Decryption : Input the secret key S = (1, s, s2,..., sd ) and the ciphertext C = (c0, c1,..., cd ) C = D X ci s i. i= m C (mod t). Output m. Example of correctness : 22

32 Given two ciphertexts X and Y where X = (x0, x1 ) = (a0 s + te0 + m0, a0 ) and Y = (y0, y1 ) = (a1 s + te1 + m1, a1 ). After multiplying them together, we have X Y = (x0 y0, x0 y1 + x1 y0, x1 y1 ). Then we decrypt this ciphertexts 1. C 0 = (x0 y0 ) 1 + (x0 y1 + x1 y0 ) s + (x1 y1 ) s2 = t(te0 e1 + e0 m1 + e1 m0 ) + m0 m1. 2. m0 m1 C 0 (mod t). Finally, we get the correct plaintext m0 m1. Now we analyze the security of the scheme S1. Given a ciphertext (as + te + m, a), the attackers cannot find the plaintext m because m is adding with a pseudo-random value. For this part, the security is based on the decision version of (scale-type) ring-lwe. If the attackers want to find the secret key s, they still suffer from the search version of (scale-type) ring-lwe. Hence, the scheme S1 is secure based on these two versions of ring-lwe. 4.2 Brakerski and Vinod Vaikuntanathan s Asymmetric Homomorphic Encryption BV s symmetric homomorphic encryption are based on the scale-type version of ring-lwe. The method to transform the symmetric homomorphic encryption to asymmetric encryption is to construct a new version of ring-lwe. The scale-type ring-lwe is that (a, as + te) is indistinguishable to (a, u) where a and u are random values and e is a noise. We can think s as a secret and we use random values to hide s. The transformed version of ring-lwe is that ((a, b), (av + te0, bv + te00 )) is indistinguishable to ((a, b), (a0, a0 s + te00 )) where a, a0 and v are random values, e and e0 are noises, e00 is also a noise but it is sampled from another distribution, and b is (as + te). We can think that we hide s two times, the first time is (as + te) and the second time is (bv + te00 ). Based on this new version of ring-lwe, the secret key is s, and the public key is (a, b). 23

33 We first show three lemmas and the transformation, and then give the asymmetric encryption scheme. The first lemma shows the bound of norm of elements sampled from a distribution. The second lemma shows the bound of statistical distance between two distributions. The third lemma is the core of the transformation in this section, and can be proved by using lemma 1 and lemma 2. Lemma 1. (see [1], Lemma 1). Let n N. For any number r = w( log n), we have Prx DZn,r [kxk > r n] 2 n+1. Lemma 2. (see [1], Lemma 2). Let n N. For any number r = w( log n) and any c Zn, the statical distance between the distributions DZn,r and DZn,rc is at most kck. r Lemma 3. (see [1], Lemma 4). Given two distribution DZn,r and DZn,r0 where r0 2w(logn) r. Then (e00 + ev e0 s) is statical indistinguishable to e00 where v and s are sampled from DZn,r. Since BV s scheme is care about KDM-secure (key dependent message secure), s and v need to be sampled from DZn,r. In this paper, we only care about homomorphic encryption, hence s and v can sampled from Rq. Now, we want to prove that ((a, b), (av+te0, bv+te00 )) is indistinguishable to ((a, b), (a0, a0 s+ te00 )). Lemma 4. (see [1], Lemma 4). Let f, q, χ = DZn,r be the parameters for ring-lwe and t is prime to q. Let χ0 = DZn,r0 where r0 2w(logn) r. Let a, a0 are sampled from Rq, s, v, e, e0 are sampled from χ, e00 is sampled from χ0 and b = as + te, then c ((a, b), (av + te0, bv + te00 )) ((a, b), (a0, a0 s + te00 )). c Proof. First, we show that (av + te0 ) a0 by using the assumption of scale-type ring-lwe. c Hence, the remain we have to prove is that (bv + te00 ) (a0 s + te00 ). c Since (bv + te00 ) = (av + te0 )s + t(e00 + ve se0 ), we know that (bv + te00 ) a0 s + t(e00 + ve se0 ). By using lemma 3, we have c s (bv + te00 ) a0 s + t(e00 + ve se0 ) a0 s + te00 24

34 Finally, we show the BV s asymmetric encryption scheme S2 based on this transformed version of ring-lwe. The scheme S2 is similar to the scheme S1. The only different things is the algorithm of key generation and encryption. Decryption, add-operation and multiply-operation are the same. Key Generation: input a secure parameter κ. public parameter: 1. q 1 (mod 2n) and q is prime. 2. t is a prime in Z q. 3. n = 2blog κe 1, where be is a round function. 4. f (x) = xn Rq = Zq [x]/hf (x)i. 6. χ = DZn,r where r is a standard deviation. 7. χ0 = DZn,r0 where r0 2(ωlogn) r. 8. D N is related to the maximal degree of homomorphism allowed (maximal degree of polynomials). private key: 1. s χ. 2. The secret key is S = (1, s, s2,..., sd ). public key: 1. a Rq. 2. b = as + te where e0 χ. 3. The public key is (a, b). The space of plaintexts is Rt, while the space of ciphertexts is Rq. Encryption : Input the public key (a, b) and the message m. 1. v χ. 25

35 2. e0 χ. 3. e00 χ0. 4. c0 = bv + te00 + m. 5. c1 = (av + te0 ). Output C = (c0, c1 ). Add-operation : The same as the add-operation of S1. Multiply-operation : The same as the multiply-operation of S1. Decryption : The same as the decryption of S1. Now we analyze the security of the scheme S2. Given a ciphertext (bv +te00 +m, (av + te0 )), the attackers cannot find the plaintext m because (bv + te00 ) is indistinguishable from (a0 s + te00 ), and (a0 s + te00 ) is a pseudo-random value. For this part, the security is based on the decision version of ring-lwe. If the attackers want to find the secret key s, they still suffer from the search version of ring-lwe. Hence, the scheme S2 is secure based on these two versions of ring-lwe. 4.3 Proposed Symmetric Homomorphic Encryption Before we propose the new homomorphic encryption, we need to prove that the new version of ring-lwe is hard enough. In detail, we prove that the scale-type ring-lwe can be reduced to this version of ring-lwe, hence, our encryption based on our version of ring-lwe is secure. Because this new version of ring-lwe has two secrets, so we called this version of ring-lwe two-secrets ring-lwe. Definition 10. The search version of two-secrets ring-lwe is that given (a, as1 + bs2 + te) one have to output s1 and s2, where a and b are chosen uniformly from Rq, e is sampled from χ, and t is in Zq. 26

36 Definition 11. The decision version of two-secrets ring-lwe is: A = {(a, as1 + bs2 + te)} and B = {(a, u)} Randomly given (x, y), one have to show that (x, y) is from A or from B, where a, b and u are chosen uniformly from Rq, e is sampled from χ, and t is in Zq. Note that the scale-type ring-lwe has only one secret, but two-secrets ring-lwe has two secrets. The original scale-type ring-lwe is (a, as + te), but two-secrets is (a, b, as1 + bs2 + te) (where a, b are sampled uniformly from Rq and e is sampled from χ). We can also think (a, as + te) as (a, 0, as1 + 0 s2 + te), the special case of our version of ring-lwe. Hence, we give a lemma to prove that scale-type ring-lwe can be reduced to two-secrets ring-lwe. Lemma 5. The decision version (search version) of scale-type ring-lwe can be reduced to decision version (search version) of two-secrets ring-lwe. Proof. If there is an algorithm A can solve two-secrets ring-lwe; that is, given (a, b, as1 + b2 + te) where a and b are sampled uniformly from Rq, and e is sampled from χ, A can output s1 and s2. Then given (a, as + te), we can think (a, as + te) as (a, 0, as1 + 0 s2 + te). Hence, A can solve (a, 0, as1 + 0 s2 + te), and output s1. Based on two-secrets ring-lwe, The proposed homomorphic encryption is not homomorphic on multiply-operation, but it is still homomorphic on add-operation. Furthermore, the proposed encryption has two secret keys, and these two keys can belong to different people. The concept of this property is similar to secret sharing. We show the homomorphic encryption scheme S3 as follows. Key Generation: input a secure parameter κ. 1. q 1 (mod 2n) and q is prime. 2. t is a prime in Z q. 3. n = 2blog κe 1, where be is a round function. 4. f (x) = xn Rq = Zq [x]/hf (x)i. 6. χ = DZn,r where r is a standard deviation. 27

37 private keys: 1. s1 Rq. 2. s2 Rq. 3. The secret keys are s1 and s2. The space of plaintexts is Rt, while the space of ciphertexts is Rq. Note that some of the parameters are the same as BV s encryption. The different is that our secret keys are sampled from Rq instead of χ since we are not care about KDM-secure. Also, because our encryption is not homomorphic on multiply-operation, we need not use the parameter D that is related to the maximal degree of homomorphism allowed. Encryption: Input the secret keys s1 and s2, and the message m. 1. a Rq. 2. b Rq. 3. e χ. 4. c0 = as1 + bs2 + te + m. 5. c1 = a. 6. c2 = b. Output C = (c0, c1, c2 ) Different form BV s encryption, our fresh ciphertext has three elements. However, the size of our ciphertexts are always the same because we can not homomorphically evaluate multiply-operations. Add-operation: Input two ciphertext X1 = (x0, x1, x2 ) and Y1 = (y0, y1, y2 ). 1. xi + yi, for i = 0 to C = (x0 + y0, x1 + y1, x2 + y2 ). Output C = (x0 + y0, x1 + y1, x2 + y2 ) Decryption: Input the secret keys s1 and s2, and the ciphertext C = (c0, c1, c2 ) 28

38 1. C 0 = 2 X! ci s i. i= m C (mod t). Output m Example of correctness : Given two ciphertexts X and Y where X = (x0, x1, x2 ) = (a0 s1 + b0 s2 + te0 + m1, a0, b0 ) and Y = (y0, y1, y2 ) = (a1 s1 + b1 s2 + te1 + m2, a1, b1 ). After adding them together, we have X + Y = (a0 + a1 )s1 + (b0 + b1 )s2 + t(e1 + e2 ) + (m1 + m2 ). Then we decrypt this ciphertext 1. C 0 = (a0 + a1 )s1 + (b0 + b1 )s2 + t(e1 + e2 ) + (m1 + m2 ) + ( (a1 + a2 )s1 ) + ( (b1 + b2 )s2 ). 2. m1 + m2 C 0 (mod t). Finally, we get the correct plaintext m1 + m2. Now we analyze the security of the scheme S3. Given a ciphertext (as1 + bs2 + te + m, a, b), the attackers cannot find the plaintext m because m is adding with a pseudorandom value as1 + bs2 + te. For this part, the security is based on the decision version of two-secrets ring-lwe. If the attackers want to find the secret keys s1 and s2, they still suffer from the search version of two-secrets ring-lwe. Hence, the scheme S3 is secure based on these two versions of two-secrets ring-lwe. 4.4 Proposed Asymmetric Homomorphic Encryption The proposed transformation is similar to BV s transformation. We also want to hide our secret two times. However, the difference is that if we hide secret keys one by one, then there 29