Homomorphic Primitives in Secret-Key Cryptography for Privacy and Authenticity

Author(s)
Joo, Chihong
Advisor
Yun, Aaram
Issued Date
2016-08
URI
https://scholarworks.unist.ac.kr/handle/201301/72057 http://unist.dcollection.net/jsp/common/DcLoOrgPer.jsp?sItemId=000002300608
Abstract
In this thesis, we define various security notions for homomorphic message authentication (HMA) and homomorphic authenticated encryption (HAE) and study the relations among them. For privacy, we define a homomorphic version of IND-CCA. Although the usual IND-CCA security is not achievable for homomorphic encryption because of its malleability, a version of IND-CCA can nevertheless be defined for HAE. This is because, for HAE, encryption of a plaintext is done with respect to a ‘label’, and decryption of a ciphertext is likewise done with respect to a ‘labeled program’. So, while the ciphertext remains malleable by function evaluation, a decryption query must essentially declare how the ciphertext was produced. This allows a homomorphic version of IND-CCA to be defined naturally.
For authenticity, we define UF-CMA for HMA, the homomorphic version of unforgeability when the adversary has access to the authentication oracle. We also consider UF-CTA, where the adversary has not only the authentication oracle but also the verification oracle. Moreover, we consider strong unforgeability flavors of authenticity and define homomorphic versions accordingly: SUF-CMA and SUF-CTA. These security notions for HMA translate naturally to those for HAE, namely UF-CPA, UF-CCA, SUF-CPA and SUF-CCA. We investigate the relationships among these notions and show, for example, that SUF-CMA implies SUF-CTA and, similarly, that SUF-CPA implies SUF-CCA. We also show that IND-CPA and SUF-CPA together imply IND-CCA. Taken together, this shows that an HAE scheme with IND-CPA and SUF-CPA security is in fact IND-CCA and SUF-CCA secure.
We also propose an HAE scheme and an HMA scheme supporting arithmetic circuits. These schemes are not fully homomorphic but only somewhat homomorphic; nevertheless, we show that they are fully secure. Our HMA scheme satisfies SUF-CTA, that is, it is strongly unforgeable even when the adversary is given not only the authentication oracle but also the verification oracle, and it needs only the weak assumption that a PRF exists. Our HAE scheme satisfies both IND-CCA and SUF-CCA, and it is a simple and natural construction based on the error-free approximate GCD (EF-AGCD) assumption. The EF-AGCD assumption was used before [25, 11, 12, 9, 10] to construct fully homomorphic encryption schemes supporting boolean circuits; here we use it to construct an HAE scheme supporting arithmetic circuits over Z_Q for Q ∈ Z^+.
Finally, we analyze the security of the homomorphic authenticated encryption schemes obtained by generic composition of a homomorphic secret-key encryption (HSE) scheme and a homomorphic message authentication (HMA) scheme. There are three possible generic compositions: Encrypt-and-Authenticate (E&A), Authenticate-then-Encrypt (AtE) and Encrypt-then-Authenticate (EtA). The E&A composition preserves only the unforgeability of HMA. The AtE composition preserves both the privacy of HSE and the unforgeability of HMA, but not the strong unforgeability of HMA. The EtA composition preserves all security properties of HSE and HMA. In particular, if HSE is IND-CPA and HMA is UF-CTA, then their EtA composition achieves IND-CCA.
Publisher
Ulsan National Institute of Science and Technology (UNIST)
Degree
Doctor
Major
Department of Electrical and Computer Engineering