
Homomorphic Primitives in Secret-Key Cryptography for Privacy and Authenticity


Academic year: 2023



Full text

Finally, we analyze the security of the homomorphic authenticated encryption schemes obtained by generic compositions of a homomorphic secret-key encryption (HSE) scheme and a homomorphic message authentication (HMA) scheme. The EF-AGCD assumption has previously been used to construct fully homomorphic encryption schemes that support Boolean circuits; here we use it to construct an HAE scheme that supports arithmetic circuits over $\mathbb{Z}_Q$ for $Q \in \mathbb{Z}^+$.

Notations

We define the error-free approximate greatest common divisor (EF-AGCD) assumptions, which serve as our security assumptions. We also give some lemmas and a description of arithmetic circuits, which serve as our computation model.

Security assumptions

Later, we show that our scheme is IND-CPA under the decisional EF-AGCD assumption. By the equivalence, the security of our scheme therefore rests on the EF-AGCD assumption.

Pseudo-Random Function

Labeled Program

Arithmetic Circuits

The arity and the size of an arithmetic circuit are the number of input gates and the total number of gates in the circuit, respectively. A labeled arithmetic circuit is an arithmetic circuit in which each input port is labeled with a bit string, distinct from the elements of $R$.

Hash Tree

The depth of an arithmetic circuit is the length of the longest directed path from an input port to an output port of the circuit. For an arithmetic circuit $f$ on $R$ of arity $l$ and $l$ bit strings $\tau_1, \dots, \tau_l$, the labeled arithmetic circuit $f(\tau_1, \dots, \tau_l)$ denotes $f$ with its $i$-th input port labeled by the bit string $\tau_i$.

Security Notions

Construction

Security Proof

We say that an HMA scheme $\Pi$ satisfies message constant testability (MCT) if there exists a PPT algorithm that determines, with overwhelming probability, whether the function $\tilde m = \tilde m_{f,(m_i)_{i\in I}}$ is constant or not, for every evaluation key $ek$ generated by $\Pi.\mathrm{Gen}$, every admissible function $f : M^l \to M$ of arity $l$, every subset $I$ of the index set $\{1, \dots, l\}$ and every $(m_i)_{i\in I} \in M^{|I|}$. We say that an HMA scheme $\Pi$ satisfies tag constant testability (TCT) if there exists a PPT algorithm that determines, with overwhelming probability, whether the function $\tilde\sigma_{f,(\sigma_i)_{i\in I}}$ is constant or not, for every evaluation key $ek$ generated by $\Pi.\mathrm{Gen}$, every admissible function $f : M^l \to M$ of arity $l$, every subset $I$ of the index set $\{1, \dots, l\}$ and every $(\sigma_i)_{i\in I} \in T^{|I|}$.

Security Notions

Message constant testability can, however, be a hard property to satisfy in general: for example, if an HMA scheme supports general Boolean circuits, then MCT implies that CIRCUIT-SAT can be solved in polynomial time with high probability, so the polynomial hierarchy PH collapses. This is the case for our HMA scheme presented in this thesis, as shown in Theorem 16. We therefore regard the TCT property as an additional requirement that an HMA scheme must satisfy.

We say that an HMA scheme satisfies UF-CMA if $\mathrm{Adv}^{\mathrm{UF\text{-}CMA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$. We say that an HMA scheme satisfies SUF-CMA if $\mathrm{Adv}^{\mathrm{SUF\text{-}CMA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$. We say that an HMA scheme satisfies UF-CTA if $\mathrm{Adv}^{\mathrm{UF\text{-}CTA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$.

We say that an HMA scheme satisfies SUF-CTA if $\mathrm{Adv}^{\mathrm{SUF\text{-}CTA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$.

Relations on Security Notions

We prove the theorem by a hybrid argument that transforms the game SUF-CTA into another game that is essentially the same as the game SUF-CMA. Note that the verification simulation uses no secret information and can be computed efficiently thanks to the TCT property. Thus, the adversary $A$ obtains no useful information at all from its verification queries in the game $\mathrm{SUF\text{-}CTA}_q$.

We show that the verification simulation fails for a verification query $\hat t := ((f, \tau_1, \dots, \tau_l), \hat m, \hat\sigma)$ only if $\hat t$ is a strong forgery. If it does, we can build a PPT adversary $A''$ for the SUF-CMA game using the verification query made by $A$. Specifically, $A''$ runs $A$ until it makes the verification query $\hat t$, answering the authentication queries of $A$ with its own authentication oracle and answering the earlier verification queries by the verification simulation.

Then $A''$ aborts the run of $A$ and outputs the verification query $\hat t$ of $A$ as its own forgery attempt.

Generic Transformation to TCT

$\Pi'$ and $\Pi$ share the same message space $M$, the same label space $L$ and the same set $F$ of admissible functions. Below we show that the constructed scheme $\Pi'$ satisfies the TCT property and that this generic transformation preserves SUF-CMA. The above expression $\tilde c'$ is a function of the values at the missing indices, $(h_i)_{i\notin I}$ and $(c_i)_{i\notin I}$.

Since the underlying hash function $H$ is collision resistant, the hash tree $H$ cannot be constant in every variable except with negligible probability. Using $A'$, we construct a PPT adversary $A$ for the security game $\mathrm{SUF\text{-}CMA}_{\Pi,A}$ that simulates the game $\mathrm{SUF\text{-}CMA}_{\Pi',A'}$.

Construction

The message space is $\mathbb{Z}_Q$, the tag space is $\mathbb{Z}$, and the label space is $\{0,1\}^\lambda$.

Security Proof

Therefore, the error probability of the algorithm is negligible, and we can efficiently determine whether $\tilde\sigma$ is constant or not with overwhelming probability. Define $\mathrm{GAME}_1$ as the game identical to $\mathrm{GAME}_0$ except that all encryption queries are answered by the following encryption simulation. An HAE scheme is a tuple $\Pi = (\mathrm{Gen}, \mathrm{Enc}, \mathrm{Eval}, \mathrm{Dec})$ of the following four PPT algorithms. $(ek, sk) \leftarrow \mathrm{Gen}(1^\lambda)$: given a security parameter $\lambda$, $\mathrm{Gen}(1^\lambda)$ outputs a public evaluation key $ek$ and a secret key $sk$.

This means that the size of a ciphertext is independent of the choice of the admissible function $f$ and of its arity. Depending on whether we work with messages or with ciphertexts, we define two versions of constant testability. An HAE scheme $\Pi$ is said to satisfy plaintext constant testability (PCT) if there exists a PPT algorithm that determines, with overwhelming probability, whether the function $\tilde m = \tilde m_{f,(m_i)_{i\in I}}$ is constant or not, for every evaluation key $ek$ generated by $\Pi.\mathrm{Gen}$, every admissible function $f : M^l \to M$ of arity $l$, every subset $I$ of the index set $\{1, \dots, l\}$ and every $(m_i)_{i\in I} \in M^{|I|}$.

We say that an HAE scheme satisfies ciphertext constant testability (CCT) if there exists a PPT algorithm that determines, with overwhelming probability, whether the function $\tilde c_{f,(c_i)_{i\in I}}$ is constant or not, for every evaluation key $ek$ generated by $\Pi.\mathrm{Gen}$, every admissible function $f : M^l \to M$ of arity $l$, every subset $I$ of the index set $\{1, \dots, l\}$ and every $(c_i)_{i\in I} \in C^{|I|}$.

Security Notions

The advantage of $A$ in the game IND-CPA for the scheme $\Pi$ is denoted $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{\Pi,A}(\lambda)$. We say that an HAE scheme $\Pi$ satisfies IND-CPA if $\mathrm{Adv}^{\mathrm{IND\text{-}CPA}}_{\Pi,A}(\lambda)$ is negligible for every PPT adversary $A$. The advantage of $A$ in the game IND-CCA for the scheme $\Pi$ is denoted $\mathrm{Adv}^{\mathrm{IND\text{-}CCA}}_{\Pi,A}(\lambda)$.

We say that an HAE scheme satisfies UF-CPA if $\mathrm{Adv}^{\mathrm{UF\text{-}CPA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$. We say that an HAE scheme satisfies SUF-CPA if $\mathrm{Adv}^{\mathrm{SUF\text{-}CPA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$. We say that an HAE scheme satisfies UF-CCA if $\mathrm{Adv}^{\mathrm{UF\text{-}CCA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$.

An HAE scheme is said to satisfy SUF-CCA if $\mathrm{Adv}^{\mathrm{SUF\text{-}CCA}}_{A}(1^\lambda)$ is negligible for every PPT adversary $A$.

Relations on security notions

Therefore, we can construct a PPT adversary $A''$ for the game SUF-CPA using the decryption query made by $A$. The proof of this theorem is similar to that of Theorem 11: we again prove it by a hybrid argument that transforms the IND-CCA game into another game that is essentially the same as the IND-CPA game. In the first query phase, the simulation by $A'$ of the game $\mathrm{IND\text{-}CCA}_{a,q_a}$ is correct.

We need to show that the simulation by $A'$ of the game $\mathrm{IND\text{-}CCA}_{a,q_a}$ is nevertheless correct in the 'Queries After Challenge' phase. Let us compare how such a query is answered in the game $\mathrm{IND\text{-}CCA}_{a,q_a}$ and in the simulation by $A'$. In the game $\mathrm{IND\text{-}CCA}_{a,q_a}$, $m^*_1$ is encrypted under the label $\tau^*$ to produce the challenge ciphertext $c^*$.

Meanwhile, when $\tilde c$ is constant and equal to $\hat c$, the game $\mathrm{IND\text{-}CCA}_{a,q_a}$ outputs $\tilde f_1$, whereas the simulation by $A'$ outputs $\tilde f_0$.

Generic transformation to CCT

In this case, the challenge $(\tau^*, m^*_0, m^*_1)$ output by $A$ is handled by $A''$: $A''$ picks a coin $b \leftarrow \{0,1\}$ and obtains the challenge ciphertext via its own encryption query $(\tau^*, m^*_b)$. In conclusion, IND-CPA and SUF-CPA together imply the strongest security notions, IND-CCA and SUF-CCA. When we discuss our construction in Section 5.5, we show that our scheme is IND-CPA and SUF-CPA.

Below we show that the constructed scheme $\Pi'$ satisfies the CCT property and that this generic transformation preserves SUF-CPA and IND-CPA. We construct a PPT adversary $A$ for the game $\mathrm{IND\text{-}CPA}_{\Pi,A}$ that simulates the game $\mathrm{IND\text{-}CPA}_{\Pi',A'}$ for the adversary $A'$. Most of the simulation is trivial message passing, but for a challenge $(\tau^*, m^*_0, m^*_1)$ made by $A'$, $A$ returns the challenge ciphertext $(H(r), c^*)$ to $A'$, where $r \leftarrow \{0,1\}^\lambda$ and $c^*$ is the challenge ciphertext given to $A$ in the security game $\mathrm{IND\text{-}CPA}_{\Pi,A}$.

Using $A'$, we construct a PPT adversary $A$ for the security game $\mathrm{SUF\text{-}CPA}_{\Pi,A}$ that simulates the game $\mathrm{SUF\text{-}CPA}_{\Pi',A'}$ for the adversary $A'$.

Construction

Then we can construct a PPT distinguisher $D$ for the decisional $(\rho, \eta, \gamma)$-EF-AGCD problem by simulating the game $\mathrm{IND\text{-}CPA}_{\Pi,A}$ as follows. We construct an adversary $A'$ for the game $\mathrm{UF\text{-}CMA}_{\mathrm{HMA}}$ with non-negligible advantage that simulates the game $\mathrm{UF\text{-}CPA}_{\mathrm{HAE},A}$ as follows. Now we consider the case where $A$ is a PPT adversary for the game $\mathrm{UF\text{-}CCA}_{\mathrm{HAE}}$ with non-negligible advantage.

We construct an adversary $A'$ for the game $\mathrm{UF\text{-}CTA}_{\mathrm{HMA}}$ with non-negligible advantage that simulates the game $\mathrm{UF\text{-}CCA}_{\mathrm{HAE},A}$ as follows. We construct an adversary $A'$ for the game $\mathrm{IND\text{-}CPA}_{\mathrm{HSE}}$ with non-negligible advantage that simulates the game $\mathrm{IND\text{-}CPA}_{\mathrm{HAE},A}$ as follows. We construct an adversary $A'$ for the game $\mathrm{UF\text{-}CMA}_{\mathrm{HMA}}$ with non-negligible advantage that simulates the game $\mathrm{UF\text{-}CPA}_{\mathrm{HAE},A}$ as follows.

We construct an adversary $A'$ for the game $\mathrm{UF\text{-}CTA}_{\mathrm{HMA}}$ with non-negligible advantage that simulates the game $\mathrm{UF\text{-}CCA}_{\mathrm{HAE},A}$ as follows. Otherwise, compute $c \leftarrow \mathrm{HSE.Enc}(\mathrm{HSE}.sk, m)$ and obtain a tag $\sigma$ for the query $(\tau, c)$ from the authentication oracle $\mathrm{HMA.Auth}$. We construct an adversary $A'$ for the game $\mathrm{IND\text{-}CPA}_{\mathrm{HSE}}$ with non-negligible advantage that simulates the game $\mathrm{IND\text{-}CCA}_{\mathrm{HAE},A}$ as follows.
