METHOD FOR CIPHERING A MESSAGE VIA A KEYED HOMOMORPHIC ENCRYPTION FUNCTION, CORRESPONDING ELECTRONIC DEVICE AND COMPUTER PROGRAM PRODUCT

TECHNICAL FIELD

The disclosure relates to cryptography, and more specifically to homomorphic encryption schemes.

BACKGROUND

This section is intended to introduce the reader to various aspects of art, which may be related to various aspects of the present invention that are described andor claimed below. This discussion is believed to be helpful in providing the reader with background information to facilitate a better understanding of the various aspects of the present invention. Accordingly, it should be understood that these statements are to be read in this light, and not as admissions of prior art.

In homomorphic encryption schemes (either partially or fully encryption schemes), it is possible to publicly operate on a ciphertext and turn it into an encryption of a related message without knowing the decryption key. Such feature is called the malleability of homomorphic encryption scheme. Due to this malleability feature, the notion of security under adaptive chosen ciphertext attack (also named CCA2 security) and homomorphic encryption scheme were contradictory. Indeed, no one can obtain a homomorphic encryption scheme with a CCA2 security proof (see for example the following article: “On CCA-Secure Somewhat Homomorphic Encryption” by J. Loftus et al. in the conference SAC (“Selected Areas in Cryptography”) 2012, for more details on that issue). However, in the article “Chosen Ciphertext Secure Keyed-Homomorphic Public-Key Encryption” by Emura et al., published in the proceedings of the conference PKC 2013 (of which the full version is available on the Cryptology ePrint Archive (Report 2013390)), the authors proposed a technique that limit such malleability only to a user that owns a dedicated key (which is named an evaluation key), different from the decryption key in the homomorphic encryption scheme. Such “keyed” homomorphic encryption scheme can be proven CCA2 secure against any adversary who does not have the evaluation key). Also, another mandatory condition on such scheme is that the evaluation key does not enable decryption by itself. But, as acknowledged in the full version of the article of Emura et al., their constructions only satisfy a relaxed security definition wherein the adversary is not allowed to obtain homomorphic evaluations of the challenge ciphertext. However, there is no reason to impose this restriction as long as the resulting homomorphic evaluations are not queried for decryption. The present disclosure aims to overcome this issue. Moreover, it appears that many applications of homomorphic encryption schemes (like electronic voting or multiparty computation protocols) require a threshold decryption mechanism in any large-scale deployment: the decryption key must be shared among n servers in such a way that at least t out of these n servers have to contribute to each decryption operation. Unfortunately, the Emura et al. constructions disclosed in the previously mentioned article do not readily extend to the threshold setting because they do not provide ciphertexts of publicly verifiable validity. Indeed, in such scheme, deciding whether a ciphertext is valid or not requires knowledge of the decryption key. The aim of the present disclosure is to overcome this issue. Indeed, the present disclosure is a chosen-ciphertext-secure keyed-homomorphic cryptosystem with publicly verifiable ciphertexts. As a result, it is possible to set up a threshold decryption scheme that can be proven and remains chosen-ciphertext-secure under adaptive corruptions.

SUMMARY

The present disclosure is directed to a method for ciphering a message by a sender device at destination to a receiver device, said method comprising a step of using a keyed homomorphic encryption function associated with a public key of said receiver device. Such step is remarkable in that it comprises:

- a step of ciphering said message with an encryption scheme secure against adaptive chosen-ciphertext attacks, in function of a first element of said public key, delivering a ciphertext;
- a step of determining for said ciphertext, an homomorphic non-interactive proof and a simulation-sound non-interactive proof, said homomorphic non-interactive proof being obtained in function of a set of signatures comprised in said public key, and said simulation-sound non-interactive proof being obtained in function of a second element comprised in said public key, and an evaluation key of said keyed homomorphic encryption function being an element linked to said second element;
- a step of delivering a cipher of said message comprising said ciphertext, said homomorphic non-interactive proof and said simulation-sound non-interactive proof.

Hence, the ciphertext obtained tough the execution of such method is publicly verifiable. Such technique can be applied either in cloud services, or in data mining where keyed-homomorphic cryptosystem are needed. More usage scenarios where homomorphic cryptosystem (and therefore keyed-homomorphic cryptosystem) are described in the document entitled: “KV Web Security: Applications of Homomorphic Encryption” by Gerhard Potzelsberger.

In a preferred embodiment, such method for ciphering is remarkable in that said cipher of said message further comprises a one-time verification public key SVK and a one-time signature corresponding to a signature of a concatenation of said ciphertext, said homomorphic non-interactive proof and said simulation-sound non-interactive proof, said signature being verifiable with said verification public key SVK.

In a preferred embodiment, such method for ciphering is remarkable in that said encryption scheme is based on the Naor-Yung encryption paradigm.

In a preferred embodiment, such method for ciphering is remarkable in that said encryption scheme is based on the Cramer-Shoup paradigm.

In a preferred embodiment, such method for ciphering is remarkable in that said ciphertext corresponds to an uplet (C₀, C₁, C₂, C₃)=(M·X₁^θ¹·X₂^θ2, f^θ¹, h^θ², g^θ¹^+θ²) where M is said message and belongs to a group custom-character encryption exponents θ₁, θ₂that belong to group _pare private random values, and elements X₁=f^x¹g^x⁰∈ and X₂=h^x²g^x⁰∈ are comprised in said public key, with (x₀, x₁, x₂) ∈ _p³being unknown elements for said sender device and corresponding to a private key for said receiver device, and elements g, f h are elements that belong to said group custom-character .

In a preferred embodiment, such method for ciphering is remarkable in that said step of determining said homomorphic non-interactive proof comprises:

- a step of obtaining said set of signatures which is a signature on independent vectors {right arrow over (f)}=(f 1,g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³comprising elements {(a_j,b, c_j)}_j=1²obtained through a use of a private key sk′={χ_i, γ_i, δ_i}_i=1ⁿ³, with (χ_i, γ_i, δ_i) ∈ _p³, and (a₁, b₁, c₁)=(f^−χ¹g^−χ³, f^−γ¹g^−γ³, f^−δ¹g^−δ³), (a₂, b₂, c₂)=(h^−χ²g^−χ³, h^−γ²g^−γ³, h^−δ²g^−δ³), and public key associated to said private key sk′ being comprised in said public key of said receiver device;
- a step of deriving a linearly homomorphic signature from said set of signatures and said encryption exponents θ₁, θ₂, delivering a derived signature (a, b, c)=(a₁^θ¹·a₂^θ2, b=b₁^θ1·b₂^θ2, c=c₁^θ¹·c₂^θ²) on vector (C₁, C₂, C₃), said derived signature being said homomorphic non-interactive proof.

In a preferred embodiment, such method for ciphering is remarkable in that said step of determining said simulation-sound non-interactive proof comprises:

- a step of obtaining said second element corresponding to a one time homomorphic signature on the independent vectors {right arrow over (f)}=(f 1, g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³generated with a private key, said evaluation key corresponding to said private key;
- a step of determining a derived signature on said second element, said derived signature being a one-time linearly homomorphic signature ;
- a step of generating commitments on said derived signature using a Groth-Sahai common reference string based on said one-time verification public key VK;
- a step of generating proofs with a randomizable linearly homomorphic structure-preserving signing method, said simulation-sound non-interactive proof being a concatenation of said commitments and said proofs.

In a preferred embodiment, such method for ciphering is remarkable in that said step of determining said simulation-sound non-interactive proof comprises a step of determining a non-interactive witness OR proof in function of said encryption exponents θ₁, θ₂and said second element, said second element being a verification key of a digital signature method, and said evaluation key being a corresponding private key of said verification key of said digital signature method.

In a preferred embodiment, such method for ciphering is remarkable in that said digital signature method is a Waters signature method.

In another embodiment, it is proposed a method for processing a cipher of a message, said method being executed by a receiver device. Such method is remarkable in that it comprises:

- a step of obtaining a homomorphic non-interactive proof and a simulation-sound non-interactive proof that are associated to said cipher;
- a step of verifying a validity of said homomorphic non-interactive proof and said simulation-sound non-interactive proof, delivering an information of validity of said cipher.

In a preferred embodiment, such method for processing is remarkable in that said method further comprises a step of obtaining said message from said cipher in case that said information of validity asserts that said cipher is valid, by using a private key.

In a preferred embodiment, such method for processing is remarkable in that when at least a first and a second cipher of a first message and a second message are obtained by said receiver device, the method further comprises a set of combining said first and said second cipher by using an evaluation key, delivering a third cipher comprising an homomorphic non-interactive proof and a simulation-sound non-interactive proof.

According to an exemplary implementation, the different steps of the method are implemented by a computer software program or programs, this software program comprising software instructions designed to be executed by a data processor of an electronic device (or module or a computer device) according to the disclosure and being designed to control the execution of the different steps of this method.

Consequently, an aspect of the disclosure also concerns a program liable to be executed by a computer or by a data processor, this program comprising instructions to command the execution of the steps of a method as mentioned here above.

This program can use any programming language whatsoever and be in the form of a source code, object code or code that is intermediate between source code and object code, such as in a partially compiled form or in any other desirable form.

The disclosure also concerns an information medium readable by a data processor and comprising instructions of a program as mentioned here above.

The information medium can be any entity or device capable of storing the program. For example, the medium can comprise a storage means such as a ROM (which stands for “Read Only Memory”), for example a CD-ROM (which stands for “Compact Disc—Read Only Memory”) or a microelectronic circuit ROM or again a magnetic recording means, for example a floppy disk or a hard disk drive.

Furthermore, the information medium may be a transmissible carrier such as an electrical or optical signal that can be conveyed through an electrical or optical cable, by radio or by other means. The program can be especially downloaded into an Internet-type network.

Alternately, the information medium can be an integrated circuit into which the program is incorporated, the circuit being adapted to executing or being used in the execution of the method in question.

According to one embodiment, an embodiment of the disclosure is implemented by means of software andor hardware components. From this viewpoint, the term “module” can correspond in this document both to a software component and to a hardware component or to a set of hardware and software components.

A software component corresponds to one or more computer programs, one or more sub-programs of a program, or more generally to any element of a program or a software program capable of implementing a function or a set of functions according to what is described here below for the module concerned. One such software component is executed by a data processor of a physical entity (terminal, server, etc.) and is capable of accessing the hardware resources of this physical entity (memories, recording media, communications buses, inputoutput electronic boards, user interfaces, etc.).

Similarly, a hardware component corresponds to any element of a hardware unit capable of implementing a function or a set of functions according to what is described here below for the module concerned. It may be a programmable hardware component or a component with an integrated circuit for the execution of software, for example an integrated circuit, a smart card, a memory card, an electronic board for executing firmware etc.

In another embodiment, it is proposed a sender device (which is an electronic device) comprising means for ciphering a message, said means comprising means for using a keyed homomorphic encryption function associated with a public key of a receiver device. These means for using are remarkable in that they comprise:

- means for ciphering said message with an encryption scheme secure against adaptive chosen-ciphertext attacks, in function of a first element of said public key, delivering a ciphertext;
- means for determining for said ciphertext, an homomorphic non-interactive proof and a simulation-sound non-interactive proof, said homomorphic non-interactive proof being obtained in function of a set of signatures comprised in said public key, and said simulation-sound non-interactive proof being obtained in function of a second element comprised in said public key, and an evaluation key of said keyed homomorphic encryption function being an element linked to said second element;
- means for delivering a cipher of said message comprising said ciphertext, said homomorphic non-interactive proof and said simulation-sound non-interactive proof.

In another embodiment, it is proposed a receiver device (which is an electronic device) comprising means for processing a cipher of a message. These means are remarkable in that they comprise:

- means for obtaining a homomorphic non-interactive proof and a simulation-sound non-interactive proof that are associated to said cipher;
- means for verifying a validity of said homomorphic non-interactive proof and said simulation-sound non-interactive proof, delivering an information of validity of said cipher.

BRIEF DESCRIPTION OF DRAWINGS

The above and other aspects of the disclosure will become more apparent by the following detailed description of exemplary embodiments thereof with reference to the attached drawings in which:

FIG. 1 presents the main functions that define a keyed homomorphic encryption scheme with publicly verifiable ciphertexts, according to one embodiment of the invention;

FIG. 2 describes the main functions that define a (t; n) threshold keyed homomorphic encryption scheme, according to an embodiment of the invention;

FIG. 3 presents a device that can be used to perform one or several steps of methods disclosed in the present document.

DESCRIPTION OF EMBODIMENTS

At a high level, we take a general approach that can be outlined as follows. We combine the Cramer-Shoup paradigm (described in the article “Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption”, by Ronald Cramer et al., and published in the proceedings of the conference Eurocrypt 2002) for constructing CCA2-secure encryption schemes with publicly verifiable simulation-sound proofs: simulation-soundness (see the article “Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security”, by Amit Sahai, published in the proceedings of the conference FOCS'99) refers to the inability of an adversary to convincingly prove a false statement, even after having observed a polynomial number of proofs for possibly false statements of its choice. Specifically, the construction below uses a variant of the Cramer-Shoup cryptosystem based on the Decision Linear assumption (as depicted in the article “Short Group Signatures”, by D. Boneh et al., published in the proceedings of the conference CRYPTO 2004), where ciphertexts are of the form (C₀, C₁, C₂, C₃)=(M·X₁^θ¹·X₂^θ², f^θ¹, h^θ², g^θ¹^+θ²). This cryptosystem is combined with a technique suggested by Groth (in the article “Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures”, by J. Groth, published in the proceedings of the conference Asiacrypt'06) for constructing efficient simulation-sound non-interactive proofs allowing to convince a verifier that (C₁, C₂, C₃) are correctly formed.

In short, in order to prove a statement in a simulation-sound manner, Groth's technique consists in proving a disjunction of two statements: the prover generates a key pair (SVK,SSK) for a one time signature scheme before in proving that either the statement is true OR the prover knows a valid signature (generated w.r.t. to a public key pk_wincluded in the common reference string, for which no one knows the private key) on the one-time verification key SVK. The one-time private key SSK is then used to create a one-time signature on the overall proof. The construction hereunder uses Waters signatures (described in the article “Efficient Identity-Based Encryption Without Random Oracles”, by B. Waters, published in the proceedings of the conference Eurocrypt 20005) because its verification equation uses linear pairing product equations, which allows for a better efficiency when used in combination with non-interactive proof systems.

The key idea for building a keyed homomorphic cryptosystem from these techniques is to use the simulation-trapdoor of the simulation-sound proof system (which is the private key sk_w, associated with pk_w, in such scheme) as an evaluation key for the homomorphic cryptosystem. This will allow the homomorphic evaluation algorithm to simulate a convincing proof that its output ciphertext is correctly formed without knowing the underlying encryption exponents (which are used to generate a real non-interactive proof in the encryption algorithm). The novelty of the approach is thus to use the simulation trapdoor of the proof system in the real scheme, and not only in the security proof.

In order to make sure that the keyed homomorphic encryption scheme remains secure against non-adaptive chosen-ciphertext attacks (IND-CCA1) if the attacker obtains the evaluation key at the beginning of the attack, the ciphertext comprises a second non-interactive proof of ciphertext validity. In order to be processed by the homomorphic evaluation algorithm, this non-interactive proof must be homomorphic itself. One possibility would be to use Groth-Sahai proofs (see the article “Efficient Non-interactive Proof Systems for Bilinear Groups”, by J. Groth et al. published in the proceedings of the conferenceEurocrypt'08) which are known to be homomorphic. Here, we obtain a better efficiency by using homomorphic proofs derived from linearly homomorphic structure-preserving signatures as described in the article “Linearly Homomorphic Structure-Preserving Signatures and their Applications”, by B. Libert et al., published in the proceedings of the conference Crypto 2013). FIG. 1 presents the main functions that define a keyed homomorphic encryption scheme with publicly verifiable ciphertexts, according to one embodiment of the invention.

The function Keygen(λ), referenced 101, takes as input a security parameter A, and outputs a public key, a private key and an evaluation key. Such function 101 comprises:

- a step of obtaining a bilinear groups (, _T) of prime order p>2^λ and obtaining the followings elements g, f,h x₀, x₁, x₂_p(where the notation s S means that the element s is picked uniformly at random from a set S, and the notation x,y,zS means that the elements x, y, z are picked independently and uniformly at random from the set S) and determining X₁=f^x¹g^x⁰∈, X₂=h^x²g^x⁰∈ , which form a Cramer-Shoup public key;
- a step of initiating the vectors {right arrow over (f)}=(f, 1,g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³;
- a step of obtaining the elements f₁, f₂ and initiating the vectors

${\vec{f}}_{1} = (f_{1}, 1, g), {\vec{f}}_{2} = (1, f_{2}, g), {\vec{f}}_{3} = {\vec{f}}_{1}^{φ_{1}} \cdot {\vec{f}}_{2}^{φ_{2}} \cdot {(1, 1, g)}^{- 1}$

- where Φ₁, Φ₂_pwhich will be used as a perfectly hiding Groth-Sahai CRS (for “Common Reference String”) for the generation of NIWI (for “Non-Interactive Witness Indistinguishable”) arguments;
- a step of obtaining a strongly unforgeable one-time signature Σ=(,S,υ) with verification keys consisting of L-bit strings, for some polynomially bounded L, and corresponds to a key generation algorithm, S corresponds to a signature algorithm and

υ corresponds to a verification algorithm;

- a step of generating a key pair for the one-time linearly homomorphic structure preserving signature scheme (suggested in “Linearly Homomorphic Structure-Preserving Signatures and their Applications”, by B. Libert et al., and published in the proceedings of the conference Crypto 2013) for vectors of dimension n=3. Let pk_ot=(g_z, g_r, h_z, h_u, {g_ih_i}_i=1³) be the public key, and let sk_ot=({χ_i, γ_i, δ_i}_i=1³) be the corresponding private key;
- a step of signing the independent vectors {right arrow over (f)}=(f,1, g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³via the use of the private key sk_ot, that delivers a one-time linearly homomorphic signature {(z_j, r_j, u_j)}_j=1²defined as follows:

(z₁, r¹, u₁)=(f^−χ¹g^−χ³, f^−γ¹g^−γ³, f^−δ¹g^−δ³),

(z₂, r₂, u₂)=(h^−χ²g^−χ³, h^−γ²g^−γ³, h^−δ²g−δ³);

- a step of generating a private key sk_w=Y^xand the corresponding public key pk_w=(X=g^x, Y, w=(w₀, . . . , w_L)) compliant with the Waters signature scheme. For any string τ=τ[1] . . . τ[L] ∈ {0,1}^L, we denote by H_G(τ)=w₀·Π_i=1^Lw_i^τ[i] the corresponding hash value; As mentioned previously, another signature scheme can be used instead of the Waters signature scheme. However, for efficiency issues, the Waters signature scheme should be used due to the fact that: (i) Its security is proved under the Diffie-Hellman assumption which is already implied by the Decision Linear assumption (so, it does not introduce any extra assumption); (ii) Its verification equation is a linear pairing product equation, which gives a shorter OR proof in the final ciphertext;
- a step of outputting a public key which is defined as follows:

PK=(g,{right arrow over (f)},{right arrow over (h)},{right arrow over (f)}₁,{right arrow over (f)}₂,{right arrow over (f)}₃,X₁,X₂, pk_otpk_w,{(z_j, r_j, u_j)}_j=1²)

- a step of outputting an evaluation key SK_h=sk_w=Y^x, and a decryption key

SK_d=(x₀, x₁, x₂).

The function Encrypt(M, PK), referenced 102, takes as input a message M E G and the public key PK (corresponding to the output of the function 101). It outputs a ciphertext that is publicly verifiable.

In order to encrypt a message M ∈ custom-character the function 102 comprises the following steps that must be executed by a device:

- a step of generating a one-time signature key pair (SVK,SSK)←(λ);
- a step of choosing elements θ₁, θ₂_p;
- step of determining the following elements based on the elements θ₁, θ₂and elements comprised in the public key PK:

C
₀
=M·X
₁
^θ
¹
·X
₂
^θ
²
, C
₁
=f
^θ
¹
, C
₂
=h
^θ2
, C
₃
=g
^θ
¹
^+θ
²;

- step of determining a derived one time linearly homomorphic signature (z, r, u) on the vectors (C₁, C₂, C₃) ∈ ³. More precisely, such step does not explicitly use the vectors (C₁, C₂, C₃) ∈ ³, but uses the elements θ₁, θ₂∈ _p, as encryption exponents in the following equations:

z=z
₁
^θ
¹
·z
₂
^θ
²
; r=r
₁
^θ
¹
·r
₂
^θ
²
; u=u
₁
^θ
¹
·u
₂
^θ
²;

- a step of choosing σ₀, σ₁ at random
- a step of generating perfectly hiding commitments using the vectors {right arrow over (f′)}=({right arrow over (f)}₁, {right arrow over (f)}₂, {right arrow over (f)}₃), as a Groth Sahai CRS, such step comprising the generation of commitments {right arrow over (C)}_σ₀, {right arrow over (C)}_Θ₁, {right arrow over (C)}_Θ₂to elements σ₀, Θ₁=g^θ¹and Θ₂=g^θ², respectively; p1 a step of determining a NIWI argument π_ORthat either the following equalities are satisfied

e(C₁,y)=e(f,Θ₁)

e(C₂,g)=e(h,Θ₂) (*)

e(C₃,g)=e(g,Θ₁·Θ₂)

or (σ₀,σ₁) is a valid Waters signature on the one-time verification key SVK, i.e. the following equality stands:

e(σ₀,g^1−γ)=e(X,Y^1−γ.e(H_G(SVK)^1−γ,σ₁);

In the real encryption method, the pair (σ₀, σ₁) does not satisfy the above equality (since it is chosen at random) but the proof of the statement (*) is a real proof. In the homomorphic evaluation algorithm, a simulated proof for a potentially false statement (*) will be obtained by using an actual Waters signature (σ₀, σ₁) as a witness for generating the OR proof π_OR.

To generate π_OR, such step of generating a NIWI argument comprises the following actions: define γ=1 and generate commitments {right arrow over (C)}_Γ_g{right arrow over (,C)}₆₄_f, {right arrow over (C)}_Γ_h, {right arrow over (C)}_Γ_Y, {right arrow over (C)}_Γ_Hto the variables Γ_g=g^γ, Γ_f=f^γ, Γ_h=h^γ, Γ_Y=Y^γand Γ_H= custom-character (SVK)^γ and non interactive proof (π₁, . . . , π₉) for the relations, referenced eq1 to eq 9 respectively):

e(Γ_g,Γ_g)=e(Γ_g,g)

e(Γ_g,f)=e(g,Γ_f)

e(Γ_g,h)=e(g,Γ_h)

e(Γ_g,Y)=e(g,Γ_Y)

e(Γ_g, custom-character (SVK))=e(g,Γ_H)

e(C₁,Γ_g)=e(Γ_f,Θ₁)

e(C₂,Γ_g)=e(Γ_h,Θ₂)

e(C₃.Θ₁⁻¹.Θ₂⁻¹,Γ_g)=1_G_T

e(σ₀,g/Γ_g)=e(X,Y/Γ_Y).e( custom-character (SVK)/Γ_H,σ₁))

The equation eq1 and eq6 to eq9 are quadratic, so that proofs π₁, π₆, π₇,π₈, π₉require 9 group elements each. Equations eq2 to eq5 are linear, so that π₂, π₃, π₄and π₅require 12 group elements altogether. The whole proof π_ORconsists of ({right arrow over (C)}_Γ_g{right arrow over (, C)}_Γ_f, {right arrow over (C)}_Γ_h, {right arrow over (C)}Γ_Y, {right arrow over (C)}_Γ_H, (π₁, . . . . , π₉)) and thus costs 72 group elements;

- a step of generate a one-time signature with the one-time signature private key SSK previously generated:

sig=S(SSK,(C₀,C₁,C₂,C₃,z,r,u, σ₁,{right arrow over (C)}_σ₀,{right arrow over (C)}_Θ₁,{right arrow over (C)}_Θ₂, π_OR));

- a step of outputting the ciphertext:

C=(SVK,C₀, C₁, C₂, C₃,z,r,u, σ₁,{right arrow over (C)}_σ₀,{right arrow over (C)}Θ₁,{right arrow over (C)}Θ₂,π_OR,sig).

The function Ciphertext-Verify(PK,C), referenced 103, is a function that determines from a ciphertext with the same form as the one outputted by the function 102, and the public key PK if a received ciphertext has been generated correctly with function 102 and the given public key PK. Such function returns 1 if and only if sig is a valid one time signature with regards to the verification key SVK and if the element π_ORis a valid proof. In that case, it means that the ciphertext has been obtained through the use of the function 102 and the given public key PK. Otherwise (if the function 103 outputs 0), it means that the ciphertext has not been obtained through the use of the function 102 and the given public key PK.

The function Decrypt(PK, SK_d, C), referenced 104, takes on input the private key SK_d=(x₀, x₁, x₂), the ciphertext C and a public key PK. It outputs the message that was encrypted with the function 102. Such function 104 comprises an execution of the function 103. Indeed, the function 1104 returns ⊥ in the event that Ciphertext-Verify(PK,C)=0. Otherwise, the function 104 performs a step of determining the following element C₀.C₁^−x¹.C₂^−x²C₃^−x⁰from elements comprised in the ciphertext C and the private key SK_d. The element C₀.C₁^−x¹.C₂^−x²C₃^−x⁰corresponds to the message M.

The function Eval(PK, SK_h, C⁽¹⁾, C⁽²⁾), referenced 105, enables to determine a ciphertext from two ciphertexts C⁽¹⁾and C⁽²⁾, the public key PK and an evaluation key SK_h. For reminders, the evaluation key is defined as follows : SK_h=sk_w=Y^x. The function 105 comprises a step of parsing the ciphertexts C^(j)(for each j ∈ {1,2}) as follows:

C^(j)=(SVK^j,C₀^(j),C₁^(j),C₂^(j),C₃^(j),z^(j),r^(j),u^(j),σ₁^(j),{right arrow over (C)}_σ₀^(j),{right arrow over (C)}_Θ₁^(j),{right arrow over (C)}_Θ₂^(j)π_OR^(j),sig^(j))

Moreover, the function 105 comprises:

- a step of determining the elements C₀=Π_j=1²C₀^(j), C₁=Π_j=1²₁^(j), C₂=Π_j=1²C₂^(j)and C₃=Π_j=1²C₃^(j)as well as z=Π_j=1²z^(j), r4=Π_j=1²r^(j)and u=Π^j=1²u^(j);
- a step of generating a new one-time signature key pair (SVK,SSK)←(λ);
- a step of using the private evaluation key SK_h=sk_w=Y^xin order to generate a valid Waters signature (σ₀, σ₁);
- a step of using such Waters signature (σ₀,σ₁) as a witness to generate a NIWI OR proof π_ORthat either e(C₁, g)=e(f, Θ₁); e(C₂,g)=e(h, Θ₂); e(C₃,g)=e(g, Θ₁.Θ₂); or (σ₀,σ₁) is a valid Waters signature on SKV, i.e., e(σ₀, g)=e(X,Y).e((SVK),σ₁)); said proof having the following form π_OR=({right arrow over (C)}_Γ_g,{right arrow over (C)}_Γ_f,{right arrow over (C)}_Γ_h,{right arrow over (C)}_Γ_Y,{right arrow over (C)}_Γ_H, (π₁, . . . , π₉)) and comprising 72 group elements;
- a step of generating a one time signature

sig=S(SSK,(C₀, C₁, C₂, C₃, z,r,u,σ₁,{right arrow over (C)}_σ₀,{right arrow over (C)}_Θ₁,{right arrow over (C)}_Θ₂,π_OR));

- a step of outputting the following ciphertext C=(SVK, C₀, C₁, C₂, C₃, z,r,u,σ₁, {right arrow over (C)}_σ₀, {right arrow over (C)}_Θ₁, {right arrow over (C)}_Θ₂, π_OR, sig).

If the scheme is instantiated using Groth's one-time signature, the whole ciphertext requires 94 group elements. At the 128-bit security level, each ciphertext fits within 5.8 kB.

Such scheme defined that the use of functions 101, 102, 103, 104 and 105 is a keyed homomorphic public key encryption scheme that is secure against chosen-ciphertext attacks (also named KH-CCA secure) and for which ciphertexts are publicly verifiable (that therefore enables to easily define a threshold keyed homomorphic public key encryption scheme). Indeed, with such scheme, no PPT (for “Probabilistic Polynomial Time”) adversary (i.e. a computationally bounded adversary) has a non-negligible advantage in this game:

- 1. The challenger runs the function 101 to obtain a public key PK, a decryption key SK_dand a , homomorphic evaluation key SK_h. He gives the public PK to an adversary A and keeps private both the evaluation key SK_hand the decyption key SK_dto itself. In addition, the challenge initializes a set D as an empty set;
- 2. The adversary A adaptively makes queries to the following oracles:
- Evaluation query: at any time, the adversary A can invoke the evaluation oracle Eval(PK,SK_h,.) (i.e. the function 105) on a pair (C(¹), C(²)) of ciphertexts of its choice. If there exists j ∈ {1,2} such that Ciphertext-Verify(PK, C^{(j )})=0, the algorithm returns ⊥. Otherwise, the oracle Eval(PK,SK_h,.) delivers a ciphertext C←Eval(SK_h, C⁽¹⁾, C⁽²⁾). In addition, if C⁽¹⁾∈ D or C⁽²⁾∈ D, he sets D←D ∪ {C};
- Reveal query: at any time, the adversary A may also decide to corrupt the evaluator by invoking a RevHK oracle on a unique occasion. The oracle responds by returning the evaluation key SK_h, which is no more a secret parameter for the adversary;
- Decryption query: the adversary A can also invoke the decryption oracle on arbitrary ciphertexts C of his choice. If Ciphertext-Verify(PK, C)=0, or if C ∈ D, the oracle returns ⊥. Otherwise, the oracle returns the output of the function Decrypt(PK, SK_d, C);

3. The adversary A chooses two equal-length messages M₀, M₁and obtains a ciphertext C*=Encrypt(PK, M_β) (i.e. the result of the function 102) for some random bit β custom-character {0,1}. In addition, the challenger sets D←D ∪ {C*};

4. Then, the adversary A makes further queries as in step 2 with one additional restriction.

Namely, if the adversary A chooses to obtain the evaluation key SK_h(via a reveal query) at some point, no more decryption query is allowed beyond that point.

5. The adversary A outputs a bit β′ and is deemed successful if β′=β. As usual, the adversary A's advantage is measured as the distance

$Adv (A) = \langle \Pr (β^{'} = β) - \frac{1}{2} \rangle .$

The keyed homomorphic encryption scheme with publicly verifiable ciphertexts described previously relies on the use of non-interactive OR proofs as in a similar CCA-secure cryptosystem suggested by Groth in (“Simulation-Sound NIZK Proofs for a Practical Language and Constant Size Group Signatures”, by Jens Groth, Asiacrypt'06, pp. 444-459). Specifically, the device that uses the function 102 generates a non-interactive proof that either: (i) the ciphertext is well-formed (namely, that the elements (C₁, C₂, C₃) live in a two-dimensional subspace); (ii) or it knows a valid digital signature (for a signature scheme whose public key is part of the receiver's public key) on the one-time verification key SVK or which a one-time signature is generated on the entire ciphertext. In this case, the homomorphic evaluation key SK_hconsists of the private key of the digital signature whose verification key is included in the receiver's public key. For efficiency reasons, the previous scheme was instantiated by using Waters signatures as it makes it possible to work with linear pairing product equations in order to have shorter Groth-Sahai NIWI proofs. Other signature schemes than Waters' could be used for this purpose, but they are likely to incur quadratic pairing-product equations during the verification of OR proofs. When running the homomorphic evaluation algorithm, the evaluator is able to generate a non-interactive proof by generating the OR proof using a valid Waters signature (σ₀, σ₁) as a witness. In contrast, the sender is not able to compute Waters signatures (as he does not have the private key) and always generates the OR proof using the witness (θ₁, θ₂) showing that the ciphertext is well-formed. Consequently, the sender is unable to generate a proof for an invalid ciphertext unless he is able to forge valid Waters signatures. To generate OR proofs, we use a technique which consists in introducing extra binary exponents γ ∈ {0,1}.The NIWI property of these OR proofs guarantees that no one will be able to distinguish proofs generated using the encryption exponents (θ₁, θ₂) as witnesses from proofs generated by the evaluator using a Waters signature (σ₀, σ₁).

The drawback of the previous solution is that it requires relatively large ciphertexts, each of which costs about 90 group elements. To reduce this overhead, another embodiment hereunder builds on the same design principle (notably in that the homomorphic evaluation key consists of the simulation-trapdoor of a simulation-sound non-interactive proof system) but uses a different simulation-sound proof system which is tailored to proving membership in a linear subspaces is depicted. The advantage of this proof system is that it does not require OR proofs and thus provides much shorter non-interactive proofs. Each non-interactive simulation-sound proof consists of a linearly homomorphic structure preserving signature (based on a scheme suggested in the article “Linearly Homomorphic Structure-Preserving Signatures and their Applications”, by B. Libert et al., published in the proceedings of the conference Crypto 2013) and can be seen as a Groth-Sahai-based proof of knowledge of a one-time linearly homomorphic signature.

FIG. 2 describes the main functions that define a (t; n) threshold keyed homomorphic encryption scheme, according to an embodiment of the invention.

The function Keygen(λ, t, n), referenced 201, takes as input a security parameter λand integers t,n ∈ poly(λ) (with 1≦t≦n), where n is the number of decryption servers and t is the decryption threshold (let's remark that when t=n=1, the definition of a threshold keyed homomorphic public key encryption scheme corresponds to the one of a keyed homomorphic public key encryption scheme). It outputs elements (PK, SK_h, VK, SK_d), where PK is the public key, SK_his the homomorphic evaluation key, SK_d=(SK_d,1, . . . , SK_d,n) is a vector of private key shares and VK=(VK₁, . . . , VK_n) is a vector of verification keys. For each i, the decryption server i is given the share (i, SK_d,i). The verification key VK_iwill be used to check the validity of decryption shares generated using SK_d,i. In one embodiment, such function 201 comprises:

- a step of obtaining:
  - bilinear groups (, , _T) of prime order p>2^λ, with an efficient isomorphism Ψ: →;
  - generators f, h , ĝ;
  - elements x₀, x₁, x₂_p;
  - elements X₁=f^x¹g^x⁰∈ , X₂=h^x²g⁰∈ , where g=Ψ(ĝ);
- a step of initiating some vectors as follows: {right arrow over (f)}=(f, 1,g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³;
- a step of obtaining random polynomials P₁[Z], P₂[Z], P[Z] ∈ _p[Z] of degree t-1 such that P₁(0)=x₁, P₂(0)=x₂and P(0)=x₀. For each i ∈ {1, . . . , n}, such step comprises a step of obtaining VK_i=(Y_i,1, Y_i,2) where Y_i,1=f^P¹⁽ⁱ⁾g^P(i)and Y_i,2=h^P_2(i)g^P(i);
- a step of obtaining random elements in the group : {circumflex over (f)}_r,1, {circumflex over (f)}_r,2 and defining vectors

${\vec{f}}_{r, 1} = ({\hat{f}}_{r, 1}, 1, \hat{g}), {\vec{f}}_{r, 2} = (1, {\hat{f}}_{r, 2}, \hat{g}), {\vec{f}}_{r, 3} = {\vec{f}}_{r, 1}^{φ_{1}} \cdot {\vec{f}}_{r, 2}^{φ_{2}} \cdot {(1, 1, \hat{g})}^{- 1}$

where Φ₁, Φ₂ custom-character _p. The vectors {right arrow over (f)}_r,1, {right arrow over (f)}_r,2and {right arrow over (f)}_r,3are used as a Groth-Sahai Common reference string (CRS) for the generation of NIZK proofs showing the validity of decryption shares;

- a step of obtaining a strongly unforgeable one-time signature Σ=(, S, υ) with verification keys consisting of L-bit strings, for some L ∈ poly(λ);
- a step of generating a key pair for the one-time linearly homomorphic structure-preserving signature, as the one described in the section entitled “One-time linearly homomorphic structure-preserving signature”, after the description of the FIG. 3, with n=3. Let pk_ot=(, , , {, , }_i=1³) be the public key, and let sk_ot={(φ_i, θ_i, ω_i)}_i=1³be the corresponding private key;
- a step of generating a one time homomorphic signatures {(Z_j, R_j, U_j)}_j=1²on the vectors {right arrow over (f)}=(f, 1, g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³. These consist of:

(Z₁, R₁, U₁)=(f^−φ¹g^−φ³, f^−θ1g^−θ³, f^{− ω}¹g^{− ω}³);

(Z₂, R₂, U₂)=(h^−φ²g^−φ³, h^−γ²g^−θ³, h^{− ω}¹h^{− ω}³);

- a step of generating Generate a key pair (pk_rand, sk_rand) for the randomizable signature described in the section of the description entitled “randomizable linearly homomorphic structure-preserving signature” after the description of the FIG. 3.

Let pk_rand=(( custom-character , , _T), , , , , {, }_i=1³,{right arrow over ({circumflex over (f)}=({right arrow over ({circumflex over (f)}₁)}, {right arrow over ({circumflex over (f)}₂)}, {{right arrow over ({circumflex over (f)}_3,)}}_i=0^L)) denotes the public key and let sk_rand=({χ_i, γ_i, δ_i}_i=1³) be the corresponding private key. For simplicity, the generation of (pk_rand, sk_rand) can re-use the same (g, ĝ) as in the step of obtaining the generators (in the first step);

- a step of using the key sk_randto generate one-time linearly homomorphic signatures {(z_j, r_j, u_j)}_j=1²on the independent vectors {right arrow over (f)}=(f, 1, g) ∈ ³and {right arrow over (h)}=(1, h, g) ∈ ³. These are obtained as:

(z₁, r₁, u₁)=(f^−χg^−χ³, f^−γ¹g^−γ³, f^−δ¹g^−δ³);

(z₂, r₂, u₂)=(h^−χg^−χ³, h^−γ²g^−γ³, h−δ²g^−δ³);

- a step of outputting the public key defined as follows:

PK=(g, {right arrow over (f)},{right arrow over (h)},{right arrow over (f)}_r,1,{right arrow over (f)}_r,2,{right arrow over (f)}_r,3, X₁,X₂,pk_ot, pk_rand,{(Z_j, R_j,U_j)}_j=1′²{(z_j, r_j, u_j)}_j=1²)

The evaluation key is SK_h=Sk_rand={χ_i, γ_i, δ_i}_i=1³, while the i-th decryption key share is defined to be SK_d,i=(P₁(i), P₂(i), P(i)). The vector of verification keys is VK=(VK₁, . . . , VK_n) where VK_i=for i=1 to n.

The function Encrypt'(PK; M), referenced 202, takes in a public key PK and a plaintext M. It outputs a ciphertext C.

In one embodiment, such function 202 comprises:

- a step of generating a one-time signature key pair (SVK,SSK)→(λ);
- a step of obtaining elements θ₁, θ₂_pand determining the following elements:

C
₀
=M·X
₁
^θ
¹
·X
₂
^θ
²
,C
₁
=f
^θ
¹
,C
₂
=h
^θ
²
,C
₃
=g
^θ
¹
^+θ
²;

- a step of obtaining a derived one time linearly homomorphic signature (Z, R, U) on the vectors (C₁, C₂, C₃) ∈ ³. Namely, such derived signature is obtained by computing:

Z=Z
₁
⁻
¹
·Z
₂
^θ
²
R=R
₁
^θ
¹
·R
₂
^θ
₂
U=U
₁
^θ
¹
·U
₂
^θ
²;

- a step of using the signatures {(z_j,r_j, u_j)}_j=1²from the public key PK to derive another one time linearly homomorphic signature (z, r, u) on (C₁, C₂, C₃). Namely, using the encryption exponents θ₁, θ₂∈ _p, the following elements are determined:

z=z
₁
^θ
¹
·z
₂
^θ
²
r=r
₁
^θ
¹
·r
₂
^θ
²
u=u
₁
^θ
²;

- a step of using SVK=(SVK[1], . . . ,SVK[L]) ∈ {0,1}^Lin order to define the vector {right arrow over (f)}_SVK={right arrow over (f)}_3,0·Π_i=1^L{right arrow over (f)}_3,i^SVK[i] and assemble a Groth Sahai common reference string f_SVK=({right arrow over (f)}₁, {right arrow over (f)}₂, {right arrow over (f)}_SVK), where {right arrow over (f)}_j=Ψ({right arrow over ({circumflex over (f)}_j) for j ∈ {1,2} and {right arrow over (f)}_SVKis obtained in the same way. Then, using f_SVK, generate commitments C_z, C_r, C_uto the components of (z, r, u) ∈ ³along with proofs π₁, π₂as in step 3 of the signing algorithm of the randomizable linearly homomorphic structure preserving signature described in the section of the description entitled “randomizable linearly homomorphic structure-preserving signature” after the description of the FIG. 3). Let (C_z, C_r, C_u, π₁, π₂) ∈ ¹⁵be the resulting signature;
- a step of generating a one-time signature with the private key SSK applied on the element (C₀, C₁C₂, C₃, Z, R, U, C_z, C_r, C_u, π₁, π₂, σ). The resulting one-time signature is =S(SSK, (C₀, C₁, C₂, C₃, Z, R, U, C_z, C_r, C_u, π₁, π₂);
- a step of outputting a ciphertext C=(SVK, C₀, C₁, C₂, C₃, Z, R, U, C_z, C_r, C_u, π₁, π₂, σ).

The function Ciphertext-Verify'(PK, C), referenced 203, takes as input a public key PK and a ciphertext C. It outputs 1 if C is deemed valid with regards to the public key PK, and 0 otherwise. Such function 203 comprises:

- a step of verifying a one-time signature: i.e., determining if V(SVK, (C₀, C₁, C₂, C₃, Z, R, U, C_z, C_r, C_u, π₁, π₂), σ)=1;
- a step of verifying that both (Z, R, U) ∈ ³and (C_z, C_r, C_u, π₁, π₂) ∈¹⁵are valid linearly homomorphic signature of (C₁, C₂, C₃). Namely, they should satisfy the relations 1_G_T=e(Z,Ĝ_z)·e(R, Ĝ_r)·Π_i=1³e(C_i, Ĝ_i) and 1_G_T=e(Z,Ĥ_z)·e(U, Ĥ_u)·Π_i=1³e(C_i, {right arrow over (H)}_i). As well as, if we define {right arrow over ({circumflex over (f)}_SVK)}={right arrow over ({circumflex over (f)}_3,0)}Π_i=1^L{right arrow over ({circumflex over (f)}_3,l)}^SVK[i] the equalities

Π_i=1³E((1_G, 1_G,C_i),ĝ_l)⁻¹=E({right arrow over (C)}_z,{circumflex over (g_z)}).E({right arrow over (C)}_r,{circumflex over (g_r)}).E(π_1,1, {right arrow over ({circumflex over (f)}₁).E(π_1,2,{right arrow over ({circumflex over (f)}₂).E(π_1,3,{right arrow over ({circumflex over (f)}_SVK);

Π_i=1³E((1_G,1_G, C_i),ĥ{circumflex over (h_l)})⁻¹=E({right arrow over (C)}_z,{circumflex over (h_z)}).E({right arrow over (C)}_u,{circumflex over (h_u)}).E(π_2,1, {right arrow over ({circumflex over (f)}₁).E(π_2,2,{right arrow over ({circumflex over (f)}₂).E(π_2,3,{right arrow over ({circumflex over (f)}_SVK).

If these conditions are satisfied, the function 203 returns 1, otherwise, it returns 0.

The function Share-Decrypt(PK, i, SK_d,i, C), referenced 204, takes on input a public key PK, a ciphertext C and a private key share (i, SK_d,i), and outputs a special symbol (i, ⊥) if Ciphertext-Verify'(PK, C)=0, otherwise, it outputs a decryption share μ_i=(i, {circumflex over (μ)}_i).

More precisely, in one embodiment, such function 204 takes on input the private key SK _d,i=(P₁(i), P₂(i), P(i)) ∈ custom-character _p³and C, return (i, ⊥) if Ciphertext-Verify'(PK,C)=0. Otherwise, such function 204 comprises a step of determining the decryption share {circumflex over (μ)}_i=(ν_i, {right arrow over (C)}_P₁, {right arrow over (C)}_P₂, {right arrow over (C)}_P, π_ν_i) which consists of a partial decryption ν_i=C₁^P¹⁽ⁱ⁾·C₂^P²⁽ⁱ⁾·C₃^P(i), commitments {right arrow over (C)}_P₁, {right arrow over (C)}_P₂, {right arrow over (C)}_Pto exponents P₁(i), P₂(i), P(i) ∈ custom-character _pand a proof π_ν_ithat these relations are satisfied:

ν_i=C₁^P¹⁽ⁱ⁾·C₂^P²⁽ⁱ⁾·C₃^P(i), Y_i,1=f^P¹⁽ⁱ⁾g^P(i), Y_i,2=h^P²⁽ⁱ⁾g^P(i).

The commitments {right arrow over (C)}_P¹, {right arrow over (C)}_P², {right arrow over (C)}_Pand the proof π_νⁱare generated using the Groth-Sahai common reference string ({right arrow over (f)}_r,1, {right arrow over (f)}_r,2, {right arrow over (f)}_r,3).

The function Share-Verify(PK, VK_i, C, μ_i), referenced 205, takes as input the public key PK, the verification key VK_i, a ciphertext C and purported decryption share μ_i={circumflex over (μ)}_i). It outputs either 1 or 0. In the former case, μ_iis said to be a valid decryption share. We adopt the convention that (i, ⊥) is an invalid decryption share. In one embodiment, the verification key VK_ihas the following form: Y_i,2) ∈ custom-character ². If {circumflex over (μ)}_i=⊥ or if {circumflex over (μ)}_icannot be parsed properly as (ν_i, {right arrow over (C)}_P¹, {right arrow over (C)}_P₂, {right arrow over (C)}_P, π_μ_i), 0 is returned. Otherwise, if π_ν_iis a valid proof, 1 is returned.

The function Combine(PK, VK, C, {μ_i}_i∈s), referenced 206, takes as input the elements PK, VK, C and a t-subset S ⊂ {1, . . . , n} with decryption shares {μ_i}_i∈s, and outputs either a plaintext M or ⊥ if the set contains invalid decryption shares. Such function 206 comprises a step of parsing the decryption share {circumflex over (μ)}_ias (ν_i, {right arrow over (C)}_P₁, {right arrow over (C)}_P₂, {right arrow over (C)}_P, π_μ_i) for each i ⊂ S, such step returns ⊥ if Share-Verify(PK, VK, C, (i, {circumflex over (μ)}_i))=0. If Share-Verify(PK, VK, C, (i, {circumflex over (μ)}_i))=1 for each i ∈ S the function comprises a further step of determining (by Lagrange interpolation) the following value:

$v = \prod_{i \in S} v_{i}^{Δ_{i, s} (0)} = C_{1}^{x_{1}} \cdot C_{2}^{x_{2}} \cdot C_{3}^{y} = X_{1}^{θ_{1}} \cdot X_{2}^{θ_{2}}$

which allows recovering M=C₀ν.

At last, the function Eval'(PK, SK_h, C⁽¹⁾, C⁽²⁾), referenced 207, is an homomorphic evaluation algorithm. It takes as input the evaluation key SK_hand two distinct ciphertexts C⁽¹⁾and C⁽²⁾. If there exists j ∈ {1,2} such that Ciphertext-Verify'(PK, C^(j))=0, the algorithm returns ⊥. Otherwise, it conducts a binary homomorphic operation over C⁽¹⁾and C⁽²⁾and outputs a ciphertext C.

More precisely, in one embodiment of the invention, such function 207 comprises:

- a step of parsing SK_has {χ_i, γ_i, δ_i}_i=1³and for each j ∈ {1,2}, parsing C^(j)as:

C
^(j)=(SVK^j, C₀^(j), C₁^(j), C₂^(j), C₃^(j), Z^(j), R^(j), U^(j), C_z^(j), C_r^(j), C_u^(j)^(j), π₁^(j), π₂^(j), σ^(j));

- a step of determining the elements C₀=Π_j=1²C₀^(j), C₁=Π_j=1²C₁^(j), C₂=Π_j=1²C₂^(j)and C₃=Π_j=1²c₃^(j)as well as Z=C₀=Π_j=1²Z^(j), R=Π_j=1²R^(j)and U=Π_j=1²U^(j);
- a step of generating a new one-time signature key pair (SVK,SSK)←(λ);
- a step of using the private evaluation key SK_h={χ_i, γ_i, δ_i}_i=1³in order to generate a linearly homomorphic signature on {right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_u, {right arrow over (π₁)}, {right arrow over (π₂)} on the vector (C₁, C₂, C₃) using a randomizable linearly homomorphic structure-preserving signature (as the one described in the section of the description after the description of the FIG. 3) for the file identifier SVK;
- a step of outputting the derived ciphertext (SVK, C₀, C₁, C₂, C₃, Z, R, U, {right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_u, {right arrow over (π₁)}, {right arrow over (π₂)}σ) where σ=S (SSK, (C₀, C₁, C₂, C₃, Z, R, U, {right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_u, {right arrow over (π₁)}, {right arrow over (π₂)})).

If such scheme is instantiated using Groth's discrete-logarithm-based one-time signature as described in the article “Simulation-sound NIZK proofs for a practical language and constant size group signatures” by Groth and published in the proceedings of the conference Asiacrypt 2006, the ciphertext consists of 26 elements of custom-character and one element of _p. It can be proven that the KH-CCA security of the scheme assuming that Σ is a strongly unforgeable one-time signature and that the DLIN assumption (i.e. the Decision Linear Problem assumption) holds in and . The security proof stands in the standard model and does not rely on random oracles.

Let's remark that the above syntax generalizes that of ordinary threshold cryptosystems. By setting SK_h=E and discarding the evaluation algorithm, we obtain the definition of a threshold encryption system.

The threshold keyed-homomorphic public-key cryptosystem disclosed in FIG. 2 is secure against chosen ciphertext attacks (or KH-CCA secure). Indeed, no PPT adversary has noticeable advantage in this game:

- 1. The challenger runs Keygen(λ; t; n) to obtain a public key PK, a vector of decryption key shares SK_d=(SK_d,1, . . . , SK_d,n) and a, homomorphic evaluation key SK_h. It gives PK and keeps (SK_h; SK_d) to itself. In addition, the challenge initializes a set D as an empty set;
- 2. The adversary A adaptively makes queries to the following oracles on a polynomial number of occasions:
  - Corruption query: at any time, the adversary A may decide to corrupt a server. To this end, it specifies an index i ∈ {1, . . . , n} and obtains the private key share
  - Evaluation query: at any time, the adversary A can invoke the evaluation oracle Evalλ(SK_h,.) on a pair (C⁽¹⁾, C⁽²⁾) of ciphertexts of its choice. If there exists j ∈ {1,2} such that Ciphertext-Verify'(PK, C_(j))=0, the algorithm returns ⊥. Otherwise, the oracle Eval(SK_h,.) computes C←Eval(SK_h, C⁽¹⁾, C⁽²⁾) and returns C. In addition, if C⁽¹⁾) ∈ D or C⁽²⁾∈ D, it sets D←D ∪ U {C}.
  - Reveal query: at any time, the adversary A may also decide to corrupt the evaluator by invoking the RevHK oracle on a unique occasion. The oracle responds by returning SK_h.
  - Decryption query: the adversary A can also invoke the partial decryption oracle on arbitrary ciphertexts C and indexes i E ∈ {1, . . . , n}. If Ciphertext-Verify'(PK, C)=0, or if C ∈ D , the oracle returns ⊥. Otherwise, the oracle returns the decryption share μ_i←Share-Decrypt(PK, i, SK_d,i, C);
- 3. The adversary A chooses two equal-length messages M₀, M₁and obtains a ciphertext C*=Encrypt'(PK, M_β) for some random bit β {0,1}. In addition, the challenger sets D←D ∪ U {C*};
- 4. The adversary A makes further queries as in step 2 with some restrictions. Namely, the adversary A cannot corrupt more than t-1 servers throughout the entire game. Moreover, if the adversary A chooses to obtain SK_h(via the RevHK oracle) at some point, no more decryption query is allowed beyond that point;
- 5. The adversary A outputs a bit β′ and is deemed successful if β′=β. As usual, adversary A's advantage is measured as the distance

$Adv (A) = \langle \Pr (β^{'} = β) - \frac{1}{2} \rangle .$

Again, if we set SK_h=∈ and remove the Eval and RevHK oracles, we obtain a definition of chosen-ciphertext security for classical threshold cryptosystems. It is important to note that, even if the adversary A chooses to obtain SK_himmediately after having seen the public key PK it still has access to the decryption oracle before the challenge phase. In other words, the scheme should remain IND-CCA1 (i.e. secure against non-adaptive chosen ciphertext attacks, where the adversary has no access to decryption oracles beyond the challenge phase) if the adversary A is given PK and SK_hat the outset of the game.

The schemes depicted in the FIGS. 1 and 2 prevent an adversary to obtain information by invoking the decryption oracle on invalid ciphertexts either before or after post challenge decryption queries.

Such schemes rely on the three following features:

- (a) The use of a derived signature (z, r, u) on the vectors (C₁, C₂, C₃) ∈ ³obtained from the execution of the function 102 and comprised in the ciphertext (in the first embodiment), and of a derived signature (Z, R, U) on the vectors (C₁, C₂, C₃) ∈ ³obtained from the execution of the function 202 and comprised in the ciphertext (in the first embodiment). Such derived signature serves as publicly verifiable evidence that elements (f, g, h, C₁, C₂, C₃) has the right form; The second derived signature (Z, R, U) can be seen as a homomorphic proof that (C₁, C₂, C₃) ∈ ³are well-formed and it allows retaining CCA1 security when the evaluation key is compromised
- (b) The use of a simulation-sound proof that (C₁, C₂, C₃) ∈ G³is well-formed.

This proof (C_z,C_r, C_u, π₁, π₂) ∈ custom-character ¹⁵consists of commitments to group elements (z, r, u) that are obtained as functions of private random values θ₁, θ₂, and proofs associated to these commitments. This simulation-sound proof can be viewed as an additional homomorphic signature comprised in the ciphertext. In the first embodiment, this simulation-sound proof is obtained as a set of elements σ₁, {right arrow over (C)}_σ₀, {right arrow over (C)}_Θ₁, {right arrow over (C)}_Θ₂and π_OR. In the second embodiment, it corresponds to the determination of another derived signature on the vectors (C₁, C₂, C₃) ∈ custom-character ³, i.e. the signature (z, r, u), the generation of commitments C_z, C_r, C_uto the components of (z, r, u) ∈ ³along with proofs π₁,π₂. In such embodiment, additional signature corresponds to (C_z, C_r, C_u,π₁,π₂) ∈¹⁵;

- (c) The generation and the use of a one time key pair (the pair (SVK , SSK) in the first embodiment and in the second embodiment) in order to sign the concatenation of the elements (C₀C₁, C₂, C₃) with the derived signature mentioned at point (a) and the additional signature mentioned at point (b). The ciphertext then comprises the signature obtained at point (c), the verification key SVK and the signed elements (i.e. the previously mentioned concatenation).

Let's remark that the new simulation-sound non-interactive proof based on homomorphic signatures can be used in other constructions. In the second embodiment, it was used in combination with the Cramer-Shoup encryption paradigm. Alternatively, it can be used in the Naor-Yung encryption paradigm (described in the article “Public-key Cryptosystems Provably Secure against Chosen Ciphertext Attacks”by M. Naor et al., published in the proceedings of the conference STOC 1990,) and its refinement suggested by Sahai described in the article “Non-Malleable Non-Interactive Zero Knowledge and Adaptive Chosen-Ciphertext Security”, published in the proceedings of the conference FOCS 1999). In its basic form, the Naor-Yung technique consists in encrypting the same message under two distinct public keys and appending a non-interactive proof of plaintext equality. Sahai showed that, if the underlying proof system is simulation-sound, the resulting cryptosystem is secure against adaptive chosen-ciphertext attacks (IND-CCA2). The new unbounded simulation-sound proof system can be used for this purpose because, in the El-gamal and Boneh-Boyen-Shacham encryption schemes, the equality of two encrypted plaintexts can be expressed in termed of membership (of a vector of group elements obtained by dividing the two ciphertexts) in a linear subspace. The described embodiments in the present document rather uses the Cramer-Shoup paradigm because it yields shorter ciphertexts and, in the threshold setting, it makes it easier to prove security against adaptive corruptions (as pointed out in the article “Non-Interactive CCA2-Secure Threshold Cryptosystems with Adaptive Security: New Framework and Constructions” by B. Libert, published in the proceedings of the conference, TCC 2012). However, one skilled in the art could adapt the presented embodiments from the teachings of the present document.

FIG. 3 presents a device that can be used to perform one or several steps of methods disclosed in the present document.

Such device referenced 300 comprises a computing unit (for example a CPU, for “Central Processing Unit”), referenced 301, and one or several memory units (for example a RAM (for “Random Access Memory”) block in which intermediate results can be stored temporarily during the execution of instructions a computer program, or a ROM block in which, among other things, computer programs are stored, or an EEPROM (“Electrically-Erasable Programmable Read-Only Memory”) block, or a flash block) referenced 302. Computer programs are made of instructions that can be executed by the computing unit. Such device 300 can also comprise a dedicated unit, referenced 303, constituting an input-output interface to allow the device 300 to communicate with other devices. In particular, this dedicated unit 303 can be connected with an antenna (in order to perform communication without contacts), or with serial ports (to carry communications “contact”). Let's remark that the arrows in FIG. 3 means that the linked units can exchange data through buses for example together.

In an alternative embodiment, some or all of the steps of the method previously described, can be implemented in hardware in a programmable FPGA (“Field Programmable Gate Array”) component or ASIC (“Application-Specific Integrated Circuit”) component.

In an alternative embodiment, some or all of the steps of the method previously described, can be executed on an electronic device comprising memory units and processing units as the one disclosed in the FIG. 3.

A One-Time Linearly Homomorphic Structure-Preserving Signatures

A one-time linearly homomorphic signature scheme is a scheme where messages and signatures only consist of group elements (here, “one time” means that only one linear subspace can be signed using a private key). The security of such scheme can be proven under an assumption which is implied by the DLIN assumption.

A one-time linearly homomorphic structure-preserving signature scheme is defined by a set of algorithms functions defined as follows:

Keygen(λ, n): given a security parameter λ, and the dimension n ∈ custom-character of the subspace to be signed, choose bilinear group (, , _T) of prime order p>2^λ. Then, conduct the following steps.

1. Choose custom-character , , ,

2. For i=1 to n, pick χ_i, γ_i, δ_i custom-character _p* and compute group elements ĝ_l=^χi·^γiand ĥ_l=^χi·^γi;

The private key is sk=({χ_i,γ_i, δ_i}_i=1ⁿ) while the public key consists of pk=( custom-character , , ,{ĝ_l, }_i=1ⁿ).

Sign(sk, τ, (M₁, . . . , M_n): to sign a vector (M₁, . . . , M_n) ∈ custom-character ⁿwith regards to the file identifier τ using sk=({χ_i, γ_i, δ_i}_i=1ⁿ), compute and output σ=(z, r, u) ∈ ³where

z=Π_i=^lM_i^−χⁱ, r=Π_i=1^lM_i^−γⁱand u=Π_i=1^lM_i^−δi.

SignDerive (pk, τ, ({ω_i, σ_i}_i=1^l)): given pk, an identifier τ and l uplet (ω_i, σ_i), parse σ_ias σ_i=(z_i, r_i, u_i)) ∈ custom-character ³for i=1 to l. Then, compute and return=(z, r, u) ∈ ³, where z=Π_i=1_lz_i^ωⁱ, r= 529_i=1^lr_i^ωⁱr=and u=Π_i=1^lu_i^ωⁱ.

Verify(pk, σ, τ, (M₁, . . . , M_n): given a signature σ=(z, r, u) ∈ custom-character ³, a file identifier τ and a vector (M₁, . . . , M_n), return 1 if and only if (M₁, . . . , M_n)≠(1, . . . , 1) and (z, r, u) satisfy

1 custom-character _T=e(z,).e(r,).Π_i=1ⁿe(M_i,{right arrow over (g)}_l) and

1 custom-character _T=e(z,).e(r,).Π_i=1ⁿe(M_i,).

A Randomizable Linearly Homomorphic Structure Preserving Signature

This section describes a randomizable linearly homomorphic structure-preserving signature scheme. Compared to the known original scheme, there is one slight modification: while the original scheme uses symmetric pairings, the description below allows for asymmetric pairing configurations ( custom-character , , _T) of Type II. Namely, we assume the availability of an efficiently computable isomorphism Ψ: →. The reason is that the security proof would require a less standard assumption than SXDLIN in Type III configurations. In this construction, each signature basically consists of a NIWI proof of knowledge of a one-time signature. This proof of knowledge is generated on a Groth-Sahai CRS ({right arrow over (f)}₁, {right arrow over (f)}₂, {right arrow over (f)}_τ) that depends on the tag τ that identifies the dataset which is being signed. In the following, for any vectors {right arrow over (f)}={circumflex over (f)}₁, {right arrow over (f)}₂, {right arrow over (f)}₃) and {right arrow over (g)}=g₂, g₃), we define the notations E (g, {right arrow over (f)})=(e(g, {circumflex over (f)}₁), e(g, {right arrow over (f)}₂), e(g, {circumflex over (f)}₃)) and E({right arrow over (g)}, f)=(e(g₁, f), e(g₂, f), e(g₃, f)).

Keygen(λ, n): given a security parameter λ and the dimension n ∈ N of the subspace to be signed, choose bilinear group ( custom-character , , _T) of prime order p>^λ with an efficient isomorphism Ψ: →. Then, conduct the following steps:

- Choose generators ĝand determine g=Ψ(ĝ);
- Choose ĥ_u, α_z, α_r, β_z_p* and define ĝ_z=ĥ_u^α^z, ĝ_r=ĥ_u^α^r, ĥ_r, {right arrow over (h)}_z=ĥ_u^βz
- For i=1 to n, pick random χ_i, γ_i, δ_i^R→_pn* and compute group elements ĝ_i=ĝ_z^χⁱ.ĝ_r^γⁱ, ĥ_i=ĥ_z^χⁱ.ĥ_u^δⁱ.
- Generate L+1 Groth Sahai common reference strings. To this end, choose {circumflex over (f)}₁, {circumflex over (f)}₂ and define vectors {right arrow over ({circumflex over (f)}₁)}=({circumflex over (f)}₁, 1, ĝ) ∈ ³, {right arrow over ({circumflex over (f)}₂)}=(1, {circumflex over (f)}₂, ĝ) ∈ ³.
- Then, pick {right arrow over ({circumflex over (f)}_3,i³i=0 to L.

The public key consists of PK=(( custom-character , , _T), ĝ_z, ĝ_r, ĥ_z, ĥ_u, {ĝ_iĥ_i,}_i=1ⁿ, {right arrow over ({circumflex over (f)}=({right arrow over ({circumflex over (f)}₁)}, {right arrow over ({circumflex over (f)}₂)}, {{right arrow over ({circumflex over (f)}_3,i}_i=0^L)), while the private key is sk=(Ψ(ĥ_z)^α^r, {χ_i, γ_i, δ_i}_i=1ⁿ). Sign(sk, τ, (M₁, . . . , M_n): to sign a vector (M₁, . . . , M_n) ∈ custom-character ⁿwith the file identifier τ using sk=(Ψ(ĥ_z)^α^r, {χ_i, γ_i, δ_i}_i=1ⁿ), conduct the following steps:

- 1. Choose θ _pand determine the following elements z, r and u as follows:

z=Ψ(ĝ_r)^θΠ_i=1^lM_i^−χⁱ,r=Ψ(ĝ_z)^−θΠ_i=1^lM_i^−γⁱand u=Ψ(ĥ_z)^−θα^rΠ_i=1^lM_i^−δⁱ.

- 2. Using the bits of the file identifier τ=(τ[1], . . . , τ[L]) ∈ {0,1}^L, define the vector {right arrow over (f)}_τ={right arrow over (f)}_3,0.Π_i=1^L{right arrow over (f)}_3,i^τ[i] and assemble a Groth Sahai common reference string f_τ=({right arrow over (f)}₁, {right arrow over (f)}₂, {right arrow over (f)}_τ), where {right arrow over (f)}_j=Ψ({right arrow over ({circumflex over (f)}_j) for j ∈ {1,2} and {right arrow over (f)}_3,k=Ψ({right arrow over ({circumflex over (f)}_3,i) for k ∈ {0, . . . , L}.
- 3. Then, using f_τ, generate Groth Sahai commitments {right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_uto the components of (z, r, u) ∈ ³along with proofs π₁, π₂as follows: {right arrow over (C)}_z=(1, 1, z).{right arrow over (f)}₁^ν^z,1{right arrow over (f)}₂^ν^z,2. {right arrow over (f)}₃^ν^z,3, {right arrow over (C)}_r=(, , r).{right arrow over (f)}₁^ν^r,1{right arrow over (f)}₂^ν^r,3and Ĉ_u=(, , u).{right arrow over (f)}₁^ν^u,1{right arrow over (f)}₂^ν^u,2.{right arrow over (f)}₃^ν^u,3. Then generate a NIWI proofs {right arrow over (π)}₁=(π_1,1, π_1,2, π_1,3) ∈ ³and {right arrow over (π)}₂=(π_2,1, π_2,2, π_2,3) ∈ ³that (z, r, u) satisfy the equations 1_T=e(z, ĝ_z).e(r,ĝ_r).√_i=1ⁿe(M_i, ĝ_i) and 1_G_T=e(z, ĥ_z).e(u, ĥ_u). Π_i=1ⁿe(M_i,ĥ_i).

These proofs are obtained as

{right arrow over (π)}₁=(Ψ(ĝ_z)^−ν^z,1.Ψ(ĝ_r)^−ν_r,1, Ψ(ĝ_z)^−ν^z,2.Ψ(ĝ_r)^−ν^r,2,Ψ(ĝ_z)^−ν^z,3.Ψ(ĝ_r)^−ν^r,3);

{right arrow over (π)}₂=(Ψ(ĥ_z)^−ν^z,1.Ψ(ĥ_u)^−ν^u,1, Ψ(ĥ_z)^−ν^z,2.Ψ(ĥ_u)^−ν_u,2,Ψ(ĥ_z)^−ν^z,3.Ψ(ĥ_u)^−ν^u,3);

and satisfy the verification equations

Π_i=1ⁿE(( custom-character ,, M_i),ĝ_i)⁻¹=E({right arrow over (C)}_z,ĝ_z).E({right arrow over (C)}_r, {right arrow over (g)}_r).E(π_1,1,{right arrow over ({circumflex over (f)}₁).E(π_1,2,{right arrow over ({circumflex over (f)}₂).E(π_1,3,{right arrow over ({circumflex over (f)}_τ)

and

Π_i=1ⁿE(( custom-character ,,M_i),ĥ_i)⁻¹=E({right arrow over (C)}_z,ĥ_z).E({right arrow over (C)}_u,ĥ_u).E(π_2,1,{right arrow over ({circumflex over (f)}₁)}).E(π_2,2,{right arrow over ({circumflex over (f)}₂)}).E(π_2,3,{right arrow over ({circumflex over (f)}_τ)})

The signature consists of σ=({right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_u, {right arrow over (π)}₁, {right arrow over (π)}₂) ∈ custom-character ¹⁵. SignDerive (pk, τ, ({ω_i,σ_i}_i=1^l)): given pk, an identifier τ and l uplet (ω_i, σ_i), parse σ_ias σ_i=({right arrow over (C)}_z,i, {right arrow over (C)}_r,i, {right arrow over (C)}_u,i, {right arrow over (π)}_1,i, {right arrow over (π)}_2,i)) ∈ ¹⁵for i =1 to l. Then, compute the elements

{right arrow over (C)}_z=Π_i=1^l{right arrow over (C)}_z,i^ωⁱ, {right arrow over (C)}_r=Π_i=1^l{right arrow over (C)}_r,i^ωⁱ, {right arrow over (C)}_u=Π_i=1^l{right arrow over (C)}_u,i^ωⁱ, {right arrow over (π)}₁=Π=1^l{right arrow over (π)}_1,i^ωⁱand, {right arrow over (π)}₂=Π_i=1^l{right arrow over (π)}_2,i^ωⁱ.

Then, re-randomize the above commitments and proofs and return the re-randomized values of σ=({right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_u, {right arrow over (π)}₁, {right arrow over (π)}₂).

Verify(pk, σ, τ, (M₁, . . . , M_n)): given a purported signature σ=(z, r, u) ∈ custom-character ³, a file identifier and a message (M₁, . . . , M_n), parse σ as ({right arrow over (C)}_z, {right arrow over (C)}_r, {right arrow over (C)}_u, {right arrow over (π)}₁, {right arrow over (π)}₂). Return 1 if and only if (M₁, . . . , ≠(, . . . , ) and (z, r, u) satisfy the equations

Π_i=1ⁿE(( custom-character , ,M_i),ĝ_i)⁻¹=E({right arrow over (C)}_z,ĝ_z).E({right arrow over (C)}_r,ĝ_r).E(π_1,1,{right arrow over ({circumflex over (f)}₁)}).E(π_1,2,{right arrow over ({circumflex over (f)}₂)}).E(π_1,3,{right arrow over ({circumflex over (f)}_τ)}) and

Π_i=1ⁿE(( custom-character ,,M_i),ĥ_i)⁻¹E({right arrow over (C)}_z,{right arrow over (h)}_z).E({right arrow over (C)}_z).E({right arrow over (C)}_u,ĥ_u).E(π_2,1,{right arrow over ({circumflex over (f)}₁)}).E(π_2,2,{right arrow over ({circumflex over (f)}₂)}).E(π_2,3,{right arrow over ({circumflex over (f)}_τ)}).

We remark that the above scheme can be simplified by setting 0=0, in the signing algorithm: since all non-interactive proofs are generated for a perfectly NIWI Groth-Sahai CRS, this modification does not affect the distribution of signatures. In this case, the private key component Ψ(ĥ_z)^α^ris no longer necessary. Such simplification is used in the second embodiment of the invention.

METHOD FOR CIPHERING A MESSAGE VIA A KEYED HOMOMORPHIC ENCRYPTION FUNCTION, CORRESPONDING ELECTRONIC DEVICE AND COMPUTER PROGRAM PRODUCT

Information

Publication Number

Date Filed

Date Published

Inventors

Original Assignees

CPC

US Classifications

International Classifications

Abstract

Description

Claims

Priority Claims (1)