Malleable Encryption - Computerphile

Multiplication and Addition: A Similar Connection

In homomorphic encryption, multiplication and addition turn out to be closely related. Multiplying two powers of the same base adds their exponents: if we take some number G, raise it to the power 42, and multiply the result by G raised to the power 12, we get G^42 * G^12 = G^(42+12) = G^54. A scheme that only lets us multiply ciphertexts can therefore be used to add values, as long as the values are carried in the exponent.

The Implications of Small Exponents

There is a caveat. Recovering x from G^x for a general value of x is computationally hard, which is what the encryption relies on. But if the exponent is known to be small (54 is very small for a computer), we can compute the first 100 powers G^0, G^1, and so on in advance and store them in a table. Given G^54, we look it up in the table and read off 54 without ever computing a logarithm.

Homomorphic Encryption for Voting Schemes

One of the most significant applications of homomorphic encryption is in secure voting systems. Here individual votes must stay confidential while the tally can still be computed. Each voter encrypts either G^1 or G^0, depending on whether they vote yes or no. Multiplying all the encrypted votes together gives an encryption of G raised to the number of yes votes, without revealing any individual vote. A central authority who knows the decryption key 'd' raises that product to the power d, obtains G^k, and looks it up in the table to learn that there were k yes votes.

However, using RSA for this voting scheme poses a problem. The homomorphic tally works, but the votes are not confidential, because RSA as used here is deterministic: the same message always encrypts to the same ciphertext. Since there are only two possible messages (G^0 or G^1), anyone can quickly learn both ciphertexts and tell who voted yes or no by looking at each ballot. This property is known as deterministic encryption.
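The tally and the leak described in this section, as an added example that is not code from the video. The key is built from two small Mersenne primes and the 61-yes/39-no ballot set is constructed for the demonstration; the function names are hypothetical.

```python
import random

# Constructed toy parameters (two Mersenne primes); far too small for real use.
P, Q = 2**61 - 1, 2**89 - 1
N, E = P * Q, 65537                  # public key (modulus n, exponent e)
D = pow(E, -1, (P - 1) * (Q - 1))    # private key d, held by the authority
G = 2                                # agreed base: yes = G^1, no = G^0


def encrypt_vote(yes):
    """Textbook RSA without padding: c = (G^vote)^e mod n."""
    return pow(pow(G, 1 if yes else 0, N), E, N)


def combine(ballots):
    """Anyone can multiply the ciphertexts; the plaintext exponents add up."""
    product = 1
    for c in ballots:
        product = (product * c) % N
    return product


def tally(product, max_voters):
    """The authority decrypts once, then finds the exponent by table lookup."""
    table = {pow(G, k, N): k for k in range(max_voters + 1)}
    return table[pow(product, D, N)]


def observer_reads_ballots(ballots):
    """No private key involved: only two ciphertexts can occur, so compare
    each ballot against the 'yes' ciphertext computed from public values."""
    yes_ct = encrypt_vote(True)
    return [c == yes_ct for c in ballots]


# Constructed sample election: 100 voters, 61 of them vote yes.
VOTES = [True] * 61 + [False] * 39
random.Random(2024).shuffle(VOTES)
BALLOTS = [encrypt_vote(v) for v in VOTES]

if __name__ == "__main__":
    print("yes votes:", tally(combine(BALLOTS), len(VOTES)))
    print("distinct ciphertexts on the wire:", len(set(BALLOTS)))
    print("every ballot read by an observer:",
          observer_reads_ballots(BALLOTS) == VOTES)
```

The count comes out correctly, yet the whole election produces only two distinct ciphertexts, which is the confidentiality failure the section describes.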

Deterministic Encryption vs. Non-Deterministic Schemes

There are homomorphic schemes that are not deterministic. The most famous one is ElGamal: using ElGamal instead of RSA fixes the voting protocol for this problem. Another example is the Paillier cryptosystem, which makes things even easier because multiplying ciphertexts adds the plaintexts.

The Paillier Cryptosystem: A Simplified Approach

The Paillier cryptosystem offers a more streamlined approach. Multiplying two ciphertexts yields an encryption of the sum of the plaintexts, so the tally comes out of decryption directly and the table-lookup trick with the logarithm is not needed.
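The two non-deterministic alternatives from the last two sections, run side by side on the same ballots. This is an added example, not code from the video: the parameters are toy-sized, the ballots are constructed, all names are hypothetical, and the ElGamal variant shown is the one that carries the vote in the exponent.

```python
import secrets

VOTES = [1, 0, 1, 1, 0, 1, 0, 1]      # constructed sample ballots (5 yes)

# --- ElGamal with the vote in the exponent (toy group, not a secure size) ---
EG_P = 2**127 - 1                      # Mersenne prime modulus
EG_G = 3                               # base; vote v is encoded as EG_G**v
EG_X = secrets.randbelow(EG_P - 2) + 1 # private key
EG_H = pow(EG_G, EG_X, EG_P)           # public key


def eg_encrypt(vote):
    r = secrets.randbelow(EG_P - 2) + 1            # fresh randomness per ballot
    return (pow(EG_G, r, EG_P),
            pow(EG_G, vote, EG_P) * pow(EG_H, r, EG_P) % EG_P)


def eg_combine(ballots):
    a = b = 1
    for c1, c2 in ballots:                         # component-wise product
        a, b = a * c1 % EG_P, b * c2 % EG_P
    return a, b


def eg_tally(ct, max_voters):
    c1, c2 = ct
    g_sum = c2 * pow(c1, -EG_X, EG_P) % EG_P       # = EG_G**(number of yes votes)
    table = {pow(EG_G, k, EG_P): k for k in range(max_voters + 1)}
    return table[g_sum]                            # still needs the table lookup


# --- Paillier with g = n + 1 (toy modulus, not a secure size) ---
PA_P, PA_Q = 2**61 - 1, 2**89 - 1
PA_N = PA_P * PA_Q                                 # public key
PA_N2 = PA_N * PA_N
PA_PHI = (PA_P - 1) * (PA_Q - 1)                   # private (phi used in place of lambda)
PA_MU = pow(PA_PHI, -1, PA_N)                      # private


def pa_encrypt(vote):
    r = secrets.randbelow(PA_N - 1) + 1            # fresh randomness per ballot
    return (1 + vote * PA_N) * pow(r, PA_N, PA_N2) % PA_N2


def pa_combine(ballots):
    product = 1
    for c in ballots:                              # multiplying ciphertexts ...
        product = product * c % PA_N2
    return product


def pa_tally(ct):
    # ... adds plaintexts: decryption returns the sum itself, no table needed.
    return (pow(ct, PA_PHI, PA_N2) - 1) // PA_N * PA_MU % PA_N


if __name__ == "__main__":
    print("ElGamal tally :", eg_tally(eg_combine([eg_encrypt(v) for v in VOTES]), len(VOTES)))
    print("Paillier tally:", pa_tally(pa_combine([pa_encrypt(v) for v in VOTES])))
    print("two 'yes' ballots identical?", eg_encrypt(1) == eg_encrypt(1))
```

Unlike the RSA ballots, two encryptions of the same vote differ here, so an observer can no longer match ballots against a precomputed yes or no ciphertext.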

The Importance of Collaboration

In exploring homomorphic encryption, it's essential to recognize the importance of collaboration between researchers and developers. When working together, they can identify potential vulnerabilities and develop solutions that improve the security and usability of these systems. For instance, the confidentiality problem in the RSA voting example is fixed by using ElGamal instead of RSA.

The Future of Homomorphic Encryption

As research in homomorphic encryption continues to evolve, we can expect to see new applications and improvements in existing ones. By pushing the boundaries of what is possible with this technology, we can create more efficient, secure, and accessible systems for various applications. The development of deterministic encryption schemes like RSA has provided a foundation for these advancements, but ongoing research will be necessary to overcome the limitations of current systems.

"So what are we going to be looking at today then, Tim? Uh, malleable encryption. Problem is, it's not you, the encryptor, that can change it, but it's actually anyone, including the attacker. Malleable encryption, on the face of it, is, is a bad thing, right? Um, I'm going to go through some examples of malleable encryption, um, and, and you can imagine why an attacker might want to do it.

Um, now, I don't know if you've ever heard of a something called a one-time pad? Yes, that's, this is where you have a set of supposedly random things that you can then XOR or whatever with the, with the message, is that right? That's exactly right. So you, you have a bit string that is the same length as the data that you want to encrypt, and the other person on the other side is aware of the same one-time pad, and they will use it as well and they will get the original message out. And sometimes this is described as being the perfect encryption, but the problem is that it's malleable.

So let's say that you, every day, the first thing you do when you go into the office is you're logging into a particular website and you're entering, um, your password. It may use something called a, a stream cipher, um, and a stream cipher, um, uses a, a pseudo-random bit string, um, for one-time pad. So we have a key, you and I, that we agree on beforehand. It's symmetric encryption, so it's the same key for both of us. Um, let's call it key K, and it goes into a box. Now there's also something called an initialization vector, that's not very important right now, um, but what it does is it outputs a bit string, let's call it B, and it will look something like, uh, 0 1 1 0 1, it's a random bit string, etc. Now we have the plain text, which is also a bit string, uh, which in this case was the website that you visit that morning, uh, so let's say that it's 1 1 0 1 1, right? Now we, uh, take this bit string and we pretend that it is actually random. There's no issues now with, with doing that; there can be issues, other attacks that are based on the fact that it's not actually random, but for now let's assume that it's actually random. Um, and what we do is we XOR all the bits one by one: 0 and 1 is 1, 1 and 1 is 0, 1 and 0 is 1, 0 and 1 is 1, 1 and 1 again is 0, and we keep doing that for the entire string.

Now you get your website, you enter your password, and on the website there will be a field somewhere that tells you where the data is sent, right? You're sending your password to a particular location. Um, but I'm the attacker and I want your password, so if I can change that value, the location where you're sending it, which is just a part of the web page, I win. So let's say that you want to send it to your bank. Um, who are you banking with? Uh, Santander. Santander. Well, I created a fake website called Salamander, and if I can get you to submit your password to Salamander instead of Santander, I win, right? So then I know what the website should look like, and somewhere in there there will be like a form with a submit field. So let's say that it's just two bits different, right? I, I was cheeky, I just made sure that it was two bits different. All I need to do is flip those two bits. I know what the web page looks like and I know what the location of that bit is, if I can intercept the cipher text.

So this is the plain text M, this is the bit string that we use to encrypt, and this is the resulting cipher text. Now let's say that it is this bit that I want to alter in the message, and I want to change it from a one to a zero, right? If I flip this bit to a zero and I send it to you, you will then take the cipher text, which is the altered cipher text, which is 1 0 1 0 0, right, this one has been changed into a zero, so let's call that C prime, the changed cipher text, and you will take the bit string you computed, which is 0 1 1 0 1. I can't change that because I don't know the key and I don't know the initialization vector, so that remains the same. But when you XOR these two things you will get the changed message, the modified message, which will be 1 1 0 0 1, and as you can see, the resulting message M prime differs in exactly the bit that we have swapped in the cipher text. So flipping that cipher text bit actually flips the message bit. The message bit, okay. Um, so if I know the location, I can change it.

Now the beauty here is that the attacker at no point is able to decrypt any of the messages, right? He's not, he doesn't crack the system in that sense, um, but he was still able to break the system, you know, in, in the human sense. Um, of course, if I was wrong and that morning you loaded up a totally different page, then my attack is completely useless and I don't even know that my attack failed, right? Uh, other than the fact that you're now not sending your password to my Salamander. Um, so that's one example of encryption, and you can see here that this, you know, this is bad. In a future video I will actually have a use case based on stream ciphers where exactly the same property is actually a good thing.

Now stream ciphers are malleable, uh, but more famously, um, there is a class of malleable encryption where it's actually really, really useful. So again, the attacker can still use it to exploit, um, but you can also build more advanced protocols on the basis of it. Uh, that's known as homomorphic encryption. RSA is one example of homomorphic encryption. I'm not going to explain the basics of RSA again, I invite you to watch that video. In short, it's asymmetric encryption, which means that there's a different key for encrypting as there is for decrypting. Now we typically call the public key e and the private key d, and there's also a modulus n, which everyone knows, just like the public key. Now if I want to, uh, encrypt a message, I can take m to the power e, and then the person that owns a private key d, they have the ability of decrypting it by simply taking the cipher text that they received, so let's call it C is m to the e, so they take C and they raise it to the power d, so they get m to the power e to the power d, which is equal to m^(ed), and then, and this was the special magic property of RSA, this is equivalent to m mod n. So in other words, if you send me m to the power e, this is actually also modulo n, uh, if you send me m to the power e mod n and I take that value and I raise it to the power d, I get the original value back, and I'm the only person in the whole world who knows d, so I'm the only one who can decrypt it.

Now RSA is, is malleable. Um, so let's say that you're trying to send me a particular value, um, for example, you're bidding on an object that you want to buy, right? Um, and you're bidding, let's say, 13. Now what a malicious user might want to do is they say, I'm desperate to win this auction, so I'm going to take whatever value was sent in and I'm going to double it. Um, so they cannot decrypt the value, just like they couldn't decrypt the stream cipher, but they can still double it without knowing what they're doing. And this is what they need to do, right? You're sending me the number 13 to the power e mod n. You want to send in 26 to the power e, so you need to multiply this by 2 to the power e, e being a public value, so you can just compute 2 to the power e, and of course this is equal to 26 to the power e, and if I raise the value that you sent in to the power d, what I get is 26, right? So you were able to modify the bit by multiplying it with a specific value. In this case this was bad because it allowed someone to cheat, right? So attackers can use malleability, uh, but it actually can also be very useful.

So in this case, um, what an attacker, but not just attackers, actually anyone, is able to do is to multiply two cipher texts together, right? Um, so we had the cipher text 13 and we had the cipher text 2 and we were able to multiply these to get 26. So if I multiply cipher text, I'm also multiplying the plain text, and this is known as a homomorphic property, that's where the name comes from. It's a fancy mathematical name, um, but what it means is if I do an operation in one world, the plain text world, I'm doing another operation in the cipher text world. Now in this case the operations are the same, I'm multiplying and I'm multiplying. Uh, there's also crypto systems where if you multiply two cipher texts, um, the result is actually the addition of the plain text, and there's also a world where it's doing an XOR on the plain text. Um, and most of the sort of simple homomorphic schemes only have one operation that they support. In this case it's multiplication, and in some other case it's addition, those are the typical ones. Um, there is also fully homomorphic encryption, which I'm not going to go into details with, that's really computationally expensive, but it can do addition, multiplication, or AND and OR, for example.

So what can we use this for? We've got multiplicative homomorphic encryption, we can multiply cipher texts. Now I would like to convince you that multiplication and addition are actually kind of the same. So if I have a cipher text, some random number, let's call it G, and I raise it to a power of a chosen number, give me a number. 42. 42. And I multiply that with G to the power of yet another number. 12. 12. If I multiply these two numbers together, what I get is G^(42 + 12), 54. Now that means that we can translate multiplication into addition. Now, little bit of a warning here, uh, because if you're trying to figure out, uh, G to the power x for a general value of x, that's computationally hard, that's the whole basis of, um, of encryption here, right? Um, we cannot reverse engineer the logarithm of any number, but if the base is very, very small, 54 for a computer is very small, what I can do is I can compute the first 100 exponents of G: G to the power 0, G to the power 1, I just compute them all and I have a table of all the values, and now you give me G to the power 54, I can look it up and I know, ah, so the number is 54, right? So I never did a logarithm, I just tried all of them.

Let's say that we have a little election. There's, let's say, 100 people and they either vote yes or they vote no. Now what we want to do is we want to be able to tally up the votes at the very end and I don't want anyone to be able to see any individual vote. Mm. Um, so that means that, uh, we make the following agreement: there's two possible messages. Um, either you vote yes, in which case you take the message G to the power 1, or you vote no and you send G to the power zero. Now I'm going to use RSA here for homomorphic encryption, and viewers that are paying attention might notice a problem with me doing so. Uh, this scheme doesn't actually work with RSA, so the homomorphic bit which I'm about to explain does work, but it's not secure. Um, see if you can figure out why it's not secure, um, and I'll get back to it at the end.

So you've got 100 people voting, so all of them agree to encrypt their value, so they take, uh, either G to the power 1 to the power e, encrypted, or they take G to the power 0 to the power e. What you can do is you can take all 100 votes and you multiply them with each other, right? So we get a big computation like this: G to the power zero to the power e times G to the power 1 to the power e times, let's say another yes vote, G to the power 1 to the power e, etc. Now you can just do this multiplication, and what you will end up with is G to the power however many people voted yes, let's say 61 people voted yes, to the power e. And now a central authority who knows the key d can take that number and raise it to the d-th power, which is decrypting it, and what they will see is G to the power 61, which they will look up in their table and they will recognize this corresponds to 61 yes votes. And that's, I would say, the, the, a killer example of what homomorphic encryption can do. It gets a lot more complicated if you want to do real voting schemes where you've got multiple candidates and things like that, um, but there are homomorphic schemes that have been designed for, for more complicated elections.

Yes, to get back to the original thing I said, um, it doesn't actually work for RSA, not because what I just showed you is not true, because it is, it, it works,
it's functional, but it's not, uh, confidential, because if you vote zero, anyone can recognize G to the power 0 to the power e. It will always be the same value. There's only two possible values that you could be sending, G to the power 0 to the power e or G to the power 1 to the power e. I will quickly learn both values and I can tell who you voted by looking at that value. Um, this is known as deterministic encryption. Um, there's other schemes that are homomorphic that are not deterministic. The most famous one is ElGamal. Um, if you just use ElGamal instead of RSA, um, the protocol would be fixed for this problem. Uh, another example is the Paillier cryptosystem, uh, which would make your life even easier, easier, because they, multiplying is adding and you don't need to use the trick with the logarithm. And they both want to attack this city here, and they know if they attack together they win, if only one of them attacks and the other one hasn't got a message to they're free to send messages but"