Published by Leslie Maddocks. Modified about 1 year ago.

1
On Homomorphic Encryption and Secure Computation
Shai Halevi
IBM|NYU|Columbia Theory Day, May 7, 2010
[Figure labels: challenge, response]

2
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
o Encrypt my data in the cloud
o While still allowing the cloud to search/sort/edit/… this data on my behalf
o Keeping the data in the cloud in encrypted form
   - Without needing to ship it back and forth to be decrypted

3
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
o Encrypt my queries to the cloud
o While still allowing the cloud to process them
o Cloud returns encrypted answers that I can decrypt

4
Computing on Encrypted Data
Directions
From: 19 Skyline Drive, Hawthorne, NY 10532, USA
To: Columbia University

5
Computing on Encrypted Data
&maXxjq02bflx m^00a2nm5,A4. pE.abxp3m58bsa (3saM%w,snanba nq~mD=3akm2,A Z,ltnhde83|3mz{n dewiunb4]gnbTa* kjew^bwJ^mdns0 typo

6
Part I: Constructing Homomorphic Encryption

7
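Privacy Homomorphisms [RAD78]
[Diagram: plaintext space $P$ containing $x_1, x_2, y$ and ciphertext space $C$ containing $c_1, c_2, d$, with $c_i \leftarrow \mathrm{Enc}(x_i)$ and $y \leftarrow \mathrm{Dec}(d)$]
Some examples:
o “Raw RSA”: $c \leftarrow x^e \bmod N$ ($x \leftarrow c^d \bmod N$)
   - $x_1^e \times x_2^e = (x_1 \times x_2)^e \bmod N$
o GM84: $\mathrm{Enc}(0) \in_R QR$, $\mathrm{Enc}(1) \in_R QNR$ (in $Z_N^*$)
   - $\mathrm{Enc}(x_1) \times \mathrm{Enc}(x_2) = \mathrm{Enc}(x_1 \oplus x_2) \bmod N$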

8
More Privacy Homomorphisms
o Mult-mod-p [ElGamal’84]
o Add-mod-N [Paillier’98]
o NC1 circuits [SYY’00]
o Quadratic-polys mod p [BGN’06]
o Poly-size branching programs [IP’07]
o See Part II for a “different type of solution” for any poly-size circuit [Yao’82,…]

9
(x,+)-Homomorphic Encryption
It will be really nice to have…
o Plaintext space $Z_2$ (w/ ops $+, \times$)
o Ciphertext space some ring $R$ (w/ ops $+, \times$)
o Homomorphic for both $+$ and $\times$
   - $\mathrm{Enc}(x_1) + \mathrm{Enc}(x_2)$ in $R$ $= \mathrm{Enc}(x_1 + x_2 \bmod 2)$
   - $\mathrm{Enc}(x_1) \times \mathrm{Enc}(x_2)$ in $R$ $= \mathrm{Enc}(x_1 \times x_2 \bmod 2)$
o Then we can compute any function on the encryptions
   - Since every binary function is a polynomial
o We won’t get exactly this, but it’s a good motivation

10
Some Notations
o An encryption scheme: (KeyGen, Enc, Dec)
   - Plaintext-space = {0,1}
   - $(pk, sk) \leftarrow \mathrm{KeyGen}(\$)$, $c \leftarrow \mathrm{Enc}_{pk}(b)$, $b \leftarrow \mathrm{Dec}_{sk}(c)$
o Semantic security [GM’84]: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$
   - $\approx$ means indistinguishable by efficient algorithms

11
Homomorphic Encryption
o H = { KeyGen, Enc, Dec, Eval }
   - $c^* \leftarrow \mathrm{Eval}_{pk}(f, c)$
o Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$
   - (“Fully” Homomorphic: for every function $f$)
   - $\mathrm{Enc}_{pk}(f(x))$, $\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))$ may differ
   - As long as both distributions decrypt to $f(x)$
o Function-private: $\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))$ hides $f$
o Compact: $|\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))|$ independent of $|f|$

12
(x,+)-Homomorphic Encryption, the Gentry Way [G’09]
Evaluate any function in four “easy” steps
o Step 1: Encryption from linear ECCs
   - Additive homomorphism
o Step 2: ECC lives inside a ring
   - Also multiplicative homomorphism
   - But only for a few operations (i.e., low-degree poly’s)
o Step 3: Bootstrapping
   - Few ops (but not too few) $\Rightarrow$ any number of ops
o Step 4: Everything else

13
Step One: Encryption from Linear ECCs
o For “random looking” codes, hard to distinguish close/far from code
o Many cryptosystems built on this hardness
   - E.g., [McEliece’78, AD’97, GGH’97, R’03,…]

14
Encryption from linear ECCs
o KeyGen: choose a “random” code $C$
   - Secret key: “good representation” of $C$
      - Allows correction of “large” errors
   - Public key: “bad representation” of $C$
o Enc(0): a word close to $C$
o Enc(1): a random word
   - Far from $C$ (with high probability)

15
An Example: Integers mod p (similar to [Regev’03])
o Code determined by an integer $p$
   - Codewords: multiples of $p$
o Good representation: $p$ itself
o Bad representation: $N = pq$, and also many many $x_i = pq_i + r_i$
o Enc(0): subset-sum($x_i$’s) $+ r \bmod N$
o Enc(1): random integer mod $N$
[Figure labels: $r_i$, $p$, $N$]

16
A Different Input Encoding
o Plaintext bit is LSB of $\mathrm{dist}(c, C)$
   - Enc(0/1): close to $C$, distance is even/odd
   - In our example of integers mod $p$ ($p$ is odd):
      - $\mathrm{Enc}(b) = 2(\text{subset-sum}(x_i\text{’s}) + r) + b \bmod N$
      - $\mathrm{Dec}(c) = (c \bmod p) \bmod 2$
o Thm: If “$C$ co-prime with 2”, then Enc(0), Enc(1) indistinguishable
   - $w$ is near-$C$/random $\Rightarrow$ $2w + b$ is Enc($b$)/random

17
Additive Homomorphism
o $c_1 + c_2 = (\text{codeword}_1 + \text{codeword}_2) + 2(r_1 + r_2) + b_1 + b_2$
   - $\text{codeword}_1 + \text{codeword}_2 \in C$
   - If $2(r_1 + r_2) + b_1 + b_2 < \text{min-dist}/2$, then it is the distance between $c_1 + c_2$ and $C$
   - $\mathrm{dist}(c_1 + c_2, C) = b_1 + b_2 \bmod 2$
o Additively-homomorphic while close to $C$

18
Step 2: ECC Lives in a Ring R
o What happens when multiplying in $R$:
   - $c_1 \times c_2 = (\text{codeword}_1 + 2r_1 + b_1) \times (\text{codeword}_2 + 2r_2 + b_2)$
   - $= \text{codeword}_1 \times X + Y \times \text{codeword}_2 + (2r_1 + b_1) \times (2r_2 + b_2)$
o If:
   - $\text{codeword}_1 \times X + Y \times \text{codeword}_2 \in C$ ($C$ is both a left-ideal and a right-ideal)
   - $(2r_1 + b_1) \times (2r_2 + b_2) < \text{min-dist}/2$ (Product in $R$ of small elements is small)
o Then $\mathrm{dist}(c_1 c_2, C) = (2r_1 + b_1) \times (2r_2 + b_2) = b_1 \times b_2 \bmod 2$

19
Integers Rings [vDGHV’10]
o Recall mod-$p$ scheme: $c_i = q_i p + 2r_i + b_i \pmod{N = qp}$
   - Parameters: $|r_i| = n$, $|p| = n^2$, $|q| = |q_i| = n^5$
o $c_1 + c_2 \bmod N = (q_1 + q_2 - kq)p + 2(r_1 + r_2) + (b_1 + b_2)$ (for some integer $k$)
   - sum mod $p$ $= 2(r_1 + r_2) + (b_1 + b_2)$
o $c_1 \times c_2 \bmod N = (c_1 q_2 + q_1 c_2 - q_1 q_2 p - k'q)p + 2(2r_1 r_2 + r_1 b_2 + b_1 r_2) + b_1 b_2$ (for some integer $k'$)
   - product mod $p$ $= 2(2r_1 r_2 + \ldots) + b_1 b_2$
o Can evaluate polynomials of degree ~$n$ before the distance from $C$ exceeds $p/2$
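The mod-p scheme of the last few slides (Enc, Dec, the additive and multiplicative homomorphism, and the point where the noise passes p/2) as an added Python example; it is not code from the talk. The function names and TAU = 16 are assumptions, and the bit sizes follow the slide's parameters with a toy n = 8, far too small to be secure.

```python
import secrets

n = 8                                # toy security parameter (assumption)
RHO, ETA, GAMMA = n, n**2, n**5      # bit lengths of r_i, p, q as on the slide
TAU = 16                             # number of public x_i (assumed; the slide says "many")

def keygen():
    """Secret key: odd p. Public key: N = q*p and noisy multiples x_i = p*q_i + r_i."""
    p = secrets.randbits(ETA) | (1 << (ETA - 1)) | 1
    q = secrets.randbits(GAMMA) | (1 << (GAMMA - 1))
    xs = [p * secrets.randbelow(q) + secrets.randbelow(1 << RHO) for _ in range(TAU)]
    return (q * p, xs), p

def encrypt(pk, b):
    """Enc(b) = 2*(subset-sum(x_i) + r) + b mod N."""
    N, xs = pk
    subset = sum(x for x in xs if secrets.randbits(1))
    return (2 * (subset + secrets.randbelow(1 << RHO)) + b) % N

def noise(p, c):
    """Signed distance of c from the nearest multiple of p (the code C)."""
    m = c % p
    return m - p if m > p // 2 else m

def decrypt(p, c):
    """Dec(c) = (c mod p) mod 2, taking the centered residue."""
    return noise(p, c) % 2

def add(pk, c1, c2):
    return (c1 + c2) % pk[0]

def mul(pk, c1, c2):
    return (c1 * c2) % pk[0]

def first_failure_degree(pk, p, limit=64):
    """Multiply fresh encryptions of 1 until the product stops decrypting to 1."""
    acc = encrypt(pk, 1)
    for degree in range(2, limit + 1):
        acc = mul(pk, acc, encrypt(pk, 1))
        if decrypt(p, acc) != 1:
            return degree            # noise passed p/2, the plaintext is lost
    return None

if __name__ == "__main__":
    pk, sk = keygen()
    c0, c1 = encrypt(pk, 0), encrypt(pk, 1)
    print("1+1 =", decrypt(sk, add(pk, c1, c1)), " 1*0 =", decrypt(sk, mul(pk, c1, c0)))
    print("first wrong decryption at degree", first_failure_degree(pk, sk))
```

With these sizes a fresh ciphertext has noise below 2^14, so products of up to four fresh ciphertexts always decrypt correctly; the failure appears a few degrees later, which is the gap bootstrapping is meant to close.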

20
Integers Rings [vDGHV’10]
Thm: “Approximate GCD” is hard $\Rightarrow$ Enc(0), Enc(1) are indistinguishable
o Approximate-GCD: Given $N = qp$ and many $x_i = pq_i + r_i$, hard to recover $p$

21
Polynomial Rings [G’09]
o $R$ = polynomial ring modulo some $f(x)$
   - E.g., $f(x) = x^n + 1$
o $C$ is an ideal in $R$
   - E.g., random $g(x)$, $C_g = \{ g \times h \bmod f : h \in R \}$
   - $C$ is also a lattice
   - Good representation: $g$ itself
   - Bad representation: Hermite-Normal-Form
o If $g$ has $t$-bit coefficients, can evaluate polynomials of degree $O(t/\log n)$

22
Polynomial Rings [G’09]
Thm: Bounded-Distance Decoding in ideal lattices is hard $\Rightarrow$ Enc(0), Enc(1) are indistinguishable
o Bounded-Distance-Decoding: Given $x$ close to the lattice, find dist($x$, lattice)

23
Matrix Rings* [GHV’10]
o $R$ = ring of $m \times m$ matrices over $Z_q$
   - $q = \mathrm{poly}(n)$, $m > n \log q$ ($n$ security-parameter)
o $C$ has low-rank matrices mod $q$ (rank $= n$)
   - $A$ is a random $n \times m$ matrix, $C_A = \{ AX : X \in R \}$
   - Bad representation: $A$ itself
   - Good representation: full rank $T_{m \times m}$ (over $Z$), small entries, $TA = 0 \bmod q$
o Problem: $C_A$ is left-ideal, but not right-ideal
   - Can still evaluate quadratic formulas, no more
*Doesn’t quite fit the mold

24
Matrix Rings* [GHV’10]
Thm: Learning with Errors hard $\Rightarrow$ Enc(0), Enc(1) are indistinguishable
o Learning with Errors: Given $A$, $Ax + e$ (random $A, x$, small error $e$), find $x$
*Doesn’t quite fit the mold

25
Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
[Figure: circuit $P$ with inputs $x_1, x_2, \ldots, x_t$ and output $P(x_1, x_2, \ldots, x_t)$]

26
Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
o Can eval $y = P(x_1, x_2, \ldots, x_n)$ when $x_i$’s are “fresh”
o But $y$ is an “evaluated ciphertext”
   - Can still be decrypted
   - But eval $Q(y)$ will increase noise too much
[Figure: circuit $P$ with inputs $x_1, x_2, \ldots, x_t$ and output $P(x_1, x_2, \ldots, x_t)$]

27
Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
o Bootstrapping to handle higher degrees:
o For ciphertext $c$, consider $D_c(sk) = \mathrm{Dec}_{sk}(c)$
   - Hope: $D_c(\cdot)$ is a low-degree polynomial in $sk$
   - Then so are $A_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) + \mathrm{Dec}_{sk}(c_2)$ and $M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2)$
[Figure: circuit $P$ with inputs $x_1, x_2, \ldots, x_t$ and output $P(x_1, x_2, \ldots, x_t)$]

28
Step 3: Bootstrapping [G’09]
o Include in the public key also $\mathrm{Enc}_{pk}(sk)$
[Figure: circuit $M_{c_1,c_2}$ built from $c_1, c_2$ (which encrypt $x_1, x_2$), with inputs $sk_1, sk_2, \ldots, sk_n$ and output $c$; $M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2) = x_1 \times x_2$]
Requires “circular security”

29
Step 3: Bootstrapping [G’09]
o Include in the public key also $\mathrm{Enc}_{pk}(sk)$
o Homomorphic computation applied only to the “fresh” encryption of $sk$
[Figure: circuit $M_{c_1,c_2}$ built from $c_1, c_2$ (which encrypt $x_1, x_2$), with inputs $sk_1, sk_2, \ldots, sk_n$ and output $c$; $M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2) = x_1 \times x_2$]
Requires “circular security”

30
Step 4: Everything Else
o Cryptosystems from [G’09, vDGHV’10] cannot handle their own decryption as-is
o Apply some tricks to “squash” the decryption procedure

31
Part II: Homomorphic Encryption vs. Secure Computation

32
Secure Function Evaluation (SFE)
Client Alice has data $x$
Server Bob has function $f$
Alice wants to learn $f(x)$
1. Without telling Bob what $x$ is
2. Bob may not want Alice to know $f$
3. Client Alice may also want server Bob to do most of the work computing $f(x)$

33
Two-Message SFE [Yao’82,…]
o Many different instantiations are available
   - Based on hardness of factoring/DL/lattices/…
o Alice’s $x$ and Bob’s $f$ are kept private
o But Alice does as much work as Bob
   - Bob’s reply of size $\mathrm{poly}(n) \times (|f| + |x|)$
Protocol:
   Alice($x$): $(c, s) \leftarrow \mathrm{SFE1}(x)$; sends $c$ to Bob
   Bob($f$): $r \leftarrow \mathrm{SFE2}(f, c)$; sends $r$ to Alice
   Alice($x$): $y \leftarrow \mathrm{SFE3}(s, r)$

34
Recall: Homomorphic Encryption
o H = { KeyGen, Enc, Dec, Eval }
o Semantic security: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$
o Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$
   - (“Fully” Homomorphic: for every function $f$)
   - $\mathrm{Enc}_{pk}(f(x))$, $\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))$ may differ
   - As long as both distributions decrypt to $f(x)$
o Function-private: $\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))$ hides $f$
o Compact: $|\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))|$ independent of $|f|$

35
Aside: a Trivial Solution
o Eval( f, c ) = , Dec*( ) = f(Dec( c ))
o Neither function-private, nor compact
o Not very useful in applications

36
HE $\Rightarrow$ Two-Message SFE
o Alice encrypts data $x$
   - sends to Bob $c \leftarrow \mathrm{Enc}(x)$
o Bob computes on encrypted data
   - sets $c^* \leftarrow \mathrm{Eval}(f, c)$
   - $c^*$ is supposed to be an encryption of $f(x)$
   - Hopefully it hides $f$ (function-private scheme)
o Alice decrypts, recovers $y \leftarrow \mathrm{Dec}(c^*)$

37
Two-Message SFE $\Rightarrow$ HE
o Roughly:
   - Alice’s message $c \leftarrow \mathrm{SFE1}(x)$ is Enc($x$)
   - Bob’s reply $r \leftarrow \mathrm{SFE2}(f, c)$ is Eval($f, c$)
o Not quite public-key encryption yet
   - Where are $(pk, sk)$?
   - Can be fixed with an auxiliary PKE scheme

38
Two-Message SFE $\Rightarrow$ HE
o Add an auxiliary encryption scheme with $(pk, sk)$
[Diagram: parties Alice($pk, x$), Bob($f$), Dora($sk$); $(c, s) \leftarrow \mathrm{SFE1}(x)$, message $c$, $r \leftarrow \mathrm{SFE2}(f, c)$, message $r$, $y \leftarrow \mathrm{SFE3}(s, r)$]

39
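Two-Message SFE $\Rightarrow$ HE
o Recall: $|r|$ could be as large as $\mathrm{poly}(n)(|f| + |x|)$
   - Not compact
Protocol:
   Alice($pk, x$), $\mathrm{Enc}'_{pk}(x)$: $(c, s) \leftarrow \mathrm{SFE1}(x)$, $c' \leftarrow \mathrm{Enc}_{pk}(s)$; sends $c, c'$
   Bob($f$), $\mathrm{Eval}_{pk}(f, c, c')$: $r \leftarrow \mathrm{SFE2}(f, c)$; sends $r, c'$
   Dora($sk$), $\mathrm{Dec}_{sk}(r, c')$: $s \leftarrow \mathrm{Dec}_{sk}(c')$, $y \leftarrow \mathrm{SFE3}(s, r)$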

40
A More Complex Setting: i-Hop HE [GHV10b]
2-Hop Homomorphic Encryption:
   Alice($x$): $c_0 \leftarrow \mathrm{Enc}(x)$; sends $c_0$
   Bob($f$): $c_1 \leftarrow \mathrm{Eval}(f, c_0)$; sends $c_1$
   Charlie($g$): $c_2 \leftarrow \mathrm{Eval}(g, c_1)$; sends $c_2$
   Dora($sk$): $y \leftarrow \mathrm{Dec}(c_2)$
o $c_1$ is not a fresh ciphertext
   - May look completely different
o Can Charlie process it at all?
   - What about security?

41
Multi-Hop Homomorphic Encryption
o H = { KeyGen, Enc, Eval, Dec } as before
o $i$-Hop Homomorphic ($i$ is a parameter)
   - [Diagram: $x \to \mathrm{Enc}_{pk}(x) \to c_0 \to \mathrm{Eval}_{pk}(f_1, c_0) \to c_1 \to \mathrm{Eval}_{pk}(f_2, c_1) \to c_2 \to \ldots \to c_j \to \mathrm{Dec}_{sk}(x) \to y$; any number $j \le i$ hops]
   - $y = f_j(f_{j-1}(\ldots f_1(x) \ldots))$ for any $x, f_1, \ldots, f_j$
o Similarly for $i$-Hop function-privacy, compactness
o Multi-Hop: $i$-Hop for any $i$

42
1-Hop $\Rightarrow$ multi-Hop HE
o (KeyGen, Enc, Eval, Dec) is 1-Hop HE
   - Can evaluate any single function on ctxt
o We have $c_1 = \mathrm{Eval}_{pk}(f_1, c_0)$, and some other $f_2$
Bootstrapping:
o Include with $pk$ also $c^* = \mathrm{Enc}_{pk}(sk)$
o Consider $F_{c_1, f_2}(sk) = f_2(\mathrm{Dec}_{sk}(c_1))$
   - Let $c_2 = \mathrm{Eval}_{pk}(F_{c_1, f_2}, c^*)$

43
1-Hop $\Rightarrow$ multi-Hop HE
o Drawback: $|c_i|$ grows exponentially with $i$:
   - $|F_{c_{i-1}, f_i}| \ge |c_{i-1}| + |f_i|$
   - $|c_i| = |\mathrm{Eval}_{pk}(F_{c_{i-1}, f_i}, c^*)| \ge \mathrm{poly}(n)(|c_{i-1}| + |f_i|)$
o Does not happen if underlying scheme is compact
   - Or even $|\mathrm{Eval}_{pk}(F_{c_{i-1}, f_i}, c^*)| = |c_{i-1}| + \mathrm{poly}(n)|f_i|$
[Figure: circuit $F_{c_{i-1}, f_i}$ built from $c_{i-1}$ (which encrypts $x_{i-1}$) and $f_i$, applied to $c^*$ (the encryption of $sk$); $F_{c_{i-1}, f_i}(sk) = f_i(\mathrm{Dec}_{sk}(c_{i-1})) = f_i(x_{i-1})$]

44
Other Constructions
o Private 1-hop HE + Compact 1-hop HE $\Rightarrow$ Compact, Private 1-hop HE $\Rightarrow$ Compact, Private multi-hop HE
o A direct construction of multi-hop HE from Yao’s protocol

45
Summary
o Homomorphic Encryption is useful
   - Especially multi-hop HE
o A method for constructing HE schemes from linear ECCs in rings
   - Two (+ ) known instances so far
o Connection to two-message protocols for secure computation

46
Thank You
