Presentation is loading. Please wait.

Presentation is loading. Please wait.

Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut."— Presentation transcript:

1 Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut

2 Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.

3 Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.

4 Homomorphic Encryption Basic Aggregation Operation : a “bush”

5 The computing server model for Secure Multiparty Computation Computing server is a (perhaps distributed) party in the protocol that manages the contributions and delivery of results. This model has been applied in voting, auctions and other specialized secure multiparty computations. Contributors provide (encrypted) input under the specifications of the protocol (Access control allows them to write a on a bulletin board – Role specification). Processing / Aggregation of encrypted contributions by computing server. Delivery of results / output decryption.

6 Computing Server Model: Correctness Aspect All valid contributions are included. No unauthorized contributions are permitted. Contribution Processing is done according to specifications. Auditing & Replication is added to cope with various faults and failures.

7 Computing Server Model: Privacy Aspect The computation / processing does not leak any information about contributions, beyond what trivially inferred from the public-output. Computing servers are honest w.r.t. privacy. Or, threshold techniques: –Share decryption capabilities. –Split contribution.

8 The Large Scale Setting The “Bush” model insufficient for the large scale: Load Balancing Issues. Remote Geographic Locations. Overlay networks in P2P. Non-bush approach is needed:

9 Aggregation over Trees : Scalability Each node Implements a gate for ciphertext processing Structure: Imposed by Geographic Load balancing parameters Contributions: Bush aggregation of homomorphic encryption consistent with tree deployment: every node is a bush for its children. Aggregation complexity linear in the number of children nodes

10 Connection to Elections Top-Level Regional Level (micro-) Precinct Level

11 Correctness Aspect across the Tree Scaling over tree structure: Each node is comprised by set of agents that Collectively ensure the Correctness aspect of the local Node operation Scales well over the tree hierarchical structure.

12 Privacy Aspect Decryption Agents

13 The BIGGEST brother problem Inner nodes in the tree are assuring correctness – no decryption capability. Decryption capability shared at the root? –Possible, but all kinds of privacy advocates, known election experts and election non- experts will protest: –why should the little guy put his privacy at the end of the BIGGEST brother?

14 Does old solutions work? Sharing decryption capability to decipher the result at the root among all tree nodes using threshold techniques does not scale. But scalability is our primary objective to begin with!

15 Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.

16 Idea. To solve the BIGGEST brother problem : distribute decryption capability along the tree structure. Since aggregation along the tree structure scales – enforce decryption capability to follow the same pattern.

17 User trust path User Perspective User nodes that user trusts for correctness So: the same nodes must share Decryption Capability w.r.t. that user’s privacy.

18 Our Solution: Tree homomorphic encryption with Scalable Decryption Tree is suggested by network architecture, load-balancing parameters, geography, network overlay, etc. Spreading Decryption capability across the paths of the tree so that user privacy is not violated unless the whole user trust path is corrupt.

19 Homomorphic Encryption and Aggregation. Groups: Embedding of a Z-interval within Inputs to the computation belong to set of integer Values: Capacity: length of the Z-interval. Homomorphic over randomness is useful for constructing generic proofs of knowledge.

20 Homomorphic Encryption and Aggregation, II EXAMPLE: Voting among c candidates # of votes won by j-th candidate.

21 Proofs of Knowledge Voter contributes the encryption and a proof Of knowledge. EXAMPLE: Voting among c candidates, II Proof possible for generic Homomorphic encryption scheme. Length = linear in c

22 Three steps Key generation across the tree. Encryption of inputs at leaves. along tree paths.

23 Key Generation and distribution across user trust paths Each node generates a key (independently) Can be threshold of agents within the Node. Public Keys Are Propa- Gated Down To the User level across all trust paths

24 Blind-and-Share operation l = # of levels Encryptions of shares: Capacity Condition: Encryption functions of levels for user j j-th user selects:

25 consistency Encryptions in general are over different domains (each node has independent public- key). We need consistency checks to ensure correct blind-and-sharing of the input (independent of the individual domains).

26 Proof of consistency Each of the ciphertexts Is accompanied by a commitment to the plaintext – over the same domain. Together with a proof of knowledge that ensures: 1. Each ciphertext and commitment hide the same value. 2. The aggregation of the commitments hides a value of the form such that:

27 Proof of consistency, II It follows that an encrypted contribution Contains an additive sharing of a value So that

28 Tree Aggregation … Lowest level: … … Encrypted contributions

29 Tree Aggregation, II Lowest level node obtains the aggregated ciphertext: … Where are the users assigned to the node V.

30 Tree Aggregation + Partial Decryption. … Lowest Level node Decrypts the Last entry And apply modulo operation: Lowest level: the block is propagated to the upper level

31 Tree Aggregation + Partial Decryption, II j-th level: … … The j-th level Receives partially decrypted entries From its children That are of the form: j

32 Tree Aggregation + Partial Decryption, III The j-th level node aggregate as follows: … … … … And decrypt The j-th Level.

33 Tree Aggregation + Partial Decryption, IV Top level agents, after aggregation and decryption of the top level entry obtain: … The totally decrypted Sum of shares:

34 Output recovery THEN: Top level agents recover the results as follows: … This operation Reveals the result Of the procedure In the form:

35 Output Recovery, II This works because: … = …

36 Tree Homomorphic Encryption with Scalable Decryption: implementations Generic based on any additive homomorphic encryption: Paillier or (modified) ElGamal. –Size of encrypted contribution equals length of user trust path.

37 Implementations, II Modified ElGamal accepts more efficient implementation of scalable decryption: –Constant size of contribution: independent of the length of the user trust path. –Onion style decryption.

38 Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.

39 Tree Homomorphic Encryption with Onion decryption ElGamal-specific case. Shortening of contribution encryption size. –Based on: Composition of public-key across user trust paths.

40 Initialization/Setup Additive ElGamal Specific Setup Each node creates local public key pk=g a. Global Parameters: G, g, f, h generators of G multiplicative group of prime order q. Each node computes its local combined_pk by multiplying its local pk with the combined_pk of the parent node.

41 Submission of Contributions Additive ElGamal Specific Each user makes a selection v  {1, M, M 2,..., M c-1 } and publishes combined_pk is the combined public-key local to the lowest level node, i.e. combined_pk=h 0 h 1 h 2... h k where h 0, h 1, h 2,..., h k are the local pk’s of the nodes in the user trust path. r<q is selected at random.

42 Submission of Contributions, II Additive ElGamal Specific the user proves that the Encryption, is formed according to the specifications. The voter publishes: NIZK[ r : (B 1 = g r )  ( v  C (B 2 = (combined_pk) r f v )]

43 Tree Aggregation + Decryption by “Onion Peeling” The low level node multiplies all encrypted contributions point-wise:       is a valid ElGamal encryption of f  v (due to the homomorphic property) under the public-key of all nodes in the user trust path. THEN: The node “peels-off” its layer of encryption (by doing ElGamal Decryption w.r.t. its local private-key. The process continues recursively up to the top-level node. 

44 Output The top node receives the tally T = f  v The space of all possible values for  v is of size O(n c-1 ) and as a result it can be found in time O(n c-1 ). Using the baby-step giant-step method this can be improved to O(n (c-1)/2 ) Recovery of output:

45 Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.

46 Application To E-Voting: “Scalable” Secret Ballot Elections Arbitrary elections’ structure, size and distributions Security properties scale in parallel to the elections structure

47 Voter Distribution Smallest Administrative Unit: Microprecinct

48 The Election Tree Setup Ballot-Casting Results Security Horizon Secure Subelections

49 Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.

50 Conclusions Tree Homomorphic Encryption with Scalable Decryption. motivated by load-balancing / network topology geography constraints / overlay P2P networks. Assuming multi-level trust can eliminate big brother presence. Further increase of security possible by employing “paranoid security” or “multi-path election” Future applications?

Download ppt "Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut."

Similar presentations

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)

Private Inference Control David Woodruff MIT Joint work with Jessica Staddon (PARC)
Private Inference Control

Private Inference Control
Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.

Non-interactive Zero- Knowledge Arguments for Voting Jens Groth UCLA.
I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.

I have a DREAM! (DiffeRentially privatE smArt Metering) Gergely Acs and Claude Castelluccia {gergely.acs, INRIA 2011.
Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.

Multi-Dimensional Range Query over Encrypted Data Authors: Elaine Shi, Joint work with John Bethencourt, Hubert Chan, Dawn Song, Adrian Perrig Slides originated.
Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.

Spreading Alerts Quietly and the Subgroup Escape Problem Aleksandr Yampolskiy (Yale) Joint work with James Aspnes, Zoë Diamadi, Kristian Gjøsteen, and.
Secure Multiparty Computations on Bitcoin

Secure Multiparty Computations on Bitcoin
P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.

P2P data retrieval DHT (Distributed Hash Tables) Partially based on Hellerstein’s presentation at VLDB2004.
Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)

Civitas Security and Transparency for Remote Voting Swiss E-Voting Workshop September 6, 2010 Michael Clarkson Cornell University with Stephen Chong (Harvard)
Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, 2010. ICWCSC 2010. International.

Efficient Public Key Infrastructure Implementation in Wireless Sensor Networks Wireless Communication and Sensor Computing, ICWCSC International.
Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)

Research & development A Practical and Coercion-resistant scheme for Internet Voting Jacques Traoré (joint work with Roberto Araújo and Sébastien Foulle)
A Dependable Auction System: Architecture and an Implementation Framework

A Dependable Auction System: Architecture and an Implementation Framework
CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.

CSCE 715 Ankur Jain 11/16/2010. Introduction Design Goals Framework SDT Protocol Achievements of Goals Overhead of SDT Conclusion.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.

10/25/20061 Threshold Paillier Encryption Web Service A Master’s Project Proposal by Brett Wilson.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
1 Intro To Encryption Exercise 12. 2 Problem What may be the problem with a central KDC?

1 Intro To Encryption Exercise Problem What may be the problem with a central KDC?
Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.

Secure Efficient Multiparty Computing of Multivariate Polynomials and Applications Dana Dachman-Soled, Tal Malkin, Mariana Raykova, Moti Yung.
Efficient, Proximity-Aware Load Balancing for DHT-Based P2P Systems Yingwu Zhu, Yiming Hu Appeared on IEEE Trans. on Parallel and Distributed Systems,

Efficient, Proximity-Aware Load Balancing for DHT-Based P2P Systems Yingwu Zhu, Yiming Hu Appeared on IEEE Trans. on Parallel and Distributed Systems,
01101100101001001010011001011110010110101000101010010010110010100010100101010101010001101001010101001000101001011110011110100110 100100101010100010101010100101010101010010100101010101010010100111001001001000101000001010110000100101000100111101001010100101

Similar presentations

Ads by Google