Manipulating Encrypted Data
You store your data in the cloud, encrypted of course. You want to use the computing power of the cloud to analyze your data. But you want to keep the data encrypted. Basic Question: Is it possible to compute with encrypted data without first decrypting?
One Goal: Design an encryption method E K and a decryption method D K (K is the key) with the following property: If f is some function (algorithm), then we can find a function F, independent of K, such that for every message m : f(m) = D K ( F(E K (m))) This means that if we want to compute f(m), we can encrypt m, then F is applied to the encrypted message, then we decrypt. This has been done, in theory, by Gentry (homomorphic encryption)
E(M) F(E(M)) E D f M f(M) M=message f=function E=encryption D=decryption
Search About 1,330,000 results (0.28 seconds) Cheating on Your Taxes Read these tips to find some smart, under the radar, and legal ways to cheat on your taxes. The IRS has been screwing you for long enough. It's time to turn the … Tax Fraud Penalties - Cheating On Taxes - Esquire Apr 18, 2011 –... in on five ways to hypothetically bend the law and cheat on your taxes.... When the IRS comes a-knocking you're guilty until you can prove... Cheating the IRS
Fhrah$5&&$$$$$123mNmErTIoppYtEQCCV9&T Cheating the IRS Encrypt
Nxvs$%432MnUiiOPlTRttyR^%$^&IHKVGRYGKNjkjkJ 6T%$3CvDrk$65IhkU%eksaggYGFMVKHFkhvyrkGKJk HcjgkllJkknlkGKknljlJllniy89^y;jTYNffsd9u123npih;xkn;k gihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlhlkjU dhstuhgerkekfklxkgh;knklHOlkn^(*^&$&%$OIHpj45ihkh gfklxkgh;knklHOlkn^(*&885^%$OIHpj45ihkh ; d;knfae,npih;x kn;kgihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlh gkfdhstuhgerkekgeksaggYGFMVKHFkhvyrkGKJkg, gfklxkgh;knklHOlkn^(*^&$&%$OIHTYVbnmT**7%nBBnnHtFr …… Fhrah$5&&$$$$$123mNmErTIoppYtEQCCV9&T
DECRYPT
Search About 1,330,000 results (0.28 seconds) Cheating on Your Taxes Read these tips to find some smart, under the radar, and legal ways to cheat on your taxes. The IRS has been screwing you for long enough. It's time to turn the … Tax Fraud Penalties - Cheating On Taxes - Esquire Apr 18, 2011 –... in on five ways to hypothetically bend the law and cheat on your taxes.... When the IRS comes a-knocking you're guilty until you can prove... Cheating the IRS
Cheating hte IRS Encrypt
W#$RrDqPlOiuYuIgn^Tpihk;k^%$^&IHKVGRYGKNjkjkJ Fjklk$65IhkU%eksaggYGFMVKHFkhvyrkGKJkg,nvkvtbvv HcjgkllJkknlkGKknljlJllniy89^y;jTYNffsd9u123npih;xkn;k gihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlhgkf dhstuhgerkekfklxkgh;knklHOlkn^(*^&$&%$OIHpj45ihkh gfklxkgh;knklHOlkn^(*^&$&%$OIHpj45ihkh ; d;knfae,npih;x kn;kgihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlh gkfdhstuhgerkekgeksaggYGFMVKHFkhvyrkGKJkg, nvkvtbvvgfklxkgh;knklHOlkn^(*^&$&%$OIHTYVbnmTbCfT$#w ……
Search About 1,330,000 results (0.28 seconds) Cheating on Your Taxes Read these tips to find some smart, under the radar, and legal ways to cheat on your taxes. The IRS has been screwing you for long enough. It's time to turn the … Tax Fraud Penalties - Cheating On Taxes - Esquire Apr 18, 2011 –... in on five ways to hypothetically bend the law and cheat on your taxes.... When the IRS comes a-knocking you're guilty until you can prove... Cheating hte IRS Did you mean cheating the IRS Search instead for cheating hte IRS
Somewhat Homomorphic Encryption (SWHE) This will allow several additions and subtractions but only a few multiplications. Secret key is a large odd integer p. We want to encrypt a bit m, where m = 0 or 1. Choose a random integer r (much smaller than p) and another integer s and let the ciphertext be c = m + 2r + ps To decrypt (i.e., recover m), compute m = c (mod p) (mod 2)
We can add ciphertexts: c 1 = m 1 + 2r 1 + ps 1 c 2 = m 2 + 2r 2 + ps 2 Then c 1 + c 2 decrypts to m 1 + m 2 Products: c 1 c 2 = m 1 m 2 + 2(m 1 r 2 +m 2 r 1 +r 1 r 2 ) + p( ) This decrypts to m 1 m 2 if r 1 r 2 is not too big. Think of this as the encryption of m 1 m 2 plus some noise. If we do too many multiplications, the noise increases enough that decryption fails.
E(M) E(f 1 (M))+noise E(f 2 f 1 (M))+NOISE E(f 3 f 2 f 1 (M))+ NOISE M f 1 (M) f 2 f 1 (M) f 3 f 2 f 1 (M) If we compute by a series of bit operations f 1, f 2, f 3 :
Bootstrapping (Craig Gentry, 2008) E(M)||E(K) E(f(M))+ noise ||E(K) E( E(f(M))+ noise ||E(K) ) M||K f(M)||K E(E(f(M))+ noise ||E(K)) E(f(M)) + noise D E(f(M))+ noise ||E(K) f(M) The noise has been reduced, so we can continue.
Bootstrapping can sometimes change a Somewhat Homomorphic system into a Fully Homomorphic system. Are Fully Homomorphic Sytems practical? Not yet.
A similar idea that is practical is Secure Multiparty Computation But first, a digression...
You are the manager of a bank. You want to allow your employees to open the safe. Requirements : 1. One person alone cannot open the safe. 2. Any two people can open the safe.
TwoPeople determine aSecret
TwoPoints determine aLine
The secret combination to the lock is ab cd ef For example, the combination could be
Let B = abcdef mod p where p is prime. Choose a random M We now have a line y = Mx + B (mod p)
For example, if the combination is 14 – 15 – 03, then B = We could randomly choose M = The line is y = x
If there are 30 people, compute 30 points on the line y = Mx + B : (1, M+B), (2, 2M+B), (3, 3M+B),. (30, 30M+B) Give each person one point.
Summary: Someone shares a secret B by choosing a random integer m and forming the linear function f(x) = B+mx. f(1)=B+m is given to person 1 f(2)=B+2m is given to person 2 f(3)=B+3m is given to person 3 These numbers are their “shares” of the secret. Any two people can determine B.
Arithmetic Operations on Secrets P 1, P 2, P 3 have shares of f(0) and of g(0). P 1 adds f(1) + g(1), P 2 adds f(2) + g(2), P 3 adds f(3) + g(3) They now share f(0) + g(0) We can add secrets:
Can We Multiply Secrets? P 1, P 2, P 3 share f(0) and share g(0). They want to share f(0) g(0). Problem: f(x) g(x) is a quadratic polynomial, so it takes three values to reconstruct it: f(0) g(0) = 3f(1)g(1) – 3 f(2)g(2) + f(3)g(3) So all three can recover the secret. But “Sharing” requires that 2 people can reconstruct the secret.
How to Share Products: (Gennaro, Rabin, Rabin) Person 1 shares f(1)g(1) (i.e., gives shares to 1, 2, 3) Person 2 shares f(2)g(2) Person 3 shares f(3)g(3) Each person computes Share prod =3(Share received from 1) – 3(Share from 2) + (Share from 3) This is a share of f(0)g(0). Why? The numbers Share prod are the values at x=1, 2, 3 of a linear function whose y-intercept is 3f(1)g(1) – 3f(2)g(2) + f(3)g(3) = f(0)g(0)
Bit operations Let a and b be bits (0 or 1). Then a b = a + b – 2ab ( denotes addition mod 2) If P 1, P 2, P 3 share a and b, then they can share a b
Suppose a = a 0 + 2a 1 + 4a 2 + … and b = b 0 + 2b 1 + 4b 2 + … A bit of a + b can be calculated via bit operations such as and multiplication (“and”) If the bits of a and b are shared, then the value of this bit is shared
Is d < s ? s and d are shared numbers between 0 and 2 n Nobody knows s and d but we want to determine which is larger. Key idea: d < s if and only if the n-th bit of 2 n + d –s is 0
SUGAR BEETS
Participants : 1200 Danish farmers Danisco : the (only) Danish sugar beet processor Danish cryptographers Farmer i is willing to sell s i,k sugar beets at Price k There are 4000 possible prices : Price 1 < Price 2 <... < Price 4000 Let s k = s 1k + s 2,k s 1200,k Then s k is the supply at Price k : s 1 < s 2 <... < s 4000 Parameters Let d k be the amount Danisco is willing to buy at Price k d 1 > d 2 >... > d 4000
Problem: Find k so that s k = d k Constraint: No one wants to reveal their strategy Solution : There are three participants: 1.The farmers’ union 2.Danisco 3.The Danish cryptography group For each Price k, the Farmer i chooses a linear function f ik (x) = s ik + a ik x and sends f ik (1) to P 1, f ik (2) to P 2, f ik (3) to P 3. That is, the farmer shares s ik P 1 adds up the numbers it receives. Similarly for P 2 and P 3. They now have shares of each supply number s 1,..., s 4000
For Price k, Danisco chooses a linear function g k (x) = d k + c k x and gives g k (1) to P 1, g k (2) to P 2, g k (3) to P 3 Therefore, d 1, d 2,..., d 4000 are shared The 3 Participants determine whether s 2000 < d No: Is s 1000 < d 1000 ?Yes: Is s 3000 < d 3000 ? Etc.
They determine k such that s k = d k. The 3 participants together reveal each farmer’s supply amount s k for this price (and only for this price). This concludes the auction.
Number theory Interlude: Let p be a prime and assume that p = 3 (mod 4). Let x be a square mod p and let y = x (p+1)/4 (mod p). Then y 2 = x (mod p). Example: Let p = 19. Let x = 17 = -2 (mod 19). Compute x (19+1)/4 = (-2) 5 = -32 = 6 (mod 19). Check: 6 2 = 17 (mod 19)
Flipping a Coin without Knowing the Result (Sharing a Random Bit) P 1 chooses a random number b 1 and shares b 1 P 2 chooses a random number b 2 and shares b 2 P 3 chooses a random number b 3 and shares b 3 Let b = b 1 + b 2 + b 3 They now have shares of b (but they do not know b ) Each person adds together the shares received. This means: there is a linear function f(x) = b + ax and P 1 knows f(1), P 2 knows f(2), P 3 knows f(3)
Construct shared random bits b 0, b 1,..., b n+k Share R = b 0 + 2b n+k b n+k Compute A = 2 n+k+1 – R + 2 n + d – s = a 0 + 2a n+k+1 a n+k+1 A is originally shared, but it can revealed since s and d are masked by R. This allows us to compute the binary expansion of A. Compute the shares of the nth bit of A + R = 2 n+k n + d – s This can be done by a series of shared bit operations. If the bit is 0 then s>d. If the bit is 1 then s < d. P 1, P 2, P 3 together reveal this bit.
Flipping a Coin without Knowing the Result (Continued) Recall: f(x) = b + ax and b = b 1 + b 2 + b 3 P 1 computes f(1) 2 and tells P 2 and P 3 the result, P 2 computes f(2) 2 and tells P 1 and P 3 the result, P 3 computes f(3) 2 and tells P 1 and P 2 the result, They compute 3f(1) 2 – 3f(2) 2 + f(3) 2 = b 2 They compute v = (b 2 ) (p+1)/4 = +b or –b (mod p) v -1 b = +1 or -1 (mod p) The shares of b are v -1 f(1), v -1 f(2), v -1 f(3)