Presentation is loading. Please wait.

Presentation is loading. Please wait.

On Homomorphic Encryption and Secure Computation challenge response Shai Halevi June 16, 2011.

Published byJosephine Dean Modified over 9 years ago

Similar presentations

Presentation on theme: "On Homomorphic Encryption and Secure Computation challenge response Shai Halevi June 16, 2011."— Presentation transcript:

1 On Homomorphic Encryption and Secure Computation challenge response Shai Halevi June 16, 2011

2 2 Computing on Encrypted Data Wouldn’t it be nice to be able to… oEncrypt my data in the cloud oWhile still allowing the cloud to search/sort/edit/… this data on my behalf oKeeping the data in the cloud in encrypted form  Without needing to ship it back and forth to be decrypted

3 June 16, 20113 Computing on Encrypted Data Wouldn’t it be nice to be able to… oEncrypt my queries to the cloud oWhile still allowing the cloud to process them oCloud returns encrypted answers  that I can decrypt

4 June 16, 20114 $skj#hS28ksytA@ … Computing on Encrypted Data Directions From: Tel-Aviv University, Tel-Aviv, Israel To: Technion, Haifa, Israel

5 June 16, 20115 Computing on Encrypted Data $kjh9*mslt@na0 &maXxjq02bflx m^00a2nm5,A4. pE.abxp3m58bsa (3saM%w,snanba nq~mD=3akm2,A Z,ltnhde83|3mz{n dewiunb4]gnbTa* kjew^bwJ^mdns0

6 Constructing Homomorphic Encryption

7 June 16, 20117 Privacy Homomorphisms [RAD78] Some examples: o“Raw RSA”: c  x e mod N ( x  c d mod N )  x 1 e x x 2 e = ( x 1 x x 2 ) e mod N oGM84: Enc( 0 )  R QR, Enc( 1 )  R QNR (in Z N * )  Enc( x 1 ) x Enc( x 2 ) = Enc( x 1  x 2 ) mod N Plaintext space P Ciphertext space C x 1 x 2 c i  Enc( x i ) c 1 c 2  yd y  Dec( d )

8 June 16, 20118 More Privacy Homomorphisms oMult-mod-p [ElGamal’84] oAdd-mod-N [Pallier’98] oQuadratic-polys mod p [BGN’06] oBranching programs [IP’07] oLater, a “different type of solution” for any circuit [Yao’82,…]  Also NC1 circuits [SYY’00]

9 June 16, 20119 (x,+)-Homomorphic Encryption It will be really nice to have… oPlaintext space Z 2 (w/ ops +,x) oCiphertexts live in an algebraic ring R (w/ ops +,x) oHomomorphic for both + and x  Enc( x 1 ) + Enc( x 2 ) in R = Enc( x 1 + x 2 mod 2)  Enc( x 1 ) x Enc( x 2 ) in R = Enc( x 1 x x 2 mod 2) oThen we can compute any function on the encryptions  Since every binary function is a polynomial oWe won’t get exactly this, but it’s a good motivation

10 June 16, 201110 Some Notations oAn encryption scheme: (KeyGen, Enc, Dec)  Plaintext-space = {0,1}  ( pk,sk)  KeyGen($), c  Enc pk ( b ), b  Dec sk ( c ) oSemantic security [GM’84]: ( pk, Enc pk ( 0 ))  ( pk, Enc pk ( 1 ))  means indistinguishable by efficient algorithms

11 June 16, 201111 oH = { KeyGen, Enc, Dec, Eval } c*  Eval pk ( f, c ) oHomomorphic: Dec sk (Eval pk ( f, Enc pk ( x ))) = f ( x )  c* may not look like a “fresh” ciphertext  As long as it decrypts to f(x) oFunction-private: c* hides f oCompact: Decrypting c* easier than computing f  | c* | independent of the complexity of f Homomorphic Encryption c*c*

12 June 16, 201112 (x,+)-Homomorphic Encryption, the [Gentry09] blueprint Evaluate any function in four “easy” steps oStep 1: Encryption from linear ECCs  Additive homomorphism oStep 2: ECC lives inside a ring  Also multiplicative homomorphism  But only for a few operations (i.e., low-degree poly’s) oStep 3: Bootstrapping  Few ops (but not too few)  any number of ops oStep 4: Everything else

13 June 16, 201113 Step One: Encryption from Linear ECCs oFor “random looking” codes, hard to distinguish close/far from code oMany cryptosystems built on this hardness  E.g., [McEliece’78, AD’97, GGH’97, R’03,…]

14 June 16, 201114 Encryption from linear ECCs oKeyGen: choose a “random” code C  Secret key: “good representation” of C  Allows correction of “large” errors  Public key: “bad representation” of C oEnc(0): a word close to C oEnc(1): a random word  Far from C (with high probability)

15 June 16, 201115 An Example: Integers mod p (similar to [Regev’03]) oCode determined by an integer p  Codewords: multiples of p oGood representation: p itself oBad representation:  N = pq, and also many many x i = pq i + r i oEnc(0): subset-sum( x i ’s)+ r mod N oEnc(1): random integer mod N r i << p p N

16 A Different Input Encoding oBoth Enc(0), Enc(1) close to the code  Enc(0): distance to code is even  Enc(1): distance to code is odd oIn our example of integers mod p :  Enc( b ) = 2(subset-sum( x i ’s )+ r ) + b mod N  Dec( c ) = ( c mod p ) mod 2 June 16, 201116

17 June 16, 201117 Additive Homomorphism oc 1 +c 2 = (codeword 1 + codeword 2 ) +2(r 1 +r 2 )+b 1 +b 2  codeword 1 + codeword 2  Code  If 2(r 1 +r 2 )+b 1 +b 2 < min-dist/2, then it is the dist( c 1 +c 2, Code ) = 2(r 1 +r 2 )+b 1 +b 2  dist( c 1 +c 2, Code ) mod 2 = b 1 +b 2 oAdditively-homomorphic while close to Code

18 June 16, 201118 Step 2: ECC Lives in a Ring R oWhat happens when multiplying in R :  c 1 c 2 = (codeword 1 +2r 1 +b 1 ) x (codeword 2 +2r 2 +b 2 ) = codeword 1 X + Y codeword 2 + ( 2r 1 +b 1 )( 2r 2 +b 2 ) oIf:  codeword 1 X + Y codeword 2  Code  ( 2r 1 +b 1 )( 2r 2 +b 2 ) < min-dist/2 oThen  dist( c 1 c 2, Code ) = ( 2r 1 +b 1 )( 2r 2 +b 2 ) = b 1 b 2 mod 2 Code is an ideal Product in R of small elements is small

19 Instantiations o[Gentry ‘09] Polynomial Rings  Security based on hardness of “Bounded-Distance Decoding” in ideal lattices o[vDGHV ‘10] Integer Ring  Security based on hardness of the “approximate- GCD” problem o[GHV ‘10] Matrix Rings*  Only degree-2 polynomials, security based on hardness of “Learning with Errors” o[BV ‘11a] Polynomial Rings  Security based on “ring LWE” June 16, 201119

20 June 16, 201120 Integers Rings [vDGHV’10] oRecall mod- p scheme: c i = q i p + 2r i +b i (mod N = qp )  Parameters: |r i |=n, |p|=n 2, |q|=|q i |=n 5 oc 1 +c 2 mod N = ( q 1 +q 2 ) p + 2( r 1 +r 2 )+( b 1 +b 2 )  N  sum mod p = 2( r 1 +r 2 ) + ( b 1 +b 2 ) oc 1 x c 2 mod N = ( c 1 q 2 +q 1 c 2  q 1 q 2 )p  N + 2 ( 2r 1 r 2 +r 1 m 2 +m 1 r 2 ) + b 1 b 2  product mod p = 2 ( 2r 1 r 2 + …) + b 1 b 2 oCan evaluate polynomials of degree ~ n before the distance from Code exceeds p /2

21 June 16, 201121 Integers Rings [vDGHV’10] Thm: “Approximate GCD” is hard  Enc(0), Enc(1) are indistinguishable oApprixmate-GCD: Given N = qp and many x i = pq i + r i, hard to recover p

22 June 16, 201122 Polynomial Rings [G’09] oR = polynomial ring modulo some f(x)  E.g., f(x) = x n +1 o Code is an ideal in R  E.g., random g(x), Code g = { g x h mod f : h  R }  Code is also a lattice  Good representation: g itself  Bad representation: Hermite-Normal-Form oIf g has t -bit coefficients, can evaluate polynomials of degree O( t/log n )

23 June 16, 201123 Polynomial Rings [G’09, G’10] Thm: If Bounded-Distance Decoding in ideal lattices is hard, then Enc(0), Enc(1) are indistinguishable oBounded-Distance-Decoding: Given x close to the lattice, find dist( x, lattice)

24 June 16, 201124 Matrix Rings* [GHV’10] o R = ring of m x m matrices over Z q  q = poly( n ), m > n log q ( n security-parameter) o C has low-rank matrices mod q (rank= n )  A is a random n x m matrix, C A = { AX : X  R }  Bad representation: A itself  Good representation: full rank T m x m (over Z ), small entries, TA = 0 mod q Problem: C A is left-ideal, but not right-ideal Can still evaluate quadratic formulas, no more *Doesn’t quite fit the mold

25 June 16, 201125 Matrix Rings* [GHV’10] Thm: Learning with Errors hard  Enc(0), Enc(1) are indistinguishable oLearning with Errors: Given A, Ax + e (random A,x, small error e ), find x *Doesn’t quite fit the mold

26 June 16, 201126 Step 3: Bootstrapping [G’09] oSo far, can evaluate low-degree polynomials P(x 1, x 2, …, x t ) x1x1 … x2x2 xtxt P

27 June 16, 201127 Step 3: Bootstrapping [G’09] oSo far, can evaluate low-degree polynomials oCan eval y = P(x 1,x 2 …,x n ) when x i ’s are “fresh” oBut y is an “evaluated ciphertext”  Can still be decrypted  But eval Q(y) will increase noise too much P(x 1, x 2, …, x t ) x1x1 … x2x2 xtxt P

28 June 16, 201128 Step 3: Bootstrapping [G’09] oSo far, can evaluate low-degree polynomials oBootstrapping to handle higher degrees: oFor ciphertext c, consider D c (sk) = Dec sk ( c )  Hope: D c (  ) is a low-degree polynomial in sk  Then so are A c 1,c 2 (sk) = Dec sk ( c 1 ) + Dec sk ( c 2 ) and M c 1,c 2 (sk) = Dec sk ( c 1 ) x Dec sk ( c 2 ) x1x1 … x2x2 xtxt P P(x 1, x 2, …, x t )

29 June 16, 201129 M c 1,c 2 Step 3: Bootstrapping [G’09] oInclude in the public key also Enc pk ( sk ) x1x1 x2x2 sk 1 sk 2 sk n … c1c1 c2c2 M c 1,c 2 (sk) = Dec sk (c 1 ) x Dec sk (c 2 ) = x 1 x x 2 c Requires “ circular security ”

30 June 16, 201130 M c 1,c 2 Step 3: Bootstrapping [G’09] oInclude in the public key also Enc pk ( sk ) oHomomorphic computation applied only to the “fresh” encryption of sk x1x1 x2x2 sk 1 sk 2 sk n … c1c1 c2c2 M c 1,c 2 (sk) = Dec sk (c 1 ) x Dec sk (c 2 ) = x 1 x x 2 c Requires “ circular security ”

31 June 16, 201131 Step 4: Everything Else oCryptosystems from [G’09, vDGHV’10, BG’11a] cannot handle their own decryption oTricks to “squash” the decryption procedure, making it low-degree

32 Performance oEvaluating only low-degree polynomials may be reasonable oBut bootstrapping is inherently inefficient  Homomorphic decryption for each multiplication oBest implementation so far is [GH’11a]  Public key size ~ 2GB  Evaluating a multiplication takes 30 minutes June 16, 201132

33 Beyond the [G’09] Blueprint o[GH’11b] no “squashing”, still very inefficient o[BV’11b] no underlying ring, only vectors  Also no “squashing”, but still inefficient o[G’11] no bootstrapping  Builds heavily on [BV’11b]  Reduces noise “cheaply” after each multiplication  Should be at least 2-3 orders of magnitude better than [GV’11a] June 16, 201133

34 Homomorphic Encryption vs. Secure Computation

35 June 16, 201135 Client Alice has data x Server Bob has function f Alice wants to learn f(x) 1.Without telling Bob what x is 2.Bob may not want Alice to know f 3.Client Alice may also want server Bob to do most of the work computing f(x) Secure Function Evaluation (SFE)

36 June 16, 201136 Two-Message SFE [Yao’82,…] oMany different instantiations are available  Based on hardness of factoring/DL/lattices/… oAlice’s x and Bob’s f are kept private oBut Alice does as much work as Bob  Bob’s reply of size poly( n ) x (| f |+| x |) ( c,s )  SFE1( x ) r  SFE2( f,c ) r y  SFE3( s,r ) c Alice( x )Bob( f )

37 June 16, 201137 oH = { KeyGen, Enc, Dec, Eval } oSemantic security: ( pk, Enc pk (0))  ( pk, Enc pk (1)) oHomomorphic: Dec sk (Eval pk ( f, Enc pk ( x ))) = f ( x )  c* may not look like a “fresh” ciphertext  As long as it decrypts to f(x) oFunction-private: c* hides f oCompact: Decrypting c* easier than computing f  | c* | independent of the complexity of f Recall: Homomorphic Encryption c*c*

38 June 16, 201138 Aside: a Trivial Solution oEval( f,c ) =, Dec*( ) = f (Dec( c )) oNeither function-private, nor compact oNot very useful in applications

39 June 16, 201139 HE  Two-Message SFE oAlice encrypts data x  sends to Bob c  Enc( x ) oBob computes on encrypted data  sets c*  Eval( f, c )  c* is supposed to be an encryption of f ( x )  Hopefully it hides f (function-private scheme) oAlice decrypts, recovers y  Dec( c* )

40 June 16, 201140 Two-Message SFE  HE oRoughly:  Alice ’ s message c  SFE1( x ) is Enc( x )  Bob’s reply r  SFE2( f, c ) is Eval( f, c ) oNot quite public-key encryption yet  Where are ( pk, sk )?  Can be fixed with an auxiliary PKE scheme

41 June 16, 201141 Alice( x ) Two-Message SFE  HE oAdd an auxiliary encryption scheme  with ( pk,sk ) Alice( pk, x )Bob( f ) ( c,s )  SFE1( x ) r  SFE2( f,c ) r y  SFE3( s,r ) c Dora( sk )

42 June 16, 201142 Two-Message SFE  HE oRecall: | r | could be as large as poly( n )(| f |+| x |)  Not compact Alice( pk, x )Bob( f )Dora( sk ) Dec sk ( r,c ’) Eval pk ( f, c,c ’) Enc’ pk ( x ) c, c ’ r, c ’ ( c,s )  SFE1( x ) c ’  Enc pk ( s ) r  SFE2( f,c ) s  Dec sk ( c ’) y  SFE3( s,r )

43 June 16, 201143 A More Complex Setting: i-Hop HE [GHV’10b] oc 1 is not a fresh ciphertext  May look completely different oCan Charlie process it at all?  What about security? Alice( x )Bob( f )Charlie( g )Dora( sk ) c 0  Enc( x ) c 1  Eval( f,c 0 ) c 2  Eval( g,c 1 ) y  Dec( c 2 ) c0c0 c1c1 c2c2 2-Hop Homomorphic Encryption

44 June 16, 201144 Multi-Hop Homomorphic Encryption oH = { KeyGen, Enc, Eval, Dec } as before oi -Hop Homomorphic ( i is a parameter)  y = f j (f j  1 (… f 1 (x) …)) for any x, f 1,…,f j oSimilarly for i -Hop function-privacy, compactness oMulti-Hop: i -Hop for any i Eval pk ( f 1,c 0 )Enc pk ( x )Eval pk ( f 2,c 1 )Dec sk ( x ) c0c0 c1c1 c2c2 cjcj yx … Any number j  i hops

45 June 16, 201145 1-Hop  multi-Hop HE o(KeyGen,Enc,Eval,Dec) is 1-Hop HE  Can evaluate any single function on ctxt oWe have c 1 =Eval pk (f 1,c 0 ), and some other f 2 Bootstrapping: oInclude with pk also c*= Enc pk ( sk ) oConsider F c 1, f 2 (sk) = f 2 ( Dec sk (c 1 ) )  Let c 2 =Eval pk (F c 1, f 2, c*)

46 June 16, 201146 F c i-1, f i 1-Hop  multi-Hop HE oDrawback: | c i | grows exponentially with i :  | F c i  1, f i |  | c i  1 |+| f i |  | c i |= |Eval pk ( F c i  1, f i, c* )|  poly(n)(| c i  1 |+| f i |) oDoes not happen if underlying scheme is compact Or even |Eval pk ( F c i  1, f i, c* )| = | c i  1 |+poly(n)| f i | x i-1 sk ci1ci1 fifi F c i-1, f i (sk) c i+1 = f i ( Dec sk (c i  1 ) ) = f i (x i  1 ) c*c*

47 June 16, 201147 Other Constructions oPrivate 1-hop HE + Compact 1-hop HE  Compact, Private 1-hop HE  Compact, Private multi-hop HE oA direct construction of multi-hop HE from Yao’s protocol

48 June 16, 201148 Summary oHomomorphic Encryption is useful  Especially multi-hop HE oA method for constructing HE schemes from linear ECCs in rings  Two (+  ) known instances so far oConnection to two-message protocols for secure computation

49 Thank You

Download ppt "On Homomorphic Encryption and Secure Computation challenge response Shai Halevi June 16, 2011."

Similar presentations

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.

Efficient Private Approximation Protocols Piotr Indyk David Woodruff Work in progress.
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.

Efficiency vs. Assumptions in Secure Computation Yuval Ishai Technion & UCLA.
On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM|NYU|Columbia Theory Day, May 7, 2010.

On Homomorphic Encryption and Secure Computation challenge response Shai Halevi IBM|NYU|Columbia Theory Day, May 7, 2010.
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
On i -Hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research No relation to.

On i -Hop Homomorphic Encryption Craig Gentry, Shai Halevi, Vinod Vaikuntanathan IBM Research No relation to.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
7. Asymmetric encryption-

7. Asymmetric encryption-
Lattice-Based Cryptography

Lattice-Based Cryptography
Elliptic Curve. p2. Outline EC over Z p EC over GF(2 n )

Elliptic Curve. p2. Outline EC over Z p EC over GF(2 n )
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
A Designer’s Guide to KEMs Alex Dent

A Designer’s Guide to KEMs Alex Dent
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Similar presentations

Ads by Google