Download presentation
Presentation is loading. Please wait.
1
Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut
2
Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.
3
Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.
4
Homomorphic Encryption Basic Aggregation Operation : a “bush”
5
The computing server model for Secure Multiparty Computation Computing server is a (perhaps distributed) party in the protocol that manages the contributions and delivery of results. This model has been applied in voting, auctions and other specialized secure multiparty computations. Contributors provide (encrypted) input under the specifications of the protocol (Access control allows them to write a on a bulletin board – Role specification). Processing / Aggregation of encrypted contributions by computing server. Delivery of results / output decryption.
6
Computing Server Model: Correctness Aspect All valid contributions are included. No unauthorized contributions are permitted. Contribution Processing is done according to specifications. Auditing & Replication is added to cope with various faults and failures.
7
Computing Server Model: Privacy Aspect The computation / processing does not leak any information about contributions, beyond what trivially inferred from the public-output. Computing servers are honest w.r.t. privacy. Or, threshold techniques: –Share decryption capabilities. –Split contribution.
8
The Large Scale Setting The “Bush” model insufficient for the large scale: Load Balancing Issues. Remote Geographic Locations. Overlay networks in P2P. Non-bush approach is needed:
9
Aggregation over Trees : Scalability Each node Implements a gate for ciphertext processing Structure: Imposed by Geographic Load balancing parameters Contributions: Bush aggregation of homomorphic encryption consistent with tree deployment: every node is a bush for its children. Aggregation complexity linear in the number of children nodes
10
Connection to Elections Top-Level Regional Level (micro-) Precinct Level
11
Correctness Aspect across the Tree Scaling over tree structure: Each node is comprised by set of agents that Collectively ensure the Correctness aspect of the local Node operation Scales well over the tree hierarchical structure.
12
Privacy Aspect Decryption Agents
13
The BIGGEST brother problem Inner nodes in the tree are assuring correctness – no decryption capability. Decryption capability shared at the root? –Possible, but all kinds of privacy advocates, known election experts and election non- experts will protest: –why should the little guy put his privacy at the end of the BIGGEST brother?
14
Does old solutions work? Sharing decryption capability to decipher the result at the root among all tree nodes using threshold techniques does not scale. But scalability is our primary objective to begin with!
15
Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.
16
Idea. To solve the BIGGEST brother problem : distribute decryption capability along the tree structure. Since aggregation along the tree structure scales – enforce decryption capability to follow the same pattern.
17
User trust path User Perspective User nodes that user trusts for correctness So: the same nodes must share Decryption Capability w.r.t. that user’s privacy.
18
Our Solution: Tree homomorphic encryption with Scalable Decryption Tree is suggested by network architecture, load-balancing parameters, geography, network overlay, etc. Spreading Decryption capability across the paths of the tree so that user privacy is not violated unless the whole user trust path is corrupt.
19
Homomorphic Encryption and Aggregation. Groups: Embedding of a Z-interval within Inputs to the computation belong to set of integer Values: Capacity: length of the Z-interval. Homomorphic over randomness is useful for constructing generic proofs of knowledge.
20
Homomorphic Encryption and Aggregation, II EXAMPLE: Voting among c candidates # of votes won by j-th candidate.
21
Proofs of Knowledge Voter contributes the encryption and a proof Of knowledge. EXAMPLE: Voting among c candidates, II Proof possible for generic Homomorphic encryption scheme. Length = linear in c
22
Three steps Key generation across the tree. Encryption of inputs at leaves. along tree paths.
23
Key Generation and distribution across user trust paths Each node generates a key (independently) Can be threshold of agents within the Node. Public Keys Are Propa- Gated Down To the User level across all trust paths
24
Blind-and-Share operation l = # of levels Encryptions of shares: Capacity Condition: Encryption functions of levels for user j j-th user selects:
25
consistency Encryptions in general are over different domains (each node has independent public- key). We need consistency checks to ensure correct blind-and-sharing of the input (independent of the individual domains).
26
Proof of consistency Each of the ciphertexts Is accompanied by a commitment to the plaintext – over the same domain. Together with a proof of knowledge that ensures: 1. Each ciphertext and commitment hide the same value. 2. The aggregation of the commitments hides a value of the form such that:
27
Proof of consistency, II It follows that an encrypted contribution Contains an additive sharing of a value So that
28
Tree Aggregation … Lowest level: … … Encrypted contributions
29
Tree Aggregation, II Lowest level node obtains the aggregated ciphertext: … Where are the users assigned to the node V.
30
Tree Aggregation + Partial Decryption. … Lowest Level node Decrypts the Last entry And apply modulo operation: Lowest level: the block is propagated to the upper level
31
Tree Aggregation + Partial Decryption, II j-th level: … … The j-th level Receives partially decrypted entries From its children That are of the form: j
32
Tree Aggregation + Partial Decryption, III The j-th level node aggregate as follows: … … … … And decrypt The j-th Level.
33
Tree Aggregation + Partial Decryption, IV Top level agents, after aggregation and decryption of the top level entry obtain: … The totally decrypted Sum of shares:
34
Output recovery THEN: Top level agents recover the results as follows: … This operation Reveals the result Of the procedure In the form:
35
Output Recovery, II This works because: … = …
36
Tree Homomorphic Encryption with Scalable Decryption: implementations Generic based on any additive homomorphic encryption: Paillier or (modified) ElGamal. –Size of encrypted contribution equals length of user trust path.
37
Implementations, II Modified ElGamal accepts more efficient implementation of scalable decryption: –Constant size of contribution: independent of the length of the user trust path. –Onion style decryption.
38
Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.
39
Tree Homomorphic Encryption with Onion decryption ElGamal-specific case. Shortening of contribution encryption size. –Based on: Composition of public-key across user trust paths.
40
Initialization/Setup Additive ElGamal Specific Setup Each node creates local public key pk=g a. Global Parameters: G, g, f, h generators of G multiplicative group of prime order q. Each node computes its local combined_pk by multiplying its local pk with the combined_pk of the parent node.
41
Submission of Contributions Additive ElGamal Specific Each user makes a selection v {1, M, M 2,..., M c-1 } and publishes combined_pk is the combined public-key local to the lowest level node, i.e. combined_pk=h 0 h 1 h 2... h k where h 0, h 1, h 2,..., h k are the local pk’s of the nodes in the user trust path. r<q is selected at random.
42
Submission of Contributions, II Additive ElGamal Specific the user proves that the Encryption, is formed according to the specifications. The voter publishes: NIZK[ r : (B 1 = g r ) ( v C (B 2 = (combined_pk) r f v )]
43
Tree Aggregation + Decryption by “Onion Peeling” The low level node multiplies all encrypted contributions point-wise: is a valid ElGamal encryption of f v (due to the homomorphic property) under the public-key of all nodes in the user trust path. THEN: The node “peels-off” its layer of encryption (by doing ElGamal Decryption w.r.t. its local private-key. The process continues recursively up to the top-level node.
44
Output The top node receives the tally T = f v The space of all possible values for v is of size O(n c-1 ) and as a result it can be found in time O(n c-1 ). Using the baby-step giant-step method this can be improved to O(n (c-1)/2 ) Recovery of output:
45
Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.
46
Application To E-Voting: “Scalable” Secret Ballot Elections Arbitrary elections’ structure, size and distributions Security properties scale in parallel to the elections structure
47
Voter Distribution Smallest Administrative Unit: Microprecinct
48
The Election Tree Setup Ballot-Casting Results Security Horizon Secure Subelections
49
Outline The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case. Application to E-voting. Conclusions.
50
Conclusions Tree Homomorphic Encryption with Scalable Decryption. motivated by load-balancing / network topology geography constraints / overlay P2P networks. Assuming multi-level trust can eliminate big brother presence. Further increase of security possible by employing “paranoid security” or “multi-path election” Future applications?
Similar presentations
© 2024 SlidePlayer.com. Inc.
All rights reserved.