Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation.

Published byLeonard Strickland Modified over 9 years ago

Similar presentations

Presentation on theme: "1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation."— Presentation transcript:

1 1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation material by Vinod Vaikuntanathan, MIT

2 2 Fully Homomorphic Encryption

3 33 Confidentiality of static data: plain encryption x1x1

4 44 Confidentiality of data inside computation: Fully Homomorphic Encryption v=x+y; w=f(v); return w;

5 55 Fully Homomorphic Encryption Goal: delegate computation on data without revealing it A confidentiality goal

6 66 Example 1: Private search Delegate processing of data without revealing it ► You:Encrypt the query, send to Google (Google does not know the key, cannot “see” the query) ► Google:Encrypted query → Encrypted results (You decrypt and recover the search results)

7 77 Example 2: Private Cloud Computing Delegate processing of data without revealing it (Input: x)(Program: P) (Enc(x), P) → Enc(P(x)) Encrypt x

8 88 Fully Homomorphic Encryption Encrypted x, Program P → Encrypted P(x) Definition: ( KeyGen, Enc, Dec, Eval ) (as in regular public/private-key encryption) – If c = Enc ( PK, x ) and c′ = Eval ( PK, c, P ),  Compactness: Length of c′ independent of size of P  Security: semantic security / indistinguishability [GM82]  Correctness of Eval: For every input x, program P then Dec ( SK, c’ ) = P(x).

9 99 History of Fully Homomorphic Encryption – First Defined: “Privacy homomorphism” [Rivest Adleman Dertouzos 78] motivation: searching encrypted data Non-compact homomorphic encryption: Based on Yao garbled circuits [SYY 99] [MGH 08]: c* grows exp with degree/depth [IP 07] branching programs Since 1978 Eval: P, Enc(x)  Enc(P(x))

10 10 Fully Homomorphic Encryption – using just integer addition and multiplication ►Full-semester course ►Today: an alternative construction [DGHV 10] Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” – easier to understand, implement and improve Since 1978 Eval: P, Enc(x)  Enc(P(x))

11 11 Constructing fully-homomoprhic encryption assuming hardness of approximate GCD

12 12 A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 2. Public-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 3. Public-key FULLY Homomorphic Encryption (under approx GCD + sparse subset sum) (a simple transformation) (borrows from Gentry’s techniques) 12

13 13 Secret-key Homomorphic Encryption  Secret key: a large n 2 -bit odd number p  To Encrypt a bit b: – pick a random “large” multiple of p, say q·p – pick a random “small” even number 2·r – Ciphertext c = q·p+2·r+b  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) “noise” (sec. param = n)

14 14 Secret-key Homomorphic Encryption  How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2

15 15 Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail) – Consider c = qp+2r+b ← Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r’ ≠ 2r+b r’ – lsb(r’) ≠ b

16 16 Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail)  Can perform “limited” number of hom. operations  What we have: “Somewhat Homomorphic” Encryption

17 17 Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 Δ – Wlog, assume that x 0 is the largest of them

18 18 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ

19 19 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (“small” even noise) + b

20 20 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult

21 21 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult

22 22 A Roadmap  Secret-key “Somewhat” Homomorphic Encryption  Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption

23 23 How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if d << n. f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x 2 ·x 5 ·x d-2 Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or m terms

24 24 Bootstrapping: from “somewhat HE” to “fully HE” Decrypt-then-NAND circuit Dec NAND c1c1 sk c2c2

25 25 “Somewhat” HE“Bootstrappable” Bootstrapping: from “somewhat HE” to “fully HE” FHE = Can eval all circuits Theorem [Gentry’09]: Convert “bootstrappable” → FHE. Decrypt-then-NAND circuit Dec NAND c1c1 sk c2c2

26 26 Is our Scheme “Bootstrappable”? What functions can the scheme evaluate? Complexity of the Decrypt-then-NAND circuit (?) Can be made bootstrappable by “preprocessing” some of the decryption outside the decryption circuit (Following [Gentry 09]) Caveat: Assume Hardness of “Sparse Subset Sum” (polynomials of degree < n) (degree ~ n 1.73 polynomial)

27 27 Security (of the “somewhat” homomorphic scheme)

28 28 The Approximate GCD Assumption q 1 p+r 1 p? p q 1 ← [0…Q] r 1 ← [-R…R] odd p ← [0…P] (q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R

29 29 p? p Assumption: no PPT adversary can guess the number p Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q 0 p+2r 0,{q i p+2r i }) Enc(b) =(qp+2r+b) = (proof of security) (q 1 p+r 1,…, q t p+r t )

30 30 Progress in FHE ►“Galactic” → “Efficient” Asymptotically: nearly linear-time* algorithms ► Strange assumptions → Mild assumptions *linear-time in the security parameter – Best Known [BGV11]: (leveled) FHE from worst-case hardness of n O(log n) -approx short vectors on lattices 30

31 31 Multi-key FHE Function f x1x1 c 1 = Enc(pk 1,x 1 ) x2x2 c 2 = Enc(pk 2,x 2 ) sk 1, pk 1 sk 2, pk 2

32 32 Multi-key FHE Function f x1x1 y = Eval(f,c 1,c 2 ) Dec(sk 1,sk 2 y)=f(x 1,x 2 ) Correctness: x2x2 sk 1, pk 1 sk 2, pk 2 Dec

33 33 Fully Homomorphic Encryption Whiteboard discussion: Properties Performance Contrast with obfuscation Usefulness

34 34 Protecting memory using Oblivious RAM

35 35 Motivation: memory/storage attacks Physical attacks –Memory/storage is on a physical separate device (DRAM chip, SD card, hard disk, …) –Communication between CPU and device is easy to tap –Memory/storage device may be under attack or stolen Aggravated by data remanence problem Software side channels –Leakage of accesses memory addresses across software confinement boundaries (via data cache, instruction cache, page table, …) Network attacks –External storage (file server, Network Attached Storage, cloud service, …) –Remote server/appliance/provider may be compromised

36 36 Protecting against memory attack Computation model: –Random access memory –Small processor (logarithmic in memory size) Leakage/tampering model: –All memory accesses (both data and address) leak or are corrupted arbitrary (relaxation: by polytime adversary) –Processor assumed secure Goal: a compiler that converts any program into one that resists memory attacks –Functionality: input/output precisely preserved –Security: privacy against leakage [MR04] with suitable (restricted) circuit classes and admissible functions

37 37 Protecting memory content from leakage Encrypt the whole memory as a single message Encrypt every block separately –encrypt block data using AES –encrypt block number + data using AES –encrypt block using semantically-secure (probabilistic encryption Keep the decryption key inside the secure processor inefficient Insecure OK

38 38 Protecting memory content from corruption Sign every block, keep the signing key inside the secure processor Hash every block, keep digests inside the secure processor Using Merkle trees –Maintain a Merkle hash tree over the memory –Merkle nodes stored in the unstrusted memory –Merkle root stored in secure processor –At every read, processor verifies Merkle path –At every write, update Merkle path OK Insecure inefficient

39 39 Oblivious RAM [Goldreich Ostrovsky ‘96]… Protecting against memory access leakage

40 40 “Simple ORAM” construction [Chung Pass ‘13]

41 41 Simple ORAM” construction: reading

42 42 Simple “ORAM” construction: further details

Download ppt "1 Information Security – Theory vs. Reality 0368-4474, Winter 2015-2016 Lecture 11: Fully homomorphic encryption Lecturer: Eran Tromer Including presentation."

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.

Side-Channel Attacks on RSA with CRT Weakness of RSA Alexander Kozak Jared Vanderbeck.
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.

CS555Topic 241 Cryptography CS 555 Topic 24: Secure Function Evaluation.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.

11 Provable Security. 22 Given a ciphertext, find the corresponding plaintext.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Software Certification and Attestation Rajat Moona Director General, C-DAC.

Software Certification and Attestation Rajat Moona Director General, C-DAC.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.

Protecting Circuits from Leakage the computationally bounded and noisy cases Sebastian Faust Eurocrypt 2010, Nice Joint work with KU Leuven Tal Rabin Leo.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:

Dr Alejandra Flores-Mosri Message Authentication Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to:
Lattice-Based Cryptography

Lattice-Based Cryptography
Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.

Cryptography in The Presence of Continuous Side-Channel Attacks Ali Juma University of Toronto Yevgeniy Vahlis Columbia University.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Similar presentations

Ads by Google