Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk, and Qiang Tang FIT 2016, February 6, 2016.


1 Aggelos Kiayias, Nikos Leonardos, Helger Lipmaa, Kateryna Pavlyk, and Qiang Tang FIT 2016, February 6, 2016

2  Construct optimal rate cryptographic protocol to privately retrieve a database element  Construction:  recursive, starts from a ”semi-good” construction  We use complicated techniques from algebra / analysis  Galois theory, Newton-Puiseux algorithm  Not really much crypto…  Getting good rate important in other areas of (T)(CS)  but our techniques seem to be unique

3 I am boooored. I want to watch a movie. Bob sells them!

4
- Yo, send me "Teletubbies"
- 0x123456789ABCDEF…
- Accompanied with a payment
- But Bob thinks I am a cool guy, I don't want him to know I watch "Teletubbies"

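5
- Alice (holds index): generates pk, sk; sends $\mathrm{Encrypt}_{pk}(\text{index})$
- Bob ($n$ movies, each $\ell$ bits): returns $\mathrm{Encrypt}_{pk}(\text{movie}[\text{index}])$
- Alice uses sk to decrypt, obtains movie[index]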

6 Alice holds index $\in \{1, \dots, n\}$ and sends $\mathrm{Encrypt}_{pk}(\text{index})$; Bob holds movie[1] … movie[n] and returns $\mathrm{Encrypt}_{pk}(\text{movie}[\text{index}])$
- Correctness: Alice obtains movie[index]
- Bob's privacy: Alice obtains only movie[index]
- Alice's privacy: Bob obtains no information about index
- Efficiency: it should be communication-wise and computation-wise efficient

7 = $\log_2 n + \ell$ bits

8
- Achieve optimal rate $1 - o(1)$
  - As close to 1 as possible
  - So we get a good rate for practically relevant values of $\ell$
- Some communication overhead inherent due to privacy

9 Focus was on minimizing communication as a function of $n$

Work                      Rate
[Lipmaa, 2005]            $1 / (\log_2 n + 1) - o(1)$
[Gentry, Ramzan 2005]     $1/4 - o(1)$
[Lipmaa, 2009]            $1/2 - o(1)$

10

Work                      Rate
[Lipmaa, 2005]            $1 / (\log_2 n + 1) - o(1)$
[Gentry, Ramzan 2005]     $1/4 - o(1)$
[Lipmaa, 2009]            $1/2 - o(1)$
This work                 $1 - o(1)$

- Previous work: focus was on minimizing communication as a function of $n$
- This work: focus on minimizing communication as a function of $\ell$

11
- Cryptosystem: encrypts messages…
- Additively homomorphic:
  - $\mathrm{Enc}_s(m_1) \cdot \mathrm{Enc}_s(m_2) = \mathrm{Enc}_s(m_1 + m_2)$
- Optimal rate:
  - For any $m$, $|\mathrm{Enc}_s(m)| = |m| + k$, where $s = \ell / k$
  - $k = \log N$: security parameter (key length), needed for privacy
- $\mathrm{Enc}_s(m \bmod N^s; r) = (1+N)^m \, r^{N^s} \bmod N^{s+1}$

12
- Only known optimal rate AH cryptosystems are DJ01, DJ03
  - Optimal rate non-homomorphic, homomorphic non-optimal rate: many candidates
- IND-CPA security:
  - $\mathrm{Enc}_s(m_0)$ and $\mathrm{Enc}_s(m_1)$ are computationally indistinguishable
  - DJ01 is IND-CPA secure under the DCRA assumption
  - Tautological but well-known assumption
- DJ01: $\mathrm{Enc}_s(m \bmod N^s; r) = (1+N)^m \, r^{N^s} \bmod N^{s+1}$
- DJ03: $\mathrm{Enc}_s(m \bmod N^s; r) = \left(g^r \bmod N,\; (1+N)^m \, (h^r \bmod N)^{N^s} \bmod N^{s+1}\right)$

13
- Alice transfers
  - $C_i = \mathrm{Enc}_s([\text{index} = i])$, $i = 1, \dots, w-1$
- Bob does:
  - $C_w = \mathrm{Enc}_s(1) / \prod_{i<w} C_i = \mathrm{Enc}_s([\text{index} = w])$
  - Return $D = \prod_i C_i^{\text{movie}[i]} = \mathrm{Enc}_s\left(\sum_i [\text{index} = i] \cdot \text{movie}[i]\right) = \mathrm{Enc}_s(\text{movie}[\text{index}])$
- Computationally private: index is hidden iff Enc is secure
- $|C_i| = |D| = \ell + k$

14
- Alice transfers $w-1$ ciphertexts, $(w-1)(\ell + k)$ bits
- Bob transfers one ciphertext, $\ell + k$ bits
- "Semi-good" rate: $1/w - O(\ell^{-1})$
  - Best rate ($w = 2$): $1/2 - O(\ell^{-1})$
- We need good ($1 - o(1)$) rate CPIR for large $w$
- Recursive construction
  - relies on Bob's message being short

15 [Figure: binary decision tree with node labels $x_3$, $x_2$, $x_2$, $x_1$, $x_1$, $x_1$, $x_1$, …]

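16 [Figure: the binary tree with node labels $x_3$, $x_2$, $x_1$ evaluated over leaves $D_0, D_1, D_2, D_3, D_4, D_5, \dots$]
- 2CPIR($x_1$, ·) outputs: $D_{x_1}$, $D_{2+x_1}$, $D_{4+x_1}$, $D_{6+x_1}$
- 2CPIR($x_2$, ·) outputs: $D_{x_1+2x_2}$, $D_{4+x_1+2x_2}$
- 2CPIR($x_3$, ·) output: $D_{x_1+2x_2+4x_3}$
- Generalization: use w-ary tree instead of binary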

17
- Let $m = \log_w n$ // tree depth
- Alice sends:
  - $\mathrm{Enc}_{s+m}([x_i = j])$, for $i = 1..m$, $j = 0..w-1$
  - Appr. $(w-1)\, m\, (\ell + mk)$ bits
  - Small optimizations possible
- Bob sends:
  - $\mathrm{Enc}_{s+m}(\dots(\mathrm{Enc}_{s+1}(\mathrm{Enc}_s(\text{movie}[\text{index}]))))$
  - $m$ times encryption
  - Appr. $\ell + mk$ bits
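The selection step of slide 13 and its tree recursion from slides 16 and 17, as an added Python example (not code from the talk). Assumptions: constructed toy primes, hypothetical function names, decryption by simple base-N digit extraction rather than the DJ01 decryption routine, and level j (counting from 0) encrypted under Enc_{s+j} so that each level's ciphertexts fit the next level's plaintext space.

```python
import math, secrets

# Constructed toy key: tiny primes so the demo runs instantly (not secure).
P, Q = 1009, 1013
N, PHI = P * Q, (P - 1) * (Q - 1)

def enc(s, m):
    """DJ01: Enc_s(m; r) = (1+N)^m * r^(N^s) mod N^(s+1)."""
    mod = N ** (s + 1)
    r = secrets.randbelow(N - 1) + 1
    while math.gcd(r, N) != 1:
        r = secrets.randbelow(N - 1) + 1
    return pow(1 + N, m, mod) * pow(r, N ** s, mod) % mod

def dec(s, c):
    """Recover m mod N^s one base-N digit at a time."""
    a = pow(c, PHI, N ** (s + 1))      # (1+N)^(m*PHI): the randomness cancels
    x = 0
    for j in range(1, s + 1):
        mod = N ** (j + 1)
        rest = a * pow(pow(1 + N, x, mod), -1, mod) % mod   # 1 + digit*N^j
        x += (rest - 1) // N ** j % N * N ** (j - 1)
    return x * pow(PHI, -1, N ** s) % N ** s

def query(s, digit, w):
    """Alice: C_i = Enc_s([digit = i]) for the first w-1 values of i."""
    return [enc(s, int(digit == i)) for i in range(w - 1)]

def answer(s, q, block):
    """Bob: derive C_w = Enc_s(1) / prod C_i, return prod C_i^block[i]."""
    mod = N ** (s + 1)
    last = enc(s, 1)
    for c in q:
        last = last * pow(c, -1, mod) % mod
    d = 1
    for c, item in zip(q + [last], block):
        d = d * pow(c, item, mod) % mod
    return d

def retrieve(db, index, w, m, s):
    """w-ary tree over len(db) = w^m items, each item < N^s (0-based index)."""
    digits = [index // w ** j % w for j in range(m)]      # index = sum x_j w^j
    queries = [query(s + j, x, w) for j, x in enumerate(digits)]  # Alice -> Bob
    for j, q in enumerate(queries):                       # Bob folds one level
        db = [answer(s + j, q, db[i:i + w]) for i in range(0, len(db), w)]
    d = db[0]                                             # Bob -> Alice
    for j in reversed(range(m)):                          # Alice peels m layers
        d = dec(s + j, d)
    return d
```

Bob's single reply grows by one factor of N per level, which is the short-answer property the recursive construction relies on.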

18
- Communication of [Lip05] $(N, \ell)$CPIR:
  - Alice: $\mathrm{rec5}(w, n, \ell, k) = (\ell + (\log_w n + 1)k/2)\,(w-1) \log_w n$
  - Bob: $\mathrm{sen5}(w, n, \ell, k) = (\ell/k + \log_w n)\,k = \ell + k \log_w n$
- Rate of [Lip05]:
  - $(\ell + \log_2 n) / (\mathrm{rec5} + \mathrm{sen5}) = 1 / ((w-1) \log_w n + 1) - O(\ell^{-1})$
  - Optimal when $w = 2$: $1 / (\log_2 n + 1) - O(\ell^{-1})$

19
- For some $t$, parallel-execute $t$ copies of $(w, \ell/t)$CPIR
  - Alice: $\mathrm{rec9}(w, n, \ell, k) = \mathrm{rec5}(w, n, \ell/t, k) = (\ell/t + (\log_w n + 1)k/2)\,(w-1) \log_w n$
  - Bob: $\mathrm{sen9}(w, n, \ell, k) = t \cdot \mathrm{sen5}(w, n, \ell/t, k) = \ell + kt \log_w n$
- Rate: $(\ell + \log_2 n) / (\mathrm{rec} + \mathrm{sen}) = t / ((w-1) \log_w n + t) - O(\ell^{-1})$
  - $t$ must be independent of $\ell$
- [Lip09] recommendation: if $w = 2$, $t = \log_2 n$, then rate $= 1/2 - O(\ell^{-1})$

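20 [Figure: the binary tree with node labels $x_3$, $x_2$, $x_1$ over leaves $D_0, \dots, D_5, \dots$, annotated with the sizes at each level]
- Leaves: $\ell = s_1 k$ bits, split into $t_1$ pieces, each $s_1 k / t_1$ bits
- After level 1: $t_1$ pieces, each $(s_1+1)k/t_1$ bits; $(s_1+1)k$ bits $= s_2 k$ bits
- Level 2: $t_2$ pieces, each $s_2 k/t_2$ bits; output $t_2$ pieces, each $(s_2+1)k/t_2$ bits; $(s_2+1)k$ bits
- Level 3: $t_3$ pieces, each $s_3 k/t_3$ bits; …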

21
- Communication for $m = \log_w n$:
  - $\mathrm{com}(w, m, s, k, \ell) = (w-1)\,k \left(\sum_{i=1}^{m} s_i + m\right) + \ell \prod_{i=1}^{m} (1 + 1/s_i)$
- Using multivariate optimization, $\partial \mathrm{com} / \partial s_i = 0$:
  - Optimal choice $s_1 = \dots = s_m =: s$
  - $\mathrm{com}(w, m, s, k, \ell) = (w-1)\,k\,(s+1)\,m + \ell\,(1 + 1/s)^m$
- Optimal $s$:
  - When $\partial \mathrm{com} / \partial s = (w-1)\,mk - m\,\ell\,(s+1)^{m-1} / s^{m+1} = 0$

22
- Alternatively: $f_m(s, \sigma) = 0$ where
  - $f_m(x, y) := y\,x^{m+1} - (x+1)^{m-1}$
  - $\sigma = (w-1)k / \ell$
- Optimal $s$: root of a degree-$(m+1)$ polynomial
  - Abel-Ruffini: cannot find roots for $m > 3$
  - In practice $m < 15$ but still…
- Abel-Ruffini: cannot solve degree-$(m+1)$ polynomials in general. We use Galois theory to show that we cannot even do it for $f_4(x, 1)$

23
- Analysis to the rescue!
- Newton-Puiseux series: $\sum_{i \ge k} c_i X^{i/n}$ for integer $n$
- Newton-Puiseux theorem: the solution in $x$, viewed as function of $y$, of any polynomial equation $f(x, y) = 0$ can be expanded as Puiseux series that are convergent in some neighborhood of the origin
- Newton-Puiseux algorithm:
  - given polynomial $f(x, y)$, finds such series
  - First finds $c_k$, then $c_{k+1}$, …

24 σ = (w – 1) k / ℓ

25 $m = \log_w n$. Quinary decision trees?!

26
- In practice:
  - Suffices to find an integer approximation of $s$
  - Recall $s = \sigma^{-1/2} + (m-1)/2 + \dots$
  - We show $\sigma^{-1/2} < s < \sigma^{-1/2} + (m-1)/2$
- We find optimal integer $s$ by using Boolean search
  - $\approx \log_2 m \approx \log_2 \log_2 n$ steps
  - … in practice up to 3 steps
- $\sigma = (w-1)k / \ell$
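The integer search described on this slide, as an added Python example (not code from the talk). It assumes the simplified expression com = (w-1)k(s+1)m + ℓ(1+1/s)^m from slide 21, uses a binary search over neighbouring integers within the bounds stated above, and the function names are hypothetical; rates computed from this simplified expression need not equal figures obtained from a more detailed communication count.

```python
import math
from fractions import Fraction

def com(w, m, s, k, ell):
    """Total communication (w-1)k(s+1)m + ell(1+1/s)^m, in exact arithmetic."""
    return (w - 1) * k * (s + 1) * m + ell * (1 + Fraction(1, s)) ** m

def optimal_integer_s(w, m, k, ell):
    """Integer minimiser of com inside sigma^-1/2 < s < sigma^-1/2 + (m-1)/2.

    Returns (s, number of search steps).
    """
    sigma = (w - 1) * k / ell
    lo = max(1, math.floor(sigma ** -0.5))
    hi = math.ceil(sigma ** -0.5 + (m - 1) / 2)
    steps = 0
    while lo < hi:                 # com is convex in s: compare neighbours
        mid = (lo + hi) // 2
        if com(w, m, mid, k, ell) <= com(w, m, mid + 1, k, ell):
            hi = mid               # minimum is at mid or to its left
        else:
            lo = mid + 1           # minimum is to the right of mid
        steps += 1
    return lo, steps

def rate(w, m, s, k, ell):
    """Useful bits (ell + log2 n, with n = w^m) over total communication."""
    return (ell + m * math.log2(w)) / float(com(w, m, s, k, ell))
```

With k = 2048, w = 5, m = 7 and ℓ = 200k, `optimal_integer_s(5, 7, 2048, 200 * 2048)` returns s = 10 after two search steps.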

27 $k = 2048$, $w = 5$, $n = 5^7 = 78125$

ℓ                               Integer s    Rate
200 k = 409.6 KB                10           0.27013
1200 k = 2.4576 MB              20           0.511077
10^4 k = 20.48 MB               53           0.765346
6.95 * 10^4 k = 142.3 MB        135          0.901275
10^5 k = 204.8 MB               162          0.915617
10^6 k = 2.048 GB               503          0.971661
10^7 k = 20.48 GB               1585         0.991067

28
- Getting an asymptotically good rate is important
- Getting $o$ in $1 - o(1)$ as small as possible is more important
  - Rate > 0.9 for realistic movie sizes!
- Nice math is also important

29 [Figure labels:]
- $(w, \ell)$CPIR with rate-optimal output
- Rate-optimal $(w^m, \ell)$CPIR
- Rate-optimal additively homomorphic PKC
- Rate-optimal homomorphic PKC for poly-size decision diagrams
- Decision tree
- Decision diagram

30
- Horrible-rate general functionalities (FHE)
- Rate-1 linear functionalities
- New: Rate-1 poly-size decision diagram functionalities

31

32
- Simpler analysis?
- Even smaller $o$?
- Computation?
  - Yet another million-dollar question in cryptography:
  - Construct computationally efficient optimal rate (additively) homomorphic cryptosystem
  - For at least the same complexity class

33

