Slide1
On Homomorphic Encryption and Secure Computation
[Figure labels: challenge, response]
Shai Halevi
June 16, 2011
Slide2
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
Encrypt my data in the cloud
While still allowing the cloud to search/sort/edit/… this data on my behalf
Keeping the data in the cloud in encrypted form
Without needing to ship it back and forth to be decrypted
Slide3
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
Encrypt my queries to the cloud
While still allowing the cloud to process them
Cloud returns encrypted answers that I can decrypt
Slide4
Computing on Encrypted Data
Directions
From: Tel-Aviv University, Tel-Aviv, Israel
To: Technion, Haifa, Israel
$skj#hS28ksytA@ …
Slide5
Computing on Encrypted Data
[Figure: a block of encrypted text]
Slide6
Constructing Homomorphic Encryption
Slide7
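Privacy Homomorphisms [RAD78]
Some examples:
“Raw RSA”: $c \leftarrow x^e \bmod N$ ($x \leftarrow c^d \bmod N$)
$x_1^e \times x_2^e = (x_1 \times x_2)^e \bmod N$
GM84: Enc(0) $\in_R$ QR, Enc(1) $\in_R$ QNR (in $Z_N^*$)
Enc($x_1$) $\times$ Enc($x_2$) = Enc($x_1 \oplus x_2$) mod $N$
[Diagram: plaintext space P with $x_1, x_2$ and result $y$; ciphertext space C with $c_1, c_2$ and result $d$; operations * and #; $c_i \leftarrow$ Enc($x_i$), $y \leftarrow$ Dec($d$)]
Slide8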
More Privacy Homomorphisms
Mult-mod-p [ElGamal’84]
Add-mod-N [Paillier’98]
Quadratic-polys mod p [BGN’06]
Branching programs [IP’07]
Later, a “different type of solution” for any circuit [Yao’82,…]
Also NC1 circuits [SYY’00]
Slide9
(x,+)-Homomorphic Encryption
It will be really nice to have…
Plaintext space $Z_2$ (w/ ops +,x)
Ciphertexts live in an algebraic ring $R$ (w/ ops +,x)
Homomorphic for both + and x
Enc($x_1$) + Enc($x_2$) in $R$ = Enc($x_1 + x_2$ mod 2)
Enc($x_1$) x Enc($x_2$) in $R$ = Enc($x_1 \times x_2$ mod 2)
Then we can compute any function on the encryptions
Since every binary function is a polynomial
We won’t get exactly this, but it’s a good motivation
Slide10
Some Notations
An encryption scheme: (KeyGen, Enc, Dec)
Plaintext-space = {0,1}
$(pk,sk) \leftarrow \mathrm{KeyGen}(\$)$, $c \leftarrow \mathrm{Enc}_{pk}(b)$, $b \leftarrow \mathrm{Dec}_{sk}(c)$
Semantic security [GM’84]: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$
$\approx$ means indistinguishable by efficient algorithms
Slide11
Homomorphic Encryption
H = {KeyGen, Enc, Dec, Eval}
$c^* \leftarrow \mathrm{Eval}_{pk}(f, c)$
Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$
$c^*$ may not look like a “fresh” ciphertext
As long as it decrypts to $f(x)$
Function-private: $c^*$ hides $f$
Compact: Decrypting $c^*$ easier than computing $f$
$|c^*|$ independent of the complexity of $f$
Slide12
(x,+)-Homomorphic Encryption, the [Gentry09] blueprint
Evaluate any function in four “easy” steps
Step 1: Encryption from linear ECCs
Additive homomorphism
Step 2: ECC lives inside a ring
Also multiplicative homomorphism
But only for a few operations (i.e., low-degree poly’s)
Step 3: Bootstrapping
Few ops (but not too few) → any number of ops
Step 4: Everything else
Slide13
Step One: Encryption from Linear ECCs
For “random looking” codes, hard to distinguish close/far from code
Many cryptosystems built on this hardness
E.g., [McEliece’78, AD’97, GGH’97, R’03,…]
Slide14
Encryption from linear ECCs
KeyGen: choose a “random” code $C$
Secret key: “good representation” of $C$
Allows correction of “large” errors
Public key: “bad representation” of $C$
Enc(0): a word close to $C$
Enc(1): a random word
Far from $C$ (with high probability)
Slide15
An Example: Integers mod p (similar to [Regev’03])
Code determined by an integer $p$
Codewords: multiples of $p$
Good representation: $p$ itself
Bad representation: $N = pq$, and also many many $x_i = pq_i + r_i$
Enc(0): subset-sum($x_i$’s) + $r$ mod $N$
Enc(1): random integer mod $N$
$r_i \ll p$
[Figure labels: $p$, $N$]
Slide16
A Different Input Encoding
Both Enc(0), Enc(1) close to the code
Enc(0): distance to code is even
Enc(1): distance to code is odd
In our example of integers mod p:
Enc($b$) = 2(subset-sum($x_i$’s) + $r$) + $b$ mod $N$
Dec($c$) = ($c$ mod $p$) mod 2
Slide17
Additive Homomorphism
$c_1 + c_2 = (\mathrm{codeword}_1 + \mathrm{codeword}_2) + 2(r_1 + r_2) + b_1 + b_2$
$\mathrm{codeword}_1 + \mathrm{codeword}_2 \in$ Code
If $2(r_1 + r_2) + b_1 + b_2 <$ min-dist/2, then it is the distance to Code:
dist($c_1 + c_2$, Code) = $2(r_1 + r_2) + b_1 + b_2$
dist($c_1 + c_2$, Code) mod 2 = $b_1 + b_2$
Additively-homomorphic while close to Code
Slide18
Step 2: ECC Lives in a Ring $R$
What happens when multiplying in $R$:
$c_1 \cdot c_2 = (\mathrm{codeword}_1 + 2r_1 + b_1) \times (\mathrm{codeword}_2 + 2r_2 + b_2)$
$= \mathrm{codeword}_1 \cdot X + Y \cdot \mathrm{codeword}_2 + (2r_1 + b_1)(2r_2 + b_2)$
If:
$\mathrm{codeword}_1 \cdot X + Y \cdot \mathrm{codeword}_2 \in$ Code
$(2r_1 + b_1)(2r_2 + b_2) <$ min-dist/2
Then dist($c_1 c_2$, Code) = $(2r_1 + b_1)(2r_2 + b_2) = b_1 b_2$ mod 2
Code is an ideal
Product in $R$ of small elements is small
Slide19
Instantiations
[Gentry ‘09] Polynomial Rings
Security based on hardness of “Bounded-Distance Decoding” in ideal lattices
[vDGHV ‘10] Integer Ring
Security based on hardness of the “approximate-GCD” problem
[GHV ‘10] Matrix Rings*
Only degree-2 polynomials, security based on hardness of “Learning with Errors”
[BV ‘11a] Polynomial Rings
Security based on “ring LWE”
Slide20
Integer Rings [vDGHV’10]
Recall mod-p scheme: $c_i = q_i p + 2r_i + b_i$ (mod $N = qp$)
Parameters: $|r_i| = n$, $|p| = n^2$, $|q| = |q_i| = n^5$
$c_1 + c_2 \bmod N = (q_1 + q_2)p + 2(r_1 + r_2) + (b_1 + b_2) - kN$
sum mod $p$ = $2(r_1 + r_2) + (b_1 + b_2)$
$c_1 \times c_2 \bmod N = (c_1 q_2 + q_1 c_2 - q_1 q_2)p - kN + 2(2r_1 r_2 + r_1 m_2 + m_1 r_2) + b_1 b_2$
product mod $p$ = $2(2r_1 r_2 + …) + b_1 b_2$
Can evaluate polynomials of degree ~$n$ before the distance from Code exceeds $p/2$
Slide21
Integer Rings [vDGHV’10]
Thm: “Approximate GCD” is hard ⇒ Enc(0), Enc(1) are indistinguishable
Approximate-GCD: Given $N = qp$ and many $x_i = pq_i + r_i$, hard to recover $p$
Slide22
Polynomial Rings [G’09]
$R$ = polynomial ring modulo some $f(x)$
E.g., $f(x) = x^n + 1$
Code is an ideal in $R$
E.g., random $g(x)$, $\mathrm{Code}_g = \{ g \times h \bmod f : h \in R \}$
Code is also a lattice
Good representation: $g$ itself
Bad representation: Hermite-Normal-Form
If $g$ has $t$-bit coefficients, can evaluate polynomials of degree $O(t/\log n)$
Slide23
Polynomial Rings [G’09, G’10]
Thm: If Bounded-Distance Decoding in ideal lattices is hard, then Enc(0), Enc(1) are indistinguishable
Bounded-Distance-Decoding: Given $x$ close to the lattice, find dist($x$, lattice)
Slide24
Matrix Rings* [GHV’10]
$R$ = ring of $m \times m$ matrices over $Z_q$
$q$ = poly($n$), $m > n \log q$ ($n$ security-parameter)
$C$ has low-rank matrices mod $q$ (rank = $n$)
$A$ is a random $n \times m$ matrix, $C_A = \{ AX : X \in R \}$
Bad representation: $A$ itself
Good representation: full rank $T_{m \times m}$ (over $Z$), small entries, $TA = 0 \bmod q$
Problem: $C_A$ is left-ideal, but not right-ideal
Can still evaluate quadratic formulas, no more
*Doesn’t quite fit the mold
Slide25
Matrix Rings* [GHV’10]
Thm: Learning with Errors hard ⇒ Enc(0), Enc(1) are indistinguishable
Learning with Errors: Given $A$, $Ax + e$ (random $A$, $x$, small error $e$), find $x$
*Doesn’t quite fit the mold
Slide26
Step 3: Bootstrapping [G’09]
So far, can evaluate low-degree polynomials
[Diagram: inputs $x_1, x_2, …, x_t$; $P$; output $P(x_1, x_2, …, x_t)$]
Slide27
Step 3: Bootstrapping [G’09]
So far, can evaluate low-degree polynomials
Can eval $y = P(x_1, x_2 …, x_n)$ when $x_i$’s are “fresh”
But $y$ is an “evaluated ciphertext”
Can still be decrypted
But eval $Q(y)$ will increase noise too much
[Diagram: inputs $x_1, x_2, …, x_t$; $P$; output $P(x_1, x_2, …, x_t)$]
Slide28
Step 3: Bootstrapping [G’09]
So far, can evaluate low-degree polynomials
Bootstrapping to handle higher degrees:
For ciphertext $c$, consider $D_c(sk) = \mathrm{Dec}_{sk}(c)$
Hope: $D_c(*)$ is a low-degree polynomial in $sk$
Then so are $A_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) + \mathrm{Dec}_{sk}(c_2)$
and $M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2)$
[Diagram: inputs $x_1, x_2, …, x_t$; $P$; output $P(x_1, x_2, …, x_t)$]
Slide29
Step 3: Bootstrapping [G’09]
Include in the public key also $\mathrm{Enc}_{pk}(sk)$
[Diagram: $x_1$, $x_2$; $sk_1, sk_2, …, sk_n$; $c_1$, $c_2$; $M_{c_1,c_2}$; output $c$]
$M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2) = x_1 \times x_2$
Requires “circular security”
Slide30
Step 3: Bootstrapping [G’09]
Include in the public key also $\mathrm{Enc}_{pk}(sk)$
Homomorphic computation applied only to the “fresh” encryption of $sk$
[Diagram: $x_1$, $x_2$; $sk_1, sk_2, …, sk_n$; $c_1$, $c_2$; $M_{c_1,c_2}$; output $c$]
$M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2) = x_1 \times x_2$
Requires “circular security”
Slide31
Step 4: Everything Else
Cryptosystems from [G’09, vDGHV’10, BG’11a] cannot handle their own decryption
Tricks to “squash” the decryption procedure, making it low-degree
Slide32
Performance
Evaluating only low-degree polynomials may be reasonable
But bootstrapping is inherently inefficient
Homomorphic decryption for each multiplication
Best implementation so far is [GH’11a]
Public key size ~ 2GB
Evaluating a multiplication takes 30 minutes
Slide33
Beyond the [G’09] Blueprint
[GH’11b] no “squashing”, still very inefficient
[BV’11b] no underlying ring, only vectors
Also no “squashing”, but still inefficient
[G’11] no bootstrapping
Builds heavily on [BV’11b]
Reduces noise “cheaply” after each multiplication
Should be at least 2-3 orders of magnitude better than [GV’11a]
Slide34
Homomorphic Encryption vs. Secure Computation
Slide35
Secure Function Evaluation (SFE)
Client Alice has data $x$
Server Bob has function $f$
Alice wants to learn $f(x)$
Without telling Bob what $x$ is
Bob may not want Alice to know $f$
Client Alice may also want server Bob to do most of the work computing $f(x)$
Slide36
Two-Message SFE [Yao’82,…]
Many different instantiations are available
Based on hardness of factoring/DL/lattices/…
Alice’s $x$ and Bob’s $f$ are kept private
But Alice does as much work as Bob
Bob’s reply of size poly($n$) x ($|f| + |x|$)
[Protocol diagram: Alice($x$) computes $(c,s) \leftarrow$ SFE1($x$) and sends $c$; Bob($f$) computes $r \leftarrow$ SFE2($f$, $c$) and sends $r$; Alice computes $y \leftarrow$ SFE3($s$, $r$)]
Slide37
Recall: Homomorphic Encryption
H = {KeyGen, Enc, Dec, Eval}
Semantic security: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$
Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$
$c^*$ may not look like a “fresh” ciphertext
As long as it decrypts to $f(x)$
Function-private: $c^*$ hides $f$
Compact: Decrypting $c^*$ easier than computing $f$
$|c^*|$ independent of the complexity of $f$
Slide38
38Aside: a Trivial Solution
Eval(
f,c) = <f,c>, Dec*(<
f,c>) = f
(Dec(c))Neither function-private, nor compact
Not very useful in applicationsSlide39
HE ⇒ Two-Message SFE
Alice encrypts data $x$, sends to Bob $c \leftarrow$ Enc($x$)
Bob computes on encrypted data, sets $c^* \leftarrow$ Eval($f$, $c$)
$c^*$ is supposed to be an encryption of $f(x)$
Hopefully it hides $f$ (function-private scheme)
Alice decrypts, recovers $y \leftarrow$ Dec($c^*$)
Slide40
Two-Message SFE ⇒ HE
Roughly:
Alice’s message $c \leftarrow$ SFE1($x$) is Enc($x$)
Bob’s reply $r \leftarrow$ SFE2($f$, $c$) is Eval($f$, $c$)
Not quite public-key encryption yet
Where are ($pk$, $sk$)?
Can be fixed with an auxiliary PKE scheme
Slide41
Two-Message SFE ⇒ HE
Add an auxiliary encryption scheme with ($pk$, $sk$)
[Protocol diagram: Alice($pk$, $x$) computes $(c,s) \leftarrow$ SFE1($x$) and sends $c$; Bob($f$) computes $r \leftarrow$ SFE2($f$, $c$) and sends $r$; $y \leftarrow$ SFE3($s$, $r$); Dora($sk$)]
Slide42
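Two-Message SFE ⇒ HE
Recall: $|r|$ could be as large as poly($n$)($|f| + |x|$)
Not compact
Alice($pk$, $x$) runs $\mathrm{Enc}'_{pk}(x)$: $(c,s) \leftarrow$ SFE1($x$), $c' \leftarrow \mathrm{Enc}_{pk}(s)$; sends $c, c'$
Bob($f$) runs $\mathrm{Eval}_{pk}(f, c, c')$: $r \leftarrow$ SFE2($f$, $c$); sends $r, c'$
Dora($sk$) runs $\mathrm{Dec}_{sk}(r, c')$: $s \leftarrow \mathrm{Dec}_{sk}(c')$, $y \leftarrow$ SFE3($s$, $r$)
Slide43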
A More Complex Setting: i-Hop HE [GHV’10b]
2-Hop Homomorphic Encryption
[Diagram: Alice($x$): $c_0 \leftarrow$ Enc($x$); Bob($f$): $c_1 \leftarrow$ Eval($f$, $c_0$); Charlie($g$): $c_2 \leftarrow$ Eval($g$, $c_1$); Dora($sk$): $y \leftarrow$ Dec($c_2$)]
$c_1$ is not a fresh ciphertext
May look completely different
Can Charlie process it at all?
What about security?
Slide44
Multi-Hop Homomorphic Encryption
H = {KeyGen, Enc, Eval, Dec} as before
$i$-Hop Homomorphic ($i$ is a parameter)
[Diagram: $x$, $\mathrm{Enc}_{pk}(x)$, $c_0$, $\mathrm{Eval}_{pk}(f_1, c_0)$, $c_1$, $\mathrm{Eval}_{pk}(f_2, c_1)$, $c_2$, …, $c_j$, $\mathrm{Dec}_{sk}(x)$, $y$; any number $j \le i$ hops]
$y = f_j(f_{j-1}(… f_1(x) …))$ for any $x, f_1, …, f_j$
Similarly for $i$-Hop function-privacy, compactness
Multi-Hop: $i$-Hop for any $i$
Slide45
1-Hop ⇒ multi-Hop HE
(KeyGen, Enc, Eval, Dec) is 1-Hop HE
Can evaluate any single function on ctxt
We have $c_1 = \mathrm{Eval}_{pk}(f_1, c_0)$, and some other $f_2$
Bootstrapping:
Include with $pk$ also $c^* = \mathrm{Enc}_{pk}(sk)$
Consider $F_{c_1,f_2}(sk) = f_2(\mathrm{Dec}_{sk}(c_1))$
Let $c_2 = \mathrm{Eval}_{pk}(F_{c_1,f_2}, c^*)$
Slide46
1-Hop ⇒ multi-Hop HE
Drawback: $|c_i|$ grows exponentially with $i$:
$|F_{c_{i-1},f_i}|$   $|c_{i-1}| + |f_i|$
$|c_i| = |\mathrm{Eval}_{pk}(F_{c_{i-1},f_i}, c^*)|$   poly($n$)($|c_{i-1}| + |f_i|$)
Does not happen if underlying scheme is compact
Or even $|\mathrm{Eval}_{pk}(F_{c_{i-1},f_i}, c^*)| = |c_{i-1}| +$ poly($n$)$|f_i|$
$F_{c_{i-1},f_i}(sk) = f_i(\mathrm{Dec}_{sk}(c_{i-1})) = f_i(x_{i-1})$
[Diagram labels: $x_{i-1}$, $sk$, $c_{i-1}$, $f_i$, $F_{c_{i-1},f_i}$, $c_{i+1}$, $c^*$]
Slide47
Other Constructions
Private 1-hop HE + Compact 1-hop HE ⇒ Compact, Private 1-hop HE ⇒ Compact, Private multi-hop HE
A direct construction of multi-hop HE from Yao’s protocol
Slide48
Summary
Homomorphic Encryption is useful
Especially multi-hop HE
A method for constructing HE schemes from linear ECCs in rings
Two (+ε) known instances so far
Connection to two-message protocols for secure computation
Slide49
Thank You