Evaluating 2-DNF Formulas on Ciphertexts

Similar documents
On Homomorphic Encryption and Secure Computation

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

How to Shuffle in Public

Computing with Encrypted Data Lecture 26

Lecture 28: Public-key Cryptography. Public-key Cryptography

Fully Homomorphic Encryption from LWE

Benny Pinkas Bar Ilan University

i-hop Homomorphic Encryption Schemes

Introduction to Cryptography. Lecture 8

1 Number Theory Basics

Cryptographic Solutions for Data Integrity in the Cloud

Fully Homomorphic Encryption over the Integers

Lecture Notes 20: Zero-Knowledge Proofs

Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption

Fully Homomorphic Encryption over the Integers

Machine Learning Classification over Encrypted Data. Raphael Bost, Raluca Ada Popa, Stephen Tu, Shafi Goldwasser

On the CCA1-Security of Elgamal and Damgård s Elgamal

Keyword Search and Oblivious Pseudo-Random Functions

Lecture Notes 15 : Voting, Homomorphic Encryption

1 Secure two-party computation

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Lecture 17: Constructions of Public-Key Encryption

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Peculiar Properties of Lattice-Based Encryption. Chris Peikert Georgia Institute of Technology

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

On the Communication Complexity of Secure Function Evaluation with Long Output

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

Multiparty Computation

Encryption Switching Protocols Revisited: Switching modulo p

Public Key Encryption with Conjunctive Field Keyword Search

Oblivious Transfer and Secure Multi-Party Computation With Malicious Parties

CRYPTOGRAPHIC PROTOCOLS 2016, LECTURE 16

Computing on Encrypted Data

Introduction to Cybersecurity Cryptography (Part 4)

Notes for Lecture 17

Fully Homomorphic Encryption and Bootstrapping

Efficient Secure Auction Protocols Based on the Boneh-Goh-Nissim Encryption

Introduction to Cybersecurity Cryptography (Part 4)

Practical Verifiable Encryption and Decryption of Discrete Logarithms

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

Introduction to Cybersecurity Cryptography (Part 5)

CPSC 467b: Cryptography and Computer Security

March 19: Zero-Knowledge (cont.) and Signatures

Improving Helios with Everlasting Privacy Towards the Public Denise Demirel, Jeroen van de Graaf, Roberto Araújo

The Theory and Applications of Homomorphic Cryptography

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

Single Database Private Information Retrieval with Logarithmic Communication

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Lecture 38: Secure Multi-party Computation MPC

Lecture 17 - Diffie-Hellman key exchange, pairing, Identity-Based Encryption and Forward Security

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Perfect Secure Computation in Two Rounds

k-nearest Neighbor Classification over Semantically Secure Encry

An Overview of Homomorphic Encryption

Security Protocols and Application Final Exam

A Note On Groth-Ostrovsky-Sahai Non-Interactive Zero-Knowledge Proof System

Question 1. The Chinese University of Hong Kong, Spring 2018

COS433/Math 473: Cryptography. Mark Zhandry Princeton University Spring 2018

4-3 A Survey on Oblivious Transfer Protocols

Are you the one to share? Secret Transfer with Access Structure

Fully Homomorphic Encryption

Shai Halevi IBM August 2013

Lecture 6. 2 Adaptively-Secure Non-Interactive Zero-Knowledge

L7. Diffie-Hellman (Key Exchange) Protocol. Rocky K. C. Chang, 5 March 2015

Public-Key Encryption: ElGamal, RSA, Rabin

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

Property Preserving Symmetric Encryption

Honest-Verifier Private Disjointness Testing without Random Oracles

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Logic gates. Quantum logic gates. α β 0 1 X = 1 0. Quantum NOT gate (X gate) Classical NOT gate NOT A. Matrix form representation

Tutorial on Quantum Computing. Vwani P. Roychowdhury. Lecture 1: Introduction

6.892 Computing on Encrypted Data September 16, Lecture 2

Non-interactive Zaps and New Techniques for NIZK

On i-hop Homomorphic Encryption

Winter 2011 Josh Benaloh Brian LaMacchia

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

Single-Database Private Information Retrieval

Encryption Switching Protocols

CSA E0 312: Secure Computation September 09, [Lecture 9-10]

Lecture Notes, Week 6

Public-Key Encryption

An Efficient and Secure Protocol for Privacy Preserving Set Intersection

Lecture 9 Julie Staub Avi Dalal Abheek Anand Gelareh Taban. 1 Introduction. 2 Background. CMSC 858K Advanced Topics in Cryptography February 24, 2004

MTAT Cryptology II. Zero-knowledge Proofs. Sven Laur University of Tartu

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

ANALYSIS OF PRIVACY-PRESERVING ELEMENT REDUCTION OF A MULTISET

basics of security/cryptography

Instantiating the Dual System Encryption Methodology in Bilinear Groups

Decentralized Evaluation of Quadratic Polynomials on Encrypted Data

Efficient and Secure Delegation of Linear Algebra

Basics in Cryptology. Outline. II Distributed Cryptography. Key Management. Outline. David Pointcheval. ENS Paris 2018

Public Key Cryptography

1 Basic Number Theory

Revisiting Cryptographic Accumulators, Additional Properties and Relations to other Primitives

Classical hardness of the Learning with Errors problem

Efficient Set Intersection with Simulation-Based Security

Privacy-Preserving Ridge Regression Without Garbled Circuits

Efficient Fuzzy Matching and Intersection on Private Datasets

Lecture 1: Introduction to Public key cryptography

Lecture 15 - Zero Knowledge Proofs

Transcription:

Evaluating 2-DNF Formulas on Ciphertexts Dan Boneh, Eu-Jin Goh, and Kobbi Nissim Theory of Cryptography Conference 2005

Homomorphic Encryption Enc. scheme is homomorphic to function f if from E[A], E[B], can compute E[f(A,B)] e.g. f can be +,,, Ideally, want f = NAND, or f = {+, } Called doubly homomorphic encryption Can do universal computation on ciphertext!

Why is doubly homomorphic encryption useful? Gives efficient solutions for many problems. e.g. 1. 2 party Secure Function Evaluation 2. Computing on encrypted databases

App: Database Computation Outsourced server with database containing encrypted data User wants to compute function g on encrypted data e.g. data mining, data aggregation With doubly homomorphic encryption, Database encrypted with doubly hom. enc. User sends g to server Server computes g on encrypted database Encrypted result returned to user

These applications are pretty cool, so where can I get a fully homomorphic encryption scheme? Sorry, it doesn t exist (yet). Long standing open problem [RAD78] Existing schemes hom. to 1 function E.g. ElGamal ( ), Paillier (+), GM ( ) But some progress

Main Result Homomorphic encryption scheme that supports one and arbitrary +. Based on finite bilinear groups with composite order Semantic security based on natural decision problem

Related Work Sander et al. [SYY99] Enc. scheme NC 1 circuit eval. on CTs Can evaluate 2-DNFs on CTs But CT len. exponential in circuit depth CT size doubles for every + op Poly. len. 2-DNF gives poly. size CT Our scheme constant size CT crucial for our apps

Enc. Scheme Keygen(τ): G: bilinear group order n = q 1 q 2 on ell. curve over F p. Pick rand g,u G. Set h = u q 2. PK = (n, G, G 1, e, g, h) SK = q 1 Encrypt(PK, m): m {1,,T} Pick random r from Z n. Output C = g m h r G. Decrypt(SK, C): Let C q 1 = ( g m h r ) q 1 = (g q 1 ) m ; v = g q 1 Output m = Dlog of C q 1 base v. Note: decrypt time is O( T).

Given A = g a h r and B = g b h s : To get encryption of a + b Homomorphisms pick random t Z n compute C = AB h t = g a+ b h r + s + t G To get encryption of a b let h = g α q 2, g 1 = e(g,g), h 1 = e(g,h) pick random t Z n compute t C = e(a,b) h 1 = g ab r 1 h 1 G1

Complexity Assumption Subgroup assumption: Gen. rand. bilinear group G of order n = q 1 q 2, then following two distributions indistinguishable: x is uniform in G x is uniform in q 1 subgroup of G. Thm: system is semantically secure, unless the subgroup assumption is false.

Why not use Pallier directly? Paillier CT: C = g m r n (mod n 2 ) Can we directly apply bilinear map to C? Short ans: No. Miller s alg. for pairing needs order of curve. Fact: Knowing order of curve mod n allows factoring of n.

Applications what can you do with 1 and arbitrary +? 1. Evaluate multi-variate polynomials of total degree 2 Caveat: result in small set e.g. {0,1} 2. Evaluate 2-DNF formulas (b i,1 b i,2 ) By arithmetizing 2-DNF formulas to multi-variate poly. with deg 2

1) Evaluating Quadratic Poly. polynomials of total deg 2 x 1 x 2 + x 3 x 4 + +, hom. allow eval. of such poly. on CT but to decrypt, result must be in known poly. size interval. evaluate dot products

2) 2 Party SFE for 2-DNF Bob A = (a 1,,a n ) {0,1} n Alice φ(x 1,,x n ) = k i=1 (y i,1 y i,2 ) s.t. y i,* {x 1, x 1,, x n, x n }. Get Arithmetization Φ: replace by +, by, x i by (1- x i ). Φ is poly. with total deg 2!

2-DNF Protocol (Semi-Honest) Bob A = (a 1,,a n ) Alice φ(x 1,,x n ) = k i=1 (y i,1 y i,2 ) Φ = arith. of φ Invoke Keygen(τ) Encrypt A If decrypt = 0, emit 0. Else, 1. PK, E[a 1 ],,E[a n ] E[r Φ(A)] Eval. E[r Φ(A)] for random r Bob s Security: Alice cannot distinguish bet. Bob s possible inputs from semantic security of E. Alice s Security: Bob only knows if A satisfies φ() by design, Bob output distrib. depends only on this.

SFE for 2-DNF Communication Complexity = O(n τ) garbled circuit comm. comp. = Θ(n 2 ) Secure against unbounded Bob garbled circuit (Alice garbles φ) secure against unbounded Alice Prove security against malicious Bob (details in paper)

Concrete applications 1. Improve basic step in Kushilevitz-Ostrovsky PIR protocol from n to 3 n 2. Gadget: check if CT contains 1 of 2 values. Most voter efficient E-voting scheme Universally verifiable computation

PIR/SPIR Bob: wants D(R,S) Set assignment A: x R = y S = 1, x i = x j = 0 for i R, j S Do 2-DNF SFE with A and φ Get φ(a) = D(R,S) Database D n D = n n D uses 2-DNF φ(x 1,,x n, y 1,,y n ) = D(i,j)=1 (x i y j ) Comm. Complexity = O(τ n) [O(τ 3 n) balanced] Alternative scheme each db entry O(log n) bits

Suppose CT: C = E[v]. Given 2 messages v 0,v 1 and random r, anyone can compute E [ r (v - v 0 ) (v - v 1 ) ] If v v 0,v 1, result is E[random] Otherwise, result is E[0] Gadget can ensure/verify that CT is enc. of v 0 or v 1 Applications: 1. 2-DNF SFE secure against malicious Bob 2. E-voting: voter ballots need no ZK proofs 3. Universally Verifiable Computation Anyone can check comp. public function on private inputs done correctly without learning anything else

Conclusions Adding even limited additional homomorphism has many uses. Open Problems: Extend encryption scheme to 1. efficiently handle arbitrary messages 2. arbitrary # of multiplications Find n-linear maps allow eval. of polynomials with total deg n

Questions?

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback