Cryptographic Solutions for Stanford University, USA Stanford Computer Forum 2 April 2012
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy.
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. The Cloud pk
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2 c i = encryption of ith score.. Kevin c k sk
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? sk
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? c sk c = encryption of mean
Homomorphic Encryption Homomorphic encryption allows users to delegate computation while ensuring secrecy. pk encrypted grades The Cloud Student CT Adam c 1 Becky c 2. Kevin c i = encryption of ith score. c k mean? Validity: c decrypts to the correct mean. c sk c = encryption of mean Security: no adversary can obtain any info about scores. Length efficiency: c is short. Privacy: decrypted mean reveals nothing else about data.
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity.
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity.
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k σ 1 = signature on ( grades, 91, Adam )
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... pk Kevin 84 σ k σ 1 = signature on ( grades, 91, Adam )
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk signed grades Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? pk σ 1 = signature on ( grades, 91, Adam )
Homomorphic Signatures Homomorphic signatures allow users to delegate computation while ensuring integrity. The Cloud sk signed grades Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ 1 = signature on ( grades, 91, Adam ) σ = signature on ( grades, 87.3, mean )
Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean )
Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly.
Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean.
Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean. 3 Length efficiency: σ is short.
Properties of Homomorphic Signatures What properties do we want the derived signature σ to have? σ = signature on ( grades, 87.3, mean ) 1 Validity: σ authenticates 87.3 as the mean, and that the mean was computed correctly. 2 Unforgeability: no adversary can produce a σ that authenticates a different mean. 3 Length efficiency: σ is short. 4 Privacy: σ reveals nothing about data other than the mean.
Trivial Solution: Verify the Whole Database sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ = {all scores and all signatures} Bob authenticates database, then computes mean himself.
Trivial Solution: Verify the Whole Database sk signed grades The Cloud Student Score Sig Adam 91 σ 1 Becky 73 σ 2... Kevin 84 σ k mean? 87.3, σ pk σ = {all scores and all signatures} Bob authenticates database, then computes mean himself. Does not have length efficiency and privacy properties: σ is as big as entire database. Bob learns the whole database
Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject
Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject Correctness: Verify accepts if m = f (m 1,..., m k ). Security goal: no adversary can authenticate (m, f ) for m f (m 1,..., m k ). Privacy goal: if f (m 1,..., m k ) = f ( ˆm 1,..., ˆm k ) = m, no one can tell which data set σ was derived from.
Nontrivial Solution: Move Work to the Cloud Messages (m 1,..., m k ) grouped together into files. Sign sk (m i ) signature σ i on ith message Eval pk (σ 1,..., σ k, f ) signature σ on f (m 1,..., m k ) Verify pk (m, σ, f ) accept/reject Correctness: Verify accepts if m = f (m 1,..., m k ). Security goal: no adversary can authenticate (m, f ) for m f (m 1,..., m k ). Privacy goal: if f (m 1,..., m k ) = f ( ˆm 1,..., ˆm k ) = m, no one can tell which data set σ was derived from. Linearly homomorphic signatures: messages m i are vectors. functions f are linear combinations.
Applications What are homomorphic signatures good for? f Linear functions Application Mean Fourier transform Network coding Regression models (time series data)
Applications What are homomorphic signatures good for? f Linear functions Subsets Application Mean Fourier transform Network coding Regression models (time series data) Message redaction
Applications What are homomorphic signatures good for? f Linear functions Subsets Polynomials Application Mean Fourier transform Network coding Regression models (time series data) Message redaction Standard deviation & higher moments Regression models (general data)
Applications What are homomorphic signatures good for? f Linear functions Subsets Polynomials Arbitrary circuits Application Mean Fourier transform Network coding Regression models (time series data) Message redaction Standard deviation & higher moments Regression models (general data) Non-linear estimators and regression Data mining (decision trees, SVM, etc.)
Application: Least Squares Fits
Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values.
Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M 0 1800 1900 2000
Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000
Least Squares Fits For a data set {(x i, y i )} k i=1, the degree d least squares fit is the polynomial f (x) = c 0 + c 1 x + + c d x d that best approximates the observed y values. 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values.
Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values.
Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values. For time series x values, c is linear function of y values.
Authenticating a least-squares fit 300M U.S. population by year 200M 100M y = f (x) = c 0 + c 1 x + c 2 x 2 0 1800 1900 2000 Formula: (c 0, c 1, c 2 ) = (X t X) 1 X t y X = matrix of x values, y = vector of y values. For time series x values, c is linear function of y values. Census bureau stores signed population counts on server using linearly homomorphic signature. Server can authenticate coefficients of least-squares fit.
State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear functions Subsets Polynomials Arbitrary circuits
State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear [GM82], [B88], [P99], functions others Subsets Polynomials Arbitrary circuits [BGN05], [GHV10] (quadratic) [G09], [DGHV10], [BV11],[BGV12],[B12]
State of the art How can we compute on encrypted or authenticated data? F Hom. encryption Hom. signatures Linear [GM82], [B88], [P99], [KFM04], [CJL06], functions others [ZKMH07], [BFKW09], [GKKR10], [BF11a], [F12] Subsets [JMSW02], [ABC+12], others Polynomials [BGN05], [GHV10] [BF11b] (quadratic) (bounded degree) Arbitrary circuits [G09], [DGHV10], [BV11],[BGV12],[B12]
Recent Advances in Homomorphic Signatures
New Results [F12] Improved security for linearly homomorphic signatures: 1 Security based on harder problems. 2 Systems resistant to a stronger adversary. Achieved via a generic construction from existing (ordinary) signatures satisfying certain properties. Single framework gives many homomorphic schemes. Users can choose based on security/efficiency tradeoffs.
Security Based on Hard Problems Security paradigm: Show that any adversary that can forge a signature can be used to solve a computational problem believed to be hard. E.g.: Factoring: given N = pq, find p, q. RSA: given (N, x, e), find x 1/e mod N. Strong RSA: given (N, x), find some (e, x 1/e mod N).
Security Based on Hard Problems Security paradigm: Show that any adversary that can forge a signature can be used to solve a computational problem believed to be hard. E.g.: Factoring: given N = pq, find p, q. RSA: given (N, x, e), find x 1/e mod N. Strong RSA: given (N, x), find some (e, x 1/e mod N). Hierarchy of problems: solving (1) solving (2) solving (3). (converse not known to be true or false) Top of hierarchy: stronger security guarantees. Bottom of hierarchy: more efficient constructions.
Contribution 1: Constructions from Harder Problems Previous constructions of linearly homomorphic signatures: [GKKR10]: Based on RSA, requires ideal hash function (indistinguishable from random). [CFW11]: Based on Strong RSA, uses real world hash function (collision-resistant).
Contribution 1: Constructions from Harder Problems Previous constructions of linearly homomorphic signatures: [GKKR10]: Based on RSA, requires ideal hash function (indistinguishable from random). [CFW11]: Based on Strong RSA, uses real world hash function (collision-resistant). Our construction: [F12]: Based on RSA, uses real world hash function. Similar results using hierarchy of Diffie-Hellman problems.
Contrubution 2: Stronger Adversary Security model for homomorphic signatures:
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. Adversary sk
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. pk Adversary sk
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. pk file F = {m 1,..., m k } Adversary sk
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k Adversary
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k repeat Adversary
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ).
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once.
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk file F = {m 1,..., m k } sigs σ F 1,..., σf k forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file.
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk tuple (F, i, m i ) sig σ F i forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file.
Contrubution 2: Stronger Adversary Security model for homomorphic signatures: Chall. sk pk tuple (F, i, m i ) sig σ F i forgery F, m, σ, f repeat Adversary Forgery is a valid signature σ on (F, m, f ) with m f (messages in file F ). Original adversary: must query entire files at once. Stronger adversary: adaptively queries one message at a time from any file. Our new schemes are secure against the stronger adversary.
Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w).
Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w.
Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w. New idea: Tie together signature on F and hash of v: for public x and real-world hash function η, ( Sign(v) = x 1/η(F ), H hom (v) 1/η(F )).
Ideas behind the Construction Homomorphic hash : for fixed h 1,..., h n Z N, vector v = (v 1,..., v n ) Z n, define H hom (v) = h v 1 1 hvn n (mod N). Homomorphic property: H hom (v) H hom (w) = H hom (v + w). [GKKR10] construction: Sign(v) = H hom (v) 1/e (mod N). h i derived from filename F using ideal hash function. Sign(v) Sign(w) authenticates v + w. New idea: Tie together signature on F and hash of v: for public x and real-world hash function η, ( Sign(v) = x 1/η(F ), H hom (v) 1/η(F )). This example derived from [GHR99] signatures; mechanism also applies to [BB04],[W05],[HW09],[LW10],...
Thank you! Questions? Job Offers? Comments?