Computing with Encrypted Data Lecture 26

Similar documents
Shai Halevi IBM August 2013

Fully Homomorphic Encryption from LWE

Multikey Homomorphic Encryption from NTRU

Lattice Based Crypto: Answering Questions You Don't Understand

Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption and Bootstrapping

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Fully Homomorphic Encryption

Fully Homomorphic Encryption

On Homomorphic Encryption and Secure Computation

Report Fully Homomorphic Encryption

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Evaluating 2-DNF Formulas on Ciphertexts

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Ideal Lattices and NTRU

Classical hardness of the Learning with Errors problem

Fully Homomorphic Encryption over the Integers

Weaknesses in Ring-LWE

i-hop Homomorphic Encryption Schemes

An RNS variant of fully homomorphic encryption over integers

Some security bounds for the DGHV scheme

The LTV Homomorphic Encryption Scheme and Implementation in Sage

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Manipulating Data while It Is Encrypted

Fully Key-Homomorphic Encryption and its Applications

An Overview of Homomorphic Encryption

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Multi-key fully homomorphic encryption report

COMPUTING ON ENCRYPTED DATA: HIGH-PRECISION ARITHMETIC IN HOMOMORPHIC ENCRYPTION

Homomorphic Encryption. Liam Morris

Fully Homomorphic Encryption - Part II

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Classical hardness of Learning with Errors

Gentry s Fully Homomorphic Encryption Scheme

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Lectures 1&2: Introduction to Secure Computation, Yao s and GMW Protocols

Computing on Encrypted Data

General Impossibility of Group Homomorphic Encryption in the Quantum World

6.892 Computing on Encrypted Data September 16, Lecture 2

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Efficient and Secure Delegation of Linear Algebra

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Fully Homomorphic Encryption

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Fixed-Point Arithmetic in SHE Schemes

1 Public-key encryption

On the CCA1-Security of Elgamal and Damgård s Elgamal

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

Practical Bootstrapping in Quasilinear Time

Homomorphic Evaluation of the AES Circuit

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Gentry s SWHE Scheme

Modulo Reduction for Paillier Encryptions and Application to Secure Statistical Analysis. Financial Cryptography '10, Tenerife, Spain

El Gamal A DDH based encryption scheme. Table of contents

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

Bootstrapping for HElib

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Bandwidth Efficient PIR from NTRU

Efficient MPC Oblivious Transfer and Oblivious Linear Evaluation aka How to Multiply

Better Bootstrapping in Fully Homomorphic Encryption

Outline Proxy Re-Encryption NTRU NTRUReEncrypt PS-NTRUReEncrypt Experimental results Conclusions. NTRUReEncrypt

Lecture Notes 15 : Voting, Homomorphic Encryption

COS 597C: Recent Developments in Program Obfuscation Lecture 7 (10/06/16) Notes for Lecture 7

Cryptology. Scribe: Fabrice Mouhartem M2IF

6.892 Computing on Encrypted Data October 28, Lecture 7

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION

Introduction to Cryptography. Lecture 8

The Smart-Vercauteren Fully Homomorphic Encryption Scheme

On i-hop Homomorphic Encryption

Secure Multi-Party Computation. Lecture 17 GMW & BGW Protocols

Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems

Homomorphic AES Evaluation Using the Modified LTV Scheme

Introduction to Cybersecurity Cryptography (Part 5)

Introduction to Cybersecurity Cryptography (Part 4)

Watermarking Cryptographic Functionalities from Standard Lattice Assumptions

CS 4770: Cryptography. CS 6750: Cryptography and Communication Security. Alina Oprea Associate Professor, CCIS Northeastern University

MASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication

Strongly Unforgeable Signatures Based on Computational Diffie-Hellman

Spooky Encryption and its Applications

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Introduction to Cybersecurity Cryptography (Part 4)

Lecture 30: Hybrid Encryption and Prime Number Generation. Hybrid Encryption & Primes

Security Protocols and Application Final Exam

Blending FHE-NTRU keys The Excalibur Property

Lecture 17: Constructions of Public-Key Encryption

Increased efficiency and functionality through lattice-based cryptography

Bounded-Collusion IBE from Semantically-Secure PKE: Generic Constructions with Short Ciphertexts

ADVERTISING AGGREGATIONARCHITECTURE

Fully Homomorphic Encryption Using Ideal Lattices

On Adaptively Secure Multiparty Computation with a Short CRS [SCN 16] Ran Cohen (Tel Aviv University) Chris Peikert (University of Michigan)

Multi-Party Computation with Conversion of Secret Sharing

Chapter 11 : Private-Key Encryption

Lecture 28: Public-key Cryptography. Public-key Cryptography

SIS-based Signatures

Private Puncturable PRFs From Standard Lattice Assumptions

Transcription:

Computing with Encrypted Data 6.857 Lecture 26

Encryption for Secure Communication M Message M All-or-nothing Have Private Key, Can Decrypt No Private Key, No Go cf. Non-malleable Encryption

Encryption for Cloud Computing Data Analysis & Statistics, Classification, Search, Image Processing, Compute Function F Medical, Financial and other Personal Information Enc(Data) Enc(F(Data)) Cloud Need: Privacy + Functionality

Fully Homomorphic Encryption Compute arbitrary functions on encrypted data? Enc(data), F Enc(F(data))

Outline Homomorphic Encryption Multiplicative Homomorphism: El Gamal Additive Homomorphism: Goldwasser-Micali Fully Homomorphic Encryption: based on NTRU What Computing I didn t on tell Secret you (and Shares how to learn more) Secure Multiparty Computation: the BGW protocol [Ben Or-Goldwasser-Wigderson 88]

then we are done. FHE: The Big Picture Function Arithmetic Circuit x 1 x 2 + x 3 (x 1 +x 2 ) x 3 If we had: Enc(x 1 ), Enc(x 2 ) Enc(x 1 +x 2 ) Enc(x 1 ), Enc(x 2 ) Enc(x 1 x 2 )

Multiplicative Homomorphism El Gamal Encryption Setup: Group G of prime order p (e.g., set of quadratic residues mod q where q = 2p+1)

Multiplicative Homomorphism El Gamal Encryption Setup: Group G of prime order p (e.g., set of quadratic residues mod q where q = 2p+1) X is an encryption of the product m 1 m 2

Additive Homomorphism Goldwasser Micali Encryption Public key: N, y: non-square mod N Secret key: factorization of N Enc(0): r 2 mod N, Enc(1): y * r 2 mod N square (0) * square (0) = square (0) non-square (1) * square (0) = non-square (1) square (0) * non-square (1) = square (1) non-square (1) * non-square (1) = non-square (0) XOR-homomorphic: Just multiply the ciphertexts

Other HE Schemes Additively Homomorphic: Paillier Damgard-Jurik (both addition of large numbers) Additions + a single Multiplication: Boneh-Goh-Nissim (based on gap groups) Gentry-Halevi-V. (based on lattices) HE with Large ciphertext blowup: Sander-Young-Yung

How to Construct an FHE Scheme

The Big Picture STEP 1 Somewhat Homomorphic (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS 12] Evaluate arithmetic circuits of depth d = ε log n * C d = ε log n EVAL * (0 < ε < 1 is a constant, and n is the security parameter)

The Big Picture STEP 2 Bootstrapping Theorem [Gen09] (Qualitative) Homomorphic enough Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some) msg Dec C CT sk Decryption Circuit EVAL

The Big Picture STEP 1 STEP 3 Somewhat Homomorphic (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS 12] Evaluate arithmetic circuits of depth d = ε log n Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = n ε STEP 2 Bootstrapping Method Homomorphic enough Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

The NTRU Encryption Scheme [Hofstein-Pipher-Silverman 97] Central characters: Polynomials mod q Polynomials of degree less than n (think n = 256) Coefficients over Z q (think q = small prime) Addition: coefficient-wise (6x 2 +5x+10) + (5x 2 +x+2) = 6x+1 (mod 11) Multiplication: polynomial mult, modulo an irreducible (6x 2 +5x+10) X (5x 2 +x+2) = 9x 3 +x 2 +9x+9 (mod 11, x 4 +1) Ring (x n +1 cyclotomic, q = 1 mod 2n prime)

The NTRU Encryption Scheme KeyGen: Sample small polynomials f, g R q (s.t. f=1 mod 2) coefficients B Secret key SK=f and Public key PK=h=2g/f Encryption Enc pk (m), where Multiplying m {0,1} by f kills h Sample small polynomials s, e R q, output C = hs + 2e + m (mod q, x n +1) Decryption Dec sk (C): Output (fc (mod q,x n +1)) mod 2. Correctness: fc = f(hs+2e+m) = 2(gs+fe) + fm (mod q, x n +1) If 2(gs+fe) + fm < q/2, taking mod 2 gives m.

The NTRU Encryption Scheme The Small Polynomial Ratios (SPR) Assumption: Choose two polynomials f and g with small coefficients (of magnitude at most B). Then, g/f c uniform over R q The key security parameter: The signal-to-noise ratio q/b If q/b is too large (> 2 n ), we can break NTRU in poly time. Theorem: The encryption scheme is secure under the SPR assumption

Additive Homomorphism c 1 = hs 1 +2e 1 +m 1 c 2 = hs 2 +2e 2 +m 2 f.c 1 = 2E 1 + fm 1 f.c 2 = 2E 2 + fm 2 Add the ciphertexts: c add = c 1 + c 2 (over R q ) + f.c 1 = 2E 1 + fm 1 f.c 2 = 2E 2 + fm 2 f.(c 1 +c 2 ) = 2(E 1 +E 2 ) + f.(m 1 +m 2 ) E Dec f (c add ) = 2E + f.(m 1 +m 2 ) (mod 2) = f. (m 1 +m 2 ) (mod 2)

Multiplicative Homomorphism c 1 = hs 1 +2e 1 +m 1 c 2 = hs 2 +2e 2 +m 2 f.c 1 = 2E 1 + fm 1 f.c 2 = 2E 2 + fm 2 Multiply the ciphertexts: c mlt = c 1.c 2 (over R q ) X f.c 1 = 2E 1 + fm 1 f.c 2 = 2E 2 + fm 2 f 2.(c 1 c 2 ) = 2(E 1 m 2 +E 2 m 1 +2E 1 E 2 ) + f 2 (m 1 m 2 ) E Dec f^2 (c mlt ) = 2E + f 2 m 1 m 2 (mod 2) = f 2 m 1 m 2 (mod 2)

Noise Growth Assume the input ciphertext noise is at most B. Addition: norm of E 1 +E 2 is at most 2B Multiplication: noise E 1 E 2 Norm of E 1 E 2 is at most nb 2

How Homomorphic is this: The Reservoir Analogy noise=q/2 Additive Homomorphism: B 2B Multiplicative Homomorphism: B nb 2 nb 2 AFTER d LEVELS: noise B (worst case) 2B initial noise=b noise=0 Correctness SPR with q/b ratio 2 n^ε

How Homomorphic is this: The Reservoir Analogy noise=q/2 Additive Homomorphism: B 2B Multiplicative Homomorphism: B nb 2 nb 2 AFTER d LEVELS: noise B (worst case) initial noise=b noise=0

The Big Picture STEP 1 STEP 3 Somewhat Homomorphic (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS 12] Evaluate arithmetic circuits of depth d = ε log n Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = n ε STEP 2 Bootstrapping Method Homomorphic enough Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

Bootstrapping Bootstrapping Theorem [Gen09] If you can homomorphically evaluate depth d circuits and the depth of your decryption cicuit < d * FHE

Bootstrapping Bootstrapping Theorem [Gen09] Homomorphic d-he with decryption enough depth Encryption < d * FHE FHE Bootstrapping = Valve at a fixed height noise=q/2 (that depends on decryption depth) Say n(b dec ) 2 < q/2 noise=b dec noise=0

Bootstrapping Bootstrapping Theorem [Gen09] Homomorphic d-he with decryption enough depth Encryption < d * FHE FHE Bootstrapping = Valve at a fixed height noise=q/2 (that depends on decryption depth) Say n(b dec ) 2 < q/2 noise=b dec noise=0

Bootstrapping: How But the evaluator (cloud) does not have SK! Best Possible Noise Reduction = Decryption! m Noiseless ciphertext Dec Very Noisy ciphertext CT SK Decryption Circuit

Bootstrapping, Concretely Next Best = Homomorphic Decryption! * Assume Enc(SK) is public. (OK assuming the scheme is circular secure ) Enc PK (m) Noise = B dec B dec Independent of B input Dec Noise = B input CT Enc PK (SK)

Wrap Up: Bootstrapping Assume Circular Security: Public key contains Enc SK (SK) Function f g

Wrap Up: Bootstrapping Assume Circular Security: Public key contains Enc SK (SK) Function f g Each Gate g Gadget G: g(a,b) g g(a,b) a b g Dec Dec a b c a sk c b sk

Wrap Up: Bootstrapping Assume Circular Security: Public key contains Enc SK (SK) Function f g Each Gate g Gadget G: g(a,b) g Enc(g(a,b)) g Dec Dec a b c a Enc(SK) c b Enc(SK)

Wrap-up: FHE STEP 1 STEP 3 Somewhat Homomorphic (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS 12] Evaluate arithmetic circuits of depth d = ε log n Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = n ε STEP 2 Bootstrapping Method Homomorphic enough Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

Boosting Depth from log n to n ε (in one slide)

Wrap-up: FHE STEP 1 STEP 3 Somewhat Homomorphic (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,BGV12,LTV12,GHS 12] Evaluate arithmetic circuits of depth d = ε log n Depth Boosting / Modulus Reduction [BV11b] Boost the SwHE to depth d = n ε STEP 2 Bootstrapping Method Homomorphic enough Encryption * FHE Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

What We Didn t Do A Lot! Functional Encryption Software Obfuscation: how to encrypt programs Practical techniques for computing on encrypted data: searchable encryption, deterministic encryption, Secure Multiparty protocols, Come to 6.892!

Thanks! Good luck with the project write-ups!

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback