HOMOMORPHIC ENCRYPTION HElib (2013) IBM release of HElib

HElib (2013)
HOMOMORPHIC
ENCRYPTION
IBM release of HElib
These slide only introduce HE.
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Overview
Example
• What is homomorphic encryption
• Definition
• HE over Boolean circuits and integers
• Probabilistic encryption
• Full homomorphic encryption
• Gentry’s result and next
• HE and cloud computing
• Consider RSA encryption Enc(m)= me mod n
• Processing on encrypted data without HE
• This means we can compute the multiplication (mod n) of
• Then Enc(a) x Enc(b) mod n = Enc(a x b) mod n
two clear text messages by operating on their encrypted
versions
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Public-key Encryption
Semantic security
• Three procedures: KeyGen, Enc, Dec
• (sk,pk)
KeyGen( random )
• A cryptosystem is Semantically Secure (SS) if any probabilistic,
• Generate random public/secret key-pair
• c
Encpk(m)
polynomial-time algorithm (PPTA) that is given the ciphertext of a
certain message m and the message's length, cannot determine any
partial information on the message with probability non-negligibly
higher than all other PPTA's that only have access to the message
length (i.e. not the ciphertext).
• Encrypt a message with the public key
• m
• SS is the computational complexity counter part of Shannon's
Decsk(c)
• Decrypt a ciphertext with the secret key
• e.g., RSA: c
me mod N, m
• (N,e) public key, d secret key
cd mod N
concept of perfect secrecy. Perfect secrecy means that the ciphertext
reveals no information at all about the plaintext, whereas semantic
security implies that any information revealed cannot be feasibly
extracted.
• Recall discussion on message authentication codes!
• SS was first put forward by Goldwasser and Micali. Goldwasser/Micali
• Semantic Security [GM’84]: (pk, Encpk(0)) ? (pk, Encpk(1))
? means indistinguishable by efficient algorithms
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
later showed that SS is equivalent to ciphertext indistinguishability.
This security definition works better when proving the security of
practical cryptosystems.
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
What is HE?
What is HE? (cont’d)
In general
• Suppose we have an encryption operation Enc with the
properties
• Inputs to Enc are elements from a group G with operation x
• Outputs from a group H with operation
and Enc(a x b) = Enc(a) Enc(b)
(thus Enc is a homomorphism, which explains the naming)
• Somewhat Homomorphic Encryption
• Additive
• Multiplicative
• Fully Homomorphic Encryption
• On bits: XOR, AND
• On Integers: add, multiply
• Then we can perform x operations in G by operating on
their encrypted counter parts using
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
(+,x)-Homomorphic Encryption
Probabilistic encryption
It will be really nice to have…
• Plaintext space Z2 (with ops +,x)
• Ciphertext space some ring R ( ops +,x)
• Homomorphic for both + and x
• Enc(x1) + Enc(x2) in R = Enc(x1+ x2 mod 2)
• Enc(x1) x Enc(x2) in R = Enc(x1 x x2 mod 2)
Encrypt
Fixed m
C
R {c1,
…,cm}
• Then we can compute any function on the encryptions
• Since every binary function is a polynomial
•
(We won’t get exactly this, but it gives an idea)
randomness
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Fully Homomorphic Encryption
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Fully Homomorphic Encryption
A public key encryption scheme (KeyGen, Enc, Dec)
is fully homomorphic if
Encrypted x, Program P
Encrypted P(x)
there exists an additional efficient algorithm Eval
that, for a valid public key pk,
a permitted circuit (read program if you want) and
a set of cipher texts =(c1,…ct) where ci=Encpk(mi),
Outputs
c=Evalpk( ; ) under pk
Definition: (KeyGen, Enc, Dec, Eval)
(regular public/private-key encryption)
Correctness of Eval: For every input x, program P
– If c = Enc(PK, x) and
= Eval (PK, c, P),
then Dec (SK, c ) = P(x).
Compactness: Length of c independent of size of P
Security = Semantic Security
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Early History (1978-start)
First Defined: “Privacy homomorphism” [RAD’78]
Early History (1978-2009)
Additively Homomorphic
[GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]
“Can we search in encrypted data?”
Goldwasser-Micali’82
Public key: N, y: non-square mod N
Secret key: factorization of N
Enc(a)=ya * r2 mod N
r2
Enc(0): mod N,
Enc(1): y * r2 mod N
[Rivest-Adleman-Dertouzos]
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Early History (1978-2009)
Enc(a) x Enc(b) = Enc(a xor b)
(Additively) homomorphic over Z2
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Paillier's Cryptosystem: additive scheme
Additively Homomorphic
[GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]
Multiplicatively Homomorphic [ElG’85,…]
Add + One Multipl [BGN’05,GHV’09]
A Negative Result [Boneh-Lipton’97,DHI’03]
Any deterministic FHE can be broken in
sub-exponential (or, quantum poly) time.
From: The development of homomorphic cryptography - From RSA to Gentry's privacy homomorphism,
Sigrun Goluch, TU Wien, 2011
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Paillier's Cryptosystem: additive scheme
Consider
Then
,
=
is product of primes p and q and let
,
×
,
=
×
=(
)
= (
+
,
,
=
mod 2,
random r’s
Circuits: Add & Mult Are Universal
Arith. Circuit (+, ) over GF(2).
(+, ) over GF(2)
Boolean (XOR,AND)
= Universal set
f(x1,x2,x3)=(x1+x2 x3
x2
x1
Enc(x1)
Enc(x2)
If we had:
)
• Eval(+, Enc(x1), Enc(x2))
Enc(x1+x2)
• Eval( , Enc(x1), Enc(x2))
Enc(x1 x2)
Enc(x3)
Enc(x1+x2)
then we are done.
Thus the product of encryptions of two messages is an
encryption of the sum of the two messages.
2014-10-08 B. Smeets
x3
+
EITN50 - Dept of Electrical and Information technology
See Johannesson and Smeets,
Design of Digital Circuits – a systems approach
2014-10-08 B. Smeets
Enc((x1+x2 x3)
EITN50 - Dept of Electrical and Information technology
Gentry (2009)
Since then
FIRST Fully Homomorphic Encryption!
Gentry’s initial scheme had astronomic complexity
Also the original proof was quite involved and there were
many assumptions.
Achieved:
• Much more efficient solutions
• Shorter proofs
• Relaxing of assumptions
But this is still a very active field of cryptographic research
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
HE and cloud computing
The basic idea:
• Suppose we want to do a computation on a set of data
(m1,…,mN) but want to utilize cloud servers for the
computation.
• Yet we do not want to give the cloud servers access to the
data itself
• HE might be able to help us here – in principle
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Some other uses of HE
• Secure voting schemes
Outsourcing Computation
Untrusted
x
Function
x
f
f(x)
medical
records
risk factors
2014-10-08 B. Smeets
analysis
EITN50 - Dept of Electrical and Information technology
Back to HElib
• IBM has released a new GPL-licensed encryption library called HElib which boasts the property of being
fully homomorphic. This means that the encrypted message can be manipulated (subject to certain
constraints), and the transformations applied to it will propagate correctly to the plaintext message. For
example, given a number n and its encrypted "ciphertext" E(n), a homomorphic encryption scheme might
allow you to multiply by a constant, and decrypting 42 * E(n) would give you 42 * n.
• Multi-party computations
• Exactly which operations preserve this property varies with the encryption scheme used. Schemes which
are partially homomorphic preserve the homomorphic property only for addition or for multiplication, but not
both. A fully homomorphic scheme preserves computation for both addition and multiplication, which is
considerably more powerful. Such a system also preserves the useful algebraic properties of a ring:
•
•
•
•
The
The
The
The
associative property of addition: (a + b) + c = a + (b + c)
commutative property of addition: a + b = b + a
associative property of multiplication: (a * b) * c = a * (b * c)
distributive property: a * (b + c) = (a * b) + (a * c)
• In short, with a fully homomorphic encryption scheme, you can perform a wide variety of computations on a
file without decrypting it first. Consequently, untrusted programs can operate on encrypted data without
risking the disclosure of its information. Remote servers could adjust financial documents without knowing
their contents (for example, crediting an account, or computing sales tax on a purchase), voting machines
could track totals without disclosing what the intermediate counts are, sensitive databases can be
recklessly stored on public web sites, and so on (well, perhaps not that final example). There are several
well-known cryptosystems which are partially homomorphic; for example, RSA encryption is homomorphic
over multiplication only. But only recently have there been practical systems that are fully homomorphic.
• The downside is that the few known fully homomorphic systems are considerably slower than are partially
homomorphic schemes.
• Nathan Willis, May 2013, http://lwn.net/Articles/549665/
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Alternatives
Database operations on encrypted data
• Can we do processing on encrypted data without relying
• This is indeed possible (http://css.csail.mit.edu/cryptdb/)
on HE if we only ask for certain types of processing
YES, we know that already but how complex
processing we can do ?
Encrypted query
Application
Encrypted results
Encrypted
DB
Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. CryptDB: Protecting Confidentiality with
Encrypted Query Processing. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP), Cascais,
Portugal, October 2011.
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Two techniques
SQL-aware encryption strategy
1.
•
•
Obs.: set of SQL operators is limited
Different encryption schemes provide different functionality
Adjustable query-based encryption
2.
•
2014-10-08 B. Smeets
Application
EITN50 - Dept of Electrical and Information technology
Example – order preserving
60
100
800
100
SELECT * FROM emp
WHERE salary = 100
table1 (emp)
Proxy
SELECT * FROM table1
WHERE col3 = x5a8c34
x638e54
Adapt encryption of data based on user queries
col1/rank col2/name col3/salary
x934bc1
x1eab81
x4be219
x5a8c34
x638e54
x95c623
x5a8c34
x638e54
?
x5a8c34
x922eb4
x922eb4
x84a21c
x2ea887
x638e54
x5a8c34
x17cea7
x5a8c34
x638e54
Slide from: CryptDB: Confidentiality for Database Applications with Encrypted Query Processing, Raluca Ada Popa, Catherine Redfield, Nickolai
Zeldovich, and Hari Balakrishnan, MIT CSAIL
Application
CryptoDB architecture
Example
60
100
800
100
SELECT * FROM emp
WHERE salary = 100
table1 (emp)
Proxy
SELECT * FROM table1
WHERE col3 = x5a8c34
x638e54
SQL Interface
Query
col1/rank col2/name col3/salary
Application
x934bc1x4be219
CryptDB
Results
Proxy
Server
Encrypted Query
Unmodified
DBMS
Encrypted Results
CryptDB
PK tables
CryptDB UDFs
(user-defined
functions)
x5a8c34x95c623
x5a8c34
?
x5a8c34
x638e54
x5a8c34
x922eb4
x5a8c34
x84a21c x2ea887
x1eab81
x17cea7
x5a8c34
x638e54
x5a8c34
x638e54
x922eb4
No change to the DBMS
• Portable: from Postgres to MySQL with 86 lines
• One-key: no change to applications
• Multi-user keys: annotations and login/logout
•
x638e54
Slide from: CryptDB: Confidentiality for Database Applications with Encrypted Query Processing, Raluca Ada Popa, Catherine Redfield, Nickolai
Zeldovich, and Hari Balakrishnan, MIT CSAIL
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
Experimental work
Complexity
• Google:
• https://code.google.com/p/encrypted-bigquery-client/
TPC-C
Throughput loss 27%
• SAP:
http://www.fkerschbaum.org/sicherheit14.pdf
With phpBB application: throughput loss of 13%
Encrypted DBMS is practical
TPC-C is an on-line transaction processing benchmark
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology
2014-10-08 B. Smeets
EITN50 - Dept of Electrical and Information technology