HElib (2013) HOMOMORPHIC ENCRYPTION IBM release of HElib These slide only introduce HE. 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Overview Example • What is homomorphic encryption • Definition • HE over Boolean circuits and integers • Probabilistic encryption • Full homomorphic encryption • Gentry’s result and next • HE and cloud computing • Consider RSA encryption Enc(m)= me mod n • Processing on encrypted data without HE • This means we can compute the multiplication (mod n) of • Then Enc(a) x Enc(b) mod n = Enc(a x b) mod n two clear text messages by operating on their encrypted versions 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Public-key Encryption Semantic security • Three procedures: KeyGen, Enc, Dec • (sk,pk) KeyGen( random ) • A cryptosystem is Semantically Secure (SS) if any probabilistic, • Generate random public/secret key-pair • c Encpk(m) polynomial-time algorithm (PPTA) that is given the ciphertext of a certain message m and the message's length, cannot determine any partial information on the message with probability non-negligibly higher than all other PPTA's that only have access to the message length (i.e. not the ciphertext). • Encrypt a message with the public key • m • SS is the computational complexity counter part of Shannon's Decsk(c) • Decrypt a ciphertext with the secret key • e.g., RSA: c me mod N, m • (N,e) public key, d secret key cd mod N concept of perfect secrecy. Perfect secrecy means that the ciphertext reveals no information at all about the plaintext, whereas semantic security implies that any information revealed cannot be feasibly extracted. • Recall discussion on message authentication codes! • SS was first put forward by Goldwasser and Micali. Goldwasser/Micali • Semantic Security [GM’84]: (pk, Encpk(0)) ? (pk, Encpk(1)) ? means indistinguishable by efficient algorithms 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology later showed that SS is equivalent to ciphertext indistinguishability. This security definition works better when proving the security of practical cryptosystems. 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology What is HE? What is HE? (cont’d) In general • Suppose we have an encryption operation Enc with the properties • Inputs to Enc are elements from a group G with operation x • Outputs from a group H with operation and Enc(a x b) = Enc(a) Enc(b) (thus Enc is a homomorphism, which explains the naming) • Somewhat Homomorphic Encryption • Additive • Multiplicative • Fully Homomorphic Encryption • On bits: XOR, AND • On Integers: add, multiply • Then we can perform x operations in G by operating on their encrypted counter parts using 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology (+,x)-Homomorphic Encryption Probabilistic encryption It will be really nice to have… • Plaintext space Z2 (with ops +,x) • Ciphertext space some ring R ( ops +,x) • Homomorphic for both + and x • Enc(x1) + Enc(x2) in R = Enc(x1+ x2 mod 2) • Enc(x1) x Enc(x2) in R = Enc(x1 x x2 mod 2) Encrypt Fixed m C R {c1, …,cm} • Then we can compute any function on the encryptions • Since every binary function is a polynomial • (We won’t get exactly this, but it gives an idea) randomness 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Fully Homomorphic Encryption 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Fully Homomorphic Encryption A public key encryption scheme (KeyGen, Enc, Dec) is fully homomorphic if Encrypted x, Program P Encrypted P(x) there exists an additional efficient algorithm Eval that, for a valid public key pk, a permitted circuit (read program if you want) and a set of cipher texts =(c1,…ct) where ci=Encpk(mi), Outputs c=Evalpk( ; ) under pk Definition: (KeyGen, Enc, Dec, Eval) (regular public/private-key encryption) Correctness of Eval: For every input x, program P – If c = Enc(PK, x) and = Eval (PK, c, P), then Dec (SK, c ) = P(x). Compactness: Length of c independent of size of P Security = Semantic Security 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Early History (1978-start) First Defined: “Privacy homomorphism” [RAD’78] Early History (1978-2009) Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…] “Can we search in encrypted data?” Goldwasser-Micali’82 Public key: N, y: non-square mod N Secret key: factorization of N Enc(a)=ya * r2 mod N r2 Enc(0): mod N, Enc(1): y * r2 mod N [Rivest-Adleman-Dertouzos] 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Early History (1978-2009) Enc(a) x Enc(b) = Enc(a xor b) (Additively) homomorphic over Z2 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Paillier's Cryptosystem: additive scheme Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…] Multiplicatively Homomorphic [ElG’85,…] Add + One Multipl [BGN’05,GHV’09] A Negative Result [Boneh-Lipton’97,DHI’03] Any deterministic FHE can be broken in sub-exponential (or, quantum poly) time. From: The development of homomorphic cryptography - From RSA to Gentry's privacy homomorphism, Sigrun Goluch, TU Wien, 2011 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Paillier's Cryptosystem: additive scheme Consider Then , = is product of primes p and q and let , × , = × =( ) = ( + , , = mod 2, random r’s Circuits: Add & Mult Are Universal Arith. Circuit (+, ) over GF(2). (+, ) over GF(2) Boolean (XOR,AND) = Universal set f(x1,x2,x3)=(x1+x2 x3 x2 x1 Enc(x1) Enc(x2) If we had: ) • Eval(+, Enc(x1), Enc(x2)) Enc(x1+x2) • Eval( , Enc(x1), Enc(x2)) Enc(x1 x2) Enc(x3) Enc(x1+x2) then we are done. Thus the product of encryptions of two messages is an encryption of the sum of the two messages. 2014-10-08 B. Smeets x3 + EITN50 - Dept of Electrical and Information technology See Johannesson and Smeets, Design of Digital Circuits – a systems approach 2014-10-08 B. Smeets Enc((x1+x2 x3) EITN50 - Dept of Electrical and Information technology Gentry (2009) Since then FIRST Fully Homomorphic Encryption! Gentry’s initial scheme had astronomic complexity Also the original proof was quite involved and there were many assumptions. Achieved: • Much more efficient solutions • Shorter proofs • Relaxing of assumptions But this is still a very active field of cryptographic research 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology HE and cloud computing The basic idea: • Suppose we want to do a computation on a set of data (m1,…,mN) but want to utilize cloud servers for the computation. • Yet we do not want to give the cloud servers access to the data itself • HE might be able to help us here – in principle 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Some other uses of HE • Secure voting schemes Outsourcing Computation Untrusted x Function x f f(x) medical records risk factors 2014-10-08 B. Smeets analysis EITN50 - Dept of Electrical and Information technology Back to HElib • IBM has released a new GPL-licensed encryption library called HElib which boasts the property of being fully homomorphic. This means that the encrypted message can be manipulated (subject to certain constraints), and the transformations applied to it will propagate correctly to the plaintext message. For example, given a number n and its encrypted "ciphertext" E(n), a homomorphic encryption scheme might allow you to multiply by a constant, and decrypting 42 * E(n) would give you 42 * n. • Multi-party computations • Exactly which operations preserve this property varies with the encryption scheme used. Schemes which are partially homomorphic preserve the homomorphic property only for addition or for multiplication, but not both. A fully homomorphic scheme preserves computation for both addition and multiplication, which is considerably more powerful. Such a system also preserves the useful algebraic properties of a ring: • • • • The The The The associative property of addition: (a + b) + c = a + (b + c) commutative property of addition: a + b = b + a associative property of multiplication: (a * b) * c = a * (b * c) distributive property: a * (b + c) = (a * b) + (a * c) • In short, with a fully homomorphic encryption scheme, you can perform a wide variety of computations on a file without decrypting it first. Consequently, untrusted programs can operate on encrypted data without risking the disclosure of its information. Remote servers could adjust financial documents without knowing their contents (for example, crediting an account, or computing sales tax on a purchase), voting machines could track totals without disclosing what the intermediate counts are, sensitive databases can be recklessly stored on public web sites, and so on (well, perhaps not that final example). There are several well-known cryptosystems which are partially homomorphic; for example, RSA encryption is homomorphic over multiplication only. But only recently have there been practical systems that are fully homomorphic. • The downside is that the few known fully homomorphic systems are considerably slower than are partially homomorphic schemes. • Nathan Willis, May 2013, http://lwn.net/Articles/549665/ 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Alternatives Database operations on encrypted data • Can we do processing on encrypted data without relying • This is indeed possible (http://css.csail.mit.edu/cryptdb/) on HE if we only ask for certain types of processing YES, we know that already but how complex processing we can do ? Encrypted query Application Encrypted results Encrypted DB Raluca Ada Popa, Catherine M. S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan. CryptDB: Protecting Confidentiality with Encrypted Query Processing. In Proceedings of the 23rd ACM Symposium on Operating Systems Principles (SOSP), Cascais, Portugal, October 2011. 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Two techniques SQL-aware encryption strategy 1. • • Obs.: set of SQL operators is limited Different encryption schemes provide different functionality Adjustable query-based encryption 2. • 2014-10-08 B. Smeets Application EITN50 - Dept of Electrical and Information technology Example – order preserving 60 100 800 100 SELECT * FROM emp WHERE salary = 100 table1 (emp) Proxy SELECT * FROM table1 WHERE col3 = x5a8c34 x638e54 Adapt encryption of data based on user queries col1/rank col2/name col3/salary x934bc1 x1eab81 x4be219 x5a8c34 x638e54 x95c623 x5a8c34 x638e54 ? x5a8c34 x922eb4 x922eb4 x84a21c x2ea887 x638e54 x5a8c34 x17cea7 x5a8c34 x638e54 Slide from: CryptDB: Confidentiality for Database Applications with Encrypted Query Processing, Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan, MIT CSAIL Application CryptoDB architecture Example 60 100 800 100 SELECT * FROM emp WHERE salary = 100 table1 (emp) Proxy SELECT * FROM table1 WHERE col3 = x5a8c34 x638e54 SQL Interface Query col1/rank col2/name col3/salary Application x934bc1x4be219 CryptDB Results Proxy Server Encrypted Query Unmodified DBMS Encrypted Results CryptDB PK tables CryptDB UDFs (user-defined functions) x5a8c34x95c623 x5a8c34 ? x5a8c34 x638e54 x5a8c34 x922eb4 x5a8c34 x84a21c x2ea887 x1eab81 x17cea7 x5a8c34 x638e54 x5a8c34 x638e54 x922eb4 No change to the DBMS • Portable: from Postgres to MySQL with 86 lines • One-key: no change to applications • Multi-user keys: annotations and login/logout • x638e54 Slide from: CryptDB: Confidentiality for Database Applications with Encrypted Query Processing, Raluca Ada Popa, Catherine Redfield, Nickolai Zeldovich, and Hari Balakrishnan, MIT CSAIL 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology Experimental work Complexity • Google: • https://code.google.com/p/encrypted-bigquery-client/ TPC-C Throughput loss 27% • SAP: http://www.fkerschbaum.org/sicherheit14.pdf With phpBB application: throughput loss of 13% Encrypted DBMS is practical TPC-C is an on-line transaction processing benchmark 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology 2014-10-08 B. Smeets EITN50 - Dept of Electrical and Information technology
© Copyright 2024