Homomorphic Encryption

Transcription

1 Homomorphic Encryption Travis Mayberry

2 Cloud Computing

3 Cloud Computing

4 Cloud Computing

5 Cloud Computing

6 Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and reliability.

7 Cloud Computing Northeastern saves money on infrastructure and gets the benefit of redundancy and reliability. How can I keep my sensitive information safe while still being able to take advantage of cloud computing resources?

8 Encryption Cloud users should encrypt their data for security and privacy Encrypting data makes it impossible to do many useful things: Search your mail in Gmail Statistical analysis of large data sets Serve targeted advertisements From the server s perspective, the encrypted data is indistinguishable from random!

9 What Can We Do? We need more robust encryption that can allow some computation on the underlying data How can we accomplish this? What kind of security can we get from such a scheme? What are the costs associated with using this encryption?

10 Homomorphic Encryption E(a) C E(b) =E(a P b) Ciphertext operation does not have to be the same as the message operation (only needs to be easily computable) Provides an interface for entities without the key to perform useful computations over the encrypted data Example: RSA C = P = Without the key, you can perform computations but not interpret the result

11 Crypto Voting One application for homomorphic encryption: How can we have a public election where individual votes are not disclosed, but anyone can verify that the final tally is correct? We can do this with a public key additively homomorphic encryption where: E(a) E(b) =E(a + b)

12 Rivest Scheme Publish public key pk Election Officials Batman Superman Alice E pk (1) E pk (0) Bob Steve E pk (0) E pk (0) E pk (1) E pk (1) E pk (1) E pk (2) Votes are tallied and decrypted totals are posted Anyone can compute a tally and verify that the posted total encrypts to the correct value!

13 IND-CPA A Learning m 1 E k (m 1 )... Challenge C One oracle: Encryption m 0,m 1 E k (m b ) b 0

14 IND-CCA A Learning m 1 E k (m 1 ) c 1 D k (c 1 )... Challenge C Two oracles: Encryption Decryption m 0,m 1 E k (m b ) b 0

15 IND-CCA2 A Learning m 1 E k (m 1 ) c 1 D k (c 1 ). Challenge m 0,m 1 E k (m b ) m 2 E k (m 2 ) c 1 D k (c 1 ). b 0 C Two oracles: Encryption Decryption Extra learning phase!

16 IND-CCA2 A Learning m 1 E k (m 1 ) c 1 D k (c 1 ). Challenge m 0,m 1 E k (m b ) m 2 E k (m 2 ) c 1 D k (c 1 ). b 0 C Two oracles: Encryption Decryption Extra learning phase! c i 6= E k (m b )

17 Security

18 Security If we hope to achieve IND-CPA we need...

19 Security If we hope to achieve IND-CPA we need... Probabilistic encryption!

20 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition:

21 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition: E(a) E(b) =E(a b)

22 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition: E(a) E(b) =E(a b) D(E(a) E(b)) = D(E(a b))

23 Security If we hope to achieve IND-CPA we need... Probabilistic encryption! Relax our previous definition: E(a) E(b) =E(a b) D(E(a) E(b)) = D(E(a b)) Or E(a) E(b) E(a b)

24 Security What can we achieve for homomorphic encryption? IND-CCA2 Adversary submits m 0 = x, m 1 = x 0 and receives c = E(m b ) Calculate c c 1, send to be decrypted and apply Works because we can create related ciphertexts and submit them to the oracle (only requirement is that ciphertexts not be exactly equal to challenge)

25 RSA

26 RSA We know RSA is homomorphic: m e 1 m e 2 =(m 1 m 2 ) e

27 RSA We know RSA is homomorphic: m e 1 m e 2 =(m 1 m 2 ) e We know RSA is IND-CPA. That means we have IND-CPA homomorphic encryption!

28 RSA We know RSA is homomorphic: m e 1 m e 2 =(m 1 m 2 ) e We know RSA is IND-CPA. That means we have IND-CPA homomorphic encryption! Not so fast RSA is only IND-CPA with OAEP or another secure padding scheme. Padding schemes are not homomorphic!

29 Which Problems Are Hard? Factoring RSA Problem Discrete Log Quadratic residuosity Hard to determine if a number is a quadratic residue mod pq if p and q are not known

30 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test

31 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic!

32 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts R NR R R NR NR NR?

33 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts R NR R R NR NR NR? R if we choose our nonresidues carefully!

34 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts

35 Idea! Encrypt one bit by selecting either a quadratic residue or a non-residue Indistinguishable if quadratic residuosity is hard to test Possibly Homomorphic! Multiplying ciphertexts Exclusive OR! 0 1 0

36 Goldwasser-Micali Cryptosystem Key gen: Random large primes p and q N = pq x non-residue in Z p and Z q Public key: (N,x) Private key: (p, q) Encrypt: y 2 Z N c = y 2 x m mod N Residue Non-residue if m = 1 Decrypt: If c is a residue, then m = 0, 1 otherwise

37 Goldwasser-Micali Cryptosystem Key gen: Random large primes p and q N = pq x non-residue in Z p and Z q Public key: (N,x) Private key: (p, q) Encrypt: y 2 Z N c = y 2 x m mod N Residue Non-residue if m = 1 Decrypt: If c is a residue, then m = 0, 1 otherwise This is homomorphic...

38 Goldwasser-Micali Cryptosystem Key gen: Random large primes p and q N = pq x non-residue in Z p and Z q Public key: (N,x) Private key: (p, q) Encrypt: y 2 Z N c = y 2 x m mod N Residue Non-residue if m = 1 Decrypt: If c is a residue, then m = 0, 1 otherwise This is homomorphic... and IND-CPA!

39 Random Self-reducibility

40 Random Self-reducibility So far our reductions have made some assumptions about key selection

41 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why?

42 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why? In practice, our message distribution will be unknown and the keys will be chosen randomly

43 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why? In practice, our message distribution will be unknown and the keys will be chosen randomly How can we show that a random key is as secure as the best keys?

44 Random Self-reducibility So far our reductions have made some assumptions about key selection We have proven security for the most secure (hardest) keys and ciphertexts. Why? In practice, our message distribution will be unknown and the keys will be chosen randomly How can we show that a random key is as secure as the best keys? Reduce the problem of breaking an arbitrary key to the problem of breaking polynomially many random keys

45 Functional Completeness

46 Functional Completeness What is the smallest set of operations that can express any program?

47 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables?

48 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? AND NOT

49 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? AND NOT

50 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND

51 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND Others: {NOT, OR} {NOR} {AND, XOR}

52 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND Others: {NOT, OR} {NOR} {AND, XOR} AND 1 0 XOR

53 Functional Completeness What is the smallest set of operations that can express any program? What boolean operators are necessary to express all possible truth tables? NAND Others: {NOT, OR} {NOR} {AND, XOR} Multiplication 1 0 Addition

54 Algebraic Homomorphic Encryption Additive HE: Goldwasser-Micali Paillier Benaloh Decisional composite residuosity assumption Multiplicative HE: RSA ElGamal Factoring Discrete log Can we have a cipher that is algebraic (additive and multiplicative) and secure?

55 Algebraic Homomorphic Encryption Additive HE: Goldwasser-Micali Paillier Benaloh Decisional composite residuosity assumption Multiplicative HE: RSA ElGamal Factoring Discrete log Can we have a cipher that is algebraic (additive and multiplicative) and secure? Boneh and Lipton say no!

56 Traditional Trapdoor Function Easy to go one way c 1 m c 2 c 3 Hard to calculate the inverse unless you know the secret m c

57 Noise Based Trapdoor Function Easy to go both ways! c 1 m c 2 c 3 Hard to invert if you only have an approximate value m c

58 Noise Based Trapdoor Function Encryption m c ~r m Decryption c Recover original point from trapdoor secret

59 DGHV Encryption Key gen: p 2 [2 1, 2 ) Encrypt: Choose random q and r c = pq +2r + m Decrypt: m =(c mod p) mod 2

60 Somewhat Homomorphic

61 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic

62 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why?

63 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why? What is addition/multiplication of bits?

64 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why? What is addition/multiplication of bits? How does the ciphertext size vary with the number of operations performed?

65 Somewhat Homomorphic This encryption is both additively homomorphic and multiplicatively homomorphic Why? What is addition/multiplication of bits? How does the ciphertext size vary with the number of operations performed? Addition Multiplication n bits n bits n +1bits 2n bits n +2bits 4n bits

66 Fully Homomorphic Encryption Problem: Ciphertexts may grow very large depending on the number of homomorphic operations In order to be practical we need a cryptosystem that operates over a group so ciphertexts do not increase in size Solution: Allow ciphertexts to grow, but apply a squashing operation when they reach a certain threshold that will lower their size Definitions: E pk (m) - encryption D sk (c) - decryption Eval pk (c, P, x) - evaluate

67 Bootstrapping

68 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... Ciphertext is very large!

69 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key

70 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt

71 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2

72 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2 m pk 1

73 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2 m pk 1! m pk 1 pk 2

74 Bootstrapping c pk1 = E pk1 (m 1 ) E pk1 (m 2 )... c = E (c )(E (E (m))) pk2 pk1 pk2 pk1 Ciphertext is very large! Encrypt with a second key c pk2 = Eval(c,D,E pk2 (pk 1 )) Homomorphically decrypt Result: c pk1! c pk2 Size is the same as a fresh ciphertext! pk 2 pk 2 m pk 1! m pk 1! m

75 Almost There We still need a long chain of keys to keep refreshing our ciphertext: E pk2 (pk 1 ),E pk3 (pk 2 ),...,E pkn (pk n 1 ) If we make an additional assumption, then we can get a fully homomorphic cipher with only one key: E pk (pk) does not give an adversary any advantage Key-dependent message security assumption Reencryption: c = Eval(E pk (c),d,e pk (pk))

76 Practicality Current FHE candidates require: Large keys (many MBs) Large ciphertexts Frequent computationally intensive bootstrapping May only be able to do one multiplication before having to bootstrap Current research: Homomorphic encryption without bootstrapping Practical uses for somewhat homomorphic encryption

77 Outsourcing Data Storage Request'Alice s'records' Oncologist' Cloud'may'learn'a'pa8ent'has'cancer' even'if'the'records'are'encrypted!'

78 Private Information Retrieval Client% Server% x 1 Request(i) x 2 x 3... x n x 1 x i x 2 x 3 Server%does%not% know%which%item% was%retrieved!%... x n

79 Method'using'addi.vely' homomorphic'encryp.on' Request Vector Database E(0) E(0) E(0) E(0) E(1) E(0) E(0) * * * * * * * x 1 x 2 x 3 x 4 x 5 x 6 x 7 = = = = = = = E(0) E(0) E(0) E(0) E(x 5 ) E(0) E(0) + E(x 5 )