
Berkeley CS276 & MIT 6.875: Specialized homomorphic encryption, commitments and applications (lecture slides, Lecturer: Raluca Ada Popa)



  1. Berkeley CS276 & MIT 6.875 Specialized homomorphic encryption, commitments and applications Lecturer: Raluca Ada Popa

  2. Announcements • Starting to record

  3. Specialized/partial homomorphic encryption • An encryption scheme that is homomorphic with respect to a specific function, and cannot compute arbitrary functions like FHE • Usually faster than FHE due to specialization (but not always)

  4. El Gamal encryption (1985): a semantically secure public-key encryption scheme.
     Setup($1^k$): generate a large prime $p$ of size $k$; choose a generator $g$ with $1 < g < p-1$; output $(p, g)$.
     KeyGen($1^k$): choose random $0 \le sk \le p-2$; let $pk = g^{sk} \bmod p$; output $(sk, pk)$.
     Enc($pk, m$), for $m \in [1, p-1]$: choose random $0 \le r \le p-2$; output $(g^r \bmod p,\; m \cdot pk^r \bmod p)$. Why does this work?
     Dec($sk, (c_1, c_2)$): output $c_2 / c_1^{sk} \bmod p$. How does this decrypt? $c_2 / c_1^{sk} = m \cdot pk^r / g^{r \cdot sk} = m \cdot g^{sk \cdot r} / g^{r \cdot sk} = m$.

  5. DDH assumption. Enc($pk, m$): choose random $0 \le r \le p-2$; output $(g^r \bmod p,\; m \cdot pk^r \bmod p)$. This is Diffie-Hellman key exchange in disguise: the shared key $pk^r = g^{sk \cdot r}$ is used as a one-time pad.
     Semantic security relies on the Decisional Diffie-Hellman assumption: for all nonuniform PPT $A$,
     $\left|\Pr\left[(g, p) \leftarrow Setup(1^k);\; a, b \leftarrow [0, p-2] : A(p, g, g^a, g^b, g^{ab}) = 1\right] - \Pr\left[(g, p) \leftarrow Setup(1^k);\; a, b, c \leftarrow [0, p-2] : A(p, g, g^a, g^b, g^{c}) = 1\right]\right| < negl(k)$.

  6. Proof of security. Decisional Diffie-Hellman assumption: $\forall$ nonuniform PPT $A$,
     $\left|\Pr\left[(g, p) \leftarrow Setup(1^k);\; a, b \leftarrow [0, p-2] : A(p, g, g^a, g^b, g^{ab}) = 1\right] - \Pr\left[(g, p) \leftarrow Setup(1^k);\; a, b, c \leftarrow [0, p-2] : A(p, g, g^a, g^b, g^{c}) = 1\right]\right| < negl(k)$.
     Claim: if DDH holds, El Gamal is semantically secure.
     Proof: assume $A$ can break El Gamal's security; let's show that $B$ can break DDH. $B$ must distinguish between $(g^a, g^b, g^{ab})$ and $(g^a, g^b, g^c)$; $A$ can distinguish between $(g^{sk}, g^r, m_1 \cdot g^{sk \cdot r})$ and $(g^{sk}, g^r, m_2 \cdot g^{sk \cdot r})$. $B$ feeds $g^{ab}$ or $g^c$, multiplied by $m_{\beta}$ for a random bit $\beta$, to $A$. If it is $g^c$, $A$ cannot guess $\beta$; else $A$ guesses correctly.
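Slides 4 to 6 in working form, as an added example that is not part of the lecture: KeyGen, Enc and Dec exactly as on slide 4, decryption written as dividing out the Diffie-Hellman pad from slide 5, plus the multiplicative homomorphism of El Gamal, which goes beyond the slides. The safe prime 2039 and the generator search are constructed toy choices standing in for Setup($1^k$).

```python
import secrets

# Constructed toy parameters (NOT secure; the slide's Setup(1^k) generates a
# k-bit prime).  p = 2q + 1 is a safe prime, so any g whose square and q-th
# power are both != 1 has order p-1, i.e. generates all of Z_p^*.
P = 2039
Q = (P - 1) // 2
G = next(g for g in range(2, P) if pow(g, 2, P) != 1 and pow(g, Q, P) != 1)


def keygen():
    """KeyGen(1^k): sk random in [0, p-2], pk = g^sk mod p."""
    sk = secrets.randbelow(P - 1)
    return sk, pow(G, sk, P)


def encrypt(pk, m, r=None):
    """Enc(pk, m) for m in [1, p-1]: (g^r mod p, m * pk^r mod p).

    pk^r = g^(sk*r) is the Diffie-Hellman shared key, used as a one-time pad."""
    if not 1 <= m <= P - 1:
        raise ValueError("message must be in [1, p-1]")
    if r is None:
        r = secrets.randbelow(P - 1)
    return pow(G, r, P), (m * pow(pk, r, P)) % P


def decrypt(sk, ct):
    """Dec(sk, (c1, c2)) = c2 / c1^sk mod p.

    c1^sk = g^(r*sk) is the same pad pk^r, so dividing it out leaves m."""
    c1, c2 = ct
    pad = pow(c1, sk, P)
    return (c2 * pow(pad, P - 2, P)) % P      # pad^(p-2) = pad^-1 mod p (Fermat)


def multiply(ct1, ct2):
    """Multiplicative homomorphism (beyond the slide): the componentwise product
    (g^(r1+r2), m1*m2 * pk^(r1+r2)) is a valid encryption of m1 * m2 mod p."""
    return (ct1[0] * ct2[0]) % P, (ct1[1] * ct2[1]) % P


def demo():
    """Encrypt two values, decrypt one, and decrypt their homomorphic product."""
    sk, pk = keygen()
    ct1, ct2 = encrypt(pk, 40), encrypt(pk, 50)
    return decrypt(sk, ct1), decrypt(sk, multiply(ct1, ct2))   # (40, 2000)
```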

  7. Other partially homomorphic encryption schemes
     Scheme                                      | Homomorphism
     Goldwasser-Micali'82                        | XOR
     Paillier'99                                 | +
     Boneh-Goh-Nissim'05                         | +, then one *, then + (based on bilinear maps)
     PHE/SHE (partially homomorphic encryption)  | some polynomial

  8. Recall: commitments

  9. Pedersen commitment
     Setup($1^k$), at the receiver: select large primes $p$ and $q$ of size $k$ such that $q$ divides $p-1$; select a generator $g$ of the order-$q$ subgroup of $\mathbb{Z}_p^*$; generate random $a \leftarrow \mathbb{Z}_q$; let $h = g^a \bmod p$; output $(g, h, p)$.
     Commit($g, h, p, x$), by the sender: choose random $r \leftarrow \mathbb{Z}_q$; output $comm = g^x h^r \bmod p$.
     Reveal, by the sender: send $x$ and $r$ to the receiver; the receiver verifies that $comm = g^x h^r \bmod p$ and accepts if so, else rejects.

  10. Perfectly hiding. Commit($g, h, p, x$), by the sender: choose random $r \leftarrow \mathbb{Z}_q$; output $comm = g^x h^r \bmod p$.
     • For a commitment $comm$, every $x$ could have been committed to in $comm$.
     • Given $x$, $r$ and any $x'$, $\exists r'$ such that $g^x h^r = g^{x'} h^{r'}$, namely $r' = (x - x') \cdot a^{-1} + r \bmod q$.

  11. Computationally binding. Assume the sender can find $x', r'$ such that $x' \ne x$ and
     • $comm = g^x h^r = g^{x'} h^{r'}$
     • $h = g^a \bmod p$ implies $x + a r = x' + a r' \bmod q$
     • The sender can compute $a = (x' - x) \cdot (r - r')^{-1} \bmod q$ => the sender solved the discrete logarithm of $h$ base $g$!!

  12. Why is Pedersen homomorphic? Commit($g, h, p, x$), by the sender: choose random $r \leftarrow \mathbb{Z}_q$; output $comm(x, r) = g^x h^r \bmod p$.
     $comm(x_1, r_1) \cdot comm(x_2, r_2) = g^{x_1 + x_2} h^{r_1 + r_2} \bmod p$
     The sender reveals this combined commitment by showing $x_1 + x_2$ and $r_1 + r_2$.
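Slides 9 to 12 as an added Python example (not from the lecture or from the zkLedger project): Pedersen setup, commit and reveal, the homomorphic product, and the two arguments made concrete, equivocation using the receiver's trapdoor $a$ (perfect hiding) and recovering $a$ from two openings of one commitment (binding). The primes 2039 and 1019 and the subgroup generator $g = 4$ are constructed toy parameters.

```python
import secrets

# Constructed toy parameters (NOT secure; the slide's Setup(1^k) picks k-bit
# primes).  p = 2039 and q = 1019 are primes with q | p-1, and g = 4 = 2^2 is a
# square mod p, so it has order q and generates the order-q subgroup of Z_p^*.
P, Q, G = 2039, 1019, 4


def setup(a=None):
    """Setup(1^k), run by the receiver: a <- Z_q, h = g^a mod p.

    Publishes (g, h, p); a (the discrete log of h base g) stays with the receiver."""
    if a is None:
        a = 1 + secrets.randbelow(Q - 1)     # avoid a = 0, which would make h = 1
    return (G, pow(G, a, P), P), a


def commit(params, x, r=None):
    """Commit(g, h, p, x): r <- Z_q, comm = g^x h^r mod p."""
    g, h, p = params
    if r is None:
        r = secrets.randbelow(Q)
    return (pow(g, x, p) * pow(h, r, p)) % p, r


def verify(params, comm, x, r):
    """Reveal check by the receiver: accept iff comm == g^x h^r mod p."""
    g, h, p = params
    return comm == (pow(g, x, p) * pow(h, r, p)) % p


def add(params, comm1, comm2):
    """Homomorphism: comm(x1, r1) * comm(x2, r2) opens to (x1 + x2, r1 + r2)."""
    return (comm1 * comm2) % params[2]


def equivocate(a, x, r, x_new):
    """Perfect hiding, made explicit with the trapdoor a: r' = (x - x') a^-1 + r mod q
    opens the same commitment to x'.  Such an r' exists for every x', which is why
    comm reveals nothing about x even to an unbounded observer."""
    return ((x - x_new) * pow(a, Q - 2, Q) + r) % Q     # a^(q-2) = a^-1 mod q


def extract_log(x, r, x_new, r_new):
    """Binding argument from slide 11: two openings (x, r) != (x', r') of one
    commitment give a = (x' - x) (r - r')^-1 mod q, the discrete log of h base g."""
    return ((x_new - x) * pow((r - r_new) % Q, Q - 2, Q)) % Q
```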

  13. Application: zkLedger [Narula-Vasquez-Virza'18] • Privacy-preserving auditing for distributed ledgers • A cryptographic system built out of: – Pedersen commitments and their homomorphism – Zero-knowledge proofs

  14. First: the use case (all cryptographic systems should have a use case)

  15. zkLedger (slides adapted from Neha Narula). Structure of the financial system: • Dozens of large investment banks (JP Morgan, Goldman Sachs, Citibank, Bank of America, Credit Suisse, Barclays, Deutsche Bank, UBS, Morgan Stanley, HSBC, Wells Fargo, BNY Mellon) • Trading: – Securities – Currencies – Commodities – Derivatives • Trillions of dollars on OTC markets • Financial Investments Regulatory Authority

  16. A ledger records financial transactions. Assume a trusted ledger: append-only, immutable, consistent & visible to everyone.
     ID | Asset | From      | To            | Amount    |
     90 | $     | Citibank  | Goldman Sachs | 1,000,000 | sig
     91 | €     | JP Morgan | UBS           | 200,000   | sig
     92 | €     | JP Morgan | Barclays      | 3,000,000 | sig
     (Figure: the participants Citibank, JP Morgan and Barclays.)

  17. Can verify important financial invariants (same ledger as slide 16). By examining the ledger, verify: • Consent to transfer • Has assets to transfer • Assets neither created nor destroyed

  18. Banks care about privacy: trades reveal sensitive strategy information

  19. Verifying invariants are maintained with privacy (same ledger as slide 16). Verify: • Consent to transfer • Has assets to transfer • Assets neither created nor destroyed

  20. Verifying invariants are maintained with privacy. The ledger now shows only ID and Asset (90 $, 91 €, 92 €); From, To and Amount are hidden. Verify: • Consent to transfer • Has assets to transfer • Assets neither created nor destroyed. Systems named on the slide: Zerocash (zk-SNARKs) [S&P 2014]; Solidus (PVORM) [CCS 2017]

  21. Problem: Regulators need insight into markets to maintain financial stability and protect investors. Participants would like to measure counterparty risk: • Leverage • Exposure • Overall market concentration

  22. How to confidently audit banks to determine risk? Auditor: "What fraction of your assets are in Euros?" Bank: "3 million / 100 million". Auditor: "How exposed is this bank to a drop in the Euro?" Bank: "???"

  23. zkLedger: a private, auditable transaction ledger • Privacy: hides transacting banks and amounts • Integrity with public verification: everyone can verify transactions are well-formed • Auditing: compute provably-correct linear functions over transactions

  24. Outline • System & threat model • zkLedger design – Pedersen commitments – Ledger table format – Zero-knowledge proofs • Evaluation


  26. zkLedger system model. Ledger columns: ID | Asset | Transaction details (hidden): 1 $ ..., 2 € ..., 3 € ...

  27. An auditor can obtain correct answers on ledger contents. Auditor: "What fraction of your assets are in Euros?" Bank: "3 million / 100 million", together with a proof $\pi$ computed over the ledger (ID | Asset | Transaction details: 1 $, 2 €, 3 €).

  28. Measurements zkLedger supports • Ratios and percentages of holdings • Sums, averages, variance, skew • Outliers • Approximations and orders of magnitude • Changes over time • Well-known financial risk measurements (Herfindahl-Hirschmann index)

  29. Security goals • The auditor and non-involved parties cannot see transaction participants or amounts • Banks cannot lie to the auditor or omit transactions • Banks cannot violate financial invariants – Honest banks can always convince the auditor of a correct answer • A malicious bank cannot block other banks from transacting

  30. Threat model • Banks might attempt to steal or hide assets, manipulate balances, or lie to the auditor • Banks can arbitrarily collude • Banks or the auditor might try to learn transaction contents. Out of scope: – A ledger that omits transactions or is unavailable – An adversary watching network traffic – Banks leaking their own transactions


  32. Example public transaction ledger
     ID | Asset | From          | To            | Amount
     1  | €     | Depositor     | Goldman Sachs | 30,000,000
     2  | €     | Goldman Sachs | JP Morgan     | 10,000,000
     3  | €     | JP Morgan     | Barclays      | 1,000,000
     4  | €     | JP Morgan     | Barclays      | 2,000,000
