c hiffrement compl tement homomorphe
play

C HIFFREMENT ( COMPLTEMENT ) HOMOMORPHE : DE LA THORIE LA PRATIQUE - PowerPoint PPT Presentation

C HIFFREMENT ( COMPLTEMENT ) HOMOMORPHE : DE LA THORIE LA PRATIQUE Tancrde Lepoint CryptoExperts Sminaire sur la Confiance Numrique Jeudi 9 Octobre 2014 Outline 1. Introduction 1.1 What is Fully Homomorphic Encryption? Use


  1. C HIFFREMENT ( COMPLÈTEMENT ) HOMOMORPHE : DE LA THÉORIE À LA PRATIQUE Tancrède Lepoint CryptoExperts Séminaire sur la Confiance Numérique – Jeudi 9 Octobre 2014

  2. Outline 1. Introduction 1.1 What is Fully Homomorphic Encryption? Use Cases? 1.2 Somewhat Homomorphic Encryption over the Integers 2. Implementations and Cloud Communications 2.1 Pointers to Implementations and Libraries 2.2 Cloud Communication Issues 2 / 36

  3. Outline 1. Introduction 1.1 What is Fully Homomorphic Encryption? Use Cases? 1.2 Somewhat Homomorphic Encryption over the Integers 2. Implementations and Cloud Communications 2.1 Pointers to Implementations and Libraries 2.2 Cloud Communication Issues 2 / 36

  4. Encryption Alice Bob “My cell number is 444 264 2999” Eve To:4442642999 (scam) 3 / 36

  5. Encryption Alice Bob ??? 0x93ac584f00. . . 0ab369 Eve ??? To: (scam) 3 / 36

  6. Encryption Alice Bob 0x93ac584f00. . . 0ab369 Eve ??? Alice’s number: 444 264 2999 To: (scam) 3 / 36

  7. One Motivation: Cloud Computing Program or application on connected server(s) rather than locally 4 / 36

  8. Modelization { m i } i f ( m 0 , . . . , m i ) f f is the service provided by the Cloud on your data m i 5 / 36

  9. Confidentiality of Your Data { m i } i { m i } i f ( m 0 , . . . , m i ) f The Cloud knows all your data Confidentiality of your data in the Cloud? 6 / 36

  10. Confidentiality of Your Data { m i } i { m i } i f ( m 0 , . . . , m i ) f Secure channel � The Cloud knows all your data Confidentiality of your data in the Cloud? ◮ We assume communication with the Cloud is secure � (e.g. HTTPS) 6 / 36

  11. Confidentiality w.r.t. The Cloud { Enc ( m i ) } i ??? f The Cloud knows nothing about your data ◮ For confidentiality, we use encryption 7 / 36

  12. Confidentiality w.r.t. The Cloud { Enc ( m i ) } i { Enc ( m i ) } i ∈ I Storage/Retrieval The Cloud knows nothing about your data ◮ For confidentiality, we use encryption ◮ Now... limited to storage / retrieval 7 / 36

  13. Confidentiality w.r.t. The Cloud { Enc ( m i ) } i { Enc ( m i ) } i ∈ I Storage/Retrieval The Cloud knows nothing about your data ◮ For confidentiality, we use encryption ◮ Now... limited to storage / retrieval ◮ This is not even what Dropbox / Google Drive / Microsoft OneDrive / Amazon S2 / iCloud Drive / etc. are doing ◮ Allow access control and sharing, interaction with whole app universe, etc. 7 / 36

  14. Operating on Encrypted Data [ RivestAdlemanDertouzos78 ] Going beyond the storage / retrieval of encrypted data by permitting encrypted data to be operated on for interesting operations, in a public fashion? 8 / 36

  15. Operating on Encrypted Data [ RivestAdlemanDertouzos78 ] Going beyond the storage / retrieval of encrypted data by permitting encrypted data to be operated on for interesting operations, in a public fashion? ◮ Additive Homomorphic Encryption: E = Enc ( a ) + Enc ( b ) ⇒ Dec ( E ) = a + b e.g. Paillier’s cryptosystem [ Paillier99 ] c = g m · r N mod N 2 c ′ = g m ′ · r ′ N mod N 2 ⇒ c · c ′ = g m + m ′ · ( r · r ′ ) N mod N 2 8 / 36

  16. Operating on Encrypted Data [ RivestAdlemanDertouzos78 ] Going beyond the storage / retrieval of encrypted data by permitting encrypted data to be operated on for interesting operations, in a public fashion? ◮ Additive Homomorphic Encryption: E = Enc ( a ) + Enc ( b ) ⇒ Dec ( E ) = a + b ◮ Multiplicative Homomorphic Encryption: E = Enc ( a ) × Enc ( b ) Dec ( E ) = a × b ⇒ e.g. ‘textbook ElGamal’ � g y , m · ( g x ) y � c = � g y + y ′ , ( m · m ′ ) · ( g x ) y + y ′ � g y ′ , m ′ · ( g x ) y ′ � ⇒ c ⊙ c ′ = � c ′ = 8 / 36

  17. Operating on Encrypted Data [ RivestAdlemanDertouzos78 ] Going beyond the storage / retrieval of encrypted data by permitting encrypted data to be operated on for interesting operations, in a public fashion? ◮ Additive Homomorphic Encryption: E = Enc ( a ) + Enc ( b ) Dec ( E ) = a + b ⇒ ◮ Multiplicative Homomorphic Encryption: E = Enc ( a ) × Enc ( b ) ⇒ Dec ( E ) = a × b FULLY Homomorphic Encryption : Additive and Multiplicative on { 0,1 } 8 / 36

  18. Fully Homomorphic Encryption Enable unlimited computation on encrypted data (w.l.o.g. m i ’s are bits and f Boolean circuit) pk FHE { Enc FHE ( m i ) } i Enc FHE ( f ( m 0 , . . . , m i )) f ( public homomorphic computations) 9 / 36

  19. Towards Fully Homomorphic Encryption ◮ [ RivestAdlemanDertouzos78 ] : notion of privacy homomorphism ◮ [ GoldwasserMicali84 ] : XOR of bits ◮ [ ElGamal84 ] : multiplication mod p ◮ [ Paillier98 ] : addition mod N = pq ◮ [ BonehGohNissim05 ] : additions and one multiplication mod p 10 / 36

  20. Towards Fully Homomorphic Encryption ◮ [ RivestAdlemanDertouzos78 ] : notion of privacy homomorphism ◮ [ GoldwasserMicali84 ] : XOR of bits ◮ [ ElGamal84 ] : multiplication mod p ◮ [ Paillier98 ] : addition mod N = pq ◮ [ BonehGohNissim05 ] : additions and one multiplication mod p ◮ [ Gentry09 ] : additions and multiplications mod 2! 10 / 36

  21. Awesome! Can We Use It? ◮ In theory , plentiful of applications ◮ Everything can be viewed as a circuit ◮ Humongous potential ◮ Solve many problems on privacy 11 / 36

  22. Awesome! Can We Use It? ◮ In theory , plentiful of applications ◮ Everything can be viewed as a circuit ◮ Humongous potential ◮ Solve many problems on privacy ◮ In practice ... problem because of sequential homomorphic multiplications! ◮ State-of-the-art in 2011: 30 minutes after each bit-multiplication 11 / 36

  23. Awesome! Can We Use It? ◮ In theory , plentiful of applications ◮ Everything can be viewed as a circuit ◮ Humongous potential ◮ Solve many problems on privacy ◮ In practice ... problem because of sequential homomorphic multiplications! ◮ State-of-the-art in 2011: 30 minutes after each bit-multiplication ◮ State-of-the-art in 2014: not much better... for fully homomorphic encryption ◮ (But I heard about exciting new results to come...) 11 / 36

  24. (Fully ?) Homomorphic Encryption Question [ NaehrigLauterVaikuntanathan12 ] : Do we really need fully homomorphic encryption? 12 / 36

  25. (Fully ?) Homomorphic Encryption Question [ NaehrigLauterVaikuntanathan12 ] : Do we really need fully homomorphic encryption? ◮ Work over bits? � 10 ◮ e.g. computing i = 1 t i where t i are 8-bit values: ◮ 135 ‘ × ’ and ‘ × depth’ = 8 if working over bits [ FauSirdeyFontaineAguilar-MelchorGogniat13 ] ◮ 0 ‘ × ’ if plaintext space is ≥ 2560 12 / 36

  26. (Fully ?) Homomorphic Encryption Question [ NaehrigLauterVaikuntanathan12 ] : Do we really need fully homomorphic encryption? ◮ Work over bits? � 10 ◮ e.g. computing i = 1 t i where t i are 8-bit values: ◮ 135 ‘ × ’ and ‘ × depth’ = 8 if working over bits [ FauSirdeyFontaineAguilar-MelchorGogniat13 ] ◮ 0 ‘ × ’ if plaintext space is ≥ 2560 ◮ “Real World”: limited number of multiplications ◮ Statistics on medical data: mean, variance, linear regression, etc. ◮ Geolocalization (Euclidean distance, etc.) 12 / 36

  27. Somewhat Homomorphic Encryption ◮ Somewhat Homomorphic Encryption (SHE): limited number of homomorphic operations ◮ Know in advance the × depth of the circuit to be evaluated SHE is sufficient for many applications, and this is on what we (& the community) focus on 13 / 36

  28. Somewhat Homomorphic Encryption ◮ Somewhat Homomorphic Encryption (SHE): limited number of homomorphic operations ◮ Know in advance the × depth of the circuit to be evaluated SHE is sufficient for many applications, and this is on what we (& the community) focus on ◮ Interestingly enough: FHE = (SHE that evaluates its decryption circuit) [ Gentry09 ] ◮ If c = Enc ( m ) , run homomorphically Dec : � � � � � � c result = Enc Dec ( c ) = Enc Dec ( Enc ( m )) = Enc m 13 / 36

  29. Use-Cases? Information and Communications Technologies call for projects (H2020) Construction of “Resource efficient, real-time, highly secure fully homomorphic cryptography” is a key challenge ◮ We need to focus on applications driven by real use-cases having small multiplicative depth ◮ Statistical Computations ◮ Mean ◮ Standard deviation ◮ Genomics (e.g. χ 2 test: statistical tests) ◮ Machine learning ◮ ... 14 / 36

  30. Mean ◮ Cloud want to compute the mean on private values { x 1 ,..., x n } n � � � ¯ x = x i / n i = 1 ◮ SHE encryption scheme Enc (with decryption Dec ) 15 / 36

  31. Mean ◮ Cloud want to compute the mean on private values { x 1 ,..., x n } n � � � ¯ x = x i / n i = 1 ◮ SHE encryption scheme Enc (with decryption Dec ) � n 1. We can assume that n is public, so we only need to compute i = 1 x i 15 / 36

  32. Mean ◮ Cloud want to compute the mean on private values { x 1 ,..., x n } n � � � ¯ x = x i / n i = 1 ◮ SHE encryption scheme Enc (with decryption Dec ) � n 1. We can assume that n is public, so we only need to compute i = 1 x i 2. The cloud has Enc ( x 1 ) ,..., Enc ( x n ) 15 / 36

  33. Mean ◮ Cloud want to compute the mean on private values { x 1 ,..., x n } n � � � ¯ x = x i / n i = 1 ◮ SHE encryption scheme Enc (with decryption Dec ) � n 1. We can assume that n is public, so we only need to compute i = 1 x i 2. The cloud has Enc ( x 1 ) ,..., Enc ( x n ) 3. The cloud can homomorphically compute and send back to me X = Enc ( x 1 ) + ··· + Enc ( x n ) 15 / 36

Recommend


More recommend