
Encrypted Messages from the Heights of Cryptomania
Craig Gentry, IBM. Joint work with Sanjam Garg, Shai Halevi, Amit Sahai, Brent Waters. Supported by IARPA contract number D11PC20202.
TCC 2013, Tokyo, Japan


1. Encrypted Messages from the Heights of Cryptomania (title slide)

2. Fully Homomorphic Encryption (FHE)
- Awesome!
  - I give the cloud an encrypted program E(P)
  - For (possibly encrypted) x, the cloud can compute E(P(x))
  - I can decrypt to recover P(x)
  - Cloud learns nothing about P, or even P(x)
- Problem …
  - What if I want the cloud to learn P(x) (but still not P)?
  - So that the cloud can take some action if P(x) = 1.

3. Obfuscation
- I give the cloud an "encrypted" program E(P).
- For any input x, the cloud can compute E(P)(x) = P(x).
- Cloud learns "nothing" about P, except {x_i, P(x_i)}.
  - Barak et al: "On the (Im)possibility of Obfuscating Programs"
- Difference between obfuscation and FHE:
  - In FHE, the cloud computes E(P(x)) and can't decrypt to get P(x).
- Step in the right direction? Modify FHE so that the cloud can detect when some special value, say '0', is encrypted
  - A zero test (or equality test)

4. FHE with a Zero Test
- Seems as powerful as FHE (if the message space is large).
- To regain semantic security:
  - Use a composite N = pq message space
  - Mod-p part for the message, mod-q part for randomness
- Perhaps more powerful
  - Control when the cloud extracts information
  - E.g., when the residues mod p and mod q "align" to 0.
- Difficulty:
  - Can we enable zero-testing without breaking the FHE scheme?
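The composite-message-space idea from this slide, as an added plaintext-level toy (not the talk's scheme): N = p·q, the mod-p residue carries the message, the mod-q residue carries randomness, and a zero test over Z_N fires only when both residues are zero. The primes are constructed small values; a real scheme would encrypt these values and zero-test ciphertexts.

```python
# Added toy, not from the slides: the "composite message space" idea at the
# plaintext level. A value in Z_N, N = p*q, holds the message in its mod-p
# residue and randomness in its mod-q residue; a zero test over Z_N fires
# only when both residues are 0. (Constructed small primes; a real scheme
# would encrypt these values and zero-test the ciphertexts.)

P, Q = 1000003, 999983          # constructed primes (an assumption)
N = P * Q

def crt(m, r):
    """The unique x in Z_N with x = m (mod P) and x = r (mod Q)."""
    t = ((r - m) * pow(P, -1, Q)) % Q   # Garner step using P^{-1} mod Q
    return (m + P * t) % N

def encode(m, r):
    """Message m in F_P paired with randomness r in F_Q."""
    return crt(m % P, r % Q)

def zero_test(x):
    """All the cloud may learn about a value: is it zero in Z_N?"""
    return x % N == 0

def equal_no_randomness(m1, m2):
    """Over the plain message space (r fixed to 0) the zero test on a
    difference is an equality test on messages: a leak."""
    return zero_test(encode(m1, 0) - encode(m2, 0))

def equal_randomized(m1, r1, m2, r2):
    """With independent randomness the difference is 0 mod N only if the
    messages agree mod P AND the random residues agree mod Q, so the
    test reveals nothing unless the owner deliberately aligns r1 == r2."""
    return zero_test(encode(m1, r1) - encode(m2, r2))
```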

5. Black Box Fields (BBFs) [BL96]
- BBFs:
  - Each element x is encoded by an arbitrary string [x] (maybe more than 1)
  - Given [x], [y], the BBF oracle provides [x+y] and [x·y]
  - Equality test: Given [x], [y], Eq([x],[y]) outputs 1 iff x = y.
- Sort of like an FHE scheme with a zero test

6. Attacks on Black Box Fields
- BBF Problem: Given an encoding [x] of x in F_p, output x.
- Solvable in sub-exponential time.
  - Technique: solve the DL of a point (x, y) over an elliptic curve with smooth order.
- Solvable in quantum polynomial time [vDHI03]
- Corollary: FHE over F_p with a zero test is breakable in subexponential or quantum polynomial time.
  - Not fatal, but troubling.
- Anyway, we don't have a construction of FHE with a zero test.

7. Somewhat HE (SWHE) with a Zero Test
- SWHE
  - Can evaluate functions of degree bounded by some polynomial in the security parameter
- SWHE with zero test
  - The Boneh-Lipton subexponential attack does not apply. Nor does the quantum attack.
  - Turns out to be like a multilinear map!

8. Bilinear Maps
- Cryptographic bilinear map (for groups)
  - Groups G_1, G_2 of order p with generators g_1, g_2
  - Bilinear map: e : G_1 × G_1 → G_2 where e(g_1^a, g_1^b) = g_2^{ab} for all a, b ∈ F_p.
  - Bilinear DDH: Given g_1^{a_1}, g_1^{a_2}, g_1^{a_3} ∈ G_1, and h ∈ G_2, distinguish whether h = g_2^{a_1 a_2 a_3} or is random.
- Bilinear group ≈ Degree-2 HE with equality test
  - Enc_i(a) → g_i^a

9. Multilinear Maps
- Cryptographic k-multilinear map (for groups)
  - Groups G_1, …, G_k of order p with generators g_1, …, g_k
  - Family of maps: e_{i,j} : G_i × G_j → G_{i+j} for i+j ≤ k, where e_{i,j}(g_i^a, g_j^b) = g_{i+j}^{ab} for all a, b ∈ F_p.
  - Notation simplification: e(g_{i_1}, …, g_{i_t}) = g_{i_1+...+i_t}.
  - k-linear DDH: Given g_1^{a_1}, …, g_1^{a_{k+1}} ∈ G_1, and h ∈ G_k, distinguish whether h = g_k^{a_1 … a_{k+1}} or is random.
- k-linear group ≈ Degree-k SWHE with a zero test
  - Enc_i(a) = g_i^a. Eval degree-k polys on level-1 encodings.

10. Probabilistic Encodings and Extraction
- For multilinear groups, the encoding is deterministic
  - Zero test is immediate
  - Extraction: Parties that arrive at the same encoding can easily extract a shared key
- For a SWHE scheme with a zero test, the encoding is probabilistic
  - A zero test doesn't imply an extraction procedure.
  - So, let's assume an extraction procedure for now.

11. Multilinear Maps: Applications (Thanks to Brent for some of these slides)

12. Applications
- Easy Application: (k+1)-partite key agreement using a k-linear map [Boneh-Silverberg '03]:
  - Party i generates a level-0 encoding of a_i.
  - Party i broadcasts a level-1 encoding of a_i.
  - Each party separately computes the key e(g_1, …, g_1)^{a_1 … a_{k+1}}.
  - Secure assuming k-linear DDH: Given g_1^{a_1}, …, g_1^{a_{k+1}} ∈ G_1, and h ∈ G_k, hard to distinguish whether h = g_k^{a_1 … a_{k+1}}.
- More interesting applications:
  - Attribute-based encryption for circuits [GGHSW12].
  - Witness encryption [GGSW13]

13. Attribute Based Encryption (ABE)
- Setup(1^λ, F): takes as input a security parameter and a class of functions F = {f : {0,1}^n → {0,1}}. Outputs master secret and public keys MSK, MPK.
- KeyGen(MSK, f): The authority uses MSK to generate a key SK_f for the function f. f represents a user's "key policy" that specifies when it can decrypt.
- Decryption(SK_f, CT): The decrypter recovers M iff f(A) = 1, where A is the attribute string the ciphertext CT was encrypted under.

14. Prior Work on ABE
- F = simple functions in prior ABE schemes
  - Example: F = formulas.
  - For F = circuits, prior schemes have exponential complexity
- Tools:
  - Bilinear maps [SW05, GOSW06, …]
  - Lattices (learning with errors (LWE)) [Boyen13].
- Big open problem: Efficient ABE for circuits.
  - Just like HE for circuits was open.
  - Note: Monotone circuits → general circuits.

15. ABE for Circuits using MMaps [GGHSW12]
- Setting: Given L = # levels; k = L+1; n-bit inputs; k-linear map: G_1, …, G_k; g_1, …, g_k.
- KeyGen: Random r_w ← F_p for each wire w in the circuit, except r_w = α for the output wire.
  - OR gate: Input wires x, y and output wire w at depth j. Choose random a_w, b_w in F_p. Give g_1^{a_w}, g_j^{r_w − a_w r_x}, g_1^{b_w}, g_j^{r_w − b_w r_y}.
  - AND gate: Give g_1^{a_w}, g_1^{b_w}, g_j^{r_w − a_w r_x − b_w r_y}.
  - There is also a Boneh-Boyen-type decryption key for the input wires.
- Decryption: Gate-by-gate to the output wire, compute g_{j+1}^{r_w s} for wires at depth j.
  - For input wires, use the Boneh-Boyen key to get g_2^{r_x s} for input x.
  - OR gate: e(g_j^{r_x s}, g_1^{a_w}) · e(g_1^{s}, g_j^{r_w − a_w r_x}) = g_{j+1}^{r_w s}. Output g_{j+1}^{r_w s}.
  - AND gate: similar.
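The (k+1)-partite key agreement of slide 12 and the OR/AND gate decryption of slide 15, checked with an added symbolic k-linear map (example code, not the talk's construction): each g_i^a is stored as the pair (level i, exponent a mod P), pairing multiplies exponents and adds levels, and nothing is hidden, which is exactly what a real graded encoding must add. The prime P and the gate wire values are constructed assumptions.

```python
# Added example, not from the slides: a symbolic k-linear map that stores
# g_i^a as (level i, exponent a mod P) to check the algebra of the [BS03]
# (k+1)-partite key agreement (slide 12) and of the GGHSW OR/AND gate
# decryption (slide 15). It hides nothing; a real graded encoding does.
from functools import reduce
import secrets

P = 2**61 - 1  # constructed prime group order (an assumption for the toy)

class Enc:
    """Level-i encoding of a, standing in for the group element g_i^a."""
    def __init__(self, level, a):
        self.level, self.a = level, a % P
    def __mul__(self, other):  # g_i^a * g_i^b = g_i^{a+b}, same level only
        assert self.level == other.level
        return Enc(self.level, self.a + other.a)

def pair(k, *encs):
    """e(g_{i1}^{a1},...,g_{it}^{at}) = g_{i1+..+it}^{a1*..*at}; levels must sum to <= k."""
    level = sum(e.level for e in encs)
    assert level <= k, "pairing would exceed the multilinearity level k"
    return Enc(level, reduce(lambda x, y: x * y % P, (e.a for e in encs), 1))

def key_agreement(k, a):
    """Party i pairs the other k broadcast level-1 encodings g_1^{a_j} and
    applies its own level-0 secret a_i; all must reach g_k^{a_1...a_{k+1}}."""
    assert len(a) == k + 1
    pub = [Enc(1, ai) for ai in a]
    keys = []
    for i, ai in enumerate(a):
        t = pair(k, *(pub[j] for j in range(k + 1) if j != i))
        keys.append(Enc(k, t.a * ai))
    return keys

def gate_key(j, gate, rw, rx, ry):
    """KeyGen pieces for one gate at depth j with input wires x, y."""
    aw, bw = secrets.randbelow(P), secrets.randbelow(P)
    if gate == "OR":
        return dict(aw=Enc(1, aw), kx=Enc(j, rw - aw * rx), bw=Enc(1, bw), ky=Enc(j, rw - bw * ry))
    return dict(aw=Enc(1, aw), bw=Enc(1, bw), kxy=Enc(j, rw - aw * rx - bw * ry))

def gate_decrypt(k, j, gate, key, s, x, y, rxs, rys):
    """From g_1^s and the true input wires' g_j^{r_x s}, g_j^{r_y s}, derive g_{j+1}^{r_w s}."""
    gs = Enc(1, s)
    if gate == "OR" and x:
        return pair(k, rxs, key["aw"]) * pair(k, gs, key["kx"])
    if gate == "OR" and y:
        return pair(k, rys, key["bw"]) * pair(k, gs, key["ky"])
    if gate == "AND" and x and y:
        return pair(k, rxs, key["aw"]) * pair(k, rys, key["bw"]) * pair(k, gs, key["kxy"])
    return None  # gate evaluates to 0: wire w gets no value
```

The random a_w, b_w cancel in every derivation, which is why the key pieces reveal nothing about r_w on their own, while a false input wire leaves the gate with no usable value.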

16. Summary of ABE for Circuits
- Now we have ABE for arbitrarily complex policies
- The scheme is quite simple.
- Ciphertexts are "succinct"
  - Do not grow with the size of the circuit.
  - Grow with the size of the input.
  - Grow with the depth of the circuit (due to our construction of mmaps)
- Security: based on k-linear DDH
- Interesting concurrent work:
  - [GVW13] ABE for circuits based on LWE

17. Witness Encryption
Can we encrypt a message so that it can be opened only by a recipient who knows a witness to an NP relation?
- Unlike ABE:
  - No "authority" in the system
  - No "secret key" per se
- Like a proof of the Riemann Hypothesis.
- Related concepts:
  - Rudich '89: Computational secret sharing for NP-complete access structures

18. Witness Encryption: Definition
- NP language L with witness relation R(·, ·)
- Encrypt(1^λ, x, M) → CT
- Correctness and Security (definitions shown as figures on the slide, not reproduced here)
- Notice the gap: no immediate security promises when x ∈ L.

19. Exact Cover Problem [Karp72]

20. Our WE Construction (for Exact Cover)

21. Limitations in Proving
- Suppose we have a black box reduction of WE to some non-interactive assumption. Either:
  - The assumption depends on the NP instance
  - The reduction uses enough computation to decide the relation R
- (Figure: decision problem family, "No Exact Cover")

22. Fun Application of WE: Public Key Enc with Super-Fast KeyGen

23. Proof Sketch for PKE Scheme
- PRG security → indistinguishable whether PK is a PRG output or truly random
- If PK is truly random, then x is not in L (with high probability), and we can rely on the soundness of the WE scheme

24. Multilinear Maps from Ideal Lattices

25. Cryptographic Multilinear Maps: Do They Exist?
- Boneh and Silverberg '03 say it's unlikely cryptographic m-maps can be constructed from abelian varieties: "We also give evidence that such maps might have to either come from outside the realm of algebraic geometry, or occur as 'unnatural' computable maps arising from geometry."
- Unnatural geometric maps: Why not the 'noisy' mappings of lattice-based crypto?

26. Overview of Our Noisy M-Maps
- Encoding: m → g_i^m (groups) becomes m → Enc_i(m) for us.
  - Enc_i(m) is a "level-i encoding of m".
  - Our encoding system builds on the NTRU encryption scheme.
- Zero test: For k-linear maps, we use a level-k zero tester to test equality of level-k encodings and extract keys.
- Repairs: Zero testers cause security issues to fix.
  - Certain aspects of the "message space" of our encodings must be kept secret.
  - Our params only enable encoding of random elements.
    - Sufficient for our ABE and WE applications.

27. Starting Point: the NTRU Cryptosystem

28. NTRU Cryptosystem: Encrypt, Decrypt
