An OT Protocol (for passive corruption)
  Using an (unlinkable) rerandomizable encryption scheme
  Receiver (input b) picks (PK, SK). Sends PK and E(0), E(1) in a suitable order: c_b = E(1), c_{1-b} = E(0)
  Sender (inputs x_0, x_1) "multiplies" c_i with x_i: 1*c := ReRand(c), 0*c := E(0). Sends z_0 = x_0 * c_0, z_1 = x_1 * c_1
  Receiver outputs x_b = D(z_b)
  [Figure: Receiver -> Sender: PK, c_0, c_1. Sender -> Receiver: z_0, z_1. Receiver computes x_b = D(z_b).]
  Simulation for passive-corrupt receiver: set z_b = E(x_b) and z_{1-b} = E(0)
  Simulation for passive-corrupt sender: extract x_0, x_1 from its input; set c_0, c_1 to be, say, E(1)
Private Information Retrieval
  Setting: A server holds a large vector of values ("database"). Client wants to retrieve the value at a particular index i
  Client wants privacy against an honest-but-curious server
  Server has no security requirements
  Trivial solution: Server sends the entire vector to the client
  PIR: to do it with significantly less communication
  Variant (we don't look at): multiple-server PIR, with non-colluding servers
  Tool: Homomorphic encryption over the message space
    When message space is Z_n: additively homomorphic encryption
Paillier's Scheme
  Uses Z_{n^2}^* ≅ Z_n × Z_n^*, n = pq, p, q primes within 2x of each other (to ensure gcd(n, φ(n)) = 1)
  Isomorphism: ψ(a, b) = g^a b^n (mod n^2) where g = (1+n)
  Enc(m) = ψ(m, r) for m in Z_n and a random r in Z_n^*
    ψ can be efficiently inverted if p, q known
  (Additive) Homomorphism: Enc(m).Enc(m') is Enc(m+m')
    ψ(m, r).ψ(m', r') = ψ(m+m', r.r'), with the product taken in Z_{n^2}^*, m+m' in Z_n and r.r' in Z_n^*
  IND-CPA secure under the "Decisional Composite Residuosity" assumption: Given n = pq (but not p, q), ψ(0, rand) looks random (i.e. like ψ(rand, rand))
  Unlinkability: ReRand(c) = c.Enc(0)
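How ψ is inverted with the secret key, as an added derivation that is not on the slide. It uses λ = lcm(p−1, q−1) and the function L(u) = (u−1)/n on integers u ≡ 1 (mod n):

$$
\begin{aligned}
&(1+n)^k \equiv 1 + kn \pmod{n^2} \quad\text{(binomial theorem; every higher term contains } n^2\text{)}\\
&r^{n\lambda} \equiv 1 \pmod{n^2}\ \text{for } r \in \mathbb{Z}_n^*,\ \text{since } \mathbb{Z}_{n^2}^* \cong \mathbb{Z}_{p^2}^* \times \mathbb{Z}_{q^2}^* \text{ has exponent } \operatorname{lcm}\big(p(p-1),\,q(q-1)\big) \mid n\lambda\\
&c = \psi(m,r) \;\Rightarrow\; c^{\lambda} \equiv (1+n)^{m\lambda}\, r^{n\lambda} \equiv 1 + m\lambda n \pmod{n^2}\\
&L\!\left(c^{\lambda} \bmod n^2\right) \equiv m\lambda \pmod n
\;\Rightarrow\; m = L\!\left(c^{\lambda} \bmod n^2\right)\cdot \lambda^{-1} \bmod n,
\quad\text{where } \lambda^{-1} \bmod n \text{ exists because } \lambda \mid \varphi(n) \text{ and } \gcd(n,\varphi(n)) = 1\\
&r^{n} \equiv c\,(1+n)^{-m} \equiv c\,(1 - mn) \pmod{n^2}
\;\Rightarrow\; r = \left(r^{n} \bmod n\right)^{\,n^{-1} \bmod \lambda} \bmod n,
\quad\text{using } r^{\lambda} \equiv 1 \pmod n
\end{aligned}
$$

The last line is the "and r" half of inverting ψ; decryption alone stops at m. Without p, q one cannot form λ, which is exactly where the DCR assumption enters: deciding whether c is of the form ψ(0, r) = r^n is what the distinguisher would have to do.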
Private Information Retrieval
  Using additive homomorphic encryption (need not be unlinkable)
  Client sends some encrypted representation of the index (need CPA security here)
  Server operates on the entire database using this encryption (homomorphically), so that the message in the resulting encrypted data has the relevant answer (and maybe more). It sends this (short) encrypted data to the client, who decrypts to get the answer (depends on correctness here)
  In the following: database values are integers in [0, m); homomorphic encryption over a group with an element 1 s.t. ord(1) ≥ m. For integer x and ciphertext c, define x*c using "repeated doubling": 0*c = E(0); 1*c = c; (a+b)*c = Add(a*c, b*c). (For Paillier, can use exponentiation: x*c = c^x mod n^2.)
Private Information Retrieval
  [Figure: one-dimensional PIR over a database column x_1, x_2, ..., x_N. Client with index i sends the encrypted unit vector E(0), ..., E(1) (at position i), ..., E(0). Server computes x_j * E(e_j) for every j, obtaining E(0), ..., E(x_i), ..., E(0), and adds these homomorphically [+] to get a single ciphertext E(x_i). Client decrypts (Dec) to obtain x_i.]
  Server communication is very short. But client communication is larger than the db!
Private Information Retrieval
  [Figure: two-dimensional PIR. Database arranged as an N × N matrix with rows x_11 ... x_1N; ...; x_i1 ... x_ij ... x_iN; ...; x_N1 ... x_NN. Client sends the encrypted unit vector selecting row i: E(0), ..., E(1), ..., E(0). Server multiplies each row by its selector and adds column-wise; every row other than i contributes encryptions of 0, so the result is row i encrypted: E(x_i1), ..., E(x_ij), ..., E(x_iN).]
  To get only x_ij: Use PIR again! Client sends a second encrypted unit vector 0 .. 1 .. 0 selecting column j; the server runs the sub-PIR over the row of ciphertexts, considering (first-level) ciphertext as plaintext for the sub-PIR. Can chop ciphertexts into smaller blocks. The server returns an encryption of E(x_ij); the client decrypts twice to get x_ij.
  Recurse? Exponential in recursion depth
Private Information Retrieval
  Can dramatically improve efficiency if we have an efficient "recursive" homomorphic encryption scheme
    Ciphertext in one level is plaintext in the next level
      In Paillier, the public key (i.e., n) fixes the group for the homomorphic operation (i.e., Z_n)
    Ciphertext size increases only "additively" from level to level
      In Paillier, the size of a ciphertext is about double that of the plaintext. (Note: can't use "hybrid encryption" if the homomorphic property is to be preserved.)
  Does such a family of encryption schemes exist?
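Why the recursion is "exponential in depth" with Paillier and only polynomial with additive ciphertext growth, as an added cost sketch that is not on the slides. Take a database of M entries of at most |n| bits, viewed as a d-dimensional array of side N = M^{1/d}, and let ℓ_k be the bit-length of a level-k answer (ℓ_0 = |n|); at each level the client uploads one encrypted unit vector of length N:

$$
\begin{aligned}
\text{client} &= \sum_{k=1}^{d} N \cdot (\text{query ciphertext size at level } k), \qquad \text{server} = \ell_d\\[4pt]
\text{Paillier, same key at every level, answers chopped into } |n|\text{-bit blocks:}\quad
&\ell_k = 2\,\ell_{k-1} = 2^{k}|n|,\qquad \text{total} \approx 2dN|n| + 2^{d}|n| \quad (\text{exponential in } d)\\[4pt]
\text{additive growth (level-}k\text{ plaintext } k|n| \text{ bits, ciphertext } (k+1)|n| \text{ bits):}\quad
&\ell_k = \ell_{k-1} + |n| = (k+1)|n|,\qquad \text{total} \approx N|n|\sum_{k=1}^{d}(k+1) + (d+1)|n| = N|n|\,\frac{d(d+3)}{2} + (d+1)|n| \quad (\text{polynomial in } d)
\end{aligned}
$$

With additive growth the depth can be taken as large as d ≈ log₂ M, so that N = M^{1/d} is a constant and the total communication is polylogarithmic in M; with doubling, the 2^d term forces a small d and the cost stays polynomial in M.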
Damgård-Jurik Scheme
  Uses Z_{n^{s+1}}^* ≅ Z_{n^s} × Z_n^*, n = pq, p, q primes within 2x of each other