Secure Distributed Computation on Private Inputs
David Pointcheval, ENS - CNRS - INRIA
Foundations & Practice of Security, Clermont-Ferrand, France, October 27th, 2015
The Cloud David Pointcheval Introduction 2 / 30
Access from Anywhere
Available for Everything
One can store documents, photos, etc., share them with colleagues, friends, family, process the data, and ask queries on the data.
With Current Solutions
The Cloud provider knows the content, and claims to actually identify users and apply access rights, safely store the data, securely process the data, and protect privacy.
But …
For economic reasons, by accident, or under attack: data can get deleted; any user can access the data; one can log all the connected users and all the queries, to analyze and sell/negotiate the information.
Requirements
Users need more: storage guarantees, and privacy guarantees (confidentiality of the data, anonymity of the users, obliviousness of the queries).
How to process users' queries?
FHE: The Killer Tool [Rivest-Adleman-Dertouzos - FOCS '78] [Gentry - STOC '09]
Fully Homomorphic Encryption allows to process encrypted data, and get the encrypted output.
(Figure: a circuit of AND/OR/NOT gates mapping inputs to outputs, and its encrypted counterpart, a circuit of EAND/EOR/ENOT gates mapping encrypted inputs to encrypted outputs.)
Outsourced Processing
(Figure: the user encrypts the inputs, the provider evaluates the encrypted circuit of EAND/EOR/ENOT gates, and the user decrypts the encrypted outputs.)
The provider gets no information about the input/output data.
Symmetric encryption (secret key) is enough.
Strong Privacy
(Figure: the encrypted inputs and the encrypted program are fed to a universal circuit of EAND/EOR/ENOT gates, which yields the encrypted outputs.)
The provider gets no information about the input/output data, nor about the program.
FHE: Ideal Solution?
Allows private storage. Allows private computations: private queries in an encrypted database, private « googling ».
The provider does not learn the content, the queries, nor the answers: privacy by design …
But each gate requires huge computations …
Confidentiality & Sharing
Encryption allows to protect data: the provider stores them without knowing them, but nobody else can access them either, except the owner. How to share them with friends?
Specific people have full access to some data: with public-key encryption for multiple recipients.
Specific people have partial access, such as statistics or aggregation of the data.
Broadcast Encryption [Fiat-Naor - Crypto '94]
The sender can select the target group of receivers. This allows to control who will access the data.
Functional Encryption [Boneh-Sahai-Waters - TCC '11]
The user generates sub-keys K_y according to the input y.
From C = Encrypt(x), Decrypt(K_y, C) outputs f(x, y).
This allows to control the amount of shared data.
Outline
Broadcast Encryption: efficient solutions for sharing data.
Functional Encryption: some recent efficient solutions for inner product.
Fully Homomorphic Encryption: despite recent improvements, this is still inefficient; with 2-party computation one can get an efficient alternative.
Multi-Party Computation
(Figure: several parties, each providing an input and receiving an output.)
Secure Multi-Party Computation. Ideally: each party gives its input and just learns its output, for any ideal functionality.
In practice: many interactions between the parties; latency too high over the Internet ……
Two-Party Computation
(Figure: one party holds x, the other holds y, and they compute z = f(x, y).)
General construction: Yao garbled circuits.
For a specific construction, such as f(x, y) = (x + y)^e mod n: quite inefficient.
Encryption Switching Protocols [Couteau-Peters-P - EPrint 2015/990]
f(x, y) = (x + y)^e mod n
With an additive encryption E+, a multiplicative encryption E×, and an interactive switch from c+ to c×:
Alice sends c+A = E+(x), and Bob sends c+B = E+(y).
They compute c = c+A ⊕ c+B = E+(x + y).
They run the interactive switch to get c' = E×(x + y).
They compute C = ⊗^e c' = E×((x + y)^e).
They run the interactive decryption to get z.
Homomorphic Encryption [Paillier - Eurocrypt '99]
Additive encryption on Z_n: Paillier encryption
Public key: n = pq
Secret key: d = [λ^{-1} mod n] × λ
Encryption: c = (1 + n)^m · r^n mod n^2
Decryption: m = [c^d − 1 mod n^2] / n
Additively homomorphic. Efficient interactive decryption.
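The Paillier variant on this slide, as an added example (not code from the talk): key generation with the single secret exponent d, encryption, the one-exponent decryption, and the ciphertext product that realises c+A ⊕ c+B = E+(x + y) in the switching protocol. The toy primes p = 47, q = 59 and the inputs are constructed for the demo.

```python
# Added example (not from the talk): Paillier exactly as parametrised on the
# slide, with the additive homomorphism the switching protocol relies on
# (c+A ⊕ c+B = E+(x + y)). Toy primes p = 47, q = 59 are constructed; real
# keys use 1024-bit+ primes.
import math
import secrets

def keygen(p, q):
    """Public key n = pq; secret key d = [lambda^-1 mod n] * lambda, lambda = lcm(p-1, q-1)."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, pow(lam, -1, n) * lam          # d = 0 mod lambda and d = 1 mod n

def encrypt(n, m):
    """c = (1 + n)^m * r^n mod n^2, with r a random unit mod n."""
    n2 = n * n
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2

def decrypt(n, d, c):
    """m = [c^d - 1 mod n^2] / n.

    c^d = (1+n)^(md) * r^(nd) mod n^2. r^(nd) = 1 because lambda | d and
    r^n has order dividing lambda in Z_{n^2}^*, while (1+n)^(md) =
    1 + (md mod n) * n = 1 + m*n because d = 1 mod n; dividing by n leaves m.
    """
    n2 = n * n
    return ((pow(c, d, n2) - 1) % n2) // n

def add(n, c1, c2):
    """c1 ⊕ c2: the product of two ciphertexts encrypts the sum of plaintexts mod n."""
    return (c1 * c2) % (n * n)

def demo():
    n, d = keygen(47, 59)                    # constructed toy key, n = 2773
    x, y = 2000, 1500                        # constructed inputs; x + y wraps around mod n
    return decrypt(n, d, add(n, encrypt(n, x), encrypt(n, y)))   # (2000 + 1500) mod 2773 = 727
```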
Homomorphic Encryption [ElGamal - IEEE TIT '85]
Multiplicative encryption on G: ElGamal encryption
Secret key: x ∈ Z_p
Public key: h = g^x
Encryption: c = (c_0 = g^r, c_1 = h^r · m)
Decryption: m = c_1 / c_0^x
Multiplicatively homomorphic. Efficient interactive decryption.
If n = pq, with safe primes p = 2p' + 1 and q = 2q' + 1:
Works for G = QR_n, under the DDH assumption in Z_p^* and Z_q^*
Works for G = J_n, under the additional QR assumption
But does not work in Z_n^* …
Encoding of Messages
Multiplicative encryption on Z_n^*: by encoding m ∈ Z_n^* into J_n
For n = pq, a generator g of J_n of order λ, and χ ∈ Z_n^* \ J_n, using the CRT:
χ = g^{t_p} mod p, for an even t_p: χ ∈ QR_p
χ = g^{t_q} mod q, for an odd t_q: χ ∉ QR_q
hence χ ∈ Z_n^* \ J_n
For m ∈ Z_n^*, a ∈_R {1, ..., n/2}, chosen so that χ^a · m ∈ J_n:
m_1 = g^a mod n and m_2 = χ^a · m
One gets α = χ^a mod n using the CRT:
From m_1, α = m_1^{t_p} mod p and α = m_1^{t_q} mod q
From m_2, one gets m = m_2 / α mod n
Homomorphic Encryption
Multiplicative encryption on Z_n^*: for n = pq
Secret key: x, t_p, t_q ∈ Z_λ
Public key: χ ∈ Z_n^* \ J_n, J_n = ⟨g⟩, h = g^x (ElGamal in J_n)
Encryption: encode m into (m_1 = g^a, m_2 = χ^a · m) ∈ J_n^2; encrypt m_2 under h, to get (c_0, c_1); the ciphertext is C = (c_0, c_1, m_1)
Decryption: decrypt (c_0, c_1) using x, to get m_2; convert m_1 = g^a into α = χ^a using the CRT; get m = m_2 / α mod n
Multiplicatively homomorphic. Efficient interactive decryption.
Efficient encryption switching protocols with the Paillier encryption.
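The encoding of the previous slide and the resulting multiplicative encryption on Z_n^*, as an added example (not code from the talk): ElGamal in J_n on m_2, with m_1 = g^a carried in the ciphertext and α = χ^a recovered by CRT from the secret t_p, t_q. The safe primes p = 47, q = 59 are constructed toy parameters, small enough that the discrete logs t_p, t_q in key generation can be brute-forced; the generator search and the parity rule for a are this example's way of meeting the slide's conditions.

```python
# Added example (not from the talk): the slide's multiplicative encryption on
# Z_n^*, i.e. ElGamal in J_n plus the (m_1, m_2) encoding. Toy safe primes
# p = 47, q = 59 (constructed) keep the brute-force logs in keygen instant.
import secrets

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n; 0 when gcd(a, n) > 1
    a, res = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            res = -res if n % 8 in (3, 5) else res
        a, n = n, a
        res = -res if a % 4 == 3 == n % 4 else res
        a %= n
    return res if n == 1 else 0

def keygen(p, q):
    """Public (n, g, chi, h) and secret (p, q, x, t_p, t_q), as on the slide."""
    pp, qq, n = (p - 1) // 2, (q - 1) // 2, p * q
    lam = 2 * pp * qq                                   # |J_n| = lambda = 2p'q'
    g = next(c for c in range(2, n) if jacobi(c, n) == 1                # generator of J_n:
             and all(pow(c, lam // f, n) != 1 for f in (2, pp, qq)))   # order exactly lambda
    chi = next(c for c in range(2, n) if jacobi(c, p) == 1 and jacobi(c, q) == -1)  # chi not in J_n
    t_p = next(t for t in range(p - 1) if pow(g, t, p) == chi % p)     # even: chi is a QR mod p
    t_q = next(t for t in range(q - 1) if pow(g, t, q) == chi % q)     # odd: chi is a non-QR mod q
    x = secrets.randbelow(lam - 1) + 1
    return (n, g, chi, pow(g, x, n)), (p, q, x, t_p, t_q)

def encode(pub, m):
    """m in Z_n^* -> (m_1, m_2) = (g^a, chi^a * m), both in J_n: a is odd iff (m/n) = -1."""
    n, g, chi, _ = pub
    a = 2 * secrets.randbelow(n // 4) + (1 if jacobi(m, n) == -1 else 2)   # a in {1, ..., n/2}
    return pow(g, a, n), (pow(chi, a, n) * m) % n

def encrypt(pub, m):  # C = (c_0, c_1, m_1): ElGamal on m_2 under h, m_1 in clear
    n, g, _, h = pub
    m1, m2 = encode(pub, m)
    r = secrets.randbelow(n) + 1
    return pow(g, r, n), (pow(h, r, n) * m2) % n, m1

def multiply(pub, C, D):  # component-wise product: encrypts m * m' mod n
    return tuple((u * v) % pub[0] for u, v in zip(C, D))
def power(pub, C, e):     # the "⊗^e" step: encrypts m^e mod n
    return tuple(pow(u, e, pub[0]) for u in C)

def decrypt(pub, sec, C):
    n, (p, q, x, t_p, t_q), (c0, c1, m1) = pub[0], sec, C
    m2 = (c1 * pow(pow(c0, x, n), -1, n)) % n                 # m_2 = c_1 / c_0^x
    a_p, a_q = pow(m1, t_p, p), pow(m1, t_q, q)               # alpha = chi^a mod p and mod q
    alpha = (a_p * q * pow(q, -1, p) + a_q * p * pow(p, -1, q)) % n   # CRT
    return (m2 * pow(alpha, -1, n)) % n                       # m = m_2 / alpha
```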
Two-Party Computation?
The two homomorphic encryption schemes, together with the encryption switching protocols: efficient two-party computation.
But only in the intersection of the plaintext spaces! Z_n ∩ Z_n^* = Z_n^*
Cannot deal with zero! But cannot avoid zero either during computations!
How to Handle Zero?
In order to multiplicatively encrypt m ∈ Z_n:
One defines b = 1 if m = 0, and b = 0 otherwise
One encrypts A = m + b mod n
One encrypts B = T^b mod n, for a random square T
One can note that A ∈ Z_n^* (unless m is a non-trivial multiple of p or q) and B ∈ QR_n ⇒ they can both be encrypted with appropriate ElGamal-like encryption
Multiplicatively homomorphic: 0 is absorbing in B
Encrypted Zero Test protocols: E+(m) → E+(b)