Secure Distributed Computation on Private Inputs

David Pointcheval, ENS - CNRS - INRIA
Foundations & Practice of Security, Clermont-Ferrand, France, October 27th, 2015

Introduction

[2/30] The Cloud

[3/30] Access from Anywhere

[4/30] Available for Everything
One can:
- store documents, photos, etc.
- share them with colleagues, friends, family
- process the data
- ask queries on the data

[5/30] With Current Solutions
The Cloud provider knows the content and claims to:
- actually identify users and apply access rights
- safely store the data
- securely process the data
- protect privacy

[6/30] But
For economical reasons, by accident, or because of attacks:
- data can get deleted
- any user can access the data
- one can log all the connected users and all the queries, to analyze and sell/negotiate the information

[7/30] Requirements
Users need more:
- storage guarantees
- privacy guarantees: confidentiality of the data, anonymity of the users, obliviousness of the queries
How to process users' queries?

Some Approaches

[8/30] FHE: The Killer Tool [Rivest-Adleman-Dertouzos - FOCS 78] [Gentry - STOC 09]
Fully Homomorphic Encryption allows to process encrypted data and get the encrypted output.
(Diagram: a circuit of AND, OR and NOT gates over the inputs becomes a circuit of EAND, EOR and ENOT gates over the encrypted inputs, producing the encrypted outputs.)

[9/30] Outsourced Processing
(Diagram: the inputs are encrypted, evaluated through the encrypted circuit, and the encrypted outputs are decrypted back into the outputs.)
- No information about the input/output data
- Symmetric encryption (secret key) is enough

[10/30] Strong Privacy
(Diagram: encrypted inputs and an encrypted program are fed to a universal circuit, which yields the encrypted outputs.)
- No information about the input/output data, nor about the program

[11/30] FHE: Ideal Solution?
- Allows private storage
- Allows private computations: private queries in an encrypted database, private "googling"
- The provider does not learn the content, the queries, or the answers: privacy by design
- But each gate requires huge computations

[12/30] Confidentiality & Sharing
Encryption allows to protect data:
- the provider stores them without knowing them
- nobody can access them either, except the owner
How to share them with friends?
- Specific people have full access to some data: with public-key encryption for multiple recipients
- Specific people have partial access, such as statistics or aggregation of the data

[13/30] Broadcast Encryption [Fiat-Naor - Crypto 94]
The sender can select the target group of receivers. This allows to control who will access the data.

[14/30] Functional Encryption [Boneh-Sahai-Waters - TCC 11]
The user generates sub-keys K_y according to the input y. From C = Encrypt(x), Decrypt(K_y, C) outputs f(x, y). This allows to control the amount of shared data.

[15/30] Outline
- Broadcast Encryption: efficient solutions for sharing data
- Functional Encryption: some recent efficient solutions for inner product
- Fully Homomorphic Encryption: despite recent improvements, this is still inefficient; with 2-party computation one can get an efficient alternative

MPC

[16-17/30] Multi-Party Computation
(Diagram: each party contributes an input and receives an output.)
Secure Multi-Party Computation. Ideally: each party gives its input and just learns its output, for any ideal functionality. In practice: many interactions between the parties, and the latency is too high over the Internet.

2-PC

[18/30] Two-Party Computation
Alice holds x, Bob holds y, and they want z = f(x, y).
General construction: Yao garbled circuits. For a specific function this is quite inefficient, e.g. f(x, y) = (x + y)^e mod n.

[19/30] Encryption Switching Protocols [Couteau-Peters-P. - ePrint 2015/990]
Target: f(x, y) = (x + y)^e mod n. With an additive encryption E+, a multiplicative encryption E× and an interactive switch from c+ to c×:
- Alice sends c+_A = E+(x), and Bob sends c+_B = E+(y)
- They compute c+ = c+_A · c+_B = E+(x + y)
- They run the interactive switch to get c× = E×(x + y)
- They compute C = (c×)^e = E×((x + y)^e)
- They run the interactive decryption to get z

[20/30] Homomorphic Encryption [Paillier - Eurocrypt 99]
Additive encryption on Z_n: Paillier encryption
- Public key: n = pq
- Secret key: d = [ 1 mod n]
- Encryption: c = (1 + n)^m · r^n mod n^2
- Decryption: m = [c^d − 1 mod n^2] / n
- Additively homomorphic
- Efficient interactive decryption

[21/30] Homomorphic Encryption [ElGamal - IEEE TIT 85]
Multiplicative encryption on a group G: ElGamal encryption
- Secret key: x ∈ Z_p
- Public key: h = g^x
- Encryption: c = (c_0 = g^r, c_1 = h^r · m)
- Decryption: m = c_1 / c_0^x
- Multiplicatively homomorphic
- Efficient interactive decryption
If n = pq, with safe primes p = 2p' + 1 and q = 2q' + 1:
- works for G = n, under the DDH in Z_p and Z_q
- works for G = J_n, under the additional QR assumption
- but does not work in Z_n^*

[22/30] Encoding of Messages
Multiplicative encryption on Z_n^*: by encoding m.
For n = pq, take a fixed element of Z_n^* \ J_n and a generator g of J_n; with the CRT the element is written as
- g^{t_p} mod p, for an even t_p (so it is a square mod p)
- g^{t_q} mod q, for an odd t_q (so it is a non-square mod q)
hence it lies in Z_n^* \ J_n.
For m ∈ Z_n^*, pick a ∈_R {1, ..., n/2} so that (element)^a · m ∈ J_n, and set m_1 = g^a mod n and m_2 = (element)^a · m.
From m_1, one gets (element)^a mod n using the CRT: m_1^{t_p} mod p and m_1^{t_q} mod q.
From m_2, one gets m = m_2 / (element)^a mod n.

[23/30] Homomorphic Encryption
Multiplicative encryption on Z_n^*, for n = pq:
- Secret key: x, t_p, t_q ∈ Z
- Public key: the element of Z_n^* \ J_n, J_n = ⟨g⟩, h = g^x (ElGamal in J_n)
- Encryption: encode m into (m_1 = g^a, m_2 = (element)^a · m) ∈ J_n^2, and encrypt m_2 under h to get (c_0, c_1); the ciphertext is C = (c_0, c_1, m_1)
- Decryption: decrypt (c_0, c_1) using x to get m_2; convert m_1 = g^a into (element)^a using the CRT; get m = m_2 / (element)^a mod n
- Multiplicatively homomorphic
- Efficient interactive decryption
- Efficient encryption switching protocols with the Paillier encryption
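The J_n encoding and the multiplicative ElGamal of slides 22-23, worked through in Python as an added example (not code from the talk or its authors). It assumes constructed toy safe primes p = 23 and q = 59, fixes g = −5^2 as the generator of J_n, names the Z_n^* \ J_n element chi with t_p and t_q as the secret CRT exponents, and adds a mul function for the componentwise homomorphic product.

```python
# Added example, not code from the slides: multiplicative ElGamal on all of Z_n^*
# via the J_n encoding of slides 22-23, over constructed toy safe primes (p = 2*11+1, q = 2*29+1).
import random

p, q = 23, 59
n = p * q
def jacobi(a, m):
    """Jacobi symbol (a/m) for odd m > 0: public, needs no factorisation."""
    a, res = a % m, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if m % 8 in (3, 5): res = -res
        a, m = m, a
        if a % 4 == 3 and m % 4 == 3: res = -res
        a %= m
    return res if m == 1 else 0
def crt(rp, rq):
    """Lift residues mod p and mod q to Z_n (secret-key side only)."""
    return (rp * q * pow(q, -1, p) + rq * p * pow(p, -1, q)) % n

# g generates J_n: -1 (a non-square mod both p and q) times a generator of the squares.
g = (-pow(5, 2, n)) % n
# Secret exponents: t_p even, t_q odd, so chi = (g^t_p mod p, g^t_q mod q) is a square
# mod p but not mod q, i.e. chi lies in Z_n^* \ J_n; chi, g and h = g^x are public.
x = random.randrange(1, n)
t_p, t_q = 2 * random.randrange(1, (p - 1) // 2), 2 * random.randrange(0, (q - 1) // 2) + 1
chi = crt(pow(g, t_p, p), pow(g, t_q, q))
h = pow(g, x, n)

def encode(m):
    """m in Z_n^* -> (m1 = g^a, m2 = chi^a m); the parity of a puts m2 in J_n."""
    a = random.randrange(1, n // 2)
    if (a % 2 == 0) != (jacobi(m, n) == 1): a += 1
    return pow(g, a, n), pow(chi, a, n) * m % n
def decode(m1, m2):
    """Recover chi^a from m1 = g^a with the CRT exponents, then m = m2 / chi^a."""
    chi_a = crt(pow(m1, t_p, p), pow(m1, t_q, q))
    return m2 * pow(chi_a, -1, n) % n

def encrypt(m):                     # ciphertext (c0, c1, m1), as on slide 23
    m1, m2 = encode(m)
    r = random.randrange(1, n)
    return pow(g, r, n), pow(h, r, n) * m2 % n, m1
def decrypt(c):
    c0, c1, m1 = c
    return decode(m1, c1 * pow(pow(c0, x, n), -1, n) % n)

def mul(c, d):                      # componentwise: g^{a+a'}, h^{r+r'} chi^{a+a'} m m'
    return tuple(u * v % n for u, v in zip(c, d))
```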

[24/30] Two-Party Computation?
The two homomorphic encryption schemes, together with the encryption switching protocols, give efficient two-party computation. But only in the intersection of the plaintext spaces: Z_n ∩ Z_n^* = Z_n^*. Cannot deal with zero! But cannot avoid zero either during computations!

[25/30] How to Handle Zero?
In order to multiplicatively encrypt m ∈ Z_n:
- one defines b = 1 if m = 0, and b = 0 otherwise
- one encrypts A = m + b mod n
- one encrypts B = T^b mod n, for a random square T, with an appropriate ElGamal-like encryption
One can note that A ∈ Z_n^* unless m is a non-trivial multiple of p or q, and that B is a square mod n, so they can both be encrypted.
Multiplicatively homomorphic: 0 is absorbing in B.
Encrypted Zero Test protocols: E+(m) → E+(b).

[26/30] Set Disjointness Testing
Alice's friends: A = {a_1, ..., a_m}. Bob's friends: B = {b_1, ..., b_n}. Is A ∩ B = ∅?
- Alice computes P(X) = ∏_i (X − a_i) = Σ_i A_i X^i, and sends C_i = E+(A_i)
- Bob computes B_j = E+(P(b_j)) = ∏_i C_i^{b_j^i}
- They switch to B'_j = E×(P(b_j))
- They compute C = E×(∏_j P(b_j)) = ∏_j B'_j
- They decrypt C: c = ∏_j P(b_j) = ∏_j ∏_i (b_j − a_i), and c = 0 if and only if A ∩ B ≠ ∅

Advanced 2-PC

[27/30] Outsourced Computations
(Diagram: the user's encrypted inputs are processed by two servers holding sk_a and sk_b, and the encrypted outputs come back to the user.)
- The user possesses n = pq
- The user gives the shares to 2 independent servers
- No information about the input/output data
- Interactive Fully Homomorphic Encryption

[28/30] Homomorphic Encryption [Bresson-Catalano-P. - Asiacrypt 03]
Additive encryption on Z_n: BCP encryption
- Parameters: n = pq and a square g ∈ Z_{n^2}^*
- Secret key: x ∈ Z_{nλ(n)}
- Public key: h = g^x mod n^2
- Encryption: c_0 = g^r mod n^2, for r ∈ [1..n^2/2], and c_1 = h^r · (1 + mn) mod n^2
- Decryption: m = [c_1 / c_0^x − 1 mod n^2] / n
Alternatively, with λ(n) and x_0 = x mod n (where x = x_0 + n·x_1):
c_1 / c_0^{x_0} = g^{(x − x_0) r} · (1 + mn) = (g^{r x_1})^n · (1 + mn) = u^n · (1 + n)^m mod n^2

[29/30] Multi-User Setting
- The two independent servers share the Paillier secret key for n = pq and set up a BCP scheme
- The servers can convert BCP ciphertexts into Paillier ciphertexts, and run the 2-party protocol
- The servers can convert a Paillier ciphertext into a BCP ciphertext for a specific user
Secure efficient outsourced computations. More servers can be used: unless all the servers are corrupted, privacy is guaranteed.
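Paillier (slide 20), BCP (slide 28) and the BCP-to-Paillier conversion behind slide 29, worked through in Python as an added example (not the talk's own code). It uses constructed toy primes p = 23, q = 59, and assumes the Paillier secret d is the CRT element that is 1 mod n and 0 mod λ(n), which is what makes the decryption [c^d − 1 mod n^2]/n of slide 20 work; the function names are mine.

```python
# Added example, not code from the slides: Paillier (slide 20), BCP (slide 28) and the
# BCP-to-Paillier conversion of slide 29 over constructed toy primes p = 23, q = 59.
# Assumption: the Paillier secret d is the CRT element with d = 1 mod n and d = 0 mod lambda(n),
# which is what makes the slide's decryption [c^d - 1 mod n^2] / n work.
import random
from math import gcd, lcm

p, q = 23, 59
n, n2 = p * q, (p * q) ** 2
lam = lcm(p - 1, q - 1)                      # lambda(n); gcd(n, lam) = 1 for these primes

def rand_unit(bound):
    """Random integer in [1, bound) coprime with n."""
    while True:
        r = random.randrange(1, bound)
        if gcd(r, n) == 1:
            return r

# Paillier: public n, secret d with d = 1 mod n and d = 0 mod lam.
d = lam * pow(lam, -1, n) % (n * lam)

def paillier_encrypt(m):                     # c = (1+n)^m r^n mod n^2
    return pow(1 + n, m, n2) * pow(rand_unit(n), n, n2) % n2

def paillier_decrypt(c):                     # r^{nd} = 1 and (1+n)^{md} = (1+n)^m = 1 + mn
    return (pow(c, d, n2) - 1) // n

def paillier_add(c1, c2):                    # E+(m1) E+(m2) = E+(m1 + m2)
    return c1 * c2 % n2

# BCP: square g in Z_{n^2}^*, secret x in Z_{n*lam}, public h = g^x mod n^2.
g = pow(rand_unit(n2), 2, n2)
x = random.randrange(1, n * lam)
h = pow(g, x, n2)

def bcp_encrypt(m):                          # (c0, c1) = (g^r, h^r (1 + mn)) mod n^2
    r = random.randrange(1, n2 // 2)
    return pow(g, r, n2), pow(h, r, n2) * (1 + m * n) % n2

def bcp_decrypt(c0, c1):                     # user side, with the full x
    t = c1 * pow(pow(c0, x, n2), -1, n2) % n2
    return (t - 1) // n

def bcp_to_paillier(c0, c1, x0):
    """Server side, knowing only x0 = x mod n: c1 / c0^x0 = u^n (1+n)^m, a Paillier ciphertext."""
    return c1 * pow(pow(c0, x0, n2), -1, n2) % n2
```

The converted value can then be combined with ordinary Paillier ciphertexts and decrypted with d, which is the step the two servers of slide 29 rely on.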

[30/30] Conclusion
Threat: however strong the trustfulness of the Cloud provider may be, any system or human vulnerability can be exploited against privacy.
Privacy by design: tools to limit data access. The provider is just trusted to store the data (which can be controlled) and to process and answer any request (or DoS).