Chloé Hébant
Decentralized Computing over Encrypted Data
Decentralization
Fully Homomorphic Encryption Gentry 2009
[Diagram: inputs $x_1, \dots, x_n$ are encrypted, a function $f$ is evaluated on the ciphertexts to obtain an encryption of $f(x_1, \dots, x_n)$, and decryption returns $f(x_1, \dots, x_n)$.]
Fully Homomorphic Encryption
[Diagram: the same pipeline, where the encryption of $f(x_1, \dots, x_n)$ additionally passes through re-encryption by a distributed controller.]
Distribution + No authority
Decentralization
Decentralization
→ Efficient decentralized key generation
This talk:
Decentralized Re-encryption for a Quadratic Scheme
1. Example of application
2. Encryption scheme for quadratic multivariate polynomials
3. Decentralized scheme
Outline
Group Testing
Motivation: Group Testing
[Figure, built up over slides 8 to 13: a group-testing example with a binary matrix (rows such as 1 1 0 0 1 0 and 1 0 1 0 1 1), the bit strings 1 0 1 1 and 1 0 1 1 0 0, and an OR operation. On the last two slides the bits are replaced by a matrix $(x_{ij})$ and a vector $(y_1, y_2, \dots, y_n)$, and the outputs $F_i$ are written in terms of $x_{ij}$ and $y_j$, then in terms of $x_{ij}$ and $(1 - y_j)$.]
2-DNF on Encrypted Data
$x_1, \dots, x_n \in \{0,1\}$
2-DNF: $\bigvee_{i=1}^{m} (\ell_{i,1} \wedge \ell_{i,2})$ with $\ell_{i,1}, \ell_{i,2} \in \{x_1, \dots, x_n\} \cup \{\bar{x}_1, \dots, \bar{x}_n\}$
Multivariate polynomial degree 2: $\sum_{i=1}^{m} (y_{i,1} \cdot y_{i,2})$ with
$y_{i,j} = \ell_{i,j}$ if $\ell_{i,j} \in \{x_1, \dots, x_n\}$
$y_{i,j} = 1 - \ell_{i,j}$ if $\ell_{i,j} \in \{\bar{x}_1, \dots, \bar{x}_n\}$
Encryption Scheme
• BGN 2005
• Freeman 2010
• Our Scheme
• Multi-user setting
• Efficient distributed decryption
• Efficient distributed re-encryption
• Decentralized key generation
The Encryption Scheme
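Notations
$a \in \mathbb{Z}_p$, $[a]_s = g_s^{a}$, $\mathbb{G}_s = \langle g_s \rangle$
$e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
$\mathbf{x} = (x_1, \dots, x_n) \in \mathbb{Z}_p^n$, $[\mathbf{x}]_s = (g_s^{x_1}, \dots, g_s^{x_n})$
$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \otimes \mathbf{B} = \begin{pmatrix} a_{11} \cdot \mathbf{B} & a_{12} \cdot \mathbf{B} \\ a_{21} \cdot \mathbf{B} & a_{22} \cdot \mathbf{B} \end{pmatrix}$
$[\mathbf{a}]_1 \bullet [\mathbf{b}]_2 = [\mathbf{a} \otimes \mathbf{b}]_T$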
The Encryption Scheme
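Keygen
$\mathbf{U}_2 = \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}$, $\mathbf{B}_s \in \mathrm{GL}_2(\mathbb{Z}_p)$
Projection: $\mathbf{P}_s = \mathbf{B}_s^{-1} \mathbf{U}_2 \mathbf{B}_s$
$\mathrm{sk}_s = \mathbf{P}_s$
$\mathbf{p}_s \in \ker \mathbf{P}_s = \{\mathbf{p} : \mathbf{p} \cdot \mathbf{P}_s = (0 \;\; 0)\}$
$\mathrm{pk}_s = [\mathbf{p}_s]_s \Rightarrow [\mathbf{p}_s]_s \cdot \mathbf{P}_s = [(0 \;\; 0)]_s$
• Keygen:
  • $\mathrm{sk}_s = \mathbf{P}_s = \mathbf{B}_s^{-1} \mathbf{U}_2 \mathbf{B}_s$, $\mathrm{sk}_T = (\mathrm{sk}_1, \mathrm{sk}_2)$
  • $\mathrm{pk}_s = [\mathbf{p}_s]_s \Rightarrow [\mathbf{p}_s]_s \cdot \mathbf{P}_s = [\mathbf{0}]_s$, $\mathrm{pk}_T = (\mathrm{pk}_1, \mathrm{pk}_2)$
• Encrypt:
  • $C_s = ([\mathbf{c}_{s,1}]_s, [\mathbf{c}_{s,2}]_s) = (m \cdot [\mathbf{a}_s]_s + r \cdot [\mathbf{p}_s]_s,\ [\mathbf{a}_s]_s)$, $r \xleftarrow{\$} \mathbb{Z}_p$
  • $C_T = ([\mathbf{c}_{T,1}]_T, [\mathbf{c}_{T,2}]_T) = (m \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 + [\mathbf{p}_1]_1 \bullet [\mathbf{r}_2]_2 + [\mathbf{r}_1]_1 \bullet [\mathbf{p}_2]_2,\ [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2)$, $[\mathbf{r}_1]_1 \xleftarrow{\$} \mathbb{G}_1^2$, $[\mathbf{r}_2]_2 \xleftarrow{\$} \mathbb{G}_2^2$
  (the terms built from $\mathbf{p}_s$ are $\in \ker(\mathbf{P}_s)$, respectively $\in \ker(\mathbf{P}_1 \otimes \mathbf{P}_2)$)
• Decrypt:
  • $C_s \cdot \mathbf{P}_s = (m \cdot [\mathbf{a}_s]_s \cdot \mathbf{P}_s + [\mathbf{0}]_s,\ [\mathbf{a}_s]_s \cdot \mathbf{P}_s)$
  • $C_T \cdot (\mathbf{P}_1 \otimes \mathbf{P}_2) = (m \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 \cdot (\mathbf{P}_1 \otimes \mathbf{P}_2) + [\mathbf{0}]_T,\ [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 \cdot (\mathbf{P}_1 \otimes \mathbf{P}_2))$
The Homomorphic Properties
• Add: Many times
  • $[\mathbf{c}_s]_s + [\mathbf{c}'_s]_s = (m + m') \cdot [\mathbf{a}_s]_s + (r + r') \cdot [\mathbf{p}_s]_s$
  • $[\mathbf{c}_T]_T + [\mathbf{c}'_T]_T = (m + m') \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 + [\mathbf{p}_1]_1 \bullet [\mathbf{r}_2 + \mathbf{r}'_2]_2 + [\mathbf{r}_1 + \mathbf{r}'_1]_1 \bullet [\mathbf{p}_2]_2$
• Multiply: Once
  • $[\mathbf{c}_1]_1 \bullet [\mathbf{c}_2]_2 = m_1 \cdot m_2 \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 + [\mathbf{p}_1]_1 \bullet [\mathbf{r}']_2 + [\mathbf{r}]_1 \bullet [\mathbf{p}_2]_2$
  with $[\mathbf{r}]_1 = [m_1 r_2 \mathbf{a}_1]_1$ and $[\mathbf{r}']_2 = [m_2 r_1 \mathbf{a}_2 + r_1 r_2 \mathbf{p}_2]_2$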
Re-Encryption
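[Diagram: two key pairs (sk, pk) and a re-encryption key rk leading from the first key to the second.]
$\mathbf{P} = \mathbf{B}^{-1} \mathbf{U}_2 \mathbf{B}$, $\mathbf{P}' = \mathbf{B}'^{-1} \mathbf{U}_2 \mathbf{B}'$
$\mathbf{R} = \mathbf{B}^{-1} \mathbf{B}'$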
Problem
• Distributed decryption and re-encryption?
  • Yes, with distributed keys
• Decentralized key generation?
  • No …
$\mathbf{P}_s = \mathbf{B}_s^{-1} \mathbf{U}_2 \mathbf{B}_s$ with $\mathbf{U}_2 = \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}$
Simplification
$\mathbf{P}_s = \begin{pmatrix} 1 & 0 \\ x & 0 \end{pmatrix}$
$[\mathbf{p}_s]_s = [(-x \;\; 1)]_s$
→ Size of the keys: $\mathrm{sk}_s = x$, $\mathrm{pk}_s = [-x]_s$
→ Size of the ciphertexts: with $[\mathbf{a}_s]_s = [(1 \;\; 0)]_s$,
$C_s \in \mathbb{G}_s^2 \times \mathbb{G}_s^2 \to C_s \in \mathbb{G}_s^2$
$C_T \in \mathbb{G}_T^4 \times \mathbb{G}_T^4 \to C_T \in \mathbb{G}_T^4$
• Keygen:
  • $\mathrm{sk}_s = x$, $\mathrm{sk}_T = (\mathrm{sk}_1, \mathrm{sk}_2)$
  • $\mathrm{pk}_s = [-x]_s$, $\mathrm{pk}_T = (\mathrm{pk}_1, \mathrm{pk}_2)$
• Encrypt:
  • $C_s = (g_s^{m} \cdot \mathrm{pk}_s^{r},\ g_s^{r})$, $r \xleftarrow{\$} \mathbb{Z}_p$
  • $C_T = (c_{T,1}, c_{T,2}, c_{T,3}, c_{T,4})$ with
    $c_{T,1} = e(g_1, g_2)^{m} \cdot e(g_1, \mathrm{pk}_2)^{r_{11}} \cdot e(\mathrm{pk}_1, g_2)^{r_{21}}$
    $c_{T,2} = e(g_1, g_2)^{r_{11}} \cdot e(\mathrm{pk}_1, g_2)^{r_{22}}$
    $c_{T,3} = e(g_1, \mathrm{pk}_2)^{r_{12}} \cdot e(g_1, g_2)^{r_{21}}$
    $c_{T,4} = e(g_1, g_2)^{r_{12} + r_{22}}$
    $(r_{11}, r_{12}, r_{21}, r_{22}) \xleftarrow{\$} \mathbb{Z}_p^4$
• Decrypt:
  • $c_{s,1} \cdot c_{s,2}^{\mathrm{sk}_s}$
  • $c_{T,1} \cdot c_{T,2}^{\mathrm{sk}_2} \cdot c_{T,3}^{\mathrm{sk}_1} \cdot c_{T,4}^{\mathrm{sk}_1 \cdot \mathrm{sk}_2}$
The Optimized Encryption Scheme
Decentralization
Decentralization: 1) Decentralized Key Generation
• $n$ points $(x_1, y_1), \dots, (x_n, y_n)$ with distinct abscissa
• Theorem (Lagrange interpolation): $\exists!\, P$ s.t. $\deg P = n - 1$ and $P(x_i) = y_i$
• Shamir Secret Sharing:
  • $\mathrm{sk} = x = P(0)$, $\mathrm{pk} = g^{x}$
  • $\mathrm{sk}_i = P(i)$ for $i = 1 \dots N$
• For any subset $S$ of $n$ indices:
  $x = \sum_{i \in S} \lambda_{S,i}\, \mathrm{sk}_i$
  $y = \prod_{i \in S} v_i^{\lambda_{S,i}}$ for $v_i = g^{\mathrm{sk}_i}$
Shamir Secret Sharing 1979
Decentralization: 2) Distributed Re-Encryption
• $c_s = (c_{s,1}, c_{s,2})$ under $\mathrm{pk}_s$ → $C_s = (C_{s,1}, C_{s,2})$ under $\mathrm{PK}_s$
• Shamir Secret Sharing: $\mathrm{sk}_s = \sum_i \lambda_i \cdot \mathrm{sk}_{s,i}$
• Player $i$ computes:
  $r'_i \xleftarrow{\$} \mathbb{Z}_p$, $\alpha_i = c_{s,2}^{\mathrm{sk}_{s,i}} \cdot \mathrm{PK}_s^{r'_i}$, $\beta_i = g_s^{r'_i}$
• Anybody can compute:
  $C_s = (c_{s,1} \times \prod_i \alpha_i^{\lambda_i},\ \prod_i \beta_i^{\lambda_i}) = (g_s^{m} \cdot \mathrm{PK}_s^{r'},\ g_s^{r'})$, $r' = \sum_i \lambda_i \cdot r'_i$
Distributed Re-encryption
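Added example (not from the talk or the paper): the Shamir reconstruction in the exponent and the distributed re-encryption step above, run for the single-group ciphertexts of the optimized scheme. The toy group parameters, the function names and the use of a dealer to create the shares are assumptions made for this sketch; the talk's point is that key generation can be done without such a dealer.

```python
import secrets
# Constructed toy group (insecure size): P = 2Q + 1, G generates the order-Q subgroup.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, -x, P)                      # sk = x, pk = g^(-x)

def encrypt(pk, m):
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(pk, r, P) % P, pow(G, r, P)

def decrypt(sk, c):
    return c[0] * pow(c[1], sk, P) % P           # yields g^m

def share(secret, n, total):
    # Dealer-based Shamir sharing (assumption): degree n-1 polynomial, share i = poly(i).
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(n - 1)]
    return {i: sum(a * pow(i, k, Q) for k, a in enumerate(coeffs)) % Q
            for i in range(1, total + 1)}

def lagrange_at_zero(i, subset):
    num = den = 1
    for j in subset:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def reenc_share(c, sk_i, new_pk):
    # Player i: alpha_i = c2^sk_i * PK^r_i, beta_i = g^r_i
    r_i = secrets.randbelow(Q)
    return pow(c[1], sk_i, P) * pow(new_pk, r_i, P) % P, pow(G, r_i, P)

def combine(c, parts):
    # Public step: any n contributions {i: (alpha_i, beta_i)} suffice.
    a = b = 1
    for i, (alpha, beta) in parts.items():
        lam = lagrange_at_zero(i, parts)
        a, b = a * pow(alpha, lam, P) % P, b * pow(beta, lam, P) % P
    return c[0] * a % P, b

def demo(m=7, n=3, total=5, players=(2, 4, 5)):
    (sk, pk), (new_sk, new_pk) = keygen(), keygen()
    shares, c = share(sk, n, total), encrypt(pk, m)
    c_new = combine(c, {i: reenc_share(c, shares[i], new_pk) for i in players})
    y = 1
    for i in players:                            # y = prod v_i^lambda_i = g^sk
        y = y * pow(pow(G, shares[i], P), lagrange_at_zero(i, players), P) % P
    return decrypt(new_sk, c_new) == pow(G, m, P), y * pk % P == 1
```

The first result checks that the re-encrypted ciphertext opens to g^m under the new key although no player ever held the full old secret key; the second checks that g^sk is recovered from the public values g^(sk_i) alone.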
Solution: Group Testing
[Figure: the group-testing computation on encrypted data, combining the ciphertexts $C_{x_{ij}}$ and $C_{y_j}$ as $\mathrm{RandT}(\mathrm{Add}_j(\mathrm{Multiply}(C_{x_{ij}}, C_{y_j})))$.]
Conclusion
• Efficient scheme to evaluate quadratic multivariate polynomials
• Distributed decryption
• Distributed re-encryption
• Decentralized key generation
• Open problem: Decentralized FHE
Thank you
ia.cr/2018/1019
Joint work with David Pointcheval and Duong-Hieu Phan