
Homomorphic Encryptions

Jung Hee Cheon (jointly with Myungsun Kim)

ISaC & Dept. of Math. Sciences, Seoul National University

October 24, 2011

1 / 36

Roadmap

Contents
Privacy Homomorphism
Asymmetric Homomorphic Encryption
Computing on Encrypted Data
Set Operations on Encrypted Data
Practical Applications

2 / 36

Introduction

What We Need
Computing on Encrypted Data
Homomorphic Encryptions ...
Fully Homomorphic Encryption
Overkill or not?
Is there either a jump or an overlook?

3 / 36

Brief History

(Timeline figure; only its labels are recoverable from the slide.)
Schemes, in chronological order of the citation keys: [RSA78], [ElG85], [GM86], [Ben87], [OU98], [SYY99], [Pai99], [DJ01], [BGN05], [Gen09], [DGHV10]
Property labels on the timeline: One-wayness, Multiplicative, IND-CPA, XOR, Additive, Additive w/ 1-Mul, AND, Fully Homo

4 / 36

Homomorphic Schemes

Privacy Homomorphism: [RAD78]
XOR: [GM86]
AND: [SYY99]
Addition: [Ben87], [OU98], [NS98], [Pai99], [DJ01], and so on...
Multiplication: [RSA], [ElG85]
Addition + d-Multiplication: [BGN05], [MGH10]
Full Operations: [Gen09], [DGHV10], and so on...

5 / 36

Privacy Homomorphism

Privacy Homomorphism

“encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands, for many sets of interesting operations”

Data can be processed by an external computing facility (database as a service)
Suppose a loan company stores its data in an outsourced database [RAD78]:
– What is the size of the average loan outstanding?
– How much income from loan payments is expected next month?
– How many loans over $5,000 have been granted?

6 / 36

PH by Rivest et al.

Private key: two large primes p and q
Public key: n = pq
Encryption: En(a) = (a mod p, a mod q) for a ∈ Z_n
Decryption: D_{p,q}(d_1, d_2) = d_1 q (q^{-1} mod p) + d_2 p (p^{-1} mod q) mod n
Supports modular addition, subtraction, and multiplication
Very efficient!

7 / 36

Security of RAD-PH

Secure under a no-message attack
What if we have a pair of plaintext and ciphertext? (Brickell and Yacobi)
Remedy by introducing random factors, but broken
A homomorphic encryption is insecure under the chosen-ciphertext attack

8 / 36
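The scheme on slide 7 and the plaintext/ciphertext-pair question on slide 8, worked through in Python as an added example (it is not code from the slides or from Rivest et al.). The Mersenne primes used as the private key, the sample loan amounts, and the function names are this example's own choices.

```python
# Added example: Rivest-Adleman-Dertouzos privacy homomorphism (slide 7) and the
# known plaintext/ciphertext pair check behind slide 8.  Not the slides' own code.
from math import gcd

# Toy private key: two Mersenne primes (assumption of this example, chosen so
# no primality test is needed).  Public key: n = pq.
P = (1 << 61) - 1
Q = (1 << 89) - 1
N = P * Q


def encrypt(a, p=P, q=Q):
    """En(a) = (a mod p, a mod q) for a in Z_n."""
    return (a % p, a % q)


def decrypt(ct, p=P, q=Q):
    """D_{p,q}(d1, d2) = d1*q*(q^-1 mod p) + d2*p*(p^-1 mod q) mod n  (CRT)."""
    d1, d2 = ct
    n = p * q
    return (d1 * q * pow(q, -1, p) + d2 * p * pow(p, -1, q)) % n


# Ring operations act componentwise: residues are combined mod p and mod q.
def add(c1, c2, p=P, q=Q):
    return ((c1[0] + c2[0]) % p, (c1[1] + c2[1]) % q)


def sub(c1, c2, p=P, q=Q):
    return ((c1[0] - c2[0]) % p, (c1[1] - c2[1]) % q)


def mul(c1, c2, p=P, q=Q):
    return ((c1[0] * c2[0]) % p, (c1[1] * c2[1]) % q)


def loan_queries(loans):
    """Slide 6's outsourced-database questions answered on ciphertexts: the
    server sums the encrypted loans and multiplies two of them; only the key
    holder decrypts.  `loans` are constructed sample amounts."""
    cts = [encrypt(x) for x in loans]
    total = cts[0]
    for c in cts[1:]:
        total = add(total, c)
    return decrypt(total), decrypt(mul(cts[0], cts[1]))


def recover_factors(a, ct, n=N):
    """Slide 8: one (plaintext, ciphertext) pair breaks the scheme.
    Because d1 = a mod p, p divides a - d1, so gcd(a - d1, n) reveals p
    (and q = n // p).  The only pair it misses is a < p, where d1 == a."""
    d1, _ = ct
    p = gcd(a - d1, n)
    if p in (1, n):
        return None
    return (min(p, n // p), max(p, n // p))


if __name__ == "__main__":
    print(loan_queries([12_500, 48_000, 7_250]))        # (67750, 600000000)
    print(recover_factors(N - 1, encrypt(N - 1)) == (P, Q))
```

The componentwise ring operations are what make the scheme so efficient, and `recover_factors` is why slide 8 calls it insecure: the ciphertext component d_1 is a residue mod p, so a single pair with a ≥ p leaks the factorization of n.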

Research Direction

Construct an efficient additively homomorphic symmetric encryption
Construct a secure ring-homomorphic symmetric encryption

9 / 36

Homomorphic Encryption

Homomorphic in Boolean Operations

XOR Homomorphic Encryption

Goldwasser-Micali Scheme [GM86]
Basic idea: map 0 to a random QR and 1 to a random QNR
Based on the QR assumption; IND-CPA security

Work flow
– KeyGen(1^λ): pk = (n = pq, α) and sk = (p, q), where α ∉ QR_n s.t. (α/p) = −1 and (α/q) = −1
– Enc(pk, m): to encrypt a message m ∈ {0, 1}, c = α^m r^2 (mod n) for a random r ←$ Z_n^*
– Dec(sk, c): m = 0 if c ∈ QR_n; otherwise m = 1
– Homomorphism: c_1 c_2 = α^{m_1} r_1^2 · α^{m_2} r_2^2 = α^{(m_1 + m_2 mod 2)} (r_1 r_2)^2

10 / 36

AND Homomorphic Encryptions

The Sander-Young-Yung Encryption [SYY99]
Basic idea: special encoding/decoding + [GM86]
– Encode {0, 1} → {0, 1}^ℓ: 0 ↦ r ∈_R {0, 1}^ℓ and 1 ↦ 0^ℓ
– Encrypt each bit of the ℓ-bit vector using the HE E of [GM86]
– Decrypt and decode (the message is 1 iff the output is the zero vector)
Homomorphism
– Enc(m_1) = (E(a_1), ..., E(a_ℓ)) and Enc(m_2) = (E(b_1), ..., E(b_ℓ)), where a_i, b_i ∈ {0, 1}
– Enc(m_1) ∧ Enc(m_2) = (E(a_1) · E(b_1), ..., E(a_ℓ) · E(b_ℓ))
– Note: random ⊕ random = random, random ⊕ 0^ℓ = random, 0^ℓ ⊕ 0^ℓ = 0^ℓ
Message expansion: ℓn

11 / 36
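Both Boolean schemes, slides 10 and 11, as one added example in Python (not code from the slides or the papers): Goldwasser-Micali with its XOR homomorphism, and the Sander-Young-Yung AND built componentwise on top of it. The Mersenne primes, the seeded PRNG, ℓ = 32 and the nonzero encoding of 0 are assumptions of this example.

```python
# Added example: Goldwasser-Micali XOR homomorphism (slide 10) and the
# Sander-Young-Yung AND construction layered on it (slide 11).  Not code from
# the slides or the papers.  Toy assumptions: p and q are Mersenne primes (no
# primality test needed), a seeded PRNG makes the run reproducible, and the SYY
# encoding of 0 is a nonzero random vector so decoding is exact.
import random
from math import gcd

P = (1 << 61) - 1
Q = (1 << 89) - 1
ELL = 32                      # length of the SYY encoding vector
rng = random.Random(2011)     # seeded for a reproducible demo


def is_qr_mod_prime(a, p):
    """Euler's criterion: a is a quadratic residue mod an odd prime p
    iff a^((p-1)/2) == 1 (mod p)."""
    return pow(a, (p - 1) // 2, p) == 1


def gm_keygen(p=P, q=Q):
    """pk = (n, alpha) with alpha a non-residue mod p and mod q; sk = (p, q)."""
    n = p * q
    while True:
        alpha = rng.randrange(2, n)
        if not is_qr_mod_prime(alpha, p) and not is_qr_mod_prime(alpha, q):
            return (n, alpha), (p, q)


def gm_encrypt(pk, m):
    """c = alpha^m * r^2 mod n for a random unit r (m in {0, 1})."""
    n, alpha = pk
    while True:
        r = rng.randrange(2, n)
        if gcd(r, n) == 1:
            break
    return (pow(alpha, m, n) * r * r) % n


def gm_decrypt(sk, c):
    """m = 0 iff c is a quadratic residue mod n, i.e. mod both p and q."""
    p, q = sk
    return 0 if is_qr_mod_prime(c, p) and is_qr_mod_prime(c, q) else 1


def gm_xor(pk, c1, c2):
    """c1*c2 = alpha^(m1+m2) (r1 r2)^2 decrypts to m1 XOR m2."""
    return (c1 * c2) % pk[0]


def syy_encode(m):
    """0 -> random nonzero ell-bit vector, 1 -> the all-zero vector."""
    if m == 1:
        return [0] * ELL
    bits = [rng.randrange(2) for _ in range(ELL)]
    if not any(bits):          # toy choice: keep the encoding of 0 nonzero
        bits[0] = 1
    return bits


def syy_encrypt(pk, m):
    return [gm_encrypt(pk, b) for b in syy_encode(m)]


def syy_decrypt(sk, ct):
    """The message is 1 iff every component decrypts to 0."""
    return 1 if all(gm_decrypt(sk, c) == 0 for c in ct) else 0


def syy_and(pk, ct1, ct2):
    """Componentwise GM product = componentwise XOR of the two encodings."""
    return [gm_xor(pk, a, b) for a, b in zip(ct1, ct2)]


def truth_tables(pk, sk):
    """Evaluate both homomorphisms on every input pair; returns (xor, and)."""
    xor_tab, and_tab = {}, {}
    for a in (0, 1):
        for b in (0, 1):
            xor_tab[(a, b)] = gm_decrypt(sk, gm_xor(pk, gm_encrypt(pk, a), gm_encrypt(pk, b)))
            and_tab[(a, b)] = syy_decrypt(sk, syy_and(pk, syy_encrypt(pk, a), syy_encrypt(pk, b)))
    return xor_tab, and_tab


if __name__ == "__main__":
    pk, sk = gm_keygen()
    print(truth_tables(pk, sk))
```

The AND table shows the note on slide 11 at work: 0 ∧ 0 gives random ⊕ random, which decodes to 0 unless the two random vectors coincide (probability 2^-ℓ), and the ℓ GM ciphertexts per bit are the ℓn message expansion.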

Research Direction

Construct a homomorphic encryption w.r.t. an operation which is functionally complete
– NOR, NAND, ...
– Asymmetric or symmetric

12 / 36

Multiplicative Homomorphism

Homomorphic in mod M multiplication

RSA encryption
– on the RSA assumption
– One-wayness security
– M is a secret composite number (i.e. φ(N))
ElGamal encryption
– on the DDH assumption
– IND-CPA security
– M is a public prime
– Variants based on different hardness assumptions

13 / 36

Additive homomorphism

Additively Homomorphic in Z_N

The Benaloh Encryption [Ben87]
– on the ℓ-th Residuosity Problem
– Basic idea: remove the random part by the unknown order and find exhaustively the correct message in Z_ℓ
– Message expansion = n/ℓ (vs. [GM86]: n)
The Naccache-Stern Encryption [NS98]
– on the Factoring n Problem
– Basic idea: messages are represented by small primes and reconstructed using the CRT, based on [Ben87]
– Message expansion ≥ 4

14 / 36

Example of NS98

Outline
– Message space M = Z_M where M = 2^a 3^b
– Decryption utilizes Pohlig-Hellman for solving the DL
– In [OU98] M is an unknown prime, and in [Pai99] M = n is a hard-to-factor composite
Scheme
– KeyGen: pk = (n = pq, g, h, a, b) and sk = (p, q) s.t. p − 1 = 2^a p', q − 1 = 3^b q' for some primes p', q'; g is a random generator of order λ(n) = M p' q' and h a random element of order p'q'
– Enc(pk, m): to encrypt m ∈ Z_M, c = g^m h^r mod n for some random r ∈ [1, p'q']
– Dec(sk, c): compute c^{p'q'} = (g^{p'q'})^m and solve the DL using Pohlig-Hellman

15 / 36

The Okamoto-Uchiyama Encryption [OU98]

on the Factoring n = p^2 q Problem / Sylow p-subgroup Problem
Basic idea:
– H: the unique subgroup of order p of Z_{p^2}^* ⊂ Z_n^*
– Solve the DLP on H ⊂ Z_n^* easily
Logarithm
– (1 + p)^x ≡ 1 + xp (mod p^2) and (1 + p)^p ≡ 1 (mod p^2)
– ζ := 1 + p is an order-p element of Z_{p^2}^*. Given h ∈ H, there exists x ∈ Z_p s.t. h = ζ^x; then x := (h − 1)/p mod p
– Define an isomorphism L = log_ζ : H → Z_p, h ↦ (h − 1)/p
– Given g, h ∈ H, log_g h = (log_ζ h)/(log_ζ g) = L(h)/L(g) = (h − 1)/(g − 1)

16 / 36

The Okamoto-Uchiyama Encryption [OU98]

Work flow
– KeyGen: pk = (n = p^2 q, g, h, ℓ) and sk = (p, q), where p, q are ℓ-bit primes, g ∈_R Z_n^* s.t. g^{φ(p^2)} = 1 mod p^2 and g^{p−1} ≠ 1 mod p^2, and h = g^n mod n
– Enc(pk, m): to encrypt m ∈ Z_p, c = g^m h^r mod n for some random r ∈ Z_n
– Dec(sk, c): m = L(c^{p−1} mod p^2) / L(g^{p−1} mod p^2) mod p
Message expansion = 3

17 / 36
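Slides 16 and 17 worked through as an added example in Python (not the slides' code): key generation with the g^{p−1} ≠ 1 mod p^2 check, encryption, decryption through the logarithm L, and the additive homomorphism on Z_p. The unequal Mersenne primes and the seeded PRNG are this example's assumptions.

```python
# Added example: the Okamoto-Uchiyama scheme of slides 16-17, built on the
# logarithm L(h) = (h - 1)/p of the order-p subgroup H.  Not the slides' code.
# Toy assumptions: p = 2^31 - 1 and q = 2^61 - 1 are Mersenne primes (no
# primality test; the slide takes p and q of equal bit length), and a seeded
# PRNG makes the run reproducible.
import random

rng = random.Random(2011)


def L(h, p):
    """log_zeta on H: zeta = 1 + p and zeta^x = 1 + x*p (mod p^2), so x = (h-1)/p."""
    if (h - 1) % p != 0:
        raise ValueError("h is not in the order-p subgroup H")
    return ((h - 1) // p) % p


def keygen(p=(1 << 31) - 1, q=(1 << 61) - 1):
    """pk = (n = p^2 q, g, h), sk = (p, q); g is a unit with g^(p-1) != 1 mod p^2."""
    n = p * p * q
    p2 = p * p
    while True:
        g = rng.randrange(2, n)
        if g % p and g % q and pow(g, p - 1, p2) != 1:
            break
    h = pow(g, n, n)
    return (n, g, h), (p, q)


def encrypt(pk, m):
    """c = g^m h^r mod n for random r in Z_n, m in Z_p."""
    n, g, h = pk
    r = rng.randrange(1, n)
    return (pow(g, m, n) * pow(h, r, n)) % n


def decrypt(pk, sk, c):
    """m = L(c^(p-1) mod p^2) / L(g^(p-1) mod p^2) mod p.
    h^(p-1) = g^(n(p-1)) vanishes mod p^2, so c^(p-1) = (g^(p-1))^m lies in H."""
    n, g, _ = pk
    p, _ = sk
    p2 = p * p
    num = L(pow(c, p - 1, p2), p)
    den = L(pow(g, p - 1, p2), p)
    return (num * pow(den, -1, p)) % p


def add(pk, c1, c2):
    """E(m1) E(m2) = g^(m1+m2) h^(r1+r2): additively homomorphic on Z_p."""
    return (c1 * c2) % pk[0]


def scale(pk, c, k):
    """E(m)^k = E(k m mod p)."""
    return pow(c, k, pk[0])


def expansion(pk, sk):
    """Ciphertext bits / plaintext bits (the slide's 3 is for |p| = |q|)."""
    return pk[0].bit_length() / sk[0].bit_length()


if __name__ == "__main__":
    pk, sk = keygen()
    c = add(pk, encrypt(pk, 123_456), encrypt(pk, 654_321))
    print(decrypt(pk, sk, c))            # 777777
```

The denominator L(g^{p−1} mod p^2) is nonzero exactly because KeyGen rejects any g with g^{p−1} ≡ 1 mod p^2; with the unequal toy primes the expansion comes out near 4 rather than the slide's 3.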

The Paillier Encryption [Pai99]

Drawback of [OU98]: a decryption oracle enables factoring N
Consider the modulus N^2 for N = pq instead of p^2 q. Then the message is defined over Z_N
Logarithm
– (1 + N)^x ≡ 1 + xN (mod N^2) and (1 + N)^N ≡ 1 (mod N^2)
– ζ := 1 + N is an order-N element of Z_{N^2}^*. Given h ∈ H, we have h = ζ^x for x := (h − 1)/N mod N
– Define an isomorphism L : H → Z_N, h ↦ (h − 1)/N
– Given g, h ∈ H, log_g h = (log_ζ h)/(log_ζ g) = (h − 1)/(g − 1)

18 / 36

The Paillier Encryption [Pai99]

E(m) = g^m h^r mod N^2 for g = g_0^{Φ(N)} and h = g_0^N
E(m)^{φ(N)} ≡ g^m mod N^2. Then L(g^m)/L(g) ≡ m mod N
Paillier: E(m) = g^m r^N mod N^2 for g = 1 + N and random r ∈ Z_{N^2}^*
Use λ(N) instead of φ(N)
Variants: EC version [Gal02], generalized version [DJ01]

19 / 36

Additive with d-Multiplicative Homomorphism

Additively Homomorphic Encryption with 2-Mul.

The Boneh-Goh-Nissim Encryption [BGN05]
– on the Subgroup Decision Problem
Basic idea
– |G| = pq, |g| = p and |h| = q. E(m) = g^m h^r is additively homomorphic on Z_p
– Use a bilinear map e : G × G → G_1
– Allow one multiplication: e(g^{m_1} h^{r_1}, g^{m_2} h^{r_2}) = e(g^{m_1} g^{α r_1}, g^{m_2} g^{α r_2}) = e(g, g)^{(m_1 + α r_1)(m_2 + α r_2)} = g_1^{m_1 m_2} · ♣
– How to decrypt ...
– Scalar Mul is not possible if p is large

20 / 36

Research Direction

BGN with large plaintext
Additive HE allowing d multiplications
Efficient Fully Homomorphic Encryption using lattices
FHE with bilinear product groups

21 / 36

Computing on Encrypted Data

Ciphertext Operations

1. Numeric Data: Additive Homomorphic Encryption, Multiplicative Homomorphic Encryption
– Basic integer operations: Add, Subtract, Mul, Div
– Advanced operations: Euclidean Alg., GCD, Modular Operations
– Fast operations: Gaussian Elimination, Newton Method, FFT
2. Non-Numeric Data: what is the operation of data?
– Search

22 / 36

Encr1ypted Set Operations

1. We wish to design an encryption scheme satisfying ...
– Intersection: E(A ∩ B) from E(A), E(B)
– Union: E(A ∪ B) from E(A), E(B)
– Difference: E(A \ B) from E(A), E(B)
– Find E(A ∪ B) or E(A ∩ B) from A and E(B): reduced to the above for a PKE E
– Find A ∪ B or A ∩ B from A and E(B)
– Keyword privacy: use encrypted keywords
2. Easy solution: use deterministic encryption for individual data :-)

23 / 36

Privacy Preserving Set Intersection

1. There are n players P_i with sets S_i
2. They want to compute the intersection of the S_i without revealing other information
3. Application
– Several companies collaboratively find their common customers without revealing other information (privacy)
– In the cloud, ...
4. With a TTP, it is easy. Without a TTP, use secure multiparty computation, which runs in polynomial time but is not so practical

24 / 36

Privacy Preserving Set Intersection (Kissner-Song [C05])

1. S_i: a subset of Z_N
2. Polynomial representation of S_i: f_i(x) = (x − α_1) ··· (x − α_k) for α_j ∈ S_i
– V(f): the set of all roots of f(x) (in Z_N)
– V(f_i) = S_i
3. Set Union: V(f_1(x) · f_2(x)) = S_1 ∪ S_2
4. Set Intersection: V(a f_1(x) + b f_2(x)) ⊃ S_1 ∩ S_2

25 / 36

Privacy Preserving Set Intersection: Set Encryption

1. E: an additively homomorphic encryption on Z_N
– E(a) + E(b) = E(a + b) for a, b ∈ Z_N
– a E(b) = E(ab) for a, b ∈ Z_N
2. Define an encryption of a polynomial: E(f)
– E(a_0 + a_1 x + ··· + a_k x^k) := E(a_0) + E(a_1) x + ··· + E(a_k) x^k
3. Can we compute E(fg) given E(f) and E(g)?
– Yes if E is ring homomorphic.
4. Can we compute g E(f) given E(f) and g?
– (Σ_i E(a_i) x^i)(Σ_j b_j x^j) = Σ_k (Σ_{i+j=k} b_j E(a_i)) x^k, where b_j E(a_i) = E(a_i b_j)

26 / 36
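Slides 25 and 26 as one added example in Python (not the slides' code): the polynomial representation of a set, union by multiplying the polynomials, the intersection superset by a random linear combination, and the coefficient convolution of slide 26 in its plain (unencrypted) form. Taking N prime and the constructed sets are this example's assumptions.

```python
# Added example: the polynomial set representation of slide 25 and the
# coefficient convolution of slide 26, over Z_N.  Not the slides' code.
# Assumption of this toy: N is prime (the slides only write Z_N), so a degree-k
# polynomial has at most k roots and exhaustive root finding over Z_N is exact.
import random

N = 1009                       # small prime chosen for the demo
rng = random.Random(2011)      # seeded for reproducible a, b


def poly_mul(f, g):
    """(sum_i a_i x^i)(sum_j b_j x^j) = sum_k (sum_{i+j=k} a_i b_j) x^k mod N.
    Slide 26 applies the same convolution with a_i replaced by E(a_i)."""
    out = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            out[i + j] = (out[i + j] + a * b) % N
    return out


def poly_add(f, g):
    n = max(len(f), len(g))
    f = f + [0] * (n - len(f))
    g = g + [0] * (n - len(g))
    return [(a + b) % N for a, b in zip(f, g)]


def poly_scale(a, f):
    return [(a * c) % N for c in f]


def poly_eval(f, x):
    acc = 0
    for c in reversed(f):          # Horner's rule; coefficients low degree first
        acc = (acc * x + c) % N
    return acc


def poly_of_set(S):
    """f_S(x) = prod_{alpha in S} (x - alpha)."""
    f = [1]
    for alpha in S:
        f = poly_mul(f, [(-alpha) % N, 1])
    return f


def roots(f):
    """V(f): every root of f in Z_N, by exhaustive evaluation."""
    return {x for x in range(N) if poly_eval(f, x) == 0}


def set_union(S1, S2):
    """V(f_1 f_2) = S_1 ∪ S_2."""
    return roots(poly_mul(poly_of_set(S1), poly_of_set(S2)))


def set_intersection_superset(S1, S2):
    """V(a f_1 + b f_2) ⊃ S_1 ∩ S_2 for random a, b: common roots survive,
    elements of only one set cannot be roots, but unrelated roots may appear."""
    a, b = rng.randrange(1, N), rng.randrange(1, N)
    R = poly_add(poly_scale(a, poly_of_set(S1)), poly_scale(b, poly_of_set(S2)))
    return roots(R)


if __name__ == "__main__":
    S1, S2 = {3, 17, 42, 99}, {17, 42, 500, 777}      # constructed sets
    print(sorted(set_union(S1, S2)))
    print(sorted(set_intersection_superset(S1, S2)))
```

Over a prime N the roots of a f_1 + b f_2 never include an element of only one set, because f_2(α) ≠ 0 for α ∉ S_2; what can appear are unrelated roots, which is why slide 25 writes ⊃ rather than =.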

Non-Interactive Version

1. How to make it non-interactive
– Use Fully Homomorphic Encryption :-)
– Use BGN encryption supporting one multiplication: supports only a one-time intersection operation!
– Use constant g_i: Σ_i f_i g_i is not uniformly distributed on Z_N[x].
– e.g. Given R(x) = a f_1(x) + b f_2(x) and f_1(x), guess a and check if R(x) − a f_1(x) splits?

27 / 36

Encrypted Set Intersection

1. Let P be an encoding into ℘, the set of ℓ-bit primes.
2. Let E be an additively homomorphic encryption on Z_n, i.e. E(x) ⊗ E(y) = E(x + y)
3. For a subset A ⊂ ℘, define E(A) := E(r_A M_A) for M_A = ∏_{p∈A} p and random r_A ∈ Z_n^*
4. E(A) ⊗ E(B) := E(r_A M_A) E(r_B M_B) = E(r_A M_A + r_B M_B)
5. Its decryption is a product of the elements in A ∩ B and some garbage if n is large enough.
6. Need to analyze the randomness of (r_A M_A + r_B M_B)!

28 / 36
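Slides 19 and 28 together as one added example in Python (not the slides' code): Paillier with g = 1 + N supplies the additively homomorphic E, and prime-encoded sets are intersected exactly as items 3 to 5 describe. The Mersenne primes, the 12-bit universe ℘, the size bound and coprimality imposed on r_A, the seeded PRNG and the constructed sets are assumptions of this example.

```python
# Added example: Paillier with g = 1 + N (slide 19) as the additive scheme E,
# and the prime-encoded set intersection of slide 28 on top of it.  Not the
# slides' code.  Toy assumptions: N = pq with Mersenne primes p, q; the universe
# ℘ is the set of 12-bit primes (standing in for the slide's ℓ-bit primes); a
# blinding factor r_A is drawn below 2^64 and coprime to every prime in ℘, so
# r_A M_A + r_B M_B stays below N and cannot pick up an element prime by chance
# (the "randomness of r_A M_A + r_B M_B" that slide 28 says must be analysed).
import random
from math import gcd

P = (1 << 61) - 1
Q = (1 << 89) - 1
rng = random.Random(2011)


def paillier_keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)      # lambda(n)
    mu = pow(lam, -1, n)         # L((1+n)^lam mod n^2) = lam, so mu = lam^-1
    return n, (lam, mu)


def L(u, n):
    return (u - 1) // n


def enc(n, m):
    """E(m) = (1 + n)^m * r^n mod n^2 for random r in Z_{n^2}^*."""
    n2 = n * n
    while True:
        r = rng.randrange(2, n2)
        if gcd(r, n) == 1:
            break
    return (pow(1 + n, m, n2) * pow(r, n, n2)) % n2


def dec(n, sk, c):
    lam, mu = sk
    return (L(pow(c, lam, n * n), n) * mu) % n


def hadd(n, c1, c2):
    """E(x) ⊗ E(y) = E(x + y): ciphertexts multiply mod n^2."""
    return (c1 * c2) % (n * n)


# The element universe ℘ and the product of all its primes.
PRIMES_12BIT = [p for p in range(1 << 11, 1 << 12)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]
UNIVERSE_PRODUCT = 1
for _p in PRIMES_12BIT:
    UNIVERSE_PRODUCT *= _p


def blinding_factor():
    """Random r below 2^64 sharing no factor with ℘ (toy design choice)."""
    while True:
        r = rng.getrandbits(64)
        if r > 1 and gcd(r, UNIVERSE_PRODUCT) == 1:
            return r


def set_product(A):
    """M_A = prod_{p in A} p."""
    out = 1
    for p in A:
        out *= p
    return out


def enc_set(n, A):
    """E(A) := E(r_A M_A)."""
    return enc(n, blinding_factor() * set_product(A))


def intersect(n, sk, own_set, ct_A, ct_B):
    """Decrypt E(A) ⊗ E(B) = E(r_A M_A + r_B M_B).  Every p in A ∩ B divides the
    result; the key holder tests which of its own elements do.  An element of
    only one set cannot divide it, because r_B is coprime to ℘ and p ∤ M_B."""
    D = dec(n, sk, hadd(n, ct_A, ct_B))
    return {p for p in own_set if D % p == 0}


if __name__ == "__main__":
    n, sk = paillier_keygen()
    A = {PRIMES_12BIT[i] for i in (0, 5, 10, 20)}      # constructed sets
    B = {PRIMES_12BIT[i] for i in (5, 20, 30, 40)}
    print(sorted(intersect(n, sk, A, enc_set(n, A), enc_set(n, B))))
```

The key holder recovers A ∩ B by testing its own elements against the decrypted value. Scanning all of ℘ instead would also expose the garbage: with 12-bit primes, r_A M_A + r_B M_B is divisible by an unrelated element of ℘ with probability about 1/p each, which is what item 5's "if n is large enough" and item 6's randomness question are about.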

Encrypted Set Intersection

1. Non-interactive
2. Can be repeated many times
3. Ciphertext expansion for each operation
4. Scalability: increase n or ??

29 / 36

Encrypted Set Union

1. Let E be a multiplicatively homomorphic encryption on Z_n, i.e. E(x) ⊙ E(y) = E(xy)
2. E(A) ⊙ E(B) := E(r_A M_A) ⊙ E(r_B M_B) = E(r_A r_B M_A M_B)
3. Its decryption is a product of the elements in A ∪ B if n is large enough
4. How to remove the garbage: use the redundancy function (e.g. each element of ℘ ends with 11111.)

30 / 36
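Slide 30 as an added example in Python (not the slides' code): textbook RSA, which slide 13 lists as multiplicatively homomorphic, encrypts r_A M_A; the product of two such ciphertexts decrypts to r_A r_B M_A M_B, and the redundancy rule of item 4 removes the garbage. The Mersenne primes, ℓ = 12, the choice of r_A as a 12-bit prime outside ℘, the seeded PRNG and the constructed sets are assumptions of this example.

```python
# Added example: textbook RSA as the multiplicative scheme of slide 30 (slide 13
# lists RSA as multiplicatively homomorphic, with one-wayness only) and the
# prime-encoded set union with the redundancy rule "each element of ℘ ends with
# 11111".  Not the slides' code.  Toy assumptions: Mersenne primes for the RSA
# modulus; ℘ = 12-bit primes whose low five bits are 11111; the blinding factor
# r_A is itself a 12-bit prime outside ℘ (the slide only needs r_A in Z_n^*), so
# the decrypted product factors completely by trial division and it is the
# redundancy check that separates set elements from the garbage r_A r_B.
import random

P = (1 << 61) - 1
Q = (1 << 89) - 1
rng = random.Random(2011)


def rsa_keygen(p=P, q=Q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))
    return (n, e), (n, d)


def enc(pk, m):
    """Textbook RSA: E(m) = m^e mod n, deterministic and one-way only."""
    n, e = pk
    return pow(m, e, n)


def dec(sk, c):
    n, d = sk
    return pow(c, d, n)


def hmul(pk, c1, c2):
    """E(x) ⊙ E(y) = E(xy): ciphertexts multiply mod n."""
    return (c1 * c2) % pk[0]


def has_redundancy(p):
    """The redundancy function of slide 30: the low five bits are 11111."""
    return (p & 0b11111) == 0b11111


PRIMES_12BIT = [p for p in range(1 << 11, 1 << 12)
                if all(p % d for d in range(2, int(p ** 0.5) + 1))]
UNIVERSE = [p for p in PRIMES_12BIT if has_redundancy(p)]          # ℘
GARBAGE_POOL = [p for p in PRIMES_12BIT if not has_redundancy(p)]  # for r_A


def set_product(A):
    """M_A = prod_{p in A} p."""
    out = 1
    for p in A:
        out *= p
    return out


def enc_set(pk, A):
    """E(A) := E(r_A M_A) with r_A a random prime from the garbage pool."""
    return enc(pk, rng.choice(GARBAGE_POOL) * set_product(A))


def factor_small(x):
    """Trial division by the 12-bit primes; returns (factors, cofactor)."""
    found = []
    for p in PRIMES_12BIT:
        while x % p == 0:
            found.append(p)
            x //= p
    return found, x


def union(pk, sk, ct_A, ct_B):
    """E(A) ⊙ E(B) = E(r_A r_B M_A M_B).  The product is below n, so decryption
    returns it exactly; factor it and keep only the primes carrying the
    redundancy, which discards r_A and r_B."""
    D = dec(sk, hmul(pk, ct_A, ct_B))
    factors, cofactor = factor_small(D)
    if cofactor != 1:
        raise ValueError("unexpected factor outside the 12-bit range")
    return {p for p in factors if has_redundancy(p)}


if __name__ == "__main__":
    pk, sk = rsa_keygen()
    A, B = set(UNIVERSE[:4]), set(UNIVERSE[2:6])       # constructed sets
    print(sorted(union(pk, sk, enc_set(pk, A), enc_set(pk, B))))
```

Because r_A and r_B are themselves 12-bit primes here, trial division alone cannot tell them from set elements; the low-five-bits check is what does, and a union with a shared element simply yields that prime twice before the set is formed.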

Encrypted Set Union

1. Non-interactive
2. Can be repeated many times
3. Ciphertext expansion for each operation is unavoidable
4. Scalability: increase n or ??
5. Provides an unlinkability property between ciphertexts and the plaintexts obtained after decryption, i.e. which element comes from which encryptor

31 / 36

Research Directions

Scalability in Set Intersection: what is optimal?
– How large should the coefficients of the random linear combination be?
How to merge: support Intersection and Union with one encryption
– Set Union with Additive Homo.: interactive
– Set Intersection with Multiplicative Homo.: ??
Towards complete set operations ...
Application scenarios in voting, cloud computing

32 / 36

Research Directions toward Practice

Privacy-preserving versions of frequently used heavy operations
– Outsourced DB:
– Cloud: image processing?

33 / 36

For Further Reading

J. Benaloh, “Verifiable secret-ballot elections,” PhD Thesis, Yale Univ., 1987.
D. Boneh, E. Goh, and K. Nissim, “Evaluating 2-DNF formulas on ciphertexts,” TCC 2005.
I. Damgård and M. Jurik, “A generalization, a simplification and some applications of Paillier’s probabilistic public-key system,” PKC 2001.
T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. Info. Theory, 1985.
S. Galbraith, “Elliptic curve Paillier schemes,” J. Cryptology, 2002.
C. Gentry, “Fully homomorphic encryption using ideal lattices,” STOC 2009.
S. Goldwasser and S. Micali, “Probabilistic encryption,” JCSS 1984.

34 / 36

For Further Reading

A. Kawachi, K. Tanaka and K. Xagawa, “Multi-bit cryptosystems based on lattice problems,” PKC 2007.
C. Melchor, P. Gaborit, and J. Herranz, “Additively homomorphic encryption with d-operand multiplication,” Crypto 2010.
D. Naccache and J. Stern, “A new public key cryptosystem based on higher residues,” ACM CCS 1998.
T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure as factoring,” Eurocrypt 1998.
P. Paillier, “Public-key cryptosystems based on composite residuosity classes,” Eurocrypt 1999.
R. Rivest, L. Adleman, and M. Dertouzos, “On data banks and privacy homomorphism,” Foundations of Sec. Comp., 1978.

35 / 36

For Further Reading

R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Comm. ACM, 1978.
T. Sander, A. Young and M. Yung, “Non-interactive CryptoComputing for NC^1,” FOCS 1999.
M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” Eurocrypt 2010.

> The source of all pictures is Google Image.

36 / 36