Homomorphic Encryptions
Jung Hee Cheon (jointly with Myungsun Kim)
ISaC & Dept. of Math. Sciences, Seoul National University
October 24, 2011
1 / 36
Roadmap
Contents
Privacy Homomorphism
Asymmetric Homomorphic Encryption
Computing on Encrypted Data
Set Operations on Encrypted Data
Practical Applications
Introduction
What We Need
Computing on Encrypted Data
Homomorphic Encryptions ...
Fully Homomorphic Encryption
Overkill or not?
Is there either a jump or something overlooked?
Introduction
Brief History
Timeline figure; the labels recovered from it, grouped by homomorphic property and security notion:
One-wayness, multiplicative: [RSA78]
IND-CPA, multiplicative: [ElG85]
IND-CPA, XOR: [GM86]
AND: [SYY99]
Additive: [Ben87], [OU98], [Pai99], [DJ01]
Additive w/ 1-Mul: [BGN05]
Fully Homomorphic: [Gen09], [DGHV10]
Introduction
Homomorphic Schemes
Privacy Homomorphism: [RAD78]
XOR: [GM86]
AND: [SYY99]
Addition: [Ben87], [OU98], [NS98], [Pai99], [DJ01] and so on...
Multiplication: [RSA], [ElG85]
Addition + d-Multiplication: [BGN05], [MGH10]
Full Operations: [Gen09], [DGHV10], and so on...
Privacy Homomorphism
Privacy Homomorphism
“encryption functions which permit encrypted data to be operated on without preliminary decryption of the operands, for many sets of interesting operations”
Data can be processed by an external computing facility (database as a service)
Suppose a loan company stores its data in an outsourced database [RAD78]
What is the size of the average loan outstanding?
How much income from loan payments is expected next month?
How many loans over $5,000 have been granted?
Privacy Homomorphism
PH by Rivest et al.
Private key: two large primes p and q
Public key: n = pq
Encryption: E_n(a) = (a mod p, a mod q) for a ∈ Z_n
Decryption: D_{p,q}(d1, d2) = d1·q·(q^{-1} mod p) + d2·p·(p^{-1} mod q) mod n
Supports modular addition, subtraction and multiplication
Very efficient!
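The Rivest-Adleman-Dertouzos privacy homomorphism above as an added example (not code from the slides), together with the check behind the next slide's remark that one known (plaintext, ciphertext) pair breaks it. The primes p, q are constructed toy values (Mersenne primes), and the helper names are my own.

```python
# Added example, not from the slides: the Rivest-Adleman-Dertouzos privacy
# homomorphism on Z_n exactly as defined above.  p, q are constructed toy
# Mersenne primes; function names are my own.
from math import gcd

P, Q = 2**61 - 1, 2**89 - 1        # secret key: two large primes
N = P * Q                           # public key: n = pq

def encrypt(a):
    """E_n(a) = (a mod p, a mod q): the plaintext's CRT residues, no randomness."""
    return (a % P, a % Q)

def decrypt(c):
    """D_{p,q}(d1, d2) = d1*q*(q^-1 mod p) + d2*p*(p^-1 mod q) mod n (CRT recombination)."""
    d1, d2 = c
    return (d1 * Q * pow(Q, -1, P) + d2 * P * pow(P, -1, Q)) % N

def add(c1, c2):                    # componentwise: E(a) + E(b) = E(a + b mod n)
    return ((c1[0] + c2[0]) % P, (c1[1] + c2[1]) % Q)

def mul(c1, c2):                    # componentwise: E(a) * E(b) = E(a * b mod n)
    return ((c1[0] * c2[0]) % P, (c1[1] * c2[1]) % Q)

def factor_from_known_pair(a, c):
    """Why no-message security does not extend to a known pair: a - d1 is a
    multiple of p, so gcd(a - d1, n) = p whenever a >= p (the generic case in Z_n)."""
    return gcd(a - c[0], N)
```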
Privacy Homomorphism
Security of RAD-PH
Secure under a no-message attack
What if we have a (plaintext, ciphertext) pair? (Brickell and Yacobi)
Remedy: introduce random factors, but this is broken too
A homomorphic encryption is insecure under the chosen-ciphertext attack
Privacy Homomorphism
Research Direction
Construct an efficient additively homomorphic symmetric encryption
Construct a secure ring-homomorphic symmetric encryption
Homomorphic Encryption
Homomorphic in Boolean Operations
XOR Homomorphic Encryption
Goldwasser-Micali Scheme [GM86]
Basic Idea: Map 0 to a random QR and 1 to a random QNR
on the QR assumption & IND-CPA security
Work flow
KeyGen(1^λ): pk = (n = pq, α) and sk = (p, q)
– α ∉ QR_n s.t. (α/p) = −1 and (α/q) = −1
Enc(pk, m): To encrypt a message m ∈ {0, 1}
– c = α^m r^2 (mod n) for a random r ←$ Z_n^×
Dec(sk, c):
– m = 0 if c ∈ QR_n; otherwise m = 1
Homomorphism
– c1·c2 = α^{m1} r1^2 · α^{m2} r2^2 = α^{(m1 + m2 mod 2)} (r1 r2)^2
Homomorphic Encryption
Homomorphic in Boolean Operations
AND Homomorphic Encryptions
The Sander-Young-Yung Encryption [SYY99]
Basic Idea: Special Encoding/Decoding + [GM86]
Encode {0, 1} → {0, 1}^ℓ: 0 ↦ r ∈_R {0, 1}^ℓ and 1 ↦ 0^ℓ
Encrypt each bit of the ℓ-bit vector using the HE E of [GM86]
Decrypt and decode (the message is 1 iff the output is the zero vector)
Homomorphism
Enc(m1) = (E(a1), ..., E(aℓ)) and Enc(m2) = (E(b1), ..., E(bℓ)) where ai, bi ∈ {0, 1}
Enc(m1) ∧ Enc(m2) = (E(a1)·E(b1), ..., E(aℓ)·E(bℓ))
Note random ⊕ random = random, random ⊕ 0^ℓ = random, 0^ℓ ⊕ 0^ℓ = 0^ℓ
Message expansion: ℓ·n
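The Goldwasser-Micali XOR homomorphism of the previous slide and the Sander-Young-Yung AND layer above, as one added example (not code from the slides). The toy primes are constructed Mersenne primes congruent to 3 mod 4, which makes α = n − 1 a non-residue modulo both; ℓ is set to 32 and the function names are my own.

```python
# Added example, not from the slides: Goldwasser-Micali XOR homomorphism and
# the Sander-Young-Yung AND construction on top of it.  p, q are constructed
# toy Mersenne primes, both 3 (mod 4), so alpha = n - 1 = -1 is a QNR mod p and q.
import secrets

P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
ALPHA = N - 1                  # (-1/p) = (-1/q) = -1 because p, q = 3 (mod 4)
ELL = 32                       # SYY expansion: each bit becomes ELL GM ciphertexts

def is_qr(x, p):               # Euler's criterion for an odd prime p
    return pow(x, (p - 1) // 2, p) == 1

def gm_enc(m):
    """c = alpha^m r^2 mod n for random r in Z_n^* (m in {0, 1})."""
    r = secrets.randbelow(N - 2) + 2
    return (pow(ALPHA, m, N) * r * r) % N

def gm_dec(c):
    """m = 0 iff c is a QR mod n, i.e. a QR mod p and mod q (needs the factors)."""
    return 0 if is_qr(c % P, P) and is_qr(c % Q, Q) else 1

def gm_xor(c1, c2):            # c1 * c2 encrypts m1 XOR m2
    return (c1 * c2) % N

def syy_enc(m):
    """Encode 1 as 0^ELL and 0 as a random ELL-bit vector, then GM-encrypt bitwise."""
    bits = [0] * ELL if m == 1 else [secrets.randbelow(2) for _ in range(ELL)]
    return [gm_enc(b) for b in bits]

def syy_and(ca, cb):
    """Componentwise XOR of the encodings: 0^ELL survives only if both inputs were 1."""
    return [gm_xor(x, y) for x, y in zip(ca, cb)]

def syy_dec(c):
    """Message is 1 iff the decoded vector is all zeros (error probability about 2^-ELL)."""
    return 1 if all(gm_dec(x) == 0 for x in c) else 0
```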
Homomorphic Encryption
Homomorphic in Boolean Operations
Research Direction
Construct a homomorphic encryption w.r.t. an operation which is functionally complete
NOR, NAND, ...
Asymmetric or symmetric
Homomorphic Encryption
Multiplicative Homomorphism
Homomorphic in mod M multiplication
RSA encryption
– on the RSA assumption
– One-wayness security
– M is a secret composite number (i.e. φ(N))
ElGamal encryption
– on the DDH assumption
– IND-CPA security
– M is a public prime
– Variants based on different hardness assumptions
Homomorphic Encryption
Additive homomorphism
Additively Homomorphic in ZN
The Benaloh Encryption [Ben87]
on the ℓ-th Residuosity Problem
Basic idea: Remove the random part using the unknown order and find the correct message in Z_ℓ exhaustively
Message expansion = n/ℓ (vs [GM86]: n)
The Naccache-Stern Encryption [NS98]
on the Factoring n Problem
Basic idea: Messages are represented by small primes and reconstructed using the CRT, based on [Ben87]
Message expansion ≥ 4
Homomorphic Encryption
Additive homomorphism
Example of NS98
Outline
Message space M = Z_M where M = 2^a 3^b
Decryption utilizes Pohlig-Hellman for solving the DL
In [OU98] M is an unknown prime and in [Pai99] M = n is a hard-to-factor composite
Scheme
KeyGen: pk = (n = pq, g, h, a, b) and sk = (p, q) s.t. p − 1 = 2^a p′, q − 1 = 3^b q′ for some primes p′, q′, g is a random generator of order λ(n) = M p′ q′, and h a random element of order p′q′
Enc(pk, m): To encrypt m ∈ Z_M
– c = g^m h^r mod n for some random r ∈ [1, p′q′]
Dec(sk, c):
– Compute c^{p′q′} = (g^{p′q′})^m and solve the DL using Pohlig-Hellman
Homomorphic Encryption
Additive homomorphism
The Okamoto-Uchiyama Encryption [OU98]
on the Factoring n = p^2 q Problem / Sylow p-subgroup Problem
Basic idea:
H: the unique subgroup of order p of Z_{p^2}^× ⊂ Z_n^×
Solve the DLP on H ⊂ Z_n^× easily
Logarithm
(1 + p)^x ≡ 1 + xp mod p^2 and (1 + p)^p ≡ 1 mod p^2
ζ := 1 + p is an order-p element of Z_{p^2}^*
Given h ∈ H, there exists x ∈ Z_p s.t. h = ζ^x. Then x := (h − 1)/p mod p
Define an isomorphism L = log_ζ : H → Z_p, h ↦ (h − 1)/p
Given g, h ∈ H, log_g h = (log_ζ h)/(log_ζ g) = L(h)/L(g) = (h − 1)/(g − 1)
Homomorphic Encryption
Additive homomorphism
The Okamoto-Uchiyama Encryption [OU98]
Work flow
KeyGen: pk = (n = p^2 q, g, h, ℓ) and sk = (p, q) where p, q are ℓ-bit primes, g ∈_R Z_n^× s.t. g^{φ(p^2)} = 1 mod p^2 and g^{p−1} ≠ 1 mod p^2, and h = g^n mod n
Enc(pk, m): to encrypt m ∈ Z_p
– c = g^m h^r mod n for some random r ∈ Z_n
Dec(sk, c)
– m = L(c^{p−1} mod p^2) / L(g^{p−1} mod p^2) mod p
Message expansion = 3
Homomorphic Encryption
Additive homomorphism
The Paillier Encryption [Pai99]
Drawback of [OU98]: a decryption oracle enables factoring N
Consider the modulus N^2 for N = pq instead of p^2 q. Then the message is defined over Z_N
Logarithm
(1 + N)^x ≡ 1 + xN mod N^2 and (1 + N)^N ≡ 1 mod N^2
ζ := 1 + N is an order-N element of Z_{N^2}^*
Given h ∈ H, we have h = ζ^x for x := (h − 1)/N mod N
Define an isomorphism L : H → Z_N, h ↦ (h − 1)/N
Given g, h ∈ H, log_g h = (log_ζ h)/(log_ζ g) = (h − 1)/(g − 1)
Homomorphic Encryption
Additive homomorphism
The Paillier Encryption [Pai99]
E(m) = g^m h^r mod N^2 for g = g0^{φ(N)} and h = g0^N
E(m)^{φ(N)} ≡ g^m mod N^2. Then L(g^m)/L(g) ≡ m mod N
Paillier: E(m) = g^m r^N mod N^2 for g = 1 + N and random r ∈ Z_{N^2}^*
Use λ(N) instead of φ(N)
Variants: EC version [Gal02], generalized version [DJ01]
Homomorphic Encryption
Additive with d-Multiplicative Homomorphism
Additively Homomorphic Encryption with 2-Mul.
The Boneh-Goh-Nissim Encryption [BGN05]
on the Subgroup Decision Problem
Basic idea
|G| = pq, |g| = p and |h| = q. E(m) = g^m h^r is additively homomorphic on Z_p
Use a bilinear map e : G × G → G1
Allow one multiplication: e(g^{m1} h^{r1}, g^{m2} h^{r2}) = e(g^{m1} g^{αr1}, g^{m2} g^{αr2}) = e(g, g)^{(m1 + αr1)(m2 + αr2)} = g1^{m1 m2} · ♣ (the randomizing part)
How to decrypt ..
Scalar multiplication is not possible if p is large
Homomorphic Encryption
Additive with d-Multiplicative Homomorphism
Research Direction
BGN with large plaintext
Additive HE allowing d multiplications
Efficient Fully Homomorphic Enc using Lattice
FHE with bilinear product groups
Computing on Encrypted Data
Ciphertext Operations
1 Numeric Data: Additive Homomorphic Encryption, Multiplicative Homomorphic Encryption
Basic Integer Operations: Add, Subtract, Mul, Div
Advanced Operations: Euclidean Alg, GCD, Modular Operations
Fast Operations: Gaussian Elimination, Newton Method, FFT
2 Non-Numeric Data: what is the operation of data?
Search
Computing on Encrypted Data
Encrypted Set Operations
1 We wish to design an encryption scheme satisfying ...
Intersection: E(A ∩ B) from E(A), E(B)
Union: E(A ∪ B) from E(A), E(B)
Difference: E(A \ B) from E(A), E(B)
Find E(A ∪ B) or E(A ∩ B) from A and E(B)
Reduced to the above for a PKE E
Find A ∪ B or A ∩ B from A and E(B)
Keyword Privacy: Use encrypted keywords
2 Easy Solution: Use deterministic encryption for individual data :-)
Computing on Encrypted Data
Privacy Preserving Set Intersection
1 There are n players P_i with sets S_i
2 They want to compute the intersection of the S_i without revealing other information
3 Applications
Several companies collaboratively find their common customers without revealing other information (privacy)
In the cloud, ...
4 With a TTP, it is easy. W/o a TTP, use secure multiparty computation, which runs in polynomial time but is not so practical
Computing on Encrypted Data
Privacy Preserving Set Intersection (Kissner-Song [C05])
1 S_i: a subset of Z_N
2 Poly Rep of S_i: f_i(x) = (x − α1)···(x − αk) for α_j ∈ S_i
V(f): the set of all roots of f(x) (in Z_N)
V(f_i) = S_i
3 Set Union: V(f1(x)·f2(x)) = S1 ∪ S2
4 Set Intersection: V(a·f1(x) + b·f2(x)) ⊃ S1 ∩ S2
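The polynomial representation above, as an added example (not code from the slides): sets become polynomials over Z_N, union is the product and intersection is a random linear combination, with V(·) found by brute force. N = 101 (a prime, so Z_N is a field) and the sample sets are constructed toy values; the function names are my own.

```python
# Added example, not from the slides: the Kissner-Song polynomial representation
# of sets over Z_N.  N and the sets are constructed toy values; N is prime so
# that Z_N is a field and a nonzero product of two nonzero values stays nonzero.
import secrets

N = 101

def poly_mul(f, g):                       # coefficient lists, lowest degree first
    h = [0] * (len(f) + len(g) - 1)
    for i, a in enumerate(f):
        for j, b in enumerate(g):
            h[i + j] = (h[i + j] + a * b) % N
    return h

def poly_add(f, g):
    n = max(len(f), len(g))
    f, g = f + [0] * (n - len(f)), g + [0] * (n - len(g))
    return [(a + b) % N for a, b in zip(f, g)]

def poly_from_set(S):
    """f(x) = prod_{alpha in S} (x - alpha), so that V(f) = S."""
    f = [1]
    for alpha in S:
        f = poly_mul(f, [(-alpha) % N, 1])
    return f

def roots(f):
    """V(f): every x in Z_N with f(x) = 0 (exhaustive evaluation is fine for toy N)."""
    return {x for x in range(N) if sum(c * pow(x, i, N) for i, c in enumerate(f)) % N == 0}

def set_union(S1, S2):
    """V(f1 * f2) = S1 ∪ S2 exactly: a product vanishes iff one factor does."""
    return roots(poly_mul(poly_from_set(S1), poly_from_set(S2)))

def set_intersection_candidates(S1, S2):
    """V(a*f1 + b*f2) for random nonzero a, b.  Every element of S1 ∩ S2 is a root;
    no element of S1 Δ S2 is (one summand is zero there and the other is not);
    extra roots outside S1 ∪ S2 can occur, which is why the slide writes ⊃, not =."""
    a, b = (secrets.randbelow(N - 1) + 1 for _ in range(2))
    return roots(poly_add([(a * c) % N for c in poly_from_set(S1)],
                          [(b * c) % N for c in poly_from_set(S2)]))
```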
Computing on Encrypted Data
Privacy Preserving Set Intersection: Set Encryption
1 E: an additively homomorphic encryption on Z_N
E(a) + E(b) = E(a + b) for a, b ∈ Z_N
a·E(b) = E(ab) for a, b ∈ Z_N
2 Define an encryption of a polynomial: E(f)
E(a0 + a1 x + ··· + ak x^k) := E(a0) + E(a1) x + ··· + E(ak) x^k
3 Can we compute E(fg) given E(f) and E(g)?
Yes if E is ring homomorphic.
4 Can we compute g·E(f) given E(f) and g?
(Σ_i E(a_i) x^i)(Σ_j b_j x^j) = Σ_k (Σ_{i+j=k} b_j E(a_i)) x^k
where b_j E(a_i) = E(a_i b_j)
Computing on Encrypted Data
Non-Interactive Version
1 How to make it non-interactive
Use Fully Homomorphic Encryption :-)
Use BGN encryption supporting one multiplication: supports only a one-time intersection operation!
Use constants g_i: Σ_i f_i g_i is not uniformly distributed on Z_N[x]
e.g. Given R(x) = a·f1(x) + b·f2(x) and f1(x), guess a and check whether R(x) − a·f1(x) splits?
Computing on Encrypted Data
Encrypted Set Intersection
1 Let P be an encoding into ℘, the set of ℓ-bit primes.
2 Let E be an additively homomorphic encryption on Z_n, i.e. E(x) ⊗ E(y) = E(x + y)
3 For a subset A ⊂ ℘, define E(A) := E(r_A M_A) for M_A = ∏_{p∈A} p and random r_A ∈ Z_n^*
4 E(A) ⊗ E(B) := E(r_A M_A) ⊗ E(r_B M_B) = E(r_A M_A + r_B M_B)
5 Its decryption is the product of the elements in A ∩ B and some garbage if n is large enough.
6 Need to analyze the randomness of (r_A M_A + r_B M_B)!
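An added example (not code from the slides) serving two passages: Paillier with g = 1 + N from the slides "The Paillier Encryption", used as the additively homomorphic E for the prime-encoded set intersection above. The Paillier primes, the universe of 9-bit primes and the sets are constructed toy values, r_A is bounded so that r_A M_A + r_B M_B < N, and the function names are my own.

```python
# Added example, not from the slides: Paillier with g = 1 + N (additive HE),
# then E(A) := E(r_A M_A) and E(A) ⊗ E(B) decrypted to recover A ∩ B.
# P, Q are constructed toy Mersenne primes; PRIMES is a toy universe ℘.
import secrets
from math import gcd, prod

P, Q = 2**61 - 1, 2**89 - 1
N, N2 = P * Q, (P * Q) ** 2
LAM = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)     # lambda(N) = lcm(p-1, q-1)

def L(u):                       # L(u) = (u - 1)/N, defined for u = 1 (mod N)
    return (u - 1) // N

def enc(m):
    """E(m) = (1+N)^m r^N mod N^2 for random r in Z_{N^2}^*."""
    r = secrets.randbelow(N - 2) + 2
    return (pow(1 + N, m, N2) * pow(r, N, N2)) % N2

def dec(c):
    """m = L(c^lambda mod N^2) / L((1+N)^lambda mod N^2) mod N (r^{N lambda} = 1 mod N^2)."""
    return (L(pow(c, LAM, N2)) * pow(L(pow(1 + N, LAM, N2)), -1, N)) % N

def add(c1, c2):                # E(x) ⊗ E(y) = E(x + y): multiply mod N^2
    return (c1 * c2) % N2

def smul(a, c):                 # a·E(b) = E(ab): exponentiate mod N^2
    return pow(c, a, N2)

PRIMES = [257, 263, 269, 271, 277, 281, 283, 293]   # toy universe ℘ of 9-bit primes

def enc_set(A, r_bits=20):
    """E(A) := E(r_A * M_A) with M_A the product of the primes in A and random r_A."""
    r_a = secrets.randbelow(2**r_bits - 1) + 1
    return enc(r_a * prod(A))

def intersect(cA, cB):
    """Decrypt E(A) ⊗ E(B) = E(r_A M_A + r_B M_B) and trial-divide by ℘.
    The sum equals M_{A∩B} * (r_A M_{A\B} + r_B M_{B\A}), so every prime of A ∩ B
    divides it; any other hit is a prime of ℘ that happens to divide the cofactor,
    the 'garbage' whose probability the slide says must be analyzed."""
    s = dec(add(cA, cB))
    return {p for p in PRIMES if s % p == 0}
```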
Computing on Encrypted Data
Encrypted Set Intersection
1 Non-interactive
2 Can repeat many times
3 Ciphertext expansion for each operation
4 Scalability: Increase n or ??
Computing on Encrypted Data
Encrypted Set Union
1 Let E be a multiplicatively homomorphic encryption on Z_n, i.e. E(x) ⊙ E(y) = E(xy)
2 E(A) ⊙ E(B) := E(r_A M_A) ⊙ E(r_B M_B) = E(r_A r_B M_A M_B)
3 Its decryption is the product of the elements in A ∪ B if n is large enough
4 How to remove the garbage: Use a redundancy function (e.g. each element of ℘ ends with 11111.)
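The encrypted set union above as an added example (not code from the slides), with textbook RSA as the multiplicatively homomorphic E and the redundancy idea realized by a universe of 11-bit primes whose low five bits are 11111. The RSA primes and the sets are constructed toy values, sets are kept small so that r_A r_B M_A M_B < n, and the function names are my own.

```python
# Added example, not from the slides: set union over a multiplicative HE
# (textbook RSA, E(x) = x^e mod n) with a redundant prime universe.
# P, Q are constructed toy Mersenne primes; e = 65537 is coprime to lambda(n).
import secrets
from math import gcd, prod

P, Q = 2**61 - 1, 2**89 - 1
N = P * Q
E_EXP = 65537
D_EXP = pow(E_EXP, -1, (P - 1) * (Q - 1) // gcd(P - 1, Q - 1))

def enc(x):                       # E(x) = x^e mod n (deterministic, as in the slides' RSA entry)
    return pow(x, E_EXP, N)

def dec(c):
    return pow(c, D_EXP, N)

def mul(c1, c2):                  # E(x) ⊙ E(y) = E(xy): multiply mod n
    return (c1 * c2) % N

def is_prime(n):                  # trial division is enough for 11-bit values
    return n > 1 and all(n % d for d in range(2, int(n**0.5) + 1))

# Redundant universe ℘: the primes in [2^10, 2^11) whose low five bits are 11111
UNIVERSE = [p for p in range(2**10, 2**11) if p % 32 == 31 and is_prime(p)]

def enc_set(A, r_bits=20):
    """E(A) := E(r_A * M_A) with random r_A; r_A r_B is the garbage after decryption."""
    r_a = secrets.randbelow(2**r_bits - 1) + 1
    return enc(r_a * prod(A))

def union(cA, cB):
    """Decrypt E(A) ⊙ E(B) = E(r_A r_B M_A M_B) and keep the factors that carry the
    redundancy pattern: every prime of A ∪ B divides the product, and a garbage
    factor slips through only if r_A r_B itself has a prime factor in ℘."""
    t = dec(mul(cA, cB))
    return {p for p in UNIVERSE if t % p == 0}
```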
Computing on Encrypted Data
Encrypted Set Union
1 Non-interactive
2 Can repeat many times
3 Ciphertext expansion for each operation is unavoidable
4 Scalability: Increase n or ??
5 Provides unlinkability between ciphertexts and the plaintexts obtained after decryption
6 i.e. which element comes from which encryptor
Computing on Encrypted Data
Research Directions
Scalability in Set Intersection: What is optimal?
How large should the coefficients of the random linear combination be?
How to merge: Support Intersection and Union with one encryption
Set Union with Additive Homo.: interactive
Set Intersection with Multiplicative Homo.: ??
Towards complete set operations ...
Application scenarios in voting, cloud computing
Computing on Encrypted Data
Research Directions toward Practice
Privacy Preserving version of frequently used heavy operations
Outsourced DB:
Cloud: Image processing?
For Further Reading
For Further Reading
J. Benaloh, “Verifiable secret-ballot elections,” PhD Thesis, Yale Univ., 1987.
D. Boneh, E. Goh, and K. Nissim, “Evaluating 2-DNF formulas on ciphertexts,” TCC 2005.
I. Damgård and M. Jurik, “A generalization, a simplification and some applications of Paillier’s probabilistic public-key system,” PKC 2001.
T. ElGamal, “A public-key cryptosystem and a signature scheme based on discrete logarithms,” IEEE Trans. Inf. Theory, 1985.
S. Galbraith, “Elliptic curve Paillier schemes,” J. Cryptology, 2002.
C. Gentry, “Fully homomorphic encryption using ideal lattices,” STOC 2009.
S. Goldwasser and S. Micali, “Probabilistic encryption,” JCSS 1984.
A. Kawachi, K. Tanaka and K. Xagawa, “Multi-bit cryptosystems based on lattice problems,” PKC 2007.
C. Melchor, P. Gaborit, and J. Herranz, “Additively homomorphic encryption with d-operand multiplications,” CRYPTO 2010.
D. Naccache and J. Stern, “A new public key cryptosystem based on higher residues,” ACM CCS 1998.
T. Okamoto and S. Uchiyama, “A new public-key cryptosystem as secure as factoring,” Eurocrypt 1998.
P. Paillier, “Public-key cryptosystems based on composite residuosity classes,” Eurocrypt 1999.
R. Rivest, L. Adleman, and M. Dertouzos, “On data banks and privacy homomorphisms,” Foundations of Secure Computation, 1978.
R. Rivest, A. Shamir, and L. Adleman, “A method for obtaining digital signatures and public-key cryptosystems,” Comm. ACM, 1978.
T. Sander, A. Young and M. Yung, “Non-interactive CryptoComputing for NC^1,” FOCS 1999.
M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, “Fully homomorphic encryption over the integers,” Eurocrypt 2010.
> The source of all pictures is Google Image.