Computing on Encrypted Data
Secure Internet of Things Seminar
David Wu
January, 2015
New Applications in the Internet of Things
Smart Homes
report energy consumption
aggregation + analytics
usage statistics and reports
The Power of the Cloud
BIG DATA: analytics, recommendations, personalization
lots of user information = big incentives
Question: provide service, preserve privacy
Secure Multiparty Computation (MPC)
Multiple parties want to compute a joint function on private inputs
private input: individual power consumption
at end of computation, each party learns the average power consumption
privacy guarantee: no party learns anything extra about other parties' inputs
Two Party Computation (2PC)
• Simpler scenario: two-party computation (2PC)
• 2PC: mostly “solved” problem: Yao’s circuits [Yao82]
• Express function as a Boolean circuit
[Figure: Party A and Party B; labels: garbled version of circuit; oblivious transfer to obtain garbled inputs; output of garbled circuit]
Two-Party Computation (2PC)
• Yao’s circuits very efficient and heavily optimized [KSS09]
• Evaluating circuits with 1.29 billion gates in 18 minutes (1.2 gates / µs) [ALSZ13]
• Yao’s circuit provides semi-honest security: malicious security via cut-and-choose, but not as efficient
Going Beyond 2PC
• General MPC also “solved” [GMW87]
secret share inputs with all parties
jointly evaluate circuit, gate-by-gate
Secure Multiparty Computation
• General MPC suffices to evaluate arbitrary functions amongst many parties: should be viewed as a feasibility result
• Limitations of general MPC:
  • many rounds of communication / interaction
  • possibly large bandwidth
  • hard to coordinate interactions with large number of parties
• Other considerations (not discussed): fairness, guaranteeing output delivery
This Talk: Homomorphic Encryption
Spectrum of approaches, ordered by amount of interaction:
• GMW protocol and general MPC: many rounds of interaction; Boolean circuits (typically)
• Homomorphic encryption: few rounds of interaction; arithmetic circuits
• Custom protocols
General methods for secure computation
Homomorphic Encryption
Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts
Comprises three functions:
$\mathrm{Enc}_{pk}(m) \to c$
$\mathrm{Dec}_{sk}(c) \to m$
Must satisfy usual notion of semantic security
Homomorphic Encryption
Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts
Comprises three functions:
$c_1 = \mathrm{Enc}_{pk}(m_1), \quad c_2 = \mathrm{Enc}_{pk}(m_2)$
$c_3 = \mathrm{Eval}_{pk}(f, c_1, c_2)$
$\mathrm{Dec}_{sk}\big(\mathrm{Eval}_{pk}(f, c_1, c_2)\big) = f(m_1, m_2)$
Fully Homomorphic Encryption (FHE)
Many homomorphic encryption schemes:
• ElGamal: $f(m_0, m_1) = m_0 m_1$
• Paillier: $f(m_0, m_1) = m_0 + m_1$
Fully homomorphic encryption: homomorphic with respect to two operations: addition and multiplication
• [BGN05]: one multiplication, many additions
• [Gen09]: first FHE construction from lattices
Privately Outsourcing Computation
encrypted data
encrypted results of computation
Leveraging computational power of the cloud
Machine Learning in the Cloud
report energy consumption
aggregation + analytics
1. Publish public key
2. Upload encrypted values
3. Compute model homomorphically
4. Decrypt to obtain model
Machine Learning in the Cloud
• Passive adversary sitting in the cloud does not see client data
• Power company only obtains resulting model, not individual data points (assuming no collusion)
• Parties only need to communicate with cloud (the power of public-key encryption)
Big Data, Limited Computation
• Homomorphic encryption is expensive, especially compared to symmetric primitives such as AES
• Can be unsuitable for encrypting large volumes of data
“Hybrid” Homomorphic Encryption
The client sends $\mathrm{Enc}_{pk}(k)$ and $\mathrm{AES}_k(m)$. The server encrypts the AES ciphertext under the homomorphic scheme and then homomorphically evaluates the AES decryption circuit on $\mathrm{Enc}_{pk}(k)$ and $\mathrm{Enc}_{pk}(\mathrm{AES}_k(m))$:
$\mathrm{AES}_k(m) \xrightarrow{\ \text{encrypt}\ } \mathrm{Enc}_{pk}(\mathrm{AES}_k(m)) \xrightarrow{\ \text{evaluate AES decryption}\ } \mathrm{Enc}_{pk}(m)$
Encrypt AES key using homomorphic encryption (expensive), encrypt data using AES (cheap)
Current performance: ≈ 400 seconds to decrypt 120 AES-128 blocks (4 s/block) [GHS15]
Constructing FHE
• FHE: can homomorphically compute arbitrary number of operations
• Difficult to construct; start with something simpler: somewhat homomorphic encryption scheme (SWHE)
• SWHE: can homomorphically evaluate a few operations (circuits of low depth)
Gentry’s Blueprint: SWHE to FHE
• Gentry described general bootstrapping method of achieving FHE from SWHE [Gen’09]
• Starting point: SWHE scheme that can evaluate its own decryption circuit
Gentry’s Blueprint: From SWHE to FHE
[Figure: the “recrypt” functionality. A ciphertext with no homomorphic operations remaining is encrypted under $pk$; using an encryption of the secret key $sk$, the decryption function is evaluated homomorphically, yielding a fresh ciphertext of the same message with many operations remaining.]
Bootstrappable SWHE
• First bootstrappable construction by Gentry based on ideal lattices [Gen09]
• Tons of progress in constructions of FHE in the ensuing years [vDGHV10, SV10, BV11a, BV11b, Bra12, BGV12, GHS12, GSW13], and more!
• Have been simplified enough that the description can fit in a blog post [BB12]
Conceptually Simple FHE [GSW13]
• Ciphertexts are $N \times N$ matrices over $\mathbb{Z}_q$
• Secret key is a vector $\vec{v} \in \mathbb{Z}_q^N$
$C \cdot \vec{v} = \mu \cdot \vec{v} + \vec{e}$   (ciphertext $C$, secret key $\vec{v}$, message $\mu$, noise $\vec{e}$)
Encryption of $\mu$ satisfies the above relation
$\vec{v}$ is a “noisy” eigenvector of $C$
Conceptually Simple FHE [GSW13]
• Suppose that $\vec{v}$ has a “large” component $v_i$
• Can decrypt as follows: $\dfrac{\langle C_i, \vec{v} \rangle}{v_i} = \dfrac{\mu v_i + e_i}{v_i} \approx \mu$
($C_i$ is the $i$th row of $C$, so $\langle C_i, \vec{v} \rangle = \mu v_i + e_i$ follows from $C \cdot \vec{v} = \mu \cdot \vec{v} + \vec{e}$.) Rounding recovers $\mu$ if $\left| \dfrac{e_i}{v_i} \right| < \dfrac{1}{2}$
Conceptually Simple FHE [GSW13]
Homomorphic addition
$C_1 \cdot \vec{v} = \mu_1 \cdot \vec{v} + \vec{e}_1, \qquad C_2 \cdot \vec{v} = \mu_2 \cdot \vec{v} + \vec{e}_2$
$(C_1 + C_2) \cdot \vec{v} = (\mu_1 + \mu_2) \cdot \vec{v} + (\vec{e}_1 + \vec{e}_2)$
homomorphic addition is matrix addition; noise terms also add
Conceptually Simple FHE [GSW13]
Homomorphic multiplication
$C_1 \cdot \vec{v} = \mu_1 \cdot \vec{v} + \vec{e}_1, \qquad C_2 \cdot \vec{v} = \mu_2 \cdot \vec{v} + \vec{e}_2$
$C_1 C_2 \cdot \vec{v} = \mu_1 \mu_2 \cdot \vec{v} + C_1 \vec{e}_2 + \mu_2 \vec{e}_1$
homomorphic multiplication is matrix multiplication; noise could blow up if $C_1$ or $\mu_2$ are not small
Conceptually Simple FHE [GSW13]
• Basic principles: ciphertexts are matrices, messages are approximate eigenvalues
• Homomorphic operations correspond to matrix addition and multiplication (and some tricks to constrain noise)
• Hardness based on learning with errors (LWE) [Reg05]
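A toy instance of the GSW-style scheme described on these slides, written for this page as an added example (not code from the talk or from [GSW13]): the parameters, the message range 0..7 and the choice of the "large" coordinate $v_i = q/8$ are assumptions picked so the noise stays below $v_i/2$; the BitDecomp/Flatten gadget is the GSW trick for keeping ciphertext entries in {0,1}. It shows the relation $C\vec{v} = \mu\vec{v} + \vec{e}$, decryption through $v_i$, and how the noise grows under addition versus multiplication.

```python
import random
q, n, m = 2**16, 2, 8       # toy parameters (constructed for this example; far too small to be secure)
ell = (q - 1).bit_length()  # bits needed for one Z_q entry (16)
N = (n + 1) * ell           # ciphertexts are N x N matrices with entries in {0,1}

def bit_decomp(row):        # Z_q^{n+1} -> {0,1}^N, little-endian bits of each entry
    return [(x >> j) & 1 for x in row for j in range(ell)]

def bit_decomp_inv(row):    # any Z_q^N row -> Z_q^{n+1}, chosen so that <row, v> is unchanged
    return [sum(row[i*ell + j] << j for j in range(ell)) % q for i in range(n + 1)]

def flatten(M):             # re-binarise every row without changing the product M*v
    return [bit_decomp(bit_decomp_inv(row)) for row in M]

def matmul(A, B):
    cols = list(zip(*B))
    return [[sum(a*b for a, b in zip(row, col)) % q for col in cols] for row in A]

def keygen(rng):
    t = [rng.randrange(q) for _ in range(n)]
    s = [1] + [(-x) % q for x in t]                    # secret s with s[0] = 1
    v = [(x << j) % q for x in s for j in range(ell)]  # Powersof2(s): v[j] = 2^j for j < ell
    B = [[rng.randrange(q) for _ in range(n)] for _ in range(m)]
    e = [rng.choice((-1, 0, 1)) for _ in range(m)]     # small LWE noise
    b = [(sum(Bi[j]*t[j] for j in range(n)) + ei) % q for Bi, ei in zip(B, e)]
    return [[bi] + Bi for bi, Bi in zip(b, B)], v      # public key A = [b | B], A*s = e

def encrypt(A, mu, rng):    # C = Flatten(mu*I + BitDecomp(R*A)) gives C*v = mu*v + R*e
    R = [[rng.randrange(2) for _ in range(m)] for _ in range(N)]
    rows = [bit_decomp(r) for r in matmul(R, A)]
    return flatten([[(mu if i == j else 0) + x for j, x in enumerate(rows[i])] for i in range(N)])

def decrypt(v, C, i=ell - 3):  # row i has the "large" component v[i] = 2^(ell-3) = q/8
    x = sum(a*b for a, b in zip(C[i], v)) % q          # <C_i, v> = mu*v[i] + e_i (mod q)
    return round(x / v[i]) % 8  # exact while |e_i| < v[i]/2; message space 0..7

def noise(v, C, mu):        # max |C*v - mu*v| with coordinates centred in (-q/2, q/2]
    Cv = [sum(a*b for a, b in zip(row, v)) % q for row in C]
    return max(abs((x - mu*vi + q//2) % q - q//2) for x, vi in zip(Cv, v))

def add(C1, C2):            # (C1 + C2)*v = (mu1 + mu2)*v + (e1 + e2)
    return flatten([[a + b for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)])

def mult(C1, C2):           # C1*C2*v = mu1*mu2*v + (C1*e2 + mu2*e1); C1 is binary, so this stays small
    return flatten(matmul(C1, C2))

def demo(seed=1):           # decryptions of 2, 2+3, 2*3, then the fresh noise and the product noise
    rng = random.Random(seed)
    A, v = keygen(rng)
    c2, c3 = encrypt(A, 2, rng), encrypt(A, 3, rng)
    return (decrypt(v, c2), decrypt(v, add(c2, c3)), decrypt(v, mult(c2, c3)),
            noise(v, c2, 2), noise(v, mult(c2, c3), 6))
```

With these parameters a fresh ciphertext carries noise at most $m = 8$, while the product carries up to $N \cdot m + \mu_2 \cdot m = 408$, which is the growth the slide warns about.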
The Story so Far…
• Simple FHE schemes exist
• But… bootstrapping is expensive!
• At 76 bits of security: each bootstrapping operation requires 320 seconds and 3.4 GB of memory [HS14]
• Other implementations exist, but generally less flexible / efficient
• SWHE (without bootstrapping) closer to practical: can evaluate shallow circuits
Application: Statistical Analysis
• Consider simple statistical models: computing the mean or covariance (for example, average power consumption)
• Problem: given $n$ vectors $x_1, \ldots, x_n$, compute
  • Mean: $\mu = \dfrac{1}{n} \sum_{i=1}^{n} x_i$
  • Covariance: $\Sigma = \dfrac{1}{n^2} \big( \cdots \big)$
Application: Statistical Analysis
• Can also perform linear regression: given design matrix $X$ and response vector $y$, evaluate the normal equations $\theta = (X^{T} X)^{-1} X^{T} y$
• Matrix inversion (over $\mathbb{R}$) using Cramer’s rule
• Depth $d$ for $d$-dimensional data
Batch Computation [SV11]
Algebraic structure of some schemes enables encryption + operations on vectors at no extra cost
Plaintext space: ring $R$, with components $R_{p_1}, R_{p_2}, \cdots, R_{p_n}$
Chinese Remainder Theorem: $R \cong \prod_{i=1}^{n} R_{p_i}$
Batch Computation [SV11]
Encrypt + process array of values at no extra cost:
    1 2 3 4
  + 7 5 3 1
  ---------
    8 7 6 5
One homomorphic operation
In practice: ≥ 5000 slots
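Batching as described above, written for this page as an added example (not code from the talk or from [SV11]): instead of a polynomial ring it uses the integer ring $\mathbb{Z}_M$ with four constructed slot moduli $p_i$ standing in for the components $R_{p_i}$, so a single addition or multiplication modulo $M$ acts on every slot at once; the 1 2 3 4 + 7 5 3 1 = 8 7 6 5 example from the slide is one of the checks.

```python
from math import prod

# Constructed slot moduli: pairwise coprime, so Z_M splits into one component per slot.
# Slot values must be smaller than their modulus, or they are reduced on decoding.
SLOT_MODULI = (101, 103, 107, 109)
M = prod(SLOT_MODULI)                    # the packed plaintext lives in Z_M

def encode(slots):
    """Pack one value per slot into a single element of Z_M (Chinese Remainder Theorem)."""
    if len(slots) != len(SLOT_MODULI):
        raise ValueError("one value per slot expected")
    packed = 0
    for p, x in zip(SLOT_MODULI, slots):
        Mi = M // p                      # Mi * (Mi^-1 mod p) is 1 mod p and 0 mod every other slot
        packed += x * Mi * pow(Mi, -1, p)
    return packed % M

def decode(packed):
    """Unpack: slot i holds the packed value reduced modulo p_i."""
    return [packed % p for p in SLOT_MODULI]

def slot_add(a, b):                      # one ring addition acts on all slots
    return (a + b) % M

def slot_mul(a, b):                      # one ring multiplication acts on all slots
    return (a * b) % M

def batched_sum(vectors):                # e.g. summing many 4-dimensional data points, one add each
    acc = encode([0] * len(SLOT_MODULI))
    for vec in vectors:
        acc = slot_add(acc, encode(vec))
    return decode(acc)
```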
[Figure: Time to Compute Mean and Covariance over Encrypted Data (Dimension 4). x-axis: Number of Datapoints (2,000 to 2,000,000); y-axis: Time (minutes), roughly 20 to 70. Annotations: Multiplications dominate; Few ciphertexts due to batching. Based on implementation of Brakerski’s scheme [Bra12].]
[Figure: Time to Perform Linear Regression on Encrypted Data (2 Dimensions). x-axis: Number of Datapoints (1000 to 1,000,000); y-axis: Time (minutes), 0 to 80. Annotations: Few ciphertexts due to batching; Multiplications dominate.]
Application: Private Information Retrieval
I want to see record $i$…
PIR protocol: client learns record $i$, server learns nothing
cloud database
PIR from Homomorphic Encryption [KO97]
Represent the database as a matrix:
  $v_{11}\ v_{12}\ v_{13}$
  $v_{21}\ v_{22}\ v_{23}$
  $v_{31}\ v_{32}\ v_{33}$
The query is an encrypted basis vector, e.g. $(1, 0, 0)$ to select the first row. The server evaluates the inner product of the query with each column, e.g. $(\mathrm{Enc}(1), \mathrm{Enc}(0), \mathrm{Enc}(0)) \times (v_{11}, v_{21}, v_{31})^{T} = \mathrm{Enc}(v_{11})$, and returns the resulting encrypted row as the response.
Database components in the clear: additive homomorphism suffices
$O(\sqrt{n})$ communication
PIR from Homomorphic Encryption
• $O(\sqrt{n})$ communication with additive homomorphism alone
• Naturally generalizes:
  • $O(\sqrt[3]{n})$ with one multiplication
  • $O(\sqrt[d]{n})$ with a degree-$(d-1)$ homomorphism
• Benefits tremendously from batching: split the database $x_1, \ldots, x_n$ into many small databases, e.g. $(x_1, \ldots, x_{n/3})$, $(x_{1+n/3}, \ldots, x_{2n/3})$, $(x_{1+2n/3}, \ldots, x_n)$, and query them in parallel
[Figure: FHE-PIR Timing Results (5 Mbps). x-axis: Number of Records (Millions), 1 to 10000; y-axis: Response Time (s), log scale from 1 to 1,000,000. Series: FHE-PIR (d = 2), FHE-PIR (d = 3), FHE-PIR (d = 4), Trivial PIR.]
PIR from Homomorphic Encryption
• Outperforms trivial PIR for very large databases
• However, recursive KO-PIR with additive homomorphism is still state-of-the-art
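The basic $O(\sqrt{n})$ KO-style protocol with an additively homomorphic scheme, written for this page as an added example (not the talk's implementation): Paillier supplies the additive homomorphism, with constructed primes far too small to be secure, and the database is assumed to be a square matrix of small integers held in the clear by the server.

```python
import random
from math import gcd, isqrt

# Constructed toy Paillier instance: the primes are tiny so the arithmetic stays readable.
P, Q = 104723, 104729
n, n2 = P * Q, (P * Q) ** 2
lam = (P - 1) * (Q - 1) // gcd(P - 1, Q - 1)
mu = pow(lam, -1, n)      # with g = n + 1, L(g^lam mod n^2) = lam, so mu = lam^-1 mod n

def enc(m, rng):          # Enc(m) = (1+n)^m * r^n mod n^2; Enc(a) * Enc(b) = Enc(a + b)
    r = rng.randrange(1, n)
    while gcd(r, n) != 1:  # r must be a unit modulo n
        r = rng.randrange(1, n)
    return pow(1 + n, m, n2) * pow(r, n, n2) % n2

def dec(c):               # L(c^lam mod n^2) * mu mod n, with L(x) = (x - 1) / n
    return (pow(c, lam, n2) - 1) // n * mu % n

def pir_query(index, side, rng):   # client: encrypted basis vector selecting row index // side
    row = index // side
    return [enc(1 if k == row else 0, rng) for k in range(side)]

def pir_answer(db_matrix, query):  # server: Enc(<query, column j>) for every column j
    side = len(query)
    out = []
    for j in range(side):
        acc = 1                     # Enc(0) with trivial randomness
        for k in range(side):
            acc = acc * pow(query[k], db_matrix[k][j], n2) % n2   # c^v = Enc(q_k * v_kj)
        out.append(acc)
    return out                      # side ciphertexts: the selected row, encrypted

def pir_retrieve(db, index, seed=0):
    rng = random.Random(seed)
    side = isqrt(len(db))           # assumption: len(db) is a perfect square
    matrix = [db[k*side:(k + 1)*side] for k in range(side)]
    query = pir_query(index, side, rng)
    row = [dec(c) for c in pir_answer(matrix, query)]   # client learns the whole row
    return row[index % side]
```

Query and answer are each `side` ciphertexts, i.e. $2\sqrt{n}$ ciphertexts in total, and the server only ever sees encryptions of 0 and 1 that it cannot tell apart.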
Concluding Remarks
• Internet of Things brings many security challenges
• Many generic cryptographic tools: 2PC, MPC, FHE
• 2PC/MPC work well for small number of parties
• SWHE/FHE preferable with many parties (IoT scale)
• FHE still nascent technology; should be viewed as a “proof-of-concept” rather than practical solution
• SWHE closer to practical, suitable for evaluating simple (low-depth) functionalities
• Big open problem to develop more practical constructions!
Questions?