Chloé Hébant
Decentralized Computing over Encrypted Data
Decentralization
Fully Homomorphic Encryption Gentry 2009
π₯π₯1, β¦ , π₯π₯ππ
πΈπΈβππππ(π₯π₯1), β¦ ,πΈπΈβππππ(π₯π₯ππ)
ππ
πΈπΈβππππ ππ(π₯π₯1, β¦ , π₯π₯ππ)
ππ(π₯π₯1, β¦ , π₯π₯ππ)
Fully Homomorphic Encryption
π₯π₯1, β¦ , π₯π₯ππ
πΈπΈβππππππππ (π₯π₯1), β¦ ,πΈπΈβππππ
ππππ (π₯π₯ππ)
πΈπΈβππππππππ ππ(π₯π₯1, β¦ , π₯π₯ππ)
ππ(π₯π₯1, β¦ , π₯π₯ππ)
Re-encryption Distributed Controller
πΈπΈβππππππππππ ππ(π₯π₯1, β¦ , π₯π₯ππ)
Distribution
+
No authority
Decentralization
Decentralization
β Efficient decentralized key generation
This talk:
Decentralized Re-encryption for a Quadratic Scheme
1. Example of application
2. Encryption scheme for quadratic multivariate polynomials
3. Decentralized scheme
Outline
Group Testing
Motivation: Group Testing
[Figure, built up over four slides: bit rows 1 1 00 1 0, 1 0 10 1 1, …, a further row 1 0 1 1 0 0, an OR operation, and the value 1011]
Motivation: Group Testing
π¦π¦1π¦π¦2β¦π¦π¦ππ
οΏ½πΉπΉππ = οΏ½ππ
(π₯π₯ππππβοΏ½π¦π¦ππ)
π₯π₯11 π₯π₯12 β¦ π₯π₯1ππβ¦
π₯π₯ππ1 π₯π₯ππ2 β¦ π₯π₯ππππ
OR
Motivation: Group Testing
οΏ½πΉπΉππ = οΏ½ππ
(π₯π₯ππππ β (1 β π¦π¦ππ))
π₯π₯11 π₯π₯12 β¦ π₯π₯1ππβ¦
π₯π₯ππ1 π₯π₯ππ2 β¦ π₯π₯ππππ
OR
π¦π¦1π¦π¦2β¦π¦π¦ππ
2-DNF on Encrypted Data
π₯π₯1, β¦ , π₯π₯ππ β {0,1}
οΏ½ππ=1
ππ
(βππ,1 β§ βππ,2) βππ,1 β§ βππ,2 β {π₯π₯1, β¦ , π₯π₯ππ} βͺ {π₯π₯1, β¦ , π₯π₯ππ}
οΏ½ππ=1
ππ
(π¦π¦ππ,1 β π¦π¦ππ,2) π¦π¦ππ,ππ = βππ,πππ¦π¦ππ,ππ = 1 β βππ,ππ
if βππ,ππ β π₯π₯1, β¦ , π₯π₯ππif βππ,ππ β {π₯π₯1, β¦ , π₯π₯ππ}οΏ½
2-DNF:
Multivariate polynomial degree 2:
Encryption Scheme
• BGN 2005
• Freeman 2010
• Our Scheme
• Multi-user setting
• Efficient distributed decryption
• Efficient distributed re-encryption
• Decentralized key generation
The Encryption Scheme
Notations
ππ β β€ππ, ππ π π = πππ π πππΎπΎπ π = < πππ π >
ππ:πΎπΎ1 Γ πΎπΎ2 β πΎπΎππ
ππ = π₯π₯1, β¦ , π₯π₯ππ β β€ππππ, ππ π π = (πππ π π₯π₯1 , β¦ ,πππ π
π₯π₯ππ)
ππ11 ππ12ππ21 ππ22 β¨π©π© = ππ11 β π©π© ππ12 β π©π©
ππ21 β π©π© ππ22 β π©π©
ππ 1 β’ ππ 2 = ππβ¨ππ ππ
The Encryption Scheme
Keygen
0 00 1
0 00 1
0 00 1
The Encryption Scheme
πΌπΌ20 00 1
Projection
πππ π β ker π·π·π π = {ππ:ππ οΏ½ π·π·π π = 0 0 }
β GL2(β€ππ)
skπ π
pkπ π = πππ π π π β πππ π π π οΏ½ π·π·π π = 0 0 π π
π©π©π π β1 π©π©π π π·π·π π =
• Keygen:
skπ π = π·π·ππ = 0 00 1
0 00 1
0 00 1 skππ = (sk1, sk2)
pkπ π = πππ π π π β πππ π π π οΏ½ π·π·π π = ππ π π pkππ = (pk1, pk2)
• Encrypt:
β’ πΆπΆπ π = ( πππ π ,1 π π , πππ π ,2 π π ) = (ππ οΏ½ πππ π π π + ππ οΏ½ πππ π π π , πππ π π π ) ππ β$ β€ππ
β’ πΆπΆππ = ( ππππ,1 ππ , ππππ,2 ππ) = (ππ οΏ½ ππ1 1 β’ ππ2 2 + ππ1 1 β’ ππ2 2 + ππ1 1 β’ ππ2 2,
ππ1 1 β’ ππ2 2) ππ1 1 β$ πΎπΎ12, ππ2 2 β$ πΎπΎ22
• Decrypt:
β’ πΆπΆπ π οΏ½ π·π·ππ = (ππ οΏ½ πππ π π π οΏ½ π·π·ππ + ππ s, πππ π π π οΏ½ π·π·ππ)
β’ πΆπΆππ οΏ½ (π·π·ππβ¨π·π·ππ) = (ππ οΏ½ ππ1 1 β’ ππ2 2 οΏ½ (π·π·ππβ¨π·π·ππ) + ππ T, ππ1 1 β’ ππ2 2 οΏ½ (π·π·ππβ¨π·π·ππ))
The Encryption Scheme
πΌπΌ2 π©π©π π π©π©π π β1
β ker(π·π·1β¨π·π·2)
β ker(π·π·π π )
• Add: Many times
β’ πππ π π π + ππππ π π π = (ππ + ππβ²) οΏ½ πππ π π π + (ππ + ππβ²) οΏ½ πππ π π π
β’ ππππ ππ + ππππ ππ = ππ + ππβ² οΏ½ ππ1 1 β’ ππ2 2 + ππ1 1 β’ ππ2 + ππβ²2 2 +
ππ1 + πππ1 1 β’ ππ2 2
• Multiply: Once
β’ ππ1 1 β’ ππ2 2 = ππ1 οΏ½ ππ2 οΏ½ ππ1 1 β’ ππ2 2 + ππ1 1 β’ ππβ² 2 + ππ 1 β’ ππ2 2
with ππ 1 = ππ1ππ2ππ1
πππ 2 = ππ2ππ1ππ2 + ππ1ππ2ππ2
The Homomorphic Properties
Re-Encryption
skππ
rkππβππ
rkππβππ
pkππ
skππ
pkππ
π·π· = π©π©β1πΌπΌ2π©π© π·π·π = π©π©β²β1πΌπΌ2π©π©π
πΉπΉ = π©π©β1π©π©π
Problem
• Distributed decryption and re-encryption?
• Yes, with distributed keys
• Decentralized key generation?
• No …
Problem
0 00 1
0 00 1 πΌπΌ2
0 00 1π©π©π π
β1 π©π©π π π·π·π π =
Simplification
π·π·π π = 1 0π₯π₯ 0
πππ π π π = βπ₯π₯ 1 π π
skπ π = π₯π₯
pkπ π = βπ₯π₯ π π
β Size of the keys:
β Size of the ciphertexts:
πππ π π π = 1 0 π π πΆπΆπ π β πΎπΎπ π
2 Γ πΎπΎπ π 2 β πΆπΆπ π β πΎπΎπ π
2
πΆπΆππ β πΎπΎππ4 Γ πΎπΎππ
4 β πΆπΆππ β πΎπΎππ4
β’ Keygen:skπ π = π₯π₯ skππ = (sk1, sk2)pkπ π = βπ₯π₯ π π pkππ = (pk1, pk2)
β’ Encrypt:β’ πΆπΆπ π = πππ π ππ οΏ½ pkπ π ππ ,πππ π ππ ππ β$ β€ππ
β’ πΆπΆππ =
ππππ,1 = ππ ππ1,ππ2 ππ οΏ½ ππ ππ1, pk2 ππ11 οΏ½ ππ pk1,ππ2 ππ21
ππππ,2 = ππ ππ1,ππ2 ππ11 οΏ½ ππ pk1,ππ2 ππ22 οΏ½οΏ½οΏ½ ππ ππ1,ππ2 ππ
ππππ,3 = ππ ππ1, pk2 ππ12 οΏ½ ππ ππ1,ππ2 ππ21 οΏ½οΏ½οΏ½ ππ ππ1,ππ2 ππ
ππππ,4 = ππ ππ1,ππ2 ππ12+ππ22 οΏ½οΏ½οΏ½ ππ ππ1,ππ2 ππππ ππ1,ππ2 ππ
ππ11, ππ12, ππ21, ππ22 β$ β€ππ4
• Decrypt:
β’ πππ π ,1 οΏ½ πππ π ,2skπ π
β’ ππππ,1 οΏ½ ππππ,2sk2 οΏ½ ππππ,3
sk1 οΏ½ ππππ,4sk1οΏ½sk2
The Optimized Encryption Scheme
Decentralization
Decentralization: 1) Decentralized Key Generation
β’ ππ points π₯π₯1,π¦π¦1 , β¦ , (π₯π₯ππ ,π¦π¦ππ) with distinct abscissa
• Theorem (Lagrange interpolation):
β!ππ ππ s.t. deg ππ = ππ β 1 and ππ π₯π₯ππ = π¦π¦ππ
• Shamir Secret Sharing:
β’ π π ππ = π₯π₯ = ππ(0), ππππ = πππ₯π₯
β’ skππ = ππ ππ for ππ = 1 β¦ππ
β’ For any subset ππ of ππ indices:
π₯π₯ = οΏ½ππβππ
ππππ,πππ π ππππ
π¦π¦ = βππβππ π£π£ππππππ,ππ for π£π£ππ = πππ π ππππ
Shamir Secret Sharing 1979
Decentralization: 2) Distributed Re-Encryption
β’ πππ π = πππ π ,1, πππ π ,2 under πππππ π β πΆπΆπ π = πΆπΆπ π ,1,πΆπΆπ π ,2 under πππππ π
β’ Shamir Secret Sharing: π π πππ π = βππ ππππ οΏ½ π π πππ π ,ππ
β’ Player ππ computes:
ππππβ² βπ π β€ππ,πΌπΌππ = πππ π ,2π π πππ π ,ππ οΏ½ πππππ π
ππππβ²,π½π½ππ = πππ π
ππππβ²
• Anybody can compute:
πΆπΆπ π = (πππ π ,1 Γ οΏ½ππ
πΌπΌππππππ ,οΏ½
ππ
π½π½ππππππ)
= (πππ π ππ οΏ½ πππππ π ππβ² ,πππ π ππ
β²) ππβ² = βππ ππππ οΏ½ ππππβ²
Distributed Re-encryption
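The Shamir relations and the distributed re-encryption steps above, as an added Python example (not code from the talk or the paper). It works in one toy prime-order group instead of the scheme's pairing groups and assumes ciphertexts of the form (g^m · pk^r, g^r) with pk = g^(-x); the group parameters, the function names and the summed-sharing key generation are assumptions of this example.

```python
import secrets

P, Q, G = 2039, 1019, 4  # constructed toy group: G has prime order Q in Z_P^* (insecure size)

def share(secret, t, n):
    """Shamir: sk_i = f(i) for i = 1..n, where deg f = t-1 and f(0) = secret."""
    cs = [secret] + [secrets.randbelow(Q) for _ in range(t - 1)]
    return {i: sum(c * pow(i, k, Q) for k, c in enumerate(cs)) % Q for i in range(1, n + 1)}

def joint_keygen(t, n):
    """Assumed DKG step: each player deals a sharing of its own random value; shares are summed."""
    dealt = [share(secrets.randbelow(Q), t, n) for _ in range(n)]
    return {i: sum(d[i] for d in dealt) % Q for i in range(1, n + 1)}

def lagrange(i, subset):
    """lambda_i with f(0) = sum of lambda_i * f(i) over the subset."""
    num = den = 1
    for j in subset:
        if j != i:
            num, den = num * -j % Q, den * (i - j) % Q
    return num * pow(den, -1, Q) % Q

def public_key(shares):
    """pk = g^(-x), interpolated in the exponent from v_i = g^(sk_i)."""
    y = 1
    for i, sk_i in shares.items():
        y = y * pow(pow(G, sk_i, P), lagrange(i, shares), P) % P
    return pow(y, -1, P)

def encrypt(pk, m):
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(pk, r, P) % P, pow(G, r, P)

def decrypt(sk, c, max_m=64):
    gm = c[0] * pow(c[1], sk, P) % P      # c1 * c2^sk = g^m, then a small discrete log
    return next(m for m in range(max_m) if pow(G, m, P) == gm)

def partial_reencrypt(sk_i, c, target_pk):
    """Player i: alpha_i = c2^(sk_i) * PK^(r_i), beta_i = g^(r_i)."""
    r_i = secrets.randbelow(Q)
    return pow(c[1], sk_i, P) * pow(target_pk, r_i, P) % P, pow(G, r_i, P)

def combine(c, partials):
    """Anyone: C = (c1 * prod alpha_i^lambda_i, prod beta_i^lambda_i)."""
    c1, c2 = c[0], 1
    for i, (alpha, beta) in partials.items():
        lam = lagrange(i, partials)
        c1, c2 = c1 * pow(alpha, lam, P) % P, c2 * pow(beta, lam, P) % P
    return c1, c2
```

Any `t` players can run `partial_reencrypt` on a ciphertext under the shared key, and the output of `combine` decrypts under the target secret key alone; the source secret `x` is never reconstructed.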
Solution: Group Testing
πΆπΆππ = RandT(Addππ(Multiply(πΆπΆπ₯π₯ππππ ,πΆπΆπ¦π¦ππ)))
ππ
πΆπΆπ₯π₯ππππ πΆπΆπ¦π¦ππ
Conclusion
• Efficient scheme to evaluate quadratic multivariate polynomials
• Distributed decryption
• Distributed re-encryption
• Decentralized key generation
• Open problem:
Decentralized FHE
Thank you
ia.cr/2018/1019
Joint work with David Pointcheval and Duong-Hieu Phan