Manipulating Encrypted Data. You store your data in the cloud, encrypted of course. You want to use the computing power of the cloud to analyze your data

Manipulating Encrypted

Data

You store your data in the cloud, encrypted of course.

You want to use the computing power of the cloud to analyze your data.

But you want to keep the data encrypted.

Basic Question: Is it possible to compute with encrypted data without first decrypting?

One Goal: Design an encryption method EK and a decryptionmethod DK (K is the key) with the following property:

If f is some function (algorithm), then we can find a function F, independent of K, such that for every message m :

f(m) = DK( F(EK(m)))

This means that if we want to compute f(m), we can encrypt m, then F is applied to the encrypted message, then we decrypt.

This has been done, in theory, by Gentry (homomorphic encryption)

E(M) F(E(M))

E D

f M f(M)

M=message f=function

E=encryptionD=decryption

Search About 1,330,000 results (0.28 seconds)

Cheating on Your Taxeswww.thecheatfactory.com/taxes.htmlRead these tips to find some smart, under the radar, and legal ways to cheat on your taxes. The IRS has been screwing you for long enough. It's time to turn the …

Tax Fraud Penalties - Cheating On Taxes - Esquirewww.esquire.com/the-side/feature/tax-deductions-032009Apr 18, 2011 – ... in on five ways to hypothetically bend the law and cheat on your taxes. ... When the IRS comes a-knocking you're guilty until you can prove ...

Cheating the IRS

Fhrah$5&&$$$$$123mNmErTIoppYtEQCCV9&T

Cheating the IRS

Encrypt

Nxvs$%432MnUiiOPlTRttyR^%$^&IHKVGRYGKNjkjkJ6T%%$3CvDrk$65IhkU%eksaggYGFMVKHFkhvyrkGKJkHcjgkllJkknlkGKknljlJllniy89^y;jTYNffsd9u123npih;xkn;kgihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlhlkjUdhstuhgerkekfklxkgh;knklHOlkn^(*^&$&%$OIHpj45ihkhgfklxkgh;knklHOlkn^(*&885^%$OIHpj45ihkh;d;knfae,npih;xkn;kgihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlhgkfdhstuhgerkekgeksaggYGFMVKHFkhvyrkGKJkg,gfklxkgh;knklHOlkn^(*^&$&%$OIHTYVbnmT**7%nBBnnHtFr…………

Fhrah$5&&$$$$$123mNmErTIoppYtEQCCV9&T

DECRYPT




Cheating the IRS

h&&$%#@$123mNmrah$5ErTIoppYtEQMMYfr

Cheating hte IRS

Encrypt

W#$RrDqPlOiuYuIgn^Tpihk;k^%$^&IHKVGRYGKNjkjkJFjklk$65IhkU%eksaggYGFMVKHFkhvyrkGKJkg,nvkvtbvvHcjgkllJkknlkGKknljlJllniy89^y;jTYNffsd9u123npih;xkn;kgihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlhgkfdhstuhgerkekfklxkgh;knklHOlkn^(*^&$&%$OIHpj45ihkhgfklxkgh;knklHOlkn^(*^&$&%$OIHpj45ihkh;d;knfae,npih;xkn;kgihHIH:KH;khj;;J;J;LSJRKN;N;KNHJSJ;;l;vrjpsihtihlhgkfdhstuhgerkekgeksaggYGFMVKHFkhvyrkGKJkg,nvkvtbvvgfklxkgh;knklHOlkn^(*^&$&%$OIHTYVbnmTbCfT$#w…………

h&&$%#@$123mNmrah$5ErTIoppYtEQMMYfr




Cheating hte IRS

Did you mean cheating the IRSSearch instead for cheating hte IRS

Somewhat Homomorphic Encryption (SWHE)

This will allow several additions and subtractions but only a few multiplications.

Secret key is a large odd integer p.

We want to encrypt a bit m, where m = 0 or 1.

Choose a random integer r (much smaller than p) and another integer s and let the ciphertext be

c = m + 2r + ps

To decrypt (i.e., recover m), compute

m = c (mod p) (mod 2)

We can add ciphertexts:

c1 = m1 + 2r1 + ps1

c2 = m2 + 2r2 + ps2

Then c1 + c2 decrypts to m1 + m2

Products:

c1c2 = m1m2 + 2(m1r2+m2r1+r1r2) + p(- - - - - - )

This decrypts to m1m2 if r1r2 is not too big.

Think of this as the encryption of m1m2 plus some noise.

If we do too many multiplications, the noise increases enough that decryption fails.

E(M) E(f1(M))+noise E(f2f1(M))+NOISE E(f3f2f1(M))+NOISE

M f1(M) f2f1(M) f3f2f1(M)

If we compute by a series of bit operations f1, f2, f3 :

Bootstrapping (Craig Gentry, 2008)

E(M)||E(K) E(f(M))+noise||E(K) E(E(f(M))+noise ||E(K))

M||K f(M)||K

E(E(f(M))+noise ||E(K)) E(f(M)) + noise

D

E(f(M))+noise||E(K) f(M)

The noise has been reduced, so we can continue.

Bootstrapping can sometimes change a Somewhat Homomorphic system into a Fully Homomorphic system.

Are Fully Homomorphic Sytems practical?

Not yet.

A similar idea that is practical isSecure Multiparty Computation

But first, a digression . . .

You are the manager of a bank. You want to allow your employees to open the safe.

Requirements:

1. One person alone cannot open the safe.

2. Any two people can open the safe.

Two People

determine a Secret

Two Points

determine a Line

The secret combination to the lock is

ab cd ef

For example, the combination could be

14 15 03

Let B = abcdef mod pwhere p is prime.

Choose a random M

We now have a line y = Mx + B (mod p)

For example, if the combination is 14 – 15 – 03,then B = 141503. We could randomly choose M = 3456789. The line is y = 141503 + 3456789 x

If there are 30 people, compute 30 points on the line y = Mx + B :

(1, M+B), (2, 2M+B), (3, 3M+B), . . . (30, 30M+B)

Give each person one point.

Summary: Someone shares a secret B by choosing a random integer m and formingthe linear function f(x) = B+mx.

f(1)=B+m is given to person 1f(2)=B+2m is given to person 2f(3)=B+3m is given to person 3

These numbers are their “shares” of the secret. Any two people can determine B.

Arithmetic Operations on Secrets

P1, P2, P3 have shares of f(0) and of g(0).

P1 adds f(1) + g(1), P2 adds f(2) + g(2), P3 adds f(3) + g(3)

They now share f(0) + g(0)

We can add secrets:

Can We Multiply Secrets?

P1, P2, P3 share f(0) and share g(0).

They want to share f(0) g(0).

Problem: f(x) g(x) is a quadratic polynomial, so it takes three values to reconstruct it:

f(0) g(0) = 3f(1)g(1) – 3 f(2)g(2) + f(3)g(3)

So all three can recover the secret. But “Sharing” requires that 2 people can reconstruct the secret.

How to Share Products: (Gennaro, Rabin, Rabin)

Person 1 shares f(1)g(1) (i.e., gives shares to 1, 2, 3)Person 2 shares f(2)g(2)Person 3 shares f(3)g(3)

Each person computes

Shareprod =3(Share received from 1) – 3(Share from 2) + (Share from 3)

This is a share of f(0)g(0).

Why? The numbers Shareprod are the values at x=1, 2, 3 ofa linear function whose y-intercept is

3f(1)g(1) – 3f(2)g(2) + f(3)g(3) = f(0)g(0)

Bit operations

Let a and b be bits (0 or 1). Then

a b = a + b – 2ab

( denotes addition mod 2)

If P1, P2, P3 share a and b, then they can share a b

Suppose

a = a0 + 2a1 + 4a2 + …

and

b = b0 + 2b1 + 4b2 + …

A bit of a + b can be calculated via bit operationssuch as and multiplication (“and”)

If the bits of a and b are shared, then the value of this bit is shared

Is d < s ?

s and d are shared numbers between 0 and 2n

Nobody knows s and d but we want to determine which is larger.

Key idea: d < s if and only if the n-th bit of 2n + d –s is 0

SUGAR BEETS

Participants:

1200 Danish farmers

Danisco : the (only) Danish sugar beet processor

Danish cryptographers

Farmeri is willing to sell si,k sugar beets at Pricek

There are 4000 possible prices : Price1 < Price2 < . . . < Price4000

Let sk = s1k + s2,k + . . . + s1200,k

Then sk is the supply at Pricek : s1 < s2 < . . . < s4000

Parameters

Let dk be the amount Danisco is willing to buy at Pricek

d1 > d2 > . . . > d4000

Problem: Find k so that sk = dk

Constraint: No one wants to reveal their strategy

Solution:

There are three participants:1.The farmers’ union2.Danisco3.The Danish cryptography group

For each Pricek, the Farmeri chooses a linear function fik(x) = sik + aikx

and sends fik(1) to P1, fik(2) to P2, fik(3) to P3. That is, the farmer shares sik

P1 adds up the numbers it receives. Similarly for P2 and P3.

They now have shares of each supply number s1, . . . , s4000

For Pricek, Danisco chooses a linear function

gk(x) = dk + ckx

and gives gk(1) to P1, gk(2) to P2, gk(3) to P3

Therefore, d1, d2, . . . , d4000 are shared

The 3 Participants determine whether s2000 < d2000.

No: Is s1000 < d1000 ? Yes: Is s3000 < d3000 ?

Etc. Etc.

They determine k such that sk = dk.

The 3 participants together reveal each farmer’s supply amount sk for this price(and only for this price).

This concludes the auction.

Number theory Interlude:

Let p be a prime and assume that p = 3 (mod 4).

Let x be a square mod p and let

y = x(p+1)/4 (mod p).

Then y2 = x (mod p).

Example: Let p = 19. Let x = 17 = -2 (mod 19).

Compute x(19+1)/4 = (-2)5 = -32 = 6 (mod 19).

Check: 62 = 17 (mod 19)

Flipping a Coin without Knowing the Result (Sharing a Random Bit)

P1 chooses a random number b1 and shares b1



Let b = b1 + b2 + b3

They now have shares of b (but they do not know b )

Each person adds together the shares received.

This means: there is a linear function f(x) = b + ax and

P1 knows f(1), P2 knows f(2), P3 knows f(3)

Construct shared random bits b0, b1, . . . , bn+k

Share R = b0 + 2b1 + . . . + 2n+kbn+k

Compute A = 2n+k+1 – R + 2n + d – s

= a0 + 2a1 + . . . + 2n+k+1an+k+1

A is originally shared, but it can revealed since s and d are masked by R. This allows us to compute the binary expansion of A.

Compute the shares of the nth bit of A + R = 2n+k+1 + 2n + d – s

This can be done by a series of shared bit operations.

If the bit is 0 then s>d. If the bit is 1 then s < d.

P1, P2, P3 together reveal this bit.

Flipping a Coin without Knowing the Result (Continued)

Recall: f(x) = b + ax and b = b1 + b2 + b3

P1 computes f(1)2 and tells P2 and P3 the result,



They compute 3f(1)2 – 3f(2)2 + f(3)2 = b2

They compute v = (b2) (p+1)/4 = +b or –b (mod p)

v-1 b = +1 or -1 (mod p)

The shares of b are v-1f(1), v-1f(2), v-1f(3)

Documents

Manipulating Encrypted Data. You store your data in the cloud, encrypted of course. You want to use the computing power of the cloud to analyze your data