Computing on Encrypted Data - Computer Science
Transcript of Computing on Encrypted Data - Computer Science
Computing on Encrypted Data
Secure Internet of Things Seminar
David Wu
January, 2015
New Applications in the Internet of Things
Smart Homes
report energy consumption
aggregation + analytics
usage statistics and reports
The Power of the Cloud
BIG DATA
analyticsrecommendations
personalization
lots of user information = big
incentives
Question: provide service, preserve
privacy
Secure Multiparty Computation (MPC)
Multiple parties want to compute a joint function on private inputs
private input: individual power consumption
at end of computation, each party learns the
average power consumption
privacy guarantee: no party learns anything extra about
other partiesβ inputs
Two Party Computation (2PC)
β’ Simpler scenario: two-party computation (2PC)
β’ 2PC: Mostly βsolvedβ problem: Yaoβs circuits [Yao82]β’ Express function as a Boolean circuit
garbled version ofcircuit
oblivious transfer to obtain garbled inputs
output of garbled circuit
Party A Party B
Two-Party Computation (2PC)
β’ Yaoβs circuits very efficient and heavily optimized [KSS09]β’ Evaluating circuits with 1.29 billion gates in 18 minutes (1.2
gates / Β΅s) [ALSZ13]
β’ Yaoβs circuit provides semi-honest security: malicious security via cut-and-choose, but not as efficient
Going Beyond 2PC
β’ General MPC also βsolvedβ [GMW87]
secret share inputs with all parties
jointly evaluate circuit, gate-by-gate
Secure Multiparty Computation
β’ General MPC suffices to evaluate arbitrary functions amongst many parties: should be viewed as a feasibilityresult
β’ Limitations of general MPCβ’ many rounds of communication / interactionβ’ possibly large bandwidthβ’ hard to coordinate interactions with large number of parties
β’ Other considerations (not discussed): fairness, guaranteeing output delivery
This Talk: Homomorphic Encryption
Interaction
GMW Protocol and General MPC
Homomorphic Encryption
Custom Protocols
Many rounds of interactionBoolean circuits (typically)
Few rounds of interactionArithmetic circuits
General methods for secure computation
Homomorphic Encryption
Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts
Comprises of three functions:
Encm
c
pk
c
Decm
sk
Must satisfy usual notion of semantic security
Homomorphic Encryption
Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts
Comprises of three functions:
Decπ π Evaππ ππ, π1, π2 = π π1, π2
π1 = Encππ(π1)
Evalππ3
π2 = Encππ(π2)
ππ
Fully Homomorphic Encryption (FHE)
Many homomorphic encryption schemes:β’ ElGamal: π π0, π1 = π0π1
β’ Paillier: π π0, π1 = π0 + π1
Fully homomorphic encryption: homomorphic with respect to two operations: addition and multiplication
β’ [BGN05]: one multiplication, many additionsβ’ [Gen09]: first FHE construction from lattices
Privately Outsourcing Computation
encrypted data
encrypted results of computation
Leveraging computational power
of the cloud
Machine Learning in the Cloud
report energy consumption
aggregation + analytics
1. Publish public key
2. Upload encrypted values
3. Compute model homomorphically
4. Decrypt to obtain model
Machine Learning in the Cloud
β’ Passive adversary sitting in the cloud does not see client data
β’ Power company only obtains resulting model, not individual data points (assuming no collusion)
β’ Parties only need to communicate with cloud (the power of public-key encryption)
Big Data, Limited Computation
β’Homomorphic encryption is expensive, especially compared to symmetric primitives such as AES
β’Can be unsuitable for encrypting large volumes of data
βHybridβ Homomorphic Encryption
Encππ π , AESπ πHomomorphically evaluate the AES decryption circuit
AESπ π Encππ AESπ π
Encππ π Encππ π
encrypt
evaluate AES decryption
Encππ π π
homomorphic evaluation
Encrypt AES key using homomorphic encryption
(expensive), encrypt data using AES (cheap)
Current performance: β 400 seconds to decrypt 120 AES-128 blocks (4 s/block)
[GHS15]
Constructing FHE
β’ FHE: can homomorphically compute arbitrary number of operations
β’Difficult to construct β start with something simpler:somewhat homomorphic encryption scheme (SWHE)
β’ SWHE: can homomorphically evaluate a few operations (circuits of low depth)
Gentryβs Blueprint: SWHE to FHE
β’Gentry described general bootstrapping method of achieving FHE from SWHE [Genβ09]
β’ Starting point: SWHE scheme that can evaluate its own decryption circuit
Gentryβs Blueprint: From SWHE to FHE
Homomorphism Remaining
many operations remaining
no operations remaining
ππ
ciphertext
π π
encryption of secret key
encrypt the ciphertext
π
homomorphically evaluate the decryption function
recryptfunctionality
Bootstrappable SWHE
β’ First bootstrappable construction by Gentry based on ideal lattices [Gen09]
β’ Tons of progress in constructions of FHE in the ensuing years [vDGHV10, SV10, BV11a, BV11b, Bra12, BGV12, GHS12, GSW13], and more!
β’ Have been simplified enough that the description can fit in a blog post [BB12]
Conceptually Simple FHE [GSW13]
β’ Ciphertexts are π Γ π matrices over β€π
β’ Secret key is a vector π£ β β€ππ
πΆ π£Γ = π π£Γ π+
ciphertext secret key message noise
Encryption of π satisfies above relation
π£ is a βnoisyβ eigenvector of πΆ
Conceptually Simple FHE [GSW13]
β’ Suppose that π£ has a βlargeβ component π£π
β’ Can decrypt as follows:
πΆπ , π£
π£π=
ππ£π + ππ
π£π= π
πΆ π£Γ = π π£Γ π+
ciphertext secret key message noise
πΆπ is πth row of πΆ Relation holds if
ππ
π£π<
1
2
Conceptually Simple FHE [GSW13]
Homomorphic addition
πΆ1 π£Γ = π1 π£Γ π1+ πΆ2 π£Γ = π2 π£Γ π2+
πΆ1 + πΆ2 π£Γ = π1 + π2 π£Γ π1+ π2+
homomorphic addition is matrix addition
noise terms also add
Conceptually Simple FHE [GSW13]
Homomorphic multiplication
πΆ1 π£Γ = π1 π£Γ π1+ πΆ2 π£Γ = π2 π£Γ π2+
πΆ1πΆ2 π£ = π1π2 π£ + πΆ1π2 + π2π1
homomorphic multiplication is matrix multiplication noise could blow up if
πΆ1 or π2 are not small
Conceptually Simple FHE [GSW13]
β’Basic principles: ciphertexts are matrices, messages are approximate eigenvalues
β’Homomorphic operations correspond to matrix addition and multiplication (and some tricks to constrain noise)
β’Hardness based on learning with errors (LWE) [Reg05]
The Story so Farβ¦
β’ Simple FHE schemes exist
⒠But⦠bootstrapping is expensive!⒠At 76 bits of security: each bootstrapping operation requires 320
seconds and 3.4 GB of memory [HS14]β’ Other implementations exist, but generally less flexible / efficient
β’ SWHE (without bootstrapping) closer to practical: can evaluate shallow circuits
Application: Statistical Analysis
β’ Consider simple statistical models: computing the mean or covariance (for example, average power consumption)
β’ Problem: given π vectors π₯1, β¦ , π₯π, compute
β’ Mean: π =1
π π=1
π π₯π
β’ Covariance: Ξ£π =1
π2(ππππ β
Application: Statistical Analysis
β’ Can also perform linear regression: given design matrix π and response vector π¦, evaluate normal equations
π = πππ β1πππ¦
β’ Matrix inversion (over β) using Cramerβs rule
β’ Depth π for π-dimensional data
Batch Computation [SV11]
Algebraic structure of some schemes enable encryption + operations on vectors at no extra cost
Plaintext Space: ring π
π π1π π2
β― π ππ
Chinese Remainder Theorem: π β βπ=1π π ππ
Batch Computation [SV11]
Encrypt + process array of values at no extra cost:
1 2 3 4
7 5 3 1
+
8 7 6 5
In practice: β₯ 5000 slots
One homomorphic operation
2025303540455055606570
2,000 20,000 200,000 2,000,000
Tim
e (
min
ute
s)
Number of Datapoints
Time to Compute Mean and Covariance over Encrypted Data (Dimension 4)
Multiplications dominate
Few ciphertexts due to batching
Based on implementation of Brakerskiβs scheme [Bra12]
0
10
20
30
40
50
60
70
80
1000 10000 100000 1000000
Tim
e (
min
ute
s)
Number of Datapoints
Time to Perform Linear Regression on Encrypted Data(2 Dimensions)
Few ciphertexts due to batching
Multiplications dominate
Application: Private Information Retrieval
I want to see record πβ¦
???
PIR protocol
client learns record π, server learns nothing
cloud database
PIR from Homomorphic Encryption [KO97]
π£11 π£12 π£13
π£21 π£22 π£23
π£31 π£32 π£33
100
represent database as matrix
query is an encrypted basis
vector
Γ
π£11
π£21
π£31
=
server evaluates inner product
response
database components in the clear: additive homomorphism suffices
π( π)communication
PIR from Homomorphic Encryption
β’ π π communication with additive homomorphism aloneβ’ Naturally generalizes:
β’ π 3 π with one multiplication
β’ π π π with degree π β 1 -homomorphism
β’ Benefits tremendously from batching
database
π1, β¦ , πππ1, β¦ , ππ/3
π1+π/3, β¦ , π2π/3
π1+2π/3, β¦ , ππ
split database into many small
databases, query in parallel
1
10
100
1,000
10,000
100,000
1,000,000
1 10 100 1000 10000
Re
spo
nse
Tim
e (
s)
Number of Records (Millions)
FHE-PIR Timing Results (5 Mbps)
FHE-PIR (d = 2) FHE-PIR (d = 3) FHE-PIR (d = 4) Trivial PIR
PIR from Homomorphic Encryption
β’ Outperforms trivial PIR for very large databases
β’ However, recursive KO-PIR with additive homomorphism is still state-of-the-art
Concluding Remarksβ’ Internet of Things brings many security challenges
β’ Many generic cryptographic tools: 2PC, MPC, FHE
β’ 2PC/MPC work well for small number of parties
β’ SWHE/FHE preferable with many parties (IoT scale)
β’ FHE still nascent technology β should be viewed as a βproof-of-conceptβ rather than practical solution
β’ SWHE closer to practical, suitable for evaluating simple (low-depth) functionalities
β’ Big open problem to develop more practical constructions!
Questions?