computing on encrypted data - computer science
TRANSCRIPT
![Page 1: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/1.jpg)
Computing on Encrypted Data
Secure Internet of Things Seminar
David Wu
January, 2015
![Page 2: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/2.jpg)
New Applications in the Internet of Things
Smart Homes
report energy consumption
aggregation + analytics
usage statistics and reports
![Page 3: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/3.jpg)
The Power of the Cloud
BIG DATA
analyticsrecommendations
personalization
lots of user information = big
incentives
Question: provide service, preserve
privacy
![Page 4: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/4.jpg)
Secure Multiparty Computation (MPC)
Multiple parties want to compute a joint function on private inputs
private input: individual power consumption
at end of computation, each party learns the
average power consumption
privacy guarantee: no party learns anything extra about
other parties’ inputs
![Page 5: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/5.jpg)
Two Party Computation (2PC)
• Simpler scenario: two-party computation (2PC)
• 2PC: Mostly “solved” problem: Yao’s circuits [Yao82]• Express function as a Boolean circuit
garbled version ofcircuit
oblivious transfer to obtain garbled inputs
output of garbled circuit
Party A Party B
![Page 6: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/6.jpg)
Two-Party Computation (2PC)
• Yao’s circuits very efficient and heavily optimized [KSS09]• Evaluating circuits with 1.29 billion gates in 18 minutes (1.2
gates / µs) [ALSZ13]
• Yao’s circuit provides semi-honest security: malicious security via cut-and-choose, but not as efficient
![Page 7: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/7.jpg)
Going Beyond 2PC
• General MPC also “solved” [GMW87]
secret share inputs with all parties
jointly evaluate circuit, gate-by-gate
![Page 8: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/8.jpg)
Secure Multiparty Computation
• General MPC suffices to evaluate arbitrary functions amongst many parties: should be viewed as a feasibilityresult
• Limitations of general MPC• many rounds of communication / interaction• possibly large bandwidth• hard to coordinate interactions with large number of parties
• Other considerations (not discussed): fairness, guaranteeing output delivery
![Page 9: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/9.jpg)
This Talk: Homomorphic Encryption
Interaction
GMW Protocol and General MPC
Homomorphic Encryption
Custom Protocols
Many rounds of interactionBoolean circuits (typically)
Few rounds of interactionArithmetic circuits
General methods for secure computation
![Page 10: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/10.jpg)
Homomorphic Encryption
Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts
Comprises of three functions:
Encm
c
pk
c
Decm
sk
Must satisfy usual notion of semantic security
![Page 11: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/11.jpg)
Homomorphic Encryption
Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts
Comprises of three functions:
Dec𝑠𝑘 Eva𝑙𝑓 𝑒𝑘, 𝑐1, 𝑐2 = 𝑓 𝑚1, 𝑚2
𝑐1 = Enc𝑝𝑘(𝑚1)
Eval𝑓𝑐3
𝑐2 = Enc𝑝𝑘(𝑚2)
𝑒𝑘
![Page 12: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/12.jpg)
Fully Homomorphic Encryption (FHE)
Many homomorphic encryption schemes:• ElGamal: 𝑓 𝑚0, 𝑚1 = 𝑚0𝑚1
• Paillier: 𝑓 𝑚0, 𝑚1 = 𝑚0 + 𝑚1
Fully homomorphic encryption: homomorphic with respect to two operations: addition and multiplication
• [BGN05]: one multiplication, many additions• [Gen09]: first FHE construction from lattices
![Page 13: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/13.jpg)
Privately Outsourcing Computation
encrypted data
encrypted results of computation
Leveraging computational power
of the cloud
![Page 14: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/14.jpg)
Machine Learning in the Cloud
report energy consumption
aggregation + analytics
1. Publish public key
2. Upload encrypted values
3. Compute model homomorphically
4. Decrypt to obtain model
![Page 15: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/15.jpg)
Machine Learning in the Cloud
• Passive adversary sitting in the cloud does not see client data
• Power company only obtains resulting model, not individual data points (assuming no collusion)
• Parties only need to communicate with cloud (the power of public-key encryption)
![Page 16: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/16.jpg)
Big Data, Limited Computation
•Homomorphic encryption is expensive, especially compared to symmetric primitives such as AES
•Can be unsuitable for encrypting large volumes of data
![Page 17: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/17.jpg)
“Hybrid” Homomorphic Encryption
Enc𝑝𝑘 𝑘 , AES𝑘 𝑚Homomorphically evaluate the AES decryption circuit
AES𝑘 𝑚 Enc𝑝𝑘 AES𝑘 𝑚
Enc𝑝𝑘 𝑘 Enc𝑝𝑘 𝑚
encrypt
evaluate AES decryption
Enc𝑝𝑘 𝑓 𝑚
homomorphic evaluation
Encrypt AES key using homomorphic encryption
(expensive), encrypt data using AES (cheap)
Current performance: ≈ 400 seconds to decrypt 120 AES-128 blocks (4 s/block)
[GHS15]
![Page 18: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/18.jpg)
Constructing FHE
• FHE: can homomorphically compute arbitrary number of operations
•Difficult to construct – start with something simpler:somewhat homomorphic encryption scheme (SWHE)
• SWHE: can homomorphically evaluate a few operations (circuits of low depth)
![Page 19: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/19.jpg)
Gentry’s Blueprint: SWHE to FHE
•Gentry described general bootstrapping method of achieving FHE from SWHE [Gen’09]
• Starting point: SWHE scheme that can evaluate its own decryption circuit
![Page 20: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/20.jpg)
Gentry’s Blueprint: From SWHE to FHE
Homomorphism Remaining
many operations remaining
no operations remaining
𝑚𝑚
ciphertext
𝑠𝑘
encryption of secret key
encrypt the ciphertext
𝑚
homomorphically evaluate the decryption function
recryptfunctionality
![Page 21: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/21.jpg)
Bootstrappable SWHE
• First bootstrappable construction by Gentry based on ideal lattices [Gen09]
• Tons of progress in constructions of FHE in the ensuing years [vDGHV10, SV10, BV11a, BV11b, Bra12, BGV12, GHS12, GSW13], and more!
• Have been simplified enough that the description can fit in a blog post [BB12]
![Page 22: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/22.jpg)
Conceptually Simple FHE [GSW13]
• Ciphertexts are 𝑛 × 𝑛 matrices over ℤ𝑞
• Secret key is a vector 𝑣 ∈ ℤ𝑞𝑛
𝐶 𝑣× = 𝑚 𝑣× 𝑒+
ciphertext secret key message noise
Encryption of 𝑚 satisfies above relation
𝑣 is a “noisy” eigenvector of 𝐶
![Page 23: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/23.jpg)
Conceptually Simple FHE [GSW13]
• Suppose that 𝑣 has a “large” component 𝑣𝑖
• Can decrypt as follows:
𝐶𝑖 , 𝑣
𝑣𝑖=
𝑚𝑣𝑖 + 𝑒𝑖
𝑣𝑖= 𝑚
𝐶 𝑣× = 𝑚 𝑣× 𝑒+
ciphertext secret key message noise
𝐶𝑖 is 𝑖th row of 𝐶 Relation holds if
𝑒𝑖
𝑣𝑖<
1
2
![Page 24: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/24.jpg)
Conceptually Simple FHE [GSW13]
Homomorphic addition
𝐶1 𝑣× = 𝑚1 𝑣× 𝑒1+ 𝐶2 𝑣× = 𝑚2 𝑣× 𝑒2+
𝐶1 + 𝐶2 𝑣× = 𝑚1 + 𝑚2 𝑣× 𝑒1+ 𝑒2+
homomorphic addition is matrix addition
noise terms also add
![Page 25: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/25.jpg)
Conceptually Simple FHE [GSW13]
Homomorphic multiplication
𝐶1 𝑣× = 𝑚1 𝑣× 𝑒1+ 𝐶2 𝑣× = 𝑚2 𝑣× 𝑒2+
𝐶1𝐶2 𝑣 = 𝑚1𝑚2 𝑣 + 𝐶1𝑒2 + 𝑚2𝑒1
homomorphic multiplication is matrix multiplication noise could blow up if
𝐶1 or 𝑚2 are not small
![Page 26: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/26.jpg)
Conceptually Simple FHE [GSW13]
•Basic principles: ciphertexts are matrices, messages are approximate eigenvalues
•Homomorphic operations correspond to matrix addition and multiplication (and some tricks to constrain noise)
•Hardness based on learning with errors (LWE) [Reg05]
![Page 27: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/27.jpg)
The Story so Far…
• Simple FHE schemes exist
• But… bootstrapping is expensive!• At 76 bits of security: each bootstrapping operation requires 320
seconds and 3.4 GB of memory [HS14]• Other implementations exist, but generally less flexible / efficient
• SWHE (without bootstrapping) closer to practical: can evaluate shallow circuits
![Page 28: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/28.jpg)
Application: Statistical Analysis
• Consider simple statistical models: computing the mean or covariance (for example, average power consumption)
• Problem: given 𝑛 vectors 𝑥1, … , 𝑥𝑛, compute
• Mean: 𝜇 =1
𝑛 𝑖=1
𝑛 𝑥𝑖
• Covariance: Σ𝑋 =1
𝑛2(𝑛𝑋𝑇𝑋 −
![Page 29: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/29.jpg)
Application: Statistical Analysis
• Can also perform linear regression: given design matrix 𝑋 and response vector 𝑦, evaluate normal equations
𝜃 = 𝑋𝑇𝑋 −1𝑋𝑇𝑦
• Matrix inversion (over ℚ) using Cramer’s rule
• Depth 𝑛 for 𝑛-dimensional data
![Page 30: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/30.jpg)
Batch Computation [SV11]
Algebraic structure of some schemes enable encryption + operations on vectors at no extra cost
Plaintext Space: ring 𝑅
𝑅𝔭1𝑅𝔭2
⋯ 𝑅𝔭𝑘
Chinese Remainder Theorem: 𝑅 ≅⊗𝑖=1𝑘 𝑅𝔭𝑖
![Page 31: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/31.jpg)
Batch Computation [SV11]
Encrypt + process array of values at no extra cost:
1 2 3 4
7 5 3 1
+
8 7 6 5
In practice: ≥ 5000 slots
One homomorphic operation
![Page 32: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/32.jpg)
2025303540455055606570
2,000 20,000 200,000 2,000,000
Tim
e (
min
ute
s)
Number of Datapoints
Time to Compute Mean and Covariance over Encrypted Data (Dimension 4)
Multiplications dominate
Few ciphertexts due to batching
Based on implementation of Brakerski’s scheme [Bra12]
![Page 33: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/33.jpg)
0
10
20
30
40
50
60
70
80
1000 10000 100000 1000000
Tim
e (
min
ute
s)
Number of Datapoints
Time to Perform Linear Regression on Encrypted Data(2 Dimensions)
Few ciphertexts due to batching
Multiplications dominate
![Page 34: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/34.jpg)
Application: Private Information Retrieval
I want to see record 𝑖…
???
PIR protocol
client learns record 𝑖, server learns nothing
cloud database
![Page 35: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/35.jpg)
PIR from Homomorphic Encryption [KO97]
𝑣11 𝑣12 𝑣13
𝑣21 𝑣22 𝑣23
𝑣31 𝑣32 𝑣33
100
represent database as matrix
query is an encrypted basis
vector
×
𝑣11
𝑣21
𝑣31
=
server evaluates inner product
response
database components in the clear: additive homomorphism suffices
𝑂( 𝑛)communication
![Page 36: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/36.jpg)
PIR from Homomorphic Encryption
• 𝑂 𝑛 communication with additive homomorphism alone• Naturally generalizes:
• 𝑂 3 𝑛 with one multiplication
• 𝑂 𝑘 𝑛 with degree 𝑘 − 1 -homomorphism
• Benefits tremendously from batching
database
𝑟1, … , 𝑟𝑁𝑟1, … , 𝑟𝑁/3
𝑟1+𝑁/3, … , 𝑟2𝑁/3
𝑟1+2𝑁/3, … , 𝑟𝑁
split database into many small
databases, query in parallel
![Page 37: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/37.jpg)
1
10
100
1,000
10,000
100,000
1,000,000
1 10 100 1000 10000
Re
spo
nse
Tim
e (
s)
Number of Records (Millions)
FHE-PIR Timing Results (5 Mbps)
FHE-PIR (d = 2) FHE-PIR (d = 3) FHE-PIR (d = 4) Trivial PIR
![Page 38: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/38.jpg)
PIR from Homomorphic Encryption
• Outperforms trivial PIR for very large databases
• However, recursive KO-PIR with additive homomorphism is still state-of-the-art
![Page 39: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/39.jpg)
Concluding Remarks• Internet of Things brings many security challenges
• Many generic cryptographic tools: 2PC, MPC, FHE
• 2PC/MPC work well for small number of parties
• SWHE/FHE preferable with many parties (IoT scale)
• FHE still nascent technology – should be viewed as a “proof-of-concept” rather than practical solution
• SWHE closer to practical, suitable for evaluating simple (low-depth) functionalities
• Big open problem to develop more practical constructions!
![Page 40: Computing on Encrypted Data - Computer Science](https://reader036.vdocuments.us/reader036/viewer/2022062510/6157d1f7ce5a9d02d46f7183/html5/thumbnails/40.jpg)
Questions?