cwit-poster_logo

1
Database Query Privacy Using Homomorphic Encryptions Sudharaka Palamakumbura and Hamid Usefi {sudharakap, usefi} @ mun.ca Memorial University of Newfoundland Database Query Privacy Using Homomorphic Encryptions Sudharaka Palamakumbura and Hamid Usefi {sudharakap, usefi} @ mun.ca Memorial University of Newfoundland Usefulness of Fully Homomorhpic Encryption Suppose Alice wants to give her data to Bob to perform a certain calculation. Alice does not trust Bob but has a Fully Homomorphic Encryption scheme with private key s k and public key p k . c 1 = Enc p k (x 1 ), c 2 = Enc p k (x 2 ), c 3 = Enc p k (x 3 ) c 1 × (c 2 + c 3 ) Dec s k (c 1 × (c 2 + c 3 )) = x 1 × (x 2 + x 3 ) Alice Bob c 1 × (c 2 + c 3 ) DGVH Scheme Let λ be the security parameter and set, N = λ, P = λ 2 and Q = λ 5 . The scheme is based on the following algorithms; KeyGen(λ): The key generation algorithm which randomly chooses a P -bit integer p as the secret key. Enc(m, p): The bit m ∈{0, 1} is encrypted by c m 0 + pq where m 0 = m (mod 2) and q, m 0 are random Q-bit and N -bit numbers respectively. Gahi’s Method for Query Privacy Bob now has a list of sequences. r Database Records I r S r 1 (1, 1, 0, 0, 0) Enc(p, 1) Enc(p, 1) 2 (1, 0, 1, 0, 0) Enc(p, 0) Enc(p, 1) 3 (1, 1, 0, 0, 0) Enc(p, 1) Enc(p, 2) 4 (1, 1, 0, 1, 0) Enc(p, 0) Enc(p, 2) 5 (1, 0, 0, 0, 0) Enc(p, 0) Enc(p, 2) 5 i=1 (1 + v i + c i ) S r = ir I r I r,j = I r 5 i=1 (1 + j i + S r,i ) (I 1 ) = (Enc(p, 1)) (I 2 ) = (Enc(p, 0), Enc(p, 0)) (I 3 ) = (Enc(p, 0), Enc(p, 1), Enc(p, 0)) (I 4 ) = (Enc(p, 0), Enc(p, 0), Enc(p, 0), Enc(p, 0)) (I 5 ) = (Enc(p, 0), Enc(p, 0), Enc(p, 0), Enc(p, 0), Enc(p, 0)) Generalization of Gahi’s Method Recall that in Gahi’s method we used the expression, 5 Y i=1 (1 + v i + c i ) to calculate the I r values corresponding to each record. We replace this expression by, F i = Q j 6=i Enc(h, m - R j ) Q k 6=i Enc(h, R i - R k ) where R j denotes the j -th record in the database, m is the plaintext message and h is the public key. Bob calculates the sequence (F 0 i,k ) 5 k =1 corresponding to each record as follows. F 0 r,k = F r Q j 6=k (S r - Enc(h, j )) Enc(h, Q j 6=k (k - j )) ! for all k r Therefore, F 0 r,k = Enc(h, 1) if F r = Enc(h, 1) and S r = Enc(h, k ), Enc(h, 0) Otherwise. Fully Homomorphic Encryption Homomorphic with respect to two operations (ex: Addition and Multiplication). The idea was first proposed by Ronald Rivest, Len Adleman and Michael Dertouzos in 1978. A scheme E with an efficient algorithm Evaluate E such that, for any valid public key p k , any circuit C , and any ciphertexts ψ i Encrypt E (p k i ) outputs ψ Evaluate E (p k ,C,ψ 1 ,...,ψ t ) where ψ is a valid encryption of C (ψ 1 ,...,ψ t ) under p k . Gahi’s Method for Query Privacy By calculating the multiplication, 5 Y i=1 (1 + v i + c i )= Enc(1) if c = Enc(v ), Enc(0) Otherwise. (c 1 ,c 2 ,c 3 ,c 4 ,c 5 ) Query(m 1 ,m 2 ,m 3 ,m 4 ,m 5 ) Alice Bob (v 1 ,v 2 ,v 3 ,v 4 ,v 5 ) (m 1 ,m 2 ,m 3 ,m 4 ,m 5 ) DGHV ----→ (c 1 ,c 2 ,c 3 ,c 4 ,c 5 ) Calculates 5 i=1 (1 + v i + c i ) Finally ..... Finally Alice can decrypt the results to get the exact records that she searched for. (c 1 ,c 2 ,c 3 ,c 4 ,c 5 ) Query(1, 1, 0, 0, 0) Alice Bob (1, 1, 0, 0, 0) DGHV ----→ (c 1 ,c 2 ,c 3 ,c 4 ,c 5 ) r I r Dec r I r , sk =2 (Enc(R 1 ), Enc(R 3 )) Generalization of Gahi’s Method Bob now has a list of sequences as before. S r = ir F i (F 1 ) = (Enc(h, 0)) (F 2 ) = (Enc(h, 0), Enc(h, 0)) (F 3 ) = (Enc(h, 0), Enc(h, 1), Enc(h, 0)) (F 4 ) = (Enc(h, 0), Enc(h, 0), Enc(h, 0), Enc(h, 0)) (F 5 ) = (Enc(h, 0), Enc(p, 0), Enc(h, 0), Enc(h, 0), Enc(h, 0)) F i = j =i (Enc(h, m) - Enc(h, R j )) Enc(h, k=i (R i - R k )) F r,k = F r j =k (S r - Enc(h, j )) Enc(h, j =k (k - j )) r Database Records F i S r 1 R 1 = m Enc(h, 1) Enc(h, 1) 2 R 2 = m Enc(h, 0) Enc(h, 1) 3 R 3 = m Enc(h, 1) Enc(h, 2) 4 R 4 = m Enc(h, 0) Enc(h, 2) 5 R 5 = m Enc(h, 0) Enc(h, 2) Drawbacks Enormous number of operations due to DGHV schemes inherent bitwise nature. Restricted to DGHV scheme and it’s underlying structure. The protocol cannot be directly used with any other fully homomorphic encryption scheme. Thereby we propose an alternative method which improves (or generalizes) Gahi’s method and could be used with any fully homomorphic en- cryption scheme. Advantages and Disadvantages Not restricted to DGHV scheme. Can be used with other fully homomorphic encryption schemes. Not dependent upon bitwise encryption. Can be used with block based fully homomorphic encryption schemes. Zvika Brakerski’s Fully Homomorphic Encryption Scheme based on the Ring LWE problem, Jean Coron’s Batch Fully Homomorphic Encryption Scheme over the Integers. Our scheme involves homomorphic division which might not be practical.

Upload: sudharaka-palamakumbura

Post on 21-Aug-2015

2 views

Category:

Documents


0 download

TRANSCRIPT

Page 1: cwit-poster_logo

Database Query Privacy Using Homomorphic Encryptions

Sudharaka Palamakumbura and Hamid Usefi{sudharakap, usefi} @ mun.ca

Memorial University of Newfoundland

Database Query Privacy Using Homomorphic Encryptions

Sudharaka Palamakumbura and Hamid Usefi{sudharakap, usefi} @ mun.ca

Memorial University of Newfoundland

Usefulness of Fully Homomorhpic Encryption• Suppose Alice wants to give her data to Bob to perform a certain calculation.

•Alice does not trust Bob but has a Fully Homomorphic Encryption scheme with privatekey sk and public key pk.

c1 = Encpk(x1),

c2 = Encpk(x2),

c3 = Encpk(x3)

c1 × (c2 + c3)

Decsk(c1 × (c2 + c3)) = x1 × (x2 + x3)

AliceBob

c1 × (c2 + c3)

DGVH SchemeLet λ be the security parameter and set, N = λ, P = λ2 and Q = λ5. The scheme isbased on the following algorithms;

•KeyGen(λ): The key generation algorithm which randomly chooses a P -bit integer pas the secret key.

•Enc(m, p): The bit m ∈ {0, 1} is encrypted by

c← m′ + pq

where m′ = m (mod 2) and q, m′ are random Q-bit and N -bit numbers respectively.

Gahi’s Method for Query Privacy

•Bob now has a list of sequences.

r Database Records Ir Sr

1 (1, 1, 0, 0, 0) Enc(p, 1) Enc(p, 1)2 (1, 0, 1, 0, 0) Enc(p, 0) Enc(p, 1)3 (1, 1, 0, 0, 0) Enc(p, 1) Enc(p, 2)4 (1, 1, 0, 1, 0) Enc(p, 0) Enc(p, 2)5 (1, 0, 0, 0, 0) Enc(p, 0) Enc(p, 2)

5∏

i=1

(1 + vi + ci)

Sr =∑

i≤rIr

I ′r,j = Ir

5∏

i=1

(1 + ji + Sr,i)

(I ′1) = (Enc(p, 1))(I ′2) = (Enc(p, 0),Enc(p, 0))

(I ′3) = (Enc(p, 0),Enc(p, 1),Enc(p, 0))(I ′4) = (Enc(p, 0),Enc(p, 0),Enc(p, 0),Enc(p, 0))

(I ′5) = (Enc(p, 0),Enc(p, 0),Enc(p, 0),Enc(p, 0),Enc(p, 0))

Generalization of Gahi’s Method•Recall that in Gahi’s method we used the expression,

5∏

i=1

(1 + vi + ci)

to calculate the Ir values corresponding to each record.

•We replace this expression by,

Fi =

∏j 6=i Enc(h,m−Rj)∏k 6=i Enc(h,Ri −Rk)

where Rj denotes the j-th record in the database, m is the plaintext message and h isthe public key.

•Bob calculates the sequence (F ′i,k)5k=1 corresponding to each record as follows.

F ′r,k = Fr

(∏j 6=k (Sr − Enc(h, j))

Enc(h,∏j 6=k(k − j))

)for all k ≤ r

•Therefore,

F ′r,k =

Enc(h, 1) if Fr = Enc(h, 1) and Sr = Enc(h, k),

Enc(h, 0) Otherwise.

Fully Homomorphic Encryption

•Homomorphic with respect to two operations (ex: Addition and Multiplication).

•The idea was first proposed by Ronald Rivest, Len Adleman and Michael Dertouzos in1978.

•A scheme E with an efficient algorithm EvaluateE such that, for any valid public key pk,any circuit C, and any ciphertexts ψi← EncryptE(pk, πi) outputs

ψ ← EvaluateE(pk, C, ψ1, . . . , ψt)

where ψ is a valid encryption of C(ψ1, . . . , ψt) under pk.

Gahi’s Method for Query Privacy

•By calculating the multiplication,5∏

i=1

(1 + vi + ci) =

Enc(1) if c = Enc(v),

Enc(0) Otherwise.

(c1, c2, c3, c4, c5)

“Query”→ (m1,m2,m3,m4,m5)

AliceBob

(v1, v2, v3, v4, v5)

(m1,m2,m3,m4,m5)DGHV−−−−→ (c1, c2, c3, c4, c5) Calculates

5∏

i=1

(1 + vi + ci)

Finally.....Finally Alice can decrypt the results to get the exact records that she searched for.

(c1, c2, c3, c4, c5)

“Query”→ (1, 1, 0, 0, 0)

Alice

Bob

(1, 1, 0, 0, 0)DGHV−−−−→ (c1, c2, c3, c4, c5)

r

Ir

Dec

(∑

r

Ir, sk

)= 2

(Enc(R1),Enc(R3))

Generalization of Gahi’s MethodBob now has a list of sequences as before.

Sr =∑

i≤rFi

(F ′1) = (Enc(h, 0))(F ′2) = (Enc(h, 0),Enc(h, 0))

(F ′3) = (Enc(h, 0),Enc(h, 1),Enc(h, 0))(F ′4) = (Enc(h, 0),Enc(h, 0),Enc(h, 0),Enc(h, 0))

(F ′5) = (Enc(h, 0),Enc(p, 0),Enc(h, 0),Enc(h, 0),Enc(h, 0))

Fi =

∏j 6=i (Enc(h,m)− Enc(h,Rj))

Enc(h,∏

k 6=i (Ri −Rk))

F ′r,k = Fr

(∏j 6=k (Sr − Enc(h, j))

Enc(h,∏

j 6=k(k − j))

)

r Database Records Fi Sr

1 R1 = m Enc(h, 1) Enc(h, 1)2 R2 6= m Enc(h, 0) Enc(h, 1)3 R3 = m Enc(h, 1) Enc(h, 2)4 R4 6= m Enc(h, 0) Enc(h, 2)5 R5 6= m Enc(h, 0) Enc(h, 2)

Drawbacks

• Enormous number of operations due to DGHVschemes inherent bitwise nature.

•Restricted to DGHV scheme and it’s underlyingstructure. The protocol cannot be directly usedwith any other fully homomorphic encryptionscheme.

• Thereby we propose an alternative method whichimproves (or generalizes) Gahi’s method andcould be used with any fully homomorphic en-cryption scheme.

Advantages and Disadvantages

•Not restricted to DGHV scheme. Can be used with other fully homomorphic encryption schemes.

•Not dependent upon bitwise encryption. Can be used with block based fully homomorphic encryption schemes.

– Zvika Brakerski’s Fully Homomorphic Encryption Scheme based on the Ring LWE problem,

– Jean Coron’s Batch Fully Homomorphic Encryption Scheme over the Integers.

•Our scheme involves homomorphic division which might not be practical.

Sudharaka
logo1
Sudharaka
logo2