C
OMPUTING
ON
E
NCRYPTED
DATA
Shai
Halevi
, IBM Research
January 5, 2012
I want to
delegate
processing
of my data,
without
giving away
access
to it.
Computing on Encrypted Data
Computing on Encrypted Data
•
Wouldn’t it be nice to be able to…
–
Encrypt my data before sending to the cloud
–
While still allowing the cloud to
search/sort/edit/… this data on my behalf
–
Keeping the data in the cloud in encrypted form
•
Without needing to ship it back and forth to be
decrypted
Computing on Encrypted Data
•
Wouldn’t it be nice to be able to…
–
Encrypt my queries to the cloud
–
While still allowing the cloud to process them
–
Cloud returns encrypted answers
•
that I can decrypt
Outsourcing Computation Privately
Client
Server/Cloud
(Input:
x
)
(Function:
f
)
“I want to delegate the computation to the cloud”
“I want to delegate the computation to the cloud,
but the cloud shouldn’t see my input”
Enc
[
f
(
x
)
]
Enc(
x
)
f
$skj#hS28ksytA@ …
Outsourcing Computation Privately
Outsourcing Computation Privately
$kjh9*mslt@na0
&maXxjq02bflx
m^00a2nm5,A4.
pE.abxp3m58bsa
(3saM%w,snanba
nq~mD
=3akm2,A
Z,ltnhde833mz{n
dewiunb4]
gnbTa
*
kjew^bwJ^mdns0
Example
:
RSA_encrypt
(
e
,
N
)
(
x
) =
x
e
mod
N
•
x
1
e
x
x
2
e
=
(
x
1
x
x
2
)
e
mod
N
“Somewhat
Homomorphic
”: can compute some
functions on encrypted data, but not all
Privacy
Homomorphisms
Plaintext space
P
Ciphertext space
C
x
1
x
2
c
i
Enc(
x
i
)
c
1
c
2
*
#
y
d
y
Dec(
d
)
•
Rivest

Adelman

Dertouzos
1978
“Fully
Homomorphic
” Encryption
•
Encryption for which we can compute
arbitrary
functions
on the encrypted data
•
Another example: private information retrieval
Enc
(
f
(
x
)
)
Enc(
x
)
Eval
f
Enc
(
A[
i
]
)
Enc
(
i
)
i
A[1 …
n
]
H
OW
TO
DO
IT
?
Step 1: Boolean Circuit for
f
•
Every function can be constructed from
Boolean AND, OR, NOT
–
Think of building it from hardware gates
•
For any two bits b
1
, b
2
(both 0/1 values)
–
NOT b
1
= 1
–
b
1
–
b
1
AND b
2
= b
1
b
2
–
b1 OR b2 = b
1
+
b
2
–
b
1
b
2
•
If we can do +,
–
, x, we can do everything
Step 2: Encryption Supporting
,
•
Open Problem for over 30 years
•
Gentry 2009: first plausible scheme
–
Security relies on hard problems in integer lattices
•
Several other schemes in last two years
Fully
homomorphic
encryption
is possible
H
OW
MUCH
DOES
IT
COST
?
Performance
•
A little slow…
•
First working implementation in mid

2010,
½

hour to compute a single AND gate
–
13

14 orders of magnitude slowdown
vs. computing on non

encrypted data
•
A faster “dumbed down” version
–
C
an only evaluate “very simple functions”
–
About ½

second for an AND gate
•
Underlying “somewhat
homomorphic
” scheme
•
PK
is 2 integers, SK is one
integer
Dimension
KeyGen
Enc
(amortized)
Dec / AND
2048
800,000

bit
integers
1.25 sec
60
millisec
23
millisec
8192
3,200,000

bit
integers
10 sec
0.7 sec
0.12 sec
32768
13,000,000

bit
integers
95 sec
5.3 sec
0.6 sec
Large Medium Small
Performance
Dimension
KeyGen
PK size
AND
2048
800,000

bit
integers
40 sec
70
MByte
31 sec
8192
3,200,000

bit
integers
8 min
285
MByte
3 min
32768
13,000,000

bit
integers
2
hours
2.3
GByte
30 min
Large Medium Small
Performance
•
Fully
homomorphic
scheme
Performance
•
A little slow…
•
Butler Lampson: “
I
don’t think we’ll see
anyone using Gentry’s solution in our
lifetimes […]
”
–
Forbes, Dec

19, 2011
New Stuff
•
New techniques suggested during 2011
•
Promise ~3 orders of magnitude improvement
vs. Gentry’s original scheme
–
Implementations on the way
•
Still very expensive, but maybe suitable for
some niche applications
•
Computing “simple functions” using these
tools may be realistic
W
HAT
C
AN
I
USE
?
Things we can already use today
•
Sometimes simple functions is all we need
–
Statistics, simple keyword match, etc.
•
Interactive solutions are sometime faster
–
vs. the single round trip of
Homomorphic
Enc
•
Great
efficiency
gains when settling for
weaker notions of secrecy
–
“Order preserving encryption”
–
MIT’s
CryptDB
(onion encryption)
Q
UESTIONS
?
BACKUP
SLIDES
Limitations of function

as

circuit
•
Some performance optimizations are ruled out
•
Example: Binary search
–
log(
n
) steps to find element in an
n

element array
–
But circuit must be of size ~n
•
Example: private information retrieval
–
Non

encrypted access with one lookup
–
But encrypted access must touch all entries
•
Else you leak information (element is not in
i’th
entry)
•
Only data

oblivious computation is possible
Evaluate any function in four “easy” steps
•
Step 1: Encryption from linear ECCs
–
Additive homomorphism
•
Step 2: ECC lives inside a ring
–
Also multiplicative homomorphism
–
But only for a few operations (low

degree poly’s)
•
Step 3: Bootstrapping
–
Few ops (but not too few)
any number of ops
•
Step 4: Everything else
–
“Squashing” and other fun activities
The [Gentry 2009] blueprint
Error

Correcting Codes
•
For “random looking” codes, hard to
distinguish close/far from code
•
Many cryptosystems built on this hardness
–
E.g., [McEliece’78, AD’97, GGH’97, R’03,…]
Step 1
: Encryption from Linear ECCs
•
KeyGen
: choose a “random”
Code
–
Secret key: “good representation” of
Code
•
Allows correction of “large” errors
–
Public key: “bad representation” of
Code
•
Can generate “random code

words”
•
Hard to distinguish close/far from the code
•
Enc
(0): a word close to
Code
•
Enc
(1): a random word
–
Far from
Code
(with high probability)
Step 1
: Encryption from Linear ECCs
•
Code determined by a secret integer
p
–
Codewords
: multiples of
p
•
Good representation:
p
itself
•
Bad representation:
–
N
=
pq
, and also many
x
i
=
pq
i
+
r
i
•
Enc
(0): subset

sum(
x
i
’s)+
r
mod
N
–
r
is new noise, chosen by
encryptor
•
Enc
(1): random integer mod
N
Example: Integers mod
p
[
vDGHV
2010]
r
i
<<
p
p
N
•
Both Enc(0), Enc(1) close to the code
–
Enc(0): distance to code is even
–
Enc(1): distance to code is odd
–
Security unaffected when p is odd
•
In our example of integers mod
p
:
–
Enc(
b
) = 2(
r
+subset

sum
(
x
i
’s
)
)
+
b
mod
N
=
k
p
+ 2(
r
+subset

sum
(
r
i
’s
)
)+
b
–
Dec(
c
) = (
c
mod
p
) mod 2
A Different Input Encoding
N
p
x
i
=
pq
i
+
r
i
much smaller
than p/2
Plaintext encoded
in the “noise”
•
c
1
+c
2
=
(codeword
1
+
codeword
2
)
+
(
2
r
1
+b
1
)
+
(2
r
2
+b
2
)
–
codeword
1
+
codeword
2
Code
–
(2
r
1
+b
1
)
+
(
2
r
2
+b
2
)
=2
(
r
1
+r
2
)
+b
1
+b
2
is still small
•
If
2
(
r
1
+r
2
)
+b
1
+b
2
< min

dist/2, then
dist
(
c
1
+c
2
,
Code
) =
2
(
r
1
+r
2
)
+b
1
+b
2
dist(
c
1
+c
2
,
Code
)
b
1
+
b
2
(
mod
2)
•
Additively

homomorphic
while close to
Code
Additive Homomorphism
Product in
Ring
of
small elements is small
•
What happens when multiplying in
Ring
:
–
c
1
∙
c
2
= (codeword
1
+2
r
1
+
b
1
)∙(codeword
2
+2
r
2
+
b
2
)
= codeword
1
∙
X
+
Y
∙codeword
2
+
(
2
r
1
+
b
1
)∙(
2
r
2
+
b
2
)
•
If:
–
codeword
1
∙
X
+
Y
∙codeword
2
Code
–
(
2
r
1
+
b
1
)∙(
2
r
2
+
b
2
)
< min

dist/2
•
Then
–
dist(
c
1
c
2
,
Code
) = (
2
r
1
+
b
1
)∙(
2
r
2
+
b
2
) =
b
1
∙
b
2
mod 2
Step 2:
Code
Lives in a
Ring
Code
is
an
ideal
•
Secret

key is
p
, public

key is
N
and the
x
i
’s
•
c
i
=
Enc
pk
(
b
i
) = 2(
r
+subset

sum
(
x
i
’s
)
)
+
b
mod
N
=
k
i
p
+ 2
r
i
+
b
i
–
Dec
sk
(
c
i
)
= (
c
i
mod
p
) mod 2
•
c
1
+
c
2
mod
N
=
(
k
1
p
+2
r
1
+
b
1
)+
(
k
2
p
+2
r
2
+
b
2
)
–
kqp
=
k
’
p
+ 2(
r
1
+
r
2
) + (
b
1
+
b
2
)
•
c
1
c
2
mod
N
= (
k
1
p
+2
r
1
+
b
1
)
(
k
2
p
+2
r
2
+
b
2
)
–
kqp
=
k
’
p
+
2(2
r
1
r
2
+
r
1
b
2
+
r
2
b
1
)
+
b
1
b
2
•
Additive, multiplicative homomorphism
–
A
s long as noise <
p
/2
Example: Integers mod
p
[
vDGHV
2010]
x
i
=
pq
i
+
r
i
N
p
•
We need a linear error

correcting code
C
–
With “good” and “bad” representations
–
C
lives inside an algebraic ring
R
–
C
is an ideal in
R
–
Sum, product of small elements in
R
is still small
•
Can find such codes in Euclidean space
–
Often associated with lattices
•
Then we get a “somewhat
homomorphic
”
encryption, supporting low

degree polynomials
–
Homomorphism while close to the code
Summary Up To Now
Step 3: Bootstrapping
P(
x
1
,
x
2
,
…
,
x
t
)
x
1
…
x
2
x
t
P
•
So far, can evaluate low

degree polynomials
•
So far, can evaluate low

degree polynomials
•
Can
eval
y
=
P
(
x
1
,x
2
…,
x
n
)
when
x
i
’s are “fresh”
•
But
y
is an “evaluated
ciphertext
”
–
Can still be decrypted
–
But
eval
Q
(
y
)
will increase noise too much
•
“Somewhat
Homomorphic
” encryption (SWHE)
Step 3: Bootstrapping
x
1
…
x
2
x
t
P
P(
x
1
,
x
2
,
…
,
x
t
)
•
So far, can evaluate low

degree polynomials
•
Bootstrapping to handle higher degrees
–
We have a noisy evaluated
ciphertext
y
–
Want to get another y with less noise
Step 3: Bootstrapping
x
1
…
x
2
x
t
P
P(
x
1
,
x
2
,
…
,
x
t
)
•
For
ciphertext
c
, consider
D
c
(
sk
) =
Dec
sk
(
c
)
–
Hope:
D
c
(
*
)
is a low

degree polynomial in
sk
•
Include in the public key also
Enc
pk
(
sk
)
•
Homomorphic
computation applied only to the
“fresh” encryption of
sk
Step 3: Bootstrapping
D
c
y
sk
1
sk
2
sk
n
…
c
D
c
(
sk
)
=
Dec
sk
(
c
) =
y
c’
Requires
“
circular
security
”
sk
1
sk
2
sk
n
…
•
Similarly define
M
c
1
,c
2
(
sk
) =
Dec
sk
(
c
1
)∙
Dec
sk
(
c
1
)
•
Homomorphic
computation applied only to the
“fresh” encryption of
sk
Step 3: Bootstrapping
M
c
1
,c
2
y
2
sk
1
sk
2
sk
n
…
c
2
M
c
1
,
c
2
(
sk
)
=
Dec
sk
(
c
1
)
x
Dec
sk
(
c
2
) =
y
1
x
y
2
c’
y
1
c
1
sk
1
sk
2
sk
n
…
•
Cryptosystems from [G’09, vDGHV’10, BG’11a]
cannot handle their own decryption
•
Tricks to “squash” the decryption procedure,
making it low

degree
–
Nontrivial, requires putting more information
about the secret key in the public key
–
Requires yet another assumption, namely hardness
of the Sparse

Subset

Sum Problem (SSSP)
–
I will not talk about squashing here
Step 4: Everything Else
Comments 0
Log in to post a comment