Computing on Encrypted Data

Similar documents
Associate Prof. Dr. Victor Onomza Waziri

Secure Computation Martin Beck

Information Security Theory vs. Reality

NEW CRYPTOGRAPHIC CHALLENGES IN CLOUD COMPUTING ERA

Verifiable Outsourced Computations Outsourcing Computations to Untrusted Servers

3-6 Toward Realizing Privacy-Preserving IP-Traceback

Exploring Privacy Preservation in Outsourced K-Nearest Neighbors with Multiple Data Owners

An Efficient and Secure Data Sharing Framework using Homomorphic Encryption in the Cloud

Boosting Linearly-Homomorphic Encryption to Evaluate Degree-2 Functions on Encrypted Data

Secure Data Exchange: A Marketplace in the Cloud

Whitewash: Securely Outsourcing Garbled Circuit Generation

Onion ORAM: Constant Bandwidth ORAM with Server Computation Chris Fletcher

A Fully Homomorphic Encryption Implementation on Cloud Computing

Security and Privacy in Big Data, Blessing or Curse?

Private Inference Control For Aggregate Database Queries

Research Article Two-Cloud-Servers-Assisted Secure Outsourcing Multiparty Computation

Secure Deduplication of Encrypted Data without Additional Independent Servers

Privacy Preserving Similarity Evaluation of Time Series Data

A FULLY HOMOMORPHIC ENCRYPTION SCHEME

CLOUD computing systems, in which the clients

A Fast Single Server Private Information Retrieval Protocol with Low Communication Cost

SOME SECURITY CHALLENGES IN CLOUD COMPUTING. Hoang N.V.

Cryptography for the Cloud

Digital Object Identifier /MSP Date of publication: 5 December 2012

Some Security Challenges of Cloud Compu6ng. Kui Ren Associate Professor Department of Computer Science and Engineering SUNY at Buffalo

Privacy and Security in Cloud Computing

Restructuring the NSA Metadata Program

Big Data - Security and Privacy

Homomorphic encryption and emerging technologies COSC412

Efficient Multi-keyword Ranked Search over Outsourced Cloud Data based on Homomorphic Encryption

Secure Transformation for Multiparty Linear Programming

Whitewash: Outsourcing Garbled Circuit Generation for Mobile Devices

On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption

Privacy, Security and Cloud

Onion ORAM: A Constant Bandwidth Blowup Oblivious RAM

Experimental Analysis of Privacy-Preserving Statistics Computation

An Overview of Common Adversary Models

Fully homomorphic encryption equating to cloud security: An approach

An Efficient Multi-Keyword Ranked Secure Search On Crypto Drive With Privacy Retaining

Lecture 17: Re-encryption

Advanced Cryptography

CPSC 467b: Cryptography and Computer Security

K-NN CLASSIFICATION OVER SECURE ENCRYPTED RELATIONAL DATA IN OUTSOURCED ENVIRONMENT

Privacy-Preserving Set Operations

Secure Deduplication of Encrypted Data without Additional Servers

Controlled Functional Encryption

Privacy-Preserving Aggregation of Time-Series Data

Privacy Patterns in Public Clouds

Survey on Efficient Information Retrieval for Ranked Query in Cost-Efficient Clouds

Verifying a Secret-Ballot Election with Cryptography

Lecture 3: One-Way Encryption, RSA Example

PARTICIPATORY sensing and data surveillance are gradually

How To Create A Multi-Keyword Ranked Search Over Encrypted Cloud Data (Mrse)

The Role of Cryptography in Database Security

Solutions to Problem Set 1

Private Inference Control

Survey on Securing Data using Homomorphic Encryption in Cloud Computing

Cryptography and Network Security Department of Computer Science and Engineering Indian Institute of Technology Kharagpur

Paillier Threshold Encryption Toolbox

Secure Framework and Sparsity Structure of Linear Programming in Cloud Computing P.Shabana 1 *, P Praneel Kumar 2, K Jayachandra Reddy 3

EasyCrypt - Lecture 6 Overview and perspectives. Tuesday November 25th

Security of Cloud Computing

CIS 5371 Cryptography. 8. Encryption --

1 Message Authentication

Universal Hash Proofs and a Paradigm for Adaptive Chosen Ciphertext Secure Public-Key Encryption

Canon-MPC, A System for Casual Non-Interactive Secure Multi-Party Computation Using Native Client

Secure and Efficient Outsourcing of Sequence Comparisons

Outsourcing the Decryption of ABE Ciphertexts

Tackling The Challenges of Big Data. Tackling The Challenges of Big Data Big Data Systems. Security is a Negative Goal. Nickolai Zeldovich

Fully Homomorphic Encryption Using Ideal Lattices

Post-Quantum Cryptography #4

[1] Diagonal factorization

Computational Soundness of Symbolic Security and Implicit Complexity

A COMPARATIVE STUDY OF SECURE SEARCH PROTOCOLS IN PAY- AS-YOU-GO CLOUDS

On Acceleration and Scalability of Number Theoretic Private Information Retrieval

Authenticated encryption

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages

Public Key Encryption that Allows PIR Queries

CS 758: Cryptography / Network Security

A Comparison of the Homomorphic Encryption Schemes FV and YASHE

Homomorphic Encryption Method Applied to Cloud Computing

Similar matrices and Jordan form

Overview of Cryptographic Tools for Data Security. Murat Kantarcioglu

Secure Collaborative Privacy In Cloud Data With Advanced Symmetric Key Block Algorithm

Arnab Roy Fujitsu Laboratories of America and CSA Big Data WG

A NOVEL APPROACH FOR MULTI-KEYWORD SEARCH WITH ANONYMOUS ID ASSIGNMENT OVER ENCRYPTED CLOUD DATA

An Application of the Goldwasser-Micali Cryptosystem to Biometric Authentication

The Best of Both Worlds: Combining Information-Theoretic and Computational PIR for Communication Efficiency

Secure semantic based search over cloud

On the Impossibility of Cryptography Alone for Privacy-Preserving Cloud Computing

Secure Attribute Based Mechanism through Access cipher policy in Outsourced Cloud Data

How to Garble RAM Programs

A Survey of Cloud Storage Security Research. Mar Kheng Kok Nanyang Polytechnic

Verifiable Delegation of Computation over Large Datasets

Lei Wei & Michael K. Reiter

Searchable Symmetric Encryption: Improved Definitions and Efficient Constructions

A Simple Provably Secure Key Exchange Scheme Based on the Learning with Errors Problem

1 Construction of CCA-secure encryption

Conditional Encrypted Mapping and Comparing Encrypted Numbers

Entangled Encodings and Data Entanglement

Transcription:

Computing on Encrypted Data Secure Internet of Things Seminar David Wu January, 2015

Smart Homes New Applications in the Internet of Things aggregation + analytics usage statistics and reports report energy consumption

The Power of the Cloud BIG DATA Question: provide service, preserve privacy analytics recommendations personalization lots of user information = big incentives

Secure Multiparty Computation (MPC) Multiple parties want to compute a joint function on private inputs privacy guarantee: no party learns anything extra about other parties inputs at end of computation, each party learns the average power consumption private input: individual power consumption

Two Party Computation (2PC) Simpler scenario: two-party computation (2PC) 2PC: Mostly solved problem: Yao s circuits [Yao82] Express function as a Boolean circuit garbled version of circuit oblivious transfer to obtain garbled inputs Party A output of garbled circuit Party B

Two-Party Computation (2PC) Yao s circuits very efficient and heavily optimized [KSS09] Evaluating circuits with 1.29 billion gates in 18 minutes (1.2 gates / µs) [ALSZ13] Yao s circuit provides semi-honest security: malicious security via cut-and-choose, but not as efficient

Going Beyond 2PC General MPC also solved [GMW87] secret share inputs with all parties jointly evaluate circuit, gate-bygate

Secure Multiparty Computation General MPC suffices to evaluate arbitrary functions amongst many parties: should be viewed as a feasibility result Limitations of general MPC many rounds of communication / interaction possibly large bandwidth hard to coordinate interactions with large number of parties Other considerations (not discussed): fairness, guaranteeing output delivery

This Talk: Homomorphic Encryption Many rounds of interaction Boolean circuits (typically) Few rounds of interaction Arithmetic circuits Interaction GMW Protocol and General MPC Custom Protocols Homomorphic Encryption General methods for secure computation

Homomorphic Encryption Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts Comprises of three functions: m pk Enc c c sk Dec m Must satisfy usual notion of semantic security

Homomorphic Encryption Homomorphic encryption scheme: encryption scheme that allows computation on ciphertexts Comprises of three functions: c 1 = Enc pk (m 1 ) c 2 = Enc pk (m 2 ) ek Eval f c 3 Dec sk Eval f ek, c 1, c 2 = f m 1, m 2

Fully Homomorphic Encryption (FHE) Many homomorphic encryption schemes: ElGamal: f m 0, m 1 = m 0 m 1 Paillier: f m 0, m 1 = m 0 + m 1 Fully homomorphic encryption: homomorphic with respect to two operations: addition and multiplication [BGN05]: one multiplication, many additions [Gen09]: first FHE construction from lattices

Privately Outsourcing Computation encrypted results of computation encrypted data Leveraging computational power of the cloud

Machine Learning in the Cloud aggregation + analytics 3. Compute model homomorphically 1. Publish public key 4. Decrypt to obtain model report energy consumption 2. Upload encrypted values

Machine Learning in the Cloud Passive adversary sitting in the cloud does not see client data Power company only obtains resulting model, not individual data points (assuming no collusion) Parties only need to communicate with cloud (the power of public-key encryption)

Big Data, Limited Computation Homomorphic encryption is expensive, especially compared to symmetric primitives such as AES Can be unsuitable for encrypting large volumes of data

Hybrid Homomorphic Encryption Enc pk k, AES k m Encrypt AES key using homomorphic encryption (expensive), encrypt data using AES (cheap) Current performance: 400 seconds to decrypt 120 AES-128 blocks (4 s/block) [GHS15] AES k m encrypt Enc pk k Homomorphically evaluate the AES decryption circuit evaluate AES decryption homomorphic evaluation Enc pk AES k m Enc pk m Enc pk f m

Constructing FHE FHE: can homomorphically compute arbitrary number of operations Difficult to construct start with something simpler: somewhat homomorphic encryption scheme (SWHE) SWHE: can homomorphically evaluate a few operations (circuits of low depth)

Gentry s Blueprint: SWHE to FHE Gentry described general bootstrapping method of achieving FHE from SWHE [Gen 09] Starting point: SWHE scheme that can evaluate its own decryption circuit

Gentry s Blueprint: From SWHE to FHE recrypt functionality m ciphertext encrypt the ciphertext m sk encryption of secret key homomorphically evaluate the decryption function m many operations remaining no operations remaining Homomorphism Remaining

Bootstrappable SWHE First bootstrappable construction by Gentry based on ideal lattices [Gen09] Tons of progress in constructions of FHE in the ensuing years [vdghv10, SV10, BV11a, BV11b, Bra12, BGV12, GHS12, GSW13], and more! Have been simplified enough that the description can fit in a blog post [BB12]

Conceptually Simple FHE [GSW13] Ciphertexts are n n matrices over Z q Secret key is a vector v Z q n v is a noisy eigenvector of C C v = m v + e ciphertext secret key message noise Encryption of m satisfies above relation

Conceptually Simple FHE [GSW13] Suppose that v has a large component v i C v = m v + e ciphertext secret key message noise Can decrypt as follows: C i, v C i is i th row of C v i = mv i + e i v i = m Relation holds if e i v i < 1 2

Conceptually Simple FHE [GSW13] Homomorphic addition C 1 v = m 1 v + e 1 C 2 v = m 2 v + e 2 C 1 + C 2 v = m 1 + m 2 v + e 1 + e 2 homomorphic addition is matrix addition noise terms also add

Conceptually Simple FHE [GSW13] Homomorphic multiplication C 1 v = m 1 v + e 1 C 2 v = m 2 v + e 2 C 1 C 2 v = m 1 m 2 v + C 1 e 2 + m 2 e 1 homomorphic multiplication is matrix multiplication noise could blow up if C 1 or m 2 are not small

Conceptually Simple FHE [GSW13] Basic principles: ciphertexts are matrices, messages are approximate eigenvalues Homomorphic operations correspond to matrix addition and multiplication (and some tricks to constrain noise) Hardness based on learning with errors (LWE) [Reg05]

The Story so Far Simple FHE schemes exist But bootstrapping is expensive! At 76 bits of security: each bootstrapping operation requires 320 seconds and 3.4 GB of memory [HS14] Other implementations exist, but generally less flexible / efficient SWHE (without bootstrapping) closer to practical: can evaluate shallow circuits

Application: Statistical Analysis Consider simple statistical models: computing the mean or covariance (for example, average power consumption) Problem: given n vectors x 1,, x n, compute Mean: μ = 1 n i=1 n x i Covariance: Σ X = 1 n 2 (nxt X

Application: Statistical Analysis Can also perform linear regression: given design matrix X and response vector y, evaluate normal equations θ = X T X 1 X T y Matrix inversion (over Q) using Cramer s rule Depth n for n-dimensional data

Batch Computation [SV11] Algebraic structure of some schemes enable encryption + operations on vectors at no extra cost Plaintext Space: ring R R p1 R p2 R pk Chinese Remainder Theorem: R k i=1 R pi

Batch Computation [SV11] Encrypt + process array of values at no extra cost: 1 2 3 4 + 7 5 3 1 One homomorphic operation 8 7 6 5 In practice: 5000 slots

Time (minutes) 70 65 60 55 50 45 40 35 30 25 20 Time to Compute Mean and Covariance over Encrypted Data (Dimension 4) Few ciphertexts due to batching Multiplications dominate 2,000 20,000 200,000 2,000,000 Number of Datapoints Based on implementation of Brakerski s scheme [Bra12]

Time (minutes) 80 70 60 50 40 30 20 10 Time to Perform Linear Regression on Encrypted Data (2 Dimensions) Few ciphertexts due to batching Multiplications dominate 0 1000 10000 100000 1000000 Number of Datapoints

Application: Private Information Retrieval I want to see record i PIR protocol??? cloud database client learns record i, server learns nothing

PIR from Homomorphic Encryption [KO97] v 11 v 12 v 13 v 21 v 22 v 23 v 31 v 32 v 33 1 0 0 = v 11 v 21 v 31 represent database as matrix query is an encrypted basis vector server evaluates inner product response O( n) communication database components in the clear: additive homomorphism suffices

PIR from Homomorphic Encryption O n communication with additive homomorphism alone Naturally generalizes: O 3 n with one multiplication O k n with degree k 1 -homomorphism Benefits tremendously from batching r 1,, r N database r 1,, r N/3 r 1+N/3,, r 2N/3 r 1+2N/3,, r N split database into many small databases, query in parallel

Response Time (s) 1,000,000 FHE-PIR Timing Results (5 Mbps) 100,000 10,000 1,000 100 10 1 1 10 100 1000 10000 Number of Records (Millions) FHE-PIR (d = 2) FHE-PIR (d = 3) FHE-PIR (d = 4) Trivial PIR

PIR from Homomorphic Encryption Outperforms trivial PIR for very large databases However, recursive KO-PIR with additive homomorphism is still state-of-the-art

Concluding Remarks Internet of Things brings many security challenges Many generic cryptographic tools: 2PC, MPC, FHE 2PC/MPC work well for small number of parties SWHE/FHE preferable with many parties (IoT scale) FHE still nascent technology should be viewed as a proof-ofconcept rather than practical solution SWHE closer to practical, suitable for evaluating simple (lowdepth) functionalities Big open problem to develop more practical constructions!

Questions?

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information