
Secure and privacy-preserving data transmission and processing using homomorphic encryption


Razvan Bocu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive


  1. 1. Homomorphic Encryption: Secure and privacy-preserving data transmission and processing. Dr. Razvan Bocu, Transilvania University of Brasov, Romania
  2. 2. History: Julius Caesar (100-44 BC). In the beginning, there was symmetric encryption. Message: ATTACK AT DAWN
  3. 3. History: Julius Caesar (100-44 BC). Message: ATTACK AT DAWN. Key: +3. Ciphertext: DWWDFN DW GDZQ. If you had the key, you could encrypt…
  4. 4. History: Julius Caesar (100-44 BC). Ciphertext: DWWDFN DW GDZQ. Key: -3. Message: ATTACK AT DAWN. If you had the key, you could decrypt…
  5. 5. History: Julius Caesar (100-44 BC). If you had the key, you could decrypt DWWDFN DW GDZQ. Symmetric Encryption: Encryption and Decryption use the same key
  6. 6. History: Symmetric Encryption: Encryption and Decryption use the same key. Vigenere; Enigma; Claude Shannon and Information Theory (1900-1950)
  7. 7. History: Asymmetric Encryption (1970s). Merkle, Hellman and Diffie (1976); Shamir, Rivest and Adleman (1978). Encryption uses a public key, Decryption uses the secret key
  8. 8. History: Asymmetric Encryption: The Foundation of E-Commerce
  9. 9. History: RSA: The first and most popular asymmetric encryption. $E(m) = m^e \pmod{n}$, $D(c) = c^d \pmod{n}$
  10. 10. YET… The world was black and white
  11. 11. YET… The world was black and white The only thing anyone did with encrypted data was … … decrypt it.
  12. 12. YET… Encryption =
  13. 13. Further possible use cases: a function f applied to an input x returns f(x) (x = search query, f = Google search, f(x) = search results). Driving force: The need for privacy.
  14. 14. Computations on Encrypted Data. Further possible use cases: a function f receives Enc(x) and returns Enc(f(x)). Driving force: The need for privacy.
  15. 15. Computations on Encrypted Data. The algebraic structure in RSA… $E(m_1) = m_1^e$, $E(m_2) = m_2^e$. Thus, … $E(m_1) \times E(m_2) = m_1^e \times m_2^e = (m_1 \times m_2)^e = E(m_1 \times m_2)$, so $E(m_1) \times E(m_2) = E(m_1 \times m_2)$: Multiplicative Homomorphism
  16. 16. Computations on Encrypted Data. RSA is multiplicatively homomorphic: $E(m_1) = m_1^e$, $E(m_2) = m_2^e$. Ergo … $E(m_1) \times E(m_2) = m_1^e \times m_2^e = (m_1 \times m_2)^e = E(m_1 \times m_2)$, so $E(m_1) \times E(m_2) = E(m_1 \times m_2)$: Multiplicative Homomorphism
  17. 17. Computations on Encrypted Data. RSA is multiplicatively homomorphic: $E(m_1) = m_1^e$, $E(m_2) = m_2^e$. Ergo … $E(m_1) \times E(m_2) = m_1^e \times m_2^e = (m_1 \times m_2)^e = E(m_1 \times m_2)$, so $E(m_1) \times E(m_2) = E(m_1 \times m_2)$: Multiplicative Homomorphism (but not additively homomorphic)
  18. 18. Computations on Encrypted Data. Other Encryption systems were additively homomorphic: $E(m_1) + E(m_2) = E(m_1 + m_2)$: Additive Homomorphism (but not multiplicatively homomorphic)
  19. 19. Computations on Encrypted Data The ultimate goal: computations over encrypted data… … this requires the computation of both sums and products … … over the same encrypted data set!
  20. 20. Computations on Encrypted Data. Why SUMs and PRODUCTs? SUM = XOR: 0 XOR 0 = 0, 1 XOR 0 = 1, 0 XOR 1 = 1, 1 XOR 1 = 0. PRODUCT = AND: 0 AND 0 = 0, 1 AND 0 = 0, 0 AND 1 = 0, 1 AND 1 = 1.
  21. 21. Computations on Encrypted Data. XOR: 0 XOR 0 = 0, 1 XOR 0 = 1, 0 XOR 1 = 1, 1 XOR 1 = 0. AND: 0 AND 0 = 0, 1 AND 0 = 0, 0 AND 1 = 0, 1 AND 1 = 1. Considering the system {XOR,AND} is Turing-complete … any function is a combination of XOR and AND gates
  22. 22. Computations on Encrypted Data. Considering the system {XOR,AND} is Turing-complete … any function is a combination of XOR and AND gates. Example: Indexing a database: index i = i1i0, return DBi [circuit diagram: bits 0 1 1 0; inputs i0, i1; entries DB0, DB1, DB2, DB3]
  23. 23. Corollary: Considering the system {XOR,AND} is Turing-complete … if one can compute sums and products on encrypted bits … one can compute ANY function on encrypted inputs [circuit diagram: E(x1), E(x2), E(x3), E(x4) → E(x1 XOR x2), E(x3 AND x4) → E(f(x1,x2,x3,x4))]
  24. 24. Fully-Homomorphic Encryption! Cryptography’s Holy Grail
  25. 25. Fully-Homomorphic Encryption! Amazing Applications: Private Cloud Computing Delegate arbitrary processing of data without giving away access to it
  26. 26. Fully-Homomorphic Encryption! Continuous unsuccessful quest for years
  27. 27. … until, in October 2008 … … Craig Gentry came up with the first fully homomorphic encryption scheme …
  28. 28. What is the mechanism?
  29. 29. What kind of mathematical models can we use?
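  30. 30. What kind of objects can we add and multiply? Polynomials? $(x^2 + 6x + 1) + (x^2 - 6x) = 2x^2 + 1$; $(x^2 + 6x + 1) \times (x^2 - 6x) = x^4 - 35x^2 - 6x$
  31. 31. What kind of objects can we add and multiply? Polynomials? $(x^2 + 6x + 1) + (x^2 - 6x) = 2x^2 + 1$; $(x^2 + 6x + 1) \times (x^2 - 6x) = x^4 - 35x^2 - 6x$. Matrices? $\begin{pmatrix} 1 & 0 \\ 1 & 2 \end{pmatrix} + \begin{pmatrix} -1 & 1 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 3 \end{pmatrix}$; $\begin{pmatrix} 1 & 0 \\ 1 & 2 \end{pmatrix} \times \begin{pmatrix} -1 & 1 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} -1 & 1 \\ -1 & 3 \end{pmatrix}$
  32. 32. What kind of objects can we add and multiply? Polynomials? $(x^2 + 6x + 1) + (x^2 - 6x) = 2x^2 + 1$; $(x^2 + 6x + 1) \times (x^2 - 6x) = x^4 - 35x^2 - 6x$. Matrices? $\begin{pmatrix} 1 & 0 \\ 1 & 2 \end{pmatrix} + \begin{pmatrix} -1 & 1 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} 0 & 1 \\ 1 & 3 \end{pmatrix}$; $\begin{pmatrix} 1 & 0 \\ 1 & 2 \end{pmatrix} \times \begin{pmatrix} -1 & 1 \\ 0 & 1 \end{pmatrix} = \begin{pmatrix} -1 & 1 \\ -1 & 3 \end{pmatrix}$. Maybe integers?!? $3 + 4 = 7$; $3 \times 4 = 12$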
  33. 33. Nowadays, in use: Symmetric Encryption
  34. 34. Secret key: large odd number p [number line: -3p, -2p, -p, 0, p, 2p, 3p]
  35. 35. Secret key: large odd number p. To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p [number line: -3p, -2p, -p, 0, p, 2p, 3p]
  36. 36. Secret key: large odd number p. To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p – choose a (preferably random) “small” number 2·r+b (this is even if b=0, and odd if b=1); the “noise” = 2·r+b [number line: -3p, -2p, -p, 0, p, 2p, 3p]
  37. 37. Secret key: large odd number p. To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p – choose a (preferably random) “small” number 2·r+b (this is even if b=0, and odd if b=1); the “noise” = 2·r+b – Resulting ciphertext: c = q·p+2·r+b [number line: -3p, -2p, -p, 0, p, 2p, 3p]
  38. 38. Secret key: large odd number p. To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p – choose a (preferably random) “small” number 2·r+b (this is even if b=0, and odd if b=1); the “noise” = 2·r+b – Resulting ciphertext: c = q·p+2·r+b. To Decrypt a ciphertext c: Applying the operation c mod p recovers the noise [number line: -3p, -2p, -p, 0, p, 2p, 3p]
  39. 39. How safe is this model? If there was no noise (r=0) … and one provides two encryptions of 0 (q1p & q2p) … then the secret key p can be recovered: GCD_attack(q1p, q2p). Greatest common divisor; Coppersmith’s attack [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  40. 40. How safe is this model? If there is noise … the GCD attack doesn’t work … and neither does any conventional attack → the approximate GCD assumption [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  41. 41. XOR operations on two encrypted bits: – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  42. 42. XOR operations on two encrypted bits: – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  43. 43. XOR operations on two encrypted bits: – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2): odd if b1=0, b2=1 (or) b1=1, b2=0; even if b1=0, b2=0 (or) b1=1, b2=1 [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  44. 44. XOR operations on two encrypted bits: – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2): least_significant_bit = b1 XOR b2 [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  45. 45. AND operations on two encrypted bits: – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) – c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  46. 46. AND operations on two encrypted bits: – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) – c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2: least_significant_bit = b1 AND b2 [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  47. 47. The noise increases! [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  48. 48. The noise increases! – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2): noise = 2 * (initial noise) [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  49. 49. The noise increases! – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2): noise = 2 * (initial noise) – c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2: noise = (initial noise)^2 [number line: -3p, -2p, -p, 0, p, 2p, 3p; the “noise” = 2·r+b]
  50. 50. The noise increases! Why does this matter? [number line: -51, -34, -17, 0, 17, 34, 51; ciphertext at 20, noise=-14]
  51. 51. The noise increases! Why does this matter? Decryption will recover noise’=3 [number line: -51, -34, -17, 0, 17, 34, 51; ciphertext at 20, noise=-14]
  52. 52. The noise increases! Why does this matter? If the |noise| > p/2, then: Decryption will output an incorrect bit! Decryption will recover noise’=3 [number line: -51, -34, -17, 0, 17, 34, 51; ciphertext at 20, noise=-14]
  53. 53. The accomplishment … Possibility to do lots of additions and … some multiplications (= a “somewhat homomorphic” encryption)
  54. 54. The accomplishment … … we can do lots of additions and … some multiplications It is enough to do many useful tasks, such as, database search, spam filtering etc. (= a “somewhat homomorphic” encryption)
  55. 55. The accomplishment ... … we can do lots of additions and … some multiplications … enough to do many useful tasks, e.g., database search, spam filtering etc. But, there is much more … (= a “somewhat homomorphic” encryption)
  56. 56. RSA&friends: MANY mult, ZERO add. Fully homomorphic: MANY additions, MANY multiplications. WE ARE HERE!
  57. 57. RSA&friends: MANY mult, ZERO add. Fully homomorphic: MANY add, MANY mult. WE ARE HERE! [bootstrapping] How is this possible? The “bootstrapping method”. Principle: If you can go a (large) part of the way, then you can go all the way.
  58. 58. The “bootstrapping method”: Initial noise [noise gauge: noise=0 to noise=p/2]
  59. 59. The “bootstrapping method”: Noise after some sums and products [noise gauge: noise=0 to noise=p/2]
  60. 60. The “bootstrapping method”: Bootstrapping = “Valve” at a fixed height [noise gauge: noise=0 to noise=p/2]
  61. 61. The “bootstrapping method”: Bootstrapping = “Valve” at a fixed height [noise gauge: noise=0 to noise=p/2]
  62. 62. The “bootstrapping method”: … repeat until done [noise gauge: noise=0 to noise=p/2]
  63. 63. The “bootstrapping method”: … repeat until done [noise gauge: noise=0 to noise=p/2]
  64. 64. → Lots of new Encryption Schemes … simpler, more secure, more efficient → Dramatic Efficiency Improvements [chart: Time (in millisec) for a basic operation, scale 1 to 1000000, years 2009, 2010, 2011]
  65. 65. Gentry’s “bootstrapping method” … The same principle: if you can go a (large) part of the way, you probably can go all the way. [noise gauge: noise=0 to noise=p/2]
  66. 66. Gentry’s “bootstrapping method” … The same principle: if you can go a (large) part of the way, you probably can go all the way. Issue to address: Addition and Multiplication increase noise (Addition doubles, Multiplication squares the noise) [noise gauge: noise=0 to noise=p/2]
  67. 67. Gentry’s “bootstrapping method” … The same principle: if you can go a (large) part of the way, you probably can go all the way. Issue to address: Addition and Multiplication increase noise (Addition doubles, Multiplication squares the noise). Goal: noise reduction [noise gauge: noise=0 to noise=p/2]
  68. 68. Reflection topic: What is the best noise-reduction procedure? [noise gauge: noise=0 to noise=p/2]
  69. 69. Reflection topic: What is the best noise-reduction procedure? … To get rid of all the noise. [noise gauge: noise=0 to noise=p/2]
  70. 70. Reflection topic: What is the best noise-reduction procedure? … To get rid of all the noise, … and recover the original message in a computationally optimal way. [noise gauge: noise=0 to noise=p/2]
  71. 71. Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and recover the original message in a computationally optimal way: Direct Decryption! [noise gauge: noise=0 to noise=p/2]
  72. 72. Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and recover the original message in a computationally optimal way: Direct Decryption! [diagram: Ctxt = Enc(b) and Secret key → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  73. 73. Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and recover the original message in a computationally optimal way: Direct Decryption! Decrypt: Function that acts on ciphertext and eliminates noise [diagram: Ctxt = Enc(b) and Secret key → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  74. 74. Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and recover the message in a computationally optimal way: Decryption! But I can’t give the secret key out for free! [diagram: Ctxt = Enc(b) and Secret key → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  75. 75. Reflection topic: But I can’t give the secret key out for free! Goal: I want to reduce noise without letting you decrypt [diagram: Ctxt = Enc(b) and Secret key → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  76. 76. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) [diagram: Ctxt = Enc(b) and Secret key → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  77. 77. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). This is called “Circular Encryption” [diagram: Ctxt = Enc(b) and Secret key → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  78. 78. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). This is called “Circular Encryption” [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  79. 79. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). In order to reduce noise … Homomorphically evaluate the decryption circuit!!! [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → b] [noise gauge: noise=0 to noise=p/2]
  80. 80. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). In order to reduce noise … Homomorphically evaluate the decryption circuit!!! [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  81. 81. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). In order to reduce noise … Homomorphically evaluate the decryption circuit!!! [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  82. 82. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). KEY OBSERVATION: The input Enc(b) and output Enc(b) have different noise levels. [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  83. 83. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). KEY OBSERVATION: Regardless of the noise in the input Enc(b), the noise level in the output Enc(b) is FIXED. [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  84. 84. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). KEY OBSERVATION: Regardless of the noise in the input Enc(b), the noise level in the output Enc(b) is FIXED. [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  85. 85. KEY IDEA: I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). KEY OBSERVATION: Regardless of the noise in the input Enc(b), the noise level in the output Enc(b) is FIXED. [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  86. 86. KEY IDEA … I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key). KEY OBSERVATION: Regardless of the noise in the input Enc(b), the noise level in the output Enc(b) is FIXED. [diagram: Ctxt = Enc(b) and Enc(Secret key) → Decrypt → Enc(b)] [noise gauge: noise=0 to noise=p/2]
  87. 87. Long story short: whenever noise level increases beyond a limit … use bootstrapping to reset it to a fixed level [noise gauge: noise=0 to noise=p/2]
  88. 88. Bootstrapping requires the homomorphic evaluation of the decryption circuit. [noise gauge: noise=0 to noise=p/2]
  89. 89. Thus, Gentry’s “bootstrapping theorem”: If an enc scheme can evaluate its own decryption circuit, then it can evaluate everything [noise gauge: noise=0 to noise=p/2]
  90. 90. Real world use case. Reference paper: • R. Bocu, C. Costache, A Homomorphic Encryption-Based System for Securely Managing Personal Health Metrics Data, IBM Journal of Research and Development, ISSN 0018-8646, Volume 62, Issue 1, 2018, pp. 1:1-1:10. • Use case: the convenient and fully privacy-preserving collection, transportation, processing, analysis, and storage of personal health information (PHI). • Software system: SafeBioMetrics – this system addresses the four essential requirements: the biomedical data collection at the user’s end, its transfer to the storage and processing backend, the proper and secure storage of this data, and its privacy-preserving processing. • Distinctive feature: clear separation between the long-term data storage and data processing paths. The system can easily accommodate any use case that involves data collection through sensors and mobile devices at the user’s side.
  91. 91. System architecture
  92. 92. System features • Data privacy assured during all four stages: data collection, data transmission, data storage, FHE-based data processing. • Data storage and processing backend is deployed in the cloud (in this case, IBM Bluemix, but any other cloud platform is fine). • The collected data is efficiently stored in the cloud (in this case, the relevant service is IBM Cloudant, but any other similar cloud service is fine). • The FHE computations are performed using Apache Spark, but any other computing service may be adapted and used. • The processing events are intercepted, and the proper actions triggered using a programming service (in this case, IBM OpenWhisk, but any other similar service may be adapted). • Advantages • Any use case that involves the safe (private) processing of sensitive data can benefit from the usage of this model. • The approach offloads the expensive processing operations to the cloud infrastructure, while keeping the data privacy intact. • The model is fully customizable and adaptable to various use cases and hardware/software infrastructures.
  93. 93. FHE Core Model – Supported Operations • Homomorphic addition (+h) – It takes as operands two ciphertexts, which correspond to a slot-wise XOR operation of the related plaintext elements. • Homomorphic multiplication (Xh) – It takes as operands two ciphertexts, which correspond to a slot-wise AND operation of the related plaintext elements. • Homomorphic rotate (<<<h, >>>h) – This essentially provides the possibility to rotate the data elements’ slots. The concept of slots refers to the storage bits that determine the data elements processed by the rotate operation. • Homomorphic select (selmask) – Its role is to correct the potentially altered slots (bits) of the data elements after the rotate operation. It preserves the data consistency during the fully homomorphic encryption process.
  94. 94. FHE Core Model – The Level • The level (L) – It must be determined before starting any computation instruction. • The level L is calibrated considering the depth of the multiplication operations to be performed in the given computational context. • This parameter assures the accuracy of the FHE operations’ results. • The multiplication increments by 1 the level L of the operation. • The depth of the multiplication operations determines the value of the calibrated level L. • This operation considers a number of NCT ciphertexts, which encrypt an array with n bits that stores the relevant data (in the case of the SafeBioMetrics, the cardiac rhythm data). • The computationally expensive multiplication operations should be reduced. • Consequently, the depth of the multiplication operations is reduced, in order to achieve an optimal calibration of the level L.
  95. 95. Optimized FHE Scheme
  96. 96. Optimized FHE Scheme (cont’d) • The data storage and processing backend efficiently and safely computes the received data. • The efficient incorporation of the FHE routines into the SafeBioMetrics system relies on the utilization of the communication data path illustrated in the previous slide (the top data path). • Each bit of the plaintext data is properly packed into the respective plaintext message. • The ciphertext is generated through an FHE model considering the top data path steps. • The bottom data path in the figure implies that the input data is translated into a binary format, which is efficiently understood by the CPU. This is achieved using the computation (fc(.)) and aggregation (fa(.)) functions from the bottom data processing path. • The binary data is processed using a parallel single instruction, multiple data (SIMD) model. • The four operations already mentioned are fully supported.
  97. 97. Test Use Case • The detection of three medical conditions has been considered: the average heart rate, the delayed repolarization of the heart, the minimum and maximum heart rates. • Outcomes: • The model performed well considering the detection of all three medical conditions. • The resulting performance metrics prove that the system is time- and resource-efficient. • The data privacy can be preserved, even if the hosting (cloud) environment is affected by a security incident (e.g., unauthorized access by an employee or hacker, CPU vulnerability issues, etc.). • The amount of transferred data depends arithmetically on the size of the encrypted data.
  98. 98. Performance Metrics (1) - Explanation • Network capacity: XFERIN (the amount of data transferred from the client devices to the backend), XFEROUT (the amount of data that is transferred from the backend to the client devices). • Storage ratio (SR): this assesses the amount of storage that is necessary to store one byte of plaintext data in an FHE format. As an example, if SR=500, 500 bytes are necessary in order to store one plaintext byte in the FHE format. • Processing speed (PS): This is defined through the ratio PS=PTO / PIN. Here, the numerator represents the amount of time to send the data from the client device to the backend, while the denominator is the amount of time that is required by the backend to process the received data. • NCT: The number of the involved ciphertexts. • Level L: The value of the calibration parameter.
  99. 99. Performance metrics (2)
  100. 100. Performance metrics (3) – DRHS Condition
  101. 101. Test Use Case - Conclusions • Flexible and decoupled architecture – the system is capable of accommodating most of the existing and, with a high probability, future client-side data collection devices. • SafeBioMetrics demonstrates that it is perfectly possible to sustain a completely secure, privacy-preserving and resource-efficient data management over large amounts of data. • This case study demonstrates that fully homomorphic encryption is usable in order to secure a system like SafeBioMetrics. • This model can be adapted to any other use case, which involves the processing of large amounts of sensitive data.
  102. 102. Thank You! Questions and Discussion
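
The integer scheme of slides 34-52 and the noiseless GCD key recovery of slide 39, as an added Python example that is not part of the presentation: it encrypts bits as c = q·p + 2·r + b, evaluates XOR and AND on ciphertexts, reproduces the p = 17 decryption failure of slide 52, and finds where repeated multiplication pushes the noise past p/2. Function names, parameter sizes and sample values are constructed for illustration and are far too small to be secure.

```python
"""Toy integer scheme from slides 34-52 (constructed parameters, not secure)."""
import math
import secrets
from functools import reduce


def keygen(bits=64):
    # Secret key: a large odd number p (top bit set so p really has `bits` bits).
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1


def encrypt(p, b, r=None, q=None):
    # c = q*p + 2*r + b: a large multiple of p plus small noise whose parity is b.
    q = secrets.randbits(128) + 1 if q is None else q
    r = secrets.randbits(8) if r is None else r
    return q * p + 2 * r + b


def noise(p, c):
    # Residue of c modulo p, taken in the centred range around 0 (|n| < p/2).
    n = c % p
    return n - p if n > p // 2 else n


def decrypt(p, c):
    # c mod p recovers the noise; its least significant bit is the plaintext.
    return noise(p, c) % 2


def hom_xor(c1, c2):
    return c1 + c2   # noises add: (2*r1 + b1) + (2*r2 + b2)


def hom_and(c1, c2):
    return c1 * c2   # noises multiply: (2*r1 + b1) * (2*r2 + b2)


def first_failing_depth(p, r, limit=64):
    # Multiply encryptions of 1 carrying noise 2*r+1 until decryption is wrong.
    acc = encrypt(p, 1, r=r)
    for factors in range(2, limit + 1):
        acc = hom_and(acc, encrypt(p, 1, r=r))
        if decrypt(p, acc) != 1:
            return factors
    return None


def gcd_attack(ciphertexts):
    # Slide 39: with r = 0, encryptions of 0 are exact multiples of p.
    return reduce(math.gcd, ciphertexts)


if __name__ == "__main__":
    p = keygen()
    for b1 in (0, 1):
        for b2 in (0, 1):
            c1, c2 = encrypt(p, b1), encrypt(p, b2)
            print(b1, b2, "XOR", decrypt(p, hom_xor(c1, c2)),
                  "AND", decrypt(p, hom_and(c1, c2)))
    # Slides 50-52: p = 17, true noise -14 (bit 0), ciphertext 20 decrypts wrongly.
    print("slide 52:", noise(17, 20), decrypt(17, 20))
    print("first wrong bit after", first_failing_depth(10007, r=5), "factors")
    print("noiseless key recovery:", gcd_attack([10 * p, 21 * p]) == p)
    print("with noise:", gcd_attack([encrypt(p, 1), encrypt(p, 1)]) == p)
```

With p = 10007 and per-ciphertext noise 11, the product of four ciphertexts carries noise 11^4 = 14641 > p/2, which is the point at which bootstrapping would have to reset the noise.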
