Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups


Slides of Hanaoka's talk at ECC 2018 (https://cy2sec.comm.eng.osaka-u.ac.jp/ecc2018/program.html)


1. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups
Goichiro Hanaoka*1
Joint work with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1
*1 AIST, *2 Cybozu Labs
2018/11/21 ECC 2018
2. Outline
• Background
• Two-level homomorphic encryption
• An efficient construction
• Security
• Implementation
• Conclusion
3. Background
4. Computing on encrypted data
• Data analysis while taking care of sensitive data
(Figure: a diagnosis function F, e.g. "if X^2 > ΣY then ...", evaluated over an encrypted database Y, returning "Disease risk 70%".)
5. Homomorphic Encryption (HE)
• Allows computation on encrypted data
• Many applications related to privacy-preserving schemes
• Types of HE
  • Additively HE (e.g. Goldwasser-Micali, Okamoto-Uchiyama, Paillier, lifted-ElGamal)
    • $\mathrm{Enc}(m) + \mathrm{Enc}(m') = \mathrm{Enc}(m + m')$
  • Multiplicatively HE (e.g. RSA, ElGamal)
    • $\mathrm{Enc}(m) \times \mathrm{Enc}(m') = \mathrm{Enc}(mm')$
  • Fully HE (e.g. Gentry, BGV, BV, GSW, ...)
    • Can do homomorphic addition and multiplication
6. Pros and Cons
• Additively HE, multiplicatively HE
  • Applications are restricted
• Fully HE (FHE)
  • Any computation is possible, but inefficient
  • Security relies on less standard assumptions
• Leveled HE
  • The number of homomorphic multiplications is restricted
  • An intermediate notion between additive/multiplicative HE and FHE

                  A/M HE      Leveled HE   FHE
  Efficiency      very good   medium       bad
  Functionality   medium      good         very good
7. Two-level HE
• HE that allows one homomorphic multiplication
• Allows degree-2 polynomial homomorphic evaluations
• Allows the inner product of two vectors
  • $x = (x_1, x_2, \dots)$, $y = (y_1, y_2, \dots)$
  • $\sum_i \mathrm{Enc}_1(x_i) \times \mathrm{Enc}_1(y_i) = \mathrm{Enc}_2\left(\sum_i x_i y_i\right)$
(Figure: a worked example with level-1 values 1, 2, 3, 3, 4 and level-2 values 12, 12, 13, 25 combined by × and +; legend: Level-1, Level-2.)
8. Applications
• Secure 2-DNF formula evaluation
• Delegated secure inner product on encrypted data
• Efficient (symmetric) private information retrieval
• Cross tabulation on encrypted data
• Efficient election protocol
• ...
9. Existing Two-level HE
• Boneh, Goh, Nissim (TCC 2005)
  • Based on composite-order pairings, hence much less efficient
• Freeman (EUROCRYPT 2010)
  • Composite-to-prime-order transformation framework, applied to BGN
• Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
  • Improving Freeman's framework
  • Only Type 1 pairings, inefficient
• Catalano, Fiore (ACM CCS 2015)
  • Transformation from d-level HE to (2d)-level HE
  • Instantiations are not necessarily efficient
• AHM+ (AsiaCCS 2018): this talk
  • Efficient construction based on the lifted-ElGamal encryption
  • Portable high-speed implementations
• Note:
  • Decryption in all these schemes requires a discrete log (DL)
  • Hence the plaintext space should be sufficiently small (up to 32 bits)
10. An Efficient Construction of Two-level HE
11. Basic Idea
• Existing schemes
  • Establish a "broader fundamental & theoretical framework"
  • Then construct L2HE as an "application"
• Our scheme
  • Concentrate on an "L2HE-dedicated design"
  • Start from "promising tools" for fast HE, i.e. Type-3 pairings and ElGamal
  • Not general, but fully tuned for L2HE
12. An Efficient Construction
• Combine the lifted-ElGamal encryption scheme with Type 3 pairings
  • First, straightforwardly construct two-level HE
  • Then consider a "simpler" construction
  • Whereas Freeman considered a conversion from composite to prime order
• Level-1 (L1) ciphertext (CT) is the same as lifted-ElGamal
• Format of level-2 (L2) CT is the same as in Freeman's scheme
• Note: Type 3 pairings
  • Cyclic groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ of prime order $p$ with a bilinear map $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
  • $e(aP, bQ) = e(P, Q)^{ab}$ for $a, b \in \mathbb{Z}_p$, $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$
  • $\mathbb{G}_1 \neq \mathbb{G}_2$ and there is no efficient map between $\mathbb{G}_1$ and $\mathbb{G}_2$
13. Summary of Constructions
(Figure, two columns:)
• Freeman (EUROCRYPT 2010): BGN scheme based on composite order → construction by converting → BGN (Freeman) scheme based on prime order (includes 2-level HE)
• AHM+ (AsiaCCS 2018, this talk): lifted-ElGamal $\mathrm{Enc}(m) = (g^m h^r, g^r)$ and Type 3 pairing $e(aP_1, bP_2) = g_T^{ab}$ → construction by combining algebraic structures → AHM+ 2-level HE scheme
14. Setup and Key Generation
• Setup
  • Cyclic group $\mathbb{G}_i = \langle P_i \rangle$ over an elliptic curve with prime order $p$, for $i = 1, 2$
  • $\mathbb{G}_T = \langle g_T \rangle$, where $g_T = e(P_1, P_2)$
• Key generation
  • Secret key $s_1, s_2 \in \mathbb{Z}_p$ generated at random
  • Public key $Q_1 = s_1 P_1$, $Q_2 = s_2 P_2$ (with optional precomputation $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$)
• Note: colors on the slide
  • Green: public part
  • Blue: secret and hidden part
15. Level-1 CT and Enc./Dec.
• Encrypt
  • Plaintext $m$ and randomness $r$
  • $\mathrm{Enc}_{\mathbb{G}_i}(m) = (mP_i + rQ_i,\ rP_i)$ for $i = 1, 2$
  • Duplicated form: $\mathrm{Enc}_1(m) := (\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m))$
  • Note: an element of $\mathbb{G}_1$ can be multiplied with an element of $\mathbb{G}_2$ only, and vice versa, so the duplicated form is needed for general usage
• Decrypt
  • For $i = 1, 2$, decrypt $\mathrm{Enc}_{\mathbb{G}_i}(m) = (S, T)$ by $S - s_i T = mP_i + rQ_i - s_i r P_i = mP_i$, and then solve the DL to obtain $m$
• Almost the same as lifted-ElGamal
16. Homomorphic Addition on L1 CT
• For $i = 1, 2$,
  $\mathrm{Enc}_{\mathbb{G}_i}(m_1) + \mathrm{Enc}_{\mathbb{G}_i}(m_2) = (m_1 P_i + r_1 Q_i,\ r_1 P_i) + (m_2 P_i + r_2 Q_i,\ r_2 P_i) = ((m_1 + m_2) P_i + (r_1 + r_2) Q_i,\ (r_1 + r_2) P_i) = \mathrm{Enc}_{\mathbb{G}_i}(m_1 + m_2)$
• Also the same as lifted-ElGamal
(Figure: level-1 ciphertexts of 1 and 2 added to give 3.)
17. Homomorphic Multiplication
• $C_1 = (S_1, T_1) = (m_1 P_1 + r_1 Q_1,\ r_1 P_1) = \mathrm{Enc}_{\mathbb{G}_1}(m_1) \in \mathbb{G}_1^2$
• $C_2 = (S_2, T_2) = (m_2 P_2 + r_2 Q_2,\ r_2 P_2) = \mathrm{Enc}_{\mathbb{G}_2}(m_2) \in \mathbb{G}_2^2$
• $C_1 \times C_2 := (e(S_1, S_2),\ e(S_1, T_2),\ e(T_1, S_2),\ e(T_1, T_2)) = (z_1^{m_1 m_2} z_4^{\tau'},\ z_2^{\sigma'},\ z_3^{\rho'},\ z_1^{\sigma' + \rho' - \tau'}) = \mathrm{Enc}_2(m_1 m_2) \in \mathbb{G}_T^4$
  • $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
• Tensor product of $C_1$ and $C_2$
• Its result is a level-2 ciphertext
(Figure: level-1 ciphertexts of 3 and 4 multiplied to give a level-2 ciphertext of 12.)
18. Homomorphic Addition on L2 CT
• $\mathrm{Enc}_2(m_1) + \mathrm{Enc}_2(m_2) = (z_1^{m_1} z_4^{\tau_1},\ z_2^{\sigma_1},\ z_3^{\rho_1},\ z_1^{\sigma_1 + \rho_1 - \tau_1}) + (z_1^{m_2} z_4^{\tau_2},\ z_2^{\sigma_2},\ z_3^{\rho_2},\ z_1^{\sigma_2 + \rho_2 - \tau_2}) = (z_1^{m_1 + m_2} z_4^{\tau_1 + \tau_2},\ z_2^{\sigma_1 + \sigma_2},\ z_3^{\rho_1 + \rho_2},\ z_1^{(\sigma_1 + \sigma_2) + (\rho_1 + \rho_2) - (\tau_1 + \tau_2)}) = \mathrm{Enc}_2(m_1 + m_2)$
• Usual vector addition (componentwise in $\mathbb{G}_T$)
(Figure: level-2 ciphertexts of 12 and 13 added to give 25.)
19. Decryption for Level-2 CT
• Decrypting a level-2 ciphertext $(c_1, c_2, c_3, c_4)$:
  $\mathrm{Dec}_2(c_1, c_2, c_3, c_4) := \dfrac{c_1 c_4^{s_1 s_2}}{c_2^{s_2} c_3^{s_1}} = \dfrac{e(S_1, S_2)\, e(s_1 T_1, s_2 T_2)}{e(S_1, s_2 T_2)\, e(s_1 T_1, S_2)} = e(S_1 - s_1 T_1,\ S_2 - s_2 T_2) = e(mP_1, m'P_2) = e(P_1, P_2)^{mm'}$,
  then solve the DLP to obtain $mm'$
• Note: $(c_1, c_2, c_3, c_4) = (z_1^{mm'} z_4^{\tau},\ z_2^{\sigma},\ z_3^{\rho},\ z_1^{\sigma + \rho - \tau}) \in \mathbb{G}_T^4$, where $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
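The operations of slides 14 through 19 (key generation, level-1 encryption and addition, the pairing multiplication into a level-2 ciphertext, level-2 addition and Dec2, plus the ReRand of the benchmark tables) carried through end to end, as an added example that is not code from the talk or from mcl. It runs the scheme over an insecure toy bilinear group constructed here ($\mathbb{G}_1 = \mathbb{G}_2 = \mathbb{G}_T = (\mathbb{Z}_p, +)$ with $e(X, Y) = XY \bmod p$), so the prime, the generators and the plaintext bound are assumptions; the algebra is exactly the slides', only the group arithmetic is a stand-in for a pairing-friendly curve.

```python
import secrets

# Insecure toy groups, constructed for this example: G1 = G2 = G_T = (Z_p, +),
# scalar multiplication is a*X mod p and e(X, Y) = X*Y mod p is bilinear. DL is
# trivial here, so this checks the scheme's algebra only; a real deployment uses
# pairing-friendly curve groups (e.g. BN462 via mcl) with the same code shape.
P = 2**61 - 1                 # toy prime group order
P1, P2 = 3, 7                 # toy generators of G1 and G2
GT = P1 * P2 % P              # g_T = e(P1, P2)
MAX_PT = 1 << 12              # small plaintext space: decryption solves a DL

def smul(a, X):               # a*X in an additive group
    return a * X % P
def pair(X, Y):               # e(X, Y); G_T is written additively in this toy
    return X * Y % P
def keygen():                 # sk = (s1, s2), pk = (Q1, Q2) = (s1*P1, s2*P2)
    s1, s2 = secrets.randbelow(P), secrets.randbelow(P)
    return (s1, s2), (smul(s1, P1), smul(s2, P2))
def enc_g(Pi, Qi, m):         # lifted-ElGamal in G_i: (m*Pi + r*Qi, r*Pi)
    r = secrets.randbelow(P)
    return ((smul(m, Pi) + smul(r, Qi)) % P, smul(r, Pi))
def enc1(pk, m):              # duplicated level-1 CT: (Enc_G1(m), Enc_G2(m))
    return (enc_g(P1, pk[0], m), enc_g(P2, pk[1], m))
def add1(a, b):               # componentwise addition in G1 and in G2
    return tuple(((x[0] + y[0]) % P, (x[1] + y[1]) % P) for x, y in zip(a, b))
def mult(c1, c2):             # tensor product: G1 half of c1 with G2 half of c2
    (S1, T1), (S2, T2) = c1[0], c2[1]
    return (pair(S1, S2), pair(S1, T2), pair(T1, S2), pair(T1, T2))
def add2(a, b):               # level-2 addition: componentwise in G_T
    return tuple((x + y) % P for x, y in zip(a, b))
def dlog(target, base):       # brute-force DL over the small plaintext space
    for m in range(MAX_PT):
        if smul(m, base) == target:
            return m
    raise ValueError("plaintext out of range")
def dec1(sk, c):              # S - s1*T = m*P1, then solve the DL
    S, T = c[0]
    return dlog((S - smul(sk[0], T)) % P, P1)
def dec2(sk, c):              # c1 * c4^(s1 s2) / (c2^s2 * c3^s1) = e(P1,P2)^(m m')
    s1, s2 = sk
    x = (c[0] + smul(s1 * s2, c[3]) - smul(s2, c[1]) - smul(s1, c[2])) % P
    return dlog(x, GT)
def rerand2(pk, c):           # ReRand2(c) = c + Enc2(0), Enc2(0) = Enc1(0) x Enc1(0)
    return add2(c, mult(enc1(pk, 0), enc1(pk, 0)))
def inner_product(pk, xs, ys):   # sum_i Enc1(x_i) x Enc1(y_i) = Enc2(<x, y>)
    acc = (0, 0, 0, 0)           # identity of G_T^4 in additive notation
    for x, y in zip(xs, ys):
        acc = add2(acc, mult(enc1(pk, x), enc1(pk, y)))
    return rerand2(pk, acc)
```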
20. Size and Benchmark on BN462
• Note:
  • x64 Linux on Core i7-6700
  • Without compressed form
  • Lookup tables used for decryption (20-bit plaintext)

  Calc. time (msec)          Bit size
  Enc1      0.452            Secret key   924
  Enc2      1.14             Public key   27720
  Dec1      9.01             Dup. L1 CT   5544
  Dec2      10.01            L2 CT        22176
  ReRand1   0.447
  ReRand2   1.14
  Add1      0.0109
  Add2      0.0231
  Mult      8.47
21. Comparison of Size
• Fre10: Freeman's scheme (EUROCRYPT 2010)
• Compare bit sizes on a 462-bit Barreto-Naehrig (BN) curve
22. Comparison of Time
• CT: ciphertext
• Fre10: Freeman's scheme in EUROCRYPT 2010
• Compare calculation times on a 462-bit BN curve
23. Proving the Knowledge of Plaintexts
• Zero-knowledge proof protocols can be applied
• Example 1: duplicated form of L1 CT
  • Dup. L1 CT is $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m'))$
  • Attach a proof of "$m = m'$"
• Example 2: proving that a CT encrypts a bit
  • Attach a proof of "the encrypted plaintext is 0 or 1"
• Applications: voting, two-party computation
24. Proof of Equality
• Duplicated L1 CT:
  • $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m')) = ((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1,\ \rho P_1),\ (m'P_2 + \sigma Q_2,\ \sigma P_2))$, where $\rho, \sigma \leftarrow \mathbb{Z}_p$ are chosen at random
• Should satisfy "$m = m'$"
• Equality can be proved in the same way as a NIZK DH-tuple proof
25. NIZK Proof of Equality
• L1 CT: $((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1,\ \rho P_1),\ (m'P_2 + \sigma Q_2,\ \sigma P_2))$
• Prove:
  • Randomly choose $r_\rho, r_\sigma, r_m \leftarrow \mathbb{Z}_p$
  • $(R_1, R_2, R_3, R_4) \leftarrow (r_m P_1 + r_\rho Q_1,\ r_\rho P_1,\ r_m P_2 + r_\sigma Q_2,\ r_\sigma P_2)$
  • $c \leftarrow H(\text{public param}, C_1, C_2, C_3, C_4, R_1, R_2, R_3, R_4)$
  • $(s_\rho, s_\sigma, s_m) \leftarrow (r_\rho + c\rho,\ r_\sigma + c\sigma,\ r_m + cm)$
  • Proof $\pi = (c, s_\rho, s_\sigma, s_m)$
• Verify:
  • Check $c = H(\text{public param}, C_1, C_2, C_3, C_4, R'_1, R'_2, R'_3, R'_4)$, where $(R'_1, R'_2, R'_3, R'_4) \leftarrow (s_m P_1 + s_\rho Q_1 - cC_1,\ s_\rho P_1 - cC_2,\ s_m P_2 + s_\sigma Q_2 - cC_3,\ s_\sigma P_2 - cC_4)$
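The Fiat-Shamir proof of equality from slides 24 and 25, as an added example that is not the talk's or mcl's code. It uses the same constructed toy groups as the scheme example above (an assumption; on a real curve only the group arithmetic changes), takes SHA-256 as $H$ over the public parameters, the ciphertext and the commitments, and shows why a single response $s_m$ ties the two halves together: a duplicated ciphertext with $m \neq m'$ does not verify.

```python
import hashlib
import secrets

# Same insecure toy groups as the scheme example (G1 = G2 = (Z_p, +)), constructed
# for illustration; on a real curve only the group arithmetic below changes.
P = 2**61 - 1
P1, P2 = 3, 7

def smul(a, X):               # a*X in an additive group
    return a * X % P
def keygen():                 # sk = (s1, s2), pk = (Q1, Q2) = (s1*P1, s2*P2)
    s1, s2 = secrets.randbelow(P), secrets.randbelow(P)
    return (s1, s2), (smul(s1, P1), smul(s2, P2))
def enc_dup(pk, m, m_prime):  # duplicated L1 CT; m_prime != m builds a bad CT
    rho, sigma = secrets.randbelow(P), secrets.randbelow(P)
    ct = ((smul(m, P1) + smul(rho, pk[0])) % P, smul(rho, P1),
          (smul(m_prime, P2) + smul(sigma, pk[1])) % P, smul(sigma, P2))
    return ct, rho, sigma     # the prover keeps rho, sigma as its witness
def challenge(pk, ct, R):     # c = H(public params, C1..C4, R1..R4) via SHA-256
    data = "|".join(str(v) for v in (P, P1, P2, *pk, *ct, *R)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % P
def prove(pk, ct, m, rho, sigma):
    r_rho, r_sig, r_m = (secrets.randbelow(P) for _ in range(3))
    R = ((smul(r_m, P1) + smul(r_rho, pk[0])) % P, smul(r_rho, P1),
         (smul(r_m, P2) + smul(r_sig, pk[1])) % P, smul(r_sig, P2))
    c = challenge(pk, ct, R)
    s_rho, s_sig = (r_rho + c * rho) % P, (r_sig + c * sigma) % P
    s_m = (r_m + c * m) % P   # one s_m for both halves is what ties m to m'
    return c, s_rho, s_sig, s_m
def verify(pk, ct, proof):    # recompute R' from the responses and re-hash
    c, s_rho, s_sig, s_m = proof
    C1, C2, C3, C4 = ct
    R = ((smul(s_m, P1) + smul(s_rho, pk[0]) - smul(c, C1)) % P,
         (smul(s_rho, P1) - smul(c, C2)) % P,
         (smul(s_m, P2) + smul(s_sig, pk[1]) - smul(c, C3)) % P,
         (smul(s_sig, P2) - smul(c, C4)) % P)
    return c == challenge(pk, ct, R)
```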
26. Security
27. Confidentiality
• The shown scheme is IND-CPA secure under the SXDH assumption
• Note 1: IND-CPA (INDistinguishability against Chosen Plaintext Attack)
  • The plaintext is hidden from the ciphertext
  • Standard baseline security notion
• Note 2: SXDH (Symmetric eXternal Diffie-Hellman) assumption
  • For $P_1 \in \mathbb{G}_1$, $P_2 \in \mathbb{G}_2$ and random $\alpha, \beta, \gamma$, the tuples $(P_1, \alpha P_1, \beta P_1, \alpha\beta P_1) \approx (P_1, \alpha P_1, \beta P_1, \gamma P_1)$ and $(P_2, \alpha P_2, \beta P_2, \alpha\beta P_2) \approx (P_2, \alpha P_2, \beta P_2, \gamma P_2)$ are computationally indistinguishable
28. Circuit Privacy
• The shown scheme is circuit private
  • Namely, $\mathrm{ReRand}_i(c) \approx \mathrm{Enc}_i(\mathrm{Dec}_i(c))$
  • Rerandomization: $\mathrm{ReRand}_i(c) := c + \mathrm{Enc}_i(0)$
  • $\mathrm{ReRand}_i(c)$ removes the trace of the circuit from $c$
• Note: the arithmetic circuit may depend on a secret
  • E.g., for $i = 1, 2$ and a secret integer $n$, $n \times \mathrm{Enc}_i(m) = \sum_{j=1}^{n} \mathrm{Enc}_i(m) = \mathrm{Enc}_i(nm)$
  • Should satisfy $\mathrm{Enc}_i(m) + \mathrm{Enc}_i(m') \approx \mathrm{Enc}_i(m + m')$ and $\mathrm{Enc}_1(m) \times \mathrm{Enc}_1(m') \approx \mathrm{Enc}_2(mm')$
• Note: which of the groups $\mathbb{G}_1$, $\mathbb{G}_2$, $\mathbb{G}_T$ a CT lies in is obvious, so the level of a CT is not hidden
29. Implementation
30. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups
Goichiro Hanaoka*1 (AIST)
31. Our Implementation
• Available in "mcl": a library for pairings
  • BN254, BN381, BN462, BLS12-381
  • C++: https://github.com/herumi/mcl
  • Web browser/Node.js: https://github.com/herumi/she-wasm
• High-performance implementation for x64/ARM64
• WebAssembly (wasm)
  • Runs on Microsoft Edge, Firefox, Chrome and Safari without any plug-ins
• Open source: BSD 3-clause
32. Benchmarks on wasm
• Calculation times in msec
• Use BN254
• Lookup tables used for decryption (20-bit plaintext)

                 Native (x64)               JavaScript with wasm
                 x64 Linux, Core i7-7700    Firefox, Core i7-7700    Safari, iPhone 7
  Enc G1         0.018                      0.3                      0.96
  Enc G2         0.048                      0.82                     1.72
  Add G1         0.00062                    0.016                    0.016
  Add G2         0.002                      0.036                    0.048
  Mult           1.17                       15.6                     24.3
  Dec2           0.66                       7.8                      12.6
33. Demo
34. Importance of WebAssembly (wasm) Implementation
• Large deployment advantages
  • wasm is a portable and fast binary instruction format
  • Runs on many modern browsers
    • Microsoft Edge, Safari, Google Chrome and Mozilla Firefox on Windows, Linux, macOS, iPhone, Android, and so on
  • Requires no plugins
  • Being developed as a web standard via the W3C
  • Distribution is easy
35. Demonstrations of wasm
• Inner product: https://herumi.github.io/she-wasm/she-demo.html
• Oblivious transfer: https://ppdm.jp/ot/
36. Conclusion
• Practical, efficient two-level homomorphic encryption
  • Many additions and one multiplication on encrypted data
  • Based on Type 3 (asymmetric) pairings
  • Combined with the lifted-ElGamal encryption scheme
  • Faster than Freeman's scheme (EUROCRYPT 2010)
• Portable high-performance implementation
  • C++/asm/WebAssembly
  • https://github.com/herumi/mcl
  • https://github.com/herumi/she-wasm
  • Open source: BSD 3-clause
Thank you!