Computations on Encrypted Data for the Cloud
Secure Cloud Services and Storage Workshop Oslo, Norway - September 10th, 2017
David Pointcheval CNRS - ENS - INRIA

Introduction

One can store
  - Documents to share
  - Pictures to edit
  - Databases to query
and access from everywhere

As from a local hard drive/server, one expects
  - Storage guarantees
  - Privacy guarantees
      - confidentiality of the data
      - anonymity of the users

Some Approaches

Classical encryption protects data:
  - the provider stores them without knowing them
  - nobody can access them either, except the owner

The sender chooses a target set
Users get all-or-nothing about the data
[Fiat-Naor - Crypto ’94]

[Figure: a circuit of AND, OR and NOT gates taking Inputs to Outputs; the same circuit built from encrypted gates EAND, EOR and ENOT taking Encrypted Inputs to Encrypted Outputs]
FHE allows any computation on encrypted data
But the result is encrypted, like the inputs!
[Gentry - STOC ’09] [Rivest-Adleman-Dertouzos - FOCS ’78]

Functional Encryption

The authority generates functional decryption keys DK_f according to functions f
From C = Encrypt(x), Decrypt(DK_f, C) outputs f(x)
This allows controlled sharing of data
[Boneh-Sahai-Waters - TCC ’11]

Functional Encryption allows access control:
  - with f_id(x || y) = (if y = id, then x, else ⊥): identity-based encryption
  - with f_G(x || y) = (if y ∈ G, then x, else ⊥): broadcast encryption
Functional Encryption allows computations:
  - any function f: in theory, with iO (Indistinguishability Obfuscation)
  - concrete functions: inner product

[Figure: a student transcript table (Name; English: Written, Spoken; CS: Theory, Practice; Math: Algebra, Analysis; Year 1, Year 2, Year 3) and the tables derived from it: per-student averages and totals by subject, by year and over the 3 years, and class totals]
For each student: transcript with all the grades
Access to partial information for each student
And even global grades for the class

Inner-Product Functional Encryption

Cells of derived tables are linear combinations:
$c_i = \sum_j a_{i,j} b_j = \vec{a_i} \cdot \vec{b}$
  - $\vec{b}$: vector of the private grades, encrypted in the main table
  - $\vec{a_i}$: vector of the public coefficients for the cell $c_i$, defines $f_i$
With ElGamal encryption: computations modulo p
  - if grades, coefficients, and classes small enough: DLog computation
[Abdalla-Bourse-De Caro-P. - PKC ’15 - EPrint 2015/017]

Initial result: selective security
But improved to adaptive security
Anyway:
  - a malicious player could ask many functional keys
      - too many keys reveal the plaintexts…
  - a unique sender can encrypt a vector
      - Multi-Input Functional Encryption (MIFE)
[Abdalla-Bourse-De Caro-P. - PKC ’15 - EPrint 2015/017]
[Agrawal-Libert-Stehlé - Crypto ’16 - EPrint 2015/608]
[Goldwasser-Gordon-Goyal-Jain-Katz-Liu-Sahai-Shi-Zhou - Eurocrypt ’14 - EPrint 2013/727 - EPrint 2013/774]

IP-FE: from c = E(x) and dk_y, for n-vectors x and y, one gets x.y
  - n different keys reveal x
  - for the indistinguishability between two sets of vectors, the adversary is not allowed to ask keys that trivially tell them apart
    ⇒ if n vectors in the sets, the adversary cannot ask any key!
IP-MIFE: from c_1 = E(x_1), …, c_n = E(x_n) and dk_y, one gets x.y
  - if no ordering: one immediately gets n! linear relations on x
  - even with ordering, if public-key encryption: mix-and-match attack

Improvements

IP-FE with Helper: from c = E(x) and dk_y, for n-vectors x and y, one must ask a helper
the helper
  - learns as little as possible about the input (possibly the ciphertext, the function, the user, etc)
  - limits the number of answers (according to a bound on the inputs)
  - learns nothing about the output
whereas there are additional interactions
  - not much leakage of information to the helper
  - more reasonable security model
[Dupont-P. - AsiaCCS ’17]

IP-MCFE: Multi-Client Functional Encryption with Private Encryption
  - Senders have secret encryption keys ek_i to generate c_i = E(i, 𝛍, x_i) for a label 𝛍
  - From c_1, …, c_n, for the same label 𝛍, and sk_y, one gets x.y
Multi-User Inputs
Mix-and-match attacks avoided by private encryption
More reasonable security model
[Chotard-Phan-P. - Work in progress]

The Grail in Privacy: Machine Learning on Encrypted Data
  - One has access to a HUGE encrypted labeled training data set
  - Functional Encryption outputs the prediction function in clear
No information leaked about the training data?
  - No more than in the prediction function…
  - but the latter may leak a lot about training data with model inversion attacks, even just from black-box prediction queries!
[Fredrikson-Lantz-Jha-Lin-Page-Ristenpart - Usenix Security ’14]

Functional Encryption
  - Ideal functionalities on encrypted data
  - But unlimited access
In practice
  - The ideal functionality leaks a lot!
  - Queries should remain under some control
  - Or answers should be noisy (differential privacy)