dating + big data user . . . . . . . . dating + big data - - PowerPoint PPT Presentation

. . . . . . . .

encrypted computation

from lattices

Hoeteck Wee

ENS, Paris

. . . . . . . .

dating + big data

user

. . . . . . . .

dating + big data

user profile

limit access?

. . . . . . . .

dating + big data

user profile tall ∧ dark ∧ handsome

. . . . . . . .

dating + big data

user profile (tall ∧ dark ∧ handsome) ∨ (phd ∧ cs)

. . . . . . . .

dating + big data

user me tall dark handsome cs math phd profile (tall ∧ dark ∧ handsome) ∨ (phd ∧ cs)

. . . . . . . .

dating + big data

user me tall dark handsome cs math phd profile (tall ∧ dark ∧ handsome) ∨ (phd ∧ cs)

. . . . . . . .

dating + big data

user me tall dark handsome cs math phd (tall ∧ dark ∧ handsome) ∨ (phd ∧ cs)

. . . . . . . .

dating + big data

user me tall dark handsome cs math phd profile (tall ∧ dark ∧ handsome) ∨ (phd ∧ cs)

. . . . . . . .

dating + big data

user me tall dark handsome cs math phd

collusion

profile (tall ∧ dark ∧ handsome) ∨ (phd ∧ cs)

. . . . . . . .

attribute-based encryption

[GPSW06,SW05]

sender receiver f, M x, skx learns M ⇔ f(x) = 1

M

. . . . . . . .

attribute-based encryption

[GPSW06,SW05]

sender receiver

security against collusions

receiver x′, skx′ + f, M x, skx learns M ⇔ f(x) = 1

M

. . . . . . . .

attribute-based encryption

[GPSW06,SW05]

sender receiver receiver x′, skx′ + f, M x, skx learns M ⇔ f(x) = 1

M

2001 – 2013. shallow circuits

[BF01, CHK04, BB04, GPSW06, W09, LW10, LOSTW10, OT10, ...]

. . . . . . . .

attribute-based encryption

[GPSW06,SW05]

sender receiver receiver x′, skx′ + f, M x, skx learns M ⇔ f(x) = 1

M

• 2013. all circuits from LWE

[Gorbunov Vaikuntanathan W 13, Boneh Gentry Gorbunov Halevi

Nikolaenko Segev Vaikuntanathan Vinayagamurthy 14]

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

+

M

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

+

collusion

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

+

M

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

+ +

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

+

collusion

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

+

collusion

M

mix and match

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

+

collusion

M

mix and match

⇒

insecure against

collusions

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

M ⊕ Rcs ⊕ Rphd Rcs, Rphd Rcs, Rmsc Rbio, Rphd

mix and match

Key Idea.

[GVW13]

strings R → functions φ(·)

• ne-use → many-use

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd φcs(·), φphd(·) φcs(·), φmsc(·) φbio(·), φphd(·)

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd φcs(s), φphd(s) φcs(t), φmsc(t) φbio(u), φphd(u)

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd φcs(s), φphd(s) φcs(t), φmsc(t) φbio(u), φphd(u)

+

M

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd φcs(s), φphd(s) φcs(t), φmsc(t) φbio(u), φphd(u) φcs(s′), φphd(s′)

+

M

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd φcs(s), φphd(s) φcs(t), φmsc(t) φbio(u), φphd(u)

+

collusion

mix and match

φcs(t), φmsc(t) φbio(u), φphd(u)

. . . . . . . .

attribute-based encryption (I)

M

phd ∧ cs cs phd cs msc bio phd

Rcs, Rphd Rcs, Rmsc Rbio, Rphd φcs(s), φphd(s) φcs(t), φmsc(t) φbio(u), φphd(u)

+

collusion

mix and match

φcs(t), φmsc(t) φbio(u), φphd(u)

theorem.

[GVW13]

secure against collusions

works for general circuits

. . . . . . . .

attribute-based encryption (I)

theorem.

[GVW13]

secure against collusions

works for general circuits ∧ φcs φphd ∨ φ1 φ2 ∧ φ4 φ3 φout

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

lemma II .

Ai x f

small Hf x

A x G An xnG Hf x Af f x G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

• correctness. f(x) = 0 ⇒ learns M

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

• correctness. f(x) = 0 ⇒ learns M

s[A1 − x1G | · · · | An − xnG]Hf,x skf = s(Af − f(x)G)

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

• correctness. f(x) = 0 ⇒ learns M

s[A1 − x1G | · · · | An − xnG]Hf,x skf = sAf

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

• correctness. f(x) = 0 ⇒ learns M

s[A1 − x1G | · · · | An − xnG]Hf,x · skf = sAf · skf

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

• correctness. f(x) = 0 ⇒ learns M

s[A1 − x1G | · · · | An − xnG]Hf,x · skf = sP

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A, A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M, sA + e′ Af · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A, A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M, sA + e′ [A | Af] · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A, A1, . . . , An, P s[A1 − x1G | · · · | An − xnG] + e, sP + M, sA + e′ [A | Af] · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x [A1 − x1G | · · · | An − xnG]·Hf,x = Af − f(x)G

• security. M hidden given ciphertext, skf, f(x) ̸= 0

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A, A1, . . . , An, P sAR + e, sP + M, sA + e′ [A | Af] · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x AR·Hf,x = Af − f(x)G

• security. M hidden given ciphertext, skf, f(x) ̸= 0

. . . . . . . .

attribute-based encryption (II)

sender receiver x, M f, skf learns M ⇔ f(x) = 0

M

A, A1, . . . , An, P sAR + e, sP + M, sA + e′ [A | Af] · skf = P

lemma II∗.

∀Ai, ∀x, ∀f, ∃ small Hf,x AR·Hf,x = Af − f(x)G

• security. M hidden given ciphertext, skf =

(−RHf,x

I

) G−1( 1

f(x)P)

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f learns f(x)

• security. semi-honest Bob learns f x and nothing else about x

efficiency.

• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest learns f(x)

• security. semi-honest Bob learns f x and nothing else about x

efficiency.

• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

• security. semi-honest Bob learns f x and nothing else about x

efficiency.

• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

• security. hides x
• efficiency. ≈ Alice sends x
• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

• security. semi-honest Bob learns f(x) and nothing else about x
• efficiency. ≈ Alice sends x
• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

• security. semi-honest Bob learns f(x) and nothing else about x
• efficiency. Alice’s computation independent of f
• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

• security. semi-honest Bob learns f(x) and nothing else about x
• efficiency. Alice’s computation independent of f
• NOTE. naive solution with FHE requires additional interaction

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

construction.

digest = A1, . . . , An, Af

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

construction.

digest = A1, . . . , An, Af ciphertext ≈ s[A1 − x1G | · · · | An − xnG], sAf

. . . . . . . .

laconic function evaluation

[Quach W Wichs 18, CDGGMP17]

alice bob x f digest ciphertext learns f(x)

construction.

digest = A1, . . . , An, Aˆ

f

where ˆ f = fhe.eval(f, ·) [GKPVZ13, GVW12, GVW15, ...]

. . . . . . . .

conclusion

• today. lattices ⇒ encrypted computation

[A1 − x1G | · · · | An − xnG] · Hf,x = Af − f(x)G

• tomorrow. another way to encode computation into lattices

[GGH15, CC17, GKW17, WZ17, CVW18]

. . . . . . . .

conclusion

• today. lattices ⇒ encrypted computation

[A1 − x1G | · · · | An − xnG] · Hf,x = Af − f(x)G

• tomorrow. another way to encode computation into lattices

[GGH15, CC17, GKW17, WZ17, CVW18]

communication

// thank you

. . . . . . . .

internet

// thank you

. . . . . . . .

communication computation

// thank you

. . . . . . . .

big data internet

// thank you

. . . . . . . .

big data internet

// thank you

. . . . . . . .