Dynamic Decentralized Functional Encryption Jérémy Chotard, Edouard Dufour Sans , Romain Gay, Duong Hieu Phan, and David Pointcheval CRYPTO 2020, Monday August 17th 2020
The technological landscape of the early 21st century • Lots of data. + Much better software products. • Increasing parallel computing power. - Privacy concerns. • Investments in Machine Learning talent. Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Can we protect privacy without sacrificing the benefits of modern data science? Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Isn’t that what FHE is for? • In FHE, a client sends a ciphertext to a server. • The server obliviously computes on the ciphertext. • The client gets back the result. • Multiparty extensions exist. • But no non-interactive way for server to extract intelligence from multiparty data. Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Today’s Topic Allowing a server to aggregate my data with that of other users, non-interactively . Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
The Agenda • How does DDFE relate to FE? • What is DDFE? • Construction of DSum-DDFE • Construction of AoNE-DDFE • Construction of IP-DDFE Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
A Brief History of Functional Encryption Public Key Encryption [Cocks 1973, RSA 1977] Identity-Based Encryption [BF 2001, Cocks 2001] Attribute-Based Encryption [SW 2004, GPSW 2006] Functional Encryption [SW 2008, O’Neill 2010, BSW 2011] Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Functional Encryption is a framework • PKE is not a special case of IBE. It is a weaker primitive. • IBE is not a special case of ABE. It is a weaker primitive. • IBE and ABE are special cases of FE. Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Functional Encryption for Multiple Users Multi Input / Multi Client Function Encryption [GGJS 13, GKLSZ 13] Decentralized Multi Client Functional Encryption [ CDGPP 18] Ad Hoc Multi Input Functional Encryption [ACFGOT 19] Dynamic Decentralized Functional Encryption Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
The Agenda • How does DDFE relate to FE? ✓ • What is DDFE? • Construction of DSum-DDFE • Construction of AoNE-DDFE • Construction of IP-DDFE Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally Alice Bob Charlie Diane Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally We want to train a 10000-layer deep Convolutional Neural Network to do image classification from your photos Alice Bob Not Very Evil Corp™ Charlie Diane Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally Ok, but I care about my Ok, but I care about my Alice Bob privacy… privacy… Ok, but I care about my Ok, but I care about my Charlie Diane privacy… privacy… Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally Alice Bob Date: 3/1/2020 Date: 3/1/2020 To be aggregated with data To be aggregated with data from Bob, Charlie, and Diane from Alice, Charlie, and Diane Charlie Diane Date: 3/1/2020 Date: 3/1/2020 To be aggregated with data To be aggregated with data from Alice, Bob, and Charlie from Alice, Bob, and Diane Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally I cannot learn anything from this data, it’s encrypted! Not Very Evil Corp™ Date: 3/1/2020 Date: 3/1/2020 Date: 3/1/2020 Date: 3/1/2020 To be aggregated with data To be aggregated with data To be aggregated with data To be aggregated with data Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally Alice Allow training of Neural Allow training of Neural Bob Network on data from Me, Network on data from Alice, Bob, Charlie, Diane Me, Charlie, Diane Charlie Diane Allow training of Neural Allow training of Neural Network on data from Alice, Network on data from Alice, Bob, Me, Diane Bob, Charlie, Me Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally Now it’s on! Not Very Evil Corp™ Allow training of Neural Allow training of Neural Allow training of Neural Allow training of Neural Network on data from Me, Network on data from Alice, Network on data from Alice, Network on data from Alice, Date: 3/1/2020 Date: 3/1/2020 Date: 3/1/2020 Date: 3/1/2020 To be aggregated with data To be aggregated with data To be aggregated with data To be aggregated with data Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Informally Allow training of Neural Allow training of Neural Allow training of Neural Allow training of Neural Network on data from Me, Network on data from Alice, Network on data from Alice, Network on data from Alice, Date: 3/1/2020 Date: 3/1/2020 Date: 3/1/2020 Date: 3/1/2020 To be aggregated with data To be aggregated with data To be aggregated with data To be aggregated with data Not Very Evil Corp™ Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Formally • A Functionality ℱ : ℒ ( 𝒬 × ) × ℒ ( 𝒬 × ℳ ) → {0,1}* • : Generate public parameters. Setup ( λ ) • : Generate my public/private key pair. pk , sk pk ← KeyGen () : Generate a ciphertext . • Encrypt ( sk pk , m ) ct pk : Generate a functional key . • DKeyGen ( sk pk , k ) dk pk , k : Evaluate . ℱ • Decrypt (( dk pk , k pk ) pk ∈𝒱 K , ( ct pk ) pk ∈𝒱 M ) Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Functionality examples • = 𝒯 ( 𝒬 ) × 𝒟 Set of users and a Allow training of Neural Network on data from Me, circuit Bob, Charlie, Diane • ℳ = ℐ mages × ates × 𝒯 ( 𝒬 ) An image, a date, a set Date: 3/1/2020 of users To be aggregated with data from Bob, Charlie, and Diane Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DDFE - Functionality examples ℱ (( pk , ( 𝒱 , NN_training )) pk ∈𝒱 , ( pk , ( x pk , Date , 𝒱 )) pk ∈𝒱 ) = NN_training (( x pk ) pk ∈𝒱 ) • 𝒱 M = 𝒱 K = 𝒱 Allow training of Neural Network on data from Me, Bob, Charlie, Diane • is the same for all cts Date • NN_training is the same for all keys Date: 3/1/2020 To be aggregated with data from Bob, Charlie, and Diane Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
The Agenda • How does DDFE relate to FE? ✓ • What is DDFE? ✓ • Construction of DSum-DDFE • Construction of AoNE-DDFE • Construction of IP-DDFE Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DSum-DDFE: The functionality - Sums over an Abelian Group . 𝔹 - ℳ = 𝔹 × 𝒯 ( 𝒬 ) × {0,1}* A group element, a set of users, a label. - = ∅ No keys. ℱ ( ϵ , ( pk , ( x pk , 𝒱 , ℓ )) pk ∈𝒱 ) = ∑ - x pk pk ∈𝒱 Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
If the user can compute pk a mask such that r pk , 𝒱 , ℓ ∈ 𝔹 ∑ , r pk ′ , 𝒱 , ℓ = 0 pk ′ ∈𝒱 then they can just publish x pk + r pk , 𝒱 , ℓ Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Can we sample from ∑ ( r pk ) pk ∈𝒱 r pk = 0 pk ∈𝒱 in a decentralized and non-interactive way? Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DSum-DDFE: Sum-of-PRFs [Waters in CC09] • Computational solution. • Compute shared randomnesses via DH. K pk , pk ′ • Compute as r pk , 𝒱 , ℓ F K pk , pk ′ ( ℓ ) − ∑ ∑ F K pk , pk ′ ( ℓ ) pk ′ ∈ 𝒱 pk ′ ∈ 𝒱 pk ′ < pk pk < pk ′ Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DSum-DDFE: Technical Difficulties x Alice = 3 ∈ ℤ 2 32 Alice 𝒱 = { Alice , Bob } Bob ℓ = Today Charlie Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
DSum-DDFE: Technical Difficulties x Alice = 3 ∈ ℤ 2 32 Alice 𝒱 = { Alice , Bob } Bob ℓ = Today I learn nothing. Charlie Edouard Dufour Sans Dynamic Decentralized Functional Encryption CRYPTO 2020
Recommend
More recommend
