Homomorphic Secret Sharing, by Elette Boyle, Niv Gilboa and Yuval Ishai (PowerPoint PPT presentation)

  1. Homomorphic Secret Sharing. Elette Boyle (IDC), Niv Gilboa (BGU), Yuval Ishai (Technion & UCLA)

  2. Primitives / Assumptions timeline: 1970 PKE; 1980 Signatures, ZK, OT; Factoring, Discrete Log; 1990 Secure Computation; 2000; 2010

  3. Primitives / Assumptions timeline: 1970 PKE; 1980 Signatures, ZK, OT; Factoring, Discrete Log; 1990 Secure Computation; 2000; 2010
     • Minimize communication?
     • Minimize interaction?
     • Minimize local computation?

  4. Primitives / Assumptions timeline: 1970 PKE; 1980 Signatures, ZK, OT; Factoring, Discrete Log; 1990 Secure Computation; 2000 Bilinear Maps, IBE, ABE, FHE; 2010 Lattices, FE, iO

  5. Fully Homomorphic Encryption [RAD79, Gen09]. Diagram: x → Enc_pk → [x] → Eval P → [P(x)] → Dec_sk → P(x). Function privacy. Compactness: |Dec| << |P|.

  6. State of the FHE
     • The good
       – Huge impact on the field
       – Solid foundations [BV11, …]
       – Major progress on efficiency [BGV12, HS15, DM15, CGGI16]
     • The not so good
       – Narrow set of assumptions and underlying structures, all related to lattices
         • Susceptible to lattice reduction attacks and other attacks
       – Concrete efficiency still leaves much to be desired
     Aside: given a generic group G:
       • Unconditionally secure PKE and even secure computation
       • Not known to be helpful for FHE

  7. IN SOME SENSE

  8. Recall: FHE. Diagram: x → Enc_pk → [x] → Eval P → [P(x)] → Dec_sk → P(x).

  9. “1/2 FHE”. Diagram: x → Enc_pk → [x]_1, [x]_2 (each computationally hides x) → Eval P on each → [P(x)]_1, [P(x)]_2 → Dec_sk → P(x).

  10. (2-Party) Homomorphic Secret Sharing. Diagram: x → Share → [x]_1, [x]_2 → Eval P on each → [P(x)]_1, [P(x)]_2 → Dec = ⊕ → P(x).

  11. (2-Party) Homomorphic Secret Sharing. Diagram: x → Share → [x]_1, [x]_2 → Eval P on each → [P(x)]_1, [P(x)]_2 → Dec = + → P(x).

  12. HSS vs. FHE
     • HSS is generally weaker …
       – 2 (or more) shares vs. a single ciphertext
       – Non-collusion assumption
     • … but has some advantages
       – Ultimate output compactness
       – Efficient and public decoding
       – Can aggregate many outputs

  13. Applications: Delegating Computations to the Cloud. HSS: [x]_1, [x]_2 → [P(x)]_1, [P(x)]_2 → ⊕ → P(x). FHE: [x] → [P(x)] → Dec with sk → P(x).

  14. Applications: Delegating Computations to the Cloud. HSS: [x]_1, [x]_2 → [P(x)]_1, [P(x)]_2 → ⊕ → P(x). FHE: [x] → [P(x)] → Dec with sk → P(x).
     Bonus features:
       • Multiple clients
       • Useful also for small P

  15. Applications: Communication complexity of securely computing C? (inputs (a,b), output C(a,b))
     • Classically: > |C| [Yao86, GMW87, BGW88, CCD88, …] … even for restricted classes, such as formulas
     • Using FHE: ~ |input| + |output|

  16. Applications: Succinct Secure Computation. FHE: the party holding a sends [a] (keeping sk); the party holding b returns [C_b(a)]; decryption gives C(a,b). HSS: (a,b) → [(a,b)]_1, [(a,b)]_2 → Eval on each → [C(a,b)]_1, [C(a,b)]_2 → C(a,b).
     Bonus features:
       • Beats FHE for long outputs
       • Useful for generating correlations

  17. HSS for Circuits from LWE via FHE
     • From multi-key FHE [LTV12, CM15, MW16, DHRW16]
       – “Additive-spooky” encryption [Dodis-Halevi-Rothblum-Wichs16]
     • From threshold FHE [AJLTVW12, BGI15, DHRW16]

  18. HSS without FHE? 20th century assumptions?

  19. Coming Up
     • HSS for “simple” functions from OWF
     • HSS for branching programs from DDH
     • Many open questions

  20. Low-End HSS from OWF

  21. Function Secret Sharing [BGI15]
     • Reverse roles of function/program and input
     • Share size can grow with program size
     Diagram: P → Share → [P]_1, [P]_2; each party runs Eval on the public input x → [P(x)]_1, [P(x)]_2 → ⊕ → P(x).

  22. Function Secret Sharing [BGI15]
     • Reverse roles of function/program and input
     • Share size can grow with program size
     • Very efficient constructions for “simple” classes from one-way functions [GI14, BGI15, BGI16]
       - Point functions
       - Intervals
       - Decision trees
     • Applications to privacy-preserving data access
       - Reading (e.g., PIR [CGKS95, CG97], “Splinter” [WYGVZ17])
       - Writing (e.g., private storage [OS98], “Riposte” [CBM15], “PULSAR” [DARPA-Brandeis])
     Diagram as on slide 21: P → Share → [P]_1, [P]_2; Eval on x → [P(x)]_1, [P(x)]_2 → ⊕ → P(x).

  23. Distributed Point Functions
     • Point function f_{α,β}: {0,1}^n → G
       – f_{α,β}(α) = β
       – f_{α,β}(x) = 0 for x ≠ α
     • DPF = FSS for the class of point functions
       – Simple solution: share the truth table of f_{α,β}
       – Goal: poly(n) share size
     • Implies OWF
       – Super-poly DPF implicit in PIR protocols [CGKS95, CG97]

  24. Applications: Reading
     • Keyword search [CGN96, FIPR05, OS05, HL08, …]: Server 1 and Server 2 each hold X = {x_1, …, x_N}, x_i ∈ {0,1}^n. The client, asking “Is x ∈ X?”, shares the point function f_{x,1}: {0,1}^n → Z_2 as (f_1, f_2). Server 1 returns y_1 = ⊕_i f_1(x_i), Server 2 returns y_2 = ⊕_i f_2(x_i), and the client computes y_1 ⊕ y_2.
     • 1-bit answers! No data structures, no error. Works well on streaming data.

  25. Applications: Reading
     • Keyword search with payloads: Server 1 and Server 2 each hold X = {(x_1,p_1), …, (x_N,p_N)}, x_i ∈ {0,1}^n. The client shares f_{x,1}: {0,1}^n → Z_2 as (f_1, f_2). Server 1 returns y_1 = ⊕_i p_i · f_1(x_i), Server 2 returns y_2 = ⊕_i p_i · f_2(x_i), and y_1 ⊕ y_2 gives the client the payload of keyword x.

  26. Applications: Reading
     • Generalized keyword search: Server 1 and Server 2 each hold X = {x_1, …, x_N}, x_i ∈ {0,1}^n. The client shares f: {0,1}^n → Z_u as (f_1, f_2). Server 1 returns y_1 = Σ_i f_1(x_i), Server 2 returns y_2 = Σ_i f_2(x_i), and y_1 + y_2 tells the client how many x_i satisfy f(x_i) = 1.

  27. Applications: Reading
     • Generalized keyword search with payloads? Server 1 and Server 2 each hold X = {(x_1,p_1), …, (x_N,p_N)}, x_i ∈ {0,1}^n. The client shares f: {0,1}^n → Z_u as (f_1, f_2). Server 1 returns y_1 = Σ_i E(p_i) · f_1(x_i), Server 2 returns y_2 = Σ_i E(p_i) · f_2(x_i), and from y_1 + y_2 the client can return (some) p_i with f(x_i) = 1.

  28. Applications: Writing
     • PIR-writing [OS98, …] (“private information storage”): X = (x_1, …, x_N), x_i ∈ {0,1}^d, is held as shares X^1 on Server 1 and X^2 on Server 2. The client shares f_{α,β}: [N] → Z_2^d as (f_1, f_2); Server 1 updates X^1_i ← X^1_i ⊕ f_1(i) for every i (Server 2 likewise with f_2), which has the net effect X_α ← X_α ⊕ β.

  29. Applications: Writing
     • Secure aggregation: Subscriber 1, Subscriber 2, … report against the tracked items α_1, …, α_10; a subscriber reporting α = “msnbc.com” should cause X_α += 1.

  30. Applications: Writing
     • Secure aggregation: Server 1 holds X^1 and Server 2 holds X^2 over the tracked items α_1, …, α_10. A client reporting α (e.g., α = “penisland.com”) shares f_{α,1}: {0,1}^n → Z_u as (f_1, f_2); Server 1 updates X^1_i ← X^1_i + f_1(α_i) for every tracked α_i (Server 2 likewise with f_2), so that X_α += 1.
       - Client doesn’t need to know which items are being tracked
       - Server work proportional to number of items being tracked

  31. Applications: Writing
     • Large scale MPC over small domains (Server 1 holds X^1, Server 2 holds X^2)

  32. Applications: Writing
     • Anonymous messaging [CBM15]: a client wanting to anonymously post m sends share f_1 to Server 1 (holding X^1) and share f_2 to Server 2 (holding X^2).

  33. Applications: Writing
     • Anonymous messaging [CBM15]: several clients, holding m, m′ and m″ respectively, each anonymously post their message by sending share f_1 to Server 1 (X^1) and share f_2 to Server 2 (X^2).

  34. PRG-based DPF
     • Let <x> denote additive (XOR) secret sharing
       – <x> = (x_1, x_2) s.t. x_1 - x_2 = x
     • Exploit two simple types of homomorphism
       – Additive: <x>, <y> → <x+y> by local addition
       – Weak expansion: <x> → <X> by locally applying a PRG
         • x = 0^λ → X = 0^{2λ}
         • x = random → X = pseudo-random

  35. PRG-based DPF. Share 1 and share 2 define two correlated “GGM-like” trees; the path labelled by the bits α_1, α_2, α_3, α_4 leads to the leaf holding β.

  36. PRG-based DPF. Invariant for Eval: for each node v on the evaluation path we have <S>|<b>, with S a λ-bit string and b a single bit.

  37. PRG-based DPF. The root holds <$>|<1>. Invariant for Eval: for each node v on the evaluation path we have <S>|<b>
     • v on the special path: S is pseudorandom, b = 1
     • v off the special path: S = 0, b = 0

  38. PRG-based DPF (same text as slide 37)

  39. Gadget: Conditional Correction. Given <R> = (R_1, R_2) with R_1 ∈ {0,1}^k and R_2 = R_1 ⊕ R, <b> = (b_1, b_2) with b_1 ∈ {0,1} and b_2 = b_1 ⊕ b, and a string Δ ∈ {0,1}^k known to both parties, each party locally computes R_i ⊕ b_i · Δ; the two results form <R ⊕ b · Δ>.

  40. PRG-based DPF. Starting from the root shares [$],[1] and applying the correction words Δ_1, Δ_2, …, Δ_n level by level, the leaf is corrected to <β>,<0>.
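The following Python is an added worked example, not code from the talk or from the BGI papers: it implements the PRG-based 2-party DPF of slides 34 to 40 (GGM-like tree, <S>|<b> invariant, conditional-correction gadget) and then uses it for the keyword-search servers of slide 24 and the PIR-writing servers of slide 28. It assumes SHAKE-256 as the PRG, an XOR output group of 128-bit strings, and the function names are my own.

```python
import os, hashlib, functools
LAM = 16  # seed length in bytes (lambda = 128 bits)

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

def prg(seed):
    """PRG {0,1}^lam -> {0,1}^(2(lam+1)) as on slide 41; SHAKE-256 stands in for it (assumption)."""
    out = hashlib.shake_256(seed).digest(2 * LAM + 2)
    return out[:LAM], out[2 * LAM] & 1, out[LAM:2 * LAM], out[2 * LAM + 1] & 1  # sL, tL, sR, tR

def dpf_gen(alpha, beta, n):
    """Share f_{alpha,beta}: {0,1}^n -> {0,1}^(8*LAM) with XOR output; returns (key0, key1)."""
    seeds = [os.urandom(LAM), os.urandom(LAM)]   # root: <S> is pseudorandom and <b> = 1
    s, t, cws = list(seeds), [0, 1], []
    for i in range(n):
        a = (alpha >> (n - 1 - i)) & 1            # bit of alpha chosen at this level
        ch = [prg(s[0]), prg(s[1])]               # (sL, tL, sR, tR) for party 0 and party 1
        lose, keep = (2, 0) if a == 0 else (0, 2) # tuple index of the child off / on the special path
        # Correction word: force <S>=0,<b>=0 on the "lose" child and keep <b>=1 on "keep".
        s_cw = xor(ch[0][lose], ch[1][lose])
        t_cw = (ch[0][1] ^ ch[1][1] ^ a ^ 1, ch[0][3] ^ ch[1][3] ^ a)  # (tL_cw, tR_cw)
        cws.append((s_cw, t_cw))
        for b in (0, 1):                          # advance both parties along the special path
            s_b, t_b = ch[b][keep], ch[b][keep + 1]
            if t[b]:
                s_b, t_b = xor(s_b, s_cw), t_b ^ t_cw[keep // 2]
            s[b], t[b] = s_b, t_b
    cw_final = xor(beta, xor(s[0], s[1]))         # leaf t-bits differ, so the outputs XOR to beta
    return (seeds[0], cws, cw_final), (seeds[1], cws, cw_final)

def dpf_eval(b, key, x, n):
    """Party b's output share at x: the two shares XOR to beta if x == alpha and to 0 otherwise."""
    (s, cws, cw_final), t = key, b
    for i in range(n):
        sL, tL, sR, tR = prg(s)
        s_cw, t_cw = cws[i]
        if t:                                     # conditional correction gadget (slide 39)
            sL, sR, tL, tR = xor(sL, s_cw), xor(sR, s_cw), tL ^ t_cw[0], tR ^ t_cw[1]
        s, t = (sR, tR) if (x >> (n - 1 - i)) & 1 else (sL, tL)
    return xor(s, cw_final) if t else s

def keyword_search(keys, X, n):
    """Slide 24: each server XORs its shares over its copy of X; the client XORs the two answers."""
    ys = [functools.reduce(xor, (dpf_eval(b, keys[b], xi, n) for xi in X), bytes(LAM)) for b in (0, 1)]
    return xor(ys[0], ys[1])                      # == beta iff the keyword occurs (once) in X

def pir_write(b, key, X_b, n):
    """Slide 28: server b updates every record X^b_i <- X^b_i xor f_b(i); jointly X_alpha <- X_alpha xor beta."""
    return [xor(rec, dpf_eval(b, key, i, n)) for i, rec in enumerate(X_b)]
```

Each key is one seed plus n correction words of λ+2 bits, matching the n·λ share size of slide 41, and a server touches every record exactly once.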

  41. Concrete Efficiency of DPF
     • Share size ≅ n · λ, for PRG: {0,1}^λ → {0,1}^{2(λ+1)}
       – Slightly better for binary output
     • Concrete cost of Eval ≅ n × PRG, Gen ≅ 2 × Eval
       – Evaluating on the entire domain [N] ≅ N/λ × PRG (N/64 × AES)
     • Example: 2-server PIR on 2^25 records of length d
       – Communication: 2578 bits to each server, d bits in return
       – Computation: dominated by reading + XORing all records

  42. Extensions
     • m-party DPF from PRG [BGI15]
       – Near-quadratic improvement over the naive solution … with 2^m overhead
     • FSS for intervals, decision trees (leaking topology), d-dimensional intervals [BGI16]
     • Barrier (?): FSS for a class F containing decryption ⇒ succinct 2PC for F from OT (w/ reusable preprocessing)
       – Meaningful even for F = AC^0
       – May lead to positive results!

  43. Open Problems: FSS from OWF
     • 3-party DPF
       – o(N^{1/2}) key size from OWF?
     • Limits of 2-party FSS from OWF
       – FSS for conjunctions / partial match?
       – Stronger barriers
     • Power of information-theoretic (m,t)-FSS
       – Even 2-party FSS with non-additive output
     • Efficiency of 2-party DPF
       – Beat n · λ key size?
       – Amortizing cost of multi-point DPF?

  44. HSS for Branching Programs from DDH

  45. Recall: Homomorphic Secret Sharing. Share(x) = (x_1, x_2); y_1 = Eval_P(x_1), y_2 = Eval_P(x_2); y_1 + y_2 = P(x).
     • Security: x_i hides x
     • Correctness: Eval_P(x_1) + Eval_P(x_2) = P(x)

  46. δ-HSS. Share(x) = (x_1, x_2); y_1 = Eval_P(x_1), y_2 = Eval_P(x_2); y_1 + y_2 = P(x).
     • Security: x_i hides x
     • δ-Correctness: Except with prob. δ (over Share), Eval_P(x_1) + Eval_P(x_2) = P(x)
