Increased efficiency and functionality through lattice-based - - PowerPoint PPT Presentation
Increased efficiency and functionality through lattice-based cryptography Michele Minelli ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris) ECRYPT-NET School on Correct and Secure Implementation Crete, Greece 8
Increased efficiency and functionality through lattice-based cryptography
Michele Minelli
ENS, CNRS, PSL Research University, INRIA (Internship at CryptoExperts, Paris)
ECRYPT-NET School on Correct and Secure Implementation – Crete, Greece 8 – 12 October 2017
Why lattice-based cryptography?
Why lattice-based cryptography?
Conjectured hardness against quantum attacks
Why lattice-based cryptography?
Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc.
Why lattice-based cryptography?
Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness
Why lattice-based cryptography?
Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness Versatility
Why lattice-based cryptography?
Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness Versatility We can build FHE
Why lattice-based cryptography?
Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness Versatility We can build FHE!
Why lattice-based cryptography?
Conjectured hardness against quantum attacks Simplicity, efficiency and parallelism: linear ops, rings, etc. Strong security guarantees from worst-case hardness Versatility We can build FHE!
But we can build FHE also from other assumptions...
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers.
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m Decryption: return (c mod s) mod q
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m Decryption: return (c mod s) mod q
c1 + c2 = s (r11 + r21) + q (r12 + r22) + (m1 + m2)
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m Decryption: return (c mod s) mod q
c1 + c2 = s (r11 + r21) + q (r12 + r22) + (m1 + m2)
c1 · c2 = s (· · · ) + q (· · · ) + (m1 · m2)
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m Decryption: return (c mod s) mod q
c1 + c2 = s (r11 + r21) + q (r12 + r22) + (m1 + m2)
c1 · c2 = s (· · · ) + q (· · · ) + (m1 · m2) Warning: huge numbers ahead
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m Decryption: return (c mod s) mod q
c1 + c2 = s (r11 + r21) + q (r12 + r22) + (m1 + m2)
c1 · c2 = s (· · · ) + q (· · · ) + (m1 · m2) Parameter selection for FHE: |s| ≈ 2700 bits, |r2| ≈ 70 bits, |c| ≈ 2 · 107 bits
The DGHV scheme (extended to Zq)
Fully Homomorphic Encryption over the integers. Assumptions: approximate GCD Encryption: c = s · r1 + q · r2 + m Decryption: return (c mod s) mod q
c1 + c2 = s (r11 + r21) + q (r12 + r22) + (m1 + m2)
c1 · c2 = s (· · · ) + q (· · · ) + (m1 · m2) Parameter selection for FHE: |s| ≈ 2700 bits, |r2| ≈ 70 bits, |c| ≈ 2 · 107 bits But we don’t really need this
The use case
Final goal
Enabling cooperation between law enforcement agencies
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data.
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009)
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009)
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009) April 28 June 18 November 25
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009) April 28 June 18 November 25
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009) April 28 June 18 November 25
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009) April 28 June 18 November 25 150 000 people intercepted!
The use case
Final goal
Enabling cooperation between law enforcement agencies, while maintaining an adequate level of privacy for citizens’ personal data. Concrete example (2009) April 28 June 18 November 25 150 000 people intercepted! The intersection gives the criminals but... privacy?
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain.
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
In practice
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
In practice
Should use state-of-the-art but...
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
In practice
Should use state-of-the-art but... AES-256 and RSA-1024
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
In practice
Should use state-of-the-art but... AES-256 and RSA-1024 H : SHA-1
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
In practice
Should use state-of-the-art but... AES-256 and RSA-1024 H : SHA-1
Current situation
EU Council Decision 2008/615/JHA
Picks up a treaty signed in 2005 by Austria, Belgium, France, Germany, Luxembourg, the Netherlands and Spain. Goal: cross-border cooperation against terrorism, crime and illegal migration Tools: DNA, fingerprints and vehicle registration data
In practice
Should use state-of-the-art but... AES-256 and RSA-1024 H : SHA-1 Plus, there are other issues: fairness, privacy, . . .
Improving the current situation
Let’s say. . .
France (FR) wants to query a DB with criminal records held by Germany (DE). Both countries recognize the authority of a Judge (JU).
Improving the current situation
Let’s say. . .
France (FR) wants to query a DB with criminal records held by Germany (DE). Both countries recognize the authority of a Judge (JU). Our goals: DE does not learn FR’s query Even if authorized by JU, FR does not learn more than the records that match JU does not learn the result of the query
Improving the current situation
Let’s say. . .
France (FR) wants to query a DB with criminal records held by Germany (DE). Both countries recognize the authority of a Judge (JU). Our goals: DE does not learn FR’s query Even if authorized by JU, FR does not learn more than the records that match JU does not learn the result of the query Supported queries: Simple match (c) Conjunction (c1 ∩ c2) Disjunction (c1 ∪ c2)
Key concepts
From database to inverted database: Featurek : {i1, i2, . . . , in}
Key concepts
From database to inverted database: Featurek : {i1, i2, . . . , in} Encode indices in a polynomial: p (x) =
(x − i)
Key concepts
From database to inverted database: Featurek : {i1, i2, . . . , in} Encode indices in a polynomial: p (x) =
(x − i) Disjunction query: p1 (x) · p2 (x)
Key concepts
From database to inverted database: Featurek : {i1, i2, . . . , in} Encode indices in a polynomial: p (x) =
(x − i) Disjunction query: p1 (x) · p2 (x) Conjunction query: p1 (x) · r1 (x) + p2 (x) · r2 (x) , r{1,2} (x) ← $
Key concepts
From database to inverted database: Featurek : {i1, i2, . . . , in} Encode indices in a polynomial: p (x) =
(x − i) Disjunction query: p1 (x) · p2 (x) Conjunction query: p1 (x) · r1 (x) + p2 (x) · r2 (x) , r{1,2} (x) ← $ Possible parasitic roots → repeat and intersect
Our protocol
Our protocol
(0) one-time setup
Our protocol
(0) one-time setup (1) compute search token
Our protocol
(0) one-time setup (1) compute search token ( 2 ) h i t / n
i t
Our protocol
(0) one-time setup (1) compute search token ( 2 ) h i t / n
i t (3) obtain judge’s signature
Our protocol
(0) one-time setup (1) compute search token ( 2 ) h i t / n
i t (3) obtain judge’s signature (4) obtain information
Demo
Library developed in C++
Demo
Library developed in C++ 3 entities (FR, DE, JU) in Python + flask
Demo
Library developed in C++ 3 entities (FR, DE, JU) in Python + flask Simulates 3 web interfaces: easy to “push” to the Cloud
Demo
Library developed in C++ 3 entities (FR, DE, JU) in Python + flask Simulates 3 web interfaces: easy to “push” to the Cloud Respects and improves the EU’s constraints
Demo
Library developed in C++ 3 entities (FR, DE, JU) in Python + flask Simulates 3 web interfaces: easy to “push” to the Cloud Respects and improves the EU’s constraints
Demo
Library developed in C++ 3 entities (FR, DE, JU) in Python + flask Simulates 3 web interfaces: easy to “push” to the Cloud Respects and improves the EU’s constraints
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input.
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
with argmax (scores) = 7.
Ongoing project: Homomorphic NNs
(with F. Bourse, M. Minihold, and P. Paillier)
Goal of the project
Applying Neural Networks homomorphically over encrypted data. More specifically, classifying an encrypted input. High level description:
with argmax (scores) = 7.