secure distributed computation on private inputs
play

Secure Distributed Computation on Private Inputs David Pointcheval - PowerPoint PPT Presentation

Nov 20, 2023 •334 likes •761 views

Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA Foundations & Practice of Security Clermont-Ferrand, France - October 27th, 2015 The Cloud David Pointcheval Introduction 2 / 30 Access from

  1. Secure Distributed Computation on Private Inputs David Pointcheval ENS - CNRS - INRIA Foundations & Practice of Security Clermont-Ferrand, France - October 27th, 2015

  2. The Cloud David Pointcheval Introduction 2 / 30

  3. Access from Anywhere David Pointcheval Introduction 3 / 30

  4. Available for Everything One can Store documents, photos, etc Share them with colleagues, friends, family Process the data Ask queries on the data David Pointcheval Introduction 4 / 30

  5. With Current Solutions The Cloud provider knows the content and claims to actually identify users and apply access rights safely store the data securely process the data protect privacy David Pointcheval Introduction 5 / 30

  6. But … For economical reasons, by accident, or attacks data can get deleted any user can access the data one can log all the connected users all the queries to analyze and sell/negotiate the information David Pointcheval Introduction 6 / 30

  7. Requirements Users need more Storage guarantees Privacy guarantees confidentiality of the data anonymity of the users obliviousness of the queries How to process users’ queries? David Pointcheval Introduction 7 / 30

  8. FHE: The Killer Tool [Rivest-Adleman-Dertouzos - FOCS ’78] [Gentry - STOC ’09] Fully Homomorphic Encryption allows to process encrypted data, and get the encrypted output AND OR NOT Circuit Outputs Inputs NOT AND OR David Pointcheval Some Approaches 8 / 30

  9. FHE: The Killer Tool [Rivest-Adleman-Dertouzos - FOCS ’78] [Gentry - STOC ’09] Fully Homomorphic Encryption allows to process encrypted data, and get the encrypted output ENOT EOR EAND Encrypted Encrypted Circuit ENOT Inputs Outputs EOR EAND David Pointcheval Some Approaches 8 / 30

  10. Outsourced Processing ENOT EOR EAND Circuit ENOT EOR EAND Inputs David Pointcheval Some Approaches 9 / 30

  11. Outsourced Processing ENOT EOR Encrypted EAND Encrypted 
 Circuit Outputs ENOT Inputs EOR EAND Inputs Outputs David Pointcheval Some Approaches 9 / 30

  12. Outsourced Processing no information about 
 the input/output data ENOT EOR Encrypted EAND Encrypted 
 Circuit Outputs ENOT Inputs EOR EAND Inputs Outputs Symmetric encryption ( secret key ) is enough David Pointcheval Some Approaches 9 / 30

  13. Strong Privacy ENOT EOR Universal EAND ENOT Circuit EOR EAND Inputs Program David Pointcheval Some Approaches 10 / 30

  14. Strong Privacy Encrypted 
 ENOT EOR Inputs Encrypted Universal EAND + Outputs ENOT Circuit Encrypted 
 EOR EAND Program Inputs Outputs Program David Pointcheval Some Approaches 10 / 30

  15. Strong Privacy no information about 
 the input/output data nor the program Encrypted 
 ENOT EOR Inputs Encrypted Universal EAND + Outputs ENOT Circuit Encrypted 
 EOR EAND Program Inputs Outputs Program David Pointcheval Some Approaches 10 / 30

  16. FHE: Ideal Solution? Allows private storage Allows private computations Private queries in an encrypted database Private « googling » The provider does not learn the content Privacy by design … the queries the answers … But each gate requires huge computations … David Pointcheval Some Approaches 11 / 30

  17. Confidentiality & Sharing Encryption allows to protect data the provider stores them without knowing them nobody can access them either, except the owner How to share them with friends? David Pointcheval Some Approaches 12 / 30

  18. Confidentiality & Sharing Encryption allows to protect data the provider stores them without knowing them nobody can access them either, except the owner How to share them with friends? Specific people have full access to some data: with public-key encryption for multiple recipients Specific people have partial access such as statistics or aggregation of the data David Pointcheval Some Approaches 12 / 30

  19. Broadcast Encryption [Fiat-Naor - Crypto ‘94] David Pointcheval Some Approaches 13 / 30

  20. Broadcast Encryption [Fiat-Naor - Crypto ‘94] David Pointcheval Some Approaches 13 / 30

  21. Broadcast Encryption [Fiat-Naor - Crypto ‘94] The sender can select the target group of receivers This allows to control who will access to the data David Pointcheval Some Approaches 13 / 30

  22. Functional Encryption [Boneh-Sahai-Waters - TCC ‘11] The user generates sub-keys K y according to the input y David Pointcheval Some Approaches 14 / 30

  23. Functional Encryption [Boneh-Sahai-Waters - TCC ‘11] The user generates sub-keys K y according to the input y From C = Encrypt ( x ) , Decrypt ( K y, C ) outputs f ( x,y ) This allows to control the amount of shared data David Pointcheval Some Approaches 14 / 30

  24. Outline Broadcast Encryption Efficient solutions for sharing data Functional Encryption Some recent efficient solutions for inner product Fully Homomorphic Encryption Despite recent improvements, this is still inefficient With 2-party computation 
 one can get an efficient alternative David Pointcheval 15 / 30

  25. Multi-Party Computation input output input input output output Secure Multi-Party Computation Ideally: each party gives its input and just learns its output for any ideal functionality David Pointcheval MPC 16 / 30

  26. Multi-Party Computation input output input input output output Secure Multi-Party Computation Ideally: each party gives its input and just learns its output for any ideal functionality In practice: many interactions between the parties Latency too high over Internet …… David Pointcheval MPC 17 / 30

  27. Two-Party Computation x y z z = f ( x, y ) General construction: Yao Garbled Circuits For specific construction: quite inefficient f ( x, y ) = ( x + y ) e mod n David Pointcheval 2-PC 18 / 30

  28. Encryption Switching Protocols f ( x, y ) = ( x + y ) e mod n With additive encryption E + , multiplication encryption E x 
 and an interactive switch from c + to c x : Alices sends c +A = E + ( x ), and Bob sends c +B = E + ( y ) They compute c = c +A ⊕ c +B = E + ( x+y ) They run the interactive switch to get c ’ = E x ( x+y ) They compute C = ⊗ e c ’ = E x (( x+y ) e ) They run the interactive decryption to gets z [Couteau-Peters-P - EPrint 2015/990] David Pointcheval 2-PC 19 / 30

  29. Homomorphic Encryption [Paillier - Eurocrypt ’99] Additive encryption on Z n : Paillier encryption Public key: n = pq d = [ λ − 1 mod n ] × λ Secret key: c = (1 + n ) m · r n mod n 2 Encryption: Decryption: m = [ c d − 1 mod n 2 ]/ n Additively homomorphic Efficient interactive decryption David Pointcheval 2-PC 20 / 30

  30. Homomorphic Encryption [ElGamal - IEEE TIT ’85] Multiplicative encryption on G : ElGamal encryption Secret key: x ∈ Z p Public key: h = g x Encryption: c = ( c 0 = g r , c 1 = h r · m ) Decryption: m = c 1 / c x 0 Multiplicatively homomorphic Efficient interactive decryption If n = pq , with safe primes p = 2 p � + 1 and q = 2 q � + 1 Works for G = �� n , under the DDH in Z � p � and Z � q � Works for G = J n , under the additional QR assumption But does not work in Z � n … David Pointcheval 2-PC 21 / 30

  31. Encoding of Messages Multiplicative encryption on Z ∗ n : by encoding m � Z ∗ n into J n For n = pq , generator g of J n of order λ n \ J n , using the CRT: χ � Z ∗ χ = g t p mod p , for an even t p : χ � �� p χ = g t q mod q , for an odd t p : χ �� �� q hence χ � Z ∗ n \ J n a � R { 1 , . . . , n /2 } , so that χ a · m � J n For m � Z ∗ n , m 1 = g a mod n and m 2 = χ a · m one gets α = χ a mod n using the CRT: From m 1 , α = m t p 1 mod p and α = m t q 1 mod q From m 2 , one gets m = m 2 / α mod n David Pointcheval 2-PC 22 / 30

  32. Homomorphic Encryption Multiplicative encryption on Z ∗ n : for n = pq Secret key: x, t p , t q � Z λ n \ J n , J n = � g � , h = g x (ElGamal in J n ) Public key: χ � Z ∗ encode m into ( m 1 = g a , m 2 = χ a · m ) � J 2 Encryption: n encrypt m 2 under h , to get ( c 0 , c 1 ) the ciphertext is C = ( c 0 , c 1 , m 1 ) Decryption: decrypt ( c 0 , c 1 ) using x , to get m 2 convert m 1 = g a into α = χ a using the CRT get m = m 2 / α mod n Multiplicatively homomorphic Efficient interactive decryption Efficient encryption switching protocols with the Paillier encryption David Pointcheval 2-PC 23 / 30

  33. Two-Party Computation? The two homomorphic encryption schemes together with the encryption switching protocols: Efficient two-party computation But in the intersection of the plaintext spaces! Z n ∩ Z ∗ n = Z ∗ n Cannot deal with zero! But cannot avoid zero either during computations! David Pointcheval 2-PC 24 / 30

  34. How to Handle Zero? In order to multiplicatively encrypt m ∈ Z n : One defines b = 1 if m = 0 , and b = 0 otherwise One encrypts A = m + b mod n B = T b mod n for a random square T One encrypts One can note that n , unless m is a non-trivial multiple of p or q A ∈ Z ∗ B ∈ �� n ⇒ they can both be encrypted = with appropriate ElGamal-like encryption Multiplicatively homomorphic: 0 is absorbing in B Encrypted Zero Test protocols: E + ( m ) → E + ( b ) David Pointcheval 2-PC 25 / 30

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

2-party secure computation Problem: Two parties, Alice and Bob, with private inputs, a and b ,

1 International Conference on Practice and Theory of Public-Key Cryptography (PKC) 2020 Mon Z a: fast maliciously-secure 2-party computation on the ring 2 k Dario Catalano 1 , Mario Di Raimondo 1 , Dario Fiore 2 and Irene Giacomelli 3 1

504 views • 25 slides
Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit

Adaptively Secure Multi-Party Computation with Dishonest Majority Sanjam Garg Amit Sahai UCLA Secure Multiparty Computation A set of mutually distrustful parties (n) wish to compute a joint function of their private inputs

309 views • 16 slides
Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation

Communication Locality in C i i L li i Secure Multi Party Secure Multi-Party Computation Computation How to Run Sublinear Algorithms in a Distributed Algorithms in a Distributed Setting Elette Boyle Shafi Goldwasser Stefano Tessaro

1.01k views • 36 slides
Secure Distributed Computation and Storage Jed Liu Michael D. George K. Vikram Xin Qi Lucas

Secure Distributed Computation and Storage Jed Liu Michael D. George K. Vikram Xin Qi Lucas

A Platform for Secure Distributed Computation and Storage Jed Liu Michael D. George K. Vikram Xin Qi Lucas Waye Andrew C. Myers Department of Computer Science Cornell University 22 nd ACM SIGOPS Symposium on Operating Systems Principles 14

650 views • 38 slides
Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.)

Secure Computation with Low Communication from Cross-checking Dov Gordon (George Mason U.) Samuel Ranellucci (Unbound Tech) Xiao Wang (MIT & Boston U.) Secure Computation 4 parties each hold private data. They wish to compute C(x 1

414 views • 24 slides
Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam

Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam

Near-Linear Unconditionally-Secure MPC with a Dishonest Minority Serge Fehr CWI Amsterdam www.cwi.nl/~fehr Eli Ben-Sasson Rafail Ostrovsky Technion UCLA Multiparty Computation (MPC) x 2 x 3 Goal: x 1 Compute function f on private inputs x

373 views • 13 slides
YFS 1.0 is the next generation distributed file system for secure private, public and hybrid

YFS 1.0 is the next generation distributed file system for secure private, public and hybrid

YFS 1.0 is the next generation distributed file system for secure private, public and hybrid cloud storage deployments. YFS 1.0 is not a hardware appliance. Backward compatible with IBM AFS 3.6 and OpenAFS. No flag day required

359 views • 16 slides
Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li

Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li

CS573 Data Privacy and Security Secure Multiparty Computation Introduction to Privacy Preserving Distributed Data Mining Li Xiong Slides credit: Chris Clifton, Purdue University; Murat Kantarcioglu, UT Dallas Outline Overview Data

901 views • 42 slides
Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

1.33k views • 102 slides
Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F

Secure 2-Party Computation Lecture 14 Yao s Garbled Circuit RECALL SIM-Secure MPC F F proto proto iface iface Secure (and correct) if: s.t. output of is distributed Env Env identically in REAL IDEAL REAL and

1.28k views • 126 slides
Entangled Polynomial Codes for Secure, Private, and Batch Distributed Matrix Multiplication:

Entangled Polynomial Codes for Secure, Private, and Batch Distributed Matrix Multiplication:

Entangled Polynomial Codes for Secure, Private, and Batch Distributed Matrix Multiplication: Breaking the "Cubic" Barrier QIAN YU (USC) joint work with Salman Avestimehr (USC) IEEE International Symposium on Information Theory (ISIT)

409 views • 21 slides
Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School

Practical Secure Two-Party Computation and Applications Thomas Schneider Estonian Winter School in Computer Science 2016 Overview Lecture 1: Introduction to Secure Two-Party Computation Lecture 2: Private Set Intersection Lecture 3: Tools

935 views • 67 slides
Secure computation With material from Matthew Green, Elaine Shi, CS Unplugged, others Secure

Secure computation With material from Matthew Green, Elaine Shi, CS Unplugged, others Secure

https://2.bp.blogspot.com/-Q_39kDXs93c/UOecpSOTX5I/AAAAAAAAA2k/WaIfMiKzQOw/s1600/eniac1+%281%29.jpg Secure computation With material from Matthew Green, Elaine Shi, CS Unplugged, others Secure computation Zero-knowledge proofs

465 views • 33 slides
Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi

Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi

Privacy-Preserving Search of Similar Patients in Genomic Data Gilad Asharov Shai Halevi Yehuda Lindell Tal Rabin Secure Computation Computation on private inputs without revealing anything but the output Applications :

299 views • 25 slides
Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a

Secure Outsourcing of Computation Ron Rothblum MIT Outsourcing Computation Motivation: allow a computationally weak client to outsource its computation to an untrusted server. = () Main security concerns: 1. Correctness:

377 views • 4 slides
Round-Optimal Secure Multiparty Computation with Honest Majority Prabhanjan Ananth Arka Rai

Round-Optimal Secure Multiparty Computation with Honest Majority Prabhanjan Ananth Arka Rai

Round-Optimal Secure Multiparty Computation with Honest Majority Prabhanjan Ananth Arka Rai Choudhuri Aarushi Goel Abhishek Jain CRYPTO 2018 Secure Multiparty Computation ! # ! $ ! " ! % Secure Multiparty Computation Securely compute

1.18k views • 102 slides
Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations

Formal Methods and Cryptography Lecture 25 Formal Methods Formal Methods Logical foundations of computer science Formal Methods Logical foundations of computer science A language that machines can understand Formal Methods Logical

1.67k views • 123 slides
High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago

High-speed cryptography, DNSSEC, and DNSCurve D. J. Bernstein University of Illinois at Chicago NSF ITR0716498 Stealing Internet mail: easy! Given a mail message: Your mail software sends a DNS request, receives a server address, makes

924 views • 61 slides
Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args)

Recall the Racket PostFix Interpreter Metaprogramming in SML: ;; Contents of postfix-fancy-transform.rkt (define (postfix-run pgm args) ) PostFix and S-expressions (define (postfix-exec-commands cmds init-stk) ) (define

306 views • 6 slides
CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's

CSE 105 THEORY OF COMPUTATION Fall 2016 http://cseweb.ucsd.edu/classes/fa16/cse105-abc/ Today's learning goals Sipser Sec 3.2 Prove Turing-recognizability using Turing machines Enumerators State and use the Church-Turing thesis.

512 views • 16 slides
Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov

Why Your Encrypted Database Is Not Secure Paul Grubbs Tom Ristenpart Vitaly Shmatikov Outsourced Applications Today Server data data Encrypt the data! Encrypt the Data App functionality no App functionality no longer works :( longer

1.42k views • 58 slides
High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois

High-speed cryptography, part 3: more cryptosystems Daniel J. Bernstein University of Illinois at Chicago & Technische Universiteit Eindhoven Cryptographers Working systems Cryptanalytic algorithm designers Unbroken

739 views • 44 slides
Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint

Functional Encryption for Inner Product with Full Function Privacy by Sourav Mukhopadhyay joint work with Pratish Datta and Ratna Dutta Department of Mathematics Indian Institute of Technology Kharagpur Kharagpur-721302 India PKC 2016

340 views • 23 slides
Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay

Advanced Tools from Modern Cryptography Lecture 0 Manoj Prabhakaran IIT Bombay Old Cryptography Scytale (ancient Greece) Caesar Cipher 100 BC - 44 BC Cryptanalysis (simple frequency analysis) of Caesar cipher by

368 views • 13 slides

More recommend