Ce diaporama a bien été signalé.
Nous utilisons votre profil LinkedIn et vos données d’activité pour vous proposer des publicités personnalisées et pertinentes. Vous pouvez changer vos préférences de publicités à tout moment.
Homomorphic Encryption
Secure and privacy-preserving data
transmission and processing
Dr. Razvan Bocu
Transilvania Univers...
History
Julius Ceasar (100-44 BC)
In the beginning, there was symmetric encryption.
Message: ATTACK AT DAWN
History
Julius Ceasar (100-44 BC)
Message: ATTACK AT DAWN
Key: +3
Ciphertext:
↓↓↓↓↓↓ ↓↓ ↓↓↓↓
DWWDFN DW GDZQ
If you had the...
History
Julius Ceasar (100-44 BC)
Ciphertext: DWWDFN DW GDZQ
Key: -3
Message:
↓↓↓↓↓↓ ↓↓ ↓↓↓↓
ATTACK AT DAWN
If you had the...
History
Julius Ceasar (100-44 BC)
If you had the key, you could decrypt…
DWWDFN DW GDZQ
Symmetric Encryption:
Encryption a...
History
Symmetric Encryption:
Encryption and Decryption use the same key
Vigenere Enigma
Claude Shannon and
Information Th...
History
Asymmetric Encryption
Merkle, Hellman and Diffie (1976) Shamir, Rivest and Adleman (1978)
Encryption uses a public...
History
Asymmetric Encryption:
The Foundation of E-Commerce
History
RSA: The first and most popular
asymmetric encryption
𝐸 𝑚 = 𝑚 𝑒 (mod 𝑛)
D 𝑐 = 𝑐 𝑑
(mod 𝑛)
YET…
The world was black and white
YET…
The world was black and white
The only thing anyone did with
encrypted data was …
… decrypt it.
YET…
Encryption =
Further possible use cases
Function
f
x
search
query Google
searchSearch results
x
f(x)
Driving force: The need for privac...
Computations on Encrypted Data
Further possible use cases
Function
f
x
Enc(x)
Enc(f(x))
Driving force: The need for privac...
Computations on Encrypted Data
The algebraic structure in RSA…
𝐸 𝑚1 = 𝑚1
𝑒
𝐸 𝑚2 = 𝑚2
𝑒
Thus, … 𝐸 𝑚1 × 𝐸 𝑚2
= 𝑚1
𝑒 × 𝑚2
𝑒
=...
Computations on Encrypted Data
RSA is multiplicatively homomorphic
𝐸 𝑚1 = 𝑚1
𝑒
𝐸 𝑚2 = 𝑚2
𝑒
Ergo … 𝐸 𝑚1 × 𝐸 𝑚2
= 𝑚1
𝑒 × 𝑚2
...
Computations on Encrypted Data
RSA is multiplicatively homomorphic
𝐸 𝑚1 = 𝑚1
𝑒
𝐸 𝑚2 = 𝑚2
𝑒
Ergo … 𝐸 𝑚1 × 𝐸 𝑚2
= 𝑚1
𝑒 × 𝑚2
...
Computations on Encrypted Data
Other Encryption systems were additively homomorphic
𝐸 𝑚1 + 𝐸 𝑚2 = 𝐸(𝑚1 + 𝑚2)
Additive Homo...
Computations on Encrypted Data
The ultimate goal: computations over encrypted
data…
… this requires the computation of
bot...
Computations on Encrypted Data
XOR
0 XOR 0
1 XOR 0
0 XOR 1
1 XOR 1
0
1
1
0
AND
0 AND 0
1 AND 0
0 AND 1
1 AND 1
0
0
0
1
Why...
Computations on Encrypted Data
XOR
0 XOR 0
1 XOR 0
0 XOR 1
1 XOR 1
0
1
1
0
AND
0 AND 0
1 AND 0
0 AND 1
1 AND 1
0
0
0
1
Con...
Computations on Encrypted Data
Considering the system {XOR,AND} is Turing-complete …
… any function is a combination of XO...
Corollary
Considering the system {XOR,AND} is Turing-complete …
… if one can compute sums and products on encrypted bits
…...
Fully-Homomorphic Encryption!
Cryptography’s Holy Grail
Fully-Homomorphic Encryption!
Amazing Applications:
Private Cloud Computing
Delegate arbitrary processing of data
without ...
Fully-Homomorphic Encryption!
Continuous unsucccessful quest for years
… until, in October 2008 …
… Craig Gentry came up with the first
fully homomorphic encryption scheme …
What is the mechanism?
What kind of mathematical models can we use?
What kind of objects can we add and multiply?
Polynomials? (𝑥2
+ 6𝑥 + 1) + 𝑥2
− 6𝑥 = (2𝑥2
+ 1)
(𝑥2
+ 6𝑥 + 1) X 𝑥2
− 6𝑥 = (...
Polynomials?
Matrices?
(𝑥2
+ 6𝑥 + 1) + 𝑥2
− 6𝑥 = (2𝑥2
+ 1)
(𝑥2 + 6𝑥 + 1) X 𝑥2 − 6𝑥 = (𝑥4 − 35𝑥2 − 6𝑥)
1 0
1 2
+
−1 1
0 1
=...
Polynomials?
Matrices?
(𝑥2
+ 6𝑥 + 1) + 𝑥2
− 6𝑥 = (2𝑥2
+ 1)
(𝑥2 + 6𝑥 + 1) X 𝑥2 − 6𝑥 = (𝑥4 − 35𝑥2 − 6𝑥)
Maybe integers?!?
3 ...
Nowadays, in use: Symmetric Encryption
Secret key: large odd number p
0 p 2p 3p-3p -2p -p
Secret key: large odd number p
To Encrypt a bit b:
– choose a (preferably random) “large” multiple of p, say q·p
0 p 2p 3p...
Secret key: large odd number p
To Encrypt a bit b:
– choose a (preferably random) “large” multiple of p, say q·p
– choose ...
Secret key: large odd number p
To Encrypt a bit b:
– choose a (preferably random) “large” multiple of p, say q·p
– choose ...
Secret key: large odd number p
To Encrypt a bit b:
– choose a (preferably random) “large” multiple of p, say q·p
– choose ...
How safe is this model?
If there was no noise (r=0)
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
… and one provides two encrypt...
How safe is this model?
If there is noise
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
… the GCD attack doesn’t work
… and neit...
XOR operations on two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c2 = q2·p + (2·r...
XOR operations on two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c1+c2 = p·(q1 + ...
XOR operations on two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c1+c2 = p·(q1 + ...
XOR operations on two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c1+c2 = p·(q1 + ...
AND operations on two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c2 = q2·p + (2·r...
AND operations on two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
least_significant_...
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
The noise increases!
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
The noise increases!
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
noise= 2 * (initi...
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
The noise increases!
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
noise= 2 * (initi...
0 17 34 51-51 -34 -17
noise=-14
The noise increases!
Why does this matter?
20
0 17 34 51-51 -34 -17
noise=-14
The noise increases!
Why does this matter?
20
decryption will
recover noise’=3
0 17 34 51-51 -34 -17
noise=-14
The noise increases!
Why does this matter?
20
If the |noise| > p/2, then:
Decryption will ...
The accomplishment …
Possibility to do lots of additions and
… some multiplications
(= a “somewhat homomorphic” encryption)
The accomplishment …
… we can do lots of additions and
… some multiplications
It is enough to do many useful tasks, such a...
The accomplishment ...
… we can do lots of additions and
… some multiplications
… enough to do many useful tasks, e.g.,
da...
RSA&friends
MANY mult
ZERO add
Fully homomorphic
MANY additions
MANY multiplications
WE ARE HERE!
Fully homomorphic
MANY add
MANY mult
WE ARE HERE!
[bootstrapping]
How is this possible?
The “bootstrapping method”
Princip...
noise=0
noise=p/2
Initial noise
The “bootstrapping method”
Noise after some
sums and products
noise=0
noise=p/2
The “bootstrapping method”
noise=0
noise=p/2
Bootstrapping =
“Valve” at a fixed height
The “bootstrapping method”
noise=0
noise=p/2
Bootstrapping =
“Valve” at a fixed height
The “bootstrapping method”
noise=0
noise=p/2
… repeat until done
The “bootstrapping method”
noise=0
noise=p/2
… repeat until done
The “bootstrapping method”
 Lots of new Encryption Schemes
… simpler, more secure, more efficient
 Dramatic Efficiency Improvements
1 100 10000 100...
Gentry’s “bootstrapping method” …
The same principle: if you can go a (large)
part of the way, you probably can go all
the...
Gentry’s “bootstrapping method” …
The same principle: if you can go a (large)
part of the way, you probably can go all
the...
Gentry’s “bootstrapping method” …
The same principle: if you can go a (large)
part of the way, you probably can go all
the...
noise=0
noise=p/2
Reflection topic
What is the best noise-reduction procedure?
noise=0
noise=p/2
Reflection topic
What is the best noise-reduction procedure?
… To get rid of all the noise.
noise=0
noise=p/2
Reflection topic
What is the best noise-reduction procedure?
… To get rid of all the noise,
… and comput...
noise=0
noise=p/2
Reflection topic
… What is the best noise-reduction procedure?
… To get rid of all the noise
… and compu...
noise=0
noise=p/2
Reflection topic
… What is the best noise-reduction procedure?
… To get rid of all the noise
… and compu...
noise=0
noise=p/2
Reflection topic
… What is the best noise-reduction procedure?
… To get rid of all the noise
… and compu...
noise=0
noise=p/2
Reflection topic
… What is the best noise-reduction procedure?
… To get rid of all the noise
… and compu...
noise=0
noise=p/2
Reflection topic
Secret key
Decrypt
b
But I can’t
give the
secret key
out for free!
Ctxt = Enc(b)
Goal: ...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secret...
noise=0
noise=p/2
KEY IDEA
… I cannot release the secret key (or else, everyone sees my data)
… but I can release Enc(secr...
Long story short: whenever noise level increases
beyond a limit …
noise=0
noise=p/2
… use bootstrapping to reset it to a f...
noise=0
noise=p/2 Bootstrapping requires the homomorphic
evaluation of the decryption circuit.
noise=0
noise=p/2
Thus, Gentry’s “bootstrapping theorem”:
If an enc scheme can evaluate its own
decryption circuit, then i...
Real world use case
Reference paper:
• R., Bocu, C., Costache, A Homomorphic Encryption-Based System
for Securely Managing...
System architecture
System features
• Data privacy assured during all four stages: data collection, data
transmission, data storage, FHE-based...
FHE Core Model – Supported Operations
• Homomorphic addition (+h) – It takes as operands two ciphertexts,
which correspond...
FHE Core Model – The Level
• The level (L) – It must be determined before starting any computation
instruction.
• The leve...
Optimized FHE Scheme
Optimized FHE Scheme (cont’d)
• The data storage and processing backend efficiently and safely computes
the received data....
Test Use Case
•The detection of three medical conditions has
been considered: the average heart rate, the
delayed repolari...
Performance Metrics (1) - Explanation
• Network capacity: XFERIN (the amount of data transferred from the
client devices t...
Performance metrics (2)
Performance metrics (3) – DRHS Condition
Test Use Case - Conclusions
• Flexible and decoupled architecture – the system is capable
of accommodating most of the exi...
Thank You!
Questions and Discussion
Prochain SlideShare
Chargement dans…5
×

Secure and privacy-preserving data transmission and processing using homomorphic encryption

50 vues

Publié le

Razvan Bocu in Bucharest, Romania on November 8-9th 2018 at DefCamp #9.

The videos and other presentations can be found on https://def.camp/archive

Publié dans : Technologie
  • Soyez le premier à commenter

  • Soyez le premier à aimer ceci

Secure and privacy-preserving data transmission and processing using homomorphic encryption

  1. 1. Homomorphic Encryption Secure and privacy-preserving data transmission and processing Dr. Razvan Bocu Transilvania University of Brasov, Romania
  2. 2. History Julius Ceasar (100-44 BC) In the beginning, there was symmetric encryption. Message: ATTACK AT DAWN
  3. 3. History Julius Ceasar (100-44 BC) Message: ATTACK AT DAWN Key: +3 Ciphertext: ↓↓↓↓↓↓ ↓↓ ↓↓↓↓ DWWDFN DW GDZQ If you had the key, you could encrypt… DWWDFN DW GDZQ
  4. 4. History Julius Ceasar (100-44 BC) Ciphertext: DWWDFN DW GDZQ Key: -3 Message: ↓↓↓↓↓↓ ↓↓ ↓↓↓↓ ATTACK AT DAWN If you had the key, you could decrypt… DWWDFN DW GDZQ
  5. 5. History Julius Ceasar (100-44 BC) If you had the key, you could decrypt… DWWDFN DW GDZQ Symmetric Encryption: Encryption and Decryption use the same key
  6. 6. History Symmetric Encryption: Encryption and Decryption use the same key Vigenere Enigma Claude Shannon and Information Theory 1900-1950
  7. 7. History Asymmetric Encryption Merkle, Hellman and Diffie (1976) Shamir, Rivest and Adleman (1978) Encryption uses a public key, Decryption uses the secret key (1970s)
  8. 8. History Asymmetric Encryption: The Foundation of E-Commerce
  9. 9. History RSA: The first and most popular asymmetric encryption 𝐸 𝑚 = 𝑚 𝑒 (mod 𝑛) D 𝑐 = 𝑐 𝑑 (mod 𝑛)
  10. 10. YET… The world was black and white
  11. 11. YET… The world was black and white The only thing anyone did with encrypted data was … … decrypt it.
  12. 12. YET… Encryption =
  13. 13. Further possible use cases Function f x search query Google searchSearch results x f(x) Driving force: The need for privacy.
  14. 14. Computations on Encrypted Data Further possible use cases Function f x Enc(x) Enc(f(x)) Driving force: The need for privacy.
  15. 15. Computations on Encrypted Data The algebraic structure in RSA… 𝐸 𝑚1 = 𝑚1 𝑒 𝐸 𝑚2 = 𝑚2 𝑒 Thus, … 𝐸 𝑚1 × 𝐸 𝑚2 = 𝑚1 𝑒 × 𝑚2 𝑒 = (𝑚1 × 𝑚2) 𝑒 = 𝐸(𝑚1 × 𝑚2) 𝐸 𝑚1 × 𝐸 𝑚2 = 𝐸(𝑚1 × 𝑚2) Multiplicative Homomorphism
  16. 16. Computations on Encrypted Data RSA is multiplicatively homomorphic 𝐸 𝑚1 = 𝑚1 𝑒 𝐸 𝑚2 = 𝑚2 𝑒 Ergo … 𝐸 𝑚1 × 𝐸 𝑚2 = 𝑚1 𝑒 × 𝑚2 𝑒 = (𝑚1 × 𝑚2) 𝑒 = 𝐸(𝑚1 × 𝑚2) 𝐸 𝑚1 × 𝐸 𝑚2 = 𝐸(𝑚1 × 𝑚2) Multiplicative Homomorphism
  17. 17. Computations on Encrypted Data RSA is multiplicatively homomorphic 𝐸 𝑚1 = 𝑚1 𝑒 𝐸 𝑚2 = 𝑚2 𝑒 Ergo … 𝐸 𝑚1 × 𝐸 𝑚2 = 𝑚1 𝑒 × 𝑚2 𝑒 = (𝑚1 × 𝑚2) 𝑒 = 𝐸(𝑚1 × 𝑚2) 𝐸 𝑚1 × 𝐸 𝑚2 = 𝐸(𝑚1 × 𝑚2) Multiplicative Homomorphism (but not additively homomorphic)
  18. 18. Computations on Encrypted Data Other Encryption systems were additively homomorphic 𝐸 𝑚1 + 𝐸 𝑚2 = 𝐸(𝑚1 + 𝑚2) Additive Homomorphism (but not multiplicatively homomorphic)
  19. 19. Computations on Encrypted Data The ultimate goal: computations over encrypted data… … this requires the computation of both sums and products … … over the same encrypted data set!
  20. 20. Computations on Encrypted Data XOR 0 XOR 0 1 XOR 0 0 XOR 1 1 XOR 1 0 1 1 0 AND 0 AND 0 1 AND 0 0 AND 1 1 AND 1 0 0 0 1 Why SUMs and PRODUCTs? SUM = PRODUCT =
  21. 21. Computations on Encrypted Data XOR 0 XOR 0 1 XOR 0 0 XOR 1 1 XOR 1 0 1 1 0 AND 0 AND 0 1 AND 0 0 AND 1 1 AND 1 0 0 0 1 Considering the system {XOR,AND} is Turing-complete … … any function is a combination of XOR and AND gates
  22. 22. Computations on Encrypted Data Considering the system {XOR,AND} is Turing-complete … … any function is a combination of XOR and AND gates Example: Indexing a database 0 1 1 0 DB index i = i1i0 return DBi i0 i1 DB3 DB2 DB0 DB1
  23. 23. Corollary Considering the system {XOR,AND} is Turing-complete … … if one can compute sums and products on encrypted bits … one can compute ANY function on encrypted inputs E(x1) E(x2) E(x3) E(x4) E(x3 AND x4)E(x1 XOR x2) E(f(x1,x2,x3,x4))
  24. 24. Fully-Homomorphic Encryption! Cryptography’s Holy Grail
  25. 25. Fully-Homomorphic Encryption! Amazing Applications: Private Cloud Computing Delegate arbitrary processing of data without giving away access to it
  26. 26. Fully-Homomorphic Encryption! Continuous unsucccessful quest for years
  27. 27. … until, in October 2008 … … Craig Gentry came up with the first fully homomorphic encryption scheme …
  28. 28. What is the mechanism?
  29. 29. What kind of mathematical models can we use?
  30. 30. What kind of objects can we add and multiply? Polynomials? (𝑥2 + 6𝑥 + 1) + 𝑥2 − 6𝑥 = (2𝑥2 + 1) (𝑥2 + 6𝑥 + 1) X 𝑥2 − 6𝑥 = (𝑥4 − 35𝑥2 − 6𝑥)
  31. 31. Polynomials? Matrices? (𝑥2 + 6𝑥 + 1) + 𝑥2 − 6𝑥 = (2𝑥2 + 1) (𝑥2 + 6𝑥 + 1) X 𝑥2 − 6𝑥 = (𝑥4 − 35𝑥2 − 6𝑥) 1 0 1 2 + −1 1 0 1 = 0 1 1 3 1 0 1 2 𝑋 −1 1 0 1 = −1 1 −1 3 What kind of objects can we add and multiply?
  32. 32. Polynomials? Matrices? (𝑥2 + 6𝑥 + 1) + 𝑥2 − 6𝑥 = (2𝑥2 + 1) (𝑥2 + 6𝑥 + 1) X 𝑥2 − 6𝑥 = (𝑥4 − 35𝑥2 − 6𝑥) Maybe integers?!? 3 + 4 = 7 3 X 4 = 12 1 0 1 2 + −1 1 0 1 = 0 1 1 3 1 0 1 2 𝑋 −1 1 0 1 = −1 1 −1 3 What kind of objects can we add and multiply?
  33. 33. Nowadays, in use: Symmetric Encryption
  34. 34. Secret key: large odd number p 0 p 2p 3p-3p -2p -p
  35. 35. Secret key: large odd number p To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p 0 p 2p 3p-3p -2p -p
  36. 36. Secret key: large odd number p To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p – choose a (preferably random) “small” number 2·r+b 0 p 2p 3p-3p -2p -p (this is even if b=0, and odd if b=1) the “noise” = 2·r+b
  37. 37. Secret key: large odd number p To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p – choose a (preferably random) “small” number 2·r+b – Resulting ciphertext: c = q·p+2·r+b 0 p 2p 3p-3p -2p -p (this is even if b=0, and odd if b=1) the “noise” = 2·r+b
  38. 38. Secret key: large odd number p To Encrypt a bit b: – choose a (preferably random) “large” multiple of p, say q·p – choose a (preferably random) “small” number 2·r+b – Resulting ciphertext: c = q·p+2·r+b 0 p 2p 3p-3p -2p -p (this is even if b=0, and odd if b=1) the “noise” = 2·r+b To Decrypt a ciphertext c: Applying the operation c mod p recovers the noise
  39. 39. How safe is this model? If there was no noise (r=0) 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b … and one provides two encryptions of 0 (q1p & q2p) … then the secret key p can be recovered GCD_attack(q1p, q2p) Greatest common divisor Coppersmith’s attack
  40. 40. How safe is this model? If there is noise 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b … the GCD attack doesn’t work … and neither does any conventional attack  the approximate GCD assumption
  41. 41. XOR operations on two encrypted bits: 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2)
  42. 42. XOR operations on two encrypted bits: 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b – c1 = q1·p + (2·r1 + b1) – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) – c2 = q2·p + (2·r2 + b2)
  43. 43. XOR operations on two encrypted bits: 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b – c1 = q1·p + (2·r1 + b1) – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) Odd if b1=0, b2=1 (or) b1=1, b2=0 Even if b1=0, b2=0 (or) b1=1, b2=1 – c2 = q2·p + (2·r2 + b2)
  44. 44. XOR operations on two encrypted bits: 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b – c1 = q1·p + (2·r1 + b1) – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) least_significant_bit= b1 XOR b2 – c2 = q2·p + (2·r2 + b2)
  45. 45. AND operations on two encrypted bits: 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b – c1 = q1·p + (2·r1 + b1) – c2 = q2·p + (2·r2 + b2) – c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2
  46. 46. AND operations on two encrypted bits: 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b – c1 = q1·p + (2·r1 + b1) least_significant_bit= b1 AND b2 – c2 = q2·p + (2·r2 + b2) – c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2
  47. 47. 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b The noise increases!
  48. 48. 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b The noise increases! – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) noise= 2 * (initial noise)
  49. 49. 0 p 2p 3p-3p -2p -p the “noise” = 2·r+b The noise increases! – c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) noise= 2 * (initial noise) noise = (initial noise)2 – c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2
  50. 50. 0 17 34 51-51 -34 -17 noise=-14 The noise increases! Why does this matter? 20
  51. 51. 0 17 34 51-51 -34 -17 noise=-14 The noise increases! Why does this matter? 20 decryption will recover noise’=3
  52. 52. 0 17 34 51-51 -34 -17 noise=-14 The noise increases! Why does this matter? 20 If the |noise| > p/2, then: Decryption will output an incorrect bit! decryption will recover noise’=3
  53. 53. The accomplishment … Possibility to do lots of additions and … some multiplications (= a “somewhat homomorphic” encryption)
  54. 54. The accomplishment … … we can do lots of additions and … some multiplications It is enough to do many useful tasks, such as, database search, spam filtering etc. (= a “somewhat homomorphic” encryption)
  55. 55. The accomplishment ... … we can do lots of additions and … some multiplications … enough to do many useful tasks, e.g., database search, spam filtering etc. But, there is much more … (= a “somewhat homomorphic” encryption)
  56. 56. RSA&friends MANY mult ZERO add Fully homomorphic MANY additions MANY multiplications WE ARE HERE!
  57. 57. Fully homomorphic MANY add MANY mult WE ARE HERE! [bootstrapping] How is this possible? The “bootstrapping method” Principle: If you can go a (large) part of the way, then you can go all the way. RSA&friends MANY mult ZERO add
  58. 58. noise=0 noise=p/2 Initial noise The “bootstrapping method”
  59. 59. Noise after some sums and products noise=0 noise=p/2 The “bootstrapping method”
  60. 60. noise=0 noise=p/2 Bootstrapping = “Valve” at a fixed height The “bootstrapping method”
  61. 61. noise=0 noise=p/2 Bootstrapping = “Valve” at a fixed height The “bootstrapping method”
  62. 62. noise=0 noise=p/2 … repeat until done The “bootstrapping method”
  63. 63. noise=0 noise=p/2 … repeat until done The “bootstrapping method”
  64. 64.  Lots of new Encryption Schemes … simpler, more secure, more efficient  Dramatic Efficiency Improvements 1 100 10000 1000000 2011 2010 2009 Time (in millisec) for a basic operation
  65. 65. Gentry’s “bootstrapping method” … The same principle: if you can go a (large) part of the way, you probably can go all the way. noise=0 noise=p/2
  66. 66. Gentry’s “bootstrapping method” … The same principle: if you can go a (large) part of the way, you probably can go all the way. noise=0 noise=p/2 Issue to address: Addition and Multiplication increase noise (Addition doubles, Multiplication squares the noise)
  67. 67. Gentry’s “bootstrapping method” … The same principle: if you can go a (large) part of the way, you probably can go all the way. noise=0 noise=p/2 Issue to address: Addition and Multiplication increase noise (Addition doubles, Multiplication squares the noise) Goal: noise reduction
  68. 68. noise=0 noise=p/2 Reflection topic What is the best noise-reduction procedure?
  69. 69. noise=0 noise=p/2 Reflection topic What is the best noise-reduction procedure? … To get rid of all the noise.
  70. 70. noise=0 noise=p/2 Reflection topic What is the best noise-reduction procedure? … To get rid of all the noise, … and computationally optimal recover the original message.
  71. 71. noise=0 noise=p/2 Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and computationally optimal recover the original message Direct Decryption!
  72. 72. noise=0 noise=p/2 Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and computational optimal recover the original message Direct Decryption! Ctxt = Enc(b) Secret key Decrypt b
  73. 73. noise=0 noise=p/2 Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and computationally optimal recover the original message Direct Decryption! Secret key Decrypt bFunction that acts on ciphertext and eliminates noise Ctxt = Enc(b)
  74. 74. noise=0 noise=p/2 Reflection topic … What is the best noise-reduction procedure? … To get rid of all the noise … and computationally optimal recover the message Decryption! Secret key Decrypt b Ctxt = Enc(b) But I can’t give the secret key out for free!
  75. 75. noise=0 noise=p/2 Reflection topic Secret key Decrypt b But I can’t give the secret key out for free! Ctxt = Enc(b) Goal: I want to reduce noise without letting you decrypt
  76. 76. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Secret key Decrypt b Ctxt = Enc(b)
  77. 77. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) This is called “Circular Encryption” Secret key Decrypt b Ctxt = Enc(b)
  78. 78. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) This is called “Circular Encryption” Decrypt b Ctxt = Enc(b) Enc(Secret key)
  79. 79. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt b … Homomorphically evaluate the decryption circuit!!! Ctxt = Enc(b) In order to reduce noise …
  80. 80. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt … Homomorphically evaluate the decryption circuit!!! Ctxt = Enc(b) In order to reduce noise … Enc(b)
  81. 81. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt … Homomorphically evaluate the decryption circuit!!! Ctxt = Enc(b) In order to reduce noise … Enc(b)
  82. 82. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt The input Enc(b) and output Enc(b) have different noise levels. Ctxt = Enc(b) KEY OBSERVATION: Enc(b)
  83. 83. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b), Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED.
  84. 84. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b), Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED.
  85. 85. noise=0 noise=p/2 KEY IDEA I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b), Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED.
  86. 86. noise=0 noise=p/2 KEY IDEA … I cannot release the secret key (or else, everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b), Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED.
  87. 87. Long story short: whenever noise level increases beyond a limit … noise=0 noise=p/2 … use bootstrapping to reset it to a fixed level
  88. 88. noise=0 noise=p/2 Bootstrapping requires the homomorphic evaluation of the decryption circuit.
  89. 89. noise=0 noise=p/2 Thus, Gentry’s “bootstrapping theorem”: If an enc scheme can evaluate its own decryption circuit, then it can evaluate everything
  90. 90. Real world use case Reference paper: • R., Bocu, C., Costache, A Homomorphic Encryption-Based System for Securely Managing Personal Health Metrics Data, IBM Journal of Research and Development ISSN 0018-8646, Volume 62, Issue 1, 2018, pp. 1:1-1:10. • Use case: the convenient and full privacy preserving collection, transportation, processing, analysis, and storage of personal health information (PHI). • Software system: SafeBioMetrics – this system addresses the four essential requirements, the biomedical data collection at the user’s end, its transfer to the storage and processing backend, the proper and secure storage of this data, and its privacy-preserving processing. • Distinctive feature: clear separation between the long-term data storage and data processing paths. The system can easily accommodate any use case that involves the data collection through sensors and mobile devices at the user’s side.
  91. 91. System architecture
  92. 92. System features • Data privacy assured during all four stages: data collection, data transmission, data storage, FHE-based data processing. • Data storage and processing backend is deployed in the cloud (in this case, IBM Bluemix, but any other cloud platform is fine). • The collected data is efficiently store in the cloud (in this case, the relevant service is IBM Cloudant, but any other similar cloud service is fine). • The FHE computations are performed using Apache Spark, but any other computing service may be adapted and used. • The processing events are intercepted, and the proper actions triggered using a programming service (in this case, IBM OpenWhisk, but any other similar service may be adapted). • Advantages • Any use case that involves the safe (private) processing of sensitive data can benefit from the usage of this model. • The approach offloads the expensive processing operations to the cloud infrastructure, while keeping intact the data privacy. • The model is fully customizable and adaptable to various use cases and hardware/software infrastructures.
  93. 93. FHE Core Model – Supported Operations • Homomorphic addition (+h) – It takes as operands two ciphertexts, which correspond to a slot wise XOR operation of the related plaintext elements. • Homomorphic multiplication (Xh) – It takes as operands two ciphertexts, which correspond to a slot wise AND operation of the related plaintext elements. • Homomorphic rotate (<<<h, >>>h) – This essentially provides the possibility to rotate the data elements’ slots. The concept of slots refers to the storage bits that determine the data elements processed by the rotate operation. • Homomorphic select (selmask) – It has the role to correct the potentially altered slots (bits) of the data elements after the rotate operation. It preserves the data consistency during the fully homomorphic encryption process.
  94. 94. FHE Core Model – The Level • The level (L) – It must be determined before starting any computation instruction. • The level L is calibrated considering the depth of the multiplication operations to be performed in the given computational context. • This parameter assures the accuracy of the FHE operations’ results. • The multiplication increments by 1 the level L of the operation. • The depth of the multiplication operations determines the value of the calibrated level L. • This operation considers a number of NCT ciphertexts, which encrypt an array with n bits that stores the relevant data (in the case of the SafeBioMetrics, the cardiac rhythm data). • The computationally expensive multiplication operations should be reduced. • Consequently, the depth of the multiplication operations is reduced, in order to achieve an optimal calibration of the level L.
  95. 95. Optimized FHE Scheme
  96. 96. Optimized FHE Scheme (cont’d) • The data storage and processing backend efficiently and safely computes the received data. • The efficient incorporation of the FHE routines into the SafeBioMetrics system relies on the utilization of the communication data path illustrated in the previous slide (the top data path). • Each bit of the plaintext data is properly packed into the respective plaintext message. • The ciphertext is generated through an FHE model considering the top data path steps. • The bottom data path in the figure implies that the input data is translated into a binary format, which is efficiently understood by the CPU. This is achieved using the computation (fc(.)) and aggregation (fa(.)) functions from the bottom data processing path. • The binary data is processed using a parallel single instruction, multiple data (SIMD) model. • The four operations already mentioned are fully supported.
  97. 97. Test Use Case •The detection of three medical conditions has been considered: the average heart rate, the delayed repolarization of the heart, the minimum and maximum heart rates. •Outcomes: • The model performed well considering the detection of all three medical conditions. • The resulted performance metrics prove that the system is time and resources efficient. • The data privacy can be preserved, even if the hosting (cloud) environment is affected by a security incident (e.g., unauthorized access by an employee or hacker, CPU vulnerability issues, etc.). • The amount of transferred data depends arithmetically on the size of the encrypted data.
  98. 98. Performance Metrics (1) - Explanation • Network capacity: XFERIN (the amount of data transferred from the client devices to the backend), XFEROUT (the amount of data that is transferred from the backend to the client devices). • Storage ratio (SR): this assesses the amount of storage that is necessary to store one byte of plaintext data in a FHE format. As an example, if SR=500, there are necessary 500 bytes in order to store one plaintext byte in the FHE format. • Processing speed (PS): This is defined through the ratio PS=PTO / PIN. Here, the numerator represents the amount of time to send the data from the client device to the backend, while the denominator is the amount of time that is required by the backend to process the received data. • NCT: The number of the involved ciphertexts. • Level L: The value of the calibration parameter.
  99. 99. Performance metrics (2)
  100. 100. Performance metrics (3) – DRHS Condition
  101. 101. Test Use Case - Conclusions • Flexible and decoupled architecture – the system is capable of accommodating most of the existing and, with a high probability, future client-side data collection devices. • SafeBioMetrics demonstrates that it is perfectly possible to sustain a completely secure, privacy preserving and resource efficient data management over large amounts of data. • This case study demonstrates that fully homomorphic encryption is useable in order to secure a system like SafeBioMetrics. • This model can be adapted to any other use case, which involves the processing of large amounts of sensitive data.
  102. 102. Thank You! Questions and Discussion

×