Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups
Goichiro Hanaoka*1
Joint work with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1
*1 AIST, *2 Cybozu labs
2018/11/21 ECC 2018 1
Outline
• Background
• Two-level Homomorphic encryption
• An efficient construction
• Security
• Implementation
• Conclusion
Background
Computing on encrypted data
• Data analysis while taking care of sensitive data
[Figure: a diagnosis function F (“if X2 > ΣY then …”) is evaluated over an encrypted database Y and returns a disease risk of 70%]
Homomorphic Encryption (HE)
• Allows computation on encrypted data
• Many applications related to privacy-preserving schemes
• Types of HE
• Additively HE (ex. Goldwasser-Micali, Okamoto-Uchiyama, Paillier, Lifted-ElGamal)
• $\mathrm{Enc}(m) + \mathrm{Enc}(m') = \mathrm{Enc}(m + m')$
• Multiplicatively HE (ex. RSA, ElGamal)
• $\mathrm{Enc}(m) \times \mathrm{Enc}(m') = \mathrm{Enc}(mm')$
• Fully HE (ex. Gentry, BGV, BV, GSW, …)
• Can do homomorphic add. and mult.
Pros and Cons
• Add. HE, Mult. HE
• Applications are restricted
• Fully HE (FHE)
• Any computations possible, but inefficient
• Security relies on less standard assumptions
• Leveled HE
• The number of homomorphic mult. is restricted.
• An intermediate notion between A/M HE and FHE.
               A/M HE      Leveled HE   FHE
Efficiency     very good   medium       bad
Functionality  medium      good         very good
Two-level HE
• HE that allows one homomorphic multiplication
• Allows degree-2 polynomial homomorphic evaluations
• Allows inner product of two vectors
• $x = (x_1, x_2, \dots)$, $y = (y_1, y_2, \dots)$
• $\sum_i \mathrm{Enc}_1(x_i) \times \mathrm{Enc}_1(y_i) = \mathrm{Enc}_2\left(\sum_i x_i y_i\right)$
[Figure: 1 + 2 = 3 on level-1 ciphertexts; 3 × 4 = 12 takes two level-1 ciphertexts to a level-2 ciphertext; 12 + 13 = 25 on level-2 ciphertexts. Legend: Level-1, Level-2]
Applications
• Secure 2-DNF formula evaluation
• Delegated secure inner-product on encrypted data
• Efficient (symmetric) private information retrieval
• Cross tabulation on encrypted data
• Efficient election protocol
• …
Existing Two-level HE
• Boneh, Goh, Nissim (TCC 2005)
• Based on Composite-order pairings, hence much less efficient
• Freeman (EUROCRYPT 2010)
• Composite-to-prime-order transformation framework, applied to BGN
• Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
• Improving Freeman’s frameworks
• Only Type 1 pairings, inefficient
• Catalano, Fiore (ACM CCS 2015)
• Transformation from d-Level HE to (2d)-level
• Instantiations are not necessarily efficient
• AHM+ (AsiaCCS 2018): This talk
• Efficient construction based on the lifted-ElGamal encryption
• Portable high-speed implementations
• Note:
• Decryption in all these schemes requires discrete log (DL)
• Hence plaintext space should be sufficiently small (up to 32-bit)
An Efficient Construction of Two-level HE
Basic Idea
•Existing schemes
• Establish a “broader fundamental & theoretical framework”
• Then, construct L2HE as an “application”
•Our scheme
• Concentrate on “L2HE-dedicated design”
• Start from “promising tools” for fast HE, i.e. Type-3 pairing and ElGamal
• Not general but fully tuned for L2HE
An Efficient Construction
• Combine the lifted-ElGamal encryption scheme with Type 3 pairings
• First, straightforwardly construct two-level HE
• Then, consider a “simpler” construction
• While Freeman considered a conversion of composite-to-prime order
• Level-1 (L1) ciphertext (CT) is same as lifted-ElGamal
• Format of level-2 (L2) CT is same as Freeman’s scheme
• Note: Type 3 pairings
• Cyclic groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ of prime order $p$ with bilinear map $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
• $e(aP, bQ) = e(P, Q)^{ab}$ for $a, b \in \mathbb{Z}_p$, $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$
• $\mathbb{G}_1 \ne \mathbb{G}_2$ and no efficient map between $\mathbb{G}_1$ and $\mathbb{G}_2$
Summary of Constructions
[Diagram: Freeman (EUROCRYPT 2018) obtains the BGN (Freeman) scheme based on prime order (includes 2-level HE) by converting the BGN scheme based on composite order. AHM+ (AsiaCCS 2018, this talk) obtains the AHM+ 2-level HE scheme by combining algebraic structures: Lifted-ElGamal, $\mathrm{Enc}(m) = (g^m h^r, g^r)$, and a Type 3 pairing, $e(aP_1, bP_2) = g_T^{ab}$]
Setup and Key Generation
• Setup
• Cyclic group $\mathbb{G}_i = \langle P_i \rangle$ over an elliptic curve with prime order $p$ for $i = 1, 2$
• $\mathbb{G}_T = \langle g_T \rangle$, where $g_T = e(P_1, P_2)$
• Key generation
• Secret key $s_1, s_2 \in \mathbb{Z}_p$ is generated at random
• Public key $Q_1 = s_1 P_1$, $Q_2 = s_2 P_2$ (with optional precomputation $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$)
• Note: Colors
• Green: Public part
• Blue: Secret and hidden part
Level-1 CT and Enc./Dec.
• Encrypt
• Plaintext 𝑚 and randomness 𝑟
• $\mathrm{Enc}_{\mathbb{G}_i}(m) = (mP_i + rQ_i,\ rP_i)$ for $i = 1, 2$
• Duplicated form: $\mathrm{Enc}_1(m) := (\mathrm{Enc}_{\mathbb{G}_1}(m),\ \mathrm{Enc}_{\mathbb{G}_2}(m))$
• Note: an element of $\mathbb{G}_1$ can be multiplied (paired) only with an element of $\mathbb{G}_2$, and vice versa, so the duplicated form is needed for general usage
• Decrypt
• For $i = 1, 2$, decrypt $\mathrm{Enc}_{\mathbb{G}_i}(m) = (S, T)$ by $S - s_i T = mP_i + rQ_i - s_i rP_i = mP_i$, and then, to obtain $m$, solve the DL
• Almost the same as lifted-ElGamal
Homomorphic Addition on L1 CT
• For 𝑖 = 1, 2,
$\mathrm{Enc}_{\mathbb{G}_i}(m_1) + \mathrm{Enc}_{\mathbb{G}_i}(m_2)$
$= (m_1 P_i + r_1 Q_i,\ r_1 P_i) + (m_2 P_i + r_2 Q_i,\ r_2 P_i)$
$= ((m_1 + m_2) P_i + (r_1 + r_2) Q_i,\ (r_1 + r_2) P_i)$
$= \mathrm{Enc}_{\mathbb{G}_i}(m_1 + m_2)$
• Also, same as lifted-ElGamal
[Figure: 1 + 2 = 3 on level-1 ciphertexts. Legend: Level-1]
Homomorphic Multiplication
• $C_1 = (S_1, T_1) = (m_1 P_1 + r_1 Q_1,\ r_1 P_1) = \mathrm{Enc}_{\mathbb{G}_1}(m_1) \in \mathbb{G}_1^2$
• $C_2 = (S_2, T_2) = (m_2 P_2 + r_2 Q_2,\ r_2 P_2) = \mathrm{Enc}_{\mathbb{G}_2}(m_2) \in \mathbb{G}_2^2$
• $C_1 \times C_2 := (e(S_1, S_2),\ e(S_1, T_2),\ e(T_1, S_2),\ e(T_1, T_2))$
$= (z_1^{m_1 m_2} z_4^{\tau'},\ z_2^{\sigma'},\ z_3^{\rho'},\ z_1^{\sigma' + \rho' - \tau'})$
$= \mathrm{Enc}_2(m_1 m_2) \in \mathbb{G}_T^4$
• $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
• Tensor product of $C_1, C_2$
• Its result is a level-2 ciphertext
[Figure: 3 × 4 = 12, two level-1 ciphertexts giving a level-2 ciphertext. Legend: Level-1, Level-2]
Homomorphic Addition on L2 CT
• $\mathrm{Enc}_2(m_1) + \mathrm{Enc}_2(m_2)$
$= (z_1^{m_1} z_4^{\tau_1},\ z_2^{\sigma_1},\ z_3^{\rho_1},\ z_1^{\sigma_1 + \rho_1 - \tau_1}) + (z_1^{m_2} z_4^{\tau_2},\ z_2^{\sigma_2},\ z_3^{\rho_2},\ z_1^{\sigma_2 + \rho_2 - \tau_2})$
$= (z_1^{m_1 + m_2} z_4^{\tau_1 + \tau_2},\ z_2^{\sigma_1 + \sigma_2},\ z_3^{\rho_1 + \rho_2},\ z_1^{(\sigma_1 + \sigma_2) + (\rho_1 + \rho_2) - (\tau_1 + \tau_2)})$
$= \mathrm{Enc}_2(m_1 + m_2)$
• Usual vector addition (component-wise multiplication in $\mathbb{G}_T$)
[Figure: 12 + 13 = 25 on level-2 ciphertexts. Legend: Level-2]
Decryption for Level-2 CT
• Decrypting a level-2 ciphertext $(c_1, c_2, c_3, c_4)$:
$\mathrm{Dec}_2(c_1, c_2, c_3, c_4) := \dfrac{c_1\, c_4^{s_1 s_2}}{c_2^{s_2}\, c_3^{s_1}} = \dfrac{e(S_1, S_2)\, e(s_1 T_1, s_2 T_2)}{e(S_1, s_2 T_2)\, e(s_1 T_1, S_2)} = e(S_1 - s_1 T_1,\ S_2 - s_2 T_2) = e(mP_1, m'P_2) = e(P_1, P_2)^{mm'}$
then solve the DLP to obtain $mm'$
• Note: $(c_1, c_2, c_3, c_4) = (z_1^{mm'} z_4^{\tau},\ z_2^{\sigma},\ z_3^{\rho},\ z_1^{\sigma + \rho - \tau}) \in \mathbb{G}_T^4$, where $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
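The whole pipeline of the preceding slides (KeyGen, duplicated level-1 encryption, Add1, the tensor-product Mult, Add2, Dec2, plus the ReRand used for circuit privacy) as an added test bench; this is not code from the talk or from mcl. Group elements are represented by their discrete logs so the pairing is plain modular multiplication, which checks the algebra exactly but gives no security; p, the plaintext bound and the sample vectors are constructed values.

```python
"""Toy test bench for the two-level HE scheme on the slides (added example; not
code from the talk or from mcl).  Elements of G1, G2 and GT are represented by
their discrete logarithms mod p with generators P1 = P2 = 1, so the Type-3
pairing e(aP1, bP2) = g_T^{ab} becomes a*b mod p.  Every homomorphic identity on
the slides holds exactly in this model, but it has NO security (an element
reveals its own log, so pk reveals sk).  p and the plaintext bound are
constructed values, not BN462 parameters."""
import secrets

P = 1_000_003        # constructed prime standing in for the group order
DL_BOUND = 1 << 20   # 20-bit plaintexts, as in the benchmark slides

def g_add(a, b):     # point addition in G1/G2, or multiplication in GT
    return (a + b) % P

def g_mul(k, a):     # scalar multiplication k*A, or exponentiation in GT
    return (k * a) % P

def pair(a, b):      # e(aP1, bP2) = g_T^{ab}
    return (a * b) % P

def solve_dl(x):
    """The bounded discrete-log step of decryption.  In the toy model the log is
    the element itself; the real scheme looks x up in a table of g_T^m (or mP_i)
    for |m| < DL_BOUND, which is why plaintexts must stay small."""
    m = x if x <= P // 2 else x - P     # read the value as signed
    if abs(m) >= DL_BOUND:
        raise ValueError("plaintext outside the bounded-DL range")
    return m

def keygen():
    """sk = (s1, s2); pk = (P1, P2, Q1 = s1 P1, Q2 = s2 P2)."""
    s1, s2 = secrets.randbelow(P), secrets.randbelow(P)
    P1 = P2 = 1
    return (s1, s2), (P1, P2, g_mul(s1, P1), g_mul(s2, P2))

def enc_g(pk, i, m):
    """Enc_{G_i}(m) = (m P_i + r Q_i, r P_i): lifted ElGamal in G_i."""
    Pi, Qi = (pk[0], pk[2]) if i == 1 else (pk[1], pk[3])
    r = secrets.randbelow(P)
    return (g_add(g_mul(m, Pi), g_mul(r, Qi)), g_mul(r, Pi))

def enc1(pk, m):
    """Duplicated level-1 form Enc1(m) = (Enc_{G1}(m), Enc_{G2}(m))."""
    return (enc_g(pk, 1, m), enc_g(pk, 2, m))

def add1(c, d):
    """Level-1 addition: add the G1 parts and the G2 parts component-wise."""
    return tuple((g_add(S, U), g_add(T, V)) for (S, T), (U, V) in zip(c, d))

def dec1(sk, ct):
    """Decrypt the G1 half: S - s1 T = m P1, then solve the DL."""
    (S, T), _ = ct
    return solve_dl((S - g_mul(sk[0], T)) % P)

def mul(c, d):
    """Homomorphic multiplication: tensor product of the G1 part of c with the
    G2 part of d, giving (e(S1,S2), e(S1,T2), e(T1,S2), e(T1,T2)) in GT^4."""
    (S1, T1), _ = c
    _, (S2, T2) = d
    return (pair(S1, S2), pair(S1, T2), pair(T1, S2), pair(T1, T2))

def add2(c, d):
    """Level-2 addition: component-wise multiplication in GT."""
    return tuple(g_add(x, y) for x, y in zip(c, d))

def dec2(sk, ct):
    """Dec2 = c1 * c4^{s1 s2} / (c2^{s2} * c3^{s1}) = e(S1 - s1 T1, S2 - s2 T2)."""
    s1, s2 = sk
    c1, c2, c3, c4 = ct
    return solve_dl((c1 + s1 * s2 * c4 - s2 * c2 - s1 * c3) % P)

def rerand2(pk, ct):
    """ReRand2(c) = c + Enc2(0); here Enc2(0) is taken as Enc1(0) x Enc1(0)
    (my choice of a fresh level-2 encryption of zero)."""
    return add2(ct, mul(enc1(pk, 0), enc1(pk, 0)))

def inner_product(pk, xs, ys):
    """sum_i Enc1(x_i) x Enc1(y_i) = Enc2(sum_i x_i y_i), computed without sk."""
    acc = mul(enc1(pk, xs[0]), enc1(pk, ys[0]))
    for x, y in zip(xs[1:], ys[1:]):
        acc = add2(acc, mul(enc1(pk, x), enc1(pk, y)))
    return acc

def demo():
    """Encrypted inner product of two constructed vectors; expect 79."""
    sk, pk = keygen()
    return dec2(sk, inner_product(pk, [3, -5, 7], [4, 2, 11]))

if __name__ == "__main__":
    print(demo())
```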
Size and Benchmark on BN462
• Note:
• Use x64 Linux on Core i7-6700
• Without compressed form
• Use lookup tables for decryption
(20-bit plaintext)
Calc. time in msec
Enc1      0.452
Enc2      1.14
Dec1      9.01
Dec2      10.01
ReRand1   0.447
ReRand2   1.14
Add1      0.0109
Add2      0.0231
Mult      8.47

Bit size
Secret key    924
Public key    27720
Dup. L1 CT    5544
L2 CT         22176
Comparison of Size
• Fre10: Freeman’s scheme (EUROCRYPT 2010)
• Compare bit size on a 462-bit Barreto-Naehrig (BN) curve
Comparison of Time
• CT: Ciphertext
• Fre10: Freeman’s scheme in EUROCRYPT 2010
• Compare calculation time on a 462-bit BN curve
Proving the Knowledge of Plaintexts
• Zero-knowledge proof protocols can be applied
• Example 1: Duplicated form of L1 CT
• Dup. L1 CT is $(\mathrm{Enc}_{\mathbb{G}_1}(m),\ \mathrm{Enc}_{\mathbb{G}_2}(m'))$
• Attach a proof of “𝑚 = 𝑚′”
• Example 2: Proving a CT encrypts a bit
• Attach a proof of “encrypted plaintext is 0 or 1”
• Applications: Voting, two-party computation
Proof of Equality
• Duplicated L1 CT:
• $(\mathrm{Enc}_{\mathbb{G}_1}(m),\ \mathrm{Enc}_{\mathbb{G}_2}(m')) = ((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1,\ \rho P_1),\ (m'P_2 + \sigma Q_2,\ \sigma P_2))$, where $\rho, \sigma \leftarrow \mathbb{Z}_p$ are randomly chosen
• Should be “$m = m'$”
• Equality can be proved in the same way as the NIZK DH-tuple proof
NIZK Proof of Equality
• L1 CT: $((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1,\ \rho P_1),\ (m'P_2 + \sigma Q_2,\ \sigma P_2))$
• Prove:
• Randomly choose $r_\rho, r_\sigma, r_m \leftarrow \mathbb{Z}_p$
• $(R_1, R_2, R_3, R_4) \leftarrow (r_m P_1 + r_\rho Q_1,\ r_\rho P_1,\ r_m P_2 + r_\sigma Q_2,\ r_\sigma P_2)$
• $c \leftarrow H(\text{public param}, C_1, C_2, C_3, C_4, R_1, R_2, R_3, R_4)$
• $(s_\rho, s_\sigma, s_m) \leftarrow (r_\rho + c\rho,\ r_\sigma + c\sigma,\ r_m + cm)$
• Proof $\pi = (c, s_\rho, s_\sigma, s_m)$
• Verify:
• $c = H(\text{public param}, C_1, C_2, C_3, C_4, R_1', R_2', R_3', R_4')$, where
$(R_1', R_2', R_3', R_4') \leftarrow (s_m P_1 + s_\rho Q_1 - cC_1,\ s_\rho P_1 - cC_2,\ s_m P_2 + s_\sigma Q_2 - cC_3,\ s_\sigma P_2 - cC_4)$
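The Fiat-Shamir proof of equality above, as an added example that is not the authors' code, in a toy representation where elements of $\mathbb{G}_1$ and $\mathbb{G}_2$ stand for their discrete logs (generators $P_1 = P_2 = 1$, no security); p, the hash-to-$\mathbb{Z}_p$ mapping and its domain tag are my assumptions. It also shows the verifier rejecting a duplicated ciphertext whose two halves encrypt different plaintexts.

```python
"""Fiat-Shamir NIZK proof that both halves of a duplicated level-1 ciphertext
encrypt the same plaintext (added example; not the authors' code).  Toy model:
elements of G1 and G2 are their discrete logs mod p with generators P1 = P2 = 1,
so the algebra is exact but nothing is hidden.  p, the hash-to-Z_p mapping and
its domain tag are constructed choices; a deployment would use the BN curve
groups and the library's hash."""
import hashlib
import secrets

P = 1_000_003   # constructed prime group order

def hash_to_zp(*items):
    """c = H(public param, C1..C4, R1..R4) mapped into Z_p (constructed domain tag)."""
    data = "|".join(repr(x) for x in items).encode()
    digest = hashlib.sha256(b"L1-equality-proof|" + data).digest()
    return int.from_bytes(digest, "big") % P

def keygen():
    """sk = (s1, s2); pk = (P1, P2, Q1 = s1 P1, Q2 = s2 P2)."""
    s1, s2 = secrets.randbelow(P), secrets.randbelow(P)
    return (s1, s2), (1, 1, s1, s2)

def dup_encrypt(pk, m, m_prime):
    """((C1, C2), (C3, C4)) = ((m P1 + rho Q1, rho P1), (m' P2 + sigma Q2, sigma P2)).
    An honest encryptor uses m_prime == m; passing a different m_prime builds a
    malformed ciphertext for testing the verifier.  Returns the CT and (rho, sigma)."""
    P1, P2, Q1, Q2 = pk
    rho, sigma = secrets.randbelow(P), secrets.randbelow(P)
    ct = ((m * P1 + rho * Q1) % P, (rho * P1) % P,
          (m_prime * P2 + sigma * Q2) % P, (sigma * P2) % P)
    return ct, (rho, sigma)

def prove_equal(pk, ct, m, rand):
    """Prover: commit to fresh r_rho, r_sigma, r_m, hash to get c, answer
    s = r + c * witness.  Proof pi = (c, s_rho, s_sigma, s_m)."""
    P1, P2, Q1, Q2 = pk
    rho, sigma = rand
    r_rho, r_sigma, r_m = (secrets.randbelow(P) for _ in range(3))
    R = ((r_m * P1 + r_rho * Q1) % P, (r_rho * P1) % P,
         (r_m * P2 + r_sigma * Q2) % P, (r_sigma * P2) % P)
    c = hash_to_zp(pk, ct, R)
    return (c, (r_rho + c * rho) % P, (r_sigma + c * sigma) % P, (r_m + c * m) % P)

def verify_equal(pk, ct, proof):
    """Verifier: rebuild R' = (s_m P1 + s_rho Q1 - c C1, s_rho P1 - c C2,
    s_m P2 + s_sigma Q2 - c C3, s_sigma P2 - c C4) and check the hash equals c.
    If the two halves encrypt different plaintexts, R3' picks up c(m - m')P2
    and the check fails (except with negligible probability)."""
    P1, P2, Q1, Q2 = pk
    C1, C2, C3, C4 = ct
    c, s_rho, s_sigma, s_m = proof
    R_prime = ((s_m * P1 + s_rho * Q1 - c * C1) % P, (s_rho * P1 - c * C2) % P,
               (s_m * P2 + s_sigma * Q2 - c * C3) % P, (s_sigma * P2 - c * C4) % P)
    return c == hash_to_zp(pk, ct, R_prime)

if __name__ == "__main__":
    sk, pk = keygen()
    ct, rnd = dup_encrypt(pk, 42, 42)
    print("honest:", verify_equal(pk, ct, prove_equal(pk, ct, 42, rnd)))
    bad, rnd = dup_encrypt(pk, 42, 43)
    print("m != m':", verify_equal(pk, bad, prove_equal(pk, bad, 42, rnd)))
```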
Security
Confidentiality
• Shown scheme is IND-CPA secure under the SXDH assumption
• Note1: IND-CPA (INDistinguishability against Chosen Plaintext Attack)
• Hidden plaintext from ciphertext
• Standard base-line security notion
• Note2: SXDH (Symmetric eXternal Diffie-Hellman) assumption
• For $P_1 \in \mathbb{G}_1$, $P_2 \in \mathbb{G}_2$ and random $\alpha, \beta, \gamma$, the tuples $(P_1, \alpha P_1, \beta P_1, \alpha\beta P_1) \approx (P_1, \alpha P_1, \beta P_1, \gamma P_1)$ and $(P_2, \alpha P_2, \beta P_2, \alpha\beta P_2) \approx (P_2, \alpha P_2, \beta P_2, \gamma P_2)$ are computationally indistinguishable (i.e. DDH holds in both $\mathbb{G}_1$ and $\mathbb{G}_2$)
Circuit Privacy
• Shown scheme is circuit private
• Namely, $\mathrm{ReRand}_i(c) \approx \mathrm{Enc}_i(\mathrm{Dec}_i(c))$
• Rerandomization: $\mathrm{ReRand}_i(c) := c + \mathrm{Enc}_i(0)$
• $\mathrm{ReRand}_i(c)$ removes a trace of the circuit from $c$
• Note: the arithmetic circuit may depend on a secret
• E.g., for $i = 1, 2$ and a secret integer $n$, $n \times \mathrm{Enc}_i(m) = \sum_{j=1}^{n} \mathrm{Enc}_i(m) = \mathrm{Enc}_i(nm)$
• Should be $\mathrm{Enc}_i(m) + \mathrm{Enc}_i(m') \approx \mathrm{Enc}_i(m + m')$ and $\mathrm{Enc}_1(m) \times \mathrm{Enc}_1(m') \approx \mathrm{Enc}_2(mm')$
• Note: which group ($\mathbb{G}_1$, $\mathbb{G}_2$ or $\mathbb{G}_T$) a CT belongs to is obvious, so that is not hidden
Implementation
Our Implementation
• Available in “mcl”: A library for pairings
• BN254, 381, 462, BLS12-381
• C++: https://github.com/herumi/mcl
• Web browser/Node.js:
https://github.com/herumi/she-wasm
• High-performance implementation for
x64/ARM64
• WebAssembly (wasm)
• Runs on Microsoft Edge, Firefox, Chrome, Safari
without any plug-ins
• Open source: BSD 3-clause
Benchmarks on wasm
• Calculation times in msec
• Use BN254
• Use lookup tables for decryption (20-bit plaintext)
Native: x64 Linux on Core i7-7700; Firefox: JavaScript with wasm, Firefox on Core i7-7700; Safari: JavaScript with wasm, Safari on iPhone 7
Operation   Native    Firefox   Safari
Enc 𝔾1      0.018     0.3       0.96
Enc 𝔾2      0.048     0.82      1.72
Add 𝔾1      0.00062   0.016     0.016
Add 𝔾2      0.002     0.036     0.048
Mult        1.17      15.6      24.3
Dec2        0.66      7.8       12.6
Demo
Importance of WebAssembly (wasm) Implementation
• Large deployment advantages
• wasm is a portable and fast binary instruction format
• Runs on many modern browsers
• Microsoft Edge, Safari, Google Chrome, and Mozilla Firefox on Windows, Linux, macOS, iPhone, Android, and so on…
• Requires no plugins
• Being developed as a web standard via the W3C
• Distribution is easy
Demonstrations of wasm
• Inner product: https://herumi.github.io/she-wasm/she-demo.html
• Oblivious transfer: https://ppdm.jp/ot/
Conclusion
• Practical efficient two-level homomorphic encryption
• Many times add. and one-time mult. on encrypted data
• Based on Type 3 (asymmetric) pairing
• Combine the lifted-ElGamal encryption scheme
• Faster than Freeman’s scheme (EUROCRYPT 2010)
• Portable high-performance implementation
• C++/asm/WebAssembly
• https://github.com/herumi/mcl
• https://github.com/herumi/she-wasm
• Open source: BSD 3-clause
Thank you!
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 

Dernier (20)

Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men08448380779 Call Girls In Friends Colony Women Seeking Men
08448380779 Call Girls In Friends Colony Women Seeking Men
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...Workshop - Best of Both Worlds_ Combine  KG and Vector search for  enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 

Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups

  • 9. Existing Two-level HE
    • Boneh, Goh, Nissim (TCC 2005)
      • Based on composite-order pairings, hence much less efficient
    • Freeman (EUROCRYPT 2010)
      • Composite-to-prime-order transformation framework, applied to BGN
    • Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
      • Improves Freeman's framework
      • Only Type 1 pairings, inefficient
    • Catalano, Fiore (ACM CCS 2015)
      • Transformation from d-level HE to (2d)-level HE
      • Instantiations are not necessarily efficient
    • AHM+ (AsiaCCS 2018): this talk
      • Efficient construction based on the lifted-ElGamal encryption
      • Portable high-speed implementations
    • Note:
      • Decryption in all these schemes requires solving a discrete log (DL)
      • Hence the plaintext space must be sufficiently small (up to 32 bits)
  • 10. An Efficient Construction of Two-level HE
  • 11. Basic Idea
    • Existing schemes
      • Establish a “broader fundamental & theoretical framework”
      • Then construct L2HE as an “application”
    • Our scheme
      • Concentrate on an “L2HE-dedicated design”
      • Start from “promising tools” for fast HE, i.e. Type 3 pairings and ElGamal
      • Not general, but fully tuned for L2HE
  • 12. An Efficient Construction
    • Combine the lifted-ElGamal encryption scheme with Type 3 pairings
      • First, straightforwardly construct a two-level HE
      • Then, consider a “simpler” construction
      • (Freeman instead considered a conversion from composite to prime order)
    • Level-1 (L1) ciphertext (CT) is the same as in lifted-ElGamal
    • Format of the level-2 (L2) CT is the same as in Freeman's scheme
    • Note: Type 3 pairings
      • Cyclic groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ of prime order $p$ with a bilinear map $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
      • $e(aP, bQ) = e(P, Q)^{ab}$ for $a, b \in \mathbb{Z}_p$, $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$
      • $\mathbb{G}_1 \neq \mathbb{G}_2$, and there is no efficient map between $\mathbb{G}_1$ and $\mathbb{G}_2$
  • 13. Summary of Constructions
    • Freeman (EUROCRYPT 2010): construction by converting
      • BGN scheme based on composite order → BGN (Freeman) scheme based on prime order (includes 2-level HE)
    • AHM+ (AsiaCCS 2018, this talk): construction by combining algebraic structures
      • Lifted-ElGamal: $\mathrm{Enc}(m) = (g^m h^r, g^r)$
      • Type 3 pairing: $e(aP_1, bP_2) = g_T^{ab}$
      • → AHM+ 2-level HE scheme
  • 14. Setup and Key Generation
    • Setup
      • Cyclic group $\mathbb{G}_i = \langle P_i \rangle$ over an elliptic curve with prime order $p$, for $i = 1, 2$
      • $\mathbb{G}_T = \langle g_T \rangle$, where $g_T = e(P_1, P_2)$
    • Key generation
      • Secret key $s_1, s_2 \in \mathbb{Z}_p$ is generated at random
      • Public key $Q_1 = s_1 P_1$, $Q_2 = s_2 P_2$ (with optional precomputation $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$)
    • Note: colors on the slide
      • Green: public part
      • Blue: secret and hidden part
  • 15. Level-1 CT and Enc./Dec.
    • Encrypt
      • Plaintext $m$ and randomness $r$
      • $\mathrm{Enc}_{\mathbb{G}_i}(m) = (mP_i + rQ_i, rP_i)$ for $i = 1, 2$
      • Duplicated form: $\mathrm{Enc}_1(m) := (\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m))$
      • Note: an element of $\mathbb{G}_1$ can be multiplied only with an element of $\mathbb{G}_2$, and vice versa, so the duplicated form is needed for general usage
    • Decrypt
      • For $i = 1, 2$, decrypt $\mathrm{Enc}_{\mathbb{G}_i}(m) = (S, T)$ by $S - s_i T = mP_i + rQ_i - s_i r P_i = mP_i$, and then solve the DL to obtain $m$
      • Almost the same as lifted-ElGamal
  • 16. Homomorphic Addition on L1 CT
    • For $i = 1, 2$,
      $\mathrm{Enc}_{\mathbb{G}_i}(m_1) + \mathrm{Enc}_{\mathbb{G}_i}(m_2) = (m_1 P_i + r_1 Q_i, r_1 P_i) + (m_2 P_i + r_2 Q_i, r_2 P_i) = ((m_1 + m_2) P_i + (r_1 + r_2) Q_i, (r_1 + r_2) P_i) = \mathrm{Enc}_{\mathbb{G}_i}(m_1 + m_2)$
    • Also the same as lifted-ElGamal
    • (Figure: $1 + 2 = 3$ on level-1 ciphertexts)
  • 17. Homomorphic Multiplication
    • $C_1 = (S_1, T_1) = (m_1 P_1 + r_1 Q_1, r_1 P_1) = \mathrm{Enc}_{\mathbb{G}_1}(m_1) \in \mathbb{G}_1^2$
    • $C_2 = (S_2, T_2) = (m_2 P_2 + r_2 Q_2, r_2 P_2) = \mathrm{Enc}_{\mathbb{G}_2}(m_2) \in \mathbb{G}_2^2$
    • $C_1 \times C_2 := (e(S_1, S_2), e(S_1, T_2), e(T_1, S_2), e(T_1, T_2)) = (z_1^{m_1 m_2} z_4^{\tau'}, z_2^{\sigma'}, z_3^{\rho'}, z_1^{\sigma' + \rho' - \tau'}) = \mathrm{Enc}_2(m_1 m_2) \in \mathbb{G}_T^4$
      • $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
    • Tensor product of $C_1$ and $C_2$
    • The result is a level-2 ciphertext
    • (Figure: $3 \times 4 = 12$, level-1 inputs, level-2 output)
  • 18. Homomorphic Addition on L2 CT
    • $\mathrm{Enc}_2(m_1) + \mathrm{Enc}_2(m_2) = (z_1^{m_1} z_4^{\tau_1}, z_2^{\sigma_1}, z_3^{\rho_1}, z_1^{\sigma_1 + \rho_1 - \tau_1}) + (z_1^{m_2} z_4^{\tau_2}, z_2^{\sigma_2}, z_3^{\rho_2}, z_1^{\sigma_2 + \rho_2 - \tau_2}) = (z_1^{m_1 + m_2} z_4^{\tau_1 + \tau_2}, z_2^{\sigma_1 + \sigma_2}, z_3^{\rho_1 + \rho_2}, z_1^{(\sigma_1 + \sigma_2) + (\rho_1 + \rho_2) - (\tau_1 + \tau_2)}) = \mathrm{Enc}_2(m_1 + m_2)$
    • Usual vector addition (the group operation of $\mathbb{G}_T$, applied component-wise)
    • (Figure: $12 + 13 = 25$ on level-2 ciphertexts)
  • 19. Decryption for Level-2 CT
    • Decrypting a level-2 ciphertext $(c_1, c_2, c_3, c_4)$:
      $\mathrm{Dec}_2(c_1, c_2, c_3, c_4) := \dfrac{c_1 c_4^{s_1 s_2}}{c_2^{s_2} c_3^{s_1}} = \dfrac{e(S_1, S_2)\, e(s_1 T_1, s_2 T_2)}{e(S_1, s_2 T_2)\, e(s_1 T_1, S_2)} = e(S_1 - s_1 T_1, S_2 - s_2 T_2) = e(mP_1, m'P_2) = e(P_1, P_2)^{mm'}$,
      then solve the DLP to obtain $mm'$
    • Note: $(c_1, c_2, c_3, c_4) = (z_1^{mm'} z_4^{\tau}, z_2^{\sigma}, z_3^{\rho}, z_1^{\sigma + \rho - \tau}) \in \mathbb{G}_T^4$, where $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
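The whole construction of slides 14 to 19 (key generation, duplicated level-1 encryption, L1 addition, the tensor-product multiplication, L2 addition, rerandomisation with Enc2(0) and the Dec2 formula with a DL lookup table), as an added example that is not code from the mcl library or the authors. The groups are simulated: G1 and G2 as the additive group Z_q with a point aP_i stored as the scalar a, and G_T as the order-q subgroup of Z_p^* for the constructed safe-prime pair q = 1019, p = 2039, so e(aP1, bP2) = g_T^(ab) holds exactly and every identity on the slides can be checked, but nothing here is secure; the function names are this example's own.

```python
# Added example, not the mcl library's code: the AHM+ two-level HE algebra over
# a toy bilinear structure. G1 and G2 are simulated as the additive group Z_q (a
# point aP_i is stored as the scalar a); G_T is the order-q subgroup of Z_p^*
# generated by GT, so e(aP1, bP2) = GT^(ab) holds exactly. Constructed q = 1019,
# p = 2q + 1 = 2039 make every DL trivial: this checks algebra, not security.
import secrets

Q, P, GT = 1019, 2039, 4   # 4 is a quadratic residue mod p, hence of order q

def pair(a, b):            # Type 3 pairing on simulated points
    return pow(GT, (a * b) % Q, P)

def keygen():              # sk = (s1, s2); pk = (Q1, Q2) = (s1 P1, s2 P2)
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s1, s2), (s1, s2)

def enc_g(Qi, m):          # Enc_{G_i}(m) = (m P_i + r Q_i, r P_i), fresh r
    r = secrets.randbelow(Q)
    return ((m + r * Qi) % Q, r)

def enc1(pk, m):           # duplicated level-1 CT: a copy in G1 and one in G2
    return (enc_g(pk[0], m), enc_g(pk[1], m))

def add1(c, d):            # level-1 addition is component-wise, as in ElGamal
    return tuple(((s + t) % Q, (u + v) % Q) for (s, u), (t, v) in zip(c, d))

def mul(c, d):             # tensor product of c's G1 copy with d's G2 copy
    (S1, T1), (S2, T2) = c[0], d[1]
    return (pair(S1, S2), pair(S1, T2), pair(T1, S2), pair(T1, T2))

def add2(c, d):            # level-2 addition is component-wise in G_T
    return tuple((x * y) % P for x, y in zip(c, d))

def enc2(pk, m):           # Enc_2(m) = (z1^m z4^t, z2^s, z3^r, z1^(s+r-t))
    z1, z2, z3, z4 = GT, pair(pk[0], 1), pair(1, pk[1]), pair(pk[0], pk[1])
    s, r, t = (secrets.randbelow(Q) for _ in range(3))
    return (pow(z1, m, P) * pow(z4, t, P) % P, pow(z2, s, P), pow(z3, r, P),
            pow(z1, (s + r - t) % Q, P))

# DL table for G_T; real deployments tabulate GT^m for a bounded (20-bit) range
DL_TABLE = {pow(GT, m, P): m for m in range(Q)}

def dec1(sk, c):           # S - s1 T = m P1; in scalar form that is m itself
    S, T = c[0]
    return (S - sk[0] * T) % Q

def dec2(sk, c):           # c1 c4^(s1 s2) / (c2^s2 c3^s1), then DL via table
    s1, s2 = sk
    c1, c2, c3, c4 = c
    num = c1 * pow(c4, (s1 * s2) % Q, P) % P
    den = pow(c2, s2, P) * pow(c3, s1, P) % P
    return DL_TABLE[num * pow(den, -1, P) % P]

def inner_product(pk, xs, ys):   # sum_i Enc1(x_i) x Enc1(y_i) = Enc2(<x, y>)
    acc = enc2(pk, 0)
    for x, y in zip(xs, ys):
        acc = add2(acc, mul(enc1(pk, x), enc1(pk, y)))
    return acc

def demo():
    sk, pk = keygen()
    c = add1(enc1(pk, 3), enc1(pk, 4))             # 3 + 4 at level 1
    d = add2(mul(c, enc1(pk, 5)), enc2(pk, 0))     # (3 + 4) * 5, rerandomised
    ip = inner_product(pk, [1, 2, 3], [4, 5, 6])   # 4 + 10 + 18
    return dec1(sk, c), dec2(sk, d), dec2(sk, ip)  # -> (7, 35, 32)
```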
  • 20. Size and Benchmark on BN462
    • Note:
      • x64 Linux on Core i7-6700
      • Without compressed form
      • Lookup tables used for decryption (20-bit plaintext)
    • Calculation time (msec):
      Enc1      0.452
      Enc2      1.14
      Dec1      9.01
      Dec2     10.01
      ReRand1   0.447
      ReRand2   1.14
      Add1      0.0109
      Add2      0.0231
      Mult      8.47
    • Size (bits):
      Secret key    924
      Public key  27720
      Dup. L1 CT   5544
      L2 CT       22176
  • 21. Comparison of Size
    • Fre10: Freeman's scheme (EUROCRYPT 2010)
    • Compares bit sizes on a 462-bit Barreto-Naehrig (BN) curve
  • 22. Comparison of Time
    • CT: ciphertext
    • Fre10: Freeman's scheme (EUROCRYPT 2010)
    • Compares calculation times on a 462-bit BN curve
  • 23. Proving the Knowledge of Plaintexts
    • Zero-knowledge proof protocols can be applied
    • Example 1: duplicated form of L1 CT
      • Dup. L1 CT is $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m'))$
      • Attach a proof of “$m = m'$”
    • Example 2: proving that a CT encrypts a bit
      • Attach a proof of “the encrypted plaintext is 0 or 1”
    • Applications: voting, two-party computation
  • 24. Proof of Equality
    • Duplicated L1 CT:
      $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m')) = ((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1, \rho P_1), (m'P_2 + \sigma Q_2, \sigma P_2))$, where $\rho, \sigma \leftarrow \mathbb{Z}_p$ are chosen at random
    • Should satisfy “$m = m'$”
    • Equality can be proved in the same way as the NIZK DH-tuple proof
  • 25. NIZK Proof of Equality
    • L1 CT: $((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1, \rho P_1), (m'P_2 + \sigma Q_2, \sigma P_2))$
    • Prove:
      • Randomly choose $r_\rho, r_\sigma, r_m \leftarrow \mathbb{Z}_p$
      • $(R_1, R_2, R_3, R_4) \leftarrow (r_m P_1 + r_\rho Q_1, r_\rho P_1, r_m P_2 + r_\sigma Q_2, r_\sigma P_2)$
      • $c \leftarrow H(\text{public param}, C_1, C_2, C_3, C_4, R_1, R_2, R_3, R_4)$
      • $(s_\rho, s_\sigma, s_m) \leftarrow (r_\rho + c\rho, r_\sigma + c\sigma, r_m + cm)$
      • Proof $\pi = (c, s_\rho, s_\sigma, s_m)$
    • Verify:
      • Check $c = H(\text{public param}, C_1, C_2, C_3, C_4, R'_1, R'_2, R'_3, R'_4)$, where $(R'_1, R'_2, R'_3, R'_4) \leftarrow (s_m P_1 + s_\rho Q_1 - cC_1, s_\rho P_1 - cC_2, s_m P_2 + s_\sigma Q_2 - cC_3, s_\sigma P_2 - cC_4)$
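The prover and verifier of slide 25 (Fiat-Shamir equality proof for a duplicated L1 ciphertext), as an added example that is not code from mcl or she-wasm. G1 and G2 are again simulated as Z_q with a point aP_i stored as the scalar a, the constructed prime q = 2^127 - 1 stands in for the curve order, and SHA-256 over the public parameters, C1..C4 and R1..R4 plays the role of H; the demo shows an honest proof verifying and a proof over a duplicated CT whose two halves encrypt different plaintexts failing.

```python
# Added example (not the mcl/she-wasm projects' code): the slide's NIZK proof
# that a duplicated level-1 CT encrypts the same m in G1 and G2. Both groups are
# simulated as the additive group Z_q, a point aP_i stored as the scalar a, so
# mP_i + rQ_i becomes (m + r*s_i) mod q. Constructed q = 2^127 - 1 keeps the
# challenge space large; nothing here models the hardness of DL.
import hashlib
import secrets

Q = (1 << 127) - 1   # toy prime group order, not a real curve order

def keygen():        # sk = (s1, s2); pk = (Q1, Q2) = (s1 P1, s2 P2) as scalars
    s1, s2 = secrets.randbelow(Q), secrets.randbelow(Q)
    return (s1, s2), (s1, s2)

def enc_g(Qi, m, r): # Enc_{G_i}(m) = (m P_i + r Q_i, r P_i) in scalar form
    return ((m + r * Qi) % Q, r % Q)

def dup_enc(pk, m, m_prime):
    """Duplicated L1 CT (C1,C2,C3,C4) plus its randomness; m_prime != m
    models a malformed CT. The prover needs rho and sigma."""
    rho, sigma = secrets.randbelow(Q), secrets.randbelow(Q)
    return enc_g(pk[0], m, rho) + enc_g(pk[1], m_prime, sigma), (rho, sigma)

def challenge(pk, ct, R):   # c = H(public params, C1..C4, R1..R4) in Z_q
    data = "|".join(str(x) for x in (Q, *pk, *ct, *R)).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % Q

def prove(pk, ct, m, rho, sigma):
    """Prover: commitments R1..R4, Fiat-Shamir challenge, responses."""
    Q1, Q2 = pk
    r_rho, r_sig, r_m = (secrets.randbelow(Q) for _ in range(3))
    R = ((r_m + r_rho * Q1) % Q, r_rho, (r_m + r_sig * Q2) % Q, r_sig)
    c = challenge(pk, ct, R)
    return (c, (r_rho + c * rho) % Q, (r_sig + c * sigma) % Q, (r_m + c * m) % Q)

def verify(pk, ct, proof):
    """Verifier: recompute R'1..R'4 from the responses and re-hash."""
    Q1, Q2 = pk
    C1, C2, C3, C4 = ct
    c, s_rho, s_sig, s_m = proof
    R = ((s_m + s_rho * Q1 - c * C1) % Q, (s_rho - c * C2) % Q,
         (s_m + s_sig * Q2 - c * C3) % Q, (s_sig - c * C4) % Q)
    return challenge(pk, ct, R) == c

def demo():
    sk, pk = keygen()
    good, (rho, sigma) = dup_enc(pk, 42, 42)
    bad, (rho2, sigma2) = dup_enc(pk, 42, 43)   # G2 half encrypts another m
    ok = verify(pk, good, prove(pk, good, 42, rho, sigma))
    cheat = verify(pk, bad, prove(pk, bad, 42, rho2, sigma2))
    return ok, cheat                             # -> (True, False)
```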
  • 27. Confidentiality
    • The shown scheme is IND-CPA secure under the SXDH assumption
    • Note 1: IND-CPA (INDistinguishability against Chosen Plaintext Attack)
      • The plaintext is hidden from the ciphertext
      • Standard baseline security notion
    • Note 2: SXDH (Symmetric eXternal Diffie-Hellman) assumption
      • For $P_1 \in \mathbb{G}_1$, $P_2 \in \mathbb{G}_2$ and random $\alpha, \beta, \gamma$, the tuples $(P_1, \alpha P_1, \beta P_1, \alpha\beta P_1) \approx (P_1, \alpha P_1, \beta P_1, \gamma P_1)$ and $(P_2, \alpha P_2, \beta P_2, \alpha\beta P_2) \approx (P_2, \alpha P_2, \beta P_2, \gamma P_2)$ are computationally indistinguishable
  • 28. Circuit Privacy
    • The shown scheme is circuit private
      • Namely, $\mathrm{ReRand}_i(c) \approx \mathrm{Enc}_i(\mathrm{Dec}_i(c))$
    • Rerandomization: $\mathrm{ReRand}_i(c) := c + \mathrm{Enc}_i(0)$
      • $\mathrm{ReRand}_i(c)$ removes any trace of the circuit from $c$
    • Note: the arithmetic circuit may depend on a secret
      • E.g., for $i = 1, 2$ and a secret integer $n$, $n \times \mathrm{Enc}_i(m) = \sum_{j=1}^{n} \mathrm{Enc}_i(m) = \mathrm{Enc}_i(nm)$
      • Should satisfy $\mathrm{Enc}_i(m) + \mathrm{Enc}_i(m') \approx \mathrm{Enc}_i(m + m')$ and $\mathrm{Enc}_1(m) \times \mathrm{Enc}_1(m') \approx \mathrm{Enc}_2(mm')$
    • Note: which group ($\mathbb{G}_1$, $\mathbb{G}_2$ or $\mathbb{G}_T$) a CT belongs to is obvious, so the level itself is not hidden
  • 30. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups
    Goichiro Hanaoka*1; joint work with Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1 (*1 AIST, *2 Cybozu Labs)
  • 31. Our Implementation
    • Available in “mcl”: a library for pairings
      • BN254, BN381, BN462, BLS12-381
      • C++: https://github.com/herumi/mcl
      • Web browser/Node.js: https://github.com/herumi/she-wasm
    • High-performance implementation for x64/ARM64
    • WebAssembly (wasm)
      • Runs on Microsoft Edge, Firefox, Chrome and Safari without any plug-ins
    • Open source: BSD 3-clause
  • 32. Benchmarks on wasm
    • Calculation times in msec
    • Use BN254
    • Lookup tables used for decryption (20-bit plaintext)
    • Columns: native x64 (Linux, Core i7-7700); JavaScript with wasm (Firefox, Core i7-7700); JavaScript with wasm (Safari, iPhone 7)
      Operation   Native x64   wasm/Firefox   wasm/Safari (iPhone 7)
      Enc G1      0.018        0.3            0.96
      Enc G2      0.048        0.82           1.72
      Add G1      0.00062      0.016          0.016
      Add G2      0.002        0.036          0.048
      Mult        1.17         15.6           24.3
      Dec2        0.66         7.8            12.6
  • 34. Importance of the WebAssembly (wasm) Implementation
    • Large deployment advantages
      • wasm is a portable and fast binary instruction format
      • Runs on many modern browsers
        • Microsoft Edge, Safari, Google Chrome and Mozilla Firefox on Windows, Linux, macOS, iPhone, Android, and so on
      • Requires no plugins
      • Being developed as a web standard via the W3C
      • Distribution is easy
  • 35. Demonstrations of wasm
    • Inner product: https://herumi.github.io/she-wasm/she-demo.html
    • Oblivious transfer: https://ppdm.jp/ot/
  • 36. Conclusion
    • Practical, efficient two-level homomorphic encryption
      • Many additions and one multiplication on encrypted data
      • Based on Type 3 (asymmetric) pairings
      • Combined with the lifted-ElGamal encryption scheme
      • Faster than Freeman's scheme (EUROCRYPT 2010)
    • Portable high-performance implementation
      • C++/asm/WebAssembly
      • https://github.com/herumi/mcl
      • https://github.com/herumi/she-wasm
      • Open source: BSD 3-clause
    Thank you!