Protecting Privacy through Homomorphic Encryption



Kristin Lauter, Wei Dai, Kim Laine (Editors)


Editors

Kristin Lauter, West Coast Research Science, Facebook AI Research, Seattle, WA, USA

Wei Dai, Cryptography and Privacy Research Group, Microsoft Research, Redmond, WA, USA

Kim Laine, Cryptography and Privacy Research Group, Microsoft Research, Redmond, WA, USA

ISBN 978-3-030-77286-4; ISBN 978-3-030-77287-1 (eBook)
https://doi.org/10.1007/978-3-030-77287-1

© The Editor(s) (if applicable) and The Author(s), under exclusive license to Springer Nature Switzerland AG 2021, corrected publication 2022

This work is subject to copyright. All rights are solely and exclusively licensed by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.

The use of general descriptive names, registered names, trademarks, service marks, etc. in this publication does not imply, even in the absence of a specific statement, that such names are exempt from the relevant protective laws and regulations and therefore free for general use.

The publisher, the authors, and the editors are safe to assume that the advice and information in this book are believed to be true and accurate at the date of publication. Neither the publisher nor the authors or the editors give a warranty, expressed or implied, with respect to the material contained herein or for any errors or omissions that may have been made. The publisher remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This Springer imprint is published by the registered company Springer Nature Switzerland AG. The registered company address is: Gewerbestrasse 11, 6330 Cham, Switzerland.

Preface

This book is concerned with explaining methods for protecting privacy using Homomorphic Encryption. Privacy means different things to different people. In this volume, we will use the term privacy to refer to the notion defined by some social scientists as the guarantee that an individual or an organization should have the right to control how their data is used or shared. Privacy is not possible without tools from cryptography necessary to protect the security of data from unauthorized access or use.

Encryption is a tool for protecting data by transforming it using mathematical methods and the knowledge of a cryptographic key. Assuming a sound implementation of an encryption scheme and the hardness of the underlying mathematical problems, encryption can be used to protect both the security and the privacy of data. Traditional encryption schemes such as the US government standardized AES block cipher can be used to protect data while in transit or in storage. But to protect data while in use requires a new kind of encryption which allows for meaningful computation on ciphertexts without decryption. Such encryption is called Homomorphic Encryption (HE), because homomorphic is a common term in mathematics meaning to preserve structure. It means that the encryption map preserves the underlying algebraic structure of the data, resulting in the same output if the order of encryption and computation are exchanged.

The existence of a solution for Homomorphic Encryption was an open problem for more than three decades. A partially homomorphic encryption scheme was known already in the mid-1970s: RSA encryption allows for one operation on ciphertexts. But computation on today's (classical) computers is implemented as operations on bits described as circuits of AND and OR gates. So, two operations on encrypted data are required to implement general circuits for computation. The first blueprint for a solution was introduced by Gentry [1] in 2009, including the notion of bootstrapping to allow for arbitrary computation. The lattice-based solutions used in all the homomorphic encryption libraries today implement schemes based on the Ring Learning with Errors (RLWE) problem, which will be further explained in Part II. The first RLWE-based solution [2] was later extended to [3], and other proposed schemes followed, which will all be explained in Parts I and II. The first practical approach to computation on real data was introduced in [4], including the encoding of integers and real data as ciphertexts, replacing bitwise encryption. This led for example to techniques introduced in [5] for the first time to perform machine learning tasks on encrypted data, such as training models and using them for prediction, and eventually to the CryptoNets project [6] which demonstrated neural net predictions on encrypted data.
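The two properties the preface relies on, that an encryption map can preserve algebraic structure and that RSA provides only one operation on ciphertexts, can be seen directly in textbook RSA. The following is an added example and is not code from the book or from any of the libraries it describes. The key parameters (p = 61, q = 53, e = 17) are constructed toy values chosen only so the arithmetic is easy to follow; they are an assumption of this example and are far too small to be secure. Multiplying two ciphertexts and decrypting returns the product of the plaintexts, and encrypting the product gives exactly the same ciphertext as multiplying the two ciphertexts, which is the "order of encryption and computation exchanged" property restricted to multiplication. Adding two ciphertexts, by contrast, does not decrypt to the sum, which is why RSA supplies one of the two operations a general circuit needs and not both.

```python
from math import gcd

# Constructed toy RSA parameters (an assumption for illustration only; far too
# small to be secure, and unpadded textbook RSA is never deployed as-is).
P, Q = 61, 53
N = P * Q                     # modulus, 3233
PHI = (P - 1) * (Q - 1)       # Euler's totient of N, 3120
E = 17                        # public exponent, must be coprime to PHI
assert gcd(E, PHI) == 1
D = pow(E, -1, PHI)           # private exponent, 2753 (modular inverse, Python 3.8+)


def encrypt(m: int) -> int:
    """Textbook RSA encryption: c = m^e mod n."""
    return pow(m, E, N)


def decrypt(c: int) -> int:
    """Textbook RSA decryption: m = c^d mod n."""
    return pow(c, D, N)


def multiply_ciphertexts(c1: int, c2: int) -> int:
    """The one operation RSA supports on ciphertexts: modular multiplication."""
    return (c1 * c2) % N


def homomorphic_product(a: int, b: int):
    """Compute a*b on encrypted inputs without ever decrypting them.

    Returns (result decrypted from the ciphertext product, expected plaintext
    product) so a caller can confirm the two agree.
    """
    c = multiply_ciphertexts(encrypt(a), encrypt(b))
    return decrypt(c), (a * b) % N


def commutes(a: int, b: int) -> bool:
    """Structure preservation: Enc(a*b mod n) == Enc(a) * Enc(b) mod n.

    Because (a*b)^e = a^e * b^e mod n, encrypting first and then multiplying
    gives the same ciphertext as multiplying first and then encrypting.
    """
    return encrypt((a * b) % N) == multiply_ciphertexts(encrypt(a), encrypt(b))


def additive_attempt(a: int, b: int):
    """Show that addition is NOT supported: decrypting Enc(a) + Enc(b) mod n
    does not yield a + b. Returns (decrypted result, expected sum)."""
    c = (encrypt(a) + encrypt(b)) % N
    return decrypt(c), (a + b) % N


if __name__ == "__main__":
    print("product via ciphertexts:", homomorphic_product(7, 11))
    print("Enc(ab) == Enc(a)*Enc(b):", commutes(7, 11))
    print("sum via ciphertexts:", additive_attempt(7, 11))
```

The same malleability that makes textbook RSA multiplicatively homomorphic is a liability in ordinary encryption, which is why deployed RSA applies padding such as OAEP and why a scheme intended for computation on ciphertexts has to be designed and parameterized for that purpose, as the Standard in Part II does for the lattice-based schemes.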

Any new proposal for cryptosystems based on hard mathematical problems must be thoroughly studied and reviewed by the scientific community before the public can be expected to adopt and trust it to protect the privacy and security of their data. New cryptographic proposals have typically seen at least a 10-year lag before widespread adoption in the industry, as was the case for Elliptic Curve Cryptography. Lattice-based cryptography was first introduced in the mid-1990s. There are no known efficient quantum attacks on general lattice-based schemes, so lattice-based key exchange and signature schemes are currently leading candidates in the ongoing 5-year National Institute of Standards and Technology (NIST) Post-Quantum Cryptography Standardization competition. But the parameters required for Homomorphic Encryption applications are quite a bit larger than for key exchange and signature schemes, and the protocols and applications are quite different. The idea of forming a community to standardize Homomorphic Encryption came out of a meeting between Kristin Lauter, Shai Halevi, Kurt Rohloff, Yuriy Polyakov, and Victor Shoup in New York City in April, 2015. Initial goals included developing common APIs to ensure interoperability of different implementations.

In 2017, Microsoft Research (MSR) Outreach funded the first Homomorphic Encryption Standardization Workshop, hosted at Microsoft in Redmond, WA, on July 13–14, 2017. The workshop was co-organized by Kristin Lauter and Kim Laine from MSR, Roy Zimmermann from MSR Outreach, Lily Chen (NIST), Jung Hee Cheon (Seoul National University), Kurt Rohloff (NJIT/Duality), and Vinod Vaikuntanathan (MIT), with input from Shai Halevi (IBM/Algorand). This group now forms the Steering Committee for the HomomorphicEncryption.org open community which grew out of this meeting. This first workshop was organized as a collaboration meeting, with 36 invited participants divided into three working groups of 12. The groups were led by the workshop organizers, to work on writing three whitepapers on Security, API design, and Applications over the course of 2 days. The whitepapers were made available publicly several weeks after the workshop, after some additional work and editing. The papers were posted on the workshop webpage and on the HomomorphicEncryption.org website, which was set up along with email lists and discussion groups to continue the conversation on standardization of HE.


First Homomorphic Encryption Standardization Workshop, July 13–14, 2017, Microsoft Research, Redmond WA, USA

After the first workshop, it was decided that the Security whitepaper could form the basis of the first Homomorphic Encryption Standard, to assure basic agreement on secure parameter sets to be used for applications. Input from the wider international research community was solicited, and the revised Security whitepaper was circulated. After some updates, it was approved by the community at the Second Homomorphic Encryption Standardization Workshop, on March 15–16, 2018, at MIT, Cambridge MA, garnering more than 65 signatures from workshop attendees. The first two workshops both featured presentations of homomorphic encryption software by developers from all the leading HE libraries worldwide. The second workshop also included some research talks and panel discussions on the path forward for standardizing common APIs and Applications.


Second Homomorphic Encryption Standardization Workshop, March 15–16, 2018, MIT, Cambridge MA, USA

Following further expert input from the community and the addition of some co-authors, the final version of the first Homomorphic Encryption Standard [7] was officially approved at the Third Homomorphic Encryption Standardization Workshop at the University of Toronto, October 20, 2018. The Standard [7] was posted online on the HomomorphicEncryption.org website and on the IACR eprint archive and appears here as Part II of this volume. The third workshop was co-located with the 25th ACM Conference on Computer and Communications Security (CCS) and the affiliated Workshop on Applied Homomorphic Cryptography (WAHC) and featured a poster session for related results. Stated goals were to build upon the API discussion from the second workshop and to present a draft API standard. The third workshop also included presentations from American and Canadian government agencies, including the Canadian Security Establishment (CSE), NIST, and the National Science Foundation (NSF). The second and third workshops also included reports on the Homomorphic Encryption track of the Annual iDASH Secure Genome Analysis Competition, co-funded by the National Institutes of Health (NIH).


Third Homomorphic Encryption Standardization Workshop, October 20, 2018, Univ. of Toronto, Toronto, Canada

What started as a largely academic community of experts has grown to include many researchers and developers from industry. The Fourth Homomorphic Encryption Standardization Workshop was hosted by Intel in Santa Clara, CA, on August 17, 2019, co-located with the USENIX Security 2019 conference. In addition to sponsorship from Microsoft, Intel, Duality, and Samsung, the workshops have included participants, panelists, or organizers from IBM, Galois, SAP, Google, Intuit, Inpher, CryptoExperts, and CryptoLabs. The fourth workshop focused on introducing scheme-specific white papers and discussing protocol standardization for applications.

Homomorphic Encryption Standardization Workshop, August 17, 2019, Santa Clara CA, USA

The next two Homomorphic Encryption Standardization Workshops had already been planned: one for May 7–8, 2020, in Geneva, Switzerland, co-hosted by EPFL, Inpher and ITU and co-located with the UN AI for Good conference at the Geneva International Conference Centre; the second one was planned for December 2020 in Seoul, co-hosted by Seoul National University and Samsung and co-located with AsiaCrypt 2020. Both events had to be postponed due to the global pandemic.

In an effort to train more PhD students to work on and do research on HE, Microsoft Research hosted a Private AI Bootcamp in December 2019. More than 100 students and a few postdoctoral researchers applied, and more than 30 participants were supported to attend the workshop and work in 6 teams to develop novel privacy-preserving applications of Homomorphic Encryption. The six whitepapers written by the six teams are published here as Part IV of this volume.

Private AI Bootcamp – Microsoft Research, December 2–4, 2019

In February 2020, Microsoft Research again hosted a Strategic Planning meeting in Redmond to accelerate progress towards documenting schemes and specifying application protocols. Part I of this volume was written by the participants of the Schemes track at the February 2020 workshop. It contains an introduction to Homomorphic Encryption and descriptions of the main HE schemes in widespread use today. Part III of this volume was written by participants in the Applications track at the workshop and contains four whitepapers describing protocols for applications of HE, including data sharing, network traffic monitoring, private set intersection, and a trusted monitoring service. Parts III and IV should be of broad interest across many industries, as they contain 10 chapters presenting novel ways to protect privacy in applications using Homomorphic Encryption.


Homomorphic Encryption Strategic Planning Workshop February 6–7, 2020

The current volume is the result of these six workshops and the ongoing work of the HomomorphicEncryption.org community. The editors would like to thank all the organizers, participants, authors, and community members who have helped to make this volume possible through their contributions. We hope that the volume will serve as an accessible introduction to HE, providing guidance on how to use HE to preserve privacy in numerous ways.

References

1. Craig Gentry. A fully homomorphic encryption scheme. Thesis, Stanford University, 2009.

2. Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In 2011 IEEE 52nd Annual Symposium on Foundations of Computer Science, pages 97–106, Oct 2011.

3. Zvika Brakerski, Craig Gentry, and Vinod Vaikuntanathan. (Leveled) fully homomorphic encryption without bootstrapping. In Proc. of ITCS, pages 309–325. ACM, 2012.

4. Kristin Lauter, Michael Naehrig, and Vinod Vaikuntanathan. Can homomorphic encryption be practical? In Proceedings of the 3rd ACM Workshop on Cloud Computing Security Workshop, CCSW '11, pages 113–124, New York, NY, USA, 2011. ACM.

5. Thore Graepel, Kristin Lauter, and Michael Naehrig. ML confidential: Machine learning on encrypted data. In International Conference on Information Security and Cryptology, pages 1–21. Springer, 2012.

6. Ran Gilad-Bachrach, Nathan Dowlin, Kim Laine, Kristin Lauter, Michael Naehrig, and John Wernsing. CryptoNets: Applying neural networks to encrypted data with high throughput and accuracy. In International Conference on Machine Learning, pages 201–210, 2016.

7. Martin Albrecht, Melissa Chase, Hao Chen, Jintai Ding, Shafi Goldwasser, Sergey Gorbunov, Shai Halevi, Jeffrey Hoffstein, Kim Laine, Kristin Lauter, Satya Lokam, Daniele Micciancio, Dustin Moody, Travis Morrison, Amit Sahai, and Vinod Vaikuntanathan. Homomorphic Encryption Standard, November 21, 2018. https://eprint.iacr.org/2019/939.pdf. Published as Part II of this volume.

Abstract

With the explosion of the Internet and AI technologies, privacy protection has become a critical problem in society today. We need to inject our technologies with responsible measures for protecting privacy to better serve individuals. New legislation impedes collaboration between companies and governments even with the best intentions. Homomorphic encryption is one of the leading candidates for building privacy-preserving services. It allows processing protected data without access to the raw data. For example, a patient's health record or diagnostic images can be analyzed in encrypted form without decryption, and the result is only readable by the patient. To most people and policymakers, homomorphic encryption still sounds magical and impractical.

This book summarizes recent inventions, provides guidelines and recommendations, and demonstrates many practical applications of homomorphic encryption. This collection of papers represents the combined wisdom of the community of leading experts on Homomorphic Encryption. In the past 3 years, a global community consisting of researchers in academia, industry, and government has been working closely to standardize homomorphic encryption. This is the first publication of whitepapers created by these experts that comprehensively describes the scientific inventions, presents a concrete security analysis, and broadly discusses applicable use scenarios and markets. This book also features a collection of privacy-preserving machine learning applications powered by homomorphic encryption designed by groups of top graduate students worldwide at the Private AI Bootcamp hosted by Microsoft Research.

The book aims to connect non-expert readers with this important new cryptographic technology in an accessible and actionable way. Readers who have heard good things about homomorphic encryption but are not familiar with the details will find this book full of inspiration. Readers who have preconceived biases based on out-of-date knowledge will see the recent progress made by industrial and academic pioneers on optimizing and standardizing this technology. A clear picture of how homomorphic encryption works, how to use it to solve real-world problems, and how to efficiently strengthen privacy protection will naturally emerge.


Contents

Part I Introduction to Homomorphic Encryption

Introduction to Homomorphic Encryption and Schemes (page 3)
Jung Hee Cheon, Anamaria Costache, Radames Cruz Moreno, Wei Dai, Nicolas Gama, Mariya Georgieva, Shai Halevi, Miran Kim, Sunwoong Kim, Kim Laine, Yuriy Polyakov, and Yongsoo Song

Part II Homomorphic Encryption Security Standard

Homomorphic Encryption Standard (page 31)
Martin Albrecht, Melissa Chase, Hao Chen, Jintai Ding, Shafi Goldwasser, Sergey Gorbunov, Shai Halevi, Jeffrey Hoffstein, Kim Laine, Kristin Lauter, Satya Lokam, Daniele Micciancio, Dustin Moody, Travis Morrison, Amit Sahai, and Vinod Vaikuntanathan

Part III Applications of Homomorphic Encryption

Privacy-Preserving Data Sharing and Computation Across Multiple Data Providers with Homomorphic Encryption (page 65)
Juan Troncoso-Pastoriza, David Froelicher, Peizhao Hu, Asma Aloufi, and Jean-Pierre Hubaux

Secure and Confidential Rule Matching for Network Traffic Analysis (page 81)
Dimitar Jetchev and Alistair Muir

Trusted Monitoring Service (TMS) (page 87)
Xiaoqian Jiang, Miran Kim, Kristin Lauter, Tim Scott, and Shayan Shams

Private Set Intersection and Compute (page 97)
Flavio Bergamaschi, Tancrède Lepoint, Peter Leihn, and Sreekanth Kannepalli


Part IV Applications of Homomorphic Encryption

Private Outsourced Translation for Medical Data (page 107)
Travis Morrison, Sarah Scheffler, Bijeeta Pal, and Alexander Viand

HappyKidz: Privacy Preserving Phone Usage Tracking (page 117)
Benjamin M. Case, Marcella Hastings, Siam Hussain, and Monika Trimoska

i-SEAL2: Identifying Spam EmAiL with SEAL (page 129)
I. Demertzis, D. Froelicher, N. Luo, and M. Norberg Hovd

PRIORIS: Enabling Secure Detection of Suicidal Ideation from Speech Using Homomorphic Encryption (page 133)
Deepika Natarajan, Anders Dalskov, Daniel Kales, and Shabnam Khanna

Gimme That Model!: A Trusted ML Model Trading Protocol (page 147)
Laia Amorós, Syed Mahbub Hafiz, Keewoo Lee, and M. Caner Tol

HEalth: Privately Computing on Shared Healthcare Data (page 157)
Leo de Castro, Erin Hales, and Mimee Xu

Private Movie Recommendations for Children (page 163)
Anh Pham, Mohammad Samragh, Sameer Wagh, and Emily Wenger

Privacy-Preserving Prescription Drug Management Using Fully Homomorphic Encryption (page 169)
Aria Shahverdi, Ni Trieu, Chenkai Weng, and William Youmans

Correction to: Introduction to Homomorphic Encryption and Schemes (page C1)