Chloé Hébant
Decentralized Computing over Encrypted Data
Decentralization
Fully Homomorphic Encryption Gentry 2009
$x_1, \dots, x_n$
$E_{hom}(x_1), \dots, E_{hom}(x_n)$
$f$
$E_{hom}(f(x_1, \dots, x_n))$
$f(x_1, \dots, x_n)$
Fully Homomorphic Encryption
$x_1, \dots, x_n$
$E_{hom}^{pk}(x_1), \dots, E_{hom}^{pk}(x_n)$
$E_{hom}^{pk}(f(x_1, \dots, x_n))$
$f(x_1, \dots, x_n)$
Re-encryption
Distributed Controller
$E_{hom}^{pk_U}(f(x_1, \dots, x_n))$
Distribution + No authority
Decentralization
⇒ Efficient decentralized key generation
This talk: Decentralized Re-encryption for a Quadratic Scheme
Outline
1. Example of application
2. Encryption scheme for quadratic multivariate polynomials
3. Decentralized scheme
Group Testing
Motivation: Group Testing
[Figure: rows of bits (1 1 0 0 1 0; 1 0 1 0 1 1; …) combined by OR, next to the bit string 1011; a later frame adds the row 1 0 1 1 0 0.]
$y_1, y_2, \dots, y_m$
$\begin{pmatrix} x_{11} & x_{12} & \dots & x_{1n} \\ \vdots & & & \vdots \\ x_{m1} & x_{m2} & \dots & x_{mn} \end{pmatrix}$
OR
$\neg F_j = \bigvee_i (x_{ij} \wedge \neg y_i)$
$\neg F_j = \sum_i (x_{ij} \cdot (1 - y_i))$
2-DNF on Encrypted Data
$x_1, \dots, x_n \in \{0,1\}$
2-DNF:
$\bigvee_{i=1}^{m} (\ell_{i,1} \wedge \ell_{i,2})$, with $\ell_{i,1}, \ell_{i,2} \in \{x_1, \dots, x_n\} \cup \{\bar{x}_1, \dots, \bar{x}_n\}$
Multivariate polynomial degree 2:
$\sum_{i=1}^{m} (y_{i,1} \cdot y_{i,2})$, with $y_{i,j} = \ell_{i,j}$ if $\ell_{i,j} \in \{x_1, \dots, x_n\}$ and $y_{i,j} = 1 - \ell_{i,j}$ if $\ell_{i,j} \in \{\bar{x}_1, \dots, \bar{x}_n\}$
Encryption Scheme
• BGN 2005
• Freeman 2010
• Our Scheme
• Multi-user setting
• Efficient distributed decryption
• Efficient distributed re-encryption
• Decentralized key generation
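The Encryption Scheme
Notations
$\mathbb{G}_s = \langle g_s \rangle$, $a \in \mathbb{Z}_p$, $[a]_s = g_s^{a}$
$e : \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
$\mathbf{x} = (x_1, \dots, x_n) \in \mathbb{Z}_p^n$, $[\mathbf{x}]_s = (g_s^{x_1}, \dots, g_s^{x_n})$
$\begin{pmatrix} a_{11} & a_{12} \\ a_{21} & a_{22} \end{pmatrix} \otimes \mathbf{B} = \begin{pmatrix} a_{11} \cdot \mathbf{B} & a_{12} \cdot \mathbf{B} \\ a_{21} \cdot \mathbf{B} & a_{22} \cdot \mathbf{B} \end{pmatrix}$
$[a]_1 \bullet [b]_2 = [a \otimes b]_T$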
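The Encryption Scheme
• Keygen:
  $\mathbf{B}_s \in \mathrm{GL}_2(\mathbb{Z}_p)$, projection $\mathbf{U}_2 = \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}$
  $\mathrm{sk}_s = \mathbf{P}_s = \mathbf{B}_s^{-1} \mathbf{U}_2 \mathbf{B}_s$, $\mathrm{sk}_T = (\mathrm{sk}_1, \mathrm{sk}_2)$
  $\mathbf{p}_s \in \ker(\mathbf{P}_s) = \{\mathbf{x} : \mathbf{x} \cdot \mathbf{P}_s = (0\ \ 0)\}$
  $\mathrm{pk}_s = [\mathbf{p}_s]_s \Rightarrow [\mathbf{p}_s]_s \cdot \mathbf{P}_s = [\mathbf{0}]_s$, $\mathrm{pk}_T = (\mathrm{pk}_1, \mathrm{pk}_2)$
• Encrypt:
  • $C_s = ([\mathbf{c}_{s,1}]_s, [\mathbf{c}_{s,2}]_s) = (m \cdot [\mathbf{a}_s]_s + r \cdot [\mathbf{p}_s]_s,\ [\mathbf{a}_s]_s)$, $r \in_{\$} \mathbb{Z}_p$, where $r \cdot [\mathbf{p}_s]_s \in \ker(\mathbf{P}_s)$
  • $C_T = ([\mathbf{c}_{T,1}]_T, [\mathbf{c}_{T,2}]_T) = (m \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 + [\mathbf{p}_1]_1 \bullet [\mathbf{r}_2]_2 + [\mathbf{r}_1]_1 \bullet [\mathbf{p}_2]_2,\ [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2)$, $[\mathbf{r}_1]_1 \in_{\$} \mathbb{G}_1^2$, $[\mathbf{r}_2]_2 \in_{\$} \mathbb{G}_2^2$, where $[\mathbf{p}_1]_1 \bullet [\mathbf{r}_2]_2 + [\mathbf{r}_1]_1 \bullet [\mathbf{p}_2]_2 \in \ker(\mathbf{P}_1 \otimes \mathbf{P}_2)$
• Decrypt:
  • $C_s \cdot \mathbf{P}_s = (m \cdot [\mathbf{a}_s]_s \cdot \mathbf{P}_s + [\mathbf{0}]_s,\ [\mathbf{a}_s]_s \cdot \mathbf{P}_s)$
  • $C_T \cdot (\mathbf{P}_1 \otimes \mathbf{P}_2) = (m \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 \cdot (\mathbf{P}_1 \otimes \mathbf{P}_2) + [\mathbf{0}]_T,\ [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 \cdot (\mathbf{P}_1 \otimes \mathbf{P}_2))$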
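The Homomorphic Properties
• Add: Many times
  • $[\mathbf{c}_s]_s + [\mathbf{c}'_s]_s = (m + m') \cdot [\mathbf{a}_s]_s + (r + r') \cdot [\mathbf{p}_s]_s$
  • $[\mathbf{c}_T]_T + [\mathbf{c}'_T]_T = (m + m') \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 + [\mathbf{p}_1]_1 \bullet [\mathbf{r}_2 + \mathbf{r}'_2]_2 + [\mathbf{r}_1 + \mathbf{r}'_1]_1 \bullet [\mathbf{p}_2]_2$
• Multiply: Once
  • $[\mathbf{c}_1]_1 \bullet [\mathbf{c}_2]_2 = m_1 \cdot m_2 \cdot [\mathbf{a}_1]_1 \bullet [\mathbf{a}_2]_2 + [\mathbf{p}_1]_1 \bullet [\mathbf{r}']_2 + [\mathbf{r}]_1 \bullet [\mathbf{p}_2]_2$
    with $\mathbf{r} = m_1 r_2 \mathbf{a}_1$ and $\mathbf{r}' = m_2 r_1 \mathbf{a}_2 + r_1 r_2 \mathbf{p}_2$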
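Re-Encryption
[Figure labels: $\mathrm{sk}_a$, $\mathrm{pk}_a$, $\mathrm{rk}_{a \to b}$, $\mathrm{sk}_b$, $\mathrm{pk}_b$]
$\mathbf{P} = \mathbf{B}^{-1} \mathbf{U}_2 \mathbf{B}$, $\mathbf{P}' = \mathbf{B}'^{-1} \mathbf{U}_2 \mathbf{B}'$
$\mathbf{R} = \mathbf{B}^{-1} \mathbf{B}'$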
Problem
• Distributed decryption and re-encryption?
  • Yes, with distributed keys
• Decentralized key generation?
  • No …
$\mathbf{P}_s = \mathbf{B}_s^{-1} \mathbf{U}_2 \mathbf{B}_s$, $\mathbf{U}_2 = \begin{pmatrix} 0 & 0 \\ 0 & 1 \end{pmatrix}$
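Simplification
$\mathbf{P}_s = \begin{pmatrix} 1 & 0 \\ x & 0 \end{pmatrix}$, $[\mathbf{p}_s]_s = [(-x\ \ 1)]_s$, $[\mathbf{a}_s]_s = [(1\ \ 0)]_s$
● Size of the keys: $\mathrm{sk}_s = x$, $\mathrm{pk}_s = [-x]_s$
● Size of the ciphertexts: $C_s \in \mathbb{G}_s^2 \times \mathbb{G}_s^2 \Rightarrow C_s \in \mathbb{G}_s^2$, $C_T \in \mathbb{G}_T^4 \times \mathbb{G}_T^4 \Rightarrow C_T \in \mathbb{G}_T^4$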
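The Optimized Encryption Scheme
• Keygen: $\mathrm{sk}_s = x$, $\mathrm{sk}_T = (\mathrm{sk}_1, \mathrm{sk}_2)$, $\mathrm{pk}_s = [-x]_s$, $\mathrm{pk}_T = (\mathrm{pk}_1, \mathrm{pk}_2)$
• Encrypt:
  • $C_s = (g_s^{m} \cdot \mathrm{pk}_s^{r},\ g_s^{r})$, $r \in_{\$} \mathbb{Z}_p$
  • $C_T = (c_{T,1}, c_{T,2}, c_{T,3}, c_{T,4})$ with $(r_{11}, r_{12}, r_{21}, r_{22}) \in_{\$} \mathbb{Z}_p^4$ and
    $c_{T,1} = e(g_1, g_2)^{m} \cdot e(g_1, \mathrm{pk}_2)^{r_{11}} \cdot e(\mathrm{pk}_1, g_2)^{r_{21}}$
    $c_{T,2} = e(g_1, g_2)^{r_{11}} \cdot e(\mathrm{pk}_1, g_2)^{r_{22}}$
    $c_{T,3} = e(g_1, \mathrm{pk}_2)^{r_{12}} \cdot e(g_1, g_2)^{r_{21}}$
    $c_{T,4} = e(g_1, g_2)^{r_{12} + r_{22}}$
• Decrypt:
  • $c_{s,1} \cdot c_{s,2}^{\mathrm{sk}_s}$
  • $c_{T,1} \cdot c_{T,2}^{\mathrm{sk}_2} \cdot c_{T,3}^{\mathrm{sk}_1} \cdot c_{T,4}^{\mathrm{sk}_1 \cdot \mathrm{sk}_2}$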
Decentralization
Decentralization: 1) Decentralized Key Generation
Shamir Secret Sharing 1979
• $k$ points $(x_1, y_1), \dots, (x_k, y_k)$ with distinct abscissa
• Theorem (Lagrange interpolation): $\exists!\, P(X)$ s.t. $\deg P = k - 1$ and $P(x_i) = y_i$
• Shamir Secret Sharing:
  • $sk = x = P(0)$, $pk = g^{x}$
  • $\mathrm{sk}_i = P(i)$ for $i = 1 \dots n$
  • For any subset $S$ of $k$ indices:
    $x = \sum_{j \in S} \lambda_{S,j}\, sk_j$
    $y = \prod_{j \in S} v_j^{\lambda_{S,j}}$ for $v_j = g^{sk_j}$
Decentralization: 2) Distributed Re-Encryption
Distributed Re-encryption
• $c_s = (c_{s,1}, c_{s,2})$ under $pk_s$ → $C_s = (C_{s,1}, C_{s,2})$ under $PK_s$
• Shamir Secret Sharing: $sk_s = \sum_i \lambda_i \cdot sk_{s,i}$
• Player $i$ computes:
  $r'_i \in_R \mathbb{Z}_p$, $\alpha_i = c_{s,2}^{sk_{s,i}} \cdot PK_s^{r'_i}$, $\beta_i = g_s^{r'_i}$
• Anybody can compute:
  $C_s = (c_{s,1} \times \prod_i \alpha_i^{\lambda_i},\ \prod_i \beta_i^{\lambda_i}) = (g_s^{m} \cdot PK_s^{r'},\ g_s^{r'})$, with $r' = \sum_i \lambda_i \cdot r'_i$
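The Shamir sharing and the distributed re-encryption steps above, run on the $\mathbb{G}_s$ ciphertexts of the optimized scheme, as an added example that is not code from the talk or the paper. Assumptions: a toy prime-order subgroup of $\mathbb{Z}_P^*$ stands in for the pairing group $\mathbb{G}_s$, a single dealer produces the shares only to keep the example short, and all function names are hypothetical.

```python
import secrets
# Toy group constructed for this example (insecure size): P = 2Q + 1, G has prime order Q.
P, Q, G = 2039, 1019, 4

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, -x, P)                 # sk = x, pk = g^(-x)

def encrypt(pk, m):
    r = secrets.randbelow(Q)
    return pow(G, m, P) * pow(pk, r, P) % P, pow(G, r, P)

def decrypt(sk, c, bound=64):
    gm = c[0] * pow(c[1], sk, P) % P        # c1 * c2^sk = g^m
    return next(m for m in range(bound) if pow(G, m, P) == gm)  # small dlog

def share(secret, k, n):
    # Dealer-based Shamir (assumption, for brevity): P(0) = secret, share i is P(i).
    coeffs = [secret] + [secrets.randbelow(Q) for _ in range(k - 1)]
    return {i: sum(a * pow(i, e, Q) for e, a in enumerate(coeffs)) % Q
            for i in range(1, n + 1)}

def lagrange_at_zero(S):
    # lambda_{S,j} such that sum_j lambda_{S,j} * P(j) = P(0) mod Q.
    lam = {}
    for j in S:
        num = den = 1
        for i in S:
            if i != j:
                num, den = num * -i % Q, den * (j - i) % Q
        lam[j] = num * pow(den, -1, Q) % Q
    return lam

def player_contribution(sk_i, c, PK):
    r_i = secrets.randbelow(Q)              # r'_i
    return pow(c[1], sk_i, P) * pow(PK, r_i, P) % P, pow(G, r_i, P)  # (alpha_i, beta_i)

def combine(c, contribs):
    lam = lagrange_at_zero(list(contribs))
    C1, C2 = c[0], 1
    for j, (alpha, beta) in contribs.items():
        C1, C2 = C1 * pow(alpha, lam[j], P) % P, C2 * pow(beta, lam[j], P) % P
    return C1, C2

def demo(m=13, k=3, n=5, subset=(1, 3, 5)):
    (sk, pk), (SK, PK) = keygen(), keygen()
    shares, c = share(sk, k, n), encrypt(pk, m)
    contribs = {j: player_contribution(shares[j], c, PK) for j in subset}
    return decrypt(SK, combine(c, contribs))
```

Each player touches only its own share, and `combine` takes no secret input, which is the "anybody can compute" step of the slide.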
Solution: Group Testing
$C_j = \mathrm{RandT}(\mathrm{Add}_i(\mathrm{Multiply}(C_{x_{ij}}, C_{y_i})))$
Conclusion
• Efficient scheme to evaluate quadratic multivariate polynomials
• Distributed decryption
• Distributed re-encryption
• Decentralized key generation
• Open problem:
Decentralized FHE
Thank you
ia.cr/2018/1019
Joint work with David Pointcheval and Duong-Hieu Phan