Homomorphic encryption Secure Multiparty Computation on the Blockchain?

Homomorphic encryption on Blockchain Principles


Page 1: Homomorphic encryption on Blockchain Principles

Homomorphic encryption

Secure Multiparty Computation on the Blockchain?

Page 2: Homomorphic encryption on Blockchain Principles

Homomorphic encryption

The “holy grail” of cryptography

It’s cryptographic magic Voodoo

Page 3: Homomorphic encryption on Blockchain Principles

Process data without “seeing” it

Image processor in the darkroom

25.04.2017 Johann Höchtl, Centre for E-Governance Danube University Krems

Page 4: Homomorphic encryption on Blockchain Principles

Homomorphism?

• H1 and H2 have a different “shape”
• They are not easily comparable
• Yet they share the same expressive power

[Figure: two graphs, H1 and H2, each drawn over the nodes p, q, r, s, t]


Page 5: Homomorphic encryption on Blockchain Principles

Homomorphic encryption

A form of encryption that allows specific types of computations to be carried out on ciphertext, yielding an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext


Page 6: Homomorphic encryption on Blockchain Principles

Homomorphic encryption

Discovered as a “by-product” of RSA-Encryption:

has the property:

Partially homomorphic as only defined for multiplication


Page 7: Homomorphic encryption on Blockchain Principles

Fully homomorphic encryption

Supports a minimal set of mathematical operations from which all other operations can be derived

Proof: Addition ⊕ and Multiplication ⊙ are sufficient to construct arbitrary “circuits” (in mod 2 arithmetic that’s XOR and AND)


Page 8: Homomorphic encryption on Blockchain Principles

Real-world Analogy


Page 9: Homomorphic encryption on Blockchain Principles

Example of an FHE Scheme: Craig Gentry’s Integer scheme

1. KeyGen: Secret key: an n²-bit odd number p

2. To Encrypt a bit b:

– pick a random “large” multiple of p, say q·p

– pick a random “small” even number 2·r

– Ciphertext c = q·p+2·r+b. The random terms introduce “noise”; otherwise the same input would always result in the same encrypted output, giving an adversary the possibility to learn from patterns

3. To Decrypt a ciphertext c:

– c (mod p) = 2·r+b (mod p) = 2·r+b; the bit b is the least significant bit of this value


Page 10: Homomorphic encryption on Blockchain Principles

Integer addition example

• 4+4 (4 = bitwise 100)

– CT(100):

• CT(1) = 1 + 2*3 + 5*3 = 22

• CT(0) = 0 + 2*3 + 5*3 = 21

• CT(0) = 0 + 2*3 + 5*3 = 21

   22 21 21
 + 22 21 21
 = 44 42 42

– D(44 42 42):

• D(44) = 44 mod 3 = 2

• D(42) = 42 mod 3 = 0

• D(42) = 42 mod 3 = 0

1000 = 8 = 4+4


Page 11: Homomorphic encryption on Blockchain Principles

Real-world Analogy

Eval

[KeyGen, Enc, Dec]


Page 12: Homomorphic encryption on Blockchain Principles

Symptoms of FHE

Problem with noise
• Accumulates with every operation
• Eventually makes result indecipherable

EVAL: Only a limited number of operations is allowed before decryption becomes impossible due to accumulated error.

Solution: Decrypt intermediary results using an intermediary key
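The integer scheme and its noise problem, as an added Python sketch (not code from the original slides). It follows the KeyGen/Encrypt/Decrypt steps listed on the scheme slide; the function names and the toy sizes (64-bit p, 8-bit r, 128-bit q) are assumptions chosen for illustration and are far too small to be secure.

```python
import secrets

P_BITS, R_BITS, Q_BITS = 64, 8, 128   # toy sizes (assumed), not secure

def keygen():
    """Secret key: a random odd P_BITS-bit number p."""
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1

def encrypt(p, b):
    """c = q*p + 2*r + b with a fresh random q ("large") and r ("small")."""
    q = secrets.randbits(Q_BITS) | (1 << (Q_BITS - 1))
    r = secrets.randbits(R_BITS) | (1 << (R_BITS - 1))   # exactly R_BITS bits
    return q * p + 2 * r + b

def decrypt(p, c):
    """(c mod p) strips q*p and leaves the noise 2*r + b; its parity is b."""
    return (c % p) % 2

def xor(c1, c2):
    """Adding ciphertexts adds the noise terms, so the hidden bits are XORed."""
    return c1 + c2

def and_(c1, c2):
    """Multiplying ciphertexts multiplies the noise terms: bits are ANDed."""
    return c1 * c2

def factors_until_overflow(p):
    """AND fresh encryptions of 1 together and track the true noise.

    Returns the number of factors at which the noise first reaches p;
    from then on (c mod p) no longer equals the noise and Dec is unreliable.
    """
    c = encrypt(p, 1)
    noise, factors = c % p, 1
    while noise < p:
        fresh = encrypt(p, 1)
        c, noise, factors = and_(c, fresh), noise * (fresh % p), factors + 1
    return factors

if __name__ == "__main__":
    p = keygen()
    for b1 in (0, 1):
        for b2 in (0, 1):
            s = xor(encrypt(p, b1), encrypt(p, b2))
            m = and_(encrypt(p, b1), encrypt(p, b2))
            print(b1, b2, "XOR ->", decrypt(p, s), "AND ->", decrypt(p, m))
    print("noise reaches p after", factors_until_overflow(p), "factors")
```

With these sizes every fresh noise term lies between 2^8 and 2^9, so seven factors always stay below the 64-bit key and the eighth always overflows it.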


Page 13: Homomorphic encryption on Blockchain Principles

Re-fresh Keys

1. Operate on problem, until error accumulates preventing decryption
2. Put partly assembled solution into another “box”
3. Use the key within the box#2 to open box#1
4. Continue working on the solution
5. Re-iterate until problem is solved


Page 14: Homomorphic encryption on Blockchain Principles

Parallelizing Eval

Why?
1. FHE is computationally heavy
2. Secret Sharing increases security

How?
• Split analysis problem into sub-problems and distribute computation onto (many) nodes
• Problem: Detect whether the participating nodes behave correctly and honestly


Page 15: Homomorphic encryption on Blockchain Principles

Secure Multiparty Computations (sMPC)

Divide a secret into slices, requiring n parties to assemble the secret, e.g. SSS – Shamir Secret Sharing

In case you want to protect your login password with a set of ten shares in such a way that any three of them can reconstruct the password, you simply run the command

ssss-split -t 3 -n 10 -w passwd

http://point-at-infinity.org/ssss/
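What a 3-of-10 split does underneath, as an added Python sketch (not the ssss tool's code or share format). The prime modulus and the function names are assumptions; the last function shows why nodes can add secret-shared values without ever seeing them.

```python
import secrets

P = 2**127 - 1   # prime modulus (assumed); secrets must be smaller than P

def split(secret, t=3, n=10):
    """Hide secret as f(0) of a random degree-(t-1) polynomial; share i is (i, f(i))."""
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    def f(x):
        return sum(c * pow(x, k, P) for k, c in enumerate(coeffs)) % P
    return [(i, f(i)) for i in range(1, n + 1)]

def combine(shares):
    """Lagrange interpolation at x = 0 over the shares supplied."""
    secret = 0
    for xi, yi in shares:
        num = den = 1
        for xj, _ in shares:
            if xj != xi:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret

def add_shares(a, b):
    """Each party adds its two shares locally; the result shares the sum of both secrets."""
    return [(x, (ya + yb) % P) for (x, ya), (_, yb) in zip(a, b)]

if __name__ == "__main__":
    secret = int.from_bytes(b"passwd", "big")     # constructed sample secret
    shares = split(secret)                        # t=3, n=10 as in the command above
    print(combine(shares[:3]) == secret)          # any three shares suffice
    print(combine(shares[:2]) == secret)          # two shares yield an unrelated value
    print(combine(add_shares(shares, split(1000))[4:7]) == secret + 1000)
```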


Page 16: Homomorphic encryption on Blockchain Principles

SPDZ (speedz)

an sMPC Protocol including bytecode specification and VM

supports distributed computation

• addition (linear)

• multiplication requiring input data pre-processing and inter-node communication

using MAC-based approach to guarantee integrity


Page 17: Homomorphic encryption on Blockchain Principles

SPDZ Architecture Overview

[Figure: SPDZ architecture. Components shown: Program, Compiler (optim.), Bytecode, VM (online), Inputs, Prep, Output]

http://www.cs.bris.ac.uk/Research/CryptographySecurity/TPMPC/Slides2017/SPDZ.pdf


Page 18: Homomorphic encryption on Blockchain Principles

sMPC Challenges

Branching?

    if b != 0:
        a = c
    else:
        a = d

Impossible to decide as value of ‘b’ is only visible to data owner

Solution: Rewrite conditionals to eagerly evaluate each branch

    a = (b & c) | ((!b) & d)

Cond. Loops?

    while a < 5:
        b *= 2
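The SPDZ slide (linear addition, multiplication with pre-processing and communication, MAC-based integrity) and the branching rewrite above, combined in one added Python sketch that is not SPDZ's own code. It simulates all parties in one process with a trusted dealer standing in for the offline phase; the field, the party count and all function names are assumptions. The select uses the arithmetic form d + b·(c − d) of the slide's bitwise formula.

```python
import secrets

P = 2**61 - 1   # prime field modulus (assumed)
N = 3           # number of computing parties (assumed)

def additive(x):
    """Split x into N random summands mod P."""
    s = [secrets.randbelow(P) for _ in range(N - 1)]
    return s + [(x - sum(s)) % P]

ALPHA = additive(1 + secrets.randbelow(P - 1))   # shares of the global MAC key

def share(x):
    """Party i holds (x_i, m_i); the m_i sum to alpha * x (dealer = offline phase)."""
    return list(zip(additive(x), additive(sum(ALPHA) * x % P)))

def lin(xs, ys, k=1):
    """Shares of x + k*y, computed locally without communication."""
    return [((x + k * y) % P, (mx + k * my) % P) for (x, mx), (y, my) in zip(xs, ys)]

def add_public(xs, v):
    """Add public constant v: party 0 adjusts its value, all adjust their MAC share."""
    out = [(x, (m + v * a) % P) for (x, m), a in zip(xs, ALPHA)]
    out[0] = ((out[0][0] + v) % P, out[0][1])
    return out

def open_checked(xs):
    """Reveal the value, then verify that the MAC shares are consistent with it."""
    v = sum(x for x, _ in xs) % P
    if sum(m - a * v for (_, m), a in zip(xs, ALPHA)) % P:
        raise ValueError("MAC check failed: a share was modified")
    return v

def mul(xs, ys):
    """Beaver multiplication: one preprocessed triple, two openings."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    A, B, C = share(a), share(b), share(a * b % P)   # input-independent prep
    d = open_checked(lin(xs, A, -1))                 # x - a, masked by random a
    e = open_checked(lin(ys, B, -1))                 # y - b, masked by random b
    return add_public(lin(lin(C, B, d), A, e), d * e % P)   # c + d*b + e*a + d*e

def select(bs, cs, ds):
    """Oblivious 'c if b else d' for b in {0,1}: d + b*(c - d), both branches used."""
    return lin(ds, mul(bs, lin(cs, ds, -1)))

if __name__ == "__main__":
    print(open_checked(select(share(1), share(111), share(222))))
    print(open_checked(select(share(0), share(111), share(222))))
```

No party learns b at any point: only the masked differences x − a and y − b are opened, and a modified share makes `open_checked` raise instead of returning a wrong result.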


Page 19: Homomorphic encryption on Blockchain Principles

Blockchain coordinated sMPC

• Data sharing among participating parties?

• nodes performing computations (addition, multiplication) on encrypted, secretly shared data

• Guaranteeing correctness through public ledger consensus


Page 20: Homomorphic encryption on Blockchain Principles

Downsides of the classical Blockchain approach

• Data sharing? Blockchain is bad as a database: not designed for transaction speed

• Distributed computing? Blockchain is a bad execution environment: every node performs every computation

• by default not privacy-preserving


Page 21: Homomorphic encryption on Blockchain Principles

Enigma concept

1. A data owner O off-loads data analytics tasks to the Enigma network. He sets up / obtains an Enigma script which analytically describes the computation and
2. uploads input data to the DHT. This is done seamlessly by splitting input data into shares that are distributed to the network.
3. The Enigma interpreter distributes computational work to Enigma nodes and uses the public ledger (blockchain) to announce computations and pointers to encrypted data.
4. Node A is selected to perform the computation and
5. generates a result which he
6. stores on the public ledger.
7. The data owner can read out the encrypted intermediary results and distribute them to other nodes or assemble the final result.


Page 22: Homomorphic encryption on Blockchain Principles

Enigma concept: Complexity reduction and optimization

[Figure, panel “Parameter Analysis and result re-use”: two bytecode listings, (input [x1]; input [x2]; sub [x2], [x1]; open; open; y1; y2; mul y1, y2) and (input [x1]; input [x2]; sub [x2], [x1]; open; y1 y2; mul y1, y2)]

[Figure, panel “Program layout analysis and load distribution”: Input #1 to Input #5, Addition layer 1, Mult. layer 1, Addition layer 2, Mult. layer 2, Output layer, Output]


Page 23: Homomorphic encryption on Blockchain Principles

Enigma concept - Incentives

General Blockchain network

Enigma network

• Operations on the Enigma network are still computing-intense and require coordination.

• Nodes are encouraged to participate by receiving Bitcoins/any other cryptocurrency for performed operations.

• In order to participate as an Enigma node, currency has to be deposited. If other nodes detect malicious operations such as correctness breaches, the deposit will be withdrawn and shared among the benign nodes.


Page 24: Homomorphic encryption on Blockchain Principles

sMPC roles

I … Input Party, R … Result Party, C … Computing Party

• [Diagram: I C R, SMC] Millionaires Problem: Who of two millionaires is richer?

• [Diagram: I R, SMC, C] Outsourcing computation to the cloud

• [Diagram: I, SMC, R, C] Statistics office wants to get aggregated results from personal data coming from different ministries


Page 25: Homomorphic encryption on Blockchain Principles

MPC use cases

• Secure cloud computing

• Joining distributed data sets containing personnel data

• Identify patterns in genetic databases

• Identify colliding survey satellites


Page 26: Homomorphic encryption on Blockchain Principles

ShareMind – a working implementation

• Used in Estonia to analyze personal data from Ministry of Finance and Ministry of Education

• Generally available, free for personal/education purpose

https://sharemind.cyber.ee/privacy-preserving-policy-decisions/

Page 27: Homomorphic encryption on Blockchain Principles

Enigma

• In development at MIT since 2015

• Blockchain-supported

• Not generally available


Page 28: Homomorphic encryption on Blockchain Principles

Applications in Austria?

https://datamarket.at/

Page 29: Homomorphic encryption on Blockchain Principles

Reading

• Enigma Design Paper http://www.enigma.co/enigma_full.pdf

• SPDZ Design and Implementation
– https://bristolcrypto.blogspot.co.at/2016/10/what-is-spdz-part-1-mpc-circuit.html
– https://eprint.iacr.org/2012/642.pdf
– https://www.youtube.com/watch?v=N80DV3Brds0
– http://www.cs.bris.ac.uk/Research/CryptographySecurity/TPMPC/Slides2017/SPDZ.pdf

• Craig Gentry: FHE Integer Scheme https://cs.au.dk/~stm/local-cache/gentry-thesis.pdf

• Cohen, Gil, et al. “Efficient multiparty protocols via log-depth threshold formulae.” Advances in Cryptology – CRYPTO 2013. Springer Berlin Heidelberg, 2013. 185-202.

• A Math Primer for Gentry's Fully Homomorphic Encryption https://community.embarcadero.com/blogs/entry/a-math-primer-for-gentrys-fully-homomorphic-encryption-38577

• Kamm, Liina. ‘Privacy-Preserving Statistical Analysis Using Secure Multi-Party Computation’. Tartu, 2015. Google Scholar. Web. 25 Apr. 2017. https://cyber.ee/uploads/2013/04/kamm_liina_PhD.pdf


Page 30: Homomorphic encryption on Blockchain Principles


http://www.slideshare.net/jhoechtl/

http://at.linkedin.com/in/johannhoechtl/

Dr. Johann Höchtl

https://twitter.com/myprivate42

Page 31: Homomorphic encryption on Blockchain Principles

Real World Analogy: theme taken from the original slides of Craig Gentry

http://www.di.ens.fr/~pnguyen/LCD/LCD_Gentry.pdf
