Homomorphic encryption
Secure Multiparty Computation on the Blockchain?
Homomorphic encryption
The “holy grail” of cryptography
It’s cryptographic magic voodoo
Process data without “seeing” it
Image processor in the darkroom
25.04.2017 Johann Höchtl, Centre for E-Governance Danube University Krems
Homomorphism?
• H1 and H2 have a different “shape”
• They are not easily comparable
• Yet they share the same expressive power
[Diagram: two structures H1 and H2, each with the elements p, q, r, s, t arranged differently]
Homomorphic encryption
A form of encryption which allows specific types of computations to be carried out on ciphertext and to obtain an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext
Homomorphic encryption
Discovered as a “by-product” of RSA encryption, which
has the property:
Partially homomorphic, as the property only holds for multiplication
Fully homomorphic encryption
Supports a minimal set of mathematical operations from which all other operations can be derived
Proof: Addition ⊕ and Multiplication ⊙ are sufficient to construct arbitrary “circuits” (in mod 2 arithmetic that’s XOR and AND)
Real-world Analogy
Example of an FHE scheme: Craig Gentry’s integer scheme
1. KeyGen: the secret key is an n²-bit odd number p
2. To encrypt a bit b:
– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– ciphertext c = q·p + 2·r + b
The random term 2·r introduces “noise”; without it the same input would always produce the same ciphertext, giving an adversary the possibility to learn from patterns
3. To decrypt a ciphertext c:
– c (mod p) = 2·r + b (mod p) = 2·r + b (as long as the noise 2·r + b is smaller than p), so b = (c mod p) mod 2
Integer addition example
• 4 + 4 (4 = bitwise 100); here p = 3, q = 5 and r = 3, so q·p = 5*3 and 2·r = 2*3
– CT(100):
• CT(1) = 1 + 2*3 + 5*3 = 22
• CT(0) = 0 + 2*3 + 5*3 = 21
• CT(0) = 0 + 2*3 + 5*3 = 21
– Add the two ciphertext vectors position by position:
  22 21 21
+ 22 21 21
= 44 42 42
– D(44 42 42):
• D(44) = 44 mod 3 = 2
• D(42) = 42 mod 3 = 0
• D(42) = 42 mod 3 = 0
– The 2 in the highest position carries over: 1000 = 8 = 4 + 4
Real-world Analogy
[Diagram: Eval performed by the worker, next to the key holder’s operations KeyGen, Enc, Dec]
Symptoms of FHE
Problem with noise
• Accumulates with every operation
• Eventually makes the result indecipherable
EVAL: only a limited number of operations is allowed until decryption becomes impossible due to the accumulated error. Solution: decrypt intermediary results using an intermediary key
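A runnable toy version of the integer scheme from the two preceding slides, together with the noise growth described here. This is an added example, not code from the original slides; the parameter sizes (a 16-bit key, 4-bit r, the constructed values p = 40001 and r = 15) are chosen for illustration only and are far too small to be secure.

```python
import random

def keygen(eta_bits, rng=None):
    """Secret key: a random odd eta-bit integer p (top bit forced so it has full length)."""
    rng = rng or random.SystemRandom()
    return rng.getrandbits(eta_bits) | (1 << (eta_bits - 1)) | 1

def encrypt_with(p, bit, q, r):
    """Ciphertext = large multiple q*p of the key + small even noise 2*r + the bit."""
    return q * p + 2 * r + bit

def encrypt(p, bit, rng=None, q_bits=64, r_bits=4):
    """Fresh random q and r per call, so two encryptions of the same bit differ."""
    rng = rng or random.SystemRandom()
    return encrypt_with(p, bit, rng.getrandbits(q_bits), rng.getrandbits(r_bits))

def decrypt(p, c):
    """(c mod p) mod 2: correct exactly as long as the noise term c mod p is still below p."""
    return (c % p) % 2

def he_xor(c1, c2): return c1 + c2   # ciphertext addition: the bits XOR, the noise terms add
def he_and(c1, c2): return c1 * c2   # ciphertext multiplication: the bits AND, the noise terms multiply

def max_and_depth(p, r_bits):
    """Largest number of chained ANDs whose worst-case noise stays below p: a fresh
    ciphertext has noise at most 2*(2**r_bits - 1) + 1, and k ANDs raise it to the (k+1)-th power."""
    bound = 2 * (2 ** r_bits - 1) + 1
    depth = 0
    while bound ** (depth + 2) < p:
        depth += 1
    return depth

def and_chain(p, n_factors, r):
    """AND together n_factors encryptions of 1, each with noise 2*r + 1, then decrypt.
    Returns (decrypted_bit, noise_term); the correct answer is always 1."""
    c = encrypt_with(p, 1, 7, r)                   # constructed fixed q values; any q works
    for _ in range(n_factors - 1):
        c = he_and(c, encrypt_with(p, 1, 11, r))
    return decrypt(p, c), c % p

if __name__ == "__main__":
    rng = random.Random(2017)                      # constructed demo parameters, not secure sizes
    p = keygen(16, rng)
    a, b = encrypt(p, 1, rng), encrypt(p, 0, rng)
    print(decrypt(p, he_xor(a, b)), decrypt(p, he_and(a, b)))   # 1 0
    print(max_and_depth(p, 4))                                   # 2
    print(and_chain(40001, 3, 15), and_chain(40001, 4, 15))      # (1, 29791) (0, 3498)
```

With p = 40001 three chained ANDs still decrypt correctly (noise 31³ = 29791 < p), while the fourth pushes the noise to 31⁴ = 923521, which wraps modulo p and decrypts to the wrong bit; that is the point at which the slide’s “refresh” step becomes necessary.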
Re-fresh Keys
1. Operate on the problem until the error accumulates so far that decryption is prevented
2. Put the partly assembled solution into another “box”
3. Use the key within box #2 to open box #1
4. Continue working on the solution
5. Re-iterate until the problem is solved
Parallelizing Eval
Why?
1. FHE is computationally heavy
2. Secret sharing increases security
How
• Split the analysis problem into sub-problems and distribute the computation onto (many) nodes
• Problem: detect whether the participating nodes behave correctly and honestly
Secure Multiparty Computations (sMPC)
Divide a secret into slices, requiring n parties to assemble the secret, e.g. SSS – Shamir Secret Sharing
In case you want to protect your login password with a set of ten shares in such a way that any three of them can reconstruct the password, you simply run the command
ssss-split -t 3 -n 10 -w passwd
http://point-at-infinity.org/ssss/
SPDZ (“speedz”)
an sMPC protocol including a bytecode specification and a VM
supports distributed computation of
• addition (linear)
• multiplication, requiring pre-processing of input data and inter-node communication
uses a MAC-based approach to guarantee integrity
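The threshold sharing behind the ssss command on the previous slide and the linear (addition) step that SPDZ-style protocols get without any communication, as an added Python example that is not part of the original slides nor of the ssss or SPDZ code; the field prime and the sample secrets are constructed for the demonstration.

```python
import random

PRIME = 2 ** 127 - 1   # Mersenne prime; every share is an element of GF(PRIME)

def split_secret(secret, t, n, rng=None):
    """Shamir: hide the secret as f(0) of a random degree t-1 polynomial over GF(PRIME)
    and hand out the n points (x, f(x)) for x = 1..n. Any t of them determine f(0)."""
    if not 0 <= secret < PRIME or not 1 <= t <= n < PRIME:
        raise ValueError("secret out of range or bad threshold")
    rng = rng or random.SystemRandom()
    coeffs = [secret] + [rng.randrange(PRIME) for _ in range(t - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for a in reversed(coeffs):                 # Horner evaluation of f(x)
            y = (y * x + a) % PRIME
        shares.append((x, y))
    return shares

def reconstruct(shares):
    """Lagrange interpolation of f(0) from at least t distinct shares (fewer do not determine it)."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret

def add_shares(shares_a, shares_b):
    """The linear step the SPDZ slide lists as cheap: adding the shares of two secrets
    point-wise gives shares of their sum without any communication between the parties."""
    return [(xa, (ya + yb) % PRIME) for (xa, ya), (xb, yb) in zip(shares_a, shares_b) if xa == xb]

if __name__ == "__main__":
    password = int.from_bytes(b"correct horse", "big")     # constructed sample secret
    shares = split_secret(password, 3, 10)                 # the slide's -t 3 -n 10 setting
    print(reconstruct([shares[0], shares[4], shares[9]]) == password)                 # True
    other = split_secret(1000, 3, 10)
    print(reconstruct(add_shares(shares, other)[:3]) == (password + 1000) % PRIME)  # True
```

Multiplication of two shared secrets is the step this example deliberately leaves out: the product of two degree-2 polynomials has degree 4, which is why SPDZ needs pre-processed material and a communication round for it.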
SPDZ Architecture Overview
[Architecture diagram: Program → Compiler (with optimisation) → Bytecode → VM (online); the Inputs and the Prep(rocessing) data feed the VM, which produces the Output]
http://www.cs.bris.ac.uk/Research/CryptographySecurity/TPMPC/Slides2017/SPDZ.pdf
sMPC Challenges
Branching?
a = if b != 0:
        c
    else
        d
Impossible to decide, as the value of ‘b’ is only visible to the data owner
Solution: rewrite conditionals to eagerly evaluate each branch: a = (b & c) | ((!b) & d)
Cond. Loops?
while a < 5:
    b *= 2
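The branch rewrite and the loop question from this slide worked in plain Python, as an added example not taken from the original slides. `int(a < 5)` stands in for a secure comparison protocol on shared values, and the bounded loop is the usual way an MPC compiler handles a data-dependent loop: a public upper bound on the number of iterations.

```python
def select_bitwise(b, c, d):
    """The slide's a = (b & c) | ((!b) & d), with the selector bit b first stretched
    to an all-ones mask (-1) or all-zeros (0); without that step, b & c would only keep
    the lowest bit of c. Works for non-negative c and d."""
    mask = -b                       # b = 1 -> ...111 (all ones), b = 0 -> 0
    return (mask & c) | (~mask & d)

def select_arith(b, c, d):
    """Same selection using only + and *, the two operations an sMPC engine such as SPDZ
    provides on shared values: b*c + (1-b)*d."""
    return b * c + (1 - b) * d

def branch(b, c, d):
    """Reference: the data-dependent if/else from the slide, for comparison only."""
    return c if b != 0 else d

def bounded_while(a, b, n_max):
    """The slide's `while a < 5: b *= 2`, made data-oblivious: the loop runs a public,
    fixed number of rounds n_max and every round applies the body through a selection,
    so the work performed never reveals whether the condition held. Because the slide's
    body never changes a, b is doubled either n_max times or not at all."""
    for _ in range(n_max):
        cond = int(a < 5)           # stands in for a secure comparison protocol on shares
        b = select_arith(cond, b * 2, b)
    return b

if __name__ == "__main__":
    for b in (0, 1):
        for c, d in ((6, 9), (0, 255), (42, 42)):
            assert select_bitwise(b, c, d) == select_arith(b, c, d) == branch(b, c, d)
    print(bounded_while(3, 1, 4), bounded_while(7, 1, 4))   # 16 1
```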
Blockchain coordinated sMPC
• Data sharing among participating parties?
• Nodes perform computations (addition, multiplication) on encrypted, secret-shared data
• Guaranteeing correctness through public ledger consensus
Downsides of the classical Blockchain approach
• Data sharing? A blockchain is a bad database: it is not designed for transaction speed
• Distributed computing? A blockchain is a bad execution environment: every node performs every computation
• By default not privacy-preserving
Enigma concept
1. A data owner O off-loads data analytics tasks to the Enigma network. He sets up / obtains an Enigma script which analytically describes the computation and
2. uploads the input data to the DHT. This is done seamlessly by splitting the input data into shares that are distributed to the network.
3. The Enigma interpreter distributes the computational work to Enigma nodes and uses the public ledger (blockchain) to announce computations and pointers to encrypted data.
4. Node A is selected to perform the computation and
5. generates a result which it
6. stores on the public ledger.
7. The data owner can read out the encrypted intermediary results and distribute them to other nodes or assemble the final result.
Enigma concept: Complexity reduction and optimization
[Diagram 1: the same bytecode fragment before and after optimization: input [x1]; input [x2]; sub [x2], [x1]; open y1, y2; mul y1, y2. Caption: Parameter analysis and result re-use]
[Diagram 2: a circuit with Input #1 to Input #5 passing through Addition layer 1, Mult. layer 1, Addition layer 2 and Mult. layer 2 to the Output layer. Caption: Program layout analysis and load distribution]
Enigma concept - Incentives
[Diagram: General Blockchain network vs. Enigma network]
• Operations on the Enigma network are still computing-intensive and require coordination.
• Nodes are encouraged to participate by receiving Bitcoins or any other cryptocurrency for performed operations.
• In order to participate as an Enigma node, currency has to be deposited; if other nodes detect malicious operations such as correctness breaches, the deposit is withdrawn and shared among the benign nodes.
sMPC roles
I … Input Party, R … Result Party, C … Computing Party
[Diagram: three role assignments]
• I, C and R held by the same parties: SMC Millionaires’ Problem: which of two millionaires is richer?
• I and R held by one party, C by another: outsourcing computation to the cloud
• I, R and C held by different parties: a statistics office wants to get aggregated results from personal data coming from different ministries
MPC use cases
• Secure cloud computing
• Joining distributed data sets containing personal data
• Identify patterns in genetic databases
• Identify colliding survey satellites
ShareMind – a working implementation
• Used in Estonia to analyze personal data from Ministry of Finance and Ministry of Education
• Generally available, free for personal/education purpose
https://sharemind.cyber.ee/privacy-preserving-policy-decisions/
Enigma
• In development at MIT since 2015
• Blockchain-supported
• Not generally available
Applications in Austria?
https://datamarket.at/
Reading
• Enigma Design Paper: http://www.enigma.co/enigma_full.pdf
• SPDZ Design and Implementation:
– https://bristolcrypto.blogspot.co.at/2016/10/what-is-spdz-part-1-mpc-circuit.html
– https://eprint.iacr.org/2012/642.pdf
– https://www.youtube.com/watch?v=N80DV3Brds0
– http://www.cs.bris.ac.uk/Research/CryptographySecurity/TPMPC/Slides2017/SPDZ.pdf
• Craig Gentry: FHE Integer Scheme: https://cs.au.dk/~stm/local-cache/gentry-thesis.pdf
• Cohen, Gil, et al. “Efficient multiparty protocols via log-depth threshold formulae.” Advances in Cryptology – CRYPTO 2013. Springer Berlin Heidelberg, 2013. 185–202.
• A Math Primer for Gentry's Fully Homomorphic Encryption: https://community.embarcadero.com/blogs/entry/a-math-primer-for-gentrys-fully-homomorphic-encryption-38577
• Kamm, Liina. “Privacy-Preserving Statistical Analysis Using Secure Multi-Party Computation”. Tartu, 2015. Accessed 25 Apr. 2017. https://cyber.ee/uploads/2013/04/kamm_liina_PhD.pdf
25.04.2017
Johann Höchtl, Centre for E-Governance Danube University Krems
http://www.slideshare.net/jhoechtl/
http://at.linkedin.com/in/johannhoechtl/
Dr. Johann Höchtl [email protected]
https://twitter.com/myprivate42
Real World Analogy Theme taken from the original slides of Craig Gentry
http://www.di.ens.fr/~pnguyen/LCD/LCD_Gentry.pdf