Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and A Fast Implementation in WebAssembly

Published on

ASIACCS2018
http://asiaccs2018.org/?page_id=632

  1. Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and A Fast Implementation in WebAssembly
     Nuttapong Attrapadung*1, Goichiro Hanaoka*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Kana Shimizu*3, Tadanori Teruya*1
     *1 AIST, *2 Cybozu labs, *3 Waseda Univ.
     Partially supported by JST CREST JPMJCR1688
     2018/06/08 AsiaCCS 2018
  2. Our result
     • Efficient two-level homomorphic encryption
       • Many times add. and one-time mult. on encrypted data
       • Based on Type 3 (asymmetric) pairing
       • Combine the lifted-ElGamal encryption scheme
       • Faster than Freeman’s scheme (EUROCRYPT 2010)
     • High-performance implementation
       • C++/asm/WebAssembly
       • https://github.com/herumi/mcl
       • https://github.com/herumi/she-wasm
       • Open source: BSD 3-clause
  3. Benchmarks
     • Calculation times in msec
     • BN254 ($\mathbb{G}_1$: 256 bits, around 100-bit security)
     • Uses lookup tables for decryption (20-bit plaintext)

     | Operation | Native (x64): x64 Linux on Core i7-7700 | JavaScript with wasm: Firefox on Core i7-7700 | JavaScript with wasm: Safari on iPhone 7 |
     |---|---|---|---|
     | Enc $\mathbb{G}_1$ | 0.018 | 0.3 | 0.96 |
     | Enc $\mathbb{G}_2$ | 0.048 | 0.82 | 1.72 |
     | Add $\mathbb{G}_1$ | 0.00062 | 0.016 | 0.016 |
     | Add $\mathbb{G}_2$ | 0.002 | 0.036 | 0.048 |
     | Mult | 1.17 | 15.6 | 24.3 |
     | Dec2 | 0.66 | 7.8 | 12.6 |

  4. Comparison of Size
     • Fre10: Freeman’s scheme (EUROCRYPT 2010)
     • Compare bit size on a 462-bit Barreto-Naehrig (BN) curve
  5. Comparison of Time
     • CT: Ciphertext
     • Fre10: Freeman’s scheme in EUROCRYPT 2010
     • Compare calculation time on a 462-bit BN curve
  6. Outline
     • Background
     • Our proposed two-level homomorphic encryption
     • Security
     • Implementation
     • Conclusion
  7. Background
  8. Computing on encrypted data
     • Data analysis that takes care of sensitive data
     • Homomorphic Encryption (HE)
       • Allows computation on encrypted data
       • Many applications related to privacy-preserving schemes
     • Types of HE
       • Additively HE (ex. Okamoto-Uchiyama, Paillier, Lifted-ElGamal)
         • $\mathrm{Enc}(m) + \mathrm{Enc}(m') = \mathrm{Enc}(m + m')$
       • Multiplicatively HE (ex. RSA, ElGamal)
         • $\mathrm{Enc}(m) \times \mathrm{Enc}(m') = \mathrm{Enc}(mm')$
       • Fully HE (ex. Gentry, BGV, BV, GSW, …)
         • Can do homomorphic add. and mult.
  9. Pros and Cons
     • Add. HE, Mult. HE
       • Applications are restricted
     • Fully HE (FHE)
       • Any computations possible, but inefficient
       • Security relies on less standard assumptions
     • Leveled HE
       • The number of homomorphic mult. is restricted.
       • An intermediate notion between Add. HE and FHE.

     | | Add. HE | Leveled HE | FHE |
     |---|---|---|---|
     | Efficiency | very good | medium | bad |
     | Functionality | medium | good | very good |

  10. Two-level HE
      • HE that allows one homomorphic multiplication
      • Allows degree-2 polynomial homomorphic evaluations
      • Allows inner product of two vectors
        • $x = (x_1, x_2, \ldots)$, $y = (y_1, y_2, \ldots)$
        • $\sum_i \mathrm{Enc}_1(x_i) \times \mathrm{Enc}_1(y_i) = \mathrm{Enc}_2\left(\sum_i x_i \times y_i\right)$
      [Figure: 1 + 2 = 3, 3 × 4 = 12, 12 + 13 = 25, with level-1 and level-2 values marked]
  11. Previous two-level HE
      • Boneh, Goh, Nissim (TCC 2005)
        • Based on composite-order pairings, hence much less efficient
      • Freeman (EUROCRYPT 2010)
        • Composite-to-prime-order transformation framework, applied to BGN
      • Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
        • Improving Freeman’s frameworks
        • Only Type 1 pairings, inefficient
      • Catalano, Fiore (ACM CCS 2015)
        • Transformation from d-level HE to (2d)-level
        • Instantiations are not necessarily efficient
      • Memo
        • Decryption in all these schemes requires discrete log (DL)
        • Hence plaintext space should be sufficiently small (up to 30-bit)
  12. Our proposed two-level HE
  13. Our proposal
      • Combine lifted-ElGamal encryption scheme with Type 3 pairings
        • Level-1 (L1) ciphertext (CT) is same as lifted-ElGamal
        • Format of level-2 (L2) CT is same as Freeman’s scheme
      • Note: Type 3 pairings
        • Cyclic groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ of prime order $p$ with bilinear map $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
        • $e(aP, bQ) = e(P, Q)^{ab}$ for $a, b \in \mathbb{Z}_p$, $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$
        • $\mathbb{G}_1 \neq \mathbb{G}_2$ and no efficient map from $\mathbb{G}_1$ to $\mathbb{G}_2$
  14. Setup and Key generation
      • Setup
        • Elliptic curve group $\mathbb{G}_i = \langle P_i \rangle$ with prime order $p$ for $i = 1, 2$
        • $\mathbb{G}_T = \langle g_T \rangle$, where $g_T = e(P_1, P_2)$
      • Key generation
        • Secret key $s_1, s_2 \in \mathbb{Z}_p$ is generated at random
        • Public key $s_1 P_1, s_2 P_2$ (and optional precomputation $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$)
      • Note: Colors
        • Green: Public part
        • Blue: Secret and hidden part
  15. Level-1 CT and Enc./Dec.
      • Encrypt
        • Plaintext $m$ with randomness $r$
        • $\mathrm{Enc}_{\mathbb{G}_i}(m) = (mP_i + r s_i P_i,\ rP_i)$ for $i = 1, 2$
        • Duplicated form: $\mathrm{Enc}_1(m) := (\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m))$
      • Decrypt
        • For $i = 1, 2$, decrypt $\mathrm{Enc}_{\mathbb{G}_i}(m) = (S, T)$ by $S - s_i T = mP_i + r s_i P_i - s_i r P_i = mP_i$ and then, to obtain $m$, solve DL
      • Almost same as lifted-ElGamal
  16. Homomorphic addition on L1 CT
      • For $i = 1, 2$,
        $\mathrm{Enc}_{\mathbb{G}_i}(m_1) + \mathrm{Enc}_{\mathbb{G}_i}(m_2)$
        $= (m_1 P_i + r_1 s_i P_i,\ r_1 P_i) + (m_2 P_i + r_2 s_i P_i,\ r_2 P_i)$
        $= ((m_1 + m_2) P_i + (r_1 + r_2) s_i P_i,\ (r_1 + r_2) P_i)$
        $= \mathrm{Enc}_{\mathbb{G}_i}(m_1 + m_2)$
      • Also, almost same as lifted-ElGamal
      • Scalar multiplication of ciphertext is easy: $n\,\mathrm{Enc}_{\mathbb{G}_i}(m) = (nmP_i + (nr) s_i P_i,\ (nr) P_i)$
      [Figure: 1 + 2 = 3, all level-1]
  17. Homomorphic multiplication
      • $C_1 \times C_2 := (e(S_1, S_2),\ e(S_1, T_2),\ e(T_1, S_2),\ e(T_1, T_2)) = (z_1^{m_1 m_2} z_4^{\tau'},\ z_2^{\sigma'},\ z_3^{\rho'},\ z_1^{\sigma' + \rho' - \tau'}) \in \mathbb{G}_T^4$
        • $C_1 = (S_1, T_1) = (m_1 P_1 + r_1 s_1 P_1,\ r_1 P_1) = \mathrm{Enc}_{\mathbb{G}_1}(m_1) \in \mathbb{G}_1^2$
        • $C_2 = (S_2, T_2) = (m_2 P_2 + r_2 s_2 P_2,\ r_2 P_2) = \mathrm{Enc}_{\mathbb{G}_2}(m_2) \in \mathbb{G}_2^2$
        • $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
      • Tensor product of $C_1, C_2$
      • Its result is level-2 ciphertext
      [Figure: 3 × 4 = 12, with level-1 and level-2 values marked]
  18. Homomorphic addition on L2 CT
      • $\mathrm{Enc}_2(m_1) + \mathrm{Enc}_2(m_2)$
        $= (z_1^{m_1} z_4^{\tau_1},\ z_2^{\sigma_1},\ z_3^{\rho_1},\ z_1^{\sigma_1 + \rho_1 - \tau_1}) + (z_1^{m_2} z_4^{\tau_2},\ z_2^{\sigma_2},\ z_3^{\rho_2},\ z_1^{\sigma_2 + \rho_2 - \tau_2})$
        $= (z_1^{m_1 + m_2} z_4^{\tau_1 + \tau_2},\ z_2^{\sigma_1 + \sigma_2},\ z_3^{\rho_1 + \rho_2},\ z_1^{(\sigma_1 + \sigma_2) + (\rho_1 + \rho_2) - (\tau_1 + \tau_2)})$
      [Figure: 12 + 13 = 25, all level-2]
  19. Decryption for level-2 CT
      • Decrypting a level-2 ciphertext $(c_1, c_2, c_3, c_4)$:
        $\mathrm{Dec}_2(c_1, c_2, c_3, c_4) := \dfrac{c_1 c_4^{s_1 s_2}}{c_2^{s_2} c_3^{s_1}} = \dfrac{e(S_1, S_2)\, e(s_1 T_1, s_2 T_2)}{e(S_1, s_2 T_2)\, e(s_1 T_1, S_2)} = e(S_1 - s_1 T_1,\ S_2 - s_2 T_2) = e(mP_1, m'P_2) = e(P_1, P_2)^{mm'}$
        then solve DLP to obtain $mm'$
      • Note: $(c_1, c_2, c_3, c_4) = (z_1^{mm'} z_4^{\tau},\ z_2^{\sigma},\ z_3^{\rho},\ z_1^{\sigma + \rho - \tau}) \in \mathbb{G}_T^4$, where $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
  20. Proving the knowledge of plaintexts
      • ZK protocols can be applied to ours
        • While dedicated construction is needed for the schemes of Freeman and others
        • Because the construction is lifted-ElGamal based
      • Example 1: Duplicated form of L1 CT
        • Dup. L1 CT is $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m'))$
        • Attach a proof of “$m = m'$”
      • Example 2: Proving a CT encrypts a bit
        • Attach a proof of “encrypted plaintext is 0 or 1”
      • Applications: Voting, two-party computation
  21. Security
  22. Confidentiality
      • Our scheme is IND-CPA secure under the SXDH assumption
        • Standard security level
        • See the proceedings for the proof
      • Note: SXDH (Symmetric eXternal Diffie-Hellman) assumption
        • For $P_1 \in \mathbb{G}_1$, $P_2 \in \mathbb{G}_2$ and random $\alpha, \beta, \gamma$:
          $(P_1, \alpha P_1, \beta P_1, \alpha\beta P_1) \approx (P_1, \alpha P_1, \beta P_1, \gamma P_1)$ and
          $(P_2, \alpha P_2, \beta P_2, \alpha\beta P_2) \approx (P_2, \alpha P_2, \beta P_2, \gamma P_2)$
  23. Circuit privacy
      • Circuit private if $\mathrm{ReRand}_i(c) \approx \mathrm{Enc}_i(\mathrm{Dec}_i(c))$
        • Rerandomization: $\mathrm{ReRand}_i(c) := c + \mathrm{Enc}_i(0)$
        • $\mathrm{ReRand}_i(c)$ removes a trace of circuit from $c$
        • See the proceedings for the proof
      • Note: Sometimes, arithmetic circuit depends on secret
        • E.g., for $i = 1, 2$, $n \times \mathrm{Enc}_i(m) = \sum_{j=1}^{n} \mathrm{Enc}_i(m) = \mathrm{Enc}_i(nm)$
        • Should be $\mathrm{Enc}_i(m) + \mathrm{Enc}_i(m') \approx \mathrm{Enc}_i(m + m')$ and $\mathrm{Enc}_1(m) \times \mathrm{Enc}_1(m') \approx \mathrm{Enc}_2(mm')$
      • Note: It is obvious which group ($\mathbb{G}_1$, $\mathbb{G}_2$, $\mathbb{G}_T$) a CT is in
  24. Implementation
  25. Our Implementation
      • Available in “mcl”: A library for pairings
        • C++: https://github.com/herumi/mcl
        • web browser/Node.js: https://github.com/herumi/she-wasm
      • Optimized for x64/ARM64
      • WebAssembly (wasm)
        • Runs on Microsoft Edge, Firefox, Chrome, Safari without any plug-ins
        • Demo: https://herumi.github.io/she-wasm/she-demo.html
      • Open source: BSD 3-clause
  26. (Again) Benchmarks
      • Calculation times in msec
      • BN254 ($\mathbb{G}_1$: 256 bits, around 100-bit security)
      • Uses lookup tables for decryption (20-bit plaintext)

      | Operation | Native (x64): x64 Linux on Core i7-7700 | JavaScript with wasm: Firefox on Core i7-7700 | JavaScript with wasm: Safari on iPhone 7 |
      |---|---|---|---|
      | Enc $\mathbb{G}_1$ | 0.018 | 0.3 | 0.96 |
      | Enc $\mathbb{G}_2$ | 0.048 | 0.82 | 1.72 |
      | Add $\mathbb{G}_1$ | 0.00062 | 0.016 | 0.016 |
      | Add $\mathbb{G}_2$ | 0.002 | 0.036 | 0.048 |
      | Mult | 1.17 | 15.6 | 24.3 |
      | Dec2 | 0.66 | 7.8 | 12.6 |

  27. Demonstration of wasm
      • Let’s move on to the demo! https://herumi.github.io/she-wasm/she-demo.html
  28. Conclusion
      • We proposed efficient two-level HE
        • Combine the lifted-ElGamal encryption on Type 3 pairings
        • L1 CTs have exactly the same form as lifted-ElGamal
      • Our high-performance implementation
        • C++/asm/WebAssembly
        • Optimized for x64/ARM64
        • Supports Win/Mac/Linux/web browsers
        • Available under open source license: https://github.com/herumi/mcl, https://github.com/herumi/she-wasm
      Thank you!
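
The operations on slides 14 to 19 (key generation, level-1 encryption and addition, homomorphic multiplication, level-2 addition and decryption, plus the inner product of slide 10), as an added Python sketch that is not the authors' mcl/she-wasm code. It assumes a toy pairing in which the groups G1 and G2 are modelled as the integers mod p and e(a, b) = g_T^(ab), with constructed parameters p = 1019, q = 2039, g_T = 4, so it checks the algebra only and offers no security.

```python
import secrets

# Toy model (constructed, insecure): a point a*P_i is stored as a mod p,
# so DL in G1/G2 is trivial. Only the algebra of the slides is shown.
P, Q, G_T = 1019, 2039, 4   # prime order p, prime q = 2p + 1, g_T of order p

def pairing(a, b):                      # e(aP1, bP2) = g_T^(ab)
    return pow(G_T, a * b % P, Q)

def keygen():
    sec = tuple(secrets.randbelow(P - 1) + 1 for _ in range(2))
    return sec, sec                     # public key (s1*P1, s2*P2); P_i = 1 here

def enc(pk_i, m):                       # (mP_i + r s_i P_i, rP_i)
    r = secrets.randbelow(P)
    return ((m + r * pk_i) % P, r)

def add1(c, d):                         # level-1 addition in G_i^2
    return ((c[0] + d[0]) % P, (c[1] + d[1]) % P)

def dec1(s_i, c):                       # S - s_i*T = mP_i (DL is free in the toy)
    return (c[0] - s_i * c[1]) % P

def mul(c1, c2):                        # tensor product: G1^2 x G2^2 -> G_T^4
    (S1, T1), (S2, T2) = c1, c2
    return (pairing(S1, S2), pairing(S1, T2), pairing(T1, S2), pairing(T1, T2))

def add2(c, d):                         # level-2 addition, component-wise in G_T
    return tuple(x * y % Q for x, y in zip(c, d))

def dec2(sec, c, bound=P):
    s1, s2 = sec
    num = c[0] * pow(c[3], s1 * s2, Q) % Q          # c1 * c4^(s1 s2)
    den = pow(c[1], s2, Q) * pow(c[2], s1, Q) % Q   # c2^s2 * c3^s1
    target, acc = num * pow(den, -1, Q) % Q, 1      # g_T^(m m')
    for m in range(bound):                          # brute-force DL over small plaintexts
        if acc == target:
            return m
        acc = acc * G_T % Q
    raise ValueError("plaintext outside search bound")

def inner_product(sec, pub, xs, ys):    # Enc2(sum x_i*y_i): one mul per pair, then L2 adds
    acc = (1, 1, 1, 1)                  # identity of G_T^4
    for x, y in zip(xs, ys):
        acc = add2(acc, mul(enc(pub[0], x), enc(pub[1], y)))
    return dec2(sec, acc)
```

Plaintexts and results must stay below p = 1019 in this toy; the real scheme has the same constraint in spirit because decryption ends in a discrete-log search over a small plaintext range.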
