
Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups


Slides from Hanaoka's talk at ECC 2018 (https://cy2sec.comm.eng.osaka-u.ac.jp/ecc2018/program.html)



1. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups
Goichiro Hanaoka*1
Joint work with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1
*1 AIST, *2 Cybozu Labs
2018/11/21 ECC 2018
2. Outline
• Background
• Two-level homomorphic encryption
• An efficient construction
• Security
• Implementation
• Conclusion
3. Background
4. Computing on encrypted data
• Data analysis that takes care of sensitive data
(Figure: a diagnosis function F is evaluated over a database Y, e.g. "If X2 > ∑Y then ◯◯ 70%", and outputs "Disease Risk 70%")
5. Homomorphic Encryption (HE)
• Allows computation on encrypted data
• Many applications related to privacy-preserving schemes
• Types of HE
  • Additively HE (e.g. Goldwasser-Micali, Okamoto-Uchiyama, Paillier, lifted-ElGamal)
    • $\mathrm{Enc}(m) + \mathrm{Enc}(m') = \mathrm{Enc}(m + m')$
  • Multiplicatively HE (e.g. RSA, ElGamal)
    • $\mathrm{Enc}(m) \times \mathrm{Enc}(m') = \mathrm{Enc}(mm')$
  • Fully HE (e.g. Gentry, BGV, BV, GSW, …)
    • Can do homomorphic add. and mult.
6. Pros and Cons
• Add. HE, Mult. HE
  • Applications are restricted
• Fully HE (FHE)
  • Any computation is possible, but inefficient
  • Security relies on less standard assumptions
• Leveled HE
  • The number of homomorphic mult. is restricted
  • An intermediate notion between A/M HE and FHE

                 A/M HE      Leveled HE   FHE
  Efficiency     very good   medium       bad
  Functionality  medium      good         very good
7. Two-level HE
• HE that allows one homomorphic multiplication
• Allows degree-2 polynomial homomorphic evaluations
• Allows the inner product of two vectors
  • $x = (x_1, x_2, \ldots)$, $y = (y_1, y_2, \ldots)$
  • $\sum_i \mathrm{Enc}_1(x_i) \times \mathrm{Enc}_1(y_i) = \mathrm{Enc}_2\left(\sum_i x_i y_i\right)$
(Figure: level-1 ciphertexts of 1 and 2 are added to give a level-1 ciphertext of 3; level-1 ciphertexts of 3 and 4 are multiplied to give a level-2 ciphertext of 12; level-2 ciphertexts of 12 and 13 are added to give 25)
8. Applications
• Secure 2-DNF formula evaluation
• Delegated secure inner product on encrypted data
• Efficient (symmetric) private information retrieval
• Cross tabulation on encrypted data
• Efficient election protocol
• …
9. Existing Two-level HE
• Boneh, Goh, Nissim (TCC 2005)
  • Based on composite-order pairings, hence much less efficient
• Freeman (EUROCRYPT 2010)
  • Composite-to-prime-order transformation framework, applied to BGN
• Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014)
  • Improving Freeman's framework
  • Only Type 1 pairings, inefficient
• Catalano, Fiore (ACM CCS 2015)
  • Transformation from d-level HE to (2d)-level
  • Instantiations are not necessarily efficient
• AHM+ (AsiaCCS 2018): this talk
  • Efficient construction based on the lifted-ElGamal encryption
  • Portable high-speed implementations
• Note:
  • Decryption in all these schemes requires a discrete log (DL)
  • Hence the plaintext space should be sufficiently small (up to 32-bit)
10. An Efficient Construction of Two-level HE
11. Basic Idea
• Existing schemes
  • Establish a "broader fundamental & theoretical framework"
  • Then construct L2HE as an "application"
• Our scheme
  • Concentrate on an "L2HE-dedicated design"
  • Start from "promising tools" for fast HE, i.e. Type-3 pairings and ElGamal
  • Not general, but fully tuned for L2HE
12. An Efficient Construction
• Combine the lifted-ElGamal encryption scheme with Type 3 pairings
  • First, straightforwardly construct two-level HE
  • Then, consider a "simpler" construction
  • Whereas Freeman considered a conversion from composite to prime order
• Level-1 (L1) ciphertext (CT) is the same as lifted-ElGamal
• Format of level-2 (L2) CT is the same as in Freeman's scheme
• Note: Type 3 pairings
  • Cyclic groups $\mathbb{G}_1, \mathbb{G}_2, \mathbb{G}_T$ of prime order $p$ with a bilinear map $e: \mathbb{G}_1 \times \mathbb{G}_2 \to \mathbb{G}_T$
  • $e(aP, bQ) = e(P, Q)^{ab}$ for $a, b \in \mathbb{Z}_p$, $P \in \mathbb{G}_1$, $Q \in \mathbb{G}_2$
  • $\mathbb{G}_1 \neq \mathbb{G}_2$ and there is no efficient map between $\mathbb{G}_1$ and $\mathbb{G}_2$
13. Summary of Constructions
• Freeman (EUROCRYPT 2010): BGN scheme based on composite order → (construction by converting) → BGN (Freeman) scheme based on prime order (includes 2-level HE)
• AHM+ (AsiaCCS 2018, this talk): lifted-ElGamal $\mathrm{Enc}(m) = (g^m h^r, g^r)$ and Type 3 pairing $e(aP_1, bP_2) = g_T^{ab}$ → (construction by combining algebraic structures) → AHM+ 2-level HE scheme
14. Setup and Key Generation
• Setup
  • Cyclic group $\mathbb{G}_i = \langle P_i \rangle$ over an elliptic curve with prime order $p$ for $i = 1, 2$
  • $\mathbb{G}_T = \langle g_T \rangle$, where $g_T = e(P_1, P_2)$
• Key generation
  • Secret key $s_1, s_2 \in \mathbb{Z}_p$ is generated at random
  • Public key $Q_1 = s_1 P_1$, $Q_2 = s_2 P_2$ (with optional precomputation $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$)
• Note: colors on the slide
  • Green: public part
  • Blue: secret and hidden part
15. Level-1 CT and Enc./Dec.
• Encrypt
  • Plaintext $m$ and randomness $r$
  • $\mathrm{Enc}_{\mathbb{G}_i}(m) = (mP_i + rQ_i,\ rP_i)$ for $i = 1, 2$
  • Duplicated form: $\mathrm{Enc}_1(m) := (\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m))$
  • Note: a $\mathbb{G}_1$ CT can be multiplied only with a $\mathbb{G}_2$ CT, and vice versa, so the duplicated form is needed for general usage
• Decrypt
  • For $i = 1, 2$, decrypt $\mathrm{Enc}_{\mathbb{G}_i}(m) = (S, T)$ by $S - s_i T = mP_i + rQ_i - s_i r P_i = mP_i$ and then, to obtain $m$, solve the DL
• Almost the same as lifted-ElGamal
16. Homomorphic Addition on L1 CT
• For $i = 1, 2$,
  $\mathrm{Enc}_{\mathbb{G}_i}(m_1) + \mathrm{Enc}_{\mathbb{G}_i}(m_2) = (m_1 P_i + r_1 Q_i,\ r_1 P_i) + (m_2 P_i + r_2 Q_i,\ r_2 P_i) = ((m_1 + m_2) P_i + (r_1 + r_2) Q_i,\ (r_1 + r_2) P_i) = \mathrm{Enc}_{\mathbb{G}_i}(m_1 + m_2)$
• Also the same as lifted-ElGamal
(Figure: level-1 ciphertexts of 1 and 2 are added to give a level-1 ciphertext of 3)
17. Homomorphic Multiplication
• $C_1 = (S_1, T_1) = (m_1 P_1 + r_1 Q_1,\ r_1 P_1) = \mathrm{Enc}_{\mathbb{G}_1}(m_1) \in \mathbb{G}_1^2$
• $C_2 = (S_2, T_2) = (m_2 P_2 + r_2 Q_2,\ r_2 P_2) = \mathrm{Enc}_{\mathbb{G}_2}(m_2) \in \mathbb{G}_2^2$
• $C_1 \times C_2 := (e(S_1, S_2),\ e(S_1, T_2),\ e(T_1, S_2),\ e(T_1, T_2)) = (z_1^{m_1 m_2} z_4^{\tau'},\ z_2^{\sigma'},\ z_3^{\rho'},\ z_1^{\sigma' + \rho' - \tau'}) = \mathrm{Enc}_2(m_1 m_2) \in \mathbb{G}_T^4$
  • $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
  • Tensor product of $C_1$ and $C_2$
  • Its result is a level-2 ciphertext
(Figure: level-1 ciphertexts of 3 and 4 are multiplied to give a level-2 ciphertext of 12)
18. Homomorphic Addition on L2 CT
• $\mathrm{Enc}_2(m_1) + \mathrm{Enc}_2(m_2) = (z_1^{m_1} z_4^{\tau_1},\ z_2^{\sigma_1},\ z_3^{\rho_1},\ z_1^{\sigma_1 + \rho_1 - \tau_1}) + (z_1^{m_2} z_4^{\tau_2},\ z_2^{\sigma_2},\ z_3^{\rho_2},\ z_1^{\sigma_2 + \rho_2 - \tau_2}) = (z_1^{m_1 + m_2} z_4^{\tau_1 + \tau_2},\ z_2^{\sigma_1 + \sigma_2},\ z_3^{\rho_1 + \rho_2},\ z_1^{(\sigma_1 + \sigma_2) + (\rho_1 + \rho_2) - (\tau_1 + \tau_2)}) = \mathrm{Enc}_2(m_1 + m_2)$
• Usual vector addition
(Figure: level-2 ciphertexts of 12 and 13 are added to give a level-2 ciphertext of 25)
19. Decryption for Level-2 CT
• Decrypting a level-2 ciphertext $(c_1, c_2, c_3, c_4)$:
  $\mathrm{Dec}_2(c_1, c_2, c_3, c_4) := \dfrac{c_1\, c_4^{s_1 s_2}}{c_2^{s_2}\, c_3^{s_1}} = \dfrac{e(S_1, S_2)\, e(s_1 T_1, s_2 T_2)}{e(S_1, s_2 T_2)\, e(s_1 T_1, S_2)} = e(S_1 - s_1 T_1,\ S_2 - s_2 T_2) = e(mP_1, m' P_2) = e(P_1, P_2)^{mm'}$
  then solve the DLP to obtain $mm'$
• Note: $(c_1, c_2, c_3, c_4) = (z_1^{mm'} z_4^{\tau},\ z_2^{\sigma},\ z_3^{\rho},\ z_1^{\sigma + \rho - \tau}) \in \mathbb{G}_T^4$, where $z_1 = g_T$, $z_2 = g_T^{s_1}$, $z_3 = g_T^{s_2}$, $z_4 = g_T^{s_1 s_2}$
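The level-1/level-2 algebra of slides 14 to 19 and the inner-product use of slide 7, as an added example that is not part of the slides or of mcl. It assumes a constructed toy model: $\mathbb{G}_1$ and $\mathbb{G}_2$ elements are stored as their scalars (so $e(aP_1, bP_2) = g_T^{ab}$ can be computed), $\mathbb{G}_T$ is the order-$p$ subgroup of $\mathbb{Z}_q^*$ for a safe prime $q = 2p + 1$, and the DL step is a 16-bit lookup table; the model has no security (discrete logs are free and the public key reveals the secret key) and only checks that the ciphertext formats and decryption formulas compose as the slides claim.

```python
import random

def is_prime(n):
    return n > 1 and all(n % d for d in range(2, int(n ** 0.5) + 1))

# Constructed toy parameters: prime p with q = 2p+1 prime; gT = 4 generates the
# order-p subgroup of Z_q^* that stands in for GT (G1/G2 elements are scalars).
p = next(n for n in range(2**16, 2**17) if is_prime(n) and is_prime(2 * n + 1))
q, gT = 2 * p + 1, 4
TABLE = {pow(gT, m, q): m for m in range(2**16)}   # DL lookup, 16-bit plaintexts

def keygen():
    s1, s2 = random.randrange(1, p), random.randrange(1, p)
    # public key Q_i = s_i P_i is stored as the scalar s_i: no secrecy in this model
    return {1: s1, 2: s2}, (s1, s2)

def enc_g(pk, i, m):                    # Enc_{G_i}(m) = (m P_i + r Q_i, r P_i)
    r = random.randrange(p)
    return ((m + r * pk[i]) % p, r)

def enc1(pk, m):                        # duplicated form (Enc_{G1}(m), Enc_{G2}(m))
    return (enc_g(pk, 1, m), enc_g(pk, 2, m))

def dec1(sk, ct):                       # S - s_1 T = m P_1; the DL step is free here
    return (ct[0][0] - sk[0] * ct[0][1]) % p

def add1(a, b):                         # componentwise addition of both halves
    return tuple(((x[0] + y[0]) % p, (x[1] + y[1]) % p) for x, y in zip(a, b))

def e(a, b):                            # bilinear map on scalars: e(aP1, bP2) = gT^(ab)
    return pow(gT, a * b % p, q)

def mult(c1, c2):                       # tensor product -> level-2 CT in GT^4
    (S1, T1), (S2, T2) = c1[0], c2[1]
    return (e(S1, S2), e(S1, T2), e(T1, S2), e(T1, T2))

def add2(a, b):                         # "vector addition" of L2 CTs: product in GT
    return tuple(x * y % q for x, y in zip(a, b))

def dec2(sk, ct):                       # c1 * c4^(s1 s2) / (c2^s2 * c3^s1), then DL
    (c1, c2, c3, c4), (s1, s2) = ct, sk
    num = c1 * pow(c4, s1 * s2 % p, q) % q
    den = pow(c2, s2, q) * pow(c3, s1, q) % q
    return TABLE[num * pow(den, -1, q) % q]

def inner_product(pk, xs, ys):          # sum_i Enc1(x_i) x Enc1(y_i) = Enc2(<x, y>)
    acc = mult(enc1(pk, 0), enc1(pk, 0))
    for x, y in zip(xs, ys):
        acc = add2(acc, mult(enc1(pk, x), enc1(pk, y)))
    return acc
```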
20. Size and Benchmark on BN462
• Note:
  • Use x64 Linux on Core i7-6700
  • Without compressed form
  • Use lookup tables for decryption (20-bit plaintext)

Calc. time in msec
  Enc1      0.452
  Enc2      1.14
  Dec1      9.01
  Dec2      10.01
  ReRand1   0.447
  ReRand2   1.14
  Add1      0.0109
  Add2      0.0231
  Mult      8.47

Bit size
  Secret key   924
  Public key   27720
  Dup. L1 CT   5544
  L2 CT        22176
21. Comparison of Size
• Fre10: Freeman's scheme (EUROCRYPT 2010)
• Compare bit sizes on a 462-bit Barreto-Naehrig (BN) curve
22. Comparison of Time
• CT: ciphertext
• Fre10: Freeman's scheme in EUROCRYPT 2010
• Compare calculation times on a 462-bit BN curve
23. Proving the Knowledge of Plaintexts
• Zero-knowledge proof protocols can be applied
• Example 1: duplicated form of L1 CT
  • Dup. L1 CT is $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m'))$
  • Attach a proof of "$m = m'$"
• Example 2: proving a CT encrypts a bit
  • Attach a proof of "the encrypted plaintext is 0 or 1"
• Applications: voting, two-party computation
24. Proof of Equality
• Duplicated L1 CT:
  • $(\mathrm{Enc}_{\mathbb{G}_1}(m), \mathrm{Enc}_{\mathbb{G}_2}(m')) = ((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1,\ \rho P_1),\ (m' P_2 + \sigma Q_2,\ \sigma P_2))$ where $\rho, \sigma \leftarrow \mathbb{Z}_p$ are randomly chosen
  • Should be "$m = m'$"
• Equality can be proved in the same way as the NIZK DH-tuple proof
25. NIZK Proof of Equality
• L1 CT: $((C_1, C_2), (C_3, C_4)) = ((mP_1 + \rho Q_1,\ \rho P_1),\ (m' P_2 + \sigma Q_2,\ \sigma P_2))$
• Prove:
  • Randomly choose $r_\rho, r_\sigma, r_m \leftarrow \mathbb{Z}_p$
  • $(R_1, R_2, R_3, R_4) \leftarrow (r_m P_1 + r_\rho Q_1,\ r_\rho P_1,\ r_m P_2 + r_\sigma Q_2,\ r_\sigma P_2)$
  • $c \leftarrow H(\text{public param}, C_1, C_2, C_3, C_4, R_1, R_2, R_3, R_4)$
  • $(s_\rho, s_\sigma, s_m) \leftarrow (r_\rho + c\rho,\ r_\sigma + c\sigma,\ r_m + cm)$
  • Proof $\pi = (c, s_\rho, s_\sigma, s_m)$
• Verify:
  • Check $c = H(\text{public param}, C_1, C_2, C_3, C_4, R_1', R_2', R_3', R_4')$ where $(R_1', R_2', R_3', R_4') \leftarrow (s_m P_1 + s_\rho Q_1 - cC_1,\ s_\rho P_1 - cC_2,\ s_m P_2 + s_\sigma Q_2 - cC_3,\ s_\sigma P_2 - cC_4)$
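The prover and verifier of the equality proof above as runnable code, added here and not taken from the slides or from mcl. It assumes a constructed scalar model (a $\mathbb{G}_i$ element is stored as its scalar $a$ meaning $aP_i$, so the public key $Q_i$ is stored as the scalar $s_i$), SHA-256 over a comma-separated encoding of the public values as $H$, a dictionary public key, and the example's own names dup_enc, prove_equal and verify_equal.

```python
import hashlib
import random

# Constructed toy model: G1/G2 elements are stored as scalars a mod p meaning a*P_i,
# so the public key Q_i = s_i P_i is just the scalar s_i. This checks only the proof
# algebra of slide 25; with real curve points s_i would not be recoverable.
p = 2**31 - 1                            # a prime, used as the group order

def H(*ints):                            # Fiat-Shamir challenge over public values
    data = ",".join(str(x % p) for x in ints).encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % p

def dup_enc(pk, m, m2, rho, sigma):      # ((m P1 + rho Q1, rho P1), (m2 P2 + sigma Q2, sigma P2))
    return ((m + rho * pk[1]) % p, rho, (m2 + sigma * pk[2]) % p, sigma)

def prove_equal(pk, ct, m, rho, sigma):  # prover knows m, rho, sigma and claims m = m'
    C1, C2, C3, C4 = ct
    r_rho, r_sig, r_m = (random.randrange(p) for _ in range(3))
    R = ((r_m + r_rho * pk[1]) % p, r_rho, (r_m + r_sig * pk[2]) % p, r_sig)
    c = H(pk[1], pk[2], C1, C2, C3, C4, *R)
    return (c, (r_rho + c * rho) % p, (r_sig + c * sigma) % p, (r_m + c * m) % p)

def verify_equal(pk, ct, proof):         # recompute R' from the responses and re-hash
    C1, C2, C3, C4 = ct
    c, s_rho, s_sig, s_m = proof
    R = ((s_m + s_rho * pk[1] - c * C1) % p, (s_rho - c * C2) % p,
         (s_m + s_sig * pk[2] - c * C3) % p, (s_sig - c * C4) % p)
    return c == H(pk[1], pk[2], C1, C2, C3, C4, *R)
```

When the two halves encrypt different plaintexts, $R_3'$ differs from $R_3$ by $c(m - m')$, so the recomputed challenge no longer matches.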
26. Security
27. Confidentiality
• The shown scheme is IND-CPA secure under the SXDH assumption
• Note 1: IND-CPA (INDistinguishability against Chosen Plaintext Attack)
  • The plaintext is hidden from the ciphertext
  • Standard baseline security notion
• Note 2: SXDH (Symmetric eXternal Diffie-Hellman) assumption
  • For $P_1 \in \mathbb{G}_1$, $P_2 \in \mathbb{G}_2$ and random $\alpha, \beta, \gamma$: $(P_1, \alpha P_1, \beta P_1, \alpha\beta P_1) \approx (P_1, \alpha P_1, \beta P_1, \gamma P_1)$ and $(P_2, \alpha P_2, \beta P_2, \alpha\beta P_2) \approx (P_2, \alpha P_2, \beta P_2, \gamma P_2)$, i.e. both pairs are computationally indistinguishable
28. Circuit Privacy
• The shown scheme is circuit private
  • Namely, $\mathrm{ReRand}_i(c) \approx \mathrm{Enc}_i(\mathrm{Dec}_i(c))$
  • Rerandomization: $\mathrm{ReRand}_i(c) := c + \mathrm{Enc}_i(0)$
  • $\mathrm{ReRand}_i(c)$ removes the trace of the circuit from $c$
• Note: the arithmetic circuit may depend on a secret
  • E.g., for $i = 1, 2$ and a secret integer $n$: $n \times \mathrm{Enc}_i(m) = \sum_{j=1}^{n} \mathrm{Enc}_i(m) = \mathrm{Enc}_i(nm)$
  • Should be $\mathrm{Enc}_i(m) + \mathrm{Enc}_i(m') \approx \mathrm{Enc}_i(m + m')$ and $\mathrm{Enc}_1(m) \times \mathrm{Enc}_1(m') \approx \mathrm{Enc}_2(mm')$
• Note: it is obvious which group ($\mathbb{G}_1$, $\mathbb{G}_2$ or $\mathbb{G}_T$) a CT lies in
29. Implementation
30. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups (title slide repeated)
31. Our Implementation
• Available in "mcl": a library for pairings
  • BN254, BN381, BN462, BLS12-381
  • C++: https://github.com/herumi/mcl
  • Web browser/Node.js: https://github.com/herumi/she-wasm
• High-performance implementation for x64/ARM64
• WebAssembly (wasm)
  • Runs on Microsoft Edge, Firefox, Chrome, Safari without any plug-ins
• Open source: BSD 3-clause
32. Benchmarks on wasm
• Calculation times in msec
• Use BN254
• Use lookup tables for decryption (20-bit plaintext)

                Native (x64)              JavaScript with wasm     JavaScript with wasm
                x64 Linux, Core i7-7700   Firefox, Core i7-7700    Safari, iPhone 7
  Enc G1        0.018                     0.3                      0.96
  Enc G2        0.048                     0.82                     1.72
  Add G1        0.00062                   0.016                    0.016
  Add G2        0.002                     0.036                    0.048
  Mult          1.17                      15.6                     24.3
  Dec2          0.66                      7.8                      12.6
33. Demo
34. Importance of the WebAssembly (wasm) Implementation
• Large deployment advantages
  • wasm is a portable and fast binary instruction format
  • Runs on many modern browsers
    • Microsoft Edge, Safari, Google Chrome, and Mozilla Firefox on Windows, Linux, macOS, iPhone, Android, and so on
  • Requires no plugins
  • Being developed as a web standard via the W3C
  • Distribution is easy
35. Demonstrations of wasm
• Inner product: https://herumi.github.io/she-wasm/she-demo.html
• Oblivious transfer: https://ppdm.jp/ot/
36. Conclusion
• Practical, efficient two-level homomorphic encryption
  • Many additions and one multiplication on encrypted data
  • Based on Type 3 (asymmetric) pairings
  • Combined with the lifted-ElGamal encryption scheme
  • Faster than Freeman's scheme (EUROCRYPT 2010)
• Portable high-performance implementation
  • C++/asm/WebAssembly
  • https://github.com/herumi/mcl
  • https://github.com/herumi/she-wasm
  • Open source: BSD 3-clause
Thank you!
