DOCSLIB.ORG

Alchemy: a Language and Compiler for Homomorphic Encryption Made Easy

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Alchemy: a Language and Compiler for Homomorphic Encryption Made Easy Alchemy: A Language and Compiler for Homomorphic Encryption Made easY Eric Crockett Chris Peikert Chad Sharp University of Michigan and University of Michigan University of Michigan Georgia Institute of Technology ABSTRACT ACM Reference Format: Fully Homomorphic Encryption (FHE) is a cryptographic “holy Eric Crockett, Chris Peikert, and Chad Sharp. 2018. Alchemy: A Language and Compiler for, Homomorphic Encryption Made easY. In CCS ’18: 2018 grail” that allows a worker to perform arbitrary computations on ACM SIGSAC Conference on Computer & Communications Security Oct. 15– client-encrypted data, without learning anything about the data 19, 2018, Toronto, ON, Canada. ACM, New York, NY, USA, 18 pages. https: itself. Since the first plausible construction in 2009, a variety of //doi.org/10.1145/3243734.3243828 FHE implementations have been given and used for particular ap- plications of interest. Unfortunately, using FHE is currently very complicated, and a great deal of expertise is required to properly 1 INTRODUCTION implement nontrivial homomorphic computations. Fully Homomorphic Encryption (FHE) is a powerful cryptographic This work introduces Alchemy, a modular and extensible system concept that allows a worker to perform arbitrary computations on that simplifies and accelerates the use of FHE. Alchemy compiles client-encrypted data, without learning anything about the data it- “in-the-clear” computations on plaintexts, written in a modular self. Although first envisioned 40 years ago [49] as a cryptographic domain-specific language (DSL), into corresponding homomorphic “holy grail,” no plausible candidate FHE scheme was known until computations on ciphertexts—with no special knowledge of FHE Gentry’s seminal work in 2009 [26, 27]. Motivated by FHE’s po- required of the programmer. The compiler automatically chooses tential to enable new privacy-sensitive applications and enhance (most of the) parameters by statically inferring ciphertext noise existing ones, a flurry of research activity has led to FHE schemes rates, generates keys and “key-switching hints,” schedules appro- with better efficiency, stronger security assurances, and specialized priate ciphertext “maintenance” operations, and more. In addition, features. (See [3, 4, 11–15, 18–20, 30–32, 51, 52] for a sampling.) In its components can be combined modularly to provide other useful addition, there are a variety of real-world FHE implementations functionality, such logging the empirical noise rates of ciphertexts which have been used for particular applications of interest (see, throughout a computation, without requiring any changes to the e.g., [17, 22, 25, 29, 33, 38, 46]). original DSL code. Unfortunately, using current FHE implementations for non-trivial As a testbed application, we demonstrate fast homomorphic homomorphic computations is quite complicated: First, one must evaluation of a pseudorandom function (PRF) based on Ring-LWR, express the desired “in the clear” computation (on plaintexts) in whose entire implementation is only a few dozen lines of simple terms of the FHE scheme’s “instruction set,” i.e., the basic homo- DSL code. For a single (non-batched) evaluation, our unoptimized morphic operations it natively supports. This is non-trivial because implementation takes only about 10 seconds on a commodity PC, the operations (which can vary based on the scheme) are typically which is more than an order of magnitude faster than state-of- algebraic ones like addition and multiplication on finite fields, and the-art homomorphic evaluations of other PRFs, including some sometimes other functions like permutations on fixed-sized arrays specifically designed for amenability to homomorphic evaluation. of field elements. Thus, one needs to “arithmetize” the desired com- putation in terms of these operations, as efficiently as possible for CCS CONCEPTS the instruction set at hand. (Moreover, the instruction set can some- • Security and privacy → Public key encryption; • Software and times depend on the choice of plaintext and ciphertext rings, which its engineering → Software design techniques; can also affect the third step below.) Second, FHE ciphertexts accumulate “errors” or “noise” under KEYWORDS homomorphic operations, and too much noise causes the result to decrypt incorrectly—so proper noise management is essential. In fully homomorphic encryption; domain-specific languages; compil- addition, the ciphertext “degree” increases under certain operations, ers but can be brought back down using other means. So along with homomorphic operations that perform meaningful work on the Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed plaintext, one must also carefully schedule appropriate “mainte- for profit or commercial advantage and that copies bear this notice and the full citation nance” operations, such as linearization and other forms of key on the first page. Copyrights for components of this work owned by others than the switching, and rescaling (also known as modulus switching) to keep author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission the ciphertext noise and size under control. and/or a fee. Request permissions from [email protected]. Third, one must choose appropriate ciphertext parameters for CCS ’18, October 15–19, 2018, Toronto, ON, Canada the desired level of security, i.e., dimensions and moduli that are © 2018 Copyright held by the owner/author(s). Publication rights licensed to ACM. ACM ISBN 978-1-4503-5693-0/18/10...$15.00 compatible with the noise rates at the various stages of the compu- https://doi.org/10.1145/3243734.3243828 tation (and also consistent with any restrictions inherited from the first step). Importantly, the choice of parameters itself affects the implementation of the “plaintext” PRF computation is only a few noise growth incurred by the homomorphic operations, so one may dozen lines of very simple and transparent code; Alchemy handles need several cycles of trial and error until the parameters stabilize. everything else. Lastly, one also needs to generate all the needed keys and aux- It has long been understood that homomorphic evaluation of iliary key-switching “hints” that are needed for the maintenance symmetric-key primitives like PRFs is a very useful tool in the the- operations, and to encrypt the input plaintexts under the appropri- ory and practice of FHE (see, e.g., [26, 28, 33]). For example, it allows ate keys. a client to encrypt its data using symmetric-key encryption—which In summary, the above process requires a great deal of expertise is much faster and more compact than FHE encryption—while still in both the theory of FHE and the quirks of its particular imple- allowing a worker to compute on the data homomorphically. The mentation, in addition to a lot of manual programming and trial- worker first homomorphically evaluates the symmetric decryption and-error. Perhaps for this reason, most applications of FHE to date circuit on an FHE encryption of the user’s secret key, resulting in have been ad-hoc, one-off implementations, with complex code that an FHE encryption of the user’s data. From there the worker can is hard to debug and which obscures the nature of the underlying homomorphically evaluate the actual function of interest. computation. Prior work has homomorphically evaluated PRFs like the AES block cipher [18, 24, 33, 45] and the “LowMC” cipher [1], which was 1.1 Contributions specially designed to have low multiplicative depth for amenability This work introduces Alchemy, a system that greatly simplifies and to FHE and multi-party computation (MPC). On standard laptop- accelerates the implementation of homomorphic computations.1 In class hardware, highly optimized state-of-the-art implementations short, Alchemy automatically and safely transforms “in-the-clear” require a few minutes (or much more) for a single AES or LowMC computations on plaintexts into corresponding homomorphic com- evaluation. They can also use SIMD techniques to compute scores putations on ciphertexts. Crucially, this requires no detailed knowl- of evaluations at once, resulting in amortized rates of a few seconds edge of particular FHE schemes on the part of the programmer. One per block, or even sub-second rates for LowMC amortized over simply writes (and runs, and debugs) a program that describes a hundreds of blocks. However, the latency remains in the several desired plaintext computation, and then obtains a matching homo- minutes, which makes its unsuitable for many scenarios. morphic computation with very little additional effort. By constrast, our homomorphic evaluation of a Ring-LWR PRF At a more technical level, Alchemy consists of two main pieces: takes only about twelve seconds for a single evaluation on com- 2 (1) domain-specific languages (DSLs) for expressing plaintext and modity hardware. This is primarily due to its use of rich natively ciphertext computations, including both “native” operations and a supported FHE operations like “ring switching” [22, 30] and SIMD library of higher-level functions built out of them; and (2) a compiler operations on “slots” [51], its small number of such operations, and that transforms plaintext programs into corresponding homomor- its low multiplicative depth (over a large ring). This good “algebraic phic ones. The
Load more

Recommended publications
  • Fundamentals of Fully Homomorphic Encryption – a Survey
    Electronic Colloquium on Computational Complexity, Report No. 125 (2018) Fundamentals of Fully Homomorphic Encryption { A Survey Zvika Brakerski∗ Abstract A homomorphic encryption scheme is one that allows computing on encrypted data without decrypting it first. In fully homomorphic encryption it is possible to apply any efficiently com- putable function to encrypted data. We provide a survey on the origins, definitions, properties, constructions and uses of fully homomorphic encryption. 1 Homomorphic Encryption: Good, Bad or Ugly? In the seminal RSA cryptosystem [RSA78], the public key consists of a product of two primes ∗ N = p · q as well as an integer e, and the message space is the set of elements in ZN . Encrypting a message m involved simply raising it to the power e and taking the result modulo N, i.e. c = me (mod N). For the purpose of the current discussion we ignore the decryption process. It is not hard to see that the product of two ciphertexts c1 and c2 encrypting messages m1 and m2 allows e to compute the value c1 · c2 (mod N) = (m1m2) (mod N), i.e. to compute an encryption of m1 · m2 without knowledge of the secret private key. Rabin's cryptosystem [Rab79] exhibited similar behavior, where a product of ciphertexts corresponded to an encryption of their respective plaintexts. This behavior can be expressed in formal terms by saying that the ciphertext space and the plaintext space are homomorphic (multiplicative) groups. The decryption process defines the homomorphism by mapping a ciphertext to its image plaintext. Rivest, Adleman and Dertouzos [RAD78] realized the potential advantage of this property.
    [Show full text]
  • Lecture Notes in Computer Science 6223 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan Van Leeuwen
    Lecture Notes in Computer Science 6223 Commenced Publication in 1973 Founding and Former Series Editors: Gerhard Goos, Juris Hartmanis, and Jan van Leeuwen Editorial Board David Hutchison Lancaster University, UK Takeo Kanade Carnegie Mellon University, Pittsburgh, PA, USA Josef Kittler University of Surrey, Guildford, UK Jon M. Kleinberg Cornell University, Ithaca, NY, USA Alfred Kobsa University of California, Irvine, CA, USA Friedemann Mattern ETH Zurich, Switzerland John C. Mitchell Stanford University, CA, USA Moni Naor Weizmann Institute of Science, Rehovot, Israel Oscar Nierstrasz University of Bern, Switzerland C. Pandu Rangan Indian Institute of Technology, Madras, India Bernhard Steffen TU Dortmund University, Germany Madhu Sudan Microsoft Research, Cambridge, MA, USA Demetri Terzopoulos University of California, Los Angeles, CA, USA Doug Tygar University of California, Berkeley, CA, USA Gerhard Weikum Max-Planck Institute of Computer Science, Saarbruecken, Germany Tal Rabin (Ed.) Advances in Cryptology – CRYPTO 2010 30th Annual Cryptology Conference Santa Barbara, CA, USA, August 15-19, 2010 Proceedings 13 Volume Editor Tal Rabin IBM T.J.Watson Research Center Hawthorne, NY, USA E-mail: [email protected] Library of Congress Control Number: 2010931385 CR Subject Classification (1998): E.3, G.2.1, F.2.1-2, D.4.6, K.6.5, C.2, J.1 LNCS Sublibrary: SL 4 – Security and Cryptology ISSN 0302-9743 ISBN-10 3-642-14622-8 Springer Berlin Heidelberg New York ISBN-13 978-3-642-14622-0 Springer Berlin Heidelberg New York This work is subject to copyright. All rights are reserved, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, re-use of illustrations, recitation, broadcasting, reproduction on microfilms or in any other way, and storage in data banks.
    [Show full text]
  • Indistinguishability Obfuscation from Functional Encryption
    Indistinguishability Obfuscation from Functional Encryption The MIT Faculty has made this article openly available. Please share how this access benefits you. Your story matters. Citation Bitansky, Nir, and Vinod Vaikuntanathan. "Indistinguishability Obfuscation from Functional Encryption." 2015 IEEE 56th Annual Symposium on Foundations of Computer Science (FOCS), 17-20 October 2015, Berkeley, CA, 2015, pp. 171–90. As Published http://dx.doi.org/10.1109/FOCS.2015.20 Publisher Institute of Electrical and Electronics Engineers (IEEE) Version Original manuscript Citable link http://hdl.handle.net/1721.1/113077 Terms of Use Creative Commons Attribution-Noncommercial-Share Alike Detailed Terms http://creativecommons.org/licenses/by-nc-sa/4.0/ Indistinguishability Obfuscation from Functional Encryption∗ Nir Bitanskyy Vinod Vaikuntanathanz Abstract Indistinguishability obfuscation (IO) is a tremendous notion, powerful enough to give rise to almost any known cryptographic object. Prior candidate IO constructions were based on specific assumptions on algebraic objects called multi-linear graded encodings. We present a generic construction of indistinguishability obfuscation from public-key functional encryption with succinct encryption circuits and subexponential security. This shows the equivalence of indistinguishability obfuscation and public-key functional en- cryption, a primitive that has so far seemed to be much weaker, lacking the power and the staggering range of applications of indistinguishability obfuscation. Our main construction can be based on functional encryption schemes that support a single function key, and where the encryption circuit grows sub-linearly in the circuit-size of the function. We further show that sublinear succinctness in circuit-size for single-key schemes can be traded with sublinear succinctness in the number of keys (also known as the collusion-size) for multi-key schemes.
    [Show full text]
  • Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics
    This is a repository copy of Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics. White Rose Research Online URL for this paper: https://eprints.whiterose.ac.uk/151333/ Version: Accepted Version Article: Kahrobaei, Delaram orcid.org/0000-0001-5467-7832, Wood, Alexander and Najarian, Kayvan (2020) Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics. ACM Comput. Surv.. ISSN 0360-0300 Reuse Items deposited in White Rose Research Online are protected by copyright, with all rights reserved unless indicated otherwise. They may be downloaded and/or printed for private study, or other acts as permitted by national copyright laws. The publisher or other rights holders may allow further reproduction and re-use of the full text version. This is indicated by the licence information on the White Rose Research Online record for the item. Takedown If you consider content in White Rose Research Online to be in breach of UK law, please notify us by emailing [email protected] including the URL of the record and the reason for the withdrawal request. [email protected] https://eprints.whiterose.ac.uk/ Homomorphic Encryption for Machine Learning in Medicine and Bioinformatics ALEXANDER WOOD∗, University of Michigan, United States KAYVAN NAJARIAN, University of Michigan, United States DELARAM KAHROBAEI, University of York, United Kingdom Machine learning and statistical techniques are powerful tools for analyzing large amounts of medical and genomic data. On the other hand, ethical concerns and privacy regulations prevent free sharing of this data. Encryption techniques such as fully homomorphic encryption (FHE) enable evaluation over encrypted data. Using FHE, machine learning models such as deep learning, decision trees, and naive Bayes have been implemented for privacy-preserving applications using medical data.
    [Show full text]
  • Short Signatures from Weaker Assumptions
    Short Signatures From Weaker Assumptions Dennis Hofheinz1, Tibor Jager2, and Eike Kiltz2 1 Institut f¨urKryptographie und Sicherheit, Karlsruhe Institute of Technology, Germany. [email protected] 2 Horst-G¨ortzInstitute for IT Security, Ruhr-University Bochum, Germany. ftibor.jager,[email protected] Abstract. We provide constructions of (m; 1)-programmable hash functions (PHFs) for m ≥ 2. Mim- icking certain programmability properties of random oracles, PHFs can, e.g., be plugged into the generic constructions by Hofheinz and Kiltz (J. Cryptol. 2011) to yield digital signature schemes from the strong RSA and strong q-Diffie-Hellman assumptions. As another application of PHFs, we propose new and efficient constructions of digital signature schemes from weaker assumptions, i.e., from the (standard, non-strong) RSA and the (standard, non-strong) q-Diffie-Hellman assumptions. The resulting signature schemes offer interesting tradeoffs between efficiency/signature length and the size of the public-keys. For example, our q-Diffie-Hellman signatures can be as short as 200 bits; the signing algorithm of our Strong RSA signature scheme can be as efficient as the one in RSA full domain hash; compared to previous constructions, our RSA signatures are shorter (by a factor of roughly 2) and we obtain a considerable efficiency improvement (by an even larger factor). All our constructions are in the standard model, i.e., without random oracles. Keywords: digital signatures, RSA assumption, q-DH assumption, programmable hash functions. 1 Introduction Digital Signatures are one of the most fundamental cryptographic primitives. They are used as a building block in numerous high-level cryptographic protocols.
    [Show full text]
  • Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free
    Proceedings on Privacy Enhancing Technologies ; 2019 (3):87–107 Adi Akavia*, Craig Gentry, Shai Halevi, and Max Leibovich Setup-Free Secure Search on Encrypted Data: Faster and Post-Processing Free Abstract: We present a novel secure search protocol Keywords: Secure search, Fully homomorphic encryp- on data and queries encrypted with Fully Homomor- tion, Randomized algorithms, Universal hash functions phic Encryption (FHE). Our protocol enables organiza- DOI 10.2478/popets-2019-0038 tions (client) to (1) securely upload an unsorted data Received 2018-11-30; revised 2019-03-15; accepted 2019-03-16. array x = (x[1], . , x[n]) to an untrusted honest-but- curious sever, where data may be uploaded over time 1 Introduction and from multiple data-sources; and (2) securely is- Following the rapid advancement and widespread avail- sue repeated search queries q for retrieving the first ability of cloud computing it is a common practice ∗ ∗ element (i , x[i ]) satisfying an agreed matching crite- to outsource data storage and computations to cloud ∗ rion i = min {i ∈ [n] | IsMatch(x[i], q) = 1}, as well as providers. Placing cleartext (i.e unencrypted) data on fetching the next matching elements with further inter- the cloud compromises data security. To regain data action. For security, the client encrypts the data and privacy one could encrypt the data prior to upload- queries with FHE prior to uploading, and the server ing to the cloud. However, if using standard encryp- processes the ciphertexts to produce the result cipher- tion (e.g. AES), this solution nullifies the benefits of text for the client to decrypt.
    [Show full text]
  • K-Anonymously Private Search Over Encrypted Data
    k-Anonymously Private Search over Encrypted Data Shiyu Ji, Kun Wan {shiyu, kun}@cs.ucsb.edu Abstract In this paper we compare the performance of various homomorphic encryption methods on a private search scheme that can achieve k-anonymity privacy. To make our benchmarking fair, we use open sourced cryptographic libraries which are written by experts and well scrutinized. We find that Goldwasser-Micali encryption achieves good enough performance for practical use, whereas fully homomorphic encryptions are much slower than partial ones like Goldwasser-Micali and Paillier. 1 Introduction How to securely and privately search over encrypted dataset has been popular in research community for the past decade [27, 28, 32, 33, 11, 10, 1]. A private search scheme should allow the client to have access to one of the posting lists in the inverted index, while the server hosting the index cannot tell which posting is accessed by the client. Also for privacy concern, the client should not know any other posting except the legally requested one. To address this problem, one possible way is to leverage Homomorphic Encryption [21, 22, 37, 38, 19, 4, 5]. Recently there is some debate over the question whether such a homomorphic encryption based private search scheme can be practically used [40, 36, 1]. We note that it is important which encryption method is used, since the involved operations may be very different, e.g., there are many modular exponential operations in Paillier [37, 38], while Goldwasser-Micali only requires quadratic exponentiation; some lattice based HEs (e.g. [6, 4]) require noise management techniques such as bootstrapping [16], re- linearization [6] and approximate eigenvector [20], which need more time.
    [Show full text]
  • Techniques for Computing on Encrypted Data in a Practical System*
    Techniques for computing on encrypted data in a practical system* Raluca Ada Popa September 2014 In this document, we survey various techniques for computing on encrypted data that might be useful when designing a practical security system. These tools or methods provide an interesting spectrum over three coordinates: functionality, security, and performance. Unfortunately, none of these tools alone suffices to enable running the systems we have today over encrypted data. They typically fail to achieve a desired goal with respect to at least one of these three coordinates. Nevertheless, understanding the tradeoffs these tools provide in functionality, security, and performance, coupled with an understanding of the targeted system, has enabled building systems that are practical for a class of applications and provide a meaningful level of security. Some examples of such systems are [PRZB11, PSV+14, ABE+13, AEK+13, TKMZ13, TLMM13, KGM+14, SSSE14, TSCS13, HHCW12, KKM+13]. Hence, below we describe each tool or method from a functionality, security and performance standpoint, describing the tradeoff it strikes in this space, and the settings in which it might be practical. Since our focus is this tradeoff, we keep the cryptographic presentation of each tool informal, and instead reference outside formal presentations. We divide these tools and methods in two categories: tools that leak (virtually) nothing about the data and tools that reveal a well-defined function of the data. Many times, the information revealed in the second category helps improve performance drastically. 2 1 Tools with no leakage ◇ 1.1 Fully homomorphic encryption Functionality. FHE [Gen09] is a public-key encryption scheme [Gol04].
    [Show full text]
  • Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data
    City University of New York (CUNY) CUNY Academic Works All Dissertations, Theses, and Capstone Projects Dissertations, Theses, and Capstone Projects 9-2018 Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data Alexander N. Wood The Graduate Center, City University of New York How does access to this work benefit ou?y Let us know! More information about this work at: https://academicworks.cuny.edu/gc_etds/2888 Discover additional works at: https://academicworks.cuny.edu This work is made publicly available by the City University of New York (CUNY). Contact: [email protected] Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data by Alexander Nicolas Wood A dissertation submitted to the Graduate Faculty in Computer Science in partial fulfillment of the requirements for the degree of Doctor of Philosophy, The City University of New York 2018 ii c 2018 Alexander Nicolas Wood All Rights Reserved iii Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data by Alexander Nicolas Wood This manuscript has been read and accepted by the Graduate Faculty in Computer Science in satisfaction of the dissertation requirement for the degree of Doctor of Philosophy. Date Delaram Kahrobaei Chair of Examining Committee Date Robert M. Haralick Executive Officer Supervisory Committee: Robert M. Haralick Delaram Kahrobaei Ali Mostashari Kayvan Najarian Vladimir Shpilrain The City University of New York iv Abstract Private-Key Fully Homomorphic Encryption for Private Classification of Medical Data by Alexander Nicolas Wood Advisor: Professor Delaram Kahrobaei A wealth of medical data is inaccessible to researchers and clinicians due to privacy restrictions such as HIPAA.
    [Show full text]
  • Security and Privacy on Blockchain 1:3 Scientists and Engineers to Uncover Suitable Blockchain Models and Techniques for Many Domain Specific Application Scenarios
    1 Security and Privacy on Blockchain RUI ZHANG and RUI XUE, State Key Laboratory of Information Security, Institute of Information Engi- neering, Chinese Academy of Sciences, China and School of Cyber Security, University of Chinese Academy of Sciences, China LING LIU, School of Computer Science, Georgia Institute of Technology, USA, USA Blockchain offers an innovative approach to storing information, executing transactions, performing func- tions, and establishing trust in an open environment. Many consider blockchain as a technology breakthrough for cryptography and cybersecurity, with use cases ranging from globally deployed cryptocurrency systems like Bitcoin, to smart contracts, smart grids over the Internet of Things, and so forth. Although blockchain has received growing interests in both academia and industry in the recent years, the security and privacy of blockchains continue to be at the center of the debate when deploying blockchain in different applications. This paper presents a comprehensive overview of the security and privacy of blockchain. To facilitate the discussion, we first introduce the notion of blockchains and its utility in the context of Bitcoin like online transactions. Then we describe the basic security properties that are supported as the essential requirements and building blocks for Bitcoin like cryptocurrency systems, followed by presenting the additional security and privacy properties that are desired in many blockchain applications. Finally, we review the security and privacy techniques for achieving these security properties in blockchain-based systems, including represen- tative consensus algorithms, hash chained storage, mixing protocols, anonymous signatures, non-interactive zero-knowledge proof, and so forth. We conjecture that this survey can help readers to gain an in-depth understanding of the security and privacy of blockchain with respect to concept, attributes, techniques and systems.
    [Show full text]
  • Practical Secure Two-Party Computation
    Practical Secure Two-Party Computation: Techniques, Tools, and Applications David Evans (PI), Aaron Mackey, abhi shelat (University of Virginia) Michael Hicks, Jonathan Katz (University of Maryland); Steven Myers (Indiana University) Project Summary Many compelling applications involve computations that require sensitive data from two or more individuals. As an example, consider the myriad genetics applications soon to be within reach of individuals as the cost of personal genome sequencing rapidly plummets. An individual may wish to compare her genome with the genomes of different groups of participants in a study to determine which treatment is likely to be most effective for her. Such comparisons could have tremendous value, but are infeasible because of the privacy concerns both for the individual and study participants. What is needed is a way to compute the output of the comparison without exposing either party’s private inputs. Theoretical solutions to this problem, known as secure multi-party computation, have been known for several decades, including a general solution developed by Andrew Yao based on garbled circuits. Because of its extensive memory use and computational cost, however, the garbled circuits approach has traditionally been considered more of a theoretical curiosity than a practical mechanism for building privacy-preserving applications. Recent developments in cryptographic techniques and new implementation approaches are beginning to change this, however, and admit the possibility of scalable, practical secure computation. Building on this work, we propose to develop techniques and tools to enable practical secure two-party computations and to evaluate these tools by building several scalable privacy-preserving applications. We will develop methods for avoiding the memory bottleneck associated with garbled circuit evaluation by aggressively pipelining circuit generation and evaluation.
    [Show full text]
  • Online-Offline Functional Encryption for Bounded Collusions
    Online-Offline Functional Encryption for Bounded Collusions Shweta Agrawal∗ Alon Roseny Abstract We give a new construction of bounded key functional encryption. Our scheme is well suited for optimization in an online-offline model that allows for preparation in an offline phase, where a majority of the computation is done before the data becomes available. This is followed by an efficient online phase, which is performed when the data becomes known. Such a model has been considered in the context of Attribute-Based Encryption by Hohenberger and Waters (PKC'14). The online component of our scheme significantly outperforms the best previously known construction of bounded key functional encryption by Gorbunov, Vaikuntanathan and Wee (CRYPTO'12), and in fact quasi-linearly depends only on the message size in contrast to the GVW12 ciphertext, which additionally grows as O(q4) for q queries. Security of our scheme is based on the Ring LWE assumption, which is comparable to the assumption underlying the GVW scheme and is well-established compared to those underlying known constructions of unbounded key functional encryption (based on multilinear maps and/or obfuscation). To prove security of our scheme, we introduce a new proof technique, which we call noisy functional encryption. Arguing security via this technique requires the encryptor to artificially add noise to the decryption equation, providing an intriguing tradeoff between correctness and security. This technique appears to be quite general and we believe it is likely to have other applications. ∗IIT Delhi, India. Email: [email protected]. Work done (in part) while visiting IDC Herzliya, supported by the ERC under the EU's Seventh Framework Programme (FP/2007-2013) ERC Grant Agreement n.
    [Show full text]