3. Process data without “seeing” it
Image processor in the darkroom
25.04.2017
Johann Höchtl, Centre for E-Governance, Danube University Krems
4. Homomorphism?
• H1 and H2 have a different “shape”
• They are not easily comparable
• Yet they share the same expressive power
[Figure: two graphs H1 and H2 with nodes p, q, r, s, t, drawn with different shapes]
5. Homomorphic encryption
A form of encryption which allows specific types of computations to be carried out on ciphertext and to obtain an encrypted result which, when decrypted, matches the result of the same operations performed on the plaintext.
6. Homomorphic encryption
Discovered as a “by-product” of RSA encryption, which
has the property:
Partially homomorphic, as the property is only defined for multiplication
7. Fully homomorphic encryption
Supports a minimal set of mathematical operations from which all other operations can be derived.
Proof: addition ⊕ and multiplication ⊙ are sufficient to construct arbitrary “circuits” (in mod 2 arithmetic these are XOR and AND).
9. Example of an FHE Scheme:
Craig Gentry’s Integer scheme
1. KeyGen: the secret key is an n²-bit odd number p
2. To encrypt a bit b:
– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– Ciphertext c = q·p + 2·r + b
The term 2·r introduces “noise”; otherwise the same input would always result in the same encrypted output, giving an adversary the possibility to learn from patterns.
3. To decrypt a ciphertext c:
– c (mod p) = 2·r + b (mod p) = 2·r + b, whose parity is b
12. Symptoms of FHE
Problem with noise
• Accumulates with every operation
• Eventually makes the result indecipherable
EVAL: only a limited number of operations is allowed until decryption becomes impossible due to the accumulated error.
Solution: decrypt intermediary results using an intermediary key
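The bit-level scheme of slides 7, 9 and 12 carried out in code, as an added example that is not taken from the slides: encryption, decryption, XOR via addition, AND via multiplication, and a chain of multiplications that shows the noise growing past p so that decryption flips. The parameters (p = 101, the q and r values) are constructed toy values; a real key is far larger.

```python
import secrets

def keygen(bits=32):
    """Secret key: a random odd number p (the slide asks for n^2 bits; 32 is a toy size)."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def encrypt(p, b, q, r):
    """c = q*p + 2*r + b: a large multiple of p, small even noise 2*r, and the bit b.
    Fresh random q and r make two encryptions of the same bit look unrelated."""
    assert b in (0, 1)
    return q * p + 2 * r + b

def encrypt_random(p, b, q_bits=64, r_bits=4):
    """Encrypt with freshly drawn q and r (noise 2*r+b stays far below a 32-bit p)."""
    return encrypt(p, b, secrets.randbits(q_bits), secrets.randbits(r_bits))

def decrypt(p, c):
    """c mod p = 2*r' + b as long as the accumulated noise 2*r' + b stays below p;
    the parity of that residue is the bit."""
    return (c % p) % 2

def xor(c1, c2):
    """Adding ciphertexts adds the noise terms and XORs the bits (addition mod 2)."""
    return c1 + c2

def and_(c1, c2):
    """Multiplying ciphertexts multiplies the noise terms and ANDs the bits."""
    return c1 * c2

def and_chain(p, cts):
    """AND several ciphertexts together, decrypting after every multiplication,
    to watch the point where the multiplied-up noise exceeds p and the result flips."""
    acc, seen = cts[0], []
    for c in cts[1:]:
        acc = and_(acc, c)
        seen.append(decrypt(p, acc))
    return seen

def demo():
    # constructed toy parameters: p = 101, every ciphertext carries noise 2*2 + 1 = 5
    p = 101
    ones = [encrypt(p, 1, q, 2) for q in (7, 11, 13, 17)]
    # residues mod p: 5*5 = 25 (ok), 125 mod 101 = 24 (even: wrong!), 24*5 mod 101 = 19
    return and_chain(p, ones)   # returns [1, 0, 1]; the true AND is 1 every time
```

After the second multiplication the noise 125 exceeds p = 101, so the residue wraps and the decrypted bit is wrong; the third result is only correct by chance.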
13. Refresh Keys
1. Operate on problem, until error accumulates preventing decryption
2. Put partly assembled solution into another “box”
3. Use the key within the box#2 to open box#1
4. Continue working on the solution
5. Re-iterate until problem is solved
14. Parallelizing Eval
Why?
1. FHE is computationally heavy
2. Secret sharing increases security
How?
• Split the analysis problem into sub-problems and distribute the computation onto (many) nodes
• Problem: detect whether the participating nodes behave correctly and honestly
15. Secure Multiparty Computations (sMPC)
Divide a secret into slices, requiring n parties to assemble the secret
e.g. SSS – Shamir Secret Sharing
In case you want to protect your login password with a set of ten shares in such a way that any three of them can reconstruct the password, you simply run the command
ssss-split -t 3 -n 10 -w passwd
http://point-at-infinity.org/ssss/
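A minimal Shamir split and recover of the kind ssss-split performs, written here as an added example (it is not ssss's own code): the secret is the constant term of a random polynomial of degree t-1 over a prime field, any t shares recover it by Lagrange interpolation at x = 0, and fewer shares yield an unrelated value. The field prime, the 3-of-10 parameters and the sample password are constructed.

```python
import secrets

P = 2**127 - 1   # constructed prime field; the secret must be smaller than P

def split(secret, t, n):
    """Random polynomial f of degree t-1 with f(0) = secret; share i is (i, f(i))."""
    assert 0 <= secret < P and 1 < t <= n < P
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(t - 1)]
    return [(i, sum(c * pow(i, k, P) for k, c in enumerate(coeffs)) % P)
            for i in range(1, n + 1)]

def recover(shares):
    """Lagrange interpolation at x = 0: with t shares of a degree t-1 polynomial
    this is f(0); with fewer shares it is just some field element."""
    total = 0
    for i, (xi, yi) in enumerate(shares):
        num = den = 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total

def split_password(pw, t=3, n=10):
    """Mirror of 'ssss-split -t 3 -n 10': the password bytes become the field element."""
    return split(int.from_bytes(pw.encode(), "big"), t, n)

def recover_password(shares):
    v = recover(shares)
    return v.to_bytes((v.bit_length() + 7) // 8, "big").decode()
```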
16. SPDZ (speedz)
An sMPC protocol including a bytecode specification and a VM; supports distributed computation of
• addition (linear)
• multiplication, requiring pre-processing of the input data and inter-node communication
using a MAC-based approach to guarantee integrity.
17. SPDZ Architecture Overview
[Figure: SPDZ architecture: Program → Compiler (optim.) → Bytecode → VM (online), with Inputs and Prep feeding the VM, which produces the Output]
http://www.cs.bris.ac.uk/Research/CryptographySecurity/TPMPC/Slides2017/SPDZ.pdf
18. sMPC Challenges
Branching?
    a = if b != 0:
            c
        else
            d
Impossible to decide, as the value of ‘b’ is only visible to the data owner.
Solution: rewrite conditionals to eagerly evaluate each branch:
    a = (b & c) | ((!b) & d)
Conditional loops?
    while a < 5:
        b *= 2
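An added example (not SPDZ's implementation) of the two operations listed on slide 16 and of the branch rewrite on slide 18, over additive secret shares: addition stays local, multiplication consumes a pre-processed Beaver triple and needs one round of "open" messages, and the select b·c + (1-b)·d is computed without any party learning b. It assumes a trusted dealer standing in for the pre-processing phase and leaves out SPDZ's MAC checks.

```python
import secrets

P = 2**61 - 1  # constructed prime field for the shares

def share(x, n=3):
    """Additive sharing: x = (s_1 + ... + s_n) mod P, one share per party."""
    shares = [secrets.randbelow(P) for _ in range(n - 1)]
    shares.append((x - sum(shares)) % P)
    return shares

def open_(shares):
    """'open': the parties exchange their shares and reconstruct the value in the clear."""
    return sum(shares) % P

def add(xs, ys):
    """Addition is linear: each party adds its own two shares, no communication needed."""
    return [(x + y) % P for x, y in zip(xs, ys)]

def scale(k, xs):
    """Multiplying by a public constant is also local."""
    return [(k * x) % P for x in xs]

def beaver_triple(n=3):
    """Pre-processing output: shares of random a, b and of a*b (trusted dealer stands in)."""
    a, b = secrets.randbelow(P), secrets.randbelow(P)
    return share(a, n), share(b, n), share(a * b % P, n)

def mul(xs, ys, triple):
    """Secret multiplication consumes one triple and needs one round of 'open' messages."""
    a_s, b_s, c_s = triple
    e = open_([(x - a) % P for x, a in zip(xs, a_s)])  # e = x - a becomes public
    d = open_([(y - b) % P for y, b in zip(ys, b_s)])  # d = y - b becomes public
    # x*y = (e + a)(d + b) = c + e*b + d*a + e*d; only party 0 adds the public term e*d
    zs = add(c_s, add(scale(e, b_s), scale(d, a_s)))
    zs[0] = (zs[0] + e * d) % P
    return zs

def select(bs, cs, ds, triples):
    """Branchless 'a = c if b else d' as b*c + (1-b)*d over shares, b in {0, 1}.
    Both branches are always evaluated, so no party ever learns b."""
    one_minus_b = [((1 if i == 0 else 0) - b) % P for i, b in enumerate(bs)]
    return add(mul(bs, cs, triples[0]), mul(one_minus_b, ds, triples[1]))

def select_open(b, c, d):
    """Share the inputs, run the branchless select, open the result (for a quick check)."""
    triples = [beaver_triple(), beaver_triple()]
    return open_(select(share(b), share(c), share(d), triples))
```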
19. Blockchain coordinated sMPC
• Data sharing among participating parties?
• Nodes performing computations (addition, multiplication) on encrypted, secretly shared data
• Guaranteeing correctness through public ledger consensus
20. Downsides of the classical Blockchain approach
• Data sharing? A blockchain is bad as a database: not designed for transaction speed
• Distributed computing? A blockchain is a bad execution environment: every node performs every computation
• By default not privacy-preserving
21. Enigma concept
1. A data owner O off-loads data analytics tasks to the Enigma network. He sets up or obtains an Enigma script which analytically describes the computation and
2. uploads the input data to the DHT. This is done seamlessly by splitting the input data into shares that are distributed to the network.
3. The Enigma interpreter distributes computational work to Enigma nodes and uses the public ledger (blockchain) to announce computations and pointers to encrypted data.
4. Node A is selected to perform the computation and
5. generates a result which it
6. stores on the public ledger.
7. The data owner can read out the encrypted intermediary results and distribute them to other nodes or assemble the final result.
22. Enigma concept
Complexity reduction and optimization
[Figure: SPDZ bytecode fragment (input [x1], input [x2], sub [x2], [x1], open y1, open y2, mul y1, y2) shown before and after optimization]
[Figure: circuit layout from Input #1 to Input #5 through Addition layer 1, Mult. layer 1, Addition layer 2 and Mult. layer 2 to the Output layer]
Parameter analysis and result re-use; program layout analysis and load distribution
23. Enigma concept - Incentives
[Figure: comparison of a general blockchain network with the Enigma network]
• Operations on the Enigma network are still computing-intensive and require coordination.
• Nodes are encouraged to participate by receiving Bitcoins or any other cryptocurrency for performed operations.
• In order to participate as an Enigma node, currency has to be deposited; if other nodes detect malicious operations such as correctness breaches, the deposit is withdrawn and shared among the benign nodes.
24. sMPC roles
I … Input Party, R … Result Party, C … Computing Party
• I, C and R held by the same parties: Millionaires’ Problem: who of two millionaires is richer?
• I and R held by the same party, C separate: outsourcing computation to the cloud
• I, R and C all separate: a statistics office wants to get aggregated results from personal data coming from different ministries
25. MPC use cases
• Secure cloud computing
• Joining distributed data sets containing personal data
• Identifying patterns in genetic databases
• Identifying colliding survey satellites
26. ShareMind – a working implementation
• Used in Estonia to analyze personal data from the Ministry of Finance and the Ministry of Education
• Generally available, free for personal/education purposes
https://sharemind.cyber.ee/privacy-preserving-policy-decisions/
27. Enigma
• In development at MIT since 2015
• Blockchain-supported
• Not generally available
29. Reading
• Enigma Design Paper http://www.enigma.co/enigma_full.pdf
• SPDZ Design and Implementation
– https://bristolcrypto.blogspot.co.at/2016/10/what-is-spdz-part-1-mpc-circuit.html
– https://eprint.iacr.org/2012/642.pdf
– https://www.youtube.com/watch?v=N80DV3Brds0
– http://www.cs.bris.ac.uk/Research/CryptographySecurity/TPMPC/Slides2017/SPDZ.pdf
• Craig Gentry: FHE Integer Scheme https://cs.au.dk/~stm/local-cache/gentry-thesis.pdf
• Cohen, Gil, et al. “Efficient multiparty protocols via log-depth threshold formulae.” Advances in Cryptology - CRYPTO 2013. Springer Berlin Heidelberg, 2013. 185-202.
• A Math Primer for Gentry's Fully Homomorphic Encryption https://community.embarcadero.com/blogs/entry/a-math-primer-for-gentrys-fully-homomorphic-encryption-38577
• Kamm, Liina. “Privacy-Preserving Statistical Analysis Using Secure Multi-Party Computation”. Tartu, 2015. Web. 25 Apr. 2017. https://cyber.ee/uploads/2013/04/kamm_liina_PhD.pdf
30. Dr. Johann Höchtl, Centre for E-Governance, Danube University Krems
johann.hoechtl@donau-uni.ac.at
http://www.slideshare.net/jhoechtl/
http://at.linkedin.com/in/johannhoechtl/
https://twitter.com/myprivate42
31. Real-world analogy theme taken from the original slides of Craig Gentry:
http://www.di.ens.fr/~pnguyen/LCD/LCD_Gentry.pdf