This page reproduces the content of https://speakerdeck.com/tarcieri/frontiers-in-cryptography.


by tarcieri

Uploaded about 1 month ago (2016/09/17) in Technology


A gentle introduction to techniques for operating on encrypted data without requiring a key, including property preserving encryption, functional encryption, and homomorphic encryption.

- Frontiers in Cryptography

Tony Arcieri

Strange Loop

September 17th, 2016

- Today’s Talk

The Past: brief history of modern cryptography

The Future: where cryptography is heading

- Disclaimer
- The Past

Brief history of modern cryptography

- How would aliens encrypt?
- I CAN’T BELIEVE THESE STUPID ALIENS ARE STILL USING MS-CHAPv2

- Diffie-Hellman (1976)
- Diffie-Hellman (1976), with “Merkle” inserted above the name by a caret

- Rivest-Shamir-Adleman (1977)
- Public-Key Cryptography

Diffie-Hellman(-Merkle) (1976): Discrete Logarithm Problem

Rivest-Shamir-Adleman (RSA) (1977): Factoring

- “Non-Secret Encryption”

James H. Ellis: existence proof (1969)

Clifford Cocks: the “RSA algorithm” (1973)

Malcolm Williamson: the “Diffie-Hellman algorithm” (1974)

- Group Homomorphisms

Diagram: the hard problems Factoring, Discrete Log and Elliptic Curve DLP, and the attacks on them: Shor’s Algorithm (1994), Lenstra’s Method (1987), Pollard’s Rho (1975), Pollard’s Rho for Logarithms (1978)

- Symmetric Encryption
- How would aliens encrypt?
- The Future

Where cryptography is going

- Search! Analyze! Organize! (SSL/TLS)

- DANGER!!! DANGER!!! DANGER!!!

- Indistinguishability (diagram: two ciphertexts, A and B)

- Encrypted Databases

• Navajo Systems BROKEN!

• CryptDB BROKEN!

• SEEED BROKEN!

• Google Encrypted BigQuery ?

• Cipherbase ?

- Please consult a cryptographer

- Example: Encrypted Email

- “Encrypted E-mail” Service

• Ordering

• Search

• Spam detection

• Filters/Prioritization

- Property-Preserving Encryption (stamped BROKEN!)

• Order-preserving encryption (OPE): ciphertexts are numbers whose numeric order matches the plaintext order, so plaintext ordering can be determined without knowledge of the key, but the ciphertext values leak additional information

• Order-revealing encryption (ORE): ciphertexts need not be ordered numbers; a public comparison function takes two ciphertexts and outputs “<” or “≥”, revealing the original order and, in the best case, nothing else

• Both provide efficient range queries

- Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds (Extended Version)

Kevin Lewi (Stanford University, klewi@cs.stanford.edu) and David J. Wu (Stanford University, dwu4@cs.stanford.edu)

Abstract

In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to “inference attacks.”

In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the “best-possible” notion of security for ORE. Next, we introduce a “domain-extension” technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no efficient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE.

Finally, we examine the properties of our new ORE scheme and show how to use it to construct an efficient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes.

1 Introduction

Today, large corporations and governments collect and store more personal information about us than ever before. And as high-profile data breaches on companies and organizations (such as Anthem [AC15], eBay [Kel14], and the U.S. Voter Database [FV15]) become startlingly common, it is imperative that we develop practical means for securing our personal data in the cloud.

One way to mitigate the damage caused by a database breach is to encrypt the data before storing it in the cloud. This, however, comes at the price of functionality: once data is encrypted, it is more difficult to execute searches over the data without first decrypting the data. As a result,

This is the extended version of a paper by the same name that appeared in ACM Conference on Computer and Communications Security in October, 2016.

- Searchable Symmetric Encryption (SSE)

• Full-text search on encrypted documents

• Many implementation methods, some better than others

• Many schemes have been broken (resulting in full plaintext recovery in some cases)

- Deterministic Encryption (stamped BROKEN!)

Diagram: search tokens → Encrypted Index → Document Store

• Build an encrypted inverted index, where ciphertexts point to encrypted documents

• Create deterministic search query “tokens” to look up documents in the index

• Several potential attacks due to lack of ciphertext indistinguishability

- We need more tools…
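The BROKEN stamps on the slides above are earned by attacks that need no key. The following is an added example, not code from the talk or from any of the papers it shows: it builds the deterministic-token inverted index the slide describes and runs the two classic inference attacks on property-preserving encryption, frequency analysis against the deterministic index and the sorting attack of Naveed et al. (cited in the Lewi-Wu abstract above) against an order-preserving encryption. The token PRF (HMAC-SHA256), the table-based toy OPE, the key and every document are constructed for the example; the toy OPE stands in for a real OPE scheme and preserves only the property the attack exploits.

```python
"""Inference attacks on property-preserving encryption (added example).

Two toy constructions matching the slides, and the standard attacks on
them. Neither attack needs the key.
  * Deterministic search tokens in an encrypted inverted index (the SSE
    design above): frequency analysis against a public auxiliary corpus.
  * Table-based order-preserving encryption (OPE): the sorting attack of
    Naveed et al. (CCS 2015), which works whenever the encrypted column
    contains every value of its domain.
All keys, documents and numbers below are constructed for this example.
"""
import hashlib
import hmac
import random
from collections import Counter, defaultdict


def search_token(key: bytes, word: str) -> str:
    """PRF(key, word): the same word always maps to the same token."""
    return hmac.new(key, word.encode(), hashlib.sha256).hexdigest()[:16]


def build_encrypted_index(key: bytes, docs: dict) -> dict:
    """Inverted index keyed by token; posting lists hold document ids.
    The server stores it, so it sees every token and every list length."""
    index = defaultdict(set)
    for doc_id, text in docs.items():
        for word in set(text.split()):
            index[search_token(key, word)].add(doc_id)
    return dict(index)


def frequency_attack(index: dict, aux_docs: dict) -> dict:
    """Rank tokens by posting-list size and auxiliary words by document
    frequency in a corpus of similar text, then pair them rank by rank."""
    aux_df = Counter(w for text in aux_docs.values() for w in set(text.split()))
    tokens_by_rank = sorted(index, key=lambda t: -len(index[t]))
    words_by_rank = [w for w, _ in aux_df.most_common()]
    return dict(zip(tokens_by_rank, words_by_rank))


def ope_keygen(domain_size: int, range_size: int, rng: random.Random) -> list:
    """Toy OPE key: a random strictly increasing table, Enc(m) = table[m]."""
    return sorted(rng.sample(range(range_size), domain_size))


def ope_encrypt(table: list, m: int) -> int:
    return table[m]


def sorting_attack(ciphertexts: list, domain_size: int) -> dict:
    """If every plaintext value occurs in the column, the sorted distinct
    ciphertexts ARE the table, so the whole column is decrypted."""
    distinct = sorted(set(ciphertexts))
    if len(distinct) != domain_size:
        raise ValueError("column is not dense; the sorting attack needs every value")
    return {c: m for m, c in enumerate(distinct)}


# Constructed data. PRIVATE_DOCS is what the owner encrypts and uploads;
# PUBLIC_DOCS is the attacker's auxiliary corpus from the same domain.
KEY = b"constructed-example-key"
PRIVATE_DOCS = {
    1: "invoice payment overdue account",
    2: "invoice payment reminder",
    3: "invoice account closed",
    4: "invoice payment",
    5: "meeting reminder",
}
PUBLIC_DOCS = {
    "a": "invoice payment account",
    "b": "invoice payment reminder",
    "c": "invoice payment",
    "d": "invoice shipping",
    "e": "reminder meeting",
    "f": "invoice closed",
}


def recovered_words(key: bytes = KEY) -> dict:
    """Map each private word to the attacker's guess for its token. The key
    is used here only to score the attack; the attacker never has it."""
    index = build_encrypted_index(key, PRIVATE_DOCS)
    guess = frequency_attack(index, PUBLIC_DOCS)
    words = {w for text in PRIVATE_DOCS.values() for w in text.split()}
    return {w: guess.get(search_token(key, w)) for w in words}


def ope_sorting_demo(plaintexts: list, domain_size: int = 5, seed: int = 2015) -> list:
    """Encrypt a column under a fresh random table, then recover it from the
    ciphertexts alone."""
    table = ope_keygen(domain_size, 1 << 20, random.Random(seed))
    column = [ope_encrypt(table, m) for m in plaintexts]
    recovered = sorting_attack(column, domain_size)
    return [recovered[c] for c in column]


if __name__ == "__main__":
    print(recovered_words())                        # 'invoice' and 'payment' recovered
    print(ope_sorting_demo([3, 0, 4, 1, 2, 2, 0]))  # -> [3, 0, 4, 1, 2, 2, 0]
```

The frequency attack recovers the most common words because the posting-list lengths of a deterministic index are a histogram of the plaintext, and any public corpus from the same domain hands the attacker the matching histogram; rarer words with tied counts are guessed less reliably, which is exactly the partial-recovery picture the SSE slide warns about. The sorting attack is why the ORE slide matters: if the server can compare every pair of ciphertexts, whether by sorting OPE numbers or by calling a public ORE comparison on each pair, a dense column decrypts itself, which is why the Lewi-Wu abstract above pairs its ORE with a range-query protocol designed against these attacks rather than relying on ORE alone.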
- Oblivious RAM (ORAM)

• Masks data access patterns by making them appear random

• Can be used as the basis for higher-level primitives, including SSE

• Reduces performance due to spurious data accesses

- Functional Encryption
- Lattices

A lattice $L$ is a (maximal) discrete subgroup of $\mathbb{R}^n$, or equivalently,

$$L = \{a_1 v_1 + \cdots + a_n v_n : a_1, \ldots, a_n \in \mathbb{Z}\}$$

for some $\mathbb{R}$-basis $v_1, \ldots, v_n$ of $\mathbb{R}^n$.

- Functional Encryption
- spam_score(msg)
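An added example (not from the talk or from any paper it shows) that makes the lattice definition above concrete and sets up the homomorphic encryption slides that follow: a secret-key, Regev-style encryption scheme whose security rests on the learning with errors (LWE) problem, the lattice problem underlying the FHE schemes in the BGV abstract and the Ring-LWE schemes on the post-quantum slide later in the deck. Ciphertexts can be added without the key, which already gives a (partially) homomorphic scheme for XOR, and the example measures how the error grows with each addition until decryption fails. The parameters N, Q and BOUND are toy values chosen for readability and offer no security.

```python
"""Toy LWE encryption with homomorphic addition (added example).

Secret-key, Regev-style encryption of one bit over Z_q. A ciphertext is
(a, b) with b = <a, s> + e + m * q/2 (mod q): s is the secret vector,
e a small random error, m the bit. The LWE assumption is that such
pairs are indistinguishable from uniformly random ones, which is what
hides m. Adding two ciphertexts adds the bits (mod 2) and also adds the
errors; once the accumulated error reaches q/4 the bit is lost. That
growth is the "noise level" that leveled FHE schemes have to manage.
The parameters are tiny on purpose and offer no security at all.
"""
import random

N = 16       # secret dimension (toy value)
Q = 256      # modulus; q/2 encodes the bit, q/4 is the decoding margin
BOUND = 4    # a fresh error is uniform in [-BOUND, BOUND]


def inner(a: list, s: list, q: int) -> int:
    return sum(x * y for x, y in zip(a, s)) % q


def keygen(rng: random.Random, n: int = N, q: int = Q) -> list:
    return [rng.randrange(q) for _ in range(n)]


def encrypt(s: list, m: int, rng: random.Random, q: int = Q, bound: int = BOUND) -> tuple:
    """Fresh ciphertext (a, <a,s> + e + m*q/2 mod q) of the bit m."""
    a = [rng.randrange(q) for _ in s]
    e = rng.randint(-bound, bound)
    return a, (inner(a, s, q) + e + m * (q // 2)) % q


def decrypt(s: list, ct: tuple, q: int = Q) -> int:
    """Remove <a,s>; what is left is e + m*q/2, so round to a multiple of q/2."""
    a, b = ct
    d = (b - inner(a, s, q)) % q
    return ((d + q // 4) // (q // 2)) % 2


def add(ct1: tuple, ct2: tuple, q: int = Q) -> tuple:
    """Homomorphic addition: decrypts to m1 XOR m2, because 2 * q/2 = 0 mod q.
    The errors add too."""
    (a1, b1), (a2, b2) = ct1, ct2
    return [(x + y) % q for x, y in zip(a1, a2)], (b1 + b2) % q


def error(s: list, ct: tuple, m: int, q: int = Q) -> int:
    """Centred error of a ciphertext whose plaintext bit m is known (a view
    only the key holder can compute)."""
    a, b = ct
    d = (b - inner(a, s, q) - m * (q // 2)) % q
    return d - q if d > q // 2 else d


def guaranteed_terms(q: int = Q, bound: int = BOUND) -> int:
    """How many fresh ciphertexts can be summed with correctness guaranteed:
    their errors total at most terms*bound, which must stay below q/4."""
    return (q // 4 - 1) // bound


def terms_until_failure(s: list, rng: random.Random, q: int = Q,
                        bound: int = BOUND, cap: int = 200_000):
    """Sum fresh encryptions of 0 until the sum stops decrypting to 0.
    Returns the number of summed terms at the first failure (None if the
    cap is hit). The errors form a random walk, so this usually exceeds
    guaranteed_terms() by a lot, but it can never fall below it."""
    acc = encrypt(s, 0, rng, q, bound)
    for terms in range(2, cap + 1):
        acc = add(acc, encrypt(s, 0, rng, q, bound), q)
        if decrypt(s, acc, q) != 0:
            return terms
    return None


def demo(seed: int = 2016) -> dict:
    """Round trips, homomorphic XOR and the noise budget under a seeded RNG."""
    rng = random.Random(seed)
    s = keygen(rng)
    return {
        "round_trip": [decrypt(s, encrypt(s, m, rng)) for m in (0, 1, 1, 0)],
        "xor": [decrypt(s, add(encrypt(s, x, rng), encrypt(s, y, rng)))
                for x in (0, 1) for y in (0, 1)],
        "fresh_error_ok": abs(error(s, encrypt(s, 1, rng), 1)) <= BOUND,
        "guaranteed_terms": guaranteed_terms(),
        "failed_after": terms_until_failure(s, rng),
    }


if __name__ == "__main__":
    print(demo())   # round_trip [0, 1, 1, 0], xor [0, 1, 1, 0], guaranteed_terms 15
```

Multiplying two ciphertexts is not available in this toy: it would require the key-switching and modulus-switching machinery that the BGV abstract refers to as noise management, and the error would grow multiplicatively instead of additively. With these parameters only 15 fresh ciphertexts can be summed with a guarantee, which is the "leveled" limit that bootstrapping exists to lift.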
- Homomorphic Encryption

f(x) = x

- Homomorphic Encryption

• Partially homomorphic: the homomorphic property holds for certain operations only, e.g. addition or multiplication but not both

• Fully homomorphic: supports arbitrary computations on ciphertexts

- “The latest speed reports for fully homomorphic

encryption are… let me use precise technical

terminology here, since I'm a big fan of careful

benchmarking… ludicrously slow”

— djb

- Fully Homomorphic Encryption without Bootstrapping

Zvika Brakerski (Weizmann Institute of Science), Craig Gentry* (IBM T.J. Watson Research Center), Vinod Vaikuntanathan† (University of Toronto)

Abstract

We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure.

Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have $2^\lambda$ security against known attacks. For RLWE, we have:

• A leveled FHE scheme that can evaluate $L$-level arithmetic circuits with $\tilde{O}(\lambda \cdot L^3)$ per-gate computation – i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in $L$. This construction does not use the bootstrapping procedure.

• A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is $\tilde{O}(\lambda^2)$, independent of $L$. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes).

We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width – e.g., where a constant fraction of levels have width at least $\lambda$ – we can reduce the per-gate computation of the bootstrapped version to $\tilde{O}(\lambda)$, independent of $L$, by batching the bootstrapping operation. Previous FHE schemes all required $\tilde{\Omega}(\lambda^{3.5})$ computation per gate.

At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).

* Sponsored by the Air Force Research Laboratory (AFRL). Disclaimer: This material is based on research sponsored by DARPA under agreement number FA8750-11-C-0096 and FA8750-11-2-0225. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government. Approved for Public Release, Distribution Unlimited.

† This material is based on research sponsored by DARPA under Agreement number FA8750-11-2-0225. All disclaimers as above apply.

- Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits

Sanjam Garg (UCLA, sanjamg@cs.ucla.edu), Craig Gentry (IBM Research, craigbgentry@gmail.com), Shai Halevi (IBM Research, shaih@alum.mit.edu), Mariana Raykova (IBM Research, mariana@cs.columbia.edu), Amit Sahai (UCLA, sahai@cs.ucla.edu), Brent Waters (University of Texas at Austin, bwaters@cs.utexas.edu)

July 21, 2013

Abstract

In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits $C_0$ and $C_1$ of similar size, the obfuscations of $C_0$ and $C_1$ should be computationally indistinguishable.

In functional encryption, ciphertexts encrypt inputs $x$ and keys are issued for circuits $C$. Using the key $SK_C$ to decrypt a ciphertext $CT_x = \mathrm{Enc}(x)$ yields the value $C(x)$ but does not reveal anything else about $x$. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually.

We give constructions for indistinguishability obfuscation and functional encryption that support all polynomial-size circuits. We accomplish this goal in three steps:

• We describe a candidate construction for indistinguishability obfuscation for $NC^1$ circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.

• We show how to use indistinguishability obfuscation for $NC^1$ together with Fully Homomorphic Encryption (with decryption in $NC^1$) to achieve indistinguishability obfuscation for all circuits.

• Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The functional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications.

The first and fifth authors were supported in part from NSF grants 1228984, 1136174, 1118096, 1065276, 0916574 and 0830803, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. The views expressed are those of the author and do not reflect the official policy or position of the National Science Foundation, or the U.S. Government.

The second and third authors were supported by the Intelligence Advanced Research Projects Activity (IARPA) via Department of Interior National Business Center (DoI/NBC) contract number D11PC20202. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of IARPA, DoI/NBC, or the U.S. Government.

The fourth author is supported by NSF Grant No. 1017660.

The sixth author is supported by NSF CNS-0915361 and CNS-0952692, CNS-1228599, DARPA N11AP20006, Google Faculty Research award, the Alfred P. Sloan Fellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship.

- Simple Encrypted Arithmetic Library - SEAL (v2.0)

Kim Laine¹ and Rachel Player²

¹ Microsoft Research, USA, kim.laine@microsoft.com

² Royal Holloway, University of London, UK**, rachel.player.2013@live.rhul.ac.uk

1 Introduction

Traditional encryption schemes, both symmetric and asymmetric, were not designed to respect the algebraic structure of the plaintext and ciphertext spaces. Many schemes, such as Elgamal (resp. e.g. Paillier), are multiplicatively homomorphic (resp. additively homomorphic), so that one can perform certain limited types of computations directly on the encrypted data and have them pass through the encryption to the underlying plaintext data, without requiring access to any secret key(s). The restriction to one particular type of operation is very strong, however, and instead a much more powerful fully homomorphic encryption scheme, that respects two algebraic operations between the plaintext and ciphertext spaces, would be needed for most applications. The first such encryption scheme was presented by Craig Gentry in his famous work [14], and since then researchers have introduced a number of new and more efficient fully homomorphic encryption schemes.

Despite the promising theoretical power of homomorphic encryption, the practical side still remains somewhat underdeveloped. Recently new implementations, new data encoding techniques, and new applications have started to improve the situation, but much remains to be done. In 2015 we released the Simple Encrypted Arithmetic Library - SEAL with the goal of providing a well engineered and documented homomorphic encryption library, with no external dependencies, that would be easy to use both by experts and by non-experts with little or no cryptographic background. The library is available at http://sealcrypto.codeplex.com, and is licensed under the MSR License Agreement.

Recently a large number of major changes were implemented in SEAL, and the new version was released as SEAL v2.0. In this document we describe in detail this new release, and hope to provide a practical guide to using homomorphic encryption for a wide audience. The reader is also advised to go over the code examples that come with the library, and to read through the detailed comments. For users of previous versions of SEAL we hope to provide clear instructions for how to port old code to use SEAL v2.0. An introductory paper to an older version of SEAL was given in [10], which the user new to SEAL v2.0 may also find helpful as large parts of the API have remained unchanged.

1.1 Roadmap

In Section 1.2 we briefly discuss the major changes to SEAL, which are expanded upon in the other sections of this document. In Section 2 we define notation and parameters we will use throughout the document. In Section 3 we give the description of the Fan-Vercauteren homomorphic encryption scheme (FV) – as originally specified in [13] – and in Section 4 we describe how SEAL differs from this original description. In Section 5 we discuss the expected

** Much of this work was done during an internship at Microsoft Research, Redmond.

- CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy

Nathan Dowlin¹ (Department of Mathematics, Princeton University, NDOWLIN@PRINCETON.EDU)

Ran Gilad-Bachrach (RANG@MICROSOFT.COM), Kim Laine (KIM.LAINE@MICROSOFT.COM), Kristin Lauter (KLAUTER@MICROSOFT.COM), Michael Naehrig (MNAEHRIG@MICROSOFT.COM), John Wernsing (JOHN.WERNSING@MICROSOFT.COM) (Microsoft Research, Redmond)

Abstract

Applying machine learning to a problem which involves medical, financial, or other types of sensitive data, not only requires accurate predictions but also careful attention to maintaining data privacy and security. Legal and ethical requirements may prevent the use of cloud-based machine learning solutions for such tasks. In this work, we will present a method to convert learned neural networks to CryptoNets, neural networks that can be applied to encrypted data. This allows a data owner to send their data in an encrypted form to a cloud service that hosts the network. The encryption ensures that the data remains confidential since the cloud does not have access to the keys needed to decrypt it. Nevertheless, we will show that the cloud service is capable of applying the neural network to the encrypted data to make encrypted predictions, and also return them in encrypted form. These encrypted predictions can be sent back to the owner of the secret key who can decrypt them. Therefore, the cloud service does not gain any information about the raw data nor about the prediction it made. We demonstrate CryptoNets on the MNIST optical character recognition tasks. CryptoNets achieve 99% accuracy and can make around 59000 predictions per hour on a single PC. Therefore, they allow high throughput, accurate, and private predictions.

1. Introduction

Consider a hospital that would like to use a cloud service to predict the probability of readmission of a patient within the next 30 days, in order to improve the quality of care and to reduce costs. Due to ethical and legal requirements regarding the confidentiality of patient information, the hospital might be prohibited from using such a service. In this work we present a way by which the hospital can use this valuable service without sacrificing patient privacy. In the proposed protocol, the hospital encrypts the private information and sends it in encrypted form to the prediction provider, referred to as the cloud in our discussion below. The cloud is able to compute the prediction over the encrypted data records and sends back the results that the hospital can decrypt and read. The encryption scheme uses a public key for encryption and a secret key (private key) for decryption. It is important to note that the cloud does not have access to the secret key, so it cannot decrypt the data nor can it decrypt the prediction. The only information it obtains during the process is that it did perform a prediction on behalf of the hospital. Hence, the cloud can charge the hospital for its services, but does not learn anything about the patient’s medical files or the predicted outcomes. This procedure allows for private and secure predictions without requiring the establishment of trust between the data owner and the service provider. This may have applications in fields such as health, finance, business, and possibly others.

It is important to note that this work focuses on the inference stage. We make the assumption that the cloud already has a model. In our case it would be a neural network that

¹ This work was done while the first author was at Microsoft Research, Redmond

Proceedings of the 33rd International Conference on Machine Learning, New York, NY, USA, 2016. JMLR: W&CP volume 48. Copyright 2016 by the author(s).

- Encrypted Programs Using Trusted Hardware

- Intel SGX and AMD SEV

• Enclaves whose contents stay encrypted in main memory, so the code and data they run are kept secret from the OS, the hypervisor and anyone reading DRAM

• SGX is available on Intel Skylake CPUs

• A remote attestation protocol lets you verify that a genuine CPU is running the enclave code you intend (its measurement) before you hand it keys or data

• Microsoft VC3: Encrypted Map-Reduce

- Technical Report MSR-TR-2014-39

February 28, 2014 (Updated March 19, 2015)

VC3: Trustworthy Data Analytics in the Cloud

Felix Schuster*, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich (Microsoft Research)

Abstract

We present VC3, the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, confidentiality and integrity are preserved even if these large components are compromised. VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop: VC3’s average runtime overhead is negligible for its base security guarantees, 4.5% with write integrity and 8% with read/write integrity.

* Work done while interning at Microsoft Research; affiliated with Ruhr-Universität Bochum.

- Post-Quantum Cryptography

- Group Homomorphisms

Diagram: Factoring, Discrete Log and Elliptic Curve DLP, all attacked by Shor’s Algorithm (1994)

- Shor’s Algorithm

• Requires large quantum computers (1000s of qubits)

• Could be used to solve factoring and (EC)DLP in polynomial time, far faster than any known classical algorithm

• Fortunately large quantum computers are 10+ years off (as of this talk, 2016)

- Post-Quantum Public Key Encryption Algorithms

• Lattices: Ring-LWE (NewHope), NTRU

• Isogenies: Supersingular Isogeny Diffie-Hellman

• Codes: McEliece/McBits

- That’s it!