This commit is contained in:
Alexander Munch-Hansen 2019-12-29 22:05:49 +01:00
parent 760fb008ac
commit 0cfd7781ba

View File

@ -448,3 +448,59 @@ Security:
+ Is passively secure, as the simulator for a corrupted Bob would set $U = E(0)$ and it will be indistinguishable due to semantic security of Pailler. For corrupted Alice the simulator would encrypt $V = E(s_A)$ and this is distributed like $V$ in the real protocol. + Is passively secure, as the simulator for a corrupted Bob would set $U = E(0)$ and it will be indistinguishable due to semantic security of Pailler. For corrupted Alice the simulator would encrypt $V = E(s_A)$ and this is distributed like $V$ in the real protocol.
+ Bob learns nothing about $x_A$ from $U$, unless he breaks security of Pailler. Alice learns nothing about $y_B$ because given that $s_B$ is uniformly random, $s_A$ is uniformly distributed in $Z_n$, in Alice's view. + Bob learns nothing about $x_A$ from $U$, unless he breaks security of Pailler. Alice learns nothing about $y_B$ because given that $s_B$ is uniformly random, $s_A$ is uniformly distributed in $Z_n$, in Alice's view.
+ The protocol can be compilted to active security via ZK proofs in multiplication protocol and MACs to ensure authenticitiy. + The protocol can be compilted to active security via ZK proofs in multiplication protocol and MACs to ensure authenticitiy.
** Fully Homomorphic Encryption Scheme
*** Defining FHE
- A FHE scheme is defined with four algorithms: Gen, Enc, Dec and Eval. As such, it is defined like a normal PKE scheme, but with an additional algo Eval.
- Eval takes a vector of ciphertexts and a function $f$ and outputs an encryption of the function applied to the plaintexts.
+ Let $(pk, sk) <- Gen(1^k)$, then correctness states: $Dec_{sk}(Eval(f, Enc_{pk}(x_1), ..., Enc_{pk}(x_n))) = f(x_1, ..., x_n)$
- Pailler is homomorphic with respect to any function $(f_{a,b}(x)$ of the form $ax+b \mod n$.
- A FHE scheme is homomorphic for any function $f$ defined as a circuit.
- We also define $d-HE$ scheme, which is allows to evaluate any function which can be expressed by a circuit of depth $d$.
- We require a property called "*compactness*"
+ This states that the algorithm Eval should be performing the computation of the function $f$, otherwise the following can happen
+ We simply let Eval append the function defined as a circuit, to the ciphertext. Then when we decrypt, we decrypt the ciphertext and then apply the function.
- The naive scheme has some issues though, which is not just the efficiency of it.
- If we want to use an FHE scheme to build a secure computation protocol, we tend to need Eval to hide as much info as possible about which function was computer.
+ This is apparent in the multiplication subprotocol used in BeDOZa above, where Alice must not learn the function applied by Bob on her input $(a,b)$.
+ This property is called *circuit privacy*.
- *Circuit privacy* states that: An encryption scheme $(Gen, Enc, Dec, Eval)$ has *circuit privacy* w.r.t a function family $F$, if for all $(pk, sk) <- Gen(1^k)$, plaintext $x$ and function $f \in F$, it holds that: $(sk, Enc_{pk}(f(x))) \approx_c (sk, Eval_{pk}(f, Enc_{pk}(x)))$
+ This essentially means that it should be easily distinguishable if the function is applied before encryption or after encryption.
- Yao's garbled circuits with a 2-message OT essentially gives FHE encryption with a reasonable level of privacy. This makes sense I guess, since we can compute any function on any input, we do however get a bit back. Hmm.
+ These do not satisfy *compactness* however
*** Bootstrapping
- Central idea of FHE is bootstrapping.
- Let's assume we are given a d-HE scheme $(Gen, Enc, Dec, Eval)$, where Eval can evaluate any circuit of depth at most $d$. Then, if we try to evaluate a circuit of depth $> 0 $, then the $Dec$ algorithm is not guaranteed to work. Furthermore, assume Dec can be described a circuit of depth $d'$ such that $d' < d$, then we can construct FHE schemes in which we can evaluate circuits of any polynomial depth.
- We need to introduce *level* of a ciphertext. A ciphertext has level 0 if it is the output of the $Enc$ function. A ciphertext obtained using Eval a single time $c' = Eval_{pk}(f,c)$ has level $0 + j$ where $j$ is the depth of the circuit $f$, and in general $c'' = Eval_{pk}(f,c')$ has level $i+j$ where $i$ is the level of $c'$.
- We can finally construct an FHE scheme: $(Gen, Enc, Dec, Eval)$, $Gen$ runs $(pk, sk) <- Gen(1^k)$, $SK = sk$, $PK = (pk, Enc_{pk}(sk))$ so we publish an encryption of the secret key. If this is secure, this is known as a "circular secure encryption scheme", not all semantic security schemes have this though
+ Imagine if we take an IND-CPA scheme but modify the Enc algo such that should you ever try to encrypt the secret key, it should just output this. We now have a scheme which is in all general purposes semantically secure, but is very much not circular secure.
- Enc and Dec behaves the exact same way as in the original scheme, if we can define Eval in such a way that it follows the technique of "refreshing". Take a ciphertext $C$ at some level $i$. Assume $i \leq d$, and therefore $C$ can be correctly decrypted to $m = Dec_{sk}(C)$. Now consider $f(x) = dec_{x}(C)$, which is the circuit that decrypts the ciphertext $c$ using input $x$. We have already assumed the decryption circuit has depth $d' < d$. Note that $C$ is not actually an argument to the circuit $f$ (since it only uses $x$), we can consider $C$ a part of the description of the circuit. Now, since $PK$ contains an encryption of $sk$, we can compute $C' = Eval(f, Enc_{pk}(sk))$, resulting in a ciphertext $C'$ of level $d' = 0 + d'$, since $Enc(sk)$ has level $0$ and $f$ has depth $d'$. So the level of $C'$ does not depend on the level of the original ciphertext $C$, which is $i$ (As assumed to begin with), thus if $d' < i$, then $C'$ is even a lower level than the original $C$. Now given that $d' < d$, we can decrypt $C'$: $Dec_{sk}(C') = f(sk) = Dec_{sk}(C) = m$, which holds since $i$ is assumed to be a lower level than $d$. So now we started with an encryption of $m$, $C$, and ended up with an encryption of $m$, $C'$. We have however decreased the level of it!
- Thus, we can construct an Eval function which takes any two encryptions of level less than or equal to $d$, containing two bits $a,b$ and outputs an encryption of the value $\not(ab)$ at level $d'$ (so the NAND function). Since the output of this Eval function has level $<= d$ as described above, the output can itself be fed into the Eval function, which means any boolean circuit can be evaluated in this way, as we can build boolean circuits of NAND gates computing any function.
- This Eval algo takes as input ciphers $C_1$ s.t. $Dec_{sk}(C_1) = a$ and $C_2$ s.t. $Dec_{sk}(C2) = b$ and it outputs a $C_3$ s.t. $Dec_{sk}(C_3) = \not(ab)$. The algo Eval is evaluated by applying the circuit: $f(x) = \not(Dec_x(C_1) \cdot Dec_x(C_2))$ on the encryption of the secret key using Eval. Now the depth of $f$ is $d' + 1 \leq d$, so the decryption is still correct, and we can evaluate any circuit gate by gate.
- Thus, we need to build a d-HE scheme!
*** Building a d-HE scheme
- Can be used as is. We might not need fully homomorphic schemes, if we know the circuits we want to evaluate always will be of depth $<= d$.
KeyGen:
- Choose a big secret odd integer $p$. Choose big random integers $q_1, ..., q_n$ and small integers $r_1, ..., r_n$. The secret key is $p$, the public key is $(y_1, ..., y_n)$, where $y_i = p * q_i + 2r_i$.
Encryption:
- To encrypt $m$, choose random subset $S \subseteq [1,n]$ and compute over these integers $c = m + \sum_{i \in S} y_i$
Decrypt:
- Compute $m = ((c \mod p) \mod 2)$
Correctness:
- $c \mod p = m + 2(\sum_{i \in S} r_i) + p(\sum_{i \in S} q_i) = m + 2(\sum_{i \in S} r_i) \mod p$
- If we have then set the parameters properly, s.t. $2(\sum_{i \in S} r_i)$ is less than $p$, it will not get removed from the mod, then: $(m + 2(\sum_{i \in S} r_i) \mod p) \mod 2 = m$.
Security:
- Related to the assumption that it is hard to recover $p$ from the public key. Without the error terms $r_i$, it would be trivial to compute $p$, bu simply computing the $gcd$ of all the $y_i$'s (as we multiply all of them with $p$ and the $q_i$'s are supposed to be big, it is very likely that the $p$ will be the smallest number that they all reduce to). It is however believed to make the problem difficult that the noise is added, since these are all supposed to be smaller than $p$, they are likely to be the result of the gcd. After noise is added, this becomes the approximate GCD problem, which no polynomial time algos exist for.
Homomorphism:
- The scheme is homomorphic as: If $C_1 = Enc_{pk}(m_1, S_1)$ and $C_2 = Enc_{pk}(m_2, S_2)$, then $C_1 + C_2 \mod p = (m_1 + m_2) + 2(\sum_{i \in S_1} r_i + \sum_{j \in S_2} r_j)$ and $C_1 * C_2 \mod p = (C_1 \cdot C_2) + 2(m_1 \cdot \sum_{i \in S_1} r_i + m_2 \cdot \sum_{j \in S_2) r_j + \sum_{i \in S_1, j \in S_2} r_i r_j)$, where the second term will just get removed by the mod 2 in the decryption.
- One issue with this however, is that every single homomorphic operation will make this noise grow, which is not exactly ideal.
Conclusion:
- This scheme is very simple. However, it is also not very secure unless the parameters are very large. In fact, to get approximately 60-bits worth of security (equivalent to an encryption of DES-60), we have to require that $p$ is roughly $2000$ bits long, that the $q_i$'s are $10^7$ bits long (1Mb), that the $r_i$'s are roughly 60 bits long and that there are roughly $2000$ values $y_i$ in the public key.
- Furthermore, asfter one encryption, the noise is approximately $2^{70}$ and so after just $4$ multiplications, the noise will be greater than $p$. This was however enough to implement the Blood Type handin!