SlideShare uma empresa Scribd logo

Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups

MITSUNARI Shigeo
MITSUNARI Shigeo

a slide of Hanaoka's talk in ECC2018(https://cy2sec.comm.eng.osaka-u.ac.jp/ecc2018/program.html)

Tecnologia
1 de 36
Baixar para ler offline
Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups Goichiro Hanaoka*1 Joint-work-with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1 *1 AIST, *2 Cybozu labs 2018/11/21 ECC 2018 1
Outline • Background • Two-level Homomorphic encryption • An efficient construction • Security • Implementation • Conclusion 2018/11/21 ECC 2018 2
Background 2018/11/21 ECC 2018 3
2018/11/21 ECC 2018 4 Computing on encrypted data • Data analysis with taking care of sensitive data Disease Risk 70% If X2>∑Y then ◯◯70% F : Diagnosis Y : Database
Homomorphic Encryption (HE) • Allows computation on encrypted data • Many applications related to privacy-preserving schemes • Types of HE • Additively HE (ex. Goldwasser-Micali, Okamoto- Uchiyama, Paillier, Lifted-ElGamal) • Enc 𝑚 + Enc 𝑚′ = Enc(𝑚 + 𝑚′) • Multiplicatively HE (ex. RSA, ElGamal) • Enc 𝑚 × Enc 𝑚′ = Enc 𝑚𝑚′ • Fully HE (ex. Gentry, BGV, BV, GSW, …) • Can do homomorphic add. and mult. 2018/11/21 ECC 2018 5
Pros and Cons • Add. HE, Mult. HE • Applications are restricted • Fully HE (FHE) • Any computations possible, but inefficient • Security relies on less standard assumptions • Leveled HE • The number of homomorphic mult. is restricted. • An intermediate notion between A/M HE and FHE. 2018/11/21 ECC 2018 6 A/M HE Leveled HE FHE Efficiency very good medium bad Functionality medium good very good
Two-level HE • HE that allows one homomorphic multiplication • Allows degree-2 polynomial homomorphic evaluations • Allows inner product of two vectors • 𝑥 = 𝑥1, 𝑥2, … , 𝑦 = 𝑦1, 𝑦2, … • σ𝑖 Enc1 𝑥𝑖 × Enc1 𝑦𝑖 = Enc2 σ𝑖 𝑥𝑖 × 𝑦𝑖 2018/11/21 ECC 2018 7 ×1 2 3 3 4 12 12 13 25 ++ : Level-1 : Level-2
Applications • Secure 2-DNF formula evaluation • Delegated secure inner-product on encrypted data • Efficient (symmetric) private information retrieval • Cross tabulation on encrypted data • Efficient election protocol • … 2018/11/21 ECC 2018 8
Existing Two-level HE • Boneh, Goh, Nissim (TCC 2005) • Based on Composite-order pairings, hence much less efficient • Freeman (EUROCRYPT 2010) • Composite-to-prime-order transformation framework, applied to BGN • Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014) • Improving Freeman’s frameworks • Only Type 1 pairings, inefficient • Catalano, Fiore (ACM CCS 2015) • Transformation from d-Level HE to (2d)-level • Instantiations are not necessarily efficient • AHM+ (AsiaCCS 2018): This talk • Efficient construction based on the lifted-ElGamal encryption • Portable high-speed implementations • Note: • Decryption in all these schemes requires discrete log (DL) • Hence plaintext space should be sufficiently small (up to 32-bit) 2018/11/21 ECC 2018 9
An Efficient Construction of Two-level HE 2018/11/21 ECC 2018 10
Basic Idea •Existing schemes • Establish a “broader fundamental & theoretical framework” • Then, construct L2HE as an “application” •Our scheme • Concentrate on “L2HE-dedicated design” • Start from “promising tools” for fast HE, i.e. Type-3 pairing and ElGamal • Not general but fully tuned for L2HE 2018/11/21 ECC 2018 11
An Efficient Construction • Combine the lifted-ElGamal encryption scheme with Type 3 pairings • First, straightforwardly construct two-level HE • Then, consider “simpler” construction • While Freeman considered a conversion of composite-to- prime order • Level-1 (L1) ciphertext (CT) is same as lifted-ElGamal • Format of level-2 (L2) CT is same as Freeman’s scheme • Note: Type 3 pairings • Cyclic groups 𝔾1, 𝔾2, 𝔾T of order prime 𝑝 with bilinear map 𝑒: 𝔾1 × 𝔾2 → 𝔾T • 𝑒 𝑎𝑃, 𝑏𝑄 = 𝑒 𝑃, 𝑄 𝑎𝑏 for 𝑎, 𝑏 ∈ ℤ 𝑝, 𝑃 ∈ 𝔾1, 𝑄 ∈ 𝔾2 • 𝔾1 ≠ 𝔾2 and no efficient map between 𝔾1 and 𝔾22018/11/21 ECC 2018 12
Summary of Constructions 2018/11/21 ECC 2018 13 Freeman (EUROCRYPT 2018) AHM+ (AsiaCCS 2018, this talk) BGN scheme based on composite order BGN (Freeman) scheme based on prime order (includes 2-level HE) Construction by converting Lifted-ElGamal Enc 𝑚 = 𝑔 𝑚ℎ 𝑟, 𝑔 𝑟 Type 3 pairing 𝑒 𝑎𝑃1, 𝑏𝑃2 = 𝑔T 𝑎𝑏 AHM+ 2-level HE scheme Construction by combining algebraic structures
Setup and Key Generation • Setup • Cyclic group 𝔾𝑖 = ⟨𝑃𝑖⟩ over an elliptic curve with prime order 𝑝 for 𝑖 = 1, 2 • 𝔾T = 𝑔T , where 𝑔T = 𝑒 𝑃1, 𝑃2 • Key generation • Secret key 𝑠1, 𝑠2 ∈ ℤ 𝑝 is generated at random • Public key 𝑄1 = 𝑠1 𝑃1, 𝑄2 = 𝑠2 𝑃2 (with optional precomputation 𝑧1 = 𝑔T, 𝑧2 = 𝑔T 𝑠1, 𝑧3 = 𝑔T 𝑠2, 𝑧4 = 𝑔T 𝑠1 𝑠2) • Note: Colors • Green: Public part • Blue: Secret and hidden part 2018/11/21 ECC 2018 14
Level-1 CT and Enc./Dec. • Encrypt • Plaintext 𝑚 and randomness 𝑟 • Enc 𝔾 𝑖 𝑚 = (𝑚𝑃𝑖 + 𝑟𝑄𝑖, 𝑟𝑃𝑖) for 𝑖 = 1, 2 • Duplicated form: Enc1 𝑚 ≔ Enc 𝔾1 𝑚 , Enc 𝔾2 𝑚 • Note: 𝔾1 can be mult. with 𝔾2 only, vice versa, so that duplicated form is needed for general usage • Decrypt • For 𝑖 = 1, 2, decrypt Enc 𝔾 𝑖 𝑚 = (𝑆, 𝑇) by 𝑆 − 𝑠𝑖 𝑇 = 𝑚𝑃𝑖 + 𝑟𝑄𝑖 − 𝑠𝑖 𝑟𝑃𝑖 = 𝑚𝑃𝑖 and then, to obtain 𝑚, solve DL • Almost same as lifted-ElGamal 2018/11/21 ECC 2018 15
Homomorphic Addition on L1 CT • For 𝑖 = 1, 2, Enc 𝔾 𝑖 𝑚1 + Enc 𝔾 𝑖 𝑚2 = 𝑚1 𝑃𝑖 + 𝑟1 𝑄𝑖, 𝑟1 𝑃𝑖 + 𝑚2 𝑃𝑖 + 𝑟2 𝑄𝑖, 𝑟2 𝑃𝑖 = 𝑚1 + 𝑚2 𝑃𝑖 + 𝑟1 + 𝑟2 𝑄𝑖, 𝑟1 + 𝑟2 𝑃𝑖 = Enc 𝔾 𝑖 (𝑚1 + 𝑚2) • Also, same as lifted-ElGamal 2018/11/21 ECC 2018 16 1 2 3 + : Level-1
Homomorphic Multiplication • 𝐶1 = 𝑆1, 𝑇1 = 𝑚1 𝑃1 + 𝑟1 𝑄1, 𝑟1 𝑃1 = Enc 𝔾1 𝑚1 ∈ 𝔾1 2 • 𝐶2 = 𝑆2, 𝑇2 = 𝑚2 𝑃2 + 𝑟2 𝑄2, 𝑟2 𝑃2 = Enc 𝔾2 𝑚2 ∈ 𝔾2 2 • 𝐶1 × 𝐶2 ≔ 𝑒 𝑆1, 𝑆2 , 𝑒 𝑆1, 𝑇2 , 𝑒 𝑇1, 𝑆2 , 𝑒 𝑇1, 𝑇2 = 𝑧1 𝑚1 𝑚2 𝑧4 𝜏′, 𝑧2 𝜎′, 𝑧3 𝜌′, 𝑧1 𝜎′+𝜌′−𝜏′ = Enc2 𝑚1 𝑚2 ∈ 𝔾T 4 • 𝑧1 = 𝑔T, 𝑧2 = 𝑔T 𝑠1, 𝑧3 = 𝑔T 𝑠2, 𝑧4 = 𝑔T 𝑠1 𝑠2 • Tensor product of 𝐶1, 𝐶2 • Its result is an level-2 ciphertext 2018/11/21 ECC 2018 17 ×3 4 12 : Level-1 : Level-2
Homomorphic Addition on L2 CT • Enc2 𝑚1 + Enc2 𝑚2 = 𝑧1 𝑚1 𝑧4 𝜏1, 𝑧2 𝜎1, 𝑧3 𝜌1, 𝑧1 𝜎1+𝜌1−𝜏1 + 𝑧1 𝑚2 𝑧4 𝜏2, 𝑧2 𝜎2, 𝑧3 𝜌2, 𝑧1 𝜎2+𝜌2−𝜏2 = ( 𝑧1 𝑚1+𝑚2 𝑧4 𝜏1+𝜏2, 𝑧2 𝜎1+𝜎2, ൯𝑧3 𝜌1+𝜌2, 𝑧1 (𝜎1+𝜎2)+(𝜌1+𝜌2)−(𝜏1+𝜏2) = Enc2(𝑚1 + 𝑚2) • Usual vector addition 2018/11/21 ECC 2018 18 12 13 25 + : Level-2
Decryption for Level-2 CT • Decrypting an level-2 ciphertext 𝑐1, 𝑐2, 𝑐3, 𝑐4 Dec2 c1, c2, 𝑐3, 𝑐4 ≔ 𝑐1 𝑐4 𝑠1 𝑠2 𝑐2 𝑠2 𝑐3 𝑠1 = 𝑒 𝑆1, 𝑆2 𝑒 𝑠1 𝑇1, 𝑠2 𝑇2 𝑒 𝑆1, 𝑠2 𝑇2 𝑒 𝑠1 𝑇1, 𝑆2 = 𝑒 𝑆1 − 𝑠1 𝑇1, 𝑆2 − 𝑠2 𝑇2 = 𝑒 𝑚𝑃1 , 𝑚′ 𝑃2 = 𝑒 𝑃1, 𝑃2 𝑚𝑚′ then solve DLP to obtain 𝑚𝑚′ • Note: 𝑐1, 𝑐2, 𝑐3, 𝑐4 = 𝑧1 𝑚𝑚′ 𝑧4 𝜏 , 𝑧2 𝜎 , 𝑧3 𝜌 , 𝑧1 𝜎+𝜌−𝜏 ∈ 𝔾T 4 , where 𝑧1 = 𝑔T, 𝑧2 = 𝑔T 𝑠1, 𝑧3 = 𝑔T 𝑠2, 𝑧4 = 𝑔T 𝑠1 𝑠2 2018/11/21 ECC 2018 19
Size and Benchmark on BN462 • Note: • Use x64 Linux on Core i7-6700 • Without compressed form • Use lookup tables for decryption (20-bit plaintext) 2018/11/21 ECC 2018 20 Calc. time in msec Enc1 0.452 Enc2 1.14 Dec1 9.01 Dec2 10.01 ReRand1 0.447 ReRand2 1.14 Add1 0.0109 Add2 0.0231 Mult 8.47 Bit size Secret key 924 Public key 27720 Dup. L1 CT 5544 L2 CT 22176
Comparison of Size • Fre10: Freemen’s scheme (EUROCRYPT 2010) • Compare bit size on a 462-bit Barreto-Naehrig (BN) curve 2018/11/21 ECC 2018 21
Comparison of Time • CT: Ciphertext • Fre10: Freemen’s scheme in EUROCRYPT 2010 • Compare calculation time on a 462-bit BN curve 2018/11/21 ECC 2018 22
Proving the Knowledge of Plaintexts • Zero-knowledge proof protocols can be applied • Example 1: Duplicated form of L1 CT • Dup. L1 CT is Enc 𝔾1 𝑚 , Enc 𝔾2 𝑚′ • Attach a proof of “𝑚 = 𝑚′” • Example 2: Proving a CT encrypts a bit • Attach a proof of “encrypted plaintext is 0 or 1” • Applications: Voting, two-party computation 2018/11/21 ECC 2018 23
Proof of Equality • Duplicated L1 CT: • Enc 𝔾1 𝑚 , Enc 𝔾2 𝑚′ = 𝐶1, 𝐶2 , 𝐶3, 𝐶4 = (𝑚𝑃1 + 𝜌𝑄1, 𝜌𝑃1), (𝑚′𝑃2 + 𝜎𝑄2, 𝜎𝑃2) where 𝜌, 𝜎 ← ℤ 𝑝 are randomly chosen • Should be “𝑚 = 𝑚′” • Equality can be proved in the same way of NIZK DH-tuple proof 2018/11/21 ECC 2018 24
NIZK Proof of Equality • L1 CT: 𝐶1, 𝐶2 , 𝐶3, 𝐶4 = (𝑚𝑃1 + 𝜌𝑄1, 𝜌𝑃1), (𝑚′𝑃2 + 𝜎𝑄2, 𝜎𝑃2) • Prove: • Randomly choose: 𝑟𝜌, 𝑟𝜎, 𝑟 𝑚 ← ℤ 𝑝 • 𝑅1, 𝑅2, 𝑅3, 𝑅4 ← 𝑟 𝑚 𝑃1 + 𝑟𝜌 𝑄1, 𝑟𝜌 𝑃1, 𝑟 𝑚 𝑃2 + 𝑟𝜎 𝑄2, 𝑟𝜎 𝑃2 • 𝑐 ← 𝐻 public param, 𝐶1, 𝐶2, 𝐶3, 𝐶4, 𝑅1, 𝑅2, 𝑅3, 𝑅4 • 𝑠𝜌, 𝑠 𝜎, 𝑠 𝑚 ← 𝑟𝜌 + 𝑐𝜌, 𝑟𝜎 + 𝑐𝜎, 𝑟 𝑚 + 𝑐𝑚 • Proof 𝜋 = 𝑐, 𝑠𝜌, 𝑠 𝜎, 𝑠 𝑚 • Verify: • 𝑐 = 𝐻 public param, 𝐶1, 𝐶2, 𝐶3, 𝐶4, 𝑅1 ′ , 𝑅2 ′ , 𝑅3 ′ , 𝑅4 ′ where 𝑅1 ′ , 𝑅2 ′ , 𝑅3 ′ , 𝑅4 ′ ← 𝑠 𝑚 𝑃1 + 𝑠𝜌 𝑄1 − 𝑐𝐶1, 𝑠𝜌 𝑃1 − 𝑐𝐶2, 𝑠 𝑚 𝑃2 + 𝑠 𝜎 𝑄2 − 𝑐𝐶3, 𝑠 𝜎 𝑃2 − 𝑐𝐶4 2018/11/21 ECC 2018 25
Security 2018/11/21 ECC 2018 26
Confidentiality • Shown scheme is IND-CPA secure under the SXDH assumption • Note1: IND-CPA (INDistinguishability against Chosen Plaintext Attack) • Hidden plaintext from ciphertext • Standard base-line security notion • Note2: SXDH (Symmetric eXternal Diffie-Hellman) assumption • 𝑃1 ∈ 𝔾1, 𝑃2 ∈ 𝔾2, for random 𝛼, 𝛽, 𝛾, 𝑃1, 𝛼𝑃1, 𝛽𝑃1, 𝛼𝛽𝑃1 ≈ 𝑃1, 𝛼𝑃1, 𝛽𝑃1, 𝛾𝑃1 and 𝑃2, 𝛼𝑃2, 𝛽𝑃2, 𝛼𝛽𝑃2 ≈ 𝑃2, 𝛼𝑃2, 𝛽𝑃2, 𝛾𝑃2 are computationally indistinguishable 2018/11/21 ECC 2018 27
Circuit Privacy • Shown scheme is circuit private • Namely, ReRand𝑖 𝑐 ≈ Enc𝑖(Dec𝑖 𝑐 ) • Rerandomization: ReRand𝑖 𝑐 ≔ 𝑐 + Enc𝑖(0) • ReRand𝑖 𝑐 removes a trace of circuit from 𝑐 • Note: Arithmetic circuit depends on secret • E.g., for 𝑖 = 1, 2, and for a secret integer 𝑛, 𝑛 × Enc𝑖 𝑚 = ෍ 𝑗=1 𝑛 Enc𝑖 𝑚 = Enc𝑖 𝑛𝑚 • Should be Enc𝑖 𝑚 + Enc𝑖 𝑚′ ≈ Enc𝑖 𝑚 + 𝑚′ and Enc1 𝑚 × Enc1 𝑚′ ≈ Enc2 𝑚𝑚′ • Note: It is obvious that CTs are in which group 𝔾1, 𝔾2, 𝔾T 2018/11/21 ECC 2018 28
Implementation 2018/11/21 ECC 2018 29
Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups Goichiro Hanaoka*1 Joint-work-with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1 *1 AIST, *2 Cybozu labs 2018/11/21 ECC 2018 30
Our Implementation • Available in “mcl”: A library for pairings • BN254, 381, 462, BLS12-381 • C++: https://github.com/herumi/mcl • Web browser/Node.js: https://github.com/herumi/she-wasm • High-performance implementation for x64/ARM64 • WebAssembly (wasm) • Runs on Microsoft Edge, Firefox, Chrome, Safari without any plug-ins • Open source: BSD 3-clause 2018/11/21 ECC 2018 31
Benchmarks on wasm • Calculation times in msec • Use BN254 • Use lookup tables for decryption (20-bit plaintext) 2018/11/21 ECC 2018 32 Native (x64) JavaScritpt with wasm x64 Linux on Core i7-7700 Firefox on Core i7-7700 Safari on iPhone 7 Enc 𝔾1 0.018 0.3 0.96 Enc 𝔾2 0.048 0.82 1.72 Add 𝔾1 0.00062 0.016 0.016 Add 𝔾2 0.002 0.036 0.048 Mult 1.17 15.6 24.3 Dec2 0.66 7.8 12.6
Demo 2018/11/21 ECC 2018 33
Importance of WebAssembly (wasm) Implementation • Large deployment advantages • wasm is a portable and fast binary instruction format • Runs on many modern browser • Microsoft Edge, Safari, Google Chrome, and Mozilla Firefox on Windows, Linux, macOS, iPhone, Android, and so on… • Requires no plugins • Being developed as a web standard via the W3C • Distribution is easy 2018/11/21 ECC 2018 34
Demonstrations of wasm • Inner product: https://herumi.github.i o/she-wasm/she- demo.html • Oblivious transfer: https://ppdm.jp/ot/ 2018/11/21 ECC 2018 35
Conclusion • Practical efficient two-level homomorphic encryption • Many times add. and one-time mult. on encrypted data • Based on Type 3 (asymmetric) pairing • Combine the lifted-ElGamal encryption scheme • Faster than Freeman’s scheme (EUROCRYPT 2010) • Portable high-performance implementation • C++/asm/WebAssembly • https://github.com/herumi/mcl • https://github.com/herumi/she-wasm • Open source: BSD 3-clause 2018/11/21 ECC 2018 36 Thank you!

Recomendados

Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...
Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...
Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...MITSUNARI Shigeo
 
A compact zero knowledge proof to restrict message space in homomorphic encry...
A compact zero knowledge proof to restrict message space in homomorphic encry...A compact zero knowledge proof to restrict message space in homomorphic encry...
A compact zero knowledge proof to restrict message space in homomorphic encry...MITSUNARI Shigeo
 
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化MITSUNARI Shigeo
 
暗認本読書会11
暗認本読書会11暗認本読書会11
暗認本読書会11MITSUNARI Shigeo
 
暗認本読書会6
暗認本読書会6暗認本読書会6
暗認本読書会6MITSUNARI Shigeo
 
zk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてzk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてts21
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted DataNew York Technology Council
 
Rsa in CTF
Rsa in CTFRsa in CTF
Rsa in CTFSoL ymx
 

Recomendados

Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...
Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...
Efficient Two-level Homomorphic Encryption in Prime-order Bilinear Groups and...MITSUNARI Shigeo
 
A compact zero knowledge proof to restrict message space in homomorphic encry...
A compact zero knowledge proof to restrict message space in homomorphic encry...A compact zero knowledge proof to restrict message space in homomorphic encry...
A compact zero knowledge proof to restrict message space in homomorphic encry...MITSUNARI Shigeo
 
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化
Lifted-ElGamal暗号を用いた任意関数演算の二者間秘密計算プロトコルのmaliciousモデルにおける効率化MITSUNARI Shigeo
 
暗認本読書会11
暗認本読書会11暗認本読書会11
暗認本読書会11MITSUNARI Shigeo
 
暗認本読書会6
暗認本読書会6暗認本読書会6
暗認本読書会6MITSUNARI Shigeo
 
zk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてzk-SNARKsの仕組みについて
zk-SNARKsの仕組みについてts21
 
Computing on Encrypted Data
Computing on Encrypted DataComputing on Encrypted Data
Computing on Encrypted DataNew York Technology Council
 
Rsa in CTF
Rsa in CTFRsa in CTF
Rsa in CTFSoL ymx
 
Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionChristoph Matthies
 
Engineering fast indexes
Engineering fast indexesEngineering fast indexes
Engineering fast indexesDaniel Lemire
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryptionsecurityxploded
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Daniel Lemire
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryptioniosrjce
 
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesBuilding Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesGuido Chari
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
CPM2013-tabei201306
CPM2013-tabei201306CPM2013-tabei201306
CPM2013-tabei201306Yasuo Tabei
 
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonLow-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonAMD Developer Central
 
Probabilistic data structures. Part 3. Frequency
Probabilistic data structures. Part 3. FrequencyProbabilistic data structures. Part 3. Frequency
Probabilistic data structures. Part 3. FrequencyAndrii Gakhov
 
Probabilistic data structures
Probabilistic data structuresProbabilistic data structures
Probabilistic data structuresshrinivasvasala
 
Happy To Use SIMD
Happy To Use SIMDHappy To Use SIMD
Happy To Use SIMDWei-Ta Wang
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsAlex Pruden
 
Deep Learning meetup
Deep Learning meetupDeep Learning meetup
Deep Learning meetupIvan Goloskokovic
 
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...Andrii Gakhov
 
Hubba Deep Learning
Hubba Deep LearningHubba Deep Learning
Hubba Deep LearningIvan Goloskokovic
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...Alex Pruden
 
SciSmalltalk: Doing Science with Agility
SciSmalltalk: Doing Science with AgilitySciSmalltalk: Doing Science with Agility
SciSmalltalk: Doing Science with AgilityESUG
 
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural NetworksPaper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural NetworksChenYiHuang5
 
DTLC-GAN
DTLC-GANDTLC-GAN
DTLC-GANShinagawa Seitaro
 

Mais conteúdo relacionado

Mais procurados

Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionChristoph Matthies
 
Engineering fast indexes
Engineering fast indexesEngineering fast indexes
Engineering fast indexesDaniel Lemire
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionVictor Pereira
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryptionsecurityxploded
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic EncryptionGöktuğ Serez
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Daniel Lemire
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryptioniosrjce
 
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesBuilding Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesGuido Chari
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...DefCamp
 
CPM2013-tabei201306
CPM2013-tabei201306CPM2013-tabei201306
CPM2013-tabei201306Yasuo Tabei
 
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonLow-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonAMD Developer Central
 
Probabilistic data structures. Part 3. Frequency
Probabilistic data structures. Part 3. FrequencyProbabilistic data structures. Part 3. Frequency
Probabilistic data structures. Part 3. FrequencyAndrii Gakhov
 
Probabilistic data structures
Probabilistic data structuresProbabilistic data structures
Probabilistic data structuresshrinivasvasala
 
Happy To Use SIMD
Happy To Use SIMDHappy To Use SIMD
Happy To Use SIMDWei-Ta Wang
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsAlex Pruden
 
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...Andrii Gakhov
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...Alex Pruden
 
SciSmalltalk: Doing Science with Agility
SciSmalltalk: Doing Science with AgilitySciSmalltalk: Doing Science with Agility
SciSmalltalk: Doing Science with AgilityESUG
 

Mais procurados (20)

Introduction to Homomorphic Encryption
Introduction to Homomorphic EncryptionIntroduction to Homomorphic Encryption
Introduction to Homomorphic Encryption
 
Engineering fast indexes
Engineering fast indexesEngineering fast indexes
Engineering fast indexes
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Partial Homomorphic Encryption
Partial Homomorphic EncryptionPartial Homomorphic Encryption
Partial Homomorphic Encryption
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)Next Generation Indexes For Big Data Engineering (ODSC East 2018)
Next Generation Indexes For Big Data Engineering (ODSC East 2018)
 
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic EncryptionA survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
 
Building Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual MachinesBuilding Efficient and Highly Run-Time Adaptable Virtual Machines
Building Efficient and Highly Run-Time Adaptable Virtual Machines
 
Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...Secure and privacy-preserving data transmission and processing using homomorp...
Secure and privacy-preserving data transmission and processing using homomorp...
 
CPM2013-tabei201306
CPM2013-tabei201306CPM2013-tabei201306
CPM2013-tabei201306
 
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil PerssonLow-level Shader Optimization for Next-Gen and DX11 by Emil Persson
Low-level Shader Optimization for Next-Gen and DX11 by Emil Persson
 
Probabilistic data structures. Part 3. Frequency
Probabilistic data structures. Part 3. FrequencyProbabilistic data structures. Part 3. Frequency
Probabilistic data structures. Part 3. Frequency
 
Probabilistic data structures
Probabilistic data structuresProbabilistic data structures
Probabilistic data structures
 
Happy To Use SIMD
Happy To Use SIMDHappy To Use SIMD
Happy To Use SIMD
 
ZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their ApplicationsZK Study Club: Sumcheck Arguments and Their Applications
ZK Study Club: Sumcheck Arguments and Their Applications
 
Deep Learning meetup
Deep Learning meetupDeep Learning meetup
Deep Learning meetup
 
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
Exceeding Classical: Probabilistic Data Structures in Data Intensive Applicat...
 
Hubba Deep Learning
Hubba Deep LearningHubba Deep Learning
Hubba Deep Learning
 
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
 
SciSmalltalk: Doing Science with Agility
SciSmalltalk: Doing Science with AgilitySciSmalltalk: Doing Science with Agility
SciSmalltalk: Doing Science with Agility
 

Semelhante a Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups

Paper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural NetworksPaper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural NetworksChenYiHuang5
 
Paper study: Attention, learn to solve routing problems!
Paper study: Attention, learn to solve routing problems!Paper study: Attention, learn to solve routing problems!
Paper study: Attention, learn to solve routing problems!ChenYiHuang5
 
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)Alex Pruden
 
NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...
NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...
NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...ssuser4b1f48
 
Recurrent Neural Networks, LSTM and GRU
Recurrent Neural Networks, LSTM and GRURecurrent Neural Networks, LSTM and GRU
Recurrent Neural Networks, LSTM and GRUananth
 
Efficient anomaly detection via matrix sketching
Efficient anomaly detection via matrix sketchingEfficient anomaly detection via matrix sketching
Efficient anomaly detection via matrix sketchingHsing-chuan Hsieh
 
Hardware Acceleration for Machine Learning
Hardware Acceleration for Machine LearningHardware Acceleration for Machine Learning
Hardware Acceleration for Machine LearningCastLabKAIST
 
SPICE-MATEX @ DAC15
SPICE-MATEX @ DAC15SPICE-MATEX @ DAC15
SPICE-MATEX @ DAC15Hao Zhuang
 
Inside LoLA - Experiences from building a state space tool for place transiti...
Inside LoLA - Experiences from building a state space tool for place transiti...Inside LoLA - Experiences from building a state space tool for place transiti...
Inside LoLA - Experiences from building a state space tool for place transiti...Universität Rostock
 
A CGRA-based Approach for Accelerating Convolutional Neural Networks
A CGRA-based Approach for Accelerating Convolutional Neural NetworksA CGRA-based Approach for Accelerating Convolutional Neural Networks
A CGRA-based Approach for Accelerating Convolutional Neural NetworksShinya Takamaeda-Y
 
Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...
Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...
Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...Tu Nguyen
 
Paper study: Learning to solve circuit sat
Paper study: Learning to solve circuit satPaper study: Learning to solve circuit sat
Paper study: Learning to solve circuit satChenYiHuang5
 
A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020
A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020
A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020NECST Lab @ Politecnico di Milano
 
Seq2Seq (encoder decoder) model
Seq2Seq (encoder decoder) modelSeq2Seq (encoder decoder) model
Seq2Seq (encoder decoder) model佳蓉 倪
 
Dueling network architectures for deep reinforcement learning
Dueling network architectures for deep reinforcement learningDueling network architectures for deep reinforcement learning
Dueling network architectures for deep reinforcement learningTaehoon Kim
 
1 Cryptography Introduction_shared.ppt
1 Cryptography Introduction_shared.ppt1 Cryptography Introduction_shared.ppt
1 Cryptography Introduction_shared.pptssuser0cd7c9
 
ODSC 2019: Sessionisation via stochastic periods for root event identification
ODSC 2019: Sessionisation via stochastic periods for root event identificationODSC 2019: Sessionisation via stochastic periods for root event identification
ODSC 2019: Sessionisation via stochastic periods for root event identificationKuldeep Jiwani
 

Semelhante a Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups (20)

Paper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural NetworksPaper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
Paper Study: OptNet: Differentiable Optimization as a Layer in Neural Networks
 
DTLC-GAN
DTLC-GANDTLC-GAN
DTLC-GAN
 
Paper study: Attention, learn to solve routing problems!
Paper study: Attention, learn to solve routing problems!Paper study: Attention, learn to solve routing problems!
Paper study: Attention, learn to solve routing problems!
 
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
zkStudyClub - zkSaaS (Sruthi Sekar, UCB)
 
NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...
NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...
NS-CUK Seminar: H.E.Lee, Review on "Gated Graph Sequence Neural Networks", I...
 
Recurrent Neural Networks, LSTM and GRU
Recurrent Neural Networks, LSTM and GRURecurrent Neural Networks, LSTM and GRU
Recurrent Neural Networks, LSTM and GRU
 
Efficient anomaly detection via matrix sketching
Efficient anomaly detection via matrix sketchingEfficient anomaly detection via matrix sketching
Efficient anomaly detection via matrix sketching
 
Hardware Acceleration for Machine Learning
Hardware Acceleration for Machine LearningHardware Acceleration for Machine Learning
Hardware Acceleration for Machine Learning
 
SPICE-MATEX @ DAC15
SPICE-MATEX @ DAC15SPICE-MATEX @ DAC15
SPICE-MATEX @ DAC15
 
Inside LoLA - Experiences from building a state space tool for place transiti...
Inside LoLA - Experiences from building a state space tool for place transiti...Inside LoLA - Experiences from building a state space tool for place transiti...
Inside LoLA - Experiences from building a state space tool for place transiti...
 
A CGRA-based Approach for Accelerating Convolutional Neural Networks
A CGRA-based Approach for Accelerating Convolutional Neural NetworksA CGRA-based Approach for Accelerating Convolutional Neural Networks
A CGRA-based Approach for Accelerating Convolutional Neural Networks
 
Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...
Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...
Noise Contrastive Estimation-based Matching Framework for Low-Resource Securi...
 
Paper study: Learning to solve circuit sat
Paper study: Learning to solve circuit satPaper study: Learning to solve circuit sat
Paper study: Learning to solve circuit sat
 
A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020
A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020
A Methodology for Automatic GPU Kernel Optimization - NECSTTechTalk 4/06/2020
 
QMC: Operator Splitting Workshop, Projective Splitting with Forward Steps and...
QMC: Operator Splitting Workshop, Projective Splitting with Forward Steps and...QMC: Operator Splitting Workshop, Projective Splitting with Forward Steps and...
QMC: Operator Splitting Workshop, Projective Splitting with Forward Steps and...
 
Classification of indoor actions through deep neural networks
Classification of indoor actions through deep neural networksClassification of indoor actions through deep neural networks
Classification of indoor actions through deep neural networks
 
Seq2Seq (encoder decoder) model
Seq2Seq (encoder decoder) modelSeq2Seq (encoder decoder) model
Seq2Seq (encoder decoder) model
 
Dueling network architectures for deep reinforcement learning
Dueling network architectures for deep reinforcement learningDueling network architectures for deep reinforcement learning
Dueling network architectures for deep reinforcement learning
 
1 Cryptography Introduction_shared.ppt
1 Cryptography Introduction_shared.ppt1 Cryptography Introduction_shared.ppt
1 Cryptography Introduction_shared.ppt
 
ODSC 2019: Sessionisation via stochastic periods for root event identification
ODSC 2019: Sessionisation via stochastic periods for root event identificationODSC 2019: Sessionisation via stochastic periods for root event identification
ODSC 2019: Sessionisation via stochastic periods for root event identification
 

Mais de MITSUNARI Shigeo

暗号技術の実装と数学
暗号技術の実装と数学暗号技術の実装と数学
暗号技術の実装と数学MITSUNARI Shigeo
 
範囲証明つき準同型暗号とその対話的プロトコル
範囲証明つき準同型暗号とその対話的プロトコル範囲証明つき準同型暗号とその対話的プロトコル
範囲証明つき準同型暗号とその対話的プロトコルMITSUNARI Shigeo
 
暗認本読書会13 advanced
暗認本読書会13 advanced暗認本読書会13 advanced
暗認本読書会13 advancedMITSUNARI Shigeo
 
Intel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgen
Intel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgenIntel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgen
Intel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgenMITSUNARI Shigeo
 
深層学習フレームワークにおけるIntel CPU/富岳向け最適化法
深層学習フレームワークにおけるIntel CPU/富岳向け最適化法深層学習フレームワークにおけるIntel CPU/富岳向け最適化法
深層学習フレームワークにおけるIntel CPU/富岳向け最適化法MITSUNARI Shigeo
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装MITSUNARI Shigeo
 
BLS署名の実装とその応用
BLS署名の実装とその応用BLS署名の実装とその応用
BLS署名の実装とその応用MITSUNARI Shigeo
 
LazyFP vulnerabilityの紹介
LazyFP vulnerabilityの紹介LazyFP vulnerabilityの紹介
LazyFP vulnerabilityの紹介MITSUNARI Shigeo
 
Intro to SVE 富岳のA64FXを触ってみた
Intro to SVE 富岳のA64FXを触ってみたIntro to SVE 富岳のA64FXを触ってみた
Intro to SVE 富岳のA64FXを触ってみたMITSUNARI Shigeo
 

Mais de MITSUNARI Shigeo (20)

暗号技術の実装と数学
暗号技術の実装と数学暗号技術の実装と数学
暗号技術の実装と数学
 
範囲証明つき準同型暗号とその対話的プロトコル
範囲証明つき準同型暗号とその対話的プロトコル範囲証明つき準同型暗号とその対話的プロトコル
範囲証明つき準同型暗号とその対話的プロトコル
 
暗認本読書会13 advanced
暗認本読書会13 advanced暗認本読書会13 advanced
暗認本読書会13 advanced
 
暗認本読書会12
暗認本読書会12暗認本読書会12
暗認本読書会12
 
暗認本読書会10
暗認本読書会10暗認本読書会10
暗認本読書会10
 
暗認本読書会9
暗認本読書会9暗認本読書会9
暗認本読書会9
 
Intel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgen
Intel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgenIntel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgen
Intel AVX-512/富岳SVE用SIMDコード生成ライブラリsimdgen
 
暗認本読書会8
暗認本読書会8暗認本読書会8
暗認本読書会8
 
暗認本読書会7
暗認本読書会7暗認本読書会7
暗認本読書会7
 
暗認本読書会5
暗認本読書会5暗認本読書会5
暗認本読書会5
 
暗認本読書会4
暗認本読書会4暗認本読書会4
暗認本読書会4
 
深層学習フレームワークにおけるIntel CPU/富岳向け最適化法
深層学習フレームワークにおけるIntel CPU/富岳向け最適化法深層学習フレームワークにおけるIntel CPU/富岳向け最適化法
深層学習フレームワークにおけるIntel CPU/富岳向け最適化法
 
私とOSSの25年
私とOSSの25年私とOSSの25年
私とOSSの25年
 
WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装WebAssembly向け多倍長演算の実装
WebAssembly向け多倍長演算の実装
 
楕円曲線と暗号
楕円曲線と暗号楕円曲線と暗号
楕円曲線と暗号
 
HPC Phys-20201203
HPC Phys-20201203HPC Phys-20201203
HPC Phys-20201203
 
BLS署名の実装とその応用
BLS署名の実装とその応用BLS署名の実装とその応用
BLS署名の実装とその応用
 
LazyFP vulnerabilityの紹介
LazyFP vulnerabilityの紹介LazyFP vulnerabilityの紹介
LazyFP vulnerabilityの紹介
 
Intro to SVE 富岳のA64FXを触ってみた
Intro to SVE 富岳のA64FXを触ってみたIntro to SVE 富岳のA64FXを触ってみた
Intro to SVE 富岳のA64FXを触ってみた
 
ゆるバグ
ゆるバグゆるバグ
ゆるバグ
 

Último

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsMiki Katsuragi
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piececharlottematthew16
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DaySri Ambati
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 

Último (20)

Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Vertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering TipsVertex AI Gemini Prompt Engineering Tips
Vertex AI Gemini Prompt Engineering Tips
 
Story boards and shot lists for my a level piece
Story boards and shot lists for my a level pieceStory boards and shot lists for my a level piece
Story boards and shot lists for my a level piece
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo DayH2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
H2O.ai CEO/Founder: Sri Ambati Keynote at Wells Fargo Day
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 

Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups

  • 1. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups Goichiro Hanaoka*1 Joint-work-with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1 *1 AIST, *2 Cybozu labs 2018/11/21 ECC 2018 1
  • 2. Outline • Background • Two-level Homomorphic encryption • An efficient construction • Security • Implementation • Conclusion 2018/11/21 ECC 2018 2
  • 4. 2018/11/21 ECC 2018 4 Computing on encrypted data • Data analysis with taking care of sensitive data Disease Risk 70% If X2>∑Y then ◯◯70% F : Diagnosis Y : Database
  • 5. Homomorphic Encryption (HE) • Allows computation on encrypted data • Many applications related to privacy-preserving schemes • Types of HE • Additively HE (ex. Goldwasser-Micali, Okamoto- Uchiyama, Paillier, Lifted-ElGamal) • Enc 𝑚 + Enc 𝑚′ = Enc(𝑚 + 𝑚′) • Multiplicatively HE (ex. RSA, ElGamal) • Enc 𝑚 × Enc 𝑚′ = Enc 𝑚𝑚′ • Fully HE (ex. Gentry, BGV, BV, GSW, …) • Can do homomorphic add. and mult. 2018/11/21 ECC 2018 5
  • 6. Pros and Cons • Add. HE, Mult. HE • Applications are restricted • Fully HE (FHE) • Any computations possible, but inefficient • Security relies on less standard assumptions • Leveled HE • The number of homomorphic mult. is restricted. • An intermediate notion between A/M HE and FHE. 2018/11/21 ECC 2018 6 A/M HE Leveled HE FHE Efficiency very good medium bad Functionality medium good very good
  • 7. Two-level HE • HE that allows one homomorphic multiplication • Allows degree-2 polynomial homomorphic evaluations • Allows inner product of two vectors • 𝑥 = 𝑥1, 𝑥2, … , 𝑦 = 𝑦1, 𝑦2, … • σ𝑖 Enc1 𝑥𝑖 × Enc1 𝑦𝑖 = Enc2 σ𝑖 𝑥𝑖 × 𝑦𝑖 2018/11/21 ECC 2018 7 ×1 2 3 3 4 12 12 13 25 ++ : Level-1 : Level-2
  • 8. Applications • Secure 2-DNF formula evaluation • Delegated secure inner-product on encrypted data • Efficient (symmetric) private information retrieval • Cross tabulation on encrypted data • Efficient election protocol • … 2018/11/21 ECC 2018 8
  • 9. Existing Two-level HE • Boneh, Goh, Nissim (TCC 2005) • Based on Composite-order pairings, hence much less efficient • Freeman (EUROCRYPT 2010) • Composite-to-prime-order transformation framework, applied to BGN • Herold, Hesse, Hofheinz, Rafols, Rupp (CRYPTO 2014) • Improving Freeman’s frameworks • Only Type 1 pairings, inefficient • Catalano, Fiore (ACM CCS 2015) • Transformation from d-Level HE to (2d)-level • Instantiations are not necessarily efficient • AHM+ (AsiaCCS 2018): This talk • Efficient construction based on the lifted-ElGamal encryption • Portable high-speed implementations • Note: • Decryption in all these schemes requires discrete log (DL) • Hence plaintext space should be sufficiently small (up to 32-bit) 2018/11/21 ECC 2018 9
  • 10. An Efficient Construction of Two-level HE 2018/11/21 ECC 2018 10
  • 11. Basic Idea •Existing schemes • Establish a “broader fundamental & theoretical framework” • Then, construct L2HE as an “application” •Our scheme • Concentrate on “L2HE-dedicated design” • Start from “promising tools” for fast HE, i.e. Type-3 pairing and ElGamal • Not general but fully tuned for L2HE 2018/11/21 ECC 2018 11
  • 12. An Efficient Construction • Combine the lifted-ElGamal encryption scheme with Type 3 pairings • First, straightforwardly construct two-level HE • Then, consider “simpler” construction • While Freeman considered a conversion of composite-to- prime order • Level-1 (L1) ciphertext (CT) is same as lifted-ElGamal • Format of level-2 (L2) CT is same as Freeman’s scheme • Note: Type 3 pairings • Cyclic groups 𝔾1, 𝔾2, 𝔾T of order prime 𝑝 with bilinear map 𝑒: 𝔾1 × 𝔾2 → 𝔾T • 𝑒 𝑎𝑃, 𝑏𝑄 = 𝑒 𝑃, 𝑄 𝑎𝑏 for 𝑎, 𝑏 ∈ ℤ 𝑝, 𝑃 ∈ 𝔾1, 𝑄 ∈ 𝔾2 • 𝔾1 ≠ 𝔾2 and no efficient map between 𝔾1 and 𝔾22018/11/21 ECC 2018 12
  • 13. Summary of Constructions 2018/11/21 ECC 2018 13 Freeman (EUROCRYPT 2018) AHM+ (AsiaCCS 2018, this talk) BGN scheme based on composite order BGN (Freeman) scheme based on prime order (includes 2-level HE) Construction by converting Lifted-ElGamal Enc 𝑚 = 𝑔 𝑚ℎ 𝑟, 𝑔 𝑟 Type 3 pairing 𝑒 𝑎𝑃1, 𝑏𝑃2 = 𝑔T 𝑎𝑏 AHM+ 2-level HE scheme Construction by combining algebraic structures
  • 14. Setup and Key Generation • Setup • Cyclic group 𝔾𝑖 = ⟨𝑃𝑖⟩ over an elliptic curve with prime order 𝑝 for 𝑖 = 1, 2 • 𝔾T = 𝑔T , where 𝑔T = 𝑒 𝑃1, 𝑃2 • Key generation • Secret key 𝑠1, 𝑠2 ∈ ℤ 𝑝 is generated at random • Public key 𝑄1 = 𝑠1 𝑃1, 𝑄2 = 𝑠2 𝑃2 (with optional precomputation 𝑧1 = 𝑔T, 𝑧2 = 𝑔T 𝑠1, 𝑧3 = 𝑔T 𝑠2, 𝑧4 = 𝑔T 𝑠1 𝑠2) • Note: Colors • Green: Public part • Blue: Secret and hidden part 2018/11/21 ECC 2018 14
  • 15. Level-1 CT and Enc./Dec. • Encrypt • Plaintext 𝑚 and randomness 𝑟 • Enc 𝔾 𝑖 𝑚 = (𝑚𝑃𝑖 + 𝑟𝑄𝑖, 𝑟𝑃𝑖) for 𝑖 = 1, 2 • Duplicated form: Enc1 𝑚 ≔ Enc 𝔾1 𝑚 , Enc 𝔾2 𝑚 • Note: 𝔾1 can be mult. with 𝔾2 only, vice versa, so that duplicated form is needed for general usage • Decrypt • For 𝑖 = 1, 2, decrypt Enc 𝔾 𝑖 𝑚 = (𝑆, 𝑇) by 𝑆 − 𝑠𝑖 𝑇 = 𝑚𝑃𝑖 + 𝑟𝑄𝑖 − 𝑠𝑖 𝑟𝑃𝑖 = 𝑚𝑃𝑖 and then, to obtain 𝑚, solve DL • Almost same as lifted-ElGamal 2018/11/21 ECC 2018 15
  • 16. Homomorphic Addition on L1 CT • For 𝑖 = 1, 2, Enc 𝔾 𝑖 𝑚1 + Enc 𝔾 𝑖 𝑚2 = 𝑚1 𝑃𝑖 + 𝑟1 𝑄𝑖, 𝑟1 𝑃𝑖 + 𝑚2 𝑃𝑖 + 𝑟2 𝑄𝑖, 𝑟2 𝑃𝑖 = 𝑚1 + 𝑚2 𝑃𝑖 + 𝑟1 + 𝑟2 𝑄𝑖, 𝑟1 + 𝑟2 𝑃𝑖 = Enc 𝔾 𝑖 (𝑚1 + 𝑚2) • Also, same as lifted-ElGamal 2018/11/21 ECC 2018 16 1 2 3 + : Level-1
  • 17. Homomorphic Multiplication • 𝐶1 = 𝑆1, 𝑇1 = 𝑚1 𝑃1 + 𝑟1 𝑄1, 𝑟1 𝑃1 = Enc 𝔾1 𝑚1 ∈ 𝔾1 2 • 𝐶2 = 𝑆2, 𝑇2 = 𝑚2 𝑃2 + 𝑟2 𝑄2, 𝑟2 𝑃2 = Enc 𝔾2 𝑚2 ∈ 𝔾2 2 • 𝐶1 × 𝐶2 ≔ 𝑒 𝑆1, 𝑆2 , 𝑒 𝑆1, 𝑇2 , 𝑒 𝑇1, 𝑆2 , 𝑒 𝑇1, 𝑇2 = 𝑧1 𝑚1 𝑚2 𝑧4 𝜏′, 𝑧2 𝜎′, 𝑧3 𝜌′, 𝑧1 𝜎′+𝜌′−𝜏′ = Enc2 𝑚1 𝑚2 ∈ 𝔾T 4 • 𝑧1 = 𝑔T, 𝑧2 = 𝑔T 𝑠1, 𝑧3 = 𝑔T 𝑠2, 𝑧4 = 𝑔T 𝑠1 𝑠2 • Tensor product of 𝐶1, 𝐶2 • Its result is an level-2 ciphertext 2018/11/21 ECC 2018 17 ×3 4 12 : Level-1 : Level-2
  • 18. Homomorphic Addition on L2 CT • Enc2 𝑚1 + Enc2 𝑚2 = 𝑧1 𝑚1 𝑧4 𝜏1, 𝑧2 𝜎1, 𝑧3 𝜌1, 𝑧1 𝜎1+𝜌1−𝜏1 + 𝑧1 𝑚2 𝑧4 𝜏2, 𝑧2 𝜎2, 𝑧3 𝜌2, 𝑧1 𝜎2+𝜌2−𝜏2 = ( 𝑧1 𝑚1+𝑚2 𝑧4 𝜏1+𝜏2, 𝑧2 𝜎1+𝜎2, ൯𝑧3 𝜌1+𝜌2, 𝑧1 (𝜎1+𝜎2)+(𝜌1+𝜌2)−(𝜏1+𝜏2) = Enc2(𝑚1 + 𝑚2) • Usual vector addition 2018/11/21 ECC 2018 18 12 13 25 + : Level-2
  • 19. Decryption for Level-2 CT • Decrypting an level-2 ciphertext 𝑐1, 𝑐2, 𝑐3, 𝑐4 Dec2 c1, c2, 𝑐3, 𝑐4 ≔ 𝑐1 𝑐4 𝑠1 𝑠2 𝑐2 𝑠2 𝑐3 𝑠1 = 𝑒 𝑆1, 𝑆2 𝑒 𝑠1 𝑇1, 𝑠2 𝑇2 𝑒 𝑆1, 𝑠2 𝑇2 𝑒 𝑠1 𝑇1, 𝑆2 = 𝑒 𝑆1 − 𝑠1 𝑇1, 𝑆2 − 𝑠2 𝑇2 = 𝑒 𝑚𝑃1 , 𝑚′ 𝑃2 = 𝑒 𝑃1, 𝑃2 𝑚𝑚′ then solve DLP to obtain 𝑚𝑚′ • Note: 𝑐1, 𝑐2, 𝑐3, 𝑐4 = 𝑧1 𝑚𝑚′ 𝑧4 𝜏 , 𝑧2 𝜎 , 𝑧3 𝜌 , 𝑧1 𝜎+𝜌−𝜏 ∈ 𝔾T 4 , where 𝑧1 = 𝑔T, 𝑧2 = 𝑔T 𝑠1, 𝑧3 = 𝑔T 𝑠2, 𝑧4 = 𝑔T 𝑠1 𝑠2 2018/11/21 ECC 2018 19
  • 20. Size and Benchmark on BN462 • Note: • Use x64 Linux on Core i7-6700 • Without compressed form • Use lookup tables for decryption (20-bit plaintext) 2018/11/21 ECC 2018 20 Calc. time in msec Enc1 0.452 Enc2 1.14 Dec1 9.01 Dec2 10.01 ReRand1 0.447 ReRand2 1.14 Add1 0.0109 Add2 0.0231 Mult 8.47 Bit size Secret key 924 Public key 27720 Dup. L1 CT 5544 L2 CT 22176
  • 21. Comparison of Size • Fre10: Freemen’s scheme (EUROCRYPT 2010) • Compare bit size on a 462-bit Barreto-Naehrig (BN) curve 2018/11/21 ECC 2018 21
  • 22. Comparison of Time • CT: Ciphertext • Fre10: Freemen’s scheme in EUROCRYPT 2010 • Compare calculation time on a 462-bit BN curve 2018/11/21 ECC 2018 22
  • 23. Proving the Knowledge of Plaintexts • Zero-knowledge proof protocols can be applied • Example 1: Duplicated form of L1 CT • Dup. L1 CT is Enc 𝔾1 𝑚 , Enc 𝔾2 𝑚′ • Attach a proof of “𝑚 = 𝑚′” • Example 2: Proving a CT encrypts a bit • Attach a proof of “encrypted plaintext is 0 or 1” • Applications: Voting, two-party computation 2018/11/21 ECC 2018 23
  • 24. Proof of Equality • Duplicated L1 CT: • Enc 𝔾1 𝑚 , Enc 𝔾2 𝑚′ = 𝐶1, 𝐶2 , 𝐶3, 𝐶4 = (𝑚𝑃1 + 𝜌𝑄1, 𝜌𝑃1), (𝑚′𝑃2 + 𝜎𝑄2, 𝜎𝑃2) where 𝜌, 𝜎 ← ℤ 𝑝 are randomly chosen • Should be “𝑚 = 𝑚′” • Equality can be proved in the same way of NIZK DH-tuple proof 2018/11/21 ECC 2018 24
  • 25. NIZK Proof of Equality • L1 CT: 𝐶1, 𝐶2 , 𝐶3, 𝐶4 = (𝑚𝑃1 + 𝜌𝑄1, 𝜌𝑃1), (𝑚′𝑃2 + 𝜎𝑄2, 𝜎𝑃2) • Prove: • Randomly choose: 𝑟𝜌, 𝑟𝜎, 𝑟 𝑚 ← ℤ 𝑝 • 𝑅1, 𝑅2, 𝑅3, 𝑅4 ← 𝑟 𝑚 𝑃1 + 𝑟𝜌 𝑄1, 𝑟𝜌 𝑃1, 𝑟 𝑚 𝑃2 + 𝑟𝜎 𝑄2, 𝑟𝜎 𝑃2 • 𝑐 ← 𝐻 public param, 𝐶1, 𝐶2, 𝐶3, 𝐶4, 𝑅1, 𝑅2, 𝑅3, 𝑅4 • 𝑠𝜌, 𝑠 𝜎, 𝑠 𝑚 ← 𝑟𝜌 + 𝑐𝜌, 𝑟𝜎 + 𝑐𝜎, 𝑟 𝑚 + 𝑐𝑚 • Proof 𝜋 = 𝑐, 𝑠𝜌, 𝑠 𝜎, 𝑠 𝑚 • Verify: • 𝑐 = 𝐻 public param, 𝐶1, 𝐶2, 𝐶3, 𝐶4, 𝑅1 ′ , 𝑅2 ′ , 𝑅3 ′ , 𝑅4 ′ where 𝑅1 ′ , 𝑅2 ′ , 𝑅3 ′ , 𝑅4 ′ ← 𝑠 𝑚 𝑃1 + 𝑠𝜌 𝑄1 − 𝑐𝐶1, 𝑠𝜌 𝑃1 − 𝑐𝐶2, 𝑠 𝑚 𝑃2 + 𝑠 𝜎 𝑄2 − 𝑐𝐶3, 𝑠 𝜎 𝑃2 − 𝑐𝐶4 2018/11/21 ECC 2018 25
  • 27. Confidentiality • Shown scheme is IND-CPA secure under the SXDH assumption • Note1: IND-CPA (INDistinguishability against Chosen Plaintext Attack) • Hidden plaintext from ciphertext • Standard base-line security notion • Note2: SXDH (Symmetric eXternal Diffie-Hellman) assumption • 𝑃1 ∈ 𝔾1, 𝑃2 ∈ 𝔾2, for random 𝛼, 𝛽, 𝛾, 𝑃1, 𝛼𝑃1, 𝛽𝑃1, 𝛼𝛽𝑃1 ≈ 𝑃1, 𝛼𝑃1, 𝛽𝑃1, 𝛾𝑃1 and 𝑃2, 𝛼𝑃2, 𝛽𝑃2, 𝛼𝛽𝑃2 ≈ 𝑃2, 𝛼𝑃2, 𝛽𝑃2, 𝛾𝑃2 are computationally indistinguishable 2018/11/21 ECC 2018 27
  • 28. Circuit Privacy • Shown scheme is circuit private • Namely, ReRand𝑖 𝑐 ≈ Enc𝑖(Dec𝑖 𝑐 ) • Rerandomization: ReRand𝑖 𝑐 ≔ 𝑐 + Enc𝑖(0) • ReRand𝑖 𝑐 removes a trace of circuit from 𝑐 • Note: Arithmetic circuit depends on secret • E.g., for 𝑖 = 1, 2, and for a secret integer 𝑛, 𝑛 × Enc𝑖 𝑚 = ෍ 𝑗=1 𝑛 Enc𝑖 𝑚 = Enc𝑖 𝑛𝑚 • Should be Enc𝑖 𝑚 + Enc𝑖 𝑚′ ≈ Enc𝑖 𝑚 + 𝑚′ and Enc1 𝑚 × Enc1 𝑚′ ≈ Enc2 𝑚𝑚′ • Note: It is obvious that CTs are in which group 𝔾1, 𝔾2, 𝔾T 2018/11/21 ECC 2018 28
  • 30. Practical Two-level Homomorphic Encryption in Prime-order Bilinear Groups Goichiro Hanaoka*1 Joint-work-with: Nuttapong Attrapadung*1, Shigeo Mitsunari*2, Yusuke Sakai*1, Tadanori Teruya*1 *1 AIST, *2 Cybozu labs 2018/11/21 ECC 2018 30
  • 31. Our Implementation • Available in “mcl”: A library for pairings • BN254, 381, 462, BLS12-381 • C++: https://github.com/herumi/mcl • Web browser/Node.js: https://github.com/herumi/she-wasm • High-performance implementation for x64/ARM64 • WebAssembly (wasm) • Runs on Microsoft Edge, Firefox, Chrome, Safari without any plug-ins • Open source: BSD 3-clause 2018/11/21 ECC 2018 31
  • 32. Benchmarks on wasm • Calculation times in msec • Use BN254 • Use lookup tables for decryption (20-bit plaintext) 2018/11/21 ECC 2018 32 Native (x64) JavaScritpt with wasm x64 Linux on Core i7-7700 Firefox on Core i7-7700 Safari on iPhone 7 Enc 𝔾1 0.018 0.3 0.96 Enc 𝔾2 0.048 0.82 1.72 Add 𝔾1 0.00062 0.016 0.016 Add 𝔾2 0.002 0.036 0.048 Mult 1.17 15.6 24.3 Dec2 0.66 7.8 12.6
  • 34. Importance of WebAssembly (wasm) Implementation • Large deployment advantages • wasm is a portable and fast binary instruction format • Runs on many modern browser • Microsoft Edge, Safari, Google Chrome, and Mozilla Firefox on Windows, Linux, macOS, iPhone, Android, and so on… • Requires no plugins • Being developed as a web standard via the W3C • Distribution is easy 2018/11/21 ECC 2018 34
  • 35. Demonstrations of wasm • Inner product: https://herumi.github.i o/she-wasm/she- demo.html • Oblivious transfer: https://ppdm.jp/ot/ 2018/11/21 ECC 2018 35
  • 36. Conclusion • Practical efficient two-level homomorphic encryption • Many times add. and one-time mult. on encrypted data • Based on Type 3 (asymmetric) pairing • Combine the lifted-ElGamal encryption scheme • Faster than Freeman’s scheme (EUROCRYPT 2010) • Portable high-performance implementation • C++/asm/WebAssembly • https://github.com/herumi/mcl • https://github.com/herumi/she-wasm • Open source: BSD 3-clause 2018/11/21 ECC 2018 36 Thank you!