510 likes | 839 Views
Tree Homomorphic Encryption with Scalable Decryption. Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut. Outline. The “computing server model” and scalability. Tree homomorphic encryption with scalable decryption. The onion-decryption case.
E N D
Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut
Outline • The “computing server model” and scalability. • Tree homomorphic encryption with scalable decryption. • The onion-decryption case. • Application to E-voting. • Conclusions.
Outline • The “computing server model” and scalability. • Tree homomorphic encryption with scalable decryption. • The onion-decryption case. • Application to E-voting. • Conclusions.
Homomorphic Encryption Basic Aggregation Operation : a “bush”
The computing server model for Secure Multiparty Computation Computing server is a (perhaps distributed) party in the protocol that manages the contributions and delivery of results. This model has been applied in voting, auctions and other specialized secure multiparty computations. Contributors provide (encrypted) input under the specifications of the protocol (Access control allows them to write a on a bulletin board – Role specification). Processing / Aggregation of encrypted contributions by computing server. Delivery of results / output decryption.
Computing Server Model: Correctness Aspect All valid contributions are included. No unauthorized contributions are permitted. Contribution Processing is done according to specifications. Auditing & Replication is added to cope with various faults and failures.
Computing Server Model:Privacy Aspect The computation / processing does not leak any information about contributions, beyond what trivially inferred from the public-output. Computing servers are honest w.r.t. privacy. Or, threshold techniques: Share decryption capabilities. Split contribution.
The Large Scale Setting • The “Bush” model insufficient for the large scale: • Load Balancing Issues. • Remote Geographic Locations. • Overlay networks in P2P. Non-bush approach is needed:
Aggregation over Trees : Scalability Each node Implements a gate for ciphertext processing Structure: Imposed by Geographic Load balancing parameters Contributions: • Bush aggregation of homomorphic encryption consistent with tree deployment: every node is a bush for its children. • Aggregation complexity linear in the number of children nodes
Connection to Elections Top-Level Regional Level (micro-) Precinct Level
Correctness Aspect across the Tree • Scaling over tree structure: Each node is comprised by set of agents that Collectively ensure the Correctness aspect of the local Node operation Scales well over the tree hierarchical structure.
Privacy Aspect Decryption Agents
The BIGGEST brother problem • Inner nodes in the tree are assuring correctness – no decryption capability. • Decryption capability shared at the root? • Possible, but all kinds of privacy advocates, known election experts and election non-experts will protest: • why should the little guy put his privacy at • the end of the BIGGEST brother?
Does old solutions work? • Sharing decryption capability to decipher the result at the root among all tree nodes using threshold techniques does not scale. • But scalability is our primary objective to begin with!
Outline • The “computing server model” and scalability. • Tree homomorphic encryption with scalable decryption. • The onion-decryption case. • Application to E-voting. • Conclusions.
Idea. • To solve the BIGGEST brother problem : distribute decryption capability along the tree structure. • Since aggregation along the tree structure scales – enforce decryption capability to follow the same pattern.
User Perspective nodes that user trusts for correctness So: the same nodes must share Decryption Capability w.r.t. that user’s privacy. User trust path User
Our Solution: Tree homomorphic encryption with Scalable Decryption • Tree is suggested by network architecture, load-balancing parameters, geography, network overlay, etc. • Spreading Decryption capability across the paths of the tree so that user privacy is not violated unless the whole user trust path is corrupt.
Homomorphic Encryption and Aggregation. Groups: Homomorphic over randomness is useful for constructing generic proofs of knowledge. Embedding of a Z-interval within Capacity: length of the Z-interval. Inputs to the computation belong to set of integer Values:
Homomorphic Encryption and Aggregation, II EXAMPLE: Voting among c candidates # of votes won by j-th candidate.
Proofs of Knowledge EXAMPLE: Voting among c candidates, II Voter contributes the encryption and a proof Of knowledge. Proof possible for generic Homomorphic encryption scheme. Length = linear in c
Three steps • Key generation across the tree. • Encryption of inputs at leaves. • <Aggregation + decryption> along tree paths.
Key Generation and distribution across user trust paths • Each node generates a key (independently) Can be threshold of agents within the Node. Public Keys Are Propa- Gated Down To the User level across all trust paths
Blind-and-Share operation l = # of levels Encryption functions of levels for user j j-th user selects: Encryptions of shares: Capacity Condition:
consistency • Encryptions in general are over different domains (each node has independent public-key). • We need consistency checks to ensure correct blind-and-sharing of the input (independent of the individual domains).
Proof of consistency Each of the ciphertexts Is accompanied by a commitment to the plaintext – over the same domain. • Together with a proof of knowledge that ensures: • Each ciphertext and commitment hide the same value. • The aggregation of the commitments hides a value of the form such that:
Proof of consistency, II • It follows that an encrypted contribution Contains an additive sharing of a value So that
Tree Aggregation Lowest level: … … … Encrypted contributions
Tree Aggregation, II Lowest level node obtains the aggregated ciphertext: Where are the users assigned to the node V. …
Tree Aggregation + Partial Decryption. Lowest level: Lowest Level node Decrypts the Last entry And apply modulo operation: … the block is propagated to the upper level
Tree Aggregation + Partial Decryption, II j-th level: j … The j-th level Receives partially decrypted entries From its children That are of the form: …
Tree Aggregation + Partial Decryption, III • The j-th level node aggregate as follows: … … And decrypt The j-th Level. … …
Tree Aggregation + Partial Decryption, IV • Top level agents, after aggregation and decryption of the top level entry obtain: The totally decrypted Sum of shares: …
Output recovery • THEN: Top level agents recover the results as follows: This operation Reveals the result Of the procedure In the form: …
Output Recovery, II • This works because: = … …
Tree Homomorphic Encryption with Scalable Decryption: implementations • Generic based on any additive homomorphic encryption: Paillier or (modified) ElGamal. • Size of encrypted contribution equals length of user trust path.
Implementations, II • Modified ElGamal accepts more efficient implementation of scalable decryption: • Constant size of contribution: independent of the length of the user trust path. • Onion style decryption.
Outline • The “computing server model” and scalability. • Tree homomorphic encryption with scalable decryption. • The onion-decryption case. • Application to E-voting. • Conclusions.
Tree Homomorphic Encryption with Onion decryption • ElGamal-specific case. • Shortening of contribution encryption size. • Based on: Composition of public-key across user trust paths.
Initialization/SetupAdditive ElGamal Specific Global Parameters: G, g, f, h generators of G multiplicative group of prime order q. Setup Each node creates local public key pk=ga. Each node computes its local combined_pk by multiplying its local pk with the combined_pk of the parent node.
Submission of Contributions Additive ElGamal Specific Each user makes a selection vÎ{1, M, M2, ..., Mc-1} and publishes < g r, (combined_pk)r f v> combined_pk is the combined public-key local to the lowest level node, i.e. combined_pk=h0 h1 h2 ... hk where h0 , h1, h2,... , hkare the local pk’s of the nodesin the user trust path. r<q is selected at random.
Submission of Contributions, II Additive ElGamal Specific the user proves that the Encryption <B1, B2> , is formed according to the specifications. The voter publishes: NIZK[ r : (B1 = gr) ( vÎC (B2 = (combined_pk)rf v )]
<P B1 , P B2 > å v is a valid ElGamal encryption of f (due to the homomorphic property) under the public-key of all nodes in the user trust path. Tree Aggregation + Decryption by “Onion Peeling” The low level node multiplies all encrypted contributions point-wise: THEN: The node “peels-off” its layer of encryption (by doing ElGamal Decryption w.r.t. its local private-key. < gr, (h0 h1 h2 ... hk)r f v> < gr, (h1 h2 ... hk)r f v> The process continues recursively up to the top-level node.
Output å v The top node receives the tally T = f Recovery of output: The space of all possible values for å v is of size O(nc-1) and as a result it can be found in time O(nc-1). Using the baby-step giant-step method this can be improved to O(n(c-1)/2)
Outline • The “computing server model” and scalability. • Tree homomorphic encryption with scalable decryption. • The onion-decryption case. • Application to E-voting. • Conclusions.
Application To E-Voting:“Scalable” Secret Ballot Elections • Arbitrary elections’ structure, size and distributions • Security properties scale in parallel to the electionsstructure
Voter Distribution Smallest Administrative Unit: Microprecinct
Results Setup SecurityHorizon Secure Subelections Ballot-Casting The Election Tree
Outline • The “computing server model” and scalability. • Tree homomorphic encryption with scalable decryption. • The onion-decryption case. • Application to E-voting. • Conclusions.
Conclusions • Tree Homomorphic Encryption with Scalable Decryption. • motivated by load-balancing / network topology geography constraints / overlay P2P networks. • Assuming multi-level trust can eliminate big brother presence. • Further increase of security possible by employing “paranoid security” or “multi-path election” • Future applications?