1 / 41

Algebraic Lower Bounds for Computing on Encrypted Data

Algebraic Lower Bounds for Computing on Encrypted Data. Rafail Ostrovsky William E. Skeith III. Non-Interactive Crypto-Computing. A wants to distribute computation of f to B. f,g. A. B. X. Y. E(X). g(E(X),Y). = E(f(X,Y)). Homomorphic Encryption and CC.

yetta-benjamin
Download Presentation

Algebraic Lower Bounds for Computing on Encrypted Data

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Algebraic Lower Bounds for Computing on Encrypted Data Rafail Ostrovsky William E. Skeith III

  2. Non-Interactive Crypto-Computing A wants to distribute computation of f to B f,g A B X Y E(X) g(E(X),Y) = E(f(X,Y))

  3. Homomorphic Encryption and CC • Homomorphic encryption is a very natural starting point, and the primary tool for many CC protocols: • Let f be a function, and A some algebraic structure. • If f can be computed by the algebra of A and A is preserved via homomorphic encryption, • Then we have non-interactive CC of f

  4. Algebraic Non-Interactive CC • For a given algebraic structure, what can be accomplished with algebraic computation? • Main question: which crypto-computing functions can we implement using known homomorphic cryptosystems?

  5. Examples We’ll Study • In an algebraic setting, we address the following: • Private Database Modification • Homomorphic PIR Protocols • Private Keyword Search

  6. Algebraic Private Database Modification [BKOS] U Mi=(g1,…,gm) DB g1, g2,…, gm X = X’ = F(x1,…,xn,g1,…gm ,h1,…hr) All gj, xi, hk2 A, and F is some “algebraic” function

  7. Homomorphic PIR Protocols [BGN,KO] U DB Qi=(g1,…,gm) g1, g2,…, gm X = (xj1,…,xil)=FX(g1,…gm ,h1,…hr) FX(g1,…gm ,h1,…hr) All gj, hk2 A, and FX is some “algebraic” function determined by the database X 2 An

  8. Manuscript (2002) of Sander, et al. • Result uses techniques of Ben-Or. • Cryptosystem from manuscript was broken… however, an interesting question is asked: “ “

  9. Two Results • A positive result: • Homomorphic encryption over any simple non-abelian group is equivalent to fully homomorphic encryption (preserving a ring). • Homomorphic encryption over any simple non-abelian group is equivalent to non-interactive CC. • A family of negative results (i.e., lower bounds): • Using the algebras preserved by existing cryptosystems, we can show lower bounds for homomorphic PIR, database modification, characteristic vectors…

  10. Our First Result: • For any non-abelian simple group, the following holds: Any circuit with N gates can be replaced by a circuit of size O(N) that uses only the group operation to simulate gates (wires will carry group elements). • Example: for A5, we can represent a NAND gate ¼ 50 group operations (this may not be minimal…).

  11. More Formally:

  12. Our Second Result: Overview • We’ll make an abstract algebraic observation • From the observation, we’ll derive: • (n) bounds (over an abelian group) • algebraic private database modification • homomorphic PIR • Bounds on conjunctive queries in the keyword search of [OS,BSW] • First, a few definitions...

  13. Characteristic Vectors over a Group • Let G be a group. We’ll call v2 Gn a characteristic vector if v is non-identity in precisely one position: • v=(idG,idG,...,x  idG,idG,…,idG) • Let V={vi}i2[n] be a complete set of such vectors.

  14. Question • What is the inherent communication involved in “algebraic” functions that generate characteristic vectors? • We’ll reduce all of our algebraic crypto-computing protocols to this basic functionality.

  15. Idea: Generating Char. Vectors 9 F:Gm! Gn, an “algebraic” function s.t. For each i 2 [n], 9 wi = (g1,…,gm) with F(wi) = vi

  16. An Algebraic Observation • Let A and G be abelian groups. • Let F:A ! Gn be an “affine” group map, i.e., F=f+c, where f 2 HomZ(A,Gn) and c 2 Gn. • Then if V ½ F(A), we have log(|A|) 2(n)

  17. Difficulties • Can’t we use linear algebra to immediately prove the theorem? • The most naturally occurring instance (in cryptography) is the case of A=Gm • If G were a field, this would be an easy linear-algebra dimension argument, but this is not generally the case (G is only assumed to be an abelian group). • Even with G cyclic, we could successfully implement even with m=1. (I.e., we can specify characteristic vectors by communicating only a single group element.)

  18. Example: m=1

  19. Other Non-productive Ideas: Affine to Linear • Recall that F=f+c is “affine”, and let m denote the number of group elements communicated. • One might think that the problem could be rephrased as linear by just incrementing m to account for c 2 Gn. • However, to model the affine map, you in general need to increase m by a non-constant amount (consider non-cyclic G). • Certainly, it doesn’t seem to be the “right” approach.

  20. The “Right” Approach: • Stay abstract. • Dimension is irrelevant • Will give a stronger result. • Takes care of typical cases nicely, but will actually be quite a bit more general (rules out End(G), etc…)

  21. Lemma

  22. Proof of Lemma

  23. Proof of Theorem (Idea) • Idea: show that h V i is a Z|A|-module, and apply the Lemma. • Recall that in an abelian group • ord(a+b)|lcm(ord(a),ord(b)) • And in any group, • ord((a,b)) = lcm(ord(a),ord(b)) • ord(f(a))|ord(a)

  24. Proof of Theorem (1 of 2) • Let F=f+c be affine, from A ! Gn, define V as before, and let c=(c1,…,cn). • Define V’={vi-c}i2[n]. (Note: V’ ½ f(A)) • All elements of V’ have order | |A| • ) all ci and therefore c have order | |A|. • Since A,G abelian, we have that all of V has elts of order | |A|.

  25. Proof of Theorem (2 of 2) • Since all elements of h V i, h V’ i have order dividing |A|, they are in fact Z|A|-modules. • Set R=Z|A| and M=h V [ V’ i and apply the lemma to yield: 2n· |h V’ i||A| · |A|2, and hence log(|A|) 2(n)

  26. Consequences • Over an abelian group, • Algebraic private modification of an encrypted database  (n) • Homomorphic PIR protocols  (n) • Impossibility of conjunctive queries in the keyword search of [OS,BSW] • Using poly’s of total degree t, bounds become (n1/t)

  27. Algebraic Private Database Modification [BKOS] U Mi=(g1,…,gm) DB g1, g2,…, gm X = X’ = F(x1,…,xn,g1,…gm ,h1,…hr) All gj, xi, hk2 A, and F is some “algebraic” function

  28. Algebraic Database Modification Implies Characteristic Vectors • Let X be a database consisting of idG in all locations. • Apply F(X,Mi,H)  X’ • X’ = vi will be a characteristic vector.

  29. Homomorphic PIR Protocols [BGN,KO] U DB Qi=(g1,…,gm) g1, g2,…, gm X = (xj1,…,xil)=FX(g1,…gm ,h1,…hr) FX(g1,…gm ,h1,…hr) All gj, hk2 A, and FX is some “algebraic” function determined by the database X2An

  30. Homomorphic PIR Implies Characteristic Vectors • For a moment, suppose the protocol returns an encryption of a single element. • Let V={vi}i=1n be a complete set of characteristic vectors over Gn. • Define databases Xi = vi for i 2 [n]. • If Qi queries position i, then (FX1(Qi,H),…, FXn(Qi,H)) will be non-identity exactly in position i.

  31. Non-singleton Query Returns • It may be the case that a PIR query returns many database values, as long as the right value is at a predictable location in the result (e.g. [KO]). • More generally, we can prove the following algebraic claim:

  32. Claim • Let V={vi}i=1n be a complete collection of characteristic type vectors, except… • Then if V ½ F(A), we have that: log(|A|) 2(n/w(n)) • vi can be non-identity in up to w(n) locations for any positive function w.

  33. General Case: Homomorphic PIR Implies Characteristic Vectors • Suppose that the query returns k values. • Define fi(g1,...gm)=j=1k (FXi(g1,…,hr))j • (f1(g1,…,gm),…fn(g1,…,gm)) will be non-identity in at most k positions • ) user communication is (n/k(n)) • Server communication is clearly at least k(n), so we are done.

  34. Other Types of Cryptosystems • Recently there has been a lot of attention on bilinear maps in cryptography. • The work of [BGN] demonstrates a cryptosystem that allows polynomials of total degree 2 to be evaluated on ciphertext.

  35. Polynomials of Bounded Total Degree • We can prove an extension of our original algebraic result, which will give similar bounds on the utility of total degree t polynomials. (even for t>2)

  36. Corollary

  37. Proof Idea • The number of monomials in an m-variable polynomial of total degree t is O(mt). • Simulate such a polynomial with a total degree 1 polynomial in O(mt) variables. • Apply initial theorem to the abelian group (R,+).

  38. More General Results • If given the ability of computation of polynomials of total degree t, we obtain similar bounds, only n  n1/t • In particular, this corollary gives (n1/2) bounds when applied to algebraic protocols based on the cryptosystem of [BGN] (this matches the upper bound for database modification seen in [BKOS]).

  39. Generality of Results • The algebraic assumptions may seem quite rigid, but are often appropriate in crypto-computing settings. • From an algebraic point of view however, they are very general: • Incorporates all algebraic formulas, but also many other types of maps (formulas with End(G), changing representations, etc…). • Covers most all algebraic structures preserved by known cryptosystems

  40. Perspective • Help researchers determine the feasibility of various new protocols. • Especially useful when such protocols are needed as a subroutine in a larger crypto-computing function. • Protocol may need output with algebraic value to continue the computation • Simple Non-abelian group-homomorphic encryption: • Seems pretty hard. • Equivalent to fully-homomorphic encryption (/ring).

  41. Thank You

More Related