Transcript scws2 6656

Algebraic Lower Bounds for
Computing on Encrypted Data
Rafail Ostrovsky
William E. Skeith III
Non-Interactive Crypto-Computing
A wants to distribute computation of f to B
Diagram: A holds X and sends E(X) to B; B holds Y and applies g to compute
g(E(X),Y) = E(f(X,Y))
Homomorphic Encryption and CC
• Homomorphic encryption is a very natural
starting point, and the primary tool for
many CC protocols:
• Let f be a function, and A some algebraic
structure.
– If f can be computed by the algebra of A and A
is preserved via homomorphic encryption,
– Then we have non-interactive CC of f
Algebraic Non-Interactive CC
• Main question: which crypto-computing functions
can we implement using known homomorphic
cryptosystems?
• For a given algebraic structure, what can
be accomplished with algebraic
computation?
Examples We’ll Study
• In an algebraic setting, we address the
following:
– Private Database Modification
– Homomorphic PIR Protocols
– Private Keyword Search
Algebraic Private Database
Modification [BKOS]
Diagram: user U sends a modification message M_i = (g_1, g_2, …, g_m) to the DB, which holds X = (X_1, X_2, X_3, …, X_n) and computes
X' = F(x_1, …, x_n, g_1, …, g_m, h_1, …, h_r)
All g_j, x_i, h_k ∈ A, and F is some "algebraic" function
Homomorphic PIR Protocols
[BGN,KO]
Diagram: user U sends a query Q_i = (g_1, g_2, …, g_m) to the DB, which holds X = (X_1, X_2, X_3, …, X_n) and returns
(x_{j_1}, …, x_{j_l}) = F_X(g_1, …, g_m, h_1, …, h_r)
All g_j, h_k ∈ A, and F_X is some "algebraic" function
determined by the database X ∈ A^n
Manuscript (2002) of Sander, et al.
• Result uses techniques of Ben-Or.
• Cryptosystem from manuscript was broken… however, an interesting
question is asked:
Two Results
• A positive result:
– Homomorphic encryption over any simple non-abelian
group is equivalent to fully homomorphic encryption
(preserving a ring).
– Homomorphic encryption over any simple non-abelian
group is equivalent to non-interactive CC.
• A family of negative results (i.e., lower bounds):
– Using the algebras preserved by existing
cryptosystems, we can show lower bounds for
homomorphic PIR, database modification,
characteristic vectors…
Our First Result:
• For any non-abelian simple group, the
following holds: Any circuit with N gates
can be replaced by a circuit of size O(N)
that uses only the group operation to
simulate gates (wires will carry group
elements).
• Example: for A5, we can represent a NAND gate with ≈ 50
group operations (this may not be minimal…).
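A concrete instance of this simulation, added here as an illustration and not taken from the talk or the paper: Python that builds A5 as the even permutations of five points, searches for constants a, b in one A5 conjugacy class whose commutator lies in the same class, and evaluates a NAND gate using only the group operation (inverses are powers of the element, so they are group operations too). The bit encoding (0 ↦ identity, 1 ↦ a), the helper names and the way operations are counted are this example's own choices; the slide's figure of ≈ 50 operations comes from the authors' accounting, not from this code.

```python
# Added example (not from the talk): Barrington-style simulation of a NAND gate
# using only the group operation of A5, the smallest non-abelian simple group.
# Bits are encoded as group elements: 0 -> identity, 1 -> a fixed element A.
from itertools import permutations

N_POINTS = 5

def compose(p, q):
    """Product p*q of permutations given as tuples of images: apply q, then p."""
    return tuple(p[q[i]] for i in range(N_POINTS))

def inverse(p):
    inv = [0] * N_POINTS
    for i, image in enumerate(p):
        inv[image] = i
    return tuple(inv)

def is_even(p):
    """A permutation is even iff it has an even number of inversions."""
    inversions = sum(1 for i in range(N_POINTS)
                     for j in range(i + 1, N_POINTS) if p[i] > p[j])
    return inversions % 2 == 0

IDENTITY = tuple(range(N_POINTS))
A5 = [p for p in permutations(range(N_POINTS)) if is_even(p)]  # 60 elements

def conjugate(s, x):
    """s * x * s^-1."""
    return compose(compose(s, x), inverse(s))

def commutator(x, y):
    """x * y * x^-1 * y^-1: the identity whenever x or y is the identity."""
    return compose(compose(x, y), compose(inverse(x), inverse(y)))

def find_conjugator(x, y):
    """Return s in A5 with s*x*s^-1 == y, or None if x and y are not A5-conjugate."""
    for s in A5:
        if conjugate(s, x) == y:
            return s
    return None

def find_gate_constants():
    """Search for a and b in one A5 conjugacy class whose commutator c is again
    in that class (such pairs exist because A5 is non-abelian simple).
    Returns (a, s, t) with b = s*a*s^-1 and a = t*c*t^-1."""
    for a in A5:
        if a == IDENTITY:
            continue
        class_of_a = {conjugate(s, a) for s in A5}
        for b in class_of_a:
            c = commutator(a, b)
            if c in class_of_a:
                return a, find_conjugator(a, b), find_conjugator(c, a)
    raise RuntimeError("no suitable constants found")

A, S, T = find_gate_constants()

def encode(bit):
    return A if bit else IDENTITY

def decode(x):
    return 1 if x == A else 0

def gate_and(x, y):
    """x, y in {identity, A}. Re-encode y as {identity, B}; the commutator is the
    identity unless both inputs are 1, when it is C; conjugating by T maps C to A."""
    return conjugate(T, commutator(x, conjugate(S, y)))

def gate_not(x):
    """A * x^-1 swaps identity and A."""
    return compose(A, inverse(x))

def gate_nand(x, y):
    return gate_not(gate_and(x, y))

def nand_table():
    """Evaluate NAND on every input pair through the group and decode the result."""
    return {(p, q): decode(gate_nand(encode(p), encode(q)))
            for p in (0, 1) for q in (0, 1)}

if __name__ == "__main__":
    print(nand_table())  # {(0, 0): 1, (0, 1): 1, (1, 0): 1, (1, 1): 0}
```

The search confirms that a suitable pair of constants exists in A5 rather than hard-coding one; any non-abelian simple group admits such a pair, which is what lets the wires carry group elements in place of bits. Only the truth table is checked here; the multiplication count of this code is not the talk's count.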
More Formally:
Our Second Result: Overview
• We’ll make an abstract algebraic observation
• From the observation, we’ll derive:
• Ω(n) bounds (over an abelian group)
– algebraic private database modification
– homomorphic PIR
• Bounds on conjunctive queries in the keyword
search of [OS,BSW]
• First, a few definitions...
Characteristic Vectors over a
Group
• Let G be a group. We'll call v ∈ G^n a
characteristic vector if v is non-identity in
precisely one position:
• v = (id_G, id_G, …, x ≠ id_G, id_G, …, id_G)
• Let V = {v_i}_{i∈[n]} be a complete set of such
vectors.
Question
• What is the inherent communication
involved in “algebraic” functions that
generate characteristic vectors?
• We'll reduce all of our algebraic crypto-computing protocols to this basic
functionality.
Idea: Generating Char. Vectors
∃ F: G^m → G^n, an "algebraic" function s.t.
for each i ∈ [n],
∃ w_i = (g_1, …, g_m) with F(w_i) = v_i
An Algebraic Observation
• Let A and G be abelian groups.
• Let F: A → G^n be an "affine" group map,
i.e.,
F = f + c, where
f ∈ Hom_Z(A, G^n) and c ∈ G^n.
• Then if V ⊆ F(A), we have
log(|A|) ∈ Ω(n)
Difficulties
• Can’t we use linear algebra to immediately
prove the theorem?
• The most naturally occurring instance (in
cryptography) is the case of A=Gm
• If G were a field, this would be an easy linear-algebra
dimension argument, but this is not generally the case
(G is only assumed to be an abelian group).
• Even with G cyclic, we can still succeed with m=1.
(I.e., we can specify characteristic vectors by
communicating only a single group element.)
Example: m=1
Other Non-productive Ideas: Affine
to Linear
• Recall that F=f+c is “affine”, and let m denote the
number of group elements communicated.
• One might think that the problem could be
rephrased as linear by just incrementing m to
account for c 2 Gn.
• However, to model the affine map, you in
general need to increase m by a non-constant
amount (consider non-cyclic G).
• Certainly, it doesn’t seem to be the “right”
approach.
The “Right” Approach:
• Stay abstract.
– Dimension is irrelevant
– Will give a stronger result.
– Takes care of typical cases nicely, but will
actually be quite a bit more general (rules out
End(G), etc…)
Lemma
Proof of Lemma
Proof of Theorem (Idea)
• Idea: show that ⟨V⟩ is a Z_|A|-module, and
apply the Lemma.
• Recall that in an abelian group
– ord(a+b)|lcm(ord(a),ord(b))
• And in any group,
– ord((a,b)) = lcm(ord(a),ord(b))
– ord(f(a))|ord(a)
Proof of Theorem (1 of 2)
• Let F = f + c be affine, from A → G^n, define V
as before, and let c = (c_1, …, c_n).
• Define V' = {v_i − c}_{i∈[n]}. (Note: V' ⊆ f(A))
• All elements of V' have order dividing |A|
• ⇒ all c_i, and therefore c, have order dividing |A|.
• Since A, G abelian, we have that all of V
has elements of order dividing |A|.
Proof of Theorem (2 of 2)
• Since all elements of ⟨V⟩, ⟨V'⟩ have
order dividing |A|, they are in fact Z_|A|-modules.
• Set R = Z_|A| and M = ⟨V ∪ V'⟩ and apply the
lemma to yield:
2^n ≤ |⟨V'⟩|·|A| ≤ |A|^2, and hence
log(|A|) ∈ Ω(n)
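The two proof slides condensed into one chain of inequalities, as an added worked derivation that is not the original slides' text. The Lemma's statement is not captured in this transcript, so the counting step |⟨V⟩| ≥ 2^n is argued directly from the disjoint supports of the v_i; that is the one place where this derivation stands in for the Lemma. Everything else follows the slides' own steps (order of a coordinate divides the order of the vector, ord(f(a)) | ord(a)), and n ≥ 2 is assumed so that a position j ≠ i exists.

$$
\begin{aligned}
&v_i = (\mathrm{id}_G,\dots,x_i,\dots,\mathrm{id}_G),\ x_i \neq \mathrm{id}_G \text{ in position } i;\quad
\langle V\rangle \cong \langle x_1\rangle \times \cdots \times \langle x_n\rangle
\ \Rightarrow\ |\langle V\rangle| = \prod_{i=1}^{n}\mathrm{ord}(x_i) \ge 2^n.\\[4pt]
&V' = \{v_i - c\}_{i\in[n]} \subseteq f(A)
\ \Rightarrow\ \langle V'\rangle \le f(A)
\ \Rightarrow\ |\langle V'\rangle| \le |f(A)| \le |A|;\qquad
v_i - c = f(a_i) \Rightarrow \mathrm{ord}(v_i - c) \mid \mathrm{ord}(a_i) \mid |A|.\\[4pt]
&\text{For } j \neq i:\ (v_i - c)_j = -c_j,\ \text{so } \mathrm{ord}(c_j) \mid \mathrm{ord}(v_i - c) \mid |A|
\ \Rightarrow\ \mathrm{ord}(c) = \operatorname{lcm}_j \mathrm{ord}(c_j) \mid |A|.\\[4pt]
&v_i = (v_i - c) + c
\ \Rightarrow\ \langle V\rangle \le \langle V'\rangle + \langle c\rangle
\ \Rightarrow\ |\langle V\rangle| \le |\langle V'\rangle|\cdot\mathrm{ord}(c) \le |\langle V'\rangle|\cdot|A|.\\[4pt]
&\text{Combining: } 2^n \le |\langle V\rangle| \le |\langle V'\rangle|\cdot|A| \le |A|^2
\ \Rightarrow\ \log_2|A| \ge n/2,\ \text{i.e. } \log(|A|) \in \Omega(n).
\end{aligned}
$$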
Consequences
• Over an abelian group,
– Algebraic private modification of an encrypted
database: Ω(n)
– Homomorphic PIR protocols: Ω(n)
– Impossibility of conjunctive queries in the
keyword search of [OS,BSW]
• Using polynomials of total degree t, bounds
become Ω(n^{1/t})
Algebraic Private Database
Modification [BKOS]
Diagram: user U sends a modification message M_i = (g_1, g_2, …, g_m) to the DB, which holds X = (X_1, X_2, X_3, …, X_n) and computes
X' = F(x_1, …, x_n, g_1, …, g_m, h_1, …, h_r)
All g_j, x_i, h_k ∈ A, and F is some "algebraic" function
Algebraic Database Modification
Implies Characteristic Vectors
• Let X be a database consisting of idG in all
locations.
• Apply F(X, M_i, H) → X'
• X’ = vi will be a characteristic vector.
Homomorphic PIR Protocols
[BGN,KO]
Diagram: user U sends a query Q_i = (g_1, g_2, …, g_m) to the DB, which holds X = (X_1, X_2, X_3, …, X_n) and returns
(x_{j_1}, …, x_{j_l}) = F_X(g_1, …, g_m, h_1, …, h_r)
All g_j, h_k ∈ A, and F_X is some "algebraic" function
determined by the database X ∈ A^n
Homomorphic PIR Implies
Characteristic Vectors
• For a moment, suppose the protocol
returns an encryption of a single element.
• Let V = {v_i}_{i=1}^{n} be a complete set of
characteristic vectors over G^n.
• Define databases X_i = v_i for i ∈ [n].
• If Q_i queries position i, then
(F_{X_1}(Q_i, H), …, F_{X_n}(Q_i, H))
will be non-identity exactly in position i.
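The m = 1 remark from the "Difficulties" slide (a single element of a cyclic G suffices to specify characteristic vectors) and the reduction on this slide, both in one added Python example that is not from the talk or the paper. It takes A = G = Z_N with N a product of n distinct primes (a constructed choice), the linear map F(g)_j = (N/p_j)·g, witnesses w_i = N/p_i, checks that the theorem's bound log|A| ≥ n/2 is respected, and then uses the same map as a toy plaintext "algebraic PIR" with a one-element query, on which the reduction to characteristic vectors is run. The prime list, function names and sample database are this example's assumptions; encryption is omitted because the lower-bound argument concerns only the algebraic map.

```python
# Added example (not from the talk): an m = 1 characteristic-vector generator
# over the cyclic group Z_N, reused as a toy single-answer "algebraic PIR",
# plus the PIR -> characteristic vectors reduction run on it.
from math import log2, prod

PRIMES = [2, 3, 5, 7, 11, 13, 17, 19]   # n = 8 distinct primes (constructed)
N = prod(PRIMES)                         # A = G = Z_N, a cyclic group
n = len(PRIMES)

def char_vector_map(g):
    """Linear (so affine with c = 0) map F: Z_N -> Z_N^n, F(g)_j = (N/p_j)*g mod N.
    Coordinate j vanishes exactly when p_j divides g."""
    return tuple((N // p) * g % N for p in PRIMES)

def witness(i):
    """w_i = N/p_i is divisible by every prime except p_i, so F(w_i) is
    non-identity only in position i: a single group element specifies v_i."""
    return N // PRIMES[i]

def support(vec):
    """Positions where a vector over Z_N is non-identity (non-zero)."""
    return [j for j, x in enumerate(vec) if x != 0]

def all_characteristic():
    """True iff F(w_i) is a characteristic vector for every i in [n]."""
    return all(support(char_vector_map(witness(i))) == [i] for i in range(n))

def bound_holds():
    """The theorem's proof gives 2^n <= |A|^2, i.e. log2|A| >= n/2; check it here."""
    return log2(N) >= n / 2

# --- toy single-answer PIR built from the same gadget ----------------------
def pir_query(i):
    """User communication: one group element, Q_i = w_i."""
    return witness(i)

def pir_answer(X, q):
    """Server computes F_X(q) = sum_j X_j * (N/p_j) * q mod N, an 'algebraic'
    function determined by the database X in Z_N^n; only coordinate i survives."""
    return sum(x * (N // p) * q for x, p in zip(X, PRIMES)) % N

def pir_decode(i, ans):
    """Recover X_i mod p_i: ans = X_i * (N/p_i)^2 mod N and N/p_i is a unit mod p_i."""
    p = PRIMES[i]
    u = (N // p) % p
    return ans * pow(u * u, -1, p) % p

def reduction_vector(i):
    """The slide's reduction: databases X_k = v_k (identity everywhere except a 1
    in position k); the vector (F_{X_1}(Q_i), ..., F_{X_n}(Q_i)) is then
    non-identity exactly in position i."""
    q = pir_query(i)
    vec = []
    for k in range(n):
        X_k = [0] * n
        X_k[k] = 1
        vec.append(pir_answer(X_k, q))
    return tuple(vec)

def reduction_is_characteristic():
    """True iff the reduction yields a characteristic vector for every query index."""
    return all(support(reduction_vector(i)) == [i] for i in range(n))

if __name__ == "__main__":
    sample_db = [3, 1, 4, 1, 5, 9, 2, 6]          # constructed database
    print(all_characteristic(), bound_holds(), reduction_is_characteristic())
    print(pir_decode(5, pir_answer(sample_db, pir_query(5))))  # 9
```

The point to take from the run is that m = 1 does not contradict the theorem: the single element lives in a group of size N = ∏ p_j, so log|A| still grows linearly in n, which is exactly what the bound measures. The reduction function never looks inside the PIR; it only needs F_X to be an algebraic map of the database, so the same code applies to any single-answer PIR of this form.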
Non-singleton Query Returns
• It may be the case that a PIR query
returns many database values, as long as
the right value is at a predictable location
in the result (e.g. [KO]).
• More generally, we can prove the following
algebraic claim:
Claim
• Let V = {v_i}_{i=1}^{n} be a complete collection of
characteristic-type vectors, except…
v_i can be non-identity in up to w(n) locations for
any positive function w.
• Then if V ⊆ F(A), we have that:
log(|A|) ∈ Ω(n/w(n))
General Case: Homomorphic PIR
Implies Characteristic Vectors
• Suppose that the query returns k values.
• Define f_i(g_1, …, g_m) = Σ_{j=1}^{k} (F_{X_i}(g_1, …, h_r))_j
• (f_1(g_1, …, g_m), …, f_n(g_1, …, g_m)) will be non-identity in at most k positions
• ⇒ user communication is Ω(n/k(n))
• Server communication is clearly at least
k(n), so we are done.
Other Types of Cryptosystems
• Recently there has been a lot of attention
on bilinear maps in cryptography.
• The work of [BGN] demonstrates a
cryptosystem that allows polynomials of
total degree 2 to be evaluated on
ciphertext.
Polynomials of Bounded Total
Degree
• We can prove an extension of our original
algebraic result, which will give similar
bounds on the utility of total degree t
polynomials. (even for t>2)
Corollary
Proof Idea
• The number of monomials in an m-variable polynomial of total degree t is
O(m^t).
• Simulate such a polynomial with a total
degree 1 polynomial in O(m^t) variables.
• Apply initial theorem to the abelian group
(R,+).
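The corollary's counting carried through with the slide's parameters, as an added derivation that is not from the original slides. R denotes the ring whose degree-t polynomials the cryptosystem can evaluate on ciphertext, m the number of group elements the user sends, and |R| is treated as fixed; the theorem is used in the form log|A| ≥ n/2 that its proof gives.

$$
\begin{aligned}
&\#\{\text{monomials of total degree} \le t \text{ in } m \text{ variables}\} = \binom{m+t}{t} \le (m+1)^t = O(m^t).\\[4pt]
&\text{A degree-}t\text{ polynomial } P(g_1,\dots,g_m) = \sum_{\alpha} r_\alpha\, g^{\alpha}
\text{ is affine in the monomial vector } (g^{\alpha})_\alpha \in R^{\binom{m+t}{t}}.\\[4pt]
&\text{Apply the theorem with } A = \Big(R^{\binom{m+t}{t}},+\Big):\qquad
\binom{m+t}{t}\,\log|R| = \log|A| \ge n/2.\\[4pt]
&\text{Hence } (m+1)^t \ge \frac{n}{2\log|R|},\ \text{so } m \in \Omega\!\big(n^{1/t}\big)\ \text{for fixed } |R|;
\quad t = 2 \text{ gives the } \Omega(n^{1/2}) \text{ bound for protocols over [BGN].}
\end{aligned}
$$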
More General Results
• If given the ability of computation of
polynomials of total degree t, we obtain
similar bounds, only n → n^{1/t}
• In particular, this corollary gives Ω(n^{1/2})
bounds when applied to algebraic
protocols based on the cryptosystem of
[BGN] (this matches the upper bound for
database modification seen in [BKOS]).
Generality of Results
• The algebraic assumptions may seem
quite rigid, but are often appropriate in
crypto-computing settings.
• From an algebraic point of view however, they
are very general:
– Incorporates all algebraic formulas, but also
many other types of maps (formulas with
End(G), changing representations, etc…).
– Covers almost all algebraic structures
preserved by known cryptosystems
Perspective
• Help researchers determine the feasibility of
various new protocols.
• Especially useful when such protocols are needed as a
subroutine in a larger crypto-computing function.
– Protocol may need output with algebraic value to
continue the computation
• Simple Non-abelian group-homomorphic
encryption:
– Seems pretty hard.
– Equivalent to fully-homomorphic encryption (preserving a ring).
Thank You