Tree Homomorphic Encryption with Scalable Decryption Moti Yung Columbia University Joint work with Aggelos Kiayias University of Connecticut
Dec 20, 2015
Tree Homomorphic Encryption with Scalable Decryption
Moti YungColumbia University
Joint work with
Aggelos KiayiasUniversity of Connecticut
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Homomorphic Encryption
)()()( yxEncyEncxEnc
)( vEnc
)(vEnc)(vEnc )(vEnc )(vEnc )(vEnc
Basic Aggregation Operation : a “bush”
The computing server model for Secure Multiparty Computation
• Computing server is a (perhaps distributed) party in the protocol that manages the contributions and delivery of results.
• This model has been applied in voting, auctions and other specialized secure multiparty computations.
• Contributors provide (encrypted) input under the specifications of the protocol (Access control allows them to write a on a bulletin board – Role specification).
• Processing / Aggregation of encrypted contributions by computing server.
• Delivery of results / output decryption.
Computing Server Model: Correctness Aspect
• All valid contributions are included.• No unauthorized contributions are permitted.• Contribution Processing is done according to
specifications.• Auditing & Replication is added to cope with
various faults and failures.
Computing Server Model:Privacy Aspect
• The computation / processing does not leak any information about contributions, beyond what trivially inferred from the public-output.
• Computing servers are honest w.r.t. privacy.• Or, threshold techniques:
– Share decryption capabilities.
– Split contribution.
The Large Scale Setting
)( vEnc
)(vEnc)(vEnc )(vEnc )(vEnc )(vEnc
The “Bush” model insufficient for the large scale:• Load Balancing Issues.• Remote Geographic Locations.• Overlay networks in P2P.
Non-bush approach is needed:
Aggregation over Trees : Scalability
Each nodeImplements a gate forciphertextprocessing
Structure:Imposed by GeographicLoadbalancingparameters
Contributions:
• Bush aggregation of homomorphic encryption consistent with tree deployment: every node is a bush for its children.•Aggregation complexity linear in the number of children nodes
Correctness Aspect across the Tree
• Scaling over tree structure:
Each node is comprisedby set of agents that Collectively ensure theCorrectness aspect of the localNode operation
Scales well over the tree hierarchical structure.
Privacy Aspect
Decryption Agents
)( 1aE
)( 21 aaE
)( 3aE)( 2aE )( 4aE
)( 43 aaE
)( 4321 aaaaE
(...)E
)(... 4321 aaaaE
The BIGGEST brother problem
• Inner nodes in the tree are assuring correctness – no decryption capability.
• Decryption capability shared at the root?– Possible, but all kinds of privacy advocates,
known election experts and election non-experts will protest:
–why should the little guy put his privacy at
the end of the BIGGEST brother?
Does old solutions work?
• Sharing decryption capability to decipher the result at the root among all tree nodes using threshold techniques does not scale.
• But scalability is our primary objective to begin with!
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Idea.
• To solve the BIGGEST brother problem : distribute decryption capability along the tree structure.
• Since aggregation along the tree structure scales – enforce decryption capability to follow the same pattern.
User trustpath
User Perspective
User
nodesthat usertrusts forcorrectness
So: the samenodes must shareDecryptionCapabilityw.r.t.that user’sprivacy.
Our Solution: Tree homomorphic encryption with Scalable Decryption
• Tree is suggested by network architecture, load-balancing parameters, geography, network overlay, etc.
• Spreading Decryption capability across the paths of the tree so that user privacy is not violated unless the whole user trust path is corrupt.
Homomorphic Encryption and Aggregation.
CPREnc : ,,,,, CPRGroups:
)','(),()','( xrEncxrEncxxrrEnc
Embedding of a Z-interval within ,P
Inputs to the computation belong to set of integerValues:
Capacity: length of the Z-interval.
Choices
Homomorphic over randomness is useful for constructinggeneric proofs of knowledge.
Homomorphic Encryption and Aggregation, II
EXAMPLE: Voting among c candidates
},...,,,1{ 12 cMMMChoices
NvotersM #
11
10,...,1
...
cc
Njjj dMMddvChoicesv
jd # of votes won by j-th candidate.
Proofs of Knowledge
ChoicesvvrEnc ,),(
Voter contributes the encryption and a proofOf knowledge.
EXAMPLE: Voting among c candidates, II
Proof possible for genericHomomorphic encryption scheme.
Length = linear in c
Three steps
• Key generation across the tree.
• Encryption of inputs at leaves.
• <Aggregation + decryption> along tree paths.
Key Generation and distribution across user trust paths
• Each node
generates a key
(independently)
Can be threshold
of agents within the
Node.
PublicKeysArePropa-GatedDownTo theUser levelacrossall trustpaths
Blind-and-Share operation
2mod...21 jlj vsssChoicesv lZs ,...,1,
2
l = # of levels
)(),...,(),( 222111 lll sEncsEncsEnc Encryptions of shares:
Capacity Condition: Nccapacity 2
(.)(.),...,(.), 21 lEncEncEnc
Encryption functions of levels for user j
j-th user selects:
consistency
• Encryptions in general are over different domains (each node has independent public-key).
• We need consistency checks to ensure correct blind-and-sharing of the input (independent of the individual domains).
Proof of consistencyEach of the ciphertexts Is accompanied by a commitmentto the plaintext – over the same domain.
l ...21
l ,...,1
l ,...,, 21
Together with a proof of knowledge that ensures:1. Each ciphertext and commitment
hide the same value.2. The aggregation of the commitments
hides a value of the form such that:
2vS},...,0{, cChoicesv
Proof of consistency, II
• It follows that an encrypted contribution
Contains an additive sharing of a value
So that
l ,...,1
2vS
ChoicesS 2mod
Tree Aggregation, II
• Lowest level node obtains the aggregated ciphertext:
…
][...][ 111 VNuu ][...][ 212 VNuu
][...][ 1 VNll uu
VNuu ,...,1
Where
are the usersassigned to thenode V.
Tree Aggregation + Partial Decryption.
…
][...][ 111 VNuu ][...][ 212 VNuu
2mod][,..,1
iNi
l usV
LowestLevel nodeDecrypts theLast entryAnd apply modulooperation:
Lowest level:
the block is propagated to the upper level
Tree Aggregation + Partial Decryption, II
j-th level:
…
][ ...... uj
2mod......
2mod......
…
The j-th level Receives partiallydecrypted entriesFrom its childrenThat are of the form:
j
][ ...1... u
Tree Aggregation + Partial Decryption, III
• The j-th level node aggregate as follows:
…
][ ...... uj
2mod......
2mod......
…
][ ...1... u
…
][ ...... uj
2mod......
2mod......
…
][ ...1... u
2mod
2mod
And decryptThe j-thLevel.
Tree Aggregation + Partial Decryption, IV
• Top level agents, after aggregation and decryption of the top level entry obtain:
…
2mod......
2mod......
2mod......The totally decrypted
Sum of shares:
Output recovery
• THEN: Top level agents recover the results as follows:
…
2mod......
2mod......
2mod......
2mod
This operationReveals the resultOf the procedureIn the form:
2mod][,..,1
iNi
ushares
onscontributi
alliiv
Output Recovery, II• This works because:
…
2mod......
2mod......
2mod......
=
…
][...][][ 1,21,11, 21 Nuuu usususN
][...][][ 2,22,12, 21 Nuuu usususN
][...][][ ,2,1, 21 Nlululu usususN
1uv
2uv Nuv
Tree Homomorphic Encryption with Scalable Decryption:
implementations
• Generic based on any additive homomorphic encryption: Paillier or (modified) ElGamal.– Size of encrypted contribution equals length of
user trust path.
Implementations, II
• Modified ElGamal accepts more efficient implementation of scalable decryption:– Constant size of contribution: independent of
the length of the user trust path.– Onion style decryption.
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Tree Homomorphic Encryption with Onion decryption
• ElGamal-specific case.
• Shortening of contribution encryption size.– Based on: Composition of public-key across
user trust paths.
Initialization/SetupAdditive ElGamal Specific
Setup
Each node creates localpublic key pk=ga.
Global Parameters: G, g, f, h generators of G multiplicative group of prime order q.
Each node computes its local combined_pk by multiplying its local pk with the combined_pk of the parent node.
Submission of Contributions Additive ElGamal Specific
Each user makes a selection v{1, M, M2, ..., Mc-1}and publishes
< g r, (combined_pk)r f v
>
combined_pk is the combined public-key local tothe lowest level node, i.e.
combined_pk=h0 h1 h2 ... hk
where h0 , h1, h2, ... , hk are the local pk’s of the nodesin the user trust path.
r<q is selected at random.
Submission of Contributions, II Additive ElGamal Specific
the user proves that theEncryption <B1, B2> , is formed according to the specifications.
The voter publishes:NIZK[ r : (B1 = gr) ( vC (B2 = (combined_pk)r
f v )]
Tree Aggregation + Decryption by “Onion Peeling”
The low level node multiplies all encrypted contributions point-wise:
is a valid ElGamal encryption of f v
(due to the homomorphic property)under the public-key of all nodesin the user trust path.
THEN: The node “peels-off” its layer of encryption (by doingElGamal Decryption w.r.t. its local private-key.
The process continues recursively up to the top-level node.
< gr, (h0 h1 h2 ... hk)r f v> < gr, (h1 h2 ... hk)r f v>
Output
The top node receives the tally T = f v
The space of all possible values for v is of sizeO(nc-1) and as a result it can be found in timeO(nc-1). Using the baby-step giant-step methodthis can be improved to O(n(c-1)/2)
Recovery of output:
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Application To E-Voting:“Scalable” Secret Ballot Elections
• Arbitrary elections’ structure, size and distributions• Security properties scale in parallel to the electionsstructure
Outline
• The “computing server model” and scalability.
• Tree homomorphic encryption with scalable decryption.
• The onion-decryption case.
• Application to E-voting.
• Conclusions.
Conclusions• Tree Homomorphic Encryption with Scalable Decryption.
• motivated by load-balancing / network topology geography constraints / overlay P2P networks.
• Assuming multi-level trust can eliminate big brother presence.
• Further increase of security possible by employing “paranoid security” or “multi-path election”
• Future applications?