
Cloud Security for Real This Time: Homomorphic Encryption and the Future of Data Privacy

Craig Stuntz
February 27, 2014


Transcript

  4. What If?

  5. Cloud Security for Real This Time: Homomorphic Encryption and the Future of Data Privacy
    Craig Stuntz
    Improving Enterprises

  6. https://speakerdeck.com/craigstuntz

  7. TLS Changed the Internet

  8. Browser
    Server Application
    TLS: Safe (mostly!), but must decrypt to do business

  9. What if it’s stolen?

  10. Consumer
    “I don’t want my personal information stolen.”
    “I’d rather not have to install software to manage my finances.”
    Cloud Service Provider
    “I don’t want the data I store to make me a target.”
    “I can protect my business methods by not redistributing my code.”

  11. Homomorphic Encryption In a Nutshell
    [Diagram labels: Client, Server, Data Cyphertext, Result Cyphertext, Homomorphic Computation, Data Plaintext, Result Plaintext]

  12. Rot-13!

  13. Awesoma Powa!

  14. Let’s launch a startup!
    concatenatr
    Join us!

  15. (Using Goldwasser and Micali’s algorithm developed 20 years earlier)

  16. Unpadded RSA
    = mod
    1
    ∙ 2
    = 1
    mod ∙ (2
    mod )
    = (1
    ∙ 2
    ) mod
    = 1
    ∙ 2
    mod
    = E(1
    ∙ 2
    )

  17. Pivot!
    multiplir
    We make products
    Awesome!
    Now add.
    Uhhh….
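
The multiplicative property from the Unpadded RSA slide, next to the additive property of the Paillier system that a later slide names, as an added example that is not from the original deck. The toy primes, function names and sample values are constructed for illustration.

```python
import math
import secrets

P, Q = 1009, 1013                  # constructed toy primes, far too small for real use

def rsa_keygen(p=P, q=Q, e=65537):
    n = p * q
    d = pow(e, -1, (p - 1) * (q - 1))       # private exponent
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    n, e = pub
    return pow(m, e, n)                     # no padding: deterministic and malleable

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def rsa_multiply(pub, c1, c2):
    return c1 * c2 % pub[0]                 # E(m1) * E(m2) = E(m1 * m2 mod n)

def paillier_keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)
    return n, (n, lam, pow(lam, -1, n))     # public n (g = n + 1), private (n, lam, mu)

def paillier_encrypt(n, m):
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:              # r must be a unit modulo n
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)   # (n + 1)^m = 1 + m*n mod n^2

def paillier_decrypt(priv, c):
    n, lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

def paillier_add(n, c1, c2):
    return c1 * c2 % (n * n)                # E(m1) * E(m2) = E(m1 + m2 mod n)

def demo(a=123, b=456):
    pub, priv = rsa_keygen()
    product = rsa_decrypt(priv, rsa_multiply(pub, rsa_encrypt(pub, a), rsa_encrypt(pub, b)))
    n, ppriv = paillier_keygen()
    total = paillier_decrypt(ppriv, paillier_add(n, paillier_encrypt(n, a), paillier_encrypt(n, b)))
    return product, total                   # both computed on ciphertexts only

if __name__ == "__main__":
    print(demo())
```

Each scheme supports one operation only, which is the gap the Pivot slide points at. The same property makes unpadded RSA ciphertexts malleable, and the padding used in deployed RSA removes it.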

  18. Fully Homomorphic Encryption
    • Multiply
    • Add, subtract, exponents, etc.
    • Doesn’t have to be (quite) Turing complete
    • Conditional branching and loops, of a sort
    • Cannot perform conditional jumps based on (encrypted) user input

  19. Functional Completeness and Universal Gates
    • NAND
    • NOR
    • AND and NOT
    • XOR and AND

  20. Addition, Multiplication
    Over GF(2)
    + 0 1
    0 0 1
    1 1 0
    * 0 1
    0 0 0
    1 0 1

  21. > def choose(first, second, choose_first):
    ..     return first if choose_first else second
    ..
    > choose(True, False, True)
    => True
    > choose(True, False, False)
    => False
    [Diagram labels: first, choose_first, second]

  22. > def my_factorial(n):
    ..     result = 1
    ..     # trip count depends on n
    ..     while n > 1:
    ..         result *= n
    ..         n -= 1
    ..     return result
    > def my_factorial_less_than_20(n):
    ..     result = 1
    ..     # fixed trip count: n only selects the multiplier, never the loop bound
    ..     for i in range(2, 20):
    ..         result *= 1 if i > n else i
    ..     return result
    > my_factorial_less_than_20(4)
    => 24
    > my_factorial_less_than_20(100)
    => 121645100408832000L
    > my_factorial_less_than_20(1000)
    => 121645100408832000L
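
The choose gate and the fixed-length factorial from the two slides above, rebuilt from nothing but XOR and AND (addition and multiplication over GF(2)), as an added example that is not from the original deck. Plain 0/1 integers stand in for encrypted bits, and every helper name other than choose is an assumption.

```python
def xor(a, b):                      # addition over GF(2)
    return (a + b) % 2

def and_(a, b):                     # multiplication over GF(2)
    return (a * b) % 2

def choose(first, second, choose_first):
    # Branch-free multiplexer: second + choose_first * (first + second)
    return xor(second, and_(choose_first, xor(first, second)))

def to_bits(x, width):              # little-endian bit list
    return [(x >> i) & 1 for i in range(width)]

def from_bits(bits):
    return sum(b << i for i, b in enumerate(bits))

def choose_word(first, second, choose_first):
    return [choose(f, s, choose_first) for f, s in zip(first, second)]

def greater_than(a, b):
    gt = 0
    for x, y in zip(a, b):          # LSB to MSB; a differing higher bit overrides
        gt = choose(x, gt, xor(x, y))
    return gt

def add(a, b):                      # ripple-carry adder, result modulo 2**width
    carry, out = 0, []
    for x, y in zip(a, b):
        out.append(xor(xor(x, y), carry))
        carry = xor(and_(x, y), and_(carry, xor(x, y)))
    return out

def mul(a, b):                      # shift-and-add multiplier, modulo 2**width
    width, acc = len(a), [0] * len(a)
    for i, bit in enumerate(b):
        partial = [0] * i + [and_(x, bit) for x in a[:width - i]]
        acc = add(acc, partial)
    return acc

def factorial_below(n, bound=20, width=64):
    # Same shape as my_factorial_less_than_20: the trip count is public and
    # the comparison result only feeds choose, never a jump.
    n_bits, one = to_bits(n, width), to_bits(1, width)
    result = one
    for i in range(2, bound):
        i_bits = to_bits(i, width)
        factor = choose_word(one, i_bits, greater_than(i_bits, n_bits))
        result = mul(result, factor)
    return from_bits(result)
```

Every loop here runs a number of times fixed by the public width and bound, so the sequence of gates evaluated is the same for every input value.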

  23. Fast!
    Turing Complete*
    Strong Encryption
    Practical Homomorphic Encryption

  25. Craig Gentry
    IBM Research

  26. [Diagram labels: Result Cyphertext, Output, Homomorphic reencryption algorithm, Bootstrap, Lossy, Multiply, Lossless, Add, Data Cyphertext, Input]

  27. E(E(E(plaintext)))
    E(E(plaintext))
    E(plaintext)
    Plaintext
    Bootstrappable Encryption

  28. Patent Encumbrance
    • “Nevertheless, the authors of this method to concede that making this scheme practical remains an open problem.”
    • “There exist well known solutions for secure computation of any function… It seems hard to apply these methods to complete continuous functions or represent Real numbers, since the methods inherently work over finite fields.”
    • “An encryption scheme with these two properties is called a homomorphic encryption scheme. The Paillier system is one homomorphic encryption scheme, but more ones [sic] exist.”

  29. Limitations
    • Server doesn’t have data to, e.g. hand off to third parties
    • Some fully homomorphic cryptosystems are relatively untested and security not proven. (Both in terms of algorithms and implementation.)
    • Space issues
    • Algorithms which operate on homomorphically encrypted data are, for now, anyway, computationally expensive
    • Client complexity and deployment
    • Not always clear when to choose fully homomorphic algorithms.
    • Not a cure-all. Metadata and side-channels still a problem
    • Moving target!
    • Patent encumbered

  30. CryptDB
    • Query-based encryption
    • Requires no changes to DB server
    • Tested on phpBB, OpenEMR, TPC-C, etc.
    • Only 14-26% slower than unmodified apps.

  31. Zero Knowledge Proof
    Image: Wikimedia Commons / User:Dake

  32. 2 Party Secure Computation
    Alice: Sends c = E(x) to Bob
    Bob: Computes and sends c’ = E(f(x,y)), ZKP of c’ correctness to Alice
    Alice: Decrypt c’, compute ZKP of valid decryption, and return both to Bob

  33. The Future?

  34. Further reading
    • Computing Arbitrary Functions of Encrypted Data, by Craig Gentry. Communications of the ACM, Vol. 53, No. 3
    • Building the Swiss Army Knife, by Boaz Barak and Zvika Brakerski
    • HElib (source code)
    • CryptDB: Processing Queries on an Encrypted Database, by Raluca Ada Popa, Catherine M.S. Redfield, Nickolai Zeldovich, and Hari Balakrishnan
