Slide 1

Cloud Security, for Real This Time: Homomorphic Encryption and the Future of Data Privacy. Need to get a sense of the audience's experience. Define HE? (Explain how it works? How it is implemented?) Will cover 1) the definition, 2) why it matters, 3) implementation details, 4) real-world use.

Slide 2

Slides: https://speakerdeck.com/craigstuntz

Slide 3

TLS Changed the Internet. Remember? Define SSL/TLS? It changed everything.

Slide 4

Browser / Server / Application. TLS: safe (mostly!), but the server must decrypt to do business. TLS gives you 1) some assurance that you are connecting to the right server, and 2) some protection from man-in-the-middle attacks. Good enough for shopping?

Slide 5

What if it's stolen? The card isn't the end of the world. Your PII? Snowden?

Slide 6

My New Business: ask for your income, your children's SSNs, what you spend on health care, your bank account passwords, etc., and give you pretty charts.

Slide 8

Threat Model

Slide 9

Advanced Persistent Threats? We are asking for PII, so we have to consider the threat model.

Slide 10

Criminals? However…

Slide 11

Idiots? Most dangerous?

Slide 12

Uh oh. Is it even possible to build this kind of business? Home Depot did a lot wrong, sure, but banks that ran pretty clean shops have also suffered major data exfiltration. We need a way out.

Slide 13

Symmetry

Consumer: Protect PII; Zero Install
Cloud Service Provider: Nothing to Steal; Frequent Site Visits

Look at what the customer wants and what you want, and note the symmetry. Symmetry in software = opportunity!

Slide 14

What if? How can I prepare your taxes without asking for the data, at least not in readable form? You could encrypt it and not give me the key, but then how do I perform useful computations?

Slide 18

Homomorphic Encryption in a Nutshell. Client: data plaintext is encrypted to data ciphertext and sent to the server. Server: computation runs on the data ciphertext and produces a result ciphertext. Client: the result ciphertext is decrypted to the result plaintext. Define plaintext, ciphertext, computation (hand waving). Secure! No key exchange: the keys stay on the client. Ciphertext should be indistinguishable from random bits. Considered maybe impossible for a long time; that changed in 2009. How? Stop me now if the terms don't make sense.

Slide 19

Rot-13! How can this possibly work? Warm-up.

Slide 20

Awesoma Powa! Plaintext in the top row, ciphertext in the middle. Note the symmetries. The homomorphic operation doesn't have to be the same as the corresponding non-homomorphic operation, but in this case it is. We'll look at stronger choices later, but first…

Slide 21

Let's launch a startup! concatenatr! Join us! New business: cloud-based, privacy-preserving concatenation of strings. Get the VC $$$$, the foosball table… But there's a problem with this idea. Why won't this work? You'll never guess…

Slide 22

(Using Goldwasser and Micali's algorithm, developed 20 years earlier.) Stupidly enough, it's patented (by SAP). Cryptographers have been working on HE for a long time. Goldwasser and Micali won the Turing Award, but for semantic security, not HE. I chose the concat example as a simple joke and found the patent later. The security industry may or may not have noticed HE, but patent lawyers have!

Slide 23

Unpadded RSA. Back to the drawing board; we need a different algorithm. NB: unpadded RSA is insecure! Simple, but insecure. Cryptosystem security is an end-to-end pipeline, not a single algorithm. Feel free to ignore the algebra; the point is

Slide 26

Pivot! multiplir! We make products. Awesome! Now add. Uhhh…. Cloud-based, privacy-preserving multiplication. Get the VC $$$, front page of Hacker News, then… Can we do better? What do we really need?
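The two toy schemes from the ROT-13 and multiplir slides, worked through in code. This is an added example, not code from the talk: it uses the textbook RSA key n = 61 * 53 (e = 17, d = 2753) so the numbers are small enough to follow, and Python's built-in rot_13 codec. Each scheme is homomorphic for exactly one operation, which is the whole point of the "now add… uhhh" pivot: multiplying two RSA ciphertexts yields the ciphertext of the product, but adding them yields garbage. This same malleability is one of the reasons unpadded RSA is not a secure cryptosystem, as the slide says; padding schemes exist precisely to destroy it.

```python
import codecs

# --- ROT-13 is homomorphic with respect to string concatenation ----------
def rot13_encrypt(plaintext):
    return codecs.encode(plaintext, "rot_13")

rot13_decrypt = rot13_encrypt          # ROT-13 is its own inverse

def concat_ciphertexts(c1, c2):
    # "concatenatr": the server joins ciphertexts without ever seeing plaintext
    return c1 + c2

# --- Unpadded RSA is homomorphic with respect to multiplication ----------
def rsa_toy_keypair():
    """Textbook toy key (Wikipedia's worked example); a real key is 2048+ bits."""
    p, q = 61, 53
    n = p * q                          # 3233
    phi = (p - 1) * (q - 1)            # 3120
    e = 17
    d = pow(e, -1, phi)                # 2753; modular inverse needs Python 3.8+
    return (n, e), (n, d)

def rsa_encrypt(pub, m):
    n, e = pub
    assert 0 <= m < n, "plaintext must be smaller than the modulus"
    return pow(m, e, n)                # no padding: deterministic and malleable

def rsa_decrypt(priv, c):
    n, d = priv
    return pow(c, d, n)

def multiply_ciphertexts(pub, c1, c2):
    """E(a) * E(b) = a^e * b^e = (a*b)^e (mod n) = E(a*b): the 'multiplir' service."""
    n, _ = pub
    return (c1 * c2) % n

def demo():
    pub, priv = rsa_toy_keypair()
    a, b = 7, 11
    ca, cb = rsa_encrypt(pub, a), rsa_encrypt(pub, b)
    product = rsa_decrypt(priv, multiply_ciphertexts(pub, ca, cb))   # 77
    # The product of plaintexts must stay below n for the identity to hold.
    # Addition is a different story: there is no identity for E(a) + E(b).
    n, _ = pub
    bogus_sum = rsa_decrypt(priv, (ca + cb) % n)
    return product, bogus_sum == a + b

if __name__ == "__main__":
    print(rot13_decrypt(concat_ciphertexts(rot13_encrypt("foo"), rot13_encrypt("bar"))))
    print(demo())
```

The result of the plaintext multiplication must stay below n, otherwise the product wraps modulo n and the decrypted value is wrong; a real service would need to bound its inputs accordingly.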

Slide 32

Fully Homomorphic Encryption
• Multiply
• Add, subtract, exponents, etc.
• Doesn't have to be (quite) Turing complete
• Conditional branching and loops, of a sort
• Cannot perform conditional jumps based on (encrypted) user input

What operations do I really need? Must be able to write any program, but not necessarily execute arbitrary programs. Customer and service provider agree on the service in advance. What operations give me all of the above? (Cannot perform a conditional on encrypted data…) => Branch prediction won't work!

Slide 34

Functional Completeness and Universal Gates
• NAND
• NOR
• AND and NOT
• XOR and AND

We need a new kind of computer. We want to compute anything, not just *! Let's start from the basics: logic gates! If we have homomorphic logic gates we can do what we need. Homomorphic * alone is insufficient; homomorphic NAND would be OK. What gates do I need to perform any computation? Define NOR. NOR via NANDs. De Morgan's laws. What does any of this mean?

Slide 35

Addition, Multiplication over GF(2)

+ | 0 1
0 | 0 1
1 | 1 0

* | 0 1
0 | 0 0
1 | 0 1

Adding and multiplying a bit is very simple. So are computers. We need building blocks that work homomorphically but can be built into anything we need. Start with bits. + looks like XOR. * looks like AND. We can grow from there.

Slide 37

    >>> def choose(first, second, choose_first):
    ...     return first if choose_first else second
    ...
    >>> choose(True, False, True)
    True
    >>> choose(True, False, False)
    False

(Circuit diagram with inputs first, choose_first and second.)

Branching is hard, but: here's a program I wrote. Normal computers evaluate the condition, then execute the selected path. …so if I have a homomorphic AND, OR and NOT, or just NAND, I can write logic. Branching becomes a truth table, or, equivalently, a circuit. Circuits are easy.

Slide 39

    >>> def my_factorial(n):
    ...     result = 1
    ...     while n > 1:
    ...         result *= n
    ...         n -= 1
    ...     return result

    >>> def my_factorial_less_than_20(n):
    ...     result = 1
    ...     for i in range(2, 20):
    ...         result *= 1 if i > n else i
    ...     return result
    ...
    >>> my_factorial_less_than_20(4)
    24
    >>> my_factorial_less_than_20(100)
    121645100408832000L
    >>> my_factorial_less_than_20(1000)
    121645100408832000L

Here's another program I wrote. Explain factorial. Then here's a really strange version. Why? Note n: it no longer controls how many times the loop runs. The program has interesting properties: bounded loops are decidable! Security vs. efficiency.
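The gate, GF(2), choose() and bounded-factorial slides are all one reduction, so here is one added example (mine, not the talk's code) that carries it through end to end: GF(2) addition and multiplication, NAND built from them, every other gate built from NAND alone, the choose() truth table as a multiplexer circuit, and the slides' my_factorial_less_than_20 rewritten so that even the comparison i > n is a circuit. Nothing here is encrypted; the point is that a homomorphic scheme only needs to supply add and multiply on bits and these circuits run unchanged. The 16-bit width for the comparator is my choice and bounds the n the factorial can handle.

```python
from itertools import product

# GF(2): the two field operations on a single bit.
def gf2_add(a, b):
    return (a + b) % 2                 # the "+" table: looks like XOR

def gf2_mul(a, b):
    return (a * b) % 2                 # the "*" table: looks like AND

# NOT x is x + 1 in GF(2), so NAND needs only the two field operations.
def nand(a, b):
    return gf2_add(gf2_mul(a, b), 1)

# Every other gate from NAND alone: NAND is functionally complete.
def not_(a):
    return nand(a, a)

def and_(a, b):
    return not_(nand(a, b))

def or_(a, b):
    return nand(not_(a), not_(b))      # De Morgan: a OR b = NOT(NOT a AND NOT b)

def nor(a, b):
    return not_(or_(a, b))

def xor(a, b):
    return or_(and_(a, not_(b)), and_(not_(a), b))

def truth_table(gate):
    """All four input pairs with the gate's output, for checking identities."""
    return {(a, b): gate(a, b) for a, b in product((0, 1), repeat=2)}

# The slides' choose() as a circuit: s*first + (s+1)*second over GF(2).
# Both inputs are always evaluated; the selector only decides which one
# survives. This 2:1 multiplexer is all the "branching" a circuit can do.
def choose(first, second, choose_first):
    s = choose_first
    return gf2_add(gf2_mul(s, first), gf2_mul(gf2_add(s, 1), second))

def to_bits(x, width=16):
    """Unsigned integer as a list of bits, most significant first (x < 2**width)."""
    return [(x >> (width - 1 - k)) & 1 for k in range(width)]

def greater_than(a_bits, b_bits):
    """Comparator circuit: scan from the MSB, tracking 'a > b so far' and
    'a == b so far' with the gates above only. Returns the bit a > b."""
    gt, eq = 0, 1
    for a, b in zip(a_bits, b_bits):
        gt = or_(gt, and_(eq, and_(a, not_(b))))
        eq = and_(eq, not_(xor(a, b)))
    return gt

def select(s, if_true, if_false):
    """Integer-valued multiplexer: the arithmetic form of choose()."""
    return s * if_true + (1 - s) * if_false

def bounded_factorial(n, bound=20):
    """The slides' my_factorial_less_than_20 with both the comparison and
    the branch replaced by circuits. The loop runs exactly bound-2 times
    whatever n is, so control flow reveals nothing about n; the price is
    that every iteration is paid for even when it contributes a factor of 1."""
    n_bits = to_bits(n)
    result = 1
    for i in range(2, bound):
        skip = greater_than(to_bits(i), n_bits)    # becomes 1 once i exceeds n
        result *= select(skip, 1, i)
    return result

if __name__ == "__main__":
    print(truth_table(nand), truth_table(nor))
    print(bounded_factorial(4), bounded_factorial(100), bounded_factorial(1000))
```

The same structure is why the slide says branch prediction won't work: there is no branch, only a fixed amount of work whose result is selected arithmetically, and the trip count of every loop must be fixed in advance by the service, not by the encrypted input.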

Slide 40

Slide 40 text

! Fast! Turing Complete* Strong Encryption Practical Homomorphic Encryption Would be awesome, but where could I find such a thing?

Slide 41

There's one on GitHub. But how?

Slide 42

Craig Gentry, IBM Research. His thesis; refined by himself and others.

Slide 43

Input data ciphertext → Add (lossless) → Multiply (lossy) → Bootstrappable re-encryption → Multiply (lossy) → Result ciphertext. Gentry found a strong encryption scheme with lossless homomorphic + and lossy homomorphic *. Too many *s and you can't decrypt. We will look at bootstrapping in more detail on the next slide. Explain lossy multiplication here.

Slide 44

E(E(E(plaintext, key), key2), key3) / E(E(plaintext, key), key2) / E(plaintext) / Plaintext. Bootstrappable encryption: every time you decrypt, you "reset" the errors. Only a student with a thesis deadline could have thought of this. It works, but is inefficient in time and space. Maybe work around it? PKE (public-key encryption) is slow, but combine it with SE (symmetric encryption) for performance.
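"Lossy multiplication" is easiest to see in the integer-based variant of Gentry's idea (van Dijk, Gentry, Halevi and Vaikuntanathan, "Fully Homomorphic Encryption over the Integers", 2010), so this added example, which is mine and not the talk's or any library's code, implements that scheme's symmetric version with deliberately tiny, insecure parameters. A bit m is encrypted as m + 2r + pq with small noise r and secret odd p; addition adds the noise, multiplication multiplies it, and once the noise passes p/2 the decryption is garbage. The evaluator cannot see the noise, so the example tracks a worst-case bound alongside each ciphertext, the way libraries such as Microsoft SEAL expose a "noise budget", and refuses to decrypt once the budget is gone. That refusal is exactly the point where bootstrapping would have to re-encrypt to reset the errors. The key p = 1000003, the noise width and the fixed seed are my choices.

```python
import random

class Ciphertext:
    """A ciphertext integer plus the noise bound the evaluator can track
    without the key. Addition is lossless (bounds add); multiplication is
    lossy (bounds multiply)."""
    def __init__(self, value, noise_bound):
        self.value = value
        self.noise_bound = noise_bound

    def __add__(self, other):
        # (m1 + 2r1) + (m2 + 2r2): parity is m1 XOR m2, noise adds.
        return Ciphertext(self.value + other.value,
                          self.noise_bound + other.noise_bound)

    def __mul__(self, other):
        # (m1 + 2r1)(m2 + 2r2): parity is m1 AND m2, noise multiplies.
        return Ciphertext(self.value * other.value,
                          self.noise_bound * other.noise_bound)


class ToyIntegerHE:
    """Toy symmetric scheme over the integers. NOT secure: p is tiny and the
    parameters are chosen only so that noise growth is visible."""
    def __init__(self, p, q_bits=64, noise_bits=3, seed=1):
        assert p % 2 == 1, "the secret key must be odd"
        self.p = p
        self.q_bits = q_bits
        self.max_r = 2 ** noise_bits
        self.rng = random.Random(seed)      # fixed seed only for reproducibility

    def encrypt(self, m):
        assert m in (0, 1)
        r = self.rng.randint(-self.max_r, self.max_r)
        q = self.rng.getrandbits(self.q_bits)
        # |m + 2r| <= 1 + 2*max_r is the fresh noise bound (17 with noise_bits=3).
        return Ciphertext(m + 2 * r + self.p * q, 1 + 2 * self.max_r)

    def centred_residue(self, c):
        """c mod p, mapped into (-p/2, p/2]. Equals m + 2r while |m + 2r| < p/2."""
        rem = c.value % self.p
        return rem - self.p if rem > self.p // 2 else rem

    def decrypt(self, c):
        """The bit, or None when the tracked noise bound no longer fits below
        p/2 (the residue would be garbage and silently wrong)."""
        if 2 * c.noise_bound >= self.p:
            return None
        return self.centred_residue(c) % 2


def multiplicative_depth_budget(p, fresh_noise_bound):
    """Largest d such that a product of 2**d fresh ciphertexts is still
    guaranteed to decrypt, i.e. fresh_noise_bound ** (2**d) < p/2."""
    d, bound = 0, fresh_noise_bound
    while 2 * (bound * bound) < p:
        bound, d = bound * bound, d + 1
    return d


def product_of_bits(he, bits):
    """Homomorphic AND of 2**k bits as a balanced tree of depth k."""
    assert len(bits) & (len(bits) - 1) == 0, "use a power-of-two number of bits"
    cts = [he.encrypt(b) for b in bits]
    while len(cts) > 1:
        cts = [cts[i] * cts[i + 1] for i in range(0, len(cts), 2)]
    return cts[0]


def demo():
    he = ToyIntegerHE(p=1000003)
    one, zero = he.encrypt(1), he.encrypt(0)
    sums = he.decrypt(one + one), he.decrypt(one + zero)          # XOR: (0, 1)
    depth2 = he.decrypt(product_of_bits(he, [1, 1, 1, 1]))        # 17**4 < p/2: 1
    depth3 = he.decrypt(product_of_bits(he, [1] * 8))             # 17**8 > p: None
    return sums, depth2, depth3, multiplicative_depth_budget(he.p, 17)

if __name__ == "__main__":
    print(demo())
```

With these parameters two levels of multiplication are safe and a third is not; in the talk's terms, this is the point at which "too many *s and you can't decrypt" applies, and bootstrappable re-encryption is what buys the next level.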

Slide 45

CryptDB http://css.csail.mit.edu/cryptdb/

Slide 46

CryptDB
❖ Query-based encryption
❖ Requires no changes to the DB server
❖ Tested on phpBB, OpenEMR, TPC-C, etc.
❖ Only 14-26% slower than unmodified apps.
http://css.csail.mit.edu/cryptdb/

Slide 47

Encrypted BigQuery Client https://code.google.com/p/encrypted-bigquery-client/

Slide 48

Zero Knowledge Proof. Image: Wikimedia Commons / User:Dake. Applications! I want to talk about two-party secure computation, but… it is often the case that you want to compute f(alice_value, bob_value) without revealing either argument. ZKPs do exist, but can be tricky.

Slide 51

Two-Party Secure Computation. Alice sends c = E(x) to Bob. Bob computes and sends c' = E(f(x, y)), together with a ZKP that c' is correct, to Alice. Alice decrypts c', computes a ZKP of valid decryption, and returns both to Bob. (Name tags: HELLO My Name Is Alice / HELLO My Name Is Bob.) We want to compute f(aliceData, bobData). How does Alice know Bob used the correct input? How does Bob know Alice didn't lie about the result?

Slide 61

Limitations
• Server doesn't have the data to, e.g., hand off to third parties
• All "new" cryptosystems are relatively untested and their security is not proven.
• Space issues
• Often computationally expensive
• Client complexity and deployment
• Not always clear when to choose fully homomorphic algorithms.
• Not a cure-all. Metadata and side channels are still a problem
• Moving target!
• Patent encumbered

"New" here means new both in terms of algorithms and in terms of implementation.

Slide 62

Patent Encumbrance
• "Nevertheless, the authors of this method to concede that making this scheme practical remains an open problem."
• "There exist well known solutions for secure computation of any function… It seems hard to apply these methods to complete continuous functions or represent Real numbers, since the methods inherently work over finite fields."
• "An encryption scheme with these two properties is called a homomorphic encryption scheme. The Paillier system is one homomorphic encryption scheme, but more ones [sic] exist."

Hand-waving that wouldn't be allowed in a freshman term paper.