Frontiers in Tony Arcieri Strange Loop September 17th, 2016 CRYPTOGRAPHY

Today’s Talk The Past Brief history of modern cryptography The Future Where cryptography is heading

Disclaimer

The Past Brief history of modern cryptography

How would aliens encrypt?

I CAN’T BELIEVE THESE STUPID ALIENS ARE STILL USING MS-CHAPv2

Diffie-Hellman (1976)

Diffie-Hellman (1976) ^ Merkle

Rivest-Shamir-Adleman (1977)

Public-Key Cryptography Diffie-Hellman(-Merkle) Rivest-Shamir-Adleman (RSA) Discrete Logarithm Problem (1976) Factoring (1977)

“Non-Secret Encryption” James H. Ellis Existence Proof (1969) Clifford Cocks “RSA Algorithm” (1973) Malcolm Williamson “Diffie-Hellman Algorithm” (1974)

No content

Group Homomorphisms Factoring Discrete Log Elliptic Curve DLP Pollard’s Rho (1975) Pollard’s Rho for Logarithms (1978) Lenstra’s Method (1987) Shor’s Algorithm (1994)

Symmetric Encryption

How would aliens encrypt?

The Future Where cryptography is going

Search! Analyze! Organize! SSL/TLS

No content

Search! Analyze! Organize!

Search! Analyze! Organize!

No content

DANGER!!! DANGER!!! DANGER!!!

Indistinguishability A B A B

Encrypted Databases • Navajo Systems • CryptDB • SEEED • Google Encrypted BigQuery • Cipherbase? BROKEN! BROKEN! BROKEN! ?

No content

Please consult a cryptographer

Example Encrypted Email

“Encrypted E-mail” Service • Ordering • Search • Spam detection • Filters/Prioritization

Property-Preserving Encryption • Order-preserving encryption (OPE): plaintext ordering can be determined without knowledge of the key, but leaks additional information • Order-revealing encryption (ORE): ciphertexts are numbers that can be sorted to reveal original order using a public function which outputs “<” or “≥” • Provides efficient range queries BROKEN!

Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds (Extended Version) Kevin Lewi Stanford University [email protected] David J. Wu Stanford University [email protected] Abstract In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to “inference attacks.” In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the “best-possible” notion of security for ORE. Next, we introduce a “domain-extension” technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no e cient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE. Finally, we examine the properties of our new ORE scheme and show how to use it to construct an e cient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes. 1 Introduction Today, large corporations and governments collect and store more personal information about us than ever before. And as high-profile data breaches on companies and organizations (such as Anthem [AC15], eBay [Kel14], and the U.S. Voter Database [FV15]) become startlingly common, it is imperative that we develop practical means for securing our personal data in the cloud. One way to mitigate the damage caused by a database breach is to encrypt the data before storing it in the cloud. This, however, comes at the price of functionality: once data is encrypted, it is more di cult to execute searches over the data without first decrypting the data. As a result, This is the extended version of a paper by the same name that appeared in ACM Conference on Computer and Communications Security in October, 2016. 1

Searchable Symmetric Encryption (SSE) • Full-text search on encrypted documents • Many implementation methods, some better than others • Many schemes have been broken (resulting in full plaintext recovery in some cases)

Encrypted Index Document Store Deterministic Encryption BROKEN!

Encrypted Index Document Store Deterministic Encryption BROKEN!

Deterministic Encryption • Build encrypted inverted index, where ciphertexts point to encrypted documents • Create deterministic search query “tokens” to look up documents in the index • Several potential attacks due to lack of ciphertext indistinguishability BROKEN!

We need more tools…

Oblivious RAM (ORAM) • Masks data access patterns by making them appear random • Can be used as the basis for higher-level primitives, including SSE • Reduces performance due to spurious data accesses

Functional Encryption

Lattices

No content

No content

Lattices A lattice L is a (maximal) discrete subgroup of Rn, or equivalently, L={a1v1+···+anvn :a1,...,an ∈Z}
 for some R-basis v1,...,vn of Rn.

Functional Encryption

spam_score(msg)

spam_score(msg)

Homomorphic Encryption f(x) = x

Homomorphic Encryption • Partially homomorphic: homomorphic property holds for certain operations, e.g. addition, multiplication • Fully homomorphic: provides arbitrary computations on ciphertexts

“The latest speed reports for fully homomorphic encryption are… let me use precise technical terminology here, since I'm a big fan of careful benchmarking… ludicrously slow” — djb

Fully Homomorphic Encryption without Bootstrapping Zvika Brakerski Weizmann Institute of Science Craig Gentry⇤ IBM T.J. Watson Research Center Vinod Vaikuntanathan† University of Toronto Abstract We present a radically new approach to fully homomorphic encryption (FHE) that dramatically im- proves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have 2 security against known attacks. For RLWE, we have: • A leveled FHE scheme that can evaluate L-level arithmetic circuits with ˜ O ( · L3 ) per-gate com- putation – i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure. • A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is ˜ O ( 2 ) , independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes). We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width – e.g., where a constant fraction of levels have width at least – we can reduce the per-gate computation of the bootstrapped version to ˜ O ( ) , independent of L, by batching the bootstrapping operation. Previous FHE schemes all required ˜ ⌦( 3.5 ) computation per gate. At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011). ⇤Sponsored by the Air Force Research Laboratory (AFRL). Disclaimer: This material is based on research sponsored by DARPA under agreement number FA8750-11-C-0096 and FA8750-11-2-0225. The U.S. Government is authorized to reproduce and dis- tribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government. Approved for Public Release, Distribution Unlimited. †This material is based on research sponsored by DARPA under Agreement number FA8750-11-2-0225. All disclaimers as above apply.

Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits Sanjam Garg UCLA [email protected] Craig Gentry IBM Research [email protected] Shai Halevi IBM Research [email protected] Mariana Raykova IBM Research [email protected] Amit Sahai UCLA [email protected] Brent Waters University of Texas at Austin [email protected] July 21, 2013 Abstract In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits C0 and C1 of similar size, the obfuscations of C0 and C1 should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C . Using the key SKC to decrypt a ciphertext CTx = Enc( x ), yields the value C ( x ) but does not reveal anything else about x . Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps: • We describe a candidate construction for indistinguishability obfuscation for NC1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles . • We show how to use indistinguishability obfuscation for NC1 together with Fully Homomorphic Encryption (with decryption in NC1) to achieve indistinguishability obfuscation for all circuits. • Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The func- tional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications. The first and fifth authors were supported in part from NSF grants 1228984, 1136174, 1118096, 1065276, 0916574 and 0830803, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. The views expressed are those of the author and do not reflect the o cial policy or position of the National Science Foundation, or the U.S. Government. The second and third authors were supported by the Intelligence Advanced Research Projects Activity (IARPA) via Department of Interior National Business Center (DoI/NBC) contract number D11PC20202. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the o cial policies or endorsements, either expressed or implied, of IARPA, DoI/NBC, or the U.S. Government. The fourth author is supported by NSF Grant No.1017660. The sixth author is supported by NSF CNS-0915361 and CNS-0952692, CNS-1228599, DARPA N11AP20006, Google Faculty Research award, the Alfred P. Sloan Fellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship. i

Simple Encrypted Arithmetic Library - SEAL (v2.0) Kim Laine1 and Rachel Player2 1 Microsoft Research, USA [email protected] 2 Royal Holloway, University of London, UK?? [email protected] 1 Introduction Traditional encryption schemes, both symmetric and asymmetric, were not designed to respect the algebraic structure of the plaintext and ciphertext spaces. Many schemes, such as Elgamal (resp. e.g. Paillier), are multiplicatively homomorphic (resp. additively homomorphic), so that one can perform certain limited types of computations directly on the encrypted data and have them pass through the encryption to the underlying plaintext data, without requiring access to any secret key(s). The restriction to a one particular type of operation is very strong, however, and instead a much more powerful fully homomorphic encryption scheme, that respects two algebraic operations between the plaintext and ciphertext spaces, would be needed for most applications. The first such encryption scheme was presented by Craig Gentry in his famous work [14], and since then researchers have introduced a number of new and more e cient fully homomorphic encryption schemes. Despite the promising theoretical power of homomorphic encryption, the practical side still remains somewhat underdeveloped. Recently new implementations, new data encoding techniques, and new applications have started to improve the situation, but much remains to be done. In 2015 we released the Simple Encrypted Arithmetic Library - SEAL with the goal of providing a well engineered and documented homomorphic encryption library, with no external dependencies, that would be easy to use both by experts and by non-experts with little or no cryptographic background. The library is available at http://sealcrypto.codeplex.com, and is licensed under the MSR License Agreement. Recently a large number of major changes were implemented in SEAL, and the new version was released as SEAL v2 . 0. In this document we describe in detail this new release, and hope to provide a practical guide to using homomorphic encryption for a wide audience. The reader is also advised to go over the code examples that come with the library, and to read through the detailed comments. For users of previous versions of SEAL we hope to provide clear instructions for how to port old code to use SEAL v2 . 0. An introductory paper to an older version of SEAL was given in [10], which the user new to SEAL v2 . 0 may also find helpful as large parts of the API have remained unchanged. 1.1 Roadmap In Section 1.2 we briefly discuss the major changes to SEAL, which are expanded upon in the other sections of this document. In Section 2 we define notation and parameters we will use throughout the document. In Section 3 we give the description of the Fan-Vercauteren homomorphic encryption scheme (FV) – as originally specified in [13] – and in Section 4 we describe how SEAL di↵ers from this original description. In Section 5 we discuss the expected ?? Much of this work was done during an internship at Microsoft Research, Redmond.

CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy Nathan Dowlin1 [email protected] Department of Mathematics, Princeton University Ran Gilad-Bachrach [email protected] Kim Laine [email protected] Kristin Lauter [email protected] Michael Naehrig [email protected] John Wernsing [email protected] Microsoft Research, Redmond Abstract Applying machine learning to a problem which involves medical, financial, or other types of sen- sitive data, not only requires accurate predic- tions but also careful attention to maintaining data privacy and security. Legal and ethical re- quirements may prevent the use of cloud-based machine learning solutions for such tasks. In this work, we will present a method to convert learned neural networks to CryptoNets, neural networks that can be applied to encrypted data. This allows a data owner to send their data in an encrypted form to a cloud service that hosts the network. The encryption ensures that the data re- mains confidential since the cloud does not have access to the keys needed to decrypt it. Never- theless, we will show that the cloud service is capable of applying the neural network to the en- crypted data to make encrypted predictions, and also return them in encrypted form. These en- crypted predictions can be sent back to the owner of the secret key who can decrypt them. There- fore, the cloud service does not gain any infor- mation about the raw data nor about the predic- tion it made. We demonstrate CryptoNets on the MNIST optical character recognition tasks. CryptoNets achieve 99% accuracy and can make around 59000 predictions per hour on a single PC. Therefore, they allow high throughput, ac- curate, and private predictions. Proceedings of the 33rd International Conference on Machine Learning, New York, NY, USA, 2016. JMLR: W&CP volume 48. Copyright 2016 by the author(s). 1. Introduction Consider a hospital that would like to use a cloud service to predict the probability of readmission of a patient within the next 30 days, in order to improve the quality of care and to reduce costs. Due to ethical and legal requirements re- garding the confidentiality of patient information, the hos- pital might be prohibited from using such a service. In this work we present a way by which the hospital can use this valuable service without sacrificing patient privacy. In the proposed protocol, the hospital encrypts the private in- formation and sends it in encrypted form to the prediction provider, referred to as the cloud in our discussion below. The cloud is able to compute the prediction over the en- crypted data records and sends back the results that the hos- pital can decrypt and read. The encryption scheme uses a public key for encryption and a secret key (private key) for decryption. It is important to note that the cloud does not have access to the secret key, so it cannot decrypt the data nor can it decrypt the prediction. The only information it obtains during the process is that it did perform a prediction on behalf of the hospital. Hence, the cloud can charge the hospital for its services, but does not learn anything about the patient’s medical files or the predicted outcomes. This procedure allows for private and secure predictions without requiring the establishment of trust between the data owner and the service provider. This may have applications in fields such as health, finance, business, and possibly oth- ers. It is important to note that this work focuses on the infer- ence stage. We make the assumption that the cloud already has a model. In our case it would be a neural network that 1This work was done while the first author was at Microsoft Research, Redmond

Encrypted Programs Using Trusted Hardware

Intel SGX and AMD SEV • Encrypted enclaves in main memory which run encrypted programs • Available on Intel Skylake CPUs • Attestation protocol to ensure a CPU is running the program you intend it to • Microsoft VC3: Encrypted Map-Reduce

Technical Report MSR-TR-2014-39 February 28, 2014 (Updated March 19, 2015) VC3 : Trustworthy Data Analytics in the Cloud Felix Schuster*, Manuel Costa, C´ edric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich Microsoft Research Abstract We present VC3, the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, confidentiality and integrity are preserved even if these large components are compromised. VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop: VC3’s average runtime overhead is negligible for its base security guarantees, 4.5% with write integrity and 8% with read/write integrity. *Work done while interning at Microsoft Research; affiliated with Ruhr-Universit¨ at Bochum.

Post-Quantum Cryptography

Group Homomorphisms Factoring Discrete Log Elliptic Curve DLP Shor’s Algorithm (1994)

Shor’s Algorithm • Requires large quantum computers (1000s of qubits) • Could be used to solve factoring and (EC)DLP much faster than classical computers • Fortunately large quantum computers are 10+ years off

Post-Quantum Public Key Encryption Algorithms • Lattices: Ring-LWE (NewHope), NTRU • Isogenies: Supersingular Isogeny Diffie-Hellman • Codes: McElice/McBits

No content

That’s it!

Thanks! • Twitter: @bascule • Blog: https://tonyarcieri.com