Slide 1

Frontiers in Cryptography. Tony Arcieri, Strange Loop, September 17th, 2016

Slide 2

Today’s Talk
• The Past: Brief history of modern cryptography
• The Future: Where cryptography is heading

Slide 3

Disclaimer

Slide 4

The Past Brief history of modern cryptography

Slide 5

How would aliens encrypt?

Slide 6

I CAN’T BELIEVE THESE STUPID ALIENS ARE STILL USING MS-CHAPv2

Slide 7

Diffie-Hellman (1976)

Slide 8

Diffie-Hellman (1976) ^ Merkle

Slide 9

Rivest-Shamir-Adleman (1977)

Slide 10

Public-Key Cryptography
• Diffie-Hellman(-Merkle): Discrete Logarithm Problem (1976)
• Rivest-Shamir-Adleman (RSA): Factoring (1977)

Slide 11

“Non-Secret Encryption” (the GCHQ work, declassified later)
• James H. Ellis: Existence Proof (1969)
• Clifford Cocks: “RSA Algorithm” (1973)
• Malcolm Williamson: “Diffie-Hellman Algorithm” (1974)

Slide 13

Group Homomorphisms
• Hard problems: Factoring, Discrete Log, Elliptic Curve DLP
• Algorithms attacking them: Pollard’s Rho (1975), Pollard’s Rho for Logarithms (1978), Lenstra’s Method (1987), Shor’s Algorithm (1994)

Slide 14

Symmetric Encryption

Slide 15

How would aliens encrypt?

Slide 16

The Future Where cryptography is going

Slide 17

Search! Analyze! Organize! SSL/TLS

Slide 19

Search! Analyze! Organize!

Slide 22

DANGER!!! DANGER!!! DANGER!!!

Slide 23

Indistinguishability (figure: two ciphertext pairs labelled A, B)

Slide 24

Encrypted Databases
• Navajo Systems
• CryptDB
• SEEED
• Google Encrypted BigQuery
• Cipherbase?
BROKEN! BROKEN! BROKEN! ?

Slide 26

Please consult a cryptographer

Slide 27

Example Encrypted Email

Slide 28

“Encrypted E-mail” Service
• Ordering
• Search
• Spam detection
• Filters/Prioritization

Slide 29

Property-Preserving Encryption
• Order-preserving encryption (OPE): ciphertexts are numbers whose numeric order matches the plaintext order, so anyone can compare them without the key; it necessarily leaks more than just the order (the inference attacks of Naveed et al., cited on the next slide, recover plaintexts from OPE-encrypted columns)
• Order-revealing encryption (ORE): ciphertexts need not be ordered numbers; a public comparison function takes two ciphertexts and outputs “<” or “≥”, so the leakage is limited to what that function reveals
• Provides efficient range queries
BROKEN!

Slide 30

Order-Revealing Encryption: New Constructions, Applications, and Lower Bounds (Extended Version). Kevin Lewi, Stanford University, [email protected]; David J. Wu, Stanford University, [email protected]

Abstract. In the last few years, there has been significant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to “inference attacks.” In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the “best-possible” notion of security for ORE. Next, we introduce a “domain-extension” technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no efficient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE. Finally, we examine the properties of our new ORE scheme and show how to use it to construct an efficient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes.

1 Introduction. Today, large corporations and governments collect and store more personal information about us than ever before. And as high-profile data breaches on companies and organizations (such as Anthem [AC15], eBay [Kel14], and the U.S. Voter Database [FV15]) become startlingly common, it is imperative that we develop practical means for securing our personal data in the cloud. One way to mitigate the damage caused by a database breach is to encrypt the data before storing it in the cloud. This, however, comes at the price of functionality: once data is encrypted, it is more difficult to execute searches over the data without first decrypting the data. As a result,

This is the extended version of a paper by the same name that appeared in ACM Conference on Computer and Communications Security in October, 2016.

Slide 31

Searchable Symmetric Encryption (SSE) • Full-text search on encrypted documents • Many implementation methods, some better than others • Many schemes have been broken (resulting in full plaintext recovery in some cases)

Slide 32

Deterministic Encryption (diagram: Encrypted Index, Document Store) BROKEN!

Slide 34

Deterministic Encryption
• Build an encrypted inverted index, where ciphertexts point to encrypted documents
• Create deterministic search query “tokens” to look up documents in the index
• Several attacks follow from the lack of ciphertext indistinguishability: equal keywords produce equal tokens, so the server can count repetitions and run frequency analysis against a known word distribution
BROKEN!
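
The attacks the slides label BROKEN! are concrete enough to run. Below is an added example (not code from the talk, nor from CryptDB or any product named above) that encrypts one small constructed column with a toy deterministic scheme and a toy order-preserving scheme, then recovers the plaintext without the key: frequency analysis against the deterministic ciphertexts (the same idea breaks the deterministic search tokens on this slide) and the sorting attack of Naveed et al. against the OPE ciphertexts (Property-Preserving Encryption, two slides up). The key, the HMAC-based stand-in for deterministic encryption, the random monotone map standing in for OPE and the age column are all assumptions made for the demo.

```python
import hashlib
import hmac
import random
from collections import Counter

# Constructed sample data: an "age" column of a hypothetical encrypted user table.
# The domain is dense (every value 18..29 occurs), the case the sorting attack exploits.
DOMAIN = list(range(18, 30))
AGES = [18, 19, 19, 20, 20, 20, 21, 22, 22, 23, 24, 24,
        24, 25, 26, 26, 27, 28, 29, 29, 25, 23, 21, 20]
KEY = b"\x00" * 16  # hypothetical toy key; the attacks below never use it


def det_encrypt(key, m):
    """Deterministic encryption stand-in: a keyed PRF (HMAC-SHA256) truncated to 64 bits.
    As with any deterministic scheme, equal plaintexts give equal ciphertexts."""
    return hmac.new(key, str(m).encode(), hashlib.sha256).hexdigest()[:16]


def ope_keygen(key, domain, ciphertext_space=10**6):
    """Toy OPE: a key-derived, strictly increasing random map from the plaintext domain
    into [0, ciphertext_space). Real OPE schemes differ in construction, not in leakage."""
    rng = random.Random(key)
    points = sorted(rng.sample(range(ciphertext_space), len(domain)))
    return dict(zip(domain, points))


def ope_encrypt(table, m):
    return table[m]


# ---- attacker side: no key, only the ciphertext column plus auxiliary knowledge ----

def frequency_attack(ciphertexts, aux_plaintexts):
    """Frequency analysis against deterministic encryption (the attack Naveed et al. run on
    DET columns): rank ciphertexts and auxiliary plaintexts by frequency and pair them up."""
    c_by_freq = [c for c, _ in Counter(ciphertexts).most_common()]
    p_by_freq = [p for p, _ in Counter(aux_plaintexts).most_common()]
    return dict(zip(c_by_freq, p_by_freq))


def sorting_attack(ciphertexts, domain):
    """Sorting attack against OPE: when every domain value occurs in the column, the i-th
    smallest distinct ciphertext can only be the encryption of the i-th smallest domain value."""
    distinct = sorted(set(ciphertexts))
    if len(distinct) != len(domain):
        raise ValueError("column is not dense over the domain; use the cumulative attack")
    return dict(zip(distinct, sorted(domain)))


def run_attacks():
    """Encrypt the column both ways, attack each, and report (det_recovered, ope_recovered, total)."""
    det_cts = [det_encrypt(KEY, a) for a in AGES]
    ope_cts = [ope_encrypt(ope_keygen(KEY, DOMAIN), a) for a in AGES]
    # Attacker's auxiliary data: the public age distribution, here taken to match the column.
    det_guess = frequency_attack(det_cts, AGES)
    ope_guess = sorting_attack(ope_cts, DOMAIN)
    det_recovered = sum(det_guess[c] == a for c, a in zip(det_cts, AGES))
    ope_recovered = sum(ope_guess[c] == a for c, a in zip(ope_cts, AGES))
    return det_recovered, ope_recovered, len(AGES)


if __name__ == "__main__":
    print("recovered (DET, OPE, total):", run_attacks())
```

Neither attack touches the key: equality and order are exactly the properties these schemes preserve, so an attacker holding the ciphertext column plus public knowledge of the plaintext distribution needs nothing else. The sorting attack is written for the dense case; for sparse columns Naveed et al.'s cumulative attack matches ciphertext rank against the auxiliary CDF instead.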

Slide 35

We need more tools…

Slide 36

Oblivious RAM (ORAM)
• Masks data access patterns by making them appear random: each logical access is turned into reads and writes of physical locations chosen independently of the address requested
• Can be used as the basis for higher-level primitives, including SSE
• Reduces performance due to spurious data accesses (tree-based schemes cost a logarithmic-to-polylogarithmic number of real block transfers per logical access)
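
An added example, not code from the talk or from any ORAM library, of the tree-based Path ORAM construction that practical deployments are usually built on. The in-memory list standing in for the untrusted server, the bucket size, the block count and the seed are assumptions for the demo.

```python
import math
import random


class PathORAM:
    """Minimal Path ORAM (Stefanov et al. 2013). Every access reads one root-to-leaf path
    chosen uniformly at random and rewrites that same path, so the server observes only
    random paths and cannot tell which address was touched or whether it was read or written."""

    def __init__(self, n_blocks, bucket_size=4, seed=None):
        self.rng = random.Random(seed)            # client-side randomness
        self.Z = bucket_size
        self.L = max(1, math.ceil(math.log2(n_blocks)))   # tree height
        self.n_leaves = 2 ** self.L
        # Untrusted server storage: a complete binary tree of 2^(L+1)-1 buckets,
        # numbered heap-style (root 0, children of i are 2i+1 and 2i+2).
        self.server = [[] for _ in range(2 ** (self.L + 1) - 1)]
        # Trusted client state: position map (address -> leaf) and stash (address -> data).
        self.position = {a: self.rng.randrange(self.n_leaves) for a in range(n_blocks)}
        self.stash = {}
        self.observed = []   # what the server sees: the leaf of each path that was read

    def _path(self, leaf):
        """Bucket indices from the root down to the given leaf."""
        node = leaf + self.n_leaves - 1
        path = [node]
        while node > 0:
            node = (node - 1) // 2
            path.append(node)
        return path[::-1]

    def access(self, op, addr, data=None):
        """op is 'read' or 'write'; returns the previous contents of addr (None if unset)."""
        leaf = self.position[addr]
        self.position[addr] = self.rng.randrange(self.n_leaves)   # fresh random leaf
        self.observed.append(leaf)
        path = self._path(leaf)
        # 1. Read the whole path into the stash (the server sees every bucket on it read).
        for node in path:
            for a, d in self.server[node]:
                self.stash[a] = d
            self.server[node] = []
        result = self.stash.get(addr)
        if op == "write":
            self.stash[addr] = data
        # 2. Evict: rewrite the same path, leaf first, with stashed blocks whose (new)
        #    position still shares that bucket with this path, at most Z per bucket.
        for depth in range(len(path) - 1, -1, -1):
            bucket = []
            for a in list(self.stash):
                if len(bucket) == self.Z:
                    break
                if self._path(self.position[a])[depth] == path[depth]:
                    bucket.append((a, self.stash.pop(a)))
            self.server[path[depth]] = bucket
        return result


def demo_access_pattern(seed=1):
    """Write 8 blocks, read them back, re-read one address, and return
    (all_reads_correct, leaves_the_server_saw)."""
    oram = PathORAM(8, seed=seed)
    for a in range(8):
        oram.access("write", a, f"record-{a}")
    ok = all(oram.access("read", a) == f"record-{a}" for a in range(8))
    for _ in range(4):            # repeated reads of one address still hit fresh paths
        oram.access("read", 3)
    return ok, oram.observed
```

Each access transfers L+1 buckets of Z blocks in each direction (here 4 × 4 = 16 block transfers per logical block), which is the "spurious data accesses" cost on the slide; the server's entire view is the `observed` list, a sequence of independent uniform leaves that carries no information about which address was requested.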

Slide 37

Functional Encryption

Slide 38

Lattices

Slide 41

Lattices
A lattice $L$ is a (maximal) discrete subgroup of $\mathbb{R}^n$, or equivalently,
$$L = \{\, a_1 v_1 + \cdots + a_n v_n : a_1, \ldots, a_n \in \mathbb{Z} \,\}$$
for some $\mathbb{R}$-basis $v_1, \ldots, v_n$ of $\mathbb{R}^n$.

Slide 42

Functional Encryption

Slide 43

spam_score(msg)

Slide 45

Homomorphic Encryption f(x) = x

Slide 46

Homomorphic Encryption
• Partially homomorphic: the homomorphic property holds for one operation, e.g. addition (Paillier) or multiplication (unpadded RSA, ElGamal)
• Fully homomorphic: supports both addition and multiplication on ciphertexts, hence arbitrary computations (any circuit)
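
To make "partially homomorphic" concrete, here is an added example (not from the talk, and not SEAL, which implements the lattice-based FV scheme) of textbook Paillier, which is additively homomorphic: multiplying two ciphertexts yields an encryption of the sum of the plaintexts, and raising a ciphertext to a known constant multiplies the plaintext by it. The modulus size, the seed used to make the demo's primes reproducible and the sample plaintexts are assumptions for the demo; 256-bit moduli are chosen for speed only and are not secure.

```python
import random
from math import gcd

_sysrand = random.SystemRandom()   # randomness for the per-encryption blinding factor r


def is_probable_prime(n, rounds=25, rng=_sysrand):
    """Miller-Rabin primality test (probabilistic; error probability below 4^-rounds)."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1   # full length, odd
        if is_probable_prime(cand, rng=rng):
            return cand


def paillier_keygen(bits=512, seed=None):
    """Textbook Paillier key generation. `seed` exists only for a reproducible demo."""
    rng = random.Random(seed) if seed is not None else _sysrand
    while True:
        p, q = gen_prime(bits // 2, rng), gen_prime(bits // 2, rng)
        if p != q and gcd(p * q, (p - 1) * (q - 1)) == 1:
            break
    n = p * q
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)   # lambda = lcm(p-1, q-1)
    g = n + 1                                       # standard generator choice
    mu = pow(lam, -1, n)                            # with g = n+1, L(g^lam mod n^2) = lam
    return (n, g), (lam, mu)


def encrypt(pk, m):
    """Enc(m) = g^m * r^n mod n^2 with a fresh random r, so encryption is randomized."""
    n, g = pk
    n2 = n * n
    while True:
        r = _sysrand.randrange(1, n)
        if gcd(r, n) == 1:
            break
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    L = (pow(c, lam, n * n) - 1) // n               # L(u) = (u - 1) / n
    return (L * mu) % n


def add_encrypted(pk, c1, c2):
    """Enc(m1) * Enc(m2) = Enc(m1 + m2): the additive homomorphism, no key needed."""
    n, _ = pk
    return (c1 * c2) % (n * n)


def scale_encrypted(pk, c, k):
    """Enc(m)^k = Enc(k * m): multiplication by a known plaintext constant."""
    n, _ = pk
    return pow(c, k, n * n)


def demo(seed=2016):
    """Returns (Dec(Enc(17) * Enc(25)), Dec(Enc(17)^3)) computed by a keyless party."""
    pk, sk = paillier_keygen(bits=256, seed=seed)
    c1, c2 = encrypt(pk, 17), encrypt(pk, 25)
    total = decrypt(pk, sk, add_encrypted(pk, c1, c2))
    scaled = decrypt(pk, sk, scale_encrypted(pk, c1, 3))
    return total, scaled
```

Note what the scheme cannot do: there is no operation on Enc(m1) and Enc(m2) that yields Enc(m1·m2), so a function that mixes additions and multiplications, such as the spam_score(msg) on the earlier slide, needs a somewhat or fully homomorphic scheme like the lattice-based ones in the papers that follow.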

Slide 47

“The latest speed reports for fully homomorphic encryption are… let me use precise technical terminology here, since I'm a big fan of careful benchmarking… ludicrously slow” — djb

Slide 48

Fully Homomorphic Encryption without Bootstrapping. Zvika Brakerski (Weizmann Institute of Science), Craig Gentry* (IBM T.J. Watson Research Center), Vinod Vaikuntanathan† (University of Toronto)

Abstract. We present a radically new approach to fully homomorphic encryption (FHE) that dramatically improves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure. Specifically, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have $2^{\lambda}$ security against known attacks. For RLWE, we have:
• A leveled FHE scheme that can evaluate L-level arithmetic circuits with $\tilde{O}(\lambda \cdot L^3)$ per-gate computation – i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure.
• A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is $\tilde{O}(\lambda^2)$, independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes).
We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width – e.g., where a constant fraction of levels have width at least $\lambda$ – we can reduce the per-gate computation of the bootstrapped version to $\tilde{O}(\lambda)$, independent of L, by batching the bootstrapping operation. Previous FHE schemes all required $\tilde{\Omega}(\lambda^{3.5})$ computation per gate.
At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011).

*Sponsored by the Air Force Research Laboratory (AFRL). Disclaimer: This material is based on research sponsored by DARPA under agreement number FA8750-11-C-0096 and FA8750-11-2-0225. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of DARPA or the U.S. Government. Approved for Public Release, Distribution Unlimited.
†This material is based on research sponsored by DARPA under Agreement number FA8750-11-2-0225. All disclaimers as above apply.

Slide 49

Candidate Indistinguishability Obfuscation and Functional Encryption for all circuits. Sanjam Garg (UCLA, [email protected]), Craig Gentry (IBM Research, [email protected]), Shai Halevi (IBM Research, [email protected]), Mariana Raykova (IBM Research, [email protected]), Amit Sahai (UCLA, [email protected]), Brent Waters (University of Texas at Austin, [email protected]). July 21, 2013

Abstract. In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits C0 and C1 of similar size, the obfuscations of C0 and C1 should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C. Using the key SKC to decrypt a ciphertext CTx = Enc(x), yields the value C(x) but does not reveal anything else about x. Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps:
• We describe a candidate construction for indistinguishability obfuscation for NC1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simplified variant of multilinear maps, which we call Multilinear Jigsaw Puzzles.
• We show how to use indistinguishability obfuscation for NC1 together with Fully Homomorphic Encryption (with decryption in NC1) to achieve indistinguishability obfuscation for all circuits.
• Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The functional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications.

The first and fifth authors were supported in part from NSF grants 1228984, 1136174, 1118096, 1065276, 0916574 and 0830803, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. The views expressed are those of the author and do not reflect the official policy or position of the National Science Foundation, or the U.S. Government. The second and third authors were supported by the Intelligence Advanced Research Projects Activity (IARPA) via Department of Interior National Business Center (DoI/NBC) contract number D11PC20202. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the official policies or endorsements, either expressed or implied, of IARPA, DoI/NBC, or the U.S. Government. The fourth author is supported by NSF Grant No.1017660. The sixth author is supported by NSF CNS-0915361 and CNS-0952692, CNS-1228599, DARPA N11AP20006, Google Faculty Research award, the Alfred P. Sloan Fellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship.

Slide 50

Simple Encrypted Arithmetic Library - SEAL (v2.0). Kim Laine¹ (Microsoft Research, USA, [email protected]) and Rachel Player² (Royal Holloway, University of London, UK**, [email protected])

1 Introduction. Traditional encryption schemes, both symmetric and asymmetric, were not designed to respect the algebraic structure of the plaintext and ciphertext spaces. Many schemes, such as Elgamal (resp. e.g. Paillier), are multiplicatively homomorphic (resp. additively homomorphic), so that one can perform certain limited types of computations directly on the encrypted data and have them pass through the encryption to the underlying plaintext data, without requiring access to any secret key(s). The restriction to one particular type of operation is very strong, however, and instead a much more powerful fully homomorphic encryption scheme, that respects two algebraic operations between the plaintext and ciphertext spaces, would be needed for most applications. The first such encryption scheme was presented by Craig Gentry in his famous work [14], and since then researchers have introduced a number of new and more efficient fully homomorphic encryption schemes. Despite the promising theoretical power of homomorphic encryption, the practical side still remains somewhat underdeveloped. Recently new implementations, new data encoding techniques, and new applications have started to improve the situation, but much remains to be done. In 2015 we released the Simple Encrypted Arithmetic Library - SEAL with the goal of providing a well engineered and documented homomorphic encryption library, with no external dependencies, that would be easy to use both by experts and by non-experts with little or no cryptographic background. The library is available at http://sealcrypto.codeplex.com, and is licensed under the MSR License Agreement. Recently a large number of major changes were implemented in SEAL, and the new version was released as SEAL v2.0. In this document we describe in detail this new release, and hope to provide a practical guide to using homomorphic encryption for a wide audience. The reader is also advised to go over the code examples that come with the library, and to read through the detailed comments. For users of previous versions of SEAL we hope to provide clear instructions for how to port old code to use SEAL v2.0. An introductory paper to an older version of SEAL was given in [10], which the user new to SEAL v2.0 may also find helpful as large parts of the API have remained unchanged.

1.1 Roadmap. In Section 1.2 we briefly discuss the major changes to SEAL, which are expanded upon in the other sections of this document. In Section 2 we define notation and parameters we will use throughout the document. In Section 3 we give the description of the Fan-Vercauteren homomorphic encryption scheme (FV) – as originally specified in [13] – and in Section 4 we describe how SEAL differs from this original description. In Section 5 we discuss the expected

** Much of this work was done during an internship at Microsoft Research, Redmond.

Slide 51

CryptoNets: Applying Neural Networks to Encrypted Data with High Throughput and Accuracy. Nathan Dowlin¹ ([email protected], Department of Mathematics, Princeton University), Ran Gilad-Bachrach ([email protected]), Kim Laine ([email protected]), Kristin Lauter ([email protected]), Michael Naehrig ([email protected]), John Wernsing ([email protected]), Microsoft Research, Redmond

Abstract. Applying machine learning to a problem which involves medical, financial, or other types of sensitive data, not only requires accurate predictions but also careful attention to maintaining data privacy and security. Legal and ethical requirements may prevent the use of cloud-based machine learning solutions for such tasks. In this work, we will present a method to convert learned neural networks to CryptoNets, neural networks that can be applied to encrypted data. This allows a data owner to send their data in an encrypted form to a cloud service that hosts the network. The encryption ensures that the data remains confidential since the cloud does not have access to the keys needed to decrypt it. Nevertheless, we will show that the cloud service is capable of applying the neural network to the encrypted data to make encrypted predictions, and also return them in encrypted form. These encrypted predictions can be sent back to the owner of the secret key who can decrypt them. Therefore, the cloud service does not gain any information about the raw data nor about the prediction it made. We demonstrate CryptoNets on the MNIST optical character recognition tasks. CryptoNets achieve 99% accuracy and can make around 59000 predictions per hour on a single PC. Therefore, they allow high throughput, accurate, and private predictions.

Proceedings of the 33rd International Conference on Machine Learning, New York, NY, USA, 2016. JMLR: W&CP volume 48. Copyright 2016 by the author(s).

1. Introduction. Consider a hospital that would like to use a cloud service to predict the probability of readmission of a patient within the next 30 days, in order to improve the quality of care and to reduce costs. Due to ethical and legal requirements regarding the confidentiality of patient information, the hospital might be prohibited from using such a service. In this work we present a way by which the hospital can use this valuable service without sacrificing patient privacy. In the proposed protocol, the hospital encrypts the private information and sends it in encrypted form to the prediction provider, referred to as the cloud in our discussion below. The cloud is able to compute the prediction over the encrypted data records and sends back the results that the hospital can decrypt and read. The encryption scheme uses a public key for encryption and a secret key (private key) for decryption. It is important to note that the cloud does not have access to the secret key, so it cannot decrypt the data nor can it decrypt the prediction. The only information it obtains during the process is that it did perform a prediction on behalf of the hospital. Hence, the cloud can charge the hospital for its services, but does not learn anything about the patient’s medical files or the predicted outcomes. This procedure allows for private and secure predictions without requiring the establishment of trust between the data owner and the service provider. This may have applications in fields such as health, finance, business, and possibly others. It is important to note that this work focuses on the inference stage. We make the assumption that the cloud already has a model. In our case it would be a neural network that

¹This work was done while the first author was at Microsoft Research, Redmond

Slide 52

Encrypted Programs Using Trusted Hardware

Slide 53

Intel SGX and AMD SEV
• Hardware-isolated regions whose memory is encrypted by the CPU: SGX enclaves inside a process (the OS and hypervisor outside the enclave cannot read its memory), SEV whole encrypted virtual machines
• SGX available on Intel Skylake and later CPUs; AMD SEV had been announced but had not shipped at the time of this talk (2016)
• Attestation protocol: the CPU signs a measurement of the loaded code so a remote party can verify it is talking to the program it intends, on genuine hardware, before provisioning secrets to it
• Microsoft VC3: Encrypted Map-Reduce

Slide 54

Technical Report MSR-TR-2014-39, February 28, 2014 (Updated March 19, 2015). VC3: Trustworthy Data Analytics in the Cloud. Felix Schuster*, Manuel Costa, Cédric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich, Microsoft Research

Abstract. We present VC3, the first system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodified Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, confidentiality and integrity are preserved even if these large components are compromised. VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop: VC3’s average runtime overhead is negligible for its base security guarantees, 4.5% with write integrity and 8% with read/write integrity.

*Work done while interning at Microsoft Research; affiliated with Ruhr-Universität Bochum.

Slide 55

Post-Quantum Cryptography

Slide 56

Group Homomorphisms
• Factoring, Discrete Log, Elliptic Curve DLP
• Shor’s Algorithm (1994) solves all three

Slide 57

Shor’s Algorithm
• Requires large quantum computers (thousands of logical, i.e. error-corrected, qubits, and far more physical ones)
• Could be used to solve factoring and (EC)DLP exponentially faster than the best known classical algorithms, breaking RSA, DH and ECC at any practical key size
• Fortunately large quantum computers are 10+ years off; traffic recorded today can still be decrypted once they exist, which is why post-quantum key exchange matters now

Slide 58

Post-Quantum Public Key Encryption Algorithms
• Lattices: Ring-LWE (NewHope), NTRU
• Isogenies: Supersingular Isogeny Diffie-Hellman (SIDH; broken by a classical attack in 2022 by Castryck and Decru, so no longer a candidate)
• Codes: McEliece/McBits

Slide 60

That’s it!

Slide 61

Thanks! • Twitter: @bascule • Blog: https://tonyarcieri.com