determined without knowledge of the key, but leaks additional information • Order-revealing encryption (ORE): ciphertexts are numbers that can be sorted to reveal original order using a public function which outputs “<” or “≥” • Provides efﬁcient range queries BROKEN!
Kevin Lewi Stanford University firstname.lastname@example.org David J. Wu Stanford University email@example.com Abstract In the last few years, there has been signiﬁcant interest in developing methods to search over encrypted data. In the case of range queries, a simple solution is to encrypt the contents of the database using an order-preserving encryption (OPE) scheme (i.e., an encryption scheme that supports comparisons over encrypted values). However, Naveed et al. (CCS 2015) recently showed that OPE-encrypted databases are extremely vulnerable to “inference attacks.” In this work, we consider a related primitive called order-revealing encryption (ORE), which is a generalization of OPE that allows for stronger security. We begin by constructing a new ORE scheme for small message spaces which achieves the “best-possible” notion of security for ORE. Next, we introduce a “domain-extension” technique and apply it to our small-message-space ORE. While our domain-extension technique does incur a loss in security, the resulting ORE scheme we obtain is more secure than all existing (stateless and non-interactive) OPE and ORE schemes which are practical. All of our constructions rely only on symmetric primitives. As part of our analysis, we also give a tight lower bound for OPE and show that no e cient OPE scheme can satisfy best-possible security if the message space contains just three messages. Thus, achieving strong notions of security for even small message spaces requires moving beyond OPE. Finally, we examine the properties of our new ORE scheme and show how to use it to construct an e cient range query protocol that is robust against the inference attacks of Naveed et al. We also give a full implementation of our new ORE scheme, and show that not only is our scheme more secure than existing OPE schemes, it is also faster: encrypting a 32-bit integer requires just 55 microseconds, which is more than 65 times faster than existing OPE schemes. 1 Introduction Today, large corporations and governments collect and store more personal information about us than ever before. And as high-proﬁle data breaches on companies and organizations (such as Anthem [AC15], eBay [Kel14], and the U.S. Voter Database [FV15]) become startlingly common, it is imperative that we develop practical means for securing our personal data in the cloud. One way to mitigate the damage caused by a database breach is to encrypt the data before storing it in the cloud. This, however, comes at the price of functionality: once data is encrypted, it is more di cult to execute searches over the data without ﬁrst decrypting the data. As a result, This is the extended version of a paper by the same name that appeared in ACM Conference on Computer and Communications Security in October, 2016. 1
Science Craig Gentry⇤ IBM T.J. Watson Research Center Vinod Vaikuntanathan† University of Toronto Abstract We present a radically new approach to fully homomorphic encryption (FHE) that dramatically im- proves performance and bases security on weaker assumptions. A central conceptual contribution in our work is a new way of constructing leveled fully homomorphic encryption schemes (capable of evaluating arbitrary polynomial-size circuits), without Gentry’s bootstrapping procedure. Speciﬁcally, we offer a choice of FHE schemes based on the learning with error (LWE) or ring-LWE (RLWE) problems that have 2 security against known attacks. For RLWE, we have: • A leveled FHE scheme that can evaluate L-level arithmetic circuits with ˜ O ( · L3 ) per-gate com- putation – i.e., computation quasi-linear in the security parameter. Security is based on RLWE for an approximation factor exponential in L. This construction does not use the bootstrapping procedure. • A leveled FHE scheme that uses bootstrapping as an optimization, where the per-gate computation (which includes the bootstrapping procedure) is ˜ O ( 2 ) , independent of L. Security is based on the hardness of RLWE for quasi-polynomial factors (as opposed to the sub-exponential factors needed in previous schemes). We obtain similar results for LWE, but with worse performance. We introduce a number of further optimizations to our schemes. As an example, for circuits of large width – e.g., where a constant fraction of levels have width at least – we can reduce the per-gate computation of the bootstrapped version to ˜ O ( ) , independent of L, by batching the bootstrapping operation. Previous FHE schemes all required ˜ ⌦( 3.5 ) computation per gate. At the core of our construction is a much more effective approach for managing the noise level of lattice-based ciphertexts as homomorphic operations are performed, using some new techniques recently introduced by Brakerski and Vaikuntanathan (FOCS 2011). ⇤Sponsored by the Air Force Research Laboratory (AFRL). Disclaimer: This material is based on research sponsored by DARPA under agreement number FA8750-11-C-0096 and FA8750-11-2-0225. The U.S. Government is authorized to reproduce and dis- tribute reprints for Governmental purposes notwithstanding any copyright notation thereon. The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the ofﬁcial policies or endorsements, either expressed or implied, of DARPA or the U.S. Government. Approved for Public Release, Distribution Unlimited. †This material is based on research sponsored by DARPA under Agreement number FA8750-11-2-0225. All disclaimers as above apply.
Garg UCLA firstname.lastname@example.org Craig Gentry IBM Research email@example.com Shai Halevi IBM Research firstname.lastname@example.org Mariana Raykova IBM Research email@example.com Amit Sahai UCLA firstname.lastname@example.org Brent Waters University of Texas at Austin email@example.com July 21, 2013 Abstract In this work, we study indistinguishability obfuscation and functional encryption for general circuits: Indistinguishability obfuscation requires that given any two equivalent circuits C0 and C1 of similar size, the obfuscations of C0 and C1 should be computationally indistinguishable. In functional encryption, ciphertexts encrypt inputs x and keys are issued for circuits C . Using the key SKC to decrypt a ciphertext CTx = Enc( x ), yields the value C ( x ) but does not reveal anything else about x . Furthermore, no collusion of secret key holders should be able to learn anything more than the union of what they can each learn individually. We give constructions for indistinguishability obfuscation and functional encryption that supports all polynomial-size circuits. We accomplish this goal in three steps: • We describe a candidate construction for indistinguishability obfuscation for NC1 circuits. The security of this construction is based on a new algebraic hardness assumption. The candidate and assumption use a simpliﬁed variant of multilinear maps, which we call Multilinear Jigsaw Puzzles . • We show how to use indistinguishability obfuscation for NC1 together with Fully Homomorphic Encryption (with decryption in NC1) to achieve indistinguishability obfuscation for all circuits. • Finally, we show how to use indistinguishability obfuscation for circuits, public-key encryption, and non-interactive zero knowledge to achieve functional encryption for all circuits. The func- tional encryption scheme we construct also enjoys succinct ciphertexts, which enables several other applications. The ﬁrst and ﬁfth authors were supported in part from NSF grants 1228984, 1136174, 1118096, 1065276, 0916574 and 0830803, a Xerox Faculty Research Award, a Google Faculty Research Award, an equipment grant from Intel, and an Okawa Foundation Research Grant. The views expressed are those of the author and do not reﬂect the o cial policy or position of the National Science Foundation, or the U.S. Government. The second and third authors were supported by the Intelligence Advanced Research Projects Activity (IARPA) via Department of Interior National Business Center (DoI/NBC) contract number D11PC20202. The U.S. Government is authorized to reproduce and distribute reprints for Governmental purposes notwithstanding any copyright annotation thereon. Disclaimer: The views and conclusions contained herein are those of the authors and should not be interpreted as necessarily representing the o cial policies or endorsements, either expressed or implied, of IARPA, DoI/NBC, or the U.S. Government. The fourth author is supported by NSF Grant No.1017660. The sixth author is supported by NSF CNS-0915361 and CNS-0952692, CNS-1228599, DARPA N11AP20006, Google Faculty Research award, the Alfred P. Sloan Fellowship, Microsoft Faculty Fellowship, and Packard Foundation Fellowship. i
Rachel Player2 1 Microsoft Research, USA firstname.lastname@example.org 2 Royal Holloway, University of London, UK?? email@example.com 1 Introduction Traditional encryption schemes, both symmetric and asymmetric, were not designed to respect the algebraic structure of the plaintext and ciphertext spaces. Many schemes, such as Elgamal (resp. e.g. Paillier), are multiplicatively homomorphic (resp. additively homomorphic), so that one can perform certain limited types of computations directly on the encrypted data and have them pass through the encryption to the underlying plaintext data, without requiring access to any secret key(s). The restriction to a one particular type of operation is very strong, however, and instead a much more powerful fully homomorphic encryption scheme, that respects two algebraic operations between the plaintext and ciphertext spaces, would be needed for most applications. The ﬁrst such encryption scheme was presented by Craig Gentry in his famous work , and since then researchers have introduced a number of new and more e cient fully homomorphic encryption schemes. Despite the promising theoretical power of homomorphic encryption, the practical side still remains somewhat underdeveloped. Recently new implementations, new data encoding techniques, and new applications have started to improve the situation, but much remains to be done. In 2015 we released the Simple Encrypted Arithmetic Library - SEAL with the goal of providing a well engineered and documented homomorphic encryption library, with no external dependencies, that would be easy to use both by experts and by non-experts with little or no cryptographic background. The library is available at http://sealcrypto.codeplex.com, and is licensed under the MSR License Agreement. Recently a large number of major changes were implemented in SEAL, and the new version was released as SEAL v2 . 0. In this document we describe in detail this new release, and hope to provide a practical guide to using homomorphic encryption for a wide audience. The reader is also advised to go over the code examples that come with the library, and to read through the detailed comments. For users of previous versions of SEAL we hope to provide clear instructions for how to port old code to use SEAL v2 . 0. An introductory paper to an older version of SEAL was given in , which the user new to SEAL v2 . 0 may also ﬁnd helpful as large parts of the API have remained unchanged. 1.1 Roadmap In Section 1.2 we brieﬂy discuss the major changes to SEAL, which are expanded upon in the other sections of this document. In Section 2 we deﬁne notation and parameters we will use throughout the document. In Section 3 we give the description of the Fan-Vercauteren homomorphic encryption scheme (FV) – as originally speciﬁed in  – and in Section 4 we describe how SEAL di↵ers from this original description. In Section 5 we discuss the expected ?? Much of this work was done during an internship at Microsoft Research, Redmond.
and Accuracy Nathan Dowlin1 NDOWLIN@PRINCETON.EDU Department of Mathematics, Princeton University Ran Gilad-Bachrach RANG@MICROSOFT.COM Kim Laine KIM.LAINE@MICROSOFT.COM Kristin Lauter KLAUTER@MICROSOFT.COM Michael Naehrig MNAEHRIG@MICROSOFT.COM John Wernsing JOHN.WERNSING@MICROSOFT.COM Microsoft Research, Redmond Abstract Applying machine learning to a problem which involves medical, ﬁnancial, or other types of sen- sitive data, not only requires accurate predic- tions but also careful attention to maintaining data privacy and security. Legal and ethical re- quirements may prevent the use of cloud-based machine learning solutions for such tasks. In this work, we will present a method to convert learned neural networks to CryptoNets, neural networks that can be applied to encrypted data. This allows a data owner to send their data in an encrypted form to a cloud service that hosts the network. The encryption ensures that the data re- mains conﬁdential since the cloud does not have access to the keys needed to decrypt it. Never- theless, we will show that the cloud service is capable of applying the neural network to the en- crypted data to make encrypted predictions, and also return them in encrypted form. These en- crypted predictions can be sent back to the owner of the secret key who can decrypt them. There- fore, the cloud service does not gain any infor- mation about the raw data nor about the predic- tion it made. We demonstrate CryptoNets on the MNIST optical character recognition tasks. CryptoNets achieve 99% accuracy and can make around 59000 predictions per hour on a single PC. Therefore, they allow high throughput, ac- curate, and private predictions. Proceedings of the 33rd International Conference on Machine Learning, New York, NY, USA, 2016. JMLR: W&CP volume 48. Copyright 2016 by the author(s). 1. Introduction Consider a hospital that would like to use a cloud service to predict the probability of readmission of a patient within the next 30 days, in order to improve the quality of care and to reduce costs. Due to ethical and legal requirements re- garding the conﬁdentiality of patient information, the hos- pital might be prohibited from using such a service. In this work we present a way by which the hospital can use this valuable service without sacriﬁcing patient privacy. In the proposed protocol, the hospital encrypts the private in- formation and sends it in encrypted form to the prediction provider, referred to as the cloud in our discussion below. The cloud is able to compute the prediction over the en- crypted data records and sends back the results that the hos- pital can decrypt and read. The encryption scheme uses a public key for encryption and a secret key (private key) for decryption. It is important to note that the cloud does not have access to the secret key, so it cannot decrypt the data nor can it decrypt the prediction. The only information it obtains during the process is that it did perform a prediction on behalf of the hospital. Hence, the cloud can charge the hospital for its services, but does not learn anything about the patient’s medical ﬁles or the predicted outcomes. This procedure allows for private and secure predictions without requiring the establishment of trust between the data owner and the service provider. This may have applications in ﬁelds such as health, ﬁnance, business, and possibly oth- ers. It is important to note that this work focuses on the infer- ence stage. We make the assumption that the cloud already has a model. In our case it would be a neural network that 1This work was done while the ﬁrst author was at Microsoft Research, Redmond
VC3 : Trustworthy Data Analytics in the Cloud Felix Schuster*, Manuel Costa, C´ edric Fournet, Christos Gkantsidis, Marcus Peinado, Gloria Mainar-Ruiz, and Mark Russinovich Microsoft Research Abstract We present VC3, the ﬁrst system that allows users to run distributed MapReduce computations in the cloud while keeping their code and data secret, and ensuring the correctness and completeness of their results. VC3 runs on unmodiﬁed Hadoop, but crucially keeps Hadoop, the operating system and the hypervisor out of the TCB; thus, conﬁdentiality and integrity are preserved even if these large components are compromised. VC3 relies on SGX processors to isolate memory regions on individual computers, and to deploy new protocols that secure distributed MapReduce computations. VC3 optionally enforces region self-integrity invariants for all MapReduce code running within isolated regions, to prevent attacks due to unsafe memory reads and writes. Experimental results on common benchmarks show that VC3 performs well compared with unprotected Hadoop: VC3’s average runtime overhead is negligible for its base security guarantees, 4.5% with write integrity and 8% with read/write integrity. *Work done while interning at Microsoft Research; afﬁliated with Ruhr-Universit¨ at Bochum.