Algebraic Lower Bounds for Computing on Encrypted Data Rafail Ostrovsky William E. Skeith III

Post on 03-Jan-2016


TRANSCRIPT

Page 1: Algebraic Lower Bounds for Computing on Encrypted Data

Algebraic Lower Bounds for Computing on Encrypted Data

Rafail Ostrovsky William E. Skeith III

Page 2: Algebraic Lower Bounds for Computing on Encrypted Data

Non-Interactive Crypto-Computing

[Figure: party A holds input X and party B holds input Y. A sends E(X) to B; B computes g(E(X), Y) = E(f(X,Y)) and returns it. The functions f and g are labelled on the figure.]

A wants to distribute computation of f to B

Page 3: Algebraic Lower Bounds for Computing on Encrypted Data

Homomorphic Encryption and CC

• Homomorphic encryption is a very natural starting point, and the primary tool for many CC protocols.

• Let f be a function, and A some algebraic structure.
– If f can be computed by the algebra of A, and A is preserved via homomorphic encryption,
– then we have non-interactive CC of f.

Page 4: Algebraic Lower Bounds for Computing on Encrypted Data

Algebraic Non-Interactive CC

• For a given algebraic structure, what can be accomplished with algebraic computation?

• Main question: which crypto-computing functions can we implement using known homomorphic cryptosystems?

Page 5: Algebraic Lower Bounds for Computing on Encrypted Data

Examples We’ll Study

• In an algebraic setting, we address the following:
– Private Database Modification
– Homomorphic PIR Protocols
– Private Keyword Search

Page 6: Algebraic Lower Bounds for Computing on Encrypted Data

Algebraic Private Database Modification [BKOS]

[Figure: user U sends the modification message $M_i = (g_1, g_2, \dots, g_m)$ to the database holder DB. DB holds $X = (X_1, X_2, X_3, \dots, X_n)$ and computes $X' = F(x_1,\dots,x_n,\, g_1,\dots,g_m,\, h_1,\dots,h_r)$.]

All $g_j, x_i, h_k \in A$, and $F$ is some “algebraic” function

Page 7: Algebraic Lower Bounds for Computing on Encrypted Data

Homomorphic PIR Protocols [BGN,KO]

[Figure: user U sends the query $Q_i = (g_1, g_2, \dots, g_m)$ to DB. DB holds $X = (X_1, X_2, X_3, \dots, X_n)$ and returns $F_X(g_1,\dots,g_m,\, h_1,\dots,h_r)$.]

All $g_j, h_k \in A$, and $F_X$ is some “algebraic” function determined by the database $X \in A^n$

$(x_{i_1}, \dots, x_{i_l}) = F_X(g_1,\dots,g_m,\, h_1,\dots,h_r)$

Page 8: Algebraic Lower Bounds for Computing on Encrypted Data

Manuscript (2002) of Sander, et al.

• Result uses techniques of Ben-Or.

• Cryptosystem from manuscript was broken… however, an interesting question is asked:


Page 9: Algebraic Lower Bounds for Computing on Encrypted Data

Two Results

• A positive result:
– Homomorphic encryption over any simple non-abelian group is equivalent to fully homomorphic encryption (preserving a ring).
– Homomorphic encryption over any simple non-abelian group is equivalent to non-interactive CC.

• A family of negative results (i.e., lower bounds):
– Using the algebras preserved by existing cryptosystems, we can show lower bounds for homomorphic PIR, database modification, characteristic vectors…

Page 10: Algebraic Lower Bounds for Computing on Encrypted Data

Our First Result:

• For any non-abelian simple group, the following holds: Any circuit with N gates can be replaced by a circuit of size O(N) that uses only the group operation to simulate gates (wires will carry group elements).

• Example: for $A_5$, we can represent a NAND gate with $\approx 50$ group operations (this may not be minimal…).

Page 11: Algebraic Lower Bounds for Computing on Encrypted Data

More Formally:

Page 12: Algebraic Lower Bounds for Computing on Encrypted Data

Our Second Result: Overview

• We’ll make an abstract algebraic observation
• From the observation, we’ll derive:
• $\Omega(n)$ bounds (over an abelian group) for
– algebraic private database modification
– homomorphic PIR

• Bounds on conjunctive queries in the keyword search of [OS,BSW]

• First, a few definitions...

Page 13: Algebraic Lower Bounds for Computing on Encrypted Data

Characteristic Vectors over a Group

• Let $G$ be a group. We’ll call $v \in G^n$ a characteristic vector if $v$ is non-identity in precisely one position:

• $v = (\mathrm{id}_G, \mathrm{id}_G, \dots, x, \dots, \mathrm{id}_G, \mathrm{id}_G)$, with $x \neq \mathrm{id}_G$

• Let $V = \{v_i\}_{i \in [n]}$ be a complete set of such vectors.

Page 14: Algebraic Lower Bounds for Computing on Encrypted Data

Question

• What is the inherent communication involved in “algebraic” functions that generate characteristic vectors?

• We’ll reduce all of our algebraic crypto-computing protocols to this basic functionality.

Page 15: Algebraic Lower Bounds for Computing on Encrypted Data

Idea: Generating Char. Vectors

$\exists\, F : G^m \to G^n$, an “algebraic” function s.t.

for each $i \in [n]$,

$\exists\, w_i = (g_1,\dots,g_m)$ with $F(w_i) = v_i$

Page 16: Algebraic Lower Bounds for Computing on Encrypted Data

An Algebraic Observation

• Let $A$ and $G$ be abelian groups.

• Let $F : A \to G^n$ be an “affine” group map, i.e., $F = f + c$, where $f \in \mathrm{Hom}_{\mathbb{Z}}(A, G^n)$ and $c \in G^n$.

• Then if $V \subseteq F(A)$, we have

$\log(|A|) \in \Omega(n)$

Page 17: Algebraic Lower Bounds for Computing on Encrypted Data

Difficulties

• Can’t we use linear algebra to immediately prove the theorem?

• The most naturally occurring instance (in cryptography) is the case $A = G^m$.

• If $G$ were a field, this would be an easy linear-algebra dimension argument, but this is not generally the case ($G$ is only assumed to be an abelian group).

• Even with $G$ cyclic, a construction can succeed with $m = 1$ (i.e., characteristic vectors can be specified by communicating only a single group element), so counting coordinates cannot give the bound; it has to be a bound on $\log(|A|)$.

Page 18: Algebraic Lower Bounds for Computing on Encrypted Data

Example: m=1
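The content of this slide is an image in the original deck. As an added worked example (not from the slides or the authors), here is one concrete $m = 1$ construction consistent with the remark on Page 17: take $G = A = \mathbb{Z}_N$ with $N = p_1 p_2 \cdots p_n$ a product of distinct primes, and the $\mathbb{Z}$-homomorphism $f(g) = (a_1 g, \dots, a_n g) \bmod N$ with $a_j = N/p_j$. The choice of primes and coefficients is this example's own; the code checks that a single element $w_i = N/p_i$ yields a characteristic vector at every position, and that $\log_2 |A| \geq n$ nonetheless, as the theorem on Page 16 requires.

```python
# Added example: characteristic vectors in Z_N^n from ONE group element (m = 1)
# when G = Z_N is cyclic.  Construction chosen here: N = p_1 ... p_n (distinct
# primes), f(g) = (a_1 g, ..., a_n g) mod N with a_j = N / p_j, witness w_i = N / p_i.
from math import log2


def first_primes(n):
    """The first n primes, by trial division (small n only)."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes


def build_instance(n):
    """Return (N, primes, coefficients a_j) for an n-position instance."""
    primes = first_primes(n)
    N = 1
    for p in primes:
        N *= p
    return N, primes, [N // p for p in primes]


def f(g, N, coeffs):
    """Z-module homomorphism Z_N -> Z_N^n: coordinate j is a_j * g mod N."""
    return tuple((a * g) % N for a in coeffs)


def witness(i, N, primes):
    """Single element w_i of Z_N; f(w_i)_j = (N/p_j)(N/p_i) mod N vanishes iff j != i."""
    return N // primes[i]


def is_characteristic(v, i):
    """Non-identity (non-zero, written additively) in precisely position i."""
    return all((x != 0) == (j == i) for j, x in enumerate(v))


def check_instance(n):
    """(all v_i = f(w_i) characteristic?, N, log2 |A|) for the n-position instance."""
    N, primes, coeffs = build_instance(n)
    ok = all(is_characteristic(f(witness(i, N, primes), N, coeffs), i) for i in range(n))
    return ok, N, log2(N)


if __name__ == "__main__":
    for n in (4, 8, 16):
        ok, N, bits = check_instance(n)
        print(f"n={n:2d}  m=1 works: {ok}  log2|A| = {bits:.1f} (>= n = {n})")
```

The point of the example is the mismatch the slide warns about: the number of coordinates communicated is one, yet $\log_2 |A| = \sum_j \log_2 p_j \geq n$, so the $\Omega(n)$ statement is about the size of $A$ rather than about $m$.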

Page 19: Algebraic Lower Bounds for Computing on Encrypted Data

Other Non-productive Ideas: Affine to Linear

• Recall that $F = f + c$ is “affine”, and let $m$ denote the number of group elements communicated.

• One might think that the problem could be rephrased as linear by just incrementing $m$ to account for $c \in G^n$.

• However, to model the affine map, you in general need to increase m by a non-constant amount (consider non-cyclic G).

• Certainly, it doesn’t seem to be the “right” approach.

Page 20: Algebraic Lower Bounds for Computing on Encrypted Data

The “Right” Approach:

• Stay abstract.
– Dimension is irrelevant.
– Will give a stronger result.
– Takes care of typical cases nicely, but will actually be quite a bit more general (rules out $\mathrm{End}(G)$, etc…)

Page 21: Algebraic Lower Bounds for Computing on Encrypted Data

Lemma

Page 22: Algebraic Lower Bounds for Computing on Encrypted Data

Proof of Lemma

Page 23: Algebraic Lower Bounds for Computing on Encrypted Data

Proof of Theorem (Idea)

• Idea: show that $\langle V \rangle$ is a $\mathbb{Z}_{|A|}$-module, and apply the Lemma.

• Recall that in an abelian group
– $\mathrm{ord}(a+b) \mid \mathrm{lcm}(\mathrm{ord}(a), \mathrm{ord}(b))$

• And in any group,
– $\mathrm{ord}((a,b)) = \mathrm{lcm}(\mathrm{ord}(a), \mathrm{ord}(b))$
– $\mathrm{ord}(f(a)) \mid \mathrm{ord}(a)$

Page 24: Algebraic Lower Bounds for Computing on Encrypted Data

Proof of Theorem (1 of 2)

• Let $F = f + c$ be affine, from $A \to G^n$, define $V$ as before, and let $c = (c_1,\dots,c_n)$.

• Define $V' = \{v_i - c\}_{i \in [n]}$. (Note: $V' \subseteq f(A)$)

• All elements of $V'$ have order dividing $|A|$.

• $\Rightarrow$ all $c_i$, and therefore $c$, have order dividing $|A|$.

• Since $A, G$ are abelian, we have that all of $V$ has elements of order dividing $|A|$.

Page 25: Algebraic Lower Bounds for Computing on Encrypted Data

Proof of Theorem (2 of 2)

• Since all elements of $\langle V \rangle$, $\langle V' \rangle$ have order dividing $|A|$, they are in fact $\mathbb{Z}_{|A|}$-modules.

• Set $R = \mathbb{Z}_{|A|}$ and $M = \langle V \cup V' \rangle$ and apply the lemma to yield:

$2^n \le |\langle V' \rangle| \cdot |A| \le |A|^2$, and hence

$\log(|A|) \in \Omega(n)$

Page 26: Algebraic Lower Bounds for Computing on Encrypted Data

Consequences

• Over an abelian group,
– Algebraic private modification of an encrypted database: $\Omega(n)$
– Homomorphic PIR protocols: $\Omega(n)$
– Impossibility of conjunctive queries in the keyword search of [OS,BSW]

• Using poly’s of total degree $t$, bounds become $\Omega(n^{1/t})$

Page 27: Algebraic Lower Bounds for Computing on Encrypted Data

Algebraic Private Database Modification [BKOS]

[Figure (recap of Page 6): user U sends the modification message $M_i = (g_1, g_2, \dots, g_m)$ to DB. DB holds $X = (X_1, X_2, X_3, \dots, X_n)$ and computes $X' = F(x_1,\dots,x_n,\, g_1,\dots,g_m,\, h_1,\dots,h_r)$.]

All $g_j, x_i, h_k \in A$, and $F$ is some “algebraic” function

Page 28: Algebraic Lower Bounds for Computing on Encrypted Data

Algebraic Database Modification Implies Characteristic Vectors

• Let X be a database consisting of idG in all locations.

• Apply $F(X, M_i, H) \to X'$

• X’ = vi will be a characteristic vector.

Page 29: Algebraic Lower Bounds for Computing on Encrypted Data

Homomorphic PIR Protocols [BGN,KO]

[Figure (recap of Page 7): user U sends the query $Q_i = (g_1, g_2, \dots, g_m)$ to DB. DB holds $X = (X_1, X_2, X_3, \dots, X_n)$ and returns $F_X(g_1,\dots,g_m,\, h_1,\dots,h_r)$.]

All $g_j, h_k \in A$, and $F_X$ is some “algebraic” function determined by the database $X \in A^n$

$(x_{i_1}, \dots, x_{i_l}) = F_X(g_1,\dots,g_m,\, h_1,\dots,h_r)$

Page 30: Algebraic Lower Bounds for Computing on Encrypted Data

Homomorphic PIR Implies Characteristic Vectors

• For a moment, suppose the protocol returns an encryption of a single element.

• Let $V = \{v_i\}_{i=1}^n$ be a complete set of characteristic vectors over $G^n$.

• Define databases $X_i = v_i$ for $i \in [n]$.

• If $Q_i$ queries position $i$, then

$(F_{X_1}(Q_i, H), \dots, F_{X_n}(Q_i, H))$

will be non-identity exactly in position $i$.

Page 31: Algebraic Lower Bounds for Computing on Encrypted Data

Non-singleton Query Returns

• It may be the case that a PIR query returns many database values, as long as the right value is at a predictable location in the result (e.g. [KO]).

• More generally, we can prove the following algebraic claim:

Page 32: Algebraic Lower Bounds for Computing on Encrypted Data

Claim

• Let $V = \{v_i\}_{i=1}^n$ be a complete collection of characteristic-type vectors, except that $v_i$ may be non-identity in up to $w(n)$ locations, for any positive function $w$.

• Then if $V \subseteq F(A)$, we have that:

$\log(|A|) \in \Omega(n / w(n))$

Page 33: Algebraic Lower Bounds for Computing on Encrypted Data

General Case: Homomorphic PIR Implies Characteristic Vectors

• Suppose that the query returns k values.

• Define $f_i(g_1,\dots,g_m) = \sum_{j=1}^{k} \big(F_{X_i}(g_1,\dots,h_r)\big)_j$

• $(f_1(g_1,\dots,g_m), \dots, f_n(g_1,\dots,g_m))$ will be non-identity in at most $k$ positions

• $\Rightarrow$ user communication is $\Omega(n / k(n))$

• Server communication is clearly at least k(n), so we are done.

Page 34: Algebraic Lower Bounds for Computing on Encrypted Data

Other Types of Cryptosystems

• Recently there has been a lot of attention on bilinear maps in cryptography.

• The work of [BGN] demonstrates a cryptosystem that allows polynomials of total degree 2 to be evaluated on ciphertext.

Page 35: Algebraic Lower Bounds for Computing on Encrypted Data

Polynomials of Bounded Total Degree

• We can prove an extension of our original algebraic result, which will give similar bounds on the utility of total degree $t$ polynomials (even for $t > 2$).

Page 36: Algebraic Lower Bounds for Computing on Encrypted Data

Corollary

Page 37: Algebraic Lower Bounds for Computing on Encrypted Data

Proof Idea

• The number of monomials in an $m$-variable polynomial of total degree $t$ is $O(m^t)$.

• Simulate such a polynomial with a total degree 1 polynomial in $O(m^t)$ variables.

• Apply initial theorem to the abelian group (R,+).

Page 38: Algebraic Lower Bounds for Computing on Encrypted Data

More General Results

• If given the ability to compute polynomials of total degree $t$, we obtain similar bounds, with $n$ replaced by $n^{1/t}$.

• In particular, this corollary gives $\Omega(n^{1/2})$ bounds when applied to algebraic protocols based on the cryptosystem of [BGN] (this matches the upper bound for database modification seen in [BKOS]).

Page 39: Algebraic Lower Bounds for Computing on Encrypted Data

Generality of Results

• The algebraic assumptions may seem quite rigid, but are often appropriate in crypto-computing settings.

• From an algebraic point of view, however, they are very general:
– Incorporates all algebraic formulas, but also many other types of maps (formulas with $\mathrm{End}(G)$, changing representations, etc…).
– Covers most all algebraic structures preserved by known cryptosystems

Page 40: Algebraic Lower Bounds for Computing on Encrypted Data

Perspective

• Help researchers determine the feasibility of various new protocols.

• Especially useful when such protocols are needed as a subroutine in a larger crypto-computing function.
– Protocol may need output with algebraic value to continue the computation

• Simple non-abelian group-homomorphic encryption:
– Seems pretty hard.
– Equivalent to fully-homomorphic encryption (preserving a ring).

Page 41: Algebraic Lower Bounds for Computing on Encrypted Data

Thank You