410 likes | 528 Views
Algebraic Lower Bounds for Computing on Encrypted Data. Rafail Ostrovsky William E. Skeith III. Non-Interactive Crypto-Computing. A wants to distribute computation of f to B. f,g. A. B. X. Y. E(X). g(E(X),Y). = E(f(X,Y)). Homomorphic Encryption and CC.
E N D
Algebraic Lower Bounds for Computing on Encrypted Data Rafail Ostrovsky William E. Skeith III
Non-Interactive Crypto-Computing A wants to distribute computation of f to B f,g A B X Y E(X) g(E(X),Y) = E(f(X,Y))
Homomorphic Encryption and CC • Homomorphic encryption is a very natural starting point, and the primary tool for many CC protocols: • Let f be a function, and A some algebraic structure. • If f can be computed by the algebra of A and A is preserved via homomorphic encryption, • Then we have non-interactive CC of f
Algebraic Non-Interactive CC • For a given algebraic structure, what can be accomplished with algebraic computation? • Main question: which crypto-computing functions can we implement using known homomorphic cryptosystems?
Examples We’ll Study • In an algebraic setting, we address the following: • Private Database Modification • Homomorphic PIR Protocols • Private Keyword Search
Algebraic Private Database Modification [BKOS] U Mi=(g1,…,gm) DB g1, g2,…, gm X = X’ = F(x1,…,xn,g1,…gm ,h1,…hr) All gj, xi, hk2 A, and F is some “algebraic” function
Homomorphic PIR Protocols [BGN,KO] U DB Qi=(g1,…,gm) g1, g2,…, gm X = (xj1,…,xil)=FX(g1,…gm ,h1,…hr) FX(g1,…gm ,h1,…hr) All gj, hk2 A, and FX is some “algebraic” function determined by the database X 2 An
Manuscript (2002) of Sander, et al. • Result uses techniques of Ben-Or. • Cryptosystem from manuscript was broken… however, an interesting question is asked: “ “
Two Results • A positive result: • Homomorphic encryption over any simple non-abelian group is equivalent to fully homomorphic encryption (preserving a ring). • Homomorphic encryption over any simple non-abelian group is equivalent to non-interactive CC. • A family of negative results (i.e., lower bounds): • Using the algebras preserved by existing cryptosystems, we can show lower bounds for homomorphic PIR, database modification, characteristic vectors…
Our First Result: • For any non-abelian simple group, the following holds: Any circuit with N gates can be replaced by a circuit of size O(N) that uses only the group operation to simulate gates (wires will carry group elements). • Example: for A5, we can represent a NAND gate ¼ 50 group operations (this may not be minimal…).
Our Second Result: Overview • We’ll make an abstract algebraic observation • From the observation, we’ll derive: • (n) bounds (over an abelian group) • algebraic private database modification • homomorphic PIR • Bounds on conjunctive queries in the keyword search of [OS,BSW] • First, a few definitions...
Characteristic Vectors over a Group • Let G be a group. We’ll call v2 Gn a characteristic vector if v is non-identity in precisely one position: • v=(idG,idG,...,x idG,idG,…,idG) • Let V={vi}i2[n] be a complete set of such vectors.
Question • What is the inherent communication involved in “algebraic” functions that generate characteristic vectors? • We’ll reduce all of our algebraic crypto-computing protocols to this basic functionality.
Idea: Generating Char. Vectors 9 F:Gm! Gn, an “algebraic” function s.t. For each i 2 [n], 9 wi = (g1,…,gm) with F(wi) = vi
An Algebraic Observation • Let A and G be abelian groups. • Let F:A ! Gn be an “affine” group map, i.e., F=f+c, where f 2 HomZ(A,Gn) and c 2 Gn. • Then if V ½ F(A), we have log(|A|) 2(n)
Difficulties • Can’t we use linear algebra to immediately prove the theorem? • The most naturally occurring instance (in cryptography) is the case of A=Gm • If G were a field, this would be an easy linear-algebra dimension argument, but this is not generally the case (G is only assumed to be an abelian group). • Even with G cyclic, we could successfully implement even with m=1. (I.e., we can specify characteristic vectors by communicating only a single group element.)
Other Non-productive Ideas: Affine to Linear • Recall that F=f+c is “affine”, and let m denote the number of group elements communicated. • One might think that the problem could be rephrased as linear by just incrementing m to account for c 2 Gn. • However, to model the affine map, you in general need to increase m by a non-constant amount (consider non-cyclic G). • Certainly, it doesn’t seem to be the “right” approach.
The “Right” Approach: • Stay abstract. • Dimension is irrelevant • Will give a stronger result. • Takes care of typical cases nicely, but will actually be quite a bit more general (rules out End(G), etc…)
Proof of Theorem (Idea) • Idea: show that h V i is a Z|A|-module, and apply the Lemma. • Recall that in an abelian group • ord(a+b)|lcm(ord(a),ord(b)) • And in any group, • ord((a,b)) = lcm(ord(a),ord(b)) • ord(f(a))|ord(a)
Proof of Theorem (1 of 2) • Let F=f+c be affine, from A ! Gn, define V as before, and let c=(c1,…,cn). • Define V’={vi-c}i2[n]. (Note: V’ ½ f(A)) • All elements of V’ have order | |A| • ) all ci and therefore c have order | |A|. • Since A,G abelian, we have that all of V has elts of order | |A|.
Proof of Theorem (2 of 2) • Since all elements of h V i, h V’ i have order dividing |A|, they are in fact Z|A|-modules. • Set R=Z|A| and M=h V [ V’ i and apply the lemma to yield: 2n· |h V’ i||A| · |A|2, and hence log(|A|) 2(n)
Consequences • Over an abelian group, • Algebraic private modification of an encrypted database (n) • Homomorphic PIR protocols (n) • Impossibility of conjunctive queries in the keyword search of [OS,BSW] • Using poly’s of total degree t, bounds become (n1/t)
Algebraic Private Database Modification [BKOS] U Mi=(g1,…,gm) DB g1, g2,…, gm X = X’ = F(x1,…,xn,g1,…gm ,h1,…hr) All gj, xi, hk2 A, and F is some “algebraic” function
Algebraic Database Modification Implies Characteristic Vectors • Let X be a database consisting of idG in all locations. • Apply F(X,Mi,H) X’ • X’ = vi will be a characteristic vector.
Homomorphic PIR Protocols [BGN,KO] U DB Qi=(g1,…,gm) g1, g2,…, gm X = (xj1,…,xil)=FX(g1,…gm ,h1,…hr) FX(g1,…gm ,h1,…hr) All gj, hk2 A, and FX is some “algebraic” function determined by the database X2An
Homomorphic PIR Implies Characteristic Vectors • For a moment, suppose the protocol returns an encryption of a single element. • Let V={vi}i=1n be a complete set of characteristic vectors over Gn. • Define databases Xi = vi for i 2 [n]. • If Qi queries position i, then (FX1(Qi,H),…, FXn(Qi,H)) will be non-identity exactly in position i.
Non-singleton Query Returns • It may be the case that a PIR query returns many database values, as long as the right value is at a predictable location in the result (e.g. [KO]). • More generally, we can prove the following algebraic claim:
Claim • Let V={vi}i=1n be a complete collection of characteristic type vectors, except… • Then if V ½ F(A), we have that: log(|A|) 2(n/w(n)) • vi can be non-identity in up to w(n) locations for any positive function w.
General Case: Homomorphic PIR Implies Characteristic Vectors • Suppose that the query returns k values. • Define fi(g1,...gm)=j=1k (FXi(g1,…,hr))j • (f1(g1,…,gm),…fn(g1,…,gm)) will be non-identity in at most k positions • ) user communication is (n/k(n)) • Server communication is clearly at least k(n), so we are done.
Other Types of Cryptosystems • Recently there has been a lot of attention on bilinear maps in cryptography. • The work of [BGN] demonstrates a cryptosystem that allows polynomials of total degree 2 to be evaluated on ciphertext.
Polynomials of Bounded Total Degree • We can prove an extension of our original algebraic result, which will give similar bounds on the utility of total degree t polynomials. (even for t>2)
Proof Idea • The number of monomials in an m-variable polynomial of total degree t is O(mt). • Simulate such a polynomial with a total degree 1 polynomial in O(mt) variables. • Apply initial theorem to the abelian group (R,+).
More General Results • If given the ability of computation of polynomials of total degree t, we obtain similar bounds, only n n1/t • In particular, this corollary gives (n1/2) bounds when applied to algebraic protocols based on the cryptosystem of [BGN] (this matches the upper bound for database modification seen in [BKOS]).
Generality of Results • The algebraic assumptions may seem quite rigid, but are often appropriate in crypto-computing settings. • From an algebraic point of view however, they are very general: • Incorporates all algebraic formulas, but also many other types of maps (formulas with End(G), changing representations, etc…). • Covers most all algebraic structures preserved by known cryptosystems
Perspective • Help researchers determine the feasibility of various new protocols. • Especially useful when such protocols are needed as a subroutine in a larger crypto-computing function. • Protocol may need output with algebraic value to continue the computation • Simple Non-abelian group-homomorphic encryption: • Seems pretty hard. • Equivalent to fully-homomorphic encryption (/ring).