Verifiable Encodings for Secure Homomorphic Analytics

Homomorphic encryption, which enables the execution of arithmetic operations directly on ciphertexts, is a promising solution for protecting privacy of cloud-delegated computations on sensitive data. However, the correctness of the computation result is not ensured. We propose two error detection encodings and build authenticators that enable practical client-verification of cloud-based homomorphic computations under different trade-offs and without compromising on the features of the encryption algorithm. Our authenticators operate on top of trending ring learning with errors based fully homomorphic encryption schemes over the integers. We implement our solution in VERITAS, a ready-to-use system for verification of outsourced computations executed over encrypted data. We show that contrary to prior work VERITAS supports verification of any homomorphic operation and we demonstrate its practicality for various applications, such as ride-hailing, genomic-data analysis, encrypted search, and machine-learning training and inference.Comment: update authors, typos corrected, scheme update

Information-Theoretic Privacy in Verifiable Outsourced Computation

Today, it is common practice to outsource time-consuming computations to the cloud. Using the cloud allows anyone to process large quantities of data without having to invest in the necessary hardware, significantly lowering cost requirements. In this thesis we will consider the following work flow for outsourced computations: A data owner uploads data to a server. The server then computes some function on the data and sends the result to a third entity, which we call verifier. In this scenario, two fundamental security challenges arise. A malicious server may not perform the computation correctly, leading to an incorrect result. Verifiability allows for the detection of such results. In order for this to be practical, the verification procedure needs to be efficient. The other major challenge is privacy. If sensitive data, for example medical data is processed it is important to prevent unauthorized access to such sensitive information. Particularly sensitive data has to be kept confidential even in the long term. The field of verifiable computing provides solutions for the first challenge. In this scenario, the verifier can check that the result that was given was computed correctly. However, simultaneously addressing privacy leads to new challenges. In the scenario of outsourced computation, privacy comes in different flavors. One is privacy with respect to the server, where the goal is to prevent the server from learning about the data processed. The other is privacy with respect to the verifier. Without using verifiable computation the verifier obviously has less information about the original data than the data owner - it only knows the output of the computation but not the input to the computation. If this third party verifier however, is given additional cryptographic data to verify the result of the computation, it might use this additional information to learn information about the inputs. To prevent that a different privacy property we call privacy with respect to the verifier is required. Finally, particularly sensitive data has to be kept confidential even in the long term, when computational privacy is not suitable any more. Thus, information-theoretic measures are required. These measures offer protection even against computationally unbounded adversaries. Two well-known approaches to these challenges are homomorphic commitments and homomorphic authenticators. Homomorphic commitments can provide even information-theoretic privacy, thus addressing long-term security, but verification is computationally expensive. Homomorphic authenticators on the other hand can provide efficient verification, but do not provide information-theoretic privacy. This thesis provides solutions to these research challenges -- efficient verifiability, input-output privacy and in particular information-theoretic privacy. We introduce a new classification for privacy properties in verifiable computing. We propose function-dependent commitment, a novel framework which combines the advantages of homomorphic commitments and authenticators with respect to verifiability and privacy. We present several novel homomorphic signature schemes that can be used to solve verifiability and already address privacy with respect to the verifier. In particular we construct one such scheme fine-tailored towards multivariate polynomials of degree two as well as another fine-tailored towards linear functions over multi-sourced data. The latter solution provides efficient verifiability even for computations over data authenticated by different cryptographic keys. Furthermore, we provide transformations for homomorphic signatures that add privacy. We first show how to add computational privacy and later on even information-theoretic privacy. In this way, we turn homomorphic signatures into function-dependent commitments. By applying this transformation to our homomorphic signature schemes we construct verifiable computing schemes with information-theoretic privacy

Bounded Fully Homomorphic Signature Schemes

Homomorphic signatures enable anyone to publicly perform computations on signed data and produce a compact tag to authenticate the results. In this paper, we construct two bounded fully homomorphic signature schemes, as follows. \begin{itemize} \item For any two polynomials $d=d(\lambda), s=s(\lambda)$, where $\lambda$ is the security parameter. Our first scheme is able to evaluate any circuit on the signatures, as long as the depth and size of the circuit are bounded by $d$ and $s$, respectively. The construction relies on indistinguishability obfuscation and injective (or polynomially bounded pre-image size) one-way functions. \medskip \item The second scheme, removing the restriction on the size of the circuits, is an extension of the first one, with succinct verification and evaluation keys. More specifically, for an a-prior polynomial $d=d(\lambda)$, the scheme allows to evaluate any circuit on the signatures, as long as the depth of the circuit is bounded by $d$. This scheme is based on differing-inputs obfuscation and collision-resistant hash functions and relies on a technique called recording hash of circuits. \end{itemize} Both schemes enjoy the composition property. Namely, outputs of previously derived signatures can be re-used as inputs for new computations. The length of derived signatures in both schemes is independent of the size of the data set. Moreover, both constructions satisfy a strong privacy notion, we call {\em semi-strong context hiding}, which requires that the derived signatures of evaluating any circuit on the signatures of two data sets are {\em identical} as long as the evaluations of the circuit on these two data sets are the same

A practical validation of Homomorphic Message Authentication schemes

Dissertação de mestrado em Engenharia InformáticaCurrently, cloud computing is very appealing because it allows the user to outsource his data so it can later be accessed from multiple devices. The user can also delegate to the cloud computing service provider some, possibly complex, operations on the outsourced data. Since this service provider may not always be trusted, it is necessary to not only preserve the privacy but also to enforce the authenticity of the outsourced data. Lately, a lot of work was put on solving the first problem, specially after the introduction of the first Fully Homomorphic Encryption scheme. In this work we will focus on the latter, namely on the use of Homomorphic Message Authentication primitives. We will evaluate the current available solutions, their functionality and their security. Finally, we will provide an implementation of one of these schemes in order to verify if they are indeed practical

On the Security Notions for Homomorphic Signatures

Homomorphic signature schemes allow anyone to perform computation on signed data in such a way that the correctness of computation’s results is publicly certified. In this work we analyze the security notions for this powerful primitive considered in previous work, with a special focus on adaptive security. Motivated by the complications of existing security models in the adaptive setting, we consider a simpler and (at the same time) stronger security definition inspired to that proposed by Gennaro and Wichs (ASIACRYPT’13) for homomorphic MACs. In addition to strength and simplicity, this definition has the advantage to enable the adoption of homomorphic signatures in dynamic data outsourcing scenarios, such as delegation of computation on data streams. Then, since no existing homomorphic signature satisfies this stronger notion, our main technical contribution are general compilers which turn a homomorphic signature scheme secure under a weak definition into one secure under the new stronger notion. Our compilers are totally generic with respect to the underlying scheme. Moreover, they preserve two important properties of homomorphic signatures: context-hiding (i.e. signatures on computation’s output do not reveal information about the input) and efficient verification (i.e. verifying a signature against a program P can be made faster, in an amortized, asymptotic sense, than recomputing P from scratch)

ADSNARK: Nearly practical and privacy-preserving proofs on authenticated data

We study the problem of privacy-preserving proofs on authenticated data, where a party receives data from a trusted source and is requested to prove computations over the data to third parties in a correct and private way, i.e., the third party learns no information on the data but is still assured that the claimed proof is valid. Our work particularly focuses on the challenging requirement that the third party should be able to verify the validity with respect to the specific data authenticated by the source — even without having access to that source. This problem is motivated by various scenarios emerging from several application areas such as wearable computing, smart metering, or general business-to-business interactions. Furthermore, these applications also demand any meaningful solution to satisfy additional properties related to usability and scalability. In this paper, we formalize the above three-party model, discuss concrete application scenarios, and then we design, build, and evaluate ADSNARK, a nearly practical system for proving arbitrary computations over authenticated data in a privacy-preserving manner. ADSNARK improves significantly over state-of-the-art solutions for this model. For instance, compared to corresponding solutions based on Pinocchio (Oakland’13), ADSNARK achieves up to 25× improvement in proof-computation time and a 20× reduction in prover storage space

A framework for implementing outsourcing schemes

En esta tesis se aborda el problema de la externalización segura de servicios de datos y computación. El escenario de interés es aquel en el que el usuario posee datos y quiere subcontratar un servidor en la nube (“Cloud”). Además, el usuario puede querer también delegar el cálculo de un subconjunto de sus datos al servidor. Se presentan dos aspectos de seguridad relacionados con este escenario, en concreto, la integridad y la privacidad y se analizan las posibles soluciones a dichas cuestiones, aprovechando herramientas criptográficas avanzadas, como el Autentificador de Mensajes Homomórfico (“Homomorphic Message Authenticators”) y el Cifrado Totalmente Homomórfico (“Fully Homomorphic Encryption”). La contribución de este trabajo es tanto teórica como práctica. Desde el punto de vista de la contribución teórica, se define un nuevo esquema de externalización (en lo siguiente, denominado con su término inglés Outsourcing), usando como punto de partida los artículos de [3] y [12], con el objetivo de realizar un modelo muy genérico y flexible que podría emplearse para representar varios esquemas de ”outsourcing” seguro. Dicho modelo puede utilizarse para representar esquemas de “outsourcing” seguro proporcionando únicamente integridad, únicamente privacidad o, curiosamente, integridad con privacidad. Utilizando este nuevo modelo también se redefine un esquema altamente eficiente, construido en [12] y que se ha denominado Outsourcinglin. Este esquema permite calcular polinomios multivariados de grado 1 sobre el anillo Z2k . Desde el punto de vista de la contribución práctica, se ha construido una infraestructura marco (“Framework”) para aplicar el esquema de “outsourcing”. Seguidamente, se ha testado dicho “Framework” con varias implementaciones, en concreto la implementación del criptosistema Joye-Libert ([18]) y la implementación del esquema propio Outsourcinglin. En el contexto de este trabajo práctico, la tesis también ha dado lugar a algunas contribuciones innovadoras: el diseño y la implementación de un nuevo algoritmo de descifrado para el esquema de cifrado Joye-Libert, en colaboración con Darío Fiore. Presenta un mejor comportamiento frente a los algoritmos propuestos por los autores de [18];la implementación de la función eficiente pseudo-aleatoria de forma amortizada cerrada (“amortized-closed-form efficient pseudorandom function”) de [12]. Esta función no se había implementado con anterioridad y no supone un problema trivial, por lo que este trabajo puede llegar a ser útil en otros contextos. Finalmente se han usado las implementaciones durante varias pruebas para medir tiempos de ejecución de los principales algoritmos.---ABSTRACT---In this thesis we tackle the problem of secure outsourcing of data and computation. The scenario we are interested in is that in which a user owns some data and wants to “outsource” it to a Cloud server. Furthermore, the user may want also to delegate the computation over a subset of its data to the server. We present the security issues related to this scenario, namely integrity and privacy and we analyse some possible solutions to these two issues, exploiting advanced cryptographic tools, such as Homomorphic Message Authenticators and Fully Homomorphic Encryption. Our contribution is both theoretical and practical. Considering our theoretical contribution, using as starting points the articles of [3] and [12], we introduce a new cryptographic primitive, called Outsourcing with the aim of realizing a very generic and flexible model that might be employed to represent several secure outsourcing schemes. Such model can be used to represent secure outsourcing schemes that provide only integrity, only privacy or, interestingly, integrity with privacy. Using our new model we also re-define an highly efficient scheme constructed in [12], that we called Outsourcinglin and that is a scheme for computing multi-variate polynomials of degree 1 over the ring Z2k. Considering our practical contribution, we build a Framework to implement the Outsourcing scheme. Then, we test such Framework to realize several implementations, specifically the implementation of the Joye-Libert cryptosystem ([18]) and the implementation of our Outsourcinglin scheme. In the context of this practical work, the thesis also led to some novel contributions: the design and the implementation, in collaboration with Dario Fiore, of a new decryption algorithm for the Joye-Libert encryption scheme, that performs better than the algorithms proposed by the authors in [18]; the implementation of the amortized-closed-form efficient pseudorandom function of [12]. There was no prior implementation of this function and it represented a non trivial work, which can become useful in other contexts. Finally we test the implementations to execute several experiments for measuring the timing performances of the main algorithms

Homomorphic Proxy Re-Authenticators and Applications to Verifiable Multi-User Data Aggregation

We introduce the notion of homomorphic proxy re-authenticators, a tool that adds security and verifiability guarantees to multi-user data aggregation scenarios. It allows distinct sources to authenticate their data under their own keys, and a proxy can transform these single signatures or message authentication codes (MACs) to a MAC under a receiver\u27s key without having access to it. In addition, the proxy can evaluate arithmetic circuits (functions) on the inputs so that the resulting MAC corresponds to the evaluation of the respective function. As the messages authenticated by the sources may represent sensitive information, we also consider hiding them from the proxy and other parties in the system, except from the receiver. We provide a general model and two modular constructions of our novel primitive, supporting the class of linear functions. On our way, we establish various novel building blocks. Most interestingly, we formally define the notion and present a construction of homomorphic proxy re-encryption, which may be of independent interest. The latter allows users to encrypt messages under their own public keys, and a proxy can re-encrypt them to a receiver\u27s public key (without knowing any secret key), while also being able to evaluate functions on the ciphertexts. The resulting re-encrypted ciphertext then holds an evaluation of the function on the input messages