Tree Homomorphic Encryption with Scalable Decryption - PowerPoint PPT Presentation

Slides: 51
Provided by: AK9
Transcript and Presenter's Notes

Title: Tree Homomorphic Encryption with Scalable Decryption


1
Tree Homomorphic Encryption with Scalable
Decryption
  • Moti Yung
  • Columbia University
  • Joint work with
  • Aggelos Kiayias
  • University of Connecticut

2
Outline
  • The computing server model and scalability.
  • Tree homomorphic encryption with scalable
    decryption.
  • The onion-decryption case.
  • Application to E-voting.
  • Conclusions.

3
Outline
  • The computing server model and scalability.
  • Tree homomorphic encryption with scalable
    decryption.
  • The onion-decryption case.
  • Application to E-voting.
  • Conclusions.

4
Homomorphic Encryption
Basic Aggregation Operation: a bush
5
The computing server model for Secure Multiparty
Computation
  • Computing server is a (perhaps distributed) party
    in the protocol that manages the contributions
    and delivery of results.
  • This model has been applied in voting, auctions
    and other specialized secure multiparty
    computations.
  • Contributors provide (encrypted) input under the
    specifications of the protocol (access control
    allows them to write on a bulletin board;
    role specification).
  • Processing / Aggregation of encrypted
    contributions by computing server.
  • Delivery of results / output decryption.

6
Computing Server Model: Correctness Aspect
  • All valid contributions are included.
  • No unauthorized contributions are permitted.
  • Contribution Processing is done according to
    specifications.
  • Auditing Replication is added to cope with
    various faults and failures.

7
Computing Server Model: Privacy Aspect
  • The computation / processing does not leak any
    information about contributions, beyond what is
    trivially inferred from the public output.
  • Computing servers are honest w.r.t. privacy.
  • Or, threshold techniques
  • Share decryption capabilities.
  • Split contribution.

8
The Large Scale Setting
  • The bush model is insufficient for the large
    scale:
  • Load Balancing Issues.
  • Remote Geographic Locations.
  • Overlay networks in P2P.

Non-bush approach is needed
9
Aggregation over Trees: Scalability
Each node implements a gate for ciphertext processing.
Structure imposed by geographic load balancing parameters.
Contributions
  • Bush aggregation of homomorphic encryption
    consistent with tree deployment: every node is a
    bush for its children.
  • Aggregation complexity linear in the number of
    children nodes

10
Connection to Elections
Top-Level
Regional Level
(micro-) Precinct Level
11
Correctness Aspect across the Tree
  • Scaling over tree structure

Each node is composed of a set of agents that
collectively ensure the correctness aspect of
the local node operation.
Scales well over the tree's hierarchical structure.
12
Privacy Aspect
Decryption Agents
13
The BIGGEST brother problem
  • Inner nodes in the tree are assuring correctness:
    no decryption capability.
  • Decryption capability shared at the root?
  • Possible, but all kinds of privacy advocates,
    known election experts and election non-experts
    will protest:
  • why should the little guy put his privacy at
    the end of the BIGGEST brother?

14
Do old solutions work?
  • Sharing decryption capability to decipher the
    result at the root among all tree nodes using
    threshold techniques does not scale.
  • But scalability is our primary objective to begin
    with!

15
Outline
  • The computing server model and scalability.
  • Tree homomorphic encryption with scalable
    decryption.
  • The onion-decryption case.
  • Application to E-voting.
  • Conclusions.

16
Idea.
  • To solve the BIGGEST brother problem, distribute
    decryption capability along the tree structure.
  • Since aggregation along the tree structure scales,
    enforce decryption capability to follow the
    same pattern.

17
User Perspective
Nodes that the user trusts for correctness.
So the same nodes must share decryption capability
w.r.t. that user's privacy.
User trust path
User
18
Our Solution: Tree Homomorphic Encryption with
Scalable Decryption
  • Tree is suggested by network architecture,
    load-balancing parameters, geography, network
    overlay, etc.
  • Spreading Decryption capability across the paths
    of the tree so that user privacy is not violated
    unless the whole user trust path is corrupt.

19
Homomorphic Encryption and Aggregation.
Groups
Homomorphic over randomness is useful for
constructing generic proofs of knowledge.
Embedding of a Z-interval within
Capacity length of the Z-interval.
Inputs to the computation belong to set of
integer Values
20
Homomorphic Encryption and Aggregation, II
EXAMPLE Voting among c candidates
of votes won by j-th candidate.
21
Proofs of Knowledge
EXAMPLE Voting among c candidates, II
Voter contributes the encryption and a proof of
knowledge.
Proof possible for generic homomorphic encryption
scheme.
Length linear in c.
22
Three steps
  • Key generation across the tree.
  • Encryption of inputs at leaves.
  • <Aggregation decryption> along tree paths.

23
Key Generation and distribution across user trust
paths
  • Each node generates a key (independently).
  • Can be threshold of agents within the node.

Public keys are propagated down to the user
level across all trust paths.
24
Blind-and-Share operation
l of levels
Encryption functions of levels for user j
j-th user selects
Encryptions of shares
Capacity Condition
25
Consistency
  • Encryptions in general are over different domains
    (each node has independent public-key).
  • We need consistency checks to ensure correct
    blind-and-sharing of the input (independent of
    the individual domains).

26
Proof of consistency
Each of the ciphertexts is accompanied by a
commitment to the plaintext over the same
domain.
  • Together with a proof of knowledge that ensures
  • Each ciphertext and commitment hide the
    same value.
  • The aggregation of the commitments hides a
    value of the form such that

27
Proof of consistency, II
  • It follows that an encrypted contribution
  • Contains an additive sharing of a value
  • So that

28
Tree Aggregation
Lowest level



Encrypted contributions
29
Tree Aggregation, II
  • Lowest level node obtains the aggregated
    ciphertext

Where
are the users assigned to the node V.

30
Tree Aggregation Partial Decryption.
Lowest level
The lowest-level node decrypts the last entry and
applies the modulo operation.

The block is propagated to the upper level.
31
Tree Aggregation Partial Decryption, II
j-th level
j

The j-th level receives partially decrypted
entries from its children that are of the form

32
Tree Aggregation Partial Decryption, III
  • The j-th level node aggregates as follows



and decrypts the j-th level.


33
Tree Aggregation Partial Decryption, IV
  • Top level agents, after aggregation and
    decryption of the top level entry obtain

The totally decrypted sum of shares

34
Output recovery
  • THEN top-level agents recover the results as
    follows

This operation reveals the result of the
procedure in the form

35
Output Recovery, II
  • This works because




36
Tree Homomorphic Encryption with Scalable
Decryption: Implementations
  • Generic: based on any additive homomorphic
    encryption: Paillier or (modified) ElGamal.
  • Size of encrypted contribution equals length of
    user trust path.

37
Implementations, II
  • Modified ElGamal admits a more efficient
    implementation of scalable decryption:
  • Constant size of contribution independent of the
    length of the user trust path.
  • Onion style decryption.

38
Outline
  • The computing server model and scalability.
  • Tree homomorphic encryption with scalable
    decryption.
  • The onion-decryption case.
  • Application to E-voting.
  • Conclusions.

39
Tree Homomorphic Encryption with Onion decryption
  • ElGamal-specific case.
  • Shortening of contribution encryption size.
  • Based on composition of public keys across user
    trust paths.

40
Initialization/Setup: Additive ElGamal Specific
Global parameters: $G$; $g, f, h$ generators of $G$,
a multiplicative group of prime order $q$.
Setup:
Each node creates a local public key $pk = g^a$.
Each node computes its local combined_pk by
multiplying its local pk with the combined_pk of
the parent node.
41
Submission of Contributions: Additive ElGamal
Specific
Each user makes a selection $v \in \{1, M, M^2, \ldots, M^{c-1}\}$
and publishes $\langle g^r, (\text{combined\_pk})^r f^v \rangle$.
combined_pk is the combined public key local
to the lowest-level node, i.e. $\text{combined\_pk} = h_0 h_1 h_2 \cdots h_k$,
where $h_0, h_1, h_2, \ldots, h_k$ are the
local pks of the nodes in the user trust
path. $r < q$ is selected at random.
42
Submission of Contributions, II: Additive ElGamal
Specific
The user proves that the encryption $\langle B_1, B_2 \rangle$
is formed according to the specifications.
The voter publishes
$\mathrm{NIZK}[\, r : (B_1 = g^r) \wedge \bigvee_{v \in C} (B_2 = (\text{combined\_pk})^r f^v) \,]$
43
Tree Aggregation Decryption by Onion Peeling
The low-level node multiplies all encrypted
contributions point-wise.
THEN the node peels off its layer of
encryption (by doing ElGamal decryption w.r.t.
its local private key).
$\langle g^r, (h_0 h_1 h_2 \cdots h_k)^r f^v \rangle \rightarrow \langle g^r, (h_1 h_2 \cdots h_k)^r f^v \rangle$
The process continues recursively up to the
top-level node.
44
Output
The top node receives the tally $T = f^{\sum v}$.
Recovery of output
The space of all possible values for $\sum v$ is of
size $O(n^{c-1})$ and as a result it can be found in
time $O(n^{c-1})$. Using the baby-step giant-step
method this can be improved to $O(n^{(c-1)/2})$.
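The onion-decryption case of slides 40 to 44 (setup, submission, peeling, output recovery), as an added Python example that is not code from the presentation. The toy group (p = 2039, q = 1019), the nested-list tree layout, the function names and the conditions M > number of voters and M^c <= q are assumptions of this example; the NIZK proof of slide 42 is omitted.

```python
import secrets
from math import isqrt, prod
# Toy group (constructed, far too small for real use): squares mod p = 2q + 1.
P, Q = 2039, 1019                # p and the prime group order q
G, F = 4, 9                      # generators g and f of G (both squares mod p)

def keygen():
    """Local key pair of one node: private a, public pk = g^a."""
    a = secrets.randbelow(Q - 1) + 1
    return a, pow(G, a, P)

def encrypt(cpk, v):
    """User contribution <g^r, cpk^r * f^v> for random r < q."""
    r, g_r = keygen()
    return g_r, pow(cpk, r, P) * pow(F, v, P) % P

def aggregate(cts):
    """Point-wise product of ciphertexts; the exponents r and v add up."""
    return prod(c[0] for c in cts) % P, prod(c[1] for c in cts) % P

def peel(ct, a):
    """Strip one layer: B2 / B1^a. B1 has order q, so B1^(q-a) = B1^(-a)."""
    return ct[0], ct[1] * pow(ct[0], Q - a, P) % P

def process(node, M, parent_cpk=1):
    """node: list of child nodes, or (at a leaf) list of candidate indices."""
    a, pk = keygen()
    cpk = parent_cpk * pk % P    # combined_pk = local pk * parent's combined_pk
    if node and isinstance(node[0], int):
        cts = [encrypt(cpk, M ** j) for j in node]       # each user: v = M^j
    else:
        cts = [process(child, M, cpk) for child in node]
    return peel(aggregate(cts), a)

def recover(t, bound):
    """Baby-step giant-step: the s in [0, bound) with f^s = t."""
    m = isqrt(bound) + 1
    baby = {pow(F, j, P): j for j in range(m)}
    step = pow(F, Q - m, P)      # f^(-m)
    for i in range(m):
        if t in baby:
            return i * m + baby[t]
        t = t * step % P
    raise ValueError("tally outside expected range")

def tally(tree, M, c):
    """Per-candidate counts; needs M > number of voters and M^c <= q."""
    s = recover(process(tree, M)[1], M ** c)
    return [s // M ** j % M for j in range(c)]
```

Each call to `process` plays one tree node: it never sees a plaintext vote, only an aggregate with the layers of its ancestors still in place.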
45
Outline
  • The computing server model and scalability.
  • Tree homomorphic encryption with scalable
    decryption.
  • The onion-decryption case.
  • Application to E-voting.
  • Conclusions.

46
Application to E-Voting: Scalable Secret Ballot
Elections
  • Arbitrary elections structure, size and
    distributions
  • Security properties scale in parallel to the
    elections structure

47
Voter Distribution
Smallest Administrative Unit: Microprecinct
48
The Election Tree
49
Outline
  • The computing server model and scalability.
  • Tree homomorphic encryption with scalable
    decryption.
  • The onion-decryption case.
  • Application to E-voting.
  • Conclusions.

50
Conclusions
  • Tree Homomorphic Encryption with Scalable
    Decryption.
  • Motivated by load-balancing / network topology /
    geography constraints / overlay P2P networks.
  • Assuming multi-level trust can eliminate big
    brother presence.
  • Further increase of security possible by
    employing paranoid security or multi-path
    election
  • Future applications?