\(\mathsf {HIKE}\): Walking the Privacy Trail

Abstract

We consider the problem of privacy-preserving processing of outsourced data in the context of user-customised services. Clients store their data on a server. In order to provide user-dependent services, service providers may ask the server to compute functions on the users’ data. We propose a new solution to this problem that guarantees data privacy (i.e., an honest-but-curious server cannot access plaintexts), as well as that service providers can correctly decrypt only –functions on– the data the user gave them access to (i.e., service providers learn nothing more than the result of user-selected computations).

Our solution has as base point a new secure labelled homomorphic encryption scheme (\(\mathsf {LEEG}\)). \(\mathsf {LEEG}\) supports additional algorithms (\(\mathsf {FEET}\)) that enhance the scheme’s functionalities with extra privacy-oriented features. Equipped with \(\mathsf {LEEG}\) and \(\mathsf {FEET}\), we define \(\mathsf {HIKE}\): a lightweight protocol for private and secure storage, computation and disclosure of users’ data. Finally, we implement \(\mathsf {HIKE}\) and benchmark its performances demonstrating its succinctness and efficiency.

This work was partially supported by the Swedish Research Council (Vetenskapsrådet) through the grants PolUser (2015-04154) and PRECIS (621-2014-4845).

Appendices

Appendix

A Detailed Proofs

Semantic Security of \(\mathsf {LEEG}\). We want to prove that our \(\mathsf {LEEG}\) scheme is semantically secure according to Barbosa et al.’s definition [2] (Definition 4).

Proof

Let \(Q_\mathsf{prf}(\lambda )\) be a bound on the total number of encryption queries performed by \(\mathcal {A}\) during the security experiment. Let Game 0 be the semantic security experiment in Definition 4 where, for consistency with our definition of \(\mathsf {LEEG}\), the challenger runs \(\mathsf {SetUp}(1^\lambda )\rightarrow \mathsf {pp}\) to obtain the public parameters of the scheme, then it runs \(\mathsf {KeyGen}(\mathsf {pp})\rightarrow \mathsf {sk}=(sk, \mathsf {k})\) and computes \(\mathsf {pk}= sk\cdot P\). In addition, \(\mathcal {C}\) ignores any query with label \(\ell =(Q', Q, \tau )\) where \(Q'\ne \mathsf {pk}\).

Let Game 1 be the same as Game 0 except that the challenger replaces every \( {\mathsf {PRF}} _{\mathsf {k}}(\cdot )\) instance with the evaluation of a truly random function \(\mathsf{rand}: \mathbb {G}\times \mathbb {G}\times \mathcal {T}\rightarrow [0..q-1]\). It is quite easy to see that the difference between Game 1 and Game 0 is solely in the generation of the values \(r\). Therefore the probability of \(\mathcal {A}\) winning is the same in the two games, a part from a \(Q_\mathsf{prf}(\lambda )\) factor that comes from distinguishing the PRF instance from a truly random function. Thus

$$ | \mathsf {Prob}[\mathsf {G}_0(\mathcal {A})] - \mathsf {Prob}[\mathsf {G}_1(\mathcal {A})]| \le Q_\mathsf{prf}(\lambda )\cdot \mathtt {Adv}_{\mathcal {\mathcal {A}}}^{ {\mathsf {PRF}} } (\lambda ).$$

At this point, we observe that for any given ciphertext \(\mathsf {ct}\) and label-message pair \((\ell , {m})\) there is exactly one value \(r\in [0..q-1]\) for which \(\mathsf {ct}\) is an encryption of \({m}\) for label \(\ell \). In particular, for every triple \((\mathsf {ct}, \ell , {m})\) it holds that

$$ \mathsf {Prob}[\mathsf {Enc}(\mathsf {sk}, \ell , {m})=\mathsf {ct}]= \frac{|r\in [0..q-1] : {M}+ r\cdot sk\cdot Q = \mathsf {ct}|}{|[0..q-1]|} =\frac{1}{q},$$

where the probability is taken over all the possible values \(r\leftarrow ^{\!\!\!\!\$}[0..q-1]\). Since the above probability holds also for the challenge ciphertext \(\mathsf {ct}^*\) we have that \( \mathsf {Prob}[\mathsf {Enc}(\mathsf {sk}, \ell _0, {m}_0)=\mathsf {ct}^*] = \mathsf {Prob}[\mathsf {Enc}(\mathsf {sk}, \ell _1, {m}_1)=\mathsf {ct}^*]\) (semantic security) and implies \(\mathsf {Prob}[\mathsf {G}_1(\mathcal {A})]=\frac{1}{2}.\) Therefore:

$$\begin{aligned} \mathsf {Prob}[\mathsf {G}_0(\mathcal {A})]&\le | \mathsf {Prob}[\mathsf {G}_0(\mathcal {A})] - \mathsf {Prob}[\mathsf {G}_1(\mathcal {A})] | + \mathsf {Prob}[\mathsf {G}_1(\mathcal {A})] \\&\le Q_\mathsf{prf}(\lambda )\cdot \mathtt {Adv}_{\mathcal {A}}^{ {\mathsf {PRF}} } (\lambda ) + \frac{1}{2} \end{aligned}$$

which proves the semantic security of \(\mathsf {LEEG}\), given that \(Q_\mathsf{prf}(\lambda )\) is polynomial and \(\mathtt {Adv}_{\mathcal {A}}^{ {\mathsf {PRF}} } \) is negligible (by our security assumption on the PRF family).    \(\square \)

Proof of Theorem 2. We want to prove our \(\mathsf {HIKE}\) protocol achieves token secrecy, i.e., that \(\mathtt {Adv}_{\mathsf {HIKE}, \mathcal {A}}^{\mathsf {token.sec}} (\lambda ) \le {Q_\mathsf{id}} \cdot \mathtt {Adv}_{\mathsf {LEEG}, \mathcal {A}}^{\mathsf {sem.sec}} (\lambda ) \).

Proof

We exhibit a reduction \(\mathcal {B}\) that uses \(\mathcal {A}\) to win the semantic-security experiment for the \(\mathsf {LEEG}\) scheme. The reduction works exactly as the one in the proof of Theorem 1 a part for a couple of exceptions. First, this reduction holds an additional (private) list \({L_\mathsf{rand}} \), that is empty at the beginning of the simulation. Second, \(\mathcal {B}\) behaves differently (only) in the following cases:

Encryption Queries: \(\mathcal {B}\) forwards the queries to the \(O\mathsf {Encrypt}'\) oracle, unless \(\ell =( \mathsf {pk}^\star , \mathsf {pk}, \tau )\). In case \(\ell =( \mathsf {pk}^\star , \mathsf {pk}, \tau )\), the reduction does not have the secret key for encryption and token generation. In order to simulate the encryption and be consistent with future token-generation queries, \(\mathcal {B}\) checks if \((\ell , r)\in {L_\mathsf{rand}} \) for some value \(r\in [0..q-1]\). If so, \(\mathcal {B}\) uses the existing values r to compute the ciphertext \(\mathsf {ct}=({m}\cdot P+ r\cdot \mathsf {pk})\). Otherwise, \(\mathcal {B}\) picks a random value \(r\leftarrow ^{\!\!\!\!\$}[0..q-1]\), updates \({L_\mathsf{rand}} \leftarrow {L_\mathsf{rand}} \cup (\ell , r)\), and computes \(\mathsf {ct}=({m}\cdot P+ r\cdot \mathsf {pk})\). In any case, \(\mathcal {B}\) updates the list of queried labels \({L_\mathsf{lab}}\leftarrow {L_\mathsf{lab}}\cup \ell \), and returns \(\mathsf {ct}\) to \(\mathcal {A}\). Note that \(\mathsf {ct}\) has the same distribution as the output of \(\mathsf {Enc}(\mathsf {sk}^\star , \ell , {m})\), indeed for any r chosen by the reduction there exists a value \(r'\in [0..q-1]\) such that \(r=r' \cdot sk^\star \mod q\) and thus \(\mathsf {ct}= {m}\cdot P+ r\cdot \mathsf {pk}= {m}\cdot P+ r'\cdot \mathsf {sk}^\star \cdot \mathsf {pk}\). The latter series of equalities shows that \(\mathcal {B}\)’s simulation is still perfect.

Disclose Queries: \(\mathcal {B}\) forwards to the \(O\mathsf {Disclose}\) oracle all the queries \(\mathcal {P}=(f, \ell _1\, \ldots , \ell _n)\) with \(f(x_1,\ldots , x_n)= a_0+\sum _{i\in [n]}a_ix_i\), \(\ell _i=(\mathsf {pk}, \mathsf {pk}', \tau _i)\) and \(\mathsf {pk}\ne \mathsf {pk}^\star \). Otherwise, \(\mathcal {P}\) contains labels of the form \(\ell _i=( \mathsf {pk}^\star , \mathsf {pk}', \tau _i)\). The reduction performs the same checks as the \(O\mathsf {Disclose}\) oracle, if any check fails \(\mathcal {B}\) returns \( \mathtt {error}\). In case all conditions are met, \(\mathcal {B}\) proceeds by checking if \((\ell _i,\cdot )\in {L_\mathsf{rand}} \) for all \(i\in [n]\), in which case the reduction uses the randomness stored in \({L_\mathsf{rand}} \) to compute the token \({\mathsf {tok}} =(\sum _{i\in [n]}a_ir_i )\cdot \mathsf {pk}^\star \). Otherwise, for all those labels \(\ell _j\) not present in \({L_\mathsf{rand}} \), \(\mathcal {B}\) samples a random element \(r \leftarrow ^{\!\!\!\!\$}[0..q-1]\) and updates the private list \({L_\mathsf{rand}} \leftarrow {L_\mathsf{rand}} \cup (\ell _j, r)\). At this point \((\ell _i, r_i)\in {L_\mathsf{rand}} \) for all the labels in the queried \(\mathcal {P}\) and \(\mathcal {B}\) can compute \({\mathsf {tok}} =(\sum _{i\in [n]}a_ir_i)\cdot \mathsf {pk}^\star \). In either case, \(\mathcal {B}\) updates the list of queried token-labels, i.e., \({L_\mathsf{tok}}\leftarrow {L_\mathsf{tok}}\cup (\ell _1, \ldots , \ell _n)\), and returns \({\mathsf {tok}} \) to \(\mathcal {A}\).

Let \((\ell ^*, {m}_0, {m}_1)\) be \(\mathcal {A}\)’s input to the challenge phase. If \(\ell ^*\ne (\mathsf {pk}^\star , \cdot , \cdot )\) the reduction aborts (\(\mathcal {A}\) chose to challenge a different client than the one \(\mathcal {B}\) bet on). This event happens with probability \((1-\frac{1}{Q_\mathsf{id}})\).

Otherwise \(\ell ^*=(\mathsf {pk}^\star , Q, \tau )\), \(\mathcal {B}\) updates the list of queried labels \({L_\mathsf{lab}}\leftarrow {L_\mathsf{lab}}\cup \ell ^*\) and sends \((\ell ^*, {m}_0, {m}_1)\) to its challenger \(\mathcal {C}\) for the semantic security game. Let \(\mathsf {ct}\) denote \(\mathcal {C}\)’s reply, \(\mathcal {B}\) forwards \(\mathsf {ct}\) to \(\mathcal {A}\).

In the subsequent query phase \(\mathcal {B}\) behaves as described above.

At the end of the experiment, \(\mathcal {B}\) outputs the same bit \(b^*\) returned by \(\mathcal {A}\) for the \(\mathsf {token.sec}\) experiment. Note that since \(\mathcal {A}\) is given exactly the same challenge as in the \(\mathsf {sem.sec}\) experiment, if \(\mathcal {A}\) has a non-negligible advantage in winning the \(\mathsf {token.sec}\) experiment, then \(\mathcal {B}\) has the same non-negligible advantage in breaking the semantic-security of \(\mathsf {LEEG}\), unless \(\mathcal {B}\) aborts its simulation. Therefore we conclude that:

\(\mathtt {Adv}_{\mathsf {LEEG},\mathcal {B}}^{\mathsf {sem.sec}} (\lambda ) \ge \Big (\frac{1}{Q_\mathsf{id}}\Big )\cdot \mathtt {Adv}_{\mathsf {HIKE},\mathcal {A}}^{\mathsf {token.sec}} (\lambda ).\)    \(\square \)

B Token Composability in \(\mathsf {FEET}\)

In this appendix we show token composability for two labelled programs. The general case follows immediately.

Consider two labelled programs \(\mathcal {P}_1=(f_1, \ell _1, \ldots , \ell _n) \) and \(\mathcal {P}_2=(f_2, \ell '_1, \ldots , \ell '_{n'}) \). For consistency, token composability requires that all the labels involved in \(\mathcal {P}_1\) and \(\mathcal {P}_2\) are of the form \(\ell =(sk\cdot P, Q, \tau )\) for some opportune value of \(\tau \). Without loss of generality, we can set \(f_1=a_0+\sum _{i\in [n]}a_ix_i\) and \(f_2=a_0'+\sum _{j\in [n']}a_j'x_{\sigma (j)}\) for opportune coefficients \(a_i, a'_j\in \mathcal {M}\), and an index-mapping function \(\sigma :\mathbb {N}\rightarrow \mathbb {N}\) used to model the fact that the functions may be defined on a different set of variables. Let \(I\subseteq \mathbb {N}\) be the set of indexes of common variables, formally:

$$\begin{aligned} I=\{i\in [n] such that \sigma (j)=i for some j\in [n'] \}. \end{aligned}$$

(5)

The composed labelled program \(\mathcal {P}= b_1 \mathcal {P}_1 + b_2\mathcal {P}_2\) is defined as \(\mathcal {P}=(f, \tilde{\ell }_1,\ldots , \tilde{\ell }_{\tilde{n}})\) with \(f= b_1f_1+b_2f_2\), \(f(x_1, \ldots , x_{\tilde{n}})= (b_1a_0+b_2a_0') + \sum _{i\in I} (b_1a_i + b_2a'_i) x_i + \sum _{i\in [n]\setminus I} b_1 a_i x_i + \sum _{j\in [n']\setminus \sigma (I)} b_2a'_j x_j\) for any \(b_1,b_2 \in \mathcal {M}\). We show that the combined token \({\mathsf {tok}} =b_1{\mathsf {tok}} _1+b_2{\mathsf {tok}} _2\) is a valid decryption token for the composed labelled program \(\mathcal {P}\), actually \({\mathsf {tok}} =\mathsf {TokenGen}(\mathsf {sk},\mathcal {P})\). In details:

$$\begin{aligned} {\mathsf {tok}}&= b_1{\mathsf {tok}} _1 + b_2{\mathsf {tok}} _2 \\&= sk\; \Big ( \sum _{i\in [n]}b_1a_ir_i + \sum _{j\in [n']}b_2a_j'r'_{\sigma (j)} \Big )\cdot P\\&= sk\; \Big (\sum _{i\in I} (b_1a_i + b_2a'_i)r_i + \sum _{i\in [n]\setminus I} b_1 a_ir_i + \sum _{j\in [n']\setminus \sigma (I)} b_2a'_j r'_j\Big ) \cdot P\\&= \mathsf {TokenGen}(\mathsf {sk},\mathcal {P}) \end{aligned}$$

The set I in the second last equality is the one defined in (5), that is \(\ell _i=\ell '_{i=\sigma (j)} \) for all \(i\in I\) and therefore \(r_i=r'_i= {\mathsf {PRF}} _{\mathsf {k}}(\ell _i)\). By the correctness of the \(\mathsf {TokenGen}\)-\(\mathsf {TokenDec}\) algorithms, we derive that \({\mathsf {tok}} \) is a valid decryption token for \(\mathsf {sk}_2\), \(\mathsf {ct}=\mathsf {Eval}(f, \mathsf {ct}_1,\ldots , \mathsf {ct}_{\tilde{n}})\). It is straightforward to generalise this reasoning to multiple labelled programs \(\mathcal {P}_1, \ldots \mathcal {P}_t\) as long as all the labels coincide on the first two entries.