Presentation is loading. Please wait.

Presentation is loading. Please wait.

FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan.

Similar presentations


Presentation on theme: "FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan."— Presentation transcript:

1 FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan (IBM T J Watson)

2 Computing on Encrypted Data ClientServer/Cloud (Input: x)(Program: P) I want to delegate the computation to the cloud I want to delegate the computation to the cloud, but the cloud shouldnt see my input Enc [ P(x) ] Enc(x) P (An Example)

3 Enc [ P(x) ] Enc(x) P Definition: [ KeyGen, Enc, Dec, Eval ] (as in regular encryption) Compactness: Size of Evaled ciphertext independent of P Fully Homomorphic Encryption (FHE) = Security: Semantic Security [GM82] Definition: [ KeyGen, Enc, Dec ] Eval

4 – BGN05 & GHV10a: quadratic formulas Fully Homomorphic Encryption First Defined: Privacy homomorphism [RAD78] Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data NON-COMPACT homomorphic encryption [CCKM00, SYY99, IP07,MGH08,GHV10b,…]

5 Fully Homomorphic Encryption First Defined: Privacy homomorphism [RAD78] – using just integer addition and multiplication – their motivation: searching encrypted data Is there an elementary Construction of FHE? Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory / ideal lattices – easier to understand, implement and improve No ideal lattices

6 OUR RESULT Theorem [DGHV10]: We have a fully homomorphic public-key encryption scheme – which uses only add and mult over the integers, – which is secure based on the approximate GCD problem & the sparse subset sum problem.

7 Construction

8 A Roadmap 1. Secret-key Somewhat Homomorphic Encryption (under the approximate GCD assumption) 2. Public-key Somewhat Homomorphic Encryption (under the approximate GCD assumption) 3. Public-key FULLY Homomorphic Encryption (under approx GCD + sparse subset sum) (a simple transformation) (borrows from Gentrys techniques)

9 Secret-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Encrypt a bit b: – pick a random large multiple of p, say q·p – pick a random small even number 2·r – Ciphertext c = q·p+2·r+b To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) noise (sec. param = n)

10 Secret-key Homomorphic Encryption How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2

11 Two Issues Ciphertext grows with each operation Noise grows with each operation Useless for many applications (cloud computing, searching encrypted e-mail) – Consider c = qp+2r+b Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r 2r+b r

12 Two Issues Ciphertext grows with each operation Useless for many applications (cloud computing, searching encrypted e-mail) After some operations, the ciphertext becomes undecryptable Noise grows with each operation

13 Solving the Two Issues Ciphertext grows with each operation – Publish x 0 = q 0 p (*) – Take ciphertext (mod x 0 ) after each op (Add/Mult) (*) More complex way using x 0 = a near-multiple of p

14 Solving the Two Issues Ciphertext grows with each operation – Publish x 0 = q 0 p – Take ciphertext (mod x 0 ) after each op (Add/Mult) Ciphertext stays less than x 0 always The encrypted bit remains same Noise does not increase at all

15 Solving the Two Issues Ciphertext grows with each operation Can perform limited number of hom. operations (Somewhat Homomorphic Encryption) – Somewhat Fully: (A variant of) Squashing + Bootstrapping [G09] Noise grows with each operation – Publish x 0 = q 0 p – Take ciphertext (mod x 0 ) after each op (Add/Mult) *

16 Security (of the secret-key somewhat homomorphic scheme)

17 The Approximate GCD Assumption q0pq0p p? p q 0 [0…Q] odd p [0…P] (q 0 p,q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R q [0…Q] r [-R…R] q 1 p+r 1 (name coined by Howgrave-Graham)

18 p? p Assumption: no PPT adversary can guess the number p Semantic Security : no PPT adversary can guess the bit b (q 0 p,q 1 p+2r 1 +b,…,q k p+2r k +b) = (proof of security) (q 0 p,q 1 p+r 1,…, q t p+r t )

19 A Taste of the Security Proof Encryption breaker Adv A lsb(q) q 0 p,{q i p+r i } p c=qp+r Claim: On every c=qp+r, A predicts lsb(q) correctly w.p. 1-1/poly Proof: Lots of details ( Worst-case to average case over c, computing lsb(q) = computing lsb(r), a hybrid argument.) Approx GCD solver Adv B q p c=qp+r q 0 p,{q i p+r i }

20 A Taste of the Security Proof Main Idea: Use lsb(q) to make q successively smaller – If lsb(q) = 0, c [c/2] ( new-c = q/2*p+[r/2] ) – If lsb(q) = 1, c [(c-p)/2] ( new-c = (q-1)/2*p+[r/2] ) Adv A lsb(q) q 0 p,{q i p+r i } p c=qp+r Adv B q p c=qp+r q 0 p,{q i p+r i } First Try:

21 A Taste of the Security Proof Main Idea: Use lsb(q) to make q successively smaller – If lsb(q) = 0, c [c/2] ( new-c = q/2*p+[r/2] ) – If lsb(q) = 1, c [(c-p)/2] ( new-c = (q-1)/2*p+[r/2] ) Lemma: Given two near-multiples z 1 =q 1 p+r 1 and z 2 =q 2 p+r 2 (+lsb oracle), can compute z=gcd(q 1,q 2 ) · p+r for small r W.h.p. gcd(q 1,q 2 )=1 – If lsb(q) = 1, c [(c-z)/2] ( new-c = (q-1)/2*p+[(r-r)/2] ) – Learn q bit by bit

22 A Taste of the Security Proof Main Idea: Use lsb(q) to make q successively smaller Lemma: Given two near-multiples z 1 =q 1 p+r 1 and z 2 =q 2 p+r 2 (+lsb oracle), can compute z=gcd(q 1,q 2 ) · p+r for small r Observation: the Binary GCD algo. is noise-tolerant, given lsb oracle. (similar to the RSA hardcore bit proof of [ACGS88])

23 – Lagarias algorithm Studied by [HG01]; also [Lag82,Cop97,NS01] (equivalent to simultaneous Diophantine approximation) Lattice-based Attacks – Coppersmiths algo. for finding small polynomial roots – Nguyen/Stern and Regevs orthogonal lattice method All run out of steam when log Q > (log P) 2 (our setting of parameters: log Q = n 5, log P = n 2 ) How Hard is Approximate GCD?

24 Future Directions Efficient fully homomorphic encryption (Currently: n 5 size ciphertexts; n 10 running-time blowup) Security of the approx GCD assumption (e.g., a worst-case to average-case reduction to regular – non-ideal – lattice problems?) Some recent improvements [SV10,SS10]

25 Questions?

26 Delegate computation on data without giving away access to it The Goal

27 Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) = t+1 random encryptions of 0 Δ

28 c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ

29 Parameter Regimes R log Q/(log P) 2 (very rough diagram) min=0max=P

30 Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 – W.l.o.g., x 0 = q 0 p+2r 0 is the largest Δ

31 c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (small even noise) + b

32 c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult

33 A Roadmap Secret-key Somewhat Homomorphic Encryption Public-key Somewhat Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption

34 How Somewhat Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if: f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x t-d+1 ·x t-d+2 ·x t Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or

35 Somewhat HEBootstrappable From Somewhat to Fully FHE = Can eval all fns. Theorem [Gentry09]: Convert bootstrappable FHE. Augmented Decryption ckt. Dec NAND c1c1 sk c2c2

36 Is our Scheme Bootstrappable? What functions can the scheme EVAL? Complexity of the (aug.) Decryption Circuit (?) Can be made bootstrappable – Similar to Gentry09 Caveat: Assume Hardness of Sparse Subset Sum (polynomials of degree < n) (degree ~ n 1.73 polynomial)


Download ppt "FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J Watson) Shai Halevi (IBM T J Watson) Vinod Vaikuntanathan."

Similar presentations


Ads by Google