FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in.


1 FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in

2 Outsourcing Computation: Weak Client (input x) and Powerful Server (“Cloud”) holding Function f. Client sends x, Server returns f(x).

3 Outsourcing Computation: It’s everywhere! Example: x = search query, Function f = Google search, f(x) = search results.

4 Outsourcing Computation: It’s everywhere! Example: x = medical records, Function f = analysis, f(x) = risk factors.

5 Outsourcing Computation (Client holds x, Cloud holds Function f). Two Problems: – Privacy: Cloud should not learn anything about x. – Verifiability: Cloud cannot cheat (i.e., return incorrect answer without being detected).

6 Outsourcing Computation – Privately. Client sends Enc(x); the server holding Function f knows nothing of x. Eval: f, Enc(x) → Enc(f(x)) (homomorphic evaluation).

7 Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]. Client sends Enc(x); the server holding Function f knows nothing of x. Eval: f, Enc(x) → Enc(f(x)) (homomorphic evaluation).

8 Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78] (more generally). Client sends $\mathrm{Enc}(x_1),\dots,\mathrm{Enc}(x_n)$; the server holding Function f knows nothing of x. Eval: $f, \mathrm{Enc}(x_1),\dots,\mathrm{Enc}(x_n) \to \mathrm{Enc}(f(x_1,\dots,x_n))$ (homomorphic evaluation).

9 Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]. Client (input x; keys sk, pk, evk) sends evk, $c = \mathrm{Enc}_{sk}(x)$; the server holding Function f knows nothing of x and returns $y = \mathrm{Eval}_{evk}(f, c)$. Correctness: $\mathrm{Dec}_{sk}(y) = f(x)$. Privacy (semantic security [GM82]): $(evk, \mathrm{Enc}(x)) \approx (evk, \mathrm{Enc}(0))$. Compactness: $|y| = \mathrm{poly}(|f(x)|, n)$. Most of this talk: secret key homomorphic schemes (sk, evk).

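10 FHE 101: Add & Mult Are Universal. Arith. Circuit $(+, \times)$ over GF(2). Example: $f(x_1,x_2,x_3) = (x_1+x_2)\cdot x_3$, evaluated gate by gate: $\mathrm{Enc}(x_1), \mathrm{Enc}(x_2) \to \mathrm{Enc}(x_1+x_2)$, then with $\mathrm{Enc}(x_3) \to \mathrm{Enc}((x_1+x_2)\cdot x_3)$. If we had: $\mathrm{Eval}(+, \mathrm{Enc}(x_1), \mathrm{Enc}(x_2)) \to \mathrm{Enc}(x_1+x_2)$ and $\mathrm{Eval}(\times, \mathrm{Enc}(x_1), \mathrm{Enc}(x_2)) \to \mathrm{Enc}(x_1\cdot x_2)$, then we are done. $(+, \times)$ over GF(2) ≡ Boolean (XOR, AND) = Universal set.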

11 Early History ( ) – Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]. Goldwasser-Micali’82: Public key: N, y: non-square mod N. Secret key: factorization of N. Enc(0): $r^2 \bmod N$, Enc(1): $y \cdot r^2 \bmod N$. (Additively) homomorphic over $\mathbb{Z}_2$.

12 Early History ( ) – Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…] – Multiplicatively Homomorphic [ElG’85,…] – Add + One Mult [BGN’05,GHV’09]

13 Early History ( ) – Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…] – Multiplicatively Homomorphic [ElG’85,…] – Add + One Mult [BGN’05,GHV’09] – A Negative Result [Boneh-Lipton’97,DHI’03]: Any deterministic FHE can be broken in sub-exponential (or, quantum poly) time.

14 Gentry (2009) FIRST Fully Homomorphic Encryption!

15 New Developments in FHE ►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12] – asymptotic efficiency: nearly linear-time* algorithms – practical efficiency: 3-4 orders of magnitude faster compared to [Gen09, GH10] *linear-time in the security parameter

16 New Developments in FHE ►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12] ► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12] – e.g., worst-case hardness of shortest vectors on lattices

17 New Developments in FHE ►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12] ► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12] Best Known Theorem [BGV11]: (Leveled) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices *leveled = public key grows with the depth of the circuit for f

18 New Developments in FHE ► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11] Best Known Theorem [BGV11]: (Leveled) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices *leveled = public key grows with the depth of the circuit for f “circular security” → Fully Homomorphic Encryption

19 New Developments in FHE ►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12] ► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12] ► Complex → Simple constructions/proofs [BV11b, BGV11, LTV12, B12]

20 PLAN for TODAY. PART 1: – a complete construction of an FHE scheme – Auxiliary Theorems: Secret key to Public key – Applications: PIR, MPC. PART 2: – Open Problems

21 This talk is based on: 1. Zvika Brakerski, V.V., Efficient Fully Homomorphic Encryption from Standard Learning with Errors, FOCS. 2. Zvika Brakerski, Craig Gentry, V.V., (Leveled) Fully Homomorphic Encryption without Bootstrapping, ITCS. 3. Craig Gentry, Stanford Ph.D. Thesis.

22 How to Construct an FHE Scheme

23 The Big Picture. IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]: EVAL can evaluate Boolean circuits C of depth $d = \varepsilon \log n$* (*$0 < \varepsilon < 1$ is a constant, and n is the security parameter).

24 The Big Picture. IDEA 2: “Bootstrapping” Theorem [Gen09] (Qualitative): “Homomorphic enough” Encryption ⇒* FHE. Homomorphic enough = Can evaluate its own Dec Circuit (plus some). Decryption Circuit Dec: inputs CT, sk; output msg. [Figure: Dec inside the circuits C that EVAL can handle.]

25 The Big Picture. IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]: Evaluate Boolean circuits of depth $d = \varepsilon \log n$. IDEA 2: “Bootstrapping” Theorem [Gen09] (Qualitative): “Homomorphic enough” Encryption ⇒* FHE. SwHE = Homomorphic Enough? NO, for all known constructions!

26 The Big Picture. Problem: [figure: Decryption Circuit Dec versus the circuits C that EVAL can handle]. Solution a. “Squash” the decryption circuit [Gen09] – Relies on a new assumption: “sparse subset sum”. Solution b. Make EVAL larger [BV11b, simplified by BGV12] – Fairly General, Needs no new assumptions – Exponential improvement: Can eval $n^{\varepsilon}$ depth circuits. Solution c. Use Special Properties of Dec. Circuit [GH11] – Less general.

27 The Big Picture. IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]: Evaluate Boolean circuits of depth $d = \varepsilon \log n$. IDEA 2: “Bootstrapping” Theorem [Gen09] (Qualitative): “Homomorphic enough” Encryption ⇒ FHE. IDEA 3: “Modulus Reduction” [BV11b, simplified by BGV12]: Evaluate Boolean circuits of depth $d = n^{\varepsilon}$.

28 IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth $d = \varepsilon \log n$). IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth $d = n^{\varepsilon}$). d-Leveled FHE: Given any d, set $n = d^{1/\varepsilon}$. IDEA 2: “Bootstrapping” (FHE: Evaluate any poly(n)-size Boolean circuit).

29 Many Instantiations. All based on Integer Lattices (Ajtai’96): Ideal Lattices → Surprisingly, Arbitrary Lattices [BV’11b]. – Gentry’09 (based on Goldreich-Goldwasser-Halevi’98) – DGHV’10 (based on Ajtai-Dwork’97, Regev’04) – BV’11a (based on Lyubashevsky-Peikert-Regev’10) – LTV’11 (based on NTRU: Hoffstein-Pipher-Silverman’96) – Lattices (like vector spaces) have no native mult. BUT: you don’t need to know what lattices are for this talk!

30 Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]

31 Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]. $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$, $O_s$: $(a_1, b_1 = \langle a_1, s\rangle + e_1), (a_2, b_2 = \langle a_2, s\rangle + e_2), \dots, (a_m, b_m = \langle a_m, s\rangle + e_m)$ ≈ $O_{rand}$: $(a_1, u_1), (a_2, u_2), \dots, (a_m, u_m)$. Here $a_i$ is uniformly random in $\mathbb{Z}_q^n$, $b_i$ is a “noisy” random linear equation with “small” error $|e_1| < B$, and $u_i$ is random in $\mathbb{Z}_q$.

32 Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]. $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$, and any m = poly(n), $O_s$: $\{(a_i, b_i = \langle a_i, s\rangle + e_i)\}_{i=1}^{m}$ ≈ $O_{rand}$: $\{(a_i, u_i)\}_{i=1}^{m}$. Worst-Case Connection ([R05, P09]): Qualitative: Solve LWE (on average) ⇒ Short-vector approximation on lattices (in the worst-case). Quantitative: Solve $\mathrm{LWE}_{n,q,B}$ ⇒ O(nq/B)-approx shortest vector on lattices.

33 Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]. $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$, and any m = poly(n), $O_s$: $\{(a_i, b_i = \langle a_i, s\rangle + e_i)\}_{i=1}^{m}$ ≈ $O_{rand}$: $\{(a_i, u_i)\}_{i=1}^{m}$. Worst-Case Connection ([R05, P09]): Solve $\mathrm{LWE}_{n,q,B}$ ⇒ O(nq/B)-approx shortest vector. 1. SCALE INVARIANCE: hardness depends only on ratio between q and B. 2. OUR PARAMETERS: We will set $q = n^{O(\log n)}$ and B = poly(n). Best known algorithm for LWE with these parameters runs in $2^{\tilde{O}(n)}$ time.

34 Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]. $\mathrm{LWE}_{n,q,B}$: For random secret $s \in \mathbb{Z}_q^n$, and any m = poly(n), $O_s$: $\{(a_i, b_i = \langle a_i, s\rangle + e_i)\}_{i=1}^{m}$ ≈ $O_{rand}$: $\{(a_i, u_i)\}_{i=1}^{m}$. Facts: – LWE (with short secret s) = LWE [ACPS09,GKPV10]. – LWE with short even error (2e) = LWE with short error e.

35 Secret-key Encryption from LWE (omitting public-key encryption). KeyGen: – Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t. Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s\rangle) \pmod 2$. – Correctness: $b - \langle a, s\rangle = b - \sum a[i]\cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$) ⇒ decryption succeeds if e < q/4.

36 Secret-key Encryption from LWE (omitting public-key encryption). KeyGen: – Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t. Bit Encryption $\mathrm{Enc}_{sk}(m)$: – Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$. – The ciphertext $CT = (a, b = \langle a, t\rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. Semantic Security from LWE. Decryption: $\mathrm{Dec}_s(a,b) = (b - \langle a, s\rangle) \pmod 2$. – Correctness: $b - \langle a, s\rangle = b - \sum a[i]\cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$) ⇒ decryption succeeds if e < q/4.

37 Secret-key Encryption from LWE (omitting public-key encryption). KeyGen: – Sample random “short” vector $t \in \mathbb{Z}_q^n$ and set sk = t. Bit Encryption $\mathrm{Enc}_{sk}(m)$: – Sample uniformly random $a \in \mathbb{Z}_q^n$, “short” noise $e \in \mathbb{Z}_q$. – The ciphertext $CT = (a, b = \langle a, t\rangle + 2e + m) \in \mathbb{Z}_q^n \times \mathbb{Z}_q$. Decryption $\mathrm{Dec}_{sk}(CT)$: Output $(b - \langle a, t\rangle \bmod q) \bmod 2$. – Correctness: $b - \langle a, t\rangle \bmod q = 2e + m \bmod q = 2e + m$ (as long as $|2e+m| < q/2$). Earlier form: $\mathrm{Dec}_s(a,b) = (b - \langle a, s\rangle) \pmod 2$; $b - \langle a, s\rangle = b - \sum a[i]\cdot s[i] = m + 2e$ (over $\mathbb{Z}_q$) ⇒ decryption succeeds if e < q/4.

38 Additive Homomorphism. Look at Ciphertexts through the Decryption Lens. CT = (a, b): $b - \langle a, t\rangle = 2e + m$. CT’ = (a’, b’): $b' - \langle a', t\rangle = 2e' + m'$.

39 Additive Homomorphism. CT = (a, b): $b - \langle a, t\rangle = 2e + m$. CT’ = (a’, b’): $b' - \langle a', t\rangle = 2e' + m'$. Let c = (a, b) and s = (-t, 1): $\langle c, s\rangle = 2e + m$. Let c’ = (a’, b’) and s = (-t, 1): $\langle c', s\rangle = 2e' + m'$.

40 Additive Homomorphism. CT = c: $\langle c, s\rangle = 2e + m$. CT’ = c’: $\langle c', s\rangle = 2e' + m'$. Claim: $c_{add} = c + c'$. Proof: $\langle c, s\rangle = 2e + m$ and $\langle c', s\rangle = 2e' + m'$ ⇒ $\langle c + c', s\rangle = 2(e+e') + (m+m') = 2E + (m+m')$ with $E = e + e'$ ⇒ $\mathrm{Dec}_s(c_{add}) = 2E + (m+m') \pmod 2 = (m+m') \pmod 2$.

41 Multiplicative Homomorphism. CT = c: $\langle c, s\rangle = 2e + m$. CT’ = c’: $\langle c', s\rangle = 2e' + m'$. Claim: $c_{mult} = ?$ We have $\langle c, s\rangle \cdot \langle c', s\rangle = (2e+m)\cdot(2e'+m')$.

42 Multiplicative Homomorphism. CT = c: $\langle c, s\rangle = 2e + m$. CT’ = c’: $\langle c', s\rangle = 2e' + m'$. Claim: $c_{mult} = ?$ We have $\langle c, s\rangle \cdot \langle c', s\rangle = mm' + 2(em' + e'm + 2ee') = mm' + 2E$, where $E = em' + e'm + 2ee'$. Quadratic equation in the variables s[i].

43 Multiplicative Homomorphism. CT = c: $\langle c, s\rangle = 2e + m$. CT’ = c’: $\langle c', s\rangle = 2e' + m'$. Claim: $c_{mult} = ?$ Tensor Product: $c \otimes c' = (c[1]\cdot c'[1], \dots, c[i]\cdot c'[j], \dots, c[n+1]\cdot c'[n+1])$. c, c’ live in (n+1) dim → $c \otimes c'$ lives in $(n+1)^2$-dim. KEY FACT: $\langle c, s\rangle \cdot \langle c', s\rangle = \langle c \otimes c', s \otimes s\rangle$. Hence $\langle c \otimes c', s \otimes s\rangle = mm' + 2(em' + e'm + 2ee') = mm' + 2E$.

44 Multiplicative Homomorphism. CT = c: $\langle c, s\rangle = 2e + m$. CT’ = c’: $\langle c', s\rangle = 2e' + m'$. Claim: $c_{mult} = c \otimes c'$. Proof: $\langle c \otimes c', s \otimes s\rangle = mm' + 2(em' + e'm + 2ee') = mm' + 2E$ ⇒ $\mathrm{Dec}(s \otimes s, c_{mult}) = 2E + mm' \pmod 2 = mm' \pmod 2$. Problem: Ciphertext size blows up! ($\mathbb{Z}_q^{n+1} \to \mathbb{Z}_q^{(n+1)^2}$)

45 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s (or, of a new secret s’) that represent these quadratic functions.

46 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j.\ \mathrm{Enc}_{t'}(s[i]\,s[j])$.

47 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: sample $A_{i,j}, E_{i,j}$; $\forall i,j.\ (A_{i,j},\ B_{i,j} = \langle A_{i,j}, t'\rangle + 2E_{i,j} + s[i]\,s[j])$. LWE ⇒ Security still holds.

48 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: sample $A_{i,j}, E_{i,j}$; $\forall i,j.\ B_{i,j} - \langle A_{i,j}, t'\rangle = 2E_{i,j} + s[i]\,s[j]$.

49 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j.\ \langle C_{i,j}, s'\rangle \approx s[i]\,s[j]$ (denoting s’ = (-t’, 1) and $C_{i,j} = (A_{i,j}, B_{i,j})$ as before).

50 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j.\ \langle C_{i,j}, s'\rangle \approx s[i]\,s[j]$ (left side: linear fn in s’; right side: quadratic fn in s). Plug back into quadratic equation: $\langle \sum c_{mult}[i,j] \cdot C_{i,j},\ s'\rangle \approx mm' + 2\cdot\mathrm{Error}$. Linear in s’. Cheating Alert.

51 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. Plug back into quadratic equation: $\langle \sum c_{mult}[i,j] \cdot C_{i,j},\ s'\rangle \approx mm' + 2\cdot\mathrm{Error}$. Linear in s’. Homomorphic Mult: 1. First compute $c_{mult} = c \otimes c'$. 2. Compute and output $\sum c_{mult}[i,j] \cdot C_{i,j}$ (where $C_{i,j}$ are from the evaluation key).

52 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. $\forall i,j.\ \langle C_{i,j}, s'\rangle \approx s[i]\,s[j]$ (linear fn in s’ vs. quadratic fn in s). Cheating Alert: $c_{mult} \cdot \langle C_{i,j}, s'\rangle \approx c_{mult} \cdot s[i]\,s[j]$. PROBLEM: $c_{mult}$ has large entries. BUT SOLUTION: Binary Decomposition Trick.

53 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j$, k in [0 … log q]: $\mathrm{Enc}_{t'}(2^k\, s[i]\,s[j])$.

54 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: sample $A_{i,j,k}, E_{i,j,k}$; $\forall i,j.\ (A_{i,j,k},\ B_{i,j,k} = \langle A_{i,j,k}, t'\rangle + 2E_{i,j,k} + 2^k\, s[i]\,s[j])$.

55 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j.\ \langle C_{i,j,k}, s'\rangle \approx 2^k\, s[i]\,s[j]$ (denoting s’ = (-t’, 1) and $C_{i,j} = (A_{i,j}, B_{i,j})$ as before).

56 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j.\ \langle C_{i,j,k}, s'\rangle \approx 2^k\, s[i]\,s[j]$ (left side: linear fn in s’; right side: quadratic fn in s). Plug back into quadratic equation: Let $c_{mult}[i,j,k]$ be the k-th bit of $c_{mult}[i,j]$. Then $\langle \sum c_{mult}[i,j,k] \cdot C_{i,j,k},\ s'\rangle \approx mm' + 2\cdot\mathrm{Error}$. Linear in s’. Un-Cheating Alert.

57 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. New Technique [BV’11b]: Relinearization. Find linear functions of s’ that represent these quadratic functions. New KeyGen: Sample $t, t' \in \mathbb{Z}_q^n$ and set sk = (t, t’). Evaluation key evk: $\forall i,j.\ \langle C_{i,j,k}, s'\rangle \approx 2^k\, s[i]\,s[j]$ (left side: linear fn in s’; right side: quadratic fn in s). Plug back into quadratic equation: Let $c_{mult}[i,j,k]$ be the k-th bit of $c_{mult}[i,j]$. Then $\langle \sum c_{mult}[i,j,k] \cdot C_{i,j,k},\ s'\rangle = mm' + 2\cdot\mathrm{Error} + 2\cdot\mathrm{Error}_{relin}$, with $\mathrm{Error}_{relin} = O(n^2 \cdot \log q \cdot B)$. Un-Cheating Alert.

58 Multiplicative Homomorphism. $\langle c_{mult}, s \otimes s\rangle = 2E + mm'$. Plug back into quadratic equation: $\langle \sum c_{mult}[i,j,k] \cdot C_{i,j,k},\ s'\rangle \approx mm' + 2\cdot\mathrm{Error}$. Linear in s’. Homomorphic Mult: 1. First compute $c_{mult} = c \otimes c'$. 2. Compute and output $\sum c_{mult}[i,j,k] \cdot C_{i,j,k}$ (where $C_{i,j,k}$ are from the evaluation key).
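
Slides 35–44 (secret-key LWE encryption, additive and tensor-product homomorphism) and slides 45–58 (relinearization with the binary decomposition trick) as one runnable toy, added here as an illustration and not code from the talk. The sizes `N`, `Q`, `B` and all function names are assumptions chosen so the noise stays far below Q/2; they give no security.

```python
import random

N, Q, B = 8, (1 << 20) + 7, 1   # constructed toy sizes; far too small to be secure
L = Q.bit_length()               # bit positions k = 0..L-1 of an entry mod Q

def inner(u, v):
    return sum(x * y for x, y in zip(u, v))

def centered(x):
    """Representative of x mod Q in (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def keygen(rng):
    """sk = t, a "short" vector with entries in [-B, B]."""
    return [rng.randint(-B, B) for _ in range(N)]

def full_key(t):
    """s = (-t, 1), so that <c, s> = b - <a, t>."""
    return [-x for x in t] + [1]

def enc(t, m, rng):
    """c = (a, b = <a,t> + 2e + m). m is a bit, or 2^k*s[i]*s[j] inside evk."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-B, B)
    return a + [(inner(a, t) + 2 * e + m) % Q]

def noise(t, c):
    """<c, s> mod Q, centered. Equals 2e + m as long as |2e + m| < Q/2."""
    return centered(inner(c, full_key(t)))

def dec(t, c):
    return noise(t, c) % 2

def add(c1, c2):
    """Additive homomorphism: c_add = c + c'."""
    return [(x + y) % Q for x, y in zip(c1, c2)]

def gen_evk(t, t2, rng):
    """evk[i][j][k] = Enc_{t'}(2^k * s[i] * s[j]) for all i, j, k."""
    s = full_key(t)
    return [[[enc(t2, (1 << k) * s[i] * s[j], rng) for k in range(L)]
             for j in range(N + 1)] for i in range(N + 1)]

def mult(evk, c1, c2):
    """Tensor, then relinearize: sum over i,j,k of bit_k(c_mult[i,j]) * C_ijk."""
    out = [0] * (N + 1)
    for i in range(N + 1):
        for j in range(N + 1):
            entry = (c1[i] * c2[j]) % Q        # c_mult[i,j], kept in [0, Q)
            for k in range(L):
                if (entry >> k) & 1:
                    out = add(out, evk[i][j][k])
    return out                                  # N+1 entries, decrypts under t'

def demo(seed=1):
    """Rows (m, m', Dec(add), Dec(mult), noise after mult) for all bit pairs."""
    rng = random.Random(seed)   # not a CSPRNG; used only for a reproducible demo
    t, t2 = keygen(rng), keygen(rng)
    evk = gen_evk(t, t2, rng)
    rows = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = enc(t, m1, rng), enc(t, m2, rng)
            cm = mult(evk, c1, c2)
            rows.append((m1, m2, dec(t, add(c1, c2)), dec(t2, cm), noise(t2, cm)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last column is the centered value of ⟨c, s’⟩ after one multiplication: the product noise plus twice the relinearization error, which is bounded by the number of evaluation-key ciphertexts summed.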

59 The Reservoir Analogy (How homomorphic is this?) [Figure: reservoir from noise=0 up to noise=q/2; initial noise = ξ.] Additive Homomorphism: ξ → 2ξ. Mult. Homomorphism: ξ → ξ² + n² B log q ~ ξ². AFTER d LEVELS: noise B → (worst case). Correctness; Breaking = Solving $2^{n^{\varepsilon}}$-approx. shortest vectors [Reg05,LPR10].

60 The Reservoir Analogy (How homomorphic is this?) [Figure: reservoir from noise=0 up to noise=q/2; initial noise = ξ.] Additive Homomorphism: ξ → 2ξ. Mult. Homomorphism: ξ → ξ² + n² B log q ~ ξ². AFTER d LEVELS: noise B → (worst case).

61 Wrap Up: Somewhat Homomorphism. IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [BV11b]: Evaluate Boolean circuits of mult. depth D = ε log n. $SK = (sk_1,\dots,sk_D)$; $EVK = (evk_1,\dots,evk_D)$, where D is the max mult depth. Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$. Each Mult Level: Tensor and Relinearize. After circuit C of mult depth D: $\mathrm{Enc}(sk_D, C(x))$. Decrypt using $sk_D$.

62 Wrap Up: Somewhat Homomorphism “Somewhat Homomorphic” (SwHE) Encryption IDEA 1 – a number of other SwHE schemes: [DGHV10,SV10,BV11a,LTV12] [BV11b] Evaluate Boolean circuits of mult. depth D = ε log n – [DGHV10]: based on hardness of approximate gcd – [SV10]: principal ideal problem – [BV11a]: Ring LWE – [LTV12]: NTRU

63 IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth $d = \varepsilon \log n$). IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth $d = n^{\varepsilon}$). d-Leveled FHE: Given any d, set $n = d^{1/\varepsilon}$. IDEA 2: “Bootstrapping” (“homomorphic enough” to fully homomorphic).

64 Bootstrapping. Bootstrapping Theorem [Gen09] (Quantitative): d-HE with decryption depth < d ⇒* FHE. (d-HE = Homomorphic Encryption for any depth d circuit.)

65 Bootstrapping. “Homomorphic enough” Encryption ⇒ FHE. Bootstrapping Theorem [Gen09] (Quantitative): d-HE with decryption depth < d ⇒* FHE. Bootstrapping = “Valve” at a fixed height (that depends on decryption depth). [Figure: reservoir with noise=0, noise=$B_{dec}$, noise=q/2.] Say $n (B_{dec})^2 < q/2$.

66 Bootstrapping. “Homomorphic enough” Encryption ⇒ FHE. Bootstrapping Theorem [Gen09] (Quantitative): d-HE with decryption depth < d ⇒* FHE. Bootstrapping = “Valve” at a fixed height (that depends on decryption depth). [Figure: reservoir with noise=0, noise=$B_{dec}$, noise=q/2.] Say $(B_{dec})^2 < q/2$.

67 Bootstrapping: How. “Best Possible” Noise Reduction = Decryption! Decryption Circuit Dec: inputs CT (“very noisy” ciphertext) and SK; output m (“noiseless ciphertext”). But the evaluator does not have SK!

68 Bootstrapping, Concretely. Next Best = Homomorphic Decryption! Evaluate Dec homomorphically on CT and $\mathrm{Enc}_{SK}(SK)$ to obtain $\mathrm{Enc}_{SK}(m)$. Assume Enc(SK) is public (OK assuming the scheme is “circular secure”)*. Input: Noise = $B_{input}$. Output: Noise = $B_{dec}$. $B_{dec}$ is independent of $B_{input}$.

69 Wrap Up: Bootstrapping. Function f (built from gates g). Assume Circular Security: Eval key contains $\mathrm{Enc}_{SK}(SK)$.

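70 Wrap Up: Bootstrapping. Function f (built from gates g). Assume Circular Security: Eval key contains $\mathrm{Enc}_{SK}(SK)$. Each Gate g → Gadget G. [Figure: gate g with inputs a, b and output g(a,b); gadget G runs Dec on ($c_a$, sk) and on ($c_b$, sk), then applies g to a, b to give g(a,b).]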

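71 Wrap Up: Bootstrapping. Function f (built from gates g). Assume Circular Security: Eval key contains $\mathrm{Enc}_{SK}(SK)$. Each Gate g → Gadget G. [Figure: gate g with inputs a, b and output g(a,b); gadget G evaluated homomorphically on $c_a$, $c_b$ and Enc(SK), giving Enc(g(a,b)).]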

72 Wrap Up: Bootstrapping. Bootstrapping Theorem [Gen09] (Quantitative): d-HE with decryption depth < d ⇒ (leveled) FHE – publish $\mathrm{Enc}_{PK_2}(SK_1), \mathrm{Enc}_{PK_3}(SK_2), \dots, \mathrm{Enc}_{PK_d}(SK_{d-1})$. Circular-secure d-HE with dec. depth < d ⇒ FHE – publish $\mathrm{Enc}_{PK}(SK)$.

73 SwHE = Homomorphic Enough? Decryption Circuit: Compute lsb( mod q) = inner products mod q mod 2. Homomorphisms: Our scheme is homomorphic over GF(2). Write inner product mod q as a GF(2)-arithmetic circuit? Can be done in depth polylog(n). Seems to need (multiplicative) depth ≥ log n. Can handle multiplicative depth = ε log n < log n.

74 IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth $d = \varepsilon \log n$). IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth $d = n^{\varepsilon}$). IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE).

75 Modulus Reduction. “Homomorphic enough” Encryption ⇒ FHE. Modulus Reduction Theorem [BV11b,BGV12]: SwHE that evaluates Boolean circuits of depth $d = n^{\varepsilon}$ (under the same assumption as before). Corollary: For every depth d, set the security parameter $n = d^{1/\varepsilon}$ to get a d-leveled FHE. Corollary: modulus reduction + bootstrapping = FHE (assuming circular security).

76 Modulus Reduction. “Homomorphic enough” Encryption ⇒ FHE. Modulus Reduction Theorem [BV11b,BGV12]: SwHE that evaluates Boolean circuits of depth $d = n^{\varepsilon}$. Wishful thinking: CT with $q = B^{10}$, noise $= B^{8}$ → CT’ with $q' = B^{3}$, noise’ $= B$. Shrink Noise and Noise Ceiling by same factor. [Figure labels: NO MULT, ONE MULT.] noise’ $= B + p(n)$.

77 Modulus Reduction. Wishful thinking: $q = B^{10}$, noise $= B^{8}$ → $q' = B^{3}$, noise’ $= B + p(n)$. Can we do this? – Cannot arbitrarily reduce noise (because of the p(n) factor). – Hardness depends only on q/B.

78 Modulus Reduction. [Figure: reservoir from noise=0; initial noise = ξ, after a multiplication ξ², final noise = ξ; ceiling q → q/ξ.] LEVEL i → LEVEL i+1: Homomorphism: $(q, \xi) \to (q, \approx \xi^2)$. Modulus Reduction: $(q, \xi^2) \to (q/\xi, \xi)$. AFTER d LEVELS: $(q, B) \to (q/(nB \log q)^{O(d)}, B)$. $d \le \log q / \log(nB) \le n^{\varepsilon}/\log n$.

79 Modulus Reduction: Details. “Homomorphic enough” Encryption ⇒ FHE. Modulus Reduction Algorithm [BV11b,BGV12]: Transform a $(q, B^2)$ ciphertext into a $(q' \approx q/nB,\ B)$ one. Let c be a ciphertext s.t. $\langle c, s\rangle = 2e + m \pmod q$. Assume that the secret key s has entries bounded by B (ok by fact 2). Modulus Reduction Algorithm: Compute (q’/q) c. Round to the closest integer vector c’ such that c’ = c mod 2.

80 Modulus Reduction: Details. Let c be a ciphertext s.t. $\langle c, s\rangle = 2e + m \pmod q$. Modulus Reduction Algorithm: Compute (q’/q) c. Round to the closest integer vector c’ such that c’ = c mod 2. Proof: $\langle c, s\rangle = 2e + m + q\mathbb{Z}$ (original dec eqn). $\langle (q'/q)\, c, s\rangle = (q'/q)\cdot(2e + m) + q'\mathbb{Z}$ (scaled). $\langle c', s\rangle = (q'/q)\cdot(2e + m) + E_{round} \pmod{q'}$. New Error = q’/q · (Old Error) + ($E_{round} \le Bn$), as promised! c’ decrypts to m, since c’ = c mod 2, and $\langle c', s\rangle = \langle c, s\rangle \bmod 2$.
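
The modulus reduction step of slides 79–80 on a deliberately noisy ciphertext, as an added example that is not code from the talk. It assumes both moduli are odd, which the parity argument needs (with q ≡ q’ mod 2 the multiples of q and q’ cancel mod 2); the moduli, the noise range and all names are constructed for illustration.

```python
import random

Q, Q_NEW = (1 << 40) + 15, (1 << 32) + 15   # constructed odd moduli, q'/q ~ 2^-8

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def noise(c, s, q):
    """<c, s> mod q, centered. Equals 2e + m while that value is below q/2."""
    return centered(sum(x * y for x, y in zip(c, s)), q)

def encrypt_with_noise(t, m, e, q, rng):
    """Constructed helper: (a, <a,t> + 2e + m) with a caller-chosen error e."""
    a = [rng.randrange(q) for _ in t]
    return a + [(sum(x * y for x, y in zip(a, t)) + 2 * e + m) % q]

def mod_switch(c, q, q_new):
    """Scale c by q_new/q; round each entry to the closest integer of equal parity."""
    if q % 2 == 0 or q_new % 2 == 0:
        raise ValueError("both moduli must be odd for the parity argument")
    out = []
    for x in c:
        x %= q
        f = (q_new * x) // q     # floor of the exact rational q_new * x / q
        if (f - x) % 2:          # parity differs: f + 1 is the closest match
            f += 1
        # Rounding error per entry is at most 1. Reducing mod q_new afterwards
        # does not change <c', s> mod q_new.
        out.append(f % q_new)
    return out

def demo(seed=7):
    """Returns ([(m, noise before, noise after)], l1 norm of s)."""
    rng = random.Random(seed)    # not a CSPRNG; reproducible demo only
    t = [rng.randint(-1, 1) for _ in range(8)]   # short secret
    s = [-x for x in t] + [1]
    results = []
    for m in (0, 1):
        # Large error, standing in for the noise left after a multiplication.
        e = rng.randint(1 << 15, 1 << 16) * rng.choice((-1, 1))
        c = encrypt_with_noise(t, m, e, Q, rng)
        c2 = mod_switch(c, Q, Q_NEW)
        results.append((m, noise(c, s, Q), noise(c2, s, Q_NEW)))
    return results, sum(abs(x) for x in s)

if __name__ == "__main__":
    print(demo())
```

The new noise is at most (q’/q)·|old noise| plus the l1 norm of s, matching "New Error = q’/q · (Old Error) + E_round" on slide 80, and the message bit survives.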

81 Putting Together: Leveled FHE. $SK = (sk_1,\dots,sk_D)$; $EVK = (evk_1,\dots,evk_D)$, where D is the max mult depth. Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$. Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus. After circuit C of mult depth D: $\mathrm{Enc}(sk_D, C(x))$. Decrypt using $sk_D$. This works for depth $D \le n^{\varepsilon}$.

82 Putting Together: Leveled FHE. $SK = (sk_1,\dots,sk_D)$; $EVK = (evk_1,\dots,evk_D)$, where D is the max mult depth. Encrypt using $sk_1$: $\mathrm{Enc}(sk_1, x)$. Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus. After circuit C of mult depth D: $\mathrm{Enc}(sk_D, C(x))$. Decrypt using $sk_D$. Bootstrapping + Circular Security => FHE.

83 Putting Everything Together. IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth $d = \varepsilon \log n$). IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth $d = n^{\varepsilon}$) (this is “homomorphic enough”). IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE) (assuming “circular security”).

84 A Simpler Alternative: doing away with changing moduli [Brakerski’12]

85 Break

86 From Secret Key to Public Key [Ron Rothblum’11]. THEOREM: Given any C-homomorphic secret key encryption scheme, construct a C’-homomorphic public key scheme for a “slightly smaller” C’. [Figure: C’ Public key, C’ Secret key, C.]

87 From Secret Key to Public Key [Ron Rothblum’11]. THEOREM: Given any C-homomorphic secret key encryption scheme, construct a C’-homomorphic public key scheme for a “slightly smaller” C’. IDEA: Let the public key be a bunch of encryptions of random bits $c_i$: $PK = \{(c_i, \mathrm{Enc}_{SK}(c_i))\}$. To encrypt a bit b using the public key, pick a random subset sum of $c_i$’s that sum to b. Namely pick $r_i$ s.t. $\sum r_i c_i = b$. Output $\sum r_i\, \mathrm{Enc}_{SK}(c_i)$ as the ciphertext.

88 An Application: Optimal Private Information Retrieval

89 Single-Server PIR [CGKS95,KO97,CMS99]. Server: Database DB, $|DB| = N \le 2^n$. Client: Index $x \in [N]$, keys sk, pk; sends Enc(x). Server returns y = Eval(DB, Enc(x)). Communication complexity: cc = |Enc(x)| + |y|. FHE ⇒ PIR. Use our FHE naïvely: encrypt each bit of x separately: $cc = n\cdot\log(q)\cdot\log(N) \approx \tilde{O}(\log^2 N)$.

90 Single-Server PIR [CGKS95,KO97,CMS99]. Server: Database DB, $|DB| = N \le 2^n$. Client: Index $x \in [N]$, keys sk, pk, sym. Reducing comm. complexity: Enc(x) using different, more efficient, scheme. Hom. decrypt efficient ciphertext and use as before. Client sends Enc(sym), $\mathrm{Enc}_{sym}(x)$. Server: $\mathrm{Enc}_{sym}(x) + \mathrm{Enc}(sym) \to \mathrm{Enc}(x)$, then y = Eval(DB, Enc(x)); returns y. Using known efficient schemes: $cc = n \log q + O(\log N) = \tilde{O}(\log N)$.

91 Fully Homomorphic Encryption Open Problems

92 Circular Security. – Leveled FHE from “standard” assumptions: – e.g., the Learning with errors assumption – Evaluate bounded depth circuits – The size of CT and/or PK grows with the depth. – “Real” FHE: requires “bootstrapping”. Bootstrapping: Publish $\mathrm{Enc}_{SK}(SK)$. (OK assuming the scheme is “circular secure”)*

93 Circular Security. – “Real” FHE: requires “bootstrapping”. Bootstrapping: Publish the encryptions of bits of SK, namely $\mathrm{Enc}_{SK}(SK[1]),\dots,\mathrm{Enc}_{SK}(SK[n])$ (OK assuming the scheme is “circular secure”)*. Two definitions: − Strong circular security: there is a simulator that, given nothing, produces $\mathrm{Enc}_{SK}(SK)$. − Weak circular security: the encryption scheme is semantically secure given $\mathrm{Enc}_{SK}(SK)$. Bootstrapping: Publish $\mathrm{Enc}_{SK}(SK)$. (OK assuming the scheme is “weakly circular secure”)

94 Circular Security. – There are (even bit-wise) circular secure encryption schemes: – [BHHO’08]: based on DDH – [ACPS’09, BG’10, BHHI’10, …]. – There are semantically secure schemes that are NOT circular-secure. – Proof: Simple Exercise.

95 Circular Security. How about circular security for the FHE scheme? − NEED: “safe to publish” lweEnc(s[i]·s[j]) (encryptions of all quadratic monomials in the s[i]). − CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i]).

96 Circular Security. − CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i]). $(a,\ \langle a, s\rangle + 2e + s[i] \bmod q) = (a,\ \langle a, s\rangle + 2e + \langle u_i, s\rangle \bmod q)$, where $u_i$ is the i-th unit vector (0,…,1,…,0).

97 Circular Security. − CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i]). $(a,\ \langle a, s\rangle + 2e + s[i] \bmod q) = (a,\ \langle a + u_i, s\rangle + 2e \bmod q) \approx (a' - u_i,\ \langle a', s\rangle + 2e \bmod q)$. This can be generated efficiently from an encryption of 0.
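
The identity on slides 96–97 made concrete, as an added example that is not code from the talk: an ordinary encryption of 0 becomes an encryption of the key coordinate s[i] by subtracting the unit vector from its first component, with no access to s. Here s denotes the LWE secret as on these slides; the binary secret, the modulus and the function names are assumptions for the demo.

```python
import random

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x

def enc_zero(s, q, rng):
    """(a', b') with b' = <a', s> + 2e: an ordinary encryption of 0."""
    a = [rng.randrange(q) for _ in s]
    e = rng.randint(-1, 1)
    return a, (sum(x * y for x, y in zip(a, s)) + 2 * e) % q

def enc_key_coord(zero_ct, i, q):
    """(a' - u_i, b'): an encryption of s[i], computed without knowing s."""
    a, b = zero_ct
    a = list(a)
    a[i] = (a[i] - 1) % q
    return a, b

def phase(s, ct, q):
    """b - <a, s> mod q, centered; for the output above this is 2e + s[i]."""
    a, b = ct
    return centered(b - sum(x * y for x, y in zip(a, s)), q)

def demo(seed=3, n=8, q=(1 << 20) + 7):
    """Returns (s, [phase of the derived ciphertext for each coordinate i])."""
    rng = random.Random(seed)                    # reproducible, not a CSPRNG
    s = [rng.randint(0, 1) for _ in range(n)]    # constructed short binary secret
    phases = [phase(s, enc_key_coord(enc_zero(s, q, rng), i, q), q)
              for i in range(n)]
    return s, phases

if __name__ == "__main__":
    print(demo())
```

Since anyone holding an encryption of 0 can compute this, publishing lweEnc(s[i]) reveals nothing beyond encryptions of 0; no such transformation is shown on the slides for the quadratic monomials s[i]·s[j].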

98 Q: “Real” FHE from Standard Assumptions? 1) Prove the circular security for quadratic monomials, or 2) Come up with an alternative to bootstrapping.

99 Complexity Assumptions for FHE

100 Many FHE Instantiations But all of them are based on Integer Lattices (Ajtai’96) Q: FHE from other assumptions? (say, elliptic curves) Q: … or a black-box separation? (say, in a generic group model)

101 General Assumptions: PIR and FHE. FHE → PIR: – PIR: Special case of FHE where f = Database Access. PIR → FHE: – Think of the truth table of f as a “database” and do PIR. – Catch: “Eval” is inefficient (runs in time $2^n$). So: PIR → (inefficient) FHE.

102 General Assumptions: PIR and FHE. Q: Efficient Homomorphic Encryption from PIR? – Perhaps for restricted classes of computations? – [Ishai-Paskin’05]: Homomorphic Encryption for Branching Programs from any (optimal) PIR scheme.

103 Selective Homomorphisms

104 Selective Homomorphism Fully Homomorphic Encryption (can evaluate all functions) Non-Malleable Encryption [DDN’91] (cannot evaluate any function) WANT: selective homomorphism! (see recent work: BSW’12)

105 What we did not Cover… Efficient Constructions –Build on the ring LWE variant of today’s scheme –Gentry-Halevi-Smart series of works –a number of algebraic optimizations Verifiability –CS proofs [Kil92,Mic94] –A number of recent works in various settings [GKR08,GGP10,CKV10,AIK10,…] –The central problem remains open Circuit Privacy –[Gentry-Halevi-V’10]: “Circuit privacy for free” theorem

106 Conclusion FHE is not so complicated any more –Well-defined guidelines for construction –Under relatively standard security assumptions FHE is not so inefficient any more –Case in point: Ring LWE, NTRU… LOTS of questions still to be answered … – FHE without “Circular Security” – FHE from number theory, general assumptions… NEW directions: selective homomorphism, functional encryption,…

107 Thank You!

