# FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

## Presentation on theme: "FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S."— Presentation transcript:

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM)

= Modern Application: Computing on Encrypted Data Public-key Encryption ClientServer/Cloud (Input: x)(Program: P) Enc(P(x)) Enc(x)

= Modern Application: Computing on Encrypted Data Public-key Encryption ClientServer/Cloud (Input: x)(Program: P) Enc(P(x)) Enc(x) Fully Homomorphic Encryption (FHE) =

= Definition: (KeyGen, Enc, Dec) Fully Homomorphic Encryption (FHE) = (as in regular public-key encryption) Eval(c,F) = c’ – If c = Enc(x), then Dec(c’) = F(x) Definition: (KeyGen, Enc, Dec, Eval) AND XOR AND

= Fully Homomorphic Encryption (FHE) = Two Important Properties Definition: (KeyGen, Enc, Dec, Eval)  Compactness: Length of c’ is independent of the size of F  Circuit/Function Privacy: c’ does not reveal “any more information about F than the output F(x)” Theorem [GHV’10]: “Circuit privacy comes for free”. Any (compact) FHE → (Compact) circuit-private FHE FHE = Compact FHE

Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – their motivation: searching encrypted data

– BGN’05 & GHV’10: quadratic formulas Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N ► NON-COMPACT homomorphic encryption: – SYY’99 & MGH’08: c* grows exp. with degree/depth – IP’07 works for branching programs

Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ► Is there an elementary Construction of FHE? Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” – easier to understand, implement and improve

Our Result Theorem [DGHV’10]: There exists a fully homomorphic public-key encryption scheme – which uses only add and mult over the integers, – which is secure based on the approximate GCD problem & the sparse subset sum problem.

Construction

A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption 2. Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption (fairly generic transformation) (borrows from Gentry’s techniques)

Secret-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Encrypt a bit b: – pick a random “large” multiple of p, say q·p – pick a random “small” even number 2·r – Ciphertext c = q·p+2·r+b  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) “noise” (sec. param = n)

Secret-key Homomorphic Encryption  How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2

Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail) – Consider c = qp+2r+b ← Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r’ ≠ 2r+b r’ – lsb(r’) ≠ b

Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail)  Can perform “limited” number of hom. operations  What we have: “Somewhat Homomorphic” Encryption

Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 “near-multiples” of p, with even noise – W.l.o.g., x 0 = q 0 p+2r 0 is the largest Δ

c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (“small” even noise) + b

c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult

A Roadmap  Secret-key “Somewhat” Homomorphic Encryption  Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption

How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if: f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x t-d+1 ·x t-d+2 ·x t Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or

“Somewhat” HE“Bootstrappable” From “Somewhat” to “Fully” FHE = Can eval all fns. Theorem [Gentry’09]: Convert “bootstrappable” → FHE. Augmented Decryption ckt. Dec NAND c1c1 sk c2c2

Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? Complexity of the (aug.) Decryption Circuit (?)  Can be made bootstrappable – Similar to Gentry’09  Caveat: Assume Hardness of “Sparse Subset Sum” (polynomials of degree < n) (degree ~ n 2 polynomial)

Security (of the “somewhat” homomorphic scheme)

The Approximate GCD Assumption q 1 p+r 1 p? p q 1 ← [0…Q] r 1 ← [-R…R] odd p ← [0…P] (q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R (coined by Howgrave-Graham)

p? p Assumption: no PPT adversary can guess the number p Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q 0 p+2r 0,{q i p+r i }) Enc(b) =(qp+2r+b) = (proof of security) (q 1 p+r 1,…, q t p+r t )

A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A PK, Enc(b) b Encryption breaker (w.p. 1/2+ε) p – PK = {q i p+2r i }, – Enc(b) = qp+r, where lsb(r)=b

A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A lsb(r) Encryption breaker (w.p. 1/2+ε) p Technical Details: – Random noise vs. even noise {q i p+r i } p c=qp+r – Distribution of ciphertext: qp+r vs. c = + b (mod x 0 ) (statistically close distributions by Leftover Hash Lemma)

A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A lsb(r) Encryption breaker p Success Amplification – Boost from 1/2+ε to 1-1/poly(n) {q i p+r i } p c=qp+r (w.p. 1/2+ε)

A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A lsb(r) Encryption breaker p Computing lsb(q) and lsb(r) are equivalent {q i p+r i } p c=qp+r – lsb(q) = lsb(r) lsb(c), since p is odd lsb(q)

A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A Encryption breaker p Computing q and p are equivalent {q i p+r i } p c=qp+r – lsb(q) c=qp+r q

A “Taste” of the Security Proof Adv B {q i p+r i } Approx GCD solver Adv A Encryption breaker p The Idea: Use lsb(q) to make q successively smaller {q i p+r i } p c=qp+r lsb(q) c=qp+r q – If lsb(q) = 0, c ← [c/2] ( new-c = q/2*p+[r/2] ) – If lsb(q) = 1, c ← [(c-p)/2] ( new-c = (q-1)/2*p+[r/2] )

A “Taste” of the Security Proof Adv B {q i p+r i } Approx GCD solver Adv A Encryption breaker p The Idea: Use lsb(q) to make q successively smaller {q i p+r i } p c=qp+r lsb(q) c=qp+r q A New Trick: inspired by the binary GCD algorithm

A “Taste” of the Security Proof  Given two near-multiples z 1 =q 1 p+r 1 and z 2 =q 2 p+r 2 –Get b i := lsb(q i ); if z 1 { "@context": "http://schema.org", "@type": "ImageObject", "contentUrl": "http://images.slideplayer.com/14/4352112/slides/slide_33.jpg", "name": "A Taste of the Security Proof  Given two near-multiples z 1 =q 1 p+r 1 and z 2 =q 2 p+r 2 –Get b i := lsb(q i ); if z 1

– Lagarias’ algorithm  Studied by [Lag82,Cop97,HG01,NS01] (equivalent to “simultaneous Diophantine approximation”)  Lattice-based Attacks – Coppersmith’s algo. for finding small polynomial roots – Nguyen/Stern and Regev’s orthogonal lattice method  All run out of steam when log Q > (log P) 2 (our setting of parameters: log Q = n 5, log P = n 2 ) How Hard is Approximate GCD? Caveat: In Crypto, we need average-case hardness

Algorithms for Approx GCD: A Template B =B = R x 1 x 2 … x t -x 0 -x 0 … -x 0 b1b1 b2b2 b3b3 b t+1 (follows Lagarias’82)  Create a Lattice basis – Rows of B span a (t+1)-dimensional lattice

Algorithms for Approx GCD: A Template R x 1 x 2 … x t -x 0 -x 0 … -x 0 (follows Lagarias’82)  Create a Lattice basis – Length of the basis vectors ~ QP (or more) – (q 0,q 1,…,q t ) B is a short lattice vector 1 st entry = q 0 R < QR i th entry (i>1) = q 0 (q i p+r i ) – q i (q 0 p+r 0 ) = q 0 r i – q i r 0 < QR (in abs. value)

Algorithms for Approx GCD: A Template R x 1 x 2 … x t -x 0 -x 0 … -x 0 (follows Lagarias’82)  Create a Lattice basis – Length of the basis vectors ~ QP (or more) – || (q 0,q 1,…,q t ) B || 2 < QR  Try to find this short vector using (say) LLL

When will this Algorithm Succeed?  Need t to be large (> log Q/log P) – If t is small, then (q 0,q 1,…,q t ) is not the shortest vector – Need [(QP t )R] 1/t+1 > QR, or t > log Q/log P  If t is large, LLL (&co.) perform badly – Minkowski: lattice vector shorter than (exponentially many vectors shorter than )  Set log Q = ω(log 2 P). Then, t = ω(log P) – Only finds vectors of size 2 O(t) det(B) 1/t+1 >> QR – Contemporary lattice reduction is not strong enough R x 1 x 2 … x t -x 0 -x 0 … -x 0

Future Directions Efficient fully homomorphic encryption (Currently: n 8 factor blow-up in running time)(Currently:1000000000000000000000000 factor blowup) Efficiency for special-purpose tasks

Questions? [1] “Fully Homomorphic Encryption from the Integers”, http://eprint.iacr.org/2009/616, To Appear in Eurocrypt 2010.

Parameter Regimes t logQ/logP size (log scale) the solution we are seeking auxiliary solutions (Minkowski’s bound) converges to ~ logQ+logP What LLL can find min(blue,purple)+t blue line remains above purple line log Q

Download ppt "FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S."

Similar presentations