A Brief Story of Computing on Private Data Ten H Lai Ohio State University

Agenda Computing on private data Fully homomorphic encryption (FHE) Gentry’s bootstrapping theorem Our result

FHE: The Holy Grail of Cryptography

Cloud Computing ServersStoragesNetworksApplications

天上有多少星星 城裡有多少姑娘 但人間只有一個妳 天上只有一顆月亮

Cloud Computing 6 Cloud server Internet Encrypt

Computing on private data 7 Cloud server Internet Encrypt

Computing on private data Cloud 8  A question proposed by Rivest, Aldeman, Dertouzos in 1978 (one year after RSA was invented).

C-Homomorphism

C-homomorphic

RSA is multiplicatively homomorphic

Fully Homomorphic Encryption (FHE)

15

16

17

18 Bootstrapping

19 m m sk A Decrypt m encrypted under a pink key pk A Evaluate Decrypt m

m m sk A m m Decrypt Evaluate Decrypt 20 Encrypt under a blue key pk B Evaluate Decrypt

sk A NAND m 1 NAND m 2 NAND-augmented Decrypt circuit: 21 m1m1 m2m2

Decrypt sk A c 1 sk A c 2 NAND m 1 NAND m 2 Evaluate 22 fresh m1m1 m2m2

23 m 1 NAND m 2 23 fresh m1m1 m2m2 sk A Under a pink key PK A Under a blue key PK B

24 m1m1 m2m2 m 1 NAND m 2 Increased noise

25

sk A m 1 m 2 m 1 NAND m 2 Evaluate Decrypt-NAND sk A m 3 m 4 m 3 NAND m 4 Evaluate Decrypt-NAND m 1 NAND m 2 m 3 NAND m 4 Evaluate Decrypt-NAND sk B (m 1 NAND m 2 ) NAND (m 3 NAND m 4 ) 26

sk A m 1 m 2 m 1 NAND m 2 Evaluate Decrypt-NAND sk A m 3 m 4 m 3 NAND m 4 Evaluate Decrypt-NAND m 1 NAND m 2 m 3 NAND m 4 Evaluate Decrypt-NAND sk B (m 1 NAND m 2 ) NAND (m 3 NAND m 4 ) 27

28 Decrypt NAND

29

30 Encryption key Decryption key Evaluation key

31 Decrypt

32

33 Encryption key Decryption key Evaluation key

34

35

… level d level 1 36

… Decrypt circuits level d level 1 37

Decrypt circuits … 38

39

40

41 Encryption key Decryption key Evaluation key

42

43

44 Decrypt NAND

45

46 Secret-key independent, Computationally intensive, Done with encryption Secret-key dependent Decryption algorithm

47

48 FHE is still in its infantry

Multi-Key/Multi-Scheme FHE

Single-key FHE 50

Is Multi-key FHE Possible? 51

Is Multi-scheme FHE Possible? 52

53

54

55

56

Evaluate circuit C Evaluate(C) Problem

Eval(C) If under pk 1 C

Eval(C) Eval( Eval(C) ) Under pk 2 C

Evaluate(C) ? C

?

62

Trivial encryptions

Eval(C) Eval( Eval(C) ) Summary of ideas C

65 C

69