fully homomorphic encryption
DESCRIPTION
FULLY HOMOMORPHIC ENCRYPTION. from the Integers. Vinod Vaikuntanathan. IBM T. J. Watson. Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM). Client. Server/Cloud. (Input: x). (Program: P). Public-key Encryption. =. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/1.jpg)
FULLY HOMOMORPHIC ENCRYPTION
IBM T. J. Watson
Vinod Vaikuntanathan
from the Integers
Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM)
![Page 2: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/2.jpg)
= Modern Application: Computing on Encrypted Data
Public-key Encryption
Client Server/Cloud
(Input: x) (Program: P)
Enc(P(x))
Enc(x)
![Page 3: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/3.jpg)
= Modern Application: Computing on Encrypted Data
Public-key Encryption
Client Server/Cloud
(Input: x) (Program: P)
Enc(P(x))
Enc(x)
Fully HomomorphicEncryption (FHE) =
![Page 4: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/4.jpg)
=Definition: (KeyGen, Enc, Dec)
Fully HomomorphicEncryption (FHE) =
(as in regular public-key encryption)Eval(c,F) = c’
– If c = Enc(x), then Dec(c’) = F(x)
Definition: (KeyGen, Enc, Dec, Eval)
ANDXOR
AND
![Page 5: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/5.jpg)
= Fully HomomorphicEncryption (FHE) =
Two Important Properties
Definition: (KeyGen, Enc, Dec, Eval)
Compactness: Length of c’ is independent of the size of F
Circuit/Function Privacy: c’ does not reveal “any more information about F than the output F(x)”
Theorem [GHV’10]: “Circuit privacy comes for free”.Any (compact) FHE → (Compact) circuit-private FHE
FHE = Compact FHE
![Page 6: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/6.jpg)
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– their motivation: searching encrypted data
![Page 7: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/7.jpg)
– BGN’05 & GHV’10: quadratic formulas
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
► Limited Variants:
– GM & Paillier: additively homomorphic
– RSA & El Gamal: multiplicatively homomorphic
– their motivation: searching encrypted data
c1 = m1e c2 = m2
e cn = mne
Xc* = c1c2…cn = (m1m2…mn)e mod N
► NON-COMPACT homomorphic encryption:
– SYY’99 & MGH’08: c* grows exp. with degree/depth
– IP’07 works for branching programs
![Page 8: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/8.jpg)
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– using just integer addition and multiplication
– their motivation: searching encrypted data
► Is there an elementary Construction of FHE?
Big Breakthrough: [Gentry09]
First Construction of Fully Homomorphic Encryption
using algebraic number theory & “ideal lattices”
– easier to understand, implement and improve
![Page 9: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/9.jpg)
Our Result
Theorem [DGHV’10]: There exists a fully homomorphic public-key encryption scheme
– which uses only add and mult over the integers,
– which is secure based on the approximate GCD problem & the sparse subset sum problem.
![Page 10: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/10.jpg)
Construction
![Page 11: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/11.jpg)
A Roadmap
1. Secret-key “Somewhat” Homomorphic Encryption
2. Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
(fairly generic transformation)
(borrows from Gentry’s techniques)
![Page 12: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/12.jpg)
Secret-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Encrypt a bit b:
– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– Ciphertext c = q·p+2·r+b
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
(q ~ n5 bits)
(r ~ n bits)
“noise”
(sec. param = n)
![Page 13: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/13.jpg)
Secret-key Homomorphic Encryption
How to Add and Multiply Encrypted Bits:
– Add/Mult two near-multiples of p gives a near-multiple of p.
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p
LSB = b1 XOR b2
LSB = b1 AND b2
![Page 14: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/14.jpg)
Problems
Ciphertext grows with each operation
Noise grows with each operation
Useless for many applications (cloud computing, searching encrypted e-mail)
– Consider c = qp+2r+b ← Enc(b)
(q-1)p qp (q+1)p (q+2)p
2r+b
– c (mod p) = r’ ≠ 2r+b
r’– lsb(r’) ≠ b
![Page 15: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/15.jpg)
Problems
Ciphertext grows with each operation
Noise grows with each operation
Useless for many applications (cloud computing, searching encrypted e-mail)
Can perform “limited” number of hom. operations
What we have: “Somewhat Homomorphic” Encryption
![Page 16: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/16.jpg)
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
– t+1 “near-multiples” of p, with even noise
– W.l.o.g., x0 = q0p+2r0 is the largest
Δ
![Page 17: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/17.jpg)
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
c = p[ ] + 2[ ] + b (mod x0) Si
iq
Siirrc = p[ ] + 2[ ] + b – kx0 (for a small k)
Siiq
Siirr
= p[ ] + 2[ ] + b 0kqqSi
i
0krrrSii
(mult. of p) + (“small” even noise) + b
![Page 18: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/18.jpg)
c = + b (mod x0)rxSi
i 2
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval: Reduce mod x0 after each operation
To Encrypt a bit b: pick random subset S [1…t]
Ciphertext Size Reduction
– Resulting ciphertext < x0
– Underlying bit is the same (since x0 has even noise)
– Noise does not increase by much(*)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)Δ
(*) additional tricks for mult
![Page 19: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/19.jpg)
A Roadmap
Secret-key “Somewhat” Homomorphic Encryption
Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
![Page 20: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/20.jpg)
How “Somewhat” Homomorphic is this?
Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if:
f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt
Final Noise ~ (2n)d+…+(2n)d = m•(2n)d
Say, noise in Enc(xi) < 2n
2/22/22nnd pm or nd ~
![Page 21: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/21.jpg)
“Somewhat” HE“Bootstrappable”
From “Somewhat” to “Fully”
FHE = Can eval all fns.
Theorem [Gentry’09]: Convert “bootstrappable” → FHE.
Augmented Decryption ckt.
Dec Dec
NAND
c1 sk skc2
![Page 22: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/22.jpg)
Is our Scheme “Bootstrappable”?
What functions can the scheme EVAL?
Complexity of the (aug.) Decryption Circuit
(?)
Can be made bootstrappable– Similar to Gentry’09
Caveat: Assume Hardness of “Sparse Subset Sum”
(polynomials of degree < n)
(degree ~ n2 polynomial)
![Page 23: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/23.jpg)
Security(of the “somewhat” homomorphic scheme)
![Page 24: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/24.jpg)
The Approximate GCD Assumption
q1p+r1
p?
p
q1 ← [0…Q]r1 ← [-R…R]
odd p ← [0…P]
(q1p+r1,…, qtp+rt)
Assumption: no PPT adversary can guess the number p
Parameters of the Problem: Three numbers P,Q and R
(coined by Howgrave-Graham)
![Page 25: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/25.jpg)
p?
p
Assumption: no PPT adversary can guess the number p
Semantic Security [GM’82]: no PPT adversary can guess the bit b
PK =(q0p+2r0,{qip+ri})
Enc(b) =(qp+2r+b)
=(proof of security)
(q1p+r1,…, qtp+rt)
![Page 26: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/26.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
A
PK, Enc(b)
b
Encryption breaker
(w.p. 1/2+ε)
p
– PK = {qip+2ri},
– Enc(b) = qp+r, where lsb(r)=b
![Page 27: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/27.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
Alsb(r)
Encryption breaker
(w.p. 1/2+ε)
p
Technical Details:– Random noise vs. even noise
{qip+ri}pc=qp+r
– Distribution of ciphertext: qp+r vs. c = + b (mod x0)rxSi
i 2
(statistically close distributions by Leftover Hash Lemma)
![Page 28: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/28.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
Alsb(r)
Encryption breaker
p
Success Amplification– Boost from 1/2+ε to 1-1/poly(n)
{qip+ri}pc=qp+r
(w.p. 1/2+ε)
![Page 29: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/29.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
Alsb(r)
Encryption breaker
p
Computing lsb(q) and lsb(r) are equivalent
{qip+ri}pc=qp+r
– lsb(q) = lsb(r) lsb(c), since p is odd
lsb(q)
![Page 30: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/30.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
A
Encryption breaker
p
Computing q and p are equivalent
{qip+ri}pc=qp+r
–
lsb(q)
c=qp+r
q
cp
q
![Page 31: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/31.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
Approx GCD solver
Adv
A
Encryption breaker
p
The Idea: Use lsb(q) to make q successively smaller
{qip+ri}pc=qp+r
lsb(q)
c=qp+r
q
– If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2])– If lsb(q) = 1, c ← [(c-p)/2]
(new-c =
(q-1)/2*p+[r/2])
![Page 32: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/32.jpg)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
Approx GCD solver
Adv
A
Encryption breaker
p
The Idea: Use lsb(q) to make q successively smaller
{qip+ri}pc=qp+r
lsb(q)
c=qp+r
q
A New Trick: inspired by the binary GCD algorithm
![Page 33: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/33.jpg)
A “Taste” of the Security Proof
Given two near-multiples z1=q1p+r1 and z2=q2p+r2
– Get bi := lsb(qi); if z1<z2 swap them
– If b1=b2=1, set z1←z1-z2 and b1=b1-b2 (mod 2)
(At least one of the bi’s must be zero now!)
– For any bi=0, set zi←[zi/2]
(The new qi is half the old qi!)
– Repeat until one zi is zero, and let z* be the other
At the end, z*= gcd(q1,q2)·p+r* = 1·p+r*
Bin
ary
-GC
D
(for random q1 and q2, gcd(q1,q2)=1 with constant prob.) Run Binary-gcd(z*,zi); the intermediate bits spell out the qi
![Page 34: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/34.jpg)
– Lagarias’ algorithm
Studied by [Lag82,Cop97,HG01,NS01](equivalent to “simultaneous Diophantine approximation”)
Lattice-based Attacks
– Coppersmith’s algo. for finding small polynomial roots
– Nguyen/Stern and Regev’s orthogonal lattice method
All run out of steam when log Q > (log P)2
(our setting of parameters: log Q = n5, log P = n2)
How Hard is Approximate GCD?
Caveat: In Crypto, we need average-case hardness
![Page 35: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/35.jpg)
Algorithms for Approx GCD: A Template
B =
R x1 x2 … xt
-x0
-x0
… -x0
b1
b2
b3
bt+1
(follows Lagarias’82)
Create a Lattice basis
– Rows of B span a (t+1)-dimensional lattice 1)( tZBL
![Page 36: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/36.jpg)
Algorithms for Approx GCD: A Template
R x1 x2 … xt
-x0
-x0
… -x0
(follows Lagarias’82)
Create a Lattice basis
– Length of the basis vectors ~ QP (or more)
– (q0,q1,…,qt) • B is a short lattice vector
1st entry = q0R < QR
ith entry (i>1) = q0(qip+ri) – qi(q0p+r0) = q0ri – qir0
< QR (in abs. value)
![Page 37: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/37.jpg)
Algorithms for Approx GCD: A Template
R x1 x2 … xt
-x0
-x0
… -x0
(follows Lagarias’82)
Create a Lattice basis
– Length of the basis vectors ~ QP (or more)
– ||(q0,q1,…,qt) • B||2 < QR t
Try to find this short vector using (say) LLL
![Page 38: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/38.jpg)
When will this Algorithm Succeed?
Need t to be large (> log Q/log P) – If t is small, then (q0,q1,…,qt) is not the shortest vector
– Need [(QPt)R]1/t+1 > QR, or t > log Q/log P
If t is large, LLL (&co.) perform badly
– Minkowski: lattice vector shorter than 1/1)det( tBt
(exponentially many vectors shorter than ) 1/1)det()( tBtpoly
Set log Q = ω(log2 P). Then, t = ω(log P)
– Only finds vectors of size 2O(t)•det(B)1/t+1 >> QR
– Contemporary lattice reduction is not strong enough
R x1 x2 … xt
-x0
-x0
…
-x0
![Page 39: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/39.jpg)
Future Directions
Efficient fully homomorphic encryption
(Currently: n8 factor blow-up in running time)(Currently: 1000000000000000000000000 factorblowup)
Efficiency for special-purpose tasks
![Page 40: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/40.jpg)
Questions?
[1] “Fully Homomorphic Encryption from the Integers”,http://eprint.iacr.org/2009/616, To Appear in Eurocrypt 2010.
![Page 41: FULLY HOMOMORPHIC ENCRYPTION](https://reader033.vdocuments.site/reader033/viewer/2022061410/56814336550346895dafaa23/html5/thumbnails/41.jpg)
Parameter Regimes
tlogQ/logP
size
(lo
g s
cale
)
the solution weare seeking
auxiliary solutions(Minkowski’s bound)converges to ~ logQ+logP
What LLL can findmin(blue,purple)+t
blue lineremains abovepurple line
log Q