nigel smart avoncrypt 2015. homomorphic encryption some encryption schemes are multiplicative...
TRANSCRIPT
FHE IntroductionNigel Smart
Avoncrypt 2015
Homomorphic EncryptionSome encryption schemes are multiplicative
homomorphic(M1 M2)e = (M1
e) * (M2e)
Some encryption schemes are additively homomorphic
(Gm+n * Hr+s ) = (Gm * Hr ) * (Gn * Hs )
Problem is to come up with schemes which are both
Additively Homomorphic SchemesSchemes which support addition
e.g. Paillier, ElGamal in exponent, ElGamal in Paillier group etc
have wide application Electronic voting protocols Key splitting protocols
These are practical and deployed in various situations.
Mult+AddEvery function can be represented by a
sequence of additions and multiplications over a ring RSo called arithmetic circuit description
+*
** *
* +
++
+x
y
Mult+AddSuppose we have an encryption scheme
which can support homomorphic encryption and multiplication
Denote encryption via a box [x], then we have the equations
[x +y] = [x] + [y][x * y] = [x] * [y]
We could then evaluate the circuit
Mult + AddAssume data, x, is in some finite ring RA ciphertext, [x], also lives in a ring CThe plaintext operations + and * are on
elements in R.The ciphertext operations + and * are on
elements in C.
Big Idea: If we could do this we could compute on encrypted data and outsource computation.
DataOwner
Server
ab
F(X,Y)
[a]
[b]
F(X,Y)
[F(a,b)]DECRYPTF(a,b)
We want the computation of F(a,b) to be done on the server without interation• Require Fully Homomorphic Encryption (FHE)• i.e. the encryption algorithm supports operations and • This is very slow!
Data is placed on the serverServer performs some computationCiphertext returned to the data ownerData owner then decrypts.
The process of given [a] and [b] and F and producing [F(a,b)] we call Eval.
So if F is a function with one input we would have
Eval(F,[x]) = [F(x)]
We require that the size of the output ciphertext [F(x)] does not depend on F.
• Otherwise trivial solution is output (F,[x])
The only thing which depends on F is the complexity of performing the Eval operation
Practical InstantiationsAll encryption schemes supporting addition AND
multiplications are based on lattices.
All systems have the following propertyA ciphertext has an implicit noise quantity N.A fresh (newly encrypted ciphertext) has a small value
of N.Adding ciphertexts with noise N and N’ produces one
with noise N+N’Multiplying ciphertexts with noise N and N’ produces
one with noise M(N,N’) for some function M. Exact M depends on the scheme
Somewhat Homomorphic Encryption
When noise gets too big a ciphertext will not decrypt correctly.
This implies a bound on the complexity of the circuit a scheme can evaluate.
Such schemes are called “Somewhat” homomorphic as opposed to “Fully” homomorphic.SHE vs FHE
We can (sometimes) produce a FHE scheme from an SHE scheme using a process called bootstrapping.
BootstrappingLet D(s,c) be the decryption function of the
scheme.Now think of D(s,c) as a function of the secret
key s only.So for each c we define a new function Dc(s)
Suppose Dc(s) is simple enough to be evaluated by the SHE scheme (with a little more room afterwards).
Publish an encryption of s, i.e. Output [s]
BootstrappingRecall
Eval(F, [x]) = [F(x)]
Take a ciphertext c=[m] encrypting a message m.
So take F(x)= Dc(x) then and use the encrypted secret key [s] to obtain
Eval(Dc(.), [s]) = [Dc(s)] = [m] = c’So Eval produces a new encryption of m.We “gain” if the noise in c’ is less than the
noise in c.
BootstrappingThis works when the “circuit” for decryption
is simple.Most lattice schemes have low decryption
circuit complexity.Thus this is where we find FHE schemes
livingAlso lattices allow easy creation of SHE
schemes to start with as well.
Example Scheme (BGV)We keep a high level view, and hide many
detailsLet R be a ring of polynomials over the
integersR=Z[X]/F(X)
Let Rq denote the same ring but also reduced mod q, for a prime q.
Rq =Zq [X]/F(X)
Let plaintext space be Rp for a prime p ≠ q
Let secret key be a small element s in Rq
Example Scheme (BGV)To encrypt we
Pick a small “noise” value e in Rq
Pick a random element a in Rq
Set b = m + p*e + a*sAs described this is a symmetric key scheme,
but we are keeping things simple.
To decrypt we computeb-a*s mod q = m + p*e
and then take the result modulo p.
Example Scheme (BGV)Take two ciphertexts (a,b) and (a’,b’)
b=a*s+p*e+mb’=a’*s+p*e’+m’
Clearly additively homomorphic:A=a+a’B=b+b’
B-A*s = p*(e+e’) + (m+m’)
Noise is additive e+e’
Example Scheme (BGV)Multiplication more complex, basically take
tensors of ciphertexts and decrypt under the tensor secret key
A=a*a’B=a*b’+a’*b
C=b*b’Then
C – B*s + A*s2 = (b-a*s)*(b’-a’*s)
= m*m’ + p* noise
Noise is multiplicative noise ≈ e*e’
Example Scheme (BGV)
C – B*s + A*s2 = (b-a*s)*(b’-a’*s)
We can “relinearize” (A,B,C) to get back a two element ciphertext (A’,B’) such that
B- A *s = m*m’ + p * noise
This is a process called “key switching”Details not given here
In PracticeWe have practical and efficient SHE schemes
for reasonable size values of plaintext moduli p.
Depth is limited really to small values(<10)Mainly focused on multiplicative depth as this
is where the main noise comes from
Making efficient bootstrapping impossible.
In Practice
Some application can be enabled using low depth SHEStatistical calculations : std-dev.Fourier Transforms + Masking.Preprocessing for MPC (SPDZ protocol).
EU project HEAT looking into practical use-cases for low depth SHE based systems.
Questions?