FHE IntroductionNigel Smart

Avoncrypt 2015

Homomorphic EncryptionSome encryption schemes are multiplicative

homomorphic(M1 M2)e = (M1

e) * (M2e)

Some encryption schemes are additively homomorphic

(Gm+n * Hr+s ) = (Gm * Hr ) * (Gn * Hs )

Problem is to come up with schemes which are both

Additively Homomorphic SchemesSchemes which support addition

e.g. Paillier, ElGamal in exponent, ElGamal in Paillier group etc

have wide application Electronic voting protocols Key splitting protocols

These are practical and deployed in various situations.

Mult+AddEvery function can be represented by a

sequence of additions and multiplications over a ring RSo called arithmetic circuit description

+*

** *

* +

++

+x

y

Mult+AddSuppose we have an encryption scheme

which can support homomorphic encryption and multiplication

Denote encryption via a box [x], then we have the equations

[x +y] = [x] + [y][x * y] = [x] * [y]

We could then evaluate the circuit

Mult + AddAssume data, x, is in some finite ring RA ciphertext, [x], also lives in a ring CThe plaintext operations + and * are on

elements in R.The ciphertext operations + and * are on

elements in C.

Big Idea: If we could do this we could compute on encrypted data and outsource computation.

DataOwner

Server

ab

F(X,Y)

[a]

[b]

F(X,Y)

[F(a,b)]DECRYPTF(a,b)

We want the computation of F(a,b) to be done on the server without interation• Require Fully Homomorphic Encryption (FHE)• i.e. the encryption algorithm supports operations and • This is very slow!

Data is placed on the serverServer performs some computationCiphertext returned to the data ownerData owner then decrypts.

The process of given [a] and [b] and F and producing [F(a,b)] we call Eval.

So if F is a function with one input we would have

Eval(F,[x]) = [F(x)]

We require that the size of the output ciphertext [F(x)] does not depend on F.

• Otherwise trivial solution is output (F,[x])

The only thing which depends on F is the complexity of performing the Eval operation

Practical InstantiationsAll encryption schemes supporting addition AND

multiplications are based on lattices.

All systems have the following propertyA ciphertext has an implicit noise quantity N.A fresh (newly encrypted ciphertext) has a small value

of N.Adding ciphertexts with noise N and N’ produces one

with noise N+N’Multiplying ciphertexts with noise N and N’ produces

one with noise M(N,N’) for some function M. Exact M depends on the scheme

Somewhat Homomorphic Encryption

When noise gets too big a ciphertext will not decrypt correctly.

This implies a bound on the complexity of the circuit a scheme can evaluate.

Such schemes are called “Somewhat” homomorphic as opposed to “Fully” homomorphic.SHE vs FHE

We can (sometimes) produce a FHE scheme from an SHE scheme using a process called bootstrapping.

BootstrappingLet D(s,c) be the decryption function of the

scheme.Now think of D(s,c) as a function of the secret

key s only.So for each c we define a new function Dc(s)

Suppose Dc(s) is simple enough to be evaluated by the SHE scheme (with a little more room afterwards).

Publish an encryption of s, i.e. Output [s]

BootstrappingRecall

Eval(F, [x]) = [F(x)]

Take a ciphertext c=[m] encrypting a message m.

So take F(x)= Dc(x) then and use the encrypted secret key [s] to obtain

Eval(Dc(.), [s]) = [Dc(s)] = [m] = c’So Eval produces a new encryption of m.We “gain” if the noise in c’ is less than the

noise in c.

BootstrappingThis works when the “circuit” for decryption

is simple.Most lattice schemes have low decryption

circuit complexity.Thus this is where we find FHE schemes

livingAlso lattices allow easy creation of SHE

schemes to start with as well.

Example Scheme (BGV)We keep a high level view, and hide many

detailsLet R be a ring of polynomials over the

integersR=Z[X]/F(X)

Let Rq denote the same ring but also reduced mod q, for a prime q.

Rq =Zq [X]/F(X)

Let plaintext space be Rp for a prime p ≠ q

Let secret key be a small element s in Rq

Example Scheme (BGV)To encrypt we

Pick a small “noise” value e in Rq

Pick a random element a in Rq

Set b = m + p*e + a*sAs described this is a symmetric key scheme,

but we are keeping things simple.

To decrypt we computeb-a*s mod q = m + p*e

and then take the result modulo p.

Example Scheme (BGV)Take two ciphertexts (a,b) and (a’,b’)

b=a*s+p*e+mb’=a’*s+p*e’+m’

Clearly additively homomorphic:A=a+a’B=b+b’

B-A*s = p*(e+e’) + (m+m’)

Noise is additive e+e’

Example Scheme (BGV)Multiplication more complex, basically take

tensors of ciphertexts and decrypt under the tensor secret key

A=a*a’B=a*b’+a’*b

C=b*b’Then

C – B*s + A*s2 = (b-a*s)*(b’-a’*s)

= m*m’ + p* noise

Noise is multiplicative noise ≈ e*e’

Example Scheme (BGV)

C – B*s + A*s2 = (b-a*s)*(b’-a’*s)

We can “relinearize” (A,B,C) to get back a two element ciphertext (A’,B’) such that

B- A *s = m*m’ + p * noise

This is a process called “key switching”Details not given here

In PracticeWe have practical and efficient SHE schemes

for reasonable size values of plaintext moduli p.

Depth is limited really to small values(<10)Mainly focused on multiplicative depth as this

is where the main noise comes from

Making efficient bootstrapping impossible.

In Practice

Some application can be enabled using low depth SHEStatistical calculations : std-dev.Fourier Transforms + Masking.Preprocessing for MPC (SPDZ protocol).

EU project HEAT looking into practical use-cases for low depth SHE based systems.

Questions?