1 / 41

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION. from the Integers. Vinod Vaikuntanathan. IBM T. J. Watson. Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM). Client. Server/Cloud. (Input: x). (Program: P). Public-key Encryption. =.

aman
Download Presentation

FULLY HOMOMORPHIC ENCRYPTION

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. FULLY HOMOMORPHIC ENCRYPTION from the Integers Vinod Vaikuntanathan IBM T. J. Watson Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM)

  2. Client Server/Cloud (Input: x) (Program: P) Public-key Encryption = Modern Application: Computing on Encrypted Data Enc(x) Enc(P(x))

  3. Client Server/Cloud (Input: x) (Program: P) Fully HomomorphicEncryption (FHE) Public-key Encryption = = Modern Application: Computing on Encrypted Data Enc(x) Enc(P(x))

  4. XOR AND AND Fully HomomorphicEncryption (FHE) = = Definition: (KeyGen, Enc, Dec) Definition: (KeyGen, Enc, Dec, Eval) (as in regular public-key encryption) Eval(c,F) = c’ • If c = Enc(x), then Dec(c’) = F(x)

  5. Fully HomomorphicEncryption (FHE) = = Definition: (KeyGen, Enc, Dec, Eval) Two Important Properties  Compactness:Length of c’ is independent of the size of F • Circuit/Function Privacy:c’ does not reveal “any more information about F than the output F(x)” FHE = Compact FHE Theorem [GHV’10]: “Circuit privacy comes for free”.Any (compact) FHE → (Compact) circuit-private FHE

  6. Fully Homomorphic Encryption • First Defined: “Privacy homomorphism” [RAD’78] • their motivation: searching encrypted data

  7. c* = c1c2…cn= (m1m2…mn)e mod N • NON-COMPACT homomorphic encryption: X • SYY’99 & MGH’08: c* grows exp. with degree/depth • IP’07 works for branching programs cn = mne c1 = m1e c2 = m2e Fully Homomorphic Encryption • First Defined: “Privacy homomorphism” [RAD’78] • their motivation: searching encrypted data • Limited Variants: • RSA & El Gamal: multiplicatively homomorphic • GM & Paillier: additively homomorphic • BGN’05 & GHV’10: quadratic formulas

  8. Big Breakthrough: [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” Fully Homomorphic Encryption • First Defined: “Privacy homomorphism” [RAD’78] • their motivation: searching encrypted data • Is there an elementary Construction of FHE? • using just integer addition and multiplication • easier to understand, implement and improve

  9. Our Result Theorem [DGHV’10]: There exists a fully homomorphic public-key encryption scheme • which uses only add and mult over the integers, • which is secure based on the approximate GCD problem & the sparse subset sum problem.

  10. Construction

  11. A Roadmap 1. Secret-key“Somewhat” Homomorphic Encryption (fairly generic transformation) 2. Public-key“Somewhat” Homomorphic Encryption (borrows from Gentry’s techniques) 3. Public-key FULLY Homomorphic Encryption

  12. Secret-key Homomorphic Encryption • Secret key: an n2-bit odd number p (sec. param = n) • To Encrypt a bit b: • pick a random “large” multiple of p, say q·p (q ~ n5 bits) (r ~ n bits) • pick a random “small” even number 2·r • Ciphertext c =q·p+2·r+b “noise” • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit

  13. LSB = b1 XOR b2 LSB = b1 AND b2 Secret-key Homomorphic Encryption • How to Add and Multiply Encrypted Bits: • Add/Mult two near-multiples of p gives a near-multiple of p. • c1 = q1·p + (2·r1 + b1), c2= q2·p + (2·r2 + b2) • c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p • c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p

  14. (q-1)p qp (q+1)p (q+2)p Problems • Ciphertext grows with each operation • Useless for many applications (cloud computing, searching encrypted e-mail) • Noise grows with each operation • Consider c = qp+2r+b ← Enc(b) • c (mod p) = r’ ≠ 2r+b • lsb(r’) ≠ b 2r+b r’

  15. Problems • Ciphertext grows with each operation • Useless for many applications (cloud computing, searching encrypted e-mail) • Noise grows with each operation • Can perform “limited” number of hom. operations • What we have: “Somewhat Homomorphic” Encryption

  16. Public-key Homomorphic Encryption • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) • t+1 “near-multiples” of p, with even noise • W.l.o.g., x0 = q0p+2r0 is the largest • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval (as before)

  17. c = p[ ]+ 2[ ] + b (mod x0) c = p[ ]+ 2[ ] + b – kx0 (for a small k) = p[ ]+ 2[ ] + b Public-key Homomorphic Encryption • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt]= (x0,x1,…,xt) • To Encrypt a bit b: pick random subset S [1…t] c = + b (mod x0) • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval (as before) (mult. of p) +(“small” even noise) + b

  18. Public-key Homomorphic Encryption Ciphertext Size Reduction • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt]= (x0,x1,…,xt) • To Encrypt a bit b: pick random subset S [1…t] • Resulting ciphertext < x0 c = + b (mod x0) • Underlying bit is the same (since x0 has even noise) • To Decrypt a ciphertext c: • Noise does not increase by much(*) • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval: Reduce mod x0 after each operation (*) additional tricks for mult

  19. A Roadmap • Secret-key“Somewhat” Homomorphic Encryption • Public-key“Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption

  20. How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if: or f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt Say, noise in Enc(xi) < 2n Final Noise ~ (2n)d+…+(2n)d = m•(2n)d

  21. NAND Dec Dec c1 sk c2 sk From “Somewhat” to “Fully” Theorem [Gentry’09]: Convert “bootstrappable” → FHE. FHE = Can eval all fns. Augmented Decryption ckt. “Somewhat” HE “Bootstrappable”

  22. Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? (polynomials of degree < n) (?) Complexity of the (aug.) Decryption Circuit (degree ~ n2 polynomial) • Can be made bootstrappable • Similar to Gentry’09 • Caveat: Assume Hardness of “Sparse Subset Sum”

  23. Security (of the “somewhat” homomorphic scheme)

  24. p The Approximate GCD Assumption (coined by Howgrave-Graham) Parameters of the Problem: Three numbers P,Q and R p? (q1p+r1,…, qtp+rt) q1p+r1 q1← [0…Q] r1← [-R…R] Assumption: no PPT adversary can guess the number p odd p ← [0…P]

  25. p (q1p+r1,…, qtp+rt) p? Assumption: no PPT adversary can guess the number p = (proof of security) Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q0p+2r0,{qip+ri}) Enc(b) =(qp+2r+b)

  26. p A “Taste” of the Security Proof {qip+ri} PK, Enc(b) AdvB AdvA p b (w.p. 1/2+ε) Approx GCD solver Encryption breaker • PK ={qip+2ri}, • Enc(b) = qp+r, where lsb(r)=b

  27. p p A “Taste” of the Security Proof {qip+ri} {qip+ri} AdvB AdvA c=qp+r p lsb(r) (w.p. 1/2+ε) Approx GCD solver Encryption breaker Technical Details: • Random noise vs. even noise c = + b (mod x0) • Distribution of ciphertext: qp+r vs. (statistically close distributions by Leftover Hash Lemma)

  28. p p A “Taste” of the Security Proof {qip+ri} {qip+ri} AdvB AdvA c=qp+r p lsb(r) (w.p. 1/2+ε) Approx GCD solver Encryption breaker Success Amplification • Boost from 1/2+ε to 1-1/poly(n)

  29. p p A “Taste” of the Security Proof {qip+ri} {qip+ri} AdvB AdvA c=qp+r p lsb(r) lsb(q) Approx GCD solver Encryption breaker Computing lsb(q) and lsb(r) are equivalent • lsb(q) = lsb(r) lsb(c), since p is odd

  30. p p A “Taste” of the Security Proof {qip+ri} {qip+ri} AdvB AdvA c=qp+r c=qp+r p q lsb(q) Approx GCD solver Encryption breaker Computing q and p are equivalent

  31. p p A “Taste” of the Security Proof {qip+ri} {qip+ri} AdvB AdvA c=qp+r c=qp+r q lsb(q) Approx GCD solver Encryption breaker The Idea: Use lsb(q) to make q successively smaller • If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2]) (new-c = (q-1)/2*p+[r/2]) • If lsb(q) = 1, c ← [(c-p)/2]

  32. p p A “Taste” of the Security Proof {qip+ri} {qip+ri} AdvB AdvA c=qp+r c=qp+r q lsb(q) Approx GCD solver Encryption breaker The Idea: Use lsb(q) to make q successively smaller A New Trick: inspired by the binary GCD algorithm

  33. A “Taste” of the Security Proof • Given two near-multiples z1=q1p+r1 and z2=q2p+r2 • Get bi := lsb(qi); if z1<z2 swap them • If b1=b2=1, set z1←z1-z2 and b1=b1-b2 (mod 2) (At least one of the bi’s must be zero now!) Binary-GCD • For any bi=0, set zi←[zi/2] (The new qi is half the old qi!) • Repeat until one zi is zero, and let z* be the other • At the end, z*= gcd(q1,q2)·p+r* = 1·p+r* (for random q1 and q2, gcd(q1,q2)=1 with constant prob.) • Run Binary-gcd(z*,zi); the intermediate bits spell out the qi

  34. How Hard is Approximate GCD? • Studied by [Lag82,Cop97,HG01,NS01] (equivalent to “simultaneous Diophantine approximation”) • Lattice-based Attacks • Lagarias’ algorithm • Coppersmith’s algo. for finding small polynomial roots • Nguyen/Stern and Regev’s orthogonal lattice method • All run out of steam when log Q > (log P)2 (our setting of parameters: log Q = n5, log P = n2) Caveat: In Crypto, we need average-case hardness

  35. Algorithms for Approx GCD: A Template (follows Lagarias’82) • Create a Lattice basis R x1 x2 … xt -x0 -x0 …-x0 b1 b2 B= b3 bt+1 • Rows of B span a (t+1)-dimensional lattice

  36. Algorithms for Approx GCD: A Template (follows Lagarias’82) • Create a Lattice basis R x1 x2 … xt -x0 -x0 …-x0 • Length of the basis vectors ~ QP (or more) • (q0,q1,…,qt) • B is a short lattice vector 1st entry = q0R < QR ith entry (i>1) = q0(qip+ri) – qi(q0p+r0) = q0ri – qir0 < QR (in abs. value)

  37. Algorithms for Approx GCD: A Template (follows Lagarias’82) • Create a Lattice basis R x1 x2 … xt -x0 -x0 …-x0 • Length of the basis vectors ~ QP (or more) • ||(q0,q1,…,qt) • B||2< QR • Try to find this short vector using (say) LLL

  38. R x1 x2 … xt -x0 -x0 … -x0 • Minkowski: lattice vector shorter than (exponentially many vectors shorter than ) When will this Algorithm Succeed? • Need t to belarge (> log Q/log P) • If t is small, then (q0,q1,…,qt) is not the shortest vector • Need [(QPt)R]1/t+1 > QR, or t > log Q/log P • Setlog Q = ω(log2 P).Then, t = ω(log P) • If t is large, LLL (&co.) perform badly • Only finds vectors of size 2O(t)•det(B)1/t+1 >> QR • Contemporary lattice reduction is not strong enough

  39. Future Directions Efficient fully homomorphic encryption factor (Currently: n8 factor blow-up in running time) (Currently: 1 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 blowup) Efficiency for special-purpose tasks

  40. Questions? [1] “Fully Homomorphic Encryption from the Integers”,http://eprint.iacr.org/2009/616, To Appear in Eurocrypt 2010.

  41. Parameter Regimes What LLL can find min(blue,purple)+et size (log scale) log Q auxiliary solutions(Minkowski’s bound)converges to ~ logQ+logP the solution weare seeking blue lineremains abovepurple line t logQ/logP

More Related