Homomorphic Encryption from Codes
Andrej Bogdanov (Chinese University of Hong Kong), with Chin Ho Lee (Chinese University of Hong Kong)
Post-Quantum Cryptography | 9 Feb 2012
Fully homomorphic encryption [Rivest, Adleman, Dertouzos 1978]
Given the encryptions Enc(x1), Enc(x2), Enc(x3), Enc(x4) and a circuit C, the homomorphic evaluation Hom(C) produces Enc(C(x)) from the encrypted inputs alone.
Secure outsourcing of computation
The user sends Enc(data) to the cloud; the cloud runs program C on the encrypted data and returns Enc(C(x)) to the user.
What we do
Known homomorphic schemes are based on "decoding" from lattices. We propose a new construction of homomorphic encryption from codes.
Decoding lattices vs codes
The problem is the same: given a noisy code/lattice element, find out where it came from. Only the noise model is different (lattice noise vs. code noise).
Our original motivation
• We wanted to understand if the complexity of known homomorphic schemes is necessary
• We found it hard to work with lattice-based examples, as they use (large) integers
• In contrast, good codes exist even over bits (more later…)
Encryption
Enc_P(m) = rP + m·1 + e over GF(q), q = 2^k, where r is the randomness, P the public key, e the noise and 1 the all-ones vector.
The public key P is a scrambled version of a matrix M built from Reed-Solomon encoding matrices (the slide pictures M as a block matrix with blocks F and 0).
Decryption
Let's pretend we are in GF(2). The secret key sk satisfies M·sk = 0, and Dec(c) := c·sk, so an encryption of 0 decrypts to 0 (the slide works this out on an example bit string Enc(0) with Enc(0)·sk = 0). Dec(1) is analogous, as long as sk has odd weight.
Security intuition
M provides functionality, F provides security. M is hidden inside P by permuting columns and scrambling rows at random. M and F are similar in distribution and aspect ratio, to guard against "linear algebra" attacks.
Parameters and security
s = n^{a/4}; noise rate n^{-1+a/4}; field size q ≈ 2^n. (The slide shows the shapes of M and P in terms of n^{1-a/8}, 3s and n^a.)
Security conjecture: (P, Enc_P(0)) is pseudorandom with hardness 2^{n^g}, for some a, g > 0 and n sufficiently large.
On the parameters
Parameters chosen to foil obvious attacks…
• look for linear dependencies in encryptions
• search the nullspace of P
…some less obvious ones…
• exploit rank-deficiency of M
• normalize P (Sidelnikov-Shestakov attack)
…and with homomorphism in mind.
In a world without noise
Encryptions are additive…
• Enc(m) = rP + m·1
• Enc(m') = r'P + m'·1
• Enc(m + m') = (r + r')P + (m + m')·1
so Enc(m) + Enc(m') ⊆ Enc(m + m')
…and somewhat multiplicative: Enc(m) ⋅ Enc(m') ⊆ Dec(m⋅m')
Encryption spaces
Enc_PK(m): possible encryptions of m, assuming no noise.
Dec_SK(m): ciphertexts that decrypt to m.
(The slide draws both inside {0,1}^n, with Enc(0) ⊆ Dec(0) and Enc(1) ⊆ Dec(1).)
Encryption spaces and homomorphism
We have Enc(m) + Enc(m') ⊆ Enc(m + m'). If we also had Enc(m) ⋅ Enc(m') ⊆ Enc(m⋅m'), then any circuit C of + and × gates could be evaluated gate by gate on Enc(x1), …, Enc(x4) to obtain Enc(C(x)).
Reencryption (bootstrapping)
We only have Enc(m)⋅Enc(m') ⊆ Dec(m⋅m'), so we need to convert Dec(m) into Enc(m). Given encryptions Enc(sk1), …, Enc(sk4) of the secret key bits, apply Hom(Dec) to c to obtain ReEnc(c) = Enc(Dec_sk(c)) = Enc(m), since Dec_sk(c) = m.
Reencryption
Example: sk = 1 1 1 0 0 0 0 0 and c = 0 1 1 1 0 1 1 1 ∈ Dec_sk(m).
• Dec_sk(c) = c1·sk1 + … + cn·skn, so
• ReEnc(c) = c1·Enc(sk1) + … + cn·Enc(skn)
Reencryption
With sk = 1 1 1 0 0 0 0 0 and the encryptions Enc(sk_i) written out as bit vectors (listed on the slide), ReEnc(c) = c1·Enc(sk1) + … + cn·Enc(skn).
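The noise-free additive and multiplicative relations above, together with ReEnc, as an added toy example (not the authors' scheme or code): it works over GF(2) with a random binary public matrix P in place of the scrambled Reed-Solomon matrix, and brute-forces an odd-weight sk that is orthogonal to the rows of P and to their coordinate-wise products, which is the assumption that makes Enc(m)⋅Enc(m') land in Dec(m⋅m'); all function names, parameters and inputs are constructed here.

```python
import random

def parity(x):
    return bin(x).count("1") & 1   # parity(a & b) is the GF(2) dot product <a, b>

def keygen(n, k, rng):
    """Toy key: random binary P (assumption; the scheme scrambles a Reed-Solomon matrix).
    sk has odd weight (<1, sk> = 1), is orthogonal to each row of P (r P vanishes) and to
    each coordinate-wise product of two rows (a product of two ciphertexts still decrypts)."""
    while True:
        P = [rng.getrandbits(n) for _ in range(k)]
        constraints = P + [P[i] & P[j] for i in range(k) for j in range(i + 1, k)]
        cands = [v for v in range(1, 1 << n)   # brute force, so keep n <= ~20
                 if parity(v) and not any(parity(v & w) for w in constraints)]
        if cands:
            return P, rng.choice(cands)

def enc(n, P, m, rng):
    """Enc_P(m) = r P + m * 1, no noise: XOR a random subset of rows, flip all bits if m = 1."""
    c = 0
    for row in P:
        c ^= row * rng.getrandbits(1)        # r picks a random subset of the rows
    return c ^ ((1 << n) - 1) if m else c

def dec(sk, c):   # Dec_sk(c) = <c, sk>
    return parity(c & sk)

def add(c1, c2):   # Enc(m) + Enc(m') lies in Enc(m + m')
    return c1 ^ c2

def mul(c1, c2):   # Enc(m) . Enc(m') (coordinate-wise) only lies in Dec(m m')
    return c1 & c2

def reenc(n, c, enc_sk):
    """ReEnc(c) = c_1 Enc(sk_1) + ... + c_n Enc(sk_n), with enc_sk[i] = Enc_P2(sk1_i):
    turns c in Dec_sk1(m) into a fresh-form element of Enc_P2(m)."""
    out = 0
    for i in range(n):
        out ^= enc_sk[i] * ((c >> i) & 1)
    return out

def demo(seed=7, n=16, k=3):
    """Evaluates (x1 x2 + x3 x4) . x5 across two keys; returns the three decryptions."""
    rng = random.Random(seed)
    P1, sk1 = keygen(n, k, rng)
    P2, sk2 = keygen(n, k, rng)
    x = [1, 0, 1, 1, 0]                                   # constructed inputs
    e = [enc(n, P1, b, rng) for b in x[:4]]
    d = add(mul(e[0], e[1]), mul(e[2], e[3]))             # in Dec_sk1(1), not in Enc_P1(1)
    enc_sk1 = [enc(n, P2, (sk1 >> i) & 1, rng) for i in range(n)]
    f = reenc(n, d, enc_sk1)                              # back in Enc_P2(1)
    g = mul(f, enc(n, P2, x[4], rng))                     # a further product is safe again
    return dec(sk1, d), dec(sk2, f), dec(sk2, g)          # (1, 1, 0)
```

Without the re-encryption step, multiplying d by another ciphertext would not be decryptable in general, since sk is only orthogonal to products of two rows, not of four.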
Enter noise
With noise, each Enc(sk_i) carries errors (highlighted in the bit vectors on the slide), and linear combinations of Enc(sk_i) are extremely noisy.
Noise reduction techniques
• Homomorphic encryption for small depth: reencrypt under larger and larger keys
• From small depth to small size: reduce key length
• Eliminate all restrictions: reduce error rate
Reencryption under larger keys
Call the encryption scheme with the parameters above (s = n^{a/4}, noise rate n^{-1+a/4}, field size q ≈ 2^n) K_q(n). Idea: reencrypt K_q(n) under K_q(n^{1+a}).
Reencryption
Under the larger key, noise is unlikely to affect the relevant parts of Enc(sk_i) (the slide again lists the bit vectors Enc(sk_i) for sk = 1 1 0 1 1 0 0 0), so ReEnc(c) = c1·Enc(sk1) + … + cn·Enc(skn) still works.
Homomorphism for small depth
Applying a chain of keys K_q(n) → K_q(n^{1+a}) → … → K_q(n^{(1+a)^d}), we can handle up to d reencryptions, and so we can evaluate circuits of depth d (and sufficiently small size).
The error correction circuit
E is a depth-d tree of gates G(x, y) = 1 + xy with inputs x1, x2, …, x_{2^d} and output y. If each input independently satisfies x_i = m with probability 1 − h and x_i = 1 − m with probability h, then Pr[y ≠ m] ≈ h^{1.4^d}.
Error correction of encryptions
Take 2^d independent encryptions of sk_i; at error rate h each lies in the right space Dec(1) or, with probability h, in the wrong one Dec(0) (the slide shows Dec(1), Dec(0), Dec(1), Dec(1), …). Applying Hom(E) to them yields a single encryption of 1 with error rate h^{1.4^d}.
Parameters
Along the chain K_q(n) → … → K_q(n^{(1+a)^d}), the length of encryptions grows from n to n^{(1+a)^d}, while the noise rate h = n^{-1+a/4} drops to h^{1.4^d}. For small a, all errors can be corrected.
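To check the amplification claim behind the error correction circuit and the parameter slide, here is an added example (not from the talk) that computes the exact error probability of a depth-d tree of G(x, y) = 1 + xy gates on independently noisy leaves, level by level, and compares its exponent with the slide's 1.4^d; the function names and the sample values of h and d are constructed.

```python
import math

def tree_error(h, d, m=1):
    """Exact Pr[y != noise-free output] for a depth-d tree of G(x, y) = 1 + xy gates
    whose 2^d leaves independently hold m with probability 1 - h and 1 - m otherwise.
    v is the correct value at the current level, p the error probability of a wire there."""
    p, v = h, m
    for _ in range(d):
        if v == 1:
            p = 2 * p - p * p   # correct output is 1 + 1 = 0; wrong iff some input is 0
        else:
            p = p * p           # correct output is 1 + 0 = 1; wrong iff both inputs are 1
        v = 1 - v               # G on two copies of v outputs 1 + v
    return p

def error_exponent(h, d, m=1):
    """log Pr[error] / log h, i.e. the t with Pr[error] = h^t, to compare with 1.4^d."""
    return math.log(tree_error(h, d, m)) / math.log(h)
```

Two levels map p to roughly 4p², so the exponent doubles every two levels and approaches 2^{d/2} ≈ 1.41^d as h shrinks, which is the h^{1.4^d} rate quoted on the slides.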
Circular security?
To prove security, we must use fresh (independent) keys for every circuit layer, giving key length ≈ n^{d log d}. Is the scheme secure under circular key encryptions? We don't know, but we suspect it may not be.
Complexity of encryptions
Initially we wanted to study the complexity of homomorphic encryption… but we ended up with a new scheme. Our scheme was inspired by the ABW [Applebaum, Barak, Wigderson] cryptosystem.
Complexity of encryptions
In forthcoming work we show that homomorphic evaluation cannot be done in constant depth, under some (reasonable) restrictions. In contrast, in the ABW cryptosystem all operations can be done in constant depth.