fully homomorphic encryption
DESCRIPTION
FULLY HOMOMORPHIC ENCRYPTION. from the Integers. Vinod Vaikuntanathan. IBM T. J. Watson. Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM). Client. Server/Cloud. (Input: x). (Program: P). Public-key Encryption. =. - PowerPoint PPT PresentationTRANSCRIPT
FULLY HOMOMORPHIC ENCRYPTION
IBM T. J. Watson
Vinod Vaikuntanathan
from the Integers
Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM)
= Modern Application: Computing on Encrypted Data
Public-key Encryption
Client Server/Cloud
(Input: x) (Program: P)
Enc(P(x))
Enc(x)
= Modern Application: Computing on Encrypted Data
Public-key Encryption
Client Server/Cloud
(Input: x) (Program: P)
Enc(P(x))
Enc(x)
Fully HomomorphicEncryption (FHE) =
=Definition: (KeyGen, Enc, Dec)
Fully HomomorphicEncryption (FHE) =
(as in regular public-key encryption)Eval(c,F) = c’
– If c = Enc(x), then Dec(c’) = F(x)
Definition: (KeyGen, Enc, Dec, Eval)
ANDXOR
AND
= Fully HomomorphicEncryption (FHE) =
Two Important Properties
Definition: (KeyGen, Enc, Dec, Eval)
Compactness: Length of c’ is independent of the size of F
Circuit/Function Privacy: c’ does not reveal “any more information about F than the output F(x)”
Theorem [GHV’10]: “Circuit privacy comes for free”.Any (compact) FHE → (Compact) circuit-private FHE
FHE = Compact FHE
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– their motivation: searching encrypted data
– BGN’05 & GHV’10: quadratic formulas
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
► Limited Variants:
– GM & Paillier: additively homomorphic
– RSA & El Gamal: multiplicatively homomorphic
– their motivation: searching encrypted data
c1 = m1e c2 = m2
e cn = mne
Xc* = c1c2…cn = (m1m2…mn)e mod N
► NON-COMPACT homomorphic encryption:
– SYY’99 & MGH’08: c* grows exp. with degree/depth
– IP’07 works for branching programs
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– using just integer addition and multiplication
– their motivation: searching encrypted data
► Is there an elementary Construction of FHE?
Big Breakthrough: [Gentry09]
First Construction of Fully Homomorphic Encryption
using algebraic number theory & “ideal lattices”
– easier to understand, implement and improve
Our Result
Theorem [DGHV’10]: There exists a fully homomorphic public-key encryption scheme
– which uses only add and mult over the integers,
– which is secure based on the approximate GCD problem & the sparse subset sum problem.
Construction
A Roadmap
1. Secret-key “Somewhat” Homomorphic Encryption
2. Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
(fairly generic transformation)
(borrows from Gentry’s techniques)
Secret-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Encrypt a bit b:
– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– Ciphertext c = q·p+2·r+b
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
(q ~ n5 bits)
(r ~ n bits)
“noise”
(sec. param = n)
Secret-key Homomorphic Encryption
How to Add and Multiply Encrypted Bits:
– Add/Mult two near-multiples of p gives a near-multiple of p.
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p
LSB = b1 XOR b2
LSB = b1 AND b2
Problems
Ciphertext grows with each operation
Noise grows with each operation
Useless for many applications (cloud computing, searching encrypted e-mail)
– Consider c = qp+2r+b ← Enc(b)
(q-1)p qp (q+1)p (q+2)p
2r+b
– c (mod p) = r’ ≠ 2r+b
r’– lsb(r’) ≠ b
Problems
Ciphertext grows with each operation
Noise grows with each operation
Useless for many applications (cloud computing, searching encrypted e-mail)
Can perform “limited” number of hom. operations
What we have: “Somewhat Homomorphic” Encryption
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
– t+1 “near-multiples” of p, with even noise
– W.l.o.g., x0 = q0p+2r0 is the largest
Δ
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
c = p[ ] + 2[ ] + b (mod x0) Si
iq
Siirrc = p[ ] + 2[ ] + b – kx0 (for a small k)
Siiq
Siirr
= p[ ] + 2[ ] + b 0kqqSi
i
0krrrSii
(mult. of p) + (“small” even noise) + b
c = + b (mod x0)rxSi
i 2
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval: Reduce mod x0 after each operation
To Encrypt a bit b: pick random subset S [1…t]
Ciphertext Size Reduction
– Resulting ciphertext < x0
– Underlying bit is the same (since x0 has even noise)
– Noise does not increase by much(*)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)Δ
(*) additional tricks for mult
A Roadmap
Secret-key “Somewhat” Homomorphic Encryption
Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
How “Somewhat” Homomorphic is this?
Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if:
f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt
Final Noise ~ (2n)d+…+(2n)d = m•(2n)d
Say, noise in Enc(xi) < 2n
2/22/22nnd pm or nd ~
“Somewhat” HE“Bootstrappable”
From “Somewhat” to “Fully”
FHE = Can eval all fns.
Theorem [Gentry’09]: Convert “bootstrappable” → FHE.
Augmented Decryption ckt.
Dec Dec
NAND
c1 sk skc2
Is our Scheme “Bootstrappable”?
What functions can the scheme EVAL?
Complexity of the (aug.) Decryption Circuit
(?)
Can be made bootstrappable– Similar to Gentry’09
Caveat: Assume Hardness of “Sparse Subset Sum”
(polynomials of degree < n)
(degree ~ n2 polynomial)
Security(of the “somewhat” homomorphic scheme)
The Approximate GCD Assumption
q1p+r1
p?
p
q1 ← [0…Q]r1 ← [-R…R]
odd p ← [0…P]
(q1p+r1,…, qtp+rt)
Assumption: no PPT adversary can guess the number p
Parameters of the Problem: Three numbers P,Q and R
(coined by Howgrave-Graham)
p?
p
Assumption: no PPT adversary can guess the number p
Semantic Security [GM’82]: no PPT adversary can guess the bit b
PK =(q0p+2r0,{qip+ri})
Enc(b) =(qp+2r+b)
=(proof of security)
(q1p+r1,…, qtp+rt)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
A
PK, Enc(b)
b
Encryption breaker
(w.p. 1/2+ε)
p
– PK = {qip+2ri},
– Enc(b) = qp+r, where lsb(r)=b
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
Alsb(r)
Encryption breaker
(w.p. 1/2+ε)
p
Technical Details:– Random noise vs. even noise
{qip+ri}pc=qp+r
– Distribution of ciphertext: qp+r vs. c = + b (mod x0)rxSi
i 2
(statistically close distributions by Leftover Hash Lemma)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
Alsb(r)
Encryption breaker
p
Success Amplification– Boost from 1/2+ε to 1-1/poly(n)
{qip+ri}pc=qp+r
(w.p. 1/2+ε)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
Alsb(r)
Encryption breaker
p
Computing lsb(q) and lsb(r) are equivalent
{qip+ri}pc=qp+r
– lsb(q) = lsb(r) lsb(c), since p is odd
lsb(q)
A “Taste” of the Security Proof
Adv
B
{qip+ri}
p
Approx GCD solver
Adv
A
Encryption breaker
p
Computing q and p are equivalent
{qip+ri}pc=qp+r
–
lsb(q)
c=qp+r
q
cp
q
A “Taste” of the Security Proof
Adv
B
{qip+ri}
Approx GCD solver
Adv
A
Encryption breaker
p
The Idea: Use lsb(q) to make q successively smaller
{qip+ri}pc=qp+r
lsb(q)
c=qp+r
q
– If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2])– If lsb(q) = 1, c ← [(c-p)/2]
(new-c =
(q-1)/2*p+[r/2])
A “Taste” of the Security Proof
Adv
B
{qip+ri}
Approx GCD solver
Adv
A
Encryption breaker
p
The Idea: Use lsb(q) to make q successively smaller
{qip+ri}pc=qp+r
lsb(q)
c=qp+r
q
A New Trick: inspired by the binary GCD algorithm
A “Taste” of the Security Proof
Given two near-multiples z1=q1p+r1 and z2=q2p+r2
– Get bi := lsb(qi); if z1<z2 swap them
– If b1=b2=1, set z1←z1-z2 and b1=b1-b2 (mod 2)
(At least one of the bi’s must be zero now!)
– For any bi=0, set zi←[zi/2]
(The new qi is half the old qi!)
– Repeat until one zi is zero, and let z* be the other
At the end, z*= gcd(q1,q2)·p+r* = 1·p+r*
Bin
ary
-GC
D
(for random q1 and q2, gcd(q1,q2)=1 with constant prob.) Run Binary-gcd(z*,zi); the intermediate bits spell out the qi
– Lagarias’ algorithm
Studied by [Lag82,Cop97,HG01,NS01](equivalent to “simultaneous Diophantine approximation”)
Lattice-based Attacks
– Coppersmith’s algo. for finding small polynomial roots
– Nguyen/Stern and Regev’s orthogonal lattice method
All run out of steam when log Q > (log P)2
(our setting of parameters: log Q = n5, log P = n2)
How Hard is Approximate GCD?
Caveat: In Crypto, we need average-case hardness
Algorithms for Approx GCD: A Template
B =
R x1 x2 … xt
-x0
-x0
… -x0
b1
b2
b3
bt+1
(follows Lagarias’82)
Create a Lattice basis
– Rows of B span a (t+1)-dimensional lattice 1)( tZBL
Algorithms for Approx GCD: A Template
R x1 x2 … xt
-x0
-x0
… -x0
(follows Lagarias’82)
Create a Lattice basis
– Length of the basis vectors ~ QP (or more)
– (q0,q1,…,qt) • B is a short lattice vector
1st entry = q0R < QR
ith entry (i>1) = q0(qip+ri) – qi(q0p+r0) = q0ri – qir0
< QR (in abs. value)
Algorithms for Approx GCD: A Template
R x1 x2 … xt
-x0
-x0
… -x0
(follows Lagarias’82)
Create a Lattice basis
– Length of the basis vectors ~ QP (or more)
– ||(q0,q1,…,qt) • B||2 < QR t
Try to find this short vector using (say) LLL
When will this Algorithm Succeed?
Need t to be large (> log Q/log P) – If t is small, then (q0,q1,…,qt) is not the shortest vector
– Need [(QPt)R]1/t+1 > QR, or t > log Q/log P
If t is large, LLL (&co.) perform badly
– Minkowski: lattice vector shorter than 1/1)det( tBt
(exponentially many vectors shorter than ) 1/1)det()( tBtpoly
Set log Q = ω(log2 P). Then, t = ω(log P)
– Only finds vectors of size 2O(t)•det(B)1/t+1 >> QR
– Contemporary lattice reduction is not strong enough
R x1 x2 … xt
-x0
-x0
…
-x0
Future Directions
Efficient fully homomorphic encryption
(Currently: n8 factor blow-up in running time)(Currently: 1000000000000000000000000 factorblowup)
Efficiency for special-purpose tasks
Questions?
[1] “Fully Homomorphic Encryption from the Integers”,http://eprint.iacr.org/2009/616, To Appear in Eurocrypt 2010.
Parameter Regimes
tlogQ/logP
size
(lo
g s
cale
)
the solution weare seeking
auxiliary solutions(Minkowski’s bound)converges to ~ logQ+logP
What LLL can findmin(blue,purple)+t
blue lineremains abovepurple line
log Q