fully homomorphic encryption_2

8/13/2019 Fully Homomorphic Encryption_2

1/80

FULLY HOMOMORPHIC ENCRYPTION:

CURRENT STATE OF THE ART

Africacrypt 2012

Craig Gentry, IBM Research


2/80

Homomorphic Encryption

I want 1) the cloud to process my data2) even though it is encrypted.

RunEval[ f, Enck(x) ]

= Enck[f(x)]

The special sauce! For securityparameter k, Evals runningshould be Time(f)poly(k)

Alice

Server(Cloud)

(Input: data x, key k)

Enck[f(x)]

Enck(x)

function f

f(x)

This could beencrypted too.

Delegation: Should cost less forAlice to encrypt x and decrypt f(x)

than to compute f(x) herself.


3/80


()()


4/80


()

()


5/80

Fully Homomorphic Encryption:

Current State of the Art

The Good: We have FHE with low asymptotic overhead For security parameter k (i.e., best attack takes time 2k),

Time(Eval(f))/Time(f) = polylog(k). Only polylog overhead!

The Bad: FHE is still very slow in practice.

The Ugly:

We implemented the best current SWHE scheme. For f = the AES block cipher, Time(Eval(f)) 1 day. Time(Eval(f)) 37 minutes amortized (for multiple AES blocks).

Compare: Yao garbled circuit for AES evaluated in < 1 second.

Our implementation of the best asymptotic FHE scheme is ongoing


6/80

Overview of This Talk Current state of the art:

Background on somewhat homomorphic encryption (SWHE)Managing the noise inside ciphertexts

Packin man laintexts into each ci hertext

Homomorphic evaluation of the AES function with SWHE

Using bootstrapping to evaluate AES with FHE, and whywe think it may speed up the evaluation of AES

Next steps


7/80

with an overview of a couple of SWHE schemesSomewhat Homomorphic Encryption


8/80

Performance

For many simple functions, the overhead of SWHE is muchless than overhead of FHE. Time(Eval(f))/Time(f) is small in practice for simple f.

Why Do We Care about Somewhat HE?

Rule of Thumb: If your function f can be expressed as a low-degree polynomial, SWHE might be sufficient.

Stepping-stone to FHEMost FHE schemes are built on top of a SWHE scheme with

special properties.


9/80

How To Construct a SWHE Scheme?

Most Natural ApproachCiphertexts live in a ring.ADDing ciphertexts implicitly ADDs underlying plaintexts.

Any function that youwant to evaluate canbe expressed as a

sequence of ADDsand MULTs.

Examples of rings: integers Z, polynomials Z[x,y,],

Unnatural homomorphic encryption schemes: RSA and Elgamal: Multiplying ciphertextsdoes multiply the

plaintexts, but this is not true for addition.

Paillier: Multiplying ciphertexts implicitly adds the plaintexts.

.ADD and MULT are acomplete set of

operations.


10/80

Polly Cracker: An Early Attempt at SWHE

[Fellows-Koblitz 93]

Main IdeaEncryptions of 0 evaluate to 0 at the secret key.

:1, ,

n

q.

Public key: Polynomials {ai(x1,,xn)} s.t. ai(s)=0 mod q.

Encrypt: From {ai}, generate a random polynomial b(x)such that b(s) = 0 mod q. For m in {0,1}, ciphertext is:

c(x) = m + b(x) mod q.

Decrypt: Evaluate ciphertext at secret: c(s)=m mod q.

ADD and MULT: Output sum or product of ciphertexts.


11/80

An Attack:

Collect lots of encryptions {ci} of 0. If the challenge ciphertext also encrypts 0, it will likely be in

linear span of the given encryptions of 0.

Polly Cracker Cryptanalysis [see AFFP11]

Use Gaussian elimination (linear algebra).


12/80

NoisyPolly Cracker: A Framework for

Most Current SWHE Schemes

Main Idea

Encryptions of 0 evaluate to something small and even(smeven) at the secret key.

: 1, , n q . , .Public key: Polynomials {ai(x1,,xn)} s.t. ai(s)=2ei mod q, |ei| q.

Encrypt: From {ai}, generate a random polynomial b(x) such thatb(s) = smeven mod q. For m in {0,1}, ciphertext is:

c(x) = m + b(x) mod q. Decrypt: Evaluate ciphertext at secret: c(s)=m+smeven mod q.

Then, reduce mod 2 to get m.



13/80

NoisyPolly Cracker: A Framework for

Most Current SWHE Schemes

Main Idea

Encryptions of 0 evaluate to something small and even(smeven) at the secret key.

: 1, , n q . , .Public key: Polynomials {ai(x1,,xn)} s.t. ai(s)=2ei mod q, |ei| q.

Encrypt: From {ai}, generate a random polynomial b(x) such thatb(s) = smeven mod q. For m in {0,1}, ciphertext is:

c(x) = m + b(x) mod q. Decrypt: Evaluate ciphertext at secret: c(s)=m+smeven mod q.

Then, reduce mod 2 to get m.


We call [c(s) mod q] thenoise of the ciphertext.ADDs and MULTs

make the noisegrow.


14/80

Each ciphertext has some noise that hides the message.

Noisy Ciphertexts

If error is small, Alice can use knowledge of hiddencode to remove the noise.

If noise is large, decryption becomes hopeless even for

Alice.


15/80

Ke Gen: Secret ke = lar e odd inte er n.

SWHE with Integers [vDGHV10]Main Idea

Encryptions of 0 are something small and even(smeven) modulo a secret integer.

Public key: Large integers {a1,,at} such that [ai mod n] = 2ei,where |ei| n. (ais are encryptions of 0.)

Encrypt: From {ai}, generate random b with b = smeven mod n.(Roughly, b = random-subset-sum{ai}.) For message m in {0,1}, set

c = m + b.

Decrypt: Evaluate ciphertext at secret: Compute[c mod n] = m+smeven. Then, reduce mod 2 to get m.



16/80


17/80

Encrypting More than Bits So far, our plaintext space is {0,1}: we encrypt bits.

Can we have a bigger plaintext space? Say, m {0, , 14}: a mod-15 plaintext space?


18/80


SWHE with Integers (Mod-2)Main Idea


Public key: Large integers {a1,,at} such that [ai mod n]= 2ei,where |ei| n. (ais are encryptions of 0.)


c = m + b.

Decrypt: Evaluate ciphertext at secret: Compute[c mod n] = m+smeven. Then, reduce mod 2 to get m.



19/80

Ke Gen: Secret ke = lar e inte er n with cd n 15 =1.

SWHE with Integers (Mod-15)Main Idea


Divisible by 15.smifteen

Public key: Large integers {a1,,at} such that [ai mod n]= 15ei,where |ei| n. (ais are encryptions of 0.)

Encrypt: From {ai}, generate random b with b = smifteen mod n.(Roughly, b=random-subset-sum{ai}.) For message m in {0,,14}, set

c = m + b.

Decrypt: Evaluate ciphertext at secret: Compute[c mod n] = m+smifteen. Then, reduce mod 15 to get m.



20/80

A More Complicated SWHE Scheme Sadly, we proceed to a more complicated SWHE

scheme

Instead of Z (the integers), we will use a more

complicated ring: the polynomial ring R = Z[x]/N(x)

Why?

Smaller parameters (better efficiency). Pack many plaintexts into each ciphertext.


21/80


22/80

SWHE over Cyclotomic Rings

[Brakerski-Vaikuntanathan 11]Main Idea

Encryptions of 0 have a small and even (smeven)dot product with the secret key.

KeyGen: Secret = some point s Rq = Zq[x]/N(x). gcd(q,2)=1.d m is an R-element with

Public key: Linearpolys ai(y) = ai0+ai1y R[y] s.t. ai(s)=2ei mod q,where ei is an element of R with small coefficients: |ei| q.

Encrypt: From {ai}, generate a random linear polynomial b(y) suchthat b(s) = smeven mod q (via subset sum). For m in R2, ciphertext is:

c(y) = m + b(y) mod q (a linear polynomial). Decrypt: Evaluate ciphertext at secret key:

c(y) = c0+c1s = m+smeven mod q. Reduce mod 2.

ADD and MULT: Output sum or product of ciphertexts. Relinearize.

coefficients in {0,1}.m is (N) bits, big!!!


23/80

Security of SWHE over Cyclotomic Rings The Ring Learning-with-Errors (RLWE) Problem

Let B q. Choose s randomly from Rq. Given many(linear) polynomials ai(y) = ai0+ai1y R[y] such that

ai(s) = ei (an Rq-element whose coefficients are smaller than B)

output s.

How hard is the RLWE Problem? [LPR10]: As hard as solving the (q/B)-approximate

shortest vector problem (SVP) on ideal lattices in R. As q/B increases, RLWE becomes easier (unless n grows). For B ~ poly(k), best known attacks for require 2k time when

n (the ring dimension) ~ k log(q/B).


24/80


25/80

Managing Ciphertext Noise


26/80

Our fantasy:

Noise doesnt grow exponentially with degree. There is some simple trick to reduce noise after MULTs.

We get better noise management, hence shorter ciphertexts

Better Noise Management?

and SWHE for bounded depth.


27/80

Crazy Idea [BV11b, BGV12]:

Suppose c encrypts m that is, m = [[c(s)]q]2. Lets pick p


28/80

To evaluate a circuit of depth L

Start with a large modulus qL and noise of size qL. After first MULT, noise grows to size 2. Switch the modulus to qL-1 qL/.

2

How Does Modulus Switching Help? [BGV12]

.

After next MULT, noise again grows to2. Switch to qL-2 qL-1/ to reduce the noise to.

Keep switching moduli after each layer.

Setting qi-1 qi/. (Ladder of decreasing moduli.) Until the last modulus just barely satisfies q0 > .


29/80

Example: q8 9 with/without modulus reduction.

Noise Modulus

Fresh ciphertexts q8 = 9

- = = 8


With Without

7/13/2012

,

Level-2, Degree=4 q6 = 7






Level-8, Degree=256 q0 =


30/80

Noise Modulus Noise Modulus

Fresh ciphertexts q8 = 9 q8 =

9

- = = 8 2 = 9


With Without

Example: q8 9 with/without modulus reduction.

7/13/2012

,

Level-2, Degree=4 q6 = 7 4 q8 = 9

Level-3, Degree=8 q5 = 6 8 q8 =

9

Level-4, Degree=16 q4 = 5 16 q8 =

9

Level-5, Degree=32 q3 = 4 32





31/80

Where Are We? (The Good News) We have efficient SWHE for circuits of polynomially

bounded depth. To evaluate circuit of depth L: Largest modulus is qL q0

L L.

Largest ciphertext is O(kpoly(L)) bits for security param k. Efficient in the sense of being polynomial size.


32/80


33/80

Packing Plaintexts into Ciphertexts


34/80

Weird Plaintext Spaces SWHE with integers, using a mod-15 message space Recall: c is decrypted as [c mod n] mod 15.

Message space is Z15 Z15 = Z3 Z5. Chinese Remainder Theorem (CRT).

From one big plaintext space we get 2 independent smallplaintext spaces. We call them 2 plaintext slots.

Suppose two ciphertexts c and c have (r3,r5) and (r3,r5)in their respective mod-3 and mod-5 plaintext slots cADD = ADD(c,c) has (r3+r3, r5+r5) in its slots. cMULT = MULT(c,c) has (r3r3, r5r5) in its slots. Homomorphic ops act component-wise, in parallel, on slots.


35/80

Our Weird Cyclotomic Plaintext Space

SWHE based on RLWE [BV11,BGV12]

Plaintext space is R2 = Z2[x]/N(x). m(x) is a polynomial in R = Z[x]/N(x), with coefficients in {0,1}.

m has n bits, where n is the degree of N(x).

Ciphertext c(y) = c0+c1y decrypted as (c(s) mod q) mod 2.

Can we get many plaintext slots out of R2?

Sure


36/80

Our Weird Cyclotomic Plaintext Space

Via CRT R decom oses into about N lo N laintext slots of

Main Point

The plaintext space R2 = Z2[x]/N(x) has amazingproperties! Much better than a mod-15 plaintext space!

about log(N) bits apiece (for well-chosen N). ADD and MULT work in parallel across the slots.

Via ring automorphisms, encrypted data can be movedbetween slots. We have ADD, MULT, and PERMUTE.

Can evaluate boolean circuits with ciphertexts packed. Reduces overhead.


37/80

SIMD (Single Instruction Multiple

Data): Working on Data Arrays

Array of length n

8 2 0 9 3 8 0 1 4 4

2 1 9 5 0 7 3 6 1 2

n-ADD

10 3 9 14 3 15 3 7 5 6


38/80



Array of length n

16 2 0 45 0 56 0 6 4 8

8 2 0 9 3 8 0 1 4 4

2 1 9 5 0 7 3 6 1 2

n-MULT

S M (S l M l l


39/80



2 1 9 5 0 7 3 6 1 2

Function F

Array of length n

3 6 3 3 4 1 7 8 8 5

% % % % % % % % % %

Great for computing same function F on ndifferent input strings.

We can do SIMD homomorphically.

8 2 0 9 3 8 0 1 4 4


40/80

PERMUTE

Array of length n

25 7 2 19 35 5 16 13 25 3 51

7 5 3 25 13 51 16 2 19 25 35

n-PERMUTE()

With n-ADD, n-MULT, and n-PERMUTE, we can evaluatearbitrary circuits without unpacking ciphertexts.


41/80

A Taste of Cyclotomic Rings Choose N so that N(x) factors mod 2 into t factors.

N

(x) = fi

(x) mod 2. Degrees of f1

, , ft

are d=(N)/t.

Chinese Remainder Theorem (CRT) polynomial version Z2[x]/N(x) = Z2[x]/f1(x) Z2[x]/ft(x)

If ciphertexts c and c have (r1(x),,rt(x)) and (r1(x),,rt(x)) intheir respective plaintext slots cADD = ADD(c,c) has (r1(x)+r1(x), , rt(x)+rt(x)).

cMULT = MULT(c,c) has (r1(x)r1(x) mod f1(x), , rt(x)rt(x) mod ft(x)). Homomorphic ops act component-wise, in parallel, on slots.


42/80

A Taste of Cyclotomic Rings II

Ring automorphisms m(x) + 2e(x) = c0(x) + c1(x)s(x) mod (q,x

N-1) m(xk) + 2e(xk) = c0(xk) + c1(xk)s(xk) mod (q,xkN-1) m(xk) + 2e(xk) = c0(x

k) + c1(xk)s(xk) mod (q,xN-1).

That is, we get ciphertext (c0(xk), c1(x

k)) encrypts m(xk) under key s(xk), for free

se ey-sw tc ng to return to ey s x .

How is the new message m(xk) related to the original message m(x)? Suppose k is a power of 2

m(x)2i= m(x2

i) mod 2. (Frobenius automorphism)

We can exponentiate, in parallel, the plaintext slots by a power of 2 for free. For certain other values of k

Map (xxk): m(1k), , m(t

k) is a permutation of m(1), , m(t). We can rotate the slots.

More tricks are needed for general permutations of the slots.


43/80

What Is Our Overhead Now?

A ciphertext is still O(kpoly(L)) bits

Recall: k is the security parameter, and L is the numberof levels in the circuit we are evaluating

But ciphertext is packed with about k/log(k) slots

The overhead is now only polylog(k)poly(L)


44/80

Homomorphic Evaluation of AES


45/80

AES (Advanced Encryption Standard)

AES-128 block cipher: 10 applications of a round function.

The round function operates on a 44 matrix of bytes,where each byte may be viewed as an element of F28.

-

AddKey: XOR current state with 16 byte key. SubBytes: First, an inversion in F28.

Next, a fixed F2-linear map on the bits of the element. ShiftRows: rotates the bytes within each row.

MixColumns: a linear mixing operation within each column.

The only non-linearstep in AES.


46/80

Our Plaintext Space for AES

We make our plaintext slots are isomorphic to F28.

More accurately, to F2d where 8 divides d, and d is thedegree of the polynomials fi(x) that divide N(x).

Each slot holds a byte of the AES state.


47/80


48/80

Parameter Sizes

Ladder of odd moduli q0 < q1 < < qL.

For AES, L=60 Example qi = q0

i+1, where q0 = poly(k).

For security, ring dimension N k log(qL/B) = O(kL)

Ciphertext size = O(N log q) bits (k L2) bits.


49/80

Parameter Sizes

L (levels) N n = (N) (slot size,

#slots)

log(qL)

10 11441 10752 (48,224) 177

20 34323 21504 (48,448) 368

,

40 54485 40960 (64,640) 76250 59527 51840 (72,720) 962

60 68561 62208 (72,864) 1163

70 82603 75264 (56,1344) 1366

80 92837 84672 (56,1512) 1570

For L=60, ciphertext size is about

2n log q = 2622081163 14 million bits.


50/80

Running Times

Run a one-core machine with lots of RAM (256GB)

Number of Levels Needed 60

Key Generation 43 minutes

Encrypt AES State 2 minutes

Encrypt AES Key Schedule 23 minutesEvaluate AES Round 1 7 hours

Evaluate AES Round 9 2 hours

Evaluate AES Round 10 28 minutes

Evaluate AES total 34 hours

Number of SIMD Blocks 54

Time Per Block 37 minutes


51/80


52/80

Bootstrapping: Whats the Motivation?

So far, the overhead grows polynomially with L.

For example, ciphertext size grows with L2

.

Want overhead to be independent on L.

To only depend on the security parameter k.

Achievable!

We can make the overhead polylog(k) asymptotically. But the overhead is still very large in practice.


53/80

Bootstrapping: What Is It?

F(x1, x2 ,, xt)

x1

x2

xt

F

So far, we can evaluate bounded depth funcs F:

c

We have a noisy evaluated ciphertext c. We want to get a less noisy c that encrypts the same

value, but with less noise.

Bootstrapping refreshes ciphertexts, using theencrypted secret key.


54/80

For ciphertext c, consider Dc(sk) = Decryptsk(c) Suppose Dc() is a low-depth polynomial in sk.

Include in the public key also Encpk(sk).

Bootstrapping: What Is It?

yc

Dcsk1

sk2

skn

Dc(sk) = Decryptsk(c) = yc

sk1

sk2

skn


55/80

Set L > 1+depth needed to evaluate DC.

Decryption depth is only logarithmic in security parameter. We now have pure FHE.

Bootstrapping in [BGV12]

level down.

A l i B i AES


56/80

Applying Bootstrapping to AES

For AES, L=60 (very large)

We think we can evaluate the decryption functionusing fewer levels e.g., 10

every 1 or 2 rounds of AES evaluation.


57/80

Summary

S


58/80

Summary

In 3 years, we have collected a big bag of tricks SWHE schemes that allow ADD and MULT Tricks to prevent ciphertext noisiness from growing too fast Embedding many plaintext slots into each ciphertext And ways of moving data around within the slots

And our last (best?) resort: bootstrapping

We can evaluate AES homomorphically in time that isonly moderatedly ridiculous.

For simpler functions, SWHE may actually be practical.


59/80

Next Steps

SWHE for Simple F nctions


60/80

Can SWHE Be Practical? [LNV11] Implementation of [BV11a] SWHE scheme, limited to

evaluation of functions with very low degree e.g., 2. For ring dimension 2048, Mult takes 43 msec.

SWHE for Simple Functions

They use Intel Core 2 Duo Processor at 2.1 GHz. Shows lattice-based SWHE can compute quadratic functions

more efficiently than [BGN05] (pairing-based)

Another possibility: tailoring the SWHE scheme for the

particular function being evaluated We did this for AES to a small extent.

Open Problem A Fast Refresh Procedure


61/80

Open Problem: A Fast Refresh Procedure

Bootstrapping is one way to reduce ciphertext noise

Unlike modulus reduction, it can be used repeatedly

Can we find a better reusable noise-reduction trick?

There is no (known) inherent reason why noise-reductionmust involve homomorphic evaluation of the decryptionfunction.

Thank You! Questions?


62/80

Thank You! Questions?



63/80


()

()

Building FHE from SWHE [Gen09]:Requires a bootstrappingCurrently requires a

computationally expensive step called

bootstrapping or recryption.



64/80


()

()

[Gen09]: First FHE scheme. Overhead of FHE: Time(Eval(f))/Time(f) = poly(k)

k is the security parameter (best attack takes time 2k).

SWHE with Integers [vDGHV10]


65/80


SWHE with Integers [vDGHV10]

Main Idea


Divisible by 15.

smifteen

Public key: Large integers {a

1,,a

t} such that [a

imod n]= 2e

i,

where |ei| n. (ais are encryptions of 0.)


c = m + b. Decrypt: Evaluate ciphertext at secret: Compute

[c mod n] = m+smeven. Then, reduce mod 2 to get m.



66/80

Relinearizing and Key Switching


67/80

Relinearizing and Key Switching

Normal ciphertext is a linear polynomial c(y) = c0+c1y.

MULT outputs a quadratic ciphertext MULT(c(y),c(y)) c(y). c(y) = (c0+c1y)(c0+c1y) = c1c1y

2 + Decryption works: m = mm= (c(s) mod q) mod 2

.

Relinearize: Evaluator can use aux to transform c(y) to a linear ciphertext c(y) that

encrypts m under s. Augment public key with certain auxiliary material aux.

Key Switching More generally, augment pk with aux(s1,s2) for keys s1 and s2. Evaluator can transform ciphertext c(y) under s1 to c(y) under s2. Like proxy re-encryption.

Security of LWE-Based SWHE


68/80

Security of LWE Based SWHE

Reduction: If learning with errors (LWE) problem is hard, then the

scheme is semantically secure

Given many linear polys fi(x) with [fi(s)]q = ei (small),output s = (s1, , sn).

Example params: n ~ k log q, ei ~ poly(n), where k is thesecurity parameter Best known attacks for these params (lattices) require 2k time But relinearization step is expensive!: (n3).

Basic PERMUTEs (Rotations)


69/80

Basic PERMUTEs (Rotations)

Array of length n

i i+1 i+2 i+3 i+4 i+5 i+6 i+7 i-2 i-1

0 1 2 3 4 5 6 7 n-2 n-1

n-ROTATE(i)

n-PERMUTE: How do we do it?


70/80

The Basic Permutations (b(y) = a(yi)): Ring automorphism a(y) a(yi) give us basic permutations

like rotations Rotations: n-ROTATE(i), which rotates the n plaintext slots i stepsclockwise, like a dial.

Benes network

n PERMUTE: How do we do it?

A Benes network consists of 2 conjoined butterfly networks Use a Benes network to allow evaluate complicatedpermutations from the basic ones.


71/80

n-PERMUTE() from n-ADD, n-MULT, and


72/80

n-ROTATE(i). (Sketch) 8-SWAP(2,0110)

1 2 3 4 5 6 7 8 Actual Swaps

-

1 23 4 5 6 7 8 8-ROTATE(-2)



73/80


1 2 3 4 5 6 7 8 Actual Swaps

1 23 4 5 6 7 8

-

8-ROTATE(-2)



74/80


1 2 3 4 5 6 7 81 0 1 0 0 1 0 1

n-MULT

1 23 4 5 6 7 8



75/80


1 0 3 0 0 6 0 8

1 23 4 5 6 7 8



76/80


1 0 3 0 0 6 0 80 0 0 1 0 0 1 0

n-MULT

1 23 4 5 6 7 8



77/80


1 0 3 0 0 6 0 8

1 23 4 5 6 7 8



78/80


1 0 3 0 0 6 0 8

1 23 4 5 6 7 80 1 0 0 1 0 0 0 n-MULT


79/80



80/80


1 0 3 0 0 6 0 8

0 00 4 0 0 7 0

5 81 4 3 2 7 6

fully homomorphic encryption_2

Documents