Post on 16-Dec-2015
New Developments in Fully Homomorphic Encryption
Vinod Vaikuntanathan, University of Toronto
Penn State Summer School on Cryptography
Outsourcing Computation
Weak Client ←→ Powerful Server (“Cloud”)
The client sends its input x to the cloud; the cloud applies the function f and returns f(x).
It’s everywhere! Examples:
– search: x = search query, f = Google, f(x) = search results
– medical: x = medical records, f = analysis, f(x) = risk factors
Two Problems:
Privacy: Cloud should not learn anything about x
Verifiability: Cloud cannot cheat (i.e., return incorrect answer without being detected)
Outsourcing Computation – Privately
The client sends Enc(x) instead of x; the cloud knows nothing of x.
Eval: (f, Enc(x)) → Enc(f(x))   [homomorphic evaluation]

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]
(more generally) Eval: (f, Enc(x1), …, Enc(xn)) → Enc(f(x1, …, xn))
Keys: sk, pk, evk. The client keeps sk (and evk); the cloud is given evk and c = Enc_sk(x), computes y = Eval_evk(f, c), and the client recovers Dec_sk(y) = f(x). The cloud knows nothing of x.
Correctness: Dec_sk(y) = f(x)
Privacy (semantic security [GM82]): (evk, Enc(x)) ≈ (evk, Enc(0))
Compactness: |y| = poly(|f(x)|, n)
Most of this talk: secret key homomorphic schemes
FHE 101: Add & Mult Are Universal
Arithmetic circuits (+, ×) over GF(2) = Boolean circuits (XOR, AND) = a universal set.
Example: f(x1, x2, x3) = (x1 + x2)·x3, evaluated gate by gate on ciphertexts:
  Enc(x1), Enc(x2) → Enc(x1 + x2);  Enc(x1 + x2), Enc(x3) → Enc((x1 + x2)·x3)
If we had:
• Eval(+, Enc(x1), Enc(x2)) → Enc(x1 + x2)
• Eval(×, Enc(x1), Enc(x2)) → Enc(x1·x2)
then we are done.
Early History (1978-2009)
Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]
Goldwasser-Micali’82:
– Public key: N, y: non-square mod N
– Enc(0): r^2 mod N, Enc(1): y · r^2 mod N
– Secret key: factorization of N
– (Additively) homomorphic over Z2
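The Goldwasser-Micali scheme just described, worked through in Python as an added example (not code from the talk): a toy modulus N = 11·13, a pseudosquare y found by checking the Legendre symbol modulo both prime factors (the secret key), encryption as r^2 or y·r^2, decryption by the Legendre symbol modulo one prime, and the additive (XOR) homomorphism obtained by multiplying ciphertexts. The primes, the seed and the function names are constructed for this example; real parameters need large primes.

```python
import math
import random

# Constructed toy parameters: tiny primes, for visibility only. A real
# Goldwasser-Micali modulus is a product of two large primes.
P, Q_PRIME = 11, 13
N = P * Q_PRIME
rng = random.Random(82)


def legendre(x, p):
    """Legendre symbol (x/p) for an odd prime p:
    1 for a non-zero square, -1 for a non-square, 0 if p divides x."""
    x %= p
    if x == 0:
        return 0
    return 1 if pow(x, (p - 1) // 2, p) == 1 else -1


def find_pseudosquare(p, q):
    """y with Jacobi symbol (y/N) = +1 that is a non-square mod both p and q:
    a 'non-square mod N' that cannot be told apart from a square without the factors."""
    for y in range(2, p * q):
        if legendre(y, p) == -1 and legendre(y, q) == -1:
            return y
    raise ValueError("no pseudosquare found")


Y = find_pseudosquare(P, Q_PRIME)   # public key: (N, Y); secret key: (P, Q_PRIME)


def encrypt(bit):
    """Enc(0) = r^2 mod N, Enc(1) = y * r^2 mod N, for random r coprime to N."""
    r = rng.randrange(1, N)
    while math.gcd(r, N) != 1:
        r = rng.randrange(1, N)
    square = pow(r, 2, N)
    return (Y * square) % N if bit else square


def decrypt(c):
    """With the factorisation, test squareness mod P: squares decrypt to 0."""
    return 0 if legendre(c, P) == 1 else 1


def homomorphic_xor(c1, c2):
    """Ciphertext product XORs the plaintexts:
    (y^m1 r1^2)(y^m2 r2^2) = y^(m1+m2) (r1 r2)^2, and y^2 is itself a square."""
    return (c1 * c2) % N


def xor_via_ciphertexts(m1, m2):
    """Encrypt two bits, multiply the ciphertexts, decrypt: equals m1 XOR m2."""
    return decrypt(homomorphic_xor(encrypt(m1), encrypt(m2)))
```

Only squareness modulo one prime is tested in `decrypt`; since y is a non-square modulo both primes, that single test already separates the two ciphertext classes.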
Multiplicatively Homomorphic [ElG’85,…]
Add + One Mult [BGN’05,GHV’09]
Gentry (2009)
FIRST Fully Homomorphic Encryption!
New Developments in FHE
► “Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]
– asymptotic efficiency: nearly linear-time* algorithms
– practical efficiency: 3-4 orders of magnitude faster compared to [Gen09, GH10]
– * linear-time in the security parameter
► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12]
– e.g., worst-case hardness of shortest vectors on lattices
– Best Known Theorem [BGV11]: (Leveled) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices*
– * leveled = public key grows with the depth of the circuit for f
► Complex → Simple constructions/proofs [BV11b, BGV11, LTV12, B12]

This talk is based on:
1. Zvika Brakerski, V.V., Efficient Fully Homomorphic Encryption from Standard Learning with Errors, FOCS 2011.
2. Zvika Brakerski, Craig Gentry, V.V., (Leveled) Fully Homomorphic Encryption without Bootstrapping, ITCS 2012.
3. Craig Gentry, Stanford Ph.D. Thesis, 2009.
How to Construct an FHE Scheme

The Big Picture
IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption
– Evaluate Boolean circuits of depth d = ε log n *   [Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]
– * (0 < ε < 1 is a constant, and n is the security parameter)
IDEA 2: “Bootstrapping” Theorem [Gen09] (Qualitative)
– “Homomorphic enough” Encryption ⇒ FHE *
– Homomorphic enough = Can evaluate its own Dec Circuit (plus some), i.e. EVAL can run the decryption circuit Dec(CT, sk) → msg
– * (assuming the scheme is “circular secure”; see Bootstrapping below)

Problem: SwHE = Homomorphic Enough? NO, for all known constructions!
Solution a. “Squash” the decryption circuit [Gen09]
– Relies on a new assumption: “sparse subset sum”
Solution b. Make EVAL larger [BV11b, simplified by BGV12]
– Fairly General, Needs no new assumptions
– Exponential improvement: Can eval n^ε depth circuits
Solution c. Use Special Properties of Dec. Circuit [GH11]
– Less general

IDEA 3: “Modulus Reduction” [BV11b, simplified by BGV12]
– Evaluate Boolean circuits of depth d = n^ε

Summary of the three ideas:
IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)
IDEA 2: “Bootstrapping” (FHE: Evaluate any poly(n)-size Boolean circuit)
d-Leveled FHE: Given any d, set n = d^(1/ε)
Many Instantiations
All based on Integer Lattices (Ajtai’96)
Ideal Lattices:
– Gentry’09 (based on Goldreich-Goldwasser-Halevi’98)
– DGHV’10 (based on Ajtai-Dwork’97, Regev’04)
– BV’11a (based on Lyubashevsky-Peikert-Regev’10)
– LTV’11 (based on NTRU: Hoffstein-Pipher-Silverman’96)
Surprisingly, Arbitrary Lattices [BV’11b]
– Lattices (like vector spaces) have no native mult
BUT: you don’t need to know what lattices are for this talk!
Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]
LWE_{n,q,B}: For random secret s ∈ Z_q^n, and any m = poly(n),
  ( a_i , b_i = <a_i, s> + e_i )_{i=1..m}   ≈   ( a_i , u_i )_{i=1..m}
i.e. the oracle O_s handing out “noisy” random linear equations is indistinguishable from the oracle O_rand handing out uniformly random pairs, where:
– a_i ∈ Z_q^n is uniformly random,
– u_i is uniformly random in Z_q,
– the error is “small”: |e_i| < B.

Worst-Case Connection ([R05, P09]):
Qualitative: Solve LWE (on average) ⇒ Short-vector approximation on lattices (in the worst-case)
Quantitative: Solve LWE_{n,q,B} ⇒ O(nq/B)-approx shortest vector on lattices

1. SCALE INVARIANCE: hardness depends only on the ratio between q and B
2. OUR PARAMETERS: We will set q = n^{O(log n)} and B = poly(n). Best known algorithm for LWE with these parameters runs in 2^{Õ(n)} time.

Facts:
– LWE (with short secret s) = LWE [ACPS09,GKPV10]
– LWE with short even error (2e) = LWE with short error e
Secret-key Encryption from LWE
(omitting public-key encryption)
• KeyGen: Sample random “short” vector t ∈ Z_q^n and set sk = t
• Bit Encryption Enc_sk(m):
– Sample uniformly random a ∈ Z_q^n, “short” noise e ∈ Z_q
– The ciphertext CT = (a, b = <a, t> + 2e + m) ∈ Z_q^n × Z_q
• Decryption Dec_sk(CT): Output (b − <a, t> mod q) mod 2.
– Correctness: b − <a, t> mod q = b − Σ a[i]·t[i] mod q = 2e + m mod q = 2e + m (over Z_q, as long as |2e + m| < q/2); decryption succeeds if e < q/4.
Semantic Security from LWE.
Additive Homomorphism
Look at Ciphertexts through the Decryption Lens:
CT = (a, b):  b − <a, t> = 2e + m        CT’ = (a’, b’):  b’ − <a’, t> = 2e’ + m’
Let c = (a, b), c’ = (a’, b’) and s = (−t, 1). Then
<c, s> = 2e + m        <c’, s> = 2e’ + m’
Claim: c_add = c + c’
Proof:
<c + c’, s> = <c, s> + <c’, s> = 2(e + e’) + (m + m’) = 2E + (m + m’), with E = e + e’
Dec_s(c_add) = 2E + (m + m’) (mod 2) = (m + m’) (mod 2)
Multiplicative Homomorphism
CT = c, CT’ = c’:  <c, s> = 2e + m,  <c’, s> = 2e’ + m’
Claim: c_mult = ?
<c, s> · <c’, s> = (2e + m) · (2e’ + m’) = mm’ + 2(em’ + e’m + 2ee’) = mm’ + 2E
– a quadratic equation in the variables s[i]
Tensor Product:
• c ⊗ c’ = (c[1]·c’[1], …, c[i]·c’[j], …, c[n+1]·c’[n+1])
• c, c’ live in (n+1) dim → c ⊗ c’ lives in (n+1)^2 dim
• KEY FACT: <c, s> · <c’, s> = <c ⊗ c’, s ⊗ s>
Claim: c_mult = c ⊗ c’
<c ⊗ c’, s ⊗ s> = mm’ + 2(em’ + e’m + 2ee’) = mm’ + 2E
Dec(s ⊗ s, c_mult) = 2E + mm’ (mod 2) = mm’ (mod 2)
Problem: Ciphertext size blows up! (Z_q^{n+1} → Z_q^{(n+1)^2})
Multiplicative Homomorphism: Relinearization
<c_mult, s ⊗ s> = 2E + mm’, but c_mult lives in (n+1)^2 dimensions.
New Technique [BV’11b]: Relinearization
Find linear functions (of a new secret s’) that represent these quadratic functions of s.
New KeyGen:
• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).
• Evaluation key evk: for all i, j: Enc_{t’}(s[i]·s[j]), i.e. sample A_{i,j}, E_{i,j} and publish
  C_{i,j} = (A_{i,j}, B_{i,j} = <A_{i,j}, t’> + 2E_{i,j} + s[i]·s[j])
  so that B_{i,j} − <A_{i,j}, t’> = 2E_{i,j} + s[i]·s[j], i.e. <C_{i,j}, s’> ≈ s[i]·s[j]
  (denoting s’ = (−t’, 1), as before). LWE security still holds.
  Left-hand side: linear fn (in s’). Right-hand side: quadratic fn (in s).
Plug back into the quadratic equation:
  Σ_{i,j} c_mult[i,j] · <C_{i,j}, s’> ≈ Σ_{i,j} c_mult[i,j] · s[i]·s[j] = <c_mult, s ⊗ s> ≈ mm’ + 2·Error
  Linear in s’.
Homomorphic Mult (first attempt):
1. First compute c_mult = c ⊗ c’
2. Compute and output Σ_{i,j} c_mult[i,j] · C_{i,j} (where C_{i,j} are from the evaluation key)

CHEATING ALERT
PROBLEM: c_mult has large entries (arbitrary elements of Z_q), so multiplying the evk noise 2E_{i,j} by c_mult[i,j] blows the error up.
BUT
SOLUTION: Binary Decomposition Trick
New KeyGen:
• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).
• Evaluation key evk: for all i, j and k in [0 … log q]: Enc_{t’}(2^k s[i]·s[j]), i.e. sample A_{i,j,k}, E_{i,j,k} and publish
  C_{i,j,k} = (A_{i,j,k}, B_{i,j,k} = <A_{i,j,k}, t’> + 2E_{i,j,k} + 2^k s[i]·s[j])
  so that <C_{i,j,k}, s’> ≈ 2^k s[i]·s[j]
  (denoting s’ = (−t’, 1) and C_{i,j,k} = (A_{i,j,k}, B_{i,j,k}) as before)
  Left-hand side: linear fn (in s’). Right-hand side: quadratic fn (in s).
Plug back into the quadratic equation:
  Let c_mult[i,j,k] be the k-th bit of c_mult[i,j], so c_mult[i,j] = Σ_k 2^k c_mult[i,j,k]
  Σ_{i,j,k} c_mult[i,j,k] · <C_{i,j,k}, s’> = mm’ + 2·Error + 2·Error_relin
  Error_relin = O(n^2 · log q · B)   (each evk noise term is now multiplied by a bit, not by an element of Z_q)
  Linear in s’.
UN-CHEATING ALERT
Homomorphic Mult:
1. First compute c_mult = c ⊗ c’
2. Compute and output Σ_{i,j,k} c_mult[i,j,k] · C_{i,j,k} (where C_{i,j,k} are from the evaluation key)
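The LWE secret-key scheme, the additive homomorphism, the tensor-product multiplication and the bit-decomposed relinearization above, put together in Python as an added example (not code from the talk or from [BV’11b]) that evaluates the FHE 101 circuit f(x1, x2, x3) = (x1 + x2)·x3 on ciphertexts. The parameters (n = 4, q = 2^20, noise bound B = 2), the seed and all function names are constructed for this example and are far too small to be secure. As the evaluation key dictates, the multiplication leaves a ciphertext under the second key t’.

```python
import random

# Toy parameters, constructed for this example only. n = 4 and q = 2^20 are
# far too small to be secure; they are chosen so the arithmetic is visible.
N_DIM = 4                      # LWE dimension n
Q = 2 ** 20                    # modulus q
B_NOISE = 2                    # fresh noise bound B: |e| <= B
NBITS = (Q - 1).bit_length()   # bits of a value in [0, q): "log q" = 20
rng = random.Random(2015)      # fixed seed so the run is reproducible


def centered(x):
    """Reduce x mod q into the symmetric range (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x


def inner(u, v):
    """Inner product <u, v> mod q."""
    return sum(a * b for a, b in zip(u, v)) % Q


def keygen():
    """Secret key t in Z_q^n (the slides' sk = t)."""
    return [rng.randrange(Q) for _ in range(N_DIM)]


def dec_vector(t):
    """s = (-t, 1), so that <c, s> = b - <a, t> for a ciphertext c = (a, b)."""
    return [(-x) % Q for x in t] + [1]


def encrypt(t, m):
    """Enc_t(m) = (a, b = <a, t> + 2e + m): a uniform, e short.

    m is a bit for data ciphertexts; the relinearization key reuses this
    routine with m = 2^k s[i] s[j] mod q, a full Z_q element.
    """
    a = [rng.randrange(Q) for _ in range(N_DIM)]
    e = rng.randint(-B_NOISE, B_NOISE)
    return a + [(inner(a, t) + 2 * e + m) % Q]   # the (n+1)-vector c = (a, b)


def decrypt(s, c):
    """Dec_s(c) = ((<c, s> mod q) centred) mod 2; correct while |2e + m| < q/2."""
    return centered(inner(c, s)) % 2


def add(c1, c2):
    """Additive homomorphism: c_add = c1 + c2 (entrywise mod q)."""
    return [(x + y) % Q for x, y in zip(c1, c2)]


def tensor(u, v):
    """u (x) v: all pairwise products, an (n+1)^2-dimensional vector."""
    return [(x * y) % Q for x in u for y in v]


def relin_keygen(t, t_new):
    """evk: C_{i,j,k} = Enc_{t'}(2^k s[i] s[j]) for all i, j and k in [0, log q)."""
    s = dec_vector(t)
    return {(i, j, k): encrypt(t_new, (pow(2, k, Q) * s[i] * s[j]) % Q)
            for i in range(N_DIM + 1) for j in range(N_DIM + 1) for k in range(NBITS)}


def multiply(c1, c2, evk):
    """Homomorphic mult: tensor, then relinearize with the bit-decomposition trick.

    The output is a ciphertext under t' (the key evk was generated for). The
    relinearization error is at most (n+1)^2 * log q * B, small because only
    bits (not full Z_q entries) multiply the evk ciphertexts.
    """
    c_mult = tensor(c1, c2)                    # (n+1)^2 entries, large (mod q)
    out = [0] * (N_DIM + 1)
    for i in range(N_DIM + 1):
        for j in range(N_DIM + 1):
            v = c_mult[i * (N_DIM + 1) + j]
            for k in range(NBITS):
                if (v >> k) & 1:               # c_mult[i,j,k]: the k-th bit
                    out = add(out, evk[(i, j, k)])
    return out


def tensor_decrypts(x, y):
    """KEY FACT check: c (x) c' decrypts under s (x) s to x*y, without any evk."""
    t = keygen()
    s = dec_vector(t)
    return decrypt(tensor(s, s), tensor(encrypt(t, x), encrypt(t, y)))


def eval_example(x1, x2, x3):
    """Homomorphically evaluate f(x1, x2, x3) = (x1 + x2) * x3 over GF(2)."""
    t, t_new = keygen(), keygen()
    evk = relin_keygen(t, t_new)
    c1, c2, c3 = (encrypt(t, x) for x in (x1, x2, x3))
    c_sum = add(c1, c2)                        # Enc_t(x1 + x2)
    c_out = multiply(c_sum, c3, evk)           # Enc_{t'}((x1 + x2) * x3)
    return decrypt(dec_vector(t_new), c_out)


if __name__ == "__main__":
    for bits in ((0, 0, 1), (1, 0, 1), (1, 1, 1), (0, 1, 0)):
        print(bits, "->", eval_example(*bits))
```

With these parameters the product term is at most about 50 and the relinearization error at most 2·(n+1)^2·log q·B = 2000, far below q/2, which is why every decryption in `eval_example` comes out right; replacing the bit loop in `multiply` by a single multiplication of `evk` entries by the full `c_mult[i,j]` reproduces the “cheating” version and its overflow.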
The Reservoir Analogy (How homomorphic is this?)
Picture the noise as the water level in a reservoir: noise = 0 at the bottom, noise = q/2 at the top; decryption fails once the level passes q/2.
initial noise = ξ
Additive Homomorphism: ξ → 2ξ
Mult. Homomorphism: ξ → ξ^2 + n^2 B log q ≈ ξ^2
AFTER d LEVELS: noise B → (worst case)
Correctness: the final noise must stay below q/2.
Breaking the scheme = Solving 2^{n^ε}-approx. shortest vectors [Reg05,LPR10]
Wrap Up: Somewhat Homomorphism
IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [BV11b]
Evaluate Boolean circuits of mult. depth D = ε log n
SK = (sk_1, …, sk_D), EVK = (evk_1, …, evk_D), where D is the max mult depth
Encrypt using sk_1: Enc(sk_1, x) → evaluate the circuit C level by level (mult depth D) → Enc(sk_D, C(x)) → Decrypt using sk_D
Each Mult Level: Tensor and Relinearize (relinearization moves the ciphertext from sk_i to sk_{i+1})
– a number of other SwHE schemes: [DGHV10,SV10,BV11a,LTV12]
– [DGHV10]: based on hardness of approximate gcd
– [SV10]: principal ideal problem
– [BV11a]: Ring LWE
– [LTV12]: NTRU

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)
IDEA 2: “Bootstrapping” (“homomorphic enough” to fully homomorphic)
d-Leveled FHE: Given any d, set n = d^(1/ε)
Bootstrapping
“Homomorphic enough” Encryption ⇒ FHE
Bootstrapping Theorem [Gen09] (Quantitative):
d-HE (Homomorphic Encryption for any depth d circuit) with decryption depth < d ⇒* FHE
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth): the reservoir runs from noise = 0 to noise = q/2, and the valve sits at noise = B_dec. Say (B_dec)^2 < q/2.

Bootstrapping: How
“Best Possible” Noise Reduction = Decryption!
Dec(CT, SK) → m: the Decryption Circuit turns a “very noisy” ciphertext into a “noiseless ciphertext” (the plaintext itself).
But the evaluator does not have SK!

Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
Run Dec homomorphically: inputs CT and Enc_SK(SK), output Enc_SK(m).
Assume Enc(SK) is public.* (* OK assuming the scheme is “circular secure”)
Noise of the input ciphertext = B_input; noise of the output = B_dec; B_dec is independent of B_input.

Wrap Up: Bootstrapping
Assume Circular Security: Eval key contains Enc_SK(SK)
Function f, gate by gate. Each Gate g → Gadget G:
– in the clear: g takes a, b and outputs g(a, b)
– encrypted: G takes c_a, c_b (encryptions of a and b) and Enc(SK), homomorphically decrypts each input (Dec, Dec) and applies g, and outputs Enc(g(a, b))
Bootstrapping Theorem [Gen09] (Quantitative):
d-HE with decryption depth < d ⇒ (leveled) FHE
– publish Enc_{PK_2}(SK_1), Enc_{PK_3}(SK_2), …, Enc_{PK_d}(SK_{d−1})
circular-secure d-HE with dec. depth < d ⇒ FHE
– publish Enc_PK(SK)
SwHE = Homomorphic Enough?
Decryption Circuit:
• Compute lsb(<SK, C> mod q) = inner products mod q, then mod 2.
• Seems to need (multiplicative) depth ≥ log n
• Can handle multiplicative depth = ε log n < log n
Homomorphisms:
• Our scheme is homomorphic over GF(2).
• Write inner product mod q as a GF(2)-arithmetic circuit? Can be done in depth polylog(n)

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)
IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE)
Modulus Reduction
“Homomorphic enough” Encryption ⇒ FHE
Modulus Reduction Theorem [BV11b,BGV12]:
SwHE that evaluates Boolean circuits of depth d = n^ε (under the same assumption as before)
Corollary: For every depth d, set the security parameter n = d^(1/ε) to get a d-leveled FHE.
Corollary: modulus reduction + bootstrapping = FHE (assuming circular security)

Wishful thinking: Shrink Noise and Noise Ceiling by the same factor.
CT:  q = B^10, noise = B^8  → NO MULT possible (squaring the noise would exceed q)
CT’: q’ = B^3, noise’ = B  → ONE MULT possible
Can we do this? Almost: noise’ = B + p(n)
– Cannot arbitrarily reduce noise (because of the p(n) factor)
– Hardness depends only on q/B, so shrinking q and the noise together does not hurt security.

Modulus Reduction, in the reservoir picture:
initial noise = ξ
Homomorphism (one mult): (q, ξ) → (q, ≈ ξ^2)
Modulus Reduction (LEVEL_i → LEVEL_{i+1}): (q, ξ^2) → (q/ξ, ξ)
final noise = ξ, while the modulus shrinks from q to q/ξ at each level
AFTER d LEVELS: (q, B) → (q/(nB log q)^{O(d)}, B)
so d ≤ log q / log(nB) ≤ n^ε / log n
Modulus Reduction: Details
Modulus Reduction Algorithm [BV11b,BGV12]:
Transform a (q, B^2) ciphertext into a (q’ ≈ q/nB, B) one.
Let c be a ciphertext s.t. <c, s> = 2e + m (mod q).
Assume that the secret key s has entries bounded by B (ok by the “short secret” fact above).
Modulus Reduction Algorithm:
• Compute (q’/q)·c
• Round to the closest integer vector c’ such that c’ = c mod 2
Proof:
<c, s> = 2e + m + qZ   (original dec eqn)
(q’/q)·<c, s> = (q’/q)·(2e + m) + q’Z   (scaled)
<c’, s> = (q’/q)·(2e + m) + E_round (mod q’)
• New Error = (q’/q)·(Old Error) + E_round, with E_round ≤ Bn (the rounding moves each entry by at most 1 and |s[i]| ≤ B), as promised!
• c’ decrypts to m, since c’ = c mod 2, and <c’, s> = <c, s> mod 2
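The modulus reduction algorithm above, as an added Python example (not the talk’s own code): a fresh encryption is given a deliberately large planted noise, the ciphertext is scaled by q’/q and rounded to the nearest integer vector of the same parity, and the noise before and after is read off with the decryption equation. The parameters (n = 4, q = 2^20 − 1, q’ = 2^10 − 1, secret entries bounded by B = 2), the seed and the function names are constructed for this example; both moduli are odd because the parity step of the proof needs q’ ≡ q (mod 2).

```python
from fractions import Fraction
import random

# Toy parameters, constructed for this example only (not secure). Both moduli
# are odd, as the parity argument in the proof needs q' = q (mod 2).
N_DIM = 4
Q = 2 ** 20 - 1          # original modulus q
Q_NEW = 2 ** 10 - 1      # reduced modulus q', about q / 2^10
B_SECRET = 2             # secret entries bounded by B ("short secret" fact)
rng = random.Random(7)


def centered(x, q):
    """Reduce x mod q into the symmetric range (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inner(u, v):
    """Integer inner product; the caller applies the modulus."""
    return sum(a * b for a, b in zip(u, v))


def keygen():
    """Short secret t with |t[i]| <= B, so s = (-t, 1) has l1 norm <= nB + 1."""
    return [rng.randint(-B_SECRET, B_SECRET) for _ in range(N_DIM)]


def dec_vector(t):
    """s = (-t, 1) as a small integer vector (not reduced mod q)."""
    return [-x for x in t] + [1]


def encrypt(t, m, e, q):
    """(a, <a, t> + 2e + m) mod q. The noise e is passed in so that a large,
    'post-multiplication' noise can be planted deliberately."""
    a = [rng.randrange(q) for _ in range(N_DIM)]
    return a + [(inner(a, t) + 2 * e + m) % q]


def noisy_value(c, t, q):
    """(<c, s> mod q) centred = 2e + m: the reservoir's water level."""
    return centered(inner(c, dec_vector(t)), q)


def decrypt(c, t, q):
    return noisy_value(c, t, q) % 2


def modulus_reduce(c, q, q_new):
    """Scale c by q'/q and round every entry to the closest integer with the
    same parity as the original entry, so that c' = c (mod 2).

    Entries are kept as plain integers (possibly just outside [0, q')) because
    the parity argument is about integer representatives; decryption reduces
    mod q' anyway. Each entry moves by at most 1 from (q'/q) * c."""
    out = []
    for x in c:
        scaled = Fraction(x * q_new, q)
        nearest = round(scaled)                        # closest integer
        if (nearest - x) % 2 != 0:                     # wrong parity: take the
            nearest += 1 if scaled > nearest else -1   # other neighbour (distance <= 1)
        out.append(nearest)
    return out


def reduce_and_compare(m, e):
    """Plant noise e in a fresh encryption of bit m, reduce the modulus, and
    return (bit before, |noise| before, bit after, |noise| after)."""
    t = keygen()
    c = encrypt(t, m, e, Q)
    c_new = modulus_reduce(c, Q, Q_NEW)
    return (decrypt(c, t, Q), abs(noisy_value(c, t, Q)),
            decrypt(c_new, t, Q_NEW), abs(noisy_value(c_new, t, Q_NEW)))


if __name__ == "__main__":
    print(reduce_and_compare(1, 5000))   # noise 10001 under q becomes about 20 under q'
```

The planted value 2e + m = 10001 is roughly 2^13, far below q/2; after reduction the noise is (q’/q)·10001 ≈ 9.8 plus a rounding term of at most nB + 1 = 9, so the bit survives with a reservoir that is now 2^10 deep instead of 2^20.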
Putting Together: Leveled FHE
SK = (sk_1, …, sk_D), EVK = (evk_1, …, evk_D), where D is the max mult depth
Encrypt using sk_1: Enc(sk_1, x) → evaluate C (mult depth D) → Enc(sk_D, C(x)) → Decrypt using sk_D
Each Mult Level: 1) Tensor, 2) Relinearize using evk_i, 3) Reduce modulus
This works for depth D ≤ n^ε
Bootstrapping + Circular Security ⇒ FHE.

Putting Everything Together
IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε) (this is “homomorphic enough”)
IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE) (assuming “circular security”)
A Simpler Alternative: doing away with changing moduli [Brakerski’12]

Fully Homomorphic Encryption: Open Problems
Circular Security
Leveled FHE from “standard” assumptions
– e.g., the Learning with Errors assumption
– Evaluate bounded depth circuits
– The size of CT and/or PK grows with the depth
“Real” FHE: requires “bootstrapping”
– Bootstrapping: Publish the encryptions of the bits of SK, namely Enc_SK(SK[1]), …, Enc_SK(SK[n]).
– * (OK assuming the scheme is “circular secure”)
Two definitions:
− Strong circular security: there is a simulator that, given nothing, produces Enc_SK(SK).
− Weak circular security: the encryption scheme is semantically secure given Enc_SK(SK).
Bootstrapping publishes Enc_SK(SK), which is OK assuming the scheme is “weakly circular secure”.

Circular Security
There are (even bit-wise) circular secure encryption schemes
– [BHHO’08]: based on DDH
– [ACPS’09, BG’10, BHHI’10, …]
There are semantically secure schemes that are NOT circular-secure.
– Proof: Simple Exercise.

Circular Security
How about circular security for the FHE scheme?
− NEED: “safe to publish” lweEnc(s[i]·s[j]) (encryptions of all quadratic monomials in the s[i])
− CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i]):
  (a, <a, s> + 2e + s[i] mod q)
  = (a, <a, s> + 2e + <u_i, s> mod q),   u_i: i-th unit vector (0, …, 1, …, 0)
  = (a, <a + u_i, s> + 2e mod q)
  ≈ (a’ − u_i, <a’, s> + 2e mod q),   writing a’ = a + u_i, which is uniform whenever a is
  This can be generated efficiently from an encryption of 0: take lweEnc(0) = (a’, <a’, s> + 2e) and subtract u_i from its first component.
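The transformation of an encryption of 0 into an encryption of s[i] described above, as an added Python example (not the talk’s code). The parameters, the seed and the function names are constructed toy values; the secret is taken short (as the LWE-with-short-secret fact allows) so that s[i] is itself a small value that decryption returns intact. The example hands back the decrypted value next to the actual secret entry so the identity can be checked; the noise e is exposed only for that check.

```python
import random

# Toy parameters, constructed for this example only (not secure): a short
# secret so that t[i] is itself a small value, and an odd q.
N_DIM, Q, B_NOISE = 4, 2 ** 20 - 1, 2
rng = random.Random(11)


def inner(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q


def centered(x):
    x %= Q
    return x - Q if x > Q // 2 else x


def keygen():
    """Short secret t (entries in [-B, B]), as the 'LWE with short secret' fact allows."""
    return [rng.randint(-B_NOISE, B_NOISE) for _ in range(N_DIM)]


def encrypt_zero(t):
    """A fresh lweEnc_t(0) = (a, <a, t> + 2e); e is returned only for the check below."""
    a = [rng.randrange(Q) for _ in range(N_DIM)]
    e = rng.randint(-B_NOISE, B_NOISE)
    return a, (inner(a, t) + 2 * e) % Q, e


def shift(a, b, i):
    """Public transform (a, b) -> (a - u_i, b), u_i the i-th unit vector.

    Since <a, t> = <a - u_i, t> + t[i], the output satisfies
    b - <a - u_i, t> = 2e + t[i] (mod q): an encryption of t[i] under t,
    produced without knowing t. Because a is uniform, so is a - u_i, so the
    result is distributed exactly like a fresh lweEnc_t(t[i]).
    """
    a_shift = list(a)
    a_shift[i] = (a_shift[i] - 1) % Q
    return a_shift, b


def decrypt_value(a, b, t):
    """b - <a, t> mod q, centred: equals 2e + (message)."""
    return centered((b - inner(a, t)) % Q)


def recovered_secret_entry(i):
    """Build lweEnc(t[i]) from lweEnc(0), decrypt, strip 2e; returns (value, t[i])."""
    t = keygen()
    a, b, e = encrypt_zero(t)
    a_i, b_i = shift(a, b, i)
    return decrypt_value(a_i, b_i, t) - 2 * e, t[i]


def all_coordinates_match():
    """True if the shifted ciphertext decrypts to t[i] for every coordinate i."""
    return all(value == entry for value, entry in
               (recovered_secret_entry(i) for i in range(N_DIM)))
```

The point of the check is the reduction, not the arithmetic: anyone holding only encryptions of 0 can manufacture the encryptions of the linear monomials s[i] that bootstrapping publishes, so publishing them gives away nothing beyond semantic security. The same trick does not produce encryptions of the products s[i]·s[j] that the relinearization key contains, which is exactly the open question in the next slide.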
Q: “Real” FHE from Standard Assumptions?
1) Prove the circular security for quadratic monomials, or
2) Come up with an alternative to bootstrapping.
What we did not Cover…
• Efficient Constructions
– Build on the ring LWE variant of today’s scheme
– Gentry-Halevi-Smart series of works
– a number of algebraic optimizations
• Verifiability
– CS proofs [Kil92,Mic94]
– A number of recent works in various settings [GKR08,GGP10,CKV10,AIK10,…]
– The central problem remains open
• Circuit Privacy
– [Gentry-Halevi-V’10]: “Circuit privacy for free” theorem

Conclusion
• FHE is not so complicated any more
– Well-defined guidelines for construction
– Under relatively standard security assumptions
• FHE is not so inefficient any more
– Case in point: Ring LWE, NTRU…
• LOTS of questions still to be answered…
– FHE without “Circular Security”
– FHE from number theory, general assumptions…
• NEW directions: selective homomorphism, functional encryption, …
Thank You!