HOMOMORPHIC ENCRYPTION FROM CODES
Andrej Bogdanov, Chinese University of Hong Kong
with Chin Ho Lee, Chinese University of Hong Kong
Post-Quantum Cryptography | 9 Feb 2012
Fully homomorphic encryption
[Diagram: a circuit C takes x1 x2 x3 x4 to C(x); Hom(C) takes Enc(x1) Enc(x2) Enc(x3) Enc(x4) to Enc(C(x))]
[Rivest, Adleman, Dertouzos 1978]
Secure outsourcing of computation
[Diagram: user and cloud; labels: program C, data x, Enc(x), Enc(C(x))]
What we do
Known homomorphic schemes are based on “decoding” from lattices
We propose a new construction of homomorphic encryption from codes
Decoding lattices vs codes
the problem is the same: given a noisy code/lattice element, find out where it came from
only the noise model is different: lattice noise vs. code noise
Our original motivation
• We wanted to understand if the complexity of known homomorphic schemes is necessary
• We found it hard to work with lattice-based examples, as they use (large) integers
• In contrast, good codes exist even over bits
more later…
Encryption
Enc_P(m) = r P + m 1 + e
(P: public key, r: randomness, e: noise)
over GF(q), q = 2^k
Public key P is a scrambled version of the matrix
[Diagram: block matrix with blocks M, F and 0, labelled “Reed-Solomon encoding matrices”]
Decryption
[Diagram: P and Enc(0) shown as arrays of bits]
Let’s pretend we are in GF(2)
M sk = 0
Dec := = 0
Dec(1) analogous, as long as sk has odd weight
Security intuition
[Diagram: block matrix with blocks M, F and 0; labels: functionality, security]
M and F similar in distribution and aspect ratio to guard from “linear algebra” attacks
M hidden inside P by permuting columns and scrambling rows at random
Parameters and security
[Diagram: matrices M and P with dimension labels 3s, n, s = n^{a/4} and n^{1-a/8}]
noise rate n^{-1+a/4}
field size q ≈ 2^{n^a}
Security conjecture
For some a, g > 0 and n sufficiently large,
(P, Enc_P(0)) is pseudorandom with hardness 2^{n^g}
On the parameters
Parameters chosen to foil obvious attacks …
• look for linear dependencies in encryption
• search the nullspace of P
… some less obvious ones …
• exploit rank-deficiency of M
• normalize P (Sidelnikov-Shestakov attack)
… and with homomorphism in mind
In a world without noise
Encryptions are additive…
Enc(m) = r P + m 1
Enc(m’) = r’ P + m’ 1
Enc(m + m’) = (r + r’) P + (m + m’) 1
Enc(m) + Enc(m’) ⊆ Enc(m + m’)
…and somewhat multiplicative
Enc(m) ⋅ Enc(m’) ⊆ Dec(m⋅m’)
Encryption spaces
[Diagram: the sets Enc(0), Enc(1), Dec(0) and Dec(1) inside {0, 1}^n]
Enc_PK(m): possible encryptions of m
Dec_SK(m): ciphertexts that decrypt to m, assuming no noise
Encryption spaces and homomorphism
If we had
Enc(m) ⋅ Enc(m’) ⊆ Enc(m⋅m’)
and
Enc(m) + Enc(m’) ⊆ Enc(m + m’)
[Diagram: a circuit of + and × gates takes x1 x2 x3 x4 to C(x); the same + and × gates applied to Enc(x1) Enc(x2) Enc(x3) Enc(x4) give Enc(C(x))]
Reencryption (bootstrapping)
We only have Enc(m)⋅Enc(m’) ⊆ Dec(m⋅m’)
So we need to convert Dec(m) into Enc(m)
[Diagram: the circuit Dec takes sk1 sk2 sk3 sk4 and outputs Dec_sk(c) = m; ReEnc = Hom(Dec) takes Enc(sk1) Enc(sk2) Enc(sk3) Enc(sk4) and outputs Enc(Dec_sk(c)) = Enc(m)]
Reencryption
c ∈ Dec_sk(m):
c = 0 1 1 1 0 1 1 1
sk = 1 1 1 0 0 0 0 0
Dec_sk(c) = c1 sk1 + … + cn skn, so
ReEnc(c) = c1 Enc(sk1) + … + cn Enc(skn)
Reencryption
sk = 1 1 1 0 0 0 0 0
Enc(ski):
1 1 0 0 1 0 1 0
0 0 1 1 0 0 0 1
1 1 1 0 0 1 0 0
1 0 1 0 0 0 1 0
0 1 0 1 1 0 0 1
1 0 1 0 0 0 0 0
0 1 1 0 1 1 0 0
0 1 0 1 1 0 1 1
1 1 1 0 1 0 0 1
ReEnc(c) = c1 Enc(sk1) + … + cn Enc(skn)
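Added example (not code from the talk): the noiseless GF(2) picture from the Decryption, "In a world without noise" and Reencryption slides, showing additivity and ReEnc as a linear combination of encrypted key bits. The toy key generation (random rows orthogonal to an odd-weight sk) is an assumption made for illustration; it omits the Reed-Solomon structure, scrambling and noise, and has no security.

```python
import secrets

def rand_bits(n):
    return [secrets.randbelow(2) for _ in range(n)]

def dot(u, v):
    return sum(a & b for a, b in zip(u, v)) % 2      # inner product over GF(2)

def lincomb(coeffs, vectors, start):
    """start + sum of the vectors whose coefficient is 1, over GF(2)."""
    out = list(start)
    for c_i, v in zip(coeffs, vectors):
        if c_i:
            out = [a ^ b for a, b in zip(out, v)]
    return out

def keygen(n, rows):
    """Toy key (assumption): odd-weight sk and P with <row, sk> = 0 for every row."""
    sk = rand_bits(n)
    sk[0] ^= (sum(sk) + 1) % 2        # flip one bit if the weight is even
    j = sk.index(1)
    P = [rand_bits(n) for _ in range(rows)]
    for row in P:
        row[j] ^= dot(row, sk)        # flipping a bit where sk is 1 fixes the parity
    return P, sk

def enc(P, m):
    """Noiseless Enc_P(m) = r P + m 1 for a random bit vector r."""
    return lincomb(rand_bits(len(P)), P, [m] * len(P[0]))

def dec(sk, c):
    """Dec_sk(c) = c1 sk1 + ... + cn skn; equals m because <1, sk> = 1."""
    return dot(c, sk)

def reenc(c, enc_sk):
    """ReEnc(c) = c1 Enc(sk1) + ... + cn Enc(skn), Enc taken under the next key."""
    return lincomb(c, enc_sk, [0] * len(enc_sk[0]))

def demo(n=8, n2=12):
    """(m + m', Dec of Enc(m) + Enc(m'), Dec after ReEnc) for all bit pairs."""
    P1, sk1 = keygen(n, n // 2)
    P2, sk2 = keygen(n2, n2 // 2)
    enc_sk1 = [enc(P2, bit) for bit in sk1]   # key bits of sk1 encrypted under P2
    out = []
    for m in (0, 1):
        for m2 in (0, 1):
            c = [a ^ b for a, b in zip(enc(P1, m), enc(P1, m2))]
            out.append((m ^ m2, dec(sk1, c), dec(sk2, reenc(c, enc_sk1))))
    return out
```

On the slide's own vectors, dec applied to sk = 1 1 1 0 0 0 0 0 and c = 0 1 1 1 0 1 1 1 returns 0.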
Enter noise
sk = 1 1 1 0 0 0 0 0
Enc(ski):
1 1 1 0 1 0 1 0
0 0 1 0 0 0 0 1
1 0 1 0 1 1 0 1
1 0 1 0 0 0 1 0
0 1 1 1 1 0 0 1
0 0 0 0 0 0 0 0
0 1 1 0 0 1 0 1
1 1 0 1 1 0 1 1
1 0 1 0 1 1 0 1
Linear combinations of Enc(ski) are extremely noisy
Noise reduction techniques
• Homomorphic encryption for small depth: reencrypt under larger and larger keys
• From small depth to small size: reduce key length
• Eliminate all restrictions: reduce error rate
Reencryption under larger keys
[Diagram: matrices M and P with dimension labels 3s, n, s = n^{a/4} and n^{1-a/8}]
noise rate n^{-1+a/4}
field size q ≈ 2^{n^a}
Encryption scheme K_q(n)
Idea: Reencrypt K_q(n) under K_q(n^{1+a})
Reencryption
sk = 1 1 0
Enc(ski):
1 1 0
0 0 1
1 1 1
1 0 1
0 1 0
1 0 1
1 1 1
0 1 0
1 1 1
ReEnc(c) = c1 Enc(sk1) + … + cn Enc(skn)
Noise unlikely to affect relevant parts of Enc(ski)
Homomorphism for small depth
Applying a chain of keys
K_q(n) → K_q(n^{1+a}) → … → K_q(n^{(1+a)^d})
we can handle up to d reencryptions
and so we can evaluate circuits of depth d (and sufficiently small size)
Noise reduction techniques
• Homomorphic encryption for small depth: reencrypt under larger and larger keys
• From small depth to small size: reduce key length
• Eliminate all restrictions: reduce error rate
The error correction circuit
[Diagram: circuit E, a tree of G gates of depth d, with inputs x1 … x_{2^d} and output y]
G(x, y) = 1 + xy
xi = m with prob 1 - h, 1 - m with prob h
Pr[y ≠ m] ≈ h^{1.4^d}
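Added example (not code from the talk): the exact output error of the error correction circuit, computed level by level and checked against brute-force enumeration of the circuit. It assumes E is a complete binary tree of G gates on 2^d independent noisy copies of m with d even; the function names are chosen here. The error is squared every two levels up to a factor of 4, which is consistent with the slide's h^{1.4^d}.

```python
import itertools
import math

def G(x, y):
    """The gate from the slide: G(x, y) = 1 + xy over GF(2), i.e. NAND."""
    return 1 ^ (x & y)

def E(bits):
    """Complete binary tree of G gates; len(bits) must be a power of two."""
    level = list(bits)
    while len(level) > 1:
        level = [G(level[i], level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]

def error_recursive(h, d, m):
    """Pr[E(x) != m] when each of the 2^d inputs is independently wrong w.p. h."""
    if d % 2:
        raise ValueError("for odd d the tree outputs 1 - m on clean inputs")
    err, value = h, m                 # value = correct bit at the current level
    for _ in range(d):
        if value == 1:                # correct output 0: wrong if either input is wrong
            err = 2 * err - err * err
        else:                         # correct output 1: wrong only if both are wrong
            err = err * err
        value ^= 1                    # the correct bit flips at every level
    return err

def error_exhaustive(h, d, m):
    """Same probability, by summing over every error pattern on the inputs."""
    n = 2 ** d
    total = 0.0
    for flips in itertools.product((0, 1), repeat=n):
        if E([m ^ f for f in flips]) != m:
            k = sum(flips)
            total += h ** k * (1 - h) ** (n - k)
    return total

def exponent(h, d, m):
    """k such that the output error equals h^k."""
    return math.log(error_recursive(h, d, m)) / math.log(h)

if __name__ == "__main__":
    for d in (2, 4, 6, 8):
        print(d, [round(exponent(1e-3, d, m), 2) for m in (0, 1)], round(1.4 ** d, 2))
```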
Error correction of encryptions
sk = 10010110101101010110010
2^d independent encryptions of ski:
010100111
110110000
010010010
100110001
…
[Diagram: the encryptions lie in Dec(1), Dec(0), Dec(1), Dec(1) (error rate h); E outputs 1 (error rate h^{1.4^d}); Hom(E) outputs Enc(1)]
Parameters
K_q(n) → … → K_q(n^{(1+a)^d})
length of encryptions: n → n^{(1+a)^d}
noise rate: h = n^{-1+a/4} → h^{1.4^d}
For small a, all errors can be corrected
Circular security?
To prove security, we must use fresh (independent) keys for every circuit layer
Is the scheme secure under circular key encryptions?
We don’t know, but we suspect it may not be.
key length ≈ nd log d
Complexity of encryptions
Initially we wanted to study the complexity of homomorphic encryption…
…but we ended up with a new scheme
Our scheme was inspired by the ABW [Applebaum, Barak, Wigderson] cryptosystem
Complexity of encryptions
In forthcoming work we show
Homomorphic evaluation cannot be done in constant depth
under some (reasonable) restrictions
in contrast, in the ABW cryptosystem all operations can be done in constant depth