A Brief Story of Computing on Private Data

A Brief Story of Computing on Private Data Ten H Lai Ohio State University


Transcript of A Brief Story of Computing on Private Data

Page 1: A Brief Story of  Computing on Private Data

A Brief Story of Computing on Private Data

Ten H Lai, Ohio State University

Page 2: A Brief Story of  Computing on Private Data

Agenda

• Computing on private data

• Fully homomorphic encryption (FHE)

• Gentry’s bootstrapping theorem

• Our result

Page 3: A Brief Story of  Computing on Private Data

FHE: The Holy Grail of Cryptography

Page 4: A Brief Story of  Computing on Private Data

Cloud Computing

Servers Storages Networks Applications

Page 5: A Brief Story of  Computing on Private Data

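How many stars are in the sky? How many girls are in the city? But in this world there is only one you; in the sky there is only one moon.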

Page 6: A Brief Story of  Computing on Private Data

Cloud Computing

[Figure: Encrypt, Internet, Cloud server]

Page 7: A Brief Story of  Computing on Private Data

Computing on private data

[Figure: Encrypt, Internet, Cloud server]

Page 8: A Brief Story of  Computing on Private Data

Computing on private data

[Figure: Cloud]

A question proposed by Rivest, Adleman, and Dertouzos in 1978 (one year after RSA was invented).

Page 9: A Brief Story of  Computing on Private Data

C-Homomorphism

$C$: a circuit

[Figure: plaintext $x_1, \ldots, x_t$ → Encrypt (pk) → ciphertext of $x_1, \ldots, x_t$ → Evaluate($C$) → ciphertext of $C(x_1, \ldots, x_t)$ → Decrypt (sk) → plaintext $C(x_1, \ldots, x_t)$]

Page 10: A Brief Story of  Computing on Private Data

C-homomorphic

$C$: a circuit (algorithm, function).

Input of $C$: $x_1, x_2, \ldots, x_t$.

An encryption scheme is $C$-homomorphic if

$\mathrm{Enc}(x_1), \ldots, \mathrm{Enc}(x_t) \;\xrightarrow{\ \mathrm{Evaluate}(C)\ }\; \mathrm{Enc}(C(x_1, \ldots, x_t))$

Page 11: A Brief Story of  Computing on Private Data

RSA is multiplicatively homomorphic

RSA encryption: $\mathrm{RSA}(m) = m^e \bmod n$

RSA is multiplicatively homomorphic: $\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = \mathrm{RSA}(m_1 m_2)$

[Figure: $\mathrm{RSA}(m_1)$, $\mathrm{RSA}(m_2)$ → Evaluate → $\mathrm{RSA}(m_1 m_2)$]

Page 12: A Brief Story of  Computing on Private Data

Fully Homomorphic Encryption (FHE)

Fully homomorphic: $C$-homomorphic for all $C$.

Originally called privacy homomorphism by Rivest, Adleman, Dertouzos in 1978.

$\mathrm{Enc}(x_1), \ldots, \mathrm{Enc}(x_t) \;\xrightarrow{\ \mathrm{Evaluate}(C)\ }\; \mathrm{Enc}(C(x_1, \ldots, x_t))$

Page 13: A Brief Story of  Computing on Private Data

In Search of FHE (1978-2008)

Multiplicatively homomorphic ($x_1 \cdot x_2$): RSA, ElGamal, etc.

Additively homomorphic ($x_1 + x_2$): Goldwasser-Micali, Paillier, etc.

Quadratic polynomials (the slide's example is a degree-2 polynomial in $x_1, x_2, x_3$): Boneh-Goh-Nissim

$NC^1$ circuits: Sanders-Young-Yung. Circuits of bounded fan-in AND, OR, and NOT gates, size poly($n$), depth $O(\log n)$.

Page 14: A Brief Story of  Computing on Private Data

Somewhat Homomorphic

Those encryption schemes are somewhat homomorphic: $C$-homomorphic for some circuits $C$.

Far away from being fully homomorphic.

$\mathrm{Enc}(x_1), \ldots, \mathrm{Enc}(x_t) \;\xrightarrow{\ \mathrm{Evaluate}(C)\ }\; \mathrm{Enc}(C(x_1, \ldots, x_t))$ (for some $C$'s)

Page 15: A Brief Story of  Computing on Private Data

Why doesn't Somewhat H imply Fully H?

{AND, XOR} is a complete set of gates.

Why {AND, XOR}-homomorphic, not fully homomorphic?

[Figure: equations over Enc($x$) and Enc($y$) for the AND and XOR gates, each followed by decrypt]

Page 16: A Brief Story of  Computing on Private Data

Reason -- Why doesn't SH imply FH?

Each ciphertext contains a noise (error).

Noise grows with operations on ciphertexts.

When the noise becomes too large the ciphertext is not decryptable.

[Figure: encrypt $x$, encrypt $y$, or]

Page 17: A Brief Story of  Computing on Private Data

Example

Key: a large odd integer $p$.

Plaintext: $m \in \{0, 1\}$.

Encryption: $c = pq + 2r + m$ // $2r$ is a random noise //

Decryption: $m = (c \bmod p) \bmod 2$ // if $2r < p$ //

If $c_1 = pq_1 + 2r_1 + m_1$ and $c_2 = pq_2 + 2r_2 + m_2$, then

$c_1 + c_2$ is a ciphertext of $m_1 + m_2$, with noise $2(r_1 + r_2)$.

$c_1 c_2$ is a ciphertext of $m_1 m_2$, with noise $2(2 r_1 r_2 + r_1 m_2 + m_1 r_2)$.

The noise grows!

What if the noise becomes too large, say $2r > p$?
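The integer scheme on this slide, run as code to show the noise growing under multiplication until decryption stops being reliable. This is an added example, not part of the original slides; the function names, the 64-bit key, the 8-bit noise and the seeded `random.Random` are assumptions chosen to keep the run small and reproducible, not secure parameters.

```python
import random

def keygen(rng, bits=64):
    # Key: a large odd integer p (64 bits is a toy size, far too small for real use).
    return rng.getrandbits(bits) | (1 << (bits - 1)) | 1

def encrypt(p, m, rng, noise_bits=8, q_bits=128):
    # c = p*q + 2r + m, where 2r is the random noise; r >= 1 so the noise is never zero.
    q = rng.getrandbits(q_bits)
    r = rng.randrange(1, 1 << noise_bits)
    return p * q + 2 * r + m

def decrypt(p, c):
    # m = (c mod p) mod 2; correct only while the accumulated noise stays below p.
    return (c % p) % 2

def noise(p, c):
    # Key holder's view of the noise term (2r + m) carried by c.
    return c % p

def gate_table(p, rng):
    # Ciphertext addition acts as XOR and ciphertext multiplication as AND.
    rows = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(p, m1, rng), encrypt(p, m2, rng)
            rows.append((m1, m2, decrypt(p, c1 + c2), decrypt(p, c1 * c2)))
    return rows

def mults_until_overflow(p, rng, max_mults=64):
    # Multiply fresh encryptions of 1 into an accumulator. Returns
    # (multiplication count at which the true noise first reaches p,
    #  whether every product before that point still decrypted to 1).
    acc = encrypt(p, 1, rng)
    true_noise = noise(p, acc)        # fresh noise, far below p
    ok_before = True
    for mults in range(1, max_mults + 1):
        c = encrypt(p, 1, rng)
        true_noise *= noise(p, c)     # noise terms multiply; tracked without reduction
        acc *= c
        if true_noise >= p:
            return mults, ok_before   # decrypt(p, acc) is no longer reliable
        ok_before = ok_before and decrypt(p, acc) == 1
    return None, ok_before

if __name__ == "__main__":
    rng = random.Random(2009)         # constructed, reproducible sample run
    p = keygen(rng)
    print(gate_table(p, rng))
    print(mults_until_overflow(p, rng))
```

With these sizes the noise budget is exhausted after a handful of multiplications, which is the depth limit that makes the scheme only somewhat homomorphic.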

Page 18: A Brief Story of  Computing on Private Data

Challenge for FHE

Can we have a -homomorphic encryption scheme without growing the noise?

Such a scheme will be fully homomorphic.

In 2009, Craig Gentry proposed a simple yet powerful strategy to achieve that goal:

Bootstrapping

Page 19: A Brief Story of  Computing on Private Data

Bootstrapping

In a nutshell, bootstrapping is to evaluate (augmented) Decrypt homomorphically.

[Figure: $m$ encrypted under a pink key pkA; Decrypt with skA outputs $m$; Evaluate Decrypt]

Page 20: A Brief Story of  Computing on Private Data

[Figure: Decrypt with skA outputs $m$; Encrypt under a blue key pkB; Evaluate Decrypt homomorphically]

Page 21: A Brief Story of  Computing on Private Data

NAND-augmented Decrypt circuit:

Augmented decryption circuit: decryption circuits + another gate

[Figure: two Decrypt circuits, each with skA, output m1 and m2 into a NAND gate, giving m1 NAND m2]

Page 22: A Brief Story of  Computing on Private Data

Bootstrapping: evaluate augmented-Decrypt

Encrypt all input using pkB (figuratively, put them in a blue box). Evaluate Decrypt-NAND homomorphically. We obtain a "fresh" ciphertext of m1 NAND m2 under key pkB.

[Figure: Evaluate; Decrypt (skA, c1) and Decrypt (skA, c2) feed NAND; the output is a fresh ciphertext of m1 NAND m2]

Page 23: A Brief Story of  Computing on Private Data

Evaluate NAND with Bootstrapping

[Figure: m1, m2 under a pink key PKA, together with skA, go in; a fresh m1 NAND m2 under a blue key PKB comes out]

Page 24: A Brief Story of  Computing on Private Data

Evaluate NAND without bootstrapping

[Figure: m1, m2 → m1 NAND m2, with increased noise]

Page 25: A Brief Story of  Computing on Private Data

Suppose we want to evaluate this circuit homomorphically, with $m_1, m_2, m_3, m_4$ encrypted under pkA.

[Figure: circuit with inputs $m_1, m_2, m_3, m_4$]

Page 26: A Brief Story of  Computing on Private Data

[Figure: Evaluate Decrypt-NAND with skA on m1, m2 gives m1 NAND m2; Evaluate Decrypt-NAND with skA on m3, m4 gives m3 NAND m4; Evaluate Decrypt-NAND with skB on those two results gives (m1 NAND m2) NAND (m3 NAND m4)]

Page 28: A Brief Story of  Computing on Private Data

Bootstrappable encryption schemes

The ciphertexts are always "fresh".

If an encryption scheme is bootstrappable w.r.t. NAND, the cloud can evaluate any circuit of NAND gates, so it can evaluate any boolean function: fully homomorphic.

True conceptually, but ...

[Figure: Decrypt, Decrypt, NAND]

Page 29: A Brief Story of  Computing on Private Data

Unfortunately

Evaluating a circuit of $d$ levels needs $d$ pairs of keys.

Page 30: A Brief Story of  Computing on Private Data

Keys for encryption & decryption & evaluation

[Figure: chain of public keys $pk_d, pk_{d-1}, \ldots, pk_1, pk_0$ and secret keys $sk_d, sk_{d-1}, \ldots, sk_1, sk_0$, with parts labelled Encryption key, Decryption key, Evaluation key]

Page 31: A Brief Story of  Computing on Private Data

Leveled fully homomorphic encryption scheme

bootstrappable → $d$-leveled FHE, written with superscript $(d)$

[Figure: Decrypt circuits, $d$ levels]

Page 32: A Brief Story of  Computing on Private Data

Leveled fully homomorphic encryption scheme

bootstrappable → $d$-leveled FHE, written with superscript $(d)$

KeyGen → KeyGen$^{(d)}$

Encrypt → Encrypt$^{(d)}$

Decrypt → Decrypt$^{(d)}$

Evaluate → Evaluate$^{(d)}$

Page 33: A Brief Story of  Computing on Private Data

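KeyGen$^{(d)}$

[Figure: chain of public keys $pk_d, pk_{d-1}, \ldots, pk_1, pk_0$ and secret keys $sk_d, sk_{d-1}, \ldots, sk_1, sk_0$, with parts labelled Encryption key, Decryption key, Evaluation key]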

Page 34: A Brief Story of  Computing on Private Data

Encrypt$^{(d)}$: Encrypt, $pk_d$.

Decrypt$^{(d)}$: Decrypt, $sk_0$.

Remark: the ciphertext is assumed to be an output of Evaluate$^{(d)}$.

What if it was produced by Encrypt$^{(d)}$?

Page 35: A Brief Story of  Computing on Private Data

Recursive procedure: Evaluate$^{(d)}$ takes $pk^{(d)}$, $C_d$ and a tuple of ciphertexts.

$C_d$ has exactly $d$ levels; gates at level $i$ are connected to gates at level $i - 1$. (Any circuit of depth $d$ can be converted to such a circuit by inserting identity gates.)

The input is a tuple of ciphertexts under $pk_d$.

Page 36: A Brief Story of  Computing on Private Data

[Figure: circuit $C_d$ with levels $d$ down to 1; its inputs are ciphertexts under $pk_d$; Evaluate$^{(d)}(pk^{(d)}, C_d, \ldots)$]

Page 37: A Brief Story of  Computing on Private Data

$C_d$ augmented with decryption circuits

[Figure: Decrypt circuits attached to $C_d$, levels $d$ down to 1; $sk_d$ encrypted under $pk_{d-1}$]

Page 38: A Brief Story of  Computing on Private Data

[Figure: Evaluate the Decrypt circuits, leaving circuit $C_{d-1}$ with levels $d-1$ down to 1 and inputs under $pk_{d-1}$; $sk_d$ encrypted under $pk_{d-1}$; then recursively Evaluate$^{(d-1)}$]

Page 39: A Brief Story of  Computing on Private Data

Evaluate$^{(0)}(pk^{(0)}, C_0, \ldots)$: when $d = 0$, simply return the ciphertext tuple, which is under $pk_0$ and can be decrypted with $sk_0$.

[Figure: $C_0$, ciphertexts under $pk_0$]

Page 40: A Brief Story of  Computing on Private Data

Security

bootstrappable → $d$-leveled FHE

Theorem. If the bootstrappable scheme is semantically secure, then the $d$-leveled scheme is semantically secure.

Page 41: A Brief Story of  Computing on Private Data

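[Figure: chain of public keys $pk_d, pk_{d-1}, \ldots, pk_1, pk_0$ and secret keys $sk_d, sk_{d-1}, \ldots, sk_1, sk_0$, with parts labelled Encryption key, Decryption key, Evaluation key]

When $d$ is large → long keys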

Page 42: A Brief Story of  Computing on Private Data

If the scheme is KDM-secure, then we can shorten the key to $pk_0$, $sk_0$ and an encrypted copy of $sk_0$, independently of $d$, and then we have an FHE scheme.

KDM: Key-Dependent Message

[Figure: the key chain $pk_d, \ldots, pk_0$ and $sk_d, \ldots, sk_0$; if the scheme is KDM-secure, every key in the chain is replaced by $pk_0$ or $sk_0$]

Page 43: A Brief Story of  Computing on Private Data

Gentry's Theorems

If a scheme is bootstrappable, then we can convert it to a leveled FHE scheme.

If a scheme is bootstrappable and KDM-secure (or weakly circular secure), then we can convert it to an FHE scheme.

Page 44: A Brief Story of  Computing on Private Data

All that we need is a (KDM-secure) bootstrappable encryption scheme

[Figure: Decrypt, Decrypt, NAND]

Page 45: A Brief Story of  Computing on Private Data

Gentry's bootstrappable encryption scheme

In 2009, Gentry proposed the first bootstrappable scheme.

Two steps:

• Building a somewhat homomorphic encryption scheme which unfortunately is not bootstrappable (the decryption circuit is too deep)

• Squashing the decryption circuit

Page 46: A Brief Story of  Computing on Private Data

Squashing the decryption circuit

Purpose: to lower the complexity of the decryption circuit.

Basic idea:

[Figure: Decryption algorithm, divided into a part that is secret-key independent, computationally intensive, and done with encryption, and a part that is secret-key dependent]

Page 47: A Brief Story of  Computing on Private Data

Since Gentry's first FHE scheme

• More efficient FHE schemes

• Without squashing (STOC-11)

• Without bootstrapping (Crypto-13)

• Without noise?

Page 48: A Brief Story of  Computing on Private Data

FHE is still in its infancy

Page 49: A Brief Story of  Computing on Private Data

Multi-Key/Multi-Scheme FHE

Page 50: A Brief Story of  Computing on Private Data

Single-key FHE


Page 51: A Brief Story of  Computing on Private Data

Is Multi-key FHE Possible?


Page 52: A Brief Story of  Computing on Private Data

Is Multi-scheme FHE Possible?


Page 53: A Brief Story of  Computing on Private Data

Example

RSA is multiplicatively homomorphic.

RSA is not multi-key multiplicatively homomorphic:

$\mathrm{RSA}_1(m_1) = m_1^{e_1} \bmod n_1$, $\mathrm{RSA}_2(m_2) = m_2^{e_2} \bmod n_2$

Page 54: A Brief Story of  Computing on Private Data

Example

RSA and ElGamal are multiplicatively homomorphic.

If $\mathrm{RSA}_1(m_1) = m_1^{e} \bmod n$ and $\mathrm{ElGamal}_2(m_2) = (\ldots^{k} \bmod p,\; y^{k} m_2 \bmod p)$

Page 55: A Brief Story of  Computing on Private Data

Is Multi-key or Multi-scheme FHE Possible?

Our results: Yes!

• Any FHE can be converted into a multi-key FHE.

• Any FHEs can be converted into a multi-scheme FHE.

Page 56: A Brief Story of  Computing on Private Data

Basic idea: Single-key FHE → Multi-key FHE

Given: An ordinary FHE scheme with evaluation algorithm Eval.

Eval($C$, $pk$, …) evaluates $C(x_1, \ldots, x_t)$ for any $C$, provided the inputs are $\mathrm{Enc}_{pk}(x_1, \ldots, x_t)$.

Objective: Evaluate($C$, $pk_1, \ldots, pk_t$, …)

Page 57: A Brief Story of  Computing on Private Data

Problem

[Figure: inputs $x_1$, $x_2$ go through Evaluate circuit C to give $y$; Evaluate(C)]

Page 58: A Brief Story of  Computing on Private Data

[Figure: $x_1$, $x_2$, $y$, circuit C; Eval(C), if under pk1]

Page 59: A Brief Story of  Computing on Private Data

[Figure: $x_1$, $x_2$, $y$, circuit C; Eval(C); Eval(Eval(C)), under pk2]

Page 60: A Brief Story of  Computing on Private Data

[Figure: $x_1$, $x_2$ (shown twice), $y$; Evaluate(C); circuit C with a question mark]

Page 61: A Brief Story of  Computing on Private Data

$\mathrm{Enc}_{pk_2}(x) \;\overset{?}{\longrightarrow}\; \mathrm{Enc}_{pk_4}\,\mathrm{Enc}_{pk_3}\,\mathrm{Enc}_{pk_2}\,\mathrm{Enc}_{pk_1}(x)$

Page 62: A Brief Story of  Computing on Private Data

Trivial encryption

Trivial encryption property: $m$ is a valid ciphertext of itself. $\mathrm{Decrypt}_{sk}(m) = m$ for all $m$, all $sk$.

Lemma. Any FHE with message space {0,1} can be converted into an FHE with the trivial encryption property without degrading its security.

Page 63: A Brief Story of  Computing on Private Data

$\mathrm{Enc}_{pk_2}(x) \;\longrightarrow\; \mathrm{Enc}_{pk_4}\,\mathrm{Enc}_{pk_3}\,\mathrm{Enc}_{pk_2}\,\mathrm{Enc}_{pk_1}(x)$

Trivial encryptions

Page 64: A Brief Story of  Computing on Private Data

Summary of ideas

[Figure: $x_1$, $x_2$ (shown twice), $y$, circuit C; Eval(C); Eval(Eval(C))]

Page 65: A Brief Story of  Computing on Private Data

Non-trivial to formalize the ideas

Nested ciphertexts: $\mathrm{Enc}_{pk_4}\,\mathrm{Enc}_{pk_3}\,\mathrm{Enc}_{pk_2}\,\mathrm{Enc}_{pk_1}(x)$

Nested circuits: $\mathrm{Eval}_{pk_4}\,\mathrm{Eval}_{pk_3}\,\mathrm{Eval}_{pk_2}\,\mathrm{Eval}_{pk_1}(C)$

Page 66: A Brief Story of  Computing on Private Data

Nested ciphertexts

Use a tree to represent a nested ciphertext.

Example: $\mathrm{Enc}_{pk_2}\,\mathrm{Enc}_{pk_1}(b)$

Page 67: A Brief Story of  Computing on Private Data

Nested circuits

Recursively define: // $C(x_1, \ldots, x_t)$ is the given circuit to evaluate //

[Equations: a sequence of circuits, each obtained by applying $\mathrm{Eval}_{pk}$ to the previous one]

The last circuit is the desired Evaluate($C$, $pk_1, \ldots, pk_t$, …) with nested input ciphertexts of $x_i$, $1 \le i \le t$.

Page 68: A Brief Story of  Computing on Private Data

Summary: Multi-key/Multi-scheme FHE is possible

Any FHE can be converted into a multi-key FHE.

Any FHEs can be converted into a multi-scheme FHE.

[Figure: $x_1$, $x_2$]

Page 69: A Brief Story of  Computing on Private Data

Research problems

• Design more efficient FHE schemes

• How to make use of FHE?