FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J...
-
Upload
jenna-daley -
Category
Documents
-
view
235 -
download
0
Transcript of FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk (RSA labs) Craig Gentry (IBM T J...
FULLY HOMOMORPHIC ENCRYPTION
from the Integers
Marten van Dijk(RSA labs)
Craig Gentry(IBM T J Watson)
Shai Halevi(IBM T J Watson)
Vinod Vaikuntanathan(IBM T J Watson)
Computing on Encrypted Data
Client Server/Cloud(Input: x) (Program: P)
“I want to delegate the computation to the cloud”“I want to delegate the computation to the cloud,
but the cloud shouldn’t see my input”
Enc[P(x)]
Enc(x) P
(An Example)
Enc[P(x)]
Enc(x)
P
Definition: [KeyGen, Enc, Dec, Eval](as in regular encryption)
Compactness: Size of Eval’ed ciphertext independent of P
Fully HomomorphicEncryption (FHE) =
Security: Semantic Security [GM’82]
Definition: [KeyGen, Enc, Dec]
Eval
– BGN’05 & GHV’10a: quadratic formulas
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
► Limited Variants:
– GM & Paillier: additively homomorphic
– RSA & El Gamal: multiplicatively homomorphic
– their motivation: searching encrypted data
► NON-COMPACT homomorphic encryption
[CCKM00, SYY99, IP07,MGH08,GHV10b,…]
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– using just integer addition and multiplication
– their motivation: searching encrypted data
► Is there an elementary Construction of FHE?
Big Breakthrough: [Gentry09]
First Construction of Fully Homomorphic Encryption
using algebraic number theory / “ideal lattices”
– easier to understand, implement and improve
No ideal lattices
OUR RESULT
Theorem [DGHV’10]: We have a fully homomorphic public-key encryption scheme
– which uses only add and mult over the integers,
– which is secure based on the approximate GCD problem & the sparse subset sum problem.
Construction
A Roadmap
1. Secret-key “Somewhat” Homomorphic Encryption(under the approximate GCD assumption)
2. Public-key “Somewhat” Homomorphic Encryption(under the approximate GCD assumption)
3. Public-key FULLY Homomorphic Encryption(under approx GCD + sparse subset sum)
(a simple transformation)
(borrows from Gentry’s techniques)
Secret-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Encrypt a bit b:
– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– Ciphertext c = q·p+2·r+b
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
(q ~ n5 bits)
(r ~ n bits)
“noise”
(sec. param = n)
Secret-key Homomorphic Encryption
How to Add and Multiply Encrypted Bits:
– Add/Mult two near-multiples of p gives a near-multiple of p.
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p
LSB = b1 XOR b2
LSB = b1 AND b2
Two Issues
Ciphertext grows with each operation
Noise grows with each operation
→ Useless for many applications (cloud computing, searching encrypted e-mail)
– Consider c = qp+2r+b ← Enc(b)
(q-1)p qp (q+1)p (q+2)p
2r+b
– c (mod p) = r’ ≠ 2r+b
r’
Two Issues
Ciphertext grows with each operation
→ Useless for many applications (cloud computing, searching encrypted e-mail)
→ After some operations, the ciphertext becomes “undecryptable”
Noise grows with each operation
Solving the Two Issues
Ciphertext grows with each operation
– Publish x0 = q0p (*)
– Take ciphertext (mod x0) after each op (Add/Mult)
(*) More complex way using x0 = a near-multiple of p
Solving the Two Issues
Ciphertext grows with each operation
– Publish x0 = q0p
– Take ciphertext (mod x0) after each op (Add/Mult)
Ciphertext stays less than x0 always
The encrypted bit remains same
Noise does not increase at all
Solving the Two Issues
Ciphertext grows with each operation
Can perform “limited” number of hom. operations
(“Somewhat Homomorphic” Encryption)
– Somewhat → Fully: (A variant of) Squashing + Bootstrapping [G’09]
Noise grows with each operation
– Publish x0 = q0p
– Take ciphertext (mod x0) after each op (Add/Mult)*
Security(of the secret-key “somewhat” homomorphic scheme)
The Approximate GCD Assumption
q0p
p?
p
q0 ← [0…Q]
odd p ← [0…P]
(q0p,q1p+r1,…, qtp+rt)
Assumption: no PPT adversary can guess the number p
Parameters of the Problem: Three numbers P,Q and R
q ← [0…Q]r ← [-R…R]
q1p+r1
(name coined by Howgrave-Graham)
p?
p
Assumption: no PPT adversary can guess the number p
Semantic Security: no PPT adversary can guess the bit b
(q0p,q1p+2r1+b,…,qkp+2rk+b)
=(proof of security)
(q0p,q1p+r1,…, qtp+rt)
A “Taste” of the Security Proof
Encryption breaker
Adv
Alsb(q)
q0p,{qip+ri}p
c=qp+r
Claim: On every c=qp+r, A predicts lsb(q) correctly w.p. 1-1/poly
“Proof”: Lots of details (Worst-case to average case over c, computing lsb(q) = computing lsb(r), a hybrid argument.)
Approx GCD solver
Adv
Bq
p
c=qp+r
q0p,{qip+ri}
A “Taste” of the Security Proof
Main Idea: Use lsb(q) to make q successively smaller
– If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2])– If lsb(q) = 1, c ← [(c-p)/2]
(new-c =
(q-1)/2*p+[r/2])
Adv
Alsb(q)
q0p,{qip+ri}p
c=qp+r Adv
Bq
p
c=qp+r
q0p,{qip+ri}
First Try:
A “Taste” of the Security Proof
Main Idea: Use lsb(q) to make q successively smaller
– If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2])– If lsb(q) = 1, c ← [(c-p)/2]
(new-c =
(q-1)/2*p+[r/2])
Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2
(+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’
W.h.p. gcd(q1,q2)=1
– If lsb(q) = 1, c ← [(c-z’)/2] (new-c = (q-1)/2*p+[(r-r’)/2])
– Learn q bit by bit
A “Taste” of the Security Proof
Main Idea: Use lsb(q) to make q successively smaller
Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2
(+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’
Observation: the Binary GCD algo. is “noise-tolerant”, given lsb oracle.(similar to the RSA hardcore bit proof of [ACGS’88])
– Lagarias’ algorithm
Studied by [HG01]; also [Lag82,Cop97,NS01](equivalent to “simultaneous Diophantine approximation”)
Lattice-based Attacks
– Coppersmith’s algo. for finding small polynomial roots
– Nguyen/Stern and Regev’s orthogonal lattice method
All run out of steam when log Q > (log P)2
(our setting of parameters: log Q = n5, log P = n2)
How Hard is Approximate GCD?
Future Directions
Efficient fully homomorphic encryption(Currently: n5 size ciphertexts; n10 running-time blowup)
Security of the approx GCD assumption(e.g., a worst-case to average-case reduction to regular – non-ideal – lattice problems?)
Some recent improvements [SV’10,SS’10]
Questions?
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
= t+1 random encryptions of 0
Δ
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
Parameter Regimes
R
log
Q/(
log
P)2
(very rough diagram)
min=0 max=P
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
– t+1 encryptions of 0
– W.l.o.g., x0 = q0p+2r0 is the largest
Δ
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
c = p[ ] + 2[ ] + b (mod x0) Si
iq
Siirrc = p[ ] + 2[ ] + b – kx0 (for a small k)
Siiq
Siirr
= p[ ] + 2[ ] + b 0kqqSi
i
0krrrSii
(mult. of p) + (“small” even noise) + b
c = + b (mod x0)rxSi
i 2
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval: Reduce mod x0 after each operation
To Encrypt a bit b: pick random subset S [1…t]
Ciphertext Size Reduction
– Resulting ciphertext < x0
– Underlying bit is the same (since x0 has even noise)
– Noise does not increase by much(*)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)Δ
(*) additional tricks for mult
A Roadmap
Secret-key “Somewhat” Homomorphic Encryption
Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
How “Somewhat” Homomorphic is this?
Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if:
f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt
Final Noise ~ (2n)d+…+(2n)d = m•(2n)d
Say, noise in Enc(xi) < 2n
2/22/22nnd pm or nd ~
“Somewhat” HE“Bootstrappable”
From “Somewhat” to “Fully”
FHE = Can eval all fns.
Theorem [Gentry’09]: Convert “bootstrappable” → FHE.
Augmented Decryption ckt.
Dec Dec
NAND
c1 sk skc2
Is our Scheme “Bootstrappable”?
What functions can the scheme EVAL?
Complexity of the (aug.) Decryption Circuit
(?)
Can be made bootstrappable– Similar to Gentry’09
Caveat: Assume Hardness of “Sparse Subset Sum”
(polynomials of degree < n)
(degree ~ n1.73 polynomial)