Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of - - PowerPoint PPT Presentation
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October 2013 Outsourcing Computation () Email, web- search, navigation, social networking Search query, location, business
Zvika Brakerski Weizmann Institute of Science
ASCrypto, October 2013
Email, web-search, navigation, social networkingβ¦
π¦ π π(π¦) π¦
Search query, location, business information, medical informationβ¦
We promise we wont look at your data. Honest! We want real protection.
WANT NTED ED Homomorphic Evaluation function: πΉπ€ππ: π, πΉππ π¦ β πΉππ(π π¦ )
π¦ π π§ πΉππ(π¦) πΈππ π§ = π(π¦)
Learns nothing on π¦.
π¦ π π§ = πΉπ€ππππ€π(π, πΉππ π¦ ) πΉππ(π¦) πΈπππ‘π π§ = π(π¦) π‘π , ππ ππ€π
Correctness:
πΉππ(π¦) β πΉππ(0)
Input privacy:
π§ πΈππ π§ = π(π¦)
πΉππππ(π¦)
Fully Homomorphic = Correctness for any efficient π = Correctness for universal set
πΊπΌπΉ (π, π) β π(πΈπππ‘π(π))
NOT what we were looking forβ¦
All work is relayed to receiver.
Compact FHE: πΈππ time does not depend on ciphertext. β ciphertext length is globally bounded.
In this talk (and in literature) FHE β Compact-FHE
πΉππ (π¦)
= π πΈπππ‘π πΉππ π¦ = π(π¦)
πΊπΌπΉ (π, π) β π(πΈπππ‘π(π))
This βschemeβ also completely reveals π to the receiver. Can be a problem. Circuit Privacy: Receiver learns nothing about π (except output). In this talk: Only care about compactness, no more circuit privacy. Circuit private FHE is not trivial to achieve β even non-compact. Compactness β Circuit Privacy (by complicated reduction) [GHV10]
In the cloud:
Secure multiparty computation:
Primitives:
Can send wrong value of π(π¦) .
π¦ π π(π¦) π¦
, π
Pre-FHE solutions: multiple rounds [K92] or random oracles [M94].
assumptions: [GGP10, CKV10].
SNARGs/SNARKs [DCL08,BCCT11,β¦] (uses FHE or PIR).
π¦ π π‘π , ππ ππ€π ππ¦ = πΉππ π¦ , π0 π§π¦, π§0 Check π§0 = π¨0?
Yes β output πΈππ(π§π¦) No β output β₯ Preprocessing: π0 = πΉππ(0) π¨0 = πΉπ€ππ(π, π0)
Verification:
Idea: βCut and chooseβ
ππ¦, π0 look the same β cheating server will be caught w.p. Β½
(easily amplifiable)
But preprocessing is as hard as computation!
Server executes π§ = πΉπ€ππ(π, π)
π¦ π π‘π , ππ ππ€π (ππ€πβ²β², πΉππβ²β² ππ¦ ), (ππ€πβ², πΉππβ² π0 ) π§β²β²π¦, π§β²0 Check πΈππβ²(π§β²0) = π¨0?
Yes β output πΈππβ²β²(πΈππ π§π¦ ) No β output β₯ Preprocessing: π0 = πΉππ(0) π¨0 = πΉπ€ππ(π, π0)
Verification:
Idea: Outer layer keeps server βobliviousβ of π¨0.
β Can recycle π¨0 for future computations.
Server executes π§β² = πΉπ€ππβ²(πΉπ€ππ π,β , πβ²) π§β²β² = πΉπ€ππβ²β²(πΉπ€ππ π,β , πβ²β²) Server is not allowed to know if we accept/reject!
30 years of hardly scratching the surface:
G84, P99, R05].
[BGN05, GHV10].
MGH10].
β¦ is it even possible?
Basic scheme: Ideal cosets in polynomial rings.
β Bounded-depth homomorphism.
vector in ideal lattice.
Bootstrapping: bounded-depth HE β full HE.
But bootstrapping doesnβt apply to basic scheme...
subset-sum.
Optimizations [SV10,SS10,GH10]
Simplified basic scheme [vDGHV10,BV11a]
?
Assumption: Apx. short vector in arbitrary lattices (via LWE).
Fundamental algorithmic problem β extensively studied.
[LLL82,K86,A97,M98,AKS03,MR04,MV10]
Shortest-vector Problem (SVP):
Assumption: Apx. short vector in arbitrary lattices (via LWE).
β Ciphertext is a linear function π(π¦) s.t. π π‘π β π . β Add/multiply functions for homomorphism. β Multiplication raises degree β use relinearization.
ciphertexts.
Concurrently [GH11]: Ideal lattice based scheme without squashing.
Follow-ups:
β Even better security. β Improved efficiency in ring setting using βbatchingβ. β Batching without ideals in [BGH13].
β Security based on classical lattice assumptions. β Explained in blog post [BB12].
Various optimizations, applications and implementations:
[LNV11, GHS12a, GHS12b, GHS12c, GHPS12, AJLTVW12, LTV12, DSPZ12, FV12, GLN12, BGHWW12,HW13 β¦]
β Ciphertext is a matrix π· s.t. π· β π‘π β π β π‘π . β Add/multiply matrices for homomorphism*.
Ciphertexts = Matrix
Same assumption and keys as before β ciphertexts are different
What is the best way to evaluate a product of π numbers? X X X X
X X
Parallel Sequential c1 c2 c3 c4 c1 c2 c3 c4
Conventional wisdom Actually better
(if done right)
Barringtonβs Theorem [B86]: Every depth π computation can be transformed into a width-5 depth 4π branching program.
A sequential model of computation
hardness assumption as non homomorphic encryption.
Standard benchmark: AES128 circuit Implementations of [BGV12] by [GHS12c,CCKLLTY13] β5 min/input
β To be practical, we need to improve the theory.
2-years ago it was 3 min/gate [GH10]
New works [GSW13,BV13] address some of these issues, but have other drawbacks
See also HElib https://github.com/shaih/HElib
π¦ π π§ = πΉπ€ππππ€π(π, πΉππ π¦ ) πΉππππ(π¦) πΈπππ‘π π§ = π(π¦) π‘π , ππ ππ€π
Best of both worlds?
π¦ π πΈπππ‘π π§ = π(π¦) π‘π , ππ ππ€π π‘π§π c=πΉπππ‘π§π(π¦) πΉππππ(π‘π§π)
Easy to encrypt, ciphertext is short⦠But how to do Eval?
Define: π π¨ = πππ_πΈπππ¨(π) Server Computes: π§β² = πΉπ€ππππ€π(π, πΉππππ(π‘π§π))
= πΉππ πππ_πΈπππ‘π§π π = πΉππππ(π¦) π§ = πΉπ€ππππ€π(π, π§β²)
Observation: Let π·1, π·2 be matrices with the same eigenvector π‘ , and let π1, π2 be their respective eigenvalues w.r.t π‘ . Then:
.
. Idea: π‘ = secret key, π· = ciphertext, and π = message.
Insecure! Eigenvectors are easy to find. What about approximate eigenvectors?
β Homomorphism for addition and multiplication. β Full homomorphism!
Say over β€π
How to decrypt? Must have restriction on π Suppose π‘ [1] = π/2 , and π β *0,1+
)[1] =
π 2 π + π
[1] Find π by rounding
π·1 β π‘ = π1π‘ + π 1 π 1 βͺ π π·2 β π‘ = π2π‘ + π 2 π 2 βͺ π π·πππ = π·1 + π·2: (π·1+π·2) β π‘ = π·1π‘ + π·2π‘ = π1π‘ + π 1 + π2π‘ + π 2 = (π1+π2)π‘ + (π 1+π 2) π πππ Goal: π·1, π·2 β π·πππ = πΉππ(π1 + π2) , π·ππ£ππ’ = πΉππ(π1π2).
Noise grows a little
π·1 β π‘ = π1π‘ + π 1 π 1 βͺ π π·2 β π‘ = π2π‘ + π 2 π 2 βͺ π π·ππ£ππ’ = π·1 β π·2: (π·1β π·2) β π‘ = π·1 π2π‘ + π 2 = π2π·1π‘ + π·1π 2 = π2 π1π‘ + π 1 + π·1π 2 π ππ£ππ’
Noise grows. But by how much? Can also use π·2 β π·1
= π2π1π‘ + π2π 1 + π·1π 2 Goal: π·1, π·2 β π·πππ = πΉππ(π1 + π2) , π·ππ£ππ’ = πΉππ(π1π2).
Random noisy linear equations β uniform
π =
π+
uniform matrix β β€π
πΓπ
secret vector β β€π
π
small noise β β€π
π
ππ β€ π½π
β€π
π
π
LWE assumption
As hard as π/π½ -apx. short vector in worst case π-dim. lattices
[R05, P09]
π π π
π
=
π =
π+
public key
+
π
0,1 π uniform
π
π
1
secret key
=
π β π + π β π‘
βencryptionβ of π β π (without knowing π‘ ) [ACPS09] small βnoiseβ
Looks jointly uniform
π π π·π» =
π =
π+ +
π»
0,1 πΓπ uniform
1
= ππ + π»π‘ π·π»
= π small βnoiseβ β€π
πΓ(π+1)
Goal: Encrypt message π β *0,1+ Idea: πΉππ π = π·πβ π½ β π·πβ π½ β π‘ = π + ππ½π‘ = π β π‘ + π As we saw: π·1 β π·2 β π‘ = π·1 β π 2 + π2π‘ = π·1 β π 2 + π2 β π·1 β π‘ = π·1 β π 2 + π2π 1 + π1π2π‘
desired
small noise HUGE noise
Break each entry in π· to its binary representation
π· = 3 5 1 4 (πππ 8) πππ’π‘ π· = 0 1 1 1 1 1 1 0 (πππ 8)
Small entries like we wanted! But product with π‘ now meaningless
Consider the βreverseβ operation: πππ’π‘ π· β 4 2 1 4 2 1 = π·
π»
π· β π‘ = πππ’π‘(π·) β π» β π‘ = πππ’π‘(π·) β π‘ β π‘ β = π» β π‘ βpowers of 2β vector Contains π/2 as an element
πΉππ π = π·πβ π» β β€π
( π+1 log π)Γ(π+1)
β π·πβ π» β π‘ = π + π β π» β π‘
πππ’π‘(π·1) β π·2 β π‘ = πππ’π‘(π·1) β π 2 + π2π»π‘ = πππ’π‘ (π·1) β π 2 + π2 β πππ’π‘(π·1) β π» β π‘ = πππ’π‘ (π·1) β π 2 + π2 β π·1 β π‘ = πππ’π‘ (π·1) β π 2 + π2 β π 1 + π1 β π2 β π» β π‘
desired output small small-ish
π ππ£ππ’ β€ π β π 2 + π2 β π 1 β€ π + 1 β max* π 1 , π 2 +
π
π·ππ£ππ’ = πππ’π‘ π·1 β π·2
πππ’π‘(π·1) β π·2 β π‘
π·ππππ = π» β πππ’π‘ π·1 β π·2
π ππππ β€ π β π 2 + π2 β π 1 β€ π + 1 β max* π 1 , π 2 +
π ππ£π’ππ£π’ β€ π + 1 π β ππ½π β πππ½π π ππππ£π’ β€ ππ½π
π ππππ£π’ π ππ£π’ππ£π’
Noise grows during homomorphic evaluation
Depth π
π π+1 β€ (π + 1) π π
β Decryption succeeds if π½ βͺ 1/ππ.
π½ β€ πβπ πβππ β log 1/π½
Set π β₯ π2 ; π½ = 2β π β log 1/π½ = π
Undesirable:
Leveled FHE: Parameters (ππ€π) grow with π.
Homomorphic β fully homomorphic when ππππ < πβππ
In our scheme: ππππ = log π β FHE if π½ < πβ log π
Quasi-polynomial approximation for short vector problems (same factor as [BGV12,B12]) Non-homomorphic schemes only need ππ 1 approximation (Proof to come)
Additional condition, to be discussed.
π ππ£ππ’ = πππ’π‘ (π·1) β π 2 + π2 β π 1 Asymmetric! Important observations:
1 gets multiplied by 0/1 ; π 2 can get multiplied by π.
1 has no effect! Conclusion: The order of multiplication matters. Want to multiply π·
π΅, π·πΆ s.t. π
π΅ β« π πΆ . Which is better: πππ’π‘ π·π΅ β π·πΆ or πππ’π‘ π·πΆ β π·
π΅ ?
π ππ£ππ’ = πππ’π‘ (π·1) β π 2 + π2 β π 1 Task: Multiply 4 ciphertexts π·1, β¦ , π·4 Multiplication Tree X X X
c1 c2 c3 c4 π = πΉ0 π = πΉ0(π + 1) π = πΉ0 π + 1 2
X X X
c1 c2 c3 c4 π = πΉ0 πΉ0(π + 1) πΉ0 πΉ0 πΉ0(2π + 1) πΉ0(3π + 1)
Sequential Multiplier
Winner!
Homomorphic β fully homomorphic when ππππ < πβππ
Given scheme with bounded πβππ How to extend its homomorphic capability?
Idea: Do a few operations, then βswitchβ to a new instance
(ππ2, π‘π2) (ππ3, π‘π3) (ππ1, π‘π1)
Switch keys
βcostβ in homomorphism
π¦ π πΈπππ‘π π§ = π(π¦) π‘π , ππ ππ€π π‘π§π c=πΉπππ‘π§π(π¦) πΉππππ(π‘π§π) Define: π π¨ = πππ_πΈπππ¨(π) Server Computes: π§β² = πΉπ€ππππ€π(π, πΉππππ(π‘π§π))
= πΉππ πππ_πΈπππ‘π§π π = πΉππππ(π¦) π§ = πΉπ€ππππ€π(π, π§β²)
πΈπππ‘π(β ) πΈππ β (π) π π‘π π π Decryption circuit: Dual view: β‘ ππ β ππ π‘π = πΈπππ‘π π = π
Key switching procedure π‘π1, ππ1 β π‘π2, ππ2 :
Input: π = πΉππππ1(π) Server aux info: ππ£π¦ = πΉππππ2(π‘π1) (ahead of time) Output: πΉπ€ππππ2(ππ, ππ£π¦) πΉπ€ππππ2 ππ, ππ£π¦ = πΉπ€ππππ2 ππ, πΉππππ2 π‘π1 = πΉππππ2 ππ π‘π1 = πΉππππ2 πΈπππ‘π1 π = πΉππππ2(π) Eval depth = ππππ
Given scheme with bounded πβππ. How to extend its homomorphic capability?
Idea: Do a few operations, then βswitchβ to a new instance
(ππ2, π‘π2) (ππ3, π‘π3) (ππ1, π‘π1)
Switch keys
βcostβ of ππππ
Need to generate many keysβ¦
Given scheme with bounded πβππ. How to extend its homomorphic capability?
Idea: Do a few operations, then βswitchβ to a new instance
(ππ , π‘π ) (ππ , π‘π ) (ππ , π‘π )
Switch from the key to itself! Key switching works Server aux info: ππ£π¦ = πΉππππ (π‘π )
Intuitively: Yes, encryption hides the message. Formally: Security does not extend.
What can we do about it?
Option 1: Assume itβs secure β no attack is known. Option 2: Use a sequence of keys. β No. of keys proportional to computation depth (leveled FHE).
Is it secure to publish ππ£π¦ = πΉππππ(π‘π)
[BV11a]: Circular secure βsomewhatβ homomorphic scheme.
But all are lattice based
[B13]: Homomorphicly βclean upβ the noise β break security. β βToo muchβ homomorphism is a bad sign.
method.