Fully Homomorphic Encryption
Zvika Brakerski Weizmann Institute of Science
Technion CRYPTODAY, December 2015
What Are You Searching For?
We know: medical information, navigation, email, business information, other personal information…
$x$  $f$  $f(x)$  $x$
search query google web index search results medical records medical analysis diagnosis location, destination routing navigation route
We promise we won't look at your data. Honest! We want real protection.
WANTED: Homomorphic Evaluation function: $f, \mathrm{Enc}(x) \rightarrow \mathrm{Enc}(f(x))$
$x$  $f$  $y$  $\mathrm{Enc}(x)$  $\mathrm{Dec}(y) = f(x)$
Learns nothing about $x$.
$y = \mathrm{Eval}(f, \mathrm{Enc}(x))$
Fully Homomorphic = Homomorphism for any efficient $f$
Computational model: $f$ given as circuit. Goal: $\mathrm{Eval}$ for universal set of gates (NAND(x,y)=1-xy)
Bit-by-bit randomized encryption
In the cloud:
Secure multiparty computation:
Primitives:
30 years of hardly scratching the surface:
G84, P99, R05].
[BGN05, GHV10].
MGH10].
… is it even possible?
Basic Idea: Find scheme s.t. ciphertext and message are related by a secret algebraic equivalence
Add/multiply ciphertexts ⇒ Add/multiply messages
e.g. (mod p) for secret p
small (even) noise
Noise grows with homomorphic evaluation ⇒ must not grow “too much”! In the example above: |πππ£ππ’| β πππ 2
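The mod-p idea and its noise growth, as an added example that is not part of the talk: a toy integer scheme where a ciphertext is the message plus small even noise plus a multiple of the secret p. All function names and parameter sizes are assumptions, and the parameters are far too small to be secure.

```python
import secrets

# Toy symmetric scheme over the integers (constructed parameters, far too
# small to be secure): c = m + 2e + q*p, with p the secret odd modulus.
P_BITS, NOISE_BITS, Q_BITS = 200, 8, 400

def keygen():
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1  # odd, 200 bits

def encrypt(p, m):
    # e is kept at full size so the growth shown below is reproducible
    e = (1 << (NOISE_BITS - 1)) + secrets.randbits(NOISE_BITS - 1)
    return m + 2 * e + secrets.randbits(Q_BITS) * p

def noise(p, c):
    """Centered residue of c mod p; equals m + 2e while it stays below p/2."""
    r = c % p
    return r - p if r > p // 2 else r

def decrypt(p, c):
    return noise(p, c) % 2

def nand(c1, c2):
    """NAND(x, y) = 1 - xy, computed on ciphertexts as plain integers."""
    return 1 - c1 * c2

def nand_chain(p, bit, depth):
    """Apply c <- NAND(c, c) (= NOT) repeatedly, tracking the true noise.
    Returns (level, noise_bits, within_budget, decrypts_correctly) per level."""
    c = encrypt(p, bit)
    n, expected, report = noise(p, c), bit, []  # fresh noise is read exactly
    for level in range(depth + 1):
        report.append((level, abs(n).bit_length(), 2 * abs(n) < p,
                       decrypt(p, c) == expected))
        c, n, expected = nand(c, c), 1 - n * n, 1 - expected
    return report

if __name__ == "__main__":
    for row in nand_chain(keygen(), 1, 5):
        print("level %d: noise %3d bits, within budget=%s, correct=%s" % row)
```

The noise length roughly doubles per multiplicative level, so with a 200-bit p the chain decrypts correctly through level 4 and exceeds the p/2 budget at level 5, after which the decrypted bit is no longer reliable.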
Security?
|πππ£π’| β€ πΉ2π |πππ| β€ πΉ
πππ πππ£π’
Noise grows during homomorphic evaluation
Depth π
ππ+1 β€ ππ 2
[BV11b,BGV12,BV14].
- As secure as any other encryption scheme.
- πππ£π’ β€ ππ β πΉ (instead of πΉ2π).
- “Leveled” FHE.
[G09,SV10,BV11a,BGV12,GHS12a,GHS12b,GHS12c,GHPS13,AP13].
[SV10,BGV12,GHS12a,GHS12b,GHS12c,HS15].
Given scheme with bounded $d_{hom}$. How to extend its homomorphic capability?
Idea: Do a few operations, then “switch” to a new instance
$(pk_2, sk_2)$  $(pk_3, sk_3)$  $(pk_1, sk_1)$
Switch keys
“cost” in homomorphism
Decryption circuit: $\mathrm{Dec}_{sk}(\cdot)$, input $c$, output $x$.
Dual view: $\mathrm{Dec}_{(\cdot)}(c) \equiv h_c(\cdot)$, input $sk$, output $x$: $h_c(sk) = \mathrm{Dec}_{sk}(c) = x$
Given $c$, server can compute circuit for $h_c$ ⇒ Apply $h_c(\cdot)$ homomorphically on $sk$!
$$\mathrm{Eval}_{pk'}(h_c, aux) = \mathrm{Eval}_{pk'}(h_c, \mathrm{Enc}_{pk'}(sk)) = \mathrm{Enc}_{pk'}(h_c(sk)) = \mathrm{Enc}_{pk'}(\mathrm{Dec}_{sk}(c)) = \mathrm{Enc}_{pk'}(x)$$
$aux = \mathrm{Enc}_{pk'}(sk)$
πβππ β πβπ = πβππ β ππππ
Given scheme with bounded $d_{hom}$. How to extend its homomorphic capability?
Idea: Do a few operations, then “switch” to a new instance
$(pk_2, sk_2)$  $(pk_3, sk_3)$  $(pk_1, sk_1)$
Switch keys
“cost” of $d_{dec}$ for switch
- Bootstrapping if $d_{hom} \geq d_{dec} + 1$
Downside: Need to generate many keys…
$aux_{1 \rightarrow 2} = \mathrm{Enc}_{pk_2}(sk_1)$  $aux_{2 \rightarrow 3} = \mathrm{Enc}_{pk_3}(sk_2)$  secure?
Given scheme with bounded $d_{hom}$. How to extend its homomorphic capability?
Idea: Do a few operations, then “switch” to a new instance
$(pk, sk)$  $(pk, sk)$  $(pk, sk)$
$aux = \mathrm{Enc}_{pk}(sk)$
switch from key to itself! functionality of switching works
circular security required
- Ring-LWE (ideal-lattice) scheme of [BGV12], optimizations of [GHS12a]
- https://github.com/shaih/HElib
- LWE scheme of [B12] with optimizations
- http://cs.stanford.edu/~dwu4/fhe.html
- Ring-LWE scheme of [DM14], built upon approximate eigenvector approach of [GSW13,BV14,AP14]
- No batching but very fast bootstrapping
- https://github.com/lducas/FHEW
- Inherent? Need to touch all elements to not leak.
- No known alternative for deep computations.
- Large ciphertexts, long keys.
- Can “batch” to reduce overhead.