Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of - - PowerPoint PPT Presentation

SLIDE 1

Fully Homomorphic Encryption

Zvika Brakerski Weizmann Institute of Science

AWSCS, March 2015

SLIDE 2

Outsourcing Computation

Email, web-search, navigation, social networking…

Diagram: the client holds $x$ and sends it to the server, which computes $f$ and returns $f(x)$.

What if $x$ is private?

Search query, location, business information, medical information…

SLIDE 3

The Situation Today

"We promise we won't look at your data. Honest!"

"We want real protection."

SLIDE 4

Outsourcing Computation – Privately

WANTED: a homomorphic evaluation function $\mathrm{Eval}\colon (f, \mathrm{Enc}(x)) \to \mathrm{Enc}(f(x))$.

Diagram: the client holds $x$ and sends $\mathrm{Enc}(x)$; the server evaluates $f$ on the ciphertext and returns $y$; the client computes $\mathrm{Dec}(y) = f(x)$.

The server learns nothing about $x$.

SLIDE 5

Fully Homomorphic Encryption (FHE)

Diagram: the client holds keys $sk, pk, evk$ and input $x$, and sends $\mathrm{Enc}(x)$; the server computes $y = \mathrm{Eval}(f, \mathrm{Enc}(x))$; the client computes $\mathrm{Dec}(y) = f(x)$.

Correctness: $\mathrm{Dec}(\mathrm{Eval}(f, \mathrm{Enc}(x))) = f(x)$.

Input privacy: $\mathrm{Enc}(x) \cong \mathrm{Enc}(0)$.

Fully homomorphic = correctness for any efficient $f$ = correctness for a universal set of gates:

  • NAND.
  • $(+, \times)$ over $\mathbb{Z}_2$ (= binary XOR, AND).

SLIDE 6

Trivial FHE?

PKE ⇒ "FHE":

  • $\mathrm{Keygen}$ and $\mathrm{Enc}$: same as PKE.
  • $\mathrm{Eval}(f, c) \triangleq (f, c)$
  • $\mathrm{Dec}'((f, c)) \triangleq f(\mathrm{Dec}(c))$

Correctness: $\mathrm{Dec}'(\mathrm{Eval}(f, \mathrm{Enc}(x))) = f(\mathrm{Dec}(\mathrm{Enc}(x))) = f(x)$.

NOT what we were looking for… All work is relayed to the receiver.

Compact FHE: $\mathrm{Dec}$ time does not depend on the ciphertext ⇒ ciphertext length is globally bounded.

In this talk (and in the literature) FHE ≜ compact FHE.

SLIDE 7

Trivial FHE?

PKE ⇒ "FHE":

  • $\mathrm{Keygen}$ and $\mathrm{Enc}$: same as PKE.
  • $\mathrm{Eval}(f, c) \triangleq (f, c)$
  • $\mathrm{Dec}'((f, c)) \triangleq f(\mathrm{Dec}(c))$

This "scheme" also completely reveals $f$ to the receiver. Can be a problem.

Circuit privacy: the receiver learns nothing about $f$ (except the output).

In this talk: we only care about compactness, not about circuit privacy. Circuit-private FHE is not trivial to achieve – even non-compact. Compactness ⇒ circuit privacy (by a complicated reduction) [GHV10].

SLIDE 8

Applications

In the cloud:

  • Private outsourcing of computation.
  • Near-optimal private outsourcing of storage (single-server PIR). [G09,BV11b]
  • Verifiable outsourcing (delegation). [GGP11,CKV11,KRR13,KRR14]
  • Private machine learning in the cloud. [GLN12,HW13]

Secure multiparty computation:

  • Low-communication multiparty computation. [AJLTVW12,LTV12]
  • More efficient MPC. [BDOZ11,DPSZ12,DKLPSS12]

Primitives:

  • Succinct argument systems. [GLR11,DFH11,BCCT11,BC12,BCCT12,BCGT13,…]
  • General functional encryption. [GKPVZ12]
  • Indistinguishability obfuscation for all circuits. [GGHRSW13,…]

SLIDE 9

Verifiable Outsourcing (Delegation)

Diagram: the client holds $x$ and sends it to the server, which computes $f$ and returns $f(x)$ together with a proof $\pi$.

The server can send a wrong value of $f(x)$. What if the server is cheating? Need proof!

SLIDE 10

FHE ⇒ Verifiable Outsourcing

FHE ⇒ verifiability and privacy.

Pre-FHE solutions: multiple rounds [K92] or random oracles [M94].

  • 1. Verifiability with preprocessing under "standard" assumptions: [GGP10, CKV10, KRR13, KRR14].
  • 2. Less standard assumptions but without preprocessing, via SNARGs/SNARKs [DCL08, BCCT11, …] (uses FHE or PIR).

SLIDE 11

FHE ⇒ Verifiable Outsourcing [CKV10]

Preprocessing (client, holding $sk, pk, evk$): $\hat c = \mathrm{Enc}(0)$, $\hat z = \mathrm{Eval}(f, \hat c)$.

Diagram: the client sends $c = \mathrm{Enc}(x)$ and $\hat c$; the server executes $y = \mathrm{Eval}(f, c)$ and $\hat y = \mathrm{Eval}(f, \hat c)$ and returns $y, \hat y$.

Verification: check $\hat y = \hat z$? Yes ⇒ output $\mathrm{Dec}(y)$. No ⇒ output $\bot$.

Idea: "cut and choose". $c, \hat c$ look the same ⇒ a cheating server will be caught w.p. ½ (easily amplifiable).

But preprocessing is as hard as the computation!

SLIDE 12

FHE ⇒ Verifiable Outsourcing [CKV10]

Preprocessing (client, holding $sk, pk, evk$): $\hat c = \mathrm{Enc}(0)$, $\hat z = \mathrm{Eval}(f, \hat c)$.

Diagram: the client sends $(evk', \mathrm{Enc}'(\hat c))$ and $(evk'', \mathrm{Enc}''(c))$ under two outer keys; the server executes $y' = \mathrm{Eval}'(\mathrm{Eval}(f, \cdot), \mathrm{Enc}'(\hat c))$ and $y'' = \mathrm{Eval}''(\mathrm{Eval}(f, \cdot), \mathrm{Enc}''(c))$ and returns $y'', y'$.

Verification: check $\mathrm{Dec}'(y') = \hat z$? Yes ⇒ output $\mathrm{Dec}(\mathrm{Dec}''(y''))$. No ⇒ output $\bot$.

Idea: the outer layer keeps the server "oblivious" of $\hat z$ ⇒ can recycle $\hat z$ for future computations.

The server is not allowed to know if we accept/reject!

SLIDE 13

FHE Timeline

30 years of hardly scratching the surface:

  • Only addition [RSA78, R79, GM82, G84, P99, R05].
  • Addition + 1 multiplication [BGN05, GHV10].
  • Other variants [SYY99, IP07, MGH10].

… is it even possible?

Basic scheme: ideal cosets in polynomial rings ⇒ bounded-depth homomorphism.

  • Assumption: hardness of (quantum) approximate short vector in ideal lattices.

Bootstrapping: bounded-depth HE ⇒ full HE.

But bootstrapping doesn't apply to the basic scheme...

  • Need an additional assumption: hardness of sparse subset-sum.

SLIDE 14

The FHE Challenge

Make it more secure. Make it simpler. Make it practical.

Optimizations [SV10, SS10, GH10]

Simplified basic scheme [vDGHV10, BV11a]

  • Under similar assumptions.

?

SLIDE 15

FHE without Ideals [BV11b]

Linear algebra instead of polynomial rings.

Assumption: approximate short vector in arbitrary lattices (via LWE).

Fundamental algorithmic problem – extensively studied. [LLL82, K86, A97, M98, AKS03, MR04, MV10]

Shortest-vector Problem (SVP): (figure)

SLIDE 16

FHE without Ideals [BV11b]

  • Simpler: straightforward presentation.
  • More secure: based on a standard assumption.
  • Efficiency improvements.

Linear algebra instead of polynomial rings.

Assumption: approximate short vector in arbitrary lattices (via LWE).

  • Basic scheme: noisy linear equations over $\mathbb{Z}_q$.
    – Ciphertext is a linear function $c(x)$ s.t. $c(sk) \approx m$.
    – Add/multiply functions for homomorphism.
    – Multiplication raises the degree ⇒ use relinearization.
  • Bootstrapping: use dimension-modulus reduction to shrink ciphertexts.

Concurrently [GH11]: ideal-lattice-based scheme without squashing.

SLIDE 17

FHE without Ideals

Follow-ups:

  • [BGV12]: Improved parameters.
    – Even better security.
    – Improved efficiency in the ring setting using "batching".
    – Batching without ideals in [BGH13].
  • [B12]: Improved security.
    – Security based on classical lattice assumptions.
    – Explained in blog post [BB12].

Various optimizations, applications and implementations: [LNV11, GHS12a, GHS12b, GHS12c, GHPS12, AJLTVW12, LTV12, DSPZ12, FV12, GLN12, BGHWW12, HW13, …]

SLIDE 18

The "Approximate Eigenvector" Method [GSW13]

  • Basic scheme: approximate eigenvector over $\mathbb{Z}_q$.
    – Ciphertext is a matrix $C$ s.t. $C \cdot sk \approx m \cdot sk$.
    – Add/multiply matrices for homomorphism*.
  • Bootstrapping: same as previous schemes.

Ciphertexts = matrix.

Same assumption and keys as before – ciphertexts are different.

  • Simpler: straightforward presentation.
  • New and exciting applications "for free"! IB-FHE, AB-FHE.
  • Same security as [BGV12, B12].
  • Unclear about efficiency: some advantages, some drawbacks.

SLIDE 19

Sequentialization [BV14]

What is the best way to evaluate a product of $k$ numbers?

Diagram: a parallel (balanced tree) multiplication of $c_1, c_2, c_3, c_4$ vs. a sequential chain $((c_1 \times c_2) \times c_3) \times c_4$.

Parallel: conventional wisdom. Sequential: actually better (if done right).

SLIDE 20

Sequentialization [BV14]

Barrington's Theorem [B86]: every depth-$d$ computation can be transformed into a width-5, depth-$4^d$ branching program.

A sequential model of computation.

  • Better security – breaks the barrier of [BGV12, B12, GSW13].
  • Using dimension-modulus reduction (from [BV11b]) ⇒ same hardness assumption as non-homomorphic encryption.
  • Short ciphertexts.

SLIDE 21

FHE Over the Integers [DGHV09, CMNT11, CNT12, CCKLLTY13, CLT14]

Parallel line of work: similar construction using different assumptions.

"Approximate GCD" problem: similar to a 1-dimensional lattice.

Ciphertexts = number.

  • Basic operations more straightforward.
  • Analogues for "batching", "scale invariance".
  • Noise control more complicated.
  • Assumption less standard.

Details will not be discussed in this course.

SLIDE 22

Implementations

  • HElib (IBM/NYU)
    – Ring-LWE (ideal-lattice) scheme of [BGV12], optimizations of [GHS12a]
    – Most recent results [HS14a, HS14b]
    – https://github.com/shaih/HElib
  • hcrypt project
    – FHE over the integers [DGHV09]
    – https://hcrypt.com
  • "Stanford FHE"
    – LWE scheme of [B12] with optimizations
    – http://cs.stanford.edu/~dwu4/fhe.html
  • Unpublished code
    – Ring-LWE implementation of [GHS12b].
    – Over-the-integers implementation of [CCKLLTY13].

SLIDE 23

Efficiency

Standard benchmark: AES-128 circuit. Implementation of [BGV12] by [GHS12c]: ≈5 sec/input.

2 years ago it was 5 min/input, and in 2010 it was 5 min/gate [GH10].

Limiting factors:

  • Circuit representation.
  • Bootstrapping.
  • Key size.

⇒ To be practical, we need to improve the theory.

SLIDE 24

Hybrid FHE

  • In known FHE, encryption is slow and ciphertexts are long.
  • In symmetric encryption (e.g. AES) these are better.

Diagram: the client holds keys $sk, pk, evk$ and sends $\mathrm{Enc}(x)$; the server computes $y = \mathrm{Eval}(f, \mathrm{Enc}(x))$; the client computes $\mathrm{Dec}(y) = f(x)$.

Best of both worlds?

SLIDE 25

Hybrid FHE

Generate FHE keys $sk, pk, evk$ and a symmetric key $sym$. Encrypt $x$ using $sym$: $c = \mathrm{Enc}_{sym}(x)$.

Easy to encrypt, ciphertext is short… But how to do Eval?

Give an encryption of $sym$ to the server: $\mathrm{Enc}(sym)$. Define $h(z) = \mathrm{SYM\_Dec}_z(c)$.

Server computes $y' = \mathrm{Eval}(h, \mathrm{Enc}(sym))$

⇒ $y' = \mathrm{Enc}(h(sym)) = \mathrm{Enc}(\mathrm{SYM\_Dec}_{sym}(c)) = \mathrm{Enc}(x)$, then $y = \mathrm{Eval}(f, y')$ and the client computes $\mathrm{Dec}(y) = f(x)$.

SLIDE 26

Approximate Eigenvector Method [GSW13]

Observation: let $C_1, C_2$ be matrices with the same eigenvector $\vec s$, and let $m_1, m_2$ be their respective eigenvalues w.r.t. $\vec s$. Then:

  • 1. $C_1 + C_2$ has eigenvalue $(m_1 + m_2)$ w.r.t. $\vec s$.
  • 2. $C_1 \cdot C_2$ (and also $C_2 \cdot C_1$) has eigenvalue $m_1 m_2$ w.r.t. $\vec s$.

Idea: $\vec s$ = secret key, $C$ = ciphertext, and $m$ = message. Say over $\mathbb{Z}_q$.

⇒ Homomorphism for addition and multiplication. ⇒ Full homomorphism!

Insecure! Eigenvectors are easy to find. What about approximate eigenvectors?

SLIDE 27

Approximate Eigenvector Method [GSW13]

$C \cdot \vec s = m \vec s + \vec e \approx m \vec s$

How to decrypt? Must have a restriction on $\vec e$.

Suppose $\vec s[1] = q/2$ and $m \in \{0,1\}$ ⇒ $(C \cdot \vec s)[1] = m \cdot q/2 + \vec e[1]$. Find $m$ by rounding.

Condition for correct decryption: $\|\vec e\|_\infty < q/4$.

SLIDE 28

Approximate Eigenvector Method [GSW13]

$C_1 \cdot \vec s = m_1 \vec s + \vec e_1$ with $\|\vec e_1\| \ll q$; $C_2 \cdot \vec s = m_2 \vec s + \vec e_2$ with $\|\vec e_2\| \ll q$.

Goal: $C_1, C_2$ ⇒ $C_{add} = \mathrm{Enc}(m_1 + m_2)$, $C_{mult} = \mathrm{Enc}(m_1 m_2)$.

$C_{add} = C_1 + C_2$: $(C_1 + C_2) \cdot \vec s = C_1 \vec s + C_2 \vec s = m_1 \vec s + \vec e_1 + m_2 \vec s + \vec e_2 = (m_1 + m_2) \vec s + (\vec e_1 + \vec e_2)$.

Noise grows a little: $\vec e_{add} = \vec e_1 + \vec e_2$.

SLIDE 29

Approximate Eigenvector Method [GSW13]

$C_1 \cdot \vec s = m_1 \vec s + \vec e_1$ with $\|\vec e_1\| \ll q$; $C_2 \cdot \vec s = m_2 \vec s + \vec e_2$ with $\|\vec e_2\| \ll q$.

Goal: $C_1, C_2$ ⇒ $C_{add} = \mathrm{Enc}(m_1 + m_2)$, $C_{mult} = \mathrm{Enc}(m_1 m_2)$.

$C_{mult} = C_1 \cdot C_2$: $(C_1 \cdot C_2) \cdot \vec s = C_1 (m_2 \vec s + \vec e_2) = m_2 C_1 \vec s + C_1 \vec e_2 = m_2 (m_1 \vec s + \vec e_1) + C_1 \vec e_2 = m_1 m_2 \vec s + m_2 \vec e_1 + C_1 \vec e_2$.

Noise grows: $\vec e_{mult} = m_2 \vec e_1 + C_1 \vec e_2$. But by how much? Can also use $C_2 \cdot C_1$.

SLIDE 30

Plan for Technical Part

  • 1. Constructing the approximate eigenvector scheme.
  • 2. Sequentialization.
  • 3. Bootstrapping.
  • 4. Open problems and limits on FHE.

SLIDE 31

Learning with Errors (LWE) [R05]

Random noisy linear equations ≈ uniform.

$A \cdot \vec s + \vec e = \vec b$

  • $A$: uniform matrix $\in \mathbb{Z}_q^{M \times n}$.
  • $\vec s$: secret vector $\in \mathbb{Z}_q^{n}$.
  • $\vec e$: small noise $\in \mathbb{Z}_q^{M}$, $\|\vec e\| \le \alpha q$.

$(A, \vec b)$ is stat. far from uniform!

LWE assumption: $(A, \vec b) \approx (A, \vec u)$ with $\vec u$ uniform.

As hard as $n/\alpha$-approximate short vector in worst-case $n$-dimensional lattices [R05, P09].

SLIDE 32

Learning with Errors (LWE) [R05]

(Rearranging notation)

$A \cdot \vec s + \vec e = \vec b$, with $A$ uniform $\in \mathbb{Z}_q^{M \times n}$, secret $\vec s \in \mathbb{Z}_q^{n}$, and small noise $\vec e$ with $\|\vec e\| \le \alpha q$.

Move $\vec b$ into the matrix: $[\,-A \mid \vec b\,] \cdot \binom{\vec s}{1} = \vec b - A \vec s = \vec e$.

"New" matrix $A' = [\,-A \mid \vec b\,] \in \mathbb{Z}_q^{M \times (n+1)}$; "new" secret vector $\vec s' = (\vec s, 1) \in \mathbb{Z}_q^{n+1}$.

SLIDE 33

Learning with Errors (LWE) [R05]

(Rearranging notation)

$A \cdot \vec s = \vec e$, where $A$ is indistinguishable from a uniform matrix $\in \mathbb{Z}_q^{M \times (n+1)}$ (dropping the primes from now on).

SLIDE 34

Encryption Scheme from LWE [R05, ACPS09]

Public key: $A$ with $A \cdot \vec s = \vec e$; secret key $\vec s$; small noise $\vec e$.

Encryption: pick $\vec r \in \{0,1\}^{M}$ uniformly and set $\vec c = \vec r \cdot A + \vec g$.

Then $\vec c \cdot \vec s = \vec r \cdot \vec e + \vec g \cdot \vec s$: an "approximation" of $\vec g \cdot \vec s$ (without knowing $\vec s$) [ACPS09], where $\vec r \cdot \vec e$ is the small "noise".

$(A, \vec c)$ looks jointly uniform.

Generalize to matrices!

SLIDE 35

Encryption Scheme from LWE [R05, ACPS09]

Public key: $A \in \mathbb{Z}_q^{M \times (n+1)}$ (uniform) with $A \cdot \vec s = \vec e$; secret key $\vec s$.

Matrix version: pick $R \in \{0,1\}^{N \times M}$ uniformly and set $C = R \cdot A + H$.

Then $C \cdot \vec s = R \vec e + H \vec s$, where $R \vec e =: \vec e'$ is the small "noise".

SLIDE 36

Approx. Eigenvector Encryption

Goal: encrypt a message $m \in \{0,1\}$.

Idea: $\mathrm{Enc}(m) = C_m = R \cdot A + m I$ ⇒ $C_m \cdot \vec s = \vec e + m I \vec s = m \cdot \vec s + \vec e$.

As we saw: $C_1 \cdot C_2 \cdot \vec s = C_1 \cdot (\vec e_2 + m_2 \vec s) = C_1 \cdot \vec e_2 + m_2 \cdot C_1 \cdot \vec s = C_1 \cdot \vec e_2 + m_2 \vec e_1 + m_1 m_2 \vec s$.

Here $m_1 m_2 \vec s$ is the desired output, $m_2 \vec e_1$ is small noise, and $C_1 \cdot \vec e_2$ is HUGE noise.

Need to reduce the norm of $C_1$. Solution: binary decomposition.

SLIDE 37

Binary Decomposition

Break each entry of $C$ into its binary representation:

$C = \begin{pmatrix} 3 & 5 \\ 1 & 4 \end{pmatrix} \pmod 8$, $\quad \mathrm{bits}(C) = \begin{pmatrix} 0 & 1 & 1 & 1 & 0 & 1 \\ 0 & 0 & 1 & 1 & 0 & 0 \end{pmatrix} \pmod 8$.

Small entries like we wanted! But the product with $\vec s$ is now meaningless.

Consider the "reverse" operation: $\mathrm{bits}(C) \cdot G = C$, with the "powers of 2" matrix $G = \begin{pmatrix} 4 & 0 \\ 2 & 0 \\ 1 & 0 \\ 0 & 4 \\ 0 & 2 \\ 0 & 1 \end{pmatrix}$.

$C \cdot \vec s = \mathrm{bits}(C) \cdot G \cdot \vec s = \mathrm{bits}(C) \cdot \vec s^*$, where $\vec s^* = G \cd \vec s$ is the "powers of 2" vector and contains $q/2$ as an element.

SLIDE 38

Approx. Eigenvector Encryption

$\mathrm{Enc}(m) = C_m = R \cdot A + m \cdot G \in \mathbb{Z}_q^{N \times (n+1)}$ ⇒ $C_m \cdot \vec s = \vec e + m \cdot G \cdot \vec s$.

Multiplication: $C_{mult} = \mathrm{bits}(C_1) \cdot C_2$.

$\mathrm{bits}(C_1) \cdot C_2 \cdot \vec s = \mathrm{bits}(C_1) \cdot (\vec e_2 + m_2 G \vec s) = \mathrm{bits}(C_1) \cdot \vec e_2 + m_2 \cdot \mathrm{bits}(C_1) \cdot G \cdot \vec s = \mathrm{bits}(C_1) \cdot \vec e_2 + m_2 \cdot C_1 \cdot \vec s = \mathrm{bits}(C_1) \cdot \vec e_2 + m_2 \cdot \vec e_1 + m_1 \cdot m_2 \cdot G \cdot \vec s$.

Here $m_1 m_2 G \vec s$ is the desired output, $m_2 \vec e_1$ is small, and $\mathrm{bits}(C_1) \cdot \vec e_2$ is small-ish.

$\|\vec e_{mult}\| \le N \cdot \|\vec e_2\| + m_2 \cdot \|\vec e_1\| \le (N + 1) \cdot \max\{\|\vec e_1\|, \|\vec e_2\|\}$.

NAND: $C_{nand} = G - \mathrm{bits}(C_1) \cdot C_2$, with the same noise bound.
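A toy implementation of the scheme of slides 31–38, added here as an illustration; it is not code from the talk or from any of the implementations listed later. It builds the LWE key in the rearranged form $A' \vec s' = \vec e$, encrypts as $C = R \cdot A' + m \cdot G$, decomposes with $\mathrm{bits}(\cdot)$ so that $\mathrm{bits}(C) \cdot G = C$ (most significant bit first, as in the slide-37 example), decrypts by rounding the coordinate of $C \vec s'$ that carries $q/2$, and evaluates NAND as $G - \mathrm{bits}(C_1) \cdot C_2$ while measuring the actual noise against the bound $N \|\vec e_2\| + \|\vec e_1\|$. The parameter values, the seed and the function names are this example's own choices; the parameters are picked for readability and give no security.

```python
import random

# Toy parameters (constructed for readability; far too small to be secure).
n = 4              # LWE dimension
q = 2 ** 24        # modulus, a power of two so that q/2 is a gadget entry
ell = 24           # log2(q): bits per Z_q entry
M = 8              # LWE samples (rows of the public key A')
N = (n + 1) * ell  # rows of the gadget matrix G and of every ciphertext

rng = random.Random(2015)  # fixed seed: reproducible keys, randomness and noise


def centered(v):
    """Representative of v mod q in (-q/2, q/2]; used to measure noise."""
    v %= q
    return v - q if v > q // 2 else v


def matmul(X, Y):
    """(X * Y) mod q for row-major lists of lists."""
    return [[sum(X[i][k] * Y[k][j] for k in range(len(Y))) % q
             for j in range(len(Y[0]))] for i in range(len(X))]


def matvec(X, v):
    """(X * v) mod q."""
    return [sum(X[i][k] * v[k] for k in range(len(v))) % q for i in range(len(X))]


def keygen():
    """LWE instance b = A s + e, rearranged as A' = [-A | b], s' = (s, 1), so A' s' = e."""
    s = [rng.randrange(q) for _ in range(n)]
    e = [rng.choice([-1, 0, 1]) for _ in range(M)]            # small noise
    A = [[rng.randrange(q) for _ in range(n)] for _ in range(M)]
    b = [(sum(A[i][j] * s[j] for j in range(n)) + e[i]) % q for i in range(M)]
    pk = [[(-A[i][j]) % q for j in range(n)] + [b[i]] for i in range(M)]  # M x (n+1)
    sk = s + [1]                                                # n+1 entries
    return pk, sk


# Gadget ("powers of 2") matrix G, N x (n+1): column j holds 2^(ell-1), ..., 2, 1
# in rows j*ell .. j*ell+ell-1, so that bits(C) * G == C for every C.
G = [[0] * (n + 1) for _ in range(N)]
for j in range(n + 1):
    for t in range(ell):
        G[j * ell + t][j] = 2 ** (ell - 1 - t)


def bits(C):
    """Binary decomposition, most significant bit first: an N x (n+1) matrix over Z_q
    becomes an N x N matrix with 0/1 entries."""
    return [[(v >> (ell - 1 - t)) & 1 for v in row for t in range(ell)] for row in C]


def enc(pk, m):
    """Enc(m) = R * A' + m * G with R uniform in {0,1}^{N x M}; then C s' = R e + m G s'."""
    R = [[rng.randrange(2) for _ in range(M)] for _ in range(N)]
    RA = matmul(R, pk)
    return [[(RA[i][j] + m * G[i][j]) % q for j in range(n + 1)] for i in range(N)]


def noise(C, sk, m):
    """Infinity norm of C s' - m G s', i.e. of the noise vector e of the slides."""
    Gs, Cs = matvec(G, sk), matvec(C, sk)
    return max(abs(centered(Cs[i] - m * Gs[i])) for i in range(N))


def dec(sk, C):
    """Row n*ell of G holds 2^(ell-1) = q/2 in the column where s' has the entry 1,
    so (C s')[n*ell] = m * q/2 + e[n*ell]; rounding recovers m while |e| < q/4."""
    v = centered(matvec(C, sk)[n * ell])
    return 1 if abs(v) > q // 4 else 0


def nand(C1, C2):
    """Homomorphic NAND, G - bits(C1) * C2: encrypts 1 - m1*m2 with noise
    -(bits(C1) e2 + m2 e1), so the new noise is at most N*|e2| + |e1|."""
    P = matmul(bits(C1), C2)
    return [[(G[i][j] - P[i][j]) % q for j in range(n + 1)] for i in range(N)]


def fresh_check(pk, sk):
    """Decrypt fresh encryptions of 0 and 1; returns {m: (decrypted, noise)}."""
    out = {}
    for m in (0, 1):
        C = enc(pk, m)
        out[m] = (dec(sk, C), noise(C, sk, m))
    return out


def nand_table(pk, sk):
    """Evaluate NAND on all four input pairs; returns {(m1, m2): (decrypted, noise)}."""
    out = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            C = nand(enc(pk, m1), enc(pk, m2))
            out[(m1, m2)] = (dec(sk, C), noise(C, sk, 1 - m1 * m2))
    return out


if __name__ == "__main__":
    pk, sk = keygen()
    print("fresh:", fresh_check(pk, sk))   # noise at most M = 8
    print("nand: ", nand_table(pk, sk))    # noise at most N*M + M = 968, far below q/4
```

With these values a fresh ciphertext carries noise at most $M$ and one NAND at most $(N+1)M$, so the toy decrypts correctly through two NAND levels of the worst-case bound; the third level would exceed $q/4$, which is exactly the depth limit that slides 39–41 address.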

SLIDE 39

Homomorphic Circuit Evaluation

Fresh ciphertexts: $\|\vec e_1\|, \|\vec e_2\| \le M \alpha q$. After one gate: $\|\vec e\| \le (N + 1) \cdot M \alpha q \approx N \alpha q$ (up to the factor $M$).

Noise grows during homomorphic evaluation.

Depth $d$: $\|\vec e_{out}\| \le (N + 1)^d \cdot \|\vec e_{in}\|$.

⇒ Decryption succeeds if $\alpha \ll 1/N^d$.

SLIDE 40

Full Homomorphism

Need $\alpha \le N^{-d}$, i.e. $d \approx \log_N(1/\alpha)$.

  • 1. If a depth upper bound $d$ is known ahead of time: set $N \ge d$; $\alpha = 2^{-d}$ ⇒ $\log(1/\alpha) = d$. Leveled FHE: parameters ($evk$) grow with $d$. Undesirable: huge parameters, low security, inflexible.
  • 2. Single scheme for any poly depth: Bootstrap!

SLIDE 41

The Bootstrapping Theorem

Homomorphic ⇒ fully homomorphic when $d_{dec} < d_{max}$.

  • $d_{dec}$ = depth of the decryption circuit.
  • $d_{max}$ = maximal homomorphic depth.

In our scheme: $d_{dec} = \log N$ ⇒ FHE if $\alpha < N^{-\log N}$: a quasi-polynomial approximation factor for short vector problems (same factor as [BGV12, B12]). Non-homomorphic schemes only need an $N$-approximation. (Proof to come.)

Additional condition, to be discussed.

SLIDE 42

A Taste of Sequentialization [BV13]

$\vec e_{mult} = \mathrm{bits}(C_1) \cdot \vec e_2 + m_2 \cdot \vec e_1$. Asymmetric!

Important observations:

  • 1. $\vec e_1$ gets multiplied by 0/1; $\vec e_2$ can get multiplied by $N$.
  • 2. $m_2 = 0$ ⇒ $\vec e_1$ has no effect!

Conclusion: the order of multiplication matters. Want to multiply $C_1, C_2$ s.t. $\|\vec e_1\| \gg \|\vec e_2\|$. Which is better: $\mathrm{bits}(C_1) \cdot C_2$ or $\mathrm{bits}(C_2) \cdot C_1$?

SLIDE 43

A Taste of Sequentialization [BV14]

$\vec e_{mult} = \mathrm{bits}(C_1) \cdot \vec e_2 + m_2 \cdot \vec e_1$.

Task: multiply 4 ciphertexts $C_1, \dots, C_4$, each with noise $E$.

Multiplication tree: $c_1 \times c_2$ and $c_3 \times c_4$ each have noise $E(N + 1)$; their product has noise $E(N + 1)^2$.

Sequential multiplier: $((c_1 \times c_2) \times c_3) \times c_4$ has noise $E(N + 1)$, then $E(2N + 1)$, then $E(3N + 1)$.

Winner: the sequential multiplier!

SLIDE 44

A Taste of Sequentialization [BV14]

$\vec e_{mult} = \mathrm{bits}(C_1) \cdot \vec e_2 + m_2 \cdot \vec e_1$.

Multiplexer (MUX): $m_1 \cdot m_2 + (1 - m_1) \cdot m_3$, computed as $c_1 \times c_2 + (1 - c_1) \times c_3$ with all inputs of noise $E$.

Noise: $EN + m_1 E$ for $c_1 \times c_2$, $EN + (1 - m_1) E$ for $(1 - c_1) \times c_3$, and $E + 2EN$ for the sum. The data inputs' noise passes through only once, since the weights $m_1$ and $1 - m_1$ sum to 1, so the noise increase is additive!
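The noise bookkeeping of slides 42–44, written out in the slides' own symbols ($E$ = noise of a fresh ciphertext, $N$ = gadget dimension, $|\vec e_{mult}| \le N |\vec e_b| + |\vec e_a|$ for $\mathrm{bits}(C_a) \cdot C_b$) as an added illustration, not code from the talk. The slides show the 4-input case; the generalisation to $k$ inputs and to a chain of MUX steps is this example's own.

```python
# Worst-case noise bounds for products of GSW-style ciphertexts, following the rule
#     e_mult = bits(C_a) * e_b + m_b * e_a,   so |e_mult| <= N*|e_b| + |e_a|.
# Symbols as on the slides: E = fresh noise, N = gadget dimension. Added illustration;
# the k-input generalisation (the slides show k = 4) is this example's own.


def mult_bound(e_a, e_b, N):
    """Worst-case noise of bits(C_a) * C_b: the left operand's noise is multiplied by a
    bit (survives at most once), the right operand's noise is amplified by up to N."""
    return e_a + N * e_b


def tree_bound(k, E, N):
    """Balanced multiplication tree over k fresh ciphertexts of noise E (k a power of two):
    the bound is E * (N+1)^log2(k), i.e. exponential in the tree depth."""
    if k == 1:
        return E
    half = tree_bound(k // 2, E, N)
    return mult_bound(half, half, N)


def chain_bound(k, E, N):
    """Sequential multiplier ((c1 * c2) * c3) * ...: the running product is always the
    left operand, so only the fresh right operand's noise is amplified by N.
    The bound is E * ((k-1)*N + 1), i.e. linear in the number of inputs."""
    acc = E
    for _ in range(k - 1):
        acc = mult_bound(acc, E, N)
    return acc


def better_order(e_big, e_small, N):
    """Slide 42's question: given a noisy and a fresh ciphertext, which product order is
    better? Returns (bound with the noisy one on the left, bound with it on the right)."""
    return mult_bound(e_big, e_small, N), mult_bound(e_small, e_big, N)


def mux_step_bound(e_acc, E, N):
    """One branching-program step m1*m2 + (1-m1)*m3 with a fresh selector c1 (noise E) and
    accumulator inputs c2, c3 (noise e_acc), each product taking the accumulator on the
    left: bits(c2)*c1 has noise N*E + m1*e_acc, bits(c3)*(1-c1) has noise
    N*E + (1-m1)*e_acc, and m1 + (1-m1) = 1, so the sum has noise e_acc + 2*N*E."""
    return e_acc + 2 * N * E


def mux_chain_bound(steps, E, N):
    """Noise after `steps` MUX steps from a fresh accumulator: E + steps*2*N*E (additive)."""
    acc = E
    for _ in range(steps):
        acc = mux_step_bound(acc, E, N)
    return acc


if __name__ == "__main__":
    E, N = 1, 100
    for k in (4, 16, 64):
        print(k, "inputs: tree", tree_bound(k, E, N), " chain", chain_bound(k, E, N))
    print("64 MUX steps:", mux_chain_bound(64, E, N))
```

For $k = 4$ the two functions return the slide-43 values $E(N+1)^2$ and $E(3N+1)$; for larger $k$ the gap between $(N+1)^{\log_2 k}$ and $(k-1)N + 1$ is what lets the sequential evaluation of slide 20's branching programs get by with a much smaller modulus-to-noise ratio.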

SLIDE 45

Bootstrapping

Homomorphic ⇒ fully homomorphic when $d_{dec} < d_{max}$.

  • $d_{dec}$ = depth of the decryption circuit.
  • $d_{max}$ = maximal homomorphic depth.

SLIDE 46

Bootstrapping

Given a scheme with bounded $d_{max}$, how to extend its homomorphic capability?

Idea: do a few operations, then "switch" to a new instance: $(pk_1, sk_1) \to (pk_2, sk_2) \to (pk_3, sk_3) \to \dots$

Switch keys: "cost" in homomorphism.

SLIDE 47

How to Switch Keys

We have seen this before! Hybrid FHE.

SLIDE 48

Hybrid FHE

The client holds $sk, pk, evk$ and a symmetric key $sym$; it sends $c = \mathrm{Enc}_{sym}(x)$ and $\mathrm{Enc}(sym)$. Define $h(z) = \mathrm{SYM\_Dec}_z(c)$. Server computes $y' = \mathrm{Eval}(h, \mathrm{Enc}(sym))$

⇒ $y' = \mathrm{Enc}(h(sym)) = \mathrm{Enc}(\mathrm{SYM\_Dec}_{sym}(c)) = \mathrm{Enc}(x)$, then $y = \mathrm{Eval}(f, y')$ and the client computes $\mathrm{Dec}(y) = f(x)$.

SLIDE 49

How to Switch Keys

Decryption circuit: $\mathrm{Dec}_{sk}(c) = m$. Dual view: fix the ciphertext and read it as a function of the key, $h_c(\cdot) \equiv \mathrm{Dec}_{(\cdot)}(c)$, so $h_c(sk) = \mathrm{Dec}_{sk}(c) = m$.

Key switching procedure $(sk_1, pk_1) \to (sk_2, pk_2)$:

Input: $c = \mathrm{Enc}_1(m)$. Server aux info (prepared ahead of time): $aux = \mathrm{Enc}_2(sk_1)$. Output: $\mathrm{Eval}_2(h_c, aux)$.

$\mathrm{Eval}_2(h_c, aux) = \mathrm{Eval}_2(h_c, \mathrm{Enc}_2(sk_1)) = \mathrm{Enc}_2(h_c(sk_1)) = \mathrm{Enc}_2(\mathrm{Dec}_{sk_1}(c)) = \mathrm{Enc}_2(m)$. Eval depth = $d_{dec}$.

SLIDE 50

Bootstrapping

Given a scheme with bounded $d_{max}$, how to extend its homomorphic capability?

Idea: do a few operations, then "switch" to a new instance: $(pk_1, sk_1) \to (pk_2, sk_2) \to (pk_3, sk_3) \to \dots$

Switch keys: "cost" of $d_{dec}$ hom. operations.

Conclusion: bootstrapping if $d_{max} \ge d_{dec} + 1$.

Need to generate many keys…

SLIDE 51

Bootstrapping

Given a scheme with bounded $d_{max}$, how to extend its homomorphic capability?

Idea: do a few operations, then "switch" to a new instance – now $(pk_1, sk_1) \to (pk_1, sk_1) \to (pk_1, sk_1) \to \dots$

Switch from the key to itself! Key switching works. Server aux info: $aux = \mathrm{Enc}_{pk_1}(sk_1)$.

SLIDE 52

Circular Security

Is it secure to publish $aux = \mathrm{Enc}_{pk}(sk)$?

Intuitively: yes, encryption hides the message. Formally: security does not extend.

What can we do about it?

Option 1: Assume it's secure – no attack is known. Option 2: Use a sequence of keys ⇒ number of keys proportional to the computation depth (leveled FHE).

[BV11a]: circular secure "somewhat" homomorphic scheme.

Short keys without a circular assumption?

SLIDE 53

What We Saw Today

  • Definition of FHE.
  • Applications.
  • Historical perspective and background.
  • Constructing HE using the approximate eigenvector method.
  • Sequentialization.
  • Bootstrapping.
  • Limits on HE.

SLIDE 54

Open Problems

  • Short keys without circular security.
  • FHE from different assumptions.
  • CCA1-secure FHE.
  • Bounded malleability.
  • Improved efficiency.

SLIDE 55

Thank You