[PPT] - Fully Homomorphic Encryption without Modulus Switching from PowerPoint Presentation

SLIDE 1

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Zvika Brakerski

Stanford University

CRYPTO 2012

SLIDE 2

Outsourcing Computation

Email, web-search, navigation, social networking…

𝑦 𝑔 𝑔(𝑦) 𝑦

What if 𝑦 is private?

Search query, location, business information, medical information…

SLIDE 3

Outsourcing Computation – Privately

Homomorphic Encryption 𝑔, 𝐹𝑜𝑑 𝑦1 , … , 𝐹𝑜𝑑 𝑦𝑜 → 𝐹𝑜𝑑(𝑔 𝑦1, … , 𝑦𝑜 )

We assume w.l.o.g 𝑔 ∈ *+,×+ (over ℤ2). 𝑦 𝑔 𝑧 𝐹𝑜𝑑(𝑦) 𝐸𝑓𝑑 𝑧 = 𝑔(𝑦)

Learns nothing on 𝑦.

SLIDE 4

The Old Days of FHE

Gentry’s breakthrough [G09,G10] – first

candidate.

[vDGHV10, BV11a]: Similar outline, different

assumptions.

[GH11]: Chimeric-FHE.
Efficiency attempts [SV10,SS10,GH10,LNV11].

2009-2011

SLIDE 5

2nd Generation FHE

[BV11b]: LWE-based FHE (= apx. short vector in lattice).

– Better assumption. – Clean presentation: no ideals, no “squashing”. – Efficiency improvement.

[BGV12]: Improved performance via Modulus Switching.

– Quantitatively better assumption. – “Leveled” homomorphism without bootstrapping. – Efficiency improvements using ideals (“batching”).

[GHS11,GHS12a, GHS12b]: Efficiency improvements

and optimizations using ideals.

SLIDE 6

This work:

Modulus switching is a red herring

“Scale-independent encryption”

⇒ better performance with less headache

SLIDE 7

FHE 101 [BV11b]

Secret key: 𝑡 ∈ ℤ𝑟

𝑜

Ciphertext: 𝑑 ∈ ℤ𝑟

𝑜

Encryption algorithm: Doesn’t matter. Decryption algorithm: 𝑑

⋅ 𝑡 𝑛𝑝𝑒 𝑟 (𝑛𝑝𝑒 2). Security based on 𝑀𝑋𝐹𝑜,𝑟,𝛽

The Scheme: 𝑑 ⋅ 𝑡 = 𝑛 + 2𝑓 + 𝑟𝐽

small (initial) noise 𝑓 < 𝐶 = 𝛽𝑟

dec. if 𝑓 /𝑟 <

1 4

SLIDE 8

FHE 101 [BV11b]

Secret key: 𝑡 ∈ ℤ𝑟

𝑜

Ciphertext: 𝑑 ∈ ℤ𝑟

𝑜

The Scheme: 𝑑 ⋅ 𝑡 = 𝑛 + 2𝑓 + 𝑟𝐽

small (initial) noise 𝑓 < 𝐶 = 𝛽𝑟

dec. if 𝑓 /𝑟 <

1 4

Additive Homomorphism:

That again? Just add’em, dude… 𝑑 1, 𝑑 2 ⇒ 𝑑 1 + 𝑑 2 𝑛𝑝𝑒 𝑟

SLIDE 9

FHE 101 [BV11b]

Multiplicative Homomorphism:

𝑑 1, 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 𝑟 ∈ ℤ𝑟

𝑜2 vector of all cross terms 𝑑 1 𝑗 ⋅ 𝑑 2 𝑘 𝑗,𝑘

𝑑 1 ⊗ 𝑑 2 ⋅ 𝑡 ⊗ 𝑡 = 𝑑 1 ⋅ 𝑡 ⋅ 𝑑 2 ⋅ 𝑡 = 𝑛1 + 2𝑓1 ⋅ 𝑛2 + 2𝑓2 (𝑛𝑝𝑒 𝑟) = 𝑛1𝑛2 + 2 ⋅ 𝑃 𝑓1𝑓2 (𝑛𝑝𝑒 𝑟) 𝑡𝑙 changed… but we can bring it back

(we have the technology)

~𝐶2

noise blows up! 𝑪 → 𝑪𝟑 → ⋯ → 𝑪𝟑𝒆

dec. if 𝐶2𝑒/𝑟 <

1 4

Secret key: 𝑡 ∈ ℤ𝑟

𝑜

Ciphertext: 𝑑 ∈ ℤ𝑟

𝑜

The Scheme: 𝑑 ⋅ 𝑡 = 𝑛 + 2𝑓 + 𝑟𝐽

small (initial) noise 𝑓 < 𝐶 = 𝛽𝑟

dec. if 𝑓 /𝑟 <

1 4

SLIDE 10

Modulus Switching [BGV12]

Idea: Bring noise back down by dividing the entire ciphertext by 𝐶.

𝑑 ∈ ℤ𝑟

𝑜

with noise |𝑓| < 𝐶2

/𝐶

𝑑 /𝐶 ∈ ℤ𝑟/𝐶

𝑜

with noise |𝑓| < 𝐶

(make sure not to harm the message bit 𝑛)

(𝑪, 𝒓) → (𝑪, 𝒓/𝑪) → ⋯ → (𝑪, 𝒓/𝑪𝒆)

Noise/modulus evolution:

dec. if 𝐶𝑒+1 < 𝑟/4

SLIDE 11

My Problems with Modulus Switching

1. Modulus switching is scale-dependent.
Scaling 𝐶, 𝑟 changes performance:

Smaller 𝐶, 𝑟  smaller 𝐶𝑒+1/𝑟  better homomorphism.

2. What does modulus switching really do?
Same as a scaling factor in the tensoring process

( 𝑑 1, 𝑑 2 ⇒ 𝜐 ⋅ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 𝑟 ).

In a “correct” scale, this factor should be 1.

nothing…

SLIDE 12

Our Solution: Scale-Independent FHE

Compare with previous:

real numbers 𝑛𝑝𝑒 2 ≡ (−1,1]

Hardness assumption is the same 𝑀𝑋𝐹𝑜,𝑟,𝛽.

Secret key: 𝑡 ∈ ℤ𝑜 Ciphertext: 𝑑 ∈ ℝ2

𝑜

𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽

small (initial) noise 𝜗 < 2𝛽

dec. if 𝜗 <

1 2

SLIDE 13

Scale-Independent Multiplication

Multiplicative Homomorphism:

𝑑 1, 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 2 ∈ ℝ2

𝑜2

𝑑 1 ⊗ 𝑑 2 ⋅ 𝑡 ⊗ 𝑡 = 𝑑 1 ⋅ 𝑡 ⋅ 𝑑 2 ⋅ 𝑡 = 𝑛1 + 𝜗1 + 2𝐽1 ⋅ 𝑛2 + 𝜗2 + 2𝐽2 (𝑛𝑝𝑒 2) = 𝑛1𝑛2 + 𝜗1 ⋅ 𝑛2 + 2𝐽2 + 𝜗2 ⋅ 𝑛1 + 2𝐽1 + 𝜗1𝜗2 (𝑛𝑝𝑒 2) Careful!

1/2 𝑛𝑝𝑒 2 ⋅ 2 𝑛𝑝𝑒 2 ≠ 1 (𝑛𝑝𝑒 2)

~𝛽2= tiny! ~𝛽 ⋅ |𝑛 + 2𝐽|

𝑛 + 2𝐽 ≈ 𝑑 ⋅ 𝑡 ≤ 𝑡 1

≲ 𝛽 ⋅ 𝑡 1

real numbers 𝑛𝑝𝑒 2 ≡ (−1,1]

Secret key: 𝑡 ∈ ℤ𝑜 Ciphertext: 𝑑 ∈ ℝ2

𝑜

𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽

small (initial) noise 𝜗 < 2𝛽

dec. if 𝜗 <

1 2

Noise blowup: 𝜷 → 𝜷 ⋅ 𝒕 𝟐

SLIDE 14

Scale-Independent Multiplication

Multiplicative Homomorphism:

𝑑 1, 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 2 ∈ ℝ2

𝑜2

Noise blowup: 𝜷 → 𝜷 ⋅ 𝒕 𝟐

Not good enough: 𝑡 1 ≈ 𝑜𝑟

Solution: Decompose the elements of 𝑡 into 𝑜 log 𝑟 bits.

real numbers 𝑛𝑝𝑒 2 ≡ (−1,1]

Secret key: 𝑡 ∈ ℤ𝑜 Ciphertext: 𝑑 ∈ ℝ2

𝑜

𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽

small (initial) noise 𝜗 < 2𝛽

dec. if 𝜗 <

1 2

SLIDE 15

𝑡 = 𝑡 1 , 𝑡 2 , … 𝑑 = 𝑑 1 , 𝑑 2 , … 𝑡 ⋅ 𝑑 = 𝑡 1 ⋅ 𝑑 1 + 𝑡 2 ⋅ 𝑑 2 + ⋯ 𝑡 = 𝑡 1 0, … , 𝑡 1 log 𝑟, 𝑡 2 0, … , 𝑡 2 log 𝑟, … 𝑑 = 𝑑 1 , 2𝑑 1 , … , 2log 𝑟𝑑 1 , 𝑑 2 , 2𝑑 2 , … , 2log 𝑟𝑑 2 , … 𝑡 ⋅ 𝑑 = 𝑡 1 𝑗 ⋅ 2𝑗𝑑 1

𝑗

+ 𝑡 2 𝑗 ⋅ 2𝑗𝑑 2

𝑗

+ ⋯ = 𝑡 1 ⋅ 𝑑 1 + 𝑡 2 ⋅ 𝑑 2 + ⋯

Binary Decomposition

SLIDE 16

Scale-Independent Multiplication

𝑑 1, 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 2 ∈ ℝ2

𝑜2

Noise blowup: 𝜷 → 𝜷 ⋅ 𝒕 𝟐 𝑡 1 ≤ 𝑜 log 𝑟 Noise blowup: 𝜷 → 𝜷 ⋅ 𝒐 log 𝒓 ≤ 𝜷 ⋅ 𝒐𝟑 For depth 𝑒 circuit: 𝛽 → 𝛽 ⋅ 𝑜𝑃(𝑒) regardless of scale!

real numbers 𝑛𝑝𝑒 2 ≡ (−1,1]

Secret key: 𝑡 ∈ *0,1+𝑜 log 𝑟 Ciphertext: 𝑑 ∈ ℝ2

𝑜 log 𝑟

𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽

small (initial) noise 𝜗 < 2𝛽

dec. if 𝜗 <

1 2

Multiplicative Homomorphism:

SLIDE 17

Full Homomorphism via Bootstrapping

Evaluating depth 𝑒 circuit: 𝜷 → 𝜷 ⋅ 𝒐𝑷(𝒆)

For “bootstrapping”: 𝑒 = 𝑃(log 𝑜) ⇒ 𝜷 → 𝜷 ⋅ 𝒐𝑷(𝐦𝐩𝐡 𝒐) ⇒ dec. if 𝜷 ≈ 𝒐−𝑷(𝐦𝐩𝐡 𝒐) regardless of 𝑟!

(in *BGV12+ only for “small” odd 𝑟)

Using 𝑟 ≈ 2𝑜 ⇒ Hardness based on classical GapSVP.

SLIDE 18

Conclusion

Scale-independence  FHE without modulus switching.
Homomorphic properties independent of 𝑟.

– But 𝑟 still matters for security.

Properties of [BGV12] extend.
Bonuses:

– Our 𝑟 can be even (e.g. power of 2). – Security based on classical GapSVP (as opposed to quantum).

Simpler!

SLIDE 19

tiny.cc/fheblog1 ; tiny.cc/fheblog2

also see blog post with Boaz Barak:

SLIDE 20

Farewell CRYPTO ’12…

SLIDE 21