Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions - PowerPoint PPT Presentation

SLIDE 1

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions

Elette Boyle

Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, & Peter Scholl

SLIDE 2

Fully Homomorphic Encryption (FHE)

  • Supports “homomorphic” computation on encrypted data

[Figure: x → Enc (under pk) → Eval_f → Dec (under sk) → f(x)]

SLIDE 3

Additive Secret Sharing

[Figure: s is split into shares s0 and s1; s0 + s1 = s]

  • Secrecy: s_i hides s
  • Reconstruction: s0 + s1 = s (in G)

Elements in commutative group G

SLIDE 4

Homomorphic Secret Sharing (HSS) [Boyle-Gilboa-Ishai 16]

[Figure: x → Share → (x0, x1); y0 = Eval_P(x0), y1 = Eval_P(x1); y0 + y1 = P(x)]

  • Security: x_i hides x
  • Size: |x_b| ~ |x|
  • Correctness: Eval_P(x0) + Eval_P(x1) = P(x)

SLIDE 5

HSS vs Fully Homomorphic Encryption (FHE)

[Figure, HSS side: x → Share → (x1, x2); y1 = Eval_f(x1), y2 = Eval_f(x2); y1 + y2 = f(x)]
[Figure, FHE side: x → Enc (under pk) → Eval_f → Dec (under sk) → f(x)]

  • Assuming 2+ non-colluding parties (sometimes not an issue!)
  • No need for keys
  • Additive reconstruction, broader assumptions, better efficiency

SLIDE 6

Special Case: Linear Homomorphism [Benaloh86, Goldreich-Micali-Wigderson87]

[Figure: x → Share → (x0, x1); y0 = Eval_{Ax+B}(x0), y1 = Eval_{Ax+B}(x1); y0 + y1 = Ax + B]

Similarly: (m,t)-HSS for degree m/(t+1) functions, unconditionally

Challenge: Support homomorphism for richer function classes

SLIDE 7

Rough Landscape of HSS

[Figure: landscape diagram; the top level is labelled “All P/poly”]

SLIDE 8

Rough Landscape of HSS

  Level            Assumption       Function class
  “High-level”     LWE+             Circuits [DHRW16, BGI15, BGILT18] (builds atop specific FHE)
  “Mid-level”      DDH, Paillier    Branching Programs [BGI16, BCGIO17, DKK18, FGJS17]
                   LWE              Branching Programs [BKS19]
                   (structured assumptions yielding PKE)
  “Low-level”      OWF              Simple functions [GI14, BGI15, BGI16b] (requires one-way functions [GI14, BGI15])
  “Algorithmica”   None             Linear Functions [Ben86]
  “Lapland”        LPN              Low-degree polynomials [BCGIKS19]; weird PRGs…

SLIDE 9

This Talk

  • Sample Applications of HSS
  • Constructions
    • Part I: Simple HSS for Branching Programs from Lattices (R/LWE)
    • Part II: “Pseudorandom Correlation Generators” from LPN
  • Conclusion & Open problems

SLIDE 10

Applications of HSS

  • Low-Communication Secure Computation
  • Private Database Queries (2-server setting)

SLIDE 11

Secure Computation

[Figure: Alice holds x, Bob holds x’; at the end each holds f(x,x’)]

Such that Alice & Bob learn nothing but f(x,x’) [Yao86, Goldreich-Micali-Wigderson87]

Feasibility: If honest majority of parties, or based on computational assumptions [Yao86, GMW87, BenOr-Goldwasser-Wigderson88, Chaum-Crepeau-Damgard88] …

SLIDE 12

Succinct Secure Computation

How much communication is required to evaluate C(x,x’)?

[Figure: small input x, small input x’, huge circuit C, small output C(x,x’)]

  • Without security: ≤ |input| + |output| bits
  • With security “2PC” (reveal nothing except output):
    • For decades: Ω(|C|) bits [Yao86, GMW87, BGW88, CCD88, …]
    • Using Fully Homomorphic Encryption (FHE): ~|input| + |output| bits [RAD77, Gen09]

SLIDE 13

Succinct Secure Computation from HSS

HSS for [Class] ⇒ 2PC for [Class] with low communication

[Figure: w = (x, x’) → Share → (w0, w1); y0 = Eval_C(w0), y1 = Eval_C(w1); y0 + y1 = C(w)]

SLIDE 14

Succinct Secure Computation from HSS

HSS for [Class] ⇒ 2PC for [Class] with low communication

[Figure: Alice (x) and Bob (x’) securely compute Share(x,x’) = (w0, w1); each locally computes y_b = Eval_C(w_b); they exchange additive output shares; y0 + y1 = C(x,x’)]

Comm ~ |inputs| * poly(λ) + |output|

Note: Compact output shares suffice

SLIDE 15

Implications

  • FHE: Succinct 2PC for circuits
    • All rely on narrow set of assumptions (LWE / lattices)
    • High concrete costs
  • HSS for circuits: (relies anyway on FHE)
  • HSS for Branching Programs: Succinct 2PC for BP
    • New assumptions (“20th century” discrete log-style) [BGI16a]
    • Better efficiency for certain regimes [BGI16a, BCGIO17, BKS19]

SLIDE 16

(2-Server) Private Information Retrieval (PIR)

[Figure: client wishes to access item i without revealing i; 2 non-communicating servers, each holding a copy of the (same) n-entry DB]

Each server’s copy of the DB:

  #  Value
  1  100101
  2  100100
  3  011011
  4  101010
  5  001001
  6  110101

  • Correctness: Recover i-th entry
  • Privacy (1 server): ∀ indices i, i′ ∈ [n], ∀ server s: view_s given index i ≈ view_s given index i′
  • Non-triviality: Communication < n [Chor-Goldreich-Kushilevitz-Sudan98]

SLIDE 17

2-Server (Generalized) PIR from HSS [GI14, BGI15]

[Figure: both servers hold the same 6-entry DB shown on slide 16]

Example: “How many items in DB satisfy secret predicate P?”

Program DB(P) = # DB items satisfying P

Secret input = private query predicate P
  • Client sends HSS-Share0(P) = P0 to server 0 and HSS-Share1(P) = P1 to server 1
  • Server 0 computes output0 = HSS-Eval(P0, DB); server 1 computes output1 = HSS-Eval(P1, DB)
  • DB(P) = output0 + output1

SLIDE 18

2-Server (Generalized) PIR from HSS [GI14, BGI15]

[Figure: both servers hold the same 6-entry DB shown on slide 16]

Idea: Can split complex function “DB” into a sum of simpler “DB_i” functions

Program DB_i(P) = 1 if DB item i satisfies P

Server 0 computes out_1^0 = HSS-Eval(P0, DB_1), out_2^0 = HSS-Eval(P0, DB_2), …, out_n^0 = HSS-Eval(P0, DB_n); server 1 likewise computes out_i^1 = HSS-Eval(P1, DB_i) for i = 1, …, n.

Compute
$\sum_{i=1}^{n} (\mathrm{out}_i^0 + \mathrm{out}_i^1) = \sum_{i=1}^{n} \mathrm{out}_i^0 + \sum_{i=1}^{n} \mathrm{out}_i^1$

SLIDE 19

2-Server (Generalized) PIR from HSS [GI14, BGI15]

[Figure: both servers hold the same 6-entry DB shown on slide 16]

Program DB_i(P) = 1 if DB item i satisfies P. Server b computes out_i^b = HSS-Eval(P_b, DB_i) for i = 1, …, n and returns only the sum $\sum_{i=1}^{n} \mathrm{out}_i^b$; the client computes
$\sum_{i=1}^{n} \mathrm{out}_i^0 + \sum_{i=1}^{n} \mathrm{out}_i^1$

  • Small (client → server) communication (similar to FHE)
  • Small (server → client) communication (= rate 1)
  • For simple queries, very efficient!
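As an added example (not from the slides), the simplest instance of slides 16-19 in Python: the predicate P(j) = [j = i] is shared with the linear HSS of slide 6 (additive sharing over Z_2), each server evaluates DB(P) as the sum of the per-item functions DB_i(P) on its own share, and the client adds the two answers. The database is the constructed 6-entry table from the slides; the function names and the XOR-based sharing are this example's own choices.

```python
import secrets

# Constructed sample database (the 6-entry table from the slides); each server holds a copy.
DB = ["100101", "100100", "011011", "101010", "001001", "110101"]
WIDTH = 6   # bits per entry

def share_query(index, n):
    """Client: additively share P(j) = [j == index] over Z_2 (XOR).
    share0 is uniformly random, so alone it says nothing about index;
    share1 = P xor share0 is uniformly random as well."""
    share0 = [secrets.randbelow(2) for _ in range(n)]
    share1 = [int(j == index) ^ s0 for j, s0 in enumerate(share0)]
    return share0, share1

def eval_item(p_share_j, entry):
    """DB_j(P) on one share: P_b(j) * DB[j] over GF(2)^WIDTH.
    The function is linear in P, so evaluating it on a share yields a share."""
    return int(entry, 2) if p_share_j else 0

def server_answer(p_share, db):
    """Server b: out^b = XOR_j DB_j(P_b), the sum of the simpler per-item functions;
    only WIDTH bits go back to the client (rate 1)."""
    acc = 0
    for p_j, entry in zip(p_share, db):
        acc ^= eval_item(p_j, entry)
    return acc

def retrieve(index, db):
    """Whole 2-server protocol run locally: share, evaluate at both servers, reconstruct."""
    s0, s1 = share_query(index, len(db))
    return format(server_answer(s0, db) ^ server_answer(s1, db), f"0{WIDTH}b")
```

Upload is n bits per server, so this basic scheme does not meet the non-triviality bound of slide 16; the compressed sharings cited on slide 20 are what bring the cost down to (λ + 2) log n.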

SLIDE 20

PIR: What is Known (Communication, n = |DB|)

Statistical Privacy
  • 2+ servers: $n^{o(1)}$ (“slightly” sub-polynomial) [Yekh07, Efre09, DvirGopi15]; rather complex
  • 1 server: Impossible.

Computational Privacy (λ = sec param)
  • 2+ servers (one-way functions): $(\lambda + 2) \log n$ [Boyle-Gilboa-Ishai 16b]
  • 1 server (public-key assumptions): $\mathrm{poly}(\lambda) \log^2 n$ [KushilevitzOstrovsky00, …]; requires public-key cryptography [DiCrescenzo-Malkin-Ostrovsky 00]

SLIDE 21

Other HSS Applications & Developments

  • Secure computation for RAM programs [Doerner-Shelat’17, Gordon-Katz-Wang’18, Bunn-Katz-Kushilevitz-Ostrovsky’18]
  • Proving statements split across verifiers [Boneh-Boyle-CorriganGibbs-Gilboa-Ishai’19]
  • Secure computation mixing Boolean & arithmetic operations [Boyle-Gilboa-Ishai’19]
  • Worst-case to average-case reductions in complexity theory [Boyle-Gilboa-Ishai-Lin-Tessaro’18]
  • Connection to locality-preserving hash [Boyle-Dinur-Gilboa-Ishai-Keller-Klein]
  • (& more!)

SLIDE 22

Part I: HSS from Lattices (LWE / Ring-LWE)

SLIDE 23

2-party HSS from “Threshold” FHE

[Figure: FHE key pair (pk, sk); w is FHE-encrypted; both parties hold the ciphertext of w and run FHE-Eval_C on it to obtain y; party b holds key share sk_b and outputs y_b = Dec(sk_b, y); y0 + y1 = C(w), assuming the necessary threshold-decryption structure]

Cost: ciphertext-ciphertext multiplications + 1 decryption

SLIDE 24

Previous work on HSS

  Expressiveness         Assumption               Computational overhead
  Point functions etc.   PRG [GI14, BGI15, …]
  Branching Programs     DDH [BGI16]              1/poly correctness error; only poly-size plaintext space
  All circuits           specific FHE [DHRW16]    Noise growth; costly ciphertext mult.
  Branching Programs     (R)-LWE [This work]

Q: Can we build HSS from lattices, without FHE?

Yes.

SLIDE 25

2-party HSS “Without FHE”

[Figure: same pipeline as slide 23: key pair (pk, sk), Encrypt w, Eval_C to obtain y, party b computes y_b = Dec(sk_b, y); y0 + y1 = C(w)]

Instead of ciphertext-ciphertext multiplications + 1 decryption:

Cost of (restricted) multiplication ≈ cost of decryption

SLIDE 26

HSS for Branching Programs from lattices without FHE [Boyle-Kohl-Scholl Eurocrypt’19]

SLIDE 27

Expressiveness of Branching Programs (BP)

  • Multiplication of n n-bit numbers
  • Many numerical / statistical calculations
  • FHE Decryption
  • Min L2-distance from list of length-n vectors
  • Undirected graph connectivity
  • Streaming algorithms
  • Finite automata
  • …

Captures NC1 (log-depth) & log-space

SLIDE 28

Useful Model: BPs via Restricted Multiplication

Supported Operations:

  • Load Input
  • Add Memory values
  • Output Memory value
  • Multiply Input x Memory value

(Missing: Multiply Memory x Memory)

Any (poly-size) Branching Program can be represented by (poly-many) of these operations

SLIDE 29

Learning With Errors (LWE) & Ring LWE [Regev 05, Lyubashevsky-Peikert-Regev 13]

  • Assumptions underlying FHE & most lattice-based public-key crypto

LWE: Given $A \in \mathbb{Z}_q^{m \times n}$, with
  • modulus $q > 2$
  • secret $s \leftarrow \mathbb{Z}_q^{n}$
  • error $e$ small

$A \cdot s + e \approx u \bmod q$ (indistinguishable from uniform $u$)

Ring-LWE: Version over polynomial rings

(This talk: Only use encryption based on R/LWE, not its actual structure)

SLIDE 30

HSS for BPs from Lattices w/o FHE

  • Bottom line:
    • Cheaper multiplication ≈ cost of (ring)-LWE decryption (contrasted to HSS from FHE)
    • Negligible correctness error (contrasted to HSS from DDH)
    • Superpolynomial plaintext space (contrasted to HSS from DDH)
  • Highlights:
    • Tricks for using lattices in a distributed setting
    • Optimizations: degree-2, batching etc.
    • Concrete efficiency improvements in applications
      • Secure 2-party computation
      • 2-server private database queries

SLIDE 31

Previous work: HSS for BPs based on DDH [Boyle-Gilboa-Ishai 16]

  • Expensive
  • Fails with pr. 1/poly
  • Only poly-size plaintexts

[BGI16] (simplified), writing ⟦x⟧ for an input share of x:

Types of shares:
  • Input values: ⟦x⟧ “encryptions”
  • Memory values: (x_0, x_1) “secret shares”

Types of computations:
  • Add: (x_0, x_1), (y_0, y_1) → (x_0 + y_0, x_1 + y_1)
  • Mult: ⟦x⟧, (y_0, y_1) → ((x ⋅ y)_0, (x ⋅ y)_1)

SLIDE 32

Important Property: Nearly-Linear Decryption [Regev 05, Lyubashevsky-Peikert-Regev 13]

Structure of most (ring)-LWE based encryption schemes:

  • Ciphertexts over $\mathbb{Z}_q$, plaintexts in $\mathbb{Z}_p$ ($p < q$)
  • Nearly-linear decryption property: there is a linear function LinDec with
    $\mathrm{LinDec}(sk, ⟦x⟧) \approx \frac{q}{p} \cdot x \bmod q$

E.g. $p = 2$, $x = 1$: $\mathrm{LinDec}(sk, ⟦1⟧) \approx \frac{q}{2}$

SLIDE 33

Multiplication: a first attempt

Given: $\mathrm{LinDec}(sk, ⟦x⟧) \approx \frac{q}{p} \cdot x \bmod q$

Main idea: multiplication via distributed decryption

If $sk_0 + sk_1 = sk \bmod q$, then, because LinDec is linear in $sk$:

$\mathrm{LinDec}(sk_0, ⟦x⟧) + \mathrm{LinDec}(sk_1, ⟦x⟧) = \mathrm{LinDec}(sk_0 + sk_1, ⟦x⟧) \approx \frac{q}{p} \cdot x$

and, for a value $y$ held as shares $y \cdot sk_0$, $y \cdot sk_1$:

$\mathrm{LinDec}(y \cdot sk_0, ⟦x⟧) + \mathrm{LinDec}(y \cdot sk_1, ⟦x⟧) = y \cdot \mathrm{LinDec}(sk_0 + sk_1, ⟦x⟧) \approx \frac{q}{p} \cdot x \cdot y$

Problem 1: how to remove the noise?

SLIDE 34

Based on [Dodis-Halevi-Rothblum-Wichs 16]

In general: $\mathrm{Round}(x_0) + \mathrm{Round}(x_1) \neq \mathrm{Round}(x_0 + x_1) \bmod p$

Rounding lemma: If $x_0 + x_1 \approx \frac{q}{p} \cdot z \bmod q$, up to noise of magnitude $B$, then
$\mathrm{Round}(x_0) + \mathrm{Round}(x_1) = \mathrm{Round}(x_0 + x_1) \bmod p$
except with probability $\approx B \cdot p / q$

[Figure: number line mod q with the rounding boundaries, showing local rounding of the two shares]

Local rounding of shares

Negligible if $p \ll q$ (needs $q$ superpolynomial)

SLIDE 35

Going beyond one multiplication

[Figure: shares of $y \cdot sk \bmod q$ together with $⟦x⟧$ → LinDec → shares of $\frac{q}{p} \cdot x \cdot y$ + noise $\bmod q$ → Round → shares of $x \cdot y \bmod p$; with $⟦x \cdot sk⟧$ the same steps give shares of $x \cdot y \cdot sk \bmod p$]

  • What did we get so far?
  • Next mult: need shares of $x \cdot y \cdot sk \bmod q$
  • Problem: output shares are mod $p$, not $q$!
  • To continue: need fresh ciphertext mod $p$, with message space $p_1 \ll p \ll q$
  • For ℓ multiplications, need $p_1 \ll p_2 \ll \cdots \ll p_\ell \ll q$

SLIDE 36

Lifting the modulus

  • In general: e.g. $2 + 2 \bmod 3 \neq 2 + 2 \bmod 4$
  • Lifting lemma: If $x_0 + x_1 = z \bmod p$, then $x_0 + x_1 = z \bmod q$ except with pr. $|z|/p$ (with $x_0, x_1$ read as integers in $[-p/2, p/2)$, so the sum can only wrap around when $|z|$ is comparable to $p$)
    (or: “do nothing” lemma)

[Figure: number lines mod p and mod q illustrating the lift]

SLIDE 37

Recap of construction

  • HSS Shares of $x$: encryptions $⟦x \cdot sk⟧$, together with key shares $sk_0$, $sk_1$
  • Main idea: distributed decryption ⇒ multiplication
  • Allows: computing any branching program with magnitude $B$, for $B \ll p \ll q/B$

[Figure: one multiplication step: shares of $y \cdot sk$ and $⟦x \cdot sk⟧$ → LinDec → round → lift → shares of $x \cdot y \cdot sk$; the next input $w$ is applied the same way with $⟦w \cdot sk⟧$]
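An added example (this editor's toy, not the BKS19 implementation) that runs slides 32-37 end to end: a Regev-style LWE scheme over Z_q with plaintext modulus p and a ternary secret, where LinDec is the inner product ⟨sk, ct⟩, memory values are additive shares of y·sk, and each “input × memory” step at a party is LinDec, then Round, then Lift. The parameters, the secret-key-only setup and all function names are assumptions made here; the Add operation (componentwise addition of memory shares) is omitted for space.

```python
import random
Q = 2**64   # ciphertext modulus q (constructed toy value; far too small to be secure)
P = 2**24   # plaintext modulus p: B << p << q/B for values of magnitude B
N = 8       # LWE dimension
rng = random.Random(2019)

def center(v, m):
    """Centered representative of v mod m, in [-m/2, m/2)."""
    v %= m
    return v - m if v >= m // 2 else v

def keygen():
    """sk = (1, -s) with ternary s, so that x*sk_j is itself a small plaintext."""
    return [1] + [-rng.choice([-1, 0, 1]) for _ in range(N)]

def encrypt(sk, m):
    """Regev-style ct = (b, a): <sk, ct> = b - <s, a> = (q/p)*m + e mod q, e small."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-8, 8)
    b = (sum(-skj * aj for skj, aj in zip(sk[1:], a)) + e + (Q // P) * m) % Q
    return [b] + a

def lindec(key_share, ct):
    """LinDec is an inner product over Z_q, hence linear in the key share."""
    return sum(k * c for k, c in zip(key_share, ct)) % Q

def share_input(sk, x):
    """Input share [[x*sk]]: one encryption per key component (sk_0 = 1 gives [[x]])."""
    return [encrypt(sk, x * skj) for skj in sk]

def share_memory(sk, y):
    """Memory shares <y*sk>: additive shares mod q of the vector y*sk."""
    s0 = [rng.randrange(Q) for _ in sk]
    return s0, [(y * skj - a) % Q for skj, a in zip(sk, s0)]

def mult_local(inp, mem_share):
    """One party's 'input x memory' step: LinDec, then Round, then Lift."""
    out = []
    for ct in inp:
        v = lindec(mem_share, ct)        # share of (q/p)*x*y*sk_j + y*e mod q
        r = (v * P + Q // 2) // Q % P    # Round: share of x*y*sk_j mod p
        out.append(center(r, P) % Q)     # Lift: same integer read as a share mod q
    return out

def hss_product(values):
    """Multiply small values one input at a time; both parties get the same [[x*sk]]."""
    sk = keygen()
    mem0, mem1 = share_memory(sk, 1)     # memory starts at 1: shares of sk itself
    for x in values:
        inp = share_input(sk, x)
        mem0, mem1 = mult_local(inp, mem0), mult_local(inp, mem1)
    return center((mem0[0] + mem1[0]) % Q, Q)   # sk_0 = 1, so slot 0 holds the product
```

Because the lifted shares carry no noise, every multiplication starts again from a fresh ⟦x·sk⟧ under the same single p, which is exactly what the “do nothing” lemma of slide 36 buys over the chain p_1 ≪ p_2 ≪ ⋯ of slide 35.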

SLIDE 38

A Circular Security Problem?

  • Need encryptions of $x \cdot sk$… still secure?
  • Yes! Thanks to nearly linear decryption [Applebaum-Cash-Peikert-Sahai’09, Brakerski-Vaikuntanathan’11]
  • Bonus: can also generate encryptions given only pk ⇒ simple public-key setup

[Figure: from $⟦x⟧$ and pk, derive $⟦x \cdot sk⟧$]

SLIDE 39

Application: Generalized 2-server PIR for Richer Queries (BPs)

Private input: Query $Q$; Output: $Q(\mathrm{DB})$

[Figure: both servers hold the same 6-entry DB shown on slide 16]

  • Private conjunctive keyword search, pattern matching etc.
  • More efficient than PIR from Somewhat-Homomorphic Encryption:
    • E.g. ≈3x smaller ciphertexts, ≈10x less computation

SLIDE 40

Summary of Part I

  • Simpler HSS from lattices: rounding, lifting and nearly-linear decryption ⇒ HSS for NC1
  • Extensions:
    • Optimized degree-2 and secret-key HSS
    • HSS supporting batched operations
  • Open questions:
    • Beyond 2 parties
    • Avoid superpolynomial modulus $q$
    • More efficient batching