How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco - - PowerPoint PPT Presentation

How Ideal Lattices unlocked Fully Homomorphic Encryption

Francisco Jos´ e VIAL PRADO December 10, 2014 Ph.D. advisor : Louis GOUBIN

Introduction Gentry’s IL scheme Other FHE schemes Open questions

This talk

Introduction Gentry’s Ideal Lattices scheme Further advances, others schemes and open problems

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Fully Homomorphic Encryption

Question : “Is it possible to compute blindfolded?”

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Fully Homomorphic Encryption

Question : “Is it possible to compute blindfolded?” Example : A public-key cryptosystem E verifying : ∀a, b ∈ P(E), a + b = DE(EE(a) + EE(b)), a × b = DE(EE(a) × EE(b)).

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Formal definition

• Def. 1 :

A homomorphic scheme is a public-key scheme E with four PPT algorithms : KeyGen: λ → (sk, pk); Enc: (m, pk) → c; Dec: (c, sk) → m; Eval:(C, c1, . . . , cn, pk) → m.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Formal definition

• Def. 1 :

A homomorphic scheme is a public-key scheme E with four PPT algorithms : KeyGen: λ → (sk, pk); Enc: (m, pk) → c; Dec: (c, sk) → m; Eval:(C, c1, . . . , cn, pk) → m.

• Def. 2 :

A homomorphic scheme is correct for a set of circuits C if, for every circuit in C, ψ ← Eval(C, ψ1, . . . , ψn, pk) ⇒ Dec(ψ, sk) = C(π1, . . . , πn) where ψi = Enc(πi, pk), i = 1, . . . , n.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

A Fully Homomorphic Scheme is a homomorphic scheme that is correct for all circuits.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Starting point

Let I be an ideal of some ring R, m ∈ R the message.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Starting point

Let I be an ideal of some ring R, m ∈ R the message. Encryption : Enc(m) = m + xI for some x ∈ R.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Search an ideal I that allows Random sampling from α + I, α ∈ R.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Search an ideal I that allows Random sampling from α + I, α ∈ R. Noise annihilation m + xI → m.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Search an ideal I that allows Random sampling from α + I, α ∈ R. Noise annihilation m + xI → m. And strong security properties.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ideals + lattices = Ideal lattices

Let R = Z[X]/(X n + 1) where n is a power of 2, and consider the mapping α : R → Zn, α(v0 + v1X + · · · + vn−1X n−1) = (v0, v1, · · · , vn−1) Let I = (P(X)) be a principal ideal of R :

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ideals + lattices = Ideal lattices

Let R = Z[X]/(X n + 1) where n is a power of 2, and consider the mapping α : R → Zn, α(v0 + v1X + · · · + vn−1X n−1) = (v0, v1, · · · , vn−1) Let I = (P(X)) be a principal ideal of R : An ideal lattice is the image of a principal ideal of R by α, i.e. L = α(I).

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ideals + lattices = Ideal lattices

Let R = Z[X]/(X n + 1) where n is a power of 2, and consider the mapping α : R → Zn, α(v0 + v1X + · · · + vn−1X n−1) = (v0, v1, · · · , vn−1) Let I = (P(X)) be a principal ideal of R : An ideal lattice is the image of a principal ideal of R by α, i.e. L = α(I). For instance, if n = 3, α((2 + X)) is generated by α(2 + X), α(X(2 + X)), α(X 2(2 + X)).

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ideals + lattices = Ideal lattices

Let R = Z[X]/(X n + 1) where n is a power of 2, and consider the mapping α : R → Zn, α(v0 + v1X + · · · + vn−1X n−1) = (v0, v1, · · · , vn−1) Let I = (P(X)) be a principal ideal of R : An ideal lattice is the image of a principal ideal of R by α, i.e. L = α(I). For instance, if n = 3, α((2 + X)) is generated by α(2 + X), α(X(2 + X)), α(X 2(2 + X)). I.e., the columns of   2 −1 1 2 1 2   .

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Operations in an ideal lattice

Let L be an ideal lattice with base BL = {b1, . . . , bn}. Define P(BL) =   

• i≤n

xibi ∈ Rn ; xi ∈ [−1/2, 1/2)    .

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Operations in an ideal lattice

Let L be an ideal lattice with base BL = {b1, . . . , bn}. Define P(BL) =   

• i≤n

xibi ∈ Rn ; xi ∈ [−1/2, 1/2)    . Base reduction in Zn : x mod BL = x − BL⌊B−1

L x⌉ ∈ P(BL)

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Operations in an ideal lattice

Let L be an ideal lattice with base BL = {b1, . . . , bn}. Define P(BL) =   

• i≤n

xibi ∈ Rn ; xi ∈ [−1/2, 1/2)    . Base reduction in Zn : x mod BL = x − BL⌊B−1

L x⌉ ∈ P(BL)

Addition in Zn: (x, y) → x + y

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Operations in an ideal lattice

Let L be an ideal lattice with base BL = {b1, . . . , bn}. Define P(BL) =   

• i≤n

xibi ∈ Rn ; xi ∈ [−1/2, 1/2)    . Base reduction in Zn : x mod BL = x − BL⌊B−1

L x⌉ ∈ P(BL)

Addition in Zn: (x, y) → x + y Product in Zn : (x, y) → α(x(X) × y(X))

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Gentry’s solution

Let J be an ideal lattice, generated by two bases Bsk

J , Bpk J .

P ⊆ {0, 1}n, pk = {Bpk

J }, sk = {Bsk J }

Let Samp(π) be a (bounded) random algorithm that samples from π + 2Zn.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Gentry’s solution

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Gentry’s solution

Encryption :

• π Samp

− − − − → π+2 e

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Gentry’s solution

Encryption :

• π Samp

− − − − → π+2 e

modBpk

J

− − − − − − → π+2 e+

• i.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Gentry’s solution

Encryption :

• π Samp

− − − − → π+2 e

modBpk

J

− − − − − − → π+2 e+

• i.

Decryption :

• ψ

modBsk

J

− − − − − − → ψ−

• i′

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Gentry’s solution

Encryption :

• π Samp

− − − − → π+2 e

modBpk

J

− − − − − − → π+2 e+

• i.

Decryption :

• ψ

modBsk

J

− − − − − − → ψ−

• i′

mod 2

− − − → π−

• i′−

2e′.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Homomorphic properties

ψ = π + 2 e + i, ψ′ = π′ + 2 e′ + i′

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Homomorphic properties

ψ = π + 2 e + i, ψ′ = π′ + 2 e′ + i′ ψ + ψ′ = ( π + π′) + 2( e + e′) + i′′ ψ × ψ′ = ( π × π′) + 4 e × e′ + i′′′

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Homomorphic properties

ψ = π + 2 e + i, ψ′ = π′ + 2 e′ + i′ ψ + ψ′ = ( π + π′) + 2( e + e′) + i′′ ψ × ψ′ = ( π × π′) + 4 e × e′ + i′′′ Theorem : dmax = log log || vsk||2 − log log(√n · lSamp)

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ground-breaking idea

Bootstrapping : Capability of refreshing a high-noise message.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ground-breaking idea

Bootstrapping : Capability of refreshing a high-noise message. The scheme has to verify : DE ∈ CE.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Ground-breaking idea

Bootstrapping : Capability of refreshing a high-noise message. The scheme has to verify : DE ∈ CE. Introduces “circular security” issues.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Bootstrapping theorem : Let E be a homomorphic encryption scheme that is correct for circuits in C. If DecE ∈ C, then E is bootstrappable.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Bootstrapping theorem : Let E be a homomorphic encryption scheme that is correct for circuits in C. If DecE ∈ C, then E is bootstrappable. For reasonable parameters, the I.L. scheme as presented is not bootstrappable.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Bootstrapping theorem : Let E be a homomorphic encryption scheme that is correct for circuits in C. If DecE ∈ C, then E is bootstrappable. For reasonable parameters, the I.L. scheme as presented is not bootstrappable. Gentry reduces the degree of the decryption circuit and achieves bootstrapping.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

New security issues

Circular security : Is it safe to send Key-Dependent messages ? If so; is this provable ?

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

New security issues

Circular security : Is it safe to send Key-Dependent messages ? If so; is this provable ? The Sparse Subset Sum Vector Problem : Given an upper bound for θ, distinguish between { t1, . . . , tΘ} ⊂R Qn and { t1, . . . , tΘ ∈ Qn;

• i∈S
• ti = 0}.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Other FHE schemes

van Dijk, Gentry, Halevi, Vaikuntanathan.– A FHE scheme over Z. Brakerski, Vaikuntanathan.— (i) FHE from LWE (ii) FHE with proved circular security

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Multikey FHE

Ciphertexts are to be decrypted jointly by a set of secret-key holders Allows Multiparty Computation Protocols in the cloud

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Multikey FHE

Ciphertexts are to be decrypted jointly by a set of secret-key holders Allows Multiparty Computation Protocols in the cloud

Figure : Single Key FHE scenario

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

MPC on the cloud

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

MPC on the cloud

The cloud computes the homomorphic evaluation as for in the single key setting. The decryption is the joint computation of the function Dec(C, skA, skB).

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

MPC on the cloud

The cloud computes the homomorphic evaluation as for in the single key setting. The decryption is the joint computation of the function Dec(C, skA, skB). Reduction of general MPC to a particular MPC !

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Attribute-Based and Identity-Based FHE scheme

2013 : The approximate eigenvector problem :

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Attribute-Based and Identity-Based FHE scheme

2013 : The approximate eigenvector problem : C v = µ v + e Ciphertexts are matrices Security comes from LWE Assymptotically faster

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Attribute-Based and Identity-Based FHE scheme

2013 : The approximate eigenvector problem : C v = µ v + e Ciphertexts are matrices Security comes from LWE Assymptotically faster They provide a compiler to convert any LWE-FHE scheme into an attribute based scheme

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Attribute-Based and Identity-Based FHE scheme

2013 : The approximate eigenvector problem : C v = µ v + e Ciphertexts are matrices Security comes from LWE Assymptotically faster They provide a compiler to convert any LWE-FHE scheme into an attribute based scheme

• r into a (hierarchical) identity based scheme.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Hierarchical encryption

7 8 9 10 11 3 4 5 6 1 2

Figure : A polytree.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Hierarchical encryption

A high level user can “merge” all subordinate keys into a single one

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Hierarchical encryption

A high level user can “merge” all subordinate keys into a single one

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Hierarchical encryption

A high level user can “merge” all subordinate keys into a single one

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Hierarchical encryption

A high level user can “merge” all subordinate keys into a single one

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Hierarchical encryption

A high level user can “merge” all subordinate keys into a single one Changes can be done in the tree in real time Two distant users can collaborate regardless of the authority level (Work in progress...)

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Open questions

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Open questions

FHE + equality test ?

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Open questions

FHE + equality test ? “Targeted” FHE: allow only a class of public computations.

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Open questions

FHE + equality test ? “Targeted” FHE: allow only a class of public computations. Is it possible to exploit the “graph structure” on ciphertexts via C + E(0) or C × E(1)?

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE

Introduction Gentry’s IL scheme Other FHE schemes Open questions

Thank you!

Francisco Jos´ e VIAL PRADO How Ideal Lattices unlocked FHE