Shai Halevi, IBM, August 2013: I want to delegate processing of my data - PowerPoint PPT Presentation

  1. Shai Halevi ― IBM August 2013

  2. I want to delegate processing of my data, without giving away access to it.

  3. “I want to delegate the computation to the cloud, but the cloud shouldn’t see my input.” [Figure: the Client (Input: $x$) sends $\mathrm{Enc}(x)$ to the Server/Cloud (Function: $f$), which returns $\mathrm{Enc}[f(x)]$.]

  4. • Rivest-Adleman-Dertouzos 1978. [Figure: plaintext space $P$ and ciphertext space $C$; $c_i \leftarrow \mathrm{Enc}(x_i)$; combining $x_1 * x_2$ in $P$ corresponds to combining $c_1 \,\#\, c_2$ in $C$; $y \leftarrow \mathrm{Dec}(d)$.] Example: $\mathrm{RSA\_encrypt}_{(e,N)}(x) = x^e \bmod N$, and $x_1^e \cdot x_2^e = (x_1 \cdot x_2)^e \bmod N$. “Somewhat Homomorphic”: can compute some functions on encrypted data, but not all.

  5. Encryption for which we can compute arbitrary functions on the encrypted data. [Figure: $\mathrm{Enc}(x)$ and $f$ go into $\mathrm{Eval}$, which outputs $\mathrm{Enc}(f(x))$.]

  6. An encryption scheme: (KeyGen, Enc, Dec). Plaintext-space $= \{0,1\}$. $(pk, sk) \leftarrow \mathrm{KeyGen}(\$)$, $c \leftarrow \mathrm{Enc}_{pk}(b)$, $b \leftarrow \mathrm{Dec}_{sk}(c)$. Semantic security [GM’84]: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$, where $\approx$ means indistinguishable by efficient algorithms.

  7. $H = \{\mathrm{KeyGen}, \mathrm{Enc}, \mathrm{Dec}, \mathrm{Eval}\}$, with $c^* \leftarrow \mathrm{Eval}_{pk}(f, c)$. Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$. $c^*$ may not look like a “fresh” ciphertext, as long as it decrypts to $f(x)$. Compact: decrypting $c^*$ is easier than computing $f$. Otherwise we could use $\mathrm{Eval}_{pk}(f, c) = (f, c)$ and $\mathrm{Dec}_{sk}(f, c) = f(\mathrm{Dec}_{sk}(c))$. Technically, $|c^*|$ is independent of the complexity of $f$.

  8. First plausible candidate in [Gen’09]. Security from hard problems in ideal lattices. Polynomially slower than computing in the clear (big polynomial though). Many advances since: other hardness assumptions (LWE, RLWE, NTRU, approximate-GCD), more efficient constructions, other “advanced properties” (multi-key, identity-based, …).

  9. Regev-like somewhat-homomorphic encryption: adding homomorphism to the [Reg’05] cryptosystem, security based on LWE, Ring-LWE; based on [BV’11, BGV’12, B’12]. Bootstrapping to get FHE [Gen’09]. Packed ciphertexts for efficiency, based on [SV’11, BGV’12, GHS’12]. Not in this talk: a new LWE-based scheme [Gentry-Sahai-Waters CRYPTO 2013].

  10. Many equivalent forms, this is one of them. Parameters: $q$ (modulus), $n$ (dimension). Secret: a random short vector $\mathbf{s} \in \mathbb{Z}_q^n$. Input: many pairs $(\mathbf{a}_i, b_i)$, where $\mathbf{a}_i \in \mathbb{Z}_q^n$ is random, $b_i = \langle \mathbf{s}, \mathbf{a}_i \rangle + e_i \pmod q$, and $e_i$ is short. Goal: find the secret $\mathbf{s}$, or distinguish $(\mathbf{a}_i, b_i)$ from random in $\mathbb{Z}_q^{n+1}$. [Regev’05, Peikert’09]: as hard as some worst-case lattice problems in dimension $n$ (for a certain range of params).

  11. The shared-key variant (enough for us). Secret key: vector $\mathbf{s}'$; denote $\mathbf{s} = (\mathbf{s}', 1)$. Encrypt $\sigma \in \{0,1\}$: $\mathbf{c} = (\mathbf{a}, b)$ s.t. $b = \sigma \cdot \frac{q}{2} - \langle \mathbf{s}', \mathbf{a} \rangle + e \pmod q$. Convenient to write $\langle \mathbf{s}, \mathbf{c} \rangle = \sigma \cdot \frac{q}{2} + e \pmod q$. Decrypt$(\mathbf{s}, \mathbf{c})$: output 0 if $|\langle \mathbf{s}, \mathbf{c} \rangle \bmod q| \le q/4$, else output 1. Correct decryption as long as error $< q/4$. Security: if LWE is hard, the ciphertext is pseudorandom.

  12. If $\langle \mathbf{s}, \mathbf{c}_i \rangle \approx \sigma_i \cdot \frac{q}{2} \pmod q$ then $\langle \mathbf{s}, \mathbf{c}_1 + \mathbf{c}_2 \rangle \approx (\sigma_1 \oplus \sigma_2) \cdot \frac{q}{2} \pmod q$. Error doubles on addition. Correct decryption as long as the error $< q/4$.

  13. Step 1: Tensor Product. If $\langle \mathbf{s}, \mathbf{c}_i \rangle \approx \sigma_i \cdot \frac{q}{2} \pmod q$ and $\mathbf{s}$ is small ($|\mathbf{s}| \ll q$), then $\langle \mathbf{s} \otimes \mathbf{s}, \mathbf{c}_1 \otimes \mathbf{c}_2 \rangle \approx \sigma_1 \sigma_2 \cdot \frac{q^2}{4} \pmod{q^2}$. Error has extra additive terms of size $\approx |\mathbf{s}| \cdot q \ll q^2$. So $\mathbf{c}^* = \mathrm{round}\big((\mathbf{c}_1 \otimes \mathbf{c}_2) / \tfrac{q}{2}\big)$ encrypts $\sigma_1 \sigma_2$ relative to the secret key $\mathbf{s}^* = (\mathbf{s} \otimes \mathbf{s})$. Rounding adds another small additive error. But the dimension squares on multiply.

  14. Step 2: Dimension Reduction. Publish a “key-switching gadget” to translate $\mathbf{c}^*$ w.r.t. $\mathbf{s}^*$ $\to$ $\mathbf{c}$ w.r.t. $\mathbf{s}$. Essentially an encryption of $\mathbf{s}^*$ under $\mathbf{s}$: an $n \times n^2$ rational matrix $W$ s.t. $\mathbf{s}^T \times W \approx \mathbf{s}^* \pmod q$. Given $\mathbf{c}^*$, compute $\mathbf{c} \leftarrow \mathrm{Round}(W \times \mathbf{c}^*) \pmod q$. Then $\langle \mathbf{s}, \mathbf{c} \rangle \approx \mathbf{s}^T \times W \times \mathbf{c}^* \approx \langle \mathbf{s}^*, \mathbf{c}^* \rangle \approx \sigma \cdot \frac{q}{2} \pmod q$. Some extra work is needed to keep the error from growing too much. Still secure under reasonable hardness assumptions.
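The scheme of slides 11 to 14 as an added Python toy (not code from the talk): symmetric Regev encryption of one bit, homomorphic addition, tensor-product multiplication rescaled by 2/q, and a bit-decomposition key-switching gadget standing in for the slide's rational matrix W. The parameters q = 2^16, n = 4 and the error bound are constructed for readability and give no security.

```python
import random
Q, N, E, LOGQ = 2**16, 4, 2, 16   # modulus q, dimension of s', error bound, bits per coordinate (toy, insecure)

def keygen():             # secret s = (s', 1) with a short s', as in the shared-key variant
    return [random.choice([-1, 0, 1]) for _ in range(N)] + [1]

def encrypt_value(s, m):  # c = (a, b), b = m - <s', a> + e (mod q), so <s, c> = m + e (mod q)
    a = [random.randrange(Q) for _ in range(N)]
    return a + [(m - sum(si * ai for si, ai in zip(s, a)) + random.randint(-E, E)) % Q]

def encrypt(s, bit):      # a bit is encoded as bit * q/2
    return encrypt_value(s, bit * (Q // 2))

def decrypt(s, c):        # 0 if |<s, c> mod q| <= q/4 else 1, plus the centred noise
    v = sum(si * ci for si, ci in zip(s, c)) % Q
    v = v - Q if v > Q // 2 else v
    bit = 0 if abs(v) <= Q // 4 else 1
    return bit, (v if bit == 0 else (v - Q // 2 if v > 0 else v + Q // 2))

def add(c1, c2):          # noise of the sum is the sum of the noises (at most doubles)
    return [(x + y) % Q for x, y in zip(c1, c2)]

def tensor_mul(c1, c2):   # c* = round((2/q) * (c1 (x) c2)) mod q encrypts b1*b2 under s (x) s
    return [round(2 * x * y / Q) % Q for x in c1 for y in c2]

def tensor_key(s):
    return [x * y for x in s for y in s]

def switch_key_gadget(s, s_star):
    # W[j][t] encrypts 2^t * s*_j under s. Bit decomposition stands in for the rational
    # matrix W on the slide; it keeps the large entries of c* from amplifying the noise.
    return [[encrypt_value(s, (sj << t) % Q) for t in range(LOGQ)] for sj in s_star]

def key_switch(W, c_star):
    # c = sum_{j,t} bit_{j,t} * W[j][t] with c*_j = sum_t bit_{j,t} 2^t, so <s, c> ~ <s*, c*>
    c = [0] * (N + 1)
    for j, cj in enumerate(c_star):
        for t in range(LOGQ):
            if (cj >> t) & 1:
                c = add(c, W[j][t])
    return c

def demo(b1, b2):
    # returns (b1 XOR b2, b1 AND b2 decrypted under s*, b1 AND b2 after switching back to s)
    s = keygen()
    s_star, c1, c2 = tensor_key(s), encrypt(s, b1), encrypt(s, b2)
    c_prod = tensor_mul(c1, c2)                                # dimension (N+1)^2 = 25
    c_back = key_switch(switch_key_gadget(s, s_star), c_prod)  # back to dimension N+1
    return decrypt(s, add(c1, c2))[0], decrypt(s_star, c_prod)[0], decrypt(s, c_back)[0]
```

With these parameters the noise after one multiplication plus key switching stays below about 900, far under q/4 = 16384, so every decryption in `demo` is correct.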

  15. Error doubles on addition, grows by a $\mathrm{poly}(n)$ factor on multiplication (e.g., an $n^2$ factor). When computing a depth-$d$ circuit we have $|\text{output-error}| \le |\text{input-error}| \cdot n^{2d}$. Setting parameters: start from $|\text{input-error}| \le n^d$ (say); set $q > 4 n^d \cdot n^{2d} = 4 n^{3d}$; set the dimension large enough to get security. Then $|\text{output-error}| < q/4$, so no decryption errors.

  16. So far, circuits of pre-determined depth. [Figure: a circuit $C$ with inputs $x_1, x_2, \ldots, x_t$ and output $C(x_1, x_2, \ldots, x_t)$.]

  17. So far, circuits of pre-determined depth. [Figure: the same circuit $C$ with inputs $x_1, \ldots, x_t$.] Can eval $y = C(x_1, x_2, \ldots, x_n)$ when the $x_i$’s are “fresh”. But $y$ is an “evaluated ciphertext”: it can still be decrypted, but evaluating $C'(y)$ will increase the noise too much.

  18. So far, circuits of pre-determined depth. [Figure: the same circuit $C$ with inputs $x_1, \ldots, x_t$.] Bootstrapping to handle deeper circuits: we have a noisy evaluated ciphertext $y$; want to get another $y$ with less noise.

  19. For ciphertext $c$, consider $D_c(sk) = \mathrm{Dec}_{sk}(c)$. Hope: $D_c(\cdot)$ is a low-depth circuit (on input $sk$). Include in the public key also $\mathrm{Enc}_{pk}(sk)$; requires “circular security”. [Figure: the fresh encryptions of the key bits $sk_1, sk_2, \ldots, sk_n$ are fed into $D_c$ homomorphically, producing a new ciphertext $c'$ that encrypts $D_c(sk) = \mathrm{Dec}_{sk}(c) = y$.] Homomorphic computation is applied only to the “fresh” encryption of $sk$.

  20. Similarly define $M_{c_1, c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \cdot \mathrm{Dec}_{sk}(c_2)$. [Figure: the fresh encryptions of $sk_1, \ldots, sk_n$ are fed into $M_{c_1, c_2}$ homomorphically, producing $c'$ that encrypts $M_{c_1, c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2) = y_1 \times y_2$.] Homomorphic computation is applied only to the “fresh” encryption of $sk$.

  21. The LWE-based somewhat-homomorphic scheme has a depth-$O(\log qn)$ decryption circuit. To get FHE we need modulus $q \ge 2^{\mathrm{polylog}(k)}$ and dimension $n \ge \Omega(k)$, where $k$ is the security parameter. The ciphertext size is $\Omega(k)$ bits. The key-switching matrix is of size $\Omega(k^3)$ bits $\Rightarrow$ each multiplication takes at least $\Omega(k^3)$ time $\Rightarrow$ $\Omega(k^3)$ slowdown vs. computing in the clear.

  22. Replace $\mathbb{Z}$ by $\mathbb{Z}[X]/F(X)$, where $F$ is a degree-$d$ polynomial with $d = \Theta(k)$. Can get security with lower dimension $n = \Theta(k/d)$, as low as $n = 2$. The ciphertext size is still $\Omega(k)$ bits, but the key-switching matrix size is only $\Theta(k)$ bits: it includes $n^2 \times n = 8$ ring elements $\Rightarrow$ $\Theta(k)$ slowdown vs. computing in the clear.

  23. Cannot reduce ciphertext size below $\Theta(k)$, but we can pack more bits in each ciphertext. Recall decryption: $ptxt \leftarrow \mathrm{MSB}(\langle \mathbf{s}, \mathbf{c} \rangle \bmod q)$; $ptxt$ is a polynomial in $R_2 = \mathbb{Z}[X]/(F(X), 2)$. Use cyclotomic rings, $F(X) = \Phi_m(X)$. Use CRT in $R_2$ to pack many bits inside one plaintext. The cryptosystem remains unchanged; what is added is the encoding/decoding of bits inside plaintext polys.

  24. $\Phi_m(X)$ is irreducible over $\mathbb{Z}$, but not mod 2: $\Phi_m(X) \equiv \prod_{j=1}^{\ell} F_j(X) \pmod 2$. The $F_j$’s are irreducible and all have the same degree $d$; the degree $d$ is the order of 2 in $\mathbb{Z}_m^*$. For some $m$’s we can get $\ell = \varphi(m)/d = \Omega(m / \log m)$. $R_2 = \mathbb{Z}_2[X]/\Phi_m$ is a direct sum, $R_2 = \bigoplus_j R_{2,j}$, with $R_{2,j} = \mathbb{Z}_2[X]/F_j(X) \cong GF(2^d)$. 1-1 mapping $a \in R_2 \leftrightarrow (\alpha_1, \ldots, \alpha_\ell) \in GF(2^d)^\ell$.

  25. Plaintext $a \in R_2$ encodes $\ell$ values $\alpha_j \in GF(2^d)$. To embed plaintext bits, use $\alpha_j \in GF(2) \subset GF(2^d)$. Ops $+$, $\times$ in $R_2$ work independently on the slots. $\ell$-ADD: $a + a' \cong (\alpha_1 + \alpha_1', \ldots, \alpha_\ell + \alpha_\ell')$. $\ell$-MUL: $a \times a' \cong (\alpha_1 \times \alpha_1', \ldots, \alpha_\ell \times \alpha_\ell')$. If $\ell = \Omega(k)$ then our $\Theta(k)$-bit ciphertext can hold $\Omega(k)$ plaintext bits. Ciphertext-expansion ratio only $\mathrm{polylog}(k)$.

  26. Slot-wise masking: $(x_1, x_2, x_3, x_4, x_5, x_6, x_7) \times (1, 0, 0, 1, 0, 1, 0) = (x_1, 0, 0, x_4, 0, x_6, 0)$ and $(x_8, x_9, x_{10}, x_{11}, x_{12}, x_{13}, x_{14}) \times (0, 1, 1, 0, 1, 0, 1) = (0, x_9, x_{10}, 0, x_{12}, 0, x_{14})$; adding the two gives $(x_1, x_9, x_{10}, x_4, x_{12}, x_6, x_{14})$. We will use this later.
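Slides 23 to 26 in miniature, as an added Python example that is not from the talk: the ring $R_2 = GF(2)[X]/\Phi_m(X)$ for the constructed choice $m = 7$, where $\Phi_7$ factors mod 2 into two cubics (so $d = 3$ and $\ell = 2$ slots, each a copy of $GF(2^3)$), with CRT encoding and decoding of slot values, the slot-wise $\ell$-ADD and $\ell$-MUL, and the masking trick of slide 26.

```python
# Polynomials over GF(2) are ints, bit i being the coefficient of X^i. m = 7 is a
# constructed toy choice (the talk uses much larger m): the order of 2 mod 7 is 3,
# so Phi_7 splits mod 2 into phi(7)/3 = 2 irreducible cubics, giving 2 slots of GF(2^3).
PHI_7 = 0b1111111                   # Phi_7(X) = X^6 + X^5 + X^4 + X^3 + X^2 + X + 1
FACTORS = [0b1011, 0b1101]          # Phi_7 = (X^3 + X + 1)(X^3 + X^2 + 1)  (mod 2)

def pmul(a, b):                     # carry-less product in GF(2)[X]
    r = 0
    while b:
        if b & 1:
            r ^= a
        a, b = a << 1, b >> 1
    return r

def pdivmod(a, b):                  # long division in GF(2)[X]: returns (quotient, remainder)
    q, db = 0, b.bit_length()
    while a.bit_length() >= db:
        shift = a.bit_length() - db
        q ^= 1 << shift
        a ^= b << shift
    return q, a

def pinv(a, mod):                   # a^{-1} mod `mod` via extended Euclid (gcd assumed to be 1)
    r0, r1, t0, t1 = mod, a, 0, 1
    while r1:
        q, r = pdivmod(r0, r1)
        r0, r1, t0, t1 = r1, r, t1, t0 ^ pmul(q, t1)
    return pdivmod(t0, mod)[1]

def decode(a):                      # a in R_2 -> (alpha_1, alpha_2) with alpha_j = a mod F_j
    return [pdivmod(a, f)[1] for f in FACTORS]

def encode(alphas):                 # CRT: the unique a in R_2 with a = alpha_j (mod F_j) for all j
    a = 0
    for alpha, f in zip(alphas, FACTORS):
        m_j = pdivmod(PHI_7, f)[0]  # Phi_7 / F_j vanishes in every slot except slot j
        a ^= pmul(pmul(alpha, m_j), pinv(pdivmod(m_j, f)[1], f))
    return pdivmod(a, PHI_7)[1]

def ring_add(a, b):                 # l-ADD: addition in R_2 acts slot-wise in GF(2^3)
    return a ^ b

def ring_mul(a, b):                 # l-MUL: multiplication in R_2 acts slot-wise in GF(2^3)
    return pdivmod(pmul(a, b), PHI_7)[1]

def select_merge(a, b, mask):
    # the masking trick of slide 26: a's slots where mask is 1, b's slots where mask is 0
    return ring_add(ring_mul(a, encode(mask)), ring_mul(b, encode([1 - x for x in mask])))
```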

  27. SIMD = Single Instruction Multiple Data: computing the same function on $\ell$ inputs at the price of one computation, overhead only $\mathrm{polylog}(k)$. Pack the inputs into the slots (bit-slice: inputs to the $j$’th instance go in the $j$’th slots); compute the function once; after decryption, decode the $\ell$ output bits from the output plaintext polynomial.

  28. To reduce overhead for a single computation: pack all input bits in just a few ciphertexts, and compute while keeping everything packed. How to do this? (August 15, 2013)

  29. [Figure: a layered circuit of $+$ and $\times$ gates (with some constant-1 inputs) over the input bits $x_1, \ldots, x_{26}$ (indices 6, 13 and 20 are not used).]

  30. [Figure: the same circuit, with the input bits rearranged for packing in the order $x_1, \ldots, x_5, x_7, \ldots, x_{12}, x_{14}, x_{22}, \ldots, x_{26}, x_{15}, \ldots, x_{19}, x_{21}$.]
