Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts


SLIDE 1

Towards Stream Ciphers for Efficient FHE with Low-Noise Ciphertexts

Pierrick MÉAUX
École normale supérieure, CNRS, INRIA, PSL

Joint work with: Anthony JOURNAULT, François-Xavier STANDAERT, and Claude CARLET

Eurocrypt 2016, Vienna, Austria, Monday May 9

SLIDE 5

Outsourcing Computation

Alice: limited storage, limited power
Claude: huge storage, huge power
Alice → Claude: Store, Compute
Fully Homomorphic Encryption → Privacy

SLIDE 12

FHE Framework

[Diagram, Alice and Claude] m → H.Enc → $C^H(m)$ → H.Eval(f) / Bootstrap → H.Compact → $c^H(f(m))$ → H.Dec → f(m)

SLIDE 13

HE Framework

[Diagram, Alice and Claude] m → H.Enc → $C^H(m)$ → H.Eval(f) / Bootstrap → H.Compact → $c^H(f(m))$ → H.Dec → f(m)

SLIDE 16

SE-HE Hybrid Framework

[Diagram, Alice and Claude] m → S.Enc → $C^S(m)$ → H.Eval(S.Dec) ($C^H(sk^S)$) → H.Eval(f) → H.Compact → $c^H(f(m))$ → H.Dec → f(m)

SLIDE 20

Performance Metric (Intuition)

⋄ Computational Cost ≈ number of multiplications
⋄ Noise Increase ≈ multiplicative depth

[Figure: ciphertext noise]

SLIDE 22

State of the Art

[Diagram: Internal State: Start → Enc → Final CT]

SLIDE 27

State of the Art: Block Ciphers

[Diagram: Start → Round 1 → ... → Round r → Final CT]

→ Constant but High Noise

AES [GHS12, CLT14], ..., LowMC [ARS+15]

SLIDE 32

State of the Art: Stream Ciphers

[Diagram: Start → Time 1 → ... → Time f → Output → ... → Time f+r → Output]

→ Slowly Increasing Noise, Limited Output

Trivium, Kreyvium [CCF+15]

SLIDE 35

Our contributions

⋄ Best of both worlds: Constant and Low noise increase → Filter Permutator
⋄ Take advantage of 3rd generation FHE → FLIPF

SLIDE 40

Filter Permutator Error Increase

[Diagram: Time 0, Time 1, ..., Time r, ..., Time f; F is applied at each time step to produce Output]

→ Constant and Low Noise

SLIDE 41

Filter Permutator Construction

[Diagram components: Key Register K, $P_i$, Filtering Function, Plaintext, Ciphertext, PRNG, Permutation Generator]

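SLIDE 49

FLIPF Construction

Components

◮ PRNG: forward secure PRNG based on AES-128
◮ Permutation Generator: Knuth Shuffle
◮ Filtering function F = (n1, n2, ℓ∆h)

F is the XOR (⊕ ··· ⊕) of the following parts:

$n_1$ variables: $x_1 \oplus \dots \oplus x_{n_1}$

$n_2$ variables: $y_1 y_2 \oplus \dots \oplus y_{\frac{n_2}{2}-1}\, y_{\frac{n_2}{2}}$

ℓ triangles of height h, each of the form: $z_1 \oplus z_2 z_3 \oplus z_4 z_5 z_6 \oplus \dots \oplus \cdots z_{\frac{h(h+1)}{2}}$

Total: $n_1 + n_2 + \ell\,\frac{h(h+1)}{2}$ variables

Instances: FLIP(42, 64, 8∆9), FLIP(82, 112, 8∆16)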
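The construction above as an added Python example (not code from the talk or from the FLIP authors): a PRNG drives a Knuth shuffle of the key register, and F filters the permuted bits into one keystream bit per step. Assumptions: SHA-256 in counter mode stands in for the AES-128 forward secure PRNG, the seed `iv` is public, `n2` counts variables multiplied in consecutive pairs, `nb` is the number of triangles (ℓ on the slide), and all function names are hypothetical.

```python
import hashlib

def prng_words(seed):
    # Stand-in PRNG (SHA-256 counter mode); the slides use a forward secure AES-128 PRNG.
    counter = 0
    while True:
        block = hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
        for i in range(0, 32, 4):
            yield int.from_bytes(block[i:i + 4], "big")

def knuth_shuffle(n, words):
    # Knuth (Fisher-Yates) shuffle; rejection sampling avoids modulo bias.
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        limit = (1 << 32) - (1 << 32) % (i + 1)
        j = next(w for w in words if w < limit) % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm

def num_vars(n1, n2, nb, h):
    return n1 + n2 + nb * h * (h + 1) // 2

def triangle(z, h):
    # z1 ^ z2z3 ^ z4z5z6 ^ ...: one monomial of each degree 1..h.
    out, pos = 0, 0
    for deg in range(1, h + 1):
        out ^= int(all(z[pos:pos + deg]))
        pos += deg
    return out

def filter_f(bits, n1, n2, nb, h):
    # Assumption: n2 counts variables, multiplied in consecutive pairs.
    x, y, z = bits[:n1], bits[n1:n1 + n2], bits[n1 + n2:]
    out = sum(x) & 1
    for i in range(0, n2, 2):
        out ^= y[i] & y[i + 1]
    k = h * (h + 1) // 2
    for t in range(nb):
        out ^= triangle(z[t * k:(t + 1) * k], h)
    return out

def encrypt(key, iv, msg_bits, params):
    # A fresh permutation of the key register per bit; decryption is the same call.
    assert len(key) == num_vars(*params)
    words = prng_words(iv)
    return [m ^ filter_f([key[p] for p in knuth_shuffle(len(key), words)], *params)
            for m in msg_bits]
```
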

SLIDE 50

FLIPF Homomorphic Behavior

3rd generation FHE Ciphertexts (GSW)

$sC = \mu s + e$

SLIDE 51

FLIPF Homomorphic Behavior

3rd generation FHE Noise Growth

$sC = \mu s + e$

C: ciphertext; e: (small) error; s: (small) secret key ≈ eigenvector; µ: plaintext ≈ eigenvalue

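SLIDE 55

FLIPF Homomorphic Behavior

3rd generation FHE Noise Growth

$sC = \mu s + e$

H.Add: $\sum_{i=1}^{k} C_i \rightarrow \sigma_+^2 = \sum_{i=1}^{k} \sigma_i^2$

H.Mul: $\prod_{i=1}^{k} C_i \rightarrow \sigma_\times^2 \approx y\,\sigma^2 k$

[Figure: two ways of multiplying $C_1 \cdots C_k$, one with $\sigma_\times^2 \approx y^{\log k}\sigma^2$, the other with $\sigma_\times^2 \approx y\,\sigma^2 k$]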

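SLIDE 59

FLIPF Homomorphic Behavior

3rd generation FHE Noise Growth: H.Eval(F)

H.Eval(F) ≈ H.Mul

H.Add: $\sum_{i=1}^{k} C_i \rightarrow \sigma_+^2 = \sum_{i=1}^{k} \sigma_i^2$

H.Mul: $\prod_{i=1}^{k} C_i \rightarrow \sigma_\times^2 \approx y\,\sigma^2 k$

1∆h on k variables, $k = \frac{h(h+1)}{2}$:

$C_1 + C_2 C_3 + C_4 C_5 C_6 + \dots + C_{k-h+1} \cdots C_k$

Error of the successive terms: $y\sigma^2 \times 1$, $y\sigma^2 \times 2$, ..., $y\sigma^2 \times h$; total: $y\sigma^2 \times \frac{h(h+1)}{2} = y\sigma^2 k$

H.Eval(1∆h): $y\sigma^2 k$; H.Mul: $\sigma_\times^2 \approx y\,\sigma^2 k$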

SLIDE 63

FLIPF Symmetric Behavior

Cryptanalysis Angle

"good" PRNG + "good" Shuffle ≈ random Permutations; what about F?

Attacks on Filtering Function

◮ Algebraic
◮ Fast Algebraic
◮ Correlation
◮ High Order Correlation
◮ G & D Attack [DLR16]
◮ etc

Standard Criteria

◮ Algebraic Immunity
◮ Fast Algebraic Immunity
◮ Resiliency
◮ Non Linearity

Theorem (Triangular function and Algebraic Immunity)

∀ℓ ∈ ℕ*, ∀k ∈ ℕ*: AI(ℓ∆k) = k

SLIDE 66

Noise Increase Performances

⋄ Tests on Ring-GSW (efficiency)
⋄ Measure noise increase from fresh ciphertext to FLIP ciphertext:
  ⋄ Log of ciphertext error (log σ)
  ⋄ Homomorphic capacity already used (%).

Experimental error growth

| Ring n | Ring ℓ | FLIP | Fresh log σ | Fresh % | H.Mul log σ | H.Mul % | H.Eval(FLIP) log σ | H.Eval(FLIP) % |
|---|---|---|---|---|---|---|---|---|
| 256 | 80 | 42, 128, 8∆9 | 13.07 | 17% | 19.82 | 25% | 24.71 | 31% |
| 512 | 120 | 82, 224, 8∆16 | 14.68 | 12% | 23.27 | 20% | 28.77 | 24% |

→ FLIP evaluation ≈ multiplication
→ Practical SE-HE framework.

SLIDE 68

Performances Comparisons

Error Increase Comparisons

| Algorithm | Reference | Multiplicative Depth |
|---|---|---|
| AES-128 | [GHS12] | 40 |
| SIMON-64/128 | [LN14] | 44 |
| Prince | [DSE+14] | 24 |
| Kreyvium-12 | [CCF+15] | 12 |
| LowMc-128 | [ARS+15] | 12 |
| FLIP(82, 112, 8∆16) | This work | ⌈log 16⌉ = 4 |

Timing Comparisons

| λ | Algorithm | L+7 | Latency (sec) | Throughput (bits/min) |
|---|---|---|---|---|
| 80 | Trivium-13 | 20 | 11379.7 | 516.3 |
| 80 | FLIP(42, 128, 8∆9) | 12 | 17.39 | 2070.16 |
| 128 | Kreyvium-12 | 19 | 4956.0 | 384.4 |
| 128 | LowMC-128 | 20 | 9977.1 | 739.0 |
| 128 | FLIP(82, 224, 8∆16) | 13 | 124.97 | 345.68 |

SLIDE 71

Conclusion and Open Problems

Filter Permutator

⋄ New stream cipher family adapted to FHE
⋄ Security of reduced degree and increased key size construction?
⋄ Impact of design tweaks:
  ⋄ Whitening?
  ⋄ XOR of parallel Filter Permutator?

FLIPF

⋄ Optimal noise increase for 3rd generation FHE
⋄ Efficient FHE framework
⋄ Optimization for 2nd generation FHE?
⋄ Refining security analysis:
  ⋄ Increasing/decreasing parameter sizes?
  ⋄ Boolean functions with fixed weight entries?

Thanks for your attention!