Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Transcription

1 Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015

2 Outsourcing Computation x x f f(x) , web-search, navigation, social networking What if x is private? Search query, location, business information, medical information

3 The Situation Today We promise we wont look at your data. Honest! We want real protection.

4 Outsourcing Computation Privately Learns nothing on x. x Enc(x) f y Dec y = f(x) WANTED Homomorphic Evaluation function: Eval: f, Enc x Enc(f x )

5 Fully Homomorphic Encryption (FHE) sk, pk evk x Enc(x) (x) f Correctness: Dec y y = = f(x) f(x) Input privacy: Enc(x) Enc(0) y = Eval y (f, Enc x ) Fully Homomorphic = Correctness for any efficient f = Correctness for universal set NAND. (+, ) over Z (= binary XOR, AND )

6 PKE FHE : Trivial FHE? - Keygen and Enc: Same as PKE. - Eval f, c (f, c) - Dec (f, c) f(dec (c)) Enc (x) NOT what we were looking for All work is relayed to receiver. = f Dec Enc x = f(x) Compact FHE: Dec time does not depend on ciphertext. ciphertext length is globally bounded. In this talk (and in literature) FHE Compact-FHE

7 Trivial FHE? PKE FHE : - Keygen and Enc: Same as PKE. - Eval f, c (f, c) This scheme also completely reveals f to the receiver. Can be a problem. - Dec (f, c) f(dec (c)) Circuit Privacy: Receiver learns nothing about f (except output). Compactness Circuit Privacy (by complicated reduction) [GHV10] Circuit private FHE is not trivial to achieve even non-compact. In this talk: Only care about compactness, no more circuit privacy.

8 Applications In the cloud: Private outsourcing of computation. Near-optimal private outsourcing of storage (single-server PIR). [G09,BV11b] Verifiable outsourcing (delegation). [GGP11,CKV11,KRR13,KRR14] Private machine learning in the cloud. [GLN12,HW13] Secure multiparty computation: Low-communication multiparty computation. [AJLTVW12,LTV12] More efficient MPC. [BDOZ11,DPSZ12,DKLPSS12] Primitives: Succinct argument systems. [GLR11,DFH11,BCCT11,BC12,BCCT12,BCGT13, ] General functional encryption. [GKPVZ12] Indistinguishability obfuscation for all circuits. [GGHRSW13, ]

9 Verifiable Outsourcing (Delegation) x x f f(x), π What if the server is cheating? Can send wrong value of f(x). Need proof!

10 FHE Verifiable Outsourcing FHE Verifiability and Privacy. 1. Verifiability with preprocessing under standard assumptions: [GGP10, CKV10,KRR13,KRR14]. 2. Less standard assumptions but without preprocessing via SNARGs/SNARKs [DCL08,BCCT11, ] (uses FHE or PIR). Pre-FHE solutions: multiple rounds [K92] or random oracles [M94].

11 FHE Verifiable Outsourcing But preprocessing is [CKV10] as x sk, pk Preprocessing: c = Enc(0) z = Eval(f, c ) c = Enc x, c hard as computation! evk f Verification: y, y Check y = z? Yes output Dec(y ) No output Server executes y = Eval(f, c) Idea: Cut and choose c, c look the same cheating server will be caught w.p. ½ (easily amplifiable)

12 FHE Verifiable Outsourcing [CKV10] x sk, pk Preprocessing: c = Enc(0) z = Eval(f, c ) (evk, Enc c ), (evk, Enc c ) evk f Verification: y, y Check Dec (y ) = z? Yes output Dec (Dec y ) No output Server executes y = Eval (Eval f,, c ) y = Eval (Eval f,, c ) Idea: Outer layer keeps server oblivious of z. Can recycle z for future computations. Server is not allowed to know if we accept/reject!

13 FHE Timeline Basic scheme: Ideal cosets in polynomial rings. Bounded-depth homomorphism. - Assumption: hardness 30 years of (quantum) of hardly apx. scratching short vector in ideal lattice. the surface: Bootstrapping: bounded-depth HE full HE. Only-addition [RSA78, R79, GM82, But bootstrapping doesn t G84, P99, apply R05]. to basic scheme... Addition + 1 multiplication [BGN05, GHV10]. Other variants [SYY99, IP07, MGH10]. - Need additional assumption: hardness of sparse subset-sum. is it even possible?

14 The FHE Challenge Make it simpler. Simplified basic scheme [vdghv10,bv11a] - Under similar assumptions. Make it more secure.? Make it practical. Optimizations [SV10,SS10,GH10]

15 FHE without Ideals [BV11b] Linear algebra instead of polynomial rings Assumption: Apx. short vector in arbitrary lattices (via LWE). Shortest-vector Problem (SVP): Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10]

16 FHE without Ideals [BV11b] Linear algebra instead of polynomial rings Assumption: Apx. short vector in arbitrary lattices (via LWE). Basic scheme: noisy linear equations over Z. Ciphertext is a linear function c(x) s.t. c sk m. Add/multiply functions for homomorphism. Multiplication raises degree use relinearization. Bootstrapping: Use dimension-modulus reduction to shrink ciphertexts. Simpler: straightforward presentation. More secure: based on a standard assumption. Efficiency improvements. Concurrently [GH11]: Ideal lattice based scheme without squashing.

17 Follow-ups: FHE without Ideals [BGV12]: Improved parameters. Even better security. Improved efficiency in ring setting using batching. Batching without ideals in [BGH13]. [B12]: Improved security. Security based on classical lattice assumptions. Explained in blog post [BB12]. Various optimizations, applications and implementations: [LNV11, GHS12a, GHS12b, GHS12c, GHPS12, AJLTVW12, LTV12, DSPZ12, FV12, GLN12, BGHWW12,HW13 ]

18 The Approximate Eigenvector Method [GSW13] Ciphertexts = Matrix Same assumption and keys as before ciphertexts are different Basic scheme: Approximate eigenvector over Z. Ciphertext is a matrix C s.t. C sk m sk. Add/multiply matrices for homomorphism*. Bootstrapping: Same as previous schemes. Simpler: straightforward presentation. New and exciting applications for free! IB-FHE, AB-FHE. Same security as [BGV12, B12]. Unclear about efficiency: some advantages, some drawbacks.

19 Sequentialization [BV14] What is the best way to evaluate a product of k numbers? Parallel Sequential X X X X vs. c 1 c 2 X X c 1 c 2 c 3 c 4 Conventional wisdom c 3 c 4 Actually better (if done right)

20 Sequentialization [BV14] Barrington s Theorem [B86]: Every depth d computation can be transformed into a width-5 depth 4 branching program. A sequential model of computation Better security breaks barrier of [BGV12, B12,GSW13]. Using dimension-modulus reduction (from [BV11b]) same hardness assumption as non homomorphic encryption. Short ciphertexts.

21 FHE Over the Integers [DGHV09,CMNT11,CNT12,CCKLLTY13,CLT14] Parallel line of work: Similar construction using different assumptions. Approximate GCD Problem: Ciphertexts = Number similar to 1D lattice Basic operations more straightforward Analogues for batching, scale invariance. Noise control more complicated. Assumption less standard. details will not be discussed in this course

22 Implementations HElib (IBM/NYU) Ring-LWE (ideal-lattice) scheme of [BGV12], optimizations of [GHS12a] Most recent results [HS14a,HS14b] hcrypt project FHE over the integers [DGHV09] Stanford FHE LWE scheme of [B12] with optimizations Unpublished code Ring-LWE implementation of [GHS12b]. Over the integers implementation of [CCKLLTY13].

23 Efficiency Standard benchmark: AES128 circuit Implementations of [BGV12] by [GHS12c] 5 sec/input Limiting factors: Circuit representation. Bootstrapping. Key size. 2-years ago it was 5 min/input, and in 2010 it was 5 min/gate [GH10] To be practical, we need to improve the theory.

24 Hybrid FHE sk, pk evk x Enc (x) y = Eval (f, Enc x ) f Dec y = f(x) In known FHE encryption is slow and ciphertexts are long. In symmetric encryption (e.g. AES) these are better. Best of both worlds?

25 Generate FHE keys and symmetric Give encryption key. of Hybrid sym to FHE server. sym Enc (sym) sk, pk evk Encrypt x using sym. x c=enc (x) f y = y Eval = Eval (f, (f, Enc y ) x ) Dec y = f(x) Easy to encrypt, ciphertext is short But how to do Eval? Define: h z = SYM_Dec (c) Server Computes: y = Eval (h, Enc (sym)) y = Enc h sym = Enc SYM_Dec c = Enc (x)

26 Approximate Eigenvector Method [GSW13] Observation: Let C, C be matrices with the same eigenvector s, and let m, m be their respective eigenvalues w.r.t s. Then: 1. C + C has eigenvalue (m +m ) w.r.t s. 2. C C (and also C C ) has eigenvalue m m w.r.t s. Idea: s = secret key, C = ciphertext, and m = message. Homomorphism for addition and multiplication. Full homomorphism! Insecure! Eigenvectors are easy to find. What about approximate eigenvectors? Say over Z

27 Approximate Eigenvector Method [GSW13] C s = m s + e m s How to decrypt? Must have restriction on e Suppose s[1] = q/2, and m {0,1} (C s)[1] = m + e[1] Find m by rounding Condition for correct decryption: e < q/4.

28 Approximate Eigenvector Method [GSW13] C s = m s + e e q C s = m s + e e q Goal: C, C C = Enc(m + m ), C = Enc(m m ). C = C + C : (C +C ) s = C s + C s = m s + e + m s + e = (m +m ) s + ( e + e ) Noise grows a little e

29 Approximate Eigenvector Method [GSW13] C s = m s + e C s = m s + e e q e q Goal: C, C C = Enc(m + m ), C = Enc(m m ). C = C C : Can also use C C (C C ) s = C m s + e = m C s + C e = m m s + e + C e Noise grows. But by how much? = m m s + m e + C e e

30 Plan for Technical Part 1. Constructing approximate eigenvector scheme. 2. Sequentialization. 3. Bootstrapping. 4. Open problems and limits on FHE.

31 Learning with Errors (LWE) [R05] Random noisy linear equations uniform secret vector Z Z A s + η = b A b U LWE assumption uniform matrix Z small noise Z η αq stat. far from uniform! As hard as n/α -apx. short vector in worst case n-dim. lattices [R05, P09]

32 Learning with Errors (LWE) [R05] (Rearranging Notation) secret vector Z Z new secret vector s Z A s + η = b -A b s 1 = η uniform matrix Z small noise Z η αq new matrix A Z ( )

33 Learning with Errors (LWE) [R05] (Rearranging Notation) A s = η Indistinguishable from uniform matrix Z ( )

34 Encryption Scheme from LWE [R05,ACPS09] public key A s = η r 0,1 uniform A Looks jointly uniform c secret key s = r η + g s small noise Generalize to matrices! + g c = approximation of g s (without knowing s) [ACPS09]

35 Encryption Scheme from LWE [R05,ACPS09] public key A s = η R 0,1 uniform A secret key + G C s = Rη + Gs = e small noise Z ( ) C =

36 Approx. Eigenvector Encryption Goal: Encrypt message m {0,1} Idea: Enc m As we saw: = C C s = e + mi s = m s + e C C s = C e + m s = C e + m C s = C e + m e + m m s HUGE noise small noise desired output Need to reduce the norm of C Solution: binary decomposition

37 C = Binary Decomposition Break each entry in C to its binary representation (mod 8) bits C = Small entries like we wanted! But product with s now meaningless (mod 8) Consider the reverse operation: C s = bits(c) G s = bits(c) s 1 0 bits C = C 0 4 s = G s 0 2 powers of 2 vector 0 1 Contains q/2 as an element G

38 Approx. Eigenvector Encryption Enc m = C Z ( ) ( ) C = G bits C C C s = e + m G s. C = bits C C = bits(c )) C C s s = bits(c ) e + m G s = bits (C ) e + m bits(c ) G s = bits (C ) e + m C s = bits (C ) e + m e + m m G s small-ish small desired output e N e + m e N + 1 max{ e, e } N

39 Homomorphic Circuit Evaluation Noise grows during homomorphic evaluation Depth d e e N + 1 Mαq N αq Decryption succeeds if α 1/N. e (N + 1) e e e Mαq

40 Full Homomorphism α N d log 1/α Undesirable: 1. If depth upper-bound is known ahead of time. Huge parameters. Set N d ; α = 2 log 1/α = d Low security. Inflexible. Leveled FHE: Parameters (evk) grow with d. 2. Single scheme for any poly depth. Bootstrap!

41 The Bootstrapping Theorem (Proof to come) Homomorphic fully homomorphic when d < d d = depth of the decryption circuit. d = maximal homomorphic depth. Additional condition, to be discussed. In our scheme: d = log N FHE if α < N Quasi-polynomial approximation for short vector problems (same factor as [BGV12,B12]) Non-homomorphic schemes only need N approximation

42 A Taste of Sequentialization [BV13] e = bits (C ) e + m e Important observations: Asymmetric! 1. e gets multiplied by 0/1 ; e can get multiplied by N. 2. m = 0 e has no effect! Conclusion: The order of multiplication matters. Want to multiply C, C s.t. e e. Which is better: bits C C or bits C C?

43 e A Taste of Sequentialization [BV14] e = bits (C ) e + m e Task: Multiply 4 ciphertexts C,, C Multiplication Tree Sequential Multiplier e = E N + 1 X X e = E (N + 1) X X = E c 1 c 2 c 3 c 4 c 1 E c 2 e X Winner! E (3N + 1) E E (2N + 1) E (N + 1) X = E c 3 c 4

44 A Taste of Sequentialization [BV14] e = bits (C ) e + m e Multiplexer (MUX): m m + 1 m m E + 2E Additive noise increase! E N + m E X + E N + (1 m )E X c 1 c 2 1-c 1 c 3 E E E E

45 Bootstrapping Homomorphic fully homomorphic when d < d d = depth of the decryption circuit. d = maximal homomorphic depth.

46 Bootstrapping Given scheme with bounded d How to extend its homomorphic capability? Idea: Do a few operations, then switch to a new instance (pk, sk ) Switch keys cost in homomorphism (pk, sk ) (pk, sk )

47 How to Switch Keys We have seen this before! Hybrid FHE

48 sym sk, pk Hybrid FHE Enc (sym) evk x c=enc (x) y = Eval (f, y ) f Dec y = f(x) Define: h z = SYM_Dec (c) Server Computes: y = Eval (h, Enc (sym)) y = Enc h sym = Enc SYM_Dec c = Enc (x)

49 How to Switch Keys Decryption circuit: m Dual view: m Dec ( ) c Dec (c) h sk h sk = Dec c = m Key switching procedure sk, pk sk, pk : Input: c = Enc (m) Server aux info: aux = Enc (sk ) (ahead of time) Output: Eval (h, aux) Eval depth = d Eval h, aux = Eval h, Enc sk = Enc h sk = Enc Dec c = Enc (m)

50 Bootstrapping Given scheme with bounded d. How to extend its homomorphic capability? Idea: Do a few operations, then switch to a new instance (pk, sk ) Need to generate many keys Switch keys cost of d hom. operations (pk, sk ) (pk, sk ) Conclusion: Bootstrapping if d d + 1

51 Bootstrapping Given scheme with bounded d. How to extend its homomorphic capability? Idea: Do a few operations, then switch to a new instance Server aux info: aux = Enc (sk ) (pk, sk ) Switch from the key to itself! Key switching works (pk, sk ) (pk, sk )

52 Circular Security Is it secure to publish aux = Enc (sk) Intuitively: Yes, encryption hides the message. Formally: Security does not extend. What can we do about it? Option 1: Assume it s secure no attack is known. Option 2: Use a sequence of keys. No. of keys proportional to computation depth (leveled FHE). Short keys without circular assumption? [BV11a]: Circular secure somewhat homomorphic scheme.

53 What We Saw Today Definition of FHE. Applications. Historical perspective and background. Constructing HE using the approximate eigenvector method. Sequentialization. Bootstrapping. Limits on HE.

54 Open Problems Short keys without circular security. FHE from different assumptions. CCA1 secure FHE. Bounded malleability. Improved efficiency.

55 Thank You