Gentry's Fully Homomorphic Encryption Scheme


Under Guidance of Prof. Manindra Agrawal

Rishabh Gupta (rishabh@cse.iitk.ac.in)
Sanjari Srivastava (sanjari@cse.iitk.ac.in)

Abstract

This report presents a description and analysis of the fully homomorphic scheme proposed by Craig Gentry in his Ph.D. thesis, Fully Homomorphic Encryption Using Ideal Lattices [1]. We hope that others can find it useful if they want an introduction to Gentry's first FHE scheme.

I. INTRODUCTION

Craig Gentry proposed the first solution to the open problem of generating a fully homomorphic encryption. The aim is to create a scheme $\varepsilon$ with a function $\mathrm{Evaluate}_\varepsilon$ which, for a circuit $C$, a key pair $(pk, sk)$ and an $m$-tuple of valid ciphertexts $(\psi_1, \ldots, \psi_m)$ where $\psi_i \leftarrow \mathrm{Encrypt}_\varepsilon(pk, \pi_i)$, satisfies

$$\mathrm{Decrypt}_\varepsilon(sk, \mathrm{Evaluate}_\varepsilon(pk, C, \psi_1, \ldots, \psi_m)) = C(\pi_1, \ldots, \pi_m)$$

Basically, $\mathrm{Evaluate}_\varepsilon$ allows us to compute a circuit $C$ directly on ciphertexts and returns the encryption of what would have been the output had we applied $C$ to the corresponding plaintexts. This is useful when we want, say, a server to perform an operation on encrypted data without giving it the secret key.

Let $\mathrm{Evaluate}_\varepsilon$ satisfy the above property for all $C$ belonging to a set of circuits $C_\varepsilon$. Scheme $\varepsilon$ is said to be fully homomorphic when $C_\varepsilon$ contains all possible circuits. Basic RSA is only a multiplicatively homomorphic scheme. Clearly, the first step to building a fully homomorphic scheme is that it should be homomorphic with respect to both addition and multiplication at least. How to then make it work for all possible circuits $C$ is what the following theorem shows.

II. BOOTSTRAPPABILITY THEOREM

A fully homomorphic scheme is problematic to generate for the following reason. Say we have an encryption scheme that is homomorphic over addition and multiplication. Since any circuit would be composed of only these two types of gates, this would have been enough for full homomorphism.
But let us assume the ciphertext associated with $\mathrm{Encrypt}_\varepsilon$ has a small error which gets obliterated during decryption. If we apply $\mathrm{Evaluate}_\varepsilon$ on these ciphertexts, the associated error gets larger. For a $d$-level circuit, the error might get so large that applying $\mathrm{Decrypt}_\varepsilon$ results in a decryption error.

As the implicit error becomes large during evaluation, we would like to refresh the ciphertext, so that it encrypts the same thing but the error gets reduced. Decrypting the ciphertext using the secret key and encrypting it again using another public key is a way of refreshing. Doing this decryption homomorphically, without providing the secret key explicitly, is the idea behind bootstrapping.

By including $\mathrm{Decrypt}_\varepsilon$ (written $D_\varepsilon$) in $C_\varepsilon$, we would be able to achieve the following. For keys $(pk_1, sk_1)$, another public key $pk_2$ and plaintext $\pi$, encrypt the bits of the secret key itself, and do:

$\psi_1 \leftarrow \mathrm{Encrypt}_\varepsilon(pk_1, \pi)$
$\overline{sk_1} \leftarrow \mathrm{Encrypt}_\varepsilon(pk_2, sk_1)$
$\overline{\psi_1} \leftarrow \mathrm{Encrypt}_\varepsilon(pk_2, \psi_1)$
Output $\psi_2 \leftarrow \mathrm{Evaluate}_\varepsilon(pk_2, D_\varepsilon, (\overline{sk_1}, \overline{\psi_1}))$

In other words, we obtain a new refreshed ciphertext that encrypts the same $\pi$ but under $pk_2$ instead of $pk_1$. This is a motivation to begin by ensuring that $D_\varepsilon$ belongs to $C_\varepsilon$ to make $\varepsilon$ fully homomorphic.

But we want to perform operations and not just refresh the encryptions of the same plaintext. If we can also evaluate a NAND augmentation of the decryption circuit ($D_\varepsilon$ NAND $D_\varepsilon$), then we can generate an encryption of ($\pi_1$ NAND $\pi_2$) under $pk_2$ using a similar method as above, and keep doing this recursively for all $d$-depth circuits (explained in detail ahead).

[Note: For any gate $g$, a $g$-augmented decryption circuit will refer to two copies of $D_\varepsilon$ joined by gate $g$.]

A. Definitions

Definition 1 (Leveled Fully Homomorphic Encryption): A family of schemes $\{\varepsilon^{(d)} : d \in \mathbb{Z}^+\}$ is leveled fully homomorphic if they all use the same decryption circuit and $\varepsilon^{(d)}$ is homomorphic for all circuits of depth at most $d$ (consisting of NAND gates). [1]

Definition 2 (Bootstrappability): Let $C_\varepsilon$ be the set of circuits $\mathrm{Evaluate}_\varepsilon$ can work on. If $C_\varepsilon$ contains just two circuits, $D_\varepsilon$ and NAND-augmented $D_\varepsilon$ (i.e., a NAND gate connecting two copies of $D_\varepsilon$), where $D_\varepsilon$ is the circuit associated to the decryption algorithm, $\varepsilon$ is said to be bootstrappable. [1]

Theorem 1: A leveled fully homomorphic encryption can be constructed from a bootstrappable encryption.

Fig. 1: (a) $m_1$, $m_2$ are initially encrypted under $pk_A$ in the input (figuratively, put inside a pink box). Running Evaluate on the input further encrypted under $pk_B$ (figuratively, put in a blue box) generates a fresh ciphertext of $m_1$ NAND $m_2$ under key $pk_B$. The circuit Decrypt-NAND-Decrypt itself would have taken $(sk_A, \mathrm{Encrypt}(m_1, pk_A))$ and $(sk_A, \mathrm{Encrypt}(m_2, pk_A))$ as input and returned $m_1$ NAND $m_2$. (b) Recursively running Evaluate on the circuit ($m_1$ NAND $m_2$) NAND ($m_3$ NAND $m_4$). Source: Lecture slides, 5359-aut13, Ten H. Lai, Ohio State University, Columbus [7]

B. Bootstrappable Encryption

Let $\Sigma = (\mathrm{KeyGen}, \mathrm{Encrypt}, \mathrm{Decrypt}, \mathrm{Evaluate})$ be an encryption scheme. Let $\tau$ be a set of gates including the identity gate, with input/output in plaintext space $\mathcal{P}$, and let $D_\Sigma(\tau)$ be the set of $g$-augmented Decrypt circuits, $g \in \tau$. $\Sigma$ is said to be bootstrappable with respect to $\tau$ if $D_\Sigma(\tau) \subseteq C_\Sigma$.

Given a $\Sigma$ bootstrappable w.r.t. a set of gates $\tau$, we construct $\Sigma^{(d)} = (\mathrm{KeyGen}^{(d)}, \mathrm{Encrypt}^{(d)}, \mathrm{Decrypt}^{(d)}, \mathrm{Evaluate}^{(d)})$, where $\Sigma^{(d)}$ will be homomorphic for circuits of depth $d$.

1) $\mathrm{KeyGen}^{(d)}(\lambda, d)$: Takes as input the security parameter $\lambda$ and an integer $d$. Generate $d+1$ key pairs using KeyGen,

$(pk_i, sk_i) \leftarrow \mathrm{KeyGen}(\lambda)$ for $i \in \{0..d\}$

If $sk_i$ is represented as a sequence of plaintext elements, $sk_i = (sk_{i1}, \ldots, sk_{il})$,

$\overline{sk_{ij}} \leftarrow \mathrm{Encrypt}(pk_{i-1}, sk_{ij})$ for $i \in \{1..d\}$, $j \in \{1..l\}$

Output secret key $sk^{(d)} \leftarrow sk_0$ and public key $pk^{(d)} \leftarrow \{\langle pk_i \rangle_{0 \le i \le d}, \langle \overline{sk_{ij}} \rangle_{1 \le i \le d}\}$. For $pk^{(\delta)}$ or $sk^{(\delta)}$, $\delta \le d$, the range of $i$ becomes $0 \le i \le \delta$.

2) $\mathrm{Encrypt}^{(d)}(pk^{(d)}, \pi)$: Takes as input $pk^{(d)}$ and $\pi \in \mathcal{P}$. Output ciphertext $\psi \leftarrow \mathrm{Encrypt}(pk_d, \pi)$.

3) $\mathrm{Decrypt}^{(d)}(sk^{(d)}, \psi)$: $\psi$ must be an output of $\mathrm{Evaluate}^{(d)}$ (which only returns ciphertexts encrypted under $pk_0$). Output $\pi \leftarrow \mathrm{Decrypt}(sk_0, \psi)$.

4) $\mathrm{Evaluate}^{(\delta)}(pk^{(\delta)}, C_\delta, \Psi_\delta)$: This is a recursive procedure and the first call will be $\mathrm{Evaluate}^{(d)}(pk^{(d)}, C_d, \Psi_d)$. $C_\delta$ is a circuit with gates in $\tau$ and depth $\delta$. Any circuit of depth less than $\delta$ can be extended to depth $\delta$ by adding identity gates. $\Psi_\delta$ is a sequence of ciphertext inputs to $C_\delta$ which are encrypted under $pk_\delta$.

Base Case: For $\delta = 0$, return $\Psi_0$ (this is why the input to $\mathrm{Decrypt}^{(\delta)}$ was encrypted under $pk_0$).

Else, $\mathrm{Evaluate}^{(\delta)}$ consists of two steps:

Augment: Let's call the input-receiving layer of $C_\delta$ layer $\delta$; accordingly, there are layers down to layer number 1. Augment decryption circuits $D_\varepsilon$ to the gates of level $\delta$. Let's call this modified circuit $C^{+}_{\delta-1}$. Input to $C^{+}_{\delta-1}$: replace each input $\psi \in \Psi_\delta$ by $(\overline{sk_{\delta j}}, \overline{\psi_j})$ (subscript $j$ denotes bit-wise encryption), where $\overline{\psi_j} \leftarrow \mathrm{Encrypt}^{(\delta-1)}(pk^{(\delta-1)}, \psi_j)$. Note that this input is now encrypted under $pk_{\delta-1}$.

Reduce: To every sub-circuit $C$ giving output on a wire $W$ between level $\delta$ and $\delta-1$ of $C^{+}_{\delta-1}$ ($C$: a level-$\delta$ gate augmented with $D_\varepsilon$ circuits), apply $\mathrm{Evaluate}(pk_{\delta-1}, C, \psi)$, where $\psi$ is the input to $C$, and replace $C$ with the output of Evaluate. These steps reduce $C_\delta$ to $C_{\delta-1}$. The new input to $C_{\delta-1}$ is encrypted under $pk_{\delta-1}$. Recursively, call $\mathrm{Evaluate}^{(\delta-1)}(pk^{(\delta-1)}, C_{\delta-1}, \Psi_{\delta-1})$. (See Figure 2.)

Fig. 2: $\mathrm{Evaluate}^{(\delta)}(pk^{(\delta)}, C_\delta, \Psi_\delta)$.

C. Correctness

Since NAND is a universal gate, let us assume all the gates in circuit $C_\delta$ are NAND gates. For the correctness of Theorem 1, it is enough to look at what happens at a particular NAND gate at level $\delta$ in $C_\delta$. Say the input to this NAND would have been $\pi_1$ and $\pi_2$. The output of this gate would have been ($\pi_1$ NAND $\pi_2$). But we have with us ciphertexts $\psi_{1\delta}$ and $\psi_{2\delta}$, which are encryptions of $\pi_1$ and $\pi_2$ under $pk_\delta$ respectively. After the augmentation step, this subcircuit becomes ($D_\varepsilon$ NAND $D_\varepsilon$). The inputs $(sk_\delta, \psi_{1\delta})$ and $(sk_\delta, \psi_{2\delta})$ to this modified subcircuit would still have given the desired output $\pi_1$ NAND $\pi_2$. But since we want to execute the modified subcircuit under Evaluate, we encrypt $(sk_\delta, \psi_{1\delta})$ and $(sk_\delta, \psi_{2\delta})$ under $pk_{\delta-1}$ and receive as output of the sub-circuit $\pi_1$ NAND $\pi_2$ encrypted under $pk_{\delta-1}$. In this way, bootstrappability ensures that Evaluate works for the modified subcircuit. (See Figure 1(a).)

III. GGH ENCRYPTION SCHEME

We discuss the lattice-based cryptosystem proposed by Goldreich-Goldwasser-Halevi [2] on which Gentry's scheme was based.

For an $n$-dimensional lattice $L$ and its basis $B = (b_1, b_2, \ldots, b_n)$, say we obtain $B^* = (b_1^*, b_2^*, \ldots, b_n^*)$ after applying Gram-Schmidt orthogonalization [5] to $B$. We define [3]

$$\rho_B = \tfrac{1}{2} \min_i \|b_i^*\|$$

A good basis is fat, with a large $\rho$, while a bad basis is skewed, with a small $\rho$. We choose two bases of the lattice, $B_{pk}$ (bad) and $B_{sk}$ (good), as the public and secret key respectively, with the property that $\rho_{pk}$ is much smaller than $\rho_{sk}$. $\rho$ will be large for nearly orthogonal bases.

A. Encryption Scheme

1) KeyGen($L$): For lattice $L$, generate a good basis $B_{sk}$. Set $B_{pk} = \mathrm{HNF}(B_{sk})$ [3], where HNF is the Hermite Normal Form of the basis. The Hermite Normal Form gives skewed bases, and it is not possible to retrieve $B_{sk}$ back from $B_{pk}$. [3]

Output $(pk, sk) \leftarrow (B_{pk}, B_{sk})$

2) Encrypt($m$, $B_{pk}$)*: To encrypt message $m$, encode it into a short vector $e$ such that $e \in P(B_{sk})$, where $P(B)$ refers to the centered parallelepiped generated by a lattice basis $B$. (This can be ensured by ensuring that $\|e\| < \rho_{sk}$, as a sphere of radius $\rho_{sk}$ will be the largest sphere inscribed in $P(B_{sk})$.)

Output $c \leftarrow e \bmod B_{pk}$

For any vector $t$,

$$t \bmod B = t - B \lfloor B^{-1} t \rceil$$

where $\lfloor \cdot \rceil$ denotes rounding off to the closest integer.
(*modified by self)

3) Decrypt($c$, $B_{sk}$): To decrypt, do the following and retrieve $m$ back from $e$:

Output $e \leftarrow c \bmod B_{sk}$

B. Correctness

For any vector $t$, $t \bmod B$ can be written as $t + x$ for some $x \in$ lattice $L$, for a basis $B$ of lattice $L$. Therefore we can write ciphertext $c$ as $e + x$ for some $x \in L$, or $c = e + \alpha B_{sk}$ for some integer vector $\alpha$.

$$
\begin{aligned}
c \bmod B_{sk} &= c - \lfloor c B_{sk}^{-1} \rceil B_{sk} \\
&= \alpha B_{sk} + e - \lfloor \alpha B_{sk} B_{sk}^{-1} + e B_{sk}^{-1} \rceil B_{sk} \\
&= \alpha B_{sk} + e - \lfloor \alpha + e B_{sk}^{-1} \rceil B_{sk} \\
&= \alpha B_{sk} + e - \alpha B_{sk} - \lfloor e B_{sk}^{-1} \rceil B_{sk} \\
&= e \bmod B_{sk}
\end{aligned}
$$

Now, since $e \in P(B_{sk})$, $e = \sum_{i=1}^{n} \alpha_i b_i$ for some $\alpha_i \in (-1/2, 1/2)$, where $B_{sk} = (b_1, b_2, \ldots, b_n)$. For all $\alpha_i \in (-1/2, 1/2)$, $\lfloor \alpha_i \rceil = 0$, as 0 will be the closest integer. Therefore,

$$e \bmod B_{sk} = e - \lfloor e B_{sk}^{-1} \rceil B_{sk} = e - 0 = e$$

Hence, the scheme decrypts correctly. $c \bmod B_{pk}$ does not give back $e$ because $\|e\|$ can be greater than $\rho_{pk}$, which is smaller than $\rho_{sk}$; that is, $e$ might lie outside $P(B_{pk})$, and the above argument won't hold then.

IV. ABSTRACT CONSTRUCTION

We now discuss the abstract construction of the encryption scheme. We begin by describing the assumptions taken for the construction as well as the mathematical constructs used for the abstract scheme, which will be defined later while discussing the concrete scheme. Then we give the abstract encryption scheme, and lastly we discuss the correctness of the abstract scheme. A part of this scheme is based on GGH's scheme, which is why GGH's scheme was discussed above.

A. Assumptions and Definitions

We use a ring $R$, a fixed basis $B_I$ of an ideal $I \subset R$, an algorithm $\mathrm{IdealGen}(R, B_I)$ which outputs public and secret bases $B_{pk}$ and $B_{sk}$ of some ideal $J \subset R$, and another algorithm $\mathrm{Samp}(x, B_I, R, B_{sk})$ that samples from the coset $x + I$. We use the notation $R \bmod B_M$ to denote the set of distinguished representatives of $r + M$ over $r \in R$, with respect to the basis $B_M$ of ideal $M$ (effectively, the coset representatives). We also have a circuit $C$ which is a mod-$B_I$ circuit, which means that its gates perform operations modulo $B_I$.

Now we state a few definitions that will be useful when we discuss the correctness of the abstract scheme.

(Generalized Circuit): Let $C$ be a mod-$B_I$ circuit. We form a generalized circuit $g(C)$ by replacing $C$'s $\mathrm{Add}_{B_I}$ and $\mathrm{Mult}_{B_I}$ operations with addition $+$ and multiplication in the ring $R$.

($X_{Enc}$ and $X_{Dec}$): Let $X_{Enc}$ be the image (range) of algorithm Samp. Let $X_{Dec}$ equal $R \bmod B_{sk}$, the distinguished representatives of cosets of $J$ w.r.t. the secret basis $B_{sk}$.

(Permitted Circuits): Let

$$C_\varepsilon = \{C : \forall (x_1, \ldots, x_t) \in X_{Enc}^t,\ g(C)(x_1, \ldots, x_t) \in X_{Dec}\}$$

In other words, $C_\varepsilon$ is the set of permitted circuits for which the generalized circuit, when provided with inputs that belong to $X_{Enc}$, gives an output that lies in $X_{Dec}$.

B. Encryption Scheme

1) KeyGen($R$, $B_I$): We generate 2 bases $B_{sk}$ and $B_{pk}$ using the algorithm $\mathrm{IdealGen}(R, B_I)$.

$(B_{sk}, B_{pk}) \xleftarrow{R} \mathrm{IdealGen}(R, B_I)$
Public key, $pk \leftarrow \{R, B_I, B_{pk}, \mathrm{Samp}\}$
Secret key, $sk \leftarrow B_{sk}$
Output: $(pk, sk)$

2) Encrypt($pk$, $\pi$): The plaintext space $\mathcal{P} \subseteq R \bmod B_I$. The input $\pi \in \mathcal{P}$.

$\psi \leftarrow \mathrm{Samp}(\pi, B_I, R, B_{pk})$
Output $\psi \leftarrow \psi \bmod B_{pk}$

3) Decrypt($sk$, $\psi$): $\psi$ is a ciphertext.

Output $\pi \leftarrow (\psi \bmod B_{sk}) \bmod B_I$

4) Evaluate($pk$, $C$, $\Psi$): Here, circuit $C \in C_\varepsilon$ and $\Psi$ is a set of ciphertexts. For every gate $\mathrm{Add}_{B_I}$ and $\mathrm{Mult}_{B_I}$ in circuit $C$, the operation that Evaluate performs is ring addition modulo $B_{pk}$ (Add) and ring multiplication modulo $B_{pk}$ (Mult) respectively for the set of inputs.

$\mathrm{Add}(\psi_1, \psi_2, B_{pk})$: Output is $\psi_1 + \psi_2 \bmod B_{pk}$
$\mathrm{Mult}(\psi_1, \psi_2, B_{pk})$: Output is $\psi_1 \times \psi_2 \bmod B_{pk}$

Therefore, effectively the output is $g(C)(\Psi) \bmod B_{pk}$.

C. Correctness

Proof: For $\Psi = \{\psi_1, \ldots, \psi_t\}$ where $\psi_k = \pi_k + i_k + j_k$ with $\pi_k \in \mathcal{P}$, $i_k \in I$, $j_k \in J$ and $\pi_k + i_k \in X_{Enc}$, the encryption scheme is correct if

$$\mathrm{Decrypt}(sk, \mathrm{Evaluate}(pk, C, \Psi)) = C(\pi_1, \ldots, \pi_t)$$

$$
\begin{aligned}
\mathrm{Decrypt}(sk, \mathrm{Evaluate}(pk, C, \Psi)) &= ((g(C)(\pi_1 + i_1 + j_1, \ldots, \pi_t + i_t + j_t) \bmod B_{pk}) \bmod B_{sk}) \bmod B_I \\
&= (((g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) + j) \bmod B_{pk}) \bmod B_{sk}) \bmod B_I, \text{ for some } j \in J \\
&= ((g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_{pk}) \bmod B_{sk}) \bmod B_I, \text{ as } j \bmod B_{pk} = 0 \text{ for } j \in J \\
&= ((g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) + j) \bmod B_{sk}) \bmod B_I, \text{ as } x \bmod B_{pk} = x + j\ (j \in J) \text{ for any } x \in R \\
&= (g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_{sk}) \bmod B_I
\end{aligned}
$$

Since $C \in C_\varepsilon$, for $(\pi_1 + i_1, \ldots, \pi_t + i_t) \in X_{Enc}^t$,

$\Rightarrow g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \in X_{Dec}$
$\Rightarrow g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \in R \bmod B_{sk}$

If $x \in R \bmod B_{sk}$, then $x \bmod B_{sk} = x$. Hence,

$$g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_{sk} = g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t)$$

Therefore,

$$
\begin{aligned}
\mathrm{Decrypt}(sk, \mathrm{Evaluate}(pk, C, \Psi)) &= g(C)(\pi_1 + i_1, \ldots, \pi_t + i_t) \bmod B_I \\
&= (g(C)(\pi_1, \ldots, \pi_t) + i) \bmod B_I, \text{ for some } i \in I \\
&= g(C)(\pi_1, \ldots, \pi_t) \bmod B_I \\
&= C(\pi_1, \ldots, \pi_t)
\end{aligned}
$$

Hence, the encryption scheme is correct.

V. CONCRETE CONSTRUCTION

The ideal-based encryption scheme is instantiated in the following way:

Choose $R = \mathbb{Z}[x]/(f(x))$, where $f(x)$ is a monic polynomial of degree $n$. $R$ is isomorphic to an $n$-dimensional integer lattice, i.e., a polynomial in $R$ can be treated as an $n$-dimensional integer vector. $(f(x)) = \{f(x) \cdot g(x) : g(x) \in \mathbb{Z}[x]\}$

Choose a vector $s \in R$ and set $I = (s)$ (the principal ideal generated by $s$).

Set $B_I = \{s_0, s_1, \ldots, s_{n-1}\}$ to be the rotation basis of $I$, $s_i = s \times x^i \bmod f(x)$.

Set $f(x) = x^n \pm 1$ so that $B_I$ is a nice rotated basis.

Plaintext space $\mathcal{P} \subseteq P(B_I)$.

Range of Samp $\subseteq B(l_{Samp})$, where $B(r)$ denotes a sphere of radius $r$ centered on the origin.

We know $X_{Enc} = \mathrm{Samp}(B_I, \mathcal{P})$ and $X_{Dec} = R \bmod B_{sk}$. Let $r_{Enc}$ be the smallest radius such that $X_{Enc} \subseteq B(r_{Enc})$ and $r_{Dec}$ the largest radius such that $B(r_{Dec}) \subseteq X_{Dec}$. Then we have to ensure

$$\forall x_1, \ldots, x_t \in B(r_{Enc}),\quad g(C)(x_1, \ldots, x_t) \in B(r_{Dec})$$

By the triangle inequality, for vectors $u, v \in R$,

$$\|u + v\| \le \|u\| + \|v\|$$
$$\|u \times v\| \le \gamma_{mult} \cdot \|u\| \cdot \|v\|$$

where $\gamma_{mult}$ depends on $R$.
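The following toy instance is an added example, not code from the report or from Gentry's thesis. It runs the scheme of Section IV in $R = \mathbb{Z}[x]/(x^4 + 1)$ with $I = (2)$ and a secret rotation basis close to $t \cdot E$ (the parameter choices the following subsections arrive at), uses the reduction $t \bmod B$ from Section III, and counts how many Mult levels still decrypt correctly. The sizes n = 4 and t = 100, the generator v_1 and the fixed vectors r are constructed for illustration and give no security.

```python
from fractions import Fraction
from math import floor

N, T = 4, 100   # assumed toy sizes: R = Z[x]/(x^4 + 1), secret basis close to T*E

def mul(a, b):
    """Product in R = Z[x]/(x^N + 1), i.e. negacyclic convolution."""
    out = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            sign = 1 if i + j < N else -1          # x^N = -1 in R
            out[(i + j) % N] += sign * ai * bj
    return out

def rotation_basis(v):
    """Rows v * x^i mod (x^N + 1): a basis of the principal ideal (v)."""
    return [mul(v, [int(k == i) for k in range(N)]) for i in range(N)]

def inverse(B):
    """Exact inverse by Gauss-Jordan elimination over the rationals."""
    A = [[Fraction(x) for x in row] + [Fraction(int(i == j)) for j in range(N)]
         for i, row in enumerate(B)]
    for c in range(N):
        p = next(r for r in range(c, N) if A[r][c] != 0)
        A[c], A[p] = A[p], A[c]
        piv = A[c][c]
        A[c] = [x / piv for x in A[c]]
        for r in range(N):
            if r != c:
                f = A[r][c]
                A[r] = [x - f * y for x, y in zip(A[r], A[c])]
    return [row[N:] for row in A]

def mod_basis(t, B):
    """t mod B = t - round(t B^-1) B: the representative of t + L(B) in P(B)."""
    Binv = inverse(B)
    k = [floor(sum(t[i] * Binv[i][j] for i in range(N)) + Fraction(1, 2))
         for j in range(N)]
    return [t[j] - sum(k[i] * B[i][j] for i in range(N)) for j in range(N)]

def hnf(B):
    """Row-style Hermite normal form of a full-rank integer matrix (same lattice)."""
    A = [row[:] for row in B]
    for c in range(N):
        while True:                                # Euclid on column c, rows c..N-1
            nz = [r for r in range(c, N) if A[r][c] != 0]
            if len(nz) == 1:
                break
            p = min(nz, key=lambda r: abs(A[r][c]))
            for r in nz:
                if r != p:
                    q = A[r][c] // A[p][c]
                    A[r] = [x - q * y for x, y in zip(A[r], A[p])]
        A[c], A[nz[0]] = A[nz[0]], A[c]
        if A[c][c] < 0:
            A[c] = [-x for x in A[c]]
        for r in range(c):                         # reduce entries above the pivot
            q = A[r][c] // A[c][c]
            A[r] = [x - q * y for x, y in zip(A[r], A[c])]
    return A

V1 = [T, 1, 0, -1]              # constructed generator: T*e_1 plus a short error
B_SK = rotation_basis(V1)       # secret basis, nearly orthogonal
B_PK = hnf(B_SK)                # public basis, skewed, same ideal lattice J

def encrypt(bit, r):
    """Samp returns bit + 2r in the coset bit + I, I = (2); r is fixed by the caller here."""
    return mod_basis([bit + 2 * r[0]] + [2 * x for x in r[1:]], B_PK)

def decrypt(psi):
    """(psi mod B_sk) mod B_I; with B_I = 2*E this is coefficient-wise mod 2."""
    return [x % 2 for x in mod_basis(psi, B_SK)]

def ev_add(p1, p2):
    return mod_basis([x + y for x, y in zip(p1, p2)], B_PK)

def ev_mult(p1, p2):
    return mod_basis(mul(p1, p2), B_PK)

def squaring_depth(psi, expected, limit=6):
    """Count the Mult levels (repeated squaring) that still decrypt to `expected`."""
    depth = 0
    while depth < limit:
        psi = ev_mult(psi, psi)
        if decrypt(psi) != expected:
            break
        depth += 1
    return depth

if __name__ == "__main__":
    p1 = encrypt(1, [0, 1, 0, -1])      # constructed noise vectors r
    p2 = encrypt(1, [1, 0, -1, 0])
    print("ciphertext    :", p1)
    print("Add  -> 1 + 1 :", decrypt(ev_add(p1, p2)))
    print("Mult -> 1 * 1 :", decrypt(ev_mult(p1, p2)))
    print("squaring depth:", squaring_depth(p1, [1, 0, 0, 0]))
```

With these values the fresh noise vector (1, 2, 0, -2) squares to (9, 4, 0, -4) and then to (113, 72, 0, -72); the last one leaves $P(B_{sk})$, so decryption fails at the second level and `squaring_depth` returns 1.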

Lemma: If the input vectors are in $B(r)$, then after a 2-fan-in multiplication or an $m$-fan-in addition the output vector will be in $B(m r^2)$, where $m = \gamma_{mult}(R)$.

After $k$ levels of 2-fan-in multiplication or $m$-fan-in addition, the output vector is in

$$B(m^{2^k - 1} r_{Enc}^{2^k}) \subseteq B((m \cdot r_{Enc})^{2^k})$$

Therefore,

$$(m \cdot r_{Enc})^{2^k} \le r_{Dec} \;\Rightarrow\; k \le \log\log(r_{Dec}) - \log\log(m \cdot r_{Enc})$$

The proposed scheme works for circuits of depth $k$. We want to maximize $k$ so that our scheme is large enough to encompass the decryption circuit and its augmentations. This is achieved in the following three sections [8].

A. Minimizing $\gamma_{mult}(R)$

For $f(x) = x^n \pm 1$ and $R = \mathbb{Z}[x]/(f(x))$,

$$\gamma_{mult}(R) \le \sqrt{n} \qquad (1)$$

B. Minimizing $r_{Enc}$

$B_I = \{s_0, s_1, \ldots, s_{n-1}\}$ is the rotation basis of $I$. Let $\|B_I\| = \max\{\|s_i\|\}$ where $i = 0, \ldots, n-1$.

$$
\begin{aligned}
\mathrm{Samp}(B_I, x) &= x + I = x + r \times s, \text{ where } r \in R \\
&= x + \mathrm{Samp}_1(R) \times s
\end{aligned}
$$

$r \in \mathrm{Samp}_1(R) \Rightarrow \|r\| \le l_{Samp_1}$, where $\mathrm{Samp}_1(R) \subseteq B(l_{Samp_1})$

$\mathrm{Samp}(B_I, x) = X_{Enc} \subseteq B(r_{Enc})$
$\Rightarrow r_{Enc} = \max\{\|x + r \times s\| : x \in \mathcal{P},\ r \in \mathrm{Samp}_1(R)\}$
$\Rightarrow r_{Enc} \le n \cdot \|B_I\| + \sqrt{n} \cdot l_{Samp_1} \cdot \|B_I\|$

Since we want to minimize $r_{Enc}$, we would like to minimize $\|B_I\|$. So we could choose $s = e_1$, but that would make the ideal $I$ and the ring $R$ equal. So we choose $s = 2e_1$. Therefore, $\|B_I\| = 2$.

The size of $l_{Samp_1}$ is a security constraint. It should be sufficiently large and is chosen to be equal to $n$.

$$\Rightarrow r_{Enc} \le 2n + 2n^{1.5} \qquad (2)$$

C. Maximizing $r_{Dec}$

$$B(r_{Dec}) \subseteq X_{Dec} = P(B_{sk})$$

If we want a large $r_{Dec}$, $P(B_{sk})$ should be as fat as possible. $P(B_{sk})$ will be fattest for a $B_{sk}$ of the form $t \cdot E = (t \cdot e_1, \ldots, t \cdot e_n)$.

But if we set $B_{sk} = t \cdot E$, then $\mathrm{HNF}(B_{sk}) = B_{sk}$, which can't be chosen as the public key basis, as we want it to be a skewed basis. So we choose $B_{sk}$ to be very close to $t \cdot E$, but not equal to $t \cdot E$, by introducing an error vector whose modulus is less than some value $l$.

Consider $B_{sk} \ni v_1 \in t \cdot e_1 + B(l)$, where $t \ge 4 n l \gamma_{mult}(R)$.

Let $B_{sk}$ = rotation basis of $v_1$ = $(v_1, \ldots, v_n)$, where $v_i = v_1 \times x^{i-1} \bmod f(x)$.

Let $z_j = v_j - t \cdot e_j$. Then

$$
\begin{aligned}
\|z_j\| = \|v_j - t \cdot e_j\| &= \|(v_1 - t \cdot e_1) \times x^{j-1}\| \\
&\le \gamma_{mult}(R) \cdot \|v_1 - t \cdot e_1\| \cdot \|x^{j-1}\| \\
&\le \gamma_{mult}(R) \cdot l \cdot 1
\end{aligned}
$$

$\Rightarrow \|z_j\| \le l \cdot \gamma_{mult}(R)$

Consider a point $a$ on the surface of $P(B_{sk})$; then

$$a = \pm\tfrac{1}{2} v_i + \sum_{j \ne i} a_j v_j, \text{ where } |a_j| \le \tfrac{1}{2}$$

$$\|a\| \ge |\langle a, e_i \rangle|$$

Also,

$$\|a\| \ge \left| \tfrac{1}{2} \langle v_i, e_i \rangle + \sum_{j \ne i} a_j \langle v_j, e_i \rangle \right|$$

$$\langle v_i, e_i \rangle = \langle z_i + t \cdot e_i, e_i \rangle = \langle z_i, e_i \rangle + t$$
$$\langle v_j, e_i \rangle = \langle z_j + t \cdot e_j, e_i \rangle = \langle z_j, e_i \rangle$$

$$\|a\| \ge \tfrac{1}{2} |t + \langle z_i, e_i \rangle| - \sum_{j \ne i} |a_j| \cdot |\langle z_j, e_i \rangle|$$

Substituting the bound $|a_j| \le \tfrac{1}{2}$ for all $a_j$,

$$\|a\| \ge \tfrac{t}{2} - n \cdot |\langle z_j, e_i \rangle| \ge \tfrac{t}{2} - n \cdot \|z_j\| \ge \tfrac{t}{2} - n \cdot l \cdot \gamma_{mult}(R) \ge \tfrac{t}{2} - \tfrac{t}{4}$$

$\Rightarrow \|a\| \ge \tfrac{t}{4}$

$$\Rightarrow r_{Dec} \ge \tfrac{t}{4}, \text{ where } t \ge 4 n l \gamma_{mult}(R) \qquad (3)$$

VI. SQUASHING

Thus, we see that $r_{Dec}$ can be made as large as possible according to Equation (3). However, $r_{Dec}/r_{Enc}$ must be subexponential for BDDP to be hard. Choosing values of $l$, $t$ and $r_{Dec}$ accordingly to maximize $k$, the maximum depth of circuit permitted by the scheme becomes $c \log(n)$ for some constant $c < 1$. However, during decryption, the computation involves the addition of at least $n$ vectors during the matrix multiplication steps, which can be performed by circuits of depth $O(\log(n))$, but the constant coefficient of $\log(n)$ will be greater than 1. This makes the encryption fall just short of achieving bootstrappability.

To reduce the complexity of the decryption circuit, Gentry introduced the idea of squashing the decryption circuit [1], the details of which aren't discussed in this report. Performing this step ultimately leads to a bootstrappable scheme.

REFERENCES

[1] Gentry, Craig. A fully homomorphic encryption scheme. Diss. Stanford University.
[2] Goldreich, Oded, Shafi Goldwasser, and Shai Halevi. Public-key cryptosystems from lattice reduction problems. Annual International Cryptology Conference. Springer Berlin Heidelberg.
[3] Micciancio, Daniele. Improving lattice based cryptosystems using the Hermite normal form. Cryptography and Lattices. Springer Berlin Heidelberg.
[4] FHE.pdf
[5] lai/5359-aut13/03.lattices.pdf
[6] SWHE.pdf
[7] lai/5359-aut13/02.gentry-fhebootstrapping.pdf
[8] lai/5359-aut13/05.gentry-fheconcrete-scheme.pdf


More information

Recovering Short Generators of Principal Ideals in Cyclotomic Rings

Recovering Short Generators of Principal Ideals in Cyclotomic Rings Recovering Short Generators of Principal Ideals in Cyclotomic Rings Ronald Cramer, Léo Ducas, Chris Peikert, Oded Regev 9 July 205 Simons Institute Workshop on Math of Modern Crypto / 5 Short Generators

More information

Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness

Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness Toward Basing Fully Homomorphic Encryption on Worst-Case Hardness Craig Gentry IBM T.J Watson Research Center cbgentry@us.ibm.com Abstract. Gentry proposed a fully homomorphic public key encryption scheme

More information

An RNS variant of fully homomorphic encryption over integers

An RNS variant of fully homomorphic encryption over integers An RNS variant of fully homomorphic encryption over integers by Ahmed Zawia A thesis presented to the University of Waterloo in fulfillment of the thesis requirement for the degree of Master of Applied

More information

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Practical Analysis of Key Recovery Attack against Search-LWE Problem Practical Analysis of Key Recovery Attack against Search-LWE Problem The 11 th International Workshop on Security, Sep. 13 th 2016 Momonari Kudo, Junpei Yamaguchi, Yang Guo and Masaya Yasuda 1 Graduate

More information

Revisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives

Revisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives Revisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives A thesis submitted in fulfillment of the requirements for the award of the degree Doctor of Philosophy from UNIVERSITY

More information

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51 HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY Abderrahmane Nitaj Laboratoire de Mathe matiques Nicolas Oresme Universite de Caen Normandie, France Nouakchott, February 15-26, 2016 Abderrahmane

More information

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu

More information

Fully Homomorphic Encryption - Part II

Fully Homomorphic Encryption - Part II 6.889: New Developments in Cryptography February 15, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption - Part II Scribe: Elette Boyle 1 Overview We continue our discussion on the fully homomorphic

More information

New Cryptosystem Using The CRT And The Jordan Normal Form

New Cryptosystem Using The CRT And The Jordan Normal Form New Cryptosystem Using The CRT And The Jordan Normal Form Hemlata Nagesh 1 and Birendra Kumar Sharma 2 School of Studies in Mathematics,Pt.Ravishankar Shukla University Raipur(C.G.). E-mail:5Hemlata5@gmail.com

More information

Multi-key fully homomorphic encryption report

Multi-key fully homomorphic encryption report Multi-key fully homomorphic encryption report Elena Fuentes Bongenaar July 12, 2016 1 Introduction Since Gentry s first Fully Homomorphic Encryption (FHE) scheme in 2009 [6] multiple new schemes have been

More information

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited

From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited From Fixed-Length to Arbitrary-Length RSA Encoding Schemes Revisited Julien Cathalo 1, Jean-Sébastien Coron 2, and David Naccache 2,3 1 UCL Crypto Group Place du Levant 3, Louvain-la-Neuve, B-1348, Belgium

More information

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011 Multiparty Computation from Somewhat Homomorphic Encryption Ivan Damgård 1 Valerio Pastro 1 Nigel Smart 2 Sarah Zakarias 1 1 Aarhus University 2 Bristol University CTIC 交互计算 November 9, 2011 Damgård, Pastro,

More information

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme Eduardo Morais Ricardo Dahab October 2014 Abstract In this paper we present a key recovery attack to the scale-invariant

More information

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION A Thesis Presented to The Academic Faculty by Jacob Alperin-Sheriff In Partial Fulfillment of the Requirements for the Degree Doctor of Philosophy in the

More information

4-3 A Survey on Oblivious Transfer Protocols

4-3 A Survey on Oblivious Transfer Protocols 4-3 A Survey on Oblivious Transfer Protocols In this paper, we survey some constructions of oblivious transfer (OT) protocols from public key encryption schemes. We begin with a simple construction of

More information

Computing on Encrypted Data

Computing on Encrypted Data Computing on Encrypted Data COSIC, KU Leuven, ESAT, Kasteelpark Arenberg 10, bus 2452, B-3001 Leuven-Heverlee, Belgium. August 31, 2018 Computing on Encrypted Data Slide 1 Outline Introduction Multi-Party

More information

CPSC 467b: Cryptography and Computer Security

CPSC 467b: Cryptography and Computer Security CPSC 467b: Cryptography and Computer Security Michael J. Fischer Lecture 10 February 19, 2013 CPSC 467b, Lecture 10 1/45 Primality Tests Strong primality tests Weak tests of compositeness Reformulation

More information

Better Bootstrapping in Fully Homomorphic Encryption

Better Bootstrapping in Fully Homomorphic Encryption Better Bootstrapping in Fully Homomorphic Encryption Craig Gentry 1, Shai Halevi 1, and Nigel P. Smart 2 1 IBM T.J. Watson Research Center 2 Dept. Computer Science, University of Bristol Abstract. Gentry

More information

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev

Cryptography. Lecture 2: Perfect Secrecy and its Limitations. Gil Segev Cryptography Lecture 2: Perfect Secrecy and its Limitations Gil Segev Last Week Symmetric-key encryption (KeyGen, Enc, Dec) Historical ciphers that are completely broken The basic principles of modern

More information

COS 598D - Lattices. scribe: Srdjan Krstic

COS 598D - Lattices. scribe: Srdjan Krstic COS 598D - Lattices scribe: Srdjan Krstic Introduction In the first part we will give a brief introduction to lattices and their relevance in some topics in computer science. Then we show some specific

More information

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces (Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida Kaoru Kurosawa National Institute of Advanced Industrial Science and Technology (AIST), Japan, k.nuida@aist.go.jp

More information

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000

Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Cryptanalysis of a Public Key Cryptosystem Proposed at ACISP 2000 Amr Youssef 1 and Guang Gong 2 1 Center for Applied Cryptographic Research Department of Combinatorics & Optimization 2 Department of Electrical

More information

High-Precision Arithmetic in Homomorphic Encryption

High-Precision Arithmetic in Homomorphic Encryption High-Precision Arithmetic in Homomorphic Encryption Hao Chen 1, Kim Laine 2, Rachel Player 3, and Yuhou Xia 4 1 Microsoft Research, USA haoche@microsoft.com 2 Microsoft Research, USA kim.laine@microsoft.com

More information

Scale-Invariant Fully Homomorphic Encryption over the Integers

Scale-Invariant Fully Homomorphic Encryption over the Integers Scale-Invariant Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, Tancrède Lepoint 1,,3, and Mehdi Tibouchi 4 1 University of Luxembourg, Luxembourg jean-sebastien.coron@uni.lu École

More information

Attribute-based Encryption & Delegation of Computation

Attribute-based Encryption & Delegation of Computation Lattices and Homomorphic Encryption, Spring 2013 Instructors: Shai Halevi, Tal Malkin Attribute-based Encryption & Delegation of Computation April 9, 2013 Scribe: Steven Goldfeder We will cover the ABE

More information

Batch Fully Homomorphic Encryption over the Integers

Batch Fully Homomorphic Encryption over the Integers Batch Fully Homomorphic Encryption over the Integers Jung Hee Cheon 1, Jean-Sébastien Coron 2, Jinsu Kim 1, Moon Sung Lee 1, Tancrède Lepoint 3,4, Mehdi Tibouchi 5, and Aaram Yun 6 1 Seoul National University

More information

A Digital Signature Scheme based on CVP

A Digital Signature Scheme based on CVP A Digital Signature Scheme based on CVP Thomas Plantard Willy Susilo Khin Than Win Centre for Computer and Information Security Research Universiy Of Wollongong http://www.uow.edu.au/ thomaspl thomaspl@uow.edu.au

More information

Background: Lattices and the Learning-with-Errors problem

Background: Lattices and the Learning-with-Errors problem Background: Lattices and the Learning-with-Errors problem China Summer School on Lattices and Cryptography, June 2014 Starting Point: Linear Equations Easy to solve a linear system of equations A s = b

More information

Density of Ideal Lattices

Density of Ideal Lattices Density of Ideal Lattices - Preliminary Draft - Johannes Buchmann and Richard Lindner Technische Universität Darmstadt, Department of Computer Science Hochschulstraße 10, 64289 Darmstadt, Germany buchmann,rlindner@cdc.informatik.tu-darmstadt.de

More information

Lattice Cryptography

Lattice Cryptography CSE 206A: Lattice Algorithms and Applications Winter 2016 Lattice Cryptography Instructor: Daniele Micciancio UCSD CSE Lattice cryptography studies the construction of cryptographic functions whose security

More information

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m.

Univ.-Prof. Dr. rer. nat. Rudolf Mathar. Written Examination. Cryptography. Tuesday, August 29, 2017, 01:30 p.m. Cryptography Univ.-Prof. Dr. rer. nat. Rudolf Mathar 1 2 3 4 15 15 15 15 60 Written Examination Cryptography Tuesday, August 29, 2017, 01:30 p.m. Name: Matr.-No.: Field of study: Please pay attention to

More information

6.892 Computing on Encrypted Data October 28, Lecture 7

6.892 Computing on Encrypted Data October 28, Lecture 7 6.892 Computing on Encrypted Data October 28, 2013 Lecture 7 Lecturer: Vinod Vaikuntanathan Scribe: Prashant Vasudevan 1 Garbled Circuits Picking up from the previous lecture, we start by defining a garbling

More information

On the power of non-adaptive quantum chosen-ciphertext attacks

On the power of non-adaptive quantum chosen-ciphertext attacks On the power of non-adaptive quantum chosen-ciphertext attacks joint work with Gorjan Alagic (UMD, NIST), Stacey Jeffery (QuSoft, CWI), and Maris Ozols (QuSoft, UvA) Alexander Poremba August 29, 2018 Heidelberg

More information

Solutions to homework 2

Solutions to homework 2 ICS 180: Introduction to Cryptography 4/22/2004 Solutions to homework 2 1 Security Definitions [10+20 points] Definition of some security property often goes like this: We call some communication scheme

More information

A Comment on Gu Map-1

A Comment on Gu Map-1 A Comment on Gu Map-1 Yupu Hu and Huiwen Jia ISN Laboratory, Xidian University, 710071 Xi an, China yphu@mail.xidian.edu.cn Abstract. Gu map-1 is a modified version of GGH map. It uses same ideal lattices

More information

On the security of Jhanwar-Barua Identity-Based Encryption Scheme

On the security of Jhanwar-Barua Identity-Based Encryption Scheme On the security of Jhanwar-Barua Identity-Based Encryption Scheme Adrian G. Schipor aschipor@info.uaic.ro 1 Department of Computer Science Al. I. Cuza University of Iași Iași 700506, Romania Abstract In

More information

Somewhat Practical Fully Homomorphic Encryption

Somewhat Practical Fully Homomorphic Encryption Somewhat Practical Fully Homomorphic Encryption Junfeng Fan and Frederik Vercauteren Katholieke Universiteit Leuven, COSIC & IBBT Kasteelpark Arenberg 10 B-3001 Leuven-Heverlee, Belgium firstname.lastname@esat.kuleuven.be

More information

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University zvika@stanford.edu Abstract. We present a new tensoring techniue for LWE-based fully homomorphic

More information

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7

CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky. Lecture 7 CS 282A/MATH 209A: Foundations of Cryptography Prof. Rafail Ostrovsky Lecture 7 Lecture date: Monday, 28 February, 2005 Scribe: M.Chov, K.Leung, J.Salomone 1 Oneway Trapdoor Permutations Recall that a

More information

Bootstrapping for HElib

Bootstrapping for HElib Bootstrapping for HElib Shai Halevi 1 and Victor Shoup 1,2 1 IBM Research 2 New York University Abstract. Gentry s bootstrapping technique is still the only known method of obtaining fully homomorphic

More information

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research FULLY HOMOMORPHIC ENCRYPTION: CURRENT STATE OF THE ART Craig Gentry, IBM Research Africacrypt 2012 Homomorphic Encryption The special sauce! For security parameter k, Eval s running should be Time(f) poly(k)

More information

Fixed-Point Arithmetic in SHE Schemes

Fixed-Point Arithmetic in SHE Schemes Fixed-Point Arithmetic in SHE Schemes Anamaria Costache 1, Nigel P. Smart 1, Srinivas Vivek 1, Adrian Waller 2 1 University of Bristol 2 Thales UK Research & Technology July 6, 2016 Outline Motivation

More information

Bootstrapping for Approximate Homomorphic Encryption

Bootstrapping for Approximate Homomorphic Encryption Bootstrapping for Approximate Homomorphic Encryption Jung Hee Cheon 1, Kyoohyung Han 1, Andrey Kim 1, Miran Kim 2, and Yongsoo Song 1,2 1 Seoul National University, Seoul, Republic of Korea {jhcheon, satanigh,

More information

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes

From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes From Fixed-Length Messages to Arbitrary-Length Messages Practical RSA Signature Padding Schemes [Published in D. Naccache, Ed., Topics in Cryptology CT-RSA 2001, vol. 2020 of Lecture Notes in Computer

More information

Threshold Cryptography

Threshold Cryptography Threshold Cryptography Cloud Security Mechanisms Björn Groneberg - Summer Term 2013 09.07.2013 Threshold Cryptography 1 ? 09.07.2013 Threshold Cryptography 2 Threshold Cryptography Sharing Secrets Treasure

More information

9 Knapsack Cryptography

9 Knapsack Cryptography 9 Knapsack Cryptography In the past four weeks, we ve discussed public-key encryption systems that depend on various problems that we believe to be hard: prime factorization, the discrete logarithm, and

More information

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan

Finding Short Generators of Ideals, and Implications for Cryptography. Chris Peikert University of Michigan Finding Short Generators of Ideals, and Implications for Cryptography Chris Peikert University of Michigan ANTS XII 29 August 2016 Based on work with Ronald Cramer, Léo Ducas, and Oded Regev 1 / 20 Lattice-Based

More information

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange ENEE 457: Computer Systems Security 10/3/16 Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange Charalampos (Babis) Papamanthou Department of Electrical and Computer Engineering University of Maryland,

More information

Lecture 5: CVP and Babai s Algorithm

Lecture 5: CVP and Babai s Algorithm NYU, Fall 2016 Lattices Mini Course Lecture 5: CVP and Babai s Algorithm Lecturer: Noah Stephens-Davidowitz 51 The Closest Vector Problem 511 Inhomogeneous linear equations Recall that, in our first lecture,

More information

Fully Homomorphic Encryption

Fully Homomorphic Encryption 6.889: New Developments in Cryptography February 8, 2011 Instructor: Boaz Barak Fully Homomorphic Encryption Scribe: Alessandro Chiesa Achieving fully-homomorphic encryption, under any kind of reasonable

More information

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation x x f f(x) Email, web-search, navigation, social networking What if x is private? Search

More information

A new security notion for asymmetric encryption Draft #12

A new security notion for asymmetric encryption Draft #12 A new security notion for asymmetric encryption Draft #12 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

More information

A new security notion for asymmetric encryption Draft #8

A new security notion for asymmetric encryption Draft #8 A new security notion for asymmetric encryption Draft #8 Muhammad Rezal Kamel Ariffin 1,2 1 Al-Kindi Cryptography Research Laboratory, Institute for Mathematical Research, 2 Department of Mathematics,

More information

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces (Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces Koji Nuida 12 and Kaoru Kurosawa 3 1 National Institute of Advanced Industrial Science and Technology (AIST), Tsukuba, Ibaraki

More information