Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Size: px

Start display at page:

Download "Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers"

Moses Barker
5 years ago
Views:

1 Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS & NTT EUROCRYPT,

2 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

3 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

4 Fully homomorphic encryption Multiplicatively homomorphic: RSA. c 1 = m e 1 mod N c 2 = m2 e mod N c 1 c 2 = (m 1 m 2 ) e mod N Additively homomorphic: Paillier c 1 = g m 1 mod N 2 c 2 = g m 2 mod N 2 c 1 c 2 = g m 1+m 2 [N] mod N 2 Fully homomorphic: homomorphic for both addition and multiplication Open problem until Gentry s breakthrough in 2009.

5 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

6 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

7 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

8 Fully Homomorphic Encryption Schemes 1. Breakthrough scheme of Gentry [G09], based on ideal lattices. Some optimizations by [SV10]. Implementation [GH11]: PK size: 2.3 GB, recrypt: 30 min. 2. van Dijk, Gentry, Halevi and Vaikuntanathan s scheme over the integers [DGHV10]. Implementation [CMNT11]: PK size: 1 GB, recrypt: 15 min. 3. RLWE schemes [BV11a,BV11b]. FHE without bootstrapping [BGV11] Batch FHE (next talk!) Implementation with homomorphic evaluation of AES [GHS12] This talk: smaller PK for DGHV (10 MB) and improved attack against DGHV.

9 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits

10 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits

11 The DGHV Scheme Ciphertext for m {0, 1}: c = q p + 2r + m where p is the secret-key, q and r are randoms. Decryption: (c mod p) mod 2 = m Parameters: c = γ bits p : η 2700 bits r : ρ 71 bits

12 Homomorphic Properties of DGHV Addition: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 Noise becomes twice larger.

13 Homomorphic Properties of DGHV Addition: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 + c 2 = q p + 2r + m 1 + m 2 Multiplication: c 1 = q 1 p + 2r 1 + m 1 c 2 = q 2 p + 2r 2 + m 2 c 1 c 2 = q p + 2r + m 1 m 2 with r = 2r 1 r 2 + r 1 m 2 + r 2 m 1 Noise becomes twice larger.

14 Somewhat homomorphic scheme The number of multiplications is limited. Noise grows with the number of multiplications. Noise must remain < p for correct decryption. p ρ p 2ρ p 4ρ

15 Fully Homomorphic Encryption Gentry s breakthrough idea: refresh the ciphertext by evaluating the decryption circuit homomorphically: bootstrapping. Ciphertext bits Secret key bits Ciphertext bits Encryption of secret key bits ???? Decryption circuit + + Decryption circuit Plaintext bit? Encryption of plaintext bit = refreshed ciphertext

16 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

17 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

18 Public-key Encryption with DGHV Ciphertext c = q p + 2r + m Public-key: a set of τ encryptions of 0 s. x i = q i p + 2r i Public-key encryption: c = m + 2r + for random ε i {0, 1}. τ ε i x i i=1

19 Public Key Size γ bits x 1 = x 2 = τ 10 4 x i = x τ = Public-key size: τ γ = bits = 25 GB! In [CMNT11], with quadratic encryption, PK size of 1 GB.

20 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!

21 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!

22 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!

23 New: DGHV Ciphertext Compression Ciphertext: c = q p + 2r + m c = γ bits p : η 2700 bits r : ρ 71 bits Compute a pseudo-random χ = f (seed) of γ bits. χ = c = χ δ δ = χ 2r m mod p Only store seed and the small correction δ. Storage: bits instead of bits!

24 Compressed Public Key γ bits η bits x 1 = x 2 = δ 1 = δ 2 = τ 10 4 x i = δ i = x τ = δ τ =

25 Compressed Public Key γ bits η bits x 1 = x 2 = δ 1 = δ 2 = τ 10 4 x i = δ i = x τ = δ τ = Old PK: 25 GB New PK: 3.4 MB!

26 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd.

27 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd.

28 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd. PK Generation χ i = H(seed, i) δ i = [χ i ] p + λ i p r i x i = χ i δ i

29 Security of Compressed PK Original DGHV scheme is semantically secure, under the approximate-gcd assumption. Approximate-gcd problem: given a set of x i = q i p + r i, recover p. Compressed public key seed is part of the public-key, to recover the x i s, so we cannot argue that f (seed) is pseudo-random. Security in the random oracle model only, still based on approximate-gcd. PK Generation χ i = H(seed, i) δ i = [χ i ] p + λ i p r i x i = χ i δ i Simulation in ROM H(seed, i) x i + δ i δ i {0, 1} η+λ x i = q i p + r i

30 PK size and timings Instance λ ρ η γ pk size Recrypt Toy KB 0.41 s Small KB 4.5 s Medium MB 51 s Large MB 11 min Updated parameters to take into account the Chen-Nguyen attack. PK size: 10.3 MB instead of 1 GB in [CMNT11].

31 Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?

32 Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?

33 Hardness assumption for semantic security Original DGHV scheme: secure under the General Approximate Common Divisor (GACD) assumption. Given polynomially many x i = p q i + r i, find p. Efficient DGHV variant: secure under the Partial Approximate Common Divisor (PACD) assumption. Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. PACD is clearly easier than GACD. How much easier?

34 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

35 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

36 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

37 Solving PACD Given x 0 = p q 0 and polynomially many x i = p q i + r i, find p. Brute force attack: 2 ρ GCD computations. with x 0 = q 0 p and x 1 = q 1 p + r 1 and 0 r 1 < 2 ρ. Variant suggested by Phong Nguyen, still in O(2 ρ ): p = gcd ( x 0, ) (x 1 i) mod x 0 2 ρ 1 i=0 Improved attack in Õ(2 ρ/2 ) time and memory by Chen and Nguyen at Eurocrypt 2012.

38 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

39 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

40 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

41 Solving GACD Given polynomially many x i = p q i + r i, find p. Variant without x 0 = q 0 p. Brute force attack: 2 2ρ GCD computations. From x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 Using Chen-Nguyen attack: Õ(2 3ρ/2 ) time. Guess r 1 and apply Chen-Nguyen on r 2 O(2 ρ ) Õ(2 ρ/2 ) = Õ(2 3ρ/2 ) time and Õ(2 ρ/2 ) memory. New attack: Õ(2 ρ ) time and memory.

42 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

43 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

44 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

45 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

46 New Attack against GACD Given polynomially many x i = p q i + r i, find p. Variant of the previous equation with x 1 = p q 1 + r 1 and x 2 = p q 2 + r 2 ( 2 ) ρ 1 2 ρ 1 p gcd (x 1 i), (x 2 i) i=0 Product over Z can be computed in Õ(2 ρ ) time using a product tree. Õ(2 ρ ) time and memory Problem: many parasitic factors. Can be eliminated by taking the gcd with more products, and by dividing by B! for B 2 ρ. i=0

47 Source Code in SAGE def attackgacd(rho=12,gam=1000,eta=100): p=random_prime(2^eta) s=rho B=floor(2^(1.*rho*(s+1)/(s-1))) fa=factorial(b) for j in range(1,s): x=p*zz.random_element(2^(gam-eta))+ \ ZZ.random_element(2^rho) z=prod([x-i for i in range(2^rho)]) if j==1: g=z; continue g=gcd(g,z) g=prime_to_m_part(g,fa) if g.nbits()==p.nbits(): break

48 GACD Attack Running Time Instance ρ γ time time [CN12] Micro s Toy (Section 8) min Toy ([CN12]) h 3495 h (est.) Chen-Nguyen attack: O(2 3ρ/2 ) time and O(2 ρ/2 ) memory. Our attack: O(2 ρ ) time and memory Time-memory tradeoffs are possible.

49 Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].

50 Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].

51 Conclusion Smaller public key size for the DGHV fully homomorphic encryption scheme. 10 MB instead of 1 GB Better attack against approximate-gcd without x 0 = q 0 p Õ(2 ρ ) complexity instead of Õ(2 3ρ/2 ) In the proceedings: Generalization of [CMNT11] quadratic encryption technique to higher degrees. DGHV without bootstrapping: analogous to RLWE without bootstrapping [BGV11].

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers Jean-Sébastien Coron 1, David Naccache 2, and Mehdi Tibouchi 3 1 Université du Luxembourg jean-sebastien.coron@uni.lu