Fully Homomorphic Encryption from LWE

Transcription

1 Fully Homomorphic Encryption from LWE Based on joint works with: Zvika Brakerski (Stanford) Vinod Vaikuntanathan (University of Toronto) Craig Gentry (IBM) Post-Quantum Webinar, November 2011

2 Outsourcing Computation

3 Outsourcing Computation x f(x) Function f

4 Outsourcing Computation It's everywhere! x f(x) Function f

5 Outsourcing Computation It's everywhere! x search query f(x) Search results Function f Google search

6 x search query Outsourcing Computation It's everywhere! x f(x) Search results Function f Google search

7 x search query Outsourcing Computation It's everywhere! x f(x) Search results Function f Google search What if my query is embarrassing? What if I'm sending my medical records?

8 x medical records Outsourcing Computation It's everywhere! x f(x) risk factors Function f analysis What if my query is embarrassing? What if I'm sending my medical records?

9 x medical records Outsourcing Computation It's everywhere! x f(x) risk factors Function f analysis What if my query is embarrassing? What if I'm sending my medical records? Want Privacy!

10 Outsourcing Computation Privately x Function f

11 Outsourcing Computation Privately x Enc(x) Function f

12 Outsourcing Computation Privately x Enc(x) Knows nothing of x. Function f

13 Outsourcing Computation Privately x Enc(x) y Knows nothing of x. Function f Dec(y)=f(x)

14 Outsourcing Computation Privately x Enc(x) y Knows nothing of x. Function f Dec(y)=f(x) Eval: f, Enc(x) Enc(f(x)) homomorphic evaluation

15 Fully Homomorphic Encryption (FHE) [RAD78] x Enc(x) y Function f Dec(y)=f(x)

16 Fully Homomorphic Encryption (FHE) sk, pk x Dec(y)=f(x) [RAD78] Enc(x) y evk evaluation key Function f

17 Fully Homomorphic Encryption (FHE) sk, pk x Dec(y)=f(x) [RAD78] Enc(x) y evk evaluation key Function f

18 Fully Homomorphic Encryption (FHE) sk, pk x Correctness guarantee: Dec sk (y)=f(x) [RAD78] Enc(x) y = Eval evk (f, Enc(x)) evk evaluation key Function f

19 Fully Homomorphic Encryption (FHE) sk, pk x Correctness guarantee: Dec sk (y)=f(x) [RAD78] Enc(x) y = Eval evk (f, Enc(x)) Privacy guarantee (semantic security [GM82]): Enc(x) Enc(0) evk evaluation key Function f

20 Fully Homomorphic Encryption (FHE) sk, pk x Correctness guarantee: Dec sk (y)=f(x) [RAD78] Enc(x) y = Eval evk (f, Enc(x)) Privacy guarantee (semantic security [GM82]): Enc(x) Enc(0) Fully = Evaluate all (efficient) f evk evaluation key Function f

21 Add & Mult Are Universal (a la [BGW88]) Arith. Circuit (+, ) over GF(2). x 1 x 2 + x 3

22 Add & Mult Are Universal (a la [BGW88]) Arith. Circuit (+, ) over GF(2). f(x 1,x 2,x 3 )=(x 1 +x 2 ) x 3 x 1 x 2 + x 3

23 Add & Mult Are Universal (a la [BGW88]) (+, ) over GF(2) Boolean (XOR,AND) = Universal set Arith. Circuit (+, ) over GF(2). f(x 1,x 2,x 3 )=(x 1 +x 2 ) x 3 x 1 x 2 + x 3

24 Add & Mult Are Universal (a la [BGW88]) (+, ) over GF(2) Boolean (XOR,AND) = Universal set If we had: Eval(+, Enc(x 1 ), Enc(x 2 )) Enc(x 1 +x 2 ) Eval(, Enc(x 1 ), Enc(x 2 )) Enc(x 1 x 2 ) then we are done. Arith. Circuit (+, ) over GF(2). f(x 1,x 2,x 3 )=(x 1 +x 2 ) x 3 x 1 x 2 + x 3

25 Add & Mult Are Universal (a la [BGW88]) (+, ) over GF(2) Boolean (XOR,AND) = Universal set If we had: Eval(+, Enc(x 1 ), Enc(x 2 )) Enc(x 1 +x 2 ) Eval(, Enc(x 1 ), Enc(x 2 )) Enc(x 1 x 2 ) then we are done. Arith. Circuit (+, ) over GF(2). f(x 1,x 2,x 3 )=(x 1 +x 2 ) x 3 Enc(x 1 ) Enc(x 2 ) + Enc(x 3 )

26 Add & Mult Are Universal (a la [BGW88]) (+, ) over GF(2) Boolean (XOR,AND) = Universal set If we had: Eval(+, Enc(x 1 ), Enc(x 2 )) Enc(x 1 +x 2 ) Eval(, Enc(x 1 ), Enc(x 2 )) Enc(x 1 x 2 ) then we are done. Arith. Circuit (+, ) over GF(2). f(x 1,x 2,x 3 )=(x 1 +x 2 ) x 3 Enc(x 1 ) Enc(x 2 ) + Enc(x 3 ) Enc(x 1 +x 2 ) Enc((x 1 +x 2 ) x 3 )

27 Add & Mult Are Universal (a la [BGW88]) (+, ) over GF(2) Boolean (XOR,AND) = Universal set If we had: Eval(+, Enc(x 1 ), Enc(x 2 )) Enc(x 1 +x 2 ) Eval(, Enc(x 1 ), Enc(x 2 )) Enc(x 1 x 2 ) then we are done. Partial solutions: - Only add [GM82,P99,R05, ]. - Only mult [G84, ]. - Add + single mult [BGN05,GHV10]. - Add + mult (w/ ciphertext blowup) [SYY99,GHV10,MGH10]. Arith. Circuit (+, ) over GF(2). f(x 1,x 2,x 3 )=(x 1 +x 2 ) x 3 Enc(x 1 ) Enc(x 2 ) + Enc(x 1 +x 2 ) Enc(x 3 ) Enc((x 1 +x 2 ) x 3 )

28 Gentry's Breakthrough [G09,G10] First Candidate FHE

29 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: (Qualitative) Deep enough HE FHE

30 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: (Qualitative) Deep enough HE FHE Deep enough = Deeper than decryption circuit

31 Gentry's Breakthrough [G09,G10] First Candidate FHE

32 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d leveled FHE

33 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d evk grows with eval. depth leveled FHE

34 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d Eval for any depth d circuit (aka somewhat HE) evk grows with eval. depth leveled FHE

35 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d + circular security FHE evk grows with eval. depth leveled FHE

36 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d Gentry's construction: + circular security FHE evk grows with eval. depth leveled FHE

37 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d Gentry's construction: d-he with dec. depth > d + circular security FHE evk grows with eval. depth leveled FHE Ideal lattice assumption.

38 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d Gentry's construction: + circular security FHE evk grows with eval. depth leveled FHE d-he with dec. depth > d + Squash to dec. depth < d Ideal lattice assumption. Sparse Subset-Sum assumption.

39 Gentry's Breakthrough [G09,G10] First Candidate FHE Bootstrapping Theorem [G09]: d-he + dec. depth < d Gentry's construction: + circular security FHE evk grows with eval. depth leveled FHE d-he with dec. depth > d + Squash to dec. depth < d + Circular security assumption Ideal lattice assumption. Sparse Subset-Sum assumption.

40 Since Gentry Additional candidate FHE schemes: [vdghv10]: Approx. GCD + sparse subset sum (via squashing). [BV11a]: Ring-LWE + sparse subset sum (via squashing) / sparse-ring-lwe. Circular secure d-he (not bootstrappable). Efficiency improvements of Gentry's scheme [SV10, SS10, GH11].

41 Q: Arbitrary Lattice?

42 Q: Arbitrary Lattice? Short-vectors in lattice: Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10]

43 Q: Arbitrary Lattice? Short-vectors in lattice: Short-vectors in ideal lattice: Algebraic structure: Point Polynomial. Vs. 2x+3 3x+2 Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10] Mostly studied in cryptographic context. [M04,PR07,LM07,LPR10]

44 Q: Arbitrary Lattice? Short-vectors in lattice: Short-vectors in ideal lattice: Algebraic structure: Point Polynomial. Vs. 2x+3 3x+2 Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10] Mostly studied in cryptographic context. [M04,PR07,LM07,LPR10] Useful but risky assumption

45 Q: Arbitrary Lattice? Short-vectors in lattice: Short-vectors in ideal lattice: Algebraic structure: Point Polynomial. Vs. 2x+3 3x+2 Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10] Mostly studied in cryptographic context. [M04,PR07,LM07,LPR10] Useful but risky assumption Base FHE on standard lattice assumptions?

46 Q: Arbitrary Lattice? Short-vectors in lattice: Short-vectors in ideal lattice: Algebraic structure: Point Polynomial. Vs. 2x+3 3x+2 Fundamental algorithmic problem extensively studied. [LLL82,K86,A97,M98,AKS03,MR04,MV10] Mostly studied in cryptographic context. [M04,PR07,LM07,LPR10] Useful but risky assumption Base FHE on standard lattice assumptions? (Are ideal assumptions inherent to FHE?)

47 Q: No Squashing?

48 Q: No Squashing? Sparse subset-sum assumption and the squashing method: Average case assumption, fairly untested. Forcing solution (that works!) to short blanket.

49 Q: No Squashing? Sparse subset-sum assumption and the squashing method: Average case assumption, fairly untested. Forcing solution (that works!) to short blanket. Do without squashing and additional assumption?

50 Q: No Squashing? Sparse subset-sum assumption and the squashing method: Average case assumption, fairly untested. Forcing solution (that works!) to short blanket. Do without squashing and additional assumption? Concurrently [GH11]: Remove squashing under ideal lattice assumption (using arith. representation of dec. circuit).

51

52 The Real World

53 The Real World People actually want to use these schemes

54 The Real World People actually want to use these schemes In known schemes: Key generation and Eval are exhausting.

55 The Real World People actually want to use these schemes In known schemes: Key generation and Eval are exhausting. Q: Implement FHE efficiently?

56 Q: Circular Security?

57 Q: Circular Security? Two roads to bootstrapping:

58 Q: Circular Security? Two roads to bootstrapping: I. No circular assumption evk grows with depth. leveled FHE

59 Q: Circular Security? Two roads to bootstrapping: I. No circular assumption evk grows with depth. leveled FHE II. Assume circular security Encryption of sk itself is secure. evk remains short.

60 Q: Circular Security? Two roads to bootstrapping: I. No circular assumption evk grows with depth. leveled FHE II. Assume circular security Encryption of sk itself is secure. evk remains short. Short eval. key without additional assumption?

61 Our Results: Fully Homomorphic Encryption

62 Our Results: Fully Homomorphic Encryption Short-vector is hard to approx in worst-case arbitrary lattice. LWE ( learning with errors ) assumption.

63 Our Results: Fully Homomorphic Encryption Short-vector is hard to approx in worst-case arbitrary lattice. LWE ( learning with errors ) assumption. No squashing. Direct d-he with decryption depth << d.

64 Our Results: Fully Homomorphic Encryption Short-vector is hard to approx in worst-case arbitrary lattice. LWE ( learning with errors ) assumption. No squashing. Direct d-he with decryption depth << d. Efficiency improvement. Short ciphertext efficient decryption (as efficient as non-hom. schemes). Trivial key generation: no structure required.

65 Our Results: Fully Homomorphic Encryption Short-vector is hard to approx in worst-case arbitrary lattice. LWE ( learning with errors ) assumption. No squashing. Direct d-he with decryption depth << d. Efficiency improvement. Short ciphertext efficient decryption (as efficient as non-hom. schemes). Trivial key generation: no structure required. Leveled FHE without bootstrapping. Conceptual contribution, although less efficient and worse parameters.

66 Our Results: Private Information Retrieval (PIR) PIR = Oblivious retrieval from huge DB of size N. [CGKS95,KO97,CMS99] Quality measure: Communication complexity. Our protocol: Õ(log(N))-communication. Trivial LB = log(n). We are nearly optimal! Previous best schemes [CMS99,L05,GR05,G09] ~log 3 (N).

67 New Ideas

68 New Ideas Re-linearization. Shallow multiplicative homomorphism. (Dimension-)Modulus reduction. Noise management for deep circuits. Short ciphertexts as by-product.

69 Talk Outline

70 Talk Outline The LWE assumption. Re-linearization and modulus reduction. FHE using bootstrapping. (Leveled) FHE without bootstrapping. PIR protocol. Conclusion and open problems.

71 Learning With Errors (LWE) [R05]

72 Learning With Errors (LWE) [R05] LWE n,q : For random secret s Z qn, for any m=poly(n): sample random a 1,,a m Z qn ; small noise e 1,,e m E ( e i T << q). ( a 1, b 1 = a 1, s + e 1 ) ( a 1, u 1 ) ( a 2, b 2 = a 2, s + e 2 ) ( a 2, u 2 ) ( a m, b m = a m, s + e m ) ( a m, u m )

73 Learning With Errors (LWE) [R05] LWE n,q : For random secret s Z qn, for any m=poly(n): sample random a 1,,a m Z qn ; small noise e 1,,e m E ( e i T << q). ( a 1, b 1 = a 1, s + e 1 ) ( a 1, u 1 ) ( a 2, b 2 = a 2, s + e 2 ) ( a 2, u 2 ) ( a m, b m = a m, s + e m ) ( a m, u m ) noisy random linear equation uniform in Z q

74 Learning With Errors (LWE) [R05] LWE n,q : For random secret s Z qn, for any m=poly(n): sample random a 1,,a m Z qn ; small noise e 1,,e m E ( e i T << q). ( a 1, b 1 = a 1, s + e 1 ) ( a 1, u 1 ) ( a 2, b 2 = a 2, s + e 2 ) ( a 2, u 2 ) ( a m, b m = a m, s + e m ) ( a m, u m ) noisy random linear equation uniform in Z q

75 Learning With Errors (LWE) [R05] E n Hermite normal form LWE n,q : For random secret s X Z qn, for any m=poly(n): sample random a 1,,a m Z qn ; small noise e 1,,e m E ( e i T << q). ( a 1, b 1 = a 1, s + e 1 ) ( a 1, u 1 ) ( a 2, b 2 = a 2, s + e 2 ) ( a 2, u 2 ) ( a m, b m = a m, s + e m ) ( a m, u m ) noisy random linear equation uniform in Z q

76 Learning With Errors (LWE) [R05] E n Hermite normal form LWE n,q : For random secret s X Z qn, for any m=poly(n): sample random a 1,,a m Z qn ; small noise e 1,,e m E ( e i T << q). ( a 1, b 1 = a 1, s + e 1 ) ( a 1, u 1 ) ( a 2, b 2 = a 2, s + e 2 ) ( a 2, u 2 ) ( a m, b m = a m, s + e m ) ( a m, u m ) noisy random linear equation uniform in Z q

77 Symmetric Encryption with LWE

78 Symmetric Encryption with LWE (omitting public-key part)

79 Symmetric Encryption with LWE KeyGen: Sample random s E n and set sk=s. Bit encryption Enc s (m) : Sample random a Z q n and noise e, output (a, b) Z q n Z q, Semantic security by LWE: (a,b) (a, u) (omitting public-key part) where b = a, s + 2e + m Z q. (odd modulus q 2 is invertible in Z q ) Decryption: Dec s (a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - a[ i ] s[ i ] = m + 2e (over Z q ). decryption succeeds if e < q/4.

80 Symmetric Encryption with LWE KeyGen: Sample random s E n and set sk=s. Bit encryption Enc s (m) : Sample random a Z q n and noise e, output (a, b) Z q n Z q, Semantic security by LWE: (a,b) (a, u) (omitting public-key part) where b = a, s + 2e + m Z q. (odd modulus q 2 is invertible in Z q ) Decryption: Dec s (a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - a[ i ] s[ i ] = m + 2e (over Z q ). decryption succeeds if e < q/4.

81 Symmetric Encryption with LWE KeyGen: Sample random s E n and set sk=s. Bit encryption Enc s (m) : Sample random a Z q n and noise e, output (a, b) Z q n Z q, Semantic security by LWE: (a,b) (a, u) (omitting public-key part) where b = a, s + 2e + m Z q. (odd modulus q 2 is invertible in Z q ) Decryption: Dec s (a,b) = ( b - a, s ) (mod 2). Correctness: b - a, s = b - a[ i ] s[ i ] = m + 2e (over Z q ). decryption succeeds if e < q/4.

82 Additive Homomorphism

83 Additive Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e'

84 Additive Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Add the ciphertexts: (a add, b add ) = ( a + a', b+b' ) b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b+b') - (a[ i ] + a'[ i ]) s[ i ] = (m+m') + 2(e+e') Dec s (a add, b add ) = (m+m')+2e'' (mod 2) = (m+m') (mod 2)

85 Additive Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Add the ciphertexts: (a add, b add ) = ( a + a', b+b' ) + b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b+b') - (a[ i ] + a'[ i ]) s[ i ] = (m+m') + 2(e+e') Dec s (a add, b add ) = (m+m')+2e'' (mod 2) = (m+m') (mod 2)

86 Additive Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Add the ciphertexts: (a add, b add ) = ( a + a', b+b' ) + b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b+b') - (a[ i ] + a'[ i ]) s[ i ] = (m+m') + 2(e+e') Dec s (a add, b add ) = (m+m')+2e'' (mod 2) = (m+m') (mod 2) e''

87 Multiplicative Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e'

88 Multiplicative Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Multiply ciphertexts? b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b- a[ i ] s[ i ]) (b' - a'[ i ] s[ i ]) = (m+2e) (m'+2e') h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm' + 2(2ee'+me'+m'e)

89 Multiplicative Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Multiply ciphertexts? b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b- a[ i ] s[ i ]) (b' - a'[ i ] s[ i ]) = (m+2e) (m'+2e') h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm' + 2(2ee'+me'+m'e)

90 Multiplicative Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Multiply ciphertexts? b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b- a[ i ] s[ i ]) (b' - a'[ i ] s[ i ]) = (m+2e) (m'+2e') h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm' + 2(2ee'+me'+m'e) e'' : e'' e 2 T 2

91 Multiplicative Homomorphism (a, b) b - a[ i ] s[ i ] = m + 2e (a', b') b' - a'[ i ] s[ i ] = m' + 2e' Multiply ciphertexts? b - a[ i ] s[ i ] = m + 2e b' - a'[ i ] s[ i ] = m' + 2e' (b- a[ i ] s[ i ]) (b' - a'[ i ] s[ i ]) = (m+2e) (m'+2e') h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm' + 2(2ee'+me'+m'e) The coefficients h i, h i,j are computable from input ciphertexts (a,b), (a',b'). e'' : e'' e 2 T 2 What's the output ciphertext?

92 Multiplicative Homomorphism What's the Ciphertext? h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' Ciphertext = Coefficients {h i }, {h i,j }? Decrypt with secret key s: h 0 + h i s[ i ] + h i,j s[ i ]s[ j ] (mod 2) = mm'+2e'' (mod 2) = mm' (mod 2). Problem: Ciphertext contains ~n 2 elements. Size blows up with number of multiplications. Find a more compact representation?

93 Re-Linearization h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e''

94 Re-Linearization h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' Find linear function of s that represents this quadratic func.

95 Re-Linearization h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' of new secret s' Find linear function of s that represents this quadratic func.

96 Re-Linearization of new secret s' Find linear function of s that represents this quadratic func. New KeyGen: h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' Sample s,s' Z q n and set sk = (s,s'). Evaluation key evk : sample A i,j, E i,j i,j. (A i,j, B i,j = A i,j, s' + 2E i,j + s[ i ]s[ j ]) i. (A i, B i = A i, s' + 2E i + s[ i ]) We get: s[ i ]s[ j ] B i,j - A i,j, s'

97 Re-Linearization of new secret s' Find linear function of s that represents this quadratic func. New KeyGen: h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' Sample s,s' Z q n and set sk = (s,s'). Evaluation key evk : sample A i,j, E i,j i,j. (A i,j, B i,j = A i,j, s' + 2E i,j + s[ i ]s[ j ]) i. (A i, B i = A i, s' + 2E i + s[ i ]) LWE Security still holds. We get: s[ i ]s[ j ] B i,j - A i,j, s'

98 Re-Linearization of new secret s' Find linear function of s that represents this quadratic func. New KeyGen: h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' Sample s,s' Z q n and set sk = (s,s'). Evaluation key evk : sample A i,j, E i,j i,j. (A i,j, B i,j = A i,j, s' + 2E i,j + s[ i ]s[ j ]) i. (A i, B i = A i, s' + 2E i + s[ i ]) LWE Security still holds. We get: s[ i ]s[ j ] B i,j - A i,j, s' Quadratic function (in s) Linear function (in s')

99 Re-Linearization of new secret s' Find linear function of s that represents this quadratic func. New KeyGen: h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' Sample s,s' Z q n and set sk = (s,s'). Evaluation key evk : sample A i,j, E i,j i,j. (A i,j, B i,j = A i,j, s' + 2E i,j + s[ i ]s[ j ]) i. (A i, B i = A i, s' + 2E i + s[ i ]) LWE Security still holds. We get: s[ i ]s[ j ] B i,j - A i,j, s' Quadratic function (in s) Linear function (in s')

100 Re-Linearization Plug back into of quadratic new secret equation: s' Find linear function of s that represents this quadratic func. New KeyGen: h 0 + h i s[ i ]+ h i,j s[ i ]s[ j ] = mm'+2e'' h 0 + h i (B i - A i, s' ) + h i,j (B i,j - A i,j, s' ) = mm'+2e''' Linear in s'. Sample s,s' Z q n and set sk = (s,s'). Evaluation key evk : sample A i,j, E i,j i,j. (A i,j, B i,j = A i,j, s' + 2E i,j + s[ i ]s[ j ]) i. (A i, B i = A i, s' + 2E i + s[ i ]) LWE Security still holds. We get: s[ i ]s[ j ] B i,j - A i,j, s' Quadratic function (in s) Linear function (in s')

101 Re-Linearization h 0 + h i (B i - A i, s' ) + h i,j (B i,j - A i,j, s' ) = mm'+2e'''

102 Re-Linearization h 0 + h i (B i - A i, s' ) + h i,j (B i,j - A i,j, s' ) = mm'+2e''' Regrouping, we can now define (a mult, b mult ): Correctness: a mult = h i A i + h i,j A i,j Z q n b mult = h 0 + h i B i + h i,j B i,j Z q Dec s' (a mult, b mult ) = (b mult - a mult, s' ) (mod 2) = (h 0 + h i B i + h i,j B i,j ) - ( h i A i + h i,j A i,j ), s' (mod 2) = h 0 + h i (B i - A i, s' ) + h i,j (B i,j - A i,j, s' ) (mod 2) = m m' (mod 2)

103 Re-Linearization h 0 + h i (B i - A i, s' ) + h i,j (B i,j - A i,j, s' ) = mm'+2e''' Single multiplication accomplished! For greater depth, repeat using new secrets s, s

104 Re-Linearization h 0 + h i (B i - A i, s' ) + h i,j (B i,j - A i,j, s' ) = mm'+2e''' Single multiplication accomplished! For greater depth, repeat using new secrets s, s Problem: Noise amplitude grows from T to T 2. (Actually, from nt to (nt) 2.)

105 Modulus Reduction: Reducing Noise Amplitude

106 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt.

107 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt. Can you believe that this actually works?

108 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt. Can you believe that this actually works? (a, b) Z q n x Z q a*[i] = a[i] / (nt) ; b*=b / (nt) (a*, b*) Z (q/nt) n x Z (q/nt)

109 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt. Can you believe that this actually works? (a, b) Z n q x Z q (a*, b*) Z n (q/nt) x Z (q/nt) a*[i] = a[i] / (nt) ; b*=b / (nt) Special rounding: Round so that LSB doesn t change.

110 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt. Can you believe that this actually works? (a, b) Z n q x Z q (a*, b*) Z n (q/nt) x Z (q/nt) a*[i] = a[i] / (nt) ; b*=b / (nt) Special rounding: Round so that LSB doesn t change. Why?

111 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt. Can you believe that this actually works? (a, b) Z q n x Z q (a*, b*) Z (q/nt) n x Z (q/nt) a*[i] = a[i] / (nt) ; b*=b / (nt) Special rounding: Round so that LSB doesn t change. Why? Rounding guarantees correct decryption: b* - a*[ i ] s[ i ] (mod 2) = b - a[ i ] s[ i ] (mod 2) = m

112 Modulus Reduction: Reducing Noise Amplitude Naïve approach: Divide everything by nt. Can you believe that this actually works? (a, b) Z q n x Z q (a*, b*) Z (q/nt) n x Z (q/nt) a*[i] = a[i] / (nt) ; b*=b / (nt) Special rounding: Round so that LSB doesn t change. Why? Rounding guarantees correct decryption: b* - a*[ i ] s[ i ] (mod 2) = b - a[ i ] s[ i ] (mod 2) = m Noise amplitude after modulus reduction: (nt) 2 /(nt) + nt = O(nT) scaled down original noise rounding error

113 Re-linearization and Modulus Reduction Recap

114 Re-linearization and Modulus Reduction Recap Eval for mult. depth = 1. Modulus reduced: q q/(nt). Noise amplitude at most nt. Deeper Circuit? Just repeat! Mult. depth = d. Modulus reduced: q q/(nt) d. Noise amplitude at most nt.

115 Re-linearization and Modulus Reduction Recap Eval for mult. depth = 1. Modulus reduced: q q/(nt). Noise amplitude at most nt. Deeper Circuit? Just repeat! Mult. depth = d. Modulus reduced: q q/(nt) d. Noise amplitude at most nt. Ciphertext decryptable if: nt < (q/(nt) d )/4 q > 4(nT) d+1 = n O(d)

116 Can We Bootstrap?

117 Can We Bootstrap? Need d-he scheme with decryption depth < d.

118 Can We Bootstrap? Need d-he scheme with decryption depth < d. Our decryption depth: d = log(n)+ loglog(nt) = O(log(n)) Independent of q!

119 Can We Bootstrap? Need d-he scheme with decryption depth < d. Our decryption depth: d = log(n)+ loglog(nt) = O(log(n)) Independent of q! We decrypt after the hom. eval., so q is already reduced all the way down to O(nT).

120 Can We Bootstrap? Need d-he scheme with decryption depth < d. Our decryption depth: d = log(n)+ loglog(nt) = O(log(n)) Independent of q! We decrypt after the hom. eval., so q is already reduced all the way down to O(nT). To bootstrap: q = n O(d) = no(log n)

121 Can We Bootstrap? Need d-he scheme with decryption depth < d. Our decryption depth: d = log(n)+ loglog(nt) = O(log(n)) Independent of q! We decrypt after the hom. eval., so q is already reduced all the way down to O(nT). To bootstrap: q = n O(d) = no(log n) Is this secure?

122 Can We Bootstrap? Need d-he scheme with decryption depth < d. Our decryption depth: d = log(n)+ loglog(nt) = O(log(n)) Independent of q! We decrypt after the hom. eval., so q is already reduced all the way down to O(nT). To bootstrap: q = n O(d) = no(log n) Is this secure?

123 FHE with Bootstrapping No squashing whatsoever. Ciphertext size: n log (nt). Post-bootstrapping size survives. Decryption depth: O(log(n)). Security: LWE n,q=n O(log n) quasy-poly apx. to short-vectors.

124 FHE with Bootstrapping No squashing whatsoever. Ciphertext size: n log (nt). Post-bootstrapping size survives. Decryption depth: O(log(n)). Security: LWE n,q=n O(log n) quasy-poly apx. to short-vectors. Assumption is too good Can we get more features from a (somewhat) stronger assumption?

125 FHE with Bootstrapping No squashing whatsoever. Ciphertext size: n log (nt). Post-bootstrapping size survives. Decryption depth: O(log(n)). Security: LWE n,q=n O(log n) quasy-poly apx. to short-vectors. Assumption is too good Can we get more features from a (somewhat) stronger assumption? Yes

126 (Leveled) FHE without Bootstrapping

127 (Leveled) FHE without Bootstrapping Recall: q = n O(d)

128 (Leveled) FHE without Bootstrapping Recall: q = n O(d) Bigger q deeper circuits. So how big can q get (securely)?

129 (Leveled) FHE without Bootstrapping Recall: q = n O(d) Bigger q deeper circuits. So how big can q get (securely)?

130 (Leveled) FHE without Bootstrapping Recall: q = n O(d) Bigger q deeper circuits. So how big can q get (securely)? Let s look at it backwards:

131 (Leveled) FHE without Bootstrapping Recall: q = n O(d) Bigger q deeper circuits. So how big can q get (securely)? Let s look at it backwards:

132 (Leveled) FHE without Bootstrapping Recall: q = n O(d) Bigger q deeper circuits. So how big can q get (securely)? Let s look at it backwards: Post-processing can reduce ciphertext length.

133 (Leveled) FHE without Bootstrapping Recall: q = n O(d) Bigger q deeper circuits. So how big can q get (securely)? Let s look at it backwards: Post-processing can reduce ciphertext length. No bootstrapping whatsoever!

134 Talk Outline The LWE assumption. Re-linearization and modulus reduction. FHE using bootstrapping. (Leveled) FHE without bootstrapping. PIR protocol. Conclusion and open problems.

135 Single-Server PIR [CGKS95,KO97,CMS99] Index x [N] Database DB DB =N 2 n

136 Single-Server PIR [CGKS95,KO97,CMS99] sk evk eval. key Index x [N] Database DB DB =N 2 n

137 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Enc (x) evk eval. key Database DB DB =N 2 n

138 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Enc (x) y = Eval (DB, Enc (x)) evk eval. key Database DB DB =N 2 n

139 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Dec(y)=DB[x] Enc (x) y = Eval (DB, Enc (x)) evk eval. key Database DB DB =N 2 n

140 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Correctness guarantee: Dec(y)=DB[x] Enc (x) y = Eval (DB, Enc (x)) evk eval. key Database DB DB =N 2 n

141 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Correctness guarantee: Dec(y)=DB[x] Enc (x) y = Eval (DB, Enc (x)) evk eval. key Database DB DB =N 2 n Privacy guarantee: Enc (x) Enc (0)

142 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Correctness guarantee: Dec(y)=DB[x] Enc (x) y = Eval (DB, Enc (x)) evk eval. key Database DB DB =N 2 n Privacy guarantee: Enc (x) Enc (0) Communication complexity: cc= Enc (x) + y

143 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Correctness guarantee: Dec(y)=DB[x] Enc (x) y = Eval (DB, Enc (x)) evk eval. key Database DB DB =N 2 n Privacy guarantee: Enc (x) Enc (0) Communication complexity: cc= Enc (x) + y FHE PIR Use our FHE naïvely: cc = n log(nt) log(n) Õ(log 2 N)

144 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Enc (x) y = Eval (DB, Enc (x)) evk Database DB DB =N 2 n

145 Single-Server PIR [CGKS95,KO97,CMS99] sk Index x [N] Enc (x) y = Eval (DB, Enc (x)) evk Database DB DB =N 2 n Reducing comm. complexity: Enc(x) using different, more efficient, scheme. Hom. decrypt efficient ciphertext and use as before. Using known efficient schemes: cc = Õ(log N).

146 Single-Server PIR [CGKS95,KO97,CMS99] sk, sym Enc(sym), evk Index x [N] Enc sym (x) y = Eval (DB, Enc (x)) Database DB DB =N 2 n Reducing comm. complexity: Enc(x) using different, more efficient, scheme. Hom. decrypt efficient ciphertext and use as before. Using known efficient schemes: cc = Õ(log N).

147 Single-Server PIR [CGKS95,KO97,CMS99] sk, sym Enc(sym), evk Index x [N] Enc sym (x) y Database DB DB =N 2 n Reducing comm. complexity: Enc(x) using different, more efficient, scheme. Hom. decrypt efficient ciphertext and use as before. Using known efficient schemes: cc = Õ(log N).

148 Single-Server PIR [CGKS95,KO97,CMS99] sk, sym Enc(sym), evk Index x [N] Enc sym (x) Reducing comm. complexity: Enc(x) using different, more efficient, scheme. Hom. decrypt efficient ciphertext and use as before. Using known efficient schemes: cc = Õ(log N). y Enc sym (x)+enc(sym) Enc(x) y = Eval(DB, Enc(x)) Database DB DB =N 2 n

149 Conclusion FHE is not so complicated anymore No ideals. No squashing or sparse subset sum assumption. Efficiency! Short ciphertexts, keys are easy to generate and are fairly unstructured. Can't lose: Don't care about homomorpism? Use our scheme anyway same efficiency and security. Private Information Retrieval. Don't pay more than Õ(log(N)).

150 Open Problems Remove circular security assumption. Go from quasi-polynomial to strictly polynomial LWE modulus. Improve efficiency, possibly using ideals [BGV11, LNV11, GHS11]. New notions of security [BSW11].

151 Questions?