Fully Homomorphic Encryption and Bootstrapping

Similar documents
Fully Homomorphic Encryption over the Integers

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

Packing Messages and Optimizing Bootstrapping in GSW-FHE

Fully Homomorphic Encryption from LWE

Classical hardness of Learning with Errors

Fully Homomorphic Encryption over the Integers

Shai Halevi IBM August 2013

16 Fully homomorphic encryption : Construction

Classical hardness of the Learning with Errors problem

Background: Lattices and the Learning-with-Errors problem

Some security bounds for the DGHV scheme

Faster Bootstrapping with Polynomial Error

On Homomorphic Encryption and Secure Computation

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Computing with Encrypted Data Lecture 26

Manipulating Data while It Is Encrypted

Gentry s Fully Homomorphic Encryption Scheme

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Ideal Lattices and NTRU

Report Fully Homomorphic Encryption

Faster Fully Homomorphic Encryption

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Gentry s SWHE Scheme

Fully Homomorphic Encryption

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Practical Bootstrapping in Quasilinear Time

Fully Homomorphic Encryption

Multi-key fully homomorphic encryption report

Fully Homomorphic Encryption - Part II

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Increased efficiency and functionality through lattice-based cryptography

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Cryptology. Scribe: Fabrice Mouhartem M2IF

Homomorphic Evaluation of the AES Circuit

Better Bootstrapping in Fully Homomorphic Encryption

Classical hardness of Learning with Errors

Lattice Based Crypto: Answering Questions You Don't Understand

ENEE 457: Computer Systems Security 10/3/16. Lecture 9 RSA Encryption and Diffie-Helmann Key Exchange

Master of Logic Project Report: Lattice Based Cryptography and Fully Homomorphic Encryption

Open problems in lattice-based cryptography

A Comment on Gu Map-1

6.892 Computing on Encrypted Data September 16, Lecture 2

CPSC 467b: Cryptography and Computer Security

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Multi-Key FHE from LWE, Revisited

Riding on Asymmetry: Efficient ABE for Branching Programs

An RNS variant of fully homomorphic encryption over integers

Weaknesses in Ring-LWE

6.892 Computing on Encrypted Data October 28, Lecture 7

Fully Homomorphic Encryption

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION

Lecture 4 Chiu Yuen Koo Nikolai Yakovenko. 1 Summary. 2 Hybrid Encryption. CMSC 858K Advanced Topics in Cryptography February 5, 2004

QUANTUM HOMOMORPHIC ENCRYPTION FOR POLYNOMIAL-SIZED CIRCUITS

Better Bootstrapping in Fully Homomorphic Encryption

ORDERS OF ELEMENTS IN A GROUP

Lattice-Based Non-Interactive Arugment Systems

High-Precision Arithmetic in Homomorphic Encryption

Computing on Encrypted Data

COMP4109 : Applied Cryptography

Practical Analysis of Key Recovery Attack against Search-LWE Problem

Fully Key-Homomorphic Encryption and its Applications

Bootstrapping for HElib

New and Improved Key-Homomorphic Pseudorandom Functions

Attribute-based Encryption & Delegation of Computation

FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime

Notes for Lecture 16

General Impossibility of Group Homomorphic Encryption in the Quantum World

Towards Tightly Secure Lattice Short Signature and Id-Based Encryption

Evaluating 2-DNF Formulas on Ciphertexts

Mathematical Foundations of Public-Key Cryptography

Practical Fully Homomorphic Encryption without Noise Reduction

Efficient and Secure Delegation of Linear Algebra

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Multikey Homomorphic Encryption from NTRU

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Somewhat Practical Fully Homomorphic Encryption

Ideal Lattices and Ring-LWE: Overview and Open Problems. Chris Peikert Georgia Institute of Technology. ICERM 23 April 2015

CIS 551 / TCOM 401 Computer and Network Security

Lemma 1.2. (1) If p is prime, then ϕ(p) = p 1. (2) If p q are two primes, then ϕ(pq) = (p 1)(q 1).

Notes for Lecture Decision Diffie Hellman and Quadratic Residues

An Overview of Homomorphic Encryption

CPSC 467b: Cryptography and Computer Security

An Improved RNS Variant of the BFV Homomorphic Encryption Scheme

Parameter selection in Ring-LWE-based cryptography

1 Number Theory Basics

Homomorphic Encryption. Liam Morris

Lattice-Based Cryptography. Chris Peikert University of Michigan. QCrypt 2016

Converting Pairing-Based Cryptosystems from Composite-Order Groups to Prime-Order Groups

Introduction to Cybersecurity Cryptography (Part 5)

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

Pseudorandomness of Ring-LWE for Any Ring and Modulus. Chris Peikert University of Michigan

The RSA Cipher and its Algorithmic Foundations

Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes

UNIVERSITY OF CONNECTICUT. CSE (15626) & ECE (15284) Secure Computation and Storage: Spring 2016.

Multilinear Maps over the Integers From Design to Security. The Mathematics of Modern Cryptography Workshop, July 10th 2015

Private Puncturable PRFs From Standard Lattice Assumptions

Carmen s Core Concepts (Math 135)

Obfuscation without Multilinear Maps

Transcription:

Fully Homomorphic Encryption and Bootstrapping Craig Gentry and Shai Halevi June 3, 2014 China Summer School on Lattices and Cryptography

Fully Homomorphic Encryption (FHE) A FHE scheme can evaluate unbounded depth circuits Not limited by bound specified at Setup Parameters (like size of ciphertext) do not depend on evaluated depth So far, GSW scheme can evaluate only depth log N+1 q How do we make it fully homomorphic? Bootstrapping: A way to get FHE

Self-Referential Encrypted Computation

A Digression into Philosophy Can the human mind understand itself? Or, as a mind becomes more complex, does the task of understanding also become more complex, so that selfunderstanding it always just out of reach? Self-reference often causes problems, even in mathematics and CS Godel s incompleteness theorem Turing s Halting Problem

Philosophy Meets Cryptography Can a homomorphic encryption scheme decrypt itself? We can try to plug the decryption function Dec(, ) into Eval. If we run Eval pk (Dec(, ), c 1,, c t ), does it work? Suppose our HE scheme can Eval depth-d circuits: Is it always true that HE s Dec function has depth > d? Is Dec(, ) always just beyond the Eval capacity of the HE scheme? Bootstrapping = the process of running Eval on Dec(, ).

Bootstrapping: Assuming we can do it, why is it useful?

Bootstrapping: Refreshing a Ciphertext So far, we can evaluate bounded-depth circuits f: μ 1 f μ 2 f(μ 1, μ 2,, μ t ) μ t We have a noisy evaluated ciphertext y We want to get another y with less noise Bootstrapping refreshes ciphertexts, using the encrypted secret key.

Bootstrapping: Refreshing a Ciphertext For ciphertext c, consider the function D c ( ) = Dec(,c) Suppose we can Eval depth d, but D c ( ) has depth d-1. Include in the public key also Enc pk (sk) c y sk 1 D c sk 2 c' = sk n D c (sk) = Dec(sk,c) = y

Bootstrapping Theorem (Informal) Suppose Ɛ is a HE scheme that can evaluate arithmetic circuits of depth d whose decryption algorithm is a circuit of depth d-1 Call Ɛ a bootstrappable HE scheme Thm: From a bootstrappable somewhat homomorphic scheme, we can construct a fully homomorphic scheme. Technique: Refresh noisy ciphertexts by evaluating the decryption circuit homomorphically

Bootstrapping: Can we do it?

Let s Look at the Decryption Circuit Typically in LWE-based encryption schemes, if c encrypts μ under secret key vector s, then: where [ ] q denotes reduction modulo q into the range (-q/2,q/2].

Decryption in GSW GSW fits the template: ( )

How Complex Is Decryption? If q is polynomial (in the security parameter λ) then decryption is in NC1 (log-depth circuits). But wait isn t q really large? q depends on the Eval capacity of the scheme Ideally, we would like the complexity of Dec to be independent of the Eval capacity.

Modulus Reduction Magic Trick Suppose c encrypts μ that is, μ = [[<c,t>] q ] 2. Let s pick p<q and set c* = (p/q) c, rounded. Crazy idea: Maybe it is true that: c* encrypts μ : μ = [[<c*,t>] p ] 2 (new inner modulus). Surprisingly, this works! After modulus reduction (and dimension reduction), the size of the ciphertext is independent of the complexity of the function that was evaluated!!

Modulus Reduction Magic Trick, Details Scaling lemma: Let p<q be odd moduli. Suppose μ = [[<c,t>] q ] 2 and [<c,t>] q < q/2 - (q/p) l 1 (t). Set c = (p/q)c and set c to be the integer vector closest to c such that c = c mod 2. Then μ = [[<c,t>] p ] 2. Annotated Proof: 1. For some k, [<c,t>] q = <c,t> - kq. 2. (p/q) [<c,t>] q = <c,t> - kp. 3. <c -c,t> < l 1 (t). 1. Imagine <c,t> is close to kq. 2. Then <c,t> is close to kp. 3. <c,t> also close to kp if s small. 4. Thus, <c,t>-kp < (p/q) [<c,t>] q + l 1 (t) < p/2. 5. So, [<c,t>] p = <c,t> kp. 6. Since c = c mod 2 and p = q mod 2, we get [<c,t>] p ] 2 = [<c,t>] q ] 2.

Modulus Reduction Magic Trick, Notes [ACPS 2009] proved LWE hard even if t is small: t chosen from the same distribution as the noise e With coefficients of size poly in the security parameter. For t of polynomial size, we can modulus reduce to a modulus p of polynomial size, before bootstrapping. Bottom Line: After some processing, decryption for LWE-based encryption schemes (like GSW) is in NC1. Complexity of Dec is independent of Eval capacity.

Evaluating NC1 Circuits in GSW Naïve way: Just to log levels of NAND Each level multiplies noise by polynomial factor. Log levels multiplies noise by quasi-polynomial factor. Bad consequence = weak security: Based on LWE for quasi-polynomial approximation factors.

Part II: Bootstrapping and Barrington s Theorem Focusing on Brakerski and Vaikuntanathan s method to bootstrap the Gentry-Sahai-Waters scheme

Better Way to Evaluate NC1 Circuits? Goal: Base security of FHE on LWE with poly factors. Evaluate NC1 circuits in a more noise-friendly way so that there is only polynomial noise blowup. Barrington s Theorem If f is computable by a d-depth Boolean circuit, then it is computable by a width-5 permutation branching program of length 4 d. Corollary: every function in NC1 has a polynomial-length BP.

Width-5 Permutation Branching Programs BP for function f: Consists of labeled permutations in the permutation group S 5 (which we represent as 5x5 permutation matrices) S 5 is a non-abelian group: maybe ab ba. To evaluate BP (hence f) on input X: Map X to a subset S X of the matrices (using labels) Compute product of the matrices in S X Output 1 if the product is the identity matrix, 0 otherwise

Width-5 Permutation Branching Programs A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 6,0 A 7,0 A 8,0 A 9,0 A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7,1 A 8,1 A 9,1 0 Each A i,b is a 5x5 permutation matrix. This BP takes 4-bit inputs and has length 9

Width-5 Permutation Branching Programs A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 6,0 A 7,0 A 8,0 A 9,0 A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7,1 A 8,1 A 9,1 0 1 Each A i,b is a 5x5 permutation matrix. This BP takes 4-bit inputs and has length 9

Width-5 Permutation Branching Programs A 1,0 A 2,0 A 3,0 A 4,0 A 5,0 A 6,0 A 7,0 A 8,0 A 9,0 A 1,1 A 2,1 A 3,1 A 4,1 A 5,1 A 6,1 A 7,1 A 8,1 A 9,1 0 1 1 0 Each A i,b is a 5x5 permutation matrix. This BP takes 4-bit inputs and has length 9 Multiply the chosen 9 matrices together If product is I, output 1. Otherwise, output 0.

Brakerski and Vaikuntanathan s Insight Multiplications in GSW increase noise asymmetrically. Moreover, this asymmetry is useful. Can exploit it to evaluate permutation BPs with surprisingly little noise growth.

Warm Up: High Fan-in AND Gates Binary Tree approach: AND t ciphertexts using a (log t)- depth binary tree. Noise grows by (N+1) log t factor. Left-to-right approach: AND t ciphertexts by multiplying sequentially from left to right The i-th multiplication only adds C i e i+1 to the error. C i {0,1} NxN is the aggregate-so-far e i+1 is the (small) error of the (i+1)-th ciphertext. Noise grows by t(n+1) factor. Right-to-left approach: horrible!

Multiplying Permutation Matrices Given kxk permutation matrices encrypted entry-wise, multiplying them left-to-right is best. Multiplying in the (i+1)-th permutation matrix adds about k(n+1) times the error of fresh ciphertexts. Essential fact used in analysis: In a permutation matrix, only one entry per column is nonzero.

Lattice-Based FHE as Secure as PKE [BV14] Bottom line: GSW decryption can be computed homomorphically while increasing noise by a poly factor. FHE can be based on LWE with poly approx factors. The exponent can be made ε-close to that of current LWEbased PKE schemes.

Part IV: FHE from Non-Abelian Groups? A somewhat promising framework for FHE inspired by Barrington s Theorem

Goal: Totally Different Approach to FHE FHE without noise? Might also make (expensive) bootstrapping unnecessary How about FHE based on non-abelian groups? Might avoid linear algebra attacks for ring-based schemes Another chance to apply Barrington. Framework investigated by Nuida eprint 2014/07: A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special Class of Non-commutative Groups

Perfect Group Pairs Groups (G, H) such that: H is a (proper, nontrivial) normal subgroup of G H = {ghg -1 : g G, h H} G and H are perfect groups Commutator subgroup [G,G] = <g 1 g 2 g 1-1 g 2-1 : g 1,g 2 G> G is perfect when G = [G,G]

Efficient Group Operations Randomization: Given a group (say, G) represented by some generators, output n random G- elements that generate the group.

Hardness Assumption Subgroup Decision Assumption (for perfect group pairs): Given n elements that generate either G or H, hard to distinguish which.

FHE Construction Public key: An encryption of 0: n elements that generate G An encryption of 1: n elements that generate H Secret key: Trapdoor to distinguish G from H (represented by generators). Encryption: Randomize the encryption of 0 or 1. AND gate: Given generators of groups K1, K2, output generators of the union of K1,K2. (Use union of generators.) OR gate: Given generators of groups K1,K2, output generators of intersection of K1,K2. (Use commutator.) G = [G,G], H = [H,H], H = [G,H].

Existence? Need perfect group pairs with hard distinguishing problem (and efficient operations and a trapdoor) Example of perfect group pair with easy dist. problem: Direct product: G = H K, where H and K are perfect

Failed Attempt Form of G elements Form of H elements Linear algebra attack: Encryptions of 0 in proper subspace Is there a patch? Can we use non-abelian groups without fatally embedding them in a ring? (representation theory)

Thank You! Questions?

Barrington and Non-Abelian Groups NC1 circuits to a product of permutations On each circuit wire w: 0 is represented by the identity permutation ε 1 is represented by some non-identity permutation π w AND(w1,w2) = π w1 π w2 π w1-1 π w2-1 Equals ε ( 0 ) if either w1 or w2 is ε ( 0 ) Equals a non-identity permutation if the inputs are noncommuting non-identity permutations π w1 and π w2.

The Noise Problem Revisited Ciphertext noise grows exponentially with depth d. Hence log q and dimension of ciphertext matrices grow linearly with d. Want overhead to be independent of d. To only depend on the security parameter λ. Achievable! Via a technique called bootstrapping [Gentry 09].

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback