Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24
Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 2 / 24
Introduction 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 3 / 24
Introduction Privacy Homomorphism Raised in 1978 by Rivest, Adleman and Dertouzos To evaluate arbitrary number of ciphertext, without knowing corresponding plaintext. Example m 0 = 1 with c 0 = Enc(m0) = (01111111). m 1 = 0 with c 1 = Enc(m1) = (11010111). m 2 = 1 with c 2 = Enc(m2) = (10011000). C(x 0, x 1, x 2, x 3 ) = x 0 x 1 x 3 + x 1 x 2 + x 0 + 1 mod 2. How Find c 3 = Enc(C(m 0, m 2, m 1, m 2 )) without knowing m 0, m 1, m 2. Plantard (UoW) FHE 4 / 24
Formal Definition Fully homomorphic encryption scheme (FHE) A scheme H f consists following four algorithms: KeyGen; Encrypt; Decrypt; Eval. H f is fully homomorphic if for any c i = Encrypt(pk, m i ) and any permitted circuit C n, the following holds: Decrypt(sk, Eval n (pk, C n, c 1, c 2,..., c n )) = C n (m 1, m 2,..., m n ) Plantard (UoW) FHE 5 / 24
Applications Features To bring privacy to cloud computing; Cloud processes users data without necessity of decrypting it. Applications Data is private, Algorithm is public; Example: a hospital outsources its patients information to a research institute for acquiring further analysis from the institute, as the institute has more computational power compared to the hospital; Data is private, Algorithm is private too; Example: a company outsources its financial status to an auditing company, however, the auditing algorithm is auditing the company s private property. Plantard (UoW) FHE 6 / 24
Timeline Fully Homomorphic Encryption Schemes 1978 - Rivest, Adleman and Dertouzos: Privacy Homomorphism. 2009 - Craig Gentry: First FHE based on ideal lattice. 2010 - van Dijk, Gentry, Halevi and Vaikuntanathan: First FHE based on integer (Approximate-GCD problem); 2011 - Gentry-Halevi: First implementation of Gentry09. 2011 - Brakerski-Vaikuntanathan: First based on Ring Learning With Error. 2011 - Brakerski-Vaikuntanathan: First based on Learning With Error. Plantard (UoW) FHE 7 / 24
Gentry Framework 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 8 / 24
A real world scenario Alice s Jewellery store Alice puts materials in locked glovebox, Alice keeps the key, Bob assembles jewellery in the box, Alice unlocks box to get results. Plantard (UoW) FHE 9 / 24
Somewhat Homomorphic Encryption 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 10 / 24
Somewhat homomorphic encryption scheme (SHE) A simple scheme p: an odd integer, (secret key) r i : a small integer, (noise) with r i << p. g i : a big integer, Encrypt: c i = m i + 2r i + g i p. Decrypt: m = (c mod p) mod 2. An example m = 1, p = 107, g = 11, r = 5 Encrypt: c = m + 2r + gp = 1 + 2 5 + 11 107 = 1188. Decrypt: m = (c mod p) mod 2 = (1188 mod 107) mod 2 = 11 mod 2 = 1. Plantard (UoW) FHE 11 / 24
This scheme is already homomorphic. c 1 = m 1 + 2r 1 + g 1 p, c 2 = m 2 + 2r 2 + g 2 p. c 0 = c 1 + c 2 = (m 1 + m 2 ) + 2(r 1 + r 2 ) + (g 1 + g 2 )p. c 0 = c 1 c 2 = (m 1 m 2 )+2(2r 1 r 2 +m 1 r 2 +m 2 r)+(c 2 g 1 +c 1 g 2 +g 1 +g 2 )p. A simple example: a multiplication p = 107, m 1 = 1, m 2 = 0, r 1 = 5, r 2 = 3, g 1 = 11, g 2 = 12; c 1 = 1 + 2 5 + 11 107 = 1188; c 2 = 0 + 2 3 + 12 107 = 1290; c 0 = c 1 c 2 = 1532520; m 0 = (c 0 mod 107) mod 2 = 66 mod 2 = 0 = m 1 m 2 ; Plantard (UoW) FHE 12 / 24
Limitation An example of limitation Finding c 0 = c 1 c 2 c 3 : p = 107; m 1 = 1, m 2 = 0, m 3 = 1; r 1 = 5, r 2 = 3, r 3 = 4, g 1 = 11, g 2 = 12, g 3 = 13; c 1 = 1 + 2 5 + 11 107 = 1188; c 2 = 0 + 2 3 + 12 107 = 1290; c 3 = 1 + 2 4 + 13 107 = 1400; c 1 c 2 c 3 = 2145528000; (c 1 c 2 c 3 mod p) mod 2 = 1 m 1 m 2 m 3. ERROR!!! Plantard (UoW) FHE 13 / 24
Formal Definition Somewhat homomorphic encryption scheme (SHE) H s is somewhat homomorphic if there exist E H such that Eq. 1 holds when the depth of C is smaller than E H. Decrypt(sk, Eval n (pk, C n, c 1, c 2,..., c n )) = C n (m 1, m 2,..., m n ) (1) E H is the evaluation depth and is bounded. Alice s Jewellery Store The process generates lots of rubbish; the glovebox last for only 2 minutes, the process takes 10 minutes. Plantard (UoW) FHE 14 / 24
Bootstrapping 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 15 / 24
Bootstrapping Alice s Jewellery Store The glovebox last for only 2 minutes before being full, the process takes 10 minutes. Alice cuts the process into 10 pieces; Alice places 10 pieces into 10 different glovebox; Alice puts the 1st key into 2nd box, 2nd key into 3rd box... Alice keeps the 10th key. Bob starts with the 1st glovebox; When first glovebox is full, Bob put it into 2nd glovebox, unlock 1st and keep on processing... Plantard (UoW) FHE 16 / 24
Bootstrappability H s : a homomorphic encryption scheme; E H : evaluation circuit depth; D H : decryption circuit depth; H is a bootstrappable homomorphic encryption scheme if D H < E H. SHE Alice encrypts her data with her secret key. Alice gives Bob her secret key encrypted bit by bit. Bob evaluate one operation (addition, multiplication): E H E H 1 Use the rest of your evaluation depth to evaluate homomorphicly Decrypt. Plantard (UoW) FHE 17 / 24
Bootstrapping Plantard (UoW) FHE 18 / 24
Security/Open Problems 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 19 / 24
Principal Ideal Lattice p, γ, n Z such that γ n ±1 mod p. Find f Z[x] of degree < n such that Example f(γ) = 0 mod p, f i << p. p = 19601, γ = 17465, n = 8 such that 17465 8 1 mod 19601. f (x) = 2x 6 + x 5 + 2x 4 2x 3 + x 2 + x + 2 is such that f (17465) 0 mod 19601. Security Unknown asymptotic complexity Small Challenge Parameters: γ, p 2 184320, n = 512. Serious Challenge Parameters: γ, p 2 737280, n = 2048. Plantard (UoW) FHE 20 / 24
Approximate Greatest Common Divisor A i Z. Find p Z such that i, r i = (A i mod p) r i << p. Example A 1 = 1188, A 2 = 1290, A 3 = 1400 p = 107. (1188 mod 107 = 11), (1290 mod 107 = 6),(1400 mod 107 = 9). Security Unknown asymptotic complexity ( Factorization). Old Parameters: A i 2 3.109, #{A i } 3.10 9. New Parameters: A i > 2 19.106, #{A i } = 7659. Plantard (UoW) FHE 21 / 24
Learning With Error Problem s (Z/pZ) n, v i = sa T i + e i. Find s from a i, v i. Example 2s 0 + 6s 1 + 7s 2 + s 3 2 mod 17 5s 0 + 9s 1 + 2s 2 + 11s 3 7 mod 17 4s 0 + 9s 1 + 8s 2 + 13s 3 13 mod 17 9s 0 + s 1 + s 2 + 2s 3 5 mod 17... Security Some complexity equivalence GapUSVP. Some complexity equivalence GapSVP on quantum computer. Plantard (UoW) FHE 22 / 24
Conclusion 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 23 / 24
Conclusion FHE is possible Construct a Somewhat Homomorphic Encryption (SHE) scheme; Bootstrap the squashed scheme; Requires the user to publish the encryption of its secret key; Major Problem: Efficiency In 2011, a 32-bits addition takes roughly 50 minutes with ideal lattice. In 2012, a 1-bit operation takes roughly 11 minutes with integer with 10MB keys. In 2012, a full AES utilization takes roughly 36 hours using 256GB of RAM based on RLWE. Plantard (UoW) FHE 24 / 24