380 likes | 532 Vues
FULLY HOMOMORPHIC ENCRYPTION. from the Integers. Marten van Dijk. Craig Gentry. (RSA labs). (IBM T J Watson). Shai Halevi. Vinod Vaikuntanathan. (IBM T J Watson). (IBM T J Watson). Computing on Encrypted Data. (An Example). “I want to delegate the computation to the cloud,
E N D
FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk Craig Gentry (RSA labs) (IBM T J Watson) Shai Halevi Vinod Vaikuntanathan (IBM T J Watson) (IBM T J Watson)
Computing on Encrypted Data (An Example) “I want to delegate the computation to the cloud, but the cloud shouldn’t see my input” “I want to delegate the computation to the cloud” Enc(x) P Enc[P(x)] Client Server/Cloud (Input: x) (Program: P)
P Enc(x) Enc[P(x)] Fully HomomorphicEncryption (FHE) = Eval Definition:[KeyGen, Enc, Dec, Eval] Definition:[KeyGen, Enc, Dec] (as in regular encryption) Compactness: Size of Eval’ed ciphertext independent of P Security: Semantic Security [GM’82]
Fully Homomorphic Encryption • First Defined: “Privacy homomorphism” [RAD’78] • their motivation: searching encrypted data • Limited Variants: • RSA & El Gamal: multiplicatively homomorphic • GM & Paillier: additively homomorphic • BGN’05 & GHV’10a: quadratic formulas • NON-COMPACT homomorphic encryption [CCKM00, SYY99, IP07,MGH08,GHV10b,…]
Big Breakthrough: [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory / “ideal lattices” Fully Homomorphic Encryption • First Defined: “Privacy homomorphism” [RAD’78] • their motivation: searching encrypted data No ideal lattices • Is there an elementary Construction of FHE? • using just integer addition and multiplication • easier to understand, implement and improve
OUR RESULT Theorem [DGHV’10]: We have a fully homomorphic public-key encryption scheme • which uses only add and mult over the integers, • which is secure based on the approximate GCD problem & the sparse subset sum problem.
A Roadmap 1. Secret-key“Somewhat” Homomorphic Encryption(under the approximate GCD assumption) (a simple transformation) 2. Public-key“Somewhat” Homomorphic Encryption(under the approximate GCD assumption) (borrows from Gentry’s techniques) 3. Public-key FULLY Homomorphic Encryption(under approx GCD + sparse subset sum)
Secret-key Homomorphic Encryption • Secret key: an n2-bit odd number p (sec. param = n) • To Encrypt a bit b: • pick a random “large” multiple of p, say q·p (q ~ n5 bits) (r ~ n bits) • pick a random “small” even number 2·r • Ciphertext c =q·p+2·r+b “noise” • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit
LSB = b1 XOR b2 LSB = b1 AND b2 Secret-key Homomorphic Encryption • How to Add and Multiply Encrypted Bits: • Add/Mult two near-multiples of p gives a near-multiple of p. • c1 = q1·p + (2·r1 + b1), c2= q2·p + (2·r2 + b2) • c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p • c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p
(q-1)p qp (q+1)p (q+2)p Two Issues • Ciphertext grows with each operation → Useless for many applications (cloud computing, searching encrypted e-mail) • Noise grows with each operation • Consider c = qp+2r+b ← Enc(b) • c (mod p) = r’ ≠ 2r+b 2r+b r’
Two Issues • Ciphertext grows with each operation → Useless for many applications (cloud computing, searching encrypted e-mail) • Noise grows with each operation → After some operations, the ciphertext becomes “undecryptable”
Solving the Two Issues • Ciphertext grows with each operation • Publish x0 = q0p (*) • Take ciphertext (mod x0) after each op (Add/Mult) (*) More complex way using x0 = a near-multiple of p
Solving the Two Issues • Ciphertext grows with each operation • Publish x0 = q0p • Take ciphertext (mod x0) after each op (Add/Mult) • Ciphertext stays less than x0 always • The encrypted bit remains same • Noise does not increase at all
Solving the Two Issues • Ciphertext grows with each operation • Publish x0 = q0p • Take ciphertext (mod x0) after each op (Add/Mult)* • Noise grows with each operation • Can perform “limited” number of hom. operations (“Somewhat Homomorphic” Encryption) • Somewhat → Fully: (A variant of) Squashing + Bootstrapping [G’09]
Security (of the secret-key “somewhat” homomorphic scheme)
p The Approximate GCD Assumption (name coined by Howgrave-Graham) Parameters of the Problem: Three numbers P,Q and R p? (q0p,q1p+r1,…, qtp+rt) q1p+r1 q0p q0← [0…Q] q ← [0…Q] r ← [-R…R] Assumption: no PPT adversary can guess the number p odd p ← [0…P]
p (q0p,q1p+r1,…, qtp+rt) p? Assumption: no PPT adversary can guess the number p = (proof of security) Semantic Security: no PPT adversary can guess the bit b (q0p,q1p+2r1+b,…,qkp+2rk+b)
q0p,{qip+ri} q0p,{qip+ri} AdvA AdvB c=qp+r c=qp+r q lsb(q) p p A “Taste” of the Security Proof Encryption breaker Approx GCD solver Claim:On every c=qp+r, A predicts lsb(q) correctly w.p. 1-1/poly “Proof”: Lots of details (Worst-case to average case over c, computing lsb(q) = computing lsb(r), a hybrid argument.)
q0p,{qip+ri} q0p,{qip+ri} AdvA AdvB c=qp+r c=qp+r q lsb(q) p p A “Taste” of the Security Proof Main Idea: Use lsb(q) to make q successively smaller First Try: • If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2]) (new-c = (q-1)/2*p+[r/2]) • If lsb(q) = 1, c ← [(c-p)/2]
A “Taste” of the Security Proof Main Idea: Use lsb(q) to make q successively smaller Lemma: Given two near-multiples z1=q1p+r1and z2=q2p+r2 (+lsb oracle),can compute z’=gcd(q1,q2)·p+r’for small r’ W.h.p. gcd(q1,q2)=1 • If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2]) (new-c = (q-1)/2*p+[r/2]) (new-c = (q-1)/2*p+[(r-r’)/2]) • If lsb(q) = 1, c ← [(c-p)/2] • If lsb(q) = 1, c ← [(c-z’)/2] • Learn q bit by bit
A “Taste” of the Security Proof Main Idea: Use lsb(q) to make q successively smaller Lemma: Given two near-multiples z1=q1p+r1and z2=q2p+r2 (+lsb oracle),can compute z’=gcd(q1,q2)·p+r’for small r’ Observation: the Binary GCD algo. is “noise-tolerant”, given lsb oracle.(similar to the RSA hardcore bit proof of [ACGS’88])
How Hard is Approximate GCD? • Studied by [HG01]; also [Lag82,Cop97,NS01] (equivalent to “simultaneous Diophantine approximation”) • Lattice-based Attacks • Lagarias’ algorithm • Coppersmith’s algo. for finding small polynomial roots • Nguyen/Stern and Regev’s orthogonal lattice method • All run out of steam when log Q > (log P)2 (our setting of parameters: log Q = n5, log P = n2)
Future Directions Efficient fully homomorphic encryption (Currently: n5 size ciphertexts; n10 running-time blowup) Some recent improvements [SV’10,SS’10] Securityof the approx GCD assumption (e.g., a worst-case to average-case reduction to regular – non-ideal – lattice problems?)
Public-key Homomorphic Encryption • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) = t+1 random encryptions of 0 • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval (as before)
Public-key Homomorphic Encryption • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt]= (x0,x1,…,xt) • To Encrypt a bit b: pick random subset S [1…t] c = + b (mod x0) • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval (as before)
Parameter Regimes (very rough diagram) log Q/(log P)2 min=0 max=P R
Public-key Homomorphic Encryption • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) • t+1 encryptions of 0 • W.l.o.g., x0 = q0p+2r0 is the largest • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval (as before)
c = p[ ]+ 2[ ] + b (mod x0) c = p[ ]+ 2[ ] + b – kx0 (for a small k) = p[ ]+ 2[ ] + b Public-key Homomorphic Encryption • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt]= (x0,x1,…,xt) • To Encrypt a bit b: pick random subset S [1…t] c = + b (mod x0) • To Decrypt a ciphertext c: • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval (as before) (mult. of p) +(“small” even noise) + b
Public-key Homomorphic Encryption Ciphertext Size Reduction • Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt]= (x0,x1,…,xt) • To Encrypt a bit b: pick random subset S [1…t] • Resulting ciphertext < x0 c = + b (mod x0) • Underlying bit is the same (since x0 has even noise) • To Decrypt a ciphertext c: • Noise does not increase by much(*) • c (mod p) = 2·r+b (mod p) = 2·r+b • read off the least significant bit • Eval: Reduce mod x0 after each operation (*) additional tricks for mult
A Roadmap • Secret-key“Somewhat” Homomorphic Encryption • Public-key“Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption
How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if: or f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt Say, noise in Enc(xi) < 2n Final Noise ~ (2n)d+…+(2n)d = m•(2n)d
NAND Dec Dec c1 sk c2 sk From “Somewhat” to “Fully” Theorem [Gentry’09]: Convert “bootstrappable” → FHE. FHE = Can eval all fns. Augmented Decryption ckt. “Somewhat” HE “Bootstrappable”
Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? (polynomials of degree < n) (?) Complexity of the (aug.) Decryption Circuit (degree ~ n1.73 polynomial) Can be made bootstrappable • Similar to Gentry’09 Caveat: Assume Hardness of “Sparse Subset Sum”