FULLY HOMOMORPHIC ENCRYPTION from the Integers Marten van Dijk Craig Gentry (RSA labs) (IBM T J Watson) Shai Halevi Vinod Vaikuntanathan (IBM T J Watson) (IBM T J Watson)

Computing on Encrypted Data (An Example) “I want to delegate the computation to the cloud, but the cloud shouldn’t see my input” “I want to delegate the computation to the cloud” Enc(x) P Enc[P(x)] In this talk, I am interested in the problem of computing on encrypted data. Namely, consider a two-party setting with a client Alice, and a server or a cloud if you will. The client has an input x, and she wants some computation done on her input Assume that I have a piece of data, I want some computation to be performed on this data nad I want to get the result. But for some reason, I don’t want to do the computation myself. Perhaps because the computation is too expensive and I don’t simply have enough resou to do it myself. In other words, I want to delegate processing to someone else, I want them to do the computation for me, but I don’t want them to see what my data is. Client Server/Cloud (Input: x) (Program: P)

= Fully Homomorphic Encryption (FHE) Eval Enc[P(x)] Enc(x) P Definition: [KeyGen, Enc, Dec] Definition: [KeyGen, Enc, Dec, Eval] (as in regular encryption) Compactness: Size of Eval’ed ciphertext independent of P Assume that I have a piece of data, I want some computation to be performed on this data nad I want to get the result. But for some reason, I don’t want to do the computation myself. Perhaps because the computation is too expensive and I don’t simply have enough resou to do it myself. In other words, I want to delegate processing to someone else, I want them to do the computation for me, but I don’t want them to see what my data is. Security: Semantic Security [GM’82]

Fully Homomorphic Encryption First Defined: “Privacy homomorphism” [RAD’78] their motivation: searching encrypted data Limited Variants: RSA & El Gamal: multiplicatively homomorphic GM & Paillier: additively homomorphic Here: Bring in the picture with the functions, all functions, and then ADD and MULT and QFs. BGN’05 & GHV’10a: quadratic formulas NON-COMPACT homomorphic encryption [CCKM00, SYY99, IP07,MGH08,GHV10b,…]

Fully Homomorphic Encryption First Defined: “Privacy homomorphism” [RAD’78] their motivation: searching encrypted data Big Breakthrough: [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory / “ideal lattices” No lattices No ideal lattices Is there an elementary Construction of FHE? using just integer addition and multiplication easier to understand, implement and improve

OUR RESULT Theorem [DGHV’10]: We have a fully homomorphic public-key encryption scheme which uses only add and mult over the integers, which is secure based on the approximate GCD problem & the sparse subset sum problem. Say The rest of this talk here. Emphasize that this is the best venue to pose the problem, approximate gcd. Also say sparse subset sum problem

Construction

A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) (a simple transformation) 2. Public-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) (borrows from Gentry’s techniques) 3. Public-key FULLY Homomorphic Encryption (under approx GCD + sparse subset sum)

Secret-key Homomorphic Encryption Secret key: an n2-bit odd number p (sec. param = n) To Encrypt a bit b: pick a random “large” multiple of p, say q·p (q ~ n5 bits) (r ~ n bits) pick a random “small” even number 2·r Ciphertext c = q·p+2·r+b “noise” Noise term growing by how much? N^1/2 versus N/2 What is the sec parameter? What is the efficiency? Noise growing??? Random large!!! Introduce the term near-multiple here. To Decrypt a ciphertext c: c (mod p) = 2·r+b (mod p) = 2·r+b read off the least significant bit

Secret-key Homomorphic Encryption How to Add and Multiply Encrypted Bits: Add/Mult two near-multiples of p gives a near-multiple of p. c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2) c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p LSB = b1 XOR b2 c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p LSB = b1 AND b2

Two Issues Ciphertext grows with each operation → Useless for many applications (cloud computing, searching encrypted e-mail) Noise grows with each operation Consider c = qp+2r+b ← Enc(b) c (mod p) = r’ ≠ 2r+b 2r+b r’ (q-1)p qp (q+1)p (q+2)p

Two Issues Ciphertext grows with each operation → Useless for many applications (cloud computing, searching encrypted e-mail) Noise grows with each operation → After some operations, the ciphertext becomes “undecryptable”

Solving the Two Issues Ciphertext grows with each operation Publish x0 = q0p (*) Take ciphertext (mod x0) after each op (Add/Mult) (*) More complex way using x0 = a near-multiple of p

Solving the Two Issues Ciphertext grows with each operation Publish x0 = q0p Take ciphertext (mod x0) after each op (Add/Mult) Ciphertext stays less than x0 always The encrypted bit remains same Noise does not increase at all

Solving the Two Issues Ciphertext grows with each operation Publish x0 = q0p Take ciphertext (mod x0) after each op (Add/Mult)* Noise grows with each operation Can perform “limited” number of hom. operations (“Somewhat Homomorphic” Encryption) Somewhat → Fully: (A variant of) Squashing + Bootstrapping [G’09]

(of the secret-key “somewhat” homomorphic scheme) Security (of the secret-key “somewhat” homomorphic scheme)

The Approximate GCD Assumption (name coined by Howgrave-Graham) Parameters of the Problem: Three numbers P,Q and R p? p (q0p,q1p+r1,…, qtp+rt) q1p+r1 q0p q ← [0…Q] r ← [-R…R] q0 ← [0…Q] Assumption: no PPT adversary can guess the number p TODO!! odd p ← [0…P]

p (q0p,q1p+r1,…, qtp+rt) p? Assumption: no PPT adversary can guess the number p = (proof of security) Semantic Security: no PPT adversary can guess the bit b TODO!! (q0p,q1p+2r1+b,…,qkp+2rk+b)

A “Taste” of the Security Proof Encryption breaker Approx GCD solver AdvA lsb(q) q0p,{qip+ri} p c=qp+r AdvB q p c=qp+r q0p,{qip+ri} Single bit predictor Then bring that as focus Inverter (main thing) Claim: On every c=qp+r, A predicts lsb(q) correctly w.p. 1-1/poly “Proof”: Lots of details (Worst-case to average case over c, computing lsb(q) = computing lsb(r), a hybrid argument.)

A “Taste” of the Security Proof AdvA lsb(q) q0p,{qip+ri} p c=qp+r AdvB q p c=qp+r q0p,{qip+ri} Main Idea: Use lsb(q) to make q successively smaller Single bit predictor Then bring that as focus Inverter (main thing) First Try: If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2]) (new-c = (q-1)/2*p+[r/2]) If lsb(q) = 1, c ← [(c-p)/2]

A “Taste” of the Security Proof Main Idea: Use lsb(q) to make q successively smaller Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2 (+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’ W.h.p. gcd(q1,q2)=1 Single bit predictor Then bring that as focus Inverter (main thing) If lsb(q) = 0, c ← [c/2] (new-c = q/2*p+[r/2]) (new-c = (q-1)/2*p+[(r-r’)/2]) (new-c = (q-1)/2*p+[r/2]) If lsb(q) = 1, c ← [(c-z’)/2] If lsb(q) = 1, c ← [(c-p)/2] Learn q bit by bit

A “Taste” of the Security Proof Main Idea: Use lsb(q) to make q successively smaller Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2 (+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’ Observation: the Binary GCD algo. is “noise-tolerant”, given lsb oracle. (similar to the RSA hardcore bit proof of [ACGS’88]) Single bit predictor Then bring that as focus Inverter (main thing)

How Hard is Approximate GCD? Studied by [HG01]; also [Lag82,Cop97,NS01] (equivalent to “simultaneous Diophantine approximation”) Lattice-based Attacks Lagarias’ algorithm Coppersmith’s algo. for finding small polynomial roots Nguyen/Stern and Regev’s orthogonal lattice method HG01 is not The title of HG01 is approx gcd!! All run out of steam when log Q > (log P)2 (our setting of parameters: log Q = n5, log P = n2)

Future Directions Efficient fully homomorphic encryption (Currently: n5 size ciphertexts; n10 running-time blowup) Some recent improvements [SV’10,SS’10] Security of the approx GCD assumption (e.g., a worst-case to average-case reduction to regular – non-ideal – lattice problems?)

Questions?

Delegate computation on data The Goal Delegate computation on data without giving away access to it Assume that I have a piece of data, I want some computation to be performed on this data nad I want to get the result. But for some reason, I don’t want to do the computation myself. Perhaps because the computation is too expensive and I don’t simply have enough resou to do it myself. In other words, I want to delegate processing to someone else, I want them to do the computation for me, but I don’t want them to see what my data is.

Public-key Homomorphic Encryption Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) = t+1 random encryptions of 0 To Decrypt a ciphertext c: c (mod p) = 2·r+b (mod p) = 2·r+b read off the least significant bit Eval (as before)

Public-key Homomorphic Encryption Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) To Encrypt a bit b: pick random subset S [1…t] c = + b (mod x0) To Decrypt a ciphertext c: c (mod p) = 2·r+b (mod p) = 2·r+b read off the least significant bit Eval (as before)

Parameter Regimes (very rough diagram) log Q/(log P)2 min=0 max=P R

Public-key Homomorphic Encryption Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) t+1 encryptions of 0 W.l.o.g., x0 = q0p+2r0 is the largest To Decrypt a ciphertext c: c (mod p) = 2·r+b (mod p) = 2·r+b read off the least significant bit Eval (as before)

Public-key Homomorphic Encryption Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) To Encrypt a bit b: pick random subset S [1…t] c = + b (mod x0) To Decrypt a ciphertext c: c = p[ ] + 2[ ] + b – kx0 (for a small k) c = p[ ] + 2[ ] + b (mod x0) c (mod p) = 2·r+b (mod p) = 2·r+b read off the least significant bit = p[ ] + 2[ ] + b Eval (as before) (mult. of p) + (“small” even noise) + b

Public-key Homomorphic Encryption Ciphertext Size Reduction Secret key: an n2-bit odd number p Δ Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt) To Encrypt a bit b: pick random subset S [1…t] Resulting ciphertext < x0 c = + b (mod x0) Underlying bit is the same (since x0 has even noise) To Decrypt a ciphertext c: Noise does not increase by much(*) c (mod p) = 2·r+b (mod p) = 2·r+b read off the least significant bit Eval: Reduce mod x0 after each operation (*) additional tricks for mult

3. Public-key FULLY Homomorphic Encryption A Roadmap Secret-key “Somewhat” Homomorphic Encryption Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption

How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if: or f(x1, …, xt) = x1·x2·xd + … + xt-d+1·xt-d+2·xt What happens to the noise? Does not increase by too much. Say, noise in Enc(xi) < 2n Final Noise ~ (2n)d+…+(2n)d = m•(2n)d

From “Somewhat” to “Fully” Theorem [Gentry’09]: Convert “bootstrappable” → FHE. FHE = Can eval all fns. Augmented Decryption ckt. “Bootstrappable” “Somewhat” HE Dec NAND c1 sk c2

Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? (polynomials of degree < n) (?) Complexity of the (aug.) Decryption Circuit (degree ~ n1.73 polynomial) Can be made bootstrappable Similar to Gentry’09 Caveat: Assume Hardness of “Sparse Subset Sum”