FULLY HOMOMORPHIC ENCRYPTION
Presentation transcript:

New Developments in Fully Homomorphic Encryption. Vinod Vaikuntanathan, University of Toronto. Penn State Summer School on Cryptography.

Outsourcing Computation. A weak client sends an input x to a powerful server (the "cloud"), which computes a function f and returns f(x).

Outsourcing Computation: it's everywhere! Example: x = a search query, f = Google search, f(x) = the search results.

Outsourcing Computation: it's everywhere! Example: x = medical records, f = analysis, f(x) = risk factors.

Outsourcing Computation: two problems. Privacy: the cloud should not learn anything about x. Verifiability: the cloud cannot cheat (i.e., return an incorrect answer without being detected).

Outsourcing Computation, Privately. The client sends Enc(x); the cloud runs the homomorphic evaluation Eval(f, Enc(x)) and returns Enc(f(x)), knowing nothing of x.

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos'78]. The same picture: the client sends Enc(x), the evaluator computes Eval(f, Enc(x)) = Enc(f(x)) and learns nothing of x. More generally, with inputs x1, …, xn: Eval(f, Enc(x1), …, Enc(xn)) = Enc(f(x1, …, xn)).

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos'78]. Most of this talk: secret-key homomorphic schemes. The client holds sk (and pk, in the public-key case); the evaluator holds the evaluation key evk. The client sends c = Enc_sk(x); the evaluator returns y = Eval_evk(f, c).
Privacy (semantic security [GM82]): (evk, Enc(x)) ≈ (evk, Enc(0)).
Correctness: Dec_sk(y) = f(x).
Compactness: |y| = poly(|f(x)|, n).

FHE 101: Add & Mult are universal. An arithmetic circuit with (+, ×) over GF(2) is a Boolean circuit with (XOR, AND), a universal gate set. Example: f(x1, x2, x3) = (x1 + x2)·x3. If we had Eval(+, Enc(x1), Enc(x2)) → Enc(x1 + x2) and Eval(×, Enc(x1), Enc(x2)) → Enc(x1·x2), then we are done: from Enc(x1 + x2) and Enc(x3) we get Enc((x1 + x2)·x3).

Early History (1978-2009).
- Additively homomorphic [GM'82, CF'85, AD'97, Pai'99, Reg'05, DJ'05, …]. Example, Goldwasser-Micali'82: public key N and y, a non-square mod N; secret key: the factorization of N. Enc(0) = r^2 mod N, Enc(1) = y·r^2 mod N. (Additively) homomorphic over Z2.
- Multiplicatively homomorphic [ElG'85, …].
- Add + one mult [BGN'05, GHV'09].
- A negative result [Boneh-Lipton'97, DHI'03]: any deterministic FHE can be broken in sub-exponential (or quantum polynomial) time.

Gentry (2009): the FIRST fully homomorphic encryption!

New Developments in FHE.
"Galactic" → efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]: asymptotic efficiency: nearly linear-time algorithms (linear in the security parameter); practical efficiency: 3-4 orders of magnitude faster compared to [Gen09, GH10].
Strange assumptions → mild assumptions [BV11b, GH11, BGV11, B12], e.g., the worst-case hardness of shortest vectors on lattices. Best known theorem [BGV11]: (leveled) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices (leveled = the public key grows with the depth of the circuit for f). Adding "circular security" gives fully homomorphic encryption.
Complex → simple constructions/proofs [BV11b, BGV11, LTV12, B12].

Plan for today. Part 1: a complete construction of an FHE scheme. Part 2: leveled FHE from the NTRU assumption; FHE from NTRU + circular security (simplicity + multi-key FHE); auxiliary theorems: secret key to public key; applications: PIR, MPC; open problems.

This talk is based on: Zvika Brakerski, V.V., Efficient Fully Homomorphic Encryption from Standard Learning with Errors, FOCS 2011. Zvika Brakerski, Craig Gentry, V.V., (Leveled) Fully Homomorphic Encryption without Bootstrapping, ITCS 2012. Craig Gentry, Stanford Ph.D. Thesis, 2009.

How to Construct an FHE Scheme n is a security parameter

The Big Picture. IDEA 1: "Somewhat Homomorphic" Encryption (SwHE) [Gen09, DGHV10, SV10, BV11a, BV11b, LTV11]: evaluate Boolean circuits of depth d = ε log n (0 < ε < 1 is a constant, and n is the security parameter).

IDEA 2: the "Bootstrapping" theorem [Gen09] (qualitative): "homomorphic enough" encryption ⇒ FHE, where homomorphic enough = can evaluate its own decryption circuit (plus some).

Is SwHE homomorphic enough? NO, for all known constructions! Problem: the decryption circuit does not fit in the depth that EVAL can handle. Solutions: a. "Squash" the decryption circuit [Gen09]; relies on a new assumption, "sparse subset sum"; less general. b. Make EVAL larger [BV11b, simplified by BGV12]; fairly general, needs no new assumptions; an exponential improvement: can evaluate n^ε-depth circuits. c. Use special properties of the decryption circuit [GH11].

IDEA 3: "Modulus Reduction" [BV11b, simplified by BGV12]: evaluate Boolean circuits of depth d = n^ε.

Summary: IDEA 1 (SwHE: evaluate Boolean circuits of depth d = ε log n) plus IDEA 3 (modulus reduction: depth d = n^ε) give d-leveled FHE: given any d, set n = d^(1/ε). IDEA 2 (bootstrapping) gives FHE: evaluate any poly(n)-size Boolean circuit.

Many instantiations, all based on integer lattices (Ajtai'96). BUT: you don't need to know what lattices are for this talk! Ideal lattices: Gentry'09 (based on Goldreich-Goldwasser-Halevi'98); DGHV'10 (based on Ajtai-Dwork'97, Regev'04); BV'11a (based on Lyubashevsky-Peikert-Regev'10); LTV'11 (based on NTRU: Hoffstein-Pipher-Silverman'96). Surprisingly, arbitrary lattices [BV'11b], even though lattices (like vector spaces) have no native multiplication. All schemes are based on lattices. Open problem: base FHE on factoring or discrete logs. Also: a connection to PIR, and constructions from general assumptions.

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03].

LWE_{n,q,B}: for a random secret s ∈ Z_q^n, distinguish the oracle O_s, which outputs "noisy" random linear equations (a_i, b_i = ⟨a_i, s⟩ + e_i) with a_i uniformly random in Z_q^n and "small" error |e_i| < B, from the oracle O_rand, which outputs (a_i, u_i) with u_i uniformly random in Z_q. For any m = poly(n) samples: {(a_i, ⟨a_i, s⟩ + e_i)}_{i=1..m} ≈ {(a_i, u_i)}_{i=1..m}.

Worst-case connection ([R05, P09]). Qualitative: solving LWE (on average) ⇒ short-vector approximation on lattices (in the worst case). Quantitative: solving LWE_{n,q,B} ⇒ O(nq/B)-approximate shortest vector on lattices.
1. Scale invariance: the hardness depends only on the ratio between q and B.
2. Our parameters: we will set q = n^(O(log n)) and B = poly(n). The best known algorithm for LWE with these parameters runs in 2^(Õ(n)) time.

Facts: LWE with a short secret s = LWE [ACPS09, GKPV10]. LWE with short even error 2e = LWE with short error e.

Secret-key Encryption from LWE (omitting public-key encryption).
KeyGen: sample a random "short" vector t ∈ Z_q^n and set sk = t.
Bit encryption Enc_sk(m): sample uniformly random a ∈ Z_q^n and "short" noise e ∈ Z_q. The ciphertext is CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q. Semantic security follows from LWE.
Decryption Dec_sk(CT): output (b − ⟨a, t⟩ mod q) mod 2.
Correctness: b − ⟨a, t⟩ = b − Σ_i a[i]·t[i] = 2e + m (over Z_q), which equals 2e + m as an integer as long as |2e + m| < q/2; so decryption succeeds if e < q/4.

Additive Homomorphism: look at ciphertexts through the decryption lens. CT = (a, b) with b − ⟨a, t⟩ = 2e + m, and CT' = (a', b') with b' − ⟨a', t⟩ = 2e' + m'. Let c = (a, b), c' = (a', b') and s = (−t, 1); then ⟨c, s⟩ = 2e + m and ⟨c', s⟩ = 2e' + m'.
Claim: c_add = c + c'. Proof: ⟨c + c', s⟩ = ⟨c, s⟩ + ⟨c', s⟩ = 2(e + e') + (m + m'), so with E = e + e', Dec_s(c_add) = 2E + (m + m') (mod 2) = (m + m') (mod 2).

Multiplicative Homomorphism. ⟨c, s⟩ = 2e + m and ⟨c', s⟩ = 2e' + m'. Claim: c_mult = ? Start from ⟨c, s⟩·⟨c', s⟩ = (2e + m)(2e' + m') = mm' + 2(em' + e'm + 2ee') = mm' + 2E: a quadratic equation in the variables s[i].
Tensor product: c ⊗ c' = (c[1]·c'[1], …, c[i]·c'[j], …, c[n+1]·c'[n+1]). c and c' live in n+1 dimensions; c ⊗ c' lives in (n+1)^2 dimensions. KEY FACT: ⟨c, s⟩·⟨c', s⟩ = ⟨c ⊗ c', s ⊗ s⟩.
Claim: c_mult = c ⊗ c'. Then ⟨c ⊗ c', s ⊗ s⟩ = mm' + 2(em' + e'm + 2ee'), so Dec(s ⊗ s, c_mult) = 2E + mm' (mod 2) = mm' (mod 2). Problem: the ciphertext size blows up (Z_q^(n+1) → Z_q^((n+1)^2)).

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s that represents these quadratic func. or, of new secret s’

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. Enct’ ( s[ i ]s[ j ] )

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : sample Ai,j , Ei,j i,j. (Ai,j , Bi,j = Ai,j , t’ + 2Ei,j + s[ i ]s[ j ]) LWE  Security still holds.

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : sample Ai,j , Ei,j i,j. Bi,j − Ai,j , t’ = 2Ei,j + s[ i ]s[ j ]

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. Ci,j , s’ ≈ s[ i ]s[ j ] (denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

Multiplicative Homomorphism Cheating Alert Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Plug back into quadratic equation:   cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error Linear in s’. Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. Ci,j , s’ ≈ s[ i ]s[ j ] Linear fn (in s’) Quadratic fn (in s)

Multiplicative Homomorphism cmult, s  s = 2E + mm’ Plug back into quadratic equation:   cmult[i,j] ∙ Ci,j , s’  ≈ mm’+2*Error Linear in s’. Homomorphic Mult: First compute cmult = c c’ Compute and output  cmult[i,j] ∙ Ci,j (where Ci,j are from the evaluation key)

Multiplicative Homomorphism Cheating Alert Multiplicative Homomorphism cmult, s  s = 2E + mm’ PROBLEM: cmult has large entries i,j. Ci,j , s’ ≈ s[ i ]s[ j ] Linear fn (in s’) Quadratic fn (in s) BUT cmult .Ci,j , s’ ≈ cmult . s[ i ]s[ j ] SOLUTION: Binary Decomposition Trick

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. k in [0… log q]: Enct’ ( 2k s[ i ]s[ j ] )

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : sample Ai,j,k , Ei,j,k i,j. (Ai,j,k , Bi,j,k = Ai,j,k , t’ + 2Ei,j,k + 2k s[ i ]s[ j ])

Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. Ci,j,k , s’ ≈ 2k s[ i ]s[ j ] (denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)

Multiplicative Homomorphism Un-Cheating Alert Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Plug back into quadratic equation: Let cmult[i,j,k] be the kth bit of cmult[i,j]   cmult[i,j,k] ∙ Ci,j,k , s’  ≈ mm’+2*Error Linear in s’. Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. Ci,j,k , s’ ≈ 2k s[ i ]s[ j ] Linear fn (in s’) Quadratic fn (in s)

Multiplicative Homomorphism Errorrelin = O(n2 . log q . B) Un-Cheating Alert Multiplicative Homomorphism cmult, s  s = 2E + mm’ New Technique [BV’11b]: Relinearization Plug back into quadratic equation: Let cmult[i,j,k] be the kth bit of cmult[i,j]   cmult[i,j,k] ∙ Ci,j,k , s’  = mm’+2*Error+2*Errorrelin Errorrelin = O(n2 . log q . B) Find linear functions of s’ that represent these quadratic func. New KeyGen: Sample t,t’Zqn and set sk = (t,t’). Evaluation key evk : i,j. Ci,j,k , s’ ≈ 2k s[ i ]s[ j ] Linear fn (in s’) Quadratic fn (in s)

Multiplicative Homomorphism cmult, s  s = 2E + mm’ Plug back into quadratic equation:   cmult[i,j,k] ∙ Ci,j ,k , s’  ≈ mm’+2*Error Linear in s’. Homomorphic Mult: First compute cmult = c c’ Compute and output  cmult[i,j,k] ∙ Ci,j,k (where Ci,j,k are from the evaluation key)

The Reservoir Analogy (how homomorphic is this?). Picture the noise as the water level in a reservoir: a fresh ciphertext has initial noise ξ (= B), the bottom of the reservoir is noise = 0, and correctness breaks when the level reaches noise = q/2. Additive homomorphism: ξ → 2ξ. Multiplicative homomorphism: ξ → ξ^2 + n^2·B·log q. After d levels (worst case): ≈ ξ^(2^d). Breaking the scheme = solving 2^(n^ε)-approximate shortest vectors [Reg05, LPR10].

Wrap Up: Somewhat Homomorphism. IDEA 1, SwHE [BV11b]: evaluate Boolean circuits of multiplicative depth D = ε log n. SK = (sk_1, …, sk_D) and EVK = (evk_1, …, evk_D), where D is the maximum multiplicative depth. Encrypt x using sk_1; at each multiplication level: tensor and relinearize (moving to the next key); after a circuit C of multiplicative depth D the result is Enc(sk_D, C(x)); decrypt using sk_D.
A number of other SwHE schemes: [DGHV10]: based on the hardness of approximate gcd; [SV10]: the principal ideal problem; [BV11a]: Ring LWE; [LTV12]: NTRU.

Roadmap. IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n). IDEA 3: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε); d-leveled FHE: given any d, set n = d^(1/ε), where n is the security parameter. IDEA 2: "Bootstrapping" (from "homomorphic enough" to fully homomorphic).

Bootstrapping Theorem [Gen09] (quantitative): d-HE (homomorphic encryption for any depth-d circuit) with decryption depth < d ⇒ FHE. A very general theorem, independent of which encryption scheme you use.

Bootstrapping = a "valve" at a fixed height (that depends on the decryption depth). In the reservoir picture, noise = 0 is the bottom and noise = q/2 is the top; bootstrapping drains the level back to noise = B_dec. Say n·(B_dec)^2 < q/2 (or simply (B_dec)^2 < q/2), so that one more multiplication fits after each bootstrapping.

Bootstrapping: how? The "best possible" noise reduction is decryption: the decryption circuit Dec(SK, CT) turns a "very noisy" ciphertext into a "noiseless ciphertext", the message m itself. But the evaluator does not have SK!

Bootstrapping, concretely: the next best thing is homomorphic decryption. Assume Enc_SK(SK) is public (OK assuming the scheme is "circular secure"). Evaluate the decryption circuit homomorphically, with CT (noise = B_input) hard-wired and Enc_SK(SK) as the encrypted input; the output is Enc_SK(m) with noise = B_dec, the noise of evaluating the decryption circuit, independent of B_input.

Wrap Up: Bootstrapping. Assume circular security: the evaluation key contains Enc_SK(SK). Each gate g of the function f becomes a gadget G: given ciphertexts c_a, c_b of the inputs a, b, homomorphically evaluate the circuit (sk) ↦ g(Dec(sk, c_a), Dec(sk, c_b)) on Enc(SK), with c_a and c_b hard-wired, obtaining Enc(g(a, b)).

Bootstrapping Theorem [Gen09] (quantitative): circular-secure d-HE with decryption depth < d ⇒ FHE (publish Enc_PK(SK)); d-HE with decryption depth < d ⇒ (leveled) FHE (publish Enc_PK2(SK1), Enc_PK3(SK2), …, Enc_PKd(SK_(d−1))).

SwHE = homomorphic enough? Decryption circuit: compute lsb(⟨SK, C⟩ mod q), i.e., an inner product mod q, then mod 2. Homomorphisms: our scheme is homomorphic over GF(2), and can handle multiplicative depth = ε log n < log n. Can we write an inner product mod q as a GF(2)-arithmetic circuit? It can be done in depth polylog(n), but it seems to need (multiplicative) depth ≥ log n.

Roadmap. IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n). IDEA 2: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε, where n is the security parameter). IDEA 3: "Bootstrapping" ("homomorphic enough" SwHE → FHE).

Modulus Reduction Theorem [BV11b, BGV12]: SwHE that evaluates Boolean circuits of depth d = n^ε (under the same assumption as before); this is "homomorphic enough", so with bootstrapping it gives FHE. Corollary: for every depth d, set the security parameter n = d^(1/ε) to get a d-leveled FHE. Corollary: modulus reduction + bootstrapping = FHE (assuming circular security).

Idea: shrink the noise and the noise ceiling by the same factor. CT with modulus q = B^10 and noise = B^8 → CT' with modulus q' = B^3 and noise' = B + p(n) (wishful thinking: noise' = B, as if no multiplication had happened instead of one). Can we do this? Hardness depends only on q/B, so we are keeping the hardness the same; but we cannot arbitrarily reduce the noise, because of the additive p(n) factor.

Level i → level i+1: the homomorphism takes (q, ξ) → (q, ≈ ξ^2); modulus reduction takes (q, ξ^2) → (q/ξ, ξ), so the noise returns to ξ while the modulus shrinks. After d levels: (q, B) → (q/(nB log q)^(O(d)), B), hence d ≤ log q / log(nB) ≤ n^ε / log n.

Modulus Reduction: Details. Modulus Reduction Algorithm [BV11b, BGV12]: transform a (q, B^2) ciphertext into a (q' ≈ q/nB, B) one. Let c be a ciphertext such that ⟨c, s⟩ = 2e + m (mod q), and assume the secret key s has entries bounded by B (OK by fact 2). Algorithm: compute (q'/q)·c and round to the closest integer vector c' such that c' = c mod 2.

Proof: ⟨c, s⟩ = 2e + m + qZ (the original decryption equation). Scaled: ⟨(q'/q)·c, s⟩ = (q'/q)·(2e + m) + q'Z. Rounded: ⟨c', s⟩ = (q'/q)·(2e + m) + E_round (mod q'). New error = (q'/q)·(old error) + E_round, with E_round ≤ Bn since each coordinate moves by at most one and |s[i]| ≤ B, as promised! And c' decrypts to m, since c' = c mod 2 and therefore ⟨c', s⟩ = ⟨c, s⟩ mod 2.
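The modulus reduction step, as an added example (not the talk's code; toy parameters, with Q2 standing in for q'). It takes a ciphertext vector c with ⟨c, s⟩ = 2e + m (mod q), scales it by q'/q, rounds each coordinate to the nearest integer of the same parity as c, and then checks through the decryption lens that the bit survives and that the new noise is at most (q'/q)·(old noise) + n·B + 1. The helper sample_ct constructs the large-noise input directly, standing in for the output of a homomorphic multiplication:

```python
import random

# Toy parameters, constructed for illustration; not secure.
N = 8            # dimension n
B = 4            # bound on the secret's entries
Q = 2 ** 30      # old modulus q
Q2 = 2 ** 12     # new modulus q' (same parity as q, which the decryption argument needs)


def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= q
    return x - q if x > q // 2 else x


def inner(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q


def sample_ct(rng, s, m, noise_mag, q=Q):
    """Constructed input: a vector c with <c, s> = 2e + m (mod q) and |e| <= noise_mag,
    standing in for a ciphertext whose noise has grown through a multiplication."""
    t = [-x for x in s[:-1]]                       # s = (-t, 1)
    a = [rng.randrange(q) for _ in t]
    e = rng.randint(-noise_mag, noise_mag)
    return a + [(inner(a, t, q) + 2 * e + m) % q]


def modulus_reduce(c, q, q2):
    """Scale c by q'/q and round each coordinate to the nearest integer with the same parity as c."""
    out = []
    for x in c:
        y = x * q2 / q                  # scaled coordinate (exact here: q and q' are powers of two)
        r = round(y)
        if (r - x) % 2:                 # wrong parity: take the nearer neighbour with the right one
            r += 1 if y >= r else -1    # |r - y| <= 1 either way, which is what bounds E_round
        out.append(r % q2)
    return out


def noise_and_bit(c, s, q):
    """Decryption lens: centered <c, s> mod q is the noise 2e + m; its parity is the bit."""
    v = centered(inner(c, s, q), q)
    return abs(v), v % 2


def demo(seed=11):
    """Reduce (q, large noise) ciphertexts of 0 and 1 to (q', small noise) ones.
    Returns (bit before, bit after, noise before, noise after) for each message."""
    rng = random.Random(seed)
    t = [rng.randint(-B, B) for _ in range(N)]
    s = [-x for x in t] + [1]
    out = []
    for m in (0, 1):
        c = sample_ct(rng, s, m, 2 ** 25)          # noise far above q'/2, but fine under q/2
        old_noise, old_bit = noise_and_bit(c, s, Q)
        c2 = modulus_reduce(c, Q, Q2)
        new_noise, new_bit = noise_and_bit(c2, s, Q2)
        out.append((old_bit, new_bit, old_noise, new_noise))
    return out


if __name__ == "__main__":
    for row in demo():
        print(row)
```

With the secret's entries bounded by B, the rounding error Σ δ_i·s[i] has magnitude at most n·B + 1 (the last entry of s is 1), which is the E_round ≤ Bn term of the proof. The parity argument needs q ≡ q' (mod 2), which holds here because both are powers of two.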

Putting Together: Leveled FHE. SK = (sk_1, …, sk_D) and EVK = (evk_1, …, evk_D), where D is the maximum multiplicative depth. Encrypt x using sk_1. At each multiplication level i: tensor, relinearize using evk_i, reduce the modulus. After a circuit C of multiplicative depth D the result is Enc(sk_D, C(x)); decrypt using sk_D. This works for depth D ≤ n^ε, where n is the security parameter. Bootstrapping + circular security ⇒ FHE.

Putting everything together. IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n). IDEA 2: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε; this is "homomorphic enough"). IDEA 3: "Bootstrapping" ("homomorphic enough" SwHE → FHE, assuming "circular security").

A Simpler Alternative: doing away with changing moduli [Brakerski’12]

Break

From Secret Key to Public Key [Ron Rothblum'11]. THEOREM: given any C-homomorphic secret-key encryption scheme, construct a C'-homomorphic public-key scheme for a "slightly smaller" class C'. IDEA: let the public key be a bunch of encryptions of random bits c_i: PK = {(c_i, Enc_SK(c_i))}. To encrypt a bit b using the public key, pick a random subset of the c_i's that sums to b: namely, pick r_i such that Σ r_i·c_i = b (mod 2), and output Σ r_i·Enc_SK(c_i) as the ciphertext, using the additive homomorphism.
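The secret-key to public-key transformation above, as an added example (not the talk's or [Rothblum'11]'s code; toy parameters, with K the number of random-bit encryptions published). The underlying scheme is the LWE bit encryption from earlier in the talk, restated here in a few lines so the block runs on its own; pk_gen publishes K random bits with their encryptions, and pk_enc picks a random subset whose bits sum to the message modulo 2 and adds the corresponding ciphertexts:

```python
import random

# Toy parameters, constructed for illustration; not secure.
N, Q, B = 8, 2 ** 20, 4
K = 32           # number of (bit, encryption) pairs in the public key


def centered(x, q):
    x %= q
    return x - q if x > q // 2 else x


def inner(u, v, q):
    return sum(x * y for x, y in zip(u, v)) % q


# The underlying secret-key scheme: the LWE bit encryption from the talk, restated minimally.
def sk_enc(rng, t, m, q=Q, bound=B):
    a = [rng.randrange(q) for _ in t]
    e = rng.randint(-bound, bound)
    return a + [(inner(a, t, q) + 2 * e + m) % q]          # c = (a, <a,t> + 2e + m)


def sk_dec(t, c, q=Q):
    s = [-x for x in t] + [1]
    return centered(inner(c, s, q), q) % 2


def sk_add(c1, c2, q=Q):
    return [(x + y) % q for x, y in zip(c1, c2)]           # the additive homomorphism


def pk_gen(rng, t, k=K):
    """Public key: K random bits c_i, each published together with Enc_SK(c_i)."""
    return [(bi, sk_enc(rng, t, bi)) for bi in (rng.randrange(2) for _ in range(k))]


def pk_enc(rng, pk, m, q=Q):
    """Encrypt the bit m using the public key only: choose a random subset r with
    sum(r_i * c_i) = m (mod 2) and output sum(r_i * Enc_SK(c_i)), an encryption of m
    whose noise is at most the sum of K fresh noises."""
    while True:
        r = [rng.randrange(2) for _ in pk]
        if sum(ri * bi for ri, (bi, _) in zip(r, pk)) % 2 == m:
            break
    ct = [0] * len(pk[0][1])                               # the zero vector encrypts 0 with no noise
    for ri, (_, ci) in zip(r, pk):
        if ri:
            ct = sk_add(ct, ci, q)
    return ct


def demo(seed=3):
    """Encrypt 0 and 1 with the public key, decrypt with the secret key, and check that
    the resulting ciphertexts still add homomorphically. Returns the four decrypted bits."""
    rng = random.Random(seed)
    t = [rng.randint(-B, B) for _ in range(N)]
    pk = pk_gen(rng, t)
    c0, c1 = pk_enc(rng, pk, 0), pk_enc(rng, pk, 1)
    return (sk_dec(t, c0), sk_dec(t, c1), sk_dec(t, sk_add(c0, c1)), sk_dec(t, sk_add(c1, c1)))


if __name__ == "__main__":
    print(demo())   # (0, 1, 1, 0)
```

Each public-key ciphertext carries the summed noise of up to K fresh ciphertexts, which is why the resulting scheme is homomorphic for a "slightly smaller" class C': the noise budget for further evaluation starts lower than for a fresh secret-key ciphertext.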

An Application: Optimal Private Information Retrieval.

Single-server PIR [CGKS95, KO97, CMS99]. The client holds an index x ∈ [N] and a key pair (pk, sk); the server holds a database DB with |DB| = N ≥ 2^n. FHE ⇒ PIR: the client sends Enc(x), the server returns y = Eval(DB, Enc(x)), the homomorphic evaluation of the lookup x ↦ DB[x], and the client decrypts y with sk. Using our FHE naively, encrypting each bit of x separately, the communication complexity cc = |Enc(x)| + |y| = n·log q·log N = Õ(log^2 N).

Reducing the communication complexity: encrypt x using a different, more efficient (symmetric) scheme, Enc_sym(x), and send it together with Enc(sym), the FHE encryption of the symmetric key. The server homomorphically decrypts the efficient ciphertext (Enc_sym(x) + Enc(sym) ⇒ Enc(x)) and then proceeds as before, y = Eval(DB, Enc(x)). Using known efficient schemes: cc = n·log q + O(log N) = Õ(log N).

Fully Homomorphic Encryption Open Problems

* Circular Security  Leveled FHE from “standard” assumptions e.g., the Learning with errors assumption Evaluate bounded depth circuits The size of CT and/or PK grows with the depth Construct hom enc from PIR?  “Real” FHE: requires “bootstrapping” Bootstrapping: Publish EncSK(SK). (OK assuming the scheme is “circular secure”) *

Circular Security
- "Real" FHE requires "bootstrapping". Bootstrapping: publish the encryptions of the bits of SK, namely Enc_SK(SK[1]), …, Enc_SK(SK[n])*. (* OK assuming the scheme is "weakly circular secure".)
Two definitions:
- Strong circular security: there is a simulator that, given nothing, produces Enc_SK(SK).
- Weak circular security: the encryption scheme is semantically secure given Enc_SK(SK).

Circular Security
- There are semantically secure schemes that are NOT circular-secure. Proof: simple exercise.
- There are (even bit-wise) circular secure encryption schemes: [BHHO'08] based on DDH; [ACPS'09, BG'10, BHHI'10, …].

Circular Security
How about circular security for the FHE scheme?
NEED: "safe to publish" lweEnc(s[i]·s[j]) (encryptions of all quadratic monomials in the s[i]).
CAN PROVE: "safe to publish" lweEnc(s[i]) (encryptions of all linear monomials s[i]).

Circular Security
CAN PROVE: "safe to publish" lweEnc(s[i]) (encryptions of all linear monomials s[i]):
(a, ⟨a, s⟩ + 2e + s[i] mod q) = (a, ⟨a, s⟩ + 2e + ⟨u_i, s⟩ mod q), where u_i is the i-th unit vector (0, …, 1, …, 0).

Circular Security
CAN PROVE: "safe to publish" lweEnc(s[i]) (encryptions of all linear monomials s[i]):
(a, ⟨a, s⟩ + 2e + s[i] mod q) = (a, ⟨a + u_i, s⟩ + 2e mod q) ≈ (a' − u_i, ⟨a', s⟩ + 2e mod q).
The right-hand side can be generated efficiently from an encryption of 0.
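The rewriting on the last two slides, as an added example not from the talk: starting from a fresh LWE encryption of 0, (a', ⟨a',s⟩ + 2e), subtracting the unit vector u_i from a' yields a tuple that decrypts to s[i], without ever touching s. The toy parameters, a binary secret (so each s[i] is a bit) and the function names are constructed assumptions.

```python
import random

# Constructed toy parameters: dimension, modulus, error bound. Not secure.
N, Q, ERR = 8, 2**16, 4

def inner(a, s):
    return sum(x * y for x, y in zip(a, s)) % Q

def enc_zero(s, rng):
    """Fresh LWE encryption of 0: (a', <a',s> + 2e mod q)."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-ERR, ERR)
    return (a, (inner(a, s) + 2 * e) % Q)

def shift_to_key_bit(ct0, i):
    """(a', b') -> (a' - u_i, b'): the form of lweEnc(s[i]), computed from Enc(0) alone.

    Decrypting gives b' - <a' - u_i, s> = 2e + s[i], so this is a valid encryption
    of the i-th key bit even though the caller never saw s.
    """
    a, b = ct0
    a2 = list(a)
    a2[i] = (a2[i] - 1) % Q          # subtract the i-th unit vector u_i
    return (a2, b)

def dec_bit(s, ct):
    a, b = ct
    d = (b - inner(a, s)) % Q
    if d > Q // 2:                    # centre the noise term 2e + m
        d -= Q
    return d % 2

def check_key_bit_encryptions(seed=7):
    """True iff, for every i, the shifted Enc(0) decrypts to s[i]."""
    rng = random.Random(seed)
    s = [rng.randrange(2) for _ in range(N)]   # binary secret: s[i] is a bit
    return all(dec_bit(s, shift_to_key_bit(enc_zero(s, rng), i)) == s[i]
               for i in range(N))
```

Because a' is uniform, a' − u_i is uniform too, so the tuple is distributed like a genuine lweEnc(s[i]); this is why publishing the linear monomials adds nothing beyond an encryption of 0, while the quadratic monomials s[i]·s[j] admit no such rewriting.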

Q: "Real" FHE from standard assumptions?
1) Prove circular security for quadratic monomials, or
2) come up with an alternative to bootstrapping.
Many-server, unconditional FHE?

Complexity Assumptions for FHE

Many FHE instantiations, but all of them are based on integer lattices (Ajtai'96).
Q: FHE from other assumptions? (say, elliptic curves)
Open problem: FHE based on factoring, discrete logs.
Also, a connection to PIR, constructions from general assumptions.
Q: … or a black-box separation? (say, in a generic group model)

General Assumptions: PIR and FHE
- FHE → PIR. PIR is the special case of FHE where f = database access.
- PIR → (inefficient) FHE. Think of the truth table of f as a "database" and do PIR. Catch: "Eval" is inefficient (runs in time 2^n).

General Assumptions: PIR and FHE
Q: Efficient homomorphic encryption from PIR? Perhaps for restricted classes of computations?
[Ishai-Paskin'05]: homomorphic encryption for branching programs from any (optimal) PIR scheme.
Many-server, unconditional FHE?

Selective Homomorphisms

Selective Homomorphism
Fully Homomorphic Encryption [can evaluate all functions] … Non-Malleable Encryption [DDN'91] [cannot evaluate any function].
WANT: selective homomorphism! (see recent work: BSW'12)
Best possible theorem!

What we did not cover…
Efficient constructions: build on the ring LWE variant of today's scheme; the Gentry-Halevi-Smart series of works; a number of algebraic optimizations.
Verifiability: CS proofs [Kil92, Mic94]; a number of recent works in various settings [GKR08, GGP10, CKV10, AIK10, …]; the central problem remains open.
Circuit privacy: [Gentry-Halevi-V'10]: "circuit privacy for free" theorem.

Conclusion
FHE is not so complicated any more: well-defined guidelines for construction, under relatively standard security assumptions.
FHE is not so inefficient any more: case in point, Ring LWE, NTRU…
LOTS of questions still to be answered: FHE without "circular security"; FHE from number theory, general assumptions…
NEW directions: selective homomorphism, functional encryption, …

Thank You!