Fully Homomorphic Encryption from the Integers
Vinod Vaikuntanathan, IBM T. J. Watson
Joint work with M. van Dijk (MIT & RSA Labs), C. Gentry (IBM), S. Halevi (IBM)

Modern Application: Computing on Encrypted Data
 ● Client holds an input x; Server/Cloud holds a program P.
 ● Using public-key encryption, the client sends Enc(x); the server returns Enc(P(x)) without ever learning x.
 ● Fully Homomorphic Encryption (FHE) = public-key encryption that makes this possible.

Fully Homomorphic Encryption (FHE): Definition
 ● A scheme is a tuple (KeyGen, Enc, Dec, Eval)
  – KeyGen, Enc, Dec: as in regular public-key encryption
  – Eval(c, F) = c′, such that if c = Enc(x) then Dec(c′) = F(x)
 ● F is given as a circuit of AND and XOR gates

Fully Homomorphic Encryption (FHE): Two Important Properties
 ● Definition: (KeyGen, Enc, Dec, Eval) as before
 ● Compactness: the length of c′ is independent of the size of F
 ● Circuit/Function privacy: c′ does not reveal any more information about F than the output F(x)
 ● Theorem [GHV’10]: “circuit privacy comes for free”: any (compact) FHE → (compact) circuit-private FHE. So FHE = compact FHE.

Fully Homomorphic Encryption: Background
 ► First defined: “privacy homomorphism” [RAD’78], using just integer addition and multiplication; their motivation: searching encrypted data
 ► Limited variants:
  – GM & Paillier: additively homomorphic
  – RSA & El Gamal: multiplicatively homomorphic. Textbook RSA: c_1 = m_1^e, c_2 = m_2^e, …, c_n = m_n^e, and c* = c_1·c_2·…·c_n = (m_1·m_2·…·m_n)^e mod N
  – BGN’05 & GHV’10: quadratic formulas
 ► NON-COMPACT homomorphic encryption:
  – SYY’99 & MGH’08: c* grows exponentially with the degree/depth
  – IP’07: works for branching programs
 ► Big breakthrough: [Gentry09], the first construction of fully homomorphic encryption, using algebraic number theory & “ideal lattices”
 ► Is there an elementary construction of FHE? One that is easier to understand, implement and improve?

Our Result
 Theorem [DGHV’10]: There exists a fully homomorphic public-key encryption scheme
  – which uses only addition and multiplication over the integers,
  – which is secure based on the approximate GCD problem & the sparse subset sum problem.

Construction

A Roadmap
 1. Secret-key “Somewhat” Homomorphic Encryption
 2. Public-key “Somewhat” Homomorphic Encryption (fairly generic transformation)
 3. Public-key FULLY Homomorphic Encryption (borrows from Gentry’s techniques)

Secret-key Homomorphic Encryption (security parameter n)
 ● Secret key: an n^2-bit odd number p
 ● To encrypt a bit b:
  – pick a random “large” multiple of p, say q·p (q ~ n^5 bits)
  – pick a random “small” even number 2·r (r ~ n bits): the “noise”
  – ciphertext c = q·p + 2·r + b
 ● To decrypt a ciphertext c:
  – c (mod p) = 2·r + b (mod p) = 2·r + b, since 2·r + b is much smaller than p
  – read off the least significant bit

Secret-key Homomorphic Encryption: How to Add and Multiply Encrypted Bits
 ● Adding or multiplying two near-multiples of p gives a near-multiple of p.
 ● c_1 = q_1·p + (2·r_1 + b_1), c_2 = q_2·p + (2·r_2 + b_2)
 ● c_1 + c_2 = p·(q_1 + q_2) + [2·(r_1 + r_2) + (b_1 + b_2)], and the bracket is ≪ p: LSB = b_1 XOR b_2
 ● c_1·c_2 = p·(c_2·q_1 + c_1·q_2 − q_1·q_2) + [2·(2·r_1·r_2 + r_1·b_2 + r_2·b_1) + b_1·b_2], and the bracket is ≪ p: LSB = b_1 AND b_2
 (the noise of a product is (2·r_1 + b_1)·(2·r_2 + b_2), which is still even plus b_1·b_2)

Problems
 ● Ciphertext grows with each operation
 ● Noise grows with each operation
  – Consider c = q·p + 2·r + b ← Enc(b). Decryption works only while the noise 2·r + b stays below p; once the accumulated noise crosses a multiple of p, c (mod p) = r′ ≠ 2·r + b and lsb(r′) ≠ b.
 ● Useless for many applications (cloud computing, searching encrypted data)
 ● Can perform only a “limited” number of homomorphic operations
 ● What we have: “Somewhat Homomorphic” Encryption
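The secret-key scheme of the two slides above, together with the noise budget that makes it only “somewhat” homomorphic, as an added worked example that is not code from the talk or the paper. It is Python with toy parameters chosen here (a 64-bit p, 128-bit q, 7-bit r, instead of the talk’s n^2, n^5 and n bits), and the helper names are this example’s own. It checks that c_1 + c_2 and c_1·c_2 decrypt to XOR and AND for every input pair, tracks the exact noise product while multiplying fresh encryptions of 1, and reports at which multiplication the noise reaches p/2 (the point where the LSB of c mod p stops being the message).

```python
import random


def keygen(rng, p_bits):
    """Secret key: an odd p (the talk takes p to be n^2 bits for security parameter n)."""
    return rng.getrandbits(p_bits) | 1 | (1 << (p_bits - 1))


def encrypt(rng, p, bit, q_bits, r_bits):
    """c = q*p + 2*r + bit: q is the 'large' multiplier (n^5 bits in the talk),
    2*r the 'small' even noise (r ~ n bits)."""
    q = rng.getrandbits(q_bits)
    r = rng.getrandbits(r_bits)
    return q * p + 2 * r + bit


def noise(p, c):
    """Centered residue of c mod p, in (-p/2, p/2]. It equals the noise term 2r+b
    exactly as long as |2r+b| < p/2, which is what decryption relies on."""
    res = c % p
    return res - p if res > p // 2 else res


def decrypt(p, c):
    """Least significant bit of the (centered) residue c mod p.
    Python's % 2 on a negative int still gives its parity."""
    return noise(p, c) % 2


def truth_table(rng, p, q_bits, r_bits):
    """Decrypt c1 + c2 and c1 * c2 for every pair of input bits: expect XOR and AND."""
    table = {}
    for b1 in (0, 1):
        for b2 in (0, 1):
            c1 = encrypt(rng, p, b1, q_bits, r_bits)
            c2 = encrypt(rng, p, b2, q_bits, r_bits)
            table[(b1, b2)] = (decrypt(p, c1 + c2), decrypt(p, c1 * c2))
    return table


def multiplications_until_failure(rng, p, q_bits, r_bits, limit=64):
    """Multiply fresh encryptions of 1 together while tracking the exact noise
    product (2r1+1)(2r2+1)...; return the number of the multiplication at which
    it exceeds p/2, i.e. the point where decryption can no longer be trusted."""
    acc = encrypt(rng, p, 1, q_bits, r_bits)
    acc_noise = noise(p, acc)                      # exact for a fresh ciphertext
    for k in range(1, limit + 1):
        c = encrypt(rng, p, 1, q_bits, r_bits)
        acc, acc_noise = acc * c, acc_noise * noise(p, c)
        if acc_noise > p // 2:
            return k
    return limit


def demo(seed=1, p_bits=64, q_bits=128, r_bits=7):
    """Toy parameters chosen for this example; returns the observations as a dict."""
    rng = random.Random(seed)
    p = keygen(rng, p_bits)
    c = encrypt(rng, p, 1, q_bits, r_bits)
    return {
        "truth_table": truth_table(rng, p, q_bits, r_bits),
        "mults_until_failure": multiplications_until_failure(rng, p, q_bits, r_bits),
        "fresh_bits": c.bit_length(),
        "squared_bits": (c * c).bit_length(),     # ciphertext length doubles per multiplication
    }


if __name__ == "__main__":
    print(demo())
```

With a 7-bit r every fresh noise term is below 2^8, so at least seven multiplications must succeed before the product can reach 2^62; the exact count varies with the random r values, which is why the check below is a range rather than one number.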

Public-key Homomorphic Encryption
 ● Secret key: an n^2-bit odd number p
 ● Public key: [q_0·p + 2·r_0, q_1·p + 2·r_1, …, q_t·p + 2·r_t] = (x_0, x_1, …, x_t)
  – t+1 “near-multiples” of p, with even noise
  – w.l.o.g., x_0 = q_0·p + 2·r_0 is the largest
 ● To encrypt a bit b: pick a random subset S ⊆ [1…t] and set c = Σ_{i∈S} x_i + b (mod x_0)
  – c = Σ_{i∈S} x_i + b − k·x_0 (for a small k)
    = p·[Σ_{i∈S} q_i − k·q_0] + 2·[Σ_{i∈S} r_i − k·r_0] + b
    = (multiple of p) + (“small” even noise) + b
 ● To decrypt a ciphertext c:
  – c (mod p) = 2·r + b (mod p) = 2·r + b
  – read off the least significant bit
 ● Eval (as before), but reduce mod x_0 after each operation: ciphertext size reduction
  – resulting ciphertext < x_0
  – underlying bit is the same (since x_0 has even noise)
  – noise does not increase by much (*)
  (*) additional tricks are needed for multiplication

A Roadmap
 ✓ 1. Secret-key “Somewhat” Homomorphic Encryption
 ✓ 2. Public-key “Somewhat” Homomorphic Encryption
 3. Public-key FULLY Homomorphic Encryption

How “Somewhat” Homomorphic is this?
 ● Say the noise in each Enc(x_i) is < 2^n.
 ● Then the scheme can evaluate a (multivariate) polynomial with m terms and maximum degree d, for instance
   f(x_1, …, x_t) = x_1·x_2·…·x_d + … + x_{t−d+1}·x_{t−d+2}·…·x_t,
  as long as the final noise ~ (2^n)^d + … + (2^n)^d = m·(2^n)^d stays below p ≈ 2^{n^2}; beyond that, decryption reads a wrong bit.
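The bound on the slide, carried through to the degree the scheme can reach, as an added derivation (not on the slide) in the slide’s own symbols; it assumes, as the slide does, that fresh noise is below 2^n and that p has about n^2 bits:

```latex
% Degree-d monomials multiply at most d noise terms, each below 2^n; m of them add up.
\begin{aligned}
|\mathrm{noise}(f(c_1,\dots,c_t))| &\le m \cdot (2^n)^d = 2^{\,nd + \log_2 m}, \\
\text{correct decryption needs}\quad 2^{\,nd + \log_2 m} &< p/2 \approx 2^{\,n^2 - 1}, \\
\text{i.e.}\quad d &< n - \frac{1 + \log_2 m}{n}.
\end{aligned}
```

For polynomially many terms the second summand is negligible, so the evaluable degree is essentially n, which is the “polynomials of degree < n” of the next slide.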

From “Somewhat” to “Fully”
 ● “Somewhat” HE → “Bootstrappable” → FHE (= can evaluate all functions)
 ● Theorem [Gentry’09]: any “bootstrappable” scheme can be converted into an FHE.
 ● “Bootstrappable” means the scheme can evaluate its own augmented decryption circuit: the circuit that takes sk, c_1, c_2 and outputs Dec(sk, c_1) NAND Dec(sk, c_2).

Is our Scheme “Bootstrappable”?
 ● What functions can the scheme Eval? Polynomials of degree < n.
 ● Complexity of the (augmented) decryption circuit: a polynomial of degree ~ n^2, so the scheme cannot evaluate it as is (?)
 ● Can be made bootstrappable, similar to Gentry’09
  – Caveat: assumes hardness of the “Sparse Subset Sum” problem

Security (of the “somewhat” homomorphic scheme)

The Approximate GCD Assumption (coined by Howgrave-Graham)
 ● Parameters of the problem: three numbers P, Q and R
 ● Sample: odd p ← [0…P]; q_i ← [0…Q]; r_i ← [−R…R]; give out (q_1·p + r_1, …, q_t·p + r_t)
 ● Assumption: no PPT adversary can guess the number p

Proof of security: Approximate GCD ⇒ Semantic Security
 ● Approximate GCD: no PPT adversary can guess p from (q_1·p + r_1, …, q_t·p + r_t)
 ● Semantic security [GM’82]: no PPT adversary can guess the bit b from PK = (q_0·p + 2·r_0, {q_i·p + 2·r_i}) and Enc(b) = q·p + 2·r + b
 ● The proof shows that the first implies the second

A “Taste” of the Security Proof
 ● Setup: Adversary A is an encryption breaker: given PK and Enc(b), it guesses b with probability 1/2 + ε. From A we build Adversary B, an approximate-GCD solver: given {q_i·p + r_i}, B outputs p.
  – PK = {q_i·p + 2·r_i}
  – Enc(b) = q·p + r, where lsb(r) = b
 ● Technical details:
  – Random noise vs. even noise: B’s samples carry arbitrary noise r_i, while the public key needs even noise 2·r_i
  – Distribution of ciphertexts: q·p + r vs. c = Σ_{i∈S} x_i + b (mod x_0); the two are statistically close, by the Leftover Hash Lemma
 ● Success amplification: boost A from 1/2 + ε to 1 − 1/poly(n). So, given c = q·p + r, B can compute lsb(r).
 ● Computing lsb(q) and lsb(r) are equivalent: lsb(q) = lsb(r) ⊕ lsb(c), since p is odd.
 ● Computing q and p are equivalent: given c = q·p + r and q, p = round(c/q), because |r/q| < 1/2.
 ● The idea: use lsb(q) to make q successively smaller (a new trick, inspired by the binary GCD algorithm):
  – If lsb(q) = 0, c ← [c/2] (new c = (q/2)·p + [r/2])
  – If lsb(q) = 1, c ← [(c − p)/2] (new c = ((q − 1)/2)·p + [r/2])
  – The second step uses p, which B does not have; the next slide replaces it with a second near-multiple of p.

A “Taste” of the Security Proof: Binary-GCD on near-multiples
 ● Given two near-multiples z_1 = q_1·p + r_1 and z_2 = q_2·p + r_2:
  – Get b_i := lsb(q_i) from the predictor; if z_1 < z_2, swap them
  – If b_1 = b_2 = 1, set z_1 ← z_1 − z_2 and b_1 ← b_1 − b_2 (mod 2) (at least one of the b_i’s must be zero now!)
  – For any b_i = 0, set z_i ← [z_i/2] (the new q_i is half the old q_i!)
  – Repeat until one z_i is zero, and let z* be the other
 ● At the end, z* = gcd(q_1, q_2)·p + r* = 1·p + r* (for random q_1 and q_2, gcd(q_1, q_2) = 1 with constant probability)
 ● Run Binary-GCD(z*, z_i); the intermediate bits spell out the q_i
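The binary-GCD reduction of the last two slides run end to end, as an added example that is not the authors’ code (Python, toy sizes chosen here). The lsb(q) predictor that the proof obtains from the amplified encryption breaker is simulated by an oracle that cheats with p (labelled as such in the code); everything else, the swap/subtract/halve loop on two near-multiples, reading the bits of q_i against z*, and recovering p as round(z_i/q_i), uses only the oracle and the samples. The halving that drives the loop keeps the noise within its original bound, and when the odd part of gcd(q_1, q_2) is not 1 the candidate is a multiple of p, so the candidate is checked against every sample and another pair is tried.

```python
import random


def halve(z):
    """Integer halving that rounds toward zero, so a leftover residue of -1 reaches 0 and the loops end."""
    return z // 2 if z >= 0 else -((-z) // 2)


def make_lsb_q_oracle(p):
    """Stand-in for the proof's lsb(q) predictor (lsb(q) = lsb(r) XOR lsb(c) from the amplified
    encryption breaker). This example's oracle simply uses p; it is exact while |r| < p/2."""
    def oracle(z):
        q = (z + p // 2) // p          # nearest integer to z / p
        return q & 1
    return oracle


def binary_approx_gcd(z1, z2, oracle):
    """Binary GCD driven only by lsb(q_i) answers. Returns z* = g*p + r*,
    where g is the odd part of gcd(q1, q2) (1 with constant probability for random q's)."""
    while z1 != 0 and z2 != 0:
        if z1 < z2:
            z1, z2 = z2, z1
        b1, b2 = oracle(z1), oracle(z2)
        if b1 == 1 and b2 == 1:
            z1 -= z2                   # q1 <- q1 - q2 (now even); |noise| stays within its bound
            b1 = 0
        if b1 == 0:
            z1 = halve(z1)             # q1 <- q1 / 2
        if b2 == 0:
            z2 = halve(z2)             # q2 <- q2 / 2
    return z1 if z1 != 0 else z2


def recover_q(z, z_star, oracle):
    """Run the same steps against z* (whose multiplier is 1): each round emits lsb(q)
    and then shifts q right, so the answers spell out q from the least significant bit up."""
    bits = []
    while z != 0:
        b = oracle(z)
        bits.append(b)
        if b == 1:
            z -= z_star                # q <- q - 1
        z = halve(z)                   # q <- q / 2
    return sum(b << i for i, b in enumerate(bits))


def is_near_multiple(z, p, bound):
    res = z % p
    if res > p // 2:
        res -= p
    return abs(res) <= bound


def recover_p(samples, oracle, noise_bound):
    """Try sample pairs until the candidate p explains every sample (rules out the g != 1 cases)."""
    for i in range(len(samples)):
        for j in range(i + 1, len(samples)):
            z_star = binary_approx_gcd(samples[i], samples[j], oracle)
            q_i = recover_q(samples[i], z_star, oracle)
            if q_i == 0:
                continue
            cand = (samples[i] + q_i // 2) // q_i       # round(z_i / q_i) = p when |r_i| < q_i / 2
            if cand > 1 and all(is_near_multiple(z, cand, noise_bound) for z in samples):
                return cand
    return None


def demo(seed=1, p_bits=64, q_bits=128, noise_bits=16, n_samples=6):
    """Toy instance chosen for this example: returns True iff the secret p is recovered."""
    rng = random.Random(seed)
    p = rng.getrandbits(p_bits) | 1 | (1 << (p_bits - 1))
    bound = 1 << noise_bits
    samples = [rng.getrandbits(q_bits) * p + rng.randint(-bound, bound) for _ in range(n_samples)]
    return recover_p(samples, make_lsb_q_oracle(p), bound) == p


if __name__ == "__main__":
    print(demo())
```

A hand-sized trace for p = 101: z_1 = 6·101 − 2 = 604 and z_2 = 4·101 + 3 = 407 reduce to z* = 100 = p − 1, reading q_1 against that z* gives the bits 0, 1, 1 (q_1 = 6), and round(604/6) = 101.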

How Hard is Approximate GCD?
 ● Studied by [Lag82, Cop97, HG01, NS01] (equivalent to “simultaneous Diophantine approximation”)
 ● Lattice-based attacks:
  – Lagarias’ algorithm
  – Coppersmith’s algorithm for finding small polynomial roots
  – Nguyen/Stern and Regev’s orthogonal lattice method
 ● All run out of steam when log Q > (log P)^2 (our setting of parameters: log Q = n^5, log P = n^2)
 ● Caveat: in crypto, we need average-case hardness

Algorithms for Approx GCD: A Template (follows Lagarias’82)
 ● Create a lattice basis B whose rows span a (t+1)-dimensional lattice:
   b_1 = (R, x_1, x_2, …, x_t)
   b_2 = (0, −x_0, 0, …, 0)
   b_3 = (0, 0, −x_0, …, 0)
   …
   b_{t+1} = (0, 0, …, 0, −x_0)
  – Length of the basis vectors ~ QP (or more)
 ● (q_0, q_1, …, q_t)·B is a short lattice vector:
  – 1st entry = q_0·R < QR
  – i-th entry (i > 1) = q_0·(q_i·p + r_i) − q_i·(q_0·p + r_0) = q_0·r_i − q_i·r_0, which is < QR in absolute value
  – so ||(q_0, q_1, …, q_t)·B||_2 ≲ QR
 ● Try to find this short vector using (say) LLL

When will this Algorithm Succeed?
 ● Need t to be large (> log Q / log P)
  – If t is small, then (q_0, q_1, …, q_t)·B is not the shortest vector
  – Minkowski: the lattice has a vector shorter than det(B)^{1/(t+1)} ≈ [(QP)^t·R]^{1/(t+1)}; for our vector to be the shortest we need this > QR, i.e. t > log Q / log P
 ● If t is large, LLL (& co.) perform badly
  – Set log Q = ω(log^2 P). Then t = ω(log P)
  – LLL only finds vectors of size 2^{O(t)}·det(B)^{1/(t+1)} ≫ QR, and exponentially many lattice vectors are shorter than that
  – Contemporary lattice reduction is not strong enough
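The Lagarias template of the two slides above carried out with a textbook LLL, as an added example (Python; not the authors’ code and not an attack they ran). The parameters are toy ones chosen here, log Q = 16 and log P = 48, deliberately far inside the regime log Q ≪ (log P)^2 where the slide says lattice attacks work, with t = 4 > log Q / log P. The LLL is exact rational arithmetic written for this example (fine in dimension 5, useless at the talk’s t = ω(log P); a real attempt would use fplll). The attack reads q_0 off the first coordinate of the reduced basis’s first vector, which is ±q_0·R when that vector is ±(q_0, …, q_t)·B, and returns round(x_0/q_0). In this toy regime the target vector is shorter than 2^{−t/2} times every lattice vector that is not a multiple of it, so LLL’s approximation factor cannot miss it; the example shows the attack working where it should, and says nothing about the talk’s real parameters.

```python
import random
from fractions import Fraction
from functools import reduce
from math import gcd


def dot(u, v):
    return sum(a * b for a, b in zip(u, v))


def gram_schmidt(b):
    """Exact Gram-Schmidt: b*_i and mu[i][j] = <b_i, b*_j> / <b*_j, b*_j>."""
    n = len(b)
    bstar, mu = [], [[Fraction(0)] * n for _ in range(n)]
    for i in range(n):
        v = [Fraction(x) for x in b[i]]
        for j in range(i):
            mu[i][j] = Fraction(dot(b[i], bstar[j])) / dot(bstar[j], bstar[j])
            v = [vi - mu[i][j] * wj for vi, wj in zip(v, bstar[j])]
        bstar.append(v)
    return bstar, mu


def lll(basis, delta=Fraction(3, 4)):
    """Textbook LLL (size reduction + Lovasz swaps) over the rationals; it recomputes
    Gram-Schmidt from scratch after every change, which is fine for a 5-row basis."""
    b = [list(row) for row in basis]
    n = len(b)
    bstar, mu = gram_schmidt(b)
    k = 1
    while k < n:
        for j in range(k - 1, -1, -1):
            m = round(mu[k][j])                  # nearest integer (Fraction rounds to int)
            if m:
                b[k] = [x - m * y for x, y in zip(b[k], b[j])]
                bstar, mu = gram_schmidt(b)
        if dot(bstar[k], bstar[k]) >= (delta - mu[k][k - 1] ** 2) * dot(bstar[k - 1], bstar[k - 1]):
            k += 1                               # Lovasz condition holds, move on
        else:
            b[k], b[k - 1] = b[k - 1], b[k]
            bstar, mu = gram_schmidt(b)
            k = max(k - 1, 1)
    return b


def lagarias_basis(xs, R):
    """Rows: (R, x_1, ..., x_t) and, for i = 1..t, -x_0 in column i (the slide's matrix B)."""
    x0, rest = xs[0], xs[1:]
    rows = [[R] + rest]
    for i in range(len(rest)):
        row = [0] * (len(rest) + 1)
        row[i + 1] = -x0
        rows.append(row)
    return rows


def approx_gcd_attack(xs, R):
    """If LLL's first vector is +-(q0, ..., qt)*B, its first coordinate is +-q0*R."""
    v = lll(lagarias_basis(xs, R))[0]
    q0 = abs(v[0]) // R
    if q0 == 0:
        return None
    return (xs[0] + q0 // 2) // q0               # p = round(x0 / q0), exact since |r0| << q0


def demo(seed=7, p_bits=48, q_bits=16, R=16, t=4):
    """Toy instance chosen for this example: x_i = q_i*p + r_i with |r_i| <= R.
    gcd(q) = 1 makes the target vector primitive, so LLL cannot return a multiple of it."""
    rng = random.Random(seed)
    p = rng.getrandbits(p_bits) | 1 | (1 << (p_bits - 1))
    while True:
        qs = [rng.getrandbits(q_bits) | (1 << (q_bits - 1)) for _ in range(t + 1)]
        if reduce(gcd, qs) == 1:
            break
    xs = sorted((q * p + rng.randint(-R, R) for q in qs), reverse=True)   # x0 = largest
    return approx_gcd_attack(xs, R) == p


if __name__ == "__main__":
    print(demo())
```

To see the slide’s “need t > log Q / log P” bite, lower t to 0 or 1 in `demo`: the target is then no longer the shortest vector and the candidate is wrong; to see the 2^{O(t)} loss, one would have to grow t into the hundreds, at which point this exact-arithmetic LLL is also the wrong tool.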

Future Directions
 ● Efficient fully homomorphic encryption (currently: an n^8 factor blow-up in running time)
 ● Efficiency for special-purpose tasks

Questions?
 [1] “Fully Homomorphic Encryption over the Integers”, to appear in Eurocrypt 2010.

Parameter Regimes (backup slide; plot of size, on a log scale, against t)
 ● Curves shown: the solution we are seeking; the auxiliary solutions (Minkowski’s bound), which converge to ~ log Q + log P as t grows; what LLL can find, ≈ min(blue, purple) + t
 ● The t axis is marked at t = log Q / log P, the point where the blue line (our solution) stops staying above the purple line (Minkowski’s bound)