1 Information Security – Theory vs. Reality , Winter Lecture 10: Garbled circuits (cont.), fully homomorphic encryption Eran Tromer

2 Garbled circuits 2

3 Garbled circuits: construction (summary of whiteboard discussion) The garbled circuits Choose random keys for each value for each wire. Output: Gate tables (double-encryption of output keys under input keys, permuted) Keys of output wires The garbled inputs Keys for chosen values in input wires Evaluation Gate-by-gate, using double decryption.

4 Garbled circuits: variants of functionality Offline-online evaluation for public circuits –Circuit C is public, Alice chooses x, Bob learns C(x) and nothing else. Offline-online evaluation for secret circuits –Alice chooses circuit D and x, Bob learns D(x) and nothing else. –Obtained from previous by making C a universal circuit and plugging in the description of D. Secure two-party evaluation –Bob provides input, gets input keys from Alice using oblivious transfer Secret outputs –Compute in each direction, omitting sharing of result –Encrypt part of output intended for Alice

5 Fully Homomorphic Encryption

The goal Delegate processing of data without giving away access to it 6 of 32

Example 1: Private Search Delegate PROCESSING of data without giving away ACCESS to it ► You:Encrypt the query, send to Google (Google does not know the key, cannot “see” the query) ► Google:Encrypted query → Encrypted results (You decrypt and recover the search results) 7 of 32

Example 2: Private Cloud Computing Delegate PROCESSING of data without giving away ACCESS to it (Input: x)(Program: P) (Enc(x), P) → Enc(P(x)) Encrypt x 8 of 32

Fully Homomorphic Encryption Encrypted x, Program P → Encrypted P(x) Definition: ( KeyGen, Enc, Dec, Eval ) (as in regular public/private-key encryption) – If c = Enc ( PK, x ) and c′ = Eval ( PK, c, P ),  Compactness: Length of c′ independent of size of P  Security = Semantic Security [GM82]  Correctness of Eval: For every input x, program P then Dec ( SK, c’ ) = P(x). 9 of 32

Fully Homomorphic Encryption Function f x Enc(x) Eval: f, Enc(x)  Enc(f(x)) homomorphic evaluation Knows nothing of x. [Rivest-Adleman-Dertouzos’78] 10 of 32

Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – their motivation: searching encrypted data 11 of 32

– BGN’05 & GHV’10: quadratic formulas Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N ► NON-COMPACT homomorphic encryption: – SYY’99 & MGH’08: c* grows exp. with degree/depth – IP’07 works for branching programs – Based on Yao garbled circuits 12 of 32

Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ►Full-semester course ►Today: an alternative construction [DGHV’10]: Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” – easier to understand, implement and improve 13 of 32

Constructing fully-homomoprhic encryption assuming hardness of approximate GCD 14 of 32

A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 2. Public-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 3. Public-key FULLY Homomorphic Encryption (under approx GCD + sparse subset sum) (a simple transformation) (borrows from Gentry’s techniques) 15

Secret-key Homomorphic Encryption  Secret key: a large n 2 -bit odd number p  To Encrypt a bit b: – pick a random “large” multiple of p, say q·p – pick a random “small” even number 2·r – Ciphertext c = q·p+2·r+b  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) “noise” (sec. param = n) 16

Secret-key Homomorphic Encryption  How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2 17

Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted ) – Consider c = qp+2r+b ← Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r’ ≠ 2r+b r’ – lsb(r’) ≠ b 18

Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted )  Can perform “limited” number of hom. operations  What we have: “Somewhat Homomorphic” Encryption 19

Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 Δ – Wlog, assume that x 0 is the largest of them 20

c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ 21

c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (“small” even noise) + b 22

c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 23

c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 24

A Roadmap  Secret-key “Somewhat” Homomorphic Encryption  Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption 25

How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if d << n. f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x 2 ·x 5 ·x d-2 Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or m terms 26

“Somewhat” HE“Bootstrappable” From “Somewhat” to “Fully” FHE = Can eval all fns. Theorem [Gentry’09]: Convert “bootstrappable” → FHE. Augmented Decryption ckt. Dec NAND c1c1 sk c2c2 27

Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? Complexity of the (aug.) Decryption Circuit (?) Can be made bootstrappable – Similar to Gentry’09 Caveat: Assume Hardness of “Sparse Subset Sum” (polynomials of degree < n) (degree ~ n 1.73 polynomial) 28

Security (of the “somewhat” homomorphic scheme) 29

The Approximate GCD Assumption q 1 p+r 1 p? p q 1 ← [0…Q] r 1 ← [-R…R] odd p ← [0…P] (q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R 30

p? p Assumption: no PPT adversary can guess the number p Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q 0 p+2r 0,{q i p+2r i }) Enc(b) =(qp+2r+b) = (proof of security) (q 1 p+r 1,…, q t p+r t ) 31

Progress in FHE ►“Galactic” → Efficient – asymptotically: nearly linear-time* algorithms ► Strange assumptions → Mild assumptions – practically: – a few milliseconds for Enc, Dec [ LNV11,GHS11 ] – a few minutes for evaluating an AES block (amortized) [GHS12] *linear-time in the security parameter – Best Known [BGV11]: (leveled) FHE from worst-case hardness of n O(log n) -approx short vectors on lattices 32

Multi-key FHE Function f x1x1 c 1 = Enc(pk 1,x 1 ) x2x2 c 2 = Enc(pk 2,x 2 ) sk 1, pk 1 sk 2, pk 2 33

Multi-key FHE Function f x1x1 y = Eval(f,c 1,c 2 ) Dec(sk 1,sk 2 y)=f(x 1,x 2 ) Correctness: x2x2 sk 1, pk 1 sk 2, pk 2 Dec 34