FULLY HOMOMORPHIC ENCRYPTION WITH POLYLOG OVERHEAD Craig Gentry and Shai Halevi IBM Watson Nigel Smart Univ. Of Bristol

Homomorphic Encryption Usual procedures (KeyGen,Enc,Dec) Say, encrypting bits Usual semantic-security requirement (pk, Enc pk (0)) ~ (pk, Enc pk (1)) Additional Eval procedure Evaluate arithmetic circuits on ciphertexts Result decrypted to the evaluation of the same circuit on the underlying plaintext bits Ciphertext does not grow with circuit complexity This work: asymptotically efficient Eval

Contemporary HE Schemes

Our Result # of levelstime per level

Our Approach Use HE over polynomial rings Pack an array of bits in each ciphertext Use ring-automorphisms to move bits around in the arrays Efficient data-movement schemes Using Beneš/Waksman networks and extensions

BACKGROUND Homomorphic Encryption over Polynomials Rings Evaluation representation, plaintext slots Homomorphic SIMD operations

HE Over Polynomial Rings

Plaintext Algebra (1)

Plaintext Algebra (2) 32T: T: T: T: T: T:

Plaintext Slots

Homomorphic SIMD [SV’11]

We will use this later x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 13 x x1x1 00x4x4 0x6x6 0 0x9x9 x 10 0x 12 0x 14 x x = = + x1x1 x9x9 x 10 x4x4 x 12 x6x6 x 14

COMPUTING ON DATA ARRAYS Forget about encryption for the moment…

So you want to compute some function… x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 21 x 22 x 23 x 24 x 25 x 26 ADD and MUL are a complete set of operations. Input bits

x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 21 x 22 x 23 x 24 x 25 x 26 x 15 x 16 x 17 x 18 x 19 x 21 x8x8 x9x9 x 10 x 11 x 12 x 14 x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x 22 x 23 x 24 x 25 x 26 Input bits ××××××××××× So you want to compute some function using SIMD…

Routing Values Between Levels We need to map this Into that x 15 x 16 x 17 x 18 x 19 1x 21 x8x8 x9x9 x 10 x 11 x 12 1x 14 x1x1 x2x2 x3x3 x4x4 x5x5 0x7x7 x 22 x 23 x 24 x 25 x 26 x 15 x 17 x 19 x 21 x 23 x 25 x2x2 x4x4 0x8x8 x 10 x 12 x 14 x1x1 x3x3 x5x5 x7x7 x9x9 x 11 1 x 16 x 18 1x 22 x 24 x

x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x1x1 x3x3 x5x5 **** x1x1 x2x2 x3x3 x4x4 x5x x1x1 x3x3 x5x5 0000x2x2 x4x x2x2 x4x4 *****

0 x1x1 x2x2 x3x3 x4x4 x5x5 x1x1 x3x3 x5x5 0000x2x2 x4x x1+x2x1+x2 x3+x4x3+x4 x5x5 0000

01 1 x1x1 x2x2 x3x3 x4x4 x5x5 x7x7 x8x8 x9x9 x 10 x 11 x 12 x 14 x 15 x 16 x 17 x 18 x 19 x 21 x 22 x 23 x 24 x 25 x 26 Input bits ××××××××××× Not quite obvious

Routing Values Between Levels: Three Problems to Solve

Moving Values Between Slots 32T: T: T: T: T: T:

Moving Values Between Slots

Homomorphic Automorphisms

From Shifts to Arbitrary Permutations

Use Beneš/Walksman Permutation Networks: Two back-to-back butterflies Every exchange is controlled by a bit Values sent on either straight edges or cross edges Every permutation can be realized by appropriate setting of the control bits

Realizing Permutation Networks Claim: every butterfly level can be realized by two shifts and two SELECTs Example: Control bits:

Realizing Permutation Networks shift(-2) shift(2) input output a1a1 a2a2 a3a

Realizing Permutation Networks shift(-2) shift(2) input output a1a1 a2a2 a3a SELECT(a 1,a 2 ) SELECT(a 3,a 4 ) a4a4 a5a5

Realizing Permutation Networks Claim: every level of the Benes network can be realized by two shifts and two SELECTs Proof : In every level, all the exchanges are between nodes at the same distance Distance 2 i for some i Can implement all these exchanges using shift(2 i ), shift(-2 i ), and two SELECTs

Realizing Permutation Networks

Routing Values Between Levels see paper

Handling Large Permutations

Decomposing Permutations ?

Decomposing Permutations ?

Decomposing Permutations ?

Decomposing Permutations ?

Decomposing Permutations ?

? Decomposing Permutations

Handling Large Permutations

Permuting The Columns         Implement a Beneš network over each column

Permuting The Columns         First level in all the networks        

Permuting The Columns Second level in all the networks                , etc.

Handling Large Permutations

Routing Values Between Levels see paper

Low Overhead Homomorphic Encryption

QUESTIONS?

Fan-Out and Cloning x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x x 15 x 16 x 17 x 18 x 19 x 20 x x8x8 x9x9 x 10 x 11 x 12 x 13 x 14 variables intended multiplicity

Fan-Out and Cloning x1x1 x2x2 x3x3 x4x4 x5x5 x6x6 x7x x 15 x 16 x 17 x 18 x 19 x 20 x x8x8 x9x9 x 10 x 11 x 12 x 13 x x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x x7x7 x8x8 x 12 x 14 x 16 x 18 x x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 Sort by intended multiplicity:

Fan-Out and Cloning x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x x7x7 x8x8 x 12 x 14 x 16 x 18 x x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 433 x 11 x2x2 x x 11 x2x2 x 17 Replicate Replicate and shift

Fan-Out and Cloning x 11 x2x2 x 17 x 11 x2x2 x x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x x7x7 x8x8 x 12 x 14 x 16 x 18 x x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 Merge

Fan-Out and Cloning x 11 x2x2 x 17 x 11 x2x2 x 17 x1x x5x5 x6x6 x9x9 x 10 x 13 x 15 x 19 2 x x 11 x2x2 x 17 x 11 x2x2 x 17 x1x x5x5 x6x6 x9x9 x 10 x 13 x 15 x x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x x7x7 x8x8 x 12 x 14 x 16 x 18 x x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 2 Replicate, shift, merge Replicate, shift

Fan-Out and Cloning x 11 x2x2 x 17 x 11 x2x2 x 17 x1x x5x5 x6x6 x9x9 x 10 x 13 x 15 x x x 11 x2x2 x 17 x 11 x2x2 x 17 x1x x5x5 x6x6 x9x9 x 10 x 13 x 15 x x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x x7x7 x8x8 x 12 x 14 x 16 x 18 x x 10 x 13 x 15 x 19 x 21 x3x3 x4x4 Merge

Fan-Out and Cloning x 11 x2x2 x 17 x 11 x2x2 x 17 x1x x5x5 x6x6 x9x9 x 10 x 13 x 15 x x 11 x2x2 x 17 x 11 x2x2 x 17 x1x x5x5 x6x6 x9x9 x 10 x 13 x 15 x x 11 x2x2 x 17 x1x1 x5x5 x6x6 x9x x7x7 x8x8 x 12 x 14 x 16 x 18 x x 10 x 13 x 15 x 19 x 21 x3x3 x4x x3x3 x4x x7x7 x8x8 x 12 x 14 x 16 x 18 x 20 Copy, merge Copy Each variable appears at least as much as needed