FHE Introduction Nigel Smart Avoncrypt 2015

Homomorphic Encryption Some encryption schemes are multiplicative homomorphic (M1 M2)e = (M1e) * (M2e) Some encryption schemes are additively homomorphic (Gm+n * Hr+s ) = (Gm * Hr ) * (Gn * Hs ) Problem is to come up with schemes which are both

Additively Homomorphic Schemes Schemes which support addition e.g. Paillier, ElGamal in exponent, ElGamal in Paillier group etc have wide application Electronic voting protocols Key splitting protocols These are practical and deployed in various situations.

Mult+Add + + + + + * x * y * * * Every function can be represented by a sequence of additions and multiplications over a ring R So called arithmetic circuit description * + + + x * + + y * * *

Mult+Add Suppose we have an encryption scheme which can support homomorphic encryption and multiplication Denote encryption via a box [x], then we have the equations [x +y] = [x] + [y] [x * y] = [x] * [y] We could then evaluate the circuit

Mult + Add Assume data, x, is in some finite ring R A ciphertext, [x], also lives in a ring C The plaintext operations + and * are on elements in R. The ciphertext operations + and * are on elements in C. Big Idea: If we could do this we could compute on encrypted data and outsource computation.

Require Fully Homomorphic Encryption (FHE) Data Owner Server a b F(X,Y) [a] [b] F(X,Y) DECRYPT [F(a,b)] F(a,b) We want the computation of F(a,b) to be done on the server without interation Require Fully Homomorphic Encryption (FHE) i.e. the encryption algorithm supports operations ⊕ and ⊗ This is very slow! Data is placed on the server Server performs some computation Ciphertext returned to the data owner Data owner then decrypts.

The process of given [a] and [b] and F and producing [F(a,b)] we call Eval. So if F is a function with one input we would have Eval(F,[x]) = [F(x)] We require that the size of the output ciphertext [F(x)] does not depend on F. Otherwise trivial solution is output (F,[x]) The only thing which depends on F is the complexity of performing the Eval operation

Practical Instantiations All encryption schemes supporting addition AND multiplications are based on lattices. All systems have the following property A ciphertext has an implicit noise quantity N. A fresh (newly encrypted ciphertext) has a small value of N. Adding ciphertexts with noise N and N’ produces one with noise N+N’ Multiplying ciphertexts with noise N and N’ produces one with noise M(N,N’) for some function M. Exact M depends on the scheme

Somewhat Homomorphic Encryption When noise gets too big a ciphertext will not decrypt correctly. This implies a bound on the complexity of the circuit a scheme can evaluate. Such schemes are called “Somewhat” homomorphic as opposed to “Fully” homomorphic. SHE vs FHE We can (sometimes) produce a FHE scheme from an SHE scheme using a process called bootstrapping.

Bootstrapping Let D(s,c) be the decryption function of the scheme. Now think of D(s,c) as a function of the secret key s only. So for each c we define a new function Dc(s) Suppose Dc(s) is simple enough to be evaluated by the SHE scheme (with a little more room afterwards). Publish an encryption of s, i.e. Output [s]

Eval(Dc(.), [s]) = [Dc(s)] = [m] = c’ Bootstrapping Recall Eval(F, [x]) = [F(x)] Take a ciphertext c=[m] encrypting a message m. So take F(x)= Dc(x) then and use the encrypted secret key [s] to obtain Eval(Dc(.), [s]) = [Dc(s)] = [m] = c’ So Eval produces a new encryption of m. We “gain” if the noise in c’ is less than the noise in c.

Bootstrapping This works when the “circuit” for decryption is simple. Most lattice schemes have low decryption circuit complexity. Thus this is where we find FHE schemes living Also lattices allow easy creation of SHE schemes to start with as well.

Example Scheme (BGV) We keep a high level view, and hide many details Let R be a ring of polynomials over the integers R=Z[X]/F(X) Let Rq denote the same ring but also reduced mod q, for a prime q. Rq =Zq [X]/F(X) Let plaintext space be Rp for a prime p ≠ q Let secret key be a small element s in Rq

Example Scheme (BGV) To encrypt we Pick a small “noise” value e in Rq Pick a random element a in Rq Set b = m + p*e + a*s As described this is a symmetric key scheme, but we are keeping things simple. To decrypt we compute b-a*s mod q = m + p*e and then take the result modulo p.

B-A*s = p*(e+e’) + (m+m’) Example Scheme (BGV) Take two ciphertexts (a,b) and (a’,b’) b=a*s+p*e+m b’=a’*s+p*e’+m’ Clearly additively homomorphic: A=a+a’ B=b+b’ B-A*s = p*(e+e’) + (m+m’) Noise is additive e+e’

C – B*s + A*s2 = (b-a*s)*(b’-a’*s) Example Scheme (BGV) Multiplication more complex, basically take tensors of ciphertexts and decrypt under the tensor secret key A=a*a’ B=a*b’+a’*b C=b*b’ Then C – B*s + A*s2 = (b-a*s)*(b’-a’*s) = m*m’ + p* noise Noise is multiplicative noise ≈ e*e’

C – B*s + A*s2 = (b-a*s)*(b’-a’*s) Example Scheme (BGV) C – B*s + A*s2 = (b-a*s)*(b’-a’*s) We can “relinearize” (A,B,C) to get back a two element ciphertext (A’,B’) such that B- A *s = m*m’ + p * noise This is a process called “key switching” Details not given here

In Practice We have practical and efficient SHE schemes for reasonable size values of plaintext moduli p. Depth is limited really to small values(<10) Mainly focused on multiplicative depth as this is where the main noise comes from Making efficient bootstrapping impossible.

In Practice Some application can be enabled using low depth SHE Statistical calculations : std-dev. Fourier Transforms + Masking. Preprocessing for MPC (SPDZ protocol). EU project HEAT looking into practical use-cases for low depth SHE based systems.

Questions?