Algebraic Lower Bounds for Computing on Encrypted Data. Rafail Ostrovsky, William E. Skeith III
Non-Interactive Crypto-Computing. A holds X and B holds Y; A wants to distribute the computation of f to B. A sends E(X), and B applies a function g to obtain g(E(X),Y) = E(f(X,Y)), with no further interaction.
Homomorphic Encryption and CC Homomorphic encryption is a very natural starting point, and the primary tool for many CC protocols: Let f be a function, and A some algebraic structure. –If f can be computed by the algebra of A and A is preserved via homomorphic encryption, –Then we have non-interactive CC of f
Algebraic Non-Interactive CC For a given algebraic structure, what can be accomplished with algebraic computation? Main question: which crypto-computing functions can we implement using known homomorphic cryptosystems?
Examples We’ll Study In an algebraic setting, we address the following: –Private Database Modification –Homomorphic PIR Protocols –Private Keyword Search
Algebraic Private Database Modification [BKOS]. The user U sends a modification message M_i = (g_1,…,g_m) to the database DB holding X = (x_1,…,x_n); the modified database is X' = F(x_1,…,x_n, g_1,…,g_m, h_1,…,h_r). All g_j, x_i, h_k ∈ A, and F is some “algebraic” function.
Homomorphic PIR Protocols [BGN,KO]. The user U sends a query Q_i = (g_1,…,g_m) to DB, which holds X ∈ A^n and returns F_X(g_1,…,g_m, h_1,…,h_r) = (x_{j_1},…,x_{j_l}). All g_j, h_k ∈ A, and F_X is some “algebraic” function determined by the database X.
Manuscript (2002) of Sander et al. The result uses techniques of Ben-Or. The cryptosystem from the manuscript was broken; however, an interesting question is asked: “ ”
Two Results A positive result: –Homomorphic encryption over any simple non-abelian group is equivalent to fully homomorphic encryption (preserving a ring). –Homomorphic encryption over any simple non-abelian group is equivalent to non-interactive CC. A family of negative results (i.e., lower bounds): –Using the algebras preserved by existing cryptosystems, we can show lower bounds for homomorphic PIR, database modification, characteristic vectors…
Our First Result: For any non-abelian simple group, the following holds: any circuit with N gates can be replaced by a circuit of size O(N) that uses only the group operation to simulate gates (wires carry group elements). Example: for A_5, we can represent a NAND gate with ≈ 50 group operations (this may not be minimal…).
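As an added illustration (not code from the slides or the authors' construction) of simulating a gate with group operations in A_5: a bit b is encoded as σ^b for a fixed 5-cycle σ, AND is one commutator of suitably conjugated encodings (Barrington's trick), and NAND is σ·(AND)^{-1}. The conjugators P, Q, R are found by brute-force search over A_5; the operation count here is not the slide's ≈ 50.

```python
from itertools import permutations

ID = (0, 1, 2, 3, 4)                  # a permutation p is a tuple: p[i] is the image of i
SIGMA = (1, 2, 3, 4, 0)               # the 5-cycle (0 1 2 3 4); encodes the bit 1

def compose(p, q):                    # the group operation: (p * q)(i) = p(q(i))
    return tuple(p[q[i]] for i in range(5))
def inverse(p):                       # p^-1; in a finite group this is a power of p
    inv = [0] * 5
    for i, v in enumerate(p):
        inv[v] = i
    return tuple(inv)

def is_even(p):
    return sum(1 for i in range(5) for j in range(i + 1, 5) if p[i] > p[j]) % 2 == 0
A5 = [p for p in permutations(range(5)) if is_even(p)]   # the 60 even permutations

def conj(p, g):                       # p * g * p^-1 re-encodes SIGMA^b as (p SIGMA p^-1)^b
    return compose(compose(p, g), inverse(p))

def commutator(a, b):                 # a * b * a^-1 * b^-1
    return compose(compose(a, b), compose(inverse(a), inverse(b)))

def find_gate_conjugators():
    # Search A5 for P, Q, R with [P SIGMA P^-1, Q SIGMA Q^-1] = R SIGMA R^-1, a 5-cycle
    # in SIGMA's conjugacy class. Such elements exist (Barrington); they make AND one commutator.
    for p in A5:
        a = conj(p, SIGMA)
        for q in A5:
            c = commutator(a, conj(q, SIGMA))
            if c != ID:
                for r in A5:
                    if conj(r, SIGMA) == c:
                        return p, q, r
    raise RuntimeError("no suitable conjugators found")

P, Q, R = find_gate_conjugators()

def encode(bit):
    return SIGMA if bit else ID
def decode(g):
    return 0 if g == ID else 1
def gate_and(x, y):                   # x, y SIGMA-encoded; commutator is ID unless both are 1
    c = commutator(conj(P, x), conj(Q, y))
    return conj(inverse(R), c)        # map R SIGMA R^-1 back to SIGMA-encoding
def gate_nand(x, y):                  # SIGMA^(1 - (x AND y)), again only group operations
    return compose(SIGMA, inverse(gate_and(x, y)))
def truth_table(gate):
    return {(x, y): decode(gate(encode(x), encode(y))) for x in (0, 1) for y in (0, 1)}
```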
More Formally:
Our Second Result: Overview. We’ll make an abstract algebraic observation. From the observation, we’ll derive: Ω(n) bounds (over an abelian group) for –algebraic private database modification –homomorphic PIR; and bounds on conjunctive queries in the keyword search of [OS,BSW]. First, a few definitions...
Characteristic Vectors over a Group. Let G be a group. We’ll call v ∈ G^n a characteristic vector if v is non-identity in precisely one position: v = (id_G, id_G, …, x, id_G, …, id_G) with x ≠ id_G. Let V = {v_i}_{i∈[n]} be a complete set of such vectors (v_i non-identity exactly in position i).
Question: What is the inherent communication involved in “algebraic” functions that generate characteristic vectors? We’ll reduce all of our algebraic crypto-computing protocols to this basic functionality.
Idea: Generating Char. Vectors. ∃ F: G^m → G^n, an “algebraic” function, s.t. for each i ∈ [n], ∃ w_i = (g_1,…,g_m) with F(w_i) = v_i.
An Algebraic Observation. Let A and G be abelian groups. Let F: A → G^n be an “affine” group map, i.e., F = f + c, where f ∈ Hom_Z(A, G^n) and c ∈ G^n. Then if V ⊆ F(A), we have log(|A|) ∈ Ω(n).
Difficulties. Can’t we use linear algebra to immediately prove the theorem? The most naturally occurring instance (in cryptography) is the case A = G^m. If G were a field, this would be an easy linear-algebra dimension argument, but this is not generally the case (G is only assumed to be an abelian group). Even with G cyclic, the construction can be realized with m = 1 (i.e., we can specify characteristic vectors by communicating only a single group element), so a bound on m alone cannot work.
Example: m=1
Other Non-productive Ideas: Affine to Linear. Recall that F = f + c is “affine”, and let m denote the number of group elements communicated. One might think that the problem could be rephrased as linear by just incrementing m to account for c ∈ G^n. However, to model the affine map, you in general need to increase m by a non-constant amount (consider non-cyclic G). Certainly, it doesn’t seem to be the “right” approach.
The “Right” Approach: Stay abstract. –Dimension is irrelevant –Will give a stronger result. –Takes care of typical cases nicely, but will actually be quite a bit more general (rules out End(G), etc…)
Lemma
Proof of Lemma
Proof of Theorem (Idea). Idea: show that ⟨V⟩ is a Z_{|A|}-module, and apply the Lemma. Recall that in an abelian group –ord(a+b) | lcm(ord(a), ord(b)); and in any group, –ord((a,b)) = lcm(ord(a), ord(b)) –ord(f(a)) | ord(a) for a homomorphism f.
Proof of Theorem (1 of 2). Let F = f + c be affine, from A → G^n, define V as before, and let c = (c_1,…,c_n). Define V' = {v_i − c}_{i∈[n]}. (Note: V' ⊆ f(A).) All elements of V' have order dividing |A| ⇒ all c_i, and therefore c, have order dividing |A|. Since A, G are abelian, all elements of V have order dividing |A|.
Proof of Theorem (2 of 2). Since all elements of ⟨V⟩, ⟨V'⟩ have order dividing |A|, they are in fact Z_{|A|}-modules. Set R = Z_{|A|} and M = ⟨V ∪ V'⟩ and apply the lemma to yield 2^n ≤ |⟨V'⟩|·|A| ≤ |A|^2, and hence log(|A|) ∈ Ω(n).
Consequences. Over an abelian group: –Algebraic private modification of an encrypted database: Ω(n) –Homomorphic PIR protocols: Ω(n) –Impossibility of conjunctive queries in the keyword search of [OS,BSW]. Using polynomials of total degree t, the bounds become Ω(n^{1/t}).
Algebraic Private Database Modification [BKOS] (recap): U sends M_i = (g_1,…,g_m) and DB computes X' = F(x_1,…,x_n, g_1,…,g_m, h_1,…,h_r), with all g_j, x_i, h_k ∈ A and F “algebraic”.
Algebraic Database Modification Implies Characteristic Vectors. Let X be a database consisting of id_G in all locations. Apply F(X, M_i, H) to obtain X'; then X' = v_i is a characteristic vector.
Homomorphic PIR Protocols [BGN,KO] (recap): U sends Q_i = (g_1,…,g_m) and DB, holding X ∈ A^n, returns F_X(g_1,…,g_m, h_1,…,h_r) = (x_{j_1},…,x_{j_l}), with all g_j, h_k ∈ A and F_X “algebraic”.
Homomorphic PIR Implies Characteristic Vectors. For a moment, suppose the protocol returns an encryption of a single element. Let V = {v_i}_{i=1}^n be a complete set of characteristic vectors over G^n. Define databases X_i = v_i for i ∈ [n]. If Q_i queries position i, then (F_{X_1}(Q_i,H), …, F_{X_n}(Q_i,H)) will be non-identity exactly in position i.
Non-singleton Query Returns It may be the case that a PIR query returns many database values, as long as the right value is at a predictable location in the result (e.g. [KO]). More generally, we can prove the following algebraic claim:
Claim. Let V = {v_i}_{i=1}^n be a complete collection of characteristic-type vectors, except that v_i may be non-identity in up to w(n) locations, for any positive function w. Then if V ⊆ F(A), we have log(|A|) ∈ Ω(n/w(n)).
General Case: Homomorphic PIR Implies Characteristic Vectors. Suppose that the query returns k values. Define f_i(g_1,…,g_m) = ∑_{j=1}^{k} (F_{X_i}(g_1,…,g_m, h_1,…,h_r))_j. Then (f_1(g_1,…,g_m), …, f_n(g_1,…,g_m)) will be non-identity in at most k positions ⇒ user communication is Ω(n/k(n)). Server communication is clearly at least k(n), so we are done.
Other Types of Cryptosystems Recently there has been a lot of attention on bilinear maps in cryptography. The work of [BGN] demonstrates a cryptosystem that allows polynomials of total degree 2 to be evaluated on ciphertext.
Polynomials of Bounded Total Degree We can prove an extension of our original algebraic result, which will give similar bounds on the utility of total degree t polynomials. (even for t>2)
Corollary
Proof Idea. The number of monomials in an m-variable polynomial of total degree t is O(m^t). Simulate such a polynomial with a total-degree-1 polynomial in O(m^t) variables. Apply the initial theorem to the abelian group (R,+).
More General Results. If given the ability to compute polynomials of total degree t, we obtain similar bounds, only with n replaced by n^{1/t}. In particular, this corollary gives Ω(n^{1/2}) bounds when applied to algebraic protocols based on the cryptosystem of [BGN] (this matches the upper bound for database modification seen in [BKOS]).
Generality of Results. The algebraic assumptions may seem quite rigid, but are often appropriate in crypto-computing settings. From an algebraic point of view, however, they are very general: –Incorporates all algebraic formulas, but also many other types of maps (formulas with End(G), changing representations, etc…). –Covers almost all algebraic structures preserved by known cryptosystems.
Perspective. Help researchers determine the feasibility of various new protocols. Especially useful when such protocols are needed as a subroutine in a larger crypto-computing function: –the protocol may need output with an algebraic value to continue the computation. Simple non-abelian group-homomorphic encryption: –Seems pretty hard. –Equivalent to fully-homomorphic encryption (preserving a ring).
Thank You