Presentation is loading. Please wait.

Presentation is loading. Please wait.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

Published byBennett Watson Modified over 9 years ago

Similar presentations

Presentation on theme: "FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S."— Presentation transcript:

1 FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S. Halevi (IBM)

2 = Modern Application: Computing on Encrypted Data Public-key Encryption ClientServer/Cloud (Input: x)(Program: P) Enc(P(x)) Enc(x)

3 = Modern Application: Computing on Encrypted Data Public-key Encryption ClientServer/Cloud (Input: x)(Program: P) Enc(P(x)) Enc(x) Fully Homomorphic Encryption (FHE) =

4 = Definition: (KeyGen, Enc, Dec) Fully Homomorphic Encryption (FHE) = (as in regular public-key encryption) Eval(c,F) = c’ – If c = Enc(x), then Dec(c’) = F(x) Definition: (KeyGen, Enc, Dec, Eval) AND XOR AND

5 = Fully Homomorphic Encryption (FHE) = Two Important Properties Definition: (KeyGen, Enc, Dec, Eval)  Compactness: Length of c’ is independent of the size of F  Circuit/Function Privacy: c’ does not reveal “any more information about F than the output F(x)” Theorem [GHV’10]: “Circuit privacy comes for free”. Any (compact) FHE → (Compact) circuit-private FHE FHE = Compact FHE

6 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – their motivation: searching encrypted data

7 – BGN’05 & GHV’10: quadratic formulas Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N ► NON-COMPACT homomorphic encryption: – SYY’99 & MGH’08: c* grows exp. with degree/depth – IP’07 works for branching programs

8 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ► Is there an elementary Construction of FHE? Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” – easier to understand, implement and improve

9 Our Result Theorem [DGHV’10]: There exists a fully homomorphic public-key encryption scheme – which uses only add and mult over the integers, – which is secure based on the approximate GCD problem & the sparse subset sum problem.

10 Construction

11 A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption 2. Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption (fairly generic transformation) (borrows from Gentry’s techniques)

12 Secret-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Encrypt a bit b: – pick a random “large” multiple of p, say q·p – pick a random “small” even number 2·r – Ciphertext c = q·p+2·r+b  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) “noise” (sec. param = n)

13 Secret-key Homomorphic Encryption  How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2

14 Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail) – Consider c = qp+2r+b ← Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r’ ≠ 2r+b r’ – lsb(r’) ≠ b

15 Problems  Ciphertext grows with each operation  Noise grows with each operation  Useless for many applications (cloud computing, searching encrypted e-mail)  Can perform “limited” number of hom. operations  What we have: “Somewhat Homomorphic” Encryption

16 Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 “near-multiples” of p, with even noise – W.l.o.g., x 0 = q 0 p+2r 0 is the largest Δ

17 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t )  To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (“small” even noise) + b

18 c = + b (mod x 0 ) Public-key Homomorphic Encryption  Secret key: an n 2 -bit odd number p  To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit  Eval: Reduce mod x 0 after each operation  To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult

19 A Roadmap  Secret-key “Somewhat” Homomorphic Encryption  Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption

20 How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if: f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x t-d+1 ·x t-d+2 ·x t Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or

21 “Somewhat” HE“Bootstrappable” From “Somewhat” to “Fully” FHE = Can eval all fns. Theorem [Gentry’09]: Convert “bootstrappable” → FHE. Augmented Decryption ckt. Dec NAND c1c1 sk c2c2

22 Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? Complexity of the (aug.) Decryption Circuit (?)  Can be made bootstrappable – Similar to Gentry’09  Caveat: Assume Hardness of “Sparse Subset Sum” (polynomials of degree < n) (degree ~ n 2 polynomial)

23 Security (of the “somewhat” homomorphic scheme)

24 The Approximate GCD Assumption q 1 p+r 1 p? p q 1 ← [0…Q] r 1 ← [-R…R] odd p ← [0…P] (q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R (coined by Howgrave-Graham)

25 p? p Assumption: no PPT adversary can guess the number p Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q 0 p+2r 0,{q i p+r i }) Enc(b) =(qp+2r+b) = (proof of security) (q 1 p+r 1,…, q t p+r t )

26 A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A PK, Enc(b) b Encryption breaker (w.p. 1/2+ε) p – PK = {q i p+2r i }, – Enc(b) = qp+r, where lsb(r)=b

27 A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A lsb(r) Encryption breaker (w.p. 1/2+ε) p Technical Details: – Random noise vs. even noise {q i p+r i } p c=qp+r – Distribution of ciphertext: qp+r vs. c = + b (mod x 0 ) (statistically close distributions by Leftover Hash Lemma)

28 A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A lsb(r) Encryption breaker p Success Amplification – Boost from 1/2+ε to 1-1/poly(n) {q i p+r i } p c=qp+r (w.p. 1/2+ε)

29 A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A lsb(r) Encryption breaker p Computing lsb(q) and lsb(r) are equivalent {q i p+r i } p c=qp+r – lsb(q) = lsb(r) lsb(c), since p is odd lsb(q)

30 A “Taste” of the Security Proof Adv B {q i p+r i } p Approx GCD solver Adv A Encryption breaker p Computing q and p are equivalent {q i p+r i } p c=qp+r – lsb(q) c=qp+r q

31 A “Taste” of the Security Proof Adv B {q i p+r i } Approx GCD solver Adv A Encryption breaker p The Idea: Use lsb(q) to make q successively smaller {q i p+r i } p c=qp+r lsb(q) c=qp+r q – If lsb(q) = 0, c ← [c/2] ( new-c = q/2*p+[r/2] ) – If lsb(q) = 1, c ← [(c-p)/2] ( new-c = (q-1)/2*p+[r/2] )

32 A “Taste” of the Security Proof Adv B {q i p+r i } Approx GCD solver Adv A Encryption breaker p The Idea: Use lsb(q) to make q successively smaller {q i p+r i } p c=qp+r lsb(q) c=qp+r q A New Trick: inspired by the binary GCD algorithm

33 A “Taste” of the Security Proof  Given two near-multiples z 1 =q 1 p+r 1 and z 2 =q 2 p+r 2 –Get b i := lsb(q i ); if z 1 <z 2 swap them –If b 1 =b 2 =1, set z 1 ←z 1 -z 2 and b 1 =b 1 -b 2 (mod 2) (At least one of the b i ’s must be zero now!) –For any b i =0, set z i ←[z i /2] (The new q i is half the old q i !) –Repeat until one z i is zero, and let z* be the other  At the end, z*= gcd(q 1,q 2 )·p+r* = 1·p+r* Binary-GCD (for random q 1 and q 2, gcd(q 1,q 2 )=1 with constant prob.)  Run Binary-gcd(z*,z i ); the intermediate bits spell out the q i

34 – Lagarias’ algorithm  Studied by [Lag82,Cop97,HG01,NS01] (equivalent to “simultaneous Diophantine approximation”)  Lattice-based Attacks – Coppersmith’s algo. for finding small polynomial roots – Nguyen/Stern and Regev’s orthogonal lattice method  All run out of steam when log Q > (log P) 2 (our setting of parameters: log Q = n 5, log P = n 2 ) How Hard is Approximate GCD? Caveat: In Crypto, we need average-case hardness

35 Algorithms for Approx GCD: A Template B =B = R x 1 x 2 … x t -x 0 -x 0 … -x 0 b1b1 b2b2 b3b3 b t+1 (follows Lagarias’82)  Create a Lattice basis – Rows of B span a (t+1)-dimensional lattice

36 Algorithms for Approx GCD: A Template R x 1 x 2 … x t -x 0 -x 0 … -x 0 (follows Lagarias’82)  Create a Lattice basis – Length of the basis vectors ~ QP (or more) – (q 0,q 1,…,q t ) B is a short lattice vector 1 st entry = q 0 R < QR i th entry (i>1) = q 0 (q i p+r i ) – q i (q 0 p+r 0 ) = q 0 r i – q i r 0 < QR (in abs. value)

37 Algorithms for Approx GCD: A Template R x 1 x 2 … x t -x 0 -x 0 … -x 0 (follows Lagarias’82)  Create a Lattice basis – Length of the basis vectors ~ QP (or more) – || (q 0,q 1,…,q t ) B || 2 < QR  Try to find this short vector using (say) LLL

38 When will this Algorithm Succeed?  Need t to be large (> log Q/log P) – If t is small, then (q 0,q 1,…,q t ) is not the shortest vector – Need [(QP t )R] 1/t+1 > QR, or t > log Q/log P  If t is large, LLL (&co.) perform badly – Minkowski: lattice vector shorter than (exponentially many vectors shorter than )  Set log Q = ω(log 2 P). Then, t = ω(log P) – Only finds vectors of size 2 O(t) det(B) 1/t+1 >> QR – Contemporary lattice reduction is not strong enough R x 1 x 2 … x t -x 0 -x 0 … -x 0

39 Future Directions Efficient fully homomorphic encryption (Currently: n 8 factor blow-up in running time)(Currently:1000000000000000000000000 factor blowup) Efficiency for special-purpose tasks

40 Questions? [1] “Fully Homomorphic Encryption from the Integers”, http://eprint.iacr.org/2009/616, To Appear in Eurocrypt 2010.

41 Parameter Regimes t logQ/logP size (log scale) the solution we are seeking auxiliary solutions (Minkowski’s bound) converges to ~ logQ+logP What LLL can find min(blue,purple)+t blue line remains above purple line log Q

Download ppt "FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S."

Similar presentations

FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?

Fearful Symmetry: Can We Solve Ideal Lattice Problems Efficiently?
Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)

Approximate List- Decoding and Hardness Amplification Valentine Kabanets (SFU) joint work with Russell Impagliazzo and Ragesh Jaiswal (UCSD)
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Secure Evaluation of Multivariate Polynomials

Secure Evaluation of Multivariate Polynomials
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.

Discrete Gaussian Leftover Hash Lemma Shweta Agrawal IIT Delhi With Craig Gentry, Shai Halevi, Amit Sahai.
CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.

CS555Topic 191 Cryptography CS 555 Topic 19: Formalization of Public Key Encrpytion.
Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.

Foundations of Cryptography Lecture 13 Lecturer: Moni Naor.
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.
Notation Intro. Number Theory Online Cryptography Course Dan Boneh

Notation Intro. Number Theory Online Cryptography Course Dan Boneh
1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.

1 The RSA Algorithm Supplementary Notes Prepared by Raymond Wong Presented by Raymond Wong.
ENGG2013 Unit 11 Row-Rank Feb, 2011..

ENGG2013 Unit 11 Row-Rank Feb,
Lattice-Based Cryptography

Lattice-Based Cryptography
The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.

The RSA Cryptosystem and Factoring Integers (II) Rong-Jaye Chen.
Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.

Co-operative Private Equality Test(CPET) Ronghua Li and Chuan-Kun Wu (received June 21, 2005; revised and accepted July 4, 2005) International Journal.
Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.

Oded Regev Tel-Aviv University On Lattices, Learning with Errors, Learning with Errors, Random Linear Codes, Random Linear Codes, and Cryptography and.
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

Similar presentations

Ads by Google