1. Bar-Ilan University Dept. of Computer Science Shai Halevi – IBM Research Based Mostly on [van-Dijk, Gentry, Halevi, Vaikuntanathan, EC 2010] 1 Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011

2. Bar-Ilan University Dept. of Computer Science  Homomorphic encryption: Can evaluate some functions on encrypted data ◦ E.g., from Enc(x), Enc(y) compute Enc(x+y)  Fully-homomorphic encryption: Can evaluate any function on encrypted data ◦ E.g., from Enc(x), Enc(y) compute Enc(x 3 y-y 7 +xy) 2 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

3. Bar-Ilan University Dept. of Computer Science Secure Computation and Efficiency Bar-Ilan University, Israel 2011 Evaluate low-degree polynomials on encrypted data 3 Part I

4. Bar-Ilan University Dept. of Computer Science  Storing an encrypted file F on a remote server  Later send keyword w to server, get answer, determine whether F contains w ◦ Trivially: server returns the entire encrypted file ◦ We want: answer length independent of |F| Claim: to do this, sufficient to evaluate low-degree polynomials on encrypted data ◦ degree ~ security parameter 4 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

5. Bar-Ilan University Dept. of Computer Science  File is encrypted bit by bit, E(F 1 ) … E(F t )  Word has s bits w 1 w 2 …w s  For i=1,2,…,t-s+1, server computes the bit c i = ◦ c i =1 if w=F i F i+1 …F i+s-1 (w found in position i) else c i =0 ◦ Each c i is a degree-s polynomial in the F i ’s  Trick from [Smolansky’93] to get degree-n polynomials, error-probability 2 -n  Return n random subset-sums of the c i ’s (mod 2) to client ◦ Still degree-n, another 2 -n error 5 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

6. Bar-Ilan University Dept. of Computer Science  Want an encryption scheme (Gen, Enc, Dec) ◦ Say, symmetric bit-by-bit encryption ◦ Semantically secure, E(0)  E(1)  Another procedure: C*=Eval(f, C 1,…C t ) ◦ f is a binary polynomial in t variables, degree  n  Represented as arithmetic circuit ◦ The C i ’s are ciphertexts  For any such f, and any C i =Enc(x i ) it holds that Dec( Eval(f, C 1,…C t ) ) = f(x 1,…,x t ) ◦ Also |Eval(f,…)| does not depend on the “size” of f (i.e., # of vars or # of monomials, circuit-size) ◦ That’s called “compactness” 6 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

7. Bar-Ilan University Dept. of Computer Science  Shared secret key: odd number p  To encrypt a bit m: ◦ Choose at random small r, large q ◦ Output c = pq + 2r + m  Ciphertext is close to a multiple of p  m = LSB of distance to nearest multiple of p  To decrypt c: ◦ Output m = (c mod p) mod 2 = c – p [[c/p]] mod 2 = c – [[c/p]] mod 2 = LSB(c) XOR LSB([[c/p]]) 7 [[c/p]] is rounding of the rational c/p to nearest integer Noise much smaller than p The “noise” Secure Computation and Efficiency Bar-Ilan University, Israel 2011

8. Bar-Ilan University Dept. of Computer Science  Basically because: ◦ If you add or multiply two near-multiples of p, you get another near multiple of p… Secure Computation and Efficiency Bar-Ilan University, Israel 2011 8

9. Bar-Ilan University Dept. of Computer Science  c 1 =q 1 p+2r 1 +m 1, c 2 =q 2 p+2r 2 +m 2  c 1 +c 2 = (q 1 +q 2 )p + 2(r 1 +r 2 ) + (m 1 +m 2 ) ◦ 2(r 1 +r 2 )+(m 1 +m 2 ) still much smaller than p  c 1 +c 2 mod p = 2(r 1 +r 2 ) + (m 1 +m 2 )  c 1 x c 2 = (c 1 q 2 +q 1 c 2  q 1 q 2 p)p + 2(2r 1 r 2 +r 1 m 2 +m 1 r 2 ) + m 1 m 2 ◦ 2(2r 1 r 2 +…) still smaller than p  c 1 xc 2 mod p = 2(2r 1 r 2 +…)+m 1 m 2 Distance to nearest multiple of p Secure Computation and Efficiency Bar-Ilan University, Israel 2011 9

10. Bar-Ilan University Dept. of Computer Science Secure Computation and Efficiency Bar-Ilan University, Israel 2011 Why is this homomorphic?  c 1 =q 1 p+2r 1 +m 1, …, c t =q t p+2r t +m t  Let f be a multivariate poly with integer coefficients (sequence of +’s and x’s)  Let c = Eval(f, c 1, …, c t ) = f(c 1, …, c t ) ◦ f(c 1, …, c t ) = f(m 1 +2r 1, …, m t +2r t ) + qp = f(m 1, …, m t ) + 2r + qp  (c mod p) mod 2 = f(m 1, …, m t ) Suppose this noise is much smaller than p That’s what we want! 10

11. Bar-Ilan University Dept. of Computer Science  Can keep adding and multiplying until the “noise term” grows larger than p/2 ◦ Noise doubles on addition, squares on multiplication ◦ Initial noise of size ~ 2 n ◦ Multiplying d ciphertexts  noise of size ~2 dn  We choose r ~ 2 n, p ~ 2 n (and q ~ 2 n ) ◦ Can compute polynomials of degree ~n before the noise grows too large 25 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 11

12. Bar-Ilan University Dept. of Computer Science  Ciphertext size grows with degree of f ◦ Also (slowly) with # of terms  Instead, publish one “noiseless integer” N=pq ◦ For symmetric encryption, include N with the secret key and with every ciphertext ◦ For technical reasons: q is odd, the q i ’s are chosen from [q] rather than from [2 n ]  Ciphertext arithmetic mod N  Ciphertext-size remains always the same 12 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 5

13. Bar-Ilan University Dept. of Computer Science Used to prove security Rothblum’11: Any homomorphic and compact symmetric encryption (wrt class C including linear functions), can be turned into public key ◦ Still homomorphic and compact wrt essentially the same class of functions C  Public key: t random bits m=(m 1 …m t ) and their symmetric encryption c i =Enc sk (m i ) ◦ t larger than size of evaluated ciphertext  NewEnc pk (b): Choose random s s.t. =b, use Eval to get c*=Enc sk ( ) ◦ Note that s  c* is shrinking 13 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

14. Bar-Ilan University Dept. of Computer Science  The approximate-GCD problem: ◦ Input: integers w 0, w 1,…, w t,  Chosen as w 0 =q 0 p, w i =q i p + r i (p and q 0 are odd)  p  $ [0,P], q i  $ [0,Q], r i  $ [0,R] (with R << P << Q) ◦ Task: find p  Thm: If we can distinguish Enc(0)/Enc(1) for some p, then we can find that p ◦ Roughly: the LSB of r i is a “hard core bit”  If approx-GCD is hard then scheme is secure  (Later: Is approx-GCD hard?) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 14

15. Bar-Ilan University Dept. of Computer Science A. The approximate-GCD problem: ◦ Input: w 0 =q 0 p, {w i =q i p+r i }  p  $ [0,P], q i  $ [0,Q], r i  $ [0,R] (with R << P << Q) ◦ Task: find p B. The cryptosystem ◦ Input: : N=q 0 p, {m j, c j =q j p+2  j +m j }, c=qp+2  +m  p  $ [0,P], q i  $ [0,Q],  i  $ [0,R’] (with R’ << P << Q) ◦ Task: distinguish m=0 from m=1 Thm: Solving B  solving A ◦ small caveat: R smaller than R’ Secure Computation and Efficiency Bar-Ilan University, Israel 2011 15 labeled examples challenge ciphertext

16. Bar-Ilan University Dept. of Computer Science  Input: w 0 =q 0 p, {w i = q i p + r i }  Use the w i ’s to form the c j ’s and c  Amplify the distinguishing advantage ◦ From any noticeable  to almost 1 ◦ This is where we need R’>R  Use reliable distinguisher to learn q 0 ◦ Using the binary GCD procedure  Finally p = w 0 /q 0 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 16

17. Bar-Ilan University Dept. of Computer Science  We have w i =q i p+r i, need x i =q i ’p+2  i ◦ Then we can add the LSBs to get c j = x j + m j  Set N=w 0, x i =2w i mod N ◦ Actually x i =2(w i +  i ) mod N with  i random < R’  Correctness: ◦ The multipliers q i, noise r i, behave independently  As long as noise remain below p/2 ◦ r i +  j distributed almost as  j  R’>R by a super-polynomial factor ◦ 2  q i mod q 0 is random in [q 0 ] Secure Computation and Efficiency Bar-Ilan University, Israel 2011 17

18. Bar-Ilan University Dept. of Computer Science  Given any integer z=qp+r, with r<R: Set c = [z+ m+2(  + subsetSum{w i })] mod N ◦ For random  <R’, random bit m  For every z (with small noise), c is a nearly random ciphertext for m+LSB(r) ◦ subsetSum(q i ’s) mod q 0 almost uniform in [q 0 ] ◦ subsetSum(r i ’s)+  distributed almost identically to   For every z=qp+r, generate random ciphertexts for bits related to LSB(r) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 18

19. Bar-Ilan University Dept. of Computer Science  Given any integer z=qp+r, with r<R: Set c = [z+ m+2(  + subsetSum{w i })] mod N ◦ For random  <R’, random bit m  For every z (with small noise), c is a nearly random ciphertext for m+LSB(r) ◦ A guess for c mod p mod 2  vote for r mod 2  Choose many random c’s, take majority Noticeable advantage for random c’s  Reliably computing r mod 2 for every z with small noise Secure Computation and Efficiency Bar-Ilan University, Israel 2011 19

20. Bar-Ilan University Dept. of Computer Science z = (2s)p + r  z/2=sp+r/2  floor(z/2) = sp+floor(r/2)  From any z=qp+r (r<R’) can get r mod 2 ◦ Note: z = q+r mod 2 (since p is odd) ◦ So (q mod 2) = (r mod 2)  (z mod 2)  Given z 1, z 2, both near multiples of p ◦ Get b i := q i mod 2, if z 1 <z 2 swap them ◦ If b 1 =b 2 =1, set z 1 :=z 1  z 2, b 1 :=b 1  b 2  At least one of the b i ’s must be zero now ◦ For any b i =0 set z i := floor(z i /2)  new-q i = old-q i /2 ◦ Repeat until one z i is zero, output the other Binary-GCD Secure Computation and Efficiency Bar-Ilan University, Israel 2011 20

21. Bar-Ilan University Dept. of Computer Science  z 1 = 99 = 5x19 + 4 (b 1 =1) z 2 = 54 = 3x19 – 3 (b 2 =1) ◦ z 1 ’ = z 1 -z 2 = 45 = 2x19 + 7 (b 1 ’=0) z 1 ’’= floor(z 1 ’/2) = 22 = 1x19 + 3  z 1 = 54 = 3x19 – 3 (b 1 =1) z 2 = 22 = 1x19 + 3 (b 2 =1) ◦ z 1 ’ = z 1 -z 2 = 32 = 2x19 – 6 (b 1 ’=0) z 1 ’’= z 1 ’/2 = 16 = 1x19 – 3  z 1 = 22 = 1x19 + 3 (b 1 =1) z 2 = 16 = 1x19 – 3 (b 2 =1) ◦ z 1 ’ = z 1 -z 2 = 6 = 0x19 + 6 z 1 ’’= z 1 ’/2 = 3 = 0x19 + 3 21 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

22. Bar-Ilan University Dept. of Computer Science  z 1 = 16 = 1x19 – 3 (b 1 =1) z 2 = 3 = 0x19 + 3 (b 2 =0) ◦ z 2 ’’ = floor(z 2 /2) = 1 = 0x19 + 1  z 1 = 16 = 1x19 – 3 (b 1 =1) z 2 = 1 = 0x19 + 1 (b 2 =0) ◦ z 2 ’’ = floor(z 2 /2) = 0  Output 16 = 1x19 – 3 ◦ Indeed 1=GCD(5,3) 22 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

23. Bar-Ilan University Dept. of Computer Science The odd part of the GCD  z i =q i p+r i, i=1,2, z’:=OurBinaryGCD(z 1,z 2 ) ◦ Then z’ = GCD*(q 1,q 2 )·p + r’ ◦ For random q,q’, Pr[GCD(q,q’)=1] ~ 0.6 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 23

24. Bar-Ilan University Dept. of Computer Science  Try (say) z’:= OurBinaryGCD(w 0,w 1 ) ◦ Hope that z’=1·p+r  Else try again with OurBinaryGCD(z’,w 2 ), etc.  One you have z’=1·p+r, run OurBinaryGCD(w 0,z’) ◦ GCD(q 0,1)=1, but the b 1 bits along the way spell out the binary representation of q 0  Once you learn q 0, p=w 0 /q 0 QED Secure Computation and Efficiency Bar-Ilan University, Israel 2011 24

25. Bar-Ilan University Dept. of Computer Science  We proved: If approximate-GCD is hard then the scheme is secure  Next: is approximate-GCD really hard? 25 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

26. Bar-Ilan University Dept. of Computer Science  Several lattice-based approaches for solving approximate-GCD ◦ Approximate-GCD is related to Simultaneous Diophantine Approximation (SDA)  Can use Lagarias’es algorithm to attack it ◦ Studied in [Hawgrave-Graham01]  We considered some extensions of his attacks  These attacks run out of steam when |q i |>|p| 2 ◦ In our case |p|~n 2, |q i |~n 5 >> |p| 2 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 26

27. Bar-Ilan University Dept. of Computer Science  Consider the rows of this matrix B: ◦ They span dim-(t+1) lattice  (q 0,q 1,…,q t )  B is short ◦ 1 st entry: q 0 R < Q · R ◦ i th entry (i>1): q 0 (q i p+r i )-q i (q 0 p)=q 0 r i  Less than Q · R in absolute value  Total size less than Q · R ·  t  vs. size ~Q ·P (or more) for basis vectors  Hopefully we can find it with a lattice-reduction algorithm (LLL or variants) R w 1 w 2 … w t -w 0 -w 0 … -w 0 B= Secure Computation and Efficiency Bar-Ilan University, Israel 2011 27

28. Bar-Ilan University Dept. of Computer Science  Is (q 0,q 1,…,q t )  B the shortest in the lattice? ◦ Is it shorter than  t · det(B) 1/t+1 ?  det(B) is small-ish (due to R in the corner) ◦ Need ((QP) t R) 1/t+1 > QR  t+1 > (log Q + log P – log R) / (log P – log R) ~ log Q/log P  log Q =  (log 2 P)  need t=  (log P)  Quality of LLL & co. degrades with t ◦ Find vectors of size ~ 2  t · shortest ◦ t=  (log P)  2  t · QR > det(B) 1/t+1 ◦ Contemporary lattice reduction not strong enough Minkowski bound R w 1 w 2 …w t -w 0 -w 0 … -w 0 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 28

29. Bar-Ilan University Dept. of Computer Science t logQ/logP size (log scale) the solution we are seeking auxiliary solutions (Minkowski) converges to ~ logQ+logP What LLL can find min(blue,purple)+  t blue line remains above purple line log Q Secure Computation and Efficiency Bar-Ilan University, Israel 2011 29

30. Bar-Ilan University Dept. of Computer Science  A Simple Scheme that supports computing low-degree polynomials on encrypted data ◦ Any fixed polynomial degree can be done ◦ To get degree-d, ciphertext size must be  (nd 2 )  Already can be used in applications ◦ E.g., the keyword-match example  Next we turn it into a fully-homomorphic scheme 30 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

31. Bar-Ilan University Dept. of Computer Science Secure Computation and Efficiency Bar-Ilan University, Israel 2011 Part II 31

32. Bar-Ilan University Dept. of Computer Science  So far, can evaluate low-degree polynomials f (x 1, x 2, …, x t ) f … x2x2 xtxt x1x1 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 32

33. Bar-Ilan University Dept. of Computer Science  So far, can evaluate low-degree polynomials  Can eval y = f(x 1,x 2 …,x n ) when x i ’s are “fresh”  But y is “evaluated ciphertext” ◦ Can still be decrypted ◦ But eval Q(y) has too much noise f Secure Computation and Efficiency Bar-Ilan University, Israel 2011 … x2x2 xtxt x1x1 f (x 1, x 2, …, x t ) 33

34. Bar-Ilan University Dept. of Computer Science  So far, can evaluate low-degree polynomials  Bootstrapping to handle higher degrees:  For a ciphertext c, consider D c (sk) = Dec sk ( c ) ◦ Hope: D c (  ) has a low degree in sk ◦ Then so are A c 1,c 2 (sk) = Dec sk ( c 1 ) + Dec sk ( c 2 ) and M c 1,c 2 (sk) = Dec sk ( c 1 ) x Dec sk ( c 2 ) f Secure Computation and Efficiency Bar-Ilan University, Israel 2011 f (x 1, x 2, …, x t ) 34 … x2x2 xtxt x1x1

35. Bar-Ilan University Dept. of Computer Science M c 1,c 2 sk 1 sk 2 sk n …  Include in the public key also Enc pk ( sk )  Homomorphic computation applied only to the “fresh” encryption of sk sk 1 sk 2 sk n … x1x1 x2x2 c1c1 c2c2 M c 1,c 2 (sk) = Dec sk (c 1 ) x Dec sk (c 2 ) = x 1 x x 2 c Requires “ circular security ” Secure Computation and Efficiency Bar-Ilan University, Israel 2011 35

36. Bar-Ilan University Dept. of Computer Science  Fix a scheme (Gen, Enc, Dec, Eval)  For a class F of functions, denote ◦ C F = { Eval(f, c 1,…,c t ) : f  F, c i  Enc(0/1) } ◦ Encrypt some t bits and evaluate on them some f  F  Scheme bootstrappable if exists F for which: ◦ Eval “works” for F   f  F, c i  Enc(x i ), Dec( Eval(f,c 1,…,c t ) ) = f(x 1,…,x t ) ◦ Decryption + add/mult in F   c 1,c 2  C F, A c 1,c 2 (sk), M c 1,c 2 (sk)  F Thm: Circular secure & Boostrappable  Homomorphic for any func. 36 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

37. Bar-Ilan University Dept. of Computer Science c/p, rounded to nearest integer  Dec p (c) = LSB(c)  LSB([[c/p]]) ◦ We have |c|~n 5, |p|~n 2  Naïvely computing [[c/p]] takes degree >n 5  Our scheme only supports degree ~ n  Need to “squash the decryption circuit” in order to get a bootstrappable scheme ◦ Similar techniques to [Gentry 09] Secure Computation and Efficiency Bar-Ilan University, Israel 2011 37

38. Bar-Ilan University Dept. of Computer Science  Add to public key another “hint” about sk ◦ Hint should not break secrecy of encryption  With hint, ciphertext can be publically post-processed, leaving less work for Dec  Idea is used in server-aided cryptography. Old decryption algorithm m c sk Dec Secure Computation and Efficiency Bar-Ilan University, Israel 2011 38

39. Bar-Ilan University Dept. of Computer Science Secure Computation and Efficiency Bar-Ilan University, Israel 2011 How to“simplify” decryption? Old decryption algorithm m c sk Dec c f(sk, r) Public Post- Processing sk* m Dec * c* Processed ciphertext New approach The hint about sk in public key Hint in pub key lets anyone post-process the ciphertext, leaving less work for Dec * 39

40. Bar-Ilan University Dept. of Computer Science  Old secret key is the integer p  Add to public key many “real numbers” ◦ d 1,d 2, …, d t  [0,2) (with precision of ~|c| bits) ◦ sparse S for which  i  S d i = 1/p mod 2  Post Processing:  i =c x d i mod 2, i=1,…,t ◦ New ciphertext is c* = (c,  1,  2,…,  i )  New secret key is char. vector of S (  1,…,  t ) ◦ i =1 if i  S,  i =0 otherwise ◦ c/p = c x(  i d i )=   i  i mod 2 Dec*(c*) = c – [[  i  i  i ]] mod 2 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 40

41. Bar-Ilan University Dept. of Computer Science  Dec*  (c*)= LSB(c)  LSB([[  i  i  i ]])  1,0  1,-1 …  1,1-p  1,-p  2,0  2,-1 …  2,1-p  2,-p  3,0  3,-1 …  3,1-p  3,-p …………  t,0  t,-1 …  t,1-p  t,-p Secure Computation and Efficiency Bar-Ilan University, Israel 2011 41 x  1 x  2 x  3 x  t b = LSB([[  i  i  i ]])

42. Bar-Ilan University Dept. of Computer Science  Dec*  (c*)= LSB(c)  LSB([[  i  i  i ]])  Use grade-school addition to compute b  …   …   …  …………  …  Secure Computation and Efficiency Bar-Ilan University, Israel 2011 42 x  1 x  2 x  3 x  t 11 11 …  11  22 … 22 22 33  … 33  …………  …  tt b

43. Bar-Ilan University Dept. of Computer Science  Dec*  (c*)= LSB(c)  LSB([[  i  i  i ]])  Grade-school addition ◦ What is the degree of b(  1,…,  t )? The a i ‘s in binary: each a i,j is either  i or 0 a i  [0,2) b  {0,1} a 1,0 a 1,-1 …a 1,1-p a 1,-p a 2,0 a 2,-1 …a 2,1-p a 2,-p a 3,0 a 3,-1 …a 3,1-p a 3,-p ………… a t,0 a t,-1 …a t,1-p a t,-p b Secure Computation and Efficiency Bar-Ilan University, Israel 2011 43

44. Bar-Ilan University Dept. of Computer Science c 1,0 c 1,-1 …c 1,1-p a 1,0 a 1,-1 …a 1,1-p a 1,-p a 2,0 a 2,-1 …a 2,1-p a 2,-p a 3,0 a 3,-1 …a 3,1-p a 3,-p ………… a t,0 a t,-1 …a t,1-p a t,-p Carry Bits b -p Result Bit c 1,0 c 1,-1 … c 1,1-p b -p = HammingWeight(Column -p ) mod 2 p+1 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 44

45. Bar-Ilan University Dept. of Computer Science c 2,0 c 2,-1 … c 1,0 c 1,-1 …c 1,1-p a 1,0 a 1,-1 …a 1,1-p a 1,-p a 2,0 a 2,-1 …a 2,1-p a 2,-p a 3,0 a 3,-1 …a 3,1-p a 3,-p ………… a t,0 a t,-1 …a t,1-p a t,-p b -p b 1-p c 2,0 c 2,-1 … c 2,2-p b 1-p = HammingWeight(Column 1-p ) mod 2 p Secure Computation and Efficiency Bar-Ilan University, Israel 2011 45

46. Bar-Ilan University Dept. of Computer Science c p,0 …… c 2,0 c 2,-1 … c 1,0 c 1,-1 …c 1,1-p a 1,0 a 1,-1 …a 1,1-p a 1,-p a 2,0 a 2,-1 …a 2,1-p a 2,-p a 3,0 a 3,-1 …a 3,1-p a 3,-p ………… a t,0 a t,-1 …a t,1-p a t,-p b -p b 1-p b -1 … c p,0 b -1 = HammingWgt(Col -1 ) mod 4 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 46

47. Bar-Ilan University Dept. of Computer Science c p,0 …… c 2,0 c 2,-1 … c 1,0 c 1,-1 …c 1,1-p a 1,0 a 1,-1 …a 1,1-p a 1,-p a 2,0 a 2,-1 …a 2,1-p a 2,-p a 3,0 a 3,-1 …a 3,1-p a 3,-p ………… a t,0 a t,-1 …a t,1-p a t,-p b -p b 1-p b -1 … b  Express c i,j ’s as polynomials in the a i,j ’s Secure Computation and Efficiency Bar-Ilan University, Israel 2011 47

48. Bar-Ilan University Dept. of Computer Science  Binary Vector x = (x 1, …, x u )  {0,1} u  e k (x) = deg-k elementary symmetric polynomial ◦ Sum of all products of k bits (u-choose-k terms)  Dynamic programming to evaluate in time O(ku) ◦ e i (x 1 …x j ) = e i-1 (x 1 …x j-1 )x j + e i (x 1 …x j-1 ) (for i  j) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 48

49. Bar-Ilan University Dept. of Computer Science Thm: For a vector x = (x 1, …, x u )  {0,1} u, i’th bit of W=HW(x) is e 2 i (x) mod 2 ◦ Observe e 2 i (x) = (W choose 2 i ) ◦ Need to show: i’th bit of W=(W choose 2 i ) mod 2  Say 2 k  W<2 k+1 (bit k is MSB of W), W’=W-2 k ◦ For i<k, (W choose 2 i )=(W’ choose 2 i ) mod 2 ◦ For i=k, (W choose 2 k )=(W’ choose 2 k )+1 mod 2  Then by induction over W ◦ Clearly holds for W=0 ◦ By above, if holds for W’=W-2 k then holds also for W 49 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

50. Bar-Ilan University Dept. of Computer Science  Use identity (  ) ◦ For r=0 or r=2 k we have (2 k choose r) = 1 ◦ For 0<r<2 k we have (2 k choose r) = 0 mod 2  i<k: The only nonzero term in (  ) is j=2 i  i=k: The only nonzero terms in (  ) are j=0 and j=2 k 50 Secure Computation and Efficiency Bar-Ilan University, Israel 2011 integer Numerator has more powers of 2 than denominator QED

51. Bar-Ilan University Dept. of Computer Science c 4,0 c 3,0 c 3,-1 c 2,0 c 2,-1 c 2,-2 c 1,0 c 1,-1 c 1,-2 c 1,-3 a 1,0 a 1,-1 a 1,-2 a 1,-3 a 1,-4 a 2,0 a 2,-1 a 2,-2 a 2,-3 a 2,-4 …………… a t,0 a t,-1 a t,-2 a t,-3 a t,-4 b Goal: compute the degree of the polynomial b(a i,j ’s) Carry Bits Input Bits Secure Computation and Efficiency Bar-Ilan University, Israel 2011 51

52. Bar-Ilan University Dept. of Computer Science deg=1 …………… e 16 (…) e 8 (…) e 4 (…) e 2 (…) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 52

53. Bar-Ilan University Dept. of Computer Science deg=16deg=8deg=4deg=2 deg=1 …………… e 8 (…) e 4 (…) e 2 (…) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 53

54. Bar-Ilan University Dept. of Computer Science deg=9deg=5deg=3 deg=16deg=8deg=4deg=2 deg=1 …………… e 4 (…) e 2 (…) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 54

55. Bar-Ilan University Dept. of Computer Science deg=9deg=7 deg=9deg=5deg=3 deg=16deg=8deg=4deg=2 deg=1 …………… e 2 (…) Secure Computation and Efficiency Bar-Ilan University, Israel 2011 55

56. Bar-Ilan University Dept. of Computer Science deg=15 deg=9deg=7 deg=9deg=5deg=3 deg=16deg=8deg=4deg=2 deg=1 …………… b deg() = 16 Claim: with p bits of precision, deg( b(a i,j ) )  2 p Secure Computation and Efficiency Bar-Ilan University, Israel 2011 56

57. Bar-Ilan University Dept. of Computer Science  Dec*  (c*)= LSB(c)  LSB([[  i  i  i ]])  degree(b) = 2 p ◦ We can only handle degree ~ n ◦ Need to work with low precision, p ~ log n The a i ‘s in binary: each a i,j is either  i or 0 a i  [0,2] b  {0,1} a 1,0 a 1,-1 …a 1,1-p a 1,-p a 2,0 a 2,-1 …a 2,1-p a 2,-p a 3,0 a 3,-1 …a 3,1-p a 3,-p ………… a t,0 a t,-1 …a t,1-p a t,-p b Secure Computation and Efficiency Bar-Ilan University, Israel 2011 57

58. Bar-Ilan University Dept. of Computer Science  Current parameters ensure “noise” < p/2 ◦ For degree-2n polynomials with < 2 n terms (say) ◦ With |r|=n, need |p|~3n 2  What if we want a somewhat smaller noise? ◦ Say that we want the noise to be < p/2n ◦ Instead of |p|~3n 2, set |p|~3n 2 +log n  Makes essentially no difference Claim: c has noise < p/2n & sparse subset size  n-1  enough to keep precision of log n bits for the  i ’s 58 2 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

59. Bar-Ilan University Dept. of Computer Science Claim: |S|  n-1 & c/p within 1/2n from integer  enough to keep log n bits for the  i ’s Proof:  i = rounding of  i to log n bits ◦ |  i -  i |  1/2n   i  i =  i  i if  i   i  i  1/2n if  i   |  i  i -  i  i |  |S|/2n  (n-1)/2n   i  i =c/p, within 1/2n of an integer   i  i within 1/2n+(n-1)/2n=1/2 of the same integer  [[  i  i ]] = [[  i  i ]] QED 59 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

60. Bar-Ilan University Dept. of Computer Science  Dec*  (c*)= LSB(c)  LSB([[  i  i  i ]])  degree( Dec * c* (  ) )  n  degree( M c 1 *c 2 * (  ) )  2n  Our scheme can do this!!! a 1,0 a 1,-1 …a 1,-log n a 2,0 a 2,-1 …a 2,-log n a 3,0 a 3,-1 …a 3,-log n ………… a t,0 a t,-1 …a t,-log n The a i ‘s in binary: each a i,j is either  i or 0 a i  [0,2] b Secure Computation and Efficiency Bar-Ilan University, Israel 2011 60

61. Bar-Ilan University Dept. of Computer Science  Add to public key d 1,d 2, …, d t  [0,2) ◦ sparse S for which  i  S d i = 1/p mod 2  New secret key is (  1,…,  t ), char. vector of S  Also add to public key u i = Enc(  i ), i=1,2,…,t  Hopefully, scheme remains secure ◦ Security with d i ’s relies on hardness of “sparse subset sum”  Same arguments of hardness as for the approximate-GCD problem ◦ Security with u i ’s relies on “circular security” (just praying, really) 61 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

62. Bar-Ilan University Dept. of Computer Science  To “multiply” c 1, c 2 (both with noise < p/2n) ◦ Evaluate M c 1,c 2 (*) on the ciphertexts u 1,u 2,…,u t ◦ This is a degree-2n polynomial ◦ Result is new c, with noise <p/2n ◦ Can keep computing on it  Same thing for “adding” c 1, c 2  Can evaluate any function 62 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

63. Bar-Ilan University Dept. of Computer Science  May want evaluated ciphertexts to have the same distribution as freshly encrypted ones ◦ Currently they have more noise  To do this, make p larger by n bits ◦ “Raw evaluated ciphertext” have noise < p/2 n  After encryption/evaluation, add noise ~ p/2n ◦ Note: DOES NOT add noise to Enc(  ) in public key  Evaluated, fresh ciphertexts now have the same noise ◦ Can show that distributions are statistically close 63 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

64. Bar-Ilan University Dept. of Computer Science  Constructed a fully-homomorphic (public key) encryption scheme  Underlying somewhat-homomorphic scheme relies on hardness of approximate-GCD  Resulting scheme relies also on hardness of sparse-subset-sum and circular security  Ciphertext size is ~ n 5 bits  Public key has ~ n 10 bits ◦ Doesn’t quite fit the “efficient” title of the winter school… 64 Secure Computation and Efficiency Bar-Ilan University, Israel 2011

65. Bar-Ilan University Dept. of Computer Science 65 Secure Computation and Efficiency Bar-Ilan University, Israel 2011