Download presentation
Presentation is loading. Please wait.
1
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2013-2014 Lecture 10: Garbled circuits (cont.), fully homomorphic encryption Eran Tromer
2
2 Garbled circuits 2
3
3 Garbled circuits: construction (summary of whiteboard discussion) The garbled circuits Choose random keys for each value for each wire. Output: Gate tables (double-encryption of output keys under input keys, permuted) Keys of output wires The garbled inputs Keys for chosen values in input wires Evaluation Gate-by-gate, using double decryption.
4
4 Garbled circuits: variants of functionality Offline-online evaluation for public circuits –Circuit C is public, Alice chooses x, Bob learns C(x) and nothing else. Offline-online evaluation for secret circuits –Alice chooses circuit D and x, Bob learns D(x) and nothing else. –Obtained from previous by making C a universal circuit and plugging in the description of D. Secure two-party evaluation –Bob provides input, gets input keys from Alice using oblivious transfer Secret outputs –Compute in each direction, omitting sharing of result –Encrypt part of output intended for Alice
5
5 Fully Homomorphic Encryption
6
The goal Delegate processing of data without giving away access to it 6 of 32
7
Example 1: Private Search Delegate PROCESSING of data without giving away ACCESS to it ► You:Encrypt the query, send to Google (Google does not know the key, cannot “see” the query) ► Google:Encrypted query → Encrypted results (You decrypt and recover the search results) 7 of 32
8
Example 2: Private Cloud Computing Delegate PROCESSING of data without giving away ACCESS to it (Input: x)(Program: P) (Enc(x), P) → Enc(P(x)) Encrypt x 8 of 32
9
Fully Homomorphic Encryption Encrypted x, Program P → Encrypted P(x) Definition: ( KeyGen, Enc, Dec, Eval ) (as in regular public/private-key encryption) – If c = Enc ( PK, x ) and c′ = Eval ( PK, c, P ), Compactness: Length of c′ independent of size of P Security = Semantic Security [GM82] Correctness of Eval: For every input x, program P then Dec ( SK, c’ ) = P(x). 9 of 32
![Fully Homomorphic Encryption Encrypted x, Program P → Encrypted P(x) Definition: ( KeyGen, Enc, Dec, Eval ) (as in regular public/private-key encryption) – If c = Enc ( PK, x ) and c′ = Eval ( PK, c, P ), Compactness: Length of c′ independent of size of P Security = Semantic Security [GM82] Correctness of Eval: For every input x, program P then Dec ( SK, c’ ) = P(x).](http://images.slideplayer.com./25/7820186/slides/slide_9.jpg "9 of 32.")
10
Fully Homomorphic Encryption Function f x Enc(x) Eval: f, Enc(x) Enc(f(x)) homomorphic evaluation Knows nothing of x. [Rivest-Adleman-Dertouzos’78] 10 of 32
11
Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – their motivation: searching encrypted data 11 of 32
![Fully Homomorphic Encryption ► First Defined: Privacy homomorphism [RAD’78] – their motivation: searching encrypted data 11 of 32](http://images.slideplayer.com./25/7820186/slides/slide_11.jpg "Fully Homomorphic Encryption ► First Defined: Privacy homomorphism [RAD’78] – their motivation: searching encrypted data 11 of 32")
12
– BGN’05 & GHV’10: quadratic formulas Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N ► NON-COMPACT homomorphic encryption: – SYY’99 & MGH’08: c* grows exp. with degree/depth – IP’07 works for branching programs – Based on Yao garbled circuits 12 of 32
![– BGN’05 & GHV’10: quadratic formulas Fully Homomorphic Encryption ► First Defined: Privacy homomorphism [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N ► NON-COMPACT homomorphic encryption: – SYY’99 & MGH’08: c* grows exp.](http://images.slideplayer.com./25/7820186/slides/slide_12.jpg "with degree/depth – IP’07 works for branching programs – Based on Yao garbled circuits 12 of 32.")
13
Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ►Full-semester course ►Today: an alternative construction [DGHV’10]: Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & “ideal lattices” – easier to understand, implement and improve 13 of 32
![Fully Homomorphic Encryption ► First Defined: Privacy homomorphism [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ►Full-semester course ►Today: an alternative construction [DGHV’10]: Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & ideal lattices – easier to understand, implement and improve 13 of 32](http://images.slideplayer.com./25/7820186/slides/slide_13.jpg "Fully Homomorphic Encryption ► First Defined: Privacy homomorphism [RAD’78] – using just integer addition and multiplication – their motivation: searching encrypted data ►Full-semester course ►Today: an alternative construction [DGHV’10]: Big Breakthrough : [Gentry09] First Construction of Fully Homomorphic Encryption using algebraic number theory & ideal lattices – easier to understand, implement and improve 13 of 32")
14
Constructing fully-homomoprhic encryption assuming hardness of approximate GCD 14 of 32
15
A Roadmap 1. Secret-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 2. Public-key “Somewhat” Homomorphic Encryption (under the approximate GCD assumption) 3. Public-key FULLY Homomorphic Encryption (under approx GCD + sparse subset sum) (a simple transformation) (borrows from Gentry’s techniques) 15
16
Secret-key Homomorphic Encryption Secret key: a large n 2 -bit odd number p To Encrypt a bit b: – pick a random “large” multiple of p, say q·p – pick a random “small” even number 2·r – Ciphertext c = q·p+2·r+b To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit (q ~ n 5 bits) (r ~ n bits) “noise” (sec. param = n) 16
17
Secret-key Homomorphic Encryption How to Add and Multiply Encrypted Bits: – Add/Mult two near-multiples of p gives a near-multiple of p. – c 1 = q 1 ·p + (2·r 1 + b 1 ), c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 )« p – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2 « p LSB = b 1 XOR b 2 LSB = b 1 AND b 2 17
18
Problems Ciphertext grows with each operation Noise grows with each operation Useless for many applications (cloud computing, searching encrypted e-mail) – Consider c = qp+2r+b ← Enc(b) (q-1)pqp(q+1)p(q+2)p 2r+b – c (mod p) = r’ ≠ 2r+b r’ – lsb(r’) ≠ b 18
19
Problems Ciphertext grows with each operation Noise grows with each operation Useless for many applications (cloud computing, searching encrypted e-mail) Can perform “limited” number of hom. operations What we have: “Somewhat Homomorphic” Encryption 19
20
Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 Δ – Wlog, assume that x 0 is the largest of them 20
![Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 Δ – Wlog, assume that x 0 is the largest of them 20](http://images.slideplayer.com./25/7820186/slides/slide_20.jpg "Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) – t+1 encryptions of 0 Δ – Wlog, assume that x 0 is the largest of them 20")
21
c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ 21
![c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ 21](http://images.slideplayer.com./25/7820186/slides/slide_21.jpg "c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval (as before) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ 21")
22
c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult. of p) + (“small” even noise) + b 22
![c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) To Encrypt a bit b: pick random subset S [1…t] Δ c = p[ ] + 2[ ] + b (mod x 0 ) c = p[ ] + 2[ ] + b – kx 0 (for a small k) = p[ ] + 2[ ] + b (mult.](http://images.slideplayer.com./25/7820186/slides/slide_22.jpg "of p) + ( small even noise) + b 22.")
23
c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 23
![c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 23](http://images.slideplayer.com./25/7820186/slides/slide_23.jpg "c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 23")
24
c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 24
![c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 24](http://images.slideplayer.com./25/7820186/slides/slide_24.jpg "c = + b (mod x 0 ) Public-key Homomorphic Encryption Secret key: an n 2 -bit odd number p To Decrypt a ciphertext c: – c (mod p) = 2·r+b (mod p) = 2·r+b – read off the least significant bit Eval: Reduce mod x 0 after each operation To Encrypt a bit b: pick random subset S [1…t] Ciphertext Size Reduction – Resulting ciphertext < x 0 – Underlying bit is the same (since x 0 has even noise) – Noise does not increase by much (*) Public key: [ q 0 p+2r 0,q 1 p+2r 1,…,q t p+2r t ] = (x 0,x 1,…,x t ) Δ (*) additional tricks for mult 24")
25
A Roadmap Secret-key “Somewhat” Homomorphic Encryption Public-key “Somewhat” Homomorphic Encryption 3. Public-key FULLY Homomorphic Encryption 25
26
How “Somewhat” Homomorphic is this? Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if d << n. f(x 1, …, x t ) = x 1 ·x 2 ·x d + … + x 2 ·x 5 ·x d-2 Final Noise ~ (2 n ) d +…+(2 n ) d = m(2 n ) d Say, noise in Enc(x i ) < 2 n or m terms 26
27
“Somewhat” HE“Bootstrappable” From “Somewhat” to “Fully” FHE = Can eval all fns. Theorem [Gentry’09]: Convert “bootstrappable” → FHE. Augmented Decryption ckt. Dec NAND c1c1 sk c2c2 27
28
Is our Scheme “Bootstrappable”? What functions can the scheme EVAL? Complexity of the (aug.) Decryption Circuit (?) Can be made bootstrappable – Similar to Gentry’09 Caveat: Assume Hardness of “Sparse Subset Sum” (polynomials of degree < n) (degree ~ n 1.73 polynomial) 28
29
Security (of the “somewhat” homomorphic scheme) 29
30
The Approximate GCD Assumption q 1 p+r 1 p? p q 1 ← [0…Q] r 1 ← [-R…R] odd p ← [0…P] (q 1 p+r 1,…, q t p+r t ) Assumption: no PPT adversary can guess the number p Parameters of the Problem: Three numbers P,Q and R 30
31
p? p Assumption: no PPT adversary can guess the number p Semantic Security [GM’82]: no PPT adversary can guess the bit b PK =(q 0 p+2r 0,{q i p+2r i }) Enc(b) =(qp+2r+b) = (proof of security) (q 1 p+r 1,…, q t p+r t ) 31
32
Progress in FHE ►“Galactic” → Efficient – asymptotically: nearly linear-time* algorithms ► Strange assumptions → Mild assumptions – practically: – a few milliseconds for Enc, Dec [ LNV11,GHS11 ] – a few minutes for evaluating an AES block (amortized) [GHS12] *linear-time in the security parameter – Best Known [BGV11]: (leveled) FHE from worst-case hardness of n O(log n) -approx short vectors on lattices 32
![Progress in FHE ► Galactic → Efficient – asymptotically: nearly linear-time* algorithms ► Strange assumptions → Mild assumptions – practically: – a few milliseconds for Enc, Dec [ LNV11,GHS11 ] – a few minutes for evaluating an AES block (amortized) [GHS12] *linear-time in the security parameter – Best Known [BGV11]: (leveled) FHE from worst-case hardness of n O(log n) -approx short vectors on lattices 32](http://images.slideplayer.com./25/7820186/slides/slide_32.jpg "Progress in FHE ► Galactic → Efficient – asymptotically: nearly linear-time* algorithms ► Strange assumptions → Mild assumptions – practically: – a few milliseconds for Enc, Dec [ LNV11,GHS11 ] – a few minutes for evaluating an AES block (amortized) [GHS12] *linear-time in the security parameter – Best Known [BGV11]: (leveled) FHE from worst-case hardness of n O(log n) -approx short vectors on lattices 32")
33
Multi-key FHE Function f x1x1 c 1 = Enc(pk 1,x 1 ) x2x2 c 2 = Enc(pk 2,x 2 ) sk 1, pk 1 sk 2, pk 2 33
34
Multi-key FHE Function f x1x1 y = Eval(f,c 1,c 2 ) Dec(sk 1,sk 2 y)=f(x 1,x 2 ) Correctness: x2x2 sk 1, pk 1 sk 2, pk 2 Dec 34
Similar presentations
