fully homomorphic encryption university of toronto vinod vaikuntanathan penn state summer school on...
New Developments in FULLY HOMOMORPHIC ENCRYPTION
Vinod Vaikuntanathan, University of Toronto
Penn State Summer School on Cryptography

Outsourcing Computation
Weak Client → Powerful Server (“Cloud”)
Input x, function f, result f(x)
It’s everywhere!
• x = search query, f = Google search, f(x) = search results
• x = medical records, f = analysis, f(x) = risk factors

Outsourcing Computation
Client and Cloud; function f, input x
Two Problems:
Privacy: Cloud should not learn anything about x
Verifiability: Cloud cannot cheat (i.e., return incorrect answer without being detected)

Outsourcing Computation – Privately
Function f, input x; the client sends Enc(x), and the cloud knows nothing of x.
Eval: f, Enc(x) → Enc(f(x)) (homomorphic evaluation)

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]
Eval: f, Enc(x) → Enc(f(x)) (homomorphic evaluation)
(more generally) Eval: f, Enc(x1),…,Enc(xn) → Enc(f(x1,…,xn))

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]
Keys: sk, pk, evk
The client sends evk, c = Enc_sk(x); the cloud (function f) knows nothing of x and returns y = Eval_evk(f, c).
Correctness: Dec_sk(y) = f(x)
Privacy (semantic security [GM82]): (evk, Enc(x)) ≈ (evk, Enc(0))
Compactness: |y| = poly(|f(x)|, n)
Most of this talk: secret key homomorphic schemes (sk, evk)

FHE 101: Add & Mult Are Universal
Arith. Circuit (+, ×) over GF(2) ≡ Boolean (XOR, AND) = Universal set
If we had:
• Eval(+, Enc(x1), Enc(x2)) → Enc(x1+x2)
• Eval(×, Enc(x1), Enc(x2)) → Enc(x1∙x2)
then we are done.
Example: f(x1,x2,x3) = (x1+x2)∙x3
Enc(x1), Enc(x2) → Enc(x1+x2); then Enc(x1+x2), Enc(x3) → Enc((x1+x2)∙x3)

Early History (1978-2009)
Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]
Goldwasser-Micali’82:
Public key: N, y: non-square mod N
Secret key: factorization of N
Enc(0): r^2 mod N, Enc(1): y * r^2 mod N
(Additively) homomorphic over Z_2
Multiplicatively Homomorphic [ElG’85,…]
Add + One Mult [BGN’05,GHV’09]
Gentry (2009)
FIRST Fully Homomorphic Encryption!

New Developments in FHE
► “Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]
– asymptotic efficiency: nearly linear-time* algorithms
– practical efficiency: 3-4 orders of magnitude faster compared to [Gen09, GH10]
*linear-time in the security parameter
► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12]
– e.g., worst-case hardness of shortest vectors on lattices
Best Known Theorem [BGV11]:
• (Leveled) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices
*leveled = public key grows with the depth of the circuit for f
► Complex → Simple constructions/proofs [BV11b, BGV11, LTV12, B12]

This talk is based on:
1. Zvika Brakerski, V.V., Efficient Fully Homomorphic Encryption from Standard Learning with Errors, FOCS 2011.
2. Zvika Brakerski, Craig Gentry, V.V., (Leveled) Fully Homomorphic Encryption without Bootstrapping, ITCS 2012.
3. Craig Gentry, Stanford Ph.D. Thesis, 2009.
How to Construct an FHE Scheme

The Big Picture
IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]
Evaluate Boolean circuits of depth d = ε log n *
* (0 < ε < 1 is a constant, and n is the security parameter)
(Figure: EVAL on a circuit C of depth d = ε log n)

The Big Picture
IDEA 2: “Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption ⇒ FHE
Homomorphic enough = Can evaluate its own Dec Circuit (plus some)
(Figure: Decryption Circuit Dec with inputs CT and sk and output msg, alongside EVAL on a circuit C)

The Big Picture
SwHE = Homomorphic Enough?
NO, for all known constructions!

The Big Picture
Problem: (Figure: Decryption Circuit Dec alongside EVAL on a circuit C)
Solution a. “Squash” the decryption circuit [Gen09]
– Relies on a new assumption: “sparse subset sum”
Solution b. Make EVAL larger [BV11b, simplified by BGV12]
– Fairly General, Needs no new assumptions
– Exponential improvement: Can eval n^ε depth circuits
Solution c. Use Special Properties of Dec. Circuit [GH11]
(Side label: Less general)

The Big Picture
IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [Gen09,DGHV10,SV10,BV11a,BV11b,LTV11] (Evaluate Boolean circuits of depth d = ε log n)
IDEA 3: “Modulus Reduction” [BV11b, simplified by BGV12] (Evaluate Boolean circuits of depth d = n^ε)
IDEA 2: “Bootstrapping” Theorem [Gen09]: “Homomorphic enough” Encryption ⇒ FHE (FHE: Evaluate any poly(n)-size Boolean circuit)
d-Leveled FHE: Given any d, set n = d^(1/ε)

Many Instantiations
All based on Integer Lattices (Ajtai’96)
Ideal Lattices
Surprisingly, Arbitrary Lattices [BV’11b]
– Gentry’09 (based on Goldreich-Goldwasser-Halevi’98)
– DGHV’10 (based on Ajtai-Dwork’97, Regev’04)
– BV’11a (based on Lyubashevsky-Peikert-Regev’10)
– LTV’11 (based on NTRU: Hoffstein-Pipher-Silverman’96)
– Lattices (like vector spaces) have no native mult
BUT: you don’t need to know what lattices are for this talk!

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]
LWE_{n,q,B}: For random secret s ∈ Z_q^n, and any m = poly(n),
(a_i, b_i = ⟨a_i, s⟩ + e_i)_{i=1..m} ≈ (a_i, u_i)_{i=1..m}
where each a = (a[1], …, a[n]).
• Left (oracle O_s): “noisy” random linear equations (a_1, b_1 = ⟨a_1, s⟩ + e_1), (a_2, b_2 = ⟨a_2, s⟩ + e_2), …, (a_m, b_m = ⟨a_m, s⟩ + e_m), with a_i uniformly random in Z_q^n and “small” error |e_i| < B
• Right (oracle O_rand): (a_1, u_1), (a_2, u_2), …, (a_m, u_m), with u_i random in Z_q

Worst-Case Connection ([R05, P09]):
Qualitative: Solve LWE (on average) ⇒ Short-vector approximation on lattices (in the worst-case)
Quantitative: Solve LWE_{n,q,B} ⇒ O(nq/B)-approx shortest vector on lattices
1. SCALE INVARIANCE: hardness depends only on ratio between q and B
2. OUR PARAMETERS: We will set q = n^{O(log n)} and B = poly(n). Best known algorithm for LWE with these parameters runs in 2^{Õ(n)} time.

Facts:
LWE (with short secret s) = LWE [ACPS09,GKPV10]
LWE with short even error (2e) = LWE with short error e

Secret-key Encryption from LWE (omitting public-key encryption)
• KeyGen:
– Sample random “short” vector t ∈ Z_q^n and set sk = t
• Bit Encryption Enc_sk(m):
– Sample uniformly random a ∈ Z_q^n, “short” noise e ∈ Z_q
– The ciphertext CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q
Semantic Security from LWE
• Decryption Dec_sk(CT): Output (b − ⟨a, t⟩ mod q) mod 2.
– Correctness: b − ⟨a, t⟩ mod q = 2e + m mod q = 2e + m (as long as |2e+m| < q/2)
• Decryption (key written as s): Dec_s(a,b) = (b − ⟨a, s⟩) (mod 2).
– Correctness: b − ⟨a, s⟩ = b − ∑ a[i]∙s[i] = m + 2e (over Z_q). Decryption succeeds if e < q/4.

Additive Homomorphism
CT = (a, b), CT’ = (a’, b’)
Look at Ciphertexts through the Decryption Lens:
b − ⟨a, t⟩ = 2e + m and b’ − ⟨a’, t⟩ = 2e’ + m’
Let c = (a, b), c’ = (a’, b’) and s = (−t, 1). Then CT = c, CT’ = c’ and
⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’
Claim: c_add = c + c’
Proof: adding the two equations,
⟨c+c’, s⟩ = 2(e+e’) + (m+m’) = 2E + (m+m’), with E = e+e’
Dec_s(c_add) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)

Multiplicative Homomorphism
CT = c, CT’ = c’ with ⟨c, s⟩ = 2e + m and ⟨c’, s⟩ = 2e’ + m’
Claim: c_mult = ?
Multiplying the two equations:
⟨c, s⟩ ∙ ⟨c’, s⟩ = (2e+m) ∙ (2e’+m’) = mm’ + 2(em’+e’m+2ee’) = mm’ + 2E, with E = em’+e’m+2ee’
Quadratic equation in the variables s[i]
Tensor Product:
• c ⊗ c’ = (c[1]∙c’[1], …, c[i]∙c’[j], …, c[n+1]∙c’[n+1])
• c, c’ live in (n+1) dim → c ⊗ c’ lives in (n+1)^2-dim
• KEY FACT: ⟨c, s⟩ ∙ ⟨c’, s⟩ = ⟨c ⊗ c’, s ⊗ s⟩
Claim: c_mult = c ⊗ c’
⟨c ⊗ c’, s ⊗ s⟩ = mm’ + 2(em’+e’m+2ee’)
Dec(s ⊗ s, c_mult) = 2E + mm’ (mod 2) = mm’ (mod 2)
Problem: Ciphertext size blows up! (Z_q^{n+1} → Z_q^{(n+1)^2})

Multiplicative Homomorphism
⟨c_mult, s ⊗ s⟩ = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s (or, of a new secret s’) that represent these quadratic functions.
New KeyGen:
• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).
• Evaluation key evk: ∀ i,j: Enc_t’(s[i]s[j])
– That is, sample A_{i,j}, E_{i,j} and set ∀ i,j: (A_{i,j}, B_{i,j} = ⟨A_{i,j}, t’⟩ + 2E_{i,j} + s[i]s[j]). LWE Security still holds.
– Equivalently, ∀ i,j: B_{i,j} − ⟨A_{i,j}, t’⟩ = 2E_{i,j} + s[i]s[j]
– So ∀ i,j: ⟨C_{i,j}, s’⟩ ≈ s[i]s[j] (denoting s’ = (−t’, 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before): a linear fn (in s’) ≈ a quadratic fn (in s)
Plug back into quadratic equation (Cheating Alert):
∑_{i,j} c_mult[i,j] ∙ ⟨C_{i,j}, s’⟩ ≈ mm’ + 2*Error (linear in s’)
Homomorphic Mult:
1. First compute c_mult = c ⊗ c’
2. Compute and output ∑_{i,j} c_mult[i,j] ∙ C_{i,j} (where C_{i,j} are from the evaluation key)
Cheating Alert: ∀ i,j: ⟨C_{i,j}, s’⟩ ≈ s[i]s[j] was turned into c_mult[i,j] ∙ ⟨C_{i,j}, s’⟩ ≈ c_mult[i,j] ∙ s[i]s[j], BUT
PROBLEM: c_mult has large entries
SOLUTION: Binary Decomposition Trick

Multiplicative Homomorphism
⟨c_mult, s ⊗ s⟩ = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic functions.
New KeyGen:
• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).
• Evaluation key evk: ∀ i,j and k in [0 … log q]: Enc_t’(2^k s[i]s[j])
– That is, sample A_{i,j,k}, E_{i,j,k} and set ∀ i,j,k: (A_{i,j,k}, B_{i,j,k} = ⟨A_{i,j,k}, t’⟩ + 2E_{i,j,k} + 2^k s[i]s[j])
– So ∀ i,j,k: ⟨C_{i,j,k}, s’⟩ ≈ 2^k s[i]s[j] (denoting s’ = (−t’, 1) and C_{i,j,k} = (A_{i,j,k}, B_{i,j,k}) as before): a linear fn (in s’) ≈ a quadratic fn (in s)
Plug back into quadratic equation (Un-Cheating Alert):
Let c_mult[i,j,k] be the kth bit of c_mult[i,j]
∑_{i,j,k} c_mult[i,j,k] ∙ ⟨C_{i,j,k}, s’⟩ = mm’ + 2*Error + 2*Error_relin (linear in s’)
Error_relin = O(n^2 . log q . B)
Homomorphic Mult:
1. First compute c_mult = c ⊗ c’
2. Compute and output ∑_{i,j,k} c_mult[i,j,k] ∙ C_{i,j,k}
(where C_{i,j,k} are from the evaluation key)
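
The scheme built up over the preceding slides (LWE bit encryption, c + c’, c ⊗ c’, and relinearization with the binary decomposition trick), as an added Python example that is not from the talk. The toy parameters N, Q, B, the ternary secret and all function names are assumptions chosen for illustration and give no real security.

```python
import random

# Toy parameters (assumed for illustration; far too small for real security).
N = 8                      # LWE dimension n
Q = (1 << 40) + 15         # modulus q
B = 4                      # noise bound: |e| <= B
LOGQ = Q.bit_length()      # bits per Z_q entry, used by the binary decomposition
rng = random.Random(2012)  # fixed seed so the constructed sample data is reproducible

def inner(u, v):
    """<u, v> mod q."""
    return sum(x * y for x, y in zip(u, v)) % Q

def centered(v):
    """Representative of v mod q in (-q/2, q/2]."""
    v %= Q
    return v - Q if v > Q // 2 else v

def keygen():
    """Sample a short t (ternary here, an assumption); return (t, s = (-t, 1))."""
    t = [rng.choice((-1, 0, 1)) for _ in range(N)]
    return t, [-x for x in t] + [1]

def enc(t, m):
    """c = (a, b = <a,t> + 2e + m), so that <c, s> = 2e + m (mod q)."""
    a = [rng.randrange(Q) for _ in range(N)]
    e = rng.randint(-B, B)
    return a + [(inner(a, t) + 2 * e + m) % Q]

def noise(s, c):
    """|<c, s>| as a centered integer: the quantity that must stay below q/2."""
    return abs(centered(inner(c, s)))

def dec(s, c):
    """(<c, s> mod q) mod 2."""
    return centered(inner(c, s)) % 2

def add(c1, c2):
    """c_add = c + c'."""
    return [(x + y) % Q for x, y in zip(c1, c2)]

def tensor(u, v):
    """u (x) v, flattened; index i*(n+1)+j holds u[i]*v[j]."""
    return [(x * y) % Q for x in u for y in v]

def relin_keygen(s, t_new):
    """evk[i*(n+1)+j][k] = Enc_{t'}(2^k * s[i]*s[j]) for every i, j and bit k."""
    evk = []
    for sij in tensor(s, s):
        row = []
        for k in range(LOGQ):
            a = [rng.randrange(Q) for _ in range(N)]
            e = rng.randint(-B, B)
            row.append(a + [(inner(a, t_new) + 2 * e + (sij << k)) % Q])
        evk.append(row)
    return evk

def relinearize(cmult, evk):
    """Sum over i,j,k of bit_k(cmult[i,j]) * C_{i,j,k}: n+1 entries under s'."""
    out = [0] * (N + 1)
    for entry, row in zip(cmult, evk):
        for k in range(LOGQ):
            if (entry >> k) & 1:
                out = add(out, row[k])
    return out

def mult(c1, c2, evk):
    """Homomorphic Mult: tensor, then relinearize."""
    return relinearize(tensor(c1, c2), evk)

def demo():
    """XOR and AND on encrypted bits; rows of plaintexts, decryptions and noise."""
    t, s = keygen()
    t2, s2 = keygen()
    evk = relin_keygen(s, t2)
    rows = []
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = enc(t, m1), enc(t, m2)
            big = tensor(c1, c2)           # (n+1)^2 entries, key s (x) s
            small = relinearize(big, evk)  # n+1 entries, key s'
            rows.append((m1, m2, dec(s, add(c1, c2)), dec(tensor(s, s), big),
                         dec(s2, small), noise(s, c1), noise(s2, small)))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

The last two columns of each row compare the fresh noise with the noise after one tensor-and-relinearize step, which includes the 2*Error_relin term.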

The Reservoir Analogy (How homomorphic is this?)
The reservoir runs from noise = 0 to noise = q/2; initial noise = ξ
Additive Homomorphism: ξ → 2ξ
Mult. Homomorphism: ξ → ξ^2 + n^2 B log q ~ ξ^2
AFTER d LEVELS:
noise B → (worst case)
Correctness
Breaking = Solving 2^(n^ε)-approx. shortest vectors [Reg05,LPR10]

Wrap Up: Somewhat Homomorphism
IDEA 1: “Somewhat Homomorphic” (SwHE) Encryption [BV11b]
Evaluate Boolean circuits of mult. depth D = ε log n
SK = (sk1,…,skD)
EVK = (evk1,…,evkD), where D is the max mult depth
Encrypt using sk1: Enc(sk1, x)
Each Mult Level (circuit C of mult depth D): Tensor and Relinearize
Decrypt using skD: Enc(skD, C(x))
– a number of other SwHE schemes: [DGHV10,SV10,BV11a,LTV12]
– [DGHV10]: based on hardness of approximate gcd
– [SV10]: principal ideal problem
– [BV11a]: Ring LWE
– [LTV12]: NTRU

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)
IDEA 2: “Bootstrapping” (“homomorphic enough” to fully homomorphic)
d-Leveled FHE: Given any d, set n = d^(1/ε)
![Page 61: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/61.jpg)
Bootstrapping
Bootstrapping Theorem [Gen09] (Quantitative)
d-HE with decryption depth < d * FHE
Homomorphic Encryption for any depth d circuit
![Page 62: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/62.jpg)
Bootstrapping
“Homomorphic enough” Encryption → FHE
Bootstrapping Theorem [Gen09] (Quantitative)
d-HE with decryption depth < d → FHE*
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)
[Figure: noise levels noise = 0, noise = B_dec, noise = q/2]
Say n(B_dec)^2 < q/2
![Page 63: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/63.jpg)
Bootstrapping
“Homomorphic enough” Encryption → FHE
Bootstrapping Theorem [Gen09] (Quantitative)
d-HE with decryption depth < d → FHE*
Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)
[Figure: noise levels noise = 0, noise = B_dec, noise = q/2]
Say (B_dec)^2 < q/2
![Page 64: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/64.jpg)
Bootstrapping: How
“Best Possible” Noise Reduction = Decryption!
[Figure: Decryption Circuit Dec takes CT (“Very Noisy” ciphertext) and SK, and outputs m (“Noiseless ciphertext”)]
But the evaluator does not have SK!
![Page 65: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/65.jpg)
Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
[Figure: Dec evaluated homomorphically on CT (Noise = B_input) and Enc_SK(SK), outputting Enc_SK(m) (Noise = B_dec)]
Assume Enc(SK) is public.*
* (OK assuming the scheme is “circular secure”)
B_dec Independent of B_input
![Page 66: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/66.jpg)
Wrap Up: Bootstrapping
[Figure: Function f, a circuit of gates g]
Assume Circular Security: Eval key contains Enc_SK(SK)
![Page 67: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/67.jpg)
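Wrap Up: Bootstrapping
[Figure: Function f, a circuit of gates g]
Assume Circular Security: Eval key contains Enc_SK(SK)
Each Gate g → Gadget G:
[Figure: gate g maps a, b to g(a,b); gadget G applies Dec to (c_a, sk) and to (c_b, sk) to obtain a and b, then applies g to output g(a,b)]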
![Page 68: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/68.jpg)
Wrap Up: Bootstrapping
[Figure: Function f, a circuit of gates g]
Assume Circular Security: Eval key contains Enc_SK(SK)
Each Gate g → Gadget G:
[Figure: gadget G takes c_a, c_b and Enc(SK), applies Dec to each ciphertext and then g, and outputs Enc(g(a,b))]
![Page 69: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/69.jpg)
Wrap Up: Bootstrapping
Bootstrapping Theorem [Gen09] (Quantitative)
d-HE with decryption depth < d → (leveled) FHE
– publish Enc_PK2(SK_1), Enc_PK3(SK_2),…, Enc_PKd(SK_d-1)
circular-secure d-HE with dec. depth < d → FHE
– publish Enc_PK(SK)
![Page 70: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/70.jpg)
SwHE = Homomorphic Enough?
Decryption Circuit:
• Compute lsb(<SK,C> mod q) = inner products mod q mod 2.
• Our scheme is homomorphic over GF(2).
Write inner product mod q as a GF(2)-arithmetic circuit?
• Can be done in depth polylog(n)
• Seems to need (multiplicative) depth ≥ log n
Homomorphisms:
• Can handle multiplicative depth = ε log n < log n
![Page 71: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/71.jpg)
IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)
IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE)
![Page 72: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/72.jpg)
Modulus Reduction
“Homomorphic enough” Encryption → FHE
Modulus Reduction Theorem [BV11b,BGV12]
SwHE that evaluates Boolean circuits of depth d = n^ε (under the same assumption as before)
Corollary: For every depth d, set the security parameter n = d^(1/ε) to get a d-leveled FHE.
Corollary: modulus reduction + bootstrapping = FHE (assuming circular security)
![Page 73: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/73.jpg)
Modulus Reduction
“Homomorphic enough” Encryption → FHE
Modulus Reduction Theorem [BV11b,BGV12]
SwHE that evaluates Boolean circuits of depth d = n^ε
Wishful thinking
Shrink Noise and Noise Ceiling by same factor
[Figure: CT → CT’. CT has q = B^10, noise = B^8 (NO MULT); CT’ has q’ = B^3, noise’ = B (ONE MULT)]
noise’ = B + p(n)
![Page 74: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/74.jpg)
Modulus Reduction
Wishful thinking
[Figure: q = B^10, noise = B^8 → q’ = B^3, noise’ = B + p(n)]
Can we do this?
– Cannot arbitrarily reduce noise (because of the p(n) factor)
– Hardness depends only on q/B.
![Page 75: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/75.jpg)
Modulus Reduction
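LEVEL_i → LEVEL_(i+1):
Homomorphism: (q, ξ) → (q, ≈ ξ^2)
Modulus Reduction: (q, ξ^2) → (q/ξ, ξ)
[Figure: noise scale starting at noise = 0; initial noise = ξ grows to ξ^2 under ceiling q, then the ceiling drops from q to q/ξ and the final noise = ξ]
AFTER d LEVELS:
(q, B) → (q/(nB log q)^O(d), B)
d ≤ log q/log (nB) ≤ n^ε/log n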
![Page 76: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/76.jpg)
Modulus Reduction: Details
“Homomorphic enough” Encryption → FHE
Modulus Reduction Algorithm [BV11b,BGV12]
Transform a (q, B^2) ciphertext into a (q’ ≈ q/nB, B) one
Assume that the secret key s has entries bounded by B. (ok by fact 2)
Let c be a ciphertext s.t. <c, s> = 2e + m (mod q)
Modulus Reduction Algorithm:
• Compute (q’/q) c
• Round to the closest integer vector c’ such that c’ = c mod 2
![Page 77: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/77.jpg)
Modulus Reduction: Details
Let c be a ciphertext s.t. <c, s> = 2e + m (mod q)
Modulus Reduction Algorithm:
• Compute (q’/q) c
• Round to the closest integer vector c’ such that c’ = c mod 2
Proof:
<c, s> = 2e + m + qZ (original dec eqn)
(q’/q) <c, s> = (q’/q)*(2e + m) + q’Z (scaled)
<c’, s> = (q’/q)*(2e + m) + E_round (mod q’)
• New Error = q’/q * (Old Error) + (E_round ≤ Bn), as promised!
• c’ decrypts to m, since c’ = c mod 2, and <c’, s> = <c, s> mod 2
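The rounding step above, as an added Python example (not from the slides): it scales a ciphertext satisfying <c, s> = 2e + m (mod q) down to modulus q’ and checks that the new error is at most (q’/q)·(old error) + E_round. The toy parameters, the key format s = (1, …) and the requirement that q and q’ are both odd (the parity condition from [BGV12], which the slide leaves implicit) are assumptions of this example.

```python
import random

def centered(x, q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2] (q odd)."""
    x %= q
    return x - q if x > q // 2 else x

def inner(c, s):
    return sum(ci * si for ci, si in zip(c, s))

def encrypt(m, s, q, e):
    """Build c with <c, s> = 2e + m (mod q); needs s[0] == 1."""
    c = [0] + [random.randrange(q) for _ in s[1:]]
    c[0] = (2 * e + m - inner(c, s)) % q
    return c

def phase(c, s, q):
    """[<c, s>]_q = 2e + m as a centered integer (message plus error)."""
    return centered(inner(c, s), q)

def mod_reduce(c, q, q_new):
    """Compute (q'/q) c and round each entry to the closest integer
    that has the same parity as the original entry (c' = c mod 2)."""
    if q % 2 != 1 or q_new % 2 != 1:
        raise ValueError("assumed: q and q' both odd")
    out = []
    for ci in c:
        p = ci % 2
        # exact integer rounding of ((q'/q)*ci - p) / 2, then restore parity p
        out.append(p + 2 * ((q_new * ci - p * q + q) // (2 * q)))
    return out

def demo(seed=1):
    random.seed(seed)
    n, q, q_new = 16, 2**40 + 15, 2**20 + 7   # constructed toy parameters
    s = [1] + [random.choice((-1, 0, 1)) for _ in range(n)]  # small key
    rows = []
    for m in (0, 1):
        e = random.randrange(-2**30, 2**30)   # large error, as after a mult
        c = encrypt(m, s, q, e)
        c2 = mod_reduce(c, q, q_new)
        old, new = abs(phase(c, s, q)), abs(phase(c2, s, q_new))
        bound = old * q_new / q + sum(abs(x) for x in s)  # scaled + E_round
        rows.append((m, phase(c2, s, q_new) % 2, old, new, new <= bound))
    return rows

if __name__ == "__main__":
    for row in demo():
        print(row)
```

Each row is (message, bit decrypted under q’, old error magnitude, new error magnitude, bound holds); the rounding term is at most the sum of |s[i]|, which is where the bound on the key entries is used.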
![Page 78: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/78.jpg)
Putting Together: Leveled FHE
EVK = (evk_1,…,evk_D), where D is the max mult depth
SK = (sk_1,…,sk_D)
Enc(sk_1, x): Encrypt using sk_1
Circuit C, mult depth D
Each Mult Level: 1) Tensor, 2) Relinearize using evk_i, 3) Reduce modulus
Enc(sk_D, C(x)): Decrypt using sk_D
This works for depth D ≤ n^ε
![Page 79: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/79.jpg)
Putting Together: Leveled FHE
EVK = (evk_1,…,evk_D), where D is the max mult depth
SK = (sk_1,…,sk_D)
Enc(sk_1, x): Encrypt using sk_1
Circuit C, mult depth D
Each Mult Level: 1) Tensor, 2) Relinearize using evk_i, 3) Reduce modulus
Enc(sk_D, C(x)): Decrypt using sk_D
Bootstrapping + Circular Security => FHE.
![Page 80: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/80.jpg)
Putting Everything Together
IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)
IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε) (this is “homomorphic enough”)
IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE) (assuming “circular security”)
![Page 81: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/81.jpg)
A Simpler Alternative: doing away with changing moduli
[Brakerski’12]
![Page 82: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/82.jpg)
Fully Homomorphic Encryption
Open Problems
![Page 83: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/83.jpg)
Circular Security
Leveled FHE from “standard” assumptions
– e.g., the Learning with errors assumption
– Evaluate bounded depth circuits
– The size of CT and/or PK grows with the depth
“Real” FHE: requires “bootstrapping”
Bootstrapping: Publish Enc_SK(SK).*
* (OK assuming the scheme is “circular secure”)
![Page 84: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/84.jpg)
Circular Security
“Real” FHE: requires “bootstrapping”
Bootstrapping: Publish the encryptions of bits of SK, namely Enc_SK(SK[1]),…, Enc_SK(SK[n])*
* (OK assuming the scheme is “circular secure”)
Two definitions:
− Strong circular security: there is a simulator that, given nothing, produces Enc_SK(SK).
− Weak circular security: the encryption scheme is semantically secure given Enc_SK(SK).
Bootstrapping: Publish Enc_SK(SK).
(OK assuming the scheme is “weakly circular secure”)
![Page 85: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/85.jpg)
Circular Security
There are (even bit-wise) circular secure encryption schemes
– [BHHO’08]: based on DDH
– [ACPS’09, BG’10, BHHI’10, …]
There are semantically secure schemes that are NOT circular-secure.
– Proof: Simple Exercise.
![Page 86: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/86.jpg)
Circular Security
How about circular security for the FHE scheme?
− NEED: “safe to publish” lweEnc(s[i].s[j]) (encryptions of all quadratic monomials in the s[i])
− CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i])
![Page 87: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/87.jpg)
Circular Security
− CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i])
(a, <a, s> + 2e + s[i] mod q)
= (a, <a, s> + 2e + <u_i, s> mod q)
u_i : ith unit vector (0,…,1,…0)
![Page 88: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/88.jpg)
Circular Security
− CAN PROVE: “safe to publish” lweEnc(s[i]) (encryptions of all linear monomials s[i])
(a, <a, s> + 2e + s[i] mod q)
= (a, <a+u_i, s> + 2e mod q)
≈ (a’-u_i, <a’, s> + 2e mod q)
This can be generated efficiently from an encryption of 0
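The identity above as an added Python example (not from the slides): an encryption of 0 is turned into an encryption of s[i] by subtracting the unit vector u_i from its first component, without using the secret key. The binary key, the toy parameters and the function names are assumptions of this example; lwe_enc(0, ...) stands in for a public-key encryption of 0.

```python
import random

def dot(a, s, q):
    return sum(x * y for x, y in zip(a, s)) % q

def lwe_enc(m, s, q, B=8):
    """(a, <a,s> + 2e + m mod q) with |e| <= B, in the slide's format."""
    a = [random.randrange(q) for _ in s]
    e = random.randint(-B, B)
    return a, (dot(a, s, q) + 2 * e + m) % q

def lwe_dec(ct, s, q):
    a, b = ct
    v = (b - dot(a, s, q)) % q
    if v > q // 2:
        v -= q                      # centered value 2e + m
    return v % 2

def key_bit_from_zero(enc_zero, i, q):
    """Map an encryption of 0, (a', <a',s> + 2e), to (a' - u_i, <a',s> + 2e).
    No secret key is used: only coordinate i of a' is shifted by one."""
    a, b = enc_zero
    a = list(a)
    a[i] = (a[i] - 1) % q
    return a, b

def demo(seed=7):
    random.seed(seed)
    n, q = 12, 2**16 + 1                          # constructed toy parameters
    s = [random.randrange(2) for _ in range(n)]   # assumed binary key
    # lwe_enc(0, ...) stands in for a public-key encryption of 0
    published = [key_bit_from_zero(lwe_enc(0, s, q), i, q) for i in range(n)]
    return s, [lwe_dec(ct, s, q) for ct in published]

if __name__ == "__main__":
    key, recovered = demo()
    print(key == recovered)
```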
![Page 89: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/89.jpg)
Q: “Real” FHE from Standard Assumptions?
1) Prove the circular security for quadratic monomials, or
2) Come up with an alternative to bootstrapping.
![Page 90: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/90.jpg)
What we did not Cover…
• Efficient Constructions
– Build on the ring LWE variant of today’s scheme
– Gentry-Halevi-Smart series of works
– a number of algebraic optimizations
• Verifiability
– CS proofs [Kil92,Mic94]
– A number of recent works in various settings [GKR08,GGP10,CKV10,AIK10,…]
– The central problem remains open
• Circuit Privacy
– [Gentry-Halevi-V’10]: “Circuit privacy for free” theorem
![Page 91: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/91.jpg)
Conclusion
• FHE is not so complicated any more
– Well-defined guidelines for construction
– Under relatively standard security assumptions
• FHE is not so inefficient any more
– Case in point: Ring LWE, NTRU…
• LOTS of questions still to be answered …
– FHE without “Circular Security”
– FHE from number theory, general assumptions…
• NEW directions: selective homomorphism, functional encryption,…
![Page 92: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in](https://reader030.vdocument.in/reader030/viewer/2022032721/56649cd85503460f949a0f6f/html5/thumbnails/92.jpg)
Thank You!