
Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages



  1. Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages
     Zvika Brakerski (Weizmann), Vinod Vaikuntanathan (University of Toronto). CRYPTO 2011

  2. Outsourcing Computation
     [Diagram: input $x$ (medical records), function $f$ (analysis), output $f(x)$ (risk factors).]
     Want Privacy!

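  3. Outsourcing Computation – Privately
     [Diagram: $\mathrm{Enc}(x)$ is sent to the party holding function $f$, which knows nothing of $x$ and returns $y$; $\mathrm{Dec}(y) = f(x)$.]
     Eval: $f, \mathrm{Enc}(x) \rightarrow \mathrm{Enc}(f(x))$ (homomorphic evaluation)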

  4. Fully Homomorphic Encryption (FHE) [RAD78]
     [Diagram: keys $pk$, $sk$; $\mathrm{Enc}(x)$ is sent to the party holding function $f$, which returns $y = \mathrm{Eval}_{pk}(f, \mathrm{Enc}(x))$; $\mathrm{Dec}(y) = f(x)$.]
     Correctness guarantee: $\mathrm{Dec}_{sk}(y) = f(x)$
     Privacy guarantee (semantic security [GM82]): $\mathrm{Enc}(x) \approx \mathrm{Enc}(0)$
     “Fully” = Evaluate all (efficient) $f$. Evaluating binary $+, \times$ is sufficient.

  5. Gentry's Breakthrough [G09, G10]: First Candidate FHE
     Bootstrapping Theorem [G09]: $d$-HE + dec. depth $< d$ + circular security $\Rightarrow$ FHE
     • $d$-HE: Eval for any depth $d$ circuit (aka “somewhat” HE).
     • Circular security = key dependent message security: adversary sees $\mathrm{Enc}(sk)$ (more generally: $\mathrm{Enc}(f(sk))$).
     Gentry's construction: $d$-HE with dec. depth $> d$ (ideal lattice assumption) + “Squash” to dec. depth $< d$ (Sparse Subset-Sum assumption) + explicit circular security assumption.
     Novel use of ideal lattices! Previous works (e.g. [NTRU, MR04, LM06, M07]) used for efficiency, here used for functionality.

  6. Since Gentry
     • Another candidate [vDGHV10]: $d$-HE with dec. depth $> d$ (approx. GCD assumption) + “Squash” to dec. depth $< d$ (Sparse Subset-Sum assumption) + explicit circular security assumption.
     • Efficiency improvements of Gentry's scheme [SV10, SS10, GH11].

  7. Our Scheme
     $d$-HE with dec. depth $> d$ (Ring-LWE [LPR10] assumption) + “Squash” to dec. depth $< d$ (Sparse Subset-Sum assumption) + explicit circular security assumption.
     • First circular secure “somewhat” HE.
       – Circular security extends to polynomials of key (a la [MTY11]).
       – Caveat: circular scheme is not bootstrappable.
     • Simple construction! Simple key generation.
       – Combine the “two callings” of ideal lattices: efficiency and functionality.
     Slide callouts: “Simple”; “People are implementing!”

  8. Ring-LWE [LPR10] (simplified)
     Ring of polynomials: $R_q = \mathbb{Z}_q[x]/(x^n + 1)$
     Degree $(n - 1)$ polynomials with coefficients in $\mathbb{Z}_q$ ($q$ large odd prime).
     $\mathrm{RLWE}_{n,q}$ assumption: For random $s \in R_q$, any coefficient $a_i$,
     $(a_i, b_i = a_i s + 2e_i) \approx (a_i, u_i)$
     for uniform $a_i, u_i$ and for “small” $e_i$.
     Distinguish $\mathrm{RLWE}_{n,q}$ $\Rightarrow$ quant. short vectors in ideal lattice [LPR10]

  9. Toy Example: “Ring-LWOE”
     Ring “learning without errors” on ring $R$: $(a_i, b_i = a_i s) \approx (a_i, u_i)$ (obviously insecure in our ring)
     Ring-LWOE based (symmetric) encryption scheme:
     • Key generation: uniformly sample $sk = s$.
     • Encrypt $m \in \{0, 1\}$: $c = (a, b = -as + m)$.
     • Decrypt $c = (a, b)$: $m = as + b \pmod 2$. (The modular operation is needed for the actual scheme.)
     Circular security: $\mathrm{Enc}_s(s) = (a, -as + s) = (a, -(a - 1)s) = (a' + 1, -a's) = \mathrm{Enc}_s(0) + (1, 0)$

  10. Toy Example: Homomorphic Add.
      $c = (a, b)$ s.t. $as + b = m$, and $c' = (a', b')$ s.t. $a's + b' = m'$ $\Rightarrow$ $c_{add} = (a + a', b + b')$
      Correctness: adding $as + b = m$ and $a's + b' = m'$ gives $(a + a')s + (b + b') = m + m'$.

  11. Toy Example: Homomorphic Mult.
      $c = (a, b)$ s.t. $as + b = m$, and $c' = (a', b')$ s.t. $a's + b' = m'$ $\Rightarrow$ $c_{mult} = ?$
      Multiplying $as + b = m$ by $a's + b' = m'$ gives $(as + b) \cdot (a's + b') = m \cdot m'$, i.e. $g_2 s^2 + g_1 s + g_0 = m \cdot m'$, so $c_{mult} = (g_2, g_1, g_0)$.
      $\mathrm{Dec}_s(g_2, g_1, g_0) = g_2 s^2 + g_1 s + g_0 \pmod 2 = m \cdot m' \pmod 2$

  12. The Actual Scheme
      Just add noise…
      • Key generation: uniformly sample $sk = s$.
      • Encrypt $m \in \{0, 1\}$: $c = (a, b = -as + 2e + m)$.
      • Decrypt $c = (g_d, \ldots, g_1, g_0)$ (after hom. eval. of deg. $d$ function): $m = \sum_i g_i s^i \pmod 2 = \langle \vec{g}, \vec{s} \rangle \pmod 2$ (where $\vec{s} = (s^d, \ldots, s, 1)$).
      Noise grows exponentially with $d$ $\Rightarrow$ $d < \log q \approx n^{\epsilon}$.
      Squashing: Represent $s$ as sparse subset sum a la Gentry.

  13. Follow-Up Works
      • FHE from standard LWE without squashing [BV11b].
        – Techniques apply for RLWE as well.
      • Better noise management and further efficiency improvements [BGV11].
      • Implementation of (“somewhat homomorphic”) scheme [LNV11].

  14. Conclusion
      • We showed circular secure somewhat homomorphic encryption.
        – Q: Circular secure bootstrappable encryption?
      • Our scheme is basis for implementations (combined with follow-up) – hope for more efficient schemes.

  15. Thank you
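
The symmetric scheme of slides 9 to 12 (encrypt with noise, homomorphic add and mult, decrypt against powers of $s$) can be run end to end; the Python sketch below is an added example, not code from the presentation or its authors. The parameters `N = 16` and `Q = 12289`, the ternary noise distribution, the low-to-high ciphertext ordering and all function names are assumptions chosen so that a degree-2 evaluation decrypts correctly; they provide no security.

```python
import random
from itertools import zip_longest

N, Q = 16, 12289   # assumed toy parameters: R_q = Z_q[x]/(x^N + 1), Q an odd prime

def ring_mul(f, g):
    """Multiply in R_q: negacyclic convolution, because x^N = -1."""
    out = [0] * N
    for i, fi in enumerate(f):
        for j, gj in enumerate(g):
            k, sign = (i + j) % N, (-1 if i + j >= N else 1)
            out[k] = (out[k] + sign * fi * gj) % Q
    return out

def ring_add(f, g):
    return [(x + y) % Q for x, y in zip(f, g)]
def keygen(rng):
    return [rng.randrange(Q) for _ in range(N)]   # sk = s, uniform in R_q

def encrypt(s, m, rng):
    """c = (a, b = -a*s + 2e + m); stored low-to-high as [g_0, g_1] = [b, a]."""
    a = [rng.randrange(Q) for _ in range(N)]
    noise = [2 * rng.choice((-1, 0, 1)) for _ in range(N)]   # 2e, e "small"
    noise[0] += m                                            # bit m as a constant polynomial
    b = [(x - y) % Q for x, y in zip(noise, ring_mul(a, s))]
    return [b, a]

def phase(s, c):
    """sum_i g_i * s^i in R_q with coefficients lifted to (-Q/2, Q/2]."""
    acc, power = [0] * N, [1] + [0] * (N - 1)
    for g in c:
        acc = ring_add(acc, ring_mul(g, power))
        power = ring_mul(power, s)
    return [v - Q if v > Q // 2 else v for v in acc]

def decrypt(s, c):
    return phase(s, c)[0] % 2          # correct only while the noise stays below Q/2
def noise_size(s, c):
    return max(abs(v) for v in phase(s, c))

def hom_add(c1, c2):
    return [ring_add(x, y) for x, y in zip_longest(c1, c2, fillvalue=[0] * N)]
def hom_mult(c1, c2):
    """Multiply ciphertexts as polynomials in s: (a, b) x (a', b') -> (g_2, g_1, g_0)."""
    out = [[0] * N for _ in range(len(c1) + len(c2) - 1)]
    for i, x in enumerate(c1):
        for j, y in enumerate(c2):
            out[i + j] = ring_add(out[i + j], ring_mul(x, y))
    return out
```

Each further multiplication lengthens the ciphertext by one ring element and pushes `noise_size` toward `Q/2`, past which `decrypt` returns wrong bits; this is the noise growth that bounds the degree $d$ on slide 12.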
