Fully Homomorphic Encryption
Zvika Brakerski, Weizmann Institute of Science
Technion CRYPTODAY, December 2015
What Are You Searching For?
We know: medical information, navigation, email, business information, other personal information …
Want privacy!
Outsourcing Computation
[Figure: a client holds an input $x$, the server holds a function $f$ and returns $f(x)$. Examples: medical records → medical analysis → diagnosis; search query → web index (e.g. Google) → search results; location and destination → routing → route.]
What if $x$ is private?
How to Keep Private From the Cloud
"We promise we won't look at your data. Honest!"
We want real protection.
Fully Homomorphic Encryption (FHE): Outsourcing Computation Privately
• The client encrypts $x$ bit by bit with a randomized encryption and sends $Enc(x)$.
• The server computes $z = Eval(f, Enc(x))$ and returns $z$; the client recovers $Dec(z) = f(x)$.
• The server learns nothing about $x$.
• Fully homomorphic = homomorphism for any efficient $f$.
• Homomorphic evaluation function: $Eval(f, Enc(x)) \to Enc(f(x))$, with $f$ given as a circuit (computational model: circuits).
• Goal: $Eval$ for a universal set of gates, e.g. $NAND(x, y) = 1 - xy$.
Some Applications
In the cloud:
• Private outsourcing of computation.
• Near-optimal private outsourcing of storage (single-server PIR) [G09, BV11b].
• Verifiable outsourcing (delegation) [GGP11, CKV11, KRR13, KRR15].
• Private machine learning in the cloud [GLN12, HW13].
Secure multiparty computation:
• Low-communication multiparty computation [AJLTVW12, LTV12].
• More efficient MPC [BDOZ11, DPSZ12, DKLPSS12].
Primitives:
• Succinct argument systems [GLR11, DFH11, BCCT11, BC12, BCCT12, BCGT13, …].
• General functional encryption [GKPVZ12].
• Indistinguishability obfuscation for all circuits [GGHRSW13].
Making Crypto History
30 years of hardly scratching the surface:
• Addition only [RSA78, R79, GM82, G84, P99, R05].
• Addition + one multiplication [BGN05, GHV10].
• Other variants [SYY99, IP07, MGH10].
… is it even possible?
FHE Challenges
Understanding.
Security:
• Cryptographic assumptions.
• Security notions.
Efficiency:
• Size of keys/ciphertexts.
• Time overhead for Eval.
• Computational model.
Constructing (Somewhat) Homomorphic Encryption
Basic idea: find a scheme in which a ciphertext $c$ satisfies
  $c \equiv m + 2e \pmod{p}$
with $m$ the message bit, $2e$ a small (even) noise term, and $\equiv$ a secret algebraic equivalence, e.g. reduction modulo a secret $p$.
Adding/multiplying ciphertexts ⇒ adding/multiplying messages:
  $(m_1 + 2e_1) + (m_2 + 2e_2) = (m_1 + m_2) + 2(e_1 + e_2)$,
  $(m_1 + 2e_1)(m_2 + 2e_2) = m_1 m_2 + 2(m_1 e_2 + m_2 e_1 + 2 e_1 e_2)$.
Security? Noise grows with homomorphic evaluation and must not grow too much: decryption recovers $m$ only while $|m + 2e| < p/2$.
In the example above: $|e_{mult}| \approx e_{in}^2$.
Noise in Homomorphic Evaluation
Noise grows during homomorphic evaluation. With input noise $|e_{in}| \le E$ and $|e_{i+1}| \le |e_i|^2$ at each multiplication level, a circuit of depth $d$ gives
  $|e_{out}| \le E^{2^d}$.
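Added worked example (not from the talk): a toy symmetric version of the scheme on the two slides above, with ciphertexts $c = m + 2e + qp$ for a secret odd $p$, the NAND gate from the FHE definition slide, and the noise bound $E^{2^d}$ used to compute how deep a circuit the toy can evaluate before decryption stops being guaranteed. The parameters (64-bit $p$, 8-bit noise, 128-bit multiplier) and the function names are illustration-only assumptions; they are not secure values, and this is not one of the constructions cited in the talk.

```python
import random

# Toy symmetric "somewhat homomorphic" scheme over the integers, illustrating
# the slide's  c = m + 2e (mod p)  for a secret odd p.  All parameters below are
# assumptions chosen for demonstration only: they are far too small to be secure
# and this is not one of the constructions cited in the talk.
P_BITS = 64      # bit length of the secret modulus p
NOISE_BITS = 8   # every fresh noise value e has exactly this many bits
Q_BITS = 128     # bit length of the random multiple of p that hides the message


def seeded_rng(seed=2015):
    """Deterministic randomness so the demo is reproducible (not for real keys)."""
    return random.Random(seed)


def keygen(rng):
    """Secret key: a random odd p with exactly P_BITS bits."""
    return rng.getrandbits(P_BITS) | (1 << (P_BITS - 1)) | 1


def encrypt(p, m, rng):
    """c = m + 2e + q*p: message bit m, small even noise 2e, random multiple of p.
    The top bit of e is forced so that |m + 2e| is always at least 2^NOISE_BITS."""
    e = (1 << (NOISE_BITS - 1)) | rng.getrandbits(NOISE_BITS - 1)
    q = rng.getrandbits(Q_BITS)
    return m + 2 * e + q * p


def centered_mod(a, p):
    """Representative of a mod p in the range (-p/2, p/2)."""
    r = a % p
    return r - p if r > p // 2 else r


def noise(p, c):
    """Noise magnitude |m + 2e| of a ciphertext; requires the secret p."""
    return abs(centered_mod(c, p))


def decrypt(p, c):
    """(c mod p) mod 2; correct exactly when noise(p, c) < p/2."""
    return centered_mod(c, p) % 2


# Homomorphic operations are plain integer arithmetic on ciphertexts.
def hom_add(c1, c2):
    return c1 + c2            # noise adds:        |e_add| <= |e_1| + |e_2|


def hom_mul(c1, c2):
    return c1 * c2            # noise multiplies:  |e_mul| ~  |e_1| * |e_2|


def hom_nand(c1, c2):
    """NAND(x, y) = 1 - x*y; the integer 1 is a noise-free ciphertext of 1."""
    return 1 - hom_mul(c1, c2)


def fresh_noise_bound():
    """E: every fresh ciphertext has |m + 2e| < 2^(NOISE_BITS + 1)."""
    return 1 << (NOISE_BITS + 1)


def noise_bound_at_depth(d):
    """Worst-case noise after d levels of multiplication: E^(2^d)."""
    return fresh_noise_bound() ** (2 ** d)


def depth_budget(p):
    """Largest d with E^(2^d) < p/2, i.e. the multiplicative depth up to which
    decryption is guaranteed; deeper circuits may decrypt to garbage."""
    d = 0
    while noise_bound_at_depth(d + 1) < p // 2:
        d += 1
    return d


def squaring_chain(p, m, rng, depth):
    """Square a fresh ciphertext of m `depth` times and record the noise at
    each level, so the doubly exponential growth can be observed."""
    c = encrypt(p, m, rng)
    noises = [noise(p, c)]
    for _ in range(depth):
        c = hom_mul(c, c)
        noises.append(noise(p, c))
    return c, noises


if __name__ == "__main__":
    rng = seeded_rng()
    p = keygen(rng)
    for a in (0, 1):
        for b in (0, 1):
            ca, cb = encrypt(p, a, rng), encrypt(p, b, rng)
            print(f"NAND({a},{b}) decrypts to {decrypt(p, hom_nand(ca, cb))}")
    d = depth_budget(p)
    print(f"depth budget for a {P_BITS}-bit p: {d}")
    _, noises = squaring_chain(p, 1, rng, d + 1)
    for lvl, n in enumerate(noises):
        flag = "  (past p/2, decryption no longer guaranteed)" if lvl > d else ""
        print(f"level {lvl}: noise has {n.bit_length()} bits{flag}")
```

With these parameters the fresh noise is below $E = 2^9$, so $E^{2^d}$ stays under $p/2 \approx 2^{62}$ only for $d \le 2$; the third squaring pushes the noise past $2^{64}$ and the ciphertext wraps modulo $p$, which is exactly the depth limit the slides describe and the reason a real scheme needs the linear noise growth of the later constructions or bootstrapping.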
Some of the Progress Since 2009
• From ad-hoc assumptions to worst-case lattice assumptions [BV11b, BGV12, BV14]: as secure as any other encryption scheme.
• Noise is down to $|e_{mult}| \approx n \cdot |e_{in}|$ [BGV12, B12, GSW13, BV14], so $|e_{out}| \le n^d \cdot E$ (instead of $E^{2^d}$): "leveled" FHE.
• Using polynomial rings to improve efficiency [G09, SV10, BV11a, BGV12, GHS12a, GHS12b, GHS12c, GHPS13, AP13].
• "Batching" many messages in a single ciphertext [SV10, BGV12, GHS12a, GHS12b, GHS12c, HS15].
• But still need "bootstrapping" to get full homomorphism …
Bootstrapping [G09]
Given a scheme with bounded homomorphic depth $d_{hom}$, how to extend its homomorphic capability?
Idea: do a few operations, then "switch" to a new instance: from $(pk_1, sk_1)$ switch keys to $(pk_2, sk_2)$, then to $(pk_3, sk_3)$, and so on. Each switch has a "cost" in homomorphism.
How to Switch Keys
Decryption circuit: $Dec_{sk}(c) = x$.
Dual view: fix the ciphertext $c$ and regard decryption as a function of the key, $h_c(sk) := Dec_{sk}(c) = x$. Given $c$, the server can compute the circuit for $h_c$.
Publish a key-switching key $ksk = Enc_{pk'}(sk)$ (the old secret key encrypted under the new public key) and apply $h_c(\cdot)$ homomorphically to $sk$:
  $Eval_{pk'}(h_c, ksk) = Eval_{pk'}(h_c, Enc_{pk'}(sk)) = Enc_{pk'}(h_c(sk)) = Enc_{pk'}(Dec_{sk}(c)) = Enc_{pk'}(x)$.
Homomorphic capacity of the output: $d_{hom} - d_{h_c} = d_{hom} - d_{dec}$.
Bootstrapping [G09]
Given a scheme with bounded homomorphic depth $d_{hom}$, how to extend its homomorphic capability?
Idea: do a few operations, then "switch" to a new instance: $ksk_{1 \to 2} = Enc_{pk_2}(sk_1)$ moves from $(pk_1, sk_1)$ to $(pk_2, sk_2)$, $ksk_{2 \to 3} = Enc_{pk_3}(sk_2)$ moves on to $(pk_3, sk_3)$, and so on. Each switch costs $d_{dec}$ levels of homomorphic operations.
Secure? With a chain of independent keys, the ordinary security of the scheme suffices.
Downside: need to generate many keys …
⇒ Bootstrapping works if $d_{hom} \ge d_{dec} + 1$: at least one useful operation is left after each switch.
Bootstrapping [G09]
Given a scheme with bounded homomorphic depth $d_{hom}$, how to extend its homomorphic capability?
Idea: do a few operations, then "switch" to a new instance, and switch from the key to itself: $ksk = Enc_{pk}(sk)$ for the same pair $(pk, sk)$.
Functionality: switching works exactly as before.
Security: circular security is required, i.e. the scheme must stay secure when its own secret key is encrypted under its public key.
(Some) Public Implementations of FHE
• HElib (IBM/NYU): Ring-LWE (ideal-lattice) scheme of [BGV12] with the optimizations of [GHS12a]. https://github.com/shaih/HElib
• "Stanford FHE": LWE scheme of [B12] with optimizations. http://cs.stanford.edu/~dwu4/fhe.html
• FHEW (UCSD): Ring-LWE scheme of [DM14], built upon the approximate-eigenvector approach of [GSW13, BV14, AP14]; no batching but very fast bootstrapping. https://github.com/lducas/FHEW
So Where Is That Homomorphic Google Search?
• Circuit model = huge overhead. Inherent? Need to touch all elements in order not to leak.
• Bootstrapping is expensive. No known alternative for deep computations.
• Memory requirements are huge (GBs): large ciphertexts, long keys. Can "batch" to reduce overhead.
Thank You!