fully homomorphic encryption
play

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of - PowerPoint PPT Presentation

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science Technion CRYPTODAY, December 2015 What Are You Searching For? We know Medical information, navigation, email, business information, other personal information Want


  1. Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science Technion CRYPTODAY, December 2015

  2. What Are You Searching For? We know Medical information, navigation, email, business information, other personal information … Want privacy!

  3. Outsourcing Computation medical search location, google web medical routing records query destination analysis index 𝑦 𝑦 𝑔 𝑔(𝑦) search results navigation diagnosis route What if 𝑦 is private?

  4. How to Keep Private From the Cloud We promise we wont look at your data. Honest! We want real protection.

  5. Fully Homomorphic Encryption (FHE) Outsourcing Computation – Privately Bit-by-bit randomized Learns nothing about 𝑦 . encryption πΉπ‘œπ‘‘(𝑦) 𝑦 𝑔 𝑧 = πΉπ‘€π‘π‘š 𝑔, πΉπ‘œπ‘‘ 𝑦 𝑧 𝐸𝑓𝑑 𝑧 = 𝑔(𝑦) Fully Homomorphic = Homomorphism for any efficient 𝑔 WANT NTED Homomorphic Evaluation function: computational model: 𝑔 given as circuit 𝑔, πΉπ‘œπ‘‘ 𝑦 β†’ πΉπ‘œπ‘‘(𝑔 𝑦 ) Goal: πΉπ‘€π‘π‘š for universal set of gates (NAND(x,y)=1-xy)

  6. Some Applications In the cloud: β€’ Private outsourcing of computation. β€’ Near-optimal private outsourcing of storage (single-server PIR). [G09,BV11b] β€’ Verifiable outsourcing (delegation). [GGP11,CKV11,KRR13,KRR15] β€’ Private machine learning in the cloud. [GLN12,HW13] Secure multiparty computation: β€’ Low-communication multiparty computation. [AJLTVW12,LTV12] β€’ More efficient MPC. [BDOZ11,DPSZ12,DKLPSS12] Primitives: β€’ Succinct argument systems. [GLR11,DFH11,BCCT11,BC12,BCCT12,BCGT13, … ] β€’ General functional encryption. [GKPVZ12] β€’ Indistinguishability obfuscation for all circuits. [GGHRSW13]

  7. Making Crypto History 30 years of hardly scratching the surface: β€’ Only-addition [RSA78, R79, GM82, G84, P99, R05] . β€’ Addition + 1 multiplication [BGN05, GHV10] . β€’ Other variants [SYY99, IP07, MGH10] . … is it even possible?

  8. FHE Challenges Understanding. Security. β€’ Cryptographic assumptions. β€’ Security notions. Efficiency. β€’ Size of keys/ciphertexts. β€’ Time overhead for Eval. β€’ Computational model.

  9. Constructing (Somewhat) Homomorphic Encryption secret algebraic equivalence e.g. (mod p) for secret p Basic Idea: Find scheme s.t. 𝑑 β‰ˆ 𝑛 + 2𝑓 message ciphertext small (even) noise Add/multiply ciphertexts β‡’ Add/multiply messages Security? Noise grows with homomorphic evaluation – must not grow β€œ too much ” ! In the example above: |𝑓 π‘›π‘£π‘šπ‘’ | β‰ˆ 𝑓 π‘—π‘œ 2

  10. Noise in Homomorphic Evaluation Noise grows during homomorphic evaluation Depth 𝑒 𝑓 𝑝𝑣𝑒 |𝑓 𝑝𝑣𝑒 | ≀ 𝐹 2 𝑒 … 𝑓 𝑗+1 ≀ 𝑓 𝑗 2 |𝑓 π‘—π‘œ | ≀ 𝐹 𝑓 π‘—π‘œ

  11. Some of the Progress Since 2009 β€’ From ad-hoc assumption to worst-case lattice assumption [BV11b,BGV12,BV14] . – As secure as any other encryption scheme. β€’ Noise is down to 𝑓 π‘›π‘£π‘šπ‘’ β‰ˆ 𝑙 β‹… 𝑓 π‘—π‘œ [BGV12,B12,GSW13,BV14] . 𝑓 𝑝𝑣𝑒 ≀ 𝑙 𝑒 β‹… 𝐹 (instead of 𝐹 2 𝑒 ). – – β€œ Leveled ” FHE. β€’ Using polynomial rings to improve efficiency [G09,SV10,BV11a,BGV12,GHS12a,GHS12b,GHS12c,GHPS13,AP13] . β€’ β€œ Batching ” many messages in single ciphertext [SV10,BGV12,GHS12a,GHS12b,GHS12c,HS15] . β€’ But still need β€œ bootstrapping ” to get full homomorphism …

  12. Bootstrapping [G09] Given scheme with bounded 𝑒 β„Žπ‘π‘› How to extend its homomorphic capability? Idea: Do a few operations, then β€œ switch ” to a new instance (π‘žπ‘™ 3 , 𝑑𝑙 3 ) Switch keys (π‘žπ‘™ 2 , 𝑑𝑙 2 ) β€œ cost ” in homomorphism (π‘žπ‘™ 1 , 𝑑𝑙 1 )

  13. How to Switch Keys Decryption circuit: 𝑦 Dual view: 𝑦 𝐸𝑓𝑑 𝑑𝑙 (β‹…) 𝐸𝑓𝑑 β‹… (𝑑) ≑ β„Ž 𝑑 β‹… 𝑑 𝑑𝑙 β„Ž 𝑑 𝑑𝑙 = 𝐸𝑓𝑑 𝑑𝑙 𝑑 = 𝑦 given 𝑑 , server can compute circuit for β„Ž 𝑑 β‹… 𝑏𝑣𝑦 = πΉπ‘œπ‘‘ π‘žπ‘™ β€² (𝑑𝑙) Apply β„Ž 𝑑 (β‹…) homomorphicly on 𝑑𝑙 ! πΉπ‘€π‘π‘š π‘žπ‘™β€² β„Ž 𝑑 , 𝑏𝑣𝑦 = πΉπ‘€π‘π‘š π‘žπ‘™β€² β„Ž 𝑑 , πΉπ‘œπ‘‘ π‘žπ‘™β€² 𝑑𝑙 = πΉπ‘œπ‘‘ π‘žπ‘™β€² β„Ž 𝑑 𝑑𝑙 = πΉπ‘œπ‘‘ π‘žπ‘™β€² 𝐸𝑓𝑑 𝑑𝑙 𝑑 = πΉπ‘œπ‘‘ π‘žπ‘™β€² (𝑦) hom. capacity of output: 𝑒 β„Žπ‘π‘› βˆ’ 𝑒 β„Ž 𝑑 = 𝑒 β„Žπ‘π‘› βˆ’ 𝑒 𝑒𝑓𝑑

  14. Bootstrapping [G09] Given scheme with bounded 𝑒 β„Žπ‘π‘› . How to extend its homomorphic capability? Downside: Need to generate many keys … Idea: Do a few operations, then β€œ switch ” to a new instance (π‘žπ‘™ 3 , 𝑑𝑙 3 ) 𝑏𝑣𝑦 2β†’3 = πΉπ‘œπ‘‘ π‘žπ‘™ 3 (𝑑𝑙 2 ) Switch keys (π‘žπ‘™ 2 , 𝑑𝑙 2 ) β€œ cost ” of 𝑒 𝑒𝑓𝑑 secure? 𝑏𝑣𝑦 1β†’2 = πΉπ‘œπ‘‘ π‘žπ‘™ 2 (𝑑𝑙 1 ) hom. operations for switch (π‘žπ‘™ 1 , 𝑑𝑙 1 ) β‡’ Bootstrapping if 𝑒 β„Žπ‘π‘› β‰₯ 𝑒 𝑒𝑓𝑑 + 1

  15. Bootstrapping [G09] Given scheme with bounded 𝑒 β„Žπ‘π‘› . How to extend its homomorphic capability? Idea: Do a few operations, then β€œ switch ” to a new instance 𝑏𝑣𝑦 = πΉπ‘œπ‘‘ π‘žπ‘™ (𝑑𝑙 ) (π‘žπ‘™ , 𝑑𝑙 ) switch from key to itself! functionality of (π‘žπ‘™ , 𝑑𝑙 ) switching works (π‘žπ‘™ , 𝑑𝑙 ) circular security required

  16. (Some) Public Implementations of FHE β€’ HElib (IBM/NYU) – Ring-LWE (ideal-lattice) scheme of [BGV12], optimizations of [GHS12a] – https://github.com/shaih/HElib β€’ β€œ Stanford FHE ” – LWE scheme of [B12] with optimizations – http://cs.stanford.edu/~dwu4/fhe.html β€’ FHEW (UCSD) – Ring-LWE scheme of [DM14], built upon approximate eigenvector approach of [GSW13,BV14,AP14] – No batching but very fast bootstrapping – https://github.com/lducas/FHEW

  17. So Where is That Homomorphic Google Search? β€’ Circuit model = huge overhead. – Inherent? Need to touch all elements to not leak. β€’ Bootstrapping is expensive. – No known alternative for deep computations. β€’ Memory requirements are huge (GBs). – Large ciphertexts, long keys. – Can β€œ batch ” to reduce overhead.

  18. Thank You!

Recommend


More recommend