Fully Homomorphic Encryption without Modulus Switching from - PowerPoint PPT Presentation

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University CRYPTO 2012

Outsourcing Computation 𝑦 𝑦 𝑔 𝑔(𝑦) Email, web- search, navigation, social networking… Search query, location, business information, medical information… What if 𝑦 is private?

Outsourcing Computation – Privately Learns nothing on 𝑦 . 𝐹𝑜𝑑(𝑦) 𝑦 𝑔 𝑧 𝐸𝑓𝑑 𝑧 = 𝑔(𝑦) Homomorphic Encryption 𝑔, 𝐹𝑜𝑑 𝑦 1 , … , 𝐹𝑜𝑑 𝑦 𝑜 → 𝐹𝑜𝑑(𝑔 𝑦 1 , … , 𝑦 𝑜 ) We assume w.l.o.g 𝑔 ∈ *+,×+ (over ℤ 2 ).

The Old Days of FHE 2009-2011 • Gentry’s breakthrough [G09,G10] – first candidate. • [vDGHV10, BV11a] : Similar outline, different assumptions. • [GH11] : Chimeric-FHE. • Efficiency attempts [SV10,SS10,GH10,LNV11] .

2 nd Generation FHE • [BV11b] : LWE-based FHE (= apx. short vector in lattice). – Better assumption. – Clean presentation: no ideals, no “squashing”. – Efficiency improvement. • [BGV12] : Improved performance via Modulus Switching. – Quantitatively better assumption. – “Leveled” homomorphism without bootstrapping. – Efficiency improvements using ideals (“batching”). [GHS11,GHS12a, GHS12b] : Efficiency improvements and optimizations using ideals.

This work: Modulus switching is a red herring “Scale - independent encryption” ⇒ better performance with less headache

FHE 101 [BV11b] Security based on 𝑀𝑋𝐹 𝑜,𝑟,𝛽 The Scheme: 𝑑 ⋅ 𝑡 = 𝑛 + 2𝑓 + 𝑟𝐽 𝑜 Secret key: 𝑡 ∈ ℤ 𝑟 𝑜 small (initial) noise 𝑓 < 𝐶 = 𝛽𝑟 Ciphertext: 𝑑 ∈ ℤ 𝑟 1 dec. if 𝑓 /𝑟 < 4 Encryption algorithm: Doesn’t matter. Decryption algorithm: 𝑑 ⋅ 𝑡 𝑛𝑝𝑒 𝑟 (𝑛𝑝𝑒 2) .

FHE 101 [BV11b] The Scheme: 𝑑 ⋅ 𝑡 = 𝑛 + 2𝑓 + 𝑟𝐽 𝑜 Secret key: 𝑡 ∈ ℤ 𝑟 𝑜 small (initial) noise 𝑓 < 𝐶 = 𝛽𝑟 Ciphertext: 𝑑 ∈ ℤ 𝑟 1 dec. if 𝑓 /𝑟 < 4 That again? Just add’em, dude… Additive Homomorphism: 𝑑 1 , 𝑑 2 ⇒ 𝑑 1 + 𝑑 2 𝑛𝑝𝑒 𝑟

FHE 101 [BV11b] The Scheme: 𝑑 ⋅ 𝑡 = 𝑛 + 2𝑓 + 𝑟𝐽 𝑜 Secret key: 𝑡 ∈ ℤ 𝑟 𝑜 small (initial) noise 𝑓 < 𝐶 = 𝛽𝑟 Ciphertext: 𝑑 ∈ ℤ 𝑟 1 dec. if 𝑓 /𝑟 < 4 Multiplicative Homomorphism: 𝑜 2 𝑡𝑙 changed… 𝑑 1 , 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 𝑟 ∈ ℤ 𝑟 noise blows up! 𝑪 → 𝑪 𝟑 → ⋯ → 𝑪 𝟑 𝒆 but we can bring it back vector of all cross terms 𝑑 1 𝑗 ⋅ 𝑑 2 𝑘 𝑗,𝑘 (we have the technology) 1 dec. if 𝐶 2 𝑒 /𝑟 < 4 𝑑 1 ⊗ 𝑑 2 ⋅ 𝑡 ⊗ 𝑡 = 𝑑 1 ⋅ 𝑡 ⋅ 𝑑 2 ⋅ 𝑡 = 𝑛 1 + 2𝑓 1 ⋅ 𝑛 2 + 2𝑓 2 (𝑛𝑝𝑒 𝑟) = 𝑛 1 𝑛 2 + 2 ⋅ 𝑃 𝑓 1 𝑓 2 (𝑛𝑝𝑒 𝑟) ~𝐶 2

Modulus Switching [BGV12] Idea: Bring noise back down by dividing the entire ciphertext by 𝐶 . 𝑜 𝑜 𝑑 /𝐶 ∈ ℤ 𝑟/𝐶 𝑑 ∈ ℤ 𝑟 /𝐶 with noise |𝑓| < 𝐶 2 with noise |𝑓| < 𝐶 (make sure not to harm the message bit 𝑛 ) Noise/modulus evolution: (𝑪, 𝒓) → (𝑪, 𝒓/𝑪) → ⋯ → (𝑪, 𝒓/𝑪 𝒆 ) dec. if 𝐶 𝑒+1 < 𝑟/4

My Problems with Modulus Switching 1. Modulus switching is scale-dependent. Scaling 𝐶, 𝑟 changes performance: - Smaller 𝐶, 𝑟  smaller 𝐶 𝑒+1 /𝑟  better homomorphism. 2. What does modulus switching really do? n othing… - Same as a scaling factor in the tensoring process ( 𝑑 1 , 𝑑 2 ⇒ 𝜐 ⋅ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 𝑟 ). - In a “correct” scale, this factor should be 1.

Our Solution: Scale-Independent FHE 𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽 ∈ ℤ 𝑜 Secret key: 𝑡 𝑜 small (initial) noise 𝜗 < 2𝛽 Ciphertext: 𝑑 ∈ ℝ 2 1 dec. if 𝜗 < 2 real numbers 𝑛𝑝𝑒 2 ≡ (−1,1] Compare with previous: Hardness assumption is the same 𝑀𝑋𝐹 𝑜,𝑟,𝛽 .

Scale-Independent Multiplication 𝑛 + 2𝐽 ≈ 𝑑 ⋅ 𝑡 ≤ 𝑡 1 𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽 ∈ ℤ 𝑜 Secret key: 𝑡 𝑜 small (initial) noise 𝜗 < 2𝛽 Ciphertext: 𝑑 ∈ ℝ 2 1 dec. if 𝜗 < 2 real numbers 𝑛𝑝𝑒 2 ≡ (−1,1] Multiplicative Homomorphism: 𝑜 2 𝑑 1 , 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 2 ∈ ℝ 2 Careful! 1/2 𝑛𝑝𝑒 2 ⋅ 2 𝑛𝑝𝑒 2 ≠ 1 (𝑛𝑝𝑒 2) 𝑑 1 ⊗ 𝑑 2 ⋅ 𝑡 ⊗ 𝑡 = 𝑑 Noise blowup: 𝜷 → 𝜷 ⋅ 𝒕 𝟐 1 ⋅ 𝑡 ⋅ 𝑑 2 ⋅ 𝑡 = 𝑛 1 + 𝜗 1 + 2𝐽 1 ⋅ 𝑛 2 + 𝜗 2 + 2𝐽 2 (𝑛𝑝𝑒 2) = 𝑛 1 𝑛 2 + 𝜗 1 ⋅ 𝑛 2 + 2𝐽 2 + 𝜗 2 ⋅ 𝑛 1 + 2𝐽 1 + 𝜗 1 𝜗 2 (𝑛𝑝𝑒 2) ~𝛽 2 = tiny! ~𝛽 ⋅ |𝑛 + 2𝐽| ≲ 𝛽 ⋅ 𝑡 1

Scale-Independent Multiplication 𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽 ∈ ℤ 𝑜 Secret key: 𝑡 𝑜 small (initial) noise 𝜗 < 2𝛽 Ciphertext: 𝑑 ∈ ℝ 2 1 dec. if 𝜗 < 2 real numbers 𝑛𝑝𝑒 2 ≡ (−1,1] Multiplicative Homomorphism: 𝑜 2 𝑑 1 , 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 2 ∈ ℝ 2 Noise blowup: 𝜷 → 𝜷 ⋅ 𝒕 𝟐 Not good enough: 𝑡 1 ≈ 𝑜𝑟 Solution: Decompose the elements of 𝑡 into 𝑜 log 𝑟 bits.

Binary Decomposition 𝑡 = 𝑡 1 , 𝑡 2 , … 𝑑 = 𝑑 1 , 𝑑 2 , … 𝑡 ⋅ 𝑑 = 𝑡 1 ⋅ 𝑑 1 + 𝑡 2 ⋅ 𝑑 2 + ⋯ 𝑡 = 𝑡 1 0 , … , 𝑡 1 log 𝑟 , 𝑡 2 0 , … , 𝑡 2 log 𝑟 , … = 𝑑 1 , 2𝑑 1 , … , 2 log 𝑟 𝑑 1 , 𝑑 2 , 2𝑑 2 , … , 2 log 𝑟 𝑑 2 , … 𝑑 = 𝑡 1 𝑗 ⋅ 2 𝑗 𝑑 1 + 𝑡 2 𝑗 ⋅ 2 𝑗 𝑑 2 𝑡 ⋅ 𝑑 + ⋯ 𝑗 𝑗 = 𝑡 1 ⋅ 𝑑 1 + 𝑡 2 ⋅ 𝑑 2 + ⋯

Scale-Independent Multiplication 𝑡 1 ≤ 𝑜 log 𝑟 𝑑 ⋅ 𝑡 = 𝑛 + 𝜗 + 2𝐽 ∈ *0,1+ 𝑜 log 𝑟 Secret key: 𝑡 small (initial) noise 𝜗 < 2𝛽 𝑜 log 𝑟 Ciphertext: 𝑑 ∈ ℝ 2 1 dec. if 𝜗 < 2 real numbers 𝑛𝑝𝑒 2 ≡ (−1,1] Multiplicative Homomorphism: 𝑜 2 𝑑 1 , 𝑑 2 ⇒ 𝑑 1 ⊗ 𝑑 2 𝑛𝑝𝑒 2 ∈ ℝ 2 Noise blowup: 𝜷 → 𝜷 ⋅ 𝒐 log 𝒓 ≤ 𝜷 ⋅ 𝒐 𝟑 Noise blowup: 𝜷 → 𝜷 ⋅ 𝒕 𝟐 For depth 𝑒 circuit: 𝛽 → 𝛽 ⋅ 𝑜 𝑃(𝑒) regardless of scale!

Full Homomorphism via Bootstrapping Evaluating depth 𝑒 circuit: 𝜷 → 𝜷 ⋅ 𝒐 𝑷(𝒆) For “bootstrapping”: 𝑒 = 𝑃(log 𝑜) ⇒ 𝜷 → 𝜷 ⋅ 𝒐 𝑷(𝐦𝐩𝐡 𝒐) ⇒ dec. if 𝜷 ≈ 𝒐 −𝑷(𝐦𝐩𝐡 𝒐) regardless of 𝑟 ! (in *BGV12+ only for “small” odd 𝑟 ) Using 𝑟 ≈ 2 𝑜 ⇒ Hardness based on classical GapSVP.

Conclusion • Scale-independence  FHE without modulus switching. • Homomorphic properties independent of 𝑟 . – But 𝑟 still matters for security. • Properties of [BGV12] extend. • Bonuses: – Our 𝑟 can be even (e.g. power of 2). – Security based on classical GapSVP (as opposed to quantum). • Simpler!

also see blog post with Boaz Barak: tiny.cc/fheblog1 ; tiny.cc/fheblog2

Farewell CRYPTO ’12…

also see blog post with Boaz Barak: tiny.cc/fheblog1 ; tiny.cc/fheblog2