Homomorphic Secret Sharing & Applications from Lattice-Based - PowerPoint PPT Presentation

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, & Peter Scholl

Fully Homomorphic Encryption (FHE) • Supports “homomorphic” computation on encrypted data Enc Dec Eval f x f(x) x f(x) pk sk

Additive Secret Sharing Elements in commutative group G s 0 s = s + s 1 • Secrecy : s i hides s • Reconstruction : s 0 + s 1 = s (in G)

[Boyle-Gilboa-Ishai 16] Homomorphic Secret Sharing (HSS) Eval P Share x 0 y 0 x + = P(x) x 1 y 1 Eval P • Security : x i hides x • Size : | x b | ~ | x | • Correctness : Eval P (x 0 ) + Eval P (x 1 ) = P (x)

HSS vs Fully Homomorphic Encryption (FHE) Enc Dec Eval f x f(x) x f(x) pk sk Eval f Share x 1 y 1 + x f(x) x 2 y 2 Eval f • Assuming 2+ non-colluding parties (sometimes not an issue!) • No need for keys • Additive reconstruction, broader assumptions, better efficiency

[Benolah86, Goldreich-Micali-Wigderson87] Special Case: Linear Homomorphism Eval AX+B Share y 0 x 0 = Ax+B x + x 1 y 1 Eval AX+B Similarly: (m,t)-HSS for degree m/(t+1) functions, unconditionally Challenge : Support homomorphism for richer function classes

Rough Landscape of HSS All P/poly

Rough Landscape of HSS “High-level” LWE+ Circuits [DHRW16, BGI15, BGILT18] Builds atop specific FHE “Mid-level” DDH, Paillier Branching Programs [BGI16, BCGIO17, DKK18, FGJS17] LWE [BKS19] Structured assumptions “Lapland” yielding PKE LPN Low-deg polynomials [BCGIKS19] Requires one-way Weird PRGs… functions [GI14,BGI15] “Low-level” OWF Simple functions [GI14, BGI15, BGI16b] “Algorithmica” None Linear Functions [Ben86]

This Talk • Sample Applications of HSS • Constructions • Part I: Simple HSS for Branching Programs from Lattices (R/LWE) • Part II: “Pseudorandom Correlation Generators” from LPN • Conclusion & Open problems

Applications of HSS • Low-Communication Secure Computation • Private Database Queries (2-server setting)

[Yao86,Goldreich-Micali-Wigderson87] Secure Computation x x’ … f(x,x’) f(x,x’) Such that Alice & Bob learn nothing but f(x,x’) Feasibility: If honest majority of parties, or based on computational assumptions [Yao86,GMW87,BenOrGoldwasserWigderson88,ChaumCrepauDamgard88]

Succinct Secure Computation Su How much communication is required to evaluate C(x,x’)? Input x small input Circuit C huge circuit x x’ Output small output C(x,x’) • Without security: ≤ |input| + |output| bits • With security “2PC” (reveal nothing except output): • For decades: Ω( C ) bits [Yao86, GMW87, BGW88, CCD88,…] • Using Fully Homomorphic Encryption (FHE): ~|input|+|output| bits [RAD77,Gen09]

Succinct Secure Computation from HSS HSS for [ Class] ⇒ 2PC for [ Class] with low communication x Eval C Share y 0 w 0 = C(w) w + w 1 y 1 Eval C x’

Succinct Secure Computation from HSS HSS for [ Class] ⇒ 2PC for [ Class] with low communication x Exchange additive Eval C Share output shares y 0 w 0 = C(x,x’) w + w 1 y 1 Eval C x’ Securely compute Note: Compact Share(x,x’) output shares suffice Comm ~ |inputs| * poly(λ) + |output|

Implications • FHE : Succinct 2PC for circuits • All rely on narrow set of assumptions (LWE / lattices) • High concrete costs • HSS for circuits: (relies anyway on FHE) • HSS for Branching Programs : Succinct 2PC for BP • New assumptions (“20 th century” discrete log-style) [BGI16a] • Better efficiency for certain regimes [BGI16a, BCGIO17, BKS19]

(2-Server) Private Information Retrieval (PIR) [ Chor-Goldreich-Kushilevitz-Sudan98 ] • Correctness : # Value Recover 𝑗 th entry 1 100101 Wishes to access item 𝑗 2 100100 without revealing 𝑗 3 011011 • Privacy (1 server) : 4 101010 ∀ indices 𝑗, 𝑗 * ∈ 𝑜 , 5 001001 6 110101 ∀ server 𝑡 ∈ [𝑛] , # Value 𝑤𝑗𝑓𝑥 4 given 𝑤𝑗𝑓𝑥 4 given 1 100101 ≈ 2 100100 index 𝑗 index 𝑗′ 3 011011 4 101010 5 001001 • Non-triviality: 6 110101 Communication < 𝑜 2 non-communicating servers Each holds a copy of (same) 𝑜 -entry DB

2-Server (Generalized) PIR from HSS [GI14,BGI15] # Value HSS-Share 0 (P) 1 100101 HSS-Eval(P 0 ,DB) 2 100100 Secret Input = 3 011011 4 101010 Private query output 0 5 001001 6 110101 predicate P output 1 # Value 1 100101 HSS-Eval(P 1 ,DB) 2 100100 HSS-Share 1 (P) 3 011011 4 101010 DB(P) = 5 001001 output 0 + output 1 6 110101 Program DB(P) = Example : “How many items # DB items satisfying P in DB satisfy secret predicate P?”

2-Server (Generalized) PIR from HSS out 1 [GI14,BGI15] out 2 # Value HSS-Eval(P 0 , DB 1 ) … ; 1 100101 ? 7 𝑝𝑣𝑢 8 out n HSS-Eval(P 0 , DB 2 ) 2 100100 Compute 3 011011 89: … 4 101010 ; 5 001001 HSS-Eval(P 0 , DB n ) ? + 𝑝𝑣𝑢 8 : ) 6 110101 7 (𝑝𝑣𝑢 8 # Value 89: HSS-Eval(P 1 , DB 1 ) 1 100101 ; ; ; … 2 100100 ? : : out 1 7 𝑝𝑣𝑢 8 3 011011 = 7 𝑝𝑣𝑢 8 + 7 𝑝𝑣𝑢 8 4 101010 out 2 89: 89: 89: 5 001001 … 6 110101 out n Program DB i (P) = 1 if DB item i satisfies P Idea : Can split complex function “DB” into a sum of simpler “Db i ” functions

2-Server (Generalized) PIR from HSS [GI14,BGI15] # Value HSS-Eval(P 0 , DB 1 ) ; 1 100101 ? 7 𝑝𝑣𝑢 8 HSS-Eval(P 0 , DB 2 ) 2 100100 Compute 3 011011 89: … 4 101010 ; ; 5 001001 HSS-Eval(P 0 , DB n ) ? : 7 𝑝𝑣𝑢 8 + 7 𝑝𝑣𝑢 8 6 110101 89: 89: # Value HSS-Eval(P 1 , DB 1 ) 1 100101 ; … 2 100100 : 7 𝑝𝑣𝑢 8 3 011011 4 101010 89: 5 001001 6 110101 Small (client à server) communication (similar to FHE) • Program DB i (P) = Small (server à client) communication (= rate 1) • 1 if DB item i satisfies P For simple queries, very efficient ! •

PIR: What is Known (Communication, n=|DB|) Statistical Privacy Computational Privacy ( 𝜇 = sec param) • 2+ servers : • 2+ servers : (one-way functions) Slightly 𝑜 B(:) [Yekh07,Efre09,DvirGopi15] (𝜇 + 2) log 𝑜 [Boyle-Gilboa-Ishai 16b] Rather complex • 1 server : Impossible. • 1 server : (public-key assumptions) poly(𝜇) log J 𝑜 [KushilevitzOstrovsky00,…] Requires public-key cryptography [DiCrescenzo-Malkin-Ostrovsky 00]

Other HSS Applications & Developments • Secure computation for RAM programs [Doerner-Shelat’17, Gordon-Katz-Wang’18, Bunn-Katz-Kushilevitz-Ostrovsky’18] • Proving statements split across verifiers [Boneh-Boyle-CorriganGibbs-Gilboa-Ishai’19] • Secure computation mixing Boolean & arithmetic operations [Boyle-Gilboa-Ishai’19] • Worst-case to average-case reductions in complexity theory [Boyle-Gilboa-Ishai-Lin-Tessaro’18] • Connection to locality-preserving hash [Boyle-Dinur-Gilboa-Ishai-Keller-Klein] • (& more!)

Part I: HSS from Lattices (LWE / Ring-LWE)

2-party HSS from “Threshold” FHE (Assuming necessary Threshold decryption sk 0 Structure) FHE-Eval C Dec(sk 0 ,y) FHE-Encrypt y y 0 w FHE = C(w) w + (pk,sk) w y y 1 FHE-Eval C Dec(sk 1 ,y) sk 0 Ciphertext-ciphertext 1 Decryption multiplications

1/poly correctness error Noise growth Previous work on HSS Only poly-size plaintext space Costly ciphertext mult. Computational specific FHE DDH overhead [DHRW16] [BGI16] (R)-LWE [This work] PRG [GI14,BGI15,…] Expressiveness Point functions etc. Branching Programs All circuits Yes. Q: Q: Can we build HSS from lattices, wi without FHE?

2-party HSS “W “With thout S t S/FHE” E” Cost of (restricted) multiplication ≈ cost of decryption sk 0 FHE-Eval C Dec(sk 0 ,y) Encrypt y y 0 w FHE = C(w) w + (pk,sk) w y y 1 FHE-Eval C Dec(sk 1 ,y) sk 0 Ciphertext-ciphertext 1 Decryption multiplications

HSS for Branching Programs from lattices without FHE [Boyle-Kohl-Scholl Eurocrypt’19]

Expressiveness of Branching Programs (BP) Captures NC 1 (Log-depth) & Log-space Multiplication of n n -bit numbers Streaming algorithms Min L 2 -distance from list of length- n vectors Many numerical / statistical calculations Finite automata Undirected graph connectivity FHE Decryption …

Useful Model: BPs via Restricted Multiplication Any (poly-size) Branching Program can be represented by (poly-many) of these operations Supported Operations: • Load Input • Add Memory values • Output Memory value • Multiply Input x Memory value (Missing: Multiply Memory x Memory)

Learning With Errors (LWE) & Ring LWE [Regev 05, Lyubashevsky-Peikert-Regev 13] • Assumptions underlying FHE & most lattice-based public-key crypto T×; : Given 𝐵 ∈ 𝑎 O LWE • 𝑞 > 2 ; • 𝑡 ← 𝑎 O 𝑡 𝐵 mod 𝑞 + 𝑓 ≈ 𝑣 𝑓 P is small • Ring-LWE: Version over polynomial rings (This talk: Only use encryption based on R/LWE, not its actual structure)

HSS for BPs from Lattices w/o FHE • Bottom line: (contrasted to HSS • Cheaper multiplication ≈ cost of (ring)-LWE decryption From FHE ) • Negligible correctness error (contrasted to HSS • Superpolynomial plaintext space From DDH ) • Highlights: • Tricks for using lattices in a distributed setting • Optimizations: degree-2, batching etc. • Concrete efficiency improvements in applications • Secure 2-party computation • 2-server private database queries