
MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture - PowerPoint PPT Presentation



  1. MIT 6.875 & Berkeley CS276 Foundations of Cryptography Lecture 21

  2. TODAY: Homomorphic Encryption

  3. 1. Secure Outsourcing. [Diagram: Input: $x$; Program: $P$. The client sends $\mathsf{Enc}(x)$ to the server (the cloud) and gets back $\mathsf{Enc}(P(x))$, from which it obtains $P(x)$.] A special case: encrypted database lookup, also called “private information retrieval” (next lec).

  4. 2. Secure Collaboration (also called Secure Computation). [Figure: Hospital; tables with columns (ID, Genome) and (ID, Phenotype).] “Parties learn the genotype-phenotype correlations and nothing else.”

  5. Homomorphic Encryption: Syntax (can be either secret-key or public-key enc). A 4-tuple of PPT algorithms $(\mathsf{Gen}, \mathsf{Enc}, \mathsf{Dec}, \mathsf{Eval})$ s.t.
     • $(sk, ek) \leftarrow \mathsf{Gen}(1^n)$. PPT key generation algorithm generates a secret key as well as a (public) evaluation key.
     • $c \leftarrow \mathsf{Enc}(sk, m)$. Encryption algorithm uses the secret key to encrypt message $m$.
     • $c' \leftarrow \mathsf{Eval}(ek, f, c)$. Homomorphic evaluation algorithm uses the evaluation key to produce an “evaluated ciphertext” $c'$.
     • $m \leftarrow \mathsf{Dec}(sk, c)$. Decryption algorithm uses the secret key to decrypt ciphertext $c$.

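  6. Homomorphic Encryption: Correctness. $\mathsf{Dec}(sk, \mathsf{Eval}(ek, f, \mathsf{Enc}(x))) = f(x)$. [Diagram: $x \xrightarrow{\mathsf{Enc}} c \xrightarrow{\mathsf{Eval}(\cdot,\, f,\, \cdot)} c' \xrightarrow{\mathsf{Dec}} f(x)$.]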

  7. Homomorphic Encryption: Security. [Diagram: the client, with input $x$ and function $f$, sends $\mathsf{Enc}(sk, x)$ to the server (the cloud), which returns $\mathsf{Enc}(f(x))$.] Security against the curious cloud = standard IND-security of secret-key encryption. Key point: Eval is an entirely public algorithm with public inputs.

  8. Here is a homomorphic encryption scheme…
     • $(sk, -) \leftarrow \mathsf{Gen}(1^n)$. Use any old secret key enc scheme.
     • $c \leftarrow \mathsf{Enc}(sk, m)$. Just the secret key encryption algorithm…
     • $c' \leftarrow \mathsf{Eval}(ek, f, c)$. Output $c' = c \,\|\, f$. So Eval is basically the identity function!!
     • $m \leftarrow \mathsf{Dec}(sk, c')$. Parse $c' = c \,\|\, f$ as a ciphertext concatenated with a function description. Decrypt $c$ and compute the function $f$.
     This is correct and it is IND-secure.

  9. Homomorphic Encryption: Compactness. The size (bit-length) of the evaluated ciphertext and the runtime of the decryption are independent of the complexity of the evaluated function. A relaxation: the size (bit-length) of the evaluated ciphertext and the runtime of the decryption depend sublinearly on the complexity of the evaluated function.

  10. Big Picture: Two Steps to FHE
      • Leveled Secret-key Homomorphic Encryption: evaluate circuits of a-priori bounded depth $d$. “You give me a depth bound d, I will give you a homomorphic scheme that handles depth-d circuits…”
      • Bootstrapping Theorem: from “circular secure” Leveled FHE to Pure FHE (at the cost of an additional assumption). “I will give you a homomorphic scheme that handles circuits of ANY size/depth.”

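  11. How to Compute Arbitrary Functions. For us, programs = functions = Boolean circuits with XOR ($+ \bmod 2$) and AND ($\times \bmod 2$) gates. [Circuit diagram: from $\mathsf{Enc}(x_1)$ and $\mathsf{Enc}(x_2)$, a $+$ gate gives $\mathsf{Enc}(x_1 + x_2)$; from $\mathsf{Enc}(x_3)$ and $\mathsf{Enc}(x_4)$, a $\times$ gate gives $\mathsf{Enc}(x_3 x_4)$; a final $\times$ gate gives $\mathsf{Enc}((x_1 + x_2)\, x_3 x_4)$.] Takeaway: if you can compute XOR and AND on encrypted bits, you can compute everything.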

  12. Learning with Errors (LWE). Given: $A$ and $A\mathbf{s} + \mathbf{e}$. GOAL: find $\mathbf{s}$. Parameters: dimensions $n$ and $m$, modulus $q$, error distribution $\chi$ = uniform in some interval $[-B, \ldots, B]$. $A$ is chosen at random from $\mathbb{Z}_q^{m \times n}$, $\mathbf{s}$ from $\mathbb{Z}_q^n$ and $\mathbf{e}$ from $\chi^m$.

  13. Setting Parameters. Put together, we are safe with:
      • $n$ = security parameter (≈ 1 − 10K)
      • $m$ = arbitrary poly in $n$
      • $B$ = small poly in $n$, say $n$
      • $q$ = poly in $n$, larger than $B$, and could be as large as sub-exponential, say $2^{n^{0.99}}$
      even from quantum computers, AFAWK!

  14. Decisional LWE. Can you distinguish between $(A,\ A\mathbf{s} + \mathbf{e})$ and $(A,\ \mathbf{b})$? Theorem: “Decisional LWE is as hard as LWE”.

  15. Basic (Secret-key) Encryption [Regev05]. $n$ = security parameter, $q$ = “small” modulus.
      • Secret key $sk$ = uniformly random vector $\mathbf{s} \in \mathbb{Z}_q^n$
      • Encryption $\mathsf{Enc}_{\mathbf{s}}(\mu)$: // $\mu \in \{0,1\}$
        – Sample uniformly random $\mathbf{a} \in \mathbb{Z}_q^n$, “small” noise $e \in \mathbb{Z}$
        – The ciphertext $c = (\mathbf{a},\ b = \langle \mathbf{a}, \mathbf{s} \rangle + e + \mu\, q/2)$
      • Decryption $\mathsf{Dec}_{sk}(c)$: Output $\mathrm{Round}_{q/2}(b - \langle \mathbf{a}, \mathbf{s} \rangle \bmod q)$ // correctness as long as $|e| < q/4$

  16. New (Secret-key) Encryption: Take 1
      • Private key: a vector $s \in \mathbb{Z}_q^n$
      • Private-key encryption of a bit $m \in \{0, 1\}$: $C = \begin{pmatrix} A \\ sA \end{pmatrix} + m I$ ($A$ is random (n+1) X n matrix)
      • Decryption: $[s \,\|\, {-1}] \cdot C = m \cdot [s \,\|\, {-1}] \pmod q$
      Message = eigenvalue; private key = eigenvector of the ciphertext matrix.
      🙂 INSECURE! Easy to solve linear equations.

  17. New (Secret-key) Encryption: Take 1. $\vec{t} \cdot C = m \cdot \vec{t} \pmod q$, $\vec{t} = [s \,\|\, {-1}]$.
      ► Homomorphic addition: $C_1 + C_2$. $\vec{t}$ is an eigenvector of $C_1 + C_2$ with eigenvalue $m_1 + m_2$.
      ► Homomorphic multiplication: $C_1 C_2$. $\vec{t}$ is an eigenvector of $C_1 C_2$ with eigenvalue $m_1 m_2$.
      Proof: $\vec{t} \cdot C_1 C_2 = (m_1 \cdot \vec{t}) \cdot C_2 = m_1 \cdot m_2 \cdot \vec{t}$.
      But, remember, the scheme is insecure? Key idea: fix insecurity while retaining homomorphism.

  18. New (Secret-key) Encryption: Take 2
      • Private key: a vector $s \in \mathbb{Z}_q^n$
      • Private-key encryption of a bit $m \in \{0, 1\}$: $C = \begin{pmatrix} A \\ sA + e \end{pmatrix} + m I$ ($A$ is random (n+1) X n matrix)
      • Decryption: $[s \,\|\, {-1}] \cdot C \approx m \cdot [s \,\|\, {-1}] \pmod q$
      Message = approx eigenvalue; private key = approx eigenvector of the ciphertext matrix.
      🙃 CPA-secure by LWE.

  19. New (Secret-key) Encryption: Take 2. $\vec{t} \cdot C = m \cdot \vec{t} + \vec{e} \pmod q$, $\vec{t} = [s \,\|\, {-1}]$.
      ► Homomorphic addition: $C_1 + C_2$
      $\vec{t} \cdot (C_1 + C_2) = \vec{t} C_1 + \vec{t} C_2 = m_1 \vec{t} + \vec{e}_1 + m_2 \vec{t} + \vec{e}_2 = (m_1 + m_2)\, \vec{t} + (\vec{e}_1 + \vec{e}_2) \approx (m_1 + m_2)\, \vec{t}$
      Noise grows a little.

  20. New (Secret-key) Encryption: Take 2. $\vec{t} \cdot C = m \cdot \vec{t} + \vec{e} \pmod q$, $\vec{t} = [s \,\|\, {-1}]$.
      ► Homomorphic multiplication: $C_1 C_2$ (can also use $C_2 C_1$)
      $\vec{t} \cdot (C_1 \cdot C_2) = (m_1 \vec{t} + \vec{e}_1)\, C_2 = m_1 \vec{t} C_2 + \vec{e}_1 C_2 = m_1 (m_2 \vec{t} + \vec{e}_2) + \vec{e}_1 C_2 = m_1 m_2 \vec{t} + \underbrace{m_1 \vec{e}_2 + \vec{e}_1 C_2}_{\vec{e}_{mult}}$
      Noise grows. Need $C_2$ to be small! How?!

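  21. Aside: Binary Decomposition. Break each entry in $C$ into its binary representation:
      $C = \begin{pmatrix} 3 & 5 \\ 1 & 4 \end{pmatrix} \pmod 8 \;\Rightarrow\; \mathrm{bits}(C) = \begin{pmatrix} 0 & 1 \\ 1 & 0 \\ 1 & 1 \\ 0 & 1 \\ 0 & 0 \\ 1 & 0 \end{pmatrix} \pmod 8$
      Small entries like we wanted! Consider the “reverse” operation, with a matrix $G$ of $k$ rows and $k \log q$ columns:
      $G \cdot \mathrm{bits}(C) = \begin{pmatrix} 4 & 2 & 1 & 0 & 0 & 0 \\ 0 & 0 & 0 & 4 & 2 & 1 \end{pmatrix} \cdot \mathrm{bits}(C) = C$
      Denote $\mathrm{bits}(C)$ by $G^{-1}(C)$, which has “small” entries, so that $\vec{t} \cdot C = \vec{t} \cdot G \cdot G^{-1}(C)$.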

  22. New (Secret-key) Encryption: Take 3
      • Private key: a vector $s \in \mathbb{Z}_q^n$
      • Private-key encryption of a bit $m \in \{0, 1\}$: $C = \begin{pmatrix} A \\ sA + e \end{pmatrix} + m G$ ($A$ is random (n+1) X n log q matrix)
      • Decryption: $[s \,\|\, {-1}] \cdot C \approx m \cdot [s \,\|\, {-1}] \cdot G \pmod q$
      Message = approx “eigenvalue”; private key = approx eigenvector of the ciphertext matrix.
      🙃 Still CPA-secure by LWE.

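  23. New (Secret-key) Encryption: Take 3. $\vec{t} \cdot C = m \cdot \vec{t} \cdot G + \vec{e} \pmod q$, $\vec{t} = [s \,\|\, {-1}]$.
      ► Homomorphic multiplication: $C_{mult} = C_1 \cdot G^{-1}(C_2)$
      $\vec{t} \cdot C_1 \cdot G^{-1}(C_2) = (\vec{e}_1 + m_1 \cdot \vec{t} \cdot G) \cdot G^{-1}(C_2)$
      $= \vec{e}_1 \cdot G^{-1}(C_2) + m_1 \cdot \vec{t} \cdot G \cdot G^{-1}(C_2)$
      $= \vec{e}_1 \cdot G^{-1}(C_2) + m_1 \cdot \vec{t} \cdot C_2$
      $= \vec{e}_1 \cdot G^{-1}(C_2) + m_1 \cdot (\vec{e}_2 + m_2 \cdot \vec{t} \cdot G)$
      $= \underbrace{\vec{e}_1 \cdot G^{-1}(C_2) + m_1 \cdot \vec{e}_2}_{\vec{e}_{mult}} + m_1 m_2 \cdot \vec{t} \cdot G$
      $\|\vec{e}_{mult}\| \le n \log q \cdot \|\vec{e}_1\| + m_1 \cdot \|\vec{e}_2\| \le (n \log q + 1) \cdot \max\{\|\vec{e}_1\|, \|\vec{e}_2\|\}$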

  24. Homomorphic Circuit Evaluation. Let $N = n \log q$. Noise grows during homomorphic eval:
      • per level: $\|\vec{e}_{i+1}\| \le (N + 1)\, \|\vec{e}_i\|$
      • $\|\vec{e}_{input}\| \le B\,[\ldots]$
      • at depth $d$: $\|\vec{e}_{output}\| \le (N + 1)^d \cdot B\,[\ldots] \approx N^d B\,[\ldots]$
      ⇒ Decryptable if $q \gg N^d B\,[\ldots]$ (for security: $q \ll 2^n$). So this can support $d \approx n^{0.99}$.

  25. Big Picture: Two Steps to FHE
      • Leveled Secret-key Homomorphic Encryption: evaluate circuits of a-priori bounded depth $d$. “You give me a depth bound d, I will give you a homomorphic scheme that handles depth-d circuits…”
      • Bootstrapping Theorem: from “circular secure” Leveled FHE to Pure FHE (at the cost of an additional assumption). “I will give you a homomorphic scheme that handles circuits of ANY size/depth.”

  26. From Leveled to Fully Homomorphic. [Diagram: the client, with input $x$ and function $f$, sends $\mathsf{Enc}(sk, x)$ to the server (the cloud).] The cloud keeps homomorphically computing, but after a certain depth, the ciphertext is too noisy to be useful. What to do? Idea: “Bootstrapping”!
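
Slides 21 to 23 in runnable form, evaluating the slide 11 circuit on encrypted bits. This is an added toy example, not code from the lecture: the parameters (n = 4, q = 2^16, B = 1), the helper names and the matrix shapes (A is n x W so that the stacked matrix matches G) are assumptions chosen so it runs quickly, and they are far too small to be secure.

```python
import random

n, k = 4, 16          # toy sizes (assumed, insecure): LWE dimension n, k = log2 q
q, B = 1 << k, 1      # modulus q = 2^k; each noise entry is drawn from [-B, B]
W = (n + 1) * k       # a ciphertext is an (n+1) x W matrix mod q

# Gadget G: row i carries (2^(k-1), ..., 2, 1) in block i (the "4 2 1" rows of slide 21).
G = [[1 << (k - 1 - j % k) if j // k == i else 0 for j in range(W)]
     for i in range(n + 1)]

def g_inv(C):
    """bits(C): W x W matrix of 0/1 entries with G * g_inv(C) = C."""
    return [[(C[i][c] >> (k - 1 - b)) & 1 for c in range(W)]
            for i in range(n + 1) for b in range(k)]

def matmul(X, Y):
    cols = list(zip(*Y))
    return [[sum(x * y for x, y in zip(r, c)) % q for c in cols] for r in X]

def keygen(rng):
    return [rng.randrange(q) for _ in range(n)]

def enc(s, m, rng):
    """Take 3: C = [A ; sA + e] + m*G, with A uniform (n x W here) and e small."""
    A = [[rng.randrange(q) for _ in range(W)] for _ in range(n)]
    last = [(sum(s[i] * A[i][j] for i in range(n)) + rng.randint(-B, B)) % q
            for j in range(W)]
    return [[(a + m * g) % q for a, g in zip(r, gr)] for r, gr in zip(A + [last], G)]

def t_dot(s, C):      # t*C mod q for t = [s || -1]
    return [(sum(s[i] * C[i][j] for i in range(n)) - C[n][j]) % q for j in range(W)]

def dec(s, C):
    # t*G at column n*k is -2^(k-1) = q/2 (mod q), so t*C there is m*q/2 + noise.
    return 1 if q // 4 <= t_dot(s, C)[n * k] < 3 * q // 4 else 0

def noise(s, C, m):
    """Largest centred |entry| of t*C - m*t*G mod q (m = integer eigenvalue)."""
    d = [(x - m * y) % q for x, y in zip(t_dot(s, C), t_dot(s, G))]
    return max(min(x, q - x) for x in d)

def add(C1, C2):      # XOR gate: C1 + C2
    return [[(a + b) % q for a, b in zip(r1, r2)] for r1, r2 in zip(C1, C2)]
def mul(C1, C2):      # AND gate: C1 * G^{-1}(C2)
    return matmul(C1, g_inv(C2))

def eval_slide11(s, x, rng):   # (x1 + x2) * x3 * x4 computed on encrypted bits
    c1, c2, c3, c4 = (enc(s, b, rng) for b in x)
    return dec(s, mul(add(c1, c2), mul(c3, c4)))
```

Because the decryption column of t·G is q/2 mod q, an integer eigenvalue of 2 after addition decodes as 0, which is why C1 + C2 acts as XOR here.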
