On Homomorphic Encryption
and Secure Computation
challenge
response
Shai Halevi
June 16, 2011
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
o Encrypt my data in the cloud
o While still allowing the cloud to search/sort/edit/…
this data on my behalf
o Keeping the data in the cloud in encrypted form
 Without needing to ship it back and forth to be
decrypted
June 16, 2011
2
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
o Encrypt my queries to the cloud
o While still allowing the cloud to process them
o Cloud returns encrypted answers
 that I can decrypt
June 16, 2011
3
Computing on Encrypted Data
Directions
• From: Tel-Aviv University,
Tel-Aviv, Israel
• To: Technion, Haifa, Israel
June 16, 2011
$skj#hS28ksytA@ …
4
Computing on Encrypted Data
$kjh9*mslt@na0
&maXxjq02bflx
m^00a2nm5,A4.
pE.abxp3m58bsa
(3saM%w,snanba
nq~mD=3akm2,A
Z,ltnhde83|3mz{n
dewiunb4]gnbTa*
kjew^bwJ^mdns0
June 16, 2011
5
Constructing
Homomorphic Encryption
Privacy Homomorphisms [RAD78]
Plaintext space P
x1
x2
ci  Enc(xi)
Ciphertext space C
c1
*
y
c2
#
y  Dec(d)
d
Some examples:
o “Raw RSA”: c  xe mod N (x  cd mod N)
 x1e x x2e = (x1 x x2)e mod N
o GM84: Enc(0)R QR, Enc(1)R QNR (in ZN*)
 Enc(x1) x Enc(x2) = Enc(x1x2) mod N
June 16, 2011
7
More Privacy Homomorphisms
o Mult-mod-p [ElGamal’84]
o Add-mod-N [Pallier’98]
o Quadratic-polys mod p [BGN’06]
o Branching programs [IP’07]
o Later, a “different type of solution” for any
circuit [Yao’82,…]
Also NC1 circuits [SYY’00]
June 16, 2011
8
(x,+)-Homomorphic Encryption
It will be really nice to have…
o Plaintext space Z2 (w/ ops +,x)
o Ciphertexts live in an algebraic ring R (w/ ops +,x)
o Homomorphic for both + and x
 Enc(x1) + Enc(x2) in R = Enc(x1+ x2 mod 2)
 Enc(x1) x Enc(x2) in R = Enc(x1 x x2 mod 2)
o Then we can compute any function on the encryptions
 Since every binary function is a polynomial
o We won’t get exactly this, but it’s a good motivation
June 16, 2011
9
Some Notations
o An encryption scheme: (KeyGen, Enc, Dec)
Plaintext-space = {0,1}
(pk,sk) KeyGen($), cEncpk(b), bDecsk(c)
o Semantic security [GM’84]:
(pk, Encpk(0))  (pk, Encpk(1))
 means indistinguishable by efficient algorithms
June 16, 2011
10
Homomorphic Encryption
o H = {KeyGen, Enc, Dec, Eval}
c*  Evalpk(f, c)
c*
o Homomorphic: Decsk(Evalpk( f, Encpk(x))) = f(x)
 c* may not look like a “fresh” ciphertext
 As long as it decrypts to f(x)
o Function-private: c* hides f
o Compact: Decrypting c* easier than computing f
 |c*| independent of the complexity of f
June 16, 2011
11
(x,+)-Homomorphic Encryption,
the [Gentry09] blueprint
Evaluate any function in four “easy” steps
o Step 1: Encryption from linear ECCs
 Additive homomorphism
o Step 2: ECC lives inside a ring
 Also multiplicative homomorphism
 But only for a few operations (i.e., low-degree poly’s)
o Step 3: Bootstrapping
 Few ops (but not too few)  any number of ops
o Step 4: Everything else
June 16, 2011
12
Step One:
Encryption from Linear ECCs
o For “random looking” codes, hard to
distinguish close/far from code
o Many cryptosystems built on this hardness
E.g., [McEliece’78, AD’97, GGH’97, R’03,…]
June 16, 2011
13
Encryption from linear ECCs
o KeyGen: choose a “random” code C
Secret key: “good representation” of C
 Allows correction of “large” errors
Public key: “bad representation” of C
o Enc(0): a word close to C
o Enc(1): a random word
Far from C (with high probability)
June 16, 2011
14
An Example: Integers mod p
(similar to [Regev’03])
p
N
o Code determined by an integer p
Codewords: multiples of p
o Good representation: p itself
o Bad representation:
ri << p
N = pq, and also many many xi = pqi + ri
o Enc(0): subset-sum(xi’s)+r mod N
o Enc(1): random integer mod N
June 16, 2011
15
A Different Input Encoding
o Both Enc(0), Enc(1) close to the code
Enc(0): distance to code is even
Enc(1): distance to code is odd
o In our example of integers mod p:
Enc(b) = 2(subset-sum(xi’s)+r) +b mod N
Dec(c) = (c mod p) mod 2
June 16, 2011
16
Additive Homomorphism
o c1+c2 = (codeword1+codeword2)
+2(r1+r2)+b1+b2
codeword1+codeword2  Code
If 2(r1+r2)+b1+b2 < min-dist/2, then it is the
dist(c1+c2, Code) = 2(r1+r2)+b1+b2
 dist(c1+c2, Code) mod 2 = b1+b2
o Additively-homomorphic while close to Code
June 16, 2011
17
Step 2: ECC Lives in a Ring R
o What happens when multiplying in R:
c1c2 = (codeword1+2r1+b1) x (codeword2+2r2+b2)
= codeword1 X + Y codeword2
+ (2r1+b1)(2r2+b2)
o If:
Code is an ideal
codeword1 X + Y codeword2  Code
 (2r1+b1)(2r2+b2) < min-dist/2
Product in R of small
o Then
elements is small
dist(c1c2, Code) = (2r1+b1)(2r2+b2) = b1b2 mod 2
June 16, 2011
18
Instantiations
o [Gentry ‘09] Polynomial Rings
Security based on hardness of “Bounded-Distance
Decoding” in ideal lattices
o [vDGHV ‘10] Integer Ring
Security based on hardness of the “approximateGCD” problem
o [GHV ‘10] Matrix Rings*
Only degree-2 polynomials, security based on
hardness of “Learning with Errors”
o [BV ‘11a] Polynomial Rings
Security based on “ring LWE”
June 16, 2011
19
Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
x1
x2
…
P
P(x1, x2 ,…, xt)
xt
June 16, 2011
26
Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
x1
x2
…
P
P(x1, x2 ,…, xt)
xt
o Can eval y=P(x1,x2…,xn) when xi’s are “fresh”
o But y is an “evaluated ciphertext”
Can still be decrypted
But eval Q(y) will increase noise too much
June 16, 2011
27
Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
x1
x2
…
P
P(x1, x2 ,…, xt)
xt
o Bootstrapping to handle higher degrees:
o For ciphertext c, consider Dc(sk) = Decsk(c)
Hope: Dc(*) is a low-degree polynomial in sk
Then so are Ac1,c2(sk) = Decsk(c1) + Decsk(c2)
and
Mc1,c2(sk) = Decsk(c1) x Decsk(c2)
June 16, 2011
28
Step 3: Bootstrapping [G’09]
o Include in the public key also Encpk(sk)
x1
c1
sk1
sk2
…
skn
June 16, 2011
x2
c2
Requires
“circular
security”
Mc1,c2
c
Mc1,c2(sk)
= Decsk(c1) x Decsk(c2) = x1 x x2
29
Step 3: Bootstrapping [G’09]
o Include in the public key also Encpk(sk)
x1
c1
sk1
sk2
…
skn
x2
c2
Requires
“circular
security”
Mc1,c2
c
Mc1,c2(sk)
= Decsk(c1) x Decsk(c2) = x1 x x2
o Homomorphic computation applied only to
the “fresh” encryption of sk
June 16, 2011
30
Step 4: Everything Else
o Cryptosystems from [G’09, vDGHV’10,
BG’11a] cannot handle their own decryption
o Tricks to “squash” the decryption procedure,
making it low-degree
June 16, 2011
31
Performance
o Evaluating only low-degree polynomials
may be reasonable
o But bootstrapping is inherently inefficient
Homomorphic decryption for each multiplication
o Best implementation so far is [GH’11a]
Public key size ~ 2GB
Evaluating a multiplication takes 30 minutes
June 16, 2011
32
Beyond the [G’09] Blueprint
o [GH’11b] no “squashing”, still very inefficient
o [BV’11b] no underlying ring, only vectors
Also no “squashing”, but still inefficient
o [G’11] no bootstrapping
Builds heavily on [BV’11b]
Reduces noise “cheaply” after each multiplication
Should be at least 2-3 orders of magnitude better
than [GV’11a]
June 16, 2011
33
Homomorphic Encryption
vs. Secure Computation
Secure Function Evaluation (SFE)
Client Alice has data x
Server Bob has function f
Alice wants to learn f(x)
1. Without telling Bob what x is
2. Bob may not want Alice to know f
3. Client Alice may also want server Bob
to do most of the work computing f(x)
June 16, 2011
35
Two-Message SFE [Yao’82,…]
Alice(x)
(c,s)SFE1(x)
y SFE3(s,r)
Bob(f)
c
r
r SFE2(f,c)
o Many different instantiations are available
 Based on hardness of factoring/DL/lattices/…
o Alice’s x and Bob’s f are kept private
o But Alice does as much work as Bob
 Bob’s reply of size poly(n) x (|f|+|x|)
June 16, 2011
36
Recall:
Homomorphic Encryption
o H = {KeyGen, Enc, Dec, Eval}
o Semantic security: (pk, Encpk(0))  (pk, Encpk(1))
c*
o Homomorphic: Decsk(Evalpk( f, Encpk(x))) = f(x)
 c* may not look like a “fresh” ciphertext
 As long as it decrypts to f(x)
o Function-private: c* hides f
o Compact: Decrypting c* easier than computing f
 |c*| independent of the complexity of f
June 16, 2011
37
Aside: a Trivial Solution
o Eval(f,c) = <f,c>, Dec*(<f,c>) = f (Dec(c))
o Neither function-private, nor compact
o Not very useful in applications
June 16, 2011
38
HE  Two-Message SFE
o Alice encrypts data x
sends to Bob c  Enc(x)
o Bob computes on encrypted data
sets c*  Eval(f, c)
c* is supposed to be an encryption of f(x)
Hopefully it hides f (function-private scheme)
o Alice decrypts, recovers y  Dec(c*)
June 16, 2011
39
Two-Message SFE  HE
o Roughly:
Alice’s message c  SFE1(x) is Enc(x)
Bob’s reply r  SFE2(f,c) is Eval(f,c)
o Not quite public-key encryption yet
Where are (pk, sk)?
Can be fixed with an auxiliary PKE scheme
June 16, 2011
40
Two-Message SFE  HE
Alice(pk,
Alice(x)x)
(c,s)SFE1(x)
y SFE3(s,r)
Bob(f)
Dora(sk)
c
r
r SFE2(f,c)
o Add an auxiliary encryption scheme
with (pk,sk)
June 16, 2011
41
Two-Message SFE  HE
Alice(pk, x)
(c,s)SFE1(x)
c’Encpk(s)
Bob(f)
Dora(sk)
c, c’
Enc’pk(x)
r SFE2(f,c)
Evalpk(f,c,c’)
r, c’
s Decsk(c’)
y SFE3(s,r)
Decsk(r,c’)
o Recall: |r| could be as large as poly(n)(|f|+|x|)
 Not compact
June 16, 2011
42
A More Complex Setting:
i-Hop HE [GHV’10b]
Alice(x)
c0Enc(x)
Bob(f)
c0
Charlie(g)
c1Eval(f,c0)
c1
c2Eval(g,c1)
Dora(sk)
c2
yDec(c2)
2-Hop Homomorphic Encryption
o c1 is not a fresh ciphertext
 May look completely different
o Can Charlie process it at all?
 What about security?
June 16, 2011
43
Multi-Hop Homomorphic Encryption
o H = {KeyGen, Enc, Eval, Dec} as before
o i-Hop Homomorphic (i is a parameter)
x
Encpk(x)
c0
Evalpk(f1,c0)
c1
Evalpk(f2,c1)
c2
…
cj
Decsk(x)
y
Any number ji hops
 y = fj(fj-1(… f1(x) …)) for any x, f1,…,fj
o Similarly for i-Hop function-privacy, compactness
o Multi-Hop: i-Hop for any i
June 16, 2011
44
1-Hop  multi-Hop HE
o (KeyGen,Enc,Eval,Dec) is 1-Hop HE
Can evaluate any single function on ctxt
o We have c1=Evalpk(f1,c0), and some other f2
Bootstrapping:
o Include with pk also c*=Encpk(sk)
o Consider Fc , f (sk) = f2( Decsk(c1) )
1
2
Let c2=Evalpk(Fc , f , c*)
1
June 16, 2011
2
45
1-Hop  multi-Hop HE
c*
fi
ci-1
sk
xi-1
Fci-1, fi
ci+1
Fc , f (sk)
= fi( Decsk(ci-1) ) = fi(xi-1)
i-1
i
o Drawback: |ci| grows exponentially with i:
 |Fc , f |  |ci-1|+| fi|
 |ci|= |Evalpk(Fc , f , c*)|  poly(n)(|ci-1|+| fi|)
i-1
i
i-1
i
o Does not happen if underlying scheme is compact
Or even |Evalpk(Fc
June 16, 2011
i-1, fi
, c*)| = |ci-1|+poly(n)| fi|
46
Other Constructions
o Private 1-hop HE + Compact 1-hop HE
 Compact, Private 1-hop HE
 Compact, Private multi-hop HE
o A direct construction of multi-hop HE
from Yao’s protocol
June 16, 2011
47
Summary
o Homomorphic Encryption is useful
Especially multi-hop HE
o A method for constructing HE schemes
from linear ECCs in rings
Two (+e) known instances so far
o Connection to two-message protocols for
secure computation
June 16, 2011
48
Thank You