Fully Homomorphic Encryption: current State of the Art

advertisement
CRYPTOGRAPHIC MULTILINEAR MAPS:
APPLICATIONS, CONSTRUCTION, CRYPTANALYSIS
Craig Gentry, IBM
Joint with Sanjam Garg (UCLA) and Shai Halevi (IBM)
Diamant Symposium, Doorn Netherlands
Cryptographic Bilinear Maps
(Weil and Tate Pairings)
Bilinear Maps in Cryptography

Cryptographic bilinear map
 Groups
G1, G2, GT of order l with canonical generators
g1, g2, gT and a bilinear map
e : G1 × G2 → GT where
 e(g1a,g2b)
= gTab for all a,b 2 Z/lZ.
 At least, “discrete log” problems in G1,G2 are “hard”.
 Given


g1, g1a for random a 2 [l], output a.
Symmetric bilinear map: G1 = G2. (Call these “G”.)
Instantiation: Weil or Tate pairings over elliptic curves.
Bilinear Maps: “Hard” Problems

Bilinear Diffie-Hellman: Given g, ga, gb, gc 2 G and
g’2GT, distinguish whether g’ = e(g,g)abc.
A
“tripartite” extension of classical Diffie-Hellman problem:
Given g, ga, gb, g’ 2 G, distinguish whether g’ = gab.
 Easy
Application: Tripartite key agreement [Joux00]:
Bob, Carol generate a,b,c and broadcast ga, gb, gc.
 They each separately compute the key K = e(g,g)abc.
 Alice,
Other Apps of Bilinear Maps: IBE

Identity-Based Encryption [Boneh-Franklin ‘01]
 Setup(1λ):
H : {0,1}* → G be a hash function that maps ID’s to G.
 Authority generates secret a. MSK = a and MPK = ga.
 Let
 KeyGen(MSK,ID):
Set gID = H(ID) 2 G. SKID = gIDa.
Generate random c. Set K=e(ga,gID)c.
Send CT = (gc, SymEncK(m)).
 Encrypt(MPK,ID,m):
 Decrypt(SKID,CT):
Compute K = e(SKID,gc).
Other Apps of Bilinear Maps:
Predicate Encryption

Predicate Encryption: a generalization of IBE.
 Setup(1λ,
predicate function F): Authority generates MSK,MPK.

x2{0,1}s): Authority uses MSK to generate key
SKx for string x. (x could represent user’s “attributes”)
 KeyGen(MSK,
 Encrypt(MPK,y2{0,1}t,
m): Encrypter generates ciphertext Cy
for string y. (y could represent an “access policy”)
 Decrypt(SKx,Cy):
Decrypt works (recovers m) iff F(x,y)=1.
Predicate Encryption schemes using bilinear maps are “weak”.
They can only enforce simple predicates computable by low-depth circuits.
Cryptographic Multilinear Maps
Definition/Functionality and Applications
Multilinear Maps: Definition/Functionality

Cryptographic n-multilinear map (for groups)
 Groups
G1, …, Gn of order l with generators g1, …, gn
 Family of maps:
ei,k : Gi × Gk → Gi+k for i+k ≤ n, where

 ei,k(gia,gkb)
= gi+kab for all a,b 2 Z/lZ.
 At least, the “discrete log” problems in {Gi} are “hard”.
 Notation
Simplification: e(gj1, …, gjt) = gj1+...+jt.
Multilinear Maps over Sets

Cryptographic n-multilinear map (for sets)
 Finite
ring R and sets Ei for all i 2 [n]: “level-i encodings”
 Each
set Ei is partitioned into Ei(a) for a 2 R: “level-i encodings of a”.
 Sampling:
It should be efficient to sample a “level-0” encoding
such that the distribution over R is uniform.
Note: In the “group”
 Equality testing: It should be efficient to distinguish
whether
setting, there
is onlytwo
encodings encode the same thing at the same
level.encoding
one level-i
Note:
the “group”
of a –Innamely,
gia.
setting, a level-0
Note: In the “group”
encoding is just a
setting, equality testing is
number in [l].
trivial, since the encodings
are literally the same.
Multilinear Maps over Sets (cont’d)

Cryptographic n-multilinear map (for sets)
 Addition/Subtraction:
There are ops + and – such that:
every i 2 [n], every a1, a2 2 R, every u1 2 Ei(a1), u2 2 Ei(a2):
 We have u1+u2 2 Ei(a1+a2) and u1-u2 2 Ei(a -a ).
 For
1
2
There is an op × such that:
Analogous to
(a1), u 2 E (a2):
 For every i+k ≤ n, every a1, a2 2 R, every u1 2 Eimultiplication
2
k
and division
 We have u1×u2 2 Ei+k(a ∙a ).
within a group.
 At least, the “discrete log” problems in {Sj} are “hard”.
Analogous to
 Given level-j encoding of a, hard to compute level-0
encoding of a.
the multilinear
map function
for groups
 Multiplication:
1
2
Multilinear Maps: Hard Problems



n-Multilinear DH (for sets): Given level-1 encodings of 1,
a1, …, an+1, and level-n encoding u, distinguish whether u
encodes a1∙∙∙an+1.
n-Multilinear DH (for groups): Given g1, g1a1,…, g1an+1 2
G1, and g’2Gn, distinguish whether g’ = gna1…an+1.
Easy Application: (n+1)-partite key agreement [BonehSilverberg ‘03]:
Party i generates level-0 encoding of ai, and broadcasts
level-1 encoding of ai.
 Each party separately computes K = e(g1, …, g1) a1…an+1.

Big Application: Predicate Encryption
for Circuits


Let F(x,y) be an arbitrarily complex boolean
predicate function, computable in time Tf.
There is a boolean circuit C(x,y) of size O(Tf log Tf)
that computes F.
 Circuits

have (say) AND, OR, and NOT gates
Using a O(|C|)-linear map, we can construct a
predicate encryption scheme for F whose
performance is O(|C|) group operations.
 [Garg-Gentry-Halevi-2012,
Sahai-Waters-2012]
Multilinear Maps: Do They Exist?

Boneh and Silverberg say it’s unlikely cryptographic
m-maps can be constructed from abelian varieties:
 “We
also give evidence that such maps might have to
either come from outside the realm of algebraic
geometry, or occur as ‘unnatural’ computable maps
arising from geometry.”
Whirlwind Tour of Lattice Crypto
Focusing on NTRU and Homomorphic Encryption
Lattices, and “Hard” Problems
0
A lattice is just an additive subgroup of Rn.
Lattices, and “Hard” Problems
v2’
v2
0
v1’
v1
In other words, any rank-n lattice L consists of all integer
linear combinations of a rank-n set of basis vectors.
Lattices, and “Hard” Problems
v2’
v2
0
v1’
v1
Given some basis of L, it may be hard to find a good basis of
L, to solve the (approximate) shortest/closest vector problems.
Lattice Reduction


[Lenstra,Lenstra,Lovász ‘82]: Given a rank-n lattice L,
the LLL algorithm runs in time poly(n) and outputs a
2n-approximation of the shortest vector in L.
[Schnorr’93]: Roughly, it 2k-approximates SVP in 2n/k
time.
NTRU [HPS98]

Parameters:

Integers N, p, q with p « q, gcd(p,q)=1.



(Example: N=257, q=127, p=3.)
Polynomial rings R = Z[x]/(xN-1), Rp = R/pR, and Rq = R/qR.
Secret key sk: Polynomials f, g 2 R, where:


f and g are “small”. Their coefficients are « q.
f = 1 mod p and g = 0 mod p.

Public key pk: Set h ← g/f 2 Rq.

Encrypt(pk, m2Rp with coefficients in (-p/2,p/2)):



Sample random “small” r from R.
Ciphertext c ← m + rh.
Decrypt(sk, c): Set e ← fc = fm+rg. Output m ← (e mod p).
NTRU: Where are the Lattices?
h = g/f 2 Rq
→ f(x)∙h(x) - q∙c(x) = g(x) mod (xN-1)
1
0
0
h0
h1
hN-1
f1
0
1
0
hN-1
h0
hN-2
fN-1
0
0
1
h1
h2
h0
c0
0
0
0
q
0
0
c1
0
0
0
0
q
0
0
0
0
0
0
q
f0
f1
g0
g1
…
f0
…
cN-1
… fN-1
…
gN-1
NTRU Security


NTRU can be broken via lattice reduction (eventually)
NTRU is semantically secure if ratios g/f 2 Rq of
“small” elements are hard to distinguish from random
elements of Rq.
NTRU

Parameters:

Integers N, p, q with p « q, gcd(p,q)=1.



(Example: N=257, q=127, p=3.)
Polynomial rings R = Z[x]/(xN-1), Rp = R/pR, and Rq = R/qR.
Secret key sk: Polynomials f, g 2 R, where:


f and g are “small”. Their coefficients are « q.
f = 1 mod p and g = 0 mod p.

Public key pk: Set h ← g/f 2 Rq.

Encrypt(pk, m2Rp with coefficients in (-p/2,p/2)):



Sample random “small” r from R.
Ciphertext c ← m + rh.
Decrypt(sk, c): Set e ← fc = fm+rg. Output m ← (e mod p).
NTRU

Parameters:

Integers N, p, q with p « q, gcd(p,q)=1.



(Example: N=512, q=127, p=3.)
Polynomial rings R = Z[x]/(ΦN(x)), Rp = R/pR, and Rq = R/qR.
Secret key sk: Polynomials f, g 2 R, where:


f and g are “small”. Their coefficients are « q.
f = 1 mod p and g = 0 mod p.

Public key pk: Set h ← g/f 2 Rq.

Encrypt(pk, m2Rp with coefficients in (-p/2,p/2)):



Sample random “small” r from R.
Ciphertext c ← m + rh.
Decrypt(sk, c): Set e ← fc = fm+rg. Output m ← (e mod p).
NTRU

Parameters:

Integers N, q. “Small” p 2 R, with ideal I = (p) relative prime to (q).



(Example: N=512, q=127)
Polynomial rings R = Z[x]/(ΦN(x)), Rp = R/I, and Rq = R/qR.
Secret key sk: Polynomials f, g 2 R, where:


f and g are “small”. Their coefficients are « q.
f 2 1+I and g 2 I. (g is a small multiple of p.)

Public key pk: Set h ← g/f 2 Rq.

Encrypt(pk, m2Rp with small coefficients):



Sample random “small” r from R.
Ciphertext c ← m + rh.
Decrypt(sk, c): Set e ← fc = fm+rg. Output m ← (e mod I).
NTRU

Parameters:

Integers N, q. “Small” p 2 R, with ideal I = (p) relative prime to (q).



(Example: N=512, q=127)
Polynomial rings R = Z[x]/(ΦN(x)), Rp = R/I, and Rq = R/qR.
Secret key sk: Polynomials f, g 2 R, where:


f and g are “small”. Their coefficients are « q.
f 2 1+I and g 2 I. (g is a small multiple of p.)

Public key pk: Set h0 ← g/f 2 Rq and h1 ← f/f 2 Rq.

Encrypt(pk, m2Rp with small coefficients):



Sample random “small” r from R.
Ciphertext c ← mh1 + rh0.
Decrypt(sk, c): Set e ← fc = fm+rg. Output m ← (e mod I).
NTRU

Parameters:

Integers N, q. “Small” p 2 R, with ideal I = (p) relative prime to (q).



(Example: N=512, q=127)
Polynomial rings R = Z[x]/(ΦN(x)), Rp = R/I, and Rq = R/qR.
Secret key sk: Random z 2 Rq. Polynomials f, g 2 R, where:


f and g are “small”. Their coefficients are « q.
f 2 1+I and g 2 I. (g is a small multiple of p.)

Public key pk: Set h0 ← g/z 2 Rq and h1 ← f/z 2 Rq.

Encrypt(pk, m2Rp with small coefficients):



Sample random “small” r from R.
Ciphertext c ← mh1 + rh0.
Decrypt(sk, c): Set e ← zc = fm+rg. Output m ← (e mod I).
NTRU
NTRU Summary
A ciphertext that encrypts m 2 Rp has the form e/z 2 Rq,
where e is “small” (coefficients « q) and e 2 m+I.
To decrypt, multiply z to get e. Then reduce e mod I.
The public key contains encryptions of 0 and 1 (h0 and h1).
To encrypt m, multiply m with h1 and add “random” encryption of 0.
NTRU: Additive Homomorphism

Given: Ciphertexts c1, c2 that encrypt m1, m2 2 Rp.
 ci

= ei/z 2 Rq where ei is small and ei = mi mod p.
Claim: Set c = c1+c2 2 Rq and m = m1+m2 2 Rp.
Then c encrypts m.
c
= (e1+e2)/z where e1+e2=m mod p and e1+e2 is
“sort of small”. It works if |ei| « q.
NTRU: Multiplicative Homomorphism

Given: Ciphertexts c1, c2 that encrypt m1, m2 2 Rp.
 ci

= ei/z 2 Rq where ei is small and ei = mi mod p.
Claim: Set c = c1∙c2 2 Rq and m = m1∙m2 2 Rp.
Then c encrypts m under z2 (rather than under z).
= (e1∙e2)/z2 where e1∙e2=m mod p and e1∙e2 is
“sort of small”. It works if |ei| « √q.
c
NTRU: Any Homogeneous Polynomial

Given: Ciphertexts c1, …, ct encrypting m1,…, mt.
 ci

= ei/z 2 Rq where ei is small and ei = mi mod p.
Claim: Let f be a degree-d homogeneous poly.
Set c = f(c1, …, ct) 2 Rq and m = f(m1, …, mt) 2 Rp.
Then c encrypts m under zd.
= f(e1, …, et)/zd where f(e1, …, et)=m mod p and
f(e1, …, et) is “sort of small”. It works if |ei| « q1/d.
c
Homomorphic Encryption
The special sauce! For security
parameter k, Eval’s running
should be Time(f)∙poly(λ)
“I want 1) the cloud to process my data
2) even though it is encrypted.
Run
Eval[ f, Enck(x) ]
= Enck[f(x)]
Enck(x)
function f
This could be
encrypted too.
Alice
(Input: data x, key k)
f(x)
Enck[f(x)]
Server
(Cloud)
Delegation: Should cost less for
Alice to encrypt x and decrypt f(x)
than to compute f(x) herself.
Homomorphic Encryption from NTRU
Homorphic NTRU Summary
A level-d encryption of m 2 Rp has the form e/zd 2 Rq,
where e is “small” (coefficients « q) and e 2 m+I.
Given level-1 encryptions c1, …, ct of m1, …, mt, we can
“homomorphically” compute a level-d encryption of f(m1, …, mt) for
any degree-d polynomial f, if the initial ei’s are small enough.
The “noise” – i.e., size of the numerator – grows exp. with degree.
Noise control techniques: bootstrapping [Gen09], modulus reduction [BV12,BGV12].
Big open problem: Fast reusable way to contain the noise.
“Noisy” Multilinear Maps
(Similar to NTRU-Based HE, but with Equality Testing)
Adding an Equality Test



Given level-d encodings c1 = e1/zd and c2 = e2/zd, how
do we test whether they encode the same m?
Fact: If they encode same thing, then e1-e2 2 I.
Moreover, (e1-e2)/p is a “small” polynomial.
Zero-Testing parameter:
aZT = b∙zd/p for “somewhat small b”
 Multiply the zero-testing parameter with (c1-c2).
 aZT(c1-c2) = b(e1-e2)/p has coefficients < q.


If c1 and c2 encode different things, the denominator p ensures
that the result does not have small coefficients.
Example Application: (n+1)-partite DH

Parameters:

Rings R = Z[x]/(ΦN(x)), Rp = R/I, and Rq = R/qR, where p is
“small” and I = (p) relative prime to (q).


We don’t give out p.
Level-1 encodings h0, h1 of 0 and 1.
 hi

= ei/z, where ei = i mod I and is “small”.
Party i samples a random level-0 encoding ai.
Samples “small” ai 2 R via Gaussian distribution
 The coset of ai in Rp will be statistically uniform.



Party i sends level-1 encoding of ai: aih1+rih0 2 Rq.
Each party computes level-n encoding of a1∙∙∙an+1.

Note: Noisiness of encoding is exponential in n.
Example Application: (n+1)-partite DH

Each party i has a level-n ei/zn encoding of a1∙∙∙an+1.

Party i sets Ki’ = azt (ei/zn), and key Ki = MSBs(Ki’).

Claim: Each party computes the same key.
– Kj’ = azt (ei-ej)/zn = b(ei-ej)/p
 But ei, ej are “small” and both are in a1∙∙∙an+1+I.
 Ki ’
 So,
 So,
(ei-ej)/p is some “small” polynomial Eij. Ki’–Kj’ = b∙Eij, small.
Ki’-Kj’ have the same most significant bits, with high
probability.
Big Application: Predicate Encryption
for Arbitrarily Complex Functions

Our “noisy” n-multilinear map permits predicate
encryption for circuits of size up to n-1.
 Noisiness
that is ok.
of encodings grows exponentially with n, but
Cryptanalysis: “Trivial” Attacks
For example, can an eavesdropper “trivially”
generate a level-n encoding of a (n+1)-partite
Diffie-Hellman key?
Trivial “Attacks”

Eavesdropper in (n+1)-partite DH gets:
 Parameters:
 Level-1
encodings h0, h1 of 0 and 1. hi = ei/z, where ei = i
mod I and is “small”.
 Zero-testing parameter: azt = bzn/p.
 Party

i’s constribution: level-1 encoding ci/z of ai.
Weighting of variables
 Set
w(ei) = w(z) = w(p) = w(ci) = 1 and w(b) = 1-n.
 w(ei/z) = 0. Weight of all terms above is 0.
Trivial “Attacks”

Straight-line program (SLP)
 Only
allowed to (iteratively) add, subtract, multiply, or
divide pairs of elements that it has already computed.
 A SLP that is given weight 0 terms can only compute more
weight 0 terms.
 The DH key is of the form K = e/zn, where e 2 a1∙∙∙an+1+I.
 The key cannot be expressed as a weight 0 term.
Cryptanalysis: Nontrivial Attacks
Algebraic and Lattice Attacks
Attack Landscape

All attacks on NTRU apply to our n-linear maps.

Additional attacks:
 The
principal ideal I = (p) is not hidden.
azt = bzn/p, h0 = e0/z and h1 = e1/z with e0 = c0p.
 The terms azt∙h0i∙ h1n-i = b∙c0i∙pi-1∙e1n-I likely generate the
ideal I.
 Recall
 An
attacker that finds a good basis of I can break our
scheme.
 There are better attacks on principal ideal lattices than
on general ideal lattices. (But still inefficient.)
Using a Good Basis of I


Player i’s DH contribution: a level-1 encoding of ai.
Easy to compute ai’s coset of I. (Notice: this is different
from finding a “small” representative of ai’s coset, a level0 encoding of ai.)
Compute level-(n-1) encodings of 1 and ai: e/zn-1, e’/zn-1.
 Multiply each of them with azt and h0 = c0p/z.




We get bec0 and be’c0.
Compute be’c0/bec0 = e’/e in Rp to get ai’s coset.
Spoofing Player i: If we have a good basis of I, player i’s
coset gives a level-0 encoding of ai. The attacker can
spoof player i.
Dimension-Halving for Principal Ideal
Lattices

[GS’02]: Given
a
basis of I = (u) for u(x) 2 R and
 u’s relative norm u(x)ū(x) in the index-2 subfield
Q(ζN+ ζN-1),
we can compute u(x) in poly-time.

Corollary: Set v(x) = u(x)/ū(x). We can compute v(x)
given a basis of J = (v).
 We
know v(x)’s relative norm equal 1.
Dimension-Halving for Principal Ideal
Lattices

Attack given a basis of I = (u):
 First,
compute v(x) = u(x)/ū(x).
 Given a basis {u(x)ri(x)} of I, multiply by 1+1/v(x) to get
a basis {(u(x)+ ū(x))ri(x)} of K = (u(x)+ū(x)) over R.
 Intersect K’s lattice with subring R’ = Z[ζN+ ζN-1] to get a
basis {(u(x)+ ū(x))si(x) : si(x) 2 R’} of K over R’.
 Apply lattice reduction to lattice {u(x)si(x) : si(x) 2 R’},
which has half the usual dimension.
Summary





We have a “noisy” cryptographic multilinear map
that can be used to construct, for example,
predicate encryption for arbitrarily complex circuits.
Construction is similar to NTRU-based homomorphic
encryption, but with an equality-testing parameter.
Security is based on somewhat stronger
computational assumptions than NTRU.
But more cryptanalysis needs to be done!
And more applications need to be found!
Thank You! Questions?


Getting rid of principal ideals?
Maybe present attacks and then say we can use
general ideals.
Obfuscation

Obfuscation:
I give the cloud an “encrypted” program E(P).
 For any input x, cloud can compute E(P)(x) = P(x).
 Cloud learns “nothing” about P, except {xi,P(xi)}.


Barak et al: “On the (Im)possibility of Obfuscating Programs”

Difference between obfuscation and FHE:

In FHE, cloud computes E(P(x)), and it can’t decrypt to get P(x).
Other Apps of Bilinear Maps: ABE

Attribute-Based Encryption for Simple Functions
[Sahai-Waters ‘05]: a generalization of IBE.
 Setup(1λ):
Authority generates MSK, MPK.
 KeyGen(MSK, attr2{0,1}s): Authority uses MSK to
generate a key SKattr for user who has attributes attr.
 Encrypt(MPK,policy2{0,1}s, m): Generate ciphertext CT
that can only be decrypted by SKattr’s such that attr
satisfies policy.
 Decrypt(SKattr,policy,CT): Decrypt if attr satisfies policy.
ABE schemes using bilinear maps are “weak”.
They can only enforce simple policies that can be described by low-depth circuits.
Predicate Encryption for Circuits:
Sketch of Sahai-Waters Construction


Picture of Yao garbled circuit
Mention that Yao GC is a predicate encryption
scheme, except that it doesn’t offer any resistance
against collusions, which is a serious shortcoming in
typical multi-user settings.
Predicate Encryption for Circuits:
Sketch of Sahai-Waters Construction

Now describe Sahai Waters as a gate-by-gate
garbling, where the value for ‘1’ is a function of the
encrypter’s randomness s, and randomness rw for
the wire that is embedded in the user’s key.
Semantic Security of NTRU
Download