New Developments in
FULLY HOMOMORPHIC ENCRYPTION
Vinod Vaikuntanathan
University of Toronto
Penn State Summer School on Cryptography
Outsourcing Computation
Powerful Server (“Cloud”)
Weak Client
Function
x
f(x)
f
Outsourcing Computation
It’s everywhere!
x
Function
x
search
query
f(x)
Search results
f
Google
search
Outsourcing Computation
It’s everywhere!
x
Function
x
medical
records
f(x)
f
analysis
risk factors
Outsourcing Computation
Two Problems:
Client
Cloud
 Privacy:
Cloud should not learn
anything about x
x
Function f
 Verifiability:
Cloud cannot cheat
(i.e., return incorrect answer
without being detected)
Outsourcing Computation – Privately
Knows
nothing of x.
Enc(x)
Function
x
f
Eval: f, Enc(x)  Enc(f(x))
homomorphic evaluation
Fully Homomorphic Encryption
[Rivest-Adleman-Dertouzos’78]
Knows
nothing of x.
Enc(x)
Function
x
f
Eval: f, Enc(x)  Enc(f(x))
homomorphic evaluation
Fully Homomorphic Encryption
[Rivest-Adleman-Dertouzos’78]
Knows
nothing of x.
Enc(x1),…,Enc(xn)
x1,…,xn
Function
(more generally)
Eval: f, Enc(x1),…,Enc(xn)  Enc(f(x1,…,xn))
homomorphic evaluation
f
Fully Homomorphic
Encryption
Most of this talk:
secret key
homomorphic schemes
[Rivest-Adleman-Dertouzos’78]
Knows
nothing of x.
sk
sk,, evk
pk, evk
evk, c = Encsk(x)
Function
x
f
y = Evalevk(f, c)
Privacy (semantic security [GM82]):
(evk, Enc(x))  (evk, Enc(0))
Compactness:
|y| = poly(|f(x)|, n)
Correctness:
Decsk(y)=f(x)
FHE 101: Add & Mult Are Universal
Arith. Circuit (+, ) over GF(2).
f(x1,x2,x3)=(x1+x2)∙x3
(+,) over GF(2)  Boolean (XOR,AND)
= Universal set
If we had:
• Eval(+, Enc(x1), Enc(x2))  Enc(x1+x2)
• Eval(, Enc(x1), Enc(x2))  Enc(x1∙x2)
then we are done.
x1
x2
Enc(x1)
Enc(x2)
x
3
Enc(x
3)
+
Enc(x1+x2)

Enc((x1+x2)∙x3)
Early History (1978-2009)
 Additively Homomorphic
[GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]
Goldwasser-Micali’82
Public key: N, y: non-square mod N
Secret key: factorization of N
Enc(0): r2 mod N,
Enc(1): y * r2 mod N
(Additively) homomorphic over Z2
Early History (1978-2009)
 Additively Homomorphic
[GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]
 Multiplicatively Homomorphic [ElG’85,…]
 Add + One Mult [BGN’05,GHV’09]
Gentry (2009)
FIRST Fully Homomorphic Encryption!
New Developments in FHE
►“Galactic” → Efficient
[BV11a, BV11b, BGV11, GHS11, LTV11, B12]
– asymptotic efficiency: nearly linear-time* algorithms
– practical efficiency: 3-4 orders of magnitude faster
compared to [Gen09, GH10]
*linear-time in the security parameter
New Developments in FHE
►“Galactic” → Efficient
[BV11a, BV11b, BGV11, GHS11, LTV11, B12]
► Strange assumptions → Mild assumptions
[BV11b, GH11, BGV11, B12]
– e.g., worst-case hardness of shortest vectors on
lattices
New Developments in FHE
►“Galactic” → Efficient
[BV11a, BV11b, BGV11, GHS11, LTV11, B12]
► Strange assumptions → Mild assumptions
[BV11b, GH11, BGV11, B12]
Best Known Theorem [BGV11]:
• (Leveled) fully homomorphic encryption (FHE),
assuming the worst-case hardness of shortest
vectors on lattices
*leveled = public key grows with the depth of the circuit for f
New Developments in FHE
►“Galactic” → Efficient
[BV11a, BV11b, BGV11, GHS11, LTV11, B12]
► Strange assumptions → Mild assumptions
[BV11b, GH11, BGV11, B12]
► Complex → Simple constructions/proofs
[BV11b, BGV11, LTV12, B12]
This talk is based on:
1. Zvika Brakerski, V.V., Efficient Fully
Homomorphic Encryption from Standard
Learning with Errors, FOCS 2011.
2. Zvika Brakerski, Craig Gentry, V.V., (Leveled)
Fully Homomorphic Encryption without
Bootstrapping, ITCS 2012.
3. Craig Gentry, Stanford Ph.D. Thesis, 2009.
How to Construct
an FHE Scheme
The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption
[Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]
C
d = ε log n
Evaluate Boolean circuits of depth d = ε log n *
EVAL
* (0 < ε < 1 is a constant, and n is the security parameter)
The Big Picture
“Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption * FHE
Homomorphic enough =
Can evaluate its own Dec Circuit (plus some)
msg
Dec
CT
C
sk
Decryption Circuit
EVAL
The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption
[Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]
Evaluate Boolean circuits of depth d = ε log n
SwHE = Homomorphic Enough?
NO, for all known constructions!
“Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption * FHE
The Big Picture
Problem:
Dec
C
Decryption Circuit
EVAL
Solution a. “Squash” the decryption circuit [Gen09]
Less general
– Relies on a new assumption: “sparse subset sum”
Solution b. Make EVAL larger [BV11b, simplified by BGV12]
– Fairly General, Needs no new assumptions
– Exponential improvement: Can eval nε depth circuits
Solution c. Use Special Properties of Dec. Circuit [GH11]
The Big Picture
“Somewhat Homomorphic” (SwHE) Encryption
[Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]
Evaluate Boolean circuits of depth d = ε log n
“Modulus Reduction” [BV11b, simplified by BGV12]
Evaluate Boolean circuits of depth d = nε
“Bootstrapping” Theorem [Gen09] (Qualitative)
“Homomorphic enough” Encryption  FHE
IDEA 1: “Somewhat Homomorphic” Encryption
(Evaluate Boolean circuits of depth d = ε log n)
IDEA 3: “Modulus Reduction”
(Evaluate Boolean circuits of depth d = nε)
d-Leveled FHE: Given any d, set n = d1/ε
IDEA 2: “Bootstrapping”
(FHE: Evaluate any poly(n)-size Boolean circuit)
Many Instantiations
All based on Integer Lattices (Ajtai’96)
 Ideal Lattices
BUT: you don’t need to
know what lattices are
DGHV’10 (based on Ajtai-Dwork’97, Regev’04)
for this talk!
– Gentry’09 (based on Goldreich-Goldwasser-Halevi’98)
–
– BV’11a (based on Lyubaskevsky-Peikert-Regev’10)
– LTV’11 (based on NTRU:Hofstein-Pipher-Silverman’96)
 Surprisingly, Arbitrary Lattices [BV’11b]
– Lattices (like vector spaces) have no native mult
Learning With Errors (LWE)
[Regev05, following BFKL93, Ale03]
Learning With Errors (LWE)
[Regev05, following BFKL93, Ale03]
LWEn,q,B : For random secret s  Zqn
O rand
Os
( a1 , b1 = a1 , s + e1 )
( a2 “noisy”
, b2 =random
a2 , linear
s +equation
e2 )
Uniformly
“Small” error
… |e1| < B
random in Zqn
( am , bm =am , s + em )

( a1 , u1 )
( a2random
, u2 )in Z
…
( am , um)
q
Learning With Errors (LWE)
[Regev05, following BFKL93, Ale03]
LWEn,q,B : For random secret s  Zqn, and any m=poly(n),
Os
( ai , bi = ai , s + ei )
m

O rand
m
( ai , ui )
i=1
Worst-Case Connection ([R05, P09]):
Qualitative: Solve LWE (on average) 
Short-vector approximation on lattices (in the worst-case)
Quantitative: Solve LWEn,q,B  O(nq/B)-approx shortest
vector on lattices
i=1
Learning With Errors (LWE)
[Regev05, following BFKL93, Ale03]
LWEn,q,B : For random secret s  Zqn, and any m=poly(n),
Os
( ai , bi = ai , s + ei )
m

O rand
m
( ai , ui )
i=1
i=1
Worst-Case Connection ([R05, P09]):
Solve LWEn,q,B  O(nq/B)-approx shortest vector
1. SCALE INVARIANCE: hardness depends only on ratio between q and B
2. OUR PARAMETERS: We will set q = nO(log n) and B = poly(n). Best
known algorithm for LWE with these parameters runs in 2Otilde(n) time.
Learning With Errors (LWE)
[Regev05, following BFKL93, Ale03]
LWEn,q,B : For random secret s  Zqn, and any m=poly(n),
Os
( ai , bi = ai , s + ei )
m

O rand
m
( ai , ui )
i=1
i=1
Facts:
 LWE (with short secret s) = LWE [ACPS09,GKPV10]
 LWE with short even error (2e) = LWE with short error e
Secret-key Encryption from LWE
(omitting public-key encryption)
• KeyGen:
– Sample random “short” vector t  Zqn and set sk = t
Secret-key Encryption from LWE
(omitting public-key encryption)
• KeyGen:
– Sample random “short” vector t  Zqn and set sk = t
• Bit Encryption Encsk(m):
– Sample uniformly random a  Zqn, “short” noise e  Zq
– The ciphertext CT = (a, b = a, t + 2e + m)  Zqn X Zq
Semantic Security from LWE
Secret-key Encryption from LWE
(omitting public-key encryption)
• KeyGen:
– Sample random “short” vector t  Zqn and set sk = t
• Bit Encryption Encsk(m):
– Sample uniformly random a  Zqn, “short” noise e  Zq
– The ciphertext CT = (a, b = a, t + 2e + m)  Zqn X Zq
• Decryption Decsk(CT): Output (b − a, t mod q) mod 2.
– Correctness: b − a, t mod q = 2e + m mod q = 2e + m
(as long as |2e+m| < q/2)
Additive Homomorphism
CT = (a ,b)
b − a, t = 2e + m
CT’ = (a’, b’)
b’ − a’, t = 2e’ + m’
Look at Ciphertexts through the Decryption Lens
Additive Homomorphism
CT = (a ,b)
CT’ = (a’, b’)
Let c = (a ,b) and s = (-t, 1)
Let c’ = (a’ ,b’) and s = (-t, 1)
b c,
− a,
st= =2e2e+ +mm
b’ c’,
− a’,
s t= =2e’
2e’+ +m’m’
Additive Homomorphism
CT = c
CT’ = c’
c, s = 2e + m
c’, s = 2e’ + m’
Claim: cadd = c+c’
Proof:
c, s = 2e + m
+
c’, s = 2e’ + m’
c+c’, s = 2(e+e’) + (m+m’)
Cadd
E
 Decs(cadd) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)
Multiplicative Homomorphism
CT = c
c, s = 2e + m
CT’ = c’
c’, s = 2e’ + m’
Claim: cmult = ?
X
c, s = 2e + m
c’, s = 2e’ + m’
c, s ∙ c’, s = (2e+m) ∙ (2e’+m’)
Multiplicative Homomorphism
CT = c
c, s = 2e + m
CT’ = c’
c’, s = 2e’ + m’
Claim: cmult = ?
X
c, s = 2e + m
c’, s = 2e’ + m’
c, s ∙ c’, s = mm’ + 2(em’+e’m+2ee’)
E
Quadratic equation in the variables s[i]
Multiplicative Homomorphism
CT = c
c, s = 2e + m
CT’ = c’
c’, s = 2e’ + m’
Claim: cmult = ?
Tensor Product:
X
c, s = 2e + m
= 2e’ + m’
• c  c’ = (c[1]∙c’[1], c’,
…, s
c[i]∙c’[j],…,
c[n+1]∙c’[n+1])
c in
 (n+1)
c’, s 
s →
= mm’
• c, c’ live
dim
c  +c’2(em’+e’m+2ee’)
lives in (n+1)2-dim
• KEY FACT: c, s ∙ c’, s = c  c’, sE s
Multiplicative Homomorphism
Problem: Ciphertext
CT’ = c’
size blows up!
c, s = 2e + m
c’, s = 2e’ + m’
(Zqn+1 → Zq(n+1)^2)
CT = c
Claim: cmult = c c’
X
c, s = 2e + m
c’, s = 2e’ + m’
c  c’, s  s = mm’ + 2(em’+e’m+2ee’)
E
 Dec(s  s, cmult) = 2E + mm’ (mod 2) = mm’ (mod 2)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s that represents these quadratic func.
or, of new secret s’
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk :
i,j. Enct’ ( s[ i ]s[ j ] )
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk : sample Ai,j , Ei,j
i,j.
(Ai,j , Bi,j = Ai,j , t’ + 2Ei,j + s[ i ]s[ j ])
LWE 
Security still
holds.
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk : sample Ai,j , Ei,j
i,j.
Bi,j − Ai,j , t’ = 2Ei,j + s[ i ]s[ j ]
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk :
i,j.
Ci,j , s’
≈
s[ i ]s[ j ]
(denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
back into quadratic
New Plug
Technique
[BV’11b]equation:
: Relinearization
Find linear functions of s’ that represent these quadratic func.
c
mult[i,j]
New KeyGen:
∙ Ci,j , s’

≈ mm’+2*Error
Linear in s’.
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk :
i,j.
Ci,j , s’
Linear fn
(in s’)
≈
s[ i ]s[ j ]
Quadratic fn
(in s)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
Plug back into quadratic equation:
c
mult[i,j]
∙ Ci,j , s’

≈ mm’+2*Error
Linear in s’.
Homomorphic Mult:
1. First compute cmult = c c’
2. Compute and output
 cmult[i,j] ∙ Ci,j
(where Ci,j are from the evaluation key)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
PROBLEM: cmult has large entries
i,j.
Ci,j , s’
≈
Linear fn
(in s’)
s[ i ]s[ j ]
Quadratic fn
(in s)
BUT
cmult .Ci,j , s’
≈
cmult . s[ i ]s[ j ]
SOLUTION: Binary Decomposition Trick
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk :
i,j. k in [0… log q]:
Enct’ ( 2k s[ i ]s[ j ] )
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk : sample Ai,j,k , Ei,j,k
i,j.
(Ai,j,k , Bi,j,k = Ai,j,k , t’ + 2Ei,j,k + 2k s[ i ]s[ j ])
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
New Technique [BV’11b]: Relinearization
Find linear functions of s’ that represent these quadratic func.
New KeyGen:
• Sample t,t’Zqn and set sk = (t,t’).
• Evaluation key evk :
i,j.
Ci,j,k , s’
≈
2k s[ i ]s[ j ]
(denoting s’ = (-t’, 1) and Ci,j = (Ai,j, Bi,j) as before)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
back into quadratic
New Plug
Technique
[BV’11b]equation:
: Relinearization
Let cmult[i,j,k]
be the
bit of cmultthese
[i,j]
Find linear functions
of s’
thatkth
represent
quadratic func.
  cmult[i,j,k] ∙ Ci,j,k , s’  ≈ mm’+2*Error
New KeyGen:
s’.
• Sample t,t’Zqn and setLinear
sk = in(t,t’).
• Evaluation key evk :
i,j.
Ci,j,k , s’
Linear fn
(in s’)
≈
2k s[ i ]s[ j ]
Quadratic fn
(in s)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
back into quadratic
New Plug
Technique
[BV’11b]equation:
: Relinearization
Let cmult[i,j,k]
be the
bit of cmultthese
[i,j]
Find linear functions
of s’
thatkth
represent
quadratic func.
  cmult[i,j,k] ∙ Ci,j,k , s’  = mm’+2*Error+2*Errorrelin
New KeyGen:
2 . log q . B)
Errorset
= O(n
• Sample t,t’Zqn and
= (t,t’).
relin sk
• Evaluation key evk :
i,j.
Ci,j,k , s’
Linear fn
(in s’)
≈
2k s[ i ]s[ j ]
Quadratic fn
(in s)
Multiplicative Homomorphism
cmult, s  s = 2E + mm’
Plug back into quadratic equation:
c
mult[i,j,k]
∙ Ci,j ,k , s’

≈ mm’+2*Error
Linear in s’.
Homomorphic Mult:
1. First compute cmult = c c’
2. Compute and output
 cmult[i,j,k] ∙ Ci,j,k
(where Ci,j,k are from the evaluation key)
The Reservoir Analogy
(How homomorphic is this?)
noise=q/2
Additive Homomorphism: ξ → 2 ξ
Mult. Homomorphism: ξ → ξ2 + n2B log q
AFTER d LEVELS:
~ ξ2
noise B →
(worst case)
2ξ
initial noise= ξ
noise=0
Correctness
Breaking = Solving 2n^εapprox. shortest vectors
[Reg05,LPR10]
The Reservoir Analogy
(How homomorphic is this?)
noise=q/2
Additive Homomorphism: ξ → 2 ξ
Mult. Homomorphism: ξ → ξ2 + n2B log q
AFTER d LEVELS:
~ ξ2
initial noise= ξ
noise=0
noise B →
(worst case)
Wrap Up: Somewhat Homomorphism
“Somewhat Homomorphic” (SwHE) Encryption
[BV11b]
Evaluate Boolean circuits of mult. depth D = ε log n
EVK = (evk1,…,evkD), where D is the max mult depth
SK = (sk1,…,skD)
Mult depth D
Enc(skD, C(x))
C
Enc(sk1, x)
Decrypt using skD
Each Mult Level:
Tensor and Relinearize
Encrypt using sk1
Wrap Up: Somewhat Homomorphism
“Somewhat Homomorphic” (SwHE) Encryption
[BV11b]
Evaluate Boolean circuits of mult. depth D = ε log n
– a number of other SwHE schemes:
[DGHV10,SV10,BV11a,LTV12]
– [DGHV10]: based on hardness of approximate gcd
– [SV10]: principal ideal problem
– [BV11a]: Ring LWE
– [LTV12]: NTRU
IDEA 1: “Somewhat Homomorphic” Encryption
(Evaluate Boolean circuits of depth d = ε log n)
IDEA 3: “Modulus Reduction”
(Evaluate Boolean circuits of depth d = nε)
d-Leveled FHE: Given any d, set n = d1/ε
IDEA 2: “Bootstrapping”
(“homomorphic enough” to fully homomorphic)
Bootstrapping
Bootstrapping Theorem [Gen09] (Quantitative)
d-HE with decryption depth < d * FHE
Homomorphic Encryption
for any depth d circuit
Bootstrapping
Bootstrapping Theorem [Gen09] (Quantitative)
“Homomorphic
enough”
Encryption
 FHE
d-HE with decryption
depth
< d * FHE
Bootstrapping = “Valve” at a fixed height
(that depends on decryption depth)
noise=q/2
Say n(Bdec)2 < q/2
noise=Bdec
noise=0
Bootstrapping
Bootstrapping Theorem [Gen09] (Quantitative)
“Homomorphic
enough”
Encryption
 FHE
d-HE with decryption
depth
< d * FHE
Bootstrapping = “Valve” at a fixed height
(that depends on decryption depth)
noise=q/2
Say (Bdec)2 < q/2
noise=Bdec
noise=0
Bootstrapping: How
But the evaluator
have SK!
“Best Possible”does
Noisenot
Reduction
= Decryption!
“Noiseless ciphertext”
m
Dec
“Very Noisy” ciphertext
CT
SK
Decryption Circuit
Bootstrapping, Concretely
Next Best = Homomorphic Decryption!
*
Assume Enc(SK) is public.
(OK assuming the scheme is “circular secure”)
EncSK(m)
Noise = Bdec
Bdec Independent of Binput
Dec
Noise = Binput
CT
EncSK(SK)
Wrap Up: Bootstrapping
Function f
Assume Circular Security:
Eval key contains EncSK(SK)
g
Wrap Up: Bootstrapping
Function f
Assume Circular Security:
Eval key contains EncSK(SK)
g
Each Gate g → Gadget G:
g(a,b)
g
a
g(a,b)
g
a
b
Dec
Dec
b
ca
sk
cb
sk
Wrap Up: Bootstrapping
Function f
Assume Circular Security:
Eval key contains EncSK(SK)
g
Each Gate g → Gadget G:
Enc(g(a,b))
g
g(a,b)
g
a
Dec
Dec
b
ca Enc(SK) cb
Enc(SK)
Wrap Up: Bootstrapping
Bootstrapping Theorem [Gen09] (Quantitative)
circular-secure d-HE with dec. depth < d  FHE
– publish EncPK(SK)
d-HE with decryption depth < d  (leveled) FHE
– publish EncPK2(SK1), EncPK3(SK2),…, EncPKd(SKd-1)
SwHE = Homomorphic Enough?
Decryption Circuit:
• Compute lsb(<SK,C> mod q)
= inner products mod q mod 2.
Homomorphisms:
• Our scheme is homomorphic over GF(2).
• Can handle multiplicative depth = ε log n < log n
Write inner product mod q as a GF(2)-arithmetic circuit?
• Seems to need (multiplicative) depth ≥ log n
• Can be done in depth polylog(n)
IDEA 1: “Somewhat Homomorphic” Encryption
(Evaluate Boolean circuits of depth d = ε log n)
IDEA 2: “Modulus Reduction”
(Evaluate Boolean circuits of depth d = nε)
IDEA 3: “Bootstrapping”
(“Homomorphic Enough” SwHE → FHE)
Modulus Reduction
Modulus Reduction Theorem [BV11b,BGV12]
SwHE
“Homomorphic
that evaluatesenough”
BooleanEncryption
circuits of depth
 FHE
d = nε
(under the same assumption as before)
Corollary: For every depth d, set the security parameter
n=d1/ε to get a d-leveled FHE.
Corollary: modulus reduction + bootstrapping = FHE
(assuming circular security)
Modulus Reduction
Modulus Reduction Theorem [BV11b,BGV12]
SwHE
“Homomorphic
that evaluatesenough”
BooleanEncryption
circuits of depth
 FHE
d = nε
CT
CT’
q=B10
q’=B3
noise=B8
Wishful thinking
NO MULT
noise’=B
noise’=B+p(n)
ONE MULT
Shrink Noise and Noise Ceiling by same factor
Modulus Reduction
Can we do this?
– Cannot arbitrarily reduce noise (because of the p(n) factor)
– Hardness depends only on q/B.
q=B10
q’=B3
noise=B8
Wishful thinking
noise’=B+p(n)
Modulus Reduction
LEVELi → LEVELi+1:
q
Homomorphism: (q, ξ) → (q, ≈ ξ2)
Modulus Reduction: (q, ξ2) → (q/ξ, ξ)
q/ξ
AFTER d LEVELS:
ξ2
(q, B) → (q/(nB log q)O(d), B)
Final
initial noise=
noise= ξξ
noise=0
d ≤ log q/log (nB)
≤ nε/log n
Modulus Reduction: Details
Modulus Reduction Algorithm [BV11b,BGV12]
Transform
“Homomorphic
a (q,B2) ciphertext
enough” Encryption
into a (q’ ≈ q/nB,
 FHE
B) one
Modulus Reduction Algorithm:
Let c be a ciphertext s.t.
c, s = 2e + m (mod q)
• Compute (q’/q) c
• Round to the closest integer
vector c’ such that c’=c mod 2
Assume that the secret key s
has entries bounded by B.
(ok by fact 2)
Modulus Reduction: Details
Modulus Reduction Algorithm:
Let c be a ciphertext s.t.
c, s = 2e + m (mod q)
Proof:
• Compute (q’/q) c
• Round to the closest integer
vector c’ such that c’=c mod 2
c, s = 2e + m + qZ
(original dec eqn)
q’/q c, s = (q’/q)* (2e + m) + q’Z
(scaled)
c’, s = (q’/q)* (2e + m) + Eround (mod q’)
• New Error = q’/q * (Old Error) + (Eround ≤ Bn), as promised!
• c’ decrypts to m, since c’=c mod 2, and c’, s=c, s mod 2
Putting Together: Leveled FHE
EVK = (evk1,…,evkD), where D is the max mult depth
SK = (sk1,…,skD)
Mult depth D
Enc(skD, C(x))
C
Enc(sk1, x)
Decrypt using skD
Each Mult Level:
1) Tensor ,
2) Relinearize using evki,
3) Reduce modulus
Encrypt using sk1
This works for depth D ≤ nε
Putting Together: Leveled FHE
EVK = (evk1,…,evkD), where D is the max mult depth
SK = (sk1,…,skD)
Mult depth D
Enc(skD, C(x))
C
Enc(sk1, x)
Decrypt using skD
Each Mult Level:
1) Tensor ,
2) Relinearize using evki,
3) Reduce modulus
Encrypt using sk1
Bootstrapping + Circular Security => FHE.
Putting Everything Together
IDEA 1: “Somewhat Homomorphic” Encryption
(Evaluate Boolean circuits of depth d = ε log n)
IDEA 2: “Modulus Reduction”
(Evaluate Boolean circuits of depth d = nε)
(this is “homomorphic enough”)
IDEA 3: “Bootstrapping”
(“Homomorphic Enough” SwHE → FHE)
(assuming “circular security”)
A Simpler Alternative:
doing away with changing moduli
[Brakerski’12]
Fully Homomorphic Encryption
Open Problems
Circular Security
 Leveled FHE from “standard” assumptions
– e.g., the Learning with errors assumption
– Evaluate bounded depth circuits
– The size of CT and/or PK grows with the depth
 “Real” FHE: requires “bootstrapping”
*
Bootstrapping: Publish EncSK(SK).
(OK assuming the scheme is “circular secure”)
Circular Security
 “Real” FHE: requires “bootstrapping”
*
of bits
Bootstrapping: Publish the
Encencryptions
SK(SK).
of SK, namely EncSK(SK[1]),…, EncSK(SK[n])
(OK assuming
the scheme
is “circular
(OK assuming
the scheme
is “weakly
circular secure”)
Two definitions:
− Strong circular security: there is a simulator that,
given nothing, produces EncSK(SK).
− Weak circular security: the encryption scheme is
semantically secure given EncSK(SK).
Circular Security
 There are semantically secure schemes that
are NOT circular-secure.
– Proof: Simple Exercise.
 There are (even bit-wise) circular secure
encryption schemes
– [BHHO’08]: based on DDH
– [ACPS’09, BG’10, BHHI’10, …]
Circular Security
How about circular security for the FHE scheme?
− NEED: “safe to publish” lweEnc(s[i].s[j])
(encryptions of all quadratic monomials in the s[i])
− CAN PROVE: “safe to publish” lweEnc(s[i])
(encryptions of all linear monomials s[i])
Circular Security
− CAN PROVE: “safe to publish” lweEnc(s[i])
(encryptions of all linear monomials s[i])
(a, a, s + 2e + s[i] mod q)
=
(a, a, s + 2e + ui, s mod q)
ui : ith unit vector (0,…,1,…0)
Circular Security
− CAN PROVE: “safe to publish” lweEnc(s[i])
(encryptions of all linear monomials s[i])
(a, a, s + 2e + s[i] mod q)
=
(a, a+ui, s + 2e mod q)
≈
This can be generated efficiently
from an encryption of 0
(a’-ui, a’, s + 2e mod q)
Q:
“Real” FHE from Standard Assumptions?
1) Prove the circular security for quadratic monomials, or
2) Come up with an alternative to bootstrapping.
What we did not Cover…
• Efficient Constructions
– Build on the ring LWE variant of today’s scheme
– Gentry-Halevi-Smart series of works
– a number of algebraic optimizations
• Verifiability
– CS proofs [Kil92,Mic94]
– A number of recent works in various settings
[GKR08,GGP10,CKV10,AIK10,…]
– The central problem remains open
• Circuit Privacy
– [Gentry-Halevi-V’10]: “Circuit privacy for free” theorem
Conclusion
• FHE is not so complicated any more
– Well-defined guidelines for construction
– Under relatively standard security assumptions
• FHE is not so inefficient any more
– Case in point: Ring LWE, NTRU…
• LOTS of questions still to be answered …
– FHE without “Circular Security”
– FHE from number theory, general assumptions…
• NEW directions:
selective homomorphism, functional encryption,…
Thank You!