New Developments in Fully Homomorphic Encryption
Vinod Vaikuntanathan, University of Toronto
Penn State Summer School on Cryptography

Outsourcing Computation
A weak client holds an input x; a powerful server (the "cloud") holds a function f. The client sends x and the cloud returns f(x).

Outsourcing Computation: It's everywhere!
– Google search: x = search query, f(x) = search results
– Medical analysis: x = medical records, f(x) = risk factors

Outsourcing Computation: Two Problems
• Privacy: the cloud should not learn anything about x.
• Verifiability: the cloud cannot cheat (i.e., return an incorrect answer without being detected).

Outsourcing Computation Privately
The client sends Enc(x) instead of x. The cloud, knowing nothing of x, runs homomorphic evaluation:
  Eval: (f, Enc(x)) → Enc(f(x))
More generally: Eval: (f, Enc(x1), …, Enc(xn)) → Enc(f(x1, …, xn)).

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos'78]
Most of this talk: secret-key homomorphic schemes.
• Keys: sk and evk (pk and evk in the public-key setting)
• c = Enc_sk(x); y = Eval_evk(f, c)
• Privacy (semantic security [GM82]): (evk, Enc(x)) ≈ (evk, Enc(0))
• Compactness: |y| = poly(|f(x)|, n)
• Correctness: Dec_sk(y) = f(x)

FHE 101: Add & Mult Are Universal
Arithmetic circuits (+, ×) over GF(2), e.g. f(x1, x2, x3) = (x1 + x2) · x3.
(+, ×) over GF(2) = Boolean (XOR, AND) = a universal gate set.
If we had:
• Eval(+, Enc(x1), Enc(x2)) → Enc(x1 + x2)
• Eval(×, Enc(x1), Enc(x2)) → Enc(x1 · x2)
then we are done.
Example: from Enc(x1) and Enc(x2) compute Enc(x1 + x2); then, with Enc(x3), compute Enc((x1 + x2) · x3).

Early History (1978–2009)
• Additively homomorphic [GM'82, CF'85, AD'97, Pai'99, Reg'05, DJ'05, …]
  Goldwasser-Micali'82:
  – Public key: N and y, a non-square mod N; secret key: the factorization of N
  – Enc(0) = r^2 mod N, Enc(1) = y · r^2 mod N
  – (Additively) homomorphic over Z_2
• Multiplicatively homomorphic [ElG'85, …]
• Add + one mult [BGN'05, GHV'09]
• Gentry (2009): FIRST fully homomorphic encryption!

New Developments in FHE
► "Galactic" → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]
  – asymptotic efficiency: nearly linear-time* algorithms
  – practical efficiency: 3–4 orders of magnitude faster compared to [Gen09, GH10]
  (*linear-time in the security parameter)
► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12]
  – e.g., worst-case hardness of shortest vectors on lattices
  Best known theorem [BGV11]: (leveled*) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices.
  (*leveled = the public key grows with the depth of the circuit for f)
► Complex → Simple constructions/proofs [BV11b, BGV11, LTV12, B12]

This talk is based on:
1. Zvika Brakerski, V.V., Efficient Fully Homomorphic Encryption from Standard Learning with Errors, FOCS 2011.
2. Zvika Brakerski, Craig Gentry, V.V., (Leveled) Fully Homomorphic Encryption without Bootstrapping, ITCS 2012.
3. Craig Gentry, Stanford Ph.D. Thesis, 2009.
How to Construct an FHE Scheme: The Big Picture
• "Somewhat Homomorphic" (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, LTV11]: EVAL handles Boolean circuits of depth d = ε log n (0 < ε < 1 is a constant, and n is the security parameter).
• "Bootstrapping" Theorem [Gen09] (qualitative): "homomorphic enough" encryption ⇒* FHE.
  Homomorphic enough = can evaluate its own decryption circuit (plus some): EVAL(Dec, CT, sk) = msg.
• SwHE = homomorphic enough? NO, for all known constructions!

The Big Picture: the Problem
The decryption circuit Dec is deeper than what EVAL can handle. Solutions:
a. "Squash" the decryption circuit [Gen09]: less general; relies on a new assumption ("sparse subset sum").
b. Make EVAL larger [BV11b, simplified by BGV12]: fairly general, needs no new assumptions; exponential improvement: can evaluate n^ε-depth circuits.
c. Use special properties of the decryption circuit [GH11].

The Big Picture (roadmap)
• "Somewhat Homomorphic" (SwHE) Encryption [Gen09, DGHV10, SV10, BV11a, BV11b, LTV11]: evaluate Boolean circuits of depth d = ε log n
• "Modulus Reduction" [BV11b, simplified by BGV12]: evaluate Boolean circuits of depth d = n^ε
• "Bootstrapping" Theorem [Gen09] (qualitative): "homomorphic enough" encryption ⇒ FHE

IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n)
IDEA 3: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε)
  d-Leveled FHE: given any d, set n = d^{1/ε}
IDEA 2: "Bootstrapping" (FHE: evaluate any poly(n)-size Boolean circuit)

Many Instantiations
All based on integer lattices (Ajtai'96). BUT: you don't need to know what lattices are for this talk!
– DGHV'10 (based on Ajtai-Dwork'97, Regev'04)
• Ideal lattices:
– Gentry'09 (based on Goldreich-Goldwasser-Halevi'98)
– BV'11a (based on Lyubashevsky-Peikert-Regev'10)
– LTV'11 (based on NTRU: Hoffstein-Pipher-Silverman'96)
• Surprisingly, arbitrary lattices [BV'11b]
  – Lattices (like vector spaces) have no native mult

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]
LWE_{n,q,B}: for a random secret s ∈ Z_q^n, and any m = poly(n), the oracle O_s outputs "noisy" random linear equations
  (a_i, b_i = ⟨a_i, s⟩ + e_i), i = 1, …, m   (a_i uniformly random in Z_q^n, "small" error |e_i| < B)
and these are indistinguishable from the outputs of O_rand,
  (a_i, u_i), i = 1, …, m   (u_i uniformly random in Z_q).

Worst-Case Connection ([R05, P09]):
• Qualitative: solving LWE (on average) ⇒ short-vector approximation on lattices (in the worst case)
• Quantitative: solving LWE_{n,q,B} ⇒ O(nq/B)-approx shortest vector on lattices
1. SCALE INVARIANCE: hardness depends only on the ratio between q and B.
2. OUR PARAMETERS: we will set q = n^{O(log n)} and B = poly(n). The best known algorithm for LWE with these parameters runs in 2^{Õ(n)} time.
Facts:
• LWE (with short secret s) = LWE [ACPS09, GKPV10]
• LWE with short even error (2e) = LWE with short error e

Secret-key Encryption from LWE (omitting public-key encryption)
• KeyGen: sample a random "short" vector t ∈ Z_q^n and set sk = t.
• Bit encryption Enc_sk(m): sample uniformly random a ∈ Z_q^n and "short" noise e ∈ Z_q. The ciphertext is CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q.
  Semantic security follows from LWE.
• Decryption Dec_sk(CT): output (b − ⟨a, t⟩ mod q) mod 2.
  Correctness: b − ⟨a, t⟩ mod q = 2e + m mod q = 2e + m (as long as |2e + m| < q/2).

Additive Homomorphism
Look at ciphertexts through the decryption lens:
  CT = (a, b):    b − ⟨a, t⟩ = 2e + m
  CT' = (a', b'): b' − ⟨a', t⟩ = 2e' + m'
Let c = (a, b), c' = (a', b') and s = (−t, 1). Then
  ⟨c, s⟩ = 2e + m,  ⟨c', s⟩ = 2e' + m'.
Claim: c_add = c + c'.
Proof: ⟨c + c', s⟩ = ⟨c, s⟩ + ⟨c', s⟩ = 2(e + e') + (m + m') = 2E + (m + m'), so Dec_s(c_add) = 2E + (m + m') (mod 2) = m + m' (mod 2).

Multiplicative Homomorphism
  ⟨c, s⟩ = 2e + m,  ⟨c', s⟩ = 2e' + m'
Claim: c_mult = ?
  ⟨c, s⟩ · ⟨c', s⟩ = (2e + m) · (2e' + m')
  ⟨c, s⟩ · ⟨c', s⟩ = mm' + 2(em' + e'm + 2ee') = mm' + 2E
This is a quadratic equation in the variables s[i].

Tensor product: c ⊗ c' = (c[1]·c'[1], …, c[i]·c'[j], …, c[n+1]·c'[n+1]).
• c, c' live in (n+1) dimensions; c ⊗ c' lives in (n+1)^2 dimensions.
• KEY FACT: ⟨c, s⟩ · ⟨c', s⟩ = ⟨c ⊗ c', s ⊗ s⟩.
Claim: c_mult = c ⊗ c'.
  ⟨c ⊗ c', s ⊗ s⟩ = mm' + 2(em' + e'm + 2ee') = mm' + 2E, so Dec(s ⊗ s, c_mult) = 2E + mm' (mod 2) = mm' (mod 2).
Problem: the ciphertext size blows up! (Z_q^{n+1} → Z_q^{(n+1)^2})

New Technique [BV'11b]: Relinearization
We have ⟨c_mult, s ⊗ s⟩ = 2E + mm'. Find linear functions of s (or of a new secret s') that represent these quadratic functions.
New KeyGen:
• Sample t, t' ∈ Z_q^n and set sk = (t, t').
• Evaluation key evk: for all i, j, Enc_{t'}(s[i]s[j]). Concretely, sample A_{i,j}, E_{i,j} for all i, j and publish
  (A_{i,j}, B_{i,j} = ⟨A_{i,j}, t'⟩ + 2E_{i,j} + s[i]s[j]),
  so that B_{i,j} − ⟨A_{i,j}, t'⟩ = 2E_{i,j} + s[i]s[j]. LWE security still holds.
Denoting s' = (−t', 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before: ⟨C_{i,j}, s'⟩ ≈ s[i]s[j], i.e., a linear function (in s') approximates a quadratic function (in s).
Plug back into the quadratic equation:
  Σ_{i,j} c_mult[i,j] · ⟨C_{i,j}, s'⟩ ≈ mm' + 2·Error, which is linear in s'.
Homomorphic Mult:
1. First compute c_mult = c ⊗ c'.
2. Compute and output Σ_{i,j} c_mult[i,j] · C_{i,j} (where the C_{i,j} are from the evaluation key).

PROBLEM: c_mult has large entries. ⟨C_{i,j}, s'⟩ ≈ s[i]s[j] holds, BUT c_mult[i,j] · ⟨C_{i,j}, s'⟩ ≈ c_mult[i,j] · s[i]s[j] does not: the error 2E_{i,j} is multiplied by the large coefficient c_mult[i,j].
SOLUTION: Binary Decomposition Trick

New Technique [BV'11b]: Relinearization (with binary decomposition)
New KeyGen:
• Sample t, t' ∈ Z_q^n and set sk = (t, t').
• Evaluation key evk: for all i, j and k ∈ [0 … log q], Enc_{t'}(2^k s[i]s[j]). Concretely, sample A_{i,j,k}, E_{i,j,k} for all i, j, k and publish
  (A_{i,j,k}, B_{i,j,k} = ⟨A_{i,j,k}, t'⟩ + 2E_{i,j,k} + 2^k s[i]s[j]).
Denoting s' = (−t', 1) and C_{i,j,k} = (A_{i,j,k}, B_{i,j,k}) as before: ⟨C_{i,j,k}, s'⟩ ≈ 2^k s[i]s[j] (linear in s', approximating a quadratic function in s).
Plug back into the quadratic equation. Let c_mult[i,j,k] be the kth bit of c_mult[i,j]. Then
  Σ_{i,j,k} c_mult[i,j,k] · ⟨C_{i,j,k}, s'⟩ = mm' + 2·Error + 2·Error_relin, which is linear in s',
  where Error_relin = O(n^2 · log q · B).
Homomorphic Mult:
1. First compute c_mult = c ⊗ c'.
2. Compute and output Σ_{i,j,k} c_mult[i,j,k] · C_{i,j,k} (where the C_{i,j,k} are from the evaluation key).

The Reservoir Analogy (how homomorphic is this?)
Think of the noise as the water level in a reservoir: fresh ciphertexts start at the initial noise ξ (noise = B), and decryption fails once the level reaches q/2.
• Additive homomorphism: ξ → 2ξ
• Mult. homomorphism: ξ → ξ^2 + n^2 B log q
• AFTER d LEVELS (worst case): ~ ξ^{2^d}
Correctness holds while the level stays below q/2; breaking the scheme = solving 2^{n^ε}-approx. shortest vectors [Reg05, LPR10].

Wrap Up: Somewhat Homomorphism
"Somewhat Homomorphic" (SwHE) Encryption [BV11b]: evaluate Boolean circuits of mult.
depth D = ε log n.
• EVK = (evk_1, …, evk_D), where D is the max mult depth; SK = (sk_1, …, sk_D).
• Encrypt x using sk_1. Evaluate C level by level; each mult level: tensor and relinearize (moving from sk_i to sk_{i+1}). The output is Enc(sk_D, C(x)); decrypt using sk_D.
• A number of other SwHE schemes: [DGHV10, SV10, BV11a, LTV12]
  – [DGHV10]: based on hardness of approximate gcd
  – [SV10]: principal ideal problem
  – [BV11a]: Ring LWE
  – [LTV12]: NTRU

IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n)
IDEA 3: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε)
  d-Leveled FHE: given any d, set n = d^{1/ε}
IDEA 2: "Bootstrapping" ("homomorphic enough" to fully homomorphic)

Bootstrapping
Bootstrapping Theorem [Gen09] (quantitative): d-HE with decryption depth < d ⇒* FHE,
  where d-HE = homomorphic encryption for any depth-d circuit.
Bootstrapping = a "valve" at a fixed height (that depends on the decryption depth): the ceiling is noise = q/2, the valve sits at noise = B_dec, and we need (B_dec)^2 < q/2.

Bootstrapping: How?
"Best possible" noise reduction = decryption! Dec maps a "very noisy" ciphertext CT (and SK) to the "noiseless ciphertext" m. But the evaluator does not have SK!

Bootstrapping, Concretely
Next best = homomorphic decryption! * Assume Enc(SK) is public
(OK assuming the scheme is "circular secure").
Input: CT with noise B_input, and Enc_SK(SK). Homomorphically evaluate Dec. Output: Enc_SK(m) with noise B_dec, independent of B_input.

Wrap Up: Bootstrapping
Assume circular security: the eval key contains Enc_SK(SK).
Each gate g → gadget G: given c_a, c_b (encrypting a and b) and Enc(SK), homomorphically compute Dec(c_a, SK) = a and Dec(c_b, SK) = b, then g(a, b); the result is Enc(g(a, b)).
Bootstrapping Theorem [Gen09] (quantitative):
• circular-secure d-HE with dec. depth < d ⇒ FHE: publish Enc_PK(SK)
• d-HE with decryption depth < d ⇒ (leveled) FHE: publish Enc_PK2(SK1), Enc_PK3(SK2), …, Enc_PKd(SK_{d−1})

SwHE = Homomorphic Enough?
Decryption circuit: compute lsb(⟨SK, C⟩ mod q), i.e., an inner product mod q, then mod 2.
Homomorphisms: our scheme is homomorphic over GF(2) and can handle multiplicative depth = ε log n < log n.
Write the inner product mod q as a GF(2)-arithmetic circuit?
• Seems to need (multiplicative) depth ≥ log n
• Can be done in depth polylog(n)

IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n)
IDEA 2: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε)
IDEA 3: "Bootstrapping" ("homomorphic enough" SwHE → FHE)

Modulus Reduction
Modulus Reduction Theorem [BV11b, BGV12]: SwHE that evaluates Boolean circuits of depth d = n^ε (under the same assumption as before). This is "homomorphic enough" encryption, and hence yields FHE.
Corollary: for every depth d, set the security parameter n = d^{1/ε} to get a d-leveled FHE.
Corollary: modulus reduction + bootstrapping = FHE (assuming circular security).

Modulus Reduction: the idea
Wishful thinking: take CT under modulus q = B^10 with noise B^8 (NO MULT is possible, since squaring the noise would overflow q) and shrink it to CT' under modulus q' = B^3 with noise' = B (ONE MULT is now possible). In other words, shrink the noise and the noise ceiling by the same factor. What we actually get is noise' = B + p(n).
Can we do this?
– Cannot arbitrarily reduce the noise (because of the p(n) factor)
– Hardness depends only on q/B.

LEVEL_i → LEVEL_{i+1}:
• Homomorphism: (q, ξ) → (q, ≈ ξ^2)
• Modulus reduction: (q, ξ^2) → (q/ξ, ξ)
AFTER d LEVELS: (q, B) → (q/(nB log q)^{O(d)}, B); final noise = initial noise = ξ.
d ≤ log q / log(nB) ≤ n^ε / log n

Modulus Reduction: Details
Modulus Reduction Algorithm [BV11b, BGV12]: transform a (q, B^2) ciphertext into a (q' ≈ q/nB, B) one.
Let c be a ciphertext s.t. ⟨c, s⟩ = 2e + m (mod q).
• Compute (q'/q) · c
• Round to the closest integer vector c' such that c' = c mod 2
Assume that the secret key s has entries bounded by B (ok by fact 2).
Proof:
  ⟨c, s⟩ = 2e + m + qZ                         (original decryption equation)
  ⟨(q'/q) · c, s⟩ = (q'/q) · (2e + m) + q'Z     (scaled)
  ⟨c', s⟩ = (q'/q) · (2e + m) + E_round (mod q')
• New error = (q'/q) · (old error) + E_round, with E_round ≤ Bn, as promised!
• c' decrypts to m, since c' = c mod 2, and so ⟨c', s⟩ = ⟨c, s⟩ mod 2.

Putting Together: Leveled FHE
• EVK = (evk_1, …, evk_D), where D is the max mult depth; SK = (sk_1, …, sk_D).
• Encrypt x using sk_1. Each mult level: 1) tensor, 2) relinearize using evk_i, 3) reduce the modulus. The output is Enc(sk_D, C(x)); decrypt using sk_D.
• This works for depth D ≤ n^ε.
• Bootstrapping + circular security ⇒ FHE.

Putting Everything Together
IDEA 1: "Somewhat Homomorphic" Encryption (evaluate Boolean circuits of depth d = ε log n)
IDEA 2: "Modulus Reduction" (evaluate Boolean circuits of depth d = n^ε; this is "homomorphic enough")
IDEA 3: "Bootstrapping" ("homomorphic enough" SwHE → FHE, assuming "circular security")
A simpler alternative, doing away with changing moduli: [Brakerski'12].

Fully Homomorphic Encryption: Open Problems

Circular Security
• Leveled FHE from "standard" assumptions, e.g., the learning with errors assumption: evaluates bounded-depth circuits; the size of CT and/or PK grows with the depth.
• "Real" FHE requires "bootstrapping"*.
  *Bootstrapping: publish the encryptions of the bits of SK, namely Enc_SK(SK[1]), …, Enc_SK(SK[n]) (OK assuming the scheme is "weakly circular secure").
Two definitions:
− Strong circular security: there is a simulator that, given nothing, produces Enc_SK(SK).
− Weak circular security: the encryption scheme is semantically secure given Enc_SK(SK).
There are semantically secure schemes that are NOT circular secure.
– Proof: simple exercise.
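The following is an added example (not code from the talk or the papers it cites) that runs the whole leveled pipeline above end to end with the talk's own equations: the secret-key LWE scheme with s = (−t, 1) and additive homomorphism, tensoring and relinearization with the binary-decomposition evaluation key C_{i,j,k}, modulus reduction with parity-preserving rounding, and finally the per-level recipe "tensor, relinearize, reduce modulus". All parameters (n = 4, noise bound B = 8, odd moduli q = 2^40 + 1 and q' = 2^20 + 1) and all function names are constructed for illustration; n = 4 offers no security at all, and the example is about correctness and noise growth only. It also reports the noise the decryptor sees before and after modulus reduction, so the "reservoir" effect of step 3 is visible on realistic numbers.

```python
import random

# Added example, not the talk's code. Toy parameters constructed for illustration
# only (n = 4 is far too small to be secure); the arithmetic follows the talk:
# a ciphertext c satisfies <c, s> = 2e + m (mod q) with s = (-t, 1).
N = 4                      # LWE dimension n
B = 8                      # noise bound: errors are sampled from [-B, B]
Q = (1 << 40) + 1          # odd modulus q
QP = (1 << 20) + 1         # odd, smaller modulus q' used by modulus reduction
random.seed(2012)

def centered(x, q):
    """Representative of x mod q in (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r

def inner(u, v):
    return sum(x * y for x, y in zip(u, v))

def keygen(n=N):
    """sk = t, a 'short' vector with entries in {-1, 0, 1} (fact 1: LWE stays hard)."""
    return [random.choice([-1, 0, 1]) for _ in range(n)]

def secret_vec(t):
    """Decryption vector s = (-t, 1), so that <(a, b), s> = b - <a, t>."""
    return [-x for x in t] + [1]

def enc(t, m, q=Q, payload=None):
    """CT = (a, b = <a, t> + 2e + m) in Z_q^n x Z_q; 'payload' replaces m for evk rows."""
    a = [random.randrange(q) for _ in t]
    e = random.randint(-B, B)
    b = (inner(a, t) + 2 * e + (m if payload is None else payload)) % q
    return a + [b]

def noise(s, c, q):
    """The value 2e + m that decryption sees; its magnitude must stay below q/2."""
    return centered(inner(c, s), q)

def dec(s, c, q=Q):
    return noise(s, c, q) % 2

def add(c1, c2, q=Q):
    return [(x + y) % q for x, y in zip(c1, c2)]

def tensor(c1, c2, q=Q):
    """c (x) c' with (n+1)^2 entries; KEY FACT: <c (x) c', s (x) s> = <c, s> * <c', s>."""
    return [(x * y) % q for x in c1 for y in c2]

def evk_gen(t, t2, q=Q):
    """Relinearization key: C_{i,j,k} = Enc_{t'}(2^k s[i] s[j]) for k = 0 .. log q."""
    s, L = secret_vec(t), q.bit_length()
    return [enc(t2, 0, q, payload=(1 << k) * s[i] * s[j])
            for i in range(len(s)) for j in range(len(s)) for k in range(L)]

def relinearize(cm, evk, n=N, q=Q):
    """sum_{i,j,k} cm[i,j,k] * C_{i,j,k}: the k-th bit of tensor entry (i,j) selects a key row."""
    L, out = q.bit_length(), [0] * (n + 1)
    for idx, v in enumerate(cm):
        for k in range(L):
            if (v >> k) & 1:
                out = add(out, evk[idx * L + k], q)
    return out

def mod_reduce(c, q=Q, qp=QP):
    """Scale c by q'/q and round every entry to the nearest integer with the same parity as c.
    Exact integer arithmetic: the target for entry ci is ci*q'/q."""
    out = []
    for ci in c:
        x = ci * qp
        y = (2 * x + q) // (2 * q)          # nearest integer to x / q
        if (y - ci) % 2:                    # wrong parity: take the closer odd/even neighbour
            y = y - 1 if abs((y - 1) * q - x) <= abs((y + 1) * q - x) else y + 1
        out.append(y % qp)                  # reducing mod the odd q' leaves the centered value unchanged
    return out

def eval_example(x1, x2, x3):
    """Leveled evaluation of f = (x1 + x2) * x3: encrypt under t, multiply (tensor +
    relinearize into key t'), reduce the modulus q -> q', decrypt under t' at q'.
    Returns (f(x) mod 2, |noise| before modulus reduction, |noise| after)."""
    t, t2 = keygen(), keygen()
    evk = evk_gen(t, t2)
    c_sum = add(enc(t, x1), enc(t, x2))                    # Enc(x1 + x2) under t
    c_prod = relinearize(tensor(c_sum, enc(t, x3)), evk)   # Enc((x1 + x2) * x3) under t'
    s2 = secret_vec(t2)
    before = abs(noise(s2, c_prod, Q))
    c_small = mod_reduce(c_prod)                           # same plaintext, modulus q'
    after = abs(noise(s2, c_small, QP))                    # bounded by (q'/q)*before + (n+1)
    return dec(s2, c_small, QP), before, after

if __name__ == "__main__":
    for x in [(0, 0, 1), (1, 0, 1), (1, 1, 1), (0, 1, 1), (1, 0, 0)]:
        print(x, "->", eval_example(*x))
```

Two details matter for correctness and are easy to get wrong: both moduli are odd, which is what makes the rounding-with-parity argument (c' = c mod 2 implies ⟨c', s⟩ = ⟨c, s⟩ mod 2 after centering) go through, and the rounding error after scaling is at most one per coordinate, so with s ∈ {−1, 0, 1}^{n+1} the post-reduction noise is at most n + 1 regardless of how large the pre-reduction noise was, as long as it was below q/2.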
There are (even bit-wise) circular secure encryption schemes:
– [BHHO'08]: based on DDH
– [ACPS'09, BG'10, BHHI'10, …]

Circular Security: how about circular security for the FHE scheme?
− NEED: "safe to publish" lweEnc(s[i]·s[j]) (encryptions of all quadratic monomials in the s[i])
− CAN PROVE: "safe to publish" lweEnc(s[i]) (encryptions of all linear monomials s[i]):
  (a, ⟨a, s⟩ + 2e + s[i] mod q) = (a, ⟨a, s⟩ + 2e + ⟨u_i, s⟩ mod q)   (u_i: the ith unit vector (0, …, 1, …, 0))
  = (a, ⟨a + u_i, s⟩ + 2e mod q) ≈ (a' − u_i, ⟨a', s⟩ + 2e mod q)
  This can be generated efficiently from an encryption of 0.
Q: "Real" FHE from standard assumptions?
1) Prove circular security for quadratic monomials, or
2) Come up with an alternative to bootstrapping.

What we did not cover …
• Efficient constructions
  – build on the ring LWE variant of today's scheme
  – Gentry-Halevi-Smart series of works
  – a number of algebraic optimizations
• Verifiability
  – CS proofs [Kil92, Mic94]
  – a number of recent works in various settings [GKR08, GGP10, CKV10, AIK10, …]
  – the central problem remains open
• Circuit privacy
  – [Gentry-Halevi-V'10]: "circuit privacy for free" theorem

Conclusion
• FHE is not so complicated any more
  – well-defined guidelines for construction
  – under relatively standard security assumptions
• FHE is not so inefficient any more
  – case in point: Ring LWE, NTRU, …
• LOTS of questions still to be answered …
  – FHE without "circular security"
  – FHE from number theory, general assumptions, …
• NEW directions: selective homomorphism, functional encryption, …
Thank you!
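The rewrite above for linear monomials, as an added example (not the talk's own code): an LWE encryption of the secret coordinate s[i] is produced from an encryption of 0 by subtracting the unit vector u_i from the a-part, and the result opens (under s) to 2e + s[i] exactly as a direct encryption of s[i] would. Parameters n = 4, q = 2^40 + 1, noise bound B = 8 and the function names are constructed for illustration; n = 4 is not a secure choice.

```python
import random

# Added example, not the talk's code. Toy parameters constructed for illustration only.
N, Q, B = 4, (1 << 40) + 1, 8
random.seed(7)

def inner(u, v):
    return sum(x * y for x, y in zip(u, v))

def lwe_enc(s, m, q=Q):
    """(a, <a, s> + 2e + m mod q) with uniformly random a in Z_q^n and short e."""
    a = [random.randrange(q) for _ in s]
    e = random.randint(-B, B)
    return a, (inner(a, s) + 2 * e + m) % q

def enc_secret_coord_from_zero(s, i, q=Q):
    """lweEnc(s[i]) built from an encryption of 0 alone: (a' - u_i, <a', s> + 2e).
    The b-part is untouched; only the public a-part is shifted, which needs no secret."""
    a2, b2 = lwe_enc(s, 0, q)
    a = list(a2)
    a[i] = (a[i] - 1) % q          # subtract the i-th unit vector u_i
    return a, b2

def opens_to(s, ct, q=Q):
    """b - <a, s>, centered mod q: equals 2e + (message) for a well-formed ciphertext."""
    a, b = ct
    r = (b - inner(a, s)) % q
    return r - q if r > q // 2 else r

def is_encryption_of(s, ct, m, q=Q):
    """True iff ct opens to 2e + m for some |e| <= B, i.e. looks like lweEnc(m)."""
    v = opens_to(s, ct, q)
    return (v - m) % 2 == 0 and abs(v - m) <= 2 * B

def check_linear_monomials(s, q=Q):
    """Every coordinate s[i] can be 'encrypted' from Enc(0) by the a-part shift."""
    return all(is_encryption_of(s, enc_secret_coord_from_zero(s, i, q), s[i], q)
               for i in range(len(s)))

if __name__ == "__main__":
    s = [random.choice([-1, 0, 1]) for _ in range(N)]      # short secret, as in the scheme
    print("direct enc of s[0] opens to", opens_to(s, lwe_enc(s, s[0])))
    print("from-zero enc of s[0] opens to", opens_to(s, enc_secret_coord_from_zero(s, 0)))
    print("all coordinates ok:", check_linear_monomials(s))
```

The point the slide makes is visible in the code: `enc_secret_coord_from_zero` never reads s, so the pair it outputs is computable by anyone who holds an encryption of 0, and its distribution is exactly that of a fresh encryption of s[i] (a' − u_i is uniform when a' is). For the quadratic monomials s[i]·s[j] no such shift of the a-part exists, which is why that case stays an assumption.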