FULLY HOMOMORPHIC ENCRYPTION from the Integers
Marten van Dijk (RSA Labs), Craig Gentry (IBM T.J. Watson), Shai Halevi (IBM T.J. Watson), Vinod Vaikuntanathan (IBM T.J. Watson)

Computing on Encrypted Data (An Example)
“I want to delegate the computation to the cloud, but the cloud shouldn’t see my input”
Client (input: x) sends Enc(x) to the Server/Cloud (program: P), which returns Enc[P(x)].

Fully Homomorphic Encryption (FHE)
Definition: [KeyGen, Enc, Dec, Eval], where KeyGen, Enc, Dec are as in regular encryption and
Eval(P, Enc(x)) = Enc[P(x)]
Compactness: size of the Eval’ed ciphertext is independent of P
Security: semantic security [GM’82]

Fully Homomorphic Encryption
► First defined: “privacy homomorphism” [RAD’78]
– their motivation: searching encrypted data
► Limited variants:
– RSA & El Gamal: multiplicatively homomorphic
– GM & Paillier: additively homomorphic
– BGN’05 & GHV’10a: quadratic formulas
► NON-COMPACT homomorphic encryption [CCKM00, SYY99, IP07, MGH08, GHV10b, …]
► Big breakthrough: [Gentry09] – first construction of fully homomorphic encryption, using algebraic number theory / “ideal lattices”

No Ideal Lattices
► Is there an elementary construction of FHE?
– using just integer addition and multiplication
– easier to understand, implement and improve

Our Result
Theorem [DGHV’10]: We have a fully homomorphic public-key encryption scheme
– which uses only add and mult over the integers,
– which is secure based on the approximate GCD problem & the sparse subset sum problem.

Construction: A Roadmap
1. Secret-key “somewhat” homomorphic encryption (under the approximate GCD assumption)
   → (a simple transformation)
2. Public-key “somewhat” homomorphic encryption (under the approximate GCD assumption)
   → (borrows from Gentry’s techniques)
3.
Public-key FULLY homomorphic encryption (under approx GCD + sparse subset sum)

Secret-key Homomorphic Encryption
Secret key: an n^2-bit odd number p (security parameter = n)
To encrypt a bit b:
– pick a random “large” multiple of p, say q·p (q ~ n^5 bits)
– pick a random “small” even number 2·r (r ~ n bits)
– ciphertext c = q·p + 2·r + b (the “noise” is 2·r + b)
To decrypt a ciphertext c:
– c (mod p) = 2·r + b (mod p) = 2·r + b
– read off the least significant bit

How to Add and Multiply Encrypted Bits:
– add/mult of two near-multiples of p gives a near-multiple of p
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1 + c2 = p·(q1 + q2) + 2·(r1 + r2) + (b1 + b2), with noise « p, so LSB = b1 XOR b2
– c1·c2 = p·(q1·c2 + q2·c1 − q1·q2·p) + 2·(2·r1·r2 + r1·b2 + r2·b1) + b1·b2, with noise « p, so LSB = b1 AND b2

Two Issues
► Ciphertext grows with each operation → useless for many applications (cloud computing, searching encrypted e-mail)
► Noise grows with each operation
– consider c = q·p + 2·r + b ← Enc(b)
– once the noise 2·r + b is no longer small compared to p, c (mod p) = r’ ≠ 2·r + b
  (number-line picture: (q−1)·p, q·p, (q+1)·p, (q+2)·p, with c = q·p + 2·r + b landing beyond (q+1)·p)
→ after some operations, the ciphertext becomes “undecryptable”

Solving the Two Issues
► Ciphertext grows with each operation
– publish x0 = q0·p (*)
– take the ciphertext (mod x0) after each op (add/mult)
– the ciphertext then always stays less than x0, the encrypted bit remains the same, and the noise does not increase at all
(*) more complex way using x0 = a near-multiple of p
► Noise grows with each operation
– can perform a “limited” number of hom.
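The secret-key scheme and both fixes above, as an added example (not code from the talk or the DGHV paper): a toy-sized Python implementation that encrypts bits, adds and multiplies them, reduces mod a published exact multiple x0 = q0·p, and records the point at which repeated multiplication pushes the noise past p/2. Parameter sizes are constructed and far below the n^2 / n^5 bits of the talk.

```python
import random
# Toy sizes (constructed); the talk uses p of n^2 bits, q of n^5 bits, r of n bits.
P_BITS, Q_BITS, R_BITS = 32, 64, 4

def keygen():
    """Secret key: a random odd P_BITS-bit number p."""
    return random.getrandbits(P_BITS) | 1 | (1 << (P_BITS - 1))

def encrypt(p, b):
    """c = q*p + 2*r + b with a large random q and a small random r (noise 2r+b)."""
    q = random.getrandbits(Q_BITS)
    r = random.randint(-(1 << R_BITS), 1 << R_BITS)
    return q * p + 2 * r + b

def centered_mod(c, m):
    """c mod m taken in [-(m//2), m//2], so noise of either sign comes back intact."""
    c %= m
    return c - m if c > m // 2 else c

def decrypt(p, c):
    """(c mod p) mod 2: correct exactly while the noise |2r+b| stays below p/2."""
    return centered_mod(c, p) & 1          # & 1 is the parity even for negative ints

def noise(p, c):
    """The noise term |2r+b| as seen through p (only meaningful while < p/2)."""
    return abs(centered_mod(c, p))

def add(c1, c2, x0):   # LSB = b1 XOR b2; mod x0 = q0*p keeps the size bounded
    return (c1 + c2) % x0

def mul(c1, c2, x0):   # LSB = b1 AND b2; noise multiplies, so this is the costly op
    return (c1 * c2) % x0

def and_chain(p, x0, k):
    """Multiply k fresh encryptions of 1; record whether each partial product still
    decrypts to 1. The flags turn False once the noise passes p/2 (the 'somewhat' limit)."""
    acc, ok = encrypt(p, 1), []
    for _ in range(k):
        acc = mul(acc, encrypt(p, 1), x0)
        ok.append(decrypt(p, acc) == 1)
    return ok

def demo(seed=0):
    random.seed(seed)
    p = keygen()
    x0 = (random.getrandbits(Q_BITS) | 1) * p        # published exact multiple of p
    c1, c2 = encrypt(p, 1), encrypt(p, 1)
    xor_bit = decrypt(p, add(c1, c2, x0))
    and_bit = decrypt(p, mul(c1, c2, x0))
    same_noise = noise(p, c1 % x0) == noise(p, c1)   # reducing mod x0 adds no noise
    return xor_bit, and_bit, same_noise, and_chain(p, x0, 40)
```

With |2r+b| ≤ 33 and p ≥ 2^31, the first four multiplications in the chain are guaranteed correct (33^5 < 2^30 ≤ p/2), while forty of them push the noise far past p/2.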
operations (“Somewhat Homomorphic” Encryption)
– Somewhat → Fully: (a variant of) squashing + bootstrapping [G’09]

Security (of the secret-key “somewhat” homomorphic scheme)

The Approximate GCD Assumption (name coined by Howgrave-Graham)
Parameters of the problem: three numbers P, Q and R
odd p ← [0…P], q_i ← [0…Q], r_i ← [−R…R]
Given (q0·p, q1·p + r1, …, qt·p + rt): p?
Assumption: no PPT adversary can guess the number p

Assumption (no PPT adversary can guess p) ⇒ (proof of security) ⇒ semantic security: no PPT adversary can guess the bit b from (q0·p, q1·p + 2·r1 + b, …, qk·p + 2·rk + b)

A “Taste” of the Security Proof
Encryption breaker A: given q0·p, {qi·p + ri} and c = q·p + r, outputs lsb(q)
Approx GCD solver B: given q0·p, {qi·p + ri}, runs A and outputs p
Claim: on every c = q·p + r, A predicts lsb(q) correctly w.p. 1 − 1/poly
“Proof”: lots of details (worst-case to average-case over c, computing lsb(q) = computing lsb(r), a hybrid argument)
Main idea: use lsb(q) to make q successively smaller
First try:
– if lsb(q) = 0, c ← [c/2] (new c = (q/2)·p + [r/2])
– if lsb(q) = 1, c ← [(c − p)/2] (new c = ((q−1)/2)·p + [r/2])
Lemma: given two near-multiples z1 = q1·p + r1 and z2 = q2·p + r2 (+ lsb oracle), can compute z’ = gcd(q1,q2)·p + r’ for small r’; w.h.p. gcd(q1,q2) = 1
– if lsb(q) = 0, c ← [c/2] (new c = (q/2)·p + [r/2])
– if lsb(q) = 1, c ← [(c − z’)/2] (new c = ((q−1)/2)·p + [(r − r’)/2])
– learn q bit by bit
Observation: the binary GCD algorithm is “noise-tolerant”, given an lsb oracle (similar to the RSA hardcore-bit proof of [ACGS’88])

How Hard is Approximate GCD?
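The reduction sketched above, as an added example that is not from the talk: the lsb(q) oracle plays the hypothetical adversary A and is simulated with knowledge of p, while the solver side only uses near-multiples and the oracle, first running the noise-tolerant binary GCD to get z' = p + r', then learning q of a fresh c bit by bit and rounding c/q. Toy parameter sizes are constructed, and the demo samples q1, q2 coprime so the lemma's w.h.p. case holds.

```python
import math, random
# Toy sizes (constructed); the talk uses p of n^2 bits, q of n^5 bits, r of n bits.
NOISE_BITS, P_BITS, Q_BITS = 8, 40, 80
SMALL = 1 << (NOISE_BITS + 4)   # |z| below this means q = 0, since p >> noise

def near_multiple(p, q=None):   # z = q*p + r with |r| <= 2^NOISE_BITS
    q = random.getrandbits(Q_BITS) if q is None else q
    return q * p + random.randint(-(1 << NOISE_BITS), 1 << NOISE_BITS)
def half(z):                    # [z/2]: halves q and roughly halves the noise
    return (z + 1) // 2

def make_lsb_oracle(p):
    """Stands in for the hypothetical adversary A: on z = q*p + r returns lsb(q).
    Only this simulation peeks at p; the reduction itself never reads p."""
    return lambda z: ((z + p // 2) // p) & 1

def approx_gcd(z1, z2, lsb):
    """Noise-tolerant binary GCD: returns gcd(q1, q2)*p + r' with r' still small."""
    a, b, g = z1, z2, 1
    while abs(a) >= SMALL and abs(b) >= SMALL:      # both q's still non-zero
        a_even, b_even = lsb(a) == 0, lsb(b) == 0
        if a_even and b_even:
            a, b, g = half(a), half(b), 2 * g        # common factor 2 of the q's
        elif a_even or b_even:
            a, b = (half(a), b) if a_even else (a, half(b))
        else:                                        # both odd: (larger - smaller)/2
            if abs(a) < abs(b):
                a, b = b, a
            a = half(a - b)
    return g * (b if abs(a) < SMALL else a)

def recover_p(z1, z2, c, lsb):
    """The talk's reduction: lsb(q) oracle -> secret p, using only near-multiples."""
    zp = approx_gcd(z1, z2, lsb)         # w.h.p. gcd(q1, q2) = 1, so zp = p + r'
    q, c_i, i = 0, c, 0                  # learn the bits of q, lowest first
    while abs(c_i) >= SMALL:
        bit = lsb(c_i)
        q |= bit << i
        c_i = half(c_i) if bit == 0 else half(c_i - zp)   # q -> q/2 or (q-1)/2
        i += 1
    return (c + q // 2) // q             # round(c/q) = p, because |r| < q/2

def demo(seed=1):   # p and near-multiples with coprime q1, q2 (the lemma's w.h.p. case)
    random.seed(seed)
    p = random.getrandbits(P_BITS) | 1 | (1 << (P_BITS - 1))
    q1, q2 = random.getrandbits(Q_BITS), random.getrandbits(Q_BITS)
    while math.gcd(q1, q2) != 1:
        q2 = random.getrandbits(Q_BITS)
    z1, z2 = near_multiple(p, q1), near_multiple(p, q2)
    return recover_p(z1, z2, near_multiple(p), make_lsb_oracle(p)) == p
```

Every step keeps the noise within the original ±2^NOISE_BITS, which is why q = 0 can be detected by size alone: a near-multiple with q = 0 is tiny while any other is at least p minus the noise.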
Studied by [HG01]; also [Lag82, Cop97, NS01] (equivalent to “simultaneous Diophantine approximation”)
Lattice-based attacks:
– Lagarias’ algorithm
– Coppersmith’s algorithm for finding small polynomial roots
– Nguyen/Stern and Regev’s orthogonal lattice method
All run out of steam when log Q > (log P)^2 (our setting of parameters: log Q = n^5, log P = n^2)

Parameter Regimes
(very rough diagram of log Q/(log P)^2 against R, with R ranging from min = 0 to max = P)

Future Directions
► Efficient fully homomorphic encryption (currently: n^5-size ciphertexts; n^10 running-time blowup); some recent improvements [SV’10, SS’10]
► Security of the approx GCD assumption (e.g., a worst-case to average-case reduction to regular – non-ideal – lattice problems?)

Questions?

Public-key Homomorphic Encryption
Secret key: an n^2-bit odd number p
Public key: [q0·p + 2·r0, q1·p + 2·r1, …, qt·p + 2·rt], denoted (x0, x1, …, xt)
– t + 1 random encryptions of 0
– w.l.o.g., x0 = q0·p + 2·r0 is the largest
To encrypt a bit b: pick a random subset S ⊆ [1…t] and set c = Σ_{i∈S} xi + 2·r + b (mod x0)
To decrypt a ciphertext c:
– c = Σ_{i∈S} xi + 2·r + b − k·x0 (for a small k)
  = p·[Σ_{i∈S} qi − k·q0] + 2·[Σ_{i∈S} ri + r − k·r0] + b
  = (multiple of p) + (“small” even noise) + b
– c (mod p) = 2·r’ + b; read off the least significant bit
Eval (as before)

Ciphertext Size Reduction
– resulting ciphertext < x0
– underlying bit is the same (since x0 has even noise)
– noise does not increase by much (*)
Eval: reduce mod x0 after each operation
(*) additional tricks for mult

A Roadmap
1. Secret-key “somewhat” homomorphic encryption
2. Public-key “somewhat” homomorphic encryption
3. Public-key FULLY homomorphic encryption

How “Somewhat” Homomorphic Is This?
Can evaluate (multivariate) polynomials with m terms and maximum degree d if m·2^(n·d) < p/2 ≈ 2^(n^2)/2, i.e., d ~ n
f(x1, …, xt) = x1·x2·…·xd + … + x(t−d+1)·x(t−d+2)·…·xt
Say the noise in Enc(xi) < 2^n; final noise ~ (2^n)^d + … + (2^n)^d = m·(2^n)^d

From “Somewhat” to “Fully”
Theorem [Gentry’09]: convert “bootstrappable” → FHE (FHE = can eval all fns)
“Somewhat” HE is “bootstrappable” if it can Eval its own augmented decryption circuit: NAND(Dec(sk, c1), Dec(sk, c2))

Is Our Scheme “Bootstrappable”?
What functions can the scheme Eval? (polynomials of degree < n) (?)
Complexity of the (augmented) decryption circuit: a polynomial of degree ~ n^1.73
Can be made bootstrappable – similar to Gentry’09
Caveat: assume hardness of “Sparse Subset Sum”
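The public-key scheme and the m·2^(n·d) < p/2 bound above, as an added example (not the talk's or the paper's code): x0 is taken as the exact multiple q0·p (the simple (*) option, so no extra tricks are needed for mult), the rest of the key is random encryptions of 0, and eval_poly evaluates a sum of degree-d monomials mod x0 while demo checks the result against the plaintext and against the talk's noise bound. Sizes are constructed toy values.

```python
import random
from itertools import combinations
# Toy sizes (constructed): p of P_BITS bits, q's of Q_BITS bits, t = T public elements.
P_BITS, Q_BITS, R_BITS, T = 40, 80, 3, 8

def keygen():
    """sk = odd p; pk = (x0, x1..xt) with x0 = q0*p the largest (exact multiple) and
    x_i = q_i*p + 2*r_i random encryptions of 0, each smaller than x0."""
    p = random.getrandbits(P_BITS) | 1 | (1 << (P_BITS - 1))
    x0 = (random.getrandbits(Q_BITS) | (1 << (Q_BITS - 1))) * p
    xs = [random.getrandbits(Q_BITS - 1) * p + 2 * random.randint(-(1 << R_BITS), 1 << R_BITS)
          for _ in range(T)]
    return p, [x0] + xs
def encrypt(pk, b):
    """c = sum_{i in S} x_i + 2r + b (mod x0) for a random subset S of {1..t}."""
    subset = [x for x in pk[1:] if random.getrandbits(1)]
    r = random.randint(-(1 << R_BITS), 1 << R_BITS)
    return (sum(subset) + 2 * r + b) % pk[0]

def decrypt(p, c):
    """(c mod p) mod 2 with the residue centered so negative noise is handled."""
    m = c % p
    return (m - p if m > p // 2 else m) & 1

def eval_poly(pk, monomials, cts):
    """Sum of products over ciphertexts (monomial = tuple of variable indexes),
    reducing mod x0 after every addition and multiplication."""
    x0, acc = pk[0], 0
    for mono in monomials:
        term = 1
        for i in mono:
            term = term * cts[i] % x0
        acc = (acc + term) % x0
    return acc

def fresh_noise_bound():
    """|2r+b| of a fresh ciphertext: up to t x_i's of noise 2^(R_BITS+1), plus 2r+b."""
    return (T + 1) * (1 << (R_BITS + 1)) + 1
def demo(seed=0, n_vars=6, degree=3):
    """Evaluate all degree-d monomials in n_vars variables (m = C(n_vars, d) terms);
    return (decryption matches plaintext, the bound m * noise^d < p/2 holds)."""
    random.seed(seed)
    p, pk = keygen()
    bits = [random.getrandbits(1) for _ in range(n_vars)]
    cts = [encrypt(pk, b) for b in bits]
    monos = list(combinations(range(n_vars), degree))
    expected = sum(all(bits[i] for i in m) for m in monos) & 1
    guaranteed = len(monos) * fresh_noise_bound() ** degree < p // 2
    return decrypt(p, eval_poly(pk, monos, cts)) == expected, guaranteed
```

Whenever the second flag is True the first is forced, which is the talk's correctness condition in miniature; when the bound fails (for instance degree 7 in 8 variables here) the decrypted bit is no longer reliable.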