FULLY HOMOMORPHIC ENCRYPTION
from the Integers
Marten van Dijk (RSA Labs)
Craig Gentry (IBM T.J. Watson)
Shai Halevi (IBM T.J. Watson)
Vinod Vaikuntanathan (IBM T.J. Watson)
Computing on Encrypted Data
(An Example)
Client (Input: x): “I want to delegate the computation to the cloud, but the cloud shouldn’t see my input”
Client → Server/Cloud: Enc(x)
Server/Cloud (Program: P): computes on the ciphertext
Server/Cloud → Client: Enc[P(x)]
Fully Homomorphic Encryption (FHE)
Definition: [KeyGen, Enc, Dec, Eval]
(KeyGen, Enc, Dec as in regular encryption)
Eval(P, Enc(x)) = Enc[P(x)]
Compactness: size of the Eval’ed ciphertext is independent of P
Security: semantic security [GM’82]
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– their motivation: searching encrypted data
► Limited Variants:
– RSA & El Gamal: multiplicatively homomorphic
– GM & Paillier: additively homomorphic
– BGN’05 & GHV’10a: quadratic formulas
► NON-COMPACT homomorphic encryption
[CCKM00, SYY99, IP07,MGH08,GHV10b,…]
Big Breakthrough: [Gentry09]
First Construction of Fully Homomorphic Encryption
using algebraic number theory / “ideal lattices”
No ideal lattices
► Is there an elementary construction of FHE?
– using just integer addition and multiplication
– easier to understand, implement and improve
OUR RESULT
Theorem [DGHV’10]: We have a fully homomorphic
public-key encryption scheme
– which uses only add and mult over the integers,
– which is secure based on the approximate GCD problem
& the sparse subset sum problem.
Construction
A Roadmap
1. Secret-key “Somewhat” Homomorphic Encryption
(under the approximate GCD assumption)
↓ (a simple transformation)
2. Public-key “Somewhat” Homomorphic Encryption
(under the approximate GCD assumption)
↓ (borrows from Gentry’s techniques)
3. Public-key FULLY Homomorphic Encryption
(under approx GCD + sparse subset sum)
Secret-key Homomorphic Encryption
► Secret key: an n^2-bit odd number p
(sec. param = n)
► To Encrypt a bit b:
– pick a random “large” multiple of p, say q·p (q ~ n^5 bits)
– pick a random “small” even number 2·r (r ~ n bits): the “noise”
– Ciphertext c = q·p + 2·r + b
► To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Secret-key Homomorphic Encryption
► How to Add and Multiply Encrypted Bits:
– Add/Mult of two near-multiples of p gives a near-multiple of p
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2), with noise 2·(r1+r2)+(b1+b2) « p
LSB = b1 XOR b2
– c1·c2 = p·(c2·q1 + c1·q2 − q1·q2·p) + 2·(2·r1·r2 + r1·b2 + r2·b1) + b1·b2, with noise « p
LSB = b1 AND b2
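The secret-key scheme above (key, Enc, Dec and the two gates), as an added worked example in Python; it is not code from the slides or the paper. The bit sizes P_BITS, Q_BITS and R_BITS are toy values scaled down from the slide's n^2 / n^5 / n sizes, and the helper names and the centered representation of c mod p are this example's own choices.

```python
import random
from itertools import product

# Toy parameters, constructed for illustration only. The slides use
# |p| ~ n^2 bits, |q| ~ n^5 bits and |r| ~ n bits for security parameter n;
# these sizes are far too small to be secure but keep the arithmetic visible.
P_BITS, Q_BITS, R_BITS = 64, 200, 8


def keygen(rng):
    """Secret key: a random odd P_BITS-bit integer p."""
    return rng.getrandbits(P_BITS) | (1 << (P_BITS - 1)) | 1


def encrypt(p, b, rng):
    """c = q*p + 2*r + b: a large random multiple of p, small even noise, the bit."""
    q = rng.getrandbits(Q_BITS)
    r = rng.getrandbits(R_BITS) - (1 << (R_BITS - 1))  # r in [-2^(R_BITS-1), 2^(R_BITS-1))
    return q * p + 2 * r + b


def centered_mod(c, p):
    """c mod p represented in (-p/2, p/2], so negative noise is recovered intact."""
    m = c % p
    return m - p if m > p // 2 else m


def decrypt(p, c):
    """While |2r+b| < p/2, c mod p equals 2r+b; its least significant bit is b."""
    return centered_mod(c, p) & 1


def hom_xor(c1, c2):
    """Adding near-multiples of p adds the noise terms: the LSB becomes b1 XOR b2."""
    return c1 + c2


def hom_and(c1, c2):
    """Multiplying near-multiples of p multiplies the noise terms: the LSB becomes b1 AND b2."""
    return c1 * c2


def noise(p, c):
    """Magnitude of the noise 2r+b hidden in c (needs the secret key)."""
    return abs(centered_mod(c, p))


def gates_correct(seed):
    """Check both homomorphic gates on every input pair under a fresh key.
    Returns True only if every fresh and evaluated ciphertext decrypts correctly."""
    rng = random.Random(seed)
    p = keygen(rng)
    for b1, b2 in product((0, 1), repeat=2):
        c1, c2 = encrypt(p, b1, rng), encrypt(p, b2, rng)
        if decrypt(p, c1) != b1 or decrypt(p, c2) != b2:
            return False
        if decrypt(p, hom_xor(c1, c2)) != (b1 ^ b2):
            return False
        if decrypt(p, hom_and(c1, c2)) != (b1 & b2):
            return False
        # product noise is (2r1+b1)(2r2+b2): at most 2^16 here, far below p/2
        if noise(p, hom_and(c1, c2)) >= p // 2:
            return False
    return True


if __name__ == "__main__":
    print("all gates correct:", gates_correct(2024))
```

The centered representation matters: Python's `%` returns a non-negative residue, so a negative noise term 2r+b would otherwise come back as p + 2r + b, whose parity is flipped because p is odd.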
Two Issues
► Ciphertext grows with each operation
→ Useless for many applications (cloud computing, searching encrypted e-mail)
► Noise grows with each operation
– Consider c = qp+2r+b ← Enc(b)
– Once the noise 2r+b is no longer small relative to p, c lies closer to a different multiple of p ((q−1)p, (q+1)p, (q+2)p, …) and c (mod p) = r’ ≠ 2r+b
→ After some operations, the ciphertext becomes “undecryptable”
Solving the Two Issues
► Ciphertext grows with each operation
– Publish x0 = q0p (*)
– Take ciphertext (mod x0) after each op (Add/Mult)
► Ciphertext stays less than x0 always
► The encrypted bit remains the same
► Noise does not increase at all
(*) More complex way using x0 = a near-multiple of p
► Noise grows with each operation
► Can perform a “limited” number of hom. operations
(“Somewhat Homomorphic” Encryption)
– Somewhat → Fully: (A variant of) Squashing + Bootstrapping [G’09]
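The two fixes above, as an added Python example that is not part of the slides: it publishes x0 = q0·p, reduces mod x0 after each multiplication so the ciphertext never exceeds x0 while c mod p (and so the noise) is unchanged, and then keeps AND-ing encryptions of 1 until the accumulated noise 255^d crosses p/2 and decryption breaks. The fixed p = 2^40 + 1, the worst-case noise 255 per fresh ciphertext and all function names are constructed assumptions chosen to make the failure depth predictable; a real key is random.

```python
import random

# Constructed toy parameters: a fixed odd "secret key" and worst-case noise,
# chosen so that the depth at which decryption breaks is predictable.
# (A real key is a random n^2-bit odd number; q is a random n^5-bit number.)
P = (1 << 40) + 1          # odd, so p/2 ~ 2^39
Q_BITS = 100
R_MAX = 127                # |r| <= 127, so a fresh ciphertext has noise |2r+b| <= 255
NOISE_MAX = 2 * R_MAX + 1


def rand_q(rng):
    return rng.getrandbits(Q_BITS) | (1 << (Q_BITS - 1))


def make_x0(p, rng):
    """The published exact multiple x0 = q0*p used to shrink ciphertexts."""
    return rand_q(rng) * p


def encrypt(p, b, r, q):
    return q * p + 2 * r + b


def centered_mod(c, p):
    m = c % p
    return m - p if m > p // 2 else m


def decrypt(p, c):
    return centered_mod(c, p) & 1


def and_chain(p, x0, depth, rng, reduce_mod_x0=True):
    """Multiply `depth` fresh worst-case-noise encryptions of 1 together,
    optionally reducing mod x0 after each multiplication.
    Returns (decrypted bit, bit length of the final ciphertext)."""
    c = encrypt(p, 1, R_MAX, rand_q(rng))
    for _ in range(depth - 1):
        c = c * encrypt(p, 1, R_MAX, rand_q(rng))
        if reduce_mod_x0:
            c %= x0           # x0 = q0*p, so c mod p (hence the noise) is unchanged
    return decrypt(p, c), c.bit_length()


def max_correct_depth(p, noise=NOISE_MAX):
    """Largest d with noise^d < p/2: the multiplicative depth the scheme
    evaluates correctly (one term of degree d with per-input noise 255)."""
    d = 0
    while noise ** (d + 1) < p // 2:
        d += 1
    return d


def first_failing_depth(p, x0, rng):
    """Empirically find the first depth at which AND-ing encryptions of 1
    no longer decrypts to 1."""
    d = 1
    while and_chain(p, x0, d, rng)[0] == 1:
        d += 1
    return d


def run_demo(seed=0):
    """Returns (predicted max depth, first failing depth, ciphertext bits at
    depth 4 with reduction, the same without reduction, bits of x0)."""
    rng = random.Random(seed)
    x0 = make_x0(P, rng)
    return (max_correct_depth(P),
            first_failing_depth(P, x0, rng),
            and_chain(P, x0, 4, rng)[1],
            and_chain(P, x0, 4, rng, reduce_mod_x0=False)[1],
            x0.bit_length())


if __name__ == "__main__":
    pred, fail, reduced, unreduced, x0_bits = run_demo()
    print("predicted max depth:", pred, " first failing depth:", fail)
    print("depth-4 ciphertext: %d bits reduced, %d bits unreduced (x0 has %d bits)"
          % (reduced, unreduced, x0_bits))
```

With these numbers 255^4 is still below p/2 but 255^5 is not: at depth 5 the centered residue becomes 255^5 − p, which is even, so the bit decrypts as 0. That is exactly the "undecryptable" state of the previous slide, and reduction mod x0 does nothing to prevent it; it only bounds the ciphertext size.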
Security
(of the secret-key “somewhat” homomorphic scheme)
The Approximate GCD Assumption
(name coined by Howgrave-Graham)
Parameters of the Problem: Three numbers P, Q and R
– odd p ← [0…P]
– q0, q1, …, qt ← [0…Q]
– r1, …, rt ← [−R…R]
Given (q0p, q1p+r1, …, qtp+rt): p?
Assumption: no PPT adversary can guess the number p
Approximate GCD Assumption ⇒ Semantic Security (proof of security)
Semantic Security: no PPT adversary can guess the bit b given (q0p, q1p+2r1+b, …, qkp+2rk+b)
A “Taste” of the Security Proof
Encryption breaker (Adv A): given q0p, {qip+ri} and a challenge c = qp+r, outputs lsb(q)
Approx GCD solver (Adv B): given q0p, {qip+ri}, feeds ciphertexts c = qp+r to A to learn q, and outputs p
Claim: On every c=qp+r, A predicts lsb(q) correctly w.p. 1−1/poly
“Proof”: Lots of details (worst-case to average case over c, computing lsb(q) = computing lsb(r), a hybrid argument.)
Main Idea: Use lsb(q) to make q successively smaller
First Try:
– If lsb(q) = 0, c ← [c/2] (new-c = q/2·p + [r/2])
– If lsb(q) = 1, c ← [(c−p)/2] (new-c = (q−1)/2·p + [r/2])
– Learn q bit by bit
(p is not known to B, so replace it by the z’ of the lemma below)
Lemma: Given two near-multiples z1=q1p+r1 and z2=q2p+r2 (+lsb oracle), can compute z’=gcd(q1,q2)·p+r’ for small r’
W.h.p. gcd(q1,q2)=1
– If lsb(q) = 0, c ← [c/2] (new-c = q/2·p + [r/2])
– If lsb(q) = 1, c ← [(c−z’)/2] (new-c = (q−1)/2·p + [(r−r’)/2])
Observation: the Binary GCD algo. is “noise-tolerant”, given lsb oracle.
(similar to the RSA hardcore bit proof of [ACGS’88])
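The lemma and the noise-tolerant binary GCD, as an added Python simulation that is not part of the slides or the paper. The oracle lsb_q stands in for the encryption breaker A; because no real breaker exists, it is simulated with knowledge of p, and only the simulation uses p: the GCD routine itself sees nothing but z1, z2 and the oracle's answers. Parameter sizes, NOISE_BOUND and all names are this example's own assumptions.

```python
import random
from math import gcd

# Constructed toy instance; sizes are illustrative only.
P_BITS, Q_BITS, R_BITS = 48, 24, 8
NOISE_BOUND = 1 << (R_BITS + 4)   # anything this small is treated as q = 0


def make_lsb_oracle(p):
    """Stand-in for adversary A of the slide: a perfect predictor of lsb(q)
    for z = q*p + r with |r| < p/2. It knows p only because we simulate it."""
    def lsb_q(z):
        q = (z + p // 2) // p          # index of the nearest multiple of p
        return q & 1
    return lsb_q


def noisy_binary_gcd(z1, z2, lsb_q):
    """Binary GCD on the hidden q's while only the noisy z's are visible.
    Halving an even q is floor(z/2); when both q's are odd, (z1 - z2)/2 has
    quotient (q1 - q2)/2. The noise is halved along with q at every step,
    so it never grows beyond a constant. Returns gcd(q1, q2)*p + r' for small r'."""
    while True:
        if abs(z1) < NOISE_BOUND:      # q1 has reached 0
            return z2
        if abs(z2) < NOISE_BOUND:      # q2 has reached 0
            return z1
        if lsb_q(z1) == 0:
            z1 //= 2
        elif lsb_q(z2) == 0:
            z2 //= 2
        elif z1 >= z2:
            z1 = (z1 - z2) // 2
        else:
            z2 = (z2 - z1) // 2


def sample_instance(seed):
    """Odd p and two near-multiples z_i = q_i*p + r_i with gcd(q1, q2) = 1
    (true w.h.p. for random q's; resampled here so the example is deterministic)."""
    rng = random.Random(seed)
    p = rng.getrandbits(P_BITS) | (1 << (P_BITS - 1)) | 1
    while True:
        q1, q2 = rng.getrandbits(Q_BITS), rng.getrandbits(Q_BITS)
        if gcd(q1, q2) == 1:
            break
    r1 = rng.getrandbits(R_BITS) - (1 << (R_BITS - 1))
    r2 = rng.getrandbits(R_BITS) - (1 << (R_BITS - 1))
    return p, q1 * p + r1, q2 * p + r2


def recover_near_p(seed):
    """Run the reduction B: returns (p, z') where z' = p + r' for small r'."""
    p, z1, z2 = sample_instance(seed)
    z_prime = noisy_binary_gcd(z1, z2, make_lsb_oracle(p))
    return p, z_prime


if __name__ == "__main__":
    p, z_prime = recover_near_p(42)
    print("p - z' =", p - z_prime, "(small, as the lemma promises)")
```

The example stops at the lemma: z' is within a small additive error of p. The slide's next step substitutes this z' for the unknown p in the halving rule c ← [(c − z')/2], which is why the error r' has to stay small.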
How Hard is Approximate GCD?
► Studied by [HG01]; also [Lag82, Cop97, NS01]
(equivalent to “simultaneous Diophantine approximation”)
► Lattice-based Attacks
– Lagarias’ algorithm
– Coppersmith’s algo. for finding small polynomial roots
– Nguyen/Stern and Regev’s orthogonal lattice method
► All run out of steam when log Q > (log P)^2
(our setting of parameters: log Q = n^5, log P = n^2)
Future Directions
► Efficient fully homomorphic encryption
(Currently: n^5 size ciphertexts; n^10 running-time blowup)
Some recent improvements [SV’10, SS’10]
► Security of the approx GCD assumption
(e.g., a worst-case to average-case reduction to regular, non-ideal, lattice problems?)
Questions?
Public-key Homomorphic Encryption
► Secret key: an n^2-bit odd number p
► Public key: [q0p+2r0, q1p+2r1, …, qtp+2rt] = (x0, x1, …, xt)
– t+1 random encryptions of 0
– W.l.o.g., x0 = q0p+2r0 is the largest
► To Encrypt a bit b: pick a random subset S ⊆ [1…t]
c = Σ_{i∈S} xi + 2r + b (mod x0)
► To Decrypt a ciphertext c:
– c = Σ_{i∈S} xi + 2r + b − k·x0 (for a small k)
= p·[Σ_{i∈S} qi − k·q0] + 2·[r + Σ_{i∈S} ri − k·r0] + b
= (mult. of p) + (“small” even noise) + b
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
► Eval (as before)
Public-key Homomorphic Encryption: Ciphertext Size Reduction
► Reduce mod x0 after encryption and after each operation:
– Resulting ciphertext < x0
– Underlying bit is the same (since x0 has even noise)
– Noise does not increase by much (*)
► Eval: Reduce mod x0 after each operation
(*) additional tricks for mult
Parameter Regimes
(very rough diagram: log Q/(log P)^2 plotted against R, with R ranging from min = 0 to max = P)
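The public-key scheme above (t+1 encryptions of zero as the public key, subset-sum encryption, reduction mod x0), as an added Python example that is not the paper's code. One simplification is labelled in the code: x0 is taken as an exact multiple q0·p, as on the "Solving the Two Issues" slide, rather than the near-multiple q0p+2r0, because a noisy x0 needs the additional tricks for multiplication that the slide only footnotes. The sizes P_BITS, Q_BITS, R_BITS and T and all helper names are toy assumptions.

```python
import random
from itertools import product

# Toy parameters, constructed for illustration (insecure sizes). The slides use
# |p| ~ n^2 bits, |q_i| ~ n^5 bits, |r_i| ~ n bits and t+1 public elements.
P_BITS, Q_BITS, R_BITS, T = 64, 200, 8, 20


def rand_r(rng):
    """Small signed noise r in [-2^(R_BITS-1), 2^(R_BITS-1))."""
    return rng.getrandbits(R_BITS) - (1 << (R_BITS - 1))


def keygen(rng):
    """sk = odd p; pk = (x0, [x1..xt]) where x1..xt are noisy encryptions of 0.
    Assumption of this example: x0 = q0*p is an exact multiple, with q0 one bit
    longer than the other q_i, so x0 is the largest element and reducing mod x0
    leaves c mod p untouched."""
    p = rng.getrandbits(P_BITS) | (1 << (P_BITS - 1)) | 1
    x0 = (rng.getrandbits(Q_BITS) | (1 << Q_BITS)) * p
    xs = [rng.getrandbits(Q_BITS) * p + 2 * rand_r(rng) for _ in range(T)]
    assert all(x < x0 for x in xs)
    return p, (x0, xs)


def encrypt(pk, b, rng):
    """c = sum_{i in S} x_i + 2r + b (mod x0) for a random subset S of [1..t]."""
    x0, xs = pk
    subset = [x for x in xs if rng.random() < 0.5]
    return (sum(subset) + 2 * rand_r(rng) + b) % x0


def centered_mod(c, p):
    m = c % p
    return m - p if m > p // 2 else m


def decrypt(p, c):
    """c = p*(sum q_i - k*q0) + 2*(r + sum r_i) + b, so (c mod p) & 1 = b
    as long as the even noise stays below p/2."""
    return centered_mod(c, p) & 1


def hom_xor(pk, c1, c2):
    return (c1 + c2) % pk[0]


def hom_and(pk, c1, c2):
    return (c1 * c2) % pk[0]


def noise_bits(p, c):
    return abs(centered_mod(c, p)).bit_length()


def gates_correct(seed):
    """Encrypt every pair of bits under a fresh key pair and check that the
    fresh, XOR and AND ciphertexts stay below x0 and decrypt correctly."""
    rng = random.Random(seed)
    p, pk = keygen(rng)
    for b1, b2 in product((0, 1), repeat=2):
        c1, c2 = encrypt(pk, b1, rng), encrypt(pk, b2, rng)
        cx, ca = hom_xor(pk, c1, c2), hom_and(pk, c1, c2)
        if not (c1 < pk[0] and c2 < pk[0] and cx < pk[0] and ca < pk[0]):
            return False
        if decrypt(p, c1) != b1 or decrypt(p, c2) != b2:
            return False
        if decrypt(p, cx) != (b1 ^ b2) or decrypt(p, ca) != (b1 & b2):
            return False
    return True


def fresh_noise_bits(seed):
    """Noise size in bits of a fresh public-key ciphertext, next to that of p/2.
    With up to T+1 noise terms of at most 2^R_BITS each, it is about R_BITS + log2(T) bits."""
    rng = random.Random(seed)
    p, pk = keygen(rng)
    return noise_bits(p, encrypt(pk, 1, rng)), (p // 2).bit_length()


if __name__ == "__main__":
    print("all gates correct:", gates_correct(3))
    print("fresh noise bits vs p/2 bits:", fresh_noise_bits(3))
```

Unlike the secret-key scheme, a fresh ciphertext here already carries the summed noise of every x_i in the subset, so the noise budget p/2 is consumed faster: the budget check in the "How Somewhat Homomorphic is this?" slide has to start from that larger fresh-noise figure.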
A Roadmap
✓ Secret-key “Somewhat” Homomorphic Encryption
✓ Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption
How “Somewhat” Homomorphic is this?
Can evaluate (multi-variate) polynomials with m terms
and maximum degree d if:
m · 2^(nd) < p/2 ~ 2^(n^2)/2, or d ~ n
Example: f(x1, …, xt) = x1·x2···xd + … + x(t−d+1)·x(t−d+2)···xt
Say, noise in Enc(xi) < 2^n
Final Noise ~ (2^n)^d + … + (2^n)^d = m·(2^n)^d
From “Somewhat” to “Fully”
Theorem [Gentry’09]: Convert “bootstrappable” → FHE.
FHE = Can eval all fns.
A “Somewhat” HE scheme is “Bootstrappable” if it can Eval its own augmented decryption circuit:
NAND( Dec(sk, c1), Dec(sk, c2) )
Is our Scheme “Bootstrappable”?
What functions can the scheme EVAL?
(polynomials of degree < n)
vs. Complexity of the (aug.) Decryption Circuit
(degree ~ n^1.73 polynomial)
(?) degree n^1.73 > n, so the scheme cannot Eval its own decryption circuit as is
Can be made bootstrappable
– Similar to Gentry’09
Caveat: Assume Hardness of “Sparse Subset Sum”