Homomorphic Encryption from RLWE Schemes and Parameters Joppe W. Bos Microsoft Research Contains joint work with Kristin Lauter, Jake Loftus and Michael Naehrig Computing on Encrypted Data Motivation Outsource data and computation to an external computing service. Applications • Spam filter for encrypted mail • Searching on encrypted data • Building block in crypto protocols Homomorphic Encryption RSA ─ multiplicatively homomorphic 𝑒 𝑒 • 𝑐1 = 𝑚1 mod 𝑛, 𝑐2 = 𝑚2 mod 𝑛 𝑐1 ∙ 𝑐2 = 𝑚1𝑒 ∙ 𝑚2𝑒 = 𝑚1 ∙ 𝑚2 𝑒 mod 𝑛 • Multiplying 𝑐1 , 𝑐2 gives encryption of 𝑚1 ∙ 𝑚2 Benaloh ─ additively homomorphic • 𝑐1 = 𝑔𝑚1 𝑢1𝑟 mod 𝑛, 𝑐2 = 𝑔𝑚2 𝑢2𝑟 mod 𝑛 𝑐1 ∙ 𝑐2 = 𝑔𝑚1+𝑚2 𝑢1 𝑢2 𝑟 mod 𝑛 • Multiplying 𝑐1 , 𝑐2 gives encryption of 𝑚1 + 𝑚2 Fully Homomorphic Encryption (FHE) Enables unlimited computation on encrypted data Need scheme with unlimited add and mult capability • Idea: Rivest, Adleman, Dertouzos (1978) • Boneh-Goh-Nissim (2005): unlimited add + 1 mult • Breakthrough: Gentry (2009) showed such schemes exist • A lot of progress since then • Gentry, Halevi, Smart (2012): homomorphic evaluation of AES 5 minutes per block (16 bytes) Ring Learning With Errors (RLWE) (Lyubashevsky, Peikert, Regev 2010) Ring (𝑅, +,∙), modulus 𝑞, 𝑅𝑞 = 𝑅/𝑞𝑅, probability distribution χ on 𝑅 (for sampling small elts) Problem: distinguish between two distributions 1. Uniform distribution (𝑎, 𝑏) ∈ 𝑅𝑞2 2. The distribution that for a fixed 𝑠 ← χ samples 𝑎 ← 𝑅𝑞 uniformly, error e ← χ and outputs (𝑎, 𝑎 ∙ 𝑠 + 𝑒) Assumption: The RLWE problem is hard, i.e. 𝑎, 𝑎 ∙ 𝑠 + 𝑒 ~ 𝑎, 𝑏 looks random (Symmetric) Encryption from RLWE Message 𝑚 ∈ 0,1 𝑠 ← χ secret key BV (Brakerski, Vaikuntanathan 2010) encryption: Sample 𝑎 ← 𝑅𝑞 uniform, 𝑒 ← χ error/noise b = 𝑚 + 𝑎 ∙ 𝑠 + 2𝑒 mod 𝑞, ciphertext c = a, b decrypt: 𝑏 − 𝑎 ∙ 𝑠 mod 2 = (𝑚 + 2𝑒) mod 2 = 𝑚 𝑞 decrypts correctly if 𝑒 < 2 m 2e q Homomorphic Properties c1 = a1 , 𝑚1 + 𝑎1 ∙ 𝑠 + 2𝑒1 , c2 = a2 , 𝑚2 + 𝑎2 ∙ 𝑠 + 2𝑒2 Addition: 𝑐1 + 𝑐2 = (𝑎1 + 𝑎2 , 𝑚1 + 𝑚2 + (𝑎1 + 𝑎2 ) ∙ 𝑠 + 2(𝑒1 + 𝑒2 )) Multiplication (BV): 𝑏1 − 𝑎1 ∙ 𝑠 𝑏2 − 𝑎2 ∙ 𝑠 = (𝑚1 +2𝑒1 ) (𝑚2 +2𝑒2 ) = 𝑚1 𝑚2 + 2(𝑚1 𝑒2 + 𝑚2 𝑒1 + 2𝑒1 𝑒2 ) 𝑏1 − 𝑎1 ∙ 𝑠 𝑏2 − 𝑎2 ∙ 𝑠 = 𝑏1 𝑏2 − 𝑏1 𝑎2 + 𝑏2 𝑎1 𝑠 + 𝑎1 𝑎2 𝑠 2 New ciphertext: (𝑎1 𝑎2 , 𝑏1 𝑎2 + 𝑏2 𝑎1 , 𝑏1 𝑏2 ) now 3 elements! Noise Growth • Initial noise: 𝐵 • Addition: noise terms add up, 𝐵 → 2𝐵 • Multiplication: noise terms are multiplied, 𝐵 → 𝐵2 𝑚1 𝑚2 𝑚3 𝑚4 𝑚3 𝑚4 𝑚1 𝑚2 𝑚1 2 4 𝑚2 4 𝑚3 8 • 𝐵 →𝐵 ,𝐵 →𝐵 ,…,𝐵 𝑚4 2𝐿−1 →𝐵 2𝐿 𝐵4 𝑞 𝐵4 >2 𝐵2 𝑞 𝐵2 >2 𝐵 𝑞 𝐵 >2 (L levels of mult) Exponential Improvement Brakerski, Gentry, Vaikuntanathan (BGV, 2010) Modulus Switching: Switch to a smaller modulus after each mult 𝑞𝑖−1 • Need a chain of moduli 𝑞 = 𝑞0 , 𝑞𝑖 ≈ 𝐵 𝑚1 𝑚2 𝑚3 𝑚4 𝑚3 𝑚4 𝑚1 𝑚2 𝑚1 𝑚2 𝑚3 𝑚4 𝐵 𝑞 𝐵3 𝐵 𝑞 𝐵2 𝐵 𝑞 𝐵 • 𝐵2 → 𝐵3 → 𝐵4 , … , → 𝐵𝐿 (L levels of mult) • Leveled fully-homomorphic encryption = 𝑞2 𝐵 >2 = 𝑞1 𝐵 >2 = 𝑞0 𝐵 >2 Annoying Things in BGV • Ciphertexts expand upon multiplication Need a complicated relinearization step (key switching) • Need modulus switching to get reasonably small noise growth • Can we do without modulus switching? • Can we avoid ciphertext expansion? • Can we achieve both at the same time? Avoiding Modulus Switching Message 𝑚 ∈ 0,1 𝑠 ← χ secret key Regev (2005) encryption: Sample 𝑎 ← 𝑅𝑞 uniform, 𝑒 ← χ error or noise 𝑏= 𝑞 2 𝑚 + 𝑎 ∙ 𝑠 + 𝑒 mod 𝑞, ciphertext c = a, b 𝑏−𝑎∙𝑠 = 𝑞 2 𝑚 + 𝑒, decrypt: decrypts correctly if 𝑒 < 𝑞 . 4 2 (𝑏 q − 𝑎 ∙ 𝑠) (q/2)m e q Scale-invariant Multiplication Multiplication (Regev’05): 𝑞 2 𝑞 2 𝑏1 − 𝑎1 ∙ 𝑠 𝑏2 − 𝑎2 ∙ 𝑠 = ( 𝑚1 + 𝑒1 ) ( 𝑚2 + 𝑒2 ) 𝑞2 𝑞 = 𝑚1 𝑚2 + (𝑚1 𝑒2 + 𝑚2 𝑒1 ) + 𝑒1 𝑒2 2 2 𝑞 −1 𝑞 • 𝑏1 − 𝑎1 ∙ 𝑠 𝑏2 − 𝑎2 ∙ 𝑠 = 𝑚1 𝑚2 2 2 𝑞 −1 + 𝑚1 𝑒2 + 𝑚2 𝑒1 + 𝑒1 𝑒2 2 • New noise term is of size 𝐶 ∙ 𝐵, after 𝐿 levels 𝐶 𝐿 ∙ 𝐵 𝐶 independent of 𝐵 • Keeping Ciphertexts at One Element Message 𝑚 ∈ 0,1 (asymmetric scheme) 2𝑔 ′ Sample 𝑓 , 𝑔 ← χkey , 𝑓 = 1 + 2𝑓′ secret key, public key ℎ = 𝑓 NTRU-like encryption (Stehlé, Steinfeld 2011): Encryption: Sample s, 𝑒 ← χerr Decryption: 𝑞 c= 𝑚 + ℎ ∙ 𝑠 + 𝑒 mod 𝑞 2 2 𝑚 = 𝑓 ∙ 𝑐 mod 2, since q 𝑞 𝑓∙𝑐 = 𝑚 + 𝑣, 2 𝑞 decrypts correctly if 𝑣 < . 2 New Leveled Homomorphic Scheme What we have been doing over the summer • • • • • No modulus switching: only one modulus Ciphertexts have only one element (half the size of BGV) No ciphertext expansion after homomorphic multiplication Still secure under RLWE (good security properties) Parameters comparable to BGV Parameters • Correctness via noise bounds • Security via estimating runtime of attack on scheme in time 280 • 𝑅 = 𝑍 𝑋 /ϕ𝑑 𝑋 , 𝑡 = 2, 𝑛 = φ(𝑑) of the polynomial ϕ𝑑 𝑋 Thank you! Questions?