Homomorphic Encryption from RLWE: Schemes and Parameters
Joppe W. Bos
Microsoft Research
Contains joint work with Kristin Lauter, Jake Loftus and Michael Naehrig
Computing on Encrypted Data
Motivation
Outsource data and computation
to an external computing service.
Applications
• Spam filter for encrypted mail
• Searching on encrypted data
• Building block in crypto protocols
Homomorphic Encryption
RSA ─ multiplicatively homomorphic
• $c_1 = m_1^e \bmod n$, $c_2 = m_2^e \bmod n$
• $c_1 \cdot c_2 = m_1^e \cdot m_2^e = (m_1 \cdot m_2)^e \bmod n$
• Multiplying $c_1, c_2$ gives an encryption of $m_1 \cdot m_2$
Benaloh ─ additively homomorphic
• $c_1 = g^{m_1} u_1^r \bmod n$, $c_2 = g^{m_2} u_2^r \bmod n$
• $c_1 \cdot c_2 = g^{m_1 + m_2} (u_1 u_2)^r \bmod n$
• Multiplying $c_1, c_2$ gives an encryption of $m_1 + m_2$
Fully Homomorphic Encryption (FHE)
Enables unlimited computation on encrypted data
Need scheme with unlimited add and mult capability
• Idea: Rivest, Adleman, Dertouzos (1978)
• Boneh-Goh-Nissim (2005): unlimited add + 1 mult
• Breakthrough: Gentry (2009) showed such schemes exist
• A lot of progress since then
• Gentry, Halevi, Smart (2012): homomorphic evaluation of AES, 5 minutes per block (16 bytes)
Ring Learning With Errors (RLWE)
(Lyubashevsky, Peikert, Regev 2010)
Ring $(R, +, \cdot)$, modulus $q$, $R_q = R/qR$,
probability distribution $\chi$ on $R$ (for sampling small elements)
Problem: distinguish between two distributions
1. Uniform distribution $(a, b) \in R_q^2$
2. The distribution that, for a fixed $s \leftarrow \chi$, samples $a \leftarrow R_q$ uniformly, error $e \leftarrow \chi$, and outputs $(a, a \cdot s + e)$
Assumption: The RLWE problem is hard, i.e. $(a, a \cdot s + e) \approx (a, b)$ looks random
(Symmetric) Encryption from RLWE
Message $m \in \{0,1\}$
$s \leftarrow \chi$ secret key
BV (Brakerski, Vaikuntanathan 2010) encryption:
Sample $a \leftarrow R_q$ uniform, $e \leftarrow \chi$ error/noise
$b = m + a \cdot s + 2e \bmod q$, ciphertext $c = (a, b)$
decrypt: $(b - a \cdot s) \bmod 2 = (m + 2e) \bmod 2 = m$
decrypts correctly if $e < q/2$
[Figure: number line of length $q$ showing the decryption value $m + 2e$, which must not wrap around modulo $q$]
Homomorphic Properties
$c_1 = (a_1,\ m_1 + a_1 \cdot s + 2e_1)$, $c_2 = (a_2,\ m_2 + a_2 \cdot s + 2e_2)$
Addition:
$c_1 + c_2 = (a_1 + a_2,\ m_1 + m_2 + (a_1 + a_2) \cdot s + 2(e_1 + e_2))$
Multiplication (BV):
$(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = (m_1 + 2e_1)(m_2 + 2e_2) = m_1 m_2 + 2(m_1 e_2 + m_2 e_1 + 2 e_1 e_2)$
$(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = b_1 b_2 - (b_1 a_2 + b_2 a_1)\, s + a_1 a_2\, s^2$
New ciphertext: $(a_1 a_2,\ b_1 a_2 + b_2 a_1,\ b_1 b_2)$ now 3 elements!
Noise Growth
• Initial noise: $B$
• Addition: noise terms add up, $B \to 2B$
• Multiplication: noise terms are multiplied, $B \to B^2$
• $B \to B^2,\ B^2 \to B^4,\ \ldots,\ B^{2^{L-1}} \to B^{2^L}$ ($L$ levels of mult)
[Figure: multiplication tree $m_1 \cdot m_2$, $m_3 \cdot m_4$, then $(m_1 m_2)(m_3 m_4)$; the noise after each level is $B$, $B^2$, $B^4$, and correctness needs $q/B > 2$, $q/B^2 > 2$, $q/B^4 > 2$ at the successive levels]
Exponential Improvement
Brakerski, Gentry, Vaikuntanathan (BGV, 2010)
Modulus Switching: Switch to a smaller modulus after each mult
• Need a chain of moduli $q = q_0$, $q_i \approx q_{i-1}/B$
• $B^2 \to B^3 \to B^4, \ldots, \to B^L$ ($L$ levels of mult)
• Leveled fully-homomorphic encryption
[Figure: the same multiplication tree with the modulus chain $q_0, q_1, q_2$; after switching, the condition at each level is $q_0/B > 2$, $q_1/B > 2$, $q_2/B > 2$]
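A worked comparison of the two noise budgets, added here as an illustration (it is not part of the slides), using the slides' $B$, $q$ and $L$ and the simplifying assumption that each level only multiplies the noise bound:

$$
\text{no switching:}\quad q > 2\,B^{2^L} \iff \log_2 q > 1 + 2^L \log_2 B
$$
$$
\text{modulus switching:}\quad q_L \approx q_0 / B^{L},\ \ q_L / B > 2 \iff q_0 > 2\,B^{L+1} \iff \log_2 q_0 > 1 + (L+1)\log_2 B
$$

For $B = 2^{10}$ and $L = 10$ the first bound needs $\log_2 q > 10241$ while the second needs $\log_2 q_0 > 111$: the required modulus size drops from exponential in $L$ to linear in $L$, which is the improvement the slide title refers to.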
Annoying Things in BGV
• Ciphertexts expand upon multiplication: need a complicated relinearization step (key switching)
• Need modulus switching to get reasonably small noise growth
• Can we do without modulus switching?
• Can we avoid ciphertext expansion?
• Can we achieve both at the same time?
Avoiding Modulus Switching
Message $m \in \{0,1\}$
$s \leftarrow \chi$ secret key
Regev (2005) encryption:
Sample $a \leftarrow R_q$ uniform, $e \leftarrow \chi$ error or noise
$b = \tfrac{q}{2} m + a \cdot s + e \bmod q$, ciphertext $c = (a, b)$
decrypt: $b - a \cdot s = \tfrac{q}{2} m + e$, so $m = \lfloor \tfrac{2}{q}(b - a \cdot s) \rceil \bmod 2$
decrypts correctly if $e < q/4$.
[Figure: number line of length $q$ with the decryption value $\tfrac{q}{2} m + e$; rounding $\tfrac{2}{q}(b - a \cdot s)$ recovers $m$]
Scale-invariant Multiplication
Multiplication (Regev'05):
$(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = (\tfrac{q}{2} m_1 + e_1)(\tfrac{q}{2} m_2 + e_2) = \tfrac{q^2}{4} m_1 m_2 + \tfrac{q}{2}(m_1 e_2 + m_2 e_1) + e_1 e_2$
• $2q^{-1}(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = \tfrac{q}{2} m_1 m_2 + m_1 e_2 + m_2 e_1 + 2q^{-1} e_1 e_2$
• New noise term is of size $C \cdot B$, after $L$ levels $C^L \cdot B$
• $C$ independent of $B$
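The BV addition and 3-element multiplication from the Homomorphic Properties slide, and the scale-invariant product from this slide, implemented side by side over a toy ring. This is an added example and is not code from the talk or from the authors' scheme. Assumptions: $R = \mathbb{Z}[X]/(X^8 + 1)$, $q = 2^{20}$, a ternary secret key and bounded-uniform errors standing in for $\chi$, and all function names are mine.

```python
import random

N, Q = 8, 2**20             # ring dimension and modulus: toy sizes (assumption)
rng = random.Random(2014)   # fixed seed so the run is reproducible

def centered(x, q=Q):       # representative of x mod q in (-q/2, q/2]
    x %= q
    return x - q if x > q // 2 else x

def add(p, r, q=Q): return [centered(x + y, q) for x, y in zip(p, r)]
def sub(p, r, q=Q): return [centered(x - y, q) for x, y in zip(p, r)]

def mul(p, r, q=Q):         # product in Z[X]/(X^N + 1); q=None: leave unreduced
    out = [0] * N
    for i, x in enumerate(p):
        for j, y in enumerate(r):
            if i + j < N:
                out[i + j] += x * y
            else:
                out[i + j - N] -= x * y     # X^N = -1
    return out if q is None else [centered(c, q) for c in out]

def small(bound=1): return [rng.randint(-bound, bound) for _ in range(N)]  # chi
def uniform(): return [rng.randrange(Q) for _ in range(N)]                 # a <- R_q

# ---- BV: b = m + a*s + 2e, ciphertext (a, b) --------------------------------
def bv_enc(s, m, bound=1):
    a = uniform()
    return a, add(add(m, mul(a, s)), [2 * x for x in small(bound)])

def bv_dec(s, c):           # (b - a*s mod q) mod 2 = (m + 2e) mod 2 = m
    a, b = c
    return [x % 2 for x in sub(b, mul(a, s))]

def bv_add(c1, c2): return add(c1[0], c2[0]), add(c1[1], c2[1])

def bv_mul(c1, c2):         # 3-element ciphertext (a1a2, b1a2 + b2a1, b1b2)
    (a1, b1), (a2, b2) = c1, c2
    return mul(a1, a2), add(mul(b1, a2), mul(b2, a1)), mul(b1, b2)

def bv_dec3(s, c):          # b1b2 - (b1a2+b2a1)s + a1a2 s^2 = (m1+2e1)(m2+2e2)
    c2, c1, c0 = c
    v = add(sub(c0, mul(c1, s)), mul(c2, mul(s, s)))
    return [x % 2 for x in v], max(abs(x) for x in v)   # (bits, noise size)

# ---- Regev encoding: b = (q/2) m + a*s + e, scale-invariant product ---------
def sc_enc(s, m, bound=1):
    a = uniform()
    return a, add(add([(Q // 2) * x for x in m], mul(a, s)), small(bound))

def sc_bits(v): return [1 if abs(x) > Q // 4 else 0 for x in v]  # nearer q/2 than 0?
def sc_err(v): return max(min(abs(x), Q // 2 - abs(x)) for x in v)

def sc_dec(s, c):
    a, b = c
    return sc_bits(sub(b, mul(a, s)))

def sc_round(p):            # round(2 * p / q) coefficient-wise, then reduce mod q
    return [centered((2 * x + Q // 2) // Q) for x in p]

def sc_mul(c1, c2):         # tensor over the integers, then scale by 2/q and round
    (a1, b1), (a2, b2) = c1, c2
    t0 = mul(b1, b2, None)
    t1 = [-(x + y) for x, y in zip(mul(b1, a2, None), mul(b2, a1, None))]
    t2 = mul(a1, a2, None)
    return sc_round(t0), sc_round(t1), sc_round(t2)

def sc_dec3(s, c):          # t0 + t1 s + t2 s^2 = (q/2) m1 m2 + noise
    t0, t1, t2 = c
    v = add(add(t0, mul(t1, s)), mul(t2, mul(s, s)))
    return sc_bits(v), sc_err(v)

def plain_mul(m1, m2): return [x % 2 for x in mul(m1, m2, None)]  # m1*m2 in R_2

def demo(bound=1):
    """Encrypt two constructed bit-vectors, multiply both ways, check decryption."""
    s = small()                                  # ternary secret key
    m1, m2 = [1, 0, 1, 1, 0, 0, 1, 0], [0, 1, 1, 0, 1, 0, 0, 1]
    bv1, bv2 = bv_enc(s, m1, bound), bv_enc(s, m2, bound)
    sc1, sc2 = sc_enc(s, m1, bound), sc_enc(s, m2, bound)
    bv_prod, bv_noise = bv_dec3(s, bv_mul(bv1, bv2))
    sc_prod, sc_noise = sc_dec3(s, sc_mul(sc1, sc2))
    return {
        "bv_fresh_ok": bv_dec(s, bv1) == m1,
        "bv_add_ok": bv_dec(s, bv_add(bv1, bv2)) == [(x + y) % 2 for x, y in zip(m1, m2)],
        "bv_mul_ok": bv_prod == plain_mul(m1, m2),
        "bv_mul_noise": bv_noise,
        "sc_fresh_ok": sc_dec(s, sc1) == m1,
        "sc_mul_ok": sc_prod == plain_mul(m1, m2),
        "sc_mul_noise": sc_noise,
    }

if __name__ == "__main__":
    for b in (1, 20):
        print("error bound", b, demo(b))
```

`demo(bound)` returns whether each decryption recovered the plaintext together with the noise left in the product ciphertext. Two things are visible that the equations alone do not show: both products still come back as three ring elements, so scale-invariance removes the modulus chain but not the ciphertext expansion (which is what the next slide addresses); and at this tiny ring dimension the absolute noise numbers do not yet separate $B^2$ from $C \cdot B$, only the mechanics do, so do not read the toy parameters as a size estimate.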
Keeping Ciphertexts at One Element
Message $m \in \{0,1\}$ (asymmetric scheme)
NTRU-like encryption (Stehlé, Steinfeld 2011):
Sample $f', g \leftarrow \chi_{\mathrm{key}}$, $f = 1 + 2f'$ secret key, public key $h = 2g/f$
Encryption: Sample $s, e \leftarrow \chi_{\mathrm{err}}$, $c = \tfrac{q}{2} m + h \cdot s + e \bmod q$
Decryption: $m = \lfloor \tfrac{2}{q}\, f \cdot c \rceil \bmod 2$, since $f \cdot c = \tfrac{q}{2} m + v$,
decrypts correctly if $v < q/2$.
New Leveled Homomorphic Scheme
What we have been doing over the summer
• No modulus switching: only one modulus
• Ciphertexts have only one element (half the size of BGV)
• No ciphertext expansion after homomorphic multiplication
• Still secure under RLWE (good security properties)
• Parameters comparable to BGV
Parameters
• Correctness via noise bounds
• Security via estimating runtime of attack on scheme in time $2^{80}$
• $R = \mathbb{Z}[X]/(\Phi_d(X))$, $t = 2$, $n = \varphi(d)$ the degree of the polynomial $\Phi_d(X)$
Thank you! Questions?