Fully Homomorphic Encryption
Zvika Brakerski, Weizmann Institute of Science
Technion CRYPTODAY, December 2015

What Are You Searching For?
We know: medical information, navigation, email, business information, other personal information …
Want privacy!

Outsourcing Computation
x → f → f(x)
• search query → Google web index → search results
• location, destination → routing → navigation route
• medical records → medical analysis → diagnosis
What if x is private?

How to Keep Private From the Cloud
“We promise we won't look at your data. Honest!”
We want real protection.

Fully Homomorphic Encryption (FHE)
Outsourcing Computation – Privately
• Enc(x): bit-by-bit randomized encryption. Learns nothing about x.
• y = Eval(f, Enc(x))
• Dec(y) = f(x)
Fully Homomorphic = Homomorphism for any efficient f
WANTED: Homomorphic Evaluation function Eval: (f, Enc(x)) → Enc(f(x))
Computational model: f given as circuit.
Goal: Eval for universal set of gates (NAND(x,y) = 1 − xy)

Some Applications
In the cloud:
• Private outsourcing of computation.
• Near-optimal private outsourcing of storage (single-server PIR). [G09,BV11b]
• Verifiable outsourcing (delegation). [GGP11,CKV11,KRR13,KRR15]
• Private machine learning in the cloud. [GLN12,HW13]
Secure multiparty computation:
• Low-communication multiparty computation. [AJLTVW12,LTV12]
• More efficient MPC. [BDOZ11,DPSZ12,DKLPSS12]
Primitives:
• Succinct argument systems. [GLR11,DFH11,BCCT11,BC12,BCCT12,BCGT13,…]
• General functional encryption. [GKPVZ12]
• Indistinguishability obfuscation for all circuits. [GGHRSW13]

Making Crypto History
30 years of hardly scratching the surface:
• Only-addition [RSA78, R79, GM82, G84, P99, R05].
• Addition + 1 multiplication [BGN05, GHV10].
• Other variants [SYY99, IP07, MGH10].
… is it even possible?

FHE Challenges
Understanding.
Security.
• Cryptographic assumptions.
• Security notions.
Efficiency.
• Size of keys/ciphertexts.
• Time overhead for Eval.
• Computational model.

Constructing (Somewhat) Homomorphic Encryption
Basic Idea: Find scheme s.t. c ≈ m + 2e
• c: ciphertext; m: message; 2e: small (even) noise
• ≈: secret algebraic equivalence, e.g. (mod p) for secret p
Add/multiply ciphertexts → Add/multiply messages
Security?
Noise grows with homomorphic evaluation – must not grow “too much”!
In the example above: |e_mult| ≈ e_in²

Noise in Homomorphic Evaluation
Noise grows during homomorphic evaluation.
Depth d, from input noise e_in to output noise e_out:
• |e_in| ≤ E
• e_{i+1} ≤ e_i²
• …
• |e_out| ≤ E^(2^d)

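The scheme sketched on the last two slides, as an added Python example that is not from the talk: a toy symmetric scheme over the integers with c = p·q + 2e + m, so c ≡ m + 2e (mod p), used to watch the noise roughly square at each NAND level until decryption breaks. The key, multiplier and noise sizes and all function names are assumptions chosen for illustration and give no security.

```python
import secrets

# Constructed toy parameters (assumptions, far too small to be secure).
P_BITS, Q_BITS, E_BITS = 256, 64, 8

def keygen():
    """Secret key: a random odd P_BITS-bit integer p."""
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1

def encrypt(p, m):
    """Hide bit m under even noise 2e, then under a random multiple of p."""
    # Top bit of e is forced so the fresh noise size is predictable.
    e = secrets.randbits(E_BITS) | (1 << (E_BITS - 1))
    return p * secrets.randbits(Q_BITS) + 2 * e + m

def noise(p, c):
    """Centered residue of c mod p; equals the true noise while it stays below p/2."""
    r = c % p
    return r - p if r > p // 2 else r

def decrypt(p, c):
    """The message bit is the parity of the noise term."""
    return noise(p, c) % 2

def nand_tree(values):
    """Balanced tree of NAND(x, y) = 1 - x*y; same code for plaintext bits and ciphertexts."""
    while len(values) > 1:
        values = [1 - a * b for a, b in zip(values[0::2], values[1::2])]
    return values[0]

def run(depth, p=None):
    """Evaluate a NAND tree of the given depth on encrypted random bits.
    Returns (decryption matches plaintext result, bit length of residue noise)."""
    p = p or keygen()
    bits = [secrets.randbits(1) for _ in range(2 ** depth)]
    c_out = nand_tree([encrypt(p, b) for b in bits])
    return decrypt(p, c_out) == nand_tree(bits), abs(noise(p, c_out)).bit_length()

if __name__ == "__main__":
    for d in range(1, 7):
        results = [run(d) for _ in range(32)]
        correct = sum(ok for ok, _ in results)
        print(f"depth {d}: {correct}/32 correct, residue noise {results[0][1]} bits (p has {P_BITS})")
```

With these sizes the noise bit length doubles per level (about 16, 32, 64, 128 bits), so depth 4 always decrypts correctly, while from depth 5 the noise passes p/2 and decryption is no longer reliable.
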
Some of the Progress Since 2009
• From ad-hoc assumption to worst-case lattice assumption [BV11b,BGV12,BV14].
  – As secure as any other encryption scheme.
• Noise is down to e_mult ≈ n ⋅ e_in [BGV12,B12,GSW13,BV14].
  – e_out ≤ n^d ⋅ E (instead of E^(2^d)).
  – ⇒ “Leveled” FHE.
• Using polynomial rings to improve efficiency [G09,SV10,BV11a,BGV12,GHS12a,GHS12b,GHS12c,GHPS13,AP13].
• “Batching” many messages in single ciphertext [SV10,BGV12,GHS12a,GHS12b,GHS12c,HS15].
• But still need “bootstrapping” to get full homomorphism …

Bootstrapping [G09]
Given scheme with bounded d_hom. How to extend its homomorphic capability?
Idea: Do a few operations, then “switch” to a new instance.
(pk_1, sk_1) → (pk_2, sk_2) → (pk_3, sk_3)
Switch keys: “cost” in homomorphism

How to Switch Keys
Decryption circuit: Dec_sk(⋅), output x
Dual view: Dec_(⋅)(c) ≡ h_c(⋅), output h_c(sk) = Dec_sk(c) = x
Given c, server can compute circuit for h_c.
aux = Enc_pk′(sk)
Apply h_c(⋅) homomorphically on sk!
Eval_pk′(h_c, aux) = Eval_pk′(h_c, Enc_pk′(sk)) = Enc_pk′(h_c(sk)) = Enc_pk′(Dec_sk(c)) = Enc_pk′(x)
hom. capacity of output: d_hom − d_{h_c} = d_hom − d_dec

Bootstrapping [G09]
Given scheme with bounded d_hom. How to extend its homomorphic capability?
Idea: Do a few operations, then “switch” to a new instance.
• (pk_1, sk_1) → (pk_2, sk_2): aux_{1→2} = Enc_{pk_2}(sk_1)
• (pk_2, sk_2) → (pk_3, sk_3): aux_{2→3} = Enc_{pk_3}(sk_2)
Switch keys: “cost” of d_dec hom. operations for switch. Secure?
Downside: Need to generate many keys …
⇒ Bootstrapping if d_hom ≥ d_dec + 1

Bootstrapping [G09]
Given scheme with bounded d_hom. How to extend its homomorphic capability?
Idea: Do a few operations, then “switch” to a new instance.
(pk, sk) → (pk, sk) → (pk, sk): switch from key to itself!
aux = Enc_pk(sk)
• Functionality of switching works.
• Circular security required.

(Some) Public Implementations of FHE
• HElib (IBM/NYU)
  – Ring-LWE (ideal-lattice) scheme of [BGV12], optimizations of [GHS12a]
  – https://github.com/shaih/HElib
• “Stanford FHE”
  – LWE scheme of [B12] with optimizations
  – http://cs.stanford.edu/~dwu4/fhe.html
• FHEW (UCSD)
  – Ring-LWE scheme of [DM14], built upon approximate eigenvector approach of [GSW13,BV14,AP14]
  – No batching but very fast bootstrapping
  – https://github.com/lducas/FHEW

So Where is That Homomorphic Google Search?
• Circuit model = huge overhead.
  – Inherent? Need to touch all elements to not leak.
• Bootstrapping is expensive.
  – No known alternative for deep computations.
• Memory requirements are huge (GBs).
  – Large ciphertexts, long keys.
  – Can “batch” to reduce overhead.

Thank You!