Fully Homomorphic Encryption

Jim Royer

CIS 428/628: Introduction to Cryptography

November 29, 2018

Jim Royer Fully Homomorphic Encryption 1 / 21

References

1. Gentry, C., A fully homomorphic encryption scheme, Ph.D. Thesis, Stanford University, 2009. http://crypto.stanford.edu/craig/craig-thesis.pdf
2. Gentry, C., Computing arbitrary functions of encrypted data, Communications of the ACM 53 (2010) 97–105. http://dl.acm.org/citation.cfm?id=1666444
3. Acar, A., Aksu, H., Uluagac, A. S., and Conti, M., A Survey on Homomorphic Encryption Schemes: Theory and Implementation, 2017. https://arxiv.org/abs/1704.03578
4. Armknecht, F., et al., A Guide to Fully Homomorphic Encryption, 2015. https://eprint.iacr.org/2015/1192.pdf


Craig Gentry’s Thesis

Craig Gentry’s 2009 Stanford Ph.D. thesis constructed the first fully homomorphic encryption (FHE) scheme. Under an FHE scheme:

1. You send a program f and encrypted data E(m) to a compute server.
2. The compute server returns E(f(m)) (without learning m or f(m)).
3. You decrypt E(f(m)) to obtain f(m).

For this work he won the ACM’s 2009 Doctoral Dissertation Award, received a Grace Murray Hopper award, ... His thesis gave cryptography a whole parcel of new ideas and tools to play with. If you know academic research, you’ll know what happened next.


Feeding Frenzy


Partial Homomorphic Encryption: RSA, 1

RSA Setup for User U

1. Picks two large primes $p_U$ and $q_U$.
2. Computes $n_U = p_U \cdot q_U$ and $\phi(n_U) = (p_U - 1) \cdot (q_U - 1)$.
3. Picks $e_U \in \{1, \ldots, \phi(n_U) - 1\}$ at random with $\gcd(e_U, \phi(n_U)) = 1$.
4. Computes $d_U \in \{1, \ldots, \phi(n_U) - 1\}$ with $d_U \cdot e_U \equiv 1 \pmod{\phi(n_U)}$.
5. Public: $e_U$ and $n_U$. Private: $d_U$, $p_U$, $q_U$, and $\phi(n_U)$.

Bob wants to send a message $m \in \{0, \ldots, n_A - 1\}$ to Alice.

Bob:
1. Computes $c = m^{e_A} \bmod n_A$.
2. Sends $c$ to Alice.

Alice:
1. Receives $c$.
2. Computes $m' = c^{d_A} \bmod n_A$.

Lemma: $m = m'$. Proof: Appeal to Euler’s Theorem (1736).


Partial Homomorphic Encryption: RSA, 2

Alice’s encryption/decryption functions: $E_A(m) = m^{e_A} \bmod n_A$ and $D_A(c) = c^{d_A} \bmod n_A$. Hence

$$D_A(E_A(m_1) \times E_A(m_2)) = D_A(m_1^{e_A} \times m_2^{e_A}) = D_A((m_1 \times m_2)^{e_A}) = D_A(E_A(m_1 \times m_2)) = m_1 \times m_2 \pmod{n_A}.$$


Partial Homomorphic Encryption, Other Operations

Paillier: $E(m) = g^m r^n \bmod n^2$ ($g \in \mathbb{Z}^*_{n^2}$ with $n \mid \mathrm{ord}(g)$)

$$D(E(m_1) \times E(m_2)) = D((g^{m_1} r_1^n) \times (g^{m_2} r_2^n)) = D(g^{(m_1 + m_2) \bmod n} (r_1 r_2)^n) = (m_1 + m_2) \bmod n$$

Goldwasser-Micali: $E(b) = r^2 a^b \bmod n$, $a$ is a pseudo-residue for $n$

$$D(E(b_1) \times E(b_2)) = D((r_1^2 a^{b_1}) \times (r_2^2 a^{b_2})) = D((r_1 r_2)^2 a^{b_1 + b_2}) = D((r_1 r_2)^2 a^{b_1 \oplus b_2}) = b_1 \oplus b_2$$

Why does $a^{b_1 + b_2}$ decrypt like $a^{b_1 \oplus b_2}$? See next slide ($a^2$ is a square, so multiplying by it does not change whether the ciphertext is a residue).

For a fuller list, see: http://en.wikipedia.org/wiki/Homomorphic_encryption#Partially_homomorphic_cryptosystems

Notes:
  • r, always an integer/string chosen randomly from some set

Brief Digression: Randomized Encryption, 1

$QR(m) = \{\, v^2 \bmod m : v \in \mathbb{Z}^*_m \,\}$ (quadratic residues)

Fact: $QR(pq) = \{\, u \in \mathbb{Z}^*_{pq} : (u \bmod p) \in QR(p)\ \&\ (u \bmod q) \in QR(q) \,\}$.

Fact: $\overline{QR}(pq) = \{\, u \in \mathbb{Z}^*_{pq} : (u \bmod p) \notin QR(p)\ \&\ (u \bmod q) \notin QR(q) \,\}$ (pseudo-residues; their Jacobi symbol is $+1$, so the Jacobi symbol alone cannot tell them from squares).

Fact: Knowing how to factor $pq$ $\equiv$ knowing how to find square roots mod $pq$.

Fact: $a \in \overline{QR}(pq)$ & $u \in QR(pq)$ $\Longrightarrow$ $(au \bmod pq) \in \overline{QR}(pq)$.

Goldwasser-Micali: Setup

  $p$ and $q$, distinct primes: private
  $n = p \cdot q$ and $a \in \overline{QR}(n)$: public
  $b \in P = \{0, 1\}$: plaintexts
  $r \in R = \mathbb{Z}^*_n$: randomizers
  $c \in C = \mathbb{Z}^*_n$: ciphertexts

Encrypting and Decrypting: $e_k(b, r) = a^b r^2 \pmod n$; $d_k(y) = 0$ if $y \in QR(n)$, and $1$ if $y \in \overline{QR}(n)$.


Brief Digression: Randomized Encryption, 2

The distinguishability game for cryptosystem S and security parameter $\lambda$:

1. The house, H, generates a key pair $(K_{pub}, K_{priv})$ based on $\lambda$.
2. The opponent, O, picks two messages $m_0$ and $m_1$.
3. H picks $b \in \{0, 1\}$ at random and sends $c = E(K_{pub}, m_b)$ to the opponent.
4. O tries to guess if $c = E(K_{pub}, m_0)$ or $c = E(K_{pub}, m_1)$.

O is $\epsilon$-successful if O’s fraction of wins is $> \frac{1}{2} + \epsilon$.

Computational indistinguishability ($\equiv$ semantic security): for each (i) probabilistic polytime opponent O and each (ii) negligible function $\epsilon(\lambda)$, O fails to be $\epsilon(\lambda)$-successful against S for sufficiently large $\lambda$.

Fact: If the QR problem (telling $QR(n)$ from $\overline{QR}(n)$ without the factorization of $n$) is “hard”, then GM is computationally indistinguishable.
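The three partially homomorphic operations from slides 5 to 7 (RSA multiplication, Paillier addition, Goldwasser-Micali XOR) and the distinguishability game on this slide, worked in Python. This is an added example, not code from the lecture: the toy primes 1009 and 1013, the function names, and the opponent strategy `guess_by_reencrypting` are my own choices, and the Paillier generator g = n + 1 is the usual simplification rather than a general g.

```python
"""Toy versions of the slides' three partially homomorphic schemes
(RSA: multiply, Paillier: add, Goldwasser-Micali: XOR one bit) plus the
distinguishability game, which deterministic RSA loses and randomized GM
does not.  Constructed illustration, not the lecture's code.  The primes
are tiny so the numbers stay readable; real deployments need >= 1024-bit
primes and a CSPRNG (secrets / os.urandom) for the randomizer r."""
import random
from math import gcd

P, Q = 1009, 1013          # constructed toy primes (assumption: far too small)

def random_unit(n):
    """Randomizer r drawn from Z_n^* (the set R on the GM slide)."""
    while True:
        r = random.randrange(1, n)
        if gcd(r, n) == 1:
            return r

# RSA: E(m) = m^e mod n, so E(m1) * E(m2) = E(m1 * m2) ---------------------
def rsa_keygen(p=P, q=Q, e=65537):
    phi = (p - 1) * (q - 1)
    assert gcd(e, phi) == 1
    return (e, p * q), (pow(e, -1, phi), p * q)      # (public, private)

def rsa_encrypt(pub, m):
    e, n = pub
    return pow(m, e, n)            # textbook RSA, no padding: deterministic

def rsa_decrypt(priv, c):
    d, n = priv
    return pow(c, d, n)

# Paillier: E(m) = g^m r^n mod n^2, so E(m1) * E(m2) = E(m1 + m2 mod n) ---
def paillier_keygen(p=P, q=Q):
    n = p * q
    g = n + 1                                       # ord(g) = n, so n | ord(g)
    lam = (p - 1) * (q - 1) // gcd(p - 1, q - 1)    # lcm(p - 1, q - 1)
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (n, lam, mu)

def paillier_encrypt(pub, m):
    n, g = pub
    return pow(g, m, n * n) * pow(random_unit(n), n, n * n) % (n * n)

def paillier_decrypt(priv, c):
    n, lam, mu = priv
    return (pow(c, lam, n * n) - 1) // n * mu % n

# Goldwasser-Micali: E(b) = a^b r^2 mod n, so E(b1) * E(b2) = E(b1 xor b2) -
def is_qr_mod_prime(u, p):
    """Euler's criterion: u is a square mod odd prime p iff u^((p-1)/2) = 1."""
    return pow(u, (p - 1) // 2, p) == 1

def gm_keygen(p=P, q=Q):
    """a is a pseudo-residue (non-square mod p and mod q), so a^b r^2 is a
    square mod n exactly when b = 0; deciding that needs p (the QR problem)."""
    n = p * q
    a = next(x for x in range(2, n) if gcd(x, n) == 1
             and not is_qr_mod_prime(x, p) and not is_qr_mod_prime(x, q))
    return (n, a), (p, q)

def gm_encrypt(pub, b):
    n, a = pub
    return pow(a, b, n) * pow(random_unit(n), 2, n) % n

def gm_decrypt(priv, c):
    p, _ = priv
    return 0 if is_qr_mod_prime(c % p, p) else 1

def homomorphic_results(m1=12345, m2=6789, b1=1, b2=1):
    """Combine ciphertexts only, decrypt once: (m1*m2 mod n, m1+m2 mod n, b1^b2)."""
    rpub, rpriv = rsa_keygen()
    ppub, ppriv = paillier_keygen()
    gpub, gpriv = gm_keygen()
    prod = rsa_decrypt(rpriv, rsa_encrypt(rpub, m1) * rsa_encrypt(rpub, m2) % rpub[1])
    total = paillier_decrypt(
        ppriv, paillier_encrypt(ppub, m1) * paillier_encrypt(ppub, m2) % ppub[0] ** 2)
    xor = gm_decrypt(gpriv, gm_encrypt(gpub, b1) * gm_encrypt(gpub, b2) % gpub[0])
    return prod, total, xor

# The distinguishability game of the 'Randomized Encryption, 2' slide ------
def guess_by_reencrypting(pub, encrypt, m0, m1, c):
    """Opponent: encrypt m0 yourself and compare with the challenge.  Wins
    every round against a deterministic E; against a randomized E the fresh
    r almost never matches, so this degenerates to a coin flip."""
    return 0 if encrypt(pub, m0) == c else 1

def play_game(pub, encrypt, m0, m1, rounds=400):
    """House picks b at random and sends E(m_b); return the opponent's win rate."""
    wins = 0
    for _ in range(rounds):
        b = random.randrange(2)
        c = encrypt(pub, (m0, m1)[b])
        wins += guess_by_reencrypting(pub, encrypt, m0, m1, c) == b
    return wins / rounds

if __name__ == "__main__":
    print(homomorphic_results())                           # (1018728, 19134, 0)
    print(play_game(rsa_keygen()[0], rsa_encrypt, 3, 7))   # 1.0
    print(play_game(gm_keygen()[0], gm_encrypt, 0, 1))     # about 0.5
```

Run as a script it prints the three decrypted results, then the opponent’s win rate against textbook RSA (1.0, because anyone holding the public key can re-encrypt $m_0$ and compare) and against GM (about 0.5). That is the whole point of the randomizer r: a deterministic public-key scheme can never win the game on this slide, whatever the hardness of its underlying problem.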


Aside: $\epsilon(\lambda)$ being a negligible function means

$$(\forall k)(\exists \lambda_k)(\forall \lambda \ge \lambda_k)\ \ |\epsilon(\lambda)| < \frac{1}{\lambda^k},$$

i.e., $\epsilon(\lambda) \in o\big((1/\lambda)^{O(1)}\big)$: it is eventually smaller than every inverse polynomial.


Homomorphic Encryption

A Standard Cryptosystem S (symmetric or asymmetric): For a given security parameter λ, we have algorithms K(...) for key generation, E(...) for encryption, and D(...) for decryption. These need to run in time poly(λ).

A Homomorphic Cryptosystem S (symmetric or asymmetric): For a given security parameter λ, we have algorithms K, E, D, and Eval(key, f, c_1, ..., c_n), where

  f is a program;
  each c_i = E(key, m_i) for some m_i;
  c = Eval(key, f, c_1, ..., c_n) is of size ≤ the size of the c_i’s (compactness);
  D(key′, c) = f(m_1, ..., m_n);
  Eval is “efficient” (details forthcoming).

Notes:
  • The compactness requirement avoids cheating by moving the computation off to D.
  • If f’s output is a k-tuple (c′_1, ..., c′_k), then each c′_i is of size ≤ the sizes of the c_j’s.

D(key′, Eval(key, f, c_1, ..., c_n)) = f(m_1, ..., m_n)

The program f is a boolean or arithmetic circuit. Why a circuit? It breaks the computation into simple steps.

Eval is “efficient”, i.e., time ≤ (the size of the circuit f) × poly(λ). Eval cannot be very efficient in other regards.

Example: Answering “Is x in table T?” by binary search. What is the input? x and T. Binary search runs in O((size of x) × log_2(size of T)) time ... but not when Eval runs it!! Semantic security dictates that Eval’s output must be sensitive to all the input bits (if Eval skipped some entries of T, which ones it touched would leak information about x).

∴ O((size of x) × (size of T)) run time at best.

Now promote T to a big fat database.

Notes:
  • “Binary search” is a bit of a red herring ...
  • Since your program is a circuit, it can be very parallel.
  • So there are other reasonable techniques to use for a search.

A Somewhat Homomorphic Scheme, 1

A symmetric version. (Don’t worry, there is a picture on the next slide.)

For security parameter $\lambda$:

  $K(\lambda) = p$, a random $\lambda^2$-bit odd integer $> 0$.
  $E(p, b) = p \cdot q + (2r + b)$, a near multiple of $p$, where $q$ is a random $\lambda^5$-bit number, $r$ is a random $(\lambda - 1)$-bit number, and $b \in \{0, 1\}$ is the secret bit.
  $D(p, c) = (c \bmod' p) \bmod 2$, where $-\frac{p}{2} < (c \bmod' p) < \frac{p}{2}$ and $c - (c \bmod' p) = p \cdot u$ for some integer $u$.
  $\mathrm{Eval}(p, f, c_1, \ldots, c_n) = f^\ddagger(c_1, \ldots, c_n)$, where $f$ is a boolean circuit using XOR and AND gates and $f^\ddagger = f[\mathrm{XOR} \to +,\ \mathrm{AND} \to *]$ is a polynomial over $c_1, \ldots, c_n$.

A Somewhat Homomorphic Scheme, 2

[Figure: a number line with consecutive multiples of p, labelled kpq and (k + 1)pq on the slide; the ciphertext sits at kpq + noise, with noise = 2r + b]

Ciphertexts are near multiples of p. The displacements from the multiples of p are noise. The parity of the noise carries the secret bit. + (for XOR) and ∗ (for AND) produce the right parities in results. Eventually the noise becomes NOISE (it exceeds p/2, so mod′ p no longer recovers it) and D fails. The collection of functions we can correctly compute is fair sized.

THE APPROXIMATE GCD PROBLEM. Given: a large sample of near multiples of p. Infer: p. (Appears hard.)

How to go from “somewhat” to “fully”?

Notes:
  • There is an asymmetric version that is a little more complex.
  • What f can it handle? Require: for all $a_1, \ldots, a_n$ of $\lambda$ bits or less, $|f^\ddagger(a_1, \ldots, a_n)| < p/2$.
  • How hard is the APPROXIMATE GCD PROBLEM? All known attacks for arbitrary sized samples satisfying our parameters ($\lambda$, $\lambda^2$, $\lambda^5$) take exponential time.

Somewhat → Fully

Idea 1: Cut down the NOISE in the noise by hand.

[Figure: encrypted computation → D → E → encrypted computation; the key holder decrypts the noisy ciphertext, re-encrypts the result fresh, and the encrypted computation continues]

Idea 2: Have Eval do this trick internally.

Bootstrapping. Circular security.
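The near-multiples scheme of slides 13 and 14, the by-hand recryption of Idea 1 above, and the slide-12 point that Eval has to touch every input, worked in Python as an added example (not the lecture’s code). `LAMBDA = 6`, the `lam = 8` used for the membership demo, the fixed-r option in `encrypt`, and all function names are my own; the parameter shapes (λ²-bit p, λ⁵-bit q, (λ − 1)-bit r) are the slide’s.

```python
"""Toy version of the 'near multiples of p' somewhat-homomorphic scheme:
K = p (odd), E(p, b) = p*q + 2r + b, D(p, c) = (c mod' p) mod 2, and
Eval = run the circuit with XOR -> + and AND -> *.  Constructed
illustration, not the lecture's code.  Parameter shapes follow the slide
(lambda^2-bit p, lambda^5-bit q, (lambda-1)-bit r) with a tiny lambda so
the noise blows up after a few ANDs; a real instantiation needs a lambda
large enough to defeat approximate-GCD attacks."""
import random

LAMBDA = 6                 # assumption: toy security parameter

def keygen(lam=LAMBDA):
    """Random odd integer with exactly lam**2 bits."""
    bits = lam * lam
    return (1 << (bits - 1)) | random.getrandbits(bits - 1) | 1

def encrypt(p, b, lam=LAMBDA, r=None):
    """c = p*q + (2r + b).  r may be fixed for deterministic demonstrations."""
    q = random.getrandbits(lam ** 5)
    if r is None:
        r = random.getrandbits(lam - 1)
    return p * q + 2 * r + b

def centered_mod(c, p):
    """c mod' p: the representative of c mod p lying in (-p/2, p/2)."""
    m = c % p
    return m - p if m > p // 2 else m

def decrypt(p, c):
    return centered_mod(c, p) % 2          # parity of the noise

def noise(p, c):
    """|c - p*round(c/p)|.  D is guaranteed correct only while this is < p/2."""
    return abs(centered_mod(c, p))

def eval_xor(c1, c2):
    return c1 + c2

def eval_and(c1, c2):
    return c1 * c2

def eval_not(c):
    return c + 1   # NOT b = b XOR 1, and the integer 1 encrypts 1 with no noise

def and_depth_until_failure(p, lam=LAMBDA, r=None, max_depth=64):
    """AND fresh encryptions of 1 together while tracking the true noise
    prod(2 r_i + 1).  Return the number of ANDs after which it reaches p/2,
    the point from which D(p, .) is no longer reliable (None if never)."""
    acc, e = None, 1
    for k in range(max_depth + 1):
        ri = random.getrandbits(lam - 1) if r is None else r
        c = encrypt(p, 1, lam, r=ri)
        acc = c if acc is None else eval_and(acc, c)
        e *= 2 * ri + 1
        if 2 * e >= p:
            return k
    return None

def recrypt(p, c):
    """Idea 1 on the 'Somewhat -> Fully' slide: the key holder decrypts and
    re-encrypts, which resets the noise to that of a fresh ciphertext."""
    return encrypt(p, decrypt(p, c))

def encrypted_membership(x_bits, table_bits):
    """[x in T] on encrypted bits: eq_i = AND_j NOT(x_j XOR t_ij), and
    x in T <=> NOT AND_i NOT eq_i.  Every ciphertext of T enters the
    polynomial; Eval cannot skip rows the way a binary search would."""
    all_miss = 1                            # encrypts 1 with no noise
    for row in table_bits:
        eq = 1
        for xj, tj in zip(x_bits, row):
            eq = eval_and(eq, eval_not(eval_xor(xj, tj)))
        all_miss = eval_and(all_miss, eval_not(eq))
    return eval_not(all_miss)

def membership_demo(x, table, width=2, lam=8):
    """Encrypt x and each table entry bit by bit, evaluate, decrypt.  lam=8
    gives a 64-bit p, enough for the degree-(width*len(table)) noise here."""
    p = keygen(lam)
    enc = lambda v: [encrypt(p, (v >> j) & 1, lam) for j in range(width)]
    return decrypt(p, encrypted_membership(enc(x), [enc(t) for t in table]))

if __name__ == "__main__":
    p = keygen()
    print(and_depth_until_failure(p))                # a handful of ANDs
    print(membership_demo(2, [1, 2, 3]), membership_demo(0, [1, 2, 3]))   # 1 0
```

`and_depth_until_failure` counts how many ANDs of fresh ciphertexts fit under the p/2 bound before D stops being reliable; with a 36-bit p and per-ciphertext noise below 2⁶ that is about five, which is the “somewhat” in somewhat homomorphic. `recrypt` is Idea 1 made concrete: one decrypt-and-re-encrypt by the key holder brings the noise back under 2^λ. `encrypted_membership` shows the cost slide 12 warns about: the polynomial multiplies in every row of T, so its degree and its noise grow with the size of T regardless of x, and for a large table the only way to keep decrypting is to recrypt along the way.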


Bootstrapping

Suppose a particular “somewhat” scheme can handle its own decryption function (and a bit more). E.g., $D_{add}(K_{priv}, c_1, c_2) = D(K_{priv}, c_1) \oplus D(K_{priv}, c_2)$.

Let $c = \mathrm{Eval}(K^2_{pub}, D_{add}, \overline{K^1_{priv}}, \overline{c_1}, \overline{c_2})$, where

  $\overline{K^1_{priv}}$ is the sequence of $K^2_{pub}$-encryptions of the bits of $K^1_{priv}$, and
  $\overline{c_i}$ is the sequence of $K^2_{pub}$-encryptions of the bits of $c_i$, $i = 1, 2$ (each $c_i$ a $K^1_{pub}$-encryption of $m_i$).

Then $D(K^2_{priv}, c) = m_1 \oplus m_2$.

∴ We need a public-private key pair for each level of the circuit we want to compute.


Circular Security

The Circular Security Assumption: It is “safe” to reveal the encryption of a secret key $K_{priv}$ under its own associated public key $K_{pub}$. Under this assumption, one public-private key pair suffices. Under existing systems, there are no known attacks on this assumption. However,

...it is typically difficult to prove that an encryption scheme is circular-secure. — Craig Gentry


Can We Bootstrap The “Near Multiples” System?

Answer 1: Not clear.

Recall $D(K_{priv}, c) = (c \bmod' p) \bmod 2 = \mathrm{Parity}(c) \oplus \mathrm{Parity}(\lfloor c/p \rceil)$ (by a little math), where $\lfloor c/p \rceil$ is $c/p$ rounded to the nearest integer and $c \bmod' p = c - p \cdot \lfloor c/p \rceil$. The hard part is $\lfloor c/p \rceil$: a division of two large numbers is not a low-degree polynomial in their bits, so it is not something the “somewhat” scheme can evaluate.

Notes:
  • Since p is odd, let $p = 2p' + 1$. Then
    $(c \bmod' p) \bmod 2 = (c - p \cdot \lfloor c/p \rceil) \bmod 2 = (c - (2p' + 1)\lfloor c/p \rceil) \bmod 2 = (c - 1 \cdot \lfloor c/p \rceil) \bmod 2 = \mathrm{Parity}(c) \oplus \mathrm{Parity}(\lfloor c/p \rceil)$.

Can We Bootstrap The “Near Multiples” System?

Answer 2: Yes, provided we modify the scheme a little.

Idea: Add a hint about p to the key. This hint permits a low-degree polynomial approximation to $p^{-1}$ (and so to $\lfloor c/p \rceil \bmod 2$) which the “near multiple” scheme can handle. The hint is weak enough to preserve semantic security (under a stronger, but reasonable, hardness assumption). For details (which are not too bad) see Gentry’s CACM paper [2].


Prospects for Fully Homomorphic Encryption, 1

First recall: Practicality?

One estimate is that Gentry’s 2009 system gives you a 1,000,000,000,000× slow-down. The near multiple system is likely worse. Runtimes have gotten better, but these systems are still very slow.

Security properties ...


Prospects for Fully Homomorphic Encryption, 2

Trusting the pieces of the system. Trusting the entire system. Trusting circular security. Trusting implementations. So, lots of work for cryptographers.