On Homomorphic Encryption and Secure Computation

Post on 24-Feb-2016


Shai Halevi, June 16, 2011

Computing on Encrypted Data

Wouldn’t it be nice to be able to…
o Encrypt my data in the cloud
o While still allowing the cloud to search/sort/edit/… this data on my behalf
o Keeping the data in the cloud in encrypted form
    Without needing to ship it back and forth to be decrypted

Computing on Encrypted Data

Wouldn’t it be nice to be able to…
o Encrypt my queries to the cloud
o While still allowing the cloud to process them
o Cloud returns encrypted answers that I can decrypt

Computing on Encrypted Data

Directions
• From: Tel-Aviv University, Tel-Aviv, Israel
• To: Technion, Haifa, Israel

[Illustration: ciphertext]

Computing on Encrypted Data

[Illustration: ciphertext]

Constructing Homomorphic Encryption

Privacy Homomorphisms [RAD78]

[Diagram: x1, x2 in plaintext space P map via ci ← Enc(xi) to c1, c2 in ciphertext space C; operation * on plaintexts gives y, operation # on ciphertexts gives d, and y ← Dec(d)]

Some examples:
o “Raw RSA”: c ← x^e mod N (x ← c^d mod N)
    x1^e × x2^e = (x1 × x2)^e mod N
o GM84: Enc(0) ∈_R QR, Enc(1) ∈_R QNR (in Z_N*)
    Enc(x1) × Enc(x2) = Enc(x1 ⊕ x2) mod N

More Privacy Homomorphisms

o Mult-mod-p [ElGamal’84]
o Add-mod-N [Paillier’98]
o Quadratic-polys mod p [BGN’06]
o Branching programs [IP’07]
o Later, a “different type of solution” for any circuit [Yao’82,…]
    Also NC1 circuits [SYY’00]

(×,+)-Homomorphic Encryption

It will be really nice to have…
o Plaintext space Z2 (w/ ops +,×)
o Ciphertexts live in an algebraic ring R (w/ ops +,×)
o Homomorphic for both + and ×
    Enc(x1) + Enc(x2) in R = Enc(x1 + x2 mod 2)
    Enc(x1) × Enc(x2) in R = Enc(x1 × x2 mod 2)
o Then we can compute any function on the encryptions
    Since every binary function is a polynomial
o We won’t get exactly this, but it’s a good motivation

Some Notations

o An encryption scheme: (KeyGen, Enc, Dec)
    Plaintext-space = {0,1}
    (pk, sk) ← KeyGen($), c ← Enc_pk(b), b ← Dec_sk(c)
o Semantic security [GM’84]: (pk, Enc_pk(0)) ≈ (pk, Enc_pk(1))
    ≈ means indistinguishable by efficient algorithms

Homomorphic Encryption

o H = {KeyGen, Enc, Dec, Eval}
    c* ← Eval_pk(f, c)
o Homomorphic: Dec_sk(Eval_pk(f, Enc_pk(x))) = f(x)
    c* may not look like a “fresh” ciphertext
    As long as it decrypts to f(x)
o Function-private: c* hides f
o Compact: Decrypting c* easier than computing f
    |c*| independent of the complexity of f

(×,+)-Homomorphic Encryption, the [Gentry09] blueprint

Evaluate any function in four “easy” steps

o Step 1: Encryption from linear ECCs
    Additive homomorphism
o Step 2: ECC lives inside a ring
    Also multiplicative homomorphism
    But only for a few operations (i.e., low-degree poly’s)
o Step 3: Bootstrapping
    Few ops (but not too few) → any number of ops
o Step 4: Everything else

Step One: Encryption from Linear ECCs

o For “random looking” codes, hard to distinguish close/far from code
o Many cryptosystems built on this hardness
    E.g., [McEliece’78, AD’97, GGH’97, R’03, …]

Encryption from linear ECCs

o KeyGen: choose a “random” code C
    Secret key: “good representation” of C
        Allows correction of “large” errors
    Public key: “bad representation” of C
o Enc(0): a word close to C
o Enc(1): a random word
    Far from C (with high probability)

An Example: Integers mod p (similar to [Regev’03])

o Code determined by an integer p
    Codewords: multiples of p
o Good representation: p itself
o Bad representation:
    N = pq, and also many many xi = p·qi + ri, with ri << p
o Enc(0): subset-sum(xi’s) + r mod N
o Enc(1): random integer mod N

A Different Input Encoding

o Both Enc(0), Enc(1) close to the code
    Enc(0): distance to code is even
    Enc(1): distance to code is odd
o In our example of integers mod p:
    Enc(b) = 2(subset-sum(xi’s) + r) + b mod N
    Dec(c) = (c mod p) mod 2

Additive Homomorphism

o c1 + c2 = (codeword1 + codeword2) + 2(r1+r2) + b1 + b2
    codeword1 + codeword2 ∈ Code
    If 2(r1+r2)+b1+b2 < min-dist/2, then it is the distance:
    dist(c1+c2, Code) = 2(r1+r2)+b1+b2
    dist(c1+c2, Code) mod 2 = b1+b2
o Additively-homomorphic while close to Code

Step 2: ECC Lives in a Ring R

o What happens when multiplying in R:
    c1 × c2 = (codeword1 + 2r1 + b1) × (codeword2 + 2r2 + b2)
            = codeword1 × X + Y × codeword2 + (2r1+b1)(2r2+b2)
o If:
    codeword1 × X + Y × codeword2 ∈ Code    (Code is an ideal)
    (2r1+b1)(2r2+b2) < min-dist/2           (Product in R of small elements is small)
o Then
    dist(c1c2, Code) = (2r1+b1)(2r2+b2) = b1b2 mod 2
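The integer example from the slides above (Enc(b) = 2(subset-sum(xi’s)+r)+b mod N, Dec(c) = (c mod p) mod 2), written out as an added Python sketch that is not code from the talk. The parameter sizes, the nonnegative noise ranges and all function names are assumptions chosen for readability; the sizes are far too small to be secure.

```python
import random

def keygen(rng, n_pub=10):
    """Secret key: odd p. Public key: N = p*q plus samples x_i = p*q_i + r_i, r_i << p.
    Sizes are illustrative assumptions and far too small to be secure."""
    p = rng.getrandbits(64) | (1 << 63) | 1        # 64-bit odd integer
    q = rng.getrandbits(128) | (1 << 127)
    xs = [p * rng.randrange(q) + rng.randrange(256) for _ in range(n_pub)]
    return p, (p * q, xs)

def enc(pk, b, rng):
    """Enc(b) = 2*(subset-sum(x_i) + r) + b mod N."""
    N, xs = pk
    subset = [x for x in xs if rng.random() < 0.5]
    r = rng.randrange(128, 256)                    # fresh noise, kept nonnegative
    return (2 * (sum(subset) + r) + b) % N

def dec(p, c):
    """Dec(c) = (c mod p) mod 2."""
    return (c % p) % 2

def noise(p, c):
    """Offset of c from the multiple of p just below it; needs the secret key."""
    return c % p

def add(pk, c1, c2):                               # ring addition of ciphertexts
    return (c1 + c2) % pk[0]
def mul(pk, c1, c2):                               # ring multiplication of ciphertexts
    return (c1 * c2) % pk[0]

def factors_until_overflow(p, pk, rng):
    """Multiply fresh encryptions of 1; return how many factors it takes for the
    exact product of their noise terms to reach p, where Dec is no longer reliable."""
    exact, c, k = 1, 1, 0
    while exact < p:
        fresh = enc(pk, 1, rng)
        exact *= noise(p, fresh)
        c, k = mul(pk, c, fresh), k + 1
        if exact < p:                              # still inside the noise budget
            assert dec(p, c) == 1 and noise(p, c) == exact
    return k

if __name__ == "__main__":
    rng = random.Random(2011)                      # constructed fixed seed
    p, pk = keygen(rng)
    for b1, b2 in [(0, 0), (0, 1), (1, 0), (1, 1)]:
        c1, c2 = enc(pk, b1, rng), enc(pk, b2, rng)
        print(b1, b2, "sum:", dec(p, add(pk, c1, c2)), "product:", dec(p, mul(pk, c1, c2)))
    print("factors until noise overflow:", factors_until_overflow(p, pk, rng))
```

Addition adds the noise terms and multiplication multiplies them, so with these sizes only a handful of multiplications fit before the noise reaches p.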

Instantiations

o [Gentry ‘09] Polynomial Rings
    Security based on hardness of “Bounded-Distance Decoding” in ideal lattices
o [vDGHV ‘10] Integer Ring
    Security based on hardness of the “approximate-GCD” problem
o [GHV ‘10] Matrix Rings*
    * Only degree-2 polynomials, security based on hardness of “Learning with Errors”
o [BV ‘11a] Polynomial Rings
    Security based on “ring LWE”


Step 3: Bootstrapping [G’09]

o So far, can evaluate low-degree polynomials
o Can eval y = P(x1, x2, …, xn) when xi’s are “fresh”
o But y is an “evaluated ciphertext”
    Can still be decrypted
    But eval Q(y) will increase noise too much

[Diagram: inputs x1, x2, …, xt feed P, which outputs P(x1, x2, …, xt)]

Step 3: Bootstrapping [G’09]

o So far, can evaluate low-degree polynomials
o Bootstrapping to handle higher degrees:
o For ciphertext c, consider D_c(sk) = Dec_sk(c)
    Hope: D_c(*) is a low-degree polynomial in sk
    Then so are A_{c1,c2}(sk) = Dec_sk(c1) + Dec_sk(c2)
    and M_{c1,c2}(sk) = Dec_sk(c1) × Dec_sk(c2)

[Diagram: inputs x1, x2, …, xt feed P, which outputs P(x1, x2, …, xt)]


Step 3: Bootstrapping [G’09]

o Include in the public key also Enc_pk(sk)
o Homomorphic computation applied only to the “fresh” encryption of sk

[Diagram: M_{c1,c2}, built from c1 and c2 (which encrypt x1 and x2), takes the encrypted key bits sk1, sk2, …, skn as input; the output c encrypts M_{c1,c2}(sk) = Dec_sk(c1) × Dec_sk(c2) = x1 × x2]

Requires “circular security”

Step 4: Everything Else

o Cryptosystems from [G’09, vDGHV’10, BG’11a] cannot handle their own decryption
o Tricks to “squash” the decryption procedure, making it low-degree

Performance

o Evaluating only low-degree polynomials may be reasonable
o But bootstrapping is inherently inefficient
    Homomorphic decryption for each multiplication
o Best implementation so far is [GH’11a]
    Public key size ~ 2GB
    Evaluating a multiplication takes 30 minutes

Beyond the [G’09] Blueprint

o [GH’11b] no “squashing”, still very inefficient
o [BV’11b] no underlying ring, only vectors
    Also no “squashing”, but still inefficient
o [G’11] no bootstrapping
    Builds heavily on [BV’11b]
    Reduces noise “cheaply” after each multiplication
    Should be at least 2-3 orders of magnitude better than [GV’11a]

Homomorphic Encryption vs. Secure Computation

Secure Function Evaluation (SFE)

Client Alice has data x
Server Bob has function f
Alice wants to learn f(x)
1. Without telling Bob what x is
2. Bob may not want Alice to know f
3. Client Alice may also want server Bob to do most of the work computing f(x)

Two-Message SFE [Yao’82,…]

    Alice(x): (c,s) ← SFE1(x), sends c to Bob
    Bob(f): r ← SFE2(f,c), sends r to Alice
    Alice: y ← SFE3(s,r)

o Many different instantiations are available
    Based on hardness of factoring/DL/lattices/…
o Alice’s x and Bob’s f are kept private
o But Alice does as much work as Bob
    Bob’s reply of size poly(n) × (|f|+|x|)

Recall: Homomorphic Encryption

o H = {KeyGen, Enc, Dec, Eval}
o Semantic security: (pk, Enc_pk(0)) ≈ (pk, Enc_pk(1))
o Homomorphic: Dec_sk(Eval_pk(f, Enc_pk(x))) = f(x)
    c* may not look like a “fresh” ciphertext
    As long as it decrypts to f(x)
o Function-private: c* hides f
o Compact: Decrypting c* easier than computing f
    |c*| independent of the complexity of f

Aside: a Trivial Solution

o Eval(f,c) = <f,c>, Dec*(<f,c>) = f(Dec(c))
o Neither function-private, nor compact
o Not very useful in applications

HE → Two-Message SFE

o Alice encrypts data x
    sends to Bob c ← Enc(x)
o Bob computes on encrypted data
    sets c* ← Eval(f, c)
    c* is supposed to be an encryption of f(x)
    Hopefully it hides f (function-private scheme)
o Alice decrypts, recovers y ← Dec(c*)

Two-Message SFE → HE

o Roughly:
    Alice’s message c ← SFE1(x) is Enc(x)
    Bob’s reply r ← SFE2(f,c) is Eval(f,c)
o Not quite public-key encryption yet
    Where are (pk, sk)?
    Can be fixed with an auxiliary PKE scheme

Two-Message SFE → HE

o Add an auxiliary encryption scheme with (pk,sk)

[Diagram: parties Alice(pk, x), Bob(f) and Dora(sk); messages c and r; computations (c,s) ← SFE1(x), r ← SFE2(f,c), y ← SFE3(s,r)]

Two-Message SFE → HE

    Alice(pk, x), Enc’_pk(x): (c,s) ← SFE1(x), c’ ← Enc_pk(s); sends c, c’
    Bob(f), Eval_pk(f,c,c’): r ← SFE2(f,c); sends r, c’
    Dora(sk), Dec_sk(r,c’): s ← Dec_sk(c’), y ← SFE3(s,r)

o Recall: |r| could be as large as poly(n)(|f|+|x|)
    Not compact

A More Complex Setting: i-Hop HE [GHV’10b]

2-Hop Homomorphic Encryption

    Alice(x): c0 ← Enc(x), sends c0
    Bob(f): c1 ← Eval(f,c0), sends c1
    Charlie(g): c2 ← Eval(g,c1), sends c2
    Dora(sk): y ← Dec(c2)

o c1 is not a fresh ciphertext
    May look completely different
o Can Charlie process it at all?
    What about security?

Multi-Hop Homomorphic Encryption

o H = {KeyGen, Enc, Eval, Dec} as before
o i-Hop Homomorphic (i is a parameter)
    x → Enc_pk(x) → c0 → Eval_pk(f1,c0) → c1 → Eval_pk(f2,c1) → c2 → … → cj → Dec_sk(x) → y
    Any number j ≤ i hops
    y = fj(fj-1(… f1(x) …)) for any x, f1,…,fj
o Similarly for i-Hop function-privacy, compactness
o Multi-Hop: i-Hop for any i

1-Hop → multi-Hop HE

o (KeyGen,Enc,Eval,Dec) is 1-Hop HE
    Can evaluate any single function on ctxt
o We have c1 = Eval_pk(f1,c0), and some other f2

Bootstrapping:
o Include with pk also c* = Enc_pk(sk)
o Consider F_{c1,f2}(sk) = f2(Dec_sk(c1))
    Let c2 = Eval_pk(F_{c1,f2}, c*)

1-Hop → multi-Hop HE

o Drawback: |c_i| grows exponentially with i:
    |F_{c_{i-1}, f_i}|   |c_{i-1}| + |f_i|
    |c_i| = |Eval_pk(F_{c_{i-1}, f_i}, c*)|   poly(n)(|c_{i-1}| + |f_i|)
o Does not happen if underlying scheme is compact
    Or even |Eval_pk(F_{c_{i-1}, f_i}, c*)| = |c_{i-1}| + poly(n)|f_i|

[Diagram: circuit F_{c_{i-1}, f_i} with labels x_{i-1}, sk, c_{i-1}, f_i, c*, ci+1; F_{c_{i-1}, f_i}(sk) = f_i(Dec_sk(c_{i-1})) = f_i(x_{i-1})]

Other Constructions

o Private 1-hop HE + Compact 1-hop HE
    Compact, Private 1-hop HE
    Compact, Private multi-hop HE
o A direct construction of multi-hop HE from Yao’s protocol

Summary

o Homomorphic Encryption is useful
    Especially multi-hop HE
o A method for constructing HE schemes from linear ECCs in rings
    Two (+e) known instances so far
o Connection to two-message protocols for secure computation

Thank You
