A Brief Story of Computing on Private Data Ten H Lai Ohio State University
Feb 25, 2016
Agenda
• Computing on private data
• Fully homomorphic encryption (FHE)
• Gentry's bootstrapping theorem
• Our result
FHE: The Holy Grail of Cryptography
Cloud Computing
Servers Storages Networks Applications
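How many stars are in the sky / How many girls are in the city / But in this world there is only one you / In the sky there is only one moon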
Cloud Computing
[Figure: Encrypt, Internet, Cloud server]
Computing on private data
[Figure: Encrypt, Internet, Cloud server]
A question proposed by Rivest, Adleman, Dertouzos in 1978 (one year after RSA was invented).
C-Homomorphism
[Diagram: plaintext $x_1, \ldots, x_t$ is encrypted under $pk$ into a ciphertext; Evaluate($C$) is applied to the ciphertext; Decrypt under $sk$ gives $C(x_1, \ldots, x_t)$.]
$C$: a circuit (algorithm, function).
Input of $C$: $x_1, x_2, \ldots, x_t$.
An encryption scheme is $C$-homomorphic if
$\mathrm{Enc}(x_1), \ldots, \mathrm{Enc}(x_t) \xrightarrow{\ \mathrm{Evaluate}(C)\ } \mathrm{Enc}(C(x_1, \ldots, x_t))$
RSA is multiplicatively homomorphic
RSA encryption: $\mathrm{RSA}(m) = m^e \bmod n$
RSA is multiplicatively homomorphic: $\mathrm{RSA}(m_1) \cdot \mathrm{RSA}(m_2) = \mathrm{RSA}(m_1 m_2)$
[Diagram: Evaluate takes $\mathrm{RSA}(m_1)$, $\mathrm{RSA}(m_2)$ to $\mathrm{RSA}(m_1 m_2)$.]
Fully Homomorphic Encryption (FHE)
Fully homomorphic: $C$-homomorphic for all $C$.
Originally called privacy homomorphism by Rivest, Adleman, Dertouzos in 1978.
[Diagram: $\mathrm{Enc}(x_1), \ldots, \mathrm{Enc}(x_t) \to$ Evaluate($C$) $\to \mathrm{Enc}(C(x_1, \ldots, x_t))$]
In Search of FHE (1978-2008)
Multiplicatively homomorphic: RSA, ElGamal, etc.
Additively homomorphic: Goldwasser-Micali, Paillier, etc.
Quadratic polynomials: Boneh-Goh-Nissim, e.g. $x_1^2 + x_2^2 + x_3^2 + x_1 x_2 + x_1 x_3 + x_2 x_3$
$NC^1$ circuits: Sanders-Young-Yung (circuits of bounded fan-in AND, OR, and NOT gates; size poly($n$), depth $O(\log n)$)
[Diagram: $\mathrm{Enc}(x_1), \ldots, \mathrm{Enc}(x_t) \to \mathrm{Enc}(C(x_1, \ldots, x_t))$]
Those encryption schemes are somewhat homomorphic: $C$-homomorphic for some circuits $C$.
Far away from being fully homomorphic.
Somewhat Homomorphic
[Diagram: Evaluate($C$) for some $C$'s; decrypt]
Why doesn't Somewhat H imply Fully H?
{AND, XOR} is a complete set of gates.
{AND, XOR}-homomorphic: why not fully homomorphic?
[Formulas: Enc($x$), Enc($y$) $\to$ Enc($x$ AND $y$); Enc($x$), Enc($y$) $\to$ Enc($x$ XOR $y$); decrypt]
Reason -- Why doesn't SH imply FH?
Each ciphertext contains a noise (error).
Noise grows with operations on ciphertexts.
When the noise becomes too large the ciphertext is not decryptable.
[Diagram: encrypt $x$, encrypt $y$]
Example
Key: a large odd integer $p$.
Plaintext: $m \in \{0, 1\}$
Encryption: $c = pq + 2r + m$ // $2r$ is a random noise //
Decryption: $m = (c \bmod p) \bmod 2$. // if $2r + m < p$ //
If $c_1 = pq_1 + 2r_1 + m_1$ and $c_2 = pq_2 + 2r_2 + m_2$, then
$c_1 + c_2$ is a ciphertext of $m_1 + m_2$, with noise $2(r_1 + r_2)$.
$c_1 c_2$ is a ciphertext of $m_1 m_2$, with noise $2(2 r_1 r_2 + r_1 m_2 + r_2 m_1)$.
The noise grows!
What if the noise becomes too large, say $2r > p$?
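The toy integer scheme of this example, with its noise growth made visible, as an added illustration that is not part of the original slides. The function names, the 64-bit key and the 8-bit noise are assumptions, and the exact noise term is carried next to each ciphertext only for bookkeeping.

```python
import secrets

def keygen(bits=64):
    """Key: a large odd integer p, with 2**(bits-1) <= p < 2**bits."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def fresh(p, m, r=None, q=None, noise_bits=8):
    """Encrypt bit m as c = p*q + 2r + m.

    Returns (c, n), where n = 2r + m is the exact noise term. n is carried
    only so the example can show when it outgrows p.
    """
    if m not in (0, 1):
        raise ValueError("plaintext must be a single bit")
    if r is None:  # top bit forced: fresh noise is at least 2**noise_bits
        r = secrets.randbits(noise_bits) | (1 << (noise_bits - 1))
    if q is None:
        q = secrets.randbits(128)
    return p * q + 2 * r + m, 2 * r + m

def decrypt(p, c):
    """m = (c mod p) mod 2; correct only while the noise term is below p."""
    return (c % p) % 2

def add(a, b):
    """Ciphertext of m1 XOR m2: the noise terms add."""
    return a[0] + b[0], a[1] + b[1]

def mul(a, b):
    """Ciphertext of m1 AND m2: the noise terms multiply."""
    return a[0] * b[0], a[1] * b[1]

def usable_factors(p, noise_bits=8):
    """Count the fresh encryptions of 1 that can be multiplied while noise < p."""
    acc, k = fresh(p, 1, noise_bits=noise_bits), 1
    while True:
        nxt = mul(acc, fresh(p, 1, noise_bits=noise_bits))
        if nxt[1] >= p:
            return k
        acc, k = nxt, k + 1
        assert decrypt(p, acc[0]) == 1  # still decrypts correctly

if __name__ == "__main__":
    p = keygen()
    print("fresh ciphertexts multiplied before failure:", usable_factors(p))
```

With these parameters every fresh noise term lies between $2^8$ and $2^9$, so the product of seven ciphertexts still decrypts and the eighth factor pushes the noise past $p$.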
Challenge for FHE
Can we have a -homomorphic encryption scheme without growing the noise?
Such a scheme will be fully homomorphic.
In 2009, Craig Gentry proposed a simple yet powerful strategy to achieve that goal: Bootstrapping
Bootstrapping
In a nutshell, bootstrapping is to evaluate (augmented) Decrypt homomorphically.
[Diagram: $m$ encrypted under a pink key pkA; Decrypt with skA gives $m$.]
[Diagram: Evaluate Decrypt homomorphically: encrypt under a blue key pkB, then Evaluate Decrypt.]
Augmented decryption circuit
NAND-augmented Decrypt circuit: decryption circuits + another gate
[Diagram: c1 and c2 are each decrypted with skA to give m1 and m2, which feed a NAND gate that outputs m1 NAND m2.]
Bootstrapping: evaluate augmented-Decrypt
Encrypt all input using $pk_B$ (figuratively, put them in a blue box). Evaluate Decrypt-NAND homomorphically. We obtain a "fresh" ciphertext of $m_1$ NAND $m_2$ under key $pk_B$.
Evaluate NAND with Bootstrapping
[Diagram: m1 and m2 under a pink key PKA, together with skA, give a fresh m1 NAND m2 under a blue key PKB.]
Evaluate NAND without bootstrapping
[Diagram: m1 and m2 give m1 NAND m2 with increased noise.]
Suppose we want to evaluate this circuit homomorphically, with $m_1, m_2, m_3, m_4$ encrypted under $pk_A$.
[Diagram: Evaluate Decrypt-NAND with skA on m1, m2 gives m1 NAND m2; Evaluate Decrypt-NAND with skA on m3, m4 gives m3 NAND m4; Evaluate Decrypt-NAND with skB on these two results gives (m1 NAND m2) NAND (m3 NAND m4).]
Bootstrappable encryption schemes
The ciphertexts are always "fresh".
If an encryption scheme is bootstrappable w.r.t. NAND, the cloud can evaluate any circuit of NAND gates, can evaluate any boolean function: fully homomorphic.
True conceptually, but ...
Unfortunately
Evaluating a circuit of $d$ levels needs $d$ pairs of keys.
[Diagram: levels of Decrypt, Decrypt, NAND]
[Figure: keys $pk_d, pk_{d-1}, \ldots, pk_0$ and $sk_d, sk_{d-1}, \ldots, sk_0$]
Keys for encryption & decryption & evaluation
Encryption key
Decryption key
Evaluation key
Leveled fully homomorphic encryption scheme
[Diagram: bootstrappable → $d$-leveled FHE; $d$ levels of Decrypt]
KeyGen → KeyGen$^{(d)}$
Encrypt → Encrypt$^{(d)}$
Decrypt → Decrypt$^{(d)}$
Evaluate → Evaluate$^{(d)}$
KeyGen$^{(d)}$
[Figure: keys $pk_d, pk_{d-1}, \ldots, pk_0$ and $sk_d, sk_{d-1}, \ldots, sk_0$, grouped into Encryption key, Decryption key, Evaluation key]
Encrypt$^{(d)}$: Encrypt under $pk_d$.
Decrypt$^{(d)}$: Decrypt with $sk_0$.
Remark: The ciphertext is assumed to be an output of Evaluate$^{(d)}$. What if it was produced by Encrypt$^{(d)}$?
Evaluate$^{(d)}$
Recursive procedure: Evaluate$^{(d)}$ takes $pk^{(d)}$, $C_d$ and a tuple of ciphertexts under $pk_d$.
$C_d$ has exactly $d$ levels; gates at level $i$ are connected to gates at level $i - 1$. (Any circuit of depth $d$ can be converted to such a circuit by inserting identity gates.)
[Diagram: $C_d$ with levels $d$ down to 1; the input ciphertexts are under $pk_d$.]
[Diagram: $C_d$ augmented with Decrypt circuits; $sk_d$ is encrypted under $pk_{d-1}$.]
[Diagram: the result is a circuit $C_{d-1}$ with levels $d-1$ down to 1 and inputs under $pk_{d-1}$; recursively call Evaluate$^{(d-1)}$.]
When $d = 0$, simply return the ciphertexts, which are under $pk_0$ and can be decrypted with $sk_0$.
[Diagram: $C_0$, under $pk_0$]
Security
Theorem. If is semantically secure, then is semantically secure.
[Diagram: bootstrappable → $d$-leveled FHE]
[Figure: keys $pk_d, pk_{d-1}, \ldots, pk_0$ and $sk_d, sk_{d-1}, \ldots, sk_0$, grouped into Encryption key, Decryption key, Evaluation key]
When $d$ is large: long keys
If is KDM-secure
KDM: Key-Dependent Message
If is KDM-secure, then we can shorten the key to $pk_0$, $sk_0$, and the encrypted $sk_0$, independently of $d$, and then we have an FHE scheme.
[Figure: the key chain with every level replaced by $pk_0$ and $sk_0$]
Gentry's Theorems
If is bootstrappable, then we can convert to a leveled FHE scheme.
If is bootstrappable and KDM-secure (or weakly circular secure), then we can convert to an FHE scheme.
All that we need is a (KDM-secure) bootstrappable encryption scheme
[Diagram: Decrypt, Decrypt, NAND]
Gentry's bootstrappable encryption scheme
In 2009, Gentry proposed the first bootstrappable scheme.
Two steps:
Building a somewhat homomorphic encryption scheme, which unfortunately is not bootstrappable: the decryption circuit is too deep
Squashing the decryption circuit
Squashing the decryption circuit
Purpose: to lower the complexity of the decryption circuit.
Basic idea:
[Diagram: the Decryption algorithm is split into a secret-key independent part (computationally intensive, done with encryption) and a secret-key dependent part.]
Since Gentry's first FHE scheme
More efficient FHE schemes
Without squashing (STOC-11)
Without bootstrapping (Crypto-13)
Without noise?
FHE is still in its infancy
Multi-Key/Multi-Scheme FHE
Single-key FHE
Is Multi-key FHE Possible?
Is Multi-scheme FHE Possible?
Example
RSA is multiplicatively homomorphic:
$\mathrm{RSA}(m_1) = m_1^{e} \bmod n$
$\mathrm{RSA}(m_2) = m_2^{e} \bmod n$
$\mathrm{RSA}(m_1 m_2) = (m_1 m_2)^{e} \bmod n$
RSA is not multi-key multiplicatively homomorphic:
$\mathrm{RSA}_1(m_1) = m_1^{e_1} \bmod n_1$
$\mathrm{RSA}_2(m_2) = m_2^{e_2} \bmod n_2$
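The single-key and two-key cases of textbook RSA from this example and from the earlier "RSA is multiplicatively homomorphic" slide, as added illustration code that is not part of the original slides. The small primes, exponents and helper names are constructed for the demonstration.

```python
from math import gcd

def rsa_keypair(p, q, e):
    """Textbook RSA key from two primes (no padding), as on the slide."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to (p-1)(q-1)")
    return {"n": n, "e": e, "d": pow(e, -1, phi)}

def rsa_enc(key, m):
    return pow(m, key["e"], key["n"])      # RSA(m) = m^e mod n

def rsa_dec(key, c):
    return pow(c, key["d"], key["n"])

def product_single_key(key, m1, m2):
    """Multiply two ciphertexts under one key, then decrypt the product."""
    c = (rsa_enc(key, m1) * rsa_enc(key, m2)) % key["n"]
    return rsa_dec(key, c)

def product_two_keys(k1, k2, m1, m2):
    """Multiply RSA_1(m1) by RSA_2(m2); try decrypting under each key."""
    c1, c2 = rsa_enc(k1, m1), rsa_enc(k2, m2)
    return [rsa_dec(k, (c1 * c2) % k["n"]) for k in (k1, k2)]

# Constructed toy keys; real moduli are thousands of bits long.
K1 = rsa_keypair(61, 53, 17)   # n1 = 3233
K2 = rsa_keypair(89, 97, 5)    # n2 = 8633

if __name__ == "__main__":
    print("one key :", product_single_key(K1, 7, 11))      # 77 = 7 * 11
    print("two keys:", product_two_keys(K1, K2, 7, 11))    # neither is 77
```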
Example
RSA and ElGamal are multiplicatively homomorphic.
If
$\mathrm{RSA}_1(m_1) = m_1^{e} \bmod n$
$\mathrm{ElGamal}_2(m_2) = (g^{k} \bmod p,\; y^{k} m_2 \bmod p)$
Is Multi-key or Multi-scheme FHE Possible?
Our results: Yes!
Any FHE can be converted into a multi-key FHE.
Any FHEs can be converted into a multi-scheme FHE.
Basic idea: Single-key FHE → Multi-key FHE
Given: An ordinary FHE scheme with evaluation algorithm Eval. Eval, given $pk$, $C$ and encryptions of $x_1, \ldots, x_t$ under $pk$, evaluates $C(x_1, \ldots, x_t)$, for any $C$.
Objective: Evaluate, given $C$, $pk_1, \ldots, pk_t$ and ciphertexts of $x_1, \ldots, x_t$.
Problem
[Diagrams: Evaluate circuit $C$ with inputs $x_1$, $x_2$ and output $y$; Evaluate($C$); Eval($C$) if under pk1; Eval(Eval($C$)) under pk2; nested inputs and nested circuit marked "?"]
$\mathrm{Enc}_{pk_2}(x) \to \mathrm{Enc}_{pk_4}\mathrm{Enc}_{pk_3}\mathrm{Enc}_{pk_2}\mathrm{Enc}_{pk_1}(x)$
Trivial encryption
Trivial encryption property: $m$ is a valid ciphertext of itself. $\mathrm{Decrypt}_{sk}(m) = m$ for all $m$, all $sk$.
Lemma. Any FHE with message space {0,1} can be converted into an FHE with the trivial encryption property without degrading its security.
Trivial encryptions
$\mathrm{Enc}_{pk_2}(x) \to \mathrm{Enc}_{pk_4}\mathrm{Enc}_{pk_3}\mathrm{Enc}_{pk_2}\mathrm{Enc}_{pk_1}(x)$
[Diagram: Eval($C$) and Eval(Eval($C$)) with inputs $x_1$, $x_2$ and output $y$]
Summary of ideas
Nested ciphertexts: $\mathrm{Enc}_{pk_4}\mathrm{Enc}_{pk_3}\mathrm{Enc}_{pk_2}\mathrm{Enc}_{pk_1}(x)$
Nested circuits: $\mathrm{Eval}_{pk_4}\mathrm{Eval}_{pk_3}\mathrm{Eval}_{pk_2}\mathrm{Eval}_{pk_1}(C)$
Non-trivial to formalize the ideas
Nested ciphertexts
Use a tree to represent a nested ciphertext
Example: $\mathrm{Enc}_{pk_2}\mathrm{Enc}_{pk_1}(b)$
[Figure: tree of bits]
Nested circuits
Recursively define:
// $C(x_1, \ldots, x_t)$ is the given circuit to evaluate //
[Recursive definition of nested circuits using Eval$_{pk}$, with nested input ciphertexts such as $\mathrm{Enc}_{pk_2}\mathrm{Enc}_{pk_1}(x_i)$, $i = 1, \ldots, t$; the final circuit is the desired Evaluate for $C$ and $pk_1, \ldots, pk_t$.]
Summary: Multi-key/Multi-scheme FHE is possible
Any FHE can be converted into a multi-key FHE.
Any FHEs can be converted into a multi-scheme FHE.
Design more efficient FHE schemes
How to make use of FHE?
Research problems