On Homomorphic Encryption and Secure Computation
Shai Halevi, June 16, 2011
Feb 24, 2016
Computing on Encrypted Data
Wouldn’t it be nice to be able to…
o Encrypt my data in the cloud
o While still allowing the cloud to search/sort/edit/… this data on my behalf
o Keeping the data in the cloud in encrypted form
  Without needing to ship it back and forth to be decrypted

Computing on Encrypted Data
Wouldn’t it be nice to be able to…
o Encrypt my queries to the cloud
o While still allowing the cloud to process them
o Cloud returns encrypted answers that I can decrypt

Computing on Encrypted Data
Directions
• From: Tel-Aviv University, Tel-Aviv, Israel
• To: Technion, Haifa, Israel
[Figure: the text shown as ciphertext, $skj#hS28ksytA@ …]

Computing on Encrypted Data
[Figure: a longer block of ciphertext]

Constructing Homomorphic Encryption
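Privacy Homomorphisms [RAD78]
[Diagram: plaintext space P with $x_1, x_2$ and operation $*$; ciphertext space C with $c_1, c_2$ and operation $\#$; $c_i \leftarrow \mathrm{Enc}(x_i)$, results $y$ and $d$ with $y \leftarrow \mathrm{Dec}(d)$]
Some examples:
o “Raw RSA”: $c \leftarrow x^e \bmod N$ ($x \leftarrow c^d \bmod N$)
  $x_1^e \times x_2^e = (x_1 \times x_2)^e \bmod N$
o GM84: $\mathrm{Enc}(0) \in_R QR$, $\mathrm{Enc}(1) \in_R QNR$ (in $\mathbb{Z}_N^*$)
  $\mathrm{Enc}(x_1) \times \mathrm{Enc}(x_2) = \mathrm{Enc}(x_1 \oplus x_2) \bmod N$
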
More Privacy Homomorphisms
o Mult-mod-p [ElGamal’84]
o Add-mod-N [Paillier’98]
o Quadratic-polys mod p [BGN’06]
o Branching programs [IP’07]
o Later, a “different type of solution” for any circuit [Yao’82,…]
  Also NC1 circuits [SYY’00]

$(\times,+)$-Homomorphic Encryption
It will be really nice to have…
o Plaintext space $\mathbb{Z}_2$ (w/ ops $+,\times$)
o Ciphertexts live in an algebraic ring $R$ (w/ ops $+,\times$)
o Homomorphic for both $+$ and $\times$
  $\mathrm{Enc}(x_1) + \mathrm{Enc}(x_2)$ in $R$ $= \mathrm{Enc}(x_1 + x_2 \bmod 2)$
  $\mathrm{Enc}(x_1) \times \mathrm{Enc}(x_2)$ in $R$ $= \mathrm{Enc}(x_1 \times x_2 \bmod 2)$
o Then we can compute any function on the encryptions
  Since every binary function is a polynomial
o We won’t get exactly this, but it’s a good motivation

Some Notations
o An encryption scheme: (KeyGen, Enc, Dec)
  Plaintext-space = {0,1}
  $(pk,sk) \leftarrow \mathrm{KeyGen}(\$)$, $c \leftarrow \mathrm{Enc}_{pk}(b)$, $b \leftarrow \mathrm{Dec}_{sk}(c)$
o Semantic security [GM’84]: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$
  $\approx$ means indistinguishable by efficient algorithms

Homomorphic Encryption
o H = {KeyGen, Enc, Dec, Eval}
  $c^* \leftarrow \mathrm{Eval}_{pk}(f, c)$
o Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$
  $c^*$ may not look like a “fresh” ciphertext
  As long as it decrypts to $f(x)$
o Function-private: $c^*$ hides $f$
o Compact: Decrypting $c^*$ easier than computing $f$
  $|c^*|$ independent of the complexity of $f$

$(\times,+)$-Homomorphic Encryption, the [Gentry09] blueprint
Evaluate any function in four “easy” steps
o Step 1: Encryption from linear ECCs
  Additive homomorphism
o Step 2: ECC lives inside a ring
  Also multiplicative homomorphism
  But only for a few operations (i.e., low-degree poly’s)
o Step 3: Bootstrapping
  Few ops (but not too few) $\Rightarrow$ any number of ops
o Step 4: Everything else

Step One: Encryption from Linear ECCs
o For “random looking” codes, hard to distinguish close/far from code
o Many cryptosystems built on this hardness
  E.g., [McEliece’78, AD’97, GGH’97, R’03, …]

Encryption from linear ECCs
o KeyGen: choose a “random” code C
  Secret key: “good representation” of C
    Allows correction of “large” errors
  Public key: “bad representation” of C
o Enc(0): a word close to C
o Enc(1): a random word
  Far from C (with high probability)

An Example: Integers mod p (similar to [Regev’03])
o Code determined by an integer $p$
  Codewords: multiples of $p$
o Good representation: $p$ itself
o Bad representation:
  $N = pq$, and also many many $x_i = pq_i + r_i$ (with $r_i \ll p$)
o Enc(0): subset-sum($x_i$’s) $+\, r \bmod N$
o Enc(1): random integer mod $N$

A Different Input Encoding
o Both Enc(0), Enc(1) close to the code
  Enc(0): distance to code is even
  Enc(1): distance to code is odd
o In our example of integers mod p:
  $\mathrm{Enc}(b) = 2(\text{subset-sum}(x_i\text{’s}) + r) + b \bmod N$
  $\mathrm{Dec}(c) = (c \bmod p) \bmod 2$

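Additive Homomorphism
o $c_1 + c_2 = (\text{codeword}_1 + \text{codeword}_2) + 2(r_1+r_2) + b_1 + b_2$
  $\text{codeword}_1 + \text{codeword}_2 \in \text{Code}$
  If $2(r_1+r_2)+b_1+b_2 < \text{min-dist}/2$, then it is the distance to the code:
  $\mathrm{dist}(c_1+c_2, \text{Code}) = 2(r_1+r_2)+b_1+b_2$
  $\mathrm{dist}(c_1+c_2, \text{Code}) \bmod 2 = b_1+b_2$
o Additively-homomorphic while close to Code
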
Step 2: ECC Lives in a Ring R
o What happens when multiplying in R:
  $c_1 c_2 = (\text{codeword}_1 + 2r_1 + b_1) \times (\text{codeword}_2 + 2r_2 + b_2)$
  $= \text{codeword}_1\, X + Y\, \text{codeword}_2 + (2r_1+b_1)(2r_2+b_2)$
o If:
  $\text{codeword}_1\, X + Y\, \text{codeword}_2 \in \text{Code}$ (Code is an ideal)
  $(2r_1+b_1)(2r_2+b_2) < \text{min-dist}/2$ (Product in R of small elements is small)
o Then
  $\mathrm{dist}(c_1 c_2, \text{Code}) = (2r_1+b_1)(2r_2+b_2) = b_1 b_2 \bmod 2$
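
The integer instantiation from the slides above (Enc(b) = 2(subset-sum + r) + b mod N, Dec(c) = (c mod p) mod 2), with the additive and multiplicative homomorphism and the noise limit of Steps 1 and 2, as an added example that is not code from the talk. The function names and the toy parameter sizes (128-bit p, 8-bit noise) are assumptions chosen for illustration and give no security.

```python
import secrets

def keygen(p_bits=128, q_bits=256, n=16, rho=8):
    """sk: odd p (good representation). pk: N = p*q and noisy multiples x_i."""
    p = secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1
    q = secrets.randbits(q_bits) | (1 << (q_bits - 1))
    # x_i = p*q_i + r_i with r_i << p (the "bad representation" of the code)
    xs = [p * secrets.randbelow(q) + secrets.randbelow(1 << rho) for _ in range(n)]
    return p, (p * q, xs, rho)

def enc(pk, b):
    """Enc(b) = 2*(subset-sum(x_i's) + r) + b mod N."""
    N, xs, rho = pk
    subset = sum(x for x in xs if secrets.randbits(1))
    return (2 * (subset + secrets.randbelow(1 << rho)) + b) % N

def noise(p, c):
    """Distance from c to the code (multiples of p); noise is >= 0 in this toy."""
    return c % p

def dec(p, c):
    """Dec(c) = (c mod p) mod 2."""
    return noise(p, c) % 2

def add(pk, c1, c2):
    return (c1 + c2) % pk[0]   # noise adds: 2(r1+r2) + b1 + b2

def mul(pk, c1, c2):
    return (c1 * c2) % pk[0]   # noise multiplies: (2r1+b1)(2r2+b2)

def failures_at_depth(depth, trials=64):
    """Count wrong decryptions of a product of `depth` fresh encryptions of 1."""
    p, pk = keygen()
    bad = 0
    for _ in range(trials):
        c = enc(pk, 1)
        for _ in range(depth - 1):
            c = mul(pk, c, enc(pk, 1))
        bad += dec(p, c) != 1
    return bad

if __name__ == "__main__":
    # Fresh noise is below 2^14, so a product of 8 stays below p (>= 2^127);
    # a product of 40 wraps around p and decryption becomes a coin flip.
    print(failures_at_depth(8), failures_at_depth(40))
```

Once the product noise exceeds p the result still looks like a ciphertext, which is the limit that bootstrapping in Step 3 is meant to remove.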

Instantiations
o [Gentry ‘09] Polynomial Rings
  Security based on hardness of “Bounded-Distance Decoding” in ideal lattices
o [vDGHV ‘10] Integer Ring
  Security based on hardness of the “approximate-GCD” problem
o [GHV ‘10] Matrix Rings*
  Only degree-2 polynomials, security based on hardness of “Learning with Errors”
o [BV ‘11a] Polynomial Rings
  Security based on “ring LWE”

Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
[Figure: circuit $P$ with inputs $x_1, x_2, \ldots, x_t$ and output $P(x_1, x_2, \ldots, x_t)$]

Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
o Can eval $y = P(x_1, x_2, \ldots, x_n)$ when $x_i$’s are “fresh”
o But $y$ is an “evaluated ciphertext”
  Can still be decrypted
  But eval $Q(y)$ will increase noise too much

Step 3: Bootstrapping [G’09]
o So far, can evaluate low-degree polynomials
o Bootstrapping to handle higher degrees:
o For ciphertext $c$, consider $D_c(sk) = \mathrm{Dec}_{sk}(c)$
  Hope: $D_c(*)$ is a low-degree polynomial in $sk$
  Then so are $A_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) + \mathrm{Dec}_{sk}(c_2)$
  and $M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2)$

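Step 3: Bootstrapping [G’09]
o Include in the public key also $\mathrm{Enc}_{pk}(sk)$
[Figure: circuit $M_{c_1,c_2}$ with $c_1, c_2$ (for $x_1, x_2$) and inputs $sk_1, sk_2, \ldots, sk_n$; output $c$, with $M_{c_1,c_2}(sk) = \mathrm{Dec}_{sk}(c_1) \times \mathrm{Dec}_{sk}(c_2) = x_1 \times x_2$]
  Requires “circular security”
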
Step 3: Bootstrapping [G’09]
o Include in the public key also $\mathrm{Enc}_{pk}(sk)$
o Homomorphic computation applied only to the “fresh” encryption of $sk$
  Requires “circular security”

Step 4: Everything Else
o Cryptosystems from [G’09, vDGHV’10, BG’11a] cannot handle their own decryption
o Tricks to “squash” the decryption procedure, making it low-degree

Performance
o Evaluating only low-degree polynomials may be reasonable
o But bootstrapping is inherently inefficient
  Homomorphic decryption for each multiplication
o Best implementation so far is [GH’11a]
  Public key size ~ 2GB
  Evaluating a multiplication takes 30 minutes

Beyond the [G’09] Blueprint
o [GH’11b] no “squashing”, still very inefficient
o [BV’11b] no underlying ring, only vectors
  Also no “squashing”, but still inefficient
o [G’11] no bootstrapping
  Builds heavily on [BV’11b]
  Reduces noise “cheaply” after each multiplication
  Should be at least 2-3 orders of magnitude better than [GV’11a]

Homomorphic Encryption vs. Secure Computation

Secure Function Evaluation (SFE)
Client Alice has data x
Server Bob has function f
Alice wants to learn f(x)
1. Without telling Bob what x is
2. Bob may not want Alice to know f
3. Client Alice may also want server Bob to do most of the work computing f(x)

Two-Message SFE [Yao’82,…]
  Alice(x): $(c,s) \leftarrow \mathrm{SFE1}(x)$, sends $c$ to Bob
  Bob(f): $r \leftarrow \mathrm{SFE2}(f,c)$, sends $r$ to Alice
  Alice: $y \leftarrow \mathrm{SFE3}(s,r)$
o Many different instantiations are available
  Based on hardness of factoring/DL/lattices/…
o Alice’s x and Bob’s f are kept private
o But Alice does as much work as Bob
  Bob’s reply of size $\mathrm{poly}(n) \times (|f|+|x|)$

Recall: Homomorphic Encryption
o H = {KeyGen, Enc, Dec, Eval}
o Semantic security: $(pk, \mathrm{Enc}_{pk}(0)) \approx (pk, \mathrm{Enc}_{pk}(1))$
o Homomorphic: $\mathrm{Dec}_{sk}(\mathrm{Eval}_{pk}(f, \mathrm{Enc}_{pk}(x))) = f(x)$
  $c^*$ may not look like a “fresh” ciphertext
  As long as it decrypts to $f(x)$
o Function-private: $c^*$ hides $f$
o Compact: Decrypting $c^*$ easier than computing $f$
  $|c^*|$ independent of the complexity of $f$

Aside: a Trivial Solution
o Eval(f,c) = <f,c>, Dec*(<f,c>) = f(Dec(c))
o Neither function-private, nor compact
o Not very useful in applications

HE $\Rightarrow$ Two-Message SFE
o Alice encrypts data x
  sends to Bob $c \leftarrow \mathrm{Enc}(x)$
o Bob computes on encrypted data
  sets $c^* \leftarrow \mathrm{Eval}(f, c)$
  $c^*$ is supposed to be an encryption of $f(x)$
  Hopefully it hides $f$ (function-private scheme)
o Alice decrypts, recovers $y \leftarrow \mathrm{Dec}(c^*)$
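
The two-message exchange above, as an added example that is not from the talk, instantiated with the additively homomorphic Paillier scheme (the Add-mod-N entry listed earlier), so Eval here covers only affine functions f(x) = a·x + b rather than any circuit. The party functions, the message layout and the fixed toy primes are assumptions; the primes are far too small for real use.

```python
import math
import secrets

def keygen():
    """Toy Paillier keys from two known Mersenne primes (constructed, insecure)."""
    p, q = (1 << 31) - 1, (1 << 61) - 1
    n, phi = p * q, (p - 1) * (q - 1)
    return n, (n, phi, pow(phi, -1, n))   # pk = n, sk = (n, phi, phi^-1 mod n)

def enc(n, m):
    """Enc(m) = (1+n)^m * r^n mod n^2 for a random unit r."""
    r = secrets.randbelow(n - 1) + 1
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return (1 + m * n) * pow(r, n, n * n) % (n * n)

def dec(sk, c):
    n, phi, mu = sk
    return (pow(c, phi, n * n) - 1) // n * mu % n

def eval_affine(n, f, c):
    """Eval(f, c) for f(x) = a*x + b: Enc(x)^a * Enc(b) = Enc(a*x + b).
    The fresh Enc(b) re-randomizes c*, so c* depends on f only through f(x)."""
    a, b = f
    return pow(c, a, n * n) * enc(n, b) % (n * n)

def alice_query(x):
    """Message 1: Alice keeps sk and sends (pk, c) with c = Enc(x)."""
    n, sk = keygen()
    return sk, (n, enc(n, x))

def bob_reply(msg, f):
    """Message 2: Bob returns c* = Eval(f, c) without learning x."""
    n, c = msg
    return eval_affine(n, f, c)

def alice_output(sk, c_star):
    """Alice recovers y = Dec(c*)."""
    return dec(sk, c_star)

def run(x, f):
    sk, msg = alice_query(x)
    return alice_output(sk, bob_reply(msg, f))
```

The reply is a single element mod n², whatever a and b are, which is the compactness property from the earlier slide.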

Two-Message SFE $\Rightarrow$ HE
o Roughly:
  Alice’s message $c \leftarrow \mathrm{SFE1}(x)$ is Enc(x)
  Bob’s reply $r \leftarrow \mathrm{SFE2}(f,c)$ is Eval(f,c)
o Not quite public-key encryption yet
  Where are (pk, sk)?
  Can be fixed with an auxiliary PKE scheme

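Two-Message SFE $\Rightarrow$ HE
o Add an auxiliary encryption scheme with (pk,sk)
[Diagram: parties Alice(pk, x), Bob(f), Dora(sk); $(c,s) \leftarrow \mathrm{SFE1}(x)$; message $c$; $r \leftarrow \mathrm{SFE2}(f,c)$; message $r$; $y \leftarrow \mathrm{SFE3}(s,r)$]
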
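Two-Message SFE $\Rightarrow$ HE
  Alice(pk, x), $\mathrm{Enc}'_{pk}(x)$: $(c,s) \leftarrow \mathrm{SFE1}(x)$, $c' \leftarrow \mathrm{Enc}_{pk}(s)$; sends $c, c'$
  Bob(f), $\mathrm{Eval}_{pk}(f,c,c')$: $r \leftarrow \mathrm{SFE2}(f,c)$; sends $r, c'$
  Dora(sk), $\mathrm{Dec}_{sk}(r,c')$: $s \leftarrow \mathrm{Dec}_{sk}(c')$, $y \leftarrow \mathrm{SFE3}(s,r)$
o Recall: $|r|$ could be as large as $\mathrm{poly}(n)(|f|+|x|)$
  Not compact
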
A More Complex Setting: i-Hop HE [GHV’10b]
  Alice(x): $c_0 \leftarrow \mathrm{Enc}(x)$, sends $c_0$
  Bob(f): $c_1 \leftarrow \mathrm{Eval}(f,c_0)$, sends $c_1$
  Charlie(g): $c_2 \leftarrow \mathrm{Eval}(g,c_1)$, sends $c_2$
  Dora(sk): $y \leftarrow \mathrm{Dec}(c_2)$
  2-Hop Homomorphic Encryption
o $c_1$ is not a fresh ciphertext
  May look completely different
o Can Charlie process it at all?
  What about security?

Multi-Hop Homomorphic Encryption
o H = {KeyGen, Enc, Eval, Dec} as before
o i-Hop Homomorphic (i is a parameter)
  [Diagram: $x$, $\mathrm{Enc}_{pk}(x)$, $c_0$, $\mathrm{Eval}_{pk}(f_1,c_0)$, $c_1$, $\mathrm{Eval}_{pk}(f_2,c_1)$, $c_2$, …, $c_j$, $\mathrm{Dec}_{sk}(x)$, $y$; any number $j \le i$ hops]
  $y = f_j(f_{j-1}(\ldots f_1(x) \ldots))$ for any $x, f_1, \ldots, f_j$
o Similarly for i-Hop function-privacy, compactness
o Multi-Hop: i-Hop for any i

1-Hop $\Rightarrow$ multi-Hop HE
o (KeyGen,Enc,Eval,Dec) is 1-Hop HE
  Can evaluate any single function on ctxt
o We have $c_1 = \mathrm{Eval}_{pk}(f_1,c_0)$, and some other $f_2$
Bootstrapping:
o Include with pk also $c^* = \mathrm{Enc}_{pk}(sk)$
o Consider $F_{c_1,f_2}(sk) = f_2(\mathrm{Dec}_{sk}(c_1))$
  Let $c_2 = \mathrm{Eval}_{pk}(F_{c_1,f_2}, c^*)$

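1-Hop $\Rightarrow$ multi-Hop HE
[Figure: circuit $F_{c_{i-1},f_i}$ with $c_{i-1}$, $f_i$, $x_{i-1}$ and $sk$; input $c^*$, output labelled $c_{i+1}$; $F_{c_{i-1},f_i}(sk) = f_i(\mathrm{Dec}_{sk}(c_{i-1})) = f_i(x_{i-1})$]
o Drawback: $|c_i|$ grows exponentially with $i$:
  $|F_{c_{i-1},f_i}|$ $|c_{i-1}|+|f_i|$
  $|c_i| = |\mathrm{Eval}_{pk}(F_{c_{i-1},f_i}, c^*)|$ $\mathrm{poly}(n)(|c_{i-1}|+|f_i|)$
o Does not happen if underlying scheme is compact
  Or even $|\mathrm{Eval}_{pk}(F_{c_{i-1},f_i}, c^*)| = |c_{i-1}| + \mathrm{poly}(n)|f_i|$
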
Other Constructions
o Private 1-hop HE + Compact 1-hop HE
  $\Rightarrow$ Compact, Private 1-hop HE
  $\Rightarrow$ Compact, Private multi-hop HE
o A direct construction of multi-hop HE from Yao’s protocol

Summary
o Homomorphic Encryption is useful
  Especially multi-hop HE
o A method for constructing HE schemes from linear ECCs in rings
  Two ($+\varepsilon$) known instances so far
o Connection to two-message protocols for secure computation

Thank You