Fully homomorphic encryption scheme using ideal...
Transcript of Fully homomorphic encryption scheme using ideal...
Fully homomorphic encryption scheme using ideal lattices
Gentry’s STOC’09 paper - Part I
1
( ) : On input 1 , outputs a pair of keys, , .
: On input a public key and a plaintext ,
outputs a ciphertext . We write ( , ). T
(
Homomorphic encryption
pk
pk sk
pk Mpk
λ
π
ψ ψ π
∈
←
•
•
KeyGen
Encrypt
Encrypthe plaintext space may depend on .)
: On input a secret key and a ciphertext , outputs a plaintext . We write ( , ).
: On input a circuit , public key
pkM pk
sksk
C pk
ψπ π ψ
•
•
←Decrypt
Decrypt
Evaluate
( )1
1
, ciphertexts ( , , ), outputs a ciphertext. We write , , , , .
t
tpk Cψ ψ
ψ ψ ψ…
← …Evaluate
2
( )
( )1 1
, , . The scheme is if for ancorrect for circuit y
plaintexts , , and any ciphertexts ( , , ) with ( , ), it holds th
t
a
Correctness
t t
i i
C
pkπ π ψ ψ
ψ π
•
•
Σ =
Σ
… …
←
KeyGen Encrypt, Decrypt Evaluate
Encrypt
( )( ) ( )
1
1
: , , , ,
, , , t
t
pk C
C sk
ψ ψ ψ
π π ψ
←
… =⇒
…Evaluate
Decrypt
3
( ) , , .
The scheme is if the output ciphertext of is independent (in le
compactngth) of the input circuit ; more specificly,
ca
Compactness
C
•
•
Σ =
Σ
KeyGen Encrypt, Decrypt Evaluate
Evaluate
Decrypt
( )( )
( )
1
1
n be expressed as a circuit of size poly( ).
This is to avoid trivial solutions such as: , , , , simply returns
: , , , as the ciphertext.
, decrypts
t
t
pk C
C
sk
λ
ψ ψ
ψ ψ ψ
ψ
…
= …
•
Evaluate
Decrypt
( )1
each to and computes
, , .i i
tC
ψ π
π π…
4
( ) , , .
: a class of circuits (including the identity circuit).
is if is correct and compact for every circu
-homomorphiit i
c
Fully homomorphic encryption
Σ =
Σ Σ
•
•
•
KeyGen Encrypt, Decrypt Evaluate
C
C
somewhat homomorphic
fully h
n .
is if it is -homomorphic for set of circuits .
is if it is homomorphic for circuits (i.e., -homomorphic for the set of all circui
s
omomorphic
o e
t
m
all
Σ
Σ
•
•
C
CC
C s ).C
5
( )
{ }
( ) ( ) ( ) ( ) ( )
( )
( )
, , .
A family of schemes : is said to be
iff: all
leveled fully homo schemes u
morp
se hie
cth s
Leveled fully homomorphic encryptiond d d d d
d
d
d +
•
•
Σ =
Σ ∈
Σ
KeyGen Encrypt , Decrypt Evaluate
( )
( )
ame decryption circuit, is homomorphic for all circuits of depth up to (that use some specified set of gates), the computational complexity of 's algorithms is polynomia
d
d
dΣ
Σ
( )l in , , and (in the case of ) the size of .
ddC
λ Evaluate
6
The concept of fully homomorphic encryption, originally called was proposed by Rivest, Adleman and Dertouzos in 1978 (one yea
pri
r after vacy homomorph
ism,
Homomorphic encryption before Gentry•
RSA was published).
Homomorphic encryption schemes before 2009: Multiplicatively homomorphic:
AdditivelRSA, ElGammal, etc.
Goldwasser-Micali, Paillier, etc.y homo
morphic:Quadratic p
•
1
Boneh-Goh-Nissim but with "Polly Craker" by Fellows and Koblit
olynomials:Arbitrary circuits exponential ciph
z (poly-size, depth
ertext-size:
NC (log ), using bounded fan circu iits -O n
n AND, OR, and NOT gates): Sanders-Young-Yung
7
In 2009, Gentry proposed the first FHE scheme.
Three steps: Building a somewhat homomorphic encry
ption scheme using ideal lattices a
Squ
Gentry's fully homomorphic encryption scheme•
•
shing the Decryption Circuit Bootstrapping
8
Bootstrapping
9
{ } { }
{ }
AND, XOR , i.e., , , is a complete set of gates, from which any Boo
Fa If an encryption scheme is -homomorphic, then
lean function can be constructed.
,i
lse:
Why does SH not imply FH?
+ ×
• + ×
•
t is fully homomorphic.
Ciphertexts typically contain an "error" or "noise". When operations are performed on ciphertexts, errors grow. When the error becomes too large, the c
Rea
iph
son:
x
erte
•
t cannot be correctly decrypted.
10
{ }
( )
1 1
Key: a large odd integer .
Encryp( , ): To encrypt a bit wh
0,1 , let 2 ,2 . 2 is the no
ere , are random with 0
Decryp( , ): let mod mod 2.
is
e.
If
Examplep
c pq r mr p
c
p m mq r
p c m
r
c
pq
p
•
• ∈
≤
=
= + +
= +
•
•
1 1 2 2 2 2
1 2 1 2 1 2
1 2 1 2 1 2 1 2 1 2
2 2 , then is a ciphertext of , with noise 2( ), and
is a ciphertext of , with n
What if the no
and
oise 2(2 ).
The no ise gro
i
ws!
c s be e
r m c pq r mc c m m r rc c m m r r r m m r
+ = + ++ + +
+
•
+
•
omes too large, say 2 ?r p>11
{ } Can we have a -homomorphic encryption scheme ?
That is, the ciphertexts output by is a
s
without noises growin
fresh as those output by (in terms of amount o
g
f
,
Challenge
ו
•
+
EvaluateEncrypt noise).
Such a scheme will automatically be fully homomorphic.
Gentry proposed a simple yet powerful strategy to achieve that (no noise gro Boot
wi sng tr): ap
ping!
•
•
12
In a nut shell, bootstrapping is to perform (augmented) homomorph y
icall .
Bootstrapping•
Decrypt
13
m m
skA
m
skA m
Decrypt
EvaluateDecrypt
Pink box: encrypted under pkA. Blue box: encrypted under pkB.
A
B
We can allow anyone to convert a ciphertext under key pk into a ciphertext under key pk w/o revealing the message.
If we can evaluate homomorphically•
decrypt
14
fresh May use WeakEncrypt
Decrypt
Decrypt
skA c1 skA c2
NAND
m1 NAND m2
c1, c2 are ciphertexts of m1, m2 under key pkA
: a gate (with input and output in the plaintext space). -augmented decryption circuit: illustrated below.
-augumented decryption circuitgg
g••
NAND-augmented Decrypt:
15
Decrypt
Decrypt
skA c1 skA c2
NAND
m1 NAND m2
B
1 2
Encrypt all input using pk (figuratively, put them
N
in a blue box). Evaluat AND-Decrye We obtain a "fresh" ciphertext of NAND under key
pt. p
If we can evaluate NAND-Decrypt homomorphically
m m
••• Bk .
Evaluate
16
fresh
m1
m2
m1
m2
1 2
1 2
then from the ciphertexts of and under , we can obtain a "fresh" ciphertext of under key , provided that the encryptio
NAND
If we can evaluate NAND-Decrypt homomorphically...
A
B
m m pkm m pk
•
1 2 N
n of
AND
under is given.
That is, we can perform homomorphically without increasing the noi e
s .
A Bs
m m
k pk
•
17
( )
1
1 2 3 4
2 3 4
AA
with , , , encrypted under pk , pk , , .. , ,
Suppose we want to evaluate this circuit homomorphically, m m m
Cm
ψ ψ ψ ψEvaluate
1
2
3
4
mm
mm
18
skA m1 m2
m1 N
AN
D m2
Evaluate D
ecrypt-NA
ND
skA m3 m4
m3 N
AN
D m4
Evaluate D
ecrypt-NA
ND
m1 N
AN
D m2
m3 N
AN
D m4
Evaluate D
ecrypt-NA
ND
skB
(m1 N
AN
D m2 ) N
AN
D (m3 N
AN
D m4 )
19
( ) , , .
: a set of gates (with input/output in the plaintext
space).
( ) : the set of -augmented , .
: a class of circuit
Bootstrappable encryption
D g gΣ
•
•
•
Σ =
Γ
Γ ∈Γ
•
KeyGen Encrypt, Decrypt Evaluate
Decrypt
C
bootstrappable with respect to
s (including the identity circuit).
Suppose is -homomorphic.
is said to be if ( ) .
If is bootstrappable w.r.t. a complete
set of gates (including th
DΣΓ
Σ
Σ Γ
•
⊆
Γ
•
• Σ
C
C
{ }( )
e identity gate), then we can construct a leveled fully homomorphic
family of schemes : (for circuits with gates in ).d d +Σ ∈ Γ20
( )
( ) ( ) ( ) ( )
( )
Assume , , is bootstrappable w.r.t. a set of gates . We construct from
, ,
: homomorphic for circuits of depth
d d d d
d d
Σ =
Γ
Σ =
•
Σ
Σ ≤
KeyGen Encrypt, Decrypt Evaluate
KeyGen Encrypt , Decrypt E( )( )
(
( )
1
)
.
//The same algorithm for all .// Use to generate 1 key pairs ( , ), 0 . Represent as a sequence o
, :
f plaintexts: ( , , ).
d
d
i i
i i i i
dd sk pk i d
sk s k sk
d
k s
λ•
+ ≤ ≤=
val
Key
uate
Key
Ge
Ge
n
n
( )
{ }
1
( )0
( )0 1
Encrypt (each element of) , .
Secret key: .
Public key: , .
i i i i
d
di ii d i d
sk sk pk sk
sk sk
pk pk sk
−
≤ ≤ ≤ ≤
←
=
=
: Encrypt
21
1 01
1 1 0
d
d d
d pk pkpk
sk s
pk
k k sks
−
−
22
Decryption key
Encryption key
The rest are the evaluation key
( )
(
)
)
(
( )
( )
Input: a public key and a plaintext . Output: cipher
:
:
text , .
Input: a secret key and a ciphertext . Output: cip e
r
h t
d
d
d
d
d
pkpk
sk
πψ π
ψ
←
•
•
Encry
Encrypt
Decrypt
pt
( )
(
0
( )
)
ext , .
Remark: is assumed to be an output of What if was pr
.od ?uced by
d
d
skπ ψ
ψ
ψ
←
Decryp
Evaluate
Encrypt
t
23
( )
( )
( ) ( )
( ) ( )
Recursive procudure:
has exactly levels; gates at level are connected to gates at level 1. (
, ,
Any circui
:
t o
, , .
f d pth
e
d dd d
C
pk C
pk C
ii
δ
δ
δ δδ
δ
Ψ
−
Ψ
•
Evaluate
Evaluate
( )( ) ( )
can be converted to such a circuit by inserting identity gates.)
is a tuple of ciphertexts under
Initial call: , , .
.
d dd d
p
k C
k
p
δ δ
δ≤
Ψ
Ψ
Evaluate
24
… under
pk
δ
δΨ ⇒
Cδ
( )( ) ( ) , , pk Cδ δδ δΨEvaluate
level δ level 1
25
…
1
encryptedunder
, sk
pk
sk
δ
δ
δ
δ δ
−
Ψ
Ψ ⇒
augmented with decryption circuits Cδ
( )( ) ( ) , , pk Cδ δδ δΨEvaluate
Decrypt circuits
level δ level 1
26
1
1
1
underencrypted under
, skpk
pk
sk
δ
δ
δδ
δ
δ δ
−
−
−
Ψ
Ψ ⇒ ⇒Ψ
Decrypt circuits
…
1Cδ −
level 1 level 1δ −
( )( ) ( ) , , pk Cδ δδ δΨEvaluate
27
…
1Cδ −
( )( 1) ( 1)1 1Call , , pk Cδ δ
δ δ− −
− −Ψ Evaluate
level 1 level 1δ −
1
1
under
pk
δ
δ
−
−Ψ ⇒
28
Cδ
( )( )
0 0
0
(0) (0)0 0
When simply return
which is under and can be dec
0,
rypted w .
,
ith
, ,
dpk sk sk
pk Cδ = Ψ
=
ΨEvaluate
under
pk
δ
δ δΨ ⇒ ⇒Ψ
29
{ }( )
Theorem. If is bootstrappable w.r.t. a complete set of gates (including the identity gate), then the family
: constructed above is leveled fully homomorphic
(for
Correctness
d d +
ΣΓ
Σ ∈
•
( )
circuits with gates in ).
That is, correctly evaluate any circuit (composed of gates in ) of depth at most
.
d
d
Γ
Γ• Decrypt
30
Theorem. For a circuit of and (the number of wires), the time complexity of evaluating is dominated by ( ) applications of
depth si
and ( ) applications
ze Complexity
CC
O s l O s
d s•
⋅ Encryptof to ( )-augmented decryption circuits,
where ( ) is the number of "bits" of each ciphertext and sk.
Remark: If the given circuit has depth and size s, it can be converted
g
C d
λ
•
∈Γ=
<
Evaluate
into a circuit of depth and size at most .
Theorem. For a circuit of and (the number of wires), the time complexity of evaluating is dominated by
depth si
( ) applica
ze
tio
d sd
CC
O s l d
d s
⋅ ⋅
≤•
ns of and ( ) applications of to ( )-augmented decryption circuits.
O s dg
⋅∈Γ
EncryptEvaluate
31
( )
Theorem. If is semantically secure, then is semantically secure for each .
Two questions:
What's the meaning of semantic security fo
r homomorphic
Security
d d• Σ
Σ
•
encryption schemes?
How to prove the theorem
?
32
33
Challenger: on input the security parameter , generates a key pair ( , ),
sends to the adversary.
Adversary: produces two me
Semantic security game for public-key encryption
pk skpk
λ•
•
0 1ssages , , and sends them to the challenger.
Challenger: chooses a random bit {0, 1} and sends Enc ( ) to the adversary.
Adversary: determines whether 0 o
Question:
r
D es
.
o
1
pk b
m m
bc m
b b
←←
= =
•
•
this model apply to homomorphic encryption?
Is it different from that for ordinary public-key encryption? We will argue that it is the same.
Since ciphertexts may be produced by
,
Semantic security for homomorphic encryption •
• Evaluate
0 01 0
1 11 1
a natural modification to the model is to let the adversary provide a circuit and two inputs ( , , ), ( , , ).
The challenger chooses {0,1}, encrypts as , r ns u
t
t
b
C m mm m
bψ
•
…= …
←←
=mm
m ψEva , and gives to the
adversary as the challenge ciphertext.
The challenger may simply give as the challenge ciphertext, since the adversary can
(pk, , )
(pk, run
t, ) i s
C
Cψ
ψ
•←
ψ
ψψ
luate
Evaluate elf.34
So, the semantic security game for homomorphic encryption is the same as the semantic security game for ordinary pub
lic-key encryption.
It has been shown t
multi-ciph
hat an alg
e
o
rt
ri
ext
thm
•
• A that breaks the semantic security of the game with multiple ciphertexts can be used to construct an algorithm B that breaks the semantic security of the ordinry game. That is, break ing s
.
Therefore, to prove semantic se
ingle-ciphertext semantic secu
curity of a homomorphic encry
rity breaking mult
ption scheme, we c
i-cipher
an just
text semantic s
use the semanti
ecur
c ga
m
i y
fo
t
e
≤
•r
ordinary public-key encryption.
35
( )
1 01
1 1 0
Theorem. If is semantically secure (and bootstrappable), then is semantically secure for each .
These encrypted
Why is it not trivial?
d
d
d d
d
d
pk pkpk
sk
pk
sksk sk
−
−
• Σ
Σ
keys might leak information about the ciphertext (under ), unless we prove otherwise.
i
d
skpk
36
( ) Game is the same as the game for except that each ,
1, is replaced by some unrelated to :
( , ) (1 )
encry
p
Semantic Security Game , 0.d
i
i i
i i
i
k sk
d i sk pksk pk
sk
k d k
λ
Σ
′≥ ≥
′ ′ ←
′
•
←
≥ ≥
KeyGen
1
( )
01
1 0
tion of under
Game game for . Game 0 game for .
i
d
k
d k
d
sk pk
d
pk pkpk
sk s
pk
sk kk s
−′
= Σ = Σ
′
•
′
37
( )
To prove the theorem, assume the existence of an adversary that has a non-negligible advantage against (Game 0). We construct an algorithm that breaks (Game ) with a non-negligib
dA
B dΣ
•
Σ
1 0
le advantage. ( will use as a "subroutine".) Let ( ) 's advantage in Game .
Apparently, ( ) ( ) ( ). Two cases:
( ) is non-negligible ( breaks and we are d
o
ne
k
d d
d
B AA k
A
ε λε λ ε λ ε λ
ε λ
−
=≤ ≤ ≤
Σ
•
•
1
). ( ) is negligible.
Assume ( ) is negligible. There must exist a 0 such that ( ) is non-negligible and ( ) is negligible.
Fix this and con
sider Games an d 1.
d
d
k k
d k
k k k
ε λε λε λ ε λ+
> ≥
• +
•
38
1
1 0
01
( ) is non-negligible and ( ) is negligible.
insecure against , but
k
k k
d k k
d k
pk pk pk pk
sk skA
k sks
ε λ ε λ+
+
+
′
•
1 1
1 1
Game against
So, can help us distinguish betw
Three players, tw
secure if is
o games:
(c
een and .
hallenger)
replaced b
(adv
y .
ersary) (cha
k
k
k
k
A s
sk sk
C
k
B
sk+
+
+
+
Σ
′
•
′
( )Game against
llenger) (adversary)
Remark: between and is a multi-ciphertext game.
d
A
B C
Σ
•
39
1
1 0
0
1
( ) is non-negligible and ( ) is negligible.
insecur e if
secure
i
k k
d k
d k
k
pk pk pk
sk sk sk
k
pk
s
ε λ
ψ
ε λ
ψ
+
+
+
′
•
=
1
1 1 can help us distinguish betw
f
een and .
.k
k kA sk sk
skψ +
+ +
′=
′
40
0 1 1 1
Game against
(challenger) 1. generate , ; send , to ;2. send to ; ( is t
(adversary)5.8. o
k k
Cpk sk sk sk C
pk
B
B Bπ π+ +
Σ
′= =
Game aga
guess , with 's help);6. choose ; if then 0 else 1;7. sen
14.15
(challenger)
d ( ) to ; . send to .
(adversary)
pk b
b Ab b b
E B b C
AB
β βψ π
′ ′ ′= = =′←
( )
0 1
1
inst
set up the game with ; 11. send plaintexts , to ; replace by ; 13. send its guess to ;
3.4.
9
rep. lace by ; s0 1 .
d
k
k
A Bpk pk B
sk
π πβ
ψ+
Σ
′ ′
′
end the "keys" to ; choose and send ( ) to ;12.
dpk
AE Aββ ψ π′ ′← 41
( )In summary, if has a non-negligible advantage against , then has a non-negligible advantage against the multi-ciphertext version of , from which one can construct an algorithm ' a
g
dAB
B
Σ
Σ
•
( )
ainst (the single-ciphertext version of) with a non-negligible advantage. This proves the theorem.
Theorem. If is semantically secure (and bootstrappable), then is semantically secu
d
Σ
Σ
Σ
•
re for each .d
42
( ) The public key of (including the evaluation key) contains 1 -public keys and a chain of encrypted -secre
Question: why don't w
t keys.
e use j
ust
Can we use just one pair of keys? d
d dΣ•
•
+ ΣΣ
0
0 0
1 0 0 0 01
1 1 0 0 0
one pair o
f
keys?
d
d d
d pk pk pk pk pkpk
sk sk
pk pk
sk sksk sksk sk
−
−
⇒
43
?
{ } ( )
( )
( )0 0 0 0 0
Theorem. If is KDM-secure, then we can shorten to
, , with , . Then, all
are the same and we have
FHE schan
Leveled FHE becomes FHE if is KDM-secured
d
pk
pk sk sk pk sk
Σ
← Σ
•
Σ
Encrypt
1 0 0 0 00
0 0
1
1 1 0 0 0
eme.
d
d
d
d
pk pk
s
pk pk pk pk pkpk
sk sk sk sk kk sks sk
−
−
⇒
44
KDM-Security
(KDM: Key-Dependent Message)
45
46
[ ] ( )
[ ]
0 1
0 1
In the IND-CPA game,
1 , , , ( ) : Pr wins Pr .
(1 ), {0,1}, ,
Define the to be Pr wins 1 2 .
adve
An enc
rsar
y's advantag
r
e
Recall: IND- CPA (semantic security)
kk
u A
EbA m m E
Ak G b m
m b
m M
A
λ
λ
= ← ← ←
−
•
•
•
negligibleyption scheme is IND-CPA if all polynomial-time
adversaries have advantages.
Remark: The game for asymmetric encryption is sim . ilar•
Semantic security assumes that the messages to be encrypted are independent of the secret key.
Suppose ( , , ) is semantically secure (IND-CPA). Suppose we modify the encryption algorit
G E D
•
• Σ =hm such that
0 ( ) if ( )
1 otherwise
Q: Is ( , , ) semantically sec
is apparently insecure if it is used to encrypt the
ure?
, and potentially in
key is
l
tse f
kk
E m m kE m
k
G E D
≠′ =
′ ′Σ =•
• ′Σ
ecure if used to encrypt key-dependent messages.
This suggests the notion of KDM security.•47
48
Parameters: security parameter , an integer 0, a class of functions that map secret keys to a message.
Setup. The challenger chooses a ran
KDM-security game (for asymmetric encryption)n
C nλ•
•
>
1 1
1
dom bit {0, 1}, generates key pairs ( , ), , ( , ), and sends public keys ( , , ) to the adversary.
Queries. The adversary issues queries of the form ( , ) with
1 a
n n
n
bn pk sk pk sk
pk pk
i fi n
•
←…
≤ ≤
1
nd . The challenger responds with( , ) if 0
where ( , , ).( , 0 ) f 1
Finish. The adv ersary guesses whether 0 or 1.
inm
i
f CE pk m b
c m f sk skE pk i b
b b•
∈
=← =
=
= =
49
A public-key encryption scheme is if all polynomial-time adversaries have negligible advantages in
-way KDM-securewith re
the KDM-security gamespect
.
B
to
oneh et al (Crypto'
KDM-securityn
C•
•
1
1
08) proposed a KDM-secure encryption scheme w.r.t. the following class of functions: all constant functions: ( , , ) for . all selector functions ( , , ) for 1 .
m n
i n i
f x x m m Mf x x x i n
= ∈= ≤ ≤
KDM-security for this class of functions implies semantic security as well as circular security. (In circular security, we have a cycle of key pairs, and we are allowed to encrypt ch
ean
•
( mod ) 1 , 1 , under ). i i nsk i n pk +≤ ≤
50
The KDM-security needed to convert leveled FHE to FHE is circular security for some 0.
Since the underlying SHE is bootstra
ppable, using multiple key-pairs
The KDM-security needed for FHE
n
•
>•
( 1) does not seem to be more secure than using just one pair ( 1). Why?
nn
>=