Algebraic Lower Bounds for Computing on Encrypted Data

Rafail Ostrovsky, William E. Skeith III


Non-Interactive Crypto-Computing

Diagram: party A holds X, party B holds Y.

A → B: E(X)

B computes g(E(X), Y) = E(f(X,Y)) and returns it.

A wants to distribute computation of f to B.


Homomorphic Encryption and CC

• Homomorphic encryption is a very natural starting point, and the primary tool for many CC protocols:

• Let f be a function, and A some algebraic structure.

– If f can be computed by the algebra of A and A is preserved via homomorphic encryption,

– Then we have non-interactive CC of f.


Algebraic Non-Interactive CC

• For a given algebraic structure, what can be accomplished with algebraic computation?

• Main question: which crypto-computing functions can we implement using known homomorphic cryptosystems?


Examples We’ll Study

• In an algebraic setting, we address the following:

– Private Database Modification

– Homomorphic PIR Protocols

– Private Keyword Search


Algebraic Private Database Modification [BKOS]

Diagram: user U sends M_i = (g_1, g_2, …, g_m) to the database DB, which holds X = (x_1, …, x_n).

DB computes X' = F(x_1,…,x_n, g_1,…,g_m, h_1,…,h_r).

All g_j, x_i, h_k ∈ A, and F is some “algebraic” function.


Homomorphic PIR Protocols [BGN,KO]

Diagram: user U sends Q_i = (g_1, g_2, …, g_m) to the database DB, which holds X = (x_1, …, x_n).

DB returns (x_{i_1}, …, x_{i_l}) = F_X(g_1,…,g_m, h_1,…,h_r).

All g_j, h_k ∈ A, and F_X is some “algebraic” function determined by the database X ∈ A^n.


Manuscript (2002) of Sander, et al.

• Result uses techniques of Ben-Or.

• Cryptosystem from manuscript was broken… however, an interesting question is asked:



Two Results

• A positive result:

– Homomorphic encryption over any simple non-abelian group is equivalent to fully homomorphic encryption (preserving a ring).

– Homomorphic encryption over any simple non-abelian group is equivalent to non-interactive CC.

• A family of negative results (i.e., lower bounds):

– Using the algebras preserved by existing cryptosystems, we can show lower bounds for homomorphic PIR, database modification, characteristic vectors…


Our First Result:

• For any non-abelian simple group, the following holds: Any circuit with N gates can be replaced by a circuit of size O(N) that uses only the group operation to simulate gates (wires will carry group elements).

• Example: for A5, we can represent a NAND gate with ≈ 50 group operations (this may not be minimal…).
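As an added illustration of this first result (written for this page; it is not the authors' construction, and the element names, the search-based choice of constants and the operation counter are this example's own), the Python below builds a NAND gate in A5 out of group multiplication and inversion alone, Barrington-style, and checks its truth table. Bits travel on wires as permutations: the identity encodes 0 and a fixed 5-cycle ALPHA encodes 1. AND is a commutator, which collapses to the identity as soon as either input is the identity; NOT multiplies by ALPHA^-1 and re-conjugates. The operation count reported here is smaller than the slide's figure because it depends on what is taken as a primitive (inversion is counted as one operation) and on the encoding chosen.

```python
from itertools import permutations

# Permutations of {0,...,4} as tuples; (p o q)[i] = p[q[i]], so q is applied first.
def compose(p, q):
    return tuple(p[q[i]] for i in range(5))

def inverse(p):
    inv = [0] * 5
    for i, pi in enumerate(p):
        inv[pi] = i
    return tuple(inv)

def parity(p):
    """0 for an even permutation, 1 for an odd one (inversion count mod 2)."""
    return sum(1 for i in range(5) for j in range(i + 1, 5) if p[i] > p[j]) % 2

IDENT = (0, 1, 2, 3, 4)
ALPHA = (1, 2, 3, 4, 0)        # 5-cycle 0->1->2->3->4->0; encodes bit 1, IDENT encodes bit 0
A5 = [p for p in permutations(range(5)) if parity(p) == 0]   # the 60 even permutations

def conj(t, p):
    """t p t^-1 (used only in the offline search for the gadget's constants)."""
    return compose(compose(t, p), inverse(t))

def commutator(x, y):
    return compose(compose(compose(x, y), inverse(x)), inverse(y))

def find_conjugator(src, dst):
    """Some t in A5 with t src t^-1 == dst, or None if src and dst are not A5-conjugate."""
    for t in A5:
        if conj(t, src) == dst:
            return t
    return None

def choose_partner():
    """A beta in ALPHA's A5-conjugacy class whose commutator with ALPHA is again
    A5-conjugate to ALPHA (one exists: the classic Barrington pair of 5-cycles)."""
    for beta in (conj(t, ALPHA) for t in A5):
        gamma = commutator(ALPHA, beta)
        if gamma != IDENT and find_conjugator(gamma, ALPHA) is not None:
            return beta
    raise RuntimeError("no suitable partner element found")

# Public constants of the gadget, fixed once; their inverses are precomputed.
BETA = choose_partner()
RHO = find_conjugator(ALPHA, BETA)                      # rho ALPHA rho^-1 = BETA
TAU = find_conjugator(commutator(ALPHA, BETA), ALPHA)   # tau [ALPHA,BETA] tau^-1 = ALPHA
TAU_NOT = find_conjugator(inverse(ALPHA), ALPHA)        # tau_not ALPHA^-1 tau_not^-1 = ALPHA
RHO_INV, TAU_INV, TAU_NOT_INV, ALPHA_INV = map(inverse, (RHO, TAU, TAU_NOT, ALPHA))

# Group operations applied to wire values are counted: these are the operations a
# group-homomorphic scheme would have to carry out on ciphertexts.
OPS = {"mul": 0, "inv": 0}

def mul(p, q):
    OPS["mul"] += 1
    return compose(p, q)

def inv(p):
    OPS["inv"] += 1
    return inverse(p)

def encode(bit):
    return ALPHA if bit else IDENT

def decode(p):
    return 0 if p == IDENT else 1

def and_gate(x, y):
    """Inputs in {IDENT, ALPHA}. Output is IDENT unless both inputs are ALPHA."""
    y2 = mul(mul(RHO, y), RHO_INV)                 # re-encode y so that its "1" is BETA
    c = mul(mul(mul(x, y2), inv(x)), inv(y2))      # commutator: IDENT if either input is IDENT
    return mul(mul(TAU, c), TAU_INV)               # normalise the "1" back to ALPHA

def not_gate(z):
    """z * ALPHA^-1 maps {IDENT, ALPHA} to {ALPHA^-1, IDENT}; conjugation restores the encoding."""
    return mul(mul(TAU_NOT, mul(z, ALPHA_INV)), TAU_NOT_INV)

def nand_gate(x, y):
    return not_gate(and_gate(x, y))

def nand_truth_table():
    return {(a, b): decode(nand_gate(encode(a), encode(b)))
            for a in (0, 1) for b in (0, 1)}

def nand_cost():
    """Group operations on wire values for one NAND evaluation."""
    OPS["mul"] = OPS["inv"] = 0
    nand_gate(encode(1), encode(1))
    return dict(OPS)

if __name__ == "__main__":
    print(nand_truth_table(), nand_cost())
```

Because every gate output is again either the identity or ALPHA, gates compose freely, which is what lets a circuit with N gates become a straight-line program of O(N) group operations on wires carrying group elements.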


More Formally:


Our Second Result: Overview

• We’ll make an abstract algebraic observation.

• From the observation, we’ll derive:

• Ω(n) bounds (over an abelian group) for

– algebraic private database modification

– homomorphic PIR

• Bounds on conjunctive queries in the keyword search of [OS,BSW]

• First, a few definitions...


Characteristic Vectors over a Group

• Let G be a group. We’ll call v ∈ G^n a characteristic vector if v is non-identity in precisely one position:

• v = (id_G, id_G, …, x, id_G, …, id_G)

• Let V = {v_i}_{i ∈ [n]} be a complete set of such vectors.


Question

• What is the inherent communication involved in “algebraic” functions that generate characteristic vectors?

• We’ll reduce all of our algebraic crypto-computing protocols to this basic functionality.


Idea: Generating Char. Vectors

∃ F: G^m → G^n, an “algebraic” function s.t.

For each i ∈ [n],

∃ w_i = (g_1,…,g_m) with F(w_i) = v_i


An Algebraic Observation

• Let A and G be abelian groups.

• Let F: A → G^n be an “affine” group map, i.e.,

F = f + c, where

f ∈ Hom_Z(A, G^n) and c ∈ G^n.

• Then if V ⊆ F(A), we have

log(|A|) ∈ Ω(n)


Difficulties

• Can’t we use linear algebra to immediately prove the theorem?

• The most naturally occurring instance (in cryptography) is the case of A = G^m.

• If G were a field, this would be an easy linear-algebra dimension argument, but this is not generally the case (G is only assumed to be an abelian group).

• Even with G cyclic, we could successfully implement this with m = 1. (I.e., we can specify characteristic vectors by communicating only a single group element.)


Example: m=1
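The slide's own m = 1 example is not reproduced in this copy. As an added illustration written for this page (not the authors' construction) of the point just made, the Python below takes the cyclic group G = Z_N with N the product of the first n primes, sets A = G (so m = 1), and uses the homomorphism F(g) = (g·N/p_1, …, g·N/p_n) mod N; the single element w_i = N/p_i then maps to the i-th characteristic vector. It also computes log2|A| = Σ log2 p_i ≥ n, which is the theorem's Ω(n) reappearing as the bit-length of the one element sent rather than as a count of elements. The choice of primes, the sample pairs in the homomorphism check and all function names are this example's own.

```python
from math import log2

def first_primes(n):
    """The first n primes, by trial division (sufficient for small n)."""
    primes = []
    cand = 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes

def make_instance(n):
    """G = A = Z_N with N the product of the first n primes; returns (N, primes)."""
    primes = first_primes(n)
    N = 1
    for p in primes:
        N *= p
    return N, primes

def F(g, N, primes):
    """The homomorphism Z_N -> Z_N^n: coordinate j multiplies g by the constant N/p_j."""
    return tuple((g * (N // p)) % N for p in primes)

def is_characteristic(v):
    """Non-identity (non-zero, in additive notation) in exactly one coordinate."""
    return sum(1 for x in v if x != 0) == 1

def witness(i, N, primes):
    """w_i = N/p_i: the one element of A whose image is the i-th characteristic vector.
    For j != i the product (N/p_i)(N/p_j) is a multiple of N; for j == i it is not."""
    return N // primes[i]

def all_characteristic_vectors_reachable(n):
    N, primes = make_instance(n)
    for i in range(n):
        v = F(witness(i, N, primes), N, primes)
        if not is_characteristic(v) or v[i] == 0:
            return False
    return True

def is_homomorphism(n, samples=((3, 8), (17, 29), (100, 41))):
    """Sanity check F(a + b) = F(a) + F(b) on a few constructed pairs."""
    N, primes = make_instance(n)
    for a, b in samples:
        lhs = F((a + b) % N, N, primes)
        rhs = tuple((x + y) % N for x, y in zip(F(a, N, primes), F(b, N, primes)))
        if lhs != rhs:
            return False
    return True

def communication_bits(n):
    """log2 |A| for this instance: one element of A is sent, but it carries >= n bits."""
    N, _ = make_instance(n)
    return log2(N)

if __name__ == "__main__":
    for n in (4, 8, 16):
        print(n, all_characteristic_vectors_reachable(n), round(communication_bits(n), 1))
```

This is why a dimension count over m is the wrong measure: the instance has m = 1 for every n, and the growth the theorem predicts sits entirely in |A|.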


Other Non-productive Ideas: Affine to Linear

• Recall that F=f+c is “affine”, and let m denote the number of group elements communicated.

• One might think that the problem could be rephrased as linear by just incrementing m to account for c ∈ G^n.

• However, to model the affine map, you in general need to increase m by a non-constant amount (consider non-cyclic G).

• Certainly, it doesn’t seem to be the “right” approach.


The “Right” Approach:

• Stay abstract.

– Dimension is irrelevant.

– Will give a stronger result.

– Takes care of typical cases nicely, but will actually be quite a bit more general (rules out End(G), etc…).


Lemma


Proof of Lemma


Proof of Theorem (Idea)

• Idea: show that ⟨V⟩ is a Z_{|A|}-module, and apply the Lemma.

• Recall that in an abelian group

– ord(a+b) | lcm(ord(a), ord(b))

• And in any group,

– ord((a,b)) = lcm(ord(a), ord(b))

– ord(f(a)) | ord(a)


Proof of Theorem (1 of 2)

• Let F = f + c be affine, from A → G^n, define V as before, and let c = (c_1,…,c_n).

• Define V' = {v_i − c}_{i ∈ [n]}. (Note: V' ⊆ f(A))

• All elements of V' have order dividing |A|.

• ⇒ all c_i, and therefore c, have order dividing |A|.

• Since A, G are abelian, we have that all of V has elements of order dividing |A|.


Proof of Theorem (2 of 2)

• Since all elements of ⟨V⟩, ⟨V'⟩ have order dividing |A|, they are in fact Z_{|A|}-modules.

• Set R = Z_{|A|} and M = ⟨V ∪ V'⟩ and apply the lemma to yield:

2^n ≤ |⟨V'⟩| · |A| ≤ |A|^2, and hence

log(|A|) ∈ Ω(n)


Consequences

• Over an abelian group,

– Algebraic private modification of an encrypted database: Ω(n)

– Homomorphic PIR protocols: Ω(n)

– Impossibility of conjunctive queries in the keyword search of [OS,BSW]

• Using polynomials of total degree t, bounds become Ω(n^{1/t})



Algebraic Database Modification Implies Characteristic Vectors

• Let X be a database consisting of id_G in all locations.

• Apply F(X, M_i, H) → X'

• X' = v_i will be a characteristic vector.



Homomorphic PIR Implies Characteristic Vectors

• For a moment, suppose the protocol returns an encryption of a single element.

• Let V = {v_i}_{i=1}^n be a complete set of characteristic vectors over G^n.

• Define databases X_i = v_i for i ∈ [n].

• If Q_i queries position i, then

(F_{X_1}(Q_i, H), …, F_{X_n}(Q_i, H))

will be non-identity exactly in position i.


Non-singleton Query Returns

• It may be the case that a PIR query returns many database values, as long as the right value is at a predictable location in the result (e.g. [KO]).

• More generally, we can prove the following algebraic claim:


Claim

• Let V = {v_i}_{i=1}^n be a complete collection of characteristic-type vectors, except that each v_i may be non-identity in up to w(n) locations, for any positive function w.

• Then if V ⊆ F(A), we have that:

log(|A|) ∈ Ω(n / w(n))


General Case: Homomorphic PIR Implies Characteristic Vectors

• Suppose that the query returns k values.

• Define f_i(g_1,…,g_m) = ∑_{j=1}^{k} (F_{X_i}(g_1,…,g_m, h_1,…,h_r))_j (summing the k returned coordinates in the abelian group).

• (f_1(g_1,…,g_m), …, f_n(g_1,…,g_m)) will be non-identity in at most k positions.

• ⇒ user communication is Ω(n / k(n)).

• Server communication is clearly at least k(n), so we are done.


Other Types of Cryptosystems

• Recently there has been a lot of attention on bilinear maps in cryptography.

• The work of [BGN] demonstrates a cryptosystem that allows polynomials of total degree 2 to be evaluated on ciphertext.


Polynomials of Bounded Total Degree

• We can prove an extension of our original algebraic result, which gives similar bounds on the utility of total-degree-t polynomials (even for t > 2).


Corollary


Proof Idea

• The number of monomials in an m-variable polynomial of total degree t is O(m^t).

• Simulate such a polynomial with a total degree 1 polynomial in O(m^t) variables.

• Apply initial theorem to the abelian group (R,+).
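An added worked example of the linearization step (this is not the slides' proof; the ring R = Z_q, the sample polynomial, the input values and the function names are constructed here): over R, every polynomial of total degree at most t in m variables is a linear combination of the C(m+t, t) ≤ (m+1)^t monomials of degree at most t, so a sender who transmits the value of every such monomial turns the degree-t map into a degree-1 (affine) map on (R^M, +) with M = O(m^t), and the abelian-group theorem then applies to A = R^M. The code enumerates the monomial basis, evaluates a sample polynomial both directly and through its linearization, and checks the monomial count bound.

```python
from itertools import combinations_with_replacement
from math import comb

def monomials(m, t):
    """All exponent vectors in m variables with total degree <= t, constant included,
    in a fixed order so that sender and evaluator agree on the basis."""
    out = set()
    for d in range(t + 1):
        for combo in combinations_with_replacement(range(m), d):
            e = [0] * m
            for var in combo:
                e[var] += 1
            out.add(tuple(e))
    return sorted(out)

def count_monomials(m, t):
    """C(m+t, t): the size of the basis, which is O(m^t) for fixed t."""
    return comb(m + t, t)

def eval_poly(poly, x, q):
    """poly maps exponent tuple -> coefficient; returns sum c * prod x_i^e_i mod q."""
    total = 0
    for e, c in poly.items():
        term = c % q
        for xi, ei in zip(x, e):
            term = term * pow(xi, ei, q) % q
        total = (total + term) % q
    return total

def linearize(poly, m, t):
    """Coefficient vector over the monomial basis: a degree-1 map in the new variables."""
    return [poly.get(e, 0) for e in monomials(m, t)]

def expand_input(x, m, t, q):
    """The sender's side: one new variable per monomial, holding that monomial's value."""
    return [eval_poly({e: 1}, x, q) for e in monomials(m, t)]

def eval_linear(coeffs, y, q):
    """The degree-1 polynomial over (R^M, +) that simulates the original one."""
    return sum(c * v for c, v in zip(coeffs, y)) % q

def demo():
    """Constructed instance: R = Z_101, m = 3, t = 2,
    p(x) = 7 + 3*x0 + 5*x1*x2 + 9*x0^2 evaluated at x = (4, 10, 6)."""
    q, m, t = 101, 3, 2
    poly = {(0, 0, 0): 7, (1, 0, 0): 3, (0, 1, 1): 5, (2, 0, 0): 9}
    x = (4, 10, 6)
    direct = eval_poly(poly, x, q)
    via_linear = eval_linear(linearize(poly, m, t), expand_input(x, m, t, q), q)
    return direct, via_linear, len(monomials(m, t))

def basis_bound_holds(max_m=8, max_t=5):
    """C(m+t, t) <= (m+1)^t, the O(m^t) count used on the slide, checked on a small range."""
    return all(count_monomials(m, t) <= (m + 1) ** t
               for m in range(1, max_m) for t in range(1, max_t))

if __name__ == "__main__":
    print(demo(), basis_bound_holds())
```

The price of the simulation is the number of new variables: communication of m ring elements becomes M = C(m+t, t) elements, which is where the bound weakens from Ω(n) to Ω(n^{1/t}).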


More General Results

• If given the ability to compute polynomials of total degree t, we obtain similar bounds, only with n replaced by n^{1/t}.

• In particular, this corollary gives Ω(n^{1/2}) bounds when applied to algebraic protocols based on the cryptosystem of [BGN] (this matches the upper bound for database modification seen in [BKOS]).


Generality of Results

• The algebraic assumptions may seem quite rigid, but are often appropriate in crypto-computing settings.

• From an algebraic point of view, however, they are very general:

– Incorporates all algebraic formulas, but also many other types of maps (formulas with End(G), changing representations, etc…).

– Covers almost all algebraic structures preserved by known cryptosystems.


Perspective

• Help researchers determine the feasibility of various new protocols.

• Especially useful when such protocols are needed as a subroutine in a larger crypto-computing function.

– Protocol may need output with algebraic value to continue the computation.

• Simple non-abelian group-homomorphic encryption:

– Seems pretty hard.

– Equivalent to fully-homomorphic encryption (/ring).


Thank You