Upload
nguyenkhanh
View
234
Download
3
Embed Size (px)
Citation preview
Fully Homomorphic Encryption without Modulus Switching
from Classical GapSVP
Zvika Brakerski
Stanford University
CRYPTO 2012
Outsourcing Computation
Email, web-search, navigation, social networkingโฆ
๐ฅ ๐
๐(๐ฅ)
๐ฅ
What if ๐ฅ is private?
Search query, location, business information, medical informationโฆ
Outsourcing Computation โ Privately
Homomorphic Encryption
๐, ๐ธ๐๐ ๐ฅ1 , โฆ , ๐ธ๐๐ ๐ฅ๐ โ ๐ธ๐๐(๐ ๐ฅ1, โฆ , ๐ฅ๐ )
We assume w.l.o.g ๐ โ *+,ร+ (over โค2).
๐ฅ ๐
๐ฆ
๐ธ๐๐(๐ฅ)
๐ท๐๐ ๐ฆ = ๐(๐ฅ)
Learns nothing on ๐ฅ.
The Old Days of FHE
โข Gentryโs breakthrough [G09,G10] โ first candidate.
โข [vDGHV10, BV11a]: Similar outline, different assumptions.
โข [GH11]: Chimeric-FHE.
โข Efficiency attempts [SV10,SS10,GH10,LNV11].
2009-2011
2nd Generation FHE
โข [BV11b]: LWE-based FHE (= apx. short vector in lattice).
โ Better assumption.
โ Clean presentation: no ideals, no โsquashingโ.
โ Efficiency improvement.
โข [BGV12]: Improved performance via Modulus Switching.
โ Quantitatively better assumption.
โ โLeveledโ homomorphism without bootstrapping.
โ Efficiency improvements using ideals (โbatchingโ).
[GHS11,GHS12a, GHS12b]: Efficiency improvements and optimizations using ideals.
This work:
Modulus switching is a red herring
โScale-independent encryptionโ
โ better performance with less headache
FHE 101 [BV11b]
Secret key: ๐ โ โค๐๐
Ciphertext: ๐ โ โค๐๐
Encryption algorithm: Doesnโt matter.
Decryption algorithm: ๐ โ ๐ ๐๐๐ ๐ (๐๐๐ 2).
Security based on ๐ฟ๐๐ธ๐,๐,๐ผ The Scheme:
๐ โ ๐ = ๐ + 2๐ + ๐๐ผ
small (initial) noise ๐ < ๐ต = ๐ผ๐
dec. if ๐ /๐ <1
4
FHE 101 [BV11b]
Secret key: ๐ โ โค๐๐
Ciphertext: ๐ โ โค๐๐
The Scheme:
๐ โ ๐ = ๐ + 2๐ + ๐๐ผ
small (initial) noise ๐ < ๐ต = ๐ผ๐
dec. if ๐ /๐ <1
4
Additive Homomorphism: That again? Just addโem, dudeโฆ
๐ 1, ๐ 2 โ ๐ 1 + ๐ 2 ๐๐๐ ๐
FHE 101 [BV11b]
Multiplicative Homomorphism:
๐ 1, ๐ 2 โ ๐ 1 โ ๐ 2 ๐๐๐ ๐ โ โค๐๐2
vector of all cross terms ๐ 1 ๐ โ ๐ 2 ๐ ๐,๐
๐ 1 โ ๐ 2 โ ๐ โ ๐ = ๐ 1 โ ๐ โ ๐ 2 โ ๐ = ๐1 + 2๐1 โ ๐2 + 2๐2 (๐๐๐ ๐)
= ๐1๐2 + 2 โ ๐ ๐1๐2 (๐๐๐ ๐)
๐ ๐ changedโฆ but we can bring it back
(we have the technology)
~๐ต2
noise blows up!
๐ฉ โ ๐ฉ๐ โ โฏ โ ๐ฉ๐๐
dec. if ๐ต2๐/๐ <
1
4
Secret key: ๐ โ โค๐๐
Ciphertext: ๐ โ โค๐๐
The Scheme:
๐ โ ๐ = ๐ + 2๐ + ๐๐ผ
small (initial) noise ๐ < ๐ต = ๐ผ๐
dec. if ๐ /๐ <1
4
Modulus Switching [BGV12]
Idea: Bring noise back down by dividing the entire ciphertext by ๐ต.
๐ โ โค๐๐
with noise |๐| < ๐ต2 /๐ต
๐ /๐ต โ โค๐/๐ต๐
with noise |๐| < ๐ต
(make sure not to harm the message bit ๐)
(๐ฉ, ๐) โ (๐ฉ, ๐/๐ฉ) โ โฏ โ (๐ฉ, ๐/๐ฉ๐ )
Noise/modulus evolution:
dec. if ๐ต๐+1 < ๐/4
My Problems with Modulus Switching
1. Modulus switching is scale-dependent. - Scaling ๐ต, ๐ changes performance:
Smaller ๐ต, ๐ smaller ๐ต๐+1/๐ better homomorphism.
2. What does modulus switching really do?
- Same as a scaling factor in the tensoring process ( ๐ 1, ๐ 2 โ ๐ โ ๐ 1 โ ๐ 2 ๐๐๐ ๐ ).
- In a โcorrectโ scale, this factor should be 1.
nothingโฆ
Our Solution: Scale-Independent FHE
Compare with previous:
real numbers ๐๐๐ 2 โก (โ1,1]
Hardness assumption is the same ๐ฟ๐๐ธ๐,๐,๐ผ.
Secret key: ๐ โ โค๐
Ciphertext: ๐ โ โ2๐
๐ โ ๐ = ๐ + ๐ + 2๐ผ
small (initial) noise ๐ < 2๐ผ
dec. if ๐ <1
2
Scale-Independent Multiplication
Multiplicative Homomorphism:
๐ 1, ๐ 2 โ ๐ 1 โ ๐ 2 ๐๐๐ 2 โ โ2๐2
๐ 1 โ ๐ 2 โ ๐ โ ๐ = ๐ 1 โ ๐ โ ๐ 2 โ ๐
= ๐1 + ๐1 + 2๐ผ1 โ ๐2 + ๐2 + 2๐ผ2 (๐๐๐ 2)
= ๐1๐2 + ๐1 โ ๐2 + 2๐ผ2 + ๐2 โ ๐1 + 2๐ผ1 + ๐1๐2 (๐๐๐ 2)
Careful!
1/2 ๐๐๐ 2 โ 2 ๐๐๐ 2 โ 1 (๐๐๐ 2)
~๐ผ2= tiny! ~๐ผ โ |๐ + 2๐ผ|
๐ + 2๐ผ โ ๐ โ ๐ โค ๐ 1
โฒ ๐ผ โ ๐ 1
real numbers ๐๐๐ 2 โก (โ1,1]
Secret key: ๐ โ โค๐
Ciphertext: ๐ โ โ2๐
๐ โ ๐ = ๐ + ๐ + 2๐ผ
small (initial) noise ๐ < 2๐ผ
dec. if ๐ <1
2
Noise blowup: ๐ถ โ ๐ถ โ ๐ ๐
Scale-Independent Multiplication
Multiplicative Homomorphism:
๐ 1, ๐ 2 โ ๐ 1 โ ๐ 2 ๐๐๐ 2 โ โ2๐2
Noise blowup: ๐ถ โ ๐ถ โ ๐ ๐
Not good enough: ๐ 1 โ ๐๐
Solution: Decompose the elements of ๐ into ๐ log ๐ bits.
real numbers ๐๐๐ 2 โก (โ1,1]
Secret key: ๐ โ โค๐
Ciphertext: ๐ โ โ2๐
๐ โ ๐ = ๐ + ๐ + 2๐ผ
small (initial) noise ๐ < 2๐ผ
dec. if ๐ <1
2
๐ = ๐ 1 , ๐ 2 , โฆ
๐ = ๐ 1 , ๐ 2 , โฆ
๐ โ ๐ = ๐ 1 โ ๐ 1 + ๐ 2 โ ๐ 2 + โฏ
๐ = ๐ 1 0, โฆ , ๐ 1 log ๐ , ๐ 2 0, โฆ , ๐ 2 log ๐ , โฆ
๐ = ๐ 1 , 2๐ 1 , โฆ , 2log ๐๐ 1 , ๐ 2 , 2๐ 2 , โฆ , 2log ๐๐ 2 , โฆ
๐ โ ๐ = ๐ 1 ๐ โ 2๐๐ 1๐ + ๐ 2 ๐ โ 2๐๐ 2๐ + โฏ
= ๐ 1 โ ๐ 1 + ๐ 2 โ ๐ 2 + โฏ
Binary Decomposition
Scale-Independent Multiplication
๐ 1, ๐ 2 โ ๐ 1 โ ๐ 2 ๐๐๐ 2 โ โ2๐2
Noise blowup: ๐ถ โ ๐ถ โ ๐ ๐
๐ 1 โค ๐ log ๐
Noise blowup: ๐ถ โ ๐ถ โ ๐ log ๐ โค ๐ถ โ ๐๐
For depth ๐ circuit: ๐ผ โ ๐ผ โ ๐๐(๐) regardless of scale!
real numbers ๐๐๐ 2 โก (โ1,1]
Secret key: ๐ โ *0,1+๐ log ๐
Ciphertext: ๐ โ โ2๐ log ๐
๐ โ ๐ = ๐ + ๐ + 2๐ผ
small (initial) noise ๐ < 2๐ผ
dec. if ๐ <1
2
Multiplicative Homomorphism:
Full Homomorphism via Bootstrapping
Evaluating depth ๐ circuit: ๐ถ โ ๐ถ โ ๐๐ถ(๐ )
For โbootstrappingโ: ๐ = ๐(log ๐) โ ๐ถ โ ๐ถ โ ๐๐ถ(๐ฅ๐จ๐ ๐)
โ dec. if ๐ถ โ ๐โ๐ถ(๐ฅ๐จ๐ ๐) regardless of ๐!
(in *BGV12+ only for โsmallโ odd ๐)
Using ๐ โ 2๐ โ Hardness based on classical GapSVP.
Conclusion
โข Scale-independence FHE without modulus switching.
โข Homomorphic properties independent of ๐. โ But ๐ still matters for security.
โข Properties of [BGV12] extend.
โข Bonuses: โ Our ๐ can be even (e.g. power of 2). โ Security based on classical GapSVP (as opposed to quantum).
โข Simpler!
tiny.cc/fheblog1 ; tiny.cc/fheblog2
also see blog post with Boaz Barak:
Farewell CRYPTO โ12โฆ
tiny.cc/fheblog1 ; tiny.cc/fheblog2
also see blog post with Boaz Barak: