Outsourcing Computation
Email, web-search, navigation, social networkingβ¦
π₯ π
π(π₯)
π₯
What if π₯ is private?
Search query, location, business information, medical informationβ¦
Outsourcing Computation β Privately
WANTED
Homomorphic Evaluation function:
πΈπ£ππ: π, πΈππ π₯ β πΈππ(π π₯ )
π₯ π
π¦
πΈππ(π₯)
π·ππ π¦ = π(π₯)
Learns nothing on π₯.
Fully Homomorphic Encryption (FHE)
π₯ π
π¦ = πΈπ£ππππ£π(π, πΈππ π₯ )
πΈππ(π₯)
π·πππ π π¦ = π(π₯)
π π , ππ ππ£π
Correctness:
πΈππ(π₯) β πΈππ(0) Input privacy:
π¦
π·ππ π¦ = π(π₯)
β’ NAND. β’ (+,Γ) over β€2 (= binary πππ , π΄ππ· )
πΈππππ(π₯)
Fully Homomorphic = Correctness for any efficient π
= Correctness for universal set
Trivial FHE?
PKE β βFHEβ:
- πΎππ¦πππ and πΈππ: Same as PKE.
- πΈπ£πππΉπ»πΈ π, π β (π, π)
- π·πππ ππΉπ»πΈ (π, π) β π(π·πππ π(π))
NOT what we were looking forβ¦
All work is relayed to receiver.
Compact FHE: π·ππ time does not depend on ciphertext.
β ciphertext length is globally bounded.
In this talk (and in literature) FHE β Compact-FHE
πΈππ (π₯)
= π π·πππ π πΈππ π₯ = π(π₯)
Trivial FHE?
PKE β βFHEβ:
- πΎππ¦πππ and πΈππ: Same as PKE.
- πΈπ£πππΉπ»πΈ π, π β (π, π)
- π·πππ ππΉπ»πΈ (π, π) β π(π·πππ π(π))
This βschemeβ also completely reveals π to the receiver.
Can be a problem.
Circuit Privacy: Receiver learns nothing about π (except output).
In this talk: Only care about compactness, no more circuit privacy.
Circuit private FHE is not trivial to achieve β even non-compact.
Compactness β Circuit Privacy (by complicated reduction) [GHV10]
Applications
In the cloud:
β’ Private outsourcing of computation.
β’ Near-optimal private outsourcing of storage (single-server PIR). [G09,BV11b]
β’ Verifiable outsourcing (delegation). [GGP11,CKV11]
β’ Private machine learning in the cloud. [GLN12,HW13]
Secure multiparty computation:
β’ Low-communication multiparty computation. [AJLTVW12,LTV12]
β’ More efficient MPC. [BDOZ11,DPSZ12,DKLPSS12]
Primitives:
β’ Succinct argument systems. [GLR11,DFH11,BCCT11,BC12,BCCT12,BCGT13,β¦]
β’ General functional encryption. [GKPVZ12]
β’ Indistinguishability obfuscation for all circuits. [GGHRSW13]
Verifiable Outsourcing (Delegation)
Can send wrong value of π(π₯) .
π₯ π
π(π₯)
π₯
What if the server is cheating?
Need proof!
, π
FHE β Verifiable Outsourcing
FHE β Verifiability and Privacy.
Pre-FHE solutions: multiple rounds [K92] or random oracles [M94].
1. Verifiability with preprocessing under βstandardβ assumptions: [GGP10, CKV10].
2. Less standard assumptions but without preprocessing via
SNARGs/SNARKs [DCL08,BCCT11,β¦] (uses FHE or PIR).
FHE β Verifiable Outsourcing [CKV10]
π₯ π
π π , ππ ππ£π
ππ₯ = πΈππ π₯ , π0
π¦π₯ , π¦0
Check π¦0 = π§0?
Yes β output π·ππ(π¦π₯) No β output β₯
Preprocessing:
π0 = πΈππ(0) π§0 = πΈπ£ππ(π, π0)
Verification:
Idea: βCut and chooseβ
ππ₯, π0 look the same β cheating server will be caught w.p. Β½ (easily amplifiable)
But preprocessing is as hard as computation!
Server executes π¦ = πΈπ£ππ(π, π)
FHE β Verifiable Outsourcing [CKV10]
π₯ π
π π , ππ ππ£π
(ππ£πβ²β², πΈππβ²β² ππ₯ ), (ππ£πβ², πΈππβ² π0 )
π¦β²β²π₯, π¦β²0
Check π·ππβ²(π¦β²0) = π§0?
Yes β output π·ππβ²β²(π·ππ π¦π₯ ) No β output β₯
Preprocessing:
π0 = πΈππ(0) π§0 = πΈπ£ππ(π, π0)
Verification:
Idea: Outer layer keeps server βobliviousβ of π§0.
β Can recycle π§0 for future computations.
Server executes π¦β² = πΈπ£ππβ²(πΈπ£ππ π,β , πβ²) π¦β²β² = πΈπ£ππβ²β²(πΈπ£ππ π,β , πβ²β²)
Server is not allowed to know if we accept/reject!
FHE Timeline
30 years of hardly scratching the surface:
β’ Only-addition [RSA78, R79, GM82,
G84, P99, R05]. β’ Addition + 1 multiplication
[BGN05, GHV10]. β’ Other variants [SYY99, IP07,
MGH10].
β¦ is it even possible?
Basic scheme: Ideal cosets in polynomial rings.
β Bounded-depth homomorphism.
- Assumption: hardness of (quantum) apx. short vector in ideal lattice.
Bootstrapping: bounded-depth HE β full HE.
But bootstrapping doesnβt apply to basic scheme...
- Need additional assumption: hardness of sparse subset-sum.
The FHE Challenge
Make it more secure.
Make it simpler.
Make it practical. Optimizations [SV10,SS10,GH10]
Simplified basic scheme [vDGHV10,BV11a] - Under similar assumptions.
?
FHE without Ideals [BV11b]
Linear algebra instead of polynomial rings
Assumption: Apx. short vector in arbitrary lattices (via LWE).
Fundamental algorithmic problem β
extensively studied.
[LLL82,K86,A97,M98,AKS03,MR04,MV10]
Shortest-vector Problem (SVP):
FHE without Ideals [BV11b]
β’ Simpler: straightforward presentation.
β’ More secure: based on a standard assumption.
β’ Efficiency improvements.
Linear algebra instead of polynomial rings
Assumption: Apx. short vector in arbitrary lattices (via LWE).
β’ Basic scheme: noisy linear equations over β€π.
β Ciphertext is a linear function π(π₯) s.t. π π π β π .
β Add/multiply functions for homomorphism.
β Multiplication raises degree β use relinearization.
β’ Bootstrapping: Use dimension-modulus reduction to shrink ciphertexts.
Concurrently [GH11]: Ideal lattice based scheme without squashing.
FHE without Ideals Follow-ups:
β’ [BGV12]: Improved parameters.
β Even better security.
β Improved efficiency in ring setting using βbatchingβ.
β Batching without ideals in [BGH13].
β’ [B12]: Improved security.
β Security based on classical lattice assumptions.
β Explained in blog post [BB12].
Various optimizations, applications and implementations:
[LNV11, GHS12a, GHS12b, GHS12c, GHPS12, AJLTVW12, LTV12,
DSPZ12, FV12, GLN12, BGHWW12,HW13 β¦]
The βApproximate Eigenvectorβ Method [GSW13]
β’ Basic scheme: Approximate eigenvector over β€π.
β Ciphertext is a matrix πΆ s.t. πΆ β π π β π β π π .
β Add/multiply matrices for homomorphism*.
β’ Bootstrapping: Same as previous schemes.
Ciphertexts = Matrix
Same assumption and keys as before β ciphertexts are different
β’ Simpler: straightforward presentation.
β’ New and exciting applications βfor freeβ! IB-FHE, AB-FHE.
β’ Same security as [BGV12, B12].
β’ Unclear about efficiency: some advantages, some drawbacks.
Sequentialization [BV13] What is the best way to evaluate a product of π numbers?
X
X
X
X
vs. X
X
Parallel Sequential
c1 c2 c3 c4
c1
c2
c3 c4
Conventional wisdom Actually better (if done right)
Sequentialization [BV13]
Barringtonβs Theorem [B86]: Every depth π computation can be transformed into a width-5 depth 4π branching program.
A sequential model of computation
β’ Better security β breaks barrier of [BGV12, B12,GSW13].
β’ Using dimension-modulus reduction (from [BV11b]) β same hardness assumption as non homomorphic encryption.
β’ Short ciphertexts.
Efficiency
Standard benchmark: AES128 circuit
Implementations of [BGV12] by [GHS12c,CCKLLTY13] β5 min/input
Limiting factors:
β’ Circuit representation.
β’ Bootstrapping.
β’ Key size.
β To be practical, we need to improve the theory.
2-years ago it was 3 min/gate [GH10]
New works [GSW13,BV13] address some of these issues, but have other drawbacks
See also HElib
https://github.com/shaih/HElib
Hybrid FHE
β’ In known FHE encryption is slow and ciphertexts are long.
β’ In symmetric encryption (e.g. AES) these are better.
π₯ π
π¦ = πΈπ£ππππ£π(π, πΈππ π₯ )
πΈππππ(π₯)
π·πππ π π¦ = π(π₯)
π π , ππ ππ£π
Best of both worlds?
Hybrid FHE
π₯ π
π·πππ π π¦ = π(π₯)
π π , ππ ππ£π
π π¦π
c=πΈπππ π¦π(π₯)
πΈππππ(π π¦π)
Easy to encrypt, ciphertext is short⦠But how to do Eval?
Define: π π§ = πππ_π·πππ§(π)
Server Computes: π¦β² = πΈπ£ππππ£π(π, πΈππππ(π π¦π))
β π¦β² = πΈππ π π π¦π = πΈππ πππ_π·πππ π¦π π = πΈππππ(π₯)
π¦ = πΈπ£ππππ£π(π, π¦β²)
Approximate Eigenvector Method [GSW13]
Observation: Let πΆ1, πΆ2 be matrices with the same eigenvector π , and let π1,π2 be their respective eigenvalues w.r.t π . Then:
1. πΆ1 + πΆ2 has eigenvalue (π1+π2) w.r.t π . 2. πΆ1 β πΆ2 (and also πΆ2 β πΆ1) has eigenvalue π1π2 w.r.t π .
Idea: π = secret key, πΆ = ciphertext, and π = message.
Insecure! Eigenvectors are easy to find.
What about approximate eigenvectors?
β Homomorphism for addition and multiplication.
β Full homomorphism!
Say over β€π
Approximate Eigenvector Method [GSW13]
πΆ β π = ππ + π β ππ
How to decrypt? Must have restriction on π
Suppose π [1] = π/2 , and π β *0,1+
β (πΆ β π )[1] =π
2π + π [1] Find π by rounding
Condition for correct decryption: π < π/4 .
Approximate Eigenvector Method [GSW13]
πΆ1 β π = π1π + π 1
π 1 βͺ π
πΆ2 β π = π2π + π 2
π 2 βͺ π
πΆπππ = πΆ1 + πΆ2:
(πΆ1+πΆ2) β π = πΆ1π + πΆ2π
= π1π + π 1 + π2π + π 2
= (π1+π2)π + (π 1+π 2)
π πππ
Goal: πΆ1, πΆ2 β πΆπππ = πΈππ(π1 + π2) , πΆππ’ππ‘ = πΈππ(π1π2).
Noise grows a little
Approximate Eigenvector Method [GSW13]
πΆ1 β π = π1π + π 1
π 1 βͺ π
πΆ2 β π = π2π + π 2
π 2 βͺ π
πΆππ’ππ‘ = πΆ1 β πΆ2:
(πΆ1β πΆ2) β π = πΆ1 π2π + π 2
= π2πΆ1π + πΆ1π 2
= π2 π1π + π 1 + πΆ1π 2
π ππ’ππ‘
Noise grows. But by how much?
Can also use πΆ2 β πΆ1
= π2π1π + π2π 1 + πΆ1π 2
Goal: πΆ1, πΆ2 β πΆπππ = πΈππ(π1 + π2) , πΆππ’ππ‘ = πΈππ(π1π2).
Plan for Technical Part
1. Constructing approximate eigenvector scheme.
2. Sequentialization.
3. Bootstrapping.
4. Open problems and limits on FHE.
Learning with Errors (LWE) [R05] Random noisy linear equations β uniform
π΄
π
π
=
π
+
uniform matrix β β€ππΓπ
secret vector β β€ππ
small noise β β€ππ
ππ β€ πΌπ
β€ππ
π΄
π
stat. far from uniform!
β π LWE
assumption
As hard as π/πΌ -apx. short vector in worst case π-dim. lattices [R05, P09]
Encryption Scheme from LWE [R05,ACPS09]
βπ΄
π
π
π π =
π΄
π
π
=
π
+
public key
+ π
0,1 π uniform
π π π
1
secret key
= π β π + π β π
βencryptionβ of π β π (without knowing π ) [ACPS09]
small βnoiseβ
Looks jointly uniform
Encryption Scheme from LWE [R05,ACPS09]
βπ΄
π
π
πΆπΊ
=
π΄
π
π
=
π
+
+
πΊ
0,1 πΓπ uniform
π 1
= π π + πΊπ πΆπΊ
= π small βnoiseβ
β€ππΓ(π+1)
Approx. Eigenvector Encryption Goal: Encrypt message π β *0,1+
Idea: πΈππ π = πΆπβ πΌ
β πΆπβ πΌ β π = π + ππΌπ = π β π + π As we saw:
πΆ1 β πΆ2 β π = πΆ1 β π 2 + π2π
= πΆ1 β π 2 + π2 β πΆ1 β π
= πΆ1 β π 2 + π2π 1 + π1π2π desired output
small noise
HUGE noise
Need to reduce the norm of πΆ1
Solution: binary decomposition
Binary Decomposition
Break each entry in πΆ to its binary representation
πΆ =3 51 4
(πππ 8) πππ‘π πΆ =0 1 1 1 0 10 0 1 1 0 0
(πππ 8) β Small entries like we wanted!
But product with π now meaningless
Consider the βreverseβ operation:
πππ‘π πΆ β
4 02 01000
0421
= πΆ
πΊ
β πΆ β π = πππ‘π (πΆ) β πΊ β π = πππ‘π (πΆ) β π β
π β = πΊ β π
βpowers of 2β vector
Contains π/2 as an element
Approx. Eigenvector Encryption
πΈππ π = πΆπβ πΊ β β€π( π+1 log π)Γ(π+1)
β πΆπβ πΊ β π = π + π β πΊ β π
πππ‘π (πΆ1) β πΆ2 β π = πππ‘π (πΆ1) β π 2 + π2πΊπ
= πππ‘π (πΆ1) β π 2 + π2 β πππ‘π (πΆ1) β πΊ β π
= πππ‘π (πΆ1) β π 2 + π2 β πΆ1 β π
= πππ‘π (πΆ1) β π 2 + π2 β π 1 + π1 β π2 β πΊ β π desired output small small-ish
π ππ’ππ‘ β€ π β π 2 + π2 β π 1 β€ π + 1 β max* π 1 , π 2 +
π
πΆππ’ππ‘ = πππ‘π πΆ1 β πΆ2
πππ‘π (πΆ1) β πΆ2 β π
πΆππππ = πΊ β πππ‘π πΆ1 β πΆ2
π ππππ β€ π β π 2 + π2 β π 1 β€ π + 1 β max* π 1 , π 2 +
. =
Homomorphic Circuit Evaluation
π ππ’π‘ππ’π‘ β€ π + 1 π β ππΌπ β πππΌπ
π ππππ’π‘ β€ ππΌπ π ππππ’π‘
π ππ’π‘ππ’π‘
Noise grows during homomorphic evaluation
Depth π
π π+1 β€ (π + 1) π π
β¦
β Decryption succeeds if πΌ βͺ 1/ππ.
Full Homomorphism
πΌ β€ πβπ
πβππ β log 1/πΌ
1. If depth upper-bound is known ahead of time.
2. Single scheme for any poly depth.
Set π β₯ π2 ; πΌ = 2β π β log 1/πΌ = π
Undesirable:
β’ Huge parameters. β’ Low security. β’ Inflexible.
Leveled FHE: Parameters (ππ£π) grow with π.
Bootstrap!
The Bootstrapping Theorem
Homomorphic β fully homomorphic
when ππππ < πβππ
β’ ππππ = depth of the decryption circuit. β’ πβππ = maximal homomorphic depth.
In our scheme: ππππ = logπ β FHE if πΌ < πβ log π
Quasi-polynomial approximation for short vector problems (same factor as [BGV12,B12])
Non-homomorphic schemes only need ππ 1 approximation
(Proof to come)
Additional condition, to be discussed.
A Taste of Sequentialization [BV13] π ππ’ππ‘ = πππ‘π (πΆ1) β π 2 + π2 β π 1
Asymmetric!
Important observations:
1. π 1 gets multiplied by 0/1 ; π 2 can get multiplied by π.
2. π2 = 0 β π 1 has no effect!
Conclusion: The order of multiplication matters.
Want to multiply πΆπ΄, πΆπ΅ s.t. π π΄ β« π π΅ .
Which is better: πππ‘π πΆπ΄ β πΆπ΅ or πππ‘π πΆπ΅ β πΆπ΄ ?
A Taste of Sequentialization [BV13] π ππ’ππ‘ = πππ‘π (πΆ1) β π 2 + π2 β π 1
Task: Multiply 4 ciphertexts πΆ1, β¦ , πΆ4
Multiplication Tree
X
X
X
c1 c2 c3 c4
π = πΈ0
π = πΈ0(π + 1)
π = πΈ0 π + 1 2
X
X
X
c1
c2
c3 c4
π = πΈ0
πΈ0(π + 1) πΈ0
πΈ0 πΈ0(2π + 1)
πΈ0(3π + 1)
Sequential Multiplier
Winner!
Bootstrapping
Homomorphic β fully homomorphic when
ππππ < πβππ
β’ ππππ = depth of the decryption circuit. β’ πβππ = maximal homomorphic depth.
Bootstrapping
Given scheme with bounded πβππ How to extend its homomorphic capability?
Idea: Do a few operations, then βswitchβ to a new instance
(ππ2, π π2)
(ππ3, π π3)
(ππ1, π π1)
Switch keys
βcostβ in homomorphism
Hybrid FHE
π₯ π
π·πππ π π¦ = π(π₯)
π π , ππ ππ£π
π π¦π
c=πΈπππ π¦π(π₯)
πΈππππ(π π¦π)
Define: π π§ = πππ_π·πππ§(π)
Server Computes: π¦β² = πΈπ£ππππ£π(π, πΈππππ(π π¦π))
β π¦β² = πΈππ π π π¦π = πΈππ πππ_π·πππ π¦π π = πΈππππ(π₯)
π¦ = πΈπ£ππππ£π(π, π¦β²)
How to Switch Keys
π·πππ π(β ) π·ππ β (π)
π π π
π π Decryption circuit: Dual view:
β‘ ππ β
ππ π π = π·πππ π π = π
Key switching procedure π π1, ππ1 β π π2, ππ2 :
Input: π = πΈππππ1(π)
Server aux info: ππ’π₯ = πΈππππ2(π π1) (ahead of time)
Output: πΈπ£ππππ2(ππ , ππ’π₯)
πΈπ£ππππ2ππ , ππ’π₯ = πΈπ£ππππ2
ππ , πΈππππ2π π1
= πΈππππ2ππ π π1 = πΈππππ2
π·πππ π1π
= πΈππππ2(π)
Eval depth = ππππ
Bootstrapping
Given scheme with bounded πβππ. How to extend its homomorphic capability?
Idea: Do a few operations, then βswitchβ to a new instance
(ππ2, π π2)
(ππ3, π π3)
(ππ1, π π1)
Switch keys
βcostβ of ππππ hom. operations
Conclusion: Bootstrapping if πβππ β₯ ππππ + 1
Need to generate many keysβ¦
Bootstrapping
Given scheme with bounded πβππ. How to extend its homomorphic capability?
Idea: Do a few operations, then βswitchβ to a new instance
(ππ , π π )
(ππ , π π )
(ππ , π π )
Switch from the key to itself!
Key switching works
Server aux info: ππ’π₯ = πΈππππ (π π )
Circular Security
Intuitively: Yes, encryption hides the message.
Formally: Security does not extend.
What can we do about it?
Option 1: Assume itβs secure β no attack is known.
Option 2: Use a sequence of keys.
β No. of keys proportional to computation depth (leveled FHE).
Is it secure to publish ππ’π₯ = πΈππππ(π π)
[BV11a]: Circular secure βsomewhatβ homomorphic scheme.
Short keys without circular assumption ?
Diversity
β’ Other (older) schemes with similar properties [AD97, GGH97, R03, R05, β¦] β homomorphism
But all are lattice based
β’ [BL11] FHE from a noisy decoding problem.
[B13]: Homomorphicly βclean upβ the noise β break security.
β βToo muchβ homomorphism is a bad sign.
What We Saw Today
β’ Definition of FHE.
β’ Applications.
β’ Historical perspective and background.
β’ Constructing HE using the approximate eigenvector
method.
β’ Sequentialization.
β’ Bootstrapping.
β’ Limits on HE.
Open Problems
β’ Short keys without circular security.
β’ FHE from different assumptions.
β’ CCA1 secure FHE.
β’ Bounded malleability.
β’ Improved efficiency.