information security theory vs....
TRANSCRIPT
![Page 1: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/1.jpg)
1
Information Security – Theory vs. Reality
0368-4474-01, Winter 2012-2013
Lecture 5: Fully Homomorphic Encryption
Eran Tromer
Slides credit: Vinod Vaikuntanathan (U. Toronto)
![Page 2: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/2.jpg)
2
Fully Homomorphic Encryption
![Page 3: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/3.jpg)
The goal
Delegate processing of data
without giving away access to it
3 of 32
![Page 4: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/4.jpg)
Example 1: Private Search
Delegate PROCESSING of datawithout giving away ACCESS to it
► You: Encrypt the query,send to Google
(Google does not know the key,cannot “see” the query)
► Google: Encrypted query →Encrypted results
(You decrypt and recover thesearch results)
4 of 32
![Page 5: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/5.jpg)
Example 2: Private Cloud Computing
Delegate PROCESSING of datawithout giving away ACCESS to it
(Input: x) (Program: P)Enc(x), P → Enc(P(x))
Encrypt x
5 of 32
![Page 6: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/6.jpg)
Fully Homomorphic Encryption
Encrypted x, Program P → Encrypted P(x)
Definition: (KeyGen, Enc, Dec, Eval)(as in regular public/private-key encryption)
– If c = Enc(PK, x) and c′ = Eval (PK, c, P),
Compactness: Length of c′ independent of size of P
Security = Semantic Security [GM82]
Correctness of Eval: For every input x, program P
then Dec (SK, c) = P(x).
6 of 32
![Page 7: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/7.jpg)
Fully Homomorphic Encryption
Functionf
xEnc(x)
Eval: f, Enc(x) Enc(f(x))homomorphic evaluation
Knows nothing
of x.
[Rivest-Adleman-Dertouzos’78]
7 of 32
![Page 8: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/8.jpg)
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– their motivation: searching encrypted data
8 of 32
![Page 9: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/9.jpg)
– BGN’05 & GHV’10: quadratic formulas
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
► Limited Variants:
– GM & Paillier: additively homomorphic
– RSA & El Gamal: multiplicatively homomorphic
– their motivation: searching encrypted data
c1 = m1e c2 = m2
e cn = mne
Xc* = c1c2…cn= (m1m2…mn)e mod N► NON-COMPACT homomorphic encryption:
– SYY’99 & MGH’08: c* grows exp. with degree/depth– IP’07 works for branching programs
– Based on Yao garbled circuits
9 of 32
![Page 10: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/10.jpg)
Fully Homomorphic Encryption
► First Defined: “Privacy homomorphism” [RAD’78]
– using just integer addition and multiplication
– their motivation: searching encrypted data
►Full-semester course►Today: an alternative construction [DGHV’10]:
Big Breakthrough: [Gentry09]
First Construction of Fully Homomorphic Encryptionusing algebraic number theory & “ideal lattices”
– easier to understand, implement and improve 10 of 32
![Page 11: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/11.jpg)
Constructing
fully-homomoprhic encryptionassuming
hardness of approximate GCD
11 of 32
![Page 12: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/12.jpg)
A Roadmap
1. Secret-key “Somewhat” Homomorphic Encryption(under the approximate GCD assumption)
2. Public-key “Somewhat” Homomorphic Encryption(under the approximate GCD assumption)
3. Public-key FULLY Homomorphic Encryption(under approx GCD + sparse subset sum)
(a simple transformation)
(borrows from Gentry’s techniques)
12
![Page 13: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/13.jpg)
Secret-key Homomorphic Encryption
Secret key: a large n2-bit odd number p
To Encrypt a bit b:– pick a random “large” multiple of p, say q·p
– pick a random “small” even number 2·r
– Ciphertext c = q·p+2·r+b
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
(q ~ n5 bits)(r ~ n bits)
“noise”
(sec. param = n)
13
![Page 14: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/14.jpg)
Secret-key Homomorphic Encryption
How to Add and Multiply Encrypted Bits:
– Add/Mult two near-multiples of p gives a near-multiple of p.
– c1 = q1·p + (2·r1 + b1), c2 = q2·p + (2·r2 + b2)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2) « p
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2 « p
LSB = b1 XOR b2
LSB = b1 AND b2
14
![Page 15: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/15.jpg)
Problems
Ciphertext grows with each operation
Noise grows with each operation
Useless for many applications (cloud computing, searching encrypted e-mail)
– Consider c = qp+2r+b ← Enc(b)
(q-1)p qp (q+1)p (q+2)p
2r+b– c (mod p) = r’ ≠ 2r+b
r’– lsb(r’) ≠ b
15
![Page 16: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/16.jpg)
Problems
Ciphertext grows with each operation
Noise grows with each operation
Useless for many applications (cloud computing, searching encrypted e-mail)
Can perform “limited” number of hom. operations
What we have: “Somewhat Homomorphic” Encryption
16
![Page 17: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/17.jpg)
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
– t+1 encryptions of 0
Δ
– Wlog, assume that x0 is the largest of them
17
![Page 18: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/18.jpg)
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval (as before)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
18
![Page 19: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/19.jpg)
c = + b (mod x0)
Public-key Homomorphic Encryption
rxSi
i 2
Secret key: an n2-bit odd number p
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)
To Encrypt a bit b: pick random subset S [1…t]
Δ
c = p[ ] + 2[ ] + b (mod x0) Si
iq
Si
irrc = p[ ] + 2[ ] + b – kx0 (for a small k) Si
iq
Si
irr
= p[ ] + 2[ ] + b 0kqqSi
i
0krrrSi
i
(mult. of p) + (“small” even noise) + b 19
![Page 20: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/20.jpg)
c = + b (mod x0)rxSi
i 2
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval: Reduce mod x0 after each operation
To Encrypt a bit b: pick random subset S [1…t]
Ciphertext Size Reduction
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)Δ
(*) additional tricks for mult20
![Page 21: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/21.jpg)
c = + b (mod x0)rxSi
i 2
Public-key Homomorphic Encryption
Secret key: an n2-bit odd number p
To Decrypt a ciphertext c:
– c (mod p) = 2·r+b (mod p) = 2·r+b
– read off the least significant bit
Eval: Reduce mod x0 after each operation
To Encrypt a bit b: pick random subset S [1…t]
Ciphertext Size Reduction
– Resulting ciphertext < x0
– Underlying bit is the same (since x0 has even noise)
– Noise does not increase by much(*)
Public key: [q0p+2r0,q1p+2r1,…,qtp+2rt] = (x0,x1,…,xt)Δ
(*) additional tricks for mult21
![Page 22: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/22.jpg)
A Roadmap
Secret-key “Somewhat” Homomorphic Encryption
Public-key “Somewhat” Homomorphic Encryption
3. Public-key FULLY Homomorphic Encryption22
![Page 23: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/23.jpg)
How “Somewhat” Homomorphic is this?
Can evaluate (multi-variate) polynomials with m terms, and maximum degree d if d << n.
f(x1, …, xt) = x1·x2·xd + … + x2·x5·xd-2
Final Noise ~ (2n)d+…+(2n)d = m•(2n)d
Say, noise in Enc(xi) < 2n
2/22/22nnd pm or nd ~
m terms
23
![Page 24: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/24.jpg)
“Somewhat” HE“Bootstrappable”
From “Somewhat” to “Fully”
FHE = Can eval all fns.
Theorem [Gentry’09]: Convert “bootstrappable” → FHE.
Augmented Decryption ckt.
Dec Dec
NAND
c1 sk skc2 24
![Page 25: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/25.jpg)
Is our Scheme “Bootstrappable”?
What functions can the scheme EVAL?
Complexity of the (aug.) Decryption Circuit
(?)
Can be made bootstrappable– Similar to Gentry’09
Caveat: Assume Hardness of “Sparse Subset Sum”
(polynomials of degree < n)
(degree ~ n1.73 polynomial)
25
![Page 26: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/26.jpg)
Security(of the “somewhat” homomorphic scheme)
26
![Page 27: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/27.jpg)
The Approximate GCD Assumption
q1p+r1
p?
pq1 ← [0…Q]r1 ← [-R…R]
odd p ← [0…P]
(q1p+r1,…, qtp+rt)
Assumption: no PPT adversary can guess the number p
Parameters of the Problem: Three numbers P,Q and R
27
![Page 28: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/28.jpg)
p?p
Assumption: no PPT adversary can guess the number p
Semantic Security [GM’82]: no PPT adversary can guess the bit b
PK =(q0p+2r0,{qip+2ri})
Enc(b) =(qp+2r+b)
=(proof of security)
(q1p+r1,…, qtp+rt)
28
![Page 29: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/29.jpg)
Progress in FHE
►“Galactic” → Efficient
– asymptotically: nearly linear-time* algorithms
► Strange assumptions → Mild assumptions
– practically:– a few milliseconds for Enc, Dec [LNV11,GHS11]– a few minutes for evaluating an AES block (amortized)
[GHS12]
*linear-time in the security parameter
– Best Known [BGV11]: (leveled) FHE from worst-case hardness of nO(log n)-approx short vectors on lattices
29
![Page 30: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/30.jpg)
Multi-key FHE
Functionf
x1
x2
sk1, pk1
sk2, pk2
30
![Page 31: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/31.jpg)
Multi-key FHE
Functionf
x1
y = Eval(f,c1,c2)
Dec(sk1,sk2 y)=f(x1,x2)Correctness:
x2
sk1, pk1
sk2, pk2
Dec
31
![Page 32: Information Security Theory vs. Realitycourse.cs.tau.ac.il/istvr1213/sites/drupal-courses.cs.tau.ac.il.istvr... · 1 Information Security Theory vs. Reality 0368-4474-01, Winter 2012-2013](https://reader035.vdocuments.net/reader035/viewer/2022071013/5fcbf18e9ec25344f1153a4f/html5/thumbnails/32.jpg)
Fully homomorphic encryption: discussion
• Assumptions– Mathematical– Adversarial model
• Applicability– Decryption? Keys?
• Alternative: multiparty computation– When interaction is free
• What about integrity?– Computationally-sound proofs, proof-carrying data
32