
Homomorphic Encryption from RLWE Schemes and Parameters

Joppe W. Bos, Microsoft Research
Contains joint work with Kristin Lauter, Jake Loftus and Michael Naehrig

Computing on Encrypted Data

Motivation

Outsource data and computation to an external computing service.

Applications

• Spam filter for encrypted mail
• Searching on encrypted data
• Building block in crypto protocols

Homomorphic Encryption

• RSA ─ multiplicatively homomorphic
  $c_1 = m_1^e \bmod n,\quad c_2 = m_2^e \bmod n$
  $c_1 \cdot c_2 = m_1^e \cdot m_2^e = (m_1 \cdot m_2)^e \bmod n$
  Multiplying $c_1, c_2$ gives an encryption of $m_1 \cdot m_2 \bmod n$
• Benaloh ─ additively homomorphic
  $c_1 = g^{m_1} u_1^r \bmod n,\quad c_2 = g^{m_2} u_2^r \bmod n$
  $c_1 \cdot c_2 = g^{m_1 + m_2} (u_1 u_2)^r \bmod n$
  Multiplying $c_1, c_2$ gives an encryption of $m_1 + m_2 \bmod n$
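The two homomorphisms on this slide, worked through as an added example (not code from the talk): textbook RSA with the classic toy key p = 61, q = 53, and a Benaloh instance with constructed parameters r = 5, p = 11, q = 7, g = 2 (chosen so that r divides p−1, gcd(r, (p−1)/r) = gcd(r, q−1) = 1 and g^{φ/r} ≠ 1 mod n). The same property that makes the ciphertext product useful is what makes both schemes malleable: anyone holding two ciphertexts can produce a valid ciphertext for m₁·m₂ (RSA) or m₁+m₂ (Benaloh) without the private key.

```python
# Added example: multiplicative (RSA) and additive (Benaloh) homomorphisms on toy keys.
# All parameters below are constructed for illustration and are far too small to be secure.

# Textbook RSA: p = 61, q = 53, n = 3233, e = 17, d = 2753 (e*d = 1 mod phi(n) = 3120)
RSA_N, RSA_E, RSA_D = 3233, 17, 2753

def rsa_encrypt(m, e=RSA_E, n=RSA_N):
    return pow(m, e, n)

def rsa_decrypt(c, d=RSA_D, n=RSA_N):
    return pow(c, d, n)

def rsa_product_of_ciphertexts(m1, m2):
    """Encrypt m1 and m2, multiply the ciphertexts, decrypt: yields m1*m2 mod n.
    The product ciphertext was formed without any use of the private key."""
    c1, c2 = rsa_encrypt(m1), rsa_encrypt(m2)
    return rsa_decrypt((c1 * c2) % RSA_N)

# Benaloh (constructed): block size r = 5, p = 11, q = 7, n = 77, phi = 60, g = 2
BEN_R, BEN_P, BEN_Q, BEN_G = 5, 11, 7, 2
BEN_N = BEN_P * BEN_Q
BEN_PHI = (BEN_P - 1) * (BEN_Q - 1)

def benaloh_encrypt(m, u):
    """c = g^m * u^r mod n, for a message m in Z_r and a random blinding u in Z_n^*."""
    if not 0 <= m < BEN_R:
        raise ValueError("message must lie in Z_r")
    return (pow(BEN_G, m, BEN_N) * pow(u, BEN_R, BEN_N)) % BEN_N

def benaloh_decrypt(c):
    """Raising to phi/r removes u^r (Euler), leaving (g^(phi/r))^m, an element of an
    order-r subgroup; m is then recovered by a discrete log over the r possibilities."""
    a = pow(c, BEN_PHI // BEN_R, BEN_N)
    base = pow(BEN_G, BEN_PHI // BEN_R, BEN_N)
    for m in range(BEN_R):
        if pow(base, m, BEN_N) == a:
            return m
    raise ValueError("not a valid Benaloh ciphertext")

def benaloh_sum_of_ciphertexts(m1, m2, u1=3, u2=5):
    """Multiply two Benaloh ciphertexts; the result decrypts to m1 + m2 mod r."""
    c1, c2 = benaloh_encrypt(m1, u1), benaloh_encrypt(m2, u2)
    return benaloh_decrypt((c1 * c2) % BEN_N)

if __name__ == "__main__":
    print("RSA: E(42)*E(7) decrypts to", rsa_product_of_ciphertexts(42, 7))
    print("Benaloh: E(3)*E(4) decrypts to", benaloh_sum_of_ciphertexts(3, 4), "(= 3+4 mod 5)")
```

The Benaloh decryption loops over all r messages; that is fine for r = 5 and is the reason the block size in the real scheme is kept small.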

Fully Homomorphic Encryption (FHE)

• Enables unlimited computation on encrypted data
• Need scheme with unlimited add and mult capability
• Idea: Rivest, Adleman, Dertouzos (1978)
• Boneh-Goh-Nissim (2005): unlimited add + 1 mult
• Breakthrough: Gentry (2009) showed such schemes exist
• A lot of progress since then
• Gentry, Halevi, Smart (2012): homomorphic evaluation of AES, 5 minutes per block (16 bytes)

Ring Learning With Errors (RLWE)

(Lyubashevsky, Peikert, Regev 2010)
Ring $(R, +, \cdot)$, modulus $q$, $R_q = R/qR$, probability distribution $\chi$ on $R$ (for sampling small elements)

Problem: distinguish between two distributions
1. Uniform distribution $(a, b) \in R_q^2$
2. The distribution that for a fixed $s \leftarrow \chi$ samples $a \leftarrow R_q$ uniformly, error $e \leftarrow \chi$, and outputs $(a, a \cdot s + e)$

Assumption: The RLWE problem is hard, i.e. $(a, a \cdot s + e) \sim (a, b)$ looks random

(Symmetric) Encryption from RLWE

Message $m \in \{0,1\}$, $s \leftarrow \chi$ secret key
BV (Brakerski, Vaikuntanathan 2010)
encryption: Sample $a \leftarrow R_q$ uniform, $e \leftarrow \chi$ error/noise, $b = m + a \cdot s + 2e \bmod q$, ciphertext $c = (a, b)$
decrypt: $b - a \cdot s \bmod 2 = (m + 2e) \bmod 2 = m$
decrypts correctly if $e < q/2$
[Figure: $b - a \cdot s$ drawn on a number line of length $q$, showing the parts $m$ and $2e$]

Homomorphic Properties

$c_1 = (a_1,\ m_1 + a_1 \cdot s + 2e_1)$, $c_2 = (a_2,\ m_2 + a_2 \cdot s + 2e_2)$
Addition: $c_1 + c_2 = (a_1 + a_2,\ m_1 + m_2 + (a_1 + a_2) \cdot s + 2(e_1 + e_2))$
Multiplication (BV):
$(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = (m_1 + 2e_1)(m_2 + 2e_2) = m_1 m_2 + 2(m_1 e_2 + m_2 e_1 + 2 e_1 e_2)$
$(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = b_1 b_2 - (b_1 a_2 + b_2 a_1) s + a_1 a_2 s^2$
New ciphertext: $(a_1 a_2,\ b_1 a_2 + b_2 a_1,\ b_1 b_2)$, now 3 elements!

Noise Growth

• Initial noise: $B$
• Addition: noise terms add up, $B \to 2B$
• Multiplication: noise terms are multiplied, $B \to B^2$
[Figure: multiplication tree $m_1 \cdot m_2$, $m_3 \cdot m_4$, then $(m_1 m_2) \cdot (m_3 m_4)$, with noise $B$, $B^2$, $B^4$ at the successive levels compared against the bound $q/2$]
• $B^2 \to B^4,\ B^4 \to B^8,\ \ldots,\ B^{2^{L-1}} \to B^{2^L}$ ($L$ levels of mult)
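The symmetric BV scheme, its homomorphic addition and multiplication, and the noise behaviour of the last three slides, as an added example that is not code from the talk. It uses a constructed toy ring R = Z[X]/(X^8 + 1) with q = 1000003 and χ = uniform coefficients in {−1, 0, 1}; the message bit sits in the constant coefficient. `phase` computes $b - a\cdot s$ for a two-element ciphertext and $c_2 - c_1 s + c_0 s^2$ for the three-element product, which is exactly $(b_1 - a_1 s)(b_2 - a_2 s)$; `noise` measures the largest coefficient of $m + 2e$ so the $B \to 2B$ and $B \to B^2$ growth can be observed directly.

```python
import random

# Added example. Toy parameters, constructed for illustration only (far too small to be secure).
N = 8             # ring R = Z[X]/(X^N + 1); the slide's n is N here
Q = 1_000_003     # odd ciphertext modulus q
rng = random.Random(1)

def centre(x):
    """Reduce x mod Q into the symmetric range (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def ring_mul(a, b):
    """Negacyclic convolution: a*b in R_q = Z_q[X]/(X^N + 1)."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % N] += ai * bj * (1 if i + j < N else -1)   # X^N = -1
    return [x % Q for x in res]

def ring_add(a, b):
    return [(x + y) % Q for x, y in zip(a, b)]

def ring_sub(a, b):
    return [(x - y) % Q for x, y in zip(a, b)]

def sample_chi():
    """Small-element distribution chi: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen():
    return sample_chi()                         # s <- chi

def encrypt(s, m):
    """BV encryption of a bit m: c = (a, b) with b = m + a*s + 2e mod q."""
    a = [rng.randrange(Q) for _ in range(N)]    # a <- R_q uniform
    e = sample_chi()                            # e <- chi
    b = ring_add(ring_mul(a, s), [(2 * x) % Q for x in e])
    b[0] = (b[0] + m) % Q                       # message in the constant term
    return [a, b]

def phase(ct, s):
    """m + 2e (centred). Two elements (a, b): b - a*s.
    Three elements (a1*a2, b1*a2 + b2*a1, b1*b2): c2 - c1*s + c0*s^2 = (b1 - a1*s)(b2 - a2*s)."""
    if len(ct) == 2:
        a, b = ct
        p = ring_sub(b, ring_mul(a, s))
    else:
        c0, c1, c2 = ct
        p = ring_add(ring_sub(c2, ring_mul(c1, s)), ring_mul(c0, ring_mul(s, s)))
    return [centre(x) for x in p]

def decrypt(ct, s):
    return phase(ct, s)[0] % 2

def noise(ct, s):
    """Noise magnitude: the largest |coefficient| of m + 2e."""
    return max(abs(x) for x in phase(ct, s))

def add(ct1, ct2):
    return [ring_add(x, y) for x, y in zip(ct1, ct2)]

def multiply(ct1, ct2):
    """BV multiplication: three ring elements (relinearisation back to two is not shown)."""
    a1, b1 = ct1
    a2, b2 = ct2
    return [ring_mul(a1, a2), ring_add(ring_mul(b1, a2), ring_mul(b2, a1)), ring_mul(b1, b2)]

def truth_table(s=None):
    """Decrypted (sum, product) for every pair of message bits."""
    s = keygen() if s is None else s
    out = {}
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(s, m1), encrypt(s, m2)
            out[(m1, m2)] = (decrypt(add(c1, c2), s), decrypt(multiply(c1, c2), s))
    return out

def noise_growth(s=None):
    """(fresh noise B, noise after one add, noise after one mult) for two fresh ciphertexts."""
    s = keygen() if s is None else s
    c1, c2 = encrypt(s, 1), encrypt(s, 1)
    b = max(noise(c1, s), noise(c2, s))
    return b, noise(add(c1, c2), s), noise(multiply(c1, c2), s)

if __name__ == "__main__":
    print("(m1, m2) -> (m1 + m2 mod 2, m1 * m2):", truth_table())
    print("noise: fresh B, after add (<= 2B), after mult (<= N*B^2):", noise_growth())
```

With coefficients bounded by $B$, a product of two ring elements has coefficients bounded by $N B^2$, which is the $B \to B^2$ step of the slide up to the ring dimension; every multiplication level squares the bound, and decryption fails as soon as it reaches $q/2$.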

Exponential Improvement

Brakerski, Gentry, Vaikuntanathan (BGV, 2010)
• Modulus Switching: Switch to a smaller modulus after each mult
• Need a chain of moduli $q = q_0$, $q_i \approx q_{i-1}/B$
[Figure: the same multiplication tree with modulus switching; after each multiplication the modulus shrinks by a factor $B$ ($q/B$, $q/B^2$, $q/B^3$), so the noise stays at $B$ relative to the current modulus and is compared against $q_i/2$]
• $B^2 \to B^3 \to B^4, \ldots, \to B^L$ ($L$ levels of mult)
• Leveled fully-homomorphic encryption

Annoying Things in BGV

• Ciphertexts expand upon multiplication
• Need a complicated relinearization step (key switching)
• Need modulus switching to get reasonably small noise growth

• Can we do without modulus switching?
• Can we avoid ciphertext expansion?
• Can we achieve both at the same time?

Avoiding Modulus Switching

Message $m \in \{0,1\}$, $s \leftarrow \chi$ secret key
Regev (2005)
encryption: Sample $a \leftarrow R_q$ uniform, $e \leftarrow \chi$ error or noise, $b = \frac{q}{2} m + a \cdot s + e \bmod q$, ciphertext $c = (a, b)$
decrypt: $\left\lfloor \frac{2}{q}(b - a \cdot s) \right\rceil$, since $b - a \cdot s = \frac{q}{2} m + e$
decrypts correctly if $e < q/4$.
[Figure: $b - a \cdot s$ drawn on a number line of length $q$, showing the parts $(q/2)m$ and $e$]

Scale-invariant Multiplication

• Multiplication (Regev '05):
  $(b_1 - a_1 \cdot s)(b_2 - a_2 \cdot s) = \left(\frac{q}{2} m_1 + e_1\right)\left(\frac{q}{2} m_2 + e_2\right) = \left(\frac{q}{2}\right)^2 m_1 m_2 + \frac{q}{2}(m_1 e_2 + m_2 e_1) + e_1 e_2$
• Scaling by $\left(\frac{q}{2}\right)^{-1}$: $\frac{q}{2} m_1 m_2 + (m_1 e_2 + m_2 e_1) + \left(\frac{q}{2}\right)^{-1} e_1 e_2$
• $L$ levels: noise $C^L \cdot B$, with $C$ independent of $B$

Keeping Ciphertexts at One Element

Message $m \in \{0,1\}$ (asymmetric scheme)
NTRU-like encryption (Stehlé, Steinfeld 2011):
Key: Sample $f', g \leftarrow \chi$, $f = 1 + 2f'$ secret key, public key $h = 2g/f \bmod q$
Encryption: Sample $s, e \leftarrow \chi$ error, $c = \frac{q}{2} m + h \cdot s + e \bmod q$
Decryption: $m = \left\lfloor \frac{2}{q} (f \cdot c) \right\rceil \bmod 2$, since $f \cdot c = \frac{q}{2} m + v \bmod q$
decrypts correctly if $v < q/2$.
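The NTRU-like scheme of this slide, together with the scale-invariant product of the previous one, as an added example that is not the talk's or the authors' code. It uses a constructed toy ring R = Z[X]/(X^8 + 1) with the prime q = 1000003 and χ = uniform coefficients in {−1, 0, 1}. The public key needs $f^{-1}$ in $R_q$, which is computed here by Gauss-Jordan elimination on the multiplication-by-$f$ matrix (an assumption of this example; a production implementation would use a dedicated polynomial inversion). The product of two one-element ciphertexts is $\lfloor \frac{2}{q} c_1 c_2 \rceil \bmod q$, again a single ring element; it decrypts under $f^2$, and the key-switching step back to $f$ is left out.

```python
import random

# Added example. Toy parameters, constructed for illustration only (far too small to be secure).
N = 8            # ring R = Z[X]/(X^N + 1)
Q = 1_000_003    # odd prime modulus q: every non-zero pivot below is invertible mod Q
rng = random.Random(7)

def centre(x):
    """Reduce x mod Q into the symmetric range (-Q/2, Q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def round_div(num, den):
    """Nearest integer to num/den (den > 0), computed exactly in integers."""
    return (2 * num + den) // (2 * den)

def ring_mul(a, b, mod=Q):
    """Negacyclic convolution a*b in Z[X]/(X^N + 1); mod=None keeps the exact integer product."""
    res = [0] * N
    for i, ai in enumerate(a):
        for j, bj in enumerate(b):
            res[(i + j) % N] += ai * bj * (1 if i + j < N else -1)   # X^N = -1
    return res if mod is None else [x % mod for x in res]

def ring_inverse(f):
    """Invert f in R_q: solve M*x = 1 mod Q, where column j of M is f*X^j. None if singular."""
    M = [[0] * N for _ in range(N)]
    for j in range(N):
        for i, fi in enumerate(f):
            M[(i + j) % N][j] = (M[(i + j) % N][j] + fi * (1 if i + j < N else -1)) % Q
    A = [row + [1 if r == 0 else 0] for r, row in enumerate(M)]   # augment with the constant 1
    for col in range(N):
        pivot = next((r for r in range(col, N) if A[r][col]), None)
        if pivot is None:
            return None
        A[col], A[pivot] = A[pivot], A[col]
        inv = pow(A[col][col], -1, Q)
        A[col] = [(x * inv) % Q for x in A[col]]
        for r in range(N):
            if r != col and A[r][col]:
                factor = A[r][col]
                A[r] = [(x - factor * y) % Q for x, y in zip(A[r], A[col])]
    return [A[r][N] for r in range(N)]

def sample_chi():
    """Small-element distribution chi: coefficients in {-1, 0, 1}."""
    return [rng.choice((-1, 0, 1)) for _ in range(N)]

def keygen():
    """Secret key f = 1 + 2f' (resampled until invertible), public key h = 2g/f mod q."""
    while True:
        f_prime = sample_chi()
        f = [(1 if i == 0 else 0) + 2 * x for i, x in enumerate(f_prime)]
        f_inv = ring_inverse([x % Q for x in f])
        if f_inv is not None:
            g = sample_chi()
            return f, ring_mul([2 * x for x in g], f_inv)

def encrypt(h, m):
    """c = floor(q/2)*m + h*s + e mod q: a single ring element, message in the constant term."""
    s, e = sample_chi(), sample_chi()
    c = ring_mul(h, s)
    c[0] += (Q // 2) * m
    return [(x + y) % Q for x, y in zip(c, e)]

def decrypt(f_power, c):
    """m = round((2/q) * [f^k * c]_q) mod 2, with k = 1 for fresh ciphertexts, k = 2 after one product."""
    return round_div(2 * centre(ring_mul(f_power, c)[0]), Q) % 2

def multiply(c1, c2):
    """Scale-invariant product round((2/q) * c1*c2) mod q: still one ring element, decryptable under f^2."""
    return [round_div(2 * x, Q) % Q for x in ring_mul(c1, c2, mod=None)]

if __name__ == "__main__":
    f, h = keygen()
    f2 = ring_mul(f, f)
    c1, c0 = encrypt(h, 1), encrypt(h, 0)
    print("fresh:", decrypt(f, c1), decrypt(f, c0))
    print("1*1 ->", decrypt(f2, multiply(c1, c1)), " 1*0 ->", decrypt(f2, multiply(c1, c0)))
    print("ciphertext size before/after mult:", len(c1), len(multiply(c1, c1)))
```

Because $f = 1 + 2f'$, the term $\frac{q}{2} f m$ reduces to $\frac{q}{2} m - f' m \bmod q$, so $f \cdot c$ really is $\frac{q}{2} m$ plus a small $v = -f'm + 2gs + fe$; the rounding in `multiply` adds at most $\frac{1}{2}$ per coefficient, amplified by $f^2$, which for these parameters stays far below $q/4$.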

New Leveled Homomorphic Scheme

What we have been doing over the summer
• No modulus switching: only one modulus
• Ciphertexts have only one element (half the size of BGV)
• No ciphertext expansion after homomorphic multiplication
• Still secure under RLWE (good security properties)
• Parameters comparable to BGV

Parameters

• Correctness via noise bounds
• Security via estimating runtime of attack on scheme in time $2^{80}$
• $R = \mathbb{Z}[X]/(\Phi_d(X))$, $t = 2$, $n = \varphi(d)$ = degree of the polynomial $\Phi_d(X)$

Thank you! Questions?