[Slides] A simple (leveled) fully homomorphic encryption scheme and thoughts on bootstrapping (2013).pdf
1. Workshop on Lattices with Symmetry
The FHE scheme is joint work with Amit Sahai (UCLA) and
Brent Waters (UT Austin)
Supported by IARPA contract number D11PC20202
August 15, 2013
A Simple (Leveled) Fully Homomorphic
Encryption Scheme
And Thoughts on Bootstrapping
2. Our Results
“Leveled” FHE from LWE, with nice properties:
“Leveled” FHE: Can’t go an unbounded # of levels.
Can set params to enable any poly(λ) # of levels.
Conceptual Simplicity: Ciphertexts are matrices.
To add or multiply, just add or multiply matrices.
Asymptotic Advantage: n^ω computation per mult
ω < 2.3727 is the matrix multiplication constant
Previous schemes: “Relinearization” takes n^3 computation
3. Keep Good Parts of Previous Schemes
Leveled FHE without bootstrapping [BGV12]
Security: Based on LWE for quasi-polynomial
factors (if you use bootstrapping) [BGV12]
15. Noisiness of Ciphertexts
Ciphertext noise grows exponentially with depth.
Hence log q and dimension of ciphertext matrices
grow linearly with depth.
16. Ciphertext Size Reduction
Modulus reduction [BV11b, BGV12]:
Suppose c encrypts m – that is, m = [[<c,v>]q]2.
Let’s pick p < q and set c* = (p/q)·c, rounded.
Maybe it is true that:
c* encrypts m: m = [[<c*,v>]p]2 (new inner modulus).
|[<c*,v>]p| ≈ (p/q) · |[<c,v>]q| (noise is smaller).
This really shouldn’t work… but it does…
Also, dimension reduction: won’t go over this.
17. Scaling lemma: Let p < q be odd moduli.
Given c with m = [[<c,s>]q]2. Set c’ = (p/q)c. Set c” to be the integer vector closest to c’, such that c” = c mod 2.
If |[<c,s>]q| < q/2 − (q/p)·l1(s), then:
c” is a valid encryption of m with possibly much less noise!
m = [[<c”,s>]p]2, and |[<c”,s>]p| < (p/q) · |[<c,s>]q| + l1(s)
Annotated Proof
1. For some k, [<c,s>]q = <c,s> − kq.
2. (p/q)·[<c,s>]q = <c’,s> − kp.
3. |<c”−c’,s>| < l1(s).
4. Thus, |<c”,s> − kp| < (p/q) · |[<c,s>]q| + l1(s) < p/2.
5. So, [<c”,s>]p = <c”,s> − kp.
6. Since c” = c mod 2 and p = q mod 2, we have [[<c”,s>]p]2 = [[<c,s>]q]2.
Intuition (the modulus reduction “magic trick”):
1. Imagine <c,s> is close to kq.
2. Then <c’,s> is close to kp.
3. <c”,s> is also close to kp if s is small.
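The scaling lemma as runnable Python, added here as an illustration and not code from the slides: it builds toy LWE-style ciphertexts c with <c,s> = m + 2e mod q for a secret s = (1, s’) with entries in {−1, 0, 1}, rounds (p/q)·c to the nearest integer vector with c” = c mod 2, and checks the lemma’s hypothesis, decryption under the smaller odd modulus p, and the noise bound (p/q)·|[<c,s>]q| + l1(s). The moduli, dimension and noise range are constructed toy values, not parameters from the talk.

```python
from fractions import Fraction
from math import floor
import random

def centered(x, q):
    """[x]_q: the representative of x mod q in (-q/2, q/2]."""
    r = x % q
    return r - q if r > q // 2 else r

def inner(c, s):
    return sum(ci * si for ci, si in zip(c, s))

def noise(c, s, q):
    return abs(centered(inner(c, s), q))      # |[<c,s>]_q|

def decrypt(c, s, q):
    return centered(inner(c, s), q) % 2       # m = [[<c,s>]_q]_2, valid while noise < q/2

def encrypt(m, s, q, rng, noise_bound=50):
    """Toy LWE-style ciphertext c = (b, a) with <c,s> = m + 2e mod q, where s = (1, s')."""
    a = [rng.randrange(q) for _ in s[1:]]
    e = rng.randint(-noise_bound, noise_bound)
    return [(m + 2 * e - inner(a, s[1:])) % q] + a

def scale(c, q, p):
    """c'': the integer vector closest to c' = (p/q)c with c'' = c mod 2 coordinate-wise."""
    out = []
    for ci in c:
        x = Fraction(p * ci, q)                 # exact c'_i
        r = floor(x + Fraction(1, 2))           # nearest integer to c'_i
        if (r - ci) % 2:                        # wrong parity: take the nearest of r-1, r+1
            r = min(r - 1, r + 1, key=lambda t: abs(x - t))
        out.append(r)
    return out

def demo(q=1_000_003, p=1_003, n=8, seed=1):
    """Reduce q -> p for m in {0,1}; returns (decrypts_ok, bound_ok, old_noise, new_noise) per m."""
    rng = random.Random(seed)                                  # constructed toy parameters
    s = [1] + [rng.choice((-1, 0, 1)) for _ in range(n - 1)]   # small secret, so l1(s) <= n
    l1 = sum(abs(si) for si in s)
    out = []
    for m in (0, 1):
        c = encrypt(m, s, q, rng)
        # hypothesis of the lemma: |[<c,s>]_q| < q/2 - (q/p) * l1(s)
        assert noise(c, s, q) < Fraction(q, 2) - Fraction(q, p) * l1
        c2 = scale(c, q, p)
        bound = Fraction(p, q) * noise(c, s, q) + l1           # (p/q)|[<c,s>]_q| + l1(s)
        out.append((decrypt(c2, s, p) == m, noise(c2, s, p) <= bound,
                    noise(c, s, q), noise(c2, s, p)))
    return out
```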
18. Modulus Reduction: Shortcomings
Reduces size of modulus (q to p) and size of ciphertext
Does not reduce ratio of modulus to noise.
20. Bootstrapping: What Is It?
[Figure: a circuit F evaluated homomorphically on inputs x1, x2, …, xt, producing the ciphertext c]
So far, we can evaluate bounded depth funcs F:
We have a noisy evaluated ciphertext c.
We want to get a less noisy c’ that encrypts the same value.
Modulus reduction is not enough…
Bootstrapping refreshes ciphertexts, using the encrypted secret key.
21. Bootstrapping: What Is It?
For ciphertext c, consider Dc(sk) = Decryptsk(c).
Suppose Dc(∙) is a low-depth polynomial in sk.
Include in the public key also Encpk(sk).
[Figure: the decryption circuit Dc, with c hard-wired, is evaluated homomorphically on the encrypted secret-key bits sk1, sk2, …, skn; its output is a fresh ciphertext c’ of y = Dc(sk) = Decryptsk(c)]
22. Bootstrapping: A Mixed Blessing
Good news: Gives us unbounded depth
Bad news: Computationally very expensive!
Involves running Decrypt circuit homomorphically.
Decrypt is rather expensive already. Why?
Decryption formula must have high (polynomial) degree (log depth).
Decrypting with the overhead of homomorphic
encryption is too much.
25. We Want a New Approach for FHE
Do we really need “noisy” ciphertexts?
Can we “refresh” ciphertexts (reduce their noise)
without “bootstrapping”, or a radically streamlined
version of it?
Can we at least allow q to be only polynomial in
the security parameter (rather than quasi-
polynomial)?
26. “Polly Cracker”: An Attempt at No-Noise FHE [Fellows-Koblitz ‘93]
Main Idea
Encryptions of 0 evaluate to 0 at the secret key.
KeyGen: Secret = some point s = (s1, …, sn) ∈ Z_q^n.
Public key: Polynomials {ai(x1,…,xn)} s.t. ai(s)=0 mod q.
Encrypt: From {ai}, generate a random polynomial b(x)
such that b(s) = 0 mod q. For m in {0,1}, ciphertext is:
c(x) = m + b(x) mod q.
Decrypt: Evaluate ciphertext at secret: c(s)=m mod q.
ADD and MULT: Output sum or product of ciphertexts.
27. An Attack if # of monomials in ciphertexts is small:
Collect lots of encryptions {ci} of 0.
If the challenge ciphertext also encrypts 0, it will likely be in the linear span of the given encryptions of 0.
Use Gaussian elimination (linear algebra).
Avoiding the attack:
Can # of monomials in ciphertext be exponential?
But ciphertext can be efficiently represented?
Without introducing other attacks?
Polly Cracker Cryptanalysis
28. Noisy Polly Cracker: A Framework for Most Somewhat Homomorphic Schemes
Main Idea
Encryptions of 0 evaluate to something small and even
(smeven) at the secret key.
KeyGen: Secret = some point s = (s1, …, sn) ∈ Z_q^n, with gcd(q,2)=1.
Public key: Polynomials {ai(x1,…,xn)} s.t. ai(s) = 2ei mod q, |ei| ≪ q.
Encrypt: From {ai}, generate a random polynomial b(x) such that
b(s) = smeven mod q. For m in {0,1}, ciphertext is:
c(x) = m + b(x) mod q.
Decrypt: Evaluate ciphertext at secret: c(s)=m+smeven mod q.
Then, reduce mod 2 to get m.
ADD and MULT: Output sum or product of ciphertexts.
29. Noisy Polly Cracker: A Framework for Most Somewhat Homomorphic Schemes (continued)
We call [c(s) mod q] the “noise” of the ciphertext.
ADDs and MULTs make the “noise” grow.
30. Confining Noise to Tight Orbits
Ciphertexts have “noise”
But we want noise that doesn’t grow with # of operations
Noise remains always in one of two distinct orbits O0
and O1, depending on which bit is encrypted.
Noise maintains high entropy, without growing larger.
Can we make the following maps efficiently computable, even when the orbits have high entropy, and when distinguishing elements of the two orbits is hard?
f_ADD : O_{m1} × O_{m2} → O_{m1+m2}
f_MULT : O_{m1} × O_{m2} → O_{m1×m2}
31. Confining Noise to Tight Orbits
An Obstacle?
(Cohen, Shpilka, Tal): Other than linear polynomials, the min degree of a polynomial f : [1,n] → [1,n] is n − o(n).
Suggests perhaps f_ADD and f_MULT must have very high degree – not a “simple” transformation.
But is this really an obstacle?
Bootstrapping uses a polynomial of very high degree for free:
It decomposes a ciphertext into bits (mod 2) – this is a high-degree transformation viewed modulo p ≠ 2.
Modulus reduction is also a “free” high-degree transformation.