Date post: | 20-Feb-2018 |
Category: |
Documents |
Upload: | nguyenkhanh |
View: | 230 times |
Download: | 3 times |
Fully Homomorphic Encryption without Modulus Switching
from Classical GapSVP
Zvika Brakerski
Stanford University
CRYPTO 2012
Outsourcing Computation
Email, web-search, navigation, social networkingβ¦
π₯ π
π(π₯)
π₯
What if π₯ is private?
Search query, location, business information, medical informationβ¦
Outsourcing Computation β Privately
Homomorphic Encryption
π, πΈππ π₯1 , β¦ , πΈππ π₯π β πΈππ(π π₯1, β¦ , π₯π )
We assume w.l.o.g π β *+,Γ+ (over β€2).
π₯ π
π¦
πΈππ(π₯)
π·ππ π¦ = π(π₯)
Learns nothing on π₯.
The Old Days of FHE
β’ Gentryβs breakthrough [G09,G10] β first candidate.
β’ [vDGHV10, BV11a]: Similar outline, different assumptions.
β’ [GH11]: Chimeric-FHE.
β’ Efficiency attempts [SV10,SS10,GH10,LNV11].
2009-2011
2nd Generation FHE
β’ [BV11b]: LWE-based FHE (= apx. short vector in lattice).
β Better assumption.
β Clean presentation: no ideals, no βsquashingβ.
β Efficiency improvement.
β’ [BGV12]: Improved performance via Modulus Switching.
β Quantitatively better assumption.
β βLeveledβ homomorphism without bootstrapping.
β Efficiency improvements using ideals (βbatchingβ).
[GHS11,GHS12a, GHS12b]: Efficiency improvements and optimizations using ideals.
This work:
Modulus switching is a red herring
βScale-independent encryptionβ
β better performance with less headache
FHE 101 [BV11b]
Secret key: π β β€ππ
Ciphertext: π β β€ππ
Encryption algorithm: Doesnβt matter.
Decryption algorithm: π β π πππ π (πππ 2).
Security based on πΏππΈπ,π,πΌ The Scheme:
π β π = π + 2π + ππΌ
small (initial) noise π < π΅ = πΌπ
dec. if π /π <1
4
FHE 101 [BV11b]
Secret key: π β β€ππ
Ciphertext: π β β€ππ
The Scheme:
π β π = π + 2π + ππΌ
small (initial) noise π < π΅ = πΌπ
dec. if π /π <1
4
Additive Homomorphism: That again? Just addβem, dudeβ¦
π 1, π 2 β π 1 + π 2 πππ π
FHE 101 [BV11b]
Multiplicative Homomorphism:
π 1, π 2 β π 1 β π 2 πππ π β β€ππ2
vector of all cross terms π 1 π β π 2 π π,π
π 1 β π 2 β π β π = π 1 β π β π 2 β π = π1 + 2π1 β π2 + 2π2 (πππ π)
= π1π2 + 2 β π π1π2 (πππ π)
π π changedβ¦ but we can bring it back
(we have the technology)
~π΅2
noise blows up!
π© β π©π β β― β π©ππ
dec. if π΅2π/π <
1
4
Secret key: π β β€ππ
Ciphertext: π β β€ππ
The Scheme:
π β π = π + 2π + ππΌ
small (initial) noise π < π΅ = πΌπ
dec. if π /π <1
4
Modulus Switching [BGV12]
Idea: Bring noise back down by dividing the entire ciphertext by π΅.
π β β€ππ
with noise |π| < π΅2 /π΅
π /π΅ β β€π/π΅π
with noise |π| < π΅
(make sure not to harm the message bit π)
(π©, π) β (π©, π/π©) β β― β (π©, π/π©π )
Noise/modulus evolution:
dec. if π΅π+1 < π/4
My Problems with Modulus Switching
1. Modulus switching is scale-dependent. - Scaling π΅, π changes performance:
Smaller π΅, π smaller π΅π+1/π better homomorphism.
2. What does modulus switching really do?
- Same as a scaling factor in the tensoring process ( π 1, π 2 β π β π 1 β π 2 πππ π ).
- In a βcorrectβ scale, this factor should be 1.
nothingβ¦
Our Solution: Scale-Independent FHE
Compare with previous:
real numbers πππ 2 β‘ (β1,1]
Hardness assumption is the same πΏππΈπ,π,πΌ.
Secret key: π β β€π
Ciphertext: π β β2π
π β π = π + π + 2πΌ
small (initial) noise π < 2πΌ
dec. if π <1
2
Scale-Independent Multiplication
Multiplicative Homomorphism:
π 1, π 2 β π 1 β π 2 πππ 2 β β2π2
π 1 β π 2 β π β π = π 1 β π β π 2 β π
= π1 + π1 + 2πΌ1 β π2 + π2 + 2πΌ2 (πππ 2)
= π1π2 + π1 β π2 + 2πΌ2 + π2 β π1 + 2πΌ1 + π1π2 (πππ 2)
Careful!
1/2 πππ 2 β 2 πππ 2 β 1 (πππ 2)
~πΌ2= tiny! ~πΌ β |π + 2πΌ|
π + 2πΌ β π β π β€ π 1
β² πΌ β π 1
real numbers πππ 2 β‘ (β1,1]
Secret key: π β β€π
Ciphertext: π β β2π
π β π = π + π + 2πΌ
small (initial) noise π < 2πΌ
dec. if π <1
2
Noise blowup: πΆ β πΆ β π π
Scale-Independent Multiplication
Multiplicative Homomorphism:
π 1, π 2 β π 1 β π 2 πππ 2 β β2π2
Noise blowup: πΆ β πΆ β π π
Not good enough: π 1 β ππ
Solution: Decompose the elements of π into π log π bits.
real numbers πππ 2 β‘ (β1,1]
Secret key: π β β€π
Ciphertext: π β β2π
π β π = π + π + 2πΌ
small (initial) noise π < 2πΌ
dec. if π <1
2
π = π 1 , π 2 , β¦
π = π 1 , π 2 , β¦
π β π = π 1 β π 1 + π 2 β π 2 + β―
π = π 1 0, β¦ , π 1 log π , π 2 0, β¦ , π 2 log π , β¦
π = π 1 , 2π 1 , β¦ , 2log ππ 1 , π 2 , 2π 2 , β¦ , 2log ππ 2 , β¦
π β π = π 1 π β 2ππ 1π + π 2 π β 2ππ 2π + β―
= π 1 β π 1 + π 2 β π 2 + β―
Binary Decomposition
Scale-Independent Multiplication
π 1, π 2 β π 1 β π 2 πππ 2 β β2π2
Noise blowup: πΆ β πΆ β π π
π 1 β€ π log π
Noise blowup: πΆ β πΆ β π log π β€ πΆ β ππ
For depth π circuit: πΌ β πΌ β ππ(π) regardless of scale!
real numbers πππ 2 β‘ (β1,1]
Secret key: π β *0,1+π log π
Ciphertext: π β β2π log π
π β π = π + π + 2πΌ
small (initial) noise π < 2πΌ
dec. if π <1
2
Multiplicative Homomorphism:
Full Homomorphism via Bootstrapping
Evaluating depth π circuit: πΆ β πΆ β ππΆ(π )
For βbootstrappingβ: π = π(log π) β πΆ β πΆ β ππΆ(π₯π¨π π)
β dec. if πΆ β πβπΆ(π₯π¨π π) regardless of π!
(in *BGV12+ only for βsmallβ odd π)
Using π β 2π β Hardness based on classical GapSVP.
Conclusion
β’ Scale-independence FHE without modulus switching.
β’ Homomorphic properties independent of π. β But π still matters for security.
β’ Properties of [BGV12] extend.
β’ Bonuses: β Our π can be even (e.g. power of 2). β Security based on classical GapSVP (as opposed to quantum).
β’ Simpler!
tiny.cc/fheblog1 ; tiny.cc/fheblog2
also see blog post with Boaz Barak:
Farewell CRYPTO β12β¦
tiny.cc/fheblog1 ; tiny.cc/fheblog2
also see blog post with Boaz Barak: