Homomorphic Encryption from RLWE Schemes and

Report
Homomorphic Encryption from RLWE
Schemes and Parameters
Joppe W. Bos
Microsoft Research
Contains joint work with Kristin Lauter, Jake Loftus and Michael Naehrig
Computing on Encrypted Data
Motivation
Outsource data and computation
to an external computing service.
Applications
• Spam filter for encrypted mail
• Searching on encrypted data
• Building block in crypto protocols
Homomorphic Encryption
RSA ─ multiplicatively homomorphic


• 1 = 1 mod , 2 = 2 mod 
1 ∙ 2 = 1 ∙ 2 = 1 ∙ 2  mod 
• Multiplying 1 , 2 gives encryption of 1 ∙ 2
Benaloh ─ additively homomorphic
• 1 = 1 1 mod , 2 = 2 2 mod 
1 ∙ 2 = 1+2 1 2  mod 
• Multiplying 1 , 2 gives encryption of 1 + 2
Fully Homomorphic Encryption (FHE)
Enables unlimited computation on encrypted data
Need scheme with unlimited add and mult capability
• Idea: Rivest, Adleman, Dertouzos (1978)
• Boneh-Goh-Nissim (2005): unlimited add + 1 mult
• Breakthrough: Gentry (2009) showed
such schemes exist
• A lot of progress since then
• Gentry, Halevi, Smart (2012): homomorphic evaluation of AES
5 minutes per block (16 bytes)
Ring Learning With Errors (RLWE)
(Lyubashevsky, Peikert, Regev 2010)
Ring (, +,∙), modulus ,  = /,
probability distribution χ on  (for sampling small elts)
Problem: distinguish between two distributions
1. Uniform distribution (, ) ∈ 2
2. The distribution that for a fixed  ← χ
samples  ←  uniformly, error e ← χ
and outputs (,  ∙  + )
Assumption: The RLWE problem is hard, i.e.
,  ∙  +  ~ ,  looks random
(Symmetric) Encryption from RLWE
Message  ∈ 0,1
 ← χ secret key
BV (Brakerski, Vaikuntanathan 2010) encryption:
Sample  ←  uniform,  ← χ error/noise
b =  +  ∙  + 2 mod , ciphertext c = a, b
decrypt:  −  ∙  mod 2 =
( + 2) mod 2 = 

decrypts correctly if  <
2
m
2e
q
Homomorphic Properties
c1 = a1 , 1 + 1 ∙  + 21 , c2 = a2 , 2 + 2 ∙  + 22
Addition:
1 + 2 = (1 + 2 , 1 + 2 + (1 + 2 ) ∙  + 2(1 + 2 ))
Multiplication (BV):
1 − 1 ∙  2 − 2 ∙  = (1 +21 ) (2 +22 )
= 1 2 + 2(1 2 + 2 1 + 21 2 )
1 − 1 ∙  2 − 2 ∙  = 1 2 − 1 2 + 2 1  + 1 2  2
New ciphertext: (1 2 , 1 2 + 2 1 , 1 2 ) now 3 elements!
Noise Growth
• Initial noise: 
• Addition: noise terms add up,  → 2
• Multiplication: noise terms are multiplied,  → 2
1 2 3 4
3 4
1 2
1
2
4
2
4
3
8
•  → , → ,…,
4
2−1
→
2
4

4
>2
2

2
>2



>2
(L levels of mult)
Exponential Improvement
Brakerski, Gentry, Vaikuntanathan (BGV, 2010)
Modulus Switching: Switch to a smaller modulus after each mult
−1
• Need a chain of moduli  = 0 ,  ≈

1 2 3 4
3 4
1 2
1
2
3
4


3


2



• 2 → 3 → 4 , … , →  (L levels of mult)
• Leveled fully-homomorphic encryption
=
2

>2
=
1

>2
=
0

>2
Annoying Things in BGV
• Ciphertexts expand upon multiplication
Need a complicated relinearization step (key switching)
• Need modulus switching to get reasonably small
noise growth
• Can we do without modulus switching?
• Can we avoid ciphertext expansion?
• Can we achieve both at the same time?
Avoiding Modulus Switching
Message  ∈ 0,1
 ← χ secret key
Regev (2005) encryption:
Sample  ←  uniform,  ← χ error or noise
=

2
 +  ∙  +  mod , ciphertext c = a, b
−∙ =

2
 + , decrypt:
decrypts correctly if  <

.
4
2
(
q
−  ∙ )
(q/2)m
e
q
Scale-invariant Multiplication
Multiplication (Regev’05):

2

2
1 − 1 ∙  2 − 2 ∙  = ( 1 + 1 ) ( 2 + 2 )
2

=
1 2 +
(1 2 + 2 1 ) + 1 2
2
2
 −1

•
1 − 1 ∙  2 − 2 ∙  =
1 2
2
2
 −1
+ 1 2 + 2 1 +
1 2
2
• New noise term is of size  ∙ , after  levels   ∙ 
 independent of 
•
Keeping Ciphertexts at One Element
Message  ∈ 0,1
(asymmetric scheme)
2
′
Sample  ,  ← χkey ,  = 1 + 2′ secret key, public key ℎ =

NTRU-like encryption (Stehlé, Steinfeld 2011):
Encryption:
Sample s,  ← χerr
Decryption:

c=
 + ℎ ∙  +  mod 
2
2
 =  ∙  mod 2, since
q

∙ =
 + ,
2

decrypts correctly if  < .
2
New Leveled Homomorphic Scheme
What we have been doing over the summer
•
•
•
•
•
No modulus switching: only one modulus
Ciphertexts have only one element (half the size of BGV)
No ciphertext expansion after homomorphic multiplication
Still secure under RLWE (good security properties)
Parameters comparable to BGV
Parameters
• Correctness via noise bounds
• Security via estimating runtime of attack on scheme in time 280
•  =   /ϕ  ,  = 2,  = φ() of the polynomial ϕ 
Thank you! Questions?

similar documents