Difference between revisions of "FHE over the Integers"
(Created page with "This is a fully homomorphic encryption relying only on modular arithmetic. The authors first create an somewhat homomorphic scheme which is bootstrappable and then app...") |
|||
(27 intermediate revisions by the same user not shown) | |||
Line 1: | Line 1: | ||
− | This is a fully homomorphic encryption relying only on modular arithmetic. The authors first create | + | This is a fully homomorphic encryption relying only on modular arithmetic introduced by van Dijk et al <ref name = vDGHV10> M. van Dijk, C. Gentry, S. Halevi, V. Vaikuntanathan. Fully Homomorphic Encryption over the Integers. In "Advances in Cryptology – EUROCRYPT 2010", 2010.</ref>. The authors first create a somewhat homomorphic scheme which is bootstrappable and then apply Gentry's technique to construct a fully homomorphic scheme. We refer to Gentry's article <ref name = G10> C. Gentry. Computing arbitrary functions of encrypted data. In "Communications of the ACM", 2010.</ref> for the precise definitions of "somewhat homomorphic" and "bootstrappable" schemme. |
+ | |||
+ | One of the main advantages of this scheme represents its conceptual simplicity. The security of the scheme is reduced to the [https://martinralbrecht.wordpress.com/2020/03/21/the-approximate-gcd-problem/ approximate gcd problem] over the integers, that is, given a list of integers that are near-multiples of an unknown integer <b>d</b>, find <b>d</b>. | ||
+ | |||
+ | == A somewhat homomorphic encryption scheme == | ||
+ | |||
+ | Using a theorem of Gentry, the authors are able to construct a homomorphic encryption scheme that can handle circuits of any depth from a scheme that is capable of evaluating just a little more than its own decryption circuit. | ||
+ | |||
+ | Let us first construct a somewhat homomorphic encryption scheme. | ||
+ | |||
+ | <b> Definition. </b> Let <math> \mathcal E = (Keygen, Encrypt, Decrypt, Evaluate) </math> be an encryption scheme where <math> Decrypt </math> is implemented by a circuit that depends only on the security parameter. For a given value <math> \lambda </math> of the security parameter, the set of <b> augmented decryption circuits</b> consists of two circuits, both take as input a secret key and two ciphertexts. One circuit decrypts both ciphertexts and adds the resulting plaintext bits modulo <math> 2</math>, the other decrypts both ciphertexts and multiplies the resulting plaintext bits modulo <math>2 </math>. The authors denote this set by <math>D_{\mathcal E}(\lambda) </math>. | ||
+ | |||
+ | A homomorphic encyption scheme <math> \mathcal E = </math> is called <b> bootstrappable </b> if for every value of the security parameter, the scheme can handle all the circuits in <math> D_{\lambda} </math>. | ||
+ | |||
+ | Given such a scheme <math> \mathcal E </math> and a paramater <math>d=d(\lambda) </math>, there is an efficient transformation that outputs the description of another encryption scheme <math> \mathcal E^{(d)}</math> which is compact, has the same <math> Decryption</math> circuit as <math>\mathcal E</math>, and is homomorphic for all circuits of depth up to <math>d</math>. | ||
+ | |||
+ | |||
+ | If we assume that the initial bootstrappable scheme <math>\mathcal E</math> is circular secure then it can be converted into a single compact fully-homomorphic encryption scheme <math>\mathcal E'</math>. | ||
+ | |||
+ | We refer to Gentry's article [2] for the precise definition of "compact", "bootstrappable" and "circular security". | ||
+ | |||
+ | |||
+ | ''' The construction of the scheme''' | ||
+ | |||
+ | The construction has many parameters controlling the number of integers in the public key and the bit-length of various integers. We choose omit most of them in this presentation, but we refer the interested reader to <b>M. van Dijk et al.</b> for their precise description. | ||
+ | |||
+ | <math>Keygen(\lambda) </math>: The secret key is an odd <math> \eta </math> bit integer. For the public key <math>p_k</math>, integers <math>x_0, x_1, \dots, x_{\tau} </math> are sampled uniformly from a given set of near-multiples of <math> p </math>. As previously mentioned, finding the secret key <math> p </math> would require force an attacker to give a resolution for an approximate gcd problem in the integers. The latter is known to be very difficult. | ||
+ | |||
+ | <math>Encrypt(p_k, m \in \{0,1 \})</math>: Choose a random subset <math> S \subseteq \{1,2, \dots, \tau \} </math> and a random integer <math> r </math> in a specified range, and <b>output</b> <math>c \leftarrow \left(m+2r+2 \sum_{i \in S} x_i \right) \pmod{x_0} </math>. | ||
+ | |||
+ | <math>Evaluate(p_k,C,c_1,\dots, c_t) </math>: Given the (binary) circuit <math> C</math> with <math>t </math> inputs and ciphertexts <math>c_1, \dots, c_t </math>, apply the integer addition and multiplication gates of <math> C</math> to the ciphertexts, performing all the operations over the integers and <b> output </b> the result, an integer. | ||
+ | |||
+ | <math>Decrypt(s_k,c)</math>: Output <math> m' \leftarrow </math> (<math>c </math> mod <math>p </math>) mod 2. | ||
+ | |||
+ | <i>Remark.</i> The encryption can be viewed as adding the underlying message <math> m</math> to a random subset sum of encryptions of zero. Indeed, notice that each <math> w_i =2x_i \pmod x_0 </math> and also <math>x_0</math> is essentially an encryption of zero; its noise is even. Moreover, <math> c = m +2r + \sum_{i \in S} w_i -k \cdot x_0</math> for some integer <math>k </math>. | ||
+ | |||
+ | The proposers of the scheme prove that <math> \mathcal E </math> can handle circuits if these can be represented by multivariate polynomials with degree smaller than some given, explicit bound. | ||
+ | |||
+ | == Ciphertext compression == | ||
+ | |||
+ | The authors of the scheme describe various optimisations in order to keep the evaluated ciphertexts of the same length as the original "fresh" ciphertexts. However, the size of the evaluated ciphertexts is still very large large for applications. | ||
+ | |||
+ | To solve this problem, the authors propose a compression of these ciphertexts down to the size of an [https://en.wikipedia.org/wiki/RSA_(cryptosystem) RSA] modulus. This reduces the communication complexity of the scheme dramatically. | ||
+ | |||
+ | The price of this optimisation is that the compressed ciphertexts cannot be further evaluated and hence this compression can be used only on the final output ciphertexts, after all the desired evaluations were completed. | ||
+ | |||
+ | == Making the scheme fully homomorphic == | ||
+ | |||
+ | In order to successfully transform <math> \mathcal E </math> into a bootstrappable scheme, the authors slightly modify the decryption circuit of <math> \mathcal E </math>. | ||
+ | The problem with <math> \mathcal E </math> is that its decryption equation <math> m' \leftarrow (c - \lfloor c/p \rfloor) </math> mod 2, requires Boolean circuits that are deeper than what <math> \mathcal E </math> can handle. | ||
+ | |||
+ | An idea of Gentry is used to “squash”, i.e. to simplify, the decryption circuit. In this transformation, one adds to the public key some extra information about the secret key. This extra information is then used to “post process” the ciphertext such that the latter can be decrypted more efficiently. | ||
+ | |||
+ | This is paid for by introducing another so called “hardness assumption”, basically assuming that the extra information in the public key does not help an attacker break the scheme. | ||
+ | |||
+ | In the modified scheme, we add to the public key from the original <math> \mathcal E</math> a set <math> \mathcal y = \{y_1, \dots, y_{\theta} \}</math> of <math> \theta </math> rational numbers belonging to <math> [0,2) </math> such that there is a sparse (in a precise sense) subset <math> S \subset \{1,\dots, \theta \}</math> with <math> \sum_{I \in S} y_i \approx 1/p </math> (mod 2). The secret key is replaced by the indicator vector of the subset <math> S</math>. | ||
+ | |||
+ | The new key generation procedure will output the aforementioned public and secret keys. | ||
+ | |||
+ | To encrypt or evaluate, one generates a ciphertext <math>c* </math> as in the scheme <math> \mathcal E </math>. Then for each <math> I \in S </math>, set <math> z_i \leftarrow c* \cdot y_i </math> (mod 2) (of course, these operations are done with a bounded number of bits of precision). The procedure outputs <math>c* </math> and the vector <math> z= <z_1, \dots, z_{\theta}></math>. | ||
+ | |||
+ | To decrypt, one just has to output <math>m' \leftarrow c*- \lfloor s_iz_i \rfloor </math> (mod 2). | ||
+ | |||
+ | It can be easily shown that the modified scheme is correct for all the circuits that the original scheme <math> \mathcal E </math> could handle. | ||
+ | |||
+ | On the other hand, the authors prove (see Theorem 3 of loc. cit.) that new scheme can handle its decryption circuit, hence it can be bootstrapped and transformed into a fully homomorphic encryption scheme. | ||
+ | |||
+ | ==References== |
Latest revision as of 09:56, 30 December 2020
This is a fully homomorphic encryption relying only on modular arithmetic introduced by van Dijk et al [1]. The authors first create a somewhat homomorphic scheme which is bootstrappable and then apply Gentry's technique to construct a fully homomorphic scheme. We refer to Gentry's article [2] for the precise definitions of "somewhat homomorphic" and "bootstrappable" schemme.
One of the main advantages of this scheme represents its conceptual simplicity. The security of the scheme is reduced to the approximate gcd problem over the integers, that is, given a list of integers that are near-multiples of an unknown integer d, find d.
Contents
A somewhat homomorphic encryption scheme
Using a theorem of Gentry, the authors are able to construct a homomorphic encryption scheme that can handle circuits of any depth from a scheme that is capable of evaluating just a little more than its own decryption circuit.
Let us first construct a somewhat homomorphic encryption scheme.
Definition. Let be an encryption scheme where is implemented by a circuit that depends only on the security parameter. For a given value of the security parameter, the set of augmented decryption circuits consists of two circuits, both take as input a secret key and two ciphertexts. One circuit decrypts both ciphertexts and adds the resulting plaintext bits modulo , the other decrypts both ciphertexts and multiplies the resulting plaintext bits modulo . The authors denote this set by .
A homomorphic encyption scheme is called bootstrappable if for every value of the security parameter, the scheme can handle all the circuits in .
Given such a scheme and a paramater , there is an efficient transformation that outputs the description of another encryption scheme which is compact, has the same circuit as , and is homomorphic for all circuits of depth up to .
If we assume that the initial bootstrappable scheme is circular secure then it can be converted into a single compact fully-homomorphic encryption scheme .
We refer to Gentry's article [2] for the precise definition of "compact", "bootstrappable" and "circular security".
The construction of the scheme
The construction has many parameters controlling the number of integers in the public key and the bit-length of various integers. We choose omit most of them in this presentation, but we refer the interested reader to M. van Dijk et al. for their precise description.
: The secret key is an odd bit integer. For the public key , integers are sampled uniformly from a given set of near-multiples of . As previously mentioned, finding the secret key would require force an attacker to give a resolution for an approximate gcd problem in the integers. The latter is known to be very difficult.
: Choose a random subset and a random integer in a specified range, and output .
: Given the (binary) circuit with inputs and ciphertexts , apply the integer addition and multiplication gates of to the ciphertexts, performing all the operations over the integers and output the result, an integer.
: Output ( mod ) mod 2.
Remark. The encryption can be viewed as adding the underlying message to a random subset sum of encryptions of zero. Indeed, notice that each and also is essentially an encryption of zero; its noise is even. Moreover, for some integer .
The proposers of the scheme prove that can handle circuits if these can be represented by multivariate polynomials with degree smaller than some given, explicit bound.
Ciphertext compression
The authors of the scheme describe various optimisations in order to keep the evaluated ciphertexts of the same length as the original "fresh" ciphertexts. However, the size of the evaluated ciphertexts is still very large large for applications.
To solve this problem, the authors propose a compression of these ciphertexts down to the size of an RSA modulus. This reduces the communication complexity of the scheme dramatically.
The price of this optimisation is that the compressed ciphertexts cannot be further evaluated and hence this compression can be used only on the final output ciphertexts, after all the desired evaluations were completed.
Making the scheme fully homomorphic
In order to successfully transform into a bootstrappable scheme, the authors slightly modify the decryption circuit of . The problem with is that its decryption equation mod 2, requires Boolean circuits that are deeper than what can handle.
An idea of Gentry is used to “squash”, i.e. to simplify, the decryption circuit. In this transformation, one adds to the public key some extra information about the secret key. This extra information is then used to “post process” the ciphertext such that the latter can be decrypted more efficiently.
This is paid for by introducing another so called “hardness assumption”, basically assuming that the extra information in the public key does not help an attacker break the scheme.
In the modified scheme, we add to the public key from the original a set of rational numbers belonging to such that there is a sparse (in a precise sense) subset with (mod 2). The secret key is replaced by the indicator vector of the subset .
The new key generation procedure will output the aforementioned public and secret keys.
To encrypt or evaluate, one generates a ciphertext as in the scheme . Then for each , set (mod 2) (of course, these operations are done with a bounded number of bits of precision). The procedure outputs and the vector .
To decrypt, one just has to output (mod 2).
It can be easily shown that the modified scheme is correct for all the circuits that the original scheme could handle.
On the other hand, the authors prove (see Theorem 3 of loc. cit.) that new scheme can handle its decryption circuit, hence it can be bootstrapped and transformed into a fully homomorphic encryption scheme.