Difference between revisions of "FHE over the Integers"
| Line 34: | Line 34: | ||
== Ciphertext compression == | == Ciphertext compression == | ||
| + | |||
| + | The authors of the scheme describe various optimisations in order to keep the evaluated ciphertexts at of the same length as the original "fresh" ciphertexts. However, the size of the evaluated ciphertexts is still very large large for applications. | ||
| + | |||
| + | To solve this problem, the authors propose a compression of these ciphertexts down to the size of an [[RSA]] modulus. This reduces the communication complexity of the scheme dramatically. | ||
| + | |||
| + | The price of this optimisation is that the compressed ciphertexts cannot be further evaluated and hence this compression can be used only on the final output ciphertexts, after all the desired evaluations were completed. | ||
Revision as of 19:59, 24 March 2020
This is a fully homomorphic encryption relying only on modular arithmetic. The authors first create an somewhat homomorphic scheme which is bootstrappable and then apply Gentry's technique to construct a fully homomorphic scheme.
One of the main advantages of this scheme represents its conceptual simplicity. The security of the scheme is reduced to the approximate gcd problem over the integers, that is, given a list of integers that are near-multiples of an unknown integer d , find d .
The bootstrappable encryption scheme
Using a theorem of Gentry, the authors are able to construct a homomorphic encryption scheme that can handle circuits of any depth from a scheme that is capable of evaluating just a little more than its own decryption circuit.
Definition. Let Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E = (Keygen, Encrypt, Decrypt, Evaluate) } be an encryption scheme where Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Decrypt } is implemented by a circuit that depends only on the security parameter. For a given value Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \lambda } of the security parameter, the set of augmented decryption circuits consists of two circuits, both take as input a secret key and two ciphertexts. One circuit decrypts both ciphertexts and adds the resulting plaintext bits modulo Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle 2} , the other decrypts both ciphertexts and multiplies the resulting plaintext bits modulo Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle 2 } . The authors denote this set by Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle D_{\mathcal E}(\lambda) } .
A homomorphic encyption scheme Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E = } is called bootstrappable if for every value of the security parameter, the scheme can handle all the circuits in Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle D_{\lambda} } .
Given such a scheme and a paramater Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle d=d(\lambda) } , there is an efficient transformation that outputs the description of another encryption scheme Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E^{(d)}} which is compact, has the same Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Decryption} circuit as Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E} , and is homomorphic for all circuits of depth up to Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle d} .
If we assume that the initial bootstrappable scheme Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E}
is circular secure then it can be converted into a single compact fully-homomorphic encryption scheme Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E'}
.
The construction of the scheme
The construction has many parameters controlling the number of integers in the public key and the bit-length of various integers. We choose omit most of them in this presentation, but we refer the interested reader to M. van Dijk et al. for their precise description.
Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Keygen(\lambda) } : The secret key is an odd Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \eta } bit integer. For the public key Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle p_k} , integers Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x_0, x_1, \dots, x_{\tau} } are sampled uniformly from a given set of near-multiples of Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle p } . As previously mentioned, finding the secret key Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle p } would require force an attacker to give a resolution for an approximate gcd problem in the integers. The latter is known to be very difficult.
Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Encrypt(p_k, m \in \{0,1 \})} : Choose a random subset Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle S \subseteq \{1,2, \dots, \tau \} } and a random integer Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle r } in a specified range, and output Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c \leftarrow \left(m+2r+2 \sum_{i \in S} x_i \right) \pmod{x_0} } .
Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Evaluate(p_k,C,c_1,\dots, c_t) } : Given the (binary) circuit Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle C} with Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle t } inputs and ciphertexts Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c_1, \dots, c_t } , apply the integer addition and multiplication gates of Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle C} to the ciphertexts, performing all the operations over the integers and output the result, an integer.
Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle Decrypt(s_k,c)} : Output Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle m' \leftarrow } (Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c } mod Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle p } ) mod 2.
Remark. The encryption can be viewed as adding the underlying message Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle m} to a random subset sum of encryptions of zero. Indeed, notice that each Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle w_i =2x_i \pmod x_0 } and also Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle x_0} is essentially an encryption of zero; its noise is even. Moreover, Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle c = m +2r + \sum_{i \in S} w_i -k \cdot x_0} for some integer Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle k } .
The proposers of the scheme prove that Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "https://en.wikipedia.org/api/rest_v1/":): {\displaystyle \mathcal E } can handle circuits if these can be represented by multivariate polynomials with degree smaller than some given, explicit bound.
Ciphertext compression
The authors of the scheme describe various optimisations in order to keep the evaluated ciphertexts at of the same length as the original "fresh" ciphertexts. However, the size of the evaluated ciphertexts is still very large large for applications.
To solve this problem, the authors propose a compression of these ciphertexts down to the size of an RSA modulus. This reduces the communication complexity of the scheme dramatically.
The price of this optimisation is that the compressed ciphertexts cannot be further evaluated and hence this compression can be used only on the final output ciphertexts, after all the desired evaluations were completed.
