全同态加密算法

Bar-Ilan University Dept. of Computer Science
◦ Say, symmetric bit-by-bit encryption ◦ Semantically secure, E(0)E(1)

◦ f is a binary polynomial in t variables, degreen
◦ degree ~ security parameter
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
4

File is encrypted bit by bit, E(F1) … E(Ft) Word has s bits w1w2…ws For i=1,2,…,t-s+1, server computes the bit s ci = (1 w j Fi j 1 ) mod 2
5

Ciphertext arithmetic mod N Ciphertext-size remains always the same
12
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
Bar-Ilan University Dept. of Computer Science
◦ Choose at random small r, large q The “noise” ◦ Output c = pq + 2r + m
Noise much smaller than p

To decrypt c:
Ciphertext is close to a multiple of p m = LSB of distance to nearest multiple of p
Trick from [Smolansky‟93] to get degree-n polynomials, error-probability 2-n

Return n random subset-sums of the ci‟s (mod 2) to client
◦ Still degree-n, another 2-n error
j 1
Bar-Ilan University Dept. of Computer Science
◦ ci=1 if w=FiFi+1…Fi+s-1 (w found in position i) else ci=0
◦ Each ci is a degree-s polynomial in the Fi‟s
Bar-Ilan University Dept. of Computer Science
c1+c2 = (q1+q2)p + 2(r1+r2) + (m1+m2)
Distance to nearest multiple of p

c1 x c2 = (c1q2+q1c2q1q2p)p + 2(2r1r2+r1m2+m1r2) + m1m2
Based Mostly on [van-Dijk, Gentry, Halevi, Vaikuntanathan, EC 2010]
1
Bar-Ilan University Dept. of Computer Science

Homomorphic encryption: Can evaluate some functions on encrypted data

c1=q1p+2r1+m1, …, ct=qtp+2rt+mt Let f be a multivariate poly with integer coefficients (sequence of +‟s and x‟s) Let c = Eval(f, c1, …, ct) = f(c1, …, ct)
◦ The Ci‟s are ciphertexts

For any such f, and any Ci=Enc(xi) it holds that Dec( Eval(f, C1,…Ct) ) = f(x1,…,xt)
◦ Also |Eval(f,…)| does not depend on the “size” of f (i.e., # of vars or # of monomials, circuit-size) ◦ That‟s called “compactness”
11
Bar-Ilan University Dept. of Computer Science

Ciphertext size grows with degree of f
◦ Also (slowly) with # of terms

Instead, publish one “noiseless integer” N=pq
Winter School on Secure Computation and Efficiency Bar-Ilan University, Israel 30/1/2011-1/2/2011
Bar-Ilan University Dept. of Computer Science
Shai Halevi – IBM Research
5
Secure Computation and Efficiency Bar-Ilan University, Israel 2011

Want an encryption scheme (Gen, Enc, Dec) Another procedure: C*=Eval(f, C1,…Ct)
Represented as arithmetic circuit
n2 2
(and q ~
ห้องสมุดไป่ตู้
n5) 2
◦ Can compute polynomials of degree ~n before the noise grows too large
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
2
Part I
Bar-Ilan University Dept. of Computer Science
Evaluate low-degree polynomials on encrypted data
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
7
Bar-Ilan University Dept. of Computer Science

Basically because:
◦ If you add or multiply two near-multiples of p, you get another near multiple of p…
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
3
Bar-Ilan University Dept. of Computer Science


Storing an encrypted file F on a remote server Later send keyword w to server, get answer, determine whether F contains w
◦ 2(2r1r2+…) still smaller than p c1xc2 mod p = 2(2r1r2+…)+m1m2
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
9
Bar-Ilan University Dept. of Computer Science
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
10
Bar-Ilan University Dept. of Computer Science

Can keep adding and multiplying until the “noise term” grows larger than p/2
Suppose this noise is much smaller than p

◦ f(c1, …, ct) = f(m1+2r1, …, mt+2rt) + qp = f(m1, …, mt) + 2r + qp (c mod p) mod 2 = f(m1, …, mt)
That‟s what we want!
◦ E.g., from Enc(x), Enc(y) compute Enc(x+y)

Fully-homomorphic encryption: Can evaluate any function on encrypted data
◦ E.g., from Enc(x), Enc(y) compute Enc(x3y-y7+xy)
Rothblum‟11: Any homomorphic and compact symmetric encryption (wrt class C including linear functions), can be turned into public key Public key: t random bits m=(m1…mt) and their symmetric encryption ci=Encsk(mi)
6
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
Bar-Ilan University Dept. of Computer Science

Shared secret key: odd number p To encrypt a bit m:
Secure Computation and Efficiency Bar-Ilan University, Israel 2011
8

c1=q1p+2r1+m1, c2=q2p+2r2+m2
◦ 2(r1+r2)+(m1+m2) still much smaller than p c1+c2 mod p = 2(r1+r2) + (m1+m2)
◦ Noise doubles on addition, squares on multiplication
◦ Initial noise of size ~ 2n ◦ Multiplying d ciphertexts noise of size ~2dn

We choose r ~
2 n,
p~
◦ Trivially: server returns the entire encrypted file ◦ We want: answer length independent of |F|
Claim: to do this, sufficient to evaluate low-degree polynomials on encrypted data
◦ Output m = (c mod p) mod 2
= c – p • [[c/p]] mod 2 = c – [[c/p]] mod 2 = LSB(c) XOR LSB([[c/p]])
[[c/p]] is rounding of the rational c/p to nearest integer
◦ For symmetric encryption, include N with the secret key and with every ciphertext ◦ For technical reasons: q is odd, the qi‟s are chosen from [q] rather than from [2n ]