HOMOMORPHIC ENCRYPTION FROM CODES

Andrej Bogdanov, Chinese University of Hong Kong, with Chin Ho Lee, Chinese University of Hong Kong. Post-Quantum Cryptography | 9 Feb 2012.


Presentation Transcript


  1. Andrej Bogdanov, Chinese University of Hong Kong. HOMOMORPHIC ENCRYPTION FROM CODES, with Chin Ho Lee, Chinese University of Hong Kong. Post-Quantum Cryptography | 9 Feb 2012

  2. Fully homomorphic encryption. [Figure: a circuit C takes x1, x2, x3, x4 to C(x); Hom(C) takes Enc(x1), Enc(x2), Enc(x3), Enc(x4) to Enc(C(x)).] [Rivest, Adleman, Dertouzos 1978]

  3. Secure outsourcing of computation. [Figure labels: cloud, program C, x, Enc(), data, Enc(), C(x), user.]

  4. What we do. Known homomorphic schemes are based on “decoding” from lattices. We propose a new construction of homomorphic encryption from codes.

  5. Decoding lattices vs codes. The problem is the same: given a noisy code/lattice element, find out where it came from. Only the noise model is different. [Figure labels: lattice noise, code noise.]

  6. Our original motivation • We wanted to understand if the complexity of known homomorphic schemes is necessary • We found it hard to work with lattice-based examples, as they use (large) integers • In contrast, good codes exist even over bits (more later…)

  7. Encryption. EncP(m) = r P + m 1 + e over GF(q), q = 2^k, where r is the randomness, P the public key and e the noise. Public key P is a scrambled version of the matrix M. [Figure labels: Reed-Solomon encoding matrices, F, 0.]

  8. Decryption. Let’s pretend we are in GF(2). [Figure labels: M, sk, = 0; Enc(0), P, Dec := … = 0; sample bit strings omitted.] Dec(1) analogous, as long as sk has odd weight.

  9. Security intuition. [Figure labels: M, functionality, F, 0, security.] M hidden inside P by permuting columns and scrambling rows at random. M and F similar in distribution and aspect ratio to guard from “linear algebra” attacks.

  10. Parameters and security. [Figure labels: M, P, s = n^(a/4), noise rate n^(-1+a/4), n^(1-a/8), 3s, n^a, field size q≈ 2 n.] Security conjecture: (P, EncP(0)) is pseudorandom with hardness 2^(n^g), for some a, g > 0 and n sufficiently large.

  11. On the parameters. Parameters chosen to foil obvious attacks (look for linear dependencies in encryption; search the nullspace of P) … some less obvious ones (exploit rank-deficiency of M; normalize P (Sidelnikov-Shestakov attack)) … and with homomorphism in mind.

  12. In a world without noise. Encryptions are additive… Enc(m) = r P + m 1; Enc(m’) = r’P + m’1; Enc(m + m’) = (r + r’)P + (m + m’)1; Enc(m) + Enc(m’) ⊆ Enc(m + m’) …and somewhat multiplicative: Enc(m) ⋅ Enc(m’) ⊆ Dec(m⋅m’)

  13. Encryption spaces. [Figure labels: Dec(0), Enc(1), Enc(0), Dec(1), {0, 1}^n.] EncPK(m): possible encryptions of m assuming no noise. DecSK(m): ciphertexts that decrypt to m.

  14. Encryption spaces and homomorphism. Enc(m) + Enc(m’) ⊆ Enc(m + m’). If we had Enc(m) ⋅ Enc(m’) ⊆ Enc(m⋅m’) and [Figure: a circuit of × and + gates takes x1, x2, x3, x4 to C(x); the same circuit takes Enc(x1), Enc(x2), Enc(x3), Enc(x4) to Enc(C(x)).]

  15. Reencryption (bootstrapping). We only have Enc(m)⋅Enc(m’) ⊆ Dec(m⋅m’), so we need to convert Dec(m) into Enc(m). [Figure: Dec applied to sk1, sk2, sk3, sk4 gives Decsk(c) = m; Hom / ReEnc applied to Enc(sk1), Enc(sk2), Enc(sk3), Enc(sk4) gives Enc(Decsk(c)) = Enc(m).]

  16. Reencryption. c ∈ Decsk(m): 0 1 1 1 0 1 1 1; sk = 1 1 1 0 0 0 0 0. Decsk(c) = c1sk1 + … + cnskn, so ReEnc(c) = c1Enc(sk1) + … + cnEnc(skn)

  17. Reencryption. sk = 1 1 1 0 0 0 0 0. [Figure: the encryptions Enc(ski) shown as rows of bits.] ReEnc(c) = c1Enc(sk1) + … + cnEnc(skn)

  18. Enter noise. sk = 1 1 1 0 0 0 0 0. [Figure: the encryptions Enc(ski) shown as rows of bits.] Linear combinations of Enc(ski) are extremely noisy.

  19. Noise reduction techniques. Homomorphic encryption for small depth; Reencrypt under larger and larger keys; From small depth to small size; Reduce key length; Eliminate all restrictions; Reduce error rate.

  20. Reencryption under larger keys. [Figure labels: M, P, s = n^(a/4), noise rate n^(-1+a/4), n^(1-a/8), 3s, n^a, field size q≈ 2 n.] Encryption scheme Kq(n). Idea: Reencrypt Kq(n) under Kq(n^(1+a)).

  21. Reencryption. [Figure: sk and the encryptions Enc(ski) shown as bits.] Noise unlikely to affect relevant parts of Enc(ski). ReEnc(c) = c1Enc(sk1) + … + cnEnc(skn)

  22. Homomorphism for small depth. Applying a chain of keys Kq(n) → Kq(n^(1+a)) → … → Kq(n^((1+a)^d)) we can handle up to d reencryptions, and so we can evaluate circuits of depth d (and sufficiently small size).

  23. Noise reduction techniques. Homomorphic encryption for small depth; Reencrypt under larger and larger keys; From small depth to small size; Reduce key length; Eliminate all restrictions; Reduce error rate.

  24. The error correction circuit E. [Figure: a tree of G gates of depth d with inputs x1, …, x_(2^d) and output y.] G(xy) = 1 + xy. xi = m with prob 1 - h, xi = 1 - m with prob h. Pr[y ≠ m] ≈ h^(1.4^d)

  25. Error correction of encryptions. [Figure labels: sk; 2^d independent encryptions of ski, shown as bits; Hom(E); Enc(1); … Dec(1), Dec(0), Dec(1), Dec(1); E; 1; error rate h, h^(1.4^d).]

  26. Parameters. Kq(n) → … → Kq(n^((1+a)^d)). Length of encryptions: n, n^((1+a)^d). Noise rate: h = n^(-1+a/4), h^(1.4^d). For small a, all errors can be corrected.

  27. Circular security? To prove security, we must use fresh (independent) keys for every circuit layer; key length ≈ ndlog d. Is the scheme secure under circular key encryptions? We don’t know, but we suspect it may not be.

  28. Complexity of encryptions. Initially we wanted to study the complexity of homomorphic encryption… …but we ended up with a new scheme. Our scheme was inspired by the ABW [Applebaum, Barak, Wigderson] cryptosystem.

  29. Complexity of encryptions. In forthcoming work we show: homomorphic evaluation cannot be done in constant depth under some (reasonable) restrictions; in contrast, in the ABW cryptosystem all operations can be done in constant depth.
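
The noise-free GF(2) picture of slides 8, 12 and 16-17 (decryption as an inner product with an odd-weight sk, additivity, and ReEnc as a linear combination of the Enc(ski)), as an added example that is not part of the original presentation. Assumptions: P here is only a random matrix whose rows are orthogonal to sk, not the scrambled Reed-Solomon matrix of the talk; there is no noise term e; all function names are hypothetical, and the toy shows the algebra only and gives no security.

```python
import random

def dot(u, v):                      # inner product over GF(2)
    return sum(a & b for a, b in zip(u, v)) % 2

def xor(u, v):                      # vector addition over GF(2)
    return [a ^ b for a, b in zip(u, v)]

def combine(coeffs, rows):          # sum_i coeffs[i] * rows[i] over GF(2)
    out = [0] * len(rows[0])
    for ci, row in zip(coeffs, rows):
        if ci:
            out = xor(out, row)
    return out

def keygen(n, rows, rng, sk=None):
    # Toy key (assumption): odd-weight sk, random P with every row orthogonal to sk.
    if sk is None:
        sk = [rng.randint(0, 1) for _ in range(n)]
        sk[0] ^= (sum(sk) + 1) % 2  # flip one bit if the weight came out even
    pivot = sk.index(1)
    P = []
    for _ in range(rows):
        row = [rng.randint(0, 1) for _ in range(n)]
        row[pivot] ^= dot(row, sk)  # force <row, sk> = 0
        P.append(row)
    return P, sk

def enc(P, m, rng):                 # noise-free Enc_P(m) = r P + m 1
    r = [rng.randint(0, 1) for _ in P]
    return xor([m] * len(P[0]), combine(r, P))

def dec(sk, c):                     # Dec_sk(c) = c1 sk1 + ... + cn skn
    return dot(c, sk)

def reenc(c, enc_sk):               # ReEnc(c) = c1 Enc(sk1) + ... + cn Enc(skn)
    return combine(c, enc_sk)

def demo(seed=2012):
    rng = random.Random(seed)
    P1, sk1 = keygen(8, 4, rng, sk=[1, 1, 1, 0, 0, 0, 0, 0])  # sk as on slide 16
    P2, sk2 = keygen(12, 6, rng)                              # larger next key
    enc_sk1 = [enc(P2, bit, rng) for bit in sk1]              # Enc(sk_i) under key 2
    out = []
    for m in (0, 1):
        for m2 in (0, 1):
            c, c2 = enc(P1, m, rng), enc(P1, m2, rng)
            out.append((m, m2, dec(sk1, xor(c, c2)), dec(sk2, reenc(c, enc_sk1))))
    return out
```

Each tuple returned by `demo()` is (m, m’, decryption of Enc(m) + Enc(m’), decryption under the second key of ReEnc(Enc(m))). Adding the noise term e to every Enc(ski) is what makes the same linear combination fail, which is the problem slide 18 raises.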
