A Symmetric FHE Scheme Based on Linear Algebra

Transcription

1 A Symmetric FHE Scheme Based on Linear Algebra Iti Sharma University College of Engineering, Comuter Science Deartment. Abstract FHE is considered to be Holy Grail of cloud comuting. Many alications of cloud comuting inherently need symmetric keys while very few FHE schemes have been roosed with symmetric keys. Even with the schemes based on ublic key crytograhy a major hurdle has been the accumulation of noise in cihertexts leading to limited size of circuits that can be evaluated using the scheme homomorhically. Noise is eliminated through refresh rocedure, which has been made essentially ossible with ublic keys containing rivate keys as a art. Moreover, refreshing of cihertext is time consuming. We roose here a method of refreshing the cihertext while not disclosing the secret key, that is, in a symmetric crytosystem. Also, our scheme doesn t need any evaluation key thus enabling secure delegation of data rocessing using such scheme. Keywords symmetric FHE, fully homomorhic encrytion, cloud comuting I. INTRODUCTION Emerging alications of cloud comuting and mobile devices involve heavy comutations which instead of running on the lightweight device, are delegated to the cloud, working as a service rovider. The goal in this setting is to utilize the resources of a single owerful service rovider for the work that comutationally weak clients need to erform on their data. This concet of comutation-as-a-service accounts for oularity of cloud comuting, but has many challenges yet to overcome. A major issue concerns the rivacy of user data or user function or both. If the clients inut data is sensitive, we need mechanisms that allow the server to rocess the data while maintaining its rivacy. Crytograhic rimitives with homomorhic roerties have been roosed to ensure this, but ractical Fully Homomorhic Encrytion schemes are very few. If the function to be erformed over data is a rivate function (belongs to certain user or cloud), we need mechanisms to revent other arties from learning anything about the function from the results only. Moreover, it needs symmetric Fully Homomorhic Encrytion schemes. This area has gained recent attention and yet an oen roblem. Homomorhic encrytion has largely been studied in context of ublic key crytosystems. But there are alications which inherently would require symmetric keys. A symmetric FHE and its alications like rivate data rocessing have been roosed in [1] using matrix oerations. Alications like rivate data rocessing and secure delegation of comutation require caabilities of FHE crytosystems, but a major concern could arise from the fact that while delegating comutation to an untrusted arty data can be secured but an evaluation key must be shared so that worker can erform comutations homomorhically. Generation and distribution of the evaluation keys is a roblem. It is more severe in case of ublic crytosystems which involve generation and distribution of ublic keys also. Our Contribution: Poular FHE rimitives are either based on Gentry s bluerint [] like [3, 4 and 5] or on learning with errors roblem like [6 and 7]. The basic construction follows a method of refreshing long cihertexts after certain amount of homomorhic comutations so that the cihertext can be decryted roerly. This construction accounts for most of the execution time and is also resonsible for large key length. We roose a method to develo symmetric key encrytion scheme with fully homomorhic evaluation caabilities based on linear algebra. We roose in this aer a construction for refreshing cihertext, which is easy and efficient. It derives its security from hardness of factorizing a large integer, which is basis of many ublic key crytosystems. Also, the scheme doesn t require an evaluation key. II. RELATED WORK Notion of rivacy homomorhisms was introduced by Rivest, Adleman and Dertouzos [8]. But it was only in 009, when Gentry ublished the first fully homomorhic scheme []. Desite the ractical limitation of high comutational comlexity, it ended the long search for the rivacy homomorhisms. Gentry s bluerint starts from a Somewhat Homomorhic Encrytion scheme which suorts limited number of oerations to be erformed on cihertext homomorhically due to accumulation of noise in cihertext at each ste of comutation. Gentry suggested a bootstraability condition by virtue of which decrytion olynomial is of such a lower degree that allows refreshing of cihertext. Refreshing of cihertext is in the form of re-encrytion, where in the decrytion of cihertext is erformed homomorhically (hence secretly) and it is then encryted under a new key, thus eliminating any noise. This makes the scheme to be fully homomorhic since it can now suort arbitrary number of oerations. Gentry and Halevi [3] described the first imlementation of Gentry's ISSN : Vol. 5 No. 05 May

2 scheme, establishing the unsuitability of FHE schemes for ractical use due to large size of keys and cihertexts. Van Dijk, Gentry, Halevi and Vaikuntanathan resented a fully homomorhic scheme over the integers [4]. The scheme is concetually simle in comarison to the original Gentry's scheme; all oerations are erformed over the integers instead of ideal lattices. However the ublic-key was too large for any ractical system. Coron et al [5] suggested methods to reduce this size of the ublic key down to Õ(λ 7 ) from Õ(λ 10 ). Gentry s scheme erforms encrytion and decrytion on laintext of 1-bit length. Hence, it is intuitive to think that certain oerations could be erformed on several bits in arallel to reduce runtime. Smart and Vercauteren [9] found that the scheme can be imlemented on SIMD(single instruction, multile data) architecture. Smart and Vercauteren [9] resented methods for selecting arameters for Gentry and Halevi s imlementation [3] which use SIMD oerations for the somewhat homomorhic scheme. Ways for constructing a fully homomorhic scheme erforming re-encrytions in arallel and making SIMD oerations useful in ractice were also suggested. The arallel version is.4 times faster than the standard FHE scheme and the cihertext size is reduced by a factor of 1/7. Thus, exloiting arallelism in the constituent algorithms can increase efficiency of a scheme. Major bottleneck in ractical deloyment of FHE schemes based on Gentry s blue rint are large size of keys and high er-gate evaluation time. Brakerski and Vaikuntanathan [6] showed that (leveled) FHE can be based on the hardness of the much more standard learning with error (LWE) roblem. Brakerski, Gentry and Vaikuntanathan [7] refined the main technique in [6] to construct an FHE scheme with asymtotically linear efficiency. Guta and Sharma [1] resented an FHE scheme for symmetric encrytion based on hardness of factorization of large integer, with oerations involving matrix comutations. The key size and comutation time were reduced enough for ractical deloyment. III. GENTRY S BLUEPRINT AND DGHV SCHEME Gentry roosed not only the first fully homomorhic encrytion scheme, but also a general method to construct fully homomorhic systems [3]. Gentry s construction roceeds in successive stes: first a somewhat homomorhic scheme is used. Secondly Gentry shows how to squash the decrytion rocedure so that it can be exressed as a low degree olynomial in the bits of the cihertext and the secret key (equivalently a circuit of small deth). Then the breakthrough idea consists in evaluating this decrytion olynomial not on the bits of the cihertext and the secret key (as in regular decrytion), but homomorhically on the encrytion of those bits. Then instead of recovering the bit laintext, one gets an encrytion of this bit laintext, i.e. yet another cihertext for the same laintext. Now if the degree of the decrytion olynomial is small enough, the resulting noise in this new cihertext can be smaller than in the original cihertext; this is called the cihertext refresh rocedure. Given two refreshed cihertexts one can aly again the homomorhic oeration (either addition or multilication), which was not necessarily ossible on the original cihertexts because of the noise threshold. Using this cihertext refresh rocedure the number of ermissible homomorhic oerations becomes unlimited and we get a fully homomorhic encrytion scheme. The rerequisite for the cihertext refresh rocedure is that the degree of the olynomial that can be evaluated on cihertexts exceeds the degree of the decrytion olynomial (times two, since one must allow for a subsequent addition or multilication of refreshed cihertexts); this is called the bootstraability condition. Once the scheme becomes bootstraable it can be converted into a fully homomorhic encrytion scheme by roviding the encrytion of the secret key bits inside the ublic key. To gain a deeer understanding, we describe below the scheme due to van Dijk et al [4]. The first ste is to describe a Somewhat Homomorhic Encrytion scheme. It uses the following four arameters (all olynomial in the security arameter λ): γ is the bit-length of the integers in the ublic key, η is the bit-length of the secret key (which is the hidden aroximate-gcd of all the ublic-key integers), ρ is the bit-length of the noise (i.e., the distance between the ublic key elements and the nearest multiles of the secret key), and τ is the number of integers in the ublic key. Also there is a secondary noise arameter ρ = ρ + ω(log λ). $ KeyGen(λ). The secret key is an odd η-bit integer: ( + 1) [η 1, η). $ For the ublic key, samle xi Dγ, ρ( ) for i = 0,, τ. Relabel so that x 0 is the largest. Restart unless x0 is odd and r (x 0 ) is even. The ublic key is k = (x 0, x 1,, x τ ). Encryt(k, m {0, 1}). Choose a random subset S {1,,, τ} and a random integer r in ( ρ, ρ ), and outut ISSN : Vol. 5 No. 05 May

3 c m+ r+ xi i S x0 Evaluate(k,C, c 1,, c t ). Given the (binary) circuit C with t inuts, and t cihertexts c i, aly the (integer) addition and multilication gates of C to the cihertexts, erforming all the oerations over the integers, and return the resulting integer. Decryt(sk, c). Outut m (c mod ) mod. The next ste is to squash the decrytion circuit of the above scheme, namely transform the scheme into one with the same homomorhic caacity but a decrytion circuit that is simle enough to allow bootstraing. For this we need few more arameters κ, θ, Θ, articularly κ =, γη/ρ θ = λ, and Θ= ω(κ log λ). The modified algorithms are as follows. KeyGen. Generate sk * = and k as before. Set x κ/, choose at random a Θ -bit vector with Hamming weight θ, s s,..., s, and let S = {i : s i = 1}. κ Choose at random integers u i [0, ), i = 1,,Θ, subject to the condition that (mod κ + u ) i = x. i S Set y i = u i / κ and y y,..., y Hence each yi is a ositive number smaller than two, with κ bits of recision after the binary oint. Also, κ yi = (1 ) for some <. i S Outut the secret key sk = s and ublic key k = (k, y ). Encryt and Evaluate. Generate a cihertext c as before (i.e., an integer). Then for i {1,,Θ}, set zi [c y i ], keeing only n = log θ + 3 bits of recision after the binary oint for each z i. Outut both c and z z,..., z. Decryt. Outut m [c sz ] i i. i The scheme is now bootstraable and fully homomorhic. IV. PROPOSED SCHEME We roose a somewhat homomorhic encrytion scheme based on the idea from [4] and then roceed to make it fully homomorhic through a refresh rocedure which requires an extra key called the refresh key. Encrytion and decrytion uses symmetric keys while no key is required for evaluation of homomorhic functions over the cihertexts. The context used is symmetric crytograhy that is using only one secret key for both encrytion and decrytion. Another key called refresh key is used and made ublic for evaluation but does not reveal the secret key. A. Primitives Let λ be the security arameter in context of an equivalent comutational effort of λ cycles. Message sace is (0,1). The scheme consists of following rimitives: Key generation: Generate the secret key, a rime number of length λ bits. Select q as refresh key such that it is an even multile of, that is q = k, where k is an even number. Encrytion: Encrytion is robabilistic, a many-to-one maing Enc : Z, thus converting the message bit into an integer, and a message may have several encrytions. Encrytion involves following stes: 1. Choose m' such that m m' mod. Choose a random number r of length λ bits 3. Outut c = m' + r Decrytion: The decrytion needs to be inversion of the encrytion rocess, a maing Dec : Z. It is a very simle and efficient oeration roducing outut, the message as m = c mod mod. Homomorhic Oerations: Addition of two laintext bits, that is XOR oeration is homomorhic to direct addition of two cihertexts (integers). Multilication of two laintext bits, that is AND oeration is homomorhic to integer multilication of two cihertexts. ISSN : Vol. 5 No. 05 May

4 The above scheme is somewhat homomorhic due to the roblem of accumulation of noise. That is after a few oerations the noise in cihertext may exceed beyond the level making its decrytion incorrect. Hence we need a refresh rocedure to eliminate noise from cihertext without decryting. This is beneficial for delegating a comutation so that worker can reduce noise in cihertext in the absence of decrytion key. For this urose we need a refresh key q. Refresh rocedure: Deriving the basic concet of refreshing a cihertext to make a scheme fully homomorhic from Gentry s bluerint [CG], we design the refresh key so as to contain the secret key in art. But we do not emloy the concet of bootstraing here like in [CG], rather the refresh rocedure is very simle and efficient one-ste rocedure. The refreshed cihertext is oututted as c = c mod q. B. Comarison with existing schemes The factors uon which an FHE scheme can be comared with others are key size, cihertext size (exansion of laintext due to encrytion) and comutation overhead. The overhead is defined as the ratio of the time taken for a comutation homomorhically over cihertext to the time taken to comute on laintext. We resent this comarison of our roosed scheme with the existing oular schemes in Table 1. In context of our scheme, we see the secret key is of length λ bits and refresh key is of length O(λ log λ ) bits, which is very smaller as comared to the key sizes in many of the Gentry s blue-rint based FHE schemes. The cihertext size for a onebit laintext is dominated by the length of roduct of and r. This gives the length of O(λ ) bits. For comutation overhead, we take multilication oeration because it is costlier. Consider two laintexts of size 1 bit. The cost of AND oeration is O(1), while homomorhically it is erformed as multilication of two integers of size λ bits, imlying effort of O( λ 4 ). The XOR oeration erformed as addition of two integers is less 4 costly than multilication oeration, hence the comutation overhead is dominated by the effort of. TABLE I COMPARISON OF PROPOSED SCHEME WITH OTHER FHE SCHEMES Parameters Encrytion Key Size FHE Schemes DGHV BGV Proosed Scheme 10 Equal to laintext Comutation Overhead 3.5 Ω ( λ ) O λ ( ) 4 Plaintext Exansion O(log λ ) 3 Encrytion Key Size 10 Equal to laintext C. Security of the scheme Security is the first and foremost asect in crytograhy. When considering security of certain crytosystem we aim to find out the amount of effort required by an adversary to discover the key from some amount of other information. Security of the secret key can be based on the difficulty of factorization of the declared key q, which contains as factor. Thus, our scheme derives security from hardness of Integer Factorization, similar to many oular crytosystems. The brute-force security of our scheme deends on the length of key, hence which is considered sufficiently secure for λ =80. V. CONCLUSIONS AND FUTURE SCOPE Cloud comuting alications suffer from a major concern about security. This can be ensured through encrytion but it doesn t allow for secure delegation of data rocessing. Here, fully homomorhic encrytion is most useful since it allows rocessing of encryted data. There is dearth of ractically feasible FHE solutions. A few efficient FHE schemes available use ublic crytograhy, while many alications inherently require symmetric keys. Hence, we have roosed a symmetric FHE scheme which works with laintext bits to convert them into integers using linear algebra. We have roosed a novel method of refreshing cihertexts to reduce their length after certain number of oerations. The security of the roosed scheme is based on the difficulty of large integer factorization. The scheme can be more generalized to work on integers rather than bits. It would not only lead to an extended scheme rather an imroved scheme. Also, arallelization of oerations to work on several bits together ISSN : Vol. 5 No. 05 May

5 can also be a ossible extension. Such scheme cannot be directly aroached since the rimitives involve random numbers which are different for each laintext. Direct arallelization of oerations can only be imlemented when erforming homomorhic oerations. In this case, efficiency imrovement will deend on the comutation being erformed and cannot be considered as a factor of efficiency for the FHE scheme. REFERENCES [1] C.Guta and I. Sharma, A fully homomorhic encrytion scheme with symmetric keys with alication to rivate data rocessing in clouds, Proceedings of Networks of the Future (NOF), 013 Fourth International Conference..1-4, 3-5 Oct [] C. Gentry, A Fully Homomorhic Encrytion scheme, Dissertation. Se 009. Available at htts://cryto.stanford.edu/craig/craigthesis. [3] C. Gentry and S. Halevi, Imlementing Gentry's fully homomorhic encrytion scheme, EURO-CRYPT 011, LNCS, Sringer, K. Paterson (Ed.),011. [4] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, Fully homomorhic encrytion over the integers, Proceedings of Eurocryt-10, Lecture Notes in Comuter Science, vol 6110,. Sringer, 4-43, 010. [5] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi. Fully homomorhic encrytion over the integers with shorter ublic-keys, Advances in Crytology - Proc. CRYPTO 011, vol of Lecture Notes in Comuter Science. Sringer, 011. [6] Z. Brakerski and V. Vaikuntanathan, Efficient fully homomorhic encrytion from (standard) LWE, Foundations of Comuter Science, 011. Also available at Crytology eprint Archive, Reort 011/344. [7] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, Fully homomorhic encrytion without bootstraing, Crytology eprint Archive, Reort 011/77. [8] R. Rivest, L. Adleman, and M. Dertouzos, On data banks and rivacy homomorhisms, Foundations of Secure Comutation, , [9] N. P. Smart and F. Vercauteren, Fully homomorhic SIMD oerations, Crytology eprint Archive, Reort 011/133. ISSN : Vol. 5 No. 05 May