A Symmetric FHE Scheme Based on Linear Algebra

Similar documents
Privacy Preserving Moving KNN Queries

IEEE P /D1 Draft Standard for Identity-based Public-key Cryptography Using Pairings

Protecting Mobile Agents against Malicious Host Attacks Using Threat Diagnostic AND/OR Tree

A DEA-bases Approach for Multi-objective Design of Attribute Acceptance Sampling Plans

Leak Detection Modeling and Simulation for Oil Pipeline with Artificial Intelligence Method

AUTOMATIC GENERATION OF HIGH THROUGHPUT ENERGY EFFICIENT STREAMING ARCHITECTURES FOR ARBITRARY FIXED PERMUTATIONS. Ren Chen and Viktor K.

Efficient Processing of Top-k Dominating Queries on Multi-Dimensional Data

Sensitivity Analysis for an Optimal Routing Policy in an Ad Hoc Wireless Network

A Novel Iris Segmentation Method for Hand-Held Capture Device

An Efficient Coding Method for Coding Region-of-Interest Locations in AVS2

Lecture 18. Today, we will discuss developing algorithms for a basic model for parallel computing the Parallel Random Access Machine (PRAM) model.

Randomized algorithms: Two examples and Yao s Minimax Principle

The VEGA Moderately Parallel MIMD, Moderately Parallel SIMD, Architecture for High Performance Array Signal Processing

LMAC:A Lightweight Message Authentication Code for Wireless Sensor Network

A Study of Protocols for Low-Latency Video Transport over the Internet

HOMOMORPHIC ENCRYPTION: A SURVEY

An Efficient Video Program Delivery algorithm in Tree Networks*

Applying the fuzzy preference relation to the software selection

Skip List Based Authenticated Data Structure in DAS Paradigm

An Efficient VLSI Architecture for Adaptive Rank Order Filter for Image Noise Removal

A BICRITERION STEINER TREE PROBLEM ON GRAPH. Mirko VUJO[EVI], Milan STANOJEVI] 1. INTRODUCTION

IMS Network Deployment Cost Optimization Based on Flow-Based Traffic Model

Face Recognition Using Legendre Moments

Efficient Parallel Hierarchical Clustering

Public Key Cryptosystems RSA

SHE AND FHE. Hammad Mushtaq ENEE759L March 10, 2014

Stereo Disparity Estimation in Moment Space

Implementation of Evolvable Fuzzy Hardware for Packet Scheduling Through Online Context Switching

A Scalable Parallel Approach for Peptide Identification from Large-scale Mass Spectrometry Data

An Indexing Framework for Structured P2P Systems

Probabilistic Visual Cryptography Schemes

OMNI: An Efficient Overlay Multicast. Infrastructure for Real-time Applications

J. Parallel Distrib. Comput.

Ensemble Learning Based on Parametric Triangular Norms

Improved heuristics for the single machine scheduling problem with linear early and quadratic tardy penalties

search(i): Returns an element in the data structure associated with key i

SEARCH ENGINE MANAGEMENT

Vehicle Logo Recognition Using Modest AdaBoost and Radial Tchebichef Moments

Lecture 2: Fixed-Radius Near Neighbors and Geometric Basics

Matlab Virtual Reality Simulations for optimizations and rapid prototyping of flexible lines systems

Multipoint Filtering with Local Polynomial Approximation and Range Guidance

Fast Distributed Process Creation with the XMOS XS1 Architecture

CENTRAL AND PARALLEL PROJECTIONS OF REGULAR SURFACES: GEOMETRIC CONSTRUCTIONS USING 3D MODELING SOFTWARE

SpaceTwist: Managing the Trade-Offs Among Location Privacy, Query Performance, and Query Accuracy in Mobile Services

Cryptanalysis of Brenner et al. s Somewhat Homomorphic Encryption Scheme

Introduction to Parallel Algorithms

Patterned Wafer Segmentation

Process and Measurement System Capability Analysis

A Model-Adaptable MOSFET Parameter Extraction System

Improved Image Super-Resolution by Support Vector Regression

Somewhat Homomorphic Encryption

Sensitivity of multi-product two-stage economic lotsizing models and their dependency on change-over and product cost ratio s

I ACCEPT NO RESPONSIBILITY FOR ERRORS ON THIS SHEET. I assume that E = (V ).

Collective communication: theory, practice, and experience

Autonomic Physical Database Design - From Indexing to Multidimensional Clustering

arxiv: v1 [cs.mm] 18 Jan 2016

EE678 Application Presentation Content Based Image Retrieval Using Wavelets

Face Recognition Based on Wavelet Transform and Adaptive Local Binary Pattern

Parametric Optimization in WEDM of WC-Co Composite by Neuro-Genetic Technique

Submission. Verifying Properties Using Sequential ATPG

SPITFIRE: Scalable Parallel Algorithms for Test Set Partitioned Fault Simulation

Directed File Transfer Scheduling

Tools for Computing on Encrypted Data

A Morphological LiDAR Points Cloud Filtering Method based on GPGPU

Randomized Selection on the Hypercube 1

Source-to-Source Code Generation Based on Pattern Matching and Dynamic Programming

Application of Fuzzy X S Charts for Solder Paste Thickness

2-D Fir Filter Design And Its Applications In Removing Impulse Noise In Digital Image

RTL Fast Convolution using the Mersenne Number Transform

Signature File Hierarchies and Signature Graphs: a New Index Method for Object-Oriented Databases

Texture Mapping with Vector Graphics: A Nested Mipmapping Solution

521493S Computer Graphics Exercise 3 (Chapters 6-8)

RST(0) RST(1) RST(2) RST(3) RST(4) RST(5) P4 RSR(0) RSR(1) RSR(2) RSR(3) RSR(4) RSR(5) Processor 1X2 Switch 2X1 Switch

in Distributed Systems Department of Computer Science, Keio University into four forms according to asynchrony and real-time properties.

Lecture 8: Orthogonal Range Searching

Multicast in Wormhole-Switched Torus Networks using Edge-Disjoint Spanning Trees 1

10. Parallel Methods for Data Sorting

Tiling for Performance Tuning on Different Models of GPUs

Using Rational Numbers and Parallel Computing to Efficiently Avoid Round-off Errors on Map Simplification

PRO: a Model for Parallel Resource-Optimal Computation

An Efficient and Highly Accurate Technique for Periodic Planar Scanner Calibration with the Antenna Under Test in Situ

Improving Trust Estimates in Planning Domains with Rare Failure Events

Learning Robust Locality Preserving Projection via p-order Minimization

Space-efficient Region Filling in Raster Graphics

Simultaneous Tracking of Multiple Objects Using Fast Level Set-Like Algorithm

Wavelet Based Statistical Adapted Local Binary Patterns for Recognizing Avatar Faces

A GPU Heterogeneous Cluster Scheduling Model for Preventing Temperature Heat Island

Identity-sensitive Points-to Analysis for the Dynamic Behavior of JavaScript Objects

Collective Communication: Theory, Practice, and Experience. FLAME Working Note #22

An improved algorithm for Hausdorff Voronoi diagram for non-crossing sets

SafetyNets: Verifiable Execution of Deep Neural Networks on an Untrusted Cloud

Detection of Occluded Face Image using Mean Based Weight Matrix and Support Vector Machine

Vector sigma filters for noise detection and removal in color images

A CLASS OF STRUCTURED LDPC CODES WITH LARGE GIRTH

Brigham Young University Oregon State University. Abstract. In this paper we present a new parallel sorting algorithm which maximizes the overlap

Facial Expression Recognition using Image Processing and Neural Network

Reducing Structural Bias in Technology Mapping

Reaction Attack on Outsourced Computing with Fully Homomorphic Encryption Schemes

A Scalable Parallel Sorting Algorithm Using Exact Splitting

A NOVEL PROTOCOL FOR INDIRECT AUTHENTICATION IN MOBILE NETWORKS BASED ON ELLIPTIC CURVE CRYPTOGRAPHY

Transcription:

A Symmetric FHE Scheme Based on Linear Algebra Iti Sharma University College of Engineering, Comuter Science Deartment. itisharma.uce@gmail.com Abstract FHE is considered to be Holy Grail of cloud comuting. Many alications of cloud comuting inherently need symmetric keys while very few FHE schemes have been roosed with symmetric keys. Even with the schemes based on ublic key crytograhy a major hurdle has been the accumulation of noise in cihertexts leading to limited size of circuits that can be evaluated using the scheme homomorhically. Noise is eliminated through refresh rocedure, which has been made essentially ossible with ublic keys containing rivate keys as a art. Moreover, refreshing of cihertext is time consuming. We roose here a method of refreshing the cihertext while not disclosing the secret key, that is, in a symmetric crytosystem. Also, our scheme doesn t need any evaluation key thus enabling secure delegation of data rocessing using such scheme. Keywords symmetric FHE, fully homomorhic encrytion, cloud comuting I. INTRODUCTION Emerging alications of cloud comuting and mobile devices involve heavy comutations which instead of running on the lightweight device, are delegated to the cloud, working as a service rovider. The goal in this setting is to utilize the resources of a single owerful service rovider for the work that comutationally weak clients need to erform on their data. This concet of comutation-as-a-service accounts for oularity of cloud comuting, but has many challenges yet to overcome. A major issue concerns the rivacy of user data or user function or both. If the clients inut data is sensitive, we need mechanisms that allow the server to rocess the data while maintaining its rivacy. Crytograhic rimitives with homomorhic roerties have been roosed to ensure this, but ractical Fully Homomorhic Encrytion schemes are very few. If the function to be erformed over data is a rivate function (belongs to certain user or cloud), we need mechanisms to revent other arties from learning anything about the function from the results only. Moreover, it needs symmetric Fully Homomorhic Encrytion schemes. This area has gained recent attention and yet an oen roblem. Homomorhic encrytion has largely been studied in context of ublic key crytosystems. But there are alications which inherently would require symmetric keys. A symmetric FHE and its alications like rivate data rocessing have been roosed in [1] using matrix oerations. Alications like rivate data rocessing and secure delegation of comutation require caabilities of FHE crytosystems, but a major concern could arise from the fact that while delegating comutation to an untrusted arty data can be secured but an evaluation key must be shared so that worker can erform comutations homomorhically. Generation and distribution of the evaluation keys is a roblem. It is more severe in case of ublic crytosystems which involve generation and distribution of ublic keys also. Our Contribution: Poular FHE rimitives are either based on Gentry s bluerint [] like [3, 4 and 5] or on learning with errors roblem like [6 and 7]. The basic construction follows a method of refreshing long cihertexts after certain amount of homomorhic comutations so that the cihertext can be decryted roerly. This construction accounts for most of the execution time and is also resonsible for large key length. We roose a method to develo symmetric key encrytion scheme with fully homomorhic evaluation caabilities based on linear algebra. We roose in this aer a construction for refreshing cihertext, which is easy and efficient. It derives its security from hardness of factorizing a large integer, which is basis of many ublic key crytosystems. Also, the scheme doesn t require an evaluation key. II. RELATED WORK Notion of rivacy homomorhisms was introduced by Rivest, Adleman and Dertouzos [8]. But it was only in 009, when Gentry ublished the first fully homomorhic scheme []. Desite the ractical limitation of high comutational comlexity, it ended the long search for the rivacy homomorhisms. Gentry s bluerint starts from a Somewhat Homomorhic Encrytion scheme which suorts limited number of oerations to be erformed on cihertext homomorhically due to accumulation of noise in cihertext at each ste of comutation. Gentry suggested a bootstraability condition by virtue of which decrytion olynomial is of such a lower degree that allows refreshing of cihertext. Refreshing of cihertext is in the form of re-encrytion, where in the decrytion of cihertext is erformed homomorhically (hence secretly) and it is then encryted under a new key, thus eliminating any noise. This makes the scheme to be fully homomorhic since it can now suort arbitrary number of oerations. Gentry and Halevi [3] described the first imlementation of Gentry's ISSN : 9-3345 Vol. 5 No. 05 May 014 558

scheme, establishing the unsuitability of FHE schemes for ractical use due to large size of keys and cihertexts. Van Dijk, Gentry, Halevi and Vaikuntanathan resented a fully homomorhic scheme over the integers [4]. The scheme is concetually simle in comarison to the original Gentry's scheme; all oerations are erformed over the integers instead of ideal lattices. However the ublic-key was too large for any ractical system. Coron et al [5] suggested methods to reduce this size of the ublic key down to Õ(λ 7 ) from Õ(λ 10 ). Gentry s scheme erforms encrytion and decrytion on laintext of 1-bit length. Hence, it is intuitive to think that certain oerations could be erformed on several bits in arallel to reduce runtime. Smart and Vercauteren [9] found that the scheme can be imlemented on SIMD(single instruction, multile data) architecture. Smart and Vercauteren [9] resented methods for selecting arameters for Gentry and Halevi s imlementation [3] which use SIMD oerations for the somewhat homomorhic scheme. Ways for constructing a fully homomorhic scheme erforming re-encrytions in arallel and making SIMD oerations useful in ractice were also suggested. The arallel version is.4 times faster than the standard FHE scheme and the cihertext size is reduced by a factor of 1/7. Thus, exloiting arallelism in the constituent algorithms can increase efficiency of a scheme. Major bottleneck in ractical deloyment of FHE schemes based on Gentry s blue rint are large size of keys and high er-gate evaluation time. Brakerski and Vaikuntanathan [6] showed that (leveled) FHE can be based on the hardness of the much more standard learning with error (LWE) roblem. Brakerski, Gentry and Vaikuntanathan [7] refined the main technique in [6] to construct an FHE scheme with asymtotically linear efficiency. Guta and Sharma [1] resented an FHE scheme for symmetric encrytion based on hardness of factorization of large integer, with oerations involving matrix comutations. The key size and comutation time were reduced enough for ractical deloyment. III. GENTRY S BLUEPRINT AND DGHV SCHEME Gentry roosed not only the first fully homomorhic encrytion scheme, but also a general method to construct fully homomorhic systems [3]. Gentry s construction roceeds in successive stes: first a somewhat homomorhic scheme is used. Secondly Gentry shows how to squash the decrytion rocedure so that it can be exressed as a low degree olynomial in the bits of the cihertext and the secret key (equivalently a circuit of small deth). Then the breakthrough idea consists in evaluating this decrytion olynomial not on the bits of the cihertext and the secret key (as in regular decrytion), but homomorhically on the encrytion of those bits. Then instead of recovering the bit laintext, one gets an encrytion of this bit laintext, i.e. yet another cihertext for the same laintext. Now if the degree of the decrytion olynomial is small enough, the resulting noise in this new cihertext can be smaller than in the original cihertext; this is called the cihertext refresh rocedure. Given two refreshed cihertexts one can aly again the homomorhic oeration (either addition or multilication), which was not necessarily ossible on the original cihertexts because of the noise threshold. Using this cihertext refresh rocedure the number of ermissible homomorhic oerations becomes unlimited and we get a fully homomorhic encrytion scheme. The rerequisite for the cihertext refresh rocedure is that the degree of the olynomial that can be evaluated on cihertexts exceeds the degree of the decrytion olynomial (times two, since one must allow for a subsequent addition or multilication of refreshed cihertexts); this is called the bootstraability condition. Once the scheme becomes bootstraable it can be converted into a fully homomorhic encrytion scheme by roviding the encrytion of the secret key bits inside the ublic key. To gain a deeer understanding, we describe below the scheme due to van Dijk et al [4]. The first ste is to describe a Somewhat Homomorhic Encrytion scheme. It uses the following four arameters (all olynomial in the security arameter λ): γ is the bit-length of the integers in the ublic key, η is the bit-length of the secret key (which is the hidden aroximate-gcd of all the ublic-key integers), ρ is the bit-length of the noise (i.e., the distance between the ublic key elements and the nearest multiles of the secret key), and τ is the number of integers in the ublic key. Also there is a secondary noise arameter ρ = ρ + ω(log λ). $ KeyGen(λ). The secret key is an odd η-bit integer: ( + 1) [η 1, η). $ For the ublic key, samle xi Dγ, ρ( ) for i = 0,, τ. Relabel so that x 0 is the largest. Restart unless x0 is odd and r (x 0 ) is even. The ublic key is k = (x 0, x 1,, x τ ). Encryt(k, m {0, 1}). Choose a random subset S {1,,, τ} and a random integer r in ( ρ, ρ ), and outut ISSN : 9-3345 Vol. 5 No. 05 May 014 559

c m+ r+ xi i S x0 Evaluate(k,C, c 1,, c t ). Given the (binary) circuit C with t inuts, and t cihertexts c i, aly the (integer) addition and multilication gates of C to the cihertexts, erforming all the oerations over the integers, and return the resulting integer. Decryt(sk, c). Outut m (c mod ) mod. The next ste is to squash the decrytion circuit of the above scheme, namely transform the scheme into one with the same homomorhic caacity but a decrytion circuit that is simle enough to allow bootstraing. For this we need few more arameters κ, θ, Θ, articularly κ =, γη/ρ θ = λ, and Θ= ω(κ log λ). The modified algorithms are as follows. KeyGen. Generate sk * = and k as before. Set x κ/, choose at random a Θ -bit vector with Hamming weight θ, s s,..., s, and let S = {i : s i = 1}. κ + 1 1 Choose at random integers u i [0, ), i = 1,,Θ, subject to the condition that (mod κ + u ) i = x. i S Set y i = u i / κ and y y,..., y Hence each yi is a ositive number smaller than two, with κ bits of recision after the binary oint. Also, κ yi = (1 ) for some <. i S Outut the secret key sk = s and ublic key k = (k, y ). Encryt and Evaluate. Generate a cihertext c as before (i.e., an integer). Then for i {1,,Θ}, set zi [c y i ], keeing only n = log θ + 3 bits of recision after the binary oint for each z i. Outut both c and z z,..., z. Decryt. Outut m [c sz ] i i. i The scheme is now bootstraable and fully homomorhic. IV. PROPOSED SCHEME We roose a somewhat homomorhic encrytion scheme based on the idea from [4] and then roceed to make it fully homomorhic through a refresh rocedure which requires an extra key called the refresh key. Encrytion and decrytion uses symmetric keys while no key is required for evaluation of homomorhic functions over the cihertexts. The context used is symmetric crytograhy that is using only one secret key for both encrytion and decrytion. Another key called refresh key is used and made ublic for evaluation but does not reveal the secret key. A. Primitives Let λ be the security arameter in context of an equivalent comutational effort of λ cycles. Message sace is (0,1). The scheme consists of following rimitives: Key generation: Generate the secret key, a rime number of length λ bits. Select q as refresh key such that it is an even multile of, that is q = k, where k is an even number. Encrytion: Encrytion is robabilistic, a many-to-one maing Enc : Z, thus converting the message bit into an integer, and a message may have several encrytions. Encrytion involves following stes: 1. Choose m' such that m m' mod. Choose a random number r of length λ bits 3. Outut c = m' + r Decrytion: The decrytion needs to be inversion of the encrytion rocess, a maing Dec : Z. It is a very simle and efficient oeration roducing outut, the message as m = c mod mod. Homomorhic Oerations: Addition of two laintext bits, that is XOR oeration is homomorhic to direct addition of two cihertexts (integers). Multilication of two laintext bits, that is AND oeration is homomorhic to integer multilication of two cihertexts. ISSN : 9-3345 Vol. 5 No. 05 May 014 560

The above scheme is somewhat homomorhic due to the roblem of accumulation of noise. That is after a few oerations the noise in cihertext may exceed beyond the level making its decrytion incorrect. Hence we need a refresh rocedure to eliminate noise from cihertext without decryting. This is beneficial for delegating a comutation so that worker can reduce noise in cihertext in the absence of decrytion key. For this urose we need a refresh key q. Refresh rocedure: Deriving the basic concet of refreshing a cihertext to make a scheme fully homomorhic from Gentry s bluerint [CG], we design the refresh key so as to contain the secret key in art. But we do not emloy the concet of bootstraing here like in [CG], rather the refresh rocedure is very simle and efficient one-ste rocedure. The refreshed cihertext is oututted as c = c mod q. B. Comarison with existing schemes The factors uon which an FHE scheme can be comared with others are key size, cihertext size (exansion of laintext due to encrytion) and comutation overhead. The overhead is defined as the ratio of the time taken for a comutation homomorhically over cihertext to the time taken to comute on laintext. We resent this comarison of our roosed scheme with the existing oular schemes in Table 1. In context of our scheme, we see the secret key is of length λ bits and refresh key is of length O(λ log λ ) bits, which is very smaller as comared to the key sizes in many of the Gentry s blue-rint based FHE schemes. The cihertext size for a onebit laintext is dominated by the length of roduct of and r. This gives the length of O(λ ) bits. For comutation overhead, we take multilication oeration because it is costlier. Consider two laintexts of size 1 bit. The cost of AND oeration is O(1), while homomorhically it is erformed as multilication of two integers of size λ bits, imlying effort of O( λ 4 ). The XOR oeration erformed as addition of two integers is less 4 costly than multilication oeration, hence the comutation overhead is dominated by the effort of. TABLE I COMPARISON OF PROPOSED SCHEME WITH OTHER FHE SCHEMES Parameters Encrytion Key Size FHE Schemes DGHV BGV Proosed Scheme 10 Equal to laintext Comutation Overhead 3.5 Ω ( λ ) O λ ( ) 4 Plaintext Exansion O(log λ ) 3 Encrytion Key Size 10 Equal to laintext C. Security of the scheme Security is the first and foremost asect in crytograhy. When considering security of certain crytosystem we aim to find out the amount of effort required by an adversary to discover the key from some amount of other information. Security of the secret key can be based on the difficulty of factorization of the declared key q, which contains as factor. Thus, our scheme derives security from hardness of Integer Factorization, similar to many oular crytosystems. The brute-force security of our scheme deends on the length of key, hence which is considered sufficiently secure for λ =80. V. CONCLUSIONS AND FUTURE SCOPE Cloud comuting alications suffer from a major concern about security. This can be ensured through encrytion but it doesn t allow for secure delegation of data rocessing. Here, fully homomorhic encrytion is most useful since it allows rocessing of encryted data. There is dearth of ractically feasible FHE solutions. A few efficient FHE schemes available use ublic crytograhy, while many alications inherently require symmetric keys. Hence, we have roosed a symmetric FHE scheme which works with laintext bits to convert them into integers using linear algebra. We have roosed a novel method of refreshing cihertexts to reduce their length after certain number of oerations. The security of the roosed scheme is based on the difficulty of large integer factorization. The scheme can be more generalized to work on integers rather than bits. It would not only lead to an extended scheme rather an imroved scheme. Also, arallelization of oerations to work on several bits together ISSN : 9-3345 Vol. 5 No. 05 May 014 561

can also be a ossible extension. Such scheme cannot be directly aroached since the rimitives involve random numbers which are different for each laintext. Direct arallelization of oerations can only be imlemented when erforming homomorhic oerations. In this case, efficiency imrovement will deend on the comutation being erformed and cannot be considered as a factor of efficiency for the FHE scheme. REFERENCES [1] C.Guta and I. Sharma, A fully homomorhic encrytion scheme with symmetric keys with alication to rivate data rocessing in clouds, Proceedings of Networks of the Future (NOF), 013 Fourth International Conference..1-4, 3-5 Oct. 013. [] C. Gentry, A Fully Homomorhic Encrytion scheme, Dissertation. Se 009. Available at htts://cryto.stanford.edu/craig/craigthesis. [3] C. Gentry and S. Halevi, Imlementing Gentry's fully homomorhic encrytion scheme, EURO-CRYPT 011, LNCS, Sringer, K. Paterson (Ed.),011. [4] M. van Dijk, C. Gentry, S. Halevi, and V. Vaikuntanathan, Fully homomorhic encrytion over the integers, Proceedings of Eurocryt-10, Lecture Notes in Comuter Science, vol 6110,. Sringer, 4-43, 010. [5] J.-S. Coron, A. Mandal, D. Naccache, and M. Tibouchi. Fully homomorhic encrytion over the integers with shorter ublic-keys, Advances in Crytology - Proc. CRYPTO 011, vol. 6841 of Lecture Notes in Comuter Science. Sringer, 011. [6] Z. Brakerski and V. Vaikuntanathan, Efficient fully homomorhic encrytion from (standard) LWE, Foundations of Comuter Science, 011. Also available at Crytology eprint Archive, Reort 011/344. [7] Z. Brakerski, C. Gentry, and V. Vaikuntanathan, Fully homomorhic encrytion without bootstraing, Crytology eprint Archive, Reort 011/77. [8] R. Rivest, L. Adleman, and M. Dertouzos, On data banks and rivacy homomorhisms, Foundations of Secure Comutation, 169-180, 1978. [9] N. P. Smart and F. Vercauteren, Fully homomorhic SIMD oerations, Crytology eprint Archive, Reort 011/133. ISSN : 9-3345 Vol. 5 No. 05 May 014 56

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback