FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in

Page 1:

New Developments in FULLY HOMOMORPHIC ENCRYPTION

Vinod Vaikuntanathan, University of Toronto

Penn State Summer School on Cryptography

Page 2:

Outsourcing Computation

Weak Client, Powerful Server (“Cloud”)

[Diagram: the client sends x to the server; the server applies the function f and returns f(x).]

Page 3:

Outsourcing Computation

[Diagram: x = search query, f = Google search, f(x) = search results.]

It’s everywhere!

Page 4:

Outsourcing Computation

[Diagram: x = medical records, f = analysis, f(x) = risk factors.]

It’s everywhere!

Page 5:

Outsourcing Computation

[Diagram: Client with input x, Cloud with function f.]

Two Problems:

Privacy: Cloud should not learn anything about x

Verifiability: Cloud cannot cheat (i.e., return an incorrect answer without being detected)

Page 6:

Outsourcing Computation – Privately

[Diagram: the client sends Enc(x); the server holds the function f and knows nothing of x.]

Eval: f, Enc(x) → Enc(f(x)) (homomorphic evaluation)

Page 7:

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]

[Diagram: the client sends Enc(x); the server holds the function f and knows nothing of x.]

Eval: f, Enc(x) → Enc(f(x)) (homomorphic evaluation)

Page 8:

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]

(more generally)

[Diagram: the client sends Enc(x1),…,Enc(xn); the server holds the function f and knows nothing of x.]

Eval: f, Enc(x1),…,Enc(xn) → Enc(f(x1,…,xn)) (homomorphic evaluation)

Page 9:

Fully Homomorphic Encryption [Rivest-Adleman-Dertouzos’78]

[Diagram: the client holds sk, pk, evk and sends evk, c = Enc_sk(x); the server holds the function f, computes y = Eval_evk(f, c), and knows nothing of x.]

Correctness: Dec_sk(y) = f(x)

Privacy (semantic security [GM82]): (evk, Enc(x)) ≈ (evk, Enc(0))

Compactness: |y| = poly(|f(x)|, n)

Most of this talk: secret key homomorphic schemes

Page 10:

FHE 101: Add & Mult Are Universal

Arith. Circuit (+, ×) over GF(2).

If we had:

• Eval(+, Enc(x1), Enc(x2)) → Enc(x1+x2)

• Eval(×, Enc(x1), Enc(x2)) → Enc(x1∙x2)

then we are done.

[Circuit diagram for f(x1,x2,x3) = (x1+x2)∙x3: Enc(x1) and Enc(x2) enter a + gate giving Enc(x1+x2); that output and Enc(x3) enter a × gate giving Enc((x1+x2)∙x3).]

(+, ×) over GF(2) ≡ Boolean (XOR, AND) = Universal set

Page 11:

Early History (1978-2009)

Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]

Goldwasser-Micali’82

Public key: N, y: non-square mod N

Secret key: factorization of N

Enc(0): r^2 mod N, Enc(1): y * r^2 mod N

(Additively) homomorphic over Z_2

Page 12:

Early History (1978-2009)

Additively Homomorphic [GM’82,CF’85,AD’97,Pai’99,Reg’05,DJ’05…]

Multiplicatively Homomorphic [ElG’85,…]

Add + One Mult [BGN’05,GHV’09]

Page 13:

Gentry (2009)

FIRST Fully Homomorphic Encryption!

Page 14:

New Developments in FHE

►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]

– asymptotic efficiency: nearly linear-time* algorithms

– practical efficiency: 3-4 orders of magnitude faster compared to [Gen09, GH10]

*linear-time in the security parameter

Page 15:

New Developments in FHE

►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]

► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12]

– e.g., worst-case hardness of shortest vectors on lattices

Page 16:

New Developments in FHE

►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]

► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12]

Best Known Theorem [BGV11]:

• (Leveled*) fully homomorphic encryption (FHE), assuming the worst-case hardness of shortest vectors on lattices

* leveled = public key grows with the depth of the circuit for f

Page 17:

New Developments in FHE

►“Galactic” → Efficient [BV11a, BV11b, BGV11, GHS11, LTV11, B12]

► Strange assumptions → Mild assumptions [BV11b, GH11, BGV11, B12]

► Complex → Simple constructions/proofs [BV11b, BGV11, LTV12, B12]

Page 18:

This talk is based on:

1. Zvika Brakerski, V.V., Efficient Fully Homomorphic Encryption from Standard Learning with Errors, FOCS 2011.

2. Zvika Brakerski, Craig Gentry, V.V., (Leveled) Fully Homomorphic Encryption without Bootstrapping, ITCS 2012.

3. Craig Gentry, Stanford Ph.D. Thesis, 2009.

Page 19:

How to Construct an FHE Scheme

Page 20:

The Big Picture

IDEA 1

“Somewhat Homomorphic” (SwHE) Encryption

Evaluate Boolean circuits of depth d = ε log n *

[Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]

* (0 < ε < 1 is a constant, and n is the security parameter)

[Diagram: circuit C of depth d = ε log n, inside EVAL]

Page 21:

The Big Picture

IDEA 2

“Bootstrapping” Theorem [Gen09] (Qualitative)

“Homomorphic enough” Encryption ⇒ FHE

Homomorphic enough = Can evaluate its own Dec Circuit (plus some)

[Diagram: the Decryption Circuit Dec takes CT and sk and outputs msg; circuit C; EVAL]

Page 22:

The Big Picture

“Somewhat Homomorphic” (SwHE) Encryption

Evaluate Boolean circuits of depth d = ε log n

[Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]

IDEA 1

“Bootstrapping” Theorem [Gen09] (Qualitative)

IDEA 2

“Homomorphic enough” Encryption ⇒ FHE

SwHE = Homomorphic Enough?

NO, for all known constructions!

Page 23:

The Big Picture

Problem:

[Diagram: Dec (Decryption Circuit), C, EVAL]

Solution a. “Squash” the decryption circuit [Gen09]

– Relies on a new assumption: “sparse subset sum”

Solution b. Make EVAL larger [BV11b, simplified by BGV12]

– Fairly General, Needs no new assumptions

– Exponential improvement: Can eval n^ε depth circuits

Solution c. Use Special Properties of Dec. Circuit [GH11]

[Side label: Less general]

Page 24:

The Big Picture

“Somewhat Homomorphic” (SwHE) Encryption

Evaluate Boolean circuits of depth d = ε log n

[Gen09,DGHV10,SV10,BV11a,BV11b,LTV11]

IDEA 1

“Bootstrapping” Theorem [Gen09] (Qualitative)

IDEA 2

“Homomorphic enough” Encryption ⇒ FHE

“Modulus Reduction” [BV11b, simplified by BGV12]

Evaluate Boolean circuits of depth d = n^ε

IDEA 3

Page 25:

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)

IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)

IDEA 2: “Bootstrapping” (FHE: Evaluate any poly(n)-size Boolean circuit)

d-Leveled FHE: Given any d, set n = d^(1/ε)

Page 26:

Many Instantiations

All based on Integer Lattices (Ajtai’96)

Ideal Lattices

Surprisingly, Arbitrary Lattices [BV’11b]

– Gentry’09 (based on Goldreich-Goldwasser-Halevi’98)

– DGHV’10 (based on Ajtai-Dwork’97, Regev’04)

– BV’11a (based on Lyubashevsky-Peikert-Regev’10)

– LTV’11 (based on NTRU: Hoffstein-Pipher-Silverman’96)

– Lattices (like vector spaces) have no native mult

BUT: you don’t need to know what lattices are for this talk!

Page 27:

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]

Page 28:

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]

LWE_{n,q,B}: For random secret s ∈ Z_q^n,

(a = (a[1], …, a[n]), b = ⟨a, s⟩ + e) ≈ (a, u)

O_s: (a_1, b_1 = ⟨a_1, s⟩ + e_1), (a_2, b_2 = ⟨a_2, s⟩ + e_2), …, (a_m, b_m = ⟨a_m, s⟩ + e_m)

O_rand: (a_1, u_1), (a_2, u_2), …, (a_m, u_m)

[Labels: a_i is uniformly random in Z_q^n; b_i is a “noisy” random linear equation; u_i is random in Z_q; “small” error |e_1| < B]

Page 29:

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]

LWE_{n,q,B}: For random secret s ∈ Z_q^n, and any m = poly(n),

(a = (a[1], …, a[n]), b = ⟨a, s⟩ + e) ≈ (a, u)

O_s: (a_i, b_i = ⟨a_i, s⟩ + e_i) for i = 1, …, m ≈ O_rand: (a_i, u_i) for i = 1, …, m

Worst-Case Connection ([R05, P09]):

Qualitative: Solve LWE (on average) ⇒ Short-vector approximation on lattices (in the worst-case)

Quantitative: Solve LWE_{n,q,B} ⇒ O(nq/B)-approx shortest vector on lattices

Page 30:

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]

LWE_{n,q,B}: For random secret s ∈ Z_q^n, and any m = poly(n),

(a = (a[1], …, a[n]), b = ⟨a, s⟩ + e) ≈ (a, u)

O_s: (a_i, b_i = ⟨a_i, s⟩ + e_i) for i = 1, …, m ≈ O_rand: (a_i, u_i) for i = 1, …, m

Worst-Case Connection ([R05, P09]):

Solve LWE_{n,q,B} ⇒ O(nq/B)-approx shortest vector

1. SCALE INVARIANCE: hardness depends only on ratio between q and B

2. OUR PARAMETERS: We will set q = n^(O(log n)) and B = poly(n). Best known algorithm for LWE with these parameters runs in 2^(Õ(n)) time.

Page 31:

Learning With Errors (LWE) [Regev05, following BFKL93, Ale03]

LWE_{n,q,B}: For random secret s ∈ Z_q^n, and any m = poly(n),

(a = (a[1], …, a[n]), b = ⟨a, s⟩ + e) ≈ (a, u)

O_s: (a_i, b_i = ⟨a_i, s⟩ + e_i) for i = 1, …, m ≈ O_rand: (a_i, u_i) for i = 1, …, m

Facts:

LWE (with short secret s) = LWE [ACPS09,GKPV10]

LWE with short even error (2e) = LWE with short error e

Page 32:

Secret-key Encryption from LWE

•Decryption: Dec_s(a,b) = (b − ⟨a, s⟩) (mod 2).

– Correctness: b − ⟨a, s⟩ = b − ∑ a[i]∙s[i] = m + 2e (over Z_q).

decryption succeeds if e < q/4.

(omitting public-key encryption)

•KeyGen:

– Sample random “short” vector t ∈ Z_q^n and set sk = t

Page 33:

Secret-key Encryption from LWE

•Decryption: Dec_s(a,b) = (b − ⟨a, s⟩) (mod 2).

– Correctness: b − ⟨a, s⟩ = b − ∑ a[i]∙s[i] = m + 2e (over Z_q).

decryption succeeds if e < q/4.

(omitting public-key encryption)

•KeyGen:

– Sample random “short” vector t ∈ Z_q^n and set sk = t

•Bit Encryption Enc_sk(m):

– Sample uniformly random a ∈ Z_q^n, “short” noise e ∈ Z_q

– The ciphertext CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q

Semantic Security from LWE

Page 34:

Secret-key Encryption from LWE

•Decryption: Dec_s(a,b) = (b − ⟨a, s⟩) (mod 2).

– Correctness: b − ⟨a, s⟩ = b − ∑ a[i]∙s[i] = m + 2e (over Z_q).

decryption succeeds if e < q/4.

(omitting public-key encryption)

•KeyGen:

– Sample random “short” vector t ∈ Z_q^n and set sk = t

•Bit Encryption Enc_sk(m):

– Sample uniformly random a ∈ Z_q^n, “short” noise e ∈ Z_q

– The ciphertext CT = (a, b = ⟨a, t⟩ + 2e + m) ∈ Z_q^n × Z_q

•Decryption Dec_sk(CT): Output (b − ⟨a, t⟩ mod q) mod 2.

– Correctness: b − ⟨a, t⟩ mod q = 2e + m mod q = 2e + m

(as long as |2e+m| < q/2)

Page 35:

Additive Homomorphism

Look at Ciphertexts through the Decryption Lens

CT = (a, b): b − ⟨a, t⟩ = 2e + m

CT’ = (a’, b’): b’ − ⟨a’, t⟩ = 2e’ + m’

Page 36:

Additive Homomorphism

CT = (a, b): b − ⟨a, t⟩ = 2e + m

CT’ = (a’, b’): b’ − ⟨a’, t⟩ = 2e’ + m’

Let c = (a, b) and s = (−t, 1): ⟨c, s⟩ = 2e + m

Let c’ = (a’, b’) and s = (−t, 1): ⟨c’, s⟩ = 2e’ + m’

Page 37:

Additive Homomorphism

CT = c: ⟨c, s⟩ = 2e + m

CT’ = c’: ⟨c’, s⟩ = 2e’ + m’

Claim: c_add = c + c’

Proof:

⟨c, s⟩ = 2e + m

⟨c’, s⟩ = 2e’ + m’

Adding: ⟨c+c’, s⟩ = 2(e+e’) + (m+m’), where c+c’ = c_add and E = e+e’

Dec_s(c_add) = 2E + (m+m’) (mod 2) = (m+m’) (mod 2)

Page 38:

Multiplicative Homomorphism

CT = c: ⟨c, s⟩ = 2e + m

CT’ = c’: ⟨c’, s⟩ = 2e’ + m’

Claim: c_mult = ?

⟨c, s⟩ = 2e + m

⟨c’, s⟩ = 2e’ + m’

Multiplying: ⟨c, s⟩ ∙ ⟨c’, s⟩ = (2e+m) ∙ (2e’+m’)

Page 39:

Multiplicative Homomorphism

CT = c: ⟨c, s⟩ = 2e + m

CT’ = c’: ⟨c’, s⟩ = 2e’ + m’

Claim: c_mult = ?

⟨c, s⟩ = 2e + m

⟨c’, s⟩ = 2e’ + m’

Multiplying: ⟨c, s⟩ ∙ ⟨c’, s⟩ = mm’ + 2(em’+e’m+2ee’), where E = em’+e’m+2ee’

Quadratic equation in the variables s[i]

Page 40:

Multiplicative Homomorphism

CT = c: ⟨c, s⟩ = 2e + m

CT’ = c’: ⟨c’, s⟩ = 2e’ + m’

Claim: c_mult = ?

⟨c, s⟩ = 2e + m

⟨c’, s⟩ = 2e’ + m’

Multiplying: ⟨c ⊗ c’, s ⊗ s⟩ = mm’ + 2(em’+e’m+2ee’), where E = em’+e’m+2ee’

Tensor Product:

• c ⊗ c’ = (c[1]∙c’[1], …, c[i]∙c’[j], …, c[n+1]∙c’[n+1])

• c, c’ live in (n+1) dim → c ⊗ c’ lives in (n+1)^2-dim

• KEY FACT: ⟨c, s⟩ ∙ ⟨c’, s⟩ = ⟨c ⊗ c’, s ⊗ s⟩

Page 41:

Multiplicative Homomorphism

CT = c: ⟨c, s⟩ = 2e + m

CT’ = c’: ⟨c’, s⟩ = 2e’ + m’

Claim: c_mult = c ⊗ c’

⟨c, s⟩ = 2e + m

⟨c’, s⟩ = 2e’ + m’

Multiplying: ⟨c ⊗ c’, s ⊗ s⟩ = mm’ + 2(em’+e’m+2ee’), where E = em’+e’m+2ee’

Dec(s ⊗ s, c_mult) = 2E + mm’ (mod 2) = mm’ (mod 2)

Problem: Ciphertext size blows up! (Z_q^(n+1) → Z_q^((n+1)^2))

Page 42:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s (or, of a new secret s’) that represent these quadratic functions.

Page 43:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk: ∀ i,j. Enc_t’(s[i]s[j])

Page 44:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk: sample A_{i,j}, E_{i,j}

∀ i,j. (A_{i,j}, B_{i,j} = ⟨A_{i,j}, t’⟩ + 2E_{i,j} + s[i]s[j])

LWE Security still holds.

Page 45:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk: sample A_{i,j}, E_{i,j}

∀ i,j. B_{i,j} − ⟨A_{i,j}, t’⟩ = 2E_{i,j} + s[i]s[j]

Page 46:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk:

∀ i,j. ⟨C_{i,j}, s’⟩ ≈ s[i]s[j]

(denoting s’ = (−t’, 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before)

Page 47:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk:

∀ i,j. ⟨C_{i,j}, s’⟩ ≈ s[i]s[j]

(left side: linear fn in s’; right side: quadratic fn in s)

Plug back into quadratic equation:

Σ_{i,j} c_mult[i,j] ∙ ⟨C_{i,j}, s’⟩ ≈ mm’ + 2*Error

Linear in s’.

Cheating Alert

Page 48:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

Plug back into quadratic equation:

Σ_{i,j} c_mult[i,j] ∙ ⟨C_{i,j}, s’⟩ ≈ mm’ + 2*Error

Linear in s’.

Homomorphic Mult:

1. First compute c_mult = c ⊗ c’

2. Compute and output Σ_{i,j} c_mult[i,j] ∙ C_{i,j}

(where C_{i,j} are from the evaluation key)

Page 49:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

c_mult ∙ ⟨C_{i,j}, s’⟩ ≈ c_mult ∙ s[i]s[j]

∀ i,j. ⟨C_{i,j}, s’⟩ ≈ s[i]s[j]

(left side: linear fn in s’; right side: quadratic fn in s)

Cheating Alert

PROBLEM: c_mult has large entries

BUT

SOLUTION: Binary Decomposition Trick

Page 50:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk: ∀ i,j, k in [0 … log q]: Enc_t’(2^k s[i]s[j])

Page 51:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk: sample A_{i,j,k}, E_{i,j,k}

∀ i,j. (A_{i,j,k}, B_{i,j,k} = ⟨A_{i,j,k}, t’⟩ + 2E_{i,j,k} + 2^k s[i]s[j])

Page 52:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk:

∀ i,j. ⟨C_{i,j,k}, s’⟩ ≈ 2^k s[i]s[j]

(denoting s’ = (−t’, 1) and C_{i,j} = (A_{i,j}, B_{i,j}) as before)

Page 53:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk:

∀ i,j. ⟨C_{i,j,k}, s’⟩ ≈ 2^k s[i]s[j]

(left side: linear fn in s’; right side: quadratic fn in s)

Plug back into quadratic equation:

Let c_mult[i,j,k] be the kth bit of c_mult[i,j]

Σ_{i,j,k} c_mult[i,j,k] ∙ ⟨C_{i,j,k}, s’⟩ ≈ mm’ + 2*Error

Linear in s’.

Un-Cheating Alert

Page 54:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

New Technique [BV’11b]: Relinearization

Find linear functions of s’ that represent these quadratic functions.

New KeyGen:

• Sample t, t’ ∈ Z_q^n and set sk = (t, t’).

• Evaluation key evk:

∀ i,j. ⟨C_{i,j,k}, s’⟩ ≈ 2^k s[i]s[j]

(left side: linear fn in s’; right side: quadratic fn in s)

Plug back into quadratic equation:

Let c_mult[i,j,k] be the kth bit of c_mult[i,j]

Σ_{i,j,k} c_mult[i,j,k] ∙ ⟨C_{i,j,k}, s’⟩ = mm’ + 2*Error + 2*Error_relin

Error_relin = O(n^2 ∙ log q ∙ B)

Un-Cheating Alert

Page 55:

Multiplicative Homomorphism

⟨c_mult, s ⊗ s⟩ = 2E + mm’

Plug back into quadratic equation:

Σ_{i,j,k} c_mult[i,j,k] ∙ ⟨C_{i,j,k}, s’⟩ ≈ mm’ + 2*Error

Linear in s’.

Homomorphic Mult:

1. First compute c_mult = c ⊗ c’

2. Compute and output Σ_{i,j,k} c_mult[i,j,k] ∙ C_{i,j,k}

(where C_{i,j,k} are from the evaluation key)
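
The secret-key LWE scheme, the additive and tensor-product homomorphisms, and relinearization with the binary decomposition trick can be run end to end at toy size. The Python sketch below is an added example, not code from the talk; the parameters (n = 4, q = 2^20 + 7, B = 2) and all function names are assumptions chosen for illustration and give no security.

```python
import secrets

# Toy parameters picked for this example only; far too small to be secure.
N, Q, B = 4, (1 << 20) + 7, 2     # dimension n, modulus q, noise bound B
K = Q.bit_length()                # bits k = 0..K-1 cover every value in [0, q)
rng = secrets.SystemRandom()

def center(x):
    """Representative of x mod q in (-q/2, q/2]."""
    x %= Q
    return x - Q if x > Q // 2 else x

def dot(u, v):
    return sum(a * b for a, b in zip(u, v)) % Q

def keygen():
    """Sample a short t and return the decryption vector s = (-t, 1)."""
    return [-rng.randint(-1, 1) for _ in range(N)] + [1]

def enc(s, value):
    """c = (a, b = <a,t> + 2e + value), hence <c, s> = 2e + value (mod q)."""
    a = [rng.randrange(Q) for _ in range(N)]
    t = [-x for x in s[:N]]
    e = rng.randint(-B, B)
    return a + [(dot(a, t) + 2 * e + value) % Q]

def noise(s, c):
    """The small integer 2E + m that the decryption lens <c, s> reveals."""
    return center(dot(c, s))

def dec(s, c):
    return noise(s, c) % 2

def add(c1, c2):
    """Additive homomorphism: c_add = c + c'."""
    return [(x + y) % Q for x, y in zip(c1, c2)]

def tensor(u, v):
    """Tensor product: all products u[i]*v[j], dimension (n+1)^2."""
    return [(x * y) % Q for x in u for y in v]

def relin_keygen(s_old, s_new):
    """evk[ij][k] = Enc_t'(2^k * s[i]s[j]) for every pair (i,j) and bit k."""
    return [[enc(s_new, (p << k) % Q) for k in range(K)]
            for p in tensor(s_old, s_old)]

def mult(evk, c1, c2):
    """Tensor, then relinearize: add up the evk entries selected by the bits of c_mult."""
    out = [0] * (N + 1)
    for ij, coeff in enumerate(tensor(c1, c2)):
        for k in range(K):
            if (coeff >> k) & 1:
                out = add(out, evk[ij][k])
    return out

if __name__ == "__main__":
    s, s_new = keygen(), keygen()
    evk = relin_keygen(s, s_new)
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = enc(s, m1), enc(s, m2)
            big = tensor(c1, c2)           # decrypts under s (x) s, dimension (n+1)^2
            small = mult(evk, c1, c2)      # decrypts under s', dimension n+1
            print(m1, m2,
                  "add:", dec(s, add(c1, c2)),
                  "tensor:", dec(tensor(s, s), big), f"(dim {len(big)})",
                  "relin:", dec(s_new, small),
                  f"(dim {len(small)}, noise {noise(s_new, small)})")
```

The printed noise after relinearization is dominated by the 2*Error_relin term, which is why it is much larger than the fresh-ciphertext noise yet still far below q/2 at these sizes.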

Page 56:

The Reservoir Analogy

(How homomorphic is this?)

[Diagram: reservoir with levels noise=0, initial noise = ξ, noise=q/2]

Additive Homomorphism: ξ → 2ξ

Mult. Homomorphism: ξ → ξ^2 + n^2 B log q ~ ξ^2

AFTER d LEVELS:

noise B → (worst case)

Correctness

Breaking = Solving 2^(n^ε)-approx. shortest vectors [Reg05,LPR10]

Page 57:

The Reservoir Analogy

(How homomorphic is this?)

[Diagram: reservoir with levels noise=0, initial noise = ξ, noise=q/2]

Additive Homomorphism: ξ → 2ξ

Mult. Homomorphism: ξ → ξ^2 + n^2 B log q ~ ξ^2

AFTER d LEVELS:

noise B → (worst case)

Page 58:

Wrap Up: Somewhat Homomorphism

IDEA 1

“Somewhat Homomorphic” (SwHE) Encryption [BV11b]

Evaluate Boolean circuits of mult. depth D = ε log n

SK = (sk1,…,skD)

EVK = (evk1,…,evkD), where D is the max mult depth

[Diagram: circuit C of mult depth D. Input Enc(sk1, x) (encrypt using sk1); output Enc(skD, C(x)) (decrypt using skD).]

Each Mult Level: Tensor and Relinearize

Page 59:

Wrap Up: Somewhat Homomorphism

IDEA 1

“Somewhat Homomorphic” (SwHE) Encryption [BV11b]

Evaluate Boolean circuits of mult. depth D = ε log n

– a number of other SwHE schemes: [DGHV10,SV10,BV11a,LTV12]

– [DGHV10]: based on hardness of approximate gcd

– [SV10]: principal ideal problem

– [BV11a]: Ring LWE

– [LTV12]: NTRU

Page 60:

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)

IDEA 3: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)

IDEA 2: “Bootstrapping” (“homomorphic enough” to fully homomorphic)

d-Leveled FHE: Given any d, set n = d^(1/ε)

Page 61:

Bootstrapping

Bootstrapping Theorem [Gen09] (Quantitative)

d-HE with decryption depth < d ⇒ FHE

(d-HE = Homomorphic Encryption for any depth d circuit)

Page 62:

Bootstrapping

“Homomorphic enough” Encryption ⇒ FHE

Bootstrapping Theorem [Gen09] (Quantitative)

d-HE with decryption depth < d ⇒ FHE

Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)

[Diagram: reservoir with levels noise=0, noise=B_dec, noise=q/2]

Say n(B_dec)^2 < q/2

Page 63:

Bootstrapping

“Homomorphic enough” Encryption ⇒ FHE

Bootstrapping Theorem [Gen09] (Quantitative)

d-HE with decryption depth < d ⇒ FHE

Bootstrapping = “Valve” at a fixed height (that depends on decryption depth)

[Diagram: reservoir with levels noise=0, noise=B_dec, noise=q/2]

Say (B_dec)^2 < q/2

Page 64:

Bootstrapping: How

“Best Possible” Noise Reduction = Decryption!

[Diagram: the Decryption Circuit Dec takes CT and SK and outputs m. Labels: “Very Noisy” ciphertext, “Noiseless ciphertext”.]

But the evaluator does not have SK!

Page 65:

Bootstrapping, Concretely

Next Best = Homomorphic Decryption!

[Diagram: Dec evaluated on CT and Enc_SK(SK), producing Enc_SK(m). Labels: Noise = B_input, Noise = B_dec.]

Assume Enc(SK) is public.

(OK assuming the scheme is “circular secure”)

B_dec Independent of B_input

Page 66:

Wrap Up: Bootstrapping

Assume Circular Security:

Eval key contains Enc_SK(SK)

[Diagram: Function f, with a gate g]

Page 67:

Wrap Up: Bootstrapping

Assume Circular Security:

Eval key contains Enc_SK(SK)

Each Gate g → Gadget G:

[Diagram: in Function f, gate g takes a, b and outputs g(a,b). In gadget G, two Dec boxes take (c_a, sk) and (c_b, sk) and output a and b, which feed g to give g(a,b).]

Page 68:

Wrap Up: Bootstrapping

Assume Circular Security:

Eval key contains Enc_SK(SK)

Each Gate g → Gadget G:

[Diagram: in Function f, gate g takes a, b and outputs g(a,b). In gadget G, two Dec boxes take c_a and c_b, each together with Enc(SK), and feed g; the output is Enc(g(a,b)).]

Page 69:

Wrap Up: Bootstrapping

Bootstrapping Theorem [Gen09] (Quantitative)

d-HE with decryption depth < d ⇒ (leveled) FHE

circular-secure d-HE with dec. depth < d ⇒ FHE

– publish Enc_PK(SK)

– publish Enc_PK2(SK1), Enc_PK3(SK2), …, Enc_PKd(SKd-1)

Page 70:

SwHE = Homomorphic Enough?

Decryption Circuit:

• Compute lsb(<SK,C> mod q) = inner products mod q mod 2.

Homomorphisms:

• Our scheme is homomorphic over GF(2).

Write inner product mod q as a GF(2)-arithmetic circuit?

• Can be done in depth polylog(n)

• Seems to need (multiplicative) depth ≥ log n

• Can handle multiplicative depth = ε log n < log n

Page 71:

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth d = ε log n)

IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth d = n^ε)

IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE)

Page 72:

Modulus Reduction

“Homomorphic enough” Encryption ⇒ FHE

Modulus Reduction Theorem [BV11b,BGV12]

SwHE that evaluates Boolean circuits of depth d = n^ε (under the same assumption as before)

Corollary: For every depth d, set the security parameter n = d^(1/ε) to get a d-leveled FHE.

Corollary: modulus reduction + bootstrapping = FHE (assuming circular security)

Page 73:

Modulus Reduction

“Homomorphic enough” Encryption ⇒ FHE

Modulus Reduction Theorem [BV11b,BGV12]

SwHE that evaluates Boolean circuits of depth d = n^ε

Wishful thinking

q = B^10, noise = B^8

q’ = B^3, noise’ = B

Shrink Noise and Noise Ceiling by same factor

CT → CT’ (labels: NO MULT, ONE MULT)

noise’ = B + p(n)

Page 74:

Modulus Reduction

Wishful thinking

q = B^10, noise = B^8

q’ = B^3, noise’ = B + p(n)

Can we do this?

– Cannot arbitrarily reduce noise (because of the p(n) factor)

– Hardness depends only on q/B.

Page 75:

Modulus Reduction

[Diagram: reservoir with levels noise=0, initial noise = ξ, ξ^2, and ceilings q and q/ξ; final noise = ξ]

LEVEL_i → LEVEL_{i+1}:

Homomorphism: (q, ξ) → (q, ≈ ξ^2)

Modulus Reduction: (q, ξ^2) → (q/ξ, ξ)

AFTER d LEVELS:

(q, B) → (q/(nB log q)^(O(d)), B)

d ≤ log q/log (nB) ≤ n^ε/log n

Page 76:

Modulus Reduction: Details

“Homomorphic enough” Encryption ⇒ FHE

Modulus Reduction Algorithm [BV11b,BGV12]

Transform a (q, B^2) ciphertext into a (q’ ≈ q/nB, B) one

Let c be a ciphertext s.t. ⟨c, s⟩ = 2e + m (mod q)

Assume that the secret key s has entries bounded by B. (ok by fact 2)

Modulus Reduction Algorithm:

• Compute (q’/q) c

• Round to the closest integer vector c’ such that c’ = c mod 2

Page 77: FULLY HOMOMORPHIC ENCRYPTION University of Toronto Vinod Vaikuntanathan Penn State Summer School on Cryptography New Developments in.

Modulus Reduction: Details

Let $c$ be a ciphertext s.t. $\langle c, s \rangle = 2e + m \pmod{q}$

Modulus Reduction Algorithm:

• Compute $(q'/q) \cdot c$

• Round to the closest integer vector $c'$ such that $c' = c \bmod 2$

Proof:

$\langle c, s \rangle = 2e + m + qZ$ (original dec eqn)

$\langle (q'/q) \cdot c, s \rangle = (q'/q) \cdot (2e + m) + q'Z$ (scaled)

$\langle c', s \rangle = (q'/q) \cdot (2e + m) + E_{\mathrm{round}} \pmod{q'}$

• New Error $= (q'/q) \cdot$ (Old Error) $+$ ($E_{\mathrm{round}} \le Bn$), as promised!

• $c'$ decrypts to $m$, since $c' = c \bmod 2$, and $\langle c', s \rangle = \langle c, s \rangle \bmod 2$
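The scale-and-round step and its noise bound, as an added Python example that is not code from the slides. It assumes the convention s[0] = 1, odd moduli q and q' (so that parity carries over modulo q'), and constructed toy parameters; all function names are hypothetical.

```python
import random

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def centered(x, q):
    """Representative of x mod q in [-(q-1)/2, (q-1)/2] (q odd)."""
    x %= q
    return x - q if x > q // 2 else x

def encrypt(m, s, q, noise, rng):
    """Constructed toy ciphertext c with <c, s> = 2e + m (mod q), |e| <= noise.
    Convention (an assumption of this example): s[0] == 1."""
    a = [rng.randrange(q) for _ in s[1:]]
    e = rng.randint(-noise, noise)
    return [(2 * e + m - dot(a, s[1:])) % q] + a

def noise_of(c, s, q):
    """|2e + m|: size of <c, s> reduced into the centered range."""
    return abs(centered(dot(c, s), q))

def decrypt(c, s, q):
    return centered(dot(c, s), q) % 2

def mod_reduce(c, q, q_new):
    """Scale c by q_new/q, then round each entry to the closest integer
    with the same parity as the original entry (c' = c mod 2)."""
    out = []
    for ci in c:
        t = (ci * q_new) // q      # floor of the exact rational (q'/q) * ci
        t += (t - ci) % 2          # floor or floor+1, whichever matches ci mod 2
        out.append(t)
    return out

if __name__ == "__main__":
    rng = random.Random(2012)                          # fixed seed: constructed sample
    q, q_new = 2**40 + 15, 2**20 + 7                   # both odd (assumption)
    s = [1] + [rng.randint(-2, 2) for _ in range(8)]   # entries bounded by B = 2
    c = encrypt(1, s, q, 2**30, rng)
    c2 = mod_reduce(c, q, q_new)
    print("noise before:", noise_of(c, s, q), "after:", noise_of(c2, s, q_new))
    print("decrypts to:", decrypt(c, s, q), "->", decrypt(c2, s, q_new))
```

Each coordinate moves by at most 1 during rounding, so the rounding error is at most the sum of the absolute values of the key entries, which is the $E_{\mathrm{round}} \le Bn$ term in the proof.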

Page 78

Putting Together: Leveled FHE

EVK = $(evk_1, \ldots, evk_D)$, where $D$ is the max mult depth

SK = $(sk_1, \ldots, sk_D)$

[Figure: circuit $C$, labelled “Mult depth D”]

$\mathrm{Enc}(sk_1, x)$: Encrypt using $sk_1$

Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus

$\mathrm{Enc}(sk_D, C(x))$: Decrypt using $sk_D$

This works for depth $D \le n^{\epsilon}$

Page 79

Putting Together: Leveled FHE

EVK = $(evk_1, \ldots, evk_D)$, where $D$ is the max mult depth

SK = $(sk_1, \ldots, sk_D)$

[Figure: circuit $C$, labelled “Mult depth D”]

$\mathrm{Enc}(sk_1, x)$: Encrypt using $sk_1$

Each Mult Level: 1) Tensor, 2) Relinearize using $evk_i$, 3) Reduce modulus

$\mathrm{Enc}(sk_D, C(x))$: Decrypt using $sk_D$

Bootstrapping + Circular Security => FHE.

Page 80

Putting Everything Together

IDEA 1: “Somewhat Homomorphic” Encryption (Evaluate Boolean circuits of depth $d = \epsilon \log n$)

IDEA 2: “Modulus Reduction” (Evaluate Boolean circuits of depth $d = n^{\epsilon}$) (this is “homomorphic enough”)

IDEA 3: “Bootstrapping” (“Homomorphic Enough” SwHE → FHE) (assuming “circular security”)

Page 81

A Simpler Alternative: doing away with changing moduli

[Brakerski’12]

Page 82

Fully Homomorphic Encryption

Open Problems

Page 83

Circular Security

Leveled FHE from “standard” assumptions

– e.g., the Learning with errors assumption

– Evaluate bounded depth circuits

– The size of CT and/or PK grows with the depth

“Real” FHE: requires “bootstrapping”

Bootstrapping: Publish $\mathrm{Enc}_{SK}(SK)$.

(OK assuming the scheme is “circular secure”)

Page 84

Circular Security

Bootstrapping: Publish the encryptions of bits of SK, namely $\mathrm{Enc}_{SK}(SK[1]), \ldots, \mathrm{Enc}_{SK}(SK[n])$

(OK assuming the scheme is “circular secure”)

“Real” FHE: requires “bootstrapping”

Two definitions:

− Strong circular security: there is a simulator that, given nothing, produces $\mathrm{Enc}_{SK}(SK)$.

− Weak circular security: the encryption scheme is semantically secure given $\mathrm{Enc}_{SK}(SK)$.

Bootstrapping: Publish $\mathrm{Enc}_{SK}(SK)$.

(OK assuming the scheme is “weakly circular secure”)

Page 85

Circular Security

There are (even bit-wise) circular secure encryption schemes

– [BHHO’08]: based on DDH

– [ACPS’09, BG’10, BHHI’10, …]

There are semantically secure schemes that are NOT circular-secure.

– Proof: Simple Exercise.

Page 86

Circular Security

How about circular security for the FHE scheme?

− NEED: “safe to publish” lweEnc($s[i] \cdot s[j]$) (encryptions of all quadratic monomials in the $s[i]$)

− CAN PROVE: “safe to publish” lweEnc($s[i]$) (encryptions of all linear monomials $s[i]$)

Page 87

Circular Security

− CAN PROVE: “safe to publish” lweEnc($s[i]$) (encryptions of all linear monomials $s[i]$)

$(a, \langle a, s \rangle + 2e + s[i] \bmod q)$

$= (a, \langle a, s \rangle + 2e + \langle u_i, s \rangle \bmod q)$

$u_i$: $i$th unit vector $(0, \ldots, 1, \ldots, 0)$

Page 88

Circular Security

− CAN PROVE: “safe to publish” lweEnc($s[i]$) (encryptions of all linear monomials $s[i]$)

$(a, \langle a, s \rangle + 2e + s[i] \bmod q)$

$= (a, \langle a + u_i, s \rangle + 2e \bmod q)$

$= (a' - u_i, \langle a', s \rangle + 2e \bmod q)$, with $a' = a + u_i$

This can be generated efficiently from an encryption of 0
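The identity above, checked numerically in an added Python example that is not part of the slides: subtracting $u_i$ from the first component of an encryption of 0 gives exactly lweEnc($s[i]$), and the transformation never uses $s$. Function names and the toy parameters are assumptions of this example.

```python
import random

def dot(u, v):
    return sum(x * y for x, y in zip(u, v))

def lwe_enc_key_coord(s, i, a, e, q):
    """Honest lweEnc(s[i]) in the slides' form (a, <a,s> + 2e + s[i] mod q). Needs s."""
    return list(a), (dot(a, s) + 2 * e + s[i]) % q

def lwe_enc_zero(s, a, e, q):
    """Encryption of 0: (a, <a,s> + 2e mod q)."""
    return list(a), (dot(a, s) + 2 * e) % q

def shift_to_key_coord(ct0, i, q):
    """Public transformation (never touches s): (a', b) -> (a' - u_i, b)."""
    a, b = ct0
    a = list(a)
    a[i] = (a[i] - 1) % q
    return a, b

def check_identity(n=8, q=2**20 + 7, noise=16, seed=2012):
    """For every coordinate i, compare the honest encryption of s[i] with the
    one obtained by shifting an encryption of 0 that used a' = a + u_i."""
    rng = random.Random(seed)                    # constructed sample values
    s = [rng.randrange(q) for _ in range(n)]
    for i in range(n):
        a = [rng.randrange(q) for _ in range(n)]
        e = rng.randint(-noise, noise)
        a_shift = list(a)
        a_shift[i] = (a_shift[i] + 1) % q        # a' = a + u_i, still uniform mod q
        ct0 = lwe_enc_zero(s, a_shift, e, q)
        if shift_to_key_coord(ct0, i, q) != lwe_enc_key_coord(s, i, a, e, q):
            return False
    return True

if __name__ == "__main__":
    print("shifted Enc(0) equals lweEnc(s[i]) for all i:", check_identity())
```

Because $a'$ uniform implies $a' - u_i$ uniform, the shifted ciphertext has the same distribution as a fresh lweEnc($s[i]$). No such linear shift produces $s[i] \cdot s[j]$, which is the gap the slides point out.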

Page 89

Q: “Real” FHE from Standard Assumptions?

1) Prove the circular security for quadratic monomials, or

2) Come up with an alternative to bootstrapping.

Page 90

What we did not Cover…

• Efficient Constructions

– Build on the ring LWE variant of today’s scheme

– Gentry-Halevi-Smart series of works

– a number of algebraic optimizations

• Verifiability

– CS proofs [Kil92,Mic94]

– A number of recent works in various settings [GKR08,GGP10,CKV10,AIK10,…]

– The central problem remains open

• Circuit Privacy

– [Gentry-Halevi-V’10]: “Circuit privacy for free” theorem

Page 91

Conclusion

• FHE is not so complicated any more

– Well-defined guidelines for construction

– Under relatively standard security assumptions

• FHE is not so inefficient any more

– Case in point: Ring LWE, NTRU…

• LOTS of questions still to be answered …

– FHE without “Circular Security”

– FHE from number theory, general assumptions…

• NEW directions: selective homomorphism, functional encryption,…

Page 92

Thank You!