ObfuscatingMany-to-oneFunctionalRe-encryption,anditsConnectiontoFully- - PDF document

ObfuscatingMany-to-oneFunctionalRe-encryption,anditsConnectiontoFully-HomomorphicEncryptionStefanoTessaroMITCSAILDavidA.WilsonMITCSAILftessaro,dwilsong@mit.eduAbstractFollowinguponitsrstconstructionbyGentry(STOC2009),fully-homomorphicencryption(FHE)hasgeneratedamultitudeofdierentworks,seekingbothfornewtheoreticalapproachesaswellasformoreecientinstantiations.AllexistingFHEschemes,however,aretightlyconnectedtospecicassumptions,andnogenericconstructionsareknown.Inthispaper,weinvestigategenericconstructionsofFHE.Specically,weintroduceanewprimitive,calledMany-to-OneFunctionalRe-encryption,whichallows,givenmultiplemessagesencryptedunderapublickeyforoneencryptionscheme,toproduceanencryptionofafunc-tionofthesemessagesunderanotherkey|possiblyforadierentencryptionscheme.Weintroduceanewnotionofobfuscationformany-to-onefunctionalre-encryption,andshowthatsuchobfuscationyieldsagenerictransformationfromasemantically-secureencryptionschemetoleveledFHE.WefurtherdemonstratethatexistingFHEschemes(boththosethatemploybootstrappingandrelinearization)canbeviewedasinstantiationsofthisparadigm. 1IntroductionFully-HomomorphicEncryption.Thediscoveryoffully-homomorphicencryptionschemes(FHE)hasbeenakeydevelopmentinmoderncryptography.FHEschemesallowarbitrarycomputationonencrypteddatawithoutdecrypting.ThenotionwasrstproposedbyRivest,Adleman,andDertouzos[ RAD78 ],butittookmorethanthreedecadesfortherstschemestobedeveloped.SeveralFHEschemeshavenowbeendeveloped,rstundersomewhatnonstandardlatticeassump-tions[ Gen09 , SV10 ],thenunderhardnessassumptionsforapproximateGCD[ vDGHV10 , CMNT11 , CNT12 ],andnallyundervariousformsoftheLearningWithErrorsassumption[ BV11b , BV11a , BGV11 , Bra12 , GHS12b , GHS12a , GSW13 ]orotherlattice-basedassumptions[ GH11 ].Atthesametime,nogeneralconstructionisknownfromsmallerprimitives,evenforthecaseofleveledFHEschemes.Ad-leveledFHEschemeallowscomputationofdepth-dcircuitsonencrypteddata,allowingitspublickeysizetobeapolynomialfunctionind.Inthispaper,weaddressthequestionofndingaprimitivewhichallowsagenericconstructionofFHEontopofasuitableencryptionscheme,andrevisitexistingworksintermsofinstantiationsofthisblueprint.Obfuscatingre-encryption.Ourapproachreliesonthenotionofobfuscatedre-encryption,whichhasbeendevelopedinparalleltoFHE.Whileobfuscationofgeneralfunctionsisimpos-sible[ BGI+01 ],therehavebeenseveralpositiveresultsdetailingfunctionfamiliesthatcanbeobfuscated(e.g.[ Wee05 , DS05 , CRV10 ],amongmanyothers).Inparticular,therehasbeenalineofresearchonobfuscationthatissecureonaverage(thatis,forarandomfunctionfromafamily),ratherthanforanyfunctioninthefamily([ GK05 , AW07 ],andothers);thisdenitionisparticularlyrelevanttocryptographicapplicationsthatuserandomizedfunctions.Hohenbergeretal[ HRSV07 ]showamethodtoobfuscateare-encryptionfunctionality{thatis,afunctionalitywhichallowsfordecryptionunderonekeyandencryptionunderasecond{suchthatthere-encryptionprocedurecanbedelegatedtoathirdpartywhodoesnotlearnanythingaboutthere-encryptedmessages.Chandranetal[ CCV12 ]extendedthisworkevenfurther,andconsiderfunctionalre-encryption,inwhichthesecondencryptionkeyisafunctionoftheunderlyingmessage,inthecontextofobfus-cationofthefunction(andhidingthemessage).However,suchfunctionalitieshavegenerallyonlybeendenedforsingle-inputfunctions.Many-to-onefunctionalre-encryption.Ourrstcontributionistointroduceanddenethenotionofmany-to-onefunctionalre-encryptionanditsobfuscation.Morespecically,forafunctionf,thisfunctionalityallowsanevaluatortotakemultipleciphertextsc1;:::;cqencryptingmessagesm1;:::;mqunderthesamekeypkforsomepublic-keycryptosystemPKE,andcomputesanencryptionoff(m1;:::;mq)underadierentkeyforsomepossiblydierentcryptosystemPKE0.Clearly,thisfunctionalityisbyitselfuninteresting,asitcanbetriviallyrealizedbydecryptingtheinputmessages,computingthefunction,andencryptingtheresult.However,thisfunctionalitybecomesinterestingifitcanbeobfuscatedandhencedelegatedtoauserwithoutrevealingthecorrespondingsecretkey.Forthisreason,wealsodeneanotionofobfuscationforthisfunction-ality,whichissubstantiallydierentthantheoneproposedbypreviousworksonre-encryption,despiteitssimilar\average-case"perspective:Atahighlevel,ourrstdenitionstatesthatforarandomcircuitcomputingthere-encryptionandforanobserverwhoknowsthepublickeyofthesourcescheme,theobfuscationofthatcircuitandthepublickeyofthetargetschemeareindis-tinguishablefromtheoutputofasimulatorthatonlyknowsthepublic-keyofthesourcescheme.Wealsoconsiderastrongernotion,wherethesimulatordoesnotsimulatethepublickeyofthetargetscheme,butobtainsitexternally.Weshowthatthelatterdenitionisinfactimpliedby2 thedenitionfrom[ HRSV07 ].FHEfrommany-to-onefunctionalre-encryption.Asoneapplicationofmany-to-onefunc-tionalencryption,oursecondcontributionistoshowagenericconstructionofleveledFHEgivenasemantically-secureencryptionschemesuchthatthecorrespondingmulti-inputfunctionalre-encryptionfunctionalitiesforacompletesetofoperations(e.g.,fortheNANDoperation)canbeobfuscatedwithrespecttothenewnotionsintroducedinthispaper.Asanapplication,weshowthatRegev-styleencryption[ Reg05 ]admitssuchobfuscatedre-encryptionformultiplication,which,combinedwithourmainresultandtheexistingadditivehomomorphismoftheencryptionyieldsalevelFHEscheme.ThisschemecorrespondstotheonerecentlyproposedbyBrakerski[ Bra12 ],forwhichweprovideamoremodularabstraction.Wealsoreinterpretthetechniqueof\bootstrapping"([ Gen09 ]andfollowupwork)asspecicimplementa-tionsofourgenericconstruction.2Preliminaries2.1Public-KeyEncryptionandSemanticSecurityWestartbyintroducingournotationtodescribepublic-keyencryptionschemes.Specically,apublic-keyencryptionschemeisatripleofalgorithmsPKE=(Gen;Enc;Dec),where:-therandomizedalgorithmGenisthekeygenerationalgorithm,whichtakesasinputthesecurityparameter1k,andoutputsapublic-key/secret-keypair(pk;sk)$ Gen(1k).-Encistherandomizedencryptionalgorithm,andDecisthedeterministicdecryptionalgo-rithm.WeassumethatPKEiscorrectifforallvalidpublic-key/secret-keypairs(pk;sk),andallmessagesm,theprobability[Dec(sk;Enc(pk;m))=m]isnegligible,wheretheprobabilityistakenovertherandomcoinsoftheencryptionalgorithmEnc.Moreover,wesaythatPKEissemanticallysecureifforallPPTdistinguishersDandallmessagesm,wehaveh(pk;sk)$ Gen(1n):D(pk;Enc(pk;m)))=1ih(pk;sk)$ Gen(1n):D(pk;Enc(pk;0)))=1inegl(n):2.2Fully-HomomorphicEncryptionAfullyhomomorphicencryption(FHE)schemeisanencryptionschemewhichallowsforarbitrarycomputationonencrypteddata.Namely,itconsistsofatupleFHE=(Gen;Enc;Dec;Eval)suchthatGenoutputsatripleofkeys(pk;sk;evk),whereevkistheadditionalevaluationkey.Thecorrectnessrequirementsfor(Gen;Enc;Dec)areasintraditionalpublic-keyencryption.Moreover,Evalistheevaluationalgorithmandissuchthatforeverycircuitfwithqinputs,andmessagesm1;:::;mq,wehaveDec(sk;Eval(evk;f;Enc(pk;m1);:::;Enc(pk;mq)))=f(m1;:::;mq);where(pk;sk;evk)$ Gen.Informally,wesaythatFHEisleveled(withdlevels),ifitonlyevaluatescircuitsofdepthd(insomewelldenedcircuitmodel),andtheparametersareallowedtodepend3 ond.Finally,wesaythatFHEissemanticallysecure,ifforallPPTdistinguishersDandallmessagesm,wehaveh(pk;sk;evk)$ Gen(1n):D(pk;evk;Enc(pk;m)))=1ih(pk;sk;evk)$ Gen(1n):D(pk;evk;Enc(pk;0)))=1inegl(n):FHEconstructionsintheliteratureinclude[ Gen09 , SV10 , vDGHV10 , CMNT11 , BV11b , BV11a , GH11 , BGV11 , Bra12 , GHS12b , CNT12 , GHS12a , GSW13 ].3Many-to-oneFunctionalRe-encryptionanditsObfuscationInthissection,weintroducethenotionofmany-to-onefunctionalre-encryption,aswellasanewnotionofobfuscationforthisfunctionalitywhich,whiletailoredatourapplications,exhibitsnaturalconnectionstopreviousnotions.3.1Many-to-oneFunctionalRe-encryptionWestartbydeningcircuitsprovidingmany-to-onefunctionalre-encryption.Inthemostgen-eralcase,wearegiventwopublic-keyencryptionschemesPKEandPKE0(wherepotentially,butnotnecessarily,PKE=PKE0).Weareinterestedinfamiliesofcircuitsfsk;pk0indexedbyvalidsecretkeysskforPKEandvalidpublickeyspk0forPKE0which,givenencryptionsofmessagesm1;:::;mqunderPKE,produceanencryptionoff(m1;:::;mq)forPKE0.Ofcourse,acanonicalimplementationofsuchcircuitsimplydecryptsc1;:::;cq,andthenre-encryptsf(m1;:::;mq)withfreshrandomness.However,wewillnotmakeanyfurtherassumptionsonthesecircuits,i.e.,theymayberandomizedornot,andwerequirethemtoworkinamoregeneralsense,whereanyqciphertextsc1;:::;cqdecryptingtom1;:::;mqunderskwillresultinaciphertextdecryptingtof(m1;:::;mq).Denition.LetPKE=(Gen;Enc;Dec)andPKE0=(Gen0;Enc0;Dec0)bepublic-keyencryptionschemes.LetMandM0bethemessagespacesofPKEandPKE0,respectively,andletf:Mq!M0beafunction.Af-re-encryptionfunctionalityfromPKEtoPKE0isafamilyof(possiblyrandomized)circuitsf=nfsk;pk0o(sk;pk0)indexedbysecretkeysskofPKEandpublickeyspk0ofPKE0suchthatforallvalidciphertextsc1;:::;cqforPKE,Dec0(sk0;Rfsk;pk0(c1;:::;cq))=f(m1;:::;mq);withoverwhelmingprobabilityovertherandomchoicesof(pk;sk)$ Gen,(pk0;sk0)$ Gen0,andf,wheremi=Dec(sk;ci)fori=1;:::;q.Withoutlossofgenerality,itwillbeconvenienttoassumethatthedescriptionofthecircuitfsk;pk0allowsonetorecoverthevalueofskandpk0eciently.Notethatinthecasewhereq=1andfistheidentity,thisnotioncorrespondstothetraditionalsettingofre-encryptionintroducedbyHohenbergeretal[ HRSV07 ].Incontrast,themoregeneralsettingoffunctionalre-encryptionintroducedbyChandranetal[ CCV12 ]isdierent,inthatitconsidersmultiplerecipientswithdierentkeypairs,andafunctionappliedtoanattributeassociatedwiththeciphertextdeterminestherecipientoftheencryption.Intheirsetting,however,notransformationisappliedtotheplaintextitself.4 3.2ObfuscationforMany-to-oneFunctionalRe-encryptionWenowdeneournewnotionofsecureobfuscationasspecicallyappliedtothemany-to-onere-encryptionregime,i.e.,toaf-re-encryptionfunctionalityffromasourceschemePKEtoatargetschemePKE0.Followingearlierworkonobfuscation[ Wee05 , DS05 , AW07 , HRSV07 , CRV10 ],wewanttheobfuscatedcircuittoperformthesamecomputationastheoriginalcircuit.However,atthesametime,wewanttoarguethatanadversarydoesnotlearnanyusefulinformationfromtheobfuscatedcircuitbeyondwhatitwouldlearnbyevaluatingitsfunctionalityinpurelyblack-boxmanner.Thislatterrequirementisdenedusingasimulation-basedapproach,incontrasttoindistinguishability-basedobfuscationasine.g.[ AW07 ].Wenotethatforthecaseofone-argumentfunctions,ournotionwilldierfromtheoneproposedbyChaseetal[ CCV12 ],whilestillfollowingthesameaverage-caseviewpoint.Intuitively,ournotionattemptstocaptureatthesametimethefactthattheobfuscatedre-encryptionfunctionalitydoesnotrevealanyinformationbeyondblack-boxaccesstothefunctionalityandthefactthatblack-boxaccesstothefunctionalitydoesnotrevealanyinformationaboutthemessagesbeingencrypted.Still,ournotionisconnectedto(andinmanycasesimpliedby)thenotiondenedintheseearlierwork,asweexplainbelow.Fornow,moreconcretely,letObfbeaPPTalgorithmwhoseinputandoutputarebothcircuits.Obfisasecureobfuscatorforre-encryptioncircuitfamilyfifthefollowingdenitionissatised.Denition(Re-encryptionObfuscation).WesaythatObfsecurelyobfuscatesthef-re-encryptionfunctionalityffromPKEtoPKE0ifthefollowingtwopropertieshold:-Correctness:ForanyC=fsk;pk02Rf,thestatisticaldistance
(Obf(C)(x);C(x))isnegligibleforallinputsx.-Simulatability:ThereexistsaPPTsimulatorSsuchthatforallPPTdistinguishersDandsecurityparametern,j[(sk;pk)$ Gen(1n);(pk0;sk0)$ Gen0(1n):D(pk;pk0;Obf(fsk;pk0))=1][(sk;pk)$ Gen(1n):D(pk;S(pk))=1]jnegl(n)wheretheprobabilitiesaretakenoverthecoinsofGenandS.Thisnotionissomewhatdierentthanthosefoundintheexistingliteratureonobfuscation;letusdiscussthisnotionalittlebitfurther.Generally,onedenesobfuscatorsasbeingsecurewhenevertheresultingobfuscationdoesnothelpmoreincomputingthefunctionimplementedbytheunderlyingcircuitthanblack-boxaccesstothefunctionitself.Wenotethatthedenitionprovidesaverystrongguarantee,inthatitsaysthatanattacker,givenpk;pk0andtheobfuscationObf(fsk;pk0)doesnotlearnanythingbeyondthepublickeypkofthesourcescheme.Notethattheobfuscationmaybearandomizedcircuititself,andthatthecorrectnessrequirementsassumeshonestevaluationofthecircuit,i.e.,usinghonestlygeneratedrandomcoins.Westressthatthesimulatorisrequiredtosimulatethepublic-keypk0togetherwiththeobfusca-tionObf(fsk;pk).Wealsodiscussastrongernotionofobfuscationwherethesimulatorisrestrictedtouseanexternallygeneratepublickeypk0forthetargetscheme.Denition(StrongRe-encryptionObfuscation).WesaythatObfstronglysecurelyobfus-catesthef-re-encryptionfunctionalityffromPKEtoPKE0ifcorrectnessasaboveholds,andadditionally,thefollowingstrongersimulatabilityrequirementholds:5 -StrongSimulatability:ThereexistsaPPTsimulatorSsuchthatforallPPTdistinguishersDandsecurityparametern,j[(pk;sk)$ Gen(1n);(pk0;sk0)$ Gen0(1n):D(pk;pk0;Obf(fsk;pk0))=1][(pk;sk)$ Gen(1n);(pk0;sk0)$ Gen0(1n):D(pk;pk0;S(pk;pk0))=1]jnegl(n)wheretheprobabilitiesaretakenoverthecoinsofGenandS.Relationtoearlierdefinitions.Asmentionedabove,previousworksonre-encryption[ HRSV07 , CCV12 ]consideredadierentnotionofaverage-caseobfuscationwhichappearsatrstincompara-bletoours,inwhichthesimulatormustsimulateObf(fsk;pk0),givenblack-boxaccesstofsk;pk0andknowingthepublickeyspk;pk0.Formally,whentranslatedtooursettingofmulti-inputfunctionalre-encryption,therequirementoftheseearlierworksisasfollows:-VirtualBlack-boxness:ThereexistsaPPTsimulatorSsuchthatforallPPTdistinguish-ersDandsecurityparametern,j[(pk;sk)$ Gen(1n);(pk0;sk0)$ Gen0(1n):DRfsk;pk0(pk;pk0;Obf(fsk;pk0))=1][(pk;sk)$ Gen(1n);(pk0;sk0)$ Gen(1n):DRfsk;pk0(pk;pk0;SRfsk;pk0(pk;pk0)=1]jnegl(n)wheretheprobabilitiesaretakenoverthecoinsofGenandS.Wewillnowprovethatstrongvirtualblack-boxnessimpliesourstrongobfuscationnotionabovefornaturalre-encryptionfunctionalities,hencemakingitasomewhatstrongernotion.Moreconcretely,wesaythatthef-re-encryptionfunctionalityf=ffsk;pk0gissimulatableifthereexistsasimulatorS0suchthatforallPPTdistinguishersD,wehavej[(pk;sk)$ Gen(1n);(pk0;sk0)$ Gen0(1n):DRfsk;pk0(pk;pk0)=1][(pk;sk)$ Gen(1n);(pk0;sk0)$ Gen0(1n):DS0(pk;pk0)(pk;pk0)=1]jnegl(n):Forexample,thecanonicalre-encryptionfunctionalityissimulatablebysemanticsecurity,providedwecanecientlytestifaciphertextinputtothefunctionalityisdecryptablegivenpkonly.Then,wecanshowthefollowing:Lemma.Assumethattheobfuscatorsatisesthevirtualblack-boxnesspropertyandthef-reencryptionfunctionalityfisprivate.Then,theobfuscatorsatisesthestrongsimulatabilityproperty.Proof.Asournewsimulator^Sforthestrongsimulatabilityproperty,weusethesimulatorSforvirtualblack-boxness,takingpkandpk0asinputs,anduseS0guaranteedtoexistbysimulatabilityofthefunctionalityftoanswerS'squeries,i.e.,forshort,^S(
;
)=SS0(
;
).Then,ifthereexistsanattackerDviolatingstrongobfuscability,distinguishingwithnon-negligibleadvantage",thenDalsoviolatesthevirtualblack-boxnessproperty(withoutmakingoraclequeries)withdistinguishingadvantage"negl(n).Thisisbecausebythesimulatabilityoff,theprobabilitiesthatDoutputsonewheninteractingwitheitherof(pk;pk0;^S(pk;pk0))=(pk;pk0;SS0(pk;pk0))and(pk;pk0;SRfsk;pk(pk;pk0)))arenegligiblyclose. 6 4FullyHomomorphicEncryptionfromMany-to-oneFunctionalRe-encryptionInthissection,weconnectthenotionofobfuscatedmany-to-onefunctionalre-encryptionwithFHE,bypresentingagenericconstructionfromtheformertothelatter.Inparticular,weassumethepossibilityofobfuscatingfunctional-re-encryptionforspecicfamiliesoffunctions,whichwewilldiscussrst.4.1UniversalOperationsandCircuitsWedenethenotionofan(unobfuscated)re-encryptioncircuitthatappliesauniversaloperationtoitsinputs.Inparticular,foramessagespaceM=fMngn2N(e.g.,M=f0;1g),letF=fFngbeauniversalclassoffunctions,i.e.,suchthatFnissmallenough(i.e.,polynomialinn,thoughusuallyconstant)andsuchthateveryfunctionMqn!MncanbecomputedbycircuitshavinggatesimplementingfunctionsfromFn.Forexample,wecouldhaveMn=f0;1gforalln2N,andFnsimplycontainstheNANDfunction.Similarly,ifMn=Fqforsomeprimepowerqdependingonn,thenFcouldconsistsofadditionandmultiplicationinFq.Asusual,thegatesofthecircuitwithF-gatescanbedividedintolayers:anygatewhoseinputsconsistonlyofinputbitstotheentirecircuitisdenedtobeinlayer0,andanygatewhoseinputconsistsonlyofoutputsoflayer-igatesisinlayeri+1.Withoutlossofgenerality,wecanconsidercircuitswhereeachlayer-igateonlyoutputstolayeri+1.4.2MainConstructionFori2f0;1;:::;dg,letPKEi=(Geni;Enci;Deci)bepublic-keyencryptionschemes(latertobeassumedsemanticallysecure)withcommonmessagespaceM,andletFbeauniversalfamilyoffunctionsforM.Also,forallf2Fandi2f0;1;:::;d1g,letfi=ff;iski;pki+1gbetheaf-re-encryptionfunctionalityfromPKEitoPKEi+1.Moreover,assumewehaveanobfuscatorObffiforfi.Weconstructad-leveledFHEschemeFHE=(Gen;Enc;Dec;Eval)asfollows: -Gen(1n):RunGen(i)togenerate(pki;ski)$ Gen(i)foralli=0;1;:::;d.Letthepublickeypk=(pk0;:::pkd),andlettheevaluationkeyevk=(fObff0(f;0sk0;pk1);:::Obffd1(f;d1skd1;pkd)gf2F).Thesecretkeyissk=(sk0;:::skd).-Encpk(m):Returnc=Enc(0)pk0(m).-Decsk(c):RunDecskd(c).(Fordepthsilessthand,otherskimaybeused.)-Evalevk(B;c1;:::;cq),whereBisacircuitconsistingofFgatesofdepthatmostdandwithqinputs:Startwithc1;:::;cqasvaluesontheqinputwires,andforeach-arygatefwithinputsatlayeri=0;1;:::;d1withvaluec01;:::;c0rontheinputlayers,runObffi(f;iski1;pki+1)oninputsc01;:::;c0q,andassigntheresultingvaluec00totheoutputwire. 7 Remark.Inmanysituations,theencryptionschemesPKEimaypresentsomepartialhomomor-phismproperties,i.e.,itmayallowforcomputingsomefunctionf2F(e.g.,additioninFq)withoutresortingtore-encryption.Inthesesituations,theobviouseciencyimprovementscanbemadeforthescheme,avoidingtheuseofre-encryptiontocomputefgates.Wedispensewithaformalspecicationoftheconstructioninthiscase.4.3SecurityWewillprovethefollowingtheorems,whicharethemainresultofthissection.Theorem(SecurityoftheMainConstruction).AssumethatPKE0issemanticallysecure,andthatforalli2f0;:::;d1gandf2F,theobfuscatorsObffistronglysecurelyobfuscatethefre-encryptionfunctionalityfi.ThentheMainConstructionaboveisasemantically-secured-leveledFHEscheme.ThefollowingresultshowsthatifF=ffg,i.e.,onlyonefunctioniscontained,thenwecaninsteadusetheweakernotionof(non-strong)obfuscation. 1 Theorem(SecurityoftheMainConstruction{SingleFunctionCase).AssumethatPKE0issemanticallysecure,andthatforalli2f0;:::;d1g,theobfuscatorObffisecurelyobfuscatesthefre-encryptionfunctionalityfi.ThentheMainConstructionaboveisasemantically-secured-leveledFHEscheme.Forboththeorems,notethatcorrectnessisobviousbythedenitionofthere-encryptionfunc-tionalityandthecorrectnesspropertiesoftheobfuscators.Wearegoingtofocusonprovingthesecondtheorem,astheproofisinfactmorecomplicatedthanintherstcase.Therefore,asthecoreofourproof,wewishtoshowthattheaboveconstructionachievessemanticsecurity.Specically,weshowthatforallPPTD,j[(sk;pk;evk) Gen(1n):D(Encpk(m);pk;evk)=1[(sk;pk;evk) Gen(1n):D(Encpk(0);pk;evk)=1]jnegl(n)wheretheprobabilityistakenovertherandomcoinsofGenandoftheencryptions.Tothisend,werstproveausefullemmatoshowthatwecansecurelychaintogetherobfus-catorstoperformmultipleoperationsonanunderlyingmessage.Lemma.Forallm2M,thereexistsPPTsimulatorSsuchthatj[(pk;evk;sk)$ Gen(1n):D(Encpk(m);pk;evk)=1][(sk0;pk0)$ Gen(0)(1n):D(Enc(0)pk0(m);pk0;S(pk0))=1]jnegl(n)wheretheprobabilitiesaretakenoverthecoinsofGen,Gen(0),theencryptions,andthesimulatorS. 1TherearemultiplereasonswhyFmayonlycontainonefunction:EItherfistheNANDfunctionortheunderlyingschemealreadyprovidessomelevelofhomomorphism(e.g.additions).8 Proof.Therealdistribution(Encpk(m);pk;evk)canberewrittenexplicitlyas(Enc(0)pk0(m);pk0;Obff0(f;0sk0;pk1);pk1;Obff1(f;1sk1;pk2);pk2;:::;Obffd1(fd1skd1;pkd);pkd):Wenowuseahybridargumenttoshowthatthisdistributioniscomputationallyindistinguishablefromthesimulateddistribution(Enc(0)pk0(m);pk0;S(pk0));forasimulatorSwhichisgivenbelow.Todothis,weconstructaseriesofdistributions,andarguethatapolynomial-timedistinguishercannotnoticeadierenceateachstep,exceptwithnegligibleprobability.Distribution0:Thedistinguisherisgiventhe\real-worldview"(Encpk0(m);pk0;Obff0(f;0sk0;pk1);pk1;Obff1(f;1sk1;pk2);pk2;:::Obffd1(f;d1skd1;pkd);pkd):Distribution1:LetSd1bethesimulatorguaranteedbythesecurityofObffd1.Thedistin-guisherisgiven(Encpk0(m);pk0;Obff0(f;0sk0;pk1);pk1;Obf(f;1sk1;pk2);pk2;:::;Obffd1(f;d1skd2;pkd1);pkd1;Sd1(pkd1))Thatis,theonlychangefromDistribution0isthat(Obffd1(f;d1skd1;pkd);pkd)isreplacedbySd1(pkd1).Bydenition,weknowthat(pkd1;Obffd1(f;d1skd1;pkd);pkd)iscomputationallyindistinguishablefrom(pkd1;Sd1(pkd1)).Theonlyremainingelementofthesedistributionsthatdependsonthevalues(skd1;pkd1)isObff;d2(f;d2skd2;pkd1).Notethatthisvalueonlydependsonpkd1andnotskd1.Thus,sincewearealreadygivingpkd1intheclear,anadversarygainsnoadditionalinformationaboutskd1byseeingObffd2(f;d2skd2;pkd1).Theotherelementsofthedistributionareindependentofthekeysatindexd1andd,soweknowthattheDistribution0iscomputationallyindistinguishablefromDistribution1.Distribution2Again,letSd1bethesimulatorguaranteedbythesecurityofObffd1,andletS0d2bethesimulatorguaranteedbythesecurityofObffd2.DeneSd2asafunctionthatappliesS0d2toitsinputtogetapair,thenappliesSd1tothesecondelementofthatpairtogetanotherpair,andoutputsthe4-tuplethatconsistsofbothpairs.Thedistinguisherisgiven(Encpk0(m);pk0;Obff0(f;0sk0;pk1);pk1;Obff1(f;1sk1;pk2);pk2;:::pkd3;Obffd3(f;d3skd3;pkd2);pkd2;Sd2(pkd2))Thisstepisdierentfromthepreviousstepsincethe\pkd1"usedtogeneratethelasttwoelementsisnowitselfsimulatedinsteadofbeingoutputbyGen(d1)directly.However,ifanadversarycoulddistinguishDistribution2fromDistribution1,hecoulduseS0tobreakbreakthesecurityoftheobfuscatoritself(bygeneratingtheencryptionandpk0;:::;pkd3himself,usingthechallengeaspkd2;x;y,andrunningSd1(y)togeneratethenaltwoelements).Thus,Distribution2mustbecomputationallyindistinguishablefromDistribution1.Wecontinuereplacingpairswithasimulatorinthismanneruntilwereach:9 DistributiondInDistributiond,wehavereplacedd(obfuscatedcircuit,publickey)pairswithsimulatedvalues,yielding(Encpk0(m);pk0;S(pk0))asdesired.Byhybridargument,sinceeachadjacentpairofdistributionsarecomputationallyindistinguishable,Distribution0andDistributiondarecomputationallyindistinguishable. Wethereforeknowthatthesecurityoftheobfuscationalgorithmimpliesthatwecanusemanyobfuscatedre-encryptionalgorithmsinsuccessionwithoutbreakingsecurity.Fromhereon,provingthesemanticsecurityofthemainconstructionisstraightforward.Indeed,assumeanadversaryhasbothpkandevk.Weknowthat(Encpk0(m);m0;Obff0(f;0sk0;pk1);pk1;Obff1(f;1sk1;pk2);pk2;:::;Obffd1(f;d1skd1;pkd);pkd)(Encpk0(m);pk0;S(pk0))forsomeS.Furthermore,sinceSisecient,weknowthattheoutputofS(pk0)cangivenomoreinformationaboutsk0totheadversarythanpk0itselfcan(sincetheadversarycouldhavesimplyrunSonhisown).Sincetheoriginalencryptionschemeissemanticallysecure,wethusknowthat(Encpk0(m);pk0;S(pk0))(Encpk0(0);pk0;S(pk0))toanyPPTadversary.Thus,suchanadversarycanonlyhavenegligibleadvantageatdistinguishingencryptionsofmandof0,andtheFHEissemanticallysecure.5ExampleConstructionInthissection,weexerciseourframeworkbytakingthepublic-keysystemofRegev[ Reg05 ],whichissemanticallysecureundertheLearningWithErrorsassumption,andgiveasecureobfuscationalgorithmforthemultiplication-re-encryptionfunctionalityfromthisschemetoitself.Thisschemeisnaturallyadditivelyhomomorphic;thus,bythemaintheorem,thisimpliesa(leveled)fully-homomorphicencryptionscheme.Notethattheresultingconstructionisessentiallythatof[ Bra12 ];however,webelievethatviewingtheproblemasoneofobfuscatedre-encryptionprovidesacleanerapproach.5.1APublic-KeyEncryptionSchemeThebasicpublic-keyencryptionschemeisduetoRegev[ Reg05 ].Itisparameterizedbyn;m;q;fromtheLWEassumptionused.WewillrefertothisschemeasPKEn;q;. -Gen(1k):Choosevectors0$ Znq,matrix$ Zmnq,andvectore$ m.Compute=
s0+e.Outputsecretkeys=(s0;1)andpublickey(;).-Encpk(m):Givenm2f0;1g,choose$ f0;1gmandoutput(T;h;i+bq 2c
m).-Decsk(c):Compute(hs;ci(modq)).Output0ifthisvalueiscloserto0and1ifthisvalueisclosertobq 2c(modq). ThisencryptionschemeissemanticallysecureundertheLWEq;assumption[ Reg05 ].Fur-thermore,itisclearlyadditivelyhomomorphicoverGF[2](forappropriatechoiceof),since(hs;c1+c2i(modq))=bq 2c
(m1+m2)he;1+2i(modq).10 5.2Re-encryptionandObfuscationRe-encryptionfunctionality.Weconsiderthefamilyofcircuits,there-encryption-with-multiplicationcircuitsfromPKEn;q;toPKEn;q;0.(Thevaluesnandqcouldchangeaswell,ifdesired.)Acircuitsk;pk02Rcontainsthesecretkeysk=sofaschemeinPKEn;q;andthepublickeypk0=(0;0)ofaschemeinPKEn;q;0,hardwiredinside.IttakesasinputtwociphertextsandappliesDecsk(
)toeachofthemtoobtaintwobits.Itmultipliesthesetwobits(correspondingtoalogicaland),runsEncpk0(
)ontheresult,andoutputstheresultingciphertext.ConstructionofObfToconstructourobfuscator,werstdenetransformationsBitDecompandPowersOf2(usedpreviouslyin[ BV11a ],[ BGV11 ],[ Bra12 ],[ GSW13 ]).Ifv=(1;v2;:::v`)2Z`q,then:-BitDecompq(v)=(1;0;v1;1;:::v1;dlgqe;v2;0;:::v`;dlgqe),wherei;jisthej-thleastsignicantbitofi(thatis,i=Pj2ji;j).-PowersOf2q(v)=(1;21;41;:::2dlgqe
1;v2;22:::2dlgqe
`).Inthefollowing,wewillgenerallyomitthesubscriptq.Ofnoteisthatforany;v2Znq,h;vi=hBitDecomp();PowersOf2(v)i.WewilldescribethetransformationwewantObftoperformrst,andthendeneitscircuitoutput.Werstcompute~s=2 q(BitDecomp(s)\nBitDecomp(s)),arationalvectoroflength((n+1)dlgqe)2.Here\ndenotesthetensorproduct.Wethenusepk0=(0;0)to\encrypt" 2 eachelementofPowersOf2(~s).Thatis,wechooseR$ f0;1g((n+1)2dlgqe3)mandcomputeD=[0j0]T
R+q 2[0jPowersOf2(~s)]T,where0isanmnmatrixofzeroes.(NotethatDisanintegermatrix.)Dene~c=2 q(PowersOf2(c1)\nPowersOf2(c2)).Obfwillextractsand(0;0)fromitsinput.ThenitconstructsarandomizedcircuitthatchoosesarandomRasdenedaboveandcomputesthecorrespondingD.Thecircuittakesintwoinputciphertextsc1andc2,computesD
BitDecomp(b~ce),andoutputsthisvalue.Obfoutputsthiscircuitastheobfuscationofsk;pk0. 2Asin[ BV11a ],thisisnottrueencryption,sincetheencryptedvaluesarenotbits;thus,theycannotbedecryptedproperly.However,theoperationisthesame,andtheintuitionthatthesevaluesare\encrypted"maybeuseful.11 Correctness.ThecircuitObf(sk;pk0)calculatesD
BitDecomp(b~ce)=[0j0]T
R
BitDecomp(b~ce)+q 2[0jPowersOf2(~s)]T
BitDecomp(b~ce)=[0j0]T
0+q 2(0n;h~s;b~cei)=[0j0]T
0+(0n;hBitDecomp(s)\nBitDecomp(s);2 q(PowersOf2(c1)\nPowersOf2(c2)i))+e01=[0j0]T
0+2 q(0n;hs;c1i
hs;c2i)+e01=[0j0]T
0+2 q(0n;(he1;1i+q 2m1)(he2;2i+q 2m2))+e01=[0j0]T
0+q 2(0n;m1m2)+e01+e02Wewishtoshowthatthisisstatisticallyclosetotheoutputofsk;pk0(whichisafreshencryptionofm1m2).Therearetwodierences:thefactthat0isnotabinaryvector,andthepresenceofanadditionaladditiveerrorterm(e1+e2).Fortherstdierence,notethat[0j0]T
02Znq,andthatboth0andRarechosenrandomly.Thereare2mchoicesof002f0;1gm.Thus,foravaluem=\n(nlgq),withhighprobabilitythereexists002f0;1gmsuchthat[0j0]T
0=[0j0]T
00.Fortheseconddierence,wenotethatbothe01ande02are\small".Specically,e01comesfromroundingerror;eachelementisroundedbyatmost1/2,soitsmagnitudeisbounded 3 byjjBitDecomp(s)\nBitDecomp(s)jj1
1 2((n+1)(dlgqe+1))2=2.e02isduetothepresenceofe1andbfe2intheoriginalciphertexts;however,thepresenceofthe2 qcoecientmeansthatthistermisboundedbyO(m"),where"istheoriginalerrorboundof.Notethatthemagnitudeof(e1+e2)isindependentofqasidefromalogarithmicfactor;thus,wecanchoosetheLWEparameters(inparticular,qand0)suchthattheoutputdistributionsoftheobfuscatedandunobfuscatedcircuitsarestatisticallyclose.Simulatability.WeshowasimulatorSthatsatisesthestrongsimulatabilityconditionforthisconstruction,asdenedinsection3.2.RecallthatObf(sk;pk0)constructsacircuitthatonlydependsonthevalues(sk;pk0)throughamatrixD,denedas[0j0]T
R+q 2[0jPowersOf2(~s)]T.ThesimulatorSsimplychoosesR$ f0;1g((n+1)2dlgqe3)mandreturnsacircuitthatuses[0j0]T
RinplaceofD.NotethatthisissimplyaRegevencryptionof0underthekeypk0;indistinguishabilityholdsbythesemanticsecurityoftheoriginalRegevscheme.6BootstrappingManyexistingFHEschemes,startingwiththatofGentry[ Gen09 ],operateontheprincipleof\bootstrapping".Thatis,theyrstdenea\somewhathomomorphic"scheme,whichiscapable 3BoundingthiserroristhereasontointroduceBitDecompandPowersOf2{thisallowsthevectorBitDecomp(s)\nBitDecomp(s)tobebinary.12 ofhomomorphicallyevaluatingitsowndecryptioncircuitplusasingleoperationunderasinglekey.Theythenprovideachainofencryptedkeysunderthisscheme,wherethei-thdecryptionkeyisencryptedunderthe(i+1)stkey.Thisconstructionallowsfor(leveled)fully-homomorphicevaluation:givenaciphertextencryptedunderthei-thkey,theevaluatorencryptstheciphertextunderthe(i+1)stkeyandthenhomomorphicallyevaluatesthedecryptioncircuitonthenewciphertextandtheencryptedi-thkey,followedbyoneoperation.Thenetresultisanencryptionunderkeyi+1oftheoperationappliedtotheplaintextcorrespondingtotheinput.Thegeneralbootstrappingparadigmcanbeseenunderourframeworkasprovidinganobfus-catedre-encryption-with-operationfunctionality.Specically,giventhekeyspki+1;ski,onecanconstructacircuitthatencryptsitsinputunderpki+1,runsthedecryptionoperationhomomor-phicallyusingahardcodedvalueEncpki+1(ski),andthenhomomorphicallyperformsoneoperation.Thiscircuitperformsthesamecomputationasdecrypting,performingtheoperation,andencrypt-ing(bythecorrectnessoftheFHEscheme),anddoesnotleakanyinformationabouttheencrypteddata(bythesemanticsecurityoftheFHEscheme).Thus,atahighlevelitisanobfuscatedre-encryption-with-operationcircuitunderourdenition.However,ourdenitionismoregeneral,sincewedonotrequirestartingwitha\somewhathomomorphic"encryptionscheme,butanysemantically-secureencryptionschemewithasecurely-obfuscatablef-re-encryptionfunctionality.7AcknowledgementsTheauthorswouldliketothankShaGoldwasserforherhelpandguidance.References[AW07]BenAdidaandDouglasWikstrom.Howtoshueinpublic.InSalilP.Vadhan,editor,TCC2007:4thTheoryofCryptographyConference,volume4392ofLectureNotesinComputerScience,pages555{574.Springer,February2007.[BGI+01]BoazBarak,OdedGoldreich,RussellImpagliazzo,StevenRudich,AmitSahai,SalilP.Vadhan,andKeYang.Onthe(im)possibilityofobfuscatingprograms.InJoeKilian,editor,AdvancesinCryptology{CRYPTO2001,volume2139ofLectureNotesinComputerScience,pages1{18.Springer,August2001.[BGV11]ZvikaBrakerski,CraigGentry,andVinodVaikuntanathan.Fullyhomomorphicen-cryptionwithoutbootstrapping.CryptologyePrintArchive,Report2011/277,2011. http://eprint.iacr.org/ .[Bra12]ZvikaBrakerski.Fullyhomomorphicencryptionwithoutmodulusswitchingfromclas-sicalGapSVP.InReihanehSafavi-NainiandRanCanetti,editors,AdvancesinCryp-tology{CRYPTO2012,volume7417ofLectureNotesinComputerScience,pages868{886.Springer,August2012.[BV11a]ZvikaBrakerskiandVinodVaikuntanathan.Ecientfullyhomomorphicencryptionfrom(standard)LWE.InRafailOstrovsky,editor,52ndAnnualSymposiumonFoun-dationsofComputerScience,pages97{106.IEEEComputerSocietyPress,October2011.13 [BV11b]ZvikaBrakerskiandVinodVaikuntanathan.Fullyhomomorphicencryptionfromring-LWEandsecurityforkeydependentmessages.InPhillipRogaway,editor,AdvancesinCryptology{CRYPTO2011,volume6841ofLectureNotesinComputerScience,pages505{524.Springer,August2011.[CCV12]NishanthChandran,MelissaChase,andVinodVaikuntanathan.Functionalre-encryptionandcollusion-resistantobfuscation.InRonaldCramer,editor,TCC2012:9thTheoryofCryptographyConference,volume7194ofLectureNotesinComputerScience,pages404{421.Springer,March2012.[CMNT11]Jean-SebastienCoron,AvradipMandal,DavidNaccache,andMehdiTibouchi.Fullyhomomorphicencryptionovertheintegerswithshorterpublickeys.InPhillipRog-away,editor,AdvancesinCryptology{CRYPTO2011,volume6841ofLectureNotesinComputerScience,pages487{504.Springer,August2011.[CNT12]Jean-SebastienCoron,DavidNaccache,andMehdiTibouchi.Publickeycompres-sionandmodulusswitchingforfullyhomomorphicencryptionovertheintegers.InDavidPointchevalandThomasJohansson,editors,AdvancesinCryptology{EURO-CRYPT2012,volume7237ofLectureNotesinComputerScience,pages446{464.Springer,April2012.[CRV10]RanCanetti,GuyN.Rothblum,andMayankVaria.Obfuscationofhyperplanemem-bership.InDanieleMicciancio,editor,TCC2010:7thTheoryofCryptographyCon-ference,volume5978ofLectureNotesinComputerScience,pages72{89.Springer,February2010.[DS05]YevgeniyDodisandAdamSmith.Correctingerrorswithoutleakingpartialinforma-tion.InHaroldN.GabowandRonaldFagin,editors,37thAnnualACMSymposiumonTheoryofComputing,pages654{663.ACMPress,May2005.[Gen09]CraigGentry.Fullyhomomorphicencryptionusingideallattices.InMichaelMitzen-macher,editor,41stAnnualACMSymposiumonTheoryofComputing,pages169{178.ACMPress,May/June2009.[GH11]CraigGentryandShaiHalevi.Fullyhomomorphicencryptionwithoutsquashingusingdepth-3arithmeticcircuits.InRafailOstrovsky,editor,52ndAnnualSymposiumonFoundationsofComputerScience,pages107{109.IEEEComputerSocietyPress,October2011.[GHS12a]CraigGentry,ShaiHalevi,andNigelP.Smart.Fullyhomomorphicencryptionwithpolylogoverhead.InDavidPointchevalandThomasJohansson,editors,AdvancesinCryptology{EUROCRYPT2012,volume7237ofLectureNotesinComputerScience,pages465{482.Springer,April2012.[GHS12b]CraigGentry,ShaiHalevi,andNigelP.Smart.HomomorphicevaluationoftheAEScircuit.InReihanehSafavi-NainiandRanCanetti,editors,AdvancesinCryptology{CRYPTO2012,volume7417ofLectureNotesinComputerScience,pages850{867.Springer,August2012.14 [GK05]ShaGoldwasserandYaelTaumanKalai.Ontheimpossibilityofobfuscationwithauxiliaryinput.In46thAnnualSymposiumonFoundationsofComputerScience,pages553{562.IEEEComputerSocietyPress,October2005.[GSW13]CraigGentry,AmitSahai,andBrentWaters.Homomorphicencryptionfromlearningwitherrors:Conceptually-simpler,asymptotically-faster,attribute-based.CryptologyePrintArchive,Report2013/340,2013. http://eprint.iacr.org/ .[HRSV07]SusanHohenberger,GuyN.Rothblum,AbhiShelat,andVinodVaikuntanathan.Se-curelyobfuscatingre-encryption.InSalilP.Vadhan,editor,TCC2007:4thTheoryofCryptographyConference,volume4392ofLectureNotesinComputerScience,pages233{252.Springer,February2007.[RAD78]RonaldL.Rivest,LenAdleman,andMichaelL.Dertouzos.Ondatabanksandprivacyhomomorphisms.InRichardA.DeMillo,DavidP.Dobkin,AnitaK.Jones,andRichardJ.Lipton,editors,FoundationsofSecureComputation,pages165{179.AcademicPress,1978.[Reg05]OdedRegev.Onlattices,learningwitherrors,randomlinearcodes,andcryptography.InHaroldN.GabowandRonaldFagin,editors,37thAnnualACMSymposiumonTheoryofComputing,pages84{93.ACMPress,May2005.[SV10]NigelP.SmartandFrederikVercauteren.Fullyhomomorphicencryptionwithrela-tivelysmallkeyandciphertextsizes.InPhongQ.NguyenandDavidPointcheval,editors,PKC2010:13thInternationalConferenceonTheoryandPracticeofPublicKeyCryptography,volume6056ofLectureNotesinComputerScience,pages420{443.Springer,May2010.[vDGHV10]MartenvanDijk,CraigGentry,ShaiHalevi,andVinodVaikuntanathan.Fullyhomo-morphicencryptionovertheintegers.InHenriGilbert,editor,AdvancesinCryptology{EUROCRYPT2010,volume6110ofLectureNotesinComputerScience,pages24{43.Springer,May2010.[Wee05]HoeteckWee.Onobfuscatingpointfunctions.InHaroldN.GabowandRonaldFagin,editors,37thAnnualACMSymposiumonTheoryofComputing,pages523{532.ACMPress,May2005.15