\documentclass[11pt]{article}
\usepackage{amssymb,amsmath,amsthm,url}
\usepackage{graphicx}
%uncomment to get hyperlinks
%\usepackage{hyperref}
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%Some macros (you can ignore everything until "end of macros")
\def\class{0}
\topmargin 0pt \advance \topmargin by -\headheight \advance
\topmargin by -\headsep
\textheight 8.9in
\oddsidemargin 0pt \evensidemargin \oddsidemargin \marginparwidth
0.5in
\textwidth 6.5in
%%%%%%
\newcommand{\getsr}{\gets_{\mbox{\tiny R}}}
\newcommand{\bits}{\{0,1\}}
\newcommand{\Ex}{\mathbb{E}}
\newcommand{\To}{\rightarrow}
\newcommand{\e}{\epsilon}
\newcommand{\R}{\mathbb{R}}
\newcommand{\N}{\mathbb{N}}
\newcommand{\Z}{\mathbb{Z}}
\newcommand{\maxpr}{\text{\rm max-pr}}
\newenvironment{summary}{\begin{quote}\textbf{Summary.}}{\end{quote}}
\newtheorem{theorem}{Theorem}
\newtheorem{axiom}{Axiom}
\newtheorem{lemma}[theorem]{Lemma}
\newtheorem{claim}[theorem]{Claim}
\newtheorem{corollary}[theorem]{Corollary}
\theoremstyle{definition}
\newtheorem{exercise}{Exercise}
\newtheorem{definition}[theorem]{Definition}
\newcommand{\sstart}{\triangleright}
\newcommand{\send}{\triangleleft}
\newcommand{\cclass}[1]{\mathbf{#1}}
\renewcommand{\P}{\cclass{P}}
\newcommand{\NP}{\cclass{NP}}
\newcommand{\Time}{\cclass{Time}}
\newcommand{\BPP}{\cclass{BPP}}
\newcommand{\Size}{\cclass{Size}}
\newcommand{\Ppoly}{\cclass{P_{/poly}}}
\newcommand{\CSAT}{\ensuremath{\mathsf{CSAT}}}
\newcommand{\SAT}{\ensuremath{\mathsf{3SAT}}}
\newcommand{\IS}{\mathsf{INDSET}}
\newcommand{\poly}{\mathrm{poly}}
\newcommand{\inp}{\mathsf{in}}
\newcommand{\outp}{\mathsf{out}}
\newcommand{\Adv}{\mathsf{Adv}}
\newcommand{\Supp}{\mathsf{Supp}}
\newcommand{\dist}{\Delta}
\newcommand{\indist}{\approx}
\newcommand{\PRG}{\mathsf{G}}
\newcommand{\Gen}{\mathsf{Gen}}
\newcommand{\Enc}{\mathsf{Enc}}
\newcommand{\Dec}{\mathsf{Dec}}
\newcommand{\Com}{\mathsf{Com}}
\newcommand{\Sign}{\mathsf{Sign}}
\newcommand{\Ver}{\mathsf{Ver}}
\newcommand{\eqdef}{\stackrel{\text{\tiny def}}{=}}
\newcommand{\set}[1]{ \{ #1 \} }
\newcommand{\cF}{\mathcal{F}}
\newcommand{\angles}[1]{\langle #1 \rangle}
\newcommand{\iprod}[1]{\angles{#1}}
\newcommand{\floor}[1]{\lfloor #1 \rfloor}
\newcommand{\ceil}[1]{\lceil #1 \rceil}
\newcommand{\round}[1]{\lfloor #1 \rceil}
\newcommand{\view}{\mathsf{view}}
\newcommand{\trans}{\mathsf{trans}}
% end of macros
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
\title{Lecture 21 --- Homomorphic Encryption 2: Construction of ``mildly homomorphic'' encryption.}
\author{Boaz Barak}
\begin{document}
\maketitle
{ \ifnum\class=1 \fontsize{14pt}{16pt} \selectfont \fi
\begin{description}
\item[Reading:] Gentry's thesis, paper by van Dijk, Gentry, Halevi and Vaikuntanathan.
\item[Notation:] If $x\in\R$, then $\round{x}$ denotes the nearest integer to $x$ (say, breaking ties downward),
$\floor{x}$ denotes the largest integer not exceeding $x$ and $\ceil{x}$ denotes the smallest integer not
smaller than $x$.
\item[Constructing homomorphic encryption] We saw in the last couple of lectures that homomorphic encryption can
be used to do wonderful things, but the same holds for perpetual motion machines, cold fusion, unicorns, etc.
So the question is whether we can actually construct such schemes. From the time the question was raised in
1978 until last year there was no significant candidate for a fully homomorphic encryption scheme; this changed
when Gentry gave the first such construction. The construction relies on somewhat non-standard, but still
rather reasonable, assumptions. Also, as mentioned, it is still not practical, requiring at least $k^8$
operations to achieve $2^k$ security. Hopefully, with time we will see improved constructions that are more
efficient and rely on more standard assumptions. We will now see a close variant of Gentry's scheme. We remark
that all the applications we saw (zero knowledge, multi-party computation, private information retrieval) have
alternative constructions based on much more standard assumptions.
\item[Plan] We'll start by showing a ``mildly'' homomorphic encryption scheme, and then modify it next lecture to
boost it to a fully homomorphic encryption. Since the definition of mildly homomorphic is somewhat unnatural,
I'll first show the encryption scheme, and only later discuss the definition it satisfies. Note that
initially we will construct a \emph{private key} encryption scheme. We will then see that a fully homomorphic
private key encryption scheme easily gives rise to a fully homomorphic public key scheme (exercise!).
\item[Noisy gcd.] Consider the following question: you're given $X_1,\ldots,X_{\poly(n)}$, all $100n$-bit strings,
and told that either: \textbf{(I)} all of them are random and independent in $[N]=[2^{100n}]$ or \textbf{(II)}
for all $i$, $X_i = Q_iP$, where $P$ is chosen once at random in $[2^n]$ and the $Q_i$ are chosen independently
and uniformly in $\{1..\floor{N/P}\}$. How can you distinguish between the two cases?
Now suppose that we change case \textbf{(II)} so that $X_i = Q_iP + E_i$ where $E_i$ is chosen independently at
random in $[2^{\sqrt{n}}]$.
The \emph{noisy gcd conjecture} is that now \textbf{(I)} and \textbf{(II)} are computationally
indistinguishable. I'll call this LDN for ``learning divisor with noise''.\footnote{I phrased LDN as a
decision problem, but in their paper van Dijk et al.\ show this is equivalent to the search problem of actually
finding the divisor.} That is, in the LDN assumption, you are given either a box that gives you random numbers
in $[N]$ or numbers of the form $QP+E$ where $P$ is some secret random number in $[2^n]=[N^{1/100}]$ and $E$ is
random in $[2^{\sqrt{n}}]$.
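The two cases above, as an added Python example (this is not code from the lecture or from the van Dijk et al.\ paper): it draws samples of case (I) and of both versions of case (II), runs the obvious gcd attack on each, and then looks at the residues mod $P$ to show that the structure is still present in the noisy samples but visible only to someone who knows $P$. The parameters are scaled down ($n=32$, 20 samples) so it runs instantly, and forcing $P$ to be a full $n$-bit number is a demo assumption (the notes draw $P$ uniformly from $[2^n]$).

```python
import math
import random


def ldn_samples(n, k, noise_bits, rng):
    """Draw k samples of case (II): X_i = Q_i*P + E_i with one common secret P.

    Demo assumption: P is a full n-bit integer (top bit set) so that N // P is
    meaningful; the notes draw P uniformly from [2^n]. Q_i is uniform in
    {1..floor(N/P)} and E_i is uniform in [2^noise_bits]. noise_bits = 0 gives
    the noise-free problem, noise_bits = sqrt(n) gives LDN.
    """
    N = 1 << (100 * n)
    P = rng.randrange(1 << (n - 1), 1 << n)
    xs = []
    for _ in range(k):
        Q = rng.randrange(1, N // P + 1)
        E = rng.randrange(1 << noise_bits)  # randrange(1) == 0 in the noise-free case
        xs.append(Q * P + E)
    return P, xs


def random_samples(n, k, rng):
    """Draw k samples of case (I): independent uniform elements of [N], N = 2^(100n)."""
    N = 1 << (100 * n)
    return [rng.randrange(N) for _ in range(k)]


def gcd_of_samples(xs):
    """The obvious distinguisher for the noise-free problem: the gcd of all samples.

    For X_i = Q_i*P this is P * gcd(Q_1, ..., Q_k), which equals P except with
    probability about 2^-k; for independent uniform samples it is 1 except with
    about the same probability. With noise added it collapses to a tiny number.
    """
    g = 0
    for x in xs:
        g = math.gcd(g, x)
    return g


def residues_mod_secret(xs, P):
    """What the key holder sees: X_i mod P, which is exactly E_i as long as E_i < P."""
    return [x % P for x in xs]


def demo(n=32, k=20, seed=7):
    """Run the gcd distinguisher against all three sample distributions."""
    rng = random.Random(seed)
    noise_bits = math.isqrt(n)  # noise magnitude 2^{sqrt n}; isqrt rounds down

    uniform = random_samples(n, k, rng)
    P_clean, clean = ldn_samples(n, k, 0, rng)
    P_noisy, noisy = ldn_samples(n, k, noise_bits, rng)

    return {
        "gcd_uniform": gcd_of_samples(uniform),  # case (I): no common divisor
        "gcd_clean": gcd_of_samples(clean),      # noise-free (II): gcd recovers P
        "P_clean": P_clean,
        "gcd_noisy": gcd_of_samples(noisy),      # LDN: gcd learns nothing about P
        "P_noisy": P_noisy,
        # the structure is still there, but only for whoever knows P
        "max_residue_noisy": max(residues_mod_secret(noisy, P_noisy)),
        "noise_bound": 1 << noise_bits,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block prints the three gcds: the uniform samples give 1, the noise-free samples give back the secret $P$, and the noisy samples give a trivial gcd even though every residue $X_i \bmod P$ is below $2^{\sqrt n}$, i.e.\ the divisor is still there, it just is not reachable by the gcd.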
\item[A useful variant.] It turns out that LDN is equivalent to the case that $P$ is odd and $E_i$ is even, in
which case we just write $X_i = Q_iP + 2E_i$. This is left as an exercise. One simple claim that is used is the
following:
\textbf{Shifting interval claim:} If $I$ is an interval, then $U_I$ is within $|a|/|I|$ statistical distance to
$U_{I+a}$ where $U_S$ denotes the uniform distribution on the set $S$, and $I+a$ denotes the interval shifted
by $a$.
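For completeness, here is the one-line proof of the shifting interval claim (added here; it is not in the original notes). Write $I=\{s,\ldots,s+|I|-1\}$ and assume $0\le a<|I|$ (the case $a<0$ is symmetric, and for $|a|\ge|I|$ the bound is trivial). The two uniform distributions agree on the $|I|-a$ points of $I\cap(I+a)$, and each puts mass $1/|I|$ on its $a$ private points, so
\[
\dist(U_I,U_{I+a}) = \tfrac12\sum_x \bigl|U_I(x)-U_{I+a}(x)\bigr| = \tfrac12\Bigl(a\cdot\tfrac{1}{|I|}+a\cdot\tfrac{1}{|I|}\Bigr) = \frac{|a|}{|I|}.
\]
In the security argument for the basic cryptosystem this is applied with $a=1$ and $|I|$ of order $N=2^{100n}$, so the shift by one is statistically invisible.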
Does LDN imply that \textbf{(I)} and \textbf{(II)} are indistinguishable even when both $P$ and $E_i$ are even?
\item[Increasing noise only helps] The following observation will be of use: if LDN is true with noise magnitude
$2^{\sqrt{n}}$, it's true with any magnitude in $[2^{\sqrt{n}},2^n]$. (In fact, in the latter case the two
distributions become \emph{statistically indistinguishable}.)
\item[Basic cryptosystem] We now construct a CPA-secure private key encryption $(\Enc,\Dec)$ based on LDN:
\begin{description}
\item[Key] $P \getsr [2^n]$. We denote $N=2^{100n}$.
\item[Encryption] To encrypt the bit $b\in\bits$, choose $Q \getsr \{1..\floor{N/P}\}$, $E \getsr
[2^{\sqrt{n}}]$, output $X = QP+2E+b$.
\item[Decryption] To decrypt $X$, output $(X \pmod{P}) \pmod{2}$.
\end{description}
\item[Correctness] Since $2E+b < 2^{\sqrt{n}+1} \ll P$ (except with negligible probability over the choice of $P$), $QP+2E+b \pmod{P} = 2E+b$, and taking $\pmod{2}$ we get $b$.
\item[Security] We need to show $\Enc(0) \indist \Enc(1)$, which will follow by showing in both cases they are
indistinguishable from $U_{[N]}$. Indeed, under our assumptions all the ciphertexts $X_1,\ldots,X_{\poly(n)}$
that the adversary obtains in a CPA attack are of the form $X_i = Q_iP + 2E_i$ or $X_i = Q_iP + 2E_i + 1$, but
since $Q_iP + 2E_i \indist U_{[N]}$, then also the same holds for $Q_iP+ 2E_i + 1$ via the shifting interval
claim.
\item[Homomorphic] In what sense is this system homomorphic? We claim that it satisfies the following: given $X,X'$
that are encryptions of $b,b'$ respectively, we can manufacture (without access to the secret key) ciphertexts
$X_{\oplus}$ and $X_{\times}$ such that $X_{\oplus}$ will decrypt to $b \oplus b'$ and $X_{\times}$ will
decrypt to $b\cdot b'$.
This is very simple: just add or multiply the ciphertexts!
Write $X = QP + 2E + b$ and $X' = Q'P + 2E' + b'$ then
\[
X + X' = (Q+Q')P + 2(E+E') + (b+b')
\]
and so, since $2(E+E') + (b+b') < 2^{\sqrt{n}+2} \ll P$, we get $(X+X' \pmod{P}) \pmod{2} = b+b' \pmod{2} = b \oplus b'$.
Now
\[
X\cdot X' = QQ'P^2 + 2E'QP + b'QP + 2EQ'P + 4EE' + 2Eb' + bQ'P + 2bE' + bb'
\]
let's group together all the terms that are multiples of $P$, and then the remaining terms that are definitely
even, to get
\[
X \cdot X' = (QQ'P+2E'Q+b'Q+2EQ'+bQ')P + 2(2EE'+Eb' + bE') + bb'
\]
now we have $2EE'+Eb'+bE' \leq 3\cdot 2^{2\sqrt{n}} \leq 2^{3\sqrt{n}} \ll P$ and so we get $(X\cdot X'
\pmod{P}) \pmod{2} = bb' \pmod{2}$.
\item[Are we there yet?] This encryption scheme guarantees that we can transform ciphertexts corresponding to $b$
and $b'$ into ciphertexts corresponding to $b\oplus b'$ or $bb'$ respectively, and by combining them one can
easily get a ciphertext corresponding to $\overline{b \wedge b'}$, so why isn't this a fully homomorphic
encryption scheme?
The answer is that while, for example, the ciphertext $X_{\times}$ will decrypt to $bb'$, it will not be
statistically close to a standard encryption of $bb'$. In fact, it will not even have the same length! Indeed,
$X_{\times}$ will be a number of size roughly $N^2$.
This also shows that there is a limit to how many times we can continue applying the $\oplus$ and $\times$
operations. The limit comes into play both in the size of the ciphertexts and in the magnitude of the noise; in
both respects the $\times$ operation is much more expensive than $\oplus$, and we can only compose it with
itself a logarithmic (in $n$) number of times:
\begin{itemize}
\item \emph{Size of ciphertext} If $X,X'$ were of $m$ bits size, then $X_{\oplus}$ will have size about
$m+1$, while $X_{\times}$ will have size $2m$.
\item \emph{Magnitude of noise} if $X,X'$ had magnitude of noise at most $E$, then $X_{\oplus}$ will have
magnitude of noise at most $2E$, while $X_{\times}$ will have magnitude of noise at most $3E^2