The next talk is on the sanitization of FHE ciphertexts, by Léo Ducas and Damien Stehlé; Léo will present.

Thank you. So this talk is about the sanitization of ciphertexts: how to wash them, and why washing actually cleans them. So, Alice wants Bob to compute something for her, but she wants to keep her data private, even from Bob. She will send a bunch of ciphertexts, that is, encryptions of several messages, and Bob should apply a circuit C to those ciphertexts. Let's say those ciphertexts are binary: he needs to compute a binary circuit on the plaintexts, but he only has the ciphertexts. And homomorphic encryption allows this: given the public key of a fully homomorphic encryption scheme, you can evaluate this circuit homomorphically. It means that you apply the circuit transparently to the plaintexts, even though you only know the ciphertexts. And when he's done doing this, he sends the ciphertext back to Alice; Alice decrypts, and she must get what would have been the direct application of the circuit C to the messages.

Alright. In a more involved scenario, we might want both Alice and Bob to keep some privacy, because in the previous version we had no guarantee that the circuit that Bob was computing would remain private. So this scenario is slightly different: the protocol is pretty much the same, but the circuit that Bob evaluates is his own, and he really wants to keep it private. So why would we want this?
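As a side illustration, the homomorphic-evaluation interface just described can be sketched with a deliberately toy scheme: a one-time pad, which is homomorphic for XOR gates only. Every name below is a hypothetical stand-in for illustration; a real FHE scheme evaluates arbitrary binary circuits and has noisy ciphertexts.

```python
import secrets

def keygen(n):
    """Sample an n-bit one-time-pad key."""
    return [secrets.randbelow(2) for _ in range(n)]

def encrypt(key, bits):
    """Encrypt a bit vector by XORing with the key."""
    return [m ^ k for m, k in zip(bits, key)]

def decrypt(key, cts):
    """Decrypt by XORing with the key again."""
    return [c ^ k for c, k in zip(cts, key)]

def eval_xor(ct_a, ct_b):
    """'Homomorphic' XOR gate: the XOR of two ciphertexts encrypts
    (under the XOR of the two keys) the XOR of the two plaintexts."""
    return [a ^ b for a, b in zip(ct_a, ct_b)]

k1, k2 = keygen(4), keygen(4)
c1 = encrypt(k1, [1, 0, 1, 1])
c2 = encrypt(k2, [0, 0, 1, 0])
combined_key = [a ^ b for a, b in zip(k1, k2)]
print(decrypt(combined_key, eval_xor(c1, c2)))  # [1, 0, 0, 1]
```

The evaluator never sees the plaintexts, yet the result decrypts to the circuit (here a single XOR layer) applied to them, which is the contract FHE provides for arbitrary circuits.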
Well, we have several scenarios where it could be useful. For example, if Bob is an online company and he has a very good algorithm that he wants to make a profit from by selling, basically, computation, but it's computing on data that are sensitive and that also need to remain private. Two examples are the following: a company that would want to optimize pricing or supply-chain strategies; and Damien also has this very nice example, that maybe he is actually Alice, and Bob is his fiscal-optimization consultant.

So here is the outline of my talk. We're going to describe an efficient way to obtain this circuit privacy out of existing fully homomorphic encryption schemes. I'll go over some definitions, I'll present very quickly the existing approach, which is called flooding, and then we will present our contribution, which is a better approach, which we call soak, spin and repeat. Very quickly I will also show the implications in practice for efficiency, and conclude.

So what precisely is ciphertext sanitization? We want that there exists an algorithm Sanitize such that, when we apply it to a ciphertext, the first property that we get is correctness: it does not modify the underlying plaintext, so the decryption of Sanitize(c) should be the same thing as the decryption of c. And the second property is that two ciphertexts that decrypt to the same value, so two ciphertexts with the same underlying plaintext, become statistically indistinguishable, and we want this even knowing the secret and the public key. That might seem strange when you come from public-key cryptography: here we want a security property to hold even with knowledge of the secret key. But remark that here we define a notion that is statistical. We could have a variant of sanitization where it is only guaranteed to hold computationally, but with the way we know how to achieve this, we can actually have this stronger notion of statistical
indistinguishability. So the delta that you see here just denotes the statistical distance between those two distributions.

In this whole talk I will only speak of a weak model, the honest-but-curious model. So Alice is honest but curious: she does not deviate from the regular protocol, and she constructs the public key and the ciphertexts by the book; she will not modify the protocol. If you want to upgrade this to resistance against malicious adversaries, there are generic techniques to achieve that from honest-but-curious security.

So, do we really need to do this? Do FHE schemes as we know them actually reveal some information about the circuit that was used to evaluate the final ciphertext? Well, this is the case, because those ciphertexts have noise components, and depending on the type of operation that we perform inside the FHE, the noise will get larger. If we do a lot of operations the noise will get larger, and especially with multiplications. For example, if one computation involves a lot of additions and another involves a lot of multiplications, then the noise at the end of the computation that used multiplications will be larger. And not only this: the noise component of the product of two ciphertexts may actually depend on the underlying plaintexts. So the noise at the end of the computation depends not only on the shape of the circuit, but possibly on intermediate values in the circuit. So there is potential for leaking information there, and it would be easy to construct a simple example where some information leaks.

The current approach to tackle this issue is called noise flooding. We start from a ciphertext that comes from a very small space, which we call C_in, the ciphertext space before flooding. And what we're going to do is add some noise to this ciphertext, much more noise than what it already has. So here I'm adding some blue noise to this point here, on the bottom right.
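The delta in the sanitization definition is the statistical (total variation) distance between two ciphertext distributions. Here is a minimal sketch of that quantity, assuming made-up toy distributions over a two-element "ciphertext" space; nothing in it is FHE-specific.

```python
from fractions import Fraction

def statistical_distance(p, q):
    """Total variation distance: Delta(p, q) = 1/2 * sum_x |p(x) - q(x)|,
    for discrete distributions given as {outcome: probability} dicts."""
    support = set(p) | set(q)
    return Fraction(1, 2) * sum(
        abs(p.get(x, Fraction(0)) - q.get(x, Fraction(0))) for x in support
    )

# Two toy output distributions for ciphertexts with the same plaintext:
d1 = {"ct_a": Fraction(1, 2), "ct_b": Fraction(1, 2)}
d2 = {"ct_a": Fraction(1, 4), "ct_b": Fraction(3, 4)}
print(statistical_distance(d1, d2))  # 1/4
```

Sanitization asks that this distance be negligible for any two same-plaintext ciphertexts, even given the secret key.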
And after adding this noise, the ciphertext might be anywhere in this blue area. If I do the same thing, now with yellow noise, to the other point here, I get this yellow region, and the intersection is the green region. The argument to claim that this is secure is to say that, after we add this noise, everything that falls in this green region could equally have come from the first ciphertext, or from the second one, or actually from any ciphertext inside this region.

But if we need to fill in parameters, then we see that it's not exactly efficient. For this argument to work, we need the remaining area, this blue portion that is not covered by the other ciphertext, and this yellow portion, to be negligible relative to the green portion. And to do this, we need the final ciphertext space, C_out, to be much larger than the input ciphertext space, actually exponentially larger if you want to resist any sub-exponential attack. This has a bad influence on the parameters. First, from the security perspective, you require a much more aggressive learning-with-errors assumption: technically, you would need the LWE assumption for sub-exponential approximation factors, which is not the vanilla polynomial-approximation-factor LWE assumption. But it also has an effect on the asymptotic parameters, and even more on the concrete ones: it makes the asymptotic parameters very bad. Typically, for the best FHEs that we know, the ciphertext size at the end is quasi-linear in the security parameter lambda, but if we want this noise-flooding technique inside our FHE, it makes the ciphertext space much larger, and we need cubic-size ciphertexts.

So if we have to picture this, the strategy basically corresponds to the following: you have this dirty clothing, it has a lot of dirt in it, you want to get rid of that dirt, or at least make it negligible, and you would
do so by flooding it in this ocean of noise. And so the question is: can we have an alternative to this where we use much less water? Can we do the laundry just inside a bucket? Do we actually need the whole sea?

So let's try: can we wash our ciphertext in a smaller bucket? What if the output ciphertext space were roughly the same size as the input ciphertext space, say polynomially larger, or just twice as large? If we try to argue that this is secure, how does it work? Well, now this green portion does not take up almost all the space; let's say that it takes only half of the space. So with probability one half, those two ciphertexts, after adding the noise, will look indistinguishable, in the sense that they could have come from either of them. But some ciphertexts will remain distinguishable.

So if we have probability one half of making this work, why can't we just retry? Well, we've moved from the small ciphertext space to the big one, so if we want to retry, we first have to bring our ciphertext back to the small space. We need to send this whole C_out space back to C_in, without affecting the underlying plaintext. So can we send C_out back to C_in? Actually we can, and this is how we've been building FHE for seven years now: it's called the bootstrapping strategy, or the refreshing function. This function is inherently present in all the FHEs that we know how to build today, so we can just rely on it.

More formally, the strategy we call soak and spin is the following. We have two polynomial-time algorithms: the Refresh algorithm, given to us by the FHE we build upon, which sends C_out to C_in; and a re-randomization procedure, consisting just of adding noise, which sends C_in back to C_out. And the only assumption that we need is that this re-randomization function satisfies the soaking assumption. So first, we want this
re-randomization function to not affect the underlying plaintext: the decryption after re-randomization should still be equal to the original decryption. And this time, instead of directly asking that the statistical distance between two ciphertexts after re-randomization be negligible, we just ask that the statistical distance be less than one half, or less than some constant.

From these two functions we define a washing cycle: soak and spin. The soaking is the re-randomization and the spin is the refreshing. So we're adding some water to our dirty laundry, then we remove that water, and that's our cycle. What we can prove from this assumption is that our Wash function preserves plaintexts and makes the statistical distance go below one half. And the amusing thing is that, to make it work, you just have to repeat this Wash function lambda times. By a simple induction, you can easily prove that the Sanitize function still preserves plaintexts, so we're not introducing errors there. More importantly, once we've applied this Sanitize function, the statistical distance between any two ciphertexts that had the same underlying plaintext at the beginning becomes exponentially small. And the proof technique is really nothing fancy: you just have to work a little bit with splitting distributions, and with mixtures of distributions.

So, very quickly: is this approach actually meaningful in practice? Because bootstrapping is already very expensive, and we have to apply it lambda times. Well, the fact that we have to apply it lambda times is only theoretical, because we only assumed this very weak property, that each iteration of re-randomization gives just this one-half bound on the statistical distance. But if you actually look at the parameters given for either the HElib or the FHEW fully homomorphic encryption
schemes, you actually have much more room for re-randomization, and you can decrease the statistical distance by much more than one half per cycle. You can decrease it by 2^-50 for HElib, because they already have a very large bucket; in FHEW you have a much smaller bucket, but you can still go a bit further than one half.

So how many wash cycles do you actually need to clean your ciphertext? With HElib you just need two or three cycles, and with refreshing, or bootstrapping, taking five minutes, that gives you about ten minutes to wash your ciphertext. But in this case you can wash something like a thousand bits of plaintext at the same time, whereas with FHEW it's much faster, but you're only doing this for one bit at a time. Now, here we've done this for the schemes without modification, which is actually a slight lie, because those schemes don't guarantee correctness with overwhelming probability. So in fact you would have to modify them a little bit, but we give those numbers as an estimate of what it would cost in practice to adapt those schemes, and you could probably also try to optimize those schemes for this property. The conclusion of this quick analysis is that sanitizing your ciphertexts is not so impractical: it's no less practical than FHE operations themselves. You just have to do a few extra bootstrappings at the end of your computation, and you're already supposed to do a lot of bootstrapping inside your computation.

So let me wrap up. Our main result is that noise flooding is convenient, it's very easy to apply, but it leads to very inefficient schemes. Instead we can apply an iterative strategy, where we add the noise little by little, and this allows much smaller parameters. So we can keep the quasi-linear ciphertext size for FHE, we don't have to affect our FHE asymptotically, and we can rely on a much less aggressive hardness assumption, if you worry about such things. Let me quickly mention some follow-up work
where circuit privacy is improved even further, where you don't need that many bootstrappings to make it work, but it seems to be restricted so far to certain types of FHE. And also an open question that I think is interesting. One way of getting away from the honest-but-curious model is to apply zero-knowledge proofs on the public keys, but you know that FHE has huge public keys, like several gigabytes. So can we upgrade to the malicious setting using zero-knowledge proofs? In theory yes; in practice that might still be problematic. So the question would be: can you design specialized zero-knowledge proofs for the correctness of public keys of fully homomorphic encryption schemes? And if you don't have the time to read the paper, it can be summarized very quickly: if you need to get a clean ciphertext, you just put it in the water, you wash it, you rinse it, three times. Thank you.

We have some time for comments and questions.

Can you give an intuition why bootstrapping on its own doesn't work for sanitization?

Pardon?

Can you give an intuition why just bootstrapping doesn't work for sanitization?

So, how to say: in terms of functionality, it seems that bootstrapping gives you exactly what you want, but that's not the case, because the new ciphertext might depend on the noise of the previous ciphertext. The functionality of bootstrapping only guarantees something about the plaintext, not about the shape of the ciphertext. It does not remove relations between ciphertexts: the distribution that you get at the end is not independent of what you put inside, unless you use the new techniques in this follow-up paper.

More questions? So, I have one question. You said the efficiency of this sanitization is almost similar to bootstrapping; can you say more about the efficiency of this sanitization?
It would depend on the FHE scheme that you use, but the main cost here is not the re-randomization; re-randomization is not costly. The main cost is really the bootstrapping, so you measure the efficiency of the procedure by how many bootstrappings it requires.

More questions or comments? Thanks to the speaker again.
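To see the whole pipeline at once, the soak, spin and repeat strategy described in the talk can be sketched in a toy model. Everything below is a hypothetical stand-in: the (plaintext, noise) ciphertext representation, the noise bounds for C_in and C_out, and the per-cycle gains are invented for illustration, not taken from the paper's actual parameters.

```python
import math
import random

NOISE_IN, NOISE_OUT = 2, 16  # toy noise bounds for the spaces C_in and C_out

def rerand(ct):
    """Soak: add fresh noise, mapping C_in into the only-slightly-larger
    space C_out, without touching the plaintext (the soaking assumption)."""
    m, e = ct
    return (m, e + random.randint(-(NOISE_OUT - NOISE_IN), NOISE_OUT - NOISE_IN))

def refresh(ct):
    """Spin: stands in for the FHE's bootstrapping, mapping C_out back
    to C_in by resetting the noise to a fresh small level."""
    m, _ = ct
    return (m, random.randint(-NOISE_IN, NOISE_IN))

def wash(ct):
    """One washing cycle: soak, then spin."""
    return refresh(rerand(ct))

def sanitize(ct, cycles):
    """Soak, spin and repeat: each cycle shrinks the statistical distance
    between same-plaintext ciphertexts; under the weak one-half-per-cycle
    bound, lambda cycles give a 2^-lambda distance."""
    for _ in range(cycles):
        ct = wash(ct)
    return ct

def cycles_needed(target_bits, bits_per_cycle):
    """Cycles required to push the distance below 2^-target_bits if each
    cycle gains bits_per_cycle bits (e.g. ~50 for a large HElib-like bucket)."""
    return math.ceil(target_bits / bits_per_cycle)

ct = (1, 2)  # (plaintext bit, noise)
assert sanitize(ct, 128)[0] == 1  # the plaintext is preserved throughout
print(cycles_needed(128, 50))     # 3: a few cycles with a big bucket
print(cycles_needed(128, 1))      # 128: the generic one-half bound
```

The point of the sketch is the shape of the loop: re-randomize into the slightly larger space, bootstrap back down, and repeat until the distance bound is exponentially small, with the total cost measured in bootstrappings.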