 So this is yet another talk about FHE but this time it's on the circuit privacy point of view So quick reminders first. What is FHE and what is it used for? So let's say you want to compute something on the cloud Let's say you want an online diagnostic because you are feeling symptoms and you don't know what they are You send your data, your medical data to a server, it runs some computation and returns the diagnosis The thing is you want your medical data to remain private and even the diagnosis you don't want it out on the internet So you encrypt your data and you want to encrypt it in a way that So that Algorithms can still be run on your data. That's what we call FHE An example of FHE which you might have seen a few times already at this conference is a gentry side Waters 2013 So the G Matrix here is not the way it is made is not really important What matters is how you encrypt and how you do operations so To encrypt you have a random part, which is the matrix A you multiply it by the secret S and you add a noise port so to Just quickly to do operations to do a sum you do just the sum of encryptions and the product is a bit more Intriguing in that to do a product you need to multiply by g minus one, which is not a matrix It's an algorithm Which is such that g times g minus one of something like g times g minus one of v is equal to v and G minus one has to be small So you're just some color coding orange means uniform and blue means small for the rest of the talk So that's gsw encryption. It was published in 2013 reworked a few times afterwards and The problem is that now you get FHE, but the error term this error terms is Modified during the operations. So by analyzing the outputs the user can guess or maybe at least get some information about the algorithm that was run on the on his data and Maybe the server is running some proprietary Algorithm and does not want it leaked. So the focus of this work is to See how we can hide the everything that's all the operations that were done on the data so Toy example to see how information is leaked. Let's say you have three Encryptions of zero. It's not very interesting But what you have three encryption of zero and the servers wants to sum two of them the plain text associated Would be zero because it's just the sum of zero plus zero But if he says let's say c1 and c2 the error term which the user will be able to recover Will be e1 plus e2 so he can know exactly which Cypher text the server has Summed and then he gains the information about the algorithm. He knows exactly what the user did So that's what we want to avoid We want that the evaluation of a function and on the bunch of suffer cypher text should reveal nothing But the odd part of the function on the associated plain text so this has been addressed not Not that many times but a few times already so in the seminar work of Gentry Let's say you have a ciphertext which is which is the result of an evaluation and the first solution proposed by Gentry was to add some noise Since the information is leaked in the noise if we add the amount of noise that is super polynomial in what already exists All the noise all the information will be destroyed So the advantage is that you destroy all the information That was leaked the disadvantage is that you need to add super polynomial amount of noise and since the noise needs to be smaller than Parameter q which is the modules the parameter q needs to be super exponential and Another problem is that you cannot do more operations on your ciphertext since you have already added a very high amount of noise More recent approach was by Duke and Staley in a Eurocrypt 2016 And it consisted in first adding some noise But this time it's only at the same size of the noise already in the ciphertext and Then doing a bootstrapping. So here it's a bit of a pedantic way to write it But you evaluate the decryption site the decryption circuit on an encryption of the secret key Which means that you get a new ciphertext of the same plain text, but with a known bounded amount of noise so This is not enough to hide the computations But we can repeat and each time we repeat this process We add some entropy to the noise and if we repeat it a number of time linear in the security parameter Then all the noise will be randomized So this works with polynomial modules since we don't have to add a to make too much noise We can do more operations. So this is multi-op And the problem is that it requires bootstrapping. So this requires a circular security Assumption since we have an encryption of secret key under itself this is an assumption that is not very well known and It requires a linear number of time to be strapped a linear number number of time But strapping can be quite expensive. So this adds a lot of computation Then there is our approach approach. So still same ciphertext We add a noise that is practically the same size at the previous noise and we do nothing else the trick here is that our noise is Not blue is green Which means that it's not just small. It's a small Gaussian. It has to come from a Gaussian distribution with appropriate parameters and What we did in our paper is to analyze in depth the growth of the noise to show that It's in fact just adding a small noise is enough to hide everything So as before we had a small noise. So we have a polynomial modulus We don't need any circular security here because we don't do bootstrapping and we can do multi-op The problem is that since this is for This applies to branching programs It only works for NC1 which in itself is not really an issue because there is no FHC for All circuits without bootstrapping So as long as we don't use bootstrapping. It's normal that we are only for NC1 circuits another issue that it only works for the Encryptions that I have shown previously. There are other FHC encryption schemes, but this one is a Taylor made for JSW encryption and It leaks the size of the function or at least a bound on the size of a function So now how do we do this exactly? So we will have to go a bit more in depth in the branching programs. So a branching programs is a succession of states state v0, v1, v2 And To progress from one state to the other there is we apply permutation According to choice variable Which is to say here if the variable x1 is equal to 1 we will go from this state to this one if x2 is equal to 0 we will go from this state to this one and at the end of the Branching program evaluation if the state we reach is the first one the right top rightmost one The branching program returns one otherwise it returns zero So how do we write this down? This is a multiplexer multiplexer So let's say that vt of i will be this state It will be equal to this one if x2 is equal to 1 and it will be equal to this one if x2 is equal to 0 We follow the Incoming arrows, which is to say that vt minus 1 is a multiplexer of the variable choice The choice variable and the two previous locations So this can be rewritten as an polynomial equation like xt times vt minus 1 plus 1 minus 60 times vt minus 1 and Now this is for branching programs on plaintext and we want to do the same thing on ciphertext And it's the exact same thing so instead of having plaintext States we have encryptions so we used to have like one zero zero here We will have an encryption of one year an encryption of zero and encryption of zero and We will have encrypted choice beats and to do the this operation we do the exact same thing on ciphertext So vt of i will be ct, which is the encrypted choice beats to multiply. We need to apply g minus one Times vt minus one of j plus g which is an encryption of one It's just a noise less encryption of one minus ct times g minus one Apply to vt minus one of k. So exact same thing as before but on ciphertext And this is what we want to analyze to show that it does not really leak any information So what do we do? We will rewrite the choice ciphertext to be equal to a matrix plus The choice bit times g Just how the ciphertext is formed and here you just have to trust me, but if we reorder the terms we get this So what does this correspond to exactly? This you can see is a previous step of computation. This is vt minus one. So the previous state Taken at the right place According to the choice bit So this will be the previous ciphertext and this will be an additional noise that comes from the operation we have made So if we should show that the additional noise does not leak any information about the operation that was made at this step We can just do an induction on each step and show that no Nothing no information is leaked at all during the branching program So that's what we will be intent on doing And to do this we I will show the core lemma of our paper, which is gsw re-randomization So let's say we have an encryption of zero So just a ciphertext of zero With an error vector e then we show that for any matrix v just any matrix if we do c times g minus one of v plus zero times z It is statisticallyinguishable from c prime. I will explain what everything is So first observe that g minus one is no longer blue. It's green, which means that g minus one now has to be a Gaussian so Previously all we wanted was that g times g minus one Of v it was equal to v now we want g minus one of v to be a Gaussian condition on this It's not hard to do it has been Done by a gen 3 breaker turn by kutuna turn and it's just sampling a Gaussian on a lattice And the second thing we do is we add a small Gaussian noise in the form of z And just by doing this We can show that re-randomizing a ciphertext like this gives a fresh encryption of zero So it gives a new ciphertext of zero, which has a Gaussian parameter norm of e So it leaks The norm of the previous error But it is completely independent of the on v. It does not matter at all what v is in this context So how do we modify our branching program evaluation? This is our branching program evaluation First we take the Gaussian g minus one. We replace the g minus one by the Gaussian one And then we add noise. So here we added two times because we have two times something times g minus one So if we reorder we have bt Which here is a ciphertext of an encryption of zero Since as we have seen before ct is called bt plus xg So this is an encryption of zero times g minus one of something Plus a small error and second time the same thing Which means that both of these can be replaced by ciphertext That's encrypt zero and are completely independent of vt minus one and Of j and vt minus one of k So everything that is leaked Is only the only leakage is dependent on the choice bit ct So we already hide all the prime mutations in the branching program And what we show is that it does not really matter that we leak some information about ct because we only leak We only some New ciphertext with which depends on ct. So let's see how the noise evolves So we have our first encrypted state which has noise zero We start with the noise less encryption Then we do one round of operations So the noise on the new Encrypted states will be the noise on the previous one plus something that depends on c1 So a Gaussian that depends on the error in c1 So it only depends on this Gaussian Then we add we do the second step. It will be the previous noise plus a Gaussian that depends on c2 So it will be the sum of two gaussians one that depends on c1 one that depends on c2 And then we just repeat this until the last step So at the last step We will get something that the noise in the final Cipher the final state will only be the sum of Of gaussians that depend on the all the choices bit So what we can simply do is Pad the branching program Just add use less steps a few like polynomial amount of them so that the Each choice bit would be the same use the same number of time This way we do not leak all all we leaked was the number of time each choice bit was used Now they are all used the same number of time. So all we leak is the size of the branching program And like this we have achieved Secret privacy since we do not no longer leak either the permutations nor the choice bits used at each step And that's it