Efficient Key-Rotatable and Security-Updatable Homomorphic Encryption

∗ Yoshinori Aono Takuya Hayashi Le Trieu Phong NICT, Japan NICT, Japan NICT, Japan [email protected] [email protected] [email protected] Lihua Wang NICT, Japan [email protected]

ABSTRACT during which they are used. As suggested in [19], cryptoperi- In this paper we presents the notion of key-rotatable and ods are in the order of 1-2 years depending on the considered security-updatable homomorphic encryption (KR-SU-HE) primitives. Therefore, after a few years, the old key should scheme, which is a class of public-key homomorphic encryp- be changed by a new one. tion in which the keys and the security of any ciphertext In this paper, we focus on the problem of key rotation can be rotated and updated while still keeping the under- and its close variant called security update over public key lying plaintext intact and unrevealed. We formalise syntax homomorphic encryption, as it is particularly relevant to and security notions for KR-SU-HE schemes and then build secure cloud computing. a concrete scheme based on the Learning With Errors as- sumption. We then perform testing implementation to show 1.2 Problem formalisation and naïve solution that our proposed scheme is efficiently practical. We first formalise the problem of key rotation and security update, and then present a na¨ıve solution. Keywords Problem formalisation. Let us consider a public key ho- Homomorphic encryption, Learning With Errors, key rota- momorphic encryption scheme. Suppose encryption under tion, security update. (pk1, sk1) has n1-bit security, while that under (pk2, sk2) has n2-bit security. The question is how to turn an n1-bit secu- rity ciphertext into a ciphertext having n2-bit security while 1. INTRODUCTION keeping the underlying plaintext the same. Moreover, ho- momorphic operations such as additions and multiplications 1.1 Background can be still performed after the transformation. Key rotation is an important practice for cryptosystems. Two possibly interesting cases of the above problem are Succinctly, it is the change of an old key by a new one, while as follows: keeping the plaintexts intact.

Key rotation is specified in several security standards. • Key rotation: when n1 = n2, the above is the known Indeed, on the industrial side, it is required by Payment problem in practice as the process of re-keying en- Card Industry Data Security Standard [22], and is consid- crypted data from an old key to a new one. ered as an obligation by Open Web Application Security Project [21], concretely specifying that • Security update: when n1 < n2, the problem can be described succinctly as turning security-weakened “key rotation is a must as all good keys do come to an end ciphertexts and the related secret key into ones with either through expiration or revocation. So a developer will higher security assurance. have to deal with rotating keys at some point – better to have a system in place now rather than scrambling later.” The na¨ıve solution: decrypt-then-encrypt. It is possi- On the federal side, it is recommended by NIST [19] via ble to solve the problem by the decrypt-then-encrypt method. the concept of cryptoperiods of keys, namely the time spans Specifically, use the secret key sk1 related to pk1 to decrypt ∗Corresponding author. the old ciphertext, and then encrypt the obtained plaintext under pk2. This approach has potential shortcomings: (1) Permission to make digital or hard copies of all or part of this work for personal or the plaintext is recovered, and (2) the secret sk1 must be classroom use is granted without fee provided that copies are not made or distributed used for decryption. Concretely, if the task of key rotation for profit or commercial advantage and that copies bear this notice and the full cita- is done by an outsourced server in cloud computing, then tion on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or re- either by (1) or (2), the server learns the data or the secret publish, to post on servers or to redistribute to lists, requires prior specific permission key. and/or a fee. Request permissions from [email protected]. SCC’17, April 2, 2017, Abu Dhabi, United Arab Emirates. Our goal. In this paper, we are interested in developing c 2017 ACM. ISBN 978-1-4503-4970-3/17/04. . . $15.00. an efficient solution without the above shortcomings of the

DOI: http://dx.doi.org/10.1145/3055259.3055260 na¨ıve solution.

35 Table 1: Usages of the dimension switching technique. Dimension switching Exploited in Main purpose

(high → low) n2 < n1 [9, 11] efficiency in FHE (equal) n2 = n1 [1, 12, 20] PRE, obfuscation (equal, low → high) n2 ≥ n1 this paper key rotation, security update

2. OUR CONTRIBUTIONS Testing implementation. Taking a concrete parameter We propose a primitive called key-rotatable and security- set, we implement our proposed scheme to show that it is updatable homomorphic encryption (KR-SU-HE) and for- efficient. Details are given in Section 4.3, including the tim- malise its security notions. We then construct a concrete ings for all algorithms in our proposed scheme. scheme based on the Learning With Errors (LWE) assump- tion. We finally show that our scheme is practical by imple- 3. PRELIMINARIES mentation. Details are given below. Let Z(0,s) be the discrete Gaussian distribution over the Conceptual proposal. We develop a solution to the above integers Z, with mean 0 and deviation s > 0. The mark ←g is for “sampling at random from a discrete Gaussian” problem where, given public/secret key pair (pk1, sk1) of n1- g set, so that x ← (0,s) means x appears with probability bit security and (pk2, sk2) of n2-bit security, Z proportional to exp(−πx2/s2). Below, ←$ means “sampling • An outsourced server is given an update key uk , n1→n2 uniformly at random”. Also, Zq ⊂ (−q/2, q/2] is the set of which is computed from sk1 and sk2, and yet ukn1→n2 integers centered modulus q. is computationally random from the server’s view. 3.1 Learning with Errors (LWE) • The server uses uk to update ciphertexts corre- n1→n2 Related to the decision LWE assumption LWE(n, s, q), sponding to (pk , sk ) into ciphertexts corresponding 1 1 where n, s, q depend on the security parameter, consider ma- to (pk , sk ), while underlying plaintexts are kept the 2 2 trix A ←$ m×n, vectors r ←$ m×1, x ←g n×1 , e ←g m×1. same. Zq Zq Z(0,s) Z(0,s) Then vector Ax + e is computed over Zq. Define the fol- • Only sk2 is needed in decryption of updated cipher- lowing advantage of a poly-time probabilistic algorithm D: texts. LWE(n,s,q) AdvD (λ) We call a homomorphic encryption scheme having above = Pr[D(A, Ax + e) → 1] − Pr[D(A, r) → 1] . transformation key-rotatable and security-updatable homo- morphic encryption. This type of homomorphic encryption The LWE assumption asserts that AdvLWE(n,s,q)(λ) is neg- needs new security definitions, because we want to ensure D ligible as a function of λ. Also note that, originally, x is that transformed ciphertexts not only can be decrypted by n×1 chosen randomly from q in [23]. However, as showed sk2, but also have n2-bit security. We therefore formalise Z g n×1 the notion of d-CPA security, where d is an integer spec- in [4, 18], one can take x ← Z(0,s) without weakening the ifying the number of updates so far. For example, if one assumption as we do here. goes from 80- to 128- then to 256-bit security, then d = 2 LWE dimension and security level. The length of se- (updates of security). Also, for key rotation purpose, if one cret vector x, namely n, is denoted as the LWE dimension. periodically switches 10 times among keys of identical bit For the same deviation s and modulus q, the hardness of security, then d = 10. LWE assumption increases with its dimension n as showed A concrete scheme. We then build a concrete and efficient in [10], which is the important fact we will exploit in design- KR-SU-HE scheme based on the LWE assumption. The tool ing our KR-SU-HE schemes. Therefore, “LWE dimension” for our construction is described below. and “security level” are sometimes used interchangeably in On a bird’s-eye view, increasing security is possible via an this manuscript. enlargement of dimension in the LWE assumption, where higher dimension ensures more security. The switch is ex- 3.2 Homomorphic encryption, key rotation, se- actly the dimension-switching technique original used in fully curity update homomorphic encryption (FHE) [11]. Historically, the paper [11] only considered dimension-reduction, namely n2 < n1 in Definition 1 (PHE). Public key homomorphic encryp- our notation, for efficiency issues in FHE. Then subsequent tion (PHE) schemes consist of the following (possibly prob- paper [9], while notified that the technique works for ar- abilistic) poly-time algorithms. bitrary dimensions n1 and n2, only made use of the case • ParamGen(1λ) → pp: λ is the security parameter and n2 < n1 as in [11]. The case n1 = n2 is considered in [1, 20] for proxy re-encryption and in [12] for obfuscation. To our the public parameter pp is implicitly fed in following algorithms. best knowledge, we are the first to exploit the case n1 < n2 for security enhancement. • KeyGen(1λ) → (pk, sk): pk is the public key, while sk Dimension switching however provides us only with cor- is the secret key. rectness in dimension n2, not yet security in that dimension. We solve that issue by a re-randomisation in the update pro- • Enc(pk, m) → c: probabilistic encryption algorithm pro- cess. Details are given in Section 4. duces c, the ciphertext of message m.

36 ∗ ∗ • Dec(sk, c) → m: decryption algorithm returns message • a series of update keys ukn0→n1 ,... , uknd−1→nd m encrypted in c. of predetermined sizes.

• Add(c, c0), AddM(c, c0): In Add, for ciphertexts c and A then submits them to the challenger, who in turn 0 ∗ c , the output is the encryption of plaintext addition takes b ∈ {0, 1} randomly, computes C0 as the en- ∗ cadd. Similarly, AddM adds two ciphertexts each was cryption of mb under pk0, namely C0 = Enc(pk0, mb). obtained by one multiplication (using Mul below). Then applying the update algorithm as follows:

0 0 ∗ ∗ ∗ • Mul(pp, c, c ): for ciphertexts c and c , the output is the C1 = Update(C0 , ukn0→n1 , pk1), encryption of plaintext multiplication cmul. . . • DecA(sk, cadd): decrypting cadd to obtain an addition ∗ ∗ ∗ C = Update(C , uk , pkd). of plaintexts. d d−1 nd−1→nd ∗ The final ciphertext Cd is returned to A. • DecM(sk, cmul): decrypting cmul to obtain a multipli- cation of plaintexts. 4. Additional update key queries: the same as step 2. Definition 2 (KR-SU-HE). A scheme as in Defini- 0 tion 1 is called a key-rotatable and security-updatable ho- 5. Finally, A returns a bit b as a guess of the hidden bit momorphic encryption scheme if it has additional algorithms b. as follows. A KR-SU-HE scheme is d-CPA-secure if the advantage • UKGen(pp, pk , sk , pk , sk ): generating an update key 1 1 2 2 d−cpa 0 1 Adv (λ) = Pr[b = b] − uk1→2 from the public/secret key pairs (pk1, sk1) (old) A 2 and (pk2, sk2) (new). is negligible as a function of λ. • Update(pp, c, uk1→2, pk2): outputting a new ciphertext Some comments on Definition 3 are in order. First, 0-CPA cnew from an old c. is exactly the standard CPA security under pk0, since there with the following requirements: is no key rotation or update. The fact that A gets secret keys sk0, . . . , skd−1 captures the extreme case in which keys a) Correctness of updated ciphertexts: succinctly, in security levels n0, . . . , nd−1 are insecure. This is generous to A since in practice we expect new keys are generated Dec(sk2, cnew) = Dec(sk1, c) and ciphertexts are updated before old keys are considered with overwhelming probability, namely the correctness is not insecure. Second, the fact A gets update keys in steps 2, affected by key rotation and security update. 4 and can challenge with malformed update keys at step 3 envisages that the keys are publicly transmitted to and b) Homomorphisms: are preserved as long as the cipher- permanently put in outsourced servers and hence may be texts in operations are under the same public key (either pk 1 modified. This differs from security notions for both public or pk ), regardless of whether they are (1) directly formed 2 key encryption (PKE) and proxy re-encryption (PRE) in by Enc, or (2) indirectly formed by Update. which the adversary only chooses two messages. Following security notion defines d-CPA security, namely Certainly we need also care about the CPA security of the CPA security of ciphertexts obtained via 1 time of orig- ciphertexts directly encrypted under the new public key, inal encryption and subsequent d key rotations or security which is captured by following notion. updates. Definition 4 (CPA security). With respect to a KR- SU-HE scheme as in Definition 2, consider the following Definition 3 (d-CPA security). With reference to a KR-SU-HE scheme as in Definition 2, consider the following game between an adversary A and a challenger: game between an adversary A and a challenger: 1. Setup: the same as in Definition 3.

1. Setup: the challenger creates following keys (pk0, sk0), 2. Update key queries: the same as in Definition 3. (pk1, sk1), ... , (pkd−1, skd−1) of security levels n0, ... , nd−1 respectively, and (pkd, skd) of level nd. Then 3. Challenge: A chooses two plaintexts m0, m1 of the (ski, pki)(∀ 0 ≤ i ≤ d − 1) and pkd are given to A. same length, then submits them to the challenger, who ∗ The key skd is kept secret to A. in turn takes b ∈ {0, 1} randomly and computes C = ∗ Enc(pkd, mb). The challenge ciphertext C is returned 2. Update key queries: A can ask for many update to A. 1 keys from any (pki, ski) for 0 ≤ i ≤ d−1 to (pkd, skd) . To each query, the challenger returns a freshly gener- 4. Additional update key queries: the same as in

ated update key ukni→nd . Definition 3. 3. Challenge: A chooses A KR-SU-HE scheme is CPA-secure if

• two plaintexts m , m of the same length, and cpa 0 1 0 1 Adv (λ) = Pr[b = b] − A 2 1A itself can generate update keys between lower dimensions ukni→nj for 0 ≤ i, j ≤ d − 1 since it has ski and skj . is negligible in λ.

37 1 n n random, A0 = p A Zq ⇥ is also random. Therefore, TABLE 1. USAGES OF THE DIMENSION SWITCHING TECHNIQUE. 1 n l 2 P 0 = p P ⇥ is random under the LWE assumption Zq Dimension switching Exploited in Main purpose 2 P which in turn means is random as claimed. (high low) n2

T 0 (n+l)×(n+l) Bits(v)Power2(W ) = vW ∈ 1×l. cmul = c c ∈ Zq Zq T (n+l)×1 1×(n+l) Intuitively, Bits(·) is used in Update to limit the noise in- where c ∈ Zq is the transpose of c ∈ Zq . crease, while Power2(·) is put in UKGen to ensure correctness 0 0 (n+l)×(n+l) of updated ciphertexts using above equation. The functions • AddM(cmul, cmul): Return cmul +cmul ∈ Zq Bits(·) and Power2(·) are originated in [9, 11] as part of the • DecA(sk, cadd): identical to Dec dimension switching technique.

38 4.1 Correctness and homomorphic properties • (old + old) or (new + new): this should be easily seen, as We informally check the correctness and homomorphisms vector addition of two ciphertexts in the same form e1[A|P ]+ 0 0 0 0 of our KR-SU-HE scheme, and then formally establish a p[e2|e3]+[0n|m] and e1[A|P ]+p[e2|e3]+[0n|m ] under identi- theorem for choosing parameters. cal public key [A|P ] (either old or new) gives us a ciphertext whose decryption will yield (m + m0) mod p. Correctness of directly-formed ciphertexts. We check that directly-formed ciphertexts can be decrypted correctly. • Update(old) + new: let c and c be the updated-from- Indeed, in the decryption Dec algorithm, ud nw old and under-new public-key ciphertexts correspondingly. c1S + c2 = (e1A + pe2)S + e1P + pe3 + m The decryption under the new secret key S2 is

= e1(AS + P ) + pe2S + pe3 + m 1×l Dec(S2, cud + cnw) = Dec(S2, cud) + Dec(S2, cnw) (mod p) = p(e1R + e2S + e3) + m ∈ Zq (1) will yield correct m in decryption if the noise p(e1R + e2S + as the noise increases linearly when doing cud + cnw. The e3) is small enough. decryption Dec(S2, cud) works as in (2) and Dec(S2, cnw) as 0 in (1), yielding corresponding messages mud and mnw as Correctness of updated ciphertexts. We have c = expected. 1×(n2+l) E0 + F ∈ Zq . As E0 is an encryption under pk2 of Like the above, one can do the multiplication of (old × length l vector (0,..., 0), its decryption under sk2 gives the old), (new × new), and (Update(old) × new) where × is the zero vector. The decryption of F under sk2 = S2 is outer product of vectors, justifying that formulas (3) and (4) hold even after key rotation or security update. m = Bits(c1)XS2 + Bits(c1)Y + c2 = Bits(c )(pE + Power2(S )) + c 1 1 2 We end this subsection by the following theorem on how 1×l = pBits(c1)E + c1S1 + c2 ∈ Zq (2) to set parameters for our scheme. which is equal to the decryption of c = (c1, c2) under sk1 = S1 as long as the added noise Bits(c1)E is small, which Theorem 1 (Parameters for correctness). Let pa- holds with high probability as matrix E containing small, rameters p, q, s be as in our KR-SU-HE scheme, and n1, ... , Gaussian-distributed elements. nh (h ≥ 1) are the dimensions in key rotation or security Homomorphic property. Directly, our KR-SU-HE scheme updates, and Nadd the number of additions over multiplied can evaluate the following formulas on ciphertexts ciphertexts as in (4) where all ciphertexts are with the same ni, then the correctness of (4) holds with overwhelming prob- Nadd X 1×(n+l) ability if CTi ∈ Zq (3) i=1 h h  X X  Nadd q = N · O p2s4 n + p2s2(log q) n X T 0 (n+l)×(n+l) add i 2 i CTi · CTi ∈ Zq (4) i=1 i=2 i=1 in which (3) is a special case of (4) and yet the noise added in which the hidden constant in the O(·) is small. is smaller. The decryption of (3) and (4) uses the algorithms DecA and DecM respectively, yielding To prove Theorem 1, we will use following lemmas, whose Nadd Nadd proofs can be derived from [5,6]. Below h·, ·i stands for inner X 1×l X T 0 l×l n mi ∈ and m · m ∈ Zp i i Zp product. Writing ||Z(0,s)|| is a short hand for taking a vector i=1 i=1 from the discrete Gaussian distribution of deviation s and 0 0 computing its Euclidean norm. where mi and mi are the plaintext vectors in CTi and CTi .

More multiplications. To get several ciphertext multi- 2 Lemma 1. Let c ≥ 1 and C = c · exp( 1−c ). Then for plications instead of one as above, one can take l = 1 in 2 our scheme and uses known techniques of noise reduction as any real s > 0 and any integer n ≥ 1, we have in [8, 9, 14].  √  n c · s n n Pr ||Z(0,s)|| ≥ √ ≤ C . Homomorphisms held even after key rotation or se- 2π curity update. Succinctly, formulas (3) and (4) hold even 0 if CTi, CTi (1 ≤ i ≤ Nadd) are altogether encrypted under the same public key, regardless of whether they are directly Lemma 2. For any real s > 0 and T > 0, and any x ∈ n formed by the Enc algorithm or are indirectly transformed R , we have by Update (Figure 1) from old ciphertexts. Intuitively, this  n  2 is because (i) the zero encryption E0 part in updated cipher- Pr ||hx, Z(0,s)i|| ≥ T s||x|| < 2 exp(−πT ). texts does not interfere with homomorphisms, and (ii) the F part can be correctly decrypted as in (2). Proof (of Theorem 1). For now suppose h = 2, we More precisely, consider following cases, where“old”stands check the decryption by secret key S2 in dimension n2 of for a ciphertext under pk1 and “new” for a ciphertext under updated ciphertexts. Using the notations as in Figure 1, 1×n2 pk2, and Update(old) for an updated ciphertext from pk1 to let E0 = [E1|E2] and F = [F1|F2] for E1,F1 ∈ Zq , and 1×l 0 pk2: E2,F2 ∈ Zq , so c = E0 + F = [E1 + F1|E2 + F2], and the

39 0 decryption of c by S2 becomes probability of

2 Ph n −40 (E1 + F1)S2 + E2 + F2 1 − C i=1 i (≥ 1 − 2 for all choices of parameters) = f A + pf + Bits(c )X
S + f P + pf 1 2 2 1 2 1 2 3 we have + Bits(c1)Y + c2 q v Ph h c · s 2 ni u = f1A2S2 + pf2S2 + Bits(c1)XS2 + f1(pR2 − A2S2) i=1 u X ||x|| ≤ √ + tκ ni + h. + pf3 + Bits(c1)Y + c2 2π i=2 = pf2S2 + Bits(c1)XS2 + pf1R2 + pf3 We now use Lemma 2 with vectors x and e. Let ρ be the er-
2 + Bits(c1) − XS2 + pE + Power2(S1) + c2 ror per message symbol in decryption, we set 2 exp(−πT ) = p √ = pf2S2 + pf1R2 + pf3 ρ, so T = ln(2/ρ)/ π. The bound on the noise becomes pT s||x||, which is not greater than + pBits(c1)E + Bits(c1)Power2(S1) + c2 1×l  q h v  = p(f2S2 + f1R2 + f3 + Bits(c1)E) +c1S1 + c2 ∈ Zq . p c · s 2 P n u h ps ln(2/ρ) i=1 i u X | {z } √  √ + tκ ni + h noise incurred after one Update π 2π i=2

In the worst case, Bits(c1) contains all 1’s, so that the def noise added after one update is = B(ρ, h, s, n1, . . . , nh, p, q). (5)

p(f1R2 + f2S2 + f3 + 11×n1κ · E). No update (h = 1): (5) becomes √ Generally, the noise added after h updates corresponding p   2p ps ln(2/ρ) c · s 2n1 pcs ln(2/ρ) · n1 to key dimension ni (2 ≤ i ≤ h) is a sum of form √ √ = . π 2π π h X  (i) (i) (i) (i) (i) (i) which is the upper-bound of noise in each original ciphertext. p f1 R2 + f2 S2 + f3 + 11×niκ · E . i=2 If original ciphertexts are multiplied and added as in (4), the corresponding noise bound is set below q/2 for correctness 1×l Each component in Zq of the total noise in Zq , namely N n p2c2s4 ln(2/ρ) q including the noise in the original ciphertext, can be written add 1 ≤ . (6) as the inner product of two vectors of form π2 2

(2) (2) (2) (h) (h) (h) e = (f1 , f2 , f3 , . . . , f1 , f2 , f3 , With update (h ≥ 2): Now we consider (5) with h ≥ 2. (2) (h) As in (6) we set e , . . . , e , e1, e2, e3) (2) (2) (h) (h) 2 q x = (r2 , s2 , 0101×l, . . . , r2 , s2 , 0101×l, Nadd · B(ρ, h, s, n1, . . . , nh, p, q) ≤ (7) 0 2 11×niκ , r, r , 0101×l) | {z } becomes the condition for correctness stated in the state- 2≤i≤h ment of the theorem, ending the proof. where, for all 2 ≤ i ≤ h, 4.2 Security analyses (i) (i) g 1×ni (i) g 1×l We first provide the intuition and then continue with for- • Vectors f1 , f2 ← Z(0,s) , and f3 ← Z(0,s). mal proofs. • Vectors e(i) ←g 1×niκ represents one column in matrix Z(0,s) Security intuition on updated ciphertexts. Suppose (i) E . keys and ciphertexts in dimension n1 is considered insecure, so that the ciphertexts must be transformed into secure di- • Vectors e ←g 1×n1 , e ←g 1×n1 , and e ←g 1×l are 1 Z(0,s) 2 Z(0,s) 3 Z(0,s) mension n2 > n1. In other words, consider the worst case in the noises in the original ciphertext. which an adversary A owns the secret sk1 in dimension n1, referring to Figure 1, we need to show that the transformed (i) (i) g 1×ni • Vectors r2 , s2 ← Z(0,s) , and 0101×l stands for a vec- ciphertext,

tor of length l with all 0’s except one 1; 11×niκ for a g 0 1×(n2+l) 0 1×n1 c = E0 + F ∈ Zq vector of length niκ with all 1’s. Vectors r, r ← Z(0,s) represent corresponding columns in matrices R,S. remains secure. That holds true since the encryption using pk of zero Here we use the same deviation s for all dimensions to 2 1×(n2+l) ease the computation. We have E0 = f1[A2|P2] + p[f2|f3] ∈ Zq Ph Ph 1×( (2ni+l)+ niκ) e ∈ i=1 i=2 is pseudo-random under the LWE assumption in dimen- Z(0,s) sion n regardless of F . Certainly, we need to mention v 2 u h that A additionally has access to public matrices A2 and (2) (2) (h) (h) 0 u X P = pR −A S and even the update key uk contain- ||x|| ≤ ||(r2 , s2 , . . . , r2 , s2 , r, r )|| + tκ ni + h 2 2 2 2 n1→n2 i=2 ing matrices (X, −XS2 + pE). These pieces of information can be arranged in matrix form as Ph 1×(2 ni) where (r(2), s(2), . . . , r(h), s(h), r, r0) ∈ i=1 . Ap-       2 2 2 2 Z(0,s) A2 R2 A2 Ph , p − S2 plying Lemma 1 for vector of length 2 i=1 ni, with high X E X

40 ∗ which is also pseudo-random under LWE assumption in di- Since Rd is random, so is Cd . Therefore, in this game, mension n2. all information A gets from its queries is random and hence Formally, the security of our proposed scheme is ensured useless in guessing the hidden bit b. Thus in this game 0 1 by the following theorems. Pr[b = b] = 2 . The term l + 1 in the reduction comes from applying Theorem 2 (d-CPA security). Our scheme is d-CPA LWE(nd, sd, q) over the l columns of Sd in Game1, and secure under the decision LWE assumption in dimension nd another one time in Game2, ending the proof. for all d ≥ 1. In particular, for any poly-time adversary A against the proposed scheme, there is a poly-time D against Theorem 3 (CPA security). Our scheme is CPA se- LWE satisfying cure under the decision LWE assumption. In particular, for any poly-time adversary A against the proposed scheme, d−cpa LWE(nd,sd,q) AdvA (λ) ≤ (l + 1) · AdvD (λ). there is a poly-time D against LWE satisfying

Proof. We proceed in games as follows. Let Game cpa LWE(n ,s ,q) 0 Adv (λ) ≤ (l + 1) · Adv d d (λ). be the d-CPA game in Definition 3. The public key at di- A D mension nd is (Ad,Pd = pRd − AdSd) and the update key Proof. The proof is almost identical to that of Theorem from dimension ni (i < d) to dimension nd is ukni→nd = 2. The difference is in Game2 where the challenge cipher-
$ niκ×nd text Xi, −XiSd + pEi + Power2(Si) , where Xi ← Zq and g niκ×l ∗ ∗ ∗ ∗ Gaussian noises Ei ← q are freshly chosen by the chal- Z C = Enc(pkd, mb) = e1[Ad|Pd] + p[e2|e3] + [01×nd |mb] lenger for each update key. is replaced by a random tuple, which is indistinguishable to Game1: this game is identical to Game0 except that public the adversary thanks to the LWE(nd, sd, q) assumption with Pd is taken randomly, and above update keys are computed ∗
secret e1. and returned by the challenger as ukni→nd = Xi,Yi , for $ niκ×nd $ niκ×l random matrices Xi ← Zq and Yi ← Zq . 4.3 Testing implementation The difference between Game0 and Game1 are in turning For parameter selection related to the LWE assumption, the matrices (Ad,Pd = pRd −AdSd) into random, and tuples we rely on attacks on LWE in [1,16,17] and [13]. In particu- of form (Xi, −XiSd + pEi + Power2(Si)) into random tuples lar, our choices of parameters are consistent with the newest (Xi,Yi) where indexes i correspond to update key queries. one in [13]. In other words, the second term ST in the following is turned For generating discrete Gaussian noises, we employ the into a random matrix Knuth-Yao algorithm [15]. The noise generation only occu- pies a negligible time in encryption. For example, when s = 10, our implementation can generate more than 4·104 Gaus-  Ad   Rd      sian samples in one millisecond using only 1.65 megabytes  .   .   .   .  to store a binary tree. FT = −     , ST = FT · Sd + p     ,   Xi     Ei           . . . . 114 30 i i Table 2: Our timings when q = 2 , p = 2 + 1. bit-sec KeyGen Enc Dec Add Mul AddM DecM with secret Sd of dimension nd. To be exact with the LWE assumption, we need to get rid of the p multiplication in ST. 80 1428 63.2 0.92 0.003 35.1 29.3 1313 128 2513 94.7 1.22 0.004 60.8 50.1 2296 Here we use the condition gcd(p, q) = 1 so that p−1 exists −1 −1 256 7249 313 2.05 0.010 164 136 6643 in Zq. Consider the pair (p FT, p ST) where operations −1 are over Zq. Since FT is random , so is p FT. Further- (All times are in milliseconds, averaged over 1000 executions.) more, p−1ST is of form [p−1FT×secret+noise] of the LWE assumption. Therefore the pair (p−1FT, p−1ST) is random under the LWE assumption, so is the pair (FT, ST) again bit-sec → bit-sec UKGen Update due to gcd(p, q) = 1. Key 80 → 80 165.6 (s) 1.1 (s) Thus both games are indistinguishable to A under the rotation 128 → 128 291.4 (s) 1.9 (s) LWE assumption. 256 → 256 846.6 (s) 5.3 (s) Security 80 → 128 238.2 (s) 1.5 (s) Game2: this game is identical to Game1 except that the challenge ciphertext is changed to random. Specifically, update 128 → 256 519.8 (s) 3.3 (s) ∗ ∗ ∗ (In both tables, times are averaged over 1 thread of a Xeon E5- Cd = Update(uknd−1→nd ,Cd−1,Ad,Pd) | {z } 2660 v3, 2.60GHz machine.) pkd

1×(nd+l) 114 30 = f1[Ad|Pd] + p[f2|f3] + F ∈ Zq , Taking q = 2 , p = 2 + 1, s = 8.0, l = 64, we need n = 2661, 3530, 5847 respectively for estimated 80-, 128-, where f , f , f are Gaussian noises chosen by the challenger, 1 2 3 256-bit securities. The message length l = 64 is sufficient to is now computed as handle real numbers of 64-bit precision. The running times ∗ Cd = Rd + F are reported in Table 2. As seen in the table, generating an update key requires a few minutes, while updating a ci- $ 1×(nd+l) where Rd ← Zq . The change is still indistinguishable phertext needs a few seconds. The update task can be fully 1×nd to A thanks to the LWE assumption with secret f1 ∈ Zs . parallelized on the cloud server.

41 5. CONCLUSION instantiations from lattices. In H. Krawczyk, editor, We conceptually propose the notion of key-rotatable and Public-Key Cryptography - PKC 2014, volume 8383 of security-updatable homomorphic encryption, and build a Lecture Notes in Computer Science, pages 95–112. concrete scheme. Our scheme is proved secure under the Springer, 2014. LWE assumption, and is showed efficient via implementa- [13] I. Chillotti, N. Gama, M. Georgieva, and tion. It can be used in secure cloud computing to accom- M. Izabach`ene. Faster fully homomorphic encryption: plish the vital task of key rotation and security update when Bootstrapping in less than 0.1 seconds. In Advances in necessary. Cryptology - ASIACRYPT 2016 - 22nd International Conference on the Theory and Application of 6. REFERENCES Cryptology and Information Security, Proceedings, [1] Y. Aono, X. Boyen, L. T. Phong, and L. Wang. Part I, pages 3–33, 2016. Key-private proxy re-encryption under LWE. In [14] C. Gentry. A fully homomorphic encryption scheme. G. Paul and S. Vaudenay, editors, INDOCRYPT, PhD thesis, Stanford University, 2009. volume 8250 of Lecture Notes in Computer Science, crypto.stanford.edu/craig. pages 1–18. Springer, 2013. [15] D. E. Knuth and A. C. Yao. The complexity of [2] Y. Aono, T. Hayashi, L. T. Phong, and L. Wang. Fast non-uniform random number generation. Algorithms and secure linear regression and biometric and Complexity, Academic Press, New York, pages authentication with security update. IACR Cryptology 357–428, 1976. ePrint Archive, 2015:692, 2015. [16] R. Lindner and C. Peikert. Better key sizes (and [3] Y. Aono, T. Hayashi, L. T. Phong, and L. Wang. attacks) for LWE-based encryption. In A. Kiayias, Privacy-preserving logistic regression with distributed editor, CT-RSA, volume 6558 of Lecture Notes in data sources via homomorphic encryption. IEICE Computer Science, pages 319–339. Springer, 2011. Transactions, 99-D(8):2079–2089, 2016. [17] M. Liu and P. Q. Nguyen. Solving BDD by [4] B. Applebaum, D. Cash, C. Peikert, and A. Sahai. enumeration: An update. In E. Dawson, editor, Fast cryptographic primitives and circular-secure CT-RSA, volume 7779 of Lecture Notes in Computer encryption based on hard learning problems. In Science, pages 293–309. Springer, 2013. S. Halevi, editor, CRYPTO, volume 5677 of Lecture [18] D. Micciancio and O. Regev. Lattice-based Notes in Computer Science, pages 595–618. Springer, cryptography. In Post-Quantum Cryptography, pages 2009. 147–191. Springer, 2009. [5] W. Banaszczyk. New bounds in some transference [19] National Institute of Standards and Technology theorems in the geometry of numbers. Mathematische (NIST). Recommendation for Key Management: Part Annalen, 296(1):625–635, 1993. 1: General (Revision 3). [6] W. Banaszczyk. Inequalities for convex bodies and http://csrc.nist.gov/publications/nistpubs/800-57/ n sp800-57 part1 rev3 general.pdf. polar reciprocal lattices in R . Discrete & Computational Geometry, 13(1):217–231, 1995. [20] R. Nishimaki and K. Xagawa. Key-private proxy [7] M. Blaze, G. Bleumer, and M. Strauss. Divertible re-encryption from lattices, revisited. IEICE protocols and atomic proxy cryptography. In Transactions, 98-A(1):100–116, 2015. K. Nyberg, editor, EUROCRYPT, volume 1403 of [21] Open Web Application Security Project. Lecture Notes in Computer Science, pages 127–144. https://www.owasp.org/index.php/Cryptographic Springer, 1998. Storage Cheat Sheet. [8] Z. Brakerski. Fully homomorphic encryption without [22] Payment Card Industry Data Security Standard. modulus switching from classical gapsvp. In https://www.pcisecuritystandards.org/documents/ R. Safavi-Naini and R. Canetti, editors, CRYPTO, Prioritized Approach V2.0.pdf. volume 7417 of Lecture Notes in Computer Science, [23] O. Regev. On lattices, learning with errors, random pages 868–886. Springer, 2012. linear codes, and cryptography. In H. N. Gabow and [9] Z. Brakerski, C. Gentry, and V. Vaikuntanathan. R. Fagin, editors, STOC, pages 84–93. ACM, 2005. (Leveled) fully homomorphic encryption without bootstrapping. In S. Goldwasser, editor, ITCS, pages 309–325. ACM, 2012. Available at https://eprint.iacr.org/2011/277.pdf. [10] Z. Brakerski, A. Langlois, C. Peikert, O. Regev, and D. Stehl´e.Classical hardness of learning with errors. In D. Boneh, T. Roughgarden, and J. Feigenbaum, editors, STOC, pages 575–584. ACM, 2013. [11] Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In R. Ostrovsky, editor, FOCS, pages 97–106. IEEE, 2011. [12] N. Chandran, M. Chase, F. Liu, R. Nishimaki, and K. Xagawa. Re-encryption, functional re-encryption, and multi-hop re-encryption: A framework for achieving obfuscation-based security and

42