Near Optimal Rate Homomorphic Encryption for Branching Programs

We initiate the study of good-rate homomorphic encryption schemes. Based on previous work on securely evaluating (binary I/O) branching programs, we propose a leveled homomorphic encryption scheme for large-output polynomial-size branching programs (which we call LBP) that possesses near-optimal rate. The rate analysis of the new scheme is intricate: the best rate is achieved if a certain parameter $s$ is set equal to the only positive root of a degree-$m$ polynomial, where $m$ is the length of the branching program. We employ the Newton-Puiseux algorithm to find a Puiseux series for this parameter, and based on this, propose a $\Theta(\log m)$-time algorithm to find an integer approximation to $s$. We also describe a rate-optimal 1-out-of-$n$ CPIR based on rate-optimal homomorphic encryption. In concrete terms, when applied to, say, a movie database with $n = 2$ elements of $\ell = 3.8 \cdot 10$ bits, the client can privately download a movie with a communication rate of almost 0.99, hence sacrificing only about 1% of bandwidth for privacy. We also analyze the optimality of the rate efficiency of our scheme in a novel model that may be of independent interest. Our 1-out-of-$n$ CPIR has rate $1 - 1.72\sqrt{k/\ell} \cdot \log_2 n + O_\ell(\ell^{-1})$, while we show that no black-box construction surpasses $1 - \sqrt{k/\ell} \cdot (\log n / \log \log n) + O_\ell(\ell^{-1})$ in terms of rate, where $\ell$ is the length of the database elements and $k$ the security parameter.
