Tuesday, October 20, 2015

HEAT Summer School on FHE and MLM in Paris

Last week, the HEAT summer school on Mathematical and Practical aspects of Fully Homomorphic Encryption and Multilinear Maps took place in (almost) sunny Paris. The talks all covered a range of subjects, with around three talks per topic, which allowed for a good in-depth understanding of what was being presented.

The school started off with defining what Fully Homomorphic Encryption is, and why we would want to use it. The main application is, of course, outsourcing computation. I have a bunch of data I want to compute on, but do not want (or cannot) compute it all by myself, so I would like to outsource it to an external server. But I may not trust the server, and do not want it to learn anything about my data. So I would like to have an encryption scheme where I encrypt my data, then send it off to someone to perform computations on it, and at the end I recover the result of the computation. This is exactly what FHE gives us.

Most FHE schemes are based on the Learning with Errors problem, which was presented in detail on the first day. This was presented in [R05]. This was followed by a discussion of the [GSW13] cryptosystem, based on the approximate eigenvector method.

This was followed by a discussion of the Ring Learning with Errors problems, and a brief presentation of the various reductions, as presented in [LPR10].  A presentation of the BGV cryptosystem was given, together with an introduction about the use of Galois theory in RLWE schemes, in order to use the “packed ciphertexts” method.

The third day of the summer school was the day for Multilinear Maps. The CLT and GGH schemes were discussed, and also a brief discussion on attacks. The summary is that although there are zeroizing attacks for all the constructions at the moment, these do not seem to affect the obfuscation applications. All the attacks are constructed from low-level encodings of zero, which is why the attacks do not apply to obfuscation applications.


The morning of the fourth day was very mathematical, and consisted of two talks on the algebraic geometry of numbers and the LLL and BKZ algorithms and on recovering short generators in principal ideal, see here. This was followed by a presentation of zeroizing attacks on multilinear maps. The final day of the school was devoted to obfuscation. This started with stating the surprising fact that if $P=NP$ then this implies that any program can be obfuscated. Thus, unlike any other cryptography, iO cannot imply hardness; but it can be used to leverage hardness. The idea of using straddling sets from [BGKPS] to construct obfuscation from branching programs was also discussed.