Homomorphic Encryption for Finite Automata

Abstract

We describe a somewhat homomorphic GSW-like encryption scheme, natively encrypting matrices rather than just single elements. This scheme offers much better performance than existing homomorphic encryption schemes for evaluating encrypted (nondeterministic) finite automata (NFAs). Differently from GSW, we do not know how to reduce the security of this scheme from LWE, instead we reduce it from a stronger assumption, that can be thought of as an inhomogeneous variant of the NTRU assumption. This assumption (that we term iNTRU) may be useful and interesting in its own right, and we examine a few of its properties. We also examine methods to encode regular expressions as NFAs, and in particular explore a new optimization problem, motivated by our application to encrypted NFA evaluation. In this problem, we seek to minimize the number of states in an NFA for a given expression, subject to the constraint on the ambiguity of the NFA.

N. Genise—This work was done when the author was at UCSD.

C. Gentry and S. Halevi—This work was done when the authors were in IBM Research.

Appendices

A Definitions on Regular Expressions and NFA

We recall some standard definitions about regular languages and finite automata [46]. Let \(\varSigma \) be a finite alphabet, and \(\varSigma ^*\) the free monoid generated by \(\varSigma \). A string w is an element of \(\varSigma ^*\), which can be written as a finite sequence of symbols \(w = w_1w_2\cdots w_k\) where \(w_1,\ldots ,w_k \in \varSigma \), and its length is \(|w| = k\). The empty string is denoted by \(\epsilon \), which is the neutral element of \(\varSigma ^*\). The concatenation of two strings \(u = u_1\cdots u_m\) and \(v = v_1\cdots v_n\) is a string \(uv = u_1\cdots u_mv_1\cdots v_n\). A language over \(\varSigma \) is a subset of \(\varSigma ^*\). For any languages L and K, we consider the following regular operations: (union) \(L \cup K\), (product) \(LK = \{uv \mid u\in L, v\in K\}\), and (Kleene star) \(L^* = \cup _{i\ge 0}L^i\), where \(L^0 = \{\epsilon \}\), and \(L^i = LL^{i-1}\) for \(i>0\). Regular languages are the smallest class of languages containing the basic languages \(\emptyset \), \(\{\epsilon \}\), and \(\{a_i\}\) for all \(a_i \in \varSigma \) that are closed under regular operations.

A nondeterministic finite automaton (NFA) over \(\varSigma \) is a quintuple \(M = (Q,\varSigma ,\delta ,Q_I,Q_F)\), where \(Q = \{s_1,\ldots ,s_n\}\) is a finite set of states, \(\delta : Q \times \varSigma \rightarrow \wp (Q)\) is a transition function, \(Q_I \subseteq Q\) is the set of initial states, and \(Q_F \subseteq Q\) is the set of final states. We can extend \(\delta \) to a function \(\delta : Q \times \varSigma ^* \rightarrow \wp (Q)\) over strings in the natural way. Without loss of generality, we assume that all our NFAs have a single initial state \(s_1\). A string \(w\in \varSigma ^*\) is accepted by an NFA M if \(\delta (s_1,w) \cap Q_F \ne \emptyset \). The set of all the strings accepted by an NFA M is called the language of M, and it is denoted by \({\mathcal {L}}(M)\). A deterministic finite automaton (DFA) is an NFA such that \(\delta (s,a_i)\) is a singleton set for all \(s\in Q\) and \(a_i\in \varSigma \), and \(|Q_I|=1\).

A regular expression over \(\varSigma \) is a formal expression generated by the following grammar rules:

$$\begin{aligned} {\mathsf {RE}}\rightarrow \epsilon \mid a_i \mid ({\mathsf {RE}}+ {\mathsf {RE}}) \mid ({\mathsf {RE}}\cdot {\mathsf {RE}}) \mid ({\mathsf {RE}})^*, \end{aligned}$$

where \(a_i\) ranges over \(\varSigma \). The operator \(*\) takes the highest precedence, followed by \(\cdot \), and then by \(+\). The parentheses can be omitted when there is no ambiguity. The operator \(\cdot \) is usually omitted as well, and concatenations can be written as juxtapositions of regular expressions. For a regular expression e, its language \({\mathcal {L}}(e)\) can be defined inductively as follows:

where \(a_i\) ranges over \(\varSigma \), and \(e_0,e_1\) are regular expressions. For any set R of regular expressions, let \({\mathcal {L}}(R) = \cup _{e\in R}{\mathcal {L}}(e)\). It is well known that the languages defined by regular expressions are exactly the regular languages, which are exactly the languages accepted by finite automata.

For any sets R, T of regular expressions, we write RT for the set of regular expressions

$$\begin{aligned} RT = \{e \cdot f \mid e \in R, f \in T \}, \end{aligned}$$

and we write \(Re = \{f \cdot e \mid f \in R\}\) and \(eR = \{e \cdot f \mid f \in R\}\); in particular, \(\emptyset T = R \emptyset = \emptyset e = e \emptyset = \emptyset \).

B Proofs

In this section we present proofs that are omitted in the main paper.

Proposition 3

For any \(n \ge 1\), if \(\mathcal {M}\) is an NFA with \(r \le n\) states, and w a string of length k, the noise vector \(\mathbf {e}^{(k)}\) at the end of homomorphic evaluation of encrypted \(\mathcal {M}\) on w satisfies the following bounds:

• If \(\mathcal {M}\) is unambiguous, then \(\Vert \mathbf {e}^{(k)}\Vert _\infty \le bnk\chi \log _b{q}\).

• If \(\mathcal {M}\) is finitely ambiguous, then \(\Vert \mathbf {e}^{(k)}\Vert _\infty \le bnrk\chi \log _b{q}\).

• If \(\mathcal {M}\) is infinitely ambiguous, then \(\Vert \mathbf {e}^{(k)}\Vert _\infty \le bnk^{\deg (\mathcal {M})+1}\chi \log _b{q}\).

Proof

Let \(\mathcal {M}= (Q,\varSigma ,\delta ,\{s_1\},Q_F)\) be an NFA with r states \(s_1,\ldots ,s_r\), and for each input symbol \(\sigma \in \varSigma \), denote by \(\mathbf {M}_\sigma \in \{0,1\}^{n\times n}\) the transition matrix of \(\mathcal {M}\) on \(\sigma \) (padded with 0s in the extra columns and rows), where \((\mathbf {M}_\sigma )_{t,s}=1\) if \(t \in \delta (s,\sigma )\), and \((\mathbf {M}_\sigma )_{t,s}=0\) othewise. For any \(t\in Q\) let \(\mathcal {M}_t = (Q,\varSigma ,\delta ,Q,\{t\})\) be the NFA obtained from \(\mathcal {M}\) by setting all states to be initial and t the only final state. Notice that \({\mathrm {da}}(\mathcal {M}_t,l)\) is an upper bound on the total number of paths in \(\mathcal {M}\) on a string of length l from any state to t.

Let \(w=w_1\cdots w_k\) be the string to be scanned on \(\mathcal {M}\). For all \(1 \le i \le k\), the encrypted state vector \(\mathbf {q}^{(i)}\) after reading \(w_i\) is:

$$\begin{aligned} \mathbf {q}^{(i)} = \sum _{j=0}^{\log _b q}C_{w_i,j}\mathbf {q}^{(i-1)}_j = \beta \mathbf {S}^{-1} \mathbf {M}_{w_i}\cdots \mathbf {M}_{w_1}\mathbf {v} + \mathbf {S}^{-1}(\mathbf {M}_{w_i}\mathbf {e}^{(i-1)} + \sum _{j=0}^{\log _b q}\mathbf {E}_{w_i,j}\mathbf {q}^{(i-1)}_j), \end{aligned}$$

where \(\mathbf {e}^{(i-1)}\) is the noise term after reading the previous symbol \(w_{i-1}\). As in our assumption, \(s_1\) is always the sole initial state in \(\mathcal {M}\), we can set the initial noise \(\mathbf {e}^{(0)} = \mathbf {0}\) without leaking any additional information about the NFA \(\mathcal {M}\). By expanding all the noise terms, we get

$$\begin{aligned} \mathbf {e}^{(k)} = \sum _{l=2}^{k} \mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\sum _{j=0}^{\log _b{q}}\mathbf {E}_{w_{l-1},j}\mathbf {q}^{(l-2)}_j + \sum _{j=0}^{\log _b{q}}\mathbf {E}_{w_k,j}\mathbf {q}^{(k-1)}_j. \end{aligned}$$

(7)

Notice that, for any symbol \(a\in \varSigma \), the (t, s)’th entry of \(\mathbf {M}_a\) is 1 if \(t\in \delta (s,a)\) and it is 0 otherwise. So the (t, s)’th entry of the product \(\mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\) counts the number of paths from s to t on the string \(w_l \cdots w_k\), where \(1\le l\le k\). Let \(\mathbf {1}\) be the vector whose entries are all 1. Then the t’th entry of the vector \(\mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\mathbf {1}\) counts the total number of paths from an arbitrary state to t on this string, which is at most \({\mathrm {da}}(\mathcal {M}_{t},k-l+1)\). Thus we have

$$\begin{aligned} \Vert \mathbf {M}_{w_k}\cdots \mathbf {M}_{w_l}\sum _{j=0}^{\log _b{q}}\mathbf {E}_{w_{l-1},j}\mathbf {q}^{(l-2)}_j \Vert _\infty \le bn\chi \log _b{q} \cdot \max _{t\in Q}\{{\mathrm {da}}(\mathcal {M}_{t},k-l+1)\} . \end{aligned}$$

It follows that the final noise vector \(\mathbf {e}^{(k)}\) can be bounded by

$$\begin{aligned} \Vert \mathbf {e}^{(k)}\Vert _\infty \le bn \chi \log _b{q} \cdot \sum _{l=1}^{k-1} \max _{t\in Q}\{{\mathrm {da}}(\mathcal {M}_{t},l)\} + bn \chi \log _b{q} \end{aligned}$$

(8)

If \(\mathcal {M}\) is unambiguous, then \({\mathrm {da}}(\mathcal {M}_{t},l)\le 1\) for all \(t \in Q\) and \(l \ge 0\), so

$$\begin{aligned} \Vert \mathbf {e}^{(k)}\Vert _\infty \le bkn\chi \log _b{q}. \end{aligned}$$

If \(\mathcal {M}\) is finitely ambiguous, then for all \(s,t\in Q\), the number of paths of w from s to t is at most 1 [45]. So \({\mathrm {da}}(\mathcal {M}_{t},l) \le r\) for all \(t\in Q\) and \(l \ge 0\), and \(\mathbf {e}^{(k)}\) can be bounded by

$$\begin{aligned} \Vert \mathbf {e}^{(k)}\Vert _\infty \le bknr\chi \log _b{q}. \end{aligned}$$

For the case where \(\mathcal {M}\) is infinitely ambiguous, notice that \({\mathrm {da}}(\mathcal {M}_t,l) \le l^{\deg (\mathcal {M})}\) for all \(l\ge 1\), and we have

$$\begin{aligned} \Vert \mathbf {e}^{(k)}\Vert _\infty&\le b\chi \log _b{q} \sum _{l=1}^{k-1}l^{\deg (\mathcal {M})} + b\chi \log _b{q} \\&\le bnk^{\deg (\mathcal {M})+1} \chi \log _b{q}. \end{aligned}$$

   \(\square \)

C Performance Comparisons with HAO15

In this section we present a brief analysis of applying the matrix-FHE scheme of HAO15 [25] to the case of homomorphic evaluation of NFA.

Fix an NFA \(\mathcal {M}\) of r states and with an alphabet \(\varSigma \), and let \(\mathbf {M}_\sigma \in \{0,1\}^{r \times r}\) for \(\sigma \in \varSigma \) be its transition matrices on symbol \(\sigma \). Recall the “leveled version” of the HAO15 scheme as described in Sect. 3.1. To encrypt \(\mathcal {M}\) for homomorphic evaluation on any string of length at most k, we sample \(k+1\) secret keys \(\mathsf {sk}_i\) for \(i=0,1,\ldots ,k\), and for each \(\sigma \in \varSigma \), we encrypt \(\mathbf {M}_\sigma \) with all keys \(\mathsf {sk}_i\) to get \(\mathbf {C}_{\sigma ,i} \leftarrow \mathsf {HAO}.\mathsf {MatEnc}_{\mathsf {sk}_i}(\mathbf {M}_\sigma )\). We also encrypt the initial state vector \(\mathbf {v} = (1,0,\ldots ,0)^t\) in a ciphertext \(\mathbf {c} = \mathsf {HAO}.\mathsf {VecEnc}_{\mathsf {sk}_0}(\mathbf {v})\).

To scan \(w = w_1\cdots w_k\) on \(\mathcal {M}\), set \(\mathbf {c}_0 = \mathbf {c}\) and \(\mathbf {c}_i = \mathsf {HAO}.\mathsf {Mul}(\mathbf {C}_{w_i,i},\mathbf {c}_{i-1}) = \mathbf {C}_{w_i,i} \times \mathbf {G}^{-1}(\mathbf {c}_{i-1})\). Then each ciphertext \(\mathbf {c}_i\) satisfies \(\mathbf {S}_i\mathbf {c}_i = (\prod _{j=i}^1 \mathbf {M}_{w_j}) \times \mathbf {v} + \mathbf {e}_i\) for some noise vector \(\mathbf {e}_i\). By Eq. 1, the \(l_\infty \) norm of \(\mathbf {e}_k\) can be bounded by

$$\begin{aligned} \Vert \mathbf {e}_k\Vert _\infty \le \chi N + \chi N \sum _{l=2}^k {\mathrm {da}}(\mathcal {M},l) + \chi {\mathrm {da}}(\mathcal {M},k), \end{aligned}$$

which must be bounded away from q/4.

For performance comparison, consider two cases of the ambiguity measures of \(\mathcal {M}\):

• \(\mathcal {M}\) is finitely ambiguous: We have \({\mathrm {da}}(\mathcal {M},l) \le r\) for all \(1 \le l \le k\), so w.h.p.

  $$\begin{aligned} \Vert \mathbf {e}_k\Vert _\infty \le \alpha q (n+r) (kr+1) \log {q}, \end{aligned}$$

  where \(\alpha = \sqrt{2n}/q\) is the LWE noise parameter. Thus, in the HAO15 scheme we can homomorphically evaluate \(\mathcal {M}\) on strings of length \(k \le \frac{1}{\alpha (n+r)r \log {q}}\). For example, assuming at least 100 bit of security is needed, for an NFA of up to 1024 states on strings of length up to 275, we need \(n=1024\) and \(q=2^{42}\). On the other hand, using our scheme we can evaluate \(\mathcal {M}\) on strings of length \(k \le \frac{q}{b^2 n \chi r \log _b{q}}\). So, using our scheme with the above sets of parameters, we can homomorphically evaluate an NFA of up to 1024 states on strings of length up to 551.

• \(\mathcal {M}\) is infinitely ambiguous: We have \({\mathrm {da}}(\mathcal {M},l) \le l^{\deg (\mathcal {M})}\), so w.h.p.

  $$\begin{aligned} \Vert \mathbf {e}_k\Vert _\infty \le \alpha q (n+r) \log {q} \cdot (\sum _{l=1}^k l^{\deg (\mathcal {M})} + 1) \le \alpha q (n+r) \log {q} k^{\deg (\mathcal {M})+1} \end{aligned}$$

  Using the same parameters as the above to achieve at least 100 bit of security, and assuming that \(\deg (\mathcal {M})=2\) for the NFA \(\mathcal {M}\), we can homomorphically evaluate \(\mathcal {M}\) on strings of length up to 65 in the HAO15 scheme, whereas we can homomorphically evaluate \(\mathcal {M}\) on strings of length up to 82 in our scheme.

Moreover, the computational complexity of k homomorphic matrix multiplications, assuming naive matrix-vector multiplication of complexity \(O(n^2)\), is \(O(k(r+n)^2\log {q})\). On the other hand, the complexity of our homomorphic evaluation procedure is \(O(kn^2 \log {q})\).