paradox on fully homomorphic equality checking

Question

Imagine, a client encrypts a corpus of data (say documents of text) with the public key of a Fully Homomorphic Encryption scheme (FHE) and outsources the data to an untrusted server.Now the client wants search for a particular word in the corpus of encrypted documents and retrieve the matching documents that contain the word as a result. So the client could encrypt the search word with public key of FHE scheme and send to the server. The server would evaluate a "equality circuit" for blind folded matching using Evaluate method of FHE scheme. Remember the result (in this case it is MATCH or NO MATCH) also is encrypted in FHE schemes and hidden from the untrusted server.

Now my paradox begins, Does this mean server does not know whether the string matches the document ?

If the server does not know how will it retrieve and send those matching documents alone ?
If the server knows whether the string matches or not in this particular case will such FHE scheme considered secure at all ?
Is this situation any better if the FHE scheme is probabilistic or deterministic ?

On a side note, the above need not be for a word (as in words of a text) equality checking, the same argument could be given for numerical equality checking (arithmetic circuits) as well. Any comments on this paradox ?

How should the server learn the result if it cannot decrypt? Your setting as it is does not really make sense . What would the server return? If you want to have keyword equality, look for searchable encryption. — DrLecter, Nov 29 '15 at 16:51
@DrLecter , If i want keyword equality, can't we do with FHE? — sashank, Nov 30 '15 at 02:21
@RickyDemer The server uses FHness of encryption scheme but then does not the result , does that mean Equality Checking cannot be done using FHE ? — sashank, Nov 30 '15 at 02:22
"does not the result"? (You seem to be missing a verb.) There's certainly no obvious way of using FHE to let the ciphertext-holder non-interactively check equality. — , Nov 30 '15 at 08:47
@RickyDemer "does not know the result" . Oh is there a reference for that ? on non-interactivity of checking ? — sashank, Nov 30 '15 at 08:57
@mikeazo yes i did see that question, which is different than mine — sashank, Nov 30 '15 at 14:11

Yehuda Lindell · Accepted Answer · 2016-06-14T16:26:35.327

This is somewhat a paradox. It seems that if the server cannot know when equality is reached, how can it return only those documents. Surprisingly, it can be done, under the assumption that an upper bound is given on the number of documents (and at the cost of that upper bound).

Assume first that only one document matches, and this is known. Denote by ${\cal X}=X_1,\ldots,X_n$ the documents, and assume that there exist lists ${\cal L}=L_1,\ldots,L_n$ such that $L_i$ is the list of keywords in $X_i$. (This is just to simplify the explanation.) Then, let $f(a,L_i)=1$ if $a$ is in the list $L_i$, and otherwise $f(a,L_i)=0$. Clearly, $f$ can be computed inside FHE. Then, the server can compute the function $g(a,{\cal X},{\cal L})=\sum_{i=1}^n f(a,L_i) \cdot X_i$ inside FHE and return the result to the client. Since we are guaranteed that only one document matches, we have that $f(a,L_i)$ will equal 0 in all but one place. Thus, if $a\in L_j$, then the result will be $X_j$ only.

In order to extend this to the general case where an upper bound $t$ is given on the number of matches, the following can be done. Define $f_m(a,i,{\cal L})$ to be a function so that $f_m(a,i,{\cal L})=1$ if $L_i$ is the $m$th list $(1\leq m\leq t)$ in ${\cal L}$ containing $a$, and otherwise equals 0. Then, define $g_m(a,{\cal X},{\cal L})=\sum_{i=1}^n f_m(a,L_i) \cdot X_i$. Finally, the server computes and returns to the client the (encrypted) values $g_1(a,{\cal X},{\cal L})$, $g_2(a,{\cal X},{\cal L})$, up to $g_t(a,{\cal X},{\cal L})$.

In this way, the communication is just $t$ ciphertexts, and thus not everything needs to be returned.

Note that if you don't have any upper bound on the number of responses, then you can't do this, and you end up sending everything. In order to solve this, the client can first send an encryption of $a$ to the server, who then computes a function that just returns the number of lists that $a$ appears in. The client can then decrypt and send this to the server who continues as above. This does require interaction, but solves the problem of knowing a reasonable upper bound on the size of the output.

score 4 · Answer 2 · answered Jan 16 '16 at 21:54

I think the keyword equality can be done with FHE, but, as you pointed out, the server will not know the result of the test since it will be encrypted.

Considering this, the answer to your question "Does this mean server does not know whether the string matches the document?" should be yes, it does. The server does not know whether a match occurs or not.

And so, I would answer the others questions as follows:

The server will not be able to send the matching documents alone.
If it were a public key scheme, then, it would not be secure in this case, because the server could learn a lot about the content of the documents by encrypting words and running that equality test. But if it were a symmetric one, then I think it would be secure. Not secure to the usual models (IND-CPA, CCA, etc), but still somehow secure...
Any deterministic homomorphic encryption scheme is very weak, so, I think a probabilistic one is always better.

All that said, I think one workaround would be the server sending back the results of the tests and the documents' ids, the client decrypting it to check which documents match the word and sending back to the server only the desired ids plus some ids to obfuscate those ones that really matter...

So far that is best i could think of too. Otherwise it could be an interactive protocol, the client could ask for each document and stop once it decrypted a matched one. But i suspect there could be some better way — sashank, Jun 12 '16 at 06:20

score -1 · Answer 3 · answered Nov 30 '15 at 21:07

A good way to find answers to your questions would be to read Accelerating SWHE based PIRs using GPUs https://eprint.iacr.org/2015/462.pdf.

In the introduction of the article, there are mentioned all kind of references to papers which address the PIR protocol from the beggining up to the present state of the art, which uses homomorphic encryption techniques.

The references are important milestones of the PIR evolution, and the authors say some words about what improvements they brought, so you may go straight to the papers that fit best for your needs.

paradox on fully homomorphic equality checking

3 Answers3

Linked