ISO/IEC standardization path

[Kim Laine]

Dear HE.org community,

 

We have an important update to share.

 

On April 21, we presented a proposal to start a 6-months study period on homomorphic encryption at the ISO/IEC JTC1 SC27 WG2 plenary meeting.

The proposal was approved by unanimous consent by the international delegates. Many experts from countries other than the US, including France, China, UK, and Luxembourg voiced their enthusiasm to join the initiative.

 

The goal of an ISO Study Period is to establish the foundation to start a new work item (or standard) at ISO. The outcome of the study period is a technical report addressing the items in the call for proposals attached. We will present the results of the study period at the next plenary meeting in the fall quarter. The ideal scenario, and our aim, is to have content in good shape to propose the initiation of a new ISO Standard on homomorphic encryption already in the fall. Of course, we plan on incorporating the material consolidated by HE.org in the technical report.

 

The co-rapporteurs for the Study Period are Ro Cammarota (Intel Labs and HE.org, US), Kim Laine (Microsoft Research and HE.org, US), Pascal Paillier (CryptoExperts, France), Xianhui Lu (Chinese Academy of Science, China) and Gaëtan Pradel (INCERT GIE, Luxembourg).

 

We strongly believe that ISO/IEC is an appropriate home for this standard for the following reasons:

              - ISO/IEC standards are broadly recognized internationally.

              - ISO/IEC is already the home for an earlier Standard on partial homomorphic encryption, driven by Pascal Paillier.

              - ISO/IEC is the home for other privacy-enhancing cryptographic technologies standards such as Secret Sharing/SMPC.

 

We also like to thank Laura Lindsay (Microsoft Corporate Standards), Grace Wei (Intel Corporate Standards), and Lily Chen (NIST) for their guidance.

 

 

Best regards,

Kim and Ro

 

[Karim, Hassan]

Congratulations!

What activities will be undertaken during this ISO Study Period?

Regards,

Hassan Karim, CISSP

https://www.linkedin.com/in/hassankarimcissp 

Comp Sci Ph.D. Student

Howard University

(202) 569-1012

--
To unsubscribe from this group and stop receiving emails from it, send an email to standards+...@homomorphicencryption.org.

[Nayna Jain]

Congratulations !! How can someone get involved in the ISO Study Group ?

Thanks & Regards,

    - Nayna

[Anish Mohammed]

sounds interesting to me too ... ( would be interested in knowing how one could get involved)

Anish 

Anish Mohammed
anishmohammed.me
@anishmohammed 

calendly.com/zeroknowledge

PGP E68243345FE1B9AE

--

[SebastianGanson]

Best,

Sebastian

On Jun 11, 2020, at 8:51 AM, Anish Mohammed <anish.m...@gmail.com> wrote:



[Rosario Cammarota]

Dear HE.org,

 

 

We want to share an update about the progress with ISO/IEC Information Security Working Group 2 (WG2) on Fully Homomorphic Encryption standardization. WG2 agreed to continue the discussion as a preliminary standard – Preliminary Work Item (PWI) ISO/IEC 15150 Fully Homomorphic Encryption. 

 

In the PWI period, WG2 plan to hold a series of weekly meetings to clarify doubts that emerged during the latest meeting in September 2020, including:

 

1. Usages: use cases and secure deployments of fully homomorphic encryption.
2. Security: there is a common belief among WG2 experts that secure instantiations of some schemes can be achieved, but there is no common understanding of how to do that.
3. Schemes to standardize: okay for BGV and BFV, oppositions for CKKS.

 

We aim to move the PWI to the stage of a new work item (NWI), which would officially start the standard once the common ground is established.

 

 

Sincerely, Ro and Kim

--

[Mohamed layouni]

Hi Rosario, 

Thanks a lot for the update. 

Can you please provide some insight on the main reasons why CKKS is not likely to be included in this standardization effort? 

Thanks, 

Mohamed.

[Rosario Cammarota]

Thank you for your question, Mohamed:

The long story short is that the Canadian expert said this out really loud: "I don't want CKKS." Others supported him by saying that CKKS was less than three years old, hence it should not be considered for standardization at ISO. Kim and I coped with the second issue, by supplying the original archive paper with an earlier publication date. However, we haven't managed to speak with the Canadian expert about his motives - which we will do in the coming weeks. We will keep the group posted, and reach out for help as needed.

Many thanks, Ro

[Flavio]

Hi Ro,

Thanks for clarifying the background on “not standardizing CKLS”, at least for now.

The problems with this strategy are:

- CKKS is the scheme most in vogue right now, primarily because of the ML related applications

- Postponing the  standardization of CKKS may:

    - result in less confidence by the potential users

    - result in divergent implementations

I would say that as the HE community we will need to provide a convincing rationale to the  ISO/IEC Information Security Working Group 2 (WG2) reviewers.

-Flavio

[Ilia Iliashenko]

Hi all,

it is a bit surprising to see that CKKS was included into a proposal on FHE. Formally, CKKS is not fully homomorphic by definition, but approximately homomorphic. Moreover, CKKS has an extra "non-standard" property that decryption output leaks information on the secret key, which might be maliciously exploited. I guess the Canadian expert could be aware of this.

I also wonder why TFHE is missing in the list. It seems to be the most suitable scheme for standardization right now, because it allows to set the same encryption parameters for any binary circuit. 

Thank you,

Ilia

[Rosario Cammarota]

Hi Ilia, 

Your points are well taken, all of them. But, please, hear me out. There already exists a HE standard at ISO from 2006. It necessarily includes only partial homomorphic encryption. At the same time, a seminal paper titled "fully homomorphic encryption without bootstrapping" exists. In some deployments, bootstrapping can be used as an optimization, but there isn't a need for bootstrapping in other deployments.

So, we proposed the name "fully homomorphic encryption" to distinguish this initiative from the existing standard and gradually include many modern schemes that have deployments. The list includes BGV (of course), BFV, CKKS, FHEW, TFHE. The list will most likely be expanded to include more recent schemes such as the recent  "programmable bootstrapping." Noise mitigation procedures will be described in the standard; it will include "fully" flavored procedures if the specific schema admits. Again, all of this is not automatically approved. It has to find ISO experts' agreement. 

The other part of this discussion is "to gradually" include schemes across a timespan of 3 - 5 years. The idea was to start with RLWE-based schemes, including BGV, BFV, CKKS. But we have gotten burned up on CKKS. The concerns around CKKS may well be, as you mentioned. My guts suggest that there are mixed beliefs and ground feelings against CKKS, but again, it needs to be investigated with the ISO experts, which we will do. 

I hope this clarifies and addresses your points. 

Many thanks, Ro

[Ilia Iliashenko]

Hi Ro,

thank you for clarifications. Now I understand your strategy with standardization bodies.

I just wanted to stress that my comment is not intended to blacken CKKS in any shape or form. It is still an efficient and secure scheme in standard use cases, where we rely on IND-CPA security.

I think there is a lot of confusion in the community about what schemes are fully homomorphic. Due to approximate decryption, CKKS cannot be neither bootstrappable FHE or leveled FHE. This is clearly stated in the original HEAAN paper from 2017. Therefore, protocols that are proven secure with FHE might not be longer secure with CKKS. So mixing CKKS with true FHE schemes might be dangerous.

Ilia  

[Yongsoo Song]

Hi Ilia,

 

I understand your concern, but I have a different opinion.

 

There are several different definitions of homomorphic encryption in the literature,

and any of them can’t cover different concepts and functionality of the existing HE schemes.

 

I think the term ‘homomorphic encryption’ is now more informally used to refer a family of cryptosystems with any kind of homomorphic property (and the same applies to partial/somewhat/leveled/fully HE).

Hence I’d rather say CKKS is also homomorphic, or more specifically, it is an approximate HE scheme.

 

Best,

Yongsoo

[Mohamed layouni]

Thanks Ro for those details. I think the community will greatly benefit from understanding the concerns raised by ISO on CKKS, so we can work together to either mitigate them or offer alternative schemes that could handle real number arithmetics. 

@Ilia, thanks for your remark. Can you point out a reference treating/quantifying the CKKS issue that you mention where CKKS decryption leaks information about the secret key? 

Thanks, 

Mohamed.

[Jonathan Hammell]

Dear Rosario,
Your characterization of my statements as the Canadian delegate and
your summary of the session on fully homomorphic encryption in ISO/IEC
JTC 1 WG2 meeting in September are inaccurate.

On Mon, Nov 16, 2020 at 11:33 AM Rosario Cammarota <r...@ieee.org> wrote:
> The long story short is that the Canadian expert said this out really loud: "I don't want CKKS." Others supported him by saying that CKKS was less than three years old, hence it should not be considered for standardization at ISO. Kim and I coped with the second issue, by supplying the original archive paper with an earlier publication date. However, we haven't managed to speak with the Canadian expert about his motives - which we will do in the coming weeks. We will keep the group posted, and reach out for help as needed.

I do not believe that I ever stated "I don't want CKKS." I expressed
concern whether CKKS would meet the maturity requirements we have in
WG2 for standardization since the paper your contribution cited for
CKKS was published in 2018 (note that CKKS was cited as reference
[10]). I see that this was an incorrect citation in your contribution
and CKKS was actually publicly available in the e-Print paper
2016/421.

WG2 has requirements and a process for introducing new algorithms for
standardization in order to achieve consensus and maintain trust and
confidence in International Standards. In the past two meetings, you
have attempted to skip this process by suggesting going directly to a
new work item for a draft standard. I felt that you received good
feedback during the first 6-month Study Period. However, the
questions in that Study Period did not state explicitly which
algorithms you were proposing for standardization, rather it asked
experts for suggestions. In the September meeting I stated that you
need a 6-month PWI to get consensus from experts on the explicit
algorithms which you wish to standardize based on the feedback in the
Study Period. This is the typical process in WG2 in order to give
experts time to investigate the explicitly proposed algorithms, to
ensure they meet the requirements (including maturity requirements)
established in Part 1 of ISO/IEC 18033, and to consult within their
national bodies.

> On Friday, November 13, 2020, 12:02:53 p.m. EST, Rosario Cammarota <r...@ieee.org> wrote:
> We want to share an update about the progress with ISO/IEC Information Security Working Group 2 (WG2) on Fully Homomorphic Encryption standardization. WG2 agreed to continue the discussion as a preliminary standard – Preliminary Work Item (PWI) ISO/IEC 15150 Fully Homomorphic Encryption.
>
> In the PWI period, WG2 plan to hold a series of weekly meetings to clarify doubts that emerged during the latest meeting in September 2020, including:
>
> Usages: use cases and secure deployments of fully homomorphic encryption.
> Security: there is a common belief among WG2 experts that secure instantiations of some schemes can be achieved, but there is no common understanding of how to do that.
> Schemes to standardize: okay for BGV and BFV, oppositions for CKKS.
>
> We aim to move the PWI to the stage of a new work item (NWI), which would officially start the standard once the common ground is established.

I am unaware of WG2 planning to hold weekly meetings on FHE. WG2 only
meets during SC27 biannual meetings; each are approximately a week
long.

Furthermore, you did not address the concerns I raised about the
stability of FHE parameters. I pointed out how parameters suggested
from this group changed between the 2017 paper "Security of
Homomorphic Encryption" and the 2019/939 ePrint "Homomorphic
Encryption Standard". I suggested that this may be a consequence of
not accounting for minor improvements in cryptanalysis (e.g.
improvements in the LWE Estimator) when choosing parameters in an
effort to achieve efficiency. Indeed, your own contribution in
response acknowledged the issue: "Although extensive research and
benchmarking have been done in the research community to establish the
foundations for this effort, the information has not been
consolidated, along with concrete parameter recommendations for
applications and deployment." These concrete parameters that are
proposed for BGV and BFV (and if you also propose CKKS) must be
included in the PWI Call for Contributions, so that experts can
adequately assess them. It also raises concerns whether your FHE
proposals are indeed "unmodified" in light of the parameter changes
with respect to the requirements in ISO/IEC 18033-1.

Sincerely,
Jonathan

[Ilia Iliashenko]

Hi Mohamed,

I think the best reference is the original CKKS/HEAAN paper (https://eprint.iacr.org/2016/421.pdf, Section 3.1), which states that the decryption function returns 

m + e

where m is the plaintext message and e is a noisy term which depends on the secret key (see proof of Lemma 1). If m has zero low bits (e.g. m = 0), then revealing this plaintext to another party will leak something about the secret key. So far, I am not aware of any result that exploited this issue as well as of any paper that proved this leakage is negligible.

Best,

Ilia    

[Ilia Iliashenko]

Hi Yongsoo,

I totally agree with you. What confuses me is that CKKS is attempted to be standardized as an FHE scheme as suggests the name of the preliminary standard: Preliminary Work Item (PWI) ISO/IEC 15150 Fully Homomorphic Encryption.

Ilia  

[Rosario Cammarota]

Hi Jonathan et al. 

Excellent discussion. We can leave the details of the past ISO plenary to the past, can't we? Now it's time to make progress: 

- Thank you for clarifying your position on CKKS. It wasn't at all clear, and the plan was to ask for clarifications in the coming weeks, which brings me to my next point.

- Sorry for spoiling the future. Now that the PWI has a record in the system, I plan on setting up ad hoc weekly meetings this week. I hope you and others from WG2 will attend. I look forward to the discussion and to make progress.

- About your concerns about the security of HE schemas, we hear them well. Fortunately, this is the right forum for discussion. I am sure that this thread will receive a lot of attention from homomorphic encryption security experts in homomorphicencryption.org. They will be able to help to clarify doubts.

- Also, thank you Ilia for bringing up aspects related to CKKS security! This is an interesting thread of discussion by itself.

All in all, I hope this thread of emails generates a healthy discussion that can help with bringing homomorphic encryption beyond the borders of homomorphicencryption.org faster. 

Cheers, Ro

--

Dr. Rosario Cammarota

Senior Member IEEE

r...@ieee.org - +1-949-232-9114

[Karim, Hassan]

As we move forward, there is a procedural issue that needs to be addressed in order to provide the transparency and open dialogue/debate needed to reach consensus:
Invite contributions. Several people asked to be involved in the process from the spring meeting, as is clear in this thread, but apparently were not..

Ro et al, please be sure to post meeting announcements at least in this standardization mailing list.

Since we are now on a working group, standardizations meetings must now be minuted, correct? 

I too am excited about being a part of this standardization of FHE effort. 

Regards,

Hassan Karim, CISSP

https://www.linkedin.com/in/hassankarimcissp 

Comp Sci Ph.D. Student

Howard University

(202) 569-1012

--

[Rosario Cammarota]

Yes, Karim, it is our intention to follow procedures. Thanks for pointing this out. 

Ro 

--

Dr. Rosario Cammarota

Senior Member IEEE

r...@ieee.org - +1-949-232-9114

[Mohamed layouni]

Hi Ilia, 

Thanks for the reference. I'm not sure I agree with the statement that the noise term in a decrypted CKKS ciphertext depends on the secret key. 

But that's a good point to discuss offline both with the CKKS authors and anyone on this list who might be interested. 

Thanks, 

Mohamed.