Homomorphic Encryption. Liam Morris

Transcription

1 Homomorphic Encryption Liam Morris

2 Topics What Is Homomorphic Encryption? Partially Homomorphic Cryptosystems Fully Homomorphic Cryptosystems Benefits of Homomorphism Drawbacks of Homomorphism

3 What Is Homomorphic Encryption? homomorphism - a transformation of one set into another that preserves in the second set the relations between elements of the first 1 homomorphic encryption - an operation performed on a set of ciphertexts such that decrypting the result of the operation is the same as the result of some operation performed on the plaintexts

4 What Is Homomorphic Encryption? Consider a cryptosystem that has: encryption function ε plaintext x n ciphertext c n such that ε(x n ) = c n

5 What Is Homomorphic Encryption? Homomorphic Addition A given cryptosystem is considered additively homomorphic iff : ε(x 1 ) ε(x 2 ) = ε(x 1 + x 2 ) Homomorphic Multiplication A given cryptosystem is considered multiplicatively homomorphic iff : ε(x 1 ) ε(x 2 ) = ε(x 1 x 2 ) ε - encryption x n - plaintext c n - ciphertext - operation

6 Partially Homomorphic Cryptosystems A given cryptosystem is considered partially homomorphic if it exhibits either additive or multiplicative homomorphism. Some examples of partially homomorphic cryptosystems are: RSA (multiplicative) ElGamal (multiplicative) Paillier (additive)

7 Partially Homomorphic Cryptosystems RSA Given RSA key pair (d, e) e ε(x 1 ) = x 1 ε(x 1 x 2 ) = (x 1 x 2 ) e ε(x 1 )ε(x 2 ) = (x e 1 )(x e 2 ) = (x 1 x 2 ) e = ε(x 1 x 2 )

8 Partially Homomorphic Cryptosystems ElGamal ε(x,k) = (y 1,y 2 ) y 1 = α k mod p y 2 = xβ k mod p

9 Partially Homomorphic Cryptosystems ElGamal ε(x 1,k 1 ) = (y 1,y 2 ) y 1 = α k1 mod p, y 2 = x 1 β k1 mod p ε(x 2,k 2 ) = (y 3,y 4 ) y 3 = α k2 mod p, y 4 = x 2 β k2 mod p

10 Partially Homomorphic Cryptosystems ElGamal ε(x 1,k 1 ) ε(x 2,k 2 ) = (y 1 y 3,y 2 y 4 ) y 1 y 3 = α k1+k2, y 2 y 4 = x 1 x 2 β k1+k2 ε(x 1 x 2,k 1 k 2 ) = (y 5,y 6 ) y 5 = α k1+k2, y 6 = x 1 x 2 β k1+k2

11 Partially Homomorphic Cryptosystems Paillier 2 Choose two primes, p and q, and let n = pq. Let λ(n) = lcm(p - 1, q - 1) Pick g such that 1 g n 2 and L(g λ mod n 2 ) is invertible modulo n (this inverse is μ) (n,g) are public key (λ,μ) are private key ε(x,r) = g x r n mod n 2 d(y) = L(y λ mod n 2 ) μ mod n

12 Partially Homomorphic Cryptosystems Paillier ε(x 1,r 1 ) ε(x 2 r 2 ) = g x1 n r 1 g x2 n r 2 = g x1+x2 (r 1 r 2 ) n d(g x1+x2 (r 1 r 2 ) n ) = x 1 + x 2 mod n ε(x 1 + x 2,r) = g x1+x2 r n d(g x1+x2 r n ) = x 1 + x 2 mod n

13 Partially Homomorphic Cryptosystems Paillier - Example Consider a voting scheme where the votes for each candidate are represented by 1 4-bit string. Total votes = 1011 First 2 bits = 10 = 2 votes for first candidate Second 2 bits = 11 = 3 votes for second candidate When adding a vote for first candidate, add When adding a vote for second candidate, add 0001.

14 Partially Homomorphic Cryptosystems Paillier - Example Consider Paillier system where p = 5, q = 7: n = 35, λ = 12, g = 164, μ = 23 Person Vote x r c 1 A 0100 (4) B 0001 (1) B 0001 (1) A 0100 (4) A 0100 (4) c = {127, 416, 613, 764, 1191}

15 Partially Homomorphic Cryptosystems Paillier - Example c = {127, 416, 613, 764, 1191} Multiply ciphertexts: = 509 mod 1225 d(509) = 14 = First two bits = 11 = 3 votes for first candidate Second two bits = 10 = 2 votes for second candidate

16 Fully Homomorphic Cryptosystems A given cryptosystem is considered fully homomorphic if it exhibits both additive and multiplicative homomorphism. The first such system is a lattice-based cryptosystem developed by Craig Gentry in 2009.

17 Fully Homomorphic Cryptosystems Gentry Scheme Public key - matrix B (represented by d,r), HNF of private 3. Implementing Gentry's Fully-Homomorphic Encryption Scheme Private key - random matrix V and matrix W 3. Implementing Gentry's Fully-Homomorphic Encryption Scheme

18 Fully Homomorphic Cryptosystems Gentry Scheme Encryption of some bit b Generate a random noise vector, u, with values 0 with probability q and ±1 with each having probability (1 - q) / 2 Let a = 2u + b e 1 Let ciphertext = c = a mod B = (a B -1 ) B Decryption of ciphertext c a = c mod V = (c W/d) V

19 Benefits/Applications Enhanced privacy Banking transactions Voting systems Cloud computing applications Private information retrieval

20 Drawbacks Complexity Only fully homomorphic cryptosystem is latticebased Malware Performance Brace yourselves

21 Performance Performance of the fully homomorphic cryptosystem is completely infeasible at worst, and hilariously bad at best. Lattice-based computations do not lend themselves well to computing.

22 Performance 3. Implementing Gentry's Fully-Homomorphic Encryption Scheme As security increases, public key size, encryption operation, and key generation grows exponentially These tests were performed using an Intel Xeon E5450 processor and 24GB ram.

23 Performance 4. Fully Homomorphic Encryption with Relatively Small Key and Ciphertext Sizes Security minimized even further, at this point full homomorphism is not even possible These tests were performed using Intel Core cores.

24 Questions?

25 References 1. com/us/definition/american_english/homomorphism