Fully Homomorphic Encryption

Similar documents
Fully Homomorphic Encryption over the Integers

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Some security bounds for the DGHV scheme

An Overview of Homomorphic Encryption

Fully Homomorphic Encryption over the Integers

Shai Halevi IBM August 2013

Fully Homomorphic Encryption from LWE

An RNS variant of fully homomorphic encryption over integers

FULLY HOMOMORPHIC ENCRYPTION

Report Fully Homomorphic Encryption

Manipulating Data while It Is Encrypted

HOMOMORPHIC ENCRYPTION AND LATTICE BASED CRYPTOGRAPHY 1 / 51

Computing with Encrypted Data Lecture 26

Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers

Packing Messages and Optimizing Bootstrapping in GSW-FHE

FULLY HOMOMORPHIC ENCRYPTION: Craig Gentry, IBM Research

Fully Homomorphic Encryption and Bootstrapping

On Homomorphic Encryption and Secure Computation

Fully Homomorphic Encryption

Classical hardness of the Learning with Errors problem

Classical hardness of Learning with Errors

The Distributed Decryption Schemes for Somewhat Homomorphic Encryption

Lattice Based Crypto: Answering Questions You Don't Understand

Gentry s Fully Homomorphic Encryption Scheme

Multikey Homomorphic Encryption from NTRU

Fully Homomorphic Encryption. Zvika Brakerski Weizmann Institute of Science

Homomorphic Encryption. Liam Morris

Better Bootstrapping in Fully Homomorphic Encryption

Discrete Mathematics GCD, LCM, RSA Algorithm

Fully Homomorphic Encryption

Batch Fully Homomorphic Encryption over the Integers

CRT-based Fully Homomorphic Encryption over the Integers

Parameter Constraints on Homomorphic Encryption Over the Integers

CPSC 467b: Cryptography and Computer Security

Open problems in lattice-based cryptography

Practice Assignment 2 Discussion 24/02/ /02/2018

Public Key Cryptography

Scale-Invariant Fully Homomorphic Encryption over the Integers

Chapter 8 Public-key Cryptography and Digital Signatures

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP

Practical Fully Homomorphic Encryption without Noise Reduction

MASTER. Fully homomorphic encryption in JCrypTool. Ramaekers, C.F.W. Award date: Link to publication

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

k-nearest Neighbor Classification over Semantically Secure Encry

Fully Homomorphic Encryption over the Integers with Shorter Public Keys

Craig Gentry. IBM Watson. Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/ /2/2012

during transmission safeguard information Cryptography: used to CRYPTOGRAPHY BACKGROUND OF THE MATHEMATICAL

TOWARDS PRACTICAL FULLY HOMOMORPHIC ENCRYPTION

Cryptography and RSA. Group (1854, Cayley) Upcoming Interview? Outline. Commutative or Abelian Groups

How to Use Short Basis : Trapdoors for Hard Lattices and new Cryptographic Constructions

Faster Fully Homomorphic Encryption

Multi-key fully homomorphic encryption report

Public Key 9/17/2018. Symmetric Cryptography Review. Symmetric Cryptography: Shortcomings (1) Symmetric Cryptography: Analogy

Public Key Cryptography

Fully Key-Homomorphic Encryption and its Applications

Revisiting Fully Homomorphic Encryption Schemes and Their Cryptographic Primitives

Cryptographic Multilinear Maps. Craig Gentry and Shai Halevi

Lecture 19: Public-key Cryptography (Diffie-Hellman Key Exchange & ElGamal Encryption) Public-key Cryptography

General Impossibility of Group Homomorphic Encryption in the Quantum World

A key recovery attack to the scale-invariant NTRU-based somewhat homomorphic encryption scheme

Evaluation of Homomorphic Primitives for Computations on Encrypted Data for CPS systems

AFRL-RI-RS-TR

Partially homomorphic encryption schemes over finite fields

Fully Homomorphic Encryption using Hidden Ideal Lattice

Gentry s SWHE Scheme

Public-Key Cryptosystems CHAPTER 4

Homomorphic Evaluation of the AES Circuit

Evaluating 2-DNF Formulas on Ciphertexts

Fully homomorphic encryption scheme using ideal lattices. Gentry s STOC 09 paper - Part II

Definition: For a positive integer n, if 0<a<n and gcd(a,n)=1, a is relatively prime to n. Ahmet Burak Can Hacettepe University

Identity-Based Online/Offline Encryption

Fully Homomorphic Encryption - Part II

Classical hardness of Learning with Errors

Multiparty Computation from Somewhat Homomorphic Encryption. November 9, 2011

High-Performance FV Somewhat Homomorphic Encryption on GPUs: An Implementation using CUDA

CIS 551 / TCOM 401 Computer and Network Security

FHE Over the Integers: Decomposed and Batched in the Post-Quantum Regime

Review. CS311H: Discrete Mathematics. Number Theory. Computing GCDs. Insight Behind Euclid s Algorithm. Using this Theorem. Euclidian Algorithm

Fully Homomorphic Encryption

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces

Lecture 1: Introduction to Public key cryptography

Cryptography. pieces from work by Gordon Royle

A Full Homomorphic Message Authenticator with Improved Efficiency

An Approach to Reduce Storage for Homomorphic Computations

Increased efficiency and functionality through lattice-based cryptography

Introduction to Cybersecurity Cryptography (Part 4)

Cryptanalysis of a Homomorphic Encryption Scheme

Solution to Midterm Examination

Faster fully homomorphic encryption: Bootstrapping in less than 0.1 seconds

Bootstrapping for HElib

16 Fully homomorphic encryption : Construction

Homomorphic Evaluation of Lattice-Based Symmetric Encryption Schemes

Lecture Notes, Week 6

ADVERTISING AGGREGATIONARCHITECTURE

Introduction to Cybersecurity Cryptography (Part 4)

Encryption: The RSA Public Key Cipher

(Batch) Fully Homomorphic Encryption over Integers for Non-Binary Message Spaces

Number Theory & Modern Cryptography

10 Public Key Cryptography : RSA

A Digital Signature Scheme based on CVP

Transcription:

Fully Homomorphic Encryption Thomas PLANTARD Universiy of Wollongong - thomaspl@uow.edu.au Plantard (UoW) FHE 1 / 24

Outline 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 2 / 24

Introduction 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 3 / 24

Introduction Privacy Homomorphism Raised in 1978 by Rivest, Adleman and Dertouzos To evaluate arbitrary number of ciphertext, without knowing corresponding plaintext. Example m 0 = 1 with c 0 = Enc(m0) = (01111111). m 1 = 0 with c 1 = Enc(m1) = (11010111). m 2 = 1 with c 2 = Enc(m2) = (10011000). C(x 0, x 1, x 2, x 3 ) = x 0 x 1 x 3 + x 1 x 2 + x 0 + 1 mod 2. How Find c 3 = Enc(C(m 0, m 2, m 1, m 2 )) without knowing m 0, m 1, m 2. Plantard (UoW) FHE 4 / 24

Formal Definition Fully homomorphic encryption scheme (FHE) A scheme H f consists following four algorithms: KeyGen; Encrypt; Decrypt; Eval. H f is fully homomorphic if for any c i = Encrypt(pk, m i ) and any permitted circuit C n, the following holds: Decrypt(sk, Eval n (pk, C n, c 1, c 2,..., c n )) = C n (m 1, m 2,..., m n ) Plantard (UoW) FHE 5 / 24

Applications Features To bring privacy to cloud computing; Cloud processes users data without necessity of decrypting it. Applications Data is private, Algorithm is public; Example: a hospital outsources its patients information to a research institute for acquiring further analysis from the institute, as the institute has more computational power compared to the hospital; Data is private, Algorithm is private too; Example: a company outsources its financial status to an auditing company, however, the auditing algorithm is auditing the company s private property. Plantard (UoW) FHE 6 / 24

Timeline Fully Homomorphic Encryption Schemes 1978 - Rivest, Adleman and Dertouzos: Privacy Homomorphism. 2009 - Craig Gentry: First FHE based on ideal lattice. 2010 - van Dijk, Gentry, Halevi and Vaikuntanathan: First FHE based on integer (Approximate-GCD problem); 2011 - Gentry-Halevi: First implementation of Gentry09. 2011 - Brakerski-Vaikuntanathan: First based on Ring Learning With Error. 2011 - Brakerski-Vaikuntanathan: First based on Learning With Error. Plantard (UoW) FHE 7 / 24

Gentry Framework 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 8 / 24

A real world scenario Alice s Jewellery store Alice puts materials in locked glovebox, Alice keeps the key, Bob assembles jewellery in the box, Alice unlocks box to get results. Plantard (UoW) FHE 9 / 24

Somewhat Homomorphic Encryption 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 10 / 24

Somewhat homomorphic encryption scheme (SHE) A simple scheme p: an odd integer, (secret key) r i : a small integer, (noise) with r i << p. g i : a big integer, Encrypt: c i = m i + 2r i + g i p. Decrypt: m = (c mod p) mod 2. An example m = 1, p = 107, g = 11, r = 5 Encrypt: c = m + 2r + gp = 1 + 2 5 + 11 107 = 1188. Decrypt: m = (c mod p) mod 2 = (1188 mod 107) mod 2 = 11 mod 2 = 1. Plantard (UoW) FHE 11 / 24

This scheme is already homomorphic. c 1 = m 1 + 2r 1 + g 1 p, c 2 = m 2 + 2r 2 + g 2 p. c 0 = c 1 + c 2 = (m 1 + m 2 ) + 2(r 1 + r 2 ) + (g 1 + g 2 )p. c 0 = c 1 c 2 = (m 1 m 2 )+2(2r 1 r 2 +m 1 r 2 +m 2 r)+(c 2 g 1 +c 1 g 2 +g 1 +g 2 )p. A simple example: a multiplication p = 107, m 1 = 1, m 2 = 0, r 1 = 5, r 2 = 3, g 1 = 11, g 2 = 12; c 1 = 1 + 2 5 + 11 107 = 1188; c 2 = 0 + 2 3 + 12 107 = 1290; c 0 = c 1 c 2 = 1532520; m 0 = (c 0 mod 107) mod 2 = 66 mod 2 = 0 = m 1 m 2 ; Plantard (UoW) FHE 12 / 24

Limitation An example of limitation Finding c 0 = c 1 c 2 c 3 : p = 107; m 1 = 1, m 2 = 0, m 3 = 1; r 1 = 5, r 2 = 3, r 3 = 4, g 1 = 11, g 2 = 12, g 3 = 13; c 1 = 1 + 2 5 + 11 107 = 1188; c 2 = 0 + 2 3 + 12 107 = 1290; c 3 = 1 + 2 4 + 13 107 = 1400; c 1 c 2 c 3 = 2145528000; (c 1 c 2 c 3 mod p) mod 2 = 1 m 1 m 2 m 3. ERROR!!! Plantard (UoW) FHE 13 / 24

Formal Definition Somewhat homomorphic encryption scheme (SHE) H s is somewhat homomorphic if there exist E H such that Eq. 1 holds when the depth of C is smaller than E H. Decrypt(sk, Eval n (pk, C n, c 1, c 2,..., c n )) = C n (m 1, m 2,..., m n ) (1) E H is the evaluation depth and is bounded. Alice s Jewellery Store The process generates lots of rubbish; the glovebox last for only 2 minutes, the process takes 10 minutes. Plantard (UoW) FHE 14 / 24

Bootstrapping 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 15 / 24

Bootstrapping Alice s Jewellery Store The glovebox last for only 2 minutes before being full, the process takes 10 minutes. Alice cuts the process into 10 pieces; Alice places 10 pieces into 10 different glovebox; Alice puts the 1st key into 2nd box, 2nd key into 3rd box... Alice keeps the 10th key. Bob starts with the 1st glovebox; When first glovebox is full, Bob put it into 2nd glovebox, unlock 1st and keep on processing... Plantard (UoW) FHE 16 / 24

Bootstrappability H s : a homomorphic encryption scheme; E H : evaluation circuit depth; D H : decryption circuit depth; H is a bootstrappable homomorphic encryption scheme if D H < E H. SHE Alice encrypts her data with her secret key. Alice gives Bob her secret key encrypted bit by bit. Bob evaluate one operation (addition, multiplication): E H E H 1 Use the rest of your evaluation depth to evaluate homomorphicly Decrypt. Plantard (UoW) FHE 17 / 24

Bootstrapping Plantard (UoW) FHE 18 / 24

Security/Open Problems 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 19 / 24

Principal Ideal Lattice p, γ, n Z such that γ n ±1 mod p. Find f Z[x] of degree < n such that Example f(γ) = 0 mod p, f i << p. p = 19601, γ = 17465, n = 8 such that 17465 8 1 mod 19601. f (x) = 2x 6 + x 5 + 2x 4 2x 3 + x 2 + x + 2 is such that f (17465) 0 mod 19601. Security Unknown asymptotic complexity Small Challenge Parameters: γ, p 2 184320, n = 512. Serious Challenge Parameters: γ, p 2 737280, n = 2048. Plantard (UoW) FHE 20 / 24

Approximate Greatest Common Divisor A i Z. Find p Z such that i, r i = (A i mod p) r i << p. Example A 1 = 1188, A 2 = 1290, A 3 = 1400 p = 107. (1188 mod 107 = 11), (1290 mod 107 = 6),(1400 mod 107 = 9). Security Unknown asymptotic complexity ( Factorization). Old Parameters: A i 2 3.109, #{A i } 3.10 9. New Parameters: A i > 2 19.106, #{A i } = 7659. Plantard (UoW) FHE 21 / 24

Learning With Error Problem s (Z/pZ) n, v i = sa T i + e i. Find s from a i, v i. Example 2s 0 + 6s 1 + 7s 2 + s 3 2 mod 17 5s 0 + 9s 1 + 2s 2 + 11s 3 7 mod 17 4s 0 + 9s 1 + 8s 2 + 13s 3 13 mod 17 9s 0 + s 1 + s 2 + 2s 3 5 mod 17... Security Some complexity equivalence GapUSVP. Some complexity equivalence GapSVP on quantum computer. Plantard (UoW) FHE 22 / 24

Conclusion 1 Introduction Privacy Homomorphism Applications Timeline 2 Gentry Framework Somewhat Homomorphic Encryption Bootstrapping 3 Security/Open Problems Principal Ideal Lattice Approximate GCD Learning With Error 4 Conclusion Plantard (UoW) FHE 23 / 24

Conclusion FHE is possible Construct a Somewhat Homomorphic Encryption (SHE) scheme; Bootstrap the squashed scheme; Requires the user to publish the encryption of its secret key; Major Problem: Efficiency In 2011, a 32-bits addition takes roughly 50 minutes with ideal lattice. In 2012, a 1-bit operation takes roughly 11 minutes with integer with 10MB keys. In 2012, a full AES utilization takes roughly 36 hours using 256GB of RAM based on RLWE. Plantard (UoW) FHE 24 / 24

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback