Download - Fully Homomorphic Encryption
![Page 1: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/1.jpg)
Fully Homomorphic Encryption
Paper by: Craig GentryPresented By: Daniel Henneberger
![Page 2: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/2.jpg)
What is homomorphic encryption?
![Page 3: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/3.jpg)
Computations on ciphertext which predictably modifies the plaintext
Operate on messages while they are encrypted
Data can be securely processed in unsecure environments◦ Cloud Computing◦ Databases◦ Voting machines
Homomorphic Encryption
![Page 4: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/4.jpg)
How it works
![Page 5: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/5.jpg)
How it works
![Page 6: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/6.jpg)
Keygen Encrypt Decrypt Evaluate
![Page 7: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/7.jpg)
1978 – Privacy Homomorphism
US government pumps millions in it
History
![Page 8: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/8.jpg)
Additive◦ E(m1) + E(m2) = E(m1+m2)
Multiplicative◦E(m1) * E(m2) = E(m1*m2)
Why just Add and Mul? ◦ Can evaluate any function◦ Turing complete over a ring
Types of Homomorphism
![Page 9: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/9.jpg)
Somewhat Homomorphic◦ You can do only do some functions◦ RSA
Fully Homomorphic◦ You can do all functions
Leveled Fully Homomorphic◦ Keysize can grow with depth of the function
Bootstrappable◦ Can evaluate its own decryption circuit
Types of Homomorphism
![Page 10: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/10.jpg)
Fully Homomorphic Encryption Using Ideal
LatticesCraig Gentry
Stanford University and IBM Watson2009
![Page 11: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/11.jpg)
“Most unbearably complicated topic ever” –Craig Gentry
![Page 12: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/12.jpg)
Before this paper, it was unknown if fully homomorphic encryption could exist
First feasible result Holy grail of encryption
17 results on YouTube!
Importance of this topic
![Page 13: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/13.jpg)
Ideal lattices are a form of difficult to compute mathematical problems
Similar to:◦ Integer Factorization◦ Discrete logarithm problem ◦ Elliptic curves over finite fields (Elliptical curve)
Closest vector problem Learning with errors Unbreakable with quantum computing
◦ Uses arbitrary approximations
MATH: Lattice
![Page 14: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/14.jpg)
Illustration - A lattice in R2
borrowed from tau.ac.il“Recipe”:1. Take two linearly independent vectors in R2.2. Close them for addition and for multiplication by an integer scalar.
Each point corresponds to a vector in the lattice
etc. ... etc. ...
![Page 15: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/15.jpg)
A cyclic lattice is ‘ideal’ (ring-based) NTRU – Asymmetric key cryptosystem that
uses ring-based lattices
Low circuit complexity Very fast Allows additive and multiplicative
homomorphism
MATH: Ideal Lattice
![Page 16: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/16.jpg)
Lots of math involved with this:◦ Cyclotomic Polynomials
Too much for this class time
More MATH
![Page 17: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/17.jpg)
Evaluate(pk,C, Encrypt(pk,m1),..., Encrypt(pk,mt)) = Encrypt(pk,C(m1,..., mt))
Steps◦ Create a general bootstrapping result◦ Initial construction using ideal lattices◦ Squash the decryption circuit to permit
bootstrapping
Advances
![Page 18: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/18.jpg)
General Bootstrapping Result
![Page 19: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/19.jpg)
Find a Public key scheme that is homomorphic for shallow circuits and uses ideal lattices◦ NTRUEncrypt
Ciphertext has a form of an ideal lattice + offset
Use a cyclic ring of keys◦ Hard to do◦ Large key size (GB)
Initial construction using ideal lattices
![Page 20: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/20.jpg)
“Squash the Decryption Circuit”
![Page 21: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/21.jpg)
Evaluate its own decryption circuit Provides ability to recrypt plaintext Must be allowed to recrypt augmented
versions to provide mathematical operations
Bootstrap Requirements
![Page 22: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/22.jpg)
Allows ‘unlimited’ additions◦ Recrypt algorithm
Greater multiplicative depth◦ log log (N) - log log (n-1)◦ Still bad
Improvements
![Page 23: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/23.jpg)
Can only evaluate in logarithmic depth◦ Ciphertext grows ◦ Noise increases
Addition- circuits can be corrected (recrypting) Multiplication- noise grows quickly
Not yet practical◦ Client must begin the decryption process to be
bootstrappable◦ Solution is approximate◦ >1 day to compute 1 message
Disadvantages
![Page 24: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/24.jpg)
PollyCracker Fully Homomorphic Encryption over the
Integers Fully Homomorphic Encryption over the
Binary Polynomials
Implementations
![Page 25: Fully Homomorphic Encryption](https://reader033.vdocument.in/reader033/viewer/2022061608/56816065550346895dcf903d/html5/thumbnails/25.jpg)
Many people have created new variants Implementations All slow
Finding shortcuts
AES-128 – Completed June 15th 2012◦ Computed with 256GB of ram (still limiting factor)◦ 24 Xeon cores◦ Took 5 days per operation
Since this paper