Soumettre la recherche
Mettre en ligne
HEpres2.ppt
•
Télécharger en tant que PPT, PDF
•
0 j'aime
•
13 vues
R
RahulShah109289
Suivre
Homomorphic Encryption
Lire moins
Lire la suite
Données & analyses
Affichage du diaporama
Signaler
Partager
Affichage du diaporama
Signaler
Partager
1 sur 32
Télécharger maintenant
Recommandé
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve Cryptography
IOSR Journals
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve Cryptography
IOSR Journals
Presentation on Cryptography_Based on IEEE_Paper
Presentation on Cryptography_Based on IEEE_Paper
Nithin Cv
SC-FDM-IDMA Scheme Employing BCH Coding
SC-FDM-IDMA Scheme Employing BCH Coding
IJECEIAES
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
iosrjce
B017631014
B017631014
IOSR Journals
Elliptic curve scalar multiplier using karatsuba
Elliptic curve scalar multiplier using karatsuba
IAEME Publication
Ecc cipher processor based on knapsack algorithm
Ecc cipher processor based on knapsack algorithm
Alexander Decker
Recommandé
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve Cryptography
IOSR Journals
Low Power FPGA Based Elliptical Curve Cryptography
Low Power FPGA Based Elliptical Curve Cryptography
IOSR Journals
Presentation on Cryptography_Based on IEEE_Paper
Presentation on Cryptography_Based on IEEE_Paper
Nithin Cv
SC-FDM-IDMA Scheme Employing BCH Coding
SC-FDM-IDMA Scheme Employing BCH Coding
IJECEIAES
A survey on Fully Homomorphic Encryption
A survey on Fully Homomorphic Encryption
iosrjce
B017631014
B017631014
IOSR Journals
Elliptic curve scalar multiplier using karatsuba
Elliptic curve scalar multiplier using karatsuba
IAEME Publication
Ecc cipher processor based on knapsack algorithm
Ecc cipher processor based on knapsack algorithm
Alexander Decker
Pilot induced cyclostationarity based method for dvb system identification
Pilot induced cyclostationarity based method for dvb system identification
iaemedu
Homomorphic Encryption
Homomorphic Encryption
Vipin Tejwani
FPGA based BCH Decoder
FPGA based BCH Decoder
ijsrd.com
Implementation performance analysis of cordic
Implementation performance analysis of cordic
iaemedu
Cloud computing and security final
Cloud computing and security final
Akash Kamble
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET Journal
Text Encryption and Decryption Technique using Columnar Transposition and Sub...
Text Encryption and Decryption Technique using Columnar Transposition and Sub...
IRJET Journal
On theory and applications of mathematics to security in cloud computing: a c...
On theory and applications of mathematics to security in cloud computing: a c...
Dr. Richard Otieno
Application of bpcs steganography to wavelet compressed video (synopsis)
Application of bpcs steganography to wavelet compressed video (synopsis)
Mumbai Academisc
Implementation of bpcs steganography (synopsis)
Implementation of bpcs steganography (synopsis)
Mumbai Academisc
Efficient ECC encryption for WSN’s
Efficient ECC encryption for WSN’s
IDES Editor
Design and Implementation of Encoder for (15, k) Binary BCH Code Using VHDL a...
Design and Implementation of Encoder for (15, k) Binary BCH Code Using VHDL a...
IOSR Journals
Edge-Fog Cloud
Edge-Fog Cloud
Nitinder Mohan
“Proposed Model for Network Security Issues Using Elliptical Curve Cryptography”
“Proposed Model for Network Security Issues Using Elliptical Curve Cryptography”
IOSR Journals
Paillier-ElGamal cryptosystem presentation
Paillier-ElGamal cryptosystem presentation
GauthamSK4
Composite Field Multiplier based on Look-Up Table for Elliptic Curve Cryptogr...
Composite Field Multiplier based on Look-Up Table for Elliptic Curve Cryptogr...
Marisa Paryasto
Mathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakes
Alexander Krizhanovsky
Secure image hiding in speech signal by steganography-mining and encryption
Secure image hiding in speech signal by steganography-mining and encryption
nooriasukmaningtyas
Data Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve Cryptography
IJCERT
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
Priyanka Aash
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
kumargunjan9515
Reconciling Conflicting Data Curation Actions: Transparency Through Argument...
Reconciling Conflicting Data Curation Actions: Transparency Through Argument...
Bertram Ludäscher
Contenu connexe
Similaire à HEpres2.ppt
Pilot induced cyclostationarity based method for dvb system identification
Pilot induced cyclostationarity based method for dvb system identification
iaemedu
Homomorphic Encryption
Homomorphic Encryption
Vipin Tejwani
FPGA based BCH Decoder
FPGA based BCH Decoder
ijsrd.com
Implementation performance analysis of cordic
Implementation performance analysis of cordic
iaemedu
Cloud computing and security final
Cloud computing and security final
Akash Kamble
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET Journal
Text Encryption and Decryption Technique using Columnar Transposition and Sub...
Text Encryption and Decryption Technique using Columnar Transposition and Sub...
IRJET Journal
On theory and applications of mathematics to security in cloud computing: a c...
On theory and applications of mathematics to security in cloud computing: a c...
Dr. Richard Otieno
Application of bpcs steganography to wavelet compressed video (synopsis)
Application of bpcs steganography to wavelet compressed video (synopsis)
Mumbai Academisc
Implementation of bpcs steganography (synopsis)
Implementation of bpcs steganography (synopsis)
Mumbai Academisc
Efficient ECC encryption for WSN’s
Efficient ECC encryption for WSN’s
IDES Editor
Design and Implementation of Encoder for (15, k) Binary BCH Code Using VHDL a...
Design and Implementation of Encoder for (15, k) Binary BCH Code Using VHDL a...
IOSR Journals
Edge-Fog Cloud
Edge-Fog Cloud
Nitinder Mohan
“Proposed Model for Network Security Issues Using Elliptical Curve Cryptography”
“Proposed Model for Network Security Issues Using Elliptical Curve Cryptography”
IOSR Journals
Paillier-ElGamal cryptosystem presentation
Paillier-ElGamal cryptosystem presentation
GauthamSK4
Composite Field Multiplier based on Look-Up Table for Elliptic Curve Cryptogr...
Composite Field Multiplier based on Look-Up Table for Elliptic Curve Cryptogr...
Marisa Paryasto
Mathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakes
Alexander Krizhanovsky
Secure image hiding in speech signal by steganography-mining and encryption
Secure image hiding in speech signal by steganography-mining and encryption
nooriasukmaningtyas
Data Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve Cryptography
IJCERT
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
Priyanka Aash
Similaire à HEpres2.ppt
(20)
Pilot induced cyclostationarity based method for dvb system identification
Pilot induced cyclostationarity based method for dvb system identification
Homomorphic Encryption
Homomorphic Encryption
FPGA based BCH Decoder
FPGA based BCH Decoder
Implementation performance analysis of cordic
Implementation performance analysis of cordic
Cloud computing and security final
Cloud computing and security final
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
IRJET- Secure Data on Multi-Cloud using Homomorphic Encryption
Text Encryption and Decryption Technique using Columnar Transposition and Sub...
Text Encryption and Decryption Technique using Columnar Transposition and Sub...
On theory and applications of mathematics to security in cloud computing: a c...
On theory and applications of mathematics to security in cloud computing: a c...
Application of bpcs steganography to wavelet compressed video (synopsis)
Application of bpcs steganography to wavelet compressed video (synopsis)
Implementation of bpcs steganography (synopsis)
Implementation of bpcs steganography (synopsis)
Efficient ECC encryption for WSN’s
Efficient ECC encryption for WSN’s
Design and Implementation of Encoder for (15, k) Binary BCH Code Using VHDL a...
Design and Implementation of Encoder for (15, k) Binary BCH Code Using VHDL a...
Edge-Fog Cloud
Edge-Fog Cloud
“Proposed Model for Network Security Issues Using Elliptical Curve Cryptography”
“Proposed Model for Network Security Issues Using Elliptical Curve Cryptography”
Paillier-ElGamal cryptosystem presentation
Paillier-ElGamal cryptosystem presentation
Composite Field Multiplier based on Look-Up Table for Elliptic Curve Cryptogr...
Composite Field Multiplier based on Look-Up Table for Elliptic Curve Cryptogr...
Mathematics and development of fast TLS handshakes
Mathematics and development of fast TLS handshakes
Secure image hiding in speech signal by steganography-mining and encryption
Secure image hiding in speech signal by steganography-mining and encryption
Data Security Using Elliptic Curve Cryptography
Data Security Using Elliptic Curve Cryptography
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
Dernier
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
kumargunjan9515
Reconciling Conflicting Data Curation Actions: Transparency Through Argument...
Reconciling Conflicting Data Curation Actions: Transparency Through Argument...
Bertram Ludäscher
Sonagachi * best call girls in Kolkata | ₹,9500 Pay Cash 8005736733 Free Home...
Sonagachi * best call girls in Kolkata | ₹,9500 Pay Cash 8005736733 Free Home...
HyderabadDolls
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Klinik kandungan
RESEARCH-FINAL-DEFENSE-PPT-TEMPLATE.pptx
RESEARCH-FINAL-DEFENSE-PPT-TEMPLATE.pptx
ronsairoathenadugay
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
nirzagarg
Computer science Sql cheat sheet.pdf.pdf
Computer science Sql cheat sheet.pdf.pdf
SayantanBiswas37
Charbagh + Female Escorts Service in Lucknow | Starting ₹,5K To @25k with A/C...
Charbagh + Female Escorts Service in Lucknow | Starting ₹,5K To @25k with A/C...
HyderabadDolls
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
nirzagarg
Top profile Call Girls In Latur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Latur [ 7014168258 ] Call Me For Genuine Models We ...
gajnagarg
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
kumargunjan9515
Predicting HDB Resale Prices - Conducting Linear Regression Analysis With Orange
Predicting HDB Resale Prices - Conducting Linear Regression Analysis With Orange
ThinkInnovation
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
wsppdmt
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
gajnagarg
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
vexqp
Top profile Call Girls In bhavnagar [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In bhavnagar [ 7014168258 ] Call Me For Genuine Models...
gajnagarg
Kings of Saudi Arabia, information about them
Kings of Saudi Arabia, information about them
eitharjee
TrafficWave Generator Will Instantly drive targeted and engaging traffic back...
TrafficWave Generator Will Instantly drive targeted and engaging traffic back...
SOFTTECHHUB
Gulbai Tekra * Cheap Call Girls In Ahmedabad Phone No 8005736733 Elite Escort...
Gulbai Tekra * Cheap Call Girls In Ahmedabad Phone No 8005736733 Elite Escort...
gragchanchal546
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
ZurliaSoop
Dernier
(20)
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
Top Call Girls in Balaghat 9332606886Call Girls Advance Cash On Delivery Ser...
Reconciling Conflicting Data Curation Actions: Transparency Through Argument...
Reconciling Conflicting Data Curation Actions: Transparency Through Argument...
Sonagachi * best call girls in Kolkata | ₹,9500 Pay Cash 8005736733 Free Home...
Sonagachi * best call girls in Kolkata | ₹,9500 Pay Cash 8005736733 Free Home...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
Jual obat aborsi Bandung ( 085657271886 ) Cytote pil telat bulan penggugur ka...
RESEARCH-FINAL-DEFENSE-PPT-TEMPLATE.pptx
RESEARCH-FINAL-DEFENSE-PPT-TEMPLATE.pptx
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In Begusarai [ 7014168258 ] Call Me For Genuine Models...
Computer science Sql cheat sheet.pdf.pdf
Computer science Sql cheat sheet.pdf.pdf
Charbagh + Female Escorts Service in Lucknow | Starting ₹,5K To @25k with A/C...
Charbagh + Female Escorts Service in Lucknow | Starting ₹,5K To @25k with A/C...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Hapur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Latur [ 7014168258 ] Call Me For Genuine Models We ...
Top profile Call Girls In Latur [ 7014168258 ] Call Me For Genuine Models We ...
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
Fun all Day Call Girls in Jaipur 9332606886 High Profile Call Girls You Ca...
Predicting HDB Resale Prices - Conducting Linear Regression Analysis With Orange
Predicting HDB Resale Prices - Conducting Linear Regression Analysis With Orange
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
如何办理英国诺森比亚大学毕业证(NU毕业证书)成绩单原件一模一样
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
Top profile Call Girls In Chandrapur [ 7014168258 ] Call Me For Genuine Model...
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
怎样办理圣地亚哥州立大学毕业证(SDSU毕业证书)成绩单学校原版复制
Top profile Call Girls In bhavnagar [ 7014168258 ] Call Me For Genuine Models...
Top profile Call Girls In bhavnagar [ 7014168258 ] Call Me For Genuine Models...
Kings of Saudi Arabia, information about them
Kings of Saudi Arabia, information about them
TrafficWave Generator Will Instantly drive targeted and engaging traffic back...
TrafficWave Generator Will Instantly drive targeted and engaging traffic back...
Gulbai Tekra * Cheap Call Girls In Ahmedabad Phone No 8005736733 Elite Escort...
Gulbai Tekra * Cheap Call Girls In Ahmedabad Phone No 8005736733 Elite Escort...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
Jual Obat Aborsi Surabaya ( Asli No.1 ) 085657271886 Obat Penggugur Kandungan...
HEpres2.ppt
1.
Homomorphic Encryption Alexander Maximov
2.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 2 Overview • History • Partially Homomorphic Encryption Schemes • HE Usage Scenarios • Somewhat HE and Fully HE over the Integers • Bootstrapping Technique • Ciphertext Squashing Technique • Ciphertext Reduction Technique • Converting Somewhat HE to Fully HE • Approximate GCD Problem • Recent Research Results • BGV FHE Scheme • Leveled FHE with(out) Bootstrapping • Performance, Implementations, Patents
3.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 3 Introduction Common notations: pk – public key sk – secret key m – message c – ciphertext c = Encryptpk(m) m=Decryptsk(c) Em(pk) - encryption algorithm as a circuit Dm(sk) - decryption algorithm as a circuit f – is the function or circuit that we want to evaluate on plaintext F – is the function or circuit that corresponds to f and operates on ciphertext in the cryptosystem c1=Encryptpk(m1) … cn=Encryptpk(mn) m=Decryptsk(c) c=F(c1,...,cn)
4.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 4 PartialLY HE Multiplicative Partially HE Unpadded RSA pk=(n,e) c=Epk(m)=me mod n c1*c2=m1 e m2 e mod n = Epk(m1*m2) Additive Partially HE Paillier scheme pk=(n,g) c=Epk(m)=gm rn mod n2 r in {0,…,n-1} – some random value c1*c2= (gm1 r1n )*(gm2 r2 n ) mod n = gm1+m2 (r1r2)n mod n=Epk(m1+m2)
5.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 5 HE Usage Scenarios · Cloud Computing: storage, computation, search query · Spam filtering: Blacklisting encrypted mails. · Medical Applications (Private data, Public functions): search, cloud computation of certain functions (patient’s condition, etc) on behalf of the patient. Analyze disease/ treatment without disclosing them. Search for DNA markers without revealing DNA · Financial Applications (Private data, Private functions): computations on encrypted data such as data about companies, their stock price, or their performance or inventory. The customer may upload encrypted program/function to compute on encrypted data. · Advertising and Pricing: Assume a customer has a mobile phone and uploads his data, such as location, email, time of the day, browsing activity, stream from the camera, etc. The advertising company computes some function to decide which ad is to be sent back to the client. · Electronic voting: need to calculate the result of the voting without decrypting any ballots. More properties are there… · Data Mining: HE solution is both fully private and fully accurate. Allows data miner to compute frequencies of values on the customer data, without revealing the data itself. · Biometric Authentication: relation between biometric trait and personal identity must be hidden, i.e., comparison of the trait and the database fields must be encrypted.
6.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 6 Real-Life Usage Helios: Web-Based Open-Audit Voting Ben Adida, Harvard University · Real-life HE application. · Anyone can create and run an election · Any willing observer can audit the entire process · Uses HE property of the ElGamal cryptosystem to calculate the tally without decrypting of any ballots.
7.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 7 Does Fully Homomorphic Encryption Ever Exists? Fully Homomorphic Encryption (FHE). Some Properties. FHE property (simplified): · Decryptsk(c1*c2)=m1*m2 · Decryptsk(c1+c2)=m1+m2 I.e.: Decryptsk(F(c1,…,cn))=F(m1,…,mn) FHE may support another set of operations to support a ring of plaintexts. Examples: AND, XOR FHE can be: · Public key schemes · Symmetric key schemes
8.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 8 “Holy Grail” for 30 years 1978 Rivest, Adleman, and Dertouzos propose the idea of fully homomorphic encryption (FHE) 1980 1990 2000 2010 June 25, 2009. Craig Gentry announced the first FHE scheme (PhD Thesis, Stanford University). The scheme is based on ideal lattices cryptography 1982. Goldwasser-Micali cryptosystem 1999. Paillier cryptosystem 2005. Boneh-Goh-Nissim cryptosystem (infinite ADD, one MUL) 1998. Okamoto-Uchiyama cryptosystem 1998. Naccache-Stern cryptosystem 2001. DamgÅrd-Jurik cryptosystem 1994. Benaloh cryptosystem 2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based on integers. 2010. Gentry-Halevi working implementation of FHE. April 2013. HElib. IBM releases first public FHE library (c++) with BGV scheme and optimizations. ~30 Years 2012. Brakerski-Gentry-Vaikuntanathan. FHE without Bootstrapping. 2012. Gentry-Halevi-Smart. Homomorphic Evaluation of the AES Circuit.
9.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 9 Types of HE Schemes Homomorphic Encryption (HE) = type of computation for a set of functions f(m1,…,mn) carried on ciphertexts Enc(m1)...Enc(mn) with a corresponding function F such that f(m1,…,mn) = Dec(F(Enc(m1),…,Enc(mn))) Partially HE (PHE) = HE scheme where only one type of operations is possible (multiplication or addition) Somewhat HE (SHE) = HE scheme that can do a limited number of additions and multiplications Fully HE (FHE) = HE scheme that can perform an infinite number of additions and multiplications
10.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 10 SHE over the Integers SHE over the INTEGERS – SYMMETRIC KEY SCHEME 2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based on integers. KeyGen: key is an odd integer pÎ[2h-1 , 2h ). Encrypt(p, m): to encrypt one bit mÎ[0,1] c = pq+2r+m q, r – are chosen random, such that |2r|<p/2. Decrypt(p, c): m = (c mod p) mod 2 Proposed constraint: p~2h , q~2h^3 , r~2sqrt(h) .
11.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 11 SHE over the Integers ADDITION: Decrypt(c1+c2,p) = ((pq1+2r1+m1)+(pq2+2r2+m2) mod p) mod 2 = (p(q1+q2)+2(r1+r2)+(m1+m2) mod p) mod 2 = 2(r1+r2)+(m1+m2) mod 2 = m1 Å m2 MULTIPLICATION: Decrypt(c1*c2,p) =((pq1+2r1+m1)*(pq2+2r2+m2) mod p) mod 2 =(p(pq1q2+2q1r2+q1m2+2q2r1+q2m1)+ 2(2r1r2+r1m2+m2r1)+m1m2) mod p) mod 2 = 2(2r1r2+r1m2+m2r1)+m1m2 mod 2 = m1 Ä m2 · The scheme is both additively and multiplicatively homomorphic for shallow arithmetic circuits. · The number of ADD and MUL is limited since the noise grows. · The noise r must be sufficiently smaller than p to allow more ADDs and MULs.
12.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 12 SHE over the Integers x a b 1 q f(x, a, b): if(x==1) q=a; else q=b F(ca, cx, cb, c1): cq = (ca*cx)+(cx+c1)*cb Any computer program can be represented in terms of AND-XOR gates ci = pqi+2ri+mi r-bits p-bits p*q-bits c1 c2 c1+c2 c1*c2 Ciphertext and noise size expansion
13.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 13 Noise Count Noise Magnitude The degree of noise can be calculated by the evaluator internally. Assume two arguments to an operation · c1 – has the noise of degree n1 bits · c2 – has the noise of degree n2 bits The result of: · ADD(c1, c2) => noise of degree log2(2n1 +2n2 ) bits · MUL(c1, c2) => noise of degree (n1+n2) bits Only when the noise would be larger than p-bits then the evaluator must do the “refreshment” step.
14.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 14 SHE over the Integers SHE over the INTEGERS – PUBLIC KEY SCHEME KeyGen: pk=<x0,…,xt>, where: xi = pqi+ri, unless x0 is the largest, q0 is odd and r0 is even Encrypt(pk, mÎ{0,1}): c = (m+2r+2åiÎS(xi)) mod x0 Where S is a random subset of pk, and r is a random noise. Decrypt(sk=p, c): m = (c mod p) mod 2 Encryption can now be viewed as: adding m to a random subset sum of “encryptions of zero”
15.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 15 Ciphertext Reduction Compactness Property This means that the bit-length of the resulting ciphertext does not depend on the evaluation function F. For this reason we do: · add more “encryptions of zero” to the public key yj such that they use larger q’s. y0 must be of bit-length from |x0|…2|x0|. · after each operation (ADD or MUL) we select yj such that a substraction from the result of the operation will lead again to a ciphertext of size |x0|. Multiplication doubles the number of bits of the ciphertext, but bringing it back to the initial size would cost just an addition of a few trivial noises from yj. Consequence: Evaluation of c1*c2+c1*c3 and c1*(c2+c3) will result in different ciphertexts, although the same result in plaintext.
16.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 16 Bootstrapping Bootstrapping · Assume SHE can evaluate circuits F up to the depth d. · Assume F=Dsk(m) is the decryption algorithm, that can be evaluated by SHE at most depth (d-1). I.e., to decrypt plus “a little more”. Then SHE is called bootstrappable and can be converted to FHE. USER Key1=(pk1, sk1) Input=m c1'=Encryptpk1(m) COMPUTING CLOUD Evaluate F1(c1') c1 – with heavy noise, but still possible to decrypt Key2=(pk2, sk2) Esk1=Encryptpk2(sk1) pk2,Esk1 Ec1=Encryptpk2(c1) Evaluate DecryptEsk1(Ec1) Evaluate F2(c2') c2' – now encrypted by pk2 and “refreshed” noise Result=Decryptskn(cn) REPEAT until all Fis are evaluated c2 pk1,c1' Key3=(pk3, sk3) Esk2=Encryptpk3(sk2) pk3,Esk2 depth (d-t) depth t cn
17.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 17 SHEFHE over the Integers FHE over the INTEGERS – Convert SHE to FHE F=Dsk(m) becomes simple if we use the technique called “squashing the decryption circuit”. Idea: add to pk some information about sk so that Dsk(m) becomes simpler and SWH becomes bootstrappable. Price: · public key contains more information · ciphertext is larger
18.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 18 Squashing Technique s – sparse Θ bit vector S = {i:si=1}, must be s.t. |S|=θ 0 0,1001101101 1 0 1 0 0 0 1 0 0 1,0001100110 0,1100010110 0,1000010110 0,0010000101 1,1100100101 1,0010100111 1,1001101101 0,0100101011 1,1101011010 s y Squashing the Decryption Circuit Three more parameters: θ, Θ, κ - chosen appropriately in accordance with the security parameter λ. yi – random rational Î[0,2) with precision κ. s.t. åiÎS(yi)≈ 1/p-Δ, |Δ|<2-κ pk=(pk as before + y) sk=s Encryptpk(m): c as before, plus z s.t zi=c·yi mod 2, i=1..Θ Keep n=ëlogθù+3 precision bits for zi Decryptsk(c): m=(c- ëåi(si·zi)ù ) mod 2
19.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 19 Security. Approximate GCD Assume we know many {xi=p*qi+ri} where the noise ri is much smaller than p. We need to find the approximate gcd(xi)=p. Brute-force approach: Take x0 and x1 and try all possible values of r0 and r1 Problem: The chosen parameters are such that exhaustive search meets the security parameter λ . Divisor of p: Guess a large divisor d|p, for d>|r|. Test the guess: all (xi mod d) must be of size of the noise r. Then p=d*gcd(xi/d) Problem: guessing is as difficult as the brute-force attack
20.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 20 Security. Approximate GCD Given n xi’s, we want to find a set of n linear combinations: zk = åi=1..n(akixi) such that: · The total noise for zk is = maxnoise* åi=1..n(ai) is <<p · zk is ~p or <<p Then we say that: · if zk<<p then we deal with åi=1..n(aki(p*qi+ri)) = 0*p+noise(zk) Divide by p, and we get noise-free equation: åi=1..n(akiqi) = 0 · If zk~p then, similarly, we deal with åi=1..n(akiqi) = 1 Find all (or one) qi with Gaussian elimination. then p = ëxi/qiù
21.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 21 ALG PARAMS: p~2^16, q~2^16, r~2^8, #eq=12 Secret p=97083 Vector of initial values x_i = {p*q_i+r_i}: x_0 (29 bits)=614535439 = p*6330 + 49 x_1 (30 bits)=1617402906 = p*16660 + 126 x_2 (30 bits)=2084663351 = p*21473 + 92 x_3 (31 bits)=2149029378 = p*22136 + 90 x_4 (31 bits)=2467558848 = p*25417 + 237 x_5 (31 bits)=2504547489 = p*25798 + 255 x_6 (31 bits)=2760166833 = p*28431 + 60 x_7 (31 bits)=3269949614 = p*33682 + 8 x_8 (31 bits)=3812837993 = p*39274 + 251 x_9 (31 bits)=4045837111 = p*41674 + 169 x_10 (32 bits)=4952398228 = p*51012 + 232 x_11 (32 bits)=5135108340 = p*52894 + 138 Found set of linear equatiuons with low noise: 291 = +x0 +x2 +x3 +x4 -x7 -x9 890 = 3*x1 +x3 +2*x5 -x7 +2*x8 -4*x9 +x10 -x11 833 = -x0 +x1 +x2 +x3 -2*x4 +4*x5 +x6 -4*x7 47 = -2*x1 -4*x2 -5*x3 +4*x4 -x5 -6*x6 +2*x7 -3*x8 +9*x9 40 = -x0 +2*x1 +3*x2 +x4 +5*x5 -4*x6 +7*x7 -3*x8 -6*x9 30 = -x0 +6*x2 -3*x3 +6*x4 +3*x5 +6*x7 -5*x8 -7*x9 Example of converting to equations on q’s: 291 = +x0 +x2 +x3 +x4 -x7 -x9 è 0 = q0+q2+q3+q4-q7-q9 è 6330+21473+22136+25417-33682-41674 must be 0 (Check!) Security. Approximate GCD
22.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 22 x1 x2 xn t bits · Try all possible t-bit values for a1...an such that a new linear combination yj=x1*a1+…+xnan - has all zeros on the highest t bits. · Remove yj’s with the highest noise and keep n with the smallest noise. · Repeat the procedure for y-values and remove the next t bits, until we get the values ~p or <<p. Security. Approximate GCD
23.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 23 Security. Approximate GCD Some improvements can apply: · Intermediate sets ys can be much larger than the initial set x. · t is variable for each round. Can be smaller in the beginning, and larger in the next rounds, if we will keep more of the best equations y. · It is beneficial if the high t-bits of xi’s (or yj’s) will first be moved to int-type, then arithmetical operations are faster. · It is also good to limit Hamming weight of a, so that we only test for pairs xi±xj and triples xi±xj±xk. This way, the noise is kept low, but the number of combinations is sufficient to eliminate t high bits and still have a new set of y for the next round. · etc... P ~2128 ~2256 q ~22048 ~26000 r ~232 ~264 z.TotNoise ~2106 ~2270 #eq=|x| 32 48
24.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 24 New Recent Research 2011. Craig Gentry and Shai Halevi. Fully homomorphic encryption without squashing using depth-3 arithmetic circuits. 2011. Zvika Brakerski and Vinod Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. Found different ways to construct FHE without using the squashing step 2012. Zvika Brakerski, Craig Gentry and Vinod Vaikuntanathan. Fully homomorphic encryption without bootstrapping. BGV scheme to construct a FHE of a desired depth D, based on Ring LWE. I.e., no bootstrapping is needed. 2012. Craig Gentry, Shai Halevi, and Nigel P. Smart. Homomorphic evaluation of the AES circuit. 2013. HELib. IBM. 2013. Jacob Alperin- Sheriff and Chris Peikert. Practical bootstrapping in Quasilinear Time. 2011. N.P. Smart and F. Vercauteren. Fully Homomorphic SIMD Operations. Way to Evaluate on packed ciphertext 2013. CryptDB. MIT.
25.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 25 BGV: Leveled FHE Scheme BGV Scheme. Noise Management Technique (Leveled FHE). Lemma: Assume we have cp meaning that p is our secret. Choose another odd q<<p and do cq = (q/p)*cp – take the closest integer s.t. cq=cp mod 2 Then cq encrypts the same message m under the new (and smaller) odd q, but the noise is also smaller roughly by the same ratio (q/p). In BGV they propose: Noise magnitude is x For a larger odd p generate pi≈p/xi for i<k; After MUL of two mod-p0 ciphertexts, the noise magnitude is x2 . Switch to the smaller mod-p1. The magnitude returns to the level x. The more k the more MULs we can do for free. This makes it possible to avoid bootstrapping at all!
26.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 26 BGV: Leveled FHE Scheme c1 mod-p0 c2 mod-p0 p0 p1 x c1*c2 mod-p0 Multiplication Modulus Switching Ciphertext Size Reduction c1*c2 mod-p1 c1*c2 mod-p1
27.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 27 Performance 2010. SHE Performance 1 000 000 000 000x [...] A simple string search using homomorphic encryption is about a trillion times slower than without encryption. Dimension 2048 (800,000 bit ints) 8192 (3,200,000 bit ints) 32768 (13,000,000 bit ints) KeyGen 1.25 s. 10 s. 95 s. Enc (amort) .060 sec .7 sec 5.3 sec Mult/Dec .023 s. .12 s. .6 s. Degree ~200 ~200 ~200 2010. FHE Performance Dimension 2048 8192 32768 KeyGen 40 s. 8 min. 2 hrs PK size 70 Mbyte 285 Mbyte 2.3 Gb ReCrypt 31 sec 3 min 30 min
28.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 28 Evaluation of AES 2012. Homomorphic Evaluation of the AES Circuit Gentry-Halevi-Smart AES-128, 10 rounds 256GB of RAM, D=60. Variant 1: 36 hours, 54 blocks (SIMD technique to use more plaintext slots in each ciphertext, so that operations are done in parallel for free) First round – 7 hours Last round – 30 min Amortized speed ~ 40 min/block Variant 2: 2,5 days, 720 blocks Amortized speed ~ 5 min/block
29.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 29 HElib 2013. HElib. IBM. Based on BGV scheme, based on ideal lattices, SIMD operations on packed ciphertext, quasi-linear bootstrapping, and many other improvement technique. - Does not support bootstrapping (reencrypt) operation. - GPL licensed λ =80 bits of security Modulus 257 8209 65537 Number of Slots 44 22 2 Time for ADD (ms) 0.7 0.7 2.9 Time for MUL (ms) 39 38 177
30.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 30 Patents Activity Patents Activity
31.
EAB/TZ Alexander Maximov
| Public | © Ericsson AB 2013 | 2013-12-13 | Page 31 “Vision of a fully homomorphic cryptosystem have been dancing in cryptographers’ heads for thirty years. [...] It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure.” - Bruce Schneier, April 2013 “Should be usable in niche applications within a year or two.” - Halevi, 2012
Notes de l'éditeur
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
2013-12-13
Télécharger maintenant