HEpres2.ppt

Homomorphic
Encryption
Alexander Maximov

EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 2
Overview
• History
• Partially Homomorphic Encryption Schemes
• HE Usage Scenarios
• Somewhat HE and Fully HE over the Integers
• Bootstrapping Technique
• Ciphertext Squashing Technique
• Ciphertext Reduction Technique
• Converting Somewhat HE to Fully HE
• Approximate GCD Problem
• Recent Research Results
• BGV FHE Scheme
• Leveled FHE with(out) Bootstrapping
• Performance, Implementations, Patents

Introduction
Common notations:
pk – public key
sk – secret key
m – message
c – ciphertext
c = Encryptpk(m)
m=Decryptsk(c)
Em(pk) - encryption algorithm as a circuit
Dm(sk) - decryption algorithm as a circuit
f – is the function or circuit that we want to
evaluate on plaintext
F – is the function or circuit that
corresponds to f and operates on ciphertext
in the cryptosystem
c1=Encryptpk(m1)
…
cn=Encryptpk(mn)
m=Decryptsk(c)
c=F(c1,...,cn)

PartialLY HE
Multiplicative Partially HE
Unpadded RSA
pk=(n,e)
c=Epk(m)=me
mod n
c1*c2=m1
e
m2
e
mod n = Epk(m1*m2)
Additive Partially HE
Paillier scheme
pk=(n,g)
c=Epk(m)=gm
rn
mod n2
r in {0,…,n-1} – some random value
c1*c2= (gm1
r1n
)*(gm2
r2
n
) mod n =
gm1+m2
(r1r2)n
mod n=Epk(m1+m2)

HE Usage Scenarios
· Cloud Computing: storage, computation, search query
· Spam filtering: Blacklisting encrypted mails.
· Medical Applications (Private data, Public functions): search, cloud computation of
certain functions (patient’s condition, etc) on behalf of the patient. Analyze disease/
treatment without disclosing them. Search for DNA markers without revealing DNA
· Financial Applications (Private data, Private functions): computations on encrypted
data such as data about companies, their stock price, or their performance or
inventory. The customer may upload encrypted program/function to compute on
encrypted data.
· Advertising and Pricing: Assume a customer has a mobile phone and uploads his
data, such as location, email, time of the day, browsing activity, stream from the
camera, etc. The advertising company computes some function to decide which ad is
to be sent back to the client.
· Electronic voting: need to calculate the result of the voting without decrypting any
ballots. More properties are there…
· Data Mining: HE solution is both fully private and fully accurate. Allows data miner to
compute frequencies of values on the customer data, without revealing the data itself.
· Biometric Authentication: relation between biometric trait and personal identity
must be hidden, i.e., comparison of the trait and the database fields must be
encrypted.

Real-Life Usage
Helios: Web-Based Open-Audit Voting
Ben Adida, Harvard University
· Real-life HE application.
· Anyone can create and run an election
· Any willing observer can audit the entire process
· Uses HE property of the ElGamal cryptosystem to calculate the
tally without decrypting of any ballots.

Does Fully Homomorphic
Encryption Ever Exists?
Fully Homomorphic Encryption (FHE). Some Properties.
FHE property (simplified):
· Decryptsk(c1*c2)=m1*m2
· Decryptsk(c1+c2)=m1+m2
I.e.:
Decryptsk(F(c1,…,cn))=F(m1,…,mn)
FHE may support another set of operations to support a ring of
plaintexts. Examples: AND, XOR
FHE can be:
· Public key schemes
· Symmetric key schemes

“Holy Grail” for 30 years
1978 Rivest, Adleman, and Dertouzos propose the idea
of fully homomorphic encryption (FHE)
1980
1990
2000
2010
June 25, 2009. Craig Gentry announced the first FHE
scheme (PhD Thesis, Stanford University). The
scheme is based on ideal lattices cryptography
1982. Goldwasser-Micali cryptosystem
1999. Paillier cryptosystem
2005. Boneh-Goh-Nissim cryptosystem
(infinite ADD, one MUL)
1998. Okamoto-Uchiyama
cryptosystem
1998. Naccache-Stern cryptosystem
2001. DamgÅrd-Jurik cryptosystem
1994. Benaloh cryptosystem
2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second
FHE scheme based on integers.
2010. Gentry-Halevi working implementation of FHE.
April 2013. HElib. IBM releases first public FHE library
(c++) with BGV scheme and optimizations.
~30 Years
2012. Brakerski-Gentry-Vaikuntanathan. FHE without
Bootstrapping.
2012. Gentry-Halevi-Smart. Homomorphic Evaluation
of the AES Circuit.

Types of HE Schemes
Homomorphic Encryption (HE) = type of computation for a set of
functions f(m1,…,mn) carried on ciphertexts Enc(m1)...Enc(mn) with a
corresponding function F such that
f(m1,…,mn) = Dec(F(Enc(m1),…,Enc(mn)))
Partially HE (PHE) = HE scheme where only one type of operations is
possible (multiplication or addition)
Somewhat HE (SHE) = HE scheme that can do a limited number of
additions and multiplications
Fully HE (FHE) = HE scheme that can perform an infinite number of
additions and multiplications

SHE over the Integers
SHE over the INTEGERS – SYMMETRIC KEY SCHEME
2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based
on integers.
KeyGen: key is an odd integer pÎ[2h-1
, 2h
).
Encrypt(p, m): to encrypt one bit mÎ[0,1]
c = pq+2r+m
q, r – are chosen random, such that |2r|<p/2.
Decrypt(p, c):
m = (c mod p) mod 2
Proposed constraint: p~2h
, q~2h^3
, r~2sqrt(h)
.

ADDITION:
Decrypt(c1+c2,p) = ((pq1+2r1+m1)+(pq2+2r2+m2) mod p) mod 2
= (p(q1+q2)+2(r1+r2)+(m1+m2) mod p) mod 2
= 2(r1+r2)+(m1+m2) mod 2
= m1 Å m2
MULTIPLICATION:
Decrypt(c1*c2,p) =((pq1+2r1+m1)*(pq2+2r2+m2) mod p) mod 2
=(p(pq1q2+2q1r2+q1m2+2q2r1+q2m1)+
2(2r1r2+r1m2+m2r1)+m1m2) mod p) mod 2
= 2(2r1r2+r1m2+m2r1)+m1m2 mod 2
= m1 Ä m2
· The scheme is both additively and multiplicatively homomorphic for
shallow arithmetic circuits.
· The number of ADD and MUL is limited since the noise grows.
· The noise r must be sufficiently smaller than p to allow more ADDs and
MULs.

x
a
b
1
q
f(x, a, b): if(x==1) q=a; else q=b
F(ca, cx, cb, c1): cq = (ca*cx)+(cx+c1)*cb
Any computer program can be represented
in terms of AND-XOR gates
ci = pqi+2ri+mi
r-bits
p-bits
p*q-bits
c1
c2
c1+c2
c1*c2
Ciphertext and noise size expansion

Noise Count
Noise Magnitude
The degree of noise can be calculated by the evaluator
internally.
Assume two arguments to an operation
· c1 – has the noise of degree n1 bits
· c2 – has the noise of degree n2 bits
The result of:
· ADD(c1, c2) => noise of degree log2(2n1
+2n2
) bits
· MUL(c1, c2) => noise of degree (n1+n2) bits
Only when the noise would be larger than p-bits then
the evaluator must do the “refreshment” step.

SHE over the INTEGERS – PUBLIC KEY SCHEME
KeyGen: pk=<x0,…,xt>, where:
xi = pqi+ri, unless x0 is the largest, q0 is odd and r0 is even
Encrypt(pk, mÎ{0,1}): c = (m+2r+2åiÎS(xi)) mod x0
Where S is a random subset of pk, and r is a random noise.
Decrypt(sk=p, c): m = (c mod p) mod 2
Encryption can now be viewed as:
adding m to a random subset sum of “encryptions of zero”

Ciphertext Reduction
Compactness Property
This means that the bit-length of the resulting ciphertext does not depend on
the evaluation function F.
For this reason we do:
· add more “encryptions of zero” to the public key yj such that they use larger
q’s. y0 must be of bit-length from |x0|…2|x0|.
· after each operation (ADD or MUL) we select yj such that a substraction
from the result of the operation will lead again to a ciphertext of size |x0|.
Multiplication doubles the number of bits of the ciphertext, but bringing it back
to the initial size would cost just an addition of a few trivial noises from yj.
Consequence:
Evaluation of c1*c2+c1*c3 and c1*(c2+c3) will result in different ciphertexts,
although the same result in plaintext.

Bootstrapping
Bootstrapping
· Assume SHE can evaluate circuits F up
to the depth d.
· Assume F=Dsk(m) is the decryption
algorithm, that can be evaluated by
SHE at most depth (d-1). I.e., to
decrypt plus “a little more”.
Then SHE is called bootstrappable and
can be converted to FHE.
USER
Key1=(pk1, sk1)
Input=m
c1'=Encryptpk1(m)
COMPUTING CLOUD
Evaluate
F1(c1')
c1 – with heavy noise, but
still possible to decrypt
Key2=(pk2, sk2)
Esk1=Encryptpk2(sk1) pk2,Esk1 Ec1=Encryptpk2(c1)
Evaluate
DecryptEsk1(Ec1)
Evaluate
F2(c2')
c2' – now encrypted by
pk2 and “refreshed” noise
Result=Decryptskn(cn)
REPEAT until all Fis are
evaluated
c2
pk1,c1'
Key3=(pk3, sk3)
Esk2=Encryptpk3(sk2) pk3,Esk2
depth (d-t)
depth t
cn

SHEFHE over the Integers
FHE over the INTEGERS – Convert SHE to FHE
F=Dsk(m) becomes simple if we use the technique called
“squashing the decryption circuit”.
Idea: add to pk some information about sk so that
Dsk(m) becomes simpler and SWH becomes
bootstrappable.
Price:
· public key contains more information
· ciphertext is larger

Squashing Technique
s – sparse Θ bit vector
S = {i:si=1}, must be
s.t. |S|=θ
0 0,1001101101
1
0
1
0
0
0
1
0
0
1,0001100110
0,1100010110
0,1000010110
0,0010000101
1,1100100101
1,0010100111
1,1001101101
0,0100101011
1,1101011010
s y
Squashing the Decryption Circuit
Three more parameters: θ, Θ, κ - chosen appropriately in
accordance with the security parameter λ.
yi – random rational Î[0,2)
with precision κ.
s.t. åiÎS(yi)≈ 1/p-Δ, |Δ|<2-κ
pk=(pk as before + y)
sk=s
Encryptpk(m):
c as before, plus z s.t
zi=c·yi mod 2, i=1..Θ
Keep n=ëlogθù+3
precision bits for zi
Decryptsk(c):
m=(c- ëåi(si·zi)ù ) mod 2

Security. Approximate GCD
Assume we know many
{xi=p*qi+ri}
where the noise ri is much smaller than p.
We need to find the approximate gcd(xi)=p.
Brute-force approach:
Take x0 and x1 and try all possible values of r0 and r1
Problem: The chosen parameters are such that exhaustive
search meets the security parameter λ .
Divisor of p:
Guess a large divisor d|p, for d>|r|.
Test the guess: all (xi mod d) must be of size of the noise r.
Then p=d*gcd(xi/d)
Problem: guessing is as difficult as the brute-force attack

Given n xi’s, we want to find a set of n linear combinations:
zk = åi=1..n(akixi) such that:
· The total noise for zk is = maxnoise* åi=1..n(ai) is <<p
· zk is ~p or <<p
Then we say that:
· if zk<<p then we deal with
åi=1..n(aki(p*qi+ri)) = 0*p+noise(zk)
Divide by p, and we get noise-free equation:
åi=1..n(akiqi) = 0
· If zk~p then, similarly, we deal with
åi=1..n(akiqi) = 1
Find all (or one) qi with Gaussian elimination.
then p = ëxi/qiù

ALG PARAMS: p~2^16, q~2^16, r~2^8, #eq=12
Secret p=97083
Vector of initial values x_i = {p*q_i+r_i}:
x_0 (29 bits)=614535439 = p*6330 + 49 x_1 (30 bits)=1617402906 = p*16660 + 126
x_2 (30 bits)=2084663351 = p*21473 + 92 x_3 (31 bits)=2149029378 = p*22136 + 90
x_4 (31 bits)=2467558848 = p*25417 + 237 x_5 (31 bits)=2504547489 = p*25798 + 255
x_6 (31 bits)=2760166833 = p*28431 + 60 x_7 (31 bits)=3269949614 = p*33682 + 8
x_8 (31 bits)=3812837993 = p*39274 + 251 x_9 (31 bits)=4045837111 = p*41674 + 169
x_10 (32 bits)=4952398228 = p*51012 + 232 x_11 (32 bits)=5135108340 = p*52894 + 138
Found set of linear equatiuons with low noise:
291 = +x0 +x2 +x3 +x4 -x7 -x9
890 = 3*x1 +x3 +2*x5 -x7 +2*x8 -4*x9 +x10 -x11
833 = -x0 +x1 +x2 +x3 -2*x4 +4*x5 +x6 -4*x7
47 = -2*x1 -4*x2 -5*x3 +4*x4 -x5 -6*x6 +2*x7 -3*x8 +9*x9
40 = -x0 +2*x1 +3*x2 +x4 +5*x5 -4*x6 +7*x7 -3*x8 -6*x9
30 = -x0 +6*x2 -3*x3 +6*x4 +3*x5 +6*x7 -5*x8 -7*x9
Example of converting to equations on q’s:
291 = +x0 +x2 +x3 +x4 -x7 -x9 è 0 = q0+q2+q3+q4-q7-q9
è 6330+21473+22136+25417-33682-41674 must be 0 (Check!)

x1
x2
xn
t bits
· Try all possible t-bit values for a1...an such that a new
linear combination
yj=x1*a1+…+xnan - has all zeros on the highest t bits.
· Remove yj’s with the highest noise and keep n with the
smallest noise.
· Repeat the procedure for y-values and remove the next
t bits, until we get the values ~p or <<p.

Some improvements can apply:
· Intermediate sets ys can be much larger than the initial set x.
· t is variable for each round. Can be smaller in the beginning, and larger in
the next rounds, if we will keep more of the best equations y.
· It is beneficial if the high t-bits of xi’s (or yj’s) will first be moved to int-type,
then arithmetical operations are faster.
· It is also good to limit Hamming weight of a, so that we only test for pairs
xi±xj and triples xi±xj±xk. This way, the noise is kept low, but the number of
combinations is sufficient to eliminate t high bits and still have a new set of
y for the next round.
· etc...
P
~2128
~2256
q
~22048
~26000
r
~232
~264
z.TotNoise
~2106
~2270
#eq=|x|
32
48

New Recent Research
2011. Craig Gentry and Shai
Halevi. Fully homomorphic
encryption without
squashing using depth-3
arithmetic circuits.
2011. Zvika Brakerski and
Vinod Vaikuntanathan.
Efﬁcient fully
homomorphic encryption
from (standard) LWE.
Found different ways to construct FHE
without using the squashing step
2012. Zvika Brakerski, Craig
Gentry and Vinod
Vaikuntanathan. Fully
homomorphic encryption
without bootstrapping.
BGV scheme to construct a
FHE of a desired depth D,
based on Ring LWE. I.e., no
bootstrapping is needed.
2012. Craig Gentry, Shai
Halevi, and Nigel P.
Smart. Homomorphic
evaluation of the AES
circuit.
2013. HELib. IBM.
2013. Jacob Alperin-
Sheriff and Chris Peikert.
Practical bootstrapping
in Quasilinear Time.
2011. N.P. Smart and F.
Vercauteren. Fully
Homomorphic SIMD
Operations.
Way to Evaluate on packed ciphertext
2013. CryptDB. MIT.

BGV: Leveled FHE Scheme
BGV Scheme. Noise Management Technique (Leveled FHE).
Lemma: Assume we have cp meaning that p is our secret.
Choose another odd q<<p and do
cq = (q/p)*cp – take the closest integer s.t. cq=cp mod 2
Then cq encrypts the same message m under the new (and smaller) odd q, but the
noise is also smaller roughly by the same ratio (q/p).
In BGV they propose:
Noise magnitude is x
For a larger odd p generate pi≈p/xi
for i<k;
After MUL of two mod-p0 ciphertexts, the noise magnitude is x2
. Switch to the
smaller mod-p1. The magnitude returns to the level x.
The more k the more MULs we can do for free. This makes it possible to avoid
bootstrapping at all!

BGV: Leveled FHE Scheme
c1 mod-p0
c2 mod-p0
p0 p1 x
c1*c2 mod-p0
Multiplication
Modulus Switching
Ciphertext Size Reduction
c1*c2 mod-p1
c1*c2 mod-p1

Performance
2010. SHE Performance
1 000 000 000 000x
[...] A simple string search using homomorphic encryption is about a trillion times
slower than without encryption.
Dimension
2048 (800,000 bit ints)
8192 (3,200,000 bit ints)
32768 (13,000,000 bit ints)
KeyGen
1.25 s.
10 s.
95 s.
Enc (amort)
.060 sec
.7 sec
5.3 sec
Mult/Dec
.023 s.
.12 s.
.6 s.
Degree
~200
~200
~200
2010. FHE Performance
Dimension
2048
8192
32768
KeyGen
40 s.
8 min.
2 hrs
PK size
70 Mbyte
285 Mbyte
2.3 Gb
ReCrypt
31 sec
3 min
30 min

Evaluation of AES
2012. Homomorphic Evaluation of the AES Circuit
Gentry-Halevi-Smart
AES-128, 10 rounds
256GB of RAM, D=60.
Variant 1: 36 hours, 54 blocks
(SIMD technique to use more plaintext slots in each ciphertext, so
that operations are done in parallel for free)
First round – 7 hours
Last round – 30 min
Amortized speed ~ 40 min/block
Variant 2: 2,5 days, 720 blocks
Amortized speed ~ 5 min/block

HElib
2013. HElib. IBM.
Based on BGV scheme, based on ideal lattices, SIMD operations on packed
ciphertext, quasi-linear bootstrapping, and many other improvement
technique.
- Does not support bootstrapping (reencrypt) operation.
- GPL licensed
λ =80 bits of security
Modulus
257
8209
65537
Number of Slots
44
22
2
Time for ADD (ms)
0.7
0.7
2.9
Time for MUL (ms)
39
38
177

Patents Activity
Patents Activity

“Vision of a fully homomorphic cryptosystem have been
dancing in cryptographers’ heads for thirty years. [...] It will be
years before a sufficient number of cryptographers examine the
algorithm that we can have any confidence that the scheme is
secure.”
- Bruce Schneier, April 2013
“Should be usable in niche applications within a year or two.”
- Halevi, 2012

HEpres2.ppt

Recommandé

Recommandé

Contenu connexe

Similaire à HEpres2.ppt

Similaire à HEpres2.ppt (20)

Dernier

Dernier (20)

HEpres2.ppt

Notes de l'éditeur