Fully Homomorphic Encryption
description
Transcript of Fully Homomorphic Encryption
Fully Homomorphic Encryption
Paper by: Craig GentryPresented By: Daniel Henneberger
What is homomorphic encryption?
Computations on ciphertext which predictably modifies the plaintext
Operate on messages while they are encrypted
Data can be securely processed in unsecure environments◦ Cloud Computing◦ Databases◦ Voting machines
Homomorphic Encryption
How it works
How it works
Keygen Encrypt Decrypt Evaluate
1978 – Privacy Homomorphism
US government pumps millions in it
History
Additive◦ E(m1) + E(m2) = E(m1+m2)
Multiplicative◦E(m1) * E(m2) = E(m1*m2)
Why just Add and Mul? ◦ Can evaluate any function◦ Turing complete over a ring
Types of Homomorphism
Somewhat Homomorphic◦ You can do only do some functions◦ RSA
Fully Homomorphic◦ You can do all functions
Leveled Fully Homomorphic◦ Keysize can grow with depth of the function
Bootstrappable◦ Can evaluate its own decryption circuit
Types of Homomorphism
Fully Homomorphic Encryption Using Ideal
LatticesCraig Gentry
Stanford University and IBM Watson2009
“Most unbearably complicated topic ever” –Craig Gentry
Before this paper, it was unknown if fully homomorphic encryption could exist
First feasible result Holy grail of encryption
17 results on YouTube!
Importance of this topic
Ideal lattices are a form of difficult to compute mathematical problems
Similar to:◦ Integer Factorization◦ Discrete logarithm problem ◦ Elliptic curves over finite fields (Elliptical curve)
Closest vector problem Learning with errors Unbreakable with quantum computing
◦ Uses arbitrary approximations
MATH: Lattice
Illustration - A lattice in R2
borrowed from tau.ac.il“Recipe”:1. Take two linearly independent vectors in R2.2. Close them for addition and for multiplication by an integer scalar.
Each point corresponds to a vector in the lattice
etc. ... etc. ...
A cyclic lattice is ‘ideal’ (ring-based) NTRU – Asymmetric key cryptosystem that
uses ring-based lattices
Low circuit complexity Very fast Allows additive and multiplicative
homomorphism
MATH: Ideal Lattice
Lots of math involved with this:◦ Cyclotomic Polynomials
Too much for this class time
More MATH
Evaluate(pk,C, Encrypt(pk,m1),..., Encrypt(pk,mt)) = Encrypt(pk,C(m1,..., mt))
Steps◦ Create a general bootstrapping result◦ Initial construction using ideal lattices◦ Squash the decryption circuit to permit
bootstrapping
Advances
General Bootstrapping Result
Find a Public key scheme that is homomorphic for shallow circuits and uses ideal lattices◦ NTRUEncrypt
Ciphertext has a form of an ideal lattice + offset
Use a cyclic ring of keys◦ Hard to do◦ Large key size (GB)
Initial construction using ideal lattices
“Squash the Decryption Circuit”
Evaluate its own decryption circuit Provides ability to recrypt plaintext Must be allowed to recrypt augmented
versions to provide mathematical operations
Bootstrap Requirements
Allows ‘unlimited’ additions◦ Recrypt algorithm
Greater multiplicative depth◦ log log (N) - log log (n-1)◦ Still bad
Improvements
Can only evaluate in logarithmic depth◦ Ciphertext grows ◦ Noise increases
Addition- circuits can be corrected (recrypting) Multiplication- noise grows quickly
Not yet practical◦ Client must begin the decryption process to be
bootstrappable◦ Solution is approximate◦ >1 day to compute 1 message
Disadvantages
PollyCracker Fully Homomorphic Encryption over the
Integers Fully Homomorphic Encryption over the
Binary Polynomials
Implementations
Many people have created new variants Implementations All slow
Finding shortcuts
AES-128 – Completed June 15th 2012◦ Computed with 256GB of ram (still limiting factor)◦ 24 Xeon cores◦ Took 5 days per operation
Since this paper