homomorphic encryption
DESCRIPTION
Homomorphic Encryption. Alexander Maximov. Overview. History Partially Homomorphic Encryption Schemes HE Usage Scenarios Somewhat HE and Fully HE over the Integers Bootstrapping Technique Ciphertext Squashing Technique Ciphertext Reduction Technique Converting Somewhat HE to Fully HE - PowerPoint PPT PresentationTRANSCRIPT
Homomorphic Encryption
Alexander Maximov
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 2
Overview• History• Partially Homomorphic Encryption Schemes• HE Usage Scenarios• Somewhat HE and Fully HE over the Integers• Bootstrapping Technique• Ciphertext Squashing Technique• Ciphertext Reduction Technique• Converting Somewhat HE to Fully HE• Approximate GCD Problem• Recent Research Results• BGV FHE Scheme• Leveled FHE with(out) Bootstrapping• Performance, Implementations, Patents
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 3
IntroductionCommon notations:pk – public keysk – secret keym – messagec – ciphertext
c = Encryptpk(m)m=Decryptsk(c)
Em(pk) - encryption algorithm as a circuitDm(sk) - decryption algorithm as a circuitf – is the function or circuit that we want to evaluate on plaintextF – is the function or circuit that corresponds to f and operates on ciphertext in the cryptosystem
c1=Encryptpk(m1)…
cn=Encryptpk(mn)
m=Decryptsk(c)
c=F(c1,...,cn)
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 4
PartialLY HEMultiplicative Partially HEUnpadded RSApk=(n,e)c=Epk(m)=me mod n
c1*c2=m1em2
e mod n = Epk(m1*m2)
Additive Partially HEPaillier schemepk=(n,g)c=Epk(m)=gmrn mod n2 r in {0,…,n-1} – some random value
c1*c2= (gm1r1n)*(gm2r2n) mod n =
gm1+m2(r1r2)n mod n=Epk(m1+m2)
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 5
HE Usage Scenarios· Cloud Computing: storage, computation, search query· Spam filtering: Blacklisting encrypted mails.· Medical Applications (Private data, Public functions): search, cloud computation of
certain functions (patient’s condition, etc) on behalf of the patient. Analyze disease/treatment without disclosing them. Search for DNA markers without revealing DNA
· Financial Applications (Private data, Private functions): computations on encrypted data such as data about companies, their stock price, or their performance or inventory. The customer may upload encrypted program/function to compute on encrypted data.
· Advertising and Pricing: Assume a customer has a mobile phone and uploads his data, such as location, email, time of the day, browsing activity, stream from the camera, etc. The advertising company computes some function to decide which ad is to be sent back to the client.
· Electronic voting: need to calculate the result of the voting without decrypting any ballots. More properties are there…
· Data Mining: HE solution is both fully private and fully accurate. Allows data miner to compute frequencies of values on the customer data, without revealing the data itself.
· Biometric Authentication: relation between biometric trait and personal identity must be hidden, i.e., comparison of the trait and the database fields must be encrypted.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 6
Real-Life Usage
Helios: Web-Based Open-Audit VotingBen Adida, Harvard University
· Real-life HE application.· Anyone can create and run an election· Any willing observer can audit the entire process· Uses HE property of the ElGamal cryptosystem to calculate the
tally without decrypting of any ballots.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 7
Does Fully Homomorphic Encryption Ever Exists?
Fully Homomorphic Encryption (FHE). Some Properties.FHE property (simplified):· Decryptsk(c1*c2)=m1*m2
· Decryptsk(c1+c2)=m1+m2
I.e.: Decryptsk(F(c1,…,cn))=F(m1,…,mn)
FHE may support another set of operations to support a ring of plaintexts. Examples: AND, XOR
FHE can be:· Public key schemes· Symmetric key schemes
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 8
“Holy Grail” for 30 years1978 Rivest, Adleman, and Dertouzos propose the idea of fully homomorphic encryption (FHE)
1980
1990
2000
2010
June 25, 2009. Craig Gentry announced the first FHE scheme (PhD Thesis, Stanford University). The scheme is based on ideal lattices cryptography
1982. Goldwasser-Micali cryptosystem
1999. Paillier cryptosystem
2005. Boneh-Goh-Nissim cryptosystem (infinite ADD, one MUL)
1998. Okamoto-Uchiyama cryptosystem
1998. Naccache-Stern cryptosystem
2001. DamgÅrd-Jurik cryptosystem
1994. Benaloh cryptosystem
2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based on integers.
2010. Gentry-Halevi working implementation of FHE.
April 2013. HElib. IBM releases first public FHE library (c++) with BGV scheme and optimizations.
~30 Years
2012. Brakerski-Gentry-Vaikuntanathan. FHE without Bootstrapping.
2012. Gentry-Halevi-Smart. Homomorphic Evaluation of the AES Circuit.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 9
Types of HE Schemes
Homomorphic Encryption (HE) = type of computation for a set of functions f(m1,…,mn) carried on ciphertexts Enc(m1)...Enc(mn) with a corresponding function F such that
f(m1,…,mn) = Dec(F(Enc(m1),…,Enc(mn)))
Partially HE (PHE) = HE scheme where only one type of operations is possible (multiplication or addition)
Somewhat HE (SHE) = HE scheme that can do a limited number of additions and multiplications
Fully HE (FHE) = HE scheme that can perform an infinite number of additions and multiplications
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 10
SHE over the Integers
SHE over the INTEGERS – SYMMETRIC KEY SCHEME2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based on integers.
KeyGen: key is an odd integer pÎ[2h- 1, 2h).Encrypt(p, m): to encrypt one bit mÎ[0,1]
c = pq+2r+mq, r – are chosen random, such that |2r|<p/2.Decrypt(p, c):
m = (c mod p) mod 2
Proposed constraint: p~2h, q~2h 3̂, r~2sqrt(h).
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 11
SHE over the IntegersADDITION:Decrypt(c1+c2,p) = ((pq1+2r1+m1)+(pq2+2r2+m2) mod p) mod 2
= (p(q1+q2)+2(r1+r2)+(m1+m2) mod p) mod 2= 2(r1+r2)+(m1+m2) mod 2 = m1 Å m2
MULTIPLICATION:Decrypt(c1*c2,p) =((pq1+2r1+m1)*(pq2+2r2+m2) mod p) mod 2
=(p(pq1q2+2q1r2+q1m2+2q2r1+q2m1)+2(2r1r2+r1m2+m2r1)+m1m2) mod p) mod 2
= 2(2r1r2+r1m2+m2r1)+m1m2 mod 2= m1 Ä m2
· The scheme is both additively and multiplicatively homomorphic for shallow arithmetic circuits.
· The number of ADD and MUL is limited since the noise grows.· The noise r must be sufficiently smaller than p to allow more ADDs and
MULs.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 12
SHE over the Integers
xa
b
1
q
f(x, a, b): if(x==1) q=a; else q=b
F(ca, cx, cb, c1): cq = (ca*cx)+(cx+c1)*cb
Any computer program can be represented in terms of AND-XOR gates
ci = pqi+2ri+mi
r-bitsp-bitsp*q-bits
c1
c2
c1+c2
c1*c2
Ciphertext and noise size expansion
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 13
Noise Count
Noise Magnitude
The degree of noise can be calculated by the evaluator internally.Assume two arguments to an operation· c1 – has the noise of degree n1 bits· c2 – has the noise of degree n2 bitsThe result of:· ADD(c1, c2) => noise of degree log2(2
n1+2n2) bits· MUL(c1, c2) => noise of degree (n1+n2) bits
Only when the noise would be larger than p-bits then the evaluator must do the “refreshment” step.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 14
SHE over the Integers
SHE over the INTEGERS – PUBLIC KEY SCHEME
KeyGen: pk=<x0,…,xt>, where:xi = pqi+ri, unless x0 is the largest, q0 is odd and r0 is evenEncrypt(pk, mÎ{0,1}): c = (m+2r+2åiÎS(xi)) mod x0
Where S is a random subset of pk, and r is a random noise.Decrypt(sk=p, c): m = (c mod p) mod 2
Encryption can now be viewed as:adding m to a random subset sum of “encryptions of zero”
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 15
Ciphertext ReductionCompactness PropertyThis means that the bit-length of the resulting ciphertext does not depend on the evaluation function F.
For this reason we do:· add more “encryptions of zero” to the public key yj such that they use larger
q’s. y0 must be of bit-length from |x0|…2|x0|.· after each operation (ADD or MUL) we select yj such that a substraction
from the result of the operation will lead again to a ciphertext of size |x0|.
Multiplication doubles the number of bits of the ciphertext, but bringing it back to the initial size would cost just an addition of a few trivial noises from yj.
Consequence:Evaluation of c1*c2+c1*c3 and c1*(c2+c3) will result in different ciphertexts, although the same result in plaintext.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 16
Bootstrapping
Bootstrapping· Assume SHE can evaluate circuits F up
to the depth d.· Assume F=Dsk(m) is the decryption
algorithm, that can be evaluated by SHE at most depth (d-1). I.e., to decrypt plus “a little more”.
Then SHE is called bootstrappable and can be converted to FHE.
USERKey1=(pk1, sk1)Input=mc1'=Encryptpk1(m)
COMPUTING CLOUD
EvaluateF1(c1')
c1 – with heavy noise, but still possible to decryptKey2=(pk2, sk2)
Esk1=Encryptpk2(sk1) pk2,Esk1 Ec1=Encryptpk2(c1)
EvaluateDecryptEsk1(Ec1)
EvaluateF2(c2')
c2' – now encrypted by pk2 and “refreshed” noise
Result=Decryptskn(cn)
REPEAT until all Fis are evaluated
c2
pk1,c1'
Key3=(pk3, sk3)Esk2=Encryptpk3(sk2) pk3,Esk2
depth (d-t)
depth t
cn
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 17
SHEFHE over the Integers
FHE over the INTEGERS – Convert SHE to FHE
F=Dsk(m) becomes simple if we use the technique called “squashing the decryption circuit”.
Idea: add to pk some information about sk so that Dsk(m) becomes simpler and SWH becomes bootstrappable.
Price:· public key contains more information· ciphertext is larger
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 18
Squashing Technique
s – sparse Θ bit vectorS = {i:si=1}, must be s.t. |S|=θ
0 0,1001101101101000100
1,00011001100,11000101100,10000101100,00100001011,11001001011,00101001111,10011011010,01001010111,1101011010
s y
Squashing the Decryption CircuitThree more parameters: θ, Θ, κ - chosen appropriately in accordance with the security parameter λ.
yi – random rational Î[0,2) with precision κ.s.t. åiÎS(yi) ≈1/p-Δ, |Δ|<2-κ
pk=(pk as before + y)sk=s
Encryptpk(m):c as before, plus z s.tzi=c·yi mod 2, i=1..ΘKeep n=ë logθù+3 precision bits for zi
Decryptsk(c):m=(c- ëåi(si· zi)ù ) mod 2
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 19
Security. Approximate GCD
Assume we know many {xi=p*qi+ri}
where the noise ri is much smaller than p.We need to find the approximate gcd(xi)=p.
Brute-force approach:Take x0 and x1 and try all possible values of r0 and r1Problem: The chosen parameters are such that exhaustive search meets the security parameter λ .
Divisor of p:Guess a large divisor d|p, for d>|r|.Test the guess: all (xi mod d) must be of size of the noise r.Then p=d*gcd(xi/d)Problem: guessing is as difficult as the brute-force attack
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 20
Security. Approximate GCDGiven n xi’s, we want to find a set of n linear combinations:
zk = åi=1..n(akixi) such that:· The total noise for zk is = maxnoise* åi=1..n(ai) is <<p· zk is ~p or <<p
Then we say that:· if zk<<p then we deal with
åi=1..n(aki(p*qi+ri)) = 0*p+noise(zk)Divide by p, and we get noise-free equation:
åi=1..n(akiqi) = 0· If zk~p then, similarly, we deal with
åi=1..n(akiqi) = 1Find all (or one) qi with Gaussian elimination. then p = ëxi/qiù
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 21
ALG PARAMS: p~2̂ 16, q~2̂ 16, r~2̂ 8, #eq=12 Secret p=97083Vector of initial values x_i = {p*q_i+r_i}:x_0 (29 bits)=614535439 = p*6330 + 49 x_1 (30 bits)=1617402906 = p*16660 + 126x_2 (30 bits)=2084663351 = p*21473 + 92 x_3 (31 bits)=2149029378 = p*22136 + 90x_4 (31 bits)=2467558848 = p*25417 + 237 x_5 (31 bits)=2504547489 = p*25798 + 255x_6 (31 bits)=2760166833 = p*28431 + 60 x_7 (31 bits)=3269949614 = p*33682 + 8x_8 (31 bits)=3812837993 = p*39274 + 251 x_9 (31 bits)=4045837111 = p*41674 + 169x_10 (32 bits)=4952398228 = p*51012 + 232 x_11 (32 bits)=5135108340 = p*52894 + 138
Found set of linear equatiuons with low noise:291 = +x0 +x2 +x3 +x4 -x7 -x9890 = 3*x1 +x3 +2*x5 -x7 +2*x8 -4*x9 +x10 -x11833 = -x0 +x1 +x2 +x3 -2*x4 +4*x5 +x6 -4*x747 = -2*x1 -4*x2 -5*x3 +4*x4 -x5 -6*x6 +2*x7 -3*x8 +9*x940 = -x0 +2*x1 +3*x2 +x4 +5*x5 -4*x6 +7*x7 -3*x8 -6*x930 = -x0 +6*x2 -3*x3 +6*x4 +3*x5 +6*x7 -5*x8 -7*x9
Example of converting to equations on q’s:291 = +x0 +x2 +x3 +x4 -x7 -x9 è 0 = q0+q2+q3+q4-q7-q9è 6330+21473+22136+25417-33682-41674 must be 0 (Check!)
Security. Approximate GCD
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 22
x1
x2
xn
t bits
· Try all possible t-bit values for a1...an such that a new linear combination
yj=x1*a1+…+xnan - has all zeros on the highest t bits.· Remove yj’s with the highest noise and keep n with the
smallest noise.· Repeat the procedure for y-values and remove the next
t bits, until we get the values ~p or <<p.
Security. Approximate GCD
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 23
Security. Approximate GCDSome improvements can apply:· Intermediate sets ys can be much larger than the initial set x.· t is variable for each round. Can be smaller in the beginning, and larger in
the next rounds, if we will keep more of the best equations y.· It is beneficial if the high t-bits of xi’s (or yj’s) will first be moved to int-type,
then arithmetical operations are faster.· It is also good to limit Hamming weight of a, so that we only test for pairs
xi±xj and triples xi±xj±xk. This way, the noise is kept low, but the number of combinations is sufficient to eliminate t high bits and still have a new set of y for the next round.
· etc...
P
~2128
~2256
q
~22048
~26000
r
~232
~264
z.TotNoise
~2106
~2270
#eq=|x|
32
48
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 24
New Recent Research
2011. Craig Gentry and Shai Halevi. Fully homomorphic
encryption without squashing using depth-3
arithmetic circuits.
2011. Zvika Brakerski and Vinod Vaikuntanathan.
Efficient fully homomorphic encryption
from (standard) LWE.
Found different ways to construct FHE without using the squashing step
2012. Zvika Brakerski, Craig Gentry and Vinod
Vaikuntanathan. Fully homomorphic encryption without bootstrapping.
BGV scheme to construct a FHE of a desired depth D,
based on Ring LWE. I.e., no bootstrapping is needed.
2012. Craig Gentry, Shai Halevi, and Nigel P.
Smart. Homomorphic evaluation of the AES
circuit.
2013. HELib. IBM.
2013. Jacob Alperin-Sheriff and Chris Peikert. Practical bootstrapping
in Quasilinear Time.2011. N.P. Smart and F.
Vercauteren. Fully Homomorphic SIMD
Operations.
Way to Evaluate on packed ciphertext
2013. CryptDB. MIT.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 25
BGV: Leveled FHE SchemeBGV Scheme. Noise Management Technique (Leveled FHE).
Lemma: Assume we have cp meaning that p is our secret.Choose another odd q<<p and docq = (q/p)*cp – take the closest integer s.t. cq=cp mod 2Then cq encrypts the same message m under the new (and smaller) odd q, but the noise is also smaller roughly by the same ratio (q/p).
In BGV they propose:Noise magnitude is x For a larger odd p generate pi≈p/xi for i<k;
After MUL of two mod-p0 ciphertexts, the noise magnitude is x2. Switch to the smaller mod-p1. The magnitude returns to the level x.
The more k the more MULs we can do for free. This makes it possible to avoid bootstrapping at all!
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 26
BGV: Leveled FHE Scheme
c1 mod-p0
c2 mod-p0
p0 p1 x
c1*c2 mod-p0
Multiplication
Modulus Switching
Ciphertext Size Reductionc1*c2 mod-p1
c1*c2 mod-p1
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 27
Performance2010. SHE Performance
1 000 000 000 000x[...] A simple string search using homomorphic encryption is about a trillion times slower than without encryption.
Dimension
2048 (800,000 bit ints)
8192 (3,200,000 bit ints)
32768 (13,000,000 bit ints)
KeyGen
1.25 s.
10 s.
95 s.
Enc (amort)
.060 sec
.7 sec
5.3 sec
Mult/Dec
.023 s.
.12 s.
.6 s.
Degree
~200
~200
~200
2010. FHE Performance
Dimension
2048
8192
32768
KeyGen
40 s.
8 min.
2 hrs
PK size
70 Mbyte
285 Mbyte
2.3 Gb
ReCrypt
31 sec
3 min
30 min
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 28
Evaluation of AES2012. Homomorphic Evaluation of the AES Circuit
Gentry-Halevi-SmartAES-128, 10 rounds256GB of RAM, D=60.
Variant 1: 36 hours, 54 blocks (SIMD technique to use more plaintext slots in each ciphertext, so that operations are done in parallel for free)First round – 7 hoursLast round – 30 min
Amortized speed ~ 40 min/block
Variant 2: 2,5 days, 720 blocksAmortized speed ~ 5 min/block
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 29
HElib2013. HElib. IBM.
Based on BGV scheme, based on ideal lattices, SIMD operations on packed ciphertext, quasi-linear bootstrapping, and many other improvement technique.- Does not support bootstrapping (reencrypt) operation.- GPL licensed
λ =80 bits of security
Modulus
257
8209
65537
Number of Slots
44
22
2
Time for ADD (ms)
0.7
0.7
2.9
Time for MUL (ms)
39
38
177
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 30
Patents Activity
Patents Activity
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 31
“Vision of a fully homomorphic cryptosystem have been dancing in cryptographers’ heads for thirty years. [...] It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure.”
- Bruce Schneier, April 2013
“Should be usable in niche applications within a year or two.”- Halevi, 2012