homomorphic encryption

Homomorphic Encryption

Alexander Maximov

EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 |

Overview• History• Partially Homomorphic Encryption Schemes• HE Usage Scenarios• Somewhat HE and Fully HE over the Integers• Bootstrapping Technique• Ciphertext Squashing Technique• Ciphertext Reduction Technique• Converting Somewhat HE to Fully HE• Approximate GCD Problem• Recent Research Results• BGV FHE Scheme• Leveled FHE with(out) Bootstrapping• Performance, Implementations, Patents


IntroductionCommon notations:pk – public keysk – secret keym – messagec – ciphertext

c = Encryptpk(m)m=Decryptsk(c)

Em(pk) - encryption algorithm as a circuitDm(sk) - decryption algorithm as a circuitf – is the function or circuit that we want to evaluate on plaintextF – is the function or circuit that corresponds to f and operates on ciphertext in the cryptosystem

c1=Encryptpk(m1)…

cn=Encryptpk(mn)

m=Decryptsk(c)

c=F(c1,...,cn)


PartialLY HEMultiplicative Partially HEUnpadded RSApk=(n,e)c=Epk(m)=me mod n

c1*c2=m1em2

e mod n = Epk(m1*m2)

Additive Partially HEPaillier schemepk=(n,g)c=Epk(m)=gmrn mod n2 r in {0,…,n-1} – some random value

c1*c2= (gm1r1n)*(gm2r2n) mod n =

gm1+m2(r1r2)n mod n=Epk(m1+m2)


HE Usage Scenarios· Cloud Computing: storage, computation, search query· Spam filtering: Blacklisting encrypted mails.· Medical Applications (Private data, Public functions): search, cloud computation of

certain functions (patient’s condition, etc) on behalf of the patient. Analyze disease/treatment without disclosing them. Search for DNA markers without revealing DNA

· Financial Applications (Private data, Private functions): computations on encrypted data such as data about companies, their stock price, or their performance or inventory. The customer may upload encrypted program/function to compute on encrypted data.

· Advertising and Pricing: Assume a customer has a mobile phone and uploads his data, such as location, email, time of the day, browsing activity, stream from the camera, etc. The advertising company computes some function to decide which ad is to be sent back to the client.

· Electronic voting: need to calculate the result of the voting without decrypting any ballots. More properties are there…

· Data Mining: HE solution is both fully private and fully accurate. Allows data miner to compute frequencies of values on the customer data, without revealing the data itself.

· Biometric Authentication: relation between biometric trait and personal identity must be hidden, i.e., comparison of the trait and the database fields must be encrypted.


Real-Life Usage

Helios: Web-Based Open-Audit VotingBen Adida, Harvard University

· Real-life HE application.· Anyone can create and run an election· Any willing observer can audit the entire process· Uses HE property of the ElGamal cryptosystem to calculate the

tally without decrypting of any ballots.


Does Fully Homomorphic Encryption Ever Exists?

Fully Homomorphic Encryption (FHE). Some Properties.FHE property (simplified):· Decryptsk(c1*c2)=m1*m2

· Decryptsk(c1+c2)=m1+m2

I.e.: Decryptsk(F(c1,…,cn))=F(m1,…,mn)

FHE may support another set of operations to support a ring of plaintexts. Examples: AND, XOR

FHE can be:· Public key schemes· Symmetric key schemes


“Holy Grail” for 30 years1978 Rivest, Adleman, and Dertouzos propose the idea of fully homomorphic encryption (FHE)

1980

1990

2000

2010

June 25, 2009. Craig Gentry announced the first FHE scheme (PhD Thesis, Stanford University). The scheme is based on ideal lattices cryptography

1982. Goldwasser-Micali cryptosystem

1999. Paillier cryptosystem

2005. Boneh-Goh-Nissim cryptosystem (infinite ADD, one MUL)

1998. Okamoto-Uchiyama cryptosystem

1998. Naccache-Stern cryptosystem

2001. DamgÅrd-Jurik cryptosystem

1994. Benaloh cryptosystem

2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based on integers.

2010. Gentry-Halevi working implementation of FHE.

April 2013. HElib. IBM releases first public FHE library (c++) with BGV scheme and optimizations.

~30 Years

2012. Brakerski-Gentry-Vaikuntanathan. FHE without Bootstrapping.

2012. Gentry-Halevi-Smart. Homomorphic Evaluation of the AES Circuit.


Types of HE Schemes

Homomorphic Encryption (HE) = type of computation for a set of functions f(m1,…,mn) carried on ciphertexts Enc(m1)...Enc(mn) with a corresponding function F such that

f(m1,…,mn) = Dec(F(Enc(m1),…,Enc(mn)))

Partially HE (PHE) = HE scheme where only one type of operations is possible (multiplication or addition)

Somewhat HE (SHE) = HE scheme that can do a limited number of additions and multiplications

Fully HE (FHE) = HE scheme that can perform an infinite number of additions and multiplications


SHE over the Integers

SHE over the INTEGERS – SYMMETRIC KEY SCHEME2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based on integers.

KeyGen: key is an odd integer pÎ[2h- 1, 2h).Encrypt(p, m): to encrypt one bit mÎ[0,1]

c = pq+2r+mq, r – are chosen random, such that |2r|<p/2.Decrypt(p, c):

m = (c mod p) mod 2

Proposed constraint: p~2h, q~2h 3̂, r~2sqrt(h).


SHE over the IntegersADDITION:Decrypt(c1+c2,p) = ((pq1+2r1+m1)+(pq2+2r2+m2) mod p) mod 2

= (p(q1+q2)+2(r1+r2)+(m1+m2) mod p) mod 2= 2(r1+r2)+(m1+m2) mod 2 = m1 Å m2

MULTIPLICATION:Decrypt(c1*c2,p) =((pq1+2r1+m1)*(pq2+2r2+m2) mod p) mod 2

=(p(pq1q2+2q1r2+q1m2+2q2r1+q2m1)+2(2r1r2+r1m2+m2r1)+m1m2) mod p) mod 2

= 2(2r1r2+r1m2+m2r1)+m1m2 mod 2= m1 Ä m2

· The scheme is both additively and multiplicatively homomorphic for shallow arithmetic circuits.

· The number of ADD and MUL is limited since the noise grows.· The noise r must be sufficiently smaller than p to allow more ADDs and

MULs.



xa

b

1

q

f(x, a, b): if(x==1) q=a; else q=b

F(ca, cx, cb, c1): cq = (ca*cx)+(cx+c1)*cb

Any computer program can be represented in terms of AND-XOR gates

ci = pqi+2ri+mi

r-bitsp-bitsp*q-bits

c1

c2

c1+c2

c1*c2

Ciphertext and noise size expansion


Noise Count

Noise Magnitude

The degree of noise can be calculated by the evaluator internally.Assume two arguments to an operation· c1 – has the noise of degree n1 bits· c2 – has the noise of degree n2 bitsThe result of:· ADD(c1, c2) => noise of degree log2(2

n1+2n2) bits· MUL(c1, c2) => noise of degree (n1+n2) bits

Only when the noise would be larger than p-bits then the evaluator must do the “refreshment” step.



SHE over the INTEGERS – PUBLIC KEY SCHEME

KeyGen: pk=<x0,…,xt>, where:xi = pqi+ri, unless x0 is the largest, q0 is odd and r0 is evenEncrypt(pk, mÎ{0,1}): c = (m+2r+2åiÎS(xi)) mod x0

Where S is a random subset of pk, and r is a random noise.Decrypt(sk=p, c): m = (c mod p) mod 2

Encryption can now be viewed as:adding m to a random subset sum of “encryptions of zero”


Ciphertext ReductionCompactness PropertyThis means that the bit-length of the resulting ciphertext does not depend on the evaluation function F.

For this reason we do:· add more “encryptions of zero” to the public key yj such that they use larger

q’s. y0 must be of bit-length from |x0|…2|x0|.· after each operation (ADD or MUL) we select yj such that a substraction

from the result of the operation will lead again to a ciphertext of size |x0|.

Multiplication doubles the number of bits of the ciphertext, but bringing it back to the initial size would cost just an addition of a few trivial noises from yj.

Consequence:Evaluation of c1*c2+c1*c3 and c1*(c2+c3) will result in different ciphertexts, although the same result in plaintext.


Bootstrapping

Bootstrapping· Assume SHE can evaluate circuits F up

to the depth d.· Assume F=Dsk(m) is the decryption

algorithm, that can be evaluated by SHE at most depth (d-1). I.e., to decrypt plus “a little more”.

Then SHE is called bootstrappable and can be converted to FHE.

USERKey1=(pk1, sk1)Input=mc1'=Encryptpk1(m)

COMPUTING CLOUD

EvaluateF1(c1')

c1 – with heavy noise, but still possible to decryptKey2=(pk2, sk2)

Esk1=Encryptpk2(sk1) pk2,Esk1 Ec1=Encryptpk2(c1)

EvaluateDecryptEsk1(Ec1)

EvaluateF2(c2')

c2' – now encrypted by pk2 and “refreshed” noise

Result=Decryptskn(cn)

REPEAT until all Fis are evaluated

c2

pk1,c1'

Key3=(pk3, sk3)Esk2=Encryptpk3(sk2) pk3,Esk2

depth (d-t)

depth t

cn


SHEFHE over the Integers

FHE over the INTEGERS – Convert SHE to FHE

F=Dsk(m) becomes simple if we use the technique called “squashing the decryption circuit”.

Idea: add to pk some information about sk so that Dsk(m) becomes simpler and SWH becomes bootstrappable.

Price:· public key contains more information· ciphertext is larger


Squashing Technique

s – sparse Θ bit vectorS = {i:si=1}, must be s.t. |S|=θ

0 0,1001101101101000100

1,00011001100,11000101100,10000101100,00100001011,11001001011,00101001111,10011011010,01001010111,1101011010

s y

Squashing the Decryption CircuitThree more parameters: θ, Θ, κ - chosen appropriately in accordance with the security parameter λ.

yi – random rational Î[0,2) with precision κ.s.t. åiÎS(yi) ≈1/p-Δ, |Δ|<2-κ

pk=(pk as before + y)sk=s

Encryptpk(m):c as before, plus z s.tzi=c·yi mod 2, i=1..ΘKeep n=ë logθù+3 precision bits for zi

Decryptsk(c):m=(c- ëåi(si· zi)ù ) mod 2


Security. Approximate GCD

Assume we know many {xi=p*qi+ri}

where the noise ri is much smaller than p.We need to find the approximate gcd(xi)=p.

Brute-force approach:Take x0 and x1 and try all possible values of r0 and r1Problem: The chosen parameters are such that exhaustive search meets the security parameter λ .

Divisor of p:Guess a large divisor d|p, for d>|r|.Test the guess: all (xi mod d) must be of size of the noise r.Then p=d*gcd(xi/d)Problem: guessing is as difficult as the brute-force attack


Security. Approximate GCDGiven n xi’s, we want to find a set of n linear combinations:

zk = åi=1..n(akixi) such that:· The total noise for zk is = maxnoise* åi=1..n(ai) is <<p· zk is ~p or <<p

Then we say that:· if zk<<p then we deal with

åi=1..n(aki(p*qi+ri)) = 0*p+noise(zk)Divide by p, and we get noise-free equation:

åi=1..n(akiqi) = 0· If zk~p then, similarly, we deal with

åi=1..n(akiqi) = 1Find all (or one) qi with Gaussian elimination. then p = ëxi/qiù


ALG PARAMS: p~2̂ 16, q~2̂ 16, r~2̂ 8, #eq=12 Secret p=97083Vector of initial values x_i = {p*q_i+r_i}:x_0 (29 bits)=614535439 = p*6330 + 49 x_1 (30 bits)=1617402906 = p*16660 + 126x_2 (30 bits)=2084663351 = p*21473 + 92 x_3 (31 bits)=2149029378 = p*22136 + 90x_4 (31 bits)=2467558848 = p*25417 + 237 x_5 (31 bits)=2504547489 = p*25798 + 255x_6 (31 bits)=2760166833 = p*28431 + 60 x_7 (31 bits)=3269949614 = p*33682 + 8x_8 (31 bits)=3812837993 = p*39274 + 251 x_9 (31 bits)=4045837111 = p*41674 + 169x_10 (32 bits)=4952398228 = p*51012 + 232 x_11 (32 bits)=5135108340 = p*52894 + 138

Found set of linear equatiuons with low noise:291 = +x0 +x2 +x3 +x4 -x7 -x9890 = 3*x1 +x3 +2*x5 -x7 +2*x8 -4*x9 +x10 -x11833 = -x0 +x1 +x2 +x3 -2*x4 +4*x5 +x6 -4*x747 = -2*x1 -4*x2 -5*x3 +4*x4 -x5 -6*x6 +2*x7 -3*x8 +9*x940 = -x0 +2*x1 +3*x2 +x4 +5*x5 -4*x6 +7*x7 -3*x8 -6*x930 = -x0 +6*x2 -3*x3 +6*x4 +3*x5 +6*x7 -5*x8 -7*x9

Example of converting to equations on q’s:291 = +x0 +x2 +x3 +x4 -x7 -x9 è 0 = q0+q2+q3+q4-q7-q9è 6330+21473+22136+25417-33682-41674 must be 0 (Check!)



x1

x2

xn

t bits

· Try all possible t-bit values for a1...an such that a new linear combination

yj=x1*a1+…+xnan - has all zeros on the highest t bits.· Remove yj’s with the highest noise and keep n with the

smallest noise.· Repeat the procedure for y-values and remove the next

t bits, until we get the values ~p or <<p.



Security. Approximate GCDSome improvements can apply:· Intermediate sets ys can be much larger than the initial set x.· t is variable for each round. Can be smaller in the beginning, and larger in

the next rounds, if we will keep more of the best equations y.· It is beneficial if the high t-bits of xi’s (or yj’s) will first be moved to int-type,

then arithmetical operations are faster.· It is also good to limit Hamming weight of a, so that we only test for pairs

xi±xj and triples xi±xj±xk. This way, the noise is kept low, but the number of combinations is sufficient to eliminate t high bits and still have a new set of y for the next round.

· etc...

P

~2128

~2256

q

~22048

~26000

r

~232

~264

z.TotNoise

~2106

~2270

#eq=|x|

32

48


New Recent Research

2011. Craig Gentry and Shai Halevi. Fully homomorphic

encryption without squashing using depth-3

arithmetic circuits.

2011. Zvika Brakerski and Vinod Vaikuntanathan.

Efficient fully homomorphic encryption

from (standard) LWE.

Found different ways to construct FHE without using the squashing step

2012. Zvika Brakerski, Craig Gentry and Vinod

Vaikuntanathan. Fully homomorphic encryption without bootstrapping.

BGV scheme to construct a FHE of a desired depth D,

based on Ring LWE. I.e., no bootstrapping is needed.

2012. Craig Gentry, Shai Halevi, and Nigel P.

Smart. Homomorphic evaluation of the AES

circuit.

2013. HELib. IBM.

2013. Jacob Alperin-Sheriff and Chris Peikert. Practical bootstrapping

in Quasilinear Time.2011. N.P. Smart and F.

Vercauteren. Fully Homomorphic SIMD

Operations.

Way to Evaluate on packed ciphertext

2013. CryptDB. MIT.


BGV: Leveled FHE SchemeBGV Scheme. Noise Management Technique (Leveled FHE).

Lemma: Assume we have cp meaning that p is our secret.Choose another odd q<<p and docq = (q/p)*cp – take the closest integer s.t. cq=cp mod 2Then cq encrypts the same message m under the new (and smaller) odd q, but the noise is also smaller roughly by the same ratio (q/p).

In BGV they propose:Noise magnitude is x For a larger odd p generate pi≈p/xi for i<k;

After MUL of two mod-p0 ciphertexts, the noise magnitude is x2. Switch to the smaller mod-p1. The magnitude returns to the level x.

The more k the more MULs we can do for free. This makes it possible to avoid bootstrapping at all!


BGV: Leveled FHE Scheme

c1 mod-p0

c2 mod-p0

p0 p1 x

c1*c2 mod-p0

Multiplication

Modulus Switching

Ciphertext Size Reductionc1*c2 mod-p1

c1*c2 mod-p1


Performance2010. SHE Performance

1 000 000 000 000x[...] A simple string search using homomorphic encryption is about a trillion times slower than without encryption.

Dimension

2048 (800,000 bit ints)

8192 (3,200,000 bit ints)

32768 (13,000,000 bit ints)

KeyGen

1.25 s.

10 s.

95 s.

Enc (amort)

.060 sec

.7 sec

5.3 sec

Mult/Dec

.023 s.

.12 s.

.6 s.

Degree

~200

~200

~200

2010. FHE Performance

Dimension

2048

8192

32768

KeyGen

40 s.

8 min.

2 hrs

PK size

70 Mbyte

285 Mbyte

2.3 Gb

ReCrypt

31 sec

3 min

30 min


Evaluation of AES2012. Homomorphic Evaluation of the AES Circuit

Gentry-Halevi-SmartAES-128, 10 rounds256GB of RAM, D=60.

Variant 1: 36 hours, 54 blocks (SIMD technique to use more plaintext slots in each ciphertext, so that operations are done in parallel for free)First round – 7 hoursLast round – 30 min

Amortized speed ~ 40 min/block

Variant 2: 2,5 days, 720 blocksAmortized speed ~ 5 min/block


HElib2013. HElib. IBM.

Based on BGV scheme, based on ideal lattices, SIMD operations on packed ciphertext, quasi-linear bootstrapping, and many other improvement technique.- Does not support bootstrapping (reencrypt) operation.- GPL licensed

λ =80 bits of security

Modulus

257

8209

65537

Number of Slots

44

22

2

Time for ADD (ms)

0.7

0.7

2.9

Time for MUL (ms)

39

38

177


Patents Activity

Patents Activity


“Vision of a fully homomorphic cryptosystem have been dancing in cryptographers’ heads for thirty years. [...] It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure.”

- Bruce Schneier, April 2013

“Should be usable in niche applications within a year or two.”- Halevi, 2012

homomorphic encryption

Documents

bullet level

ptbullets level

embedded font

patentsslide title

cnslide title

heslide title

text block

usage scenariosslide