IHE Columbia Theory Seminar
Encryptions of inputs m1,…,mt to f → function → Encryption of f(m1,…,mt)
I.e., Dec(sk, c) = f(m1,…,mt)
Why is this homomorphic?
c1 = m1+2r1+q1p, …, ct = mt+2rt+qtp
c1 x c2 = (c1q2+q1c2−q1q2)p + 2(2r1r2+r1m2+m1r2) + m1m2
2(2r1r2+…) still much smaller than p
c1 x c2 mod p = 2(2r1r2+…) + m1m2
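The multiplication identity above, as an added example that is not code from the talk: a toy version of the scheme with ciphertexts c = m + 2r + qp, showing that products decrypt correctly only while the noise stays below p. The function names, the toy parameter sizes, and decryption as (c mod p) mod 2 are assumptions of this example.

```python
# Added example, not code from the talk. Toy parameters: far too small to be secure.
import secrets

def keygen(p_bits=64):
    """Secret key: a random odd p_bits-bit integer p."""
    return secrets.randbits(p_bits) | (1 << (p_bits - 1)) | 1

def encrypt(p, m, r=None, q=None, r_bits=8, q_bits=128):
    """c = m + 2r + q*p for a bit m, small noise r >= 0 and large multiplier q."""
    r = secrets.randbits(r_bits) if r is None else r
    q = secrets.randbits(q_bits) if q is None else q
    return m + 2 * r + q * p

def noise(p, c):
    """c mod p: the term m + 2r (or its image after homomorphic operations)."""
    return c % p

def decrypt(p, c):
    """(c mod p) mod 2. Correct only while the true noise stays below p."""
    return noise(p, c) % 2

def slide_product_noise(m1, r1, m2, r2):
    """Noise of c1*c2 as expanded on the slide: 2(2r1r2 + r1m2 + m1r2) + m1m2."""
    return 2 * (2 * r1 * r2 + r1 * m2 + m1 * r2) + m1 * m2

def multiply_chain(p, bits, r_bits=8):
    """Multiply fresh encryptions of `bits` one at a time.
    Returns (noise bit length, decrypted bit, expected bit) after each step."""
    acc, expected = encrypt(p, bits[0], r_bits=r_bits), bits[0]
    trace = [(noise(p, acc).bit_length(), decrypt(p, acc), expected)]
    for b in bits[1:]:
        acc *= encrypt(p, b, r_bits=r_bits)
        expected &= b
        trace.append((noise(p, acc).bit_length(), decrypt(p, acc), expected))
    return trace

if __name__ == "__main__":
    p = keygen()
    # Each fresh factor adds up to 9 bits of noise; once the true noise
    # exceeds p, reduction mod p wraps and the decrypted bit is unreliable.
    for step, (nbits, got, want) in enumerate(multiply_chain(p, [1] * 12), 1):
        print(f"{step:2d} factors: noise {nbits:3d} bits, dec={got}, expected={want}")
```

With a 64-bit p and 8-bit r, seven factors are always safe; beyond that the printed noise size saturates near 64 bits and decryption may disagree with the expected bit.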
[Figure: the old decryption algorithm DecE with inputs sk and c, and DecE combined with a Post-Process step, with labels sk, c and f(sk, r)]
[Figure: plot against t, with labels log Q and logQ/logP; "auxiliary solutions (Minkowski’s bound)" converges to ~ logQ+logP; "the solution we are seeking"; the blue line remains above the purple line]
Conclusions
Fully Homomorphic Encryption is a very powerful tool
Gentry09 gives first feasibility result
Showing that it can be done “in principle”
We describe a “conceptually simpler” scheme, using only modular arithmetic
What about efficiency?
Computation, ciphertext-expansion are polynomial, but a rather large one…
Improving efficiency is an open problem
Extra credit
The hard-core-bit theorem
Connection between approximate-GCD and simultaneous Diophantine approx.
Gentry’s technique for “squashing” the decryption circuit
Thank you