SlideShare a Scribd company logo

Homomorphic Encryption

Download as PPTX, PDF
Victor Pereira
Victor Pereira

Homomorphic encryption allows computations to be carried out on encrypted data without decrypting it first. This summary discusses Craig Gentry's scheme for fully homomorphic encryption based on ideal lattices. The scheme works by encrypting bits as ciphertexts with small noise that grows with computations. A bootstrapping procedure called re-crypt reduces the noise to keep ciphertexts decryptable. While promising for applications like cloud computing, the scheme has high computational costs that scale poorly with security level. Current research aims to make homomorphic encryption more efficient and practical.

1 of 20
Downloaded 285 times
Homomorphic Encryption Craig Gentry scheme
Why homomorphic encryption? • Proposed by Rivest, Adleman and Dertouzos • Confidentiality problems • Ability to compute over ciphertext instead of plaintext • One could use information without knowing the content of that information • Privacy garanteed
Homomorphic Encryption • Crypto Magic 5 * 6 = CT(5) * CT(6) -> D ( k, E(k,5) * E(k,6) ) = 5 * 6 Homomorphic Assumption • Partially homomorphic/fully homomorphic
Homomorphic Encryption • Partially homomorphic schemes – RSA: CT(x)*CT(y) = (xe mod M) * (ye mod M) = xeye mod M = (xy)e mod M = CT(x*y), where e is the exponent key and M the modulus • p=61; • q=53; • N=3233; • Φ(N)=60*52=3120; • e=17; • d=2753;
Homomorphic Encryption • Partially homomorphic schemes – RSA: Obtain 5*6 performing RSA(5)*RSA(6) • RSA(5) = 517 (mod 3233) = 3086; • RSA(6) = 617 (mod 3233) = 824; • 3068*824 = 2542864; • RSA-1(2542864) = 25428642753 (mod 3233) = 30; • 5*6 = 30;
Homomorphic Encryption • Fully homomorphic schemes – Craig Gentry scheme • Based on ideal lattices – Zaryab Khan scheme • Based on perfectly colorblind function
Craig Gentry scheme • Suppose a scheme with a “noise parameter” attached to each CT; • Encryption algorithm outputs a CT with a small noise parameter (say less than n); • Decryption algorithm only works if noise is less than some parameter N >> n; • To compute E(a+b) / E(a*b), include noise; • This gives a “somewhat homomorphic” scheme.
Craig Gentry scheme • Now suppose a new algorithm RECRYPT, such that: – Input: E(a), with noise N’ < N – Output: E’(a), with noise √N • “Somewhat homomorphic” -> fully homomorphic! • Apply RECRYPT to E(a) and E(b) to ensure that the noise in E(a*b) or E(a+b) is smaller than N • “Bootstrappable”
Craig Gentry scheme (integers) • Key: odd integer p > 2N • Encryption algorithm: given a bit b -> E(b) = c = b + 2x + kp, where x is in [-n/2,n/2] and k is an integer chosen from some range • Decryption algorithm: b = (c mod p) mod 2, where (c mod p) is the noise and belongs to [-n,n] • Decryption works if b + 2x ∈ [-N,N] ⊂[-p/2,p/2]
Craig Gentry scheme (integers) • Graig Gentry scheme’s homomorphic assumptions – Addiction: c1 + c2 = b1+ b2 + 2(x1+x2) + (k1+k2)p = b1 xor b2 + 2x + kp • Decryption works if (b1+2x1) + (b2+2x2) is in [- N,N] – Multiplication: c1*c2 = b1*b2 + 2(b1x2 + b2x1 + 2x1x2) + kp = b1*b2 + 2x + kp • Decryption works if (b1+2x1) * (b2+2x2) is in [- N,N]
Craig Gentry scheme (integers) • Addition example: 4+4 – CT(100): 22 21 21 • CT(1) = 1 + 2*3 + 5*3 = 22 +22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 44 42 42 • CT(0) = 0 + 2*3 + 5*3 = 21 – D(44 42 42): • D(44) = 44 mod 3 = 2 • D(42) = 42 mod 3 = 0 1000 = 8 = 4+4 • D(42) = 42 mod 3 = 0
Craig Gentry scheme (integers) • Multiplication example: 4*4 – CT(100): • CT(1) = 1 + 2*3 + 5*3 = 22 22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 ×22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 484 924 1365 882 441 – D(484 924 1365 882 441): • D(484) = 484 mod 3 = 1 • D(924) = 924 mod 3 = 0 • D(1365) = 1365 mod 3 = 0 10000 = 16 = 4*4 • D(882) = 882 mod 3 = 0 • D(441) = 441 mod 3 = 0
Craig Gentry scheme (ideal lattices) • Replace integers by ideal lattices • Ideal lattices have many representations or “bases” • Bases: – Good: good to decrypt, bad to encrypt – Bad: bad to decrypt, good to encrypt • Public key scheme, where good bases are private keys and bad bases are public keys
Cryptography over lattices • L = ζ(B) = {Bc : c ∈ Zk}, B ∈ Rn×k, where the k columns of the basis are linearly independent • NP-hard problems over lattices: – SVP (shortest vector problem): given a basis for lattice L of size n, find the shortest nonzero vector v ∈ L s.t. ||v|| = λ(L); – CVP (closest vector problem): given a basis for lattice L of size n and a vector t ∈ Rn, find a nonzero vector v ∈ L s.t. ||t-v|| ≤ γ;
Cryptography over lattices • NP-hard problems over lattices: – SIVP (shortest independent vector problem): like the SVP, except the output are linearly independent vectors v1, …, v2 ∈ L of length at most λ(L); – BDDP (bounded distance decoding problem): same as CVP but with the promise that there is a unique solution.
Craig Gentry scheme • Why inefficient? – CT size and computation time increase sharply as the security level increases; – 2k security -> CT size and computation time are high-degree polynomials in k; – Efforts are being made to reduce the computational requirements of Craig Gentry construction
Homomorphic Encryption • Nowadays: – Craig Gentry presented a working implementation of the fully homomorphic system, including the bootstrapping function – Exists a practical application of homomorphic encryption to a hybrid wireless network – Perform statistical tests over encrypted data such as temperature, humidity, etc. – There are also some practical implementations of simplifications of this scheme over databases
Problems solved • Cloud security • Problems related to personal records like medical records • Work with information stored in databases • Querys to search engines • …
My Project • Design an API and include it on a Web Service that will work over CLOUD platforms • The API should provide homomorphic encryption functions to be used • Create a prototype that will work under the constructed API
QUESTIONS?

More Related Content

Homomorphic Encryption

  • 1. Homomorphic Encryption Craig Gentry scheme
  • 2. Why homomorphic encryption? • Proposed by Rivest, Adleman and Dertouzos • Confidentiality problems • Ability to compute over ciphertext instead of plaintext • One could use information without knowing the content of that information • Privacy garanteed
  • 3. Homomorphic Encryption • Crypto Magic 5 * 6 = CT(5) * CT(6) -> D ( k, E(k,5) * E(k,6) ) = 5 * 6 Homomorphic Assumption • Partially homomorphic/fully homomorphic
  • 4. Homomorphic Encryption • Partially homomorphic schemes – RSA: CT(x)*CT(y) = (xe mod M) * (ye mod M) = xeye mod M = (xy)e mod M = CT(x*y), where e is the exponent key and M the modulus • p=61; • q=53; • N=3233; • Φ(N)=60*52=3120; • e=17; • d=2753;
  • 5. Homomorphic Encryption • Partially homomorphic schemes – RSA: Obtain 5*6 performing RSA(5)*RSA(6) • RSA(5) = 517 (mod 3233) = 3086; • RSA(6) = 617 (mod 3233) = 824; • 3068*824 = 2542864; • RSA-1(2542864) = 25428642753 (mod 3233) = 30; • 5*6 = 30;
  • 6. Homomorphic Encryption • Fully homomorphic schemes – Craig Gentry scheme • Based on ideal lattices – Zaryab Khan scheme • Based on perfectly colorblind function
  • 7. Craig Gentry scheme • Suppose a scheme with a “noise parameter” attached to each CT; • Encryption algorithm outputs a CT with a small noise parameter (say less than n); • Decryption algorithm only works if noise is less than some parameter N >> n; • To compute E(a+b) / E(a*b), include noise; • This gives a “somewhat homomorphic” scheme.
  • 8. Craig Gentry scheme • Now suppose a new algorithm RECRYPT, such that: – Input: E(a), with noise N’ < N – Output: E’(a), with noise √N • “Somewhat homomorphic” -> fully homomorphic! • Apply RECRYPT to E(a) and E(b) to ensure that the noise in E(a*b) or E(a+b) is smaller than N • “Bootstrappable”
  • 9. Craig Gentry scheme (integers) • Key: odd integer p > 2N • Encryption algorithm: given a bit b -> E(b) = c = b + 2x + kp, where x is in [-n/2,n/2] and k is an integer chosen from some range • Decryption algorithm: b = (c mod p) mod 2, where (c mod p) is the noise and belongs to [-n,n] • Decryption works if b + 2x ∈ [-N,N] ⊂[-p/2,p/2]
  • 10. Craig Gentry scheme (integers) • Graig Gentry scheme’s homomorphic assumptions – Addiction: c1 + c2 = b1+ b2 + 2(x1+x2) + (k1+k2)p = b1 xor b2 + 2x + kp • Decryption works if (b1+2x1) + (b2+2x2) is in [- N,N] – Multiplication: c1*c2 = b1*b2 + 2(b1x2 + b2x1 + 2x1x2) + kp = b1*b2 + 2x + kp • Decryption works if (b1+2x1) * (b2+2x2) is in [- N,N]
  • 11. Craig Gentry scheme (integers) • Addition example: 4+4 – CT(100): 22 21 21 • CT(1) = 1 + 2*3 + 5*3 = 22 +22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 44 42 42 • CT(0) = 0 + 2*3 + 5*3 = 21 – D(44 42 42): • D(44) = 44 mod 3 = 2 • D(42) = 42 mod 3 = 0 1000 = 8 = 4+4 • D(42) = 42 mod 3 = 0
  • 12. Craig Gentry scheme (integers) • Multiplication example: 4*4 – CT(100): • CT(1) = 1 + 2*3 + 5*3 = 22 22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 ×22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 484 924 1365 882 441 – D(484 924 1365 882 441): • D(484) = 484 mod 3 = 1 • D(924) = 924 mod 3 = 0 • D(1365) = 1365 mod 3 = 0 10000 = 16 = 4*4 • D(882) = 882 mod 3 = 0 • D(441) = 441 mod 3 = 0
  • 13. Craig Gentry scheme (ideal lattices) • Replace integers by ideal lattices • Ideal lattices have many representations or “bases” • Bases: – Good: good to decrypt, bad to encrypt – Bad: bad to decrypt, good to encrypt • Public key scheme, where good bases are private keys and bad bases are public keys
  • 14. Cryptography over lattices • L = ζ(B) = {Bc : c ∈ Zk}, B ∈ Rn×k, where the k columns of the basis are linearly independent • NP-hard problems over lattices: – SVP (shortest vector problem): given a basis for lattice L of size n, find the shortest nonzero vector v ∈ L s.t. ||v|| = λ(L); – CVP (closest vector problem): given a basis for lattice L of size n and a vector t ∈ Rn, find a nonzero vector v ∈ L s.t. ||t-v|| ≤ γ;
  • 15. Cryptography over lattices • NP-hard problems over lattices: – SIVP (shortest independent vector problem): like the SVP, except the output are linearly independent vectors v1, …, v2 ∈ L of length at most λ(L); – BDDP (bounded distance decoding problem): same as CVP but with the promise that there is a unique solution.
  • 16. Craig Gentry scheme • Why inefficient? – CT size and computation time increase sharply as the security level increases; – 2k security -> CT size and computation time are high-degree polynomials in k; – Efforts are being made to reduce the computational requirements of Craig Gentry construction
  • 17. Homomorphic Encryption • Nowadays: – Craig Gentry presented a working implementation of the fully homomorphic system, including the bootstrapping function – Exists a practical application of homomorphic encryption to a hybrid wireless network – Perform statistical tests over encrypted data such as temperature, humidity, etc. – There are also some practical implementations of simplifications of this scheme over databases
  • 18. Problems solved • Cloud security • Problems related to personal records like medical records • Work with information stored in databases • Querys to search engines • …
  • 19. My Project • Design an API and include it on a Web Service that will work over CLOUD platforms • The API should provide homomorphic encryption functions to be used • Create a prototype that will work under the constructed API