Homomorphic Encryption Overview

Slide Note
Embed
Share

Homomorphic encryption allows computation on encrypted data without revealing the underlying information. It enables secure delegation of data processing to a server while maintaining privacy. The process involves key generation, encryption, decryption, and evaluation of functions on encrypted data. Security is achieved through semantic security, correctness, and compactness principles. Analogy with a jewelry store illustrates the concept of processing data without direct access. Different levels of homomorphic encryption include Somewhat Homomorphic Encryption (SWHE) and Fully Homomorphic Encryption (FHE). The paradox of cloud storage and encrypted files is addressed through semantic security considerations.

kol_ba
kol_ba Follow

Uploaded on Sep 14, 2024 | 0 Views

Download Presentation

Please find below an Image/Link to download the presentation.

The content on the website is provided AS IS for your information and personal use only. It may not be sold, licensed, or shared on other websites without obtaining consent from the author. Download presentation by click this link. If you encounter any issues during the download, it is possible that the publisher has removed the file from their server.

E N D

Presentation Transcript

  1. Homomorphic Encryption (Part I): SWHE Shai Halevi * Many slides taken from Craig Gentry May 18, 2015 Simons Institute, Cryptography Boot Camp

  2. Computing on Encrypted Data Can we delegate the processing of data, without giving away access to it.

  3. Encrypted Cloud Computing The special sauce! For security parameter , Eval s running should be Time(f) poly( ) Run I want 1) the cloud to process my data 2) even though it is encrypted. Eval[ f, Encpk(x) ] = Encpk[f(x)] Encpk(x) function f Server (Cloud) This could be encrypted too. Alice Delegation: Should cost less for Alice to encrypt x and decrypt f(x) than to compute f(x) herself. (Input: data x, secret key sk) f(x) Encpk[f(x)]

  4. Homomorphic Encryption (HE) Procedures: KeyGen, Encrypt, Decrypt, Eval Semantic Security: same as for basic encryption Correctness: For any function f in supported family F: c1 Encpk(m1) ct Encpk(mt) c* Evalpk(f, c1, , ct) Decsk(c*) = f(m1, , mt) Compactness: complexity of decrypting c* does not depend on complexity of f

  5. An Analogy: Alices Jewelry Store Alice wants workers to assemble raw materials into jewelry But Alice is worried about theft: She wants workers to process raw materials without having access. Alice puts raw materials in locked glovebox. Workers assemble jewelry inside glovebox, using the gloves. Alice unlocks box to get results .

  6. Homomorphic Encryption Somewhat means it works for some functions f f Enc[x] Somewhat Homomorphic Encryption (SWHE): Eval Enc[f(x)] Pre-2009 schemes were somewhat homomorphic.

  7. Homomorphic Encryption Fully means it works for all functions f f Enc[x] Fully Homomorphic Encryption (FHE) [RAD78, Gen09]: Eval Enc[f(x)]

  8. HE Security: A Paradox? Cloud stores my encrypted files: pk, Encpk(f1), , Encpk(fn). Later, I want f3, but want to hide 3 from cloud. I send Encpk (3) to the cloud. Cloud runs Evalpk (F, Encpk(3), Encpk(f1), , Encpk(fn)), where F(n, {files}) is the function that outputs the nth file. It sends me the (encrypted) file f3. Paradox?: Can t the cloud see it is sending the 3rd encrypted file? By comparing the stored value Encpk(f3) to the ciphertext it sends? Resolution of paradox: Semantic security implies: Many encryptions of f3, Hard to tell when two ciphertexts encrypt the same thing.

  9. Properties/Limitations of HE

  10. Some Properties Chosen-ciphertext security: HE is malleable by design, standard CCA security cannot be achieved Can get CCA1other security notions (e.g. homomorphic sigs) Multi-hop: Can we apply Eval to evaluated ciphertexts? Usually yes, but not inherently so Function privacy: Does Evalpk(f, ) hide f? Even from an adversary that has the secret key? This can be arranged Malicious security: What if pk, c are malformed?

  11. Secret-key vs. Public-key HE A helpful aside: for homomorphic encryption, public-key and secret-key are essentially the same Theorem [R11]: There is an easy black-box transformation from secret-key HE to public-key HE Public key: random bits and their encryptions ?1,?1, , ? ,? , ??= ?????(??) is chosen larger than the cipehrtext-size, |??| To Encrypt a bit ?, choose a random bit-string ? such that ????= ?, output ? = ??=1??= ???( ????) ?? =

  12. Transforming HE from SK to PK ?? = ?,? , ??= ?????(??) ? = |??| Enc(?): choose random ? 0,1 s.t. ?,? = ? output ? = ??=1??= ??? Correctness: immediate from additive homomorphism Security: The transformation ? ? is lossy If the ?? s were encryptions of zero then secrecy of ? would follow from leakage resilience of inner-product By security of the underlying secret-key scheme, adversary cannot tell if the ?? s are encryptions of zero ?,?

  13. FHE Doesnt Do Obfuscation Obfuscation: I give the cloud an encrypted program Enc(P). For any input x, cloud can compute Enc(P)(x) = P(x). Cloud learns nothing about P, except {xi,P(xi)}. Difference between obfuscation and FHE: In FHE, cloud computes Enc(P(x)), and it can t decrypt to get P(x). Barak et al: On the (Im)possibility of Obfuscating Programs Certain types of obfuscation are impossible. Garg et al: Candidate Indistinguishability Obfuscation and Functional Encryption for All Circuits Certain types of obfuscation seem possible (we have schemes).

  14. FHE Doesnt Do RAM Circuits vs. RAMs: Circuits are powerful: Circuit-size TM complexity. But random-access machines compute some functions much faster than a TM or circuit (Binary search) Can t do random access on encrypted data without leaking some information (not surprising) What we can do: Oblivious RAM: But this is a very interactive protocol between client and server where server can t tell what client is computing Use Obfuscation to do ORAM: Intuitively, obfuscation allows addresses in memory to be revealed noninteractively .

  15. FHE Doesnt Do Multi-Key Multi-Key FHE Different clients encrypt data under different FHE keys ci Encpki(mi) Later, cloud combines data encrypted under different keys to get c* Eval(pk1, pkt,f,c1, ct). Can decrypt c* to f(m1, ,mt) by pooling sk1, sk FHE doesn t do this automatically . But there are some schemes that do this

  16. Constructing SWHE How to compute on encrypted data? Express functions to compute as a binary circuit with +, That s always possible Design a bit-encryption scheme that supports addition, multiplication of encrypted bits That s the hard part 1. 2.

  17. A Toy HE Scheme (from American Scientist magazine) Encryption: Double the plaintext. x 2x Decryption: Halve the ciphertext. x x/2

  18. About Homomorphism Name inspired by ring-homomorphism Ring of ciphertexts Ring of plaintexts Enc Commutative Diagram +, , Ring of ciphertexts Ring of plaintexts Enc

  19. About Homomorphism Name inspired by ring-homomorphism Ring of ciphertexts Ring of plaintexts Enc Homomorphism should not be taken too literally Else zero-encryptions form a linear subspace (ideal) Is it possible to hide such an ideal? Some attempts (e.g. Polly Cracker), but broken

  20. Noisy Ciphertexts Each ciphertext has some noise that hides the message. Think: hidden error correcting codes If error is small, Alice can use knowledge of hidden code to remove the noise. If noise is large, decryption is hopeless even for Alice.

  21. Example: SWHE over the Integers Main Idea Encryptions of 0 are something small and even modulo a secret integer. Secret key: large odd integer n Public key: integers ??= ??? + 2?? ? , ?? ? These are encryptions of 0 Encrypt: Subset-sum of ?? s, then add ? {0,1} ? = ? ???= ??? ? + 2 ???+ ? Decrypt: ? ??? ? = 2? + ?, LBS is message ? ADD, MULT: sum/product over the integers

  22. Security of SWHE with Integers Reduction: If approximate gcd problem is hard, then the scheme is semantically secure. Approximate GCD Problem: Given many ??= ??? + ?? (approx multiples of ?), find ?.

  23. The Noise Problem ADD: c = c1+c2. Noise of c is [c mod n] = [c1mod n] + [c2mod n] Unless this sum is bigger than n (decryption error). MULT: c = c1 c2. Noise [c mod n] is product of noises, unless product > ?. ?1? + ?1 ?2? + ?2 = ?1?2? + ?1?2+ ?2?1? + ?1?2 Function ?: ? = ?(?1, ,??). Noise [? mod ?] = f([?? mod ?]?) i.e., ? applied to noises. Rough approximation: Noise magnitude increases exponentially with degree of ?.

  24. The Noise Problem Hurts Efficiency. Why? Ciphertexts must be large to let noise room to grow . Noise grows exponentially with degree. Bit-length of noise grows linearly with degree. Ciphertext size grows linearly with degree.

  25. Somewhat Homomorphic Encryption Based on LWE Focusing on the Gentry-Sahai-Waters scheme. (Brakerski and Vaikuntanathan were the first to construct HE based on LWE.)

  26. Regevs Encryption Scheme KeyGen(1?): Choose secret key ? = 1,?? ?? Public key: ? ?? ? ? ? random except ? ?? small Encrypt(?,? {0,1}): For random ? 0,1? output ? ?,0, ,0 ? 2+ ? ? Decrypt(?,?): Compute ?,? = ? ? 2+ ? ? ? = ? ? ?,? 2+ small (mod q) Recover ? as MSB ?

  27. Properties of Regevs Scheme Vectors: Ciphertext ? and secret-key ? are vectors over ??, the1st entry in t is 1 Small dot-product: If ? encrypts ? under ? then ?,? ?= ? ? 2+small Ciphertexts are pseudorandom: Under the hardness of decision-LWE, ciphertext are indistinguishable from uniform vectors over ?? To an attacker who doesn t know the secret key

  28. Homomorphic ADD in Regev Additive Homomorphism: Add ciphertexts ?= ?? ? 2+ smalli then If ??,? ?= ?1+ ?2 ? 2+small ?1+ ?2,? (if original small s were small enough)

  29. Homomorphic MULT in Regev Mulitplicative homomorphism: multiply cipehrtexts? How do you multiply vectors? Tensor product? For ? = ?1, ,??,? = (?1, ,??), the tensor is ? ? = (?1?1, ,????) Fact: ?? ??,? ? = ??,? ??,? (mixed prod.) ?? ?? can be seen as encrypting ?1 ?2 under ? ? Efficiency problem: MULT squares the dimension Brakerski and Vaikuntanathan made this work Turn ciphertexts into matrices? Use matrix product

  30. Matrix Version (1st try) ? KeyGen: As before, secret key ? = 1,? ?? ? ? Encrypt(? {0,1}): Choose ?0 ?? Rows are Regev-encryption of 0, ?0 ? =small Output C = ? ? + ?0 (? is the identity) Security: ?0 is pseudorandom (hence also ?) Decryptt(C): Compute ? = ? ??= ? ? + ?0 ? = ? ? +small Output 0 if ? is small, 1 if ? is close to ? Secret key ? is approximate eigenvector of ? Message ? is the corresponding eighenvalue

  31. Homomorphism in Error-Free Setting Ciphertext Matrix Message Eigenvalue Secret Key Eigenvector If ?? ? = ?? ? ??? ? Then ?1+ ?2 ? = ?1+ ?2 ? (??? ?) And ?1 ?2 ? = ?1 ?2 ? (??? ?)

  32. Homomorphism with Error (1st try) ?? ? = ?? ? + ?? (??? ?) for ? = 1,2 Addition: ?1+ ?2 ? = ?1+ ?2 ? + (?1+ ?2) Multiplication: ? = ?1 ?2 ? ? = ?1 ?2 ? = ?1 ?2 ? + ?? = ?2 ?1 ? + ?1 ?? = ?2 ?1 ? + ?1 + ?1 ?? = ?1 ?2 ? + ?2 ??+ ?1 ?? (??? ?) New Noise

  33. Controlling the Noise New Noise ? ? = ?1 ?2 ? + ?2 ??+ ?1 ?? Keep messages ? small: Easy! Restrict messages to {0,1} and use NAND gates Keep ciphertext entries small: Can we flatten the product matrix ? to make its entries small?

  34. Gadget for Flattening ? ? with associated ? ? ?? Use Gadget Matrix ? ?? inverse transformation ? 1:?? Used for lattice trapdoors [A99, ,MP12] ? ? ? ?: For any ? ?? ? 1? ?? ? 1? ? = ? ? ? is small

  35. Example of a Gadget Matrix ? 1? breaks each entry in C to its bits 7 2 4 5 1 1 1 0 1 0 1 0 0 1 0 1 0 0 1 0 0 1 0 0 0 4 2 1 1 3 4 2 1 0 0 0 ? has powers of two, G =

  36. Modified Matrix Encryption ? ? such that + ? Encryption of ? is a matrix ? ?? ? ? = ? (? ?) ? Easy to modify Enc to get this form Set ? = ? ? + ?0 rather than ? = ? ? + ?0 Security follows from LWE as before Additive homomorphism works just as before

  37. Homomorphic Multiplication ?? ? = ?? ? + ?? for ? = 1,2 (? = ? ?) Set ? = ? 1(?1) ?2 = ? 1?1 ?2 ? = ? 1?1 ?2 ? + ?2 = ?2 ? 1?1 ? ? + ? 1?1 ?? = ?2 ?1 ? + ? 1?1 ?? ? ?

  38. Homomorphic Multiplication ?? ? = ?? ? + ?? for ? = 1,2 (? = ? ?) Set ? = ? 1(?1) ?2 = ? 1?1 ?2 ? = ? 1?1 ?2 ? + ?2 = ?2 ? 1?1 ? ? + ? 1?1 ?? = ?2 ?1 ? + ? 1?1 ?? = ?2 ?1 ? + ?? + ? 1?1 ?? = ?1?2 ? + ?2 ??+ ? 1?1 ?? ? ? (??? ?) small New Noise

  39. Summary of GSW Encryption of ? is ? ? = ? ? + ? (? = ? ?) Additive homomorphism: ?+= ?1+ ?2 New noise is ?+ ??+ ?? 2 max( ??) Multiplicative homomorphism: ? = ? 1(?1) ?2 New noise is ? ?2 ??+ ? ?? ? + 1 max(|??|) Somewhat homomorphic: can evaluate circuits with log?+1? levels

  40. Questions?

Related


Homomorphic Encryption and RLWE Schemes Overview

Homomorphic Encryption and RLWE Schemes Overview

galletta_n
Bootstrapping in Fully Homomorphic Encryption

Bootstrapping in Fully Homomorphic Encryption

elaysia
Understanding Homomorphic Signatures and Fully Homomorphic Encryption

Understanding Homomorphic Signatures and Fully Homomorphic Encryption

dberg
Exploring Cloud Cryptography for Secure Data Processing

Exploring Cloud Cryptography for Secure Data Processing

vespera
Fully Homomorphic Encryption: Foundations and Applications

Fully Homomorphic Encryption: Foundations and Applications

kora
The Vital Role of Encryption in Safeguarding the Digital Economy

The Vital Role of Encryption in Safeguarding the Digital Economy

dsega
Understanding Fully Homomorphic Encryption in Information Security

Understanding Fully Homomorphic Encryption in Information Security

fordh
Understanding AES Encryption in Computer Engineering

Understanding AES Encryption in Computer Engineering

lavinia
Security with Functional Re-Encryption in Cryptography

Security with Functional Re-Encryption in Cryptography

persis
Understanding Encryption: Keys, Algorithms, and Applications

Understanding Encryption: Keys, Algorithms, and Applications

yoha_481
Advancements in Multi-Key Homomorphic Encryption Using TFHE

Advancements in Multi-Key Homomorphic Encryption Using TFHE

vover
Probabilistic Public Key Encryption with Equality Test Overview

Probabilistic Public Key Encryption with Equality Test Overview

keos443
Overview of SMX Algorithm and AES Encryption Standard

Overview of SMX Algorithm and AES Encryption Standard

nmag
Understanding AES Encryption Algorithm and Its Implementation

Understanding AES Encryption Algorithm and Its Implementation

danger
Introduction to SFTP & PGP Encryption for Secure Data Transfer

Introduction to SFTP & PGP Encryption for Secure Data Transfer

bunty
Cryptography Concepts and Encryption Methods Overview

Cryptography Concepts and Encryption Methods Overview

tming
Public key encryption, Digital signature and authentication

Public key encryption, Digital signature and authentication

huda
Understanding Security Threats and Public-Key Cryptosystems

Understanding Security Threats and Public-Key Cryptosystems

ainhoa
Columnar Transposition Cipher: Data Encryption Techniques at Mustansiriyah University Engineering College

Columnar Transposition Cipher: Data Encryption Techniques at Mustansiriyah University Engineering College

remiel
ADFGVX Cipher: Encryption and Decryption Techniques

ADFGVX Cipher: Encryption and Decryption Techniques

scarlett
Understanding Cryptography Basics and Toolbox

Understanding Cryptography Basics and Toolbox

mhed
Overview of Modern Cryptography and Data Encryption Standard (DES)

Overview of Modern Cryptography and Data Encryption Standard (DES)

cop_cro
Introduction to RSA Cryptography and Public Key Encryption

Introduction to RSA Cryptography and Public Key Encryption

romilly
Introduction to Public Key Cryptography

Introduction to Public Key Cryptography

kenna

More Related Content

Introduction to Cryptography, Cryptanalysis, and Cryptology
Introduction to Cryptography, Cryptanalysis, and Cryptology
Understanding Block Ciphers in Cryptography
Understanding Block Ciphers in Cryptography
Understanding Encryption Techniques: From Transposition Ciphers to Rail Fence Ciphers
Understanding Encryption Techniques: From Transposition Ciphers to Rail Fence Ciphers
Improved Encryption Technique for Phase Change Memory (PCM)
Improved Encryption Technique for Phase Change Memory (PCM)
Understanding Public Key Cryptosystems in RSA Encryption
Understanding Public Key Cryptosystems in RSA Encryption
Enhancing Privacy in Crowdsourced Spectrum Allocation
Enhancing Privacy in Crowdsourced Spectrum Allocation
Secure Multiparty Computation: Enhancing Privacy in Data Sharing
Secure Multiparty Computation: Enhancing Privacy in Data Sharing
Efficient Multi-Party Computation Techniques
Efficient Multi-Party Computation Techniques
Understanding Symmetric Key Block Ciphers - Overview and Implementation
Understanding Symmetric Key Block Ciphers - Overview and Implementation
Understanding Cryptography: Basics of Encryption and Padding
Understanding Cryptography: Basics of Encryption and Padding
AN/PRC-117F Characteristics Overview
AN/PRC-117F Characteristics Overview
Introduction to SFTP & PGP Encryption
Introduction to SFTP & PGP Encryption
Conjunctive Searchable Symmetric Encryption From Hard Lattices
Conjunctive Searchable Symmetric Encryption From Hard Lattices
Enhancing Security Definitions for Functional Encryption
Enhancing Security Definitions for Functional Encryption
Introduction to Computer Security and Number Theory
Introduction to Computer Security and Number Theory
Understanding DES Block Cipher in Computer Engineering at Mustansiriyah University
Understanding DES Block Cipher in Computer Engineering at Mustansiriyah University
Discussion on IEEE 802.11 Use Cases for Wi-Fi Deployment in Public and Residential Settings
Discussion on IEEE 802.11 Use Cases for Wi-Fi Deployment in Public and Residential Settings
Transposition Cipher Techniques in Modern Block Ciphers
Transposition Cipher Techniques in Modern Block Ciphers
Secure Memory Encryption Techniques for Virtual Machines across Multiple Hosts
Secure Memory Encryption Techniques for Virtual Machines across Multiple Hosts
Evolution of Proofs in Cryptography
Evolution of Proofs in Cryptography
Dual System Encryption: Concept, History, and Recent Works
Dual System Encryption: Concept, History, and Recent Works
Hardness of Proving CCA-Security in Signed ElGamal
Hardness of Proving CCA-Security in Signed ElGamal
Efficient Rekeying for Encrypted Deduplication Storage
Efficient Rekeying for Encrypted Deduplication Storage
Understanding Public-Key Cryptography and Its Applications
Understanding Public-Key Cryptography and Its Applications