Presentation is loading. Please wait.

Presentation is loading. Please wait.

Fully Homomorphic Encryption (FHE) By: Matthew Eilertson.

Published byShonda Hudson Modified over 8 years ago

Similar presentations

Presentation on theme: "Fully Homomorphic Encryption (FHE) By: Matthew Eilertson."— Presentation transcript:

1 Fully Homomorphic Encryption (FHE) By: Matthew Eilertson

2 Overview FHE, origins, why we care? Background Discussion First Implementation (Craig Gentry) – Somewhat Homomorphic Encryption (SWHE) – Bootstrapping Recent Improvement (Craig Gentry Et al) – Replacing Bootstrapping

3 Computing on Encrypted Data Storing my files on the cloud – Encrypt them to protect my information – Search through them for emails with “homomorphic” in the subject line Cloud should return only these (encrypted) messages, w/o knowing the key Private Internet search – Encrypt my query, send to Google – I still want to get the same results Results would be encrypted too

4 Fully Homomorphic Encryption Function f x Enc(x) Eval: f, Enc(x)  Enc(f(x)) homomorphic evaluation Knows nothing of x. [Rivest-Adleman-Dertouzos’78] 4 of 32

5 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] – their motivation: searching encrypted data 5 of 32

6 Fully Homomorphic Encryption ► First Defined: “Privacy homomorphism” [RAD’78] ► Limited Variants: – GM & Paillier: additively homomorphic – RSA & El Gamal: multiplicatively homomorphic – their motivation: searching encrypted data c 1 = m 1 e c 2 = m 2 e c n = m n e X c* = c 1 c 2 …c n = (m 1 m 2 …m n ) e mod N 6 of 32

7 Public-key Encryption Three procedures: KeyGen, Enc, Dec – (sk,pk)  KeyGen($) Generate random public/secret key-pair – c  Enc pk (m) Encrypt a message with the public key – m  Dec sk (c) Decrypt a ciphertext with the secret key E.g., RSA: c  m e mod N, m  c d mod N – (N,e) public key, d secret key

8 Homomorphic Public-key Encryption Also another procedure: Eval – c*  Eval pk ( , c 1,…,c n ) –  a Boolean circuit with ADD, MULT mod 2 Encryption of inputs m 1,…,m n to  Circuit Encryption of output value m*=  (m 1,…,m n )

9 An Analogy: Alice’s Jewelry Store Alice’s workers need to assemble raw materials into jewelry But Alice is worried about theft How can the workers process the raw materials without having access to them?

10 An Analogy: Alice’s Jewelry Store Alice puts materials in locked glove box – For which only she has the key Workers assemble jewelry in the box Alice unlocks box to get “results”

11 The Analogy Enc: putting things inside the box – Anyone can do this (imagine a mail-drop) – c i  Enc pk (m i ) Dec: Taking things out of the box – Only Alice can do it, requires the key – m*  Dec sk (c*) Eval: Assembling the jewelry – Anyone can do it, computing on ciphertext – c*  Eval pk ( , c 1,…,c n ) m* =  (m 1,…,m n ) is “the ring”, made from “raw materials” m 1,…,m n

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32 Secret key: large odd number p 0p2p3p-3p-2p-p

33 Secret key: large odd number p To Encrypt a bit b: – pick a (random) “large” multiple of p, say q·p 0p2p3p-3p-2p-p

34 Secret key: large odd number p To Encrypt a bit b: – pick a (random) “large” multiple of p, say q·p – pick a (random) “small” number 2·r+b 0p2p3p-3p-2p-p (this is even if b=0, and odd if b=1) the “noise” = 2·r+b

35 Secret key: large odd number p To Encrypt a bit b: – pick a (random) “large” multiple of p, say q·p – pick a (random) “small” number 2·r+b – Ciphertext c = q·p+2·r+b 0p2p3p-3p-2p-p (this is even if b=0, and odd if b=1) the “noise” = 2·r+b

36 Secret key: large odd number p To Encrypt a bit b: – pick a (random) “large” multiple of p, say q·p – pick a (random) “small” number 2·r+b – Ciphertext c = q·p+2·r+b 0p2p3p-3p-2p-p (this is even if b=0, and odd if b=1) the “noise” = 2·r+b To Decrypt a ciphertext c: Taking c mod p recovers the noise

37 How secure is this? … if there were no noise (think r=0) 0p2p3p-3p-2p-p the “noise” = 2·r+b … and I give you two encryptions of 0 (q 1 p & q 2 p) … then you can recover the secret key p = GCD(q 1 p, q 2 p)

38 How secure is this? … but if there is noise 0p2p3p-3p-2p-p the “noise” = 2·r+b … the GCD attack doesn’t work … and neither does any attack (we believe) … this is called the approximate GCD assumption

39 XORing two encrypted bits: 0p2p3p-3p-2p-p the “noise” = 2·r+b – c 1 = q 1 ·p + (2·r 1 + b 1 ) – c 2 = q 2 ·p + (2·r 2 + b 2 )

40 XORing two encrypted bits: 0p2p3p-3p-2p-p the “noise” = 2·r+b – c 1 = q 1 ·p + (2·r 1 + b 1 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 ) – c 2 = q 2 ·p + (2·r 2 + b 2 )

41 XORing two encrypted bits: 0p2p3p-3p-2p-p the “noise” = 2·r+b – c 1 = q 1 ·p + (2·r 1 + b 1 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 ) Odd if b 1 =0, b 2 =1 (or) b 1 =1, b 2 =0 Even if b 1 =0, b 2 =0 (or) b 1 =1, b 2 =1 – c 2 = q 2 ·p + (2·r 2 + b 2 )

42 XORing two encrypted bits: 0p2p3p-3p-2p-p the “noise” = 2·r+b – c 1 = q 1 ·p + (2·r 1 + b 1 ) – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 ) lsb= b 1 XOR b 2 – c 2 = q 2 ·p + (2·r 2 + b 2 )

43 ANDing two encrypted bits: 0p2p3p-3p-2p-p the “noise” = 2·r+b – c 1 = q 1 ·p + (2·r 1 + b 1 ) – c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2

44 ANDing two encrypted bits: 0p2p3p-3p-2p-p the “noise” = 2·r+b – c 1 = q 1 ·p + (2·r 1 + b 1 ) lsb= b 1 AND b 2 – c 2 = q 2 ·p + (2·r 2 + b 2 ) – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2

45 0p2p3p-3p-2p-p the “noise” = 2·r+b the noise grows!

46 0p2p3p-3p-2p-p the “noise” = 2·r+b the noise grows! – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 ) noise= 2 * (initial noise)

47 0p2p3p-3p-2p-p the “noise” = 2·r+b the noise grows! – c 1 +c 2 = p·(q 1 + q 2 ) + 2·(r 1 +r 2 ) + (b 1 +b 2 ) noise= 2 * (initial noise) noise = (initial noise) 2 – c 1 c 2 = p·(c 2 ·q 1 +c 1 ·q 2 -q 1 ·q 2 ) + 2·(r 1 r 2 +r 1 b 2 +r 2 b 1 ) + b 1 b 2

48 0173451-51-34-17 noise=-14 the noise grows! … so what’s the problem? 20

49 0173451-51-34-17 noise=-14 the noise grows! … so what’s the problem? 20 decryption will recover noise’=3

50 0173451-51-34-17 noise=-14 the noise grows! … so what’s the problem? 20 If the |noise| > p/2, then … decryption will output an incorrect bit decryption will recover noise’=3

51 So, what….? … we can do lots of additions and … some multiplications (= a “somewhat homomorphic” encryption)

52 So, what….? … we can do lots of additions and … some multiplications … enough to do many useful tasks, e.g., database search, spam filtering etc. (= a “somewhat homomorphic” encryption)

53 A Recent Breakthrough Genty09: A bootstrapping technique Somewhat homomorphic → Fully homomorphic Gentry also described a candidate “bootstrappable” scheme – Based on ideal lattices Scheme E can evaluate its own decryption circuit Scheme E* can evaluate any circuit

54 Getting From SWHE to FHE Bootstrapping – A term invented by Gentry to describe an encryption scheme that can evaluate its own (slightly augmented) decryption circuit.

55 RSA&friends MANY mult ZERO add Fully homomorphic MANY add MANY mult WE ARE HERE!

56 Fully homomorphic MANY add MANY mult WE ARE HERE! [bootstrapping] … but how? The “bootstrapping method” … If you can go a (large) part of the way, then you can go all the way. RSA&friends MANY mult ZERO add

57 noise=0 noise=p/2 Let’s think… … What is the best noise-reduction procedure? … something that kills all noise … and recovers the message Decryption! Ctxt = Enc(b)Secret key Decrypt b

58 noise=0 noise=p/2 Let’s think… … What is the best noise-reduction procedure? … something that kills all noise … and recovers the message Decryption! Secret key Decrypt b Fn. that acts on ciphertext and eliminates noise Ctxt = Enc(b)

59 noise=0 noise=p/2 Let’s think… … What is the best noise-reduction procedure? … something that kills all noise … and recovers the message Decryption! Secret key Decrypt b Ctxt = Enc(b) But I can’t give the secret key out for free!

60 noise=0 noise=p/2 Let’s think… Secret key Decrypt b But I can’t give the secret key out for free! Ctxt = Enc(b) … I want to reduce noise without letting you decrypt

61 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Secret key Decrypt b Ctxt = Enc(b)

62 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) … called “Circular Encryption” Secret key Decrypt b Ctxt = Enc(b)

63 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) … called “Circular Encryption” Decrypt b Ctxt = Enc(b)Enc(Secret key)

64 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt b … Homomorphically evaluate the decryption ckt!!! Ctxt = Enc(b) … Now, to reduce noise …

65 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt … Homomorphically evaluate the decryption ckt!!! Ctxt = Enc(b) … Now, to reduce noise … Enc(b)

66 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt … Homomorphically evaluate the decryption ckt!!! Ctxt = Enc(b) … Now, to reduce noise … Enc(b)

67 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt … the input Enc(b) and output Enc(b) have different noise levels … Ctxt = Enc(b) KEY OBSERVATION: Enc(b)

68 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b)… Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED

69 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b)… Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED

70 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b)… Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED

71 noise=0 noise=p/2 KEY IDEA: … I cannot release the secret key (lest everyone sees my data) … but I can release Enc(secret key) Enc(Secret key) Decrypt Regardless of the noise in the input Enc(b)… Ctxt = Enc(b) KEY OBSERVATION: Enc(b) the noise level in the output Enc(b) is FIXED

72 Bottomline: whenever noise level increases beyond a limit … noise=0 noise=p/2 … use bootstrapping to reset it to a fixed level

73 noise=0 noise=p/2 Bootstrapping requires homomorphically evaluating the decryption circuit …

74 Lots of new Encryption Schemes … simpler, more secure, more efficient e.g., [Brakerski, Vaikuntanathan 2012] Dramatic Efficiency Improvements

75 Slide and Paper Credits Slides – Craig Gentry, Winter School on Lattice-Based Cryptography and Applications Bar-Ilan University, Israel 19/2/2012-22/2/2012 – Vinod Vaikuntanathan, University of Toronto Papers – Easy FHE, Craig Gentry https://crypto.stanford.edu/craig/easy-fhe.pdf https://crypto.stanford.edu/craig/easy-fhe.pdf – FHE over Integers http://eprint.iacr.org/2009/616.pdf http://eprint.iacr.org/2009/616.pdf

Download ppt "Fully Homomorphic Encryption (FHE) By: Matthew Eilertson."

Similar presentations

A Simple BGN-Type Cryptosystem from LWE

A Simple BGN-Type Cryptosystem from LWE
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
Fully Homomorphic Encryption over the Integers

Fully Homomorphic Encryption over the Integers
Lattices, Cryptography and Computing with Encrypted Data

Lattices, Cryptography and Computing with Encrypted Data
Cryptographic Multilinear Maps

Cryptographic Multilinear Maps
RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.

RSA COSC 201 ST. MARY’S COLLEGE OF MARYLAND FALL 2012 RSA.
Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.

Data Security 1 El_Gamal Cryptography. Data Security2 Introduction El_Gamal is a public-key cryptosystem technique El_Gamal is a public-key cryptosystem.
Paper by: Craig Gentry Presented By: Daniel Henneberger.

Paper by: Craig Gentry Presented By: Daniel Henneberger.
Exciting experience in participating EDM forum commissioned projects Protect Patient Privacy When Sharing Data for CER 12/01/11 – 6/01/12 Write a commissioned.

Exciting experience in participating EDM forum commissioned projects Protect Patient Privacy When Sharing Data for CER 12/01/11 – 6/01/12 Write a commissioned.
1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.

1 Introduction CSE 5351: Introduction to cryptography Reading assignment: Chapter 1 of Katz & Lindell.
Asymmetric-Key Cryptography

Asymmetric-Key Cryptography
BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.

BY : Darshana Chaturvedi.  INTRODUCTION  RSA ALGORITHM  EXAMPLES  RSA IS EFFECTIVE  FERMAT’S LITTLE THEOREM  EUCLID’S ALGORITHM  REFERENCES.
FULLY HOMOMORPHIC ENCRYPTION

FULLY HOMOMORPHIC ENCRYPTION
1 Information Security – Theory vs. Reality 0368-4474-01, Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.

1 Information Security – Theory vs. Reality , Winter 2011 Lecture 14: More on vulnerability and exploits, Fully homomorphic encryption Eran.
FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.

FULLY HOMOMORPHIC ENCRYPTION IBM T. J. Watson Vinod Vaikuntanathan from the Integers Joint Work with M. van Dijk (MIT & RSA labs), C. Gentry (IBM), S.
Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.

Lecture 3.3: Public Key Cryptography III CS 436/636/736 Spring 2012 Nitesh Saxena.
7. Asymmetric encryption-

7. Asymmetric encryption-
CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 6 Jonathan Katz.
CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.

CMSC 414 Computer (and Network) Security Lecture 2 Jonathan Katz.
20-751 ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

ECOMMERCE TECHNOLOGY FALL 2003 COPYRIGHT © 2003 MICHAEL I. SHAMOS Cryptography.

Similar presentations

Ads by Google