Homomorphic
Encryption
Alexander Maximov
Overview
•
•
•
•
•
•
•
•
•
•
•
•
•
History
Partially Homomorphic Encryption Schemes
HE Usage Scenarios
Somewhat HE and Fully HE over the Integers
Bootstrapping Technique
Ciphertext Squashing Technique
Ciphertext Reduction Technique
Converting Somewhat HE to Fully HE
Approximate GCD Problem
Recent Research Results
BGV FHE Scheme
Leveled FHE with(out) Bootstrapping
Performance, Implementations, Patents
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 2
Introduction
Common notations:
pk – public key
sk – secret key
m – message
c – ciphertext
c = Encryptpk(m)
m=Decryptsk(c)
Em(pk) - encryption algorithm as a circuit
Dm(sk) - decryption algorithm as a circuit
f – is the function or circuit that we want to
evaluate on plaintext
F – is the function or circuit that
corresponds to f and operates on ciphertext
in the cryptosystem
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 3
c1=Encryptpk(m1)
…
cn=Encryptpk(mn)
c=F(c1,...,cn)
m=Decryptsk(c)
PartialLY HE
Multiplicative Partially HE
Unpadded RSA
pk=(n,e)
c=Epk(m)=me mod n
c1*c2=m1em2e mod n = Epk(m1*m2)
Additive Partially HE
Paillier scheme
pk=(n,g)
c=Epk(m)=gmrn mod n2
r in {0,…,n-1} – some random value
c1*c2= (gm1r1n)*(gm2r2n) mod n =
gm1+m2(r1r2)n mod n=Epk(m1+m2)
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 4
HE Usage Scenarios
· Cloud Computing: storage, computation, search query
· Spam filtering: Blacklisting encrypted mails.
· Medical Applications (Private data, Public functions): search, cloud computation of
certain functions (patient’s condition, etc) on behalf of the patient. Analyze disease/
treatment without disclosing them. Search for DNA markers without revealing DNA
· Financial Applications (Private data, Private functions): computations on encrypted
data such as data about companies, their stock price, or their performance or
inventory. The customer may upload encrypted program/function to compute on
encrypted data.
· Advertising and Pricing: Assume a customer has a mobile phone and uploads his
data, such as location, email, time of the day, browsing activity, stream from the
camera, etc. The advertising company computes some function to decide which ad is
to be sent back to the client.
· Electronic voting: need to calculate the result of the voting without decrypting any
ballots. More properties are there…
· Data Mining: HE solution is both fully private and fully accurate. Allows data miner to
compute frequencies of values on the customer data, without revealing the data itself.
· Biometric Authentication: relation between biometric trait and personal identity
must be hidden, i.e., comparison of the trait and the database fields must be
encrypted.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 5
Real-Life Usage
Helios: Web-Based Open-Audit Voting
Ben Adida, Harvard University
·
·
·
·
Real-life HE application.
Anyone can create and run an election
Any willing observer can audit the entire process
Uses HE property of the ElGamal cryptosystem to calculate the
tally without decrypting of any ballots.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 6
Does Fully Homomorphic
Encryption Ever Exists?
Fully Homomorphic Encryption (FHE). Some Properties.
FHE property (simplified):
·
Decryptsk(c1*c2)=m1*m2
·
Decryptsk(c1+c2)=m1+m2
I.e.:
Decryptsk(F(c1,…,cn))=F(m1,…,mn)
FHE may support another set of operations to support a ring of
plaintexts. Examples: AND, XOR
FHE can be:
·
Public key schemes
·
Symmetric key schemes
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 7
“Holy Grail” for 30 years
1982. Goldwasser-Micali cryptosystem
1980
1978 Rivest, Adleman, and Dertouzos propose the idea
of fully homomorphic encryption (FHE)
1994. Benaloh cryptosystem
1990
1998. Okamoto-Uchiyama
cryptosystem
~30 Years
1998. Naccache-Stern cryptosystem
1999. Paillier cryptosystem
2000
June 25, 2009. Craig Gentry announced the first FHE
scheme (PhD Thesis, Stanford University). The
scheme is based on ideal lattices cryptography
2001. DamgÅrd-Jurik cryptosystem
2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second
FHE scheme based on integers.
2005. Boneh-Goh-Nissim cryptosystem
(infinite ADD, one MUL)
2010. Gentry-Halevi working implementation of FHE.
2010
2012. Brakerski-Gentry-Vaikuntanathan. FHE without
Bootstrapping.
2012. Gentry-Halevi-Smart. Homomorphic Evaluation
of the AES Circuit.
April 2013. HElib. IBM releases first public FHE library
(c++) with BGV scheme and optimizations.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 8
Types of HE Schemes
Homomorphic Encryption (HE) = type of computation for a set of
functions f(m1,…,mn) carried on ciphertexts Enc(m1)...Enc(mn) with a
corresponding function F such that
f(m1,…,mn) = Dec(F(Enc(m1),…,Enc(mn)))
Partially HE (PHE) = HE scheme where only one type of operations is
possible (multiplication or addition)
Somewhat HE (SHE) = HE scheme that can do a limited number of
additions and multiplications
Fully HE (FHE) = HE scheme that can perform an infinite number of
additions and multiplications
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 9
SHE over the Integers
SHE over the INTEGERS – SYMMETRIC KEY SCHEME
2009. Dijk-Gentry-Halevi-Vaikuntanathan. Second FHE scheme based
on integers.
KeyGen: key is an odd integer pÎ[2h-1, 2h).
Encrypt(p, m): to encrypt one bit mÎ[0,1]
c = pq+2r+m
q, r – are chosen random, such that |2r|<p/2.
Decrypt(p, c):
m = (c mod p) mod 2
Proposed constraint: p~2h, q~2h^3, r~2sqrt(h).
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 10
SHE over the Integers
ADDITION:
Decrypt(c1+c2,p) = ((pq1+2r1+m1)+(pq2+2r2+m2) mod p) mod 2
= (p(q1+q2)+2(r1+r2)+(m1+m2) mod p) mod 2
= 2(r1+r2)+(m1+m2) mod 2
= m1 Å m2
MULTIPLICATION:
Decrypt(c1*c2,p) =((pq1+2r1+m1)*(pq2+2r2+m2) mod p) mod 2
=(p(pq1q2+2q1r2+q1m2+2q2r1+q2m1)+
2(2r1r2+r1m2+m2r1)+m1m2) mod p) mod 2
= 2(2r1r2+r1m2+m2r1)+m1m2 mod 2
= m1 Ä m2
· The scheme is both additively and multiplicatively homomorphic for
shallow arithmetic circuits.
· The number of ADD and MUL is limited since the noise grows.
· The noise r must be sufficiently smaller than p to allow more ADDs and
MULs.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 11
SHE over the Integers
f(x, a, b): if(x==1) q=a; else q=b
Any computer program can be represented ax
in terms of AND-XOR gates
q
b
1
Ciphertext and noise size expansion
p*q-bits
ci = pqi+2ri+mi
F(ca, cx, cb, c1): cq = (ca*cx)+(cx+c1)*cb
p-bits r-bits
c1
c2
c1+c2
c1*c2
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 12
Noise Count
Noise Magnitude
The degree of noise can be calculated by the evaluator
internally.
Assume two arguments to an operation
·
c1 – has the noise of degree n1 bits
·
c2 – has the noise of degree n2 bits
The result of:
·
ADD(c1, c2) => noise of degree log2(2n1+2n2) bits
·
MUL(c1, c2) => noise of degree (n1+n2) bits
Only when the noise would be larger than p-bits then
the evaluator must do the “refreshment” step.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 13
SHE over the Integers
SHE over the INTEGERS – PUBLIC KEY SCHEME
KeyGen: pk=<x0,…,xt>, where:
xi = pqi+ri, unless x0 is the largest, q0 is odd and r0 is even
Encrypt(pk, mÎ{0,1}): c = (m+2r+2åiÎS(xi)) mod x0
Where S is a random subset of pk, and r is a random noise.
Decrypt(sk=p, c): m = (c mod p) mod 2
Encryption can now be viewed as:
adding m to a random subset sum of “encryptions of zero”
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 14
Ciphertext Reduction
Compactness Property
This means that the bit-length of the resulting ciphertext does not depend on
the evaluation function F.
For this reason we do:
· add more “encryptions of zero” to the public key yj such that they use larger
q’s. y0 must be of bit-length from |x0|…2|x0|.
· after each operation (ADD or MUL) we select yj such that a substraction
from the result of the operation will lead again to a ciphertext of size |x0|.
Multiplication doubles the number of bits of the ciphertext, but bringing it back
to the initial size would cost just an addition of a few trivial noises from yj.
Consequence:
Evaluation of c1*c2+c1*c3 and c1*(c2+c3) will result in different ciphertexts,
although the same result in plaintext.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 15
Bootstrapping
Bootstrapping
· Assume SHE can evaluate circuits F up
to the depth d.
· Assume F=Dsk(m) is the decryption
algorithm, that can be evaluated by
SHE at most depth (d-1). I.e., to
decrypt plus “a little more”.
USER
Key1=(pk1, sk1)
Input=m
c1'=Encryptpk1(m)
COMPUTING CLOUD
Evaluate
F1(c1')
pk1,c1'
c1 – with heavy noise, but
still possible to decrypt
Key2=(pk2, sk2)
Esk1=Encryptpk2(sk1)
pk2,Esk1
Ec1=Encryptpk2(c1)
Evaluate
DecryptEsk1(Ec1)
depth (d-t)
c2' – now encrypted by
pk2 and “refreshed” noise
Then SHE is called bootstrappable and
can be converted to FHE.
Evaluate
F2(c2')
depth t
c2
Key3=(pk3, sk3)
Esk2=Encryptpk3(sk2) pk3,Esk2
REPEAT until all Fis are
evaluated
cn
Result=Decryptskn(cn)
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 16
SHEFHE over the Integers
FHE over the INTEGERS – Convert SHE to FHE
F=Dsk(m) becomes simple if we use the technique called
“squashing the decryption circuit”.
Idea: add to pk some information about sk so that
Dsk(m) becomes simpler and SWH becomes
bootstrappable.
Price:
·
public key contains more information
·
ciphertext is larger
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 17
Squashing Technique
Squashing the Decryption Circuit
Three more parameters: θ, Θ, κ - chosen appropriately in
accordance with the security parameter λ.
pk=(pk as before + y)
s
y
sk=s
0
0,1001101101
1
1,0001100110
Encryptpk(m):
0
0,1100010110
c as before, plus z s.t
1
0,1000010110
zi=c·yi mod 2, i=1..Θ
0
0,0010000101
Keep n=ëlogθù+3
0
1,1100100101
precision bits for zi
0
1,0010100111
1
0
0
s – sparse Θ bit vector
S = {i:si=1}, must be
s.t. |S|=θ
1,1001101101
0,0100101011
1,1101011010
Decryptsk(c):
m=(c- ëåi(si· zi)ù ) mod 2
yi – random rational Î[0,2)
with precision κ.
s.t. åiÎS(yi) ≈ 1/p-Δ, |Δ|<2-κ
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 18
Security. Approximate GCD
Assume we know many
{xi=p*qi+ri}
where the noise ri is much smaller than p.
We need to find the approximate gcd(xi)=p.
Brute-force approach:
Take x0 and x1 and try all possible values of r0 and r1
Problem: The chosen parameters are such that exhaustive
search meets the security parameter λ .
Divisor of p:
Guess a large divisor d|p, for d>|r|.
Test the guess: all (xi mod d) must be of size of the noise r.
Then p=d*gcd(xi/d)
Problem: guessing is as difficult as the brute-force attack
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 19
Security. Approximate GCD
Given n xi’s, we want to find a set of n linear combinations:
zk = åi=1..n(akixi) such that:
· The total noise for zk is = maxnoise* åi=1..n(ai) is <<p
· zk is ~p or <<p
Then we say that:
· if zk<<p then we deal with
åi=1..n(aki(p*qi+ri)) = 0*p+noise(zk)
Divide by p, and we get noise-free equation:
åi=1..n(akiqi) = 0
· If zk~p then, similarly, we deal with
åi=1..n(akiqi) = 1
Find all (or one) qi with Gaussian elimination.
then p = ëxi/qiù
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 20
Security. Approximate GCD
ALG PARAMS: p~2^16, q~2^16, r~2^8, #eq=12
Secret p=97083
Vector of initial values x_i = {p*q_i+r_i}:
x_0 (29 bits)=614535439 = p*6330 + 49
x_2 (30 bits)=2084663351 = p*21473 + 92
x_4 (31 bits)=2467558848 = p*25417 + 237
x_6 (31 bits)=2760166833 = p*28431 + 60
x_8 (31 bits)=3812837993 = p*39274 + 251
x_10 (32 bits)=4952398228 = p*51012 + 232
x_1 (30 bits)=1617402906 = p*16660 + 126
x_3 (31 bits)=2149029378 = p*22136 + 90
x_5 (31 bits)=2504547489 = p*25798 + 255
x_7 (31 bits)=3269949614 = p*33682 + 8
x_9 (31 bits)=4045837111 = p*41674 + 169
x_11 (32 bits)=5135108340 = p*52894 + 138
Found set of linear equatiuons with low noise:
291 = +x0 +x2 +x3 +x4 -x7 -x9
890 = 3*x1 +x3 +2*x5 -x7 +2*x8 -4*x9 +x10 -x11
833 = -x0 +x1 +x2 +x3 -2*x4 +4*x5 +x6 -4*x7
47 = -2*x1 -4*x2 -5*x3 +4*x4 -x5 -6*x6 +2*x7 -3*x8 +9*x9
40 = -x0 +2*x1 +3*x2 +x4 +5*x5 -4*x6 +7*x7 -3*x8 -6*x9
30 = -x0 +6*x2 -3*x3 +6*x4 +3*x5 +6*x7 -5*x8 -7*x9
Example of converting to equations on q’s:
291 = +x0 +x2 +x3 +x4 -x7 -x9 è 0 = q0+q2+q3+q4-q7-q9
è 6330+21473+22136+25417-33682-41674 must be 0 (Check!)
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 21
Security. Approximate GCD
t bits
x1
x2
xn
· Try all possible t-bit values for a1...an such that a new
linear combination
yj=x1*a1+…+xnan - has all zeros on the highest t bits.
· Remove yj’s with the highest noise and keep n with the
smallest noise.
· Repeat the procedure for y-values and remove the next
t bits, until we get the values ~p or <<p.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 22
Security. Approximate GCD
Some improvements can apply:
· Intermediate sets ys can be much larger than the initial set x.
· t is variable for each round. Can be smaller in the beginning, and larger in
the next rounds, if we will keep more of the best equations y.
· It is beneficial if the high t-bits of xi’s (or yj’s) will first be moved to int-type,
then arithmetical operations are faster.
· It is also good to limit Hamming weight of a, so that we only test for pairs
xi±xj and triples xi±xj±xk. This way, the noise is kept low, but the number of
combinations is sufficient to eliminate t high bits and still have a new set of
y for the next round.
· etc...
P
q
r
#eq=|x|
z.TotNoise
~2128
~22048
~232
32
~2106
~2256
~26000
~264
48
~2270
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 23
New Recent Research
Found different ways to construct FHE
without using the squashing step
2011. Craig Gentry and Shai
Halevi. Fully homomorphic
encryption without
squashing using depth-3
arithmetic circuits.
2011. Zvika Brakerski and
Vinod Vaikuntanathan.
Efficient fully
homomorphic encryption
from (standard) LWE.
BGV scheme to construct a
FHE of a desired depth D,
based on Ring LWE. I.e., no
bootstrapping is needed.
2012. Zvika Brakerski, Craig
Gentry and Vinod
Vaikuntanathan. Fully
homomorphic encryption
without bootstrapping.
Way to Evaluate on packed ciphertext
2011. N.P. Smart and F.
Vercauteren. Fully
Homomorphic SIMD
Operations.
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 24
2012. Craig Gentry, Shai
Halevi, and Nigel P.
Smart. Homomorphic
evaluation of the AES
circuit.
2013. HELib. IBM.
2013. CryptDB. MIT.
2013. Jacob AlperinSheriff and Chris Peikert.
Practical bootstrapping
in Quasilinear Time.
BGV: Leveled FHE Scheme
BGV Scheme. Noise Management Technique (Leveled FHE).
Lemma: Assume we have cp meaning that p is our secret.
Choose another odd q<<p and do
cq = (q/p)*cp – take the closest integer s.t. cq=cp mod 2
Then cq encrypts the same message m under the new (and smaller) odd q, but the
noise is also smaller roughly by the same ratio (q/p).
In BGV they propose:
Noise magnitude is x
For a larger odd p generate pi≈p/xi for i<k;
After MUL of two mod-p0 ciphertexts, the noise magnitude is x2. Switch to the
smaller mod-p1. The magnitude returns to the level x.
The more k the more MULs we can do for free. This makes it possible to avoid
bootstrapping at all!
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 25
BGV: Leveled FHE Scheme
p0 p1
x
c1 mod-p0
c2 mod-p0
Multiplication
Modulus Switching
Ciphertext Size Reduction
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 26
c1*c2 mod-p0
c1*c2 mod-p1
c1*c2 mod-p1
Performance
2010. SHE Performance
1 000 000 000 000x
[...] A simple string search using homomorphic encryption is about a trillion times
slower than without encryption.
Dimension
KeyGen
Enc (amort)
Mult/Dec
Degree
2048 (800,000 bit ints)
1.25 s.
.060 sec
.023 s.
~200
8192 (3,200,000 bit ints)
10 s.
.7 sec
.12 s.
~200
32768 (13,000,000 bit ints)
95 s.
5.3 sec
.6 s.
~200
Dimension
KeyGen
PK size
ReCrypt
2048
40 s.
70 Mbyte
31 sec
8192
8 min.
285 Mbyte
3 min
32768
2 hrs
2.3 Gb
30 min
2010. FHE Performance
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 27
Evaluation of AES
2012. Homomorphic Evaluation of the AES Circuit
Gentry-Halevi-Smart
AES-128, 10 rounds
256GB of RAM, D=60.
Variant 1: 36 hours, 54 blocks
(SIMD technique to use more plaintext slots in each ciphertext, so
that operations are done in parallel for free)
First round – 7 hours
Last round – 30 min
Amortized speed ~ 40 min/block
Variant 2: 2,5 days, 720 blocks
Amortized speed ~ 5 min/block
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 28
HElib
2013. HElib. IBM.
Based on BGV scheme, based on ideal lattices, SIMD operations on packed
ciphertext, quasi-linear bootstrapping, and many other improvement
technique.
- Does not support bootstrapping (reencrypt) operation.
- GPL licensed
λ =80 bits of security
Modulus
Number of Slots
Time for ADD (ms)
Time for MUL (ms)
257
44
0.7
39
8209
22
0.7
38
65537
2
2.9
177
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 29
Patents Activity
Patents Activity
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 30
“Vision of a fully homomorphic cryptosystem have been
dancing in cryptographers’ heads for thirty years. [...] It will be
years before a sufficient number of cryptographers examine the
algorithm that we can have any confidence that the scheme is
secure.”
- Bruce Schneier, April 2013
“Should be usable in niche applications within a year or two.”
- Halevi, 2012
EAB/TZ Alexander Maximov | Public | © Ericsson AB 2013 | 2013-12-13 | Page 31