Homomorphic Encryption Rüstem Göktuğ SEREZ


Page 1: Homomorphic Encryption

Homomorphic Encryption

Rüstem Göktuğ SEREZ

Page 2: Homomorphic Encryption

Computations on the Encrypted Data

• The user can perform operations on his/her encrypted data without decrypting it.

• The user can also encrypt the queries that are sent to the encrypted data.

Page 3: Homomorphic Encryption

Usage of Homomorphic Encryption

• Secure Voting Systems

• Cloud Security

• Private Information Retrieval (PIR)

• Collision Resistant Hash-Functions

• Hybrid Wireless Network

Page 4: Homomorphic Encryption

Homomorphic Encryption

Page 5: Homomorphic Encryption

People currently working on Homomorphic Encryption

• Craig Gentry, the creator of the first homomorphic scheme

• Shai Halevi

• Zvika Brakerski

• Vinod Vaikuntanathan

• Marten van Dijk

• Eleanor Rieffel

• Nigel Smart

• Victor Shoup

Page 6: Homomorphic Encryption

Cloud Computing

• Compute on encrypted data

Page 7: Homomorphic Encryption

What is the term ‘Homomorphism’?

• From ancient Greek, it translates to ‘Same Form’

• Subtypes of Homomorphism

  • Isomorphism

  • Automorphism

  • Endomorphism

Page 8: Homomorphic Encryption

Groups (recall from previous lecture)

• A group is a pair (G, ●) consisting of a nonempty set G and a binary operation ● (closed) on G, such that (∀ P, Q, R ∈ G):

• Binary operation is associative; (P ● Q) ● R = P ● (Q ● R)

• A unique identity exists; 0 ● P = P ● 0 = P

• Every element has a unique inverse; P ● Q = Q ● P = 0

• Furthermore, (G, ●) is abelian if P ● Q = Q ● P ∀ P, Q ∈ G

Page 9: Homomorphic Encryption

Group Homomorphism

Let (G1 ,●) and (G2 , ●) be groups, and let f : G1 -> G2 be a function. Then f is said to be a group homomorphism if

f(a ● b) = f(a) ● f(b)

for all a,b in G1.

Every isomorphism is a one-to-one and onto homomorphism.

Page 10: Homomorphic Encryption

Group Homomorphism

[Figure: the map f : G1 -> G2 takes a, b and a ● b in G1 to f(a), f(b) and f(a) ● f(b) in G2]

Page 11: Homomorphic Encryption

Homomorphic Encryption

• Fully Homomorphic Encryption

• Partially Homomorphic Encryption

Page 12: Homomorphic Encryption

Partially Homomorphic Encryptions

• Multiplications

  • Raw RSA

  • ElGamal

• Additions

  • Paillier

  • Goldwasser-Micali

Page 13: Homomorphic Encryption

Raw RSA

Homomorphic property of RSA is;• ) * Encrypt()

= = = Encrypt()

Page 14: Homomorphic Encryption

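Raw RSA MAGMA code

//KEY GENERATION: two random primes, modulus n and phi(n)
p:=NextPrime(Random([1..2^124]));
q:=NextPrime(Random([1..2^124]));
n:=p*q;
phi:=(p-1)*(q-1);
//public exponent e must be invertible modulo phi
repeat
    e:=Random([1..phi]);
until GCD(e,phi) eq 1;
//private exponent d = e^-1 mod phi
g,x,y:=XGCD(e,phi);
d:=x mod phi;
//ENCRYPTION
//the message must be smaller than n
m:=Random([0..n-1]);
c:=Modexp(m,e,n);
m;
//DECRYPTION
Modexp(c,d,n);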

Page 15: Homomorphic Encryption

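Partial Homomorphism of Raw RSA MAGMA code

//KEY GENERATION: two random primes, modulus n and phi(n)
p:=NextPrime(Random([1..2^124]));
q:=NextPrime(Random([1..2^124]));
n:=p*q;
phi:=(p-1)*(q-1);
//public exponent e must be invertible modulo phi
repeat
    e:=Random([1..phi]);
until GCD(e,phi) eq 1;
//private exponent d = e^-1 mod phi
g,x,y:=XGCD(e,phi);
d:=x mod phi;
//ENCRYPTION
m1:=Random([0..n-1]);
m2:=10;
//encryption of the product m1*m2
c:=Modexp(m1*m2,e,n);
//product of the two separate encryptions; prints the same value as c
(Modexp(m1,e,n)*Modexp(m2,e,n)) mod n;
c;
//DECRYPTION
//both lines print m1*m2 mod n
Modexp(c,d,n);
(m1*m2) mod n;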

Page 16: Homomorphic Encryption

ElGamal

Homomorphic property of ElGamal is;• ) * Encrypt()

= , ** = Encrypt()

Page 17: Homomorphic Encryption

ElGamal MAGMA code

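//public parameters: the ring Z/558494556463 and a base element P
G := IntegerRing(558494556463);
P := G!197214177966;
//secret key k, public key Q = P^k
k := Random(#G);
Q := P^k;
//ENCRYPTION
M := G!37498469442;
M;
//fresh random exponent r for this ciphertext
r := Random(#G);
C0 := P^r; //C0 := r*P
C1 := M*(Q^r); //C1 := M+r*Q
//DECRYPTION
C1/C0^k; //C1-k*C0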

Page 18: Homomorphic Encryption

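Partial Homomorphism of ElGamal MAGMA code

//public parameters: the ring Z/558494556463 and a base element P
G := IntegerRing(558494556463);
P := G!197214177966;
//secret key k, public key Q = P^k
k := Random(#G);
Q := P^k;
//ENCRYPTION
M1 := G!37498469442;
M2 := G!48494459451;
r1 := Random(#G);
r2 := Random(#G);
//ciphertext (C00, C10) of M1
C00 := P^r1; //C00 := r1*P
C10 := M1*(Q^r1);//C10 := M1+r1*Q
//ciphertext (C01, C11) of M2
C01 := P^r2; //C01 := r2*P
C11 := M2*(Q^r2);//C11 := M2+r2*Q
//ciphertext (Ca, Cb) of M1*M2 built with randomness r1+r2
Ca := P^(r1+r2); //Ca := (r1+r2)*P
Cb := M1*M2*(Q^(r1+r2)); //Cb := (M1 + M2)+(r1+r2)*Q
//component-wise products of the two ciphertexts; they print the same values as Ca and Cb
C00 * C01;
C10 * C11;
Ca;
Cb;
//DECRYPTION
//both lines print M1*M2
Cb/Ca^k;
M1*M2;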

Page 19: Homomorphic Encryption

Paillier

Homomorphic property of Paillier is;• ) * Encrypt()

= ()* ()

=

= Encrypt(() )
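Added example (not part of the original slides): a small Python Paillier implementation showing the additive property, where multiplying two ciphertexts gives an encryption of the sum of the plaintexts. The function names, the choice g = n + 1 and the toy primes are assumptions made for this illustration.

```python
import math
import secrets

# Constructed toy parameters: two known Mersenne primes, far too small for real use.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = math.lcm(p - 1, q - 1)
    g = n + 1                                   # assumption: common simple choice of g
    # mu = L(g^lam mod n^2)^-1 mod n, with L(u) = (u - 1) // n
    mu = pow((pow(g, lam, n * n) - 1) // n, -1, n)
    return (n, g), (lam, mu)

def encrypt(pk, m):
    n, g = pk
    r = secrets.randbelow(n - 1) + 1            # fresh randomness per ciphertext
    while math.gcd(r, n) != 1:
        r = secrets.randbelow(n - 1) + 1
    return pow(g, m, n * n) * pow(r, n, n * n) % (n * n)

def decrypt(pk, sk, c):
    n, _ = pk
    lam, mu = sk
    return (pow(c, lam, n * n) - 1) // n * mu % n

def add(pk, c1, c2):
    """Multiplying ciphertexts adds the plaintexts modulo n."""
    return c1 * c2 % (pk[0] ** 2)

def scale(pk, c, k):
    """Raising a ciphertext to k multiplies the plaintext by k modulo n."""
    return pow(c, k, pk[0] ** 2)

if __name__ == "__main__":
    pk, sk = keygen()
    c1, c2 = encrypt(pk, 1234), encrypt(pk, 5678)
    print(decrypt(pk, sk, add(pk, c1, c2)))     # sum of the two plaintexts
    print(decrypt(pk, sk, scale(pk, c1, 3)))    # three times the first plaintext
```

Anyone holding only the public key can run add and scale, so a Paillier ciphertext carries no integrity protection of its own.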

Page 20: Homomorphic Encryption

Fully Homomorphic Encryption

Plaintext and ciphertext are both in a ring

Function E is homomorphic for both addition and multiplication if;

E(x) + E(y) = E(x + y)

E(x) * E(y) = E(x * y)

Page 21: Homomorphic Encryption

Fully Homomorphic Encryption

• Is there an encryption function (E) such that both E(x + y) and E(x.y) are easy to compute from E(x) and E(y)? (Rivest 1978)

Page 22: Homomorphic Encryption

What is ‘Fully Homomorphic’?

• Function ‘Evaluate’ must output a ciphertext which can be efficiently computed without any loss.

Page 23: Homomorphic Encryption

Craig Gentry’s Fully Homomorphic Encryption Scheme

An additional ‘Evaluate’ function on encrypted data.

← Evaluate (pk, C, , . . . , )

Page 24: Homomorphic Encryption

Craig Gentry’s Fully Homomorphic Encryption Scheme

Page 25: Homomorphic Encryption

Craig Gentry’s Fully Homomorphic Encryption Scheme

• Somewhat Homomorphic Encryption

• Bootstrapping

Page 26: Homomorphic Encryption

Noise Parameter

• Multiplication and addition are done on ciphertexts that carry an attached «noise parameter», which is smaller than N.

Page 27: Homomorphic Encryption

Somewhat Homomorphism

• Encryption outputs a ciphertext with small noise less than n.

• But, decryption works as long as the noise is less than some threshold N n.

• Depth of circuits roughly is; log log N − log log n

Page 28: Homomorphic Encryption

The term ‘Fully Homomorphic’

Suppose we have a ‘Recrypt’ function which has;

• Input: ciphertext E(a) with noise .

• Output: «fresh» ciphertext E(a) with noise . (Also encrypts ‘a’ again)

This operation is done recursively.

Then, we can construct a fully homomorphic scheme for ‘Recrypt’ function out of somewhat homomorphic scheme for addition and multiplication.

Page 29: Homomorphic Encryption

Somewhat Homomorphic Scheme Example using Integers

• KeyGen = Odd(p) > 2N

• Plaintext is b = {0,1}

• x = Random(-n/2, n/2)

• Ciphertext is c = b + 2x + k*p which b + 2x )

• Noise is c mod p

• Decryption is b = (Noise) mod 2

Page 30: Homomorphic Encryption

Somewhat Homomorphic Scheme

• To add two ciphertexts;

Decryption recovers the as long as ( + 2) + ( + 2) [-N,N]

• To multiply two ciphertexts;x Decryption recovers the as long as ( + 2) * ( + 2) [-N,N]
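Added example (not part of the original slides): the integer scheme from the previous two slides in Python, showing that adding ciphertexts XORs the bits, multiplying them ANDs the bits, and that repeated multiplication grows the noise until decryption returns the wrong bit. Function names, parameter sizes and the sample values p = 10007, x = 10, k = 5 are constructed for this illustration and are not secure parameters.

```python
import secrets

def keygen(bits=64):
    """Secret key: a random odd integer p with exactly `bits` bits."""
    return secrets.randbits(bits) | (1 << (bits - 1)) | 1

def encrypt(p, b, x=None, k=None, n=16):
    """c = b + 2x + k*p; the fresh noise is b + 2x with x in [-n/2, n/2)."""
    if x is None:
        x = secrets.randbelow(n) - n // 2
    if k is None:
        k = secrets.randbits(128) + 1
    return b + 2 * x + k * p

def noise(p, c):
    """Centered residue of c modulo p, in (-p/2, p/2]."""
    r = c % p
    return r - p if r > p // 2 else r

def decrypt(p, c):
    return noise(p, c) % 2

def check_gates(p):
    """Ciphertext + is XOR and * is AND on the bits while the noise stays below p/2."""
    for b1 in (0, 1):
        for b2 in (0, 1):
            c1, c2 = encrypt(p, b1), encrypt(p, b2)
            if decrypt(p, c1 + c2) != b1 ^ b2 or decrypt(p, c1 * c2) != b1 & b2:
                return False
    return True

def multiply_until_wrong(p, c, limit=64):
    """Square an encryption of 1 until it decrypts wrongly.

    Returns (number of squarings, bit length of the noise at each step)."""
    sizes = []
    for i in range(limit):
        sizes.append(abs(noise(p, c)).bit_length())
        if decrypt(p, c) != 1:
            return i, sizes
        c = c * c
    return limit, sizes

if __name__ == "__main__":
    print(check_gates(keygen()))
    # Constructed small key so the failure is easy to follow by hand.
    print(multiply_until_wrong(10007, encrypt(10007, 1, x=10, k=5)))
```

With the constructed values the noise goes 21, 441, then 194481, which exceeds p/2 and wraps around modulo p to an even residue, so the second squaring decrypts to 0 instead of 1.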

Page 31: Homomorphic Encryption

Lattice Based Cryptosystems

• Cryptosystems based on computational hardness of several lattice problems which are;

  • Shortest Vector Problem (SVP)

  • Closest Vector Problem (CVP)

  • Shortest Independent Vector Problem (SIVP)

  • Bounded Distance Decoding Problem (BDDP)

  • Ideal Coset Problem (ICP)

Page 32: Homomorphic Encryption

Rings and Ideals

• A ring is a set which is closed under addition and multiplication and has an additive identity ‘0’ and a multiplicative identity ‘1’

• An ideal I of a ring R is a subset such that for any and E.g. 2 is an ideal of consisting of the set of even numbers.

Page 33: Homomorphic Encryption

Ideal Lattices

• An ideal lattice, is simply an ideal in [x]/(f(x)).

• f(x) of degree n; each such ideal can be represented by a lattice generated by the columns of a lattice basis , an n × n matrix.

Page 34: Homomorphic Encryption

Ideal Lattices

• Ideal lattices give the public key scheme of the somewhat homomorphic encryption.

• «Good» representation of an ideal lattice can be used as secret key.

• «Bad» representation of an ideal lattice can be used as public key.

• Where is the security of it?

Page 35: Homomorphic Encryption

Ideal Coset Problem (ICP)

This problem is close to the decision problem of Closest Vector Problem.

R is a ring, I and J are relatively prime ideals if I + J = R.

 is the basis of the given lattice L

Fix R, , algorithm IdealGen, and an algorithm Samp1 that efficiently samples R.

Page 36: Homomorphic Encryption

Ideal Coset Problem (ICP)

The challenger sets b {0, 1} and ( ) IdealGen(R, ). If b = 0, it sets r Samp1(R) and t ← r mod . If b = 1, it samples t uniformly from R mod . The problem: guess b given (t, ).

Page 37: Homomorphic Encryption

Subset Sum problem

Gives security against recovering secret key from additional data due to squashing the decryption circuit.

Page 38: Homomorphic Encryption

Back to Somewhat Homomorphic Scheme

• Let J be an ideal lattice in ring R

• j J

• Plaintext is b = {0,1}

• x = Random(-n/2, n/2)

• Ciphertext is c = b + 2x + J which b + 2x )

• Decryption is b = (Noise) mod 2

Page 39: Homomorphic Encryption

Noise Problem

• As addition and multiplication operations are performed, the «noise» increases.

• If «noise» then decryption will be wrong.

• An extra operation is needed for «refreshing» the ciphertext if the secret key is unknown.

Page 40: Homomorphic Encryption

Bootstrapping

• A self-sustaining process without requiring any external help.

Page 41: Homomorphic Encryption

Bootstrapping

• The noise parameter increases with every computation on encrypted data.

• A «Refresh» is needed for the ciphertext every once in a while.

Page 42: Homomorphic Encryption

Bootstrapping

• If the bootstrapping can be made, then we can refresh ciphertext via recryption.

• Suppose we have two public-secret key pairs;

  • (, ) = (, )

• Then;

  • (, (,m)) = m

  • (, (,m)) = m

for any message.

Page 43: Homomorphic Encryption

Bootstrapping

• Take an encryption of under the public key

  • (, ) =

• Take an encryption of the initial ciphertext under the public key pk2

  • (, (,m)) =

Page 44: Homomorphic Encryption

Bootstrapping

• Consider;

  • (,) = (,m)

The inner encryption is removed

• Assume the scheme «Evaluate» can homomorphically evaluate;

  • (,) + (,)

  • (,) * (,)

Then the «Evaluate» is bootstrappable

Page 45: Homomorphic Encryption

Advantages of using Ideal Lattices

• Very low circuit complexity compared to RSA or ElGamal.

• Security can be based on standard problems over ideal lattices, that seem to be as hard as standard well-studied problems over general lattices.

Page 46: Homomorphic Encryption

Inefficiency of Craig Gentry’s scheme

• Computation time increases sharply with the security level of the homomorphic scheme.

• The computation time and ciphertext size in Craig Gentry’s scheme are high-degree polynomials.

• Decryption circuit depth is larger than what the EvaluateE function can handle.

Page 47: Homomorphic Encryption

Second Homomorphic Encryption Scheme

An additional secret key is added into ciphertext scheme,

c * s = b + 2e

Security is based on the hardness of Learning with Errors problem.

• Improved noise behavior

• Improved security reductions

• Significant efficiency improvements using “batching”

Page 48: Homomorphic Encryption

Implementations

• Using Homomorphic Encryption for Large Scale Statistical Analysis

• Private Database Queries using Somewhat Homomorphic Encryption

• HElib library, the implementation of the Brakerski-Gentry-Vaikuntanathan (BGV) scheme, focusing on;

  • Effective use of the Smart-Vercauteren ciphertext packing techniques

  • Gentry-Halevi-Smart optimizations

Page 49: Homomorphic Encryption

HElib

https://github.com/shaih/HElib

• Has been developed in C++ with the NTL number theory library by Victor Shoup and Shai Halevi

• Provides low level operations for multiplication, addition etc.

• Supports multi-threading

Page 50: Homomorphic Encryption

Implementation of Somewhat Homomorphic Encryption over Integers on MAGMA

//SOMEWHAT HOMOMORPHIC ENCRYPTION using RSA
//
//Rüstem Göktuğ SEREZ
//
//Referenced by
//Computing Arbitrary Functions of Encrypted Data, Craig Gentry
//http://crypto.stanford.edu/craig/easy-fhe.pdf

Page 51: Homomorphic Encryption

//lambda is the security parameter
//N bounds the noise, P the secret key p and Q the multiplier q
init := function(lambda)
    l := lambda;
    N := 2^lambda;
    P := 2^(lambda^2);
    Q := 2^(lambda^5);
    return l,N,P,Q;
end function;
l,N,P,Q := init(3);

Page 52: Homomorphic Encryption

//randomly select an odd number p of lambda^2 bits, i.e. P/2 <= p < P
keygen := function()
    //Random(a,b) draws from the whole interval; Random([1,P-1]) only picks 1 or P-1
    p := Random(P div 2,P-1);
    if (p mod 2) eq 0 then
        //adding 1 turns an even p into an odd one
        p := p + 1;
    end if;
    return p;
end function;
p := keygen();

Page 53: Homomorphic Encryption

//compute m' = m mod 2 plus even noise below N, c = m' + pq
encrypt := function(m)
    //Random(a,b) draws from the whole interval, not only its two endpoints
    mprime := Random(1,N-1);
    mprime := mprime - (mprime mod 2) + (m mod 2);
    q := Random(1,Q-1);
    return mprime + p*q;
end function;
//compute m = (c mod p) mod 2
decrypt := function(c)
    return (c mod p) mod 2;
end function;

Page 54: Homomorphic Encryption

//RSA
//key generation: two random primes, modulus n1 and phi(n1)
p1:=NextPrime(Random([1..2^124]));
q1:=NextPrime(Random([1..2^124]));
n1:=p1*q1;
phi:=(p1-1)*(q1-1);
//public exponent e must be invertible modulo phi
repeat
    e:=Random([1..phi]);
until GCD(e,phi) eq 1;
//private exponent d = e^-1 mod phi
g,x,y:=XGCD(e,phi);
d:=x mod phi;

Page 55: Homomorphic Encryption

//RSA ENCRYPTION
//the message must be smaller than n1
m1:=Random([1..n1-1]);
c1:=Modexp(m1,e,n1);
printf "Plaintext: %o\n",m1;
printf "Ciphertext: %o\n",c1;
//value that we will add to ciphertext
op := 128;
//binary conversions (least significant bit first)
mbin := IntegerToSequence(m1,2);
opbin := IntegerToSequence(op,2);
cbin := IntegerToSequence(c1,2);

Page 56: Homomorphic Encryption

//noise parameter must be smaller than b
//HOMOMORPHIC ENCRYPTION
//each bit of the RSA ciphertext and of op is encrypted, then the two encrypted bits are added
for i in [1..#opbin] do
    cbin[i] := encrypt(cbin[i]) + encrypt(opbin[i]);
end for;
//HOMOMORPHIC DECRYPTION
//a sum of two encrypted bits decrypts to their sum mod 2
for i in [1..#cbin] do
    cbin[i] := decrypt(cbin[i]);
end for;
//decimal conversion
c2 := SequenceToInteger(cbin,2);
printf "Summed Ciphertext: %o\n",c2;
printf "Addend value to Ciphertext: %o\n",AbsoluteValue(c2 - c1);
printf "Noise: %o",c2 mod 2;

Page 57: Homomorphic Encryption

References

• http://blog.cryptographyengineering.com/2012/01/very-casual-introduction-to-fully.html

• http://en.wikipedia.org/wiki/Homomorphic_encryption

• http://en.wikipedia.org/wiki/Homomorphism

• https://github.com/shaih/HElib

• https://martinralbrecht.wordpress.com/2010/08/19/somewhat-homomorphic-encryption/

• http://crypto.stanford.edu/craig/easy-fhe.pdf

• C. Gentry, A Fully Homomorphic Encryption Scheme, September 2009

• Homomorphic Encryption and Applications, Xun Yi, Russell Paulet, Elisa Bertino

• Homomorphic Cryptosystems, Edlyn Teske-Wilson, University of Waterloo

• 5 years of FHE, Zvika Brakerski, Weizmann Institute of Science, Aarhus MPC Workshop, May 2014

• Open problems in lattice-based cryptography, Steven Galbraith

• Public Key Ciphers, Hüseyin HIŞIL, Spring, 2014-2015

• Homomorphic Encryption, Shai Halevi, Crypto 2011

Page 58: Homomorphic Encryption

Thank you for listening