homomorphic cryptography
TRANSCRIPT
-
8/12/2019 Homomorphic Cryptography
1/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
Homomorphic Cryptography
Deepak Babu SamSushant Mahajan
Nikhil George
IIT Bombay
April 4, 2014
http://find/ -
8/12/2019 Homomorphic Cryptography
2/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
SUMMARYBASICS
Homomorphic EncryptionApplications in Cloud ComputingMore DefinitionsSimple Schemes can be Homomorphic
PARTIAL HOMOMORPHISM
A Partial Homomorphic SchemeParameters
BOOTSTRAPPINGBootsrappable Encryption
COMPLETEHOMOMORPHISMBasicsKeysCipherParameters
FunctionsDEMO
http://find/ -
8/12/2019 Homomorphic Cryptography
3/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
HOMOMORPHICENCRYPTION
Definition
Homomorphic encryption is a form of encryption which allows specific types
of computations to be carried out on ciphertext and generate an encrypted re-
sult which, when decrypted, matches the result of operations performed on the
plaintext.
In simple words!!
f(P1,
P2, ...
Pn) =Decrypt(f(Encrypt(P1),
Encrypt(P2), ...,
Encrypt(Pn)))
PiPlain text
fan n-ary function
http://find/http://goback/ -
8/12/2019 Homomorphic Cryptography
4/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
APPLICATIONS INCLOUDCOMPUTING
http://find/ -
8/12/2019 Homomorphic Cryptography
5/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
FUNCTIONS
Normal CryptographyKeyGen()Encrypt(p,pk)Decrypt(c, sk)
Homomorphic CryptographyKeyGen()Encrypt(p,pk)Decrypt(c, sk)
Evaluate(,f,pk) is the security parameter. It determines other
cryptographic parameters
Evaluate takes a set of inputs, a circuit and the public key
and produces another cipher text. For correctness,Decrypt(Evaluate(,f,pk))
should matchf()
http://find/ -
8/12/2019 Homomorphic Cryptography
6/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
SIMPLESCHEMES CAN BEHOMOMORPHICA simple symmetric encryption below is homomorphic :)
Secret keypis a large odd number.p=7
To encrypt a single bitm, choose two randomnumbersqandr, calculatec = pq + 2r + m.
q = 4,r = 2c = 32 + m
To decryptc, dom = (c mod p) mod2((32 + m) mod7) mod2 = (6 + m) mod2 = m
There is a restrictionr < p/2 We claim ifc1 = Encrypt(m1) andc2 = Encrypt(m2) Addition betweenc1andc2is homomorphic to
Addition(XOR) betweenm1andm2 Multiplication betweenc1andc2is homomorphic to
multiplication(AND) betweenm1andm2
B P H B C H D T Y
http://find/ -
8/12/2019 Homomorphic Cryptography
7/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
SIMPLESCHEMES CAN BEHOMOMORPHIC
Lets check addition
Key:p=7
Encryptm1:q = 4,r = 1c1 = 30 + m1
Encryptm2
:q = 6,r = 1c2= 44 + m2
Addition:c1 + c2 = 74 + m1 + m2
To decryptc, dom = (c mod p) mod2((74 + m1 + m2) mod7) mod2 =(4 + m1 + m2) mod2 = (m1 + m2) mod2
Check multiplication with a largepand sufficiently smallr.This scheme can go wrong, sincerincreases after everyoperation.
BASICS PARTIAL H OMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK Y OU
http://find/http://goback/ -
8/12/2019 Homomorphic Cryptography
8/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
A PARTIALHOMOMORPHICSCHEME
We can easily extend the simple scheme, to a public key scheme
Public Key Scheme (over simplified version)
Private key is, a large odd numberp Public key is, set of many integers of the formpq+ 2r
To encrypt a bitm, add the subset of public keys tom
To decrypt, do the usual (c%p)%2
Rememberrobeys the constraint it had before, (r
-
8/12/2019 Homomorphic Cryptography
9/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
PARAMETERS
These are parameters that determine the sizes of the keysThese are computed as a function of security parameter
Parameters
number of bits in secret key.O(2) number of bits inr, the noise.O()
number of bits in public key.O(5)
number of integers in public key set.O(5)
These values in our implementation are, = 4, = 32,= 2046,= 2050
BASICS PARTIAL H OMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK Y OU
http://find/ -
8/12/2019 Homomorphic Cryptography
10/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
ALGORITHMS
Partial Homomorphic Scheme (simplified)
KeyGen():Private key is, a large odd numberpofbit length, Public key is, set of many integers of theformpq + rofbit length (rofbits).
Encrypt(pk,m):To encrypt a bitm, choose a thesubsetSofpk, and choose a random numberrofbits, and performc = m + 2r + 2
iSi
Evaluate(pk,C,):Evaluate the boolean
circuitC, withANDgates replaced withmultiplication,XORgates replaced with addition,over integers< c1, ..cn>
Decrypt(sk,c):To decrypt, do the usual (c%sk)%2
BASICS PARTIAL H OMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK Y OU
http://find/ -
8/12/2019 Homomorphic Cryptography
11/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
EVALUATEFigure shows evaluation of boolean circuits with integer values
BASICS PARTIAL H OMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK Y OU
http://find/ -
8/12/2019 Homomorphic Cryptography
12/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
CORRECTNESS
For circuits of lower depth, this scheme is correct
For deep circuits, the noise increases, and at a certain pointnoise may become larger than the private key, and it maycause a decryption error
For correctness, the degree of the polynomial computed bythe circuit should be less than,
d4
+ 2 The above one is an approximate formula. Its proof is
straight forward.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
13/27
BOOTSRAPPABLEENCRYPTION
We saw, every partially homomorphic encryption has a setof circuits it can evaluate
We can model theDecryptionalgorithm as a circuit ofAND
andXORgates If an encryption scheme can evaluate its own decryption
circuit correctly it is called a bootstrappable encryptionscheme
If an encryption scheme is bootstrappable it can beconverted into a fully homomorphic scheme (that canevaluate all circuits)
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
14/27
GENTRYSCONSTRUCTION
As the cipher text grows up, noise increases.
The only way, we can reduce noise is to decrypt, thenencrypt again.
So we are really going to decrypt, but homomorphically!!!.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/http://goback/ -
8/12/2019 Homomorphic Cryptography
15/27
GENTRYSCONSTRUCTION
LetDbe the decryption circuit. Wired withANDandXORgates.
Key Idea!
D takesSecret Key bitsandCipher Text bits, and produces thedecrypted bit.
If instead of secret key and cipher text bits, an encrypted version of those are
provided, still the decryption is correct. But the output bit is still in encrypted
form.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
16/27
RECRYPTFUNCTION
So we have a functionRecrypt, that performs the bootstrap.Recrypt
Recrypttakes the arguments
Cipher Text
Private Key, encrypted with public key
The Decryption circuit
The public key
It encrypts each bit of the cipher text with public key.
Then evaluated the Decryption Circuit. The output textis in encrypted form, but has low noise.
So after eachEvaluate()we have to fire aRecrypt()to reducenoise.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
17/27
CHALLENGES The Recrypt is an expensive operation, since it has to
encrypt each bit in the cipher text.
The Decryption circuit should be small enough forhomomorphic evaluation by the encryption scheme
m = (c mod p) mod2 is an expensive operation, since itinvolves division.
We can see (c mod p) mod2 = (c c/p p) mod2 m = (c c/p) mod2 sincepis odd.
Here the bottleneck isc/pwhich requires a circuit,
deeper than what we can actually evaluate.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
18/27
FULLYHOMOMORPHICENCRYPTION
The division in the decryption circuit is the majorbottleneck is achieving bootstrap.
So we start part of the decryption during encryption itself
Within the public key we keep some information tocalculate 1/p
During in encryption, we keep some information with thecipher to calculatec/p
Now during decryption, we just have to collectinformation in the ciphertext to computec/p
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
19/27
KEYS
Keys
Keys are different now. 1/pis divided into some () fractions (p1, ..p) such that
their sum is 1/p
Private key is a vectorsof large length (say ) but of hamming weight.
With the public key, append vectorYof length, it containspi, in place ofith 1 in
svector. All other positions ofYcontains some random value.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
20/27
CIPHER
Cipher
The information to compute,c/p, we are carrying
with the cipher text. With cipher textc we are attaching a vectorZ
which is obtained asZ = cY, (Yfrom public key)
Note that at any point,s.Zgivesc/p, this is used for
decryption.
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
21/27
PARAMETERS
These are parameters that determine the sizes of the keys
Parameters
The precision of fraction inZvector. = + 2 Hamming weight of secret key. =
Total length of secret key vector. = .log()
These values in our implementation are, = 2048, = 4, = 4096
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
22/27
FUNCTIONS
Functions (Simplified)
KeyGen():Generate sk* and pk* as before.Privatekey is a bit vector (says) with hamming weight.
Public key is the pair, (pk
,Y) whereYis a bitvector such thats.Y= 1/p
Encrypt(pk,m):Generatec as before. Output a pair(c,Z) whereZ = cY
Evaluate(pk,C,):Generatec as before.Output a pair (c,Z) whereZ = cY
Decrypt(sk,c):Calculatem = (c s.Z) mod2
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
23/27
PERFORMANCE WITHOUTBOOTSTRAPPING
Operation Time (Sec)3 bit addition 0.008492946624764 bit addition 0.01480793952945 bit addition 0.0200610160828
6 bit addition 0.02525591850287 bit addition 0.03281998634348 bit addition 0.0364289283752
3 bit multiplication 0.04778695106514 bit multiplication 0.102718114853
5 bit multiplication 0.176491022116 bit multiplication 0.2765541076667 bit multiplication 0.3863689899448 bit multiplication 0.514411211014
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
24/27
PERFORMANCE WITHBOOTSTRAPPING
Operation Time (Sec)3 bit addition 24.04337692264 bit addition 39.52604389195 bit addition 57.569133997
6 bit addition 71.87063598637 bit addition 91.55149984368 bit addition 106.403455019
3 bit multiplication 132.1768119344 bit multiplication 273.399508953
5 bit multiplication 469.8536438946 bit multiplication 721.540588147 bit multiplication 1020.819857128 bit multiplication 1361.10715199
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
25/27
PERFORMANCE WITH MODERATEBOOTSTRAPPING
Operation Time (Sec)3 bit addition 4.772707939154 bit addition 4.939280033115 bit addition 10.12009096156 bit addition 20.02057385447 bit addition 24.15292596828 bit addition 24.2124249935
3 bit multiplication 34.09624695784 bit multiplication 69.1047542095
5 bit multiplication 120.9155759816 bit multiplication 192.9947059157 bit multiplication 274.3995809568 bit multiplication 362.931727886
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
26/27
BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU
http://find/ -
8/12/2019 Homomorphic Cryptography
27/27
http://find/