homomorphic cryptography

8/12/2019 Homomorphic Cryptography

1/27

BASICS PARTIALH OMOMORPHISM BOOTSTRAPPING COMPLETEHOMOMORPHISM DEMO THANKY OU

Homomorphic Cryptography

Deepak Babu SamSushant Mahajan

Nikhil George

IIT Bombay

April 4, 2014
http://find/


2/27


SUMMARYBASICS

Homomorphic EncryptionApplications in Cloud ComputingMore DefinitionsSimple Schemes can be Homomorphic

PARTIAL HOMOMORPHISM

A Partial Homomorphic SchemeParameters

BOOTSTRAPPINGBootsrappable Encryption

COMPLETEHOMOMORPHISMBasicsKeysCipherParameters

FunctionsDEMO
http://find/


3/27


HOMOMORPHICENCRYPTION

Definition

Homomorphic encryption is a form of encryption which allows specific types

of computations to be carried out on ciphertext and generate an encrypted re-

sult which, when decrypted, matches the result of operations performed on the

plaintext.

In simple words!!

f(P1,

P2, ...

Pn) =Decrypt(f(Encrypt(P1),

Encrypt(P2), ...,

Encrypt(Pn)))

PiPlain text

fan n-ary function
http://find/http://goback/


4/27


APPLICATIONS INCLOUDCOMPUTING
http://find/


5/27


FUNCTIONS

Normal CryptographyKeyGen()Encrypt(p,pk)Decrypt(c, sk)

Homomorphic CryptographyKeyGen()Encrypt(p,pk)Decrypt(c, sk)

Evaluate(,f,pk) is the security parameter. It determines other

cryptographic parameters

Evaluate takes a set of inputs, a circuit and the public key

and produces another cipher text. For correctness,Decrypt(Evaluate(,f,pk))

should matchf()
http://find/


6/27


SIMPLESCHEMES CAN BEHOMOMORPHICA simple symmetric encryption below is homomorphic :)

Secret keypis a large odd number.p=7

To encrypt a single bitm, choose two randomnumbersqandr, calculatec = pq + 2r + m.

q = 4,r = 2c = 32 + m

To decryptc, dom = (c mod p) mod2((32 + m) mod7) mod2 = (6 + m) mod2 = m

There is a restrictionr < p/2 We claim ifc1 = Encrypt(m1) andc2 = Encrypt(m2) Addition betweenc1andc2is homomorphic to

Addition(XOR) betweenm1andm2 Multiplication betweenc1andc2is homomorphic to

multiplication(AND) betweenm1andm2

B P H B C H D T Y
http://find/


7/27


SIMPLESCHEMES CAN BEHOMOMORPHIC

Lets check addition

Key:p=7

Encryptm1:q = 4,r = 1c1 = 30 + m1

Encryptm2

:q = 6,r = 1c2= 44 + m2

Addition:c1 + c2 = 74 + m1 + m2

To decryptc, dom = (c mod p) mod2((74 + m1 + m2) mod7) mod2 =(4 + m1 + m2) mod2 = (m1 + m2) mod2

Check multiplication with a largepand sufficiently smallr.This scheme can go wrong, sincerincreases after everyoperation.

BASICS PARTIAL H OMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK Y OU


8/27


A PARTIALHOMOMORPHICSCHEME

We can easily extend the simple scheme, to a public key scheme

Public Key Scheme (over simplified version)

Private key is, a large odd numberp Public key is, set of many integers of the formpq+ 2r

To encrypt a bitm, add the subset of public keys tom

To decrypt, do the usual (c%p)%2

Rememberrobeys the constraint it had before, (r


9/27


PARAMETERS

These are parameters that determine the sizes of the keysThese are computed as a function of security parameter

Parameters

number of bits in secret key.O(2) number of bits inr, the noise.O()

number of bits in public key.O(5)

number of integers in public key set.O(5)

These values in our implementation are, = 4, = 32,= 2046,= 2050

http://find/


10/27


ALGORITHMS

Partial Homomorphic Scheme (simplified)

KeyGen():Private key is, a large odd numberpofbit length, Public key is, set of many integers of theformpq + rofbit length (rofbits).

Encrypt(pk,m):To encrypt a bitm, choose a thesubsetSofpk, and choose a random numberrofbits, and performc = m + 2r + 2

iSi

Evaluate(pk,C,):Evaluate the boolean

circuitC, withANDgates replaced withmultiplication,XORgates replaced with addition,over integers< c1, ..cn>

Decrypt(sk,c):To decrypt, do the usual (c%sk)%2

http://find/


11/27


EVALUATEFigure shows evaluation of boolean circuits with integer values

http://find/


12/27


CORRECTNESS

For circuits of lower depth, this scheme is correct

For deep circuits, the noise increases, and at a certain pointnoise may become larger than the private key, and it maycause a decryption error

For correctness, the degree of the polynomial computed bythe circuit should be less than,

d4

+ 2 The above one is an approximate formula. Its proof is

straight forward.

http://find/


13/27

BOOTSRAPPABLEENCRYPTION

We saw, every partially homomorphic encryption has a setof circuits it can evaluate

We can model theDecryptionalgorithm as a circuit ofAND

andXORgates If an encryption scheme can evaluate its own decryption

circuit correctly it is called a bootstrappable encryptionscheme

If an encryption scheme is bootstrappable it can beconverted into a fully homomorphic scheme (that canevaluate all circuits)

http://find/


14/27

GENTRYSCONSTRUCTION

As the cipher text grows up, noise increases.

The only way, we can reduce noise is to decrypt, thenencrypt again.

So we are really going to decrypt, but homomorphically!!!.



15/27

GENTRYSCONSTRUCTION

LetDbe the decryption circuit. Wired withANDandXORgates.

Key Idea!

D takesSecret Key bitsandCipher Text bits, and produces thedecrypted bit.

If instead of secret key and cipher text bits, an encrypted version of those are

provided, still the decryption is correct. But the output bit is still in encrypted

form.

http://find/


16/27

RECRYPTFUNCTION

So we have a functionRecrypt, that performs the bootstrap.Recrypt

Recrypttakes the arguments

Cipher Text

Private Key, encrypted with public key

The Decryption circuit

The public key

It encrypts each bit of the cipher text with public key.

Then evaluated the Decryption Circuit. The output textis in encrypted form, but has low noise.

So after eachEvaluate()we have to fire aRecrypt()to reducenoise.

http://find/


17/27

CHALLENGES The Recrypt is an expensive operation, since it has to

encrypt each bit in the cipher text.

The Decryption circuit should be small enough forhomomorphic evaluation by the encryption scheme

m = (c mod p) mod2 is an expensive operation, since itinvolves division.

We can see (c mod p) mod2 = (c c/p p) mod2 m = (c c/p) mod2 sincepis odd.

Here the bottleneck isc/pwhich requires a circuit,

deeper than what we can actually evaluate.

http://find/


18/27

FULLYHOMOMORPHICENCRYPTION

The division in the decryption circuit is the majorbottleneck is achieving bootstrap.

So we start part of the decryption during encryption itself

Within the public key we keep some information tocalculate 1/p

During in encryption, we keep some information with thecipher to calculatec/p

Now during decryption, we just have to collectinformation in the ciphertext to computec/p

http://find/


19/27

KEYS

Keys

Keys are different now. 1/pis divided into some () fractions (p1, ..p) such that

their sum is 1/p

Private key is a vectorsof large length (say ) but of hamming weight.

With the public key, append vectorYof length, it containspi, in place ofith 1 in

svector. All other positions ofYcontains some random value.

http://find/


20/27

CIPHER

Cipher

The information to compute,c/p, we are carrying

with the cipher text. With cipher textc we are attaching a vectorZ

which is obtained asZ = cY, (Yfrom public key)

Note that at any point,s.Zgivesc/p, this is used for

decryption.

http://find/


21/27

PARAMETERS

These are parameters that determine the sizes of the keys

Parameters

The precision of fraction inZvector. = + 2 Hamming weight of secret key. =

Total length of secret key vector. = .log()

These values in our implementation are, = 2048, = 4, = 4096

http://find/


22/27

FUNCTIONS

Functions (Simplified)

KeyGen():Generate sk* and pk* as before.Privatekey is a bit vector (says) with hamming weight.

Public key is the pair, (pk

,Y) whereYis a bitvector such thats.Y= 1/p

Encrypt(pk,m):Generatec as before. Output a pair(c,Z) whereZ = cY

Evaluate(pk,C,):Generatec as before.Output a pair (c,Z) whereZ = cY

Decrypt(sk,c):Calculatem = (c s.Z) mod2

http://find/


23/27

PERFORMANCE WITHOUTBOOTSTRAPPING

Operation Time (Sec)3 bit addition 0.008492946624764 bit addition 0.01480793952945 bit addition 0.0200610160828

6 bit addition 0.02525591850287 bit addition 0.03281998634348 bit addition 0.0364289283752

3 bit multiplication 0.04778695106514 bit multiplication 0.102718114853

5 bit multiplication 0.176491022116 bit multiplication 0.2765541076667 bit multiplication 0.3863689899448 bit multiplication 0.514411211014

http://find/


24/27

PERFORMANCE WITHBOOTSTRAPPING

Operation Time (Sec)3 bit addition 24.04337692264 bit addition 39.52604389195 bit addition 57.569133997

6 bit addition 71.87063598637 bit addition 91.55149984368 bit addition 106.403455019



http://find/


25/27

PERFORMANCE WITH MODERATEBOOTSTRAPPING

Operation Time (Sec)3 bit addition 4.772707939154 bit addition 4.939280033115 bit addition 10.12009096156 bit addition 20.02057385447 bit addition 24.15292596828 bit addition 24.2124249935



http://find/


26/27

http://find/


27/27
http://find/

homomorphic cryptography

Documents