Homomorphic Cryptography

BASICS PARTIAL HOMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK YOU
Homomorphic Cryptography
Deepak Babu Sam
Sushant Mahajan
Nikhil George
IIT Bombay
April 4, 2014
SUMMARY
BASICS
Homomorphic Encryption
Applications in Cloud Computing
More Denitions
Simple Schemes can be Homomorphic
PARTIAL HOMOMORPHISM
A Partial Homomorphic Scheme
Parameters
BOOTSTRAPPING
Bootsrappable Encryption
COMPLETE HOMOMORPHISM
Basics
Keys
Cipher
Parameters
Functions
DEMO
HOMOMORPHIC ENCRYPTION
Denition
Homomorphic encryption is a form of encryption which allows specic types
of computations to be carried out on ciphertext and generate an encrypted re-
sult which, when decrypted, matches the result of operations performed on the
plaintext.
In simple words!!
f (P
1
, P
2
, ...P
n
) = Decrypt(f (Encrypt(P
1
), Encrypt(P
2
), ..., Encrypt(P
n
)))
P
i
Plain text
f an n-ary function
APPLICATIONS IN CLOUD COMPUTING
FUNCTIONS
Normal Cryptography
KeyGen()
Encrypt(p, pk)
Decrypt(c, sk)
Homomorphic Cryptography
KeyGen()
Encrypt(p, pk)
Decrypt(c, sk)
Evaluate(< c1, ..cn >, f , pk)
is the security parameter. It determines other

cryptographic parameters
Evaluate takes a set of inputs, a circuit and the public key

and produces another cipher text.
For correctness, Decrypt(Evaluate(< c1, ..cn >, f , pk))

should match f (< c1, ..cn >)
SIMPLE SCHEMES CAN BE HOMOMORPHIC
A simple symmetric encryption below is homomorphic :)
Secret key p is a large odd number.

p=7
To encrypt a single bit m, choose two random

numbers q and r, calculate c = pq +2r +m.
q = 4, r = 2 c = 32 +m
To decrypt c, do m = (c mod p) mod 2

((32 +m) mod 7) mod 2 = (6 +m) mod 2 = m
There is a restriction r < p/2
We claim if c
1
= Encrypt(m
1
) and c
2
= Encrypt(m
2
)
Addition between c
1
and c
2
is homomorphic to
Addition(XOR) between m
1
and m
2
Multiplication between c
1
and c
2
is homomorphic to
multiplication(AND) between m
1
and m
2
SIMPLE SCHEMES CAN BE HOMOMORPHIC
Lets check addition
Key: p=7
Encrypt m
1
: q = 4, r = 1 c
1
= 30 +m1
Encrypt m
2
: q = 6, r = 1 c
2
= 44 +m2
Addition: c
1
+c
2
= 74 +m1 +m2
To decrypt c, do m = (c mod p) mod 2

((74 +m
1
+m
2
) mod 7) mod 2 =
(4 +m
1
+m
2
) mod 2 = (m
1
+m
2
) mod 2
Check multiplication with a large p and sufciently small r.
This scheme can go wrong, since r increases after every
operation.
A PARTIAL HOMOMORPHIC SCHEME
We can easily extend the simple scheme, to a public key scheme
Public Key Scheme (over simplied version)
Private key is, a large odd number p
Public key is, set of many integers of the form pq +2r
To encrypt a bit m, add the subset of public keys to m
To decrypt, do the usual (c%p)%2

Remember r obeys the constraint it had before, (r < p/2)
PARAMETERS
These are parameters that determine the sizes of the keys
These are computed as a function of security parameter
Parameters
number of bits in secret key. O(

2
)
number of bits in r, the noise. O()
number of bits in public key. O(

5
)
number of integers in public key set. O(

5
)
These values in our implementation are, = 4, = 32,
= 2046, = 2050
ALGORITHMS
Partial Homomorphic Scheme (simplied)
KeyGen(): Private key is, a large odd number p of

bit length, Public key is, set of many integers of the
form pq +r of bit length (r of bits).
Encrypt(pk,m): To encrypt a bit m, choose a the

subset S of pk, and choose a random number r of
bits, and perform c = m+2r +2
iS
i
Evaluate(pk,C,< c1, ..cn >): Evaluate the boolean

circuit C, with AND gates replaced with
multiplication, XOR gates replaced with addition,
over integers < c1, ..cn >
Decrypt(sk,c): To decrypt, do the usual (c%sk)%2

EVALUATE
Figure shows evaluation of boolean circuits with integer values
CORRECTNESS
For circuits of lower depth, this scheme is correct
For deep circuits, the noise increases, and at a certain point

noise may become larger than the private key, and it may
cause a decryption error
For correctness, the degree of the polynomial computed by

the circuit should be less than,
d
4
+2
The above one is an approximate formula. Its proof is

straight forward.
BOOTSRAPPABLE ENCRYPTION
We saw, every partially homomorphic encryption has a set

of circuits it can evaluate
We can model the Decryption algorithm as a circuit of AND

and XOR gates
If an encryption scheme can evaluate its own decryption

circuit correctly it is called a bootstrappable encryption
scheme
If an encryption scheme is bootstrappable it can be

converted into a fully homomorphic scheme (that can
evaluate all circuits)
GENTRYS CONSTRUCTION
As the cipher text grows up, noise increases.
The only way, we can reduce noise is to decrypt, then

encrypt again.
So we are really going to decrypt, but homomorphically!!!.

GENTRYS CONSTRUCTION
Let D be the decryption circuit. Wired with AND and XOR
gates.
Key Idea!
D takes Secret Key bits and Cipher Text bits, and produces the decrypted bit.
If instead of secret key and cipher text bits, an encrypted version of those are
provided, still the decryption is correct. But the output bit is still in encrypted
form.
RECRYPT FUNCTION
So we have a function Recrypt, that performs the bootstrap.
Recrypt
Recrypt takes the arguments
Cipher Text
Private Key, encrypted with public key
The Decryption circuit
The public key

It encrypts each bit of the cipher text with public key.
Then evaluated the Decryption Circuit. The output text
is in encrypted form, but has low noise.
So after each Evaluate() we have to re a Recrypt() to reduce
noise.
CHALLENGES
The Recrypt is an expensive operation, since it has to

encrypt each bit in the cipher text.
The Decryption circuit should be small enough for

homomorphic evaluation by the encryption scheme
m = (c mod p) mod 2 is an expensive operation, since it

involves division.
We can see (c mod p) mod 2 = (c c/p p) mod 2

m = (c c/p) mod 2 since p is odd.
Here the bottleneck is c/p which requires a circuit,

deeper than what we can actually evaluate.
FULLY HOMOMORPHIC ENCRYPTION
The division in the decryption circuit is the major

bottleneck is achieving bootstrap.
So we start part of the decryption during encryption itself
Within the public key we keep some information to

calculate 1/p
During in encryption, we keep some information with the

cipher to calculate c/p
Now during decryption, we just have to collect

information in the ciphertext to compute c/p
KEYS
Keys
Keys are different now. 1/p is divided into some () fractions (p

1
, ..p
) such that
their sum is 1/p
Private key is a vector s of large length (say ) but of hamming weight .
With the public key, append vector Y of length , it contains p

i
, in place of i
th
1 in
s vector. All other positions of Y contains some random value.
CIPHER
Cipher
The information to compute, c/p, we are carrying

with the cipher text.
With cipher text c
we are attaching a vector Z

which is obtained as Z = c
Y, (Y from public key)
Note that at any point, s.Z gives c/p, this is used for
decryption.
PARAMETERS
These are parameters that determine the sizes of the keys
Parameters
The precision of fraction in Z vector. = +2
Hamming weight of secret key. =
Total length of secret key vector. = .log()

These values in our implementation are, = 2048, = 4,
= 4096
FUNCTIONS
Functions (Simplied)
KeyGen(): Generate sk* and pk* as before.Private

key is a bit vector (say s) with hamming weight .
Public key is the pair, (pk
, Y) where Y is a bit
vector such that s.Y = 1/p
Encrypt(pk,m): Generate c
as before. Output a pair

(c
, Z) where Z = c
Evaluate(pk,C,< c1, ..cn >): Generate c
as before.
Output a pair (c
, Z) where Z = c
Decrypt(sk,c): Calculate m = (c
s.Z) mod 2
PERFORMANCE WITHOUT BOOTSTRAPPING
Operation Time (Sec)
3 bit addition 0.00849294662476
4 bit addition 0.0148079395294
5 bit addition 0.0200610160828
6 bit addition 0.0252559185028
7 bit addition 0.0328199863434
8 bit addition 0.0364289283752
3 bit multiplication 0.0477869510651
PERFORMANCE WITH BOOTSTRAPPING
3 bit addition 24.0433769226
4 bit addition 39.5260438919
5 bit addition 57.569133997
6 bit addition 71.8706359863
7 bit addition 91.5514998436
8 bit addition 106.403455019
PERFORMANCE WITH MODERATE BOOTSTRAPPING
3 bit addition 4.77270793915
4 bit addition 4.93928003311
5 bit addition 10.1200909615
6 bit addition 20.0205738544
7 bit addition 24.1529259682
8 bit addition 24.2124249935

Homomorphic Cryptography

Hochgeladen von

Dokumentinformationen

Originalbeschreibung:

Copyright

Verfügbare Formate

Dieses Dokument teilen

Dokument teilen oder einbetten

Freigabeoptionen

Stufen Sie dieses Dokument als nützlich ein?

Sind diese Inhalte unangemessen?

Copyright:

Verfügbare Formate

Homomorphic Cryptography

Hochgeladen von

Copyright:

Verfügbare Formate

BASICS PARTIAL HOMOMORPHISM BOOTSTRAPPING COMPLETE HOMOMORPHISM DEMO THANK YOU

is the security parameter. It determines other

Evaluate takes a set of inputs, a circuit and the public key

For correctness, Decrypt(Evaluate(< c1, ..cn >, f , pk))

Secret key p is a large odd number.

To encrypt a single bit m, choose two random

To decrypt c, do m = (c mod p) mod 2

To decrypt c, do m = (c mod p) mod 2

Private key is, a large odd number p

Public key is, set of many integers of the form pq +2r

To encrypt a bit m, add the subset of public keys to m

To decrypt, do the usual (c%p)%2

number of bits in secret key. O(

number of bits in r, the noise. O()

number of bits in public key. O(

number of integers in public key set. O(

KeyGen(): Private key is, a large odd number p of

Encrypt(pk,m): To encrypt a bit m, choose a the

Evaluate(pk,C,< c1, ..cn >): Evaluate the boolean

Decrypt(sk,c): To decrypt, do the usual (c%sk)%2

For circuits of lower depth, this scheme is correct

For deep circuits, the noise increases, and at a certain point

For correctness, the degree of the polynomial computed by

The above one is an approximate formula. Its proof is

We saw, every partially homomorphic encryption has a set

We can model the Decryption algorithm as a circuit of AND

If an encryption scheme can evaluate its own decryption

If an encryption scheme is bootstrappable it can be

As the cipher text grows up, noise increases.

The only way, we can reduce noise is to decrypt, then

So we are really going to decrypt, but homomorphically!!!.

Private Key, encrypted with public key

The Decryption circuit

The public key

The Recrypt is an expensive operation, since it has to

The Decryption circuit should be small enough for

m = (c mod p) mod 2 is an expensive operation, since it

We can see (c mod p) mod 2 = (c c/p p) mod 2

Here the bottleneck is c/p which requires a circuit,

The division in the decryption circuit is the major

So we start part of the decryption during encryption itself

Within the public key we keep some information to

During in encryption, we keep some information with the

Now during decryption, we just have to collect

Keys are different now. 1/p is divided into some () fractions (p

Private key is a vector s of large length (say ) but of hamming weight .

With the public key, append vector Y of length , it contains p

The information to compute, c/p, we are carrying

With cipher text c

we are attaching a vector Z

Y, (Y from public key)

The precision of fraction in Z vector. = +2

Hamming weight of secret key. =

Total length of secret key vector. = .log()

KeyGen(): Generate sk* and pk* as before.Private

as before. Output a pair

Evaluate(pk,C,< c1, ..cn >): Generate c

Das könnte Ihnen auch gefallen