homomorphic encryption: what, why, and how
DESCRIPTION
Homomorphic Encryption: WHAT, WHY, and HOW. Vinod Vaikuntanathan. University of Toronto. A Brief History of Cryptography. In the beginning, there was symmetric encryption. Julius Ceasar (100-44 BC). Message: . ATTACK AT DAWN. A Brief History of Cryptography. - PowerPoint PPT PresentationTRANSCRIPT
![Page 1: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/1.jpg)
Homomorphic Encryption:WHAT, WHY, and HOW
Vinod VaikuntanathanUniversity of Toronto
![Page 2: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/2.jpg)
A Brief History of Cryptography
Julius Ceasar (100-44 BC)
In the beginning, there was symmetric encryption.
Message:
ATTACK AT DAWN
![Page 3: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/3.jpg)
A Brief History of Cryptography
Julius Ceasar (100-44 BC)
Message:
ATTACK AT DAWNKey: +3Ciphertext:
↓↓↓↓↓↓ ↓↓ ↓↓↓↓
DWWDFN DW GDZQ
If you had the key, you could encrypt…
DWWDFN DW GDZQ
![Page 4: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/4.jpg)
A Brief History of Cryptography
Julius Ceasar (100-44 BC)
Ciphertext:
DWWDFN DW GDZQKey: -3Message:
↓↓↓↓↓↓ ↓↓ ↓↓↓↓
ATTACK AT DAWN
If you had the key, you could decrypt…
DWWDFN DW GDZQ
![Page 5: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/5.jpg)
A Brief History of Cryptography
Julius Ceasar (100-44 BC)
If you had the key, you could decrypt…
DWWDFN DW GDZQ
Symmetric Encryption:Encryption and Decryption use the same key
![Page 6: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/6.jpg)
A Brief History of Cryptography
Symmetric Encryption:Encryption and Decryption use the same key
Vigenere EnigmaClaude Shannon andInformation Theory
1900-1950
![Page 7: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/7.jpg)
A Brief History of Cryptography
Asymmetric EncryptionMerkle, Hellman and Diffie (1976) Shamir, Rivest and Adleman (1978)
Encryption uses a public key, Decryption uses the secret key
(1970s)
![Page 8: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/8.jpg)
A Brief History of Cryptography
Asymmetric Encryption:The Foundation of E-Commerce
![Page 9: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/9.jpg)
A Brief History of CryptographyRSA: The first and most popular
asymmetric encryption
𝐸 (𝑚 )=𝑚𝑒 ¿
D
![Page 10: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/10.jpg)
YET…
The world was black and white
![Page 11: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/11.jpg)
YET…
The world was black and white
The only thing anyone did with encrypted data was …
… decrypt it.
![Page 12: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/12.jpg)
YET…Encryption =
![Page 13: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/13.jpg)
What else can we do with encrypted data, anyway?
Functionf
xsearchquery Google
searchSearch results
x
f(x)
WANT PRIVACY!
![Page 14: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/14.jpg)
Computing on Encrypted Data
What else can we do with encrypted data, anyway?
Functionf
xEnc(x)
Enc(f(x))
WANT PRIVACY!
![Page 15: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/15.jpg)
Computing on Encrypted Data
Some people noted the algebraic structure in RSA…
Ergo …
Multiplicative Homomorphism
![Page 16: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/16.jpg)
Computing on Encrypted Data
RSA is multiplicatively homomorphic
Ergo …
Multiplicative Homomorphism
![Page 17: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/17.jpg)
Computing on Encrypted Data
RSA is multiplicatively homomorphic
Ergo …
Multiplicative Homomorphism
(but not additively homomorphic)
![Page 18: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/18.jpg)
Computing on Encrypted Data
Other Encryptions were additively homomorphic
Additive Homomorphism
(but not multiplicatively homomorphic)
![Page 19: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/19.jpg)
Computing on Encrypted Data
What people really wanted was the ability to do arbitrary computing on encrypted data…
… and this required the ability to compute both sums and products …
… on the same encrypted data set!
![Page 20: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/20.jpg)
Computing on Encrypted Data
XOR0 XOR 0
1 XOR 0
0 XOR 1
1 XOR 1
0
1
1
0
AND 0 AND 0
1 AND 0
0 AND 1
1 AND 1
0
0
0
1
Why SUMs and PRODUCTs?SUM=
PRODUCT=
![Page 21: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/21.jpg)
Computing on Encrypted Data
XOR0 XOR 0
1 XOR 0
0 XOR 1
1 XOR 1
0
1
1
0
AND 0 AND 0
1 AND 0
0 AND 1
1 AND 1
0
0
0
1
Because {XOR,AND} is Turing-complete …… any function is a combination of XOR and AND gates
![Page 22: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/22.jpg)
Computing on Encrypted Data
Because {XOR,AND} is Turing-complete …… any function is a combination of XOR and AND gates
Example: Indexing a database
0
1
1
0
DB indexi = i1i0
return DBi
i0 i1
DB3 DB2 DB0 DB1
![Page 23: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/23.jpg)
Computing on Encrypted Data
Because {XOR,AND} is Turing-complete …… if you can compute sums and products on encrypted bits
… you can compute ANY function on encrypted inputs
E(x1) E(x2) E(x3) E(x4)
E(x3 AND x4)E(x1 XOR x2)
E(f(x1,x2,x3,x4))
![Page 24: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/24.jpg)
Computing on Encrypted Data
Fully-Homomorphic Encryption!
Cryptography’s Holy Grail
![Page 25: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/25.jpg)
Computing on Encrypted Data
Fully-Homomorphic Encryption!Amazing Applications:
Private Cloud Computing
Delegate arbitrary processing of datawithout giving away access to it
![Page 26: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/26.jpg)
Computing on Encrypted Data
Fully-Homomorphic Encryption!
People tried do this …… for years …
… and years …… with no success.
![Page 27: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/27.jpg)
… until, in October 2008 …
… Craig Gentry came up with the first fully homomorphic encryption scheme …
![Page 28: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/28.jpg)
How does it work?
What is the magic?
![Page 29: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/29.jpg)
What sort of math can we use?
![Page 30: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/30.jpg)
What sort of objects can we add and multiply?
Polynomials? +
X
![Page 31: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/31.jpg)
Polynomials?
Matrices?
+
X
=
=
What sort of objects can we add and multiply?
![Page 32: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/32.jpg)
Polynomials?
Matrices?
+
X
How about integers?!?
+ 3
X 3
=
=
[Gentry, Halevi, van Dijk, Vaikuntanathan’09]
What sort of objects can we add and multiply?
![Page 33: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/33.jpg)
TODAY: Symmetric Encryption
![Page 34: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/34.jpg)
Secret key: large odd number p
0 p 2p 3p-3p -2p -p
![Page 35: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/35.jpg)
Secret key: large odd number p
To Encrypt a bit b:– pick a (random) “large” multiple of p, say q·p
0 p 2p 3p-3p -2p -p
![Page 36: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/36.jpg)
Secret key: large odd number p
To Encrypt a bit b:– pick a (random) “large” multiple of p, say q·p
– pick a (random) “small” number 2·r+b
0 p 2p 3p-3p -2p -p
(this is even if b=0, and odd if b=1)
the “noise” = 2·r+b
![Page 37: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/37.jpg)
Secret key: large odd number p
To Encrypt a bit b:– pick a (random) “large” multiple of p, say q·p
– pick a (random) “small” number 2·r+b
– Ciphertext c = q·p+2·r+b
0 p 2p 3p-3p -2p -p
(this is even if b=0, and odd if b=1)
the “noise” = 2·r+b
![Page 38: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/38.jpg)
Secret key: large odd number p
To Encrypt a bit b:– pick a (random) “large” multiple of p, say q·p
– pick a (random) “small” number 2·r+b
– Ciphertext c = q·p+2·r+b
0 p 2p 3p-3p -2p -p
(this is even if b=0, and odd if b=1)
the “noise” = 2·r+b
To Decrypt a ciphertext c:Taking c mod p recovers the noise
![Page 39: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/39.jpg)
How secure is this?
… if there were no noise (think r=0)
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
… and I give you two encryptions of 0 (q1p & q2p)
… then you can recover the secret key p= GCD(q1p, q2p)
![Page 40: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/40.jpg)
How secure is this?
… but if there is noise
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
… the GCD attack doesn’t work
… and neither does any attack (we believe)
… this is called the approximate GCD assumption
![Page 41: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/41.jpg)
XORing two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c2 = q2·p + (2·r2 + b2)
![Page 42: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/42.jpg)
XORing two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
– c2 = q2·p + (2·r2 + b2)
![Page 43: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/43.jpg)
XORing two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
Odd if b1=0, b2=1 (or) b1=1, b2=0Even if b1=0, b2=0 (or) b1=1, b2=1
– c2 = q2·p + (2·r2 + b2)
![Page 44: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/44.jpg)
XORing two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
lsb= b1 XOR b2
– c2 = q2·p + (2·r2 + b2)
![Page 45: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/45.jpg)
ANDing two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
– c2 = q2·p + (2·r2 + b2)
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2
![Page 46: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/46.jpg)
ANDing two encrypted bits:
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
– c1 = q1·p + (2·r1 + b1)
lsb= b1 AND b2
– c2 = q2·p + (2·r2 + b2)
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2
![Page 47: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/47.jpg)
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
the noise grows!
![Page 48: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/48.jpg)
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
the noise grows!
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
noise= 2 * (initial noise)
![Page 49: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/49.jpg)
0 p 2p 3p-3p -2p -p
the “noise” = 2·r+b
the noise grows!
– c1+c2 = p·(q1 + q2) + 2·(r1+r2) + (b1+b2)
noise= 2 * (initial noise)
noise = (initial noise)2
– c1c2 = p·(c2·q1+c1·q2-q1·q2) + 2·(r1r2+r1b2+r2b1) + b1b2
![Page 50: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/50.jpg)
0 17 34 51-51 -34 -17
noise=-14
the noise grows!
… so what’s the problem?
20
![Page 51: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/51.jpg)
0 17 34 51-51 -34 -17
noise=-14
the noise grows!
… so what’s the problem?
20
decryption will recover noise’=3
![Page 52: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/52.jpg)
0 17 34 51-51 -34 -17
noise=-14
the noise grows!
… so what’s the problem?
20
If the |noise| > p/2, then …
decryption will output an incorrect bit
decryption will recover noise’=3
![Page 53: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/53.jpg)
So, what did we accomplish? … we can do lots of additions and
… some multiplications(= a “somewhat homomorphic” encryption)
![Page 54: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/54.jpg)
So, what did we accomplish? … we can do lots of additions and
… some multiplications
… enough to do many useful tasks, e.g.,database search, spam filtering etc.
(= a “somewhat homomorphic” encryption)
![Page 55: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/55.jpg)
So, what did we accomplish? … we can do lots of additions and
… some multiplications
… enough to do many useful tasks, e.g.,database search, spam filtering etc.
But I promised much more …
(= a “somewhat homomorphic” encryption)
![Page 56: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/56.jpg)
RSA&friends
MANY multZERO add
Fully homomorphic
MANY addMANY mult
WE ARE HERE!
![Page 57: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/57.jpg)
Fully homomorphic
MANY addMANY mult
WE ARE HERE!
[bootstrapping]
… but how?
The “bootstrapping method”
… If you can go a (large) part of the way,then you can go all the way.
RSA&friends
MANY multZERO add
![Page 58: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/58.jpg)
noise=0
noise=p/2
Initial noise
The “bootstrapping method”
![Page 59: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/59.jpg)
Noise after some sums and products
noise=0
noise=p/2
The “bootstrapping method”
![Page 60: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/60.jpg)
noise=0
noise=p/2
Bootstrapping = “Valve” at a fixed height
The “bootstrapping method”
![Page 61: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/61.jpg)
noise=0
noise=p/2
Bootstrapping = “Valve” at a fixed height
The “bootstrapping method”
![Page 62: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/62.jpg)
noise=0
noise=p/2
… repeat until done
The “bootstrapping method”
![Page 63: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/63.jpg)
noise=0
noise=p/2
… repeat until done
The “bootstrapping method”
![Page 64: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/64.jpg)
Lots of new Encryption Schemes… simpler, more secure, more efficient
e.g., [Brakerski, Vaikuntanathan 2012]
Dramatic Efficiency Improvements
2011
2010
2009
10100
100010000
100000
1000000
Time (in millisec) for a basic operation
![Page 65: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/65.jpg)
[3] “Fully Homomorphic Encryption from the Integers”,Marten van Dijk, Craig Gentry, Shai Halevi, Vinod Vaikuntanathanhttp://eprint.iacr.org/2009/616, Eurocrypt 2010.
References:
[1] “Computing arbitrary functions of Encrypted Data”,Craig Gentry, Communications of the ACM 53(3), 2010.
[2] “Computing Blindfolded: New Developments in Fully Homomorphic Encryption”,Vinod Vaikuntanathan, IEEE Foundations of Computer Science Invited Talk, 2012.
![Page 66: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/66.jpg)
Thank You!
![Page 67: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/67.jpg)
Gentry’s “bootstrapping method” …… If you can go a (large) part of the way,
then you can go all the way…
noise=0
noise=p/2
![Page 68: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/68.jpg)
Gentry’s “bootstrapping method” …… If you can go a (large) part of the way,
then you can go all the way…
noise=0
noise=p/2
Problem: Add and Mult increase noise(Add doubles, Mult squares the noise)
![Page 69: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/69.jpg)
Gentry’s “bootstrapping method” …… If you can go a (large) part of the way,
then you can go all the way…
noise=0
noise=p/2
Problem: Add and Mult increase noise(Add doubles, Mult squares the noise)
So, we want to do noise-reduction
![Page 70: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/70.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
![Page 71: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/71.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
… something that kills all noise
![Page 72: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/72.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
… something that kills all noise
… and recovers the message
![Page 73: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/73.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
… something that kills all noise
… and recovers the message
Decryption!
![Page 74: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/74.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
… something that kills all noise
… and recovers the message
Decryption!
Ctxt = Enc(b) Secret key
Decrypt
b
![Page 75: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/75.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
… something that kills all noise
… and recovers the message
Decryption!
Secret key
Decrypt
bFn. that acts on ciphertext and eliminates noise
Ctxt = Enc(b)
![Page 76: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/76.jpg)
noise=0
noise=p/2
Let’s think…
… What is the best noise-reduction procedure?
… something that kills all noise
… and recovers the message
Decryption!
Secret key
Decrypt
b
Ctxt = Enc(b)
But I can’t give the
secret key out for free!
![Page 77: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/77.jpg)
noise=0
noise=p/2
Let’s think…
Secret key
Decrypt
b
But I can’t give the
secret key out for free!
Ctxt = Enc(b)
… I want to reduce noise without letting you decrypt
![Page 78: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/78.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Secret key
Decrypt
b
Ctxt = Enc(b)
![Page 79: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/79.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
… called “Circular Encryption”
Secret key
Decrypt
b
Ctxt = Enc(b)
![Page 80: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/80.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
… called “Circular Encryption”
Decrypt
b
Ctxt = Enc(b) Enc(Secret key)
![Page 81: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/81.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
b
… Homomorphically evaluate the decryption ckt!!!
Ctxt = Enc(b)
… Now, to reduce noise …
![Page 82: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/82.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
… Homomorphically evaluate the decryption ckt!!!
Ctxt = Enc(b)
… Now, to reduce noise …
Enc(b)
![Page 83: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/83.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
… Homomorphically evaluate the decryption ckt!!!
Ctxt = Enc(b)
… Now, to reduce noise …
Enc(b)
![Page 84: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/84.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
… the input Enc(b) and output Enc(b) have different noise levels …
Ctxt = Enc(b)
KEY OBSERVATION:
Enc(b)
![Page 85: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/85.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
Regardless of the noise in the input Enc(b)…
Ctxt = Enc(b)
KEY OBSERVATION:
Enc(b)
the noise level in the output Enc(b) is FIXED
![Page 86: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/86.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
Regardless of the noise in the input Enc(b)…
Ctxt = Enc(b)
KEY OBSERVATION:
Enc(b)
the noise level in the output Enc(b) is FIXED
![Page 87: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/87.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
Regardless of the noise in the input Enc(b)…
Ctxt = Enc(b)
KEY OBSERVATION:
Enc(b)
the noise level in the output Enc(b) is FIXED
![Page 88: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/88.jpg)
noise=0
noise=p/2
KEY IDEA:
… I cannot release the secret key (lest everyone sees my data)
… but I can release Enc(secret key)
Enc(Secret key)
Decrypt
Regardless of the noise in the input Enc(b)…
Ctxt = Enc(b)
KEY OBSERVATION:
Enc(b)
the noise level in the output Enc(b) is FIXED
![Page 89: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/89.jpg)
Bottomline: whenever noise level increases beyond a limit …
noise=0
noise=p/2
… use bootstrapping to reset it to a fixed level
![Page 90: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/90.jpg)
noise=0
noise=p/2
Bootstrapping requires homomorphically evaluating the decryption circuit …
![Page 91: Homomorphic Encryption: WHAT, WHY, and HOW](https://reader036.vdocuments.mx/reader036/viewer/2022062411/56816689550346895dda44b8/html5/thumbnails/91.jpg)
noise=0
noise=p/2
Bootstrapping requires homomorphically evaluating the decryption circuit …
Thus, Gentry’s “bootstrapping theorem”:If an enc scheme can evaluate its own decryption circuit, then it can evaluate everything