Create Presentation
Download Presentation

Download Presentation
## Fully Homomorphic Encryption

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -

**Fully Homomorphic Encryption**Paper by: Craig Gentry Presented By: Daniel Henneberger**Homomorphic Encryption**• Computations on ciphertext which predictably modifies the plaintext • Operate on messages while they are encrypted • Data can be securely processed in unsecure environments • Cloud Computing • Databases • Voting machines**Keygen**• Encrypt • Decrypt • Evaluate**History**• 1978 – Privacy Homomorphism • US government pumps millions in it**Types of Homomorphism**• Additive • E(m1) + E(m2) = E(m1+m2) • Multiplicative • E(m1) * E(m2) = E(m1*m2) • Why just Add and Mul? • Can evaluate any function • Turing complete over a ring**Types of Homomorphism**• Somewhat Homomorphic • You can do only do some functions • RSA • Fully Homomorphic • You can do all functions • Leveled Fully Homomorphic • Keysize can grow with depth of the function • Bootstrappable • Can evaluate its own decryption circuit**Fully Homomorphic Encryption Using Ideal Lattices**Craig Gentry Stanford University and IBM Watson 2009**Importance of this topic**• Before this paper, it was unknown if fully homomorphic encryption could exist • First feasible result • Holy grail of encryption • 17 results on YouTube!**MATH: Lattice**• Ideal lattices are a form of difficult to compute mathematical problems • Similar to: • Integer Factorization • Discrete logarithm problem • Elliptic curves over finite fields (Elliptical curve) • Closest vector problem • Learning with errors • Unbreakable with quantum computing • Uses arbitrary approximations**Illustration - A lattice in R2borrowed from tau.ac.il**Each point corresponds to a vector in the lattice “Recipe”: 1. Take two linearly independent vectors in R2. 2. Close them for addition and for multiplication by an integer scalar. etc. ... etc. ...**MATH: Ideal Lattice**• A cyclic lattice is ‘ideal’ (ring-based) • NTRU – Asymmetric key cryptosystem that uses ring-based lattices • Low circuit complexity • Very fast • Allows additive and multiplicative homomorphism**More MATH**• Lots of math involved with this: • Cyclotomic Polynomials • Too much for this class time**Advances**• Evaluate(pk,C, Encrypt(pk,m1),..., Encrypt(pk,mt)) = Encrypt(pk,C(m1,..., mt)) • Steps • Create a general bootstrapping result • Initial construction using ideal lattices • Squash the decryption circuit to permit bootstrapping**Initial construction using ideal lattices**• Find a Public key scheme that is homomorphic for shallow circuits and uses ideal lattices • NTRUEncrypt • Ciphertext has a form of an ideal lattice + offset • Use a cyclic ring of keys • Hard to do • Large key size (GB)**Bootstrap Requirements**• Evaluate its own decryption circuit • Provides ability to recrypt plaintext • Must be allowed to recrypt augmented versions to provide mathematical operations**Improvements**• Allows ‘unlimited’ additions • Recrypt algorithm • Greater multiplicative depth • log log (N) - log log (n-1) • Still bad**Disadvantages**• Can only evaluate in logarithmic depth • Ciphertext grows • Noise increases • Addition- circuits can be corrected (recrypting) • Multiplication- noise grows quickly • Not yet practical • Client must begin the decryption process to be bootstrappable • Solution is approximate • >1 day to compute 1 message**Implementations**• PollyCracker • Fully Homomorphic Encryption over the Integers • Fully Homomorphic Encryption over the Binary Polynomials**Since this paper**• Many people have created new variants • Implementations • All slow • Finding shortcuts • AES-128 – Completed June 15th 2012 • Computed with 256GB of ram (still limiting factor) • 24 Xeon cores • Took 5 days per operation