Homomorphic Encryption
Mike Merry
• Motivations for homomorphic encryption
• What do we need?
• What is homomorphic encryption?
• How do we make it work?
• An example of how to do it
• Motivations for homomorphic encryption
• What is necessary?
• What is homomorphic encryption?
• How do we make it work?
• An example of how to do it
Motivations
• Medical data is sensitive
• Would like to use machinelearning to process it
• Do you trust putting it in the
cloud?
• Do you trust the integrity of
these servers all the time, in all
jurisdictions?
• Would still like to use cloud
services on the data
Medical data
e’
e
Enc(k, m = e)
Dec(k, e) = m
m
f(m)
m’
g(e)
e’
e
Enc(k, m = e)
Dec(k, e) = m
m
f(m)
m’
g(e)
e’
e
Enc(k, m = e)
Dec(k, e) = m
m
f(m)
m’
• Motivations for homomorphic encryption
• What do we need?
• What is homomorphic encryption?
• How do we make it work?
• An example of how to do it
What do we need?
• Process data:
•
•
•
•
In any way we want
On an insecure environment
Without leaking information about the data
In a time- and space-efficient manner
• We are not (necessarily) concerned with hiding what we are doing
• This is called Functional Encryption (FE) and is related, but distinct
• Motivations for homomorphic encryption
• What do we need?
• What is homomorphic encryption?
• How do we make it work?
• An example of how to do it
A (reasonably loose) definition
• Let U be unencrypted space, and be E encrypted space. Let f: U → U
be a function that we want to compute on our data
• We would like to find g: E → E such that g(e) = Enc(k, f(m)), that is
efficient and secure
A formal definition [1]
• A Homomorphic Encryption Scheme is an encryption scheme with
the following:
•
•
•
•
𝐺𝑒𝑛 1𝜆 , 𝛼 = 𝑝𝑘, 𝑠𝑘, 𝑒𝑣𝑘 a key generation function
𝐸𝑛𝑐 𝑝𝑘, 𝑚 : 𝑀 → 𝑋 an encryption function
𝐸𝑣𝑎𝑙 𝑒𝑣𝑘, 𝑓, 𝑐1 , … 𝑐𝑛 : 𝑋 → 𝑌 an evaluation function a.k.a. g(e)
𝐷𝑒𝑐 𝑠𝑘, 𝑐 : 𝑌 → 𝑀
• Note that the evaluation and encryption spaces can be distinct
• This is hardly an issue as the identity function can be used on cipher texts
[1] Armknecht, F., Boyd, C., Carr, C., Gjosteen, K., Jaschke, A., Reuter, C. A., & Strand, M. (2015). A Guide to Fully Homomorphic
Encryption. Cryptology ePrint Archive, 1–35. Retrieved from https://eprint.iacr.org/2015/1192
Properties: correctness
• Correct decryption: Dec sk, 𝐸𝑛𝑐 𝑝𝑘, 𝑚
=𝑚
• Correct evaluation: 𝐷𝑒𝑐 𝑠𝑘, 𝐸𝑣𝑎𝑙 𝑒𝑣𝑘, 𝑓, 𝐸𝑛𝑐 𝑝𝑘, 𝑚
• Pr 𝐷𝑒𝑐 𝑠𝑘, 𝐸𝑣𝑎𝑙 𝑒𝑣𝑘, 𝑓, 𝐸𝑛𝑐 𝑝𝑘, 𝑚
=𝑓 𝑚
=1−𝜖
• I.e., we want decryption to work as we would expect
=𝑓 𝑚
Properties: Compactness
• Compactness: the length of 𝐸𝑣𝑎𝑙 𝑒𝑣𝑘, 𝑓, 𝑚 is limited by a
polynomial dependent on 𝜆 (is independent of length of f)
• Compactly evaluate: compactness and both correctness properties
hold
• Compactness is important because it prevents the trivial scheme
• 𝐸𝑣𝑎𝑙 𝑓, 𝑐1 , 𝑐2, … , 𝑐𝑛 = 𝐸𝑛𝑐 𝑓 𝑐1 𝑐2 … 𝑐𝑛
• Decryption first decrypts this, then applies f to the cipher texts
Properties: Privacy
• Circuit privacy: The distribution of the evaluation of a circuit in
homomorphic space is indistinguishable from the encryption of the
output of the circuit
• A different way of viewing Circuit Privacy is to consider whether you
would be happy to release the encrypted results of a message-space
function. If you would, then as the distribution of the evaluation
space is the same, you should be happy to release those results as
well.
• This doesn’t mean the distributions are equivalent to fresh cipher texts as the
distribution of f(x) is not random.
• Motivations for homomorphic encryption
• What do we need?
• What is homomorphic encryption?
• How do we make it work?
• An example of how to do it
Bootstrapping [2]
• Take a somewhat homomorphic scheme
• This means that there is some limit on the depth of the functions f for 𝑒𝑣𝑎𝑙
• Ensure that 𝐷𝑒𝑐 𝑠𝑘, 𝑐 can be evaluated in encryption space
• When the limit is being approached, re-encrypt the cipher text
• Decrypt the first layer of encryption, within the second layer of
encryption
• For this to work, the limit must be greater than the requirements of
𝐷𝑒𝑐 𝑠𝑘, 𝑐
[2] Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. In Proceedings of the 41st annual ACM symposium on
Symposium on theory of computing - STOC ’09 (Vol. 19, p. 169). New York, New York, USA: ACM Press.
m
𝑚
𝐸𝑛𝑐
𝑚
𝐸𝑛𝑐 𝑘1 , 𝑚
𝑚
𝐸𝑛𝑐 𝑘1 , 𝑚
𝐸𝑣𝑎𝑙
𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐(𝑘1 , 𝑚)
𝑚
𝐸𝑛𝑐 𝑘1 , 𝑚
𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐(𝑘1 , 𝑚)
𝐸𝑛𝑐
𝐸𝑛𝑐 𝑘2 , 𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐 𝑘1 , 𝑚
𝑘1
𝑚
𝐸𝑛𝑐 𝑘1 , 𝑚
𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐(𝑘1 , 𝑚)
𝐸𝑛𝑐 𝑘2 , 𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐 𝑘1 , 𝑚
𝐸𝑣𝑎𝑙(𝐷𝑒𝑐𝑘1 )
𝐸𝑣𝑎𝑙(𝐷𝑒𝑐𝑘1 , 𝐸𝑛𝑐 𝑘2 , 𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐 𝑘1 , 𝑚
𝑚
𝐸𝑛𝑐 𝑘1 , 𝑚
𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐(𝑘1 , 𝑚)
𝐸𝑛𝑐
𝐸𝑛𝑐 𝑘2 , 𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐 𝑘1 , 𝑚
𝐸𝑣𝑎𝑙(𝐷𝑒𝑐𝑘1 , 𝐸𝑛𝑐 𝑘2 , 𝐸𝑣𝑎𝑙 𝑓, 𝐸𝑛𝑐 𝑘1 , 𝑚
= 𝐸𝑛𝑐 𝑘2 , 𝑓(𝑚)
• Motivations for homomorphic encryption
• What do we need?
• What is homomorphic encryption?
• How do we make it work?
• An example of how to do it
Dijk and Gentry’s FHE over the integers [3]
• 𝐺𝑒𝑛 1𝜆 , 𝛼 = 𝑝𝑘, 𝑠𝑘, 𝑒𝑣𝑘
• 𝑠𝑘 = 𝑝 = odd, n-bit integer
• 𝑒𝑣𝑘 = 𝑝𝑘 = {set of numbers of the form x = 𝑞𝑝 + 𝑟}
• 𝑟 ∈ −2𝑚 , 2𝑚 : random, comparatively small noise of order 𝑚 ≪ 𝜆
• 𝑞<
2𝜆
𝑝
: big random numbers
• Let 𝑥0 = max 𝑝𝑘 and it must be odd
′
• 𝐸𝑛𝑐 𝑝𝑘, 𝑚 = 𝑚 + 2𝑟 + 2
• S is a random subset of p𝑘
• 𝑚 is a single bit 𝑚 ∈ {0, 1}
• 𝜇 is the overall noise
𝑆 𝑚𝑜𝑑 𝑥0 = 𝑚 + 2𝜇 𝑚𝑜𝑑 𝑥0
[3] Van Dijk, M., Gentry, C., Halevi, S., & Vaikuntanathan, V. (2010). Fully Homomorphic Encryption over the Integers. In Annual International Conference on the Theory
and Applications of Cryptographic Techniques (pp. 24–43). Springer Berlin Heidelberg. http://doi.org/10.1007/978-3-642-13190-5_2
Dijk and Gentry’s FHE over the integers
• 𝐸𝑣𝑎𝑙 𝑝𝑘, 𝑓, 𝑐1 , … 𝑐𝑛 for f, a composition of addition and
multiplication
•
•
•
•
Just apply f
𝑐1 = 𝑚1 + 2𝜇1 𝑚𝑜𝑑 𝑥0 ; c2 = 𝑚2 + 2𝜇2 𝑚𝑜𝑑 𝑥0
𝑐1 + 𝑐2 = 𝑚1 + 𝑚2 + 2 𝜇1 + 𝜇2 𝑚𝑜𝑑 𝑥0 = 𝑚1 + 𝑚2 𝑚𝑜𝑑 2
𝑐1 × 𝑐2 = 𝑚1 𝑚2 + 2𝑚1 𝜇2 + 2𝑚2 𝜇1 + 4𝜇1 𝜇2 𝑚𝑜𝑑 𝑥0 = 𝑚1 × 𝑚2 𝑚𝑜𝑑 2
• Note:
• We have addition and multiplication
• Noise increases after every operation
Dijk and Gentry’s FHE over the integers
• 𝐷𝑒𝑐 𝑠𝑘, 𝑐
• Output 𝑚′ = 𝑐′ 𝑚𝑜𝑑 𝑝 𝑚𝑜𝑑 2
• For 𝑐 = 𝑒𝑛𝑐 𝑝𝑘, 𝑚 = 𝑚 + 2𝑟′ + 2
𝑆 𝑚𝑜𝑑 𝑥0
• For each 𝑠 ∈ 𝑆; 𝑠 𝑚𝑜𝑑 𝑝 = 𝑞𝑝 + 𝑟 𝑚𝑜𝑑 𝑝 ≅ 𝑟
• (𝑚 + 2𝑟 ′ + 2 𝑆 𝑚𝑜𝑑 𝑝) 𝑚𝑜𝑑 2 = m + 2r ′ + 2 𝑟 𝑚𝑜𝑑 2 = 𝑚
• On evaluated functions – the noise still falls away, provided it hasn’t become
too large
• As 𝐸𝑛𝑐(𝑝𝑘, 𝑚) is just a set of additions and multiplications, we can
bootstrap FHE, provided we are careful with our choice of parameters
References
1. Armknecht, F., Boyd, C., Carr, C., Gjosteen, K., Jaschke, A., Reuter, C. A., &
Strand, M. (2015). A Guide to Fully Homomorphic Encryption. Cryptology
ePrint Archive, 1–35. Retrieved from https://eprint.iacr.org/2015/1192
2. Gentry, C. (2009). Fully homomorphic encryption using ideal lattices. In
Proceedings of the 41st annual ACM symposium on Symposium on theory
of computing - STOC ’09 (Vol. 19, p. 169). New York, New York, USA: ACM
Press. http://doi.org/10.1145/1536414.1536440
3. Van Dijk, M., Gentry, C., Halevi, S., & Vaikuntanathan, V. (2010). Fully
Homomorphic Encryption over the Integers. In Annual International
Conference on the Theory and Applications of Cryptographic Techniques
(pp. 24–43). Springer Berlin Heidelberg. http://doi.org/10.1007/978-3642-13190-5_2