SlideShare a Scribd company logo
Introduction to
Homomorphic Encryption
Hubert Hesse Christoph Matthies Robert Lehmann
1
@hubx @chrisma0 @rlehmann
2013
operation(plain)
What is that?
2
operation(plain)
==
decrypt(operation'(encrypt(plain)))
What is that?
3
operation(plain)
==
decrypt(operation'(encrypt(plain)))
i.e. outputs of operations on encrypted data are still usable
What is that?
4
July 2013:
Change in "De-Mail-Gesetz" defining De-Mail as
secure [1]
● Needs to be decrypted by
provider to "check for viruses"
● (Secret) key on server of provider
○ Server becomes juicy target
● Homomorphic encryption
○ Can check without decryption
[1] http://www.spiegel.de/netzwelt/netzpolitik/de-mail-bundestag-erklaert-bundes-mail-per-gesetz-als-sicher-a-895361.html
Current context
5
● Medical records
○ Analyze disease / treatment without disclosing them
○ Search for DNA markers without revealing DNA
○ "Digitale Krankenakte"
● Spam filtering
○ Blacklisting encrypted mails
○ Third parties can scan your PGP traffic
Use cases
Doing something without knowing what6
Homomorphism
groups (P, ⊕) and (C, ⊗)
relation f : P → C
f is a group homomorphism in P and C, if:
∀ a,b ∈ P: f(a ⊕ b) = f(a) ⊗ f(b)
Especially:
∀ a,b ∈ P: a ⊕ b = f-1
( f(a) ⊗ f(b) )
7
be aware, mapping from one operation to another
Examples
groups (R, +) and (R*
, ×)
function: R → R
exp(x+y) = exp(x) × exp(y)
10x+y
= 10x
× 10y
ln(a×b) = ln(a) + ln(b)
8
In RSA,
multiplication is
(accidentally)
a homomorphism
Practical example
9
Imagine
width = 7
height = 3
10
what's the area?
Imagine
width = 7
height = 3
11
area
solver™
Enter the cloud
width = 7
height = 3
12
Enter the cloud
width = 7
height = 3
privacy
privacy
area
solver™
13
Enter the cloud
width = 7
height = 3
privacy
privacy
area
solver™
RSA to the rescue
14
private key
(47, 143)
public key
(23, 143)
public key
(23, 143)
private key
(47, 143)
Select p=11,q=13
p*q=143=N
φ(N)=φ(143)=(p-1)*(q-1)=120
select e w/ gcd(e,120)=1,
e=23
Calculate e*d ≡ 1 mod φ(N):
e*d+k*φ(N)=1=gcd(e,φ(N))
=23*d+k*120=1=gcd(23,120)
d=47, k=-9
15 the justified sinner, flickr (CC BY-NC-SA 2.0)
wait, RSA?
Encryption in RSA
≡
Homomorphic property
16
width = 7
height = 3
private
public
encrypt
private key := (47, 143)
public key := (23, 143)
17
width = 7
height = 3
encrypt
private
public
cw
≡ widthe
mod N
cw
≡ 723
mod 143
cw
= 2
ch
≡ heighte
mod N
ch
≡ 323
mod 143
ch
= 126
private key := (47, 143)
public key := (23, 143)
18
width = 7
height = 3
encrypt
width = 2
height = 126
private
public
private key := (47, 143)
public key := (23, 143)
19
width = 7
height = 3
private
public
width = 2
height = 126
area
solver
private key := (47, 143)
public key := (23, 143)
20
width = 7
height = 3
private
public
width = 2
height = 126
area = 252
area
solver
private key := (47, 143)
public key := (23, 143)
21
width = 7
height = 3
private
public
width = 2
height = 126
area = 252
private key := (47, 143)
public key := (23, 143)
22
width = 7
height = 3
private
public
width = 2
height = 126
area = 252
area = decrypt(252)
= 21
private key := (47, 143)
public key := (23, 143)
decrypt
area = 21
area ≡ cipherd
mod N
≡ 25247
mod 143
= 21
23
width = 7
height = 3
private
public
width = 2
height = 126
area = 252
area = decrypt(252)
= 21
= 7 x 3
private key := (47, 143)
public key := (23, 143)
decrypt
area = 21
(sanity check)
24
● RSA allows only multiplication
○ Other operations on ciphertext
(e.g. +) break decryption
● Other schemes allow different operations
(e.g. + and -)
● Algebra homomorphisms
allows x and +
○ Much more powerful
Different homomorphisms
circumference calculation
correct: 3*2 + 7*2 = 20
encrypted: 2*2 + 2*126 = 256
decryption: 25647
mod 143 = 42
42 ≠ 20 ⚡
f: A→B alg. hom. ⇔ ∀k∈K; x,y∈A:
• f(k*x)=k*f(x)
• f(x+y)=f(x)+f(y)
• f(x*y)=f(x)*f(y)
25
● RSA allows only multiplication
○ Other operations on ciphertext
(e.g. +) break decryption
● Other schemes allow different operations
(e.g. + and -)
● Algebra homomorphisms
allows x and +
○ Much more powerful
Different homomorphisms
circumference calculation
correct: 3*2 + 7*2 = 20
encrypted: 2*2 + 2*126 = 256
decryption: 25647
mod 143 = 42
42 ≠ 20 ⚡
f: A→B alg. hom. ⇔ ∀k∈K; x,y∈A:
• f(k*x)=k*f(x)
• f(x+y)=f(x)+f(y)
• f(x*y)=f(x)*f(y)
Need to select appropriate homomorphic
encryption scheme for application
26
System Plaintext operation Cipher operation
RSA × ×
Paillier +, −
m×k, m+k
×, ÷
ck
, c×gk
ElGamal ×
m×k, mk
×
c×k, ck
Goldwasser-Micali ⊕ ×
Benaloh +, − ×, ÷
Naccache-Stern +, −
m×k
×, ÷
ck
Sander-Young-Yung × +
Okamoto-Uchiyama +, −
m×k, m+k
×, ÷
ck
, c+e(k)
Boneh-Goh-Nissim Paillier (+, −, m×k, m+k)
× (once)
Paillier
bilinear pairing
US 7'995'750 / ROT13 + +
27
● Operations on ciphertext accumulate "noise"
○ Addition adds noise, multiplication multiplies it
○ Noise gets too high → decryption fails
● These "limited" algebra
homomorphism schemes:
Somewhat Homomorphic Encryption Schemes
(simplified)Pollution
28 Bob August, flickr (CC BY-NC-SA 2.0)
● Using small N in RSA and large inputs
○ When output larger than RSA-modulus, decryption fails
Pollution
Calculate area of
square using RSA
10*15=150
Encryption:
c_w ≡ 1023
mod 143
≡ 43
c_h = 1523
mod 143
= 20
c_a = 43*20 = 860
Decryption:
a ≡ 86047
mod 143
(≡ 150 mod 143)
≡ 7
7 ≠ 150 ⚡
Example
15
10
29
Beyond + and ×
Every program can be expressed in
terms of a digital circuit.
*
* referentially transparent, ie. w/o side effects, today() is not ref. transparent
30 Tristan Nitot, flickr (CC BY-NC-SA 2.0)
Beyond + and ×
Every digital circuit can be expressed
in terms of AND, OR, and NOT.
31
Beyond + and ×
Every digital circuit can be expressed
in terms of AND, OR, and NOT.
(remember Disjunctive Normal Forms?)
32
Beyond + and ×
Every digital circuit can be expressed
in terms of AND, OR, and XOR.
XOR(x, 1) = NOT(x)
NOT(AND(NOT(x), NOT(y))) = !(!x & !y) = OR(x, y)
33
With ∧ and ⊕ we can
represent any operation
Fully homomorphic encryptionFully homomorphic encryption
34 Duane Romanell, flickr (CC BY-NC-ND 2.0)Duane Romanell, flickr (CC BY-NC-ND 2.0)
Circuit Encryption
● Assume homomorphic enc:
○ 0-bits → even ints
○ 1-bits → odd ints
○ ⊕ → +
○ ∧ → ×
○ Define: ∘ = (a + b) + ( a x b) (Logical OR)
⊕
{ OR = (a ∧ b) ∧ (a ⊕ b) }
(+ random r * secret p mod p!)
{ simple truth tables }
35
Circuit Encryption
● Single Bit Adder
○ A,B: inputs, Cin
: carry-in, S: sum, Cout
: carry-out
Toy example
S = ((A ⊕ B) ⊕ C)
Cout
= (A ∧ B) v ((A ⊕ B) ∧ Cin
)36
S = ((A ⊕ B) ⊕ C)
Cout
= (A ∧ B) v ((A ⊕ B) ∧ Cin
)
S = ((A + B) + C)
Cout
= (A × B) ∘ ((A+B) × Cin
)
Circuit Encryption
Toy example
map
operators
37
A B Cin
S Cout
1 0 1 0 1
3 4 7 ? ?encrypted
Circuit Encryption
Toy example - calc. S
S = ((A + B) + C)
S = ((3 + 4) + 7) = ?
apply
38
A B Cin
S Cout
1 0 1 0 1
3 4 7 14 ?encrypted
Circuit Encryption
Toy example - calc. S
S = ((A + B) + C)
S = ((3 + 4) + 7) = 14 ≙ 0
39
A B Cin
S Cout
1 0 1 0 1
3 4 7 14 649
Circuit Encryption
Toy example - calc. Cout
Cout
= (A × B) ∘ ((A + B) × Cin
)
Cout
= (3 × 4) ∘ ((3 + 4) × 7)
= 12 ∘ 49
= (12 + 49) + (12 * 49)
= 61 + 588 = 649 ≙ 1
∘ = (a + b) + (a x b)
apply
40
Circuit Encryption
● Assume homomorphic enc:
○ 0-bits → even ints
○ 1-bits → odd ints
○ ⊕ → +
○ ∧ → ×
○ Define: ∘ = (a + b) + ( a x b) (Logical OR)
⊕
{ OR = (a ∧ b) ∧ (a ⊕ b) }
(actually mod a secret p)
{ simple truth tables }
41
Circuit Enc.
● Encrypted Memory Access
●
Example
¬ao
∧ ¬a1
∧ m0
ao
∧ ¬a1
∧ m1
¬ao
∧ a1
∧ m2
ao
∧ a1
∧ m3
m0
m1
m2
m3
a0
a1
1 x x x 0 0
x 1 x x 1 0
x x 1 x 0 1
x x x 1 1 1
42
Encrypted Memory Access
●
row3
= ao
∧ a1
∧ m3
row2
= ¬ao
∧ a1
∧ m2
row1
= ao
∧ ¬a1
∧ m1
row0
= ¬ao
∧ ¬a1
∧ m0
c = row0
∨row1
∨row2
∨row3
[1] M Brenner, J Wiebelitz, G von Voigt. Secret program execution in the cloud applying homomorphic encryption. 201143
●
row3
= ao
∧ a1
∧ m3
row2
= ¬ao
∧ a1
∧ m2
row1
= ao
∧ ¬a1
∧ m1
row0
= ¬ao
∧ ¬a1
∧ m0
c = row0
∨row1
∨row2
∨row3
m = {1, 0, 1, 0} a = 01
Encrypted Memory Access
44
●
row3
= ao
∧ a1
∧ m3
row2
= ¬ao
∧ a1
∧ m2
row1
= ao
∧ ¬a1
∧ m1
row0
= ¬ao
∧ ¬a1
∧ m0
c = row0
∨row1
∨row2
∨row3
m = {1, 0, 1, 0} a = 01
Encrypted Memory Access
45
●
row3
= ao
∧ a1
∧ 0
row2
= ¬ao
∧ a1
∧ 1
row1
= ao
∧ ¬a1
∧ 0
row0
= ¬ao
∧ ¬a1
∧ 1
c = row0
∨row1
∨row2
∨row3
m = {1, 0, 1, 0} a = 01
Encrypted Memory Access
46
●
row3
= ao
∧ a1
∧ 0
row2
= ¬ao
∧ a1
∧ 1
row1
= ao
∧ ¬a1
∧ 0
row0
= ¬ao
∧ ¬a1
∧ 1
c = row0
∨row1
∨row2
∨row3
m = {1, 0, 1, 0} a = 01
Encrypted Memory Access
47
●
row3
= 0 ∧ 1 ∧ 0
row2
= 1 ∧ 1 ∧ 1
row1
= 0 ∧ 0 ∧ 0
row0
= 1 ∧ 0 ∧ 1
c = row0
∨row1
∨row2
∨row3
m = {1, 0, 1, 0} a = 01
Encrypted Memory Access
48
●
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
c = row0
∨row1
∨row2
∨row3
m = {1, 0, 1, 0} a = 01
Encrypted Memory Access
49
●
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
c = 0∨0∨1∨0 = 1
m = {1, 0, 1, 0}
Encrypted Memory Access
a = 01
50
●
c = row0
∘row1
∘row2
∘row3
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
row3
= (ao
× a1
× 6)
row2
= (ao
+ 1) × a1
× 9
row1
= (ao
× (a1
+ 1) × 4
row0
= (ao
+ 1) × (a1
+ 1) × 5
¬a0
¬a1
→
→
→
→
c = 0∨0∨1∨0 = 1
m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01
Encrypted Memory Access
0-bits → even ints
1-bits → odd ints
⊕ → +
∧ → ×
51
●
c = row0
∘row1
∘row2
∘row3
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
row3
= (ao
× a1
× 6)
row2
= (ao
+ 1) × a1
× 9
row1
= (ao
× (a1
+ 1) × 4
row0
= (ao
+ 1) × (a1
+ 1) × 5
¬a0
¬a1
→
→
→
→
c = 0∨0∨1∨0 = 1
m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01
Encrypted Memory Access
52
●
c = row0
∘row1
∘row2
∘row3
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
row3
= (8 × 3 × 6)
row2
= (8 + 1) × 3 × 9
row1
= (8 × (3 + 1) × 4
row0
= (8 + 1) × (3 + 1) × 5
¬a0
¬a1
→
→
→
→
c = 0∨0∨1∨0 = 1
m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01
Encrypted Memory Access
53
●
c = row0
∘row1
∘row2
∘row3
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
row3
= (8 × 3 × 6) = 144
row2
= (8 + 1) × 3 × 9 = 243
row1
= (8 × (3 + 1) × 4 = 128
row0
= (8 + 1) × (3 + 1) × 5 = 180
¬a0
¬a1
→
→
→
→
c = 0∨0∨1∨0 = 1
m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01
Encrypted Memory Access
54
●
c = 180∘128∘243∘144
= 826087619 ≙ 1
row3
= 0 ∧ 1 ∧ 0 = 0
row2
= 1 ∧ 1 ∧ 1 = 1
row1
= 0 ∧ 0 ∧ 0 = 0
row0
= 1 ∧ 0 ∧ 1 = 0
row3
= (8 × 3 × 6) = 144
row2
= (8 + 1) × 3 × 9 = 243
row1
= (8 × (3 + 1) × 4 = 128
row0
= (8 + 1) × (3 + 1) × 5 = 180
¬a0
¬a1
→
→
→
→
c = 0∨0∨1∨0 = 1
m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01
Encrypted Memory Access
55
Fully homomorphic encryption
● "Holy Grail" of cryptography
● First proposed within a year of RSA
development
○ 1979
○ Idea due to weird homomorphic property of RSA
● for more than 30 years:
unclear whether FHE even possible
○ During that time: best one = Boneh-Goh-Nissim
(remember the area solver example)
(the one where only one multiplication was possible)
56
"fully homomorphic encryption"
Google trends
1000
patents
200
patents
57
Gentry's approach
● 2009: Craig Gentry shows fully homomorphic
encryption in his doctoral thesis
● Employs somewhat homomorphic encryption
scheme using ideal lattices
● Scheme is bootstrappable
○ can evaluate its own decryption circuit
● Through recursive self-embedding, leads to
FHE
○ ciphertexts are reencrypted, eliminating noise
(based on "shortest lattice vector" problem used in cryptography, which is NP-hard)
58
Gentry's approachGentry's approach
@ł€¶ħæſðđŋæſþðøđł«»¢„
0101100101000101111
@ł€¶ħæſðđŋæſþðøđł«»¢„
³½¬³½¬[¬¼]²′³}³¬½¼¬³²³]
qebrgibfvjkadfnvarskdjhfq
þø»«ĸ@ł½{µ„þøþ@↓ðħþ
plaintext
ciphertext
refreshed ciphertext
ciphertext
secret key
encryption of secret key
59 catechism, flickr (CC BY-NC-SA 2.0)
https://www.youtube.com/watch?v=Y1TxCiOuoYY60
[...] a simple string search using
homomorphic encryption is about a trillion
times slower than without encryption. [1]
Issues
1 000 000 000 000x
61 [1] CryptDB: A practical encrypted relational DBMS, RA Popa, N Zeldovich, H Balakrishnan, 2011
62
Fully hom. enc. IRL
● HELib by Shai Halevi (2013)
○ Implementation of Brakerski-Gentry-Vaikuntanathan[1]
scheme
○ Using many optimizations in literature[2][3] for speed
○ Does not implement bootstrapping (yet)
[1] Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan: (Leveled) fully homomorphic encryption without bootstrapping. ITCS 201
[2] Nigel P. Smart, Frederik Vercauteren: Fully Homomorphic SIMD Operations. IACR Cryptology ePrint Archive 2011: 133 (2011)
[3] Craig Gentry and Shai Halevi and Nigel P. Smart Homomorphic Evaluation of the AES Circuit, CRYPTO 2012
Performance
Modulus Time for addition (ms) Time for multiplication
(ms)
257 0.7 39
8209 0.7 38
65537 2.9 177
Even numbers < 65537,
80 Bits of security
63
Visions of a fully homomorphic cryptosystem
have been dancing in cryptographers' heads for
thirty years. [...] It will be years before a
sufficient number of cryptographers examine
the algorithm that we can have any confidence
that the scheme is secure. [1]
—Bruce Schneier, cryptographer, April 2013
Criticism
“ “
64
[1] Homomorphic Encryption Breakthrough, Schneier on Security, Bruce Schneier https://www.schneier.
com/blog/archives/2009/07/homomorphic_enc.html
Last few years
65
●
○
■
○
●
●
™
○
Conclusion
66
Conclusion
— Halevi, 2012
“ “
67
[1] Recent Advances in Homomorphic Encryption, presentation by Shai Halevi, IBM Research, Feb. 13, 2012, http://n
csail.mit.edu/sys-security/FHE.pptx
Thanks for listening
Questions?
68
Source: http://www.google.com/patents/US7995750

More Related Content

What's hot

Hw #2
Hw #2Hw #2
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
Cyber Security Alliance
 
Integral table
Integral tableIntegral table
Integral table
Ankitcos0
 
138191 rvsp lecture notes
138191 rvsp lecture notes138191 rvsp lecture notes
138191 rvsp lecture notes
Ahmed Tayeh
 
Single page-integral-table
Single page-integral-tableSingle page-integral-table
Single page-integral-table
Monique Anderson
 
Single page-integral-table
Single page-integral-table Single page-integral-table
Single page-integral-table
Weverson Luiz Pereira
 
Derivative of an exponential function
Derivative of an exponential functionDerivative of an exponential function
Derivative of an exponential function
Nadeem Uddin
 
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
Ken'ichi Matsui
 
Gems of GameplayKit. UA Mobile 2017.
Gems of GameplayKit. UA Mobile 2017.Gems of GameplayKit. UA Mobile 2017.
Gems of GameplayKit. UA Mobile 2017.
UA Mobile
 
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
Ken'ichi Matsui
 
Microsoft Word Hw#3
Microsoft Word   Hw#3Microsoft Word   Hw#3
Microsoft Word Hw#3
kkkseld
 
Bresenham's line drawing algorithm
Bresenham's line drawing algorithmBresenham's line drawing algorithm
Bresenham's line drawing algorithm
Mani Kanth
 
SOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKASOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKA
Afrilio Franseda
 
Артём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data AnalysisАртём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data Analysis
SpbDotNet Community
 
Elementos finitos
Elementos finitosElementos finitos
Elementos finitos
jd
 
adders/subtractors, multiplexers, intro to ISA
adders/subtractors, multiplexers, intro to ISAadders/subtractors, multiplexers, intro to ISA
adders/subtractors, multiplexers, intro to ISA
i i
 
Derivadas
DerivadasDerivadas
Integral table
Integral tableIntegral table
Integral table
zzzubair
 
Integral table
Integral tableIntegral table
Integral table
Antonio Alanya
 
Machine Learning Introduction
Machine Learning IntroductionMachine Learning Introduction
Machine Learning Introduction
Akira Sosa
 

What's hot (20)

Hw #2
Hw #2Hw #2
Hw #2
 
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
ASFWS 2012 - Hash-flooding DoS reloaded: attacks and defenses par Jean-Philip...
 
Integral table
Integral tableIntegral table
Integral table
 
138191 rvsp lecture notes
138191 rvsp lecture notes138191 rvsp lecture notes
138191 rvsp lecture notes
 
Single page-integral-table
Single page-integral-tableSingle page-integral-table
Single page-integral-table
 
Single page-integral-table
Single page-integral-table Single page-integral-table
Single page-integral-table
 
Derivative of an exponential function
Derivative of an exponential functionDerivative of an exponential function
Derivative of an exponential function
 
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
数学カフェ 確率・統計・機械学習回 「速習 確率・統計」
 
Gems of GameplayKit. UA Mobile 2017.
Gems of GameplayKit. UA Mobile 2017.Gems of GameplayKit. UA Mobile 2017.
Gems of GameplayKit. UA Mobile 2017.
 
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
「ベータ分布の謎に迫る」第6回 プログラマのための数学勉強会 LT資料
 
Microsoft Word Hw#3
Microsoft Word   Hw#3Microsoft Word   Hw#3
Microsoft Word Hw#3
 
Bresenham's line drawing algorithm
Bresenham's line drawing algorithmBresenham's line drawing algorithm
Bresenham's line drawing algorithm
 
SOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKASOAL RANGKAIAN LOGIKA
SOAL RANGKAIAN LOGIKA
 
Артём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data AnalysisАртём Акуляков - F# for Data Analysis
Артём Акуляков - F# for Data Analysis
 
Elementos finitos
Elementos finitosElementos finitos
Elementos finitos
 
adders/subtractors, multiplexers, intro to ISA
adders/subtractors, multiplexers, intro to ISAadders/subtractors, multiplexers, intro to ISA
adders/subtractors, multiplexers, intro to ISA
 
Derivadas
DerivadasDerivadas
Derivadas
 
Integral table
Integral tableIntegral table
Integral table
 
Integral table
Integral tableIntegral table
Integral table
 
Machine Learning Introduction
Machine Learning IntroductionMachine Learning Introduction
Machine Learning Introduction
 

Similar to Introduction to Homomorphic Encryption

zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
Alex Pruden
 
Cryptography: way to Arkham - Andriy Savchenko
Cryptography: way to Arkham - Andriy SavchenkoCryptography: way to Arkham - Andriy Savchenko
Cryptography: way to Arkham - Andriy Savchenko
Ruby Meditation
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
Victor Pereira
 
Math 3-H6
Math 3-H6Math 3-H6
Math 3-H6
jjlendaya
 
Crypto lecture PDF
Crypto lecture PDFCrypto lecture PDF
Crypto lecture PDF
Nedia Hamoudi
 
Blockchain Technology - Week 6 - Role of Cryptography in Blockchain
Blockchain Technology - Week 6 - Role of Cryptography in BlockchainBlockchain Technology - Week 6 - Role of Cryptography in Blockchain
Blockchain Technology - Week 6 - Role of Cryptography in Blockchain
Ferdin Joe John Joseph PhD
 
Elliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proofElliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proof
Nimish Joseph
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge Proof
Arunanand Ta
 
Appendex
AppendexAppendex
Appendex
swavicky
 
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signaturesDigital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
Priyanka Aash
 
Signyourd digital signature certificate provider
Signyourd   digital signature certificate providerSignyourd   digital signature certificate provider
Signyourd digital signature certificate provider
Kishankant Yadav
 
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
PyData
 
Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015
ihji
 
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Spark Summit
 
Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)
Daniel Lemire
 
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Codemotion
 
Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyIntroduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve Cryptography
David Evans
 
Ap calculus extrema v2
Ap calculus extrema v2Ap calculus extrema v2
Ap calculus extrema v2
gregcross22
 
The Perceptron (D1L2 Deep Learning for Speech and Language)
The Perceptron (D1L2 Deep Learning for Speech and Language)The Perceptron (D1L2 Deep Learning for Speech and Language)
The Perceptron (D1L2 Deep Learning for Speech and Language)
Universitat Politècnica de Catalunya
 
DeepXplore: Automated Whitebox Testing of Deep Learning
DeepXplore: Automated Whitebox Testing of Deep LearningDeepXplore: Automated Whitebox Testing of Deep Learning
DeepXplore: Automated Whitebox Testing of Deep Learning
Masahiro Sakai
 

Similar to Introduction to Homomorphic Encryption (20)

zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
zkStudyClub: PLONKUP & Reinforced Concrete [Luke Pearson, Joshua Fitzgerald, ...
 
Cryptography: way to Arkham - Andriy Savchenko
Cryptography: way to Arkham - Andriy SavchenkoCryptography: way to Arkham - Andriy Savchenko
Cryptography: way to Arkham - Andriy Savchenko
 
Homomorphic Encryption
Homomorphic EncryptionHomomorphic Encryption
Homomorphic Encryption
 
Math 3-H6
Math 3-H6Math 3-H6
Math 3-H6
 
Crypto lecture PDF
Crypto lecture PDFCrypto lecture PDF
Crypto lecture PDF
 
Blockchain Technology - Week 6 - Role of Cryptography in Blockchain
Blockchain Technology - Week 6 - Role of Cryptography in BlockchainBlockchain Technology - Week 6 - Role of Cryptography in Blockchain
Blockchain Technology - Week 6 - Role of Cryptography in Blockchain
 
Elliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proofElliptic curve cryptography and zero knowledge proof
Elliptic curve cryptography and zero knowledge proof
 
Elliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge ProofElliptic Curve Cryptography and Zero Knowledge Proof
Elliptic Curve Cryptography and Zero Knowledge Proof
 
Appendex
AppendexAppendex
Appendex
 
Digital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signaturesDigital Signatures: Reassessing security of randomizable signatures
Digital Signatures: Reassessing security of randomizable signatures
 
Signyourd digital signature certificate provider
Signyourd   digital signature certificate providerSignyourd   digital signature certificate provider
Signyourd digital signature certificate provider
 
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
Pythran: Static compiler for high performance by Mehdi Amini PyData SV 2014
 
Yoyak ScalaDays 2015
Yoyak ScalaDays 2015Yoyak ScalaDays 2015
Yoyak ScalaDays 2015
 
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
Engineering Fast Indexes for Big-Data Applications: Spark Summit East talk by...
 
Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)Engineering fast indexes (Deepdive)
Engineering fast indexes (Deepdive)
 
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
Sasha Romijn - Everything I always wanted to know about crypto, but never tho...
 
Introduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve CryptographyIntroduction to Elliptic Curve Cryptography
Introduction to Elliptic Curve Cryptography
 
Ap calculus extrema v2
Ap calculus extrema v2Ap calculus extrema v2
Ap calculus extrema v2
 
The Perceptron (D1L2 Deep Learning for Speech and Language)
The Perceptron (D1L2 Deep Learning for Speech and Language)The Perceptron (D1L2 Deep Learning for Speech and Language)
The Perceptron (D1L2 Deep Learning for Speech and Language)
 
DeepXplore: Automated Whitebox Testing of Deep Learning
DeepXplore: Automated Whitebox Testing of Deep LearningDeepXplore: Automated Whitebox Testing of Deep Learning
DeepXplore: Automated Whitebox Testing of Deep Learning
 

Recently uploaded

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
Pixlogix Infotech
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
DianaGray10
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
KAMESHS29
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
名前 です男
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
Kumud Singh
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
SOFTTECHHUB
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
Matthew Sinclair
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
Neo4j
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
Safe Software
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
IndexBug
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
Claudio Di Ciccio
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
Adtran
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
innovationoecd
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
tolgahangng
 

Recently uploaded (20)

Best 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERPBest 20 SEO Techniques To Improve Website Visibility In SERP
Best 20 SEO Techniques To Improve Website Visibility In SERP
 
Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1Communications Mining Series - Zero to Hero - Session 1
Communications Mining Series - Zero to Hero - Session 1
 
RESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for studentsRESUME BUILDER APPLICATION Project for students
RESUME BUILDER APPLICATION Project for students
 
TrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy SurveyTrustArc Webinar - 2024 Global Privacy Survey
TrustArc Webinar - 2024 Global Privacy Survey
 
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
みなさんこんにちはこれ何文字まで入るの?40文字以下不可とか本当に意味わからないけどこれ限界文字数書いてないからマジでやばい文字数いけるんじゃないの?えこ...
 
Mind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AIMind map of terminologies used in context of Generative AI
Mind map of terminologies used in context of Generative AI
 
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
Why You Should Replace Windows 11 with Nitrux Linux 3.5.0 for enhanced perfor...
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
20240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 202420240609 QFM020 Irresponsible AI Reading List May 2024
20240609 QFM020 Irresponsible AI Reading List May 2024
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024GraphSummit Singapore | The Art of the  Possible with Graph - Q2 2024
GraphSummit Singapore | The Art of the Possible with Graph - Q2 2024
 
Essentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FMEEssentials of Automations: The Art of Triggers and Actions in FME
Essentials of Automations: The Art of Triggers and Actions in FME
 
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial IntelligenceAI 101: An Introduction to the Basics and Impact of Artificial Intelligence
AI 101: An Introduction to the Basics and Impact of Artificial Intelligence
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”“I’m still / I’m still / Chaining from the Block”
“I’m still / I’m still / Chaining from the Block”
 
Pushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 daysPushing the limits of ePRTC: 100ns holdover for 100 days
Pushing the limits of ePRTC: 100ns holdover for 100 days
 
Presentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of GermanyPresentation of the OECD Artificial Intelligence Review of Germany
Presentation of the OECD Artificial Intelligence Review of Germany
 
Serial Arm Control in Real Time Presentation
Serial Arm Control in Real Time PresentationSerial Arm Control in Real Time Presentation
Serial Arm Control in Real Time Presentation
 

Introduction to Homomorphic Encryption

  • 1. Introduction to Homomorphic Encryption Hubert Hesse Christoph Matthies Robert Lehmann 1 @hubx @chrisma0 @rlehmann 2013
  • 4. operation(plain) == decrypt(operation'(encrypt(plain))) i.e. outputs of operations on encrypted data are still usable What is that? 4
  • 5. July 2013: Change in "De-Mail-Gesetz" defining De-Mail as secure [1] ● Needs to be decrypted by provider to "check for viruses" ● (Secret) key on server of provider ○ Server becomes juicy target ● Homomorphic encryption ○ Can check without decryption [1] http://www.spiegel.de/netzwelt/netzpolitik/de-mail-bundestag-erklaert-bundes-mail-per-gesetz-als-sicher-a-895361.html Current context 5
  • 6. ● Medical records ○ Analyze disease / treatment without disclosing them ○ Search for DNA markers without revealing DNA ○ "Digitale Krankenakte" ● Spam filtering ○ Blacklisting encrypted mails ○ Third parties can scan your PGP traffic Use cases Doing something without knowing what6
  • 7. Homomorphism groups (P, ⊕) and (C, ⊗) relation f : P → C f is a group homomorphism in P and C, if: ∀ a,b ∈ P: f(a ⊕ b) = f(a) ⊗ f(b) Especially: ∀ a,b ∈ P: a ⊕ b = f-1 ( f(a) ⊗ f(b) ) 7
  • 8. be aware, mapping from one operation to another Examples groups (R, +) and (R* , ×) function: R → R exp(x+y) = exp(x) × exp(y) 10x+y = 10x × 10y ln(a×b) = ln(a) + ln(b) 8
  • 9. In RSA, multiplication is (accidentally) a homomorphism Practical example 9
  • 11. what's the area? Imagine width = 7 height = 3 11
  • 13. Enter the cloud width = 7 height = 3 privacy privacy area solver™ 13
  • 14. Enter the cloud width = 7 height = 3 privacy privacy area solver™ RSA to the rescue 14
  • 15. private key (47, 143) public key (23, 143) public key (23, 143) private key (47, 143) Select p=11,q=13 p*q=143=N φ(N)=φ(143)=(p-1)*(q-1)=120 select e w/ gcd(e,120)=1, e=23 Calculate e*d ≡ 1 mod φ(N): e*d+k*φ(N)=1=gcd(e,φ(N)) =23*d+k*120=1=gcd(23,120) d=47, k=-9 15 the justified sinner, flickr (CC BY-NC-SA 2.0)
  • 16. wait, RSA? Encryption in RSA ≡ Homomorphic property 16
  • 17. width = 7 height = 3 private public encrypt private key := (47, 143) public key := (23, 143) 17
  • 18. width = 7 height = 3 encrypt private public cw ≡ widthe mod N cw ≡ 723 mod 143 cw = 2 ch ≡ heighte mod N ch ≡ 323 mod 143 ch = 126 private key := (47, 143) public key := (23, 143) 18
  • 19. width = 7 height = 3 encrypt width = 2 height = 126 private public private key := (47, 143) public key := (23, 143) 19
  • 20. width = 7 height = 3 private public width = 2 height = 126 area solver private key := (47, 143) public key := (23, 143) 20
  • 21. width = 7 height = 3 private public width = 2 height = 126 area = 252 area solver private key := (47, 143) public key := (23, 143) 21
  • 22. width = 7 height = 3 private public width = 2 height = 126 area = 252 private key := (47, 143) public key := (23, 143) 22
  • 23. width = 7 height = 3 private public width = 2 height = 126 area = 252 area = decrypt(252) = 21 private key := (47, 143) public key := (23, 143) decrypt area = 21 area ≡ cipherd mod N ≡ 25247 mod 143 = 21 23
  • 24. width = 7 height = 3 private public width = 2 height = 126 area = 252 area = decrypt(252) = 21 = 7 x 3 private key := (47, 143) public key := (23, 143) decrypt area = 21 (sanity check) 24
  • 25. ● RSA allows only multiplication ○ Other operations on ciphertext (e.g. +) break decryption ● Other schemes allow different operations (e.g. + and -) ● Algebra homomorphisms allows x and + ○ Much more powerful Different homomorphisms circumference calculation correct: 3*2 + 7*2 = 20 encrypted: 2*2 + 2*126 = 256 decryption: 25647 mod 143 = 42 42 ≠ 20 ⚡ f: A→B alg. hom. ⇔ ∀k∈K; x,y∈A: • f(k*x)=k*f(x) • f(x+y)=f(x)+f(y) • f(x*y)=f(x)*f(y) 25
  • 26. ● RSA allows only multiplication ○ Other operations on ciphertext (e.g. +) break decryption ● Other schemes allow different operations (e.g. + and -) ● Algebra homomorphisms allows x and + ○ Much more powerful Different homomorphisms circumference calculation correct: 3*2 + 7*2 = 20 encrypted: 2*2 + 2*126 = 256 decryption: 25647 mod 143 = 42 42 ≠ 20 ⚡ f: A→B alg. hom. ⇔ ∀k∈K; x,y∈A: • f(k*x)=k*f(x) • f(x+y)=f(x)+f(y) • f(x*y)=f(x)*f(y) Need to select appropriate homomorphic encryption scheme for application 26
  • 27. System Plaintext operation Cipher operation RSA × × Paillier +, − m×k, m+k ×, ÷ ck , c×gk ElGamal × m×k, mk × c×k, ck Goldwasser-Micali ⊕ × Benaloh +, − ×, ÷ Naccache-Stern +, − m×k ×, ÷ ck Sander-Young-Yung × + Okamoto-Uchiyama +, − m×k, m+k ×, ÷ ck , c+e(k) Boneh-Goh-Nissim Paillier (+, −, m×k, m+k) × (once) Paillier bilinear pairing US 7'995'750 / ROT13 + + 27
  • 28. ● Operations on ciphertext accumulate "noise" ○ Addition adds noise, multiplication multiplies it ○ Noise gets too high → decryption fails ● These "limited" algebra homomorphism schemes: Somewhat Homomorphic Encryption Schemes (simplified)Pollution 28 Bob August, flickr (CC BY-NC-SA 2.0)
  • 29. ● Using small N in RSA and large inputs ○ When output larger than RSA-modulus, decryption fails Pollution Calculate area of square using RSA 10*15=150 Encryption: c_w ≡ 1023 mod 143 ≡ 43 c_h = 1523 mod 143 = 20 c_a = 43*20 = 860 Decryption: a ≡ 86047 mod 143 (≡ 150 mod 143) ≡ 7 7 ≠ 150 ⚡ Example 15 10 29
  • 30. Beyond + and × Every program can be expressed in terms of a digital circuit. * * referentially transparent, ie. w/o side effects, today() is not ref. transparent 30 Tristan Nitot, flickr (CC BY-NC-SA 2.0)
  • 31. Beyond + and × Every digital circuit can be expressed in terms of AND, OR, and NOT. 31
  • 32. Beyond + and × Every digital circuit can be expressed in terms of AND, OR, and NOT. (remember Disjunctive Normal Forms?) 32
  • 33. Beyond + and × Every digital circuit can be expressed in terms of AND, OR, and XOR. XOR(x, 1) = NOT(x) NOT(AND(NOT(x), NOT(y))) = !(!x & !y) = OR(x, y) 33
  • 34. With ∧ and ⊕ we can represent any operation Fully homomorphic encryptionFully homomorphic encryption 34 Duane Romanell, flickr (CC BY-NC-ND 2.0)Duane Romanell, flickr (CC BY-NC-ND 2.0)
  • 35. Circuit Encryption ● Assume homomorphic enc: ○ 0-bits → even ints ○ 1-bits → odd ints ○ ⊕ → + ○ ∧ → × ○ Define: ∘ = (a + b) + ( a x b) (Logical OR) ⊕ { OR = (a ∧ b) ∧ (a ⊕ b) } (+ random r * secret p mod p!) { simple truth tables } 35
  • 36. Circuit Encryption ● Single Bit Adder ○ A,B: inputs, Cin : carry-in, S: sum, Cout : carry-out Toy example S = ((A ⊕ B) ⊕ C) Cout = (A ∧ B) v ((A ⊕ B) ∧ Cin )36
  • 37. S = ((A ⊕ B) ⊕ C) Cout = (A ∧ B) v ((A ⊕ B) ∧ Cin ) S = ((A + B) + C) Cout = (A × B) ∘ ((A+B) × Cin ) Circuit Encryption Toy example map operators 37
  • 38. A B Cin S Cout 1 0 1 0 1 3 4 7 ? ?encrypted Circuit Encryption Toy example - calc. S S = ((A + B) + C) S = ((3 + 4) + 7) = ? apply 38
  • 39. A B Cin S Cout 1 0 1 0 1 3 4 7 14 ?encrypted Circuit Encryption Toy example - calc. S S = ((A + B) + C) S = ((3 + 4) + 7) = 14 ≙ 0 39
  • 40. A B Cin S Cout 1 0 1 0 1 3 4 7 14 649 Circuit Encryption Toy example - calc. Cout Cout = (A × B) ∘ ((A + B) × Cin ) Cout = (3 × 4) ∘ ((3 + 4) × 7) = 12 ∘ 49 = (12 + 49) + (12 * 49) = 61 + 588 = 649 ≙ 1 ∘ = (a + b) + (a x b) apply 40
  • 41. Circuit Encryption ● Assume homomorphic enc: ○ 0-bits → even ints ○ 1-bits → odd ints ○ ⊕ → + ○ ∧ → × ○ Define: ∘ = (a + b) + ( a x b) (Logical OR) ⊕ { OR = (a ∧ b) ∧ (a ⊕ b) } (actually mod a secret p) { simple truth tables } 41
  • 42. Circuit Enc. ● Encrypted Memory Access ● Example ¬ao ∧ ¬a1 ∧ m0 ao ∧ ¬a1 ∧ m1 ¬ao ∧ a1 ∧ m2 ao ∧ a1 ∧ m3 m0 m1 m2 m3 a0 a1 1 x x x 0 0 x 1 x x 1 0 x x 1 x 0 1 x x x 1 1 1 42
  • 43. Encrypted Memory Access ● row3 = ao ∧ a1 ∧ m3 row2 = ¬ao ∧ a1 ∧ m2 row1 = ao ∧ ¬a1 ∧ m1 row0 = ¬ao ∧ ¬a1 ∧ m0 c = row0 ∨row1 ∨row2 ∨row3 [1] M Brenner, J Wiebelitz, G von Voigt. Secret program execution in the cloud applying homomorphic encryption. 201143
  • 44. ● row3 = ao ∧ a1 ∧ m3 row2 = ¬ao ∧ a1 ∧ m2 row1 = ao ∧ ¬a1 ∧ m1 row0 = ¬ao ∧ ¬a1 ∧ m0 c = row0 ∨row1 ∨row2 ∨row3 m = {1, 0, 1, 0} a = 01 Encrypted Memory Access 44
  • 45. ● row3 = ao ∧ a1 ∧ m3 row2 = ¬ao ∧ a1 ∧ m2 row1 = ao ∧ ¬a1 ∧ m1 row0 = ¬ao ∧ ¬a1 ∧ m0 c = row0 ∨row1 ∨row2 ∨row3 m = {1, 0, 1, 0} a = 01 Encrypted Memory Access 45
  • 46. ● row3 = ao ∧ a1 ∧ 0 row2 = ¬ao ∧ a1 ∧ 1 row1 = ao ∧ ¬a1 ∧ 0 row0 = ¬ao ∧ ¬a1 ∧ 1 c = row0 ∨row1 ∨row2 ∨row3 m = {1, 0, 1, 0} a = 01 Encrypted Memory Access 46
  • 47. ● row3 = ao ∧ a1 ∧ 0 row2 = ¬ao ∧ a1 ∧ 1 row1 = ao ∧ ¬a1 ∧ 0 row0 = ¬ao ∧ ¬a1 ∧ 1 c = row0 ∨row1 ∨row2 ∨row3 m = {1, 0, 1, 0} a = 01 Encrypted Memory Access 47
  • 48. ● row3 = 0 ∧ 1 ∧ 0 row2 = 1 ∧ 1 ∧ 1 row1 = 0 ∧ 0 ∧ 0 row0 = 1 ∧ 0 ∧ 1 c = row0 ∨row1 ∨row2 ∨row3 m = {1, 0, 1, 0} a = 01 Encrypted Memory Access 48
  • 49. ● row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 c = row0 ∨row1 ∨row2 ∨row3 m = {1, 0, 1, 0} a = 01 Encrypted Memory Access 49
  • 50. ● row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 c = 0∨0∨1∨0 = 1 m = {1, 0, 1, 0} Encrypted Memory Access a = 01 50
  • 51. ● c = row0 ∘row1 ∘row2 ∘row3 row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 row3 = (ao × a1 × 6) row2 = (ao + 1) × a1 × 9 row1 = (ao × (a1 + 1) × 4 row0 = (ao + 1) × (a1 + 1) × 5 ¬a0 ¬a1 → → → → c = 0∨0∨1∨0 = 1 m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01 Encrypted Memory Access 0-bits → even ints 1-bits → odd ints ⊕ → + ∧ → × 51
  • 52. ● c = row0 ∘row1 ∘row2 ∘row3 row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 row3 = (ao × a1 × 6) row2 = (ao + 1) × a1 × 9 row1 = (ao × (a1 + 1) × 4 row0 = (ao + 1) × (a1 + 1) × 5 ¬a0 ¬a1 → → → → c = 0∨0∨1∨0 = 1 m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01 Encrypted Memory Access 52
  • 53. ● c = row0 ∘row1 ∘row2 ∘row3 row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 row3 = (8 × 3 × 6) row2 = (8 + 1) × 3 × 9 row1 = (8 × (3 + 1) × 4 row0 = (8 + 1) × (3 + 1) × 5 ¬a0 ¬a1 → → → → c = 0∨0∨1∨0 = 1 m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01 Encrypted Memory Access 53
  • 54. ● c = row0 ∘row1 ∘row2 ∘row3 row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 row3 = (8 × 3 × 6) = 144 row2 = (8 + 1) × 3 × 9 = 243 row1 = (8 × (3 + 1) × 4 = 128 row0 = (8 + 1) × (3 + 1) × 5 = 180 ¬a0 ¬a1 → → → → c = 0∨0∨1∨0 = 1 m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01 Encrypted Memory Access 54
  • 55. ● c = 180∘128∘243∘144 = 826087619 ≙ 1 row3 = 0 ∧ 1 ∧ 0 = 0 row2 = 1 ∧ 1 ∧ 1 = 1 row1 = 0 ∧ 0 ∧ 0 = 0 row0 = 1 ∧ 0 ∧ 1 = 0 row3 = (8 × 3 × 6) = 144 row2 = (8 + 1) × 3 × 9 = 243 row1 = (8 × (3 + 1) × 4 = 128 row0 = (8 + 1) × (3 + 1) × 5 = 180 ¬a0 ¬a1 → → → → c = 0∨0∨1∨0 = 1 m = {1, 0, 1, 0} m = {5, 4, 9, 6} a = {8, 3}a = 01 Encrypted Memory Access 55
  • 56. Fully homomorphic encryption ● "Holy Grail" of cryptography ● First proposed within a year of RSA development ○ 1979 ○ Idea due to weird homomorphic property of RSA ● for more than 30 years: unclear whether FHE even possible ○ During that time: best one = Boneh-Goh-Nissim (remember the area solver example) (the one where only one multiplication was possible) 56
  • 57. "fully homomorphic encryption" Google trends 1000 patents 200 patents 57
  • 58. Gentry's approach ● 2009: Craig Gentry shows fully homomorphic encryption in his doctoral thesis ● Employs somewhat homomorphic encryption scheme using ideal lattices ● Scheme is bootstrappable ○ can evaluate its own decryption circuit ● Through recursive self-embedding, leads to FHE ○ ciphertexts are reencrypted, eliminating noise (based on "shortest lattice vector" problem used in cryptography, which is NP-hard) 58
  • 61. [...] a simple string search using homomorphic encryption is about a trillion times slower than without encryption. [1] Issues 1 000 000 000 000x 61 [1] CryptDB: A practical encrypted relational DBMS, RA Popa, N Zeldovich, H Balakrishnan, 2011
  • 62. 62
  • 63. Fully hom. enc. IRL ● HELib by Shai Halevi (2013) ○ Implementation of Brakerski-Gentry-Vaikuntanathan[1] scheme ○ Using many optimizations in literature[2][3] for speed ○ Does not implement bootstrapping (yet) [1] Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan: (Leveled) fully homomorphic encryption without bootstrapping. ITCS 201 [2] Nigel P. Smart, Frederik Vercauteren: Fully Homomorphic SIMD Operations. IACR Cryptology ePrint Archive 2011: 133 (2011) [3] Craig Gentry and Shai Halevi and Nigel P. Smart Homomorphic Evaluation of the AES Circuit, CRYPTO 2012 Performance Modulus Time for addition (ms) Time for multiplication (ms) 257 0.7 39 8209 0.7 38 65537 2.9 177 Even numbers < 65537, 80 Bits of security 63
  • 64. Visions of a fully homomorphic cryptosystem have been dancing in cryptographers' heads for thirty years. [...] It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure. [1] —Bruce Schneier, cryptographer, April 2013 Criticism “ “ 64 [1] Homomorphic Encryption Breakthrough, Schneier on Security, Bruce Schneier https://www.schneier. com/blog/archives/2009/07/homomorphic_enc.html
  • 67. Conclusion — Halevi, 2012 “ “ 67 [1] Recent Advances in Homomorphic Encryption, presentation by Shai Halevi, IBM Research, Feb. 13, 2012, http://n csail.mit.edu/sys-security/FHE.pptx