Homomorphic Encryption

0 views

Published on

Presentation about Homomorphic Encryption, focusing Craig Gentry scheme

0 Comments
2 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
0
On SlideShare
0
From Embeds
0
Number of Embeds
0
Actions
Shares
0
Downloads
226
Comments
0
Likes
2
Embeds 0
No embeds

No notes for slide

Homomorphic Encryption

  1. 1. Homomorphic Encryption Craig Gentry scheme
  2. 2. Why homomorphic encryption?• Proposed by Rivest, Adleman and Dertouzos• Confidentiality problems• Ability to compute over ciphertext instead of plaintext• One could use information without knowing the content of that information• Privacy garanteed
  3. 3. Homomorphic Encryption• Crypto Magic 5 * 6 = CT(5) * CT(6) -> D ( k, E(k,5) * E(k,6) ) = 5 * 6 Homomorphic Assumption• Partially homomorphic/fully homomorphic
  4. 4. Homomorphic Encryption• Partially homomorphic schemes – RSA: CT(x)*CT(y) = (xe mod M) * (ye mod M) = xeye mod M = (xy)e mod M = CT(x*y), where e is the exponent key and M the modulus • p=61; • q=53; • N=3233; • Φ(N)=60*52=3120; • e=17; • d=2753;
  5. 5. Homomorphic Encryption• Partially homomorphic schemes – RSA: Obtain 5*6 performing RSA(5)*RSA(6) • RSA(5) = 517 (mod 3233) = 3086; • RSA(6) = 617 (mod 3233) = 824; • 3068*824 = 2542864; • RSA-1(2542864) = 25428642753 (mod 3233) = 30; • 5*6 = 30;
  6. 6. Homomorphic Encryption• Fully homomorphic schemes – Craig Gentry scheme • Based on ideal lattices – Zaryab Khan scheme • Based on perfectly colorblind function
  7. 7. Craig Gentry scheme• Suppose a scheme with a “noise parameter” attached to each CT;• Encryption algorithm outputs a CT with a small noise parameter (say less than n);• Decryption algorithm only works if noise is less than some parameter N >> n;• To compute E(a+b) / E(a*b), include noise;• This gives a “somewhat homomorphic” scheme.
  8. 8. Craig Gentry scheme• Now suppose a new algorithm RECRYPT, such that: – Input: E(a), with noise N’ < N – Output: E’(a), with noise √N• “Somewhat homomorphic” -> fully homomorphic!• Apply RECRYPT to E(a) and E(b) to ensure that the noise in E(a*b) or E(a+b) is smaller than N• “Bootstrappable”
  9. 9. Craig Gentry scheme (integers)• Key: odd integer p > 2N• Encryption algorithm: given a bit b -> E(b) = c = b + 2x + kp, where x is in [-n/2,n/2] and k is an integer chosen from some range• Decryption algorithm: b = (c mod p) mod 2, where (c mod p) is the noise and belongs to [-n,n]• Decryption works if b + 2x ∈ [-N,N] ⊂[-p/2,p/2]
  10. 10. Craig Gentry scheme (integers)• Graig Gentry scheme’s homomorphic assumptions – Addiction: c1 + c2 = b1+ b2 + 2(x1+x2) + (k1+k2)p = b1 xor b2 + 2x + kp • Decryption works if (b1+2x1) + (b2+2x2) is in [- N,N] – Multiplication: c1*c2 = b1*b2 + 2(b1x2 + b2x1 + 2x1x2) + kp = b1*b2 + 2x + kp • Decryption works if (b1+2x1) * (b2+2x2) is in [- N,N]
  11. 11. Craig Gentry scheme (integers)• Addition example: 4+4 – CT(100): 22 21 21 • CT(1) = 1 + 2*3 + 5*3 = 22 +22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 44 42 42 • CT(0) = 0 + 2*3 + 5*3 = 21 – D(44 42 42): • D(44) = 44 mod 3 = 2 • D(42) = 42 mod 3 = 0 1000 = 8 = 4+4 • D(42) = 42 mod 3 = 0
  12. 12. Craig Gentry scheme (integers)• Multiplication example: 4*4 – CT(100): • CT(1) = 1 + 2*3 + 5*3 = 22 22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 ×22 21 21 • CT(0) = 0 + 2*3 + 5*3 = 21 484 924 1365 882 441 – D(484 924 1365 882 441): • D(484) = 484 mod 3 = 1 • D(924) = 924 mod 3 = 0 • D(1365) = 1365 mod 3 = 0 10000 = 16 = 4*4 • D(882) = 882 mod 3 = 0 • D(441) = 441 mod 3 = 0
  13. 13. Craig Gentry scheme (ideal lattices)• Replace integers by ideal lattices• Ideal lattices have many representations or “bases”• Bases: – Good: good to decrypt, bad to encrypt – Bad: bad to decrypt, good to encrypt• Public key scheme, where good bases are private keys and bad bases are public keys
  14. 14. Cryptography over lattices• L = ζ(B) = {Bc : c ∈ Zk}, B ∈ Rn×k, where the k columns of the basis are linearly independent• NP-hard problems over lattices: – SVP (shortest vector problem): given a basis for lattice L of size n, find the shortest nonzero vector v ∈ L s.t. ||v|| = λ(L); – CVP (closest vector problem): given a basis for lattice L of size n and a vector t ∈ Rn, find a nonzero vector v ∈ L s.t. ||t-v|| ≤ γ;
  15. 15. Cryptography over lattices• NP-hard problems over lattices: – SIVP (shortest independent vector problem): like the SVP, except the output are linearly independent vectors v1, …, v2 ∈ L of length at most λ(L); – BDDP (bounded distance decoding problem): same as CVP but with the promise that there is a unique solution.
  16. 16. Craig Gentry scheme• Why inefficient? – CT size and computation time increase sharply as the security level increases; – 2k security -> CT size and computation time are high-degree polynomials in k; – Efforts are being made to reduce the computational requirements of Craig Gentry construction
  17. 17. Homomorphic Encryption• Nowadays: – Craig Gentry presented a working implementation of the fully homomorphic system, including the bootstrapping function – Exists a practical application of homomorphic encryption to a hybrid wireless network – Perform statistical tests over encrypted data such as temperature, humidity, etc. – There are also some practical implementations of simplifications of this scheme over databases
  18. 18. Problems solved• Cloud security• Problems related to personal records like medical records• Work with information stored in databases• Querys to search engines• …
  19. 19. My Project• Design an API and include it on a Web Service that will work over CLOUD platforms• The API should provide homomorphic encryption functions to be used• Create a prototype that will work under the constructed API
  20. 20. QUESTIONS?

×