fully homomorphic encryption
play

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - - PowerPoint PPT Presentation

Aug 28, 2022 •434 likes •1.07k views

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole Polytechnique, Universit e Paris-Saclay Applied Cryptography @ ProtonMail Generic homomorphic encryption Gentrys blueprint Second generation

  1. Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt ’19 IMFD Chile, Ecole Polytechnique, Universit´ e Paris-Saclay Applied Cryptography @ ProtonMail

  2. Generic homomorphic encryption Gentry’s blueprint Second generation Overview Generic homomorphic encryption, a priori observations Gentry’s blueprint Second and third generation schemes Francisco Vial-Prado Fully Homomorphic Encryption

  3. Generic homomorphic encryption Gentry’s blueprint Second generation The problem (Rivest, Adleman, Dertouzos, 1978) On Data Banks And Privacy Homomorphisms - 1978 ... a system working with encrypted data can at most store or retrieve data for the user; any more complicated operations seem to require that the data be decrypted before being operated on. ... it appears likely that there exist [...] Privacy Homomorphisms. Francisco Vial-Prado Fully Homomorphic Encryption

  4. Generic homomorphic encryption Gentry’s blueprint Second generation Privacy Homomorphisms Find an encryption scheme S such that: Let y = S . Enc k ( x ). For any PPT function f mapping plaintexts to plaintexts, find y ′ publicly such that S . Dec k ( y ′ ) = f ( x ). Example: If S . plainspace is a ring, provide functionalities Add , Mult such that Add ( Enc ( x ) , Enc ( y )) encrypts x + y Mult ( Enc ( x ) , Enc ( y )) encrypts x × y . Disclaimer Along with reasonable security properties! Francisco Vial-Prado Fully Homomorphic Encryption

  5. Generic homomorphic encryption Gentry’s blueprint Second generation Privacy Homomorphisms Find an encryption scheme S such that: Let y = S . Enc k ( x ). For any PPT function f mapping plaintexts to plaintexts, find y ′ publicly such that S . Dec k ( y ′ ) = f ( x ). Example: If S . plainspace is a ring, provide functionalities Add , Mult such that Add ( Enc ( x ) , Enc ( y )) encrypts x + y Mult ( Enc ( x ) , Enc ( y )) encrypts x × y . Disclaimer Along with reasonable security properties! Francisco Vial-Prado Fully Homomorphic Encryption

  6. Generic homomorphic encryption Gentry’s blueprint Second generation Privacy Homomorphisms Find an encryption scheme S such that: Let y = S . Enc k ( x ). For any PPT function f mapping plaintexts to plaintexts, find y ′ publicly such that S . Dec k ( y ′ ) = f ( x ). Example: If S . plainspace is a ring, provide functionalities Add , Mult such that Add ( Enc ( x ) , Enc ( y )) encrypts x + y Mult ( Enc ( x ) , Enc ( y )) encrypts x × y . Disclaimer Along with reasonable security properties! Francisco Vial-Prado Fully Homomorphic Encryption

  7. A priori observations

  8. Generic homomorphic encryption Gentry’s blueprint Second generation HE is non determinist 1. Homomorphic encryption must be non-determinist The attacker could solve ring equations x = k ⇔ ( x � = 0) ∧ ( x 2 = x + x + · · · + x ) � �� � k times 1bis. Broccoli heuristics: If ciphertext spaces are distinguishable, they should be somewhat separable. Francisco Vial-Prado Fully Homomorphic Encryption

  9. Generic homomorphic encryption Gentry’s blueprint Second generation HE is non determinist 1. Homomorphic encryption must be non-determinist The attacker could solve ring equations x = k ⇔ ( x � = 0) ∧ ( x 2 = x + x + · · · + x ) � �� � k times 1bis. Broccoli heuristics: If ciphertext spaces are distinguishable, they should be somewhat separable. Francisco Vial-Prado Fully Homomorphic Encryption

  10. Generic homomorphic encryption Gentry’s blueprint Second generation HE runs in worst-case complexity for decision algorithms 2. Logical conditions translate to homomorphic comparison circuits. Consider the equality circuit: Let a , b ∈ { 0 , 1 } κ . � 0 κ if a = b , � Eq( a , b ) = 1 ⊕ ( a i ⊕ b i ⊕ 1) = 1 if a � = b . i =1 Francisco Vial-Prado Fully Homomorphic Encryption

  11. Generic homomorphic encryption Gentry’s blueprint Second generation Don’t allow easy CCA’s 3. – Decrypt Verifiable Computations Only If Possible (Homomorphic encryption schemes are known to be vulnerable to IND-CCA Key-Recovery attacks) Francisco Vial-Prado Fully Homomorphic Encryption

  12. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  13. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  14. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  15. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  16. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  17. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  18. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  19. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  20. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  21. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  22. Generic homomorphic encryption Gentry’s blueprint Second generation Ideals + Lattices = Ideal Lattices Gentry’s first FHE scheme Specialized the latter construction using polynomial rings and two sets of ideal lattices. Secret and public keys are parallelepipeds in R n , with large n , and plaintexts/ciphertexts are polynomials in Z [ X ] / ( X n − 1). Francisco Vial-Prado Fully Homomorphic Encryption

Recommend

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt 2019 (Fully Homomorphic) Encryption Encryption: used to protect data at rest or in transit Enc( m ) Enc( m ) Enc( m ) Fully Homomorphic

2.2k views • 39 slides
References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford University, 2009. http://crypto.stanford.edu/craig/craig-thesis.pdf Fully Homomorphic Encryption Gentry, C., Computing arbitrary functions of encrypted

233 views • 7 slides
CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

Introduction CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi Sakurai and Jian Weng 1 / 26 Introduction Outline Background Related Work CCA-Secure Keyed-Fully Homomorphic Encryption Conclusion

686 views • 26 slides
CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1 2 Joint work with: C. Boura, N. Gama, D. Jetchev 1 / 30 Homomorphic encryption Given ( c 1 , c 2 , . . . , c k ) = ( E ( m 1 ) , E ( m 2 ) , . . .

497 views • 48 slides
Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for Boolean functions Pierrick M AUX cole normale suprieure, INRIA, CNRS, PSL Boolean Functions and their Applications (BFA) Os, Norway Tuesday

1.23k views • 101 slides
Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic Encryption Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all x,y G,

1.79k views • 165 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A b e 1 LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has small entries from a matrix in A Z q

514 views • 12 slides
Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski Vinod Vaikuntanathan (Weizmann) (University of Toronto) CRYPTO 2011 Outsourcing Computation x Function x f f ( x ) medical records

520 views • 15 slides
Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With

Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With

Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With Errors s where = + A b A r b A e LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has

345 views • 15 slides
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Introduction Previous work Our contribution Conclusion Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS

864 views • 60 slides
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University CRYPTO 2012 Outsourcing Computation () Email, web- search, navigation, social networking Search query,

380 views • 21 slides
A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special Class of Non-Commutative Groups Koji Nuida National Institute of Advanced Industrial Science and Technology (AIST), Japan (Japan Science and

1.24k views • 57 slides
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October 2013 Outsourcing Computation () Email, web- search, navigation, social networking Search query, location, business

1.15k views • 51 slides
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS: DAN BONEH, ROSARIO GENNARO, STEVEN GOLDFEDER, AAYUSH JAIN, SAM KIM, PETER M. R. RASMUSSEN AND AMIT SAHAI Introduction to Characters Thanos: Bad Guy

567 views • 36 slides
Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California, Berkeley and Microsoft Research September 3, 2015 Homomorphic Encryption Homomorphic Encryption Consider a public key cryptosystem, and operations

777 views • 35 slides
Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information

Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information

Motivation Security Correctness Performance Bibliography Parameter Selection in Ring-LWE-based Fully Homomorphic Encryption Rachel Player Information Security Group, Royal Holloway, University of London based on joint works with Martin R.

851 views • 64 slides
Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption

Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption

Homomorphic Encryption for Genomic Analysis Hoon Cho (MIT) and David Wu (Stanford) March, 2015 Homomorphic Encryption Homomorphic encryption (HE): encryption schemes that support computation on ciphertexts Consists of three functions: m c

548 views • 26 slides
How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December

How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December

How Ideal Lattices unlocked Fully Homomorphic Encryption Francisco Jos e VIAL PRADO December 10, 2014 Ph.D. advisor : Louis GOUBIN Introduction Gentrys IL scheme Other FHE schemes Open questions This talk Introduction Gentrys

718 views • 58 slides
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science AWSCS, March 2015 Outsourcing Computation () Email, web- search, navigation, social networking Search query, location, business

2.13k views • 55 slides
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science Technion CRYPTODAY,

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science Technion CRYPTODAY,

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science Technion CRYPTODAY, December 2015 What Are You Searching For? We know Medical information, navigation, email, business information, other personal information Want

295 views • 18 slides
Berkeley CS276 & MIT 6.875 Specialized homomorphic encryption, commitments and applications

Berkeley CS276 & MIT 6.875 Specialized homomorphic encryption, commitments and applications

Berkeley CS276 & MIT 6.875 Specialized homomorphic encryption, commitments and applications Lecturer: Raluca Ada Popa Announcements Starting to record Specialized/partial homomorphic encryption An encryption scheme that is

990 views • 53 slides
Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many

Homomorphic Secret Sharing & Applications from Lattice-Based Assumptions Elette Boyle Many slides taken/adapted from Geoffroy Couteau, Lisa Kohl, & Peter Scholl Fully Homomorphic Encryption (FHE) Supports homomorphic

791 views • 40 slides
Secure Face Matching Using Fully Homomorphic Encryption Vishnu Boddeti Michigan State University

Secure Face Matching Using Fully Homomorphic Encryption Vishnu Boddeti Michigan State University

Secure Face Matching Using Fully Homomorphic Encryption Vishnu Boddeti Michigan State University October 23rd, 2018 []$ [1/1] >>> Face Representation and Matching * Face Representation: Alignment Embedding Function Representation

1.19k views • 55 slides

More recommend