
References Gentry, C., A fully homomorphic encryption scheme , Ph.D. - PowerPoint PPT Presentation



  1. Slides 1-4 of 21

     Fully Homomorphic Encryption

     Jim Royer
     CIS 428/628: Introduction to Cryptography
     November 29, 2018

     References

     1. Gentry, C., A fully homomorphic encryption scheme, Ph.D. Thesis, Stanford University, 2009. http://crypto.stanford.edu/craig/craig-thesis.pdf
     2. Gentry, C., Computing arbitrary functions of encrypted data, Communications of the ACM 53 (2010) 97–105. http://dl.acm.org/citation.cfm?id=1666444
     3. Acar, C., Aksu, H., Uluagac, A., and Conti, M., A Survey on Homomorphic Encryption Schemes: Theory and Implementation, 2017. https://arxiv.org/abs/1704.03578
     4. Armknecht, F., et al., A Guide to Fully Homomorphic Encryption, 2015. https://eprint.iacr.org/2015/1192.pdf

     Craig Gentry's Thesis

     Craig Gentry's 2009 Stanford Ph.D. thesis constructed the first fully homomorphic encryption (FHE) scheme. Under an FHE scheme:

     - You send a program $f$ and encrypted data $E(m)$ to a compute server.
     - The compute server returns $E(f(m))$ (without learning $m$ or $f(m)$).
     - You decrypt $E(f(m))$ to obtain $f(m)$.

     For this work he won the ACM's 2009 Doctoral Dissertation Award, received a Grace Murray Hopper award, ...

     Feeding Frenzy

     His thesis gave cryptography a whole parcel of new ideas and tools to play with. If you know academic research, you'll know what happened next.

  2. Slides 5-7 of 21

     Partial Homomorphic Encryption: RSA, 1

     RSA Setup for User $U$

     1. Picks two large primes $p_U$ and $q_U$.
     2. Computes $n_U = p_U \cdot q_U$ and $\varphi(n_U) = (p_U - 1) \cdot (q_U - 1)$.
     3. Picks $e_U \in_{\text{ran}} \{1, \dots, \varphi(n_U) - 1\}$ with $\gcd(e_U, \varphi(n_U)) = 1$.
     4. Computes $d_U \in \{1, \dots, \varphi(n_U) - 1\}$ with $d_U \cdot e_U \equiv 1 \pmod{\varphi(n_U)}$.
     5. Public: $e_U$ and $n_U$. Private: $d_U$, $p_U$, $q_U$, and $\varphi(n_U)$.

     Bob wants to send a message $m \in \{0, \dots, n - 1\}$ to Alice.

     Bob:
     1. Computes $c = m^{e_A} \bmod n_A$.
     2. Sends $c$ to Alice.

     Alice:
     1. Receives $c$.
     2. Computes $m' = c^{d_A} \bmod n_A$.

     Lemma. $m = m'$.
     Proof. Appeal to Euler's Theorem (1736).

     Partial Homomorphic Encryption: RSA, 2

     Alice's encryption/decryption functions:

     $$E_A(m) = m^{e_A} \bmod n_A \qquad D_A(c) = c^{d_A} \bmod n_A$$

     Hence,

     $$\begin{aligned}
     D_A(E_A(m_1) \times E_A(m_2)) &= D_A(m_1^{e_A} \times m_2^{e_A}) \\
     &= D_A((m_1 \times m_2)^{e_A}) \\
     &= D_A(E_A(m_1 \times m_2)) \\
     &= m_1 \times m_2 \pmod{n_A}
     \end{aligned}$$

     Partial Homomorphic Encryption, Other Operations

     Paillier: $E(m) = g^m r^n \bmod n^2$ ($g \in \mathbb{Z}^*_{n^2}$ with $n \mid \operatorname{ord}(g)$)

     $$\begin{aligned}
     D(E(m_1) \times E(m_2)) &= D((g^{m_1} r_1^n) \times (g^{m_2} r_2^n)) \\
     &= D(g^{(m_1 + m_2) \bmod n} (r_1 r_2)^n) \\
     &= (m_1 + m_2) \bmod n
     \end{aligned}$$

     Goldwasser-Micali: $E(b) = r^2 a^b \bmod n$, where $a$ is a pseudo-residue for $n$

     $$\begin{aligned}
     D(E(b_1) \times E(b_2)) &= D((r_1^2 a^{b_1}) \times (r_2^2 a^{b_2})) \\
     &= D((r_1 r_2)^2 a^{b_1 + b_2}) \\
     &= D((r_1 r_2)^2 a^{b_1 \oplus b_2}) \qquad \text{(Why? See next slide)} \\
     &= b_1 \oplus b_2
     \end{aligned}$$

     For a fuller list, see: http://en.wikipedia.org/wiki/Homomorphic_encryption#Partially_homomorphic_cryptosystems

     Note: $r$ is always an integer/string chosen randomly from some set.

  3. Slides 8-11 of 21

     Brief Digression: Randomized Encryption, 1

     The distinguishability game for cryptosystem $S$ and security parameter $\lambda$:

     - The house, $H$, generates a key pair $(K_{pub}, K_{priv})$ based on $\lambda$.
     - The opponent, $O$, picks two messages $m_0$ and $m_1$.
     - $H$ picks $b \in_{\text{ran}} \{0, 1\}$ and sends $c = E(K_{pub}, m_b)$ to the opponent.
     - $O$ tries to guess if $c = E(K_{pub}, m_0)$ or $c = E(K_{pub}, m_1)$.
     - $O$ is $\epsilon$-successful if $O$'s fraction of wins is $> (\tfrac{1}{2} + \epsilon)$.

     Computational indistinguishability ($\equiv$ semantic security)

     For each (i) probabilistic polytime opponent $O$ and each (ii) negligible function $\epsilon(\lambda)$: $O$ fails to be $\epsilon(\lambda)$-successful against $S$ for sufficiently large $\lambda$.

     Brief Digression: Randomized Encryption, 2

     $QR(m) = \{ v^2 \bmod m : v \in \mathbb{Z}^*_m \}$ (quadratic residues)

     Fact: $QR(pq) = \{ u \in \mathbb{Z}^*_{pq} : (u \bmod p) \in QR(p) \;\&\; (u \bmod q) \in QR(q) \}$

     Fact: $\widetilde{QR}(pq) = \{ u \in \mathbb{Z}^*_{pq} : (u \bmod p) \notin QR(p) \;\&\; (u \bmod q) \notin QR(q) \}$ (pseudo-residues)

     Fact: Knowing how to factor $pq$ $\equiv$ knowing how to find square roots mod $pq$.

     Fact: $a \in \widetilde{QR}(pq) \;\&\; u \in QR(pq) \implies (au \bmod pq) \in \widetilde{QR}(pq)$.

     Goldwasser-Micali: Setup

     - Private: $p$ and $q$, distinct primes.
     - Public: $n = p \cdot q$ and $a \in \widetilde{QR}(n)$.
     - Plaintexts: $b \in P = \{0, 1\}$
     - Randomizers: $r \in R = \mathbb{Z}^*_n$
     - Ciphertexts: $c \in C = \mathbb{Z}^*_n$

     Encrypting and Decrypting

     $$e_k(b, r) = a^b r^2 \pmod{n} \qquad d_k(y) = \begin{cases} 0, & \text{if } y \in QR(n); \\ 1, & \text{if } y \in \widetilde{QR}(n). \end{cases}$$

     Fact: If the $QR$-$\widetilde{QR}$-problem is "hard", then GM is computationally indistinguishable.

     Aside: $\epsilon(\lambda)$ being a negligible function means

     $$(\forall k)(\exists \lambda_k)(\forall \lambda \ge \lambda_k)\;\; |\epsilon(\lambda)| < \left(\tfrac{1}{\lambda}\right)^{k}$$

     I.e., $\epsilon(\lambda) \in o\!\left(\left(\tfrac{1}{\lambda}\right)^{O(1)}\right)$.

     Homomorphic Encryption

     A Standard Cryptosystem $S$ (symmetric or asymmetric)

     For a given security parameter $\lambda$, we have algorithms

     - $K(\dots)$ for key generation
     - $E(\dots)$ for encryption
     - $D(\dots)$ for decryption

     These need to run in time $\mathrm{poly}(\lambda)$.

     A Homomorphic Cryptosystem $S$ (symmetric or asymmetric)

     For a given security parameter $\lambda$, we have algorithms $K$, $E$, $D$, and $Eval(key, f, c_1, \dots, c_n)$, where

     - $f$ is a program
     - each $c_i = E(key, m_i)$ for some $m_i$
     - $c = Eval(key, f, c_1, \dots, c_n)$ is of size $\le$ the size of the $c_i$'s (compactness)
     - $D(key', c) = f(m_1, \dots, m_n)$
     - $Eval$ is "efficient" (details forthcoming)
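The RSA and Paillier homomorphisms from slides 5-7, carried through in code. This is an added example, not part of the original slides; the primes, the exponent 65537 and the choice $g = n + 1$ (which has order $n$ in $\mathbb{Z}^*_{n^2}$) are constructed toy values, and $\varphi(n)$ is used as the Paillier decryption exponent.

```python
import math
import secrets

# Constructed toy parameters (far too small for real use).
P, Q = 1009, 1013
N, PHI = P * Q, (P - 1) * (Q - 1)
N2 = N * N

# --- Textbook RSA as on the slides (no padding): E(m) = m^e mod n ---
E = 65537                      # gcd(E, PHI) == 1 for these primes
D = pow(E, -1, PHI)            # d * e = 1 (mod phi(n))

def rsa_enc(m):
    return pow(m, E, N)

def rsa_dec(c):
    return pow(c, D, N)

def rsa_mul(c1, c2):
    """Product of ciphertexts decrypts to m1 * m2 mod n."""
    return (c1 * c2) % N

# --- Paillier: E(m) = g^m r^n mod n^2 ---
G = N + 1                      # (1+n)^k = 1 + k*n (mod n^2), so ord(g) = n
MU = pow(PHI, -1, N)           # undoes the factor phi(n) picked up in decryption

def rand_unit(n):
    """Random r in Z*_n: the randomizer r on the slides."""
    while True:
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            return r

def pai_enc(m):
    r = rand_unit(N)
    return (pow(G, m, N2) * pow(r, N, N2)) % N2

def pai_dec(c):
    u = pow(c, PHI, N2)        # r^(n*phi) = 1, leaving 1 + (m*phi mod n)*n
    return ((u - 1) // N * MU) % N

def pai_add(c1, c2):
    """Product of ciphertexts decrypts to (m1 + m2) mod n."""
    return (c1 * c2) % N2
```

The same property that makes `rsa_mul` work is why unpadded RSA ciphertexts are malleable: anyone holding two ciphertexts can produce a valid ciphertext of the product without the key.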
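Goldwasser-Micali as set up on slide 9, showing both the XOR homomorphism from slide 7 and the randomization that the distinguishability game on slide 8 demands. This is an added example, not part of the original slides; the primes are constructed toy values and the helper names are assumptions.

```python
import math
import secrets

# Constructed toy parameters (far too small for real use). P, Q are private.
P, Q = 1019, 1031
N = P * Q

def is_qr_mod_prime(u, p):
    """Euler's criterion: u is a square mod an odd prime p iff u^((p-1)/2) = 1."""
    return pow(u, (p - 1) // 2, p) == 1

def in_qr(u):
    """u in QR(pq): a residue mod p and mod q. Needs the private factors."""
    return is_qr_mod_prime(u % P, P) and is_qr_mod_prime(u % Q, Q)

def in_pseudo(u):
    """u in the pseudo-residues: a non-residue mod p and mod q."""
    return not is_qr_mod_prime(u % P, P) and not is_qr_mod_prime(u % Q, Q)

def rand_unit():
    """Random element of Z*_n (the randomizer set R)."""
    while True:
        r = secrets.randbelow(N - 1) + 1
        if math.gcd(r, N) == 1:
            return r

def find_pseudo_residue():
    while True:
        a = rand_unit()
        if in_pseudo(a):
            return a

A = find_pseudo_residue()      # published together with N

def gm_enc(b):
    """e_k(b, r) = a^b * r^2 mod n with a fresh random r per call."""
    r = rand_unit()
    return (pow(A, b, N) * r * r) % N

def gm_dec(y):
    """d_k(y) = 0 if y is a quadratic residue, 1 if it is a pseudo-residue."""
    return 0 if in_qr(y) else 1

def gm_xor(c1, c2):
    """Product of ciphertexts decrypts to b1 XOR b2: for b1 = b2 = 1 the
    factor a^2 is itself a square, so the product lands back in QR(n)."""
    return (c1 * c2) % N

def xor_encrypted_bits(cs1, cs2):
    """XOR two bit strings position by position without decrypting them."""
    return [gm_xor(x, y) for x, y in zip(cs1, cs2)]
```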
