Computations on ciphertext that predictably modify the plaintext
Operate on messages while they are encrypted
Data can be securely processed in insecure environments
◦ Cloud Computing
◦ Databases
◦ Voting machines

1978 – Privacy Homomorphism
US government pumps millions into it

Additive
◦ E(m1) + E(m2) = E(m1+m2)
Multiplicative
◦ E(m1) * E(m2) = E(m1*m2)
Why just Add and Mul?
◦ Can evaluate any function
◦ Turing complete over a ring

Somewhat Homomorphic
◦ You can only do some functions
◦ RSA
Fully Homomorphic
◦ You can do all functions
Leveled Fully Homomorphic
◦ Key size can grow with depth of the function
Bootstrappable
◦ Can evaluate its own decryption circuit

Craig Gentry
Stanford University and IBM Watson
2009

Before this paper, it was unknown if fully homomorphic encryption could exist
First feasible result
Holy grail of encryption
17 results on YouTube!

Ideal lattices are a form of difficult-to-compute mathematical problem
Similar to:
◦ Integer Factorization
◦ Discrete logarithm problem
◦ Elliptic curves over finite fields (elliptic curve)
Closest vector problem
Learning with errors
Unbreakable with quantum computing
◦ Uses arbitrary approximations

“Recipe”:
1. Take two linearly independent vectors in R^2.
2. Close them under addition and under multiplication by an integer scalar.
Each point corresponds to a vector in the lattice, etc.

A cyclic lattice is ‘ideal’ (ring-based)
NTRU – Asymmetric key cryptosystem that uses ring-based lattices
Low circuit complexity
Very fast
Allows additive and multiplicative homomorphism

Lots of math involved with this:
◦ Cyclotomic Polynomials
Too much for this class time

Evaluate(pk, C, Encrypt(pk, m1), ..., Encrypt(pk, mt)) = Encrypt(pk, C(m1, ..., mt))
Steps
◦ Create a general bootstrapping result
◦ Initial construction using ideal lattices
◦ Squash the decryption circuit to permit bootstrapping

Find a public key scheme that is homomorphic for shallow circuits and uses ideal lattices
◦ NTRUEncrypt
Ciphertext has a form of an ideal lattice + offset
Use a cyclic ring of keys
◦ Hard to do
◦ Large key size (GB)

Can only evaluate in logarithmic depth
◦ Ciphertext grows
◦ Noise increases
Addition – circuits can be corrected (recrypting)
Multiplication – noise grows quickly
Not yet practical
◦ Client must begin the decryption process to be bootstrappable
◦ Solution is approximate
◦ >1 day to compute 1 message

PollyCracker
Fully Homomorphic Encryption over the Integers
Fully Homomorphic Encryption over the Binary Polynomials

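The additive and multiplicative properties and the noise growth described in the earlier slides can be seen in a toy symmetric version of the integer-based approach named in this list. This is an added example, not code from the slides or from any of the schemes' authors; the function names and the parameter sizes (64-bit key, 8-bit noise) are assumptions chosen for illustration and give no security.

```python
import secrets

# Toy symmetric "encryption over the integers" (DGHV-style), bits only.
# All sizes are constructed for illustration and are far too small to be secure.
P_BITS, Q_BITS, R_BITS = 64, 128, 8

def keygen():
    # Secret key: random odd integer with the top bit set.
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1

def fresh_noise():
    # Top bit forced so fresh noise always has the same size.
    return secrets.randbits(R_BITS) | (1 << (R_BITS - 1))

def encrypt(p, bit, r=None):
    # c = p*q + 2r + m: the message hides in the parity of the noise term.
    r = fresh_noise() if r is None else r
    return p * secrets.randbits(Q_BITS) + 2 * r + bit

def decrypt(p, c):
    # Centered reduction mod p recovers the noise term; its parity is m.
    n = c % p
    if n > p // 2:
        n -= p
    return n % 2

def max_squarings(p):
    # Square an encryption of 1 until the true noise no longer fits below p/2.
    r = fresh_noise()
    c, noise, depth = encrypt(p, 1, r), 2 * r + 1, 0
    while noise * noise < p // 2:
        c, noise, depth = c * c, noise * noise, depth + 1
        assert decrypt(p, c) == 1      # still correct while noise < p/2
    return depth, c.bit_length()

if __name__ == "__main__":
    p = keygen()
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(p, m1), encrypt(p, m2)
            # Ciphertext addition acts as XOR, multiplication as AND.
            print(m1, m2, "add ->", decrypt(p, c1 + c2), "mul ->", decrypt(p, c1 * c2))
    print("squarings before decryption breaks, ciphertext bits:", max_squarings(p))
```

Addition only adds the noise terms, while each multiplication multiplies them, so with these sizes the noise outgrows the key after two squarings and the ciphertext has grown to several hundred bits.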
Many people have created new variants
Implementations
All slow
Finding shortcuts
AES-128 – Completed June 15th 2012
◦ Computed with 256 GB of RAM (still limiting factor)
◦ 24 Xeon cores
◦ Took 5 days per operation