# Paper by: Craig Gentry Presented By: Daniel Henneberger.

## Presentation on theme: "Paper by: Craig Gentry Presented By: Daniel Henneberger."— Presentation transcript:

Paper by: Craig Gentry Presented By: Daniel Henneberger

 What is homomorphic encryption?

 Computations on ciphertext which predictably modifies the plaintext  Operate on messages while they are encrypted  Data can be securely processed in unsecure environments ◦ Cloud Computing ◦ Databases ◦ Voting machines

 Keygen  Encrypt  Decrypt  Evaluate

 1978 – Privacy Homomorphism  US government pumps millions in it

 Additive ◦ E(m1) + E(m2) = E(m1+m2)  Multiplicative ◦ E(m1) * E(m2) = E(m1*m2)  Why just Add and Mul? ◦ Can evaluate any function ◦ Turing complete over a ring

 Somewhat Homomorphic ◦ You can do only do some functions ◦ RSA  Fully Homomorphic ◦ You can do all functions  Leveled Fully Homomorphic ◦ Keysize can grow with depth of the function  Bootstrappable ◦ Can evaluate its own decryption circuit

Craig Gentry Stanford University and IBM Watson 2009

 Before this paper, it was unknown if fully homomorphic encryption could exist  First feasible result  Holy grail of encryption  17 results on YouTube!

 Ideal lattices are a form of difficult to compute mathematical problems  Similar to: ◦ Integer Factorization ◦ Discrete logarithm problem ◦ Elliptic curves over finite fields (Elliptical curve)  Closest vector problem  Learning with errors  Unbreakable with quantum computing ◦ Uses arbitrary approximations

“Recipe”: 1. Take two linearly independent vectors in R 2. 2. Close them for addition and for multiplication by an integer scalar. Each point corresponds to a vector in the lattice etc....

 A cyclic lattice is ‘ideal’ (ring-based)  NTRU – Asymmetric key cryptosystem that uses ring-based lattices  Low circuit complexity  Very fast  Allows additive and multiplicative homomorphism

 Lots of math involved with this: ◦ Cyclotomic Polynomials  Too much for this class time

 Evaluate(pk,C, Encrypt(pk,m1),..., Encrypt(pk,mt)) = Encrypt(pk,C(m1,..., mt))  Steps ◦ Create a general bootstrapping result ◦ Initial construction using ideal lattices ◦ Squash the decryption circuit to permit bootstrapping

 Find a Public key scheme that is homomorphic for shallow circuits and uses ideal lattices ◦ NTRUEncrypt  Ciphertext has a form of an ideal lattice + offset  Use a cyclic ring of keys ◦ Hard to do ◦ Large key size (GB)

 Evaluate its own decryption circuit  Provides ability to recrypt plaintext  Must be allowed to recrypt augmented versions to provide mathematical operations

 Allows ‘unlimited’ additions ◦ Recrypt algorithm  Greater multiplicative depth ◦ log log (N) - log log (n-1) ◦ Still bad

 Can only evaluate in logarithmic depth ◦ Ciphertext grows ◦ Noise increases  Addition- circuits can be corrected (recrypting)  Multiplication- noise grows quickly  Not yet practical ◦ Client must begin the decryption process to be bootstrappable ◦ Solution is approximate ◦ >1 day to compute 1 message

 PollyCracker  Fully Homomorphic Encryption over the Integers  Fully Homomorphic Encryption over the Binary Polynomials

 Many people have created new variants  Implementations  All slow  Finding shortcuts  AES-128 – Completed June 15 th 2012 ◦ Computed with 256GB of ram (still limiting factor) ◦ 24 Xeon cores ◦ Took 5 days per operation