Fully homomorphic encryption

The fully homomorphic encryption (fhe) solution proposed by IBM Gentry in 2009 is a major breakthrough in cryptography. The following is a small summary.

1. Definition

If an encryption scheme decrypts the ciphertext in any depth and the result is the same as the result of the corresponding operation on the plaintext, the scheme is a fully homomorphic encryption scheme.

It can also be described as follows: if an encryption scheme meets both addition homomorphic and multiplication homomorphic, it is called a fully homomorphic encryption scheme.

(1) homomorphic: the algebra system {A, ++}, {B, *}, F is the ing between A and B. If f (a + B) = f () * F (B), then A and B are homomorphic.

A simple example is provided. The two groups of objects are positive real and logarithm, respectively. The multiplication of real numbers and the addition of logarithm are homomorphic operations, that is, for any positive number X, Y and Z,

If X * Y = z, log (x) + Log (y) = Log (z ). This homomorphic provides two options for achieving the same purpose in different ways. If X and Y are given, we can multiply them directly,

You can also add their logarithm, and the final result is the same, all of which are Z.

(2) arbitrary depth: Computing in any depth is the most important feature of fully homomorphic encryption. Previously, some homomorphic encryption schemes were available, which either meet the requirements of addition homomorphic, such as paillier and benaloh algorithms,

There are also some homomorphic schemes that can satisfy the limited addition and multiplication at the same time, such as RSA and ElGamal algorithms, but none of these schemes are completely homomorphic.

2. Key Technologies: homomorphic decryption

The random components added to the encryption process produce noise, which increases rapidly with the calculation. (in general, the noise of the ciphertext product is the product of noise, ciphertext and noise are the sum of noise). Once the threshold is exceeded, the decryption result is unreliable. Noise is the biggest obstacle to fully homomorphic encryption. The key to fully homomorphic encryption is to control noise and use the homomorphic decryption technology.

In the earliest version, Gentry first proposed a partial homomorphic encryption scheme (somwhatfhe or swhe) based on the ideal lattice. This scheme only supports low-order polynomial operation on ciphertext. Then, the solution is improved to make it a fully homomorphic encryption solution. First, the function to be computed is decomposed into basic calculation: Addition and multiplication (gentry describes a function using a binary circuit. This has two advantages: 1. The calculation complexity is measured by the circuit depth and number of gate circuits in the circuit model. 2. The calculation is divided into basic steps: Binary addition and multiplication ), perform "homomorphic decryption" or "re-encryption" on the ciphertext before each step of basic computing to obtain the new ciphertext and control the noise of the new ciphertext within the threshold, it is equivalent to refreshing the ciphertext and then performing the next basic calculation. To describe the circuit, add a decryption circuit before the basic door circuit to form the basic door circuit of the enhanced version, such:

Homomorphic decryption refers to the execution of decryption functions in the ciphertext space. The input is the encrypted decryption key and the encrypted ciphertext, and the output is a fresh ciphertext with a lower noise. It sounds a bit difficult. To understand this process, we can think of the plaintext space. If a decryption function is executed in the plaintext space, the input should be the decryption key and ciphertext, and the output should be plain text. Because there is a homomorphic relationship between the plaintext space and the ciphertext space, after ing to the ciphertext space, the input and output are all encrypted in the plaintext space.

The following problem arises: whether the decryption function can be executed in the ciphertext space. The reason for this problem is that the decryption function also has the computing depth problem. Once the depth of the decryption function exceeds the limit of swhe, the ciphertext space cannot execute the decryption function, if you cannot execute a decryption function, you cannot reduce the noise. If you cannot reduce the noise, you cannot perform any in-depth computation, that is, you cannot implement full homomorphic. Unfortunately, the decryption function constructed according to the gentry idea has been proved that it cannot be calculated by swhe. The solution of gentry is to compress the decryption function and enable it to go to swhe's acceptable function set. The basic idea of the compression and decryption function is "preprocessing", that is, adding a part of the private key information to the public key. During encryption, the ciphertext is preprocessed and some auxiliary information is calculated in advance and added to the password, it is used to ease the burden on decryption functions and reduce the depth of decryption functions. By the way, this pre-processing encryption method is widely used in server-assisted encryption solutions. Clients with weak computing capabilities leak part of the decryption key information to the server, the powerful computing capability of the server is used for partial decryption, leaving only a small amount of work to run on the client.

Due to the huge overhead of homomorphic decryption, some people later invented the key exchange technology and the mode exchange technology to cut down the ciphertext noise.

3. Solution description

(1) keygen algorithm (Key Generation)

This algorithm generates an encryption public key and a decryption private key, and may also generate a ciphertext computing public key for evaluate password calculation.

(2) ENC algorithm (encryption)

This algorithm generates ciphertext. In addition, the ciphertext noise obtained through ENC is the lowest, and the ciphertext noise after homomorphic calculation will gradually increase.

(3) DEC algorithm (decryption)

When the ciphertext noise is within the threshold, the decryption is correct. If the ciphertext noise exceeds the threshold, the decryption is unreliable.

(4) Evaluate algorithm (ciphertext calculation)

This algorithm is the most important part of fully homomorphic encryption. Using evaluate, you can compute any function, and the input is ciphertext. In particular, this algorithm can calculate decryption functions, this is the key to forming a fully homomorphic encryption solution.

4. Development

(1) In 1978, Rivest and others proposed the concept of homomorphic encryption and launched the earliest public key cryptography system RSA, which satisfies the multiplication homomorphic.

(2) gentry proposed the first fully homomorphic encryption solution in 2009 [1]. The solution is constructed based on the ideal lattice, and the difficulty is based on two assumptions: Standard lattice difficulties and sparse Subsets and difficulties.

(3) In 2009, Dijk, gentry, and others proposed a fully homomorphic encryption solution for integers [2]. The difficulty is based on the approximate GCD challenge. The main contribution of this solution is to replace the swhe originally based on the "ideal lattice" with a very simple swhe integer description. The concept is greatly simplified, but swhe is still converted to fhe using Gentry's homomorphic decryption technology. Therefore, the efficiency is not improved.

(4) Full homomorphic encryption solution [3] proposed by brakerski, gentry, and vaikuntan.pdf in 2011, BGV solution for short, can be regarded as the second generation fhe. The difficulty is based on LWE (error correction learning ). Key Exchange Technology and mode exchange technology are used to reduce the ciphertext dimension and reduce noise, greatly improving the efficiency.

5. Case Analysis

Here we select a relatively easy-to-understand solution analysis, which is a fully homomorphic encryption solution based on Modulo operations on integers proposed by Dijk and gentry in 2009.

The first is a symmetric partial homomorphic encryption scheme:

Key Generation: Generate key P (ODD), Public parameter q (large integer)

Encryption: C = m + 2R + PQ

Decryption: M = (cmod p) mod 2 = (c-"C/P") mod 2 = LSB (c) xor lsb ("C/P 」)

Ciphertext computing: Basic addition and multiplication calculation.

Here, R is a random small integer; the plaintext m is {0, 1}; the ciphertext C; "": rounding method is an integer; LSB: the lowest valid bit.

Define a mod p ε (-P/2, P/2), regard m + 2R as "noise", the plaintext space is {0, 1}, and the ciphertext space is the integral number field.

Correctness verification: if the noise m + 2R <p/2 is ensured, the decryption can be performed correctly. (m + 2R + PQ) mod 2 = (m + 2R) mod 2 = m, in the Parameter Selection of the solution, the noise of the fresh ciphertext m + 2R must be smaller than P/2, so the decryption is successful.

Homomorphic verification: Suppose C1 = m1 + 2r1 + pq1, C2 = m2 + 2r2 + pq2, where c1 is the encryption of the ciphertext M1 and C2 is the encryption of the ciphertext m2.

C1 + C2 = (M1 + m2) + 2 (R1 + R2) + P (Q1 + q2) if the noise of C1 + C2 is 2 (R1 + R2) + M1 + m2 <p/2

Then (C1 + C2) mod p) mod 2 = (M1 + m2) + 2 (R1 + R2) mod2 = m1 + m2, that is, addition homomorphic;

C1 * C2 = (M1 + 2r1) (M2 + 2r2) + P (pq1q2 + m1q2 + m2q1 + 2r1q2 + 2r2q1). If C1 * C2 is noisy (M1 + 2r1) (M2 + 2r2) <p/2

Then (C1 * C2 mod p) mod 2 = (M1 + 2r1) (M2 + 2r2) mod 2 = m1 * m2, that is, multiplication homomorphic;

From the above formula, we can see that the noise of the ciphertext is the sum of the noise of the ciphertext, and the noise of the ciphertext product is the noise.

The solution described above is symmetric encryption, which is convenient to change to asymmetric encryption (public key encryption.

Key Generation: Private Key Sk = P, Public Key PK = {x1, x2 ,..., Xt}, where xi = pqi + 2ri, that is, Xi is encrypted to 0.

Encryption: C = m + 2R + sum (s), where S is {x1, x2 ,..., A random subset of xt}, sum (s) is the sum of some 0 encryption, so it does not affect the decryption result.

Decryption: M = (cmod p) mod) 2 = (c-"C/P") mod 2 = LSB (c) xor lsb ("C/P 」)

Ciphertext computing: Basic addition and multiplication calculation.

In addition, the approximate GCD problem here refers to the Section XI = pqi + 2ri, which is difficult to find P.

Improve the above scheme to make it a fully homomorphic encryption scheme.

Key Generation: Private Key secret' = <S1, S2 ,... Sm> is a random binary vector with a sparse subset S = {I: SI = 1}. The public key PK '= <PK, Y1, Y2 ,..., ym>, where the rational number Yi ε [0, 2) and sum (yi) ≈ (1/p) mod 2, I ε s

Encryption: C' = <C, Z1, Z2 ,... ZM>, where Zi = (C * Yi) mod 2

Decryption: M = (C'-"sum (SI * zi)") mod 2 = LSB (C') xor lsb ("sum (SI * zi )」)

Ciphertext computing: Consists of basic addition and multiplication calculation.

From the above improvements, we can see that the size of both the key and the ciphertext has increased. At this cost, the decryption function is simplified, the complex division operation C/P will be replaced with sum (SI * zi). Of course, to truly simplify the decryption function, Hamming weight technology will be used to simplify the binary addition calculation.

6. application [4]

Completely homomorphic can solve cloud computing security issues. The data delegated to the cloud is encrypted, and the cloud can perform user request operations without decryption.

For example, a bank has a lot of transaction data to analyze, but if its data processing capabilities are weak, it can encrypt the transaction data and hand it over to the cloud data processing center for processing and analysis. The processing center analyzes the data, obtains the result, and returns the result. In this process, the data processing center is exposed to ciphertext, which can fully guarantee the confidentiality of bank data.

For another example, medical institutions can encrypt and store the patient's medical data to the cloud. The cloud performs statistical analysis on the data to predict the patient's condition and provide treatment advice, this not only ensures patient privacy, but also makes full use of the powerful computing capabilities of the cloud.

Homomorphic encryption can also be used for spam filtering. If you publish an encrypted public key, your friends can send encrypted emails to you, But Spammers can also use the public key to encrypt ads and other spam emails to fill your mailbox. With fully homomorphic encryption technology, the spam filter can filter out spam without being able to decrypt emails.

Reference:

Http://blog.sciencenet.cn/blog-411071-651836.html

Http://www.doc88.com/p-8085463342065.html

[1]. Fully homomorphic encryption using ideallattices

[2]. Fully homomorphic encryption over theintegers

[3]. Fully homomorphic encryption withoutbootstrapping

[4]. Can homomorphic encryption be practical

Fully homomorphic encryption