 
An Overview of Homomorphic Encryption
Alexander Lange
Department of Computer Science, Rochester Institute of Technology, Rochester, NY 14623
May 9, 2011
Alexander Lange (RIT) Homomorphic Encryption May 9, 2011 1 / 22
Outline
1 Algebraic Homomorphisms: Group & Ring Homomorphism
2 Application to Cryptography: Example: RSA
3 History: Data Banks; Blind Signatures
4 Additive Homomorphisms: ElGamal; Paillier
5 Applications: E-Voting; Private Information Retrieval
6 Fully Homomorphic Encryption: Overview; Craig Gentry
Algebraic Homomorphisms
Definition (Group Homomorphism) Let $(G, \star)$ and $(H, \diamond)$ be groups. The map $\phi : G \to H$ is a homomorphism if
$$\phi(x \star y) = \phi(x) \diamond \phi(y) \quad \forall\, x, y \in G$$
Definition (Ring Homomorphism) Let $R$ and $S$ be rings with addition and multiplication. The map $\phi : R \to S$ is a homomorphism if
1 $\phi$ is a group homomorphism on the additive groups $(R, +)$ and $(S, +)$
2 $\phi(xy) = \phi(x)\,\phi(y) \quad \forall\, x, y \in R$
Application to Cryptography
A homomorphic encryption function allows for the manipulation of encrypted data without the seemingly inherent loss of the encryption.
Applications
• E-Cash
• E-Voting
• Private information retrieval
• Cloud computing
A fully homomorphic encryption function (two operations) has been an open problem in cryptography for 30+ years. The first ever system was proposed by Craig Gentry in 2009. However, encryption systems that respect one operation have been utilized for decades.
Example: The RSA Cryptosystem
Definition (RSA) Let $n = pq$ where $p$ and $q$ are primes. Pick $a$ and $b$ such that $ab \equiv 1 \pmod{\varphi(n)}$. $n$ and $b$ are public while $p$, $q$ and $a$ are private.
$$e_K(x) = x^b \bmod n \qquad d_K(y) = y^a \bmod n$$
The Homomorphism: Suppose $x_1$ and $x_2$ are plaintexts. Then,
$$e_K(x_1)\, e_K(x_2) = x_1^b\, x_2^b \bmod n = (x_1 x_2)^b \bmod n = e_K(x_1 x_2)$$
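The RSA homomorphism above, as an added example that is not part of the deck: a toy key built from p = 61 and q = 53 (constructed values), two ciphertexts multiplied without the private key, and a decryption that returns the product of the plaintexts modulo n.

```python
# Added example (not from the slides): textbook RSA is multiplicatively
# homomorphic, e_K(x1) * e_K(x2) = e_K(x1 * x2) mod n.
# Toy key constructed for the example: p = 61, q = 53.
from math import gcd

p, q = 61, 53
n = p * q                    # 3233
phi = (p - 1) * (q - 1)      # phi(n) = 3120
b = 17                       # public exponent, gcd(b, phi) == 1
assert gcd(b, phi) == 1
a = pow(b, -1, phi)          # private exponent, a*b = 1 mod phi  (2753)

def enc(x):
    """e_K(x) = x^b mod n (unpadded RSA, exactly as on the slide)."""
    return pow(x, b, n)

def dec(y):
    """d_K(y) = y^a mod n."""
    return pow(y, a, n)

def homomorphic_product(x1, x2):
    """Multiply the two ciphertexts mod n; nobody holding only the public key
    needs the plaintexts to do this. Decrypting gives x1*x2 reduced mod n."""
    y = enc(x1) * enc(x2) % n
    return dec(y)
```

Note that the result is x1·x2 mod n, so products larger than n wrap; the same property makes unpadded RSA malleable, which is why deployed RSA uses padding that deliberately breaks the homomorphism.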
History
On Data Banks and Privacy Homomorphisms
• Rivest, Adleman and Dertouzos, 1978
• Introduced idea of “Privacy Homomorphisms”
• “...it appears likely that there exist encryption functions which permit encrypted data to be operated on without preliminary decryption.”
• Encrypted data of loan company
  • What is the size of the average loan?
  • How many loans over $5,000?
• Introduced four possible encryption functions (RSA was one of them)
History
Blind signatures for untraceable payments
• David Chaum, 1982
• Calls for payment system with:
  • Anonymity of payment
  • Proof of payment
• Analogy to secure voting
  • Place vote in a carbon envelope
  • The signer can then sign the envelope, consequently signing the vote without ever knowing what the vote is
• Although no mention of a private homomorphism, the paper helps introduce the need for secure voting as well as the relationship between e-cash and e-voting
ElGamal Cryptosystem
Definition (ElGamal) Let $p$ be a prime and pick $\alpha \in \mathbb{Z}_p^*$ such that $\alpha$ is a generator of $\mathbb{Z}_p^*$. Pick $a$ and $\beta$ such that $\beta \equiv \alpha^a \pmod p$. $p$, $\alpha$ and $\beta$ are public; $a$ is private. Let $r \in \mathbb{Z}_{p-1}$ be a secret random number. Then,
$$e_K(x, r) = (\alpha^r \bmod p,\; x\beta^r \bmod p)$$
The Homomorphism: Let $x_1$ and $x_2$ be plaintexts. Then,
$$\begin{aligned}
\underbrace{(\alpha^{r_1} \bmod p,\; x_1\beta^{r_1} \bmod p)}_{e_K(x_1, r_1)}\;\underbrace{(\alpha^{r_2} \bmod p,\; x_2\beta^{r_2} \bmod p)}_{e_K(x_2, r_2)}
&= (\alpha^{r_1}\alpha^{r_2} \bmod p,\; x_1\beta^{r_1}x_2\beta^{r_2} \bmod p) \\
&= (\alpha^{r_1+r_2} \bmod p,\; (x_1 x_2)\beta^{r_1+r_2} \bmod p) \\
&= e_K(x_1 x_2,\, r_1 + r_2)
\end{aligned}$$
ElGamal
The Problem: This homomorphism is multiplicative
• E-cash and e-voting would benefit from an additive homomorphism
One solution: Modify ElGamal
• Put the plaintext in the exponent
If we modify ElGamal so that
$$e_K(x, r) = (\alpha^r \bmod p,\; \alpha^x\beta^r \bmod p)$$
Then the homomorphism is
$$\begin{aligned}
\underbrace{(\alpha^{r_1} \bmod p,\; \alpha^{x_1}\beta^{r_1} \bmod p)}_{e_K(x_1, r_1)}\;\underbrace{(\alpha^{r_2} \bmod p,\; \alpha^{x_2}\beta^{r_2} \bmod p)}_{e_K(x_2, r_2)}
&= (\alpha^{r_1+r_2} \bmod p,\; \alpha^{x_1+x_2}\beta^{r_1+r_2} \bmod p) \\
&= e_K(x_1 + x_2,\, r_1 + r_2)
\end{aligned}$$
The problem with this modification is that decryption now recovers $\alpha^x$ rather than $x$, introducing the discrete logarithm problem into the decryption. For large enough plaintexts, this becomes impractical. We would like another cryptosystem which takes advantage of this additive property of exponentiation, but does so without extra decryption time.
Solution: the Paillier Cryptosystem
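The two ElGamal variants side by side, as an added example that is not the deck's code: standard ElGamal multiplies plaintexts, the exponent variant adds them, and its decryption has to solve a discrete log (done here by a lookup table whose size is the plaintext range). p = 467, α = 2, the private key a = 127 and the r values are constructed toy values.

```python
# Added example (not from the slides): multiplicative ElGamal vs the
# "plaintext in the exponent" variant, and the discrete-log cost that the
# exponent variant adds to decryption.
# Assumed toy parameters: p = 467 is prime and alpha = 2 generates Z_467^*.
p, alpha = 467, 2
a = 127                      # private key (constructed)
beta = pow(alpha, a, p)      # public key beta = alpha^a mod p

def enc(x, r):
    """Standard ElGamal: e_K(x, r) = (alpha^r, x * beta^r) mod p."""
    return (pow(alpha, r, p), x * pow(beta, r, p) % p)

def dec(c):
    """c2 * (c1^a)^-1 mod p; for enc_add() ciphertexts this yields alpha^x."""
    c1, c2 = c
    return c2 * pow(pow(c1, a, p), -1, p) % p

def enc_add(x, r):
    """Modified ElGamal: e_K(x, r) = (alpha^r, alpha^x * beta^r) mod p."""
    return (pow(alpha, r, p), pow(alpha, x, p) * pow(beta, r, p) % p)

def combine(c, d):
    """Component-wise product of two ciphertexts, reduced mod p."""
    return (c[0] * d[0] % p, c[1] * d[1] % p)

def dec_add(c, bound):
    """Recover alpha^x with dec(), then solve the discrete log by table
    lookup. The table has `bound` entries, one per possible plaintext,
    which is why this variant is impractical for large plaintexts."""
    table = {pow(alpha, x, p): x for x in range(bound)}
    return table.get(dec(c))  # None if the plaintext is >= bound

def demo():
    # multiplicative homomorphism: E(3) * E(5) decrypts to 15
    prod = dec(combine(enc(3, 11), enc(5, 55)))
    # additive homomorphism: E'(3) * E'(5) decrypts to 3 + 5 = 8
    total = dec_add(combine(enc_add(3, 11), enc_add(5, 55)), bound=64)
    return prod, total
```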
Paillier Cryptosystem
• Introduced by Pascal Paillier in Public-Key Cryptosystems Based on Composite Degree Residuosity Classes, 1999
• Probabilistic, asymmetric algorithm
• Decisional composite residuosity assumption
  • Given composite $n$ and integer $z$, it is hard to determine if $y$ exists such that $z \equiv y^n \pmod{n^2}$
• Homomorphic and self-blinding
• Extended by Damgård and Jurik in 2001
  • modulo $n^2 \implies$ modulo $n^{s+1}$
Paillier Cryptosystem
Definition Pick two large primes $p$ and $q$ and let $n = pq$. Let $\lambda$ denote the Carmichael function, that is, $\lambda(n) = \operatorname{lcm}(p-1, q-1)$. Pick random $g \in \mathbb{Z}_{n^2}^*$ such that $L(g^\lambda \bmod n^2)$ is invertible modulo $n$ (where $L(u) = \frac{u-1}{n}$). $n$ and $g$ are public; $p$ and $q$ (or $\lambda$) are private. For plaintext $x$ and resulting ciphertext $y$, select a random $r \in \mathbb{Z}_n^*$. Then,
$$e_K(x, r) = g^x r^n \bmod n^2 \qquad d_K(y) = \frac{L(y^\lambda \bmod n^2)}{L(g^\lambda \bmod n^2)} \bmod n$$
Paillier Example: E-Voting
Suppose Alice, Bob and Oscar are running in an election. Only 6 people voted in the election, and the results are tabulated below. Each candidate owns a two-bit field (Oscar, Bob, Alice), so a vote is encoded as the value of its field: Alice = 1, Bob = 4, Oscar = 16.
Vote   Oscar   Bob   Alice   Encoding
1      00      00    01      = 1
2      00      01    00      = 4
3      00      01    00      = 4
4      00      00    01      = 1
5      01      00    00      = 16
6      00      00    01      = 1
Paillier Example: E-Voting
Let $p = 5$ and $q = 7$. Then $n = 35$, $n^2 = 1225$ and $\lambda = 12$. $g$ is chosen to be 141. For the first vote $x_1 = 1$, $r$ is randomly chosen as 4. Then,
$$e_K(x_1, r_1) = e_K(1, 4) = 141^1 \cdot 4^{35} \equiv 141 \cdot 324 \equiv 359 \pmod{1225}$$
All votes, $r$ values and resulting encryptions are shown below:
x     r     e_K(x, r)
1     4     359
4     17    173
4     26    486
1     12    1088
16    11    541
1     32    163
Paillier Example: E-Voting
In order to sum the votes, we multiply the encrypted data modulo $n^2$:
$$359 \cdot 173 \cdot 486 \cdot 1088 \cdot 541 \cdot 163 \bmod 1225 = 983$$
We then decrypt:
$$L(y^\lambda \bmod n^2) = L(983^{12} \bmod 1225) = \frac{36 - 1}{35} = 1$$
$$L(g^\lambda \bmod n^2) = L(141^{12} \bmod 1225) = \frac{456 - 1}{35} = 13$$
$$d_K(y) = L(y^\lambda \bmod n^2) \cdot \big(L(g^\lambda \bmod n^2)\big)^{-1} \bmod n = 1 \cdot 13^{-1} \bmod 35 = 27$$
We convert 27 to $(01\;02\;03)$ for the final results: Oscar 1, Bob 2, Alice 3.
Another Application: Private Information Retrieval
• Idea first introduced by Chor, Goldreich, Kushilevitz and Sudan in 1997
• The problem:
  • How can the user access an item from a database without the database knowing which item it is? (Private Information Retrieval)
  • How can the user do this without knowing about any other item of the database? (Symmetric Private Information Retrieval)
• The additive homomorphic properties of Paillier allow for the indexing and filtering of an encrypted database
Some PIR Protocols
• Stern Protocol - Uses a simple homomorphic scheme and a linear indexing technique
• Chang Protocol - Expands on Stern by allowing the indexing to take place on a hypercube. Uses the Paillier Cryptosystem
• Lipmaa Protocol - Expands on Chang by using the Damgård-Jurik system - removes the limit set on the plaintext due to Paillier
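One Paillier implementation serving both the e-voting tally worked above and the PIR indexing just described, as an added example that is not the deck's code. It uses the deck's toy key (p = 5, q = 7, g = 141) and the deck's six (x, r) pairs; the PIR database, the index and the r values 2, 3, 4, 6 are constructed, and the one-hot selection-vector query is the linear-indexing idea in its simplest form.

```python
# Added example, not from the slides: Paillier with the deck's toy key
# (p = 5, q = 7, n = 35, lambda = 12, g = 141); e-voting tally, then PIR.
from math import lcm

p, q = 5, 7
n, n2 = p * q, (p * q) ** 2
lam = lcm(p - 1, q - 1)        # Carmichael function lambda(n) = 12
g = 141

def L(u):
    return (u - 1) // n

def encrypt(x, r):
    """e_K(x, r) = g^x * r^n mod n^2; r must be in Z_n^* (coprime with n)."""
    return pow(g, x, n2) * pow(r, n, n2) % n2

mu = pow(L(pow(g, lam, n2)), -1, n)   # L(g^lambda mod n^2)^-1 mod n

def decrypt(y):
    """d_K(y) = L(y^lambda mod n^2) * mu mod n."""
    return L(pow(y, lam, n2)) * mu % n

# --- E-voting: the six (x, r) pairs from the deck's table ---
VOTES = [(1, 4), (4, 17), (4, 26), (1, 12), (16, 11), (1, 32)]

def tally(ciphertexts):
    """Multiply ciphertexts mod n^2 (adds the votes), decrypt, then split
    the total into its three base-4 digits (Oscar, Bob, Alice)."""
    acc = 1
    for c in ciphertexts:
        acc = acc * c % n2
    total = decrypt(acc)
    return acc, total, (total // 16, total // 4 % 4, total % 4)

# --- PIR: the client learns db[i] without the server learning i ---
def pir_query(i, size, rs):
    """Client: encrypt a one-hot selection vector (E(1) at i, E(0) elsewhere)."""
    return [encrypt(1 if j == i else 0, rs[j]) for j in range(size)]

def pir_answer(db, query):
    """Server: prod_j c_j^db[j] = E(sum_j sel_j * db[j]) = E(db[i]), using
    E(x)^k = E(k*x), which follows from the additive homomorphism."""
    acc = 1
    for c, d in zip(query, db):
        acc = acc * pow(c, d, n2) % n2
    return acc

def pir_demo(db, i, rs=(2, 3, 4, 6)):
    # entries must stay below n = 35 for this toy key
    return decrypt(pir_answer(db, pir_query(i, len(db), rs)))
```

The server only ever sees encryptions of 0 and 1 under a fresh r each, so the query reveals nothing about i; the constructed database [9, 23, 4, 17] is looked up by index in the checks.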