fully homomorphic encryption
play

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - - PowerPoint PPT Presentation

Aug 28, 2022 •434 likes •1.07k views

Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt 19 IMFD Chile, Ecole Polytechnique, Universit e Paris-Saclay Applied Cryptography @ ProtonMail Generic homomorphic encryption Gentrys blueprint Second generation

  1. Fully Homomorphic Encryption Francisco Vial-Prado ASCrypto - LatinCrypt ’19 IMFD Chile, Ecole Polytechnique, Universit´ e Paris-Saclay Applied Cryptography @ ProtonMail

  2. Generic homomorphic encryption Gentry’s blueprint Second generation Overview Generic homomorphic encryption, a priori observations Gentry’s blueprint Second and third generation schemes Francisco Vial-Prado Fully Homomorphic Encryption

  3. Generic homomorphic encryption Gentry’s blueprint Second generation The problem (Rivest, Adleman, Dertouzos, 1978) On Data Banks And Privacy Homomorphisms - 1978 ... a system working with encrypted data can at most store or retrieve data for the user; any more complicated operations seem to require that the data be decrypted before being operated on. ... it appears likely that there exist [...] Privacy Homomorphisms. Francisco Vial-Prado Fully Homomorphic Encryption

  4. Generic homomorphic encryption Gentry’s blueprint Second generation Privacy Homomorphisms Find an encryption scheme S such that: Let y = S . Enc k ( x ). For any PPT function f mapping plaintexts to plaintexts, find y ′ publicly such that S . Dec k ( y ′ ) = f ( x ). Example: If S . plainspace is a ring, provide functionalities Add , Mult such that Add ( Enc ( x ) , Enc ( y )) encrypts x + y Mult ( Enc ( x ) , Enc ( y )) encrypts x × y . Disclaimer Along with reasonable security properties! Francisco Vial-Prado Fully Homomorphic Encryption

  5. Generic homomorphic encryption Gentry’s blueprint Second generation Privacy Homomorphisms Find an encryption scheme S such that: Let y = S . Enc k ( x ). For any PPT function f mapping plaintexts to plaintexts, find y ′ publicly such that S . Dec k ( y ′ ) = f ( x ). Example: If S . plainspace is a ring, provide functionalities Add , Mult such that Add ( Enc ( x ) , Enc ( y )) encrypts x + y Mult ( Enc ( x ) , Enc ( y )) encrypts x × y . Disclaimer Along with reasonable security properties! Francisco Vial-Prado Fully Homomorphic Encryption

  6. Generic homomorphic encryption Gentry’s blueprint Second generation Privacy Homomorphisms Find an encryption scheme S such that: Let y = S . Enc k ( x ). For any PPT function f mapping plaintexts to plaintexts, find y ′ publicly such that S . Dec k ( y ′ ) = f ( x ). Example: If S . plainspace is a ring, provide functionalities Add , Mult such that Add ( Enc ( x ) , Enc ( y )) encrypts x + y Mult ( Enc ( x ) , Enc ( y )) encrypts x × y . Disclaimer Along with reasonable security properties! Francisco Vial-Prado Fully Homomorphic Encryption

  7. A priori observations

  8. Generic homomorphic encryption Gentry’s blueprint Second generation HE is non determinist 1. Homomorphic encryption must be non-determinist The attacker could solve ring equations x = k ⇔ ( x � = 0) ∧ ( x 2 = x + x + · · · + x ) � �� � k times 1bis. Broccoli heuristics: If ciphertext spaces are distinguishable, they should be somewhat separable. Francisco Vial-Prado Fully Homomorphic Encryption

  9. Generic homomorphic encryption Gentry’s blueprint Second generation HE is non determinist 1. Homomorphic encryption must be non-determinist The attacker could solve ring equations x = k ⇔ ( x � = 0) ∧ ( x 2 = x + x + · · · + x ) � �� � k times 1bis. Broccoli heuristics: If ciphertext spaces are distinguishable, they should be somewhat separable. Francisco Vial-Prado Fully Homomorphic Encryption

  10. Generic homomorphic encryption Gentry’s blueprint Second generation HE runs in worst-case complexity for decision algorithms 2. Logical conditions translate to homomorphic comparison circuits. Consider the equality circuit: Let a , b ∈ { 0 , 1 } κ . � 0 κ if a = b , � Eq( a , b ) = 1 ⊕ ( a i ⊕ b i ⊕ 1) = 1 if a � = b . i =1 Francisco Vial-Prado Fully Homomorphic Encryption

  11. Generic homomorphic encryption Gentry’s blueprint Second generation Don’t allow easy CCA’s 3. – Decrypt Verifiable Computations Only If Possible (Homomorphic encryption schemes are known to be vulnerable to IND-CCA Key-Recovery attacks) Francisco Vial-Prado Fully Homomorphic Encryption

  12. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  13. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  14. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  15. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  16. Generic homomorphic encryption Gentry’s blueprint Second generation Connections with other cryptographic problems (implied by) Functional encryption (provides reduction of) Secure Multiparty Computation (compatible with) Identity/Attribute-Based Encryption (brick of?) Indistinguishability Obfuscation (first multi-hop?) Proxy Re-encryption Francisco Vial-Prado Fully Homomorphic Encryption

  17. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  18. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  19. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  20. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  21. Generic homomorphic encryption Gentry’s blueprint Second generation Gentry’s solution The Sophomore’s Dream Let R be some ring and I be an ideal of R . Let m ∈ R / I . Let Enc ( m ) := m + i where i ∈ I is sampled randomly. Enc ( m 1 ) + Enc ( m 2 ) = m 1 + m 2 + i ′ , Enc ( m 1 ) × Enc ( m 2 ) = m 1 × m 2 + i ′′ . Good game; now look for Random efficient sampling from α + I for every α ∈ R / I Secret decryption power: ideal annihilation procedure α + xI �→ α . Connection to hard problems. Francisco Vial-Prado Fully Homomorphic Encryption

  22. Generic homomorphic encryption Gentry’s blueprint Second generation Ideals + Lattices = Ideal Lattices Gentry’s first FHE scheme Specialized the latter construction using polynomial rings and two sets of ideal lattices. Secret and public keys are parallelepipeds in R n , with large n , and plaintexts/ciphertexts are polynomials in Z [ X ] / ( X n − 1). Francisco Vial-Prado Fully Homomorphic Encryption

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt

Fully Homomorphic Encryption from the ground up Daniele Micciancio (UC San Diego) Eurocrypt 2019 (Fully Homomorphic) Encryption Encryption: used to protect data at rest or in transit Enc( m ) Enc( m ) Enc( m ) Fully Homomorphic

2.2k views • 39 slides
References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford

References Gentry, C., A fully homomorphic encryption scheme , Ph.D. Thesis, 1 Standford University, 2009. http://crypto.stanford.edu/craig/craig-thesis.pdf Fully Homomorphic Encryption Gentry, C., Computing arbitrary functions of encrypted

233 views • 7 slides
CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi

Introduction CCA-Secure Keyed-Fully Homomorphic Encryption Junzuo Lai, Robert H. Deng, Changshe Ma, Kouichi Sakurai and Jian Weng 1 / 26 Introduction Outline Background Related Work CCA-Secure Keyed-Fully Homomorphic Encryption Conclusion

686 views • 26 slides
CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1

CHIMERA: Combining Ring-LWE-based Fully Homomorphic Encryption Schemes Mariya Georgieva 1 , 2 1 2 Joint work with: C. Boura, N. Gama, D. Jetchev 1 / 30 Homomorphic encryption Given ( c 1 , c 2 , . . . , c k ) = ( E ( m 1 ) , E ( m 2 ) , . . .

497 views • 48 slides
Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for

Symmetric Encryption Scheme adapted to Fully Homomorphic Encryption Scheme: New Criteria for Boolean functions Pierrick M AUX cole normale suprieure, INRIA, CNRS, PSL Boolean Functions and their Applications (BFA) Os, Norway Tuesday

1.23k views • 101 slides
Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic

Homomorphic Encryption Lecture 18 And some applications Homomorphic Encryption Homomorphic Encryption Group Homomorphism: Two groups G and G are homomorphic if there exists a function (homomorphism) f:G G such that for all x,y G,

1.79k views • 165 slides
Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption

Building Applications with Homomorphic Encryption A Presentation from the Homomorphic Encryption Standardization Consortium HomomorphicEncryption.org 0.1 Presenters Roger A. Hallman (SPAWAR Systems Center Pacific; Thayer School of

1.36k views • 91 slides
Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A

Fully Homomorphic Encryption Lecture 21 Recall Learning With Errors -s = A b A r A b e 1 LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has small entries from a matrix in A Z q

514 views • 12 slides
Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika

Fully Homomorphic Encryption from Ring-LWE and Security for Key Dependent Messages Zvika Brakerski Vinod Vaikuntanathan (Weizmann) (University of Toronto) CRYPTO 2011 Outsourcing Computation x Function x f f ( x ) medical records

520 views • 15 slides
Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With

Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With

Lattice Cryptography: Towards Fully Homomorphic Encryption Lecture 20 Recall Learning With Errors s where = + A b A r b A e LWE (decision version): (A,A s + e ) (A, r ), where A random m n , s uniform, e has

345 views • 15 slides
Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron,

Introduction Previous work Our contribution Conclusion Fully Homomorphic Encryption over the Integers with Shorter Public Keys Jean-S ebastien Coron, Avradip Mandal, David Naccache and Mehdi Tibouchi University of Luxembourg & ENS

864 views • 60 slides
Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski

Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP Zvika Brakerski Stanford University CRYPTO 2012 Outsourcing Computation () Email, web- search, navigation, social networking Search query,

380 views • 21 slides
A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special

A Simple Framework for Noise-Free Construction of Fully Homomorphic Encryption from a Special Class of Non-Commutative Groups Koji Nuida National Institute of Advanced Industrial Science and Technology (AIST), Japan (Japan Science and

1.24k views • 57 slides
Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October

Fully Homomorphic Encryption Zvika Brakerski Weizmann Institute of Science ASCrypto, October 2013 Outsourcing Computation () Email, web- search, navigation, social networking Search query, location, business

1.15k views • 51 slides
Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS:

Threshold Cryptosystems from Threshold Fully Homomorphic Encryption Aayush Jain, UCLA AUTHORS: DAN BONEH, ROSARIO GENNARO, STEVEN GOLDFEDER, AAYUSH JAIN, SAM KIM, PETER M. R. RASMUSSEN AND AMIT SAHAI Introduction to Characters Thanos: Bad Guy

567 views • 36 slides
Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California,

Parameters for Homomorphic Encryption Kim Laine and Kristin Lauter University of California, Berkeley and Microsoft Research September 3, 2015 Homomorphic Encryption Homomorphic Encryption Consider a public key cryptosystem, and operations

777 views • 35 slides
Key Recovery Attack for ZHFE Daniel Cabarcas 1 Daniel Smith-Tone 2 , 3 Javier A. Verbel 1 1

Key Recovery Attack for ZHFE Daniel Cabarcas 1 Daniel Smith-Tone 2 , 3 Javier A. Verbel 1 1

Key Recovery Attack for ZHFE Daniel Cabarcas 1 Daniel Smith-Tone 2 , 3 Javier A. Verbel 1 1 Universidad Nacional de Colombia, Sede Medell n, Colombia 2 University of Louisville, USA 3 National Institute of Standards and Technology, USA

817 views • 33 slides
Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau,

Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau,

Ramesses : a Rank Metric Encryption Scheme with Short Keys Julien Lavauzelle , Pierre Loidreau, Ba-Duc Pham IRMAR, Universit de Rennes 1 Groupe de travail cryptographie base de codes 25/11/2019 Introduction Goal: design a new public-key

1.11k views • 68 slides
2 Update as model change. Hard information: learning P eliminates worlds with P false: from M s to

2 Update as model change. Hard information: learning P eliminates worlds with P false: from M s to

1 LOGICAL DYNAMICS OF INTELLIGENT INTERACTION Johan van Benthem, http://staff.science.uva.nl/~johan Monday 12 Dec 2011, ILLC Amsterdam We motivate the logical dynamics of information-driven agency, and then illustrate the resulting research

190 views • 7 slides
Recent Progress on the Abelian Sector of F-Theory

Recent Progress on the Abelian Sector of F-Theory

Strings 2014, Princeton 25 th of June, 2014 Recent Progress on the Abelian Sector of F-Theory Denis Klevers arXiv:1303.6970 [hep-th]: M. Cve8,

470 views • 44 slides
A Public Key encryption scheme based on the Polynomial Reconstruction problem Daniel Augot

A Public Key encryption scheme based on the Polynomial Reconstruction problem Daniel Augot

A Public Key encryption scheme based on the Polynomial Reconstruction problem Daniel Augot Matthieu Finiasz Eurocrypt 2003 Warsaw Reed-Solomon Codes Definition Reed-Solomon code of length n and dimension k Choose a set of

290 views • 16 slides
Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence

Multivariate Public Key Cryptosystems Produced by Quasigroups Simona Samardjiska PhD defence Trondheim, June 22, 2015 Department of Telematics, Faculty of Information Technology, Mathematics and Electrical Engineering, Norwegian University of

2.51k views • 157 slides
Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of

1 Lattice-based cryptography: Episode V: the ring strikes back Daniel J. Bernstein University of Illinois at Chicago Crypto 1999 Nguyen: At Crypto 97, Goldreich, Goldwasser and Halevi proposed a public-key cryptosystem based on the

683 views • 32 slides
PGP web of trust Web of trust From:

PGP web of trust Web of trust From:

PGP web of trust Web of trust From: h2p://pgp.cs.uu.nl/plot/ The PGP web of trust can be viewed as a directed graph where the points are

558 views • 10 slides

More recommend