Homomorphic Cryptography & Its Applications
Aaram Yun, UNIST FIF presentation, 2015
1
2
» Bike lock of Internet
» Provides many important building blocks for security
» For example, encryption or authentication
3
4
Eventually, crypto-protected data should be used somewhere
5
However, this usually means removing cryptographic protection
Often makes it hard to apply crypto in designing secure systems
6
» Computation using cryptographically protected data
» While maintaining security
» Many potential applications, for example, secure cloud computing
7
» 'Homomorphism' in mathematics
» From and , can be computed by anybody
8
» E.g., from , compute a ciphertext , such that,
» ' can be homomorphically evaluated using ciphertexts'
» What kind of function can be computed like this?
» Any function, if you don't care about security
» Just use the identity function as Enc()
9
— Rivest, Adleman, and Dertouzos, 1978
10
» Craig Gentry, "Fully Homomorphic Encryption Using Ideal Lattices", STOC 2009
» Any polynomial-time algorithm can be homomorphically evaluated
11
» 'Somewhat homomorphic': can handle low-degree polynomial functions mod
» 'Fully homomorphic': can handle arbitrary polynomial-sized polynomial functions mod
» When , it can handle practically any Boolean function, and so any practical algorithm
12
13
» Each ciphertext has its 'noise level'
» A freshly encrypted ciphertext has a low noise level
» Adding ciphertexts: noises are added
» Multiplying ciphertexts: noises are multiplied
14
» If the noise level is above a certain threshold, correct decryption is not guaranteed
» Addition is okay: 1-bit increment
» Multiplication is the problem: noise level is doubled
» Relatively efficient, but only 'somewhat homomorphic'
15
» There is a way to reduce the noise level of a 'noisy' but still correctly decryptable ciphertext
» Idea: decrypt to get the plaintext , then encrypt again to obtain the refreshed ciphertext
» Problem: can be done only by the owner of the decryption key
16
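A toy illustration of the noise behaviour on slides 14 to 16, added here and not taken from the presentation: it assumes a DGHV-style symmetric scheme over the integers (ciphertext c = p*q + 2r + m) with insecure toy parameters, and all function names are hypothetical.

```python
import secrets

# Toy symmetric scheme over the integers (DGHV-style), chosen for this example:
# c = p*q + 2*r + m with secret odd p, random q, small noise r. The sizes are
# far too small to be secure; they only make the noise growth easy to see.
P_BITS, Q_BITS, R_BITS = 64, 128, 8

def keygen():
    return secrets.randbits(P_BITS) | (1 << (P_BITS - 1)) | 1  # odd, 64-bit

def encrypt(p, m):
    r = secrets.randbits(R_BITS) | (1 << (R_BITS - 1))  # fresh noise, 8 bits
    return p * secrets.randbits(Q_BITS) + 2 * r + (m & 1)

def noise(p, c):
    # Centered residue of c mod p; equals 2r + m while it stays below p/2.
    x = c % p
    return x - p if x > p // 2 else x

def decrypt(p, c):
    return noise(p, c) % 2

def noise_bits(p, c):
    return abs(noise(p, c)).bit_length()

def refresh(p, c):
    # The refresh idea from slide 16: decrypt, then re-encrypt. Needs the key p.
    return encrypt(p, decrypt(p, c))

def squaring_trace(p, depth):
    # Square an encryption of 1 repeatedly: the plaintext stays 1 while the
    # noise bit length roughly doubles with every multiplication.
    c, trace = encrypt(p, 1), []
    for d in range(depth + 1):
        trace.append((d, noise_bits(p, c), decrypt(p, c)))
        c = c * c
    return trace

if __name__ == "__main__":
    p = keygen()
    a, b = encrypt(p, 1), encrypt(p, 0)
    print("fresh:", noise_bits(p, a), "sum:", noise_bits(p, a + b),
          "product:", noise_bits(p, a * b))
    for d, bits, bit in squaring_trace(p, 4):
        print(f"depth {d}: measured noise {bits:2d} bits, decrypts to {bit}")
    noisy = a * a * a * a            # about 35 bits of noise, still decryptable
    print("refreshed:", noise_bits(p, refresh(p, noisy)), "bits")
```

With a 64-bit key the third squaring pushes the true noise past p, so from depth 3 on the measured noise and the decrypted bit are no longer meaningful.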
» Gentry's solution: can be done if SHE can homomorphically evaluate its own decryption circuit
» This is called 'bootstrapping'
» 'SHE + bootstrapping' gives you an FHE
17
» Slower, with larger ciphertext expansion
» Still, if your application requires only SHE, it is relatively efficient
» FHE is the problem
18
» First FHEs were s..l..o..w..
» About 6-30 minutes to refresh one bit!
» Many improvements made afterwards
» Better noise management
» Parallelization
19
» Can evaluate AES homomorphically
» About 180 blocks in 1050 sec. (Eurocrypt 2015)
20
» Native evaluation of AES:
» About 18 cycles/block
» Roughly 10,000,000,000 blocks during the same time
» About 10^8 times faster
21
» Still a long way to go
» Perhaps completely different paradigm needed for drastic speedup
» Everything still within Gentry's blueprint
» I am optimistic...
» If bootstrapping is not needed, already somewhat usable
22
» Each block of data is signed:
» When computing using , anyone can homomorphically evaluate the signature for using corresponding signatures
» Given and , anyone can check if
» Even when you don't have
23
24
» Storage is outsourced
» No local copy
» Computation is outsourced
» Only receive the output
» Data is sensitive, private
» E.g., medical, or genomic data
25
26
» Some of the previous conditions are not needed
» Conventional encryption is enough
» Your application may not require evaluating any circuit
» SHE would be enough
» Also, conventionally encrypted data can be turned into FHE encrypted data when necessary
» Homomorphically evaluate the decryption circuit, later
27
» Storage is outsourced
» No local copy
» Computation is outsourced
» Only receive the output
» You want a guarantee that the output is correct
28
» Right now not very realistic economically, for general computation
» In the future, when FHE becomes practically practical, not theoretically practical, ...
» That's what we are doing: 'Future Internet'
» After Snowden's revelation about NSA surveillance, perhaps secure cloud makes more sense already
29
» Imagine very practical homomorphic crypto in the future
» What other new Internet applications can we build out of it?
» Can we use it even in building services on lower layers?
» What can we do with SHE right now?
30
» In homomorphic cryptography, it is possible to provide rich functionality without sacrificing security
» This is a promising, relatively new area with big dreams and many applications
» Still a long way to go, but progress is actively being made
31