Homomorphic Cryptography

Presentation describing homomorphic cryptography over integers. It is based on the paper http://eprint.iacr.org/2009/616.pdf

Uploaded by

Nikhil George
BASICS | PARTIAL HOMOMORPHISM | BOOTSTRAPPING | COMPLETE HOMOMORPHISM | DEMO | THANK YOU

Homomorphic Cryptography

Deepak Babu Sam


Sushant Mahajan
Nikhil George
IIT Bombay

April 4, 2014

SUMMARY

BASICS
    Homomorphic Encryption
    Applications in Cloud Computing
    More Definitions
    Simple Schemes can be Homomorphic
PARTIAL HOMOMORPHISM
    A Partial Homomorphic Scheme
    Parameters
BOOTSTRAPPING
    Bootstrappable Encryption
COMPLETE HOMOMORPHISM
    Basics
    Keys
    Cipher
    Parameters
    Functions
DEMO

HOMOMORPHIC ENCRYPTION

Definition
Homomorphic encryption is a form of encryption which allows specific types of computations to be carried out on ciphertext and generate an encrypted result which, when decrypted, matches the result of operations performed on the plaintext.

In simple words!!

f(P1, P2, ..., Pn) = Decrypt(f(Encrypt(P1), Encrypt(P2), ..., Encrypt(Pn)))

Pi: plain text
f: an n-ary function

APPLICATIONS IN CLOUD COMPUTING



FUNCTIONS

Homomorphic Cryptography          Normal Cryptography
KeyGen(λ)                         KeyGen(λ)
Encrypt(p, pk)                    Encrypt(p, pk)
Decrypt(c, sk)                    Decrypt(c, sk)
Evaluate(<c1, ..cn>, f, pk)

- λ is the security parameter. It determines the other cryptographic parameters.
- Evaluate takes a set of inputs, a circuit and the public key and produces another cipher text.
- For correctness, Decrypt(Evaluate(<c1, ..cn>, f, pk)) should match f(<c1, ..cn>)

SIMPLE SCHEMES CAN BE HOMOMORPHIC

The simple symmetric encryption scheme below is homomorphic :)

- Secret key p is a large odd number.
      p = 7
- To encrypt a single bit m, choose two random numbers q and r, and calculate c = pq + 2r + m.
      q = 4, r = 2 ⇒ c = 32 + m
- To decrypt c, do m = (c mod p) mod 2
      ((32 + m) mod 7) mod 2 = (6 + m) mod 2 = m

There is a restriction r < p/2

- We claim that if c1 = Encrypt(m1) and c2 = Encrypt(m2), then:
    - Addition between c1 and c2 is homomorphic to addition (XOR) between m1 and m2
    - Multiplication between c1 and c2 is homomorphic to multiplication (AND) between m1 and m2

SIMPLE SCHEMES CAN BE HOMOMORPHIC

Let's check addition

- Key: p = 7
- Encrypt m1: q = 4, r = 1 ⇒ c1 = 30 + m1
- Encrypt m2: q = 6, r = 1 ⇒ c2 = 44 + m2
- Addition: c1 + c2 = 74 + m1 + m2
- To decrypt c, do m = (c mod p) mod 2
      ((74 + m1 + m2) mod 7) mod 2 = (4 + m1 + m2) mod 2 = (m1 + m2) mod 2

Check multiplication with a large p and sufficiently small r.

This scheme can go wrong, since r increases after every operation.
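The symmetric scheme from these two slides as runnable code, added here as an illustration and not taken from the presenters' implementation. The function names, the 64-bit key size and the 3-bit r are assumptions of this example; it checks XOR and AND on all bit pairs, counts how many ciphertexts can be multiplied before the noise reaches p, and shows multiplication failing with the slide's tiny key p = 7.

```python
import secrets

def encrypt_with(m, p, q, r):
    """The slide's formula with q and r supplied: c = p*q + 2*r + m."""
    return p * q + 2 * r + m

def encrypt(m, p, r_bits=3, q_bits=64):
    """Encrypt bit m with a fresh random q and a non-zero r below 2**r_bits."""
    q = secrets.randbits(q_bits) + 1
    r = secrets.randbelow(2**r_bits - 1) + 1
    return encrypt_with(m, p, q, r)

def decrypt(c, p):
    return (c % p) % 2

def keygen(eta=64):
    """Secret key: a random odd integer of exactly eta bits."""
    return secrets.randbits(eta) | (1 << (eta - 1)) | 1

def homomorphic_on_all_bit_pairs(p):
    """True if + decrypts to XOR and * decrypts to AND for every (m1, m2)."""
    for m1 in (0, 1):
        for m2 in (0, 1):
            c1, c2 = encrypt(m1, p), encrypt(m2, p)
            if decrypt(c1 + c2, p) != m1 ^ m2 or decrypt(c1 * c2, p) != m1 & m2:
                return False
    return True

def safe_product(p):
    """Multiply fresh encryptions of 1 for as long as the true noise stays
    below p. Returns (number of factors, product ciphertext)."""
    acc = encrypt(1, p)
    noise, factors = acc % p, 1          # fresh noise is 2r + 1, far below p
    while True:
        c = encrypt(1, p)
        if noise * (c % p) >= p:         # one more factor would wrap modulo p
            return factors, acc
        acc, noise, factors = acc * c, noise * (c % p), factors + 1

if __name__ == "__main__":
    p = keygen()
    print("XOR/AND hold for a 64-bit p:", homomorphic_on_all_bit_pairs(p))
    factors, acc = safe_product(p)
    print("factors multiplied before noise reaches p:", factors)
    # Slide key p = 7 with r = 1: product noise is 3 * 3 = 9 >= 7, so AND breaks.
    c1, c2 = encrypt_with(1, 7, 4, 1), encrypt_with(1, 7, 6, 1)
    print("1 AND 1 decrypts to", decrypt(c1 * c2, 7))
```
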

A PARTIAL HOMOMORPHIC SCHEME

We can easily extend the simple scheme to a public key scheme.

Public Key Scheme (oversimplified version)

- Private key is a large odd number p
- Public key is a set of many integers of the form pq + 2r
- To encrypt a bit m, add a subset of the public key integers to m
- To decrypt, do the usual (c % p) % 2

Remember that r obeys the constraint it had before (r < p/2)



PARAMETERS

These are parameters that determine the sizes of the keys.

These are computed as a function of the security parameter λ.

Parameters
- η: number of bits in the secret key. O(λ^2)
- ρ: number of bits in r, the noise. O(λ)
- γ: number of bits in the public key. O(λ^5)
- τ: number of integers in the public key set. O(λ^5)

In our implementation these values are λ = 4, η = 32, γ = 2046, τ = 2050

ALGORITHMS

Partial Homomorphic Scheme (simplified)

- KeyGen(λ): Private key is a large odd number p of η bit length. Public key is a set of many integers of the form pq + r of γ bit length (r of ρ bits).
- Encrypt(pk, m): To encrypt a bit m, choose a subset S of pk, choose a random number r of ρ bits, and compute c = m + 2r + 2 Σ_{i∈S} i
- Evaluate(pk, C, <c1, ..cn>): Evaluate the boolean circuit C, with AND gates replaced with multiplication and XOR gates replaced with addition, over the integers <c1, ..cn>
- Decrypt(sk, c): To decrypt, do the usual (c % sk) % 2
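The four algorithms above applied to one concrete circuit, a 3-bit ripple-carry adder evaluated on encrypted bits. This is an added example, not the presenters' implementation: the function names and the toy sizes ρ = 2, γ = 64, τ = 8 are assumptions chosen so the adder's noise stays below a 32-bit p, and they give no security.

```python
import secrets

ETA, RHO, GAMMA, TAU = 32, 2, 64, 8      # toy sizes; only eta = 32 is the page's value

def keygen():
    """sk: odd p of ETA bits. pk: TAU integers p*q + r of about GAMMA bits, r of RHO bits."""
    p = secrets.randbits(ETA) | (1 << (ETA - 1)) | 1
    q_bits = GAMMA - ETA
    pk = [p * (secrets.randbits(q_bits) | (1 << (q_bits - 1))) + secrets.randbits(RHO)
          for _ in range(TAU)]
    return p, pk

def encrypt(pk, m):
    """c = m + 2r + 2 * sum(S) for a random subset S of the public key."""
    subset = [x for x in pk if secrets.randbits(1)]
    return m + 2 * secrets.randbits(RHO) + 2 * sum(subset)

def decrypt(sk, c):
    return (c % sk) % 2

def full_adder(a, b, carry_in):
    """XOR/AND full adder with XOR replaced by + and AND by * over the integers."""
    total = a + b + carry_in
    carry_out = a * b + carry_in * (a + b)
    return total, carry_out

def add_encrypted(pk, xs, ys):
    """Ripple-carry addition of two little-endian lists of encrypted bits."""
    carry, out = encrypt(pk, 0), []
    for a, b in zip(xs, ys):
        total, carry = full_adder(a, b, carry)
        out.append(total)
    return out + [carry]

def encrypted_sum(sk, pk, x, y, n_bits=3):
    """Encrypt x and y bit by bit, add them under encryption, decrypt the result."""
    xs = [encrypt(pk, (x >> i) & 1) for i in range(n_bits)]
    ys = [encrypt(pk, (y >> i) & 1) for i in range(n_bits)]
    bits = [decrypt(sk, c) for c in add_encrypted(pk, xs, ys)]
    return sum(bit << i for i, bit in enumerate(bits))

if __name__ == "__main__":
    sk, pk = keygen()
    print("5 + 6 under encryption =", encrypted_sum(sk, pk, 5, 6))
```

With these sizes a fresh ciphertext carries noise of at most 55, and the final carry of a 3-bit addition stays below 2^27, so every input pair decrypts correctly; longer adders need a larger η or a noise reset.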

EVALUATE

Figure shows evaluation of boolean circuits with integer values

CORRECTNESS

- For circuits of lower depth, this scheme is correct
- For deep circuits, the noise increases, and at a certain point the noise may become larger than the private key, and it may cause a decryption error
- For correctness, the degree d of the polynomial computed by the circuit should satisfy

      d ≤ (η − 4) / (ρ + 2)

- The above is an approximate formula. Its proof is straightforward.

BOOTSTRAPPABLE ENCRYPTION

- We saw that every partially homomorphic encryption scheme has a set of circuits it can evaluate
- We can model the Decryption algorithm as a circuit of AND and XOR gates
- If an encryption scheme can evaluate its own decryption circuit correctly, it is called a bootstrappable encryption scheme
- If an encryption scheme is bootstrappable, it can be converted into a fully homomorphic scheme (that can evaluate all circuits)

GENTRY'S CONSTRUCTION

- As the cipher text grows, noise increases.
- The only way we can reduce noise is to decrypt, then encrypt again.
- So we are really going to decrypt, but homomorphically!!!



GENTRY'S CONSTRUCTION

Let D be the decryption circuit, wired with AND and XOR gates.

Key Idea!
D takes Secret Key bits and Cipher Text bits, and produces the decrypted bit. 'If instead of secret key and cipher text bits, an encrypted version of those are provided, still the decryption is correct'. But the output bit is still in encrypted form.

RECRYPT FUNCTION

So we have a function Recrypt that performs the bootstrap.

Recrypt

Recrypt takes the arguments
- Cipher Text
- Private Key, encrypted with public key
- The Decryption circuit
- The public key

It encrypts each bit of the cipher text with the public key. Then it evaluates the Decryption Circuit. The output text is in encrypted form, but has low noise.

So after each Evaluate() we have to fire a Recrypt() to reduce noise.

CHALLENGES

- The Recrypt is an expensive operation, since it has to encrypt each bit in the cipher text.
- The Decryption circuit should be small enough for homomorphic evaluation by the encryption scheme
- m = (c mod p) mod 2 is an expensive operation, since it involves division.
- We can see (c mod p) mod 2 = (c − ⌊c/p⌋ ∗ p) mod 2
  ∴ m = (c − ⌊c/p⌋) mod 2 since p is odd.
- Here the bottleneck is ⌊c/p⌋, which requires a circuit deeper than what we can actually evaluate.

FULLY HOMOMORPHIC ENCRYPTION

- The division in the decryption circuit is the major bottleneck in achieving bootstrap.
- So we start part of the decryption during encryption itself
- Within the public key we keep some information to calculate 1/p
- During encryption, we keep some information with the cipher to calculate ⌊c/p⌋
- Now during decryption, we just have to collect the information in the ciphertext to compute ⌊c/p⌋

KEYS

Keys
- Keys are different now. 1/p is divided into some (θ) fractions (p1, ..pθ) such that their sum is 1/p
- Private key is a vector s of large length (say Θ) but of hamming weight θ.
- With the public key, append a vector Y of length Θ; it contains pi in place of the ith 1 in the s vector. All other positions of Y contain some random value.

CIPHER

Cipher

- The information to compute ⌊c/p⌋ is carried with the cipher text.
- With cipher text c∗ we are attaching a vector Z which is obtained as Z = c∗ Y (Y from public key)
- Note that at any point, s·Z gives c/p; this is used for decryption.

PARAMETERS

These are parameters that determine the sizes of the keys.

Parameters
- κ: the precision of the fractions in the Z vector. = γ + 2
- θ: Hamming weight of the secret key. = λ
- Θ: total length of the secret key vector. = κ · log(λ)

In our implementation these values are κ = 2048, θ = 4, Θ = 4096

FUNCTIONS

Functions (Simplified)

- KeyGen(λ): Generate sk∗ and pk∗ as before. Private key is a Θ bit vector (say s) with hamming weight θ. Public key is the pair (pk∗, Y) where Y is a Θ bit vector such that s·Y = 1/p
- Encrypt(pk, m): Generate c∗ as before. Output a pair (c∗, Z) where Z = c∗ Y
- Evaluate(pk, C, <c1, ..cn>): Generate c∗ as before. Output a pair (c∗, Z) where Z = c∗ Y
- Decrypt(sk, c): Calculate m = (c∗ − ⌊s·Z⌋) mod 2
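The Keys, Cipher and Functions slides as one runnable sketch, added here as an illustration and not taken from the presenters' implementation. Assumptions of this example: the function names, the toy sizes γ = 64 and Θ = 32, the symmetric form c = pq + 2r + m for c∗, and fractions stored as κ-bit fixed-point values whose selected entries sum to 1/p rounded up at precision 2^−κ rather than to 1/p exactly.

```python
import secrets
from fractions import Fraction
from math import floor

ETA, GAMMA = 32, 64           # toy sizes; only eta = 32 is the page's value
KAPPA = GAMMA + 2             # precision of the fractions, as on the Parameters slide
THETA, BIG_THETA = 4, 32      # Hamming weight 4 as on the page; vector length shrunk

def keygen():
    """Return (p, s, Y): sparse secret vector s and public fraction vector Y."""
    p = secrets.randbits(ETA) | (1 << (ETA - 1)) | 1
    u = -(-2**KAPPA // p)                      # ceil(2^kappa / p), so u / 2^kappa ~ 1/p
    parts = [secrets.randbelow(u // THETA) for _ in range(THETA - 1)]
    parts.append(u - sum(parts))               # the theta parts sum to u exactly
    ones = secrets.SystemRandom().sample(range(BIG_THETA), THETA)
    s = [1 if i in ones else 0 for i in range(BIG_THETA)]
    # Toy decoys: drawing them below u hints at the size of p; not a secure choice.
    Y = [Fraction(secrets.randbelow(u), 2**KAPPA) for _ in range(BIG_THETA)]
    for i, part in zip(ones, parts):
        Y[i] = Fraction(part, 2**KAPPA)        # real parts sit where s has a 1
    return p, s, Y

def expand(c, Y):
    """Attach Z = c * Y to an integer ciphertext, as Encrypt and Evaluate do."""
    return c, [c * y for y in Y]

def encrypt(m, p, Y):
    """c = p*q + 2r + m in its symmetric form, kept below 2^gamma."""
    q = secrets.randbits(GAMMA - ETA - 1) + 1
    return expand(p * q + 2 * secrets.randbits(2) + m, Y)

def add(ct1, ct2, Y):
    """Homomorphic XOR: add the integers, then recompute Z from the public Y."""
    return expand(ct1[0] + ct2[0], Y)

def decrypt(s, ct):
    """m = (c - floor(s.Z)) mod 2; no division by p is needed."""
    c, Z = ct
    dot = sum(z for bit, z in zip(s, Z) if bit)
    return (c - floor(dot)) % 2

if __name__ == "__main__":
    p, s, Y = keygen()
    a, b = encrypt(1, p, Y), encrypt(1, p, Y)
    print(decrypt(s, a), decrypt(s, b), decrypt(s, add(a, b, Y)))
```

Decryption here touches only s and the θ selected entries of Z, which is what shrinks the decryption circuit; the approximation error c · 2^−κ stays below 1/2 for a sum of two fresh ciphertexts, so the floor still lands on the right integer.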

PERFORMANCE WITHOUT BOOTSTRAPPING

Operation               Time (Sec)
3 bit addition          0.00849294662476
4 bit addition          0.0148079395294
5 bit addition          0.0200610160828
6 bit addition          0.0252559185028
7 bit addition          0.0328199863434
8 bit addition          0.0364289283752
3 bit multiplication    0.0477869510651
4 bit multiplication    0.102718114853
5 bit multiplication    0.17649102211
6 bit multiplication    0.276554107666
7 bit multiplication    0.386368989944
8 bit multiplication    0.514411211014

PERFORMANCE WITH BOOTSTRAPPING

Operation               Time (Sec)
3 bit addition          24.0433769226
4 bit addition          39.5260438919
5 bit addition          57.569133997
6 bit addition          71.8706359863
7 bit addition          91.5514998436
8 bit addition          106.403455019
3 bit multiplication    132.176811934
4 bit multiplication    273.399508953
5 bit multiplication    469.853643894
6 bit multiplication    721.54058814
7 bit multiplication    1020.81985712
8 bit multiplication    1361.10715199

PERFORMANCE WITH MODERATE BOOTSTRAPPING

Operation               Time (Sec)
3 bit addition          4.77270793915
4 bit addition          4.93928003311
5 bit addition          10.1200909615
6 bit addition          20.0205738544
7 bit addition          24.1529259682
8 bit addition          24.2124249935
3 bit multiplication    34.0962469578
4 bit multiplication    69.1047542095
5 bit multiplication    120.915575981
6 bit multiplication    192.994705915
7 bit multiplication    274.399580956
8 bit multiplication    362.931727886