Introduction To Homomorphic Encryption: Hubert Hesse Christoph Matthies Robert Lehmann

The document introduces homomorphic encryption, which allows computations on encrypted data without decrypting it first. It explains how some encryption schemes like RSA exhibit homomorphic properties for specific operations like multiplication. It also discusses limitations of current homomorphic schemes and the accumulation of noise from successive operations.

Introduction to Homomorphic Encryption
Hubert Hesse, Christoph Matthies, Robert Lehmann
@hubx @chrisma0 @rlehmann
2013

What is that?
operation(plain) == decrypt(operation'(encrypt(plain)))

i.e. outputs of operations on encrypted data are still usable

Current context
July 2013: Change in "De-Mail-Gesetz" defining De-Mail as secure [1]

● Needs to be decrypted by provider to "check for viruses"
● (Secret) key on server of provider
○ Server becomes juicy target
● Homomorphic encryption
○ Can check without decryption

[1] http://www.spiegel.de/netzwelt/netzpolitik/de-mail-bundestag-erklaert-bundes-mail-per-gesetz-als-sicher-a-895361.html

Use cases
● Medical records
○ Analyze disease / treatment without disclosing them
○ Search for DNA markers without revealing DNA
○ "Digitale Krankenakte" (digital patient record)

● Spam filtering
○ Blacklisting encrypted mails
○ Third parties can scan your PGP traffic

Doing something without knowing what

Homomorphism
groups (P, ⊕) and (C, ⊗)
map f : P → C

f is a group homomorphism from P to C if:

∀ a,b ∈ P: f(a ⊕ b) = f(a) ⊗ f(b)

In particular (when f is invertible):
∀ a,b ∈ P: a ⊕ b = f⁻¹( f(a) ⊗ f(b) )

Examples
groups (R, +) and (R*, ×)
function: R → R

exp(x+y) = exp(x) × exp(y)

10^(x+y) = 10^x × 10^y

ln(a×b) = ln(a) + ln(b)

be aware: the mapping goes from one operation to another

Practical example

In RSA, multiplication is (accidentally) a homomorphism

Imagine
what's the area?

width = 7
height = 3

Enter the cloud
width = 7
height = 3

area solver™

privacy?

RSA to the rescue

Select p=11, q=13
p*q = 143 = N
φ(N) = φ(143) = (p-1)*(q-1) = 120

select e w/ gcd(e,120) = 1: e = 23
public key: (23, 143)

Calculate e*d ≡ 1 mod φ(N):
e*d + k*φ(N) = 1 = gcd(e, φ(N))
23*d + k*120 = 1 = gcd(23, 120)
d = 47, k = -9
private key: (47, 143)

the justified sinner, flickr (CC BY-NC-SA 2.0)

wait, RSA?
Encryption in RSA

Homomorphic property

width = 7
height = 3
private key := (47, 143)
public key := (23, 143)

encrypt (private side):
c_w ≡ width^e mod N
c_w ≡ 7^23 mod 143
c_w = 2

c_h ≡ height^e mod N
c_h ≡ 3^23 mod 143
c_h = 126

area solver (public side):
width = 2
height = 126
area = 252

decrypt (private side):
area = decrypt(252)
area ≡ cipher^d mod N
≡ 252^47 mod 143
= 21
= 7 × 3
(sanity check)

Different homomorphisms
● RSA allows only multiplication
○ Other operations on ciphertext (e.g. +) break decryption

circumference calculation
correct: 3*2 + 7*2 = 20
encrypted: 2*2 + 2*126 = 256
decryption: 256^47 mod 143 = 42
42 ≠ 20 ⚡

● Other schemes allow different operations (e.g. + and -)
● Algebra homomorphisms allow × and +
○ Much more powerful

f: A→B alg. hom. ⇔ ∀k∈K; x,y∈A:
• f(k*x) = k*f(x)
• f(x+y) = f(x)+f(y)
• f(x*y) = f(x)*f(y)

Need to select appropriate homomorphic encryption scheme for application

System                 Plaintext operation        Cipher operation
RSA                    ×                          ×
Paillier               +, −                       ×, ÷
                       m×k, m+k                   c^k, c×g^k
ElGamal                ×                          ×
                       m×k, m^k                   c×k, c^k
Goldwasser-Micali      ⊕                          ×
Benaloh                +, −                       ×, ÷
Naccache-Stern         +, −                       ×, ÷
                       m×k                        c^k
Sander-Young-Yung      ×                          +
Okamoto-Uchiyama       +, −                       ×, ÷
                       m×k, m+k                   c^k, c+e(k)
Boneh-Goh-Nissim       Paillier (+, −, m×k, m+k)  Paillier
                       × (once)                   bilinear pairing
US 7'995'750 / ROT13   +                          +

Pollution (simplified)

● Operations on ciphertext accumulate "noise"
○ Addition adds noise, multiplication multiplies it
○ Noise gets too high → decryption fails

● These "limited" algebra homomorphism schemes: Somewhat Homomorphic Encryption Schemes

Bob August, flickr (CC BY-NC-SA 2.0)

Pollution Example
● Using small N in RSA and large inputs
○ When output larger than RSA-modulus, decryption fails

Calculate area of square using RSA
sides: 10 and 15
10*15 = 150

Encryption:
c_w ≡ 10^23 mod 143 ≡ 43
c_h = 15^23 mod 143 = 20
c_a = 43*20 = 860

Decryption:
a ≡ 860^47 mod 143 ≡ 7 (≡ 150 mod 143)
7 ≠ 150 ⚡

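
The area, circumference and pollution slides above, replayed in code as an added example (not part of the original deck). The key (p=11, q=13, e=23) and the inputs are the deck's; the function names are assumptions made for this sketch.

```python
# Added example: textbook (unpadded) RSA with the deck's toy key.
def egcd(a, b):
    """Return (g, x, y) with a*x + b*y = g = gcd(a, b)."""
    if b == 0:
        return a, 1, 0
    g, x, y = egcd(b, a % b)
    return g, y, x - (a // b) * y

def keygen(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    g, d, _ = egcd(e, phi)          # e*d + k*phi = 1
    if g != 1:
        raise ValueError("e must be coprime to phi(N)")
    return (e, n), (d % phi, n)     # (public key, private key)

def encrypt(m, pub):
    e, n = pub
    return pow(m, e, n)

def decrypt(c, priv):
    d, n = priv
    return pow(c, d, n)

def area_in_cloud(c_w, c_h):
    return c_w * c_h                # multiplication carries over to plaintexts

def circumference_in_cloud(c_w, c_h):
    return 2 * c_w + 2 * c_h        # addition does not: RSA is only multiplicative

PUB, PRIV = keygen(11, 13, 23)

def run(width, height):
    """Encrypt locally, compute on ciphertexts, decrypt and compare."""
    c_w, c_h = encrypt(width, PUB), encrypt(height, PUB)
    area = decrypt(area_in_cloud(c_w, c_h), PRIV)
    circ = decrypt(circumference_in_cloud(c_w, c_h), PRIV)
    return {"c_w": c_w, "c_h": c_h,
            "area": area, "area_ok": area == width * height,
            "circumference": circ,
            "circumference_ok": circ == 2 * width + 2 * height}

if __name__ == "__main__":
    print(PUB, PRIV)
    print(run(7, 3))      # area survives, circumference does not
    print(run(10, 15))    # 150 > N = 143, so even the area wraps around
```

This only works because textbook RSA is unpadded and deterministic; the same multiplicative property is what makes unpadded RSA ciphertexts malleable.
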
Beyond + and ×

Every program* can be expressed in terms of a digital circuit.

* referentially transparent, i.e. w/o side effects; today() is not ref. transparent

Tristan Nitot, flickr (CC BY-NC-SA 2.0)

Every digital circuit can be expressed in terms of AND, OR, and NOT.
(remember Disjunctive Normal Forms?)

Every digital circuit can be expressed in terms of AND, OR, and XOR.
XOR(x, 1) = NOT(x)
NOT(AND(NOT(x), NOT(y))) = !(!x & !y) = OR(x, y)

Fully homomorphic encryption

With ∧ and ⊕ we can represent any operation

Duane Romanell, flickr (CC BY-NC-ND 2.0)

Circuit Encryption
● Assume homomorphic enc:
○ 0-bits → even ints
○ 1-bits → odd ints
(+ random r * secret p mod p!)
○ ⊕ → +
○ ∧ → ×
{ simple truth tables }
○ Define: ∘ = (a + b) + (a × b) (Logical OR)
{ OR = (a ∧ b) ⊕ (a ⊕ b) }

Circuit Encryption
Toy example
● Single Bit Adder
○ A, B: inputs, Cin: carry-in, S: sum, Cout: carry-out

S = ((A ⊕ B) ⊕ Cin)
Cout = (A ∧ B) ∨ ((A ⊕ B) ∧ Cin)

map operators:
S = ((A + B) + Cin)
Cout = (A × B) ∘ ((A + B) × Cin)

Toy example - calc. S
            A  B  Cin  S   Cout
plain       1  0  1    0   1
encrypted   3  4  7    ?   ?

S = ((3 + 4) + 7) = 14 ≙ 0

Toy example - calc. Cout
∘ = (a + b) + (a × b)

Cout = (3 × 4) ∘ ((3 + 4) × 7)
= 12 ∘ 49
= (12 + 49) + (12 * 49)
= 61 + 588 = 649 ≙ 1

            A  B  Cin  S   Cout
plain       1  0  1    0   1
encrypted   3  4  7    14  649

Circuit Encryption
● Assume homomorphic enc:
○ 0-bits → even ints
○ 1-bits → odd ints
(actually mod a secret p)
○ ⊕ → +
○ ∧ → ×
{ simple truth tables }
○ Define: ∘ = (a + b) + (a × b) (Logical OR)
{ OR = (a ∧ b) ⊕ (a ⊕ b) }

Circuit Enc. Example
● Encrypted Memory Access

m0 m1 m2 m3   a0 a1
1  x  x  x    0  0
x  1  x  x    1  0
x  x  1  x    0  1
x  x  x  1    1  1

row3 = a0 ∧ a1 ∧ m3
row2 = ¬a0 ∧ a1 ∧ m2
row1 = a0 ∧ ¬a1 ∧ m1
row0 = ¬a0 ∧ ¬a1 ∧ m0

c = row0 ∨ row1 ∨ row2 ∨ row3

[1] M Brenner, J Wiebelitz, G von Voigt. Secret program execution in the cloud applying homomorphic encryption. 2011

Encrypted Memory Access

m = {1, 0, 1, 0}  a = 01

row3 = a0 ∧ a1 ∧ m3 = 0 ∧ 1 ∧ 0 = 0
row2 = ¬a0 ∧ a1 ∧ m2 = 1 ∧ 1 ∧ 1 = 1
row1 = a0 ∧ ¬a1 ∧ m1 = 0 ∧ 0 ∧ 0 = 0
row0 = ¬a0 ∧ ¬a1 ∧ m0 = 1 ∧ 0 ∧ 1 = 0

c = row0 ∨ row1 ∨ row2 ∨ row3 = 0∨0∨1∨0 = 1

Encrypted Memory Access
0-bits → even ints
1-bits → odd ints
⊕ → +
∧ → ×
¬a0 → (a0 + 1), ¬a1 → (a1 + 1)

m = {5, 4, 9, 6}  a = {8, 3}

row3 = a0 × a1 × 6 = 8 × 3 × 6 = 144
row2 = (a0 + 1) × a1 × 9 = (8 + 1) × 3 × 9 = 243
row1 = a0 × (a1 + 1) × 4 = 8 × (3 + 1) × 4 = 128
row0 = (a0 + 1) × (a1 + 1) × 5 = (8 + 1) × (3 + 1) × 5 = 180

c = row0∘row1∘row2∘row3
= 180∘128∘243∘144
= 826087619 ≙ 1

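
The circuit-encryption slides (single-bit adder and encrypted memory access) as an added example, not part of the original deck. It first replays the deck's parity-only values, then goes one step beyond the slides and assumes the integer scheme that the "random r * secret p" remark hints at (c = bit + 2r + p·q, decrypt as (c mod p) mod 2) to show noise growth breaking decryption; function names and both keys are constructed for this sketch.

```python
# Added example (not from the slides). Assumed toy scheme: c = bit + 2*r + p*q,
# with secret odd p, small random r and random q; decrypt = (c mod p) mod 2.
import random

def h_xor(a, b): return a + b                 # ⊕ → +
def h_and(a, b): return a * b                 # ∧ → ×
def h_or(a, b):  return (a + b) + (a * b)     # ∘ = (a + b) + (a × b)
def h_not(a):    return a + 1                 # XOR(x, 1) = NOT(x)

def full_adder(a, b, cin):
    s = h_xor(h_xor(a, b), cin)
    cout = h_or(h_and(a, b), h_and(h_xor(a, b), cin))
    return s, cout

def memory_read(m, a0, a1):
    rows = [h_and(h_and(h_not(a0), h_not(a1)), m[0]),
            h_and(h_and(a0, h_not(a1)), m[1]),
            h_and(h_and(h_not(a0), a1), m[2]),
            h_and(h_and(a0, a1), m[3])]
    c = rows[0]
    for row in rows[1:]:
        c = h_or(c, row)
    return c

def encrypt(bit, p, r, q):
    return bit + 2 * r + p * q                # noise term is bit + 2*r

def noise(c, p):
    return (c + p // 2) % p - p // 2          # residue of c centred around 0

def decrypt(c, p):
    return noise(c, p) % 2                    # correct only while |noise| < p/2

def fresh(bit, p, rng):
    return encrypt(bit, p, rng.randrange(-4, 5), rng.randrange(1, 2**40))

if __name__ == "__main__":
    print(full_adder(3, 4, 7))                # the slides' parity-only values
    print(memory_read([5, 4, 9, 6], 8, 3))
    rng, p = random.Random(), 2**61 - 1       # constructed key, large enough for both circuits
    s, cout = full_adder(fresh(1, p, rng), fresh(0, p, rng), fresh(1, p, rng))
    print(decrypt(s, p), decrypt(cout, p), noise(cout, p))
    small = 101                               # constructed key that is too small
    prod = h_and(encrypt(1, small, 3, 5), encrypt(1, small, 4, 7))
    print(decrypt(prod, small), noise(prod, small))   # noise 7*9 = 63 exceeds 101/2
```
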
Fully homomorphic encryption

● "Holy Grail" of cryptography

● First proposed within a year of RSA development
○ 1979
○ Idea due to weird homomorphic property of RSA
(remember the area solver example)

● for more than 30 years: unclear whether FHE even possible
○ During that time: best one = Boneh-Goh-Nissim
(the one where only one multiplication was possible)

Google trends
"fully homomorphic encryption"

Gentry's approach
● 2009: Craig Gentry shows fully homomorphic encryption in his doctoral thesis

● Employs somewhat homomorphic encryption scheme using ideal lattices
(based on "shortest lattice vector" problem used in cryptography, which is NP-hard)

● Scheme is bootstrappable
○ can evaluate its own decryption circuit

● Through recursive self-embedding, leads to FHE
○ ciphertexts are reencrypted, eliminating noise

Gentry's approach
(diagram) ciphertext, secret key → plaintext
(diagram) ciphertext, encryption of secret key → refreshed ciphertext

catechism, flickr (CC BY-NC-SA 2.0)

https://www.youtube.com/watch?v=Y1TxCiOuoYY

Issues
1 000 000 000 000x

[...] a simple string search using homomorphic encryption is about a trillion times slower than without encryption. [1]

[1] CryptDB: A practical encrypted relational DBMS, RA Popa, N Zeldovich, H Balakrishnan, 2011

Fully hom. enc. IRL
● HELib by Shai Halevi (2013)
○ Implementation of Brakerski-Gentry-Vaikuntanathan [1] scheme
○ Using many optimizations in literature [2][3] for speed
○ Does not implement bootstrapping (yet)

Performance
Even numbers < 65537, 80 bits of security

Modulus   Time for addition (ms)   Time for multiplication (ms)
257       0.7                      39
8209      0.7                      38
65537     2.9                      177

[1] Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan: (Leveled) fully homomorphic encryption without bootstrapping. ITCS 201
[2] Nigel P. Smart, Frederik Vercauteren: Fully Homomorphic SIMD Operations. IACR Cryptology ePrint Archive 2011: 133 (2011)
[3] Craig Gentry, Shai Halevi, Nigel P. Smart: Homomorphic Evaluation of the AES Circuit, CRYPTO 2012

Criticism

Visions of a fully homomorphic cryptosystem have been dancing in cryptographers' heads for thirty years. [...] It will be years before a sufficient number of cryptographers examine the algorithm that we can have any confidence that the scheme is secure. [1]

—Bruce Schneier, cryptographer, April 2013

[1] Homomorphic Encryption Breakthrough, Schneier on Security, Bruce Schneier https://www.schneier.com/blog/archives/2009/07/homomorphic_enc.html

Last few years

Conclusion

“ — Halevi, 2012

[1] Recent Advances in Homomorphic Encryption, presentation by Shai Halevi, IBM Research, Feb. 13, 2012, http://n
csail.mit.edu/sys-security/FHE.pptx

Thanks for listening

Questions?

Source: http://www.google.com/patents/US7995750
