(Fully) Homomorphic

Encryption
Presentation by Tran Tien Dat

Overview and Motivation

Homomorphic Properties:
Multiplication: Dec(Enc(A) * Enc(B)) = A * B
Addition: Dec(Enc(A) + Enc(B)) = A + B
ElGamal - partially homomorphic encryption scheme:
Enc(m1) * Enc(m2) = (gr1, m1 . hr1) * (gr2, m2 . hr2)
= (gr1 . gr2, m1 . hr1 . m2 . hr2)
= (gr1 + r2, (m1 . m2) . hr1 + r2)
= Enc(m1 . m2)
With both multiplication and addition, we can perform any arbitrary computation
Allows computation on encrypted data directly, without decrypting the data
Enable outsourcing private computations to the cloud

A Somewhat Homomorphic Encryption Scheme

Symmetric
Parameter: P, N, Q (N < P < Q)
Plaintext: 1 bit, Secret key: P bits, Ciphertext: Q + P bits

KeyGen:
Select a random P-bit odd integer p as the secret key
Encrypt(p, m):
Output ciphertext c = m + 2r + pq
where r is a random (N-1)-bit number,
q is a random Q-bit number.
Decrypt(p, c):
Output m = (c mod p) mod 2

Validity
Encrypt(p, m):= m + 2r + pq
Decrypt(p, c):= (c mod p) mod 2
Decrypt(p, Encrypt(p, m)) = Decrypt(p, m + 2r + pq)
= ((m + 2r + pq) mod p) mod 2
= (m + 2r) mod 2
=m
Works only if m + 2r < p
Satisfied initially because m + 2r is N-bit, p is P-bit, N < P
r is called the noise
Example: p = 17, m = 1
Encrypt(p, m) = c = m + 2r + pq = 1 + 2 . 0 + 17 . 2 = 39 (choose r = 0, q = 2)
Decrypt(p, c) = (c mod p) mod 2 = (39 mod 17) mod 2 = 5 mod 2 = 1 = m

Homomorphic Addition
c1 = Encrypt(p, m1) = m1 + 2r1 + pq1

c2 = Encrypt(p, m2) = m2 + 2r2 + pq2

c1 + c2 = (m1 + m2) + 2(r1 + r2) + p(q1 + q2)

Decrypt(p, c1 + c2) = ((c1 + c2) mod p) mod 2
= (((m1 + m2) + 2(r1 + r2) + p(q1 + q2)) mod p) mod 2
= ((m1 + m2) + 2(r1 + r2)) mod 2
= m1 + m2
Works if (m1 + m2) + 2(r1 + r2) < p
Noise is added up

Homomorphic Multiplication
c1 = Encrypt(p, m1) = m1 + 2r1 + pq1

c2 = Encrypt(p, m2) = m2 + 2r2 + pq2

c1c2 = (m1 + 2r1 + pq1) (m2 + 2r2 + pq2)

= m1m2 + 2m1r2 + m1pq2 + 2m2r1 + 4r1r2 + 2r1pq2 + m2pq1 + 2r2pq1 + p2q1q2
= m1m2 + 2(m1r2 + m2r1+ 2r1r2) + p(m1q2 + m2q1 + 2r1q2 + 2r2q1 + pq1q2)
Decrypt(p, c1c2) = ((c1c2) mod p) mod 2
= (m1m2 + 2(m1r2 + m2r1+ 2r1r2)) mod 2
= m1m2
Works if m1m2 + 2(m1r2 + m2r1+ 2r1r2) < p
Noise is multiplied

Homomorphic Computation of an arbitrary function

Binary addition = XOR, multiplication = AND
For any boolean function f, we can express it as a circuit of XOR and AND gate
Hence we can compute the encryption of f(m1, m2, , mt) from the ciphertexts
c1, c2, , ct
ci = Encrypt(p, mi)
We can compute Evaluate(p, f, c1, c2, , ct)
Such that:
Decrypt(p, Evaluate(p, f, c1, c2, , ct)) = f(m1, m2, , mt)

Limitations of the Somewhat Homomorphic

Encryption Scheme
Addition works if (m1 + m2) + 2(r1 + r2) < p
Multiplication works if m1m2 + 2(m1r2 + m2r1+ 2r1r2) < p
Eventually, the noise will accumulate and exceed p
The scheme can only evaluate a Boolean expression of certain degree
(hence the name Somewhat Homomorphic Encryption)
Symmetric
Can be made asymmetric by using a list of integers as the public key
Beyond todays presentation

Bootstrapping and Fully Homomorphic Encryption

Decrypting, like any other computation, is running a boolean circuit
can be decomposed into binary additions (XOR) and multiplications (AND)
operations
Bootstrappable Homomorphic Encryption: a Homomorphic Encryption scheme
that can evaluate its own decryption circuit and one more addition /
multiplication
can be constructed by including a hint of the secret p in the public key
Decryption will remove noise
we can extend the Somewhat Homomorphic Encryption Scheme to remove
noise when necessary (idea of recryption)
hence we can compute any function of arbitrary degree homomorphically
(i.e. we have a Fully Homomorphic Encryption scheme)