Homomorphic encryption
== Intuitive idea ==

Suppose one would like to delegate the processing of one's data without giving away access to it. This type of situation becomes more and more frequent with the widespread use of cloud computing. Storing unencrypted data in the cloud is very risky and, for some types of data such as medical records, can even be illegal.

On the other hand, at first thought, encrypting the data seems to cancel out the possible benefits of cloud computing, unless one gives the cloud the secret decryption key, sacrificing privacy. Fortunately, there are methods of encrypting data in a ''malleable'' way, such that the encryption can be manipulated without decrypting the data.

To explain the ideas in a tangible manner, we are going to use a physical analogy: Alice, who owns a jewellery store, wants her workers to process raw precious materials into jewellery pieces. Alice is wary of giving her workers complete access to the materials, since she wants to minimise the possibility of theft. The analogy was coined by Gentry <ref name = G10> C. Gentry. Computing arbitrary functions of encrypted data. In "Communications of the ACM", 2010.</ref> and we follow the presentation in his paper.

'''Alice's plan'''

Use a transparent, impenetrable glovebox [https://www.cleatech.com/wp-content/uploads/2015/12/Mini-Glove-Box-with-Airlock_2-450x308C.jpg (see image)] secured by a lock for which only Alice has the key. Using the gloves, a worker can assemble pieces of jewellery from the materials that were previously locked inside the box by Alice. When the pieces are finished, she unlocks the box with her key and extracts them.

The locked glovebox with the raw precious materials inside is an analogy for an encryption of some data <math>m_1, \dots, m_t </math> which can be accessed only using the decryption key. The gloves should be regarded as the ''malleability'' or the ''homomorphic property'' of the encryption. The finished piece of jewellery in the box can be thought of as the encryption of <math> f(m_1, \dots, m_t) </math>, a desired computation on the initial data. The lack of physical access to the raw precious materials in the box is an analogy for the fact that knowing encryptions of <math>m_1, \dots, m_t </math> or <math>f(m_1, \dots, m_t) </math> does not give any information about <math> m_1, \dots, m_t </math> or <math> f(m_1, \dots, m_t) </math> without knowledge of the decryption key.

Of course, Alice's jewellery store, like any analogy, does not represent every aspect of homomorphic encryption well, and one should not take it too literally. Some flaws of this analogy are discussed in Section 4 of Gentry's aforementioned article.
== Definition ==

Every encryption scheme <math>\mathcal E </math> is composed of three algorithms, <math> KeyGen</math>, <math>Encrypt</math> and <math>Decrypt</math>, and two sets, <math> \mathcal P </math> (the plaintext space) and <math> \mathcal C</math> (the ciphertext space). All of the algorithms must be efficient, in the sense that they must run in polynomial time with respect to an a priori fixed security parameter <math> \lambda </math>. Encryption schemes can be [https://en.wikipedia.org/wiki/Symmetric-key_algorithm symmetric] or [https://en.wikipedia.org/wiki/Public-key_cryptography asymmetric]. We will focus here on the asymmetric case (commonly known as public key encryption).

Given a security parameter <math> \lambda </math>, <math>KeyGen</math> generates a key pair <math> (sk,pk) </math>. The next two algorithms describe how to associate to a plaintext <math> m \in \mathcal P </math> a ciphertext <math> c = Encrypt(m,pk) \in \mathcal C </math> using the public key <math> pk </math> and, vice versa, how to associate to a ciphertext <math> c \in \mathcal C </math> a plaintext <math> m = Decrypt(c,sk) </math> using the secret key <math> sk </math>, such that <math> Decrypt(Encrypt(m,pk),sk)=m</math>.

A '''homomorphic encryption scheme''' has a fourth algorithm <math>Evaluate</math>, which is associated with a set <math> \mathcal F </math> of permitted functions. For any function <math>f \in \mathcal F</math> and any ciphertexts <math> c_1,\dots, c_t \in \mathcal C </math> with <math>c_i = Encrypt(m_i, pk) </math>, the algorithm <math>Evaluate(f,c_1,\dots, c_t,pk) </math> outputs a ciphertext <math>c</math> that encrypts <math> f(m_1, \dots, m_t) </math>. In other words, we want that <math> Decrypt(c,sk) = f(m_1, \dots, m_t)</math>. As a shorthand we say that <math> \mathcal E </math> can ''handle functions'' in <math> \mathcal F </math>. For a function <math>g \not \in \mathcal F</math>, <math>Evaluate(g,c_1, \dots, c_t,pk) </math> is not guaranteed to output anything meaningful.

As described so far, it is trivial to construct an encryption scheme that can handle all functions. We can just define <math>Evaluate(f,c_1, \dots, c_t, pk) </math> to output <math> (f,c_1, \dots, c_t) </math> without processing the ciphertexts <math>c_i </math> at all, and then modify <math>Decrypt</math> slightly: to decrypt <math>(f,c_1, \dots,c_t) </math>, first decrypt <math>c_1, \dots, c_t </math> to obtain <math>m_1, \dots, m_t </math> and then apply <math> f </math> to them. But this does not serve the purpose of ''delegating'' the processing of information. In the jewellery store analogy, this is as if the worker sends the box back to Alice without doing any work on the raw precious materials, so Alice has to assemble the jewellery herself.

The purpose of delegating computation is to reduce one's workload. In terms of running time, in a practical encryption scheme decrypting <math>c = Evaluate(f,c_1,\dots, c_t,pk) </math> should require the same amount of computation as decrypting <math> c_1 </math>, or any of the ciphertexts <math> c_i </math> for that matter. Some schemes additionally require that <math> c </math> is of the same size as <math>c_1 </math>. This property is called compactness; its precise definition can be found in <ref name = BRA> Brakerski, Z., Vaikuntanathan, V.: Efficient fully homomorphic encryption from (standard) LWE, R. Ostrovsky editor, IEEE 52nd Annual Symposium on Foundations of Computer Science, FOCS 2011, Palm Springs 2011, pp. 97 - 106 </ref> (Definition 3.4). Also, in a practical encryption scheme the algorithms <math>KeyGen </math>, <math>Encrypt</math> and <math> Decrypt</math> should be effectively computable; in terms of complexity, one usually requires that they run in time polynomial in the security parameter <math> \lambda </math>.

An encryption scheme is fully homomorphic ([[FHE]]) if it can handle all functions, is compact and its <math>Evaluate </math> algorithm is efficient. The trivial solution presented above is not fully homomorphic, since the size of the ciphertexts output by <math> Evaluate </math> depends on the function being evaluated. Moreover, in the trivial example the time needed to decrypt such a ciphertext depends on the evaluated function as well.
== Examples ==

Below we list a few examples of homomorphic encryption schemes. We hope that presenting just the public key together with the <math>Encrypt</math> algorithm is enough to give the reader a clear picture of each scheme.

'''ElGamal'''

In the [https://en.wikipedia.org/wiki/ElGamal_encryption ElGamal cryptosystem], in a cyclic group <math>G</math> of order <math>q</math> with generator <math>g</math>, if the public key is <math>(G, q, g, h)</math>, where <math>h = g^x</math> and <math>x</math> is the secret key, then the encryption of a message <math>m</math> is <math>\mathcal{E}(m) = (g^r,m\cdot h^r)</math>, for some random <math>r \in \{0, \ldots, q-1\}</math>. The homomorphic property is then

:<math>
\begin{align}
\mathcal{E}(m_1) \cdot \mathcal{E}(m_2) &= (g^{r_1},m_1\cdot h^{r_1})(g^{r_2},m_2 \cdot h^{r_2}) \\[6pt]
&= (g^{r_1+r_2},(m_1\cdot m_2) h^{r_1+r_2}) \\[6pt]
&= \mathcal{E}(m_1 \cdot m_2).
\end{align}
</math>
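As an added worked example (not part of the original article), the following toy ElGamal implementation checks the multiplicative property above on constructed parameters: <math>p = 23</math>, <math>q = 11</math> and <math>g = 4</math>, which generates the order-11 subgroup <math>G</math> of squares modulo 23. Note that <math>Evaluate</math> for multiplication needs no key at all, and that the evaluated ciphertext has the same shape as a fresh one (compactness).

```python
import secrets

# Constructed toy parameters, far too small for real use: p = 2q + 1 is a
# safe prime and g = 4 generates the subgroup G of order q of squares mod p.
P, Q, G = 23, 11, 4


def keygen():
    """Return (sk, pk): secret x in {1, ..., q-1} and h = g^x mod p."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


def encrypt(m, h, r=None):
    """E(m) = (g^r, m * h^r) for random r in {0, ..., q-1}; m must lie in G."""
    assert pow(m, Q, P) == 1, "message must be an element of the subgroup G"
    if r is None:
        r = secrets.randbelow(Q)
    return pow(G, r, P), (m * pow(h, r, P)) % P


def decrypt(c, x):
    """m = c2 / c1^x, since c1^x = g^(r x) = h^r."""
    c1, c2 = c
    return (c2 * pow(pow(c1, x, P), -1, P)) % P


def evaluate_mul(c_a, c_b):
    """Evaluate(f = multiplication): componentwise product, no key involved."""
    return (c_a[0] * c_b[0]) % P, (c_a[1] * c_b[1]) % P


def roundtrip(m):
    """Fresh key pair, encrypt m, decrypt it again."""
    x, h = keygen()
    return decrypt(encrypt(m, h), x)


def demo():
    """Return (decrypted product ciphertext, m1 * m2 mod p); both should agree."""
    x, h = keygen()
    m1, m2 = 3, 9          # both lie in G: 3 = 4^4 and 9 = 4^8 (mod 23)
    c = evaluate_mul(encrypt(m1, h), encrypt(m2, h))
    return decrypt(c, x), (m1 * m2) % P


if __name__ == "__main__":
    print(demo())          # (4, 4)
```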

'''Goldwasser–Micali'''

In the [https://en.wikipedia.org/wiki/Goldwasser%E2%80%93Micali_cryptosystem Goldwasser–Micali cryptosystem], if the public key is the modulus <math>n</math> and a quadratic non-residue <math>x</math>, then the encryption of a bit <math>b</math> is <math>\mathcal{E}(b) = x^b r^2 \;\bmod\; n</math>, for some random <math>r \in \{0, \ldots, n-1\}</math>. The homomorphic property is then

:<math>
\begin{align}
\mathcal{E}(b_1)\cdot \mathcal{E}(b_2) &= x^{b_1} r_1^2 x^{b_2} r_2^2 \;\bmod\; n \\[6pt]
&= x^{b_1+b_2} (r_1r_2)^2 \;\bmod\; n \\[6pt]
&= \mathcal{E}(b_1 \oplus b_2).
\end{align}
</math>

where <math>\oplus</math> denotes addition modulo 2 (i.e. [https://en.wikipedia.org/wiki/Exclusive_or exclusive disjunction]).
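As an added worked example (not part of the original article), the following toy Goldwasser–Micali implementation checks the XOR property above for all four bit combinations. It uses constructed primes <math>p = 11</math>, <math>q = 19</math> (so <math>n = 209</math>) and picks <math>x</math> as a non-residue modulo both primes, which is the standard choice that makes <math>x</math> a quadratic non-residue modulo <math>n</math> with Jacobi symbol +1; the case <math>b_1 = b_2 = 1</math> works because <math>x^2</math> is itself a square.

```python
import secrets
from math import gcd

# Constructed toy parameters, far too small for real use.
# Secret key: the primes p and q. Public key: n = p*q and x (computed below).
P_PRIME, Q_PRIME = 11, 19
N = P_PRIME * Q_PRIME   # 209


def legendre(a, p):
    """Euler's criterion: 1 if a is a square mod p, p-1 if not, 0 if p | a."""
    return pow(a, (p - 1) // 2, p)


def find_x():
    """Smallest x that is a non-residue modulo both p and q (Jacobi symbol +1)."""
    for x in range(2, N):
        if legendre(x, P_PRIME) == P_PRIME - 1 and legendre(x, Q_PRIME) == Q_PRIME - 1:
            return x
    raise ValueError("no suitable x found")


X = find_x()            # 2 for these primes


def encrypt(b, r=None):
    """E(b) = x^b * r^2 mod n; r is drawn from the units mod n (gcd(r, n) = 1)."""
    if r is None:
        while True:
            r = secrets.randbelow(N - 1) + 1
            if gcd(r, N) == 1:
                break
    return (pow(X, b, N) * r * r) % N


def decrypt(c):
    """With the factorisation, test whether c is a square mod p: square <=> bit 0."""
    return 0 if legendre(c, P_PRIME) == 1 else 1


def evaluate_xor(c1, c2):
    """Evaluate(f = XOR): multiply the ciphertexts modulo n, no key involved."""
    return (c1 * c2) % N


def demo(b1, b2):
    """Decrypt the homomorphically combined ciphertexts; should equal b1 XOR b2."""
    return decrypt(evaluate_xor(encrypt(b1), encrypt(b2)))


if __name__ == "__main__":
    print([(b1, b2, demo(b1, b2)) for b1 in (0, 1) for b2 in (0, 1)])
```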

Other examples include the [https://en.wikipedia.org/wiki/RSA_(cryptosystem) RSA], [https://en.wikipedia.org/wiki/Paillier_cryptosystem Paillier] and [https://en.wikipedia.org/wiki/Benaloh_cryptosystem Benaloh] encryption schemes.

''Latest revision as of 08:09, 30 December 2020.''

== References ==
# C. Gentry. Computing arbitrary functions of encrypted data. Communications of the ACM, 2010.
# Z. Brakerski and V. Vaikuntanathan. Efficient fully homomorphic encryption from (standard) LWE. In R. Ostrovsky, editor, IEEE 52nd Annual Symposium on Foundations of Computer Science (FOCS 2011), Palm Springs, 2011, pp. 97–106.