Difference between revisions of "FHE"
Line 5: | Line 5: | ||
Let <math> \mathcal E = (\mathcal C, \mathcal P, KeyGen, Encrypt, Decrypt, Evaluate) </math> be a [[Homomorphic encryption|homomorphic encryption scheme]]. A desirable property of <math> \mathcal E </math> is the possibility of evaluation arbitrary functions on ciphertexts from <math> \mathcal C </math> in a meaningful way. Clearly the complexity of <math>Evaluate(f,c)</math> must depend on the complexity of the function <math>f </math>. To measure the latter, we use <math> S_f </math>, the size of a [[boolean circuit]] that computes <math>f </math>. The algorithm <math> Evaluate </math> is efficient if there exists a polynomial <math> g </math> such that for any function <math> f </math> that is represented by a circuit of size <math> S_f </math>, the complexity of <math> Evaluate(f,c_1, \dots, c_t, pk) </math> is at most <math>S_f \cdot g(\lambda) </math>. | Let <math> \mathcal E = (\mathcal C, \mathcal P, KeyGen, Encrypt, Decrypt, Evaluate) </math> be a [[Homomorphic encryption|homomorphic encryption scheme]]. A desirable property of <math> \mathcal E </math> is the possibility of evaluation arbitrary functions on ciphertexts from <math> \mathcal C </math> in a meaningful way. Clearly the complexity of <math>Evaluate(f,c)</math> must depend on the complexity of the function <math>f </math>. To measure the latter, we use <math> S_f </math>, the size of a [[boolean circuit]] that computes <math>f </math>. The algorithm <math> Evaluate </math> is efficient if there exists a polynomial <math> g </math> such that for any function <math> f </math> that is represented by a circuit of size <math> S_f </math>, the complexity of <math> Evaluate(f,c_1, \dots, c_t, pk) </math> is at most <math>S_f \cdot g(\lambda) </math>. | ||
+ | The circuit representation of <math>f </math> breaks down the computation of <math>f </math> into AND, OR, and NOT gates. To evaluate these it is enough to be able to add, subtract and multiply. Therefore, to obtain a fully homomorphic encryption scheme, all we need is a scheme that supports arbitrary additions, subtractions and multiplications on the ciphertexts, so as it does on their underlying encrypted messages. | ||
== Definitions == | == Definitions == |
Revision as of 09:02, 9 March 2020
Let us fix a security parameter , a variable that measures the input size of the computational problem. In the case of the encryption scheme, both the requirements of the cryptographic algorithms as well as the security of the scheme are expressed in terms of .
Contents
Intuition
Let be a homomorphic encryption scheme. A desirable property of is the possibility of evaluation arbitrary functions on ciphertexts from in a meaningful way. Clearly the complexity of must depend on the complexity of the function . To measure the latter, we use , the size of a boolean circuit that computes . The algorithm is efficient if there exists a polynomial such that for any function that is represented by a circuit of size , the complexity of is at most .
The circuit representation of breaks down the computation of into AND, OR, and NOT gates. To evaluate these it is enough to be able to add, subtract and multiply. Therefore, to obtain a fully homomorphic encryption scheme, all we need is a scheme that supports arbitrary additions, subtractions and multiplications on the ciphertexts, so as it does on their underlying encrypted messages.
Definitions
L Assume that the ciphertext and the plaintext have the algebraic structure of a ring and that is a ring homomorphism.
Definition. A homomorphic encryption scheme is called leveled if the decryption algorithm is correct for for a certain number of ring operations made on .
TODO: Write about the practical reasons for using a leveled scheme.
Definition. A homomorphic encryption scheme is called compact if there exists a polynomial function such that the output length of is at most bits long, regardless of the ring homomorphism or the number of ciphertext inputs , for any tuple of ciphertexts.
A homomorphic encryption scheme as above, but for which we do not require that is polynomial in is called bounded .