FULLY HOMOMORPHIC ENCRYPTION WITH POLYLOG OVERHEAD Craig Gentry
- Slides: 54
FULLY HOMOMORPHIC ENCRYPTION WITH POLYLOG OVERHEAD Craig Gentry and Shai Halevi IBM Watson Nigel Smart Univ. Of Bristol
Homomorphic Encryption • Usual procedures (Key. Gen, Enc, Dec) • Say, encrypting bits • Usual semantic-security requirement • (pk, Encpk(0)) ~ (pk, Encpk(1)) • Additional Eval procedure • Evaluate arithmetic circuits on ciphertexts • Result decrypted to the evaluation of the same circuit on the underlying plaintext bits • Ciphertext does not grow with circuit complexity • This work: asymptotically efficient Eval
Contemporary HE Schemes •
Our Result • time per level # of levels
Our Approach • Use HE over polynomial rings • Pack an array of bits in each ciphertext • Use ring-automorphisms to move bits around in the arrays • Efficient data-movement schemes • Using Beneš/Waksman networks and extensions
BACKGROUND • Homomorphic Encryption over Polynomials Rings • Evaluation representation, plaintext slots • Homomorphic SIMD operations
HE Over Polynomial Rings •
Plaintext Algebra (1) •
Plaintext Algebra (2) • 32 T: 32 34 44 31 29 19 16 T: 16 17 22 47 46 41 8 T: 8 40 11 55 23 52 4 T: 4 20 37 59 43 26 2 T: 2 10 50 61 53 13 T: 1 5 25 62 58 38
Plaintext Slots •
Homomorphic SIMD [SV’ 11] •
x x x 1 x 2 x 3 x 4 x 5 x 6 x 7 1 0 0 1 0 x 8 x 9 x 10 x 11 x 12 x 13 0 1 1 0 = x 14 = x 1 0 0 x 4 0 x 6 0 + 0 x 9 x 10 0 x 12 0 x 14 x 1 x 9 x 10 x 4 x 12 x 6 x 14 1 • We will use this later
COMPUTING ON DATA ARRAYS Forget about encryption for the moment…
+ + + + + So you want to compute some function… × × + + + × + × × × × × 1 x 2 x 3 x 4 x 5 0 + + + 1 x 7 x 8 x 9 x 10 x 11 x 12 1 x 14 x 15 x 16 x 17 x 18 x 19 1 x 22 x 23 x 24 x 25 x 26 ADD and MUL are a complete set of operations. Input bits
+ + + + + So you want to compute some function using SIMD… × × + + + × + × × × × × 1 x 2 x 3 x 4 x 5 x 1 x 2 x 3 x 4 x 5 0 + + + 1 x 7 x 8 x 9 x 10 x 11 x 12 x 7 x 8 x 9 x 10 x 11 x 12 1 x 14 x 15 x 16 x 17 x 18 x 19 1 x 22 x 23 x 24 x 25 x 26 x 21 x 22 x 23 x 24 x 25 x 26 Input bits
Routing Values Between Levels • We need to map this x 1 x 2 x 3 x 4 x 5 0 x 7 x 8 x 9 x 10 x 11 x 12 x 15 x 16 x 17 x 18 x 19 1 x 22 x 23 x 24 x 25 x 26 1 + + + + • Into that x 1 x 3 x 5 x 7 x 9 x 11 1 x 15 x 17 x 19 x 21 x 23 x 25 x 2 x 4 0 x 8 x 10 x 12 x 14 x 16 x 18 1 x 22 x 24 x 26 x 14
+ + + x 1 x 2 x 3 x 4 x 5 0 x 1 x 2 x 3 x 4 x 5 x 7 x 1 x 3 x 5 * * x 2 x 4 * * * 1 1 1 0 0 0 0 0 x 1 x 3 x 5 0 0 x 2 x 4 0 0 0
+ + + x 1 x 2 x 3 x 4 x 5 0 x 1 x 3 x 5 0 0 + + x 21 x 43 x 5 0 0 x 2 x 4 0 0 0
+ + + + + × × × + + + + × × × + × 1 + + 1 x 2 x 3 x 4 x 5 0 x 7 x 8 x 9 x 10 x 11 x 12 1 x 14 x 15 x 16 x 17 x 18 x 19 1 x 22 x 23 x 24 x 25 x 26 • Not quite obvious Input bits
Routing Values Between Levels: Three Problems to Solve •
Moving Values Between Slots • 32 T: 32 34 44 31 29 19 16 T: 16 17 22 47 46 41 8 T: 8 40 11 55 23 52 4 T: 4 20 37 59 43 26 2 T: 2 10 50 61 53 13 T: 1 5 25 62 58 38
Moving Values Between Slots •
Homomorphic Automorphisms •
From Shifts to Arbitrary Permutations •
From Shifts to Arbitrary Permutations Use Beneš/Walksman Permutation Networks: • Two back-to-back butterflies • Every exchange is controlled by a bit • Values sent on either straight edges or cross edges • Every permutation can be realized by appropriate setting of the control bits
Realizing Permutation Networks • Claim: every butterfly level can be realized by two shifts and two SELECTs • Example: 0 1 2 3 4 5 6 7 2 1 0 3 6 7 4 5 Control bits: 1 0 1 1
Realizing Permutation Networks a 1 0 1 2 3 4 5 6 7 input a 2 0 1 2 3 4 5 6 7 shift(-2) a 3 0 1 2 3 4 5 6 7 shift(2) 2 1 0 3 6 7 4 5 output
Realizing Permutation Networks a 1 0 1 2 3 4 5 6 7 input a 2 2 3 4 5 6 7 0 1 shift(-2) a 3 6 7 0 1 2 3 4 5 shift(2) a 4 2 1 4 3 6 7 0 1 SELECT(a 1, a 2) a 5 2 1 0 3 6 7 4 5 SELECT(a 3, a 4) 2 1 0 3 6 7 4 5 output
Realizing Permutation Networks Claim: every level of the Benes network can be realized by two shifts and two SELECTs Proof : In every level, all the exchanges are between nodes at the same distance • Distance 2 i for some i Can implement all these exchanges using shift(2 i), shift(-2 i), and two SELECTs
Realizing Permutation Networks •
Routing Values Between Levels • see paper
Handling Large Permutations •
Decomposing Permutations 13 18 14 16 12 15 3 4 5 6 7 8 9 20 19 2 17 1 11 10 ? 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Decomposing Permutations 13 18 14 16 12 15 3 4 5 6 7 8 9 20 19 2 17 1 11 10 13 17 14 5 6 15 3 4 16 12 7 8 9 11 10 2 18 1 20 19 ? 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20
Decomposing Permutations 13 18 14 16 12 1 2 3 4 5 15 3 4 5 6 6 7 8 9 10 7 8 9 20 19 11 12 13 14 15 2 17 1 11 10 16 17 18 19 20 13 17 14 5 6 6 17 13 14 5 15 3 4 16 12 3 4 15 7 8 9 11 10 11 7 8 9 10 2 18 1 20 19 1 2 18 19 20 ?
Decomposing Permutations 13 18 14 16 12 1 2 3 4 5 15 3 4 5 6 6 7 8 9 10 7 8 9 20 19 11 12 13 14 15 2 17 1 11 10 16 17 18 19 20 13 17 14 5 6 6 17 13 14 5 15 3 4 16 12 3 4 15 7 8 9 11 10 11 7 8 9 10 2 18 1 20 19 1 2 18 19 20 ?
Decomposing Permutations 13 18 14 16 12 1 2 3 4 5 15 3 4 5 6 6 7 8 9 10 7 8 9 20 19 11 12 13 14 15 2 17 1 11 10 16 17 18 19 20 13 17 14 5 6 6 17 13 14 5 15 3 4 16 12 3 4 15 7 8 9 11 10 11 7 8 9 10 2 18 1 20 19 1 2 18 19 20 ?
Decomposing Permutations 13 18 14 16 12 1 2 3 4 5 15 3 4 5 6 6 7 8 9 10 7 8 9 20 19 11 12 13 14 15 2 17 1 11 10 16 17 18 19 20 13 17 14 5 6 6 17 13 14 5 15 3 4 16 12 3 4 15 7 8 9 11 10 11 7 8 9 10 2 18 1 20 19 1 2 18 19 20 ?
Handling Large Permutations •
Permuting The Columns Implement a Beneš network over each column
Permuting The Columns First level in all the networks
Permuting The Columns Second level in all the networks, etc.
Handling Large Permutations •
Routing Values Between Levels • see paper
Low Overhead Homomorphic Encryption •
QUESTIONS?
Fan-Out and Cloning intended multiplicity 2 3 1 1 2 2 4 1 2 1 3 1 2 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 x 19 x 20 x 21 variables
Fan-Out and Cloning 2 3 1 1 2 2 4 1 2 1 3 1 2 x 1 x 2 x 3 x 4 x 5 x 6 x 7 x 8 x 9 x 10 x 11 x 12 x 13 x 14 x 15 x 16 x 17 x 18 x 19 x 20 x 21 Sort by intended multiplicity: 4 3 3 2 2 2 2 2 1 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 x 7 x 8 x 12 x 14 x 16 x 18 x 20
Fan-Out and Cloning 4 3 3 2 2 2 2 2 1 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 x 7 x 8 x 12 x 14 x 16 x 18 x 20 Replicate 4 3 3 x 11 x 2 x 17 Replicate and shift 4 3 3 x 11 x 2 x 17
Fan-Out and Cloning 4 3 3 2 2 2 2 2 1 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 x 7 x 8 x 12 x 14 x 16 x 18 x 20 Merge 4 3 3 x 11 x 2 x 17
Fan-Out and Cloning 4 3 3 2 2 2 2 2 1 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 x 7 x 8 x 12 x 14 x 16 x 18 x 20 Replicate, shift, merge 4 3 3 2 2 2 2 2 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 Replicate, shift 4 3 3 2 2 2 2 2 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21
Fan-Out and Cloning 4 3 3 2 2 2 2 2 1 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 x 7 x 8 x 12 x 14 x 16 x 18 x 20 4 3 3 2 2 2 2 2 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 Merge 4 3 3 2 2 2 2 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19
Fan-Out and Cloning 4 3 3 2 2 2 2 2 1 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 x 7 x 8 x 12 x 14 x 16 x 18 x 20 Copy, merge 4 3 3 2 2 2 2 2 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 21 x 3 x 4 Copy 4 3 3 2 2 2 2 1 1 1 1 x 11 x 2 x 17 x 1 x 5 x 6 x 9 x 10 x 13 x 15 x 19 x 7 x 8 x 12 x 14 x 16 x 18 x 20 Each variable appears at least as much as needed
- Craig gentry homomorphic encryption
- Craig gentry homomorphic encryption
- Homomorphic encryption
- Craig gentry
- Craig gentry ibm
- Pq0p
- Homomorphic encryption tutorial
- Homomorphic encryption
- Functional encryption
- Homomorphic encryption tutorial
- Applications for homomorphic encryption
- Skw vk
- Homomorphic encryption tutorial
- Swhe
- Homomorphic encryption standard
- Gsw homomorphic encryption
- Anggaran aktual adalah
- Concordance of remedy relationship
- Scholar-gentry definition
- Gentry e yeomen
- Gentry gallery v berkline
- Scholar gentry definition ap world history
- Gentry locke rakes & moore
- Back handspring slow motion
- Homomorphic filtering block diagram
- Functional encryption
- Asymmetric encryption 歴史
- Searchable symmetric encryption
- Azure sql encryption in transit
- Encryption
- Rfc5116
- Data encryption standard
- Encryption
- Encoding and encryption
- Eax encryption
- Rsa base
- Searchable symmetric encryption
- Functional encryption
- Modern block cipher in cryptography
- Cloudera
- Classical encryption techniques
- Des encryption example
- Conventional encryption
- Outlook 365
- El gamal algorithm
- Conventional encryption
- Sdes encryption algorithm
- Mobile encryption
- Asymmetric encryption java
- Cryptography techniques
- Functional encryption
- Lucifer encryption
- Java symmetric encryption
- Voltage securemail cloud
- Ibm cloud backup