Homomorphic encryption
General | |
---|---|
Derived from | Ring learning with errors |
Related to | Private set intersection |
Homomorphic encryption is a form of encryption allowing one to perform calculations on encrypted data without decrypting it first. The result of the computation is in an encrypted form, when decrypted the output is the same as if the operations had been performed on the unencrypted data.
Homomorphic encryption can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted. In highly regulated industries, such as health care, homomorphic encryption can be used to enable new services by removing privacy barriers inhibiting data sharing. For example, predictive analytics in health care can be hard to apply via a third party service provider due to medical data privacy concerns, but if the predictive analytics service provider can operate on encrypted data instead, these privacy concerns are diminished.
Description
Homomorphic encryption is a form of encryption with an additional evaluation capability for computing over encrypted data without access to the secret key. The result of such a computation remains encrypted. Homomorphic encryption can be viewed as an extension of either symmetric-key or public-key cryptography. Homomorphic refers to homomorphism in algebra: the encryption and decryption functions can be thought of as homomorphisms between plaintext and ciphertext spaces.
Homomorphic encryption includes multiple types of encryption schemes that can perform different classes of computations over encrypted data.[1] Some common types of homomorphic encryption are partially homomorphic, somewhat homomorphic, leveled fully homomorphic, and fully homomorphic encryption. The computations are represented as either Boolean or arithmetic circuits. Partially homomorphic encryption encompasses schemes that support the evaluation of circuits consisting of only one type of gate, e.g., addition or multiplication. Somewhat homomorphic encryption schemes can evaluate two types of gates, but only for a subset of circuits. Leveled fully homomorphic encryption supports the evaluation of arbitrary circuits of bounded (pre-determined) depth. Fully homomorphic encryption (FHE) allows the evaluation of arbitrary circuits of unbounded depth, and is the strongest notion of homomorphic encryption. For the majority of homomorphic encryption schemes, the multiplicative depth of circuits is the main practical limitation in performing computations over encrypted data.
Homomorphic encryption schemes are inherently malleable. In terms of malleability, homomorphic encryption schemes have weaker security properties than non-homomorphic schemes.
History
Homomorphic encryption schemes have been developed using different approaches. Specifically, fully homomorphic encryption schemes are often grouped into generations corresponding to the underlying approach.[2]
Pre-FHE
The problem of constructing a fully homomorphic encryption scheme was first proposed in 1978, within a year of publishing of the RSA scheme.[3] For more than 30 years, it was unclear whether a solution existed. During that period, partial results included the following schemes:
- RSA cryptosystem (unbounded number of modular multiplications);
- ElGamal cryptosystem (unbounded number of modular multiplications);
- Goldwasser–Micali cryptosystem (unbounded number of exclusive or operations);
- Benaloh cryptosystem (unbounded number of modular additions);
- Paillier cryptosystem (unbounded number of modular additions);
- Sander-Young-Yung system (after more than 20 years solved the problem for logarithmic depth circuits);[4]
- Boneh–Goh–Nissim cryptosystem (unlimited number of addition operations but at most one multiplication);[5]
- Ishai-Paskin cryptosystem (polynomial-size branching programs).[6]
First-generation FHE
Craig Gentry, using lattice-based cryptography, described the first plausible construction for a fully homomorphic encryption scheme.[7] Gentry's scheme supports both addition and multiplication operations on ciphertexts, from which it is possible to construct circuits for performing arbitrary computation. The construction starts from a somewhat homomorphic encryption scheme, which is limited to evaluating low-degree polynomials over encrypted data; it is limited because each ciphertext is noisy in some sense, and this noise grows as one adds and multiplies ciphertexts, until ultimately the noise makes the resulting ciphertext indecipherable. Gentry then shows how to slightly modify this scheme to make it bootstrappable, i.e., capable of evaluating its own decryption circuit and then at least one more operation. Finally, he shows that any bootstrappable somewhat homomorphic encryption scheme can be converted into a fully homomorphic encryption through a recursive self-embedding. For Gentry's "noisy" scheme, the bootstrapping procedure effectively "refreshes" the ciphertext by applying to it the decryption procedure homomorphically, thereby obtaining a new ciphertext that encrypts the same value as before but has lower noise. By "refreshing" the ciphertext periodically whenever the noise grows too large, it is possible to compute an arbitrary number of additions and multiplications without increasing the noise too much. Gentry based the security of his scheme on the assumed hardness of two problems: certain worst-case problems over ideal lattices, and the sparse (or low-weight) subset sum problem. Gentry's Ph.D. thesis[8] provides additional details. The Gentry-Halevi implementation of Gentry's original cryptosystem reported timing of about 30 minutes per basic bit operation.[9] Extensive design and implementation work in subsequent years have improved upon these early implementations by many orders of magnitude runtime performance.
In 2010, Marten van Dijk, Craig Gentry, Shai Halevi and Vinod Vaikuntanathan presented a second fully homomorphic encryption scheme,[10] which uses many of the tools of Gentry's construction, but which does not require ideal lattices. Instead, they show that the somewhat homomorphic component of Gentry's ideal lattice-based scheme can be replaced with a very simple somewhat homomorphic scheme that uses integers. The scheme is therefore conceptually simpler than Gentry's ideal lattice scheme, but has similar properties with regards to homomorphic operations and efficiency. The somewhat homomorphic component in the work of Van Dijk et al. is similar to an encryption scheme proposed by Levieil and Naccache in 2008,[11] and also to one that was proposed by Bram Cohen in 1998.[12] Cohen's method is not even additively homomorphic, however. The Levieil–Naccache scheme supports only additions, but it can be modified to also support a small number of multiplications. Many refinements and optimizations of the scheme of Van Dijk et al. were proposed in a sequence of works by Jean-Sébastien Coron, Tancrède Lepoint, Avradip Mandal, David Naccache, and Mehdi Tibouchi.[13][14][15][16] Some of these works included also implementations of the resulting schemes.
Second-generation FHE
The homomorphic cryptosystems in current use are derived from techniques that were developed starting in 2011-2012 by Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan, and others. These innovations led to the development of much more efficient somewhat and fully homomorphic cryptosystems. These include:
- The Brakerski-Gentry-Vaikuntanathan (BGV, 2011) scheme,[17] building on techniques of Brakerski-Vaikuntanathan;[18]
- The NTRU-based scheme by Lopez-Alt, Tromer, and Vaikuntanathan (LTV, 2012);[19]
- The Brakerski/Fan-Vercauteren (BFV, 2012) scheme,[20] building on Brakerski's scale-invariant cryptosystem;[21]
- The NTRU-based scheme by Bos, Lauter, Loftus, and Naehrig (BLLN, 2013),[22] building on LTV and Brakerski's scale-invariant cryptosystem;[21]
The security of most of these schemes is based on the hardness of the (Ring) Learning With Errors (RLWE) problem, except for the LTV and BLLN schemes that rely on an overstretched[23] variant of the NTRU computational problem. This NTRU variant was subsequently shown vulnerable to subfield lattice attacks,[24][23] which is why these two schemes are no longer used in practice.
All the second-generation cryptosystems still follow the basic blueprint of Gentry's original construction, namely they first construct a somewhat homomorphic cryptosystem and then convert it to a fully homomorphic cryptosystem using bootstrapping.
A distinguishing characteristic of the second-generation cryptosystems is that they all feature a much slower growth of the noise during the homomorphic computations. Additional optimizations by Craig Gentry, Shai Halevi, and Nigel Smart resulted in cryptosystems with nearly optimal asymptotic complexity: Performing operations on data encrypted with security parameter has complexity of only .[25][26][27] These optimizations build on the Smart-Vercauteren techniques that enables packing of many plaintext values in a single ciphertext and operating on all these plaintext values in a SIMD fashion.[28] Many of the advances in these second-generation cryptosystems were also ported to the cryptosystem over the integers.[15][16]
Another distinguishing feature of second-generation schemes is that they are efficient enough for many applications even without invoking bootstrapping, instead operating in the leveled FHE mode.
Third-generation FHE
In 2013, Craig Gentry, Amit Sahai, and Brent Waters (GSW) proposed a new technique for building FHE schemes that avoids an expensive "relinearization" step in homomorphic multiplication.[29] Zvika Brakerski and Vinod Vaikuntanathan observed that for certain types of circuits, the GSW cryptosystem features an even slower growth rate of noise, and hence better efficiency and stronger security.[30] Jacob Alperin-Sheriff and Chris Peikert then described a very efficient bootstrapping technique based on this observation.[31]
These techniques were further improved to develop efficient ring variants of the GSW cryptosystem: FHEW (2014)[32] and TFHE (2016).[33] The FHEW scheme was the first to show that by refreshing the ciphertexts after every single operation, it is possible to reduce the bootstrapping time to a fraction of a second. FHEW introduced a new method to compute Boolean gates on encrypted data that greatly simplifies bootstrapping, and implemented a variant of the bootstrapping procedure.[31] The efficiency of FHEW was further improved by the TFHE scheme, which implements a ring variant of the bootstrapping procedure[34] using a method similar to the one in FHEW.
Fourth-generation FHE
CKKS scheme[35] supports efficient rounding operations in encrypted state. The rounding operation controls noise increase in encrypted multiplication, which reduces the number of bootstrapping in a circuit. In Crypto2018, CKKS is focused as a solution for encrypted machine learning. This is due to a characteristic of CKKS scheme that encrypts approximate values rather than exact values. When computers store real-valued data, they remember approximate values with long significant bits, not real values exactly. CKKS scheme is constructed to deal efficiently with the errors arising from the approximations. The scheme is familiar to machine learning which has inherent noises in its structure.
A 2021 article by Baiyu Li and Daniele Micciancio discusses passive attacks against CKKS.[36] The authors apply the attack to four modern homomorphic encryption libraries (HEAAN, SEAL, HElib and PALISADE) and report that it is possible to recover the secret key in several parameter configurations. According to the article, a potential mitigation would require updating the decryption algorithm of CKKS to prevent recovering the encryption noise of a ciphertext.
Partially homomorphic cryptosystems
In the following examples, the notation is used to denote the encryption of the message .
Unpadded RSA
If the RSA public key has modulus and encryption exponent , then the encryption of a message is given by . The homomorphic property is then
ElGamal
In the ElGamal cryptosystem, in a cyclic group of order with generator , if the public key is , where , and is the secret key, then the encryption of a message is , for some random . The homomorphic property is then
Goldwasser–Micali
In the Goldwasser–Micali cryptosystem, if the public key is the modulus and quadratic non-residue , then the encryption of a bit is , for some random . The homomorphic property is then
where denotes addition modulo 2, (i.e. exclusive-or).
Benaloh
In the Benaloh cryptosystem, if the public key is the modulus and the base with a blocksize of , then the encryption of a message is , for some random . The homomorphic property is then
Paillier
In the Paillier cryptosystem, if the public key is the modulus and the base , then the encryption of a message is , for some random . The homomorphic property is then
Other partially homomorphic cryptosystems
- Okamoto–Uchiyama cryptosystem
- Naccache–Stern cryptosystem
- Damgård–Jurik cryptosystem
- Sander–Young–Yung encryption scheme
- Boneh–Goh–Nissim cryptosystem
- Ishai–Paskin cryptosystem
- Castagnos–Laguillaumie cryptosystem[37]
Fully homomorphic encryption
A cryptosystem that supports arbitrary computation on ciphertexts is known as fully homomorphic encryption (FHE). Such a scheme enables the construction of programs for any desirable functionality, which can be run on encrypted inputs to produce an encryption of the result. Since such a program need never decrypt its inputs, it can be run by an untrusted party without revealing its inputs and internal state. Fully homomorphic cryptosystems have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing.[38]
Implementations
A list of open-source FHE libraries implementing second-generation and/or third-generation FHE schemes is provided above. An up-to-date list of homomorphic encryption implementations is also maintained by the HomomorphicEncryption.org industry standards consortium.
There are several open-source implementations of second- and third-generation fully homomorphic encryption schemes. Second-generation FHE scheme implementations typically operate in the leveled FHE mode (though bootstrapping is still available in some libraries) and support efficient SIMD-like packing of data; they are typically used to compute on encrypted integers or real/complex numbers. Third-generation FHE scheme implementations often bootstrap after each Boolean gate operation but have limited support for packing and efficient arithmetic computations; they are typically used to compute Boolean circuits over encrypted bits. The choice of using a second-generation vs. third-generation scheme depends on the input data types and the desired computation.
Name | Developer | BGV[17] | CKKS[35] | BFV[20] | FHEW [32] | CKKS Bootstrapping [39] | TFHE[33] | Description |
---|---|---|---|---|---|---|---|---|
HElib[40] | IBM | Yes | Yes | No | No | No | No | BGV scheme with the GHS optimizations. |
Microsoft SEAL[41] | Microsoft | No | Yes | Yes | No | No | No | |
PALISADE[42] | Consortium of DARPA-funded defense contractors and academics: New Jersey Institute of Technology, Duality Technologies, Raytheon BBN Technologies, MIT, University of California, San Diego and others. | Yes | Yes | Yes | Yes | No | Yes | General-purpose lattice cryptography library. |
HEAAN[43] | Seoul National University | No | Yes | No | No | Yes | No | |
FHEW[32] | Leo Ducas and Daniele Micciancio | No | No | No | Yes | No | No | |
TFHE[33] | Ilaria Chillotti, Nicolas Gama, Mariya Georgieva and Malika Izabachene | No | No | No | No | No | Yes | |
FV-NFLlib[44] | CryptoExperts | No | No | Yes | No | No | No | |
NuFHE[45] | NuCypher | No | No | No | No | No | Yes | Provides a GPU implementation of TFHE. |
Lattigo[46] | No | Yes | Yes | No | No | No | Implementation in Go along with their distributed variants enabling Secure multi-party computation. |
Name | Developer | FHEW [32] | TFHE | Helib | SEAL | PALISADE |
---|---|---|---|---|---|---|
E3[47] | MoMA Lab at NYU Abu Dhabi | Yes | Yes | Yes | Yes | Yes |
SHEEP[48] | Alan Turing Institute | No | Yes | Yes | Yes | Yes |
Standardization
A community standard for homomorphic encryption is maintained by the HomomorphicEncryption.org group, an open industry/government/academia consortium co-founded in 2017 by Microsoft, IBM and Duality Technologies. The current standard document includes specifications of secure parameters for RLWE.
See also
- Homomorphic secret sharing
- Homomorphic signatures for network coding
- Private biometrics
- Verifiable computing using a fully homomorphic scheme
- Client-side encryption
- Searchable symmetric encryption
- Secure multi-party computation
- Format-preserving encryption
- Polymorphic code
- Private set intersection
References
- ^
Armknecht, Frederik; Boyd, Colin; Gjøsteen, Kristian; Jäschke, Angela; Reuter, Christian; Strand, Martin (2015). "A Guide to Fully Homomorphic Encryption".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Vinod Vaikuntanathan. "Homomorphic Encryption References".
- ^ R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, 1978.
- ^
Sander, Tomas; Young, Adam L.; Yung, Moti (1999). Non-Interactive CryptoComputing For NC1. pp. 554–566. doi:10.1109/SFFCS.1999.814630. ISBN 978-0-7695-0409-4. S2CID 1976588.
{{cite book}}
:|journal=
ignored (help) - ^ D. Boneh, E. Goh, and K. Nissim. Evaluating 2-DNF Formulas on Ciphertexts. In Theory of Cryptography Conference, 2005.
- ^ Y. Ishai and A. Paskin. Evaluating branching programs on encrypted data. In Theory of Cryptography Conference, 2007.
- ^ Craig Gentry. Fully Homomorphic Encryption Using Ideal Lattices. In the 41st ACM Symposium on Theory of Computing (STOC), 2009.
- ^ Craig Gentry. "A Fully Homomorphic Encryption Scheme (Ph.D. thesis)" (PDF).
- ^ Gentry, Craig; Halevi, Shai (2010). "Implementing Gentry's fully-homomorphic encryption scheme". Eurocrypt 2011.
- ^ Van Dijk, Marten; Gentry, Craig; Halevi, Shai; Vinod, Vaikuntanathan (2009). "Fully Homomorphic Encryption over the Integers". Eurocrypt 2010.
- ^ Levieil, Eric; Naccache, David. "Cryptographic Test Correction" (PDF).
- ^ Cohen, Bram. "Simple Public Key Encryption". Archived from the original on 2011-10-07.
- ^ Coron, Jean-Sébastien; Naccache, David; Tibouchi, Mehdi (2011). "Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers". Eurocrypt 2012.
- ^ Coron, Jean-Sébastien; Mandal, Avradip; Naccache, David; Tibouchi, Mehdi (2011). "Fully Homomorphic Encryption over the Integers with Shorter Public Keys". Crypto 2011. Lecture Notes in Computer Science. 6841: 487–504. doi:10.1007/978-3-642-22792-9_28. ISBN 978-3-642-22791-2.
- ^ a b Coron, Jean-Sébastien; Lepoint, Tancrède; Tibouchi, Mehdi (2013). "Batch Fully Homomorphic Encryption over the Integers". Eurocrypt 2013.
- ^ a b Coron, Jean-Sébastien; Lepoint, Tancrède; Tibouchi, Mehdi (2014). "Scale-Invariant Fully Homomorphic Encryption over the Integers". PKC 2014.
- ^ a b Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping, In ITCS 2012
- ^ Z. Brakerski and V. Vaikuntanathan. Efficient Fully Homomorphic Encryption from (Standard) LWE. In FOCS 2011 (IEEE)
- ^ A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. In STOC 2012 (ACM)
- ^ a b
Fan, Junfeng; Vercauteren, Frederik (2012). "Somewhat Practical Fully Homomorphic Encryption".
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ a b Z. Brakerski. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP, In CRYPTO 2012 (Springer)
- ^ J. Bos, K. Lauter, J. Loftus, and M. Naehrig. Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme. In IMACC 2013 (Springer)
- ^ a b M. Albrecht, S. Bai, and L. Ducas. A subfield lattice attack on overstretched NTRU assumptions, In CRYPTO 2016 (Springer)
- ^ Cheon, J. H.; Jeong, J; Lee, C. (2016). "An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero". LMS Journal of Computation and Mathematics. 19 (1): 255–266. doi:10.1112/S1461157016000371.
- ^ C. Gentry, S. Halevi, and N. P. Smart. Fully Homomorphic Encryption with Polylog Overhead. In EUROCRYPT 2012 (Springer)
- ^ C. Gentry, S. Halevi, and N. P. Smart. Better Bootstrapping in Fully Homomorphic Encryption. In PKC 2012 (SpringeR)
- ^ C. Gentry, S. Halevi, and N. P. Smart. Homomorphic Evaluation of the AES Circuit. In CRYPTO 2012 (Springer)
- ^ Smart, Nigel P.; Vercauteren, Frederik (2014). "Fully Homomorphic SIMD Operations". Designs, Codes and Cryptography. 71 (1): 57–81. doi:10.1007/s10623-012-9720-4. S2CID 11202438.
- ^ C. Gentry, A. Sahai, and B. Waters. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In CRYPTO 2013 (Springer)
- ^ Z. Brakerski and V. Vaikuntanathan. Lattice-Based FHE as Secure as PKE. In ITCS 2014
- ^ a b J. Alperin-Sheriff and C. Peikert. Faster Bootstrapping with Polynomial Error. In CRYPTO 2014 (Springer)
- ^ a b c d Leo Ducas; Daniele Micciancio. "FHEW: A Fully Homomorphic Encryption library". Retrieved 31 December 2014.
- ^ a b c Ilaria Chillotti; Nicolas Gama; Mariya Georgieva; Malika Izabachene. "Faster Fully Homomorphic Encryption: Bootstrapping in less than 0.1 Seconds". Retrieved 31 December 2016.
- ^ N. Gama, M. Izabachène, P.Q. Nguyen, and X. Xie Structural Lattice Reduction: Generalized Worst-Case to Average-Case Reductions and Homomorphic Cryptosystems. In EUROCRYPT 2016 (Springer)
- ^ a b Cheon, Jung Hee; Kim, Andrey; Kim, Miran; Song, Yongsoo (2017). "Homomorphic encryption for arithmetic of approximate numbers". Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Springer, Cham. pp. 409–437. doi:10.1007/978-3-319-70694-8_15.
- ^ Li, Baily; Micciancio, Daniele (5 January 2021). "On the Security of Homomorphic Encryption on Approximate Numbers" (PDF). IACR ePrint Archive 2020/1533.
- ^
Guilhem Castagnos and Fabien Laguillaumie (2015). "Linearly Homomorphic Encryption from DDH" (PDF).
{{cite journal}}
: Cite journal requires|journal=
(help) - ^ Daniele Micciancio (2010-03-01). "A First Glimpse of Cryptography's Holy Grail". Association for Computing Machinery. p. 96. Retrieved 2010-03-17.
- ^ Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. Bootstrapping for Approximate Homomorphic Encryption. In EUROCRYPT 2018 (Springer).
- ^ Shai Halevi; Victor Shoup. "HElib: An Implementation of homomorphic encryption". Retrieved 31 December 2014.
- ^ Microsoft Research. "Microsoft SEAL". Retrieved 20 February 2019.
- ^ "PALISADE Lattice Cryptography Library". Retrieved 1 January 2019.
- ^ Jung Hee Cheon; Kyoohyung Han; Andrey Kim; Miran Kim; Yongsoo Song. "Homomorphic Encryption for Arithmetic of Approximate Numbers". Retrieved 15 May 2016.
- ^ Crypto Experts. "FV-NFLlib". Retrieved 1 November 2019.
- ^ NuCypher. "A GPU implementation of fully homomorphic encryption on torus". Retrieved 1 November 2019.
- ^ EPFL-LDS. "Lattigo v1.3.0". Retrieved 6 January 2020.
- ^ MoMA Lab, New York University Abu Dhabi (2019-07-24). "Encrypt-Everything-Everywhere (E3)". Retrieved 27 July 2019.
- ^
Alan Turing Institute, London, UK (2019-11-01). "SHEEP, a Homomorphic Encryption Evaluation Platform". Retrieved 1 November 2019.
{{cite web}}
: CS1 maint: multiple names: authors list (link)
External links
- Daniele Micciancio's FHE references
- Vinod Vaikuntanathan's FHE references
- "Alice and Bob in Cipherspace". American Scientist. September 2012. Retrieved 2018-05-08.
- HElib, open-source homomorphic encryption library
- Microsoft SEAL, open-source homomorphic encryption library by Microsoft
- PALISADE, open-source lattice cryptography framework
- HEAAN, open-source homomorphic encryption library
- FHEW, open-source homomorphic encryption library
- TFHE, open-source homomorphic encryption library