157 research outputs found

    A Survey on Homomorphic Encryption Schemes: Theory and Implementation

    Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.
    Comment: Updated (October 6, 2017). This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder

    Masteroppgave i kryptografi (Master's thesis in cryptography)

    In this paper we look at the use of bootstrapping and squashing in order to make an encryption scheme fully homomorphic. The focus will be on what this is and how it can be used. The main focus will be on how this is applied in the paper [11] by van Dijk, Gentry, Halevi and Vaikuntanathan

    A Study on Bootstrapping Techniques for Homomorphic Encryption

    Thesis (Ph.D.) -- Seoul National University Graduate School: College of Natural Sciences, Department of Mathematical Sciences, 2019. 2. Cheon Jung Hee.

    Since Gentry first designed fully homomorphic encryption in 2009, various techniques and schemes have been designed for optimization and speed. However, because of the efficiency problem of the bootstrapping technique, which is essential for making the number of homomorphic operations unlimited, homomorphic encryption has often been judged unsuitable for real applications. This thesis presents various techniques for speeding up bootstrapping and applies them to a real application area. We study bootstrapping for representative homomorphic encryption schemes. First, we study bootstrapping techniques applicable to SEAL and HElib, the homomorphic encryption libraries made by Microsoft Research and IBM. The key step in this bootstrapping is computing the decryption function in the encrypted state. By proposing a new method for extracting the lowest bit in the encrypted state, we succeed in reducing both the computation consumed during bootstrapping and the degree of the polynomial involved. Second, we improve the bootstrapping technique of HEAAN, a relatively recently developed homomorphic encryption scheme for approximate arithmetic. A bootstrapping technique for this scheme was first proposed in 2018 using an approximation by trigonometric functions, but for ciphertexts holding a lot of data the pre-processing and post-processing steps account for most of the computation. By expressing these steps as recursive functions over several stages, we succeed in reducing the computation logarithmically with respect to the data size. In addition, although they are used less than other schemes, we also improve the bootstrapping technique for integer-based homomorphic encryption schemes and, as a result, succeed in reducing the computation logarithmically. Finally, to show the usefulness and applicability of bootstrapping, we apply it to machine learning, a field that requires real data security. We perform regression analysis on 400,000 financial records using encrypted data. As a result, we obtain a meaningful model with more than 80% accuracy and an AUROC of about 0.8 within about 16 hours.

    After Gentry's blueprint on homomorphic encryption (HE) scheme, various efficient schemes have been suggested. For unlimited number of operations between encrypted data, the bootstrapping process is necessary. There are only a few works on bootstrapping procedure because of the complexity and inefficiency of bootstrapping. In this paper, we propose various methods and techniques for improved bootstrapping algorithm, and we apply it to logistic regression on large scale encrypted data. The bootstrapping process depends on based homomorphic encryption scheme. For various schemes such as BGV, BFV, HEAAN, and integer-based scheme, we improve bootstrapping algorithm. First, we improved bootstrapping for BGV (HElib) and FV (SEAL) schemes which are implemented by Microsoft Research and IBM respectively. The key process for bootstrapping in those two schemes is extracting lower digits of plaintext in encrypted state. We suggest new polynomial that removes lowest digit of input, and we apply it to bootstrapping with previous method. As a result, both the complexity and the consumed depth are reduced. Second, bootstrapping for multiple data needs homomorphic linear transformation. The complexity of this part is O(n) for number of slot n, and this part becomes a bottleneck when we use large n. We use the structure of linear transformation which is used in bootstrapping, and we decompose the matrix which is corresponding to the transformation. By applying recursive strategy, we reduce the complexity to O(log n). Furthermore, we suggest new bootstrapping method for integer-based HE schemes which are based on approximate greatest common divisor problem. By using digit extraction instead of previous bit-wise approach, the complexity of bootstrapping algorithm is reduced from O(poly(lambda)) to O(log^2(lambda)). Our implementation for this process shows 6 seconds which was about 3 minutes. To show that bootstrapping can be used for practical application, we implement logistic regression on encrypted data with large scale. Our target data has 400,000 samples, and each sample has 200 features. Because of the size of the data, direct application of homomorphic encryption scheme is almost impossible. Therefore, we decide the method for encryption to maximize the effect of multi-threading and SIMD operations in HE scheme. As a result, our homomorphic logistic regression takes about 16 hours for the target data. The output model has 0.8 AUROC with about 80% accuracy. Another experiment on MNIST dataset shows correctness of our implementation and method.

    Abstract 1 Introduction 1.1 Homomorphic Encryption 1.2 Machine Learning on Encrypted Data 1.3 List of Papers 2 Background 2.1 Notation 2.2 Homomorphic Encryption 2.3 Ring Learning with Errors 2.4 Approximate GCD 3 Lower Digit Removal and Improved Bootstrapping 3.1 Basis of BGV and BFV scheme 3.2 Improved Digit Extraction Algorithm 3.3 Bootstrapping for BGV and BFV Scheme 3.3.1 Our modifications 3.4 Slim Bootstrapping Algorithm 3.5 Implementation Result 4 Faster Homomorphic DFT and Improved Bootstrapping 4.1 Basis of HEAAN scheme 4.2 Homomorphic DFT 4.2.1 Previous Approach 4.2.2 Our method 4.2.3 Hybrid method 4.2.4 Implementation Result 4.3 Improved Bootstrapping for HEAAN 4.3.1 Linear Transformation in Bootstrapping 4.3.2 Improved CoeffToSlot and SlotToCoeff 4.3.3 Implementation Result 5 Faster Bootstrapping for FHE over the integers 5.1 Basis of FHE over the integers 5.2 Decryption Function via Digit Extraction 5.2.1 Squashed Decryption Function 5.2.2 Digit extraction Technique 5.2.3 Homomorphic Digit Extraction in FHE over the integers 5.3 Bootstrapping for FHE over the integers 5.3.1 CLT scheme with M Z_t 5.3.2 Homomorphic Operations with M Z_t^a 5.3.3 Homomorphic Digit Extraction for CLT scheme 5.3.4 Our Method on the CLT scheme 5.3.5 Analysis of Proposed Bootstrapping Method 5.4 Implementation Result 6 Logistic Regression on Large Encrypted Data 6.1 Basis of Logistic Regression 6.2 Logistic Regression on Encrypted Data 6.2.1 HE-friendly Logistic Regression Algorithm 6.2.2 HE-Optimized Logistic Regression Algorithm 6.2.3 Further Optimization 6.3 Evaluation 6.3.1 Logistic Regression on Encrypted Financial Dataset 6.3.2 Logistic Regression on Encrypted MNIST Dataset 6.3.3 Discussion 7 Conclusions Abstract (in Korean) Docto

    Integer-based fully homomorphic encryption

    The concept of fully homomorphic encryption has been considered the holy grail of cryptography since the discovery of secure public key cryptography in the 1970s. Fully homomorphic encryption allows arbitrary computation on encrypted data to be performed securely. Craig Gentry's new method of bootstrapping introduced in 2009 provides a technique for constructing fully homomorphic cryptosystems. In this paper we explore one such bootstrappable system based on simple integer arithmetic in a manner that someone without a high level of experience in homomorphic encryption can readily understand. Further, we present an implementation of the system as well as a lattice-based attack. We present performance results of our implementation under various parameter choices and the resistance of the system to the lattice-based attack under those parameters. Unfortunately, while the system is very interesting from a theoretical point of view, the results show that it is still not feasible for use

    Homomorphic Encryption — Theory and Application


    Improving Additive and Multiplicative Homomorphic Encryption Schemes Based on Worst-Case Hardness Assumptions

    In CRYPTO 2010, Aguilar et al. proposed a somewhat homomorphic encryption scheme, i.e. an encryption scheme allowing to compute a limited amount of sums and products over encrypted data, with a security reduction from LWE over general lattices. General lattices (as opposed to ideal lattices) do not have an inherent multiplicative structure but, using a tensorial product, Aguilar et al. managed to obtain a scheme allowing to compute products with a polylogarithmic amount of operands. In this paper we present an alternative construction allowing to compute products with polynomially-many operands while preserving the security reductions of the initial scheme. Unfortunately, despite this improvement our construction seems to be incompatible with Gentry's seminal transformation allowing to obtain fully-homomorphic encryption schemes. Recently, Brakerski et al. used the tensorial product approach introduced by Aguilar et al. in a new alternative way which allows to radically improve the performance of the obtained scheme. Based on this approach, and using two nice optimizations, their scheme is able to evaluate products with exponentially-many operands and can be transformed into an efficient fully-homomorphic encryption scheme while being based on general lattice problems. However, even if these results outperform the construction presented here, we believe the modifications we suggest for Aguilar et al.'s schemes are of independent interest

    Homomorphic Encryption

    In this thesis, we provide a summary of fully homomorphic encryption, and in particular, look at the BGV encryption scheme by Brakerski, Gentry, and Vaikuntanathan; as well the DGHV encryption scheme by van Dijk, Gentry, Halevi, and Vaikuntanathan. We explain the mechanisms developed by Gentry in his breakthrough work, and show examples of how they are used. While looking at the BGV encryption scheme, we make improvements to the underlying lemmas dealing with modulus switching and noise management, and show that the lemmas as currently stated are false. We then examine a lower bound on the hardness of the Learning With Errors lattice problem, and use this to develop specific parameters for the BGV encryption scheme at a variety of security levels. We then study the DGHV encryption scheme, and show how the somewhat homomorphic encryption scheme can be implemented as both a fully homomorphic encryption scheme with bootstrapping, as well as a leveled fully homomorphic encryption scheme using the techniques from the BGV encryption scheme. We then extend the parameters from the optimized version of this scheme to higher security levels, and describe a more straightforward way of arriving at these parameters

    Development of Cryptography since Shannon

    This paper presents the development of cryptography since Shannon's seminal paper "Communication Theory of Secrecy Systems" in 1949