A Survey on Homomorphic Encryption Schemes: Theory and Implementation

Legacy encryption systems depend on sharing a key (public or private) among the peers involved in exchanging an encrypted message. However, this approach poses privacy concerns. Especially with popular cloud services, the control over the privacy of the sensitive data is lost. Even when the keys are not shared, the encrypted material is shared with a third party that does not necessarily need to access the content. Moreover, untrusted servers, providers, and cloud operators can keep identifying elements of users long after users end the relationship with the services. Indeed, Homomorphic Encryption (HE), a special kind of encryption scheme, can address these concerns as it allows any third party to operate on the encrypted data without decrypting it in advance. Although this extremely useful feature of the HE scheme has been known for over 30 years, the first plausible and achievable Fully Homomorphic Encryption (FHE) scheme, which allows any computable function to perform on the encrypted data, was introduced by Craig Gentry in 2009. Even though this was a major achievement, different implementations so far demonstrated that FHE still needs to be improved significantly to be practical on every platform. First, we present the basics of HE and the details of the well-known Partially Homomorphic Encryption (PHE) and Somewhat Homomorphic Encryption (SWHE), which are important pillars of achieving FHE. Then, the main FHE families, which have become the base for the other follow-up FHE schemes are presented. Furthermore, the implementations and recent improvements in Gentry-type FHE schemes are also surveyed. Finally, further research directions are discussed. This survey is intended to give a clear knowledge and foundation to researchers and practitioners interested in knowing, applying, as well as extending the state of the art HE, PHE, SWHE, and FHE systems.Comment: - Updated. (October 6, 2017) - This paper is an early draft of the survey that is being submitted to ACM CSUR and has been uploaded to arXiv for feedback from stakeholder

Why you cannot even hope to use Gr\uf6bner bases in cryptography: an eternal golden braid of failures

In 1994, Moss Sweedler\u2019s dog proposed a cryptosystem, known as Barkee\u2019s Cryptosystem, and the related cryptanalysis. Its explicit aim was to dispel the proposal of using the urban legend that \u201cGr\uf6bner bases are hard to compute\u201d, in order to devise a public key cryptography scheme. Therefore he claimed that \u201cno scheme using Gr\uf6bner bases will ever work\u201d. Later, further variations of Barkee\u2019s Cryptosystem were proposed on the basis of another urban legend, related to the infiniteness (and consequent uncomputability) of non-commutative Gr\uf6bner bases; unfortunately Pritchard\u2019s algorithm for computing (finite) non-commutative Gr\uf6bner bases was already available at that time and was sufficient to crash the system proposed by Ackermann and Kreuzer. The proposal by Rai, where the private key is a principal ideal and the public key is a bunch of polynomials within this principal ideal, is surely immune to Pritchard\u2019s attack but not to Davenport\u2019s factorization algorithm. It was recently adapted specializing and extending Stickel\u2019s Diffie\u2013Hellman protocols in the setting of Ore extension. We here propose a further generalization and show that such protocols can be broken simply via polynomial division and Buchberger reduction

Bounded Fully Homomorphic Encryption from Monoid Algebras

We present a new method that produces bounded FHE schemes (see Definition 3), starting with encryption schemes that support one algebraic operation. We use this technique to construct examples of encryption schemes that, theoretically can handle any algebraic function on encrypted data

Additively Homomorphic Encryption with d-Operand Multiplications

The search for encryption schemes that allow to evaluate functions (or circuits) over encrypted data has attracted a lot of attention since the seminal work on this subject by Rivest, Adleman and Dertouzos in 1978. In this work we define a theoretical object, chained encryption schemes, which allow an efficient evaluation of polynomials of degree d over encrypted data. Chained encryption schemes are generically constructed by concatenating cryptosystems with the appropriate homomorphic properties; such schemes are common in lattice-based cryptography. As a particular instantiation we propose a chained encryption scheme whose IND-CPA security is based on a worst-case/average-case reduction from uSVP

Homomorphic encryption in algebraic settings

PhD ThesisCryptography methods have been around for a long time to protect sensitive data. With data sets becoming increasingly large we wish to not only store sensitive data in public clouds but in fact, analyse and compute there too. The idea behind homomorphic encryption is that encryption preserves the structure and allows us to perform the same operations on ciphertext as we would on the plaintext. A lot of the work so far restricts the operations that can be performed correctly on ciphertexts. The goal of this thesis is to explore methods for encryption which should greatly increase the amount of analysis and computation that can be performed on ciphertexts. First of all, we will consider the implications of quantum computers on cryptography. There has already been research conducted into quantum-resistant encryption methods. The particular method we will be interested in is still classical. We are assuming these schemes are going to be used in a post-quantum world anyway, we look at how we can use the quantum properties to improve the cryptosystem. More speci cally, we aim to remove a restriction that naturally comes with the scheme restricting how many operations we can perform on ciphertexts. Secondly, we propose a key exchange protocol that works in a polynomial ideal setting. We do this so that the key can be used for a homomorphic cryptography protocol. The advantage of using key exchange over a public key system is that a large proportion of the process needs to be carried out only once instead of needing a more complicated encryption function to use for each piece of data. Polynomial rings are an appropriate choice of structure for this particular type of scheme as they allow us to do everything we need. We will examine how we can perform computation correctly on ciphertexts and address some of the potential weaknesses of such a process. Finally after establishing a fully homomorphic encryption system we will take a more in-depth look at complexity. Measuring the complexity of mathematical problems is, of course, crucial in cryptography, but the choice of measure is something we need to consider seriously. In the nal chapter we will look at generic complexity as its gives us a good feel for how di cult the typical instances of a problem are to solve.Engineering and Physical Sciences Research Council, Centre for Doctoral Training in Cloud Computing for Big Dat

On FHE without bootstrapping

We investigate the use of multivariate polynomials in constructing a fully homomorphic encryption. In this work we come up with two fully homomorphic schemes. First, we propose an IND-CPA secure symmetric key homomorphic encryption scheme using multivariate polynomial ring over finite fields. This scheme gives a method of constructing a CPA secure homomorphic encryption scheme from another symmetric deterministic CPA secure scheme. We base the security of the scheme on pseudo random functions and also construct an information theoretically secure variant, rather than basing security on hard problems like Ideal Membership and Gröbner basis as seen in most polly cracker based schemes which also use multivariate polynomial rings. This scheme is not compact but has many interesting properties- It can evaluate circuits of arbitrary depths without bootstrapping for bounded length input to the algorithm. Second what follows naturally is, an attempt to make it compact we propose some changes to the scheme and analyse the scheme in (Albrecht et. al. Asiacrypt-2011). We try to make it compact but fail and realise that this could give us a Multi Party Computation protocol. Realising that polynomials leads us to non compact schemes we move propose schemes based on matrices. We then propose our candidate for a fully homomorphic encryption without bootstrapping