Misplaced Pages

Homomorphic encryption: Difference between revisions

Article snapshot taken from Wikipedia with creative commons attribution-sharealike license. Give it a read and then ask your questions in the chat. We can research this topic together.
Browse history interactively← Previous editContent deleted Content addedVisualWikitext
Revision as of 06:58, 19 June 2023 editWikiCleanerBot (talk | contribs)Bots928,066 editsm v2.05b - Bot T20 CW#61 - Fix errors for CW project (Reference before punctuation)Tag: WPCleaner← Previous edit Latest revision as of 10:34, 14 January 2025 edit undo180.254.77.80 (talk) Fully homomorphic encryption: Edited a typoTag: Visual edit 
(44 intermediate revisions by 28 users not shown)
Line 16: Line 16:
}} }}


'''Homomorphic encryption''' is a form of ] that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. Homomorphic encryption can be used for privacy-preserving outsourced ] and ]. This allows data to be encrypted and out-sourced to commercial cloud environments for processing, all while encrypted. '''Homomorphic encryption''' is a form of ] that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. While homomorphic encryption does not protect against side-channel attacks that observe behavior, it can be used for privacy-preserving outsourced ] and ]. This allows data to be encrypted and outsourced to commercial cloud environments for processing, all while encrypted.


As an example of a practical application of homomorphic encryption: encrypted photographs can be scanned for points of interest, without revealing the contents of a photo. However, observation of side-channels can see a photograph being sent to a point-of-interest lookup service, revealing the fact that photographs were taken.
For sensitive data, such as health care information, homomorphic encryption can be used to enable new services by removing privacy barriers inhibiting data sharing or increase security to existing services. For example, ] in health care can be hard to apply via a third party service provider due to ] concerns, but if the predictive analytics service provider can operate on encrypted data instead, these privacy concerns are diminished. Moreover, even if the service provider's system is compromised, the data would remain secure.<ref>{{cite journal |last1=Munjal |first1=Kundan |last2=Bhatia |first2=Rekha |title=A systematic review of homomorphic encryption and its contributions in healthcare industry |journal=Complex & Intelligent Systems |date=2022 |doi=10.1007/s40747-022-00756-z |doi-access=free}}</ref>

Thus, homomorphic encryption eliminates the need for processing data in the clear, thereby preventing attacks that would enable an attacker to access that data while it is being processed, using ].<ref>{{Cite web |last=Sellers |first=Andrew |title=Council Post: Everything You Wanted To Know About Homomorphic Encryption (But Were Afraid To Ask) |url=https://www.forbes.com/sites/forbestechcouncil/2021/04/14/everything-you-wanted-to-know-about-homomorphic-encryption-but-were-afraid-to-ask/ |access-date=2023-08-18 |website=Forbes |language=en}}</ref>

For sensitive data, such as healthcare information, homomorphic encryption can be used to enable new services by removing privacy barriers inhibiting data sharing or increasing security to existing services. For example, ] in healthcare can be hard to apply via a third-party service provider due to ] concerns. But if the predictive-analytics service provider could operate on encrypted data instead, without having the decryption keys, these privacy concerns are diminished. Moreover, even if the service provider's system is compromised, the data would remain secure.<ref>{{cite journal |last1=Munjal |first1=Kundan |last2=Bhatia |first2=Rekha |title=A systematic review of homomorphic encryption and its contributions in healthcare industry |journal=Complex & Intelligent Systems |date=2022 |volume=9 |issue=4 |pages=3759–3786 |doi=10.1007/s40747-022-00756-z |pmid=35531323 |pmc=9062639 |doi-access=free}}</ref>


{{TOC limit|3}} {{TOC limit|3}}
Line 64: Line 68:
* ] (unbounded number of modular additions) * ] (unbounded number of modular additions)
* Sander-Young-Yung system (after more than 20 years solved the problem for logarithmic depth circuits)<ref> * Sander-Young-Yung system (after more than 20 years solved the problem for logarithmic depth circuits)<ref>
{{cite book|last1=Sander|first1=Tomas |last2=Young|first2=Adam L.|last3=Yung|first3=Moti {{cite book|last1=Sander|first1=Tomas |last2=Young|first2=Adam L.|last3=Yung|first3=Moti |title=40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039) |chapter=Non-interactive cryptocomputing for NC/Sup 1/ |pages=554–566 |doi=10.1109/SFFCS.1999.814630 |year=1999 |isbn=978-0-7695-0409-4 |s2cid=1976588 }}</ref>
|chapter=Non-Interactive CryptoComputing For NC1|title=Focs1991|pages=554–566 |doi=10.1109/SFFCS.1999.814630 |year=1999 |isbn=978-0-7695-0409-4 |s2cid=1976588 }}</ref>
* Boneh–Goh–Nissim cryptosystem (unlimited number of addition operations but at most one multiplication)<ref>D. Boneh, E. Goh, and K. Nissim. Evaluating 2-DNF Formulas on Ciphertexts. In ''Theory of Cryptography Conference'', 2005.</ref> * Boneh–Goh–Nissim cryptosystem (unlimited number of addition operations but at most one multiplication)<ref>D. Boneh, E. Goh, and K. Nissim. Evaluating 2-DNF Formulas on Ciphertexts. In ''Theory of Cryptography Conference'', 2005.</ref>
* Ishai-Paskin cryptosystem (polynomial-size ])<ref>Y. Ishai and A. Paskin. Evaluating branching programs on encrypted data. In ''Theory of Cryptography Conference'', 2007.</ref> * Ishai-Paskin cryptosystem (polynomial-size ])<ref>Y. Ishai and A. Paskin. Evaluating branching programs on encrypted data. In ''Theory of Cryptography Conference'', 2007.</ref>
Line 71: Line 74:
===First-generation FHE=== ===First-generation FHE===


], using ], described the first plausible construction for a fully homomorphic encryption scheme in 2009.<ref>{{cite book | doi=10.1145/1536414.1536440 | chapter=Fully homomorphic encryption using ideal lattices | title=Proceedings of the forty-first annual ACM symposium on Theory of computing | date=2009 | last1=Gentry | first1=Craig | pages=169–178 | isbn=978-1-60558-506-2 }}</ref> Gentry's scheme supports both addition and multiplication operations on ciphertexts, from which it is possible to construct circuits for performing arbitrary computation. The construction starts from a ''somewhat homomorphic'' encryption scheme, which is limited to evaluating low-degree polynomials over encrypted data; it is limited because each ciphertext is noisy in some sense, and this noise grows as one adds and multiplies ciphertexts, until ultimately the noise makes the resulting ciphertext indecipherable.
], using ], described the first plausible construction for a fully homomorphic encryption scheme in 2009.<ref>
Craig Gentry. . In ''the 41st ACM Symposium on Theory of Computing (STOC)'', 2009.</ref> Gentry's scheme supports both addition and multiplication operations on ciphertexts, from which it is possible to construct circuits for performing arbitrary computation. The construction starts from a ''somewhat homomorphic'' encryption scheme, which is limited to evaluating low-degree polynomials over encrypted data; it is limited because each ciphertext is noisy in some sense, and this noise grows as one adds and multiplies ciphertexts, until ultimately the noise makes the resulting ciphertext indecipherable.


Gentry then shows how to slightly modify this scheme to make it ''bootstrappable'', i.e., capable of evaluating its own decryption circuit and then at least one more operation. Finally, he shows that any bootstrappable somewhat homomorphic encryption scheme can be converted into a fully homomorphic encryption through a recursive self-embedding. For Gentry's "noisy" scheme, the bootstrapping procedure effectively "refreshes" the ciphertext by applying to it the decryption procedure homomorphically, thereby obtaining a new ciphertext that encrypts the same value as before but has lower noise. By "refreshing" the ciphertext periodically whenever the noise grows too large, it is possible to compute an arbitrary number of additions and multiplications without increasing the noise too much. Gentry then shows how to slightly modify this scheme to make it ''bootstrappable'', i.e., capable of evaluating its own decryption circuit and then at least one more operation. Finally, he shows that any bootstrappable somewhat homomorphic encryption scheme can be converted into a fully homomorphic encryption through a recursive self-embedding. For Gentry's "noisy" scheme, the bootstrapping procedure effectively "refreshes" the ciphertext by applying to it the decryption procedure homomorphically, thereby obtaining a new ciphertext that encrypts the same value as before but has lower noise. By "refreshing" the ciphertext periodically whenever the noise grows too large, it is possible to compute an arbitrary number of additions and multiplications without increasing the noise too much.


Gentry based the security of his scheme on the assumed hardness of two problems: certain worst-case problems over ], and the sparse (or low-weight) subset sum problem. Gentry's Ph.D. thesis<ref> Gentry based the security of his scheme on the assumed hardness of two problems: certain worst-case problems over ], and the sparse (or low-weight) subset sum problem. Gentry's Ph.D. thesis<ref>
{{cite web {{cite thesis
|title=A Fully Homomorphic Encryption Scheme (Ph.D. thesis) |title=A Fully Homomorphic Encryption Scheme
|type=PhD Thesis
|publisher=Stanford University
|url=http://crypto.stanford.edu/craig/ |url=http://crypto.stanford.edu/craig/
|author=Craig Gentry |author=Craig Gentry
|format=PDF |format=PDF
}}</ref> provides additional details. The Gentry-Halevi implementation of Gentry's original cryptosystem reported timing of about 30 minutes per basic bit operation.<ref name=GH11> }}</ref> provides additional details. The Gentry-Halevi implementation of Gentry's original cryptosystem reported a timing of about 30 minutes per basic bit operation.<ref name=GH11>
{{cite journal|last1=Gentry|first1=Craig|last2=Halevi|first2=Shai|title=Implementing Gentry's fully-homomorphic encryption scheme|journal=Eurocrypt 2011|url=http://eprint.iacr.org/2010/520|year=2010}}</ref> Extensive design and implementation work in subsequent years have improved upon these early implementations by many orders of magnitude runtime performance. {{cite book|doi=10.1007/978-3-642-20465-4_9|last1=Gentry|first1=Craig|last2=Halevi|first2=Shai|title=Advances in Cryptology – EUROCRYPT 2011 |chapter=Implementing Gentry's Fully-Homomorphic Encryption Scheme |series=Lecture Notes in Computer Science |chapter-url=http://eprint.iacr.org/2010/520|year=2010|volume=6632 |pages=129–148 |isbn=978-3-642-20464-7 }}</ref> Extensive design and implementation work in subsequent years have improved upon these early implementations by many orders of magnitude runtime performance.


In 2010, Marten van Dijk, ], ] and Vinod Vaikuntanathan presented a second fully homomorphic encryption scheme,<ref> In 2010, Marten van Dijk, ], ] and Vinod Vaikuntanathan presented a second fully homomorphic encryption scheme,<ref>
{{cite journal|last1=Van Dijk|first1=Marten|last2=Gentry|first2=Craig|last3=Halevi|first3=Shai {{cite book|last1=Van Dijk|first1=Marten|last2=Gentry|first2=Craig|last3=Halevi|first3=Shai
|last4=Vinod|first4=Vaikuntanathan |title=Fully Homomorphic Encryption over the Integers|journal=Eurocrypt 2010|url=http://eprint.iacr.org/2009/616|year=2009 }}</ref> which uses many of the tools of Gentry's construction, but which does not require ]. Instead, they show that the somewhat homomorphic component of Gentry's ideal lattice-based scheme can be replaced with a very simple somewhat homomorphic scheme that uses integers. The scheme is therefore conceptually simpler than Gentry's ideal lattice scheme, but has similar properties with regards to homomorphic operations and efficiency. The somewhat homomorphic component in the work of Van Dijk et al. is similar to an encryption scheme proposed by Levieil and ] in 2008,<ref> |last4=Vinod|first4=Vaikuntanathan |title=Advances in Cryptology – EUROCRYPT 2010 |chapter=Fully Homomorphic Encryption over the Integers |series=Lecture Notes in Computer Science |doi=10.1007/978-3-642-13190-5_2|chapter-url=http://eprint.iacr.org/2009/616|year=2009 |volume=6110 |pages=24–43 |isbn=978-3-642-13189-9 }}</ref> which uses many of the tools of Gentry's construction, but which does not require ]. Instead, they show that the somewhat homomorphic component of Gentry's ideal lattice-based scheme can be replaced with a very simple somewhat homomorphic scheme that uses integers. The scheme is therefore conceptually simpler than Gentry's ideal lattice scheme, but has similar properties with regards to homomorphic operations and efficiency. The somewhat homomorphic component in the work of Van Dijk et al. is similar to an encryption scheme proposed by Levieil and ] in 2008,<ref>
{{cite web {{cite book
|title=Cryptographic Test Correction |chapter=Cryptographic Test Correction
|url=https://www.iacr.org/archive/pkc2008/49390088/49390088.pdf |chapter-url=https://www.iacr.org/archive/pkc2008/49390088/49390088.pdf
|last1=Levieil |first1=Eric |last1=Levieil |first1=Eric
|last2=Naccache |first2=David |author-link2=David Naccache |last2=Naccache |first2=David |title=Public Key Cryptography – PKC 2008
|series=Lecture Notes in Computer Science
|date=2008
|volume=4939
|pages=85–100
|author-link2=David Naccache
|doi=10.1007/978-3-540-78440-1_6
|isbn=978-3-540-78439-5
}}</ref> and also to one that was proposed by ] in 1998.<ref> }}</ref> and also to one that was proposed by ] in 1998.<ref>
{{cite web {{cite web
Line 106: Line 117:


] is not even additively homomorphic, however. The Levieil–Naccache scheme supports only additions, but it can be modified to also support a small number of multiplications. Many refinements and optimizations of the scheme of Van Dijk et al. were proposed in a sequence of works by Jean-Sébastien Coron, Tancrède Lepoint, Avradip Mandal, ], and Mehdi Tibouchi.<ref name=CNT12> ] is not even additively homomorphic, however. The Levieil–Naccache scheme supports only additions, but it can be modified to also support a small number of multiplications. Many refinements and optimizations of the scheme of Van Dijk et al. were proposed in a sequence of works by Jean-Sébastien Coron, Tancrède Lepoint, Avradip Mandal, ], and Mehdi Tibouchi.<ref name=CNT12>
{{cite journal|last1=Coron|first1=Jean-Sébastien|last2=Naccache|first2=David|last3=Tibouchi|first3=Mehdi|title=Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers|journal=Eurocrypt 2012|url=http://eprint.iacr.org/2011/440|year=2011}}</ref><ref name=CMNT11> {{cite book|last1=Coron|first1=Jean-Sébastien|last2=Naccache|first2=David|last3=Tibouchi|first3=Mehdi|title=Advances in Cryptology – EUROCRYPT 2012 |chapter=Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers |series=Lecture Notes in Computer Science |chapter-url=http://eprint.iacr.org/2011/440|year=2011|volume=7237 |pages=446–464 |doi=10.1007/978-3-642-29011-4_27|isbn=978-3-642-29010-7 }}</ref><ref name=CMNT11>
{{cite book|last1=Coron|first1=Jean-Sébastien|last2=Mandal|first2=Avradip|last3=Naccache|first3=David |last4=Tibouchi|first4=Mehdi|chapter=Fully Homomorphic Encryption over the Integers with Shorter Public Keys|title=Advances in Cryptology – CRYPTO 2011|volume=6841|pages=487–504|url=http://eprint.iacr.org/2011/441|year=2011|doi=10.1007/978-3-642-22792-9_28|series=Lecture Notes in Computer Science|isbn=978-3-642-22791-2|doi-access=free|editor-last=Rogaway |editor-first= P. }}</ref><ref name=CLT13> {{cite book|last1=Coron|first1=Jean-Sébastien|last2=Mandal|first2=Avradip|last3=Naccache|first3=David |last4=Tibouchi|first4=Mehdi|chapter=Fully Homomorphic Encryption over the Integers with Shorter Public Keys|title=Advances in Cryptology – CRYPTO 2011|volume=6841|pages=487–504|url=http://eprint.iacr.org/2011/441|year=2011|doi=10.1007/978-3-642-22792-9_28|series=Lecture Notes in Computer Science|isbn=978-3-642-22791-2|doi-access=free|editor-last=Rogaway |editor-first= P. }}</ref><ref name=CLT13>
{{cite journal|last1=Coron|first1=Jean-Sébastien|last2=Lepoint|first2=Tancrède|last3=Tibouchi|first3=Mehdi|title=Batch Fully Homomorphic Encryption over the Integers|journal=Eurocrypt 2013|url=http://eprint.iacr.org/2013/036|year=2013}}</ref><ref name=CLT14> {{cite book|last1=Coron|first1=Jean-Sébastien|last2=Lepoint|first2=Tancrède|last3=Tibouchi|first3=Mehdi|title=Advances in Cryptology – EUROCRYPT 2013 |chapter=Batch Fully Homomorphic Encryption over the Integers |series=Lecture Notes in Computer Science |doi=10.1007/978-3-642-38348-9_20|chapter-url=http://eprint.iacr.org/2013/036|year=2013|volume=7881 |pages=315–335 |isbn=978-3-642-38347-2 }}</ref><ref name=CLT14>
{{cite journal|last1=Coron|first1=Jean-Sébastien|last2=Lepoint|first2=Tancrède|last3=Tibouchi|first3=Mehdi|title=Scale-Invariant Fully Homomorphic Encryption over the Integers|journal=PKC 2014|url=http://eprint.iacr.org/2014/032|year=2014}}</ref> Some of these works included also implementations of the resulting schemes. {{cite book|last1=Coron|first1=Jean-Sébastien|last2=Lepoint|first2=Tancrède|last3=Tibouchi|first3=Mehdi|title=Public-Key Cryptography – PKC 2014 |chapter=Scale-Invariant Fully Homomorphic Encryption over the Integers |series=Lecture Notes in Computer Science |doi=10.1007/978-3-642-54631-0_18|chapter-url=http://eprint.iacr.org/2014/032|year=2014|volume=8383 |pages=311–328 |isbn=978-3-642-54630-3 }}</ref> Some of these works included also implementations of the resulting schemes.


===Second-generation FHE=== ===Second-generation FHE===


The homomorphic cryptosystems of this generation are derived from techniques that were developed starting in 2011-2012 by Zvika Brakerski, ], Vinod Vaikuntanathan, and others. These innovations led to the development of much more efficient somewhat and fully homomorphic cryptosystems. These include: The homomorphic cryptosystems of this generation are derived from techniques that were developed starting in 2011–2012 by ], ], ], and others. These innovations led to the development of much more efficient somewhat and fully homomorphic cryptosystems. These include:
* The Brakerski-Gentry-Vaikuntanathan (BGV, 2011) scheme,<ref name=BGV12>Z. Brakerski, C. Gentry, and V. Vaikuntanathan. , In ''ITCS 2012''</ref> building on techniques of Brakerski-Vaikuntanathan;<ref name=BV11b>Z. Brakerski and V. Vaikuntanathan. . In ''FOCS 2011'' (IEEE)</ref> * The Brakerski-Gentry-Vaikuntanathan (BGV, 2011) scheme,<ref name=BGV12>Z. Brakerski, C. Gentry, and V. Vaikuntanathan. , In ''ITCS 2012''</ref> building on techniques of Brakerski-Vaikuntanathan;<ref name=BV11b>Z. Brakerski and V. Vaikuntanathan. . In ''FOCS 2011'' (IEEE)</ref>
* The ]-based scheme by Lopez-Alt, Tromer, and Vaikuntanathan (LTV, 2012);<ref name=LTV12>A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan. . In ''STOC 2012'' (ACM)</ref> * The ]-based scheme by Lopez-Alt, Tromer, and Vaikuntanathan (LTV, 2012);<ref name=LTV12>A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan. . In ''STOC 2012'' (ACM)</ref>
Line 133: Line 144:


A distinguishing characteristic of the second-generation cryptosystems is that they all feature a much slower growth of the noise during the homomorphic computations. Additional optimizations by ], ], and ] resulted in cryptosystems with nearly optimal asymptotic complexity: Performing <math>T</math> operations on data encrypted with security parameter <math>k</math> has complexity of only <math>T\cdot\mathrm{polylog}(k)</math>.<ref name=GHS12a>C. Gentry, S. Halevi, and N. P. Smart. . In ''EUROCRYPT 2012'' (Springer) A distinguishing characteristic of the second-generation cryptosystems is that they all feature a much slower growth of the noise during the homomorphic computations. Additional optimizations by ], ], and ] resulted in cryptosystems with nearly optimal asymptotic complexity: Performing <math>T</math> operations on data encrypted with security parameter <math>k</math> has complexity of only <math>T\cdot\mathrm{polylog}(k)</math>.<ref name=GHS12a>C. Gentry, S. Halevi, and N. P. Smart. . In ''EUROCRYPT 2012'' (Springer)
</ref><ref name=GHS12b>C. Gentry, S. Halevi, and N. P. Smart. . In ''PKC 2012'' (SpringeR)</ref><ref name=GHS12c>C. Gentry, S. Halevi, and N. P. Smart. . In ''CRYPTO 2012'' (Springer)</ref> These optimizations build on the Smart-Vercauteren techniques that enables packing of many plaintext values in a single ciphertext and operating on all these plaintext values in a ] fashion.<ref name=SV11> </ref><ref name=GHS12b>C. Gentry, S. Halevi, and N. P. Smart. . In ''PKC 2012'' (SpringeR)</ref><ref name=GHS12c>C. Gentry, S. Halevi, and N. P. Smart. . In ''CRYPTO 2012'' (Springer)</ref> These optimizations build on the Smart-Vercauteren techniques that enable packing of many plaintext values in a single ciphertext and operating on all these plaintext values in a ] fashion.<ref name=SV11>
{{cite journal|last1=Smart|first1=Nigel P.|last2=Vercauteren|first2=Frederik|title=Fully Homomorphic SIMD Operations |journal=Designs, Codes and Cryptography|volume=71|number=1|pages=57–81 |date=2014|url=http://eprint.iacr.org/2011/133|doi=10.1007/s10623-012-9720-4|s2cid=11202438}}</ref> Many of the advances in these second-generation cryptosystems were also ported to the cryptosystem over the integers.<ref name=CLT13/><ref name=CLT14/> {{cite journal|last1=Smart|first1=Nigel P.|last2=Vercauteren|first2=Frederik|title=Fully Homomorphic SIMD Operations |journal=Designs, Codes and Cryptography|volume=71|number=1|pages=57–81 |date=2014|url=http://eprint.iacr.org/2011/133|doi=10.1007/s10623-012-9720-4|s2cid=11202438|citeseerx=10.1.1.294.4088}}</ref> Many of the advances in these second-generation cryptosystems were also ported to the cryptosystem over the integers.<ref name=CLT13/><ref name=CLT14/>


Another distinguishing feature of second-generation schemes is that they are efficient enough for many applications even without invoking bootstrapping, instead operating in the leveled FHE mode. Another distinguishing feature of second-generation schemes is that they are efficient enough for many applications even without invoking bootstrapping, instead operating in the leveled FHE mode.
Line 236: Line 247:
*Joye-Libert cryptosystem<ref name=BHJL17> *Joye-Libert cryptosystem<ref name=BHJL17>
{{cite journal|last1=Benhamouda|first1=Fabrice|last2=Herranz|first2=Javier|last3=Joye|first3=Marc|last4=Libert|first4=Benoît|title=Efficient cryptosystems from 2<sup>''k''</sup>-th power residue symbols |journal=Journal of Cryptology|volume=30|number=2|pages=519–549|date=2017|url=https://link.springer.com/content/pdf/10.1007/s00145-016-9229-5.pdf|doi=10.1007/s00145-016-9229-5|hdl=2117/103661|s2cid=62063}}</ref> {{cite journal|last1=Benhamouda|first1=Fabrice|last2=Herranz|first2=Javier|last3=Joye|first3=Marc|last4=Libert|first4=Benoît|title=Efficient cryptosystems from 2<sup>''k''</sup>-th power residue symbols |journal=Journal of Cryptology|volume=30|number=2|pages=519–549|date=2017|url=https://link.springer.com/content/pdf/10.1007/s00145-016-9229-5.pdf|doi=10.1007/s00145-016-9229-5|hdl=2117/103661|s2cid=62063}}</ref>
*Castagnos–Laguillaumie cryptosystem<ref> *Castagnos–Laguillaumie cryptosystem<ref>{{cite conference
| last1 = Castagnos | first1 = Guilhem
{{cite journal
| last2 = Laguillaumie | first2 = Fabien
|title=Linearly Homomorphic Encryption from DDH
| editor-last = Nyberg | editor-first = Kaisa
|url=https://eprint.iacr.org/2015/047.pdf
| contribution = Linearly Homomorphic Encryption from DDH
|author=Guilhem Castagnos and Fabien Laguillaumie
| contribution-url = https://eprint.iacr.org/2015/047.pdf
|year=2015
| doi = 10.1007/978-3-319-16715-2_26
}}</ref>
| pages = 487–505
| publisher = Springer
| series = Lecture Notes in Computer Science
| title = Topics in Cryptology – CT-RSA 2015, The Cryptographer's Track at the RSA Conference 2015, San Francisco, CA, USA, April 20–24, 2015. Proceedings
| volume = 9048
| year = 2015| isbn = 978-3-319-16714-5
}}</ref>
<!-- Maybe add information about implementations of partial HE?? --> <!-- Maybe add information about implementations of partial HE?? -->


Line 261: Line 279:


There are several open-source implementations of fully homomorphic encryption schemes. Second-generation and fourth-generation FHE scheme implementations typically operate in the leveled FHE mode (though bootstrapping is still available in some libraries) and support efficient ]-like packing of data; they are typically used to compute on encrypted integers or real/complex numbers. Third-generation FHE scheme implementations often bootstrap after each operation but have limited support for packing; they were initially used to compute Boolean circuits over encrypted bits, but have been extended to support integer arithmetics and univariate function evaluation. The choice of using a second-generation vs. third-generation vs fourth-generation scheme depends on the input data types and the desired computation. There are several open-source implementations of fully homomorphic encryption schemes. Second-generation and fourth-generation FHE scheme implementations typically operate in the leveled FHE mode (though bootstrapping is still available in some libraries) and support efficient ]-like packing of data; they are typically used to compute on encrypted integers or real/complex numbers. Third-generation FHE scheme implementations often bootstrap after each operation but have limited support for packing; they were initially used to compute Boolean circuits over encrypted bits, but have been extended to support integer arithmetics and univariate function evaluation. The choice of using a second-generation vs. third-generation vs fourth-generation scheme depends on the input data types and the desired computation.

In addition, FHE has been combined with ], the blockchain technology that proves that something is true, without revealing any private information. zkFHE enables data encryption throughout data processing, while the results of any processing are verified in a confidential manner.<ref>{{Cite web |title=Don’t Put All Your Privacy Eggs in One ZK Basket {{!}} CoinMarketCap |url=https://coinmarketcap.com/academy/article/dont-put-all-your-privacy-eggs-in-one-zk-basket |access-date=2025-01-14 |website=CoinMarketCap Academy |language=en}}</ref>


{| class="wikitable" {| class="wikitable"
|+ FHE libraries |+ FHE libraries
! Name!!Developer!! BGV<ref name=BGV12 /> !! CKKS<ref name=CKKS17 /> !! BFV<ref name=FV12 /> !! FHEW <ref name=FHEW /> !! CKKS Bootstrapping <ref name="CHK+18">Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. . In ''EUROCRYPT 2018 (Springer)''.</ref> !! TFHE<ref name=TFHE/> !! Description ! Name!!Developer!! BGV<ref name=BGV12 /> !! CKKS<ref name=CKKS17 /> !! BFV<ref name=FV12 /> !! FHEW<ref name=FHEW /> !! CKKS Bootstrapping<ref name="CHK+18">Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. . In ''EUROCRYPT 2018 (Springer)''.</ref>!! TFHE<ref name=TFHE/> !! Description
|- |-
| ]<ref name=HElib>{{cite web|title=HElib: An Implementation of homomorphic encryption|url=https://github.com/homenc/HElib|author=Shai Halevi|author2=Victor Shoup|website=]|access-date=31 December 2014}}</ref>|| ] || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || BGV scheme with the GHS optimizations. | ]<ref name=HElib>{{cite web|title=HElib: An Implementation of homomorphic encryption|url=https://github.com/homenc/HElib|author=Shai Halevi|author2=Victor Shoup|website=]|access-date=31 December 2014}}</ref>|| ] || {{Yes}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || BGV scheme with the GHS optimizations.
Line 294: Line 314:
|website=] |website=]
|access-date=15 May 2016}} |access-date=15 May 2016}}
</ref> || ] || {{No}} || {{Yes}} || {{No}} || {{No}} || {{Yes}} || {{No}} || </ref> || CryptoLab || {{No}} || {{Yes}} || {{No}} || {{No}} || {{Yes}} || {{No}} ||
|- |-
| FHEW<ref name=FHEW> | FHEW<ref name=FHEW>
Line 339: Line 359:
|author=EPFL-LDS |author=EPFL-LDS
|website=] |website=]
|access-date=13 September 2022}}</ref> || , || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{Yes}}<ref name="BOSSUAT+21">Jean-Philippe Bossuat, Christian Mouchet, Juan Troncoso-Pastoriza and Jean-Pierre Hubaux. . In ''EUROCRYPT 2021 (Springer)''.</ref>|| {{No}} || Implementation in ] along with their ] variants<ref name="MOUCHET+20">Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossuat and Jean-Pierre Hubaux. .</ref> enabling ]. |access-date=13 September 2022}}</ref> || EPFL-LDS, Tune Insight || {{Yes}} || {{Yes}} || {{Yes}} || {{No}} || {{Yes}}<ref name="BOSSUAT+21">Jean-Philippe Bossuat, Christian Mouchet, Juan Troncoso-Pastoriza and Jean-Pierre Hubaux. . In ''EUROCRYPT 2021 (Springer)''.</ref>|| {{No}} || Implementation in ] along with their ] variants<ref name="MOUCHET+20">Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossuat and Jean-Pierre Hubaux. .</ref> enabling ].
|- |-
| TFHE-rs<ref name=TFHE-rs>{{cite web | TFHE-rs<ref name=TFHE-rs>{{cite web
Line 346: Line 366:
|author=Zama |author=Zama
|website=] |website=]
|date=15 June 2023}}</ref> || || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} || |date=15 June 2023}}</ref> || Zama || {{No}} || {{No}} || {{No}} || {{No}} || {{No}} || {{Yes}} ||
Rust implementation of TFHE-extended. Supporting boolean, integer operation and univariate function evaluation (via Programmable Bootstrapping<ref>{{cite journal |last1=Chillotti |first1=Ilaria |last2=Joye |first2=Marc |last3=Paillier |first3=Pascal |title=Programmable Bootstrapping Enables Efficient Homomorphic Inference of Deep Neural Networks |journal=Cyber Security Cryptography and Machine Learning |series=Lecture Notes in Computer Science |date=2021 |volume=12716 |pages=1–19 |doi=10.1007/978-3-030-78086-9_1 |isbn=978-3-030-78085-2 |s2cid=231732347 |url=https://eprint.iacr.org/2021/091.pdf |access-date=17 November 2022 |language=en}}</ref>). Rust implementation of TFHE-extended. Supporting Boolean, integer operation and univariate function evaluation (via Programmable Bootstrapping<ref>{{cite book |last1=Chillotti |first1=Ilaria |last2=Joye |first2=Marc |last3=Paillier |first3=Pascal |title=Cyber Security Cryptography and Machine Learning |chapter=Programmable Bootstrapping Enables Efficient Homomorphic Inference of Deep Neural Networks |series=Lecture Notes in Computer Science |date=2021 |volume=12716 |pages=1–19 |doi=10.1007/978-3-030-78086-9_1 |isbn=978-3-030-78085-2 |s2cid=231732347 |chapter-url=https://eprint.iacr.org/2021/091.pdf |access-date=17 November 2022 |language=en}}</ref>).
|-
| Liberate.FHE<ref name=Liberate.FHE>{{cite web
|title=Liberate.FHE
|url=https://github.com/Desilo/liberate-fhe
|author=Desilo
|website=]
|access-date=7 March 2024}}</ref> || Desilo || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || A multi-GPU implementation of CKKS.
|} |}


{| class="wikitable" {| class="wikitable"
|+ FHE frameworks |+ FHE frameworks
! Name !!Developer !! FHEW <ref name=FHEW /> !! TFHE !! HElib !! SEAL !! PALISADE !! Lattigo !! Description ! Name !!Developer !! FHEW<ref name=FHEW /> !! TFHE !! HElib !! SEAL !! PALISADE !! Lattigo !! Description
|- |-
| Concrete<ref name=Concrete>{{cite web | Concrete<ref name=Concrete>{{cite web
Line 359: Line 386:
|author=Zama |author=Zama
|website=] |website=]
|access-date=20 May 2022}}</ref> || || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} || |access-date=20 May 2022}}</ref> || Zama || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} ||
TFHE-extended compiler with a Python Frontend.<ref name=ConcretePython> TFHE-extended compiler with a Python Frontend.<ref name=ConcretePython>
{{cite web {{cite web
Line 368: Line 395:
|date=15 June 2023 |date=15 June 2023
}}</ref> }}</ref>
|- |-
| E3<ref name=E3> | E3<ref name=E3>
{{cite web {{cite web
Line 398: Line 425:
}} }}
</ref> || TwC Group || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || </ref> || TwC Group || {{No}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} || {{Yes}} ||
|-
| HELM<ref name=HELM>
{{cite web
|title=HELM: Navigating Homomorphic Evaluation through Gates and Lookups
|url=https://github.com/TrustworthyComputing/helm
|author=Trustworthy Computing (TwC) Group
|website=]
|access-date=29 July 2024|date=2024-07-29
}}
</ref> || TwC Group || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} ||
|-
| Juliet<ref name=Juliet>
{{cite web
|title=Juliet: A Configurable Processor for Computing on Encrypted Data
|url=https://github.com/TrustworthyComputing/Juliet
|author=Trustworthy Computing (TwC) Group
|website=]
|access-date=25 June 2024|date=2024-06-25
}}
</ref> || TwC Group || {{No}} || {{Yes}} || {{No}} || {{No}} || {{No}} || {{No}} ||
|-
|PEEV<ref>{{Citation |last=TrustworthyComputing |title=TrustworthyComputing/PEEV-verifiableFHE |date=2024-07-18 |url=https://github.com/TrustworthyComputing/PEEV-verifiableFHE |access-date=2024-07-18}}</ref>
|TwC Group
|{{No}}
|{{No}}
|{{No}}
|{{Yes}}
|{{No}}
|{{No}}
|Verifiable encrypted computations based on Rinocchio ZKP and BGV homomorphic Encryption.
|} |}


===Standardization=== ===Standardization===
In 2017, researchers from ], ], ], the ], and others formed an open consortium, the Homomorphic Encryption Standardization Consortium , that maintains a community security ] (The Standard).<ref>{{cite web|date=2017-07-13|title=Homomorphic Encryption Standardization Workshop|url=https://www.microsoft.com/en-us/research/event/homomorphic-encryption-standardization-workshop/ |access-date=2022-05-12|publisher=Microsoft}}</ref><ref>{{cite web|date=2019-08-16|title=Intel, Microsoft Research and Duality Technologies Convene AI Community for Privacy Standards|url=https://newsroom.intel.com/news/intel-microsoft-research-duality-technologies-convene-ai-community-privacy-standards/ |access-date=2022-05-12|publisher=Intel Newsroom}}</ref><ref>{{cite web|date=8 March 2021|title=Intel, Microsoft join DARPA effort to accelerate fully homomorphic encryption|url=https://www.csoonline.com/article/3610752/intel-microsoft-join-darpa-effort-to-accelerate-fully-homomorphic-encryption.html}}</ref> In 2017, researchers from ], ], ], the ], and others formed the open , which maintains a community security ].<ref>{{cite web|date=2017-07-13|title=Homomorphic Encryption Standardization Workshop|url=https://www.microsoft.com/en-us/research/event/homomorphic-encryption-standardization-workshop/ |access-date=2022-05-12|publisher=Microsoft}}</ref><ref>{{cite web|date=2019-08-16|title=Intel, Microsoft Research and Duality Technologies Convene AI Community for Privacy Standards|url=https://newsroom.intel.com/news/intel-microsoft-research-duality-technologies-convene-ai-community-privacy-standards/ |access-date=2022-05-12|publisher=Intel Newsroom}}</ref><ref>{{cite web|date=8 March 2021|title=Intel, Microsoft join DARPA effort to accelerate fully homomorphic encryption|url=https://www.csoonline.com/article/3610752/intel-microsoft-join-darpa-effort-to-accelerate-fully-homomorphic-encryption.html}}</ref>


==See also== ==See also==
Line 409: Line 466:
*] *]
*] *]
*]
*] *]
*] *]

Latest revision as of 10:34, 14 January 2025

Form of encryption that allows computation on ciphertexts
Homomorphic encryption
General
Derived fromVarious assumptions, including learning with errors, Ring learning with errors or even RSA (multiplicative) and others
Related toFunctional encryption

Homomorphic encryption is a form of encryption that allows computations to be performed on encrypted data without first having to decrypt it. The resulting computations are left in an encrypted form which, when decrypted, result in an output that is identical to that produced had the operations been performed on the unencrypted data. While homomorphic encryption does not protect against side-channel attacks that observe behavior, it can be used for privacy-preserving outsourced storage and computation. This allows data to be encrypted and outsourced to commercial cloud environments for processing, all while encrypted.

As an example of a practical application of homomorphic encryption: encrypted photographs can be scanned for points of interest, without revealing the contents of a photo. However, observation of side-channels can see a photograph being sent to a point-of-interest lookup service, revealing the fact that photographs were taken.

Thus, homomorphic encryption eliminates the need for processing data in the clear, thereby preventing attacks that would enable an attacker to access that data while it is being processed, using privilege escalation.

For sensitive data, such as healthcare information, homomorphic encryption can be used to enable new services by removing privacy barriers inhibiting data sharing or increasing security to existing services. For example, predictive analytics in healthcare can be hard to apply via a third-party service provider due to medical data privacy concerns. But if the predictive-analytics service provider could operate on encrypted data instead, without having the decryption keys, these privacy concerns are diminished. Moreover, even if the service provider's system is compromised, the data would remain secure.

Description

Homomorphic encryption is a form of encryption with an additional evaluation capability for computing over encrypted data without access to the secret key. The result of such a computation remains encrypted. Homomorphic encryption can be viewed as an extension of public-key cryptography. Homomorphic refers to homomorphism in algebra: the encryption and decryption functions can be thought of as homomorphisms between plaintext and ciphertext spaces.

Homomorphic encryption includes multiple types of encryption schemes that can perform different classes of computations over encrypted data. The computations are represented as either Boolean or arithmetic circuits. Some common types of homomorphic encryption are partially homomorphic, somewhat homomorphic, leveled fully homomorphic, and fully homomorphic encryption:

  • Partially homomorphic encryption encompasses schemes that support the evaluation of circuits consisting of only one type of gate, e.g., addition or multiplication.
  • Somewhat homomorphic encryption schemes can evaluate two types of gates, but only for a subset of circuits.
  • Leveled fully homomorphic encryption supports the evaluation of arbitrary circuits composed of multiple types of gates of bounded (pre-determined) depth.
  • Fully homomorphic encryption (FHE) allows the evaluation of arbitrary circuits composed of multiple types of gates of unbounded depth and is the strongest notion of homomorphic encryption.

For the majority of homomorphic encryption schemes, the multiplicative depth of circuits is the main practical limitation in performing computations over encrypted data. Homomorphic encryption schemes are inherently malleable. In terms of malleability, homomorphic encryption schemes have weaker security properties than non-homomorphic schemes.

History

Homomorphic encryption schemes have been developed using different approaches. Specifically, fully homomorphic encryption schemes are often grouped into generations corresponding to the underlying approach.

Pre-FHE

The problem of constructing a fully homomorphic encryption scheme was first proposed in 1978, within a year of publishing of the RSA scheme. For more than 30 years, it was unclear whether a solution existed. During that period, partial results included the following schemes:

First-generation FHE

Craig Gentry, using lattice-based cryptography, described the first plausible construction for a fully homomorphic encryption scheme in 2009. Gentry's scheme supports both addition and multiplication operations on ciphertexts, from which it is possible to construct circuits for performing arbitrary computation. The construction starts from a somewhat homomorphic encryption scheme, which is limited to evaluating low-degree polynomials over encrypted data; it is limited because each ciphertext is noisy in some sense, and this noise grows as one adds and multiplies ciphertexts, until ultimately the noise makes the resulting ciphertext indecipherable.

Gentry then shows how to slightly modify this scheme to make it bootstrappable, i.e., capable of evaluating its own decryption circuit and then at least one more operation. Finally, he shows that any bootstrappable somewhat homomorphic encryption scheme can be converted into a fully homomorphic encryption through a recursive self-embedding. For Gentry's "noisy" scheme, the bootstrapping procedure effectively "refreshes" the ciphertext by applying to it the decryption procedure homomorphically, thereby obtaining a new ciphertext that encrypts the same value as before but has lower noise. By "refreshing" the ciphertext periodically whenever the noise grows too large, it is possible to compute an arbitrary number of additions and multiplications without increasing the noise too much.

Gentry based the security of his scheme on the assumed hardness of two problems: certain worst-case problems over ideal lattices, and the sparse (or low-weight) subset sum problem. Gentry's Ph.D. thesis provides additional details. The Gentry-Halevi implementation of Gentry's original cryptosystem reported a timing of about 30 minutes per basic bit operation. Extensive design and implementation work in subsequent years have improved upon these early implementations by many orders of magnitude runtime performance.

In 2010, Marten van Dijk, Craig Gentry, Shai Halevi and Vinod Vaikuntanathan presented a second fully homomorphic encryption scheme, which uses many of the tools of Gentry's construction, but which does not require ideal lattices. Instead, they show that the somewhat homomorphic component of Gentry's ideal lattice-based scheme can be replaced with a very simple somewhat homomorphic scheme that uses integers. The scheme is therefore conceptually simpler than Gentry's ideal lattice scheme, but has similar properties with regards to homomorphic operations and efficiency. The somewhat homomorphic component in the work of Van Dijk et al. is similar to an encryption scheme proposed by Levieil and Naccache in 2008, and also to one that was proposed by Bram Cohen in 1998.

Cohen's method is not even additively homomorphic, however. The Levieil–Naccache scheme supports only additions, but it can be modified to also support a small number of multiplications. Many refinements and optimizations of the scheme of Van Dijk et al. were proposed in a sequence of works by Jean-Sébastien Coron, Tancrède Lepoint, Avradip Mandal, David Naccache, and Mehdi Tibouchi. Some of these works included also implementations of the resulting schemes.

Second-generation FHE

The homomorphic cryptosystems of this generation are derived from techniques that were developed starting in 2011–2012 by Zvika Brakerski, Craig Gentry, Vinod Vaikuntanathan, and others. These innovations led to the development of much more efficient somewhat and fully homomorphic cryptosystems. These include:

  • The Brakerski-Gentry-Vaikuntanathan (BGV, 2011) scheme, building on techniques of Brakerski-Vaikuntanathan;
  • The NTRU-based scheme by Lopez-Alt, Tromer, and Vaikuntanathan (LTV, 2012);
  • The Brakerski/Fan-Vercauteren (BFV, 2012) scheme, building on Brakerski's scale-invariant cryptosystem;
  • The NTRU-based scheme by Bos, Lauter, Loftus, and Naehrig (BLLN, 2013), building on LTV and Brakerski's scale-invariant cryptosystem;

The security of most of these schemes is based on the hardness of the (Ring) Learning With Errors (RLWE) problem, except for the LTV and BLLN schemes that rely on an overstretched variant of the NTRU computational problem. This NTRU variant was subsequently shown vulnerable to subfield lattice attacks, which is why these two schemes are no longer used in practice.

All the second-generation cryptosystems still follow the basic blueprint of Gentry's original construction, namely they first construct a somewhat homomorphic cryptosystem and then convert it to a fully homomorphic cryptosystem using bootstrapping.

A distinguishing characteristic of the second-generation cryptosystems is that they all feature a much slower growth of the noise during the homomorphic computations. Additional optimizations by Craig Gentry, Shai Halevi, and Nigel Smart resulted in cryptosystems with nearly optimal asymptotic complexity: Performing T {\displaystyle T} operations on data encrypted with security parameter k {\displaystyle k} has complexity of only T p o l y l o g ( k ) {\displaystyle T\cdot \mathrm {polylog} (k)} . These optimizations build on the Smart-Vercauteren techniques that enable packing of many plaintext values in a single ciphertext and operating on all these plaintext values in a SIMD fashion. Many of the advances in these second-generation cryptosystems were also ported to the cryptosystem over the integers.

Another distinguishing feature of second-generation schemes is that they are efficient enough for many applications even without invoking bootstrapping, instead operating in the leveled FHE mode.

Third-generation FHE

In 2013, Craig Gentry, Amit Sahai, and Brent Waters (GSW) proposed a new technique for building FHE schemes that avoids an expensive "relinearization" step in homomorphic multiplication. Zvika Brakerski and Vinod Vaikuntanathan observed that for certain types of circuits, the GSW cryptosystem features an even slower growth rate of noise, and hence better efficiency and stronger security. Jacob Alperin-Sheriff and Chris Peikert then described a very efficient bootstrapping technique based on this observation.

These techniques were further improved to develop efficient ring variants of the GSW cryptosystem: FHEW (2014) and TFHE (2016). The FHEW scheme was the first to show that by refreshing the ciphertexts after every single operation, it is possible to reduce the bootstrapping time to a fraction of a second. FHEW introduced a new method to compute Boolean gates on encrypted data that greatly simplifies bootstrapping and implemented a variant of the bootstrapping procedure. The efficiency of FHEW was further improved by the TFHE scheme, which implements a ring variant of the bootstrapping procedure using a method similar to the one in FHEW.

Fourth-generation FHE

In 2016, Cheon, Kim, Kim and Song (CKKS) proposed an approximate homomorphic encryption scheme that supports a special kind of fixed-point arithmetic that is commonly referred to as block floating point arithmetic. The CKKS scheme includes an efficient rescaling operation that scales down an encrypted message after a multiplication. For comparison, such rescaling requires bootstrapping in the BGV and BFV schemes. The rescaling operation makes CKKS scheme the most efficient method for evaluating polynomial approximations, and is the preferred approach for implementing privacy-preserving machine learning applications. The scheme introduces several approximation errors, both nondeterministic and deterministic, that require special handling in practice.

A 2020 article by Baiyu Li and Daniele Micciancio discusses passive attacks against CKKS, suggesting that the standard IND-CPA definition may not be sufficient in scenarios where decryption results are shared. The authors apply the attack to four modern homomorphic encryption libraries (HEAAN, SEAL, HElib and PALISADE) and report that it is possible to recover the secret key from decryption results in several parameter configurations. The authors also propose mitigation strategies for these attacks, and include a Responsible Disclosure in the paper suggesting that the homomorphic encryption libraries already implemented mitigations for the attacks before the article became publicly available. Further information on the mitigation strategies implemented in the homomorphic encryption libraries has also been published.

Partially homomorphic cryptosystems

In the following examples, the notation E ( x ) {\displaystyle {\mathcal {E}}(x)} is used to denote the encryption of the message x {\displaystyle x} .

Unpadded RSA

If the RSA public key has modulus n {\displaystyle n} and encryption exponent e {\displaystyle e} , then the encryption of a message m {\displaystyle m} is given by E ( m ) = m e mod n {\displaystyle {\mathcal {E}}(m)=m^{e}\;{\bmod {\;}}n} . The homomorphic property is then

E ( m 1 ) E ( m 2 ) = m 1 e m 2 e mod n = ( m 1 m 2 ) e mod n = E ( m 1 m 2 ) {\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=m_{1}^{e}m_{2}^{e}\;{\bmod {\;}}n\\&=(m_{1}m_{2})^{e}\;{\bmod {\;}}n\\&={\mathcal {E}}(m_{1}\cdot m_{2})\end{aligned}}}

ElGamal

In the ElGamal cryptosystem, in a cyclic group G {\displaystyle G} of order q {\displaystyle q} with generator g {\displaystyle g} , if the public key is ( G , q , g , h ) {\displaystyle (G,q,g,h)} , where h = g x {\displaystyle h=g^{x}} , and x {\displaystyle x} is the secret key, then the encryption of a message m {\displaystyle m} is E ( m ) = ( g r , m h r ) {\displaystyle {\mathcal {E}}(m)=(g^{r},m\cdot h^{r})} , for some random r { 0 , , q 1 } {\displaystyle r\in \{0,\ldots ,q-1\}} . The homomorphic property is then

E ( m 1 ) E ( m 2 ) = ( g r 1 , m 1 h r 1 ) ( g r 2 , m 2 h r 2 ) = ( g r 1 + r 2 , ( m 1 m 2 ) h r 1 + r 2 ) = E ( m 1 m 2 ) . {\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=(g^{r_{1}},m_{1}\cdot h^{r_{1}})(g^{r_{2}},m_{2}\cdot h^{r_{2}})\\&=(g^{r_{1}+r_{2}},(m_{1}\cdot m_{2})h^{r_{1}+r_{2}})\\&={\mathcal {E}}(m_{1}\cdot m_{2}).\end{aligned}}}

Goldwasser–Micali

In the Goldwasser–Micali cryptosystem, if the public key is the modulus n {\displaystyle n} and quadratic non-residue x {\displaystyle x} , then the encryption of a bit b {\displaystyle b} is E ( b ) = x b r 2 mod n {\displaystyle {\mathcal {E}}(b)=x^{b}r^{2}\;{\bmod {\;}}n} , for some random r { 0 , , n 1 } {\displaystyle r\in \{0,\ldots ,n-1\}} . The homomorphic property is then

E ( b 1 ) E ( b 2 ) = x b 1 r 1 2 x b 2 r 2 2 mod n = x b 1 + b 2 ( r 1 r 2 ) 2 mod n = E ( b 1 b 2 ) . {\displaystyle {\begin{aligned}{\mathcal {E}}(b_{1})\cdot {\mathcal {E}}(b_{2})&=x^{b_{1}}r_{1}^{2}x^{b_{2}}r_{2}^{2}\;{\bmod {\;}}n\\&=x^{b_{1}+b_{2}}(r_{1}r_{2})^{2}\;{\bmod {\;}}n\\&={\mathcal {E}}(b_{1}\oplus b_{2}).\end{aligned}}}

where {\displaystyle \oplus } denotes addition modulo 2, (i.e., exclusive-or).

Benaloh

In the Benaloh cryptosystem, if the public key is the modulus n {\displaystyle n} and the base g {\displaystyle g} with a blocksize of c {\displaystyle c} , then the encryption of a message m {\displaystyle m} is E ( m ) = g m r c mod n {\displaystyle {\mathcal {E}}(m)=g^{m}r^{c}\;{\bmod {\;}}n} , for some random r { 0 , , n 1 } {\displaystyle r\in \{0,\ldots ,n-1\}} . The homomorphic property is then

E ( m 1 ) E ( m 2 ) = ( g m 1 r 1 c ) ( g m 2 r 2 c ) mod n = g m 1 + m 2 ( r 1 r 2 ) c mod n = E ( m 1 + m 2 mod c ) . {\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=(g^{m_{1}}r_{1}^{c})(g^{m_{2}}r_{2}^{c})\;{\bmod {\;}}n\\&=g^{m_{1}+m_{2}}(r_{1}r_{2})^{c}\;{\bmod {\;}}n\\&={\mathcal {E}}(m_{1}+m_{2}\;{\bmod {\;}}c).\end{aligned}}}

Paillier

In the Paillier cryptosystem, if the public key is the modulus n {\displaystyle n} and the base g {\displaystyle g} , then the encryption of a message m {\displaystyle m} is E ( m ) = g m r n mod n 2 {\displaystyle {\mathcal {E}}(m)=g^{m}r^{n}\;{\bmod {\;}}n^{2}} , for some random r { 0 , , n 1 } {\displaystyle r\in \{0,\ldots ,n-1\}} . The homomorphic property is then

E ( m 1 ) E ( m 2 ) = ( g m 1 r 1 n ) ( g m 2 r 2 n ) mod n 2 = g m 1 + m 2 ( r 1 r 2 ) n mod n 2 = E ( m 1 + m 2 ) . {\displaystyle {\begin{aligned}{\mathcal {E}}(m_{1})\cdot {\mathcal {E}}(m_{2})&=(g^{m_{1}}r_{1}^{n})(g^{m_{2}}r_{2}^{n})\;{\bmod {\;}}n^{2}\\&=g^{m_{1}+m_{2}}(r_{1}r_{2})^{n}\;{\bmod {\;}}n^{2}\\&={\mathcal {E}}(m_{1}+m_{2}).\end{aligned}}}

Other partially homomorphic cryptosystems

Fully homomorphic encryption

A cryptosystem that supports arbitrary computation on ciphertexts is known as fully homomorphic encryption (FHE). Such a scheme enables the construction of programs for any desirable functionality, which can be run on encrypted inputs to produce an encryption of the result. Since such a program need never decrypt its inputs, it can be run by an untrusted party without revealing its inputs and internal state. Fully homomorphic cryptosystems have great practical implications in the outsourcing of private computations, for instance, in the context of cloud computing.

Implementations

This section relies excessively on references to primary sources. Please improve this section by adding secondary or tertiary sources.
Find sources: "Homomorphic encryption" – news · newspapers · books · scholar · JSTOR (July 2022) (Learn how and when to remove this message)

A list of open-source FHE libraries implementing second-generation (BGV/BFV), third-generation (FHEW/TFHE), and/or fourth-generation (CKKS) FHE schemes is provided below.

There are several open-source implementations of fully homomorphic encryption schemes. Second-generation and fourth-generation FHE scheme implementations typically operate in the leveled FHE mode (though bootstrapping is still available in some libraries) and support efficient SIMD-like packing of data; they are typically used to compute on encrypted integers or real/complex numbers. Third-generation FHE scheme implementations often bootstrap after each operation but have limited support for packing; they were initially used to compute Boolean circuits over encrypted bits, but have been extended to support integer arithmetics and univariate function evaluation. The choice of using a second-generation vs. third-generation vs fourth-generation scheme depends on the input data types and the desired computation.

In addition, FHE has been combined with zero knowledge proofs, the blockchain technology that proves that something is true, without revealing any private information. zkFHE enables data encryption throughout data processing, while the results of any processing are verified in a confidential manner.

FHE libraries
Name Developer BGV CKKS BFV FHEW CKKS Bootstrapping TFHE Description
HElib IBM Yes Yes No No No No BGV scheme with the GHS optimizations.
Microsoft SEAL Microsoft Yes Yes Yes No No No
OpenFHE Duality Technologies, Samsung Advanced Institute of Technology [kr], Intel, MIT, University of California, San Diego and others. Yes Yes Yes Yes Yes Yes Successor to PALISADE.
PALISADE New Jersey Institute of Technology, Duality Technologies, Raytheon BBN Technologies, MIT, University of California, San Diego and others. Yes Yes Yes Yes No Yes General-purpose lattice cryptography library. Predecessor of OpenFHE.
HEAAN CryptoLab No Yes No No Yes No
FHEW Leo Ducas and Daniele Micciancio No No No Yes No No
TFHE Ilaria Chillotti, Nicolas Gama, Mariya Georgieva and Malika Izabachene No No No No No Yes
FV-NFLlib CryptoExperts No No Yes No No No
NuFHE NuCypher No No No No No Yes Provides a GPU implementation of TFHE.
REDcuFHE TwC Group No No No No No Yes A multi-GPU implementation of TFHE.
Lattigo EPFL-LDS, Tune Insight Yes Yes Yes No Yes No Implementation in Go along with their distributed variants enabling Secure multi-party computation.
TFHE-rs Zama No No No No No Yes

Rust implementation of TFHE-extended. Supporting Boolean, integer operation and univariate function evaluation (via Programmable Bootstrapping).

Liberate.FHE Desilo No Yes No No No No A multi-GPU implementation of CKKS.
FHE frameworks
Name Developer FHEW TFHE HElib SEAL PALISADE Lattigo Description
Concrete Zama No Yes No No No No

TFHE-extended compiler with a Python Frontend.

E3 MoMA Lab at NYU Abu Dhabi Yes Yes Yes Yes Yes No
SHEEP Alan Turing Institute No Yes Yes Yes Yes No
T2 TwC Group No Yes Yes Yes Yes Yes
HELM TwC Group No Yes No No No No
Juliet TwC Group No Yes No No No No
PEEV TwC Group No No No Yes No No Verifiable encrypted computations based on Rinocchio ZKP and BGV homomorphic Encryption.

Standardization

In 2017, researchers from IBM, Microsoft, Intel, the NIST, and others formed the open Homomorphic Encryption Standardization Consortium, which maintains a community security Homomorphic Encryption Standard.

See also

References

  1. Sellers, Andrew. "Council Post: Everything You Wanted To Know About Homomorphic Encryption (But Were Afraid To Ask)". Forbes. Retrieved 2023-08-18.
  2. Munjal, Kundan; Bhatia, Rekha (2022). "A systematic review of homomorphic encryption and its contributions in healthcare industry". Complex & Intelligent Systems. 9 (4): 3759–3786. doi:10.1007/s40747-022-00756-z. PMC 9062639. PMID 35531323.
  3. Armknecht, Frederik; Boyd, Colin; Gjøsteen, Kristian; Jäschke, Angela; Reuter, Christian; Strand, Martin (2015). "A Guide to Fully Homomorphic Encryption". Cryptology ePrint Archive.
  4. Vinod Vaikuntanathan. "Homomorphic Encryption References".
  5. R. L. Rivest, L. Adleman, and M. L. Dertouzos. On data banks and privacy homomorphisms. In Foundations of Secure Computation, 1978.
  6. Sander, Tomas; Young, Adam L.; Yung, Moti (1999). "Non-interactive cryptocomputing for NC/Sup 1/". 40th Annual Symposium on Foundations of Computer Science (Cat. No.99CB37039). pp. 554–566. doi:10.1109/SFFCS.1999.814630. ISBN 978-0-7695-0409-4. S2CID 1976588.
  7. D. Boneh, E. Goh, and K. Nissim. Evaluating 2-DNF Formulas on Ciphertexts. In Theory of Cryptography Conference, 2005.
  8. Y. Ishai and A. Paskin. Evaluating branching programs on encrypted data. In Theory of Cryptography Conference, 2007.
  9. Gentry, Craig (2009). "Fully homomorphic encryption using ideal lattices". Proceedings of the forty-first annual ACM symposium on Theory of computing. pp. 169–178. doi:10.1145/1536414.1536440. ISBN 978-1-60558-506-2.
  10. Craig Gentry. A Fully Homomorphic Encryption Scheme (PDF) (PhD Thesis). Stanford University.
  11. Gentry, Craig; Halevi, Shai (2010). "Implementing Gentry's Fully-Homomorphic Encryption Scheme". Advances in Cryptology – EUROCRYPT 2011. Lecture Notes in Computer Science. Vol. 6632. pp. 129–148. doi:10.1007/978-3-642-20465-4_9. ISBN 978-3-642-20464-7.
  12. Van Dijk, Marten; Gentry, Craig; Halevi, Shai; Vinod, Vaikuntanathan (2009). "Fully Homomorphic Encryption over the Integers". Advances in Cryptology – EUROCRYPT 2010. Lecture Notes in Computer Science. Vol. 6110. pp. 24–43. doi:10.1007/978-3-642-13190-5_2. ISBN 978-3-642-13189-9.
  13. Levieil, Eric; Naccache, David (2008). "Cryptographic Test Correction" (PDF). Public Key Cryptography – PKC 2008. Lecture Notes in Computer Science. Vol. 4939. pp. 85–100. doi:10.1007/978-3-540-78440-1_6. ISBN 978-3-540-78439-5.
  14. Cohen, Bram. "Simple Public Key Encryption". Archived from the original on 2011-10-07.
  15. Coron, Jean-Sébastien; Naccache, David; Tibouchi, Mehdi (2011). "Public Key Compression and Modulus Switching for Fully Homomorphic Encryption over the Integers". Advances in Cryptology – EUROCRYPT 2012. Lecture Notes in Computer Science. Vol. 7237. pp. 446–464. doi:10.1007/978-3-642-29011-4_27. ISBN 978-3-642-29010-7.
  16. Coron, Jean-Sébastien; Mandal, Avradip; Naccache, David; Tibouchi, Mehdi (2011). "Fully Homomorphic Encryption over the Integers with Shorter Public Keys". In Rogaway, P. (ed.). Advances in Cryptology – CRYPTO 2011. Lecture Notes in Computer Science. Vol. 6841. pp. 487–504. doi:10.1007/978-3-642-22792-9_28. ISBN 978-3-642-22791-2.
  17. ^ Coron, Jean-Sébastien; Lepoint, Tancrède; Tibouchi, Mehdi (2013). "Batch Fully Homomorphic Encryption over the Integers". Advances in Cryptology – EUROCRYPT 2013. Lecture Notes in Computer Science. Vol. 7881. pp. 315–335. doi:10.1007/978-3-642-38348-9_20. ISBN 978-3-642-38347-2.
  18. ^ Coron, Jean-Sébastien; Lepoint, Tancrède; Tibouchi, Mehdi (2014). "Scale-Invariant Fully Homomorphic Encryption over the Integers". Public-Key Cryptography – PKC 2014. Lecture Notes in Computer Science. Vol. 8383. pp. 311–328. doi:10.1007/978-3-642-54631-0_18. ISBN 978-3-642-54630-3.
  19. ^ Z. Brakerski, C. Gentry, and V. Vaikuntanathan. Fully Homomorphic Encryption without Bootstrapping, In ITCS 2012
  20. Z. Brakerski and V. Vaikuntanathan. Efficient Fully Homomorphic Encryption from (Standard) LWE. In FOCS 2011 (IEEE)
  21. A. Lopez-Alt, E. Tromer, and V. Vaikuntanathan. On-the-Fly Multiparty Computation on the Cloud via Multikey Fully Homomorphic Encryption. In STOC 2012 (ACM)
  22. ^ Fan, Junfeng; Vercauteren, Frederik (2012). "Somewhat Practical Fully Homomorphic Encryption". Cryptology ePrint Archive.
  23. ^ Z. Brakerski. Fully Homomorphic Encryption without Modulus Switching from Classical GapSVP, In CRYPTO 2012 (Springer)
  24. J. Bos, K. Lauter, J. Loftus, and M. Naehrig. Improved Security for a Ring-Based Fully Homomorphic Encryption Scheme. In IMACC 2013 (Springer)
  25. ^ M. Albrecht, S. Bai, and L. Ducas. A subfield lattice attack on overstretched NTRU assumptions, In CRYPTO 2016 (Springer)
  26. Cheon, J. H.; Jeong, J; Lee, C. (2016). "An algorithm for NTRU problems and cryptanalysis of the GGH multilinear map without a low-level encoding of zero". LMS Journal of Computation and Mathematics. 19 (1): 255–266. doi:10.1112/S1461157016000371.
  27. C. Gentry, S. Halevi, and N. P. Smart. Fully Homomorphic Encryption with Polylog Overhead. In EUROCRYPT 2012 (Springer)
  28. C. Gentry, S. Halevi, and N. P. Smart. Better Bootstrapping in Fully Homomorphic Encryption. In PKC 2012 (SpringeR)
  29. C. Gentry, S. Halevi, and N. P. Smart. Homomorphic Evaluation of the AES Circuit. In CRYPTO 2012 (Springer)
  30. Smart, Nigel P.; Vercauteren, Frederik (2014). "Fully Homomorphic SIMD Operations". Designs, Codes and Cryptography. 71 (1): 57–81. CiteSeerX 10.1.1.294.4088. doi:10.1007/s10623-012-9720-4. S2CID 11202438.
  31. C. Gentry, A. Sahai, and B. Waters. Homomorphic Encryption from Learning with Errors: Conceptually-Simpler, Asymptotically-Faster, Attribute-Based. In CRYPTO 2013 (Springer)
  32. Z. Brakerski and V. Vaikuntanathan. Lattice-Based FHE as Secure as PKE. In ITCS 2014
  33. ^ J. Alperin-Sheriff and C. Peikert. Faster Bootstrapping with Polynomial Error. In CRYPTO 2014 (Springer)
  34. ^ Leo Ducas; Daniele Micciancio. "FHEW: A Fully Homomorphic Encryption library". GitHub. Retrieved 31 December 2014.
  35. ^ Ilaria Chillotti; Nicolas Gama; Mariya Georgieva; Malika Izabachene. "Faster Fully Homomorphic Encryption: Bootstrapping in less than 0.1 Seconds". Retrieved 31 December 2016.
  36. N. Gama, M. Izabachène, P.Q. Nguyen, and X. Xie Structural Lattice Reduction: Generalized Worst-Case to Average-Case Reductions and Homomorphic Cryptosystems. In EUROCRYPT 2016 (Springer)
  37. ^ Cheon, Jung Hee; Kim, Andrey; Kim, Miran; Song, Yongsoo (2017). "Homomorphic encryption for arithmetic of approximate numbers". Takagi T., Peyrin T. (eds) Advances in Cryptology – ASIACRYPT 2017. ASIACRYPT 2017. Lecture Notes in Computer Science. Vol. 10624. Springer, Cham. pp. 409–437. doi:10.1007/978-3-319-70694-8_15. ISBN 978-3-319-70693-1.
  38. Kim A., Papadimitriou A., Polyakov Y. Approximate Homomorphic Encryption with Reduced Approximation Error, In CT-RSA 2022 (Springer)
  39. Li, Baily; Micciancio, Daniele (2020). "On the Security of Homomorphic Encryption on Approximate Numbers" (PDF). IACR ePrint Archive 2020/1533.
  40. Cheon, Jung Hee; Hong, Seungwan; Kim, Duhyeong (2020). "Remark on the Security of CKKS Scheme in Practice" (PDF). IACR ePrint Archive 2020/1581.
  41. "Security of CKKS". Retrieved 10 March 2021.
  42. Benhamouda, Fabrice; Herranz, Javier; Joye, Marc; Libert, Benoît (2017). "Efficient cryptosystems from 2-th power residue symbols" (PDF). Journal of Cryptology. 30 (2): 519–549. doi:10.1007/s00145-016-9229-5. hdl:2117/103661. S2CID 62063.
  43. Castagnos, Guilhem; Laguillaumie, Fabien (2015). "Linearly Homomorphic Encryption from DDH" (PDF). In Nyberg, Kaisa (ed.). Topics in Cryptology – CT-RSA 2015, The Cryptographer's Track at the RSA Conference 2015, San Francisco, CA, USA, April 20–24, 2015. Proceedings. Lecture Notes in Computer Science. Vol. 9048. Springer. pp. 487–505. doi:10.1007/978-3-319-16715-2_26. ISBN 978-3-319-16714-5.
  44. Daniele Micciancio (2010-03-01). "A First Glimpse of Cryptography's Holy Grail". Association for Computing Machinery. p. 96. Retrieved 2010-03-17.
  45. "Don't Put All Your Privacy Eggs in One ZK Basket | CoinMarketCap". CoinMarketCap Academy. Retrieved 2025-01-14.
  46. Jung Hee Cheon, Kyoohyung Han, Andrey Kim, Miran Kim and Yongsoo Song. Bootstrapping for Approximate Homomorphic Encryption. In EUROCRYPT 2018 (Springer).
  47. Shai Halevi; Victor Shoup. "HElib: An Implementation of homomorphic encryption". GitHub. Retrieved 31 December 2014.
  48. Microsoft Research. "Microsoft SEAL". Microsoft. Retrieved 20 February 2019.
  49. "PALISADE Lattice Cryptography Library". Retrieved 1 January 2019.
  50. Jung Hee Cheon; Kyoohyung Han; Andrey Kim; Miran Kim; Yongsoo Song. "Homomorphic Encryption for Arithmetic of Approximate Numbers". GitHub. Retrieved 15 May 2016.
  51. Crypto Experts. "FV-NFLlib". GitHub. Retrieved 1 November 2019.
  52. NuCypher. "A GPU implementation of fully homomorphic encryption on torus". GitHub. Retrieved 1 November 2019.
  53. Trustworthy Computing (TwC) Group. "A Multi-GPU Implementation of the CGGI Cryptosystem". GitHub. Retrieved 7 March 2023.
  54. EPFL-LDS. "Lattigo v3.0.5". GitHub. Retrieved 13 September 2022.
  55. Jean-Philippe Bossuat, Christian Mouchet, Juan Troncoso-Pastoriza and Jean-Pierre Hubaux. Efficient Bootstrapping for Approximate Homomorphic Encryption with Non-Sparse Keys. In EUROCRYPT 2021 (Springer).
  56. Christian Mouchet, Juan Troncoso-Pastoriza, Jean-Philippe Bossuat and Jean-Pierre Hubaux. Multiparty Homomorphic Encryption from Ring-Learning-With-Errors.
  57. Zama (15 June 2023). "TFHE-rs". GitHub.
  58. Chillotti, Ilaria; Joye, Marc; Paillier, Pascal (2021). "Programmable Bootstrapping Enables Efficient Homomorphic Inference of Deep Neural Networks" (PDF). Cyber Security Cryptography and Machine Learning. Lecture Notes in Computer Science. Vol. 12716. pp. 1–19. doi:10.1007/978-3-030-78086-9_1. ISBN 978-3-030-78085-2. S2CID 231732347. Retrieved 17 November 2022.
  59. Desilo. "Liberate.FHE". GitHub. Retrieved 7 March 2024.
  60. Zama. "Concrete". GitHub. Retrieved 20 May 2022.
  61. Zama (15 June 2023). "Concrete Python". Pypi.
  62. MoMA Lab, New York University Abu Dhabi (2019-07-24). "Encrypt-Everything-Everywhere (E3)". GitHub. Retrieved 27 July 2019.
  63. Alan Turing Institute, London, UK (2019-11-01). "SHEEP, a Homomorphic Encryption Evaluation Platform". GitHub. Retrieved 1 November 2019.{{cite web}}: CS1 maint: multiple names: authors list (link)
  64. Trustworthy Computing (TwC) Group (2023-03-02). "T2: A cross compiler and standardized benchmarks for FHE computation". GitHub. Retrieved 3 February 2023.
  65. Trustworthy Computing (TwC) Group (2024-07-29). "HELM: Navigating Homomorphic Evaluation through Gates and Lookups". GitHub. Retrieved 29 July 2024.
  66. Trustworthy Computing (TwC) Group (2024-06-25). "Juliet: A Configurable Processor for Computing on Encrypted Data". GitHub. Retrieved 25 June 2024.
  67. TrustworthyComputing (2024-07-18), TrustworthyComputing/PEEV-verifiableFHE, retrieved 2024-07-18
  68. "Homomorphic Encryption Standardization Workshop". Microsoft. 2017-07-13. Retrieved 2022-05-12.
  69. "Intel, Microsoft Research and Duality Technologies Convene AI Community for Privacy Standards". Intel Newsroom. 2019-08-16. Retrieved 2022-05-12.
  70. "Intel, Microsoft join DARPA effort to accelerate fully homomorphic encryption". 8 March 2021.

External links

Categories: