Student: Q.D. MCGAW. Supervisors: Dr Wei Dai and Dr Cong Ling. Second marker: Professor Athanassios Manikas. 20 June 2016. Provide a general purpose C++ API for homomorphic encryption and cloud computing. ID: 796749
Slide 1
Homomorphic encryption: Cryptography for Cloud computing
Student: Q.D. MCGAW
Supervisors: Dr. Wei Dai and Dr. Cong Ling
Second marker: Professor Athanassios Manikas
20 June 2016

Slide 2
1. Objectives of the project
- Provide a general purpose C++ API for homomorphic encryption and cloud computing
- This is regularly asked for by the cryptographic community
- Push currently available technologies to their limits
- Implement a simple but useful data analysis operation: the average
- Prove homomorphic encryption can be used for some computing operations today.

Slide 3
2. Cloud computing today
[Diagram. Labels: Unsecured communication medium; Client side; Cloud storage; Cloud computing; My sensitive data; My sensitive result; Encryption; Decryption; Normal Processing; Ciphertext; Plaintext]

Slide 4
3. Homomorphic encryption for cloud computing
[Diagram. Labels: Unsecured communication medium; Client side; Cloud computing; My sensitive data; My sensitive result; Encryption; Decryption; Normal Processing; Homomorphic Encryption; Homomorphic Processing; Homomorphic operations; Homomorphic Decryption; Ciphertext; Plaintext]

Slide 5
4. The technology today
History
- Homomorphic encryption has been around for many years, for example in the RSA scheme.
- Fully homomorphic encryption (FHE) allows arbitrary numbers of additions and multiplications to be processed on ciphertexts in the plaintext space.
- It was theoretically proved possible in 2009 by Craig Gentry.
- This was made practically possible in 2011 by Craig Gentry and Shai Halevi.
- Since then many FHE schemes have been designed.
- There are today several software libraries implementing FHE schemes, such as HElib, which is maintained by Shai Halevi (IBM).
FHE schemes: Fan and Vercauteren scheme, BGV scheme, LTV scheme, NTRU scheme, GSW scheme, DGHV scheme, DHS scheme

Slide 6
4. The technology today
Ciphertext noise
[Diagram. Labels: Homomorphic ciphertext A; Homomorphic ciphertext B]
- Homomorphic multiplications add more noise to the ciphertext than homomorphic additions.
- The ciphertext can no longer be decrypted once the noise grows above a certain threshold.
- From here on, the number of homomorphic multiplications required is called the complexity.

Slide 7
4. The technology today
Bootstrapping and BGV scheme
To counter the growing ciphertext noise, there are two main techniques as listed in the columns of the table below.

| Bootstrapping | Levelled homomorphic encryption |
| --- | --- |
| Used by Craig Gentry's first construction (2009) | Used by the BGV scheme (2011) |
| Homomorphic operations are not bounded. | Homomorphic operations are bounded according to the level parameter L. |
| Very slow and expensive | More performant, for low values of L. |

The level parameter is proportional to the maximum number of homomorphic operations to be performed on a ciphertext. The smaller L is, the faster the homomorphic operations will be.

Slide 8
4. The technology today
The library used: HElib
The library HElib is:
- The second most performant homomorphic encryption library
- Portable
- Flexible and tweakable
- Well documented and maintained
It supports:
- Bootstrapping, for a fully homomorphic encryption (Craig Gentry's 2009 construction)
- Modulus key switching, for a levelled homomorphic encryption (BGV scheme)
- Homomorphic addition and multiplication operations in any field.
- SIMD mode, for a higher maximum throughput.
[Figure: SIMD example. Labels: Plaintext vector v1; Plaintext vector v2; X; Encryption; Decryption; Resulting plaintext vector; Single instruction; Multiple data]

Slide 9
5. The missing part
- There are many schemes and several homomorphic software libraries
- There are a few already built applications
  - Remote end-to-end voting
  - Prince block cipher
  - Sorting algorithm
- But no general purpose API for number operations such as comparison or division.

Slide 10
6. Implementation
Starting point
- HElib provides only the addition and multiplication homomorphic operations
- The only way to design new operations was to use binary – do calculations in the field .
- The first step was to implement homomorphic logic gates
- The last gate required to go forward was the NOT gate
- How does the cloud computer know what 1 is... without knowing it?

Slide 11
6. Implementation
The NOT gate
CLIENT
- Generation of key pair
- Number of plaintext slots nslots
- Creates a vector filled with nslots 1s
- Encrypt vector and send SIMD ready ciphertext
CLOUD COMPUTER
- Assigns the ciphertext to the "Ones" ciphertext
- Copies the "Ones" ciphertext into the "Zeroes" ciphertext
- Adds "Zeroes" to "Zeroes"
will be completely different than so the only thing the cloud computer learns is an eventual SIMD result filled with s, which is unlikely to happen due to the high number of plaintext slots (1024).

Slide 12
6. Implementation
Representation of an n bit number
[Figure: rows of bits (0 1 ... 0, 0 0 ... 1, 0 1 ... 1). Labels: bits; One number; ciphertexts]

Slide 13
6. Implementation
Example: The homomorphic Euclidean division arithmetic circuit
[Diagram: homomorphic Euclidean division arithmetic circuit. Labels: Binary number A; Binary number B; Quotient; Remainder; bits]

Slide 14
6. Implementation
The other gates and circuits implemented
- AND logic gate: complexity 1
- XOR logic gate: complexity 0
- NOT logic gate: complexity 0
- NAND logic gate: complexity 1, requires AND, NOT
- OR logic gate: complexity 1, requires AND, NOT
- NOR logic gate: complexity 1, requires AND, NOT
- XNOR logic gate: complexity 0, requires XOR, NOT
- Half Adder: complexity 1, requires XOR, AND
- Half Subtractor: complexity 1, requires XOR, NOT, AND
- Half Equal: complexity 0, requires XNOR
- Lower than comparator: complexity 1, requires NOT, AND
- 2:1 multiplexer: complexity 3, requires NAND, NOT
- Full Adder: complexity 3, requires Half adder, OR
- Full Subtractor: complexity 3, requires Half subtractor, OR
- Full Equal: complexity 1, requires Half Equal, AND
- Half comparator: complexity 1, requires Half Equal, Lower than comparator
- Full comparator: complexity 4, requires Full Equal, Lower than comparator, AND, OR
- Ripple carry adder: complexity 3n+1, requires Half and Full Adder
- Ripple borrow subtractor: complexity 3n+1, requires Half and Full Subtractor
- Ripple comparator: complexity 4(n-1)+1, requires Half and Full Subtractor
- N:1 multiplexer: complexity 3n, requires 2:1 multiplexer
- Ripple equality tester: complexity n-1, requires Half and Full Equality
- Binary left & right shift: complexity 0
- Multiplication circuit: complexity 4-3.5n, requires Ripple carry adder, left shift and AND
- Euclidean division: complexity +n, requires Ripple borrow subtractor, shifts, NOT and N:1 multiplexer
- Average circuit: very high complexity, requires ripple carry adder and Euclidean division
- Fast Average circuit: very high complexity, requires ripple carry adder and Euclidean division
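
The gate construction from slides 10, 11 and 14, as an added example that is not code from the presentation, HElib or the hbc project: a plaintext model in which a "ciphertext" is a vector of GF(2) slots, addition is XOR, multiplication is AND, and a counter records multiplications so that a gate's complexity can be compared with the list above. The names Ct, Gates, add, mul, mults and cost are assumptions made for this example.

```cpp
// Plaintext model of the gate layer (added example; not HElib, not the hbc API).
#include <cstdio>
#include <vector>

// Stand-in for a SIMD ciphertext: one GF(2) value per plaintext slot.
struct Ct { std::vector<int> slots; };

static int mults = 0;  // "complexity": homomorphic multiplications performed so far

// The two operations the page says HElib provides, modelled over GF(2).
Ct add(Ct a, const Ct& b) {  // slot-wise XOR, complexity 0
    for (std::size_t i = 0; i < a.slots.size(); ++i) a.slots[i] ^= b.slots[i];
    return a;
}
Ct mul(Ct a, const Ct& b) {  // slot-wise AND, complexity 1
    ++mults;
    for (std::size_t i = 0; i < a.slots.size(); ++i) a.slots[i] &= b.slots[i];
    return a;
}

// Gates built only from add, mul and the client-supplied "Ones" ciphertext.
struct Gates {
    Ct ones;
    Ct NOT(const Ct& a) const { return add(a, ones); }
    Ct XOR(const Ct& a, const Ct& b) const { return add(a, b); }
    Ct AND(const Ct& a, const Ct& b) const { return mul(a, b); }
    Ct NAND(const Ct& a, const Ct& b) const { return NOT(AND(a, b)); }
    Ct OR(const Ct& a, const Ct& b) const { return NOT(AND(NOT(a), NOT(b))); }
    // 2:1 multiplexer from NAND and NOT: per slot, sel ? a : b.
    Ct MUX(const Ct& sel, const Ct& a, const Ct& b) const {
        return NAND(NAND(sel, a), NAND(NOT(sel), b));
    }
    // Full adder: two half adders (XOR + AND) and an OR. Returns sum, writes carry.
    Ct fullAdd(const Ct& a, const Ct& b, const Ct& cin, Ct& carry) const {
        Ct s1 = XOR(a, b), c1 = AND(a, b), c2 = AND(s1, cin);
        carry = OR(c1, c2);
        return XOR(s1, cin);
    }
};

// Multiplications consumed by one call of f, i.e. the complexity of that circuit.
template <class F> int cost(F f) { int before = mults; f(); return mults - before; }

int main() {
    Gates g{Ct{{1, 1, 1, 1}}};  // constructed input: four slots, all ones
    Ct a{{0, 0, 1, 1}}, b{{0, 1, 0, 1}}, c;
    std::printf("OR=%d MUX=%d fullAdd=%d\n", cost([&] { g.OR(a, b); }),
                cost([&] { g.MUX(a, b, a); }), cost([&] { g.fullAdd(a, b, a, c); }));
}
```

NOT costs nothing because it is a single addition of the "Ones" ciphertext, which is why the cloud only needs that one client-supplied constant to build every other gate.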

Slide 15
7. Results and evaluations
Logic gates
Homomorphic multiplications add between 12 and 34 times more noise than homomorphic additions. This is why the number of multiplications is called complexity here.

Slide 16
7. Results and evaluations
Combinational circuits, for 1024 SIMD plaintext slots
The complexity of a homomorphic circuit and its execution time are highly correlated.

Slide 17
7. Results and evaluations
Sequential circuits, for 1024 SIMD plaintext slots
[Chart annotation: LINEAR]
Increasing the number of SIMD data slots decreases the time per operation.

Slide 18
7. Results and evaluations
Arithmetic circuits, for 1024 SIMD plaintext slots
This involves the following 5 circuits built on top of the sequential circuits:
- Binary multiplication
- Binary Euclidean division
- Binary Average
- Binary "Fast" Average, which only calculates the quotient of a division
- Exponential
Arithmetic circuits quickly become unusable as the number of bits n grows.

Slide 19
7. Results and evaluations
Arithmetic circuits, for 1024 SIMD plaintext slots
[Chart annotation: Not timely useful anymore]

Slide 20
8. Conclusion
Some operations can be used now with the API developed and are not too expensive in terms of time.
- Binary additions, subtractions, comparisons
- Binary "Fast" averages (based on shifts)
- Binary multiplications, for numbers up to 8 bits.
- Multiplexers
The code is:
- Robust: 75% of the API code is covered by unit tests
- Open source: http://qdm12.github.io/hbc/ and well documented
- Easy to set up and use: a makefile was crafted for Windows and Linux to download, compile and install everything
- Compatible: on all platforms, although some like OSX will have to install manually.
A lot of future work is possible:
- Changing the sequential and arithmetic circuits algorithms
- Adding more homomorphic circuits
- Using bootstrapping for very complex circuits
- Adding parallel circuits for an even bigger throughput
- Using multiple cores of the CPU, or even GPU with the cuHE library
Already used by a Computer Science Masters student at the University of Manitoba, Canada.
9. Thank you
10. Questions
11. Answers

Slide 21
Slide 22
Slide 23
5 / 3 ?
5 = 2 x 2 + 1
A: 101
B: 010
X: 000 101
LOOP
Left shift: X: 001 010
Iteration 1: R: 001 – 010 = 1111, X: 001 010
Left shift: X: 010 100
Iteration 2: R: 010 – 010 = 0000, X: 000 100
Left shift: X: 001 001
Iteration 3: R: 001 – 010 = 1111, X: 001 001
Left shift: X: 010 010
Q: 010, R: 010
Right shift: R: 001
Q: 010
- Blue arrow operations represent memory operations or shifts and have a zero homomorphic complexity
- Red and orange arrows have a high homomorphic complexity
- The green arrow is a NOT gate (zero complexity)
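
The shift-and-subtract loop traced on slide 23, as an added example that is not the hbc implementation: an integer model that always runs n iterations and replaces the data-dependent choice with a mask-based multiplexer, since a circuit over encrypted bits cannot branch on the borrow. The names divide, DivResult, x_after_iter and u32 are assumptions made here, and the model requires B != 0 and n <= 15.

```cpp
// Integer model of the slide's division loop (added example; not hbc code).
#include <cstdint>
#include <cstdio>
#include <vector>

using u32 = std::uint32_t;

struct DivResult {
    u32 q, r;
    std::vector<u32> x_after_iter;  // register X = [hi | lo] after each iteration
};

// n-bit Euclidean division A / B. Same operation sequence for every input:
// shift, subtract, select, with the quotient bit taken as NOT(borrow).
DivResult divide(u32 a, u32 b, unsigned n) {
    const u32 low = (1u << n) - 1;
    u32 x = a & low;  // hi = 0, lo = A
    u32 qbit = 0;     // quotient bit produced by the previous iteration
    DivResult out{0, 0, {}};
    for (unsigned i = 0; i < n; ++i) {
        x = (x << 1) | qbit;                // left shift, feeding in qbit
        u32 hi = x >> n;
        u32 diff = hi - b;                  // stands in for the ripple borrow subtractor
        u32 borrow = diff >> 31;            // 1 when hi < b
        u32 keep = 0u - borrow;             // all ones on borrow, else zero
        hi = (hi & keep) | (diff & ~keep);  // multiplexer: keep hi or take diff
        x = (hi << n) | (x & low);
        qbit = borrow ^ 1u;                 // NOT gate on the borrow
        out.x_after_iter.push_back(x);
    }
    x = (x << 1) | qbit;    // final left shift brings in the last quotient bit
    out.q = x & low;
    out.r = (x >> n) >> 1;  // right shift undoes the extra shift on hi
    return out;
}

int main() {
    DivResult d = divide(5, 2, 3);  // the slide's A: 101, B: 010
    std::printf("Q=%u R=%u\n", (unsigned)d.q, (unsigned)d.r);
}
```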

Slide 24
[Figure: bit vectors. Labels: Encryption; OR; Decryption]