Brief Introduction and Research Status of Homomorphic Encryption

Recently, I have been learning homomorphic encryption related technologies. This is a short note on the learning process. Let me share it:
Homomorphic encryption: a cryptographic technology based on the computational complexity theory of mathematical problems. Processing homomorphically encrypted data yields an output that, when decrypted, is the same as the output of processing the original unencrypted data in the same way.

Technical advantages: With homomorphic encryption, the result a user obtains by computing on the ciphertext and then decrypting is consistent with the result of computing directly on the plaintext. This allows an untrusted third party to perform operations directly on the ciphertext without the private key, which avoids the leakage of sensitive user information that could occur if the third party had to decrypt the ciphertext during the computation.

Example:
Alice uses Homomorphic Encryption (hereafter referred to as HE) to process data through the Cloud. The whole process is roughly as follows:
1. Alice encrypts the data and sends the encrypted data to Cloud;
2. Alice submits the data processing method to Cloud, which is represented by function f here;
3. Cloud processes the data under function f, and sends the processed result to Alice;
4. Alice decrypts the data and gets the result.
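
The four steps above, as an added example that is not part of the original note: it uses the Paillier cryptosystem (an additively homomorphic PHE scheme that the note does not name) with constructed toy primes, so f is limited to a weighted sum. Function names such as `cloud_eval` and `run_workflow` are assumptions made for the illustration.

```python
import math
import secrets

# Constructed toy parameters: two known Mersenne primes. Real Paillier keys
# use randomly generated primes giving n of 2048 bits or more.
P, Q = 2**31 - 1, 2**61 - 1

def keygen(p=P, q=Q):
    n = p * q
    lam = (p - 1) * (q - 1)          # private: phi(n)
    mu = pow(lam, -1, n)             # private: phi(n)^-1 mod n
    return n, (lam, mu)              # public key is n (generator g = n + 1)

def encrypt(n, m):
    n2 = n * n
    while True:                      # fresh randomness for every ciphertext
        r = secrets.randbelow(n - 1) + 1
        if math.gcd(r, n) == 1:
            break
    return (1 + m * n) % n2 * pow(r, n, n2) % n2

def decrypt(n, sk, c):
    lam, mu = sk
    u = pow(c, lam, n * n)
    return (u - 1) // n * mu % n     # L(u) * mu mod n

def cloud_eval(n, ciphertexts, weights):
    """Cloud side: f(x) = sum(w_i * x_i), computed with the public key only."""
    n2 = n * n
    acc = 1                          # neutral element: an encryption of 0
    for c, w in zip(ciphertexts, weights):
        acc = acc * pow(c, w, n2) % n2   # Enc(a)^w * Enc(b) = Enc(w*a + b)
    return acc

def run_workflow(data, weights):
    n, sk = keygen()                         # Alice keeps sk to herself
    cts = [encrypt(n, x) for x in data]      # step 1: encrypt and upload
    ct_out = cloud_eval(n, cts, weights)     # steps 2-3: Cloud applies f
    return decrypt(n, sk, ct_out)            # step 4: Alice decrypts

if __name__ == "__main__":
    print(run_workflow([120, 75, 300], [2, 1, 3]))
```

Cloud only ever handles `n`, the ciphertexts and the weights; encrypting the same value twice gives different ciphertexts, so it cannot match inputs by equality either.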

Development:
One of the research hotspots in recent years is how to construct an efficient fully homomorphic encryption scheme. This paper mainly summarizes the research progress of verifiable fully homomorphic encryption schemes. It also compares and analyzes the performance of the current mainstream fully homomorphic encryption libraries HElib, SEAL and TFHE, sorts out the typical application scenarios of homomorphic encryption technology, and points out possible research and development directions for the future.

In 1978, Rivest and others first proposed the concept of privacy homomorphism, aiming to construct an encryption mechanism that supports ciphertext retrieval. In 2009, Gentry first used ideal lattices to give a construction of an FHE scheme, which is based on the bounded coding problem on ideal lattices and the sparse subset sum problem.

The idea is as follows: with the plaintext space {0, 1}, first construct a somewhat homomorphic encryption (Somewhat Homomorphic Encryption, SWHE) scheme that supports polynomial operations of limited degree on "fresh" ciphertexts; then, based on the hardness assumption of the sparse subset sum problem, transform the form of the private key and compress the decryption circuit so that it is expressed as a polynomial of sufficiently low degree in the private key; finally, add auxiliary information such as the ciphertext of the private key to the public key, and use it to homomorphically decrypt "fresh" ciphertexts and the ciphertexts produced by homomorphic operations. This reduces the noise they contain and achieves the purpose of performing arbitrary function transformations on the ciphertext. This technique is called bootstrapping (Bootstrapping).
The construction mode proposed by Gentry is called the Gentry system. Since then, fully homomorphic encryption has developed rapidly along two research lines: one is FHE schemes designed according to Gentry's ideas, and the other is FHE schemes based on the Learning With Errors (LWE) problem or the Ring-LWE (RLWE) problem. Below, this article mainly analyzes some new developments in homomorphic encryption technology in recent years and proposes several development directions worthy of attention in the future.
[Figure: features of homomorphic encryption]

Homomorphic encryption classification:
According to the types and number of ciphertext operations that each homomorphic encryption scheme allows, schemes can be divided into three categories: partially homomorphic encryption (Partial Homomorphic Encryption, PHE) schemes, somewhat homomorphic encryption (SWHE) schemes and fully homomorphic encryption (FHE) schemes. PHE supports homomorphic operations of only addition or only multiplication on ciphertexts; SWHE supports a limited number of both additions and multiplications; FHE supports an unlimited number of both additions and multiplications.
Because homomorphism conflicts with non-malleability, fully homomorphic encryption cannot achieve IND-CCA2 security. Therefore, research on fully homomorphic encryption still has a long way to go, and it focuses on two aspects: one is to improve the efficiency of FHE schemes; the other is to improve the security of FHE schemes.
Research stage
The research on fully homomorphic encryption in the past ten years can be divided into three stages:
The first stage is the various FHE schemes constructed based on Gentry's work, which first construct a SWHE scheme and then control noise growth through Bootstrapping technology to achieve full homomorphism;

The second stage is FHE schemes based on the Learning With Errors (LWE) problem or the Ring-LWE (RLWE) problem, building on the work of Brakerski and Vaikuntanathan. These schemes use key switching (Key Switching) technology to solve the problem of dimension expansion, and control noise through Modulus Switching technology, which to a certain extent removes the dependence on Bootstrapping technology;

The third stage is the GSW scheme based on approximate eigenvectors, constructed by Gentry et al. The homomorphic operations of this scheme are all simple matrix operations, so there is no problem of dimension expansion. This scheme provides a new idea for constructing FHE schemes: it simplifies the original complex ciphertext operations into relatively simple algebraic operations, which are easier to understand. Song Xinxia and others studied the nature and construction method of the ciphertext matrix, and revealed the inclusion relationship between ciphertext-matrix FHE and other FHEs.
In addition to the above division by development stage, FHE can also be classified according to the hard problems on which it is based. There are two main types: one is based on hard problems from traditional number theory, such as the Approximate Greatest Common Divisor (AGCD) problem on integers, and the other is based on hard problems in lattice cryptography, such as the LWE and RLWE problems on lattices.

In addition, in recent years, many other types of FHE schemes have emerged, such as NTRU (Number Theory Research Unit)-based FHE schemes, identity- and attribute-based FHE schemes, and noise-free FHE schemes. key pair, and then use Flattening technology to construct an NTRU-based fully homomorphic encryption scheme that is provably secure against chosen plaintext attack. To address the security risk of side channel attacks in NTRU implementations, Yang Yatao et al. performed masking operations on all coefficients of the NTRU algorithm and constructed an NTRU fully homomorphic masking defense scheme that can effectively defend against differential power attacks and correlation power attacks. A large number of FHE schemes based on lattice cryptography have emerged in the past ten years. As a candidate cryptographic system in post-quantum cryptography, lattice cryptography still has important application value in the era of quantum computing.
In 2009, Gentry used ideal lattices to give a construction of an FHE scheme, based on the bounded coding problem and the sparse subset problem on ideal lattices. The following briefly introduces the principle of Bootstrapping technology. Before using Bootstrapping, we can perform only a limited number of homomorphic operations on ciphertexts, because the ciphertext noise increases after each homomorphic operation. For homomorphic multiplication in particular, the ciphertext noise grows exponentially with the number of operations, so measures must be taken for noise control.
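
The noise growth described above can be observed directly. This added example (not from the original note) uses a toy symmetric integer scheme of the form c = p*q + 2r + m, in the style of the AGCD-based integer schemes mentioned earlier; the scheme choice, the parameter sizes and all function names are assumptions chosen for illustration and are far too small to be secure.

```python
import random

# Toy bit sizes (constructed): secret key, fresh noise, ciphertext.
ETA, RHO, GAMMA = 256, 8, 1024

def keygen(rng):
    # Secret key: an odd integer p of exactly ETA bits.
    return rng.getrandbits(ETA) | (1 << (ETA - 1)) | 1

def encrypt(rng, p, bit):
    # c = p*q + 2r + bit. Returns the ciphertext and its true noise 2r + bit
    # (the noise is returned only so the demo can track it).
    q = rng.getrandbits(GAMMA - ETA)
    r = rng.getrandbits(RHO) | (1 << (RHO - 1))
    e = 2 * r + bit
    return p * q + e, e

def decrypt(p, c):
    e = c % p
    if e > p // 2:                # centre the residue in (-p/2, p/2]
        e -= p
    return e % 2                  # correct only while |noise| < p/2

def squaring_trace(seed=1, depth=6):
    """Square an encryption of 1 repeatedly: the plaintext stays 1 (1 AND 1)
    while the noise squares each time.
    Rows: (depth, noise bits, noise < p/2, decrypts to 1)."""
    rng = random.Random(seed)     # seeded for reproducibility; not a CSPRNG
    p = keygen(rng)
    c, e = encrypt(rng, p, 1)
    rows = []
    for d in range(depth + 1):
        rows.append((d, e.bit_length(), 2 * e < p, decrypt(p, c) == 1))
        c, e = c * c, e * e       # homomorphic AND of the ciphertext with itself
    return rows

if __name__ == "__main__":
    for row in squaring_trace():
        print(row)
```

With these sizes the 9-bit fresh noise roughly doubles in bit length per squaring, so decryption is guaranteed through depth 4 and the noise exceeds the 256-bit key at depth 5. That is the point at which a scheme has to refresh the ciphertext, which is the role of bootstrapping.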
[Figure: noise control schematic]

Fully homomorphic encryption noise problem: Constructing a noise-free FHE scheme has become an important idea in current fully homomorphic encryption research. Noise is added to ensure the security of the FHE scheme, but it also brings the burden of noise control. Although noise-free FHE schemes are considered insecure, this conclusion has not been strictly proved, so studying noise-free FHE schemes still has practical significance.
[Figure: solutions to improve the efficiency of fully homomorphic encryption]

Broadbent et al. formally gave the definition of quantum homomorphic encryption (Quantum Homomorphic Encryption), which realizes the encryption of quantum information and quantum homomorphic operations on ciphertext. The authors also gave a corresponding definition of IND-CPA for quantum information. Then, at CRYPTO 2016, based on the proposed architecture, Dulek et al. constructed the first quantum fully homomorphic encryption (Quantum FHE, QFHE) scheme, which can realize ciphertext operations for any polynomial-size quantum circuit.
Verifiable homomorphic encryption:
Both homomorphic signatures and homomorphic MACs can be used as effective means to protect the integrity and reliability of outsourced data. The difference is that homomorphic signatures support public verification (Public verification), while homomorphic MACs support private verification (Private verification).

Applications of homomorphic encryption:
Scholars have constructed and implemented an additive partially homomorphic encryption scheme based on the CO-ACD (CO-Approximate Common Divisor) problem. A signature scheme based on homomorphic encryption has been disclosed, which can be applied to anonymous certificates, electronic voting and group signatures.
There is also a fully homomorphic encryption scheme, with an implementation, that can verify the correctness of computation, and a homomorphic encryption library that includes key switching, modulus switching, and dynamic management of noise.
There is also a System on Chip (SoC) privacy protection verification method. During verification, all participating parties can verify the IP core through encrypted test vectors, which avoids leaking unnecessary information. Scholars invented a computer-readable memory for reading homomorphic operation instructions, and realized homomorphically encrypted communication between two terminals. Also disclosed is a method for secure retrieval of personal images based on a homomorphic encryption algorithm, which realizes secure retrieval of images without revealing the user's retrieval information and data.
The literature discloses a ciphertext retrieval method based on homomorphic encryption in cloud storage, which ensures data privacy and security and uses a tree structure for storage to improve ciphertext retrieval efficiency.
A linear SVM (Support Vector Machine) model training algorithm based on homomorphic encryption is disclosed, which can train the SVM model on ciphertext in the cloud, thereby avoiding the disclosure of private information such as training data. There is also a biometric authentication technology based on fully homomorphic encryption, which allows biometric authentication in the ciphertext state, thereby avoiding leakage of user information.
At present, homomorphic encryption has been applied in the field of privacy protection for machine learning. The most representative example is CryptoNets, which is well suited to small neural networks. A method of obtaining the sum of loans from hidden, decentralized loan amounts based on additive homomorphism is disclosed, which is an application scenario of secure multi-party computation. A multi-value packing scheme based on homomorphic encryption is disclosed. The literature discloses a two-party oblivious transfer scheme based on fully homomorphic encryption. There is also a method to calculate the edit distance of DNA using homomorphic encryption technology, which first encodes the DNA sequence into a string and then computes the edit distance between two strings in the ciphertext domain. Also disclosed is a method for selling electricity to smart grid users based on homomorphic encryption, which uses homomorphic encryption to encrypt the user's real electricity purchase demand and combines it with identity authentication to protect the user's electricity purchase information from being obtained by the power company. There is also a disclosed technology for generating barcodes based on homomorphic encryption, which can generate corresponding identification codes in the ciphertext domain according to the generation request received from the server. There is a scheme, with an implementation, that uses a homomorphic encryption algorithm to protect program code and so increase its security. The literature discloses a communication technology based on homomorphic encryption, which ensures the computing security and storage security of data during communication.

Existing Homomorphic Encryption Function Libraries and Their Efficiencies



At present, some teams have implemented software for FHE schemes, such as HElib based on the BGV scheme, SEAL based on the BFV scheme, and TFHE based on the GSW scheme. The following analyzes the operating efficiency of the HElib, SEAL and TFHE fully homomorphic encryption libraries.
The efficiency tests were run on a Dell laptop with 8 GB of memory. Table 5 shows the operating efficiency of HElib when level=2, where m represents the modulus.

The efficiency test results of the BFV scheme under the default parameters are shown in Table 6, and the efficiency test results of the CKKS scheme under the default parameters are shown in Table 7. Among them, Poly, Coeff and Plain are the three main parameters of the scheme, and different parameters will affect the security, efficiency and number of homomorphic operations of the scheme.

Reference
Link: https://www.zhihu.com/question/27645858/answer/37598506 (Source: Zhihu; Author: Liu Weiran-Xuesu)
Yang Yatao, Zhao Yang, Zhang Juanmei, Huang Jierun, Gao Yuan. Homomorphic encryption theory and application progress[J]. Journal of Electronics and Information Technology, 2021, 43(02): 475-487.


Origin blog.csdn.net/qq_48951688/article/details/121030740