Fully Homomorphic Encryption for Privacy Computing

[quote] When you approach any field, you will find yourself small and insignificant, and you will become more in awe of technology and the unknown, and privacy computing is no exception. After reading some articles and papers, I feel that this review on ACM (https://queue.acm.org/detail.cfm?id=3561800) can give an overview of fully homomorphic encryption, so as to understand its context, and then build a little more awareness of privacy computing.

Fully homomorphic encryption (FHE) in privacy computing provides quantum-safe computation on encrypted data, ensuring that plaintext data and the results derived from it are never exposed, and remain protected from modification and/or destruction. Most FHE schemes are described mathematically in terms of lattices (an abstraction studied in order theory and in subdisciplines of abstract algebra), are considered secure against quantum computers, and are regarded as post-quantum cryptography. New hardware accelerator architectures are an active area of research and development, and academic research continues to produce new and more efficient implementations, bringing FHE for data processing to the commercial stage, in which:

  • Data, including the results of unrestricted computation on it and its derivatives, remains encrypted at rest and throughout its lifetime, and can only be decrypted to plaintext in a secure, trusted environment.

  • Through artificial intelligence, big data and analytics, valuable insights can be extracted from data, even from multiple disparate sources, without exposing the data or, where necessary, the underlying evaluation code.

1. Current Data Security Model

It not only fails, but is quickly losing relevance

In today's IT infrastructure, the common industry-standard, perimeter-based security mechanisms are built from thousands of integrated, ever-changing hardware and software components. They rely primarily on cryptography whose security rests on the difficulty of computing discrete logarithms and/or factoring large integers on existing hardware. In addition, the number and quality of these components are constantly changing; the only unknown is whether a given change will be identified and exploited, because a point of failure in the infrastructure is always present.

Data protection has become an increasingly complex and vulnerability-prone process, and many current approaches fail to achieve provable data security. In addition, data processing is carried out in an increasingly stringent regulatory environment, and the consequences and costs of non-compliance are severe.

Encryption techniques widely used today depend on the difficulty of computing discrete logarithms and/or factoring large integers on standard hardware, whereas quantum computing algorithms can solve these problems easily. With the quantum computing market growing at a CAGR of 36.5% and projected to reach $1,987.6 million by 2028, these encryption techniques are becoming obsolete, and a security mechanism for the post-quantum era is needed that:

  • Protects data without relying on strong perimeter defenses, on the assumption that the IT infrastructure has already been compromised.

  • Uses encryption techniques that are not vulnerable to quantum computing attacks.

Judging from the current technological progress, fully homomorphic encryption can meet these two requirements.

2. Start with homomorphic encryption

In 1978, Ronald L. Rivest, Leonard Adleman and Michael L. Dertouzos proposed the idea of performing computations directly on encrypted data. They observed that, under RSA encryption, two encrypted numbers can be multiplied and the result is equivalent to the product of the plaintexts encrypted under the same key. They called these properties privacy homomorphisms, recognizing that an encryption scheme can have the property that:

The result of a set of operations on plaintext data equals the result of performing those same operations on its encrypted form and then decrypting.

RSA encryption therefore exhibits the property of multiplicative homomorphism, which leads to the following observations:

  • With homomorphic encryption, that is, the ability to perform computations on encrypted data, access to the data can be separated from the processing of the data: computations can be performed on encrypted data without using a key to decrypt it.

  • Users can obtain a piece of data, encrypt it homomorphically, and then query the encrypted data in the database. The query itself can be encrypted or unencrypted, and the encrypted result can be obtained in the same way.

  • During the computation, neither the raw data, the decryption key, the query result, nor the query itself is ever disclosed.

More than 30 years later, in 2009, Craig Gentry proposed the first plausibly secure fully homomorphic scheme. An algorithm is defined as a circuit of logic gates that performs unrestricted computation on encrypted data, and the result is encrypted in the same way. It was very slow, taking about 30 minutes to evaluate a single logic gate on standard x86 hardware. The conventional wisdom is therefore that a further speedup of at least 1 million times is required for FHE to run at commercially viable speeds.

3. The basis of homomorphic encryption

Homomorphic encryption provides all the functionality of asymmetric public-key encryption. Current asymmetric public-key cryptography is based on the difficulty of computing discrete logarithms or factoring large integers, and has five properties:

  1. Key generation: (sk, pk) <- K(λ), where the key generation function K, with a random seed parameter λ, generates a key pair consisting of a secret key sk and a public key pk.

  2. Encryption: c <- E(pk, m), where the encryption function E uses the parameter pk and the plaintext message m to generate the encrypted message ciphertext c.

  3. Decryption: m <- D(sk, c), where the decryption function D with parameters sk and c yields m.

  4. Correctness: m = D(sk, E(pk,m)) for all key pairs, messages and cryptographic randomness.

  5. Semantic security: for all single-bit messages m ∈ {0,1}, the ciphertexts E(pk,0) and E(pk,1) must be computationally indistinguishable, and encryption must be probabilistic (i.e., for every plaintext message m there should be many possible ciphertexts c).

For homomorphic encryption, two additional properties must be added:

  1. Evaluation: in addition to the K, E and D functions, an evaluation function V is added.

  2. Correctness (extended): D(sk, V(pk, f, c1, ..., cn)) = f(m1, ..., mn), where the decryption function D takes sk, and the evaluation function V takes pk, a function f ∈ F (the set of efficiently computable functions the scheme supports homomorphically) and the ciphertexts c1, ..., cn of the plaintexts m1, ..., mn; decrypting the evaluated result yields f applied to m1, ..., mn.

For a multiplicative homomorphism, this is D(sk, HE-MULTIPLY(pk, MULTIPLY, E(pk,m1), E(pk,m2))) = MULTIPLY(m1, m2).

To achieve unrestricted homomorphic computation, F must therefore be chosen as a complete set of functions from which all computations can be built. Since the set {XOR, AND} is Turing-complete, the two functions needed are bitwise addition (equivalent to Boolean XOR) and bitwise multiplication (equivalent to Boolean AND): any computable function can be built from a combination of XOR and AND. XOR and AND are thus necessary for the homomorphic computing system to be Turing-complete, but algorithms need not be written directly in these low-level terms; Boolean circuits, integer arithmetic, or real/complex arithmetic are commonly used to define computations.

4. The security of homomorphic encryption

In the paper by Ronald L. Rivest, Leonard Adleman and Michael L. Dertouzos, the secret key sk is hidden in the public key pk by creating random multiples qi·p of the secret p, with a different qi for each encryption. Encrypting a single bit b with the public key means adding a random multiple of p to b, and decrypting computes m = (c mod p) mod 2.

Unfortunately, this approach breaks semantic security: since c = qi·p + b, the ciphertext of 0 is qi·p + 0, so an encryption of the plaintext bit 0 is simply an exact multiple of p.

In 2010, Martin van Dijk, Craig Gentry, Shai Halevi and Vinod Vaikuntanathan showed that adding noise to the public key prevents the key from being discovered: if the public key is the set {xi = qi·p + 2ri : ri << p, p << qi}, where (1) ri is a small amount of noise, different for each encryption, and (2) each xi is very close to, but not exactly, a multiple of p, then the set of integers xi is indistinguishable from random integers of the same size.

4.1 Mathematical basis of homomorphic encryption

Homomorphic encryption in this scheme encrypts a plaintext bit b into an integer expression; the steps are:

  1. Choose a large odd number p as the secret key.

  2. For each encryption, choose a random, large multiple of p, written qi·p.

  3. Then, for each encryption, add the bit b and qi·p to a noise term 2ri, where ri is a small random value. This produces the ciphertext c = qi·p + 2ri + b, where qi·p + 2ri plays the role of the public key.

Homomorphic addition of two ciphertexts:

c1 = q1p + 2r1 + b1
c2 = q2p + 2r2 + b2
c1 + c2 = p(q1 + q2) + 2(r1 + r2) + (b1 + b2), where 2(r1 + r2) is the noise

Homomorphic multiplication of two ciphertexts (expanding the product term by term):

c1 = q1p + 2r1 + b1
c2 = q2p + 2r2 + b2
c1c2 = p(q1q2p + 2q1r2 + q1b2 + 2q2r1 + q2b1) + 2(2r1r2 + r1b2 + r2b1) + b1b2, where 2(2r1r2 + r1b2 + r2b1) is the noise

It can be seen that noise grows during homomorphic computation. If |noise| exceeds p/2, correct decryption is no longer guaranteed. Noise growth under addition is linear, under multiplication it is exponential, and without a mechanism to reset the noise, a sequence of homomorphic computations will eventually hit the p/2 limit. Working within the p/2 noise limit, which is what defines "partially" (or somewhat) homomorphic encryption, is efficient for many valuable, bounded uses such as database queries and spam filtering. Because unlimited computation on encrypted data is not supported, however, this is not fully homomorphic encryption.
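As an added illustration (not code from the original post or the ACM article), the following Python implements the toy integer scheme described above with the key generation, encryption, decryption and evaluation functions of section 3, tracking the exact noise component 2r + b so that its growth under addition and multiplication and the p/2 decryption limit can be observed. The parameter sizes, the seeded random generator and the sample values are constructed for the demonstration and are not secure.

```python
import random
from dataclasses import dataclass

# Toy integer scheme: secret key is a large odd p, ciphertext c = q*p + 2r + b.
# Parameters below are constructed for illustration only; they are not secure.

@dataclass(frozen=True)
class Ct:
    value: int  # the ciphertext an untrusted party sees
    noise: int  # exact 2r + b component, tracked only to show growth;
                # it is not recoverable from value without p

def keygen(key_bits: int, rng: random.Random) -> int:
    """K(lambda): the secret key is a large odd integer p (top bit set for full length)."""
    return rng.getrandbits(key_bits) | (1 << (key_bits - 1)) | 1

def encrypt_with(p: int, bit: int, q: int, r: int) -> Ct:
    """E with explicit randomness: c = q*p + 2r + b (q >> p, r << p)."""
    if bit not in (0, 1):
        raise ValueError("plaintext must be a single bit")
    return Ct(q * p + 2 * r + bit, 2 * r + bit)

def encrypt(p: int, bit: int, rng: random.Random,
            q_bits: int = 128, noise_bits: int = 8) -> Ct:
    """E(pk, m): fresh random q and small non-zero noise r for every encryption."""
    q = rng.getrandbits(q_bits) | (1 << (q_bits - 1))
    r = rng.randrange(1, 1 << noise_bits)
    return encrypt_with(p, bit, q, r)

def decrypt(p: int, c: Ct) -> int:
    """D(sk, c) = (c mod p) mod 2; correct only while the noise stays below p/2."""
    return (c.value % p) % 2

def he_add(c1: Ct, c2: Ct) -> Ct:
    """Homomorphic XOR: the p(q1 + q2) term vanishes mod p, the noises add."""
    return Ct(c1.value + c2.value, c1.noise + c2.noise)

def he_mul(c1: Ct, c2: Ct) -> Ct:
    """Homomorphic AND: (q1p + n1)(q2p + n2) = p(q1q2p + q1n2 + q2n1) + n1*n2,
    so the noises multiply."""
    return Ct(c1.value * c2.value, c1.noise * c2.noise)

def noise_ok(p: int, c: Ct) -> bool:
    """The p/2 limit from the text: decryption is guaranteed only below it."""
    return c.noise < p // 2

def squarings_until_failure(p: int, c: Ct, limit: int = 64):
    """Square c repeatedly (plaintext b*b = b) and return (k, ct) for the first
    multiplication depth k at which the noise crosses p/2, or (None, ct)."""
    for k in range(1, limit + 1):
        c = he_mul(c, c)
        if not noise_ok(p, c):
            return k, c
    return None, c

if __name__ == "__main__":
    rng = random.Random(2024)  # seeded so the demo is reproducible
    p = keygen(64, rng)
    a, b = encrypt(p, 1, rng), encrypt(p, 0, rng)
    print("1 XOR 0 =", decrypt(p, he_add(a, b)), " 1 AND 0 =", decrypt(p, he_mul(a, b)))
    depth, bad = squarings_until_failure(p, a)
    print(f"noise crossed p/2 after {depth} squarings; decryption is no longer reliable")
```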

4.2 Fully Homomorphic Encryption

Before Gentry's 2009 paper, the accumulation of noise during homomorphic computation severely limited the real application scenarios. There were basically two options for handling larger homomorphic computations. The first is to raise the noise limit by increasing the size of the secret key sk, but this does not cure the noise problem. The other is slightly more involved; its steps are:

  1. Pause the homomorphic computation on the untrusted, insecure node.

  2. Transmit the encrypted intermediate value cn back to a secure, trusted node.

  3. Use the secret key sk to decrypt cn to its plaintext mn.

  4. Use the public key pk to re-encrypt mn as a fresh cn, resetting the noise to a small value.

  5. Send cn back to the untrusted, insecure node.

  6. Resume the homomorphic computation with the newly re-encrypted, low-noise cn.

Obviously, the latter is impractical. Gentry developed a mechanism for resetting the "noise" in encrypted results so that the computation can continue indefinitely. His approach uses lattice-based cryptography with a recursive, embedded homomorphic decryption that resets the noise of an encrypted value without exposing the value or the key to potential compromise, and without physically transferring it to a secure, trusted node for decryption. In this way, Gentry demonstrated the possibility of unlimited computation on encrypted data. His method follows these steps:

  1. Use public key pk to encrypt plaintext message m to generate ciphertext c1.

  2. Perform a certain number of homomorphic calculations on c1 to generate cn such that cn approaches but does not exceed the noise limit sk/2.

  3. Encrypt key sk using public key pk to create an encrypted key ck.

  4. Use the public key pk to encrypt cn to generate a new double-encrypted ccn.

  5. Decrypting ccn homomorphically with the encrypted key ck yields cn with a reset noise level.

  6. Use cn to continue the calculation.

What Gentry does is decrypt and re-encrypt the encrypted value c by a homomorphic computation using the encrypted secret key sk and the public key pk. Gentry calls this noise-reset process bootstrapping. Although it shows that unrestricted computation on encrypted data is possible, two significant limitations hinder its use in practical applications: (1) the computation required by the bootstrapping algorithm far exceeds the performance capability of existing hardware platforms; (2) there is no efficient way to evaluate conditional branches.

Since 2009, the industry has made many performance and functional improvements on Gentry's original scheme: improving the performance of fully homomorphic computation; increasing bootstrapping performance; reducing the number of bootstrapping operations required for a fixed number of homomorphic computations; minimizing noise growth during homomorphic computation without bootstrapping; and improving the cryptographic models based on known hard lattice problems that cannot be solved by quantum computers. Specifically, these include:

  • LWE (Learning with Errors) and RLWE (Ring Learning with Errors), which are equivalent to solving the CVP (Closest Vector Problem) in lattices, are based on systems of linear equations over finite fields with unknown coefficients (representing the key), over integers (LWE) or over polynomial rings (RLWE), where each equation carries a small, random, additive error.

  • Leveled schemes. Allow a predetermined depth of logic gates to be evaluated before bootstrapping is required.

  • Relinearization. Reduces the overhead and storage burden of homomorphic computation by reducing the ciphertext size (which grows under homomorphic multiplication) while preserving the correctness of the underlying message.

  • Modulus switching. Generates a new, low-noise, equivalent ciphertext c' = c/r modulo q/r by dividing the ciphertext c modulo q by a factor |r|, preserving the underlying message without using the secret key to reduce the noise.

5. The development of fully homomorphic encryption

Initially, lattice-based fully homomorphic encryption schemes supported addition and multiplication of ciphertexts, allowing logic circuits to perform unlimited computation, very slowly. Then, Martin van Dijk, Craig Gentry, Shai Halevi and Vinod Vaikuntanathan replaced the homomorphic encryption part of Gentry's method with a simple integer-based scheme.

Next, BFV (Brakerski/Fan-Vercauteren) and BGV (Brakerski-Gentry-Vaikuntanathan) introduced the LWE and RLWE security models, and also introduced leveled schemes that allow logic gates up to a set depth to be evaluated before bootstrapping is required.

Then GSW (Gentry-Sahai-Waters) avoided the computationally expensive relinearization step in homomorphic multiplication, making the noise grow more slowly. FHEW developed more efficient ring variants while simplifying and speeding up bootstrapping.

Recently, CKKS (Cheon-Kim-Kim-Song) introduced efficient rounding operations for encrypted values, controlling the rate of noise growth in homomorphic multiplication and reducing the amount of bootstrapping needed in logic circuits. TFHE (Torus Fully Homomorphic Encryption) introduced the concept of PBS (Programmable Bootstrapping), reducing the number of bootstrapping operations required in logic circuits.

Currently, the technical frameworks and modes that support fully homomorphic encryption are shown in the following figure:

[Figure: technical frameworks and modes supporting fully homomorphic encryption]

Current fully homomorphic encryption schemes realize computation in three main ways:

5.1 Boolean circuits

  • Plaintext: bits

  • Computation: Arbitrary Boolean logic gates

  • Features: Fast numeric comparison and bootstrapping

  • Typical ways: GSW, FHEW, TFHE

5.2 Exact/modular integer arithmetic

  • Plaintext: integers modulo a (or vectors of them)

  • Computation: integer arithmetic circuits modulo a

  • Features:

    • Efficient SIMD (Single Instruction Multiple Data) batch computation on vectors of integers

    • Fast, high-precision integer arithmetic and scalar multiplication

    • Leveled evaluation that can avoid bootstrapping

  • Typical methods: BGV, BFV

5.3 Approximate Numerical Arithmetic

  • Plaintext: real or complex numbers

  • Computation: similar to floating-point operations

  • Features:

    • Fast Polynomial Approximation

    • Relatively fast reciprocal and discrete Fourier transform

    • Deep approximate computation, such as logistic model learning

    • Efficient SIMD batch computation on real vectors

    • Leveled evaluation that can avoid bootstrapping

  • Typical methods: BGV, BFV

6. Typical application scenarios of fully homomorphic encryption

With the emergence of hardware accelerators for fully homomorphic encryption, some possible application areas based on fully homomorphic encryption include:

6.1 Protect data from destruction/modification throughout its life cycle

Privacy-preserving computation on encrypted data guarantees that the data and its derived computations are immune to modification and/or destruction in the event of infrastructure compromise. Provable data security at rest and throughout the computing lifecycle will accelerate the move to trustless platforms for computing services of confidential data, removing most of the reasons for using private data centers.

6.2 Protecting data from quantum computing attacks

Algorithms based on Lattice mathematics used in fully homomorphic encryption are not vulnerable to quantum computing attacks. With the release or planned release of many quantum computer products, the era of post-quantum cryptography may have begun.

6.3 Protect application service data, results and analysis models from disclosure

Through fully homomorphic encryption, user-encrypted input data can be safely brought in, and big data, AI and/or analytics services can be run on it without disclosing the service results or the analysis model information (such as neural network weights).

6.4 Analyzing Encrypted Data Aggregated by Multiple Organizations

Disparate encrypted datasets from multiple organizations can be aggregated and analyzed without underlying data disclosure, including: 

  1. Big data, artificial intelligence or analytics insights into industry-wide trends; 

  2. Evaluate balance sheet summaries for mergers and acquisitions; 

  3. Combining data from different suppliers to facilitate drug trials; 

  4. Analytics applied to prospective partners' data to determine potential commercial value.

6.5 Security and Privacy Rules Matched to Network Traffic

Through advanced NTA (Network Traffic Analysis), the behavioral patterns, methods and techniques used by malicious cyber actors are learned over time, defined as rules, and encrypted using fully homomorphic encryption. These encrypted rules are then applied to network traffic in an untrusted environment through fully homomorphic computation, identifying and monitoring the presence of threat actors without exposing the threat signatures or the non-matching traffic. This is very useful for network security and anti-money laundering across WAN/MAN/LAN environments.

6.7 Interaction of Private Datasets

Secure dataset lookup in large databases: the ability to query a large data store for the presence of specific data without revealing anything about the query or the contents of the data store.

6.8 Enhanced Blockchain

Using fully homomorphic encryption together with zero-knowledge proofs, private transactions can be recorded on the blockchain while proving that no transaction details were disclosed when the transaction occurred.

6.9 Ensuring data security and integrity of the perception/control/execution real-time control chain

By encrypting sensor data at the source and supporting encrypted computations throughout the real-time control chain, data is protected from corruption and modification.

6.10 Monetization of Encrypted Data Resources

Private/confidential datasets encrypted via fully homomorphic encryption can generate revenue streams for consumption by trustless machine learning platforms, big data platforms, or analytics applications on trustless platforms.

7. Summary

Fully homomorphic encryption is often called the Holy Grail of cryptography, and its commercialization may be in the not-too-distant future. Infrastructure security models will become an unavoidable requirement, and cryptography for the post-quantum era will become a top priority for governments and industry. Once fully homomorphic encryption is commercialized, data access will be completely separated from unrestricted data processing, and secure storage and computing will become relatively cheap. Like databases, cloud computing, PKI and artificial intelligence before it, fully homomorphic encryption will trigger dramatic changes in the way confidential/private information is protected, processed and shared, and will fundamentally change the course of basic computing.

Origin blog.csdn.net/wireless_com/article/details/127607737