U.S. patent application number 14/097472 was filed with the patent office on 2014-05-22 for fully homomorphic encryption method based on a bootstrappable encryption scheme, computer program and apparatus.
This patent application is currently assigned to International Business Machines Corporation. The applicant listed for this patent is International Business Machines Corporation. Invention is credited to Craig B. Gentry.
Application Number | 20140140514 14/097472 |
Document ID | / |
Family ID | 43974189 |
Filed Date | 2014-05-22 |
United States Patent
Application |
20140140514 |
Kind Code |
A1 |
Gentry; Craig B. |
May 22, 2014 |
Fully Homomorphic Encryption Method Based On A Bootstrappable
Encryption Scheme, Computer Program And Apparatus
Abstract
A method includes encrypting information in accordance with an
encryption scheme that uses a public key; encrypting a plurality of
instances of a secret key, each being encrypted using at least one
additional instance of the public key; sending the encrypted
information and the plurality of encrypted instances of the secret
key to a destination; receiving an encrypted result from the
destination; and decrypting the encrypted result. A further method
includes receiving a plurality of encrypted secret keys and
information descriptive of a function to be performed on data;
converting the information to a circuit configured to perform the
function on the data; and applying the data to inputs of the
circuit and evaluating the data using, in turn, the plurality of
encrypted secret keys.
Inventors: |
Gentry; Craig B.; (New York,
NY) |
|
Applicant: |
Name |
City |
State |
Country |
Type |
International Business Machines Corporation |
Armonk |
NY |
US |
|
|
Assignee: |
International Business Machines
Corporation
Armonk
NY
|
Family ID: |
43974189 |
Appl. No.: |
14/097472 |
Filed: |
December 5, 2013 |
Related U.S. Patent Documents
|
|
|
|
|
|
Application
Number |
Filing Date |
Patent Number |
|
|
12590584 |
Nov 10, 2009 |
8630422 |
|
|
14097472 |
|
|
|
|
Current U.S.
Class: |
380/281 |
Current CPC
Class: |
H04L 2209/50 20130101;
H04L 2209/08 20130101; H04L 9/14 20130101; H04L 9/0822 20130101;
H04L 9/008 20130101; H04L 2209/46 20130101 |
Class at
Publication: |
380/281 |
International
Class: |
H04L 9/08 20060101
H04L009/08 |
Claims
1. A method, comprising: encrypting information in accordance with
an encryption scheme that uses a public key; encrypting a plurality
of secret keys, each being encrypted using one public key of a
plurality of additional public keys and encrypted using different
ones of the plurality of additional public keys; sending the
encrypted information and the plurality of encrypted secret keys to
a destination; receiving an encrypted result from the destination,
the encrypted result corresponding at least to the encrypted
information and the plurality of encrypted secret keys; and
decrypting the encrypted result.
2. The method of claim 1, where a number of the plurality of
encrypted secret keys is descriptive of a function to be performed
by the destination on the encrypted information.
3. The method of claim 1, where a number of the plurality of
encrypted secret keys is descriptive of a number of levels of a
circuit used to compute a function to be performed by the
destination on the encrypted information.
4. The method of claim 1, where the encrypted result comprises an
output of a search engine.
5. The method of claim 1, where the encrypted result comprises
information related to one or more files stored at the
destination.
6. The method of claim 1, where the encrypted result comprises an
output of a spam filter applied to encrypted messages at the
destination.
7. A method, comprising: receiving from a requestor a plurality of
encrypted secret keys and encrypted information; determining a
circuit configured to perform a function on the encrypted
information; applying the encrypted information to inputs of the
circuit and evaluating the encrypted information using, in turn,
the plurality of encrypted secret keys to create an encrypted
result; and sending the encrypted result to the requestor.
8. The method of claim 7, where the plurality of secret keys are
each encrypted using a different one of a plurality of public
keys.
9. The method of claim 7, where the received encrypted information
is encrypted using a first public key, and where the plurality of
secret keys are each encrypted using one of a plurality of
additional public keys and encrypted using different ones of the
plurality of additional public keys.
10. The method of claim 7, where a number of the plurality of
received encrypted secret keys is descriptive of a number of levels
of the circuit and wherein determining further comprises
determining at least the number of levels of the circuit based on
the number of the plurality of received encrypted secret keys.
11.-15. (canceled)
16. A non-transitory program storage device readable by a machine
and tangibly embodying a program of instructions executable by the
machine for performing operations comprising: encrypting
information in accordance with an encryption scheme that uses a
public key; encrypting a plurality of secret keys, each being
encrypted using one additional public key of a plurality of
additional public keys and encrypted using different ones of the
plurality of additional public keys; sending the encrypted
information and the plurality of encrypted the secret keys to a
destination; receiving an encrypted result from the destination,
the encrypted result corresponding at least to the encrypted
information and the plurality of encrypted secret keys; and
decrypting the encrypted result.
17. The program storage device of claim 16, where a number of the
plurality of encrypted secret keys is descriptive of a function to
be performed by the destination on the encrypted information.
18. The program storage device of claim 16, where a number of the
plurality of encrypted secret keys is descriptive of a number of
levels of a circuit used to compute a function to be performed by
the destination on the encrypted information.
19. The program storage device of claim 16, where the encrypted
result comprises an output of a search engine.
20. The program storage device of claim 16, where the encrypted
result comprises information related to one or more files stored at
the destination.
21. The program storage device of claim 16, where the encrypted
result comprises an output of a spam filter applied to encrypted
messages at the destination.
22. A non-transitory program storage device readable by a machine
and tangibly embodying a program of instructions executable by the
machine for performing operations comprising: receiving from a
requestor a plurality of encrypted secret keys and encrypted
information; determining a circuit configured to perform a function
on the encrypted information; applying the encrypted information to
inputs of the circuit and evaluating the encrypted information
using, in turn, the plurality of encrypted secret keys to create an
encrypted result; and sending the encrypted result to the
requestor.
23. The program storage device of claim 22, where the plurality of
secret keys are each encrypted using a different one of a plurality
of public keys.
24. The program storage device of claim 22, where the received
encrypted information is encrypted using a first public key, and
where the plurality of secret keys are each encrypted using one of
a plurality of additional public keys and encrypted using different
ones of the plurality of additional public keys.
25. The program storage device of claim 22, where a number of the
plurality of received encrypted secret keys is descriptive of a
number of levels of the circuit and wherein determining further
comprises determining at least the number of levels of the circuit
based on the number of the plurality of received encrypted secret
keys.
Description
FIELD OF THE INVENTION
[0001] This invention relates generally to encryption and
decryption algorithms and apparatus and, more specifically, to
homomorphic encryption algorithms and apparatus.
BACKGROUND OF THE INVENTION
[0002] A fully homomorphic encryption scheme may be considered as
one that allows the computation of arbitrary functions over
encrypted data without requiring the use of a decryption key.
[0003] There has existed an open problem of constructing a fully
homomorphic encryption scheme. This notion, originally called a
privacy homomorphism, was introduced by Rivest, Adleman and
Dertouzous (R. Rivest, L. Adleman, and M. Dertouzous. On data banks
and privacy homomorphisms. In Foundations of Secure Computation,
pages 169-180, 1978) shortly after the development of RSA by
Rivest, Shamir, and Adleman (R. Rivest, A. Shamir, and L. Adleman.
A method for obtaining digital signatures and public-key
cryptosystems. In Comm. of the ACM, 21:2, pages 120-126, 1978).
Basic RSA is a multiplicatively homomorphic encryption scheme,
i.e., given RSA public key pk=(N,e) and ciphertexts
{.psi..sub.i.rarw..pi..sub.i.sup.e mod N}, one can efficiently
compute .PI..sub.i.psi..sub.i=(.PI..sub.i.pi..sub.i).sup.e mod N, a
ciphertext that encrypts the product of the original plaintexts.
One may assume that it was RSA's multiplicative homomorphism, an
accidental but useful property, that led Rivest et al. to ask a
natural question: What can one do with an encryption scheme that is
fully homomorphic: a scheme .epsilon. with an efficient algorithm
Evaluate.sub..epsilon. that, for any valid public key pk, any
circuit C (not just a circuit consisting of multiplication gates as
in RSA), and any ciphertexts
.psi..sub.i.rarw.Encrypt.sub..epsilon.(pk,.pi..sub.i), outputs
.psi..rarw.Evaluate.sub..epsilon.(pk,C,.psi..sub.1, . . .
,.psi..sub.t),
[0004] a valid encryption of C(.pi..sub.1, . . . , .pi..sub.t)
under pk? Their answer: one can arbitrarily compute on encrypted
data, i.e., one can process encrypted data (query it, write into
it, do anything to it that can be efficiently expressed as a
circuit) without the decryption key. As an application, they
suggested private data banks. A user can store its data on an
untrusted server in encrypted form. Later, the user can send a
query on the data to the server, whereupon the server can express
this query as a circuit to be applied to the data, and use the
Evaluate.sub..epsilon. algorithm to construct an encrypted response
to the user's query, which the user then decrypts. One would
obviously want the server's response here to be more concise than
the trivial solution, in which the server just sends all of the
encrypted data back to the user to process on its own.
[0005] It is known that one can construct additively homomorphic
encryption schemes from lattices or linear codes. The lattice-based
scheme and the Reed-Solomon-code-based scheme allow
multiplications, though with exponential expansion in ciphertext
size. Ciphertexts implicitly contain an "error" that grows as
ciphertexts are added together. Thus, ciphertexts output by
Evaluate do not have the same distribution as ciphertexts output by
Encrypt, and at some point the error may become large enough to
cause incorrect decryption. For this reason, the homomorphism is
sometimes referred to as a "pseudohomomorphism" or a "bounded
homomorphism"
[0006] There are schemes that use a singly homomorphic encryption
scheme to construct a scheme that can perform more complicated
homomorphic operations (T. Sander, A. Young, and M. Yung.
Non-interactive cryptocomputing for NC1. In Proc. of FOCS '99,
pages 554-567, 1999, and Y. Ishai and A. Paskin. Evaluating
Branching Programs on Encrypted Data. In Proc. of TCC '07. Sanders,
Young and Yung (SYY) show that one can use a circuit-private
additively homomorphic encryption scheme to construct a
circuit-private scheme that can handle arbitrary circuits, where
the ciphertext size increases exponentially with the depth of the
circuit. Their scheme may, therefore, feasibly evaluate NC1
circuits. Ishai and Paskin show how to evaluate branching programs,
and with much smaller ciphertexts than SYY. In their scheme
Evaluate outputs a ciphertext whose length is proportional to the
length of the branching program. This remains true even if the size
of the branching program is very large, e.g., super-polynomial.
However, the computational complexity of their scheme is
proportional to the size.
[0007] In more detail, Ishai and Paskin use a "leveled" approach to
evaluate a branching program. A (deterministic) branching program
(BP) P is defined by a DAG from a distinguished initial node in
which each nonterminal node has two outgoing edges labeled 0 and 1,
and where the terminal nodes also have labels.
[0008] Cryptographers have accumulated an assortment of
applications for fully homomorphic encryption since then. However,
until now, there was no viable construction of a fully homomorphic
encryption scheme.
SUMMARY
[0009] The foregoing and other problems are overcome by the use of
the exemplary embodiments of this invention.
[0010] In a first aspect thereof the exemplary embodiments of this
invention provide a method that comprises encrypting information in
accordance with an encryption scheme that uses a public key;
encrypting a plurality of instances of a secret key, each being
encrypted using at least one additional instance of the public key;
sending the encrypted information and the plurality of encrypted
instances of the secret key to a destination; receiving an
encrypted result from the destination; and decrypting the encrypted
result.
[0011] In a further aspect thereof the exemplary embodiments of
this invention provide a method that comprises receiving a
plurality of encrypted secret keys and information descriptive of a
function to be performed on data; converting the information to a
circuit configured to perform the function on the data; and
applying the data to inputs of the circuit and evaluating the data
using, in turn, the plurality of encrypted secret keys.
[0012] In a further aspect thereof the exemplary embodiments of
this invention provide a method that comprises receiving second
information comprising first information encrypted under a second
public key of an encryption scheme, where the first information
comprises original information encrypted under a first public key
of the encryption scheme, where the encryption scheme uses public
key and secret key pairs and includes an encryption function, a
decryption function and an evaluation function, where the
encryption function operates to encrypt data using a certain public
key, where the decryption function operates to decrypt data
encrypted using the certain public key by using a certain secret
key to obtain the data, where the encryption scheme is operable to
evaluate at least one of the decryption function and an augmented
version of the decryption function, where the augmented version of
the decryption function comprises a circuit having at least two
copies of the decryption function as inputs for a gate; receiving a
first secret key encrypted under the second public key, where the
first secret key corresponds to the first public key; and
evaluating the second information by operating the evaluation
function, where the evaluation function receives as inputs the
second information, the first secret key encrypted under the second
public key, the second public key and an input circuit, where the
evaluation function outputs third information comprising the
original information encrypted under the second public key of the
encryption scheme.
[0013] In a further aspect thereof the exemplary embodiments of
this invention provide a program storage device readable by a
machine and tangibly embodying a program of instructions executable
by the machine for performing operations that comprise encrypting
information in accordance with an encryption scheme that uses a
public key; encrypting a plurality of instances of a secret key,
each being encrypted using at least one additional instance of the
public key; sending the encrypted information and the plurality of
encrypted instances of the secret key to a destination; receiving
an encrypted result from the destination; and decrypting the
encrypted result.
[0014] In a further aspect thereof the exemplary embodiments of
this invention provide a program storage device readable by a
machine and tangibly embodying a program of instructions executable
by the machine for performing operations that comprise receiving a
plurality of encrypted secret keys and information descriptive of a
function to be performed on data; converting the information to a
circuit configured to perform the function on the data; and
applying the data to inputs of the circuit and evaluating the data
using, in turn, the plurality of encrypted secret keys.
BRIEF DESCRIPTION OF THE DRAWINGS
[0015] FIG. 1 illustrates a simple block diagram of a requestor and
a server, such as a search engine, that use the fully homomorphic
encryption scheme constructed from a bootstrappable encryption
scheme in accordance with the exemplary embodiments of this
invention.
[0016] FIGS. 2A and 2B, collectively referred to as FIG. 2, show an
exemplary decryption circuit and the exemplary decryption circuit
augmented by a NAND logic function, respectively.
[0017] FIG. 3 shows an example of homomorphically evaluating a
decryption circuit.
[0018] FIG. 4 shows an example of homomorphically evaluating a
decryption circuit augmented with an operation, such as a NAND
logic function.
[0019] FIG. 5 shows another example of homomorphically evaluating
the decryption circuit augmented with an operation, such as the
NAND logic function.
[0020] FIG. 6 illustrates an informal theorem for circuits of
arbitrary depth.
[0021] FIGS. 7A and 7B, collectively referred to as FIG. 7, are
each a logic flow diagram illustrative of the operation of a
method, and the operation of a computer program, in accordance with
the exemplary embodiments of this invention.
[0022] FIG. 8 illustrates a block diagram of a system in which
certain embodiments may be implemented.
[0023] FIG. 9 is a block diagram of a method in accordance with an
exemplary embodiment herein.
DETAILED DESCRIPTION OF THE EXEMPLARY EMBODIMENTS OF THIS
INVENTION
[0024] In accordance with the exemplary embodiments of this
invention, an "initial" encryption scheme is created that is
somewhat homomorphic, i.e., it can compute shallow circuits. Then,
techniques are provided that allow constructing a fully homomorphic
encryption scheme from the somewhat homomorphic encryption scheme.
The initial technique may be referred to as bootstrapping. That is,
a bootstrappable encryption scheme is one wherein the encryption
scheme can evaluate its own decryption circuit (e.g., slightly
augmented versions of its own decryption circuit). It is shown that
if the decryption circuit of a somewhat homomorphic encryption
scheme is shallow enough, in particular, if it is shallow enough to
be evaluated homomorphically by the somewhat homomorphic scheme
itself (a self-referential property), then this somewhat
homomorphic scheme becomes "bootstrappable", and can be used to
construct a fully homomorphic scheme that can evaluate circuits of
arbitrary depth.
[0025] The somewhat homomorphic scheme itself improves upon prior
work; in particular, it allows an essentially arbitrary number of
addition operations while allowing up to O(loglog .alpha.)
multiplicative depth, where .alpha.=2.sup.n.sup.O(1) is the
approximation factor for the lattice problem underlying the
scheme's security. The somewhat homomorphic scheme is more
efficient than the fully homomorphic one, i.e., it requires less
work per gate of the circuit since it does not require the
computation associated with the bootstrapping.
[0026] Described below is a fully homomorphic encryption scheme
that solves a central open problem in cryptography. Such a scheme
allows one to compute arbitrary functions over encrypted data
without the decryption key, i.e., given encryptions E(m.sub.1), . .
. , E(m.sub.t) of m.sub.1, . . . , m.sub.t, one can efficiently
compute a compact ciphertext that encrypts f(m.sub.1, . . . ,
m.sub.t) for any efficiently computable function f. This problem
was posed by Rivest et al. in 1978.
[0027] Fully homomorphic encryption has numerous applications. For
example, it enables private search engine queries where the search
engine responds to a query without knowledge of the query, i.e., a
search engine can provide a succinct encrypted answer to an
encrypted (Boolean) query without knowing what the query was. It
also enables searching on encrypted data; one can store encrypted
data on a remote server and later have the server retrieve only
files that (when decrypted) satisfy some Boolean constraint, even
though the server cannot decrypt the files on its own. More
broadly, fully homomorphic encryption improves the efficiency of
secure multiparty computation.
[0028] Provided below is a somewhat homomorphic "boostrappable"
encryption scheme that is operable when the function f is the
scheme's own decryption function. It is then shown, through
recursive self-embedding, how bootstrappable encryption gives fully
homomorphic encryption.
[0029] By way of introduction, assume the presence of an encryption
scheme with a "noise parameter" attached to each ciphertext, where
encryption outputs a ciphertext with small noise, say less than n,
but decryption works as long as the noise is less than some
threshold N>>n. Furthermore, assume the presence of
algorithms Add and Mult that can take ciphertexts E(a) and E(h) and
compute E (a+b) and E (a*b), but at the cost of adding or
multiplying the noise parameters. This immediately gives a
"somewhat homomorphic" encryption scheme that can accommodate
circuits of depth roughly loglog N-loglog n.
[0030] Next assume the presence of an algorithm Recrypt that takes
a ciphertext E(a) with noise N'<N and outputs a "fresh"
ciphertext E(a) that also encrypts a, but which has noise parameter
smaller than {square root over (N)}. This Recrypt algorithm is
sufficient to construct a fully homomorphic scheme from the
somewhat homomorphic one. In particular, before Add or Mult E(a)
and E(b), one can apply Recrypt to E(a) and E(h) to ensure that
their noise parameters are small enough so that the noise parameter
of E(a*b) is less than N, and so on recursively.
[0031] A somewhat homomorphic encryption scheme is first provided.
Then it is shown how to modify the somewhat homomorphic encryption
scheme so that its decryption circuit has multiplicative depth at
most loglog N-loglog n-1, i.e., less depth than what the scheme can
accommodate. It is shown to be the case that a somewhat homomorphic
encryption scheme that has this self-referential property of being
able to handle circuits that are deeper than its own decryption
circuit, in which it can be said that the somewhat homomorphic
encryption scheme is "bootstrappable", is sufficient to obtain the
Recrypt algorithm, and thereby provide fully homomorphic
encryption.
[0032] Consider the following secret key encryption scheme which
merely uses integers. The key is an odd integer p>2N. An
encryption of a bit b is simply a random multiple of p, plus a
random integer B with the same parity as b, i.e., B is even if b=0
and is odd if b=1. More specifically, the ciphertext is c=b+2x+kp,
where x is a random integer in (-n/2, n/2) and k is an integer
chosen from some range. One decrypts by setting b.rarw.(c mod p)
mod 2, where (c mod p) is the number in (-p/2, p/2) that equals c
modulo p. Actually, (c mod p), which is the "noise parameter" in
this scheme, will be in [-n,n], since b+2x is in that range.
However, decryption would have worked correctly as long as
b+2x.di-elect cons.[-N,N].OR right.(-p/2, p/2). It can be noted
that computing c mod p can be done by a very shallow circuit, with
depth logarithmic in the bit-lengths of c and p.
[0033] Now consider what occurs when two ciphertexts are added,
i.e., there is obtained a ciphertext that has a similar format to
the originals. Specifically,
c.rarw.c.sub.1+c.sub.2=b.sub.1+b.sub.2+2(x.sub.1+x.sub.2)+(k.sub.1+k.sub-
.2)p=b.sub.1.sym.b.sub.2+2x+kp
[0034] for some integers and k. Decryption recovers
b.sub.1.sym.b.sub.2 as long as
(b.sub.1+2x.sub.1)+(b.sub.2+2x.sub.2).di-elect cons.[-N,N].
Multiplication also gives ciphertexts with a similar format.
c.rarw.c.sub.1*c.sub.2=b.sub.1*b.sub.2+2(b.sub.1x.sub.2+b.sub.2x.sub.1+2-
x.sub.1x.sub.2)+kp=b.sub.1*b.sub.2+2x+kp
[0035] for some integers and k. Decryption is workable whenever
(b.sub.1+2x.sub.1)*(b.sub.2+2x.sub.2).di-elect cons.[-N,N].
[0036] Assume that there are good and bad representations of p,
such that the bad representation can be used in encryption but
cannot be used to distinguish whether an integer is close to a
multiple of p or is uniform modulo p. A question that arises is how
to prove security? If there is an adversary A that can break
semantic security, B uses A to decide which distribution an integer
in comes from as follows: give A the challenge ciphertext c=b+2m+kp
for random k. If in is close to a multiple of p, then so is 2m, and
the closest p-multiple is an even distance away; in particular,
b+2m.di-elect cons.[-N,N] mod p and b+2m mod p=b, the challenge
ciphertext decrypts correctly to b, and A should guess b with
non-negligible advantage. But if in is uniform modulo p, then so is
2m (since p is odd), c is independent of b and A has no advantage.
Basically, B can distinguish the distribution that in came from by
observing whether A guesses correctly with non-negligible
advantage.
[0037] The exemplary embodiments of this invention enable the
constructions of a fully homomorphic encryption scheme .epsilon..
At a high-level, the essence of fully homomorphic encryption is as
follows: given ciphertexts that encrypt .pi..sub.1, . . . ,
.pi..sub.t, fully homomorphic encryption should allow anyone (not
just the key-holder) to output a ciphertext that encrypts
f(.pi..sub.1, . . . , .pi..sub.t) for any desired function f, as
long as that function can be efficiently computed. No information
about .pi..sub.1, . . . , .pi..sub.t or f(.pi..sub.1, . . . ,
.pi..sub.t), or any intermediate plaintext values, should leak;
i.e., the inputs, output and intermediate values are encrypted.
[0038] Formally, there are different ways of defining what it means
for the final ciphertext to "encrypt" f(.pi..sub.1, . . . ,
.pi..sub.t). The minimal requirement is correctness. A fully
homomorphic encryption scheme .epsilon. should have an efficient
algorithm Evaluate.sub..epsilon. that, for any valid .epsilon. key
pair (sk,pk), any circuit C, and any ciphertexts
.psi..sub.i.rarw.Encrypt.sub..epsilon.(pk,.pi..sub.i), outputs
[0039] .psi..rarw.Evaluate.sub..epsilon.(pk, C, .omega..sub.1, . .
. , .psi..sub.t) suchthat
Decrypt.sub..epsilon.(sk,.psi.)=C(.pi..sub.1, . . . .pi..sub.t)
[0040] This minimal requirement, however, may not be sufficient,
since it permits the trivial solution where .psi. simply consists
of (C, .psi..sub.1, . . . , .psi..sub.t)--i.e., where the
Evaluate.sub..epsilon. algorithm does not "process" the input
ciphertexts at all.
[0041] There are different ways of excluding the trivial solution.
One way is to require circuit privacy, i.e., (roughly) that the
output of Evaluate E reveals nothing (at least computationally)
about the circuit C that it took as input. If circuit privacy is
the only additional requirement, then fully homomorphic encryption
(under this definition) can be achieved by using a two-flow
oblivious transfer (OT) protocol in combination with Yao's garbled
circuit (A. C. Yao. Protocols for secure computations (extended
abstract). FOCS '82, pages 80-91, A. C. Yao. How to generate and
exchange secrets. FOCS '86, pages 162-167.) Typically two-flow OT
protocols use an additively homomorphic encryption scheme, and the
OT query consists of a ciphertext .psi. in this encryption scheme.
In the fully homomorphic scheme, Evaluate(pk, C, .psi..sub.1, . . .
, .psi..sub.t) constructs a Yao garbling C.sup..dagger. of C, uses
the OT queries .psi..sub.1, . . . , .psi..sub.t to construct OT
responses .psi..sub.1*, . . . , .psi..sub.t* designed to
obliviously transfer Yao keys associated to the c input wires in
C.sup..dagger., and outputs (C.sup..dagger., .psi..sub.1*, . . . ,
.psi..sub.t*). To decrypt this ciphertext, the key holder
"decrypts" the OT responses .psi..sub.1*, . . . , .psi..sub.t* to
recover Yao keys for the input wires, and then evaluates the
garbled circuit. It has also been shown how to achieve statistical
circuit privacy, but only for limited classes of circuits, namely,
NC1 and NLOGSPACE.
[0042] A more interesting technique to exclude the trivial solution
is to require (roughly) that the ciphertext encrypting
C(.pi..sub.1, . . . , .pi..sub.t) should "look like" an "ordinary"
ciphertext, as long as C(.pi..sub.1, . . . , .pi..sub.t) is a
single bit (or element of the same plaintext space that contains
{.pi..sub.i}). For example, the size of the ciphertext output by
Evaluate(pk, C, .psi..sub.1, . . . .psi..sub.t) should not depend
on C. Focus is placed on this definition. Actually, a stronger
requirement is assumed: that Decrypt.sub..epsilon. be expressible
by a circuit D.sub..epsilon., which takes a (formatted) secret key
and (formatted) ciphertext as input, and whose size is (a fixed)
polynomial in the security parameter. This implies that there is an
upper bound on the ciphertext size that depends only on the
security parameter, and is independent of C.
[0043] It may be useful to provide a physical analogy as an aid in
visualizing the concept of fully homomorphic encryption. Assume
that the owner of a jewelry store wants her employees to assemble
raw precious materials (diamonds, gold, etc.) into finished
products, but is worried about theft. The owner addresses the
problem by constructing glove boxes for which only the owner has
the key, and puts the raw materials inside the glove boxes. Using
the gloves, an employee can manipulate the items inside the box.
Moreover, an employee can put things inside the box, e.g., a
soldering iron to use on the raw materials, although the employee
cannot take anything out. Also, the box is transparent, so that an
employee can see what he is doing within the box. In this analogy,
encryption means that the employee is unable to take something out
of the box, not that he is unable to see it. After the employee is
finished, the jewelry store owner can recover the finished product
at her leisure by using her key. This analogy is inadequate in the
sense that the glove box might become quite cluttered, whereas in
the fully homomorphic encryption scheme only the final product need
remain. In other words, to improve the analogy, imagine that the
employee has some way to make any item in the glove box (of his
choosing) disappear, even though he still cannot extract the
item.
[0044] In view of the foregoing analogy, and now with respect to
fully homomorphic encryption, assume that, a priori, there is a
scheme .epsilon. that is only guaranteed to be correct for some
subset C.sub..epsilon. of circuits, i.e.,
Decrypt.sub..epsilon.(sk,Evaluate.sub..epsilon.(pk,C,.psi..sub.1, .
. . ,.psi..sub.t))=C(.pi..sub.1, . . . ,.pi..sub.t)
[0045] is guaranteed to hold only if C.di-elect
cons.C.sub..epsilon. (and, as before,
.psi..sub.i.rarw.Encrypt.sub..epsilon.(pk, .pi..sub.i)). Can one
then use .epsilon. to construct a scheme .epsilon.* that is fully
homomorphic?
[0046] It is shown below that that the answer to this question is
yes. Suppose that C.sub..epsilon. contains just two circuits:
D.sub..epsilon. and the augmentation of D.sub..epsilon. by NAND
(i.e., a NAND gate connecting two copies of D.sub..epsilon.), where
D.sub..epsilon. is the circuit associated to the decryption
algorithm. Reference in this regard can be made to FIG. 2. A NAND
is used for convenience in that any circuit can be expressed in
terms of NAND gates. However, the decryption circuit could be
augmented by a different set of universal gates. If c has this
self-referential property of being able to evaluate its own
(augmented) decryption circuit, it can be said that is
bootstrappable. It is shown that the bootstrappable encryption
implies leveled fully homomorphic encryption, i.e., that
D.sub..epsilon. plus the NAND-augmentation of D.sub..epsilon.
constitute a "complete" set of circuits:
[0047] Theorem 1 (Informal) If .epsilon. is bootstrappable, then,
for any integer d, one can construct a scheme .epsilon..sup.(d)
that can evaluate any circuit (consisting of NAND gates) of depth
d. The decryption circuit for .epsilon..sup.(d) is the same as for
.epsilon., and the complexity of encryption is also the same,
.epsilon..sup.(d)'s public key size is O(d) times that of
.epsilon.'s. The complexity of Evaluate.sub..epsilon..sub.(d) is
polynomial in the security parameter and linear in the circuit
size. If .epsilon. is semantically secure against chosen plaintext
attacks, then so is Evaluate.sub..epsilon..sub.(d)
[0048] Note with regard to .epsilon..sup.(d) that its public key is
O(d) times that of .epsilon.'s public key. Since .epsilon..sup.(d)
has this dependence on d, one can say that it is merely leveled
fully homomorphic. Under certain assumptions, one can make the
.epsilon..sup.(d) public key size be independent of d, in which
case it can be said that the derived scheme is fully
homomorphic.
[0049] It can be noted that, significantly, .epsilon. can evaluate
(augmentations of) D.sub..epsilon.. Assume that the distributions
of Evaluate.sub..epsilon.(pk, C, .psi..sub.1, . . . , .psi..sub.t)
and Encrypt.sub..epsilon.(pk, C(.pi..sub.1, . . . , .pi..sub.t))
are different. In particular, assume that there is an "error"
associated with each ciphertext, that ciphertexts output by
Encrypt.sub..epsilon. have small error, that ciphertexts output by
Evaluate.sub..epsilon. have larger error that increases with the
depth of the circuit being evaluated, and that eventually (as the
depth of the circuit being evaluated increases) the "error" becomes
so large that applying Decrypt.sub..epsilon. to the ciphertext
results in a decryption error. Intuitively, as one evaluates a
circuit and the implicit "error" becomes large, it would be
desirable to "refresh" the ciphertext so that the error becomes
small again. One could refresh a ciphertext by completely
decrypting it, simply by generating an entirely new and fresh
ciphertext that encrypts the same thing. However, this would
require knowledge of the secret key, which is not desirable,
Instead, in bootstrapping it becomes possible to decrypt the
ciphertext, but homomorphically.
[0050] Specifically, assume that c is bootstrappable, with
plaintext space P={0,1}, and that the circuits are Boolean. Assume
further that there is exists a ciphertext .psi..sub.1 that encrypts
.pi. under pk.sub.1, which is desired to be refreshed. So that it
can be decrypted homomorphically, also assume the presence of
sk.sub.1, the secret key for pk.sub.1, encrypted under a second
public key pk.sub.2: let sk.sub.1j be the encryption of the j th
bit of sk.sub.1. Consider the following algorithm.
Recrypt ( pk 2 , D , sk 1 j _ , .psi. 1 ) . Set .psi. 1 j _ R
Encrypt ( pk 2 , .psi. 1 j ) ##EQU00001## Output .psi. 2 Evaluate
.eta. ( pk 2 , D , sk 1 j _ , .psi. 1 j _ ) ##EQU00001.2##
[0051] Above, Evaluate takes in the bits of sk.sub.1 and
.psi..sub.1, each encrypted under pk.sub.2. Then, e is used to
evaluate the decryption circuit homomorphically. The output
.psi..sub.2 is thus an encryption under pk.sub.2 of
Decrypt.sub..epsilon.(sk.sub.1,.psi..sub.1)=.pi.. In other words,
Recrypt decrypts homomorphically using the encrypted secret key,
thus obtaining a new ciphertext that encrypts the same thing as the
original one.
[0052] It can be noted how .pi. is doubly encrypted at one point,
and that Evaluate.sub..epsilon. is used to remove the inner
encryption. Applying the decryption circuit D.sub..epsilon. removes
the "error" associated to the first ciphertext under pk.sub.1, but
Evaluate.sub..epsilon. simultaneously introduces a new "error"
while evaluating the ciphertexts under pk.sub.2. Intuitively,
progress has been made so long as the second error is less
(shorter). It is important to note that revealing the encrypted
secret key bits sk.sub.1 does not compromise semantic security; as
these encrypted secret key bits are indistinguishable from
encryptions of 0 as long as .epsilon. is semantically secure by a
standard hybrid argument. This hybrid argument breaks down if
pk.sub.1=pk.sub.2. However, if .epsilon. securely encrypts
key-dependent messages (is KDM-secure), i.e., roughly, if providing
a ciphertext that encrypts a function of the secret key does not
hurt security, then Recrypt can have a "self-loop" of encrypted
secret keys.
[0053] Reference with regard to the concept of KDM-secure may be
made to, for example: J. Black, P. Rogaway, and T. Shrimpton.
Encryption-scheme security in the presence of key-dependent
messages. In Proc. of SAC '02, LNCS 2595, pages 62-75. Springer,
2002; S. Halevi and H. Krawczyk. Security under key-dependent
inputs. In Proc. of ACM CCS '07, 2007; and D. Boneh, S. Halevi, M.
Hamburg, and R. Ostrovsky. Circular-Secure Encryption from Decision
Diffe-Hellman. In Proc. of Crypto '08, LNCS 5157, pages
108-125.
[0054] However, the goal is to perform nontrivial homomorphic
operations on underlying plaintexts, not merely to obtain refreshed
encryptions of the same plaintext. If one can also evaluate a NAND
augmentation of the decryption circuit, then one can generate an
encryption of (.pi..sub.1 NAND .pi..sub.2) under pk.sub.2 using the
encrypted secret key (sk.sub.1 under pk.sub.2) together with the
two ciphertexts encrypting .pi..sub.1 and .pi..sub.2 respectively,
under pk.sub.1. By recursively performing this type of operation on
all ciphertexts at a given level in the circuit, it becomes
possible to evaluate a d-depth circuit of NANDs. If .epsilon. is
KDM-secure, the operation is fully homomorphic (rather than leveled
fully homomorphic). In a random oracle model, discussed below, it
is shown that a bootstrappable encryption scheme implies a scheme
that is both bootstrappable and KDM-secure, and thus implies a
fully homomorphic encryption scheme.
[0055] Again, it may be helpful to view bootstrapping in terms of
the jewelry store physical analogy. Imagine that the glove boxes
are defective; after an employee uses the gloves for one minute,
the gloves stiffen and become unusable. Unfortunately, even the
fastest employee cannot assemble some of the more intricate designs
in under a minute. To solve this problem the jewelry store owner
gives to an employee that is assembling an intricate design a glove
box containing the raw materials, but also several additional glove
boxes. Each of these additional glove boxes holds a copy of the
master key. To assemble the intricate design, the employee
manipulates the materials in box #1 until the gloves stiffen. Then,
he places box #1 inside box #2, where the latter box already
contains a master key. Using the gloves for box #2, he opens box #1
with the master key, extracts the partially assembled item, and
continues the assembly within box #2 until its gloves stiffen. He
then places box #2 inside box #3, and so on. The employee finally
finishes his assembly inside of box #n. Of course, this procedure
assumes that the employee can open box #i within box #(i+1), and
have time to some progress on the assembly, all before the gloves
of box #(i+1) stiffen. This is analogous to the requirement for a
bootstrappable encryption scheme .epsilon., that the complexity of
.epsilon.'s (augmented) decryption circuit is less than what
.epsilon. can homomorphically evaluate.
[0056] The foregoing analogy assumes that it is safe to use a
single master key that opens all boxes. However, perhaps an
employee could use the gloves for box #2, together with master key
inside that box, to open the box from the inside, extract the key,
and use it to open box #1 and remove the jewels. However, this
situation can be avoided by using distinct keys for the boxes, and
placing the key for box #1 inside box #2, the key for box #2 inside
box #3, and so on. This is analogous to the question of whether the
encryption scheme is KDM-secure.
[0057] One non-limiting application of fully homomorphic encryption
is in a two-party setting. A simple example is making encrypted
queries to search engines. Referring to FIG. 1, to perform an
encrypted search a party (requestor 1) generates a public key pk
for the fully homomorphic encryption scheme, and generates
ciphertexts .psi..sub.1, . . . , .psi..sub.t that encrypt the query
.pi..sub.1, . . . , .pi..sub.t under pk. (For example, each
.pi..sub.i could be a single bit of the query.) Now, let the
circuit C express a search engine server 2 search function for data
stored in storage 3. The server 2 sets
.psi..sub.i*.rarw.Evaluate(pk, C.sub.i, .psi..sub.1, . . . ,
.psi..sub.t), where C.sub.i is the sub-circuit of C that computes
the ith bit of the output. Note that, in practice, the evaluation
of C.sub.i* and C.sub.j* may share intermediate results, in which
case it may be needlessly inefficient to run independent instances
of the Evaluate algorithm. The server 2 sends these ciphertexts to
the requestor 1. It is known that, by the correctness requirement,
Decrypt(sk, .psi..sub.i*)=C.sub.i(.pi..sub.1, . . . , .pi..sub.t).
These latter values constitute precisely the answer to the query,
which is recoverable through decryption.
[0058] As another non-limiting application, the exemplary
embodiments of this invention enable searching over encrypted data.
In this scenario, assume that the requestor 1 stores files on the
server 2 (e.g., on the Internet), so that the requestor 1 can
conveniently access these files without needing the requestor's
computer. However, the requestor encrypts the files, otherwise the
server 2 could potentially read the private data. Let bits
.pi..sub.1, . . . , .pi..sub.t represent the files, which are
encrypted in the ciphertexts .psi..sub.1, . . . , .psi..sub.t.
Assume then that the requestor 1 later wants to download all
encrypted files that satisfy a query, e.g., all files containing
the word `homomorphic` within 5 words of `encryption`, but not the
word `evoting`. The requestor 1 sends the query to the server 2,
which expresses it as a circuit C. The server sets
.psi..sub.i*.rarw.Evaluate(pk, C.sub.i, .psi..sub.1, . . . ,
.psi..sub.t) and sends these ciphertexts to the requestor 1, who
decrypts the returned ciphertexts to recover C(.pi..sub.1, . . . ,
.pi..sub.t), the (bits of the) files that satisfy the query.
[0059] Note that in this application, as in the encrypted search
application, the requestor preferably provides an upper bound on
the number of bits that the response should have, and the encrypted
response from the server 2 is padded or truncated to meet the upper
bound.
[0060] Assume now that a party A wants the value of f(.pi..sub.1, .
. . , .pi..sub.t), where f is some function "owned" by a party B,
but party A does not want to reveal .pi..sub.1, . . . , .pi..sub.t.
(Possibly, party B also does not want to reveal f.) In the above
mentioned technique of Yao party B would express the function as a
Boolean circuit C, generate (for each wire in the circuit) two
random strings that are associated respectively to `0` and `1` at
that wire, and construct ciphertexts that encrypt the gates of the
circuit in a certain way using a symmetric encryption scheme. Party
B then sends the "garbled circuit," which consists of the
ciphertexts, along with the strings for `0` and `1` associated to
the output wire of C, to party A. To obtain f(.pi..sub.1, . . . ,
.pi..sub.t), party A would use oblivious transfer to obtain the
strings associated to the bits .pi..sub.1, . . . , .pi..sub.t for
the input wires of the garbled circuit, and then evaluate the
garbled circuit to obtain the string for either `0` or `1`
associated to the output wire of C.
[0061] Comparing now the fully homomorphic encryption technique in
accordance with the exemplary embodiments of this invention to a
previous general solution for secure two-party computation, namely,
"Yao's garbled circuit", one problem with Yao's protocol is that
the communication complexity is proportional to the size of the
circuit C. This makes the protocol rather unattractive in both of
the scenarios discussed above (encrypted search and searching
encrypted data). In the encrypted search scenario, the search
engine 2 would need to send the requestor 1 a large garbled circuit
whose size is proportional to the data being searched. In the
scenario of searching on encrypted data, the requestor 1 would need
to send a circuit whose size is proportional to the size of the
data. If such communication complexity could be tolerated, then the
server 2 may simply just send all of the requestor's encrypted
without "processing" those files at all, and let the requestor 1
determine which files are needed. With fully homomorphic
encryption, however, the communication complexity is significantly
reduced. In particular, the communication needed, other than pk, is
simply the number of bits needed to express the (cleartext) query
and the (cleartext) response of the server 2, each multiplied by
the size of the security parameter, since each cleartext bit
becomes a ciphertext. Actually, for the inputs to the circuit,
e.g., the search query, the scheme's communication overhead here
can be only additive, rather than multiplicative. Note that while
Yao's protocol enables hiding the circuit, the fully homomorphic
encryption scheme can be augmented to provide unconditional circuit
privacy.
[0062] In view of the computational overhead of the fully
homomorphic encryption technique in accordance with this invention
asynchronous application scenarios may be more desirable in
practice. One example is the spam filtering of encrypted emails:
given an email encrypted using the fully homomorphic encryption
technique under the public key of a certain party, that party's
e-mail server can homomorphically apply its spam filter to the
email to obtain an encryption of `0` (indicating the email is not
spam) or `1` (indicating that it is). Later the party can decrypt
this single ciphertext to recover a bit b, and then only decrypt
the remainder of the email if b=.sup.0.
[0063] Regarding multiparty computation, it has been shown that the
fully homomorphic encryption technique can securely compute any
function. More specifically, one can construct efficient secure
protocols for any multiparty computation in which there is an
honest majority (see O. Goldreich, S. Micali, and A. Wigderson. How
to play any mental game--a completeness theorem for protocols with
honest majority. J. of the ACM, vol. 38, no. 1, pp. 691-729, 1991,
Preliminary version in FOCS '86), assuming only the existence of
trapdoor permutations. By "efficient" it is not implied that these
protocols are necessarily practical. What is meant instead is that
the communication and computational complexity of the secure
protocol equals the computational complexity of the insecure
protocol times some factor that is polynomial in the security
parameter and number of parties.
[0064] It is known that it is possible to construct a secure
protocol whose communication complexity is polynomial in the
security parameter and the communication complexity of the insecure
protocol. However, at least one conventional approach exhibits a
computational complexity that is exponential (in the worst case) in
the communication complexity. In eliminating one type of unwanted
dependence, it introduces another. The question thus remains as to
whether a protocol can be made secure while leaving both the
communication and the computational complexity unchanged, up to a
factor polynomial in the security parameter? With fully homomorphic
encryption, the answer is essentially yes. More precisely, the
answer is affirmative if one relaxes the definition of
communication complexity to include the bit-lengths of the output
functions (which normally would not necessarily be included, since
they are not communicated).
[0065] In greater detail, assume first a simple case of two-party
secure function evaluation, where only one party receives an
output. In a "semi-honest setting", a first party generates a
public key for the fully homomorphic encryption scheme and provides
the public key, along with encrypted inputs, to a second party. The
second party encrypts his inputs, homomorphically evaluates the
function on his and the first party's input, randomizes the output
ciphertexts if necessary (to achieve circuit privacy, so that the
output ciphertexts are statistically independent of the second
party's inputs, except insofar as the output plaintexts are
dependent on the second party's inputs), and sends the output
ciphertexts to the first party. The privacy of the first party's
inputs follows from the semantic security of the encryption scheme,
while the privacy of the second party is unconditional. The total
communication in this protocol is exactly that of the insecure
protocol, times a factor polynomial in the security parameter
(similarly for the computational complexity); this is a significant
qualitative improvement over Yao's garbled circuit, where the
communication is proportional to the computational complexity of
the function. Actually, it is possible to increase the
communication overhead by only an additive factor polynomial in the
security parameter, except that the communication overhead is
multiplicative with respect to the output function's
bit-length.
[0066] Extending the application of fully homomorphic encryption
from the two-party setting to the multiparty setting is not
entirely trivial since, in the two-party setting, the second party
prevents the first party from seeing any intermediate values
encrypted under the first party's key simply by completing the
computation and sending back the final encrypted value to the first
party. However, in the multiparty setting, it is less clear how one
prevents the first party from seeing intermediate value encrypted
under the key of the first party.
[0067] An approach can be used that was initially proposed by M.
Franklin and S. Haber. Joint encryption and message-efficient
secure computation, Journal of Cryptology, 9(4):217-232, 1996), and
further developed in R. Cramer, I. Damgaard, and J. B. Nielsen.
Multiparty computation from threshold homomorphic encryption, In
Proc. of Crypto '01, LNCS 2045, pages 280-300. Namely, basing
secure multiparty computation on threshold homomorphic encryption.
The underlying concept is simple: the parties must use some (other)
scheme for secure computation to set up a public key for the fully
homomorphic encryption scheme and distribute shares of the secret
key; this introduces additive communication and computational
overhead that is independent of the insecure protocol. After setup,
the parties perform exactly the communications and computations
that they would in the insecure protocol, except on encrypted data;
fully homomorphic encryption ensures that, if a party was able to
perform computations locally in the insecure protocol, it is also
able to in the secure protocol. Afterwards, they use some scheme
for secure computation to perform threshold decryption on the
encrypted outputs; again, this overhead is independent of the
insecure protocol, except insofar as it depends on the bit-lengths
of the function outputs. This scheme is dependent on the number of
multiplication gates in the circuit, because these could not be
performed homomorphically. With a fully homomorphic encryption
scheme this problem is avoided, and the high-level concept of an
"arithmetic black box" can be fully realized.
[0068] To handle malicious parties one can use a transformation
(e.g., see M. Naor and K. Nissim. Communication preserving
protocols for secure function evaluation, In Proc. of STOC '01,
pages 590-599, 2001) from a protocol for multiparty SFE with
semi-honest parties to a protocol for malicious ones via a compiler
that is communication-preserving, i.e., the transformation adds
communication polynomial in the security parameter and
polylogarithmic in the inputs.
[0069] The literature mentions numerous other applications where
fully homomorphic encryption would be useful. For example, O.
Goldreich and R. Ostrovsky. Software protection and simulation by
oblivious RAMs, JACM, 1996 consider software protection and show
that any program can be converted to a pair consisting of an
encrypted program and a CPU with .lamda. bits of "shielded" memory,
where .lamda. is the security parameter, which defeats
"experiments" by an adversary that might either attempt the
determine the values that are stored and retrieved from memory, or
try to determine the program's "access pattern", i.e., its attempts
to change the values. In this scheme there is a logarithmic
increase in the computation time; however, the shielded CPU needs
to be accessed for any nontrivial computation. With a fully
homomorphic encryption scheme, the program and values can remain
encrypted throughout the computation until the end. The shielded
CPU only needs to be accessed to perform the decryption of the
final output.
[0070] In S. Goldwasser, Y. T. Kalai, and G. Rothblum, One-Time
Programs. In Proc. of Crypto '08, LNCS 5157, pages 39-56. Springer,
2008 there is introduced the concept of one-time programs, in which
minimal use of hardware is made to ensure that a program is used
only once. This approach essentially encrypts the program using
Yao's garbled circuit, and uses a secure device to perform the
decryption (a toggle bit is used to ensure that this decryption
occurs only once). One shortcoming of this approach is that the
size of the encrypted program is proportional to the maximal
running time of the program. With a fully homomorphic encryption
scheme, however, one can construct an (encrypted) one-time program
whose size is proportional to the original program. Essentially,
one simply encrypts the program using the fully homomorphic
encryption scheme, and runs it homomorphically, using the device to
perform the final decryption.
[0071] As a further application of interest, R. Ostrovsky and W. E.
Skeith. Private Searching on Streaming Data. In Proc. of Crypto
'05, LNCS 3621, pp. 223-240) propose the notion of public-key
obfuscation, i.e., where a sort of obfuscation is achieved simply
by encrypting the program; somehow, one then runs the encrypted
program, and afterwards decrypts the output. With a fully
homomorphic encryption scheme, running the encrypted program is
straightforward. This may be of particular interest for
applications such as web services and cloud computing, where the
use of fully homomorphic encryption would permit remote
computations on encrypted data with complete privacy.
[0072] In a proxy re-encryption (e.g., see M. Blaze, G. Bleumer,
and M. Strauss. Divertible protocols and atomic proxy cryptography.
Eurocrypt '98, LNCS 1403, pp. 127-144) the idea is that the first
party publishes a tag .tau. that will permit anyone to convert a
ciphertext encrypted under the public key pk.sub.A of the first
party into an encryption of the same message under the public key
pk.sub.B of a second party. However, previous proxy re-encryption
schemes have shortcomings, e.g., they either are not unidirectional
(i.e., the tag of the first party can also be used to convert
ciphertexts under pk.sub.B to ciphertexts under pk.sub.A, and both
parties must cooperate to produce .tau.), or they are not multi-use
(i.e., it is impossible to construct a sequence of tags
.tau..sub.1, .tau..sub.2, . . . that allows anyone to convert
ciphertexts under pk.sub.A to pk.sub.B, pk.sub.b to pk.sub.C, and
so on indefinitely, without the ciphertexts growing in size).
Recursive application of the Recrypt algorithm in accordance with
an aspect of this invention provided the first unidirectional
multi-use proxy re-encryption scheme.
[0073] With fully homomorphic encryption, one can construct
non-interactive zero knowledge proofs (NIZKs) of small size. For
example, assume that the first party wishes to prove that
.pi..sub.1, . . . , .pi..sub.t is a satisfying assignment of a
Boolean circuit C. The first party generates a public key pk for
the fully homomorphic encryption scheme, the input ciphertext:
[0074] {.psi..sub.i.rarw.Encrypt(pk, .pi..sub.i(},
[0075] and the output ciphertext:
[0076] .psi.*.rarw.Evaluate(pk, C, .psi..sub.1, . . . ,
.psi..sub.t).
[0077] The NIZK that the assignment is satisfying is composed of
NIZK proofs, under any NIZK scheme, that pk, {.psi..sub.i} and
.psi.* are well-formed, where well-formedness for the ciphertexts
means that each .psi..sub.i is a valid encryption of `0` or `1`,
and .psi.* is a valid encryption of `1`. A verifier checks the
NIZKs for well-formedness, and confirms that .psi.*=Evaluate(pk, C,
.psi..sub.1, . . . , .psi..sub.t). Intuitively, the NIZK proof
works because, if the verifier believes that pk and the input
ciphertexts are well-formed, then the correctness of the encryption
scheme implies that the output ciphertext can encrypt `1` only if
C(.pi..sub.1, . . . , .pi..sub.t)=1. The size of the NIZK proof is
proportional to the number of inputs to the circuit, but is
otherwise independent of the size of the circuit.
[0078] Described now in even further detail is the leveled fully
homomorphic encryption from bootstrappable encryption, in
accordance with the exemplary embodiments of this invention.
[0079] To explain this procedure mathematically, begin by
considering the following algorithm, which may be referred to as
Recrypt. For simplicity, assume the plaintext space P is {0,1} and
D.sub..epsilon. is a Boolean circuit in C.sub..epsilon.. Let
(sk.sub.1, pk.sub.1) and (sk.sub.2, pk.sub.2) be two .epsilon.
key-pairs. Let .psi..sub.1 be an encryption of .pi..di-elect cons.P
under pk.sub.1. Let sk.sub.1,j be an encryption of the j-th bit of
the first secret key sk.sub.1 under the second public key pk.sub.2.
Recrypt takes these as inputs, and outputs an encryption of .pi.
under pk.sub.2.
Recrypt ( pk 2 , D , sk 1 j _ , .psi. 1 ) . Set .psi. 1 j _ R
Encrypt ( pk 2 , .psi. 1 j ) where ##EQU00002## .psi. 1 j is the j
- th bit of .psi. 1 ##EQU00002.2## Set .psi. 2 Evaluate ( pk 2 , D
, sk 1 j _ , .psi. 1 j _ ) ##EQU00002.3## Output .psi. 2
##EQU00002.4##
[0080] Above, the Evaluate algorithm takes in all of the bits of
sk.sub.1 and all of the bits of .psi..sub.1, each encrypted under
pk.sub.2. Then, .epsilon. is used to evaluate the decryption
circuit homomorphically. The output .psi..sub.2 is thus an
encryption under pk.sub.2 of Decrypt.sub..epsilon.(sk.sub.1,
.psi..sub.1).fwdarw..pi..
[0081] It can be noted that the Recrypt algorithm plies a proxy
one-way re-encryption scheme, where a one-way proxy re-encryption
scheme allows the owner of sk.sub.1 to generate a tag that enables
an untrusted proxy to convert an encryption of .pi. under pk.sub.1
to an encryption of .pi. under pk.sub.2, but not the reverse. In
the description above, the tag is sk.sub.1j, the encrypted secret
key. Strictly speaking, the security model for proxy re-encryption
typically requires the security of the delegator's secret key, even
against a collusion of delegatee's who also are enabled to see the
delegating tags. However, this requirement seems unnecessary, since
a delegatee will in any case be able to decrypt ciphertexts
directed to the delegator.
[0082] In the Recrypt algorithm above, the plaintext .pi. is doubly
encrypted at one point, under both pk.sub.1 and pk.sub.2. Depending
on the encryption scheme .epsilon., however, this double encryption
may be excessive. For example, assume that
WeakEncrypt.sub..epsilon. is an algorithm such that the image of
WeakEncrypt.sub..epsilon.(pk, .pi.) is always a subset of the image
of Encrypt.sub..epsilon.(pk, .pi.). Then we can replace the first
step of Recrypt.sub..epsilon. with:
Set .psi. 1 j _ R WeakEncrypt ( pk 2 , .psi. 1 j ) where
##EQU00003## .psi. 1 j is the j - th bit of .psi. 1
##EQU00003.2##
This relaxation may be referred to as Recrypt.sub..epsilon.'. An
element of this relaxation is that WeakEncrypt does not need to be
semantically secure for Recrypt.sub..epsilon.' to be a secure
one-way proxy re-encryption scheme, or for Recrypt.sub..epsilon.'
to be useful toward bootstrapping (as is shown below). Thus,
depending on .epsilon., WeakEncrypt.sub..epsilon. can be very
simple, e.g., for some schemes WeakEncrypt.sub..epsilon. may leave
the input "bits" entirely unmodified. This will affect the eventual
computational complexity of the algorithm, since it will require
less computation to apply the decryption circuit homomorphically to
ciphertexts in which the outer encryption is weak. Another way of
viewing this relaxation is that one only needs to be able to
evaluate non-uniform decryption circuits, where the ciphertext is
"hard-wired" into the circuit (making this circuit simpler than the
"normal" decryption circuit that takes the ciphertext (and secret
key) as input.
[0083] To be bootstrappable, .epsilon. needs to be able to
compactly evaluate not only its decryption circuit, which allows
recryptions of the same plaintext, but also slightly augmented
versions of it, so that it becomes possible to perform binary
operations on plaintexts and thus make actual progress through a
circuit.
[0084] An "Augmented Decryption Circuit" may be defined as follows:
let D.sub..epsilon. be .epsilon.'s decryption circuit, which takes
a secret key and ciphertext as input, each formatted as an element
of P.sup.l(.lamda.), where P is the plaintext space. Let .GAMMA. be
a set of gates with inputs and output in P, which includes the
trivial gate (input and output are the same). One may then call a
circuit composed of multiple copies of D.sub..epsilon. connected by
a single g gate (the number of copies equals the number of inputs
to g) a "g-augmented decryption circuit", where one may denote the
set of g-augmented decryption circuits, g.di-elect cons..GAMMA., by
D.sub..epsilon.(.GAMMA.).
[0085] Defined now is a "Bootstrappable Encryption Scheme". As
before, let C.sub..epsilon. denote the set of circuits that
.epsilon. can compactly evaluate. It can be said that .epsilon. is
bootstrappable with respect to .GAMMA. if
D.sub..epsilon.(.GAMMA.).OR right.C.sub..epsilon..
[0086] For example, if .GAMMA. includes the trivial gate and a
NAND, .epsilon. is bootstrappable with respect to .GAMMA. if
C.sub..epsilon. contains D.sub..epsilon. and the circuit formed by
joining two copies of D.sub..epsilon. with a NAND gate.
Significantly, and as will be shown below, if there is a scheme
.epsilon. that can compactly evaluate only these two circuits, then
there is a scheme that is leveled fully homomorphic.
[0087] It should be noted that one can relax the bootstrappability
definition slightly to say that c only needs to be able to
homomorphically evaluate its (augmented) decryption circuit when
the input ciphertext is weakly encrypted, similar to the relaxation
Recrypt.sub..epsilon.' above. However, this approach could make the
definition of being bootstrappable more cumbersome and, as a
result, the following description will use the definition given
above. However, it should be kept in mind that the foregoing
relaxation can be used.
[0088] From the informal description above, it should be apparent
to those skilled in the art how to use a bootstrappable encryption
scheme to construct a leveled fully homomorphic one. A more formal
description is given below.
[0089] Let .epsilon. be bootstrappable with respect to a set of
gates .GAMMA.. For any integer d.gtoreq.1, uses .epsilon. to
construct a scheme .epsilon..sup.(d)=(KeyGen.sub..epsilon..sub.(d),
Encrypt.sub..epsilon..sub.(d), Evaluate.sub..epsilon..sub.(d),
Decrypt.sub..epsilon..sub.(d)) that can handle all circuits of
depth d with gates in .GAMMA.. Note that in the description below
the secret keys are encrypted in reverse order. However, this is
not a limitation on the use of this invention, but is used to
simplify the description of the recursion in Evaluate. When a
reference is made to the level of a wire in C, what is implied is
the level of the gate for which the wire is an input. The notation
D.sub..epsilon.(.GAMMA., .delta.) is used to refer to the set of
circuits that equal a .delta.-depth circuit with gates in .GAMMA.
augmented by D.sub..epsilon. (copies of D.sub..epsilon. become
inputs to the .delta.-depth circuit).
[0090] KeyGen.sub..epsilon..sub.(d)(.lamda.,d). This function takes
as input a security parameter .lamda. and a positive integer d. For
l=l(.lamda.), as in the definition above, it sets
( sk i , pk i ) R KeyGen ( .lamda. ) for i .di-elect cons. [ 0 , d
] sk ij _ R Encrypt ( pk i + 1 , sk ij ) for i .di-elect cons. [ 0
, d - 1 ] , j .di-elect cons. [ 1 , ] ##EQU00004##
where sk.sub.i1, . . . , sk.sub.il is the representation of
sk.sub.i as elements of P. It outputs the secret key
sk.sup.(d).rarw.sk.sub.d and the public key
pk.sup.(d).rarw.(pk.sub.i, sk.sub.ij). Let .epsilon..sup.(.delta.)
refer to a sub-system that uses sk.sup.(.delta.).rarw.sk.sub.d and
pk.sup.(.delta.).rarw.(pk.sub.i.sub.i.di-elect cons.[d-.delta.,d],
sk.sub.ij.sub.i.di-elect cons.[d-.delta.,d-1]) for
.delta..ltoreq.d.
[0091] Encrypt.sub..epsilon..sub.(d)(pk.sup.(d),.pi.). This
function takes as input a public key pk.sup.(d) and a plaintext
.pi..di-elect cons.P. It outputs a ciphertext
.psi. R Encrypt ( pk 0 , .pi. ) . ##EQU00005##
[0092] Decrypt.sub..epsilon..sub.(d) (sk.sup.(d),.psi.). This
function takes as input a secret key sk.sup.(d) and a ciphertext
.psi. (which should be an encryption under pk.sub.d). It outputs
Decrypt.sub..epsilon.(sk d,.psi.).
[0093] Evaluate.sub..epsilon..sub.(.delta.) (pk.sup.(.delta.),
C.sub..delta., .PSI..sub..delta.). This function takes as input a
public key pk.sup.(.delta.), a circuit C.sub..delta. of depth at
most .delta. with gates in .GAMMA., and a tuple of input
ciphertexts .PSI..sub..delta. (where each input ciphertext should
be under pk.sub..delta.). It is assumed that each wire in
C.sub..delta. connects gates at consecutive levels; if not, trivial
gates may be added to make it so. If a .delta.=0, this function
outputs .PSI..sub.0 and terminates. Otherwise, this function does
the following: [0094] Sets (C.sub..delta.-1.sup..dagger.,
.PSI..sub..delta.-1.sup..dagger.).rarw.Augment.sub..epsilon..sub.(.delta.-
) (pk.sup.(.delta.), C.sub..delta., .PSI..sub..delta.). [0095] Sets
(C.sub..delta.-1,
.PSI..sub..delta.-1).rarw.Reduce.sub..epsilon..sub.(.delta.-1)
(pk.sup.(.delta.-1), C.sub..delta.-1.sup..dagger.,
.PSI..sub..delta.-1.sup..dagger.). [0096] Runs
Evaluate.sub..epsilon..sub.(.delta.-1) (pk.sup..delta.-1),
C.sub..delta.-1, .PSI..sub..delta.-1).
[0097] Augment.sub..epsilon..sub.(.delta.) (pk.sup.(.delta.),
C.sub..delta., .PSI..sub..delta.). This function takes as input a
public key pk.sup.(.delta.), a circuit C.sub..delta. of depth at
most .delta. with gates in .GAMMA., and a tuple of input
ciphertexts .PSI..sub..delta. (where each input ciphertext should
be under pk.sub..delta.). This function augments C.sub..delta. with
D.sub..epsilon. (call the resulting circuit
C.sub..delta.-1.sup..dagger.). Let .PSI..sub..delta.-1.sup..dagger.
be the tuple of ciphertexts formed by replacing each input
ciphertext .psi..di-elect cons..PSI..sub..delta. by the tuple
sk.sub..delta.j, .psi..sub.j, where
.psi..sub.j.rarw.WeakEncrpt.sub..epsilon..sub.(.delta.-1)
(pk.sup.(.delta.-1), .psi..sub.j) and the .psi..sub.j's form the
properly-formatted representation of .psi. as elements of P. This
function outputs (C.sub..delta.-1.sup..dagger.,
.PSI..sub..delta.-1.sup..dagger.).
[0098] Reduce.sub..epsilon..sub.(.delta.) (pk.sup.(.delta.),
C.sub..delta..sup..dagger., .PSI..sub..delta..sup..dagger.). This
function takes as input a public key pk.sup.(.delta.), a tuple of
input ciphertexts .PSI..sub..delta..sup..dagger. (where each input
ciphertext should be in the image of
Encrypt.sub..epsilon..sub.(.delta.)), and a circuit
C.sub..delta..sup..dagger..di-elect cons.D.sub..epsilon.(.GAMMA.,
.delta.+1). It sets C.sub..delta. to be the sub-circuit of
C.sub..delta..sup..dagger. consisting of the first .delta. levels.
It sets .PSI..sub..delta. to be the induced input ciphertexts of
C.sub..delta., where the ciphertext .psi..sub..delta..sup.(w)
associated to wire w at level .delta. is set to
Evaluate.sub..epsilon.(pk.sub..delta., C.sub..delta..sup.(w),
.PSI..sub..delta..sup.(w)), where C.sub..delta..sup.(w) is the
sub-circuit of C.sub..delta..sup..dagger. with output wire w, and
.PSI..sub..delta..sup.(w) are the input ciphertexts for
C.sub..delta..sup.(w). This function outputs (C.sub..delta.,
.PSI..sub..delta.).
[0099] A high level review of the Evaluate algorithm is now
provided. Assume the presence of a circuit C.sub.d of, say, d
levels with gates in .GAMMA.. For each input wire w of C.sub.d
there is an associated input ciphertext .psi..sub.w encrypted under
pk.sub.d. Also assume the presence of an encryption scheme
.epsilon. that compactly evaluates circuits in
D.sub..epsilon.(.GAMMA.).
[0100] Note that it is not assumed that .epsilon. can evaluate
gates in .GAMMA.; instead it is only assumed it can evaluate gates
in .GAMMA. that are augmented by the decryption circuit. A first
step then is to augment C.sub.d by placing copies of
D.sub..epsilon. at the leaves of C.sub.d (as is done in Augment),
thereby constructing C.sub.d-1.sup..dagger.. A question then that
may arise is what are the input ciphertexts for the new circuit
C.sub.d-1.sup..dagger.?
[0101] Reconsider the algorithm Recrypt.sub..epsilon.'. In
Recrypt.sub..epsilon.', one begins with a ciphertext .psi..sub.1
encrypting .pi. under pk.sub.1 for the single wire w, and an
"empty" circuit C.sub.1 (since Recrypt.sub..epsilon.'doesn't
actually evaluate any gates, it just generates a new encryption of
the same plaintext). The next step was to augment C.sub.1 with the
decryption circuit D.sub..epsilon. to obtain
C.sub.2.rarw.D.sub..epsilon.. The input ciphertexts .PSI..sub.2 to
C.sub.2 include the encrypted secret key bits, and the weakly
encrypted bits of .psi..sub.1. It was then explained that the
ciphertext generated by
.psi..sub.2.rarw.Evaluate.sub..epsilon.(pk.sub.2, C.sub.2,
.PSI..sub.2), which is also associated to wire w, also encrypts
.pi., but now under pk.sub.2.
[0102] In the full scheme above, the ciphertexts that were
associated to the decryption circuit that was attached to wire w
are analogous to the ones used in Recrypt.sub..epsilon.': the
encrypted secret key (sk.sub.d under pk.sub.d-1), and the
re-encryption ciphertexts of .psi..sub.w under pk.sub.d-1. By the
correctness of Recrypt, the ciphertext now associated to w (after
performing Evaluate.sub..epsilon.) should encrypt the same
plaintext as .psi..sub.w, but now under pk.sub.d-1.
[0103] The Reduce step simply performs this Evaluate up to the wire
w, and one level beyond. Since Evaluate can correctly continue one
level beyond the wire w, because (by assumption) .epsilon. can
evaluate not just the decryption circuit attached to w but can
evaluate a circuit containing one .GAMMA.-gate above w. Reduce
outputs C.sub.d-1 ciphertexts associated to C.sub.d-1's input
wires. It can be noted that progress has been made, since C.sub.d-1
is one level shallower than C.sub.d. This entire process is
performed d-1 more times to obtain the final output
ciphertexts.
[0104] Note that it was previously said that Evaluate takes as
input ciphertexts that are "fresh" outputs of Encrypt. However,
note that Evaluate.sub..epsilon..sub.(.delta.) also operates
correctly on ciphertexts output by Evaluate. For .delta.<d
above, this is precisely what Evaluate.sub..epsilon..sub.(.delta.)
does.
[0105] Discussed now is the correctness, computational complexity
and the security of the foregoing generic construction.
[0106] Several theorems regarding the generic construction are now
presented. Regarding correctness, consider the following
theorem:
[0107] Let .epsilon. be bootstrappable with respect to a set of
gates .GAMMA.. Then .epsilon..sup.(d) compactly evaluates all
circuits of depth d with gates in .GAMMA., i.e., if .GAMMA. is a
universal set of gates, the family .epsilon..sup.(d) is leveled
fully homomorphic.
[0108] The proof of the foregoing correctness theorem may be stated
as follows. First, define a convenient notation: let D(.delta., w,
C, .PSI.) denote the plaintext value for wire w in circuit C
induced by the decryptions (under sk.sub..delta.) of the
ciphertexts .PSI.associated to C's input wires. If C is empty (has
no gates), then the input wires are the same as the output wires,
and D(.delta., w, C, .PSI.) just denotes the decryption of the
single ciphertext .psi..di-elect cons..PSI. associated to w. To
prove correctness, it suffices to show that
D(d,w.sub.out,C.sub.d,.psi..sub.d)=D(0,w.sub.out,C.sub.0,.PSI..sub.0)
(1)
for every output wire w.sub.out of C.sub.0 (at level 0). First,
when (C.sub..delta.-1.sup..dagger.,
.PSI..sub..delta.-1.sup..dagger.).rarw.Augment.sub..epsilon..sub.(.delta.-
) (pk.sup.(.delta.), C.sub..delta., .PSI..sub..delta.), it can be
said that D(.delta., w, C.sub..delta.,
.PSI..sub..delta.)=D(.delta.-1, w, C.sub..delta.-1.sup..dagger.,
.PSI..sub..delta.-1.sup..dagger.) for any wire w at level at most
.delta.-1. This follows from the correctness of Recrypt
(generalized beyond a Boolean plaintext space and Boolean
circuits), and the fact that circuits C.sub..delta. and
C.sub..delta.-1.sup..dagger. are identical up to level
.delta.-1.
[0109] Next, when (C.sub..delta.,
.PSI..sub..delta.).rarw.Reduce.sub..epsilon..sub.(.delta.)
(pk.sup.(.delta.), C.sub..delta..sup..dagger.,
.PSI..sub..delta..sup..dagger.) then D(.delta., w,
C.sub..delta..sup..dagger.,
.PSI..sub..delta..sup..dagger.)=D(.delta., w, C.sub..delta.,
.PSI..sub..delta.) for any wire at level at most .delta.. This
follows from the correctness of Evaluate.sub..epsilon. over
circuits in D.sub..epsilon.(.GAMMA.), and the fact that circuits
C.sub..delta..sup..dagger. and C.sub..delta. are identical up to
level .delta..
[0110] From these two claims, Equation 1 follows.
[0111] Note that .GAMMA. is arbitrary. For example, each gate in
.GAMMA. could be a circuit of (ANDs, ORs, NOTs) of depth m and
fan-in 2; for this value of .GAMMA., The correctness theorem above
implies that the described embodiment correctly evaluates Boolean
circuits up to depth dm.
[0112] Another factor to now consider is that the computational
complexity of Evaluate.sub..epsilon..sub.(d) is reasonable, e.g.,
that recursive applications of Augment do not increase the
effective circuit size exponentially.
[0113] Regarding computation complexity, consider the following
theorem: for a circuit C of depth at most d and size s (defined
here as the number of wires), the computational complexity of
applying Evaluate.sub..epsilon..sub.(d) to C is dominated by at
most sld applications of WeakEncrypt.sub..epsilon. and at most sd
applications of Evaluate.sub..epsilon. to circuits in
D.sub..epsilon.(.GAMMA.), where l is as defined above.
[0114] Considering now a proof of the foregoing theorem, assume a
pre-processing step to ensure that all wires in the circuit connect
gates at consecutive levels. Clearly, this step increases the
number of wires in the circuit by at most a multiplicative factor
of d. It remains to prove that, for the pre-processed circuit, the
computational complexity is dominated by at most s'l applications
of Encrypt and at most s' applications of Evaluate.sub..epsilon. to
circuits in D.sub..epsilon.(.GAMMA.), where s' is the size of the
pre-processed circuit.
[0115] The complexity of Augment.sub..epsilon..sub.(.delta.)
(pk.sub.(.delta.), C.sub..delta., .PSI..sub..delta.) is dominated
by replacing each ciphertext .psi..di-elect cons..PSI..sub..delta.
by the ciphertexts sk.sub..delta.j, .psi..sub.j; generating the
.psi..sub.j's involves |W.sub..delta.|l applications of
WeakEncrypt.sub..epsilon., where W.sub..delta. is the set of wires
at level .delta.. Summing over all .delta., there are at most s'l
applications of WeakEncrypt.sub..epsilon..
[0116] The complexity of Reduce.sub..epsilon..sub.(.delta.)
(pk.sup.(.delta.), C.sub..delta..sup..dagger.,
.psi..sub..delta..sup..dagger.) is dominated by the evaluation of
C.sub..delta..sup.(w) for each w.di-elect cons.W.sub..delta., which
involves |W.sub..delta.| applications of Evaluate.sub..epsilon. to
circuits in D.sub..epsilon.(.GAMMA.). Summing over all .delta.,
there are at most s' such applications. The theorem thus
follows.
[0117] Finally, assuming the semantic security of .epsilon., the
semantic security of .epsilon..sup.(d) is now proved In this
theorem let A be an algorithm that (t, .alpha.)-breaks the semantic
security of .epsilon..sup.(d). Then, there is an algorithm B that
(t', .alpha.')-breaks the semantic security of .epsilon. for
t'.apprxeq.tl and .alpha.'.gtoreq..alpha./l(d+1), for l as defined
above.
[0118] The proof of this theorem is as follows. Let
(.epsilon.).sup.l be equivalent to .epsilon., but with plaintext
space P.sup..ltoreq.l, where Encrypt.sub.(.epsilon.).sub.l involves
up to l invocations of .epsilon. and a concatenation of the
results. A hybrid argument is used to show that B (t'',
.alpha.'')-breaks the semantic security of (.epsilon.).sup.l for
t''.apprxeq.t and .alpha.''.gtoreq..alpha./(d+1), from which the
result follows.
[0119] For k.di-elect cons.[0,d], let Game k denote a game against
.epsilon..sup.(d) in which everything is exactly as in the
real-world game, except that for all i.di-elect cons.[l, k] the
challenger sets
( sk i ' , pk i ' ) R KeyGen ( .lamda. ) and sk ij _ R Encrypt ( pk
i - 1 , sk ij ' ) ##EQU00006##
In other words, for i.di-elect cons.[l, k], sk.sub.ij is the
encryption (under pk.sub.i-1) of the j-th bit of a random secret
key sk.sub.i unrelated to sk.sub.i. Game d+1 is identical to Game
d, except that the challenger ignores b and (.pi..sub.0,
.pi..sub.1), generates a random plaintext .pi. of the appropriate
length, and encrypts .pi. to construct the challenge ciphertext.
Let .epsilon..sub.k denote the adversary's advantage in Game k.
[0120] Since Game 0 is identical to the real world attack, the
adversary's advantage is .alpha. by assumption. Also,
.alpha..sub.d+1=0, since the challenge is independent of b.
Consequently, for some k.di-elect cons.[0,d], it must hold that
|.alpha..sub.k-.alpha..sub.k+1|.gtoreq..alpha./(d+1); fix this
value of k.
[0121] B uses A to break (.epsilon.).sup.l as follows. B receives
from the challenger a public key pk. B generates the secret and
public values exactly as in Game k, except that it replaces its
original value of pk.sub.k with pk. Also, if k<d, it generates a
dummy key pair
( sk k + 1 ' , pk k + 1 ' ) R KeyGen E ( .lamda. ) ,
##EQU00007##
sets .pi..sub.0.rarw.sk.sub.k+1 and .pi..sub.1.rarw.sk.sub.k+1',
and requests a challenge ciphertext (under pk) encrypting either
.pi..sub.0, .pi..sub.1.di-elect cons.P.sup.l. The challenger
generates
.beta. R { 0 , 1 } ##EQU00008##
and sends a tuple of ciphertexts .psi..sub.j encrypting the bits
.pi..sub..beta.j. B replaces its original tuple sk.sub.(k+1)j with
the tuple .psi..sub.j. One can verify that the public values are
generated exactly as in Game k+.beta.. B sends the public values to
A.
[0122] Eventually, A requests a challenge ciphertext on .pi..sub.0
or .pi..sub.1. B sets
b R { 0 , 1 } . ##EQU00009##
If k<d, B sends the values
.psi. j R Encrypt ( pk d , .pi. bj ) . ##EQU00010##
If k=d, B generates random
.pi. R P ##EQU00011##
and asks the challenger for a challenge ciphertext on .pi..sub.b or
.pi.. The challenger generates
.beta. R { 0 , 1 } ##EQU00012##
and encrypts .pi..sub.b or .pi. accordingly, and B forwards the
challenge to A. A sends a bit b'. B sends bit .beta.'.rarw.b.sym.b'
to the challenger. One can verify that the challenge is generated
as in Game k+.beta..
[0123] Since B's simulation has the same distribution as Game
k+.beta., and the probability that B outputs 0 is
.epsilon..sub.k+.beta., the result thus follows.
[0124] Discussed now is fully homomorphic encryption from
KDM-secure bootstrappable encryption.
[0125] The length of the public key in .epsilon..sup.(d) is
proportional to d (the depth of the circuits that can be
evaluated). It would be preferable to have a construction
.epsilon.* where the public key size is completely independent of
the circuit depth, a construction that is fully homomorphic rather
than merely leveled fully homomorphic. In order to make the public
key pk* of .epsilon.* short: for .epsilon. key pair (sk, pk), pk*
includes only pk and (the "bits" of) sk encrypted under pk. In
other words, a cycle is presented (in fact, a self-loop in this
example) of encrypted secret keys rather than an acyclic chain. It
is clear that .epsilon.* is correct: the recursive algorithm
Evaluate.sub..epsilon.* works as before, except that the implicit
recryptions generate "refreshed" ciphertexts under the same public
key.
[0126] Using an acyclic chain of encrypted secret keys allows one
to base the security of .epsilon..sup.(d) on .epsilon. using a
hybrid argument. However, this hybrid argument breaks down when
there is a cycle. In general, a semantically secure encryption
scheme is not guaranteed to be KDM-secure, i.e., secure when the
adversary can request the encryptions of key-dependent messages,
such as the secret key itself. Typically, when proving an
encryption scheme semantically secure there is not an obvious
attack when the adversary is given the encryption of a
key-dependent message. However, KDM-security is highly nontrivial
to prove. The problem is precisely that the usual hybrid argument
breaks down.
[0127] As a review of (a restriction of) the definition of
KDM-security, one may state that a scheme .epsilon. is KDM-secure
if all polynomial-time adversaries A have negligible advantage in
the following KDM-security game.
[0128] KDM-Security Game
[0129] Setup(.lamda., n). The challenger sets
( sk i , pk i ) R KeyGen ( .lamda. ) ##EQU00013##
for i.di-elect cons.[0, n-1] for integer n=poly(.lamda.). It
chooses a random bit
b R { 0 , 1 } . ##EQU00014##
If b=0, then for i.di-elect cons.[0, n-1] and j.di-elect cons.[1,
l], it sets
sk ij _ R Encrypt ( pk ( i - 1 ) mod n , sk ij ) , ##EQU00015##
where sk.sub.ij is the jth "bit" of sk.sub.i. If b=1 it generates
the sk.sub.ij values as encryptions of random secret keys,
unrelated to pk.sub.0, . . . , pk.sub.n-1. It sends the public keys
and encrypted secret keys to A.
[0130] Challenge and Guess. Basically as in the semantic security
game.
[0131] This definition of KDM-security is a restriction of the
general setting where A can select multiple functions f, and
request the encryption of f(sk.sub.0, . . . , sk.sub.n-1). However,
when .epsilon. is a bootstrappable encryption scheme, A can use the
cycle of encrypted secret keys in the game to generate the
encryption of f(sk.sub.0, . . . , sk.sub.n-1) under any pk.sub.i,
as long as f can be computed in polynomial time. Hence, one only
need to consider the restricted setting. The following theorem can
thus be presented.
[0132] Suppose .epsilon. is KDM-secure and also bootstrappable with
respect to a universal set of gates .GAMMA.. Then, .epsilon.*,
obtained from .epsilon. as described above (with the self-loop), is
semantically secure (and fully homomorphic).
[0133] The theorem is a straightforward consequence of the fact
that, from any loop of public keys and encrypted secret keys that
includes (pk.sub.0, sk.sub.0) one can compute an encryption of
sk.sub.0 under pk.sub.0. It is not apparent that there is any
advantage in having pk* contain any cycle of encrypted secret keys
other than a self-loop.
[0134] Absent proof of KDM-security in the plain model, one way to
obtain fully homomorphic encryption from bootstrappable encryption
is to assume that the underlying bootstrappable encryption scheme
is also KDM-secure. While an encrypted secret key is very useful in
a bootstrappable encryption scheme, indeed one may view this as the
essence of bootstrappability, no actual attack on a bootstrappable
encryption scheme is seen that provides a self-encrypted key.
[0135] Above, a fully homomorphic encryption .epsilon.* was
constructed from a bootstrappable encryption scheme .epsilon.
basically by adding a "self-loop", the .epsilon. secret key sk
encrypted under its corresponding public key pk, to the .epsilon.*
public key pk*. It was shown that .epsilon.* should inherit the
semantic security of .epsilon., under the assumption that .epsilon.
is KDM-secure, and in particular under the assumption that it is
"safe" to reveal a direct encryption of a secret key under its own
public key (as opposed to some possibly-less-revealing non-identity
function of the secret key). A question that arises is whether it
can be shown that .epsilon.* is semantically secure without this
assumption.
[0136] Evidence of this is now described in the context of the
random oracle model. First, given a leveled fully homomorphic
scheme .epsilon..sub.(d) and a hash function, an intermediate
scheme is defined where .epsilon..sup.(d).sup..dagger..
.epsilon..sup.(d).sup..dagger. is the same as .epsilon..sup.(d),
except for the following. The public key includes a hash function
H:P.sup.l.fwdarw.P.sup.l. Also, in KeyGen, one generates
r R P ' , ##EQU00016##
sets
r j _ R Encrypt ( d ) ( pk ( d ) , r j ) ##EQU00017##
for j.di-elect cons.[1, l'], sets
.sigma..rarw.H(r).smallcircle.sk.sub.0, and includes ( r.sub.j,
.sigma.) in the public key, (Assume .smallcircle. is some
invertible operation such that a.smallcircle.b would completely
hide b.di-elect cons.P.sup.l if a.di-elect cons.P.sup.l were a
one-time pad.) In other words, the .epsilon..sup.(d).sup..dagger.
public key includes some additional information: an encryption of
the secret key sk.sub.0, where the encryption uses a hash function
that will be treated as a random oracle in the security
analysis.
[0137] The following two theorems are now proved.
[0138] Theorem (A) If .epsilon..sup.(d) is semantically secure,
then .epsilon..sup.(d).sup..dagger. is semantically secure in the
random oracle model.
[0139] Theorem (B) Suppose .epsilon. is leveled circuit-private (in
addition to being bootstrappable) and let
.epsilon..sup.(d).sup..dagger. and .epsilon.* be constructed from
.epsilon. as described above. Then, if
.epsilon..sup.(d).sup..dagger. is semantically secure (in the plain
model), and the circuit required to compute the hash function H and
invert the .smallcircle. operation is at most d levels, then
.epsilon.* is semantically secure.
[0140] This result is unexpected and clearly advantageous, as the
scheme .epsilon.* does not contain a hash function, and yet it can
be said that it is secure in the random oracle model. Said another
way, one scheme is proven secure in the random oracle model, and
then a second scheme's security is based on the first scheme, even
though the second scheme does not use a hash function.
[0141] Consider the Theorem (B) above. This theorem basically
states that one can readily construct a KDM-secure encryption
scheme in the random oracle model. This is because the random
oracle allows the reduction to construct a "fake" ciphertext
purportedly encrypting the secret key, such that the adversary
learns that it was fake ciphertext only after it has queried the
random oracle. This query gives the reduction all of the
information that it needs to solve the underlying problem. In the
particular case of interest herein, .epsilon..sup.(d).sup..dagger.
has a loop among (sk.sub.0, pk.sub.0), . . . , (sk d, pk d),
because .epsilon..sup.(d) reveals direct encryptions of sk.sub.i
under pk.sub.i-1 for i.di-elect cons.[1,d], and
.epsilon..sup.(d).sup..dagger. also reveals an indirect encryption
( r.sub.j, .sigma.) of sk.sub.0 under pk.sub.d ("indirect," because
encryption in .epsilon. does not normally use a hash function).
However, the reduction algorithm in the proof of Theorem (A) above
will construct .sigma. simply as a random string, i.e., it does not
actually need to have knowledge of sk.sub.0.
[0142] Theorem (B) above is perhaps the more surprising result.
However, the result is actually a consequence of the fact that:
given a correctly constructed .epsilon..sup.(d).sup..dagger. public
key, the reduction algorithm can generate an .epsilon.-encryption
of sk.sub.0 under pk.sub.0, as needed for the .epsilon.* public
key. A question that arises then is how to generate the latter
ciphertext. The reduction algorithm is given r.sub.j, an encryption
of r under pk.sub.d, and it uses the leveled homomorphism and the
circuit corresponding to the hash function H to compute a
ciphertext that encrypts H(r) from the ciphertext that encrypts r.
Then, given that ciphertext and the value of
.sigma.=H(r).smallcircle.sk.sub.0, it computes a ciphertext that
encrypts sk.sub.0 in the natural way, i.e., directly, rather than
with the hash function. It was assumed that the hash function H and
the operation can be computed with a circuit of depth at most d;
therefore, the leveled homomorphic scheme .epsilon..sup.(d) has
sufficient levels to evaluate this circuit. Consequently, one
obtains a "natural" encryption of sk.sub.0 (i.e., under .epsilon.)
under some public key pk.sub.i for i.gtoreq.0, and one can then use
Recrypt operations to obtain a natural encryption of sk.sub.0 under
pk.sub.0. This ciphertext is an output of Evaluate.sub..epsilon.,
but circuit privacy guarantees that the ciphertext is distributed
as if it were output directly by Encrypt.sub..epsilon..
[0143] It can be noted that although one can view ( r.sub.j,
.sigma.) as an "encryption" of sk.sub.0, this "encryption" function
is not the usual encryption function and it may have a very complex
decryption circuit, much more complex than D.sub..epsilon.. In
particular, one cannot assume that its decryption circuit is in
C.sub..epsilon.. For this reason many (d) levels were needed in the
leveled scheme to recover sk.sub.0, and a self-loop was not used
from the outset.
[0144] If .epsilon.* is secure in the random oracle model despite
not using a hash function, a question that arises is whether this
implies that it is secure in the plain model. This is not the case.
The obstacle to this conclusion is that random oracles cannot be
instantiated in general (e.g., see R. Canetti, O. Goldreich, and S.
Halevi. The random oracle methodology, revisited. In Proc. of STOC
'98, pages 209-218. ACM, 1998). A bit more specifically, however,
the obstacle is that the proof of Theorem (A) above depends on the
correctness of the ciphertext ( r.sub.j, .sigma.) in
.epsilon..sup.(d).sup..dagger. to construct (homomorphically) an
encryption of sk.sub.0 under pk.sub.0 as needed for the .epsilon.*
public key; however, in the proof of Theorem (A) the ciphertext is
not correct (except with negligible probability): the adversary
finds out that it was fake only after it has queried r to the
random oracle, giving the reduction all the information that it
needs.
[0145] As a proof of the theorem (A) above let A be an algorithm
that attacks the semantic security of
.epsilon..sup.(d).sup..dagger.; from A, and construct an algorithm
B that attacks the semantic security of .epsilon..sup.(d).
Algorithm B will actually request l'+1 challenge ciphertexts; thus,
the reduction loses a factor of l'+1 under the usual hybrid
argument.
[0146] The challenger gives algorithm B a .epsilon..sup.(d) public
key. It also sets a bit
b R { 0 , 1 } . ##EQU00018##
Algorithm B selects two messages r.sup.(0), r.sup.(1).di-elect
cons.P.sup.l' and sends them to the challenger. The challenger
sets
.PSI. R { Encrypt ( pk d , r j ( b ) ) : j .di-elect cons. [ 1 , '
] } ##EQU00019##
j.di-elect cons.[1, l']} and sends back .PSI.. The following is
included in the public key that algorithm B sends to algorithm A:
the public key for .epsilon..sup.(d) sent by the challenger, the
set of ciphertexts .PSI., and
.sigma. R P . ##EQU00020##
[0147] Algorithm A requests a challenge ciphertext on one
.pi..sub.0, .pi..sub.1.di-elect cons.P, and algorithm B forwards
the query to the challenger, who responds with a ciphertext
encrypting .pi..sub.b, which algorithm B forwards to algorithm
A.
[0148] Eventually, either algorithm A queries some r'.di-elect
cons.{r.sup.(0),r.sup.(1)} to the random oracle, or algorithm A
finishes with a guess b'. In the former case, algorithm B sets b'
so that r'=r.sup.(b'). In either case, algorithm B sends b' as its
guess to the challenger.
[0149] Let p be the probability that algorithm A queries some
r'.di-elect cons.{r.sup.(0),r.sup.(1)} to the random oracle. The
simulation of algorithm B appears perfect to algorithm A if it does
not query some r'.di-elect cons.{r.sup.(0),r.sup.(1)}; in this
case, which occurs with probability 1-p, the advantage of algorithm
A advantage is at least a. Since the view of algorithm A is
independent of r.sup.(1-b), the probability that it queries
r.sup.(b) to the random oracle is at least p-q.sub.H/|P|.sup.l',
where q.sub.H is the number of random oracle queries make by
algorithm A Overall, the advantage of algorithm B in guessing b' is
at least
(1-p).alpha.+p-q.sub.H/|P|.sup.l'.gtoreq..alpha.-q.sub.H/|P|.sup.l'.
[0150] Provided now is a proof of the theorem (B) above. This proof
is essentially a simple consequence of the fact that, given a
public key for e.sup.(d).sup..dagger., it is possible to readily
generate the public key for .epsilon.* homomorphically.
[0151] Let A be an algorithm that breaks the semantic security of
.epsilon.*, and use algorithm A to construct an algorithm B that
breaks the semantic security of e.sup.(d).sup..dagger..
[0152] Algorithm B receives a e.sup.(d).sup..dagger. public key
from the challenger. This public key consists of pk.sub.j.di-elect
cons.[0,.delta.], sk.sub.ij.sub.j.di-elect cons.[1,.delta.],
r.sub.j.sub.j.di-elect cons.[1,l'], and
.sigma.=H(r).smallcircle.sk.sub.0. From r.sub.j, algorithm B uses
the homomorphism of .epsilon..sup.(d) to compute ciphertexts .PSI.
that encrypt H(r). It encrypts .sigma., and then uses the
homomorphism to recover or obtain an encryption of sk.sub.0 from
the encryptions of H(r) and .sigma. (inverting the operation). By
assumption, these homomorphic operations take at most d levels. If
they require only .delta.<d levels, and an encryption of
sk.sub.0 under pk.sub.d-.delta. is obtained, then one can perform
Recrypt operations until one obtains the desired encryption of
sk.sub.0 under pk.sub.0. By circuit privacy, this ciphertext is
distributed properly. Algorithm B includes the encryption of
sk.sub.0 under pk.sub.0 as the encrypted secret key contained in
the public key for .epsilon.* that it provides to algorithm A.
[0153] Algorithm A requests a challenge ciphertext on one
.pi..sub.0, .pi..pi..sub.1.di-elect cons.P. Algorithm B forwards
the query to the challenger, who responds with a ciphertext
encrypting .pi..sub.b. Algorithm B uses Recrypt operations to
obtain an encryption of .pi..sub.b under pk.sub.0 and forwards the
result to algorithm A which sends a guess b', and which algorithm B
forwards to the challenger. Clearly, the advantage of algorithm B
is the same as the advantage of algorithm A.
[0154] It should be appreciated that as employed herein the
"circuit C" can be, for example, a Boolean circuit with AND, OR,
and/or NOT gates (and/or NAND gates as discussed above), or an
arithmetic circuit with ADD, MULT and NEGATION functions, or a
combination of Boolean gates and arithmetic functions. In general,
it is assumed that any function of interest can be expressed as a
circuit. The bootstrappable encryption scheme in accordance with
the exemplary embodiments of this invention can accommodate a wide
range of circuits and circuit functions, and is not limited for use
with only, for example, the evaluation of circuits containing
multiplication functions (e.g., RSA) or exclusive OR functions
(e.g., Goldwasser-Micali).
[0155] FIG. 3 shows an example of homomorphically evaluating a
decryption circuit using public keys PK.sub.A and PK.sub.B. FIG. 4
shows an example of homomorphically evaluating a decryption circuit
augmented with an operation, such as a NAND logic function. Note in
FIGS. 3 and 4 that m is encrypted under PK.sub.A, which in turn is
encrypted under PK.sub.B. FIG. 5 shows another example of
homomorphically evaluating the decryption circuit augmented with an
operation, and in this further embodiment for the case of m.sub.1,
m.sub.2, m.sub.3 and m.sub.4. Note in FIGS. 4 and 5 that the NAND
function is provided as a non-limiting example, and other logical
or arithmetic function(s) could be used as well.
[0156] FIG. 6 may be viewed as summarizing certain elements of the
description appearing above, and illustrates an informal theorem
for circuits of arbitrary depth.
[0157] FIGS. 7A and 7B are each a logic flow diagram illustrative
of the operation of a method, and the operation of a computer
program, in accordance with the exemplary embodiments of this
invention.
[0158] In FIG. 7A there is a step 700 of encrypting information in
accordance with an encryption scheme that uses a public key; a step
702 of encrypting a plurality of instances of a secret key, each
being encrypted using at least one additional instance of the
public key; a step 704 of sending the encrypted information and the
plurality of encrypted instances of the secret key to a
destination; a step 706 of receiving an encrypted result from the
destination; and a step 708 of decrypting the encrypted result.
FIG. 7A may be viewed as being descriptive of the operation of the
requestor 1 in FIG. 1.
[0159] In FIG. 7B there is a step 720 of receiving a plurality of
encrypted secret keys and information descriptive of a function to
be performed on data; a step 722 of converting the information to a
circuit configured to perform the function on the data; and a step
724 of applying the data to inputs of the circuit and evaluating
the data using, in turn, the plurality of encrypted secret keys.
FIG. 7B may be viewed as being descriptive of the operation of the
server 2 in FIG. 1.
[0160] Below are further descriptions of various non-limiting,
exemplary embodiments of the invention. The below-described
exemplary embodiments are numbered separately for clarity purposes.
This numbering should not be construed as entirely separating the
various exemplary embodiments since aspects of one or more
exemplary embodiments may be practiced in conjunction with one or
more other aspects or exemplary embodiments.
[0161] (1) in one exemplary embodiment, and as shown in FIG. 7A, a
method comprising: encrypting information in accordance with an
encryption scheme that uses a public key (700); encrypting a
plurality of instances of a secret key, each being encrypted using
at least one additional instance of the public key (702); sending
the encrypted information and the plurality of encrypted instances
of the secret key to a destination (704); receiving an encrypted
result from the destination (706); and decrypting the encrypted
result (708).
[0162] A method as above, where a number of instances of the
encrypted secret key is related to a function to be performed on
the information. A method as in any above, where a number of
instances of the encrypted secret key is related to a number of
levels of a circuit used to compute a function to be performed on
the information. A method as in any above, where the encrypted
result comprises an output of a search engine. A method as in any
above, where the encrypted result comprises information related to
one or more files stored at the destination. A method as in any
above, where the encrypted result comprises an output of a spam
filter applied to encrypted messages at the destination. A method
as in any above, where encrypting the plurality of instances of the
secret key is further in accordance with the encryption scheme. A
method as in any above, where the public key corresponds to the
secret key (e.g., as in a public key-secret key pair). A method as
in any above, implemented as a computer program. A method as in any
above, further comprising one or more aspects of the exemplary
embodiments of the invention as described herein.
[0163] (2) In another exemplary embodiment, a program storage
device readable by a machine and tangibly embodying a program of
instructions executable by the machine for performing operations
comprising: encrypting information in accordance with an encryption
scheme that uses a public key (700); encrypting a plurality of
instances of a secret key, each being encrypted using at least one
additional instance of the public key (702); sending the encrypted
information and the plurality of encrypted instances of the secret
key to a destination (704); receiving an encrypted result from the
destination (706); and decrypting the encrypted result (708).
[0164] A program storage device as above, further comprising one or
more aspects of the exemplary embodiments of the invention as
described herein.
[0165] (3) In a further exemplary embodiment, an apparatus
comprising: at least one processor configured to encrypt
information in accordance with an encryption scheme that uses a
public key, where the at least one processor is further configured
to encrypt a plurality of instances of a secret key, each being
encrypted using at least one additional instance of the public key;
at least one transmitter configured to send the encrypted
information and the plurality of encrypted instances of the secret
key to a destination; and a received configured to receive an
encrypted result from the destination, where the at least one
processor is further configured to decrypt the encrypted
result.
[0166] An apparatus as above, where the apparatus comprises a
computer. An apparatus as in any above, further comprising one or
more aspects of the exemplary embodiments of the invention as
described herein.
[0167] (4) In another exemplary embodiment, an apparatus
comprising: first means for encrypting information in accordance
with an encryption scheme that uses a public key; second means for
encrypting a plurality of instances of a secret key, each being
encrypted using at least one additional instance of the public key;
means for sending the encrypted information and the plurality of
encrypted instances of the secret key to a destination; means for
receiving an encrypted result from the destination; and means for
decrypting the encrypted result.
[0168] An apparatus as above, where the first means for encrypting
comprises at least one of the second means for encrypting and the
means for decrypting. An apparatus as in any above, where the first
means for encrypting, the second means for encrypting and the means
for decrypting comprise at least one processor, the means for
sending comprises at least one transmitter and the means for
receiving comprises at least one receiver. An apparatus as in any
above, further comprising one or more aspects of the exemplary
embodiments of the invention as described herein.
[0169] (5) In a further exemplary embodiment, an apparatus
comprising: first encryption circuitry configured to encrypt
information in accordance with an encryption scheme that uses a
public key; second encryption circuitry configured to encrypt a
plurality of instances of a secret key, each being encrypted using
at least one additional instance of the public key; first
communications circuitry configured to send the encrypted
information and the plurality of encrypted instances of the secret
key to a destination; second communications circuitry configured to
receive an encrypted result from the destination; and decryption
circuitry configured to decrypt the encrypted result.
[0170] An apparatus as above, further comprising one or more
aspects of the exemplary embodiments of the invention as described
herein.
[0171] (6) In another exemplary embodiment, and as shown in FIG.
7B, a method comprising: receiving a plurality of encrypted secret
keys and information descriptive of a function to be performed on
data (720); converting the information to a circuit configured to
perform the function on the data (722); and applying the data to
inputs of the circuit and evaluating the data using, in turn, the
plurality of encrypted secret keys (724).
[0172] A method as above, where the plurality of secret keys are
each encrypted using one of a plurality of public keys. A method as
in any above, where the received information is encrypted using a
first public key, and where the plurality of secret keys are each
encrypted using one of a plurality of additional public keys. A
method as in any above, where a number of received encrypted secret
keys is related to a number of levels of the circuit. A method as
in any above, implemented as a computer program. A method as in any
above, further comprising one or more aspects of the exemplary
embodiments of the invention as described herein.
[0173] (7) In a further exemplary embodiment, a program storage
device readable by a machine and tangibly embodying a program of
instructions executable by the machine for performing operations
comprising: receiving a plurality of encrypted secret keys and
information descriptive of a function to be performed on data
(720); converting the information to a circuit configured to
perform the function on the data (722); and applying the data to
inputs of the circuit and evaluating the data using, in turn, the
plurality of encrypted secret keys (724).
[0174] A program storage device as above, further comprising one or
more aspects of the exemplary embodiments of the invention as
described herein.
[0175] (8) In another exemplary embodiment, an apparatus
comprising: at least one receiver configured to receive a plurality
of encrypted secret keys and information descriptive of a function
to be performed on data; and at least one processor configured to
convert the information to a circuit configured to perform the
function on the data, where the at least one processor is further
configured to apply the data to inputs of the circuit and to
evaluate the data using, in turn, the plurality of encrypted secret
keys.
[0176] An apparatus as above, further comprising one or more
aspects of the exemplary embodiments of the invention as described
herein.
[0177] (9) In a further exemplary embodiment, an apparatus
comprising: means for receiving a plurality of encrypted secret
keys and information descriptive of a function to be performed on
data; means for converting the information to a circuit configured
to perform the function on the data; and means for applying the
data to inputs of the circuit and for evaluating the data using, in
turn, the plurality of encrypted secret keys.
[0178] An apparatus as above, where the means for receiving
comprises at least one receiver and the means for converting and
the means for applying and evaluating comprise at least one
processor. An apparatus as in any above, further comprising one or
more aspects of the exemplary embodiments of the invention as
described herein.
[0179] (10) In another exemplary embodiment, an apparatus
comprising: reception circuitry configured to receive a plurality
of encrypted secret keys and information descriptive of a function
to be performed on data; conversion circuitry configured to convert
the information to a circuit configured to perform the function on
the data; and evaluation circuitry configured to apply the data to
inputs of the circuit and evaluate the data using, in turn, the
plurality of encrypted secret keys.
[0180] An apparatus as above, further comprising one or more
aspects of the exemplary embodiments of the invention as described
herein,
[0181] (11) In a further exemplary embodiment, and as shown in FIG.
9, a method comprising: receiving second information comprising
first information encrypted under a second public key of an
encryption scheme, where the first information comprises original
information encrypted under a first public key of the encryption
scheme, where the encryption scheme uses public key and secret key
pairs and includes an encryption function, a decryption function
and an evaluation function, where the encryption function operates
to encrypt data using a certain public key, where the decryption
function operates to decrypt data encrypted using the certain
public key by using a certain secret key to obtain the data, where
the encryption scheme is operable to evaluate at least one of the
decryption function and an augmented version of the decryption
function, where the augmented version of the decryption function
comprises a circuit having at least two copies of the decryption
function as inputs for a gate (901); receiving a first secret key
encrypted under the second public key, where the first secret key
corresponds to the first public key (902); and evaluating the
second information by operating the evaluation function, where the
evaluation function receives as inputs the second information, the
first secret key encrypted under the second public key, the second
public key and an input circuit, where the evaluation function
outputs third information comprising the original information
encrypted under the second public key of the encryption scheme
(903).
[0182] A method as above, where the encryption scheme is fully
homomorphic and the evaluation function enables bootstrapping by
converting the input circuit into a converted circuit comprising at
least one of the decryption function and the augmented version of
the decryption function. A method as in any above, where the first
public key comprises the second public key and the first secret key
comprises the second secret key. A method as in any above,
implemented as a computer program. A method as in any above,
further comprising one or more aspects of the exemplary embodiments
of the invention as described herein.
[0183] (12) In another exemplary embodiment, a program storage
device readable by a machine and tangibly embodying a program of
instructions executable by the machine for performing operations
comprising: receiving second information comprising first
information encrypted under a second public key of an encryption
scheme, where the first information comprises original information
encrypted under a first public key of the encryption scheme, where
the encryption scheme uses public key and secret key pairs and
includes an encryption function, a decryption function and an
evaluation function, where the encryption function operates to
encrypt data using a certain public key, where the decryption
function operates to decrypt data encrypted using the certain
public key by using a certain secret key to obtain the data, where
the encryption scheme is operable to evaluate at least one of the
decryption function and an augmented version of the decryption
function, where the augmented version of the decryption function
comprises a circuit having at least two copies of the decryption
function as inputs for a gate (901); receiving a first secret key
encrypted under the second public key, where the first secret key
corresponds to the first public key (902); and evaluating the
second information by operating the evaluation function, where the
evaluation function receives as inputs the second information, the
first secret key encrypted under the second public key, the second
public key and an input circuit, where the evaluation function
outputs third information comprising the original information
encrypted under the second public key of the encryption scheme
(903).
[0184] A program storage device as above, further comprising one or
more aspects of the exemplary embodiments of the invention as
described herein.
[0185] (13) In a further exemplary embodiment, an apparatus
comprising: at least one receiver configured to receive second
information comprising first information encrypted under a second
public key of an encryption scheme, where the first information
comprises original information encrypted under a first public key
of the encryption scheme, where the encryption scheme uses public
key and secret key pairs and includes an encryption function, a
decryption function and an evaluation function, where the
encryption function operates to encrypt data using a certain public
key, where the decryption function operates to decrypt data
encrypted using the certain public key by using a certain secret
key to obtain the data, where the encryption scheme is operable to
evaluate at least one of the decryption function and an augmented
version of the decryption function, where the augmented version of
the decryption function comprises a circuit having at least two
copies of the decryption function as inputs for a gate, where the
at least one receiver is further configured to receive a first
secret key encrypted under the second public key, where the first
secret key corresponds to the first public key; and at least one
processor configured to evaluate the second information by
operating the evaluation function, where the evaluation function
receives as inputs the second information, the first secret key
encrypted under the second public key, the second public key and an
input circuit, where the evaluation function outputs third
information comprising the original information encrypted under the
second public key of the encryption scheme.
[0186] An apparatus as above, further comprising one or more
aspects of the exemplary embodiments of the invention as described
herein.
[0187] (14) In another exemplary embodiment, an apparatus
comprising: first means for receiving second information comprising
first information encrypted under a second public key of an
encryption scheme, where the first information comprises original
information encrypted under a first public key of the encryption
scheme, where the encryption scheme uses public key and secret key
pairs and includes an encryption function, a decryption function
and an evaluation function, where the encryption function operates
to encrypt data using a certain public key, where the decryption
function operates to decrypt data encrypted using the certain
public key by using a certain secret key to obtain the data, where
the encryption scheme is operable to evaluate at least one of the
decryption function and an augmented version of the decryption
function, where the augmented version of the decryption function
comprises a circuit having at least two copies of the decryption
function as inputs for a gate; second means for receiving a first
secret key encrypted under the second public key, where the first
secret key corresponds to the first public key; and means for
evaluating the second information by operating the evaluation
function, where the evaluation function receives as inputs the
second information, the first secret key encrypted under the second
public key, the second public key and an input circuit, where the
evaluation function outputs third information comprising the
original information encrypted under the second public key of the
encryption scheme.
[0188] An apparatus as above, where the means for evaluating
comprises at least one processor and the first means for receiving
and the second means for receiving comprise at least one receiver.
An apparatus as in any above, further comprising one or more
aspects of the exemplary embodiments of the invention as described
herein.
[0189] (15) In a further exemplary embodiment, an apparatus
comprising: first reception circuitry configured to receive second
information comprising first information encrypted under a second
public key of an encryption scheme, where the first information
comprises original information encrypted under a first public key
of the encryption scheme, where the encryption scheme uses public
key and secret key pairs and includes an encryption function, a
decryption function and an evaluation function, where the
encryption function operates to encrypt data using a certain public
key, where the decryption function operates to decrypt data
encrypted using the certain public key by using a certain secret
key to obtain the data, where the encryption scheme is operable to
evaluate at least one of the decryption function and an augmented
version of the decryption function, where the augmented version of
the decryption function comprises a circuit having at least two
copies of the decryption function as inputs for a gate; second
reception circuitry configured to receive a first secret key
encrypted under the second public key, where the first secret key
corresponds to the first public key; and evaluation circuitry
configured to evaluate the second information by operating the
evaluation function, where the evaluation function receives as
inputs the second information, the first secret key encrypted under
the second public key, the second public key and an input circuit,
where the evaluation function outputs third information comprising
the original information encrypted under the second public key of
the encryption scheme.
[0190] An apparatus as above, further comprising one or more
aspects of the exemplary embodiments of the invention as described
herein.
[0191] The exemplary embodiments of the invention, as discussed
herein and as particularly described with respect to exemplary
methods, may be implemented in conjunction with a program storage
device (e.g., at least one memory, at least one computer-readable
medium) readable by a machine (e.g., a processor, a computer),
tangibly embodying a program of instructions (e.g., a program or
computer program) executable by the machine for performing
operations. The operations comprise steps of utilizing the
exemplary embodiments or steps of the method.
[0192] The blocks shown in FIGS. 7 and 9 further may be considered
to correspond to one or more functions and/or operations that are
performed by one or more components, circuits, chips, apparatus,
processors, computer programs and/or function blocks. Any and/or
all of the above may be implemented in any practicable solution or
arrangement that enables operation in accordance with the exemplary
embodiments of the invention as described herein.
[0193] In addition, the arrangement of the blocks depicted in FIGS.
7 and 9 should be considered merely exemplary and non-limiting. It
should be appreciated that the blocks shown in FIGS. 7 and 9 may
correspond to one or more functions and/or operations that may be
performed in any order (e.g., any suitable, practicable and/or
feasible order) and/or concurrently (e.g., as suitable, practicable
and/or feasible) so as to implement one or more of the exemplary
embodiments of the invention. In addition, one or more additional
functions, operations and/or steps may be utilized in conjunction
with those shown in FIGS. 7 and 9 so as to implement one or more
further exemplary embodiments of the invention.
[0194] That is, the exemplary embodiments of the invention shown in
FIGS. 7 and 9 may be utilized, implemented or practiced in
conjunction with one or more further aspects in any combination
(e.g., any combination that is suitable, practicable and/or
feasible) and are not limited only to the steps, blocks, operations
and/or functions shown in FIGS. 7 and 9.
[0195] Still further, the various names used for variables,
parameters and the like are not intended to be limiting in any
respect, as these parameters may be identified by any suitable
name.
[0196] The described techniques may be implemented as a method,
apparatus or article of manufacture involving software, firmware,
micro-code, hardware and/or any combination thereof. The term
"article of manufacture" as used herein refers to code or logic
implemented in a medium, where such medium may comprise hardware
logic (e.g., an integrated circuit chip, Programmable Gate Array
(PGA), Application Specific Integrated Circuit (ASIC), etc.) or a
computer readable medium, such as magnetic storage medium (e.g.,
hard disk drives, floppy disks, tape, etc.), optical storage
(CD-ROMs, optical disks, etc.), volatile and/or non-volatile memory
devices (e.g., Electrically Erasable Programmable Read Only Memory
(EEPROM), Read Only Memory (ROM), Programmable Read Only Memory
(PROM), Random Access Memory (RAM), Dynamic Random Access Memory
(DRAM), Static Random Access Memory (SRAM), flash, firmware,
programmable logic, etc.), as non-limiting examples. Code in the
computer readable medium is accessed and executed by a processor. A
transmission signal in which the code or logic is encoded is
capable of being transmitted by a transmitting station and received
by a receiving station, where the code or logic encoded in the
transmission signal may be decoded and stored in hardware or a
computer readable medium at the receiving and transmitting stations
or devices. Additionally, the "article of manufacture" may comprise
a combination of hardware and software components in which the code
is embodied, processed, and executed.
[0197] Those skilled in the art will recognize that many
modifications may be made without departing from the scope of
embodiments, and that the article of manufacture may comprise any
information bearing medium. For example, the article of manufacture
may comprise a storage medium having stored therein instructions
that, when executed by a machine, result in operations being
performed.
[0198] Certain embodiments can take the form of an entirely
hardware embodiment, an entirely software embodiment or an
embodiment containing both hardware and software elements. The
invention can be implemented in software, which includes but is not
limited to firmware, resident software, microcode, etc.
[0199] Furthermore, certain embodiments can take the form of a
computer program product accessible from a computer usable or
computer readable medium providing program code for use by or in
connection with a computer or any instruction execution system. For
the purposes of this description, a computer usable or computer
readable medium can be any apparatus that can contain, store,
communicate, propagate, or transport the program for use by or in
connection with the instruction execution system, apparatus, or
device. The medium can be an electronic, magnetic, optical,
electromagnetic, infrared, or semiconductor system (or apparatus or
device) or a propagation medium. Examples of a computer-readable
medium include a semiconductor or solid state memory, magnetic
tape, a removable computer diskette, a random access memory (RAM),
a read-only memory (ROM), a rigid magnetic disk and an optical
disk. Current examples of optical disks include compact disk-read
only memory (CD-ROM), compact disk-read/write (CD-R/W) and digital
video disc (DVD).
[0200] The terms "certain embodiments", "an embodiment",
"embodiment", "exemplary embodiment", "embodiments", "exemplary
embodiments", "the embodiment", "the embodiments", "one or more
embodiments", "some embodiments", and "one embodiment" mean one or
more (but not all) embodiments unless expressly specified
otherwise. The terms "including", "comprising", "having" and
variations thereof mean "including but not limited to", unless
expressly specified otherwise. The terms "a", "an" and "the" mean
"one or more", unless expressly specified otherwise.
[0201] Devices that are in communication with each other need not
be in continuous communication with each other, unless expressly
specified otherwise. In addition, devices that are in communication
with each other may communicate directly or indirectly through one
or more intermediaries. Additionally, a description of an
embodiment with several components in communication with each other
does not imply that all such components are required. On the
contrary a variety of optional components are described to
illustrate the wide variety of possible embodiments.
[0202] Any use of the terms "connected," "coupled" or variants
thereof should be interpreted to indicate any such connection or
coupling, direct or indirect, between the identified elements. As a
non-limiting example, one or more intermediate elements may be
present between the "coupled" elements. The connection or coupling
between the identified elements may be, as non-limiting examples,
physical, electrical, magnetic, logical or any suitable combination
thereof in accordance with the described exemplary embodiments. As
non-limiting examples, the connection or coupling may comprise one
or more printed electrical connections, wires, cables, mediums or
any suitable combination thereof.
[0203] Further, although process steps, method steps, algorithms or
the like may be described in a sequential order, such processes,
methods and algorithms may be configured to work in alternate
orders. In other words, any sequence or order of steps that may be
described does not necessarily indicate a requirement that the
steps be performed in that order. The steps of processes described
herein may be performed in any order practical. Further, some steps
may be performed simultaneously, in parallel, or concurrently.
[0204] When a single device or article is described herein, it will
be apparent that more than one device/article (whether or not they
cooperate) may be used in place of a single device/article.
Similarly, where more than one device or article is described
herein (whether or not they cooperate), it will be apparent that a
single device/article may be used in place of the more than one
device or article. The functionality and/or the features of a
device may be alternatively embodied by one or more other devices
which are not explicitly described as having such
functionality/features. Thus, other embodiments need not include
the device itself.
[0205] FIG. 8 illustrates a block diagram of a system 800 in which
certain embodiments may be implemented. In certain embodiments, the
requestor and server blocks 1 and 2 shown in FIG. 1 may each be
implemented in accordance with the system 800. The system 800 may
include at least one circuitry 802 that may in certain embodiments
include at least one processor 804. The system 800 may also include
at least one memory 806 (e.g., a volatile memory device), and/or at
least one storage 808. The storage 808 may include a non-volatile
memory device (e.g., EEPROM, ROM, PROM, RAM, DRAM, SRAM, flash,
firmware, programmable logic, etc.), magnetic disk drive, optical
disk drive, tape drive, etc. The storage 808 may comprise an
internal storage device, an attached storage device and/or a
network accessible storage device. The system 800 may include at
least one program logic 810 including code 812 that may be loaded
into the memory 806 and executed by the processor 804 and/or
circuitry 802. In certain embodiments, the program logic 810
including code 812 may be stored in the storage 808. In certain
other embodiments, the program logic 810 may be implemented in the
circuitry 802. Therefore, while FIG. 8 shows the program logic 810
separately from the other elements, the program logic 810 may be
implemented in the memory 806 and/or the circuitry 802. The system
800 may include at least one communications component 814 that
enables communication with at least one other system, device and/or
apparatus. The communications component 814 may include a
transceiver configured to send and receive information, a
transmitter configured to send information and/or a receiver
configured to receive information. As a non-limiting example, the
communications component 814 may comprise a modem or network card.
The system 800 of FIG. 8 may be embodied in a computer or computer
system, such as a desktop computer, a portable computer or a
server, as non-limiting examples. The components of the system 800
shown in FIG. 8 may be connected or coupled together using one or
more internal buses, connections, wires and/or (printed) circuit
boards, as non-limiting examples.
[0206] Certain embodiments may be directed to a method for
deploying computing instruction by a person or automated processing
integrating computer-readable code into a computing system, wherein
the code in combination with the computing system is enabled to
perform the operations of the described embodiments.
[0207] At least certain of the operations illustrated in FIGS. 1-7
may be performed in parallel as well as sequentially. In
alternative embodiments, certain of the operations may be performed
in a different order, modified or removed.
[0208] Furthermore, many of the software and hardware components
have been described in separate modules for purposes of
illustration. Such components may be integrated into a fewer number
of components or divided into a larger number of components.
Additionally, certain operations described as performed by a
specific component may be performed by other components.
[0209] Any data structures and components shown or referred to in
the other Figures and in the specification are described as having
specific types of information. In alternative embodiments, the data
structures and components may be structured differently and have
fewer, more or different fields or different functions than those
shown or referred to in the Figures.
[0210] Therefore, the foregoing description of the embodiments has
been presented for the purposes of illustration and description. It
is not intended to be exhaustive or to limit the embodiments to the
precise form disclosed. Many modifications and variations are
possible in light of the above teaching
* * * * *