资源描述:
《PPTCan homomorphic encryption be practica》由会员上传分享,免费在线阅读,更多相关内容在学术论文-天天文库。
1、Canhomomorphicencryptionbepractical?MichaelNaehrigTU/emichael@cryptojedi.orgjointworkwithKristinLauterandVinodVaikuntanathanCryptographyWorkingGroup30September2011Anapplicationscenario–privatemedicalrecords◮Healthcareprovidersuploadallyourmedicalrecordsinpublickeyen
2、cryptedformtoacloudservice.◮Youcontrolaccesstoyourdata.◮Youcandoencryptedsearchonyourdata.◮Differentmonitoringdevicesstreamencrypteddata,e.g.yourbloodpressure,heartrate,bloodsugarlevel.◮Thecloudservicecancomputestatisticalfunctionsonyourdata,determinerisks,sendalert
3、stoyou,yourdoctor.◮Partsofthiscanalreadyberealized(Benalohetal.2009).◮Computingfunctionsonyourencrypteddatacouldbedonewithhomomorphicencryption.Homomorphicencryption◮Manycryptosystemshavehomomorphicproperties:RSA,ElGamal,Benaloh,Paillier,butonlyprovideadditiveormult
4、iplicativehomomorphism,notboth.◮Firstsystemthatcoulddoboth:Boneh-Goh-Nissim2005manyadditionsandonemultiplication(usespairings).◮Fullyhomomorphicencryptionallowstodoarbitrarycomputationsonencrypteddatawithoutknowingthesecretkey,◮inparticularitallowsdoinganarbitrarynu
5、mberofadditionsandmultiplications.FullyhomomorphicencryptionGentryproposedthefirstfullyhomomorphicencryptionschemein2009basedonideallattices.◮Thebasisisasomewhathomomorphicencryptionschemethatcanevaluatelow-degreepolynomialsonencrypteddata.◮Ciphertextsare“noisy”andth
6、enoisegrowsslightlyduringadditionandstronglyduringmultiplication.◮IftheSWHEschemecanevaluateitsowndecryptioncircuit,thenabootstrappingstepcanrefreshciphertextsbyhomomorphicallydecryptingusinganencryptedsecretkey.◮Onlyworksby“squashing”thedecryptioncircuit.◮Sofarquit
7、einefficient.Fullyhomomorphicencryption◮Recently,manyimprovements,butstillinefficient.Implementation(Gentry,Halevi2011),◮toysetting:encryptabitin0.2s,recryptin6s,publickey:17MB◮largesetting:encryptin3min,recryptin31minpublickey:2.3GB◮Newvariants,mostlyfollowingGentry’
8、sblueprint.◮RecentvariantsbasedontheLWEproblemorRLWEproblem.◮Applicationsmightnotneedfullyhomomorphicencryption,somewhathomomorphiccouldbe
